ajout main

2022-11-06 08:58:51 +01:00 · 2022-11-06 08:58:51 +01:00 · 9331f241c9
commit 9331f241c9
parent 0c088215fc
3 changed files with 535 additions and 51 deletions
--- a/README.md
+++ b/README.md
@ -8,26 +8,12 @@ Ce projet a pour but de déployer la stack workadventure (https://github.com/the

 Pour déployer cette stack, vous aurez besoin:
 - Une machine pour héberger le serveur (proc 3Ghz, 4Go ram minimum)
- Un nom de domaine pour pointer vers votre serveur
+- Un nom de domaine pour pointer vers votre serveur (*.adventure.nom-de-domain.tld)
 - L'accès à votre box internet pour la redirection des ports

 ## Configuration / Installation

-### Nginx proxy manager
-
-```bash
-cd nginx-proxy-manager/
-docker-compose up -d
-```
-
- L'interface est disponible à cette adresse:
-http://your-ip-or-domain:81
-
- identifiants:
-    - user: admin@example.com
-    - mdp: changeme
-
-### Workadventure
+### Configuration

 - Renseigner le nom de domaine aux quatres endroits:
 ```bash
@ -35,43 +21,9 @@ cd workadventure/
 nano .env
 ```

- Récupérer le endpoint de la stack:
-```bash
-docker network list
-docker network inspect <your workadventure network name>
-```
-
-### Nginx-proxy-manager 2
-
- Sur l'interface web du Nginx-proxy-manager créer une "Proxy Host entry"
-
-... IMAGE ...
-
- Renseigner votre nom de domaine dans l'URL
-
- Renseigner le endpoint dans la config du Nginx proxy manager avec le port 9999
-
- Cocher les cases Block Common Exploits et Websockets, puis sauvegarder
-
-... IMAGE ...
-
- Créer les certificats SSL:
-
-... IMAGE 1 ...
-
-... IMAGE 2 ...
-
-... IMAGE 3 ...
-
-### Deployer
+### Deployement

 ```bash
-# NGINX PROXY MANAGER
-cd nginx-proxy-manager/
-docker-compose up -d
-
-# WORKADVENTURE
-cd workadventure/
 docker-compose up -d
 ```

--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -0,0 +1,268 @@
+version: "3.8"
+
+services:
+  
+  reverse-proxy:
+    image: traefik:v2.5.6
+    container_name: adventure_traefik
+    command:
+      # for web ui traefik
+      - "--api.insecure=true"
+      - "--providers.docker=true"
+      - "--providers.docker.swarmmode=false"
+      - "--log.level=DEBUG"
+      - "--providers.docker.exposedByDefault=false"
+      - "--entryPoints.web.address=:80"
+      - "--entryPoints.websecure.address=:443"
+      - "--certificatesResolvers.le.acme.email=${ACME_EMAIL}"
+      - "--certificatesResolvers.le.acme.storage=/acme/acme.json"
+      - "--certificatesResolvers.le.acme.httpChallenge=true"
+      - "--certificatesResolvers.le.acme.httpChallenge.entryPoint=web"
+      - "--certificatesresolvers.le.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
+    ports:
+      - "443:443"
+      - "80:80"
+      # The Web UI (enabled by --api.insecure=true)
+      - "8082:8080"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - acme:/acme
+    networks:
+      adventure_net:
+
+  front:
+    image: thecodingmachine/workadventure-front:v1.12.10
+    environment:
+      DEBUG_MODE: "false"
+      JITSI_URL: "meet.jit.si"
+      JITSI_PRIVATE_MODE: "false"
+      PUSHER_URL: https://${PUSHER_URL}
+      CHAT_URL: https://${CHAT_URL}
+      ICON_URL: https://${ICON_URL}
+      # CHANGE ME -----------------------------------------------------
+      TURN_SERVER: ${TURN_SERVER}
+      TURN_USER: ${TURN_USER}
+      TURN_PASSWORD: ${TURN_PASSWORD}
+      MAX_PER_GROUP: 4
+      MAX_USERNAME_LENGTH: 15
+      START_ROOM_URL: ${START_ROOM_URL}
+      ENABLE_OPENID: ${ENABLE_OPENID}
+      DISABLE_ANONYMOUS: ${DISABLE_ANONYMOUS}
+      ENABLE_CHAT: ${ENABLE_CHAT}
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.adventure-front.rule=Host(`play.${DOMAIN}`)
+      - traefik.http.routers.adventure-front.entryPoints=web
+      - traefik.http.services.adventure-front.loadbalancer.server.port=80
+      - traefik.http.routers.adventure-front.middlewares=https_redirect
+
+      - traefik.http.routers.adventure-front-ssl.rule=Host(`play.${DOMAIN}`)
+      - traefik.http.routers.adventure-front-ssl.entryPoints=websecure
+      - traefik.http.routers.adventure-front-ssl.tls=true
+      - traefik.http.routers.adventure-front-ssl.service=adventure-front
+      - traefik.http.routers.adventure-front-ssl.tls.certresolver=le
+      - traefik.http.routers.adventure-front-ssl.middlewares=redir
+      # middlewares
+      - traefik.http.middlewares.redir.redirectregex.regex=^https://www\.(.+)
+      - traefik.http.middlewares.redir.redirectregex.replacement=https://$${1}
+      - traefik.http.middlewares.redir.redirectregex.permanent=true
+      - traefik.http.middlewares.https_redirect.redirectscheme.scheme=https
+      - traefik.http.middlewares.https_redirect.redirectscheme.permanent=true
+    restart: unless-stopped
+    networks:
+      adventure_net:
+
+  pusher:
+    image: thecodingmachine/workadventure-pusher:v1.12.10
+    environment:
+      # SECRET_JITSI_KEY: "${SECRET_JITSI_KEY}"
+      SECRET_KEY: yourSecretKey
+      API_URL: back:50051
+      # ADMIN_API_URL: "${ADMIN_API_URL}"
+      # ADMIN_API_TOKEN: "${ADMIN_API_TOKEN}"
+      JITSI_URL: ${JITSI_URL}
+      # JITSI_ISS: ${JITSI_ISS}
+      FRONT_URL : ${FRONT_URL}
+      ENABLE_CHAT: ${ENABLE_CHAT}
+      OPID_CLIENT_ID: ${OPID_CLIENT_ID}
+      OPID_CLIENT_SECRET: ${OPID_CLIENT_SECRET}
+      OPID_CLIENT_ISSUER: ${OPID_CLIENT_ISSUER}
+      OPID_CLIENT_REDIRECT_URL: ${OPID_CLIENT_REDIRECT_URL}
+      OPID_PROFILE_SCREEN_PROVIDER: ${OPID_PROFILE_SCREEN_PROVIDER}
+      DISABLE_ANONYMOUS: ${DISABLE_ANONYMOUS}
+      # OPID_USERNAME_CLAIM: ${OPID_USERNAME_CLAIM}
+      EJABBERD_API_URI: http://ejabberd:5443/api
+      EJABBERD_DOMAIN: ejabberd
+      EJABBERD_WS_URI: ws://ejabberd:5443/ws
+      EJABBERD_JWT_SECRET: mySecretJwtToken
+      START_ROOM_URL: "/_/global/garagenum.github.io/garage-wa-map/map.json"
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.adventure-pusher.rule=Host(`pusher.${DOMAIN}`)
+      - traefik.http.routers.adventure-pusher.entryPoints=web
+      - traefik.http.services.adventure-pusher.loadbalancer.server.port=8080
+      - traefik.http.routers.adventure-pusher-ssl.rule=Host(`pusher.${DOMAIN}`)
+      - traefik.http.routers.adventure-pusher-ssl.entryPoints=websecure
+      - traefik.http.routers.adventure-pusher-ssl.tls=true
+      - traefik.http.routers.adventure-pusher-ssl.service=adventure-pusher
+      - traefik.http.routers.adventure-pusher-ssl.tls.certresolver=le
+    restart: unless-stopped
+    networks:
+      adventure_net:
+
+  back:
+    image: thecodingmachine/workadventure-back:v1.12.10
+    command: yarn run runprod
+    environment:
+      # SECRET_KEY: ${SECRET_KEY}
+      # SECRET_JITSI_KEY: "${SECRET_JITSI_KEY}"
+      ADMIN_API_TOKEN: "${ADMIN_API_TOKEN}"
+      ADMIN_API_URL: "${ADMIN_API_URL}"
+      JITSI_URL: ${JITSI_URL}
+      JITSI_ISS: ""
+      MAX_PER_GROUP: 4
+      # TURN_STATIC_AUTH_SECRET: "${TURN_STATIC_AUTH_SECRET}"
+      REDIS_HOST: redis
+      ENABLE_CHAT: ${ENABLE_CHAT}
+      EJABBERD_API_URI: http://ejabberd:5443/api
+      EJABBERD_DOMAIN: //xmpp.${DOMAIN}
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.adventure-back.rule=Host(`api.${DOMAIN}`)
+      - traefik.http.routers.adventure-back.entryPoints=web
+      - traefik.http.services.adventure-back.loadbalancer.server.port=8080
+      - traefik.http.routers.adventure-back-ssl.rule=Host(`api.${DOMAIN}`)
+      - traefik.http.routers.adventure-back-ssl.entryPoints=websecure
+      - traefik.http.routers.adventure-back-ssl.tls=true
+      - traefik.http.routers.adventure-back-ssl.service=adventure-back
+      - traefik.http.routers.adventure-back-ssl.tls.certresolver=le
+    restart: unless-stopped
+    networks:
+      adventure_net:
+
+# wont work for now
+  uploader:
+    image: thecodingmachine/workadventure-uploader:v1.12.10
+    environment:
+      UPLOADER_URL: //uploader
+      #REDIS
+      REDIS_HOST: redis
+      REDIS_PORT: 6379
+      UPLOADER_REDIS_DB_NUMBER: 0
+      #CHAT
+      ADMIN_API_URL: 
+      ENABLE_CHAT_UPLOAD: "false"
+      UPLOAD_MAX_FILESIZE: 10485760
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.adventure-uploader.rule=Host(`uploader.${DOMAIN}`)
+      - traefik.http.routers.adventure-uploader.entryPoints=web
+      - traefik.http.services.adventure-uploader.loadbalancer.server.port=8080
+      - traefik.http.routers.adventure-uploader-ssl.rule=Host(`uploader.${DOMAIN}`)
+      - traefik.http.routers.adventure-uploader-ssl.entryPoints=websecure
+      - traefik.http.routers.adventure-uploader-ssl.service=adventure-uploader
+      - traefik.http.routers.adventure-uploader-ssl.tls=true
+      - traefik.http.routers.adventure-uploader-ssl.tls.certresolver=le
+    networks:
+      adventure_net:
+
+  chat:
+    image: thecodingmachine/workadventure-chat:v1.12.10
+    environment:
+      PUSHER_URL: //pusher.${DOMAIN}
+      UPLOADER_URL: //uploader.${DOMAIN}
+      # EMBEDLY_KEY: ${EMBEDLY_KEY}
+      ENABLE_CHAT_UPLOAD: "false"
+      EJABBERD_DOMAIN: //xmpp.${DOMAIN}
+      ENABLE_OPENID: 1
+
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.adventure-chat.rule=Host(`chat.${DOMAIN}`)
+      - traefik.http.routers.adventure-chat.entryPoints=web
+      - traefik.http.services.adventure-chat.loadbalancer.server.port=80
+      - traefik.http.routers.adventure-chat-ssl.rule=Host(`chat.${DOMAIN}`)
+      - traefik.http.routers.adventure-chat-ssl.entryPoints=websecure
+      - traefik.http.routers.adventure-chat-ssl.service=adventure-chat
+      - traefik.http.routers.adventure-chat-ssl.tls=true
+      - traefik.http.routers.adventure-chat-ssl.tls.certresolver=le
+    networks:
+      adventure_net:
+
+  icon:
+    image: matthiasluedtke/iconserver:v3.13.0
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.adventure-icon.rule=Host(`icon.${DOMAIN}`)
+      - traefik.http.routers.adventure-icon.entryPoints=web,traefik
+      - traefik.http.services.adventure-icon.loadbalancer.server.port=8080
+      - traefik.http.routers.adventure-icon-ssl.rule=Host(`icon.${DOMAIN}`)
+      - traefik.http.routers.adventure-icon-ssl.entryPoints=websecure
+      - traefik.http.routers.adventure-icon-ssl.tls=true
+      - traefik.http.routers.adventure-icon-ssl.service=adventure-icon
+      - traefik.http.routers.adventure-icon-ssl.tls.certresolver=le
+    networks:
+      adventure_net:
+
+  ejabberd:
+    container_name: adventure-ejabberd
+    image: ghcr.io/processone/ejabberd:22.05
+    networks:
+      adventure_net:
+    volumes:
+      - ./ejabberd.yml:/opt/ejabberd/conf/ejabberd.yml
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.xmpp.rule=Host(`xmpp.${DOMAIN}`)
+      - traefik.http.routers.xmpp.entryPoints=web
+      - traefik.http.services.xmpp.loadbalancer.server.port=5380
+      - traefik.http.routers.xmpp-ssl.rule=Host(`xmpp.${DOMAIN}`)
+      - traefik.http.routers.xmpp-ssl.entryPoints=websecure
+      - traefik.http.routers.xmpp-ssl.tls=true
+      - traefik.http.routers.xmpp-ssl.service=xmpp
+
+
+  redis:
+    container_name: adventure-redis
+    image: redis:6
+    volumes:
+      - redisdata:/data
+    networks:
+      adventure_net:
+
+
+  coturn:
+    image: coturn/coturn:4.5.2
+    command:
+      - turnserver
+      #- -c=/etc/coturn/turnserver.conf
+      - --log-file=stdout
+
+      # change me
+      - --external-ip=92.243.20.228
+      - --realm=turn.${DOMAIN}
+      - --server-name=turn.${DOMAIN}
+
+      - --listening-port=3478
+      - --min-port=10002
+      - --max-port=10100
+      - --tls-listening-port=5349
+      - --listening-ip=0.0.0.0
+      - --lt-cred-mech
+      # Enable Coturn REST API to validate temporary passwords.
+      #- --use-auth-secret
+      #- --static-auth-secret=SomeStaticAuthSecret
+      #- --userdb=/var/lib/turn/turndb
+      - --user=workadventure:WorkAdventure123
+      # use real-valid certificate/privatekey files
+      #- --cert=/root/letsencrypt/fullchain.pem
+      #- --pkey=/root/letsencrypt/privkey.pem
+    network_mode: host
+
+
+networks:
+  adventure_net:
+
+volumes:
+  acme:
+  redisdata:
--- a/ejabberd.yml
+++ b/ejabberd.yml
@ -0,0 +1,264 @@
+###
+###              ejabberd configuration file
+###
+### The parameters used in this configuration file are explained at
+###
+###       https://docs.ejabberd.im/admin/configuration
+###
+hosts:
+  - ejabberd
+
+loglevel: 4
+log_rotate_size: 10485760
+log_rotate_count: 1
+
+certfiles:
+  - /opt/ejabberd/conf/server.pem
+
+ca_file: "/opt/ejabberd/conf/cacert.pem"
+
+## When using let's encrypt to generate certificates
+##certfiles:
+##  - /etc/letsencrypt/live/localhost/fullchain.pem
+##  - /etc/letsencrypt/live/localhost/privkey.pem
+##
+##ca_file: "/etc/letsencrypt/live/localhost/fullchain.pem"
+
+auth_method:
+  - anonymous
+anonymous_protocol: login_anon
+allow_multiple_connections: true
+
+#jwt_jid_field: "identifier"
+#jwt_key: "/opt/ejabberd/conf/jwtKey"
+
+listen:
+  -
+    port: 5222
+    ip: "::"
+    module: ejabberd_c2s
+    max_stanza_size: 262144
+    shaper: c2s_shaper
+    access: c2s
+    starttls_required: true
+  -
+    port: 5269
+    ip: "::"
+    module: ejabberd_s2s_in
+    max_stanza_size: 524288
+  -
+    port: 5443
+    ip: "::"
+    module: ejabberd_http
+    #tls: true
+    request_handlers:
+      "/admin": ejabberd_web_admin
+      "/api": mod_http_api
+      "/bosh": mod_bosh
+      "/captcha": ejabberd_captcha
+      "/upload": mod_http_upload
+      "/ws": ejabberd_http_ws
+      "/oauth": ejabberd_oauth
+  -
+    port: 5280
+    ip: "::"
+    module: ejabberd_http
+    request_handlers:
+      #"/admin": ejabberd_web_admin
+      "/api": mod_http_api
+      "/bosh": mod_bosh
+      "/captcha": ejabberd_captcha
+      "/upload": mod_http_upload
+      "/ws": ejabberd_http_ws
+      "/oauth": ejabberd_oauth
+  -
+    port: 5380
+    ip: "::"
+    module: ejabberd_http
+    request_handlers:
+      "/": ejabberd_web_admin
+  -
+    port: 1883
+    ip: "::"
+    module: mod_mqtt
+    backlog: 1000
+
+s2s_use_starttls: optional
+
+acl:
+  local:
+    user_regexp: ""
+  loopback:
+    ip:
+      - 127.0.0.0/8
+      - ::1/128
+      - ::FFFF:127.0.0.1/128
+  admin:
+    user:
+      - "admin@ejabberd"
+
+access_rules:
+  local:
+    allow: local
+  c2s:
+    deny: blocked
+    allow: all
+  announce:
+    allow: all
+  configure:
+    allow: all
+  muc_create:
+    - allow: all
+    - deny: blocked
+  pubsub_createnode:
+    allow: local
+  trusted_network:
+    allow: loopback
+
+api_permissions:
+  "console commands":
+    from:
+      - ejabberd_ctl
+    who: all
+    what: "*"
+  "admin access":
+    who: 
+     - all
+    what:
+      - "*"
+      - "muc_online_rooms"
+      - "!stop"
+      - "!start"
+  "public commands":
+    who: 
+     - all
+    what:
+      - "status"
+      - "connected_users_number"
+      - "muc_online_rooms"
+
+shaper:
+  normal: 1000
+  fast: 50000
+
+shaper_rules:
+  max_user_sessions: 10
+  max_user_offline_messages:
+    5000: admin
+    100: all
+  c2s_shaper:
+    none: admin
+    normal: all
+  s2s_shaper: fast
+
+max_fsm_queue: 10000
+
+acme:
+# CHANGE ME ----------------------------------------
+  contact: "mailto:contact@nom-de-domain.tld"
+  ca_url: "https://acme-staging-v02.api.letsencrypt.org/directory"
+
+modules:
+  mod_adhoc: {}
+  mod_admin_extra: {}
+  mod_announce:
+    access: announce
+  mod_avatar: {}
+  mod_blocking: {}
+  mod_bosh: {}
+  mod_caps: {}
+  mod_carboncopy: {}
+  mod_client_state: {}
+  mod_configure: {}
+  mod_disco: {}
+  mod_fail2ban: {}
+  mod_http_api: {}
+  ##mod_restful_admin:
+  ##  api:
+  ##    - path: [ "admin" ]
+  ##      module: mod_restful_admin
+  ##      params:
+  ##        key: "secret"
+  ##        allowed_commands: [ register, unregister,status, add_rosteritem, create_room, send_direct_invitation, set_room_affiliation ]
+  ##    - path: [ "register" ]
+  ##      module: mod_restful_register
+  ##      params:
+  ##        key: "secret"
+  mod_http_upload:
+    put_url: https://@HOST@:5443/upload
+  mod_last: {}
+  mod_mam:
+    ## Mnesia is limited to 2GB, better to use an SQL backend
+    ## For small servers SQLite is a good fit and is very easy
+    ## to configure. Uncomment this when you have SQL configured:
+    ## db_type: sql
+    assume_mam_usage: true
+    default: never
+  mod_mqtt: {}
+  mod_muc:
+    hosts:
+      - conference.ejabberd
+    access:
+      - allow
+    access_admin:
+      - allow: admin
+    access_create: muc_create
+    access_persistent: muc_create
+    access_mam:
+      - allow
+    default_room_options:
+      allow_subscription: true  # enable MucSub
+      mam: true
+      persistent: true
+      anonymous: false
+  mod_muc_admin: {}
+  mod_offline:
+    access_max_user_messages: max_user_offline_messages
+  mod_ping: {}
+  mod_privacy: {}
+  mod_private: {}
+  mod_proxy65:
+    access: local
+    max_connections: 5
+  mod_pubsub:
+    access_createnode: pubsub_createnode
+    plugins:
+      - flat
+      - pep
+    force_node_config:
+      ## Avoid buggy clients to make their bookmarks public
+      storage:bookmarks:
+        access_model: whitelist
+  mod_push: {}
+  mod_push_keepalive:
+    resume_timeout: 72
+    wake_on_start: false
+    wake_on_timeout: true
+  mod_register:
+    ## Only accept registration requests from the "trusted"
+    ## network (see access_rules section above).
+    ## Think twice before enabling registration from any
+    ## address. See the Jabber SPAM Manifesto for details:
+    ## https://github.com/ge0rg/jabber-spam-fighting-manifesto
+    ip_access: trusted_network
+  mod_roster:
+    versioning: true
+    store_current_id: false
+  mod_sip: {}
+  mod_s2s_dialback: {}
+  mod_shared_roster: {}
+  mod_stream_mgmt:
+    ack_timeout: infinity
+    resend_on_timeout: if_offline
+    resume_timeout: 0
+  mod_vcard: {}
+  mod_vcard_xupdate: {}
+  mod_version:
+    show_os: false
+
+websocket_ping_interval: 300
+websocket_timeout: 900
+### Local Variables:
+### mode: yaml
+### End:
+### vim: set filetype=yaml tabstop=8