Build docker image in gitlab, add docs for turn key docker setup

.editorconfig

@@ -22,3 +22,7 @@ indent_style = tab
 
 [*.bat]
 indent_style = tab
+
+[{Dockerfile,*.dockerfile}]
+indent_style = space
+indent_size = 4

.gitlab-ci.yml

@@ -1,8 +1,15 @@
+.only-default: &only-default
+  only:
+    - master
+    - branches
+    - merge_requests
+
 stages:
 - pre-commit
 - gitlab
 - test
 - deploy
+- docker
 
 include:
 - template: Dependency-Scanning.gitlab-ci.yml
@@ -15,6 +22,7 @@ before_script:
   - pip install wheel tox
 
 pre-commit-check:
+  <<: *only-default
   stage: pre-commit
   image: python:3.6-buster
   variables:
@@ -39,6 +47,7 @@ dependency_scanning:
   - pip install wheel tox
 
 test-3.7-core:
+  <<: *only-default
   image: python:3.7-bullseye
   script:
   - tox -e py37-core
@@ -48,6 +57,7 @@ test-3.7-core:
       cobertura: coverage.xml
 
 test-3.8-core:
+  <<: *only-default
   image: python:3.8-bullseye
   script:
   - tox -e py38-core
@@ -57,6 +67,7 @@ test-3.8-core:
       cobertura: coverage.xml
 
 test-3.9-core:
+  <<: *only-default
   image: python:3.9-bullseye
   script:
   - tox -e py39-core
@@ -66,6 +77,7 @@ test-3.9-core:
       cobertura: coverage.xml
 
 test-3.10-core:
+  <<: *only-default
   image: python:3.10-bullseye
   script:
   - tox -e py310-core
@@ -75,6 +87,7 @@ test-3.10-core:
       cobertura: coverage.xml
 
 test-3.7-all:
+  <<: *only-default
   image: python:3.7-bullseye
   script:
   - tox -e py37-all
@@ -84,6 +97,7 @@ test-3.7-all:
       cobertura: coverage.xml
 
 test-3.8-all:
+  <<: *only-default
   image: python:3.8-bullseye
   script:
   - tox -e py38-all
@@ -93,6 +107,7 @@ test-3.8-all:
       cobertura: coverage.xml
 
 test-3.9-all:
+  <<: *only-default
   image: python:3.9-bullseye
   script:
   - tox -e py39-all
@@ -102,6 +117,7 @@ test-3.9-all:
       cobertura: coverage.xml
 
 test-3.10-all:
+  <<: *only-default
   image: python:3.10-bullseye
   script:
   - tox -e py310-all
@@ -123,3 +139,65 @@ deploy_production:
 
   rules:
     - if: $CI_COMMIT_TAG
+
+build-image:
+  before_script: []
+  image: docker:20.10.10
+  stage: docker
+  services:
+    - docker:20.10.10-dind
+  script: |
+    CURRENT_DATE=$(echo $CI_COMMIT_TIMESTAMP | head -c 10 | tr -d -)
+    IMAGE_TAG=$CI_REGISTRY_IMAGE/auth:$CURRENT_DATE-$CI_COMMIT_SHORT_SHA
+    CURRENT_TAG=$CI_REGISTRY_IMAGE/auth:$CI_COMMIT_TAG
+    MINOR_TAG=$CI_REGISTRY_IMAGE/auth:$(echo $CI_COMMIT_TAG | cut -d '.' -f 1-2)
+    MAJOR_TAG=$CI_REGISTRY_IMAGE/auth:$(echo $CI_COMMIT_TAG | cut -d '.' -f 1)
+    LATEST_TAG=$CI_REGISTRY_IMAGE/auth:latest
+
+    docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+    docker build . -t $IMAGE_TAG -f docker/Dockerfile --build-arg AUTH_VERSION=$(echo $CI_COMMIT_TAG | cut -c 2-)
+    docker tag $IMAGE_TAG $CURRENT_TAG
+    docker tag $IMAGE_TAG $MINOR_TAG
+    docker tag $IMAGE_TAG $MAJOR_TAG
+    docker tag $IMAGE_TAG $LATEST_TAG
+    docker image push --all-tags $CI_REGISTRY_IMAGE/auth
+  rules:
+    - if: $CI_COMMIT_TAG
+
+build-image-dev:
+  before_script: []
+  image: docker:20.10.10
+  stage: docker
+  services:
+    - docker:20.10.10-dind
+  script: |
+    CURRENT_DATE=$(echo $CI_COMMIT_TIMESTAMP | head -c 10 | tr -d -)
+    IMAGE_TAG=$CI_REGISTRY_IMAGE/auth:$CURRENT_DATE-$CI_COMMIT_BRANCH-$CI_COMMIT_SHORT_SHA
+
+    docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+    docker build . -t $IMAGE_TAG -f docker/Dockerfile --build-arg AUTH_PACKAGE=git+https://gitlab.com/allianceauth/allianceauth@$CI_COMMIT_BRANCH
+    docker push $IMAGE_TAG
+  rules:
+    - if: '$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME == ""'
+      when: manual
+    - if: '$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME != ""'
+      when: never
+
+build-image-mr:
+  before_script: []
+  image: docker:20.10.10
+  stage: docker
+  services:
+    - docker:20.10.10-dind
+  script: |
+    CURRENT_DATE=$(echo $CI_COMMIT_TIMESTAMP | head -c 10 | tr -d -)
+    IMAGE_TAG=$CI_REGISTRY_IMAGE/auth:$CURRENT_DATE-$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME-$CI_COMMIT_SHORT_SHA
+
+    docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+    docker build . -t $IMAGE_TAG -f docker/Dockerfile --build-arg AUTH_PACKAGE=git+$CI_MERGE_REQUEST_SOURCE_PROJECT_URL@$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME
+    docker push $IMAGE_TAG
+  rules:
+    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
+      when: manual
+    - if: '$CI_PIPELINE_SOURCE != "merge_request_event"'
+      when: never

docker/.env.example

@@ -0,0 +1,32 @@
+PROTOCOL=https://
+AUTH_SUBDOMAIN=%AUTH_SUBDOMAIN%
+DOMAIN=%DOMAIN%
+AA_DOCKER_TAG=registry.gitlab.com/allianceauth/allianceauth/auth:v2.9
+
+# Nginx Proxy Manager
+PROXY_HTTP_PORT=80
+PROXY_HTTPS_PORT=443
+PROXY_DASH_PORT=81
+PROXY_MYSQL_PASS=%PROXY_MYSQL_PASS%
+PROXY_MYSQL_PASS_ROOT=%PROXY_MYSQL_PASS_ROOT%
+
+# grafana
+GRAFANA_DB_PASSWORD=%GRAFANA_DB_PASSWORD%
+
+# Alliance Auth Environment Config
+AA_SITENAME=%AA_SITENAME%
+AA_SECRET_KEY=%AA_SECRET_KEY%
+AA_DB_HOST=auth_mysql
+AA_DB_NAME=alliance_auth
+AA_DB_USER=aauth
+AA_DB_PASSWORD=%AA_DB_PASSWORD%
+AA_DB_ROOT_PASSWORD=%AA_DB_ROOT_PASSWORD%
+AA_EMAIL_HOST=''
+AA_EMAIL_PORT=587
+AA_EMAIL_HOST_USER=''
+AA_EMAIL_HOST_PASSWORD=''
+AA_EMAIL_USE_TLS=True
+AA_DEFAULT_FROM_EMAIL=''
+ESI_SSO_CLIENT_ID=%ESI_SSO_CLIENT_ID%
+ESI_SSO_CLIENT_SECRET=%ESI_SSO_CLIENT_SECRET%
+ESI_USER_CONTACT_EMAIL=%ESI_USER_CONTACT_EMAIL%

docker/.gitignore

@@ -0,0 +1,2 @@
+.env
+setup.sql

docker/Dockerfile

@@ -0,0 +1,49 @@
+FROM python:3.9-slim
+ARG AUTH_VERSION=2.9.0
+ARG AUTH_PACKAGE=allianceauth==${AUTH_VERSION}
+ENV VIRTUAL_ENV=/opt/venv
+ENV AUTH_USER=allianceauth
+ENV AUTH_GROUP=allianceauth
+ENV AUTH_USERGROUP=${AUTH_USER}:${AUTH_GROUP}
+ENV STATIC_BASE=/var/www
+ENV AUTH_HOME=/home/allianceauth
+
+# Setup user and directory permissions
+SHELL ["/bin/bash", "-c"]
+RUN groupadd -g 61000 ${AUTH_GROUP}
+RUN useradd -g 61000 -l -M -s /bin/false -u 61000 ${AUTH_USER}
+RUN mkdir -p ${VIRTUAL_ENV} \
+    && chown ${AUTH_USERGROUP} ${VIRTUAL_ENV} \
+    && mkdir -p ${STATIC_BASE} \
+    && chown ${AUTH_USERGROUP} ${STATIC_BASE} \
+    && mkdir -p ${AUTH_HOME} \
+    && chown ${AUTH_USERGROUP} ${AUTH_HOME}
+
+# Install build dependencies
+RUN apt-get update && apt-get upgrade -y && apt-get install -y \
+    libmariadb-dev gcc supervisor git htop
+
+# Switch to non-root user
+USER ${AUTH_USER}
+RUN python3 -m venv $VIRTUAL_ENV
+ENV PATH="$VIRTUAL_ENV/bin:$PATH"
+WORKDIR ${AUTH_HOME}
+
+# Install python dependencies
+RUN pip install --upgrade pip
+RUN pip install wheel gunicorn
+RUN pip install ${AUTH_PACKAGE}
+
+# Initialize auth
+RUN allianceauth start myauth
+COPY /allianceauth/project_template/project_name/settings/local.py ${AUTH_HOME}/myauth/myauth/settings/local.py
+RUN allianceauth update myauth
+RUN mkdir -p ${STATIC_BASE}/myauth/static
+RUN python ${AUTH_HOME}/myauth/manage.py collectstatic --noinput
+COPY /docker/conf/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
+RUN echo 'alias auth="python $AUTH_HOME/myauth/manage.py"' >> ~/.bashrc && \
+    echo 'alias supervisord="supervisord -c /etc/supervisor/conf.d/supervisord.conf"' >> ~/.bashrc && \
+    source ~/.bashrc
+
+EXPOSE 8000
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]

docker/README.md

@@ -0,0 +1,69 @@
+# Alliance Auth -- Docker
+
+## Prerequesites
+You should have the following available on the system you are using to set this up:
+* Docker - https://docs.docker.com/get-docker/
+* git
+* curl
+
+## Setup Guide
+
+1. run `bash <(curl -s https://gitlab.com/allianceauth/allianceauth/-/raw/v2.9.x/docker/scripts/download.sh)`. This will download all the files you need to install auth and place them in a directory named `aa-docker`. Feel free to rename/move this folder.
+1. run `./scripts/prepare-env.sh` to set up your environment
+1. (optional) Change `PROTOCOL` to `http://` if not using SSL in `.env`
+1. run `docker-compose --env-file=.env up -d` (NOTE: if this command hangs, follow the instructions [here](https://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged))
+1. run `docker-compose exec allianceauth bash` to open up a terminal inside your auth container
+1. run `auth migrate`
+1. run `auth collectstatic`
+1. run `auth createsuperuser`
+1. visit http://yourdomain:81 to set up nginx proxy manager (NOTE: if this doesn't work, the machine likely has a firewall. You'll want to open up ports 80,443, and 81. [Instructions for ufw](https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands))
+1. login with user `admin@example.com` and password `changeme`, then update your password as requested
+1. click on "Proxy Hosts"
+1. click "Add Proxy Host", with the following settings for auth. The example uses `auth.localhost` for the domain, but you'll want to use whatever address you have auth configured on
+  ![](./docs/images/nginx-host.png)
+1. click "Add Proxy Host", with the following settings for grafana. The example uses `grafana.localhost` for the domain
+  ![](./docs/images/grafana-host.png)
+
+Congrats! You should now see auth running at http://auth.yourdomain and grafana at http://grafana.yourdomain!
+
+## SSL Guide
+Unless you're running auth locally in docker for testing, you should be using SSL.
+Thankfully, setting up SSL in nginx Proxy Manager takes about three clicks.
+1. Edit your existing proxy host, and go to the SSL tab. Select "Request a new SSL Certificate" from the drop down.
+1. Now, enable "Force SSL" and "HTTP/2 Support". (NOTE: Do not enable HSTS unless you know what you're doing. This will force your domains to only work with SSL enabled, and is cached extremely hard in browsers. )
+  ![](./docs/images/proxy-manager-ssl.png)
+1. (optional) select "Use a DNS Challenge". This is not a required option, but it is recommended if you use a supported DNS provider. You'll then be asked for an API key for the provider you choose. If you use Cloudflare, you'll probably have issues getting SSL certs unless you use a DNS Challenge.
+1. The email address here will be used to notify you if there are issues renewing your certificates.
+1. Repeat for any other services, like grafana.
+
+That's it! You should now be able to access your auth install at https://auth.yourdomain
+
+## Adding extra packages
+There are a handful of ways to add packages:
+* Running `pip install` in the container
+* Modifying the container's initial command to install packages
+* Building a custom Docker image (recommended, and less scary than it sounds!)
+
+### Using a custom docker image
+Using a custom docker image is the preferred approach, as it gives you the stability of packages only changing when you tell them to, along with packages not having to be downloaded every time your container restarts
+
+1. Add each additional package that you want to install to a single line in `conf/requirements.txt`. It is recommended, but not required, that you include a version number as well. This will keep your packages from magically updating. You can lookup packages on https://package.wiki, and copy everything after `pip install` from the top of the page to use the most recent version. It should look something like `allianceauth-signal-pings==0.0.7`. Every entry in this file should be on a separate line
+1. In `docker-compose.yml`, comment out the `image` line under `allianceauth` (line 36... ish) and uncomment the `build` section
+1. Now run `docker-compose --env-file=.env up -d`, your custom container will be built, and auth will have your new packages. Make sure to follow the package's instructions on config values that go in `local.py`
+
+_NOTE: It is recommended that you put any secret values (API keys, database credentials, etc) in an environment variable instead of hardcoding them into `local.py`. This gives you the ability to track your config in git without committing passwords. To do this, just add it to your `.env` file, and then reference in `local.py` with `os.environ.get("SECRET_NAME")`_
+
+## Updating Auth
+
+### Base Image
+Whether you're using a custom image or not, the version of auth is dictated by $AA_DOCKER_TAG in your `.env` file.
+1. To update to a new version of auth, update the version number at the end (or replace the whole value with the tag in the release notes).
+1. Next, run `docker-compose pull`
+1. Finally, run `docker-compose --env-file=.env up -d`
+
+_NOTE: If you specify a version of allianceauth in your `requirements.txt` in a custom image it will override the version from the base image. Not recommended unless you know what you're doing_
+
+### Custom Packages
+1. Update the versions in your `requirements.txt` file
+1. Run `docker-compose build`
+1. Run `docker-compose --env-file=.env up -d`

docker/conf/local.py

@@ -0,0 +1,81 @@
+# Every setting in base.py can be overloaded by redefining it here.
+from .base import *
+
+SECRET_KEY = os.environ.get("AA_SECRET_KEY")
+SITE_NAME = os.environ.get("AA_SITENAME")
+DEBUG = os.environ.get("AA_DEBUG", False)
+DATABASES['default'] = {
+    'ENGINE': 'django.db.backends.mysql',
+    'NAME': os.environ.get("AA_DB_NAME"),
+    'USER': os.environ.get("AA_DB_USER"),
+    'PASSWORD': os.environ.get("AA_DB_PASSWORD"),
+    'HOST': os.environ.get("AA_DB_HOST"),
+    'PORT': os.environ.get("AA_DB_PORT", "3306"),
+}
+
+# Register an application at https://developers.eveonline.com for Authentication
+# & API Access and fill out these settings. Be sure to set the callback URL
+# to https://example.com/sso/callback substituting your domain for example.com
+# Logging in to auth requires the publicData scope (can be overridden through the
+# LOGIN_TOKEN_SCOPES setting). Other apps may require more (see their docs).
+
+ESI_SSO_CLIENT_ID = os.environ.get("ESI_SSO_CLIENT_ID")
+ESI_SSO_CLIENT_SECRET = os.environ.get("ESI_SSO_CLIENT_SECRET")
+ESI_SSO_CALLBACK_URL = (f"{os.environ.get('PROTOCOL')}"
+                        f"{os.environ.get('AUTH_SUBDOMAIN')}."
+                        f"{os.environ.get('DOMAIN')}/sso/callback")
+ESI_USER_CONTACT_EMAIL = os.environ.get("ESI_USER_CONTACT_EMAIL")    # A server maintainer that CCP can contact in case of issues.
+
+# By default emails are validated before new users can log in.
+# It's recommended to use a free service like SparkPost or Elastic Email to send email.
+# https://www.sparkpost.com/docs/integrations/django/
+# https://elasticemail.com/resources/settings/smtp-api/
+# Set the default from email to something like 'noreply@example.com'
+# Email validation can be turned off by uncommenting the line below. This can break some services.
+REGISTRATION_VERIFY_EMAIL = False
+EMAIL_HOST = os.environ.get("AA_EMAIL_HOST", "")
+EMAIL_PORT = os.environ.get("AA_EMAIL_PORT", 587)
+EMAIL_HOST_USER = os.environ.get("AA_EMAIL_HOST_USER", "")
+EMAIL_HOST_PASSWORD = os.environ.get("AA_EMAIL_HOST_PASSWORD", "")
+EMAIL_USE_TLS = os.environ.get("AA_EMAIL_USE_TLS", True)
+DEFAULT_FROM_EMAIL = os.environ.get("AA_DEFAULT_FROM_EMAIL", "")
+
+ROOT_URLCONF = 'myauth.urls'
+WSGI_APPLICATION = 'myauth.wsgi.application'
+STATIC_ROOT = "/var/www/myauth/static/"
+BROKER_URL = F"redis://{os.environ.get('AA_REDIS', 'redis:6379')}/0"
+CELERY_RESULT_BACKEND = F"redis://{os.environ.get('AA_REDIS', 'redis:6379')}/0"
+CACHES = {
+    "default": {
+        "BACKEND": "redis_cache.RedisCache",
+        "LOCATION": os.environ.get('AA_REDIS', 'redis:6379'),
+        "OPTIONS": {
+            "DB": 1,
+        }
+    }
+}
+
+# Add any additional apps to this list.
+INSTALLED_APPS += [
+# https://allianceauth.readthedocs.io/en/latest/features/apps/index.html
+# 'allianceauth.corputils',
+# 'allianceauth.fleetactivitytracking',
+# 'allianceauth.optimer',
+# 'allianceauth.permissions_tool',
+# 'allianceauth.srp',
+# 'allianceauth.timerboard',
+
+# https://allianceauth.readthedocs.io/en/latest/features/services/index.html
+# 'allianceauth.services.modules.discord',
+# 'allianceauth.services.modules.discourse',
+# 'allianceauth.services.modules.ips4',
+# 'allianceauth.services.modules.openfire',
+# 'allianceauth.services.modules.phpbb3',
+# 'allianceauth.services.modules.smf',
+# 'allianceauth.services.modules.teamspeak3',
+# 'allianceauth.services.modules.xenforo',
+]
+
+#######################################
+# Add any custom settings below here. #
+#######################################

docker/conf/nginx.conf

@@ -0,0 +1,20 @@
+server {
+    listen 80;
+    location = /favicon.ico { access_log off; log_not_found off; }
+    location /static {
+        alias /var/www/myauth/static;
+        autoindex off;
+    }
+
+    location /robots.txt {
+        alias /var/www/myauth/static/robots.txt;
+    }
+
+    location / {
+        proxy_pass http://allianceauth:8000;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $host;
+        proxy_set_header  X-Real-IP   $remote_addr;
+        proxy_redirect off;
+    }
+}

docker/conf/supervisord.conf

@@ -0,0 +1,56 @@
+[supervisord]
+nodaemon=true
+user=allianceauth
+
+[program:beat]
+command=/opt/venv/bin/celery -A myauth beat
+directory=/home/allianceauth/myauth
+user=allianceauth
+stdout_logfile=/dev/stdout
+stderr_logfile=/dev/stderr
+stdout_logfile_maxbytes=0
+stderr_logfile_maxbytes=0
+autostart=true
+autorestart=true
+startsecs=10
+priority=998
+stdout_events_enabled=true
+stderr_events_enabled=true
+
+[program:worker]
+command=/opt/venv/bin/celery -A myauth worker -l INFO --max-tasks-per-child=250
+directory=/home/allianceauth/myauth
+user=allianceauth
+stdout_logfile=/dev/stdout
+stderr_logfile=/dev/stderr
+stdout_logfile_maxbytes=0
+stderr_logfile_maxbytes=0
+numprocs=1
+autostart=true
+autorestart=true
+startsecs=10
+stopwaitsecs = 600
+killasgroup=true
+priority=998
+stdout_events_enabled=true
+stderr_events_enabled=true
+
+[program:gunicorn]
+user=allianceauth
+directory=/home/allianceauth/myauth
+command=/opt/venv/bin/gunicorn myauth.wsgi --bind :8000 --workers=3 --timeout 120
+stdout_logfile=/dev/stdout
+stderr_logfile=/dev/stderr
+stdout_logfile_maxbytes=0
+stderr_logfile_maxbytes=0
+stdout_events_enabled=true
+stderr_events_enabled=true
+autostart=true
+autorestart=true
+stopsignal=INT
+
+[group:myauth]
+programs=beat,worker,gunicorn
+priority=999
+
+[supervisorctl]

docker/custom.dockerfile

@@ -0,0 +1,8 @@
+ARG AA_DOCKER_TAG
+FROM $AA_DOCKER_TAG
+
+RUN cd /home/allianceauth
+COPY /conf/requirements.txt requirements.txt
+RUN pip install -r requirements.txt
+RUN python $AUTH_HOME/myauth/manage.py collectstatic --noinput
+RUN allianceauth update myauth

docker/docker-compose.yml

@@ -0,0 +1,96 @@
+version: '3.8'
+
+services:
+  auth_mysql:
+    image: mysql:8.0
+    command: [mysqld, --character-set-server=utf8mb4, --collation-server=utf8mb4_unicode_ci, --default-authentication-plugin=mysql_native_password]
+    volumes:
+      - ./mysql-data:/var/lib/mysql
+      - ./setup.sql:/docker-entrypoint-initdb.d/setup.sql
+    environment:
+      - MYSQL_ROOT_PASSWORD=${AA_DB_ROOT_PASSWORD?err}
+    healthcheck:
+      test: ["CMD", "mysqladmin", "-uroot", "-proot", "-h", "localhost", "ping"]
+      interval: 5s
+      timeout: 10s
+      retries: 3
+    restart: unless-stopped
+
+  nginx:
+    image: nginx:1.21
+    restart: always
+    volumes:
+      - ./conf/nginx.conf:/etc/nginx/conf.d/default.conf
+      - static-volume:/var/www/myauth/static
+    depends_on:
+      - allianceauth
+
+  redis:
+    image: redis:6.2
+    command: redis-server
+    restart: always
+    volumes:
+      - "redis-data:/data"
+
+  allianceauth:
+    image: ${AA_DOCKER_TAG?err}
+    # build:
+    #   context: .
+    #   dockerfile: custom.dockerfile
+    #   args:
+    #     AA_DOCKER_TAG: ${AA_DOCKER_TAG?err}
+    restart: always
+    env_file:
+      - ./.env
+    volumes:
+      - ./conf/local.py:/home/allianceauth/myauth/myauth/settings/local.py
+      - ./templates:/home/allianceauth/myauth/myauth/templates/
+      - ./conf/supervisord.conf:/etc/supervisor/conf.d/supervisord.conf
+      - static-volume:/var/www/myauth/static
+    depends_on:
+      - redis
+      - auth_mysql
+
+  grafana:
+    image: grafana/grafana:8.2
+    restart: always
+    depends_on:
+      - auth_mysql
+    volumes:
+      - grafana-data:/var/lib/grafana
+  proxy:
+    image: 'jc21/nginx-proxy-manager:latest'
+    restart: always
+    ports:
+      - '${PROXY_HTTP_PORT:-80}:80'
+      - '${PROXY_DASH_PORT:-81}:81'
+      - '${PROXY_HTTPS_PORT:-443}:443'
+    environment:
+      DB_MYSQL_HOST: "proxy-db"
+      DB_MYSQL_PORT: 3306
+      DB_MYSQL_USER: "npm"
+      DB_MYSQL_PASSWORD: "${PROXY_MYSQL_PASS?err}"
+      DB_MYSQL_NAME: "npm"
+    volumes:
+      - proxy-data:/data
+      - proxy-le:/etc/letsencrypt
+  proxy-db:
+    image: 'jc21/mariadb-aria:latest'
+    restart: always
+    environment:
+      MYSQL_ROOT_PASSWORD: "${PROXY_MYSQL_PASS_ROOT?err}"
+      MYSQL_DATABASE: 'npm'
+      MYSQL_USER: 'npm'
+      MYSQL_PASSWORD: "${PROXY_MYSQL_PASS?err}"
+    ports:
+      - 3306
+    volumes:
+      - proxy-db:/var/lib/mysql
+
+volumes:
+    redis-data:
+    static-volume:
+    grafana-data:
+    proxy-data:
+    proxy-le:
+    proxy-db:

docker/scripts/download.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+git clone -b build-docker-image https://gitlab.com/allianceauth/allianceauth.git aa-git
+cp -R aa-git/docker ./aa-docker
+rm -rf aa-git

docker/scripts/prepare-env.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+set -e
+FILE=./.env
+if test -f "$FILE"; then
+    echo "$FILE exists. If you wish to recreate your auth environment variables (which will break everything), delete the .env file."
+    exit;
+fi
+cp .env.example .env
+
+# Autogenerate 24 character hexadecimal strings for all passwords + secret key
+sed -i.bak 's/%PROXY_MYSQL_PASS%/'"$(openssl rand -hex 24)"'/g' .env
+sed -i.bak 's/%PROXY_MYSQL_PASS_ROOT%/'"$(openssl rand -hex 24)"'/g' .env
+sed -i.bak 's/%GRAFANA_DB_PASSWORD%/'"$(openssl rand -hex 24)"'/g' .env
+sed -i.bak 's/%AA_SECRET_KEY%/'"$(openssl rand -hex 24)"'/g' .env
+sed -i.bak 's/%AA_DB_PASSWORD%/'"$(openssl rand -hex 24)"'/g' .env
+sed -i.bak 's/%AA_DB_ROOT_PASSWORD%/'"$(openssl rand -hex 24)"'/g' .env
+
+#Prompts to collect user information
+IFS= read -p "Enter the display name for your auth instance: " sitename
+sed -i.bak 's/%AA_SITENAME%/'\""${sitename}"\"'/g' .env
+
+read -p "Enter the base domain: " domain
+sed -i.bak 's/%DOMAIN%/'${domain}'/g' .env
+
+read -p "Enter the subdomain for auth: " subdomain
+sed -i.bak 's/%AUTH_SUBDOMAIN%/'${subdomain}'/g' .env
+
+read -p "Enter an email address. This is requested by CCP if there are any issues with your ESI application, and is not used in any other way by AllianceAuth: " email
+sed -i.bak 's/%ESI_USER_CONTACT_EMAIL%/'${email}'/g' .env
+
+echo "Visit https://developers.eveonline.com/ and create an application with the callback url https://${subdomain}.${domain}/sso/callback"
+
+read -p "Enter ESI Client ID: " clientid
+sed -i.bak 's/%ESI_SSO_CLIENT_ID%/'${clientid}'/g' .env
+
+read -p "Enter ESI Client Secret: " clientsecret
+sed -i.bak 's/%ESI_SSO_CLIENT_SECRET%/'${clientsecret}'/g' .env
+
+source ./.env
+cp setup.base.sql setup.sql
+
+# Create init SQL file for auth database with users
+sed -i.bak 's/authpass/'"$AA_DB_PASSWORD"'/g' setup.sql
+sed -i.bak 's/grafanapass/'"$GRAFANA_DB_PASSWORD"'/g' setup.sql
+rm *.bak
+rm .env.bak

docker/setup.base.sql

@@ -0,0 +1,7 @@
+CREATE USER 'aauth'@'%' IDENTIFIED BY 'authpass';
+CREATE USER 'grafana'@'%' IDENTIFIED BY 'grafanapass';
+CREATE DATABASE alliance_auth CHARACTER SET utf8mb4;
+GRANT ALL PRIVILEGES ON alliance_auth.* TO 'aauth'@'%';
+GRANT
+SELECT,
+    SHOW VIEW ON alliance_auth.* TO 'grafana'@'%';