{"id":16894094,"url":"https://github.com/firefart/rt-docker","last_synced_at":"2025-03-17T06:31:49.894Z","repository":{"id":40469561,"uuid":"338352863","full_name":"firefart/rt-docker","owner":"firefart","description":"docker compose setup to run request tracker","archived":false,"fork":false,"pushed_at":"2025-03-10T06:57:47.000Z","size":283,"stargazers_count":30,"open_issues_count":0,"forks_count":18,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-03-10T07:33:16.479Z","etag":null,"topics":["caddy","docker","docker-compose","request-tracker","requesttracker","ticketing-system"],"latest_commit_sha":null,"homepage":"","language":"Dockerfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/firefart.png","metadata":{"files":{"readme":"Readme.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"firefart","patreon":"firefart"}},"created_at":"2021-02-12T15:12:46.000Z","updated_at":"2025-03-10T06:57:52.000Z","dependencies_parsed_at":"2024-01-02T13:58:26.512Z","dependency_job_id":"449363d3-6d61-4299-a017-a8fb36fc9013","html_url":"https://github.com/firefart/rt-docker","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/firefart%2Frt-docker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/firefart%2Frt-docker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/firefart%2Frt-docker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/firefart%2Frt-docker/manifests"
,"owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/firefart","download_url":"https://codeload.github.com/firefart/rt-docker/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243847061,"owners_count":20357317,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["caddy","docker","docker-compose","request-tracker","requesttracker","ticketing-system"],"created_at":"2024-10-13T17:17:39.131Z","updated_at":"2025-03-17T06:31:49.881Z","avatar_url":"https://github.com/firefart.png","language":"Dockerfile","funding_links":["https://github.com/sponsors/firefart","https://patreon.com/firefart"],"categories":[],"sub_categories":[],"readme":"# Request Tracker with Docker\n\nThis is a complete setup for [Request Tracker](https://bestpractical.com/request-tracker) with docker and docker compose. The production setup assumes you have an external postgres database and an external SMTP server for outgoing emails. A local database server is only started in the dev configuration.\n\nThe prebuilt image is available from [https://hub.docker.com/r/firefart/requesttracker](https://hub.docker.com/r/firefart/requesttracker). 
The image is rebuilt on a daily basis.\n\nThe [Request Tracker for Incident Response (RT-IR)](https://bestpractical.com/rtir) Extension is also installed.\n\n## Prerequisites\n\n- [Docker](https://docs.docker.com/get-docker/) with the `compose` plugin\n- an external SMTP server to send emails\n- an external IMAP server to receive emails from\n- an external Postgres database\n\n## Instruction\n\nTo start, use either `./dev.sh`, which builds the images locally, or `./prod.sh`, which uses the prebuilt ones from Docker Hub. Before running this you also need to add the required configuration files (see Configuration).\n\n## Configuration\n\nThe following configuration files need to be present before starting:\n\n- `RT_SiteConfig.pm` : RT's main configuration file. This needs to be present in the root of the directory. See `RT_SiteConfig.pm.example` for an example configuration and the needed paths and settings for this configuration. For a full config reference have a look at the [official documentation](https://docs.bestpractical.com/rt/latest/RT_Config.html).\n- `Caddyfile`: The webserver config. See `Caddyfile.example` for an example and the [official Caddy doc](https://caddyserver.com/docs/caddyfile) for a reference.\n- `./msmtp/msmtp.conf` : config for msmtp (outgoing email). See `msmtp.conf.example` for an example. The `./msmtp` folder is also mounted to `/msmtp/` in the container so you can load certificates from the config file. [MSMTP Configuration Guide](https://marlam.de/msmtp/msmtp.html)\n- `crontab` : Crontab file that will be run as the RT user. See `crontab.example` for an example. Crontab output will be sent to the MAILTO address (it uses the msmtp config). You can use [crontab guru](https://crontab.guru/) for help with the format.\n- `./getmail/getmailrc`: This file configures your E-Mail fetching. See `getmailrc.example` for an example. `getmail` configuration docs are available under [https://getmail6.org/configuration.html](https://getmail6.org/configuration.html). 
The configuration options for `rt-mailgate`, which is used to store the emails in Request Tracker, can be viewed under [https://docs.bestpractical.com/rt/latest/rt-mailgate.html](https://docs.bestpractical.com/rt/latest/rt-mailgate.html).\n\nAdditional configs:\n\n- `./certs/`: This folder should contain all optional certificates needed for caddy\n- `./gpg/` : This folder should contain the gpg keyring if used in RT. Be sure the files are owned by user 1000 with mode 0600 so RT will not complain.\n- `./smime/` : This folder should contain the SMIME certificate if configured in RT\n- `./shredder/` : This directory will be used by the shredder functionality [https://docs.bestpractical.com/rt/latest/RT/Shredder.html](https://docs.bestpractical.com/rt/latest/RT/Shredder.html) so the backups are stored on the host\n\nFor output of your crontabs you can use the `/cron` directory so the output will be available on the host.\n\nIn the default configuration all output from RT, caddy, getmail and msmtp is available via `docker logs` (or `docker compose -f ... logs`).\n\n## Webserver\n\nThe setup uses Caddy as a webserver. You can find an example configuration in [Caddyfile.example](Caddyfile.example). Caddy provides features like automatic HTTPS with Let's Encrypt and other features that make it easy to set up. You can find the Caddy documentation here [https://caddyserver.com/docs/caddyfile](https://caddyserver.com/docs/caddyfile).\n\nFeel free to modify the config to your needs, for example auto https, certificate based authentication, basic authentication and so on. 
Just be sure the mailgateway host under port `:8080` is untouched and the main host contains a block for the unauth API path, otherwise everyone with access to your RT instance can create emails without the need to log in first.\n\n### Create Certificate\n\nIf you don't want to use the auto https feature (for example in dev) you can provide your own certificates.\n\nCreate a self signed certificate:\n```bash\nopenssl req -x509 -newkey rsa:4096 -keyout ./certs/priv.pem -out ./certs/pub.pem -days 3650 -nodes\n```\n\n### Example Caddy Configurations\n\n\u003cdetails\u003e\n\u003csummary\u003eCaddy on a domain with lets encrypt certificates\u003c/summary\u003e\n\n```\n{\n  admin off\n}\n\n# healthchecks\n:1337 {\n  respond \"OK\" 200\n}\n\n# mailgate\n:8080 {\n  log\n  reverse_proxy rt:9000 {\n    transport fastcgi\n  }\n}\n\n# request tracker\nrt.domain.com:443 {\n  log\n  tls user@email.com\n\n  # Block access to the unauth mail gateway endpoint\n  # we have a seperate mailgate server for that\n  @blocked path /REST/1.0/NoAuth/mail-gateway\n  respond @blocked \"Nope\" 403\n\n  reverse_proxy rt:9000 {\n    transport fastcgi\n  }\n}\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eCaddy behind a reverse proxy server with a self signed certificate\u003c/summary\u003e\n\n`pub.pem` and `priv.pem` need to be inside the `./certs` folder and will be mounted automatically.\n\n```\n{\n  admin off\n  auto_https off\n\n  servers {\n    trusted_proxies static 10.0.0.0/22\n    client_ip_headers X-Orig-Addr\n    trusted_proxies_strict\n  }\n}\n\n# healthchecks\n:1337 {\n  respond \"OK\" 200\n}\n\n# mailgate\n:8080 {\n  log\n  reverse_proxy rt:9000 {\n    transport fastcgi\n  }\n}\n\n# request tracker\n:443 {\n  log\n\n  tls /certs/pub.pem /certs/priv.pem\n\n  # Block access to the unauth mail gateway endpoint\n  # we have a seperate mailgate server for that\n  @blocked path /REST/1.0/NoAuth/mail-gateway\n  respond @blocked \"Nope\" 403\n\n  reverse_proxy 
rt:9000 {\n    transport fastcgi {\n      env SERVER_NAME {http.request.header.X-Orig-HostHeader}\n    }\n  }\n}\n```\n\n\u003c/details\u003e\n\n\n\u003cdetails\u003e\n\u003csummary\u003eCaddy behind a reverse proxy server with a self signed certificate and client certificate validation\u003c/summary\u003e\n\n`pub.pem`, `priv.pem` and `root-ca.pem` need to be inside the `./certs` folder and will be mounted automatically.\n\n```\n{\n  admin off\n  auto_https off\n\n  servers {\n    trusted_proxies static 10.0.0.0/22\n    client_ip_headers X-Orig-Addr\n    trusted_proxies_strict\n  }\n}\n\n# healthchecks\n:1337 {\n  respond \"OK\" 200\n}\n\n# mailgate\n:8080 {\n  log\n  reverse_proxy rt:9000 {\n    transport fastcgi\n  }\n}\n\n# request tracker\n:443 {\n  log\n\n  tls /certs/pub.pem /certs/priv.pem {\n    protocols tls1.3\n    client_auth {\n      mode require_and_verify\n      trust_pool file /certs/root-ca.pem\n    }\n  }\n\n  # Block access to the unauth mail gateway endpoint\n  # we have a seperate mailgate server for that\n  @blocked path /REST/1.0/NoAuth/mail-gateway\n  respond @blocked \"Nope\" 403\n\n  reverse_proxy rt:9000 {\n    transport fastcgi {\n      env SERVER_NAME {http.request.header.X-Orig-HostHeader}\n    }\n  }\n}\n```\n\n\u003c/details\u003e\n\n\n\u003cdetails\u003e\n\u003csummary\u003eCaddy behind a reverse proxy server with a self signed certificate and client certificate validation with subject validation\u003c/summary\u003e\n\n`pub.pem`, `priv.pem` and `root-ca.pem` need to be inside the `./certs` folder and will be mounted automatically.\n\n```\n{\n  admin off\n  auto_https off\n\n  servers {\n    trusted_proxies static 10.0.0.0/22\n    client_ip_headers X-Orig-Addr\n    trusted_proxies_strict\n  }\n}\n\n# healthchecks\n:1337 {\n  respond \"OK\" 200\n}\n\n# mailgate\n:8080 {\n  log\n  reverse_proxy rt:9000 {\n    transport fastcgi\n  }\n}\n\n# request tracker\n:443 {\n  @cert-auth {\n    expression {http.request.tls.client.subject} == 
\"CN=Subject,OU=example,O=com,C=xxx\"\n  }\n\n  log\n\n  tls /certs/pub.pem /certs/priv.pem {\n    protocols tls1.3\n    client_auth {\n      mode require_and_verify\n      trust_pool file /certs/root-ca.pem\n    }\n  }\n\n  # block everything that is not from a trusted ip range\n  @blocked_trusted not remote_ip 10.0.0.0/22\n  respond @blocked_trusted \"Nope\" 403\n\n  # Block access to the unauth mail gateway endpoint\n  # we have a seperate mailgate server for that\n  @blocked path /REST/1.0/NoAuth/mail-gateway\n  respond @blocked \"Nope\" 403\n\n  reverse_proxy @cert-auth rt:9000 {\n    transport fastcgi {\n      env SERVER_NAME {http.request.header.X-Orig-HostHeader}\n    }\n  }\n}\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eCaddy behind a reverse proxy server with a self signed certificate and client certificate validation with subject validation and on a subpath\u003c/summary\u003e\n\n`pub.pem`, `priv.pem` and `root-ca.pem` need to be inside the `./certs` folder and will be mounted automatically. 
The reverse proxy needs to point to `servername/rt` otherwise you will end up with wrong paths in the cookies which will lead to file uploads not working correctly.\nWe will also set the REMOTE_USER to a custom header sent from the upstream proxy.\n\n```\n{\n  admin off\n  auto_https off\n\n  servers {\n    trusted_proxies static 10.0.0.0/22\n    client_ip_headers X-Orig-Addr\n    trusted_proxies_strict\n  }\n}\n\n# healthchecks\n:1337 {\n  respond \"OK\" 200\n}\n\n# mailgate\n:8080 {\n  log\n  reverse_proxy rt:9000 {\n    transport fastcgi\n  }\n}\n\n# request tracker\n:443 {\n  @cert-auth {\n    expression {http.request.tls.client.subject} == \"CN=Subject,OU=example,O=com,C=xxx\"\n  }\n\n  log\n  tls /certs/pub.pem /certs/priv.pem {\n    protocols tls1.3\n    client_auth {\n      mode require_and_verify\n      trust_pool file /certs/root-ca.pem\n    }\n  }\n\n  # block everything that is not from a trusted ip range\n  @blocked_trusted not remote_ip 10.0.0.0/22\n  respond @blocked_trusted \"Nope\" 403\n\n  handle_path /rt/* {\n    # Block access to the unauth mail gateway endpoint\n    # we have a seperate mailgate server for that\n    @blocked path /REST/1.0/NoAuth/mail-gateway\n    respond @blocked \"Nope\" 403\n\n    reverse_proxy @cert-auth rt:9000 {\n      transport fastcgi {\n        env REMOTE_USER {http.request.header.X-Auth-Username}\n        env SERVER_NAME {http.request.header.X-Orig-HostHeader}\n        env REQUEST_URI {uri}\n      }\n    }\n  }\n}\n```\n\n\u003c/details\u003e\n\n\n## Init database\n\nThis initializes a fresh database. 
This is needed on the first run.\n\n```bash\ndocker compose run --rm rt bash -c 'cd /opt/rt5 \u0026\u0026 perl ./sbin/rt-setup-database --action init'\n```\n\nYou need to restart the rt service after this step as it crashes if the database is not initialized.\n\n### DEV\n\nHint: Add `--skip-create` in dev as the database is created by docker\n\n```bash\ndocker compose -f docker-compose.yml -f docker-compose.dev.yml run --rm rt bash -c 'cd /opt/rt5 \u0026\u0026 perl ./sbin/rt-setup-database --action init --skip-create'\n```\n\n## Upgrade steps\n\n### Upgrade Database\n\n```bash\ndocker compose run --rm rt bash -c 'cd /opt/rt5 \u0026\u0026 perl ./sbin/rt-setup-database --action upgrade --upgrade-from 4.4.4'\n```\n\n### Fix data inconsistencies\n\nRun multiple times with the `--resolve` switch until no errors occur\n\n```bash\ndocker compose run --rm rt bash -c 'cd /opt/rt5 \u0026\u0026 perl ./sbin/rt-validator --check --resolve'\n```\n\n## RT-IR\n\nYou can simply enable RT-IR in your `RT_SiteConfig.pm` by including `Plugin('RT::IR');`. Please refer to the [docs](https://docs.bestpractical.com/rtir/latest/index.html) for additional install or upgrade steps.\n\nTo initialize the database (ONLY ON THE FIRST RUN!!!! and only after rt is fully set up)\n\n```bash\ndocker compose run --rm rt bash -c 'cd /opt/rt5 \u0026\u0026 perl ./sbin/rt-setup-database --action insert --skip-create --datafile /opt/rtir/initialdata'\n```\n\nTo upgrade\n\n```bash\ndocker compose run --rm rt bash -c 'cd /opt/rt5 \u0026\u0026 perl ./sbin/rt-setup-database --action upgrade --skip-create --datadir /opt/rtir/upgrade --package RT::IR --ext-version 5.0.4'\n```\n\nRestart docker setup after all steps to fully load RT-IR (just run `./restart_prod.sh`).\n\n## Extending\n\nTo include additional containers in this setup like pgadmin or change a default config, you can create a `docker-compose.override.yml` file in the project's root and it will automatically be picked up and merged with the default config. 
Run `docker compose config` to view the merged config.\n\n## Deprecated features\n\n- NGINX: The old setup used nginx for the webserver. If you want to upgrade you need to migrate your nginx config to a Caddy config. See the example Caddy Configuration section for some ideas.\n- compose profiles: Previously there were compose profiles to also include `dozzle` for viewing logs and `pgadmin` to interact with the database. Both tools are now removed and `pgadmin` is only available in dev mode. If you still need pgadmin you can easily spin it up using docker compose.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffirefart%2Frt-docker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffirefart%2Frt-docker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffirefart%2Frt-docker/lists"}