From 1714ff6116a99892dbe4daf4dd41a7369c6c85dc Mon Sep 17 00:00:00 2001 From: Gerardo Navarro Suarez Date: Tue, 20 Sep 2022 15:39:42 +0200 Subject: [PATCH] Provide docker-compose setup for production (#1) * chore: Add docker compose file for production * chore: Ignoring unnecessary files after initial docker-compose setup for production environment * chore: Switch to mariadb * chore: Enable ssl connection for mariadb * chore: Add ETHERPAD_PLUGINS and more env vars from the kitsteam * chore: Add config for etherpad plugin ep_delete_after_delay * chore: Finalize brnach * chore: Fix wrong chartset passed to etherpad and ueberdb2 config * docs: Add kits-specific documentation for database migration Co-authored-by: Gerardo Navarro --- .dockerignore | 6 ++++ .env.prod.default | 12 +++++++ .gitignore | 13 +++++++ README-KITS.md | 15 ++++++++ docker-compose-prod.yml | 76 +++++++++++++++++++++++++++++++++++++++++ settings.json.docker | 27 +++++++++++++-- 6 files changed, 147 insertions(+), 2 deletions(-) create mode 100644 .env.prod.default create mode 100644 README-KITS.md create mode 100644 docker-compose-prod.yml diff --git a/.dockerignore b/.dockerignore index d8d3a3ebe..9dbda51c8 100644 --- a/.dockerignore +++ b/.dockerignore @@ -3,6 +3,12 @@ .hg Dockerfile +# Ignoring all docker compose files as they are not needed +docker-compose*.yml + +# Ignoring all env files from the host machine to avoid unexpected side effects +.env* + # Remove the git objects, logs, etc. to make final image smaller. # Some files still need to be in the .git directory, because Etherpad at # startup uses them to discover its version number. diff --git a/.env.prod.default b/.env.prod.default new file mode 100644 index 000000000..b43177ffa --- /dev/null +++ b/.env.prod.default 
@@ -0,0 +1,12 @@
+# Please copy and rename this file.
+#
+# !Attention!
+# Always ensure to load the env variables in every terminal session.
+# Otherwise the env variables will not be available
+
+DOCKER_COMPOSE_APP_PROD_PORT_PUBLISHED=9001
+DOCKER_COMPOSE_APP_PROD_PORT_TARGET=9001
+
+DOCKER_COMPOSE_MARIADB_PROD_ENV_MARIADB_DATABASE=
+DOCKER_COMPOSE_MARIADB_PROD_ENV_MARIADB_PASSWORD=
+DOCKER_COMPOSE_MARIADB_PROD_ENV_MARIADB_USER=
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index e2f0383a2..97adb6d44 100644
--- a/.gitignore
+++ b/.gitignore
@@ -21,3 +21,16 @@ out/
 /src/bin/convertSettings.json
 /src/bin/etherpad-1.deb
 /src/bin/node.exe
+
+# Ignoring the dorectory that sortes the local ssl certificates
+ca
+
+# Extending gitignore to include also all .env files, e.g. .env.development.local, .env.test, etc.
+.env*
+!.env.default
+!.env.prod.default
+
+# Avoiding accidentally adding local docker-compose*.override file to version control that might contain secrets
+docker-compose-prod.override.yml
+docker-compose.override.yml
+docker-compose*.override.yml
\ No newline at end of file
diff --git a/README-KITS.md b/README-KITS.md
new file mode 100644
index 000000000..2d5cdb5ce
--- /dev/null
+++ b/README-KITS.md
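Review bot: In the .gitignore hunk the `ca` pattern has no leading slash, so it ignores any file or directory named `ca` at every depth of the tree, not only the certificate directory that docker-compose-prod.yml mounts from `./ca`; `/ca/` limits it to that directory. The comment above it has two typos and would read `# Ignoring the directory that stores the local ssl certificates`. `docker-compose*.override.yml` already matches the two literal override names listed before it, so those two lines can be dropped.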
@@ -0,0 +1,15 @@
+## Etherpad Lite for KITS
+
+## Maintenance
+
+### Restore MariaDB backup
+
+```bash
+docker compose -f docker-compose-prod.yml -f docker-compose-prod.override.yml --env-file .env.prod exec -T mariadb_prod mysql -u prod_database_user --password=prod_database_user_password -D prod_database_name < path_mysql_dump.sql
+```
+
+If you want to create a dump in a new database then you should execute the following command beforehand:
+
+```bash
+docker compose -f docker-compose-prod.yml -f docker-compose-prod.override.yml --env-file .env.prod exec -T mariadb_prod mysql -u root -p -e "CREATE DATABASE IF NOT EXISTS prod_database_name; GRANT ALL PRIVILEGES ON prod_database_name.* TO prod_database_user@localhost"
+```
\ No newline at end of file
diff --git a/docker-compose-prod.yml b/docker-compose-prod.yml
new file mode 100644
index 000000000..3feed7a1e
--- /dev/null
+++ b/docker-compose-prod.yml
@@ -0,0 +1,76 @@
+version: "3.8"
+
+# Add this file to extend the docker-compose setup, e.g.:
+# docker-compose -f docker-compose-prod.yml -f docker-compose-prod.override.yml --env-file .env.prod build --no-cache
+# docker-compose -f docker-compose-prod.yml -f docker-compose-prod.override.yml --env-file .env.prod up -d --build --force-recreate
+
+services:
+ app_prod:
+ build:
+ context: .
+ args:
+ ETHERPAD_PLUGINS: >-
+ ep_comments_page
+ ep_image_upload
+ kitsteam/ep_push2delete
+ ep_embedded_hyperlinks2
+ ep_headings2
+ ep_align
+ ep_font_color
+ ep_delete_empty_pads
+ ep_delete_after_delay
+ ep_helmet
+ ep_font_size
+ ep_disable_imports
+ INSTALL_SOFFICE: 'true'
+ depends_on:
+ - mariadb_prod
+ environment:
+ DB_CHARSET: ${DOCKER_COMPOSE_APP_PROD_ENV_DB_CHARSET:-utf8mb4}
+ DB_HOST: mariadb_prod
+ DB_NAME: ${DOCKER_COMPOSE_MARIADB_PROD_ENV_MARIADB_DATABASE:?}
+ DB_PASS: ${DOCKER_COMPOSE_MARIADB_PROD_ENV_MARIADB_PASSWORD:?}
+ DB_PORT: ${DOCKER_COMPOSE_MARIADB_PROD_ENV_MARIADB_PORT:-3306}
+ DB_TYPE: "mysql"
+ DB_USER: ${DOCKER_COMPOSE_MARIADB_PROD_ENV_MARIADB_USER:?}
+ DEFAULT_PAD_TEXT: ${DOCKER_COMPOSE_APP_PROD_ENV_DEFAULT_PAD_TEXT}
+ DISABLE_IP_LOGGING: ${DOCKER_COMPOSE_APP_PROD_ENV_DISABLE_IP_LOGGING:-true}
+ SOFFICE: ${DOCKER_COMPOSE_APP_PROD_ENV_SOFFICE:-/usr/bin/soffice}
+ TRUST_PROXY: ${DOCKER_COMPOSE_APP_PROD_ENV_TRUST_PROXY:-true}
+ ports:
+ - "${DOCKER_COMPOSE_APP_PROD_PORT_PUBLISHED:-9001}:${DOCKER_COMPOSE_APP_PROD_PORT_TARGET:-9001}"
+
+ mariadb_prod:
+ image: mariadb
+ # Pass config parameters to the mysql server.
+ # Find more information below when you need to generate the ssl-relevant file your self
+ command:
+ - --character-set-server=utf8mb4
+ - --collation-server=utf8mb4_bin
+ - --ssl_cert=/var/lib/mysql/server.crt
+ - --ssl_key=/var/lib/mysql/server.key
+ environment:
+ MARIADB_DATABASE: ${DOCKER_COMPOSE_MARIADB_PROD_ENV_MARIADB_DATABASE:?}
+ MARIADB_PASSWORD: ${DOCKER_COMPOSE_MARIADB_PROD_ENV_MARIADB_PASSWORD:?}
+ MARIADB_PORT: ${DOCKER_COMPOSE_MARIADB_PROD_ENV_MARIADB_PORT:-3306}
+ MARIADB_RANDOM_ROOT_PASSWORD: 'yes'
+ MARIADB_USER: ${DOCKER_COMPOSE_MARIADB_PROD_ENV_MARIADB_USER:?}
+ volumes:
+ # To setup an ssl-enabled mysql server locally, you need to generate a self-signed ssl certificate.
+ #
+ # ```bash
+ # mkdir -p ./ca
+ # openssl req -new -text -passout pass:abcd -subj /CN=localhost -out ./ca/server.req -keyout ./ca/privkey.pem
+ # openssl rsa -in ./ca/privkey.pem -passin pass:abcd -out ./ca/server.key
+ # openssl req -x509 -in ./ca/server.req -text -key ./ca/server.key -out ./ca/server.crt
+ # chmod 600 ./ca/server.key
+ # test $(uname -s) = Linux && chown 70 ./ca/server.key
+ # ```
+ #
+ # Afterwards, the ssl_cert_file and ssl_key_file are mounted into the docker container, see below
+ - ./ca/server.crt:/var/lib/mysql/server.crt
+ - ./ca/server.key:/var/lib/mysql/server.key
+ - mariadb_prod_data:/var/lib/mysql
+
+volumes:
+ mariadb_prod_data:
\ No newline at end of file
diff --git a/settings.json.docker b/settings.json.docker
index 725af9f31..72ed7cb61 100644
--- a/settings.json.docker
+++ b/settings.json.docker
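Review bot: In docker-compose-prod.yml, `--ssl_cert` and `--ssl_key` under `mariadb_prod.command` only make TLS available: nothing in this hunk makes the server refuse plaintext sessions, and `app_prod.environment` passes no TLS setting to Etherpad, so the `DB_PASS` login can still cross the compose network unencrypted. Once the Etherpad database settings are confirmed to negotiate TLS, add `- --require_secure_transport=ON` to `command`. The setup comment's `chown 70 ./ca/server.key` and its `ssl_cert_file`/`ssl_key_file` wording look carried over from a PostgreSQL recipe; after `chmod 600` the key has to be owned by the uid mysqld runs as in the `mariadb` image, otherwise the server cannot read it. `TRUST_PROXY` defaults to `true` while `ports` publishes the app on every host interface, so unless a reverse proxy is the only way in, prefix the mapping with `127.0.0.1:` to keep clients from supplying their own forwarded-for address. `image: mariadb` is untagged and should be pinned to a specific release.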
@@ -633,6 +633,29 @@ /* Override any strings found in locale directories */ "customLocaleStrings": {}, - /* Disable Admin UI tests */ - "enableAdminUITests": false + /* + * Allow only some file formats + */ + "ep_disable_imports": { + "allow": ["etherpad", "docx", "odt", "txt", "rtf", "pdf"] + }, + + /* + * Delete pads after delay + */ + "ep_delete_after_delay": { + "delay": 2592000, // thirty days, in seconds + "loop": true, + "loopDelay": 3600, // one hour, in seconds + "deleteAtStart": true, + "text": "The content of this pad has been deleted since it was older than the configured delay." + }, + + /* + * Configure image upload + */ + "ep_image_upload": { + "fileTypes": ["jpeg", "jpg", "bmp", "gif", "png"], + "maxFileSize": 2000000 + } }
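Review bot: The hunk deletes `"enableAdminUITests": false` together with its comment and does not add it back, so the image now relies on whatever default Etherpad applies when the key is absent; if that was not intended, keep it as the last key after the `ep_image_upload` block, `"enableAdminUITests": false`, with a comma after that block's closing brace. `ep_delete_after_delay` sets `"deleteAtStart": true` with a 30-day `delay`, and README-KITS.md in the same patch documents restoring a MariaDB dump, so a restored database presumably loses every pad older than the delay on the first start; confirm that is wanted or document it next to the restore step. The enclosing settings object starts outside the hunk.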