diff options
Diffstat (limited to 'services/nginx')
| -rw-r--r-- | services/nginx/Dockerfile | 3 | ||||
| -rw-r--r-- | services/nginx/fs/etc/nginx/templates/default.conf.template | 45 | ||||
| -rw-r--r-- | services/nginx/fs/etc/nginx/templates/services/cgit.conf.template | 17 | ||||
| -rw-r--r-- | services/nginx/fs/etc/nginx/templates/services/radicale.conf.template | 19 | ||||
| -rwxr-xr-x | services/nginx/fs/sbin/cmd.bash | 11 |
5 files changed, 95 insertions, 0 deletions
diff --git a/services/nginx/Dockerfile b/services/nginx/Dockerfile new file mode 100644 index 0000000..bb8e645 --- /dev/null +++ b/services/nginx/Dockerfile @@ -0,0 +1,3 @@ +FROM nginx:1.29.4-trixie +ADD fs.tar.gz / +CMD ["/sbin/cmd.bash"] diff --git a/services/nginx/fs/etc/nginx/templates/default.conf.template b/services/nginx/fs/etc/nginx/templates/default.conf.template new file mode 100644 index 0000000..306a074 --- /dev/null +++ b/services/nginx/fs/etc/nginx/templates/default.conf.template @@ -0,0 +1,45 @@ +server { + listen 80; + listen [::]:80; + + server_name ${NGINX__HOST} + www.${NGINX__HOST} + dav.${NGINX__HOST} + git.${NGINX__HOST}; + + # Prevent nginx HTTP Server Detection + server_tokens off; + + return 301 https://$host$request_uri; +} + +server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name ${NGINX__HOST} www.${NGINX__HOST}; + + ssl_certificate /run/secrets/server.crt; + ssl_certificate_key /run/secrets/server.key; + + location / { + root /srv; + } +} + +server { + listen 443 ssl default_server; + listen [::]:443 ssl default_server; + + server_name _; + + ssl_certificate /run/secrets/server.crt; + ssl_certificate_key /run/secrets/server.key; + + return 444; +} + +# Docker embedded DNS server +resolver 127.0.0.11 valid=2s; + +include /etc/nginx/conf.d/services/*.conf; diff --git a/services/nginx/fs/etc/nginx/templates/services/cgit.conf.template b/services/nginx/fs/etc/nginx/templates/services/cgit.conf.template new file mode 100644 index 0000000..c0fa070 --- /dev/null +++ b/services/nginx/fs/etc/nginx/templates/services/cgit.conf.template @@ -0,0 +1,17 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name git.${NGINX__HOST}; + + ssl_certificate /run/secrets/server.crt; + ssl_certificate_key /run/secrets/server.key; + + location / { + proxy_pass http://cgit:80; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } +} diff --git a/services/nginx/fs/etc/nginx/templates/services/radicale.conf.template b/services/nginx/fs/etc/nginx/templates/services/radicale.conf.template new file mode 100644 index 0000000..d6e4617 --- /dev/null +++ b/services/nginx/fs/etc/nginx/templates/services/radicale.conf.template @@ -0,0 +1,19 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name dav.${NGINX__HOST}; + + ssl_certificate /run/secrets/server.crt; + ssl_certificate_key /run/secrets/server.key; + + location / { + proxy_pass http://radicale:5232; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $http_host; + proxy_pass_header Authorization; + } +} diff --git a/services/nginx/fs/sbin/cmd.bash b/services/nginx/fs/sbin/cmd.bash new file mode 100755 index 0000000..e024b4f --- /dev/null +++ b/services/nginx/fs/sbin/cmd.bash @@ -0,0 +1,11 @@ +#!/usr/bin/bash +set -eu + +# Install sensitive data in tmpfs +install --mode 400 /run/host_secrets/server.crt /run/secrets/server.crt +install --mode 400 /run/host_secrets/server.key /run/secrets/server.key + +# We have to run the entrypoint again +# Because if the first positional parameter is not "nginx" or "nginx-debug" the scripts in /docker-entrypoint.d are not ran. +# https://github.com/nginx/docker-nginx/blob/master/stable/debian/docker-entrypoint.sh +exec /docker-entrypoint.sh nginx -g "daemon off;" |