Merge pull request #36 from veryCrunchy/nginx

feat: simplify deployment with nginx

.env

@@ -0,0 +1 @@
+huly.conf

.gitignore

@@ -1,5 +1,6 @@
 letsencrypt/
-nginx/docker-compose.yaml
 traefik/docker-compose.yaml
-compose.yaml
-nginx.conf
+nginx.conf
+nginx.conf.bak
+huly.conf
+.huly.secret

nginx/huly.nginx → .huly.nginx

@@ -19,6 +19,19 @@ server {
         proxy_pass http://account:3000/;
     }
 
+    #location /_love {
+    #    proxy_set_header Host $host;
+    #    proxy_set_header X-Real-IP $remote_addr;
+    #    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    #    proxy_set_header X-Forwarded-Proto $scheme;
+
+    #    proxy_http_version 1.1;
+    #    proxy_set_header Upgrade $http_upgrade;
+    #    proxy_set_header Connection "upgrade";
+    #    rewrite ^/_love(/.*)$ $1 break;
+    #    proxy_pass http://love:8096/;
+    #}
+
     location /_collaborator {
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;

.template.huly.conf

@@ -0,0 +1,26 @@
+HULY_VERSION=v0.6.295
+DOCKER_NAME=huly
+
+# The address of the host or server from which you will access your Huly instance.
+# This can be a domain name (e.g., huly.example.com) or an IP address (e.g., 192.168.1.1).
+HOST_ADDRESS=${HOST_ADDRESS}
+
+# Set this variable to 'true' to enable SSL (HTTPS/WSS). 
+# Leave it empty to use non-SSL (HTTP/WS).
+SECURE=${SECURE}
+
+# Specify the IP address to bind to; leave blank to bind to all interfaces (0.0.0.0).
+# Do not use IP:PORT format in HTTP_BIND or HTTP_PORT.
+HTTP_PORT=${HTTP_PORT}
+HTTP_BIND=${HTTP_BIND}
+
+# Huly specific variables
+TITLE=${TITLE}
+DEFAULT_LANGUAGE=${DEFAULT_LANGUAGE}
+LAST_NAME_FIRST=${LAST_NAME_FIRST}
+
+# The following configs are auto-generated by the setup script. 
+# Please do not manually overwrite.
+
+# Run with --secret to regenerate.
+SECRET=${HULY_SECRET}

.template.nginx.conf

@@ -0,0 +1,14 @@
+server {
+    server_name ;
+    listen ;
+    location / {
+      proxy_http_version 1.1;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection "upgrade";
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_pass ;
+    }
+}

README.md

@@ -12,40 +12,42 @@ If you prefer Kubernetes deployment, there is a sample Kubernetes configuration
 First, let's install `nginx` and `docker` using the commands below if you have not already installed them on your machine.
 
 ```bash
-$ sudo apt update
-$ sudo apt install nginx
-$ sudo snap install docker
+sudo apt update
+sudo apt install nginx
+sudo snap install docker
 ```
 
 ## Clone the `huly-selfhost` repository and configure `nginx`
 
-Next, let's clone the `huly-selfhost` repository and configure the server address. _Please replace **x.y.z.w** with your server's IP address_.
+Next, let's clone the `huly-selfhost` repository and configure Huly.
 
 ```bash
-$ git clone https://github.com/hcengineering/huly-selfhost.git
-$ cd huly-selfhost
-$ ./setup.sh x.y.z.w # Replace x.y.z.w with your server's IP address
-$ sudo ln -s $(pwd)/nginx.conf /etc/nginx/sites-enabled/
+git clone https://github.com/hcengineering/huly-selfhost.git
+cd huly-selfhost
+./setup.sh
 ```
+This will generate a [huly.conf](./huly.conf) file with your chosen values and create your nginx config.
 
-## Now we're ready to run Huly
+To add the generated configuration to your Nginx setup, run the following:
+```bash
+sudo ln -s $(pwd)/nginx.conf /etc/nginx/sites-enabled/huly.conf
+```
+> [!NOTE]
+> If you change `HOST_ADDRESS`, `SECURE`, `HTTP_PORT` or `HTTP_BIND` be sure to update your [nginx.conf](./nginx.conf) by running:
+> ```bash
+> ./nginx.sh
+> ```
+>You can safely execute this script after adding your custom configurations like ssl. It will only overwrite the necessary settings.
 
-Finally, let's restart `nginx` and run Huly with `docker compose`.
+Finally, let's reload `nginx` and start Huly with `docker compose`.
 
 ```bash
-$ sudo systemctl restart nginx
-$ sudo docker compose up
+sudo nginx -s reload
+sudo docker compose up -d
 ```
 
 Now, launch your web browser and enjoy Huly!
 
-## Security
-
-When exposing your self-hosted Huly deployment to the internet, it's crucial to implement some security measures to protect your server and data.
-
-1. Do not expose MongoDB, MinIO, and Elastic services to the internet. Huly does not require them to be accessible from the internet.
-2. It is highly recommended to change the default credentials. By default the services, mentioned above, require no authentication, or use default well-known credentials.
-
 ## Generating Public and Private VAPID keys for front-end
 
 You'll need `Node.js` installed on your machine. Installing `npm` on Debian based distro:

template.compose.yaml → compose.yml

@@ -1,34 +1,36 @@
-version: "3"
+name: ${DOCKER_NAME}
 services:
+  nginx:
+    image: "nginx:1.21.3"
+    ports:
+      - "${HTTP_BIND}:${HTTP_PORT}:80"
+    volumes:
+      - ./.huly.nginx:/etc/nginx/conf.d/default.conf
+    restart: unless-stopped
+
   mongodb:
     image: "mongo:7-jammy"
-    container_name: mongodb
     environment:
       - PUID=1000
       - PGID=1000
     volumes:
       - db:/data/db
-    ports:
-      - 27017:27017
     restart: unless-stopped
+
   minio:
     image: "minio/minio"
     command: server /data --address ":9000" --console-address ":9001"
-    ports:
-      - 9000:9000
-      - 9001:9001
     volumes:
       - files:/data
     restart: unless-stopped
+
   elastic:
     image: "elasticsearch:7.14.2"
     command: |
       /bin/sh -c "./bin/elasticsearch-plugin list | grep -q ingest-attachment || yes | ./bin/elasticsearch-plugin install --silent ingest-attachment;
       /usr/local/bin/docker-entrypoint.sh eswrapper"
     volumes:
       - elastic:/usr/share/elasticsearch/data
-    ports:
-      - 9200:9200
     environment:
       - ELASTICSEARCH_PORT_NUMBER=9200
       - BITNAMI_DEBUG=true
@@ -41,98 +43,104 @@ services:
       retries: 10
       test: curl -s http://localhost:9200/_cluster/health | grep -vq '"status":"red"'
     restart: unless-stopped
+
+  rekoni:
+    image: hardcoreeng/rekoni-service:${HULY_VERSION}
+    environment:
+      - SECRET=${SECRET}
+    deploy:
+      resources:
+        limits:
+          memory: 500M
+    restart: unless-stopped
+
+  transactor:
+    image: hardcoreeng/transactor:${HULY_VERSION}
+    environment:
+      - SERVER_PORT=3333
+      - SERVER_SECRET=${SECRET}
+      - SERVER_CURSOR_MAXTIMEMS=30000
+      - ELASTIC_URL=http://elastic:9200
+      - ELASTIC_INDEX_NAME=huly_storage_index
+      - DB_URL=mongodb://mongodb:27017
+      - MONGO_URL=mongodb://mongodb:27017
+      - METRICS_CONSOLE=false
+      - METRICS_FILE=metrics.txt
+      - STORAGE_CONFIG=minio|minio?accessKey=minioadmin&secretKey=minioadmin
+      - REKONI_URL=http://rekoni:4004
+      - FRONT_URL=http://localhost:8087
+      - ACCOUNTS_URL=http://account:3000
+      - LAST_NAME_FIRST=${LAST_NAME_FIRST:-true}
+      - UPLOAD_URL=http${SECURE:+s}://${HOST_ADDRESS}/files
+    restart: unless-stopped
+
+  collaborator:
+    image: hardcoreeng/collaborator:${HULY_VERSION}
+    environment:
+      - COLLABORATOR_PORT=3078
+      - SECRET=${SECRET}
+      - ACCOUNTS_URL=http://account:3000
+      - DB_URL=mongodb://mongodb:27017
+      - MONGO_URL=mongodb://mongodb:27017
+      - STORAGE_CONFIG=minio|minio?accessKey=minioadmin&secretKey=minioadmin
+    restart: unless-stopped
+
   account:
     image: hardcoreeng/account:${HULY_VERSION}
-    ports:
-      - 3000:3000
     environment:
       - SERVER_PORT=3000
-      - SERVER_SECRET=${HULY_SECRET}
+      - SERVER_SECRET=${SECRET}
       - DB_URL=mongodb://mongodb:27017
-      - TRANSACTOR_URL=ws://transactor:3333;ws://${SERVER_ADDRESS}:3333
+      - MONGO_URL=mongodb://mongodb:27017
+      - TRANSACTOR_URL=ws://transactor:3333;ws${SECURE:+s}://${HOST_ADDRESS}/_transactor
       - STORAGE_CONFIG=minio|minio?accessKey=minioadmin&secretKey=minioadmin
       - FRONT_URL=http://front:8080
       - MODEL_ENABLED=*
-      - ACCOUNTS_URL=http://${SERVER_ADDRESS}:3000
+      - ACCOUNTS_URL=http://localhost:3000
       - ACCOUNT_PORT=3000
     restart: unless-stopped
+
   workspace:
     image: hardcoreeng/workspace:${HULY_VERSION}
     environment:
-      - SERVER_SECRET=${HULY_SECRET}
+      - SERVER_SECRET=${SECRET}
       - DB_URL=mongodb://mongodb:27017
       - MONGO_URL=mongodb://mongodb:27017
-      - TRANSACTOR_URL=ws://transactor:3333;ws://${SERVER_ADDRESS}:3333
+      - TRANSACTOR_URL=ws://transactor:3333;ws${SECURE:+s}://${HOST_ADDRESS}/_transactor
       - STORAGE_CONFIG=minio|minio?accessKey=minioadmin&secretKey=minioadmin
       - MODEL_ENABLED=*
       - ACCOUNTS_URL=http://account:3000
       - NOTIFY_INBOX_ONLY=true
     restart: unless-stopped
+
+  # THIS REQUIRES MANUAL SETUP
+  # https://docs.livekit.io/home/self-hosting/vm/
+  #love:
+  # image: hardcoreeng/love:${HULY_VERSION}
+  # restart: unless-stopped
   front:
     image: hardcoreeng/front:${HULY_VERSION}
-    ports:
-      - 8087:8080
     environment:
       - SERVER_PORT=8080
-      - SERVER_SECRET=${HULY_SECRET}
-      - ACCOUNTS_URL=http://${SERVER_ADDRESS}:3000
-      - REKONI_URL=http://${SERVER_ADDRESS}:4004
-      - CALENDAR_URL=http://${SERVER_ADDRESS}:8095
-      - GMAIL_URL=http://${SERVER_ADDRESS}:8088
-      - TELEGRAM_URL=http://${SERVER_ADDRESS}:8086
+      - SERVER_SECRET=${SECRET}
+      - LOVE_ENDPOINT=http${SECURE:+s}://${HOST_ADDRESS}/_love
+      - ACCOUNTS_URL=http${SECURE:+s}://${HOST_ADDRESS}/_accounts
+      - REKONI_URL=http${SECURE:+s}://${HOST_ADDRESS}/_rekoni
+      - CALENDAR_URL=http${SECURE:+s}://${HOST_ADDRESS}/_calendar
+      - GMAIL_URL=http${SECURE:+s}://${HOST_ADDRESS}/_gmail
+      - TELEGRAM_URL=http${SECURE:+s}://${HOST_ADDRESS}/_telegram
       - UPLOAD_URL=/files
       - ELASTIC_URL=http://elastic:9200
-      - COLLABORATOR_URL=ws://${SERVER_ADDRESS}:3078
+      - COLLABORATOR_URL=ws${SECURE:+s}://${HOST_ADDRESS}/_collaborator
       - STORAGE_CONFIG=minio|minio?accessKey=minioadmin&secretKey=minioadmin
-      - MONGO_URL=mongodb://mongodb:27017
-      - TITLE=Huly Self Hosted
-      - DEFAULT_LANGUAGE=en
-      - LAST_NAME_FIRST=true
-    restart: unless-stopped
-  collaborator:
-    image: hardcoreeng/collaborator:${HULY_VERSION}
-    ports:
-      - 3078:3078
-    environment:
-      - COLLABORATOR_PORT=3078
-      - SECRET=${HULY_SECRET}
-      - ACCOUNTS_URL=http://account:3000
-      - MONGO_URL=mongodb://mongodb:27017
-      - STORAGE_CONFIG=minio|minio?accessKey=minioadmin&secretKey=minioadmin
-    restart: unless-stopped
-  transactor:
-    image: hardcoreeng/transactor:${HULY_VERSION}
-    ports:
-      - 3333:3333
-    environment:
-      - SERVER_PORT=3333
-      - SERVER_SECRET=${HULY_SECRET}
-      - SERVER_CURSOR_MAXTIMEMS=30000
-      - ELASTIC_URL=http://elastic:9200
-      - ELASTIC_INDEX_NAME=huly_storage_index
       - DB_URL=mongodb://mongodb:27017
       - MONGO_URL=mongodb://mongodb:27017
-      - METRICS_CONSOLE=false
-      - METRICS_FILE=metrics.txt
-      - STORAGE_CONFIG=minio|minio?accessKey=minioadmin&secretKey=minioadmin
-      - REKONI_URL=http://rekoni:4004
-      - FRONT_URL=http://${SERVER_ADDRESS}:8087
-      - ACCOUNTS_URL=http://account:3000
-      - LAST_NAME_FIRST=true
-    restart: unless-stopped
-  rekoni:
-    image: hardcoreeng/rekoni-service:${HULY_VERSION}
-    ports:
-      - 4004:4004
-    environment:
-      - SECRET=${HULY_SECRET}
-    deploy:
-      resources:
-        limits:
-          memory: 500M
+      - TITLE=${TITLE:-Huly Self Host}
+      - DEFAULT_LANGUAGE=${DEFAULT_LANGUAGE:-en}
+      - LAST_NAME_FIRST=${LAST_NAME_FIRST:-true}
     restart: unless-stopped
+
 volumes:
   db:
-  files:
   elastic:
-  etcd:
+  files: