-rw-r--r--compose.yaml5
-rw-r--r--readme.md4
-rw-r--r--services/nginx/fs/etc/nginx/templates/default.conf.template8
-rw-r--r--services/nginx/fs/etc/nginx/templates/services/cgit.conf.template4
-rw-r--r--services/nginx/fs/etc/nginx/templates/services/radicale.conf.template4
-rw-r--r--services/nginx/fs/etc/nginx/templates/services/syncthing.conf.template4
-rwxr-xr-xservices/nginx/fs/sbin/cmd.bash11
-rwxr-xr-xtools/net_services105
8 files changed, 92 insertions, 53 deletions
diff --git a/compose.yaml b/compose.yaml
index 326e830..f1f9879 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -7,7 +7,6 @@ services:
dockerfile_inline: |
FROM nginx:1.31-trixie
ADD fs.tar.gz /
- CMD ["/sbin/cmd.bash"]
environment:
- NGINX__HOST=${NGINX__HOST}
networks:
@@ -17,10 +16,8 @@ services:
ports:
- ${HOST__HTTP_PORT:?}:80
- ${HOST__HTTPS_PORT:?}:443
- tmpfs:
- - /run/secrets:mode=400
volumes:
- - ${HOST__SECRET_DIR:?}:/run/host_secrets:ro
+ - ${HOST__SECRET_DIR:?}:/etc/certs:ro
depends_on:
- cgit
- radicale
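Review bot: With the tmpfs copy gone, the container now reads server.key straight from the host bind mount, so the key's confidentiality rests entirely on the host-side permissions of HOST__SECRET_DIR; a comment on the new volume line, `# server.key is read in place from the host — keep it owner-only (0400) there`, would make that explicit. The readme's opening sentence still says sensitive data is copied into the container when it starts (visible in the readme hunk header), which no longer describes this setup. The OVH branch in tools/net_services places its links inside /etc/letsencrypt, so this mount only serves that branch if HOST__SECRET_DIR is /etc/letsencrypt, which nothing here documents or checks.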
diff --git a/readme.md b/readme.md
index 5fe390d..b91c280 100644
--- a/readme.md
+++ b/readme.md
@@ -7,8 +7,8 @@ Sensitive data is not stored on the disk when containers start. It is copied int
## Requirements
- `docker`
-- `mkcert` for local CA certificate generation
-- `htpasswd` for generating credentials for nginx
+- `mkcert`
+- `htpasswd`
- `tar`
## How-to
diff --git a/services/nginx/fs/etc/nginx/templates/default.conf.template b/services/nginx/fs/etc/nginx/templates/default.conf.template
index f90b61a..e35cc41 100644
--- a/services/nginx/fs/etc/nginx/templates/default.conf.template
+++ b/services/nginx/fs/etc/nginx/templates/default.conf.template
@@ -20,8 +20,8 @@ server {
server_name ${NGINX__HOST} www.${NGINX__HOST};
- ssl_certificate /run/secrets/server.crt;
- ssl_certificate_key /run/secrets/server.key;
+ ssl_certificate /etc/certs/server.crt;
+ ssl_certificate_key /etc/certs/server.key;
location / {
root /srv;
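Review bot: The same ssl_certificate/ssl_certificate_key pair is now hand-edited in five places (this hunk, the second hunk of this file, and the cgit, radicale and syncthing templates), which is exactly how one of them drifts the next time the path moves. nginx's `include` directive lets a single shared snippet carry both directives, e.g. `include /etc/nginx/<shared-tls-snippet>.conf;` (path to be chosen by the project) in each `server` block, so the certificate location is defined once. The enclosing server blocks start and end outside the hunk.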
@@ -34,8 +34,8 @@ server {
server_name _;
- ssl_certificate /run/secrets/server.crt;
- ssl_certificate_key /run/secrets/server.key;
+ ssl_certificate /etc/certs/server.crt;
+ ssl_certificate_key /etc/certs/server.key;
return 444;
}
diff --git a/services/nginx/fs/etc/nginx/templates/services/cgit.conf.template b/services/nginx/fs/etc/nginx/templates/services/cgit.conf.template
index c0fa070..4abcee9 100644
--- a/services/nginx/fs/etc/nginx/templates/services/cgit.conf.template
+++ b/services/nginx/fs/etc/nginx/templates/services/cgit.conf.template
@@ -4,8 +4,8 @@ server {
server_name git.${NGINX__HOST};
- ssl_certificate /run/secrets/server.crt;
- ssl_certificate_key /run/secrets/server.key;
+ ssl_certificate /etc/certs/server.crt;
+ ssl_certificate_key /etc/certs/server.key;
location / {
proxy_pass http://cgit:80;
diff --git a/services/nginx/fs/etc/nginx/templates/services/radicale.conf.template b/services/nginx/fs/etc/nginx/templates/services/radicale.conf.template
index d6e4617..d0fd944 100644
--- a/services/nginx/fs/etc/nginx/templates/services/radicale.conf.template
+++ b/services/nginx/fs/etc/nginx/templates/services/radicale.conf.template
@@ -4,8 +4,8 @@ server {
server_name dav.${NGINX__HOST};
- ssl_certificate /run/secrets/server.crt;
- ssl_certificate_key /run/secrets/server.key;
+ ssl_certificate /etc/certs/server.crt;
+ ssl_certificate_key /etc/certs/server.key;
location / {
proxy_pass http://radicale:5232;
diff --git a/services/nginx/fs/etc/nginx/templates/services/syncthing.conf.template b/services/nginx/fs/etc/nginx/templates/services/syncthing.conf.template
index 31c90bb..1060588 100644
--- a/services/nginx/fs/etc/nginx/templates/services/syncthing.conf.template
+++ b/services/nginx/fs/etc/nginx/templates/services/syncthing.conf.template
@@ -4,8 +4,8 @@ server {
server_name sync.${NGINX__HOST};
- ssl_certificate /run/secrets/server.crt;
- ssl_certificate_key /run/secrets/server.key;
+ ssl_certificate /etc/certs/server.crt;
+ ssl_certificate_key /etc/certs/server.key;
location / {
proxy_pass http://syncthing:8384;
diff --git a/services/nginx/fs/sbin/cmd.bash b/services/nginx/fs/sbin/cmd.bash
deleted file mode 100755
index e024b4f..0000000
--- a/services/nginx/fs/sbin/cmd.bash
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/usr/bin/bash
-set -eu
-
-# Install sensitive data in tmpfs
-install --mode 400 /run/host_secrets/server.crt /run/secrets/server.crt
-install --mode 400 /run/host_secrets/server.key /run/secrets/server.key
-
-# We have to run the entrypoint again
-# Because if the first positional parameter is not "nginx" or "nginx-debug" the scripts in /docker-entrypoint.d are not ran.
-# https://github.com/nginx/docker-nginx/blob/master/stable/debian/docker-entrypoint.sh
-exec /docker-entrypoint.sh nginx -g "daemon off;"
diff --git a/tools/net_services b/tools/net_services
index 64a4fb5..9652948 100755
--- a/tools/net_services
+++ b/tools/net_services
@@ -4,13 +4,68 @@ set -euo pipefail
script_dir="$(dirname "$(realpath "$0")")"
root_dir="$(realpath "$script_dir/..")"
-env_file="$script_dir/../.env"
-if ! [[ -r "$env_file" ]]; then
- echo "$env_file is missing" >&2
- exit 1
-fi
-# shellcheck disable=1090
-source "$env_file"
+# generate_self_signed_cert <domain> <crt_dst> <key_dst> [<subdomains>...]
+_generate_self_signed_cert() {
+ local crt_dst=${1:?missing crt_dst argument}
+ local key_dst=${2:?missing key_dst argument}
+ local domain=${3:?missing domain argument}
+ shift 3
+ local -a subdomains=("$@")
+ mkcert -install
+ mkcert -cert-file "$crt_dst" -key-file "$key_dst" "${subdomains[@]/%/.$domain}" "$domain"
+}
+
+# _generate_ovh_cert ovh_api_creds.ini example.com www dav sftp
+_generate_ovh_cert() {
+ ini="${1:?missing ini argument}"
+ domain="${2:?missing domain argument}"
+ shift 2
+ subdomains=("$@")
+
+ shopt -s patsub_replacement
+ # Certificates are stored in `/etc/letsencrypt` by default
+ # shellcheck disable=SC2068
+ sudo certbot certonly \
+ --non-interactive \
+ --expand \
+ --dns-ovh \
+ --dns-ovh-credentials "$ini" \
+ --dns-ovh-propagation-seconds 60 \
+ --domain "$domain" \
+ ${subdomains[@]/*/--domain &."$domain"}
+}
+
+setup_ssh_git_user() {
+ repo_folder="${1:-/home/git/git}"
+
+ if ! id git &>/dev/null; then
+ sudo useradd --create-home git
+ fi
+ sudo usermod --shell "$(command -v git-shell)" git
+
+ sudo mkdir --parent --mode 0755 /home/git/{git-shell-commands,.ssh}
+ sudo chown --recursive git /home/git
+ sudo mkdir --parent --mode 0755 "$repo_folder"
+ sudo chown --recursive git "$repo_folder"
+
+ echo "
+Match User git
+ PasswordAuthentication no
+ PubkeyAuthentication yes
+" | sudo tee /etc/ssh/sshd_config.d/50-git-user.conf >/dev/null
+
+ sudo systemctl restart sshd
+}
+
+source_env() {
+ env_file="$script_dir/../.env"
+ if ! [[ -r "$env_file" ]]; then
+ echo "$env_file is missing" >&2
+ exit 1
+ fi
+ # shellcheck disable=1090
+ source "$env_file"
+}
init() {
for service in nginx radicale; do
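Review bot: `_generate_ovh_cert` assigns `ini`, `domain` and `subdomains` without `local`, unlike its sibling `_generate_self_signed_cert`, and builds the extra `--domain` arguments from an unquoted `${subdomains[@]/*/--domain &."$domain"}` that depends on `shopt -s patsub_replacement` (bash 5.2+) and a disabled ShellCheck warning; the `shopt` also stays set for the rest of the script. Building the argument list in an array avoids all of that, as sketched below. The header comment on `_generate_self_signed_cert` lists `<domain> <crt_dst> <key_dst>` but the body takes crt_dst, key_dst, domain in that order, so it should read `# _generate_self_signed_cert <crt_dst> <key_dst> <domain> [<subdomains>...]`. In `setup_ssh_git_user`, `/home/git/.ssh` is created 0755; sshd's StrictModes only rejects group/world-writable paths, but 0700 is the conventional mode for that directory.
```shell
_generate_ovh_cert() {
  local ini="${1:?missing ini argument}"
  local domain="${2:?missing domain argument}"
  shift 2
  # One quoted --domain pair per name: no word-splitting, no patsub_replacement needed
  local -a domain_args=(--domain "$domain")
  local sub
  for sub in "$@"; do
    domain_args+=(--domain "$sub.$domain")
  done
  sudo certbot certonly \
    # … unchanged: --non-interactive, --expand, --dns-ovh, --dns-ovh-credentials "$ini", --dns-ovh-propagation-seconds 60 …
    "${domain_args[@]}"
}
```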
@@ -31,26 +86,22 @@ init() {
mkdir --parents "$dir"
done
- # generate_self_signed_cert <domain> <crt_dst> <key_dst> [<subdomains>...]
- generate_self_signed_cert() {
- local crt_dst=${1:?missing crt_dst argument}
- local key_dst=${2:?missing key_dst argument}
- local domain=${3:?missing domain argument}
- shift 3
- local -a subdomains=("$@")
- mkcert -install
- mkcert -cert-file "$crt_dst" -key-file "$key_dst" "${subdomains[@]/%/.$domain}" "$domain"
- }
local crt_file="$HOST__SECRET_DIR/server.crt"
local key_file="$HOST__SECRET_DIR/server.key"
- if ! [[ -e "$crt_file" && -e "$key_file" ]]; then
- echo "$crt_file or $key_file missing"
- read -rn 1 -p "Create? (y/n)" input
- echo
- if [[ $input == y ]]; then
- generate_self_signed_cert "$crt_file" "$key_file" "$NGINX__HOST" www git sync dav
- fi
- fi
+ local -a subdomains=(www dav git sync)
+ echo "Generate/renew TLS certificate?"
+ select choice in OVH self-signed no; do
+ case $choice in
+ OVH)
+ read -rep "Enter path (relative or absolute) to your OVH API credentials:" ovh_api_creds_file
+ _generate_ovh_cert "$ovh_api_creds_file" "$NGINX__HOST" "${subdomains[@]}"
+ sudo ln --symbolic --relative --force "/etc/letsencrypt/live/$NGINX__HOST/fullchain.pem" /etc/letsencrypt/server.crt
+ sudo ln --symbolic --relative --force "/etc/letsencrypt/live/$NGINX__HOST/privkey.pem" /etc/letsencrypt/server.key
+ ;;
+ self-signed) _generate_self_signed_cert "$crt_file" "$key_file" "$NGINX__HOST" "${subdomains[@]}" ;;
+ esac
+ break
+ done
if ! [[ -e "$HOST__RADICALE_USERS_DIR/.htpasswd" ]]; then
read -rp "Initial Radicale username: " username
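Review bot: In the `OVH)` arm the certificate is linked to /etc/letsencrypt/server.crt and server.key, while `crt_file` and `key_file` (derived from HOST__SECRET_DIR, the directory compose.yaml mounts into nginx) are used only by the `self-signed)` arm, so unless HOST__SECRET_DIR happens to be /etc/letsencrypt nginx never sees the OVH certificate. Linking to the variables instead, `sudo ln --symbolic --force "/etc/letsencrypt/live/$NGINX__HOST/fullchain.pem" "$crt_file"` and likewise privkey.pem to `"$key_file"`, keeps the two arms consistent; note that a symlink whose target lies outside the mounted directory will not resolve inside the container, so this either needs `install`-style copies or a documented requirement that HOST__SECRET_DIR be /etc/letsencrypt. An empty `$choice` (any input other than 1–3) matches no arm and silently falls through to `break`, so a `*) echo "invalid choice" >&2 ;;` default would help. init() continues outside the hunk.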
@@ -67,10 +118,12 @@ init() {
cp_if_absent "$root_dir/services/cgit/examples/commit-filter.sh" "$HOST__CGIT_FILTER_DIR/commit-filter.sh"
}
+source_env
case ${1:-} in
init) init ;;
+git) setup_ssh_git_user ;;
*)
- echo "usage: net_services init"
+ echo "usage: net_services init|git"
exit 1
;;
esac
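Review bot: `source_env` now runs unconditionally before the `case`, but `setup_ssh_git_user` reads none of the `HOST__*`/`NGINX__*` variables, so `net_services git` (and the usage message) now fail on a missing .env for no reason; sourcing only where it is needed, `init) source_env; init ;;`, keeps the new subcommand independent of the compose environment. `source_env` also assigns `env_file` without `local`, unlike the functions above it in this file.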