eriks/docker_system
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

cleanup (#1)

Browse Source 
Reviewed-on: #1
This commit is contained in:
eriks
2022-07-08 22:20:00 +03:00
parent ef6084326c
commit d2f5bb5fa6
22 changed files with 55 additions and 358 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -12,3 +12,4 @@ compose/qbit/config/*
!compose/pgdb/docker-entrypoint-initdb.d/
compose/pgdb/docker-entrypoint-initdb.d/*.sh
.idea

7
README.md
View File

@ -26,9 +26,6 @@
- **registry** - Privately hosted DockerRegistry (must generate `compose/nginx/conf/registry.htpasswd`
- **gitea** - Privately hosted Git server
- **default\_web\_app** - primitive Flask app to serve default nginx tempalte html and display request information at `/req` or `/json` endpoints
- **default\_web\_app** - primitive Flask app to serve default nginx template html and display request information at `/req` or `/json` endpoints
- **vardadienas** - private Flask app to generate and download customisable Latvian nameday calendar `.ics`
- **datne** - private Flask app for on-disk file browsing through WebUI
- **fuelkeeper** - private Django app
- **books** - private Django app
- **vardadienas** - Flask app to generate and download customisable Latvian nameday calendar `.ics`

0
compose/cloud/Dockerfile → compose/nextcloud/Dockerfile
View File

0
compose/cloud/entry_uid_change.sh → compose/nextcloud/entry_uid_change.sh
View File

0
compose/cloud/supervisord.conf → compose/nextcloud/supervisord.conf
View File

7
compose/nginx/Dockerfile
View File

@ -1,16 +1,11 @@
FROM nginx:stable-alpine
#COPY conf /etc/nginx
COPY ./entrypoint_host.sh /entrypoint_host.sh
RUN apk add shadow \
&& groupmod -g 1001 nginx \
&& usermod -u 1000 -g 1001 nginx \
&& find / -user 101 -exec chown -v -h 1000 '{}' \; \
&& find / -group 101 -exec chgrp -v 1001 '{}' \; \
&& curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > /etc/nginx/ssl.conf \
&& chmod +x /entrypoint_host.sh
&& find / -group 101 -exec chgrp -v 1001 '{}' \;
VOLUME ["/var/cache/nginx", "/var/run"]
ENTRYPOINT ["/entrypoint_host.sh"]
CMD ["nginx", "-g", "daemon off;"]

3
compose/nginx/conf/nginx.conf
View File

@ -42,8 +42,7 @@ http {
geo $local_ips {
default 0;
10.1.1.0/24 1;
83.243.93.200/32 1;
}
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enables/*.conf;
}

17
compose/nginx/conf/ssl-dhparams.pem
View File

@ -1,8 +1,13 @@
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
MIICCAKCAgEAzaxkoeWOsulfwhlabx/a394WaXNP33NGA0ip3qljJbWFqdpO3sgu
39he541CU3cziJGvkYXl8TTmNzZL6whFaESnx9npTP4k7s1gnF7PI8QKqlRefSnT
xhxcI1shC8L7deOM/wkEEWVn+rv0WDDzs623eOK9dA22biGZn0x9yq5NAvFnxBI7
4/DMosFspiUOoBoj5/tyXvnXWGXRxzwcmYSOE4MaZIYKYheqq6DrRyqef9mPeGQn
8dZx1a1paICIhsg2I89VwT5zwPgO1NV/w8HXB97/c07znJ3p+1xKDoxQcexGR3UK
czobKI7vuWfxxRj4T7W5Wg/jOWOXeyKqCXkX6wVyBxhTmiwcoz2oPYSIOqkOmlKk
wp6D08RRE3PJcrDP80ls1b/ChL3CZ2VfzEg9ZE2UHlikRGxNf+SGur0J/yPlZ2TZ
3l3GaBHGGEuFmRrZ+M2ZeS2v1+To2nV/jM/jJF5Xmb6FZPD/con1AYsR71oQUU+h
fTsc4W40JRbOCJTP1gwrLjq293tKJ8bN6U3tqDfLCRsJlcGUX+ZePffB1Heu6B9L
eHG6sQ7l9HM7DYkPzZldTenLuhqX7zGyxrdSlFTz/jPb8+eWSMvy54j2l8+qKgH0
i7o/yP4nrDffk0xUwUkubyX9UIY8LDyOMFttrEoLyDhzeaScSSyV6hsCAQI=
-----END DH PARAMETERS-----

3
compose/nginx/conf/ssl.conf
View File

@ -2,7 +2,7 @@
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
# this file. Contents are based on https://ssl-config.mozilla.org
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
@ -12,3 +12,4 @@ ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

26
compose/nginx/defaults/fastcgi.conf
View File

@ -1,26 +0,0 @@
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;

25
compose/nginx/defaults/fastcgi_params
View File

@ -1,25 +0,0 @@
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;

97
compose/nginx/defaults/mime.types
View File

@ -1,97 +0,0 @@
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}

32
compose/nginx/defaults/nginx.conf
View File

@ -1,32 +0,0 @@
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}

17
compose/nginx/defaults/scgi_params
View File

@ -1,17 +0,0 @@
scgi_param REQUEST_METHOD $request_method;
scgi_param REQUEST_URI $request_uri;
scgi_param QUERY_STRING $query_string;
scgi_param CONTENT_TYPE $content_type;
scgi_param DOCUMENT_URI $document_uri;
scgi_param DOCUMENT_ROOT $document_root;
scgi_param SCGI 1;
scgi_param SERVER_PROTOCOL $server_protocol;
scgi_param REQUEST_SCHEME $scheme;
scgi_param HTTPS $https if_not_empty;
scgi_param REMOTE_ADDR $remote_addr;
scgi_param REMOTE_PORT $remote_port;
scgi_param SERVER_PORT $server_port;
scgi_param SERVER_NAME $server_name;

14
compose/nginx/defaults/ssl.conf
View File

@ -1,14 +0,0 @@
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

17
compose/nginx/defaults/uwsgi_params
View File

@ -1,17 +0,0 @@
uwsgi_param QUERY_STRING $query_string;
uwsgi_param REQUEST_METHOD $request_method;
uwsgi_param CONTENT_TYPE $content_type;
uwsgi_param CONTENT_LENGTH $content_length;
uwsgi_param REQUEST_URI $request_uri;
uwsgi_param PATH_INFO $document_uri;
uwsgi_param DOCUMENT_ROOT $document_root;
uwsgi_param SERVER_PROTOCOL $server_protocol;
uwsgi_param REQUEST_SCHEME $scheme;
uwsgi_param HTTPS $https if_not_empty;
uwsgi_param REMOTE_ADDR $remote_addr;
uwsgi_param REMOTE_PORT $remote_port;
uwsgi_param SERVER_PORT $server_port;
uwsgi_param SERVER_NAME $server_name;

10
compose/nginx/entrypoint_host.sh
View File

@ -1,10 +0,0 @@
#!/bin/sh
HOST_DOMAIN="host.docker.internal"
ping -q -c1 $HOST_DOMAIN > /dev/null 2>&1
if [ $? -ne 0 ]; then
HOST_IP=$(ip route | awk 'NR==1 {print $3}')
echo -e "$HOST_IP\t$HOST_DOMAIN" >> /etc/hosts
fi
/bin/sh /docker-entrypoint.sh "$@"

12
compose/pgdb/docker-entrypoint-initdb.d/00-init-users-db.sh.example
View File

@ -2,15 +2,15 @@
set -e
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
CREATE USER books WITH PASSWORD 'books';
CREATE DATABASE books;
GRANT ALL PRIVILEGES ON DATABASE books TO books;
CREATE USER flask WITH PASSWORD 'flask';
CREATE DATABASE flask;
GRANT ALL PRIVILEGES ON DATABASE flask TO flask;
EOSQL
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
CREATE USER fuelkeeper WITH PASSWORD 'fuelkeeper';
CREATE DATABASE fuelkeeper;
GRANT ALL PRIVILEGES ON DATABASE fuelkeeper TO fuelkeeper;
CREATE USER django WITH PASSWORD 'django';
CREATE DATABASE django;
GRANT ALL PRIVILEGES ON DATABASE django TO django;
EOSQL
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL

9
default.env
View File

@ -1,7 +1,4 @@
cloud_data=/path/to/data/nextcloud
datne_media=/path/to/data/files
datne_target=/path/to/data/files
certbot_path=./compose/cb
nextcloud_data=/path/to/data/nextcloud
torrent_path=/path/to/data/files
datne_git_path="git@gitlab.com:keriks/datne.git"
fuelkeeper_git_path="git@bitbucket.org:keriks/fuelkeeper.git"
nameday_git_path="https://git.72.lv/eriks/flask-namedays"

1
default.env_certbot
View File

@ -1,3 +1,4 @@
DIGITALOCEAN_TOKEN=
DOMAINS="main example.com|secrets secret.example.com|testing test.example.com *.test.example.com"
ADMIN_EMAIL=domain@example.com
CB_STAGING=1

0
default.env_cloud → default.env_nextcloud
View File

115
docker-compose.yaml
View File

@ -10,86 +10,21 @@ services:
- "443:443"
restart: always
volumes:
- ./compose/nginx/conf/nginx.conf:/etc/nginx/nginx.conf:ro
- ./compose/nginx/conf/sites-enabled:/etc/nginx/conf.d:ro
- ./compose/nginx/conf/proxy_params:/etc/nginx/proxy_params:ro
- ./compose/nginx/conf/ssl-dhparams.pem:/etc/nginx/ssl-dhparams.pem:ro
- ./compose/nginx/conf/registry.htpasswd:/etc/nginx/registry.htpasswd:ro
- ./compose/nginx/conf:/etc/nginx:ro
- fuelkeeper_static:/var/www/app/fuelkeeper/staticfiles:ro
- fuelkeeper_media:/var/www/app/fuelkeeper/media:ro
- books_static:/var/www/app/books/static:ro
- books_media:/var/www/app/books/media:ro
- ${datne_static}:/var/www/app/datne/staticfiles:ro
- ${datne_media}:/var/www/app/datne/media:ro
- nextcloud:/var/www/app/cloud:ro
- ${cloud_data}:/var/www/app/cloud/data:ro
# All mount points are read only (:ro) - file uploads/edits are processed inside service containers
- nextcloud:/var/www/app/nextcloud:ro
- ${nextcloud_data}:/var/www/app/nextcloud/data:ro
- certbot_certs:/etc/letsencrypt:ro
- ./projects/72_lv:/var/www/72_lv:ro
depends_on:
- default_web_app
- fuelkeeper
- books
- datne
- cloud
- nextcloud
- yopass
- certbot
- registry
- gitea
- vardadienas
qbit:
image: lscr.io/linuxserver/qbittorrent
environment:
- PUID=1000
- PGID=1001
- TZ=UTC
volumes:
- qbit_config:/config
- ${datne_target}:/downloads
ports:
- "30000:30000"
- "30000:30000/udp"
restart: unless-stopped
fuelkeeper:
image: registry.72.lv/fuelkeeper:latest
volumes:
- fuelkeeper_static:/app/staticfiles
- fuelkeeper_media:/app/fuelkeeper/media
env_file: ./projects/fuelkeeper/.env
restart: unless-stopped
security_opt:
- no-new-privileges
depends_on:
- redis
- pgdb
books:
image: registry.72.lv/bookkeeping:latest
volumes:
- books_static:/app/static
- books_media:/app/media
- ./projects/bookkeeping:/app
env_file: ./projects/bookkeeping/.env
restart: unless-stopped
security_opt:
- no-new-privileges
depends_on:
- pgdb
datne:
image: registry.72.lv/datne:latest
volumes:
- ${datne_media}:/media
- ${datne_static}:/app/static
restart: unless-stopped
security_opt:
- no-new-privileges
default_web_app:
build:
context: ./projects/default
@ -102,14 +37,16 @@ services:
image: redis:alpine
restart: always
cloud:
nextcloud:
build:
context: ./compose/cloud
context: ./compose/nextcloud
dockerfile: Dockerfile
env_file: .env_cloud
env_file: .env_nextcloud
volumes:
- nextcloud:/var/www/html
- ${cloud_data}:/var/www/html/data
# Using path from variable "nextcloud_data" to place data at different disk,
# which isn't easily accomplished from compose
- ${nextcloud_data}:/var/www/html/data
restart: always
links:
- pgdb
@ -134,8 +71,6 @@ services:
vardadienas:
image: registry.72.lv/flask-namedays:latest
restart: always
security_opt:
- no-new-privileges
certbot:
image: certbot/dns-digitalocean:latest
@ -148,12 +83,6 @@ services:
env_file:
- .env_certbot
registry:
image: registry:2
restart: unless-stopped
volumes:
- registry:/var/lib/registry
gitea:
image: gitea/gitea:latest-rootless
restart: always
@ -170,14 +99,24 @@ services:
env_file:
- .env_gitea
qbit:
image: lscr.io/linuxserver/qbittorrent
environment:
- PUID=1000
- PGID=1001
- TZ=UTC
volumes:
- /config # persistent unnamed storage
- ${torrent_path}:/downloads
ports:
- "30000:30000"
- "30000:30000/udp"
restart: unless-stopped
volumes:
books_media: {}
books_static: {}
fuelkeeper_media: {}
fuelkeeper_static: {}
nextcloud: {}
# named persistent volumes
nextcloud: {} # nextcloud configuration
pgdb: {}
certbot_certs: {}
registry: {}