chris/scarif
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Remove monica and restrict logging

Browse Source
This commit is contained in:
Chris
2022-10-05 22:47:24 +00:00
parent 0027c24306
commit 49d4606e8e
2 changed files with 182 additions and 161 deletions
Download Patch File Download Diff File Expand all files Collapse all files

73
docker-compose.yml
View File

@@ -5,10 +5,18 @@ x-certs: &certs
volumes:
- /opt/ssl:/certs
x-logging: &logging
logging:
driver: "local"
options:
max-size: "5m"
max-file: "2"
version: "3.4"
services:
dashboard:
<<: *logging
image: rmountjoy/dashmachine:latest
volumes:
- dashboard:/dashmachine/dashmachine/user_data
@@ -17,6 +25,7 @@ services:
- nginx
foundry:
<<: *logging
image: felddy/foundryvtt:release
volumes:
- foundry:/data
@@ -35,30 +44,32 @@ services:
networks:
- nginx
monica:
build: ./monica
image: monica
env_file: ./monica/.env
environment:
- APP_URL=https://personel.${DOMAIN}
- DB_PASSWORD=${DB_PASSWORD}
- DB_USERNAME=${DB_USER}
- MAIL_FROM_ADDRESS=${MAIL_FROM}
- MAIL_HOST=${MAIL_HOST}
- MAIL_PORT=${MAIL_PORT}
- MAIL_USERNAME=${MAIL_USER}
- MAIL_PASSWORD=${MAIL_PASSWORD}
volumes:
- monica-data:/var/www/html/storage
- monica-public:/var/www/html/public
restart: always
depends_on:
- db
networks:
- db
- nginx
# monica:
# <<: *logging
# build: ./monica
# image: monica
# env_file: ./monica/.env
# environment:
# - APP_URL=https://personel.${DOMAIN}
# - DB_PASSWORD=${DB_PASSWORD}
# - DB_USERNAME=${DB_USER}
# - MAIL_FROM_ADDRESS=${MAIL_FROM}
# - MAIL_HOST=${MAIL_HOST}
# - MAIL_PORT=${MAIL_PORT}
# - MAIL_USERNAME=${MAIL_USER}
# - MAIL_PASSWORD=${MAIL_PASSWORD}
# volumes:
# - monica-data:/var/www/html/storage
# - monica-public:/var/www/html/public
# restart: always
# depends_on:
# - db
# networks:
# - db
# - nginx
nextcloud:
<<: *logging
build: ./nextcloud
image: nextcloud
restart: always
@@ -90,13 +101,14 @@ services:
- "office.scarif.space:${LOCAL_IP}"
collabora:
<<: *logging
image: collabora/code
restart: always
cap_add:
- MKNOD
volumes:
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
# volumes:
# - /etc/timezone:/etc/timezone:ro
# - /etc/localtime:/etc/localtime:ro
environment:
- DONT_GEN_SSL_CERT="True"
- domain=tower.${DOMAIN}
@@ -113,6 +125,7 @@ services:
- "office.scarif.space:${LOCAL_IP}"
pinry:
<<: *logging
image: 'getpinry/pinry'
volumes:
- pinry:/data
@@ -124,6 +137,7 @@ services:
- db
gitea:
<<: *logging
image: gitea/gitea:1
environment:
- "APP_NAME=Labs: Where the good stuff happens"
@@ -153,6 +167,7 @@ services:
- db
jitsi:
<<: *logging
image: jitsi/web:latest
restart: always
volumes:
@@ -251,6 +266,7 @@ services:
# XMPP server
prosody:
<<: *logging
image: jitsi/prosody:latest
restart: always
expose:
@@ -320,6 +336,7 @@ services:
# Focus component
jicofo:
<<: *logging
image: jitsi/jicofo:latest
restart: always
volumes:
@@ -349,6 +366,7 @@ services:
# Video bridge
jvb:
<<: *logging
image: jitsi/jvb:latest
restart: always
ports:
@@ -383,6 +401,7 @@ services:
db:
<<: *logging
image: mariadb
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --skip-innodb-read-only-compressed
environment:
@@ -403,6 +422,7 @@ services:
- redis
nginx:
<<: *logging
image: nginx:alpine
restart: always
volumes:
@@ -416,7 +436,7 @@ services:
- DOMAIN=${DOMAIN}
depends_on:
- dashboard
- monica
# - monica
- nextcloud
- gitea
- collabora
@@ -451,3 +471,4 @@ networks:
nginx:
redis:
meet.jitsi:

270
nginx/nginx.conf.template
View File

@@ -68,141 +68,141 @@ http {
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
upstream monica-handler {
server monica:9000;
}
server {
listen 443 ssl http2;
ssl_certificate /etc/nginx/certs/${DOMAIN}.crt;
ssl_certificate_key /etc/nginx/certs/${DOMAIN}.key;
server_name personel.${DOMAIN};
## HSTS ##
# Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
# WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/.
# This form will add the domain to a hardcoded list that is shipped in all major browsers and getting
# removed from this list could take several months.
#
#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
root /var/www/html/monica/public;
index index.html index.htm index.php;
charset utf-8;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ ^/(?:robots.txt|security.txt) {
allow all;
log_not_found off;
access_log off;
}
error_page 404 500 502 503 504 /index.php;
location ~ /\.well-known/(?:carddav|caldav) {
return 301 $scheme://$host/dav;
}
location = /.well-known/security.txt {
return 301 $scheme://$host/security.txt;
}
location ~ /\.(?!well-known).* {
deny all;
}
# set max upload size
client_max_body_size 10G;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
location ~ \.php$ {
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;
fastcgi_pass monica-handler;
fastcgi_index index.php;
include fastcgi_params;
# Cannot use $document_root as the path to monica on the docker container
# is different to the path to the public files in this nginx container.
fastcgi_param SCRIPT_FILENAME /var/www/html/public$fastcgi_script_name;
# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
}
# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~ \.(?:css|js|woff2?|svg|gif|json)$ {
try_files $uri /index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
## HSTS ##
# Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
# Note it is intended to have those duplicated to the ones above.
# WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/.
# This form will add the domain to a hardcoded list that is shipped in all major browsers and getting
# removed from this list could take several months.
#
#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Optional: Don't log access to assets
access_log off;
}
location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
try_files $uri /index.php$request_uri;
# Optional: Don't log access to assets
access_log off;
}
# deny access to .htaccess files
location ~ /\.ht {
deny all;
}
}
# upstream monica-handler {
# server monica:9000;
# }
#
# server {
# listen 443 ssl http2;
#
# ssl_certificate /etc/nginx/certs/${DOMAIN}.crt;
# ssl_certificate_key /etc/nginx/certs/${DOMAIN}.key;
#
# server_name personel.${DOMAIN};
#
# ## HSTS ##
# # Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
# # WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/.
# # This form will add the domain to a hardcoded list that is shipped in all major browsers and getting
# # removed from this list could take several months.
# #
# #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
#
# add_header Referrer-Policy "no-referrer" always;
# add_header X-Content-Type-Options "nosniff" always;
# add_header X-Download-Options "noopen" always;
# add_header X-Frame-Options "SAMEORIGIN" always;
# add_header X-Permitted-Cross-Domain-Policies "none" always;
# add_header X-Robots-Tag "none" always;
# add_header X-XSS-Protection "1; mode=block" always;
#
# # Remove X-Powered-By, which is an information leak
# fastcgi_hide_header X-Powered-By;
#
# root /var/www/html/monica/public;
#
# index index.html index.htm index.php;
#
# charset utf-8;
#
# location / {
# try_files $uri $uri/ /index.php?$query_string;
# }
#
# location ~ ^/(?:robots.txt|security.txt) {
# allow all;
# log_not_found off;
# access_log off;
# }
#
# error_page 404 500 502 503 504 /index.php;
#
# location ~ /\.well-known/(?:carddav|caldav) {
# return 301 $scheme://$host/dav;
# }
# location = /.well-known/security.txt {
# return 301 $scheme://$host/security.txt;
# }
# location ~ /\.(?!well-known).* {
# deny all;
# }
#
# # set max upload size
# client_max_body_size 10G;
# fastcgi_buffers 64 4K;
#
# # Enable gzip but do not remove ETag headers
# gzip on;
# gzip_vary on;
# gzip_comp_level 4;
# gzip_min_length 256;
# gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
# gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
#
# # Uncomment if your server is build with the ngx_pagespeed module
# # This module is currently not supported.
# #pagespeed off;
#
# location ~ \.php$ {
# # regex to split $uri to $fastcgi_script_name and $fastcgi_path
# fastcgi_split_path_info ^(.+?\.php)(/.*)$;
#
# # Check that the PHP script exists before passing it
# try_files $fastcgi_script_name =404;
#
# fastcgi_pass monica-handler;
# fastcgi_index index.php;
#
# include fastcgi_params;
#
# # Cannot use $document_root as the path to monica on the docker container
# # is different to the path to the public files in this nginx container.
# fastcgi_param SCRIPT_FILENAME /var/www/html/public$fastcgi_script_name;
# # Bypass the fact that try_files resets $fastcgi_path_info
# # see: http://trac.nginx.org/nginx/ticket/321
# set $path_info $fastcgi_path_info;
# fastcgi_param PATH_INFO $path_info;
# }
#
# # Adding the cache control header for js and css files
# # Make sure it is BELOW the PHP block
# location ~ \.(?:css|js|woff2?|svg|gif|json)$ {
# try_files $uri /index.php$request_uri;
# add_header Cache-Control "public, max-age=15778463";
#
# ## HSTS ##
# # Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
# # Note it is intended to have those duplicated to the ones above.
# # WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/.
# # This form will add the domain to a hardcoded list that is shipped in all major browsers and getting
# # removed from this list could take several months.
# #
# #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
#
# add_header Referrer-Policy "no-referrer" always;
# add_header X-Content-Type-Options "nosniff" always;
# add_header X-Download-Options "noopen" always;
# add_header X-Frame-Options "SAMEORIGIN" always;
# add_header X-Permitted-Cross-Domain-Policies "none" always;
# add_header X-Robots-Tag "none" always;
# add_header X-XSS-Protection "1; mode=block" always;
#
# # Optional: Don't log access to assets
# access_log off;
# }
#
# location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
# try_files $uri /index.php$request_uri;
#
# # Optional: Don't log access to assets
# access_log off;
# }
#
# # deny access to .htaccess files
# location ~ /\.ht {
# deny all;
# }
# }
upstream nextcloud-handler {
server nextcloud:9000;