libresh / applications Goto Github PK

My mailserver is coming along nicely - incoming email is now working, although there still is some problem with relaying outgoing email. I have to move it from gh:michielbdejong/mail to here.

Not very urgent maybe, but right now, to update DNS I have to log in to namecheap and to gandi. Running the authoritative DNS server on our own servers (one each, for instance?) would allow to automate things more in the long run. It would also be nice to make sure we implement things like ipv6, dnssec, and dane.

https://registry.hub.docker.com/search?q=bind

• discard the current format without tagging it
• start a branch for the proper data format, with /data/server-wide/IMG/ and /data/per-user/DOMAIN/IMG/.
• from there on, data format versioning is 100% per IMG, meaning we don't really need to tag the server-wide portion (being just this super minimal directory path scheme).
• if we ever need to make a breaking change in the data format of an image, then we rename the image, and possibly create a migration script. This means some users may be running 'resite' and some may be running 'resite2', on the same server, without any problem.

Yep!

What do you think of moving these 3 apps to IndieHosters repo?
https://github.com/IndiePaaS

I prefer to have each app on a separate repo, then it is really easy to keep track of everything. It's really modular this way.
We could have then one repo, like this one, that have them all as git submodules.

If you like these 3 images and are ready to merge them into IndieHosters app, and ready to offer them to your clients as well, then, I'll start to rewrite the other apps to fit this "standard" nad move them little by little to this repo.

For me this is the best plan.

What do you think?

Moved from michielbdejong/snickers-applications#13

http://www.open-xchange.com/en/home

After reading all:
http://www.slideshare.net/bobtfish/docker-confjune2014
http://nerds.airbnb.com/smartstack-service-discovery-cloud/
http://clockworkcubed.com/2014/05/consul-and-synapse-service-discovery-and-elastic-load-balancing/
http://jasonwilder.com/blog/2014/02/04/service-discovery-in-the-cloud/
http://jasonwilder.com/blog/2014/07/15/docker-service-discovery/
http://www.consul.io/intro/vs/smartstack.html
http://igor.moomers.org/smartstack-vs-consul/
I feel this is the path:
https://coreos.com/blog/docker-dynamic-ambassador-powered-by-etcd/

Ouh, I'm getting excited :)

So the idea would be to have a manifest file for each of app we support.

I will write a BDD scenario:
Given a user (john) wants to access his wordpress the first time
And the user has already an account with indiehosters
When he goes to his app store page
And he clicks on wordpress
Then he is redirected to john.indiegue.st/wordpress
And our user sees a waiting page
Then our backend catches this http request
And our backend understands that there is no wordpress for this user
And our backend read the manifest file for wordpress
And our backend satisfies MySQl dependencie
(Given a user (john) wants to access his mysql the first time...)
And our backend satisfies all dependencies
And our backend send the http request to the service ambassador
And the service ambassador responds

The idea is that I don't want poor failover made by hand. Technology is mature for kickass failover. I want to have a rocking service. When one of the VM is down, I don't want the service down for the user :) So yes, one MySQL per user, but a replicated master-master one! And every services consuming MySQL are able to do it so, even if one MySQL instance is down :)

I'm still hoping that we don't have to write this manifest file, and could handle it at the Fleet or Docker level.

And about some services that are shared among users (mail, jabber..), I strongly believe we should use the same scemas as for users. We should dog food it ;) It's not a special case, it's just that the user is Michiel instead of John ;)

And I don't think we will run backup of services of each others (cross hosters). I will personaly have 3 VMs, and they'll backup each other. It's either that, or we share a common cluster (3 VMs also, but we can grow them to more).

@pierreozoux we're now both running our personal website on Docker, but we're each using a different setup to do so. Let's talk about how we can converge our setups, so that they become compatible with each other and we can develop it twice as fast! :)

https://github.com/michielbdejong/owncloud

https://github.com/michielbdejong/idno

https://registry.hub.docker.com/search?q=gitlab&searchfield=

https://github.com/search?utf8=%E2%9C%93&q=docker+gitlab&type=Repositories&ref=searchresults

so /data/michielbdejong.com/ instead of /data/michiel/

moved from michielbdejong/snickers-applications#4

https://registry.hub.docker.com/search?q=ghost

https://github.com/search?utf8=%E2%9C%93&q=docker+ghost&type=Repositories&ref=searchresults

I think it's quite clear we want to offer certain base functionality:

• identity: a domain name you control, with a (static) website served over https
• decentralized communication: email, jabber, pubsubhubbub
• blogging: tools so that you can more easily publish content on the web
• file hosting: tools so that you can keep your photos and files on your server

And then there are miscellaneous apps that have some specific functionality, which are each sort of isolated and light-weight to add, like maybe:

• gitlab,
• etherpad,
• bugzilla,
• addressbook,
• calendar,
• etcetera.

but at another level, there is a number of important meta-software projects out there that we may just want to offer hosting for, without them being necessarily a miscellaneous app. Each of them covers basically file sharing + a lot of miscellaneous apps, and each user would need only one of those, because they replace each other. i think at the moment the most important ones in terms of momentum are (my knowledge may be incomplete here?):

• owncloud
• cozycloud
• sandstorm
• yunohost
• arkos
• turnkeylinux

i'm sure there will be others over the years. would it make sense to just try to offer hosting for each of these? i guess each have their pros and cons, and it's good if people can try them out, compare them, and use the best one for daily use on their domain name, hosted by their indiehoster.

Moved from michielbdejong/snickers-applications#5

To install the wordpress wp cli, the setup procedure of the WordPress Dockerfile should run the following as root:

curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
mv wp-cli.phar /usr/local/bin/wp
chmod +x /usr/local/bin/wp
wp --allow-root --info
DB_HOST=172.17.0.5 DB_PORT=3306 DB_NAME=wordpress DB_USER=admin DB_PASS=foo wp --allow-root plugin install wordpress-https
DB_HOST=172.17.0.5 DB_PORT=3306 DB_NAME=wordpress DB_USER=admin DB_PASS=foo wp --allow-root plugin activate wordpress-https

Work-around, on a server that is not live, while using the current wordpress image after you run systemctl start [email protected] on your server, do the following:

• systemctl stop haproxy-confd

• edit /data/runtime/haproxy/haproxy.cfg, changing the line:

  redirect scheme https code 301

to:

use_backend domain.com

If you want to add a wordpress domain to a live server, you will have to do something smarter. :)

• systemctl restart haproxy
• cd /data/domains/domain.com/wordpress/wp-content/
• mkdir plugins
• set the owner and permissions to be the same as for ./uploads, so in my case this was:
  • chown 33:33 plugins
  • chmod 770 plugins
• visit http://domain.com/wp-login.php?a with your browser (the '?a' will clear the 301 out of the browser cache)
• run the setup wizard if you hadn't already
• log in and go to plugins -> add new -> https
• install "WordPress HTTPS (SSL)" by Mike Ems
• make sure to also activate it! Just installing it does nothing.
• systemctl start haproxy-confd
• cat /data/runtime/haproxy/haproxy.cfg, and make sure the 301 redirect is back in place.

https://github.com/cozy/cozy-setup

Moved from michielbdejong/snickers-applications#7

@pierreozoux - which dockerfile are you running for wordpress on your server? can you add it to this repo?

for integration in CoreOS and also on other operating systems, a good to make sure containers are restarted when they die

I think a better name would be michiel-app-store or michiel-implementation. I'll have my own also, and then from October, we'll work on merging both. (it will be easier to do this AFK)

right now, the server-wide services assume that the user's data volume is on the same server. They also assume that all per-user containers are running on the same server. It would be nice to allow for bigger server farms, where one server acts as a load balancer, one as a file server, one as an application server, etcetera.

moved from michielbdejong/snickers-applications#14

We can leave the IndiePaas images where they are https://registry.hub.docker.com/search?q=indiepaas and then add in a mysql server and a /snapshot.sh script where desired/necessary. This is maybe easier than the git submodule approach we tried last week.

@pierreozoux do you agree with this approach?

i just learned a bit about how ynh does this: http://community.remotestorage.io/t/sandstorm-io-personal-cloud-platform/212/5

@pierreozoux you brought this up already, that it's a shitty experience to not have SSO / one single password reset option. maybe we could at least use LDAP as much as possible? we could actually reuse a lot of the packaging work from ynh, there (maybe just Dockerize each ynh app? or even run a ynh server inside Docker or even just without Docker?)

so not specific to the mailserver

This application has a simple manifest file (author: Tim Berners-Lee ;) ) and tared data folder.

I think that our implementation, should be system-wide. For this particular case, I imagine an nginx conf for every /data/user/static-file.
In this folder (like every FOSIA package) there might be a CNAME file, and a corresponding SSL certificate. The nginx conf must take the appropriate decisions regarding these files. (It means either using it, or in case not present, using the default name scheme: user-name.indiehosters.net/service with our certificate)
The folder /data/server-wide/static-html/ link to every per-user folder.
There is also a /data/server-wide/static-html/site-available link to /data/server-wide/static-html/site-available-{timestamp}/.

Then, there is a process watching /data/*/static-html/CNAME,*.cert directory for changes. In case of change, it must:

• re-render nginx.conf template of each relevant site. /data/server-wide/static-html/site-available-{timestamp}/
• check nginx conf files
• update link /data/server-wide/static-html/site-available
• start a new nginx with these confs
• re-render HAproxy/bouncer configuration to point to the new nginx docker (and kill the old one)
• re-render relevant DNS configuration template.
• clean
  (if any of the operations fail, it stops the pipeline)

For now, all the automatic part, I'll do by hand. But what do you think in a general manner about this?

(this implementation is compatible with multi servers if you reconfigure the main HAproxy)

Comments?

Yesterday I moved everything from Chicago (my CoreOS virtual server at rackspace) to Luxemburg (an ubuntu virtual server at Gandi). Bouncer now supports multiple domains, and the run scripts changed a bit - still have to update them here.

I think this is concerning from a security point of view to use this piece of software for the most important part - namely serving ssl certificates. Especially when there is something Industry proven that is doing great job.

Right now, we're using the docker run --restart flag for restart after failure (and the default docker -d -r flag for restart after reboot), but it could have advantages [?-like what?] to switch to systemd or upstart.

Apart from the https plugin, I think we should add:

• IndieWeb plugin, by pfefferle (including all the plugins it requires and recommends!)
• IndieAuth plugin, by pfefferle
• SemPress theme
• A 'Follow me on social media' text widget with content for instance:

<div>
<a href="https://twitter.com/username" rel="me">@username on Twitter</a>
<a href="https://github.com/username" rel="me">@username on GitHub</a>
<div>

I am testing this right now, to see if it is enough to enable login with IndieAuth.

looking at https://github.com/idno/idno/blob/master/docs/install/instructions.rst#use-environment-variables I think what they mean is config.ini is needed for the things that don't change, but we can get rid of the lines that paste env vars into that file