This repository has been created as part of an ongoing effort to separate docker from [the CryptPad platform repo](https://github.com/xwiki-labs/cryptpad).
The officially recommended deployment method is to use the `example.nginx.conf` file provided by the core repo and to manage updates directly on the host system using `git`, `npm` (as provided by [nvm](https://github.com/nvm-sh/nvm)) and `bower`.
Docker images and their supporting configuration files are provided as a community effort by those using them, with support provided by the core development team on a _best-effort_ basis. Keep in mind that the core team neither uses nor tests Docker images, so your results may vary.
* **Important**: New images tagged `nginx` and `nginx-alpine` have been added to this repository. The `docker-compose.yml` and `traefik2.yml` examples files have been modified to use the `nginx` image because the legacy versions didn't provide Content-Security-Policy headers which is a requirement to properly expose CryptPad to the internet.
* Mounted files and folders for CryptPad have to be owned by userid 4001. It is possible you have to run `sudo chown -R 4001:4001 filename`. If your container engine uses namespacing to shift uids and gids in the containers, you need correct the uid and gid or to run the command from within the container.
This image provides CryptPad served by Node without certs or CSP. It is up to you to deploy it behind a reverse proxy as per CryptPad's devs recommendations (see [Opening CryptPad to the Internet](https://github.com/xwiki-labs/cryptpad/wiki/Installation-guide#opening-cryptpad-to-the-internet)).
It is kept in order to avoid breaking existing deployment.
If you already have a reverse proxy with CSP properly configured, you can keep using this image.
Otherwise you should use the `nginx` or `nginx-alpine` versions.
Files: `Dockerfile-nginx` and `Dockerfile-nginx-alpine`
This image provides CryptPad proxied by Nginx. It offers more configuration options than the standalone version (but will not run if the bare minimum options aren't set) and lets Nginx handle the different HTTP headers like CSP.
The `docker-entrypoint.sh` script copies Nginx configuration from the example provided in CryptPad repository (see file [`example.nginx.conf`](https://github.com/xwiki-labs/cryptpad/blob/main/docs/example.nginx.conf)) and substitutes the deployment environment variables.
* With minimum settings, Nginx will listen for unencrypted HTTP2 requests on port 80. Most browsers won't be able to connect without a reverse proxy to upgrade the connection (also if you use Traefik, please read `docker-compose.yml` comment above this option).
To disable HTTP2 set the environment variable `CPAD_HTTP2_DISABLE` to `true`.
* If you'd prefer Nginx to terminate TLS connections, provide a fullchain certificate and a key and set `CPAD_TLS_CERT` and `CPAD_TLS_KEY`. Both variables MUST be set for the entrypoint script to set paths in config. You can also provide Diffie-Hellman parameters with `CPAD_TLS_DHPARAM`. If no `dhparam.pem` file is provided, it will be generated upon container start. Beware that this is a time consuming step.
| `CPAD_TRUSTED_PROXY` | Trusted proxy address or CIDR | No | None |
| `CPAD_REALIP_HEADER`| Header to get client IP from (`X-Real-IP` or `X-Forwarded-For`) | No | `X-Real-IP` |
| `CPAD_REALIP_RECURSIVE`| Instruct Nginx to perform a recursive search to find client's real IP (`on`/`off`) (see [ngx_http_realip_module](https://nginx.org/en/docs/http/ngx_http_realip_module.html)) | No | `off` |
| `CPAD_TLS_CERT` | Path to TLS certificate file | No | None |
| `CPAD_TLS_KEY` | Path to TLS private key file | No | None |
| `CPAD_TLS_DHPARAM` | Path to Diffie-Hellman parameters file | No | `/etc/nginx/dhparam.pem` |
| `CPAD_HTTP2_DISABLE` | Disable HTTP2, mostly meant for test purpose | No | `false` |
#### Usage
##### Run with minimal settings:
```
docker run -d -e "CPAD_MAIN_DOMAIN=example.com" -e "CPAD_SANDBOX_DOMAIN=sandbox.example.com" -p 80:80 promasu/cryptpad:nginx
```
##### Run with configuration:
```
docker run -d -e "CPAD_MAIN_DOMAIN=example.com" -e "CPAD_SANDBOX_DOMAIN=sandbox.example.com" \
