Switch to nginx-proxy

2025-07-20 22:21:37 +01:00
parent 650bb88bc0
commit a1e0fb1ebb
10 changed files with 349 additions and 160 deletions
--- a/.env.example
+++ b/.env.example
@@ -7,6 +7,7 @@ USER_PASSWORD=
 DOMAIN=scarif.local
 LOCAL_IP=192.168.10.10
 SSH_KEY= # Will be added to authorized keys
 COMPOSE_PROFILES=prod
 #
 # Database settings
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,10 +1,3 @@
 # Options for building certificates
 x-certs: &certs
  image: paulczar/omgwtfssl
  restart: "no"
  volumes:
    - /opt/ssl:/certs
 x-logging: &logging
  logging:
    driver: "local"
@@ -13,19 +6,24 @@ x-logging: &logging
      max-file: "2"
 services:
-  change:
+  # change:
-    <<: *logging
+  #   <<: *logging
-    container_name: change
+  #   profiles: ["prod"]
-    image: node:alpine
+  #   container_name: change
-    build: ./change-game
+  #   image: node:alpine
-    environment:
+  #   build: ./change-game
-      - PORT=9000
+  #   environment:
-    networks:
+  #     - PORT=9000
-      - nginx
+  #     - VIRTUAL_HOST=rec.${DOMAIN}
-    volumes:
+  #     - CERT_NAME=${DOMAIN}
-      - change:/change/public
+  #     - VIRTUAL_PORT=9000
  #   networks:
  #     - nginx
  #   volumes:
  #     - change:/change/public
  foundry:
    profiles: ["prod"]
    <<: *logging
    image: felddy/foundryvtt:release
    volumes:
@@ -45,13 +43,18 @@ services:
      - CONTAINER_PATCHES=/data/patches
      - FOUNDRY_UID=1000
      - FOUNDRY_GID=1000
      - VIRTUAL_HOST=rec.${DOMAIN}
      - CERT_NAME=${DOMAIN}
      - VIRTUAL_PORT=30000
      - VIRTUAL_PATH=/foundry
    networks:
      - nginx
  nextcloud:
    profiles: ["prod"]
    <<: *logging
    build: ./nextcloud
-    image: nextcloud
+    image: nextcloud:31-fpm-alpine
    restart: unless-stopped
    user: 1000:1000
    volumes:
@@ -59,6 +62,10 @@ services:
      - /mnt/tower/stardust:/var/www/html/data
      - /mnt/tower/foundry:/var/www/foundry
    environment:
      - VIRTUAL_HOST=tower.${DOMAIN}
      - CERT_NAME=${DOMAIN}
      - VIRTUAL_PORT=9000
      - VIRTUAL_PROTO=fastcgi
      - REDIS_HOST=redis
      - MYSQL_HOST=db
      - MYSQL_PASSWORD=${DB_PASSWORD}
@@ -88,12 +95,16 @@ services:
      - "office.${DOMAIN}:${LOCAL_IP}" 
  collabora:
    profiles: ["prod", "dev"]
    <<: *logging
    image: collabora/code
    restart: unless-stopped
    cap_add:
      - MKNOD
    environment:
      - VIRTUAL_HOST=office.${DOMAIN}
      - CERT_NAME=${DOMAIN}
      - VIRTUAL_PORT=9980
      - "DONT_GEN_SSL_CERT=True"
      - domain=tower.${DOMAIN}
      - cert_domain=office.${DOMAIN}
@@ -108,28 +119,14 @@ services:
      - "tower.${DOMAIN}:${LOCAL_IP}"
      - "office.${DOMAIN}:${LOCAL_IP}"
  homebox:
    <<: *logging
    image: ghcr.io/hay-kot/homebox:latest
    restart: unless-stopped
    environment:
      - HBOX_LOG_LEVEL=info
      - HBOX_LOG_FORMAT=text
      - HBOX_WEB_MAX_UPLOAD_SIZE=10
      - HBOX_OPTIONS_ALLOW_REGISTRATION=false
      - HBOX_MAILER_HOST=${MAIL_HOST}
      - HBOX_MAILER_PORT=${MAIL_PORT}
      - HBOX_MAILER_USERNAME=${MAIL_USER}
      - HBOX_MAILER_PASSWORD=${MAIL_PASSWORD}
    volumes:
      - homebox:/data/
    networks:
      - nginx
  gitea:
    profiles: ["prod", "dev"]
    <<: *logging
    image: gitea/gitea:1
    environment:
      - VIRTUAL_HOST=labs.${DOMAIN}
      - CERT_NAME=${DOMAIN}
      - VIRTUAL_PORT=3000
      - "APP_NAME=Labs: Where the good stuff happens"
      - RUN_MODE=prod
      - DOMAIN=labs.${DOMAIN}
@@ -158,6 +155,7 @@ services:
      - db
  minecraft:
    profiles: ["prod"]
    <<: *logging
    image: itzg/minecraft-server
    tty: true
@@ -176,6 +174,7 @@ services:
      - minecraft:/data
  mc-backup:
    profiles: ["prod"]
    <<: *logging
    image: itzg/mc-backup
    depends_on:
@@ -193,53 +192,15 @@ services:
      - minecraft:/data:ro
      - /mnt/tower/backups/minecraft:/backups
  tt-rss:
    <<: *logging
    image: cthulhoo/ttrss-fpm-pgsql-static:latest
    restart: unless-stopped
    environment:
      - TTRSS_SELF_URL_PATH=https://intel.${DOMAIN}
      - TTRSS_DB_USER=${DB_USER}
      - TTRSS_DB_NAME=scarif
      - TTRSS_DB_PASS=${DB_PASSWORD}
      - TTRSS_DB_HOST=psqldb
        #- AUTO_CREATE_USER=${TTRSS_USER}
        #- AUTO_CREATE_USER_PASS=${TTRSS_USER_PASS}
        #- ADMIN_USER_ACCESS_LEVEL=-2
    volumes:
      - tt-rss:/var/www/html
      - ./tt-rss/config.d:/opt/tt-rss/config.d:ro
    depends_on:
      - psqldb
    networks:
      - db
      - nginx
  tt-rss-updater:
    <<: *logging
    image: cthulhoo/ttrss-fpm-pgsql-static:latest
    restart: unless-stopped
    environment:
      - TTRSS_SELF_URL_PATH=https://intel.${DOMAIN}
      - TTRSS_DB_USER=${DB_USER}
      - TTRSS_DB_NAME=scarif
      - TTRSS_DB_PASS=${DB_PASSWORD}
      - TTRSS_DB_HOST=psqldb
    volumes:
      - tt-rss:/var/www/html
      - ./tt-rss/config.d:/opt/tt-rss/config.d:ro
    depends_on:
      - tt-rss
      - psqldb
    command: /opt/tt-rss/updater.sh
    networks:
      - db
  navidrome:
    profiles: ["prod"]
    <<: *logging
    image: deluan/navidrome:latest
    restart: unless-stopped
    environment:
      - VIRTUAL_HOST=radio.${DOMAIN}
      - CERT_NAME=${DOMAIN}
      - VIRTUAL_PORT=4533
      - ND_SCANSCHEDULE=1h
      - ND_LOGLEVEL=info
      - ND_SESSIONTIMEOUT=24h
@@ -251,15 +212,17 @@ services:
      - nginx
  pihole:
    profiles: ["prod"]
    <<: *logging
    image: pihole/pihole:latest
    ports:
      - "53:53/tcp"
      - "53:53/udp"
    environment:
-      TZ: "Europe/London"
+      - VIRTUAL_HOST=net.${DOMAIN}
-      WEBPASSWORD: ${PIHOLE_PASSWORD}
+      - CERT_NAME=${DOMAIN}
-      VIRTUAL_HOST: net.${DOMAIN}
+      - TZ="Europe/London"
      - WEBPASSWORD=${PIHOLE_PASSWORD}
    volumes:
      - "/docker/pihole/etc-pihole:/etc/pihole"
      - "/docker/pihole/etc-dnsmasq.d:/etc/dnsmasq.d"
@@ -267,22 +230,8 @@ services:
    networks:
      - nginx
  pdf2audiobook:
    <<: *logging
    build: ./pdf-to-audiobook
    image: pdf2audiobook:latest
    container_name: pdf2audiobook
    working_dir: /app
    volumes:
      - ./pdf-to-audiobook:/app
      - /mnt/tower/stardust/chris/files/Library:/books:ro
      - /mnt/tower/stardust/chris/files/Audiobooks:/audio
    environment:
      - OPENAI_API_KEY=${OPENAI_API_KEY}
      - OPENAI_API_BASE=${OPENAI_API_BASE:-https://aihubmix.com/v1}
      - OPENAI_MODEL=${OPENAI_MODEL:-aihubmix-Llama-3-3-70B-Instruct}
  jitsi:
    profiles: ["prod"]
    <<: *logging
    image: jitsi/web:stable
    restart: unless-stopped
@@ -291,6 +240,9 @@ services:
      - ${CONFIG}/web/crontabs:/var/spool/cron/crontabs:Z
      - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z
    environment:
      - VIRTUAL_HOST=comms.${DOMAIN}
      - VIRTUAL_PORT=80
      - CERT_NAME=${DOMAIN}
      - AMPLITUDE_ID
      - ANALYTICS_SCRIPT_URLS
      - ANALYTICS_WHITELISTED_EVENTS
@@ -435,6 +387,7 @@ services:
  # XMPP server
  prosody:
    profiles: ["prod"]
    <<: *logging
    image: jitsi/prosody:stable
    restart: unless-stopped
@@ -532,6 +485,7 @@ services:
  # Focus component
  jicofo:
    profiles: ["prod"]
    <<: *logging
    image: jitsi/jicofo:stable
    restart: unless-stopped
@@ -581,6 +535,7 @@ services:
  # Video bridge
  jvb:
    profiles: ["prod"]
    <<: *logging
    image: jitsi/jvb:stable
    restart: unless-stopped
@@ -627,6 +582,7 @@ services:
  db:
    profiles: ["prod", "dev"]
    <<: *logging
    image: mariadb
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --skip-innodb-read-only-compressed
@@ -642,41 +598,40 @@ services:
      - db
  redis:
    profiles: ["prod", "dev"]
    image: redis:alpine
    restart: always
    networks:
      - redis
  nginx:
-    <<: *logging
+    profiles: ["prod", "dev"]
-    image: nginx:alpine
+    image: nginxproxy/nginx-proxy
    restart: always
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - /opt/ssl:/etc/nginx/certs:ro
-      - ./nginx/nginx.conf.template:/etc/nginx/conf.d/nginx.conf.template
+      - ./nginx-proxy/vhost.d/labs_location:/etc/nginx/vhost.d/labs.${DOMAIN}_location:ro
-      - ./nginx/generate_conf.sh:/docker-entrypoint.d/generate_conf.sh
+      - ./nginx-proxy/vhost.d/office:/etc/nginx/vhost.d/office.${DOMAIN}:ro
      - ./nginx-proxy/vhost.d/rec:/etc/nginx/vhost.d/rec.${DOMAIN}:ro
      - ./nginx-proxy/vhost.d/tower_location_override:/etc/nginx/vhost.d/tower.${DOMAIN}_location_override:ro
      - ./nginx-proxy/vhost.d/tower:/etc/nginx/vhost.d/tower.${DOMAIN}:ro
      - ./nginx-proxy/conf.d/custom_proxy.conf:/etc/nginx/conf.d/custom_proxy.conf:ro
      - nextcloud:/var/www/html/nextcloud:ro
      - ./christmas:/var/www/html/christmas:ro
      - tt-rss:/var/www/html/tt-rss:ro
      - change:/var/www/html/change:ro
    environment:
      - DOMAIN=${DOMAIN}
    depends_on:
      - nextcloud
      - gitea
      - collabora
      - pihole
      - foundry
      - tt-rss
      - homebox
      - navidrome
    ports:
      - 443:443
    networks:
      - nginx
  certs:
-    <<: *certs
+    profiles: ["dev"]
    image: paulczar/omgwtfssl
    restart: "no"
    volumes:
      - /opt/ssl:/certs
    environment:
      - SSL_SUBJECT=${DOMAIN}
      - CA_SUBJECT=chris@${DOMAIN}
@@ -684,27 +639,11 @@ services:
      - SSL_CSR=/certs/${DOMAIN}.csr
      - SSL_CERT=/certs/${DOMAIN}.crt
  psqldb:
    <<: *logging
    image: postgres:12-alpine
    restart: unless-stopped
    environment:
      - POSTGRES_USER=${DB_USER}
      - POSTGRES_PASSWORD=${DB_PASSWORD}
      - POSTGRES_DB=scarif
    volumes:
      - psqldb:/var/lib/postgresql/data
    networks:
      - db
 volumes:
  db:
  psqldb:
  tt-rss:
  gitea:
  nextcloud:
  foundry:
  homebox:
  navidrome:
  minecraft:
  change:
--- a/nextcloud/Dockerfile
+++ b/nextcloud/Dockerfile
@@ -34,7 +34,7 @@ RUN set -ex; \
 RUN mkdir -p \
    /var/log/supervisord \
    /var/run/supervisord \
-;
+    ;
 RUN addgroup -S -g 1000 nextcloud; \
    adduser -S -u 1000 -G nextcloud nextcloud; \
--- a/nginx/conf.d/custom_proxy.conf
+++ b/nginx/conf.d/custom_proxy.conf
@@ -0,0 +1,20 @@
 # server {
 #     listen 443 ssl http2;
 #
 #     ssl_certificate /etc/nginx/certs/${DOMAIN}.crt;
 #     ssl_certificate_key /etc/nginx/certs/${DOMAIN}.key;
 #
 #     server_name christmas.${DOMAIN};
 #
 #     gzip_types text/plain text/css application/json application/x-javascript
 #         text/xml application/xml application/xml+rss text/javascript;
 #
 #     root "/var/www/html/christmas";
 #
 #     location / {
 #         try_files $uri.html $uri /default.html;
 #     }
 # }
 proxy_buffering off;
--- a/nginx/nginx.conf.template
+++ b/nginx/nginx.conf.template
@@ -376,7 +376,6 @@ http {
        client_max_body_size 300M;
        location /foundry {
            # Set proxy headers
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -385,7 +384,6 @@ http {
            # These are important to support WebSockets;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_pass http://foundry-handler;
        }
--- a/nginx/vhost.d/labs_location
+++ b/nginx/vhost.d/labs_location
@@ -0,0 +1,6 @@
 if ($http_origin ~* (https?://(?:www\.)?5e\.tools|https?://(?:www\.)?rec\.scarif\.space)) {
    add_header 'Access-Control-Allow-Origin' "$http_origin";
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
    add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
    add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
 }
--- a/nginx/vhost.d/office
+++ b/nginx/vhost.d/office
@@ -0,0 +1,42 @@
 # static files
 location ^~ /browser {
    proxy_pass http://$server_name;
    proxy_set_header Host $http_host;
 }
 # WOPI discovery URL
 location ^~ /hosting/discovery {
    proxy_pass http://$server_name;
    proxy_set_header Host $http_host;
 }
 # Capabilities
 location ^~ /hosting/capabilities {
    proxy_pass http://$server_name;
    proxy_set_header Host $http_host;
 }
 # main websocket
 location ~ ^/cool/(.*)/ws$ {
    proxy_pass http://$server_name;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $http_host;
    proxy_read_timeout 36000s;
 }
 # download, presentation and image upload
 location ~ ^/(c|l)ool {
    proxy_pass http://$server_name;
    proxy_set_header Host $http_host;
 }
 # Admin Console websocket
 location ^~ /cool/adminws {
    proxy_pass http://$server_name;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $http_host;
    proxy_read_timeout 36000s;
 }
--- a/nginx/vhost.d/rec
+++ b/nginx/vhost.d/rec
@@ -0,0 +1,23 @@
 Need to figure out how to get this working with nginx-proxy
 # This file is for the /change/socket.io and /change/peer paths
 location ~ ^/change/(socket\.io|peer) {
 # Set proxy headers
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
 # WebSocket specific headers
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
 # WebSocket specific settings
    proxy_buffering off;
    proxy_redirect off;
    proxy_connect_timeout 90s;
    proxy_send_timeout 90s;
    proxy_read_timeout 90s;
    proxy_pass http://$server_name;
 }
--- a/nginx/vhost.d/tower
+++ b/nginx/vhost.d/tower
@@ -0,0 +1,67 @@
 root /var/www/html/nextcloud;
 # Prevent nginx HTTP Server Detection
 server_tokens off;
 # HSTS settings
 # WARNING: Only add the preload option once you read about
 # the consequences in https://hstspreload.org/. This option
 # will add the domain to a hardcoded list that is shipped
 # in all major browsers and getting removed from this list
 # could take several months.
 #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 # set max upload size and increase upload timeout:
 client_max_body_size 10G;
 client_body_timeout 300s;
 fastcgi_buffers 64 4K;
 # Enable gzip but do not remove ETag headers
 gzip on;
 gzip_vary on;
 gzip_comp_level 4;
 gzip_min_length 256;
 gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
 gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
 # Pagespeed is not supported by Nextcloud, so if your server is built
 # with the `ngx_pagespeed` module, uncomment this line to disable it.
 #pagespeed off;
 # The settings allows you to optimize the HTTP2 bandwidth.
 # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
 # for tuning hints
 client_body_buffer_size 512k;
 # HTTP response headers borrowed from Nextcloud `.htaccess`
 add_header Referrer-Policy "no-referrer" always;
 add_header X-Content-Type-Options "nosniff" always;
 add_header X-Frame-Options "SAMEORIGIN" always;
 add_header X-Permitted-Cross-Domain-Policies "none" always;
 add_header X-Robots-Tag "none" always;
 # Remove X-Powered-By, which is an information leak
 fastcgi_hide_header X-Powered-By;
 # Set .mjs and .wasm MIME types
 # Either include it in the default mime.types list
 # and include that list explicitly or add the file extension
 # only for Nextcloud like below:
 include mime.types;
 types {
    text/javascript mjs;
    application/wasm wasm;
 }
 # Specify how to handle directories -- specifying `/index.php$request_uri`
 # here as the fallback means that Nginx always exhibits the desired behaviour
 # when a client requests a path that corresponds to a directory that exists
 # on the server. In particular, if that directory contains an index.php file,
 # that file is correctly served; if it doesn't, then the request is passed to
 # the front-end controller. This consistent behaviour means that we don't need
 # to specify custom rules for certain paths (e.g. images and other assets,
 # `/updater`, `/ocs-provider`), and thus
 # `try_files $uri $uri/ /index.php$request_uri`
 # always provides the desired behaviour.
 index index.php index.html /index.php$request_uri;
--- a/nginx/vhost.d/tower_location_override
+++ b/nginx/vhost.d/tower_location_override
@@ -0,0 +1,93 @@
 # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
 location = / {
    if ( $http_user_agent ~ ^DavClnt ) {
        return 302 /remote.php/webdav/$is_args$args;
    }
 }
 location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
 }
 # Make a regex exception for `/.well-known` so that clients can still
 # access it despite the existence of the regex rule
 # `location ~ /(\.|autotest|...)` which would otherwise handle requests
 # for `/.well-known`.
 location ^~ /.well-known {
    # The rules in this block are an adaptation of the rules
    # in `.htaccess` that concern `/.well-known`.
    location = /.well-known/carddav { return 301 /remote.php/dav/; }
    location = /.well-known/caldav  { return 301 /remote.php/dav/; }
    location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
    location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
    # Let Nextcloud's API for `/.well-known` URIs handle all other
    # requests by passing them to the front-end controller.
    return 301 /index.php$request_uri;
 }
 # Rules borrowed from `.htaccess` to hide certain paths from clients
 location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
 location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
 # Ensure this block, which passes PHP files to the PHP process, is above the blocks
 # which handle static assets (as seen below). If this block is not declared first,
 # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
 # to the URI, resulting in a HTTP 500 error response.
 location ~ \.php(?:$|/) {
    # Required for legacy support
    rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    set $path_info $fastcgi_path_info;
    try_files $fastcgi_script_name =404;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $path_info;
    fastcgi_param HTTPS on;
    fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
    fastcgi_param front_controller_active true;     # Enable pretty urls
    fastcgi_pass http://$server_name;
    fastcgi_intercept_errors on;
    fastcgi_request_buffering off;
    fastcgi_max_temp_file_size 0;
 }
 # Serve static files
 location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
    try_files $uri /index.php$request_uri;
    # HTTP response headers borrowed from Nextcloud `.htaccess`
    add_header Cache-Control                     "public, max-age=15778463$asset_immutable";
    add_header Referrer-Policy                   "no-referrer"       always;
    add_header X-Content-Type-Options            "nosniff"           always;
    add_header X-Frame-Options                   "SAMEORIGIN"        always;
    add_header X-Permitted-Cross-Domain-Policies "none"              always;
    add_header X-Robots-Tag                      "noindex, nofollow" always;
    add_header X-XSS-Protection                  "1; mode=block"     always;
    access_log off;     # Optional: Don't log access to assets
 }
 location ~ \.(otf|woff2?)$ {
    try_files $uri /index.php$request_uri;
    expires 7d;         # Cache-Control policy borrowed from `.htaccess`
    access_log off;     # Optional: Don't log access to assets
 }
 # Rule borrowed from `.htaccess`
 location /remote {
    return 301 /remote.php$request_uri;
 }
 location / {
    try_files $uri $uri/ /index.php$request_uri;
 }