diff --git a/onlyoffice-docserver.nomad.hcl b/onlyoffice-docserver.nomad.hcl
index ebb2543..104b61c 100644
--- a/onlyoffice-docserver.nomad.hcl
+++ b/onlyoffice-docserver.nomad.hcl
@@ -41,7 +41,7 @@ job [[ .oo.instance | toJSON ]] {
 timeout = "8s"
 check_restart {
- limit = 90
+ limit = 30
 grace = "2m"
 }
 }
@@ -74,10 +74,9 @@ job [[ .oo.instance | toJSON ]] {
 pids_limit = 200
 readonly_rootfs = true
 volumes = [
+ "local/:/tmp",
 "local/metrics.js:/var/www/onlyoffice/documentserver/server/Metrics/config/config.js:ro"
 ]
-[[ template "common/tmpfs.tpl" dict "target" "/tmp" "size" 3000000 ]]
-
 }
 vault {
diff --git a/variables.yml b/variables.yml
index 4ac289a..67739ab 100644
--- a/variables.yml
+++ b/variables.yml
@@ -1,14 +1,25 @@
 ---
 oo:
+
+ # Name of this instance. Will control the name of the service and of various default settings (like DB name etc.)
+ # You must use different instance names if you want to run several copies on the same cluster
 instance: onlyoffice
+ # Document Services
 ds:
+ # Docker image to use
 image: danielberteaud/onlyoffice-docserver:latest
+
+ # Resource allocation for OnlyOffice itself
 resources:
 cpu: 200
 memory: 512
+
+ # The URL where OnlyOffice is available
 public_url: https://oods.example.org
+
+ # Additional env vars to set in the container
 env:
 OO_STORAGE_SECRET: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .oo.instance ]]" }}{{ .Data.data.storage_secret }}{{ end }}'
 OO_JWT_TOKEN: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .oo.instance ]]" }}{{ .Data.data.jwt_token }}{{ end }}'
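Review bot: Binding the whole `local/` directory read-write onto `/tmp` exposes the rendered `local/metrics.js` as a writable `/tmp/metrics.js`, so the `:ro` flag on the separate metrics.js mount no longer protects that file, and anything the service writes to `/tmp` lands beside the task's rendered templates (any other templates rendered into `local/` would be exposed the same way). The removed tmpfs template also carried a size argument that the new bind does not, so `/tmp` usage is now bounded only by the allocation's disk settings, which are not visible here. A dedicated subdirectory keeps the separation: `"local/tmp:/tmp",` — check that the directory exists when the task starts, since whether the driver creates a missing relative source is not shown in this hunk. `readonly_rootfs = true` is unchanged, and the enclosing config block starts outside the hunk.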
@@ -17,42 +28,62 @@ oo:
 OO_DB_NAME: '[[ .oo.instance ]]'
 OO_DB_USER: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .oo.instance ]]" }}{{ .Data.username }}{{ end }}'
 OO_DB_PASS: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .oo.instance ]]" }}{{ .Data.password }}{{ end }}'
+
+ # Controls how the service will be exposed with Traefik
 traefik:
 enabled: true
+
+ # OnlyOffice needs some specific CSP rules
 csp:
 default-src: "'self'"
 img-src: "'self' data: https://*"
- script-src: "'self' 'wasm-unsafe-eval' 'unsafe-inline' 'unsafe-eval' blob: https://ajax.googleapis.com https://www.youtube.com/ https://*.cloudfront.net https://cdn.rawgit.com https://code.jquery.com https://translate.googleapis.com https://code.responsivevoice.org https://cdn.jsdelivr.net"
- style-src: "'self' 'unsafe-inline' data: https://fonts.googleapis.com https://translate.googleapis.com"
+ script-src: "'self' 'wasm-unsafe-eval' 'unsafe-inline' 'unsafe-eval' blob: https://ajax.googleapis.com https://www.youtube.com/ https://*.cloudfront.net https://cdn.rawgit.com https://code.jquery.com https://translate.googleapis.com https://code.responsivevoice.org https://cdn.jsdelivr.net https://onlyoffice.github.io"
+ style-src: "'self' 'unsafe-inline' data: https://fonts.googleapis.com https://translate.googleapis.com https://onlyoffice.github.io"
 font-src: "'self' data: https://fonts.googleapis.com https://fonts.gstatic.com"
 connect-src: "'self' https://www.zotero.org https://cdn.jsdelivr.net https://cdn.rawgit.com https://translate.googleapis.com https://code.responsivevoice.org https://onlyoffice.github.io"
 media-src: "'self' https://code.responsivevoice.org"
 frame-src: "'self' https://www.youtube.com https://onlyoffice.github.io"
+
+ # Override base_middlewares to remove csp-relaxed@file
 base_middlewares:
- - rate-limit-std@file
- - inflight-std@file
+ - rate-limit-high@file
+ - inflight-high@file
 - security-headers@file
 - hsts@file
 - compression@file
+
+ # Wait for the database server to be ready before starting
 wait_for:
 - service: 'master.postgres[[ .consul.suffix ]]'
+
+ # Connect to the database server with the mesh
 consul:
 connect:
 upstreams:
 - destination_name: 'postgres[[ .consul.suffix ]]'
 local_bind_port: 5432
+ # Rabbitmq service
 rabbitmq:
+ # Docker image to use
 image: rabbitmq:alpine
+
+ # Additional env vars to set in the container
 env: {}
+
+ # Resource allocation
 resources:
 cpu: 80
 memory: 156
+ # Volume used
 volumes:
+ # This is for DocumentServer Data
 data:
 type: csi
 source: '[[ .oo.instance ]]-data'
+
+ # This is for RabbitMQ
 rabbitmq:
 type: csi
 source: '[[ .oo.instance ]]-rabbitmq'
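Review bot: The comment added above `base_middlewares` records only the removal of `csp-relaxed@file`, while the lines it introduces also replace `rate-limit-std@file`/`inflight-std@file` with the `-high` variants, a change in request throttling that is left unexplained; extend it, e.g. `# Override base_middlewares to remove csp-relaxed@file and use the high rate-limit/inflight tiers: <REASON>`. The `https://onlyoffice.github.io` source added to `script-src` and `style-src` allows script from the entire host, which also serves that organisation's other published pages; if the plugins it is meant for live under a fixed path, CSP host sources accept a path prefix (`https://onlyoffice.github.io/<PLUGIN_PATH>/`, placeholder), which narrows the grant without changing what the editor can load. The `oo:` mapping this hunk edits begins in the previous hunk.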