From cab33b7005e9857dfdfdc0670b96d2cd100582ae Mon Sep 17 00:00:00 2001 From: thekettu Date: Sun, 22 Apr 2018 16:15:55 -0700 Subject: Add IPv6 NAT and use Nginx in a container --- deploy/conf/nginx.conf | 42 ++++------ deploy/docker-compose.yml | 149 ++++++++++++++++++++++++++++-------- deploy/scripts/update-containers.sh | 2 +- 3 files changed, 134 insertions(+), 59 deletions(-) diff --git a/deploy/conf/nginx.conf b/deploy/conf/nginx.conf index e005f86..7804345 100644 --- a/deploy/conf/nginx.conf +++ b/deploy/conf/nginx.conf @@ -3,8 +3,8 @@ map $http_upgrade $connection_upgrade { '' close; } -upstream netdata { - server 127.0.0.1:19999; +upstream dockernetdata { + server netdata:19999; keepalive 64; } @@ -12,8 +12,8 @@ server { listen 80; listen [::]:80; - server_name plural.cafe; - root /home/mastodon/public; + server_name $NGINX_HOST; + root /var/www/html; location /.well-known/acme-challenge/ { allow all; @@ -32,15 +32,14 @@ server { server_tokens off; ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE+CHACHA20:AES256+EECDH:AES256+EDH:!aNULL; - ssl_ecdh_curve X25519:secp521r1:secp384r1; + ssl_ciphers '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES'; + ssl_ecdh_curve X25519:secp384r1; ssl_prefer_server_ciphers on; ssl_session_cache shared:TLS:2m; ssl_session_timeout 10m; ssl_session_tickets off; ssl_stapling on; ssl_stapling_verify on; - ssl_dhparam /etc/ssl/dhparam.pem; keepalive_timeout 70; sendfile on; 
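Review bot: The `ssl_ciphers` and `ssl_ecdh_curve` lines changed in the -32 hunk belong to the server block whose only listen directives are `listen 80;` and `listen [::]:80;` (hunk at -12), so nginx never negotiates TLS on it and these settings, together with the surrounding `ssl_session_*`, `ssl_stapling` and `ssl_protocols` directives, are inert. Carrying a second copy of the TLS policy in the plain-HTTP vhost only lets it drift from the real one in the 443 server further down, which is exactly what happened here when the two blocks previously disagreed on protocol order. I would delete the `ssl_*` directives from this block and keep only what the plain-HTTP vhost actually uses, with a comment such as `# plain-HTTP vhost: ACME challenge only; TLS policy lives in the 443 server`. The server block continues past the end of this hunk.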
@@ -66,19 +65,18 @@ server { listen 443 ssl http2; listen [::]:443 ssl http2; - server_name plural.cafe; + server_name $NGINX_HOST; server_tokens off; - ssl_protocols TLSv1.3 TLSv1.2; - ssl_ciphers ECDHE+CHACHA20:AES256+EECDH:AES256+EDH:!aNULL; - ssl_ecdh_curve X25519:secp521r1:secp384r1; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES'; + ssl_ecdh_curve X25519:secp384r1; ssl_prefer_server_ciphers on; ssl_session_cache shared:TLS:2m; ssl_session_timeout 10m; ssl_session_tickets off; ssl_stapling on; ssl_stapling_verify on; - ssl_dhparam /etc/ssl/dhparam.pem; keepalive_timeout 70; sendfile on; @@ -90,14 +88,14 @@ server { add_header Referrer-Policy "same-origin"; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; - ssl_certificate /home/mastodon/.acme.sh/certs/fullchain.pem; - ssl_certificate_key /home/mastodon/.acme.sh/certs/privkey.pem; - ssl_trusted_certificate /home/mastodon/.acme.sh/certs/cert.pem; + ssl_certificate /etc/ssl/fullchain.pem; + ssl_certificate_key /etc/ssl/privkey.pem; + ssl_trusted_certificate /etc/ssl/cert.pem; resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; resolver_timeout 5s; - root /home/mastodon/public; + root /var/www/html; #add_header Content-Security-Policy "Content-Security-Policy: frame-ancestors 'none'; object-src 'none'; script-src 'self'; base-uri 'none';"; add_header Access-Control-Allow-Origin "https://$host"; @@ -107,12 +105,6 @@ server { try_files $uri @proxy; } -# location /_matrix { -# proxy_pass http://127.0.0.1:8008; -# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; -# proxy_pass_request_headers on; -# } - location /sw.js { add_header Cache-Control "public, max-age=0"; try_files $uri @proxy; 
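Review bot: The new `ssl_ciphers` list in the -66 hunk re-enables static-RSA key exchange (`RSA+AES128`, `RSA+AES256`, `RSA+3DES`) and 3DES (`ECDHE+3DES`, `RSA+3DES`), both of which the list it replaces (`ECDHE+CHACHA20:AES256+EECDH:AES256+EDH:!aNULL`) excluded: static RSA gives no forward secrecy and 3DES is a 64-bit block cipher that should not be offered on a public endpoint. Since the compose change mounts the certificate from an acme.sh `_ecc` directory, the `RSA+*` and `ECDHE-RSA-*` suites can never be negotiated with that ECDSA key anyway, but `ECDHE+3DES` expands to `ECDHE-ECDSA-DES-CBC3-SHA` and is live; `ssl_prefer_server_ciphers on` only orders what is offered, so a client proposing nothing but 3DES is still accepted. I would trim it to `ssl_ciphers '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE+AES128:ECDHE+AES256';` — dropping `ssl_dhparam` remains correct because no DHE suites are left. One caveat: the `[a|b|c]` equal-preference syntax is only understood by TLS libraries that implement it; if the library inside `nginx:mainline-alpine` does not, nginx rejects the whole configuration at startup, so run `nginx -t` in the container before relying on the restart loop.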
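Review bot: `ssl_trusted_certificate /etc/ssl/cert.pem` in the -90 hunk is paired with `ssl_stapling_verify on`, but the compose file mounts `${NGINX_HOST}.cer` — acme.sh's leaf certificate — at that path, and nginx verifies the stapled OCSP response against the issuer chain supplied by this directive, not against the leaf. With only the leaf present I would expect verification to fail and nginx to log an OCSP error and serve no staple, quietly losing what `ssl_stapling on` was meant to provide. The full chain is already mounted, so `ssl_trusted_certificate /etc/ssl/fullchain.pem;` is the one-line fix, or mount acme.sh's `ca.cer` for an issuer-only bundle. Separately, the unchanged `add_header Access-Control-Allow-Origin "https://$host";` reflects whatever Host header the client sent; if this is the only 443 server it is also the default one and the header echoes arbitrary names, so now that the hostname is templated it is worth pinning to `https://$NGINX_HOST`.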
@@ -133,7 +125,7 @@ server { proxy_pass_request_headers on; proxy_set_header Connection "keep-alive"; proxy_store off; - proxy_pass http://netdata/$ndpath$is_args$args; + proxy_pass http://dockernetdata/$ndpath$is_args$args; gzip on; gzip_proxied any; @@ -167,7 +159,7 @@ server { proxy_set_header Proxy ""; proxy_pass_header Server; - proxy_pass http://127.0.0.1:3000; + proxy_pass http://mstweb:3000; proxy_buffering on; proxy_redirect off; proxy_http_version 1.1; @@ -190,7 +182,7 @@ server { proxy_set_header X-Forwarded-Proto https; proxy_set_header Proxy ""; - proxy_pass http://127.0.0.1:4000; + proxy_pass http://mststreaming:4000; proxy_buffering off; proxy_redirect off; proxy_http_version 1.1; diff --git a/deploy/docker-compose.yml b/deploy/docker-compose.yml index f89755f..ed09d0c 100644 --- a/deploy/docker-compose.yml +++ b/deploy/docker-compose.yml 
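Review bot: `proxy_pass http://mstweb:3000;` in the -167 hunk (likewise `http://mststreaming:4000;` and `server netdata:19999;` in the neighbouring hunks) is a literal hostname, which nginx resolves once when it loads the configuration: if any of those containers is not running when the nginx container starts, nginx exits with "host not found in upstream", and the compose file gives the `nginx` service no `depends_on`, so only `restart: always` papers over the ordering. The same start-time resolution means a recreated `mstweb` with a new address keeps receiving nothing — nginx continues proxying to the stale IP until it is reloaded. Adding `depends_on: [mstweb, mststreaming, netdata]` to the nginx service fixes start order; picking up address changes would need a variable-based `proxy_pass` with `resolver 127.0.0.11`, which conflicts with the public `resolver 1.1.1.1 ...` this server block already uses for OCSP, so a `docker-compose exec nginx nginx -s reload` after `up -d` is the simpler route. The `location` blocks begin and end outside this hunk.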
@@ -1,23 +1,50 @@ -version: '2.3' +version: '2.4' services: + nginx: + restart: always + image: nginx:mainline-alpine + ports: + - 80:80 + - 443:443 + environment: + - NGINX_HOST=plural.cafe + volumes: + - /etc/localtime:/etc/localtime:ro + - ./.docker/nginx/nginx.conf:/etc/nginx/conf.d/web.template:ro + - ./.acme.sh/${NGINX_HOST}_ecc/${NGINX_HOST}.cer:/etc/ssl/cert.pem:ro + - ./.acme.sh/${NGINX_HOST}_ecc/${NGINX_HOST}.key:/etc/ssl/privkey.pem:ro + - ./.acme.sh/${NGINX_HOST}_ecc/fullchain.cer:/etc/ssl/fullchain.pem:ro + - ./public:/var/www/html:ro + command: sh -c "envsubst \"`env | awk -F = '{printf \" $$%s\", $$1}'`\" < /etc/nginx/conf.d/web.template > /etc/nginx/conf.d/default.conf && nginx -g 'daemon off;'" + networks: + - external_network + - mstweb_network + - mststreaming_network + - netdata_network + netdata: restart: always image: titpetric/netdata - restart: unless-stopped cap_add: - SYS_PTRACE - ports: - - "127.0.0.1:19999:19999" volumes: + - /etc/localtime:/etc/localtime:ro - ./.docker/netdata:/etc/netdata - /proc:/host/proc:ro - /sys:/host/sys:ro - /var/run/docker.sock:/var/run/docker.sock - - /etc/localtime:/etc/localtime:ro - - /etc/timezone:/etc/timezone:ro networks: - - external_network + - netdata_network + + ipv6nat: + restart: always + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + - /lib/modules:/lib/modules:ro + privileged: true + network_mode: host + image: robbertkl/ipv6nat mstdb: restart: always 
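Review bot: `${NGINX_HOST}` in the `nginx` service's `volumes:` entries is compose-file interpolation, which is resolved from the host shell environment and `.env`, not from the service's own `environment:` list; unless `NGINX_HOST` is also exported on the host, compose substitutes an empty string and the certificate mounts become `./.acme.sh/_ecc/.cer`, `./.acme.sh/_ecc/.key` and `./.acme.sh/_ecc/fullchain.cer`, which do not exist. Put `NGINX_HOST=plural.cafe` in a `.env` beside the compose file and change the service line to `- NGINX_HOST=${NGINX_HOST}` so there is one source of truth. On privilege: `netdata` gets `/var/run/docker.sock` read-write plus `SYS_PTRACE`, and `ipv6nat` runs `privileged: true` with `network_mode: host` and the same socket; both are effectively root on the host, which is the documented requirement for ipv6nat, but netdata's mount should at least be `:ro` like ipv6nat's (bearing in mind a read-only bind on a socket does not limit what the Docker API will do). Dropping netdata's host port and isolating it on `netdata_network` is the right direction; its only remaining entry point is the nginx location that proxies to `dockernetdata`, whose access control is outside this diff and should be checked given what the container can reach.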
@@ -26,59 +53,115 @@ services: - mstdb_network volumes: - /etc/localtime:/etc/localtime:ro - - /etc/timezone:/etc/timezone:ro - ./.docker/mastodon/db:/var/lib/postgresql/data mstredis: restart: always - image: redis:alpine + image: redis:4-alpine networks: - mstredis_network volumes: - /etc/localtime:/etc/localtime:ro - - /etc/timezone:/etc/timezone:ro - ./.docker/mastodon/redis:/data -# mstes: -# restart: always -# image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.2.3 -# environment: -# - bootstrap.memory_lock=true -# - "ES_JAVA_OPTS=-Xms512m -Xmx512m" -# ulimits: -# memlock: -# soft: -1 -# hard: -1 -# networks: -# - mstes_network -# volumes: -# - /etc/localtime:/etc/localtime:ro -# - /etc/timezone:/etc/timezone:ro -# - ./.docker/mastodon/es:/usr/share/elasticsearch/data + mstes: + restart: always + image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.2.3 + environment: + - bootstrap.memory_lock=true + - "ES_JAVA_OPTS=-Xms512m -Xmx512m" + ulimits: + memlock: + soft: -1 + hard: -1 + networks: + - mstes_network + volumes: + - /etc/localtime:/etc/localtime:ro + - ./.docker/mastodon/es:/usr/share/elasticsearch/data mstweb: image: pluralcafe/mastodon:stable restart: always env_file: ./.docker/mastodon/.env.production + environment: + - WEB_CONCURRENCY=1 + - MAX_THREADS=15 + command: sh -c "rm -f /mastodon/tmp/pids/server.pid; rake db:migrate; bundle exec rails s -p 3000 -b '0.0.0.0'" networks: - - external_network - mstdb_network + - mstes_network - mstredis_network - ports: - - "127.0.0.1:3000:3000" - - "127.0.0.1:4000:4000" + - mstweb_network depends_on: - mstdb - mstredis -# - mstes + - mstes volumes: - - ./public/system:/mastodon/public/system - /etc/localtime:/etc/localtime:ro - - /etc/timezone:/etc/timezone:ro + - ./public/system:/mastodon/public/system + + mststreaming: + image: pluralcafe/mastodon:stable + restart: always + env_file: .docker/mastodon/.env.production + command: yarn start + networks: + - mstdb_network + - mstredis_network + - 
mststreaming_network + depends_on: + - mstdb + - mstredis + + mstsidekiq: + image: pluralcafe/mastodon:stable + restart: always + env_file: .docker/mastodon/.env.production + environment: + - DB_POOL=10 + command: bundle exec sidekiq -q default -q mailers -q pull -q push + depends_on: + - mstdb + - mstes + - mstredis + networks: + - external_network + - mstdb_network + - mstes_network + - mstredis_network + volumes: + - ./public/system:/mastodon/public/system + + mstbarkeep: + image: pluralcafe/barkeep + restart: always + env_file: ./.docker/mastodon/.env.ambassador + command: yarn start + depends_on: + - mstdb + networks: + - external_network + - mstdb_network networks: external_network: + driver: bridge + enable_ipv6: true + ipam: + driver: default + config: + - subnet: 172.18.0.0/16 + - subnet: fd00:dead:beef::/48 mstdb_network: internal: true + mstes_network: + internal: true mstredis_network: internal: true + mststreaming_network: + internal: true + mstweb_network: + internal: true + netdata_network: + internal: true diff --git a/deploy/scripts/update-containers.sh b/deploy/scripts/update-containers.sh index 668e4b4..302731c 100644 --- a/deploy/scripts/update-containers.sh +++ b/deploy/scripts/update-containers.sh @@ -13,7 +13,7 @@ cd "$HOME" || exit docker cp "$($COMPOSE ps -q mstweb):/mastodon/public/assets" public/ docker cp "$($COMPOSE ps -q mstweb):/mastodon/public/packs" public/ - docker image prune -f + docker system prune --all -f curl -sS "https://raw.githubusercontent.com/pluralcafe/utils/master/deploy/docker-compose.yml" > docker-compose.yml } -- cgit
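Review bot: The `mstweb` service's `command` runs `rake db:migrate` on every container start, while `mststreaming` and `mstsidekiq` depend only on `mstdb`/`mstredis` and boot concurrently, so after an image update they can begin serving against a half-migrated schema. A one-shot step in `update-containers.sh` (`docker-compose run --rm mstweb rake db:migrate` before `up -d`) keeps the start command to `rails s` and makes the migration explicit. Worth a comment on `mstes`: the `elasticsearch-oss` image ships no authentication, so `internal: true` on `mstes_network` is the only thing between `mstweb`/`mstsidekiq` and full read/write/delete on the index — `# ES has no auth: mstes_network must stay internal` would keep that from being loosened later. `mstsidekiq` and `mstbarkeep` are the only app containers on `external_network`, which looks deliberate for outbound federation; `mstweb` now has no outbound path, so confirm nothing in the web process (remote lookups triggered from search, for instance) needs one. The `services:` map starts before this hunk.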
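Review bot: `docker system prune --all -f` casts a much wider net than the `docker image prune -f` it replaces: `--all` deletes every image not referenced by a running container (not just dangling layers), plus all stopped containers, unused networks and build cache, so an image pulled for a service that happens to be stopped at that moment is removed and has to be re-pulled on the next `up`. If the intent is only to reclaim superseded image layers, `docker image prune -af` is the narrower equivalent; either way a comment such as `# --all: drops every image not used by a *running* container` makes the blast radius explicit. The unchanged `curl ... > docker-compose.yml` on the next line overwrites the deployment definition — including the `privileged: true` service added in this commit — from a GitHub raw URL with no integrity check beyond TLS, so anyone who can push to that branch can redeploy arbitrary containers on the host; pinning to a commit hash or verifying a signature before replacing the file is the usual mitigation. The enclosing function begins before this hunk.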