@lislis
Created February 23, 2022 15:21
Workadventure self host notes

This guide is based on https://wiki.techinc.nl/Work-Adventure/install

I recommend reading it first to know what I'm updating here.

The changes are mainly in the docker-compose.yaml and .env files, because WorkAdventure itself has made some architectural changes since their guide was written (e.g. maps is now called icon).

Basically follow the techinc.nl guide but use these files instead!

Things from the techinc.nl guide you definitely still need to do:

  • fill in your domain and contact email in both .env files
  • generate an admin password for the traefik admin page
  • manually create the external docker network called web
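
The three steps above as an added shell sketch (not part of the original notes or the techinc.nl guide). It assumes `htpasswd` and `openssl` are installed; the helper names are made up for this example, and treating `SECRET_KEY` and `ADMIN_API_TOKEN` as values that must not stay empty is an assumption.

```sh
#!/bin/sh
# Added example; helper names are hypothetical.

# docker-compose interpolates "$" inside labels, so every "$" in an
# htpasswd hash has to be written as "$$" in docker-compose.yaml.
escape_for_compose() {
    printf '%s\n' "$1" | sed 's/\$/$$/g'
}

# usage: unfilled_keys ENV_FILE KEY...
# Prints each KEY that is missing, empty or still the yourdomain.tld placeholder.
unfilled_keys() {
    env_file=$1; shift
    for key in "$@"; do
        value=$(sed -n "s/^${key}=//p" "$env_file" | tail -n 1)
        case $value in
            ''|*yourdomain.tld*) printf '%s\n' "$key" ;;
        esac
    done
}

# Run by hand on the host (not executed here):
#   docker network create web
#   escape_for_compose "$(htpasswd -nB admin)"   # paste after basicauth.users=
#   openssl rand -hex 32                         # once per secret
#   unfilled_keys /opt/traefik-infra/.env DOMAIN ACME_EMAIL
#   unfilled_keys /opt/workadventure/.env DOMAIN ACME_EMAIL SECRET_KEY ADMIN_API_TOKEN

# Constructed sample input so the helpers can be tried offline.
sample=$(mktemp)
cat > "$sample" <<'EOF'
SECRET_KEY=
ADMIN_API_TOKEN=0123456789abcdef
DOMAIN=yourdomain.tld
ACME_EMAIL=ops@example.org
EOF
unfilled_keys "$sample" DOMAIN ACME_EMAIL SECRET_KEY ADMIN_API_TOKEN
escape_for_compose 'admin:$2y$05$constructedhashvalue'
rm -f "$sample"
```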

Good luck!

Time of writing is 2022-02-23.

# /opt/traefik-infra/docker-compose.yaml
version: '3'
services:
  reverse-proxy:
    image: traefik:v2.3
    command:
      - --log.level=WARN
      #- --api.insecure=true
      - --api.dashboard=true
      - --providers.docker.network=web
      - --providers.docker
      - --entryPoints.web.address=:80
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - --entryPoints.websecure.address=:443
      - --entryPoints.video.address=:10000/udp
      - --certificatesresolvers.le.acme.email=${ACME_EMAIL}
      - --certificatesresolvers.le.acme.storage=/etc/traefik/acme/acme.json
      # used during the challenge
      - --certificatesresolvers.le.acme.httpchallenge.entrypoint=web
    ports:
      - "80:80"
      - "443:443"
      # The Web UI; only served on this port when --api.insecure=true is set
      # (it is commented out above)
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - "${CERT_LOCATION}:/etc/traefik/acme"
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.traefik.loadbalancer.server.port=888"
      - "traefik.http.routers.traefik.rule=Host(`admin.${DOMAIN}`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls.certresolver=le"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.middlewares=traefik-auth"
      # You should modify the line below to set a password for your Traefik dashboard:
      # uncomment it and append the htpasswd hash, writing every "$" in the hash as "$$"
      #- "traefik.http.middlewares.traefik-auth.basicauth.users=admin:"
    networks:
      web:
      meet.jitsi:
  # Still working on a useful COTURN setup. Included for later use.
  # coturn:
  #   image: coturn/coturn:4.5.2
  #   command:
  #     - turnserver
  #     - --log-file=stdout
  #     - --external-ip=$$(detect-external-ip)
  #     - --listening-port=3478
  #     - --min-port=10000
  #     - --max-port=10010
  #     - --tls-listening-port=5349
  #     - --listening-ip=0.0.0.0
  #     - --realm=coturn.${DOMAIN}
  #     - --server-name=coturn.${DOMAIN}
  #     - --lt-cred-mech
  #     # Enable Coturn "REST API" to validate temporary passwords.
  #     # - --use-auth-secret
  #     # - --static-auth-secret=SomeStaticAuthSecret
  #     # - --userdb=/var/lib/turn/turndb
  #     - --user=workadventure:WorkAdventure123
  #     # use real-valid certificate/privatekey files
  #     # - --cert=/root/letsencrypt/fullchain.pem
  #     # - --pkey=/root/letsencrypt/privkey.pem
  #   network_mode: host
networks:
  meet.jitsi:
  web:
    external: true

# /opt/traefik-infra/.env
# same as in the techinc.nl guide
DOMAIN=yourdomain.tld
# These are not used yet
TURN_SERVER=
TURN_USER=
TURN_PASSWORD=
# The email address used by Let's Encrypt to send renewal warnings (compulsory)
ACME_EMAIL=yourmail@yourdomain.tld
# The directory on your OS that Traefik will store all ACME-produced certs in
CERT_LOCATION=/etc/traefik/acme

# /opt/workadventure/.env
# Security
#
SECRET_KEY=
ADMIN_API_TOKEN=
#
# Networking
#
# The base domain
DOMAIN=yourdomain.tld
# Subdomains
# MUST match the DOMAIN variable above
FRONT_HOST=play.yourdomain.tld
PUSHER_HOST=pusher.yourdomain.tld
BACK_HOST=api.yourdomain.tld
MAPS_HOST=maps.yourdomain.tld
ICON_HOST=icon.yourdomain.tld
# SAAS admin panel
ADMIN_API_URL=
#
# Basic configuration
#
# The directory to store data in
DATA_DIR=./wa
# The URL used by default, in the form: "/_/global/map/url.json"
START_ROOM_URL=/_/global/yourmaphost.tld/main.json
# If you want to have a contact page in your menu,
# you MUST set CONTACT_URL to the URL of the page that you want
CONTACT_URL=yourcontact@yourdomain.tld
MAX_PER_GROUP=6
MAX_USERNAME_LENGTH=8
DISABLE_ANONYMOUS=false
# The version of the docker image to use
# MUST uncomment "image" keys in the docker-compose file for it to be effective
VERSION=master
TZ=Europe/Paris
#
# Jitsi
#
JITSI_URL=jitsi.yourdomain.tld
# If your Jitsi environment has authentication set up,
# you MUST set JITSI_PRIVATE_MODE to "true"
# and you MUST pass a SECRET_JITSI_KEY to generate the JWT secret
JITSI_PRIVATE_MODE=false
JITSI_ISS=
SECRET_JITSI_KEY=
#
# Turn/Stun
#
# URL of the TURN server (needed to "punch a hole" through some networks for P2P connections)
TURN_SERVER=
TURN_USER=
TURN_PASSWORD=
# If your Turn server is configured to use the Turn REST API, you MUST put the shared auth secret here.
# If you are using Coturn, this is the value of the "static-auth-secret" parameter in your coturn config file.
# Keep empty if you are sharing hard coded / clear text credentials.
TURN_STATIC_AUTH_SECRET=
# URL of the STUN server
STUN_SERVER=
#
# Certificate config
#
# The email address used by Let's Encrypt to send renewal warnings (compulsory)
ACME_EMAIL=contact@yourdomain.tld
#
# Additional app configs
# Configuration for apps which are not workadventure itself
#
# openID
#OPID_CLIENT_ID=
#OPID_CLIENT_SECRET=
#OPID_CLIENT_ISSUER=
#OPID_CLIENT_REDIRECT_URL=
#OPID_LOGIN_SCREEN_PROVIDER=http://pusher.workadventure.localhost/login-screen
#OPID_PROFILE_SCREEN_PROVIDER=
#
# Advanced configuration
# Generally does not need to be changed
#
# Networking
HTTP_PORT=80
HTTPS_PORT=443
# Workadventure settings
DISABLE_NOTIFICATIONS=false
SKIP_RENDER_OPTIMIZATIONS=false
STORE_VARIABLES_FOR_LOCAL_MAPS=true
# Debugging options
DEBUG_MODE=false
LOG_LEVEL=WARNING
# Internal URLs
API_URL=back:50051
RESTART_POLICY=unless-stopped

# /opt/workadventure/docker-compose.yaml
version: "3.3"
services:
  front:
    image: thecodingmachine/workadventure-front:${VERSION}
    environment:
      - DEBUG_MODE
      - JITSI_URL
      - JITSI_PRIVATE_MODE
      - PUSHER_URL=//${PUSHER_HOST}
      - ICON_URL=//${ICON_HOST}
      - TURN_SERVER
      - TURN_USER
      - TURN_PASSWORD
      - TURN_STATIC_AUTH_SECRET
      - STUN_SERVER
      - START_ROOM_URL
      - SKIP_RENDER_OPTIMIZATIONS
      - MAX_PER_GROUP
      - MAX_USERNAME_LENGTH
      - DISABLE_ANONYMOUS
      - DISABLE_NOTIFICATIONS
    labels:
      - "traefik.http.routers.front.rule=Host(`${FRONT_HOST}`)"
      - "traefik.http.routers.front.entryPoints=web"
      - "traefik.http.services.front.loadbalancer.server.port=80"
      - "traefik.http.routers.front-ssl.rule=Host(`${FRONT_HOST}`)"
      - "traefik.http.routers.front-ssl.entryPoints=websecure"
      - "traefik.http.routers.front-ssl.service=front"
      - "traefik.http.routers.front-ssl.tls=true"
      # certresolver must name the resolver defined in the Traefik compose file (le)
      - "traefik.http.routers.front-ssl.tls.certresolver=le"
    restart: ${RESTART_POLICY}
    networks:
      web:
  pusher:
    image: thecodingmachine/workadventure-pusher:${VERSION}
    command: yarn run runprod
    environment:
      - SECRET_JITSI_KEY
      - SECRET_KEY
      - API_URL
      - FRONT_URL=https://${FRONT_HOST}
      - JITSI_URL
      - JITSI_ISS
      - DISABLE_ANONYMOUS
    labels:
      - "traefik.http.routers.pusher.rule=Host(`${PUSHER_HOST}`)"
      - "traefik.http.routers.pusher.entryPoints=web"
      - "traefik.http.services.pusher.loadbalancer.server.port=8080"
      - "traefik.http.routers.pusher-ssl.rule=Host(`${PUSHER_HOST}`)"
      - "traefik.http.routers.pusher-ssl.entryPoints=websecure"
      - "traefik.http.routers.pusher-ssl.service=pusher"
      - "traefik.http.routers.pusher-ssl.tls=true"
      - "traefik.http.routers.pusher-ssl.tls.certresolver=le"
    restart: ${RESTART_POLICY}
    networks:
      web:
  back:
    image: thecodingmachine/workadventure-back:${VERSION}
    command: yarn run runprod
    environment:
      - SECRET_JITSI_KEY
      - SECRET_KEY
      - ADMIN_API_TOKEN
      - ADMIN_API_URL
      - TURN_SERVER
      - TURN_USER
      - TURN_PASSWORD
      - TURN_STATIC_AUTH_SECRET
      - STUN_SERVER
      - JITSI_URL
      - JITSI_ISS
      - MAX_PER_GROUP
      - STORE_VARIABLES_FOR_LOCAL_MAPS
    labels:
      - "traefik.http.routers.back.rule=Host(`${BACK_HOST}`)"
      - "traefik.http.routers.back.entryPoints=web"
      - "traefik.http.services.back.loadbalancer.server.port=8080"
      - "traefik.http.routers.back-ssl.rule=Host(`${BACK_HOST}`)"
      - "traefik.http.routers.back-ssl.entryPoints=websecure"
      - "traefik.http.routers.back-ssl.service=back"
      - "traefik.http.routers.back-ssl.tls=true"
      - "traefik.http.routers.back-ssl.tls.certresolver=le"
    restart: ${RESTART_POLICY}
    networks:
      web:
  icon:
    image: matthiasluedtke/iconserver:v3.13.0
    labels:
      - "traefik.http.routers.icon.rule=Host(`${ICON_HOST}`)"
      - "traefik.http.routers.icon.entryPoints=web"
      - "traefik.http.services.icon.loadbalancer.server.port=8080"
      - "traefik.http.routers.icon-ssl.rule=Host(`${ICON_HOST}`)"
      - "traefik.http.routers.icon-ssl.entryPoints=websecure"
      - "traefik.http.routers.icon-ssl.service=icon"
      - "traefik.http.routers.icon-ssl.tls=true"
      - "traefik.http.routers.icon-ssl.tls.certresolver=le"
    networks:
      web:
networks:
  web:
    external: true
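
A router can only get a Let's Encrypt certificate through the resolver named in its `tls.certresolver` label if that name matches one defined on the Traefik command line (`--certificatesresolvers.<name>...`). The added check below (not part of the original gist; function names are hypothetical and the sample lines are constructed) lists label references that have no matching definition across the two compose files.

```sh
#!/bin/sh
# Added example; function names are hypothetical.

# Resolver names defined via --certificatesresolvers.<name>.* flags.
# Skips commented-out lines; matches the lowercase spelling used in this guide.
defined_resolvers() {
    sed -n '/^[[:space:]]*#/!s/.*--certificatesresolvers\.\([^.]*\)\..*/\1/p' "$1" | sort -u
}

# Resolver names referenced by router labels: ...tls.certresolver=<name>
referenced_resolvers() {
    sed -n '/^[[:space:]]*#/!s/.*\.tls\.certresolver=\([^"]*\).*/\1/p' "$@" | sort -u
}

# usage: undefined_resolvers TRAEFIK_COMPOSE [APP_COMPOSE...]
# Prints each referenced resolver name that the Traefik file does not define.
undefined_resolvers() {
    traefik_file=$1
    defined=$(defined_resolvers "$traefik_file")
    referenced_resolvers "$@" | while read -r name; do
        printf '%s\n' "$defined" | grep -qxF "$name" || printf '%s\n' "$name"
    done
}

# Constructed sample lines standing in for the two compose files.
dir=$(mktemp -d)
cat > "$dir/traefik.yaml" <<'EOF'
- --certificatesresolvers.le.acme.httpchallenge.entrypoint=web
- "traefik.http.routers.traefik.tls.certresolver=le"
EOF
cat > "$dir/app.yaml" <<'EOF'
- "traefik.http.routers.front-ssl.tls.certresolver=myresolver"
EOF
undefined_resolvers "$dir/traefik.yaml" "$dir/app.yaml"
rm -rf "$dir"
```

On the host, pass `/opt/traefik-infra/docker-compose.yaml` first and the WorkAdventure compose file second; empty output means every label points at a defined resolver.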