Merge pull request bunkerity#1433 from jbbandos/master

Photoprism example config
keyman9848 · Sep 17, 2024 · 13444ed · 13444ed
2 parents d285dc9 + dfb614c
commit 13444ed
Show file tree

Hide file tree

Showing 4 changed files with 328 additions and 0 deletions.
diff --git a/examples/community/photoprism/README.md b/examples/community/photoprism/README.md
@@ -0,0 +1,23 @@
+Photoprism app configuration example for bunkerweb. The app works and synchronization with the android PhotoSync app also works for every funtion that was tested.
+
+# Procedure:
+
+Start with the photoprism [docker compose file][PhotoprismComposeFile]. The basic file (https://dl.photoprism.app/docker/docker-compose.yml) is taken from [photoprism documentation][PhotoprismDockerDocs]
+Bunkerweb specific changes are noted with *"#For bunkerweb"* at the end of the line
+
+Check and adapt the bunkerweb configuration. Use the example [docker compose file][BunkerwebComposeFile]. 
+Photoprism specific changes are noted with *"#photoprism specific config"*.
+Adapt the rest as needed for your configurations.
+
+Start services with `docker-compose up -d`
+
+Configure the bunkerweb ui (https://docs.bunkerweb.io/latest/web-ui/#setup-wizard).
+Use the bunkerweb ui to upload the [modsec override file][AllowmediaConfig] to configs->modsec-crs->photos.example.com app specific folder.
+If prefered, copy the file manually to a folder as described in the guide (https://docs.bunkerweb.io/latest/quickstart-guide/#custom-configurations). Place it under configs/modsec-crs/.
+
+If using the provided configuration with autoconf enabled, the photoprism app should now be working without further intervention
+
+[PhotoprismDockerDocs]: https://docs.photoprism.app/getting-started/docker-compose/
+[PhotoprismComposeFile]: photoprism-compose.yml
+[BunkerwebComposeFile]: docker-compose.yml
+[AllowmediaConfig]: bw.data/configs/modsec-crs/allowmedia.conf
diff --git a/examples/community/photoprism/bw.data/configs/modsec-crs/allowmedia.conf b/examples/community/photoprism/bw.data/configs/modsec-crs/allowmedia.conf
@@ -0,0 +1,7 @@
+SecAction \
+ "id:900220,\
+  phase:1,\
+  nolog,\
+  pass,\
+  t:none,\
+  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|text/plain|video/mp4|video/quicktime|video/ogg|video/3gpp|video/mpeg|video/webm|video/3gpp2|video/mp2t|video/x-msvideo|image/apng|image/avif|image/bmp|image/gif|image/jpeg|image/png|image/svg+xml|image/tiff|image/webp'"
diff --git a/examples/community/photoprism/docker-compose.yml b/examples/community/photoprism/docker-compose.yml
@@ -0,0 +1,117 @@
+#bunkerweb 1.5.9 docker compose file with changes for photoprism app
+#Configured for custom ssl cert, autoconf, and BunkerWeb UI
+#photoprism specific lines indicated.
+
+services:
+  bunkerweb:
+    image: bunkerity/bunkerweb:1.5.9
+    ports:
+      - 80:8080
+      - 443:8443
+    labels:
+      - "bunkerweb.INSTANCE=yes"
+    environment:
+      - SERVER_NAME=photoprism.example.com  # replace with your domains
+      - UI_HOST=http://UiHost.example.com:7000
+      - DATABASE_URI=mariadb+pymysql://bunkerweb:DBPassword@bw-db:3306/db   # Remember to set a stronger password for the database
+      - AUTOCONF_MODE=yes
+      - MULTISITE=yes
+      - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
+      - USE_CLIENT_CACHE=yes
+      - USE_GZIP=yes
+      - USE_REVERSE_PROXY=yes
+      - AUTO_LETS_ENCRYPT=no    # using custom ssl certificate
+      - USE_CUSTOM_SSL=yes      # using custom ssl certificate
+      - CUSTOM_SSL_CERT=/ssl/fullchain.pem    # using custom ssl certificate
+      - CUSTOM_SSL_KEY=/ssl/privkey.pem       # using custom ssl certificate
+      - ALLOWED_METHODS=GET|POST|HEAD|DELETE|PUT|MKCOL|PROPFIND|PROPPATCH     #photoprism specific config - allow methods used by photoprism app and the PhotoSync android client
+      - MAX_CLIENT_SIZE=1024m   #photoprism specific config - Increase as needed, depending on the size of the videos you want to uppload
+      - LIMIT_REQ_RATE=20r/s    #photoprism specific config - possibly overkill, tune as needed. The default of 2r/s makes it impossible to play videos in photoprism
+    networks:
+      - bw-universe
+      - bw-services
+    volumes:
+      - /etc/bunkerweb/certs/fullchain.pem:/ssl/fullchain.pem:ro    # using custom ssl certificate
+      - /etc/bunkerweb/certs/privkey.pem:/ssl/privkey.pem:ro        # using custom ssl certificate
+
+  bw-autoconf:
+    image: bunkerity/bunkerweb-autoconf:1.5.9
+    depends_on:
+      - bunkerweb
+      - bw-docker
+    environment:
+      - DATABASE_URI=mariadb+pymysql://bunkerweb:DBPassword@bw-db:3306/db   # Remember to set a stronger password for the database
+      - AUTOCONF_MODE=yes
+      - DOCKER_HOST=tcp://bw-docker:2375
+    networks:
+      - bw-universe
+      - bw-docker
+
+  bw-scheduler:
+    image: bunkerity/bunkerweb-scheduler:1.5.9
+    depends_on:
+      - bunkerweb
+      - bw-docker
+    environment:
+      - DATABASE_URI=mariadb+pymysql://bunkerweb:DBPassword@bw-db:3306/db   # Remember to set a stronger password for the database
+      - DOCKER_HOST=tcp://bw-docker:2375
+      - AUTOCONF_MODE=yes
+    networks:
+      - bw-universe
+      - bw-docker
+    volumes:
+      - /etc/bunkerweb/certs/fullchain.pem:/ssl/fullchain.pem:ro      # using custom ssl certificate
+      - /etc/bunkerweb/certs/privkey.pem:/ssl/privkey.pem:ro          # using custom ssl certificate
+
+  bw-docker:
+    image: tecnativa/docker-socket-proxy:nightly
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    environment:
+      - CONTAINERS=1
+      - LOG_LEVEL=warning
+    networks:
+      - bw-docker
+
+  bw-db:
+    image: mariadb:10.10
+    environment:
+      - MYSQL_RANDOM_ROOT_PASSWORD=yes
+      - MYSQL_DATABASE=db
+      - MYSQL_USER=bunkerweb
+      - MYSQL_PASSWORD=DBPassword   # Remember to set a stronger password for the database 
+    volumes:
+      - bw-data:/var/lib/mysql
+    networks:
+      - bw-docker
+
+  UiHost:
+    image: bunkerity/bunkerweb-ui:1.5.9
+    networks:
+      bw-docker:
+      bw-universe:
+        aliases:
+          - UiHost.example.com
+    environment:
+      - USE_CUSTOM_SSL=yes    # using custom ssl certificate
+      - CUSTOM_SSL_CERT=/ssl/fullchain.pem    # using custom ssl certificate
+      - CUSTOM_SSL_KEY=/ssl/privkey.pem       # using custom ssl certificate
+      - AUTOCONF_MODE=yes
+      - DOCKER_HOST=tcp://bw-docker:2375
+      - DATABASE_URI=mariadb+pymysql://bunkerweb:DBPassword@bw-db:3306/db # Remember to set a stronger password for the database
+
+volumes:
+  bw-data:
+  certs:
+
+networks:
+  bw-universe:
+    name: bw-universe
+    ipam:
+      driver: default
+      config:
+        - subnet: 10.20.30.0/24
+  bw-services:
+    name: bw-services
+  bw-docker:
+    name: bw-docker
diff --git a/examples/community/photoprism/photoprism-compose.yml b/examples/community/photoprism/photoprism-compose.yml
@@ -0,0 +1,181 @@
+# Adapted Example Docker Compose config file for PhotoPrism (Linux / AMD64)
+#
+# ----------------------------------------------------------------------------------
+# Added labels and network configurationfor bunkerweb integration
+# Part of the photoprism app example for bunkerweb
+# ----------------------------------------------------------------------------------
+#
+# Note:
+# - Running PhotoPrism on a server with less than 4 GB of swap space or setting a memory/swap limit can cause unexpected
+#   restarts ("crashes"), for example, when the indexer temporarily needs more memory to process large files.
+# - If you install PhotoPrism on a public server outside your home network, please always run it behind a secure
+#   HTTPS reverse proxy such as Traefik or Caddy. Your files and passwords will otherwise be transmitted
+#   in clear text and can be intercepted by anyone, including your provider, hackers, and governments:
+#   https://docs.photoprism.app/getting-started/proxies/traefik/
+#
+# Setup Guides:
+# - https://docs.photoprism.app/getting-started/docker-compose/
+# - https://docs.photoprism.app/getting-started/raspberry-pi/
+# - https://www.photoprism.app/kb/activation
+#
+# Troubleshooting Checklists:
+# - https://docs.photoprism.app/getting-started/troubleshooting/
+# - https://docs.photoprism.app/getting-started/troubleshooting/docker/
+# - https://docs.photoprism.app/getting-started/troubleshooting/mariadb/
+#
+# CLI Commands:
+# - https://docs.photoprism.app/getting-started/docker-compose/#command-line-interface
+#
+# All commands may have to be prefixed with "sudo" when not running as root.
+# This will point the home directory shortcut ~ to /root in volume mounts.
+
+services:
+  photoprism:
+    ## Use photoprism/photoprism:preview for testing preview builds:
+    image: photoprism/photoprism:latest
+    container_name: photoprism
+    networks:                                                     #For bunkerweb
+        bw-services:                                              #For bunkerweb
+            aliases:                                              #For bunkerweb
+              - photoprism                                        #For bunkerweb
+    ## Don't enable automatic restarts until PhotoPrism has been properly configured and tested!
+    ## If the service gets stuck in a restart loop, this points to a memory, filesystem, network, or database issue:
+    ## https://docs.photoprism.app/getting-started/troubleshooting/#fatal-server-errors
+    # restart: unless-stopped
+    stop_grace_period: 10s
+    depends_on:
+      - mariadb
+    security_opt:
+      - seccomp:unconfined
+      - apparmor:unconfined
+    ## Server port mapping in the format "Host:Container". To use a different port, change the host port on
+    ## the left-hand side and keep the container port, e.g. "80:2342" (for HTTP) or "443:2342 (for HTTPS):
+    ports:
+      - "2342:2342"
+    ## Before you start the service, please check the following config options (and change them as needed):
+    ## https://docs.photoprism.app/getting-started/config-options/
+    labels:
+        - "bunkerweb.SERVER_NAME=photos.example.com"              #For bunkerweb
+        - "bunkerweb.USE_REVERSE_PROXY=yes"                       #For bunkerweb
+        - "bunkerweb.REVERSE_PROXY_URL=/"                         #For bunkerweb
+        - "bunkerweb.REVERSE_PROXY_HOST=http://photoprism:2342"   #For bunkerweb
+        - "bunkerweb.REVERSE_PROXY_WS=yes"                        #For bunkerweb
+    environment:
+      PHOTOPRISM_ADMIN_USER: "admin"                 # admin login username
+      PHOTOPRISM_ADMIN_PASSWORD: "insecure"          # initial admin password (8-72 characters)
+      PHOTOPRISM_AUTH_MODE: "password"               # authentication mode (public, password)
+      PHOTOPRISM_SITE_URL: "http://localhost:2342/"  # server URL in the format "http(s)://domain.name(:port)/(path)"
+      PHOTOPRISM_DISABLE_TLS: "false"                # disables HTTPS/TLS even if the site URL starts with https:// and a certificate is available
+      PHOTOPRISM_DEFAULT_TLS: "false"                 # defaults to a self-signed HTTPS/TLS certificate if no other certificate is available
+      PHOTOPRISM_ORIGINALS_LIMIT: 50000               # file size limit for originals in MB (increase for high-res video)
+      PHOTOPRISM_HTTP_COMPRESSION: "gzip"            # improves transfer speed and bandwidth utilization (none or gzip)
+      PHOTOPRISM_LOG_LEVEL: "info"                   # log level: trace, debug, info, warning, error, fatal, or panic
+      PHOTOPRISM_READONLY: "false"                   # do not modify originals directory (reduced functionality)
+      PHOTOPRISM_EXPERIMENTAL: "false"               # enables experimental features
+      PHOTOPRISM_DISABLE_CHOWN: "false"              # disables updating storage permissions via chmod and chown on startup
+      PHOTOPRISM_DISABLE_WEBDAV: "false"             # disables built-in WebDAV server
+      PHOTOPRISM_DISABLE_SETTINGS: "false"           # disables settings UI and API
+      PHOTOPRISM_DISABLE_TENSORFLOW: "false"         # disables all features depending on TensorFlow
+      PHOTOPRISM_DISABLE_FACES: "false"              # disables face detection and recognition (requires TensorFlow)
+      PHOTOPRISM_DISABLE_CLASSIFICATION: "false"     # disables image classification (requires TensorFlow)
+      PHOTOPRISM_DISABLE_VECTORS: "false"            # disables vector graphics support
+      PHOTOPRISM_DISABLE_RAW: "false"                # disables indexing and conversion of RAW images
+      PHOTOPRISM_RAW_PRESETS: "false"                # enables applying user presets when converting RAW images (reduces performance)
+      PHOTOPRISM_SIDECAR_YAML: "true"                # creates YAML sidecar files to back up picture metadata
+      PHOTOPRISM_BACKUP_PATH: "/photoprism/storage/backups"
+      PHOTOPRISM_BACKUP_ALBUMS: "true"               # creates YAML files to back up album metadata
+      PHOTOPRISM_BACKUP_DATABASE: "true"             # creates regular backups based on the configured schedule
+      PHOTOPRISM_BACKUP_SCHEDULE: "daily"            # backup SCHEDULE in cron format (e.g. "0 12 * * *" for daily at noon) or at a random time (daily, weekly)
+      PHOTOPRISM_INDEX_SCHEDULE: ""                  # indexing SCHEDULE in cron format (e.g. "@every 3h" for every 3 hours; "" to disable)
+      PHOTOPRISM_AUTO_INDEX: 300                     # delay before automatically indexing files in SECONDS when uploading via WebDAV (-1 to disable)
+      PHOTOPRISM_AUTO_IMPORT: -1                     # delay before automatically importing files in SECONDS when uploading via WebDAV (-1 to disable)
+      PHOTOPRISM_DETECT_NSFW: "false"                # automatically flags photos as private that MAY be offensive (requires TensorFlow)
+      PHOTOPRISM_UPLOAD_NSFW: "true"                 # allows uploads that MAY be offensive (no effect without TensorFlow)
+      # PHOTOPRISM_DATABASE_DRIVER: "sqlite"         # SQLite is an embedded database that does not require a separate database server
+      PHOTOPRISM_DATABASE_DRIVER: "mysql"            # MariaDB 10.5.12+ (MySQL successor) offers significantly better performance compared to SQLite
+      PHOTOPRISM_DATABASE_SERVER: "mariadb:3306"     # MariaDB database server (hostname:port)
+      PHOTOPRISM_DATABASE_NAME: "photoprism"         # MariaDB database schema name
+      PHOTOPRISM_DATABASE_USER: "photoprism"         # MariaDB database user name
+      PHOTOPRISM_DATABASE_PASSWORD: "photoprism"       # MariaDB database user password
+      PHOTOPRISM_SITE_CAPTION: "AI-Powered Photos App"
+      PHOTOPRISM_SITE_DESCRIPTION: "AI-Powered Photos App for the Decentralized Web"                # meta site description
+      PHOTOPRISM_SITE_AUTHOR: ""                     # meta site author
+      ## Video Transcoding (https://docs.photoprism.app/getting-started/advanced/transcoding/):
+      # PHOTOPRISM_FFMPEG_ENCODER: "software"        # H.264/AVC encoder (software, intel, nvidia, apple, raspberry, or vaapi)
+      # PHOTOPRISM_FFMPEG_SIZE: "1920"               # video size limit in pixels (720-7680) (default: 3840)
+      # PHOTOPRISM_FFMPEG_BITRATE: "32"              # video bitrate limit in Mbit/s (default: 50)
+      ## Run/install on first startup (options: update https gpu ffmpeg tensorflow davfs clitools clean):
+      # PHOTOPRISM_INIT: "https gpu tensorflow"
+      ## Run as a non-root user after initialization (supported: 0, 33, 50-99, 500-600, and 900-1200):
+      PHOTOPRISM_UID: 995
+      PHOTOPRISM_GID: 100
+      # PHOTOPRISM_UID: 1000
+      # PHOTOPRISM_GID: 1000
+      # PHOTOPRISM_UMASK: 0000
+    ## Start as non-root user before initialization (supported: 0, 33, 50-99, 500-600, and 900-1200):
+    # user: "1000:1000"
+    ## Share hardware devices with FFmpeg and TensorFlow (optional):
+    # devices:
+    #  - "/dev/dri:/dev/dri"                         # Intel QSV
+    #  - "/dev/nvidia0:/dev/nvidia0"                 # Nvidia CUDA
+    #  - "/dev/nvidiactl:/dev/nvidiactl"
+    #  - "/dev/nvidia-modeset:/dev/nvidia-modeset"
+    #  - "/dev/nvidia-nvswitchctl:/dev/nvidia-nvswitchctl"
+    #  - "/dev/nvidia-uvm:/dev/nvidia-uvm"
+    #  - "/dev/nvidia-uvm-tools:/dev/nvidia-uvm-tools"
+    #  - "/dev/video11:/dev/video11"                 # Video4Linux Video Encode Device (h264_v4l2m2m)
+    working_dir: "/photoprism" # do not change or remove
+    ## Storage Folders: "~" is a shortcut for your home directory, "." for the current directory
+    volumes:
+      # "/host/folder:/photoprism/folder"                # Example
+      - "/host/folder/Pictures:/photoprism/originals"               # Original media files (DO NOT REMOVE)
+      # - "/example/family:/photoprism/originals/family" # *Additional* media folders can be mounted like this
+      - "/host/folder/NewPhotos:/photoprism/import"                  # *Optional* base folder from which files can be imported to originals
+      - "/host/folder/SSDPhotopData/storage:/photoprism/storage"                  # *Writable* storage folder for cache, database, and sidecar files (DO NOT REMOVE)
+
+  ## MariaDB Database Server (recommended)
+  ## see https://docs.photoprism.app/getting-started/faq/#should-i-use-sqlite-mariadb-or-mysql
+  mariadb:
+    image: mariadb:latest
+    container_name: mariadb
+    networks:
+        bw-services:
+            aliases:
+              - mariadb
+    ## If MariaDB gets stuck in a restart loop, this points to a memory or filesystem issue:
+    ## https://docs.photoprism.app/getting-started/troubleshooting/#fatal-server-errors
+    restart: unless-stopped
+    stop_grace_period: 5s
+    security_opt: # see https://github.com/MariaDB/mariadb-docker/issues/434#issuecomment-1136151239
+      - seccomp:unconfined
+      - apparmor:unconfined
+    command: --innodb-buffer-pool-size=512M --transaction-isolation=READ-COMMITTED --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci --max-connections=512 --innodb-rollback-on-timeout=OFF --innodb-lock-wait-timeout=120
+    ## Never store database files on an unreliable device such as a USB flash drive, an SD card, or a shared network folder:
+    volumes:
+      - "/host/folder/SSDPhotopData/db/:/var/lib/mysql" # DO NOT REMOVE
+    environment:
+      MARIADB_AUTO_UPGRADE: "1"
+      MARIADB_INITDB_SKIP_TZINFO: "1"
+      MARIADB_DATABASE: "photoprism"
+      MARIADB_USER: "photoprism"
+      MARIADB_PASSWORD: "photoprism"
+      MARIADB_ROOT_PASSWORD: "photoprism"
+
+  ## Watchtower upgrades services automatically (optional)
+  ## see https://docs.photoprism.app/getting-started/updates/#watchtower
+  ## activate via "COMPOSE_PROFILES=update docker compose up -d"
+  watchtower:
+    restart: unless-stopped
+    image: containrrr/watchtower
+    profiles: ["update"]
+    environment:
+      WATCHTOWER_CLEANUP: "true"
+      WATCHTOWER_POLL_INTERVAL: 7200 # checks for updates every two hours
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock"
+      - "/root/.docker/config.json:/config.json" # optional, for authentication if you have a Docker Hub account
+
+networks:                                                     #For bunkerweb
+  bw-services:                                                #For bunkerweb
+    external: true                                            #For bunkerweb
+    name: bw-services                                         #For bunkerweb