Merge pull request 'New Instance: stream.whateveritworks.org' (#6) from WhateverItWorks/my-safetwitch-docker-compose:master into master

Reviewed-on: https://codeberg.org/dragongoose/safetwitch/pulls/6

README.md

@@ -204,5 +204,4 @@ Community hosted instances:
 | URL                         | Country | Info |
 |-----------------------------|---------|------|
 | [safetwitch.projectsegfau.lt](https://safetwitch.projectsegfau.lt/) | 🇺🇸 🇮🇳 🇱🇺 | #2   |
-
+| [stream.whateveritworks.org](https://stream.whateveritworks.org) | :DE: | Hosted on Hetzner/Dedicated Server with Encryption at rest
-

backend-nginx.conf

@@ -0,0 +1,42 @@
+server {
+  server_name changethis;
+
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+    ssl_certificate /etc/letsencrypt/live/changethis/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/changethis/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+    add_header strict_sni on;
+    add_header strict_sni_header on;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header Content-Security-Policy upgrade-insecure-requests;
+    add_header X-XSS-Protection "1; mode=block";
+    add_header X-Content-Type-Options nosniff;
+    add_header X-Frame-Options "DENY";
+    add_header Clear-Site-Data "cookies";
+    add_header Referrer-Policy "no-referrer";
+    add_header Permissions-Policy "interest-cohort=(),accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()";
+    resolver 1.1.1.1;
+
+    ssl_trusted_certificate /etc/letsencrypt/live/changethis/chain.pem;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    access_log /dev/null;
+    error_log  /dev/null;
+
+   location / {
+   proxy_set_header X-Forwarded-For $remote_addr;
+   proxy_pass http://localhost:7100;
+        }
+}
+
+server {
+  listen 80;
+  listen [::]:80;
+  server_name changethis;
+  return 301 https://changethis$request_uri;
+  }

docker-compose.yml

@@ -1,20 +1,41 @@
-version: "3.9"
+version: "3.7"
+
 services:
-  frontend:
+  safetwitch-frontend:
-    image: codeberg.org/dragongoose/safetwitch
+    container_name: safetwitch-frontend
+    hostname: safetwitch-frontend
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - SETGID
+      - SETUID
+    restart: always
+    image: codeberg.org/dragongoose/safetwitch:latest
     ports:
-      - "8080:80"
+      - "127.0.0.1:8280:80"
     environment:
-      - SAFETWITCH_BACKEND_DOMAIN=localhost:7000
+      - SAFETWITCH_BACKEND_DOMAIN=changethis
-      - SAFETWITCH_INSTANCE_DOMAIN=localhost:80
+      - SAFETWITCH_INSTANCE_DOMAIN=changethis
-      - SAFETWITCH_HTTPS=false
+      - SAFETWITCH_HTTPS=true
       - SAFETWITCH_DEFAULT_LOCALE=en
-      - SAFETWITCH_FALLBACK_LOCALE=ja
+      - SAFETWITCH_FALLBACK_LOCALE=en
-  backend:
+
-    image: codeberg.org/dragongoose/safetwitch-backend
+  safetwitch-backend:
+    container_name: safetwitch-backend
+    hostname: safetwitch-backend
+    user: 65534:65534
+    read_only: true
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    restart: always
+    image: codeberg.org/dragongoose/safetwitch-backend:latest
     ports:
-      - "7000:7000"
+      - "127.0.0.1:7100:7000"
     environment:
       - PORT=7000
-      - URL=http://localhost:7000
+      - URL=https://changethis
-

docker/docker-compose.yml

@@ -1,15 +0,0 @@
-version: "3.9"
-services:
-  frontend:
-    build: 
-      context: "../"
-      dockerfile: ./docker/Dockerfile
-    ports:
-      - "8080:80"
-    environment: 
-      - SAFETWITCH_BACKEND_DOMAIN=localhost:7000
-      - SAFETWITCH_INSTANCE_DOMAIN=localhost:80
-      - SAFETWITCH_HTTPS=false
-      - SAFETWITCH_DEFAULT_LOCALE=en
-      - SAFETWITCH_FALLBACK_LOCALE=ja
-

frontend-nginx.conf

@@ -0,0 +1,42 @@
+server {
+  server_name changethis;
+
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+    ssl_certificate /etc/letsencrypt/live/changethis/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/changethis/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+    add_header strict_sni on;
+    add_header strict_sni_header on;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header Content-Security-Policy upgrade-insecure-requests;
+    add_header X-XSS-Protection "1; mode=block";
+    add_header X-Content-Type-Options nosniff;
+    add_header X-Frame-Options "DENY";
+    add_header Clear-Site-Data "cookies";
+    add_header Referrer-Policy "no-referrer";
+    add_header Permissions-Policy "interest-cohort=(),accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()";
+    resolver 1.1.1.1;
+
+    ssl_trusted_certificate /etc/letsencrypt/live/changethis/chain.pem;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    access_log /dev/null;
+    error_log  /dev/null;
+
+   location / {
+   proxy_set_header X-Forwarded-For $remote_addr;
+   proxy_pass http://localhost:8280;
+        }
+}
+
+server {
+  listen 80;
+  listen [::]:80;
+  server_name changethis;
+  return 301 https://changethis$request_uri;
+  }