Added 'restart: always' to nginx

gitea/.env.example

@@ -0,0 +1,16 @@
+# User to run container as
+USER_UID=1000
+USER_GID=1000
+
+# Database settings
+DB_TYPE=postgres
+DB_HOST=db:5432
+DB_NAME=gitea
+DB_USER=gitea
+DB_PASSWD=gitea
+
+# Wether to start LFS
+LFS_START_SERVER=true
+
+# Wether to allow registration
+DISABLE_REGISTRATION=true

gitea/docker-compose.yml

@@ -0,0 +1,59 @@
+version: '2.4'
+
+services:
+    app:
+        # Latest contains a development version
+        image: 'gitea/gitea:1.14.1-rootless'
+        restart: 'always'
+        
+        depends_on:
+            db:
+                condition: 'service_healthy'
+        healthcheck:
+            test: 'curl -f localhost:3000 || exit 1'
+            interval: '30s'
+            timeout: '5s'
+            retries: 3
+            start_period: '5s'
+        
+        env_file:
+            - '.env'
+        networks:
+            - 'default'
+            - 'nginx'
+        ports:
+            - '22:22'
+        volumes:
+            - 'data:/data'
+            - 'repos:/data/git/repositories'
+            - 'lfs:/data/git/lfs'
+            - '/etc/timezone:/etc/timezone:ro'
+            - '/etc/localtime:/etc/localtime:ro'
+
+    db:
+        image: 'postgres:13.2-alpine'
+        restart: 'always'
+        
+        healthcheck:
+            test: 'pg_isready -U gitea'
+            interval: '30s'
+            timeout: '5s'
+            retries: 3
+            start_period: '0s'
+        
+        environment:
+            - 'POSTGRES_USER=gitea'
+            - 'POSTGRES_PASSWORD=gitea'
+            - 'POSTGRES_DB=gitea'
+        volumes:
+            - 'db-data:/var/lib/postgresql/data'
+
+networks:
+    nginx:
+        external: true
+
+volumes:
+    data:
+    lfs:
+    db-data:
+    repos:

nginx/.env.example

@@ -1,12 +1,59 @@
-# Main domain; also name of certificate
-MAIN_DOMAIN=
-
-# Comma-separated list of other domains which also arrive here
+# =====COMMON CONFIGURATION=====
+## Comma-seperated list of domains to generate certs for
+## NOTE: you should only add domains here that aren't used in any of
+## the specific configurations below
 DOMAINS=
 
-# Admin email; used for certificates
+## Admin email; used for certificates
 EMAIL=
 
-# HTTP(S) Port
+## HTTP(S) Port
 HTTP_PORT=80
 HTTPS_PORT=443
+
+
+# =====PER-SERVICE CONFIGURATION=====
+# Domain name: domain name that points to the instance
+# Hostname: basically the argument to proxy_pass
+
+## Firefly III
+### Domain name
+FIREFLY_DOMAIN=
+### Hostname
+FIREFLY_HOST=firefly_app_1
+
+## Koel
+### Domain name
+KOEL_DOMAIN=
+### Hostname
+KOEL_HOST=koel_app_1
+
+## Miniflux
+### Domain name
+MINIFLUX_DOMAIN=
+### Hostname
+MINIFLUX_HOST=miniflux_app_1
+
+## Monica
+### Domain name
+MONICA_DOMAIN=
+### Hostname
+MONICA_HOST=monica_app_1
+
+## Nextcloud
+### Domain name
+NEXTCLOUD_DOMAIN=
+### Hostname
+NEXTCLOUD_HOST=nextcloud_app_1
+
+## Portainer
+### Domain name
+PORTAINER_DOMAIN=
+### Hostname
+PORTAINER_HOST=portainer_app_1
+
+## Gitea
+### Domain name
+GITEA_DOMAIN=
+### Hostname
+GITEA_HOST=gitea_app_1

nginx/build/Dockerfile

@@ -1,17 +0,0 @@
-FROM nginx:stable-alpine
-
-RUN apk add --no-cache certbot
-
-COPY entrypoint.sh ./entrypoint.sh
-RUN chmod +x ./entrypoint.sh
-
-RUN mkdir /var/lib/certbot
-COPY renew /etc/periodic/weekly/renew
-RUN chmod +x /etc/periodic/weekly/renew
-
-# Default.conf file is annoying
-RUN rm -rf /etc/nginx/conf.d/*
-
-RUN /usr/sbin/crond -f -d 8 &
-
-ENTRYPOINT [ "./entrypoint.sh" ]

nginx/build/entrypoint.sh

@@ -1,6 +0,0 @@
-#!/usr/bin/env sh
-
-certbot certonly --standalone -d "$MAIN_DOMAIN,$DOMAINS" --email "$EMAIL" -n --agree-tos --expand
-
-# The original script handles the template subsitution
-exec /docker-entrypoint.sh nginx -g "daemon off;"

nginx/build/renew

@@ -1,3 +0,0 @@
-#!/usr/bin/env sh
-
-python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew --webroot --webroot-path /var/lib/certbot/ --post-hook "/usr/sbin/nginx -s reload"

nginx/docker-compose.yml

@@ -1,15 +1,13 @@
-version: '3.5'
+version: '2.4'
+
 services:
     app:
-        build: './build'
+        build: './nginx'
         image: 'nginx-certbot:stable-alpine'
+        restart: 'always'
 
-        environment:
-            - 'DOMAINS'
-            - 'EMAIL'
-            - 'HTTPS_PORT'
-            - 'HTTP_PORT'
-            - 'MAIN_DOMAIN'
+        env_file:
+            - '.env'
         networks:
             - 'nginx'
         ports:

nginx/nginx/Dockerfile

@@ -0,0 +1,11 @@
+FROM nginx:1.20.0-alpine
+
+COPY entrypoint.sh /entrypoint.sh
+COPY renew /etc/periodic/weekly/renew
+
+# Install certbot
+# Remove default configs
+RUN apk add --no-cache certbot && \
+    rm -rf /etc/nginx/conf.d/*
+
+ENTRYPOINT [ "./entrypoint.sh" ]

nginx/nginx/entrypoint.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env sh
+
+# Start cron
+/usr/sbin/crond -d 8 &
+
+# Renew all certificates
+for url in $(env | grep '^[^=]\+_DOMAIN=' | sed 's/^.*\?=\(.*\)$/\1/g') $(echo "$DOMAINS" | sed 's/,/ /g')
+do
+    cerbot certonly \
+        --standalone \
+        -d "$url" \
+        --email "$EMAIL" \
+        -n \
+        --agree-tos \
+        --expand
+done
+
+# The original script handles the template subsitution
+exec /docker-entrypoint.sh nginx -g "daemon off;"

nginx/nginx/renew

@@ -0,0 +1,7 @@
+#!/usr/bin/env sh
+
+python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && \
+    certbot renew \
+        --webroot \
+        --webroot-path /var/lib/certbot/ \
+        --post-hook "/usr/sbin/nginx -s reload"

nginx/sites-available/firefly-iii.conf.template

@@ -1,6 +1,11 @@
 server {
-    listen 443 ssl;
-    server_name DOMAIN;
+    # SSL Key locations
+    ssl_certificate     /etc/letsencrypt/live/${FIREFLY_DOMAIN}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${FIREFLY_DOMAIN}/privkey.pem;
+
+    listen ${HTTPS_PORT} ssl;
+    listen [::]:${HTTPS_PORT} ssl;
+    server_name ${FIREFLY_DOMAIN};
 
     location / {
         proxy_set_header Host              $host;
@@ -13,7 +18,7 @@ server {
         proxy_set_header Connection        "upgrade";
 
         resolver 127.0.0.11;
-        proxy_pass http://firefly_app_1:8080;
+        proxy_pass http://${FIREFLY_HOST}:8080;
     }
 }
 

nginx/sites-available/gitea.conf.template

@@ -0,0 +1,23 @@
+server {
+    # SSL Key locations
+    ssl_certificate     /etc/letsencrypt/live/${GITEA_DOMAIN}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${GITEA_DOMAIN}/privkey.pem;
+
+    listen ${HTTPS_PORT} ssl;
+    listen [::]:${HTTPS_PORT} ssl;
+    server_name ${GITEA_DOMAIN};
+
+    location / {
+        resolver 127.0.0.11;
+        proxy_pass http://#{GITEA_HOST}:3000/;
+
+        # Static content caching
+        location ~* \.(?:jpg|jpeg|png|gif|ico|css|js|ttf)$ {
+            expires 1h;
+            add_header Cache-Control public;
+
+            proxy_pass http://${GITEA_HOST}:3000;
+        }
+    }
+}
+

nginx/sites-available/koel.conf

@@ -1,9 +0,0 @@
-server {
-    listen 443 ssl;
-    server_name DOMAIN;
-
-    location / {
-        resolver 127.0.0.11;
-        proxy_pass http://koel_app_1:80;
-    }
-}

nginx/sites-available/koel.conf.template

@@ -0,0 +1,14 @@
+server {
+    # SSL Key locations
+    ssl_certificate     /etc/letsencrypt/live/${KOEL_DOMAIN}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${KOEL_DOMAIN}/privkey.pem;
+
+    listen ${HTTPS_PORT} ssl;
+    listen [::]:${HTTPS_PORT} ssl;
+    server_name ${KOEL_DOMAIN};
+
+    location / {
+        resolver 127.0.0.11;
+        proxy_pass http://${KOEL_HOST}:80;
+    }
+}

nginx/sites-available/miniflux.conf

@@ -1,10 +0,0 @@
-server {
-    listen 443 ssl;
-    server_name DOMAIN;
-
-    location / {
-        resolver 127.0.0.11;
-        proxy_pass http://miniflux_app_1:8080;
-    }
-}
-

nginx/sites-available/miniflux.conf.template

@@ -0,0 +1,15 @@
+server {
+    # SSL Key locations
+    ssl_certificate     /etc/letsencrypt/live/${MINIFLUX_DOMAIN}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${MINIFLUX_DOMAIN}/privkey.pem;
+
+    listen ${HTTPS_PORT} ssl;
+    listen [::]:${HTTPS_PORT} ssl;
+    server_name ${MINIFLUX_DOMAIN};
+
+    location / {
+        resolver 127.0.0.11;
+        proxy_pass http://${MINIFLUX_HOST}:8080;
+    }
+}
+

nginx/sites-available/nextcloud.conf.template

@@ -1,7 +1,12 @@
 server {
-    listen 443 ssl;
-    listen [::]:443 ssl http2;
-    server_name DOMAIN;
+    # SSL Key locations
+    ssl_certificate     /etc/letsencrypt/live/${NEXTCLOUD_DOMAIN}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${NEXTCLOUD_DOMAIN}/privkey.pem;
+
+    listen ${HTTPS_PORT} ssl;
+    # Not sure why http2 is here, but let's keep it just in case
+    listen [::]:${HTTPS_PORT} ssl http2;
+    server_name ${NEXTCLOUD_DOMAIN};
 
     # Enable gzip but do not remove ETag headers
     gzip on;
@@ -23,7 +28,7 @@ server {
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 
     location / {
-        proxy_pass http://nextcloud_app_1:80/;
+        proxy_pass http://${NEXTCLOUD_HOST}:80/;
 
         proxy_pass_request_headers on;
 

nginx/sites-available/portainer.conf

@@ -1,11 +0,0 @@
-server {
-    listen 443 ssl;
-    server_name DOMAIN;
-
-    location / {
-        proxy_set_header Connection "upgrade";
-
-        resolver 127.0.0.11;
-        proxy_pass http://portainer_app_1:9000;
-    }
-}

nginx/sites-available/portainer.conf.template

@@ -0,0 +1,16 @@
+server {
+    # SSL Key locations
+    ssl_certificate     /etc/letsencrypt/live/${PORTAINER_DOMAIN}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${PORTAINER_DOMAIN}/privkey.pem;
+
+    listen ${HTTPS_PORT} ssl;
+    listen [::]:${HTTPS_PORT} ssl;
+    server_name ${PORTAINER_DOMAIN};
+
+    location / {
+        proxy_set_header Connection "upgrade";
+
+        resolver 127.0.0.11;
+        proxy_pass http://${PORTAINER_HOST}:9000;
+    }
+}

nginx/templates/http.conf.template

@@ -1,9 +1,5 @@
 http {
-    # SSL CONFIGURATION
-    # Key locations
-    ssl_certificate     /etc/letsencrypt/live/${MAIN_DOMAIN}/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/${MAIN_DOMAIN}/privkey.pem;
-
+    # COMMON SSL CONFIGURATION
     # Allowed protocols
     ssl_protocols TLSv1.2;
 
@@ -29,7 +25,6 @@ http {
         return 301 https://$host:${HTTPS_PORT}$request_uri;
     }
 
-
     # LOAD SITES
     include sites-enabled/*.conf;
 }