diff --git a/docker-compose.yml b/docker-compose.yml index 15e0a06..ce57dec 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -5,10 +5,18 @@ x-certs: &certs volumes: - /opt/ssl:/certs +x-logging: &logging + logging: + driver: "local" + options: + max-size: "5m" + max-file: "2" + version: "3.4" services: dashboard: + <<: *logging image: rmountjoy/dashmachine:latest volumes: - dashboard:/dashmachine/dashmachine/user_data @@ -17,6 +25,7 @@ services: - nginx foundry: + <<: *logging image: felddy/foundryvtt:release volumes: - foundry:/data @@ -35,30 +44,32 @@ services: networks: - nginx - monica: - build: ./monica - image: monica - env_file: ./monica/.env - environment: - - APP_URL=https://personel.${DOMAIN} - - DB_PASSWORD=${DB_PASSWORD} - - DB_USERNAME=${DB_USER} - - MAIL_FROM_ADDRESS=${MAIL_FROM} - - MAIL_HOST=${MAIL_HOST} - - MAIL_PORT=${MAIL_PORT} - - MAIL_USERNAME=${MAIL_USER} - - MAIL_PASSWORD=${MAIL_PASSWORD} - volumes: - - monica-data:/var/www/html/storage - - monica-public:/var/www/html/public - restart: always - depends_on: - - db - networks: - - db - - nginx + # monica: + # <<: *logging + # build: ./monica + # image: monica + # env_file: ./monica/.env + # environment: + # - APP_URL=https://personel.${DOMAIN} + # - DB_PASSWORD=${DB_PASSWORD} + # - DB_USERNAME=${DB_USER} + # - MAIL_FROM_ADDRESS=${MAIL_FROM} + # - MAIL_HOST=${MAIL_HOST} + # - MAIL_PORT=${MAIL_PORT} + # - MAIL_USERNAME=${MAIL_USER} + # - MAIL_PASSWORD=${MAIL_PASSWORD} + # volumes: + # - monica-data:/var/www/html/storage + # - monica-public:/var/www/html/public + # restart: always + # depends_on: + # - db + # networks: + # - db + # - nginx nextcloud: + <<: *logging build: ./nextcloud image: nextcloud restart: always 
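Review bot: The `x-logging` anchor caps each container at `max-size: "5m"` × `max-file: "2"`, so at most about 10 MB of log survives per service before rotation discards it, which is thin for the services that record authentication events (nginx, gitea, nextcloud) if an incident has to be reconstructed afterwards. The `local` driver also keeps those files only on the host, so nothing outlives the host. Consider a larger `max-file` for those services or forwarding to a collector, and record the trade-off above the anchor: `# Keeps at most max-size * max-file (~10 MB) of log per container; forward logs elsewhere if audit retention is needed.` `<<:` is a YAML 1.1 merge key that Compose accepts but generic YAML 1.2 tooling may not, which is worth a one-line comment next to the first `<<: *logging` use.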
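Review bot: The whole `monica` service is kept as a `#`-commented block rather than deleted, and the same pattern recurs in the collabora volumes hunk (@@ -90), the nginx `depends_on` hunk (@@ -416) and the commented-out `personel.${DOMAIN}` server block in nginx/nginx.conf.template; git history already preserves the removed text, so deleting it keeps both files readable and avoids a dead block that drifts out of date. Whether the block is deleted or kept, the top-level `monica-data`/`monica-public` volumes and the `./monica/.env` file, which per the removed `env_file` line holds the database and mail credentials, should be retired together with the service; neither is visible in this hunk, so that is worth confirming. If the service is meant to come back, a short comment such as `# monica disabled on <DATE>; see <ISSUE-ID>` explains the gap better than the commented copy does.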
@@ -90,13 +101,14 @@ services: - "office.scarif.space:${LOCAL_IP}" collabora: + <<: *logging image: collabora/code restart: always cap_add: - MKNOD - volumes: - - /etc/timezone:/etc/timezone:ro - - /etc/localtime:/etc/localtime:ro + # volumes: + # - /etc/timezone:/etc/timezone:ro + # - /etc/localtime:/etc/localtime:ro environment: - DONT_GEN_SSL_CERT="True" - domain=tower.${DOMAIN} @@ -113,6 +125,7 @@ services: - "office.scarif.space:${LOCAL_IP}" pinry: + <<: *logging image: 'getpinry/pinry' volumes: - pinry:/data @@ -124,6 +137,7 @@ services: - db gitea: + <<: *logging image: gitea/gitea:1 environment: - "APP_NAME=Labs: Where the good stuff happens" @@ -153,6 +167,7 @@ services: - db jitsi: + <<: *logging image: jitsi/web:latest restart: always volumes: @@ -251,6 +266,7 @@ services: # XMPP server prosody: + <<: *logging image: jitsi/prosody:latest restart: always expose: @@ -320,6 +336,7 @@ services: # Focus component jicofo: + <<: *logging image: jitsi/jicofo:latest restart: always volumes: @@ -349,6 +366,7 @@ services: # Video bridge jvb: + <<: *logging image: jitsi/jvb:latest restart: always ports: @@ -383,6 +401,7 @@ services: db: + <<: *logging image: mariadb command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --skip-innodb-read-only-compressed environment: @@ -403,6 +422,7 @@ services: - redis nginx: + <<: *logging image: nginx:alpine restart: always volumes: @@ -416,7 +436,7 @@ services: - DOMAIN=${DOMAIN} depends_on: - dashboard - - monica + # - monica - nextcloud - gitea - collabora @@ -451,3 +471,4 @@ networks: nginx: redis: meet.jitsi: + diff --git a/nginx/nginx.conf.template b/nginx/nginx.conf.template index 369d24f..2fccd4a 100644 --- a/nginx/nginx.conf.template +++ b/nginx/nginx.conf.template 
@@ -68,141 +68,141 @@ http { # Mitigate httpoxy attack (see README for details) proxy_set_header Proxy ""; - upstream monica-handler { - server monica:9000; - } - - server { - listen 443 ssl http2; - - ssl_certificate /etc/nginx/certs/${DOMAIN}.crt; - ssl_certificate_key /etc/nginx/certs/${DOMAIN}.key; - - server_name personel.${DOMAIN}; - - ## HSTS ## - # Add the 'Strict-Transport-Security' headers to enable HSTS protocol. - # WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/. - # This form will add the domain to a hardcoded list that is shipped in all major browsers and getting - # removed from this list could take several months. - # - #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always; - - add_header Referrer-Policy "no-referrer" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-Download-Options "noopen" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Permitted-Cross-Domain-Policies "none" always; - add_header X-Robots-Tag "none" always; - add_header X-XSS-Protection "1; mode=block" always; - - # Remove X-Powered-By, which is an information leak - fastcgi_hide_header X-Powered-By; - - root /var/www/html/monica/public; - - index index.html index.htm index.php; - - charset utf-8; - - location / { - try_files $uri $uri/ /index.php?$query_string; - } - - location ~ ^/(?:robots.txt|security.txt) { - allow all; - log_not_found off; - access_log off; - } - - error_page 404 500 502 503 504 /index.php; - - location ~ /\.well-known/(?:carddav|caldav) { - return 301 $scheme://$host/dav; - } - location = /.well-known/security.txt { - return 301 $scheme://$host/security.txt; - } - location ~ /\.(?!well-known).* { - deny all; - } - - # set max upload size - client_max_body_size 10G; - fastcgi_buffers 64 4K; - - # Enable gzip but do not remove ETag headers - gzip on; - gzip_vary on; - gzip_comp_level 4; - gzip_min_length 256; - 
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; - gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; - - # Uncomment if your server is build with the ngx_pagespeed module - # This module is currently not supported. - #pagespeed off; - - location ~ \.php$ { - # regex to split $uri to $fastcgi_script_name and $fastcgi_path - fastcgi_split_path_info ^(.+?\.php)(/.*)$; - - # Check that the PHP script exists before passing it - try_files $fastcgi_script_name =404; - - fastcgi_pass monica-handler; - fastcgi_index index.php; - - include fastcgi_params; - - # Cannot use $document_root as the path to monica on the docker container - # is different to the path to the public files in this nginx container. - fastcgi_param SCRIPT_FILENAME /var/www/html/public$fastcgi_script_name; - # Bypass the fact that try_files resets $fastcgi_path_info - # see: http://trac.nginx.org/nginx/ticket/321 - set $path_info $fastcgi_path_info; - fastcgi_param PATH_INFO $path_info; - } - - # Adding the cache control header for js and css files - # Make sure it is BELOW the PHP block - location ~ \.(?:css|js|woff2?|svg|gif|json)$ { - try_files $uri /index.php$request_uri; - add_header Cache-Control "public, max-age=15778463"; - - ## HSTS ## - # Add the 'Strict-Transport-Security' headers to enable HSTS protocol. - # Note it is intended to have those duplicated to the ones above. - # WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/. 
- # This form will add the domain to a hardcoded list that is shipped in all major browsers and getting - # removed from this list could take several months. - # - #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always; - - add_header Referrer-Policy "no-referrer" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-Download-Options "noopen" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Permitted-Cross-Domain-Policies "none" always; - add_header X-Robots-Tag "none" always; - add_header X-XSS-Protection "1; mode=block" always; - - # Optional: Don't log access to assets - access_log off; - } - - location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ { - try_files $uri /index.php$request_uri; - - # Optional: Don't log access to assets - access_log off; - } - - # deny access to .htaccess files - location ~ /\.ht { - deny all; - } - } +# upstream monica-handler { +# server monica:9000; +# } +# +# server { +# listen 443 ssl http2; +# +# ssl_certificate /etc/nginx/certs/${DOMAIN}.crt; +# ssl_certificate_key /etc/nginx/certs/${DOMAIN}.key; +# +# server_name personel.${DOMAIN}; +# +# ## HSTS ## +# # Add the 'Strict-Transport-Security' headers to enable HSTS protocol. +# # WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/. +# # This form will add the domain to a hardcoded list that is shipped in all major browsers and getting +# # removed from this list could take several months. 
+# # +# #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always; +# +# add_header Referrer-Policy "no-referrer" always; +# add_header X-Content-Type-Options "nosniff" always; +# add_header X-Download-Options "noopen" always; +# add_header X-Frame-Options "SAMEORIGIN" always; +# add_header X-Permitted-Cross-Domain-Policies "none" always; +# add_header X-Robots-Tag "none" always; +# add_header X-XSS-Protection "1; mode=block" always; +# +# # Remove X-Powered-By, which is an information leak +# fastcgi_hide_header X-Powered-By; +# +# root /var/www/html/monica/public; +# +# index index.html index.htm index.php; +# +# charset utf-8; +# +# location / { +# try_files $uri $uri/ /index.php?$query_string; +# } +# +# location ~ ^/(?:robots.txt|security.txt) { +# allow all; +# log_not_found off; +# access_log off; +# } +# +# error_page 404 500 502 503 504 /index.php; +# +# location ~ /\.well-known/(?:carddav|caldav) { +# return 301 $scheme://$host/dav; +# } +# location = /.well-known/security.txt { +# return 301 $scheme://$host/security.txt; +# } +# location ~ /\.(?!well-known).* { +# deny all; +# } +# +# # set max upload size +# client_max_body_size 10G; +# fastcgi_buffers 64 4K; +# +# # Enable gzip but do not remove ETag headers +# gzip on; +# gzip_vary on; +# gzip_comp_level 4; +# gzip_min_length 256; +# gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; +# gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; +# +# # Uncomment if your server is build with the ngx_pagespeed module +# # This module is 
currently not supported. +# #pagespeed off; +# +# location ~ \.php$ { +# # regex to split $uri to $fastcgi_script_name and $fastcgi_path +# fastcgi_split_path_info ^(.+?\.php)(/.*)$; +# +# # Check that the PHP script exists before passing it +# try_files $fastcgi_script_name =404; +# +# fastcgi_pass monica-handler; +# fastcgi_index index.php; +# +# include fastcgi_params; +# +# # Cannot use $document_root as the path to monica on the docker container +# # is different to the path to the public files in this nginx container. +# fastcgi_param SCRIPT_FILENAME /var/www/html/public$fastcgi_script_name; +# # Bypass the fact that try_files resets $fastcgi_path_info +# # see: http://trac.nginx.org/nginx/ticket/321 +# set $path_info $fastcgi_path_info; +# fastcgi_param PATH_INFO $path_info; +# } +# +# # Adding the cache control header for js and css files +# # Make sure it is BELOW the PHP block +# location ~ \.(?:css|js|woff2?|svg|gif|json)$ { +# try_files $uri /index.php$request_uri; +# add_header Cache-Control "public, max-age=15778463"; +# +# ## HSTS ## +# # Add the 'Strict-Transport-Security' headers to enable HSTS protocol. +# # Note it is intended to have those duplicated to the ones above. +# # WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/. +# # This form will add the domain to a hardcoded list that is shipped in all major browsers and getting +# # removed from this list could take several months. 
+# # +# #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always; +# +# add_header Referrer-Policy "no-referrer" always; +# add_header X-Content-Type-Options "nosniff" always; +# add_header X-Download-Options "noopen" always; +# add_header X-Frame-Options "SAMEORIGIN" always; +# add_header X-Permitted-Cross-Domain-Policies "none" always; +# add_header X-Robots-Tag "none" always; +# add_header X-XSS-Protection "1; mode=block" always; +# +# # Optional: Don't log access to assets +# access_log off; +# } +# +# location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ { +# try_files $uri /index.php$request_uri; +# +# # Optional: Don't log access to assets +# access_log off; +# } +# +# # deny access to .htaccess files +# location ~ /\.ht { +# deny all; +# } +# } upstream nextcloud-handler { server nextcloud:9000;
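Review bot: With the `personel.${DOMAIN}` server block gone, a request whose SNI/Host is still `personel.${DOMAIN}` matches no `server_name`, and nginx then routes it to the default server for port 443, which is the first `listen 443` block in the file unless one is marked `default_server`; the rest of the template is outside this hunk, so I cannot tell whether such a block exists. If the DNS record for the retired hostname survives, that name would silently serve whichever vhost comes first, under the same `${DOMAIN}` certificate. Either drop the DNS record or add an explicit catch-all that refuses unknown hostnames, as below, placed where the removed block was; the certificate lines are reused so the TLS handshake completes before the connection is closed. Skip the `default_server` flag if another 443 listener already carries it, since nginx rejects duplicates.
```nginx
    # … unchanged: proxy_set_header Proxy ""; …

    # Catch-all for hostnames that no longer have a server block (e.g. the
    # retired personel.${DOMAIN}); without it nginx falls back to the first
    # 443 vhost in the file and serves that app under the stale name.
    server {
        listen 443 ssl http2 default_server;
        ssl_certificate /etc/nginx/certs/${DOMAIN}.crt;
        ssl_certificate_key /etc/nginx/certs/${DOMAIN}.key;
        server_name _;
        return 444;
    }

    # … unchanged: upstream nextcloud-handler … …
```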