22 changed files with 83 additions and 257 deletions
--- a/gitea/.env.example
+++ b/gitea/.env.example
@ -1,16 +0,0 @@
 # User to run container as
 USER_UID=1000
 USER_GID=1000
 # Database settings
 DB_TYPE=postgres
 DB_HOST=db:5432
 DB_NAME=gitea
 DB_USER=gitea
 DB_PASSWD=gitea
 # Wether to start LFS
 LFS_START_SERVER=true
 # Wether to allow registration
 DISABLE_REGISTRATION=true
--- a/gitea/docker-compose.yml
+++ b/gitea/docker-compose.yml
@ -1,59 +0,0 @@
 version: '2.4'
 services:
    app:
        # Latest contains a development version
        image: 'gitea/gitea:1.14.1-rootless'
        restart: 'always'
        depends_on:
            db:
                condition: 'service_healthy'
        healthcheck:
            test: 'curl -f localhost:3000 || exit 1'
            interval: '30s'
            timeout: '5s'
            retries: 3
            start_period: '5s'
        env_file:
            - '.env'
        networks:
            - 'default'
            - 'nginx'
        ports:
            - '22:22'
        volumes:
            - 'data:/data'
            - 'repos:/data/git/repositories'
            - 'lfs:/data/git/lfs'
            - '/etc/timezone:/etc/timezone:ro'
            - '/etc/localtime:/etc/localtime:ro'
    db:
        image: 'postgres:13.2-alpine'
        restart: 'always'
        healthcheck:
            test: 'pg_isready -U gitea'
            interval: '30s'
            timeout: '5s'
            retries: 3
            start_period: '0s'
        environment:
            - 'POSTGRES_USER=gitea'
            - 'POSTGRES_PASSWORD=gitea'
            - 'POSTGRES_DB=gitea'
        volumes:
            - 'db-data:/var/lib/postgresql/data'
 networks:
    nginx:
        external: true
 volumes:
    data:
    lfs:
    db-data:
    repos:
--- a/nginx/.env.example
+++ b/nginx/.env.example
@ -1,59 +1,12 @@
-# =====COMMON CONFIGURATION=====
+# Main domain; also name of certificate
-## Comma-seperated list of domains to generate certs for
+MAIN_DOMAIN=
-## NOTE: you should only add domains here that aren't used in any of
+
-## the specific configurations below
+# Comma-separated list of other domains which also arrive here
 DOMAINS=
-## Admin email; used for certificates
+# Admin email; used for certificates
 EMAIL=
-## HTTP(S) Port
+# HTTP(S) Port
 HTTP_PORT=80
 HTTPS_PORT=443
 # =====PER-SERVICE CONFIGURATION=====
 # Domain name: domain name that points to the instance
 # Hostname: basically the argument to proxy_pass
 ## Firefly III
 ### Domain name
 FIREFLY_DOMAIN=
 ### Hostname
 FIREFLY_HOST=firefly_app_1
 ## Koel
 ### Domain name
 KOEL_DOMAIN=
 ### Hostname
 KOEL_HOST=koel_app_1
 ## Miniflux
 ### Domain name
 MINIFLUX_DOMAIN=
 ### Hostname
 MINIFLUX_HOST=miniflux_app_1
 ## Monica
 ### Domain name
 MONICA_DOMAIN=
 ### Hostname
 MONICA_HOST=monica_app_1
 ## Nextcloud
 ### Domain name
 NEXTCLOUD_DOMAIN=
 ### Hostname
 NEXTCLOUD_HOST=nextcloud_app_1
 ## Portainer
 ### Domain name
 PORTAINER_DOMAIN=
 ### Hostname
 PORTAINER_HOST=portainer_app_1
 ## Gitea
 ### Domain name
 GITEA_DOMAIN=
 ### Hostname
 GITEA_HOST=gitea_app_1
--- a/nginx/build/Dockerfile
+++ b/nginx/build/Dockerfile
@ -0,0 +1,17 @@
 FROM nginx:stable-alpine
 RUN apk add --no-cache certbot
 COPY entrypoint.sh ./entrypoint.sh
 RUN chmod +x ./entrypoint.sh
 RUN mkdir /var/lib/certbot
 COPY renew /etc/periodic/weekly/renew
 RUN chmod +x /etc/periodic/weekly/renew
 # Default.conf file is annoying
 RUN rm -rf /etc/nginx/conf.d/*
 RUN /usr/sbin/crond -f -d 8 &
 ENTRYPOINT [ "./entrypoint.sh" ]
--- a/nginx/build/entrypoint.sh
+++ b/nginx/build/entrypoint.sh
@ -0,0 +1,6 @@
 #!/usr/bin/env sh
 certbot certonly --standalone -d "$MAIN_DOMAIN,$DOMAINS" --email "$EMAIL" -n --agree-tos --expand
 # The original script handles the template subsitution
 exec /docker-entrypoint.sh nginx -g "daemon off;"
--- a/nginx/build/renew
+++ b/nginx/build/renew
@ -0,0 +1,3 @@
 #!/usr/bin/env sh
 python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew --webroot --webroot-path /var/lib/certbot/ --post-hook "/usr/sbin/nginx -s reload"
--- a/nginx/docker-compose.yml
+++ b/nginx/docker-compose.yml
@ -1,13 +1,15 @@
-version: '2.4'
+version: '3.5'
 services:
    app:
-        build: './nginx'
+        build: './build'
        image: 'nginx-certbot:stable-alpine'
        restart: 'always'
-        env_file:
+        environment:
-            - '.env'
+            - 'DOMAINS'
            - 'EMAIL'
            - 'HTTPS_PORT'
            - 'HTTP_PORT'
            - 'MAIN_DOMAIN'
        networks:
            - 'nginx'
        ports:
--- a/nginx/nginx/Dockerfile
+++ b/nginx/nginx/Dockerfile
@ -1,11 +0,0 @@
 FROM nginx:1.20.0-alpine
 COPY entrypoint.sh /entrypoint.sh
 COPY renew /etc/periodic/weekly/renew
 # Install certbot
 # Remove default configs
 RUN apk add --no-cache certbot && \
    rm -rf /etc/nginx/conf.d/*
 ENTRYPOINT [ "./entrypoint.sh" ]
--- a/nginx/nginx/entrypoint.sh
+++ b/nginx/nginx/entrypoint.sh
@ -1,19 +0,0 @@
 #!/usr/bin/env sh
 # Start cron
 /usr/sbin/crond -d 8 &
 # Renew all certificates
 for url in $(env | grep '^[^=]\+_DOMAIN=' | sed 's/^.*\?=\(.*\)$/\1/g') $(echo "$DOMAINS" | sed 's/,/ /g')
 do
    cerbot certonly \
        --standalone \
        -d "$url" \
        --email "$EMAIL" \
        -n \
        --agree-tos \
        --expand
 done
 # The original script handles the template subsitution
 exec /docker-entrypoint.sh nginx -g "daemon off;"
--- a/nginx/nginx/renew
+++ b/nginx/nginx/renew
@ -1,7 +0,0 @@
 #!/usr/bin/env sh
 python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && \
    certbot renew \
        --webroot \
        --webroot-path /var/lib/certbot/ \
        --post-hook "/usr/sbin/nginx -s reload"
--- a/nginx/sites-available/firefly-iii.conf.template
+++ b/nginx/sites-available/firefly-iii.conf.template
@ -1,11 +1,6 @@
 server {
-    # SSL Key locations
+    listen 443 ssl;
-    ssl_certificate     /etc/letsencrypt/live/${FIREFLY_DOMAIN}/fullchain.pem;
+    server_name DOMAIN;
    ssl_certificate_key /etc/letsencrypt/live/${FIREFLY_DOMAIN}/privkey.pem;
    listen ${HTTPS_PORT} ssl;
    listen [::]:${HTTPS_PORT} ssl;
    server_name ${FIREFLY_DOMAIN};
    location / {
        proxy_set_header Host              $host;
@ -18,7 +13,7 @@ server {
        proxy_set_header Connection        "upgrade";
        resolver 127.0.0.11;
-        proxy_pass http://${FIREFLY_HOST}:8080;
+        proxy_pass http://firefly_app_1:8080;
    }
 }
--- a/nginx/sites-available/gitea.conf.template
+++ b/nginx/sites-available/gitea.conf.template
@ -1,23 +0,0 @@
 server {
    # SSL Key locations
    ssl_certificate     /etc/letsencrypt/live/${GITEA_DOMAIN}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${GITEA_DOMAIN}/privkey.pem;
    listen ${HTTPS_PORT} ssl;
    listen [::]:${HTTPS_PORT} ssl;
    server_name ${GITEA_DOMAIN};
    location / {
        resolver 127.0.0.11;
        proxy_pass http://#{GITEA_HOST}:3000/;
        # Static content caching
        location ~* \.(?:jpg|jpeg|png|gif|ico|css|js|ttf)$ {
            expires 1h;
            add_header Cache-Control public;
            proxy_pass http://${GITEA_HOST}:3000;
        }
    }
 }
--- a/nginx/sites-available/koel.conf
+++ b/nginx/sites-available/koel.conf
@ -0,0 +1,9 @@
 server {
    listen 443 ssl;
    server_name DOMAIN;
    location / {
        resolver 127.0.0.11;
        proxy_pass http://koel_app_1:80;
    }
 }
--- a/nginx/sites-available/koel.conf.template
+++ b/nginx/sites-available/koel.conf.template
@ -1,14 +0,0 @@
 server {
    # SSL Key locations
    ssl_certificate     /etc/letsencrypt/live/${KOEL_DOMAIN}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${KOEL_DOMAIN}/privkey.pem;
    listen ${HTTPS_PORT} ssl;
    listen [::]:${HTTPS_PORT} ssl;
    server_name ${KOEL_DOMAIN};
    location / {
        resolver 127.0.0.11;
        proxy_pass http://${KOEL_HOST}:80;
    }
 }
--- a/nginx/sites-available/miniflux.conf
+++ b/nginx/sites-available/miniflux.conf
@ -0,0 +1,10 @@
 server {
    listen 443 ssl;
    server_name DOMAIN;
    location / {
        resolver 127.0.0.11;
        proxy_pass http://miniflux_app_1:8080;
    }
 }
--- a/nginx/sites-available/miniflux.conf.template
+++ b/nginx/sites-available/miniflux.conf.template
@ -1,15 +0,0 @@
 server {
    # SSL Key locations
    ssl_certificate     /etc/letsencrypt/live/${MINIFLUX_DOMAIN}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${MINIFLUX_DOMAIN}/privkey.pem;
    listen ${HTTPS_PORT} ssl;
    listen [::]:${HTTPS_PORT} ssl;
    server_name ${MINIFLUX_DOMAIN};
    location / {
        resolver 127.0.0.11;
        proxy_pass http://${MINIFLUX_HOST}:8080;
    }
 }
--- a/nginx/sites-available/nefarious.conf.template
+++ b/nginx/sites-available/nefarious.conf.template
--- a/nginx/sites-available/nextcloud.conf.template
+++ b/nginx/sites-available/nextcloud.conf.template
@ -1,12 +1,7 @@
 server {
-    # SSL Key locations
+    listen 443 ssl;
-    ssl_certificate     /etc/letsencrypt/live/${NEXTCLOUD_DOMAIN}/fullchain.pem;
+    listen [::]:443 ssl http2;
-    ssl_certificate_key /etc/letsencrypt/live/${NEXTCLOUD_DOMAIN}/privkey.pem;
+    server_name DOMAIN;
    listen ${HTTPS_PORT} ssl;
    # Not sure why http2 is here, but let's keep it just in case
    listen [::]:${HTTPS_PORT} ssl http2;
    server_name ${NEXTCLOUD_DOMAIN};
    # Enable gzip but do not remove ETag headers
    gzip on;
@ -28,7 +23,7 @@ server {
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    location / {
-        proxy_pass http://${NEXTCLOUD_HOST}:80/;
+        proxy_pass http://nextcloud_app_1:80/;
        proxy_pass_request_headers on;
--- a/nginx/sites-available/portainer.conf
+++ b/nginx/sites-available/portainer.conf
@ -0,0 +1,11 @@
 server {
    listen 443 ssl;
    server_name DOMAIN;
    location / {
        proxy_set_header Connection "upgrade";
        resolver 127.0.0.11;
        proxy_pass http://portainer_app_1:9000;
    }
 }
--- a/nginx/sites-available/portainer.conf.template
+++ b/nginx/sites-available/portainer.conf.template
@ -1,16 +0,0 @@
 server {
    # SSL Key locations
    ssl_certificate     /etc/letsencrypt/live/${PORTAINER_DOMAIN}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${PORTAINER_DOMAIN}/privkey.pem;
    listen ${HTTPS_PORT} ssl;
    listen [::]:${HTTPS_PORT} ssl;
    server_name ${PORTAINER_DOMAIN};
    location / {
        proxy_set_header Connection "upgrade";
        resolver 127.0.0.11;
        proxy_pass http://${PORTAINER_HOST}:9000;
    }
 }
--- a/nginx/sites-enabled/.gitkeep
+++ b/nginx/sites-enabled/.gitkeep
--- a/nginx/templates/http.conf.template
+++ b/nginx/templates/http.conf.template
@ -1,5 +1,9 @@
 http {
-    # COMMON SSL CONFIGURATION
+    # SSL CONFIGURATION
    # Key locations
    ssl_certificate     /etc/letsencrypt/live/${MAIN_DOMAIN}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${MAIN_DOMAIN}/privkey.pem;
    # Allowed protocols
    ssl_protocols TLSv1.2;
@ -25,6 +29,7 @@ http {
        return 301 https://$host:${HTTPS_PORT}$request_uri;
    }
    # LOAD SITES
    include sites-enabled/*.conf;
 }
		`@ -0,0 +1,3 @@`
							`#!/usr/bin/env sh`

							`python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew --webroot --webroot-path /var/lib/certbot/ --post-hook "/usr/sbin/nginx -s reload"`