|
|
|
|
@ -0,0 +1,618 @@
|
|
|
|
|
version: '2'
|
|
|
|
|
|
|
|
|
|
# Note: Do not add single quotes '' to variables. Having spaces still works without quotes where required.
|
|
|
|
|
#---------------------------------------------------------------------------------------------------------
|
|
|
|
|
# ==== CREATING USERS AND LOGGING IN TO WEKAN ====
|
|
|
|
|
# https://github.com/wekan/wekan/wiki/Adding-users
|
|
|
|
|
#---------------------------------------------------------------------------------------------------------
|
|
|
|
|
# ==== FORGOT PASSWORD ====
|
|
|
|
|
# https://github.com/wekan/wekan/wiki/Forgot-Password
|
|
|
|
|
#---------------------------------------------------------------------------------------------------------
|
|
|
|
|
# ==== Upgrading Wekan to new version =====
|
|
|
|
|
# NOTE: MongoDB has changed from 3.x to 4.x, in that case you need backup/restore with --noIndexRestore
|
|
|
|
|
# see https://github.com/wekan/wekan/wiki/Backup
|
|
|
|
|
# 1) Stop Wekan:
|
|
|
|
|
# docker-compose stop
|
|
|
|
|
# 2) Download new version:
|
|
|
|
|
# docker-compose pull wekan
|
|
|
|
|
# 3) If you have more networks for VPN etc as described at bottom of
|
|
|
|
|
# this config, download for them too:
|
|
|
|
|
# docker-compose pull wekan2
|
|
|
|
|
# 4) Start Wekan:
|
|
|
|
|
# docker-compose start
|
|
|
|
|
#----------------------------------------------------------------------------------
|
|
|
|
|
# ==== OPTIONAL: DEDICATED DOCKER USER ====
|
|
|
|
|
# 1) Optionally create a dedicated user for Wekan, for example:
|
|
|
|
|
# sudo useradd -d /home/wekan -m -s /bin/bash wekan
|
|
|
|
|
# 2) Add this user to the docker group, then logout+login or reboot:
|
|
|
|
|
# sudo usermod -aG docker wekan
|
|
|
|
|
# 3) Then login as user wekan.
|
|
|
|
|
# 4) Create this file /home/wekan/docker-compose.yml with your modifications.
|
|
|
|
|
#----------------------------------------------------------------------------------
|
|
|
|
|
# ==== RUN DOCKER AS SERVICE ====
|
|
|
|
|
# 1a) Running Docker as service, on Systemd like Debian 9, Ubuntu 16.04, CentOS 7:
|
|
|
|
|
# sudo systemctl enable docker
|
|
|
|
|
# sudo systemctl start docker
|
|
|
|
|
# 1b) Running Docker as service, on init.d like Debian 8, Ubuntu 14.04, CentOS 6:
|
|
|
|
|
# sudo update-rc.d docker defaults
|
|
|
|
|
# sudo service docker start
|
|
|
|
|
# ----------------------------------------------------------------------------------
|
|
|
|
|
# ==== USAGE OF THIS docker-compose.yml ====
|
|
|
|
|
# 1) For seeing does Wekan work, try this and check with your webbroser:
|
|
|
|
|
# docker-compose up
|
|
|
|
|
# 2) Stop Wekan and start Wekan in background:
|
|
|
|
|
# docker-compose stop
|
|
|
|
|
# docker-compose up -d
|
|
|
|
|
# 3) See running Docker containers:
|
|
|
|
|
# docker ps
|
|
|
|
|
# 4) Stop Docker containers:
|
|
|
|
|
# docker-compose stop
|
|
|
|
|
# ----------------------------------------------------------------------------------
|
|
|
|
|
# ===== INSIDE DOCKER CONTAINERS, AND BACKUP/RESTORE ====
|
|
|
|
|
# https://github.com/wekan/wekan/wiki/Backup
|
|
|
|
|
# If really necessary, repair MongoDB: https://github.com/wekan/wekan-mongodb/issues/6#issuecomment-424004116
|
|
|
|
|
# 1) Going inside containers:
|
|
|
|
|
# a) Wekan app, does not contain data
|
|
|
|
|
# docker exec -it wekan-app bash
|
|
|
|
|
# b) MongoDB, contains all data
|
|
|
|
|
# docker exec -it wekan-db bash
|
|
|
|
|
# 2) Copying database to outside of container:
|
|
|
|
|
# docker exec -it wekan-db bash
|
|
|
|
|
# cd /data
|
|
|
|
|
# mongodump
|
|
|
|
|
# exit
|
|
|
|
|
# docker cp wekan-db:/data/dump .
|
|
|
|
|
# 3) Restoring database
|
|
|
|
|
# # 1) Stop wekan
|
|
|
|
|
# docker stop wekan-app
|
|
|
|
|
# # 2) Go inside database container
|
|
|
|
|
# docker exec -it wekan-db bash
|
|
|
|
|
# # 3) and data directory
|
|
|
|
|
# cd /data
|
|
|
|
|
# # 4) Remove previos dump
|
|
|
|
|
# rm -rf dump
|
|
|
|
|
# # 5) Exit db container
|
|
|
|
|
# exit
|
|
|
|
|
# # 6) Copy dump to inside docker container
|
|
|
|
|
# docker cp dump wekan-db:/data/
|
|
|
|
|
# # 7) Go inside database container
|
|
|
|
|
# docker exec -it wekan-db bash
|
|
|
|
|
# # 8) and data directory
|
|
|
|
|
# cd /data
|
|
|
|
|
# # 9) Restore
|
|
|
|
|
# mongorestore --drop
|
|
|
|
|
# # 10) Exit db container
|
|
|
|
|
# exit
|
|
|
|
|
# # 11) Start wekan
|
|
|
|
|
# docker start wekan-app
|
|
|
|
|
#-------------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
|
services:
|
|
|
|
|
|
|
|
|
|
wekandb:
|
|
|
|
|
#-------------------------------------------------------------------------------------
|
|
|
|
|
# ==== MONGODB AND METEOR VERSION ====
|
|
|
|
|
# a) For Wekan Meteor 1.8.x version at master branch, use mongo 4.x
|
|
|
|
|
image: mongo:4.0.12
|
|
|
|
|
# b) For Wekan Meteor 1.6.x version at devel branch.
|
|
|
|
|
# Only for Snap and Sandstorm while they are not upgraded yet to Meteor 1.8.x
|
|
|
|
|
#image: mongo:3.2.21
|
|
|
|
|
#-------------------------------------------------------------------------------------
|
|
|
|
|
container_name: wekan-db
|
|
|
|
|
restart: always
|
|
|
|
|
command: mongod --smallfiles --oplogSize 128
|
|
|
|
|
networks:
|
|
|
|
|
- wekan-tier
|
|
|
|
|
expose:
|
|
|
|
|
- 27017
|
|
|
|
|
volumes:
|
|
|
|
|
- /opt/wekan/db:/data/db
|
|
|
|
|
- /opt/wekan/db-dump:/dump
|
|
|
|
|
- /opt/wekan/uploads:/uploads
|
|
|
|
|
|
|
|
|
|
wekan:
|
|
|
|
|
#-------------------------------------------------------------------------------------
|
|
|
|
|
# ==== MONGODB AND METEOR VERSION ====
|
|
|
|
|
# NOTE: Quay is currently not updated, use Docker Hub image below c)
|
|
|
|
|
# a) For Wekan Meteor 1.8.x version at master branch,
|
|
|
|
|
# using https://quay.io/wekan/wekan automatic builds
|
|
|
|
|
#image: quay.io/wekan/wekan
|
|
|
|
|
# b) Using specific Meteor 1.6.x version tag:
|
|
|
|
|
# image: quay.io/wekan/wekan:v1.95
|
|
|
|
|
# c) Using Docker Hub automatic builds https://hub.docker.com/r/wekanteam/wekan
|
|
|
|
|
image: wekanteam/wekan:latest
|
|
|
|
|
# image: wekanteam/wekan:v2.99
|
|
|
|
|
#-------------------------------------------------------------------------------------
|
|
|
|
|
container_name: wekan-app
|
|
|
|
|
restart: always
|
|
|
|
|
networks:
|
|
|
|
|
- wekan-tier
|
|
|
|
|
#-------------------------------------------------------------------------------------
|
|
|
|
|
# ==== BUILD wekan-app DOCKER CONTAINER FROM SOURCE, if you uncomment these ====
|
|
|
|
|
# ==== and use commands: docker-compose up -d --build
|
|
|
|
|
#build:
|
|
|
|
|
# context: .
|
|
|
|
|
# dockerfile: Dockerfile
|
|
|
|
|
# args:
|
|
|
|
|
# - NODE_VERSION=${NODE_VERSION}
|
|
|
|
|
# - METEOR_RELEASE=${METEOR_RELEASE}
|
|
|
|
|
# - NPM_VERSION=${NPM_VERSION}
|
|
|
|
|
# - ARCHITECTURE=${ARCHITECTURE}
|
|
|
|
|
# - SRC_PATH=${SRC_PATH}
|
|
|
|
|
# - METEOR_EDGE=${METEOR_EDGE}
|
|
|
|
|
# - USE_EDGE=${USE_EDGE}
|
|
|
|
|
#-------------------------------------------------------------------------------------
|
|
|
|
|
ports:
|
|
|
|
|
# Docker outsideport:insideport. Do not add anything extra here.
|
|
|
|
|
# For example, if you want to have wekan on port 3001,
|
|
|
|
|
# use 3001:8080 . Do not add any extra address etc here, that way it does not work.
|
|
|
|
|
# remove port mapping if you use nginx reverse proxy, port 8080 is already exposed to wekan-tier network
|
|
|
|
|
- 80:8080
|
|
|
|
|
environment:
|
|
|
|
|
- MONGO_URL=mongodb://wekandb:27017/wekan
|
|
|
|
|
#---------------------------------------------------------------
|
|
|
|
|
# ==== ROOT_URL SETTING ====
|
|
|
|
|
# Change ROOT_URL to your real Wekan URL, for example:
|
|
|
|
|
# If you have Caddy/Nginx/Apache providing SSL
|
|
|
|
|
# - https://example.com
|
|
|
|
|
# - https://boards.example.com
|
|
|
|
|
# This can be problematic with avatars https://github.com/wekan/wekan/issues/1776
|
|
|
|
|
# - https://example.com/wekan
|
|
|
|
|
# If without https, can be only wekan node, no need for Caddy/Nginx/Apache if you don't need them
|
|
|
|
|
# - http://example.com
|
|
|
|
|
# - http://boards.example.com
|
|
|
|
|
# - http://192.168.1.100 <=== using at local LAN
|
|
|
|
|
- ROOT_URL=http://localhost # <=== using only at same laptop/desktop where Wekan is installed
|
|
|
|
|
#---------------------------------------------------------------
|
|
|
|
|
# ==== EMAIL SETTINGS ====
|
|
|
|
|
# Email settings are required in both MAIL_URL and Admin Panel,
|
|
|
|
|
# see https://github.com/wekan/wekan/wiki/Troubleshooting-Mail
|
|
|
|
|
# For SSL in email, change smtp:// to smtps://
|
|
|
|
|
# NOTE: Special characters need to be url-encoded in MAIL_URL.
|
|
|
|
|
# You can encode those characters for example at: https://www.urlencoder.org
|
|
|
|
|
#- MAIL_URL=smtp://user:pass@mailserver.example.com:25/
|
|
|
|
|
- MAIL_URL=smtp://<mail_url>:25/?ignoreTLS=true&tls={rejectUnauthorized:false}
|
|
|
|
|
- MAIL_FROM=Wekan Notifications <noreply.wekan@mydomain.com>
|
|
|
|
|
#---------------------------------------------------------------
|
|
|
|
|
# ==== OPTIONAL: MONGO OPLOG SETTINGS =====
|
|
|
|
|
# https://github.com/wekan/wekan-mongodb/issues/2#issuecomment-378343587
|
|
|
|
|
# We've fixed our CPU usage problem today with an environment
|
|
|
|
|
# change around Wekan. I wasn't aware during implementation
|
|
|
|
|
# that if you're using more than 1 instance of Wekan
|
|
|
|
|
# (or any MeteorJS based tool) you're supposed to set
|
|
|
|
|
# MONGO_OPLOG_URL as an environment variable.
|
|
|
|
|
# Without setting it, Meteor will perform a pull-and-diff
|
|
|
|
|
# update of it's dataset. With it, Meteor will update from
|
|
|
|
|
# the OPLOG. See here
|
|
|
|
|
# https://blog.meteor.com/tuning-meteor-mongo-livedata-for-scalability-13fe9deb8908
|
|
|
|
|
# After setting
|
|
|
|
|
# MONGO_OPLOG_URL=mongodb://<username>:<password>@<mongoDbURL>/local?authSource=admin&replicaSet=rsWekan
|
|
|
|
|
# the CPU usage for all Wekan instances dropped to an average
|
|
|
|
|
# of less than 10% with only occasional spikes to high usage
|
|
|
|
|
# (I guess when someone is doing a lot of work)
|
|
|
|
|
# - MONGO_OPLOG_URL=mongodb://<username>:<password>@<mongoDbURL>/local?authSource=admin&replicaSet=rsWekan
|
|
|
|
|
#---------------------------------------------------------------
|
|
|
|
|
# ==== OPTIONAL: KADIRA PERFORMANCE MONITORING FOR METEOR ====
|
|
|
|
|
# https://github.com/edemaine/kadira-compose
|
|
|
|
|
# https://github.com/meteor/meteor-apm-agent
|
|
|
|
|
# https://blog.meteor.com/kadira-apm-is-now-open-source-490469ffc85f
|
|
|
|
|
#- APM_OPTIONS_ENDPOINT=http://<kadira-ip>:11011
|
|
|
|
|
#- APM_APP_ID=
|
|
|
|
|
#- APM_APP_SECRET=
|
|
|
|
|
#---------------------------------------------------------------
|
|
|
|
|
# ==== OPTIONAL: LOGS AND STATS ====
|
|
|
|
|
# https://github.com/wekan/wekan/wiki/Logs
|
|
|
|
|
#
|
|
|
|
|
# Daily export of Wekan changes as JSON to Logstash and ElasticSearch / Kibana (ELK)
|
|
|
|
|
# https://github.com/wekan/wekan-logstash
|
|
|
|
|
#
|
|
|
|
|
# Statistics Python script for Wekan Dashboard
|
|
|
|
|
# https://github.com/wekan/wekan-stats
|
|
|
|
|
#
|
|
|
|
|
# Console, file, and zulip logger on database changes https://github.com/wekan/wekan/pull/1010
|
|
|
|
|
# with fix to replace console.log by winston logger https://github.com/wekan/wekan/pull/1033
|
|
|
|
|
# but there could be bug https://github.com/wekan/wekan/issues/1094
|
|
|
|
|
#
|
|
|
|
|
# There is Feature Request: Logging date and time of all activity with summary reports,
|
|
|
|
|
# and requesting reason for changing card to other column https://github.com/wekan/wekan/issues/1598
|
|
|
|
|
#---------------------------------------------------------------
|
|
|
|
|
# ==== WEKAN API AND EXPORT BOARD ====
|
|
|
|
|
# Wekan Export Board works when WITH_API=true.
|
|
|
|
|
# https://github.com/wekan/wekan/wiki/REST-API
|
|
|
|
|
# https://github.com/wekan/wekan-gogs
|
|
|
|
|
# If you disable Wekan API with false, Export Board does not work.
|
|
|
|
|
- WITH_API=true
|
|
|
|
|
#---------------------------------------------------------------
|
|
|
|
|
# ==== PASSWORD BRUTE FORCE PROTECTION ====
|
|
|
|
|
#https://atmospherejs.com/lucasantoniassi/accounts-lockout
|
|
|
|
|
#Defaults below. Uncomment to change. wekan/server/accounts-lockout.js
|
|
|
|
|
#- ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURES_BEFORE=3
|
|
|
|
|
#- ACCOUNTS_LOCKOUT_KNOWN_USERS_PERIOD=60
|
|
|
|
|
#- ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURE_WINDOW=15
|
|
|
|
|
#- ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURES_BERORE=3
|
|
|
|
|
#- ACCOUNTS_LOCKOUT_UNKNOWN_USERS_LOCKOUT_PERIOD=60
|
|
|
|
|
#- ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURE_WINDOW=15
|
|
|
|
|
#---------------------------------------------------------------
|
|
|
|
|
# ==== STORE ATTACHMENT ON SERVER FILESYSTEM INSTEAD OF MONGODB ====
|
|
|
|
|
# https://github.com/wekan/wekan/pull/2603
|
|
|
|
|
- ATTACHMENTS_STORE_PATH = /uploads # pathname can be relative or fullpath
|
|
|
|
|
#---------------------------------------------------------------
|
|
|
|
|
# ==== RICH TEXT EDITOR IN CARD COMMENTS ====
|
|
|
|
|
# https://github.com/wekan/wekan/pull/2560
|
|
|
|
|
- RICHER_CARD_COMMENT_EDITOR=true
|
|
|
|
|
#---------------------------------------------------------------
|
|
|
|
|
# ==== CARD OPENED, SEND WEBHOOK MESSAGE ====
|
|
|
|
|
# https://github.com/wekan/wekan/issues/2518
|
|
|
|
|
- CARD_OPENED_WEBHOOK_ENABLED=true
|
|
|
|
|
#---------------------------------------------------------------
|
|
|
|
|
# ==== Allow to shrink attached/pasted image ====
|
|
|
|
|
# https://github.com/wekan/wekan/pull/2544
|
|
|
|
|
#-MAX_IMAGE_PIXEL=1024
|
|
|
|
|
#-IMAGE_COMPRESS_RATIO=80
|
|
|
|
|
#---------------------------------------------------------------
|
|
|
|
|
# ==== BIGEVENTS DUE ETC NOTIFICATIONS =====
|
|
|
|
|
# https://github.com/wekan/wekan/pull/2541
|
|
|
|
|
# Introduced a system env var BIGEVENTS_PATTERN default as "NONE",
|
|
|
|
|
# so any activityType matches the pattern, system will send out
|
|
|
|
|
# notifications to all board members no matter they are watching
|
|
|
|
|
# or tracking the board or not. Owner of the wekan server can
|
|
|
|
|
# disable the feature by setting this variable to "NONE" or
|
|
|
|
|
# change the pattern to any valid regex. i.e. '|' delimited
|
|
|
|
|
# activityType names.
|
|
|
|
|
# a) Example
|
|
|
|
|
#- BIGEVENTS_PATTERN=due
|
|
|
|
|
# b) All
|
|
|
|
|
#- BIGEVENTS_PATTERN=received|start|due|end
|
|
|
|
|
# c) Disabled
|
|
|
|
|
- BIGEVENTS_PATTERN=NONE
|
|
|
|
|
#---------------------------------------------------------------
|
|
|
|
|
# ==== EMAIL DUE DATE NOTIFICATION =====
|
|
|
|
|
# https://github.com/wekan/wekan/pull/2536
|
|
|
|
|
# System timelines will be showing any user modification for
|
|
|
|
|
# dueat startat endat receivedat, also notification to
|
|
|
|
|
# the watchers and if any card is due, about due or past due.
|
|
|
|
|
#
|
|
|
|
|
# Notify due days, default is None, 2 days before and on the event day
|
|
|
|
|
#- NOTIFY_DUE_DAYS_BEFORE_AND_AFTER=2,0
|
|
|
|
|
#
|
|
|
|
|
# Notify due at hour of day. Default every morning at 8am. Can be 0-23.
|
|
|
|
|
# If env variable has parsing error, use default. Notification sent to watchers.
|
|
|
|
|
#- NOTIFY_DUE_AT_HOUR_OF_DAY=8
|
|
|
|
|
#-----------------------------------------------------------------
|
|
|
|
|
# ==== EMAIL NOTIFICATION TIMEOUT, ms =====
|
|
|
|
|
# Defaut: 30000 ms = 30s
|
|
|
|
|
#- EMAIL_NOTIFICATION_TIMEOUT=30000
|
|
|
|
|
#-----------------------------------------------------------------
|
|
|
|
|
# ==== CORS =====
|
|
|
|
|
# CORS: Set Access-Control-Allow-Origin header.
|
|
|
|
|
#- CORS=*
|
|
|
|
|
# CORS_ALLOW_HEADERS: Set Access-Control-Allow-Headers header. "Authorization,Content-Type" is required for cross-origin use of the API.
|
|
|
|
|
#- CORS_ALLOW_HEADERS=Authorization,Content-Type
|
|
|
|
|
# CORS_EXPOSE_HEADERS: Set Access-Control-Expose-Headers header. This is not needed for typical CORS situations
|
|
|
|
|
#- CORS_EXPOSE_HEADERS=*
|
|
|
|
|
#-----------------------------------------------------------------
|
|
|
|
|
# ==== MATOMO INTEGRATION ====
|
|
|
|
|
# Optional: Integration with Matomo https://matomo.org that is installed to your server
|
|
|
|
|
# The address of the server where Matomo is hosted.
|
|
|
|
|
#- MATOMO_ADDRESS=https://example.com/matomo
|
|
|
|
|
# The value of the site ID given in Matomo server for Wekan
|
|
|
|
|
#- MATOMO_SITE_ID=1
|
|
|
|
|
# The option do not track which enables users to not be tracked by matomo
|
|
|
|
|
#- MATOMO_DO_NOT_TRACK=true
|
|
|
|
|
# The option that allows matomo to retrieve the username:
|
|
|
|
|
#- MATOMO_WITH_USERNAME=true
|
|
|
|
|
#-----------------------------------------------------------------
|
|
|
|
|
# ==== BROWSER POLICY AND TRUSTED IFRAME URL ====
|
|
|
|
|
# Enable browser policy and allow one trusted URL that can have iframe that has Wekan embedded inside.
|
|
|
|
|
# Setting this to false is not recommended, it also disables all other browser policy protections
|
|
|
|
|
# and allows all iframing etc. See wekan/server/policy.js
|
|
|
|
|
- BROWSER_POLICY_ENABLED=true
|
|
|
|
|
# When browser policy is enabled, HTML code at this Trusted URL can have iframe that embeds Wekan inside.
|
|
|
|
|
#- TRUSTED_URL=https://intra.example.com
|
|
|
|
|
#-----------------------------------------------------------------
|
|
|
|
|
# ==== OUTGOING WEBHOOKS ====
|
|
|
|
|
# What to send to Outgoing Webhook, or leave out. Example, that includes all that are default: cardId,listId,oldListId,boardId,comment,user,card,commentId .
|
|
|
|
|
- WEBHOOKS_ATTRIBUTES=cardId,listId,oldListId,boardId,comment,user,card,commentId
|
|
|
|
|
#-----------------------------------------------------------------
|
|
|
|
|
# ==== Debug OIDC OAuth2 etc ====
|
|
|
|
|
#- DEBUG=true
|
|
|
|
|
#-----------------------------------------------------------------
|
|
|
|
|
# ==== OAUTH2 AZURE ====
|
|
|
|
|
# https://github.com/wekan/wekan/wiki/Azure
|
|
|
|
|
# 1) Register the application with Azure. Make sure you capture
|
|
|
|
|
# the application ID as well as generate a secret key.
|
|
|
|
|
# 2) Configure the environment variables. This differs slightly
|
|
|
|
|
# by installation type, but make sure you have the following:
|
|
|
|
|
#- OAUTH2_ENABLED=true
|
|
|
|
|
# OAuth2 login style: popup or redirect.
|
|
|
|
|
#- OAUTH2_LOGIN_STYLE=redirect
|
|
|
|
|
# Application GUID captured during app registration:
|
|
|
|
|
#- OAUTH2_CLIENT_ID=xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
|
|
|
|
|
# Secret key generated during app registration:
|
|
|
|
|
#- OAUTH2_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|
|
|
|
|
#- OAUTH2_SERVER_URL=https://login.microsoftonline.com/
|
|
|
|
|
#- OAUTH2_AUTH_ENDPOINT=/oauth2/v2.0/authorize
|
|
|
|
|
#- OAUTH2_USERINFO_ENDPOINT=https://graph.microsoft.com/oidc/userinfo
|
|
|
|
|
#- OAUTH2_TOKEN_ENDPOINT=/oauth2/v2.0/token
|
|
|
|
|
# The claim name you want to map to the unique ID field:
|
|
|
|
|
#- OAUTH2_ID_MAP=email
|
|
|
|
|
# The claim name you want to map to the username field:
|
|
|
|
|
#- OAUTH2_USERNAME_MAP=email
|
|
|
|
|
# The claim name you want to map to the full name field:
|
|
|
|
|
#- OAUTH2_FULLNAME_MAP=name
|
|
|
|
|
# Tthe claim name you want to map to the email field:
|
|
|
|
|
#- OAUTH2_EMAIL_MAP=email
|
|
|
|
|
#-----------------------------------------------------------------
|
|
|
|
|
# ==== OAUTH2 KEYCLOAK ====
|
|
|
|
|
# https://github.com/wekan/wekan/wiki/Keycloak <== MAPPING INFO, REQUIRED
|
|
|
|
|
#- OAUTH2_ENABLED=true
|
|
|
|
|
# OAuth2 login style: popup or redirect.
|
|
|
|
|
#- OAUTH2_LOGIN_STYLE=redirect
|
|
|
|
|
#- OAUTH2_CLIENT_ID=<Keycloak create Client ID>
|
|
|
|
|
#- OAUTH2_SERVER_URL=<Keycloak server name>/auth
|
|
|
|
|
#- OAUTH2_AUTH_ENDPOINT=/realms/<keycloak realm>/protocol/openid-connect/auth
|
|
|
|
|
#- OAUTH2_USERINFO_ENDPOINT=/realms/<keycloak realm>/protocol/openid-connect/userinfo
|
|
|
|
|
#- OAUTH2_TOKEN_ENDPOINT=/realms/<keycloak realm>/protocol/openid-connect/token
|
|
|
|
|
#- OAUTH2_SECRET=<keycloak client secret>
|
|
|
|
|
#-----------------------------------------------------------------
|
|
|
|
|
# ==== OAUTH2 DOORKEEPER ====
|
|
|
|
|
# https://github.com/wekan/wekan/issues/1874
|
|
|
|
|
# https://github.com/wekan/wekan/wiki/OAuth2
|
|
|
|
|
# Enable the OAuth2 connection
|
|
|
|
|
#- OAUTH2_ENABLED=true
|
|
|
|
|
# OAuth2 docs: https://github.com/wekan/wekan/wiki/OAuth2
|
|
|
|
|
# OAuth2 login style: popup or redirect.
|
|
|
|
|
#- OAUTH2_LOGIN_STYLE=redirect
|
|
|
|
|
# OAuth2 Client ID.
|
|
|
|
|
#- OAUTH2_CLIENT_ID=abcde12345
|
|
|
|
|
# OAuth2 Secret.
|
|
|
|
|
#- OAUTH2_SECRET=54321abcde
|
|
|
|
|
# OAuth2 Server URL.
|
|
|
|
|
#- OAUTH2_SERVER_URL=https://chat.example.com
|
|
|
|
|
# OAuth2 Authorization Endpoint.
|
|
|
|
|
#- OAUTH2_AUTH_ENDPOINT=/oauth/authorize
|
|
|
|
|
# OAuth2 Userinfo Endpoint.
|
|
|
|
|
#- OAUTH2_USERINFO_ENDPOINT=/oauth/userinfo
|
|
|
|
|
# OAuth2 Token Endpoint.
|
|
|
|
|
#- OAUTH2_TOKEN_ENDPOINT=/oauth/token
|
|
|
|
|
# OAUTH2 ID Token Whitelist Fields.
|
|
|
|
|
#- OAUTH2_ID_TOKEN_WHITELIST_FIELDS=""
|
|
|
|
|
# OAUTH2 Request Permissions.
|
|
|
|
|
#- OAUTH2_REQUEST_PERMISSIONS=openid profile email
|
|
|
|
|
# OAuth2 ID Mapping
|
|
|
|
|
#- OAUTH2_ID_MAP=
|
|
|
|
|
# OAuth2 Username Mapping
|
|
|
|
|
#- OAUTH2_USERNAME_MAP=
|
|
|
|
|
# OAuth2 Fullname Mapping
|
|
|
|
|
#- OAUTH2_FULLNAME_MAP=
|
|
|
|
|
# OAuth2 Email Mapping
|
|
|
|
|
#- OAUTH2_EMAIL_MAP=
|
|
|
|
|
#-----------------------------------------------------------------
|
|
|
|
|
# ==== LDAP: UNCOMMENT ALL TO ENABLE LDAP ====
|
|
|
|
|
# https://github.com/wekan/wekan/wiki/LDAP
|
|
|
|
|
# For Snap settings see https://github.com/wekan/wekan-snap/wiki/Supported-settings-keys
|
|
|
|
|
# Most settings work both on Snap and Docker below.
|
|
|
|
|
# Note: Do not add single quotes '' to variables. Having spaces still works without quotes where required.
|
|
|
|
|
#
|
|
|
|
|
# The default authentication method used if a user does not exist to create and authenticate. Can be set as ldap.
|
|
|
|
|
- DEFAULT_AUTHENTICATION_METHOD=ldap
|
|
|
|
|
#
|
|
|
|
|
# Enable or not the connection by the LDAP
|
|
|
|
|
- LDAP_ENABLE=true
|
|
|
|
|
#
|
|
|
|
|
# The port of the LDAP server
|
|
|
|
|
- LDAP_PORT=389
|
|
|
|
|
#
|
|
|
|
|
# The host server for the LDAP server
|
|
|
|
|
- LDAP_HOST=dc1.k-space.lan
|
|
|
|
|
#
|
|
|
|
|
# The base DN for the LDAP Tree
|
|
|
|
|
- LDAP_BASEDN=dc=k-space,dc=lan
|
|
|
|
|
#
|
|
|
|
|
# Fallback on the default authentication method
|
|
|
|
|
- LDAP_LOGIN_FALLBACK=false
|
|
|
|
|
#
|
|
|
|
|
# Reconnect to the server if the connection is lost
|
|
|
|
|
- LDAP_RECONNECT=true
|
|
|
|
|
#
|
|
|
|
|
# Overall timeout, in milliseconds
|
|
|
|
|
- LDAP_TIMEOUT=10000
|
|
|
|
|
#
|
|
|
|
|
# Specifies the timeout for idle LDAP connections in milliseconds
|
|
|
|
|
- LDAP_IDLE_TIMEOUT=10000
|
|
|
|
|
#
|
|
|
|
|
# Connection timeout, in milliseconds
|
|
|
|
|
- LDAP_CONNECT_TIMEOUT=10000
|
|
|
|
|
#
|
|
|
|
|
# If the LDAP needs a user account to search
|
|
|
|
|
- LDAP_AUTHENTIFICATION=true
|
|
|
|
|
#
|
|
|
|
|
# The search user DN - You need quotes when you have spaces in parameters
|
|
|
|
|
# 2 examples:
|
|
|
|
|
#- LDAP_AUTHENTIFICATION_USERDN="CN=ldap admin,CN=users,DC=domainmatter,DC=lan"
|
|
|
|
|
#- LDAP_AUTHENTIFICATION_USERDN="CN=wekan_adm,OU=serviceaccounts,OU=admin,OU=prod,DC=mydomain,DC=com"
|
|
|
|
|
#
|
|
|
|
|
# The password for the search user
|
|
|
|
|
- LDAP_AUTHENTIFICATION_PASSWORD=pwd
|
|
|
|
|
#
|
|
|
|
|
# Enable logs for the module
|
|
|
|
|
- LDAP_LOG_ENABLED=true
|
|
|
|
|
#
|
|
|
|
|
# If the sync of the users should be done in the background
|
|
|
|
|
- LDAP_BACKGROUND_SYNC=false
|
|
|
|
|
#
|
|
|
|
|
# At which interval does the background task sync in milliseconds.
|
|
|
|
|
# Leave this unset, so it uses default, and does not crash.
|
|
|
|
|
# https://github.com/wekan/wekan/issues/2354#issuecomment-515305722
|
|
|
|
|
- LDAP_BACKGROUND_SYNC_INTERVAL=''
|
|
|
|
|
#
|
|
|
|
|
#- LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED=false
|
|
|
|
|
#
|
|
|
|
|
#- LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS=false
|
|
|
|
|
#
|
|
|
|
|
# If using LDAPS: LDAP_ENCRYPTION=ssl
|
|
|
|
|
- LDAP_ENCRYPTION=ssl
|
|
|
|
|
#
|
|
|
|
|
# The certification for the LDAPS server. Certificate needs to be included in this docker-compose.yml file.
|
|
|
|
|
- LDAP_CA_CERT=-----BEGIN CERTIFICATE-----MIIFqDCCA5CgAwIBAgIE5hknWjANBgkqhkiG9w0BAQUFADByMR0wGwYDVQQKExRTYW1iYSBBZG1pbmlzdHJhdGlvbjE3MDUGA1UECxMuU2FtYmEgLSB0ZW1wb3JhcnkgYXV0b2dlbmVyYXRlZCBDQSBjZXJ0aWZpY2F0ZTEYMBYGA1UEAxMPREMxLmstc3BhY2UubGFuMB4XDTE3MTIwNTIyMTI1NFoXDTE5MTEwNTIyMTI1NFowdDEdMBsGA1UEChMUU2FtYmEgQWRtaW5pc3RyYXRpb24xOTA3BgNVBAsTMFNhbWJhIC0gdGVtcG9yYXJ5IGF1dG9nZW5lcmF0ZWQgSE9TVCBjZXJ0aWZpY2F0ZTEYMBYGA1UEAxMPREMxLmstc3BhY2UubGFuMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5wiOgdRYZ5UTlGGQ6yLrFKQG9ZqfFOI/NBSlhw6+fs9KbHQiDwjSMzqUQa2lDWGoqJcmn4EP4v6dNEs1rxXjahVR00CzMpPumma/seHrkKx26t6DvDMgLmCuNswGU/KN5sV1wU5cEmQonkr+BH5k5M4d8fTVaGQOFGun2AaA2KRLm1dilOsr37bYhMeKHKDLnShZOGegUKw0+Dn8W7W6taVNU2yKZXmy07Hg55PAIgNT/Ni+gYjy+T4dul//zILlnuvfopd3giIJ0G8h/1rK3SzqaB/I2BHIAoVQ+LIb/bwWYAU06/vT480Uhdmr5jOyFs/EOwm+X706KTobRtr2aRzZVHLQvwGHnl4Y6Ga0ocbOFEKWzpkeIDPO+iP5Q+vWBFJID0Zv64fZYjIL1jJ2+l598JCI3lJTqBczXaaUigJzPxUyk0h/9yR+zzj7qZb0rc3loqvNFn6N+1a3y+5uXfsbtf6H7Qmugw1RT+gsWwdIlJBca+0wEzp1XDymryJW1jKTq2jcQO2VTuYgPfAAkk9E/pbFyUSdBMLyJf0yALCRgKtGmH+jio9CZKnfyH+WDZZMf64GAxFLBLbInOUBZDXjLoNcsldeejpsDQ6b8BWYHRGGmwspYvp/EBDY3oC0lfHx1dgu1xkAbIPUJarzDuLGAMD5JJUkCVwkD92ivgkCAwEAAaNEMEIwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcDATAdBgNVHQ4EFgQUUXuarAUGg5SXgVTd7qjm39Jay6owDQYJKoZIhvcNAQEFBQADggIBACJDpQKuCanGQ7U0jsltgKunpJs3ZOtZP7jJhz+TeEvEYDaOFPreFLRpTOF2dTE3E5XVrUVFdCZCJcON3gkBCVDcEGfHxHTL1geGnKb6o/PY2N5l/Z8mjlqB83jxJ4xCbpELA4LWQ6jNTYcih4viInrpIyD7w05kN8bEyzet/pgms8G46+E8xAxQCCbKEM0bLrSRcUjWtqjgK34sXKYyFA0YDMafJtHgw4vDti1NdCCA88RjEdwTXJD/iiJLvA4rK7lU3JPt1sXaeawQJAK1XK7nWArmHZ3mpch+wRBX62BOvYtJAvboYMCc29bOQszQZEASnzj8cZmb5qAS2MWg2wvDgn0Z87NiGYD3xnadaVtUIYmIRb/2bOJc8qlDdasvdNvJY7zRD5xJZoUUax1eZcu/73f3PCelUsZmnUsrYhpSX5VaZyJfIBujygf9RFEeZ0q1br10ULkTN2DxAWmY6r+huywQr2wd9A3iPeo+BcUboQV3c0oFd+okDB6rbJ9U+x/CCQLXOBattZV2fqjN9C4DzSlWmLDxgFayFnG9bGUu1rfVj2S9D09hXCzY/hcM6OIhAnFVi6BxPred0RRT8q/GLgxwVlG8nN1AwMEXvDYR6q6BawDMyPAyWBE7AiV/6ubfuq94CYPxPWCaaUfuhwh5aGWn0mtyxK80rNIJZ1U1-----END CERTIFICATE-----
|
|
|
|
|
#
|
|
|
|
|
# Reject Unauthorized Certificate
|
|
|
|
|
#- LDAP_REJECT_UNAUTHORIZED=false
|
|
|
|
|
#
|
|
|
|
|
# Option to login to the LDAP server with the user's own username and password, instead of an administrator key. Default: false (use administrator key).
|
|
|
|
|
#- LDAP_USER_AUTHENTICATION="true"
|
|
|
|
|
#
|
|
|
|
|
# Which field is used to find the user for the user authentication. Default: uid.
|
|
|
|
|
#- LDAP_USER_AUTHENTICATION_FIELD="uid"
|
|
|
|
|
#
|
|
|
|
|
# Optional extra LDAP filters. Don't forget the outmost enclosing parentheses if needed
|
|
|
|
|
#- LDAP_USER_SEARCH_FILTER=
|
|
|
|
|
#
|
|
|
|
|
# base (search only in the provided DN), one (search only in the provided DN and one level deep), or sub (search the whole subtree)
|
|
|
|
|
#- LDAP_USER_SEARCH_SCOPE=one
|
|
|
|
|
#
|
|
|
|
|
# Which field is used to find the user, like uid / sAMAccountName
|
|
|
|
|
#- LDAP_USER_SEARCH_FIELD=sAMAccountName
|
|
|
|
|
#
|
|
|
|
|
# Used for pagination (0=unlimited)
|
|
|
|
|
#- LDAP_SEARCH_PAGE_SIZE=0
|
|
|
|
|
#
|
|
|
|
|
# The limit number of entries (0=unlimited)
|
|
|
|
|
#- LDAP_SEARCH_SIZE_LIMIT=0
|
|
|
|
|
#
|
|
|
|
|
# Enable group filtering
|
|
|
|
|
#- LDAP_GROUP_FILTER_ENABLE=false
|
|
|
|
|
#
|
|
|
|
|
# The object class for filtering. Example: group
|
|
|
|
|
#- LDAP_GROUP_FILTER_OBJECTCLASS=
|
|
|
|
|
#
|
|
|
|
|
#- LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE=
|
|
|
|
|
#
|
|
|
|
|
#- LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE=
|
|
|
|
|
#
|
|
|
|
|
#- LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT=
|
|
|
|
|
#
|
|
|
|
|
#- LDAP_GROUP_FILTER_GROUP_NAME=
|
|
|
|
|
#
|
|
|
|
|
# LDAP_UNIQUE_IDENTIFIER_FIELD : This field is sometimes class GUID (Globally Unique Identifier). Example: guid
|
|
|
|
|
#- LDAP_UNIQUE_IDENTIFIER_FIELD=
|
|
|
|
|
#
|
|
|
|
|
# LDAP_UTF8_NAMES_SLUGIFY : Convert the username to utf8
|
|
|
|
|
#- LDAP_UTF8_NAMES_SLUGIFY=true
|
|
|
|
|
#
|
|
|
|
|
# LDAP_USERNAME_FIELD : Which field contains the ldap username. username / sAMAccountName
|
|
|
|
|
#- LDAP_USERNAME_FIELD=sAMAccountName
|
|
|
|
|
#
|
|
|
|
|
# LDAP_FULLNAME_FIELD : Which field contains the ldap fullname. fullname / sAMAccountName
|
|
|
|
|
#- LDAP_FULLNAME_FIELD=fullname
|
|
|
|
|
#
|
|
|
|
|
#- LDAP_MERGE_EXISTING_USERS=false
|
|
|
|
|
#
|
|
|
|
|
# Allow existing account matching by e-mail address when username does not match
|
|
|
|
|
#- LDAP_EMAIL_MATCH_ENABLE=true
|
|
|
|
|
#
|
|
|
|
|
# LDAP_EMAIL_MATCH_REQUIRE : require existing account matching by e-mail address when username does match
|
|
|
|
|
#- LDAP_EMAIL_MATCH_REQUIRE=true
|
|
|
|
|
#
|
|
|
|
|
# LDAP_EMAIL_MATCH_VERIFIED : require existing account email address to be verified for matching
|
|
|
|
|
#- LDAP_EMAIL_MATCH_VERIFIED=true
|
|
|
|
|
#
|
|
|
|
|
# LDAP_EMAIL_FIELD : which field contains the LDAP e-mail address
|
|
|
|
|
#- LDAP_EMAIL_FIELD=mail
|
|
|
|
|
#-----------------------------------------------------------------
|
|
|
|
|
#- LDAP_SYNC_USER_DATA=false
|
|
|
|
|
#
|
|
|
|
|
#- LDAP_SYNC_USER_DATA_FIELDMAP={"cn":"name", "mail":"email"}
|
|
|
|
|
#
|
|
|
|
|
#- LDAP_SYNC_GROUP_ROLES=''
|
|
|
|
|
#
|
|
|
|
|
# The default domain of the ldap it is used to create email if the field is not map correctly with the LDAP_SYNC_USER_DATA_FIELDMAP
|
|
|
|
|
# example :
|
|
|
|
|
- LDAP_DEFAULT_DOMAIN=k-space.lan
|
|
|
|
|
#
|
|
|
|
|
# Enable/Disable syncing of admin status based on ldap groups:
|
|
|
|
|
- LDAP_SYNC_ADMIN_STATUS=true
|
|
|
|
|
#
|
|
|
|
|
# Comma separated list of admin group names to sync.
|
|
|
|
|
#- LDAP_SYNC_ADMIN_GROUPS=group1,group2
|
|
|
|
|
#---------------------------------------------------------------------
|
|
|
|
|
# Login to LDAP automatically with HTTP header.
|
|
|
|
|
# In below example for siteminder, at right side of = is header name.
|
|
|
|
|
#- HEADER_LOGIN_ID=HEADERUID
|
|
|
|
|
#- HEADER_LOGIN_FIRSTNAME=HEADERFIRSTNAME
|
|
|
|
|
#- HEADER_LOGIN_LASTNAME=HEADERLASTNAME
|
|
|
|
|
#- HEADER_LOGIN_EMAIL=HEADEREMAILADDRESS
|
|
|
|
|
#---------------------------------------------------------------------
|
|
|
|
|
# ==== LOGOUT TIMER, probably does not work yet ====
|
|
|
|
|
# LOGOUT_WITH_TIMER : Enables or not the option logout with timer
|
|
|
|
|
# example : LOGOUT_WITH_TIMER=true
|
|
|
|
|
#- LOGOUT_WITH_TIMER=
|
|
|
|
|
#
|
|
|
|
|
# LOGOUT_IN : The number of days
|
|
|
|
|
# example : LOGOUT_IN=1
|
|
|
|
|
#- LOGOUT_IN=
|
|
|
|
|
#
|
|
|
|
|
# LOGOUT_ON_HOURS : The number of hours
|
|
|
|
|
# example : LOGOUT_ON_HOURS=9
|
|
|
|
|
#- LOGOUT_ON_HOURS=
|
|
|
|
|
#
|
|
|
|
|
# LOGOUT_ON_MINUTES : The number of minutes
|
|
|
|
|
# example : LOGOUT_ON_MINUTES=55
|
|
|
|
|
#- LOGOUT_ON_MINUTES=
|
|
|
|
|
#-------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
|
depends_on:
|
|
|
|
|
- wekandb
|
|
|
|
|
|
|
|
|
|
#---------------------------------------------------------------------------------
|
|
|
|
|
# ==== OPTIONAL: SHARE DATABASE TO OFFICE LAN AND REMOTE VPN ====
|
|
|
|
|
# When using Wekan both at office LAN and remote VPN:
|
|
|
|
|
# 1) Have above Wekan docker container config with LAN IP address
|
|
|
|
|
# 2) Copy all of above wekan container config below, look above of this part above and all config below it,
|
|
|
|
|
# before above depends_on: part:
|
|
|
|
|
#
|
|
|
|
|
# wekan:
|
|
|
|
|
# #-------------------------------------------------------------------------------------
|
|
|
|
|
# # ==== MONGODB AND METEOR VERSION ====
|
|
|
|
|
# # a) For Wekan Meteor 1.8.x version at meteor-1.8 branch, .....
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
# and change name to different name like wekan2 or wekanvpn, and change ROOT_URL to server VPN IP
|
|
|
|
|
# address.
|
|
|
|
|
# 3) This way both Wekan containers can use same MongoDB database
|
|
|
|
|
# and see the same Wekan boards.
|
|
|
|
|
# 4) You could also add 3rd Wekan container for 3rd network etc.
|
|
|
|
|
# EXAMPLE:
|
|
|
|
|
# wekan2:
|
|
|
|
|
# ....COPY CONFIG FROM ABOVE TO HERE...
|
|
|
|
|
# environment:
|
|
|
|
|
# - ROOT_URL='http://10.10.10.10'
|
|
|
|
|
# ...COPY CONFIG FROM ABOVE TO HERE...
|
|
|
|
|
#---------------------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
|
# OPTIONAL NGINX CONFIG FOR REVERSE PROXY
|
|
|
|
|
# nginx:
|
|
|
|
|
# image: nginx
|
|
|
|
|
# container_name: nginx
|
|
|
|
|
# restart: always
|
|
|
|
|
# networks:
|
|
|
|
|
# - wekan-tier
|
|
|
|
|
# depends_on:
|
|
|
|
|
# - wekan
|
|
|
|
|
# ports:
|
|
|
|
|
# - 80:80
|
|
|
|
|
# - 443:443
|
|
|
|
|
# volumes:
|
|
|
|
|
# - ./nginx/ssl:/etc/nginx/ssl/:ro
|
|
|
|
|
# - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
|
|
|
|
|
## Alternative volume config:
|
|
|
|
|
## volumes:
|
|
|
|
|
## - ./nginx/nginx.conf:/etc/nginx/conf.d/default.conf:ro
|
|
|
|
|
## - ./nginx/ssl/ssl.conf:/etc/nginx/conf.d/ssl/ssl.conf:ro
|
|
|
|
|
## - ./nginx/ssl/testvm-ehu.crt:/etc/nginx/conf.d/ssl/certs/mycert.crt:ro
|
|
|
|
|
## - ./nginx/ssl/testvm-ehu.key:/etc/nginx/conf.d/ssl/certs/mykey.key:ro
|
|
|
|
|
## - ./nginx/ssl/pphrase:/etc/nginx/conf.d/ssl/pphrase:ro
|
|
|
|
|
|
|
|
|
|
networks:
|
|
|
|
|
wekan-tier:
|
|
|
|
|
driver: bridge
|
whysthatso