add docker support

14 files changed, 315 insertions, 0 deletions

diff --git a/docker/chibi.ps1 b/docker/chibi.ps1
new file mode 100644
index 0000000..d6494f3
--- /dev/null
+++ b/docker/chibi.ps1
@@ -0,0 +1,3 @@
+$env = $args[0]
+$cmd = $args | Select-Object -Skip 1
+docker-compose -f docker-compose.yml -f docker-compose.$env.yml -f docker-compose.config.yml $cmd
diff --git a/docker/chibi.sh b/docker/chibi.sh
new file mode 100644
index 0000000..9c8b22b
--- /dev/null
+++ b/docker/chibi.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+docker-compose -f docker-compose.yml -f docker-compose.$1.yml -f docker-compose.config.yml ${@%$1}
diff --git a/docker/chibisafe/Dockerfile b/docker/chibisafe/Dockerfile
new file mode 100644
index 0000000..3c50116
--- /dev/null
+++ b/docker/chibisafe/Dockerfile
@@ -0,0 +1,20 @@
+FROM jrottenberg/ffmpeg:4.3-alpine312 as ffmpeg
+
+FROM node:alpine3.12
+
+WORKDIR /usr/chibisafe
+COPY package.json package-lock.json ./
+
+RUN apk add --update \
+&& apk add --no-cache ca-certificates libwebp libwebp-tools expat \
+&& apk add --no-cache vidstab-dev --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community \
+&& apk add --no-cache --virtual .build-deps git curl build-base python3 g++ make \
+&& npm ci \
+&& apk del .build-deps
+
+COPY --from=ffmpeg /usr/local /usr/local
+
+COPY . .
+RUN mkdir uploads && mkdir database
+
+CMD ["sh", "-c", "npm run migrate && npm run seed && npm run build && npm start"]
diff --git a/docker/docker-compose.config.example.yml b/docker/docker-compose.config.example.yml
new file mode 100644
index 0000000..745f8b1
--- /dev/null
+++ b/docker/docker-compose.config.example.yml
@@ -0,0 +1,37 @@
+version: "3.7"
+
+services:
+    chibisafe:
+        environment:
+            CHUNK_SIZE: 90
+            SECRET: "wowfcgMHqZHwOIMLadWrKu3liyqPOOILpDLSDvuxq3YGhJmiZXJCVpnF96l11WfR"
+            ADMIN_ACCOUNT: "admin"
+            ADMIN_PASSWORD: "admin"
+            # ROUTE_PREFIX: /api
+            # RATE_LIMIT_WINDOW: 2
+            # RATE_LIMIT_MAX: 5
+            # BLOCKED_EXTENSIONS: '.jar,.exe,.msi,.com,.bat,.cmd,.scr,.ps1,.sh'
+            # UPLOAD_FOLDER: uploads
+            # MAX_LINKS_PER_ALBUM: 5
+            # META_THEME_COLOR: '#20222b'
+            # META_DESCRIPTION: 'Blazing fast file uploader and bunker written in node! 🚀'
+            # META_KEYWORDS: 'chibisafe,upload,uploader,file,vue,images,ssr,file uploader,free'
+            # META_TWITTER_HANDLE: ''
+            # SERVER_PORT: 5000
+            # WEBSITE_PORT: 5001
+            # DOMAIN: 'http://chibisafe.moe'
+            # SERVICE_NAME: chibisafe
+            # MAX_SIZE: 5000
+            # GENERATE_THUMBNAILS: 'true'
+            # GENERATE_ZIPS: 'true'
+            # STRIP_EXIF: 'true'
+            # SERVE_WITH_NODE: 'true'
+            # GENERATED_FILENAME_LENGTH: 6
+            # GENERATED_ALBUM_LENGTH: 4
+            # PUBLIC_MODE: 'false'
+            # USER_ACCOUNTS: 'true'
+            # DB_CLIENT: 'sqlite3'
+            # DB_HOST: ''
+            # DB_USER: ''
+            # DB_PASSWORD: ''
+            # DB_DATABASE: ''
diff --git a/docker/docker-compose.local.yml b/docker/docker-compose.local.yml
new file mode 100644
index 0000000..982370a
--- /dev/null
+++ b/docker/docker-compose.local.yml
@@ -0,0 +1,19 @@
+version: "3.7"
+
+services:
+    nginx:
+        volumes:
+            - nginx-data:/etc/nginx
+
+    chibisafe:
+        volumes:
+            - chibisafe-data:/usr/chibisafe/uploads
+            - chibisafe-database:/usr/chibisafe/database
+
+volumes:
+    nginx-data:
+        name: "nginx-data"
+    chibisafe-data:
+        name: "chibisafe-data"
+    chibisafe-database:
+        name: "chibisafe-database"
diff --git a/docker/docker-compose.prod.yml b/docker/docker-compose.prod.yml
new file mode 100644
index 0000000..9683a98
--- /dev/null
+++ b/docker/docker-compose.prod.yml
@@ -0,0 +1,11 @@
+version: "3.7"
+
+services:
+    nginx:
+        volumes:
+            - ./nginx-data:/etc/nginx
+
+    chibisafe:
+        volumes:
+            - ./chibisafe-data:/usr/chibisafe/uploads
+            - ./chibisafe-database:/usr/chibisafe/database
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
new file mode 100644
index 0000000..fc44689
--- /dev/null
+++ b/docker/docker-compose.yml
@@ -0,0 +1,63 @@
+version: "3.7"
+
+services:
+    nginx:
+        build:
+            context: ./nginx
+            dockerfile: Dockerfile
+        expose:
+            - "80"
+            - "443"
+        ports:
+            - "80:80"
+            - "443:443"
+        restart: unless-stopped
+        healthcheck:
+            test: ["CMD", "service", "nginx", "status"]
+            interval: 60s
+            timeout: 5s
+
+    chibisafe:
+        build:
+            context: ../
+            dockerfile: ./docker/chibisafe/Dockerfile
+        expose:
+            - "5000"
+            - "5001"
+        ports:
+            - "5000"
+            - "5001"
+        restart: unless-stopped
+        environment:
+            CHUNK_SIZE: 90
+            ROUTE_PREFIX: /api
+            RATE_LIMIT_WINDOW: 2
+            RATE_LIMIT_MAX: 5
+            BLOCKED_EXTENSIONS: ".jar,.exe,.msi,.com,.bat,.cmd,.scr,.ps1,.sh"
+            UPLOAD_FOLDER: uploads
+            SECRET: ""
+            MAX_LINKS_PER_ALBUM: 5
+            META_THEME_COLOR: "#20222b"
+            META_DESCRIPTION: "Blazing fast file uploader and bunker written in node! 🚀"
+            META_KEYWORDS: "chibisafe,upload,uploader,file,vue,images,ssr,file uploader,free"
+            META_TWITTER_HANDLE: ""
+            SERVER_PORT: 5000
+            WEBSITE_PORT: 5001
+            DOMAIN: "http://chibisafe.moe"
+            SERVICE_NAME: chibisafe
+            MAX_SIZE: 5000
+            GENERATE_THUMBNAILS: "true"
+            GENERATE_ZIPS: "true"
+            STRIP_EXIF: "true"
+            SERVE_WITH_NODE: "true"
+            GENERATED_FILENAME_LENGTH: 6
+            GENERATED_ALBUM_LENGTH: 4
+            PUBLIC_MODE: "false"
+            USER_ACCOUNTS: "true"
+            ADMIN_ACCOUNT: ""
+            ADMIN_PASSWORD: ""
+            DB_CLIENT: "sqlite3"
+            DB_HOST: ""
+            DB_USER: ""
+            DB_PASSWORD: ""
+            DB_DATABASE: ""
diff --git a/docker/nginx/Dockerfile b/docker/nginx/Dockerfile
new file mode 100644
index 0000000..60626ba
--- /dev/null
+++ b/docker/nginx/Dockerfile
@@ -0,0 +1,5 @@
+FROM nginx
+
+COPY nginxconfig.io /etc/nginx/nginxconfig.io
+COPY nginx.conf /etc/nginx/nginx.conf
+COPY chibisafe.moe.conf /etc/nginx/conf.d/chibisafe.moe.conf
diff --git a/docker/nginx/chibisafe.moe.http.example.conf b/docker/nginx/chibisafe.moe.http.example.conf
new file mode 100644
index 0000000..0a0d507
--- /dev/null
+++ b/docker/nginx/chibisafe.moe.http.example.conf
@@ -0,0 +1,21 @@
+server {
+    listen              80;
+    listen              [::]:80;
+    server_name         chibisafe.moe;
+
+    # security
+    include             nginxconfig.io/security.conf;
+
+    # logging
+    access_log          /var/log/nginx/chibisafe.moe.access.log;
+    error_log           /var/log/nginx/chibisafe.moe.error.log warn;
+
+    # reverse proxy
+    location / {
+        proxy_pass http://localhost:5000;
+        include    nginxconfig.io/proxy.conf;
+    }
+
+    # additional config
+    include nginxconfig.io/general.conf;
+}
diff --git a/docker/nginx/chibisafe.moe.https.example.conf b/docker/nginx/chibisafe.moe.https.example.conf
new file mode 100644
index 0000000..fce9e9a
--- /dev/null
+++ b/docker/nginx/chibisafe.moe.https.example.conf
@@ -0,0 +1,32 @@
+server {
+    listen              443 ssl http2;
+    listen              [::]:443 ssl http2;
+    server_name         chibisafe.moe;
+
+    # SSL
+    ssl_certificate     /etc/nginx/ssl/chibisafe.moe.crt;
+    ssl_certificate_key /etc/nginx/ssl/chibisafe.moe.key;
+
+    # security
+    include             nginxconfig.io/security.conf;
+
+    # logging
+    access_log          /var/log/nginx/chibisafe.moe.access.log;
+    error_log           /var/log/nginx/chibisafe.moe.error.log warn;
+
+    # reverse proxy
+    location / {
+        proxy_pass http://localhost:5000;
+        include    nginxconfig.io/proxy.conf;
+    }
+
+    # additional config
+    include nginxconfig.io/general.conf;
+}
+
+# HTTP redirect
+server {
+    listen 80;
+    listen [::]:80;
+    return 301 https://$server_name$request_uri;
+}
diff --git a/docker/nginx/nginx.conf b/docker/nginx/nginx.conf
new file mode 100644
index 0000000..a878b9b
--- /dev/null
+++ b/docker/nginx/nginx.conf
@@ -0,0 +1,54 @@
+# Generated by nginxconfig.io
+# https://www.digitalocean.com/community/tools/nginx?domains.0.server.domain=tourneys.naval-base.com&domains.0.server.documentRoot=&domains.0.https.certType=custom&domains.0.php.php=false&domains.0.reverseProxy.reverseProxy=true&domains.0.reverseProxy.proxyPass=http%3A%2F%2F127.0.0.1%3A3001&domains.0.routing.root=false&domains.0.logging.accessLog=true&domains.0.logging.errorLog=true
+
+user                 www-data;
+pid                  /run/nginx.pid;
+worker_processes     auto;
+worker_rlimit_nofile 65535;
+
+events {
+    multi_accept       on;
+    worker_connections 65535;
+}
+
+http {
+    charset              utf-8;
+    sendfile             on;
+    tcp_nopush           on;
+    tcp_nodelay          on;
+    server_tokens        off;
+    log_not_found        off;
+    types_hash_max_size  2048;
+    client_max_body_size 90M;
+	client_body_timeout  600s;
+
+    # MIME
+    include              mime.types;
+    default_type         application/octet-stream;
+
+    # Logging
+    access_log           /var/log/nginx/access.log;
+    error_log            /var/log/nginx/error.log warn;
+
+    # SSL
+    ssl_session_timeout  1d;
+    ssl_session_cache    shared:SSL:10m;
+    ssl_session_tickets  off;
+
+    # Diffie-Hellman parameter for DHE ciphersuites
+    # ssl_dhparam          /etc/nginx/dhparam.pem;
+
+    # Mozilla Intermediate configuration
+    ssl_protocols        TLSv1.2 TLSv1.3;
+    ssl_ciphers          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+    # OCSP Stapling
+    ssl_stapling         off;
+    ssl_stapling_verify  off;
+    resolver             1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
+    resolver_timeout     2s;
+
+    # Load configs
+    include              /etc/nginx/conf.d/*.conf;
+    # include              /etc/nginx/sites-enabled/*;
+}
diff --git a/docker/nginx/nginxconfig.io/general.conf b/docker/nginx/nginxconfig.io/general.conf
new file mode 100644
index 0000000..a9df8d6
--- /dev/null
+++ b/docker/nginx/nginxconfig.io/general.conf
@@ -0,0 +1,18 @@
+# favicon.ico
+location = /favicon.ico {
+    log_not_found off;
+    access_log    off;
+}
+
+# robots.txt
+location = /robots.txt {
+    log_not_found off;
+    access_log    off;
+}
+
+# gzip
+gzip            on;
+gzip_vary       on;
+gzip_proxied    any;
+gzip_comp_level 6;
+gzip_types      text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
diff --git a/docker/nginx/nginxconfig.io/proxy.conf b/docker/nginx/nginxconfig.io/proxy.conf
new file mode 100644
index 0000000..874b041
--- /dev/null
+++ b/docker/nginx/nginxconfig.io/proxy.conf
@@ -0,0 +1,18 @@
+proxy_http_version                 1.1;
+proxy_cache_bypass                 $http_upgrade;
+
+# Proxy headers
+proxy_set_header Upgrade           $http_upgrade;
+proxy_set_header Connection        "upgrade";
+proxy_set_header Host              $host;
+proxy_set_header X-Real-IP         $remote_addr;
+proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host  $host;
+proxy_set_header X-Forwarded-Port  $server_port;
+proxy_set_header X-NginX-Proxy     true;
+
+# Proxy timeouts
+proxy_connect_timeout              60s;
+proxy_send_timeout                 60s;
+proxy_read_timeout                 60s;
diff --git a/docker/nginx/nginxconfig.io/security.conf b/docker/nginx/nginxconfig.io/security.conf
new file mode 100644
index 0000000..03b1ef6
--- /dev/null
+++ b/docker/nginx/nginxconfig.io/security.conf
@@ -0,0 +1,12 @@
+# security headers
+add_header X-Frame-Options           "SAMEORIGIN" always;
+add_header X-XSS-Protection          "1; mode=block" always;
+add_header X-Content-Type-Options    "nosniff" always;
+add_header Referrer-Policy           "no-referrer-when-downgrade" always;
+add_header Content-Security-Policy   "default-src 'self' http: https: data: blob: 'unsafe-inline' 'unsafe-eval'" always;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+# . files
+location ~ /\.(?!well-known) {
+    deny all;
+}