From: Felix Ableitner Date: Tue, 20 Aug 2019 17:43:30 +0000 (+0200) Subject: copy template files into docker/prod folder X-Git-Url: http://these/git/%22https:/image.com/%22?a=commitdiff_plain;h=5e44ac207b35a8dbe883f055bdfccb50795cb9f4;p=lemmy.git copy template files into docker/prod folder --- diff --git a/README.md b/README.md index 593cf346..bb3cc144 100644 --- a/README.md +++ b/README.md @@ -64,14 +64,32 @@ Made with [Rust](https://www.rust-lang.org), [Actix](https://actix.rs/), [Infern ## Install -### Docker +### Ansible (recommended) + +First, you need to [install Ansible on your local computer](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html), +eg using `sudo apt install ansible`, or the equivalent for you platform. + +Then run the following commands on your local computer: +```bash +git clone https://github.com/dessalines/lemmy.git +cd lemmy/ansible/ +cp inventory.example inventory +nano inventory # enter your server, domain, contact email +ansible-playbook lemmy.yml +``` + +### Manual -Make sure you have both docker and docker-compose(>=`1.24.0`) installed. +Make sure you have both docker and docker-compose installed. ``` mkdir lemmy/ cd lemmy/ wget https://raw.githubusercontent.com/dessalines/lemmy/master/docker/prod/docker-compose.yml +wget https://raw.githubusercontent.com/dessalines/lemmy/master/docker/prod/env -O .env +wget https://raw.githubusercontent.com/dessalines/lemmy/master/docker/prod/nginx.conf +# you need to edit .env and nginx.conf to replace the indicated {{ variables }} +sudo mv nginx.conf /etc/nginx/sites-enabled/lemmy.conf docker-compose up -d ``` diff --git a/ansible/lemmy.yml b/ansible/lemmy.yml index 7026200e..4ba80e90 100644 --- a/ansible/lemmy.yml +++ b/ansible/lemmy.yml @@ -33,7 +33,7 @@ template: src={{item.src}} dest={{item.dest}} with_items: - { src: 'templates/env', dest: '/lemmy/.env' } - - { src: 'templates/docker-compose.yml', dest: '/lemmy/docker-compose.yml' } + - { src: '../docker/prod/docker-compose.yml', dest: '/lemmy/docker-compose.yml' } - { src: 'templates/nginx.conf', dest: '/etc/nginx/sites-enabled/lemmy.conf' } vars: postgres_password: "{{ lookup('password', 'passwords/{{ inventory_hostname }}/postgres chars=ascii_letters,digits') }}" diff --git a/ansible/templates/docker-compose.yml b/docker/prod/docker-compose.yml similarity index 91% rename from ansible/templates/docker-compose.yml rename to docker/prod/docker-compose.yml index af611045..d55b2808 100644 --- a/ansible/templates/docker-compose.yml +++ b/docker/prod/docker-compose.yml @@ -18,7 +18,7 @@ services: retries: 20 lemmy: - image: dessalines/lemmy:v0.0.7.3 + image: dessalines/lemmy:v0.0.7 .3 restart: always ports: - "8536:8536" @@ -27,5 +27,5 @@ services: - DATABASE_URL=${DATABASE_URL} - JWT_SECRET=${JWT_SECRET} - HOSTNAME=${DOMAIN} - depends_on: + depends_on: - db diff --git a/docker/prod/env b/docker/prod/env new file mode 100644 index 00000000..06f3cfe2 --- /dev/null +++ b/docker/prod/env @@ -0,0 +1,4 @@ +DOMAIN={{your domain}} +DATABASE_PASSWORD={{a random password for postgres}} +DATABASE_URL=postgres://lemmy:{{ the same postgres password again }}@db:5432/lemmy +JWT_SECRET={{ a random password for jwt}} diff --git a/docker/prod/nginx.conf b/docker/prod/nginx.conf new file mode 100644 index 00000000..918851a0 --- /dev/null +++ b/docker/prod/nginx.conf @@ -0,0 +1,61 @@ +server { + listen 80; + server_name {{ your domain }}; + location /.well-known/acme-challenge/ { + root /var/www/certbot; + } + location / { + return 301 https://$host$request_uri; + } +} + +server { + listen 443 ssl http2; + server_name {{ your domain }}; + + ssl_certificate /etc/letsencrypt/live/{{ your domain }}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{{ your domain }}/privkey.pem; + + # Various TLS hardening settings + # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers on; + ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + ssl_session_timeout 10m; + ssl_session_cache shared:SSL:10m; + ssl_session_tickets off; + ssl_stapling on; + ssl_stapling_verify on; + + # Hide nginx version + server_tokens off; + + # Enable compression for JS/CSS/HTML bundle, for improved client load times. + # It might be nice to compress JSON, but leaving that out to protect against potential + # compression+encryption information leak attacks like BREACH. + gzip on; + gzip_types text/css application/javascript; + gzip_vary on; + + # Only connect to this site via HTTPS for the two years + add_header Strict-Transport-Security "max-age=63072000"; + + # Various content security headers + add_header Referrer-Policy "same-origin"; + add_header X-Content-Type-Options "nosniff"; + add_header X-Frame-Options "DENY"; + add_header X-XSS-Protection "1; mode=block"; + + location / { + rewrite (\/(user|u|inbox|post|community|c|login|search|sponsors|communities|modlog|home)+) /static/index.html break; + proxy_pass http://0.0.0.0:8536; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # WebSocket support + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + } +}