-
Notifications
You must be signed in to change notification settings - Fork 2
/
bookstack.yml
264 lines (236 loc) · 6.76 KB
/
bookstack.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
version: '3.8'
services:
mysql:
image: mysql:8.0
environment:
- MYSQL_ROOT_PASSWORD=MYSQL_PASSWORD
- MYSQL_DATABASE=bookstack
- MYSQL_USER=bookstack
- MYSQL_PASSWORD=MYSQL_PASSWORD
volumes:
- mysql_data:/var/lib/mysql
networks:
bookstack_network:
aliases:
- mysql.local
deploy:
mode: replicated
replicas: 1
placement:
constraints:
- node.labels.hetzner_location == nbg1
dockerautolabel:
image: davideshay/dockerautolabel:latest
configs:
- source: autolabel
target: /config/servicelist.txt
uid: "1000"
gid: "1000"
mode: 0644
volumes:
- /var/run/docker.sock:/var/run/docker.sock
deploy:
placement:
constraints:
- node.role==manager
mysql_backup:
image: neuroforgede/mysql_dump:8.0
command: sh -c "cd /home/user && exec bash mysql_dump.sh"
deploy:
restart_policy:
# hourly
delay: 3600s
resources:
limits:
cpus: "1"
memory: 512M
reservations:
cpus: "0.25"
memory: 256M
environment:
MYSQL_HOST: mysql.local
MYSQL_DB: bookstack
MYSQL_USER: bookstack
SFTP_USER: <snip>
SFTP_TARGET: <snip>.your-storagebox.de
SFTP_BASE_PATH: /mysql
# 336 hours = last 2 weeks
KEEP_LAST_N_DUMPS: 336
secrets:
- source: storagebox_mysql_dump_password
target: storagebox_password
uid: '1000'
gid: '1000'
mode: 0400
- source: mysql_mysqldump_mysqlpassword
target: mysql_mysqldump_mysqlpassword
uid: '1000'
gid: '1000'
mode: 0400
configs:
- source: storagebox_knownhosts
target: /home/user/.ssh/known_hosts
uid: "1000"
gid: "1000"
mode: 0400
- source: mysql_mysqldump_script
target: /home/user/mysql_dump.sh
uid: "1000"
gid: "1000"
mode: 0500
networks:
- bookstack_network
bookstack_storage_backup:
image: docker
entrypoint: "/bin/sh"
command:
- /trigger_bookstack_backup.sh
volumes:
- /var/run/docker.sock:/var/run/docker.sock
configs:
- source: trigger_bookstack_backup
target: /trigger_bookstack_backup.sh
uid: "1000"
gid: "1000"
mode: 0755
deploy:
mode: replicated
replicas: 1
restart_policy:
# hourly
delay: 3600s
resources:
limits:
cpus: "1"
memory: 1024M
reservations:
cpus: "0.25"
memory: 256M
placement:
constraints:
- node.labels.running_bookstack_bookstack == 1
bookstack:
entrypoint: /bin/sh
command:
- -c
- |
chown -R www-data:www-data /var/www/bookstack/public/uploads
chown -R www-data:www-data /var/www/bookstack/storage/uploads
exec /bin/docker-entrypoint.sh
image: ghcr.io/neuroforgede/bookstack-docker-swarm:24.2.2-1
user: root
environment:
- DB_HOST=mysql:3306
- DB_DATABASE=bookstack
- DB_USERNAME=bookstack
- DB_PASSWORD=MYSQL_PASSWORD
- CACHE_DRIVER=database
- SESSION_DRIVER=database
# improve security by only sending cookies via SSL
- SESSION_SECURE_COOKIE=true
# set the APP_ to the URL of bookstack without without a trailing slash APP_URL=https://example.com
- APP_URL=<snip>
# 32 character secret
- APP_KEY=<snip>
# configure this to trust all X-Forwarded-Headers from all proxies, disabled for security reasons
# How to do this on your traefik,
# see https://github.com/neuroforgede/swarmsible/blob/master/environments/test/test-swarm/stacks/01_traefik_public/traefik_public.yml
# - APP_PROXIES=10.0.0.0/8
# enable password protected images and use permission system
- STORAGE_TYPE=local_secure_restricted
- AZURE_APP_ID=<snip>
- AZURE_TENANT=<snip>
- AZURE_APP_SECRET=<snip>
- AZURE_AUTO_REGISTER=true
- AZURE_AUTO_CONFIRM_EMAIL=true
- DRAWIO=https://embed.diagrams.net/?embed=1&proto=json&spin=1&stealth=1
- BACKUP_SFTP_USER=<snip>
- BACKUP_SFTP_TARGET=<snip>.your-storagebox.de
- BACKUP_SFTP_BASE_PATH=/storage
# 336 hours = last 2 weeks
- BACKUP_KEEP_LAST_N_DUMPS=336
volumes:
- uploads:/var/www/bookstack/public/uploads
- storage_uploads:/var/www/bookstack/storage/uploads
networks:
- bookstack_network
- traefik-public
configs:
- source: php_ini
target: /usr/local/etc/php/php.ini
uid: "0"
gid: "0"
mode: 0664
- source: bookstack_backup
target: /bookstack_backup.sh
uid: "1000"
gid: "1000"
mode: 0755
- source: storagebox_knownhosts
target: /root/.ssh/known_hosts
uid: "0"
gid: "0"
mode: 0400
secrets:
- source: storagebox_bookstack_storage_password
target: storagebox_password
uid: '33'
gid: '33'
mode: 0400
deploy:
mode: replicated
replicas: 1
placement:
constraints:
- node.labels.hetzner_location == nbg1
labels:
- "traefik.docker.network=traefik-public"
# ssl is expected to be handled outside via e.g. the Hetzner Load Balancer
- "traefik.enable=true"
- "traefik.http.routers.bookstack-frontend.rule=Host(`your.domain.tld`)"
- "traefik.http.routers.bookstack-frontend.entrypoints=http"
- "traefik.http.services.bookstack-frontend.loadbalancer.server.port=8080"
- "traefik.http.routers.bookstack-frontend.service=bookstack-frontend"
- "traefik.constraint-label=traefik-public"
networks:
bookstack_network:
driver: overlay
attachable: true
driver_opts:
encrypted: ""
traefik-public:
external: true
volumes:
mysql_data:
driver: hetzner-volume
driver_opts:
size: '25'
fstype: ext4
uploads:
driver: hetzner-volume
driver_opts:
size: '10'
fstype: ext4
storage_uploads:
driver: hetzner-volume
driver_opts:
size: '25'
fstype: ext4
secrets:
storagebox_bookstack_storage_password:
file: ./secrets/bookstack_storage_backup/sshpassword
storagebox_mysql_dump_password:
file: ./secrets/mysql_dump/sshpassword
mysql_mysqldump_mysqlpassword:
file: ./secrets/mysql_dump/mysqlpassword
configs:
storagebox_knownhosts:
file: ./configs/known_hosts
mysql_mysqldump_script:
file: ./configs/mysql_dump.sh
autolabel:
file: ./configs/autolabel
trigger_bookstack_backup:
file: ./configs/trigger_bookstack_backup.sh
bookstack_backup:
file: ./configs/bookstack_backup.sh