Skeleton web stack using Docker Compose, PostgreSQL, PostgREST, Nginx and Auth0.
acme-challenge
certificates
data
database
log
www
.gitignore
LICENSE
README.md
docker-compose.yml
live.yml
make-backup
make-dhparam
nginx-init
post-receive
rebuild
restore-backup
server.key
site.conf

README.md

Postgrest Skeleton

Stack:

Setting up a server

Assuming an Ubuntu Xenial 16.04 server.

sudo apt-get install apt-transport-https ca-certificates
sudo apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
echo "deb https://apt.dockerproject.org/repo ubuntu-xenial main" | sudo tee /etc/apt/sources.list.d/docker.list
sudo apt-get purge lxc-docker
sudo apt-get update
sudo apt-get install linux-image-extra-$(uname -r) git curl docker-engine openssl
curl -L https://github.com/docker/compose/releases/download/1.6.2/docker-compose-`uname -s`-`uname -m` | sudo tee /usr/local/bin/docker-compose > /dev/null
sudo chmod +x /usr/local/bin/docker-compose
sudo service docker start
sudo docker run hello-world
docker-compose --version
sudo gpasswd -a $USER docker
sudo mkdir -p /srv/live.git /srv/live/certificates /srv/backups
sudo chown -R :adm /srv/live.git /srv/live /srv/backups
sudo chmod -R g+rwx /srv/live.git /srv/live /srv/backups
git init --bare /srv/live.git
openssl dhparam -out /srv/live/certificates/dhparam.pem 4096
crontab -e # Add '00 00 * * * /srv/live/make-backup'

git remote add staging staging.example.com:/srv/live.git
scp post-receive staging.example.com:/srv/live.git/hooks
nano site.conf
scp site.conf staging.example.com:/srv/live.git/
git push staging

Local testing

docker-compose start

Staging

source site.conf
export DOMAIN CERT_EMAIL JWT_SECRET POSTGRES_PASSWORD AUTHENTICATOR_PASSWORD
alias dc='docker-compose -f docker-compose.yml -f live.yml'
dc stop; dc rm -f; dc create; dc start; dc logs

Production

docker-compose -f docker-compose.yml -f staging.yml -f production.yml start

Using

Staging

Deployment

docker-compose -f docker-compose.yml -f production.yml start

Dependencies

Make sure you have a recent version of docker, at least version 1.10.0.

https://docs.docker.com/engine/installation/linux/ubuntulinux/

Make sure you have a recent version of docker-compose, at least version 1.6.

curl -L https://github.com/docker/compose/releases/download/1.6.2/docker-compose-`uname -s`-`uname -m` | sudo tee /usr/local/bin/docker-compose > /dev/null
sudo chmod +x /usr/local/bin/docker-compose

To recompile the JavaScript you need Google Closure.

closure-compiler --language_out ECMASCRIPT5_STRICT --js js/*.js > www/min.js

Starting

docker-compose up

To start with a clean build

docker-compose stop
sudo rm -rf data/data
docker-compose rm -f
docker-compose create
docker-compose start

Raw database access

docker exec -ti -u postgres example_dbm_1 psql -d example -P pager=off

Dump database for backups

docker exec -ti -u postgres example_dbm_1 pg_dump -a --inserts example

JWT token:

Example token (with signature removed):

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyb2xlIjoiYXV0aG9yIiwidXNlcmlkIjoiYXV0aDB8NTZkZWEwYjM4MWRlMjkyZTBjYjc1OTY1IiwiaXNzIjoiaHR0cHM6Ly9vcGVuZXRoLmF1dGgwLmNvbS8iLCJzdWIiOiJhdXRoMHw1NmRlYTBiMzgxZGUyOTJlMGNiNzU5NjUiLCJhdWQiOiJBWm10a0JONXpER0VSSmVzRlpHRlM4dllKWXlaVHJEbyIsImV4cCI6MTQ1NzQ4NjM5MywiaWF0IjoxNDU3NDUwMzkzfQ.2DIZz2bf19Jr9UaNA3DLl263JqzXvrAUky3Vr_ZgIbQ
{
	"role": "author",
	"userid": "auth0|56dea0b381de292e0cb75965",
	"iss": "https://example.auth0.com/",
	"sub": "auth0|56dea0b381de292e0cb75965",
	"aud": "AZmtkBN5zDGERJesFZGFS8vYJYyZTrDo",
	"exp": 1457486393,
	"iat": 1457450393
}

The role claim is mapped to a PostgreSQL role; sub is used to uniquely identify users.
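An added example (not code from this repository) of the checks that have to pass before the role and sub claims of such a token can be trusted: a pinned HS256 algorithm, a signature that matches the shared secret, the expected audience, and an unexpired exp. The secret value and all function names are constructed for illustration; how JWT_SECRET is encoded in a real deployment is an assumption.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values; the claims mirror the example payload above.
SECRET = b"constructed-demo-secret"  # assumption: stands in for JWT_SECRET
AUDIENCE = "AZmtkBN5zDGERJesFZGFS8vYJYyZTrDo"
CLAIMS = {"role": "author", "sub": "auth0|56dea0b381de292e0cb75965",
          "aud": AUDIENCE, "exp": 1457486393, "iat": 1457450393}

def b64d(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims, secret):
    # Hypothetical helper, used only to build the constructed sample token.
    body = ".".join(b64e(json.dumps(part, separators=(",", ":")).encode())
                    for part in ({"typ": "JWT", "alg": "HS256"}, claims))
    mac = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return body + "." + b64e(mac)

def verify_hs256(token, secret, audience, now=None):
    """Return the claims of a valid token, else raise ValueError."""
    try:
        head, payload, sig = token.split(".")
        header, signature = json.loads(b64d(head)), b64d(sig)
    except Exception as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm: the token must not choose it (rejects alg "none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{head}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64d(payload))  # parsed only after the MAC checks out
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if (time.time() if now is None else now) >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims

if __name__ == "__main__":
    claims = verify_hs256(sign_hs256(CLAIMS, SECRET), SECRET, AUDIENCE, now=1457450393)
    print(claims["role"], claims["sub"])
```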

Regenerating Diffie-Hellman parameters

Goal:

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

openssl dhparam -out certificates/dhparam.pem 4096

Content Security Policy