diff --git a/.env b/ external_ports_config_http/.env similarity index 100% rename from .env rename to external_ports_config_http/.env diff --git a/docker-compose.yml b/ external_ports_config_http/docker-compose.yml similarity index 100% rename from docker-compose.yml rename to external_ports_config_http/docker-compose.yml diff --git a/minio/minio-bucket-policy.json b/ external_ports_config_http/minio/minio-bucket-policy.json similarity index 100% rename from minio/minio-bucket-policy.json rename to external_ports_config_http/minio/minio-bucket-policy.json diff --git a/minio/minio-user-policy.json b/ external_ports_config_http/minio/minio-user-policy.json similarity index 100% rename from minio/minio-user-policy.json rename to external_ports_config_http/minio/minio-user-policy.json diff --git a/nginx/default.conf.tmpl b/ external_ports_config_http/nginx/default.conf.tmpl similarity index 100% rename from nginx/default.conf.tmpl rename to external_ports_config_http/nginx/default.conf.tmpl diff --git a/postgres/init-keycloak-db.sh b/ external_ports_config_http/postgres/init-keycloak-db.sh similarity index 100% rename from postgres/init-keycloak-db.sh rename to external_ports_config_http/postgres/init-keycloak-db.sh diff --git a/external_ports_https_v2/.env b/external_ports_https_v2/.env new file mode 100644 index 0000000..6fb638d --- /dev/null +++ b/external_ports_https_v2/.env @@ -0,0 +1,147 @@ +########## Обязательные переменные ########## + +# Система Yonote поставляется с несколькими дополнительными сервисами: +# - PostgreSQL - основная БД для хранения данных +# - Keycloak - сервер авторизации +# - Minio - S3 файловое хранилище +# - Redis - key-value хранилище +# - Nginx - используется как reverse-proxy для всех сервисов +# +# Мы рекомендуем для каждого сервиса (кроме nginx) создать поддомены: +# Если мы хотим, чтобы Yonote был доступен по адресу domain.ru -> 80.11.121.12 (пример), +# то необходимо также создать следующие DNS записи для корректной работы системы: +# - domain.ru -> 80.11.121.12 +# - auth.domain.ru -> domain.ru +# - s3.domain.ru -> domain.ru +# +# Если вы запускаете сервис с HTTPS, +# необходимо соответсвенно поменять на https:// и wss:// + +### Keycloak +AUTH_VERSION=latest + +# Адрес сервера авторизации (с http/https) +KC_YNT_HOST=auth.demoqtech.ru +KC_YNT_HOST_PROTOCOL=https:// +KC_YNT_EXTERNAL_PORT=9443 # Внешний порт обращения по адресу +KC_YNT_URL=${KC_YNT_HOST_PROTOCOL}${KC_YNT_HOST}:${KC_YNT_EXTERNAL_PORT} # Адрес для клиентской стороны +KC_YNT_INTERNAL_URL=${KC_YNT_HOST_PROTOCOL}${KC_YNT_HOST} # Адрес для серверной стороны + +# Подключение к базе данных (база создается автоматически) +KC_DB=keycloak +KC_DB_USERNAME=keycloak +KC_DB_PASSWORD= + +# Настройка клиента авторизации (ключ от OIDC провайдера) +KC_CLIENT_SECRET= + +# Адрес сервера S3/Minio (с http/https) +MINIO_YNT_HOST=s3.demoqtech.ru +MINIO_ADMIN_YNT_HOST=s3-admin.demoqtech.ru +MINIO_YNT_EXTERNAL_PORT=9443 +MINIO_YNT_HOST_PROTOCOL=https:// +MINIO_YNT_URL=${MINIO_YNT_HOST_PROTOCOL}${MINIO_YNT_HOST}:${MINIO_YNT_EXTERNAL_PORT} +MINIO_ADMIN_YNT_URL=${MINIO_YNT_HOST_PROTOCOL}${MINIO_ADMIN_YNT_HOST}:${MINIO_YNT_EXTERNAL_PORT} +# Логин и пароль для администратора S3 (пользователь создается автоматически) +MINIO_ADMIN_USERNAME=admin +MINIO_ADMIN_PASSWORD= + +# Адрес для Yonote (укажите домен или адрес сервера) +BASENAME_FOR_SUBDOMAIN=demoqtech.ru:9443 +YNT_HTTP_PROTOCOL=https:// +YNT_WEBSOCKET_PROTOCOL=wss:// +# YNT_INTERNAL_URL=app.kb.demoqtech.ru + +### OAuth/OIDC (Keycloak) - сервер авторизации +KC_USERNAME=admin +KC_PASSWORD= + +### S3 совместимое хранилище (Minio) +MINIO_ACCESS_KEY_ID=yonote +MINIO_SECRET_ACCESS_KEY= + +### Yonote +APP_VERSION=latest + +# Данные для подключения к БД (БД и пользователь будут созданны автоматически) +YNT_DB_NAME=yonote +YNT_DB_USER=postgres +YNT_DB_PASSWORD= + +# Максимальный размер одно файла для загрузки в хранилище (в байтах) +AWS_S3_UPLOAD_MAX_SIZE=226214400 + +# Ключ шыфрования (32 байта). Рекомендуем использовать команду ниже для генерации ключа: +# `openssl rand -hex 32` +# храните данный ключ в надежном месте +SECRET_KEY= + +# Уникальный random ключ. Используется для различных крипто-функций, +# рекомендуем так же использовать команду ниже для генерации ключа: +# `openssl rand -hex 32` +UTILS_SECRET= + +# SMTP сервер +SMTP_HOST= +SMTP_PORT= +SMTP_USERNAME= +SMTP_PASSWORD= +SMTP_FROM_EMAIL= +SMTP_REPLY_EMAIL= +SMTP_TLS_CIPHERS= +SMTP_SECURE= + +# Лицензионный ключ +# Для получения, обратитесь в отдел продаж hello@yonote.ru +LICENSE_KEY= + +############ OPTIONAL ################ + +# Производить редирект на HTTPS если запрос пришел на HTTP +FORCE_HTTPS=false + +# Отслеживать появление новых версий +ENABLE_UPDATES=false + +# Как много подпроцессов множно запускать. +# Самый простой вариант подсчета: разделить доступный объем памяти сервера на 512Мб +WEB_CONCURRENCY=1 + +# Максимальный размер файла импорта (Для импорта из Notion, Confluence и тд) +MAXIMUM_IMPORT_SIZE=5120000 + +# Логировать HTTP запросы. +# DEBUG=http + +# Список почтовых доменов с которых разрешена регистрация. Домены разделяются запятыми. +# По умолчанию разрешены любые домены +# ALLOWED_DOMAINS= + +# Отправка отчетов об ошибках разработчикам. +# Закомментируйте, если не хотите делиться отчетами об ошибках +SENTRY_DSN=https://5bdaaba1cf8043ba9cc43933b65f3b46@sentry.wilix.dev/7 + +# Логотип команды, который будет отображаться при входе в систему. +# Будет уменьшен до height: 60px +# TEAM_LOGO=https://example.com/images/logo.png + +# Язык по умолчанию +DEFAULT_LANGUAGE=ru_RU + +# Ключи для отправки WEB Push уведомлений +# Инструкция по получению ключей https://yo.yonote.ru/share/onprem/doc/ustanovka-i-nastrojka-KbTxPbAUoo#h-generaciya-klyuchej-web-push-service-worker +SERVICE_WORKER_PUBLIC_KEY= +SERVICE_WORKER_PRIVATE_KEY= + +# Интеграция с Telegram. Если TELEGRAM_BOT_TOKEN не указан, то интеграция отключена +# Инструкция по настройке https://yo.yonote.ru/share/onprem/doc/integraciya-s-telegram-9d2l0erXGN +# TELEGRAM_BOT_TOKEN= +# TELEGRAM_BOT_URL= + +# Интеграция с Loop https://loop.ru/. Если LOOP_KEY не указан, то интеграция отключена +# LOOP_KEY= +# LOOP_SECRET= +# LOOP_VERIFICATION_TOKEN= +# LOOP_MESSAGE_ACTIONS=true + +OPENAI_API_KEY=123 \ No newline at end of file diff --git a/external_ports_https_v2/docker-compose.yml b/external_ports_https_v2/docker-compose.yml new file mode 100644 index 0000000..39d2ec8 --- /dev/null +++ b/external_ports_https_v2/docker-compose.yml @@ -0,0 +1,176 @@ +services: + yonote: + container_name: yonote + image: images.updates.yonote.ru/yonote:${APP_VERSION} + env_file: + - .env + ports: + - "3000" + depends_on: + - postgres + - redis + - keycloak + - s3 + command: yarn start:selfhosted + environment: + BIND_HOST: 0.0.0.0 + PORT: 3000 + URL: ${YNT_HTTP_PROTOCOL}app.${BASENAME_FOR_SUBDOMAIN} + COLLABORATION_URL: ${YNT_WEBSOCKET_PROTOCOL}app.${BASENAME_FOR_SUBDOMAIN} + DATABASE_URL: postgres://${YNT_DB_USER}:${YNT_DB_PASSWORD}@postgres:5432/${YNT_DB_NAME} + OIDC_CLIENT_ID: yonote + OIDC_CLIENT_SECRET: ${KC_CLIENT_SECRET} + OIDC_AUTH_URI: ${KC_YNT_URL}/realms/yonote/protocol/openid-connect/auth + OIDC_TOKEN_URI: ${KC_YNT_INTERNAL_URL}/realms/yonote/protocol/openid-connect/token + OIDC_USERINFO_URI: ${KC_YNT_INTERNAL_URL}/realms/yonote/protocol/openid-connect/userinfo + OIDC_LOGOUT_URI: ${KC_YNT_URL}/realms/yonote/protocol/openid-connect/logout + AWS_S3_UPLOAD_BUCKET_URL: ${MINIO_YNT_URL} + AWS_ACCESS_KEY_ID: ${MINIO_ACCESS_KEY_ID} + AWS_SECRET_ACCESS_KEY: ${MINIO_SECRET_ACCESS_KEY} + AWS_S3_UPLOAD_BUCKET_NAME: yonote-bucket + AWS_REGION: xx-xxxx-x + TELEGRAM_API_URL: https://api.telegram.org + OIDC_DISPLAY_NAME: email + OIDC_SCOPES: openid email + REDIS_URL: redis://redis:6379 + PGSSLMODE: disable + USE_LEGACY_LOGOUT: true + AWS_S3_FORCE_PATH_STYLE: true + AWS_S3_ACL: private + NODE_TLS_REJECT_UNAUTHORIZED: 0 + SUBDOMAINS_ENABLED: true + volumes: + - ./License.key:/opt/yonote/License.key + networks: + - yonote-network + external_links: + - "nginx:${KC_YNT_HOST}" + + redis: + container_name: redis + image: redis:7-alpine + restart: unless-stopped + user: "redis:redis" + networks: + - yonote-network + + postgres: + container_name: postgres + image: postgres:14 + restart: unless-stopped + environment: + POSTGRES_DB: ${YNT_DB_NAME} + POSTGRES_USER: ${YNT_DB_USER} + POSTGRES_PASSWORD: ${YNT_DB_PASSWORD} + KC_DB_USERNAME: ${KC_DB_USERNAME} + KC_DB_PASSWORD: ${KC_DB_PASSWORD} + user: "postgres:postgres" + volumes: + - ./db-data:/var/lib/postgresql/data + - ./postgres/init-keycloak-db.sh:/docker-entrypoint-initdb.d/init-keycloak-db.sh + networks: + - yonote-network + + s3: + container_name: minio + image: minio/minio:RELEASE.2022-08-26T19-53-15Z + restart: unless-stopped + environment: + MINIO_ROOT_USER: ${MINIO_ADMIN_USERNAME} + MINIO_ROOT_PASSWORD: ${MINIO_ADMIN_PASSWORD} + MINIO_BROWSER_REDIRECT_URL: ${MINIO_ADMIN_YNT_URL} + command: server --address :9000 --console-address :9001 /data + ports: + - "9000" + - "9001" + volumes: + - ./s3-data:/data + # - minio:/data + networks: + - yonote-network + + s3-client: + container_name: minio-client + image: minio/mc:RELEASE.2022-08-28T20-08-11Z + volumes: + - ./minio:/tmp/policies + environment: + MINIO_ACCESS_KEY_ID: ${MINIO_ACCESS_KEY_ID} + MINIO_SECRET_ACCESS_KEY: ${MINIO_SECRET_ACCESS_KEY} + MINIO_ADMIN_USERNAME: ${MINIO_ADMIN_USERNAME} + MINIO_ADMIN_PASSWORD: ${MINIO_ADMIN_PASSWORD} + entrypoint: > + /bin/sh -c " + /usr/bin/mc config host add myminio http://minio:9000 ${MINIO_ADMIN_USERNAME} ${MINIO_ADMIN_PASSWORD}; + /usr/bin/mc mb myminio/yonote-bucket; + /usr/bin/mc policy set-json /tmp/policies/minio-bucket-policy.json myminio/yonote-bucket; + /usr/bin/mc admin user add myminio ${MINIO_ACCESS_KEY_ID} ${MINIO_SECRET_ACCESS_KEY}; + /usr/bin/mc admin policy add myminio yonote-policy /tmp/policies/minio-user-policy.json; + /usr/bin/mc admin policy set myminio yonote-policy user=${MINIO_ACCESS_KEY_ID}; + exit 0; + " + networks: + - yonote-network + depends_on: + - nginx + + keycloak: + container_name: keycloak + image: images.updates.yonote.ru/yonote-keycloak:${AUTH_VERSION} + ports: + - "8080" + environment: + KC_HOSTNAME: ${KC_YNT_HOST} + KC_HOSTNAME_PORT: ${KC_YNT_EXTERNAL_PORT} + OIDC_CLIENT_SECRET: ${KC_CLIENT_SECRET} + YNT_HTTP_PROTOCOL: ${YNT_HTTP_PROTOCOL} + BASENAME_FOR_SUBDOMAIN: app.${BASENAME_FOR_SUBDOMAIN} + KEYCLOAK_ADMIN: ${KC_USERNAME} + KEYCLOAK_ADMIN_PASSWORD: ${KC_PASSWORD} + KC_DB: postgres + KC_DB_URL: jdbc:postgresql://postgres:5432/keycloak + KC_DB_USERNAME: ${KC_DB_USERNAME} + KC_DB_PASSWORD: ${KC_DB_PASSWORD} + KC_PROXY_ADDRESS_FORWARDING: true + PROXY_ADDRESS_FORWARDING: true + KC_PROXY: edge + KC_HOSTNAME_STRICT: false + command: start --spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true --import-realm + networks: + - yonote-network + depends_on: + - postgres + + nginx: + container_name: nginx + image: nginx + ports: + - 80:80 + - 443:443 + environment: + BASENAME_FOR_SUBDOMAIN: ${BASENAME_FOR_SUBDOMAIN} + MINIO_YNT_HOST: ${MINIO_YNT_HOST} + MINIO_ADMIN_YNT_HOST: ${MINIO_ADMIN_YNT_HOST} + KC_YNT_HOST: ${KC_YNT_HOST} + DOLLAR: "$" + volumes: + - ./nginx/default.conf.tmpl:/etc/nginx/conf.d/default.conf.tmpl + - ./nginx/server.crt.pem:/etc/nginx/ssl/server.crt.pem + - ./nginx/server.key.pem:/etc/nginx/ssl/server.key.pem + networks: + yonote-network: + depends_on: + - postgres + - redis + - keycloak + - s3 + - yonote + command: /bin/bash -c "envsubst < /etc/nginx/conf.d/default.conf.tmpl > /etc/nginx/conf.d/default.conf && nginx -g 'daemon off;'" + +networks: + yonote-network: + name: yonote-internal-network + +volumes: + db: + minio: \ No newline at end of file diff --git a/external_ports_https_v2/minio/minio-bucket-policy.json b/external_ports_https_v2/minio/minio-bucket-policy.json new file mode 100644 index 0000000..2c90ee0 --- /dev/null +++ b/external_ports_https_v2/minio/minio-bucket-policy.json @@ -0,0 +1,33 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": [ + "*" + ] + }, + "Action": [ + "s3:GetBucketLocation" + ], + "Resource": [ + "arn:aws:s3:::yonote-bucket" + ] + }, + { + "Effect": "Allow", + "Principal": { + "AWS": [ + "*" + ] + }, + "Action": [ + "s3:GetObject" + ], + "Resource": [ + "arn:aws:s3:::yonote-bucket/*" + ] + } + ] +} \ No newline at end of file diff --git a/external_ports_https_v2/minio/minio-user-policy.json b/external_ports_https_v2/minio/minio-user-policy.json new file mode 100644 index 0000000..c16709f --- /dev/null +++ b/external_ports_https_v2/minio/minio-user-policy.json @@ -0,0 +1,17 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "VisualEditor", + "Effect": "Allow", + "Action": [ + "s3:DeleteObject", + "s3:GetObject", + "s3:PutObject" + ], + "Resource": [ + "arn:aws:s3:::yonote-bucket/*" + ] + } + ] +} \ No newline at end of file diff --git a/external_ports_https_v2/nginx/default.conf.tmpl b/external_ports_https_v2/nginx/default.conf.tmpl new file mode 100644 index 0000000..cbaec7f --- /dev/null +++ b/external_ports_https_v2/nginx/default.conf.tmpl @@ -0,0 +1,169 @@ +server { + server_name ${BASENAME_FOR_SUBDOMAIN} ${MINIO_YNT_HOST} ${MINIO_ADMIN_YNT_HOST} ${KC_YNT_HOST}; + listen 80; + return 301 https://${DOLLAR}host${DOLLAR}request_uri; +} + +server { + server_name ${BASENAME_FOR_SUBDOMAIN}; + listen 443 ssl; + + ssl_certificate /etc/nginx/ssl/server.crt.pem; + ssl_certificate_key /etc/nginx/ssl/server.key.pem; + + proxy_http_version 1.1; + proxy_busy_buffers_size 512k; + proxy_buffers 4 512k; + proxy_buffer_size 256k; + proxy_connect_timeout 75s; + + location / { + proxy_pass http://yonote:3000; + proxy_set_header Host ${DOLLAR}host; + proxy_set_header Connection ''; + chunked_transfer_encoding off; + proxy_cache off; + } + + location ^~/realtime { + proxy_http_version 1.1; + proxy_set_header Upgrade ${DOLLAR}http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host ${DOLLAR}host; + proxy_pass http://yonote:3000; + } + location ^~/collaboration { + proxy_http_version 1.1; + proxy_set_header Upgrade ${DOLLAR}http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host ${DOLLAR}host; + proxy_pass http://yonote:3000; + } +} + +server { + listen 443 ssl; + listen [::]:443 ssl; + server_name ${MINIO_YNT_HOST}; + + ssl_certificate /etc/nginx/ssl/server.crt.pem; + ssl_certificate_key /etc/nginx/ssl/server.key.pem; + + # To allow special characters in headers + ignore_invalid_headers off; + # Allow any size file to be uploaded. + # Set to a value such as 1000m; to restrict file size to a specific value + client_max_body_size 0; + # To disable buffering + proxy_buffering off; + + # Use Docker DNS + # You might not need this section but in case you need to resolve + # docker service names inside the container then this can be useful. + # resolver 127.0.0.11 valid=10s; + # resolver_timeout 5s; + + # Apparently the following line might prevent caching of DNS lookups + # and force nginx to resolve the name on each request via the internal + # Docker DNS. + # set ${DOLLAR}upstream "s3"; + + # Proxy requests to the Minio API on port 9000 + location / { + proxy_pass http://s3:9000; + + proxy_set_header X-Real-IP ${DOLLAR}remote_addr; + proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme; + proxy_set_header Host ${DOLLAR}http_host; + + proxy_connect_timeout 300; + + # To support websocket + # Default is HTTP/1, keepalive is only enabled in HTTP/1.1 + proxy_http_version 1.1; + proxy_set_header Upgrade ${DOLLAR}http_upgrade; + proxy_set_header Connection "upgrade"; + chunked_transfer_encoding off; + } +} + +server { + listen 443 ssl; + listen [::]:443 ssl; + server_name ${MINIO_ADMIN_YNT_HOST}; + + ssl_certificate /etc/nginx/ssl/server.crt.pem; + ssl_certificate_key /etc/nginx/ssl/server.key.pem; + + # To allow special characters in headers + ignore_invalid_headers off; + # Allow any size file to be uploaded. + # Set to a value such as 1000m; to restrict file size to a specific value + client_max_body_size 0; + # To disable buffering + proxy_buffering off; + + # Use Docker DNS + # You might not need this section but in case you need to resolve + # docker service names inside the container then this can be useful. + # resolver 127.0.0.11 valid=10s; + # resolver_timeout 5s; + + # Apparently the following line might prevent caching of DNS lookups + # and force nginx to resolve the name on each request via the internal + # Docker DNS. + # set ${DOLLAR}upstream "s3"; + + # Minio Console (UI) + location / { + # This was really the key for me. Even though the Nginx docs say + # that with a URI part in the `proxy_pass` directive, the `/console/` + # URI should automatically be rewritten, this wasn't working for me. + # rewrite ^/console/(.*)${DOLLAR} /${DOLLAR}1 break; + + proxy_pass http://s3:9001; + + proxy_set_header X-Real-IP ${DOLLAR}remote_addr; + proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme; + proxy_set_header Host ${DOLLAR}http_host; + + proxy_connect_timeout 300; + proxy_set_header Connection ""; + chunked_transfer_encoding off; + + # To support websocket + proxy_http_version 1.1; + proxy_set_header Upgrade ${DOLLAR}http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Origin ''; + } +} + +server { + server_name ${KC_YNT_HOST}; + listen 443 ssl; + + ssl_certificate /etc/nginx/ssl/server.crt.pem; + ssl_certificate_key /etc/nginx/ssl/server.key.pem; + + proxy_http_version 1.1; + proxy_busy_buffers_size 512k; + proxy_buffers 4 512k; + proxy_buffer_size 256k; + proxy_read_timeout 300s; + proxy_connect_timeout 75s; + + proxy_set_header Host ${DOLLAR}host; # to forward the original host requested by the client + proxy_set_header X-Real-IP ${DOLLAR}remote_addr; + proxy_set_header X-Forwarded-Host ${DOLLAR}host; + proxy_set_header X-Forwarded-Port 9443; + proxy_set_header X-Forwarded-Server ${DOLLAR}host; + proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; # To forward the original client's IP address + proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme; # to forward the original protocol (HTTP or HTTPS) + + location / { + proxy_pass http://keycloak:8080; + } +} \ No newline at end of file diff --git a/external_ports_https_v2/postgres/init-keycloak-db.sh b/external_ports_https_v2/postgres/init-keycloak-db.sh new file mode 100644 index 0000000..e74ed6f --- /dev/null +++ b/external_ports_https_v2/postgres/init-keycloak-db.sh @@ -0,0 +1,8 @@ +#!/bin/bash +set -e + +psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL +CREATE DATABASE keycloak; +CREATE USER ${KC_DB_USERNAME} WITH PASSWORD '${KC_DB_PASSWORD}'; +GRANT ALL PRIVILEGES ON DATABASE keycloak TO ${KC_DB_USERNAME}; +EOSQL \ No newline at end of file