Remove monica and restrict logging

This commit is contained in:
Chris
2022-10-05 22:47:24 +00:00
parent 0027c24306
commit 49d4606e8e
2 changed files with 182 additions and 161 deletions


@@ -5,10 +5,18 @@ x-certs: &certs
volumes: volumes:
- /opt/ssl:/certs - /opt/ssl:/certs
x-logging: &logging
logging:
driver: "local"
options:
max-size: "5m"
max-file: "2"
version: "3.4" version: "3.4"
services: services:
dashboard: dashboard:
<<: *logging
image: rmountjoy/dashmachine:latest image: rmountjoy/dashmachine:latest
volumes: volumes:
- dashboard:/dashmachine/dashmachine/user_data - dashboard:/dashmachine/dashmachine/user_data
@@ -17,6 +25,7 @@ services:
- nginx - nginx
foundry: foundry:
<<: *logging
image: felddy/foundryvtt:release image: felddy/foundryvtt:release
volumes: volumes:
- foundry:/data - foundry:/data
@@ -35,30 +44,32 @@ services:
networks: networks:
- nginx - nginx
monica: # monica:
build: ./monica # <<: *logging
image: monica # build: ./monica
env_file: ./monica/.env # image: monica
environment: # env_file: ./monica/.env
- APP_URL=https://personel.${DOMAIN} # environment:
- DB_PASSWORD=${DB_PASSWORD} # - APP_URL=https://personel.${DOMAIN}
- DB_USERNAME=${DB_USER} # - DB_PASSWORD=${DB_PASSWORD}
- MAIL_FROM_ADDRESS=${MAIL_FROM} # - DB_USERNAME=${DB_USER}
- MAIL_HOST=${MAIL_HOST} # - MAIL_FROM_ADDRESS=${MAIL_FROM}
- MAIL_PORT=${MAIL_PORT} # - MAIL_HOST=${MAIL_HOST}
- MAIL_USERNAME=${MAIL_USER} # - MAIL_PORT=${MAIL_PORT}
- MAIL_PASSWORD=${MAIL_PASSWORD} # - MAIL_USERNAME=${MAIL_USER}
volumes: # - MAIL_PASSWORD=${MAIL_PASSWORD}
- monica-data:/var/www/html/storage # volumes:
- monica-public:/var/www/html/public # - monica-data:/var/www/html/storage
restart: always # - monica-public:/var/www/html/public
depends_on: # restart: always
- db # depends_on:
networks: # - db
- db # networks:
- nginx # - db
# - nginx
nextcloud: nextcloud:
<<: *logging
build: ./nextcloud build: ./nextcloud
image: nextcloud image: nextcloud
restart: always restart: always
@@ -90,13 +101,14 @@ services:
- "office.scarif.space:${LOCAL_IP}" - "office.scarif.space:${LOCAL_IP}"
collabora: collabora:
<<: *logging
image: collabora/code image: collabora/code
restart: always restart: always
cap_add: cap_add:
- MKNOD - MKNOD
volumes: # volumes:
- /etc/timezone:/etc/timezone:ro # - /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro # - /etc/localtime:/etc/localtime:ro
environment: environment:
- DONT_GEN_SSL_CERT="True" - DONT_GEN_SSL_CERT="True"
- domain=tower.${DOMAIN} - domain=tower.${DOMAIN}
@@ -113,6 +125,7 @@ services:
- "office.scarif.space:${LOCAL_IP}" - "office.scarif.space:${LOCAL_IP}"
pinry: pinry:
<<: *logging
image: 'getpinry/pinry' image: 'getpinry/pinry'
volumes: volumes:
- pinry:/data - pinry:/data
@@ -124,6 +137,7 @@ services:
- db - db
gitea: gitea:
<<: *logging
image: gitea/gitea:1 image: gitea/gitea:1
environment: environment:
- "APP_NAME=Labs: Where the good stuff happens" - "APP_NAME=Labs: Where the good stuff happens"
@@ -153,6 +167,7 @@ services:
- db - db
jitsi: jitsi:
<<: *logging
image: jitsi/web:latest image: jitsi/web:latest
restart: always restart: always
volumes: volumes:
@@ -251,6 +266,7 @@ services:
# XMPP server # XMPP server
prosody: prosody:
<<: *logging
image: jitsi/prosody:latest image: jitsi/prosody:latest
restart: always restart: always
expose: expose:
@@ -320,6 +336,7 @@ services:
# Focus component # Focus component
jicofo: jicofo:
<<: *logging
image: jitsi/jicofo:latest image: jitsi/jicofo:latest
restart: always restart: always
volumes: volumes:
@@ -349,6 +366,7 @@ services:
# Video bridge # Video bridge
jvb: jvb:
<<: *logging
image: jitsi/jvb:latest image: jitsi/jvb:latest
restart: always restart: always
ports: ports:
@@ -383,6 +401,7 @@ services:
db: db:
<<: *logging
image: mariadb image: mariadb
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --skip-innodb-read-only-compressed command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --skip-innodb-read-only-compressed
environment: environment:
@@ -403,6 +422,7 @@ services:
- redis - redis
nginx: nginx:
<<: *logging
image: nginx:alpine image: nginx:alpine
restart: always restart: always
volumes: volumes:
@@ -416,7 +436,7 @@ services:
- DOMAIN=${DOMAIN} - DOMAIN=${DOMAIN}
depends_on: depends_on:
- dashboard - dashboard
- monica # - monica
- nextcloud - nextcloud
- gitea - gitea
- collabora - collabora
@@ -451,3 +471,4 @@ networks:
nginx: nginx:
redis: redis:
meet.jitsi: meet.jitsi:
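Review bot: The monica service in the third hunk (`@@ -35,30 +44,32 @@`) is commented out rather than deleted, so the file now carries a dead block that still wires `env_file: ./monica/.env`, `DB_PASSWORD`, `DB_USERNAME` and the `MAIL_*` secrets, and its `monica-data`/`monica-public` volumes presumably stay declared further down, outside this hunk. Git history already preserves the definition, so removing the block (together with the commented `# - monica` under nginx `depends_on` in the `@@ -416,7 +436,7 @@` hunk) is cleaner than keeping it as a comment. Separately, the new `x-logging` anchor caps every service at two 5 MB files under the `local` driver; for nginx, gitea and db that can amount to only minutes of history under load, so if container logs are relied on for incident reconstruction, either ship them off-host or give those services a larger `max-file`. It is also worth confirming with `docker compose config` that the `<<: *logging` merge keys resolve on the Compose version in use, since merge keys are a YAML 1.1 extension rather than core 1.2 syntax.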


@@ -68,141 +68,141 @@ http {
# Mitigate httpoxy attack (see README for details) # Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy ""; proxy_set_header Proxy "";
upstream monica-handler { # upstream monica-handler {
server monica:9000; # server monica:9000;
} # }
server {
listen 443 ssl http2;
ssl_certificate /etc/nginx/certs/${DOMAIN}.crt;
ssl_certificate_key /etc/nginx/certs/${DOMAIN}.key;
server_name personel.${DOMAIN};
## HSTS ##
# Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
# WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/.
# This form will add the domain to a hardcoded list that is shipped in all major browsers and getting
# removed from this list could take several months.
# #
#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always; # server {
# listen 443 ssl http2;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
root /var/www/html/monica/public;
index index.html index.htm index.php;
charset utf-8;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ ^/(?:robots.txt|security.txt) {
allow all;
log_not_found off;
access_log off;
}
error_page 404 500 502 503 504 /index.php;
location ~ /\.well-known/(?:carddav|caldav) {
return 301 $scheme://$host/dav;
}
location = /.well-known/security.txt {
return 301 $scheme://$host/security.txt;
}
location ~ /\.(?!well-known).* {
deny all;
}
# set max upload size
client_max_body_size 10G;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
location ~ \.php$ {
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;
fastcgi_pass monica-handler;
fastcgi_index index.php;
include fastcgi_params;
# Cannot use $document_root as the path to monica on the docker container
# is different to the path to the public files in this nginx container.
fastcgi_param SCRIPT_FILENAME /var/www/html/public$fastcgi_script_name;
# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
}
# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~ \.(?:css|js|woff2?|svg|gif|json)$ {
try_files $uri /index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
## HSTS ##
# Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
# Note it is intended to have those duplicated to the ones above.
# WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/.
# This form will add the domain to a hardcoded list that is shipped in all major browsers and getting
# removed from this list could take several months.
# #
#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always; # ssl_certificate /etc/nginx/certs/${DOMAIN}.crt;
# ssl_certificate_key /etc/nginx/certs/${DOMAIN}.key;
add_header Referrer-Policy "no-referrer" always; #
add_header X-Content-Type-Options "nosniff" always; # server_name personel.${DOMAIN};
add_header X-Download-Options "noopen" always; #
add_header X-Frame-Options "SAMEORIGIN" always; # ## HSTS ##
add_header X-Permitted-Cross-Domain-Policies "none" always; # # Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
add_header X-Robots-Tag "none" always; # # WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/.
add_header X-XSS-Protection "1; mode=block" always; # # This form will add the domain to a hardcoded list that is shipped in all major browsers and getting
# # removed from this list could take several months.
# Optional: Don't log access to assets # #
access_log off; # #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
} #
# add_header Referrer-Policy "no-referrer" always;
location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ { # add_header X-Content-Type-Options "nosniff" always;
try_files $uri /index.php$request_uri; # add_header X-Download-Options "noopen" always;
# add_header X-Frame-Options "SAMEORIGIN" always;
# Optional: Don't log access to assets # add_header X-Permitted-Cross-Domain-Policies "none" always;
access_log off; # add_header X-Robots-Tag "none" always;
} # add_header X-XSS-Protection "1; mode=block" always;
#
# deny access to .htaccess files # # Remove X-Powered-By, which is an information leak
location ~ /\.ht { # fastcgi_hide_header X-Powered-By;
deny all; #
} # root /var/www/html/monica/public;
} #
# index index.html index.htm index.php;
#
# charset utf-8;
#
# location / {
# try_files $uri $uri/ /index.php?$query_string;
# }
#
# location ~ ^/(?:robots.txt|security.txt) {
# allow all;
# log_not_found off;
# access_log off;
# }
#
# error_page 404 500 502 503 504 /index.php;
#
# location ~ /\.well-known/(?:carddav|caldav) {
# return 301 $scheme://$host/dav;
# }
# location = /.well-known/security.txt {
# return 301 $scheme://$host/security.txt;
# }
# location ~ /\.(?!well-known).* {
# deny all;
# }
#
# # set max upload size
# client_max_body_size 10G;
# fastcgi_buffers 64 4K;
#
# # Enable gzip but do not remove ETag headers
# gzip on;
# gzip_vary on;
# gzip_comp_level 4;
# gzip_min_length 256;
# gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
# gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
#
# # Uncomment if your server is build with the ngx_pagespeed module
# # This module is currently not supported.
# #pagespeed off;
#
# location ~ \.php$ {
# # regex to split $uri to $fastcgi_script_name and $fastcgi_path
# fastcgi_split_path_info ^(.+?\.php)(/.*)$;
#
# # Check that the PHP script exists before passing it
# try_files $fastcgi_script_name =404;
#
# fastcgi_pass monica-handler;
# fastcgi_index index.php;
#
# include fastcgi_params;
#
# # Cannot use $document_root as the path to monica on the docker container
# # is different to the path to the public files in this nginx container.
# fastcgi_param SCRIPT_FILENAME /var/www/html/public$fastcgi_script_name;
# # Bypass the fact that try_files resets $fastcgi_path_info
# # see: http://trac.nginx.org/nginx/ticket/321
# set $path_info $fastcgi_path_info;
# fastcgi_param PATH_INFO $path_info;
# }
#
# # Adding the cache control header for js and css files
# # Make sure it is BELOW the PHP block
# location ~ \.(?:css|js|woff2?|svg|gif|json)$ {
# try_files $uri /index.php$request_uri;
# add_header Cache-Control "public, max-age=15778463";
#
# ## HSTS ##
# # Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
# # Note it is intended to have those duplicated to the ones above.
# # WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/.
# # This form will add the domain to a hardcoded list that is shipped in all major browsers and getting
# # removed from this list could take several months.
# #
# #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
#
# add_header Referrer-Policy "no-referrer" always;
# add_header X-Content-Type-Options "nosniff" always;
# add_header X-Download-Options "noopen" always;
# add_header X-Frame-Options "SAMEORIGIN" always;
# add_header X-Permitted-Cross-Domain-Policies "none" always;
# add_header X-Robots-Tag "none" always;
# add_header X-XSS-Protection "1; mode=block" always;
#
# # Optional: Don't log access to assets
# access_log off;
# }
#
# location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
# try_files $uri /index.php$request_uri;
#
# # Optional: Don't log access to assets
# access_log off;
# }
#
# # deny access to .htaccess files
# location ~ /\.ht {
# deny all;
# }
# }
upstream nextcloud-handler { upstream nextcloud-handler {
server nextcloud:9000; server nextcloud:9000;