diff --git a/contrib/docker/.env.prod.template b/contrib/docker/.env.prod.template index c0c10181..5e9adc87 100644 --- a/contrib/docker/.env.prod.template +++ b/contrib/docker/.env.prod.template 
@@ -1,20 +1,118 @@ +# Security +# + +SECRET_KEY= +ADMIN_API_TOKEN= + +# +# Networking +# + # The base domain DOMAIN=workadventure.localhost -DEBUG_MODE=false +# Subdomains +# MUST match the DOMAIN variable above +FRONT_HOST=front.workadventure.localhost +PUSHER_HOST=pusher.workadventure.localhost +BACK_HOST=api.workadventure.localhost +MAPS_HOST=maps.workadventure.localhost +ICON_HOST=icon.workadventure.localhost + +# SAAS admin panel +ADMIN_API_URL= + +# +# Basic configuration +# + +# The directory to store data in +DATA_DIR=./wa + +# The URL used by default, in the form: "/_/global/map/url.json" +START_ROOM_URL=/_/global/maps.workadventu.re/Floor0/floor0.json + +# If you want to have a contact page in your menu, +# you MUST set CONTACT_URL to the URL of the page that you want +CONTACT_URL= + +MAX_PER_GROUP=4 +MAX_USERNAME_LENGTH=8 +DISABLE_ANONYMOUS=false + +# The version of the docker image to use +# MUST uncomment "image" keys in the docker-compose file for it to be effective +VERSION=master + +TZ=Europe/Paris + +# +# Jitsi +# + JITSI_URL=meet.jit.si -# If your Jitsi environment has authentication set up, you MUST set JITSI_PRIVATE_MODE to "true" and you MUST pass a SECRET_JITSI_KEY to generate the JWT secret +# If your Jitsi environment has authentication set up, +# you MUST set JITSI_PRIVATE_MODE to "true" +# and you MUST pass a SECRET_JITSI_KEY to generate the JWT secret JITSI_PRIVATE_MODE=false JITSI_ISS= SECRET_JITSI_KEY= +# +# Turn/Stun +# + # URL of the TURN server (needed to "punch a hole" through some networks for P2P connections) TURN_SERVER= TURN_USER= TURN_PASSWORD= +# If your Turn server is configured to use the Turn REST API, you MUST put the shared auth secret here. +# If you are using Coturn, this is the value of the "static-auth-secret" parameter in your coturn config file. +# Keep empty if you are sharing hard coded / clear text credentials. 
+TURN_STATIC_AUTH_SECRET= +# URL of the STUN server +STUN_SERVER= -# The URL used by default, in the form: "/_/global/map/url.json" -START_ROOM_URL=/_/global/maps.workadventu.re/Floor0/floor0.json +# +# Certificate config +# # The email address used by Let's encrypt to send renewal warnings (compulsory) ACME_EMAIL= + +# +# Additional app configs +# Configuration for apps which are not workadventure itself +# + +# openID +OPID_CLIENT_ID= +OPID_CLIENT_SECRET= +OPID_CLIENT_ISSUER= +OPID_CLIENT_REDIRECT_URL= +OPID_LOGIN_SCREEN_PROVIDER=http://pusher.workadventure.localhost/login-screen +OPID_PROFILE_SCREEN_PROVIDER= + + +# +# Advanced configuration +# Generally does not need to be changed +# + +# Networking +HTTP_PORT=80 +HTTPS_PORT=443 + +# Workadventure settings +DISABLE_NOTIFICATIONS=false +SKIP_RENDER_OPTIMIZATIONS=false +STORE_VARIABLES_FOR_LOCAL_MAPS=true + +# Debugging options +DEBUG_MODE=false +LOG_LEVEL=WARN + +# Internal URLs +API_URL=back:50051 + +RESTART_POLICY=unless-stopped diff --git a/contrib/docker/docker-compose.prod.yaml b/contrib/docker/docker-compose.prod.yaml index 62be6749..80ed192b 100644 --- a/contrib/docker/docker-compose.prod.yaml +++ b/contrib/docker/docker-compose.prod.yaml 
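Review bot: The new Security section at the top of the hunk leaves `SECRET_KEY=` and `ADMIN_API_TOKEN=` empty with no guidance, and since the compose file in this same commit now passes them through from the environment (`- SECRET_KEY`) instead of the old hard-coded `SECRET_KEY: yourSecretKey`, a template copied as-is presumably starts the pusher and back with an empty secret. Add a comment above the two variables such as `# REQUIRED before first start: set both to long random values (e.g. the output of openssl rand -hex 32) and keep the filled-in .env out of version control.` Whether the services reject an empty SECRET_KEY is not visible here; if they do not, that check belongs in the application rather than in this template. Separately, `OPID_LOGIN_SCREEN_PROVIDER=http://pusher.workadventure.localhost/login-screen` hard-codes a plain-http URL and a host that does not follow `PUSHER_HOST`, while the reverse proxy in this commit redirects the web entry point to https; `OPID_LOGIN_SCREEN_PROVIDER=https://pusher.workadventure.localhost/login-screen` plus a `# MUST match PUSHER_HOST above` comment keeps the OpenID login hop on the same scheme and host as the rest of the stack.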
@@ -1,114 +1,128 @@ -version: "3.3" +version: "3.5" services: reverse-proxy: - image: traefik:v2.3 + image: traefik:v2.6 command: - - --log.level=WARN - #- --api.insecure=true + - --log.level=${LOG_LEVEL} - --providers.docker - - --entryPoints.web.address=:80 + # Entry points + - --entryPoints.web.address=:${HTTP_PORT} - --entrypoints.web.http.redirections.entryPoint.to=websecure - --entrypoints.web.http.redirections.entryPoint.scheme=https - - --entryPoints.websecure.address=:443 + - --entryPoints.websecure.address=:${HTTPS_PORT} + # HTTP challenge - --certificatesresolvers.myresolver.acme.email=${ACME_EMAIL} - --certificatesresolvers.myresolver.acme.storage=/acme.json - # used during the challenge - --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web + # Let's Encrypt's staging server + # uncomment during testing to avoid rate limiting + #- --certificatesresolvers.dnsresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory ports: - - "80:80" - - "443:443" - # The Web UI (enabled by --api.insecure=true) - #- "8080:8080" - depends_on: - - pusher - - front + - "${HTTP_PORT}:80" + - "${HTTPS_PORT}:443" volumes: - /var/run/docker.sock:/var/run/docker.sock - - ./acme.json:/acme.json - restart: unless-stopped + - ${DATA_DIR}/letsencrypt/acme.json:/acme.json + restart: ${RESTART_POLICY} front: build: context: ../.. 
dockerfile: front/Dockerfile - #image: thecodingmachine/workadventure-front:master + #image: thecodingmachine/workadventure-front:${VERSION} environment: - DEBUG_MODE: "$DEBUG_MODE" - JITSI_URL: $JITSI_URL - JITSI_PRIVATE_MODE: "$JITSI_PRIVATE_MODE" - PUSHER_URL: //pusher.${DOMAIN} - ICON_URL: //icon.${DOMAIN} - TURN_SERVER: "${TURN_SERVER}" - TURN_USER: "${TURN_USER}" - TURN_PASSWORD: "${TURN_PASSWORD}" - START_ROOM_URL: "${START_ROOM_URL}" + - DEBUG_MODE + - JITSI_URL + - JITSI_PRIVATE_MODE + - PUSHER_URL=//${PUSHER_HOST} + - ICON_URL=//${ICON_HOST} + - TURN_SERVER + - TURN_USER + - TURN_PASSWORD + - TURN_STATIC_AUTH_SECRET + - STUN_SERVER + - START_ROOM_URL + - SKIP_RENDER_OPTIMIZATIONS + - MAX_PER_GROUP + - MAX_USERNAME_LENGTH + - DISABLE_ANONYMOUS + - DISABLE_NOTIFICATIONS labels: - - "traefik.http.routers.front.rule=Host(`play.${DOMAIN}`)" - - "traefik.http.routers.front.entryPoints=web,traefik" + - "traefik.http.routers.front.rule=Host(`${FRONT_HOST}`)" + - "traefik.http.routers.front.entryPoints=web" - "traefik.http.services.front.loadbalancer.server.port=80" - - "traefik.http.routers.front-ssl.rule=Host(`play.${DOMAIN}`)" + - "traefik.http.routers.front-ssl.rule=Host(`${FRONT_HOST}`)" - "traefik.http.routers.front-ssl.entryPoints=websecure" - - "traefik.http.routers.front-ssl.tls=true" - "traefik.http.routers.front-ssl.service=front" + - "traefik.http.routers.front-ssl.tls=true" - "traefik.http.routers.front-ssl.tls.certresolver=myresolver" - restart: unless-stopped + restart: ${RESTART_POLICY} pusher: build: context: ../.. 
dockerfile: pusher/Dockerfile - #image: thecodingmachine/workadventure-pusher:master + #image: thecodingmachine/workadventure-pusher:${VERSION} command: yarn run runprod environment: - SECRET_JITSI_KEY: "$SECRET_JITSI_KEY" - SECRET_KEY: yourSecretKey - API_URL: back:50051 - JITSI_URL: $JITSI_URL - JITSI_ISS: $JITSI_ISS - FRONT_URL: https://play.${DOMAIN} + - SECRET_JITSI_KEY + - SECRET_KEY + - API_URL + - FRONT_URL=https://${FRONT_HOST} + - JITSI_URL + - JITSI_ISS + - DISABLE_ANONYMOUS labels: - - "traefik.http.routers.pusher.rule=Host(`pusher.${DOMAIN}`)" - - "traefik.http.routers.pusher.entryPoints=web,traefik" + - "traefik.http.routers.pusher.rule=Host(`${PUSHER_HOST}`)" + - "traefik.http.routers.pusher.entryPoints=web" - "traefik.http.services.pusher.loadbalancer.server.port=8080" - - "traefik.http.routers.pusher-ssl.rule=Host(`pusher.${DOMAIN}`)" + - "traefik.http.routers.pusher-ssl.rule=Host(${PUSHER_HOST}`)" - "traefik.http.routers.pusher-ssl.entryPoints=websecure" - - "traefik.http.routers.pusher-ssl.tls=true" - "traefik.http.routers.pusher-ssl.service=pusher" + - "traefik.http.routers.pusher-ssl.tls=true" - "traefik.http.routers.pusher-ssl.tls.certresolver=myresolver" - restart: unless-stopped + restart: ${RESTART_POLICY} back: build: context: ../.. 
dockerfile: back/Dockerfile - #image: thecodingmachine/workadventure-back:master + #image: thecodingmachine/workadventure-back:${VERSION} command: yarn run runprod environment: - SECRET_JITSI_KEY: "$SECRET_JITSI_KEY" - ADMIN_API_TOKEN: "$ADMIN_API_TOKEN" - ADMIN_API_URL: "$ADMIN_API_URL" - JITSI_URL: $JITSI_URL - JITSI_ISS: $JITSI_ISS + - SECRET_JITSI_KEY + - SECRET_KEY + - ADMIN_API_TOKEN + - ADMIN_API_URL + - TURN_SERVER + - TURN_USER + - TURN_PASSWORD + - TURN_STATIC_AUTH_SECRET + - STUN_SERVER + - JITSI_URL + - JITSI_ISS + - MAX_PER_GROUP + - STORE_VARIABLES_FOR_LOCAL_MAPS labels: - - "traefik.http.routers.back.rule=Host(`api.${DOMAIN}`)" + - "traefik.http.routers.back.rule=Host(`${BACK_HOST}`)" - "traefik.http.routers.back.entryPoints=web" - "traefik.http.services.back.loadbalancer.server.port=8080" - - "traefik.http.routers.back-ssl.rule=Host(`api.${DOMAIN}`)" + - "traefik.http.routers.back-ssl.rule=Host(`${BACK_HOST}`)" - "traefik.http.routers.back-ssl.entryPoints=websecure" - - "traefik.http.routers.back-ssl.tls=true" - "traefik.http.routers.back-ssl.service=back" + - "traefik.http.routers.back-ssl.tls=true" - "traefik.http.routers.back-ssl.tls.certresolver=myresolver" - restart: unless-stopped + restart: ${RESTART_POLICY} icon: image: matthiasluedtke/iconserver:v3.13.0 labels: - - "traefik.http.routers.icon.rule=Host(`icon.${DOMAIN}`)" + - "traefik.http.routers.icon.rule=Host(`${ICON_HOST}`)" - "traefik.http.routers.icon.entryPoints=web,traefik" - "traefik.http.services.icon.loadbalancer.server.port=8080" - - "traefik.http.routers.icon-ssl.rule=Host(`icon.${DOMAIN}`)" + - "traefik.http.routers.icon-ssl.rule=Host(`${ICON_HOST}`)" - "traefik.http.routers.icon-ssl.entryPoints=websecure" - - "traefik.http.routers.icon-ssl.tls=true" - "traefik.http.routers.icon-ssl.service=icon" + - "traefik.http.routers.icon-ssl.tls=true" - "traefik.http.routers.icon-ssl.tls.certresolver=myresolver"