From 7dbb9e2b918f611a0353447c9deacbeafdcabe1d Mon Sep 17 00:00:00 2001 From: KEriks Date: Thu, 7 Jul 2022 16:44:00 +0300 Subject: [PATCH 1/5] Nginx cleanup --- compose/nginx/Dockerfile | 7 +- compose/nginx/conf/ssl-dhparams.pem | 17 ++-- compose/nginx/conf/ssl.conf | 3 +- compose/nginx/defaults/fastcgi.conf | 26 ----- compose/nginx/defaults/fastcgi_params | 25 ----- compose/nginx/defaults/mime.types | 97 ------------------- compose/nginx/defaults/nginx.conf | 32 ------ compose/nginx/defaults/scgi_params | 17 ---- compose/nginx/defaults/ssl.conf | 14 --- compose/nginx/defaults/uwsgi_params | 17 ---- compose/nginx/entrypoint_host.sh | 10 -- .../100-default.conf | 0 docker-compose.yaml | 7 +- 13 files changed, 16 insertions(+), 256 deletions(-) delete mode 100644 compose/nginx/defaults/fastcgi.conf delete mode 100644 compose/nginx/defaults/fastcgi_params delete mode 100644 compose/nginx/defaults/mime.types delete mode 100644 compose/nginx/defaults/nginx.conf delete mode 100644 compose/nginx/defaults/scgi_params delete mode 100644 compose/nginx/defaults/ssl.conf delete mode 100644 compose/nginx/defaults/uwsgi_params delete mode 100644 compose/nginx/entrypoint_host.sh rename compose/nginx/{conf/sites-enabled => site-configs}/100-default.conf (100%) diff --git a/compose/nginx/Dockerfile b/compose/nginx/Dockerfile index aa24940..b4cc66f 100644 --- a/compose/nginx/Dockerfile +++ b/compose/nginx/Dockerfile 
@@ -1,16 +1,11 @@
 FROM nginx:stable-alpine
-#COPY conf /etc/nginx
-COPY ./entrypoint_host.sh /entrypoint_host.sh
 RUN apk add shadow \
 && groupmod -g 1001 nginx \
 && usermod -u 1000 -g 1001 nginx \
 && find / -user 101 -exec chown -v -h 1000 '{}' \; \
- && find / -group 101 -exec chgrp -v 1001 '{}' \; \
- && curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > /etc/nginx/ssl.conf \
- && chmod +x /entrypoint_host.sh
+ && find / -group 101 -exec chgrp -v 1001 '{}' \;
 VOLUME ["/var/cache/nginx", "/var/run"]
-ENTRYPOINT ["/entrypoint_host.sh"]
 CMD ["nginx", "-g", "daemon off;"]
diff --git a/compose/nginx/conf/ssl-dhparams.pem b/compose/nginx/conf/ssl-dhparams.pem
index 9b182b7..4ed7ab8 100644
--- a/compose/nginx/conf/ssl-dhparams.pem
+++ b/compose/nginx/conf/ssl-dhparams.pem
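Review bot: The surviving `find / -user 101 ...` and `find / -group 101 ...` lines walk the entire build filesystem, `/proc` and `/sys` included, and `-v` prints every changed path into the build log; adding `-xdev` keeps the walk on the image layer and dropping `-v` keeps the log readable, e.g. `&& find / -xdev -user 101 -exec chown -h 1000 '{}' \; \` with the matching change on the `chgrp` line. `apk add shadow` without `--no-cache` also leaves the package index in the layer and keeps the `shadow` tools, which are only needed for the uid/gid remap, in the runtime image; `RUN apk add --no-cache shadow \` together with `&& apk del shadow` as the last step of the same RUN removes both. The hunk covers the whole Dockerfile, so nothing is cut off.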
@@ -1,8 +1,13 @@
 -----BEGIN DH PARAMETERS-----
-MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
-+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
-87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
-YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
-7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
-ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+MIICCAKCAgEAzaxkoeWOsulfwhlabx/a394WaXNP33NGA0ip3qljJbWFqdpO3sgu
+39he541CU3cziJGvkYXl8TTmNzZL6whFaESnx9npTP4k7s1gnF7PI8QKqlRefSnT
+xhxcI1shC8L7deOM/wkEEWVn+rv0WDDzs623eOK9dA22biGZn0x9yq5NAvFnxBI7
+4/DMosFspiUOoBoj5/tyXvnXWGXRxzwcmYSOE4MaZIYKYheqq6DrRyqef9mPeGQn
+8dZx1a1paICIhsg2I89VwT5zwPgO1NV/w8HXB97/c07znJ3p+1xKDoxQcexGR3UK
+czobKI7vuWfxxRj4T7W5Wg/jOWOXeyKqCXkX6wVyBxhTmiwcoz2oPYSIOqkOmlKk
+wp6D08RRE3PJcrDP80ls1b/ChL3CZ2VfzEg9ZE2UHlikRGxNf+SGur0J/yPlZ2TZ
+3l3GaBHGGEuFmRrZ+M2ZeS2v1+To2nV/jM/jJF5Xmb6FZPD/con1AYsR71oQUU+h
+fTsc4W40JRbOCJTP1gwrLjq293tKJ8bN6U3tqDfLCRsJlcGUX+ZePffB1Heu6B9L
+eHG6sQ7l9HM7DYkPzZldTenLuhqX7zGyxrdSlFTz/jPb8+eWSMvy54j2l8+qKgH0
+i7o/yP4nrDffk0xUwUkubyX9UIY8LDyOMFttrEoLyDhzeaScSSyV6hsCAQI=
 -----END DH PARAMETERS-----
diff --git a/compose/nginx/conf/ssl.conf b/compose/nginx/conf/ssl.conf
index 978e6e8..7f4c98e 100644
--- a/compose/nginx/conf/ssl.conf
+++ b/compose/nginx/conf/ssl.conf
@@ -2,7 +2,7 @@
 # manually, Certbot will be unable to automatically provide future security
 # updates. Instead, Certbot will print and log an error message with a path to
 # the up-to-date file that you will need to refer to when manually updating
-# this file.
+# this file. Contents are based on https://ssl-config.mozilla.org
 ssl_session_cache shared:le_nginx_SSL:10m;
 ssl_session_timeout 1440m;
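Review bot: The removed block appears to be the RFC 7919 ffdhe2048 group that ssl-config.mozilla.org ships, and it is replaced by a custom 4096-bit group with no record of how it was generated; since ssl.conf keeps the `DHE-RSA-*` suites, every TLS 1.2 DHE handshake now performs a 4096-bit modular exponentiation, several times the cost of the group it replaces (TLS 1.3 ignores `ssl_dhparam` entirely). If the larger group is wanted, record its provenance, the generating command and date, in the commit message or a README beside the file; otherwise the standard ffdhe2048 group is what the Mozilla configuration cited by this same patch in ssl.conf expects.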
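Review bot: The header still states that Certbot maintains this file and that manual edits will break its updates, but after this patch it is a hand-edited copy committed to the repository (the Dockerfile hunk in the same patch stops fetching options-ssl-nginx.conf at build time, and docker-compose.yaml mounts the directory read-only), so the comment now tells the reader the opposite of how the file is kept. Replace the first five comment lines with a short header saying the file is maintained by hand, was derived from ssl-config.mozilla.org (keep the link the hunk adds), and should be re-synced against that generator when its protocol or cipher guidance changes. The `# managed by Certbot` tag on the `include /etc/nginx/ssl.conf;` lines in the site configs added later in this series is misleading for the same reason and can be dropped there.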
@@ -12,3 +12,4 @@ ssl_protocols TLSv1.2 TLSv1.3;
 ssl_prefer_server_ciphers off;
 ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+
diff --git a/compose/nginx/defaults/fastcgi.conf b/compose/nginx/defaults/fastcgi.conf
deleted file mode 100644
index 091738c..0000000
--- a/compose/nginx/defaults/fastcgi.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-
-fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-fastcgi_param QUERY_STRING $query_string;
-fastcgi_param REQUEST_METHOD $request_method;
-fastcgi_param CONTENT_TYPE $content_type;
-fastcgi_param CONTENT_LENGTH $content_length;
-
-fastcgi_param SCRIPT_NAME $fastcgi_script_name;
-fastcgi_param REQUEST_URI $request_uri;
-fastcgi_param DOCUMENT_URI $document_uri;
-fastcgi_param DOCUMENT_ROOT $document_root;
-fastcgi_param SERVER_PROTOCOL $server_protocol;
-fastcgi_param REQUEST_SCHEME $scheme;
-fastcgi_param HTTPS $https if_not_empty;
-
-fastcgi_param GATEWAY_INTERFACE CGI/1.1;
-fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
-
-fastcgi_param REMOTE_ADDR $remote_addr;
-fastcgi_param REMOTE_PORT $remote_port;
-fastcgi_param SERVER_ADDR $server_addr;
-fastcgi_param SERVER_PORT $server_port;
-fastcgi_param SERVER_NAME $server_name;
-
-# PHP only, required if PHP was built with --enable-force-cgi-redirect
-fastcgi_param REDIRECT_STATUS 200;
diff --git a/compose/nginx/defaults/fastcgi_params b/compose/nginx/defaults/fastcgi_params
deleted file mode 100644
index 28decb9..0000000
--- a/compose/nginx/defaults/fastcgi_params
+++ /dev/null
@@ -1,25 +0,0 @@ - -fastcgi_param QUERY_STRING $query_string; -fastcgi_param REQUEST_METHOD $request_method; -fastcgi_param CONTENT_TYPE $content_type; -fastcgi_param CONTENT_LENGTH $content_length; - -fastcgi_param SCRIPT_NAME $fastcgi_script_name; -fastcgi_param REQUEST_URI $request_uri; -fastcgi_param DOCUMENT_URI $document_uri; -fastcgi_param DOCUMENT_ROOT $document_root; -fastcgi_param SERVER_PROTOCOL $server_protocol; -fastcgi_param REQUEST_SCHEME $scheme; -fastcgi_param HTTPS $https if_not_empty; - -fastcgi_param GATEWAY_INTERFACE CGI/1.1; -fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; - -fastcgi_param REMOTE_ADDR $remote_addr; -fastcgi_param REMOTE_PORT $remote_port; -fastcgi_param SERVER_ADDR $server_addr; -fastcgi_param SERVER_PORT $server_port; -fastcgi_param SERVER_NAME $server_name; - -# PHP only, required if PHP was built with --enable-force-cgi-redirect -fastcgi_param REDIRECT_STATUS 200; diff --git a/compose/nginx/defaults/mime.types b/compose/nginx/defaults/mime.types deleted file mode 100644 index 2961256..0000000 --- a/compose/nginx/defaults/mime.types +++ /dev/null 
@@ -1,97 +0,0 @@ - -types { - text/html html htm shtml; - text/css css; - text/xml xml; - image/gif gif; - image/jpeg jpeg jpg; - application/javascript js; - application/atom+xml atom; - application/rss+xml rss; - - text/mathml mml; - text/plain txt; - text/vnd.sun.j2me.app-descriptor jad; - text/vnd.wap.wml wml; - text/x-component htc; - - image/png png; - image/svg+xml svg svgz; - image/tiff tif tiff; - image/vnd.wap.wbmp wbmp; - image/webp webp; - image/x-icon ico; - image/x-jng jng; - image/x-ms-bmp bmp; - - font/woff woff; - font/woff2 woff2; - - application/java-archive jar war ear; - application/json json; - application/mac-binhex40 hqx; - application/msword doc; - application/pdf pdf; - application/postscript ps eps ai; - application/rtf rtf; - application/vnd.apple.mpegurl m3u8; - application/vnd.google-earth.kml+xml kml; - application/vnd.google-earth.kmz kmz; - application/vnd.ms-excel xls; - application/vnd.ms-fontobject eot; - application/vnd.ms-powerpoint ppt; - application/vnd.oasis.opendocument.graphics odg; - application/vnd.oasis.opendocument.presentation odp; - application/vnd.oasis.opendocument.spreadsheet ods; - application/vnd.oasis.opendocument.text odt; - application/vnd.openxmlformats-officedocument.presentationml.presentation - pptx; - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet - xlsx; - application/vnd.openxmlformats-officedocument.wordprocessingml.document - docx; - application/vnd.wap.wmlc wmlc; - application/x-7z-compressed 7z; - application/x-cocoa cco; - application/x-java-archive-diff jardiff; - application/x-java-jnlp-file jnlp; - application/x-makeself run; - application/x-perl pl pm; - application/x-pilot prc pdb; - application/x-rar-compressed rar; - application/x-redhat-package-manager rpm; - application/x-sea sea; - application/x-shockwave-flash swf; - application/x-stuffit sit; - application/x-tcl tcl tk; - application/x-x509-ca-cert der pem crt; - application/x-xpinstall xpi; - application/xhtml+xml 
xhtml; - application/xspf+xml xspf; - application/zip zip; - - application/octet-stream bin exe dll; - application/octet-stream deb; - application/octet-stream dmg; - application/octet-stream iso img; - application/octet-stream msi msp msm; - - audio/midi mid midi kar; - audio/mpeg mp3; - audio/ogg ogg; - audio/x-m4a m4a; - audio/x-realaudio ra; - - video/3gpp 3gpp 3gp; - video/mp2t ts; - video/mp4 mp4; - video/mpeg mpeg mpg; - video/quicktime mov; - video/webm webm; - video/x-flv flv; - video/x-m4v m4v; - video/x-mng mng; - video/x-ms-asf asx asf; - video/x-ms-wmv wmv; - video/x-msvideo avi; -} diff --git a/compose/nginx/defaults/nginx.conf b/compose/nginx/defaults/nginx.conf deleted file mode 100644 index 5e076aa..0000000 --- a/compose/nginx/defaults/nginx.conf +++ /dev/null @@ -1,32 +0,0 @@ - -user nginx; -worker_processes auto; - -error_log /var/log/nginx/error.log notice; -pid /var/run/nginx.pid; - - -events { - worker_connections 1024; -} - - -http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - - sendfile on; - #tcp_nopush on; - - keepalive_timeout 65; - - #gzip on; - - include /etc/nginx/conf.d/*.conf; -} diff --git a/compose/nginx/defaults/scgi_params b/compose/nginx/defaults/scgi_params deleted file mode 100644 index 6d4ce4f..0000000 --- a/compose/nginx/defaults/scgi_params +++ /dev/null 
@@ -1,17 +0,0 @@ - -scgi_param REQUEST_METHOD $request_method; -scgi_param REQUEST_URI $request_uri; -scgi_param QUERY_STRING $query_string; -scgi_param CONTENT_TYPE $content_type; - -scgi_param DOCUMENT_URI $document_uri; -scgi_param DOCUMENT_ROOT $document_root; -scgi_param SCGI 1; -scgi_param SERVER_PROTOCOL $server_protocol; -scgi_param REQUEST_SCHEME $scheme; -scgi_param HTTPS $https if_not_empty; - -scgi_param REMOTE_ADDR $remote_addr; -scgi_param REMOTE_PORT $remote_port; -scgi_param SERVER_PORT $server_port; -scgi_param SERVER_NAME $server_name; diff --git a/compose/nginx/defaults/ssl.conf b/compose/nginx/defaults/ssl.conf deleted file mode 100644 index 978e6e8..0000000 --- a/compose/nginx/defaults/ssl.conf +++ /dev/null @@ -1,14 +0,0 @@ -# This file contains important security parameters. If you modify this file -# manually, Certbot will be unable to automatically provide future security -# updates. Instead, Certbot will print and log an error message with a path to -# the up-to-date file that you will need to refer to when manually updating -# this file. - -ssl_session_cache shared:le_nginx_SSL:10m; -ssl_session_timeout 1440m; -ssl_session_tickets off; - -ssl_protocols TLSv1.2 TLSv1.3; -ssl_prefer_server_ciphers off; - -ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; diff --git a/compose/nginx/defaults/uwsgi_params b/compose/nginx/defaults/uwsgi_params deleted file mode 100644 index 09c732c..0000000 --- a/compose/nginx/defaults/uwsgi_params +++ /dev/null 
@@ -1,17 +0,0 @@ - -uwsgi_param QUERY_STRING $query_string; -uwsgi_param REQUEST_METHOD $request_method; -uwsgi_param CONTENT_TYPE $content_type; -uwsgi_param CONTENT_LENGTH $content_length; - -uwsgi_param REQUEST_URI $request_uri; -uwsgi_param PATH_INFO $document_uri; -uwsgi_param DOCUMENT_ROOT $document_root; -uwsgi_param SERVER_PROTOCOL $server_protocol; -uwsgi_param REQUEST_SCHEME $scheme; -uwsgi_param HTTPS $https if_not_empty; - -uwsgi_param REMOTE_ADDR $remote_addr; -uwsgi_param REMOTE_PORT $remote_port; -uwsgi_param SERVER_PORT $server_port; -uwsgi_param SERVER_NAME $server_name; diff --git a/compose/nginx/entrypoint_host.sh b/compose/nginx/entrypoint_host.sh deleted file mode 100644 index 78b21be..0000000 --- a/compose/nginx/entrypoint_host.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/sh - -HOST_DOMAIN="host.docker.internal" -ping -q -c1 $HOST_DOMAIN > /dev/null 2>&1 -if [ $? -ne 0 ]; then - HOST_IP=$(ip route | awk 'NR==1 {print $3}') - echo -e "$HOST_IP\t$HOST_DOMAIN" >> /etc/hosts -fi - -/bin/sh /docker-entrypoint.sh "$@" diff --git a/compose/nginx/conf/sites-enabled/100-default.conf b/compose/nginx/site-configs/100-default.conf similarity index 100% rename from compose/nginx/conf/sites-enabled/100-default.conf rename to compose/nginx/site-configs/100-default.conf diff --git a/docker-compose.yaml b/docker-compose.yaml index 3b6fdb7..da455da 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml 
@@ -10,11 +10,8 @@ services:
 - "443:443"
 restart: always
 volumes:
- - ./compose/nginx/conf/nginx.conf:/etc/nginx/nginx.conf:ro
- - ./compose/nginx/conf/sites-enabled:/etc/nginx/conf.d:ro
- - ./compose/nginx/conf/proxy_params:/etc/nginx/proxy_params:ro
- - ./compose/nginx/conf/ssl-dhparams.pem:/etc/nginx/ssl-dhparams.pem:ro
- - ./compose/nginx/conf/registry.htpasswd:/etc/nginx/registry.htpasswd:ro
+ - ./compose/nginx/conf:/etc/nginx:ro
+ - ./compose/nginx/site-configs:/etc/nginx/conf.d:ro
 - fuelkeeper_static:/var/www/app/fuelkeeper/staticfiles:ro
 - fuelkeeper_media:/var/www/app/fuelkeeper/media:ro
-- 2.49.0 From afbbc1f573e45561487e7f624d246a3590982505 Mon Sep 17 00:00:00 2001 From: KEriks Date: Thu, 7 Jul 2022 16:54:44 +0300 Subject: [PATCH 2/5] minified compose file --- docker-compose.yaml | 60 +-------------------------------------------- 1 file changed, 1 insertion(+), 59 deletions(-)
diff --git a/docker-compose.yaml b/docker-compose.yaml
index da455da..ed1b125 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
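Review bot: `./compose/nginx/conf:/etc/nginx:ro` hides the image's entire `/etc/nginx`, so every file nginx reads from there has to exist in that directory: `nginx.conf`, `proxy_params`, `ssl-dhparams.pem` and `registry.htpasswd` were mounted from it before and `ssl.conf` is edited in this patch, but `mime.types` and `fastcgi_params` appear in this series only as the deleted `defaults/` copies, and the stock nginx.conf (see the deleted defaults copy) does `include /etc/nginx/mime.types;`, so confirm both are present in `compose/nginx/conf` or startup fails. A comment above the mount stating that contract, e.g. `# replaces the image's /etc/nginx: nginx.conf, mime.types, fastcgi_params, proxy_params, ssl.conf, ssl-dhparams.pem and registry.htpasswd live here`, keeps the next person from removing one of them. The directory mount also carries `registry.htpasswd`, a credential file, along with anything else that lands in `compose/nginx/conf`; the `.gitignore` hunk in PATCH 3/5 does not show whether it is excluded from the repository, which is worth checking. The `nginx` service this belongs to begins before the hunk.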
@@ -29,64 +29,12 @@ services: - ./projects/72_lv:/var/www/72_lv:ro depends_on: - default_web_app - - fuelkeeper - - books - - datne - cloud - yopass - certbot - - registry + - gitea - vardadienas - qbit: - image: lscr.io/linuxserver/qbittorrent - environment: - - PUID=1000 - - PGID=1001 - - TZ=UTC - volumes: - - qbit_config:/config - - ${datne_target}:/downloads - ports: - - "30000:30000" - - "30000:30000/udp" - restart: unless-stopped - - fuelkeeper: - image: registry.72.lv/fuelkeeper:latest - volumes: - - fuelkeeper_static:/app/staticfiles - - fuelkeeper_media:/app/fuelkeeper/media - env_file: ./projects/fuelkeeper/.env - restart: unless-stopped - security_opt: - - no-new-privileges - depends_on: - - redis - - pgdb - - books: - image: registry.72.lv/bookkeeping:latest - volumes: - - books_static:/app/static - - books_media:/app/media - - ./projects/bookkeeping:/app - env_file: ./projects/bookkeeping/.env - restart: unless-stopped - security_opt: - - no-new-privileges - depends_on: - - pgdb - - datne: - image: registry.72.lv/datne:latest - volumes: - - ${datne_media}:/media - - ${datne_static}:/app/static - restart: unless-stopped - security_opt: - - no-new-privileges - default_web_app: build: context: ./projects/default @@ -145,12 +93,6 @@ services: env_file: - .env_certbot - registry: - image: registry:2 - restart: unless-stopped - volumes: - - registry:/var/lib/registry - gitea: image: gitea/gitea:latest-rootless restart: always -- 2.49.0 From 722c06b6d6ec38cf5270a1ce5321ca2f00da9f62 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?E=CC=84riks=20K?= Date: Fri, 8 Jul 2022 18:28:33 +0300 Subject: [PATCH 3/5] JetBrains .idea config --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index eb9137b..325f193 100644 --- a/.gitignore +++ b/.gitignore @@ -12,3 +12,4 @@ compose/qbit/config/* !compose/pgdb/docker-entrypoint-initdb.d/ compose/pgdb/docker-entrypoint-initdb.d/*.sh +.idea \ No newline at end of file -- 2.49.0 
From 09dd78670d18481662709a355f57dd542c3eae9d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?E=CC=84riks=20K?= Date: Fri, 8 Jul 2022 18:45:26 +0300 Subject: [PATCH 4/5] Nginx service defaults --- compose/nginx/site-configs/110-registry.conf | 55 ++++++++ compose/nginx/site-configs/200-static.conf | 46 ++++++ compose/nginx/site-configs/210-flask.conf | 40 ++++++ compose/nginx/site-configs/220-django.conf | 39 +++++ compose/nginx/site-configs/300-qbit.conf | 31 ++++ compose/nginx/site-configs/310-cloud.conf | 141 +++++++++++++++++++ compose/nginx/site-configs/320-secret.conf | 28 ++++ compose/nginx/site-configs/330-gitea.conf | 28 ++++ 8 files changed, 408 insertions(+) create mode 100644 compose/nginx/site-configs/110-registry.conf create mode 100644 compose/nginx/site-configs/200-static.conf create mode 100644 compose/nginx/site-configs/210-flask.conf create mode 100644 compose/nginx/site-configs/220-django.conf create mode 100644 compose/nginx/site-configs/300-qbit.conf create mode 100644 compose/nginx/site-configs/310-cloud.conf create mode 100644 compose/nginx/site-configs/320-secret.conf create mode 100644 compose/nginx/site-configs/330-gitea.conf diff --git a/compose/nginx/site-configs/110-registry.conf b/compose/nginx/site-configs/110-registry.conf new file mode 100644 index 0000000..d500e00 --- /dev/null +++ b/compose/nginx/site-configs/110-registry.conf 
@@ -0,0 +1,55 @@
+upstream docker-registry {
+ server registry:5000;
+}
+
+map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
+ '' 'registry/2.0';
+}
+
+server {
+ listen 80;
+ server_name registry.example.com;
+ return 301 https://$host$request_uri;
+}
+server {
+ listen 443 ssl http2;
+ server_name registry.example.com;
+
+ # disable any limits to avoid HTTP 413 for large image uploads
+ client_max_body_size 0;
+
+ # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
+ chunked_transfer_encoding on;
+
+ #include /etc/nginx/proxy_params;
+
+ add_header Strict-Transport-Security max-age=31536000 always;
+
+ ssl_certificate /etc/letsencrypt/live/registry.example.com/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/registry.example.com/privkey.pem; # managed by Certbot
+ ssl_dhparam /etc/nginx/ssl-dhparams.pem; # managed by Certbot
+ include /etc/nginx/ssl.conf; # managed by Certbot
+
+ location /v2/ {
+ # Do not allow connections from docker 1.5 and earlier
+ # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
+ if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
+ return 404;
+ }
+
+ # To add basic authentication to v2 use auth_basic setting.
+ auth_basic "Registry realm";
+ auth_basic_user_file /etc/nginx/registry.htpasswd;
+
+ ## If $docker_distribution_api_version is empty, the header is not added.
+ ## See the map directive above where this variable is defined.
+ add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
+
+ proxy_pass http://registry:5000;
+ proxy_set_header Host $http_host; # required for docker client's sake
+ proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_read_timeout 900;
+ }
+}
\ No newline at end of file
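Review bot: The Strict-Transport-Security header set at server level is never sent on a `/v2/` response, because nginx inherits `add_header` from the enclosing level only when the location declares none of its own, and `location /v2/` adds `Docker-Distribution-Api-Version`; repeat `add_header Strict-Transport-Security max-age=31536000 always;` inside the location (the `location /` blocks in 300-qbit.conf, 320-secret.conf and 330-gitea.conf lose their HSTS header the same way through their `add_header X-Frame-Options`). The `upstream docker-registry` block is dead, since `proxy_pass http://registry:5000;` names the host directly; either switch to `proxy_pass http://docker-registry;` or drop the block. PATCH 2/5 removed the `registry` service from docker-compose.yaml, so as far as this series shows there is no `registry` host for nginx to resolve at config load, which would stop nginx from starting once this file sits in conf.d; worth confirming where that service is now defined.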
diff --git a/compose/nginx/site-configs/200-static.conf b/compose/nginx/site-configs/200-static.conf
new file mode 100644
index 0000000..343f8cc
--- /dev/null
+++ b/compose/nginx/site-configs/200-static.conf
@@ -0,0 +1,46 @@
+server {
+ listen 80;
+ server_name example.com example.org;
+ return 301 https://$host$request_uri;
+
+ # display real ip in nginx logs when connected through reverse proxy via docker network
+ set_real_ip_from 172.0.0.0/8;
+ real_ip_header X-Forwarded-For;
+}
+
+server {
+ listen 443 ssl http2;
+ server_name example.com;
+
+ # display real ip in nginx logs when connected through reverse proxy via docker network
+ set_real_ip_from 172.0.0.0/8;
+ real_ip_header X-Forwarded-For;
+
+ ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
+ include /etc/nginx/ssl.conf; # managed by Certbot
+ ssl_dhparam /etc/nginx/ssl-dhparams.pem; # managed by Certbot
+
+ root /var/www/72_lv;
+ location / {
+ try_files $uri /index.html;
+ }
+}
+server {
+ listen 443 ssl http2;
+ server_name example.org;
+
+ # display real ip in nginx logs when connected through reverse proxy via docker network
+ set_real_ip_from 172.0.0.0/8;
+ real_ip_header X-Forwarded-For;
+
+ ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem; # managed by Certbot
+ include /etc/nginx/ssl.conf; # managed by Certbot
+ ssl_dhparam /etc/nginx/ssl-dhparams.pem; # managed by Certbot
+
+ root /var/www/72_lv;
+ location / {
+ try_files $uri /index.html;
+ }
+}
\ No newline at end of file
diff --git a/compose/nginx/site-configs/210-flask.conf b/compose/nginx/site-configs/210-flask.conf
new file mode 100644
index 0000000..2907629
--- /dev/null
+++ b/compose/nginx/site-configs/210-flask.conf
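Review bot: `set_real_ip_from 172.0.0.0/8;` trusts `X-Forwarded-For` from an entire /8, most of which is public address space rather than the Docker network the comment describes; this nginx publishes 443 itself (the `"443:443"` mapping in docker-compose.yaml), so any peer whose address falls in that range can write an arbitrary client IP into the access log, and if Docker's userland proxy sits in front, every connection appears to come from the bridge address and matches. Narrow it to the compose network's actual subnet, `set_real_ip_from <compose-network-subnet>;` (placeholder), in all three blocks. The two HTTPS blocks differ only in `server_name` and certificate paths and serve the same `root /var/www/72_lv;`, so if one certificate covers both names they can collapse into a single block.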
@@ -0,0 +1,40 @@
+server {
+ listen 80;
+ server_name flask.example.com;
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+server {
+ listen 443 ssl http2;
+ server_name flask.example.com;
+ client_max_body_size 10G;
+
+ ssl_certificate /etc/letsencrypt/live/flask.example.com/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/flask.example.com/privkey.pem; # managed by Certbot
+ ssl_dhparam /etc/nginx/ssl-dhparams.pem; # managed by Certbot
+ include /etc/nginx/ssl.conf; # managed by Certbot
+
+ location = /robots.txt {
+ alias /var/www/app/flask/staticfiles/robots.txt;
+ }
+ location = /favicon.ico {
+ alias /var/www/app/flask/staticfiles/favicon.ico;
+ }
+
+ location /static {
+ expires max;
+ alias /var/www/app/flask/staticfiles;
+ }
+
+ location /media {
+ #expires max;
+ proxy_max_temp_file_size 0;
+ proxy_buffering off;
+ alias /var/www/app/flask/media;
+ }
+ location / {
+ include /etc/nginx/proxy_params;
+ proxy_pass http://flask:5000/;
+ }
+}
\ No newline at end of file
diff --git a/compose/nginx/site-configs/220-django.conf b/compose/nginx/site-configs/220-django.conf
new file mode 100644
index 0000000..967ce48
--- /dev/null
+++ b/compose/nginx/site-configs/220-django.conf
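Review bot: `location /static` and `alias /var/www/app/flask/staticfiles` are both written without a trailing slash, so the prefix also matches `/staticfoo` and maps it to `/var/www/app/flask/staticfilesfoo`; writing both with the slash, `location /static/ {` and `alias /var/www/app/flask/staticfiles/;`, confines the block to that directory (a bare `/static` then falls through to the proxied `location /`). The `/media` block serves files through `alias`, so `proxy_max_temp_file_size 0;` and `proxy_buffering off;` there have nothing to act on and can be removed. 220-django.conf repeats the same `/static` and `/media` alias pattern. Unlike the registry, qbit, secret and gitea blocks this server sends no Strict-Transport-Security header, which may be deliberate but deserves a comment.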
@@ -0,0 +1,39 @@
+server {
+ listen 80;
+ server_name django.example.com;
+ return 301 https://$host$request_uri;
+}
+server {
+ listen 443 ssl http2;
+ server_name django.example.com;
+ client_max_body_size 500M;
+
+ ssl_certificate /etc/letsencrypt/live/django.example.com/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/django.example.com/privkey.pem; # managed by Certbot
+ ssl_dhparam /etc/nginx/ssl-dhparams.pem; # managed by Certbot
+ include /etc/nginx/ssl.conf; # managed by Certbot
+
+ location = /robots.txt {
+ access_log off;
+ alias /var/www/app/django/staticfiles/robots.txt;
+ }
+ location = /favicon.ico {
+ access_log off;
+ alias /var/www/app/django/staticfiles/favicon.ico;
+ }
+
+ location /static {
+ access_log off;
+ expires max;
+ alias /var/www/app/django/staticfiles;
+ }
+
+ location /media {
+ expires max;
+ alias /var/www/app/django/media;
+ }
+ location / {
+ include /etc/nginx/proxy_params;
+ proxy_pass http://django:5000/;
+ }
+}
\ No newline at end of file
diff --git a/compose/nginx/site-configs/300-qbit.conf b/compose/nginx/site-configs/300-qbit.conf
new file mode 100644
index 0000000..24f70b7
--- /dev/null
+++ b/compose/nginx/site-configs/300-qbit.conf
@@ -0,0 +1,31 @@
+server {
+ listen 80;
+ server_name qbit.example.com;
+ return 301 https://$host$request_uri;
+}
+server {
+ listen 443 ssl http2;
+ server_name qbit.example.com;
+ client_max_body_size 25M;
+
+ access_log off;
+ error_log off;
+
+ add_header Strict-Transport-Security max-age=31536000 always;
+
+ ssl_certificate /etc/letsencrypt/live/qbit.example.com/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/qbit.example.com/privkey.pem; # managed by Certbot
+ ssl_dhparam /etc/nginx/ssl-dhparams.pem; # managed by Certbot
+ include /etc/nginx/ssl.conf; # managed by Certbot
+
+ location / {
+ include /etc/nginx/proxy_params;
+ proxy_set_header X-Forwarded-Host $host:3000;
+ proxy_hide_header Referer;
+ proxy_hide_header Origin;
+ proxy_set_header Referer '';
+ proxy_set_header Origin '';
+ add_header X-Frame-Options "SAMEORIGIN";
+ proxy_pass http://qbit:8080;
+ }
+}
\ No newline at end of file
diff --git a/compose/nginx/site-configs/310-cloud.conf b/compose/nginx/site-configs/310-cloud.conf
new file mode 100644
index 0000000..8bf488e
--- /dev/null
+++ b/compose/nginx/site-configs/310-cloud.conf
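Review bot: `error_log off;` does not disable error logging: nginx has no `off` value for `error_log`, so it opens a log file literally named `off` relative to its prefix (`/etc/nginx` in the official image, which PATCH 1/5 bind-mounts read-only), and that open failure is likely to surface at config load; use `error_log /dev/null crit;` or drop the line and rely on the main error log. `proxy_set_header X-Forwarded-Host $host:3000;` names port 3000 while this block proxies to `qbit:8080`, which looks copied from the gitea block, and 320-secret.conf carries the same `:3000` against `yopass:1337`. Blanking `Referer` and `Origin` appears to sidestep qBittorrent's origin-based request check for its WebUI; if that workaround is intended, state it, e.g. `# qBittorrent rejects Origin/Referer that differ from Host behind a proxy; cleared on purpose`, and drop the same six lines from 320-secret.conf and 330-gitea.conf unless those applications need them too.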
@@ -0,0 +1,141 @@
+upstream php-handler {
+ server cloud:9000;
+}
+server {
+ listen 80;
+ server_name cloud.example.org cloud.example.com;
+ return 301 https://$host$request_uri;
+}
+server {
+ listen 443 ssl http2;
+ server_name cloud.example.org cloud.example.com;
+
+ ssl_certificate /etc/letsencrypt/live/cloud.example.com/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/cloud.example.com/privkey.pem; # managed by Certbot
+ ssl_dhparam /etc/nginx/ssl-dhparams.pem; # managed by Certbot
+ include /etc/nginx/ssl.conf; # managed by Certbot
+
+ add_header Strict-Transport-Security "max-age=5184000; includeSubDomains; preload;" always;
+ add_header Referrer-Policy "no-referrer" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Download-Options "noopen" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Permitted-Cross-Domain-Policies "none" always;
+ add_header X-Robots-Tag "none" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+
+ # Remove X-Powered-By, which is an information leak
+ fastcgi_hide_header X-Powered-By;
+
+ # Path to the root of your installation
+ root /var/www/app/cloud;
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ # The following 2 rules are only needed for the user_webfinger app.
+ # Uncomment it if you're planning to use this app.
+ rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+ rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
+
+ # The following rule is only needed for the Social app.
+ # Uncomment it if you're planning to use this app.
+ rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
+
+ location = /.well-known/carddav {
+ return 301 $scheme://$host:$server_port/remote.php/dav;
+ }
+
+ location = /.well-known/caldav {
+ return 301 $scheme://$host:$server_port/remote.php/dav;
+ }
+
+ # set max upload size
+ client_max_body_size 10G;
+ fastcgi_buffers 64 4K;
+
+ # Enable gzip but do not remove ETag headers
+ gzip on;
+ gzip_vary on;
+ gzip_comp_level 4;
+ gzip_min_length 256;
+ gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+ gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+ # Uncomment if your server is build with the ngx_pagespeed module
+ # This module is currently not supported.
+ #pagespeed off;
+
+ location / {
+ rewrite ^ /index.php;
+ }
+
+ location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
+ deny all;
+ }
+ location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
+ deny all;
+ }
+
+ location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
+ fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
+ set $path_info $fastcgi_path_info;
+ try_files $fastcgi_script_name =404;
+ include fastcgi_params;
+ #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
+ fastcgi_param PATH_INFO $path_info;
+ # fastcgi_param HTTPS on;
+
+ # Avoid sending the security headers twice
+ fastcgi_param modHeadersAvailable true;
+
+ # Enable pretty urls
+ fastcgi_param front_controller_active true;
+ fastcgi_pass php-handler;
+ fastcgi_intercept_errors on;
+ fastcgi_request_buffering off;
+ }
+
+ location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
+ try_files $uri/ =404;
+ index index.php;
+ }
+
+ # Adding the cache control header for js, css and map files
+ # Make sure it is BELOW the PHP block
+ location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
+ try_files $uri /index.php$request_uri;
+ add_header Cache-Control "public, max-age=15778463";
+ # Add headers to serve security related headers (It is intended to
+ # have those duplicated to the ones above)
+ # Before enabling Strict-Transport-Security headers please read into
+ # this topic first.
+ #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+ #
+ # WARNING: Only add the preload option once you read about
+ # the consequences in https://hstspreload.org/. This option
+ # will add the domain to a hardcoded list that is shipped
+ # in all major browsers and getting removed from this list
+ # could take several months.
+ add_header Referrer-Policy "no-referrer" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Download-Options "noopen" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Permitted-Cross-Domain-Policies "none" always;
+ add_header X-Robots-Tag "none" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+
+ # Optional: Don't log access to assets
+ access_log off;
+ }
+
+ location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ {
+ try_files $uri /index.php$request_uri;
+ # Optional: Don't log access to other assets
+ access_log off;
+ }
+}
\ No newline at end of file
diff --git a/compose/nginx/site-configs/320-secret.conf b/compose/nginx/site-configs/320-secret.conf
new file mode 100644
index 0000000..1116059
--- /dev/null
+++ b/compose/nginx/site-configs/320-secret.conf
@@ -0,0 +1,28 @@
+server {
+ listen 80;
+ server_name secret.example.com;
+ return 301 https://$host$request_uri;
+}
+server {
+ listen 443 ssl http2;
+ server_name secret.example.com;
+ client_max_body_size 25M;
+
+ add_header Strict-Transport-Security max-age=5184000 always;
+
+ ssl_certificate /etc/letsencrypt/live/secret.example.com/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/secret.example.com/privkey.pem; # managed by Certbot
+ ssl_dhparam /etc/nginx/ssl-dhparams.pem; # managed by Certbot
+ include /etc/nginx/ssl.conf; # managed by Certbot
+
+ location / {
+ include /etc/nginx/proxy_params;
+ proxy_set_header X-Forwarded-Host $host:3000;
+ proxy_hide_header Referer;
+ proxy_hide_header Origin;
+ proxy_set_header Referer '';
+ proxy_set_header Origin '';
+ add_header X-Frame-Options "SAMEORIGIN";
+ proxy_pass http://yopass:1337;
+ }
+}
\ No newline at end of file
diff --git a/compose/nginx/site-configs/330-gitea.conf b/compose/nginx/site-configs/330-gitea.conf
new file mode 100644
index 0000000..327e494
--- /dev/null
+++ b/compose/nginx/site-configs/330-gitea.conf
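Review bot: `add_header Strict-Transport-Security "max-age=5184000; includeSubDomains; preload;" always;` carries `preload` with a 60-day max-age, but the preload list requires a max-age of at least one year, so the token achieves nothing beyond signalling an intent the file's own later comment warns about; either drop `preload` or raise max-age to `31536000`, and remove the stray trailing `;` inside the quoted value. `fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;` makes php-fpm execute scripts from a different tree than `root /var/www/app/cloud;`, which `try_files $fastcgi_script_name =404;` checks against, so presumably both paths hold the same Nextcloud checkout (nginx side versus the cloud container); a comment on that line such as `# /var/www/html is where the cloud (php-fpm) container mounts the tree nginx sees at /var/www/app/cloud` would spare the next reader the deduction.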
@@ -0,0 +1,28 @@
+server {
+ listen 80;
+ server_name git.example.com;
+ return 301 https://$host$request_uri;
+}
+server {
+ listen 443 ssl http2;
+ server_name git.example.com;
+ client_max_body_size 250M;
+
+ add_header Strict-Transport-Security max-age=5184000 always;
+
+ ssl_certificate /etc/letsencrypt/live/git.example.com/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/git.example.com/privkey.pem; # managed by Certbot
+ ssl_dhparam /etc/nginx/ssl-dhparams.pem; # managed by Certbot
+ include /etc/nginx/ssl.conf; # managed by Certbot
+
+ location / {
+ include /etc/nginx/proxy_params;
+ proxy_set_header X-Forwarded-Host $host:3000;
+ proxy_hide_header Referer;
+ proxy_hide_header Origin;
+ proxy_set_header Referer '';
+ proxy_set_header Origin '';
+ add_header X-Frame-Options "SAMEORIGIN";
+ proxy_pass http://gitea:3000;
+ }
+}
\ No newline at end of file
-- 2.49.0
From 41470ced845fd81fa05512d99efa140a741af84d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?E=CC=84riks=20K?= Date: Fri, 8 Jul 2022 22:17:49 +0300 Subject: [PATCH 5/5] Configuration changes --- README.md | 7 +- compose/{cloud => nextcloud}/Dockerfile | 0 .../{cloud => nextcloud}/entry_uid_change.sh | 0 compose/{cloud => nextcloud}/supervisord.conf | 0 compose/nginx/conf/nginx.conf | 3 +- .../sites-enabled}/100-default.conf | 0 compose/nginx/site-configs/110-registry.conf | 55 ------- compose/nginx/site-configs/200-static.conf | 46 ------ compose/nginx/site-configs/210-flask.conf | 40 ----- compose/nginx/site-configs/220-django.conf | 39 ----- compose/nginx/site-configs/300-qbit.conf | 31 ---- compose/nginx/site-configs/310-cloud.conf | 141 ------------------ compose/nginx/site-configs/320-secret.conf | 28 ---- compose/nginx/site-configs/330-gitea.conf | 28 ---- .../00-init-users-db.sh.example | 12 +- default.env | 9 +- default.env_certbot | 1 + default.env_cloud => default.env_nextcloud | 0 docker-compose.yaml | 50 +++---- 19 files changed, 38 insertions(+), 452 deletions(-) rename compose/{cloud => nextcloud}/Dockerfile (100%) rename compose/{cloud => nextcloud}/entry_uid_change.sh (100%) rename compose/{cloud => nextcloud}/supervisord.conf (100%) rename compose/nginx/{site-configs => conf/sites-enabled}/100-default.conf (100%) delete mode 100644 compose/nginx/site-configs/110-registry.conf delete mode 100644 compose/nginx/site-configs/200-static.conf delete mode 100644 compose/nginx/site-configs/210-flask.conf delete mode 100644 compose/nginx/site-configs/220-django.conf delete mode 100644 compose/nginx/site-configs/300-qbit.conf delete mode 100644 compose/nginx/site-configs/310-cloud.conf delete mode 100644 compose/nginx/site-configs/320-secret.conf delete mode 100644 compose/nginx/site-configs/330-gitea.conf rename default.env_cloud => default.env_nextcloud (100%) diff --git a/README.md b/README.md index ed5df3e..55e6d32 100644 --- a/README.md +++ b/README.md 
@@ -26,9 +26,6 @@ - **registry** - Privately hosted DockerRegistry (must generate `compose/nginx/conf/registry.htpasswd` - **gitea** - Privately hosted Git server -- **default\_web\_app** - primitive Flask app to serve default nginx tempalte html and display request information at `/req` or `/json` endpoints +- **default\_web\_app** - primitive Flask app to serve default nginx template html and display request information at `/req` or `/json` endpoints -- **vardadienas** - private Flask app to generate and download customisable Latvian nameday calendar `.ics` -- **datne** - private Flask app for on-disk file browsing through WebUI -- **fuelkeeper** - private Django app -- **books** - private Django app +- **vardadienas** - Flask app to generate and download customisable Latvian nameday calendar `.ics` diff --git a/compose/cloud/Dockerfile b/compose/nextcloud/Dockerfile similarity index 100% rename from compose/cloud/Dockerfile rename to compose/nextcloud/Dockerfile diff --git a/compose/cloud/entry_uid_change.sh b/compose/nextcloud/entry_uid_change.sh similarity index 100% rename from compose/cloud/entry_uid_change.sh rename to compose/nextcloud/entry_uid_change.sh diff --git a/compose/cloud/supervisord.conf b/compose/nextcloud/supervisord.conf similarity index 100% rename from compose/cloud/supervisord.conf rename to compose/nextcloud/supervisord.conf diff --git a/compose/nginx/conf/nginx.conf b/compose/nginx/conf/nginx.conf index b2cd543..785af54 100644 --- a/compose/nginx/conf/nginx.conf +++ b/compose/nginx/conf/nginx.conf @@ -42,8 +42,7 @@ http { geo $local_ips { default 0; 10.1.1.0/24 1; - 83.243.93.200/32 1; } - include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enables/*.conf; } diff --git a/compose/nginx/site-configs/100-default.conf b/compose/nginx/conf/sites-enabled/100-default.conf similarity index 100% rename from compose/nginx/site-configs/100-default.conf rename to compose/nginx/conf/sites-enabled/100-default.conf 
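Review bot: The new include path in the nginx.conf hunk, `include /etc/nginx/sites-enables/*.conf;`, has a typo: this commit renames the site config into `conf/sites-enabled`, and docker-compose mounts `./compose/nginx/conf` at `/etc/nginx`, so the line should read `include /etc/nginx/sites-enabled/*.conf;`. Because the path contains a wildcard, nginx treats a glob that matches nothing as an empty include rather than an error, so the misspelling would pass `nginx -t` and start nginx with no server blocks at all instead of failing loudly.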
diff --git a/compose/nginx/site-configs/110-registry.conf b/compose/nginx/site-configs/110-registry.conf deleted file mode 100644 index d500e00..0000000 --- a/compose/nginx/site-configs/110-registry.conf +++ /dev/null 
@@ -1,55 +0,0 @@ -upstream docker-registry { - server registry:5000; -} - -map $upstream_http_docker_distribution_api_version $docker_distribution_api_version { - '' 'registry/2.0'; -} - -server { - listen 80; - server_name registry.example.com; - return 301 https://$host$request_uri; -} -server { - listen 443 ssl http2; - server_name registry.example.com; - - # disable any limits to avoid HTTP 413 for large image uploads - client_max_body_size 0; - - # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486) - chunked_transfer_encoding on; - - #include /etc/nginx/proxy_params; - - add_header Strict-Transport-Security max-age=31536000 always; - - ssl_certificate /etc/letsencrypt/live/registry.example.com/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/registry.example.com/privkey.pem; # managed by Certbot - ssl_dhparam /etc/nginx/ssl-dhparams.pem; # managed by Certbot - include /etc/nginx/ssl.conf; # managed by Certbot - - location /v2/ { - # Do not allow connections from docker 1.5 and earlier - # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents - if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) { - return 404; - } - - # To add basic authentication to v2 use auth_basic setting. - auth_basic "Registry realm"; - auth_basic_user_file /etc/nginx/registry.htpasswd; - - ## If $docker_distribution_api_version is empty, the header is not added. - ## See the map directive above where this variable is defined. - add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always; - - proxy_pass http://registry:5000; - proxy_set_header Host $http_host; # required for docker client's sake - proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_read_timeout 900; - } -} \ No newline at end of file 
diff --git a/compose/nginx/site-configs/200-static.conf b/compose/nginx/site-configs/200-static.conf deleted file mode 100644 index 343f8cc..0000000 --- a/compose/nginx/site-configs/200-static.conf +++ /dev/null @@ -1,46 +0,0 @@ -server { - listen 80; - server_name example.com example.org; - return 301 https://$host$request_uri; - - # display real ip in nginx logs when connected through reverse proxy via docker network - set_real_ip_from 172.0.0.0/8; - real_ip_header X-Forwarded-For; -} - -server { - listen 443 ssl http2; - server_name example.com; - - # display real ip in nginx logs when connected through reverse proxy via docker network - set_real_ip_from 172.0.0.0/8; - real_ip_header X-Forwarded-For; - - ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot - include /etc/nginx/ssl.conf; # managed by Certbot - ssl_dhparam /etc/nginx/ssl-dhparams.pem; # managed by Certbot - - root /var/www/72_lv; - location / { - try_files $uri /index.html; - } -} -server { - listen 443 ssl http2; - server_name example.org; - - # display real ip in nginx logs when connected through reverse proxy via docker network - set_real_ip_from 172.0.0.0/8; - real_ip_header X-Forwarded-For; - - ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem; # managed by Certbot - include /etc/nginx/ssl.conf; # managed by Certbot - ssl_dhparam /etc/nginx/ssl-dhparams.pem; # managed by Certbot - - root /var/www/72_lv; - location / { - try_files $uri /index.html; - } -} \ No newline at end of file diff --git a/compose/nginx/site-configs/210-flask.conf b/compose/nginx/site-configs/210-flask.conf deleted file mode 100644 index 2907629..0000000 --- a/compose/nginx/site-configs/210-flask.conf +++ /dev/null 
@@ -1,40 +0,0 @@ -server { - listen 80; - server_name flask.example.com; - location / { - return 301 https://$host$request_uri; - } -} -server { - listen 443 ssl http2; - server_name flask.example.com; - client_max_body_size 10G; - - ssl_certificate /etc/letsencrypt/live/flask.example.com/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/flask.example.com/privkey.pem; # managed by Certbot - ssl_dhparam /etc/nginx/ssl-dhparams.pem; # managed by Certbot - include /etc/nginx/ssl.conf; # managed by Certbot - - location = /robots.txt { - alias /var/www/app/flask/staticfiles/robots.txt; - } - location = /favicon.ico { - alias /var/www/app/flask/staticfiles/favicon.ico; - } - - location /static { - expires max; - alias /var/www/app/flask/staticfiles; - } - - location /media { - #expires max; - proxy_max_temp_file_size 0; - proxy_buffering off; - alias /var/www/app/flask/media; - } - location / { - include /etc/nginx/proxy_params; - proxy_pass http://flask:5000/; - } -} \ No newline at end of file diff --git a/compose/nginx/site-configs/220-django.conf b/compose/nginx/site-configs/220-django.conf deleted file mode 100644 index 967ce48..0000000 --- a/compose/nginx/site-configs/220-django.conf +++ /dev/null 
@@ -1,39 +0,0 @@ -server { - listen 80; - server_name django.example.com; - return 301 https://$host$request_uri; -} -server { - listen 443 ssl http2; - server_name django.example.com; - client_max_body_size 500M; - - ssl_certificate /etc/letsencrypt/live/django.example.com/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/django.example.com/privkey.pem; # managed by Certbot - ssl_dhparam /etc/nginx/ssl-dhparams.pem; # managed by Certbot - include /etc/nginx/ssl.conf; # managed by Certbot - - location = /robots.txt { - access_log off; - alias /var/www/app/django/staticfiles/robots.txt; - } - location = /favicon.ico { - access_log off; - alias /var/www/app/django/staticfiles/favicon.ico; - } - - location /static { - access_log off; - expires max; - alias /var/www/app/django/staticfiles; - } - - location /media { - expires max; - alias /var/www/app/django/media; - } - location / { - include /etc/nginx/proxy_params; - proxy_pass http://django:5000/; - } -} \ No newline at end of file diff --git a/compose/nginx/site-configs/300-qbit.conf b/compose/nginx/site-configs/300-qbit.conf deleted file mode 100644 index 24f70b7..0000000 --- a/compose/nginx/site-configs/300-qbit.conf +++ /dev/null 
@@ -1,31 +0,0 @@ -server { - listen 80; - server_name qbit.example.com; - return 301 https://$host$request_uri; -} -server { - listen 443 ssl http2; - server_name qbit.example.com; - client_max_body_size 25M; - - access_log off; - error_log off; - - add_header Strict-Transport-Security max-age=31536000 always; - - ssl_certificate /etc/letsencrypt/live/qbit.example.com/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/qbit.example.com/privkey.pem; # managed by Certbot - ssl_dhparam /etc/nginx/ssl-dhparams.pem; # managed by Certbot - include /etc/nginx/ssl.conf; # managed by Certbot - - location / { - include /etc/nginx/proxy_params; - proxy_set_header X-Forwarded-Host $host:3000; - proxy_hide_header Referer; - proxy_hide_header Origin; - proxy_set_header Referer ''; - proxy_set_header Origin ''; - add_header X-Frame-Options "SAMEORIGIN"; - proxy_pass http://qbit:8080; - } -} \ No newline at end of file diff --git a/compose/nginx/site-configs/310-cloud.conf b/compose/nginx/site-configs/310-cloud.conf deleted file mode 100644 index 8bf488e..0000000 --- a/compose/nginx/site-configs/310-cloud.conf +++ /dev/null 
@@ -1,141 +0,0 @@ -upstream php-handler { - server cloud:9000; -} -server { - listen 80; - server_name cloud.example.org cloud.example.com; - return 301 https://$host$request_uri; -} -server { - listen 443 ssl http2; - server_name cloud.example.org cloud.example.com; - - ssl_certificate /etc/letsencrypt/live/cloud.example.com/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/cloud.example.com/privkey.pem; # managed by Certbot - ssl_dhparam /etc/nginx/ssl-dhparams.pem; # managed by Certbot - include /etc/nginx/ssl.conf; # managed by Certbot - - add_header Strict-Transport-Security "max-age=5184000; includeSubDomains; preload;" always; - add_header Referrer-Policy "no-referrer" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-Download-Options "noopen" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Permitted-Cross-Domain-Policies "none" always; - add_header X-Robots-Tag "none" always; - add_header X-XSS-Protection "1; mode=block" always; - - # Remove X-Powered-By, which is an information leak - fastcgi_hide_header X-Powered-By; - - # Path to the root of your installation - root /var/www/app/cloud; - - location = /robots.txt { - allow all; - log_not_found off; - access_log off; - } - - # The following 2 rules are only needed for the user_webfinger app. - # Uncomment it if you're planning to use this app. - rewrite ^/.well-known/host-meta /public.php?service=host-meta last; - rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; - - # The following rule is only needed for the Social app. - # Uncomment it if you're planning to use this app. 
- rewrite ^/.well-known/webfinger /public.php?service=webfinger last; - - location = /.well-known/carddav { - return 301 $scheme://$host:$server_port/remote.php/dav; - } - - location = /.well-known/caldav { - return 301 $scheme://$host:$server_port/remote.php/dav; - } - - # set max upload size - client_max_body_size 10G; - fastcgi_buffers 64 4K; - - # Enable gzip but do not remove ETag headers - gzip on; - gzip_vary on; - gzip_comp_level 4; - gzip_min_length 256; - gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; - gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; - - # Uncomment if your server is build with the ngx_pagespeed module - # This module is currently not supported. 
- #pagespeed off; - - location / { - rewrite ^ /index.php; - } - - location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ { - deny all; - } - location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) { - deny all; - } - - location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) { - fastcgi_split_path_info ^(.+?\.php)(\/.*|)$; - set $path_info $fastcgi_path_info; - try_files $fastcgi_script_name =404; - include fastcgi_params; - #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name; - fastcgi_param PATH_INFO $path_info; - # fastcgi_param HTTPS on; - - # Avoid sending the security headers twice - fastcgi_param modHeadersAvailable true; - - # Enable pretty urls - fastcgi_param front_controller_active true; - fastcgi_pass php-handler; - fastcgi_intercept_errors on; - fastcgi_request_buffering off; - } - - location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) { - try_files $uri/ =404; - index index.php; - } - - # Adding the cache control header for js, css and map files - # Make sure it is BELOW the PHP block - location ~ \.(?:css|js|woff2?|svg|gif|map)$ { - try_files $uri /index.php$request_uri; - add_header Cache-Control "public, max-age=15778463"; - # Add headers to serve security related headers (It is intended to - # have those duplicated to the ones above) - # Before enabling Strict-Transport-Security headers please read into - # this topic first. - #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; - # - # WARNING: Only add the preload option once you read about - # the consequences in https://hstspreload.org/. This option - # will add the domain to a hardcoded list that is shipped - # in all major browsers and getting removed from this list - # could take several months. 
- add_header Referrer-Policy "no-referrer" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-Download-Options "noopen" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Permitted-Cross-Domain-Policies "none" always; - add_header X-Robots-Tag "none" always; - add_header X-XSS-Protection "1; mode=block" always; - - # Optional: Don't log access to assets - access_log off; - } - - location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ { - try_files $uri /index.php$request_uri; - # Optional: Don't log access to other assets - access_log off; - } -} \ No newline at end of file diff --git a/compose/nginx/site-configs/320-secret.conf b/compose/nginx/site-configs/320-secret.conf deleted file mode 100644 index 1116059..0000000 --- a/compose/nginx/site-configs/320-secret.conf +++ /dev/null @@ -1,28 +0,0 @@ -server { - listen 80; - server_name secret.example.com; - return 301 https://$host$request_uri; -} -server { - listen 443 ssl http2; - server_name secret.example.com; - client_max_body_size 25M; - - add_header Strict-Transport-Security max-age=5184000 always; - - ssl_certificate /etc/letsencrypt/live/secret.example.com/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/secret.example.com/privkey.pem; # managed by Certbot - ssl_dhparam /etc/nginx/ssl-dhparams.pem; # managed by Certbot - include /etc/nginx/ssl.conf; # managed by Certbot - - location / { - include /etc/nginx/proxy_params; - proxy_set_header X-Forwarded-Host $host:3000; - proxy_hide_header Referer; - proxy_hide_header Origin; - proxy_set_header Referer ''; - proxy_set_header Origin ''; - add_header X-Frame-Options "SAMEORIGIN"; - proxy_pass http://yopass:1337; - } -} \ No newline at end of file diff --git a/compose/nginx/site-configs/330-gitea.conf b/compose/nginx/site-configs/330-gitea.conf deleted file mode 100644 index 327e494..0000000 --- a/compose/nginx/site-configs/330-gitea.conf +++ /dev/null 
@@ -1,28 +0,0 @@ -server { - listen 80; - server_name git.example.com; - return 301 https://$host$request_uri; -} -server { - listen 443 ssl http2; - server_name git.example.com; - client_max_body_size 250M; - - add_header Strict-Transport-Security max-age=5184000 always; - - ssl_certificate /etc/letsencrypt/live/git.example.com/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/git.example.com/privkey.pem; # managed by Certbot - ssl_dhparam /etc/nginx/ssl-dhparams.pem; # managed by Certbot - include /etc/nginx/ssl.conf; # managed by Certbot - - location / { - include /etc/nginx/proxy_params; - proxy_set_header X-Forwarded-Host $host:3000; - proxy_hide_header Referer; - proxy_hide_header Origin; - proxy_set_header Referer ''; - proxy_set_header Origin ''; - add_header X-Frame-Options "SAMEORIGIN"; - proxy_pass http://gitea:3000; - } -} \ No newline at end of file diff --git a/compose/pgdb/docker-entrypoint-initdb.d/00-init-users-db.sh.example b/compose/pgdb/docker-entrypoint-initdb.d/00-init-users-db.sh.example index 53992c6..552ce01 100644 --- a/compose/pgdb/docker-entrypoint-initdb.d/00-init-users-db.sh.example +++ b/compose/pgdb/docker-entrypoint-initdb.d/00-init-users-db.sh.example 
@@ -2,15 +2,15 @@ set -e psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL - CREATE USER books WITH PASSWORD 'books'; - CREATE DATABASE books; - GRANT ALL PRIVILEGES ON DATABASE books TO books; + CREATE USER flask WITH PASSWORD 'flask'; + CREATE DATABASE flask; + GRANT ALL PRIVILEGES ON DATABASE flask TO flask; EOSQL psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL - CREATE USER fuelkeeper WITH PASSWORD 'fuelkeeper'; - CREATE DATABASE fuelkeeper; - GRANT ALL PRIVILEGES ON DATABASE fuelkeeper TO fuelkeeper; + CREATE USER django WITH PASSWORD 'django'; + CREATE DATABASE django; + GRANT ALL PRIVILEGES ON DATABASE django TO django; EOSQL psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL diff --git a/default.env b/default.env index 24e1602..db68e27 100644 --- a/default.env +++ b/default.env @@ -1,7 +1,4 @@ -cloud_data=/path/to/data/nextcloud -datne_media=/path/to/data/files -datne_target=/path/to/data/files -certbot_path=./compose/cb +nextcloud_data=/path/to/data/nextcloud +torrent_path=/path/to/data/files -datne_git_path="git@gitlab.com:keriks/datne.git" -fuelkeeper_git_path="git@bitbucket.org:keriks/fuelkeeper.git" +nameday_git_path="https://git.72.lv/eriks/flask-namedays" diff --git a/default.env_certbot b/default.env_certbot index 20510c5..ef77949 100644 --- a/default.env_certbot +++ b/default.env_certbot @@ -1,3 +1,4 @@ DIGITALOCEAN_TOKEN= DOMAINS="main example.com|secrets secret.example.com|testing test.example.com *.test.example.com" ADMIN_EMAIL=domain@example.com +CB_STAGING=1 \ No newline at end of file diff --git a/default.env_cloud b/default.env_nextcloud similarity index 100% rename from default.env_cloud rename to default.env_nextcloud diff --git a/docker-compose.yaml b/docker-compose.yaml index ed1b125..4724d3f 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml 
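Review bot: The renamed roles still carry literal passwords identical to the user names, `CREATE USER flask WITH PASSWORD 'flask';` and `CREATE USER django WITH PASSWORD 'django';`; even in an `.example` file this is the text that gets copied into the real init script. Since the `<<-EOSQL` delimiter is unquoted, the heredoc expands shell variables, so the password can come from the container environment, e.g. `CREATE USER flask WITH PASSWORD '${FLASK_DB_PASSWORD}';` (variable name is illustrative), with a `: "${FLASK_DB_PASSWORD:?}"` guard before the psql call so the script aborts under the existing `set -e` when the variable is unset. The same applies to the django block in this hunk.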
@@ -11,25 +11,15 @@ services: restart: always volumes: - ./compose/nginx/conf:/etc/nginx:ro - - ./compose/nginx/site-configs:/etc/nginx/conf.d:ro - - fuelkeeper_static:/var/www/app/fuelkeeper/staticfiles:ro - - fuelkeeper_media:/var/www/app/fuelkeeper/media:ro - - - books_static:/var/www/app/books/static:ro - - books_media:/var/www/app/books/media:ro - - - ${datne_static}:/var/www/app/datne/staticfiles:ro - - ${datne_media}:/var/www/app/datne/media:ro - - - nextcloud:/var/www/app/cloud:ro - - ${cloud_data}:/var/www/app/cloud/data:ro + # All mount points are read only (:ro) - file uploads/edits are processed inside service containers + - nextcloud:/var/www/app/nextcloud:ro + - ${nextcloud_data}:/var/www/app/nextcloud/data:ro - certbot_certs:/etc/letsencrypt:ro - - ./projects/72_lv:/var/www/72_lv:ro depends_on: - default_web_app - - cloud + - nextcloud - yopass - certbot - gitea @@ -47,14 +37,16 @@ services: image: redis:alpine restart: always - cloud: + nextcloud: build: - context: ./compose/cloud + context: ./compose/nextcloud dockerfile: Dockerfile - env_file: .env_cloud + env_file: .env_nextcloud volumes: - nextcloud:/var/www/html - - ${cloud_data}:/var/www/html/data + # Using path from variable "nextcloud_data" to place data at different disk, + # which isn't easily accomplished from compose + - ${nextcloud_data}:/var/www/html/data restart: always links: - pgdb @@ -79,8 +71,6 @@ services: vardadienas: image: registry.72.lv/flask-namedays:latest restart: always - security_opt: - - no-new-privileges certbot: image: certbot/dns-digitalocean:latest 
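Review bot: The third hunk (`@@ -79,8 +71,6 @@`) drops `security_opt:` / `- no-new-privileges` from the `vardadienas` service without a stated reason; the commit message only says "Configuration changes". That option prevents processes in the container from gaining privileges via setuid binaries or file capabilities and is usually harmless for an application container, so unless the image is known to need it removed the two lines should stay. If it was removed because it broke something, a one-line comment next to the service saying so would save the next reviewer the same question. The new `qbit` service in the following hunk does not set it either.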
@@ -109,14 +99,24 @@ services: env_file: - .env_gitea + qbit: + image: lscr.io/linuxserver/qbittorrent + environment: + - PUID=1000 + - PGID=1001 + - TZ=UTC + volumes: + - /config # persistent unnamed storage + - ${torrent_path}:/downloads + ports: + - "30000:30000" + - "30000:30000/udp" + restart: unless-stopped volumes: - books_media: {} - books_static: {} - fuelkeeper_media: {} - fuelkeeper_static: {} - nextcloud: {} + # named persistent volumes + nextcloud: {} # nextcloud configuration pgdb: {} certbot_certs: {} registry: {} -- 2.49.0
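Review bot: `- /config # persistent unnamed storage` in the new `qbit` service declares an anonymous volume, which is not persistent in the way the comment promises: it survives a plain restart, but after `docker compose down` the volume is orphaned (and deleted with `down -v`), so the next `up` starts qBittorrent with empty configuration. Declare it as a named volume like the others in the `volumes:` block this hunk edits, e.g. `- qbit_config:/config` in the service and `qbit_config: {}` under the top-level `volumes:` (name is illustrative). The image is also referenced without a tag, `image: lscr.io/linuxserver/qbittorrent`, so `docker compose pull` may silently move to a different release; pinning a tag keeps the deployment reproducible.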