Первая инструкция на коленке

2024-09-05 10:16:31 +03:00
parent d3248c51fc
commit 7900d8bc09
5 changed files with 396 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
 data
 settings
--- a/README.md
+++ b/README.md
@@ -0,0 +1,50 @@
 Создаём виртуальный интерфейс и настраиваем на нём адрес 10.2.0.1/16
 Добавляем домены в /etc/hosts
 * wiki.r10x.net 10.2.0.1
 * wiki-minio.r10x.net 10.2.0.1
 Настраиваем файл settings/docker.env
 Создаём сертификат для keycloak
 ```bash
 openssl genrsa -out ./settings/oidc/ca.key 4096
 openssl req -x509 -new -key ./settings/oidc/ca.key -days 3650 \
 -out ./settings/oidc/ca.crt -subj '/CN=keycloak'
 ```
 Поднимаем Redis и Keycloack
 ```
 docker up -d oidc redis
 ```
 * Заходим на https://wiki.r10x.net:8443/
 * Создаём новый Realm
 * Создаём новый client, добавляем url и забираем credential key
 * Создаём пользователя
 Настраиваем docker.env
 Поднимаем outline и postgresql
 ```
 openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
    -keyout /etc/letsencrypt/wiki.r10x.net/private.key \
    -out /etc/letsencrypt/wiki.r10x.net/public.crt \
    -subj '/CN=wiki.r10x.net'
 ```
 ```
 openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
    -keyout /etc/letsencrypt/wiki-minio.r10x/private.key \
    -out /etc/letsencrypt/wiki-minio.r10x/public.crt \
    -subj '/CN=wiki-minio.r10x.net'
 ```
 ```
 docker up -d outline db storage
 ```
 http://wiki.r10x.net:8005/
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -0,0 +1,118 @@
 services:
  outline:
    # image: docker.getoutline.com/outlinewiki/outline:latest
    build: https://github.com/outline/outline.git
    restart: always
    environment:
      NODE_TLS_REJECT_UNAUTHORIZED: 0
    env_file: ./settings/docker.env
    ports:
      - "10.2.0.1:8005:3000"
    depends_on:
      - db
      - redis
      - storage
  redis:
    image: redis
    env_file: ./settings/docker.env
    restart: always
    volumes:
      - ./data/redis:/etc/redis
    command: ["redis-server", "/etc/redis/redis.conf"]
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 10s
      timeout: 30s
      retries: 3
  db:
    image: postgres
    env_file: ./settings/docker.env
    restart: always
    volumes:
      - ./data/db:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD", "pg_isready"]
      interval: 30s
      timeout: 20s
      retries: 3
    environment:
      POSTGRES_USER: 'outline'
      POSTGRES_PASSWORD: 'outline'
  storage:
    image: minio/minio
    env_file: ./settings/docker.env
    restart: always
    ports:
      - "8006:8006"
      - "9001:9001"
    command: |
      minio server
      --address 0.0.0.0:8006
      --console-address 0.0.0.0:9001
      /data
    deploy:
      restart_policy:
        condition: on-failure
    volumes:
      - ./data/storage:/data
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8006/minio/health/live"]
      interval: 30s
      timeout: 20s
      retries: 3
 #  https-portal:
 #    image: steveltn/https-portal
 #    env_file: ./settings/docker.env
 #    ports:
 #      - '10.2.0.1:8005:80'
 #      - '443:443'
 #    links:
 #      - outline
 #      - storage
 #    restart: always
 #    volumes:
 #      - ./data/portal:/var/lib/https-portal
 #    healthcheck:
 #      test: ["CMD", "service", "nginx", "status"]
 #      interval: 30s
 #      timeout: 20s
 #      retries: 3
 #    environment:
 #      DOMAINS: 'wiki.r10x.net -> http://outline:3000'
 #      STAGE: 'production'
 #      WEBSOCKET: 'true'
  oidc:
    image: quay.io/keycloak/keycloak
    restart: always
    command: start-dev --hostname-strict false
    ports:
      - 8080:8080
      - 8443:8443
    environment:
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: admin
      DB_VENDOR: h2
      KC_HOSTNAME_STRICT_HTTPS: 'false'
      KC_HTTPS_CERTIFICATE_FILE: /mnt/cert/ca.crt
      KC_HTTPS_CERTIFICATE_KEY_FILE: /mnt/cert/ca.key
    volumes:
      - ./settings/oidc/howtodoinjava-realm.json:/opt/keycloak/data/import/howtodoinjava-realm.json
      - ./settings/oidc/ca.key:/mnt/cert/ca.key
      - ./settings/oidc/ca.crt:/mnt/cert/ca.crt
  # authelia:
  #   image: docker.io/authelia/authelia:latest
  #   ports:
  #     - 9091:9091
  #   volumes:
  #     - ./settings/authelia:/config
 #volumes:
 #  https-portal-data:
 #  storage-data:
 #  database-data:
--- a/docker.env
+++ b/docker.env
@@ -0,0 +1,226 @@
 # –––––––––––––––– REQUIRED ––––––––––––––––
 NODE_ENV=production
 # Generate a hex-encoded 32-byte random key. You should use `openssl rand -hex 32`
 # in your terminal to generate a random value.
 SECRET_KEY=generate_a_new_key
 # Generate a unique random key. The format is not important but you could still use
 # `openssl rand -hex 32` in your terminal to produce this.
 UTILS_SECRET=generate_a_new_key
 # For production point these at your databases, in development the default
 # should work out of the box.
 DATABASE_URL=postgres://user:pass@localhost:5432/outline
 DATABASE_CONNECTION_POOL_MIN=
 DATABASE_CONNECTION_POOL_MAX=
 # Uncomment this to disable SSL for connecting to Postgres
 # PGSSLMODE=disable
 # For redis you can either specify an ioredis compatible url like this
 REDIS_URL=redis://localhost:6379
 # or alternatively, if you would like to provide additional connection options,
 # use a base64 encoded JSON connection option object. Refer to the ioredis documentation
 # for a list of available options.
 # Example: Use Redis Sentinel for high availability
 # {"sentinels":[{"host":"sentinel-0","port":26379},{"host":"sentinel-1","port":26379}],"name":"mymaster"}
 # REDIS_URL=ioredis://eyJzZW50aW5lbHMiOlt7Imhvc3QiOiJzZW50aW5lbC0wIiwicG9ydCI6MjYzNzl9LHsiaG9zdCI6InNlbnRpbmVsLTEiLCJwb3J0IjoyNjM3OX1dLCJuYW1lIjoibXltYXN0ZXIifQ==
 # URL should point to the fully qualified, publicly accessible URL. If using a
 # proxy the port in URL and PORT may be different.
 URL=
 PORT=3000
 # See [documentation](docs/SERVICES.md) on running a separate collaboration
 # server, for normal operation this does not need to be set.
 COLLABORATION_URL=
 # Specify what storage system to use. Possible value is one of "s3" or "local".
 # For "local", the avatar images and document attachments will be saved on local disk. 
 FILE_STORAGE=local
 # If "local" is configured for FILE_STORAGE above, then this sets the parent directory under
 # which all attachments/images go. Make sure that the process has permissions to create
 # this path and also to write files to it.
 FILE_STORAGE_LOCAL_ROOT_DIR=/var/lib/outline/data
 # Maximum allowed size for the uploaded attachment.
 FILE_STORAGE_UPLOAD_MAX_SIZE=262144000
 # Override the maximum size of document imports, generally this should be lower
 # than the document attachment maximum size.
 FILE_STORAGE_IMPORT_MAX_SIZE=
 # Override the maximum size of workspace imports, these can be especially large
 # and the files are temporary being automatically deleted after a period of time.
 FILE_STORAGE_WORKSPACE_IMPORT_MAX_SIZE=
 # To support uploading of images for avatars and document attachments in a distributed 
 # architecture an s3-compatible storage can be configured if FILE_STORAGE=s3 above.
 AWS_ACCESS_KEY_ID=get_a_key_from_aws
 AWS_SECRET_ACCESS_KEY=get_the_secret_of_above_key
 AWS_REGION=xx-xxxx-x
 AWS_S3_ACCELERATE_URL=
 AWS_S3_UPLOAD_BUCKET_URL=http://s3:4569
 AWS_S3_UPLOAD_BUCKET_NAME=bucket_name_here
 AWS_S3_FORCE_PATH_STYLE=true
 AWS_S3_ACL=private
 # –––––––––––––– AUTHENTICATION ––––––––––––––
 # Third party signin credentials, at least ONE OF EITHER Google, Slack,
 # or Microsoft is required for a working installation or you'll have no sign-in
 # options.
 # To configure Slack auth, you'll need to create an Application at
 # => https://api.slack.com/apps
 #
 # When configuring the Client ID, add a redirect URL under "OAuth & Permissions":
 # https://<URL>/auth/slack.callback
 SLACK_CLIENT_ID=get_a_key_from_slack
 SLACK_CLIENT_SECRET=get_the_secret_of_above_key
 # To configure Google auth, you'll need to create an OAuth Client ID at
 # => https://console.cloud.google.com/apis/credentials
 #
 # When configuring the Client ID, add an Authorized redirect URI:
 # https://<URL>/auth/google.callback
 GOOGLE_CLIENT_ID=
 GOOGLE_CLIENT_SECRET=
 # To configure Microsoft/Azure auth, you'll need to create an OAuth Client. See
 # the guide for details on setting up your Azure App:
 # => https://wiki.generaloutline.com/share/dfa77e56-d4d2-4b51-8ff8-84ea6608faa4
 AZURE_CLIENT_ID=
 AZURE_CLIENT_SECRET=
 AZURE_RESOURCE_APP_ID=
 # To configure generic OIDC auth, you'll need some kind of identity provider.
 # See documentation for whichever IdP you use to acquire the following info:
 # Redirect URI is https://<URL>/auth/oidc.callback
 OIDC_CLIENT_ID=
 OIDC_CLIENT_SECRET=
 OIDC_AUTH_URI=
 OIDC_TOKEN_URI=
 OIDC_USERINFO_URI=
 OIDC_LOGOUT_URI=
 # Specify which claims to derive user information from
 # Supports any valid JSON path with the JWT payload
 OIDC_USERNAME_CLAIM=preferred_username
 # Display name for OIDC authentication
 OIDC_DISPLAY_NAME=OpenID Connect
 # Space separated auth scopes.
 OIDC_SCOPES=openid profile email
 # To configure the GitHub integration, you'll need to create a GitHub App at
 # => https://github.com/settings/apps
 #
 # When configuring the Client ID, add a redirect URL under "Permissions & events":
 # https://<URL>/api/github.callback
 GITHUB_CLIENT_ID=
 GITHUB_CLIENT_SECRET=
 GITHUB_APP_NAME=
 GITHUB_APP_ID=
 GITHUB_APP_PRIVATE_KEY=
 # To configure Discord auth, you'll need to create a Discord Application at
 # => https://discord.com/developers/applications/
 #
 # When configuring the Client ID, add a redirect URL under "OAuth2":
 # https://<URL>/auth/discord.callback
 DISCORD_CLIENT_ID=
 DISCORD_CLIENT_SECRET=
 # DISCORD_SERVER_ID should be the ID of the Discord server that Outline is
 # integrated with. 
 # Used to verify that the user is a member of the server as well as server
 # metadata such as nicknames, server icon and name.
 DISCORD_SERVER_ID=
 # DISCORD_SERVER_ROLES should be a comma separated list of role IDs that are
 # allowed to access Outline. If this is not set, all members of the server
 # will be allowed to access Outline.
 # DISCORD_SERVER_ID and DISCORD_SERVER_ROLES must be set together.
 DISCORD_SERVER_ROLES=
 # –––––––––––––––– OPTIONAL ––––––––––––––––
 # Base64 encoded private key and certificate for HTTPS termination. This is only
 # required if you do not use an external reverse proxy. See documentation:
 # https://wiki.generaloutline.com/share/1c922644-40d8-41fe-98f9-df2b67239d45
 SSL_KEY=
 SSL_CERT=
 # If using a Cloudfront/Cloudflare distribution or similar it can be set below.
 # This will cause paths to javascript, stylesheets, and images to be updated to
 # the hostname defined in CDN_URL. In your CDN configuration the origin server
 # should be set to the same as URL.
 CDN_URL=
 # Auto-redirect to https in production. The default is true but you may set to
 # false if you can be sure that SSL is terminated at an external loadbalancer.
 FORCE_HTTPS=true
 # Have the installation check for updates by sending anonymized statistics to
 # the maintainers
 ENABLE_UPDATES=true
 # How many processes should be spawned. As a reasonable rule divide your servers
 # available memory by 512 for a rough estimate
 WEB_CONCURRENCY=1
 # You can remove this line if your reverse proxy already logs incoming http
 # requests and this ends up being duplicative
 DEBUG=http
 # Configure lowest severity level for server logs. Should be one of
 # error, warn, info, http, verbose, debug and silly
 LOG_LEVEL=info
 # For a complete Slack integration with search and posting to channels the
 # following configs are also needed, some more details
 # => https://wiki.generaloutline.com/share/be25efd1-b3ef-4450-b8e5-c4a4fc11e02a
 #
 SLACK_VERIFICATION_TOKEN=your_token
 SLACK_APP_ID=A0XXXXXXX
 SLACK_MESSAGE_ACTIONS=true
 # For Dropbox integration, follow these instructions to get the key https://www.dropbox.com/developers/embedder#setup
 # and do not forget to whitelist your domain name in the app settings
 DROPBOX_APP_KEY=
 # Optionally enable Sentry (sentry.io) to track errors and performance,
 # and optionally add a Sentry proxy tunnel for bypassing ad blockers in the UI:
 # https://docs.sentry.io/platforms/javascript/troubleshooting/#using-the-tunnel-option)
 SENTRY_DSN=
 SENTRY_TUNNEL=
 # To support sending outgoing transactional emails such as "document updated" or
 # "you've been invited" you'll need to provide authentication for an SMTP server
 SMTP_HOST=
 SMTP_PORT=
 SMTP_USERNAME=
 SMTP_PASSWORD=
 SMTP_FROM_EMAIL=
 SMTP_REPLY_EMAIL=
 SMTP_TLS_CIPHERS=
 SMTP_SECURE=true
 # The default interface language. See translate.getoutline.com for a list of
 # available language codes and their rough percentage translated.
 DEFAULT_LANGUAGE=en_US
 # Optionally enable rate limiter at application web server
 RATE_LIMITER_ENABLED=true
 # Configure default throttling parameters for rate limiter
 RATE_LIMITER_REQUESTS=1000
 RATE_LIMITER_DURATION_WINDOW=60
 # Iframely API config
 IFRAMELY_URL=
 IFRAMELY_API_KEY=
--- a/settings/oidc/howtodoinjava-realm.json
+++ b/settings/oidc/howtodoinjava-realm.json