📝(doc): add documentation to install with compose

Signed-off-by: unteem <timothee@indie.host>

f

Author: unteem

docker/files/production/etc/nginx/conf.d/default.conf.template

@@ -0,0 +1,81 @@
+upstream docs_backend {
+    server ${BACKEND_HOST}:8000 fail_timeout=0;
+}
+
+upstream docs_frontend {
+    server ${FRONTEND_HOST}:3000 fail_timeout=0;
+}
+
+server {
+    listen 8083;
+    server_name localhost;
+    charset utf-8;
+
+    # Disables server version feedback on pages and in headers
+    server_tokens off;
+
+    proxy_ssl_server_name on;
+
+    location @proxy_to_docs_backend {
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        proxy_redirect off;
+        proxy_pass http://docs_backend;
+    }
+
+    location @proxy_to_docs_frontend {
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        proxy_redirect off;
+        proxy_pass http://docs_frontend;
+    }
+
+    location / {
+        try_files $uri @proxy_to_docs_frontend;
+    }
+
+    location /api {
+        try_files $uri @proxy_to_docs_backend;
+    }
+
+    location /admin {
+        try_files $uri @proxy_to_docs_backend;
+    }
+
+    # Proxy auth for media
+    location /media/ {
+        # Auth request configuration
+        auth_request /media-auth;
+        auth_request_set $authHeader $upstream_http_authorization;
+        auth_request_set $authDate $upstream_http_x_amz_date;
+        auth_request_set $authContentSha256 $upstream_http_x_amz_content_sha256;
+
+        # Pass specific headers from the auth response
+        proxy_set_header Authorization $authHeader;
+        proxy_set_header X-Amz-Date $authDate;
+        proxy_set_header X-Amz-Content-SHA256 $authContentSha256;
+
+        # Get resource from Minio
+        proxy_pass https://${S3_HOST}/${BUCKET_NAME}/;
+        proxy_set_header Host ${S3_HOST};
+
+        proxy_ssl_name ${S3_HOST};
+
+        add_header Content-Security-Policy "default-src 'none'" always;
+    }
+
+    location /media-auth {
+        proxy_pass http://docs_backend/api/v1.0/documents/media-auth/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Original-URL $request_uri;
+
+        # Prevent the body from being passed
+        proxy_pass_request_body off;
+        proxy_set_header Content-Length "";
+        proxy_set_header X-Original-Method $request_method;
+    }
+}

docs/examples/compose/compose.yaml

@@ -0,0 +1,73 @@
+services:
+  postgresql:
+    image: postgres:16
+    healthcheck:
+      test: ["CMD", "pg_isready", "-q", "-U", "docs", "-d", "docs"]
+      interval: 1s
+      timeout: 2s
+      retries: 300
+    env_file:
+    - env.d/postgresql
+    - env.d/common
+    environment:
+    - PGDATA=/var/lib/postgresql/data/pgdata
+    volumes:
+    - ./data/databases/backend:/var/lib/postgresql/data/pgdata
+
+  redis:
+    image: redis:5
+
+  backend:
+    image: lasuite/impress-backend:latest
+    user: ${DOCKER_USER:-1000}
+    restart: always
+    environment:
+    - DJANGO_CONFIGURATION=Production
+    env_file:
+    - env.d/backend
+    - env.d/postgresql
+    - env.d/common
+    healthcheck:
+      test: ["CMD", "python", "manage.py", "check"]
+      interval: 15s
+      timeout: 30s
+      retries: 20
+      start_period: 10s
+    depends_on:
+      postgresql:
+        condition: service_healthy
+        restart: true
+      redis:
+        condition: service_started
+
+  y-provider:
+    image: lasuite/impress-y-provider:latest
+    user: ${DOCKER_USER:-1000}
+    env_file:
+    - env.d/yprovider
+    - env.d/common
+
+  frontend:
+    image: lasuite/impress-frontend:latest
+    user: "101"
+    env_file:
+    - env.d/common
+    # Uncomment and set your values if using our nginx proxy example
+    #environment:
+    # - VIRTUAL_HOST=${DOCS_HOST} # used by nginx proxy 
+    # - VIRTUAL_PORT=8083 # used by nginx proxy
+    # - LETSENCRYPT_HOST=${DOCS_HOST} # used by lets encrypt to generate TLS certificate
+    volumes:
+    - ./default.conf.template:/etc/nginx/templates/default.conf.template
+    depends_on:
+      backend:
+        condition: service_healthy
+# Uncomment if using our nginx proxy example
+#    networks:
+#    - proxy-tier
+#    - default
+
+# Uncomment if using our nginx proxy example
+#networks:
+#  proxy-tier:
+#    external: true

docs/examples/compose/keycloak/README.md

@@ -0,0 +1,88 @@
+# Deploy and Configure Keycloak for Docs
+
+## Installation
+
+> \[!CAUTION\]
+> We provide those instructions as an example, for production environments, you should follow the [official documentation](https://www.keycloak.org/documentation).
+
+### Step 1: Prepare your working environment:
+
+```bash
+mkdir keycloak
+curl -o compose.yaml https://raw.githubusercontent.com/suitenumerique/docs/refs/heads/main/docs/examples/compose/keycloak/compose.yaml
+curl -o env.d/kc_postgresql https://raw.githubusercontent.com/suitenumerique/docs/refs/heads/main/docs/env.d/production/kc_postgresql
+curl -o env.d/keycloak https://raw.githubusercontent.com/suitenumerique/docs/refs/heads/main/docs/env.d/production/keycloak
+```
+
+### Step 2:. Update `env.d/` files
+
+The following variables need to be updated with your own values, others can be left as is:
+
+```env
+POSTGRES_PASSWORD=<generate postgres password>
+KC_HOSTNAME=https://id.yourdomain.tld # Change with your own URL
+KC_BOOTSTRAP_ADMIN_PASSWORD=<generate your password>
+```
+
+### Step 3: Expose keycloak instance on https
+
+> \[!NOTE\]
+> You can skip this section if you already have your own setup.
+
+To access your Keycloak instance on the public network, it needs to be exposed on a domain with SSL termination. You can use our [example with nginx proxy and Let's Encrypt companion](../nginx-proxy/README.md) for automated creation/renewal of certificates using [acme.sh](http://acme.sh).
+
+If following our example, uncomment the environment and network sections in compose file and update it with your values.
+
+```yaml
+version: '3'
+services:
+  keycloak:
+   ...
+    # Uncomment and set your values if using our nginx proxy example
+    # environment:
+    # - VIRTUAL_HOST=id.yourdomain.tld # used by nginx proxy 
+    # - VIRTUAL_PORT=8080 # used by nginx proxy
+    # - LETSENCRYPT_HOST=id.yourdomain.tld # used by lets encrypt to generate TLS certificate
+   ...
+# Uncomment if using our nginx proxy example
+#    networks:
+#    - proxy-tier
+#    - default
+
+# Uncomment if using our nginx proxy example
+#networks:
+#  proxy-tier:
+#    external: true
+```
+
+### Step 4: Start the service
+
+```bash
+`docker compose up -d`
+```
+
+Your keycloak instance is now available on https://doc.yourdomain.tld
+
+## Creating an OIDC Client for Docs Application
+
+### Step 1: Create a New Realm
+
+1. Log in to the Keycloak administration console.
+2. Navigate to the realm tab and click on the "Create realm" button.
+3. Enter the name of the realm  - `docs`.
+4. Click "Create".
+
+#### Step 2: Create a New Client
+
+1. Navigate to the "Clients" tab.
+2. Click on the "Create client" button.
+3. Enter the client ID - e.g. `docs`.
+4. Enable "Client authentification" option.
+6. Set the "Valid redirect URIs" to the URL of your docs application suffixed with `/*` - e.g., "https://docs.example.com/*".
+1. Set the "Web Origins" to the URL of your docs application - e.g. `https://docs.example.com`.
+1. Click "Save".
+
+#### Step 3: Get Client Credentials
+
+1. Go to the "Credentials" tab.
+2. Copy the client ID (`docs` in this example) and the client secret.

docs/examples/compose/keycloak/compose.yaml

@@ -0,0 +1,36 @@
+services:
+  kc_postgresql:
+    image: postgres:16
+    healthcheck:
+      test: ["CMD", "pg_isready", "-q", "-U", "keycloak", "-d", "keycloak"]
+      interval: 1s
+      timeout: 2s
+      retries: 300
+    env_file:
+    - env.d/kc_postgresql
+    volumes:
+    - ./data/keycloak:/var/lib/postgresql/data/pgdata
+
+  keycloak:
+    image: quay.io/keycloak/keycloak:26.1.3
+    command: ["start"]
+    env_file:
+    - env.d/kc_postgresql
+    - env.d/keycloak
+    # Uncomment and set your values if using our nginx proxy example
+    # environment:
+    # - VIRTUAL_HOST=id.yourdomain.tld # used by nginx proxy 
+    # - VIRTUAL_PORT=8080 # used by nginx proxy
+    # - LETSENCRYPT_HOST=id.yourdomain.tld # used by lets encrypt to generate TLS certificate
+    depends_on:
+      kc_postgresql::
+        condition: service_healthy
+        restart: true
+# Uncomment if using our nginx proxy example
+#    networks:
+#    - proxy-tier
+#    - default
+#
+#networks:
+#  proxy-tier:
+#    external: true

docs/examples/compose/minio/README.md

@@ -0,0 +1,103 @@
+# Deploy and Configure Minio for Docs
+
+## Installation
+
+> \[!CAUTION\]
+> We provide those instructions as an example, it should not be run in production. For production environments, deploy MinIO [in a Multi-Node Multi-Drive (Distributed)](https://min.io/docs/minio/linux/operations/install-deploy-manage/deploy-minio-multi-node-multi-drive.html#minio-mnmd) topology
+
+### Step 1: Prepare your working environment:
+
+```bash
+mkdir minio
+curl -o compose.yaml https://raw.githubusercontent.com/suitenumerique/docs/refs/heads/main/docs/examples/compose/minio/compose.yaml 
+```
+
+### Step 2:. Update compose file with your own values
+
+```yaml
+version: '3'
+services:
+  minio:
+   ...
+    environment:
+    - MINIO_ROOT_USER=<Set minio root username>
+    - MINIO_ROOT_PASSWORD=<Set minio root password>
+```
+
+### Step 3: Expose MinIO instance
+
+#### Option 1: Internal network
+
+You may not need to expose your MinIO instance to the public if only services hosted on the same private network need to access to your MinIO instance.
+
+You should create a docker network that will be shared between those services
+
+```bash
+docker network create storage-tier
+```
+
+#### Option 2: Public network
+
+If you want to expose your MinIO instance to the public, it needs to be exposed on a domain with SSL termination. You can use our [example](../nginx-proxy/README.md) with an nginx proxy and Let's Encrypt companion for automated creation/renewal of Let's Encrypt certificates using [acme.sh](http://acme.sh).
+
+If following our example, uncomment the environment and network sections in compose file and update it with your values.
+
+```yaml
+version: '3'
+services:
+   docs:
+   ...
+  minio:
+   ...
+    environment:
+   ...
+    # - VIRTUAL_HOST=storage.yourdomain.tld # used by nginx proxy 
+    # - VIRTUAL_PORT=9000 # used by nginx proxy
+    # - LETSENCRYPT_HOST=storage.yourdomain.tld # used by lets encrypt to generate TLS certificate
+   ...
+# Uncomment if using our nginx proxy example
+#    networks:
+#    - proxy-tier
+#    - default
+
+# Uncomment if using our nginx proxy example
+#networks:
+#  proxy-tier:
+#    external: true
+```
+
+In this example we are only exposing MinIO API service. Follow the official documentation to configure Minio WebUI.
+
+### Step 4: Start the service
+
+```bash
+`docker compose up -d`
+```
+
+Your minio instance is now available on https://storage.yourdomain.tld
+
+## Creating a user and bucket for your Docs instance
+
+### Installing mc
+
+Follow the [official documentation](https://min.io/docs/minio/linux/reference/minio-mc.html#install-mc) to install mc
+
+### Step 1: Configure `mc` to connect to your MinIO Server with your root user
+
+```shellscript
+mc alias set minio <MINIO_SERVER_URL> <MINIO_ROOT_USER> <MINIO_ROOT_PASSWORD>
+```
+
+Replace the values with those you have set in the previous steps
+
+### Step 2: Create a new bucket with versioning enabled
+
+```shellscript
+mc mb --with-versioning minio/<your-bucket-name>
+```
+
+Replace `your-bucket-name` with the desired name for your bucket e.g. `docs-media-storage`
+
+### Additional notes:
+
+For increased security you should create a dedicated user with `readwrite` access to the Bucket. In the following example we will use MinIO root user.