From 66baf8edd9f9e060af045d456ccdb5bd6ffd9dc6 Mon Sep 17 00:00:00 2001
From: Gabriel Carneiro
Date: Thu, 27 Feb 2025 10:27:59 -0300
Subject: [PATCH] initial commit
---
 .env.example | 19 +++++
 docker-compose.yml | 205 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 224 insertions(+)
 create mode 100644 .env.example
 create mode 100644 docker-compose.yml
diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..06b5c70
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,19 @@
+# do not use quotes (")
+MYDOMAIN=overleaf.example.ufsj.edu.br
+MYMAIL=noreply@example.ufsj.edu.br
+MYDATA=/data
+LOGIN_TEXT=username
+COLLAB_TEXT=Direct share with collaborators is enabled only for activated users!
+ADMIN_IS_SYSADMIN=false
+
+LDAP_SERVER="ldap://openldap"
+LDAP_BASE="ou=users,dc=ldap,dc=example"
+# LDAP_SERVER_CACERT: ""
+# Tries directly to bind with the login user (as uid)
+# LDAP_BINDDN: "cn=%u,ou=users,dc=ldap,dc=example"
+LDAP_BIND_USER="cn=binduser,dc=ldap,dc=example"
+LDAP_BIND_PW="bindpw"
+LDAP_USER_FILTER="(&(objectClass=posixAccount)(cn=%u))"
+LDAP_ADMIN_GROUP_FILTER="(memberOf=cn=ldap_admin,ou=groups,dc=ldap,dc=example)"
+ALLOW_EMAIL_LOGIN="false"
+LDAP_CONTACTS="false"
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..8d2c3c7
--- /dev/null
+++ b/docker-compose.yml
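Review bot: The first line says `# do not use quotes (")`, yet every LDAP_* value from `LDAP_SERVER="ldap://openldap"` onward is double-quoted, so the template contradicts its own instruction; whichever form the loader expects, the example should use one convention throughout (e.g. `LDAP_SERVER=ldap://openldap`). Two of the commented entries are written in YAML syntax rather than dotenv syntax (`# LDAP_SERVER_CACERT: ""` and `# LDAP_BINDDN: "cn=%u,ou=users,dc=ldap,dc=example"`), so uncommenting them as-is does not yield a valid KEY=VALUE line; `# LDAP_SERVER_CACERT=` and `# LDAP_BINDDN=cn=%u,ou=users,dc=ldap,dc=example` would keep the template copy-pasteable. Since this file is the template people copy and `LDAP_BIND_PW` holds a real directory credential once filled in, a one-line comment next to it noting that the populated `.env` is the file to keep out of the repository would help.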
@@ -0,0 +1,205 @@
+version: "2.2"
+services:
+ sharelatex:
+ sysctls:
+ - net.ipv6.conf.all.disable_ipv6=1
+ restart: always
+ image: ldap-overleaf-sl
+ container_name: ldap-overleaf-sl
+ depends_on:
+ mongo:
+ condition: service_healthy
+ redis_sl:
+ condition: service_healthy
+ privileged: false
+ networks:
+ - traefik-public
+ # ports:
+ # - 8008:80
+ links:
+ - mongo
+ - redis_sl
+ volumes:
+ - ${MYDATA}/sharelatex:/var/lib/sharelatex
+ # - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt
+ # - ${MYDATA}/letsencrypt:/etc/letsencrypt
+ # - ${MYDATA}/letsencrypt/live/${MYDOMAIN}/:/etc/letsencrypt/certs/domain
+
+ labels:
+ traefik.enable: true
+
+ # handle https traffic
+ traefik.http.routers.overleaf.rule: Host(`overleaf.alice.ufsj.edu.br`)
+ traefik.http.routers.overleaf.tls: true
+ traefik.http.routers.overleaf.tls.certresolver: letsencrypt
+ traefik.http.routers.overleaf.entrypoints: websecure
+ traefik.http.services.overleaf.loadbalancer.server.port: 80
+ traefik.http.middlewares.overleaf.forwardauth.trustForwardHeader: true
+ traefik.http.middlewares.overleaf.headers.customrequestheaders.X-Forwarded-Proto: https
+ traefik.http.middlewares.overleaf.headers.customrequestheaders.X-Frame-Options: SAMEORIGIN
+ traefik.http.middlewares.overleaf.headers.customrequestheaders.X-Content-Type-Options: nosniff
+ traefik.http.middlewares.overleaf.headers.customrequestheaders.Connection: "upgrade"
+
+ # traefik.http.middlewares.overleaf.headers.contentTypeNosniff: true
+ # traefik.http.middlewares.overleaf.headers.browserXssFilter: true
+ # traefik.http.middlewares.overleaf.headers.frameDeny: true
+ # traefik.http.middlewares.overleaf.headers.stsIncludeSubdomains: true
+ # traefik.http.middlewares.overleaf.headers.stsPreload: true
+ # traefik.http.middlewares.overleaf.headers.stsSeconds: 31536000
+ # traefik.http.middlewares.overleaf.headers.customFrameOptionsValue: true
+ # traefik.http.middlewares.overleaf.headers.trustForwardHeader: "SAMEORIGIN"
+
+ # Docker loadbalance
+ # traefik.http.services.overleaf.loadbalancer.server.port: 80
+ # traefik.http.services.overleaf.loadbalancer.server.scheme: http
+ # traefik.http.services.overleaf.loadbalancer.sticky.cookie: true
+ # traefik.http.services.overleaf.loadbalancer.sticky.cookie.name: io
+ # traefik.http.services.overleaf.loadbalancer.sticky.cookie.httponly: true
+ # traefik.http.services.overleaf.loadbalancer.sticky.cookie.secure: true
+ # traefik.http.services.overleaf.loadbalancer.sticky.cookie.samesite: io
+ environment:
+ LOG_LEVEL: debug
+ SHARELATEX_APP_NAME: Overleaf
+ SHARELATEX_MONGO_URL: mongodb://mongo/sharelatex
+ SHARELATEX_SITE_URL: https://${MYDOMAIN}
+ SHARELATEX_NAV_TITLE: Overleaf - run by ${MYDOMAIN}
+ #SHARELATEX_HEADER_IMAGE_URL: https://${MYDOMAIN}/logo.svg
+ SHARELATEX_ADMIN_EMAIL: ${MYMAIL}
+ SHARELATEX_LEFT_FOOTER: '[{"text": "Powered by ShareLaTeX 2016"} ]'
+ SHARELATEX_RIGHT_FOOTER: '[{"text": "LDAP Overleaf (beta)"} ]'
+ SHARELATEX_EMAIL_FROM_ADDRESS: "noreply@${MYDOMAIN}"
+ # SHARELATEX_EMAIL_AWS_SES_ACCESS_KEY_ID:
+ # SHARELATEX_EMAIL_AWS_SES_SECRET_KEY:
+ SHARELATEX_EMAIL_SMTP_HOST: smtp.${MYDOMAIN}
+ SHARELATEX_EMAIL_SMTP_PORT: 587
+ SHARELATEX_EMAIL_SMTP_SECURE: "false"
+ # SHARELATEX_EMAIL_SMTP_USER:
+ # SHARELATEX_EMAIL_SMTP_PASS:
+ # SHARELATEX_EMAIL_SMTP_TLS_REJECT_UNAUTH: true
+ # SHARELATEX_EMAIL_SMTP_IGNORE_TLS: false
+ SHARELATEX_CUSTOM_EMAIL_FOOTER: "This system is run by ${MYDOMAIN} - please contact ${MYMAIL} if you experience any issues."
+
+ # make public links accessible w/o login (link sharing issue)
+ # https://github.com/overleaf/docker-image/issues/66
+ # https://github.com/overleaf/overleaf/issues/628
+ # https://github.com/overleaf/web/issues/367
+ # Fixed in 2.0.2 (Release date: 2019-11-26)
+ SHARELATEX_ALLOW_PUBLIC_ACCESS: "true"
+ SHARELATEX_ALLOW_ANONYMOUS_READ_AND_WRITE_SHARING: "true"
+
+ # Uncomment the following line to enable secure cookies if you are using SSL
+ #SHARELATEX_SECURE_COOKIE: "true"
+ SHARELATEX_BEHIND_PROXY: "true"
+
+ # por algum motivo ele não consegue acessar o ldaps na 33004,
+ # então usei o hostname na rede docker
+ LDAP_SERVER: ${LDAP_SERVER}
+ LDAP_BASE: ${LDAP_BASE}
+ # LDAP_SERVER_CACERT: ""
+
+ ### There are to ways get users from the ldap server
+
+ ## NO LDAP BIND USER:
+ # Tries directly to bind with the login user (as uid)
+ # LDAP_BINDDN: "cn=%u,ou=users,dc=alice,dc=ufsj"
+
+ ## Or you can use ai global LDAP_BIND_USER
+ LDAP_BIND_USER: ${LDAP_BIND_USER}
+ LDAP_BIND_PW: ${LDAP_BIND_PW}
+
+ # Only allow users matching LDAP_USER_FILTER
+ LDAP_USER_FILTER: ${LDAP_USER_FILTER}
+
+ # If user is in ADMIN_GROUP on user creation (first login) isAdmin is set to true.
+ # Admin Users can invite external (non ldap) users. This feature makes only sense
+ # when ALLOW_EMAIL_LOGIN is set to 'true'. Additionally admins can send
+ # system wide messages.
+ LDAP_ADMIN_GROUP_FILTER: ${LDAP_ADMIN_GROUP_FILTER}
+ ALLOW_EMAIL_LOGIN: "false"
+
+ # All users in the LDAP_CONTACT_FILTER are loaded from the ldap server into contacts.
+ # LDAP_CONTACT_FILTER: "(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)"
+ LDAP_CONTACTS: "false"
+
+ ## OAuth2 Settings
+ # OAUTH2_ENABLED: "true"
+ # OAUTH2_PROVIDER: YOUR_OAUTH2_PROVIDER
+ # OAUTH2_CLIENT_ID: YOUR_OAUTH2_CLIENT_ID
+ # OAUTH2_CLIENT_SECRET: YOUR_OAUTH2_CLIENT_SECRET
+ # OAUTH2_SCOPE: YOUR_OAUTH2_SCOPE
+ # OAUTH2_AUTHORIZATION_URL: YOUR_OAUTH2_AUTHORIZATION_URL
+ # OAUTH2_TOKEN_URL: YOUR_OAUTH2_TOKEN_URL
+ # OAUTH2_TOKEN_CONTENT_TYPE: # One of ['application/x-www-form-urlencoded', 'application/json']
+ # OAUTH2_PROFILE_URL: YOUR_OAUTH2_PROFILE_URL
+ # OAUTH2_USER_ATTR_EMAIL: email
+ # OAUTH2_USER_ATTR_UID: id
+ # OAUTH2_USER_ATTR_FIRSTNAME: name
+ # OAUTH2_USER_ATTR_LASTNAME:
+ # OAUTH2_USER_ATTR_IS_ADMIN: site_admin
+
+ # Same property, unfortunately with different names in
+ # different locations
+ SHARELATEX_REDIS_HOST: redis_sl
+ REDIS_HOST: redis_sl
+ REDIS_PORT: 6379
+
+ ENABLED_LINKED_FILE_TYPES: "url,project_file"
+
+ # Enables Thumbnail generation using ImageMagick
+ ENABLE_CONVERSIONS: "true"
+
+ mongo:
+ restart: always
+ image: mongo:4.4
+ container_name: mongo
+ networks:
+ - traefik-public
+ expose:
+ - 27017
+ volumes:
+ - ${MYDATA}/mongo_data:/data/db
+ healthcheck:
+ test: echo 'db.stats().ok' | mongo localhost:27017/test --quiet
+ interval: 10s
+ timeout: 10s
+ retries: 5
+ command: "--replSet overleaf"
+
+ # See also: https://github.com/overleaf/overleaf/issues/1120
+ mongoinit:
+ image: mongo:4.4
+ # this container will exit after executing the command
+ restart: "no"
+ networks:
+ - traefik-public
+ depends_on:
+ mongo:
+ condition: service_healthy
+ entrypoint:
+ [
+ "mongo",
+ "--host",
+ "mongo:27017",
+ "--eval",
+ 'rs.initiate({ _id: "overleaf", members: [ { _id: 0, host: "mongo:27017" } ] })',
+ ]
+
+ redis_sl:
+ restart: always
+ image: redis:6.2
+ container_name: redis_sl
+ expose:
+ - 6379
+ volumes:
+ - ${MYDATA}/redis_data:/data
+ healthcheck:
+ test: ["CMD", "redis-cli", "ping"]
+ interval: 10s
+ timeout: 5s
+ retries: 5
+ networks:
+ - traefik-public
+
+networks:
+ traefik-public:
+ external: true
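Review bot: The Traefik middlewares declared under `labels` (`traefik.http.middlewares.overleaf.forwardauth.*` and `traefik.http.middlewares.overleaf.headers.*`) are never attached to the router — there is no `traefik.http.routers.overleaf.middlewares: overleaf` label — so none of them take effect, and even once attached, `customrequestheaders` only adds headers to the request forwarded to the container, whereas `X-Frame-Options` and `X-Content-Type-Options` protect the browser only as response headers (the commented `contentTypeNosniff`/`customFrameOptionsValue` options are the native way to set them; note the commented block also has their values swapped with `trustForwardHeader`). The `forwardauth` middleware carries only `trustForwardHeader` and no `address`, which I believe Traefik rejects as incomplete, so it should be dropped unless an auth endpoint is actually configured. Two smaller points: the router rule hard-codes `Host(`overleaf.alice.ufsj.edu.br`)` while the rest of the file derives from `${MYDOMAIN}`, so `Host(`${MYDOMAIN}`)` keeps them in sync, and with `traefik.http.routers.overleaf.tls: true` the session cookie should get the Secure flag, i.e. `SHARELATEX_SECURE_COOKIE: "true"` should be uncommented rather than left behind the `# Uncomment ... if you are using SSL` hint. Separately, `mongo` and `redis_sl` are joined to the shared external `traefik-public` network with no authentication configured, so any other container on that network can reach them; a dedicated internal network for the three services would be the usual fix, but that is a design decision beyond this hunk.

```yaml
labels:
  traefik.enable: "true"
  # … unchanged: router rule / tls / certresolver / entrypoints / loadbalancer port …
  traefik.http.routers.overleaf.middlewares: overleaf
  traefik.http.middlewares.overleaf.headers.customrequestheaders.X-Forwarded-Proto: https
  traefik.http.middlewares.overleaf.headers.contentTypeNosniff: "true"
  traefik.http.middlewares.overleaf.headers.customFrameOptionsValue: SAMEORIGIN
```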