Docker Installation
Minimum hardware requirements
- vCPU: 4 virtual cores (>= 2GHz, more is recommended on larger instances)
- RAM: 6GB (more is recommended for large instances)
- Storage: 40GB (more is recommended, especially if you have a lot of remote/local magazines and/or have a lot of (local) users)
You can start with a smaller server and add more resources later if you are using a VPS for example.
System Prerequisites
-
Docker Engine
-
Docker Compose V2
If you are using Compose V1, replace
docker compose
withdocker-compose
in those commands below.
Docker Install
The most convenient way to install docker is using an official convenience script provided at get.docker.com:
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
Alternatively, you can follow the official Docker install documentation for your platform.
Once Docker is installed on your system, it is recommended to create a docker
group and add it to your user:
sudo groupadd docker
sudo usermod -aG docker $USER
Mbin Installation
Preparation
Clone git repository:
git clone https://github.com/MbinOrg/mbin.git
cd mbin
Environment configuration
Use either the automatic environment setup script OR manually configure the .env
, compose.override.yaml
, and OAuth2 keys. Select one of the two options.
Everything configured for your specific instance is in .env
, compose.override.yaml
, and storage/
(assuming you haven't modified anything else). If you'd like to backup, or even completely reset/delete your instance, then these are the files to do so with.
Automatic setup script
Run the setup script and pass in a mode (either prod
or dev
) and your domain (which can be localhost
if you plan to just test locally):
./docker/setup.sh prod mbin.domain.tld
Once the script has been run, you will not be able to run it again, in order to prevent data loss. You can always edit the .env
and compose.override.yaml
files manually if you'd like to make changes.
Continue on to the Docker image preparation section for the next steps.
Manually configure .env
and compose.override.yaml
Create config files and storage directories:
cp .env.example_docker .env
touch compose.override.yaml
mkdir -p storage/{caddy_config,caddy_data,media,messenger_logs,oauth,php_logs,postgres,rabbitmq_data,rabbitmq_logs}
- Choose your Valkey password, PostgreSQL password, RabbitMQ password, and Mercure password.
- Place the passwords in the corresponding variables in
.env
. - Update the
SERVER_NAME
,KBIN_DOMAIN
andKBIN_STORAGE_URL
in.env
. - Update
APP_SECRET
in.env
, see the note below to generate one. - Update
MBIN_USER
in.env
to match your user and group id (id -u
&id -g
). - Optionally: Use a newer PostgreSQL version. Update/set the
POSTGRES_VERSION
variable in your.env
.
To generate a random password or secret, use the following command:
tr -dc A-Za-z0-9 < /dev/urandom | head -c 32 && echo
Configure OAuth2 keys
- Create an RSA key pair using OpenSSL:
# If you protect the key with a passphrase, make sure to remember it!
# You will need it later
openssl genrsa -des3 -out ./storage/oauth/private.pem 4096
openssl rsa -in ./storage/oauth/private.pem --outform PEM -pubout -out ./storage/oauth/public.pem
- Generate a random hex string for the OAuth2 encryption key:
openssl rand -hex 16
- Add the public and private key paths to
.env
:
OAUTH_PRIVATE_KEY=%kernel.project_dir%/config/oauth2/private.pem
OAUTH_PUBLIC_KEY=%kernel.project_dir%/config/oauth2/public.pem
OAUTH_PASSPHRASE=<Your passphrase from above here>
OAUTH_ENCRYPTION_KEY=<Hex string generated in previous step>
Docker image preparation
If you're using a version of Docker Engine earlier than 23.0, run export DOCKER_BUILDKIT=1
, prior to building the image. This does not apply to users running Docker Desktop. More info can be found here
Use the Mbin provided Docker image (default) OR build the docker image locally. Select one of the two options.
The default is to use our prebuilt images from ghcr.io. Reference the next section if you'd like to build the Docker image locally instead.
In production a recommended practice is to pin the image tag to a specific release (example: v1.8.2) instead of using latest
.
Pinning the docker image version can be done by editing the compose.override.yaml
file and uncommenting the following lines
(update the version number to one you want to pin to and is available on ghcr.io):
services:
php:
image: ghcr.io/mbinorg/mbin:v1.8.2
messenger:
image: ghcr.io/mbinorg/mbin:v1.8.2
Build your own image
If you want to build your own image, add pull_policy: build
to both the php
and messenger
services in compose.override.yaml
:
services:
php:
pull_policy: build
messenger:
pull_policy: build
Once that's done, run docker compose build --no-cache
in order to build the Mbin Docker image.
Uploaded media files
Uploaded media files (e.g. photos uploaded by users) will be stored on the host directory storage/media
. They will be served by the web server in the php
container as static files.
Make sure KBIN_STORAGE_URL
in your .env
configuration file is set to be https://yourdomain.tld/media
.
You can also serve those media files on another server by mirroring the files at storage/media
and changing KBIN_STORAGE_URL
correspondingly.
S3 can also be utilized to store images in the cloud. Just fill in the S3_
fields in .env
and Mbin will take care of the rest. See this page for more info.
Running behind a reverse proxy
A reverse proxy is unneeded with this Docker setup, as HTTPS is automatically applied through the built in Caddy server. If you'd like to use a reverse proxy regardless, then you'll need to make a few changes:
- In
.env
, change yourSERVER_NAME
to":80"
:
SERVER_NAME=":80"
- In
compose.override.yaml
, addCADDY_GLOBAL_OPTIONS: auto_https off
to your php service environment:
services:
php:
environment:
CADDY_GLOBAL_OPTIONS: auto_https off
- Also in
compose.override.yaml
, add!override
to your phpports
to override the current configuration and add your own based on what your reverse proxy needs:
services:
php:
ports: !override
- 8080:80
In this example, port 8080
will connect to your Mbin server.
- Make sure your reverse proxy correctly sets the common
X-Forwarded
headers (especiallyX-Forwarded-Proto
). This is needed so that both rate limiting works correctly, but especially so that your server can detect its correct outward facing protocol (HTTP vs HTTPS).
TRUSTED_PROXIES
in .env
needs to be a valid value (which is the default) in order for your server to work correctly behind a reverse proxy.
In order to verify your server is correctly detecting it's public protocol (HTTP vs HTTPS), visit /.well-known/nodeinfo
and look at which protocol is being used in the href
fields. A public server should always be using HTTPS and not contain port numbers (i.e., https://DOMAINHERE/
).
Running the containers
By default docker compose
will execute the compose.yaml
and compose.override.yaml
files.
Run the container in the background (-d
means detach, but this can also be omitted for testing or debugging purposes):
docker compose up -d
See your running containers via: docker ps
.
This docker setup comes with automatic HTTPS support. Assuming you have set up your DNS and firewall (allow ports 80
& 443
) configured correctly, then you should be able to access the new instance via your domain.
If you specified localhost
as your domain, then a self signed HTTPS certificate is provided and you should be able to access your instance here: https://localhost.
You can also access the RabbitMQ management UI via http://localhost:15672.
Be sure not to forget the Mbin first setup instructions in order to create your admin user, random
magazine, and AP & Push Notification keys.