Revert "A general master branch."

This reverts commit d4d48591. I'm reverting most of it but amending or mending a few things that I'm going to move to ns4.

Revert "A general master branch."
24ac95c4 · nimrod · e96c031a · 24ac95c4 · 24ac95c4 · 24ac95c4
Commit 24ac95c4 authored 4 years ago by nimrod
--- a/Dockerfile
+++ b/Dockerfile
 FROM nginx:1.19.8-alpine
+ARG TRANSMISSION
 # hadolint ignore=DL3018
 RUN rm -rf /etc/nginx/conf./* && \
    chmod 777 /run && \
@@ -15,12 +16,20 @@ RUN rm -rf /etc/nginx/conf./* && \
                -keyout /var/ssl/site.key \
                -nodes \
                -out /var/ssl/site.crt \
-                -batch && \
+                -days 2 \
+                -subj "/C=US/ST=IL/L=None/O=None/OU=None/CN=localhost/" && \
+    cp /var/ssl/site.crt /var/ssl/mail.crt && \
+    cp /var/ssl/site.key /var/ssl/mail.key && \
    setcap CAP_NET_BIND_SERVICE=+ep "$(command -v nginx)" && \
-    chown nginx /var/ssl/site.*
+    chown nginx /var/ssl/site.* /var/ssl/mail.*
 COPY www/ /var/www/
 COPY conf.d/ /etc/nginx/conf.d/
 COPY snippets/ /etc/nginx/snippets/
+# Another option would be to copy the file to the template directory and have
+# the environment variable substitution happen in runtime, but that way would
+# miss checking the syntax during the build process.
+# hadolint ignore=SC2097,SC2098
+RUN TRANSMISSION=$TRANSMISSION sed -i "s/TRANSMISSION/$TRANSMISSION/" /etc/nginx/conf.d/www.shore.co.il.conf
 USER nginx
 RUN nginx -t
 HEALTHCHECK CMD curl --fail --verbose --user-agent 'Docker health check' http://localhost/ || exit 1
--- a/README.md
+++ b/README.md
@@ -4,11 +4,6 @@
 > Web proxy Dockerized setup.
-## Branches
-The `master` branch doesn't have any configuration in it. The `ns4` and `host01`
-branches have configuration for those hoss.
 ## License
 This software is licensed under the MIT license (see `LICENSE.txt`).

--- a/conf.d/git.shore.co.il.conf
+++ b/conf.d/git.shore.co.il.conf
+map $host $git { default gitlab; }
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name git.shore.co.il;
+    include     snippets/robots-allow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-https.conf;
+}
+server {
+    listen      443 ssl;
+    listen      [::]:443 ssl;
+    server_name git.shore.co.il;
+    include     snippets/robots-allow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/ssl.conf;
+    location / {
+        proxy_pass              http://$git$request_uri;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+        proxy_set_header        X-Forwarded-Ssl on;
+        client_max_body_size    512m;
+    }
+}
--- a/conf.d/mail.shore.co.il.conf
+++ b/conf.d/mail.shore.co.il.conf
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name imap.shore.co.il smtp.shore.co.il mta-sts.shore.co.il;
+    root        /var/www/mail.shore.co.il/;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+}
+server {
+    listen                      443 ssl;
+    listen                      [::]:443 ssl;
+    server_name                 mta-sts.shore.co.il;
+    root                        /var/www/mail.shore.co.il/;
+    include                     snippets/robots-disallow-all.conf;
+    include                     snippets/ads-txt.conf;
+    include                     snippets/security-txt.conf;
+    # Copied from snippetes/ssl.conf.
+    add_header                  Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+    add_header                  Expect-CT "max-age=86400, enforce, report-uri=\"https://www.shore.co.il/about\"";
+    include                     snippets/common-headers.conf;
+    ssl_certificate             /var/ssl/mail.crt;
+    ssl_certificate_key         /var/ssl/mail.key;
+    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+    ssl_ciphers                 !kRSA:!3DES:!RC4:!DES:!MD5:!aNULL:!NULL:AESGCM+ECDH:AES256+ECDH:AES128:+SHA1;
+    ssl_prefer_server_ciphers   on;
+    ssl_session_cache           shared:SSL:50m;
+    ssl_session_timeout         5m;
+    ssl_stapling                on;
+    ssl_stapling_verify         on;
+    ssl_trusted_certificate     /etc/ssl/ocsp.pem;
+}
--- a/conf.d/nextcloud.shore.co.il.conf
+++ b/conf.d/nextcloud.shore.co.il.conf
+map $host $nextcloud { default nextcloud; }
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name nextcloud.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-https.conf;
+}
+server {
+    listen      443 ssl;
+    listen      [::]:443 ssl;
+    server_name nextcloud.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/ssl.conf;
+    include     snippets/nextcloud-well-known.conf;
+    location / {
+        proxy_pass              http://$nextcloud$request_uri;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+        proxy_hide_header       X-Frame-Options;
+        client_max_body_size    512m;
+    }
+}
--- a/conf.d/shore.co.il.conf
+++ b/conf.d/shore.co.il.conf
+map $host $z_push { default z-push; }
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name shore.co.il;
+    include     snippets/robots-allow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    location = /        { return 301 https://$host/blog/; }
+    location /repo/     {
+        root            /var/www/www.shore.co.il/;
+        autoindex       on;
+    }
+    include     snippets/redirect-https.conf;
+}
+server {
+    listen      443 ssl;
+    listen      [::]:443 ssl;
+    server_name shore.co.il;
+    include     snippets/robots-allow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/ssl.conf;
+    include     snippets/nextcloud-well-known.conf;
+    include     snippets/z-push.conf;
+    location = /        { return 301 https://www.shore.co.il/blog/; }
+    location /          { return 301 https://www.shore.co.il$request_uri; }
+}
--- a/conf.d/www.shore.co.il.conf
+++ b/conf.d/www.shore.co.il.conf
+map $host $lam { default ldap-account-manager; }
+map $host $kodi { default kodi.shore.co.il; }
+server {
+    listen              80;
+    listen              [::]:80;
+    server_name         www.shore.co.il;
+    include             snippets/robots-allow-all.conf;
+    include             snippets/ads-txt.conf;
+    include             snippets/security-txt.conf;
+    location = /        { return 301 https://$host/blog/; }
+    location /repo/     {
+        root            /var/www/www.shore.co.il/;
+        autoindex       on;
+    }
+    location /          { return 301 https://$host$request_uri; }
+}
+server {
+    listen                  443 ssl;
+    listen                  [::]:443 ssl;
+    server_name             www.shore.co.il;
+    include                 snippets/robots-allow-all.conf;
+    include                 snippets/ads-txt.conf;
+    include                 snippets/security-txt.conf;
+    include                 snippets/ssl.conf;
+    root                    /var/www/www.shore.co.il/;
+    error_page 404          /;
+    location /repo/         { autoindex on; }
+    location = /resume      { try_files $uri /resume/resume.html; }
+    location = /resume/     { index resume.html; }
+    location = /            { return 301 https://$host/blog/; }
+    location /about         { return 301 https://$host/blog/pages/about-me.html; }
+    location /spam          { return 301 https://$host/blog/pages/spam.html; }
+    location = /blog        {
+        try_files $uri /blog/index.html;
+        charset UTF-8;
+    }
+    location /cgit          { return 301 https://git.shore.co.il/explore; }
+    location /cgit/         { return 301 https://git.shore.co.il/explore; }
+    location /git           { return 301 https://git.shore.co.il/explore; }
+    location /git/          { return 301 https://git.shore.co.il/explore; }
+    location /lam {
+        proxy_pass          http://$lam$request_uri;
+        proxy_http_version  1.1;
+        include             snippets/proxy-headers.conf;
+        include             snippets/allow-private-ips.conf;
+    }
+    location /jellyfin { return 302 $scheme://$host/jellyfin/; }
+    location /jellyfin/ {
+        proxy_pass          http://$kodi:8096/jellyfin/;
+        proxy_http_version  1.1;
+        include             snippets/proxy-headers.conf;
+        include             snippets/common-headers.conf;
+        proxy_set_header    Upgrade $http_upgrade;
+        proxy_set_header    Connection $http_connection;
+        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
+        proxy_buffering     off;
+    }
+    location /TRANSMISSION/ {
+        proxy_pass http://kodi.shore.co.il:9091/;
+        proxy_http_version 1.1;
+        include             snippets/proxy-headers.conf;
+    }
+}
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -3,21 +3,30 @@ version: '3.5'
 services:
  proxy:
    build:
+      args:
+        TRANSMISSION: "${TRANSMISSION}"
      context: ./
    # command: ["nginx", "-g", "daemon off;"]
-    hostname: &hostname shore.co.il
+    hostname: &hostname www.shore.co.il
    networks:
      default:
        aliases:
          - *hostname
+          - nextcloud.shore.co.il
+          - git.shore.co.il
    ports:
      - '80:80'
      - '443:443'
    restart: always
    volumes:
      - '/var/www/www.shore.co.il/.well-known/acme-challenge:/var/www/www.shore.co.il/.well-known/acme-challenge:ro'
+      - '/var/www/mail.shore.co.il/.well-known/acme-challenge:/var/www/mail.shore.co.il/.well-known/acme-challenge:ro'
+      - '/var/www/www.shore.co.il/blog:/var/www/www.shore.co.il/blog:ro'
+      - '/var/www/www.shore.co.il/resume:/var/www/www.shore.co.il/resume:ro'
      - '/var/ssl/site.key:/var/ssl/site.key:ro'
      - '/var/ssl/site.crt:/var/ssl/site.crt:ro'
+      - '/var/ssl/mail.key:/var/ssl/mail.key:ro'
+      - '/var/ssl/mail.crt:/var/ssl/mail.crt:ro'
      - '/var/ssl/dhparams:/var/ssl/dhparams:ro'
  vouch:

--- a/snippets/nextcloud-well-known.conf
+++ b/snippets/nextcloud-well-known.conf
+location /.well-known/caldav {
+    return  301 https://nextcloud.shore.co.il/remote.php/dav;
+}
+location /.well-known/carddav {
+    return  301 https://nextcloud.shore.co.il/remote.php/dav;
+}
+location /.well-known/webfinger {
+    return  301 https://nextcloud.shore.co.il/public.php?service=webfinger;
+}
--- a/snippets/z-push.conf
+++ b/snippets/z-push.conf
+location /AutoDiscover/ {
+    proxy_pass          http://$z_push$request_uri;
+    include             snippets/proxy-headers.conf;
+}
+location /Autodiscover/ {
+    proxy_pass          http://$z_push$request_uri;
+    include             snippets/proxy-headers.conf;
+}
+location /autodiscover/ {
+    proxy_pass          http://$z_push$request_uri;
+    include             snippets/proxy-headers.conf;
+}
+location /Microsoft-Server-ActiveSync {
+    proxy_pass          http://$z_push$request_uri;
+    include             snippets/proxy-headers.conf;
+}
--- a/www/mail.shore.co.il/.well-known/mta-sts.txt
+++ b/www/mail.shore.co.il/.well-known/mta-sts.txt
+version: STSv1
+mode: testing
+mx: smtp.shore.co.il
+max_age: 86400
--- a/www/www.shore.co.il/google88c23a5c89fa3cb3.html
+++ b/www/www.shore.co.il/google88c23a5c89fa3cb3.html
+google-site-verification: google88c23a5c89fa3cb3.html
\ No newline at end of file