mirror of https://github.com/funkypenguin/geek-cookbook/ synced 2025-12-13 17:56:26 +00:00

Add phpIPAM

David Young
2018-12-18 22:12:28 +13:00
parent b8aeb3dfd9
commit 2309e51bd1
10 changed files with 500 additions and 111 deletions

View File

@@ -15,13 +15,12 @@
## Recently added recipes ## Recently added recipes
* Added [KeyCloak](/recipes/keycloak), an open source identity and access management solution which backends neatly into [OpenLDAP](/recipes/openldap/) (among other providers), providing true SSO (_13 Dec 2018_) * Added [phpIPAM])(/reipes/phpipam), an IP address managament tool (_18 Dec 2018_)
* Added [KeyCloak](/recipes/keycloak), an open source identity and access management solution which backends neatly into [OpenLDAP](/recipes/openldap/) (_among other providers_), providing true SSO (_13 Dec 2018_)
* Added [OpenLDAP](/recipes/openldap/), a 20-year old project which [refuses to die](https://www.youtube.com/watch?v=cnQEo4bazIo), underpinning many of today's authentication platforms, and providing a single authentication backend for multiple recipes (_9 Dec 2018_) * Added [OpenLDAP](/recipes/openldap/), a 20-year old project which [refuses to die](https://www.youtube.com/watch?v=cnQEo4bazIo), underpinning many of today's authentication platforms, and providing a single authentication backend for multiple recipes (_9 Dec 2018_)
* Added [Wetty](/recipes/wetty/), a remote terminal client in your web browser (_22 Nov 2018_) * Added [Wetty](/recipes/wetty/), a remote terminal client in your web browser (_22 Nov 2018_)
* Added [PrivateBin](/recipes/privatebin/), a self-hosted pastebin alternative (_5 Nov 2018_) * Added [PrivateBin](/recipes/privatebin/), a self-hosted pastebin alternative (_5 Nov 2018_)
* Added [Realms](/recipes/realms/), another git-based wiki, like [Gollum](/recipes/gollum/), but including basic user auth and registration
* Added a list of useful funkypenguin Docker [containers](/reference/containers/) (_7 Oct 2018_)
* Added [Swarmprom](/recipes/swarmprom/), the sexiest way visualise detailed performance metrics from your swarm (_17 Sep 2018_)
## Recent improvements ## Recent improvements
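Review bot: The new phpIPAM entry at the top of the list has a malformed link, `[phpIPAM])(/reipes/phpipam)`: the stray `)` stops it rendering as a link, and the path is misspelled, so it would not resolve to the `/recipes/phpipam/` location that the nav and networks-table changes in this commit use. "managament" is also misspelled. Suggest `* Added [phpIPAM](/recipes/phpipam/), an IP address management tool (_18 Dec 2018_)`.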

Binary file not shown.


View File

@@ -0,0 +1,245 @@
# Collabora Online
!!! important
Development of this recipe is sponsored by [The Common Observatory](https://www.observe.global/). Thanks guys!
[![Common Observatory](../images/common_observatory.png)](https://www.observe.global/)
Collabora Online Development Edition (or "[CODE](https://www.collaboraoffice.com/code/#what_is_code)"), is the lightweight, or "home" edition of the commercially-supported [Collabora Online](https://www.collaboraoffice.com/collabora-online/) platform. It
It's basically the [LibreOffice](https://www.libreoffice.org/) interface in a web-browser. CODE is not a standalone app, it's a backend intended to be accessed via "WOPI" from an existing interface (_in our case, [NextCloud](/recipes/nextcloud/)_)
![CODE Screenshot](../images/collabora-online-development-environment.png)
## Ingredients
1. [Docker swarm cluster](/ha-docker-swarm/design/) with [persistent shared storage](/ha-docker-swarm/shared-storage-ceph.md)
2. [Traefik](/ha-docker-swarm/traefik_public) configured per design
3. DNS entry for the hostname (_i.e. "collabora.your-domain.com"_) you intend to use for LDAP Account Manager, pointed to your [keepalived](ha-docker-swarm/keepalived/) IP
4. [NextCloud](/recipes/nextcloud/) installed and operational
5. [Docker-compose](https://docs.docker.com/compose/install/) installed on your node(s) - this is a special case which needs to run outside of Docker Swarm
## Preparation
### Explanation for complexity
Due to the clever magic that Collabora does to present a "headless" LibreOffice UI to the browser, the CODE docker container requires system capabilities which cannot be granted under Docker Swarm (_specifically, MKNOD_).
So we have to run Collabora itself in the next best thing to Docker swarm - a docker-compose stack. Using docker-compose will at least provide us with consistent and version-able configuration files.
This presents another problem though - Docker Swarm with Traefik is superb at making all our stacks "just work" with ingress routing and LetsEncyrpt certificates. We don't want to have to do this manually (_like a cave-man_), so we engage in some trickery to allow us to still use our swarmed Traefik to terminate SSL.
We run a single swarmed Nginx instance, which forwards all requests to an upstream, with the target IP of the docker0 interface, on port 9980 (the port exposed by the CODE container_)
We attach the necessary labels to the Nginx container to instruct Trafeik to setup a front/backend for collabora.<ourdomain\>. Now incoming requests to https://collabora.<ourdomain\> will hit Traefik, be forwarded to nginx (wherever in the swarm it's running), and then to port 9980 on the same node that nginx is running on.
What if we're running multiple nodes in our swarm, and nginx ends up on a different node to the one running Collabora via docker-compose? Well, either constrain nginx to the same node as Collabora, or just launch an instance of Collabora on _every_ node then. It's just a rendering / GUI engine after all, it doesn't hold any persistent data.
Here's a diagram to illustrate:
![CODE traffic flow](../images/collabora-traffic-flow.png)
### Setup data locations
We'll need a directory for holding config to bind-mount into our containers, so create ```/var/data/collabora```, and ```/var/data/config/collabora``` for holding the docker/swarm config
```
mkdir /var/data/collabora/
mkdir /var/data/config/collabora/
```
### Prepare environment
Create /var/data/config/collabora/collabora.env, and populate with the following variables, customized for your installation.
!!! warning
Note the following:
1. Variables are in lower-case, unlike our standard convention. This is to align with the CODE container
2. Set domain to your [NextCloud](/recipes/nextcloud/) domain, and escape all the periods as per the example
3. Set your server_name to collabora.<yourdomain\>. Escaping periods is unnecessary
4. Your password cannot include triangular brackets - the entrypoint script will insert this password into an XML document, and triangular brackets will make bad(tm) things happen 🔥
```
username=admin
password=ilovemypassword
domain=nextcloud\.batcave\.com
server_name=collabora.batcave.com
termination=true
```
### Create docker-compose.yml
Create ```/var/data/config/collabora/docker-compose.yml``` as follows:
```
version: "3.0"
services:
local-collabora:
image: funkypenguin/collabora
# the funkypenguin version has a patch to include "termination" behind SSL-terminating reverse proxy (traefik), see CODE PR #50.
# Once merged, the official container can be used again.
#image: collabora/code
env_file: /var/data/config/collabora/collabora.env
volumes:
- /var/data/collabora/loolwsd.xml:/etc/loolwsd/loolwsd.xml
cap_add:
- MKNOD
ports:
- 9980:9980
```
### Create nginx.conf
Create ```/var/data/config/collabora/nginx.conf``` as follows, changing the ```server_name``` value to match the environment variable you established above.
```
upstream collabora-upstream {
# Run collabora under docker-compose, since it needs MKNOD cap, which can't be provided by Docker Swarm.
# The IP here is the typical IP of docker0 - change if yours is different.
server 172.17.0.1:9980;
}
server {
listen 80;
server_name collabora.batcave.com;
# static files
location ^~ /loleaflet {
proxy_pass http://collabora-upstream;
proxy_set_header Host $http_host;
}
# WOPI discovery URL
location ^~ /hosting/discovery {
proxy_pass http://collabora-upstream;
proxy_set_header Host $http_host;
}
# Main websocket
location ~ /lool/(.*)/ws$ {
proxy_pass http://collabora-upstream;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $http_host;
proxy_read_timeout 36000s;
}
# Admin Console websocket
location ^~ /lool/adminws {
proxy_buffering off;
proxy_pass http://collabora-upstream;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $http_host;
proxy_read_timeout 36000s;
}
# download, presentation and image upload
location ~ /lool {
proxy_pass https://collabora-upstream;
proxy_set_header Host $http_host;
}
}
```
# FIXME
```
wsd-00030-00031 2018-12-15 07:52:49.973053 [ prisoner_poll ] INF Have 1 spare child after adding [36].| wsd/LOOLWSD.cpp:431
wsd-00030-00030 2018-12-15 07:52:49.978874 [ loolwsd ] TRC Have 1 new children.| wsd/LOOLWSD.cpp:2987
wsd-00030-00030 2018-12-15 07:52:49.978940 [ loolwsd ] INF WSD initialization complete: setting log-level to [warning] as configured.| wsd/LOOLWSD.cpp:2994
wsd-00030-00051 2018-12-15 07:55:06.385786 [ websrv_poll ] ERR Requesting address is denied: ::ffff:172.20.0.1| wsd/LOOLWSD.cpp:1851
```
### Setup Docker Swarm
Create ```/var/data/config/collabora/collabora.yml``` as follows, changing the traefik frontend_rule as necessary:
!!! tip
I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍
```
version: "3.0"
services:
nginx:
image: nginx:latest
networks:
- traefik_public
deploy:
labels:
- traefik.frontend.rule=Host:collabora.observe.global
- traefik.docker.network=traefik_public
- traefik.port=80
- traefik.frontend.passHostHeader=true
# uncomment this line if you want to force nginx to always run on one node (i.e., the one running collabora)
#placement:
# constraints:
# - node.hostname == ds1
volumes:
- /var/data/collabora/nginx.conf:/etc/nginx/conf.d/default.conf:ro
networks:
traefik_public:
external: true
```
### Obtain loolwsd.xml
Where do we find this? Do we still need it given we patched it?
## Serving
### Launch Collabora
Launching Collabora is a 2-step process. First we launch collabora itself, by running:
```
cd /var/data/config/collabora/
docker-compose -d up
```
Output looks something like this:
```
root@ds1:/var/data/config/collabora# docker-compose up -d
WARNING: The Docker Engine you're using is running in swarm mode.
Compose does not use swarm mode to deploy services to multiple nodes in a swarm. All containers will be scheduled on the current node.
To deploy your application across the swarm, use `docker stack deploy`.
Pulling local-collabora (funkypenguin/collabora:latest)...
latest: Pulling from funkypenguin/collabora
7b8b6451c85f: Pull complete
ab4d1096d9ba: Pull complete
e6797d1788ac: Pull complete
e25c5c290bde: Pull complete
4b8e1b074e06: Pull complete
f51a3d1fb75e: Pull complete
8b826e2ae5ad: Pull complete
Digest: sha256:6cd38cb5cbd170da0e3f0af85cecf07a6bc366e44555c236f81d5b433421a39d
Status: Downloaded newer image for funkypenguin/collabora:latest
Creating collabora_local-collabora_1 ...
Creating collabora_local-collabora_1 ... done
root@ds1:/var/data/config/collabora#
```
Once collabora is up, we launch the swarm stack, by running:
```
docker stack deploy collabora -c /var/data/config/collabora/collabora.yml
```
Visit https://collabora.<yourdomain\> and confirm you can login with the user/password you specified in collabora.env
### Integrate into NextCloud
Create the auth_internal overlay network, by running ```docker stack deploy auth -c /var/data/config/openldap/auth.yml`, then launch the OpenLDAP stack by running ```docker stack deploy openldap -c /var/data/config/openldap/openldap.yml```
PR is https://github.com/CollaboraOnline/Docker-CODE/pull/50
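Review bot: In the nginx.conf block, the last location (`location ~ /lool`) uses `proxy_pass https://collabora-upstream;` while every other location proxies to the same upstream over `http://`. With `termination=true` set in collabora.env the backend on 9980 is presumably plain HTTP, so this looks like a leftover and should be `http://`. Other points in this file: the launch step says `docker-compose -d up` but the sample output right below it shows the working form `docker-compose up -d`; the swarm file bind-mounts `/var/data/collabora/nginx.conf` whereas the instructions create `/var/data/config/collabora/nginx.conf`; the compose file mounts `/var/data/collabora/loolwsd.xml`, yet "Obtain loolwsd.xml" is still an open question. A `# FIXME` heading followed by the "Requesting address is denied: ::ffff:172.20.0.1" log is left in with no explanation of the fix. The Traefik rule hard-codes `collabora.observe.global` where the rest of the recipe uses the batcave.com placeholder. Ingredient 3 names LDAP Account Manager, and "Integrate into NextCloud" contains the OpenLDAP deploy commands (with an unbalanced code span), both of which read as copy-paste from another recipe. Suggest resolving these before the page is linked from the nav.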

View File

@@ -8,7 +8,7 @@ I honestly didn't expect to enjoy the mining process as much as I did. Part of t
Since a [mining rig](/recipes/cryptominer/mining-rig/) relies on hardware, we can't really use a docker swarm for this one! Since a [mining rig](/recipes/cryptominer/mining-rig/) relies on hardware, we can't really use a docker swarm for this one!
![NAME Screenshot](../images/cryptominer.png) ![CryptoMiner Screenshot](../images/cryptominer.png)
This recipe isn't for everyone - if you just want to make some money from cryptocurrency, then you're better off learning to [invest](https://www.reddit.com/r/CryptoCurrency/) or [trade](https://www.reddit.com/r/CryptoMarkets/). However, if you want to (_ideally_) make money **and** you like tinkering, playing with hardware, optimising and monitoring, read on! This recipe isn't for everyone - if you just want to make some money from cryptocurrency, then you're better off learning to [invest](https://www.reddit.com/r/CryptoCurrency/) or [trade](https://www.reddit.com/r/CryptoMarkets/). However, if you want to (_ideally_) make money **and** you like tinkering, playing with hardware, optimising and monitoring, read on!

View File

@@ -0,0 +1,24 @@
# iBeacons with Home assistant
!!! warning
This is not a complete recipe - it's an optional additional of the [HomeAssistant](/recipes/homeassistant/) "recipe", since it only applies to a subset of users
One of the most useful features of Home Assistant is location awareness. I don't care if someone opens my office door when I'm home, but you bet I care about (_and want to be notified_) it if I'm away!
## Ingredients
1. [HomeAssistant](/recipes/home-assistant/) per recipe
2. iBeacon(s) - This recipe is for https://s.click.aliexpress.com/e/bzyLCnAp
4. [LightBlue Explorer](https://itunes.apple.com/nz/app/lightblue-explorer/id557428110?mt=8)
## Preparation
### Write UUID to iBeacon
The iBeacons come with no UUID. We use the LightBlue Explorer app to pair with them (_code is "123456"_), and assign own own UUID.
Generate your own UUID, or get a random one at https://www.uuidgenerator.net/
Plug in your iBeacon, launch LightBlue Explorer, and find your iBeacon. The first time you attempt to interrogate it, you'll be prompted to pair. Although it's not recorded anywhere in the documentation (_grr!_), the pairing code is **123456**
Having paired, you'll be able to see the vital statistics of your iBeacon.
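Review bot: The recipe gives the factory pairing code 123456 twice ("Write UUID to iBeacon", first and third paragraphs) but never says whether it can be changed once the UUID is written. Since pairing is what allows the UUID to be assigned, it would help to add a step for changing the code, or a sentence stating that it is fixed. Smaller points: the Ingredients list is numbered 1, 2, 4; item 1 links `/recipes/home-assistant/` while the warning above links `/recipes/homeassistant/`; "optional additional" and "own own UUID" are typos; and the recipe stops after pairing, so the "not a complete recipe" warning could say what is still to come.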

View File

@@ -2,7 +2,7 @@
Intro Intro
![NAME Screenshot](../images/mattermost.jpg) ![MatterMost Screenshot](../images/mattermost.jpg)
Details Details
@@ -16,7 +16,7 @@ Details
### Setup data locations ### Setup data locations
We'll need several directories to bind-mount into our container, so create them in /var/data/wekan: We'll need several directories to bind-mount into our container, so create them in /var/data/mattermost:
``` ```
mkdir -p /var/data/mattermost/{cert,config,data,logs,plugins,database-dump} mkdir -p /var/data/mattermost/{cert,config,data,logs,plugins,database-dump}
@@ -110,9 +110,9 @@ networks:
## Serving ## Serving
### Launch Wekan stack ### Launch MatterMost stack
Launch the Wekan stack by running ```docker stack deploy wekan -c <path -to-docker-compose.yml>``` Launch the MatterMost stack by running ```docker stack deploy mattermost -c <path -to-docker-compose.yml>```
Log into your new instance at https://**YOUR-FQDN**, with user "root" and the password you specified in gitlab.env. Log into your new instance at https://**YOUR-FQDN**, with user "root" and the password you specified in gitlab.env.
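Review bot: The context line directly below the corrected heading still tells the reader to log in with user "root" and the password "specified in gitlab.env", which is the same kind of copy-paste leftover as the Wekan references this hunk fixes. Suggest correcting it in the same change to describe how the first MatterMost account is actually created. The placeholder `<path -to-docker-compose.yml>` also has a stray space after "path".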

View File

@@ -0,0 +1,216 @@
# phpIPAM
phpipam is an open-source web IP address management application (IPAM). Its goal is to provide light, modern and useful IP address management. It is php-based application with MySQL database backend, using jQuery libraries, ajax and HTML5/CSS3 features.
![phpIPAM Screenshot](../images/phpipam.png)
phpIPAM fulfils a non-sexy, but important role. It helps you manage your IP address allocation.
## Why should you care about this?
You probably have a home network, with 20-30 IP addresses, for your family devices, your IOT devices, your smart TV, etc. If you want to (a) monitor them, and (b) audit who does what, you care about what IPs they're assigned by your DHCP server.
You could simple keep track of all devices with leases in your DHCP server, but what happens if your (_hypothetical_) Ubiquity Edge Router X crashes and burns due to lack of disk space, and you loose track of all your leases? Well, you have to start from scratch, is what!
And that [HomeAssistant](/recipes/homeassistant/) config, which you so carefully compiled, refers to each device by IP/DNS name, so you'd better make sure you recreate it consistently!
Enter phpIPAM. A tool designed to help home keeps as well as large organisations keep track of their IP (_and VLAN, VRF, and AS number_) allocations.
## Ingredients
1. [Docker swarm cluster](/ha-docker-swarm/design/) with [persistent shared storage](/ha-docker-swarm/shared-storage-ceph.md)
2. [Traefik](/ha-docker-swarm/traefik_public) configured per design
3. DNS entry for the hostname (_i.e. "phpipam.your-domain.com"_) you intend to use for phpIPAM, pointed to your [keepalived](ha-docker-swarm/keepalived/) IPIP
## Preparation
### Setup data locations
We'll need several directories to bind-mount into our container, so create them in /var/data/phpipam:
```
mkdir /var/data/phpipam/databases-dump -p
mkdir /var/data/runtime/phpipam -p
```
### Prepare environment
Create phpipam.env, and populate with the following variables
```
# Setup for github, phpipam application
OAUTH2_PROXY_CLIENT_ID=
OAUTH2_PROXY_CLIENT_SECRET=
OAUTH2_PROXY_COOKIE_SECRET=
# For MariaDB/MySQL database
MYSQL_ROOT_PASSWORD=imtoosecretformyshorts
MYSQL_DATABASE=phpipam
MYSQL_USER=phpipam
MYSQL_PASSWORD=secret
# phpIPAM-specific variables
MYSQL_ENV_MYSQL_USER=phpipam
MYSQL_ENV_MYSQL_PASSWORD=secret
MYSQL_ENV_MYSQL_DB=phpipam
MYSQL_ENV_MYSQL_HOST=db
# For backup
BACKUP_NUM_KEEP=7
BACKUP_FREQUENCY=1d
```
Additionally, create phpipam-backup.env, and populate with the following variables:
```
# For MariaDB/MySQL database
MYSQL_ROOT_PASSWORD=imtoosecretformyshorts
MYSQL_DATABASE=phpipam
MYSQL_USER=phpipam
MYSQL_PASSWORD=secret
# For backup
BACKUP_NUM_KEEP=7
BACKUP_FREQUENCY=1d
```
### Create nginx.conf
I usually protect my stacks using an [oauth proxy](/reference/oauth_proxy/) container in front of the app. This protects me from either accidentally exposing a platform to the world, or having a insecure platform accessed and abused.
In the case of phpIPAM, the oauth_proxy creates an additional complexity, since it passes the "Authorization" HTTP header to the phpIPAM container. phpIPAH then examines the header, determines that the provided username (_my email address associated with my oauth provider_) doesn't match a local user account, and denies me access without the opportunity to retry.
The (_dirty_) solution I've come up with is to insert an Nginx instance in the path between the oauth_proxy and the phpIPAM container itself. Nginx can remove the authorization header, so that phpIPAM can prompt me to login with a web-based form.
Create /var/data/phpipam/nginx.conf as follows:
```
upstream app-upstream {
server app:80;
}
server {
listen 80;
server_name ~.;
# Just redirect everything to the upstream
# Yes, it's embarassing. We are just a mechanism to strip an AUTH header :(
location ^~ / {
proxy_pass http://app-upstream;
proxy_set_header Authorization "";
}
}
```
### Setup Docker Swarm
Create a docker swarm config file in docker-compose syntax (v3), something like this:
!!! tip
I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍
```
version: '3'
services:
db:
image: mariadb:10
env_file: /var/data/config/phpipam/phpipam.env
networks:
- internal
volumes:
- /var/data/runtime/phpipam/db:/var/lib/mysql
proxy:
image: funkypenguin/oauth2_proxy
env_file: /var/data/config/phpipam/phpipam.env
networks:
- internal
- traefik_public
deploy:
labels:
- traefik.frontend.rule=Host:phpipam.example.com
- traefik.docker.network=traefik_public
- traefik.port=4180
volumes:
- /var/data/config/phpipam/authenticated-emails.txt:/authenticated-emails.txt
command: |
-cookie-secure=false
-upstream=http://nginx
-redirect-url=https://phpipam.example.com
-http-address=http://0.0.0.0:4180
-email-domain=example.com
-provider=github
-authenticated-emails-file=/authenticated-emails.txt
# Wait, what? Why do we have an oauth_proxy _and_ an nginx frontend for a simple webapp?
# Well, it's a long story. Basically, the phpipam container sees the "auth" headers passed by the
# oauth_proxy, and decides to use these exclusively to authenticate users. So no web-based login form, just "access denied"
# To work around this, we add nginx reverse proxy to the mix. A PITA, but an easy way to solve without altering the PHPIPAM code
nginx:
image: nginx:latest
networks:
- internal
volumes:
- /var/data/phpipam/nginx.conf:/etc/nginx/conf.d/default.conf:ro
app:
image: pierrecdn/phpipam
env_file: /var/data/config/phpipam/phpipam.env
networks:
- internal
db-backup:
image: mariadb:10
env_file: /var/data/config/phpipam/phpipam.env
volumes:
- /var/data/phpipam/database-dump:/dump
- /etc/localtime:/etc/localtime:ro
entrypoint: |
bash -c 'bash -s <<EOF
trap "break;exit" SIGHUP SIGINT SIGTERM
sleep 2m
while /bin/true; do
mysqldump -h db --all-databases | gzip -c > /dump/dump_\`date +%d-%m-%Y"_"%H_%M_%S\`.sql.gz
(ls -t /dump/dump*.sql.gz|head -n $$BACKUP_NUM_KEEP;ls /dump/dump*.sql.gz)|sort|uniq -u|xargs rm -- {}
sleep $$BACKUP_FREQUENCY
done
EOF'
networks:
- internal
networks:
traefik_public:
external: true
internal:
driver: overlay
ipam:
config:
- subnet: 172.16.47.0/24
```
!!! note
Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](/reference/networks/) here.
## Serving
### Launch phpIPAM stack
Launch the phpIPAM stack by running ```docker stack deploy phpipam -c <path -to-docker-compose.yml>```
Log into your new instance at https://**YOUR-FQDN**, and follow the on-screen prompts to set your first user/password.
## Chef's Notes
1. If you wanted to expose the phpIPAM UI directly, you could remove the oauth2_proxy and the nginx services from the design, and move the traefik_public-related labels directly to the phpipam container. You'd also need to add the traefik_public network to the phpipam container.
### Tip your waiter (donate) 👏
Did you receive excellent service? Want to make your waiter happy? (_..and support development of current and future recipes!_) See the [support](/support/) page for (_free or paid)_ ways to say thank you! 👏
### Your comments? 💬
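Review bot: The `db-backup` service loads `/var/data/config/phpipam/phpipam.env`, which hands the OAUTH2_PROXY_* client and cookie secrets to the backup container, while the `phpipam-backup.env` file the recipe tells readers to create is never referenced. Point `db-backup` at `phpipam-backup.env` so it only receives the database variables. The same service mounts `/var/data/phpipam/database-dump`, but Preparation creates `/var/data/phpipam/databases-dump`, and `/var/data/config/phpipam/` (where the env files and authenticated-emails.txt are expected) is never created or named in the "Create phpipam.env" step. In the backup loop, `xargs rm -- {}` passes a literal `{}` to rm because no `-I` is given. `-cookie-secure=false` sits next to an https `-redirect-url`; either set it to true or add a comment explaining why it must be off. Chef's Note 1 should say that removing oauth2_proxy leaves phpIPAM's own login form as the only control in front of the UI. Typos: "phpIPAH", "IPIP", "simple keep track", "loose track", "home keeps", "Ubiquity".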

View File

@@ -1,100 +0,0 @@
don't use special characetrs in your password
perl -pi -e "s/<termination (.*)>.*<\/termination>/<termination \1>${termination}<\/termination>/" /etc/loolwsd/loolwsd.xml
Cretaed /var/data/collabora/loolwsd.xml and bind-mounted it for editing ssl bool = false
docker-compose.yml
```
version: "3.0"
services:
local-collabora:
image: funkypenguin/collabora
# the funkypenguin version has a patch to include "termination" behind SSL-terminating reverse proxy (traefik)
#image: collabora/code
env_file: /var/data/config/collabora/collabora.env
volumes:
- /var/data/collabora/loolwsd.xml:/etc/loolwsd/loolwsd.xml
cap_add:
- MKNOD
ports:
- 9980:9980
```
nginx.conf
```
upstream collabora-upstream {
# Run collabora under docker-compose, since it needs MKNOD cap, which can't be provided by Docker
server 172.17.0.1:9980;
}
server {
listen 80;
server_name collabora.observe.global;
# static files
location ^~ /loleaflet {
proxy_pass http://collabora-upstream;
proxy_set_header Host $http_host;
}
# WOPI discovery URL
location ^~ /hosting/discovery {
proxy_pass http://collabora-upstream;
proxy_set_header Host $http_host;
}
# Main websocket
location ~ /lool/(.*)/ws$ {
proxy_pass http://collabora-upstream;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $http_host;
proxy_read_timeout 36000s;
}
# Admin Console websocket
location ^~ /lool/adminws {
proxy_buffering off;
proxy_pass http://collabora-upstream;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $http_host;
proxy_read_timeout 36000s;
}
# download, presentation and image upload
location ~ /lool {
proxy_pass https://collabora-upstream;
proxy_set_header Host $http_host;
}
}
```
collabora.yml
```
version: "3.0"
services:
nginx:
image: nginx:latest
networks:
- traefik_public
deploy:
labels:
- traefik.frontend.rule=Host:collabora.observe.global
- traefik.docker.network=traefik_public
- traefik.port=80
- traefik.frontend.passHostHeader=true
volumes:
- /var/data/collabora/nginx.conf:/etc/nginx/conf.d/default.conf:ro
networks:
traefik_public:
external: true
```

View File

@@ -46,6 +46,7 @@ Network | Range
[FlightAirMap](https://geek-cookbook.funkypenguin.co.nz/recipes/flightairmap/) |172.16.44.0/24 [FlightAirMap](https://geek-cookbook.funkypenguin.co.nz/recipes/flightairmap/) |172.16.44.0/24
[Wetty](https://geek-cookbook.funkypenguin.co.nz/recipes/wetty/) | 172.16.45.0/24 [Wetty](https://geek-cookbook.funkypenguin.co.nz/recipes/wetty/) | 172.16.45.0/24
[FileBrowser](https://geek-cookbook.funkypenguin.co.nz/recipes/filebrowser/) | 172.16.46.0/24 [FileBrowser](https://geek-cookbook.funkypenguin.co.nz/recipes/filebrowser/) | 172.16.46.0/24
[phpIPAM](https://geek-cookbook.funkypenguin.co.nz/recipes/phpipam/) | 172.16.47.0/24
## Chef's Notes ## Chef's Notes

View File

@@ -55,13 +55,16 @@ pages:
- Heimdall: recipes/autopirate/heimdall.md - Heimdall: recipes/autopirate/heimdall.md
- End: recipes/autopirate/end.md - End: recipes/autopirate/end.md
- Emby: recipes/emby.md - Emby: recipes/emby.md
- Home Assistant: recipes/homeassistant.md - Home Assistant:
- Start: recipes/homeassistant.md
- iBeacon: recipes/homeassistant/ibeacon.md
- Huginn: recipes/huginn.md - Huginn: recipes/huginn.md
- Kanboard: recipes/kanboard.md - Kanboard: recipes/kanboard.md
- Miniflux: recipes/miniflux.md - Miniflux: recipes/miniflux.md
- Munin: recipes/munin.md - Munin: recipes/munin.md
- NextCloud: recipes/nextcloud.md - NextCloud: recipes/nextcloud.md
- OwnTracks: recipes/owntracks.md - OwnTracks: recipes/owntracks.md
- phpIPAM: recipes/phpipam.md
- Plex: recipes/plex.md - Plex: recipes/plex.md
- PrivateBin: recipes/privatebin.md - PrivateBin: recipes/privatebin.md
- Swarmprom: recipes/swarmprom.md - Swarmprom: recipes/swarmprom.md
@@ -80,6 +83,7 @@ pages:
- Monitoring: recipes/cryptominer/monitor.md - Monitoring: recipes/cryptominer/monitor.md
- Profit!: recipes/cryptominer/profit.md - Profit!: recipes/cryptominer/profit.md
- Calibre-Web: recipes/calibre-web.md - Calibre-Web: recipes/calibre-web.md
# - Collabora Online: recipes/collabora-online.md
- Ghost: recipes/ghost.md - Ghost: recipes/ghost.md
- GitLab: recipes/gitlab.md - GitLab: recipes/gitlab.md
- GitLab Runner: recipes/gitlab-runner.md - GitLab Runner: recipes/gitlab-runner.md