Docker: Improve cloud-init setup
This commit is contained in:
parent
678e359e68
commit
6122949bab
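--- a/docker/examples/cloud-init/certs/ca.conf
+++ b/docker/examples/cloud-init/certs/ca.conf
@@ -0,0 +1,13 @@
+[req]
+default_bits = 4096
+default_md = sha256
+distinguished_name = dn
+prompt = no
+
+[dn]
+C = DE
+ST = Berlin
+L = Berlin
+O = Default CA
+emailAddress = hello@example.com
+CN = example.com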
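Review bot: ca.conf declares no `x509_extensions`, so the `openssl req -x509` call that consumes it in the install script only gets whatever extensions the installed OpenSSL adds on its own — on 1.1.x that is none, which leaves the CA certificate without `basicConstraints = CA:TRUE` or a subjectKeyIdentifier (and cert.conf's `authorityKeyIdentifier=keyid,issuer` then has no keyid to copy). Once this CA is imported into a client trust store, validators that insist on basicConstraints for an issuer will not build a chain through it. Add an explicit CA extension section and reference it from `[req]`:
```ini
[req]
# … unchanged: default_bits, default_md, distinguished_name, prompt …
x509_extensions = v3_ca

[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
```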
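--- a/docker/examples/cloud-init/certs/cert.conf
+++ b/docker/examples/cloud-init/certs/cert.conf
@@ -0,0 +1,8 @@
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = *.example.com
+DNS.2 = example.com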
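Review bot: The leaf extensions carry no `extendedKeyUsage`, and Apple's TLS policy (certificates issued since mid-2019) rejects server certificates that lack `serverAuth` in an EKU, so Safari/iOS clients that have been made to trust the generated CA would still refuse this certificate; add `extendedKeyUsage = serverAuth` and, so the chain carries key identifiers, `subjectKeyIdentifier = hash`. `nonRepudiation` and `dataEncipherment` in `keyUsage` are not exercised by TLS; `keyUsage = digitalSignature, keyEncipherment` is sufficient. The CA this file is signed against is defined in ca.conf, outside this file.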
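--- a/docker/examples/cloud-init/certs/config.yml
+++ b/docker/examples/cloud-init/certs/config.yml
@@ -0,0 +1,9 @@
+tls:
+  stores:
+    default:
+      defaultCertificate:
+        certFile: "/certs/cert.crt"
+        keyFile: "/certs/cert.key"
+  certificates:
+    - certFile: "/certs/cert.crt"
+      keyFile: "/certs/cert.key"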
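--- a/docker/examples/cloud-init/certs/openssl.conf
+++ b/docker/examples/cloud-init/certs/openssl.conf
@@ -0,0 +1,25 @@
+[req]
+default_bits = 4096
+prompt = no
+default_md = sha256
+x509_extensions = v3_req
+distinguished_name = dn
+
+[dn]
+C = DE
+ST = Berlin
+L = Berlin
+O = PhotoPrism
+OU = Self-Signed
+emailAddress = hello@example.com
+CN = example.com
+
+[v3_req]
+subjectAltName = @alt_names
+
+[SAN]
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = *.example.com
+DNS.2 = example.com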
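Review bot: `x509_extensions = v3_req` is only honoured by `openssl req -x509`; for the CSR that the install script generates with `openssl req -new -config openssl.conf` the relevant directive is `req_extensions`, so `[v3_req]` is never applied and `[SAN]` is referenced by nothing at all. The SANs still reach the final certificate only because the signing step passes `-extfile cert.conf`, so this is dead configuration rather than a broken cert, but it invites the next reader to edit the wrong file. Either rename to `req_extensions = v3_req` and delete `[SAN]`, or remove `x509_extensions`, `[v3_req]`, `[SAN]` and `[alt_names]` here and keep the SAN list in cert.conf only.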
@ -39,8 +39,19 @@ services:
security_opt:
security_opt:
- seccomp:unconfined
- seccomp:unconfined
- apparmor:unconfined
- apparmor:unconfined
ports:
# ports:
- "2342:2342" # [local port]:[container port]
# - "2342:2342" # [local port]:[container port]
labels:
- "traefik.enable=true"
- "traefik.http.services.photoprism.loadbalancer.server.port=2342"
- "traefik.http.routers.photoprism.entrypoints=websecure"
- "traefik.http.routers.photoprism.rule=PathPrefix(`/`)"
- "traefik.http.routers.photoprism.tls=true"
- "traefik.http.routers.photoprism.tls.domains[0].main=example.com"
- "traefik.http.routers.photoprism.tls.domains[0].sans=*.example.com"
# Uncomment if your server has a public host name for HTTPS:
# - "traefik.http.routers.photoprism.rule=Host(`photos.example.com`)"
# - "traefik.http.routers.photoprism.tls.certresolver=myresolver"
environment:
environment:
PHOTOPRISM_ADMIN_PASSWORD: "insecure" # PLEASE CHANGE: Your initial admin password (min 4 characters)
PHOTOPRISM_ADMIN_PASSWORD: "insecure" # PLEASE CHANGE: Your initial admin password (min 4 characters)
PHOTOPRISM_ORIGINALS_LIMIT: 5000 # File size limit for originals in MB (increase for high-res video)
PHOTOPRISM_ORIGINALS_LIMIT: 5000 # File size limit for originals in MB (increase for high-res video)
@ -73,6 +84,22 @@ services:
- "./storage:/photoprism/storage"
- "./storage:/photoprism/storage"
- "./backup:/var/lib/photoprism"
- "./backup:/var/lib/photoprism"
traefik:
image: traefik:v2.4
container_name: traefik
restart: always
ports:
- "80:80"
- "443:443"
expose:
- "80"
- "443"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
- "./traefik/:/data/"
- "./traefik.yaml:/etc/traefik/traefik.yaml"
- "./certs/:/certs/"
mariadb:
mariadb:
image: mariadb:10.5
image: mariadb:10.5
container_name: mariadb
container_name: mariadb
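Review bot: `./certs/:/certs/` bind-mounts the entire certificate directory into the traefik container, which also hands it the CA private key `ca.key`, the CA serial file and the passphrase-less `cert.pfx` that the install script leaves there, while Traefik only reads `cert.crt`, `cert.key`, the CA cert and `config.yml`. Mount just those files, read-only, and make `traefik.yaml` read-only too; note that `providers.file.watch` on a single bind-mounted file can miss atomic rename writes, so if live reload of `config.yml` matters, give it a dedicated directory instead. `/var/run/docker.sock` gives the container root-equivalent control of the host — inherent to the docker provider, and `:ro` does not restrict socket calls — so the usual mitigation, if wanted, is a socket proxy exposing only the read endpoints. The `security_opt` unconfined lines are context belonging to the photoprism service and predate this commit.
```yaml
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "./traefik/:/data/"
      - "./traefik.yaml:/etc/traefik/traefik.yaml:ro"
      - "./certs/cert.crt:/certs/cert.crt:ro"
      - "./certs/cert.key:/certs/cert.key:ro"
      - "./certs/ca.crt:/certs/ca.crt:ro"
      - "./certs/config.yml:/certs/config.yml:ro"
```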
@ -36,7 +36,8 @@ apt-get update
apt-get -qq dist-upgrade
apt-get -qq dist-upgrade
# install dependencies
# install dependencies
apt-get -qq install -y --no-install-recommends apt-transport-https ca-certificates curl software-properties-common
apt-get -qq install -y --no-install-recommends apt-transport-https ca-certificates \
curl software-properties-common openssl
# install docker if needed
# install docker if needed
if ! command -v docker &> /dev/null
if ! command -v docker &> /dev/null
@ -59,11 +60,35 @@ fi
# create user
# create user
useradd photoprism -u 1000 -G docker -o -m -d /photoprism || echo "User 'photoprism' already exists. Proceeding."
useradd photoprism -u 1000 -G docker -o -m -d /photoprism || echo "User 'photoprism' already exists. Proceeding."
mkdir -p /photoprism/originals /photoprism/import /photoprism/storage /photoprism/backup /photoprism/database
mkdir -p /photoprism/originals /photoprism/import /photoprism/storage /photoprism/backup \
/photoprism/database /photoprism/traefik /photoprism/certs
# download ssl config
curl -fsSL https://dl.photoprism.org/docker/cloud-init/certs/ca.conf > /photoprism/certs/ca.conf
curl -fsSL https://dl.photoprism.org/docker/cloud-init/certs/cert.conf > /photoprism/certs/cert.conf
curl -fsSL https://dl.photoprism.org/docker/cloud-init/certs/config.yml > /photoprism/certs/config.yml
curl -fsSL https://dl.photoprism.org/docker/cloud-init/certs/openssl.conf > /photoprism/certs/openssl.conf
# create ca
openssl genrsa -out /photoprism/certs/ca.key 4096
openssl req -x509 -new -nodes -key /photoprism/certs/ca.key -sha256 -days 365 \
-out /photoprism/certs/ca.pem -config /photoprism/certs/ca.conf
openssl x509 -outform der -in /photoprism/certs/ca.pem -out /photoprism/certs/ca.crt
# create certs
openssl genrsa -out /photoprism/certs/cert.key 4096
openssl req -new -config /photoprism/certs/openssl.conf -key /photoprism/certs/cert.key \
-out /photoprism/certs/cert.csr
openssl x509 -req -in /photoprism/certs/cert.csr -CA /photoprism/certs/ca.pem \
-CAkey /photoprism/certs/ca.key -CAcreateserial \
-out /photoprism/certs/cert.crt -days 365 -sha256 -extfile /photoprism/certs/cert.conf
openssl pkcs12 -export -in /photoprism/certs/cert.crt -inkey /photoprism/certs/cert.key \
-out /photoprism/certs/cert.pfx -passout pass:
# download service config
# download service config
curl -fsSL https://dl.photoprism.org/docker/cloud-init/docker-compose.yml > /photoprism/docker-compose.yml
curl -fsSL https://dl.photoprism.org/docker/cloud-init/docker-compose.yml > /photoprism/docker-compose.yml
curl -fsSL https://dl.photoprism.org/docker/cloud-init/jobs.ini > /photoprism/jobs.ini
curl -fsSL https://dl.photoprism.org/docker/cloud-init/jobs.ini > /photoprism/jobs.ini
curl -fsSL https://dl.photoprism.org/docker/cloud-init/traefik.yaml > /photoprism/traefik.yaml
chown -Rf photoprism:photoprism /photoprism
chown -Rf photoprism:photoprism /photoprism
# start services using docker-compose
# start services using docker-compose
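Review bot: The new certificate block exports `cert.pfx` with an empty password (`-passout pass:`) and leaves it, together with the CA private key `ca.key` and the `ca.srl` written by `-CAcreateserial`, in `/photoprism/certs`, which the compose file bind-mounts into the traefik container and which `chown -Rf photoprism:photoprism` then hands to the service user; nothing in the configuration shown here consumes the `.pfx`, so drop the two `openssl pkcs12` lines, and once the leaf is signed move the CA key out of the mounted directory: `mkdir -p /photoprism/ca && mv /photoprism/certs/ca.key /photoprism/certs/ca.srl /photoprism/ca/ && chmod 700 /photoprism/ca`. The CA and the leaf both get `-days 365`, so a year after this one-shot cloud-init run both expire together with no renewal path — give the CA a longer validity than the leaf, or document that re-running the block mints a new CA that clients must re-trust. Whether a failed `curl -fsSL … > file` aborts the script before the empty config file reaches `openssl` depends on a `set -e` earlier in the file, which is outside this hunk.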
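--- a/docker/examples/cloud-init/traefik.yaml
+++ b/docker/examples/cloud-init/traefik.yaml
@@ -0,0 +1,39 @@
+# Uncomment to enable debug mode:
+# log:
+#   level: DEBUG
+
+serversTransport:
+  insecureSkipVerify: true
+  rootCAs:
+    - "/certs/ca.crt"
+
+entryPoints:
+  web:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+  websecure:
+    address: ":443"
+
+certificatesResolvers:
+  myresolver:
+    acme:
+      email: info@example.com
+      storage: /data/letsencrypt.json
+      httpChallenge:
+        entryPoint: web
+
+providers:
+  file:
+    filename: "/certs/config.yml"
+    watch: true
+  docker:
+    exposedByDefault: false
+    watch: true
+
+api:
+  insecure: false
+  dashboard: false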
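Review bot: `serversTransport.insecureSkipVerify: true` disables backend certificate verification for every HTTPS upstream, which makes the `rootCAs` entry directly below it a no-op; since the install script generates a CA precisely so upstream certificates can be checked, set `insecureSkipVerify: false` and let `rootCAs` do the work. The referenced `/certs/ca.crt` is written by the script with `openssl x509 -outform der`, whereas Traefik v2 loads `rootCAs` as PEM (via Go's `AppendCertsFromPEM`, as far as I recall), so point it at the PEM copy instead: `- "/certs/ca.pem"`. Both settings only matter for upstreams Traefik reaches over TLS; the photoprism service is published on plain port 2342 in the compose labels, so today they are latent rather than active.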