2025-11-04

This commit is contained in:
gcch 2025-11-04 13:21:41 +01:00
commit c986904382
1626 changed files with 5641 additions and 1921 deletions


@ -0,0 +1,56 @@
worker_processes 1;
user root;
# Modules
include /etc/angie/modules-enabled/*.conf;
pcre_jit on;
pid /run/angie.pid;
error_log /dev/stdout info;
events {
worker_connections 2048;
multi_accept on;
use epoll;
}
http {
############# Angie conf
include /etc/angie/mime.types;
include /etc/angie/compression.conf;
include /etc/angie/fastcgi.conf;
error_log /dev/stdout info;
aio threads;
aio_write on;
directio 256k;
sendfile on;
sendfile_max_chunk 256k;
server_names_hash_bucket_size 128;
tcp_nodelay on;
tcp_nopush on;
http2 on;
source_charset utf-8; # same value as "charset"
############## Let Angie see client real IPs
real_ip_header X-Forwarded-For;
set_real_ip_from traefik;
############## Angie security
client_body_buffer_size 10K;
client_body_timeout 12;
client_header_buffer_size 1k;
client_header_timeout 12;
client_max_body_size 8M;
keepalive_timeout 15;
large_client_header_buffers 4 8k;
proxy_hide_header X-Powered-By;
send_timeout 10;
server_tokens off;
############# WP conf
include /etc/angie/haikuatelier.conf;
}
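Review bot: `user root;` on the second line of this file makes every Angie worker process run as root, so any flaw in the server or in a module loaded from `/etc/angie/modules-enabled/` executes with full privileges; the modules-package configuration added elsewhere in this commit uses `user www-data;`, and this file should do the same with whichever unprivileged account owns `/var/www/wordpress/web`. `error_log /dev/stdout info;` is declared both at top level and again inside `http {}`, so the inner one is redundant. `set_real_ip_from traefik;` names a host rather than an address; nginx's realip module accepts only an address, CIDR or `unix:` and I cannot tell from here whether Angie resolves hostnames, so confirm this passes a config test and that the resolved value cannot change under the server, because a wrong trusted range lets any client spoof `X-Forwarded-For` into `$remote_addr`.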


@ -0,0 +1,117 @@
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/angie.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
root html;
index index.html index.htm;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with Angie's one
#
#location ~ /\.ht {
# deny all;
#}
}
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;
# location / {
# root html;
# index index.html index.htm;
# }
#}
# HTTPS server
#
#server {
# listen 443 ssl;
# server_name localhost;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
# location / {
# root html;
# index index.html index.htm;
# }
#}
}
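Review bot: This file has the shape of the stock sample configuration (listens on 80 with `root html`, every other block commented out) and nothing else in this commit references it, so it is probably dead weight in the image; if it is meant to be active it sets no `user` directive and leaves `server_tokens` at its default, which discloses the server version in responses. Either remove it or add `user www-data;` and `server_tokens off;` so it matches the real configuration.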


@ -0,0 +1,201 @@
###
## This file comes with the "Angie modules" on https://deb.paranoid.nl/angie-modules
## It contains various optimizations, examples and tweaks.
####
user www-data;
worker_processes auto;
worker_rlimit_nofile 10000;
pid /run/angie.pid;
include /etc/angie/modules-enabled/*.conf;
pcre_jit on;
events {
worker_connections 8192; # this can go as high as ulimit -n
multi_accept on;
use epoll;
}
http {
##
# Basic Settings
##
aio threads;
aio_write on;
sendfile on;
directio 256k;
sendfile_max_chunk 256k;
tcp_nopush on;
tcp_nodelay on;
include /etc/angie/mime.types;
server_name_in_redirect off; # if off, angie will use the requested Host header
source_charset utf-8; # same value as "charset"
###
## Enable security_headers only if you installed/enabled the module
###
# security_headers on;
###
## Enable other security headers.
###
# hide_server_tokens on;
# fastcgi_hide_header X-Powered-By;
# server_tokens off;
##
# Optimizing TLS over TCP to reduce latency (Cloudflare patch)
##
# ssl_dyn_rec_enable on;
##
# Enable HTTP2 and HTTP3
#
http2 on;
#http3 on;
##
# SSL Settings
##
# Enable only if you are running on a openssl3 build and kernel 4.17 or higher
# You need to do `modprobe tls` to load the kernel TLS module
#ssl_conf_command Options KTLS;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_dhparam /etc/angie/dhparam.pem;
ssl_ecdh_curve secp521r1:secp384r1;
ssl_session_tickets off;
ssl_early_data on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1440m;
# OCSP Stapling
# fetch OCSP records from URL in ssl_certificate and cache them
# Please enter your own nameservers for security
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 8.8.8.8 valid=300;
##
# Logging Settings
##
## Log Format
log_format main '$remote_addr $host $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $ssl_cipher $request_time';
access_log /var/log/angie/access.log;
error_log /var/log/angie/error.log;
##
# Gzip Settings
##
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_min_length 250;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Brotli settings (Please load module first!)
##
#brotli on;
#brotli_comp_level 4;
#brotli_buffers 32 8k;
#brotli_min_length 1000;
#brotli_static on;
#brotli_types image/svg+xml text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon;
##
# ZSTD Settings (Please load module first!)
##
#zstd on;
#zstd_min_length 256; # no less than 256 bytes
#zstd_comp_level 3; # set the level to #
#zstd_buffers 32 8k;
#zstd_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/ xml+rss text/javascript image/x-icon;
###
## Miscellaneous
###
# cache informations about FDs, frequently accessed files
# can boost performance, but you need to test those values
#open_file_cache max=200000 inactive=20s;
#open_file_cache_valid 30s;
#open_file_cache_min_uses 2;
#open_file_cache_errors on;
server_names_hash_bucket_size 256;
server_names_hash_max_size 2048;
variables_hash_bucket_size 256;
variables_hash_max_size 2048;
map_hash_max_size 2048;
map_hash_bucket_size 256;
#postpone_output 1440; # postpone sends to match our machine's MSS
read_ahead 512K; # kernel read head set to the output_buffers
output_buffers 4 512k;
# Buffer size for POST submissions
client_body_buffer_size 80K;
client_max_body_size 16m;
# Buffer size for Headers
client_header_buffer_size 1k;
# Timeouts, do not keep connections open longer then necessary to reduce
# resource usage and deny Slowloris type attacks.
client_body_timeout 12; # maximum time between packets the client can pause when sending angie any data
client_header_timeout 12;# maximum time the client has to send the entire header to ngin
keepalive_timeout 15; # timeout which a single keep-alive client connection will stay open
keepalive_disable none; # allow all browsers to use keepalive connections
keepalive_requests 5000; # number of requests per connection, does not affect SPDY
reset_timedout_connection on; # Allow the server to close the connection after a client stops responding.
send_timeout 12;
##
# Virtual Host Configs
##
include /etc/angie/conf.d/*.conf;
include /etc/angie/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.angie.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
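Review bot: `ssl_early_data on;` accepts TLS 1.3 0-RTT data, which can be replayed by anyone who captured it, and nothing in this block forwards the `$ssl_early_data` flag to the application so it cannot reject replayed non-idempotent requests; either drop the directive or pass the flag on, e.g. `proxy_set_header Early-Data $ssl_early_data;` (or the fastcgi equivalent) in the proxied locations so the backend can answer 425 Too Early. As far as this commit shows, TLS terminates at Traefik and Angie is reached as `http://proxy:80`, so these `ssl_*` directives may be inactive today, but they will bite the first time a `listen ... ssl` server is added. The comment above `resolver 1.1.1.1 8.8.8.8 valid=300;` itself asks for your own nameservers; as written, OCSP stapling lookups go over plaintext DNS to public resolvers. `ssl_ecdh_curve secp521r1:secp384r1;` omits X25519, which most current clients prefer; that is a performance rather than a security point.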


@ -0,0 +1,102 @@
gzip on;
gzip_comp_level 9;
gzip_http_version 1.1;
gzip_min_length 512;
gzip_buffers 32 4K;
gzip_proxied any;
gzip_vary on;
gzip_disable "msie6";
gzip_static on;
gzip_types
application/atom+xml
application/geo+json
application/javascript
application/json
application/ld+json
application/manifest+json
application/rdf+xml
application/rss+xml
application/vnd.api+json
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-opentype
application/x-font-truetype
application/x-font-ttf
application/x-javascript
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/eot
font/opentype
font/otf
font/ttf
image/bmpg
image/svg+xml
image/vnd.microsoft.icon
image/x-icon
text/cache-manifest
text/css
text/html
text/javascript
text/plain
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy
text/xml;
brotli on;
brotli_buffers 32 4K;
brotli_comp_level 6;
brotli_min_length 1000;
brotli_static on;
brotli_types application/atom+xml application/javascript application/json application/vnd.api+json application/rss+xml
application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype
application/x-font-ttf application/x-javascript application/xhtml+xml application/xml
font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon
image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;
zstd on;
zstd_buffers 32 4K;
zstd_comp_level 3;
zstd_min_length 1000;
zstd_static on;
zstd_types
application/atom+xml
application/geo+json
application/javascript
application/json
application/ld+json
application/manifest+json
application/rdf+xml
application/rss+xml
application/vnd.api+json
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-opentype
application/x-font-truetype
application/x-font-ttf
application/x-javascript
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/eot
font/opentype
font/otf
font/ttf
image/bmpg
image/svg+xml
image/vnd.microsoft.icon
image/x-icon
text/cache-manifest
text/css
text/html
text/javascript
text/plain
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy
text/xml;
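Review bot: `image/bmpg` appears in both `gzip_types` and `zstd_types` and is not a MIME type the mime.types file in this commit ever emits (it maps `.bmp` to `image/x-ms-bmp`), so the entry never matches; either correct it to `image/x-ms-bmp` or drop it. `text/html` is always compressed by the gzip module and listing it under `gzip_types` produces a duplicate-MIME-type warning on config test. Compressing dynamic HTML that reflects request input next to secrets such as nonces or CSRF tokens is what makes the BREACH side channel possible; for a WordPress front end it is worth confirming that such pages are either not compressed or that the application rotates its tokens, and that Traefik's `compress` middleware in the same chain is not compressing the same responses a second time.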


@ -0,0 +1,20 @@
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REDIRECT_STATUS 200;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_index index.php;
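Review bot: The haikuatelier server block in this commit runs `fastcgi_split_path_info` before including this file, but nothing here exports the result, so `PATH_INFO` never reaches PHP-FPM; add `fastcgi_param PATH_INFO $fastcgi_path_info;` if path-info routing is intended, otherwise the split directive there is dead. There is also no `HTTPS` or `REQUEST_SCHEME` parameter, and since TLS terminates at Traefik `$https` would be empty anyway, so confirm WordPress derives the scheme from `X-Forwarded-Proto` in its configuration or it will emit `http://` URLs and mixed-content redirects. `SERVER_SOFTWARE nginx/$nginx_version` hands the exact server version to every script and to any debug page that dumps `$_SERVER`; a fixed value such as `fastcgi_param SERVER_SOFTWARE angie;` is enough.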


@ -0,0 +1,52 @@
server {
listen 80;
server_name _;
root /var/www/wordpress/web;
index index.html index.php;
access_log /var/log/angie/haikuatelier-access.log;
error_log /var/log/angie/haikuatelier-error.log;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
# Point d'accès pour vérifier la santé du conteneur Angie.
location = /health {
access_log off;
add_header "Content-Type" "text/plain";
return 200 "UP";
}
location = /robots.txt {
log_not_found off;
access_log off;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location ~ \.php$ {
fastcgi_pass wordpress:9000;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include /etc/angie/fastcgi.conf;
try_files $uri =404;
}
location ~* .(jpg|jpeg|png|gif|ico|css|js)$ {
expires 365d;
}
location / {
try_files $uri $uri/ /index.php?$args;
}
location * {
add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS";
add_header "Access-Control-Allow-Origin" "*";
add_header "Cross-Origin-Opener-Policy" "unsafe-none";
add_header "Cross-Origin-Resource-Policy" "cross-origin";
}
}
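Review bot: `location * {` is not a valid location form; `*` is not a modifier, so the server parses it as a literal prefix that no request URI beginning with `/` can match, and the four `add_header` lines in that block are dead (a config test may reject it outright). If site-wide headers were intended they belong at `server` level, but as written they would re-enable wide-open cross-origin access (`Access-Control-Allow-Origin "*"`, `Cross-Origin-Resource-Policy cross-origin`, `Cross-Origin-Opener-Policy unsafe-none`) that the Traefik `security` middleware in this commit deliberately restricts, so deleting the block is the safer fix. Two further points on the same server block: the static-asset regex `~* .(jpg|jpeg|png|gif|ico|css|js)$` has an unescaped dot and should read `~* \.(jpg|jpeg|png|gif|ico|css|js)$`, and there is no rule preventing PHP execution under the uploads tree or blocking dotfiles (`.env`, `.git`, `.user.ini`) under the document root; the fence adds both ahead of the `\.php$` location so they take precedence.
```nginx
    # Dotfiles under the docroot (.env, .git, .user.ini) must never be served
    location ~ /\.(?!well-known/) {
        deny all;
    }
    # PHP placed in the user-writable uploads tree must never be executed
    location ~* /uploads/.*\.php$ {
        deny all;
    }
    # … unchanged: \.php$ location and the rest of the server block …
```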


@ -0,0 +1,99 @@
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/avif avif;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/wasm wasm;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}

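--- a/containers/conf/php.ini
+++ b/containers/conf/php.ini
@@ -0,0 +1,14 @@
+allow_url_fopen = 0
+allow_url_include = 0
+cgi.fix_pathinfo = 0
+display_errors = 0
+display_startup_errors = 0
+expose_php = 0
+file_uploads = On
+max_execution_time = 600
+max_input_time = 600
+max_input_vars = 2000
+memory_limit = 1024M
+post_max_size = 32M
+register_globals = Off
+upload_max_filesize = 32M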
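Review bot: `display_errors = 0` is set but nothing here sets `log_errors`, so if this file replaces rather than extends php.ini-production, confirm errors still reach PHP-FPM's error log; adding `log_errors = On` makes the intent explicit and keeps failures visible to operators. `register_globals = Off` has not existed since PHP 5.4 and is ignored, so it only suggests a protection that is no longer a setting; drop it. Session cookie hardening is absent, and for a site served only over HTTPS `session.cookie_httponly = 1` and `session.cookie_secure = 1` are the usual additions; `memory_limit = 1024M` with `max_execution_time = 600` lets a single request hold a gigabyte for ten minutes, so confirm that is deliberate rather than a leftover from a bulk import.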


@ -0,0 +1,7 @@
---
# yaml-language-server: $schema=https://www.schemastore.org/traefik-v3.json
tls:
certificates:
- certFile: "/etc/certs/_wildcard.gcch.local.pem"
keyFile: "/etc/certs/_wildcard.gcch.local-key.pem"
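Review bot: `keyFile` points at `/etc/certs/_wildcard.gcch.local-key.pem`, a name matching what mkcert produces for a local wildcard; with 1626 files in this commit, confirm the private key itself is mounted at runtime and not tracked in the repository. A wildcard for `gcch.local` is fine for a development CA, but the same certificate and key should not be reused for anything reachable beyond the development host.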


@ -0,0 +1,59 @@
---
# yaml-language-server: $schema=https://www.schemastore.org/traefik-v3.json
http:
middlewares:
compression:
compress:
excludedContentTypes:
- text/event-stream
security:
headers:
accessControlAllowCredentials: true
accessControlAllowHeaders: "content-type"
accessControlAllowMethods:
- GET
- OPTIONS
- POST
- PUT
accessControlAllowOriginListRegex: "https://.*\\.gcch\\.local(.*)"
accessControlMaxAge: 100
addVaryHeader: true
browserXssFilter: true
contentTypeNosniff: true
customFrameOptionsValue: SAMEORIGIN
featurePolicy: "camera 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none'; vibrate 'self';"
forceSTSHeader: false
frameDeny: true
hostsProxyHeaders:
- "X-Forwarded-Host"
isDevelopment: true
referrerPolicy: "origin"
stsPreload: true
stsSeconds: 315360000
tls:
options:
default:
alpnProtocols:
- h2
- http/1.1
cipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
curvePreferences:
- CurveP521
- CurveP384
minVersion: VersionTLS12
sniStrict: true
mintls13:
minVersion: VersionTLS13
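Review bot: `accessControlAllowCredentials: true` is combined with `accessControlAllowOriginListRegex: "https://.*\\.gcch\\.local(.*)"`, and that pattern is anchored at neither end; Traefik applies it as a Go regexp that matches anywhere in the string, so an origin that merely contains `.gcch.local` somewhere in its host name satisfies it and is echoed back with credentials allowed. Anchor it and restrict the label, e.g. `accessControlAllowOriginListRegex: "^https://([a-z0-9-]+\\.)?gcch\\.local$"`. `frameDeny: true` and `customFrameOptionsValue: SAMEORIGIN` conflict (the custom value wins, so DENY is never sent), `browserXssFilter` and `featurePolicy` emit headers browsers have deprecated in favour of `permissionsPolicy`, and `isDevelopment: true` makes Traefik ignore the STS options below it, so `stsPreload` and `stsSeconds` have no effect until it is removed. In the TLS options, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256` is the only CBC suite in an otherwise AEAD-only list and can be dropped, while the three `TLS_AES_*`/`TLS_CHACHA20_*` entries are TLS 1.3 suites that Go's TLS stack does not let you configure, so they are silently ignored.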


@ -0,0 +1,48 @@
---
# yaml-language-server: $schema=https://www.schemastore.org/traefik-v3.json
http:
routers:
haikuatelier:
entryPoints:
- websecure
middlewares:
- compression
- security
rule: Host(`haikuatelier.gcch.local`)
service: service-haikuatelier
tls: true
jaeger:
entryPoints:
- websecure
middlewares:
- compression
- security
rule: Host(`jaeger.gcch.local`)
service: service-jaeger
tls: true
jaeger-http:
entryPoints:
- websecure
middlewares:
- compression
- security
rule: Host(`jaeger-http.gcch.local`)
service: service-jaeger-http
tls: true
monitor:
entryPoints:
- websecure
rule: Host(`monitor.gcch.local`)
service: api@internal
tls: true
whoami:
entryPoints:
- websecure
rule: Host(`gcch.local`)
service: service-whoami
tls: true
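Review bot: The `monitor` router publishes `api@internal` (the Traefik dashboard and API) on `websecure` with no middleware at all, and the static configuration in this commit sets `api.insecure: true`, so anyone who can resolve `monitor.gcch.local` and reach port 443 can browse every router, service and backend URL of the stack. Even on a development host it is worth attaching a `basicAuth` or `forwardAuth` middleware to that router and turning `api.insecure` off once the router exists. The `monitor` and `whoami` routers also omit the `security` middleware the other routers attach, and `jaeger-http` exposes Jaeger's OTLP ingest port 4318 through the same public entry point without authentication, which lets any client push arbitrary traces into the collector.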


@ -0,0 +1,24 @@
---
# yaml-language-server: $schema=https://www.schemastore.org/traefik-v3.json
http:
services:
service-haikuatelier:
loadBalancer:
servers:
- url: "http://proxy:80"
service-jaeger:
loadBalancer:
servers:
- url: "http://jaeger:16686"
service-jaeger-http:
loadBalancer:
servers:
- url: "http://jaeger:4318"
service-whoami:
loadBalancer:
servers:
- url: "http://whoami"


@ -0,0 +1,60 @@
---
# yaml-language-server: $schema=https://www.schemastore.org/traefik-v3.json
accessLog:
# Journalise l'accès aux ressources internes.
addInternals: false
# Chemin du fichier où les journaux seront enregistrés.
bufferingSize: 100
# Format des journaux.
filePath: "/var/log/traefik/access_log.log"
# Créé un buffer de n lignes avant d'écrire les journaux. Permet de journaliser de manière asynchrone.
format: "common"
api:
# Active le tableau de bord Traefik.
dashboard: true
# Active des points d'accès de déboguage.
debug: false
# Rend l'API directement disponible sans sécurisation.
insecure: true
entryPoints:
ping:
address: ":8082"
web:
address: ":80"
http:
redirections:
entryPoint:
scheme: https
to: websecure
websecure:
address: ":443"
global:
# Vérifie la disponibilité d'une version plus récente de Traefik.
checkNewVersion: true
# Partage des données avec l'éditeur de Traefik.
sendAnonymousUsage: false
log:
filePath: "/var/log/traefik/traefik.log"
format: common
level: "INFO"
maxBackups: 0
maxSize: 100
ping:
# Nom du point d'entrée de ping.
entryPoint: "ping"
providers:
docker:
endpoint: unix:///var/run/docker.sock
exposedByDefault: false
network: haiku-network
watch: true
file:
directory: "/etc/traefik/dynamic"
watch: true
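Review bot: The comments under `accessLog` are shifted one line from the keys they describe: `bufferingSize` is annotated as the log file path, `filePath` as the log format, and `format` as the buffering explanation; move each comment up so it sits above its own key. `api.insecure: true` (which the comment here correctly describes as exposing the API without protection) also opens the API and dashboard on the unauthenticated `traefik` entry point on port 8080, in addition to the `monitor` router defined elsewhere in this commit; if the dashboard is meant to be reached only through that router, set it to `false`. `providers.docker.endpoint: unix:///var/run/docker.sock` hands the Traefik container root-equivalent control of the host if it is ever compromised; mounting the socket read-only or routing through a socket proxy that exposes only the container-listing endpoints limits that, and `exposedByDefault: false` is the right choice and should stay.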

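--- a/containers/conf/valkey.conf
+++ b/containers/conf/valkey.conf
@@ -0,0 +1,3 @@
+appendonly yes
+maxmemory 1024mb
+maxmemory-policy allkeys-lru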
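Review bot: No `requirepass`, `bind` or `protected-mode` directive is set, so any container that can reach this Valkey instance on the shared Docker network can read, write and flush it without authentication, with the administrative `CONFIG` and `DEBUG` commands still enabled. If it is only a cache for WordPress on an internal network that may be acceptable, but `requirepass <placeholder-secret>` (with the client configured to match) and `rename-command` for the administrative commands are cheap insurance. `maxmemory-policy allkeys-lru` together with `appendonly yes` means evictions are persisted too, which is fine for a cache but means the AOF is not a reliable store of anything the application writes here.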