Web proxy: New Compose setup.

This is a copy of the web-proxy-docker repo but the base image is now in the [dockerfiles](https://git.shore.co.il/shore/dockerfiles) repo.

Web proxy: New Compose setup.
e7670f43 · nimrod · 3d028688 · e7670f43 · e7670f43 · e7670f43
Commit e7670f43 authored 2 years ago by nimrod
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
 ---
 include:
+  - project: shore/ci-stuff
+    file: templates/docker.yml
  - project: shore/ci-stuff
    file: templates/pre-commit.yml
  - project: shore/ci-stuff
@@ -13,17 +15,45 @@ default:
 AWS Terraform plan:
  extends: .tf_plan
  stage: test
-  #rules: &aws_tf_rules
-  #  - changes:
-  #      - ${TF_ROOT}/
  variables: &aws_tf_vars
    TF_ROOT: Terraform/AWS
+  rules: &tf_rules
+    - changes:
+        - $TF_ROOT/*
+        - $TF_ROOT/**/*

 AWS Terraform apply:
  extends: .tf_apply
  stage: deploy
-  #rules: *aws_tf_rules
+  rules: *tf_rules
  needs:
    - job: AWS Terraform plan
      artifacts: true
  variables: *aws_tf_vars
+
+web-proxy kodi build:
+  extends: .compose-build
+  tags: ["kodi.shore.co.il"]
+  variables:
+    WORKDIR: Compose/web-proxy/kodi
+  # rules: &compose-rules
+  #   - if: $CI_PIPELINE_SOURCE == "schedule"
+  #   - if: $CI_PIPELINE_SOURCE == "push"
+  #     changes:
+  #       - $WORKDIR/*
+  #       - $WORKDIR/**/*
+
+web-proxy kodi pull:
+  extends: .compose-pull
+  tags: ["kodi.shore.co.il"]
+  variables:
+    WORKDIR: Compose/web-proxy/kodi
+  # rules: *compose-rules
+
+web-proxy kodi run:
+  extends: .compose-run
+  tags: ["kodi.shore.co.il"]
+  variables:
+    WORKDIR: Compose/web-proxy/kodi
+  when: manual
+  # rules: *compose-rules
--- a/Compose/web-proxy/README.md
+++ b/Compose/web-proxy/README.md
+# Web proxy
+
+Nginx proxy and SSL termination for web sites and services on different hosts.
+Each directory is in a different host.
--- a/Compose/web-proxy/kodi/.dockerignore
+++ b/Compose/web-proxy/kodi/.dockerignore
+*
+!conf.d/
+!www/
+!snippets/
--- a/Compose/web-proxy/kodi/.env
+++ b/Compose/web-proxy/kodi/.env
+COMPOSE_PROJECT_NAME=web-proxy
--- a/Compose/web-proxy/kodi/Dockerfile
+++ b/Compose/web-proxy/kodi/Dockerfile
+# hadolint ignore=DL3006
+FROM registry.shore.co.il/nginx
+COPY --chown=root:root conf.d/ /etc/nginx/conf.d/
+RUN nginx -t
--- a/Compose/web-proxy/kodi/conf.d/kodi.shore.co.il.conf
+++ b/Compose/web-proxy/kodi/conf.d/kodi.shore.co.il.conf
+# vim: ft=nginx
+map $host $kodi { default 172.18.0.1; }
+
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name kodi.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-https.conf;
+}
+
+server {
+    listen      443 ssl http2;
+    listen      [::]:443 ssl http2;
+    server_name kodi.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/ssl-legacy.conf;
+    include     snippets/ldap-auth.conf;
+
+    location / {
+        proxy_pass              http://$kodi:8080;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+        include                 snippets/websockets.conf;
+    }
+}
--- a/Compose/web-proxy/kodi/conf.d/library.shore.co.il.conf
+++ b/Compose/web-proxy/kodi/conf.d/library.shore.co.il.conf
+# vim: ft=nginx
+map $host $library { default transmission-webdav; }
+
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name library.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-https.conf;
+}
+
+server {
+    listen      443 ssl http2;
+    listen      [::]:443 ssl http2;
+    server_name library.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/ssl-legacy.conf;
+    include     snippets/ldap-auth.conf;
+
+    location / {
+        proxy_pass              http://$library:80;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+    }
+}
--- a/Compose/web-proxy/kodi/conf.d/transmission.shore.co.il.conf
+++ b/Compose/web-proxy/kodi/conf.d/transmission.shore.co.il.conf
+# vim: ft=nginx
+map $host $transmission { default transmission-daemon; }
+
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name transmission.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-https.conf;
+}
+
+server {
+    listen      443 ssl http2;
+    listen      [::]:443 ssl http2;
+    server_name transmission.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/ssl-legacy.conf;
+    include     snippets/ldap-auth.conf;
+
+    location / {
+        proxy_pass              http://$transmission:9091;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+    }
+}
--- a/Compose/web-proxy/kodi/docker-compose.yml
+++ b/Compose/web-proxy/kodi/docker-compose.yml
+---
+version: '3.5'
+services:
+  proxy:
+    build:
+      context: ./
+    # command: ["nginx", "-g", "daemon off;"]
+    hostname: &hostname kodi.shore.co.il
+    networks:
+      default:
+        aliases:
+          - *hostname
+          - jellyfin.shore.co.il
+          - library.shore.co.il
+          - transmission.shore.co.il
+    ports:
+      - '80:80'
+      - '443:443'
+    restart: always
+    volumes:
+      - '/var/www/www.shore.co.il/.well-known/acme-challenge:/var/www/www.shore.co.il/.well-known/acme-challenge:ro'
+      - '/var/ssl/site.key:/var/ssl/site.key:ro'
+      - '/var/ssl/site.crt:/var/ssl/site.crt:ro'
+      - '/var/ssl/dhparams:/var/ssl/dhparams:ro'
+
+  vouch:
+    environment:
+      OAUTH_AUTH_URL: https://nextcloud.shore.co.il/apps/oauth2/authorize
+      OAUTH_CALLBACK_URLS: https://vouch.shore.co.il/auth
+      OAUTH_CLIENT_ID: "${VOUCH_OAUTH_CLIENT_ID}"
+      # yamllint disable-line rule:line-length
+      OAUTH_CLIENT_SECRET: "${VOUCH_OAUTH_CLIENT_SECRET}"  # pragma: allowlist secret
+      OAUTH_PROVIDER: nextcloud
+      OAUTH_SCOPES: 'openid,email.profile'
+      OAUTH_TOKEN_URL: https://nextcloud.shore.co.il/apps/oauth2/api/v1/token
+      # yamllint disable-line rule:line-length
+      OAUTH_USER_INFO_URL: https://nextcloud.shore.co.il/ocs/v2.php/cloud/user?format=json
+      VOUCH_DOMAINS: shore.co.il
+      VOUCH_JWT_MAXAGE: 10080  # 1 week.
+      VOUCH_JWT_SECRET: "${VOUCH_JWT_SECRET}"  # pragma: allowlist secret
+    image: quay.io/vouch/vouch-proxy:alpine-0.36.0
+    restart: always
+
+networks:
+  default:
+    name: shore