diff --git a/firefly/firefly.env.example b/firefly/.env.example
similarity index 100%
rename from firefly/firefly.env.example
rename to firefly/.env.example
diff --git a/firefly/Dockerfile b/firefly/Dockerfile
new file mode 100644
index 0000000..a9a0873
--- /dev/null
+++ b/firefly/Dockerfile
@@ -0,0 +1,13 @@
+FROM jc5x/firefly-iii:latest
+
+ARG LOCALE
+
+# Install cron; setup locales
+RUN apt update && \
+apt install --no-install-recommends -y cron && \
+echo "0 */4 * * * php /var/www/html/artisan firefly-iii:cron" | crontab && \
+echo "$LOCALE.UTF-8 UTF-8" >> /etc/locale.gen && \
+locale-gen
+
+# Run cron on startup
+ENTRYPOINT cron && /usr/local/bin/entrypoint.sh
diff --git a/firefly/db.env.example b/firefly/db.env.example
deleted file mode 100644
index b291aea..0000000
--- a/firefly/db.env.example
+++ /dev/null
@@ -1,3 +0,0 @@
-POSTGRES_DB=firefly
-POSTGRES_USER=firefly
-POSTGRES_PASSWORD=password
diff --git a/firefly/docker-compose.yml b/firefly/docker-compose.yml
index 1ca4abf..719e814 100644
--- a/firefly/docker-compose.yml
+++ b/firefly/docker-compose.yml
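Review bot: The RUN step does not check that `LOCALE` is set, so with an empty build arg the line `echo "$LOCALE.UTF-8 UTF-8" >> /etc/locale.gen` writes `.UTF-8 UTF-8` and `locale-gen` runs against a nameless locale; the compose file passes `LOCALE=$DEFAULT_LOCALE`, which Compose expands to an empty string when the variable is missing from `.env`. A leading `test -n "$LOCALE" && \` makes the build fail loudly instead. The same step should use `apt-get` (the `apt` CLI warns that it is not script-stable) and end with `rm -rf /var/lib/apt/lists/*` so the package index does not stay in the layer. The shell-form `ENTRYPOINT cron && /usr/local/bin/entrypoint.sh` leaves `/bin/sh` as PID 1 with the upstream entrypoint as a child, so stop signals never reach it; `ENTRYPOINT cron && exec /usr/local/bin/entrypoint.sh` keeps the cron daemon in the background and hands PID 1 to the real entrypoint.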
@@ -2,36 +2,43 @@ version: '3.3'
 services:
 app:
- image: jc5x/firefly-iii:latest
- restart: always
+ build:
+ context: '.'
+ dockerfile: './Dockerfile'
+ args:
+ - 'LOCALE=$DEFAULT_LOCALE'
+ image: 'firefly-iii-cron:latest'
+ restart: 'always'
 depends_on:
- - db
- - redis
+ - 'db'
+ - 'redis'
 env_file:
- - firefly.env
+ - '.env'
 labels:
 - 'com.centurylinklabs.watchtower.enable=true'
 networks:
- - nginx
- - default
+ - 'nginx'
+ - 'default'
 volumes:
- - upload:/var/www/html/storage/upload
+ - 'upload:/var/www/html/storage/upload'
 db:
- image: postgres:13-alpine
- restart: always
+ image: 'postgres:13-alpine'
+ restart: 'always'
- env_file:
- - db.env
+ environment:
+ - 'POSTGRES_DB=$DB_DATABASE'
+ - 'POSTGRES_PASSWORD=$DB_PASSWORD'
+ - 'POSTGRES_USER=$DB_USERNAME'
 labels:
 - 'com.centurylinklabs.watchtower.enable=true'
 volumes:
- - db-data:/var/lib/postgresql/data
+ - 'db-data:/var/lib/postgresql/data'
 redis:
- image: redis:6-alpine
- restart: always
+ image: 'redis:6-alpine'
+ restart: 'always'
 labels:
 - 'com.centurylinklabs.watchtower.enable=true'
@@ -39,8 +46,7 @@ services:
 networks:
 nginx:
- external:
- name: nginx
+ external: true
 volumes:
 upload:
diff --git a/koel/.env.example b/koel/.env.example
new file mode 100644
index 0000000..d58e408
--- /dev/null
+++ b/koel/.env.example
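Review bot: `image: 'firefly-iii-cron:latest'` now names a locally built image, but the `app` service keeps `com.centurylinklabs.watchtower.enable=true`, so Watchtower will try to pull `firefly-iii-cron:latest` from the default registry — a bare name this project does not own; at best that fails on every poll, and if anyone publishes an image under that name it would presumably replace the local build. Drop the label on `app` (or set it to `false`) and rebuild explicitly, or push the image to a registry you control under a namespaced name. With `FROM jc5x/firefly-iii:latest` in the Dockerfile, `docker-compose build --pull` is what actually picks up upstream updates now, which is worth a comment above `build:`. The `db` service reads `$DB_DATABASE`/`$DB_PASSWORD`/`$DB_USERNAME` from the compose `.env`, so the renamed `.env.example` must define all three; that file is not shown in this commit.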
@@ -0,0 +1,141 @@
+APP_NAME=Koel
+
+# Database connection name, which corresponds to the database driver.
+# Possible values are:
+# mysql (MySQL/MariaDB - default)
+# pgsql (PostgreSQL)
+# sqlsrv (Microsoft SQL Server)
+# sqlite-persistent (Local sqlite file)
+# IMPORTANT: This value must present for artisan koel:init command to work.
+DB_CONNECTION=mysql
+DB_HOST=db
+DB_PORT=3306
+DB_DATABASE=koel
+DB_USERNAME=koel
+DB_PASSWORD=changeme
+
+# A random 32-char string. You can leave this empty if use php artisan koel:init.
+APP_KEY=
+
+# Another random 32-char string. You can leave this empty if use php artisan koel:init.
+JWT_SECRET=
+
+# Credentials and other info to be used when Koel is installed in non-interactive mode
+# (php artisan koel:init --no-interaction)
+# By default (interactive mode), Koel will still prompt for these information during installation,
+# but provide the values here as the defaults (except ADMIN_PASSWORD, for security reason).
+ADMIN_NAME="Koel Admin"
+ADMIN_EMAIL=admin@koel.com
+ADMIN_PASSWORD=SoSecureMuchWow
+# The ABSOLUTE path to your media. This value can always be changed later via the web interface.
+MEDIA_PATH=/media
+
+
+# By default, Koel ignores dot files and folders. This greatly improves performance if your media
+# root have folders like .git or .cache. If by any chance your media files are under a dot folder,
+# set the following setting to false.
+IGNORE_DOT_FILES=true
+
+APP_ENV=production
+APP_DEBUG=true
+# Change this is you're deploying it on a server
+APP_URL=http://localhost
+
+
+# The maximum scan time, in seconds. Increase this if you have a huge library.
+# Note: This setting doesn't have effect when scanning via koel:sync.
+APP_MAX_SCAN_TIME=600
+
+
+# The memory limit, in MB, used by the scanning process.
+# For example, if you want to set a memory limit of 2048MB, enter "2048" (without
+# quotes) here.
+MEMORY_LIMIT=
+
+
+# The streaming method.
+# Can be either 'php' (default), 'x-sendfile', or 'x-accel-redirect'
+# See https://docs.koel.dev/#streaming-music for more information.
+# Note: This setting doesn't have effect if the media needs transcoding (e.g. FLAC).
+STREAMING_METHOD=php
+
+
+# If you want Koel to integrate with Last.fm, set the API details here.
+# See https://docs.koel.dev/3rd-party.html#last-fm for more information
+LASTFM_API_KEY=
+LASTFM_API_SECRET=
+
+
+# If you want to use Amazon S3 with Koel, fill the info here and follow the
+# installation guide at https://docs.koel.dev/aws-s3.html
+AWS_ACCESS_KEY_ID=
+AWS_SECRET_ACCESS_KEY=
+AWS_REGION=
+
+
+# If you want Koel to integrate with YouTube, set the API key here.
+# See https://docs.koel.dev/3rd-party.html#youtube for more information.
+YOUTUBE_API_KEY=
+
+
+# You can also configure Koel to use a CDN to serve the media files.
+# This url must be mapped to the home URL of your Koel's installation.
+# No trailing slash, please.
+CDN_URL=
+
+
+# If you want to transcode FLAC to MP3 and stream it on the fly, make sure the
+# following settings are sane.
+
+# The full path of ffmpeg binary.
+FFMPEG_PATH=/usr/local/bin/ffmpeg
+
+# The bit rate of the output mp3 stream. Higher value results in better quality,
+# but slower streaming and more bandwidth.
+OUTPUT_BIT_RATE=128
+
+# Whether to allow song downloading.
+# Note that if you're downloading more than one song, Koel will zip them up
+# using PHP's ZipArchive. So if the module isn't available in the current
+# environment, such a download will (silently) fail.
+ALLOW_DOWNLOAD=true
+
+# If this is set to true, the query to get artist, album, and song information will be cached.
+# This can give a boost to Koel's boot time, especially if your library is huge.
+# However, the cache deserialization process can be memory sensitive, so if you encounter
+# errors, try setting this to false.
+CACHE_MEDIA=true
+
+
+# Koel attempts to detect if your website use HTTPS and generates secure URLs accordingly.
+# If this attempts for any reason, you can force it by setting this value to true.
+FORCE_HTTPS=yes
+
+
+# Pusher configuration, for interesting features such as remote controlling.
+PUSHER_APP_ID=
+PUSHER_APP_KEY=
+PUSHER_APP_SECRET=
+PUSHER_APP_CLUSTER=
+
+SQS_PUBLIC_KEY=
+SQS_SECRET_KEY=
+SQS_QUEUE_PREFIX=
+SQS_QUEUE_NAME=
+SQS_QUEUE_REGION=
+
+# The variables below are Laravel-specific.
+# You can change them if you know what you're doing. Otherwise, just leave them as-is.
+APP_LOG_LEVEL=debug
+BROADCAST_DRIVER=log
+CACHE_DRIVER=file
+SESSION_DRIVER=file
+QUEUE_DRIVER=sync
+
+MAIL_DRIVER=smtp
+MAIL_HOST=mailtrap.io
+MAIL_PORT=2525
+MAIL_USERNAME=null
+MAIL_PASSWORD=null
+MAIL_ENCRYPTION=null
+
diff --git a/koel/README.md b/koel/README.md
new file mode 100644
index 0000000..7fbf68e
--- /dev/null
+++ b/koel/README.md
@@ -0,0 +1,15 @@
+# Koel
+[Koel](https://github.com/koel/koel) is a self-hostable music server.
+
+# Initial setup
+After launching the application for the first time, you have to run the initial
+setup. This can be done using the following command:
+
+```
+docker exec -it koel_app_1 php artisan koel:init
+```
+
+This will ask you to configure the admin user etc. The location for the music
+can be left as the default (`/music`). The command will error out after asking
+this; this is normal. Even though an error occurred, the system still
+initialized successfully.
diff --git a/koel/docker-compose.yml b/koel/docker-compose.yml
new file mode 100644
index 0000000..19d6e1a
--- /dev/null
+++ b/koel/docker-compose.yml
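Review bot: `APP_DEBUG=true` sits directly under `APP_ENV=production`; with debug on, Laravel's error page renders stack traces and request context to any visitor, and in this stack the app is published to the internet through the nginx container on 443, so an example file that ships debug enabled hands that output to anyone who triggers an error. The example should carry `APP_DEBUG=false` and leave enabling it to a local troubleshooting session. `FORCE_HTTPS=yes` also disagrees with its own comment ("setting this value to true"); since Koel is reached through the TLS-terminating nginx added in this commit, `FORCE_HTTPS=true` is the value the comment describes. `ADMIN_PASSWORD=SoSecureMuchWow` and `DB_PASSWORD=changeme` are acceptable placeholders only if the operator is told to replace them before running `koel:init`; the README added in this commit does not say so.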
@@ -0,0 +1,42 @@
+version: '3.5'
+
+services:
+ app:
+ image: 'hyzual/koel:latest'
+ restart: 'always'
+
+ depends_on:
+ - 'db'
+ labels:
+ - 'com.centurylinklabs.watchtower.enable=true'
+ networks:
+ - 'default'
+ - 'nginx'
+ volumes:
+ - './.env:/var/www/html/.env'
+ - 'covers:/var/www/html/public/img/covers'
+ - 'music:/music'
+
+ db:
+ image: 'mysql:8'
+ restart: 'always'
+ command: '--default-authentication-plugin=mysql_native_password'
+
+ environment:
+ - 'MYSQL_DATABASE=koel'
+ - 'MYSQL_PASSWORD=$DB_PASSWORD'
+ - 'MYSQL_ROOT_PASSWORD=$DB_PASSWORD'
+ - 'MYSQL_USER=$DB_USERNAME'
+ labels:
+ - 'com.centurylinklabs.watchtower.enable=true'
+ volumes:
+ - 'db-data:/var/lib/mysql'
+
+networks:
+ nginx:
+ external: true
+
+volumes:
+ covers:
+ db-data:
+ music:
diff --git a/miniflux/README.md b/miniflux/README.md
index e69de29..202fb1f 100644
--- a/miniflux/README.md
+++ b/miniflux/README.md
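Review bot: `MYSQL_ROOT_PASSWORD=$DB_PASSWORD` gives the MySQL root account the same secret as the application user, so the credential Koel holds in its bind-mounted `.env` is also a database superuser credential. Use a separate variable, or let the image generate one with `MYSQL_RANDOM_ROOT_PASSWORD=yes`, since nothing in this stack needs root. `MYSQL_DATABASE=koel` is hard-coded while `.env.example` defines `DB_DATABASE=koel` and the firefly compose file in the same commit uses `$DB_DATABASE`; `- 'MYSQL_DATABASE=$DB_DATABASE'` keeps the two files from drifting. Whether `--default-authentication-plugin=mysql_native_password` is still needed depends on the PHP driver in `hyzual/koel`; a one-line comment stating why it is there would help either way.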
@@ -0,0 +1,26 @@
+# Miniflux
+> [Miniflux](https://miniflux.app/) is a minimalist and opinionated feed reader.
+
+This description sums up Miniflux pretty well. It's very simple to setup and
+operate, yet does exactly what it's supposed to: it manages RSS feeds.
+
+## Environment variables
+Not much configuration is required by default to get things up and running.
+
+For the database, you have the usual PostgreSQL stuff:
+* `POSTGRES_DB`: database name
+* `POSTGRES_USER`: main user of the database
+* `POSTGRES_PASSWORD`: password for main user
+
+For Miniflux, I used the following defaults:
+* `DATABASE_URL`: this URL defines how to connect to the database. It follows
+ the form
+ `postgres://POSTGRES_USER:POSTGRES_PASSWORD@db/POSTGRES_DB?sslmode=disable`
+* `RUN_MIGRATIONS`: this lets Miniflux auto-migrate the database when needed
+ (this is especially useful during initial startup)
+* `CREATE_ADMIN`: this allows us to create an admin account using env vars
+* `ADMIN_USERNAME`: admin username
+* `ADMIN_PASSWORD`: admin password
+
+Miniflux has many other variables you can set, which you can find
+[here](https://miniflux.app/docs/configuration.html).
diff --git a/nefarious/.env.example b/nefarious/.env.example
new file mode 100644
index 0000000..aeaffa3
--- /dev/null
+++ b/nefarious/.env.example
@@ -0,0 +1,32 @@
+# Only sqlite3 works by default
+DATABASE_URL=sqlite:////config/db.sqlite3
+
+# Path to download torrents to.
+# In this setup, we juse use a docker volume as the downloads aren't meant to stay on the system after being watched
+# You can change this to a directory if you wish to download to the host's file system instead
+HOST_DOWNLOAD_PATH=downloads
+
+# Redis host; shouldn't be changed
+REDIS_HOST=redis
+
+# Config path for nefarious inside container; leave as is
+NEFARIOUS_CONFIG_PATH=/config
+
+# Admin user credentials
+NEFARIOUS_USER=admin
+NEFARIOUS_PASS=changeme
+
+# Transmission user credentials
+# These are only needed if you wish to expose the transmission server
+TRANSMISSION_USER=
+TRANSMISSION_PASS=
+
+# UID and GID to run as
+PUID=1000
+PGID=1000
+
+# Timezone
+TZ=Europe/London
+
+# How many worker processes celery may use; if 0, uses all cpu cores
+CELERY_WORKERS=0
diff --git a/nefarious/README.md b/nefarious/README.md
new file mode 100644
index 0000000..e69de29
diff --git a/nefarious/docker-compose.yml b/nefarious/docker-compose.yml
new file mode 100644
index 0000000..e41d754
--- /dev/null
+++ b/nefarious/docker-compose.yml
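Review bot: `TRANSMISSION_USER=` and `TRANSMISSION_PASS=` are left empty with a comment saying they are only needed "if you wish to expose the transmission server", yet `nginx/sites-available/nefarious.conf` in this same commit proxies `nefarious_transmission_1:9091` on 443 and `nefarious/transmission_settings.json` sets `rpc-whitelist` to `*`. With the IP allow-list open, RPC authentication is the only control left, and an empty `USER`/`PASS` presumably leaves the linuxserver image with authentication disabled, so enabling that site publishes an unauthenticated torrent RPC to anyone who reaches the domain. Ship non-empty placeholders, e.g. `TRANSMISSION_USER=transmission` / `TRANSMISSION_PASS=changeme` (matching the `NEFARIOUS_PASS=changeme` convention), and reword the comment to say the provided nginx site requires them. The `jackett` block in the same nginx file has the same property and deserves the same consideration.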
@@ -0,0 +1,108 @@
+version: '3.5'
+
+services:
+ # Main nefarious app
+ app:
+ image: 'lardbit/nefarious:latest'
+ restart: 'always'
+ logging:
+ options:
+ max-size: '500k'
+ max-file: '10'
+
+ depends_on:
+ - 'celery'
+ - 'jackett'
+ - 'redis'
+ environment:
+ - 'DATABASE_URL'
+ - 'REDIS_HOST'
+ - 'HOST_DOWNLOAD_PATH'
+ - 'NEFARIOUS_USER'
+ - 'NEFARIOUS_PASS'
+ - 'CONFIG_PATH=${NEFARIOUS_CONFIG_PATH}'
+ labels:
+ - 'com.centurylinklabs.watchtower.enable=true'
+ networks:
+ - 'default'
+ - 'nginx'
+ volumes:
+ - 'config:${NEFARIOUS_CONFIG_PATH}'
+
+ # Caching
+ redis:
+ image: 'redis:6-alpine'
+ restart: 'always'
+ labels:
+ - 'com.centurylinklabs.watchtower.enable=true'
+
+ # Background task queue
+ celery:
+ image: 'lardbit/nefarious:latest'
+ restart: 'always'
+ entrypoint: /env/bin/celery -A nefarious worker --concurrency $CELERY_WORKERS --beat --loglevel=INFO
+ logging:
+ options:
+ max-size: '500k'
+ max-file: '10'
+
+ depends_on:
+ - 'redis'
+ environment:
+ - 'DATABASE_URL'
+ - 'REDIS_HOST'
+ - 'CONFIG_PATH=${NEFARIOUS_CONFIG_PATH}'
+ labels:
+ - 'com.centurylinklabs.watchtower.enable=true'
+ volumes:
+ - 'config:${NEFARIOUS_CONFIG_PATH}'
+
+ # Tracker searching
+ jackett:
+ image: 'linuxserver/jackett:latest'
+ restart: 'always'
+ logging:
+ options:
+ max-size: '500k'
+ max-file: '10'
+
+ labels:
+ - 'com.centurylinklabs.watchtower.enable=true'
+ networks:
+ - 'default'
+ - 'nginx'
+ volumes:
+ - 'jackett-config:/config'
+
+ # Torrenting server
+ transmission:
+ image: 'linu server/transmission:latest'
+ restart: 'always'
+ logging:
+ options:
+ max-size: '500k'
+ max-file: '10'
+
+ environment:
+ - 'PUID'
+ - 'PGID'
+ - 'TZ'
+ - 'USER=${TRANSMISSION_USER}'
+ - 'PASS=${TRANSMISSION_PASS}'
+ labels:
+ - 'com.centurylinklabs.watchtower.enable=true'
+ ports:
+ - '51413:51413'
+ - '51413:51413/udp'
+ volumes:
+ - '$HOST_DOWNLOAD_PATH:/downloads'
+ - './transmission_settings.json:/config/settings.json'
+
+networks:
+ nginx:
+ external: true
+
+volumes:
+ config:
+ downloads:
+ jackett-config:
diff --git a/nefarious/transmission_settings.json b/nefarious/transmission_settings.json
new file mode 100644
index 0000000..c079c8f
--- /dev/null
+++ b/nefarious/transmission_settings.json
@@ -0,0 +1,10 @@
+{
+ "download-dir": "/downloads/complete",
+ "incomplete-dir": "/downloads/incomplete",
+ "rpc-whitelist": "*",
+ "rpc-host-whitelist-enabled": "false",
+ "port-forwarding-enabled": true,
+ "peer-port": 51413,
+ "peer-port-random-on-start": false,
+ "peer-socket-tos": "default"
+}
diff --git a/nextcloud/nc.env.example b/nextcloud/.env.example
similarity index 95%
rename from nextcloud/nc.env.example
rename to nextcloud/.env.example
index 76fc4c5..526887b 100644
--- a/nextcloud/nc.env.example
+++ b/nextcloud/.env.example
@@ -1,8 +1,8 @@
-# Database
+# Database settings
+POSTGRES_HOST=db
 POSTGRES_DB=nextcloud
 POSTGRES_USER=nextcloud
 POSTGRES_PASSWORD=pass
-POSTGRES_HOST=db
 # Redis
 REDIS_HOST=redis
diff --git a/nextcloud/db.env.example b/nextcloud/db.env.example
deleted file mode 100644
index f622d7f..0000000
--- a/nextcloud/db.env.example
+++ /dev/null
@@ -1,3 +0,0 @@
-POSTGRES_DB=nextcloud
-POSTGRES_USER=nextcloud
-POSTGRES_PASSWORD=pass
diff --git a/nextcloud/docker-compose.yml b/nextcloud/docker-compose.yml
index d27f50d..b287465 100644
--- a/nextcloud/docker-compose.yml
+++ b/nextcloud/docker-compose.yml
@@ -9,7 +9,7 @@ services:
 - 'db'
 - 'redis'
 env_file:
- - 'nc.env'
+ - '.env'
 labels:
 - 'com.centurylinklabs.watchtower.enable=true'
 networks:
@@ -27,6 +27,8 @@ services:
 depends_on:
 - 'app'
+ env_file:
+ - '.env'
 labels:
 - 'com.centurylinklabs.watchtower.enable=true'
 volumes:
@@ -38,8 +40,10 @@ services:
 image: 'postgres:13-alpine'
 restart: 'always'
- env_file:
- - 'db.env'
+ environment:
+ - 'POSTGRES_DB'
+ - 'POSTGRES_USER'
+ - 'POSTGRES_PASSWORD'
 labels:
 - 'com.centurylinklabs.watchtower.enable=true'
 volumes:
diff --git a/nginx/.env.example b/nginx/.env.example
new file mode 100644
index 0000000..445e483
--- /dev/null
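Review bot: `"rpc-host-whitelist-enabled": "false"` is a quoted string where the neighbouring `port-forwarding-enabled` and `peer-port-random-on-start` are JSON booleans; whether Transmission accepts the string form is parser-dependent, and an unquoted `false` says what is meant. Disabling the host whitelist also switches off Transmission's DNS-rebinding protection for the RPC; the narrower setting is to leave it enabled and list the public hostname nginx forwards in `"rpc-host-whitelist"`. `"rpc-whitelist": "*"` opens the IP allow-list completely, so the RPC credentials (`USER`/`PASS` from `nefarious/.env.example`, empty there) are the only remaining control on this endpoint. Transmission presumably rewrites `settings.json` on shutdown, so the bind-mounted copy in the repo may come back modified; a comment on the volume line in the compose file saying the file is a seed would set expectations.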
+++ b/nginx/.env.example
@@ -0,0 +1,12 @@
+# Main domain; also name of certificate
+MAIN_DOMAIN=
+
+# Comma-separated list of other domains which also arrive here
+DOMAINS=
+
+# Admin email; used for certificates
+EMAIL=
+
+# HTTP(S) Port
+HTTP_PORT=80
+HTTPS_PORT=443
diff --git a/nginx/build/Dockerfile b/nginx/build/Dockerfile
index b70c34b..309ea38 100644
--- a/nginx/build/Dockerfile
+++ b/nginx/build/Dockerfile
@@ -9,6 +9,9 @@ RUN mkdir /var/lib/certbot
 COPY renew /etc/periodic/weekly/renew
 RUN chmod +x /etc/periodic/weekly/renew
+# Default.conf file is annoying
+RUN rm -rf /etc/nginx/conf.d/*
+
 RUN /usr/sbin/crond -f -d 8 &
 ENTRYPOINT [ "./entrypoint.sh" ]
diff --git a/nginx/build/entrypoint.sh b/nginx/build/entrypoint.sh
index ede0c39..d652550 100644
--- a/nginx/build/entrypoint.sh
+++ b/nginx/build/entrypoint.sh
@@ -1,4 +1,6 @@
 #!/usr/bin/env sh
-certbot certonly --standalone -d "$DOMAINS" --email "$EMAIL" -n --agree-tos --expand
-/usr/sbin/nginx -g "daemon off;"
+certbot certonly --standalone -d "$MAIN_DOMAIN,$DOMAINS" --email "$EMAIL" -n --agree-tos --expand
+
+# The original script handles the template subsitution
+exec /docker-entrypoint.sh nginx -g "daemon off;"
diff --git a/nginx/conf.d/http.conf b/nginx/conf.d/http.conf
deleted file mode 100644
index c92194d..0000000
--- a/nginx/conf.d/http.conf
+++ /dev/null
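Review bot: Not introduced by this commit but visible in the context: `RUN /usr/sbin/crond -f -d 8 &` starts crond during the image build, where the process dies when the layer finishes, so the weekly `renew` script copied two lines above never runs in the container and the certificates obtained by `entrypoint.sh` will lapse after the ACME lifetime. crond has to be started at container runtime, e.g. in `entrypoint.sh` before the `exec` of the nginx entrypoint (`/usr/sbin/crond -d 8 &`), and the RUN line dropped. The new `RUN rm -rf /etc/nginx/conf.d/*` is correct for the template workflow, but `# Default.conf file is annoying` says less than `# conf.d is populated at start-up from the mounted templates/ directory; drop the image's default site`, which is presumably what the official entrypoint does here.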
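Review bot: `-d "$MAIN_DOMAIN,$DOMAINS"` yields a trailing comma when `DOMAINS` is empty, which the new `nginx/.env.example` allows (`DOMAINS=`), and certbot then receives an empty entry in the domain list that it is unlikely to accept. Build the list conditionally: `DOMAINS="${DOMAINS:+,$DOMAINS}"` followed by `-d "$MAIN_DOMAIN$DOMAINS"`. The script also has no `set -e`, so a failed certbot run still falls through to `exec /docker-entrypoint.sh nginx`, which then dies on the missing `/etc/letsencrypt/live/${MAIN_DOMAIN}/` files referenced by `http.conf.template` with a less useful error; `set -eu` on line 2 makes the certbot failure the visible one. The comment typo `subsitution` should read `substitution`.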
@@ -1,35 +0,0 @@
-http {
- # SSL CONFIGURATION
- # Key locations
- ssl_certificate /etc/letsencrypt/live/your.domain.here/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/your.domain.here/privkey.pem;
-
- # Allowed protocols
- ssl_protocols TLSv1.2;
-
- # Allowed cyphers
- # ssl_ciphers EECDH+CHACHA20:EECDH+AES;
-
- # Cache settings
- ssl_session_cache shared:SSL:10m;
- ssl_session_timeout 10m;
-
- # Still gotta figure out what these do
- # ssl_session_tickets off;
- # ssl_prefer_server_ciphers on;
- # ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
-
-
- # Auto-route all HTTP requests to HTTPS
- server {
- listen 80;
- listen [::]:80;
- server_name _;
-
- return 301 https://$host:443$request_uri;
- }
-
-
- # LOAD SITES
- include sites_enabled/*.conf;
-}
diff --git a/nginx/docker-compose.yml b/nginx/docker-compose.yml
index 7b758df..c8e51f1 100644
--- a/nginx/docker-compose.yml
+++ b/nginx/docker-compose.yml
@@ -4,17 +4,22 @@ services:
 build: './build'
 image: 'nginx-certbot:stable-alpine'
- env_file:
- - 'nginx.env.example'
+ environment:
+ - 'DOMAINS'
+ - 'EMAIL'
+ - 'HTTPS_PORT'
+ - 'HTTP_PORT'
+ - 'MAIN_DOMAIN'
 networks:
 - 'nginx'
 ports:
- - '80:80'
- - '443:443'
+ - '$HTTP_PORT:$HTTP_PORT'
+ - '$HTTPS_PORT:$HTTPS_PORT'
 volumes:
- - 'certs:/etc/letsencrypt'
 - './nginx.conf:/etc/nginx/nginx.conf'
- - './conf.d:/etc/nginx/conf.d'
+ - './sites-enabled:/etc/nginx/sites-enabled'
+ - './templates:/etc/nginx/templates'
+ - 'certs:/etc/letsencrypt'
 networks:
 nginx:
diff --git a/nginx/nginx.env.example b/nginx/nginx.env.example
deleted file mode 100644
index b807d76..0000000
--- a/nginx/nginx.env.example
+++ /dev/null
@@ -1,5 +0,0 @@
-# Comma-separated list of domains
-DOMAINS=
-
-# Admin email; used for certificates
-EMAIL=
diff --git a/nginx/sites-available/firefly-iii.conf b/nginx/sites-available/firefly-iii.conf
index 9a677f2..1a9f1c4 100644
--- a/nginx/sites-available/firefly-iii.conf
+++ b/nginx/sites-available/firefly-iii.conf
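Review bot: Publishing `'$HTTP_PORT:$HTTP_PORT'` makes the HTTP port configurable, but `entrypoint.sh` runs `certbot --standalone`, whose HTTP-01 challenge listener binds port 80 inside the container and is contacted by the CA on port 80 of the host; with `HTTP_PORT` set to anything else neither side lines up and issuance fails before nginx starts. Either pin the container side — `'$HTTP_PORT:80'` here and `listen 80;` in `http.conf.template` — or state in `nginx/.env.example` that `HTTP_PORT` must stay 80 for certificate issuance. Compose also replaces an unset `HTTP_PORT`/`HTTPS_PORT` with an empty string, which produces an invalid `:` port spec; `'${HTTP_PORT:-80}:80'` and `'${HTTPS_PORT:-443}:${HTTPS_PORT:-443}'` restore the behaviour of the removed hard-coded mappings when the variables are missing.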
@@ -1,6 +1,6 @@
 server {
 listen 443 ssl;
- server_name PLACEHOLDER;
+ server_name DOMAIN;
 location / {
 proxy_set_header Host $host;
diff --git a/nginx/sites-available/koel.conf b/nginx/sites-available/koel.conf
new file mode 100644
index 0000000..82832a5
--- /dev/null
+++ b/nginx/sites-available/koel.conf
@@ -0,0 +1,9 @@
+server {
+ listen 443 ssl;
+ server_name DOMAIN;
+
+ location / {
+ resolver 127.0.0.11;
+ proxy_pass http://koel_app_1:80;
+ }
+}
diff --git a/nginx/sites-available/miniflux.conf b/nginx/sites-available/miniflux.conf
new file mode 100644
index 0000000..da25654
--- /dev/null
+++ b/nginx/sites-available/miniflux.conf
@@ -0,0 +1,10 @@
+server {
+ listen 443 ssl;
+ server_name DOMAIN;
+
+ location / {
+ resolver 127.0.0.11;
+ proxy_pass http://miniflux_app_1:8080;
+ }
+}
+
diff --git a/nginx/sites-available/nefarious.conf b/nginx/sites-available/nefarious.conf
new file mode 100644
index 0000000..0f3eed0
--- /dev/null
+++ b/nginx/sites-available/nefarious.conf
@@ -0,0 +1,36 @@
+server {
+ listen 443 ssl;
+ server_name DOMAIN;
+
+ location / {
+ resolver 127.0.0.11;
+ proxy_pass http://nefarious_transmission_1:9091;
+ }
+}
+
+server {
+ listen 443 ssl;
+ server_name DOMAIN;
+
+ location / {
+ resolver 127.0.0.11;
+ proxy_pass http://nefarious_jackett_1:9117;
+ }
+}
+
+server {
+ listen 443 ssl;
+ server_name DOMAIN;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $server_name;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Ssl on;
+
+ resolver 127.0.0.11;
+ proxy_pass http://nefarious_app_1:80;
+ }
+}
diff --git a/nginx/sites-available/nextcloud.conf b/nginx/sites-available/nextcloud.conf
new file mode 100644
index 0000000..e36549d
--- /dev/null
+++ b/nginx/sites-available/nextcloud.conf
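Review bot: `resolver 127.0.0.11;` has no effect on `proxy_pass http://koel_app_1:80;`, because a literal upstream host is resolved once at startup or reload; nginx then refuses to start when the koel container is not up yet and keeps a stale address after it is recreated, which matters here since the two compose projects are started independently. To use Docker's DNS at request time the host has to be a variable: `set $koel koel_app_1;` then `proxy_pass http://$koel:80;`. The block also sends none of the `Host`/`X-Forwarded-*` headers that `firefly-iii.conf` and the app block of `nefarious.conf` set, so Koel sees `koel_app_1` as its host and `http` as its scheme, which is what its `APP_URL`/`FORCE_HTTPS` settings in the new `.env.example` depend on. `miniflux.conf` and the transmission and jackett blocks of `nefarious.conf` in this commit share both issues.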
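Review bot: The three `server` blocks all declare `server_name DOMAIN;` on the same `listen 443 ssl`, and nginx handles duplicate names by keeping the first block and logging a "conflicting server name" warning for the rest, so an operator who replaces only one placeholder, or reuses a name, silently gets the transmission block for every request. Use three distinct placeholders (e.g. `TRANSMISSION_DOMAIN`, `JACKETT_DOMAIN`, `NEFARIOUS_DOMAIN`) or put a comment above each block stating that the names must differ. The transmission and jackett blocks also forward no `Host`/`X-Forwarded-*` headers while the app block does; if that asymmetry is intentional, a comment should say why.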
@@ -0,0 +1,55 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl http2;
+ server_name DOMAIN;
+
+ # Enable gzip but do not remove ETag headers
+ gzip on;
+ gzip_vary on;
+ gzip_comp_level 4;
+ gzip_min_length 256;
+ gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+ gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+ # Allow unlimited download size
+ client_max_body_size 0;
+
+ fastcgi_buffers 64 4K;
+
+ # Remove X-Powered-By, which is an information leak
+ fastcgi_hide_header X-Powered-By;
+
+ # Recommended in Nextcloud overview
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ location / {
+ proxy_pass http://nextcloud_app_1:80/;
+
+ proxy_pass_request_headers on;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # All recommended in security overview
+ proxy_set_header Referrer-Policy "no-referrer" ;
+ proxy_set_header X-Content-Type-Options "nosniff" ;
+ proxy_set_header X-Download-Options "noopen" ;
+ proxy_set_header X-Frame-Options "SAMEORIGIN" ;
+ proxy_set_header X-Permitted-Cross-Domain-Policies "none" ;
+ proxy_set_header X-Robots-Tag "none" ;
+ proxy_set_header X-XSS-Protection "1; mode=block" ;
+ }
+
+
+ # Needed to make CalDAV and CardDAV work properly
+ location /.well-known/carddav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+
+ location /.well-known/caldav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+}
diff --git a/nginx/sites-available/portainer.conf b/nginx/sites-available/portainer.conf
index 94c9498..98b1e44 100644
--- a/nginx/sites-available/portainer.conf
+++ b/nginx/sites-available/portainer.conf
@@ -1,6 +1,6 @@
 server {
 listen 443 ssl;
- server_name PLACEHOLDER;
+ server_name DOMAIN;
 location / {
 proxy_set_header Connection "upgrade";
diff --git a/nginx/conf.d/events.conf b/nginx/templates/events.conf.template
similarity index 100%
rename from nginx/conf.d/events.conf
rename to nginx/templates/events.conf.template
diff --git a/nginx/templates/http.conf.template b/nginx/templates/http.conf.template
new file mode 100644
index 0000000..2b62f29
--- /dev/null
+++ b/nginx/templates/http.conf.template
@@ -0,0 +1,35 @@
+http {
+ # SSL CONFIGURATION
+ # Key locations
+ ssl_certificate /etc/letsencrypt/live/${MAIN_DOMAIN}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/${MAIN_DOMAIN}/privkey.pem;
+
+ # Allowed protocols
+ ssl_protocols TLSv1.2;
+
+ # Allowed cyphers
+ # ssl_ciphers EECDH+CHACHA20:EECDH+AES;
+
+ # Cache settings
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+
+ # Still gotta figure out what these do
+ ssl_session_tickets off;
+ ssl_prefer_server_ciphers on;
+ ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
+
+
+ # Auto-route all HTTP requests to HTTPS
+ server {
+ listen ${HTTP_PORT};
+ listen [::]:${HTTP_PORT};
+ server_name _;
+
+ return 301 https://$host:${HTTPS_PORT}$request_uri;
+ }
+
+
+ # LOAD SITES
+ include sites-enabled/*.conf;
+}
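Review bot: The seven `proxy_set_header` lines under "All recommended in security overview" set request headers sent to the Nextcloud container; `X-Content-Type-Options`, `X-Frame-Options`, `Referrer-Policy` and the others are response headers that only do anything when the browser receives them, so as written they protect nobody. If the proxy is meant to add them they belong in `add_header … always;` directives, and because `add_header` inside a `location` suppresses the inherited server-level ones they should sit next to the existing `Strict-Transport-Security` line at server level, as in the excerpt; if Nextcloud itself is trusted to emit them (its default `.htaccess` does), the seven lines can simply be deleted. `fastcgi_buffers` and `fastcgi_hide_header X-Powered-By` likewise have no effect on a `proxy_pass` location — the proxy equivalent of the latter is `proxy_hide_header X-Powered-By;`. `http2` is enabled only on the IPv6 `listen`; the IPv4 one should match.
```nginx
    # Recommended in Nextcloud overview
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Recommended in the security overview: response headers, so add_header (not proxy_set_header)
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak (proxy_pass, so not fastcgi_hide_header)
    proxy_hide_header X-Powered-By;

    location / {
        proxy_pass http://nextcloud_app_1:80/;
        # … unchanged: proxy_pass_request_headers and the Host/X-Forwarded-* proxy_set_header lines …
    }
```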
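Review bot: `ssl_protocols TLSv1.2;` leaves out TLS 1.3, which the nginx in a current `stable-alpine` image supports given OpenSSL 1.1.1 or newer; `ssl_protocols TLSv1.2 TLSv1.3;` is the usual baseline. The block under `# Still gotta figure out what these do` now enables `ssl_session_tickets off`, `ssl_prefer_server_ciphers on` and `ssl_ecdh_curve …` while keeping that comment, so replace it with what they do now that they are live: tickets off avoids a process-lifetime ticket key that would undermine forward secrecy across sessions, `ssl_prefer_server_ciphers on` only matters together with the `ssl_ciphers` list still commented out a few lines above (and is ignored for TLS 1.3), and the curve list fixes which key-exchange groups are offered. A note that `$host` and `$request_uri` survive the template pass only because the nginx entrypoint presumably substitutes just variables defined in the container environment would stop a future reader from "fixing" them to `${host}`.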