Merge pull request 'New Instance: stream.whateveritworks.org' (#6) from WhateverItWorks/my-safetwitch-docker-compose:master into master

Reviewed-on: https://codeberg.org/dragongoose/safetwitch/pulls/6
2023-07-15 17:00:53 +00:00 · 2023-07-15 17:00:53 +00:00 · 4d5645f2d0
commit 4d5645f2d0
parent a8fa45c9f4 19cadf69f3
6 changed files with 120 additions and 31 deletions
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
--- a/README.md
+++ b/README.md
@ -204,5 +204,4 @@ Community hosted instances:
 | URL                         | Country | Info |
 |-----------------------------|---------|------|
 | [safetwitch.projectsegfau.lt](https://safetwitch.projectsegfau.lt/) | 🇺🇸 🇮🇳 🇱🇺 | #2   |
-
-
+| [stream.whateveritworks.org](https://stream.whateveritworks.org) | :DE: | Hosted on Hetzner/Dedicated Server with Encryption at rest
--- a/backend-nginx.conf
+++ b/backend-nginx.conf
@ -0,0 +1,42 @@
+server {
+  server_name changethis;
+
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+    ssl_certificate /etc/letsencrypt/live/changethis/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/changethis/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+    add_header strict_sni on;
+    add_header strict_sni_header on;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header Content-Security-Policy upgrade-insecure-requests;
+    add_header X-XSS-Protection "1; mode=block";
+    add_header X-Content-Type-Options nosniff;
+    add_header X-Frame-Options "DENY";
+    add_header Clear-Site-Data "cookies";
+    add_header Referrer-Policy "no-referrer";
+    add_header Permissions-Policy "interest-cohort=(),accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()";
+    resolver 1.1.1.1;
+
+    ssl_trusted_certificate /etc/letsencrypt/live/changethis/chain.pem;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    access_log /dev/null;
+    error_log  /dev/null;
+
+   location / {
+   proxy_set_header X-Forwarded-For $remote_addr;
+   proxy_pass http://localhost:7100;
+        }
+}
+
+server {
+  listen 80;
+  listen [::]:80;
+  server_name changethis;
+  return 301 https://changethis$request_uri;
+  }
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -1,20 +1,41 @@
-version: "3.9"
+version: "3.7"
+
 services:
-  frontend:
-    image: codeberg.org/dragongoose/safetwitch
+  safetwitch-frontend:
+    container_name: safetwitch-frontend
+    hostname: safetwitch-frontend
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - SETGID
+      - SETUID
+    restart: always
+    image: codeberg.org/dragongoose/safetwitch:latest
    ports:
-      - "8080:80"
-    environment: 
-      - SAFETWITCH_BACKEND_DOMAIN=localhost:7000
-      - SAFETWITCH_INSTANCE_DOMAIN=localhost:80
-      - SAFETWITCH_HTTPS=false
+      - "127.0.0.1:8280:80"
+    environment:
+      - SAFETWITCH_BACKEND_DOMAIN=changethis
+      - SAFETWITCH_INSTANCE_DOMAIN=changethis
+      - SAFETWITCH_HTTPS=true
      - SAFETWITCH_DEFAULT_LOCALE=en
-      - SAFETWITCH_FALLBACK_LOCALE=ja
-  backend:
-    image: codeberg.org/dragongoose/safetwitch-backend
+      - SAFETWITCH_FALLBACK_LOCALE=en
+
+  safetwitch-backend:
+    container_name: safetwitch-backend
+    hostname: safetwitch-backend
+    user: 65534:65534
+    read_only: true
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    restart: always
+    image: codeberg.org/dragongoose/safetwitch-backend:latest
    ports:
-      - "7000:7000"
+      - "127.0.0.1:7100:7000"
    environment:
      - PORT=7000
-      - URL=http://localhost:7000
-
+      - URL=https://changethis
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@ -1,15 +0,0 @@
-version: "3.9"
-services:
-  frontend:
-    build: 
-      context: "../"
-      dockerfile: ./docker/Dockerfile
-    ports:
-      - "8080:80"
-    environment: 
-      - SAFETWITCH_BACKEND_DOMAIN=localhost:7000
-      - SAFETWITCH_INSTANCE_DOMAIN=localhost:80
-      - SAFETWITCH_HTTPS=false
-      - SAFETWITCH_DEFAULT_LOCALE=en
-      - SAFETWITCH_FALLBACK_LOCALE=ja
-
--- a/frontend-nginx.conf
+++ b/frontend-nginx.conf
@ -0,0 +1,42 @@
+server {
+  server_name changethis;
+
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+    ssl_certificate /etc/letsencrypt/live/changethis/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/changethis/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+    add_header strict_sni on;
+    add_header strict_sni_header on;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header Content-Security-Policy upgrade-insecure-requests;
+    add_header X-XSS-Protection "1; mode=block";
+    add_header X-Content-Type-Options nosniff;
+    add_header X-Frame-Options "DENY";
+    add_header Clear-Site-Data "cookies";
+    add_header Referrer-Policy "no-referrer";
+    add_header Permissions-Policy "interest-cohort=(),accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()";
+    resolver 1.1.1.1;
+
+    ssl_trusted_certificate /etc/letsencrypt/live/changethis/chain.pem;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    access_log /dev/null;
+    error_log  /dev/null;
+
+   location / {
+   proxy_set_header X-Forwarded-For $remote_addr;
+   proxy_pass http://localhost:8280;
+        }
+}
+
+server {
+  listen 80;
+  listen [::]:80;
+  server_name changethis;
+  return 301 https://changethis$request_uri;
+  }