mirror of
https://git.unistra.fr/aius/root/ldap-overleaf-sl.git
synced 2024-10-05 23:23:59 +02:00
Bump sharelatex to v4.1.1
- bump sharelatex - init mongodb replset - format docker-compose.yml
This commit is contained in:
yzx9
parent
c4775c7d7c
commit
a99e70f3c4
@ -1,142 +1,157 @@
|
|||||||
version: '2.2'
|
version: "2.2"
|
||||||
services:
|
services:
|
||||||
sharelatex:
|
sharelatex:
|
||||||
restart: always
|
restart: always
|
||||||
image: ldap-overleaf-sl
|
image: ldap-overleaf-sl
|
||||||
container_name: ldap-overleaf-sl
|
container_name: ldap-overleaf-sl
|
||||||
depends_on:
|
depends_on:
|
||||||
mongo:
|
mongo:
|
||||||
condition: service_healthy
|
condition: service_healthy
|
||||||
redis:
|
redis:
|
||||||
condition: service_healthy
|
condition: service_healthy
|
||||||
simple-certbot:
|
simple-certbot:
|
||||||
condition: service_started
|
condition: service_started
|
||||||
privileged: false
|
privileged: false
|
||||||
ports:
|
ports:
|
||||||
- 443:443
|
- 443:443
|
||||||
links:
|
links:
|
||||||
- mongo
|
- mongo
|
||||||
- redis
|
- redis
|
||||||
- simple-certbot
|
- simple-certbot
|
||||||
volumes:
|
volumes:
|
||||||
- ${MYDATA}/sharelatex:/var/lib/sharelatex
|
- ${MYDATA}/sharelatex:/var/lib/sharelatex
|
||||||
- ${MYDATA}/letsencrypt:/etc/letsencrypt
|
- ${MYDATA}/letsencrypt:/etc/letsencrypt
|
||||||
- ${MYDATA}/letsencrypt/live/${MYDOMAIN}/:/etc/letsencrypt/certs/domain
|
- ${MYDATA}/letsencrypt/live/${MYDOMAIN}/:/etc/letsencrypt/certs/domain
|
||||||
environment:
|
environment:
|
||||||
SHARELATEX_APP_NAME: Overleaf
|
SHARELATEX_APP_NAME: Overleaf
|
||||||
SHARELATEX_MONGO_URL: mongodb://mongo/sharelatex
|
SHARELATEX_MONGO_URL: mongodb://mongo/sharelatex
|
||||||
SHARELATEX_SITE_URL: https://${MYDOMAIN}
|
SHARELATEX_SITE_URL: https://${MYDOMAIN}
|
||||||
SHARELATEX_NAV_TITLE: Overleaf - run by ${MYDOMAIN}
|
SHARELATEX_NAV_TITLE: Overleaf - run by ${MYDOMAIN}
|
||||||
#SHARELATEX_HEADER_IMAGE_URL: https://${MYDOMAIN}/logo.svg
|
#SHARELATEX_HEADER_IMAGE_URL: https://${MYDOMAIN}/logo.svg
|
||||||
SHARELATEX_ADMIN_EMAIL: ${MYMAIL}
|
SHARELATEX_ADMIN_EMAIL: ${MYMAIL}
|
||||||
SHARELATEX_LEFT_FOOTER: '[{"text": "Powered by <a href=\"https://www.sharelatex.com\">ShareLaTeX</a> 2016"} ]'
|
SHARELATEX_LEFT_FOOTER: '[{"text": "Powered by <a href=\"https://www.sharelatex.com\">ShareLaTeX</a> 2016"} ]'
|
||||||
SHARELATEX_RIGHT_FOOTER: '[{"text": "LDAP Overleaf (beta)"} ]'
|
SHARELATEX_RIGHT_FOOTER: '[{"text": "LDAP Overleaf (beta)"} ]'
|
||||||
SHARELATEX_EMAIL_FROM_ADDRESS: "noreply@${MYDOMAIN}"
|
SHARELATEX_EMAIL_FROM_ADDRESS: "noreply@${MYDOMAIN}"
|
||||||
# SHARELATEX_EMAIL_AWS_SES_ACCESS_KEY_ID:
|
# SHARELATEX_EMAIL_AWS_SES_ACCESS_KEY_ID:
|
||||||
# SHARELATEX_EMAIL_AWS_SES_SECRET_KEY:
|
# SHARELATEX_EMAIL_AWS_SES_SECRET_KEY:
|
||||||
SHARELATEX_EMAIL_SMTP_HOST: smtp.${MYDOMAIN}
|
SHARELATEX_EMAIL_SMTP_HOST: smtp.${MYDOMAIN}
|
||||||
SHARELATEX_EMAIL_SMTP_PORT: 587
|
SHARELATEX_EMAIL_SMTP_PORT: 587
|
||||||
SHARELATEX_EMAIL_SMTP_SECURE: 'false'
|
SHARELATEX_EMAIL_SMTP_SECURE: "false"
|
||||||
# SHARELATEX_EMAIL_SMTP_USER:
|
# SHARELATEX_EMAIL_SMTP_USER:
|
||||||
# SHARELATEX_EMAIL_SMTP_PASS:
|
# SHARELATEX_EMAIL_SMTP_PASS:
|
||||||
# SHARELATEX_EMAIL_SMTP_TLS_REJECT_UNAUTH: true
|
# SHARELATEX_EMAIL_SMTP_TLS_REJECT_UNAUTH: true
|
||||||
# SHARELATEX_EMAIL_SMTP_IGNORE_TLS: false
|
# SHARELATEX_EMAIL_SMTP_IGNORE_TLS: false
|
||||||
SHARELATEX_CUSTOM_EMAIL_FOOTER: "This system is run by ${MYDOMAIN} - please contact ${MYMAIL} if you experience any issues."
|
SHARELATEX_CUSTOM_EMAIL_FOOTER: "This system is run by ${MYDOMAIN} - please contact ${MYMAIL} if you experience any issues."
|
||||||
|
|
||||||
# make public links accessible w/o login (link sharing issue)
|
# make public links accessible w/o login (link sharing issue)
|
||||||
# https://github.com/overleaf/docker-image/issues/66
|
# https://github.com/overleaf/docker-image/issues/66
|
||||||
# https://github.com/overleaf/overleaf/issues/628
|
# https://github.com/overleaf/overleaf/issues/628
|
||||||
# https://github.com/overleaf/web/issues/367
|
# https://github.com/overleaf/web/issues/367
|
||||||
# Fixed in 2.0.2 (Release date: 2019-11-26)
|
# Fixed in 2.0.2 (Release date: 2019-11-26)
|
||||||
SHARELATEX_ALLOW_PUBLIC_ACCESS: 'true'
|
SHARELATEX_ALLOW_PUBLIC_ACCESS: "true"
|
||||||
SHARELATEX_ALLOW_ANONYMOUS_READ_AND_WRITE_SHARING: 'true'
|
SHARELATEX_ALLOW_ANONYMOUS_READ_AND_WRITE_SHARING: "true"
|
||||||
|
|
||||||
SHARELATEX_SECURE_COOKIE: 'true'
|
SHARELATEX_SECURE_COOKIE: "true"
|
||||||
SHARELATEX_BEHIND_PROXY: 'true'
|
SHARELATEX_BEHIND_PROXY: "true"
|
||||||
|
|
||||||
LDAP_SERVER: ldaps://LDAPSERVER:636
|
|
||||||
LDAP_BASE: ou=people,dc=DOMAIN,dc=TLD
|
|
||||||
|
|
||||||
### There are to ways get users from the ldap server
|
LDAP_SERVER: ldaps://LDAPSERVER:636
|
||||||
|
LDAP_BASE: ou=people,dc=DOMAIN,dc=TLD
|
||||||
|
|
||||||
## NO LDAP BIND USER:
|
### There are to ways get users from the ldap server
|
||||||
# Tries directly to bind with the login user (as uid)
|
|
||||||
# LDAP_BINDDN: uid=%u,ou=someunit,ou=people,dc=DOMAIN,dc=TLD
|
|
||||||
|
|
||||||
## Or you can use ai global LDAP_BIND_USER
|
## NO LDAP BIND USER:
|
||||||
# LDAP_BIND_USER:
|
# Tries directly to bind with the login user (as uid)
|
||||||
# LDAP_BIND_PW:
|
# LDAP_BINDDN: uid=%u,ou=someunit,ou=people,dc=DOMAIN,dc=TLD
|
||||||
|
|
||||||
# Only allow users matching LDAP_USER_FILTER
|
|
||||||
LDAP_USER_FILTER: '(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)'
|
|
||||||
|
|
||||||
# If user is in ADMIN_GROUP on user creation (first login) isAdmin is set to true.
|
## Or you can use ai global LDAP_BIND_USER
|
||||||
# Admin Users can invite external (non ldap) users. This feature makes only sense
|
# LDAP_BIND_USER:
|
||||||
# when ALLOW_EMAIL_LOGIN is set to 'true'. Additionally admins can send
|
# LDAP_BIND_PW:
|
||||||
# system wide messages.
|
|
||||||
LDAP_ADMIN_GROUP_FILTER: '(memberof=cn=ADMINGROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)'
|
|
||||||
ALLOW_EMAIL_LOGIN: 'true'
|
|
||||||
|
|
||||||
# All users in the LDAP_CONTACT_FILTER are loaded from the ldap server into contacts.
|
# Only allow users matching LDAP_USER_FILTER
|
||||||
LDAP_CONTACT_FILTER: '(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)'
|
LDAP_USER_FILTER: "(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)"
|
||||||
LDAP_CONTACTS: 'false'
|
|
||||||
|
|
||||||
# Same property, unfortunately with different names in
|
# If user is in ADMIN_GROUP on user creation (first login) isAdmin is set to true.
|
||||||
# different locations
|
# Admin Users can invite external (non ldap) users. This feature makes only sense
|
||||||
SHARELATEX_REDIS_HOST: redis
|
# when ALLOW_EMAIL_LOGIN is set to 'true'. Additionally admins can send
|
||||||
REDIS_HOST: redis
|
# system wide messages.
|
||||||
REDIS_PORT: 6379
|
LDAP_ADMIN_GROUP_FILTER: "(memberof=cn=ADMINGROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)"
|
||||||
|
ALLOW_EMAIL_LOGIN: "true"
|
||||||
|
|
||||||
ENABLED_LINKED_FILE_TYPES: 'url,project_file'
|
# All users in the LDAP_CONTACT_FILTER are loaded from the ldap server into contacts.
|
||||||
|
LDAP_CONTACT_FILTER: "(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)"
|
||||||
|
LDAP_CONTACTS: "false"
|
||||||
|
|
||||||
# Enables Thumbnail generation using ImageMagick
|
# Same property, unfortunately with different names in
|
||||||
ENABLE_CONVERSIONS: 'true'
|
# different locations
|
||||||
|
SHARELATEX_REDIS_HOST: redis
|
||||||
|
REDIS_HOST: redis
|
||||||
|
REDIS_PORT: 6379
|
||||||
|
|
||||||
mongo:
|
ENABLED_LINKED_FILE_TYPES: "url,project_file"
|
||||||
restart: always
|
|
||||||
image: mongo:4.4
|
|
||||||
container_name: mongo
|
|
||||||
expose:
|
|
||||||
- 27017
|
|
||||||
volumes:
|
|
||||||
- ${MYDATA}/mongo_data:/data/db
|
|
||||||
healthcheck:
|
|
||||||
test: echo 'db.stats().ok' | mongo localhost:27017/test --quiet
|
|
||||||
interval: 10s
|
|
||||||
timeout: 10s
|
|
||||||
retries: 5
|
|
||||||
|
|
||||||
redis:
|
# Enables Thumbnail generation using ImageMagick
|
||||||
restart: always
|
ENABLE_CONVERSIONS: "true"
|
||||||
image: redis:6.2
|
|
||||||
container_name: redis
|
|
||||||
expose:
|
|
||||||
- 6379
|
|
||||||
volumes:
|
|
||||||
- ${MYDATA}/redis_data:/data
|
|
||||||
healthcheck:
|
|
||||||
test: ["CMD", "redis-cli", "ping"]
|
|
||||||
interval: 10s
|
|
||||||
timeout: 5s
|
|
||||||
retries: 5
|
|
||||||
|
|
||||||
|
mongo:
|
||||||
|
restart: always
|
||||||
|
image: mongo:4.4
|
||||||
|
container_name: mongo
|
||||||
|
expose:
|
||||||
|
- 27017
|
||||||
|
volumes:
|
||||||
|
- ${MYDATA}/mongo_data:/data/db
|
||||||
|
healthcheck:
|
||||||
|
test: echo 'db.stats().ok' | mongo localhost:27017/test --quiet
|
||||||
|
interval: 10s
|
||||||
|
timeout: 10s
|
||||||
|
retries: 5
|
||||||
|
command: "--replSet overleaf"
|
||||||
|
|
||||||
simple-certbot:
|
# See also: https://github.com/overleaf/overleaf/issues/1120
|
||||||
restart: always
|
mongoinit:
|
||||||
image: certbot/certbot
|
image: mongo:4.4
|
||||||
container_name: simple-certbot
|
# this container will exit after executing the command
|
||||||
ports:
|
restart: "no"
|
||||||
- 80:80
|
depends_on:
|
||||||
volumes:
|
mongo:
|
||||||
- ${MYDATA}/letsencrypt:/etc/letsencrypt
|
condition: service_healthy
|
||||||
# a bit hacky but this docker image uses very little disk-space
|
entrypoint:
|
||||||
# best practices for ssl and nginx are set in the ldap-overleaf-sl Dockerfile
|
[
|
||||||
entrypoint:
|
"mongo",
|
||||||
- "/bin/sh"
|
"--host",
|
||||||
- -c
|
"mongo:27017",
|
||||||
- |
|
"--eval",
|
||||||
trap exit TERM;\
|
'rs.initiate({ _id: "overleaf", members: [ { _id: 0, host: "mongo:27017" } ] })',
|
||||||
certbot certonly --standalone -d ${MYDOMAIN} --agree-tos -m ${MYMAIL} -n ; \
|
]
|
||||||
while :; do certbot renew; sleep 240h & wait $${!}; done;
|
|
||||||
|
|
||||||
|
redis:
|
||||||
|
restart: always
|
||||||
|
image: redis:6.2
|
||||||
|
container_name: redis
|
||||||
|
expose:
|
||||||
|
- 6379
|
||||||
|
volumes:
|
||||||
|
- ${MYDATA}/redis_data:/data
|
||||||
|
healthcheck:
|
||||||
|
test: ["CMD", "redis-cli", "ping"]
|
||||||
|
interval: 10s
|
||||||
|
timeout: 5s
|
||||||
|
retries: 5
|
||||||
|
|
||||||
|
simple-certbot:
|
||||||
|
restart: always
|
||||||
|
image: certbot/certbot
|
||||||
|
container_name: simple-certbot
|
||||||
|
ports:
|
||||||
|
- 80:80
|
||||||
|
volumes:
|
||||||
|
- ${MYDATA}/letsencrypt:/etc/letsencrypt
|
||||||
|
# a bit hacky but this docker image uses very little disk-space
|
||||||
|
# best practices for ssl and nginx are set in the ldap-overleaf-sl Dockerfile
|
||||||
|
entrypoint:
|
||||||
|
- "/bin/sh"
|
||||||
|
- -c
|
||||||
|
- |
|
||||||
|
trap exit TERM;\
|
||||||
|
certbot certonly --standalone -d ${MYDOMAIN} --agree-tos -m ${MYMAIL} -n ; \
|
||||||
|
while :; do certbot renew; sleep 240h & wait $${!}; done;
|
||||||
|
|||||||
@ -1,226 +1,243 @@
|
|||||||
version: '2.2'
|
version: "2.2"
|
||||||
services:
|
services:
|
||||||
traefik:
|
traefik:
|
||||||
image: traefik:latest
|
image: traefik:latest
|
||||||
container_name: traefik
|
container_name: traefik
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
security_opt:
|
security_opt:
|
||||||
- no-new-privileges:true
|
- no-new-privileges:true
|
||||||
networks:
|
networks:
|
||||||
- web
|
- web
|
||||||
ports:
|
ports:
|
||||||
- 80:80
|
- 80:80
|
||||||
- 443:443
|
- 443:443
|
||||||
- 8443:8443
|
- 8443:8443
|
||||||
# - 8080:8080
|
# - 8080:8080
|
||||||
# - 27017:27017
|
# - 27017:27017
|
||||||
volumes:
|
volumes:
|
||||||
- ${MYDATA}/letsencrypt:/letsencrypt
|
- ${MYDATA}/letsencrypt:/letsencrypt
|
||||||
- /etc/localtime:/etc/localtime:ro
|
- /etc/localtime:/etc/localtime:ro
|
||||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||||
- ./traefik/dynamic_conf.yml:/dynamic_conf.yml
|
- ./traefik/dynamic_conf.yml:/dynamic_conf.yml
|
||||||
- ./traefik/users.htpasswd:/users.htpasswd
|
- ./traefik/users.htpasswd:/users.htpasswd
|
||||||
|
|
||||||
command:
|
command:
|
||||||
- "--api=true"
|
- "--api=true"
|
||||||
- "--api.dashboard=true"
|
- "--api.dashboard=true"
|
||||||
#- "--api.insecure=true" # provides the dashboard on http://IPADRESS:8080
|
#- "--api.insecure=true" # provides the dashboard on http://IPADRESS:8080
|
||||||
- "--providers.docker=true"
|
- "--providers.docker=true"
|
||||||
- "--ping"
|
- "--ping"
|
||||||
- "--providers.docker.network=web"
|
- "--providers.docker.network=web"
|
||||||
- "--providers.docker.exposedbydefault=false"
|
- "--providers.docker.exposedbydefault=false"
|
||||||
- "--providers.file.filename=/dynamic_conf.yml"
|
- "--providers.file.filename=/dynamic_conf.yml"
|
||||||
- "--entrypoints.web.address=:80"
|
- "--entrypoints.web.address=:80"
|
||||||
- "--entrypoints.web-secure.address=:443"
|
- "--entrypoints.web-secure.address=:443"
|
||||||
- "--entrypoints.web-admin.address=:8443"
|
- "--entrypoints.web-admin.address=:8443"
|
||||||
- "--certificatesresolvers.myhttpchallenge.acme.httpchallenge=true"
|
- "--certificatesresolvers.myhttpchallenge.acme.httpchallenge=true"
|
||||||
- "--certificatesresolvers.myhttpchallenge.acme.httpchallenge.entrypoint=web"
|
- "--certificatesresolvers.myhttpchallenge.acme.httpchallenge.entrypoint=web"
|
||||||
- "--certificatesresolvers.myhttpchallenge.acme.email=${MYMAIL}"
|
- "--certificatesresolvers.myhttpchallenge.acme.email=${MYMAIL}"
|
||||||
- "--certificatesresolvers.myhttpchallenge.acme.storage=/letsencrypt/acme.json"
|
- "--certificatesresolvers.myhttpchallenge.acme.storage=/letsencrypt/acme.json"
|
||||||
- "--entrypoints.mongo.address=:27017"
|
- "--entrypoints.mongo.address=:27017"
|
||||||
#- --certificatesresolvers.myhttpchallenge.acme.caserver=https://acme-v02.api.letsencrypt.org/directory
|
#- --certificatesresolvers.myhttpchallenge.acme.caserver=https://acme-v02.api.letsencrypt.org/directory
|
||||||
labels:
|
labels:
|
||||||
- "traefik.enable=true"
|
- "traefik.enable=true"
|
||||||
# To Fix enable dashboard on port 8443
|
# To Fix enable dashboard on port 8443
|
||||||
- "traefik.http.routers.dashboard.entrypoints=web-admin"
|
- "traefik.http.routers.dashboard.entrypoints=web-admin"
|
||||||
- "traefik.http.routers.dashboard.rule=Host(`${MYDOMAIN}`)"
|
- "traefik.http.routers.dashboard.rule=Host(`${MYDOMAIN}`)"
|
||||||
# - "traefik.http.routers.dashboard.rule=Host(`traefik.${MYDOMAIN}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
|
# - "traefik.http.routers.dashboard.rule=Host(`traefik.${MYDOMAIN}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
|
||||||
- "traefik.http.routers.dashboard.tls=true"
|
- "traefik.http.routers.dashboard.tls=true"
|
||||||
- "traefik.http.routers.dashboard.middlewares=auth"
|
- "traefik.http.routers.dashboard.middlewares=auth"
|
||||||
- "traefik.http.middlewares.auth.basicauth.usersfile=/users.htpasswd"
|
- "traefik.http.middlewares.auth.basicauth.usersfile=/users.htpasswd"
|
||||||
- "traefik.http.routers.dashboard.service=api@internal"
|
- "traefik.http.routers.dashboard.service=api@internal"
|
||||||
- "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
|
- "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
|
||||||
- "traefik.http.routers.proxy-https.entrypoints=web-secure"
|
- "traefik.http.routers.proxy-https.entrypoints=web-secure"
|
||||||
- "traefik.http.routers.proxy-https.rule=Host(`${MYDOMAIN}`)"
|
- "traefik.http.routers.proxy-https.rule=Host(`${MYDOMAIN}`)"
|
||||||
|
|
||||||
logging:
|
logging:
|
||||||
driver: "json-file"
|
driver: "json-file"
|
||||||
options:
|
options:
|
||||||
max-size: "10m"
|
max-size: "10m"
|
||||||
max-file: "1"
|
max-file: "1"
|
||||||
|
|
||||||
sharelatex:
|
sharelatex:
|
||||||
restart: always
|
restart: always
|
||||||
image: ldap-overleaf-sl:latest
|
image: ldap-overleaf-sl:latest
|
||||||
depends_on:
|
depends_on:
|
||||||
mongo:
|
mongo:
|
||||||
condition: service_healthy
|
condition: service_healthy
|
||||||
redis:
|
redis:
|
||||||
condition: service_healthy
|
condition: service_healthy
|
||||||
traefik:
|
traefik:
|
||||||
condition: service_started
|
condition: service_started
|
||||||
#simple-certbot:
|
#simple-certbot:
|
||||||
# condition: service_started
|
# condition: service_started
|
||||||
privileged: false
|
privileged: false
|
||||||
networks:
|
networks:
|
||||||
- web
|
- web
|
||||||
expose:
|
expose:
|
||||||
- 80
|
- 80
|
||||||
- 443
|
- 443
|
||||||
links:
|
links:
|
||||||
- mongo
|
- mongo
|
||||||
- redis
|
- redis
|
||||||
volumes:
|
volumes:
|
||||||
- ${MYDATA}/sharelatex:/var/lib/sharelatex
|
- ${MYDATA}/sharelatex:/var/lib/sharelatex
|
||||||
- ${MYDATA}/letsencrypt:/etc/letsencrypt:ro
|
- ${MYDATA}/letsencrypt:/etc/letsencrypt:ro
|
||||||
# - ${MYDATA}/letsencrypt/live/${MYDOMAIN}/:/etc/letsencrypt/certs/domain
|
# - ${MYDATA}/letsencrypt/live/${MYDOMAIN}/:/etc/letsencrypt/certs/domain
|
||||||
labels:
|
labels:
|
||||||
- "traefik.enable=true"
|
- "traefik.enable=true"
|
||||||
# global redirect to https
|
# global redirect to https
|
||||||
- "traefik.http.routers.http-catchall.rule=hostregexp(`${MYDOMAIN}`)"
|
- "traefik.http.routers.http-catchall.rule=hostregexp(`${MYDOMAIN}`)"
|
||||||
- "traefik.http.routers.http-catchall.entrypoints=web"
|
- "traefik.http.routers.http-catchall.entrypoints=web"
|
||||||
- "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
|
- "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
|
||||||
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
|
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
|
||||||
# handle https traffic
|
# handle https traffic
|
||||||
- "traefik.http.routers.sharel-secured.rule=Host(`${MYDOMAIN}`)"
|
- "traefik.http.routers.sharel-secured.rule=Host(`${MYDOMAIN}`)"
|
||||||
- "traefik.http.routers.sharel-secured.tls=true"
|
- "traefik.http.routers.sharel-secured.tls=true"
|
||||||
- "traefik.http.routers.sharel-secured.tls.certresolver=myhttpchallenge"
|
- "traefik.http.routers.sharel-secured.tls.certresolver=myhttpchallenge"
|
||||||
- "traefik.http.routers.sharel-secured.entrypoints=web-secure"
|
- "traefik.http.routers.sharel-secured.entrypoints=web-secure"
|
||||||
- "traefik.http.middlewares.sharel-secured.forwardauth.trustForwardHeader=true"
|
- "traefik.http.middlewares.sharel-secured.forwardauth.trustForwardHeader=true"
|
||||||
# Docker loadbalance
|
# Docker loadbalance
|
||||||
- "traefik.http.services.sharel.loadbalancer.server.port=80"
|
- "traefik.http.services.sharel.loadbalancer.server.port=80"
|
||||||
- "traefik.http.services.sharel.loadbalancer.server.scheme=http"
|
- "traefik.http.services.sharel.loadbalancer.server.scheme=http"
|
||||||
- "traefik.http.services.sharel.loadbalancer.sticky.cookie=true"
|
- "traefik.http.services.sharel.loadbalancer.sticky.cookie=true"
|
||||||
- "traefik.http.services.sharel.loadbalancer.sticky.cookie.name=io"
|
- "traefik.http.services.sharel.loadbalancer.sticky.cookie.name=io"
|
||||||
- "traefik.http.services.sharel.loadbalancer.sticky.cookie.httponly=true"
|
- "traefik.http.services.sharel.loadbalancer.sticky.cookie.httponly=true"
|
||||||
- "traefik.http.services.sharel.loadbalancer.sticky.cookie.secure=true"
|
- "traefik.http.services.sharel.loadbalancer.sticky.cookie.secure=true"
|
||||||
- "traefik.http.services.sharel.loadbalancer.sticky.cookie.samesite=io"
|
- "traefik.http.services.sharel.loadbalancer.sticky.cookie.samesite=io"
|
||||||
|
|
||||||
environment:
|
environment:
|
||||||
SHARELATEX_APP_NAME: Overleaf
|
SHARELATEX_APP_NAME: Overleaf
|
||||||
SHARELATEX_MONGO_URL: mongodb://mongo/sharelatex
|
SHARELATEX_MONGO_URL: mongodb://mongo/sharelatex
|
||||||
SHARELATEX_SITE_URL: https://${MYDOMAIN}
|
SHARELATEX_SITE_URL: https://${MYDOMAIN}
|
||||||
SHARELATEX_NAV_TITLE: Overleaf - run by ${MYDOMAIN}
|
SHARELATEX_NAV_TITLE: Overleaf - run by ${MYDOMAIN}
|
||||||
#SHARELATEX_HEADER_IMAGE_URL: https://${MYDOMAIN}/logo.svg
|
#SHARELATEX_HEADER_IMAGE_URL: https://${MYDOMAIN}/logo.svg
|
||||||
SHARELATEX_ADMIN_EMAIL: ${MYMAIL}
|
SHARELATEX_ADMIN_EMAIL: ${MYMAIL}
|
||||||
SHARELATEX_LEFT_FOOTER: '[{"text": "Powered by <a href=\"https://www.sharelatex.com\">ShareLaTeX</a> 2016"} ]'
|
SHARELATEX_LEFT_FOOTER: '[{"text": "Powered by <a href=\"https://www.sharelatex.com\">ShareLaTeX</a> 2016"} ]'
|
||||||
SHARELATEX_RIGHT_FOOTER: '[{"text": "LDAP Overleaf (beta)"} ]'
|
SHARELATEX_RIGHT_FOOTER: '[{"text": "LDAP Overleaf (beta)"} ]'
|
||||||
SHARELATEX_EMAIL_FROM_ADDRESS: "noreply@${MYDOMAIN}"
|
SHARELATEX_EMAIL_FROM_ADDRESS: "noreply@${MYDOMAIN}"
|
||||||
SHARELATEX_EMAIL_SMTP_HOST: smtp.${MYDOMAIN}
|
SHARELATEX_EMAIL_SMTP_HOST: smtp.${MYDOMAIN}
|
||||||
SHARELATEX_EMAIL_SMTP_PORT: 587
|
SHARELATEX_EMAIL_SMTP_PORT: 587
|
||||||
SHARELATEX_EMAIL_SMTP_SECURE: 'false'
|
SHARELATEX_EMAIL_SMTP_SECURE: "false"
|
||||||
# SHARELATEX_EMAIL_SMTP_USER:
|
# SHARELATEX_EMAIL_SMTP_USER:
|
||||||
# SHARELATEX_EMAIL_SMTP_PASS:
|
# SHARELATEX_EMAIL_SMTP_PASS:
|
||||||
# SHARELATEX_EMAIL_SMTP_TLS_REJECT_UNAUTH: true
|
# SHARELATEX_EMAIL_SMTP_TLS_REJECT_UNAUTH: true
|
||||||
# SHARELATEX_EMAIL_SMTP_IGNORE_TLS: false
|
# SHARELATEX_EMAIL_SMTP_IGNORE_TLS: false
|
||||||
SHARELATEX_CUSTOM_EMAIL_FOOTER: "This system is run by ${MYDOMAIN} - please contact ${MYMAIL} if you experience any issues."
|
SHARELATEX_CUSTOM_EMAIL_FOOTER: "This system is run by ${MYDOMAIN} - please contact ${MYMAIL} if you experience any issues."
|
||||||
|
|
||||||
# make public links accessible w/o login (link sharing issue)
|
# make public links accessible w/o login (link sharing issue)
|
||||||
# https://github.com/overleaf/docker-image/issues/66
|
# https://github.com/overleaf/docker-image/issues/66
|
||||||
# https://github.com/overleaf/overleaf/issues/628
|
# https://github.com/overleaf/overleaf/issues/628
|
||||||
# https://github.com/overleaf/web/issues/367
|
# https://github.com/overleaf/web/issues/367
|
||||||
# Fixed in 2.0.2 (Release date: 2019-11-26)
|
# Fixed in 2.0.2 (Release date: 2019-11-26)
|
||||||
SHARELATEX_ALLOW_PUBLIC_ACCESS: 'true'
|
SHARELATEX_ALLOW_PUBLIC_ACCESS: "true"
|
||||||
SHARELATEX_ALLOW_ANONYMOUS_READ_AND_WRITE_SHARING: 'true'
|
SHARELATEX_ALLOW_ANONYMOUS_READ_AND_WRITE_SHARING: "true"
|
||||||
|
|
||||||
SHARELATEX_SECURE_COOKIE: 'true'
|
SHARELATEX_SECURE_COOKIE: "true"
|
||||||
SHARELATEX_BEHIND_PROXY: 'true'
|
SHARELATEX_BEHIND_PROXY: "true"
|
||||||
|
|
||||||
LDAP_SERVER: ldaps://LDAPSERVER:636
|
|
||||||
LDAP_BASE: ou=people,dc=DOMAIN,dc=TLD
|
|
||||||
|
|
||||||
### There are to ways get users from the ldap server
|
LDAP_SERVER: ldaps://LDAPSERVER:636
|
||||||
|
LDAP_BASE: ou=people,dc=DOMAIN,dc=TLD
|
||||||
|
|
||||||
## NO LDAP BIND USER:
|
### There are to ways get users from the ldap server
|
||||||
# Tries to bind with login-user (as uid) to LDAP_BINDDN
|
|
||||||
# LDAP_BINDDN: uid=%u,ou=someunit,ou=people,dc=DOMAIN,dc=TLD
|
|
||||||
|
|
||||||
## Using a LDAP_BIND_USER/PW
|
## NO LDAP BIND USER:
|
||||||
# LDAP_BIND_USER:
|
# Tries to bind with login-user (as uid) to LDAP_BINDDN
|
||||||
# LDAP_BIND_PW:
|
# LDAP_BINDDN: uid=%u,ou=someunit,ou=people,dc=DOMAIN,dc=TLD
|
||||||
|
|
||||||
# Only allow users matching LDAP_USER_FILTER
|
|
||||||
LDAP_USER_FILTER: '(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)'
|
|
||||||
|
|
||||||
# If user is in ADMIN_GROUP on user creation (first login) isAdmin is set to true.
|
## Using a LDAP_BIND_USER/PW
|
||||||
# Admin Users can invite external (non ldap) users. This feature makes only sense
|
# LDAP_BIND_USER:
|
||||||
# when ALLOW_EMAIL_LOGIN is set to 'true'. Additionally admins can send
|
# LDAP_BIND_PW:
|
||||||
# system wide messages.
|
|
||||||
LDAP_ADMIN_GROUP_FILTER: '(memberof=cn=ADMINGROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)'
|
|
||||||
ALLOW_EMAIL_LOGIN: 'true'
|
|
||||||
|
|
||||||
# All users in the LDAP_CONTACT_FILTER are loaded from the ldap server into contacts.
|
# Only allow users matching LDAP_USER_FILTER
|
||||||
LDAP_CONTACT_FILTER: '(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)'
|
LDAP_USER_FILTER: "(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)"
|
||||||
LDAP_CONTACTS: 'false'
|
|
||||||
|
|
||||||
# Same property, unfortunately with different names in
|
# If user is in ADMIN_GROUP on user creation (first login) isAdmin is set to true.
|
||||||
# different locations
|
# Admin Users can invite external (non ldap) users. This feature makes only sense
|
||||||
SHARELATEX_REDIS_HOST: redis
|
# when ALLOW_EMAIL_LOGIN is set to 'true'. Additionally admins can send
|
||||||
REDIS_HOST: redis
|
# system wide messages.
|
||||||
REDIS_PORT: 6379
|
LDAP_ADMIN_GROUP_FILTER: "(memberof=cn=ADMINGROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)"
|
||||||
|
ALLOW_EMAIL_LOGIN: "true"
|
||||||
|
|
||||||
ENABLED_LINKED_FILE_TYPES: 'url,project_file'
|
# All users in the LDAP_CONTACT_FILTER are loaded from the ldap server into contacts.
|
||||||
|
LDAP_CONTACT_FILTER: "(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)"
|
||||||
|
LDAP_CONTACTS: "false"
|
||||||
|
|
||||||
# Enables Thumbnail generation using ImageMagick
|
# Same property, unfortunately with different names in
|
||||||
ENABLE_CONVERSIONS: 'true'
|
# different locations
|
||||||
|
SHARELATEX_REDIS_HOST: redis
|
||||||
|
REDIS_HOST: redis
|
||||||
|
REDIS_PORT: 6379
|
||||||
|
|
||||||
mongo:
|
ENABLED_LINKED_FILE_TYPES: "url,project_file"
|
||||||
restart: always
|
|
||||||
image: mongo
|
|
||||||
container_name: mongo
|
|
||||||
expose:
|
|
||||||
- 27017
|
|
||||||
volumes:
|
|
||||||
- ${MYDATA}/mongo_data:/data/db
|
|
||||||
healthcheck:
|
|
||||||
test: echo 'db.stats().ok' | mongo localhost:27017/test --quiet
|
|
||||||
interval: 10s
|
|
||||||
timeout: 10s
|
|
||||||
retries: 5
|
|
||||||
labels:
|
|
||||||
- "traefik.enable=true"
|
|
||||||
- "traefik.tcp.routers.mongodb.rule=HostSNI(`*`)"
|
|
||||||
- "traefik.tcp.services.mongodb.loadbalancer.server.port=27017"
|
|
||||||
- "traefik.tcp.routers.mongodb.tls=true"
|
|
||||||
- "traefik.tcp.routers.mongodb.entrypoints=mongo"
|
|
||||||
networks:
|
|
||||||
- web
|
|
||||||
|
|
||||||
redis:
|
# Enables Thumbnail generation using ImageMagick
|
||||||
restart: always
|
ENABLE_CONVERSIONS: "true"
|
||||||
image: redis:5.0.0
|
|
||||||
container_name: redis
|
mongo:
|
||||||
# modify to get rid of the redis issue #35 and #19 with a better solution
|
restart: always
|
||||||
# WARNING: /proc/sys/net/core/somaxconn is set to the lower value of 128.
|
image: mongo
|
||||||
# for vm overcommit: enable first on host system
|
container_name: mongo
|
||||||
# sysctl vm.overcommit_memory=1 (and add it to rc.local)
|
expose:
|
||||||
# then you do not need it in the redis container
|
- 27017
|
||||||
sysctls:
|
volumes:
|
||||||
- net.core.somaxconn=65535
|
- ${MYDATA}/mongo_data:/data/db
|
||||||
# - vm.overcommit_memory=1
|
healthcheck:
|
||||||
expose:
|
test: echo 'db.stats().ok' | mongo localhost:27017/test --quiet
|
||||||
- 6379
|
interval: 10s
|
||||||
volumes:
|
timeout: 10s
|
||||||
- ${MYDATA}/redis_data:/data
|
retries: 5
|
||||||
healthcheck:
|
labels:
|
||||||
test: ["CMD", "redis-cli", "ping"]
|
- "traefik.enable=true"
|
||||||
interval: 10s
|
- "traefik.tcp.routers.mongodb.rule=HostSNI(`*`)"
|
||||||
timeout: 5s
|
- "traefik.tcp.services.mongodb.loadbalancer.server.port=27017"
|
||||||
retries: 5
|
- "traefik.tcp.routers.mongodb.tls=true"
|
||||||
networks:
|
- "traefik.tcp.routers.mongodb.entrypoints=mongo"
|
||||||
- web
|
networks:
|
||||||
|
- web
|
||||||
|
command: "--replSet overleaf"
|
||||||
|
|
||||||
|
# See also: https://github.com/overleaf/overleaf/issues/1120
|
||||||
|
mongoinit:
|
||||||
|
image: mongo:4.4
|
||||||
|
# this container will exit after executing the command
|
||||||
|
restart: "no"
|
||||||
|
depends_on:
|
||||||
|
mongo:
|
||||||
|
condition: service_healthy
|
||||||
|
entrypoint:
|
||||||
|
[
|
||||||
|
"mongo",
|
||||||
|
"--host",
|
||||||
|
"mongo:27017",
|
||||||
|
"--eval",
|
||||||
|
'rs.initiate({ _id: "overleaf", members: [ { _id: 0, host: "mongo:27017" } ] })',
|
||||||
|
]
|
||||||
|
|
||||||
|
redis:
|
||||||
|
restart: always
|
||||||
|
image: redis:5.0.0
|
||||||
|
container_name: redis
|
||||||
|
# modify to get rid of the redis issue #35 and #19 with a better solution
|
||||||
|
# WARNING: /proc/sys/net/core/somaxconn is set to the lower value of 128.
|
||||||
|
# for vm overcommit: enable first on host system
|
||||||
|
# sysctl vm.overcommit_memory=1 (and add it to rc.local)
|
||||||
|
# then you do not need it in the redis container
|
||||||
|
sysctls:
|
||||||
|
- net.core.somaxconn=65535
|
||||||
|
# - vm.overcommit_memory=1
|
||||||
|
expose:
|
||||||
|
- 6379
|
||||||
|
volumes:
|
||||||
|
- ${MYDATA}/redis_data:/data
|
||||||
|
healthcheck:
|
||||||
|
test: ["CMD", "redis-cli", "ping"]
|
||||||
|
interval: 10s
|
||||||
|
timeout: 5s
|
||||||
|
retries: 5
|
||||||
|
networks:
|
||||||
|
- web
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
web:
|
web:
|
||||||
external: true
|
external: true
|
||||||
|
|
||||||
|
|||||||
@ -1,4 +1,4 @@
|
|||||||
FROM sharelatex/sharelatex:4.0.5
|
FROM sharelatex/sharelatex:4.1.1
|
||||||
# FROM sharelatex/sharelatex:latest
|
# FROM sharelatex/sharelatex:latest
|
||||||
# latest might not be tested
|
# latest might not be tested
|
||||||
# e.g. the AuthenticationManager.js script had to be adapted after versions 2.3.1
|
# e.g. the AuthenticationManager.js script had to be adapted after versions 2.3.1
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user