commit 85e7dc0e4e50bebf458b1131cc4be59b279f2350
Author: meliurwen
Date: Wed Mar 31 02:03:34 2021 +0200
Fully working stack
diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..64a82ce
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,6 @@
+# Networks
+NETWORK=
+
+# Reverse Proxy
+BG_CONTAINER_NAME=
+BG_RESTART=
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..c26842c
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+*.env
+bibliogram/
+config.js
diff --git a/build.sh b/build.sh
new file mode 100755
index 0000000..e09aaf8
--- /dev/null
+++ b/build.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+set -e
+
+REPO_URL=https://git.sr.ht/~cadence/bibliogram
+REPO_DIR_PATH=bibliogram
+
+# If repo exists update, else clone it
+if [ -d "$REPO_DIR_PATH" ]; then
+ # Save the root dir path, enter the repo, pull new changes and come back
+ ROOT_DIR=$(pwd)
+ cd "$REPO_DIR_PATH"
+ git pull
+ cd "$ROOT_DIR"
+else
+ git clone "$REPO_URL" "$REPO_DIR_PATH"
+fi
diff --git a/config.js b/config.js
new file mode 100644
index 0000000..3dc7b38
--- /dev/null
+++ b/config.js
@@ -0,0 +1,9 @@
+/*
+ Welcome to the config file!
+ Add keys here to override values from /src/lib/constants.js. Please look at that file for override recommendations.
+ This file should hopefully never be altered upstream.
+ You must restart Bibliogram to apply these changes.
+*/
+
+module.exports = {
+}
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..dd68244
--- /dev/null
+++ b/docker-compose.yml
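Review bot: `git clone "$REPO_URL"` and the later `git pull` in build.sh follow the upstream default branch head, so every build picks up whatever is currently there with no pinning and no review step between an upstream push and the deployed image. Pinning to a release tag or commit after the clone/pull, e.g. `git -C "$REPO_DIR_PATH" checkout <PINNED_TAG_OR_COMMIT>` (placeholder), makes rebuilds reproducible and lets an upstream change be looked at first; the same applies to `FROM ${IMAGE}:${TAG}` in nginx/Dockerfile, which resolves to a floating tag with the compose defaults. The `ROOT_DIR` save/restore around `git pull` can also be replaced by `git -C "$REPO_DIR_PATH" pull`, which avoids changing the script's working directory at all.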
@@ -0,0 +1,40 @@
+version: '3'
+
+services:
+ nginx:
+ build:
+ context: nginx/.
+ args:
+ - IMAGE=${NGINX_IMG:-nginx}
+ - TAG=${NGINX_TAG:-alpine}
+ container_name: ${NGINX_CONTAINER_NAME:-bibliogram-nginx}
+ restart: ${NGINX_RESTART:-unless-stopped}
+ expose:
+ - 80
+ env_file:
+ - nginx.env
+ networks:
+ - default
+ - bibliogram
+
+ bibliogram:
+ build:
+ context: bibliogram/
+ container_name: ${BG_CONTAINER_NAME:-bibliogram}
+ restart: ${BG_RESTART:-unless-stopped}
+ expose:
+ - "10407"
+ volumes:
+ - db:/app/db
+ - ./config.js:/app/config.js
+ networks:
+ - bibliogram
+
+volumes:
+ db:
+
+networks:
+ default:
+ external:
+ name: ${NETWORK:-webservices}
+ bibliogram:
diff --git a/nginx.env.example b/nginx.env.example
new file mode 100644
index 0000000..41eb7b2
--- /dev/null
+++ b/nginx.env.example
@@ -0,0 +1,15 @@
+# Domain name used for myip (this parameter is required)
+# Note: issue the domain NAME only
+# CORRECT -> sub.domain.tld
+# WRONG -> http://sub.domain.tld
+BG_HOSTNAME=
+BG_ADDR=bibliogram
+BG_PORT=10407
+
+NGINX_LISTEN_PORT=80
+
+# Reverse-proxy and certbot
+VIRTUAL_HOST=domain.tld
+VIRTUAL_PORT=80
+LETSENCRYPT_HOST=domain.tld
+LETSENCRYPT_EMAIL=user@domain.tld
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
new file mode 100644
index 0000000..d29975b
--- /dev/null
+++ b/nginx/Dockerfile
@@ -0,0 +1,15 @@
+ARG IMAGE
+ARG TAG
+
+FROM ${IMAGE}:${TAG}
+
+LABEL maintainer="Meliurwen "
+
+COPY root/ /
+
+ENV BG_HOSTNAME=
+ENV BG_ADDR=bibliogram
+ENV BG_PORT=10407
+ENV NGINX_LISTEN_PORT=80
+
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/nginx/root/entrypoint.sh b/nginx/root/entrypoint.sh
new file mode 100755
index 0000000..ee3f5a9
--- /dev/null
+++ b/nginx/root/entrypoint.sh
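Review bot: The `./config.js:/app/config.js` bind mount in the bibliogram service is writable from inside the container although the application only needs to read it; mark it `- ./config.js:/app/config.js:ro` so a compromised app process cannot rewrite a host file that is re-mounted on every restart. The network layout is sound — only nginx joins the external `${NETWORK:-webservices}` network, and the app sits on the internal `bibliogram` network — but that is the whole access control for port 10407, since `expose` does not restrict anything by itself; a one-line comment above `networks:` saying the app must never be attached to `default` would keep a later edit from undoing it.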
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+# Exit at first error
+set -e
+
+# Fill the varibles in default.template and put the result in default.conf
+envsubst "`env | awk -F = '{printf \" $$%s\", $$1}'`" < \
+ /etc/nginx/conf.d/default.template > \
+ /etc/nginx/conf.d/default.conf
+
+cat /etc/nginx/conf.d/default.conf
+
+nginx -g 'daemon off;'
diff --git a/nginx/root/etc/nginx/conf.d/default.template b/nginx/root/etc/nginx/conf.d/default.template
new file mode 100644
index 0000000..57386ae
--- /dev/null
+++ b/nginx/root/etc/nginx/conf.d/default.template
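Review bot: `nginx -g 'daemon off;'` on the last line is started as a child of the entrypoint shell, so the shell stays PID 1 and the signal from `docker stop` reaches it rather than nginx; run it with `exec` so nginx receives SIGTERM/SIGQUIT directly and shuts down cleanly. The `envsubst` argument carries docker-compose escaping (`$$`, `\"`) into a plain sh script — inside the single-quoted awk program `$$1` reaches awk as `$($1)`, not `$1` — so the generated variable list appears to work only incidentally; an explicit list of the four template variables is predictable and keeps unrelated environment (secrets included) out of the substitution. `BG_HOSTNAME` is documented as required in nginx.env.example and defaults to empty in nginx/Dockerfile, yet nothing here checks it, so an unset value produces `server_name ;` in the generated file and nginx refuses to start with a less obvious error.
```shell
# Fail early with a clear message instead of an nginx parse error on "server_name ;"
: "${BG_HOSTNAME:?BG_HOSTNAME must be set (see nginx.env.example)}"

# Substitute only the variables the template uses; nginx's own $host etc. are left alone
envsubst '${BG_ADDR} ${BG_PORT} ${BG_HOSTNAME} ${NGINX_LISTEN_PORT}' < \
    /etc/nginx/conf.d/default.template > \
    /etc/nginx/conf.d/default.conf

# … unchanged: cat of the generated config …

exec nginx -g 'daemon off;'
```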
@@ -0,0 +1,57 @@
+# Apply fix for very long server names
+server_names_hash_bucket_size 128;
+
+log_format vhost '$host $remote_addr - $remote_user [$time_local] '
+ '"$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent"';
+access_log off;
+
+upstream bibliogram {
+ # Cannot connect to network of this container
+ server 127.0.0.1 down;
+ ## Can be connected with the network
+ server ${BG_ADDR}:${BG_PORT};
+}
+
+server {
+ # This is a catch-all hostname (it will never trigger on a real hostname).
+ # If an access by IP or by an unhandled domain linking to this IP is tried,
+ # a 503 response will be issued.
+ # See: https://nginx.org/en/docs/http/server_names.html
+ server_name _;
+ listen 80;
+ access_log /var/log/nginx/access.log vhost;
+ return 503;
+}
+
+
+# Security Headers
+add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; media-src 'self' blob:; worker-src 'self' blob:; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; connect-src 'self' https://*.twimg.com; manifest-src 'self'";
+add_header X-Content-Type-Options nosniff;
+add_header X-Frame-Options DENY;
+add_header X-XSS-Protection "1; mode=block";
+add_header 'Referrer-Policy' 'strict-origin';
+
+# Proxy
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_redirect off;
+
+server {
+ listen ${NGINX_LISTEN_PORT};
+ server_name ${BG_HOSTNAME};
+
+ # Disable do not add the server version in the header
+ server_tokens off;
+
+ location / {
+ proxy_pass http://bibliogram;
+ }
+
+ location = /robots.txt {
+ add_header Content-Type text/plain;
+ return 200 "User-agent: *\nDisallow: /\n";
+ }
+
+}
diff --git a/nginx/root/etc/nginx/conf.d/realip.conf b/nginx/root/etc/nginx/conf.d/realip.conf
new file mode 100644
index 0000000..7203bef
--- /dev/null
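Review bot: `add_header Content-Type text/plain;` inside `location = /robots.txt` silently cancels every http-level security header for that response, because nginx inherits `add_header` from an outer level only when the current level declares none of its own; use `default_type text/plain;` there instead, which sets the content type without touching the `add_header` set. `server_tokens off;` lives only in the `${BG_HOSTNAME}` server, so the catch-all `server_name _;` block still reports the nginx version on its 503 — move it up to the http level where the headers are. The catch-all also hard-codes `listen 80;` while the real server uses `listen ${NGINX_LISTEN_PORT};`, so it stops catching anything as soon as the port is overridden; using the variable in both keeps them aligned. Finally, `access_log off;` at the http level leaves the proxied vhost with no access log at all, which removes the usual evidence source when an incident has to be reconstructed — at minimum note that choice in the comment above it.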
+++ b/nginx/root/etc/nginx/conf.d/realip.conf
@@ -0,0 +1,14 @@
+# Real IP Settings
+# This option get user's real ip address
+# to be fowared to your service container
+
+# The option 'set_real_ip_from'
+# must correspont to your docker network address
+set_real_ip_from 172.16.0.0/12;
+set_real_ip_from 10.0.0.0/8;
+set_real_ip_from 192.168.0.0/16;
+
+# Header for Real IP Address
+real_ip_header X-Forwarded-For;
+#real_ip_header X-Real-IP;
+real_ip_recursive on;
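Review bot: The three `set_real_ip_from` lines trust `X-Forwarded-For` from every RFC 1918 range, and with `real_ip_recursive on` any container or host on those networks can present an arbitrary client address that then lands in the vhost log and in the `X-Forwarded-For` passed upstream. Only the front reverse proxy on the shared `${NETWORK:-webservices}` network should be trusted, so narrow this to its address or subnet, e.g. `set_real_ip_from <FRONT_PROXY_SUBNET>;` (placeholder for the real value), and drop the other two entries; the comment above should then say that the value must match the proxy, not "your docker network address". The comments on lines 2–6 also have typos (`get` → `gets`, `fowared` → `forwarded`, `correspont` → `correspond`).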