2
0
Fork 0
mirror of https://github.com/friendica/docker synced 2024-12-29 17:06:23 +01:00

Merge pull request #246 from nupplaphil/feat/doc

Add opensocial.at as example
This commit is contained in:
Hypolite Petovan 2024-03-02 08:37:22 -05:00 committed by GitHub
commit ee363d64de
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
21 changed files with 599 additions and 0 deletions

View file

@ -0,0 +1 @@
./friendica.conf

View file

@ -0,0 +1,49 @@
# Opensocial.at setup
This configuration running at https://opensocial.at is an example of "production-ready" environment.
It focuses on performance and scalability.
## Prerequisites
This setup needs some configuration first to be usable as-is.
1. It uses an external, dedicated database, which is not included here (you can just add a `mariadb` service directly).
2. Avatar caching needs to be enabled
1. Enable the system-config `system.avatar_cache`.
2. Set `avatar_cache_path` to `/var/www/avatar`.
3. It uses a Traefik Docker service as overall reverse proxy for the whole Docker environment.
1. Otherwise, adaptations of the two services `web` and `avatar` are necessary.
## The setup
The setup splits Friendica in as many services as possible.
### Split Frontend & Daemon
This setup splits the frontend services from the background daemon so that it's possible to scale the different aspects of the frontend without harming the state of the cronjob forks of the daemon.
### Redis
Redis is a highly optimized, in-memory key-value storage.
The current setup uses Redis for two features:
- PHP native session handling.
- Friendica-specific session handling.
### [app](./app) (php-fpm)
Each incoming HTTP request is processed by a php-fpm instance.
Thanks to the distributed session handling, it's possible to spawn as many `app` instances as you need.
### [web](./web) (nginx)
This nginx instance is a reverse proxy for incoming HTTP requests.
It serves static resources directly and passes the script requests to the php-fpm instance.
### [avatar](./avatar) (nginx)
This stateless nginx instance serves all avatar pictures of this Friendica node.
### [cron](./app) (php-fpm)
The background daemon, which is based on the same image as the app-image.

View file

@ -0,0 +1,15 @@
FROM friendica:fpm-alpine
ENV FRIENDICA_UPGRADE=true
ENV PHP_MEMORY_LIMIT 2G
# Use the default production configuration
RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini"
ENV FRIENDICA_PHP_OUT="/var/www/html/php.out"
RUN set -ex; \
touch ${FRIENDICA_PHP_OUT:-"php.out"}; \
chown www-data:www-data ${FRIENDICA_PHP_OUT:-"php.out"};
RUN sed -i 's/access.log = \/proc\/self\/fd\/2/access.log = \/proc\/self\/fd\/1/g' /usr/local/etc/php-fpm.d/docker.conf

View file

@ -0,0 +1,18 @@
FROM nginx:latest
RUN usermod -u 82 www-data
RUN set -ex; \
mkdir -p /var/www/html; \
mkdir -p /etc/nginx/snippets;
COPY ./templates /etc/nginx/conf.d/templates
COPY nginx.conf /etc/nginx/nginx.conf
COPY error-page.html /var/www/html/error-page.html
COPY custom-error-page.conf /etc/nginx/snippets/custom-error-page.conf
COPY *.sh /
RUN chmod +x /*.sh
CMD ["/cmd.sh"]

View file

@ -0,0 +1,8 @@
#!/bin/sh
set -eu
envsubst < /etc/nginx/conf.d/templates/server_name.template > /etc/nginx/conf.d/server_name.active
nginx -qt
until ping app -c1 > /dev/null; do sleep 1; done
exec nginx -g 'daemon off;'

View file

@ -0,0 +1,5 @@
error_page 404 403 500 503 /error-page.html;
location = /error-page.html {
root /var/www/html;
internal;
}

View file

@ -0,0 +1,94 @@
<!DOCTYPE html>
<html>
<head>
<style type=text/css>
* {
-webkit-box-sizing: border-box;
box-sizing: border-box;
}
body {
padding: 0;
margin: 0;
}
#notfound {
position: relative;
height: 100vh;
}
#notfound .notfound {
position: absolute;
left: 50%;
top: 50%;
-webkit-transform: translate(-50%, -50%);
-ms-transform: translate(-50%, -50%);
transform: translate(-50%, -50%);
}
.notfound {
max-width: 520px;
width: 100%;
line-height: 1.4;
text-align: center;
}
.notfound .notfound-error {
position: relative;
height: 200px;
margin: 0px auto 20px;
z-index: -1;
}
.notfound .notfound-error h1 {
font-family: 'Montserrat', sans-serif;
font-size: 200px;
font-weight: 300;
margin: 0px;
color: #211b19;
position: absolute;
left: 50%;
top: 50%;
-webkit-transform: translate(-50%, -50%);
-ms-transform: translate(-50%, -50%);
transform: translate(-50%, -50%);
}
@media only screen and (max-width: 767px) {
.notfound .notfound-error h1 {
font-size: 148px;
}
}
@media only screen and (max-width: 480px) {
.notfound .notfound-error {
height: 148px;
margin: 0 auto 10px;
}
.notfound .notfound-error h1 {
font-size: 120px;
font-weight: 200;
}
.notfound .notfound-error h2 {
font-size: 30px;
}
.notfound a {
padding: 7px 15px;
font-size: 24px;
}
}
</style>
</head>
<body>
<div id="notfound">
<div class="notfound">
<h1>Sorry the page can't be loaded!</h1>
<div class="notfound-error">
<p>Contact the site's administrator or support for assistance.</p>
</div>
</div>
</div>
</body>
</html>

View file

@ -0,0 +1,70 @@
##
# Friendica Nginx configuration
# by Olaf Conradi, modified by Philipp Holzer
#
worker_processes 4;
events {
worker_connections 1024;
}
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
http {
map $request_id $formatted_id {
"~*(?<p1>[0-9a-f]{8})(?<p2>[0-9a-f]{4})(?<p3>[0-9a-f]{4})(?<p4>[0-9a-f]{4})(?<p5>.*)$" "${p1}-${p2}-${p3}-${p4}-${p5}";
}
map $http_x_request_id $uuid {
default "${request_id}";
~* "${http_x_request_id}";
}
charset utf-8;
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format logger-json escape=json '{"source": "nginx", "time": $msec, "resp_body_size": $body_bytes_sent, "host": "$http_host", "address": "$remote_addr", "request_length": $request_length, "method": "$request_method", "uri": "$request_uri", "status": $status, "user_agent": "$http_user_agent", "resp_time": $request_time, "upstream_addr": "$upstream_addr", "request_id": "$uuid"}';
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log logger-json;
log_not_found off;
# If behind reverse proxy, forwards the correct IP
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.16.0.0/12;
set_real_ip_from 192.168.0.0/16;
set_real_ip_from fc00::/7;
real_ip_header X-Real-IP;
server {
listen 80;
include /etc/nginx/conf.d/server_name.active;
include /etc/nginx/snippets/custom-error-page.conf;
#Uncomment the following line to include a standard configuration file
#Note that the most specific rule wins and your standard configuration
#will therefore *add* to this file, but not override it.
#include standard.conf
# allow uploads up to 20MB in size
client_max_body_size 20m;
client_body_buffer_size 128k;
add_header X-Request-ID $uuid;
location /avatar/ {
root /var/www/;
}
include mime.types;
# deny access to all dot files
location ~ /\. {
deny all;
}
}
}

View file

@ -0,0 +1 @@
server_name ${HOSTNAME};

View file

@ -0,0 +1,6 @@
[PHP]
memory_limit = 8G
upload_max_filesize= 10G
post_max_size = 11G
max_execution_time = 3600
max_input_time = 3600

View file

@ -0,0 +1,11 @@
[www]
pm = dynamic
pm.max_children=100
pm.start_servers=10
pm.min_spare_servers = 4
pm.max_spare_servers = 10
;pm.process_idle_timeout = 10s;
;pm.max_requests = 1000
clear_env = no
catch_workers_output = yes

View file

@ -0,0 +1 @@
friendica

View file

@ -0,0 +1 @@
PLEASE_CHANGE_ME

View file

@ -0,0 +1 @@
PLEASE_CHANGE_ME

View file

@ -0,0 +1 @@
friendica-user

View file

@ -0,0 +1,148 @@
version: '3'
services:
redis:
image: redis
restart: always
volumes:
- friendica-redis-vol-1:/data
command:
- --save 60 1
- --loglevel warning
app:
build: ./app
restart: always
command: "php-fpm -d date.timezone=${TZ} -d expose_php=0"
deploy:
replicas: 3
resources:
limits:
cpus: '5.00'
memory: '10g'
reservations:
cpus: '1.00'
memory: '1.5g'
depends_on:
- redis
volumes:
- friendica-vol-1:/var/www/html
- friendica-avatar-1:/var/www/avatar
- ./config/app/www.overload.conf:/usr/local/etc/php-fpm.d/www.overload.conf:ro
- ./config/app/friendica.ini:/usr/local/etc/php/conf.d/friendica.ini:ro
environment:
- MYSQL_USER_FILE=/run/secrets/mysql_user
- MYSQL_PASSWORD_FILE=/run/secrets/mysql_password
- MYSQL_DATABASE_FILE=/run/secrets/mysql_database
- MYSQL_HOST=${DBHOST}
- MYSQL_PORT=${DBPORT}
- FRIENDICA_ADMIN_MAIL=${MAILNAME}
- FRIENDICA_TZ=${TZ}
- FRIENDICA_LANG=${LANGUAGE}
- FRIENDICA_UPDATE=true
- SITENAME=${SITENAME}
- SMTP=${SMTP}
- SMTP_DOMAIN=${SMTP_DOMAIN}
- SMTP_AUTH_USER=${SMTP_AUTH_USER}
- SMTP_AUTH_PASS=${SMTP_AUTH_PASS}
- SMTP_TLS=${SMTP_TLS}
- SMTP_STARTTLS=${SMTP_STARTTLS}
- REDIS_HOST=redis
- FRIENDICA_DISTRIBUTED_CACHE_DRIVER=redis
- FRIENDICA_LOGGER=syslog
- FRIENDICA_SYSLOG_FLAGS=39
- FRIENDICA_DATA=Filesystem
- FRIENDICA_DEBUGGING=true
secrets:
- mysql_database
- mysql_user
- mysql_password
cron:
build: ./app
restart: always
volumes:
- friendica-vol-1:/var/www/html
- friendica-avatar-1:/var/www/avatar
- ./config/app/www.overloaded.conf:/usr/local/etc/php-fpm.d/www.overloaded.conf:ro
- ./config/app/friendica.ini:/usr/local/etc/php/conf.d/friendica.ini:ro
environment:
- SITENAME=${SITENAME}
- SMTP=${SMTP}
- SMTP_DOMAIN=${SMTP_DOMAIN}
- SMTP_AUTH_USER=${SMTP_AUTH_USER}
- SMTP_AUTH_PASS=${SMTP_AUTH_PASS}
- SMTP_TLS=${SMTP_TLS}
- SMTP_STARTTLS=${SMTP_STARTTLS}
- MYSQL_HOST=${DBHOST}
- MYSQL_PORT=${DBPORT}
- MYSQL_USERNAME=${DBUSER}
- MYSQL_PASSWORD=${DBPASS}
- MYSQL_DATABASE=${DBDATA}
- FRIENDICA_ADMIN_MAIL=${MAILNAME}
- FRIENDICA_DISTRIBUTED_CACHE_DRIVER=redis
- FRIENDICA_DEBUGGING=true
- FRIENDICA_LOGLEVEL=notice
- FRIENDICA_LOGGER=syslog
- FRIENDICA_SYSLOG_FLAGS=39
depends_on:
- app
entrypoint: /cron.sh
avatar:
build: ./avatar
deploy:
replicas: 3
restart: on-failure:3
volumes:
- friendica-avatar-1:/var/www/avatar:ro
environment:
- HOSTNAME=${HOSTNAME}
networks:
- web
labels:
- "traefik.enable=true"
- "traefik.http.routers.avatar.entrypoints=websecure"
- "traefik.http.routers.domain.rule=(Host(`www.your.domain`) || Host(`your.domain`)) && PathPrefix(`/avatar`)"
- "traefik.http.routers.domain.middlewares=https-chain@file"
- "traefik.http.routers.domain.tls=true"
- "traefik.http.routers.domain.tls.certresolver=default"
web:
build: ./web
restart: always
deploy:
replicas: 3
volumes:
- friendica-vol-1:/var/www/html:ro
environment:
- HOSTNAME=${HOSTNAME}
depends_on:
- app
networks:
- web
- default
labels:
- "traefik.enable=true"
- "traefik.http.routers.yourdomain.entrypoints=websecure"
- "traefik.http.routers.yourdomain.rule=Host(`www.your.domain`) || Host(`your.domain`)"
- "traefik.http.routers.yourdomain.middlewares=https-chain@file"
- "traefik.http.routers.yourdomain.tls=true"
- "traefik.http.routers.yourdomain.tls.certresolver=default"
secrets:
mysql_database:
file: ./config/secrets/mysql_database.txt
mysql_user:
file: ./config/secrets/mysql_user.txt
mysql_password:
file: ./config/secrets/mysql_password.txt
volumes:
friendica-avatar-1:
friendica-vol-1:
friendica-redis-vol-1:
networks:
web:
external: true

View file

@ -0,0 +1,26 @@
# ------------------------------
# friendica configuration
# ------------------------------
# example.org is _not_ a valid hostname, use a fqdn here.
HOSTNAME=example.org
# ------------------------------
# SQL database configuration
# ------------------------------
DBHOST=db
DBPORT=3306
SITENAME="My SiteName"
# Your timezone
TZ=Europe/Berlin
MAILNAME=admin@philipp.info
SMTP=mail
SMTP_DOMAIN=my.domain
SMTP_AUTH_USER=smtp_user
SMTP_AUTH_PASS=smpt_pass
SMTP_TLS=true
SMTP_STARTTLS=true
LANGUAGE=de

View file

@ -0,0 +1,11 @@
FROM nginx:latest
RUN usermod -u 82 www-data
COPY ./templates /etc/nginx/conf.d/templates
COPY nginx.conf /etc/nginx/nginx.conf
COPY *.sh /
RUN chmod +x /*.sh
CMD ["/cmd.sh"]

View file

@ -0,0 +1,8 @@
#!/bin/sh
set -eu
envsubst < /etc/nginx/conf.d/templates/server_name.template > /etc/nginx/conf.d/server_name.active
nginx -qt
until ping app -c1 > /dev/null; do sleep 1; done
exec nginx -g 'daemon off;'

View file

@ -0,0 +1,123 @@
##
# Friendica Nginx configuration
# by Olaf Conradi, modified by Philipp Holzer
#
#worker_processes 4;
events {
worker_connections 1024;
}
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
http {
map $request_id $formatted_id {
"~*(?<p1>[0-9a-f]{8})(?<p2>[0-9a-f]{4})(?<p3>[0-9a-f]{4})(?<p4>[0-9a-f]{4})(?<p5>.*)$" "${p1}-${p2}-${p3}-${p4}-${p5}";
}
map $http_x_request_id $uuid {
default "${request_id}";
~* "${http_x_request_id}";
}
charset utf-8;
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format logger-json escape=json '{"source": "nginx", "time": $msec, "resp_body_size": $body_bytes_sent, "host": "$http_host", "address": "$remote_addr", "request_length": $request_length, "method": "$request_method", "uri": "$request_uri", "status": $status, "user_agent": "$http_user_agent", "resp_time": $request_time, "upstream_addr": "$upstream_addr", "request_id": "$uuid"}';
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log logger-json;
# If behind reverse proxy, forwards the correct IP
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.16.0.0/12;
set_real_ip_from 192.168.0.0/16;
set_real_ip_from fc00::/7;
real_ip_header X-Real-IP;
upstream php-handler {
server app:9000;
}
server {
listen 80;
include /etc/nginx/conf.d/server_name.active;
index index.php;
root /var/www/html;
#Uncomment the following line to include a standard configuration file
#Note that the most specific rule wins and your standard configuration
#will therefore *add* to this file, but not override it.
#include standard.conf
# allow uploads up to 20MB in size
client_max_body_size 20m;
client_body_buffer_size 128k;
proxy_set_header X-Request-ID $uuid;
add_header X-Request-ID $uuid;
# rewrite to front controller as default rule
location / {
try_files $uri /index.php?pagename=$uri&$args;
}
# make sure webfinger and other well known services aren't blocked
# by denying dot files and rewrite request to the front controller
location ^~ /.well-known/ {
allow all;
try_files $uri /index.php?pagename=$uri&$args;
}
# statically serve these file types when possible
# otherwise fall back to front controller
# allow browser to cache them
# added .htm for advanced source code editor library
#location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {
# expires 30d;
# try_files $uri /index.php?pagename=$uri&$args;
#}
include mime.types;
# block these file types
location ~* \.(tpl|md|tgz|log|out)$ {
deny all;
}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
# or a unix socket
location ~* \.php$ {
# Zero-day exploit defense.
# http://forum.nginx.org/read.php?2,88845,page=3
# Won't work properly (404 error) if the file is not stored on this
# server, which is entirely possible with php-fpm/php-fcgi.
# Comment the 'try_files' line out if you set up php-fpm/php-fcgi on
# another machine. And then cross your fingers that you won't get hacked.
try_files $uri =404;
# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass php-handler;
fastcgi_read_timeout 300;
include fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTP_X_REQUEST_ID $uuid;
}
# deny access to all dot files
location ~ /\. {
deny all;
}
}
}

View file

@ -0,0 +1 @@
server_name ${HOSTNAME};