diff --git a/nginx/.env.example b/nginx/.env.example
index 445e483..78f88a3 100644
--- a/nginx/.env.example
+++ b/nginx/.env.example
@@ -1,12 +1,53 @@
-# Main domain; also name of certificate
-MAIN_DOMAIN=
-
-# Comma-separated list of other domains which also arrive here
+# =====COMMON CONFIGURATION=====
+## Comma-seperated list of domains to generate certs for
+## NOTE: you should only add domains here that aren't used in any of
+## the specific configurations below
 DOMAINS=
-# Admin email; used for certificates
+## Admin email; used for certificates
 EMAIL=
-# HTTP(S) Port
+## HTTP(S) Port
 HTTP_PORT=80
 HTTPS_PORT=443
+
+
+# =====PER-SERVICE CONFIGURATION=====
+# Domain name: domain name that points to the instance
+# Host name: basically the argument to proxy_pass
+
+## Firefly III
+### Domain name
+FIREFLY_DOMAIN=
+### Host name
+FIREFLY_HOST=firefly_app_1
+
+## Koel
+### Domain name
+KOEL_DOMAIN=
+### Host name
+KOEL_HOST=koel_app_1
+
+## Miniflux
+### Domain name
+MINIFLUX_DOMAIN=
+### Host name
+MINIFLUX_HOST=miniflux_app_1
+
+## Monica
+### Domain name
+MONICA_DOMAIN=
+### Host name
+MONICA_HOST=monica_app_1
+
+## Nextcloud
+### Domain name
+NEXTCLOUD_DOMAIN=
+### Host name
+NEXTCLOUD_HOST=nextcloud_app_1
+
+## Portainer
+### Domain name
+PORTAINER_DOMAIN=
+### Host name
+PORTAINER_HOST=portainer_app_1
diff --git a/nginx/build/Dockerfile b/nginx/build/Dockerfile
deleted file mode 100644
index 309ea38..0000000
--- a/nginx/build/Dockerfile
+++ /dev/null
@@ -1,17 +0,0 @@
-FROM nginx:stable-alpine
-
-RUN apk add --no-cache certbot
-
-COPY entrypoint.sh ./entrypoint.sh
-RUN chmod +x ./entrypoint.sh
-
-RUN mkdir /var/lib/certbot
-COPY renew /etc/periodic/weekly/renew
-RUN chmod +x /etc/periodic/weekly/renew
-
-# Default.conf file is annoying
-RUN rm -rf /etc/nginx/conf.d/*
-
-RUN /usr/sbin/crond -f -d 8 &
-
-ENTRYPOINT [ "./entrypoint.sh" ]
diff --git a/nginx/build/entrypoint.sh b/nginx/build/entrypoint.sh
deleted file mode 100644
index d652550..0000000
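Review bot: `## Comma-seperated list of domains to generate certs for` misspells "separated". The `*_HOST` defaults such as `FIREFLY_HOST=firefly_app_1` are compose-style container names that the nginx templates hand to `proxy_pass`, so they only resolve if those containers share the `nginx` network declared in docker-compose.yml; a line after `# Host name: basically the argument to proxy_pass` reading `# must be reachable on the 'nginx' docker network` would make that dependency explicit.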
--- a/nginx/build/entrypoint.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/usr/bin/env sh
-
-certbot certonly --standalone -d "$MAIN_DOMAIN,$DOMAINS" --email "$EMAIL" -n --agree-tos --expand
-
-# The original script handles the template subsitution
-exec /docker-entrypoint.sh nginx -g "daemon off;"
diff --git a/nginx/build/renew b/nginx/build/renew
deleted file mode 100644
index 98327d4..0000000
--- a/nginx/build/renew
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/usr/bin/env sh
-
-python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew --webroot --webroot-path /var/lib/certbot/ --post-hook "/usr/sbin/nginx -s reload"
diff --git a/nginx/docker-compose.yml b/nginx/docker-compose.yml
index c8e51f1..2aea122 100644
--- a/nginx/docker-compose.yml
+++ b/nginx/docker-compose.yml
@@ -1,15 +1,12 @@
-version: '3.5'
+version: '2.4'
+
 services:
   app:
-    build: './build'
+    build: './nginx'
     image: 'nginx-certbot:stable-alpine'
-    environment:
-      - 'DOMAINS'
-      - 'EMAIL'
-      - 'HTTPS_PORT'
-      - 'HTTP_PORT'
-      - 'MAIN_DOMAIN'
+    env_file:
      - '.env'
     networks:
      - 'nginx'
     ports:
diff --git a/nginx/nginx/Dockerfile b/nginx/nginx/Dockerfile
new file mode 100644
index 0000000..19a359b
--- /dev/null
+++ b/nginx/nginx/Dockerfile
@@ -0,0 +1,11 @@
+FROM nginx:1.20.0-alpine
+
+COPY entrypoint.sh /entrypoint.sh
+COPY renew /etc/periodic/weekly/renew
+
+# Install certbot
+# Remove default configs
+RUN apk add --no-cache certbot && \
+    rm -rf /etc/nginx/conf.d/*
+
+ENTRYPOINT [ "./entrypoint.sh" ]
diff --git a/nginx/nginx/entrypoint.sh b/nginx/nginx/entrypoint.sh
new file mode 100755
index 0000000..bd2df4c
--- /dev/null
+++ b/nginx/nginx/entrypoint.sh
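Review bot: `env_file: - '.env'` hands every variable in `.env` to the container, whereas the removed `environment:` list was an explicit allowlist; since the new entrypoint.sh requests a certificate for every `*_DOMAIN` variable it finds in its environment, anything else an operator keeps in that file is now exposed to nginx and certbot and, if its name ends in `_DOMAIN`, becomes an ACME request. If that is intended, say so next to the new key: `# every variable in .env is exported; *_DOMAIN entries become certificate requests (see nginx/entrypoint.sh)`. The move from `version: '3.5'` to `version: '2.4'` is not explained anywhere in the diff; a one-line comment on why the v2 schema is needed would help the next reader. The `ports:` list that follows continues outside the hunk.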
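Review bot: `RUN mkdir /var/lib/certbot` from the deleted build/Dockerfile has no counterpart here, but `nginx/nginx/renew` still passes `--webroot-path /var/lib/certbot/`, so the weekly renewal will fail on a missing directory unless something outside this diff creates it; extend the existing line to `RUN apk add --no-cache certbot && mkdir -p /var/lib/certbot && rm -rf /etc/nginx/conf.d/*`. `ENTRYPOINT [ "./entrypoint.sh" ]` is a relative path that only resolves because no `WORKDIR` is set (the default is `/`); the script is copied to `/entrypoint.sh`, so `ENTRYPOINT ["/entrypoint.sh"]` states what is meant. The base image is pinned to `nginx:1.20.0-alpine` but `certbot` is not; `apk add --no-cache certbot=<PINNED_VERSION>` would keep the image reproducible.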
@@ -0,0 +1,19 @@
+#!/usr/bin/env sh
+
+# Start cron
+/usr/sbin/crond -d 8 &
+
+# Renew all certificates
+for url in $(env | grep '^[^=]\+_DOMAIN=' | sed 's/^.*\?=\(.*\)$/\1/g') $(echo "$DOMAINS" | sed 's/,/ /g')
+do
+  cerbot certonly \
+    --standalone \
+    -d "$url" \
+    --email "$EMAIL" \
+    -n \
+    --agree-tos \
+    --expand
+done
+
+# The original script handles the template subsitution
+exec /docker-entrypoint.sh nginx -g "daemon off;"
diff --git a/nginx/nginx/renew b/nginx/nginx/renew
new file mode 100755
index 0000000..bdbebcf
--- /dev/null
+++ b/nginx/nginx/renew
@@ -0,0 +1,7 @@
+#!/usr/bin/env sh
+
+python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && \
+  certbot renew \
+    --webroot \
+    --webroot-path /var/lib/certbot/ \
+    --post-hook "/usr/sbin/nginx -s reload"
diff --git a/nginx/sites-available/firefly-iii.conf b/nginx/sites-available/firefly-iii.conf.template
similarity index 60%
rename from nginx/sites-available/firefly-iii.conf
rename to nginx/sites-available/firefly-iii.conf.template
index 1a9f1c4..e9447fc 100644
--- a/nginx/sites-available/firefly-iii.conf
+++ b/nginx/sites-available/firefly-iii.conf.template
@@ -1,6 +1,11 @@
 server {
-    listen 443 ssl;
-    server_name DOMAIN;
+    # SSL Key locations
+    ssl_certificate /etc/letsencrypt/live/${FIREFLY_DOMAIN}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${FIREFLY_DOMAIN}/privkey.pem;
+
+    listen ${HTTPS_PORT} ssl;
+    listen [::]:${HTTPS_PORT} ssl;
+    server_name ${FIREFLY_DOMAIN};
     location / {
         proxy_set_header Host $host;
@@ -13,7 +18,7 @@ server {
         proxy_set_header Connection "upgrade";
         resolver 127.0.0.11;
-        proxy_pass http://firefly_app_1:8080;
+        proxy_pass http://${FIREFLY_HOST}:8080;
     }
 }
diff --git a/nginx/sites-available/koel.conf b/nginx/sites-available/koel.conf
deleted file mode 100644
index 82832a5..0000000
--- a/nginx/sites-available/koel.conf
+++ /dev/null
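Review bot: The loop body calls `cerbot certonly \`, which is not the name of the installed binary, so every iteration fails with "not found"; because the script never sets `-e`, it still reaches `exec /docker-entrypoint.sh nginx -g "daemon off;"`, and nginx then refuses to start on the missing `/etc/letsencrypt/live/.../fullchain.pem` files the templates reference — a far less obvious failure than the typo. Change it to `certbot certonly \` and consider `set -eu` after the shebang so a certbot failure stops the container with certbot's own error instead of nginx's. `--expand` is carried over from the old single multi-domain command; with one `-d "$url"` per call it presumably has nothing to expand, so dropping it avoids suggesting otherwise. Also "subsitution" in the last comment should read "substitution".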
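Review bot: `certbot renew --webroot --webroot-path /var/lib/certbot/` requires that directory to exist and an HTTP `location` serving `/.well-known/acme-challenge/` from it, but the initial issuance in entrypoint.sh uses `--standalone`, the new Dockerfile no longer creates `/var/lib/certbot`, and the only plain-HTTP server block visible in http.conf.template answers with `return 301 https://...`; unless such a location exists outside the shown hunks, every weekly renewal will fail and the certificates will lapse with nothing in this build to notice it. The deleted build/renew had the same shape, so this is not a regression of the commit, but the script is being rewritten anyway. At minimum state the precondition at the top: `# requires nginx to serve /.well-known/acme-challenge/ from /var/lib/certbot over plain HTTP`.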
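Review bot: `ssl_certificate /etc/letsencrypt/live/${FIREFLY_DOMAIN}/fullchain.pem;` is substituted textually (presumably by the envsubst step the entrypoint's last comment refers to), so enabling this template while `FIREFLY_DOMAIN` is still blank — its value in .env.example — yields `/etc/letsencrypt/live//fullchain.pem` and nginx refuses to start; the koel, miniflux, nextcloud and portainer templates in this diff have the same shape. A header comment in each, `# requires FIREFLY_DOMAIN and FIREFLY_HOST to be set in .env before this file is linked into sites-enabled`, would put the precondition where operators look. Note also that `resolver 127.0.0.11;` only affects `proxy_pass` when its argument contains an nginx variable; after substitution `${FIREFLY_HOST}` is a literal name resolved once at startup, so nginx will likewise fail to start while that container is absent — pre-existing, but worth a comment. The `location` block continues between the two hunks.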
@@ -1,9 +0,0 @@
-server {
-    listen 443 ssl;
-    server_name DOMAIN;
-
-    location / {
-        resolver 127.0.0.11;
-        proxy_pass http://koel_app_1:80;
-    }
-}
diff --git a/nginx/sites-available/koel.conf.template b/nginx/sites-available/koel.conf.template
new file mode 100644
index 0000000..139f463
--- /dev/null
+++ b/nginx/sites-available/koel.conf.template
@@ -0,0 +1,14 @@
+server {
+    # SSL Key locations
+    ssl_certificate /etc/letsencrypt/live/${KOEL_DOMAIN}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${KOEL_DOMAIN}/privkey.pem;
+
+    listen ${HTTPS_PORT} ssl;
+    listen [::]:${HTTPS_PORT} ssl;
+    server_name ${KOEL_DOMAIN};
+
+    location / {
+        resolver 127.0.0.11;
+        proxy_pass http://${KOEL_HOST}:80;
+    }
+}
diff --git a/nginx/sites-available/miniflux.conf b/nginx/sites-available/miniflux.conf
deleted file mode 100644
index da25654..0000000
--- a/nginx/sites-available/miniflux.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-server {
-    listen 443 ssl;
-    server_name DOMAIN;
-
-    location / {
-        resolver 127.0.0.11;
-        proxy_pass http://miniflux_app_1:8080;
-    }
-}
-
diff --git a/nginx/sites-available/miniflux.conf.template b/nginx/sites-available/miniflux.conf.template
new file mode 100644
index 0000000..eefbe26
--- /dev/null
+++ b/nginx/sites-available/miniflux.conf.template
@@ -0,0 +1,15 @@
+server {
+    # SSL Key locations
+    ssl_certificate /etc/letsencrypt/live/${MINIFLUX_DOMAIN}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${MINIFLUX_DOMAIN}/privkey.pem;
+
+    listen ${HTTPS_PORT} ssl;
+    listen [::]:${HTTPS_PORT} ssl;
+    server_name ${MINIFLUX_DOMAIN};
+
+    location / {
+        resolver 127.0.0.11;
+        proxy_pass http://${MINIFLUX_HOST}:8080;
+    }
+}
+
diff --git a/nginx/sites-available/nefarious.conf b/nginx/sites-available/nefarious.conf.template
similarity index 100%
rename from nginx/sites-available/nefarious.conf
rename to nginx/sites-available/nefarious.conf.template
diff --git a/nginx/sites-available/nextcloud.conf b/nginx/sites-available/nextcloud.conf.template
similarity index 84%
rename from nginx/sites-available/nextcloud.conf
rename to nginx/sites-available/nextcloud.conf.template
index e36549d..9ade02e 100644
--- a/nginx/sites-available/nextcloud.conf
+++ b/nginx/sites-available/nextcloud.conf.template
@@ -1,7 +1,12 @@
 server {
-    listen 443 ssl;
-    listen [::]:443 ssl http2;
-    server_name DOMAIN;
+    # SSL Key locations
+    ssl_certificate /etc/letsencrypt/live/${NEXTCLOUD_DOMAIN}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${NEXTCLOUD_DOMAIN}/privkey.pem;
+
+    listen ${HTTPS_PORT} ssl;
+    # Not sure why http2 is here, but let's keep it just in case
+    listen [::]:${HTTPS_PORT} ssl http2;
+    server_name ${NEXTCLOUD_DOMAIN};
     # Enable gzip but do not remove ETag headers
     gzip on;
@@ -23,7 +28,7 @@ server {
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
     location / {
-        proxy_pass http://nextcloud_app_1:80/;
+        proxy_pass http://${NEXTCLOUD_HOST}:80/;
         proxy_pass_request_headers on;
diff --git a/nginx/sites-available/portainer.conf b/nginx/sites-available/portainer.conf
deleted file mode 100644
index 98b1e44..0000000
--- a/nginx/sites-available/portainer.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-server {
-    listen 443 ssl;
-    server_name DOMAIN;
-
-    location / {
-        proxy_set_header Connection "upgrade";
-
-        resolver 127.0.0.11;
-        proxy_pass http://portainer_app_1:9000;
-    }
-}
diff --git a/nginx/sites-available/portainer.conf.template b/nginx/sites-available/portainer.conf.template
new file mode 100644
index 0000000..c9ec72c
--- /dev/null
+++ b/nginx/sites-available/portainer.conf.template
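Review bot: `http2` is set only on `listen [::]:${HTTPS_PORT} ssl http2;`, and on nginx 1.20 the parameter is per listening socket, so IPv6 clients negotiate HTTP/2 while IPv4 clients on `listen ${HTTPS_PORT} ssl;` stay on HTTP/1.1; the added comment "Not sure why http2 is here, but let's keep it just in case" records the doubt rather than resolving it. Either enable it on both sockets, `listen ${HTTPS_PORT} ssl http2;`, or drop it from the IPv6 line; the sibling templates (firefly, koel, miniflux, portainer) use neither, so dropping it is the consistent choice, and the comment should then state the decision instead of the uncertainty. The server block, including the `add_header Strict-Transport-Security` line in the second hunk, continues outside the hunks.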
@@ -0,0 +1,16 @@
+server {
+    # SSL Key locations
+    ssl_certificate /etc/letsencrypt/live/${PORTAINER_DOMAIN}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${PORTAINER_DOMAIN}/privkey.pem;
+
+    listen ${HTTPS_PORT} ssl;
+    listen [::]:${HTTPS_PORT} ssl;
+    server_name ${PORTAINER_DOMAIN};
+
+    location / {
+        proxy_set_header Connection "upgrade";
+
+        resolver 127.0.0.11;
+        proxy_pass http://${PORTAINER_HOST}:9000;
+    }
+}
diff --git a/nginx/sites-enabled/.gitkeep b/nginx/sites-enabled/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/nginx/templates/http.conf.template b/nginx/templates/http.conf.template
index 2b62f29..ae69504 100644
--- a/nginx/templates/http.conf.template
+++ b/nginx/templates/http.conf.template
@@ -1,9 +1,5 @@
 http {
-    # SSL CONFIGURATION
-    # Key locations
-    ssl_certificate /etc/letsencrypt/live/${MAIN_DOMAIN}/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/${MAIN_DOMAIN}/privkey.pem;
-
+    # COMMON SSL CONFIGURATION
     # Allowed protocols
     ssl_protocols TLSv1.2;
@@ -29,7 +25,6 @@ http {
         return 301 https://$host:${HTTPS_PORT}$request_uri;
     }
-    # LOAD SITES
     include sites-enabled/*.conf;
 }
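Review bot: `proxy_set_header Connection "upgrade";` on its own does not give Portainer a working WebSocket path: nginx talks HTTP/1.0 to the upstream unless `proxy_http_version 1.1;` is set, and the client's `Upgrade` header is not forwarded without `proxy_set_header Upgrade $http_upgrade;`, so the directive mostly stamps "upgrade" onto ordinary requests. This was already so in the deleted portainer.conf and is carried into the new template unchanged. Add those two lines beside it; the usual further step, a `map $http_upgrade $connection_upgrade` in the http block so `Connection` is only "upgrade" when the client asked for it, belongs in http.conf.template rather than here.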
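Review bot: Removing the http-level `ssl_certificate` / `ssl_certificate_key` means every `server` with `listen ... ssl` must now declare its own pair, and nginx rejects a configuration where one does not; `nefarious.conf.template` is renamed at 100% similarity in this commit, so it was not updated and, if linked into sites-enabled, presumably still has the old `listen 443 ssl;` / `server_name DOMAIN;` form with no certificate of its own. Either bring it in line with the other templates or record the new requirement next to `include sites-enabled/*.conf;`: `# every included server block must set ssl_certificate/ssl_certificate_key itself`. The `http` block opens in the first hunk and the HTTP-to-HTTPS redirect server whose `return 301` is visible in the second both continue outside what is shown.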