A lot of improvements (#65)

* change all images to be based on Alpine, easier env file, upgrade Caddy to v2

* postgres username need to me smaller

* add TWITTER to refresher

* fix typo on readme

* remove commented dependency on feedbin Dockerfile

* ignore DL3018 lint rule

.env.example

@@ -1,53 +1,45 @@
-# Minio
-MINIO_ACCESS_KEY=
-MINIO_SECRET_KEY=
-
-# Caddy
-CADDYPATH=/etc/ssl/caddy
-
-# Camo
-CAMO_HOST=https://camo.feedbin.domain.tld
-CAMO_KEY=
-
-# Rails
+# Feedbin
 RACK_ENV=production
 RAILS_ENV=production
 PORT=3000
-SECRET_KEY_BASE=
+SECRET_KEY_BASE= #generate with openssl rand -hex 32
 DEFAULT_URL_OPTIONS_HOST=feedbin.domain.tld
 PUSH_URL=https://feedbin.domain.tld
 FEEDBIN_URL=https://feedbin.domain.tld
 FEEDBIN_HOST=feedbin.domain.tld
 FORCE_SSL=
+FEEDBIN_API_HOST=api.feedbin.domain.tld
 
 # Databases
 ELASTICSEARCH_URL=http://feedbin-elasticsearch:9200
 MEMCACHED_HOSTS=feedbin-memcached:11211
 REDIS_URL=redis://feedbin-redis:6379
 
-POSTGRES=feedbin-postgres
-POSTGRES_USERNAME=feedbin
-POSTGRES_USER=feedbin
-POSTGRES_PASSWORD=
-DATABASE_URL=postgres://feedbin:[Your POSTGRESS_PASSWORD Here]@feedbin-postgres/feedbin_production
+POSTGRES_USER= #generate with openssl rand -hex 16. Don't use long usernames.
+POSTGRES_PASSWORD= #generate with openssl rand -hex 32
 
-# S3
-AWS_ACCESS_KEY_ID=
-AWS_SECRET_ACCESS_KEY=
-AWS_S3_BUCKET=feedbin
-AWS_S3_BUCKET_FAVICONS=feedbin
-AWS_S3_ENDPOINT=https://minio.feedbin.domain.tld
-AWS_S3_PATH_STYLE="true"
-ENTRY_IMAGE_HOST=minio.feedbin.domain.tld
+# Minio
+MINIO_ACCESS_KEY= #generate with openssl rand -hex 32
+MINIO_SECRET_KEY= #generate with openssl rand -hex 32
+MINIO_BUCKET=feedbin
+MINIO_HOST=minio.feedbin.domain.tld
 
 # Extract service (needs to run behind HTTPS:443)
 EXTRACT_HOST=extract.feedbin.domain.tld
-EXTRACT_USER=username
-EXTRACT_SECRET=secret
+EXTRACT_USER= #generate with openssl rand -hex 32
+EXTRACT_SECRET= #generate with openssl rand -hex 32
+
+# Camo
+CAMO_HOST=camo.feedbin.domain.tld
+CAMO_KEY= #generate with openssl rand -hex 32
 
 # SMTP
 SMTP_ADDRESS=
 SMTP_USERNAME=
 SMTP_PASSWORD=
 SMTP_DOMAIN=
 FROM_ADDRESS=
+
+# Twitter
+TWITTER_KEY=
+TWITTER_SECRET=

.github/linters/.hadolint.yml

@@ -1,3 +1,4 @@
 ignored:
   - DL3008
+  - DL3018
   - DL3028

README.md

@@ -41,7 +41,7 @@ git clone https://github.com/angristan/feedbin-docker.git
 
 * Copy `.env.example` to `.env` and fill **ALL** the variables
 * Copy `docker-compose-example.yml` to `docker-compose.yml`. If you want to disable a service this is the place.
-* Copy `caddy/example.Caddyfile` to `caddy/Caddyfile` and update the domains.
+* Copy `caddy/example.Caddyfile` to `caddy/Caddyfile` and update the configuration if you need.
 
 Run the database migrations:
 
@@ -57,16 +57,6 @@ docker-compose up -d
 
 You can check if everything is going well with `docker-compose logs -f` or `docker-compose ps`.
 
-Go to `minio.feedbin.domain.tld`, login with your keys. Then:
-
-* Create a bucket with the button in the bottom right hand corner.
-* Make the bucket public:
-  * On the left sidebar, clic on the 3 dots on thee bucket line
-  * Select add policy
-  * Leave prefix empty (or `*`) and `Read Only` and then select `Add`.
-
-Your bucket is ready.
-
 Now go to `feedbin.domain.tld` and create a new account. You're set!
 
 You can make yourself an admin to manage users and to view the Sidekiq web interface.
@@ -77,4 +67,4 @@ To do so, run:
 docker-compose exec feedbin-web rake feedbin:make_admin[youremail@domain.tld]
 ```
 
-Once you're done, you can prevent new users from registering by [modifying cour Caddy config](https://github.com/angristan/feedbin-docker/issues/3#issuecomment-700286769).
+Once you're done, you can prevent new users from registering by modifying Caddy config and uncommenting the `respond` directive for `/signup` and `/users` routes.

caddy/example.Caddyfile

@@ -1,27 +1,62 @@
-feedbin.domain.tld {
-  gzip
-  proxy / http://feedbin-web:3000 {
-    transparent
+(headers) {
+  header {
+    # enable HSTS
+    Strict-Transport-Security max-age=31536000;
+    # keep referrer data off of HTTP connections
+    Referrer-Policy no-referrer-when-downgrade
+    # Enable cross-site filter (XSS) and tell browser to block detected attacks
+    X-XSS-Protection "1; mode=block"
+    # Disallow the site to be rendered within a frame (clickjacking protection)
+    #X-Frame-Options "DENY"
+    # Prevent search engines from indexing (optional)
+    X-Robots-Tag "none"
+    # Server name removing
+    -Server
+    # opt-out Google FLoC
+    Permissions-Policy "interest-cohort=()"
   }
 }
 
-camo.feedbin.domain.tld {
-  gzip
-  proxy / http://camo:8081 {
-    transparent
-  }
+(encode) {
+  encode zstd gzip
 }
 
-minio.feedbin.domain.tld {
-  gzip
-  proxy / http://minio:9000 {
-    transparent
-  }
+{$FEEDBIN_HOST} {
+  import encode
+  import headers
+
+  reverse_proxy feedbin-web:3000
+
+  # respond /signup/* 403
+  # respond /users/* 403
 }
 
-extract.feedbin.domain.tld {
-  gzip
-  proxy / http://feedbin-extract:3000 {
-    transparent
+{$FEEDBIN_API_HOST} {
+  import encode
+  import headers
+
+  reverse_proxy feedbin-web:3000 {
+    header_up Host api.feedbin.com
   }
 }
+
+{$MINIO_HOST} {
+  import encode
+  import headers
+
+  reverse_proxy feedbin-minio:9000
+}
+
+{$EXTRACT_HOST} {
+  import encode
+  import headers
+
+  reverse_proxy feedbin-extract:3000
+}
+
+{$CAMO_HOST} {
+  import encode
+  import headers
+
+  reverse_proxy feedbin-camo:8081
+}