Revert "A general master branch."

This reverts commit d4d48591. I'm reverting most of it but amending or mending a few things that I'm going to move to ns4.

Revert "A general master branch."
8c7aad77 · nimrod · 468f3143 · 8c7aad77 · 8c7aad77 · 8c7aad77
Commit 8c7aad77 authored 4 years ago by nimrod
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -2,3 +2,35 @@
 include:
  - project: shore/ci-templates
    file: templates/pre-commit.yml
+
+image: adarnimrod/ci-images:docker
+
+stages:
+  - test
+  - build
+  - run
+
+build:
+  stage: build
+  tags: ["host01.shore.co.il"]
+  variables:
+    COMPOSE_DOCKER_CLI_BUILD: "1"
+    DOCKER_BUILDKIT: "1"
+  script:
+    - docker-compose build --no-cache --pull
+    - docker-compose pull --quiet
+
+run:
+  stage: run
+  tags: ["host01.shore.co.il"]
+  when: manual
+  script:
+    - docker-compose up --detach --remove-orphans
+    # yamllint disable rule:line-length
+    - |
+        for i in $(seq 12)
+        do
+            docker container inspect --format '{{ .State.Health.Status }}' $(docker-compose ps -q) | grep -v '^healthy$' || break
+            sleep 10
+        done
+        ! docker container inspect --format '{{ .State.Health.Status }}' $(docker-compose ps -q) | grep -v '^healthy$'
--- a/Dockerfile
+++ b/Dockerfile
-FROM nginx:1.19.6-alpine
+FROM nginx:1.19-alpine
+ARG TRANSMISSION
 # hadolint ignore=DL3018
 RUN rm -rf /etc/nginx/conf./* && \
    chmod 777 /run && \
@@ -17,11 +18,18 @@ RUN rm -rf /etc/nginx/conf./* && \
                -out /var/ssl/site.crt \
                -days 2 \
                -subj "/C=US/ST=IL/L=None/O=None/OU=None/CN=localhost/" && \
+    cp /var/ssl/site.crt /var/ssl/mail.crt && \
+    cp /var/ssl/site.key /var/ssl/mail.key && \
    setcap CAP_NET_BIND_SERVICE=+ep "$(command -v nginx)" && \
-    chown nginx /var/ssl/site.*
+    chown nginx /var/ssl/site.* /var/ssl/mail.*
 COPY www/ /var/www/
 COPY conf.d/ /etc/nginx/conf.d/
 COPY snippets/ /etc/nginx/snippets/
+# Another option would be to copy the file to the template directory and have
+# the environment variable substitution happen in runtime, but that way would
+# miss checking the syntax during the build process.
+# hadolint ignore=SC2097,SC2098
+RUN TRANSMISSION=$TRANSMISSION sed -i "s/TRANSMISSION/$TRANSMISSION/" /etc/nginx/conf.d/www.shore.co.il.conf
 USER nginx
 RUN nginx -t
 HEALTHCHECK CMD curl --fail --verbose --user-agent 'Docker health check' http://localhost/ || exit 1
--- a/README.md
+++ b/README.md
@@ -4,11 +4,6 @@

 > Web proxy Dockerized setup.

-## Branches
-
-The `master` branch doesn't have any configuration in it. The `ns4` and `host01`
-branches have configuration for those hoss.
-
 ## License

 This software is licensed under the MIT license (see `LICENSE.txt`).

--- a/conf.d/git.shore.co.il.conf
+++ b/conf.d/git.shore.co.il.conf
+map $host $git { default gitlab; }
+
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name git.shore.co.il;
+    include     snippets/robots-allow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-https.conf;
+}
+
+server {
+    listen      443 ssl;
+    listen      [::]:443 ssl;
+    server_name git.shore.co.il;
+    include     snippets/robots-allow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/ssl.conf;
+
+    location / {
+        proxy_pass              http://$git$request_uri;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+        proxy_set_header        X-Forwarded-Ssl on;
+        client_max_body_size    512m;
+    }
+}
--- a/conf.d/mail.shore.co.il.conf
+++ b/conf.d/mail.shore.co.il.conf
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name imap.shore.co.il smtp.shore.co.il mta-sts.shore.co.il;
+    root        /var/www/mail.shore.co.il/;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+}
+
+server {
+    listen                      443 ssl;
+    listen                      [::]:443 ssl;
+    server_name                 mta-sts.shore.co.il;
+    root                        /var/www/mail.shore.co.il/;
+    include                     snippets/robots-disallow-all.conf;
+    include                     snippets/ads-txt.conf;
+    include                     snippets/security-txt.conf;
+
+    # Copied from snippetes/ssl.conf.
+    add_header                  Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+    add_header                  Expect-CT "max-age=86400, enforce, report-uri=\"https://www.shore.co.il/about\"";
+    include                     snippets/common-headers.conf;
+    ssl_certificate             /var/ssl/mail.crt;
+    ssl_certificate_key         /var/ssl/mail.key;
+    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+    ssl_ciphers                 !kRSA:!3DES:!RC4:!DES:!MD5:!aNULL:!NULL:AESGCM+ECDH:AES256+ECDH:AES128:+SHA1;
+    ssl_prefer_server_ciphers   on;
+    ssl_session_cache           shared:SSL:50m;
+    ssl_session_timeout         5m;
+    ssl_stapling                on;
+    ssl_stapling_verify         on;
+    ssl_trusted_certificate     /etc/ssl/ocsp.pem;
+}
--- a/conf.d/nextcloud.shore.co.il.conf
+++ b/conf.d/nextcloud.shore.co.il.conf
+map $host $nextcloud { default nextcloud; }
+
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name nextcloud.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-https.conf;
+}
+
+server {
+    listen      443 ssl;
+    listen      [::]:443 ssl;
+    server_name nextcloud.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/ssl.conf;
+    include     snippets/nextcloud-well-known.conf;
+
+    location / {
+        proxy_pass              http://$nextcloud$request_uri;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+        proxy_hide_header       X-Frame-Options;
+        client_max_body_size    512m;
+    }
+}
--- a/conf.d/shore.co.il.conf
+++ b/conf.d/shore.co.il.conf
+map $host $z_push { default z-push; }
+
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name shore.co.il;
+    include     snippets/robots-allow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    location = /        { return 301 https://$host/blog/; }
+    location /repo/     {
+        root            /var/www/www.shore.co.il/;
+        autoindex       on;
+    }
+    include     snippets/redirect-https.conf;
+}
+
+server {
+    listen      443 ssl;
+    listen      [::]:443 ssl;
+    server_name shore.co.il;
+    include     snippets/robots-allow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/ssl.conf;
+    include     snippets/nextcloud-well-known.conf;
+    include     snippets/z-push.conf;
+
+    location = /        { return 301 https://www.shore.co.il/blog/; }
+    location /          { return 301 https://www.shore.co.il$request_uri; }
+}
--- a/conf.d/www.shore.co.il.conf
+++ b/conf.d/www.shore.co.il.conf
+map $host $lam { default ldap-account-manager; }
+map $host $kodi { default kodi.shore.co.il; }
+
+server {
+    listen              80;
+    listen              [::]:80;
+    server_name         www.shore.co.il;
+    include             snippets/robots-allow-all.conf;
+    include             snippets/ads-txt.conf;
+    include             snippets/security-txt.conf;
+    location = /        { return 301 https://$host/blog/; }
+    location /repo/     {
+        root            /var/www/www.shore.co.il/;
+        autoindex       on;
+    }
+    location /          { return 301 https://$host$request_uri; }
+}
+
+server {
+    listen                  443 ssl;
+    listen                  [::]:443 ssl;
+    server_name             www.shore.co.il;
+    include                 snippets/robots-allow-all.conf;
+    include                 snippets/ads-txt.conf;
+    include                 snippets/security-txt.conf;
+    include                 snippets/ssl.conf;
+    root                    /var/www/www.shore.co.il/;
+    error_page 404          /;
+
+    location /repo/         { autoindex on; }
+    location = /resume      { try_files $uri /resume/resume.html; }
+    location = /resume/     { index resume.html; }
+
+    location = /            { return 301 https://$host/blog/; }
+    location /about         { return 301 https://$host/blog/pages/about-me.html; }
+    location /spam          { return 301 https://$host/blog/pages/spam.html; }
+    location = /blog        {
+        try_files $uri /blog/index.html;
+        charset UTF-8;
+    }
+
+    location /cgit          { return 301 https://git.shore.co.il/explore; }
+    location /cgit/         { return 301 https://git.shore.co.il/explore; }
+    location /git           { return 301 https://git.shore.co.il/explore; }
+    location /git/          { return 301 https://git.shore.co.il/explore; }
+
+    location /lam {
+        proxy_pass          http://$lam$request_uri;
+        proxy_http_version  1.1;
+        include             snippets/proxy-headers.conf;
+        include             snippets/allow-private-ips.conf;
+    }
+
+    location /jellyfin { return 302 $scheme://$host/jellyfin/; }
+    location /jellyfin/ {
+        proxy_pass          http://$kodi:8096/jellyfin/;
+        proxy_http_version  1.1;
+        include             snippets/proxy-headers.conf;
+        include             snippets/common-headers.conf;
+
+        proxy_set_header    Upgrade $http_upgrade;
+        proxy_set_header    Connection $http_connection;
+
+        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
+        proxy_buffering     off;
+    }
+
+    location /TRANSMISSION/ {
+        proxy_pass http://kodi.shore.co.il:9091/;
+        proxy_http_version 1.1;
+        include             snippets/proxy-headers.conf;
+    }
+}
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -3,20 +3,30 @@ version: '3.5'
 services:
  proxy:
    build:
+      args:
+        TRANSMISSION: "${TRANSMISSION}"
      context: ./
    #command: ["nginx", "-g", "daemon off;"]
-    hostname: &hostname "${HOSTNAME}"
+    hostname: &hostname www.shore.co.il
    networks:
      default:
        aliases:
          - *hostname
+          - nextcloud.shore.co.il
+          - git.shore.co.il
    ports:
      - '80:80'
      - '443:443'
    restart: always
    volumes:
+      - '/var/www/www.shore.co.il/blog:/var/www/www.shore.co.il/blog:ro'
+      - '/var/www/www.shore.co.il/resume:/var/www/www.shore.co.il/resume:ro'
+      - '/var/www/www.shore.co.il/.well-known/acme-challenge:/var/www/www.shore.co.il/.well-known/acme-challenge:ro'
+      - '/var/www/mail.shore.co.il/.well-known/acme-challenge:/var/www/mail.shore.co.il/.well-known/acme-challenge:ro'
      - '/var/ssl/site.key:/var/ssl/site.key:ro'
      - '/var/ssl/site.crt:/var/ssl/site.crt:ro'
+      - '/var/ssl/mail.key:/var/ssl/mail.key:ro'
+      - '/var/ssl/mail.crt:/var/ssl/mail.crt:ro'
      - '/var/ssl/dhparams:/var/ssl/dhparams:ro'

 networks:

--- a/snippets/nextcloud-well-known.conf
+++ b/snippets/nextcloud-well-known.conf
+location /.well-known/caldav {
+    return  301 https://nextcloud.shore.co.il/remote.php/dav;
+}
+
+location /.well-known/carddav {
+    return  301 https://nextcloud.shore.co.il/remote.php/dav;
+}
+
+location /.well-known/webfinger {
+    return  301 https://nextcloud.shore.co.il/public.php?service=webfinger;
+}
--- a/snippets/z-push.conf
+++ b/snippets/z-push.conf
+location /AutoDiscover/ {
+    proxy_pass          http://$z_push$request_uri;
+    include             snippets/proxy-headers.conf;
+}
+
+location /Autodiscover/ {
+    proxy_pass          http://$z_push$request_uri;
+    include             snippets/proxy-headers.conf;
+}
+
+location /autodiscover/ {
+    proxy_pass          http://$z_push$request_uri;
+    include             snippets/proxy-headers.conf;
+}
+
+location /Microsoft-Server-ActiveSync {
+    proxy_pass          http://$z_push$request_uri;
+    include             snippets/proxy-headers.conf;
+}
--- a/www/mail.shore.co.il/.well-known/mta-sts.txt
+++ b/www/mail.shore.co.il/.well-known/mta-sts.txt
+version: STSv1
+mode: testing
+mx: smtp.shore.co.il
+max_age: 86400
--- a/www/www.shore.co.il/google88c23a5c89fa3cb3.html
+++ b/www/www.shore.co.il/google88c23a5c89fa3cb3.html
+google-site-verification: google88c23a5c89fa3cb3.html
\ No newline at end of file