Nginx now uses template syntax for easier config

nginx/.env.example

@@ -0,0 +1,12 @@
+# Main domain; also name of certificate
+MAIN_DOMAIN=
+
+# Comma-separated list of other domains which also arrive here
+DOMAINS=
+
+# Admin email; used for certificates
+EMAIL=
+
+# HTTP(S) Port
+HTTP_PORT=80
+HTTPS_PORT=443

nginx/build/entrypoint.sh

@@ -1,4 +1,4 @@
 #!/usr/bin/env sh
 
-certbot certonly --standalone -d "$DOMAINS" --email "$EMAIL" -n --agree-tos --expand
+certbot certonly --standalone -d "$MAIN_DOMAIN,$DOMAINS" --email "$EMAIL" -n --agree-tos --expand
 /usr/sbin/nginx -g "daemon off;"

nginx/conf.d/http.conf

@@ -1,35 +0,0 @@
-http {
-    # SSL CONFIGURATION
-    # Key locations
-    ssl_certificate     /etc/letsencrypt/live/your.domain.here/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/your.domain.here/privkey.pem;
-
-    # Allowed protocols
-    ssl_protocols TLSv1.2;
-
-    # Allowed cyphers
-    # ssl_ciphers EECDH+CHACHA20:EECDH+AES;
-
-    # Cache settings
-    ssl_session_cache           shared:SSL:10m;
-    ssl_session_timeout         10m;
-
-    # Still gotta figure out what these do
-    # ssl_session_tickets         off;
-    # ssl_prefer_server_ciphers   on;
-    # ssl_ecdh_curve              X25519:prime256v1:secp521r1:secp384r1;
-
-
-    # Auto-route all HTTP requests to HTTPS
-    server {
-        listen 80;
-        listen [::]:80;
-        server_name _;
-
-        return 301 https://$host:443$request_uri;
-    }
-
-
-    # LOAD SITES
-    include sites_enabled/*.conf;
-}

nginx/docker-compose.yml

@@ -4,17 +4,22 @@ services:
         build: './build'
         image: 'nginx-certbot:stable-alpine'
 
-        env_file:
-            - 'nginx.env.example'
+        environment:
+            - 'DOMAINS'
+            - 'EMAIL'
+            - 'HTTPS_PORT'
+            - 'HTTP_PORT'
+            - 'MAIN_DOMAIN'
         networks:
             - 'nginx'
         ports:
-            - '80:80'
-            - '443:443'
+            - '$HTTP_PORT:$HTTP_PORT'
+            - '$HTTPS_PORT:$HTTPS_PORT'
         volumes:
-            - 'certs:/etc/letsencrypt'
             - './nginx.conf:/etc/nginx/nginx.conf'
-            - './conf.d:/etc/nginx/conf.d'
+            - './sites-enabled:/etc/nginx/sites-enabled'
+            - './templates:/etc/nginx/templates'
+            - 'certs:/etc/letsencrypt'
 
 networks:
     nginx:

nginx/nginx.env.example

@@ -1,5 +0,0 @@
-# Comma-separated list of domains
-DOMAINS=
-
-# Admin email; used for certificates
-EMAIL=

nginx/sites-available/nextcloud.conf

@@ -0,0 +1,55 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl http2;
+    server_name DOMAIN;
+
+    # Enable gzip but do not remove ETag headers
+    gzip on;
+    gzip_vary on;
+    gzip_comp_level 4;
+    gzip_min_length 256;
+    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+    # Allow unlimited download size
+    client_max_body_size 0;
+
+    fastcgi_buffers 64 4K;
+
+    # Remove X-Powered-By, which is an information leak
+    fastcgi_hide_header X-Powered-By;
+
+    # Recommended in Nextcloud overview
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+    location / {
+        proxy_pass http://nextcloud_app_1:80/;
+
+        proxy_pass_request_headers on;
+
+        proxy_set_header Host              $host;
+        proxy_set_header X-Forwarded-Host  $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # All recommended in security overview
+        proxy_set_header Referrer-Policy                   "no-referrer" ;
+        proxy_set_header X-Content-Type-Options            "nosniff" ;
+        proxy_set_header X-Download-Options                "noopen" ;
+        proxy_set_header X-Frame-Options                   "SAMEORIGIN" ;
+        proxy_set_header X-Permitted-Cross-Domain-Policies "none" ;
+        proxy_set_header X-Robots-Tag                      "none" ;
+        proxy_set_header X-XSS-Protection                  "1; mode=block" ;
+    }
+
+    
+    # Needed to make CalDAV and CardDAV work properly
+    location /.well-known/carddav {
+        return 301 $scheme://$host/remote.php/dav;
+    }
+
+    location /.well-known/caldav {
+        return 301 $scheme://$host/remote.php/dav;
+    }
+}

nginx/templates/http.conf.template

@@ -0,0 +1,35 @@
+http {
+    # SSL CONFIGURATION
+    # Key locations
+    ssl_certificate     /etc/letsencrypt/live/${MAIN_DOMAIN}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${MAIN_DOMAIN}/privkey.pem;
+
+    # Allowed protocols
+    ssl_protocols TLSv1.2;
+
+    # Allowed cyphers
+    # ssl_ciphers EECDH+CHACHA20:EECDH+AES;
+
+    # Cache settings
+    ssl_session_cache           shared:SSL:10m;
+    ssl_session_timeout         10m;
+
+    # Still gotta figure out what these do
+    ssl_session_tickets         off;
+    ssl_prefer_server_ciphers   on;
+    ssl_ecdh_curve              X25519:prime256v1:secp521r1:secp384r1;
+
+
+    # Auto-route all HTTP requests to HTTPS
+    server {
+        listen ${HTTP_PORT};
+        listen [::]:${HTTP_PORT};
+        server_name _;
+
+        return 301 https://$host:${HTTPS_PORT}$request_uri;
+    }
+
+
+    # LOAD SITES
+    include sites-enabled/*.conf;
+}