bb93b0bc61
Signed-off-by: Adrian Nöthlich <git@promasu.tech> |
||
---|---|---|
cryptpad@5979aafdee | ||
customize | ||
.dockerignore | ||
.gitmodules | ||
docker-compose.yml | ||
docker-entrypoint.sh | ||
Dockerfile | ||
Dockerfile-alpine | ||
Dockerfile-nginx | ||
Dockerfile-nginx-alpine | ||
LICENSE | ||
MIGRATION.md | ||
README.md | ||
supervisord.conf | ||
traefik2.yml |
CryptPad docker
This repository has been created as part of an ongoing effort to separate docker from the CryptPad platform repo.
The officially recommended deployment method is to use the example.nginx.conf
file provided by the core repo and to manage updates directly on the host system using git
, npm
(as provided by nvm) and bower
.
🚧 Disclaimer
The Docker images here and their supporting configuration files are provided as is, without warranty, as a community effort. Support is provided by the community and CryptPad developers on a best-effort basis. Please keep in mind, that the core team neither uses nor tests these Docker images, so your results may vary.
Migration
Please see the migration guide for further information on switching to this repository.
General notices
-
Important: New images tagged
nginx
andnginx-alpine
have been added to this repository. Thedocker-compose.yml
andtraefik2.yml
examples files have been modified to use thenginx
image because the legacy versions didn't provide Content-Security-Policy headers which is a requirement to properly expose CryptPad to the internet.
It is recommended to use thepromasu/cryptpad:nginx
image (see CryptPad proxied by Nginx). -
Mounted files and folders for CryptPad have to be owned by userid 4001. It is possible you have to run
sudo chown -R 4001:4001 filename
. If your container engine uses namespacing to shift uids and gids in the containers, you need correct the uid and gid or to run the command from within the container.
Standalone CryptPad
Tags: latest
and alpine
Files: Dockerfile
and Dockerfile-alpine
This image provides CryptPad served by Node without certs or CSP. It is up to you to deploy it behind a reverse proxy as per CryptPad's devs recommendations (see Opening CryptPad to the Internet).
It is kept in order to avoid breaking existing deployment.
If you already have a reverse proxy with CSP properly configured, you can keep using this image.
Otherwise you should use the nginx
or nginx-alpine
versions.
Usage
Run:
docker run -d -p 3000:3000 -p 3001:3001 promasu/cryptpad
Run with customizations:
docker run -d -p 3000:3000 -p 3001:3001 -v ${PWD}/customize:/cryptpad/customize promasu/cryptpad
Run with configuration:
docker run -d -p 3000:3000 -p 3001:3001 -v ${PWD}/config.js:/cryptpad/config/config.js promasu/cryptpad
Run with persistent data:
docker run -d -p 3000:3000 -p 3001:3001 -v ${PWD}/data/blob:/cryptpad/blob \
-v ${PWD}/data/block:/cryptpad/block -v ${PWD}/customize:/cryptpad/customize \
-v ${PWD}/data/data:/cryptpad/data -v ${PWD}/data/files:/cryptpad/datastore promasu/cryptpad
CryptPad proxied by Nginx
Tags: nginx
and nginx-alpine
Files: Dockerfile-nginx
and Dockerfile-nginx-alpine
This image provides CryptPad proxied by Nginx. It offers more configuration options than the standalone version (but will not run if the bare minimum options aren't set) and lets Nginx handle the different HTTP headers like CSP.
The docker-entrypoint.sh
script copies Nginx configuration from the example provided in CryptPad repository (see file example.nginx.conf
) and substitutes the deployment environment variables.
-
With minimum settings, Nginx will listen for unencrypted HTTP2 requests on port 80. Most browsers won't be able to connect without a reverse proxy to upgrade the connection (also if you use Traefik, see this).
To disable HTTP2 set the environment variableCPAD_HTTP2_DISABLE
totrue
. -
If you'd prefer Nginx to terminate TLS connections, provide a fullchain certificate and a key and set
CPAD_TLS_CERT
andCPAD_TLS_KEY
. Both variables MUST be set for the entrypoint script to set paths in config. You can also provide Diffie-Hellman parameters withCPAD_TLS_DHPARAM
. If nodhparam.pem
file is provided, it will be generated upon container start. Beware that this is a time consuming step.
Environment variables
Variables | Description | Required | Default |
---|---|---|---|
CPAD_MAIN_DOMAIN |
CryptPad main domain FQDN | Yes | None |
CPAD_SANDBOX_DOMAIN |
CryptPad sandbox subdomain FQDN | Yes | None |
CPAD_API_DOMAIN |
CryptPad API subdomain FQDN | No | $CPAD_MAIN_DOMAIN |
CPAD_FILES_DOMAIN |
CryptPad files subdomain FQDN | No | $CPAD_MAIN_DOMAIN |
CPAD_TRUSTED_PROXY |
Trusted proxy address or CIDR | No | None |
CPAD_REALIP_HEADER |
Header to get client IP from (X-Real-IP or X-Forwarded-For ) |
No | X-Real-IP |
CPAD_REALIP_RECURSIVE |
Instruct Nginx to perform a recursive search to find client's real IP (on /off ) (see ngx_http_realip_module) |
No | off |
CPAD_TLS_CERT |
Path to TLS certificate file | No | None |
CPAD_TLS_KEY |
Path to TLS private key file | No | None |
CPAD_TLS_DHPARAM |
Path to Diffie-Hellman parameters file | No | /etc/nginx/dhparam.pem |
CPAD_HTTP2_DISABLE |
Disable HTTP2 | No | false |
Usage
Run with minimal settings:
docker run -d -e "CPAD_MAIN_DOMAIN=example.com" -e "CPAD_SANDBOX_DOMAIN=sandbox.example.com" -p 80:80 promasu/cryptpad:nginx
Run with configuration:
docker run -d -e "CPAD_MAIN_DOMAIN=example.com" -e "CPAD_SANDBOX_DOMAIN=sandbox.example.com" \
-v ${PWD}/config.js:/cryptpad/config/config.js -p 80:80 promasu/cryptpad:nginx
Run with TLS:
docker run -d -e "CPAD_MAIN_DOMAIN=example.com" -e "CPAD_SANDBOX_DOMAIN=sandbox.example.com" \
-e "CPAD_TLS_CERT=/path/to/cert.pem" -e "CPAD_TLS_KEY=/path/to/key.pem" \
-e "CPAD_TLS_DHPARAM=/path/to/dhparam.pem" -v ${PWD}/cert.pem:/path/to/cert.pem \
-v ${PWD}/key.pem:/path/to/key.pem -v ${PWD}/dhparam.pem:/path/to/dhparam.pem \
-p 443:443 promasu/cryptpad:nginx
Run behind a reverse proxy
docker run -d -e "CPAD_MAIN_DOMAIN=example.com" -e "CPAD_SANDBOX_DOMAIN=sandbox.example.com" \
-e "CPAD_TRUSTED_PROXY=10.0.0.0/8" -e "CPAD_REALIP_HEADER=X-Forwarded-For" \
-e "CPAD_REALIP_RECURSIVE=on" -p 80:80 promasu/cryptpad:nginx
Run with customizations:
docker run -d -e "CPAD_MAIN_DOMAIN=example.com" -e "CPAD_SANDBOX_DOMAIN=sandbox.example.com" \
-v ${PWD}/customize:/cryptpad/customize -p 80:80 promasu/cryptpad:nginx
Run with persistent data:
docker run -d -e "CPAD_MAIN_DOMAIN=example.com" -e "CPAD_SANDBOX_DOMAIN=sandbox.example.com" \
-v ${PWD}/data/blob:/cryptpad/blob -v ${PWD}/data/block:/cryptpad/block \
-v ${PWD}/customize:/cryptpad/customize -v ${PWD}/data/data:/cryptpad/data \
-v ${PWD}/data/files:/cryptpad/datastore -p 80:80 promasu/cryptpad:nginx
Docker-compose
Run:
docker-compose up
Run with traefik2 labels:
docker-compose -f docker-compose.yml -f traefik2.yml up
Know bugs
Use the Nginx version with Traefik
If Traefik is used as reverse proxy (e.g. to handle SSL certs) the CryptPad WebSocket is unreachable if Nginx listens with HTTP2.
A workaround is to disable HTTP2 by setting the CPAD_HTTP2_DISABLE
environment variable.
Nginx version not working with some browser configurations
See [https://github.com/xwiki-labs/cryptpad/issues/633]
License
This software is and will always be available under the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.