diff --git a/.gitignore b/.gitignore index ea6ab22..0f0535e 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -data_* +*_data .env diff --git a/README.md b/README.md index db5edb0..3aa319b 100644 --- a/README.md +++ b/README.md @@ -4,15 +4,14 @@ Ensemble des recettes Docker d'Aurore. L'idée est de pouvoir redonder les services « légers » entre les résidences. -Pour lancer un service, aller dans le dossier puis +Pour lancer un service, cloner le repo, aller dans le dossier puis `sudo docker-compose up --build -d`. ## Fichiers à protéger Les fichiers suivant ne doivent être lisibles que par root : - * les fichiers `.env` (s'inspirer des `example.env`) - * grafana/ldap.toml + * le fichier `.env` (s'inspirer de `example.env`) * django-cas/docker-compose.yml Mettez dedans les mots de passe de base de données ou du LDAP. diff --git a/codimd/docker-compose.yml b/codimd/docker-compose.yml deleted file mode 100644 index aa4a570..0000000 --- a/codimd/docker-compose.yml +++ /dev/null 
@@ -1,44 +0,0 @@ -# From https://github.com/codimd/container/ -version: '3' -services: - database: - # Don't upgrade PostgreSQL by simply changing the version number - # You need to migrate the Database to the new PostgreSQL version - image: postgres:9.6-alpine - environment: - POSTGRES_USER: codimd - POSTGRES_PASSWORD: codimdpass - POSTGRES_DB: codimd - volumes: - - ./data_db:/var/lib/postgresql/data - restart: always - - app: - image: quay.io/codimd/server:1.4.0 - environment: - DEBUG: "false" - CMD_DB_URL: "postgres://codimd:codimdpass@database:5432/codimd" - CMD_URL_ADDPORT: "false" - CMD_EMAIL: "false" - CMD_DOMAIN: "${DOMAIN}" - CMD_PROTOCOL_USESSL: "true" - CMD_USECDN: "false" - CMD_ALLOW_FREEURL: "true" - CMD_IMAGE_UPLOAD_TYPE: "filesystem" - CMD_LDAP_URL: "${LDAP_URL}" - CMD_LDAP_BINDDN: "${LDAP_BINDDN}" - CMD_LDAP_BINDCREDENTIALS: "${LDAP_BINDCREDENTIALS}" - CMD_LDAP_SEARCHBASE: "${LDAP_SEARCHBASE}" - CMD_LDAP_SEARCHFILTER: "(uid={{username}})" - CMD_LDAP_SEARCHATTRIBUTES: "uid, givenName, mail" - CMD_LDAP_USERIDFIELD: "uid" - CMD_LDAP_USERNAMEFIELD: "uid" - CMD_LDAP_PROVIDERNAME: "${LDAP_PROVIDERNAME}" - ports: - - "8081:3000" - volumes: - - ./data_uploads:/codimd/public/uploads - restart: always - depends_on: - - database - diff --git a/codimd/example.env b/codimd/example.env deleted file mode 100644 index f6c8eee..0000000 --- a/codimd/example.env +++ /dev/null @@ -1,6 +0,0 @@ -DOMAIN=codimd.auro.re -LDAP_URL=ldap://10.128.0.11 -LDAP_BINDDN=cn=codimd,ou=service-users,dc=auro,dc=re -LDAP_BINDCREDENTIALS=Change me -LDAP_SEARCHBASE=cn=Utilisateurs,dc=auro,dc=re -LDAP_PROVIDERNAME=Aurore diff --git a/django-cas/Dockerfile b/django-cas/Dockerfile deleted file mode 100644 index be9df11..0000000 --- a/django-cas/Dockerfile +++ /dev/null 
@@ -1,27 +0,0 @@ -# Django CAS server Dockerfile -# -# https://github.com/nitmir/django-cas-server -# -# Author: erdnaxe - -FROM debian:buster-slim - -RUN apt-get update && apt-get install -y \ - python3-pip \ - python3-django \ - python3-lxml \ - python3-requests \ - python3-requests-futures \ - python3-six \ - python3-psycopg2 \ - python3-whitenoise \ - python3-ldap3 \ - gunicorn3 - -RUN pip3 install django-cas-server - -COPY ./code /code/ -WORKDIR /code/ -EXPOSE 8000 -ENTRYPOINT ["./docker-entrypoint.sh"] - diff --git a/django-cas/code/cas/__init__.py b/django-cas/code/cas/__init__.py deleted file mode 100644 index e69de29..0000000 diff --git a/django-cas/code/cas/settings.py b/django-cas/code/cas/settings.py deleted file mode 100644 index 313ada1..0000000 --- a/django-cas/code/cas/settings.py +++ /dev/null 
@@ -1,176 +0,0 @@ -""" -Django settings for cas project. - -Generated by 'django-admin startproject' using Django 1.11. - -For more information on this file, see -https://docs.djangoproject.com/en/1.11/topics/settings/ - -For the full list of settings and their values, see -https://docs.djangoproject.com/en/1.11/ref/settings/ -""" - -import os - -# Build paths inside the project like this: os.path.join(BASE_DIR, ...) -BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) - - -# Quick-start development settings - unsuitable for production -# See https://docs.djangoproject.com/en/1.11/howto/deployment/checklist/ - -# SECURITY WARNING: keep the secret key used in production secret! -SECRET_KEY = os.getenv('DJANGO_SECRET_KEY') - -# SECURITY WARNING: don't run with debug turned on in production! -DEBUG = os.getenv('DJANGO_DEBUG', False) - -ALLOWED_HOSTS = [os.getenv('DJANGO_HOST')] - -# Suivi des erreurs sur root@ -EMAIL_SUBJECT_PREFIX = "[CAS] " -ADMINS = ( - ('Intranet', 'root@crans.org'), -) - -# Application definition - -INSTALLED_APPS = [ - 'django.contrib.admin', - 'django.contrib.auth', - 'django.contrib.contenttypes', - 'django.contrib.sessions', - 'django.contrib.messages', - 'django.contrib.staticfiles', - 'cas_server', -] - -MIDDLEWARE = [ - 'django.middleware.security.SecurityMiddleware', - 'whitenoise.middleware.WhiteNoiseMiddleware', - 'django.contrib.sessions.middleware.SessionMiddleware', - 'django.middleware.common.CommonMiddleware', - 'django.middleware.csrf.CsrfViewMiddleware', - 'django.contrib.auth.middleware.AuthenticationMiddleware', - 'django.contrib.messages.middleware.MessageMiddleware', - 'django.middleware.clickjacking.XFrameOptionsMiddleware', - 'django.middleware.locale.LocaleMiddleware', -] - -ROOT_URLCONF = 'cas.urls' - -TEMPLATES = [ - { - 'BACKEND': 'django.template.backends.django.DjangoTemplates', - 'DIRS': [], - 'APP_DIRS': True, - 'OPTIONS': { - 'context_processors': [ - 'django.template.context_processors.debug', - 
'django.template.context_processors.request', - 'django.contrib.auth.context_processors.auth', - 'django.contrib.messages.context_processors.messages', - ], - }, - }, -] - -WSGI_APPLICATION = 'cas.wsgi.application' - - -# Database -# https://docs.djangoproject.com/en/1.11/ref/settings/#databases - -DATABASES = { - 'default': { - 'ENGINE': 'django.db.backends.postgresql', - 'NAME': os.getenv('DJANGO_DB_NAME'), - 'HOST': os.getenv('DJANGO_DB_HOST'), - 'USER': os.getenv('DJANGO_DB_USER'), - 'PASSWORD': os.getenv('DJANGO_DB_PASSWORD'), - } -} - - -# Password validation -# https://docs.djangoproject.com/en/1.11/ref/settings/#auth-password-validators - -AUTH_PASSWORD_VALIDATORS = [ - { - 'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator', - }, - { - 'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator', - }, - { - 'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator', - }, - { - 'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator', - }, -] - - -# Internationalization -# https://docs.djangoproject.com/en/1.11/topics/i18n/ - -LANGUAGE_CODE = 'en-us' - -TIME_ZONE = 'UTC' - -USE_I18N = True - -USE_L10N = True - -USE_TZ = True - - -# Static files (CSS, JavaScript, Images) -# https://docs.djangoproject.com/en/1.11/howto/static-files/ - -STATIC_URL = '/static/' - - -# Below are custom parameters - -STATICFILES_STORAGE = 'whitenoise.storage.CompressedManifestStaticFilesStorage' -STATICFILES_DIRS = [os.path.join(BASE_DIR, "static")] -STATIC_ROOT = os.path.join(BASE_DIR, "staticfiles") - -CAS_AUTH_CLASS = "cas_server.auth.LdapAuthUser" -CAS_LDAP_SERVER = os.getenv('DJANGO_CAS_LDAP_SERVER') -CAS_LDAP_USER = os.getenv('DJANGO_CAS_LDAP_USER') -CAS_LDAP_PASSWORD = os.getenv('DJANGO_CAS_LDAP_PASSWORD') -CAS_LDAP_BASE_DN = os.getenv('DJANGO_CAS_LDAP_BASE_DN') - -CAS_INFO_MESSAGES_ORDER = ["cas_explained"] - -SESSION_COOKIE_AGE = 86400 -SESSION_EXPIRE_AT_BROWSER_CLOSE = True 
-SESSION_COOKIE_HTTPONLY = True - -LOGGING = { - 'version': 1, - 'disable_existing_loggers': False, - 'formatters': { - 'cas_syslog': { - 'format': 'cas: %(levelname)s %(message)s' - }, - }, - 'handlers': { - 'cas_syslog': { - 'level': 'INFO', - 'class': 'logging.handlers.SysLogHandler', - 'address': '/dev/log', - 'formatter': 'cas_syslog', - }, - }, - 'loggers': { - 'cas_server': { - 'handlers': ['cas_syslog'], - 'level': 'INFO', - 'propagate': True, - }, - }, -} - diff --git a/django-cas/code/cas/urls.py b/django-cas/code/cas/urls.py deleted file mode 100644 index f182d34..0000000 --- a/django-cas/code/cas/urls.py +++ /dev/null @@ -1,23 +0,0 @@ -"""cas URL Configuration - -The `urlpatterns` list routes URLs to views. For more information please see: - https://docs.djangoproject.com/en/1.11/topics/http/urls/ -Examples: -Function views - 1. Add an import: from my_app import views - 2. Add a URL to urlpatterns: url(r'^$', views.home, name='home') -Class-based views - 1. Add an import: from other_app.views import Home - 2. Add a URL to urlpatterns: url(r'^$', Home.as_view(), name='home') -Including another URLconf - 1. Import the include() function: from django.conf.urls import url, include - 2. Add a URL to urlpatterns: url(r'^blog/', include('blog.urls')) -""" -from django.conf.urls import include, url -from django.contrib import admin - -urlpatterns = [ - url(r'^admin/', admin.site.urls), - url(r'^', include('cas_server.urls', namespace="cas_server")), -] - diff --git a/django-cas/code/cas/wsgi.py b/django-cas/code/cas/wsgi.py deleted file mode 100644 index 804320f..0000000 --- a/django-cas/code/cas/wsgi.py +++ /dev/null 
@@ -1,16 +0,0 @@ -""" -WSGI config for cas project. - -It exposes the WSGI callable as a module-level variable named ``application``. - -For more information on this file, see -https://docs.djangoproject.com/en/1.11/howto/deployment/wsgi/ -""" - -import os - -from django.core.wsgi import get_wsgi_application - -os.environ.setdefault("DJANGO_SETTINGS_MODULE", "cas.settings") - -application = get_wsgi_application() diff --git a/django-cas/code/docker-entrypoint.sh b/django-cas/code/docker-entrypoint.sh deleted file mode 100755 index 375830a..0000000 --- a/django-cas/code/docker-entrypoint.sh +++ /dev/null @@ -1,14 +0,0 @@ -#!/bin/bash - -# Collect static files -echo "Collect static files" -python3 manage.py collectstatic --noinput - -# Apply database migrations -echo "Apply database migrations" -sleep 5 # wait for db -python3 manage.py migrate - -# Start server -echo "Starting server" -gunicorn3 cas.wsgi:application --bind 0.0.0.0:8000 --workers 2 --log-level debug diff --git a/django-cas/code/manage.py b/django-cas/code/manage.py deleted file mode 100755 index aff64b6..0000000 --- a/django-cas/code/manage.py +++ /dev/null @@ -1,22 +0,0 @@ -#!/usr/bin/env python -import os -import sys - -if __name__ == "__main__": - os.environ.setdefault("DJANGO_SETTINGS_MODULE", "cas.settings") - try: - from django.core.management import execute_from_command_line - except ImportError: - # The above import may fail for some other reason. Ensure that the - # issue is really that Django is missing to avoid masking other - # exceptions on Python 2. - try: - import django - except ImportError: - raise ImportError( - "Couldn't import Django. Are you sure it's installed and " - "available on your PYTHONPATH environment variable? Did you " - "forget to activate a virtual environment?" - ) - raise - execute_from_command_line(sys.argv) 
diff --git a/django-cas/code/static/cas_server/logo.png b/django-cas/code/static/cas_server/logo.png deleted file mode 100644 index 7b12fba..0000000 Binary files a/django-cas/code/static/cas_server/logo.png and /dev/null differ diff --git a/django-cas/docker-compose.yml b/django-cas/docker-compose.yml deleted file mode 100644 index db57fa0..0000000 --- a/django-cas/docker-compose.yml +++ /dev/null @@ -1,35 +0,0 @@ -version: '3.7' - -services: - database: - # Don't upgrade PostgreSQL by simply changing the version number - # You need to migrate the Database to the new PostgreSQL version - image: postgres:9.6-alpine - environment: - POSTGRES_USER: cas - POSTGRES_PASSWORD: caspass - POSTGRES_DB: cas - volumes: - - ./data_db:/var/lib/postgresql/data - restart: always - - cas: - build: - context: . - environment: - DJANGO_DB_NAME: cas - DJANGO_DB_HOST: database - DJANGO_DB_USER: cas - DJANGO_DB_PASSWORD: caspass - DJANGO_SECRET_KEY: "Please change me in production !" - DJANGO_HOST: localhost - DJANGO_CAS_LDAP_SERVER: "re2o-ldap.adm.auro.re" - DJANGO_CAS_LDAP_USER: "cn=cas,ou=service-users,dc=auro,dc=re" - DJANGO_CAS_LDAP_PASSWORD: "Change me in prod !" - DJANGO_CAS_LDAP_BASE_DN: "cn=Utilisateurs,dc=auro,dc=re" - ports: - - "8085:8000" - restart: always - depends_on: - - database - diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..dd77702 --- /dev/null +++ b/docker-compose.yml 
@@ -0,0 +1,55 @@
+version: "3"
+
+services:
+ riot:
+ build: riot
+ restart: always
+ ports:
+ - 8080:80
+
+ privatebin:
+ image: privatebin/nginx-fpm-alpine
+ restart: always
+ volumes:
+ - ./privatebin_data:/srv/data
+ ports:
+ - 8083:80
+
+ etherpad:
+ build: etherpad
+ restart: always
+ environment:
+ - "POSTGRES_PASSWORD=${ETHERPAD_POSTGRES_PASSWD}"
+ ports:
+ - 8084:9001
+
+ grafana:
+ build: grafana
+ restart: always
+ environment:
+ - "ENV_PASSWORD=${GRAFANA_LDAP_BIND_PASSWD}"
+ volumes:
+ - ./grafana_data:/var/lib/grafana
+ ports:
+ - 8082:3000
+
+ matrix-appservice-discord:
+ image: halfshot/matrix-appservice-discord
+ restart: always
+ volumes:
+ - ./matrix-appservice-discord_data:/data
+ - ./matrix-appservice-discord_data/discord.db:/discord.db
+ ports:
+ - 9005:9005
+
+ prometheus-alertmanager:
+ build: prometheus-alertmanager
+ restart: always
+ ports:
+ - 9093:9093
+
+ prometheus-alertmanager-discord:
+ build: prometheus-alertmanager-discord
+ restart: always
+ environment:
+ - "DISCORD_WEBHOOK=${PROMETHEUS_DISCORD_WEBHOOK}"
diff --git a/env.example b/env.example
new file mode 100644
index 0000000..17a189c
--- /dev/null
+++ b/env.example
@@ -0,0 +1,4 @@
+# Copy this as .env and make it only readable by root
+ETHERPAD_POSTGRES_PASSWD=CHANGE ME
+GRAFANA_LDAP_BIND_PASSWD=CHANGE ME
+PROMETHEUS_DISCORD_WEBHOOK=CHANGE ME
diff --git a/etherpad/Dockerfile b/etherpad/Dockerfile
new file mode 100644
index 0000000..cba6fe7
--- /dev/null
+++ b/etherpad/Dockerfile
@@ -0,0 +1,6 @@
+FROM etherpad/etherpad
+
+# Change instance settings
+ENV NODE_ENV=production
+ENV TRUST_PROXY=true
+COPY settings.json /opt/etherpad-lite/settings.json
diff --git a/etherpad/docker-compose.yml b/etherpad/docker-compose.yml
deleted file mode 100644
index 636546a..0000000
--- a/etherpad/docker-compose.yml
+++ /dev/null
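Review bot: `prometheus-alertmanager` publishes `- 9093:9093` on every host interface and nothing in this compose file puts authentication in front of it; Alertmanager's HTTP API (alert listing, silence creation) has no built-in auth, so it should only be reachable from localhost or through a reverse proxy, e.g. `- "127.0.0.1:9093:9093"`, and the same question applies to `9005:9005` if only the homeserver needs to reach the bridge. The `./matrix-appservice-discord_data/discord.db:/discord.db` entry bind-mounts a single file: if that path does not exist on the host at the first `up`, Docker creates an empty directory there and the bridge will presumably fail to open its database — a comment or a pre-creation step would save the next operator a puzzling failure. Quoting the port mappings (`"8080:80"`) is the Compose convention and avoids YAML's sexagesimal parsing for small values.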
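Review bot: The file is added as `env.example`, but the README changed in this same commit tells users to start from `example.env`, so the instruction points at a name that exists nowhere in the tree after the deletions of `codimd/example.env` and `etherpad/example.env`; rename one of them so they agree (the README also still lists `django-cas/docker-compose.yml`, which this commit deletes). The header comment asks for a root-only file but does not say how; stating the command removes the ambiguity, `# Copy this as .env, then: chmod 600 .env (read by sudo docker-compose)`.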
@@ -1,15 +0,0 @@ -version: "3" - -services: - etherpad: - image: etherpad/etherpad - environment: - - NODE_ENV=production - - POSTGRES_USER=etherpad - - "POSTGRES_PASSWORD=${POSTGRES_PASSWD}" - - POSTGRES_DB=etherpad - ports: - - 8084:9001 - volumes: - - ./settings.json:/opt/etherpad-lite/settings.json:ro - restart: always diff --git a/etherpad/example.env b/etherpad/example.env deleted file mode 100644 index 3982410..0000000 --- a/etherpad/example.env +++ /dev/null @@ -1 +0,0 @@ -POSTGRES_PASSWD=asupersecurepassword diff --git a/etherpad/settings.json b/etherpad/settings.json index cd493f5..aee2f1e 100644 --- a/etherpad/settings.json +++ b/etherpad/settings.json @@ -22,6 +22,7 @@ * * Would read the configuration values for those items from the environment * variables PORT, MINIFY and SKIN_NAME. + * * If PORT and SKIN_NAME variables were not defined, the default values 9001 and * "colibris" would be used. The configuration value "minify", on the other * hand, does not have a default indicated. Thus, if the environment variable @@ -50,13 +51,13 @@ /* * Name your instance! */ - "title": "Etherpad", + "title": "${TITLE:Etherpad}", /* * favicon default name * alternatively, set up a fully specified Url to your own favicon */ - "favicon": "favicon.ico", + "favicon": "${FAVICON:favicon.ico}", /* * Skin name. @@ -69,20 +70,20 @@ * - "colibris": the new experimental skin (since Etherpad 1.8), candidate to * become the default in Etherpad 2.0 */ - "skinName": "no-skin", + "skinName": "${SKIN_NAME:colibris}", /* * IP and port which etherpad should bind at */ - "ip": "0.0.0.0", - "port" : 9001, + "ip": "${IP:0.0.0.0}", + "port": "${PORT:9001}", /* * Option to hide/show the settings.json in admin page. * * Default option is set to true */ - "showSettingsInAdminPage" : true, + "showSettingsInAdminPage": "${SHOW_SETTINGS_IN_ADMIN_PAGE:true}", /* * Node native SSL support 
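Review bot: `"showSettingsInAdminPage": "${SHOW_SETTINGS_IN_ADMIN_PAGE:true}"` defaults to exposing the whole settings.json in the admin page (the setting's own comment says so), and neither the top-level `docker-compose.yml` nor `env.example` sets that variable, so the default applies; after environment substitution that view presumably includes the expanded `dbSettings` password — verify in the running instance. Since nothing in this repo needs it, a safer default is `"${SHOW_SETTINGS_IN_ADMIN_PAGE:false}"`, and the same hunk's `"ip": "${IP:0.0.0.0}"` is fine only because the container port is what gets published.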
@@ -118,32 +119,14 @@ * https://www.npmjs.com/package/ueberdb2 */ - "dbType" : "postgres", - "dbSettings" : { - "user" : "${POSTGRES_USER}", - "host" : "10.128.0.31", - "port" : 5432, - "password": "${POSTGRES_PASSWORD}", - "database": "${POSTGRES_DB}" - }, - - /* - * An Example of MySQL Configuration (commented out). - * - * See: https://github.com/ether/etherpad-lite/wiki/How-to-use-Etherpad-Lite-with-MySQL - */ - - /* - "dbType" : "mysql", - "dbSettings" : { - "user" : "etherpaduser", - "host" : "localhost", - "port" : 3306, - "password": "PASSWORD", - "database": "etherpad_lite_db", - "charset" : "utf8mb4" - }, - */ + "dbType": "postgres", + "dbSettings": { + "host": "10.128.0.31", + "port": 5432, + "database": "etherpad", + "user": "etherpad", + "password": "${POSTGRES_PASSWORD}" + }, /* * The default text of a pad 
@@ -156,57 +139,57 @@ * Change them if you want to override. */ "padOptions": { - "noColors": false, - "showControls": true, - "showChat": true, - "showLineNumbers": true, + "noColors": false, + "showControls": true, + "showChat": true, + "showLineNumbers": true, "useMonospaceFont": false, - "userName": false, - "userColor": false, - "rtl": false, - "alwaysShowChat": false, - "chatAndUsers": false, - "lang": "en-gb" + "userName": false, + "userColor": false, + "rtl": false, + "alwaysShowChat": false, + "chatAndUsers": false, + "lang": "en-gb" }, /* * Pad Shortcut Keys */ "padShortcutEnabled" : { - "altF9" : true, /* focus on the File Menu and/or editbar */ - "altC" : true, /* focus on the Chat window */ - "cmdShift2" : true, /* shows a gritter popup showing a line author */ - "delete" : true, - "return" : true, - "esc" : true, /* in mozilla versions 14-19 avoid reconnecting pad */ - "cmdS" : true, /* save a revision */ - "tab" : true, /* indent */ - "cmdZ" : true, /* undo/redo */ - "cmdY" : true, /* redo */ - "cmdI" : true, /* italic */ - "cmdB" : true, /* bold */ - "cmdU" : true, /* underline */ - "cmd5" : true, /* strike through */ - "cmdShiftL" : true, /* unordered list */ - "cmdShiftN" : true, /* ordered list */ - "cmdShift1" : true, /* ordered list */ - "cmdShiftC" : true, /* clear authorship */ - "cmdH" : true, /* backspace */ - "ctrlHome" : true, /* scroll to top of pad */ - "pageUp" : true, - "pageDown" : true + "altF9": true, /* focus on the File Menu and/or editbar */ + "altC": true, /* focus on the Chat window */ + "cmdShift2": true, /* shows a gritter popup showing a line author */ + "delete": true, + "return": true, + "esc": true, /* in mozilla versions 14-19 avoid reconnecting pad */ + "cmdS": true, /* save a revision */ + "tab": true, /* indent */ + "cmdZ": true, /* undo/redo */ + "cmdY": true, /* redo */ + "cmdI": true, /* italic */ + "cmdB": true, /* bold */ + "cmdU": true, /* underline */ + "cmd5": true, /* strike through */ + "cmdShiftL": true, 
/* unordered list */ + "cmdShiftN": true, /* ordered list */ + "cmdShift1": true, /* ordered list */ + "cmdShiftC": true, /* clear authorship */ + "cmdH": true, /* backspace */ + "ctrlHome": true, /* scroll to top of pad */ + "pageUp": true, + "pageDown": true }, /* * Should we suppress errors from being visible in the default Pad Text? */ - "suppressErrorsInPadText" : false, + "suppressErrorsInPadText": false, /* * If this option is enabled, a user must have a session to access pads. * This effectively allows only group pads to be accessed. */ - "requireSession" : false, + "requireSession": false, /* * Users may edit pads but not create new ones. @@ -214,13 +197,13 @@ * Pad creation is only via the API. * This applies both to group pads and regular pads. */ - "editOnly" : false, + "editOnly": false, /* * If set to true, those users who have a valid session will automatically be * granted access to password protected pads. */ - "sessionNoPassword" : false, + "sessionNoPassword": false, /* * If true, all css & js will be minified before sending to the client. @@ -228,7 +211,7 @@ * This will improve the loading performance massively, but makes it difficult * to debug the javascript/css */ - "minify" : true, + "minify": true, /* * How long may clients use served javascript code (in seconds)? @@ -236,7 +219,7 @@ * Not setting this may cause problems during deployment. * Set to 0 to disable caching. */ - "maxAge" : 21600, // 60 * 60 * 6 = 6 hours + "maxAge": 21600, // 60 * 60 * 6 = 6 hours /* * Absolute path to the Abiword executable. @@ -245,7 +228,7 @@ * it to null disables Abiword and will only allow plain text and HTML * import/exports. */ - "abiword" : null, + "abiword": null, /* * This is the absolute path to the soffice executable. @@ -253,7 +236,7 @@ * LibreOffice can be used in lieu of Abiword to export pads. * Setting it to null disables LibreOffice exporting. */ - "soffice" : null, + "soffice": null, /* * Path to the Tidy executable. 
@@ -261,35 +244,41 @@ * Tidy is used to improve the quality of exported pads. * Setting it to null disables Tidy. */ - "tidyHtml" : null, + "tidyHtml": null, /* * Allow import of file types other than the supported ones: * txt, doc, docx, rtf, odt, html & htm */ - "allowUnknownFileEnds" : true, + "allowUnknownFileEnds": true, /* * This setting is used if you require authentication of all users. * * Note: "/admin" always requires authentication. */ - "requireAuthentication" : false, + "requireAuthentication": false, /* * Require authorization by a module, or a user with is_admin set, see below. */ - "requireAuthorization" : false, + "requireAuthorization": false, /* * When you use NGINX or another proxy/load-balancer set this to true. + * + * This is especially necessary when the reverse proxy performs SSL + * termination, otherwise the cookies will not have the "secure" flag. + * + * The other effect will be that the logs will contain the real client's IP, + * instead of the reverse proxy's IP. */ - "trustProxy" : false, + "trustProxy": "${TRUST_PROXY:false}", /* * Privacy: disable IP logging */ - "disableIPlogging" : false, + "disableIPlogging": false, /* * Time (in seconds) to automatically reconnect pad when a "Force reconnect" @@ -297,7 +286,7 @@ * * Set to 0 to disable automatic reconnection. */ - "automaticReconnectionTimeout" : 0, + "automaticReconnectionTimeout": 0, /* * By default, when caret is moved out of viewport, it scrolls the minimum 
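Review bot: `"trustProxy": "${TRUST_PROXY:false}"` is effectively `true` here because `etherpad/Dockerfile` sets `ENV TRUST_PROXY=true`, and the new comment in this hunk itself spells out what that trust buys (cookie `secure` flag, client IP in logs); but the top-level `docker-compose.yml` publishes `8084:9001` on all interfaces, so a client that talks to port 8084 directly can supply its own `X-Forwarded-*` headers, spoofing the logged IP and claiming plain HTTP to obtain cookies without the flag. Either publish the port on loopback only (`"127.0.0.1:8084:9001"`) so only the reverse proxy reaches it, or document that a host firewall is assumed, e.g. add above the key `// trustProxy is only safe while 8084 is reachable solely from the reverse proxy`.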
@@ -351,20 +340,20 @@ * follow the section "secure your installation" in README.md */ - /* "users": { "admin": { - // "password" can be replaced with "hash" if you install ep_hash_auth - "password": "changeme1", + // 1) "password" can be replaced with "hash" if you install ep_hash_auth + // 2) please note that if password is null, the user will not be created + "password": "${ADMIN_PASSWORD}", "is_admin": true }, "user": { - // "password" can be replaced with "hash" if you install ep_hash_auth - "password": "changeme1", + // 1) "password" can be replaced with "hash" if you install ep_hash_auth + // 2) please note that if password is null, the user will not be created + "password": "${USER_PASSWORD}", "is_admin": false } }, - */ /* * Restrict socket.io transport methods @@ -419,12 +408,12 @@ */ "exposeVersion": false, - /* + /* * The log level we are using. * * Valid values: DEBUG, INFO, WARN, ERROR */ - "loglevel": "INFO", + "loglevel": "${LOGLEVEL:INFO}", /* * Logging configuration. See log4js documentation for further information: diff --git a/grafana/Dockerfile b/grafana/Dockerfile new file mode 100644 index 0000000..d83025b --- /dev/null +++ b/grafana/Dockerfile @@ -0,0 +1,14 @@ +FROM grafana/grafana + +ENV GF_SERVER_ROOT_URL=https://grafana.auro.re +ENV GF_SESSION_COOKIE_SECURE=true +ENV GF_ANALYTICS_REPORTING_ENABLED=false +ENV GF_SNAPSHOTS_EXTERNAL_ENABLED=false +ENV GF_USERS_ALLOW_SIGN_UP=false +ENV GF_USERS_ALLOW_ORG_CREATE=false +ENV GF_AUTH_BASIC_ENABLED=false +ENV GF_AUTH_LDAP_ENABLED=true +ENV GF_AUTH_LDAP_CONFIG_FILE=/etc/grafana/ldap.toml + +COPY ldap.toml /etc/grafana/ldap.toml + diff --git a/grafana/docker-compose.yml b/grafana/docker-compose.yml deleted file mode 100644 index ef2e785..0000000 --- a/grafana/docker-compose.yml +++ /dev/null 
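Review bot: Uncommenting the `users` block turns `"password": "${ADMIN_PASSWORD}"` and `"${USER_PASSWORD}"` into live settings, yet neither variable is passed in the top-level `docker-compose.yml` nor listed in `env.example`, so whether an admin account exists now depends entirely on the substitution rule the comment describes (null → user not created). If no admin UI is intended, say so right above the block, `// ADMIN_PASSWORD is deliberately unset: no /admin account is created`; if `/admin` is wanted, wire it like the other secrets (`- "ADMIN_PASSWORD=${ETHERPAD_ADMIN_PASSWD}"` in the compose environment plus an `env.example` entry) so it is never typed into this file.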
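Review bot: `FROM grafana/grafana` carries no tag, so every `docker-compose up --build` pulls whatever `latest` is at that moment and can silently move the instance across a major Grafana version; pin a tag (ideally a digest) and bump it deliberately. That matters for `ENV GF_SESSION_COOKIE_SECURE=true` in particular: it targets the `[session]` section, which newer Grafana releases replaced by `[security] cookie_secure` (`GF_SECURITY_COOKIE_SECURE`), so on a recent image the old key is likely ignored and the login cookie goes out without the `Secure` flag — confirm against the version actually pulled and set both if in doubt. `COPY ldap.toml` bakes the LDAP config into the image, which is acceptable only because this commit replaces the bind password in that file with `${ENV_PASSWORD}`; a one-line comment above the `COPY` stating that invariant would stop someone from pasting a real password back in.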
@@ -1,29 +0,0 @@ -# For the moment, the LDAP password need to be in ldap.toml -# In the future, we will be able to make a secret -# See https://github.com/grafana/grafana/pull/17526 - -version: "3.7" - -services: - grafana: - image: grafana/grafana - environment: - - GF_SERVER_ROOT_URL=https://grafana.auro.re - - GF_SESSION_COOKIE_SECURE=true - - GF_ANALYTICS_REPORTING_ENABLED=false - - GF_SNAPSHOTS_EXTERNAL_ENABLED=false - - GF_USERS_ALLOW_SIGN_UP=false - - GF_USERS_ALLOW_ORG_CREATE=false - - GF_AUTH_BASIC_ENABLED=false - - GF_AUTH_LDAP_ENABLED=true - - GF_AUTH_LDAP_CONFIG_FILE=/etc/grafana/ldap.toml - - # Install Grafana plugins at startup - - GF_INSTALL_PLUGINS=grafana-worldmap-panel - volumes: - - ./data_grafana:/var/lib/grafana - - ./ldap.toml:/etc/grafana/ldap.toml:ro - ports: - - 8082:3000 - restart: always - diff --git a/grafana/ldap.toml b/grafana/ldap.toml index 6f60911..2bd64e9 100644 --- a/grafana/ldap.toml +++ b/grafana/ldap.toml @@ -23,7 +23,7 @@ ssl_skip_verify = false bind_dn = "cn=grafana,ou=service-users,dc=auro,dc=re" # Search user bind password # If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;""" -bind_password = 'CHANGE ME IN PRODUCTION, I WILL DIFFER !' +bind_password = '${ENV_PASSWORD}' # User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)" search_filter = "(cn=%s)" @@ -50,7 +50,7 @@ email = "mail" group_dn = "cn=sudoldap,ou=posix,ou=groups,dc=auro,dc=re" org_role = "Admin" # To make user an instance admin (Grafana Admin) uncomment line below -grafana_admin = true +# grafana_admin = true # The Grafana organization database id, optional, if left out the default org (id 1) will be used # org_id = 1 diff --git a/privatebin/docker-compose.yml b/privatebin/docker-compose.yml deleted file mode 100644 index 328c8b4..0000000 --- a/privatebin/docker-compose.yml +++ /dev/null 
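Review bot: `bind_password = '${ENV_PASSWORD}'` depends on Grafana expanding environment variables inside ldap.toml, a feature the comment in the `grafana/docker-compose.yml` deleted by this same commit still describes as future work (grafana/grafana#17526); on a build without it the literal string is sent as the bind password and every LDAP login fails — the safe failure, but an obscure one. Record the requirement above the line, `# Requires a Grafana build with env-var expansion in ldap.toml (grafana/grafana#17526)`, and pin the image in `grafana/Dockerfile` to a version that has it. `ENV_PASSWORD` is also a very generic name for a process-wide variable visible in `docker inspect`; `GF_LDAP_BIND_PASSWORD` (matching `GRAFANA_LDAP_BIND_PASSWD` in `.env`) would make its purpose obvious.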
@@ -1,11 +0,0 @@
-version: "3.7"
-
-services:
- privatebin:
- image: privatebin/nginx-fpm-alpine
- volumes:
- - ./data_privatebin:/srv/data
- ports:
- - 8083:80
- restart: always
-
diff --git a/prometheus-alertmanager-discord/Dockerfile b/prometheus-alertmanager-discord/Dockerfile
new file mode 100644
index 0000000..5489508
--- /dev/null
+++ b/prometheus-alertmanager-discord/Dockerfile
@@ -0,0 +1,43 @@
+# Built following https://medium.com/@chemidy/create-the-smallest-and-secured-golang-docker-image-based-on-scratch-4752223b7324
+
+# STEP 1 build executable binary
+FROM golang:alpine as builder
+
+# BUILD_DATE and VCS_REF are immaterial, since this is a 2-stage build, but our build
+# hook won't work unless we specify the args
+ARG BUILD_DATE
+ARG VCS_REF
+
+# Install SSL ca certificates
+RUN apk update && apk add git && apk add ca-certificates
+# Create appuser
+RUN adduser -D -g '' appuser
+COPY . $GOPATH/src/mypackage/myapp/
+WORKDIR $GOPATH/src/mypackage/myapp/
+#get dependancies
+RUN go get -d -v
+#build the binary
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -installsuffix cgo -ldflags="-w -s" -o /go/bin/alertmanager-discord
+
+
+# STEP 2 build a small image
+# start from scratch
+FROM scratch
+# Now we DO need these, for the auto-labeling of the image
+ARG BUILD_DATE
+ARG VCS_REF
+
+# Good docker practice, plus we get microbadger badges
+LABEL org.label-schema.build-date=$BUILD_DATE \ org.label-schema.vcs-url="https://github.com/funkypenguin/alertmanager-discord.git" \ org.label-schema.vcs-ref=$VCS_REF \ org.label-schema.schema-version="2.2-r1"
+
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=builder /etc/passwd /etc/passwd
+# Copy our static executable
+COPY --from=builder /go/bin/alertmanager-discord /go/bin/alertmanager-discord
+
+EXPOSE 9094
+USER appuser
+ENTRYPOINT ["/go/bin/alertmanager-discord"]
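Review bot: `RUN go get -d -v` resolves dependencies at build time with no lock file, so the build is not reproducible and anything the code imports in the future is pulled unpinned from the network; the `main.go` added alongside imports only the standard library, so today the step is a no-op and can be dropped, or replaced by a committed `go.mod`/`go.sum` and `RUN go mod download` once third-party code appears. `FROM golang:alpine` is likewise untagged, so the compiler version changes under you silently; pin it (tag or digest). `COPY --from=builder /etc/passwd /etc/passwd` works for `USER appuser` but also ships the root and all alpine system entries into the scratch image; copying just the one line keeps the runtime image minimal: `RUN grep '^appuser:' /etc/passwd > /tmp/passwd` in the builder and `COPY --from=builder /tmp/passwd /etc/passwd`.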
diff --git a/prometheus-alertmanager-discord/main.go b/prometheus-alertmanager-discord/main.go
new file mode 100644
index 0000000..944dc73
--- /dev/null
+++ b/prometheus-alertmanager-discord/main.go
@@ -0,0 +1,82 @@
+package main
+
+import (
+ "bytes"
+ "encoding/json"
+ "flag"
+ "fmt"
+ "os"
+ "io/ioutil"
+ "net/http"
+)
+
+type alertManOut struct {
+ Alerts []struct {
+ Annotations struct {
+ Description string `json:"description"`
+ Summary string `json:"summary"`
+ } `json:"annotations"`
+ EndsAt string `json:"endsAt"`
+ GeneratorURL string `json:"generatorURL"`
+ Labels map[string]string `json:"labels"`
+ StartsAt string `json:"startsAt"`
+ Status string `json:"status"`
+ } `json:"alerts"`
+ CommonAnnotations struct {
+ Summary string `json:"summary"`
+ } `json:"commonAnnotations"`
+ CommonLabels struct {
+ Alertname string `json:"alertname"`
+ } `json:"commonLabels"`
+ ExternalURL string `json:"externalURL"`
+ GroupKey string `json:"groupKey"`
+ GroupLabels struct {
+ Alertname string `json:"alertname"`
+ } `json:"groupLabels"`
+ Receiver string `json:"receiver"`
+ Status string `json:"status"`
+ Version string `json:"version"`
+}
+
+type discordOut struct {
+ Content string `json:"content"`
+ Name string `json:"username"`
+}
+
+func main() {
+ webhookUrl := os.Getenv("DISCORD_WEBHOOK")
+ if webhookUrl == "" {
+ fmt.Fprintf(os.Stderr, "error: environment variable DISCORD_WEBHOOK not found\n")
+ os.Exit(1)
+ }
+ whURL := flag.String("webhook.url", webhookUrl, "")
+ flag.Parse()
+ fmt.Fprintf(os.Stdout, "info: Listening on 0.0.0.0:9094\n")
+ http.ListenAndServe(":9094", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ b, err := ioutil.ReadAll(r.Body)
+ if err != nil {
+ panic(err)
+ }
+
+ amo := alertManOut{}
+ err = json.Unmarshal(b, &amo)
+ if err != nil {
+ panic(err)
+ }
+
+ // Format alerts
+ Content := "\n"
+ for _, alert := range amo.Alerts {
+ Content += fmt.Sprintf("*%s* **%s** %s\n", alert.Labels["alertname"], alert.Labels["severity"], alert.Annotations.Summary)
+ }
+
+ // Send to Discord
+ DO := discordOut{
+ Name: "Prometheus 🦋️",
+ Content: Content,
+ }
+ DOD, _ := json.Marshal(DO)
+ http.Post(*whURL, "application/json",
bytes.NewReader(DOD))
+ }))
+}
+
diff --git a/prometheus-alertmanager/Dockerfile b/prometheus-alertmanager/Dockerfile
new file mode 100644
index 0000000..03dcac5
--- /dev/null
+++ b/prometheus-alertmanager/Dockerfile
@@ -0,0 +1,3 @@
+FROM prom/alertmanager
+
+COPY alertmanager.yml /etc/alertmanager/alertmanager.yml
diff --git a/prometheus-alertmanager/alertmanager.yml b/prometheus-alertmanager/alertmanager.yml
new file mode 100644
index 0000000..a8186d4
--- /dev/null
+++ b/prometheus-alertmanager/alertmanager.yml
@@ -0,0 +1,61 @@
+# See https://prometheus.io/docs/alerting/configuration/ for documentation.
+
+global:
+ # The smarthost and SMTP sender used for mail notifications.
+ smtp_smarthost: 'localhost:25'
+ smtp_from: 'alertmanager@example.org'
+ #smtp_auth_username: 'alertmanager'
+ #smtp_auth_password: 'password'
+ # The auth token for Hipchat.
+ hipchat_auth_token: '1234556789'
+ # Alternative host for Hipchat.
+ hipchat_api_url: 'https://hipchat.foobar.org/'
+
+# The directory from which notification templates are read.
+templates:
+- '/etc/prometheus/alertmanager_templates/*.tmpl'
+
+# The root route on which each incoming alert enters.
+route:
+ # The labels by which incoming alerts are grouped together. For example,
+ # multiple alerts coming in for cluster=A and alertname=LatencyHigh would
+ # be batched into a single group.
+ group_by: ['instance'] # group per instance
+
+ # When a new group of alerts is created by an incoming alert, wait at
+ # least 'group_wait' to send the initial notification.
+ # This way ensures that you get multiple alerts for the same group that start
+ # firing shortly after another are batched together on the first
+ # notification.
+ group_wait: 30s
+
+ # When the first notification was sent, wait 'group_interval' to send a batch
+ # of new alerts that started firing for that group.
+ group_interval: 5m
+
+ # If an alert has successfully been sent, wait 'repeat_interval' to
+ # resend them.
+ repeat_interval: 12h
+
+ # A default receiver
+ receiver: webhook
+
+
+# Inhibition rules allow to mute a set of alerts given that another alert is
+# firing.
+# We use this to mute any warning-level notifications if the same alert is
+# already critical.
+inhibit_rules:
+- source_match:
+ severity: 'critical'
+ target_match:
+ severity: 'warning'
+ # Apply inhibition if the alertname is the same.
+ equal: ['alertname', 'cluster', 'service']
+
+
+receivers:
+- name: 'webhook'
+ webhook_configs:
+ - url: 'http://prometheus-alertmanager-discord:9094'
+ send_resolved: true
diff --git a/riot/Dockerfile b/riot/Dockerfile
new file mode 100644
index 0000000..bdbf29b
--- /dev/null
+++ b/riot/Dockerfile
@@ -0,0 +1,5 @@
+FROM vectorim/riot-web
+
+# Customize instance settings and background
+COPY config.json /app/config.json
+COPY bg.jpg /app/bg.jpg
diff --git a/riot/docker-compose.yml b/riot/docker-compose.yml
deleted file mode 100644
index 2eea68d..0000000
--- a/riot/docker-compose.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-version: "3"
-
-services:
- riot:
- image: vectorim/riot-web
- volumes:
- - ./config.json:/app/config.json:ro
- - ./bg.jpg:/app/bg.jpg:ro
- # - ./welcome.html:/app/welcome.html:ro
- ports:
- - 8080:80
- restart: always
-
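Review bot: The `global` block keeps the upstream example's `hipchat_auth_token: '1234556789'` and `hipchat_api_url`, which no receiver in this file uses; a fake token in committed config trips secret scanners, and Alertmanager dropped HipChat support in a later release, so with the untagged `prom/alertmanager` image those two keys may be rejected as unknown fields and keep the container from starting — verify against the version actually pulled, and delete them together with the unused `smtp_*` example values. The sole receiver posts to `http://prometheus-alertmanager-discord:9094` with no `http_config` credentials, which is acceptable only because that service publishes no host port in the top-level `docker-compose.yml`; state that dependency next to the URL, `# unauthenticated: bridge is reachable only on the compose network`. `templates` points at `/etc/prometheus/alertmanager_templates/*.tmpl`, whereas the Dockerfile installs the config under `/etc/alertmanager/`; an unmatched glob is harmless but the path is misleading.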