author | Felix Ableitner <me@nutomic.com> | 2019-08-20 19:43:30 +0200 |
---|---|---|
committer | Felix Ableitner <me@nutomic.com> | 2019-08-20 19:51:07 +0200 |
commit | 5e44ac207b35a8dbe883f055bdfccb50795cb9f4 (patch) | |
tree | ff6133bb16b4719de4de54751c7d2552c6886d4b /docker | |
parent | ac28ed6875f36ab0e3f0640cd725bab066959887 (diff) |
copy template files into docker/prod folder
Diffstat (limited to 'docker')
-rw-r--r-- | docker/prod/docker-compose.yml | 31 | ||||
-rw-r--r-- | docker/prod/env | 4 | ||||
-rw-r--r-- | docker/prod/nginx.conf | 61 |
3 files changed, 96 insertions, 0 deletions
diff --git a/docker/prod/docker-compose.yml b/docker/prod/docker-compose.yml
new file mode 100644
index 00000000..d55b2808
--- /dev/null
+++ b/docker/prod/docker-compose.yml
@@ -0,0 +1,31 @@
+version: "3.3"
+
+services:
+
+ db:
+ image: postgres:12-alpine
+ restart: always
+ environment:
+ - POSTGRES_USER=lemmy
+ - POSTGRES_PASSWORD=${DATABASE_PASSWORD}
+ - POSTGRES_DB=lemmy
+ volumes:
+ - ./volumes/db:/var/lib/postgresql/data
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -U lemmy"]
+ interval: 5s
+ timeout: 5s
+ retries: 20
+
+ lemmy:
+ image: dessalines/lemmy:v0.0.7.3
+ restart: always
+ ports:
+ - "8536:8536"
+ environment:
+ - LEMMY_FRONT_END_DIR=/app/dist
+ - DATABASE_URL=${DATABASE_URL}
+ - JWT_SECRET=${JWT_SECRET}
+ - HOSTNAME=${DOMAIN}
+ depends_on:
+ - db
diff --git a/docker/prod/env b/docker/prod/env
new file mode 100644
index 00000000..06f3cfe2
--- /dev/null
+++ b/docker/prod/env
@@ -0,0 +1,4 @@
+DOMAIN={{your domain}}
+DATABASE_PASSWORD={{a random password for postgres}}
+DATABASE_URL=postgres://lemmy:{{ the same postgres password again }}@db:5432/lemmy
+JWT_SECRET={{ a random password for jwt}}
diff --git a/docker/prod/nginx.conf b/docker/prod/nginx.conf
new file mode 100644
index 00000000..918851a0
--- /dev/null
+++ b/docker/prod/nginx.conf
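Review bot: The `ports:` entry of the `lemmy` service publishes port 8536 on every host interface, so the application stays reachable directly, bypassing the TLS termination and the security headers that docker/prod/nginx.conf adds in this same commit. Since that nginx config proxies to a port on the local host, binding the mapping to loopback is sufficient: `- "127.0.0.1:8536:8536"`. With that change only the reverse proxy can reach the upstream, and the `db` service stays unpublished as it already is.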
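Review bot: The Postgres password has to be entered twice, once as `DATABASE_PASSWORD` and again inside `DATABASE_URL`, and the two copies can silently drift so that `db` is initialised with one secret while lemmy connects with another. A comment in the template saying that both placeholders must hold the identical value, and that any character reserved in URLs (`@`, `/`, `:`, `%`) in the URL copy must be percent-encoded, would prevent a confusing connection failure. If whatever loads this file expands variables, `DATABASE_URL=postgres://lemmy:${DATABASE_PASSWORD}@db:5432/lemmy` would remove the duplication, but how the file is consumed is not visible in this commit.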
@@ -0,0 +1,61 @@
+server {
+ listen 80;
+ server_name {{ your domain }};
+ location /.well-known/acme-challenge/ {
+ root /var/www/certbot;
+ }
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ server_name {{ your domain }};
+
+ ssl_certificate /etc/letsencrypt/live/{{ your domain }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ your domain }}/privkey.pem;
+
+ # Various TLS hardening settings
+ # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ ssl_session_timeout 10m;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ # Hide nginx version
+ server_tokens off;
+
+ # Enable compression for JS/CSS/HTML bundle, for improved client load times.
+ # It might be nice to compress JSON, but leaving that out to protect against potential
+ # compression+encryption information leak attacks like BREACH.
+ gzip on;
+ gzip_types text/css application/javascript;
+ gzip_vary on;
+
+ # Only connect to this site via HTTPS for the two years
+ add_header Strict-Transport-Security "max-age=63072000";
+
+ # Various content security headers
+ add_header Referrer-Policy "same-origin";
+ add_header X-Content-Type-Options "nosniff";
+ add_header X-Frame-Options "DENY";
+ add_header X-XSS-Protection "1; mode=block";
+
+ location / {
+ rewrite (\/(user|u|inbox|post|community|c|login|search|sponsors|communities|modlog|home)+) /static/index.html break;
+ proxy_pass http://0.0.0.0:8536;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ # WebSocket support
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+} |
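Review bot: The `rewrite` regex in `location /` of the HTTPS server block is unanchored, so any URI that merely contains `/u` or `/c` somewhere in its path (for example an asset under a directory whose name starts with `c`) is rewritten to `/static/index.html` instead of being proxied. Anchoring it and requiring a segment boundary, `rewrite ^/(user|u|inbox|post|community|c|login|search|sponsors|communities|modlog|home)(/|$) /static/index.html break;`, limits it to the intended front-end routes. Two smaller points in the same block: `proxy_pass http://0.0.0.0:8536;` should name `127.0.0.1` explicitly rather than rely on the platform treating 0.0.0.0 as the local host, and `ssl_stapling on;` is ineffective without a `resolver` directive that nginx can use to look up the OCSP responder.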