From bdc0d6b030ff911ab8533174d402a5fa3f7a1f4a Mon Sep 17 00:00:00 2001 
From: KEriks Date: Thu, 7 Jul 2022 12:32:13 +0300 Subject: [PATCH] Init --- .gitignore | 14 ++ compose/certbot/init.sh | 42 ++++ compose/cloud/Dockerfile | 17 ++ compose/cloud/entry_uid_change.sh | 6 + compose/cloud/supervisord.conf | 22 +++ compose/nginx/Dockerfile | 16 ++ compose/nginx/conf/mime.types | 105 ++++++++++ compose/nginx/conf/nginx.conf | 49 +++++ compose/nginx/conf/proxy_params | 20 ++ .../nginx/conf/sites-enabled/100-default.conf | 48 +++++ compose/nginx/conf/ssl-dhparams.pem | 8 + compose/nginx/conf/ssl.conf | 14 ++ compose/nginx/conf/uwsgi_params | 19 ++ compose/nginx/defaults/fastcgi.conf | 26 +++ compose/nginx/defaults/fastcgi_params | 25 +++ compose/nginx/defaults/mime.types | 97 +++++++++ compose/nginx/defaults/nginx.conf | 32 +++ compose/nginx/defaults/scgi_params | 17 ++ compose/nginx/defaults/ssl.conf | 14 ++ compose/nginx/defaults/uwsgi_params | 17 ++ compose/nginx/entrypoint_host.sh | 10 + .../00-init-users-db.sh.example | 26 +++ default.env | 7 + default.env_certbot | 3 + default.env_cloud | 19 ++ default.env_db | 1 + default.env_gitea | 6 + docker-compose.yaml | 186 ++++++++++++++++++ install_docker.sh | 9 + projects/default/.dockerignore | 3 + projects/default/Dockerfile | 8 + projects/default/app.py | 41 ++++ projects/default/config.py | 10 + projects/default/requirements.txt | 2 + projects/default/templates/404.html | 1 + projects/default/templates/index.html | 25 +++ projects/default/templates/request.html | 176 +++++++++++++++++ update_all.sh | 5 + 38 files changed, 1146 insertions(+) create mode 100644 .gitignore create mode 100755 compose/certbot/init.sh create mode 100644 compose/cloud/Dockerfile create mode 100755 compose/cloud/entry_uid_change.sh create mode 100644 compose/cloud/supervisord.conf create mode 100644 compose/nginx/Dockerfile create mode 100644 compose/nginx/conf/mime.types create mode 100644 compose/nginx/conf/nginx.conf create mode 100644 compose/nginx/conf/proxy_params create mode 100644 
compose/nginx/conf/sites-enabled/100-default.conf create mode 100644 compose/nginx/conf/ssl-dhparams.pem create mode 100644 compose/nginx/conf/ssl.conf create mode 100644 compose/nginx/conf/uwsgi_params create mode 100644 compose/nginx/defaults/fastcgi.conf create mode 100644 compose/nginx/defaults/fastcgi_params create mode 100644 compose/nginx/defaults/mime.types create mode 100644 compose/nginx/defaults/nginx.conf create mode 100644 compose/nginx/defaults/scgi_params create mode 100644 compose/nginx/defaults/ssl.conf create mode 100644 compose/nginx/defaults/uwsgi_params create mode 100644 compose/nginx/entrypoint_host.sh create mode 100644 compose/pgdb/docker-entrypoint-initdb.d/00-init-users-db.sh.example create mode 100644 default.env create mode 100644 default.env_certbot create mode 100644 default.env_cloud create mode 100644 default.env_db create mode 100644 default.env_gitea create mode 100644 docker-compose.yaml create mode 100755 install_docker.sh create mode 100644 projects/default/.dockerignore create mode 100644 projects/default/Dockerfile create mode 100644 projects/default/app.py create mode 100644 projects/default/config.py create mode 100644 projects/default/requirements.txt create mode 100644 projects/default/templates/404.html create mode 100644 projects/default/templates/index.html create mode 100644 projects/default/templates/request.html create mode 100755 update_all.sh diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..eb9137b --- /dev/null +++ b/.gitignore @@ -0,0 +1,14 @@ +.env* + +!projects/ + +projects/* +!projects/default/ + +!compose/nginx/conf/sites-enabled/ +compose/nginx/conf/sites-enabled/* +!compose/nginx/conf/sites-enabled/100-default.conf +compose/qbit/config/* + +!compose/pgdb/docker-entrypoint-initdb.d/ +compose/pgdb/docker-entrypoint-initdb.d/*.sh diff --git a/compose/certbot/init.sh b/compose/certbot/init.sh new file mode 100755 index 0000000..0f8e169 --- /dev/null +++ b/compose/certbot/init.sh 
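Review bot: `compose/nginx/conf/registry.htpasswd` is bind-mounted by the nginx service in `docker-compose.yaml` in this same patch but has no ignore rule here, so once it exists on the host the registry credential hashes are one `git add .` away from being committed; add `compose/nginx/conf/registry.htpasswd` next to the `.env*` rule. The `default.env*` templates are intentionally tracked (the `.env*` pattern only matches names that start with `.env`), which is fine as long as they keep placeholder values only.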
@@ -0,0 +1,42 @@
+#!/bin/sh
+set -eu
+touch /var/log/letsencrypt/letsencrypt.log
+echo "Initializing certbot..."
+rsa_key_size=4096
+email=${ADMIN_EMAIL:-'admin@example.com'} # Adding a valid address is strongly recommended
+
+# Enable staging mode if needed
+staging_arg=$(test $CB_STAGING && echo "--staging" || echo "")
+
+if [ $staging_arg ]; then
+ echo "Staging enabled! Will generate test certs!"
+fi
+
+echo "dns_digitalocean_token = ${DIGITALOCEAN_TOKEN}" | tee /opt/certbot/credentials.ini
+chmod 600 /opt/certbot/credentials.ini
+
+echo ""
+echo "Generating initial domain mapping..."
+if [ -n "$DOMAINS" ]; then
+ _IFS=$IFS
+ IFS="|"
+ for group in $DOMAINS; do
+ IFS=$_IFS
+ service=$(echo $group | head -n 1 | cut -d " " -f 1)
+ domains=$(echo $group | head -n 1 | cut -d " " -f 2-)
+ echo "### Requesting Let's Encrypt certificate for $service containing '$domains' domains..."
+ command="certbot certonly --dns-digitalocean --dns-digitalocean-credentials /opt/certbot/credentials.ini $staging_arg --email $email --rsa-key-size $rsa_key_size --agree-tos -n"
+ for domain in $domains; do command="$command -d $domain"; done
+ echo "executing: '$command'"
+ /bin/sh -c "$command"
+ done
+else
+ echo "Domain mapping not found!" 1>&2
+ exit 1
+fi
+
+echo "### Let's Encrypt certificate initialization completed!"
+
+SLEEPTIME=$(awk 'BEGIN{srand(); print int(rand()*(3600+1))}')
+echo "0 0,12 * * * sleep $SLEEPTIME && certbot ${staging_arg} renew -q" | tee -a /var/spool/cron/crontabs/root > /dev/null
+tail -fn 0 /var/log/letsencrypt/letsencrypt.log
diff --git a/compose/cloud/Dockerfile b/compose/cloud/Dockerfile
new file mode 100644
index 0000000..414b00f
--- /dev/null
+++ b/compose/cloud/Dockerfile
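Review bot: The credentials file is written with `tee`, which echoes the DigitalOcean API token to stdout and therefore into the container log (`docker logs` on the certbot service), and the file sits at the default umask until the `chmod 600` on the following line runs. Write it silently with restrictive permissions from the start: `umask 077` followed by `printf 'dns_digitalocean_token = %s\n' "$DIGITALOCEAN_TOKEN" > /opt/certbot/credentials.ini` (the `chmod` can stay as belt and braces). Separately, `staging_arg=$(test $CB_STAGING ...)` runs under `set -u` and `default.env_certbot` in this patch never defines `CB_STAGING`, so an unset variable would abort the script before any certificate is requested; `test -n "${CB_STAGING:-}"` keeps the intent without that failure mode. Each domain group is also executed via `/bin/sh -c "$command"`, so the contents of `DOMAINS` are interpreted by a shell — acceptable for an operator-controlled env file, but worth a comment above the loop.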
@@ -0,0 +1,17 @@
+FROM nextcloud:23-fpm-alpine
+
+RUN apk add shadow && \
+ groupmod -g 1001 www-data && \
+ usermod -u 1000 -g 1001 www-data && \
+ find / -user 82 -exec chown -v -h 1000 '{}' \; && \
+ find / -group 82 -exec chgrp -v 1001 '{}' \;
+
+RUN apk add --no-cache supervisor imagemagick-dev imagemagick \
+ && mkdir /var/log/supervisord /var/run/supervisord \
+ && sed -ie 's/php /\/usr\/local\/bin\/php /g' /entrypoint.sh
+
+COPY supervisord.conf /
+
+ENV NEXTCLOUD_UPDATE=1
+
+CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
diff --git a/compose/cloud/entry_uid_change.sh b/compose/cloud/entry_uid_change.sh
new file mode 100755
index 0000000..ac39efd
--- /dev/null
+++ b/compose/cloud/entry_uid_change.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+find / -user 82 -exec chown -v -h 1000 '{}' \;
+find / -group 82 -exec chgrp -v 1001 '{}' \;
+
+/entrypoint.sh "php-fpm"
diff --git a/compose/cloud/supervisord.conf b/compose/cloud/supervisord.conf
new file mode 100644
index 0000000..4f76259
--- /dev/null
+++ b/compose/cloud/supervisord.conf
@@ -0,0 +1,22 @@
+[supervisord]
+nodaemon=true
+logfile=/var/log/supervisord/supervisord.log
+pidfile=/var/run/supervisord/supervisord.pid
+childlogdir=/var/log/supervisord/
+logfile_maxbytes=50MB ; maximum size of logfile before rotation
+logfile_backups=10 ; number of backed up logfiles
+loglevel=error
+
+[program:php-fpm]
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command=php-fpm
+
+[program:cron]
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command=/cron.sh
diff --git a/compose/nginx/Dockerfile b/compose/nginx/Dockerfile
new file mode 100644
index 0000000..aa24940
--- /dev/null
+++ b/compose/nginx/Dockerfile
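Review bot: The two `find / -user 82 … -exec chown` walks cover the entire filesystem, including whatever is mounted under `/proc` and `/sys` during the build, and `-exec … \;` forks one process per match; scope them to the image filesystem with `find / -xdev -user 82 -exec chown -h 1000 '{}' +` (and the same for `-group`). `sed -ie '…' /entrypoint.sh` is not `-i -e`: both GNU and busybox sed read the `e` as a backup suffix, so the image ships a stray `/entrypoint.she` copy — write `sed -i -e`. The first `apk add shadow` also lacks `--no-cache` and so leaves the package index in the layer, unlike the second `RUN`.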
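Review bot: Nothing in this patch copies or invokes `entry_uid_change.sh` — the cloud Dockerfile's `CMD` starts supervisord directly and the compose service sets no entrypoint — so it appears to be dead code here; if it is kept for manual use, add a header comment saying so, and note that it re-chowns the whole filesystem, including the bind-mounted `${cloud_data}` volume, on every start. Either wire it in as the entrypoint or drop it to avoid two diverging copies of the same uid-remap logic.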
@@ -0,0 +1,16 @@
+FROM nginx:stable-alpine
+
+#COPY conf /etc/nginx
+COPY ./entrypoint_host.sh /entrypoint_host.sh
+RUN apk add shadow \
+ && groupmod -g 1001 nginx \
+ && usermod -u 1000 -g 1001 nginx \
+ && find / -user 101 -exec chown -v -h 1000 '{}' \; \
+ && find / -group 101 -exec chgrp -v 1001 '{}' \; \
+ && curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > /etc/nginx/ssl.conf \
+ && chmod +x /entrypoint_host.sh
+
+VOLUME ["/var/cache/nginx", "/var/run"]
+
+ENTRYPOINT ["/entrypoint_host.sh"]
+CMD ["nginx", "-g", "daemon off;"]
diff --git a/compose/nginx/conf/mime.types b/compose/nginx/conf/mime.types
new file mode 100644
index 0000000..ab17fb5
--- /dev/null
+++ b/compose/nginx/conf/mime.types
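Review bot: The TLS policy is fetched at build time from certbot's `master` branch with `curl -s` — unpinned, unverified and, because `-f` is absent, a 404 or proxy error page would be written into `/etc/nginx/ssl.conf` and silently `include`d by the 443 vhost. This repo already vendors the identical file at `compose/nginx/conf/ssl.conf`, so replace the curl step with `COPY conf/ssl.conf /etc/nginx/ssl.conf` (the commented `#COPY conf /etc/nginx` line suggests that was the intent); the image then builds reproducibly and offline. If a remote fetch is kept, pin a release tag and add `-f` plus a `sha256sum -c` check. The same `find /` note as on the cloud image applies here: add `-xdev` so the walk stays on the image filesystem.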
@@ -0,0 +1,105 @@ +types { + application/java-archive jar war ear; + application/javascript js; + application/json json; + application/mac-binhex40 hqx; + application/msword doc; + application/ogg ogx; + application/pdf pdf; + application/postscript ps eps ai; + application/rss+xml rss; + application/rtf rtf; + application/zip zip; + + application/octet-stream bin exe dll; + application/octet-stream deb; + application/octet-stream dmg; + application/octet-stream eot; + application/octet-stream iso img; + application/octet-stream msi msp msm; + + application/vnd.apple.mpegurl m3u8; + application/vnd.google-earth.kml+xml kml; + application/vnd.google-earth.kmz kmz; + application/vnd.ms-excel xls; + application/vnd.ms-fontobject eot; + application/vnd.ms-powerpoint ppt; + application/vnd.oasis.opendocument.graphics odg; + application/vnd.oasis.opendocument.presentation odp; + application/vnd.oasis.opendocument.spreadsheet ods; + application/vnd.oasis.opendocument.text odt; + application/vnd.openxmlformats-officedocument.presentationml.presentation pptx; + application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx; + application/vnd.openxmlformats-officedocument.wordprocessingml.document docx; + application/vnd.wap.wmlc wmlc; + + application/atom+xml atom; + application/gpx+xml gpx; + application/xaml+xml xaml; + application/xhtml+xml xhtml; + application/xspf+xml xspf; + + application/x-7z-compressed 7z; + application/x-cocoa cco; + application/x-java-archive-diff jardiff; + application/x-java-jnlp-file jnlp; + application/x-javascript js; + application/x-makeself run; + application/x-perl pl pm; + application/x-pilot prc pdb; + application/x-rar-compressed rar; + application/x-redhat-package-manager rpm; + application/x-sea sea; + application/x-shockwave-flash swf; + application/x-silverlight-app xap; + application/x-stuffit sit; + application/x-tcl tcl tk; + application/x-x509-ca-cert der pem crt; + application/x-xpinstall xpi; + + audio/midi mid midi 
kar; + audio/mpeg mpga mpega mp2 mp3 m4a; + audio/oga oga; + audio/ogg ogg; + audio/wav wav; + audio/webm weba; + audio/x-m4a m4a; + audio/x-realaudio ra; + + font/woff2 woff2; + font/woff woff; + + image/gif gif; + image/jpeg jpeg jpg; + image/png png; + image/svg+xml svg svgz; + image/tiff tif tiff; + image/vnd.wap.wbmp wbmp; + image/webp webp; + image/x-icon ico; + image/x-jng jng; + image/x-ms-bmp bmp; + + text/css css; + text/html html htm shtml; + text/mathml mml; + text/plain txt; + text/vnd.sun.j2me.app-descriptor jad; + text/vnd.wap.wml wml; + text/x-component htc; + text/xml xml rss; + + video/3gpp 3gpp 3gp; + video/mp2t ts; + video/mp4 mp4; + video/mpeg mpeg mpg mpe; + video/ogg ogv; + video/quicktime mov; + video/webm webm; + video/x-flv flv; + video/x-m4v m4v; + video/x-mng mng; + video/x-ms-asf asx asf; + video/x-msvideo avi; + video/x-ms-wmv wmv; +} diff --git a/compose/nginx/conf/nginx.conf b/compose/nginx/conf/nginx.conf new file mode 100644 index 0000000..b2cd543 --- /dev/null +++ b/compose/nginx/conf/nginx.conf 
@@ -0,0 +1,49 @@
+
+user nginx;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+pid /var/run/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] $host "$request"'
+ ' $status $body_bytes_sent "$http_referer" '
+ '"$http_x_forwarded_for" $request_time '
+ '$upstream_response_time $gzip_ratio $sent_http_x_cache';
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+
+ keepalive_timeout 65;
+
+ server_tokens off;
+ autoindex off;
+
+ client_max_body_size 10G;
+
+ gzip on;
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_min_length 256;
+ gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+
+ geo $local_ips {
+ default 0;
+ 10.1.1.0/24 1;
+ 83.243.93.200/32 1;
+ }
+
+ include /etc/nginx/conf.d/*.conf;
+}
diff --git a/compose/nginx/conf/proxy_params b/compose/nginx/conf/proxy_params
new file mode 100644
index 0000000..7cd8b01
--- /dev/null
+++ b/compose/nginx/conf/proxy_params
@@ -0,0 +1,20 @@
+proxy_redirect off;
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP "";
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Protocol "";
+proxy_set_header X-Forwarded-Protocol $scheme;
+proxy_set_header X-Forwarded-Proto "";
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Requested-With $http_x_requested_with;
+
+proxy_headers_hash_max_size 512;
+proxy_headers_hash_bucket_size 128;
+
+client_body_buffer_size 128k;
+proxy_connect_timeout 60;
+proxy_send_timeout 300;
+proxy_read_timeout 300;
+proxy_buffers 32 8k;
+proxy_request_buffering off;
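Review bot: The `geo $local_ips` map hard-codes what looks like an operator's public address (`83.243.93.200/32`) in a file tracked by git, and nothing else in this patch reads `$local_ips`, so the committed address discloses infrastructure detail without buying anything. Move the map into a gitignored include (for example `include /etc/nginx/conf.d/local_ips.conf;`, handled like `sites-enabled/*` in `.gitignore`) or drop it until a vhost actually uses it. This is inferred from the configs visible here; a vhost outside the patch may reference the variable.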
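Review bot: `X-Real-IP`, `X-Forwarded-Protocol` and `X-Forwarded-Proto` are each first set to `""` and then set again on the next line; as far as I can tell a `proxy_set_header` with a non-empty value already replaces the client's copy of that header, so the empty-value lines add nothing and read like a defense that is not one. Drop the three `""` lines, or add a comment explaining what they are meant to guard against if there is a case I am missing.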
diff --git a/compose/nginx/conf/sites-enabled/100-default.conf b/compose/nginx/conf/sites-enabled/100-default.conf
new file mode 100644
index 0000000..f1fffd2
--- /dev/null
+++ b/compose/nginx/conf/sites-enabled/100-default.conf
@@ -0,0 +1,48 @@
+server {
+ listen 80 default_server;
+ client_max_body_size 1M;
+
+ access_log off;
+ error_log off;
+ root /var/lib/nginx/html;
+
+ # display real ip in nginx logs when connected through reverse proxy via docker network
+ set_real_ip_from 172.0.0.0/8;
+ real_ip_header X-Forwarded-For;
+
+ location = /favicon.ico {
+ alias /var/www/app/datne/staticfiles/favicon.ico;
+ }
+
+ location / {
+ include /etc/nginx/proxy_params;
+ proxy_pass http://default_web_app:8000/;
+ }
+}
+server {
+ listen 443 ssl http2 default_server;
+ client_max_body_size 1M;
+
+ access_log off;
+ error_log off;
+ root /var/lib/nginx/html;
+
+ # display real ip in nginx logs when connected through reverse proxy via docker network
+ set_real_ip_from 172.0.0.0/8;
+ real_ip_header X-Forwarded-For;
+
+ ssl_certificate /etc/letsencrypt/live/karls.lv/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/karls.lv/privkey.pem; # managed by Certbot
+ include /etc/nginx/ssl.conf; # managed by Certbot
+ ssl_dhparam /etc/nginx/ssl-dhparams.pem; # managed by Certbot
+
+ location = /favicon.ico {
+ alias /var/www/app/datne/staticfiles/favicon.ico;
+ }
+
+ location / {
+ include /etc/nginx/proxy_params;
+ proxy_pass http://default_web_app:8000/;
+ }
+}
+
diff --git a/compose/nginx/conf/ssl-dhparams.pem b/compose/nginx/conf/ssl-dhparams.pem
new file mode 100644
index 0000000..9b182b7
--- /dev/null
+++ b/compose/nginx/conf/ssl-dhparams.pem
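Review bot: `set_real_ip_from 172.0.0.0/8` with `real_ip_header X-Forwarded-For` on the vhost that is itself the public edge (compose publishes 80/443 on this container) means any connection arriving from a 172.x source — e.g. traffic relayed by Docker's userland proxy, which shows up from the bridge gateway — can choose its own `$remote_addr` by sending an `X-Forwarded-For` header, and that spoofed address is then passed upstream as `X-Real-IP` and logged by the gunicorn app. There is no trusted proxy in front of nginx in this patch, so delete the two `real_ip` lines or narrow them to the single address of an actual upstream proxy (Docker's pools live in 172.16.0.0/12, so `/8` is over-broad either way). Two smaller points: `error_log off;` is not a switch in nginx — it opens a log file literally named `off` under the prefix directory — so use `error_log /dev/null;` or drop the line; and the port-80 server proxies everything in clear text instead of `return 301 https://$host$request_uri;`.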
@@ -0,0 +1,8 @@ +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== +-----END DH PARAMETERS----- diff --git a/compose/nginx/conf/ssl.conf b/compose/nginx/conf/ssl.conf new file mode 100644 index 0000000..978e6e8 --- /dev/null +++ b/compose/nginx/conf/ssl.conf @@ -0,0 +1,14 @@ +# This file contains important security parameters. If you modify this file +# manually, Certbot will be unable to automatically provide future security +# updates. Instead, Certbot will print and log an error message with a path to +# the up-to-date file that you will need to refer to when manually updating +# this file. + +ssl_session_cache shared:le_nginx_SSL:10m; +ssl_session_timeout 1440m; +ssl_session_tickets off; + +ssl_protocols TLSv1.2 TLSv1.3; +ssl_prefer_server_ciphers off; + +ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; diff --git a/compose/nginx/conf/uwsgi_params b/compose/nginx/conf/uwsgi_params new file mode 100644 index 0000000..43c9665 --- /dev/null +++ b/compose/nginx/conf/uwsgi_params 
@@ -0,0 +1,19 @@ +uwsgi_param QUERY_STRING $query_string; +uwsgi_param REQUEST_METHOD $request_method; +uwsgi_param CONTENT_TYPE $content_type; +uwsgi_param CONTENT_LENGTH $content_length; + +uwsgi_param REQUEST_URI $request_uri; +uwsgi_param PATH_INFO $document_uri; +uwsgi_param DOCUMENT_ROOT $document_root; +uwsgi_param SERVER_PROTOCOL $server_protocol; +uwsgi_param REQUEST_SCHEME $scheme; +uwsgi_param HTTPS $https if_not_empty; + +uwsgi_param REMOTE_ADDR $remote_addr; +uwsgi_param REMOTE_PORT $remote_port; +uwsgi_param SERVER_PORT $server_port; +uwsgi_param SERVER_NAME $server_name; + +uwsgi_param UWSGI_SCHEME $scheme; + diff --git a/compose/nginx/defaults/fastcgi.conf b/compose/nginx/defaults/fastcgi.conf new file mode 100644 index 0000000..091738c --- /dev/null +++ b/compose/nginx/defaults/fastcgi.conf @@ -0,0 +1,26 @@ + +fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; +fastcgi_param QUERY_STRING $query_string; +fastcgi_param REQUEST_METHOD $request_method; +fastcgi_param CONTENT_TYPE $content_type; +fastcgi_param CONTENT_LENGTH $content_length; + +fastcgi_param SCRIPT_NAME $fastcgi_script_name; +fastcgi_param REQUEST_URI $request_uri; +fastcgi_param DOCUMENT_URI $document_uri; +fastcgi_param DOCUMENT_ROOT $document_root; +fastcgi_param SERVER_PROTOCOL $server_protocol; +fastcgi_param REQUEST_SCHEME $scheme; +fastcgi_param HTTPS $https if_not_empty; + +fastcgi_param GATEWAY_INTERFACE CGI/1.1; +fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; + +fastcgi_param REMOTE_ADDR $remote_addr; +fastcgi_param REMOTE_PORT $remote_port; +fastcgi_param SERVER_ADDR $server_addr; +fastcgi_param SERVER_PORT $server_port; +fastcgi_param SERVER_NAME $server_name; + +# PHP only, required if PHP was built with --enable-force-cgi-redirect +fastcgi_param REDIRECT_STATUS 200; diff --git a/compose/nginx/defaults/fastcgi_params b/compose/nginx/defaults/fastcgi_params new file mode 100644 index 0000000..28decb9 --- /dev/null 
+++ b/compose/nginx/defaults/fastcgi_params @@ -0,0 +1,25 @@ + +fastcgi_param QUERY_STRING $query_string; +fastcgi_param REQUEST_METHOD $request_method; +fastcgi_param CONTENT_TYPE $content_type; +fastcgi_param CONTENT_LENGTH $content_length; + +fastcgi_param SCRIPT_NAME $fastcgi_script_name; +fastcgi_param REQUEST_URI $request_uri; +fastcgi_param DOCUMENT_URI $document_uri; +fastcgi_param DOCUMENT_ROOT $document_root; +fastcgi_param SERVER_PROTOCOL $server_protocol; +fastcgi_param REQUEST_SCHEME $scheme; +fastcgi_param HTTPS $https if_not_empty; + +fastcgi_param GATEWAY_INTERFACE CGI/1.1; +fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; + +fastcgi_param REMOTE_ADDR $remote_addr; +fastcgi_param REMOTE_PORT $remote_port; +fastcgi_param SERVER_ADDR $server_addr; +fastcgi_param SERVER_PORT $server_port; +fastcgi_param SERVER_NAME $server_name; + +# PHP only, required if PHP was built with --enable-force-cgi-redirect +fastcgi_param REDIRECT_STATUS 200; diff --git a/compose/nginx/defaults/mime.types b/compose/nginx/defaults/mime.types new file mode 100644 index 0000000..2961256 --- /dev/null +++ b/compose/nginx/defaults/mime.types 
@@ -0,0 +1,97 @@ + +types { + text/html html htm shtml; + text/css css; + text/xml xml; + image/gif gif; + image/jpeg jpeg jpg; + application/javascript js; + application/atom+xml atom; + application/rss+xml rss; + + text/mathml mml; + text/plain txt; + text/vnd.sun.j2me.app-descriptor jad; + text/vnd.wap.wml wml; + text/x-component htc; + + image/png png; + image/svg+xml svg svgz; + image/tiff tif tiff; + image/vnd.wap.wbmp wbmp; + image/webp webp; + image/x-icon ico; + image/x-jng jng; + image/x-ms-bmp bmp; + + font/woff woff; + font/woff2 woff2; + + application/java-archive jar war ear; + application/json json; + application/mac-binhex40 hqx; + application/msword doc; + application/pdf pdf; + application/postscript ps eps ai; + application/rtf rtf; + application/vnd.apple.mpegurl m3u8; + application/vnd.google-earth.kml+xml kml; + application/vnd.google-earth.kmz kmz; + application/vnd.ms-excel xls; + application/vnd.ms-fontobject eot; + application/vnd.ms-powerpoint ppt; + application/vnd.oasis.opendocument.graphics odg; + application/vnd.oasis.opendocument.presentation odp; + application/vnd.oasis.opendocument.spreadsheet ods; + application/vnd.oasis.opendocument.text odt; + application/vnd.openxmlformats-officedocument.presentationml.presentation + pptx; + application/vnd.openxmlformats-officedocument.spreadsheetml.sheet + xlsx; + application/vnd.openxmlformats-officedocument.wordprocessingml.document + docx; + application/vnd.wap.wmlc wmlc; + application/x-7z-compressed 7z; + application/x-cocoa cco; + application/x-java-archive-diff jardiff; + application/x-java-jnlp-file jnlp; + application/x-makeself run; + application/x-perl pl pm; + application/x-pilot prc pdb; + application/x-rar-compressed rar; + application/x-redhat-package-manager rpm; + application/x-sea sea; + application/x-shockwave-flash swf; + application/x-stuffit sit; + application/x-tcl tcl tk; + application/x-x509-ca-cert der pem crt; + application/x-xpinstall xpi; + application/xhtml+xml 
xhtml; + application/xspf+xml xspf; + application/zip zip; + + application/octet-stream bin exe dll; + application/octet-stream deb; + application/octet-stream dmg; + application/octet-stream iso img; + application/octet-stream msi msp msm; + + audio/midi mid midi kar; + audio/mpeg mp3; + audio/ogg ogg; + audio/x-m4a m4a; + audio/x-realaudio ra; + + video/3gpp 3gpp 3gp; + video/mp2t ts; + video/mp4 mp4; + video/mpeg mpeg mpg; + video/quicktime mov; + video/webm webm; + video/x-flv flv; + video/x-m4v m4v; + video/x-mng mng; + video/x-ms-asf asx asf; + video/x-ms-wmv wmv; + video/x-msvideo avi; +} diff --git a/compose/nginx/defaults/nginx.conf b/compose/nginx/defaults/nginx.conf new file mode 100644 index 0000000..5e076aa --- /dev/null +++ b/compose/nginx/defaults/nginx.conf @@ -0,0 +1,32 @@ + +user nginx; +worker_processes auto; + +error_log /var/log/nginx/error.log notice; +pid /var/run/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + #gzip on; + + include /etc/nginx/conf.d/*.conf; +} diff --git a/compose/nginx/defaults/scgi_params b/compose/nginx/defaults/scgi_params new file mode 100644 index 0000000..6d4ce4f --- /dev/null +++ b/compose/nginx/defaults/scgi_params 
@@ -0,0 +1,17 @@ + +scgi_param REQUEST_METHOD $request_method; +scgi_param REQUEST_URI $request_uri; +scgi_param QUERY_STRING $query_string; +scgi_param CONTENT_TYPE $content_type; + +scgi_param DOCUMENT_URI $document_uri; +scgi_param DOCUMENT_ROOT $document_root; +scgi_param SCGI 1; +scgi_param SERVER_PROTOCOL $server_protocol; +scgi_param REQUEST_SCHEME $scheme; +scgi_param HTTPS $https if_not_empty; + +scgi_param REMOTE_ADDR $remote_addr; +scgi_param REMOTE_PORT $remote_port; +scgi_param SERVER_PORT $server_port; +scgi_param SERVER_NAME $server_name; diff --git a/compose/nginx/defaults/ssl.conf b/compose/nginx/defaults/ssl.conf new file mode 100644 index 0000000..978e6e8 --- /dev/null +++ b/compose/nginx/defaults/ssl.conf @@ -0,0 +1,14 @@ +# This file contains important security parameters. If you modify this file +# manually, Certbot will be unable to automatically provide future security +# updates. Instead, Certbot will print and log an error message with a path to +# the up-to-date file that you will need to refer to when manually updating +# this file. + +ssl_session_cache shared:le_nginx_SSL:10m; +ssl_session_timeout 1440m; +ssl_session_tickets off; + +ssl_protocols TLSv1.2 TLSv1.3; +ssl_prefer_server_ciphers off; + +ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; diff --git a/compose/nginx/defaults/uwsgi_params b/compose/nginx/defaults/uwsgi_params new file mode 100644 index 0000000..09c732c --- /dev/null +++ b/compose/nginx/defaults/uwsgi_params 
@@ -0,0 +1,17 @@
+
+uwsgi_param QUERY_STRING $query_string;
+uwsgi_param REQUEST_METHOD $request_method;
+uwsgi_param CONTENT_TYPE $content_type;
+uwsgi_param CONTENT_LENGTH $content_length;
+
+uwsgi_param REQUEST_URI $request_uri;
+uwsgi_param PATH_INFO $document_uri;
+uwsgi_param DOCUMENT_ROOT $document_root;
+uwsgi_param SERVER_PROTOCOL $server_protocol;
+uwsgi_param REQUEST_SCHEME $scheme;
+uwsgi_param HTTPS $https if_not_empty;
+
+uwsgi_param REMOTE_ADDR $remote_addr;
+uwsgi_param REMOTE_PORT $remote_port;
+uwsgi_param SERVER_PORT $server_port;
+uwsgi_param SERVER_NAME $server_name;
diff --git a/compose/nginx/entrypoint_host.sh b/compose/nginx/entrypoint_host.sh
new file mode 100644
index 0000000..78b21be
--- /dev/null
+++ b/compose/nginx/entrypoint_host.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+HOST_DOMAIN="host.docker.internal"
+ping -q -c1 $HOST_DOMAIN > /dev/null 2>&1
+if [ $? -ne 0 ]; then
+ HOST_IP=$(ip route | awk 'NR==1 {print $3}')
+ echo -e "$HOST_IP\t$HOST_DOMAIN" >> /etc/hosts
+fi
+
+/bin/sh /docker-entrypoint.sh "$@"
diff --git a/compose/pgdb/docker-entrypoint-initdb.d/00-init-users-db.sh.example b/compose/pgdb/docker-entrypoint-initdb.d/00-init-users-db.sh.example
new file mode 100644
index 0000000..53992c6
--- /dev/null
+++ b/compose/pgdb/docker-entrypoint-initdb.d/00-init-users-db.sh.example
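Review bot: The last line runs the real entrypoint as a child process (`/bin/sh /docker-entrypoint.sh "$@"`), so PID 1 stays this wrapper shell, which does not forward `SIGTERM`/`SIGQUIT`; `docker stop` therefore waits out the grace period and SIGKILLs nginx, skipping its graceful shutdown. Make it `exec /docker-entrypoint.sh "$@"` (the upstream script already ends in `exec "$@"`). Also quote `"$HOST_DOMAIN"` in the `ping` call and prefer `if ! ping -q -c1 "$HOST_DOMAIN" >/dev/null 2>&1; then` over testing `$?` afterwards; `ip route | awk 'NR==1 {print $3}'` assumes the default route is printed first, which holds for a plain Docker bridge but deserves a comment.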
@@ -0,0 +1,26 @@
+#!/bin/bash
+set -e
+
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+ CREATE USER books WITH PASSWORD 'books';
+ CREATE DATABASE books;
+ GRANT ALL PRIVILEGES ON DATABASE books TO books;
+EOSQL
+
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+ CREATE USER fuelkeeper WITH PASSWORD 'fuelkeeper';
+ CREATE DATABASE fuelkeeper;
+ GRANT ALL PRIVILEGES ON DATABASE fuelkeeper TO fuelkeeper;
+EOSQL
+
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+ CREATE USER nextcloud WITH PASSWORD 'nextcloud';
+ CREATE DATABASE nextcloud;
+ GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud;
+EOSQL
+
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+ CREATE USER gitea WITH PASSWORD 'gitea';
+ CREATE DATABASE gitea;
+ GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea;
+EOSQL
diff --git a/default.env b/default.env
new file mode 100644
index 0000000..24e1602
--- /dev/null
+++ b/default.env
@@ -0,0 +1,7 @@
+cloud_data=/path/to/data/nextcloud
+datne_media=/path/to/data/files
+datne_target=/path/to/data/files
+certbot_path=./compose/cb
+
+datne_git_path="git@gitlab.com:keriks/datne.git"
+fuelkeeper_git_path="git@bitbucket.org:keriks/fuelkeeper.git"
diff --git a/default.env_certbot b/default.env_certbot
new file mode 100644
index 0000000..20510c5
--- /dev/null
+++ b/default.env_certbot
@@ -0,0 +1,3 @@
+DIGITALOCEAN_TOKEN=
+DOMAINS="main example.com|secrets secret.example.com|testing test.example.com *.test.example.com"
+ADMIN_EMAIL=domain@example.com
diff --git a/default.env_cloud b/default.env_cloud
new file mode 100644
index 0000000..b8c0d78
--- /dev/null
+++ b/default.env_cloud
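Review bot: Every role created here gets a password equal to its username (`books`/`books`, `gitea`/`gitea`, …), and the same values are repeated as defaults in `default.env_cloud` and `default.env_gitea` in this patch, so copying the templates without editing yields a working stack with guessable database credentials. The `.example` suffix and the `*.sh` ignore rule keep the real file out of git, but the template should still force a change: use an unmistakable placeholder such as `WITH PASSWORD 'CHANGE_ME_books'`, or read each password from the environment (`WITH PASSWORD '$BOOKS_DB_PASSWORD'` with `set -u` so a missing one aborts the init). Exposure is limited to the compose network because `pgdb` publishes no ports, but the public-facing echo app, qbittorrent and yopass all sit on that same network.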
@@ -0,0 +1,19 @@
+POSTGRES_HOST=pgdb
+POSTGRES_USER=nextcloud
+POSTGRES_PASSWORD=nextcloud
+POSTGRES_DB=nextcloud
+
+# NEXTCLOUD_ADMIN_USER=admin
+# NEXTCLOUD_ADMIN_PASSWORD=adminPassword
+NEXTCLOUD_TRUSTED_DOMAINS="nextcloud.example.com files.example.com nextcloud.example.org"
+PHP_UPLOAD_LIMIT=10G
+
+REDIS_HOST=redis
+
+SMTP_HOST=mail.example.com
+SMTP_SECURE=tls
+SMTP_PORT=465
+SMTP_AUTHTYPE=plain
+SMTP_NAME=nextcloud-user@example.com
+SMTP_PASSWORD=nc_smtp_password
+MAIL_FROM_ADDRESS=nextcloud-user@example.com
diff --git a/default.env_db b/default.env_db
new file mode 100644
index 0000000..972226b
--- /dev/null
+++ b/default.env_db
@@ -0,0 +1 @@
+POSTGRES_PASSWORD=postgresSystemPassword
diff --git a/default.env_gitea b/default.env_gitea
new file mode 100644
index 0000000..95c32c0
--- /dev/null
+++ b/default.env_gitea
@@ -0,0 +1,6 @@
+GITEA__database__DB_TYPE=postgres
+GITEA__database__HOST=pgdb:5432
+GITEA__database__NAME=gitea
+GITEA__database__USER=gitea
+GITEA__database__PASSWD=gitea
+
diff --git a/docker-compose.yaml b/docker-compose.yaml
new file mode 100644
index 0000000..7ab80a6
--- /dev/null
+++ b/docker-compose.yaml
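Review bot: `SMTP_SECURE=tls` paired with `SMTP_PORT=465` looks inconsistent: in Nextcloud's `mail_smtpsecure` setting `tls` means STARTTLS (normally port 587) while implicit TLS on 465 is `ssl`, so with this pairing the mail connection would most likely fail to negotiate rather than fall back to plaintext. Pick one combination — `SMTP_SECURE=ssl` with 465, or `SMTP_SECURE=tls` with 587. Also consider a placeholder like `SMTP_PASSWORD=CHANGE_ME` so a copied template cannot accidentally ship with `nc_smtp_password` in place.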
@@ -0,0 +1,186 @@ +version: '3.9' + +services: + nginx: + build: + context: ./compose/nginx + dockerfile: Dockerfile + ports: + - "80:80" + - "443:443" + restart: always + volumes: + - ./compose/nginx/conf/nginx.conf:/etc/nginx/nginx.conf:ro + - ./compose/nginx/conf/sites-enabled:/etc/nginx/conf.d:ro + - ./compose/nginx/conf/proxy_params:/etc/nginx/proxy_params:ro + - ./compose/nginx/conf/ssl-dhparams.pem:/etc/nginx/ssl-dhparams.pem:ro + - ./compose/nginx/conf/registry.htpasswd:/etc/nginx/registry.htpasswd:ro + + - fuelkeeper_static:/var/www/app/fuelkeeper/staticfiles:ro + - fuelkeeper_media:/var/www/app/fuelkeeper/media:ro + + - books_static:/var/www/app/books/static:ro + - books_media:/var/www/app/books/media:ro + + - ${datne_static}:/var/www/app/datne/staticfiles:ro + - ${datne_media}:/var/www/app/datne/media:ro + + - nextcloud:/var/www/app/cloud:ro + - ${cloud_data}:/var/www/app/cloud/data:ro + + - certbot_certs:/etc/letsencrypt:ro + - ./projects/72_lv:/var/www/72_lv:ro + depends_on: + - default_web_app + - fuelkeeper + - books + - datne + - cloud + - yopass + - certbot + - registry + - vardadienas + + qbit: + image: lscr.io/linuxserver/qbittorrent + environment: + - PUID=1000 + - PGID=1001 + - TZ=UTC + volumes: + - qbit_config:/config + - ${datne_target}:/downloads + ports: + - "30000:30000" + - "30000:30000/udp" + restart: unless-stopped + + fuelkeeper: + image: registry.72.lv/fuelkeeper:latest + volumes: + - fuelkeeper_static:/app/staticfiles + - fuelkeeper_media:/app/fuelkeeper/media + env_file: ./projects/fuelkeeper/.env + restart: unless-stopped + security_opt: + - no-new-privileges + depends_on: + - redis + - pgdb + + books: + image: registry.72.lv/bookkeeping:latest + volumes: + - books_static:/app/static + - books_media:/app/media + - ./projects/bookkeeping:/app + env_file: ./projects/bookkeeping/.env + restart: unless-stopped + security_opt: + - no-new-privileges + depends_on: + - pgdb + + datne: + image: registry.72.lv/datne:latest + volumes: + - 
${datne_media}:/media + - ${datne_static}:/app/static + restart: unless-stopped + security_opt: + - no-new-privileges + + default_web_app: + build: + context: ./projects/default + dockerfile: Dockerfile + restart: unless-stopped + security_opt: + - no-new-privileges + + redis: + image: redis:alpine + restart: always + + cloud: + build: + context: ./compose/cloud + dockerfile: Dockerfile + env_file: .env_cloud + volumes: + - nextcloud:/var/www/html + - ${cloud_data}:/var/www/html/data + restart: always + links: + - pgdb + - redis + + pgdb: + image: postgres:13-alpine + restart: always + volumes: + - ./compose/pgdb/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d:ro + - pgdb:/var/lib/postgresql/data + env_file: + - .env_db + + yopass: + image: jhaals/yopass + restart: always + command: "--redis=redis://redis:6379/1 --database=redis" + depends_on: + - redis + + vardadienas: + image: registry.72.lv/flask-namedays:latest + restart: always + security_opt: + - no-new-privileges + + certbot: + image: certbot/dns-digitalocean:latest + entrypoint: /cb_init.sh + restart: unless-stopped + volumes: + - ./compose/certbot/init.sh:/cb_init.sh + - certbot_certs:/etc/letsencrypt + - /var/log/letsencrypt + env_file: + - .env_certbot + + registry: + image: registry:2 + restart: unless-stopped + volumes: + - registry:/var/lib/registry + + gitea: + image: gitea/gitea:latest-rootless + restart: always + volumes: + - gitea-data:/var/lib/gitea + - gitea-config:/etc/gitea + - /etc/timezone:/etc/timezone:ro + - /etc/localtime:/etc/localtime:ro + ports: + - "22:22" + environment: + - USER_UID=1000 + - USER_GID=1000 + env_file: + - .env_gitea + + + +volumes: + books_media: {} + books_static: {} + fuelkeeper_media: {} + fuelkeeper_static: {} + nextcloud: {} + pgdb: {} + certbot_certs: {} + registry: {} + gitea-data: {} + gitea-config: {} + qbit_config: {} diff --git a/install_docker.sh b/install_docker.sh new file mode 100755 index 0000000..7c6d8c3 --- /dev/null +++ b/install_docker.sh 
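Review bot: Every service lands on the single default network, and `redis` runs with no authentication while `yopass` stores the secrets it shares in that same instance (`--redis=redis://redis:6379/1`), so any other container — the unauthenticated echo app that is nginx's `default_server` upstream, qbittorrent with its published peer port, the registry — can read or wipe those secrets and reach `pgdb` with the weak defaults this patch ships. Split the stack into per-tier networks so only the consumers of a datastore can reach it, and follow up with `redis-server --requirepass` once the clients carry a credential. Two environment-dependent points, so hedged: `gitea` publishes `"22:22"`, which collides with the host's own sshd and, for the rootless image, targets a container port it does not listen on (that image uses 2222); and `qbit`, `certbot`, `gitea` and `redis` pull floating tags (`:latest`, `:alpine`), so a routine `pull` can change the running software without review — pin tags or digests.

```yaml
services:
  nginx:
    # … unchanged …
    networks: [frontend]
  redis:
    image: redis:alpine
    restart: always
    networks: [backend]
  pgdb:
    # … unchanged …
    networks: [backend]
  yopass:
    # … unchanged …
    networks: [frontend, backend]
  # … every app nginx proxies joins frontend; only the apps that use pgdb/redis also join backend …

networks:
  frontend: {}
  backend:
    internal: true
```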
@@ -0,0 +1,9 @@
+sudo apt update && \
+ sudo apt install apt-transport-https ca-certificates curl gnupg-agent software-properties-common && \
+ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - && \
+ sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" && \
+ sudo apt update && \
+ sudo apt install docker-ce docker-ce-cli containerd.io && \
+ sudo usermod -aG docker eriks && \
+ sudo curl -L https://github.com/docker/compose/releases/download/1.29.2/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose && \
+ sudo chmod +x /usr/local/bin/docker-compose
diff --git a/projects/default/.dockerignore b/projects/default/.dockerignore
new file mode 100644
index 0000000..0d368d1
--- /dev/null
+++ b/projects/default/.dockerignore
@@ -0,0 +1,3 @@
+venv
+.git
+.idea
diff --git a/projects/default/Dockerfile b/projects/default/Dockerfile
new file mode 100644
index 0000000..4038e04
--- /dev/null
+++ b/projects/default/Dockerfile
@@ -0,0 +1,8 @@
+FROM python:alpine
+
+WORKDIR /app
+RUN pip install Flask==2.1.0 gunicorn==20.1.0
+COPY . /app
+
+
+ENTRYPOINT ["gunicorn", "-c", "config.py", "app:app"]
diff --git a/projects/default/app.py b/projects/default/app.py
new file mode 100644
index 0000000..0e0eccc
--- /dev/null
+++ b/projects/default/app.py
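Review bot: The docker-compose binary is downloaded from GitHub and marked executable with no integrity check, so a tampered download or a MITM on the redirect is installed straight into `/usr/local/bin`; verify it against the checksum published with the release before the `chmod`, e.g. `echo "<expected sha256 from the 1.29.2 release page>  /usr/local/bin/docker-compose" | sudo sha256sum -c -`. `curl … | sudo apt-key add -` relies on the deprecated `apt-key` keyring; current Ubuntu expects the key under `/etc/apt/keyrings/` referenced via `[signed-by=…]` in the `deb` line. The script has no shebang and hard-codes a personal account in `sudo usermod -aG docker eriks` — docker-group membership is root-equivalent, so take the user from `"$SUDO_USER"` or an argument rather than baking one name into a shared script.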
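Review bot: The final image runs gunicorn as root (no `USER`), builds from the floating `python:alpine` tag, and repeats the dependency list in `RUN pip install Flask==2.1.0 gunicorn==20.1.0` even though `requirements.txt` with the same pins is added in this commit. Installing from `requirements.txt` in its own layer leaves one source of truth and keeps the install cached independently of `COPY . /app`; an unprivileged user is enough because gunicorn's default port 8000 is unprivileged. `--no-cache-dir` stops the pip cache being baked into the layer.
```dockerfile
# TODO: pin to a specific 3.x tag (or digest) instead of the floating default
FROM python:alpine

WORKDIR /app
COPY requirements.txt ./
RUN pip install --no-cache-dir -r requirements.txt \
    && adduser -S -D -H -h /app app
COPY --chown=app:app . /app

USER app
ENTRYPOINT ["gunicorn", "-c", "config.py", "app:app"]
```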
@@ -0,0 +1,41 @@
+import datetime
+from flask import Flask, render_template, jsonify, request
+
+app = Flask(__name__)
+
+
+@app.context_processor
+def inject_now():
+ return {"now": datetime.datetime.utcnow()}
+
+
+@app.errorhandler(404)
+def page_not_found(e):
+ return render_template("404.html"), 404
+
+
+@app.route("/")
+def index():
+ return render_template("index.html")
+
+
+@app.route("/req", methods=["GET", "POST"])
+def detailed():
+ return render_template("request.html")
+
+
+@app.route("/json", methods=["GET", "POST"])
+def detailed_json():
+ data = dict(
+ headers={str(k): str(v) for k, v in request.headers},
+ get={k: request.args.getlist(k) for k in request.args},
+ post={k: request.form.getlist(k) for k in request.form},
+ form_data=request.form,
+ json_data=request.get_json() if request.is_json else None
+ )
+ return jsonify(data)
+
+
+
+if __name__ == "__main__":
+ app.run()
diff --git a/projects/default/config.py b/projects/default/config.py
new file mode 100644
index 0000000..0c9c8a8
--- /dev/null
+++ b/projects/default/config.py
@@ -0,0 +1,10 @@
+backlog = 128
+
+workers = 2
+
+bind = "0.0.0.0"
+
+accesslog = errorlog = "-"
+loglevel = "info"
+
+access_log_format = '%(t)s[%({x-forwarded-for}i)s] "%(r)s" %(s)s %(b)s (From: "%(f)s") "%(a)s"'
diff --git a/projects/default/requirements.txt b/projects/default/requirements.txt
new file mode 100644
index 0000000..5c02b98
--- /dev/null
+++ b/projects/default/requirements.txt
@@ -0,0 +1,2 @@
+Flask==2.1.0
+gunicorn==20.1.0
diff --git a/projects/default/templates/404.html b/projects/default/templates/404.html
new file mode 100644
index 0000000..adb7b97
--- /dev/null
+++ b/projects/default/templates/404.html
@@ -0,0 +1 @@
+404
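Review bot: In `detailed_json`, `request.get_json()` raises a 400 when the Content-Type says JSON but the body does not parse, and that error is rendered by Flask's default HTML error page rather than as JSON like every other response from this endpoint; `json_data=request.get_json(silent=True) if request.is_json else None` returns `None` for a bad body and keeps the endpoint's JSON contract. `form_data=request.form` carries the same information as the `post=` entry on the line above and can be dropped. In `config.py` (same line), `bind = "0.0.0.0"` relies on gunicorn's implicit default port; `bind = "0.0.0.0:8000"` states the contract nginx proxies to explicitly.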
Error 404: Not Found
diff --git a/projects/default/templates/index.html b/projects/default/templates/index.html new file mode 100644 index 0000000..2ca3b95 --- /dev/null +++ b/projects/default/templates/index.html @@ -0,0 +1,25 @@ + + + +Welcome to nginx! + + + +

Welcome to nginx!

+

If you see this page, the nginx web server is successfully installed and +working. Further configuration is required.

+ +

For online documentation and support please refer to +nginx.org.
+Commercial support is available at +nginx.com.

+ +

Thank you for using nginx.

+ + diff --git a/projects/default/templates/request.html b/projects/default/templates/request.html new file mode 100644 index 0000000..aeaa90a --- /dev/null +++ b/projects/default/templates/request.html @@ -0,0 +1,176 @@ + + + + + + + + + + + karls.lv - Request Details + + +
+
+
+

Request info:

+

User-Agent: {{ request.user_agent }}

+

Client IP: {{ request.headers['X-Real-Ip'] }}
+ {%- if request.environ.X_REAL_IP -%} + Real IP: {{ request.environ.X_REAL_IP }}
{% endif %} + {%- if request.environ.X_FORWARDED_FOR -%} + Forwarder for IP: {{ request.environ.X_FORWARDED_FOR }} +
{% endif -%} +

+ {% if request.args %}
+

Query data:

+
+ + + {% for k in request.args.keys() %}{% for v in request.args.getlist(k) %}{% endfor %}{% endfor %} +
KeyValue
{{ k }}{{ v }}
+
{% endif -%} + {% if request.form %}
+

Form data:

+
+ + + {% for k in request.form.keys() %}{% for v in request.form.getlist(k) %}{% endfor %}{% endfor %} +
KeyValue
{{ k }}{{ v }}
+
{% endif -%} + {% if request.is_json %}
+

JSON data:

+ {{ request.get_json() }}{% endif -%} +
+

Headers:

+
+ + + {% for k,v in request.headers.items() %}{% endfor %} +
KeyValue
{{ k }}{{ v }}
+
+
+

Browser's JS data:

+
+ + + + + + + + + + + + + + + + +
KindValue
OS Name
OS Version
Browser Name
Browser Version
Browser Cookies
Navigator UA
Navigator Platform
Navigator Version
Navigator Vendor
Navigator Online
Screen Resolution
Screen Resolution
+
+
+
+
+ + + + diff --git a/update_all.sh b/update_all.sh new file mode 100755 index 0000000..b715879 --- /dev/null +++ b/update_all.sh @@ -0,0 +1,5 @@ +#!/bin/sh + +/usr/local/bin/docker-compose pull --include-deps --quiet +/usr/local/bin/docker-compose build --pull --quiet +/usr/local/bin/docker-compose up --build --quiet-pull --detach --force-recreate
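Review bot: The two `{%- if request.environ.X_REAL_IP -%}` / `{%- if request.environ.X_FORWARDED_FOR -%}` blocks after the `Client IP:` line can never render: WSGI exposes request headers in `environ` under `HTTP_`-prefixed keys (`HTTP_X_REAL_IP`, `HTTP_X_FORWARDED_FOR`), so both lookups resolve to Jinja's undefined value and the branches are dead. Use `request.headers.get('X-Real-Ip')` and `request.headers.get('X-Forwarded-For')`, as the `Client IP:` line already does via `request.headers`, or the `HTTP_` environ keys. Worth a template comment that these values are whatever the proxy chain forwarded and are only meaningful when nginx sets them itself, since the page presents them as the client's address. The surrounding markup is not preserved in this view, so the exact placement of the fix is inferred.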
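Review bot: Nothing stops the script when a step fails: without `set -e`, a failed `pull` or `build` still runs `up --force-recreate`, so a transient registry error or a broken build recreates the whole stack from whatever images happen to be local. Add `set -eu` on the line after the shebang. `--force-recreate` also restarts every container (including `pgdb`) on each run even when nothing changed; letting `up` recreate only services whose image or config changed avoids that downtime — confirm the forced restart is not intentional here.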