Fully working stack

master
Meliurwen 4 years ago
commit 85e7dc0e4e
Signed by: meliurwen
GPG Key ID: 818A8B35E9F1CE10
  1. 6
      .env.example
  2. 3
      .gitignore
  3. 17
      build.sh
  4. 9
      config.js
  5. 40
      docker-compose.yml
  6. 15
      nginx.env.example
  7. 15
      nginx/Dockerfile
  8. 13
      nginx/root/entrypoint.sh
  9. 57
      nginx/root/etc/nginx/conf.d/default.template
  10. 14
      nginx/root/etc/nginx/conf.d/realip.conf

@ -0,0 +1,6 @@
# Networks
NETWORK=
# Reverse Proxy
BG_CONTAINER_NAME=
BG_RESTART=
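Review bot: The example lists `NETWORK`, `BG_CONTAINER_NAME` and `BG_RESTART` but omits the nginx variables that docker-compose.yml reads from the same environment — `NGINX_IMG`, `NGINX_TAG`, `NGINX_CONTAINER_NAME` and `NGINX_RESTART` — so whoever copies this file to `.env` gets no hint those knobs exist. Add a `# Nginx` group with the four keys, for example `NGINX_IMG=` and `NGINX_TAG=`, and a comment naming the compose defaults they fall back to (`nginx`, `alpine`, `bibliogram-nginx`, `unless-stopped`).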

3
.gitignore vendored

@ -0,0 +1,3 @@
*.env
bibliogram/
config.js

@ -0,0 +1,17 @@
#!/bin/sh
set -e
REPO_URL=https://git.sr.ht/~cadence/bibliogram
REPO_DIR_PATH=bibliogram
# If repo exists update, else clone it
if [ -d "$REPO_DIR_PATH" ]; then
# Save the root dir path, enter the repo, pull new changes and come back
ROOT_DIR=$(pwd)
cd "$REPO_DIR_PATH"
git pull
cd "$ROOT_DIR"
else
git clone "$REPO_URL" "$REPO_DIR_PATH"
fi
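Review bot: Neither the clone nor the pull pins a ref, so `bibliogram/` — and the image compose builds from that context — tracks whatever the upstream default branch holds at build time, and a later `./build.sh` silently changes the deployed code. Introduce a `REPO_REF` variable and check it out after fetching, e.g. `git -C "$REPO_DIR_PATH" fetch --tags` followed by `git -C "$REPO_DIR_PATH" checkout "$REPO_REF"`; `git -C` also removes the `ROOT_DIR`/`cd`/`cd` round trip in the update branch. A pinned tag or commit makes the stack reproducible and turns an upstream upgrade into a reviewed change rather than a side effect of rebuilding.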

@ -0,0 +1,9 @@
/*
Welcome to the config file!
Add keys here to override values from /src/lib/constants.js. Please look at that file for override recommendations.
This file should hopefully never be altered upstream.
You must restart Bibliogram to apply these changes.
*/
module.exports = {
}
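Review bot: `config.js` is committed here while the `.gitignore` added in the same commit lists it; ignore rules do not apply to already-tracked paths, so the per-deployment overrides this file is meant to hold will show up as modifications and can be committed by accident. Follow the pattern already used for `.env.example` and `nginx.env.example`: track a `config.js.example` and have the user copy it, keeping the real `config.js` ignored as intended.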

@ -0,0 +1,40 @@
version: '3'
services:
nginx:
build:
context: nginx/.
args:
- IMAGE=${NGINX_IMG:-nginx}
- TAG=${NGINX_TAG:-alpine}
container_name: ${NGINX_CONTAINER_NAME:-bibliogram-nginx}
restart: ${NGINX_RESTART:-unless-stopped}
expose:
- 80
env_file:
- nginx.env
networks:
- default
- bibliogram
bibliogram:
build:
context: bibliogram/
container_name: ${BG_CONTAINER_NAME:-bibliogram}
restart: ${BG_RESTART:-unless-stopped}
expose:
- "10407"
volumes:
- db:/app/db
- ./config.js:/app/config.js
networks:
- bibliogram
volumes:
db:
networks:
default:
external:
name: ${NETWORK:-webservices}
bibliogram:
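Review bot: The `bibliogram` service builds from `bibliogram/`, a directory that is gitignored and only exists after `build.sh` has cloned the upstream repository, so a fresh checkout running `docker-compose build` fails on a missing build context with no pointer to the cause. A comment on the build block would make the dependency explicit, e.g. `# Context is the upstream clone created by ./build.sh — run it before building`. The `./config.js:/app/config.js` bind mount is read-write although the file is presumably only read by the app; `./config.js:/app/config.js:ro` keeps the container from altering its own override file.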

@ -0,0 +1,15 @@
# Domain name used for myip (this parameter is required)
# Note: issue the domain NAME only
# CORRECT -> sub.domain.tld
# WRONG -> http://sub.domain.tld
BG_HOSTNAME=
BG_ADDR=bibliogram
BG_PORT=10407
NGINX_LISTEN_PORT=80
# Reverse-proxy and certbot
VIRTUAL_HOST=domain.tld
VIRTUAL_PORT=80
LETSENCRYPT_HOST=domain.tld
LETSENCRYPT_EMAIL=user@domain.tld

@ -0,0 +1,15 @@
ARG IMAGE
ARG TAG
FROM ${IMAGE}:${TAG}
LABEL maintainer="Meliurwen <meliruwen@gmail.com>"
COPY root/ /
ENV BG_HOSTNAME=
ENV BG_ADDR=bibliogram
ENV BG_PORT=10407
ENV NGINX_LISTEN_PORT=80
ENTRYPOINT ["/entrypoint.sh"]
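Review bot: `ARG IMAGE` and `ARG TAG` carry no defaults, so a bare `docker build nginx/` outside compose resolves `FROM ${IMAGE}:${TAG}` to `FROM :` and fails; declare the defaults the compose file uses, `ARG IMAGE=nginx` and `ARG TAG=alpine`, and consider pinning `TAG` to a specific release instead of the floating `alpine` tag. The custom `ENTRYPOINT` replaces the base image's own entrypoint; if the base is the official nginx image, its stock entrypoint already renders `/etc/nginx/templates/*.template` with envsubst into `conf.d` (available in the 1.19+ images — verify for the chosen `TAG`), which would make `root/entrypoint.sh` unnecessary. The four `ENV` lines can be a single instruction for readability.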

@ -0,0 +1,13 @@
#!/bin/sh
# Exit at first error
set -e
# Fill the varibles in default.template and put the result in default.conf
envsubst "`env | awk -F = '{printf \" $$%s\", $$1}'`" < \
/etc/nginx/conf.d/default.template > \
/etc/nginx/conf.d/default.conf
cat /etc/nginx/conf.d/default.conf
nginx -g 'daemon off;'
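Review bot: The final `nginx -g 'daemon off;'` is not `exec`ed, so the shell stays PID 1 and nginx runs as its child; `docker stop`'s SIGTERM reaches the shell rather than nginx, which is then killed after the grace period instead of shutting down cleanly — change it to `exec nginx -g 'daemon off;'`. The awk snippet on the envsubst line looks copied from a docker-compose `command:`, where `$$` and `\"` are compose/YAML escapes: in a plain sh script `$$1` is awk's `$($1)` and how backticks inside double quotes treat `\"` is shell-dependent, so it apparently works only because envsubst still finds `$NAME` inside each ` $$NAME=VALUE` token it produces. Writing it as `envsubst "$(env | awk -F= '{printf " $%s", $1}')" < /etc/nginx/conf.d/default.template > /etc/nginx/conf.d/default.conf` yields the intended ` $NAME` list without the escaping. The `cat` of the rendered config also prints the full vhost configuration to the container log on every start; drop it or guard it behind a debug variable.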

@ -0,0 +1,57 @@
# Apply fix for very long server names
server_names_hash_bucket_size 128;
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log off;
upstream bibliogram {
# Cannot connect to network of this container
server 127.0.0.1 down;
## Can be connected with the network
server ${BG_ADDR}:${BG_PORT};
}
server {
# This is a catch-all hostname (it will never trigger on a real hostname).
# If an access by IP or by an unhandled domain linking to this IP is tried,
# a 503 response will be issued.
# See: https://nginx.org/en/docs/http/server_names.html
server_name _;
listen 80;
access_log /var/log/nginx/access.log vhost;
return 503;
}
# Security Headers
add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; media-src 'self' blob:; worker-src 'self' blob:; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; connect-src 'self' https://*.twimg.com; manifest-src 'self'";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";
add_header 'Referrer-Policy' 'strict-origin';
# Proxy
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_redirect off;
server {
listen ${NGINX_LISTEN_PORT};
server_name ${BG_HOSTNAME};
# Disable do not add the server version in the header
server_tokens off;
location / {
proxy_pass http://bibliogram;
}
location = /robots.txt {
add_header Content-Type text/plain;
return 200 "User-agent: *\nDisallow: /\n";
}
}
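Review bot: `location = /robots.txt` declares its own `add_header Content-Type text/plain;`, and because nginx inherits `add_header` from the enclosing level only when the current level defines none, that location loses every security header set at http level (the CSP, `X-Content-Type-Options`, `X-Frame-Options`, `Referrer-Policy`); it also sends two Content-Type headers, nginx's `default_type` plus the added one. Replace the line with `default_type text/plain;`, which sets the type without an `add_header` and lets the headers inherit. The catch-all server hard-codes `listen 80;` while the real vhost listens on `${NGINX_LISTEN_PORT}`, so with any other port value the 503 catch-all no longer covers the port in use and the vhost becomes the implicit default for unmatched hosts — `listen ${NGINX_LISTEN_PORT} default_server;` keeps the two aligned. `X-XSS-Protection "1; mode=block"` is deprecated; current guidance is `X-XSS-Protection "0"` or omitting it, since the filter it enables has itself caused information leaks in browsers that still honour it.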

@ -0,0 +1,14 @@
# Real IP Settings
# This option get user's real ip address
# to be fowared to your service container
# The option 'set_real_ip_from'
# must correspont to your docker network address
set_real_ip_from 172.16.0.0/12;
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 192.168.0.0/16;
# Header for Real IP Address
real_ip_header X-Forwarded-For;
#real_ip_header X-Real-IP;
real_ip_recursive on;
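Review bot: Trusting `X-Forwarded-For` from all of 172.16.0.0/12, 10.0.0.0/8 and 192.168.0.0/16 means any peer on the shared `${NETWORK}` network — not only the front proxy — can choose the client address nginx records and forwards upstream as `X-Real-IP`, since `real_ip_recursive on` walks the header back to the first untrusted hop. Narrow `set_real_ip_from` to the subnet of the proxy network (or the proxy container's address) and state in the header comment which component is the trusted hop. Whether these directives take effect also depends on the chosen base providing `ngx_http_realip_module`; the official nginx images include it, but `IMAGE` is a build argument, so a one-line comment noting the requirement is worth adding.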