renovate docs
This commit is contained in:
parent
ff3a292779
commit
aeb565e58f
14 changed files with 342 additions and 21 deletions
|
@ -4,9 +4,9 @@
|
|||
Alle Apps die per SSO angebunden werden sollen, müssen später in der Administrationsoberfläche konfiguriert werden.
|
||||
|
||||
```
|
||||
abra app new --domain example.com --server servername --app-name servername_authentik --secrets authentik
|
||||
abra app config servername_authentik # only if custom config needed
|
||||
abra app deploy servername_authentik
|
||||
abra app new authentik
|
||||
abra app config app_name
|
||||
abra app deploy app_name
|
||||
```
|
||||
|
||||
TODO: SECRETS
|
||||
|
|
38
docs/apps/bigbluebutton.md
Normal file
38
docs/apps/bigbluebutton.md
Normal file
|
@ -0,0 +1,38 @@
|
|||
bbb
|
||||
===
|
||||
|
||||
# Big Blue Button
|
||||
|
||||
https://github.com/bigbluebutton/docker/
|
||||
|
||||
|
||||
|
||||
### Telefoneinwahl
|
||||
|
||||
Account mit Rufnummer bei https://app.sipgate.com
|
||||
`./conf/dialplan_public`
|
||||
`./conf/sip_profiles`
|
||||
im .env noch: `SIP_IP_ALLOWLIST`, `WELCOME_FOOTER`
|
||||
|
||||
### Networking
|
||||
|
||||
talk.local-it.org
|
||||
|
||||
|
||||
|
||||
https://docs.bigbluebutton.org/admin/configure-firewall.html
|
||||
|
||||
### docker setup
|
||||
|
||||
https://github.com/bigbluebutton/docker
|
||||
https://docs.bigbluebutton.org/admin/configure-firewall.html
|
||||
|
||||
|
||||
---
|
||||
changing smth:
|
||||
```
|
||||
vim .env
|
||||
./scripts/generate-compose
|
||||
docker-compose up -d
|
||||
|
||||
```
|
22
docs/apps/email.md
Normal file
22
docs/apps/email.md
Normal file
|
@ -0,0 +1,22 @@
|
|||
# EMail
|
||||
|
||||
* DebianTemplate duplizieren
|
||||
* HA einrichten
|
||||
|
||||
https://github.com/mailcow/mailcow-dockerized
|
||||
|
||||
[DNS](https://mailcow.github.io/mailcow-dockerized-docs/prerequisite-dns/)
|
||||
[installation](https://mailcow.github.io/mailcow-dockerized-docs/i_u_m_install/)
|
||||
|
||||
[backup](https://mailcow.github.io/mailcow-dockerized-docs/third_party-borgmatic/)
|
||||
|
||||
|
||||
ssh://u263336@u263336.your-storagebox.de:23/home/mailcow
|
||||
|
||||
|
||||
## ToDo
|
||||
|
||||
* PTR einträge (windcloud fragen)
|
||||
wo dns hosten?
|
||||
|
||||
* bei problemen ipv6 deaktivieren
|
32
docs/apps/foodsoft.md
Normal file
32
docs/apps/foodsoft.md
Normal file
|
@ -0,0 +1,32 @@
|
|||
# Foodsoft
|
||||
|
||||
|
||||
|
||||
|
||||
### Migration
|
||||
|
||||
1. Neue instanz aufsetzen
|
||||
2. Backup aus alter instanz erstellen
|
||||
|
||||
|
||||
```
|
||||
docker exec foodcoops_mariadb_1 bash -c "mysqldump -ufoodsoft -p${DB_PASSWORD} foodsoft_demo" > 2022-02-27.sql
|
||||
```
|
||||
|
||||
3. Backup einspielen
|
||||
|
||||
```
|
||||
➜ docker cp 2022-01-04.sql wandelgut-foodsoft_db.1.b1nspplwa49o55pwj5ddcnn0r:/tmp/
|
||||
➜ docker exec -it wandelgut-foodsoft_db.1.b1nspplwa49o55pwj5ddcnn0r bash
|
||||
root@dcdca844b2f1:/# cd /tmp/
|
||||
|
||||
mysql -p$(cat /run/secrets/db_root_password)
|
||||
|
||||
MariaDB [(none)]> create database tantewandel;
|
||||
|
||||
root@dcdca844b2f1:/tmp# mysql -p$(cat /run/secrets/db_root_password) tantewandel < 2022-01-04.sql
|
||||
root@dcdca844b2f1:/tmp# exit
|
||||
➜ docker exec -it wandelgut-foodsoft_app.1.zvlhnq4vvmlf4iuck7ymz96xu bash
|
||||
nobody@22e376ecea83:/usr/src/app$ SECRET_KEY_BASE=$(cat /run/secrets/secret_key_base) bundle exec rake db:migrate
|
||||
```
|
||||
|
10
docs/apps/mobilizon.md
Normal file
10
docs/apps/mobilizon.md
Normal file
|
@ -0,0 +1,10 @@
|
|||
# Mobilizon
|
||||
|
||||
Ziel: Lübecks veranstaltungen auf einer freien Plattform
|
||||
|
||||
These: Bürgis wollen eine andere Plattform als fb für Veranstaltungen
|
||||
Experiment:
|
||||
|
||||
https://mobilizon.org/de/
|
||||
https://docs.joinmobilizon.org/administration/install/docker/
|
||||
https://framagit.org/framasoft/joinmobilizon/docker/-/blob/master/docker-compose.yml
|
|
@ -15,3 +15,24 @@ abra app deploy servername_onlyoffice
|
|||
#### Nextcloud Konfiguration anpassen:
|
||||
https://office.example.com
|
||||
JWT_SECRET
|
||||
|
||||
|
||||
##### enable forcepush
|
||||
|
||||
|
||||
https://api.onlyoffice.com/editors/save#forcesave
|
||||
|
||||
im onlyoffice container / volume hinzufügen:
|
||||
|
||||
/etc/onlyoffice/documentserver/local.json
|
||||
{
|
||||
"services": {
|
||||
"CoAuthoring": {
|
||||
"autoAssembly": {
|
||||
"enable": true,
|
||||
"interval": "5m"
|
||||
}
|
||||
|
||||
|
||||
in Nextcloud
|
||||
-> Admin -> Onlyoffice -> Editor-Einstellungen -> force save
|
|
@ -3,18 +3,17 @@
|
|||
[Wekan](https://github.com/wekan/wekan/wiki) ist ein Kanban Board.
|
||||
|
||||
|
||||
```
|
||||
abra app new wekan
|
||||
abra app secret generate -A app_name
|
||||
abra config app_name
|
||||
abra deploy app_name
|
||||
```
|
||||
|
||||
im authentik:
|
||||
openid-provider anlegen
|
||||
app anlegen
|
||||
|
||||
!!! note "Auf lit.cloud Infrastruktur"
|
||||
`git clone https://git.local-it.org/LIT/wekan ~/.abra/apps/wekan`
|
||||
|
||||
```
|
||||
abra app new --domain example.com --server servername --app-name servername_wekan wekan
|
||||
abra config servername_wekan # OAUTH2_SECRET anpassen
|
||||
abra deploy servername_wekan
|
||||
```
|
||||
|
||||
|
||||
Login Button umbenennen: User -> Administration -> Layout -> Benutzerdefinierter Text der OIDC-Schaltfläche
|
||||
|
|
45
docs/architecture/architecture-presentation.md
Normal file
45
docs/architecture/architecture-presentation.md
Normal file
|
@ -0,0 +1,45 @@
|
|||
## Architekturkriterien
|
||||
|
||||
* Modularität
|
||||
* Einfache, Paketbasierte Installation
|
||||
* Überprüfbarkeit (Monitoring, Tests)
|
||||
* Security und Datensicherheit
|
||||
* Datenschutz (Logging, DSGVO)
|
||||
* Federation und Verknüpfung mit anderen Diensten
|
||||
* Freie Software
|
||||
|
||||
## Anforderungen an Apps
|
||||
|
||||
* Cloud-native
|
||||
* Container
|
||||
* Konfiguration per Umgebungsvariable
|
||||
* Health- / Monitoring-Endpoint
|
||||
* Single-Sign-On
|
||||
* API-Zugriff
|
||||
* Aktive Entwicklung (mind. security updates)
|
||||
* FOSS (Free and Open Source) Lizenz
|
||||
|
||||
|
||||
## System Überblick
|
||||
|
||||
![](system-view.png)
|
||||
|
||||
## Design Decisions
|
||||
|
||||
### Containerisierung
|
||||
Docker:whale:
|
||||
|
||||
### Single-Sign-On
|
||||
Openid Connect (oAuth2)
|
||||
|
||||
### Automatisierung
|
||||
Abra (coop-cloud)
|
||||
|
||||
### Monitoring
|
||||
WiP (Grafana, Prometheus, CAdvisor)
|
||||
|
||||
### Backup
|
||||
Backupbot (automated volume backup with Restic)
|
||||
|
||||
### Reverse Proxy
|
||||
traefik
|
1
docs/architecture/single-sign-on/oidc.svg
Normal file
1
docs/architecture/single-sign-on/oidc.svg
Normal file
File diff suppressed because one or more lines are too long
After Width: | Height: | Size: 139 KiB |
3
docs/architecture/single-sign-on/single-sign-on.md
Normal file
3
docs/architecture/single-sign-on/single-sign-on.md
Normal file
|
@ -0,0 +1,3 @@
|
|||
# Single-Sign-On
|
||||
|
||||
[Wip](https://pad.local-it.org/sgHdC9ejQ8OQSpg_NM9lUQ?both#)
|
104
docs/architecture/single-sign-on/sso.drawio
Normal file
104
docs/architecture/single-sign-on/sso.drawio
Normal file
File diff suppressed because one or more lines are too long
BIN
docs/architecture/system-view.png
Normal file
BIN
docs/architecture/system-view.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 63 KiB |
51
docs/faq.md
51
docs/faq.md
|
@ -7,3 +7,54 @@
|
|||
* I accidientially removed myself from the admin group in Authentik and lost access
|
||||
`abra app run swe-hospiz-sso server ak create_admin_group admin`
|
||||
[see docs](https://goauthentik.io/docs/troubleshooting/missing_admin_group)
|
||||
|
||||
|
||||
|
||||
## WiP
|
||||
|
||||
Warum Opensource?
|
||||
* kein Vendor-Lockin
|
||||
* Weltweite Softwareentwicklung
|
||||
* Nachweisbare software qualität
|
||||
* Individualisierbar
|
||||
* Sicherer (mehr Augen)
|
||||
* Community
|
||||
* Public Money, Public Code
|
||||
* Use, Study, Share, Improve
|
||||
|
||||
Warum selbst hosten?
|
||||
* Datenhohheit
|
||||
* Souveränität
|
||||
|
||||
Warum openid-connect?
|
||||
* moderner Offener Standard
|
||||
* flexible anbindung von apps
|
||||
sso session nicht auf eine domäne begrenzt
|
||||
Google Session authentifiziert
|
||||
|
||||
Warum Containerisieren? (vs one system)
|
||||
* unterschiedliche Apps, unterschiedliche Bedürfnisse
|
||||
* Isolation (Security)
|
||||
* Update einfacher
|
||||
* trennung von image - volumes
|
||||
* besser skalieren
|
||||
|
||||
Container vs VM
|
||||
* weniger ressourcen, schneller
|
||||
(container enhält nur das was benötigt wird, gleiche images sparen speicher)
|
||||
* leichter zu orchestrieren
|
||||
|
||||
Warum so viele einzelne DBs?
|
||||
* Unterschiedliche bedarfe Postgres/Mysql/Mongo
|
||||
* in unterschiedlichen Versionen
|
||||
* leicht zu migrieren
|
||||
|
||||
Warum nicht Kubernetes?
|
||||
* Zu komplex
|
||||
* single node systeme für unsere zielgruppe
|
||||
|
||||
Aber sind container nicht unsicher?
|
||||
* nicht wenn man weiß was man tut
|
||||
* privilieged container mit vorsicht genießen
|
||||
* gut prüfen wo die images herkommen (selber bauen)
|
||||
* apparmor, ressourcen limits
|
||||
|
|
|
@ -42,23 +42,18 @@ Für weitere Details: [docs.coopcloud.tech](https://docs.coopcloud.tech/deploy/)
|
|||
|
||||
Wir verwenden Traefik als Reverse-Proxy. Er erkennt automatisch Apps im Docker Swarm und leitet von den konfigurierten Subdomains auf die entsprechenden Apps um.
|
||||
|
||||
!!! note "Auf lit.cloud Infrastruktur"
|
||||
`git clone https://git.local-it.org/LIT/traefik ~/.abra/apps/traefik`
|
||||
|
||||
|
||||
Docker Netzwerk erstellen
|
||||
```
|
||||
docker network create -d overlay --scope swarm proxy
|
||||
```
|
||||
|
||||
|
||||
```
|
||||
abra app new --domain example.com --server servername --app-name servername_traefik traefik
|
||||
abra app config servername_traefik # only if custom config needed
|
||||
abra app deploy servername_traefik
|
||||
abra app new traefik
|
||||
abra app config example_traefik # only if custom config needed
|
||||
abra app deploy example_traefik
|
||||
```
|
||||
|
||||
Du kannst den Status der Installation mit `abra app ps servername_traefik` überprüfen
|
||||
Du kannst den Status der Installation mit `abra app ps example_traefik` überprüfen
|
||||
|
||||
|
||||
## Apps
|
||||
|
|
Loading…
Reference in a new issue