commit
85e7dc0e4e
@ -0,0 +1,6 @@ |
||||
# Networks |
||||
NETWORK= |
||||
|
||||
# Reverse Proxy |
||||
BG_CONTAINER_NAME= |
||||
BG_RESTART= |
@ -0,0 +1,3 @@ |
||||
*.env |
||||
bibliogram/ |
||||
config.js |
@ -0,0 +1,17 @@ |
||||
#!/bin/sh |
||||
|
||||
set -e |
||||
|
||||
REPO_URL=https://git.sr.ht/~cadence/bibliogram |
||||
REPO_DIR_PATH=bibliogram |
||||
|
||||
# If repo exists update, else clone it |
||||
if [ -d "$REPO_DIR_PATH" ]; then |
||||
# Save the root dir path, enter the repo, pull new changes and come back |
||||
ROOT_DIR=$(pwd) |
||||
cd "$REPO_DIR_PATH" |
||||
git pull |
||||
cd "$ROOT_DIR" |
||||
else |
||||
git clone "$REPO_URL" "$REPO_DIR_PATH" |
||||
fi |
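Review bot: Both the `git clone` and the `git pull` follow whatever the upstream default branch currently points at, so every run can bring unreviewed code into `bibliogram/`, which the compose file then uses as a build context. Consider pinning to a reviewed tag or commit, for example a new variable such as `REPO_REF` that is fetched and then checked out with `git -C "$REPO_DIR_PATH" checkout --detach "$REPO_REF"`. If tracking the branch is intended, `git pull --ff-only` at least makes the update fail loudly when the local checkout has diverged instead of creating a merge. Using `git -C "$REPO_DIR_PATH" ...` also removes the need for the `ROOT_DIR` save and the two `cd` calls.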
@ -0,0 +1,9 @@ |
||||
/* |
||||
Welcome to the config file! |
||||
Add keys here to override values from /src/lib/constants.js. Please look at that file for override recommendations. |
||||
This file should hopefully never be altered upstream. |
||||
You must restart Bibliogram to apply these changes. |
||||
*/ |
||||
|
||||
module.exports = { |
||||
} |
@ -0,0 +1,40 @@ |
||||
version: '3' |
||||
|
||||
services: |
||||
nginx: |
||||
build: |
||||
context: nginx/. |
||||
args: |
||||
- IMAGE=${NGINX_IMG:-nginx} |
||||
- TAG=${NGINX_TAG:-alpine} |
||||
container_name: ${NGINX_CONTAINER_NAME:-bibliogram-nginx} |
||||
restart: ${NGINX_RESTART:-unless-stopped} |
||||
expose: |
||||
- 80 |
||||
env_file: |
||||
- nginx.env |
||||
networks: |
||||
- default |
||||
- bibliogram |
||||
|
||||
bibliogram: |
||||
build: |
||||
context: bibliogram/ |
||||
container_name: ${BG_CONTAINER_NAME:-bibliogram} |
||||
restart: ${BG_RESTART:-unless-stopped} |
||||
expose: |
||||
- "10407" |
||||
volumes: |
||||
- db:/app/db |
||||
- ./config.js:/app/config.js |
||||
networks: |
||||
- bibliogram |
||||
|
||||
volumes: |
||||
db: |
||||
|
||||
networks: |
||||
default: |
||||
external: |
||||
name: ${NETWORK:-webservices} |
||||
bibliogram: |
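Review bot: The bind mount `./config.js:/app/config.js` is writable from inside the container; assuming Bibliogram only reads this file, `- ./config.js:/app/config.js:ro` keeps a compromised application process from altering the file on the host. Docker creates a directory at a bind-mount source path that does not exist, so a checkout without `config.js` in place would presumably start the app with a directory where its config should be; the setup steps should state that the file must exist before `up`. The `nginx`/`alpine` defaults for the build args are floating references, so rebuilds are only reproducible when `NGINX_TAG` is set to a fixed version.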
@ -0,0 +1,15 @@ |
||||
# Domain name used for myip (this parameter is required) |
||||
# Note: issue the domain NAME only |
||||
# CORRECT -> sub.domain.tld |
||||
# WRONG -> http://sub.domain.tld |
||||
BG_HOSTNAME= |
||||
BG_ADDR=bibliogram |
||||
BG_PORT=10407 |
||||
|
||||
NGINX_LISTEN_PORT=80 |
||||
|
||||
# Reverse-proxy and certbot |
||||
VIRTUAL_HOST=domain.tld |
||||
VIRTUAL_PORT=80 |
||||
LETSENCRYPT_HOST=domain.tld |
||||
LETSENCRYPT_EMAIL=user@domain.tld |
@ -0,0 +1,15 @@ |
||||
ARG IMAGE |
||||
ARG TAG |
||||
|
||||
FROM ${IMAGE}:${TAG} |
||||
|
||||
LABEL maintainer="Meliurwen <meliruwen@gmail.com>" |
||||
|
||||
COPY root/ / |
||||
|
||||
ENV BG_HOSTNAME= |
||||
ENV BG_ADDR=bibliogram |
||||
ENV BG_PORT=10407 |
||||
ENV NGINX_LISTEN_PORT=80 |
||||
|
||||
ENTRYPOINT ["/entrypoint.sh"] |
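Review bot: `ARG IMAGE` and `ARG TAG` have no defaults, so a build that does not go through the compose file expands `FROM ${IMAGE}:${TAG}` to an invalid reference; `ARG IMAGE=nginx` and `ARG TAG=alpine` would match the compose defaults. `ENV BG_HOSTNAME=` leaves the required hostname empty, which the template renders as `server_name ;`, so a missing value only shows up as an nginx configuration error at start-up. A guard in the entrypoint such as `: "${BG_HOSTNAME:?BG_HOSTNAME must be set}"` would report the cause directly.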
@ -0,0 +1,13 @@ |
||||
#!/bin/sh |
||||
|
||||
# Exit at first error |
||||
set -e |
||||
|
||||
# Fill the varibles in default.template and put the result in default.conf |
||||
envsubst "`env | awk -F = '{printf \" $$%s\", $$1}'`" < \ |
||||
/etc/nginx/conf.d/default.template > \ |
||||
/etc/nginx/conf.d/default.conf |
||||
|
||||
cat /etc/nginx/conf.d/default.conf |
||||
|
||||
nginx -g 'daemon off;' |
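Review bot: The `envsubst` argument is built from every name in the environment, so any environment variable that shares a name with an nginx variable used in the template (`$host`, `$status`, `$request`, ...) would be substituted away; the doubled `$$` also looks like Makefile or compose escaping, which has no such meaning in a plain shell script (in awk, `$$1` is a field lookup through the value of `$1`). Passing the intended names explicitly avoids both: `envsubst '${BG_HOSTNAME} ${BG_ADDR} ${BG_PORT} ${NGINX_LISTEN_PORT}'`. The last line should be `exec nginx -g 'daemon off;'` so that nginx replaces the shell as PID 1 and receives the stop signal from Docker itself. The `cat` of the rendered file writes the full configuration to the container log on every start and is worth dropping once the template is known to work.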
@ -0,0 +1,57 @@ |
||||
# Apply fix for very long server names |
||||
server_names_hash_bucket_size 128; |
||||
|
||||
log_format vhost '$host $remote_addr - $remote_user [$time_local] ' |
||||
'"$request" $status $body_bytes_sent ' |
||||
'"$http_referer" "$http_user_agent"'; |
||||
access_log off; |
||||
|
||||
upstream bibliogram { |
||||
# Cannot connect to network of this container |
||||
server 127.0.0.1 down; |
||||
## Can be connected with the network |
||||
server ${BG_ADDR}:${BG_PORT}; |
||||
} |
||||
|
||||
server { |
||||
# This is a catch-all hostname (it will never trigger on a real hostname). |
||||
# If an access by IP or by an unhandled domain linking to this IP is tried, |
||||
# a 503 response will be issued. |
||||
# See: https://nginx.org/en/docs/http/server_names.html |
||||
server_name _; |
||||
listen 80; |
||||
access_log /var/log/nginx/access.log vhost; |
||||
return 503; |
||||
} |
||||
|
||||
|
||||
# Security Headers |
||||
add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; media-src 'self' blob:; worker-src 'self' blob:; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; connect-src 'self' https://*.twimg.com; manifest-src 'self'"; |
||||
add_header X-Content-Type-Options nosniff; |
||||
add_header X-Frame-Options DENY; |
||||
add_header X-XSS-Protection "1; mode=block"; |
||||
add_header 'Referrer-Policy' 'strict-origin'; |
||||
|
||||
# Proxy |
||||
proxy_set_header Host $http_host; |
||||
proxy_set_header X-Real-IP $remote_addr; |
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
||||
proxy_redirect off; |
||||
|
||||
server { |
||||
listen ${NGINX_LISTEN_PORT}; |
||||
server_name ${BG_HOSTNAME}; |
||||
|
||||
# Disable do not add the server version in the header |
||||
server_tokens off; |
||||
|
||||
location / { |
||||
proxy_pass http://bibliogram; |
||||
} |
||||
|
||||
location = /robots.txt { |
||||
add_header Content-Type text/plain; |
||||
return 200 "User-agent: *\nDisallow: /\n"; |
||||
} |
||||
|
||||
} |
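Review bot: The catch-all server uses a literal `listen 80;` while the proxied server uses `listen ${NGINX_LISTEN_PORT};`, so with any other port value the catch-all no longer covers that port and the Bibliogram server becomes its default, proxying requests that carry arbitrary Host headers. Writing `listen ${NGINX_LISTEN_PORT} default_server;` in the catch-all keeps the two in step. In `location = /robots.txt` the local `add_header` stops the http-level security headers from being inherited for that location and adds a second Content-Type header; `default_type text/plain;` sets the type without either effect. `X-Frame-Options DENY` and `frame-ancestors 'self'` in the CSP state different framing policies and should be aligned.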
@ -0,0 +1,14 @@ |
||||
# Real IP Settings |
||||
# This option get user's real ip address |
||||
# to be fowared to your service container |
||||
|
||||
# The option 'set_real_ip_from' |
||||
# must correspont to your docker network address |
||||
set_real_ip_from 172.16.0.0/12; |
||||
set_real_ip_from 10.0.0.0/8; |
||||
set_real_ip_from 192.168.0.0/16; |
||||
|
||||
# Header for Real IP Address |
||||
real_ip_header X-Forwarded-For; |
||||
#real_ip_header X-Real-IP; |
||||
real_ip_recursive on; |
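Review bot: The three `set_real_ip_from` lines trust every RFC 1918 address, and together with `real_ip_header X-Forwarded-For` and `real_ip_recursive on` this lets any peer inside those ranges choose the client address that ends up in `$remote_addr` and in the access log. Restricting the list to the subnet of the reverse-proxy network, which the file's own comment already asks for, limits that trust to the proxy in front of this container. A short comment stating that the broad ranges are placeholders to be narrowed per deployment would make the intent clear.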