Fully working stack

.env.example

@@ -0,0 +1,6 @@
+# Networks
+NETWORK=
+
+# Reverse Proxy
+BG_CONTAINER_NAME=
+BG_RESTART=

.gitignore

@@ -0,0 +1,3 @@
+*.env
+bibliogram/
+config.js

build.sh

@@ -0,0 +1,17 @@
+#!/bin/sh
+
+set -e
+
+REPO_URL=https://git.sr.ht/~cadence/bibliogram
+REPO_DIR_PATH=bibliogram
+
+# If repo exists update, else clone it
+if [ -d "$REPO_DIR_PATH" ]; then
+    # Save the root dir path, enter the repo, pull new changes and come back
+    ROOT_DIR=$(pwd)
+    cd "$REPO_DIR_PATH"
+    git pull
+    cd "$ROOT_DIR"
+else
+   git clone "$REPO_URL" "$REPO_DIR_PATH"
+fi

config.js

@@ -0,0 +1,9 @@
+/*
+        Welcome to the config file!
+        Add keys here to override values from /src/lib/constants.js. Please look at that file for override recommendations.
+        This file should hopefully never be altered upstream.
+        You must restart Bibliogram to apply these changes.
+*/
+
+module.exports = {
+}

docker-compose.yml

@@ -0,0 +1,40 @@
+version: '3'
+
+services:
+  nginx:
+    build:
+      context: nginx/.
+      args:
+        - IMAGE=${NGINX_IMG:-nginx}
+        - TAG=${NGINX_TAG:-alpine}
+    container_name: ${NGINX_CONTAINER_NAME:-bibliogram-nginx}
+    restart: ${NGINX_RESTART:-unless-stopped}
+    expose:
+      - 80
+    env_file:
+      - nginx.env
+    networks:
+      - default
+      - bibliogram
+
+  bibliogram:
+    build:
+      context: bibliogram/
+    container_name: ${BG_CONTAINER_NAME:-bibliogram}
+    restart: ${BG_RESTART:-unless-stopped}
+    expose:
+      - "10407"
+    volumes:
+      - db:/app/db
+      - ./config.js:/app/config.js
+    networks:
+      - bibliogram
+
+volumes:
+    db:
+
+networks:
+  default:
+    external:
+      name: ${NETWORK:-webservices}
+  bibliogram:

nginx.env.example

@@ -0,0 +1,15 @@
+# Domain name used for myip (this parameter is required)
+# Note: issue the domain NAME only
+# CORRECT -> sub.domain.tld
+# WRONG   -> http://sub.domain.tld
+BG_HOSTNAME=
+BG_ADDR=bibliogram
+BG_PORT=10407
+
+NGINX_LISTEN_PORT=80
+
+# Reverse-proxy and certbot
+VIRTUAL_HOST=domain.tld
+VIRTUAL_PORT=80
+LETSENCRYPT_HOST=domain.tld
+LETSENCRYPT_EMAIL=user@domain.tld

nginx/Dockerfile

@@ -0,0 +1,15 @@
+ARG IMAGE
+ARG TAG
+
+FROM ${IMAGE}:${TAG}
+
+LABEL maintainer="Meliurwen <meliruwen@gmail.com>"
+
+COPY root/ /
+
+ENV BG_HOSTNAME=
+ENV BG_ADDR=bibliogram
+ENV BG_PORT=10407
+ENV NGINX_LISTEN_PORT=80
+
+ENTRYPOINT ["/entrypoint.sh"]

nginx/root/entrypoint.sh

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+# Exit at first error
+set -e
+
+# Fill the varibles in default.template and put the result in default.conf
+envsubst "`env | awk -F = '{printf \" $$%s\", $$1}'`" <  \
+         /etc/nginx/conf.d/default.template > \
+         /etc/nginx/conf.d/default.conf
+
+cat /etc/nginx/conf.d/default.conf
+
+nginx -g 'daemon off;'

nginx/root/etc/nginx/conf.d/default.template

@@ -0,0 +1,57 @@
+# Apply fix for very long server names
+server_names_hash_bucket_size 128;
+
+log_format vhost '$host $remote_addr - $remote_user [$time_local] '
+                 '"$request" $status $body_bytes_sent '
+                 '"$http_referer" "$http_user_agent"';
+access_log off;
+
+upstream bibliogram {
+        # Cannot connect to network of this container
+        server 127.0.0.1 down;
+        ## Can be connected with the network
+        server ${BG_ADDR}:${BG_PORT};
+}
+
+server {
+    # This is a catch-all hostname (it will never trigger on a real hostname).
+    # If an access by IP or by an unhandled domain linking to this IP is tried,
+    # a 503 response will be issued.
+    # See: https://nginx.org/en/docs/http/server_names.html
+    server_name _;
+    listen 80;
+    access_log /var/log/nginx/access.log vhost;
+    return 503;
+}
+
+
+# Security Headers
+add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; media-src 'self' blob:; worker-src 'self' blob:; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; connect-src 'self' https://*.twimg.com; manifest-src 'self'";
+add_header X-Content-Type-Options nosniff;
+add_header X-Frame-Options DENY;
+add_header X-XSS-Protection "1; mode=block";
+add_header 'Referrer-Policy' 'strict-origin';
+
+# Proxy
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_redirect off;
+
+server {
+    listen ${NGINX_LISTEN_PORT};
+    server_name ${BG_HOSTNAME};
+
+    # Disable do not add the server version in the header
+    server_tokens off;
+
+    location / {
+        proxy_pass http://bibliogram;
+    }
+
+    location = /robots.txt {
+        add_header Content-Type text/plain;
+        return 200 "User-agent: *\nDisallow: /\n";
+    }
+
+}

nginx/root/etc/nginx/conf.d/realip.conf

@@ -0,0 +1,14 @@
+# Real IP Settings
+# This option get user's real ip address
+# to be fowared to your service container
+
+# The option 'set_real_ip_from'
+# must correspont to your docker network address
+set_real_ip_from 172.16.0.0/12;
+set_real_ip_from 10.0.0.0/8;
+set_real_ip_from 192.168.0.0/16;
+
+# Header for Real IP Address
+real_ip_header X-Forwarded-For;
+#real_ip_header    X-Real-IP;
+real_ip_recursive on;