Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
8c4558a
commit 8152ff2
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,99 @@ | ||
| # This file is an example .container file for eLabFTW service. Also place the .network file and possible configure HAProxy accordingly. | ||
| # Place it in /etc/containers/systemd so a quadlet is generated and the service can be managed by systemd. | ||
| # Documentation: https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html | ||
|
|
||
| [Unit] | ||
| Description=elabftw container service | ||
| After=network.target | ||
|
|
||
| [Container] | ||
| # Note: it is recommended to pin to a specific version instead of using the "stable" tag. | ||
| Image=docker.io/elabftw/elabimg:stable | ||
| ContainerName=elabftw | ||
|
|
||
| # CAPABILITIES | ||
| DropCapability=ALL | ||
| AddCapability=CHOWN | ||
| AddCapability=SETGID | ||
| AddCapability=SETUID | ||
| AddCapability=FOWNER | ||
| AddCapability=DAC_OVERRIDE | ||
| AddCapability=NET_BIND_SERVICE | ||
|
|
||
| NoNewPrivileges=true | ||
|
|
||
| # HEALTHCHECK | ||
| HealthCmd=curl http://localhost:443/healthcheck | ||
| HealthInterval=5s | ||
| HealthTimeout=5s | ||
| HealthRetries=20 | ||
|
|
||
| # ENVIRONMENT VARIABLES | ||
| Environment=DB_HOST=10.X.Y.Z | ||
| Environment=DB_NAME=elabftw | ||
| Environment=DB_USER=elabftw | ||
| Environment=DB_PORT=3306 | ||
| Secret=elabftw-db-password,type=env,target=DB_PASSWORD | ||
| Environment=DB_CERT_PATH=/mysql-cert/mysql.pem | ||
| Secret=elabftw-secret-key,type=env,target=SECRET_KEY | ||
| Environment=SERVER_NAME=eln.example.org | ||
| # in this example we run http server behind TLS terminating proxy | ||
| Environment=DISABLE_HTTPS=true | ||
| Environment=MAX_PHP_MEMORY=512M | ||
| Environment=MAX_UPLOAD_SIZE=1G | ||
| Environment=PHP_TIMEZONE=Europe/Paris | ||
| Environment=TZ=Europe/Paris | ||
| Environment=SET_REAL_IP=true | ||
| Environment=SET_REAL_IP_FROM=10.X.Y.Z | ||
| Environment=PHP_MAX_CHILDREN=50 | ||
| Environment=PHP_MAX_EXECUTION_TIME=90 | ||
| Environment=USE_REDIS=true | ||
| Environment=REDIS_HOST=10.X.Y.Z | ||
| Environment=REDIS_PORT=6379 | ||
| Environment=REDIS_USERNAME=elabftw_php_sessions | ||
| Secret=redis-password,type=env,target=REDIS_PASSWORD | ||
| Environment=ENABLE_IPV6=false | ||
| Environment=SITE_URL=https://eln.example.org | ||
| Environment=ELABFTW_USER=nobody | ||
| Environment=ELABFTW_GROUP=nobody | ||
| Environment=ELABFTW_USERID=65534 | ||
| Environment=ELABFTW_GROUPID=65534 | ||
| Environment=STATUS_PASSWORD=secr3t | ||
| # if using S3 storage | ||
| Secret=elabftw-s3-ak,type=env,target=ELAB_AWS_ACCESS_KEY | ||
| Secret=elabftw-s3-sk,type=env,target=ELAB_AWS_SECRET_KEY | ||
|
|
||
| # VOLUMES | ||
| # if not using s3, bind mount the uploads folder in the host | ||
| # do NOT add :z here because NFS cause an issue # | ||
| # host:container | ||
| Volume=/mnt/data/elabftw_uploads:/elabftw/uploads | ||
| # this is necessary if you enrypt mysql connection and thus want the container to have access to the mysql cert | ||
| Volume=/deltablot/mysql:/mysql-cert:z | ||
|
|
||
| # NETWORKS | ||
| Network=elabftw.network | ||
|
|
||
| [Service] | ||
| # see: https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04 | ||
| LockPersonality=yes | ||
| PrivateTmp=yes | ||
| ProtectHome=yes | ||
| ProtectKernelModules=yes | ||
| Restart=unless-stopped | ||
| RestrictAddressFamilies=AF_UNIX AF_INET AF_NETLINK | ||
| RestrictRealtime=yes | ||
|
|
||
| # these ones break container execution | ||
| #NoNewPrivileges=yes | ||
| #PrivateDevices=yes | ||
| #DevicePolicy=closed | ||
| #ProtectSystem=strict | ||
| #ProtectControlGroups=yes | ||
| #ProtectKernelTunables=yes | ||
| #RestrictNamespaces=yes | ||
| #RestrictSUIDSGID=yes | ||
| #MemoryDenyWriteExecute=yes | ||
|
|
||
| [Install] | ||
| WantedBy=multi-user.target | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| [Unit] | ||
| Description=network for elabftw | ||
|
|
||
| [Network] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| [Unit] | ||
| Description=HAProxy Service | ||
| Wants=network.target | ||
| After=network.target | ||
|
|
||
| [Container] | ||
| Image=docker.io/haproxy:3.0 | ||
| ContainerName=haproxy | ||
| ReadOnly=true | ||
| NoNewPrivileges=true | ||
| PidsLimit=12 | ||
|
|
||
| # Port mapping | ||
| PublishPort=80:8080 | ||
| ExposeHostPort=80 | ||
| PublishPort=443:4443 | ||
| ExposeHostPort=443 | ||
|
|
||
| # Volume mounts | ||
| Volume=/usr/local/etc/haproxy:/usr/local/etc/haproxy:ro,z | ||
|
|
||
| Network=elabftw.network | ||
|
|
||
| [Service] | ||
| Restart=always | ||
|
|
||
| [Install] | ||
| WantedBy=multi-user.target |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters