Create a monica app with docker-compose

2020-11-21 10:48:08 +00:00
commit ac83101e53
8 changed files with 511 additions and 0 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -0,0 +1,66 @@
 version: "3.4"
 services:
  app:
    build: ./monica
    image: monica
    env_file: ./monica/.env
    volumes:
      - data:/var/www/html/storage
      - monica-public:/var/www/html/public
    restart: always
    depends_on:
      - db
  db:
    image: mariadb
    environment:
      - MYSQL_ROOT_PASSWORD=secret
      - MYSQL_DATABASE=monica
      - MYSQL_USER=homestead
      - MYSQL_PASSWORD=secret
    volumes:
      - db:/var/lib/mysql
    restart: always
  nginx:
    image: nginx:alpine
    restart: always
    volumes:
      - data:/var/www/html/storage:ro
      - certs:/etc/nginx/certs:ro
      - ./nginx.conf:/etc/nginx/nginx.conf
      - monica-public:/var/www/html/public:ro
    depends_on:
      - app
    ports:
      - 80:80
      - 443:443
    networks:
      - proxy-tier
      - default
    depends_on:
      - omgwtfssl
  omgwtfssl:
    image: paulczar/omgwtfssl
    restart: "no"
    volumes:
      - certs:/certs
    environment:
      - SSL_SUBJECT=personel.scarif.local
      - CA_SUBJECT=chris@scarif.local
      - SSL_KEY=/certs/personel.scarif.local.key
      - SSL_CSR=/certs/personel.scarif.local.csr
      - SSL_CERT=/certs/personel.scarif.local.crt
    networks:
      - proxy-tier
 volumes:
  data:
  db:
  certs:
  monica-public:
 networks:
  proxy-tier:
--- a/monica/.env
+++ b/monica/.env
@@ -0,0 +1,168 @@
 #
 # Welcome, friend ❤. Thanks for trying out Monica. We hope you'll have fun.
 #
 # Two choices: local|production. Use local if you want to install Monica as a
 # development version. Use production otherwise.
 APP_ENV=production
 # true if you want to show debug information on errors. For production, put this
 # to false.
 APP_DEBUG=false
 # The encryption key. This is the most important part of the application. Keep
 # this secure otherwise, everyone will be able to access your application.
 # Must be 32 characters long exactly.
 # Use `php artisan key:generate` or `pwgen -s 32 1` to generate a random key.
 APP_KEY=LUdDIZ6FcVn0Lvajb6IY4cwGvAaomVtP
 # Prevent information leakage by referring to IDs with hashIds instead of
 # the actual IDs used in the database.
 HASH_SALT=YIfc5Go7H1TNxwnS7Uza
 HASH_LENGTH=18
 # The URL of your application.
 APP_URL=https://personel.scarif.local
 # Force using APP_URL as base url of your application.
 # You should not need this, unless you are using subdirectory config.
 APP_FORCE_URL=false
 # Database information
 # To keep this information secure, we urge you to change the default password
 # Currently only "mysql" compatible servers are working
 DB_CONNECTION=mysql
 DB_HOST=db
 DB_PORT=3306
 # You can use mysql unix socket if available, it overrides DB_HOST and DB_PORT values.
 #DB_UNIX_SOCKET=/var/run/mysqld/mysqld.sock
 DB_DATABASE=monica
 DB_USERNAME=chris
 DB_PASSWORD=secret
 DB_PREFIX=
 DB_TEST_HOST=127.0.0.1
 DB_TEST_DATABASE=monica_test
 DB_TEST_USERNAME=homestead
 DB_TEST_PASSWORD=secret
 # Use utf8mb4 database charset format to support emoji characters
 # ⚠ be sure your DBMS supports utf8mb4 format
 DB_USE_UTF8MB4=true
 # Mail credentials used to send emails from the application.
 MAIL_MAILER=smtp
 MAIL_HOST=smtp.mailtrap.io
 MAIL_PORT=2525
 MAIL_USERNAME=f41fa47f889c25
 MAIL_PASSWORD=9a13972ad70a6a
 MAIL_ENCRYPTION=
 # Outgoing emails will be sent with these identity
 MAIL_FROM_ADDRESS=chris@scarif.local
 MAIL_FROM_NAME="Scarif"
 # New registration notification sent to this email
 APP_EMAIL_NEW_USERS_NOTIFICATION=
 # Ability to disable signups on your instance.
 # Can be true or false. Default to false.
 APP_DISABLE_SIGNUP=true
 # Enable user email verification.
 APP_SIGNUP_DOUBLE_OPTIN=false
 # Set trusted proxy IP addresses.
 # To trust all proxies that connect directly to your server, use a "*".
 # To trust one or more specific proxies that connect directly to your server,
 # use a comma separated list of IP addresses.
 APP_TRUSTED_PROXIES=
 # Enable automatic cloudflare trusted proxy discover
 APP_TRUSTED_CLOUDFLARE=false
 # Frequency of creation of new log files. Logs are written when an error occurs.
 # Refer to config/logging.php for the possible values.
 LOG_CHANNEL=daily
 # Error tracking. Specific to hosted version on .com. You probably don't need
 # those.
 SENTRY_SUPPORT=false
 SENTRY_LARAVEL_DSN=
 # Send a daily ping to https://version.monicahq.com to check if a new version
 # is available. When a new version is detected, you will have a message in the
 # UI, as well as the release notes for the new changes. Can be true or false.
 # Default to true.
 CHECK_VERSION=true
 # Cache, session, and queue parameters
 # ⚠ Change this only if you know what you are doing
 #. Cache: database, file, memcached, redis, dynamodb
 #. Session: file, cookie, database, apc, memcached, redis, array
 #. Queue: sync, database, beanstalkd, sqs, redis
 #  If Queue is not set to 'sync', you'll have to set a queue worker
 #  See https://laravel.com/docs/5.7/queues#running-the-queue-worker
 CACHE_DRIVER=database
 SESSION_DRIVER=file
 SESSION_LIFETIME=120
 QUEUE_CONNECTION=database
 # If you use redis, set the redis host or ip, like:
 #REDIS_HOST=redis
 # Maximum allowed size for uploaded files, in kilobytes.
 # Make sure this is an integer, without commas or spaces.
 DEFAULT_MAX_UPLOAD_SIZE=10240
 # Maximum allowed storage size per account, in megabytes.
 # Make sure this is an integer, without commas or spaces.
 DEFAULT_MAX_STORAGE_SIZE=512
 # Default filesystem to store uploaded files.
 # Possible values: public|s3
 DEFAULT_FILESYSTEM=public
 # AWS keys for S3 when using this storage method
 AWS_KEY=
 AWS_SECRET=
 AWS_REGION=us-east-1
 AWS_BUCKET=
 AWS_SERVER=
 # Allow Two Factor Authentication feature on your instance
 MFA_ENABLED=true
 # Enable DAV support
 DAV_ENABLED=true
 # CLIENT ID and SECRET used for OAuth authentication
 PASSPORT_PERSONAL_ACCESS_CLIENT_ID=
 PASSPORT_PERSONAL_ACCESS_CLIENT_SECRET=
 # Allow to access general statistics about your instance through a public API
 # call
 ALLOW_STATISTICS_THROUGH_PUBLIC_API_ACCESS=false
 # Indicates that each user in the instance must comply to international policies
 # like CASL or GDPR
 POLICY_COMPLIANT=true
 # Enable geolocation services
 # This is used to translate addresses to GPS coordinates.
 ENABLE_GEOLOCATION=false
 # API key for geolocation services
 # We use LocationIQ (https://locationiq.com/) to translate addresses to
 # latitude/longitude coordinates. We could use Google instead but we don't
 # want to give anything to Google, ever.
 # LocationIQ offers 10,000 free requests per day.
 LOCATION_IQ_API_KEY=
 # Enable weather on contact profile page
 # Weather can only be fetched if we know longitude/latitude - this is why
 # you also need to activate the geolocation service above to make it work
 ENABLE_WEATHER=false
 # Access to weather data from darksky api
 # https://darksky.net/dev/register
 # Darksky provides an api with 1000 free API calls per day
 # You need to enable the weather above if you provide an API key here.
 DARKSKY_API_KEY=
--- a/monica/Dockerfile
+++ b/monica/Dockerfile
@@ -0,0 +1,29 @@
 FROM monica:fpm
 # Add wait-for-it
 #ADD https://raw.githubusercontent.com/vishnubob/wait-for-it/master/wait-for-it.sh /bin/wait-for-it.sh
 #RUN chmod +x /bin/wait-for-it.sh
 # Add S6 supervisor (for graceful stop)
 ADD https://github.com/just-containers/s6-overlay/releases/download/v1.21.1.1/s6-overlay-amd64.tar.gz /tmp/
 RUN tar xzf /tmp/s6-overlay-amd64.tar.gz -C /
 COPY entrypoint.sh /usr/local/bin
 RUN chmod 755 /usr/local/bin/entrypoint.sh
 ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
 CMD ["/init"]
 RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini"
 # Copy PHP-FPM service script
 COPY start-fpm.sh /etc/services.d/php_fpm/run
 RUN chmod 755 /etc/services.d/php_fpm/run
 # Copy cron service script
 COPY start-cron.sh /etc/services.d/cron/run
 RUN chmod 755 /etc/services.d/cron/run
 # Copy queue service script
 COPY start-queue.sh /etc/services.d/queue/run
 RUN chmod 755 /etc/services.d/queue/run
--- a/monica/entrypoint.sh
+++ b/monica/entrypoint.sh
@@ -0,0 +1,69 @@
 #!/bin/bash
 set -Eeo pipefail
 # wait for the database to start
 waitfordb() {
    HOST=${DB_HOST:-mysql}
    PORT=${DB_PORT:-3306}
    echo "Connecting to ${HOST}:${PORT}"
    attempts=0
    max_attempts=30
    while [ $attempts -lt $max_attempts ]; do
        busybox nc -w 1 "${HOST}:${PORT}" && break
        echo "Waiting for ${HOST}:${PORT}..."
        sleep 1
        let "attempts=attempts+1"
    done
    if [ $attempts -eq $max_attempts ]; then
        echo "Unable to contact your database at ${HOST}:${PORT}"
        exit 1
    fi
    echo "Waiting for database to settle..."
    sleep 3
 }
 if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ]; then
    MONICADIR=/var/www/html
    ARTISAN="php ${MONICADIR}/artisan"
    # Ensure storage directories are present
    STORAGE=${MONICADIR}/storage
    mkdir -p ${STORAGE}/logs
    mkdir -p ${STORAGE}/app/public
    mkdir -p ${STORAGE}/framework/views
    mkdir -p ${STORAGE}/framework/cache
    mkdir -p ${STORAGE}/framework/sessions
    chown -R www-data:www-data ${STORAGE}
    chmod -R g+rw ${STORAGE}
    if [ -z "${APP_KEY:-}" -o "$APP_KEY" = "ChangeMeBy32KeyLengthOrGenerated" ]; then
        ${ARTISAN} key:generate --no-interaction
    else
        echo "APP_KEY already set"
    fi
    # Run migrations
    waitfordb
    ${ARTISAN} monica:update --force -vv
    if [ -n "${SENTRY_SUPPORT:-}" -a "$SENTRY_SUPPORT" = "true" -a -z "${SENTRY_NORELEASE:-}" -a -n "${SENTRY_ENV:-}" ]; then
        commit=$(cat .sentry-commit)
        release=$(cat .sentry-release)
        ${ARTISAN} sentry:release --release="$release" --commit="$commit" --environment="$SENTRY_ENV" --force -v || true
    fi
    if [ ! -f "${STORAGE}/oauth-public.key" -o ! -f "${STORAGE}/oauth-private.key" ]; then
        echo "Passport keys creation ..."
        ${ARTISAN} passport:keys
        ${ARTISAN} passport:client --personal --no-interaction
        echo "! Please be careful to backup $MONICADIR/storage/oauth-public.key and $MONICADIR/storage/oauth-private.key files !"
    fi
 fi
 exec "$@"
--- a/monica/start-cron.sh
+++ b/monica/start-cron.sh
@@ -0,0 +1,5 @@
 #!/usr/bin/with-contenv sh
 set -eu;
 # Start Cron
 exec busybox crond -f -l 0 -L /proc/1/fd/1
--- a/monica/start-fpm.sh
+++ b/monica/start-fpm.sh
@@ -0,0 +1,5 @@
 #!/usr/bin/with-contenv sh
 set -e;
 # Start PHP-FPM
 php-fpm -R --nodaemonize
--- a/monica/start-queue.sh
+++ b/monica/start-queue.sh
@@ -0,0 +1,5 @@
 #!/usr/bin/with-contenv sh
 set -eu;
 # Start Queue
 exec php /var/www/html/artisan queue:work --sleep=10 --timeout=0 --tries=3 --queue=default,migration >/proc/1/fd/1 2>/proc/1/fd/2
--- a/nginx.conf
+++ b/nginx.conf
@@ -0,0 +1,164 @@
 worker_processes  1;
 error_log  /var/log/nginx/error.log warn;
 pid        /var/run/nginx.pid;
 events {
    worker_connections  1024;
 }
 http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile        on;
    #tcp_nopush     on;
    keepalive_timeout  65;
    set_real_ip_from  10.0.0.0/8;
    set_real_ip_from  172.16.0.0/12;
    set_real_ip_from  192.168.0.0/16;
    real_ip_header    X-Real-IP;
    # Connect to app service
    upstream php-handler {
        server app:9000;
    }
    server {
        listen 443 ssl http2;
        ssl_certificate /etc/nginx/certs/personel.scarif.local.crt;
        ssl_certificate_key /etc/nginx/certs/personel.scarif.local.key;
        server_name personel.scarif.local;
        ## HSTS ##
        # Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
        # WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/.
        # This form will add the domain to a hardcoded list that is shipped in all major browsers and getting
        # removed from this list could take several months.
        #
        #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
        add_header Referrer-Policy "no-referrer" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Download-Options "noopen" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Permitted-Cross-Domain-Policies "none" always;
        add_header X-Robots-Tag "none" always;
        add_header X-XSS-Protection "1; mode=block" always;
        # Remove X-Powered-By, which is an information leak
        fastcgi_hide_header X-Powered-By;
        root /var/www/html/public;
        index index.html index.htm index.php;
        charset utf-8;
        location / {
            try_files $uri $uri/ /index.php?$query_string;
        }
        location ~ ^/(?:robots.txt|security.txt) {
            allow all;
            log_not_found off;
            access_log off;
        }
        error_page 404 500 502 503 504 /index.php;
        location ~ /\.well-known/(?:carddav|caldav) {
            return 301 $scheme://$host/dav;
        }
        location = /.well-known/security.txt {
            return 301 $scheme://$host/security.txt;
        }
        location ~ /\.(?!well-known).* {
            deny all;
        }
        # set max upload size
        client_max_body_size 10G;
        fastcgi_buffers 64 4K;
        # Enable gzip but do not remove ETag headers
        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
        # Uncomment if your server is build with the ngx_pagespeed module
        # This module is currently not supported.
        #pagespeed off;
        location ~ \.php$ {
            # regex to split $uri to $fastcgi_script_name and $fastcgi_path
            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            # Check that the PHP script exists before passing it
            try_files $fastcgi_script_name =404;
            fastcgi_pass php-handler;
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            # Bypass the fact that try_files resets $fastcgi_path_info
            # see: http://trac.nginx.org/nginx/ticket/321
            set $path_info $fastcgi_path_info;
            fastcgi_param PATH_INFO $path_info;
        }
        # Adding the cache control header for js and css files
        # Make sure it is BELOW the PHP block
        location ~ \.(?:css|js|woff2?|svg|gif|json)$ {
            try_files $uri /index.php$request_uri;
            add_header Cache-Control "public, max-age=15778463";
            ## HSTS ##
            # Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
            # Note it is intended to have those duplicated to the ones above.
            # WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/.
            # This form will add the domain to a hardcoded list that is shipped in all major browsers and getting
            # removed from this list could take several months.
            #
            #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
            add_header Referrer-Policy "no-referrer" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-Download-Options "noopen" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Permitted-Cross-Domain-Policies "none" always;
            add_header X-Robots-Tag "none" always;
            add_header X-XSS-Protection "1; mode=block" always;
            # Optional: Don't log access to assets
            access_log off;
        }
        location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
            try_files $uri /index.php$request_uri;
            # Optional: Don't log access to assets
            access_log off;
        }
        # deny access to .htaccess files
        location ~ /\.ht {
            deny all;
        }
    }
 }