From d4d485914fd18911fbe179570c78980ce59f5c50 Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Tue, 12 Jan 2021 07:29:58 +0200
Subject: [PATCH] A general master branch.

I'm moving some services to ns4, some will remain on host01. I'm branching to have specific deployment for each host. So have a minimal and generic master branch so common changes will be done there and I'll rebase the other branches on top of it.
---
 .gitlab-ci.yml | 32 --------
 Dockerfile | 12 +--
 README.md | 5 ++
 conf.d/autoconfig.shore.co.il.conf | 21 ------
 conf.d/git.shore.co.il.conf | 30 --------
 conf.d/mail.shore.co.il.conf | 34 ---------
 conf.d/nextcloud.shore.co.il.conf | 31 --------
 conf.d/registry.shore.co.il.conf | 23 ------
 conf.d/shore.co.il.conf | 31 --------
 conf.d/www.shore.co.il.conf | 73 -------------------
 docker-compose.yml | 12 +--
 snippets/nextcloud-well-known.conf | 11 ---
 snippets/z-push.conf | 19 -----
 .../mail/config-v1.1.xml | 24 ------
 www/mail.shore.co.il/.well-known/mta-sts.txt | 4 -
 .../google88c23a5c89fa3cb3.html | 1 -
 16 files changed, 8 insertions(+), 355 deletions(-)
 delete mode 100644 conf.d/autoconfig.shore.co.il.conf
 delete mode 100644 conf.d/git.shore.co.il.conf
 delete mode 100644 conf.d/mail.shore.co.il.conf
 delete mode 100644 conf.d/nextcloud.shore.co.il.conf
 delete mode 100644 conf.d/registry.shore.co.il.conf
 delete mode 100644 conf.d/shore.co.il.conf
 delete mode 100644 conf.d/www.shore.co.il.conf
 delete mode 100644 snippets/nextcloud-well-known.conf
 delete mode 100644 snippets/z-push.conf
 delete mode 100644 www/autoconfig.shore.co.il/mail/config-v1.1.xml
 delete mode 100644 www/mail.shore.co.il/.well-known/mta-sts.txt
 delete mode 100644 www/www.shore.co.il/google88c23a5c89fa3cb3.html

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index c8c2fed..f92da7b 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -2,35 +2,3 @@
 include:
 - project: shore/ci-templates
 file: templates/pre-commit.yml
-
-image: adarnimrod/ci-images:docker
-
-stages:
- - test
- - build
- - run
-
-build:
- stage: build
- tags: ["host01.shore.co.il"]
- variables:
- COMPOSE_DOCKER_CLI_BUILD: "1"
- DOCKER_BUILDKIT: "1"
- script:
- - docker-compose build --no-cache --pull
- - docker-compose pull --quiet
-
-run:
- stage: run
- tags: ["host01.shore.co.il"]
- when: manual
- script:
- - docker-compose up --detach --remove-orphans
- # yamllint disable rule:line-length
- - |
- for i in $(seq 12)
- do
- docker container inspect --format '{{ .State.Health.Status }}' $(docker-compose ps -q) | grep -v '^healthy$' || break
- sleep 10
- done
- ! docker container inspect --format '{{ .State.Health.Status }}' $(docker-compose ps -q) | grep -v '^healthy$'
diff --git a/Dockerfile b/Dockerfile
index cfcca9f..0b0e2e8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,4 @@
-FROM nginx:1.19-alpine
-ARG TRANSMISSION
+FROM nginx:1.19.6-alpine
 # hadolint ignore=DL3018
 RUN rm -rf /etc/nginx/conf./* && \
 chmod 777 /run && \
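Review bot: `FROM nginx:1.19.6-alpine` pins a patch release but not an image digest, so the base is still a mutable tag and two builds of the same commit can pull different content; consider `FROM nginx:1.19.6-alpine@sha256:<digest>` (plus a scheduled rebuild for security fixes) so supply-chain drift is at least detectable. The context line `RUN rm -rf /etc/nginx/conf./*` looks like a typo for `conf.d` — as written it matches nothing, so the base image's stock `default.conf` likely survives into the final image, which matters now that master ships an empty `conf.d/`. `chmod 777 /run` on the next line is also pre-existing; if it exists only so the unprivileged `nginx` user can write its pid file, `chown nginx /run` would be the tighter choice.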
@@ -18,18 +17,11 @@ RUN rm -rf /etc/nginx/conf./* && \
 -out /var/ssl/site.crt \
 -days 2 \
 -subj "/C=US/ST=IL/L=None/O=None/OU=None/CN=localhost/" && \
- cp /var/ssl/site.crt /var/ssl/mail.crt && \
- cp /var/ssl/site.key /var/ssl/mail.key && \
 setcap CAP_NET_BIND_SERVICE=+ep "$(command -v nginx)" && \
- chown nginx /var/ssl/site.* /var/ssl/mail.*
+ chown nginx /var/ssl/site.*
 COPY www/ /var/www/
 COPY conf.d/ /etc/nginx/conf.d/
 COPY snippets/ /etc/nginx/snippets/
-# Another option would be to copy the file to the template directory and have
-# the environment variable substitution happen in runtime, but that way would
-# miss checking the syntax during the build process.
-# hadolint ignore=SC2097,SC2098
-RUN TRANSMISSION=$TRANSMISSION sed -i "s/TRANSMISSION/$TRANSMISSION/" /etc/nginx/conf.d/www.shore.co.il.conf
 USER nginx
 RUN nginx -t
 HEALTHCHECK CMD curl --fail --verbose --user-agent 'Docker health check' http://localhost/ || exit 1
diff --git a/README.md b/README.md
index cefa360..ec8bb8e 100644
--- a/README.md
+++ b/README.md
@@ -4,6 +4,11 @@
 > Web proxy Dockerized setup.
+## Branches
+
+The `master` branch doesn't have any configuration in it. The `ns4` and `host01`
+branches have configuration for those hoss.
+
 ## License
 This software is licensed under the MIT license (see `LICENSE.txt`).
diff --git a/conf.d/autoconfig.shore.co.il.conf b/conf.d/autoconfig.shore.co.il.conf
deleted file mode 100644
index 84109f9..0000000
--- a/conf.d/autoconfig.shore.co.il.conf
+++ /dev/null
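Review bot: The surviving `chown nginx /var/ssl/site.*` and the two-day self-signed certificate generated just above it have no comment explaining why a throwaway key pair is baked into the image, and a reader of master alone cannot tell; since docker-compose.yml bind-mounts the real `/var/ssl/site.key` and `site.crt` read-only at runtime, something like `# Throwaway self-signed cert so "nginx -t" below can load TLS config on branches that reference /var/ssl/site.*; docker-compose bind-mounts the real files over these at runtime.` would make the intent clear. The openssl invocation that produces the files starts above this hunk. Separately, the private key is only chown'd, never chmod'd — unless openssl already creates it 0600 (worth confirming for this Alpine build), adding `chmod 600 /var/ssl/site.key` keeps the placeholder key from being world-readable in the image layer.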
@@ -1,21 +0,0 @@
-server {
- listen 80;
- listen [::]:80;
- server_name autoconfig.shore.co.il;
- root /var/www/autoconfig.shore.co.il/;
- include snippets/www-acme-challenge.conf;
- include snippets/ads-txt.conf;
- include snippets/security-txt.conf;
- include snippets/robots-allow-all.conf;
-}
-
-server {
- listen 443 ssl;
- listen [::]:443 ssl;
- server_name autoconfig.shore.co.il;
- root /var/www/autoconfig.shore.co.il/;
- include snippets/robots-allow-all.conf;
- include snippets/ads-txt.conf;
- include snippets/security-txt.conf;
- include snippets/ssl.conf;
-}
diff --git a/conf.d/git.shore.co.il.conf b/conf.d/git.shore.co.il.conf
deleted file mode 100644
index 65989ac..0000000
--- a/conf.d/git.shore.co.il.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-map $host $git { default gitlab; }
-
-server {
- listen 80;
- listen [::]:80;
- server_name git.shore.co.il;
- include snippets/robots-allow-all.conf;
- include snippets/ads-txt.conf;
- include snippets/security-txt.conf;
- include snippets/www-acme-challenge.conf;
- include snippets/redirect-https.conf;
-}
-
-server {
- listen 443 ssl;
- listen [::]:443 ssl;
- server_name git.shore.co.il;
- include snippets/robots-allow-all.conf;
- include snippets/ads-txt.conf;
- include snippets/security-txt.conf;
- include snippets/ssl.conf;
-
- location / {
- proxy_pass http://$git$request_uri;
- proxy_http_version 1.1;
- include snippets/proxy-headers.conf;
- proxy_set_header X-Forwarded-Ssl on;
- client_max_body_size 512m;
- }
-}
diff --git a/conf.d/mail.shore.co.il.conf b/conf.d/mail.shore.co.il.conf
deleted file mode 100644
index 40bc173..0000000
--- a/conf.d/mail.shore.co.il.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-server {
- listen 80;
- listen [::]:80;
- server_name imap.shore.co.il smtp.shore.co.il mta-sts.shore.co.il;
- root /var/www/mail.shore.co.il/;
- include snippets/robots-disallow-all.conf;
- include snippets/ads-txt.conf;
- include snippets/security-txt.conf;
-}
-
-server {
- listen 443 ssl;
- listen [::]:443 ssl;
- server_name mta-sts.shore.co.il;
- root /var/www/mail.shore.co.il/;
- include snippets/robots-disallow-all.conf;
- include snippets/ads-txt.conf;
- include snippets/security-txt.conf;
-
- # Copied from snippetes/ssl.conf.
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
- add_header Expect-CT "max-age=86400, enforce, report-uri=\"https://www.shore.co.il/about\"";
- include snippets/common-headers.conf;
- ssl_certificate /var/ssl/mail.crt;
- ssl_certificate_key /var/ssl/mail.key;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
- ssl_ciphers !kRSA:!3DES:!RC4:!DES:!MD5:!aNULL:!NULL:AESGCM+ECDH:AES256+ECDH:AES128:+SHA1;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:50m;
- ssl_session_timeout 5m;
- ssl_stapling on;
- ssl_stapling_verify on;
- ssl_trusted_certificate /etc/ssl/ocsp.pem;
-}
diff --git a/conf.d/nextcloud.shore.co.il.conf b/conf.d/nextcloud.shore.co.il.conf
deleted file mode 100644
index f138c70..0000000
--- a/conf.d/nextcloud.shore.co.il.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-map $host $nextcloud { default nextcloud; }
-
-server {
- listen 80;
- listen [::]:80;
- server_name nextcloud.shore.co.il;
- include snippets/robots-disallow-all.conf;
- include snippets/ads-txt.conf;
- include snippets/security-txt.conf;
- include snippets/www-acme-challenge.conf;
- include snippets/redirect-https.conf;
-}
-
-server {
- listen 443 ssl;
- listen [::]:443 ssl;
- server_name nextcloud.shore.co.il;
- include snippets/robots-disallow-all.conf;
- include snippets/ads-txt.conf;
- include snippets/security-txt.conf;
- include snippets/ssl.conf;
- include snippets/nextcloud-well-known.conf;
-
- location / {
- proxy_pass http://$nextcloud$request_uri;
- proxy_http_version 1.1;
- include snippets/proxy-headers.conf;
- proxy_hide_header X-Frame-Options;
- client_max_body_size 512m;
- }
-}
diff --git a/conf.d/registry.shore.co.il.conf b/conf.d/registry.shore.co.il.conf
deleted file mode 100644
index 07a2902..0000000
--- a/conf.d/registry.shore.co.il.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-map $host $registry { default registy; }
-
-server {
- listen 80;
- listen [::]:80;
- server_name registry.shore.co.il;
- include snippets/www-acme-challenge.conf;
- include snippets/redirect-https.conf;
-}
-
-server {
- listen 443 ssl;
- listen [::]:443 ssl;
- server_name registry.shore.co.il;
- include snippets/ssl.conf;
-
- location / {
- proxy_pass http://$registry$request_uri;
- proxy_http_version 1.1;
- include snippets/proxy-headers.conf;
- include snippets/allow-private-ips.conf;
- }
-}
diff --git a/conf.d/shore.co.il.conf b/conf.d/shore.co.il.conf
deleted file mode 100644
index 48c587e..0000000
--- a/conf.d/shore.co.il.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-map $host $z_push { default z-push; }
-
-server {
- listen 80;
- listen [::]:80;
- server_name shore.co.il;
- include snippets/robots-allow-all.conf;
- include snippets/ads-txt.conf;
- include snippets/security-txt.conf;
- location = / { return 301 https://$host/blog/; }
- location /repo/ {
- root /var/www/www.shore.co.il/;
- autoindex on;
- }
- include snippets/redirect-https.conf;
-}
-
-server {
- listen 443 ssl;
- listen [::]:443 ssl;
- server_name shore.co.il;
- include snippets/robots-allow-all.conf;
- include snippets/ads-txt.conf;
- include snippets/security-txt.conf;
- include snippets/ssl.conf;
- include snippets/nextcloud-well-known.conf;
- include snippets/z-push.conf;
-
- location = / { return 301 https://www.shore.co.il/blog/; }
- location / { return 301 https://www.shore.co.il$request_uri; }
-}
diff --git a/conf.d/www.shore.co.il.conf b/conf.d/www.shore.co.il.conf
deleted file mode 100644
index 7200f5a..0000000
--- a/conf.d/www.shore.co.il.conf
+++ /dev/null
@@ -1,73 +0,0 @@
-map $host $lam { default ldap-account-manager; }
-map $host $kodi { default kodi.shore.co.il; }
-
-server {
- listen 80;
- listen [::]:80;
- server_name www.shore.co.il;
- include snippets/robots-allow-all.conf;
- include snippets/ads-txt.conf;
- include snippets/security-txt.conf;
- location = / { return 301 https://$host/blog/; }
- location /repo/ {
- root /var/www/www.shore.co.il/;
- autoindex on;
- }
- location / { return 301 https://$host$request_uri; }
-}
-
-server {
- listen 443 ssl;
- listen [::]:443 ssl;
- server_name www.shore.co.il;
- include snippets/robots-allow-all.conf;
- include snippets/ads-txt.conf;
- include snippets/security-txt.conf;
- include snippets/ssl.conf;
- root /var/www/www.shore.co.il/;
- error_page 404 /;
-
- location /repo/ { autoindex on; }
- location = /resume { try_files $uri /resume/resume.html; }
- location = /resume/ { index resume.html; }
-
- location = / { return 301 https://$host/blog/; }
- location /about { return 301 https://$host/blog/pages/about-me.html; }
- location /spam { return 301 https://$host/blog/pages/spam.html; }
- location = /blog {
- try_files $uri /blog/index.html;
- charset UTF-8;
- }
-
- location /cgit { return 301 https://git.shore.co.il/explore; }
- location /cgit/ { return 301 https://git.shore.co.il/explore; }
- location /git { return 301 https://git.shore.co.il/explore; }
- location /git/ { return 301 https://git.shore.co.il/explore; }
-
- location /lam {
- proxy_pass http://$lam$request_uri;
- proxy_http_version 1.1;
- include snippets/proxy-headers.conf;
- include snippets/allow-private-ips.conf;
- }
-
- location /jellyfin { return 302 $scheme://$host/jellyfin/; }
- location /jellyfin/ {
- proxy_pass http://$kodi:8096/jellyfin/;
- proxy_http_version 1.1;
- include snippets/proxy-headers.conf;
- include snippets/common-headers.conf;
-
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $http_connection;
-
- # Disable buffering when the nginx proxy gets very resource heavy upon streaming
- proxy_buffering off;
- }
-
- location /TRANSMISSION/ {
- proxy_pass http://kodi.shore.co.il:9091/;
- proxy_http_version 1.1;
- include snippets/proxy-headers.conf;
- }
-}
diff --git a/docker-compose.yml b/docker-compose.yml
index 046d07e..134ca62 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -3,30 +3,20 @@ version: '3.5'
 services:
 proxy:
 build:
- args:
- TRANSMISSION: "${TRANSMISSION}"
 context: ./
 #command: ["nginx", "-g", "daemon off;"]
- hostname: &hostname www.shore.co.il
+ hostname: &hostname "${HOSTNAME}"
 networks:
 default:
 aliases:
 - *hostname
- - nextcloud.shore.co.il
- - git.shore.co.il
 ports:
 - '80:80'
 - '443:443'
 restart: always
 volumes:
- - '/var/www/www.shore.co.il/blog:/var/www/www.shore.co.il/blog:ro'
- - '/var/www/www.shore.co.il/resume:/var/www/www.shore.co.il/resume:ro'
- - '/var/www/www.shore.co.il/.well-known/acme-challenge:/var/www/www.shore.co.il/.well-known/acme-challenge:ro'
- - '/var/www/mail.shore.co.il/.well-known/acme-challenge:/var/www/mail.shore.co.il/.well-known/acme-challenge:ro'
 - '/var/ssl/site.key:/var/ssl/site.key:ro'
 - '/var/ssl/site.crt:/var/ssl/site.crt:ro'
- - '/var/ssl/mail.key:/var/ssl/mail.key:ro'
- - '/var/ssl/mail.crt:/var/ssl/mail.crt:ro'
 - '/var/ssl/dhparams:/var/ssl/dhparams:ro'
 networks:
diff --git a/snippets/nextcloud-well-known.conf b/snippets/nextcloud-well-known.conf
deleted file mode 100644
index f615565..0000000
--- a/snippets/nextcloud-well-known.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-location /.well-known/caldav {
- return 301 https://nextcloud.shore.co.il/remote.php/dav;
-}
-
-location /.well-known/carddav {
- return 301 https://nextcloud.shore.co.il/remote.php/dav;
-}
-
-location /.well-known/webfinger {
- return 301 https://nextcloud.shore.co.il/public.php?service=webfinger;
-}
diff --git a/snippets/z-push.conf b/snippets/z-push.conf
deleted file mode 100644
index 85a21d6..0000000
--- a/snippets/z-push.conf
+++ /dev/null
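Review bot: `hostname: &hostname "${HOSTNAME}"` degrades silently when the variable is missing — docker-compose typically substitutes an empty string with only a warning, leaving the container with an empty hostname and an empty network alias — and note that in an interactive bash session `HOSTNAME` is usually a plain shell variable rather than an exported one, so compose may not see it unless it also lives in `.env` or is exported explicitly. Use the fail-fast form `hostname: &hostname "${HOSTNAME:?set HOSTNAME to this host's FQDN}"` so the deployment aborts instead of starting misconfigured. The removed `nextcloud.shore.co.il` and `git.shore.co.il` entries were presumably what let other containers on the default network reach the proxy by those names, so the per-host branches will have to restore them; a one-line comment on `aliases:` such as `# per-host branches add their vhost names here` would record that expectation on master.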
@@ -1,19 +0,0 @@
-location /AutoDiscover/ {
- proxy_pass http://$z_push$request_uri;
- include snippets/proxy-headers.conf;
-}
-
-location /Autodiscover/ {
- proxy_pass http://$z_push$request_uri;
- include snippets/proxy-headers.conf;
-}
-
-location /autodiscover/ {
- proxy_pass http://$z_push$request_uri;
- include snippets/proxy-headers.conf;
-}
-
-location /Microsoft-Server-ActiveSync {
- proxy_pass http://$z_push$request_uri;
- include snippets/proxy-headers.conf;
-}
diff --git a/www/autoconfig.shore.co.il/mail/config-v1.1.xml b/www/autoconfig.shore.co.il/mail/config-v1.1.xml
deleted file mode 100644
index 47a4197..0000000
--- a/www/autoconfig.shore.co.il/mail/config-v1.1.xml
+++ /dev/null
@@ -1,24 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-
-<clientConfig version="1.1">
- <emailProvider id="shore.co.il">
- <domain>shore.co.il</domain>
- <displayName>Shore technologies</displayName>
- <displayShortName>Shore</displayShortName>
- <incomingServer type="imap">
- <hostname>imap.shore.co.il</hostname>
- <port>993</port>
- <socketType>SSL</socketType>
- <authentication>password-cleartext</authentication>
- <username>%EMAILLOCALPART%</username>
- </incomingServer>
- <outgoingServer type="smtp">
- <hostname>smtp.shore.co.il</hostname>
- <port>587</port>
- <socketType>STARTTLS</socketType>
- <authentication>password-cleartext</authentication>
- <username>%EMAILLOCALPART%</username>
- </outgoingServer>
- </emailProvider>
-</clientConfig>
-
diff --git a/www/mail.shore.co.il/.well-known/mta-sts.txt b/www/mail.shore.co.il/.well-known/mta-sts.txt
deleted file mode 100644
index d81ad3b..0000000
--- a/www/mail.shore.co.il/.well-known/mta-sts.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-version: STSv1
-mode: testing
-mx: smtp.shore.co.il
-max_age: 86400
diff --git a/www/www.shore.co.il/google88c23a5c89fa3cb3.html b/www/www.shore.co.il/google88c23a5c89fa3cb3.html
deleted file mode 100644
index ceace0b..0000000
--- a/www/www.shore.co.il/google88c23a5c89fa3cb3.html
+++ /dev/null
@@ -1 +0,0 @@
-google-site-verification: google88c23a5c89fa3cb3.html
\ No newline at end of file
-- 
GitLab