add docker-madone

master
Paul Wako 2019-09-01 21:37:44 -04:00
parent 929d6796b0
commit 57c819d80e
15 changed files with 174 additions and 397 deletions


@ -0,0 +1 @@
Mostly stolen from https://github.com/vtluug/docker-manifests/tree/master/sczi/nginx

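--- a/docker-madone/nginx/launch.sh
+++ b/docker-madone/nginx/launch.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+docker run \
+--name nginx \
+--detach \
+--restart unless-stopped \
+--env PUID=1000 \
+--env PGID=1000 \
+--env EMAIL=sysadmin@seaturtle.pw \
+--env URL=seaturtle.pw \
+--env ONLY_SUBDOMAINS=true \
+--env SUBDOMAINS=madone \
+--env VALIDATION=html \
+--env TZ=US/Eastern \
+--volume $PWD/config:/config:rw \
+--volume $PWD/nginx.conf:/config/nginx/nginx.conf:ro \
+--volume $PWD/site-confs:/config/nginx/site-confs:ro \
+--publish 51.159.29.122:80:80 \
+--publish 51.159.29.122:443:443 \
+--publish [2001:bc8:6005:19:208:a2ff:fe0c:917c]:80:80 \
+--publish [2001:bc8:6005:19:208:a2ff:fe0c:917c]:443:443 \
+--network pew-net \
+linuxserver/letsencrypt:latest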
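Review bot: The three `--volume $PWD/...` lines leave `$PWD` unquoted, so a working directory containing whitespace splits the argument into several; write each as `--volume "$PWD/config:/config:rw"` (and likewise for `nginx.conf` and `site-confs`). `linuxserver/letsencrypt:latest` pins nothing, so every relaunch may pull a different image; a versioned tag or a digest makes the deployment reproducible. The compose file this commit removes also mounted an `ssl.conf` and a fail2ban `jail.local` read-only into the container; this script mounts neither, so whatever the image leaves under `/config` is what takes effect — confirm that is intended.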


@ -0,0 +1,63 @@
## Version 2018/04/07 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/nginx.conf
user abc;
worker_processes 4;
pid /run/nginx.pid;
include /etc/nginx/modules/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
client_max_body_size 0;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# Logging Settings
##
access_log /config/log/nginx/access.log;
error_log /config/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /config/nginx/site-confs/default;
include /config/nginx/site-confs/*.enabled;
}
daemon off;
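Review bot: `# server_tokens off;` in the Basic Settings block is left commented out, so the server advertises its nginx version in the `Server` header and on error pages; enabling it is the one-line change `server_tokens off;`. `client_max_body_size 0;` removes the request-body limit at the `http` level; the madone vhost overrides it to 1M, but the default server blocks in `site-confs/default` inherit the unlimited value. `worker_processes 4;` is a hard-coded count; `worker_processes auto;` follows the CPU count of whatever host the container ends up on.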


@ -4,13 +4,26 @@
# This is the main file that will be pe present no matter what # This is the main file that will be pe present no matter what
# Individual sites are specified in /config/nginx/sites/*.enabled # Individual sites are specified in /config/nginx/sites/*.enabled
# Redirect HTTP traffic to HTTPS # Redirect unknown HTTP traffic to https://seaturtle.pw
server { server {
listen 80 default_server; listen 80 default_server;
listen [::]:80 default_server; listen [::]:80 default_server;
server_name _; server_name _;
return 301 https://$host$request_uri; return 301 https://seaturtle.pw;
}
# Redirect unknown HTTPS traffic to https://seaturtle.pw
# If we don't have a cert for the site the client get an error but that's fine
server {
listen 443 default_server;
listen [::]:443 default_server;
server_name _;
# ssl conf
include /config/nginx/ssl.conf;
return 301 https://seaturtle.pw;
} }
# Enabled sites are included in /config/nginx/nginx.conf # Enabled sites are included in /config/nginx/nginx.conf
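Review bot: The new port-443 default server uses `listen 443 default_server;` and `listen [::]:443 default_server;` without the `ssl` parameter that the madone vhost uses (`listen 443 ssl;`); unless the included `/config/nginx/ssl.conf` still carries the deprecated `ssl on;`, the TLS settings it pulls in may not be applied to this server. Make the two listen lines consistent with the other vhost: `listen 443 ssl default_server;` and `listen [::]:443 ssl default_server;`. Both redirects target `https://seaturtle.pw`, the apex domain, while the launch script runs certbot with `ONLY_SUBDOMAINS=true` and `SUBDOMAINS=madone`, so that host has no certificate in this deployment — the comment above the block acknowledges the resulting client error, but it applies to every unknown-host request, not only the rare ones.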


@ -0,0 +1,51 @@
server {
listen 80;
listen [::]:80;
server_name madone.seaturtle.pw;
return 301 https://seaturtle.pw$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name madone.seaturtle.pw;
# ssl conf
include /config/nginx/ssl.conf;
client_max_body_size 1M;
# Proxy syncthing
location /syncthing/ {
auth_basic "not today buddy";
auth_basic_user_file /config/nginx/syncthing-htpasswd;
proxy_set_header X-Real_IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-proto $scheme;
proxy_pass http://syncthing:8384/;
}
# Proxy weechat
location /weechat {
proxy_pass http://172.17.0.1:9001;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 8h;
}
# Serve misc files
location /files {
alias /files-docker;
autoindex on;
}
# Serve syncthing files
location /sync {
auth_basic "nope definitely not today buddy";
auth_basic_user_file /config/nginx/sync-htpasswd;
alias /sync-docker;
autoindex on;
}
}
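Review bot: `return 301 https://seaturtle.pw$request_uri;` in the port-80 server sends visitors of madone.seaturtle.pw to the apex domain, which under the launch script's `ONLY_SUBDOMAINS=true` has no certificate; `return 301 https://$host$request_uri;` keeps them on the host that is actually served. The `/files` and `/sync` locations alias `/files-docker` and `/sync-docker`, but the nginx launch script mounts neither path into the nginx container (the syncthing script mounts `/sync-docker` into its own container only), so both locations will 404 unless a mount is added to nginx's `docker run`. `X-Real_IP` (underscore) and `X-Forwarded-proto` differ from the conventional `X-Real-IP` / `X-Forwarded-Proto` that the removed site conf used; the underscore variant is a different header name to any upstream that reads `X-Real-IP`.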


@ -0,0 +1,19 @@
#!/bin/bash
# Assumes pew-net exists
# Create mounted dirs (as non-root) before launching
docker run \
--name syncthing \
--detach \
--restart unless-stopped \
--env PUID=1000 \
--env PGID=1000 \
--env TZ=Europe/London \
--env UMASK_SET=022 \
--volume $PWD/config:/config:rw \
--volume $PWD/sync:/sync-docker:rw \
--publish 22000:22000 \
--publish 21027:21027/udp \
--network pew-net \
linuxserver/syncthing:latest
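Review bot: `--publish 22000:22000` and `--publish 21027:21027/udp` bind on every interface of the host, whereas the nginx script pins its ports to specific v4 and v6 addresses; if only those addresses should be reachable, use the same `<host-ip>:22000:22000` form here. The two `--volume $PWD/...` lines leave `$PWD` unquoted; quote them as `--volume "$PWD/config:/config:rw"` and `--volume "$PWD/sync:/sync-docker:rw"`. `TZ=Europe/London` differs from the `US/Eastern` given to the nginx container, which looks like a copy-paste leftover.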


@ -1,3 +1,5 @@
#!/usr/bin/env python3
import json import json
from selenium import webdriver from selenium import webdriver
from selenium.webdriver.common.by import By from selenium.webdriver.common.by import By


@ -1,3 +0,0 @@
[irc-etc]
# User must be changed from root to admin user after initial run
joe@madone.seaturtle.pw


@ -1,104 +0,0 @@
---
- hosts: irc-etc
become: yes
handlers:
- name: Restart ssh
service:
name: ssh
state: restarted
tasks:
- name: ping host
ping:
- name: Allow passwordless sudo
lineinfile:
path: /etc/sudoers
state: present
regexp: '^%sudo'
line: '%sudo ALL=(ALL) NOPASSWD:ALL'
validate: 'visudo -cf %s'
- name: Create admin user
user:
name: joe
groups: sudo
shell: /bin/bash
- name: Create normal user
user:
name: pew
shell: /bin/bash
- name: Add authorized ssh key from localhost
authorized_key:
user: "{{ item }}"
state: present
key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"
with_items:
- joe
- pew
- name: Disable password ssh
lineinfile: dest=/etc/ssh/sshd_config
regexp="^PasswordAuthentication"
line="PasswordAuthentication no"
state=present
notify: Restart ssh
# May have to be done manually
- name: Disallow root SSH access
lineinfile: dest=/etc/ssh/sshd_config
regexp="^PermitRootLogin"
line="PermitRootLogin no"
state=present
notify: Restart ssh
- name: Update apt and upgrade packages
apt:
update_cache: yes
upgrade: yes
- name: Install packages
apt:
pkg:
- apt-transport-https
- ca-certificates
- curl
- git
- gnupg
- htop
- iodine
- mosh
- oidentd
- software-properties-common
- tmux
- weechat
- zsh
state: latest
- name: Add Docker and Syncthing GPG key
apt_key:
url: https://download.docker.com/linux/ubuntu/gpg
- name: Add Docker and Syncthing APT repository
apt_repository:
repo: deb [arch=amd64] https://download.docker.com/linux/debian {{ansible_lsb.codename}} stable
- name: Update apt
apt:
update_cache: yes
# May require a reboot
- name: Install Docker & Synthing
apt:
pkg:
- docker-ce
- docker-compose
state: latest
- name: Add admin user to docker group
user:
name: joe
groups: docker
append: yes


@ -1,49 +0,0 @@
version: '3'
services:
letsencrypt:
restart: unless-stopped
image: linuxserver/letsencrypt
cap_add:
- NET_ADMIN
environment:
PUID: 1000
PGID: 1000
EMAIL: sysadmin@seaturtle.pw
# URL field must be working since nginx only starts if letsencrypt works
URL: seaturtle.pw
SUBDOMAINS: madone
EXTRA_DOMAINS: www.paul.walko.org,paul.walko.org
VALIDATION: html # TODO Switch to dns + gandi api once pr is merged
TZ: America/New_York
volumes:
# nginx persistent storage
- /home/joe/docker/nginx/config:/config
# RO settings
- ./htpasswd:/secrets/htpasswd # Create once deployed
- ./nginx.conf:/config/nginx/nginx.conf:ro
- ./ssl.conf:/config/nginx/ssl.conf:ro
- ./site-confs:/config/nginx/site-confs:ro
- ./jail.local:/config/jail2ban/jail.local:ro
# etc files
- /home/joe/docker/syncthing/sync:/sync:ro
ports:
- 10.21.2.155:80:80
- 10.21.2.155:443:443
- 2001:bc8:4728:8d0d::1:80:80
- 2001:bc8:4728:8d0d::1:443:443
syncthing:
restart: unless-stopped
image: linuxserver/syncthing
environment:
PUID: 1000
PGID: 1000
TZ: America/Eastern
UMASK_SET: <022>
volumes:
- /home/joe/docker/syncthing/config:/config
- /home/joe/docker/syncthing/sync:/sync
ports:
- 22000:22000
- 21027:21027/udp


@ -1,46 +0,0 @@
# This is the custom version of the jail.conf for fail2ban
# Feel free to modify this and add additional filters
# Then you can drop the new filter conf files into the fail2ban-filters
# folder and restart the container
[DEFAULT]
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 5
[ssh]
enabled = false
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /config/log/nginx/error.log
[nginx-badbots]
enabled = true
port = http,https
filter = nginx-badbots
logpath = /config/log/nginx/access.log
maxretry = 2
[nginx-botsearch]
enabled = true
port = http,https
filter = nginx-botsearch
logpath = /config/log/nginx/access.log


@ -1,101 +0,0 @@
## Version 2018/01/29 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/nginx.conf
user abc;
worker_processes 4;
pid /run/nginx.pid;
include /etc/nginx/modules/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
client_max_body_size 0;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# Logging Settings
##
access_log /config/log/nginx/access.log;
error_log /config/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
##
# nginx-naxsi config
##
# Uncomment it if you installed nginx-naxsi
##
#include /etc/nginx/naxsi_core.rules;
##
# nginx-passenger config
##
# Uncomment it if you installed nginx-passenger
##
#passenger_root /usr;
#passenger_ruby /usr/bin/ruby;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /config/nginx/site-confs/default;
include /config/nginx/site-confs/*.enabled;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
daemon off;


@ -1,43 +0,0 @@
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name seaturtle.pw paul.walko.org www.paul.walko.org;
# ssl conf
include /config/nginx/ssl.conf;
client_max_body_size 1M;
# Main site
location / {
proxy_pass https://paulwalko.github.io;
}
location /files {
alias /files;
autoindex on;
}
location /sync {
auth_basic "Restricted Content";
auth_basic_user_file /secrets/htpasswd;
alias /sync;
autoindex on;
}
location /syncthing/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass https://syncthing:8384/;
}
location /weechat {
proxy_pass http://127.0.0.1:9001/weechat;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_read_timeout 604800;
proxy_set_header X-RealIP $remote_addr;
}
}


@ -1,36 +0,0 @@
## Version 2018/05/31 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/ssl.conf
# session settings
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE cipher suites
ssl_dhparam /config/nginx/dhparams.pem;
# ssl certs
#ssl_certificate /config/keys/letsencrypt/fullchain.pem;
#ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
ssl_certificate /etc/letsencrypt/live/seaturtle.pw/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/seaturtle.pw/privkey.pem;
# protocols
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
# HSTS, remove # from the line below to enable HSTS
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
# Optional additional headers
#add_header Content-Security-Policy "upgrade-insecure-requests";
#add_header X-Frame-Options "SAMEORIGIN" always;
#add_header X-XSS-Protection "1; mode=block" always;
#add_header X-Content-Type-Options "nosniff" always;
#add_header X-UA-Compatible "IE=Edge" always;
#add_header Cache-Control "no-transform" always;
#add_header Referrer-Policy "same-origin" always;


@ -1,13 +0,0 @@
[Unit]
Description=Weechat IRC Client (in tmux)
After=network.target
[Service]
User=pew
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/tmux new-session -d -s irc /usr/bin/weechat
ExecStop=/usr/bin/tmux kill-session -t irc
[Install]
WantedBy=multi-user.target