Completely revamped nginx config

nginx/.env.example

@@ -1,12 +1,53 @@
-# Main domain; also name of certificate
+# =====COMMON CONFIGURATION=====
-MAIN_DOMAIN=
+## Comma-seperated list of domains to generate certs for
-
+## NOTE: you should only add domains here that aren't used in any of
-# Comma-separated list of other domains which also arrive here
+## the specific configurations below
 DOMAINS=
 
-# Admin email; used for certificates
+## Admin email; used for certificates
 EMAIL=
 
-# HTTP(S) Port
+## HTTP(S) Port
 HTTP_PORT=80
 HTTPS_PORT=443
+
+
+# =====PER-SERVICE CONFIGURATION=====
+# Domain name: domain name that points to the instance
+# Host name: basically the argument to proxy_pass
+
+## Firefly III
+### Domain name
+FIREFLY_DOMAIN=
+### Host name
+FIREFLY_HOST=firefly_app_1
+
+## Koel
+### Domain name
+KOEL_DOMAIN=
+### Host name
+KOEL_HOST=koel_app_1
+
+## Miniflux
+### Domain name
+MINIFLUX_DOMAIN=
+### Host name
+MINIFLUX_HOST=miniflux_app_1
+
+## Monica
+### Domain name
+MONICA_DOMAIN=
+### Host name
+MONICA_HOST=monica_app_1
+
+## Nextcloud
+### Domain name
+NEXTCLOUD_DOMAIN=
+### Host name
+NEXTCLOUD_HOST=nextcloud_app_1
+
+## Portainer
+### Domain name
+PORTAINER_DOMAIN=
+### Host name
+PORTAINER_HOST=portainer_app_1

nginx/build/Dockerfile

@@ -1,17 +0,0 @@
-FROM nginx:stable-alpine
-
-RUN apk add --no-cache certbot
-
-COPY entrypoint.sh ./entrypoint.sh
-RUN chmod +x ./entrypoint.sh
-
-RUN mkdir /var/lib/certbot
-COPY renew /etc/periodic/weekly/renew
-RUN chmod +x /etc/periodic/weekly/renew
-
-# Default.conf file is annoying
-RUN rm -rf /etc/nginx/conf.d/*
-
-RUN /usr/sbin/crond -f -d 8 &
-
-ENTRYPOINT [ "./entrypoint.sh" ]

nginx/build/entrypoint.sh

@@ -1,6 +0,0 @@
-#!/usr/bin/env sh
-
-certbot certonly --standalone -d "$MAIN_DOMAIN,$DOMAINS" --email "$EMAIL" -n --agree-tos --expand
-
-# The original script handles the template subsitution
-exec /docker-entrypoint.sh nginx -g "daemon off;"

nginx/build/renew

@@ -1,3 +0,0 @@
-#!/usr/bin/env sh
-
-python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew --webroot --webroot-path /var/lib/certbot/ --post-hook "/usr/sbin/nginx -s reload"

nginx/docker-compose.yml

@@ -1,15 +1,12 @@
-version: '3.5'
+version: '2.4'
+
 services:
     app:
-        build: './build'
+        build: './nginx'
         image: 'nginx-certbot:stable-alpine'
 
-        environment:
+        env_file:
-            - 'DOMAINS'
+            - '.env'
-            - 'EMAIL'
-            - 'HTTPS_PORT'
-            - 'HTTP_PORT'
-            - 'MAIN_DOMAIN'
         networks:
             - 'nginx'
         ports:

nginx/nginx/Dockerfile

@@ -0,0 +1,11 @@
+FROM nginx:1.20.0-alpine
+
+COPY entrypoint.sh /entrypoint.sh
+COPY renew /etc/periodic/weekly/renew
+
+# Install certbot
+# Remove default configs
+RUN apk add --no-cache certbot && \
+    rm -rf /etc/nginx/conf.d/*
+
+ENTRYPOINT [ "./entrypoint.sh" ]

nginx/nginx/entrypoint.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env sh
+
+# Start cron
+/usr/sbin/crond -d 8 &
+
+# Renew all certificates
+for url in $(env | grep '^[^=]\+_DOMAIN=' | sed 's/^.*\?=\(.*\)$/\1/g') $(echo "$DOMAINS" | sed 's/,/ /g')
+do
+    cerbot certonly \
+        --standalone \
+        -d "$url" \
+        --email "$EMAIL" \
+        -n \
+        --agree-tos \
+        --expand
+done
+
+# The original script handles the template subsitution
+exec /docker-entrypoint.sh nginx -g "daemon off;"

nginx/nginx/renew

@@ -0,0 +1,7 @@
+#!/usr/bin/env sh
+
+python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && \
+    certbot renew \
+        --webroot \
+        --webroot-path /var/lib/certbot/ \
+        --post-hook "/usr/sbin/nginx -s reload"

nginx/sites-available/firefly-iii.conf.template

@@ -1,6 +1,11 @@
 server {
-    listen 443 ssl;
+    # SSL Key locations
-    server_name DOMAIN;
+    ssl_certificate     /etc/letsencrypt/live/${FIREFLY_DOMAIN}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${FIREFLY_DOMAIN}/privkey.pem;
+
+    listen ${HTTPS_PORT} ssl;
+    listen [::]:${HTTPS_PORT} ssl;
+    server_name ${FIREFLY_DOMAIN};
 
     location / {
         proxy_set_header Host              $host;
@@ -13,7 +18,7 @@ server {
         proxy_set_header Connection        "upgrade";
 
         resolver 127.0.0.11;
-        proxy_pass http://firefly_app_1:8080;
+        proxy_pass http://${FIREFLY_HOST}:8080;
     }
 }
 

nginx/sites-available/koel.conf

@@ -1,9 +0,0 @@
-server {
-    listen 443 ssl;
-    server_name DOMAIN;
-
-    location / {
-        resolver 127.0.0.11;
-        proxy_pass http://koel_app_1:80;
-    }
-}

nginx/sites-available/koel.conf.template

@@ -0,0 +1,14 @@
+server {
+    # SSL Key locations
+    ssl_certificate     /etc/letsencrypt/live/${KOEL_DOMAIN}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${KOEL_DOMAIN}/privkey.pem;
+
+    listen ${HTTPS_PORT} ssl;
+    listen [::]:${HTTPS_PORT} ssl;
+    server_name ${KOEL_DOMAIN};
+
+    location / {
+        resolver 127.0.0.11;
+        proxy_pass http://${KOEL_HOST}:80;
+    }
+}

nginx/sites-available/miniflux.conf

@@ -1,10 +0,0 @@
-server {
-    listen 443 ssl;
-    server_name DOMAIN;
-
-    location / {
-        resolver 127.0.0.11;
-        proxy_pass http://miniflux_app_1:8080;
-    }
-}
-

nginx/sites-available/miniflux.conf.template

@@ -0,0 +1,15 @@
+server {
+    # SSL Key locations
+    ssl_certificate     /etc/letsencrypt/live/${MINIFLUX_DOMAIN}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${MINIFLUX_DOMAIN}/privkey.pem;
+
+    listen ${HTTPS_PORT} ssl;
+    listen [::]:${HTTPS_PORT} ssl;
+    server_name ${MINIFLUX_DOMAIN};
+
+    location / {
+        resolver 127.0.0.11;
+        proxy_pass http://${MINIFLUX_HOST}:8080;
+    }
+}
+

nginx/sites-available/nextcloud.conf.template

@@ -1,7 +1,12 @@
 server {
-    listen 443 ssl;
+    # SSL Key locations
-    listen [::]:443 ssl http2;
+    ssl_certificate     /etc/letsencrypt/live/${NEXTCLOUD_DOMAIN}/fullchain.pem;
-    server_name DOMAIN;
+    ssl_certificate_key /etc/letsencrypt/live/${NEXTCLOUD_DOMAIN}/privkey.pem;
+
+    listen ${HTTPS_PORT} ssl;
+    # Not sure why http2 is here, but let's keep it just in case
+    listen [::]:${HTTPS_PORT} ssl http2;
+    server_name ${NEXTCLOUD_DOMAIN};
 
     # Enable gzip but do not remove ETag headers
     gzip on;
@@ -23,7 +28,7 @@ server {
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 
     location / {
-        proxy_pass http://nextcloud_app_1:80/;
+        proxy_pass http://${NEXTCLOUD_HOST}:80/;
 
         proxy_pass_request_headers on;
 

nginx/sites-available/portainer.conf

@@ -1,11 +0,0 @@
-server {
-    listen 443 ssl;
-    server_name DOMAIN;
-
-    location / {
-        proxy_set_header Connection "upgrade";
-
-        resolver 127.0.0.11;
-        proxy_pass http://portainer_app_1:9000;
-    }
-}

nginx/sites-available/portainer.conf.template

@@ -0,0 +1,16 @@
+server {
+    # SSL Key locations
+    ssl_certificate     /etc/letsencrypt/live/${PORTAINER_DOMAIN}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${PORTAINER_DOMAIN}/privkey.pem;
+
+    listen ${HTTPS_PORT} ssl;
+    listen [::]:${HTTPS_PORT} ssl;
+    server_name ${PORTAINER_DOMAIN};
+
+    location / {
+        proxy_set_header Connection "upgrade";
+
+        resolver 127.0.0.11;
+        proxy_pass http://${PORTAINER_HOST}:9000;
+    }
+}

nginx/templates/http.conf.template

@@ -1,9 +1,5 @@
 http {
-    # SSL CONFIGURATION
+    # COMMON SSL CONFIGURATION
-    # Key locations
-    ssl_certificate     /etc/letsencrypt/live/${MAIN_DOMAIN}/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/${MAIN_DOMAIN}/privkey.pem;
-
     # Allowed protocols
     ssl_protocols TLSv1.2;
 
@@ -29,7 +25,6 @@ http {
         return 301 https://$host:${HTTPS_PORT}$request_uri;
     }
 
-
     # LOAD SITES
     include sites-enabled/*.conf;
 }