diff --git a/README.md b/README.md index 2d1ead1..c94696b 100644 --- a/README.md +++ b/README.md @@ -8,26 +8,12 @@ Ce projet a pour but de déployer la stack workadventure (https://github.com/the Pour déployer cette stack, vous aurez besoin: - Une machine pour héberger le serveur (proc 3Ghz, 4Go ram minimum) -- Un nom de domaine pour pointer vers votre serveur +- Un nom de domaine pour pointer vers votre serveur (*.adventure.nom-de-domain.tld) - L'accès à votre box internet pour la redirection des ports ## Configuration / Installation -### Nginx proxy manager - -```bash -cd nginx-proxy-manager/ -docker-compose up -d -``` - -- L'interface est disponible à cette adresse: -http://your-ip-or-domain:81 - -- identifiants: - - user: admin@example.com - - mdp: changeme - -### Workadventure +### Configuration - Renseigner le nom de domaine aux quatres endroits: ```bash @@ -35,43 +21,9 @@ cd workadventure/ nano .env ``` -- Récupérer le endpoint de la stack: -```bash -docker network list -docker network inspect -``` - -### Nginx-proxy-manager 2 - -- Sur l'interface web du Nginx-proxy-manager créer une "Proxy Host entry" - -... IMAGE ... - -- Renseigner votre nom de domaine dans l'URL - -- Renseigner le endpoint dans la config du Nginx proxy manager avec le port 9999 - -- Cocher les cases Block Common Exploits et Websockets, puis sauvegarder - -... IMAGE ... - -- Créer les certificats SSL: - -... IMAGE 1 ... - -... IMAGE 2 ... - -... IMAGE 3 ... - -### Deployer +### Deployement ```bash -# NGINX PROXY MANAGER -cd nginx-proxy-manager/ -docker-compose up -d - -# WORKADVENTURE -cd workadventure/ docker-compose up -d ``` diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..e61b027 --- /dev/null +++ b/docker-compose.yml 
@@ -0,0 +1,268 @@ +version: "3.8" + +services: + + reverse-proxy: + image: traefik:v2.5.6 + container_name: adventure_traefik + command: + # for web ui traefik + - "--api.insecure=true" + - "--providers.docker=true" + - "--providers.docker.swarmmode=false" + - "--log.level=DEBUG" + - "--providers.docker.exposedByDefault=false" + - "--entryPoints.web.address=:80" + - "--entryPoints.websecure.address=:443" + - "--certificatesResolvers.le.acme.email=${ACME_EMAIL}" + - "--certificatesResolvers.le.acme.storage=/acme/acme.json" + - "--certificatesResolvers.le.acme.httpChallenge=true" + - "--certificatesResolvers.le.acme.httpChallenge.entryPoint=web" + - "--certificatesresolvers.le.acme.caserver=https://acme-v02.api.letsencrypt.org/directory" + ports: + - "443:443" + - "80:80" + # The Web UI (enabled by --api.insecure=true) + - "8082:8080" + volumes: + - /var/run/docker.sock:/var/run/docker.sock + - acme:/acme + networks: + adventure_net: + + front: + image: thecodingmachine/workadventure-front:v1.12.10 + environment: + DEBUG_MODE: "false" + JITSI_URL: "meet.jit.si" + JITSI_PRIVATE_MODE: "false" + PUSHER_URL: https://${PUSHER_URL} + CHAT_URL: https://${CHAT_URL} + ICON_URL: https://${ICON_URL} + # CHANGE ME ----------------------------------------------------- + TURN_SERVER: ${TURN_SERVER} + TURN_USER: ${TURN_USER} + TURN_PASSWORD: ${TURN_PASSWORD} + MAX_PER_GROUP: 4 + MAX_USERNAME_LENGTH: 15 + START_ROOM_URL: ${START_ROOM_URL} + ENABLE_OPENID: ${ENABLE_OPENID} + DISABLE_ANONYMOUS: ${DISABLE_ANONYMOUS} + ENABLE_CHAT: ${ENABLE_CHAT} + labels: + - traefik.enable=true + - traefik.http.routers.adventure-front.rule=Host(`play.${DOMAIN}`) + - traefik.http.routers.adventure-front.entryPoints=web + - traefik.http.services.adventure-front.loadbalancer.server.port=80 + - traefik.http.routers.adventure-front.middlewares=https_redirect + + - traefik.http.routers.adventure-front-ssl.rule=Host(`play.${DOMAIN}`) + - traefik.http.routers.adventure-front-ssl.entryPoints=websecure + - 
traefik.http.routers.adventure-front-ssl.tls=true + - traefik.http.routers.adventure-front-ssl.service=adventure-front + - traefik.http.routers.adventure-front-ssl.tls.certresolver=le + - traefik.http.routers.adventure-front-ssl.middlewares=redir + # middlewares + - traefik.http.middlewares.redir.redirectregex.regex=^https://www\.(.+) + - traefik.http.middlewares.redir.redirectregex.replacement=https://$${1} + - traefik.http.middlewares.redir.redirectregex.permanent=true + - traefik.http.middlewares.https_redirect.redirectscheme.scheme=https + - traefik.http.middlewares.https_redirect.redirectscheme.permanent=true + restart: unless-stopped + networks: + adventure_net: + + pusher: + image: thecodingmachine/workadventure-pusher:v1.12.10 + environment: + # SECRET_JITSI_KEY: "${SECRET_JITSI_KEY}" + SECRET_KEY: yourSecretKey + API_URL: back:50051 + # ADMIN_API_URL: "${ADMIN_API_URL}" + # ADMIN_API_TOKEN: "${ADMIN_API_TOKEN}" + JITSI_URL: ${JITSI_URL} + # JITSI_ISS: ${JITSI_ISS} + FRONT_URL : ${FRONT_URL} + ENABLE_CHAT: ${ENABLE_CHAT} + OPID_CLIENT_ID: ${OPID_CLIENT_ID} + OPID_CLIENT_SECRET: ${OPID_CLIENT_SECRET} + OPID_CLIENT_ISSUER: ${OPID_CLIENT_ISSUER} + OPID_CLIENT_REDIRECT_URL: ${OPID_CLIENT_REDIRECT_URL} + OPID_PROFILE_SCREEN_PROVIDER: ${OPID_PROFILE_SCREEN_PROVIDER} + DISABLE_ANONYMOUS: ${DISABLE_ANONYMOUS} + # OPID_USERNAME_CLAIM: ${OPID_USERNAME_CLAIM} + EJABBERD_API_URI: http://ejabberd:5443/api + EJABBERD_DOMAIN: ejabberd + EJABBERD_WS_URI: ws://ejabberd:5443/ws + EJABBERD_JWT_SECRET: mySecretJwtToken + START_ROOM_URL: "/_/global/garagenum.github.io/garage-wa-map/map.json" + labels: + - traefik.enable=true + - traefik.http.routers.adventure-pusher.rule=Host(`pusher.${DOMAIN}`) + - traefik.http.routers.adventure-pusher.entryPoints=web + - traefik.http.services.adventure-pusher.loadbalancer.server.port=8080 + - traefik.http.routers.adventure-pusher-ssl.rule=Host(`pusher.${DOMAIN}`) + - traefik.http.routers.adventure-pusher-ssl.entryPoints=websecure + - 
traefik.http.routers.adventure-pusher-ssl.tls=true + - traefik.http.routers.adventure-pusher-ssl.service=adventure-pusher + - traefik.http.routers.adventure-pusher-ssl.tls.certresolver=le + restart: unless-stopped + networks: + adventure_net: + + back: + image: thecodingmachine/workadventure-back:v1.12.10 + command: yarn run runprod + environment: + # SECRET_KEY: ${SECRET_KEY} + # SECRET_JITSI_KEY: "${SECRET_JITSI_KEY}" + ADMIN_API_TOKEN: "${ADMIN_API_TOKEN}" + ADMIN_API_URL: "${ADMIN_API_URL}" + JITSI_URL: ${JITSI_URL} + JITSI_ISS: "" + MAX_PER_GROUP: 4 + # TURN_STATIC_AUTH_SECRET: "${TURN_STATIC_AUTH_SECRET}" + REDIS_HOST: redis + ENABLE_CHAT: ${ENABLE_CHAT} + EJABBERD_API_URI: http://ejabberd:5443/api + EJABBERD_DOMAIN: //xmpp.${DOMAIN} + labels: + - traefik.enable=true + - traefik.http.routers.adventure-back.rule=Host(`api.${DOMAIN}`) + - traefik.http.routers.adventure-back.entryPoints=web + - traefik.http.services.adventure-back.loadbalancer.server.port=8080 + - traefik.http.routers.adventure-back-ssl.rule=Host(`api.${DOMAIN}`) + - traefik.http.routers.adventure-back-ssl.entryPoints=websecure + - traefik.http.routers.adventure-back-ssl.tls=true + - traefik.http.routers.adventure-back-ssl.service=adventure-back + - traefik.http.routers.adventure-back-ssl.tls.certresolver=le + restart: unless-stopped + networks: + adventure_net: + +# wont work for now + uploader: + image: thecodingmachine/workadventure-uploader:v1.12.10 + environment: + UPLOADER_URL: //uploader + #REDIS + REDIS_HOST: redis + REDIS_PORT: 6379 + UPLOADER_REDIS_DB_NUMBER: 0 + #CHAT + ADMIN_API_URL: + ENABLE_CHAT_UPLOAD: "false" + UPLOAD_MAX_FILESIZE: 10485760 + labels: + - traefik.enable=true + - traefik.http.routers.adventure-uploader.rule=Host(`uploader.${DOMAIN}`) + - traefik.http.routers.adventure-uploader.entryPoints=web + - traefik.http.services.adventure-uploader.loadbalancer.server.port=8080 + - traefik.http.routers.adventure-uploader-ssl.rule=Host(`uploader.${DOMAIN}`) + - 
traefik.http.routers.adventure-uploader-ssl.entryPoints=websecure + - traefik.http.routers.adventure-uploader-ssl.service=adventure-uploader + - traefik.http.routers.adventure-uploader-ssl.tls=true + - traefik.http.routers.adventure-uploader-ssl.tls.certresolver=le + networks: + adventure_net: + + chat: + image: thecodingmachine/workadventure-chat:v1.12.10 + environment: + PUSHER_URL: //pusher.${DOMAIN} + UPLOADER_URL: //uploader.${DOMAIN} + # EMBEDLY_KEY: ${EMBEDLY_KEY} + ENABLE_CHAT_UPLOAD: "false" + EJABBERD_DOMAIN: //xmpp.${DOMAIN} + ENABLE_OPENID: 1 + + labels: + - traefik.enable=true + - traefik.http.routers.adventure-chat.rule=Host(`chat.${DOMAIN}`) + - traefik.http.routers.adventure-chat.entryPoints=web + - traefik.http.services.adventure-chat.loadbalancer.server.port=80 + - traefik.http.routers.adventure-chat-ssl.rule=Host(`chat.${DOMAIN}`) + - traefik.http.routers.adventure-chat-ssl.entryPoints=websecure + - traefik.http.routers.adventure-chat-ssl.service=adventure-chat + - traefik.http.routers.adventure-chat-ssl.tls=true + - traefik.http.routers.adventure-chat-ssl.tls.certresolver=le + networks: + adventure_net: + + icon: + image: matthiasluedtke/iconserver:v3.13.0 + labels: + - traefik.enable=true + - traefik.http.routers.adventure-icon.rule=Host(`icon.${DOMAIN}`) + - traefik.http.routers.adventure-icon.entryPoints=web,traefik + - traefik.http.services.adventure-icon.loadbalancer.server.port=8080 + - traefik.http.routers.adventure-icon-ssl.rule=Host(`icon.${DOMAIN}`) + - traefik.http.routers.adventure-icon-ssl.entryPoints=websecure + - traefik.http.routers.adventure-icon-ssl.tls=true + - traefik.http.routers.adventure-icon-ssl.service=adventure-icon + - traefik.http.routers.adventure-icon-ssl.tls.certresolver=le + networks: + adventure_net: + + ejabberd: + container_name: adventure-ejabberd + image: ghcr.io/processone/ejabberd:22.05 + networks: + adventure_net: + volumes: + - ./ejabberd.yml:/opt/ejabberd/conf/ejabberd.yml + labels: + - 
traefik.enable=true + - traefik.http.routers.xmpp.rule=Host(`xmpp.${DOMAIN}`) + - traefik.http.routers.xmpp.entryPoints=web + - traefik.http.services.xmpp.loadbalancer.server.port=5380 + - traefik.http.routers.xmpp-ssl.rule=Host(`xmpp.${DOMAIN}`) + - traefik.http.routers.xmpp-ssl.entryPoints=websecure + - traefik.http.routers.xmpp-ssl.tls=true + - traefik.http.routers.xmpp-ssl.service=xmpp + + + redis: + container_name: adventure-redis + image: redis:6 + volumes: + - redisdata:/data + networks: + adventure_net: + + + coturn: + image: coturn/coturn:4.5.2 + command: + - turnserver + #- -c=/etc/coturn/turnserver.conf + - --log-file=stdout + + # change me + - --external-ip=92.243.20.228 + - --realm=turn.${DOMAIN} + - --server-name=turn.${DOMAIN} + + - --listening-port=3478 + - --min-port=10002 + - --max-port=10100 + - --tls-listening-port=5349 + - --listening-ip=0.0.0.0 + - --lt-cred-mech + # Enable Coturn REST API to validate temporary passwords. + #- --use-auth-secret + #- --static-auth-secret=SomeStaticAuthSecret + #- --userdb=/var/lib/turn/turndb + - --user=workadventure:WorkAdventure123 + # use real-valid certificate/privatekey files + #- --cert=/root/letsencrypt/fullchain.pem + #- --pkey=/root/letsencrypt/privkey.pem + network_mode: host + + +networks: + adventure_net: + +volumes: + acme: + redisdata: \ No newline at end of file diff --git a/ejabberd.yml b/ejabberd.yml new file mode 100644 index 0000000..f2db4c5 --- /dev/null +++ b/ejabberd.yml 
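Review bot: The Traefik dashboard is published on the host with `--api.insecure=true` and the `"8082:8080"` port mapping, in a container that also mounts `/var/run/docker.sock` and runs at `--log.level=DEBUG`, so an unauthenticated admin surface is reachable from outside the docker network; drop the `8082:8080` mapping or front the API with an authenticated router, and lower the log level for production. The same hunk hard-codes credentials that the rest of the file already reads from `.env`: `SECRET_KEY: yourSecretKey`, `EJABBERD_JWT_SECRET: mySecretJwtToken` and coturn's `--user=workadventure:WorkAdventure123` should become `${...}` references like `TURN_PASSWORD`, and the `SECRET_KEY` of `back` is commented out while `pusher` sets one, which presumably needs to match — confirm against the WorkAdventure docs. The `xmpp-ssl` router sets `tls=true` but, unlike every other `*-ssl` router here, no certificate resolver, so Traefik would serve its default certificate for `xmpp.${DOMAIN}`; add `- traefik.http.routers.xmpp-ssl.tls.certresolver=le`. Finally, `ADMIN_API_URL:` under `uploader` is a bare empty value (YAML null) and `chat` uses `ENABLE_OPENID: 1` where `front` uses `${ENABLE_OPENID}`; write `ADMIN_API_URL: ""` if an empty string is intended and take the flag from the same variable.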
@@ -0,0 +1,264 @@ +### +### ejabberd configuration file +### +### The parameters used in this configuration file are explained at +### +### https://docs.ejabberd.im/admin/configuration +### +hosts: + - ejabberd + +loglevel: 4 +log_rotate_size: 10485760 +log_rotate_count: 1 + +certfiles: + - /opt/ejabberd/conf/server.pem + +ca_file: "/opt/ejabberd/conf/cacert.pem" + +## When using let's encrypt to generate certificates +##certfiles: +## - /etc/letsencrypt/live/localhost/fullchain.pem +## - /etc/letsencrypt/live/localhost/privkey.pem +## +##ca_file: "/etc/letsencrypt/live/localhost/fullchain.pem" + +auth_method: + - anonymous +anonymous_protocol: login_anon +allow_multiple_connections: true + +#jwt_jid_field: "identifier" +#jwt_key: "/opt/ejabberd/conf/jwtKey" + +listen: + - + port: 5222 + ip: "::" + module: ejabberd_c2s + max_stanza_size: 262144 + shaper: c2s_shaper + access: c2s + starttls_required: true + - + port: 5269 + ip: "::" + module: ejabberd_s2s_in + max_stanza_size: 524288 + - + port: 5443 + ip: "::" + module: ejabberd_http + #tls: true + request_handlers: + "/admin": ejabberd_web_admin + "/api": mod_http_api + "/bosh": mod_bosh + "/captcha": ejabberd_captcha + "/upload": mod_http_upload + "/ws": ejabberd_http_ws + "/oauth": ejabberd_oauth + - + port: 5280 + ip: "::" + module: ejabberd_http + request_handlers: + #"/admin": ejabberd_web_admin + "/api": mod_http_api + "/bosh": mod_bosh + "/captcha": ejabberd_captcha + "/upload": mod_http_upload + "/ws": ejabberd_http_ws + "/oauth": ejabberd_oauth + - + port: 5380 + ip: "::" + module: ejabberd_http + request_handlers: + "/": ejabberd_web_admin + - + port: 1883 + ip: "::" + module: mod_mqtt + backlog: 1000 + +s2s_use_starttls: optional + +acl: + local: + user_regexp: "" + loopback: + ip: + - 127.0.0.0/8 + - ::1/128 + - ::FFFF:127.0.0.1/128 + admin: + user: + - "admin@ejabberd" + +access_rules: + local: + allow: local + c2s: + deny: blocked + allow: all + announce: + allow: all + configure: + allow: all + 
muc_create: + - allow: all + - deny: blocked + pubsub_createnode: + allow: local + trusted_network: + allow: loopback + +api_permissions: + "console commands": + from: + - ejabberd_ctl + who: all + what: "*" + "admin access": + who: + - all + what: + - "*" + - "muc_online_rooms" + - "!stop" + - "!start" + "public commands": + who: + - all + what: + - "status" + - "connected_users_number" + - "muc_online_rooms" + +shaper: + normal: 1000 + fast: 50000 + +shaper_rules: + max_user_sessions: 10 + max_user_offline_messages: + 5000: admin + 100: all + c2s_shaper: + none: admin + normal: all + s2s_shaper: fast + +max_fsm_queue: 10000 + +acme: +# CHANGE ME ---------------------------------------- + contact: "mailto:contact@nom-de-domain.tld" + ca_url: "https://acme-staging-v02.api.letsencrypt.org/directory" + +modules: + mod_adhoc: {} + mod_admin_extra: {} + mod_announce: + access: announce + mod_avatar: {} + mod_blocking: {} + mod_bosh: {} + mod_caps: {} + mod_carboncopy: {} + mod_client_state: {} + mod_configure: {} + mod_disco: {} + mod_fail2ban: {} + mod_http_api: {} + ##mod_restful_admin: + ## api: + ## - path: [ "admin" ] + ## module: mod_restful_admin + ## params: + ## key: "secret" + ## allowed_commands: [ register, unregister,status, add_rosteritem, create_room, send_direct_invitation, set_room_affiliation ] + ## - path: [ "register" ] + ## module: mod_restful_register + ## params: + ## key: "secret" + mod_http_upload: + put_url: https://@HOST@:5443/upload + mod_last: {} + mod_mam: + ## Mnesia is limited to 2GB, better to use an SQL backend + ## For small servers SQLite is a good fit and is very easy + ## to configure. 
Uncomment this when you have SQL configured: + ## db_type: sql + assume_mam_usage: true + default: never + mod_mqtt: {} + mod_muc: + hosts: + - conference.ejabberd + access: + - allow + access_admin: + - allow: admin + access_create: muc_create + access_persistent: muc_create + access_mam: + - allow + default_room_options: + allow_subscription: true # enable MucSub + mam: true + persistent: true + anonymous: false + mod_muc_admin: {} + mod_offline: + access_max_user_messages: max_user_offline_messages + mod_ping: {} + mod_privacy: {} + mod_private: {} + mod_proxy65: + access: local + max_connections: 5 + mod_pubsub: + access_createnode: pubsub_createnode + plugins: + - flat + - pep + force_node_config: + ## Avoid buggy clients to make their bookmarks public + storage:bookmarks: + access_model: whitelist + mod_push: {} + mod_push_keepalive: + resume_timeout: 72 + wake_on_start: false + wake_on_timeout: true + mod_register: + ## Only accept registration requests from the "trusted" + ## network (see access_rules section above). + ## Think twice before enabling registration from any + ## address. See the Jabber SPAM Manifesto for details: + ## https://github.com/ge0rg/jabber-spam-fighting-manifesto + ip_access: trusted_network + mod_roster: + versioning: true + store_current_id: false + mod_sip: {} + mod_s2s_dialback: {} + mod_shared_roster: {} + mod_stream_mgmt: + ack_timeout: infinity + resend_on_timeout: if_offline + resume_timeout: 0 + mod_vcard: {} + mod_vcard_xupdate: {} + mod_version: + show_os: false + +websocket_ping_interval: 300 +websocket_timeout: 900 +### Local Variables: +### mode: yaml +### End: +### vim: set filetype=yaml tabstop=8
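Review bot: The `"admin access"` entry under `api_permissions` has `who: - all` with `what: - "*"` (only `!stop` and `!start` excluded), so any client that reaches `mod_http_api` on the 5443 or 5280 listeners can run every administrative command; restrict `who` to an ACL-based rule (e.g. `access: allow: - acl: admin`, with `loopback` added if the pusher's calls need it) rather than `all`. `access_rules.configure` and `announce` are likewise `allow: all`, where `allow: admin` is the usual setting. The 5380 listener serves `ejabberd_web_admin` at `/`, and the compose hunk in this commit routes `xmpp.${DOMAIN}` to that port, so the admin UI appears to be Internet-facing; confirm that is intended. `acme.ca_url` points at the Let's Encrypt staging directory, whose certificates are not trusted by browsers, and `acme.contact` is still a placeholder — if this file is meant for the deployment the README describes, use the production directory URL already used in `docker-compose.yml` and a real contact address.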