first commit - working on the reverse proxy
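--- /dev/null
+++ b/PATH_NOT_SHOWN_1
@@ -0,0 +1,12 @@
+FROM jenkins/jenkins:lts
+USER root
+RUN apt-get update -qq \
+&& apt-get install -qqy apt-transport-https ca-certificates curl gnupg2 software-properties-common
+RUN curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
+RUN add-apt-repository \
+"deb [arch=arm64] https://download.docker.com/linux/debian \
+$(lsb_release -cs) \
+stable"
+RUN apt-get update -qq \
+&& apt-get -y install docker-ce
+RUN usermod -aG docker jenkins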
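Review bot: The image is left running as root: `USER root` is never reverted after the package installs, so the final `usermod -aG docker jenkins` only matters if a later `USER jenkins` exists; add `USER jenkins` as the last instruction so the controller does not run as root inside the container. The repository key is imported with `curl … | apt-key add -`, which is deprecated on current Debian and, without `pipefail`, lets a failed download pass silently; the maintained form is `gpg --dearmor -o /etc/apt/keyrings/docker.gpg` plus a `signed-by=/etc/apt/keyrings/docker.gpg` option in the `deb` line. `docker-ce` is installed unpinned and `[arch=arm64]` is hard-coded, so the build is neither reproducible nor portable; `$(dpkg --print-architecture)` gives the architecture and `apt-get install docker-ce=<version>` pins the package. Both `apt-get update` layers also leave `/var/lib/apt/lists` in the image; end each install with `&& rm -rf /var/lib/apt/lists/*`.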
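--- /dev/null
+++ b/PATH_NOT_SHOWN_2
@@ -0,0 +1,56 @@
+# docker-compose.yaml
+version: '3.8'
+
+networks:
+  jenkins:
+
+
+volumes:
+  jenkins_home:
+    driver_opts:
+      type: nfs
+      o: addr=maurice,nfsvers=4
+      device: :/swarm/jenkins/home
+  jenkins_certs:
+    driver_opts:
+      type: nfs
+      o: addr=maurice,nfsvers=4
+      device: :/swarm/jenkins/certs
+
+
+
+services:
+  jenkins-docker:
+    image: docker:dind
+    networks:
+      jenkins:
+        aliases:
+          - docker
+    user: root
+    environment:
+      - DOCKER_TLS_CERTDIR=/certs
+    volumes:
+      - jenkins_home:/var/jenkins_home
+      - jenkins_certs:/certs/client
+    ports:
+      - 2376:2376
+    privileged: true
+    command: --storage-driver=overlay2
+
+
+
+  jenkins-blueocean:
+    image: jenkins/jenkins:2.375.2
+    networks:
+      - jenkins
+    ports:
+      - 8080:8080
+      - 50000:50000
+    environment:
+      - DOCKER_HOST=tcp://docker:2376
+      - DOCKER_CERT_PATH=/certs/client
+      - DOCKER_TLS_VERIFY=1
+    volumes:
+      - jenkins_home:/var/jenkins_home
+      - jenkins_certs:/certs/client
+      - /var/run/docker.sock:/var/run/docker.sock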
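Review bot: `jenkins-blueocean` bind-mounts `/var/run/docker.sock` from the host while its `DOCKER_HOST`, `DOCKER_CERT_PATH` and `DOCKER_TLS_VERIFY` settings already point it at the `jenkins-docker` dind service over TLS; the socket mount is redundant and gives the Jenkins container root-equivalent control of the host daemon, so drop `- /var/run/docker.sock:/var/run/docker.sock`. `ports: - 2376:2376` publishes the dind API on every host interface although its only consumer reaches it through the `docker` network alias; remove the mapping, or bind it to loopback with `- 127.0.0.1:2376:2376` if host-side access is really needed. `privileged: true` is the documented requirement for dind, which is exactly why the surrounding exposure should be kept to the minimum.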
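--- /dev/null
+++ b/PATH_NOT_SHOWN_3
@@ -0,0 +1,67 @@
+version: "3.8"
+
+volumes:
+  nccdata:
+    driver_opts:
+      type: nfs
+      o: addr=maurice,nfsvers=4
+      device: :/nextcloudtest/nextcloud
+  ncredis:
+    driver_opts:
+      type: nfs
+      o: addr=maurice,nfsvers=4
+      device: :/nextcloudtest/redis
+
+  nctestcdb:
+    driver_opts:
+      type: nfs
+      o: addr=maurice,nfsvers=4
+      device: :/nextcloudtestdb
+
+
+
+services:
+  nextcloud:
+    image: nextcloud
+    container_name: nextcloud
+    environment:
+      - PUID=1000 #change PUID if needed
+      - PGID=100 #change PGID if needed
+      - TZ=Europe/Berlin #change Time Zone if needed
+      - REDIS_HOST=redis
+    volumes:
+      #- nccdata/config:/var/www/html/config #/srv/dev-disk-by-label-disk1 needs to be adjusted
+      #- nccdata/data:/var/www/html/data #/srv/dev-disk-by-label-disk1 needs to be adjusted
+      - nccdata:/var/www/html #/srv/dev-disk-by-label-disk1 needs to be adjusted
+      # NAS shares
+      # - /srv/dev-disk-by-uuid-f3ca381b-e85a-4348-8086-833317c5d96e/pictures:/pictures
+      # - /srv/dev-disk-by-uuid-f3ca381b-e85a-4348-8086-833317c5d96e/video:/video
+    depends_on:
+      - mariadb
+    ports: # uncomment this and the next line if you want to bypass the proxy
+      - 5443:443
+      - 5080:80
+    restart: unless-stopped
+
+  redis:
+    image: redis:latest
+    restart: always
+    volumes:
+      - ncredis:/var/lib/redis
+
+  mariadb:
+    image: ghcr.io/linuxserver/mariadb
+    container_name: nextclouddb
+    environment:
+      - PUID=1000 #change PUID if needed
+      - PGID=1000 #change PGID if needed
+      - MARIADB_ROOT_PASSWORD="dbpassword"
+      - MYSQL_ROOT_PASSWORD=mariadbpassword #change password
+      - TZ=Europe/Berlin #Change Time Zone if needed
+    volumes:
+      - nctestcdb:/config #/srv/dev-disk-by-label-disk1 needs to be adjusted
+    restart: unless-stopped
+    # ports:
+    # - 5306:3306
+
+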
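Review bot: Database root credentials are committed in clear text in the `mariadb` environment block (`MARIADB_ROOT_PASSWORD="dbpassword"` and `MYSQL_ROOT_PASSWORD=mariadbpassword`), and the two variables disagree, so which value the image honours is up to the image; keep one variable, source it from an untracked `.env` file (`- MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}`) or a compose secret, and treat the values now in history as burned. In list-form `environment` the double quotes around `"dbpassword"` become part of the value, which is a second reason to drop that line. `image: nextcloud`, `image: redis:latest` and the untagged `ghcr.io/linuxserver/mariadb` all float, so a routine pull can move the stack to a new major release; pin explicit tags.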
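--- /dev/null
+++ b/PATH_NOT_SHOWN_4
@@ -0,0 +1,14 @@
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file. Contents are based on https://ssl-config.mozilla.org
+
+ssl_session_cache shared:le_nginx_SSL:10m;
+ssl_session_timeout 1440m;
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers off;
+
+ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";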
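--- /dev/null
+++ b/PATH_NOT_SHOWN_5
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----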
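--- /dev/null
+++ b/PATH_NOT_SHOWN_6
@@ -0,0 +1,36 @@
+version: '3'
+
+volumes:
+  nginx_conf:
+    driver_opts:
+      type: nfs
+      o: addr=dockerstorage,nfsvers=4
+      device: :/swarm/stacks/reverseproxy/nginx
+  certbot_conf:
+    driver_opts:
+      type: nfs
+      o: addr=dockerstorage,nfsvers=4
+      device: :/swarm/stacks/reverseproxy/certbot_conf
+  certificates:
+    external: true
+
+
+
+services:
+  nginx:
+    image: nginx:1.15-alpine
+    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - nginx_conf:/etc/nginx/conf.d
+      - certbot_conf:/etc/letsencrypt
+      - ./data/certbot/www:/var/www/certbot
+  certbot:
+    image: certbot/certbot:arm64v8-v1.32.2
+    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
+    volumes:
+      - certbot_conf:/etc/letsencrypt
+      # - certificates:/etc/letsencrypt/live
+      - ./data/certbot/www:/var/www/certbot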
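Review bot: `image: nginx:1.15-alpine` is a 2018–2019 mainline release that no longer receives fixes, while the paired `certbot/certbot:arm64v8-v1.32.2` is several years newer; the internet-facing TLS terminator should track a maintained stable tag (for example `nginx:1.24-alpine`) and be pinned by digest if reproducibility matters. The `certificates` volume is declared `external: true` but only referenced from a commented-out mount, so the declaration is dead weight and, depending on the compose version, may make `up` fail when the volume does not already exist; remove the declaration or the comment together. The periodic `nginx -s reload` loop in `command` is the standard certbot pairing and is fine as written.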
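--- /dev/null
+++ b/PATH_NOT_SHOWN_7
@@ -0,0 +1,83 @@
+#!/bin/bash
+
+if ! [ -x "$(command -v docker-compose)" ]; then
+echo 'Error: docker-compose is not installed.' >&2
+exit 1
+fi
+
+domains=(vbchaos.ddns.net)
+rsa_key_size=4096
+data_path="./data/certbot"
+email="matthias.mitscherlich@gmail.com" # Adding a valid address is strongly recommended
+staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits
+
+if [ -d "$data_path" ]; then
+read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
+if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
+exit
+fi
+fi
+
+
+if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
+echo "### Downloading recommended TLS parameters ..."
+mkdir -p "$data_path/conf"
+curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
+curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
+echo
+fi
+
+echo "### Creating dummy certificate for $domains ..."
+path="/etc/letsencrypt/live/$domains"
+mkdir -p "$data_path/conf/live/$domains"
+docker-compose run --rm --entrypoint "\
+openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1\
+-keyout '$path/privkey.pem' \
+-out '$path/fullchain.pem' \
+-subj '/CN=localhost'" certbot
+echo
+
+
+echo "### Starting nginx ..."
+docker-compose up --force-recreate -d nginx
+echo
+
+
+
+echo "### Deleting dummy certificate for $domains ..."
+docker-compose run --rm --entrypoint "\
+rm -Rf /etc/letsencrypt/live/$domains && \
+rm -Rf /etc/letsencrypt/archive/$domains && \
+rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
+echo
+
+# exit 1
+
+echo "### Requesting Let's Encrypt certificate for $domains ..."
+#Join $domains to -d args
+domain_args=""
+for domain in "${domains[@]}"; do
+domain_args="$domain_args -d $domain"
+done
+
+# Select appropriate email arg
+case "$email" in
+"") email_arg="--register-unsafely-without-email" ;;
+*) email_arg="--email $email" ;;
+esac
+
+# Enable staging mode if needed
+if [ $staging != "0" ]; then staging_arg="--staging"; fi
+
+docker-compose run --rm --entrypoint "\
+certbot certonly --webroot -w /var/www/certbot \
+$staging_arg \
+$email_arg \
+$domain_args \
+--rsa-key-size $rsa_key_size \
+--agree-tos \
+--force-renewal" certbot
+echo
+
+echo "### Reloading nginx ..."
+docker-compose exec nginx nginx -s reload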
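Review bot: The two `curl -s …` downloads in the "Downloading recommended TLS parameters" block have no `-f`/`--fail`, so an HTTP error body from GitHub would be written into `options-ssl-nginx.conf` and `ssl-dhparams.pem` and nginx would then refuse to start with an unrelated parse error; use `curl -fsSL` and abort on a non-zero exit, and since `master` is a moving target consider shipping the copies already committed in this change instead of fetching at run time. The script prepares the dummy certificate directory and these parameters under `$data_path/conf` on the host, but the reverse-proxy compose file in this commit mounts the NFS volume `certbot_conf` at `/etc/letsencrypt` rather than `./data/certbot/conf`; if that compose file is the one this script drives, nginx and certbot never see what the script writes, and the `-keyout`/`-out` paths land inside the NFS volume instead. `email=` hard-codes a personal address in a committed script; reading it from the environment, e.g. `email="${CERTBOT_EMAIL:-}"`, keeps PII out of the repository and falls back to the existing `--register-unsafely-without-email` branch. `if [ $staging != "0" ]` should quote `"$staging"` so an empty value does not break the test.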