199 lines
6.2 KiB
YAML
199 lines
6.2 KiB
YAML
version: "2.4"
|
|
|
|
services:
|
|
|
|
# we're using matrix-postgres as DB
|
|
#db:
|
|
# restart: always
|
|
# image: postgres:14-alpine
|
|
# shm_size: 256mb
|
|
# networks:
|
|
# - mastodon-fabric
|
|
|
|
# Experimentally replaced by caddy
|
|
#nginx:
|
|
# image: hub.greenbaum.cloud/nginx-dehydrated:1.19-alpine
|
|
# mem_limit: 256m
|
|
# restart: always
|
|
# environment:
|
|
# - LETSENCRYPT_DOMAIN=mastodon.pub.solar
|
|
# - UPSTREAM_NAME=mastodon
|
|
# - UPSTREAM_CNS_BASE_DOMAIN=svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.cgn-1.int.greenbaum.zone
|
|
# - UPSTREAM_PORT=3000
|
|
# network_mode: mastodon-fabric
|
|
# ports:
|
|
# - 80
|
|
# - 443
|
|
# labels:
|
|
# - triton.cns.services=mastodon-proxy
|
|
|
|
caddy:
|
|
image: caddy:2.6.4
|
|
mem_limit: 256m
|
|
restart: always
|
|
environment:
|
|
- SITE_DOMAIN=mastodon.pub.solar
|
|
- UPSTREAM_APP_DOMAIN=mastodon-web.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.cgn-1.int.greenbaum.zone
|
|
- UPSTREAM_STREAMING_DOMAIN=mastodon-streaming.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.cgn-1.int.greenbaum.zone
|
|
- UPSTREAM_APP_PORT=3000
|
|
- UPSTREAM_STREAMING_PORT=4000
|
|
network_mode: mastodon-fabric
|
|
ports:
|
|
- 80
|
|
- 443
|
|
labels:
|
|
- triton.cns.services=mastodon-proxy
|
|
entrypoint: /bin/sh
|
|
command:
|
|
- -c
|
|
- >-
|
|
echo "
|
|
{
|
|
email admins@pub.solar
|
|
servers {
|
|
protocols h1 h2
|
|
}
|
|
}
|
|
$$SITE_DOMAIN {
|
|
@streaming {
|
|
path /api/v1/streaming/*
|
|
}
|
|
@cache_control {
|
|
path_regexp ^/(emoji|packs|/system/accounts/avatars|/system/media_attachments/files)
|
|
}
|
|
# Uncomment only for debugging, we don't log by default
|
|
#log {
|
|
# output stderr
|
|
#}
|
|
handle /.well-known/keybase.txt {
|
|
root * /srv
|
|
file_server
|
|
}
|
|
redir /auth/sign_up /auth/sign_in temporary
|
|
redir /auth/confirmation/new https://auth.pub.solar/realms/pub.solar/login-actions/reset-credentials?client_id=mastodon temporary
|
|
redir /auth/password/new https://auth.pub.solar/realms/pub.solar/login-actions/reset-credentials?client_id=mastodon temporary
|
|
reverse_proxy @streaming {
|
|
to http://$$UPSTREAM_STREAMING_DOMAIN:$$UPSTREAM_STREAMING_PORT
|
|
}
|
|
reverse_proxy {
|
|
to http://$$UPSTREAM_APP_DOMAIN:$$UPSTREAM_APP_PORT
|
|
}
|
|
handle_errors {
|
|
rewrite 500.html
|
|
}
|
|
encode zstd gzip
|
|
header {
|
|
Strict-Transport-Security "max-age=31536000"
|
|
# clickjacking protection
|
|
X-Frame-Options DENY
|
|
}
|
|
header /sw.js Cache-Control "public, max-age=0"
|
|
header @cache_control Cache-Control "public, max-age=31536000, immutable"
|
|
}
|
|
files.pub.solar {
|
|
handle {
|
|
rewrite * /s/jw24ad6l4a6zxsnd32cmf5hp5nsq/pub-solar-mastodon{uri}?download
|
|
reverse_proxy {
|
|
# backends / upstreams
|
|
to https://link.tardigradeshare.io
|
|
# header manipulation
|
|
# proxy to an HTTPS endpoint
|
|
header_up Host {upstream_hostport}
|
|
# copied from mastodon docs for nginx with s3 for files
|
|
header_up Connection ""
|
|
header_up Authorization ""
|
|
# remove these header from the backends response
|
|
header_down -Set-Cookie
|
|
header_down -Access-Control-Allow-Origin
|
|
header_down -Access-Control-Allow-Methods
|
|
header_down -Access-Control-Allow-Headers
|
|
header_down -x-amz-id-2
|
|
header_down -x-amz-request-id
|
|
header_down -x-amz-meta-server-side-encryption
|
|
header_down -x-amz-server-side-encryption
|
|
header_down -x-amz-bucket-region
|
|
header_down -x-amzn-requestid
|
|
# add these header to the backends response
|
|
# cache client side for 7 days
|
|
header_down Cache-Control "public, max-age=604800"
|
|
header_down Access-Control-Allow-Origin "*"
|
|
header_down X-Content-Type-Options "nosniff"
|
|
}
|
|
}
|
|
handle_errors {
|
|
rewrite 500.html
|
|
}
|
|
}" | caddy run --adapter caddyfile --config -
|
|
|
|
# using SmartOS native zone mastodon-redis, lx-brand redis crashes regularly,
|
|
# upstream bug: https://github.com/redis/redis/issues/8861
|
|
# redis:
|
|
# image: redis:6.2-alpine
|
|
# mem_limit: 512m
|
|
# restart: always
|
|
# network_mode: mastodon-fabric
|
|
# labels:
|
|
# - triton.cns.services=mastodon-redis
|
|
|
|
web:
|
|
image: tootsuite/mastodon:v4.2.1
|
|
mem_limit: 1g
|
|
restart: always
|
|
env_file: .env.production
|
|
command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
|
|
network_mode: mastodon-fabric
|
|
# see redis service comment
|
|
#depends_on:
|
|
# - redis
|
|
labels:
|
|
- triton.cns.services=mastodon-web
|
|
|
|
streaming:
|
|
image: tootsuite/mastodon:v4.2.1
|
|
mem_limit: 1g
|
|
restart: always
|
|
env_file: .env.production
|
|
command: node ./streaming
|
|
network_mode: mastodon-fabric
|
|
# see redis service comment
|
|
#depends_on:
|
|
# - redis
|
|
labels:
|
|
- triton.cns.services=mastodon-streaming
|
|
|
|
sidekiq:
|
|
image: tootsuite/mastodon:v4.2.1
|
|
mem_limit: 1g
|
|
restart: always
|
|
env_file: .env.production
|
|
command: bundle exec sidekiq
|
|
network_mode: mastodon-fabric
|
|
labels:
|
|
- triton.cns.services=mastodon-sidekiq
|
|
|
|
elasticsearch:
|
|
image: docker.elastic.co/elasticsearch/elasticsearch:7.17.13
|
|
mem_limit: 512m
|
|
restart: always
|
|
environment:
|
|
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
|
|
- "xpack.license.self_generated.type=basic"
|
|
- "xpack.security.enabled=false"
|
|
- "xpack.watcher.enabled=false"
|
|
- "xpack.graph.enabled=false"
|
|
- "xpack.ml.enabled=false"
|
|
- "bootstrap.memory_lock=true"
|
|
- "cluster.name=es-mastodon"
|
|
- "discovery.type=single-node"
|
|
- "thread_pool.write.queue_size=1000"
|
|
network_mode: mastodon-fabric
|
|
labels:
|
|
- triton.cns.services=mastodon-elasticsearch
|
|
ulimits:
|
|
memlock:
|
|
soft: -1
|
|
hard: -1
|
|
nofile:
|
|
soft: 65536
|
|
hard: 65536
|