From fb6551041397cd4ff1e6711a2bf7a3bdb1bf39f4 Mon Sep 17 00:00:00 2001 From: Julian Euler Date: Wed, 9 Feb 2022 14:11:28 +0100 Subject: [PATCH 1/4] update docker production templates --- contrib/docker/.env.prod.template | 85 +++++++++++++- contrib/docker/docker-compose.prod.yaml | 149 +++++++++++++++--------- 2 files changed, 174 insertions(+), 60 deletions(-) diff --git a/contrib/docker/.env.prod.template b/contrib/docker/.env.prod.template index c0c10181..73ab5a2d 100644 --- a/contrib/docker/.env.prod.template +++ b/contrib/docker/.env.prod.template 
@@ -1,20 +1,97 @@ +# Security +# + +SECRET_KEY= +ADMIN_API_TOKEN= + +# +# Networking +# + # The base domain DOMAIN=workadventure.localhost +HTTP_PORT=80 +HTTPS_PORT=443 + +# Subdomains (must match the DOMAIN variable above) +FRONT_HOST=front.workadventure.localhost +PUSHER_HOST=pusher.workadventure.localhost +BACK_HOST=api.workadventure.localhost +MAPS_HOST=maps.workadventure.localhost +ICON_HOST=icon.workadventure.localhost + +# +# Basic configuration +# + +# The directory to store data in +DATA_DIR=./wa + +# The URL used by default, in the form: "/_/global/map/url.json" +START_ROOM_URL=/_/global/maps.workadventu.re/Floor0/floor0.json + +MAX_PER_GROUP=4 +MAX_USERNAME_LENGTH=8 +DISABLE_ANONYMOUS=false + +# The version of the docker image to use +# (Must uncomment "image" keys in the docker-compose file) +VERSION=master + +TZ=Europe/Paris + +# +# Jitsi +# -DEBUG_MODE=false JITSI_URL=meet.jit.si -# If your Jitsi environment has authentication set up, you MUST set JITSI_PRIVATE_MODE to "true" and you MUST pass a SECRET_JITSI_KEY to generate the JWT secret +# If your Jitsi environment has authentication set up, +# you MUST set JITSI_PRIVATE_MODE to "true" +# and you MUST pass a SECRET_JITSI_KEY to generate the JWT secret JITSI_PRIVATE_MODE=false JITSI_ISS= SECRET_JITSI_KEY= +# +# Turn/Stun +# + # URL of the TURN server (needed to "punch a hole" through some networks for P2P connections) TURN_SERVER= TURN_USER= TURN_PASSWORD= +# If your Turn server is configured to use the Turn REST API, you should put the shared auth secret here. +# If you are using Coturn, this is the value of the "static-auth-secret" parameter in your coturn config file. +# Keep empty if you are sharing hard coded / clear text credentials. 
+TURN_STATIC_AUTH_SECRET= +# URL of the STUN server +STUN_SERVER= -# The URL used by default, in the form: "/_/global/map/url.json" -START_ROOM_URL=/_/global/maps.workadventu.re/Floor0/floor0.json +# +# Certificate config +# # The email address used by Let's encrypt to send renewal warnings (compulsory) ACME_EMAIL= + +# +# Advanced configuration +# Generally does not need to be changed +# + + +# Workadventure settings +DISABLE_NOTIFICATIONS=false +SKIP_RENDER_OPTIMIZATIONS=false +STORE_VARIABLES_FOR_LOCAL_MAPS=true + +# Debugging options +DEBUG_MODE=false +LOG_LEVEL=WARN + +# Internal URLs +API_URL=back:50051 +ADMIN_URL=//workadventure.localhost +ADMIN_API_URL= + +RESTART_POLICY=unless-stopped diff --git a/contrib/docker/docker-compose.prod.yaml b/contrib/docker/docker-compose.prod.yaml index 62be6749..16af128a 100644 --- a/contrib/docker/docker-compose.prod.yaml +++ b/contrib/docker/docker-compose.prod.yaml 
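Review bot: `SECRET_KEY=` and `ADMIN_API_TOKEN=` are introduced at the top of the template as empty values with no guidance, and because the compose file in this same patch now forwards `SECRET_KEY` from the environment instead of the old hard-coded `yourSecretKey`, an operator who copies the template unchanged runs pusher and back with an empty signing secret; whether the services refuse to start in that case is not visible here. Add a comment above the two lines such as `# MUST be set to long random values (e.g. generated with: openssl rand -hex 32)` and `# The filled-in .env holds credentials - keep it out of version control`. The same caveat applies to `SECRET_JITSI_KEY` and `TURN_PASSWORD` further down, which are the only other secrets in this hunk.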
@@ -1,114 +1,151 @@ -version: "3.3" +version: "3.5" services: reverse-proxy: - image: traefik:v2.3 + image: traefik:v2.6 command: - - --log.level=WARN - #- --api.insecure=true + - --log.level=${LOG_LEVEL} - --providers.docker - - --entryPoints.web.address=:80 + # Entry points + - --entryPoints.web.address=:${HTTP_PORT} - --entrypoints.web.http.redirections.entryPoint.to=websecure - --entrypoints.web.http.redirections.entryPoint.scheme=https - - --entryPoints.websecure.address=:443 + - --entryPoints.websecure.address=:${HTTPS_PORT} + # HTTP challenge - --certificatesresolvers.myresolver.acme.email=${ACME_EMAIL} - --certificatesresolvers.myresolver.acme.storage=/acme.json - # used during the challenge - --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web + # Let's Encrypt's staging server + # uncomment during testing to avoid rate limiting + #- --certificatesresolvers.dnsresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory ports: - - "80:80" - - "443:443" - # The Web UI (enabled by --api.insecure=true) - #- "8080:8080" - depends_on: - - pusher - - front + - "${HTTP_PORT}:80" + - "${HTTPS_PORT}:443" volumes: - /var/run/docker.sock:/var/run/docker.sock - - ./acme.json:/acme.json - restart: unless-stopped + - ${DATA_DIR}/letsencrypt/acme.json:/acme.json + restart: ${RESTART_POLICY} front: build: context: ../.. 
dockerfile: front/Dockerfile - #image: thecodingmachine/workadventure-front:master + #image: thecodingmachine/workadventure-front:${VERSION} environment: - DEBUG_MODE: "$DEBUG_MODE" - JITSI_URL: $JITSI_URL - JITSI_PRIVATE_MODE: "$JITSI_PRIVATE_MODE" - PUSHER_URL: //pusher.${DOMAIN} - ICON_URL: //icon.${DOMAIN} - TURN_SERVER: "${TURN_SERVER}" - TURN_USER: "${TURN_USER}" - TURN_PASSWORD: "${TURN_PASSWORD}" - START_ROOM_URL: "${START_ROOM_URL}" + - DEBUG_MODE + - JITSI_URL + - JITSI_PRIVATE_MODE + - PUSHER_URL=//${PUSHER_HOST} + - ICON_URL=//${ICON_HOST} + - TURN_SERVER + - TURN_USER + - TURN_PASSWORD + - TURN_STATIC_AUTH_SECRET + - STUN_SERVER + - START_ROOM_URL + - SKIP_RENDER_OPTIMIZATIONS + - MAX_PER_GROUP + - MAX_USERNAME_LENGTH + - DISABLE_ANONYMOUS + - DISABLE_NOTIFICATIONS labels: - - "traefik.http.routers.front.rule=Host(`play.${DOMAIN}`)" - - "traefik.http.routers.front.entryPoints=web,traefik" + - "traefik.http.routers.front.rule=Host(`${FRONT_HOST}`)" + - "traefik.http.routers.front.entryPoints=web" - "traefik.http.services.front.loadbalancer.server.port=80" - - "traefik.http.routers.front-ssl.rule=Host(`play.${DOMAIN}`)" + - "traefik.http.routers.front-ssl.rule=Host(`${FRONT_HOST}`)" - "traefik.http.routers.front-ssl.entryPoints=websecure" - - "traefik.http.routers.front-ssl.tls=true" - "traefik.http.routers.front-ssl.service=front" + - "traefik.http.routers.front-ssl.tls=true" - "traefik.http.routers.front-ssl.tls.certresolver=myresolver" - restart: unless-stopped + restart: ${RESTART_POLICY} pusher: build: context: ../.. 
dockerfile: pusher/Dockerfile - #image: thecodingmachine/workadventure-pusher:master + #image: thecodingmachine/workadventure-pusher:${VERSION} command: yarn run runprod environment: - SECRET_JITSI_KEY: "$SECRET_JITSI_KEY" - SECRET_KEY: yourSecretKey - API_URL: back:50051 - JITSI_URL: $JITSI_URL - JITSI_ISS: $JITSI_ISS - FRONT_URL: https://play.${DOMAIN} + - SECRET_JITSI_KEY + - SECRET_KEY + - API_URL + - FRONT_URL=https://${FRONT_HOST} + - JITSI_URL + - JITSI_ISS + - DISABLE_ANONYMOUS labels: - - "traefik.http.routers.pusher.rule=Host(`pusher.${DOMAIN}`)" - - "traefik.http.routers.pusher.entryPoints=web,traefik" + - "traefik.http.routers.pusher.rule=Host(`${PUSHER_HOST}`)" + - "traefik.http.routers.pusher.entryPoints=web" - "traefik.http.services.pusher.loadbalancer.server.port=8080" - - "traefik.http.routers.pusher-ssl.rule=Host(`pusher.${DOMAIN}`)" + - "traefik.http.routers.pusher-ssl.rule=Host(${PUSHER_HOST}`)" - "traefik.http.routers.pusher-ssl.entryPoints=websecure" - - "traefik.http.routers.pusher-ssl.tls=true" - "traefik.http.routers.pusher-ssl.service=pusher" + - "traefik.http.routers.pusher-ssl.tls=true" - "traefik.http.routers.pusher-ssl.tls.certresolver=myresolver" - restart: unless-stopped + restart: ${RESTART_POLICY} back: build: context: ../.. 
dockerfile: back/Dockerfile - #image: thecodingmachine/workadventure-back:master + #image: thecodingmachine/workadventure-back:${VERSION} command: yarn run runprod environment: - SECRET_JITSI_KEY: "$SECRET_JITSI_KEY" - ADMIN_API_TOKEN: "$ADMIN_API_TOKEN" - ADMIN_API_URL: "$ADMIN_API_URL" - JITSI_URL: $JITSI_URL - JITSI_ISS: $JITSI_ISS + - SECRET_JITSI_KEY + - SECRET_KEY + - ADMIN_API_TOKEN + - ADMIN_API_URL + - TURN_SERVER + - TURN_USER + - TURN_PASSWORD + - TURN_STATIC_AUTH_SECRET + - STUN_SERVER + - JITSI_URL + - JITSI_ISS + - MAX_PER_GROUP + - STORE_VARIABLES_FOR_LOCAL_MAPS labels: - - "traefik.http.routers.back.rule=Host(`api.${DOMAIN}`)" + - "traefik.http.routers.back.rule=Host(`${BACK_HOST}`)" - "traefik.http.routers.back.entryPoints=web" - "traefik.http.services.back.loadbalancer.server.port=8080" - - "traefik.http.routers.back-ssl.rule=Host(`api.${DOMAIN}`)" + - "traefik.http.routers.back-ssl.rule=Host(`${BACK_HOST}`)" - "traefik.http.routers.back-ssl.entryPoints=websecure" - - "traefik.http.routers.back-ssl.tls=true" - "traefik.http.routers.back-ssl.service=back" + - "traefik.http.routers.back-ssl.tls=true" - "traefik.http.routers.back-ssl.tls.certresolver=myresolver" - restart: unless-stopped + restart: ${RESTART_POLICY} + + maps: + build: + context: ../.. 
+ Dockerfile: maps/Dockerfile + #image: thecodingmachine/workadventure-maps:${VERSION} + environment: + - DEBUG_MODE + - STARTUP_COMMAND_0=sudo a2enmod headers + - STARTUP_COMMAND_1=yarn install + - STARTUP_COMMAND_2=yarn run prod & + volumes: + - ${DATA_DIR}/maps:/var/www/html + labels: + - "traefik.http.routers.maps.rule=Host(`${MAPS_HOST}`)" + - "traefik.http.routers.maps.entryPoints=web" + - "traefik.http.services.maps.loadbalancer.server.port=80" + - "traefik.http.routers.maps-ssl.rule=Host(`${MAPS_HOST}`)" + - "traefik.http.routers.maps-ssl.entryPoints=websecure" + - "traefik.http.routers.maps-ssl.service=maps" + - "traefik.http.routers.maps-ssl.tls=true" + - "traefik.http.routers.maps-ssl.tls.certresolver=myresolver" + restart: ${RESTART_POLICY} icon: image: matthiasluedtke/iconserver:v3.13.0 labels: - - "traefik.http.routers.icon.rule=Host(`icon.${DOMAIN}`)" + - "traefik.http.routers.icon.rule=Host(`${ICON_HOST}`)" - "traefik.http.routers.icon.entryPoints=web,traefik" - "traefik.http.services.icon.loadbalancer.server.port=8080" - - "traefik.http.routers.icon-ssl.rule=Host(`icon.${DOMAIN}`)" + - "traefik.http.routers.icon-ssl.rule=Host(`${ICON_HOST}`)" - "traefik.http.routers.icon-ssl.entryPoints=websecure" - - "traefik.http.routers.icon-ssl.tls=true" - "traefik.http.routers.icon-ssl.service=icon" + - "traefik.http.routers.icon-ssl.tls=true" - "traefik.http.routers.icon-ssl.tls.certresolver=myresolver" From f8f6b8aad98de88f6d7045e307faaccf5c1113af Mon Sep 17 00:00:00 2001 From: Julian Euler Date: Wed, 9 Feb 2022 14:18:03 +0100 Subject: [PATCH 2/4] prod templates: add contact url & openID, move vars The old template was outdated. Added additional explanations to variables and divided them into sections. --- contrib/docker/.env.prod.template | 30 +++++++++++++++++++++++++----- 1 file changed, 25 insertions(+), 5 deletions(-) diff --git a/contrib/docker/.env.prod.template b/contrib/docker/.env.prod.template index 73ab5a2d..8ade4634 100644 
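Review bot: The new pusher-ssl rule `traefik.http.routers.pusher-ssl.rule=Host(${PUSHER_HOST}`)` is missing the opening backtick before `${PUSHER_HOST}` (compare the front-ssl and back-ssl rules), so Traefik will reject the rule and the HTTPS router for the pusher will not be created. The port parametrisation is also inconsistent: `--entryPoints.web.address=:${HTTP_PORT}` makes Traefik listen on that port inside the container while `"${HTTP_PORT}:80"` publishes the host port to container port 80, so any value other than 80/443 leaves the entrypoint unreachable; either keep the entrypoint addresses fixed at `:80`/`:443` or map `"${HTTP_PORT}:${HTTP_PORT}"` (and document that the ACME HTTP challenge still needs port 80 reachable from the internet). `TURN_STATIC_AUTH_SECRET` is now passed to the `front` container, which serves the browser bundle; if front/Dockerfile's templating injects it into the served configuration this would publish the TURN shared secret to every client, so it should be limited to pusher/back unless the front is confirmed not to expose it. While the reverse-proxy block is being rewritten, mount the socket read-only (`/var/run/docker.sock:/var/run/docker.sock:ro`) and add `--providers.docker.exposedbydefault=false` so only labelled services are routed. The icon router still lists the undefined `traefik` entrypoint (`entryPoints=web,traefik`) that this patch removes from front and pusher, and the commented staging line names `dnsresolver` although the only resolver defined is `myresolver`, so uncommenting it would have no effect.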
--- a/contrib/docker/.env.prod.template +++ b/contrib/docker/.env.prod.template @@ -10,10 +10,9 @@ ADMIN_API_TOKEN= # The base domain DOMAIN=workadventure.localhost -HTTP_PORT=80 -HTTPS_PORT=443 -# Subdomains (must match the DOMAIN variable above) +# Subdomains +# MUST match the DOMAIN variable above FRONT_HOST=front.workadventure.localhost PUSHER_HOST=pusher.workadventure.localhost BACK_HOST=api.workadventure.localhost @@ -30,12 +29,16 @@ DATA_DIR=./wa # The URL used by default, in the form: "/_/global/map/url.json" START_ROOM_URL=/_/global/maps.workadventu.re/Floor0/floor0.json +# If you want to have a contact page in your menu, +# you MUST set CONTACT_URL to the URL of the page that you want +CONTACT_URL= + MAX_PER_GROUP=4 MAX_USERNAME_LENGTH=8 DISABLE_ANONYMOUS=false # The version of the docker image to use -# (Must uncomment "image" keys in the docker-compose file) +# MUST uncomment "image" keys in the docker-compose file for it to be effective VERSION=master TZ=Europe/Paris @@ -60,7 +63,7 @@ SECRET_JITSI_KEY= TURN_SERVER= TURN_USER= TURN_PASSWORD= -# If your Turn server is configured to use the Turn REST API, you should put the shared auth secret here. +# If your Turn server is configured to use the Turn REST API, you MUST put the shared auth secret here. # If you are using Coturn, this is the value of the "static-auth-secret" parameter in your coturn config file. # Keep empty if you are sharing hard coded / clear text credentials. TURN_STATIC_AUTH_SECRET= 
@@ -74,11 +77,28 @@ STUN_SERVER= # The email address used by Let's encrypt to send renewal warnings (compulsory) ACME_EMAIL= +# +# Additional app configs +# Configuration for apps which are not workadventure itself +# + +# openID +OPID_CLIENT_ID= +OPID_CLIENT_SECRET= +OPID_CLIENT_ISSUER= +OPID_CLIENT_REDIRECT_URL= +OPID_LOGIN_SCREEN_PROVIDER=http://pusher.workadventure.localhost/login-screen +OPID_PROFILE_SCREEN_PROVIDER= + + # # Advanced configuration # Generally does not need to be changed # +# Networking +HTTP_PORT=80 +HTTPS_PORT=443 # Workadventure settings DISABLE_NOTIFICATIONS=false From 5aa46f6d84858b25dfdbb2009c5d0d363a4054b3 Mon Sep 17 00:00:00 2001 From: Julian Euler Date: Thu, 10 Feb 2022 10:18:44 +0100 Subject: [PATCH 3/4] prod template: move admin api URL and remove duplicate --- contrib/docker/.env.prod.template | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/contrib/docker/.env.prod.template b/contrib/docker/.env.prod.template index 8ade4634..5e9adc87 100644 --- a/contrib/docker/.env.prod.template +++ b/contrib/docker/.env.prod.template @@ -19,6 +19,9 @@ BACK_HOST=api.workadventure.localhost MAPS_HOST=maps.workadventure.localhost ICON_HOST=icon.workadventure.localhost +# SAAS admin panel +ADMIN_API_URL= + # # Basic configuration # @@ -111,7 +114,5 @@ LOG_LEVEL=WARN # Internal URLs API_URL=back:50051 -ADMIN_URL=//workadventure.localhost -ADMIN_API_URL= RESTART_POLICY=unless-stopped From 92f47286774804a1535e247069de1224db8b0591 Mon Sep 17 00:00:00 2001 From: Julian Euler Date: Thu, 10 Feb 2022 10:26:46 +0100 Subject: [PATCH 4/4] prod template: remove maps container As stated by moufmouf, this is only meant for testing and hosting maps --- contrib/docker/docker-compose.prod.yaml | 23 ----------------------- 1 file changed, 23 deletions(-) diff --git a/contrib/docker/docker-compose.prod.yaml b/contrib/docker/docker-compose.prod.yaml index 16af128a..80ed192b 100644 --- a/contrib/docker/docker-compose.prod.yaml 
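Review bot: The `OPID_*` variables added here are not forwarded to any container by the docker-compose.prod.yaml from the first patch (the pusher `environment:` list contains only SECRET_JITSI_KEY, SECRET_KEY, API_URL, FRONT_URL, JITSI_URL, JITSI_ISS and DISABLE_ANONYMOUS), so setting them in .env has no effect unless the pusher reads them by some other path; the same applies to `CONTACT_URL` from the earlier hunk. `OPID_LOGIN_SCREEN_PROVIDER=http://pusher.workadventure.localhost/login-screen` defaults to plain http and hard-codes the host instead of following `PUSHER_HOST`; since this template's Traefik redirects web to websecure, the default should be `OPID_LOGIN_SCREEN_PROVIDER=https://pusher.workadventure.localhost/login-screen` with a comment `# MUST be changed together with PUSHER_HOST`. `OPID_CLIENT_SECRET` is a credential like SECRET_KEY and would be better placed under the Security section with the same never-commit caveat.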
+++ b/contrib/docker/docker-compose.prod.yaml @@ -115,29 +115,6 @@ services: - "traefik.http.routers.back-ssl.tls.certresolver=myresolver" restart: ${RESTART_POLICY} - maps: - build: - context: ../.. - Dockerfile: maps/Dockerfile - #image: thecodingmachine/workadventure-maps:${VERSION} - environment: - - DEBUG_MODE - - STARTUP_COMMAND_0=sudo a2enmod headers - - STARTUP_COMMAND_1=yarn install - - STARTUP_COMMAND_2=yarn run prod & - volumes: - - ${DATA_DIR}/maps:/var/www/html - labels: - - "traefik.http.routers.maps.rule=Host(`${MAPS_HOST}`)" - - "traefik.http.routers.maps.entryPoints=web" - - "traefik.http.services.maps.loadbalancer.server.port=80" - - "traefik.http.routers.maps-ssl.rule=Host(`${MAPS_HOST}`)" - - "traefik.http.routers.maps-ssl.entryPoints=websecure" - - "traefik.http.routers.maps-ssl.service=maps" - - "traefik.http.routers.maps-ssl.tls=true" - - "traefik.http.routers.maps-ssl.tls.certresolver=myresolver" - restart: ${RESTART_POLICY} - icon: image: matthiasluedtke/iconserver:v3.13.0 labels: