first commit - working on the reverse proxy

2023-01-21 19:33:14 +00:00
commit 22e6a432ad
7 changed files with 276 additions and 0 deletions
@@ -0,0 +1,12 @@
FROM jenkins/jenkins:lts
USER root
RUN apt-get update -qq \
&& apt-get install -qqy apt-transport-https ca-certificates curl gnupg2 software-properties-common
RUN curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
RUN add-apt-repository \
"deb [arch=arm64] https://download.docker.com/linux/debian \
$(lsb_release -cs) \
stable"
RUN apt-get update -qq \
&& apt-get -y install docker-ce
RUN usermod -aG docker jenkins
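Review bot: The image ends with the `USER root` switch from the second instruction still in effect, so every Jenkins process in containers built from it runs as root; add `USER jenkins` as the final instruction, after the `usermod -aG docker jenkins` line. The repository key is piped into `apt-key add -`, which is deprecated in current Debian; storing it under `/etc/apt/keyrings/` and referencing it with `signed-by=` in the `deb [arch=arm64 ...]` line keeps that key trusted for this one source only. Installing `docker-ce` pulls the whole daemon into the controller image, although the compose file appears to point Jenkins at a separate dind host over `DOCKER_HOST`; `docker-ce-cli` alone is likely what the build agent needs. The hard-coded `arch=arm64` is fine for the target platform but deserves a comment so the next reader does not try to build it on x86_64.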
@@ -0,0 +1,56 @@
# docker-compose.yaml
version: '3.8'
networks:
jenkins:
volumes:
jenkins_home:
driver_opts:
type: nfs
o: addr=maurice,nfsvers=4
device: :/swarm/jenkins/home
jenkins_certs:
driver_opts:
type: nfs
o: addr=maurice,nfsvers=4
device: :/swarm/jenkins/certs
services:
jenkins-docker:
image: docker:dind
networks:
jenkins:
aliases:
- docker
user: root
environment:
- DOCKER_TLS_CERTDIR=/certs
volumes:
- jenkins_home:/var/jenkins_home
- jenkins_certs:/certs/client
ports:
- 2376:2376
privileged: true
command: --storage-driver=overlay2
jenkins-blueocean:
image: jenkins/jenkins:2.375.2
networks:
- jenkins
ports:
- 8080:8080
- 50000:50000
environment:
- DOCKER_HOST=tcp://docker:2376
- DOCKER_CERT_PATH=/certs/client
- DOCKER_TLS_VERIFY=1
volumes:
- jenkins_home:/var/jenkins_home
- jenkins_certs:/certs/client
- /var/run/docker.sock:/var/run/docker.sock
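Review bot: `jenkins-blueocean` bind-mounts `/var/run/docker.sock` on the last line of the hunk while the same service is already configured to reach the dind daemon over TLS via `DOCKER_HOST=tcp://docker:2376` and `DOCKER_TLS_VERIFY=1`; the socket mount gives the Jenkins container root-equivalent control of the host's Docker engine and is redundant with the TLS path, so I would drop the `- /var/run/docker.sock:/var/run/docker.sock` line. Publishing `2376:2376` on `jenkins-docker` exposes the privileged dind daemon's API on every host interface although only the `jenkins` network needs it; remove the mapping, or at least bind it as `"127.0.0.1:2376:2376"`. All `ports:` entries are unquoted scalars; quoting them (`"8080:8080"`, `"50000:50000"`) is the Compose convention and avoids YAML's sexagesimal parsing of low port numbers.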
@@ -0,0 +1,67 @@
version: "3.8"
volumes:
nccdata:
driver_opts:
type: nfs
o: addr=maurice,nfsvers=4
device: :/nextcloudtest/nextcloud
ncredis:
driver_opts:
type: nfs
o: addr=maurice,nfsvers=4
device: :/nextcloudtest/redis
nctestcdb:
driver_opts:
type: nfs
o: addr=maurice,nfsvers=4
device: :/nextcloudtestdb
services:
nextcloud:
image: nextcloud
container_name: nextcloud
environment:
- PUID=1000 #change PUID if needed
- PGID=100 #change PGID if needed
- TZ=Europe/Berlin #change Time Zone if needed
- REDIS_HOST=redis
volumes:
#- nccdata/config:/var/www/html/config #/srv/dev-disk-by-label-disk1 needs to be adjusted
#- nccdata/data:/var/www/html/data #/srv/dev-disk-by-label-disk1 needs to be adjusted
- nccdata:/var/www/html #/srv/dev-disk-by-label-disk1 needs to be adjusted
# NAS shares
# - /srv/dev-disk-by-uuid-f3ca381b-e85a-4348-8086-833317c5d96e/pictures:/pictures
# - /srv/dev-disk-by-uuid-f3ca381b-e85a-4348-8086-833317c5d96e/video:/video
depends_on:
- mariadb
ports: # uncomment this and the next line if you want to bypass the proxy
- 5443:443
- 5080:80
restart: unless-stopped
redis:
image: redis:latest
restart: always
volumes:
- ncredis:/var/lib/redis
mariadb:
image: ghcr.io/linuxserver/mariadb
container_name: nextclouddb
environment:
- PUID=1000 #change PUID if needed
- PGID=1000 #change PGID if needed
- MARIADB_ROOT_PASSWORD="dbpassword"
- MYSQL_ROOT_PASSWORD=mariadbpassword #change password
- TZ=Europe/Berlin #Change Time Zone if needed
volumes:
- nctestcdb:/config #/srv/dev-disk-by-label-disk1 needs to be adjusted
restart: unless-stopped
# ports:
# - 5306:3306
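Review bot: The MariaDB root credentials are committed in clear text at `MARIADB_ROOT_PASSWORD="dbpassword"` and `MYSQL_ROOT_PASSWORD=mariadbpassword`; move them into an untracked `.env` file referenced through `env_file:` (or Docker secrets if this runs as a swarm stack) and leave only placeholders in the repository. In the list form of `environment:` Compose does not, as far as I know, strip quotes, so the first value most likely becomes the literal string including the double quotes, and the two variables name two different root passwords for the same service; keep a single variable with the spelling the `linuxserver/mariadb` image documents. `image: nextcloud` and `redis:latest` are unpinned, so a `pull` can move this stack to a new major release; pin them the way the Jenkins and certbot images are pinned.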
@@ -0,0 +1,14 @@
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
@@ -0,0 +1,8 @@
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----
@@ -0,0 +1,36 @@
version: '3'
volumes:
nginx_conf:
driver_opts:
type: nfs
o: addr=dockerstorage,nfsvers=4
device: :/swarm/stacks/reverseproxy/nginx
certbot_conf:
driver_opts:
type: nfs
o: addr=dockerstorage,nfsvers=4
device: :/swarm/stacks/reverseproxy/certbot_conf
certificates:
external: true
services:
nginx:
image: nginx:1.15-alpine
command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
ports:
- "80:80"
- "443:443"
volumes:
- nginx_conf:/etc/nginx/conf.d
- certbot_conf:/etc/letsencrypt
- ./data/certbot/www:/var/www/certbot
certbot:
image: certbot/certbot:arm64v8-v1.32.2
entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
volumes:
- certbot_conf:/etc/letsencrypt
# - certificates:/etc/letsencrypt/live
- ./data/certbot/www:/var/www/certbot
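Review bot: `nginx:1.15-alpine` is the TLS-terminating entry point of the whole deployment, yet 1.15 is a 2018–2019 mainline line that no longer receives fixes; pin to a maintained tag such as `image: nginx:stable-alpine` or a specific current version. The two `./data/certbot/www` bind mounts are relative to the compose file, and the NFS `driver_opts` plus the `/swarm/stacks/...` paths suggest a swarm stack; a relative host path will not exist on other nodes, so the ACME webroot should probably be an NFS volume like `nginx_conf` and `certbot_conf`. The `certificates` external volume is declared but only referenced from the commented-out line; either wire it in or drop the declaration.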
@@ -0,0 +1,83 @@
#!/bin/bash
if ! [ -x "$(command -v docker-compose)" ]; then
echo 'Error: docker-compose is not installed.' >&2
exit 1
fi
domains=(vbchaos.ddns.net)
rsa_key_size=4096
data_path="./data/certbot"
email="matthias.mitscherlich@gmail.com" # Adding a valid address is strongly recommended
staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits
if [ -d "$data_path" ]; then
read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
exit
fi
fi
if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
echo "### Downloading recommended TLS parameters ..."
mkdir -p "$data_path/conf"
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
echo
fi
echo "### Creating dummy certificate for $domains ..."
path="/etc/letsencrypt/live/$domains"
mkdir -p "$data_path/conf/live/$domains"
docker-compose run --rm --entrypoint "\
openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1\
-keyout '$path/privkey.pem' \
-out '$path/fullchain.pem' \
-subj '/CN=localhost'" certbot
echo
echo "### Starting nginx ..."
docker-compose up --force-recreate -d nginx
echo
echo "### Deleting dummy certificate for $domains ..."
docker-compose run --rm --entrypoint "\
rm -Rf /etc/letsencrypt/live/$domains && \
rm -Rf /etc/letsencrypt/archive/$domains && \
rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
echo
# exit 1
echo "### Requesting Let's Encrypt certificate for $domains ..."
#Join $domains to -d args
domain_args=""
for domain in "${domains[@]}"; do
domain_args="$domain_args -d $domain"
done
# Select appropriate email arg
case "$email" in
"") email_arg="--register-unsafely-without-email" ;;
*) email_arg="--email $email" ;;
esac
# Enable staging mode if needed
if [ $staging != "0" ]; then staging_arg="--staging"; fi
docker-compose run --rm --entrypoint "\
certbot certonly --webroot -w /var/www/certbot \
$staging_arg \
$email_arg \
$domain_args \
--rsa-key-size $rsa_key_size \
--agree-tos \
--force-renewal" certbot
echo
echo "### Reloading nginx ..."
docker-compose exec nginx nginx -s reload
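Review bot: The two `curl -s ... > "$data_path/conf/..."` downloads write whatever the server returns into the TLS parameter files, so a 404 or an intercepting proxy page would be saved as `options-ssl-nginx.conf` / `ssl-dhparams.pem` and the existence check above would never retry; use `curl -fsSL <url> -o "$data_path/conf/options-ssl-nginx.conf" || exit 1` for both, so a failed fetch aborts instead of leaving nginx with a broken include. Both URLs point at `master`, so the fetched content is not tied to any certbot release. `[ $staging != "0" ]` leaves `$staging` unquoted; `[ "$staging" != "0" ]` matches the quoting used elsewhere in the script. The `read -p` prompt and the `rm -Rf` entrypoint use `$domains`, which expands to the first array element only — correct for the single domain configured here, misleading once more are added.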