My work thus far.

8e7b0839 · nimrod · 232f9cb3 · 8e7b0839 · 8e7b0839 · 8e7b0839
Commit 8e7b0839 authored 4 years ago by nimrod
--- a/.dockerignore
+++ b/.dockerignore
+*
+!conf.d/
+!www/
+!snippets/
--- a/.env
+++ b/.env
+COMPOSE_PROJECT_NAME=web-proxy
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
+---
+image: adarnimrod/ci-images:docker
+
+stages:
+  - test
+  - build
+  - run
+
+pre-commit:
+  stage: test
+  image: adarnimrod/ci-images:pre-commit
+  variables:
+    XDG_CACHE_HOME: "$CI_PROJECT_DIR/.cache"
+    # Disabled until https://github.com/pre-commit/pre-commit/issues/1387 is
+    # resolved.
+    SKIP: "hadolint,docker-compose"
+  script:
+    - pre-commit run --all-files
+  cache:
+    paths:
+      - .cache/
+
+build:
+  stage: build
+  tags: ["host01.shore.co.il"]
+  variables:
+    COMPOSE_DOCKER_CLI_BUILD: "1"
+    DOCKER_BUILDKIT: "1"
+  script:
+    - docker-compose build --no-cache --pull
+    - docker-compose pull --quiet
+
+run:
+  stage: run
+  tags: ["host01.shore.co.il"]
+  when: manual
+  script:
+    - docker-compose up --detach --remove-orphans
+    # yamllint disable rule:line-length
+    - |
+        for i in $(seq 12)
+        do
+            docker container inspect --format '{{ .State.Health.Status }}' $(docker-compose ps -q) | grep -v '^healthy$' || break
+            sleep 10
+        done
+        ! docker container inspect --format '{{ .State.Health.Status }}' $(docker-compose ps -q) | grep -v '^healthy$'
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
+# vim:ff=unix ts=2 sw=2 ai expandtab
+---
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v2.3.0
+    hooks:
+      - id: check-added-large-files
+      - id: check-merge-conflict
+      - id: detect-private-key
+      - id: trailing-whitespace
+  - repo: https://github.com/adrienverge/yamllint
+    rev: v1.17.0
+    hooks:
+      - id: yamllint
+  - repo: https://github.com/amperser/proselint/
+    rev: 0.10.2
+    hooks:
+      - id: proselint
+        types: [plain-text]
+        exclude: LICENSE
+  - repo: https://github.com/Yelp/detect-secrets
+    rev: v0.13.0
+    hooks:
+      - id: detect-secrets
+  - repo: https://git.shore.co.il/nimrod/docker-pre-commit.git/
+    rev: v0.3.0
+    hooks:
+      - id: docker-compose
+      - id: hadolint
+  - repo: https://git.shore.co.il/nimrod/shell-pre-commit.git/
+    rev: v0.6.0
+    hooks:
+      - id: shell-lint
+      - id: shellcheck
--- a/Dockerfile
+++ b/Dockerfile
+FROM nginx:1.19-alpine
+# hadolint ignore=DL3018
+RUN rm -rf /etc/nginx/conf./* && \
+    chmod 777 /run && \
+    apk add --no-cache --update libcap openssl && \
+    curl https://letsencrypt.org/certs/isrg-root-ocsp-x1.pem.txt > /etc/ssl/ocsp.pem && \
+    mkdir /var/ssl &&\
+    curl https://ssl-config.mozilla.org/ffdhe2048.txt > /var/ssl/dhparams &&\
+    chmod 644 /var/ssl/dhparams && \
+    install -d -m 755 -o root -g root /etc/nginx/snippets && \
+    install -d -m 755 -o root -g root /var/ssl && \
+    install -d -m 700 -o nginx -g nginx /var/cache/nginx && \
+    openssl req -x509 \
+                -newkey rsa:4096 \
+                -keyout /var/ssl/site.key \
+                -nodes \
+                -out /var/ssl/site.crt \
+                -days 2 \
+                -subj "/C=US/ST=IL/L=None/O=None/OU=None/CN=localhost/" && \
+    cp /var/ssl/site.crt /var/ssl/mail.crt && \
+    cp /var/ssl/site.key /var/ssl/mail.key && \
+    setcap CAP_NET_BIND_SERVICE=+ep "$(command -v nginx)" && \
+    chown nginx /var/ssl/site.* /var/ssl/mail.*
+COPY www/ /var/www/
+COPY conf.d/ /etc/nginx/conf.d/
+COPY snippets/ /etc/nginx/snippets/
+USER nginx
+RUN nginx -t
+HEALTHCHECK CMD curl --fail --verbose --user-agent 'Docker health check' http://localhost/ || exit 1
--- a/conf.d/autoconfig.shore.co.il.conf
+++ b/conf.d/autoconfig.shore.co.il.conf
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name autoconfig.shore.co.il;
+    root        /var/www/autoconfig.shore.co.il/;
+    include     snippets/www-acme-challenge.conf;
+}
+
+server {
+    listen      443 ssl;
+    listen      [::]:443 ssl;
+    server_name autoconfig.shore.co.il;
+    root        /var/www/autoconfig.shore.co.il/;
+    include     snippets/ssl.conf;
+}
--- a/conf.d/git.shore.co.il.conf
+++ b/conf.d/git.shore.co.il.conf
+map $host $git { default gitlab; }
+
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name git.shore.co.il;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-https.conf;
+}
+
+server {
+    listen      443 ssl;
+    listen      [::]:443 ssl;
+    server_name git.shore.co.il;
+    include     snippets/ssl.conf;
+
+    location / {
+        proxy_pass              http://$git$request_uri;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+        proxy_set_header        X-Forwarded-Ssl on;
+        client_max_body_size    512m;
+    }
+}
--- a/conf.d/global.conf
+++ b/conf.d/global.conf
+# The resolver for the Docker network.
+resolver        127.0.0.11;
+gzip            on;
+tcp_nopush      on;
+tcp_nodelay     on;
+server_tokens   off;
+include snippets/common-headers.conf;
--- a/conf.d/mail.shore.co.il.conf
+++ b/conf.d/mail.shore.co.il.conf
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name imap.shore.co.il smtp.shore.co.il mta-sts.shore.co.il;
+    root        /var/www/mail.shore.co.il/;
+}
+
+server {
+    listen                      443 ssl;
+    listen                      [::]:443 ssl;
+    server_name                 mta-sts.shore.co.il;
+    root                        /var/www/mail.shore.co.il/;
+
+    # Copied from snippetes/ssl.conf.
+    add_header                  Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+    include                     snippets/common-headers.conf;
+    ssl_certificate             /var/ssl/mail.crt;
+    ssl_certificate_key         /var/ssl/mail.key;
+    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+    ssl_ciphers                 !kRSA:!3DES:!RC4:!DES:!MD5:!aNULL:!NULL:AESGCM+ECDH:AES256+ECDH:AES128:+SHA1;
+    ssl_prefer_server_ciphers   on;
+    ssl_session_cache           shared:SSL:50m;
+    ssl_session_timeout         5m;
+    ssl_stapling                on;
+    ssl_stapling_verify         on;
+    ssl_trusted_certificate     /etc/ssl/ocsp.pem;
+}
--- a/conf.d/nextcloud.shore.co.il.conf
+++ b/conf.d/nextcloud.shore.co.il.conf
+map $host $nextcloud { default nextcloud; }
+
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name nextcloud.shore.co.il;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-https.conf;
+}
+
+server {
+    listen      443 ssl;
+    listen      [::]:443 ssl;
+    server_name nextcloud.shore.co.il;
+    include     snippets/ssl.conf;
+    include     snippets/nextcloud-well-known.conf;
+
+    location / {
+        proxy_pass              http://$nextcloud$request_uri;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+        proxy_hide_header       X-Frame-Options;
+        client_max_body_size    512m;
+    }
+}
--- a/conf.d/registry.shore.co.il.conf
+++ b/conf.d/registry.shore.co.il.conf
+map $host $registry { default registy; }
+
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name registry.shore.co.il;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-https.conf;
+}
+
+server {
+    listen      443 ssl;
+    listen      [::]:443 ssl;
+    server_name registry.shore.co.il;
+    include     snippets/ssl.conf;
+
+    location / {
+        proxy_pass          http://$registry$request_uri;
+        proxy_http_version  1.1;
+        include             snippets/proxy-headers.conf;
+        include             snippets/allow-private-ips.conf;
+    }
+}
--- a/conf.d/shore.co.il.conf
+++ b/conf.d/shore.co.il.conf
+map $host $z_push { default z-push; }
+
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name shore.co.il;
+    location = /        { return 301 https://$host/blog/; }
+    location /repo/     {
+        root            /var/www/www.shore.co.il/;
+        autoindex       on;
+    }
+    include     snippets/redirect-https.conf;
+}
+
+server {
+    listen      443 ssl;
+    listen      [::]:443 ssl;
+    server_name shore.co.il;
+    include     snippets/ssl.conf;
+    include     snippets/nextcloud-well-known.conf;
+    include     snippets/z-push.conf;
+
+    location = /        { return 301 https://www.shore.co.il/blog/; }
+    location /          { return 301 https://www.shore.co.il$request_uri; }
+}
--- a/conf.d/status.conf
+++ b/conf.d/status.conf
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name status;
+    location = /        { stub_status; }
+    include     snippets/allow-private-ips.conf;
+}
--- a/conf.d/www.shore.co.il.conf
+++ b/conf.d/www.shore.co.il.conf
+map $host $cgit { default cgit; }
+map $host $lam { default ldap-account-manager; }
+map $host $kodi { default kodi.shore.co.il; }
+
+server {
+    listen              80 default_server;
+    listen              [::]:80 default_server;
+    server_name         www.shore.co.il;
+    location = /        { return 301 https://$host/blog/; }
+    location /repo/     {
+        root            /var/www/www.shore.co.il/;
+        autoindex       on;
+    }
+    location /          { return 301 https://$host$request_uri; }
+}
+
+server {
+    listen                  443 ssl default_server;
+    listen                  [::]:443 ssl default_server;
+    server_name             www.shore.co.il;
+    include                 snippets/ssl.conf;
+    root                    /var/www/www.shore.co.il/;
+    error_page 404          /;
+
+    location /repo/         { autoindex on; }
+    location = /resume      { try_files $uri /resume/resume.html; }
+    location = /resume/     { index resume.html; }
+
+    location = /            { return 301 https://$host/blog/; }
+    location /about         { return 301 https://$host/blog/pages/about-me.html; }
+    location /spam          { return 301 https://$host/blog/pages/spam.html; }
+    location = /blog        {
+        try_files $uri /blog/index.html;
+        charset UTF-8;
+    }
+
+    location /cgit/ {
+        proxy_pass          http://$cgit$uri;
+        proxy_http_version  1.1;
+        include             snippets/proxy-headers.conf;
+    }
+
+    location /git {
+        rewrite             ^/git /cgit/;
+    }
+
+    location /git/ {
+        rewrite             ^/git/(.*) /cgit/$1;
+    }
+
+    location /cgit-css/ {
+        proxy_pass          http://$cgit$request_uri;
+        proxy_http_version  1.1;
+        include             snippets/proxy-headers.conf;
+    }
+
+    location /lam {
+        proxy_pass          http://$lam$request_uri;
+        proxy_http_version  1.1;
+        include             snippets/proxy-headers.conf;
+        include             snippets/allow-private-ips.conf;
+    }
+
+    location /jellyfin { return 302 $scheme://$host/jellyfin/; }
+    location /jellyfin/ {
+        proxy_pass          http://$kodi:8096/jellyfin/;
+        proxy_http_version  1.1;
+        include             snippets/proxy-headers.conf;
+        include             snippets/common-headers.conf;
+
+        proxy_set_header    Upgrade $http_upgrade;
+        proxy_set_header    Connection $http_connection;
+
+        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
+        proxy_buffering     off;
+    }
+
+    location /d16ebf5287f85724083b0e20a9c300f3/ {
+        proxy_pass http://kodi.shore.co.il:9091/;
+        proxy_http_version 1.1;
+        include             snippets/proxy-headers.conf;
+    }
+}
--- a/docker-compose.yml
+++ b/docker-compose.yml
+---
+version: '3.5'
+services:
+  proxy:
+    build:
+      context: ./
+    #command: ["nginx", "-g", "daemon off;"]
+    hostname: &hostname www.shore.co.il
+    networks:
+      default:
+        aliases:
+          - *hostname
+          - nextcloud.shore.co.il
+          - git.shore.co.il
+    ports:
+      - '80:80'
+      - '443:443'
+    restart: always
+    volumes:
+      - '/var/www/www.shore.co.il/blog:/var/www/www.shore.co.il/blog:ro'
+      - '/var/www/www.shore.co.il/resume:/var/www/www.shore.co.il/resume:ro'
+      - '/var/www/www.shore.co.il/.well-known/acme-challenge:/var/www/www.shore.co.il/.well-known/acme-challenge:ro'
+      - '/var/www/mail.shore.co.il/.well-known/acme-challenge:/var/www/mail.shore.co.il/.well-known/acme-challenge:ro'
+      - '/var/ssl/site.key:/var/ssl/site.key:ro'
+      - '/var/ssl/site.crt:/var/ssl/site.crt:ro'
+      - '/var/ssl/mail.key:/var/ssl/mail.key:ro'
+      - '/var/ssl/mail.crt:/var/ssl/mail.crt:ro'
+      - '/var/ssl/dhparams:/var/ssl/dhparams:ro'
+
+networks:
+  default:
+    name: shore
--- a/snippets/allow-private-ips.conf
+++ b/snippets/allow-private-ips.conf
+allow 127.0.0.0/8;
+allow 10.0.0.0/8;
+allow 192.168.0.0/16;
+allow 172.16.0.0/12;
+deny all;
--- a/snippets/common-headers.conf
+++ b/snippets/common-headers.conf
+# add_headers are inherited from previous level if and only if there are no
+# add_header directives defined on the current level. So any time there's an
+# add_header directive there should be an `include snippets/common-headers.conf`
+# directive as well.
+add_header      X-Frame-Options SAMEORIGIN always;
--- a/snippets/nextcloud-well-known.conf
+++ b/snippets/nextcloud-well-known.conf
+location /.well-known/caldav {
+    return  301 https://nextcloud.shore.co.il/remote.php/dav;
+}
+
+location /.well-known/carddav {
+    return  301 https://nextcloud.shore.co.il/remote.php/dav;
+}
+
+location /.well-known/webfinger {
+    return  301 https://nextcloud.shore.co.il/public.php?service=webfinger;
+}
--- a/snippets/proxy-headers.conf
+++ b/snippets/proxy-headers.conf
+proxy_set_header    X-Forwarded-Host $host;
+proxy_set_header    X-Forwarded-Proto $scheme;
+proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header    Host $host;
+proxy_set_header    X-Real-IP $remote_addr;
--- a/snippets/redirect-https.conf
+++ b/snippets/redirect-https.conf
+location    / { return 301 https://$host$request_uri; }