Add dooris (2.0)

2025-05-29 17:42:59 +02:00 · 2025-05-29 17:42:59 +02:00 · 7526d1c6a1
commit 7526d1c6a1
parent 9c44edece2
7 changed files with 340 additions and 11 deletions
--- a/resources/z9/dooris/docker_compose/compose.yaml.j2
+++ b/resources/z9/dooris/docker_compose/compose.yaml.j2
@ -0,0 +1,22 @@
+---
+
+services:
+  dooris:
+    image: git.hamburg.ccc.de/ccchh/hmdooris/hmdooris:latest
+    environment:
+      HMDOORIS_ALLOWED_IPS: "2a07:c481:1:c8::/64 2a01:170:118b::/56"
+      HMDOORIS_CCUJACK_CERTIFICATE_PATH: false
+      HMDOORIS_CCUJACK_PASSWORD: "{{ secret__dooris_ccujack_password }}"
+      HMDOORIS_CCUJACK_URL: https://hmdooris-ccu.ccchh.net:2122
+      HMDOORIS_CCUJACK_USERNAME: dooris
+      HMDOORIS_CLIENT_ID: dooris
+      HMDOORIS_CLIENT_SECRET: "{{ secret__dooris_client_secret }}"
+      HMDOORIS_DISCOVERY_URL: https://id.hamburg.ccc.de/realms/ccchh/.well-known/openid-configuration
+      HMDOORIS_LISTEN: '0.0.0.0:3000'
+      HMDOORIS_REQUIRES_GROUP: intern
+      HMDOORIS_URL: https://dooris.ccchh.net
+      PYTHONWARNINGS: "ignore:Unverified HTTPS request"
+      #DEBUG: true
+    ports:
+      - "127.0.0.1:3000:3000"
+    restart: unless-stopped
--- a/resources/z9/dooris/nginx/dooris.ccchh.net.conf
+++ b/resources/z9/dooris/nginx/dooris.ccchh.net.conf
@ -0,0 +1,34 @@
+# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
+server {
+    listen [::]:443 ssl http2;
+
+    server_name dooris.ccchh.net;
+
+    ssl_certificate /etc/letsencrypt/live/dooris.ccchh.net/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/dooris.ccchh.net/privkey.pem;
+    # verify chain of trust of OCSP response using Root CA and Intermediate certs
+    ssl_trusted_certificate /etc/letsencrypt/live/dooris.ccchh.net/chain.pem;
+
+    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+    add_header Strict-Transport-Security "max-age=63072000" always;
+
+    proxy_set_header Host $host;
+    proxy_set_header X-Forwarded-Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Port 443;
+    # This is https in any case.
+    proxy_set_header X-Forwarded-Proto https;
+    # Hide the X-Forwarded header.
+    proxy_hide_header X-Forwarded;
+    # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
+    # is transparent).
+    # Also provide "_hidden" for by, since it's not relevant.
+    proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
+    proxy_intercept_errors off;
+
+    location / {
+        proxy_pass http://127.0.0.1:3000/;
+    }
+}