From e7670f430db00f82921d20ff909e5ca678b5f249 Mon Sep 17 00:00:00 2001 From: Adar Nimrod <nimrod@shore.co.il> Date: Sat, 11 Feb 2023 17:15:13 +0200 Subject: [PATCH] Web proxy: New Compose setup. This is a copy of the web-proxy-docker repo but the base image is now in the [dockerfiles](https://git.shore.co.il/shore/dockerfiles) repo. --- .gitlab-ci.yml | 38 +++++++++++++-- Compose/web-proxy/README.md | 4 ++ Compose/web-proxy/kodi/.dockerignore | 4 ++ Compose/web-proxy/kodi/.env | 1 + Compose/web-proxy/kodi/Dockerfile | 4 ++ .../kodi/conf.d/kodi.shore.co.il.conf | 31 +++++++++++++ .../kodi/conf.d/library.shore.co.il.conf | 30 ++++++++++++ .../kodi/conf.d/transmission.shore.co.il.conf | 30 ++++++++++++ Compose/web-proxy/kodi/docker-compose.yml | 46 +++++++++++++++++++ 9 files changed, 184 insertions(+), 4 deletions(-) create mode 100644 Compose/web-proxy/README.md create mode 100644 Compose/web-proxy/kodi/.dockerignore create mode 100644 Compose/web-proxy/kodi/.env create mode 100644 Compose/web-proxy/kodi/Dockerfile create mode 100644 Compose/web-proxy/kodi/conf.d/kodi.shore.co.il.conf create mode 100644 Compose/web-proxy/kodi/conf.d/library.shore.co.il.conf create mode 100644 Compose/web-proxy/kodi/conf.d/transmission.shore.co.il.conf create mode 100644 Compose/web-proxy/kodi/docker-compose.yml diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 8d09add..3637cee 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,5 +1,7 @@ --- include: + - project: shore/ci-stuff + file: templates/docker.yml - project: shore/ci-stuff file: templates/pre-commit.yml - project: shore/ci-stuff 
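Review bot: The new `- project: shore/ci-stuff` / `file: templates/docker.yml` include carries no `ref:`, so every pipeline fetches that template from the other project's default branch at run time; the `.compose-build`/`.compose-pull`/`.compose-run` jobs this patch adds in the next hunk presumably extend it, which means a push to `shore/ci-stuff` changes what executes on the `kodi.shore.co.il` runner with no review in this repo. The pre-existing includes have the same gap, but since this patch adds one, pin it with `ref: <tag or commit sha>` beneath `file:`. If tracking `shore/ci-stuff` at HEAD is deliberate, a one-line comment above the include saying so would spare the next reader the question.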
@@ -13,17 +15,45 @@ default: AWS Terraform plan: extends: .tf_plan stage: test - #rules: &aws_tf_rules - # - changes: - # - ${TF_ROOT}/ variables: &aws_tf_vars TF_ROOT: Terraform/AWS + rules: &tf_rules + - changes: + - $TF_ROOT/* + - $TF_ROOT/**/* AWS Terraform apply: extends: .tf_apply stage: deploy - #rules: *aws_tf_rules + rules: *tf_rules needs: - job: AWS Terraform plan artifacts: true variables: *aws_tf_vars + +web-proxy kodi build: + extends: .compose-build + tags: ["kodi.shore.co.il"] + variables: + WORKDIR: Compose/web-proxy/kodi + # rules: &compose-rules + # - if: $CI_PIPELINE_SOURCE == "schedule" + # - if: $CI_PIPELINE_SOURCE == "push" + # changes: + # - $WORKDIR/* + # - $WORKDIR/**/* + +web-proxy kodi pull: + extends: .compose-pull + tags: ["kodi.shore.co.il"] + variables: + WORKDIR: Compose/web-proxy/kodi + # rules: *compose-rules + +web-proxy kodi run: + extends: .compose-run + tags: ["kodi.shore.co.il"] + variables: + WORKDIR: Compose/web-proxy/kodi + when: manual + # rules: *compose-rules diff --git a/Compose/web-proxy/README.md b/Compose/web-proxy/README.md new file mode 100644 index 0000000..0d1eaaa --- /dev/null +++ b/Compose/web-proxy/README.md @@ -0,0 +1,4 @@ +# Web proxy + +Nginx proxy and SSL termination for web sites and services on different hosts. +Each directory is in a different host. diff --git a/Compose/web-proxy/kodi/.dockerignore b/Compose/web-proxy/kodi/.dockerignore new file mode 100644 index 0000000..380e2e6 --- /dev/null +++ b/Compose/web-proxy/kodi/.dockerignore @@ -0,0 +1,4 @@ +* +!conf.d/ +!www/ +!snippets/ diff --git a/Compose/web-proxy/kodi/.env b/Compose/web-proxy/kodi/.env new file mode 100644 index 0000000..2f5dd33 --- /dev/null +++ b/Compose/web-proxy/kodi/.env @@ -0,0 +1 @@ +COMPOSE_PROJECT_NAME=web-proxy diff --git a/Compose/web-proxy/kodi/Dockerfile b/Compose/web-proxy/kodi/Dockerfile new file mode 100644 index 0000000..521391c --- /dev/null +++ b/Compose/web-proxy/kodi/Dockerfile 
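Review bot: `AWS Terraform apply` now sets `rules: *tf_rules`, a bare `changes:` rule with no `if:`, so the apply job becomes eligible on any branch pipeline touching `Terraform/AWS` (and GitLab evaluates `changes` as true on the first push of a new branch), whereas before it inherited whatever `.tf_apply` defined; because a job-level `rules:` replaces the template's, that safeguard, if any, is gone. `web-proxy kodi run` has the same shape: `when: manual` puts it behind a click but not behind the default branch, so anyone who can push a branch can deploy that branch's nginx config onto the `kodi.shore.co.il` host. Unless protected runners/environments already cover this, gate both deploy jobs on `$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH` as sketched below, leaving the shared `&tf_rules` anchor for plan only. I can't see the `.tf_apply`/`.compose-run` templates, so I can't confirm what rules they carry on their own; the commented-out `&compose-rules` block also suggests the build/pull jobs currently run on every pipeline regardless of what changed.

```yaml
AWS Terraform apply:
  extends: .tf_apply
  stage: deploy
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      changes:
        - $TF_ROOT/*
        - $TF_ROOT/**/*
  # … unchanged: needs, variables …

web-proxy kodi run:
  extends: .compose-run
  tags: ["kodi.shore.co.il"]
  variables:
    WORKDIR: Compose/web-proxy/kodi
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: manual
```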
@@ -0,0 +1,4 @@ +# hadolint ignore=DL3006 +FROM registry.shore.co.il/nginx +COPY --chown=root:root conf.d/ /etc/nginx/conf.d/ +RUN nginx -t diff --git a/Compose/web-proxy/kodi/conf.d/kodi.shore.co.il.conf b/Compose/web-proxy/kodi/conf.d/kodi.shore.co.il.conf new file mode 100644 index 0000000..6f380b9 --- /dev/null +++ b/Compose/web-proxy/kodi/conf.d/kodi.shore.co.il.conf @@ -0,0 +1,31 @@ +# vim: ft=nginx +map $host $kodi { default 172.18.0.1; } + +server { + listen 80; + listen [::]:80; + server_name kodi.shore.co.il; + include snippets/robots-disallow-all.conf; + include snippets/ads-txt.conf; + include snippets/security-txt.conf; + include snippets/www-acme-challenge.conf; + include snippets/redirect-https.conf; +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name kodi.shore.co.il; + include snippets/robots-disallow-all.conf; + include snippets/ads-txt.conf; + include snippets/security-txt.conf; + include snippets/ssl-legacy.conf; + include snippets/ldap-auth.conf; + + location / { + proxy_pass http://$kodi:8080; + proxy_http_version 1.1; + include snippets/proxy-headers.conf; + include snippets/websockets.conf; + } +} diff --git a/Compose/web-proxy/kodi/conf.d/library.shore.co.il.conf b/Compose/web-proxy/kodi/conf.d/library.shore.co.il.conf new file mode 100644 index 0000000..99d9ed9 --- /dev/null +++ b/Compose/web-proxy/kodi/conf.d/library.shore.co.il.conf 
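Review bot: `FROM registry.shore.co.il/nginx` has neither a tag nor a digest, and the `# hadolint ignore=DL3006` line above it suppresses exactly that warning, so every `.compose-build` silently takes whatever the private registry's `latest` is at that moment and the image that `RUN nginx -t` validated today is not the one a rebuild produces tomorrow. Pin it — `FROM registry.shore.co.il/nginx:<tag>` (ideally with `@sha256:…`) — and drop the hadolint ignore; if the registry intentionally publishes only an untagged rolling image, replace the ignore with a comment stating that. `RUN nginx -t` is a good build-time check, but it can only pass if the base image already ships every `snippets/*.conf` and file path the new `conf.d` files include, so a short comment above it recording that contract with the base image would help.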
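Review bot: The HTTPS server block includes `snippets/ssl-legacy.conf`, whose name suggests a relaxed TLS profile (older protocols or ciphers) relative to whatever the non-legacy snippet offers, and nothing in this file records why Kodi's web UI needs it. Add a comment above the include, e.g. `# ssl-legacy: required by <client>; see base image snippets/`, or use the stricter snippet if no old client actually connects here. Also `proxy_pass http://$kodi:8080` sends traffic in cleartext to `172.18.0.1`, which is presumably the Docker bridge gateway (the host itself); that is fine on one box, but the address is environment-specific and deserves a comment on the `map` line so it isn't mistaken for a stray IP.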
@@ -0,0 +1,30 @@ +# vim: ft=nginx +map $host $library { default transmission-webdav; } + +server { + listen 80; + listen [::]:80; + server_name library.shore.co.il; + include snippets/robots-disallow-all.conf; + include snippets/ads-txt.conf; + include snippets/security-txt.conf; + include snippets/www-acme-challenge.conf; + include snippets/redirect-https.conf; +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name library.shore.co.il; + include snippets/robots-disallow-all.conf; + include snippets/ads-txt.conf; + include snippets/security-txt.conf; + include snippets/ssl-legacy.conf; + include snippets/ldap-auth.conf; + + location / { + proxy_pass http://$library:80; + proxy_http_version 1.1; + include snippets/proxy-headers.conf; + } +} diff --git a/Compose/web-proxy/kodi/conf.d/transmission.shore.co.il.conf b/Compose/web-proxy/kodi/conf.d/transmission.shore.co.il.conf new file mode 100644 index 0000000..0fb970f --- /dev/null +++ b/Compose/web-proxy/kodi/conf.d/transmission.shore.co.il.conf @@ -0,0 +1,30 @@ +# vim: ft=nginx +map $host $transmission { default transmission-daemon; } + +server { + listen 80; + listen [::]:80; + server_name transmission.shore.co.il; + include snippets/robots-disallow-all.conf; + include snippets/ads-txt.conf; + include snippets/security-txt.conf; + include snippets/www-acme-challenge.conf; + include snippets/redirect-https.conf; +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name transmission.shore.co.il; + include snippets/robots-disallow-all.conf; + include snippets/ads-txt.conf; + include snippets/security-txt.conf; + include snippets/ssl-legacy.conf; + include snippets/ldap-auth.conf; + + location / { + proxy_pass http://$transmission:9091; + proxy_http_version 1.1; + include snippets/proxy-headers.conf; + } +} diff --git a/Compose/web-proxy/kodi/docker-compose.yml b/Compose/web-proxy/kodi/docker-compose.yml new file mode 100644 index 0000000..558fe80 --- /dev/null 
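Review bot: `location /` proxies to `transmission-webdav` with only `proxy-headers.conf`, but WebDAV uploads are `PUT`s and nginx's default `client_max_body_size` is 1m, so unless the base image or that snippet raises it, anything larger is rejected with 413 before reaching the backend. `MOVE`/`COPY` also carry a `Destination:` header that clients build from the public `https://library.shore.co.il/…` URL while the backend sees `http://`, which some WebDAV servers reject unless the proxy rewrites the scheme/host. I can't see the snippets; if they already handle both, a comment above `proxy_pass` such as `# body size and Destination rewriting live in proxy-headers.conf` would settle it, otherwise add `client_max_body_size 0;` (or a sane cap) to this location and rewrite `Destination` to match the upstream.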
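Review bot: `proxy_pass http://$transmission:9091` uses a variable, so nginx resolves `transmission-daemon` at request time and needs a `resolver` directive (Docker's embedded DNS is `resolver 127.0.0.11;`); without one every request fails with `no resolver defined to resolve transmission-daemon`, and the Dockerfile's `nginx -t` will not catch it because `-t` does not resolve variable upstreams. The `map $host $transmission { default transmission-daemon; }` indirection is presumably there precisely to defer resolution so the proxy starts before the daemon does, which is worth a comment on that line. If the base image already sets `resolver`, disregard the first point; the same applies to `library.shore.co.il.conf`, which uses the same pattern.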
+++ b/Compose/web-proxy/kodi/docker-compose.yml @@ -0,0 +1,46 @@ +--- +version: '3.5' +services: + proxy: + build: + context: ./ + # command: ["nginx", "-g", "daemon off;"] + hostname: &hostname kodi.shore.co.il + networks: + default: + aliases: + - *hostname + - jellyfin.shore.co.il + - library.shore.co.il + - transmission.shore.co.il + ports: + - '80:80' + - '443:443' + restart: always + volumes: + - '/var/www/www.shore.co.il/.well-known/acme-challenge:/var/www/www.shore.co.il/.well-known/acme-challenge:ro' + - '/var/ssl/site.key:/var/ssl/site.key:ro' + - '/var/ssl/site.crt:/var/ssl/site.crt:ro' + - '/var/ssl/dhparams:/var/ssl/dhparams:ro' + + vouch: + environment: + OAUTH_AUTH_URL: https://nextcloud.shore.co.il/apps/oauth2/authorize + OAUTH_CALLBACK_URLS: https://vouch.shore.co.il/auth + OAUTH_CLIENT_ID: "${VOUCH_OAUTH_CLIENT_ID}" + # yamllint disable-line rule:line-length + OAUTH_CLIENT_SECRET: "${VOUCH_OAUTH_CLIENT_SECRET}" # pragma: allowlist secret + OAUTH_PROVIDER: nextcloud + OAUTH_SCOPES: 'openid,email.profile' + OAUTH_TOKEN_URL: https://nextcloud.shore.co.il/apps/oauth2/api/v1/token + # yamllint disable-line rule:line-length + OAUTH_USER_INFO_URL: https://nextcloud.shore.co.il/ocs/v2.php/cloud/user?format=json + VOUCH_DOMAINS: shore.co.il + VOUCH_JWT_MAXAGE: 10080 # 1 week. + VOUCH_JWT_SECRET: "${VOUCH_JWT_SECRET}" # pragma: allowlist secret + image: quay.io/vouch/vouch-proxy:alpine-0.36.0 + restart: always + +networks: + default: + name: shore -- GitLab
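Review bot: `OAUTH_SCOPES: 'openid,email.profile'` looks like a typo for `openid,email,profile` — vouch-proxy takes a comma-separated list, so `email.profile` goes to Nextcloud as a single unknown scope. Separately, the `vouch` service is defined but nothing in this patch uses it: all three `conf.d` server blocks include `snippets/ldap-auth.conf` rather than a vouch snippet, the proxy's network aliases omit `vouch.shore.co.il` even though `OAUTH_CALLBACK_URLS` points there, and vouch itself has no `ports` or aliases, so it sits on the `shore` network holding `VOUCH_JWT_SECRET` and `OAUTH_CLIENT_SECRET` in its environment (visible via `docker inspect`) without serving anything — a comment stating whether this is pending or dead would help. Those secrets are interpolated from `${VOUCH_JWT_SECRET}` etc., which Compose replaces with an empty string plus a warning when unset; `${VOUCH_JWT_SECRET:?unset}` makes the deploy fail fast instead of starting vouch with an empty JWT key. `jellyfin.shore.co.il` is also listed as an alias with no matching `conf.d` file in this patch.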