Use a unified docker-compose file

This commit is contained in:
erdnaxe 2020-02-02 23:55:37 +01:00
parent 370e8dc871
commit 47b7980502
29 changed files with 354 additions and 525 deletions

2
.gitignore vendored
View file

@ -1,2 +1,2 @@
data_*
*_data
.env

View file

@ -4,15 +4,14 @@ Ensemble des recettes Docker d'Aurore.
L'idée est de pouvoir redonder les services « légers » entre les résidences.
Pour lancer un service, aller dans le dossier puis
Pour lancer un service, cloner le repo, aller dans le dossier puis
`sudo docker-compose up --build -d`.
## Fichiers à protéger
Les fichiers suivant ne doivent être lisibles que par root :
* les fichiers `.env` (s'inspirer des `example.env`)
* grafana/ldap.toml
* le fichier `.env` (s'inspirer de `example.env`)
* django-cas/docker-compose.yml
Mettez dedans les mots de passe de base de données ou du LDAP.

View file

@ -1,44 +0,0 @@
# From https://github.com/codimd/container/
version: '3'
services:
database:
# Don't upgrade PostgreSQL by simply changing the version number
# You need to migrate the Database to the new PostgreSQL version
image: postgres:9.6-alpine
environment:
POSTGRES_USER: codimd
POSTGRES_PASSWORD: codimdpass
POSTGRES_DB: codimd
volumes:
- ./data_db:/var/lib/postgresql/data
restart: always
app:
image: quay.io/codimd/server:1.4.0
environment:
DEBUG: "false"
CMD_DB_URL: "postgres://codimd:codimdpass@database:5432/codimd"
CMD_URL_ADDPORT: "false"
CMD_EMAIL: "false"
CMD_DOMAIN: "${DOMAIN}"
CMD_PROTOCOL_USESSL: "true"
CMD_USECDN: "false"
CMD_ALLOW_FREEURL: "true"
CMD_IMAGE_UPLOAD_TYPE: "filesystem"
CMD_LDAP_URL: "${LDAP_URL}"
CMD_LDAP_BINDDN: "${LDAP_BINDDN}"
CMD_LDAP_BINDCREDENTIALS: "${LDAP_BINDCREDENTIALS}"
CMD_LDAP_SEARCHBASE: "${LDAP_SEARCHBASE}"
CMD_LDAP_SEARCHFILTER: "(uid={{username}})"
CMD_LDAP_SEARCHATTRIBUTES: "uid, givenName, mail"
CMD_LDAP_USERIDFIELD: "uid"
CMD_LDAP_USERNAMEFIELD: "uid"
CMD_LDAP_PROVIDERNAME: "${LDAP_PROVIDERNAME}"
ports:
- "8081:3000"
volumes:
- ./data_uploads:/codimd/public/uploads
restart: always
depends_on:
- database

View file

@ -1,6 +0,0 @@
DOMAIN=codimd.auro.re
LDAP_URL=ldap://10.128.0.11
LDAP_BINDDN=cn=codimd,ou=service-users,dc=auro,dc=re
LDAP_BINDCREDENTIALS=Change me
LDAP_SEARCHBASE=cn=Utilisateurs,dc=auro,dc=re
LDAP_PROVIDERNAME=Aurore

View file

@ -1,27 +0,0 @@
# Django CAS server Dockerfile
#
# https://github.com/nitmir/django-cas-server
#
# Author: erdnaxe
FROM debian:buster-slim
RUN apt-get update && apt-get install -y \
python3-pip \
python3-django \
python3-lxml \
python3-requests \
python3-requests-futures \
python3-six \
python3-psycopg2 \
python3-whitenoise \
python3-ldap3 \
gunicorn3
RUN pip3 install django-cas-server
COPY ./code /code/
WORKDIR /code/
EXPOSE 8000
ENTRYPOINT ["./docker-entrypoint.sh"]

View file

@ -1,176 +0,0 @@
"""
Django settings for cas project.
Generated by 'django-admin startproject' using Django 1.11.
For more information on this file, see
https://docs.djangoproject.com/en/1.11/topics/settings/
For the full list of settings and their values, see
https://docs.djangoproject.com/en/1.11/ref/settings/
"""
import os
# Build paths inside the project like this: os.path.join(BASE_DIR, ...)
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
# Quick-start development settings - unsuitable for production
# See https://docs.djangoproject.com/en/1.11/howto/deployment/checklist/
# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = os.getenv('DJANGO_SECRET_KEY')
# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = os.getenv('DJANGO_DEBUG', False)
ALLOWED_HOSTS = [os.getenv('DJANGO_HOST')]
# Suivi des erreurs sur root@
EMAIL_SUBJECT_PREFIX = "[CAS] "
ADMINS = (
('Intranet', 'root@crans.org'),
)
# Application definition
INSTALLED_APPS = [
'django.contrib.admin',
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.messages',
'django.contrib.staticfiles',
'cas_server',
]
MIDDLEWARE = [
'django.middleware.security.SecurityMiddleware',
'whitenoise.middleware.WhiteNoiseMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
'django.middleware.locale.LocaleMiddleware',
]
ROOT_URLCONF = 'cas.urls'
TEMPLATES = [
{
'BACKEND': 'django.template.backends.django.DjangoTemplates',
'DIRS': [],
'APP_DIRS': True,
'OPTIONS': {
'context_processors': [
'django.template.context_processors.debug',
'django.template.context_processors.request',
'django.contrib.auth.context_processors.auth',
'django.contrib.messages.context_processors.messages',
],
},
},
]
WSGI_APPLICATION = 'cas.wsgi.application'
# Database
# https://docs.djangoproject.com/en/1.11/ref/settings/#databases
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.postgresql',
'NAME': os.getenv('DJANGO_DB_NAME'),
'HOST': os.getenv('DJANGO_DB_HOST'),
'USER': os.getenv('DJANGO_DB_USER'),
'PASSWORD': os.getenv('DJANGO_DB_PASSWORD'),
}
}
# Password validation
# https://docs.djangoproject.com/en/1.11/ref/settings/#auth-password-validators
AUTH_PASSWORD_VALIDATORS = [
{
'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
},
{
'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
},
{
'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
},
{
'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
},
]
# Internationalization
# https://docs.djangoproject.com/en/1.11/topics/i18n/
LANGUAGE_CODE = 'en-us'
TIME_ZONE = 'UTC'
USE_I18N = True
USE_L10N = True
USE_TZ = True
# Static files (CSS, JavaScript, Images)
# https://docs.djangoproject.com/en/1.11/howto/static-files/
STATIC_URL = '/static/'
# Below are custom parameters
STATICFILES_STORAGE = 'whitenoise.storage.CompressedManifestStaticFilesStorage'
STATICFILES_DIRS = [os.path.join(BASE_DIR, "static")]
STATIC_ROOT = os.path.join(BASE_DIR, "staticfiles")
CAS_AUTH_CLASS = "cas_server.auth.LdapAuthUser"
CAS_LDAP_SERVER = os.getenv('DJANGO_CAS_LDAP_SERVER')
CAS_LDAP_USER = os.getenv('DJANGO_CAS_LDAP_USER')
CAS_LDAP_PASSWORD = os.getenv('DJANGO_CAS_LDAP_PASSWORD')
CAS_LDAP_BASE_DN = os.getenv('DJANGO_CAS_LDAP_BASE_DN')
CAS_INFO_MESSAGES_ORDER = ["cas_explained"]
SESSION_COOKIE_AGE = 86400
SESSION_EXPIRE_AT_BROWSER_CLOSE = True
SESSION_COOKIE_HTTPONLY = True
LOGGING = {
'version': 1,
'disable_existing_loggers': False,
'formatters': {
'cas_syslog': {
'format': 'cas: %(levelname)s %(message)s'
},
},
'handlers': {
'cas_syslog': {
'level': 'INFO',
'class': 'logging.handlers.SysLogHandler',
'address': '/dev/log',
'formatter': 'cas_syslog',
},
},
'loggers': {
'cas_server': {
'handlers': ['cas_syslog'],
'level': 'INFO',
'propagate': True,
},
},
}

View file

@ -1,23 +0,0 @@
"""cas URL Configuration
The `urlpatterns` list routes URLs to views. For more information please see:
https://docs.djangoproject.com/en/1.11/topics/http/urls/
Examples:
Function views
1. Add an import: from my_app import views
2. Add a URL to urlpatterns: url(r'^$', views.home, name='home')
Class-based views
1. Add an import: from other_app.views import Home
2. Add a URL to urlpatterns: url(r'^$', Home.as_view(), name='home')
Including another URLconf
1. Import the include() function: from django.conf.urls import url, include
2. Add a URL to urlpatterns: url(r'^blog/', include('blog.urls'))
"""
from django.conf.urls import include, url
from django.contrib import admin
urlpatterns = [
url(r'^admin/', admin.site.urls),
url(r'^', include('cas_server.urls', namespace="cas_server")),
]

View file

@ -1,16 +0,0 @@
"""
WSGI config for cas project.
It exposes the WSGI callable as a module-level variable named ``application``.
For more information on this file, see
https://docs.djangoproject.com/en/1.11/howto/deployment/wsgi/
"""
import os
from django.core.wsgi import get_wsgi_application
os.environ.setdefault("DJANGO_SETTINGS_MODULE", "cas.settings")
application = get_wsgi_application()

View file

@ -1,14 +0,0 @@
#!/bin/bash
# Collect static files
echo "Collect static files"
python3 manage.py collectstatic --noinput
# Apply database migrations
echo "Apply database migrations"
sleep 5 # wait for db
python3 manage.py migrate
# Start server
echo "Starting server"
gunicorn3 cas.wsgi:application --bind 0.0.0.0:8000 --workers 2 --log-level debug

View file

@ -1,22 +0,0 @@
#!/usr/bin/env python
import os
import sys
if __name__ == "__main__":
os.environ.setdefault("DJANGO_SETTINGS_MODULE", "cas.settings")
try:
from django.core.management import execute_from_command_line
except ImportError:
# The above import may fail for some other reason. Ensure that the
# issue is really that Django is missing to avoid masking other
# exceptions on Python 2.
try:
import django
except ImportError:
raise ImportError(
"Couldn't import Django. Are you sure it's installed and "
"available on your PYTHONPATH environment variable? Did you "
"forget to activate a virtual environment?"
)
raise
execute_from_command_line(sys.argv)

Binary file not shown.

Before

Width:  |  Height:  |  Size: 126 KiB

View file

@ -1,35 +0,0 @@
version: '3.7'
services:
database:
# Don't upgrade PostgreSQL by simply changing the version number
# You need to migrate the Database to the new PostgreSQL version
image: postgres:9.6-alpine
environment:
POSTGRES_USER: cas
POSTGRES_PASSWORD: caspass
POSTGRES_DB: cas
volumes:
- ./data_db:/var/lib/postgresql/data
restart: always
cas:
build:
context: .
environment:
DJANGO_DB_NAME: cas
DJANGO_DB_HOST: database
DJANGO_DB_USER: cas
DJANGO_DB_PASSWORD: caspass
DJANGO_SECRET_KEY: "Please change me in production !"
DJANGO_HOST: localhost
DJANGO_CAS_LDAP_SERVER: "re2o-ldap.adm.auro.re"
DJANGO_CAS_LDAP_USER: "cn=cas,ou=service-users,dc=auro,dc=re"
DJANGO_CAS_LDAP_PASSWORD: "Change me in prod !"
DJANGO_CAS_LDAP_BASE_DN: "cn=Utilisateurs,dc=auro,dc=re"
ports:
- "8085:8000"
restart: always
depends_on:
- database

55
docker-compose.yml Normal file
View file

@ -0,0 +1,55 @@
version: "3"
services:
riot:
build: riot
restart: always
ports:
- 8080:80
privatebin:
image: privatebin/nginx-fpm-alpine
restart: always
volumes:
- ./privatebin_data:/srv/data
ports:
- 8083:80
etherpad:
build: etherpad
restart: always
environment:
- "POSTGRES_PASSWORD=${ETHERPAD_POSTGRES_PASSWD}"
ports:
- 8084:9001
grafana:
build: grafana
restart: always
environment:
- "ENV_PASSWORD=${GRAFANA_LDAP_BIND_PASSWD}"
volumes:
- ./grafana_data:/var/lib/grafana
ports:
- 8082:3000
matrix-appservice-discord:
image: halfshot/matrix-appservice-discord
restart: always
volumes:
- ./matrix-appservice-discord_data:/data
- ./matrix-appservice-discord_data/discord.db:/discord.db
ports:
- 9005:9005
prometheus-alertmanager:
build: prometheus-alertmanager
restart: always
ports:
- 9093:9093
prometheus-alertmanager-discord:
build: prometheus-alertmanager-discord
restart: always
environment:
- "DISCORD_WEBHOOK=${PROMETHEUS_DISCORD_WEBHOOK}"

4
env.example Normal file
View file

@ -0,0 +1,4 @@
# Copy this as .env and make it only readable by root
ETHERPAD_POSTGRES_PASSWD=CHANGE ME
GRAFANA_LDAP_BIND_PASSWD=CHANGE ME
PROMETHEUS_DISCORD_WEBHOOK=CHANGE ME

6
etherpad/Dockerfile Normal file
View file

@ -0,0 +1,6 @@
FROM etherpad/etherpad
# Change instance settings
ENV NODE_ENV=production
ENV TRUST_PROXY=true
COPY settings.json /opt/etherpad-lite/settings.json

View file

@ -1,15 +0,0 @@
version: "3"
services:
etherpad:
image: etherpad/etherpad
environment:
- NODE_ENV=production
- POSTGRES_USER=etherpad
- "POSTGRES_PASSWORD=${POSTGRES_PASSWD}"
- POSTGRES_DB=etherpad
ports:
- 8084:9001
volumes:
- ./settings.json:/opt/etherpad-lite/settings.json:ro
restart: always

View file

@ -1 +0,0 @@
POSTGRES_PASSWD=asupersecurepassword

View file

@ -22,6 +22,7 @@
*
* Would read the configuration values for those items from the environment
* variables PORT, MINIFY and SKIN_NAME.
*
* If PORT and SKIN_NAME variables were not defined, the default values 9001 and
* "colibris" would be used. The configuration value "minify", on the other
* hand, does not have a default indicated. Thus, if the environment variable
@ -50,13 +51,13 @@
/*
* Name your instance!
*/
"title": "Etherpad",
"title": "${TITLE:Etherpad}",
/*
* favicon default name
* alternatively, set up a fully specified Url to your own favicon
*/
"favicon": "favicon.ico",
"favicon": "${FAVICON:favicon.ico}",
/*
* Skin name.
@ -69,20 +70,20 @@
* - "colibris": the new experimental skin (since Etherpad 1.8), candidate to
* become the default in Etherpad 2.0
*/
"skinName": "no-skin",
"skinName": "${SKIN_NAME:colibris}",
/*
* IP and port which etherpad should bind at
*/
"ip": "0.0.0.0",
"port" : 9001,
"ip": "${IP:0.0.0.0}",
"port": "${PORT:9001}",
/*
* Option to hide/show the settings.json in admin page.
*
* Default option is set to true
*/
"showSettingsInAdminPage" : true,
"showSettingsInAdminPage": "${SHOW_SETTINGS_IN_ADMIN_PAGE:true}",
/*
* Node native SSL support
@ -118,33 +119,15 @@
* https://www.npmjs.com/package/ueberdb2
*/
"dbType" : "postgres",
"dbSettings" : {
"user" : "${POSTGRES_USER}",
"host" : "10.128.0.31",
"port" : 5432,
"password": "${POSTGRES_PASSWORD}",
"database": "${POSTGRES_DB}"
"dbType": "postgres",
"dbSettings": {
"host": "10.128.0.31",
"port": 5432,
"database": "etherpad",
"user": "etherpad",
"password": "${POSTGRES_PASSWORD}"
},
/*
* An Example of MySQL Configuration (commented out).
*
* See: https://github.com/ether/etherpad-lite/wiki/How-to-use-Etherpad-Lite-with-MySQL
*/
/*
"dbType" : "mysql",
"dbSettings" : {
"user" : "etherpaduser",
"host" : "localhost",
"port" : 3306,
"password": "PASSWORD",
"database": "etherpad_lite_db",
"charset" : "utf8mb4"
},
*/
/*
* The default text of a pad
*/
@ -173,40 +156,40 @@
* Pad Shortcut Keys
*/
"padShortcutEnabled" : {
"altF9" : true, /* focus on the File Menu and/or editbar */
"altC" : true, /* focus on the Chat window */
"cmdShift2" : true, /* shows a gritter popup showing a line author */
"delete" : true,
"return" : true,
"esc" : true, /* in mozilla versions 14-19 avoid reconnecting pad */
"cmdS" : true, /* save a revision */
"tab" : true, /* indent */
"cmdZ" : true, /* undo/redo */
"cmdY" : true, /* redo */
"cmdI" : true, /* italic */
"cmdB" : true, /* bold */
"cmdU" : true, /* underline */
"cmd5" : true, /* strike through */
"cmdShiftL" : true, /* unordered list */
"cmdShiftN" : true, /* ordered list */
"cmdShift1" : true, /* ordered list */
"cmdShiftC" : true, /* clear authorship */
"cmdH" : true, /* backspace */
"ctrlHome" : true, /* scroll to top of pad */
"pageUp" : true,
"pageDown" : true
"altF9": true, /* focus on the File Menu and/or editbar */
"altC": true, /* focus on the Chat window */
"cmdShift2": true, /* shows a gritter popup showing a line author */
"delete": true,
"return": true,
"esc": true, /* in mozilla versions 14-19 avoid reconnecting pad */
"cmdS": true, /* save a revision */
"tab": true, /* indent */
"cmdZ": true, /* undo/redo */
"cmdY": true, /* redo */
"cmdI": true, /* italic */
"cmdB": true, /* bold */
"cmdU": true, /* underline */
"cmd5": true, /* strike through */
"cmdShiftL": true, /* unordered list */
"cmdShiftN": true, /* ordered list */
"cmdShift1": true, /* ordered list */
"cmdShiftC": true, /* clear authorship */
"cmdH": true, /* backspace */
"ctrlHome": true, /* scroll to top of pad */
"pageUp": true,
"pageDown": true
},
/*
* Should we suppress errors from being visible in the default Pad Text?
*/
"suppressErrorsInPadText" : false,
"suppressErrorsInPadText": false,
/*
* If this option is enabled, a user must have a session to access pads.
* This effectively allows only group pads to be accessed.
*/
"requireSession" : false,
"requireSession": false,
/*
* Users may edit pads but not create new ones.
@ -214,13 +197,13 @@
* Pad creation is only via the API.
* This applies both to group pads and regular pads.
*/
"editOnly" : false,
"editOnly": false,
/*
* If set to true, those users who have a valid session will automatically be
* granted access to password protected pads.
*/
"sessionNoPassword" : false,
"sessionNoPassword": false,
/*
* If true, all css & js will be minified before sending to the client.
@ -228,7 +211,7 @@
* This will improve the loading performance massively, but makes it difficult
* to debug the javascript/css
*/
"minify" : true,
"minify": true,
/*
* How long may clients use served javascript code (in seconds)?
@ -236,7 +219,7 @@
* Not setting this may cause problems during deployment.
* Set to 0 to disable caching.
*/
"maxAge" : 21600, // 60 * 60 * 6 = 6 hours
"maxAge": 21600, // 60 * 60 * 6 = 6 hours
/*
* Absolute path to the Abiword executable.
@ -245,7 +228,7 @@
* it to null disables Abiword and will only allow plain text and HTML
* import/exports.
*/
"abiword" : null,
"abiword": null,
/*
* This is the absolute path to the soffice executable.
@ -253,7 +236,7 @@
* LibreOffice can be used in lieu of Abiword to export pads.
* Setting it to null disables LibreOffice exporting.
*/
"soffice" : null,
"soffice": null,
/*
* Path to the Tidy executable.
@ -261,35 +244,41 @@
* Tidy is used to improve the quality of exported pads.
* Setting it to null disables Tidy.
*/
"tidyHtml" : null,
"tidyHtml": null,
/*
* Allow import of file types other than the supported ones:
* txt, doc, docx, rtf, odt, html & htm
*/
"allowUnknownFileEnds" : true,
"allowUnknownFileEnds": true,
/*
* This setting is used if you require authentication of all users.
*
* Note: "/admin" always requires authentication.
*/
"requireAuthentication" : false,
"requireAuthentication": false,
/*
* Require authorization by a module, or a user with is_admin set, see below.
*/
"requireAuthorization" : false,
"requireAuthorization": false,
/*
* When you use NGINX or another proxy/load-balancer set this to true.
*
* This is especially necessary when the reverse proxy performs SSL
* termination, otherwise the cookies will not have the "secure" flag.
*
* The other effect will be that the logs will contain the real client's IP,
* instead of the reverse proxy's IP.
*/
"trustProxy" : false,
"trustProxy": "${TRUST_PROXY:false}",
/*
* Privacy: disable IP logging
*/
"disableIPlogging" : false,
"disableIPlogging": false,
/*
* Time (in seconds) to automatically reconnect pad when a "Force reconnect"
@ -297,7 +286,7 @@
*
* Set to 0 to disable automatic reconnection.
*/
"automaticReconnectionTimeout" : 0,
"automaticReconnectionTimeout": 0,
/*
* By default, when caret is moved out of viewport, it scrolls the minimum
@ -351,20 +340,20 @@
* follow the section "secure your installation" in README.md
*/
/*
"users": {
"admin": {
// "password" can be replaced with "hash" if you install ep_hash_auth
"password": "changeme1",
// 1) "password" can be replaced with "hash" if you install ep_hash_auth
// 2) please note that if password is null, the user will not be created
"password": "${ADMIN_PASSWORD}",
"is_admin": true
},
"user": {
// "password" can be replaced with "hash" if you install ep_hash_auth
"password": "changeme1",
// 1) "password" can be replaced with "hash" if you install ep_hash_auth
// 2) please note that if password is null, the user will not be created
"password": "${USER_PASSWORD}",
"is_admin": false
}
},
*/
/*
* Restrict socket.io transport methods
@ -424,7 +413,7 @@
*
* Valid values: DEBUG, INFO, WARN, ERROR
*/
"loglevel": "INFO",
"loglevel": "${LOGLEVEL:INFO}",
/*
* Logging configuration. See log4js documentation for further information:

14
grafana/Dockerfile Normal file
View file

@ -0,0 +1,14 @@
FROM grafana/grafana
ENV GF_SERVER_ROOT_URL=https://grafana.auro.re
ENV GF_SESSION_COOKIE_SECURE=true
ENV GF_ANALYTICS_REPORTING_ENABLED=false
ENV GF_SNAPSHOTS_EXTERNAL_ENABLED=false
ENV GF_USERS_ALLOW_SIGN_UP=false
ENV GF_USERS_ALLOW_ORG_CREATE=false
ENV GF_AUTH_BASIC_ENABLED=false
ENV GF_AUTH_LDAP_ENABLED=true
ENV GF_AUTH_LDAP_CONFIG_FILE=/etc/grafana/ldap.toml
COPY ldap.toml /etc/grafana/ldap.toml

View file

@ -1,29 +0,0 @@
# For the moment, the LDAP password need to be in ldap.toml
# In the future, we will be able to make a secret
# See https://github.com/grafana/grafana/pull/17526
version: "3.7"
services:
grafana:
image: grafana/grafana
environment:
- GF_SERVER_ROOT_URL=https://grafana.auro.re
- GF_SESSION_COOKIE_SECURE=true
- GF_ANALYTICS_REPORTING_ENABLED=false
- GF_SNAPSHOTS_EXTERNAL_ENABLED=false
- GF_USERS_ALLOW_SIGN_UP=false
- GF_USERS_ALLOW_ORG_CREATE=false
- GF_AUTH_BASIC_ENABLED=false
- GF_AUTH_LDAP_ENABLED=true
- GF_AUTH_LDAP_CONFIG_FILE=/etc/grafana/ldap.toml
# Install Grafana plugins at startup
- GF_INSTALL_PLUGINS=grafana-worldmap-panel
volumes:
- ./data_grafana:/var/lib/grafana
- ./ldap.toml:/etc/grafana/ldap.toml:ro
ports:
- 8082:3000
restart: always

View file

@ -23,7 +23,7 @@ ssl_skip_verify = false
bind_dn = "cn=grafana,ou=service-users,dc=auro,dc=re"
# Search user bind password
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
bind_password = 'CHANGE ME IN PRODUCTION, I WILL DIFFER !'
bind_password = '${ENV_PASSWORD}'
# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
search_filter = "(cn=%s)"
@ -50,7 +50,7 @@ email = "mail"
group_dn = "cn=sudoldap,ou=posix,ou=groups,dc=auro,dc=re"
org_role = "Admin"
# To make user an instance admin (Grafana Admin) uncomment line below
grafana_admin = true
# grafana_admin = true
# The Grafana organization database id, optional, if left out the default org (id 1) will be used
# org_id = 1

View file

@ -1,11 +0,0 @@
version: "3.7"
services:
privatebin:
image: privatebin/nginx-fpm-alpine
volumes:
- ./data_privatebin:/srv/data
ports:
- 8083:80
restart: always

View file

@ -0,0 +1,43 @@
# Built following https://medium.com/@chemidy/create-the-smallest-and-secured-golang-docker-image-based-on-scratch-4752223b7324
# STEP 1 build executable binary
FROM golang:alpine as builder
# BUILD_DATE and VCS_REF are immaterial, since this is a 2-stage build, but our build
# hook won't work unless we specify the args
ARG BUILD_DATE
ARG VCS_REF
# Install SSL ca certificates
RUN apk update && apk add git && apk add ca-certificates
# Create appuser
RUN adduser -D -g '' appuser
COPY . $GOPATH/src/mypackage/myapp/
WORKDIR $GOPATH/src/mypackage/myapp/
#get dependancies
RUN go get -d -v
#build the binary
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -installsuffix cgo -ldflags="-w -s" -o /go/bin/alertmanager-discord
# STEP 2 build a small image
# start from scratch
FROM scratch
# Now we DO need these, for the auto-labeling of the image
ARG BUILD_DATE
ARG VCS_REF
# Good docker practice, plus we get microbadger badges
LABEL org.label-schema.build-date=$BUILD_DATE \
org.label-schema.vcs-url="https://github.com/funkypenguin/alertmanager-discord.git" \
org.label-schema.vcs-ref=$VCS_REF \
org.label-schema.schema-version="2.2-r1"
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /etc/passwd /etc/passwd
# Copy our static executable
COPY --from=builder /go/bin/alertmanager-discord /go/bin/alertmanager-discord
EXPOSE 9094
USER appuser
ENTRYPOINT ["/go/bin/alertmanager-discord"]

View file

@ -0,0 +1,82 @@
package main
import (
"bytes"
"encoding/json"
"flag"
"fmt"
"os"
"io/ioutil"
"net/http"
)
type alertManOut struct {
Alerts []struct {
Annotations struct {
Description string `json:"description"`
Summary string `json:"summary"`
} `json:"annotations"`
EndsAt string `json:"endsAt"`
GeneratorURL string `json:"generatorURL"`
Labels map[string]string `json:"labels"`
StartsAt string `json:"startsAt"`
Status string `json:"status"`
} `json:"alerts"`
CommonAnnotations struct {
Summary string `json:"summary"`
} `json:"commonAnnotations"`
CommonLabels struct {
Alertname string `json:"alertname"`
} `json:"commonLabels"`
ExternalURL string `json:"externalURL"`
GroupKey string `json:"groupKey"`
GroupLabels struct {
Alertname string `json:"alertname"`
} `json:"groupLabels"`
Receiver string `json:"receiver"`
Status string `json:"status"`
Version string `json:"version"`
}
type discordOut struct {
Content string `json:"content"`
Name string `json:"username"`
}
func main() {
webhookUrl := os.Getenv("DISCORD_WEBHOOK")
if webhookUrl == "" {
fmt.Fprintf(os.Stderr, "error: environment variable DISCORD_WEBHOOK not found\n")
os.Exit(1)
}
whURL := flag.String("webhook.url", webhookUrl, "")
flag.Parse()
fmt.Fprintf(os.Stdout, "info: Listening on 0.0.0.0:9094\n")
http.ListenAndServe(":9094", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
b, err := ioutil.ReadAll(r.Body)
if err != nil {
panic(err)
}
amo := alertManOut{}
err = json.Unmarshal(b, &amo)
if err != nil {
panic(err)
}
// Format alerts
Content := "\n"
for _, alert := range amo.Alerts {
Content += fmt.Sprintf("*%s* **%s** %s\n", alert.Labels["alertname"], alert.Labels["severity"], alert.Annotations.Summary)
}
// Send to Discord
DO := discordOut{
Name: "Prometheus 🦋️",
Content: Content,
}
DOD, _ := json.Marshal(DO)
http.Post(*whURL, "application/json", bytes.NewReader(DOD))
}))
}

View file

@ -0,0 +1,3 @@
FROM prom/alertmanager
COPY alertmanager.yml /etc/alertmanager/alertmanager.yml

View file

@ -0,0 +1,61 @@
# See https://prometheus.io/docs/alerting/configuration/ for documentation.
global:
# The smarthost and SMTP sender used for mail notifications.
smtp_smarthost: 'localhost:25'
smtp_from: 'alertmanager@example.org'
#smtp_auth_username: 'alertmanager'
#smtp_auth_password: 'password'
# The auth token for Hipchat.
hipchat_auth_token: '1234556789'
# Alternative host for Hipchat.
hipchat_api_url: 'https://hipchat.foobar.org/'
# The directory from which notification templates are read.
templates:
- '/etc/prometheus/alertmanager_templates/*.tmpl'
# The root route on which each incoming alert enters.
route:
# The labels by which incoming alerts are grouped together. For example,
# multiple alerts coming in for cluster=A and alertname=LatencyHigh would
# be batched into a single group.
group_by: ['instance'] # group per instance
# When a new group of alerts is created by an incoming alert, wait at
# least 'group_wait' to send the initial notification.
# This way ensures that you get multiple alerts for the same group that start
# firing shortly after another are batched together on the first
# notification.
group_wait: 30s
# When the first notification was sent, wait 'group_interval' to send a batch
# of new alerts that started firing for that group.
group_interval: 5m
# If an alert has successfully been sent, wait 'repeat_interval' to
# resend them.
repeat_interval: 12h
# A default receiver
receiver: webhook
# Inhibition rules allow to mute a set of alerts given that another alert is
# firing.
# We use this to mute any warning-level notifications if the same alert is
# already critical.
inhibit_rules:
- source_match:
severity: 'critical'
target_match:
severity: 'warning'
# Apply inhibition if the alertname is the same.
equal: ['alertname', 'cluster', 'service']
receivers:
- name: 'webhook'
webhook_configs:
- url: 'http://prometheus-alertmanager-discord:9094'
send_resolved: true

5
riot/Dockerfile Normal file
View file

@ -0,0 +1,5 @@
FROM vectorim/riot-web
# Customize instance settings and background
COPY config.json /app/config.json
COPY bg.jpg /app/bg.jpg

View file

@ -1,13 +0,0 @@
version: "3"
services:
riot:
image: vectorim/riot-web
volumes:
- ./config.json:/app/config.json:ro
- ./bg.jpg:/app/bg.jpg:ro
# - ./welcome.html:/app/welcome.html:ro
ports:
- 8080:80
restart: always