diff --git a/README.md b/README.md
index f64bc5a..be5c048 100644
--- a/README.md
+++ b/README.md
@@ -174,11 +174,23 @@ docker network create web to create a network for the docker instances.
-## Startup
+## Startup
+
+### Using without proxy
+
+In most cases, you should use a gateway reverse proxy for your requests (see the next section), as they can offer many benefits such as enhanced security and easier SSL certificate updates. This simple startup method is used for 1. Development 2. When you know what you're doing, for example, when there is an additional gateway layer outside your server.
+
+Start docker containers:
+
+```
+docker-compose up -d
+```
+
+### Using proxy
 There are 2 different ways of starting either using Traefik or using Certbot. Adapt the one you want to use.
-### Using Traefik
+#### Using Traefik
 Then start docker containers (with loadbalancer):
 ```
@@ -186,7 +198,7 @@ export NUMINSTANCES=1 docker-compose -f docker-compose.traefik.yml up -d --scale sharelatex=$NUMINSTANCES
 ```
-### Using Certbot
+#### Using Certbot
 Enable line 65/66 and 69/70 in ldapoverleaf-sl/Dockerfile and ``make`` again.
 ```
diff --git a/docker-compose.certbot.yml b/docker-compose.certbot.yml
index 3bf1245..4563d76 100644
--- a/docker-compose.certbot.yml
+++ b/docker-compose.certbot.yml
@@ -81,6 +81,17 @@ services:
 LDAP_CONTACT_FILTER: "(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)"
 LDAP_CONTACTS: "false"
+ # OAUTH2_CLIENT_ID: YOUR_OAUTH2_CLIENT_ID
+ # OAUTH2_CLIENT_SECRET: YOUR_OAUTH2_CLIENT_SECRET
+ # OAUTH2_SCOPE: YOUR_OAUTH2_SCOPE
+ # OAUTH2_AUTHORIZATION_URL: YOUR_OAUTH2_AUTHORIZATION_URL
+ # OAUTH2_TOKEN_URL: YOUR_OAUTH2_TOKEN_URL
+ # OAUTH2_PROFILE_URL: YOUR_OAUTH2_PROFILE_URL
+ # OAUTH2_USER_ATTR_EMAIL: email
+ # OAUTH2_USER_ATTR_UID: id
+ # OAUTH2_USER_ATTR_FIRSTNAME: name
+ # OAUTH2_USER_ATTR_LASTNAME:
+
 # Same property, unfortunately with different names in
 # different locations
 SHARELATEX_REDIS_HOST: redis
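Review bot: `# OAUTH2_CLIENT_SECRET: YOUR_OAUTH2_CLIENT_SECRET` invites an operator to paste a live client secret straight into a compose file that is tracked in git, whereas the new docker-compose.yml in this same commit already reads per-deployment values through substitution (`${MYDOMAIN}`, `${MYMAIL}`), and presumably the certbot and traefik files do too. Reading the secret from the environment keeps it out of the repository and its history: `# OAUTH2_CLIENT_SECRET: ${OAUTH2_CLIENT_SECRET}`. The last line, `# OAUTH2_USER_ATTR_LASTNAME:`, carries no value, so once uncommented it parses as null rather than as an attribute name; a placeholder like the other lines, or an inline comment stating that it is optional, would avoid that surprise. The same ten lines are added to docker-compose.traefik.yml and to the new docker-compose.yml, and the README hunk of this commit documents none of the OAUTH2_* variables.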
diff --git a/docker-compose.traefik.yml b/docker-compose.traefik.yml
index f5e7895..1719396 100644
--- a/docker-compose.traefik.yml
+++ b/docker-compose.traefik.yml
@@ -162,6 +162,17 @@ services:
 LDAP_CONTACT_FILTER: "(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)"
 LDAP_CONTACTS: "false"
+ # OAUTH2_CLIENT_ID: YOUR_OAUTH2_CLIENT_ID
+ # OAUTH2_CLIENT_SECRET: YOUR_OAUTH2_CLIENT_SECRET
+ # OAUTH2_SCOPE: YOUR_OAUTH2_SCOPE
+ # OAUTH2_AUTHORIZATION_URL: YOUR_OAUTH2_AUTHORIZATION_URL
+ # OAUTH2_TOKEN_URL: YOUR_OAUTH2_TOKEN_URL
+ # OAUTH2_PROFILE_URL: YOUR_OAUTH2_PROFILE_URL
+ # OAUTH2_USER_ATTR_EMAIL: email
+ # OAUTH2_USER_ATTR_UID: id
+ # OAUTH2_USER_ATTR_FIRSTNAME: name
+ # OAUTH2_USER_ATTR_LASTNAME:
+
 # Same property, unfortunately with different names in
 # different locations
 SHARELATEX_REDIS_HOST: redis
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..073f9b6
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,147 @@
+version: "2.2"
+services:
+ sharelatex:
+ restart: always
+ image: ldap-overleaf-sl
+ container_name: ldap-overleaf-sl
+ depends_on:
+ mongo:
+ condition: service_healthy
+ redis:
+ condition: service_healthy
+ privileged: false
+ ports:
+ - 80:80
+ links:
+ - mongo
+ - redis
+ volumes:
+ - ${MYDATA}/sharelatex:/var/lib/sharelatex
+ - ${MYDATA}/letsencrypt:/etc/letsencrypt
+ - ${MYDATA}/letsencrypt/live/${MYDOMAIN}/:/etc/letsencrypt/certs/domain
+ environment:
+ SHARELATEX_APP_NAME: Overleaf
+ SHARELATEX_MONGO_URL: mongodb://mongo/sharelatex
+ SHARELATEX_SITE_URL: https://${MYDOMAIN}
+ SHARELATEX_NAV_TITLE: Overleaf - run by ${MYDOMAIN}
+ #SHARELATEX_HEADER_IMAGE_URL: https://${MYDOMAIN}/logo.svg
+ SHARELATEX_ADMIN_EMAIL: ${MYMAIL}
+ SHARELATEX_LEFT_FOOTER: '[{"text": "Powered by ShareLaTeX 2016"} ]'
+ SHARELATEX_RIGHT_FOOTER: '[{"text": "LDAP Overleaf (beta)"} ]'
+ SHARELATEX_EMAIL_FROM_ADDRESS: "noreply@${MYDOMAIN}"
+ # SHARELATEX_EMAIL_AWS_SES_ACCESS_KEY_ID:
+ # SHARELATEX_EMAIL_AWS_SES_SECRET_KEY:
+ SHARELATEX_EMAIL_SMTP_HOST: smtp.${MYDOMAIN}
+ SHARELATEX_EMAIL_SMTP_PORT: 587
+ SHARELATEX_EMAIL_SMTP_SECURE: "false"
+ # SHARELATEX_EMAIL_SMTP_USER:
+ # SHARELATEX_EMAIL_SMTP_PASS:
+ # SHARELATEX_EMAIL_SMTP_TLS_REJECT_UNAUTH: true
+ # SHARELATEX_EMAIL_SMTP_IGNORE_TLS: false
+ SHARELATEX_CUSTOM_EMAIL_FOOTER: "This system is run by ${MYDOMAIN} - please contact ${MYMAIL} if you experience any issues."
+
+ # make public links accessible w/o login (link sharing issue)
+ # https://github.com/overleaf/docker-image/issues/66
+ # https://github.com/overleaf/overleaf/issues/628
+ # https://github.com/overleaf/web/issues/367
+ # Fixed in 2.0.2 (Release date: 2019-11-26)
+ SHARELATEX_ALLOW_PUBLIC_ACCESS: "true"
+ SHARELATEX_ALLOW_ANONYMOUS_READ_AND_WRITE_SHARING: "true"
+
+ SHARELATEX_SECURE_COOKIE: "true"
+ SHARELATEX_BEHIND_PROXY: "true"
+
+ LDAP_SERVER: ldaps://LDAPSERVER:636
+ LDAP_BASE: ou=people,dc=DOMAIN,dc=TLD
+
+ ### There are to ways get users from the ldap server
+
+ ## NO LDAP BIND USER:
+ # Tries directly to bind with the login user (as uid)
+ # LDAP_BINDDN: uid=%u,ou=someunit,ou=people,dc=DOMAIN,dc=TLD
+
+ ## Or you can use ai global LDAP_BIND_USER
+ # LDAP_BIND_USER:
+ # LDAP_BIND_PW:
+
+ # Only allow users matching LDAP_USER_FILTER
+ LDAP_USER_FILTER: "(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)"
+
+ # If user is in ADMIN_GROUP on user creation (first login) isAdmin is set to true.
+ # Admin Users can invite external (non ldap) users. This feature makes only sense
+ # when ALLOW_EMAIL_LOGIN is set to 'true'. Additionally admins can send
+ # system wide messages.
+ LDAP_ADMIN_GROUP_FILTER: "(memberof=cn=ADMINGROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)"
+ ALLOW_EMAIL_LOGIN: "true"
+
+ # All users in the LDAP_CONTACT_FILTER are loaded from the ldap server into contacts.
+ LDAP_CONTACT_FILTER: "(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)"
+ LDAP_CONTACTS: "false"
+
+ # OAUTH2_CLIENT_ID: YOUR_OAUTH2_CLIENT_ID
+ # OAUTH2_CLIENT_SECRET: YOUR_OAUTH2_CLIENT_SECRET
+ # OAUTH2_SCOPE: YOUR_OAUTH2_SCOPE
+ # OAUTH2_AUTHORIZATION_URL: YOUR_OAUTH2_AUTHORIZATION_URL
+ # OAUTH2_TOKEN_URL: YOUR_OAUTH2_TOKEN_URL
+ # OAUTH2_PROFILE_URL: YOUR_OAUTH2_PROFILE_URL
+ # OAUTH2_USER_ATTR_EMAIL: email
+ # OAUTH2_USER_ATTR_UID: id
+ # OAUTH2_USER_ATTR_FIRSTNAME: name
+ # OAUTH2_USER_ATTR_LASTNAME:
+
+ # Same property, unfortunately with different names in
+ # different locations
+ SHARELATEX_REDIS_HOST: redis
+ REDIS_HOST: redis
+ REDIS_PORT: 6379
+
+ ENABLED_LINKED_FILE_TYPES: "url,project_file"
+
+ # Enables Thumbnail generation using ImageMagick
+ ENABLE_CONVERSIONS: "true"
+
+ mongo:
+ restart: always
+ image: mongo:4.4
+ container_name: mongo
+ expose:
+ - 27017
+ volumes:
+ - ${MYDATA}/mongo_data:/data/db
+ healthcheck:
+ test: echo 'db.stats().ok' | mongo localhost:27017/test --quiet
+ interval: 10s
+ timeout: 10s
+ retries: 5
+ command: "--replSet overleaf"
+
+ # See also: https://github.com/overleaf/overleaf/issues/1120
+ mongoinit:
+ image: mongo:4.4
+ # this container will exit after executing the command
+ restart: "no"
+ depends_on:
+ mongo:
+ condition: service_healthy
+ entrypoint:
+ [
+ "mongo",
+ "--host",
+ "mongo:27017",
+ "--eval",
+ 'rs.initiate({ _id: "overleaf", members: [ { _id: 0, host: "mongo:27017" } ] })',
+ ]
+
+ redis:
+ restart: always
+ image: redis:6.2
+ container_name: redis
+ expose:
+ - 6379
+ volumes:
+ - ${MYDATA}/redis_data:/data
+ healthcheck:
+ test: ["CMD", "redis-cli", "ping"]
+ interval: 10s
+ timeout: 5s
+ retries: 5
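Review bot: `SHARELATEX_SECURE_COOKIE: "true"` and `SHARELATEX_BEHIND_PROXY: "true"` are carried over from the proxied variants, yet this file publishes `- 80:80` directly with nothing terminating TLS in front of it, while `SHARELATEX_SITE_URL` still says `https://${MYDOMAIN}`. If the first flag sets the cookie's Secure attribute as its name suggests, a browser will not return that cookie over plain HTTP, so the "Development" case the README hunk of this commit describes is likely to fail at login; and if the second makes the app trust forwarded headers (inferred from the name, confirm), a client that reaches port 80 directly can supply those headers itself, which makes the external-gateway setup the only safe one. A comment above the two keys would state the constraint: `# Only valid with an external TLS-terminating gateway in front of port 80; for plain-HTTP development set both to "false" and use http:// in SHARELATEX_SITE_URL`. Separately, `- 80:80` should be written `- "80:80"` like the other quoted scalars in this file, so no YAML 1.1 parser reads a colon-separated number.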