Sign upLogin

200ok-ch/organice

View on GitHub
Star
contrib/organice-webdav-traefik/README.org

Summary

Maintainability
Test Coverage
#+TITLE: Docker Webdav backend for Organice

This repository provides a ~docker compose~ file which makes it easy for [[https://traefik.io][Traefik]]
users to set up a Webdav backend for [[https://organice.200ok.ch][Organice]]. Please note that this is still a WIP.
Moreover, my knowledge of network security is very minimal. Use at your own risk.

The webdav container in this repository was forked from https://github.com/gallofeliz/simple-docker-webdav
- I have only applied minor modifications to the original version.

** docker compose file
This is a sample =docker-compose.yml= file which will set up an instance
of Organice and a Webdav backend with Traefik. Please note that this
Webdav backend provides neither authentication nor traffic encryption.
You /must/ set up a reverse proxy (such as Traefik) in front of it in
order to make it secure.

The following example sets up HTTP Basic Auth (via Traefik) in front of
the Webdav container. Other options - such as IP whitelisting - are
available; please refer to the comments in the ~docker-compose~ file below. It also
sets up Let's Encrypt certificates automatically.

#+begin_src yaml :tangle docker-compose.yml
version: "3.7"

services:
  traefik:
    container_name: traefik
    image: "traefik:v2.10"
    command:
      - --entrypoints.websecure.address=:443
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --certificatesresolvers.le.acme.email=${EMAIL}
      - --certificatesresolvers.le.acme.storage=/acme.json
      - --certificatesresolvers.le.acme.tlschallenge=true
      - --api
      - --log.filePath=/var/log/error.log
      - --log.level=INFO
      - --accesslog.filepath=/var/log/access.log
      - --accesslog=true
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./traefik/acme.json:/acme.json"
      - "./traefik/log:/var/log"
    labels:
      - "traefik.http.routers.traefik.tls.certresolver=le"
      - "traefik.http.routers.traefik.entrypoints=websecure"
    restart: unless-stopped

  organice:
    image: "twohundredok/organice:latest"
    container_name: organice
    restart: unless-stopped
    evironment:
      - ORGANICE_WEBDAV_URL=https://${DOMAIN}/${WEBDAV_PREFIX}
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.organice.rule=Host(`${DOMAIN}`)"
      # Remove either of the following lines to disable IP whitelisting or basic auth.
      - "traefik.http.middlewares.auth.basicauth.users=${HTTP_AUTH}"
      - "traefik.http.middlewares.ipwl.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.2.0/24"
      # Remove either 'auth' or 'ipwl' below accordingly. Eg:
      # - "traefik.http.routers.organice.middlewares=auth"
      - "traefik.http.routers.organice.middlewares=auth, ipwl"
      - "traefik.http.routers.organice.tls.certresolver=le"
      - "traefik.http.routers.organice.entrypoints=websecure"
      - "traefik.http.services.organice.loadbalancer.server.port=5000"

  webdav:
    build:
      context: ./webdav/
    container_name: webdav
    environment:
      - "PUID=${PUID}"
      - "PGID=${PGID}"
      - "WEBDAV_PREFIX=${WEBDAV_PREFIX}"
    volumes:
      - "${ORG_DIR}:/data"
      - "./webdav/log:/var/log/nginx"
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.webdav.rule=Host(`${DOMAIN}`) && PathPrefix(`/${WEBDAV_PREFIX}`)"
      - "traefik.http.routers.webdav.tls.certresolver=le"
      - "traefik.http.routers.webdav.entrypoints=websecure"
      - "traefik.http.services.webdav.loadbalancer.server.port=80"
      # See above comments to configure IP whitelisting.
      - "traefik.http.routers.webdav.middlewares=auth"
#+end_src

** Environment variables
Configure the following variables in the ~.env~ file as described below.

#+begin_src sh :tangle .env
# User/password pair for Basic Auth.
# Generate a hash of the password with:
# echo $(htpasswd -nb user password)
# Don't forget to escape '$' with an extra '$'
HTTP_AUTH="foobar:$$apr1$$Sb95q920$$ALXNRKanXaXrH1pLS.4Bp."
# Domain name used to access Organice
DOMAIN=organice.example.com
# UID of the user your Org files belong to
PUID=1000
# GID of the group your Org files belong to
PGID=1000
# Subpath of ${DOMAIN} the Webdav server will be providing your Org files from, without slashes.
WEBDAV_PREFIX=webdav
# Directory which contains your Org files
ORG_DIR=/home/foobar/Org
# Email for Let's Encrypt registration
EMAIL=foobar@example.com
# List of Dav methods, as they would be listed in nginx.conf, separated by spaces.
# Set to 'off' for read-only. If not set, all methods are enabled.
DAV_METHODS=
#+end_src

** Setup
Before running ~docker-compose up~, in the directory in which the ~docker-compose.yml~ file is stored, run:

#+begin_src sh
mkdir traefik
touch traefik/acme.json
chmod 600 traefik/acme.json
docker compose build
#+end_src

After running ~docker compose up~, open organice by accessing the domain you have set in the
~.env~ file, then log in using the Webdav backend, whose URL is ~$DOMAIN/$WEBDAV_PREFIX~
and the username and password you have chosen.