Первая инструкция на коленке

.gitignore

@@ -0,0 +1,2 @@
+data
+settings

README.md

@@ -0,0 +1,50 @@
+Создаём виртуальный интерфейс и настраиваем на нём адрес 10.2.0.1/16
+
+Добавляем домены в /etc/hosts
+
+* wiki.r10x.net 10.2.0.1
+* wiki-minio.r10x.net 10.2.0.1
+
+Настраиваем файл settings/docker.env
+Создаём сертификат для keycloak
+
+```bash
+openssl genrsa -out ./settings/oidc/ca.key 4096
+openssl req -x509 -new -key ./settings/oidc/ca.key -days 3650 \
+-out ./settings/oidc/ca.crt -subj '/CN=keycloak'
+```
+
+Поднимаем Redis и Keycloack
+
+```
+docker up -d oidc redis
+```
+
+* Заходим на https://wiki.r10x.net:8443/
+* Создаём новый Realm
+* Создаём новый client, добавляем url и забираем credential key
+* Создаём пользователя
+
+Настраиваем docker.env
+
+Поднимаем outline и postgresql
+
+```
+openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
+    -keyout /etc/letsencrypt/wiki.r10x.net/private.key \
+    -out /etc/letsencrypt/wiki.r10x.net/public.crt \
+    -subj '/CN=wiki.r10x.net'
+```
+
+```
+openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
+    -keyout /etc/letsencrypt/wiki-minio.r10x/private.key \
+    -out /etc/letsencrypt/wiki-minio.r10x/public.crt \
+    -subj '/CN=wiki-minio.r10x.net'
+```
+
+```
+docker up -d outline db storage
+```
+
+http://wiki.r10x.net:8005/

docker-compose.yml

@@ -0,0 +1,118 @@
+services:
+  outline:
+    # image: docker.getoutline.com/outlinewiki/outline:latest
+    build: https://github.com/outline/outline.git
+    restart: always
+    environment:
+      NODE_TLS_REJECT_UNAUTHORIZED: 0
+    env_file: ./settings/docker.env
+    ports:
+      - "10.2.0.1:8005:3000"
+    depends_on:
+      - db
+      - redis
+      - storage
+
+  redis:
+    image: redis
+    env_file: ./settings/docker.env
+    restart: always
+    volumes:
+      - ./data/redis:/etc/redis
+    command: ["redis-server", "/etc/redis/redis.conf"]
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 10s
+      timeout: 30s
+      retries: 3
+
+  db:
+    image: postgres
+    env_file: ./settings/docker.env
+    restart: always
+    volumes:
+      - ./data/db:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD", "pg_isready"]
+      interval: 30s
+      timeout: 20s
+      retries: 3
+    environment:
+      POSTGRES_USER: 'outline'
+      POSTGRES_PASSWORD: 'outline'
+
+  storage:
+    image: minio/minio
+    env_file: ./settings/docker.env
+    restart: always
+    ports:
+      - "8006:8006"
+      - "9001:9001"
+    command: |
+      minio server
+      --address 0.0.0.0:8006
+      --console-address 0.0.0.0:9001
+      /data
+    deploy:
+      restart_policy:
+        condition: on-failure
+    volumes:
+      - ./data/storage:/data
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8006/minio/health/live"]
+      interval: 30s
+      timeout: 20s
+      retries: 3
+
+#  https-portal:
+#    image: steveltn/https-portal
+#    env_file: ./settings/docker.env
+#    ports:
+#      - '10.2.0.1:8005:80'
+#      - '443:443'
+#    links:
+#      - outline
+#      - storage
+#    restart: always
+#    volumes:
+#      - ./data/portal:/var/lib/https-portal
+#    healthcheck:
+#      test: ["CMD", "service", "nginx", "status"]
+#      interval: 30s
+#      timeout: 20s
+#      retries: 3
+#    environment:
+#      DOMAINS: 'wiki.r10x.net -> http://outline:3000'
+#      STAGE: 'production'
+#      WEBSOCKET: 'true'
+
+  oidc:
+    image: quay.io/keycloak/keycloak
+    restart: always
+    command: start-dev --hostname-strict false
+    ports:
+      - 8080:8080
+      - 8443:8443
+    environment:
+      KEYCLOAK_ADMIN: admin
+      KEYCLOAK_ADMIN_PASSWORD: admin
+      DB_VENDOR: h2
+      KC_HOSTNAME_STRICT_HTTPS: 'false'
+      KC_HTTPS_CERTIFICATE_FILE: /mnt/cert/ca.crt
+      KC_HTTPS_CERTIFICATE_KEY_FILE: /mnt/cert/ca.key
+    volumes:
+      - ./settings/oidc/howtodoinjava-realm.json:/opt/keycloak/data/import/howtodoinjava-realm.json
+      - ./settings/oidc/ca.key:/mnt/cert/ca.key
+      - ./settings/oidc/ca.crt:/mnt/cert/ca.crt
+
+  # authelia:
+  #   image: docker.io/authelia/authelia:latest
+  #   ports:
+  #     - 9091:9091
+  #   volumes:
+  #     - ./settings/authelia:/config
+
+#volumes:
+#  https-portal-data:
+#  storage-data:
+#  database-data:

docker.env

@@ -0,0 +1,226 @@
+# –––––––––––––––– REQUIRED ––––––––––––––––
+
+NODE_ENV=production
+
+# Generate a hex-encoded 32-byte random key. You should use `openssl rand -hex 32`
+# in your terminal to generate a random value.
+SECRET_KEY=generate_a_new_key
+
+# Generate a unique random key. The format is not important but you could still use
+# `openssl rand -hex 32` in your terminal to produce this.
+UTILS_SECRET=generate_a_new_key
+
+# For production point these at your databases, in development the default
+# should work out of the box.
+DATABASE_URL=postgres://user:pass@localhost:5432/outline
+DATABASE_CONNECTION_POOL_MIN=
+DATABASE_CONNECTION_POOL_MAX=
+# Uncomment this to disable SSL for connecting to Postgres
+# PGSSLMODE=disable
+
+# For redis you can either specify an ioredis compatible url like this
+REDIS_URL=redis://localhost:6379
+# or alternatively, if you would like to provide additional connection options,
+# use a base64 encoded JSON connection option object. Refer to the ioredis documentation
+# for a list of available options.
+# Example: Use Redis Sentinel for high availability
+# {"sentinels":[{"host":"sentinel-0","port":26379},{"host":"sentinel-1","port":26379}],"name":"mymaster"}
+# REDIS_URL=ioredis://eyJzZW50aW5lbHMiOlt7Imhvc3QiOiJzZW50aW5lbC0wIiwicG9ydCI6MjYzNzl9LHsiaG9zdCI6InNlbnRpbmVsLTEiLCJwb3J0IjoyNjM3OX1dLCJuYW1lIjoibXltYXN0ZXIifQ==
+
+# URL should point to the fully qualified, publicly accessible URL. If using a
+# proxy the port in URL and PORT may be different.
+URL=
+PORT=3000
+
+# See [documentation](docs/SERVICES.md) on running a separate collaboration
+# server, for normal operation this does not need to be set.
+COLLABORATION_URL=
+
+# Specify what storage system to use. Possible value is one of "s3" or "local".
+# For "local", the avatar images and document attachments will be saved on local disk. 
+FILE_STORAGE=local
+
+# If "local" is configured for FILE_STORAGE above, then this sets the parent directory under
+# which all attachments/images go. Make sure that the process has permissions to create
+# this path and also to write files to it.
+FILE_STORAGE_LOCAL_ROOT_DIR=/var/lib/outline/data
+
+# Maximum allowed size for the uploaded attachment.
+FILE_STORAGE_UPLOAD_MAX_SIZE=262144000
+
+# Override the maximum size of document imports, generally this should be lower
+# than the document attachment maximum size.
+FILE_STORAGE_IMPORT_MAX_SIZE=
+
+# Override the maximum size of workspace imports, these can be especially large
+# and the files are temporary being automatically deleted after a period of time.
+FILE_STORAGE_WORKSPACE_IMPORT_MAX_SIZE=
+
+# To support uploading of images for avatars and document attachments in a distributed 
+# architecture an s3-compatible storage can be configured if FILE_STORAGE=s3 above.
+AWS_ACCESS_KEY_ID=get_a_key_from_aws
+AWS_SECRET_ACCESS_KEY=get_the_secret_of_above_key
+AWS_REGION=xx-xxxx-x
+AWS_S3_ACCELERATE_URL=
+AWS_S3_UPLOAD_BUCKET_URL=http://s3:4569
+AWS_S3_UPLOAD_BUCKET_NAME=bucket_name_here
+AWS_S3_FORCE_PATH_STYLE=true
+AWS_S3_ACL=private
+
+# –––––––––––––– AUTHENTICATION ––––––––––––––
+
+# Third party signin credentials, at least ONE OF EITHER Google, Slack,
+# or Microsoft is required for a working installation or you'll have no sign-in
+# options.
+
+# To configure Slack auth, you'll need to create an Application at
+# => https://api.slack.com/apps
+#
+# When configuring the Client ID, add a redirect URL under "OAuth & Permissions":
+# https://<URL>/auth/slack.callback
+SLACK_CLIENT_ID=get_a_key_from_slack
+SLACK_CLIENT_SECRET=get_the_secret_of_above_key
+
+# To configure Google auth, you'll need to create an OAuth Client ID at
+# => https://console.cloud.google.com/apis/credentials
+#
+# When configuring the Client ID, add an Authorized redirect URI:
+# https://<URL>/auth/google.callback
+GOOGLE_CLIENT_ID=
+GOOGLE_CLIENT_SECRET=
+
+# To configure Microsoft/Azure auth, you'll need to create an OAuth Client. See
+# the guide for details on setting up your Azure App:
+# => https://wiki.generaloutline.com/share/dfa77e56-d4d2-4b51-8ff8-84ea6608faa4
+AZURE_CLIENT_ID=
+AZURE_CLIENT_SECRET=
+AZURE_RESOURCE_APP_ID=
+
+# To configure generic OIDC auth, you'll need some kind of identity provider.
+# See documentation for whichever IdP you use to acquire the following info:
+# Redirect URI is https://<URL>/auth/oidc.callback
+OIDC_CLIENT_ID=
+OIDC_CLIENT_SECRET=
+OIDC_AUTH_URI=
+OIDC_TOKEN_URI=
+OIDC_USERINFO_URI=
+OIDC_LOGOUT_URI=
+
+# Specify which claims to derive user information from
+# Supports any valid JSON path with the JWT payload
+OIDC_USERNAME_CLAIM=preferred_username
+
+# Display name for OIDC authentication
+OIDC_DISPLAY_NAME=OpenID Connect
+
+# Space separated auth scopes.
+OIDC_SCOPES=openid profile email
+
+# To configure the GitHub integration, you'll need to create a GitHub App at
+# => https://github.com/settings/apps
+#
+# When configuring the Client ID, add a redirect URL under "Permissions & events":
+# https://<URL>/api/github.callback
+GITHUB_CLIENT_ID=
+GITHUB_CLIENT_SECRET=
+GITHUB_APP_NAME=
+GITHUB_APP_ID=
+GITHUB_APP_PRIVATE_KEY=
+
+# To configure Discord auth, you'll need to create a Discord Application at
+# => https://discord.com/developers/applications/
+#
+# When configuring the Client ID, add a redirect URL under "OAuth2":
+# https://<URL>/auth/discord.callback
+DISCORD_CLIENT_ID=
+DISCORD_CLIENT_SECRET=
+
+# DISCORD_SERVER_ID should be the ID of the Discord server that Outline is
+# integrated with. 
+# Used to verify that the user is a member of the server as well as server
+# metadata such as nicknames, server icon and name.
+DISCORD_SERVER_ID=
+
+# DISCORD_SERVER_ROLES should be a comma separated list of role IDs that are
+# allowed to access Outline. If this is not set, all members of the server
+# will be allowed to access Outline.
+# DISCORD_SERVER_ID and DISCORD_SERVER_ROLES must be set together.
+DISCORD_SERVER_ROLES=
+
+# –––––––––––––––– OPTIONAL ––––––––––––––––
+
+# Base64 encoded private key and certificate for HTTPS termination. This is only
+# required if you do not use an external reverse proxy. See documentation:
+# https://wiki.generaloutline.com/share/1c922644-40d8-41fe-98f9-df2b67239d45
+SSL_KEY=
+SSL_CERT=
+
+# If using a Cloudfront/Cloudflare distribution or similar it can be set below.
+# This will cause paths to javascript, stylesheets, and images to be updated to
+# the hostname defined in CDN_URL. In your CDN configuration the origin server
+# should be set to the same as URL.
+CDN_URL=
+
+# Auto-redirect to https in production. The default is true but you may set to
+# false if you can be sure that SSL is terminated at an external loadbalancer.
+FORCE_HTTPS=true
+
+# Have the installation check for updates by sending anonymized statistics to
+# the maintainers
+ENABLE_UPDATES=true
+
+# How many processes should be spawned. As a reasonable rule divide your servers
+# available memory by 512 for a rough estimate
+WEB_CONCURRENCY=1
+
+# You can remove this line if your reverse proxy already logs incoming http
+# requests and this ends up being duplicative
+DEBUG=http
+
+# Configure lowest severity level for server logs. Should be one of
+# error, warn, info, http, verbose, debug and silly
+LOG_LEVEL=info
+
+# For a complete Slack integration with search and posting to channels the
+# following configs are also needed, some more details
+# => https://wiki.generaloutline.com/share/be25efd1-b3ef-4450-b8e5-c4a4fc11e02a
+#
+SLACK_VERIFICATION_TOKEN=your_token
+SLACK_APP_ID=A0XXXXXXX
+SLACK_MESSAGE_ACTIONS=true
+
+# For Dropbox integration, follow these instructions to get the key https://www.dropbox.com/developers/embedder#setup
+# and do not forget to whitelist your domain name in the app settings
+DROPBOX_APP_KEY=
+
+# Optionally enable Sentry (sentry.io) to track errors and performance,
+# and optionally add a Sentry proxy tunnel for bypassing ad blockers in the UI:
+# https://docs.sentry.io/platforms/javascript/troubleshooting/#using-the-tunnel-option)
+SENTRY_DSN=
+SENTRY_TUNNEL=
+
+# To support sending outgoing transactional emails such as "document updated" or
+# "you've been invited" you'll need to provide authentication for an SMTP server
+SMTP_HOST=
+SMTP_PORT=
+SMTP_USERNAME=
+SMTP_PASSWORD=
+SMTP_FROM_EMAIL=
+SMTP_REPLY_EMAIL=
+SMTP_TLS_CIPHERS=
+SMTP_SECURE=true
+
+# The default interface language. See translate.getoutline.com for a list of
+# available language codes and their rough percentage translated.
+DEFAULT_LANGUAGE=en_US
+
+# Optionally enable rate limiter at application web server
+RATE_LIMITER_ENABLED=true
+
+# Configure default throttling parameters for rate limiter
+RATE_LIMITER_REQUESTS=1000
+RATE_LIMITER_DURATION_WINDOW=60
+
+# Iframely API config
+IFRAMELY_URL=
+IFRAMELY_API_KEY=