commit 22e6a432addb21cdbdf983ce8f1728c7c7841fc2 Author: Matthias Date: Sat Jan 21 19:33:14 2023 +0000 first commit - working on the reverse proxy diff --git a/jenkins/Dockerfile b/jenkins/Dockerfile new file mode 100644 index 0000000..3909176 --- /dev/null +++ b/jenkins/Dockerfile @@ -0,0 +1,12 @@ +FROM jenkins/jenkins:lts +USER root +RUN apt-get update -qq \ + && apt-get install -qqy apt-transport-https ca-certificates curl gnupg2 software-properties-common +RUN curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add - +RUN add-apt-repository \ + "deb [arch=arm64] https://download.docker.com/linux/debian \ + $(lsb_release -cs) \ + stable" +RUN apt-get update -qq \ + && apt-get -y install docker-ce +RUN usermod -aG docker jenkins diff --git a/jenkins/docker-compose.yml b/jenkins/docker-compose.yml new file mode 100644 index 0000000..c9861e2 --- /dev/null +++ b/jenkins/docker-compose.yml @@ -0,0 +1,56 @@ +# docker-compose.yaml +version: '3.8' + +networks: + jenkins: + + +volumes: + jenkins_home: + driver_opts: + type: nfs + o: addr=maurice,nfsvers=4 + device: :/swarm/jenkins/home + jenkins_certs: + driver_opts: + type: nfs + o: addr=maurice,nfsvers=4 + device: :/swarm/jenkins/certs + + + +services: + jenkins-docker: + image: docker:dind + networks: + jenkins: + aliases: + - docker + user: root + environment: + - DOCKER_TLS_CERTDIR=/certs + volumes: + - jenkins_home:/var/jenkins_home + - jenkins_certs:/certs/client + ports: + - 2376:2376 + privileged: true + command: --storage-driver=overlay2 + + + + jenkins-blueocean: + image: jenkins/jenkins:2.375.2 + networks: + - jenkins + ports: + - 8080:8080 + - 50000:50000 + environment: + - DOCKER_HOST=tcp://docker:2376 + - DOCKER_CERT_PATH=/certs/client + - DOCKER_TLS_VERIFY=1 + volumes: + - jenkins_home:/var/jenkins_home + - jenkins_certs:/certs/client + - /var/run/docker.sock:/var/run/docker.sock diff --git a/nextcloud/docker-compose.yml b/nextcloud/docker-compose.yml new file mode 100644 index 0000000..86bd6c9 --- /dev/null +++ b/nextcloud/docker-compose.yml @@ -0,0 +1,67 @@ +version: "3.8" + +volumes: + nccdata: + driver_opts: + type: nfs + o: addr=maurice,nfsvers=4 + device: :/nextcloudtest/nextcloud + ncredis: + driver_opts: + type: nfs + o: addr=maurice,nfsvers=4 + device: :/nextcloudtest/redis + + nctestcdb: + driver_opts: + type: nfs + o: addr=maurice,nfsvers=4 + device: :/nextcloudtestdb + + + +services: + nextcloud: + image: nextcloud + container_name: nextcloud + environment: + - PUID=1000 #change PUID if needed + - PGID=100 #change PGID if needed + - TZ=Europe/Berlin #change Time Zone if needed + - REDIS_HOST=redis + volumes: + #- nccdata/config:/var/www/html/config #/srv/dev-disk-by-label-disk1 needs to be adjusted + #- nccdata/data:/var/www/html/data #/srv/dev-disk-by-label-disk1 needs to be adjusted + - nccdata:/var/www/html #/srv/dev-disk-by-label-disk1 needs to be adjusted + # NAS shares + # - /srv/dev-disk-by-uuid-f3ca381b-e85a-4348-8086-833317c5d96e/pictures:/pictures + # - /srv/dev-disk-by-uuid-f3ca381b-e85a-4348-8086-833317c5d96e/video:/video + depends_on: + - mariadb + ports: # uncomment this and the next line if you want to bypass the proxy + - 5443:443 + - 5080:80 + restart: unless-stopped + + redis: + image: redis:latest + restart: always + volumes: + - ncredis:/var/lib/redis + + mariadb: + image: ghcr.io/linuxserver/mariadb + container_name: nextclouddb + environment: + - PUID=1000 #change PUID if needed + - PGID=1000 #change PGID if needed + - MARIADB_ROOT_PASSWORD="dbpassword" + - MYSQL_ROOT_PASSWORD=mariadbpassword #change password + - TZ=Europe/Berlin #Change Time Zone if needed + volumes: + - nctestcdb:/config #/srv/dev-disk-by-label-disk1 needs to be adjusted + restart: unless-stopped +# ports: +# - 5306:3306 + + diff --git a/reverseproxy/data/certbot/conf/options-ssl-nginx.conf b/reverseproxy/data/certbot/conf/options-ssl-nginx.conf new file mode 100644 index 0000000..f2aadba --- /dev/null +++ b/reverseproxy/data/certbot/conf/options-ssl-nginx.conf @@ -0,0 +1,14 @@ +# This file contains important security parameters. If you modify this file +# manually, Certbot will be unable to automatically provide future security +# updates. Instead, Certbot will print and log an error message with a path to +# the up-to-date file that you will need to refer to when manually updating +# this file. Contents are based on https://ssl-config.mozilla.org + +ssl_session_cache shared:le_nginx_SSL:10m; +ssl_session_timeout 1440m; +ssl_session_tickets off; + +ssl_protocols TLSv1.2 TLSv1.3; +ssl_prefer_server_ciphers off; + +ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; diff --git a/reverseproxy/data/certbot/conf/ssl-dhparams.pem b/reverseproxy/data/certbot/conf/ssl-dhparams.pem new file mode 100644 index 0000000..9b182b7 --- /dev/null +++ b/reverseproxy/data/certbot/conf/ssl-dhparams.pem @@ -0,0 +1,8 @@ +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== +-----END DH PARAMETERS----- diff --git a/reverseproxy/docker-compose.yml b/reverseproxy/docker-compose.yml new file mode 100644 index 0000000..fab6c0c --- /dev/null +++ b/reverseproxy/docker-compose.yml @@ -0,0 +1,36 @@ +version: '3' + +volumes: + nginx_conf: + driver_opts: + type: nfs + o: addr=dockerstorage,nfsvers=4 + device: :/swarm/stacks/reverseproxy/nginx + certbot_conf: + driver_opts: + type: nfs + o: addr=dockerstorage,nfsvers=4 + device: :/swarm/stacks/reverseproxy/certbot_conf + certificates: + external: true + + + +services: + nginx: + image: nginx:1.15-alpine + command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'" + ports: + - "80:80" + - "443:443" + volumes: + - nginx_conf:/etc/nginx/conf.d + - certbot_conf:/etc/letsencrypt + - ./data/certbot/www:/var/www/certbot + certbot: + image: certbot/certbot:arm64v8-v1.32.2 + entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'" + volumes: + - certbot_conf:/etc/letsencrypt +# - certificates:/etc/letsencrypt/live + - ./data/certbot/www:/var/www/certbot diff --git a/reverseproxy/init-letsencrypt.sh b/reverseproxy/init-letsencrypt.sh new file mode 100755 index 0000000..3a1db05 --- /dev/null +++ b/reverseproxy/init-letsencrypt.sh @@ -0,0 +1,83 @@ +#!/bin/bash + +if ! [ -x "$(command -v docker-compose)" ]; then + echo 'Error: docker-compose is not installed.' >&2 + exit 1 +fi + +domains=(vbchaos.ddns.net) +rsa_key_size=4096 +data_path="./data/certbot" +email="matthias.mitscherlich@gmail.com" # Adding a valid address is strongly recommended +staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits + +if [ -d "$data_path" ]; then + read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision + if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then + exit + fi +fi + + +if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then + echo "### Downloading recommended TLS parameters ..." + mkdir -p "$data_path/conf" + curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf" + curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem" + echo +fi + +echo "### Creating dummy certificate for $domains ..." +path="/etc/letsencrypt/live/$domains" +mkdir -p "$data_path/conf/live/$domains" +docker-compose run --rm --entrypoint "\ + openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1\ + -keyout '$path/privkey.pem' \ + -out '$path/fullchain.pem' \ + -subj '/CN=localhost'" certbot +echo + + +echo "### Starting nginx ..." +docker-compose up --force-recreate -d nginx +echo + + + +echo "### Deleting dummy certificate for $domains ..." +docker-compose run --rm --entrypoint "\ + rm -Rf /etc/letsencrypt/live/$domains && \ + rm -Rf /etc/letsencrypt/archive/$domains && \ + rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot +echo + +# exit 1 + +echo "### Requesting Let's Encrypt certificate for $domains ..." +#Join $domains to -d args +domain_args="" +for domain in "${domains[@]}"; do + domain_args="$domain_args -d $domain" +done + +# Select appropriate email arg +case "$email" in + "") email_arg="--register-unsafely-without-email" ;; + *) email_arg="--email $email" ;; +esac + +# Enable staging mode if needed +if [ $staging != "0" ]; then staging_arg="--staging"; fi + +docker-compose run --rm --entrypoint "\ + certbot certonly --webroot -w /var/www/certbot \ + $staging_arg \ + $email_arg \ + $domain_args \ + --rsa-key-size $rsa_key_size \ + --agree-tos \ + --force-renewal" certbot +echo + +echo "### Reloading nginx ..." +docker-compose exec nginx nginx -s reload