Completely revamped nginx config

pull/13/head
Jef Roosens 2021-04-23 16:26:32 +02:00
parent 3411f3d0a9
commit d13573f87d
Signed by: Jef Roosens
GPG Key ID: B580B976584B5F30
19 changed files with 152 additions and 83 deletions

View File

@ -1,12 +1,53 @@
# Main domain; also name of certificate # =====COMMON CONFIGURATION=====
MAIN_DOMAIN= ## Comma-seperated list of domains to generate certs for
## NOTE: you should only add domains here that aren't used in any of
# Comma-separated list of other domains which also arrive here ## the specific configurations below
DOMAINS= DOMAINS=
# Admin email; used for certificates ## Admin email; used for certificates
EMAIL= EMAIL=
# HTTP(S) Port ## HTTP(S) Port
HTTP_PORT=80 HTTP_PORT=80
HTTPS_PORT=443 HTTPS_PORT=443
# =====PER-SERVICE CONFIGURATION=====
# Domain name: domain name that points to the instance
# Host name: basically the argument to proxy_pass
## Firefly III
### Domain name
FIREFLY_DOMAIN=
### Host name
FIREFLY_HOST=firefly_app_1
## Koel
### Domain name
KOEL_DOMAIN=
### Host name
KOEL_HOST=koel_app_1
## Miniflux
### Domain name
MINIFLUX_DOMAIN=
### Host name
MINIFLUX_HOST=miniflux_app_1
## Monica
### Domain name
MONICA_DOMAIN=
### Host name
MONICA_HOST=monica_app_1
## Nextcloud
### Domain name
NEXTCLOUD_DOMAIN=
### Host name
NEXTCLOUD_HOST=nextcloud_app_1
## Portainer
### Domain name
PORTAINER_DOMAIN=
### Host name
PORTAINER_HOST=portainer_app_1

View File

@ -1,17 +0,0 @@
FROM nginx:stable-alpine
RUN apk add --no-cache certbot
COPY entrypoint.sh ./entrypoint.sh
RUN chmod +x ./entrypoint.sh
RUN mkdir /var/lib/certbot
COPY renew /etc/periodic/weekly/renew
RUN chmod +x /etc/periodic/weekly/renew
# Default.conf file is annoying
RUN rm -rf /etc/nginx/conf.d/*
RUN /usr/sbin/crond -f -d 8 &
ENTRYPOINT [ "./entrypoint.sh" ]

View File

@ -1,6 +0,0 @@
#!/usr/bin/env sh
certbot certonly --standalone -d "$MAIN_DOMAIN,$DOMAINS" --email "$EMAIL" -n --agree-tos --expand
# The original script handles the template subsitution
exec /docker-entrypoint.sh nginx -g "daemon off;"

View File

@ -1,3 +0,0 @@
#!/usr/bin/env sh
python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew --webroot --webroot-path /var/lib/certbot/ --post-hook "/usr/sbin/nginx -s reload"

View File

@ -1,15 +1,12 @@
version: '3.5' version: '2.4'
services: services:
app: app:
build: './build' build: './nginx'
image: 'nginx-certbot:stable-alpine' image: 'nginx-certbot:stable-alpine'
environment: env_file:
- 'DOMAINS' - '.env'
- 'EMAIL'
- 'HTTPS_PORT'
- 'HTTP_PORT'
- 'MAIN_DOMAIN'
networks: networks:
- 'nginx' - 'nginx'
ports: ports:

View File

@ -0,0 +1,11 @@
FROM nginx:1.20.0-alpine
COPY entrypoint.sh /entrypoint.sh
COPY renew /etc/periodic/weekly/renew
# Install certbot
# Remove default configs
RUN apk add --no-cache certbot && \
rm -rf /etc/nginx/conf.d/*
ENTRYPOINT [ "./entrypoint.sh" ]

View File

@ -0,0 +1,19 @@
#!/usr/bin/env sh
# Start cron
/usr/sbin/crond -d 8 &
# Renew all certificates
for url in $(env | grep '^[^=]\+_DOMAIN=' | sed 's/^.*\?=\(.*\)$/\1/g') $(echo "$DOMAINS" | sed 's/,/ /g')
do
cerbot certonly \
--standalone \
-d "$url" \
--email "$EMAIL" \
-n \
--agree-tos \
--expand
done
# The original script handles the template subsitution
exec /docker-entrypoint.sh nginx -g "daemon off;"

View File

@ -0,0 +1,7 @@
#!/usr/bin/env sh
python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && \
certbot renew \
--webroot \
--webroot-path /var/lib/certbot/ \
--post-hook "/usr/sbin/nginx -s reload"

View File

@ -1,6 +1,11 @@
server { server {
listen 443 ssl; # SSL Key locations
server_name DOMAIN; ssl_certificate /etc/letsencrypt/live/${FIREFLY_DOMAIN}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${FIREFLY_DOMAIN}/privkey.pem;
listen ${HTTPS_PORT} ssl;
listen [::]:${HTTPS_PORT} ssl;
server_name ${FIREFLY_DOMAIN};
location / { location / {
proxy_set_header Host $host; proxy_set_header Host $host;
@ -13,7 +18,7 @@ server {
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";
resolver 127.0.0.11; resolver 127.0.0.11;
proxy_pass http://firefly_app_1:8080; proxy_pass http://${FIREFLY_HOST}:8080;
} }
} }

View File

@ -1,9 +0,0 @@
server {
listen 443 ssl;
server_name DOMAIN;
location / {
resolver 127.0.0.11;
proxy_pass http://koel_app_1:80;
}
}

View File

@ -0,0 +1,14 @@
server {
# SSL Key locations
ssl_certificate /etc/letsencrypt/live/${KOEL_DOMAIN}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${KOEL_DOMAIN}/privkey.pem;
listen ${HTTPS_PORT} ssl;
listen [::]:${HTTPS_PORT} ssl;
server_name ${KOEL_DOMAIN};
location / {
resolver 127.0.0.11;
proxy_pass http://${KOEL_HOST}:80;
}
}

View File

@ -1,10 +0,0 @@
server {
listen 443 ssl;
server_name DOMAIN;
location / {
resolver 127.0.0.11;
proxy_pass http://miniflux_app_1:8080;
}
}

View File

@ -0,0 +1,15 @@
server {
# SSL Key locations
ssl_certificate /etc/letsencrypt/live/${MINIFLUX_DOMAIN}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${MINIFLUX_DOMAIN}/privkey.pem;
listen ${HTTPS_PORT} ssl;
listen [::]:${HTTPS_PORT} ssl;
server_name ${MINIFLUX_DOMAIN};
location / {
resolver 127.0.0.11;
proxy_pass http://${MINIFLUX_HOST}:8080;
}
}

View File

@ -1,7 +1,12 @@
server { server {
listen 443 ssl; # SSL Key locations
listen [::]:443 ssl http2; ssl_certificate /etc/letsencrypt/live/${NEXTCLOUD_DOMAIN}/fullchain.pem;
server_name DOMAIN; ssl_certificate_key /etc/letsencrypt/live/${NEXTCLOUD_DOMAIN}/privkey.pem;
listen ${HTTPS_PORT} ssl;
# Not sure why http2 is here, but let's keep it just in case
listen [::]:${HTTPS_PORT} ssl http2;
server_name ${NEXTCLOUD_DOMAIN};
# Enable gzip but do not remove ETag headers # Enable gzip but do not remove ETag headers
gzip on; gzip on;
@ -23,7 +28,7 @@ server {
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
location / { location / {
proxy_pass http://nextcloud_app_1:80/; proxy_pass http://${NEXTCLOUD_HOST}:80/;
proxy_pass_request_headers on; proxy_pass_request_headers on;

View File

@ -1,11 +0,0 @@
server {
listen 443 ssl;
server_name DOMAIN;
location / {
proxy_set_header Connection "upgrade";
resolver 127.0.0.11;
proxy_pass http://portainer_app_1:9000;
}
}

View File

@ -0,0 +1,16 @@
server {
# SSL Key locations
ssl_certificate /etc/letsencrypt/live/${PORTAINER_DOMAIN}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${PORTAINER_DOMAIN}/privkey.pem;
listen ${HTTPS_PORT} ssl;
listen [::]:${HTTPS_PORT} ssl;
server_name ${PORTAINER_DOMAIN};
location / {
proxy_set_header Connection "upgrade";
resolver 127.0.0.11;
proxy_pass http://${PORTAINER_HOST}:9000;
}
}

View File

View File

@ -1,9 +1,5 @@
http { http {
# SSL CONFIGURATION # COMMON SSL CONFIGURATION
# Key locations
ssl_certificate /etc/letsencrypt/live/${MAIN_DOMAIN}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${MAIN_DOMAIN}/privkey.pem;
# Allowed protocols # Allowed protocols
ssl_protocols TLSv1.2; ssl_protocols TLSv1.2;
@ -29,7 +25,6 @@ http {
return 301 https://$host:${HTTPS_PORT}$request_uri; return 301 https://$host:${HTTPS_PORT}$request_uri;
} }
# LOAD SITES # LOAD SITES
include sites-enabled/*.conf; include sites-enabled/*.conf;
} }