wululu_web/invoiceninja-docker
3
0
Fork 0
mirror of https://github.com/invoiceninja/dockerfiles.git synced 2025-12-31 19:47:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

add traefik config example

Browse Source
This commit is contained in:
Xenion1987
2023-04-25 12:39:11 +02:00
parent 15aefa698b
commit c967aaccf4
10 changed files with 272 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
.gitignore vendored
View File

@@ -12,3 +12,10 @@ charts/**/charts/
# Compose filesystem
/docker
# Traefik filesystem
config/traefik/logs/*
!config/traefik/logs/.gitkeep
config/traefik/ssl/*
!config/traefik/ssl/.gitkeep

14
README.md
View File

@@ -25,17 +25,19 @@ Other resources:
## Alternatively get started with Docker Compose
The dockerfile has been revamped to make it easier to get started, by default the base image selected is 5 which will pull in the latest v5 stable image.
The dockerfile has been revamped to make it easier to get started, by default the base image selected is 5 which will pull in the latest v5 stable image.
```bash
git clone https://github.com/invoiceninja/dockerfiles.git
cd dockerfiles
```
Instead of defining our environment variables inside our docker-compose.yml file we now define this in the `env` file, open this file up and insert your `APP_URL`, `APP_KEY` and update the rest of the variables as required.
Instead of defining our environment variables inside our docker-compose.yml file we now define this in the `env` file, open this file up and insert your `APP_URL_*` variables, `APP_KEY` and update the rest of the variables as required.
```
APP_URL=http://in.localhost:8003/
APP_URL_SCHEME=http
APP_URL_DOMAIN=in.localhost
APP_URL_PORT=8003
APP_KEY=<insert your generated key in here>
APP_DEBUG=true
REQUIRE_HTTPS=false
@@ -62,6 +64,12 @@ chmod 755 docker/app/public
sudo chown -R 1500:1500 docker/app
```
If you want to modify the docker compose stack (e.g. changing the `nginx` port), please do any changes in the `docker-compose.override.yml` file. When starting the stack, both files will be merged. You can check the merged config from the terminal by executing
```bash
docker compose config
```
### Note for people running the container locally on their PC ###
If you are running the container locally, then the container will need to resolve the host, to support this you will want to insert your LAN IP address and the host name in the hosts file located in ```config/hosts```

33
config/traefik/README.md Normal file
View File

@@ -0,0 +1,33 @@
# Docker for [Invoice Ninja](https://www.invoiceninja.com/) using [Traefik proxy](https://doc.traefik.io/traefik/)
## Why use Traefik Proxy
Traefik is an open-source Edge Router that makes publishing your services a fun and easy experience. It receives requests on behalf of your system and finds out which components are responsible for handling them.
What sets Traefik apart, besides its many features, is that it automatically discovers the right configuration for your services. The magic happens when Traefik inspects your infrastructure, where it finds relevant information and discovers which service serves which request.
Traefik in combination with [Cloudflare](https://cloudflare.com) receives and serves all SSL certificates for each service domain automaticly by issuing a wildcard SSL certificate.
## Requirements
1. A domain using the Cloudflare nameservers [Cloudflare Docs](https://developers.cloudflare.com/registrar/get-started/transfer-domain-to-cloudflare/)
1. An API token with at least the following permissions: `Zone:Read, Zone Settings:Read, DNS:Edit` [Cloudflare Docs](https://developers.cloudflare.com/fundamentals/api/)
## Usage
1. Copy the [docker-compose.override.yml](./docker-compose.override.yml) to the repositorie's root directory
1. Set the Traefik proxy vars in the [env](../../env) file
1. Update the basic-auth username and password in [dynamic.yml](./config/dynamic.yml)
1. Start the docker compose stack
A few seconds later, you should be able to visit `https://${APP_URL_DOMAIN}:8080/dashboard/` and should be prompted for a username and password. If you have not changed it, it should be `username` and `EncryptedPassword`.
If there are no errors listed, you should be able to visit InvoiceNinja via `${APP_URL}`.
## Troubleshooting
If anything does not work as expected, consider checking Traefik's container logs via
```bash
docker compose logs -tf traefik
```

53
config/traefik/config/dynamic.yml Normal file
View File

@@ -0,0 +1,53 @@
tls:
options:
default:
minVersion: VersionTLS12
sniStrict: true
cipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
curvePreferences:
- CurveP521
- CurveP384
http:
middlewares:
default:
chain:
middlewares:
- default-security-headers
- gzip
secHeaders:
chain:
middlewares:
- default-security-headers
- gzip
traefik-auth:
basicauth:
# Encrypt Password via 'echo $(htpasswd -nB username) | sed -e s/\\$/\\$\\$/g'
# Username: username
# Password: EncryptedPassword
users: username:$2y$05$lz9I2C9KoUdHwCOmPsKeBOU7EYMKMyzzCQs3KEmg4JZZL7ahLzjGO
default-security-headers:
headers:
browserXssFilter: true
contentTypeNosniff: true
forceSTSHeader: true
frameDeny: true
stsIncludeSubdomains: true
stsPreload: true
stsSeconds: 31536000
customFrameOptionsValue: "SAMEORIGIN"
referrerPolicy: "no-referrer"
customRequestHeaders:
X-Forwarded-Proto: "https"
gzip:
compress: {}

99
config/traefik/docker-compose.override.yml Normal file
View File

@@ -0,0 +1,99 @@
version: "3.7"
services:
traefik:
image: traefik:latest
container_name: traefik
restart: unless-stopped
env_file: env
ports:
# Run traefik on port 80 and 443
# Feel free to modify depending what port is already occupied
- "80:80"
- "443:443"
# Run traefik dashboard on port 8080
# Feel free to modify depending what port is already occupied
- "8080:8080"
command:
# By default, the level is set to ERROR. Alternative logging levels are
# DEBUG, PANIC, FATAL, ERROR, WARN, and INFO.
- --log.level=ERROR
- --global.sendAnonymousUsage=false
# Enable Dashboard
- --api.insecure=false
- --api.dashboard=true
- --api.debug=true
# We are using Docker
- --providers.docker=true
- --providers.docker.exposedbydefault=false
# (Optional) Set default hostname if not given explicitly
- --providers.docker.defaultRule=Host(`${APP_URL_DOMAIN}`)
# Listen on port 80 (http)
- --entrypoints.web.address=:80
# Listen on port 443 (https)
- --entrypoints.websecure.address=:443
# Listen on port 8080 (traefik Dashboard)
- --entrypoints.traefik-dashboard.address=:8080
# Watch dynamic configuration file
- --providers.file.directory=/config
- --providers.file.watch=true
# Enable Access Log
- --accesslog.filepath=/var/log/www/access.log
# Automaticly redirect from http to https
- --entrypoints.web.http.redirections.entryPoint.to=websecure
- --entrypoints.web.http.redirections.entryPoint.scheme=https
################ START SSL configuration ################
# ---------> Cloudflare <---------
# DNS challenge via Cloudflare
- --certificatesresolvers.cloudflare.acme.email=${ACME_EMAIL}
- --certificatesresolvers.cloudflare.acme.storage=/ssl/acme.json
- --certificatesresolvers.cloudflare.acme.dnsChallenge.provider=cloudflare
- --certificatesresolvers.cloudflare.acme.dnsChallenge.delayBeforeCheck=60
- --certificatesresolvers.cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53
# (Optional) Use testing server before receiving the productive ssl certificate
#- --certificatesresolvers.cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
- --entrypoints.websecure.http.tls.domains[0].main=${APP_URL_DOMAIN}
# (Optional) Use only, if you are able to receive a wildcard ssl certificate
# - --entrypoints.websecure.http.tls.domains[0].main=*.${CLOUDFLARE_DOMAIN}
# --------------------------------
################ END SSL configuration ################
volumes:
# So that Traefik can listen to the Docker events
- /var/run/docker.sock:/var/run/docker.sock:ro
# Dynamic configuration files
- ./config/traefik/config:/config
# Enable Access Log
- ./config/traefik/logs/:/var/log/www/
# LetsEncrypt Configuration Storage
- ./config/traefik/ssl:/ssl
labels:
# Enable Traefik
- traefik.enable=true
# Set Network to use
- traefik.docker.network=invoiceninja
# Load dynamic config
- traefik.http.routers.traefik-dashboard.middlewares=default@file
# Service related labels
- traefik.http.routers.traefik-dashboard.entrypoints=traefik-dashboard
- traefik.http.routers.traefik-dashboard.middlewares=traefik-auth@file
- traefik.http.routers.traefik-dashboard.service=api@internal
- traefik.http.routers.traefik-dashboard.tls=true
- traefik.http.routers.traefik-dashboard.tls.certResolver=cloudflare
- traefik.http.routers.traefik-dashboard.rule=Host(`${APP_URL_DOMAIN}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
networks:
- invoiceninja
server:
labels:
# Enable Traefik
- "traefik.enable=true"
# Set Network to use
- "traefik.docker.network=invoiceninja"
# Load dynamic config
- "traefik.http.routers.ninja-nginx.middlewares=default@file"
# Service related labels
- "traefik.http.routers.ninja-nginx.entrypoints=websecure"
- "traefik.http.routers.ninja-nginx.tls=true"
- "traefik.http.routers.ninja-nginx.tls.certResolver=cloudflare"
- "traefik.http.routers.ninja-nginx.rule=Host(`${APP_URL_DOMAIN}`)"

0
config/traefik/logs/.gitkeep Normal file
View File

0
config/traefik/ssl/.gitkeep Normal file
View File

13
docker-compose.override.yml Normal file
View File

@@ -0,0 +1,13 @@
version: "3.7"
services:
server:
# Run webserver nginx on port 80
# Feel free to modify depending what port is already occupied
ports:
- "80:80"
# - "443:443"
db:
# Feel free to modify depending what port is already occupied
ports:
- "3305:3306"

59
docker-compose.yml
View File

@@ -12,13 +12,9 @@ services:
- ./docker/app/public:/var/www/app/public:ro
depends_on:
- app
# Run webserver nginx on port 80
# Feel free to modify depending what port is already occupied
ports:
- "80:80"
#- "443:443"
networks:
- invoiceninja
- invoiceninja-internal
extra_hosts:
- "in5.localhost:192.168.0.124 " #host and ip
@@ -34,53 +30,52 @@ services:
- db
networks:
- invoiceninja
- invoiceninja-internal
extra_hosts:
- "in5.localhost:192.168.0.124 " #host and ip
db:
image: mysql:8
# When running on ARM64 use MariaDB instead of MySQL
# image: mariadb:10.4
# For auto DB backups comment out image and use the build block below
# build:
# context: ./config/mysql
ports:
- "3305:3306"
# When running on ARM64 use MariaDB instead of MySQL
# image: mariadb:10.4
# For auto DB backups comment out image and use the build block below
# build:
# context: ./config/mysql
restart: always
env_file: env
volumes:
- ./docker/mysql/data:/var/lib/mysql:rw,delegated
# remove comments for next 4 lines if you want auto sql backups
#- ./docker/mysql/bak:/backups:rw
#- ./config/mysql/backup-script:/etc/cron.daily/daily:ro
#- ./config/mysql/backup-script:/etc/cron.weekly/weekly:ro
#- ./config/mysql/backup-script:/etc/cron.monthly/monthly:ro
networks:
- invoiceninja
- invoiceninja-internal
extra_hosts:
- "in5.localhost:192.168.0.124 " #host and ip
# THIS IS ONLY A VALID CONFIGURATION FOR IN 4. DO NOT USE FOR IN 5.
# cron:
# image: invoiceninja/invoiceninja:alpine-4
# volumes:
# THIS IS ONLY A VALID CONFIGURATION FOR IN 4. DO NOT USE FOR IN 5.
# cron:
# image: invoiceninja/invoiceninja:alpine-4
# volumes:
# - ./docker/app/public:/var/www/app/public:rw,delegated
# - ./docker/app/storage:/var/www/app/storage:rw,delegated
# - ./docker/app/public/logo:/var/www/app/public/logo:rw,delegated
# entrypoint: |
# /bin/sh -c 'sh -s <<EOF
# trap "break;exit" SIGHUP SIGINT SIGTERM
# sleep 300s
# while /bin/true; do
# ./artisan ninja:send-invoices
# ./artisan ninja:send-reminders
# sleep 1d
# done
# EOF'
# networks:
# - invoiceninja
#
# entrypoint: |
# /bin/sh -c 'sh -s <<EOF
# trap "break;exit" SIGHUP SIGINT SIGTERM
# sleep 300s
# while /bin/true; do
# ./artisan ninja:send-invoices
# ./artisan ninja:send-reminders
# sleep 1d
# done
# EOF'
# networks:
# - invoiceninja
#
networks:
invoiceninja:
invoiceninja-internal:
internal: true

38
env
View File

@@ -1,30 +1,44 @@
# IN application vars
APP_URL=http://in.localhost:8003
APP_KEY=<insert your generated key in here>
## IN application vars
# http or https
APP_URL_SCHEME=http
# Domain name you want to use for InvoiceNinja
APP_URL_DOMAIN=in.localhost
# Port where InvoiceNinja should listen on
APP_URL_PORT=8003
## Example https variables:
# APP_URL_SCHEME=https
# APP_URL_DOMAIN=ninja.domain.tld
# APP_URL_PORT=443
# REQUIRE_HTTPS=true
# This variable should not be modified, except you know what you do
APP_URL="${APP_URL_SCHEME:-http}://${APP_URL_DOMAIN:-in.localhost}:${APP_URL_PORT:-8003}"
APP_KEY='<insert your generated key in here>'
APP_DEBUG=true
REQUIRE_HTTPS=false
PHANTOMJS_PDF_GENERATION=false
PDF_GENERATOR=snappdf
TRUSTED_PROXIES='*'
QUEUE_CONNECTION=database
# DB connection
## DB connection
DB_HOST=db
DB_PORT=3306
DB_DATABASE=ninja
DB_USERNAME=ninja
DB_PASSWORD=ninja
# Create initial user
## Create initial user
# Default to these values if empty
# IN_USER_EMAIL=admin@example.com
# IN_PASSWORD=changeme!
IN_USER_EMAIL=
IN_PASSWORD=
# Mail options
## Mail options
MAIL_MAILER=log
MAIL_HOST=smtp.mailtrap.io
MAIL_PORT=2525
@@ -34,12 +48,18 @@ MAIL_ENCRYPTION=null
MAIL_FROM_ADDRESS='user@example.com'
MAIL_FROM_NAME='Self Hosted User'
# MySQL
## MySQL
MYSQL_ROOT_PASSWORD=ninjaAdm1nPassword
MYSQL_USER=ninja
MYSQL_PASSWORD=ninja
MYSQL_DATABASE=ninja
# V4 env vars
## V4 env vars
# DB_STRICT=false
# APP_CIPHER=AES-256-CBC
## Traefik proxy vars
CLOUDFLARE_EMAIL=cloudflare@domain.tld
CLOUDFLARE_DNS_API_TOKEN=yourApiTokenHere
CLOUDFLARE_DOMAIN=domain.tld
ACME_EMAIL=ssl-maintainer@domain.tld