Add phanpy service #188

reynir · 2024-01-06T12:48:27Z

reynir commented

2024-01-06 12:48:27 +00:00

Together with this hack we can deploy phanpy and update the content on new releases https://git.data.coop/reynir/phanpy

reynir added 1 commit 2024-01-06 12:48:28 +00:00

722a4aba9c Add phanpy service

samsapti reviewed 2024-01-06 17:18:43 +00:00

roles/docker/templates/compose-files/phanpy_website.yml.j2 Outdated

					
				@ -0,0 +15,4 @@

				    cap_add:

				      - NET_ADMIN

				    devices:

				      - "/dev/net/tun"

samsapti commented

2024-01-06 17:18:32 +00:00

What's this needed for?

reynir commented

2024-01-06 18:48:00 +00:00

It is needed to deconfigure the network, set up a bridge and a tap device like in the other unipi instances we run. For further details see entrypoint.sh in docker-unipi. Ideally, this would be handled by a docker network provider, but who has time to learn that?!

It is needed to deconfigure the network, set up a bridge and a tap device like in the other unipi instances we run. For further details see [entrypoint.sh](https://git.data.coop/reynir/docker-unipi/src/branch/main/entrypoint.sh) in docker-unipi. Ideally, this would be handled by a docker network provider, but who has time to learn that?!

reynir commented

2024-01-06 18:52:10 +00:00

There is definitely room for deduplicating code. Each unipi instance requires largely the same configuration except the domain name and --remote is different. I haven't figured out how to refactor this yet.

There is definitely room for deduplicating code. Each unipi instance requires largely the same configuration except the domain name and `--remote` is different. I haven't figured out how to refactor this yet.

samsapti commented

2024-03-31 01:47:12 +00:00

But doesn't it just need to set up the network interface for the container itself? I.e. inside the container? It doesn't need to modify anything outside the container, right?

reynir commented

2024-04-02 08:10:39 +00:00

Correct, but you still need CAP_NET_ADMIN.

Correct, but you still need `CAP_NET_ADMIN`.

samsapti requested changes 2024-03-31 01:46:14 +00:00

roles/docker/defaults/main.yml Outdated

					
				@ -157,2 +157,4 @@

				    volume_folder: "{{ volume_website_folder }}/cryptoaarhus"

				  phanpy_website:

				    domain: "phanpy.data.coop"

samsapti commented

2024-03-31 01:42:30 +00:00

Let's change this to phanpy.{{ base_domain }}.

Let's change this to `phanpy.{{ base_domain }}`.

reynir commented

2024-04-02 08:13:07 +00:00

Done in 65527be1f0.

Done in 65527be1f03408ba0a323c54cad282ad793704a7.

reynir marked this conversation as resolved

reynir force-pushed phanpy from 722a4aba9c to 65527be1f0

2024-04-02 08:12:32 +00:00

Compare

benjaoming commented

2024-04-02 12:09:15 +00:00

If phanpy had an XSS vulnerability, for instance through unescaped messages or third-party libraries, do we then restrict through HTTP Headers?

reynir commented

2024-04-02 13:05:48 +00:00

No. How does that work?

benjaoming commented

2024-04-02 19:55:28 +00:00

Sorry, was writing while distracted. I mean security headers like in this example: https://gist.github.com/ambroisemaupate/bce4b760405558f358ae

I can try to dig out what is appropriate for phanpy...

Sorry, was writing while distracted. I mean security headers like in this example: https://gist.github.com/ambroisemaupate/bce4b760405558f358ae I can try to dig out what is appropriate for phanpy...

👍 1

reynir commented

2024-04-03 12:07:59 +00:00

Unipi (the http server used for this) doesn't support adding extra headers at the moment (it would be nice to add and likely not too difficult to do; I'll look into it). In the interim we can add a vhost file to the nginx proxy.

👍 1

benjaoming commented

2024-04-03 12:10:40 +00:00

I should maybe try to add an Nginx configuration file in my own setup and see if it works... https://git.data.coop/benjaoming/phanpy/src/branch/main/Dockerfile

❤️ 1

This pull request can be merged automatically.

You are not authorized to merge this pull request.

You can also view command line instructions.