From f205dbfcd5f35482279d5dce0716786cbb3b8b71 Mon Sep 17 00:00:00 2001 
From: Chad Date: Mon, 21 Aug 2023 22:07:46 +0000 Subject: [PATCH] Add DNS Server, Many Other Fixes/Enhancements (#12) * Add 443 just in case since docker ps is showing it as active. * Add two new projects. * Add pre-testing content for DNS. * Initial untested stab at the GitLab config. * This project uses build, image name is not needed. * Cleanup, untested guess at how to handle the variables in the pipe section. * Filled out all files for DNS. Ready for testing. * This seems to work, Ubuntu is hoarding port 53 though even though local services are shut off. * `dnsmasq` container is testing successfully now. * Don't allow a run unless the config files exist. * Correct the crontab entry so that $RANDOM works correctly. * Certs were not being saved by LetsEncrypt for Nginx correctly. Should be working now. * Do not allow disabled folders into Git. * Do not allow disabled folders into Git, 2. * Do not allow disabled folders into Git, 3. * Do not allow disabled folders into Git, 4. * Do not allow disabled folders into Git, 5. * Do not allow disabled folders into Git, 6. * Don't add logs from anywhere. * Add ping and dig to Nextcloud container for troubleshooting. * Fix tabs. * Make unfinished suffix consistent. * Clean whitespace. * Multiple names for a single IP address. * Add 2nd example domain from hosts file. * Add caching program Redis for Nextcloud. * Add REDIS_HOST variable for automatic setup through config/redis.config.php. * Upgrade to compose version 3. * Move OnlyOffice to Nextcloud area. * Change container name. * Add container_name to all compose services. * Shorten names for Nextcloud services. * Comment possible OO fixes while trying to get container to use DNS. * Remove OnlyOffice setting tests. * Do not commit .env files, only their examples. * Move OnlyOffice to be its own configuration again. Add sourcing of DNS settings so that local traffic routes correctly. * Fix source file, BASH_SROUCE did not work without the shebang. 
Also fix bug for when it sees `..` and assumes current directory. * dns.env file did not work out, env_file: element not being read before dns: element. Using folder-specific .env files instead, seems to be loaded before dns: element. Also move other values to the env files for better password privacy. * Keep commands for cleaning up environment in one file. * Update examples. * Fix cd moving the user to the file's directory. * Add note for user to set up the env file. * Replace README files by unhiding the example files. * Still need to specify the variables in the environment: element. * Add header variable. * Place host above database. * Fix "JWS" typo. * Do not use the HEADER parameter. * Add vim to fix packages. * Forget about the manual DNS servers for a minute, ensure host is set up properly first. Ubuntu is happy but Debian is not. * Try using the host network explicitly. * Temporarily give up on having Nextcloud server see local OnlyOffice server. Works when they are different machines but need them together. 
--- .gitignore | 11 +++- Config/DNS/Dockerfile | 26 ++++++++ Config/DNS/README.md | 5 ++ Config/DNS/config/dnsmasq.conf.example | 31 ++++++++++ Config/DNS/config/hosts.example | 25 ++++++++ Config/DNS/config/resolv.conf.example | 21 +++++++ Config/DNS/docker-compose.yml | 17 ++++++ Config/DNS/run.sh | 60 +++++++++++++++++++ Config/DNS/undo.sh | 46 ++++++++++++++ Config/DynamicDNS/README.md | 2 +- Config/Gitlab/docker-compose.yml.TBD | 22 +++++++ Config/Hyperling.com/docker-compose.yml | 4 +- Config/Invidious/docker-compose.yml.TBD | 24 ++++---- Config/Nextcloud/docker-compose.yml | 34 +++++++---- Config/Nextcloud/env.example | 29 +++++++++ Config/Nextcloud/fixes.sh | 31 +++++----- Config/OnlyOffice/docker-compose.yml | 8 ++- Config/OnlyOffice/env.example | 17 ++++++ .../ReverseProxy/create_letsencrypt_certs.sh | 34 ++++++++--- .../ReverseProxy/create_placeholder_certs.sh | 6 +- Config/ReverseProxy/docker-compose.yml | 6 +- bin/clean.sh | 16 +++++ source.env | 8 ++- 23 files changed, 427 insertions(+), 56 deletions(-) create mode 100644 Config/DNS/Dockerfile create mode 100644 Config/DNS/README.md create mode 100644 Config/DNS/config/dnsmasq.conf.example create mode 100644 Config/DNS/config/hosts.example create mode 100644 Config/DNS/config/resolv.conf.example create mode 100644 Config/DNS/docker-compose.yml create mode 100755 Config/DNS/run.sh create mode 100755 Config/DNS/undo.sh create mode 100644 Config/Gitlab/docker-compose.yml.TBD create mode 100644 Config/Nextcloud/env.example create mode 100644 Config/OnlyOffice/env.example create mode 100755 bin/clean.sh diff --git a/.gitignore b/.gitignore index 7749165..52497f6 100644 --- a/.gitignore +++ b/.gitignore @@ -7,7 +7,7 @@ Volumes/* *.yml.*BACKUP* # Ignore logs -logs/* +logs # Ignore private reverse proxy configurations. Config/ReverseProxy/config/conf.d/* 
@@ -24,3 +24,12 @@ private.key # Ignore secrets for Invidious. Config/Invidious/*.env + +# Ignore DNS config files, contain private settings. +Config/DNS/config/* + +# Ignore anything in disabled folders. +disabled + +# Ignore any .env files which are not explicitly committed to the project. +*.env
diff --git a/Config/DNS/Dockerfile b/Config/DNS/Dockerfile
new file mode 100644
index 0000000..e81763e
--- /dev/null
+++ b/Config/DNS/Dockerfile
@@ -0,0 +1,26 @@
+# 2023-07-29
+#
+# Create a Debian container which runs dnsmasq.
+# https://wiki.debian.org/dnsmasq
+# https://computingforgeeks.com/run-and-use-dnsmasq-in-docker-container/?expand_article=1
+#
+
+FROM debian
+
+# Install Dependencies
+RUN apt-get update && apt-get install -y dnsmasq vim inetutils-ping
+
+# Copy Configuration Files
+RUN mkdir -pv /etc/dnsmasq
+COPY ./config/hosts /etc/dnsmasq/hosts
+COPY ./config/resolv.conf /etc/dnsmasq/resolv.conf
+COPY ./config/dnsmasq.conf /etc/dnsmasq/dnsmasq.conf
+
+# Stop Default Service
+RUN service dnsmasq stop
+
+# Load Specific Config Files
+CMD dnsmasq -k --log-facility=- --log-queries=extra \
+ --conf-file=/etc/dnsmasq/dnsmasq.conf \
+ --no-hosts --addn-hosts=/etc/dnsmasq/hosts \
+ --resolv-file=/etc/dnsmasq/resolv.conf
diff --git a/Config/DNS/README.md b/Config/DNS/README.md
new file mode 100644
index 0000000..f6f0767
--- /dev/null
+++ b/Config/DNS/README.md
@@ -0,0 +1,5 @@
+# Local DNS
+Host a local DNS server in case your router/gateway is not cutting it. Allows
+the ability to use simple names across the network witrhout editing `/etc/hosts`
+on each machine. The IP of this server should be added to the router/gateway's
+settings so that all machines on the network know to use it and can benefit.
diff --git a/Config/DNS/config/dnsmasq.conf.example b/Config/DNS/config/dnsmasq.conf.example
new file mode 100644
index 0000000..17f01fb
--- /dev/null
+++ b/Config/DNS/config/dnsmasq.conf.example
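Review bot: `Config/DNS/config/*` also matches the three `.example` files this commit adds under that directory, so while the already-tracked copies keep showing changes, any new example file placed there will be silently ignored until someone remembers `git add -f`. A negation right after it, `!Config/DNS/config/*.example`, keeps the private `hosts`/`resolv.conf`/`dnsmasq.conf` ignored while letting examples be added normally. The new `*.env` rule likewise matches the tracked `source.env` at the repository root; it stays tracked, but that is worth a one-line comment so nobody is surprised when a re-created copy disappears from `git status`.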
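Review bot: `FROM debian` is untagged and `apt-get install -y dnsmasq vim inetutils-ping` is unpinned, so two builds can yield different dnsmasq versions, and the image ships an editor and ping that a resolver does not need; a tagged slim base with `--no-install-recommends` and an apt-list cleanup in the same layer addresses both. The shell-form `CMD` starts dnsmasq under `sh -c`, so `docker stop` may not deliver SIGTERM to dnsmasq itself even with `-k`; the exec form below keeps dnsmasq as PID 1. `RUN service dnsmasq stop` executes inside a build step where no init or service is running, so it presumably does nothing and can go. Note also that `hosts` and `resolv.conf`, which `.gitignore` labels as private, are baked into image layers by the `COPY` lines; a bind mount from docker-compose.yml would let them change without a rebuild and keep them out of any image that gets pushed.
```dockerfile
FROM debian:bookworm-slim

# Install Dependencies (resolver only; troubleshooting tools belong in a debug shell)
RUN apt-get update \
    && apt-get install -y --no-install-recommends dnsmasq \
    && rm -rf /var/lib/apt/lists/*

# … unchanged: config directory and COPY lines …

# Load Specific Config Files (exec form so dnsmasq is PID 1 and receives SIGTERM)
CMD ["dnsmasq", "-k", "--log-facility=-", "--log-queries=extra", \
     "--conf-file=/etc/dnsmasq/dnsmasq.conf", \
     "--no-hosts", "--addn-hosts=/etc/dnsmasq/hosts", \
     "--resolv-file=/etc/dnsmasq/resolv.conf"]
```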
@@ -0,0 +1,31 @@
+# 2023-07-29
+#
+# Description:
+# Settings specific to DNS Masquerade. The parameters in this file are the
+# same which can be passed to the dnsmasq program directly using '--', but the
+# '--' is not necessary in this file. Otherwise this file has no manpage.
+#
+# Futher Reading:
+# Commands:
+# https://manpages.debian.org/bookworm/dnsmasq-base/dnsmasq.8.en.html
+# Tutorials:
+# Basic:
+# https://www.howtoforge.com/how-to-setup-local-dns-server-using-dnsmasq-on-ubuntu-20-04/
+# Split DNS:
+# https://www.gluster.org/use-dnsmasq-for-separating-dns-queries/
+
+# Who this server is.
+port=53
+domain=example.com
+
+# FQDN must be provided in order for this server to check upstream for it.
+domain-needed
+
+# Do not forward requests for private IPs to upstream domains.
+bogus-priv
+
+# Automatically add FQDN to any simple names in /etc/hosts.
+#expand-hosts
+
+# Default cache size is 150. 0 disables caching. Large values lower performance.
+cache-size=1000
diff --git a/Config/DNS/config/hosts.example b/Config/DNS/config/hosts.example
new file mode 100644
index 0000000..7a4215a
--- /dev/null
+++ b/Config/DNS/config/hosts.example
@@ -0,0 +1,25 @@
+# 2023-07-29
+#
+# Description:
+# Example file of how to use the hosts file. It contains local servers running
+# inside the domain that need accessed directly rather than traversing outside
+# the WAN. This saves time and prevents some routers from dropping data.
+#
+# Format:
+# XXX.XXX.XXX.XXX subdomain.domain.extension subdomain
+#
+# Futher Reading:
+# https://manpages.debian.org/bookworm/manpages/hosts.5.en.html
+#
+
+127.0.0.1 localhost
+127.0.1.1 dns.example.com dns
+
+192.168.1.22 ssh.example.com ssh
+
+192.168.1.25 mail.example.com mail
+192.168.1.25 imap.example.com
+192.168.1.25 smtp.example.com
+
+192.168.1.80 www.example.com example.com
+192.168.1.80 www.example.net example.net
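Review bot: The file hardens outbound forwarding with `domain-needed` and `bogus-priv` but has no `stop-dns-rebind`, so an upstream answer that maps a public name to a 192.168.x or 127.x address is handed straight to every LAN client that uses this resolver — the classic rebinding vector against the very services the `hosts` file describes. Adding `stop-dns-rebind` and `rebind-localhost-ok` next to `bogus-priv`, with a comment like `# Drop upstream replies that point public names at private/loopback addresses.`, closes that. Worth stating in the header comment too: `port=53` and `domain=` do not limit which addresses dnsmasq listens on, so exposure of this resolver is decided entirely by the port binding in docker-compose.yml.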
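Review bot: `127.0.1.1 dns.example.com dns` is served to every LAN client because this file is the only name source once the Dockerfile runs dnsmasq with `--no-hosts --addn-hosts=/etc/dnsmasq/hosts`, so a client resolving `dns.example.com` will get its own loopback and never reach this server. The entry should carry the server's LAN address, e.g. `192.168.1.53 dns.example.com dns`, and the `127.0.0.1 localhost` line is likewise unnecessary here since every client already has it in its own `/etc/hosts`. A short comment in the Format section saying that addresses are published to other machines, not used inside the container, would stop this pattern from being copied from a normal hosts file.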
diff --git a/Config/DNS/config/resolv.conf.example b/Config/DNS/config/resolv.conf.example
new file mode 100644
index 0000000..21f6886
--- /dev/null
+++ b/Config/DNS/config/resolv.conf.example
@@ -0,0 +1,21 @@
+# 2023-07-29
+#
+# Description:
+# Generic DNS settings unrelated to dnsmasq are provided here.
+#
+# Futher Reading:
+# https://manpages.debian.org/bookworm/manpages/resolv.conf.5.en.html
+#
+
+# The local domains being hosted.
+search example.com example.net anotherdomain.com
+
+# Explicitly set local caching with hosts file on.
+nameserver 127.0.0.1
+
+# Add any extra settings.
+#options rotate
+
+# Use Cloudflare for upstream DNS.
+nameserver 1.1.1.1
+nameserver 1.0.0.1
diff --git a/Config/DNS/docker-compose.yml b/Config/DNS/docker-compose.yml
new file mode 100644
index 0000000..2cfd1a9
--- /dev/null
+++ b/Config/DNS/docker-compose.yml
@@ -0,0 +1,17 @@
+# 2023-07-29
+#
+# Local DNS server which properly handles DNS splitting.
+# Necessary when using junk ISP gateways and running a domain.
+# https://thekelleys.org.uk/dnsmasq/doc.html
+#
+
+version: '3'
+
+services:
+ app:
+ container_name: dns-app
+ build: ./
+ restart: always
+ ports:
+ - "53:53/udp"
+ - "53:53/tcp"
diff --git a/Config/DNS/run.sh b/Config/DNS/run.sh
new file mode 100755
index 0000000..229fe15
--- /dev/null
+++ b/Config/DNS/run.sh
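Review bot: `nameserver 127.0.0.1` points dnsmasq at its own listening address once this file is handed to it via `--resolv-file`; dnsmasq normally logs such an entry as `ignoring nameserver 127.0.0.1 - local interface` (check the container log to confirm), so the comment "Explicitly set local caching with hosts file on" describes behaviour this line does not provide — caching comes from `cache-size` in dnsmasq.conf and the hosts file from `--addn-hosts`. dnsmasq also reads only `nameserver` lines from a resolv-file, so the `search` line and the commented `options rotate` are inert here. Either drop those lines or replace the comment with `# dnsmasq ignores its own address; only the nameserver lines below are used.` so the next editor does not expect them to do anything.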
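Review bot: `"53:53/udp"` and `"53:53/tcp"` publish the resolver on every host interface, so on a host with a routable address this becomes an open recursive resolver that can be used for amplification; dnsmasq.conf.example sets no `interface`/`local-service` limit, and inside the container the only interface is the Docker bridge anyway, so the host-side bind address is the right place to restrict it. Binding to the LAN address, `- "192.168.1.53:53:53/udp"` (sourced from `.env` as `${DNS_BIND_IP}` to match the other stacks in this commit), keeps the README's "add this IP to the router" workflow intact while closing the WAN side. With `restart: always` and no `healthcheck`, a bad config file will also restart-loop silently; a `healthcheck` that runs a lookup against `127.0.0.1` would surface that.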
@@ -0,0 +1,60 @@
+#!/bin/bash
+#
+# 2023-07-29
+# Config/DNS/run.sh
+# Fix common issues when trying to run this container.
+
+function stop-service {
+ service=""
+ if [[ -n $1 ]]; then
+ service=$1
+ else
+ echo "ERROR: A parameter was not provided for stop-service, aborting." >&2
+ exit 1
+ fi
+ if [[ -n $2 ]]; then
+ echo "ERROR: A second parameter to stop-service is not expected, aborting." >&2
+ exit 1
+ fi
+ systemctl disable --now $service &&
+ echo "$service stopped successfully!" ||
+ echo "* If $service was not found then there is no problem."
+}
+
+## Validations ##
+
+# Ensure the necessary config files have been created.
+if [[ ! -s ./config/hosts
+ || ! -s ./config/resolv.conf
+ || ! -s ./config/dnsmasq.conf
+]]; then
+ echo "ERROR: Please ensure all 3 files have been created in the config folder." >&2
+ exit 1
+fi
+
+echo -e "\n*** Turn off any local DNS programs ***"
+# These programs use port 53 but this container needs to be able to listen on it.
+stop-service systemd-resolved
+stop-service dnsmasq
+
+echo -e "\n*** Create a working DNS file ***"
+# Allows the domains needed during the docker pull/build to be accessed.
+if [[ ! -e /etc/resolv.conf.save ]]; then
+ # Save the existing file if a backup does not already exist.
+ mv /etc/resolv.conf /etc/resolv.conf.save
+fi
+echo "nameserver 1.1.1.1" > /etc/resolv.conf
+
+echo -e "\n*** Start the docker container ***"
+docker compose down
+docker compose build
+docker compose up -d
+
+echo -e "\n*** Now use the local process for DNS ***\n/etc/resolv.conf:"
+echo "nameserver 127.0.0.1" > /etc/resolv.conf
+echo "nameserver 127.0.1.1" >> /etc/resolv.conf
+cat /etc/resolv.conf
+
+# Finish
+echo " "
+exit 0
diff --git a/Config/DNS/undo.sh b/Config/DNS/undo.sh
new file mode 100755
index 0000000..12612c5
--- /dev/null
+++ b/Config/DNS/undo.sh
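Review bot: The script has no `set -e`, so when `docker compose build` or `docker compose up -d` fails the host's `/etc/resolv.conf` is still rewritten to `127.0.0.1`/`127.0.1.1` after `systemd-resolved` has already been disabled, leaving the machine with no working resolver at all; the switch to the local resolver should only happen once the container is actually up. The validation also tests `./config/hosts` relative to the caller's working directory rather than the script's, and everything here (`systemctl`, writing `/etc/resolv.conf`) requires root, which is never checked; `systemctl disable --now` is also permanent rather than a stop, which the comment should say. The lines below add those guards; `stop-service` and the rest of the body are unchanged.
```bash
#!/bin/bash
set -euo pipefail
# Run relative to this script so ./config/* is found regardless of caller cwd.
cd "$(dirname -- "${BASH_SOURCE[0]}")"
if [[ $EUID -ne 0 ]]; then
  echo "ERROR: must run as root (uses systemctl and rewrites /etc/resolv.conf)." >&2
  exit 1
fi
# … unchanged: stop-service, validations, service shutdown, resolv.conf backup …
docker compose down
docker compose build
# Only switch the host to the container once it is actually running.
docker compose up -d --wait
```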
@@ -0,0 +1,46 @@
+#!/bin/bash
+#
+# 2023-07-29
+# Config/DNS/undo.sh
+# Easy way to stop using this container.
+
+function start-service {
+ service=""
+ if [[ -n $1 ]]; then
+ service=$1
+ else
+ echo "ERROR: A parameter was not provided for start-service, aborting."
+ exit 1
+ fi
+ if [[ -n $2 ]]; then
+ echo "ERROR: A second parameter to start-service is not expected, aborting."
+ exit 1
+ fi
+ systemctl enable --now $service &&
+ echo "$service started successfully!" ||
+ echo "* If $service was not found then there is no problem."
+}
+
+echo -e "\n*** Stop the docker container ***"
+docker compose down
+
+echo -en "\n*** Restore the DNS file "
+if [[ -e /etc/resolv.conf.save ]]; then
+ echo "from backup ***"
+ cp /etc/resolv.conf.save /etc/resolv.conf
+else
+ echo "with Cloudflare ***"
+ echo "nameserver 1.1.1.1" > /etc/resolv.conf
+ echo "nameserver 1.0.0.1" >> /etc/resolv.conf
+ echo "options rotate" >> /etc/resolv.conf
+fi
+echo "/etc/resolv.conf:"
+cat /etc/resolv.conf
+
+echo -e "\n*** Turn on any local DNS programs ***"
+start-service systemd-resolved
+start-service dnsmasq
+
+# Finish
+echo " "
+exit 0
diff --git a/Config/DynamicDNS/README.md b/Config/DynamicDNS/README.md
index 8729cb8..9946cd2 100644
--- a/Config/DynamicDNS/README.md
+++ b/Config/DynamicDNS/README.md
@@ -21,7 +21,7 @@ The sleep waits anywhere from 0 to 55 minutes due to the [Random/10](https://tldp.org/LDP/abs/html/randomvar.html). ``` - @hourly sleep $(( $RANDOM / 10 )); $PROJECT_DIR/Config/DynamicDNS/update_dns.sh + @hourly bash -c 'sleep $(( $RANDOM / 10 )); $PROJECT_DIR/Config/DynamicDNS/update_dns.sh' ``` ### TESTING
diff --git a/Config/Gitlab/docker-compose.yml.TBD b/Config/Gitlab/docker-compose.yml.TBD
new file mode 100644
index 0000000..1e1dbed
--- /dev/null
+++ b/Config/Gitlab/docker-compose.yml.TBD
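Review bot: `cp /etc/resolv.conf.save /etc/resolv.conf` restores the content but not the file: on a systemd-resolved host `/etc/resolv.conf` is a symlink into `/run/systemd/resolve/`, run.sh moved that symlink aside as `.save`, and copying it back yields a regular file while the backup remains, so a later run.sh keeps the now-stale backup forever. `mv /etc/resolv.conf.save /etc/resolv.conf` restores the link and clears the backup in one step. `start-service dnsmasq` also re-enables a host dnsmasq unconditionally even if it was never enabled before run.sh disabled it, which is inferred rather than recorded; and the error messages here go to stdout while run.sh's twin function sends them to `>&2`, so `>&2` should be added to both `echo "ERROR: …"` lines for consistency.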
@@ -0,0 +1,22 @@ +# 2023-07-29 +# Employ a personal Gitlab rather than strictly depending on GitHub's existence. +# https://docs.gitlab.com/ee/install/docker.html#install-gitlab-using-docker-compose + +# TBD Add the hostname and environment-GITLAB_OMNIBUS_CONFIG setup using env. + +version: '3' + +services: + app: + container_name: gitlab-app + image: 'gitlab/gitlab-ce:latest' + restart: always + ports: + - 8180:80 + - 8143:443 + - 8122:22 + volumes: + - ../../Volumes/GitLab/config:/etc/gitlab' + - ../../Volumes/GitLab/logs:/var/log/gitlab' + - ../../Volumes/GitLab/data:/var/opt/gitlab' + shm_size: '256m' diff --git a/Config/Hyperling.com/docker-compose.yml b/Config/Hyperling.com/docker-compose.yml index 3fb1a51..b677d07 100644 --- a/Config/Hyperling.com/docker-compose.yml +++ b/Config/Hyperling.com/docker-compose.yml @@ -5,8 +5,8 @@ version: '2' services: app: - image: node - restart: always + container_name: website-app build: ./ + restart: always ports: - 8317:8080 diff --git a/Config/Invidious/docker-compose.yml.TBD b/Config/Invidious/docker-compose.yml.TBD index c83bc53..af73a4a 100644 --- a/Config/Invidious/docker-compose.yml.TBD +++ b/Config/Invidious/docker-compose.yml.TBD @@ -1,14 +1,13 @@ +# 2023-07-25 # Invidious configuration. # This is a revised version of the original work here: # https://hub.docker.com/_/nextcloud -# Changelog: -# 2023-07-16 Change from mariadb:10.5 to 10.6. - version: "3" -services: - invidious: +services: + app: + container_name: invidious-app image: quay.io/invidious/invidious:latest restart: always ports: @@ -22,8 +21,8 @@ services: INVIDIOUS_CONFIG: | db: dbname: invidious - user: - password: + user: ${INV_DB_USER} + password: ${INV_DB_PASS} host: invidious-db port: 5432 check_tables: true 
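Review bot: Each `volumes:` entry ends with a stray `'` (`/etc/gitlab'`, `/var/log/gitlab'`, `/var/opt/gitlab'`); YAML keeps that character as part of the plain scalar, so GitLab would be given mounts at `/etc/gitlab'` etc. and start with empty config and data — drop the trailing quote on all three lines. `image: 'gitlab/gitlab-ce:latest'` is unpinned for a service that holds source code and credentials, and `8122:22` publishes a second SSH daemon on every host interface, so a version tag and a bind address (`127.0.0.1:8122:22` behind the reverse proxy, or the LAN IP) belong here before the `.TBD` suffix comes off. The `GITLAB_OMNIBUS_CONFIG` TODO in the header is the right place to also set `external_url`, without which GitLab's generated links will not match the proxied host.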
@@ -31,7 +30,7 @@ services: domain: # https_only: false # statistics_enabled: false - hmac_key: + hmac_key: "${INV_HMAC_KEY}" healthcheck: test: wget -nv --tries=1 --spider http://127.0.0.1:3000/api/v1/comments/jNQXAC9IVRw || exit 1 interval: 30s @@ -44,7 +43,8 @@ services: depends_on: - invidious-db - invidious-db: + db: + container_name: invidious-db image: docker.io/library/postgres:14 restart: always volumes: @@ -52,10 +52,10 @@ services: - ../../Volumes/Invidious/postgres/config/sql:/config/sql - ../../Volumes/Invidious/postgres/init-invidious-db.sh:/docker-entrypoint-initdb.d/init-invidious-db.sh env_file: - - ./pg.env + - ./inv.env environment: POSTGRES_DB: invidious - POSTGRES_USER: - POSTGRES_PASSWORD: + POSTGRES_USER: "${INV_DB_USER}" + POSTGRES_PASSWORD: "${INV_DB_PASS}" healthcheck: test: ["CMD-SHELL", "pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"] diff --git a/Config/Nextcloud/docker-compose.yml b/Config/Nextcloud/docker-compose.yml index 27796f8..b81b2f7 100644 --- a/Config/Nextcloud/docker-compose.yml +++ b/Config/Nextcloud/docker-compose.yml 
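Review bot: `POSTGRES_USER: "${INV_DB_USER}"` and `POSTGRES_PASSWORD: "${INV_DB_PASS}"` rely on compose-file interpolation, which reads `.env` in the project directory and the invoking shell — not the `env_file: - ./inv.env` two lines above, which only injects variables into the container after interpolation has happened. Unless `inv.env` is also copied to `.env`, both expand to empty strings, Postgres refuses to start without a password, and `${INV_HMAC_KEY}` in the app service is empty as well (the commit message notes the same behaviour for `dns.env`). Either rename `inv.env` to `.env` (now covered by the `*.env` ignore rule) and drop `env_file`, or drop the interpolation and let `env_file` supply `POSTGRES_USER`/`POSTGRES_PASSWORD` directly, and say which in a comment since the two mechanisms look identical.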
@@ -4,34 +4,48 @@ # Changelog: # 2023-07-16 Change from mariadb:10.5 to 10.6. +# 2023-08-20 Add Redis. (https://markontech.com/docker/setup-nextcloud-with-redis-using-docker/) -version: '2' +version: '3' services: db: + container_name: nc-db image: mariadb:10.6 restart: always command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW volumes: - ../../Volumes/Nextcloud/mariadb:/var/lib/mysql environment: - - MYSQL_ROOT_PASSWORD=ChangeMe - - MYSQL_DATABASE=nextcloud - - MYSQL_USER=nc - - MYSQL_PASSWORD=changeme + - MYSQL_DATABASE=$MYSQL_DATABASE + - MYSQL_ROOT_PASSWORD=$MYSQL_ROOT_PASSWORD + - MYSQL_USER=$MYSQL_USER + - MYSQL_PASSWORD=$MYSQL_PASSWORD + + redis: + container_name: nc-redis + image: redis + restart: always + command: redis-server --requirepass $REDIS_HOST_PASSWORD app: + container_name: nc-app image: nextcloud restart: always ports: - 8080:80 links: - db + - redis volumes: - ../../Volumes/Nextcloud/nextcloud:/var/www/html environment: - - MYSQL_DATABASE=nextcloud - - MYSQL_USER=nc - - MYSQL_PASSWORD=changeme - - MYSQL_HOST=db - - PHP_UPLOAD_LIMIT=5G + - MYSQL_HOST=$MYSQL_HOST + - MYSQL_DATABASE=$MYSQL_DATABASE + - MYSQL_USER=$MYSQL_USER + - MYSQL_PASSWORD=$MYSQL_PASSWORD + - PHP_UPLOAD_LIMIT=$PHP_UPLOAD_LIMIT + - REDIS_HOST=$REDIS_HOST + - REDIS_HOST_PASSWORD=$REDIS_HOST_PASSWORD + #dns: + # - $DNS diff --git a/Config/Nextcloud/env.example b/Config/Nextcloud/env.example new file mode 100644 index 0000000..f5bdce3 --- /dev/null +++ b/Config/Nextcloud/env.example 
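Review bot: `command: redis-server --requirepass $REDIS_HOST_PASSWORD` places the secret on the process command line, so it is readable via `docker inspect nc-redis` and the host's `ps`; that is tolerable on a single-admin host but deserves a comment, and because compose interpolates first and then splits the string with shell-like rules, a password containing a space or quote breaks the command. A `redis.conf` bind-mounted with `requirepass` in it, or `command: ["redis-server", "--requirepass", "$REDIS_HOST_PASSWORD"]` to at least avoid the splitting problem, would be safer. `links:` is a compose v2 key; under `version: '3'` the services already resolve `db` and `redis` by name on the default network, so both `links` blocks can be removed.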
@@ -0,0 +1,29 @@ +# Example environment file for Nextcloud stack, should be copied as `.env`. + +## Nextcloud ## + +PHP_UPLOAD_LIMIT=5G + +## MySQL ## + +MYSQL_HOST=db +MYSQL_DATABASE=nextcloud +MYSQL_ROOT_PASSWORD=ChangeMe +MYSQL_USER=nc +MYSQL_PASSWORD=changeme + +## REDIS ## + +REDIS_HOST=redis +REDIS_HOST_PASSWORD=someredispassword + +## Other ## + +# This has not helped, not sure why containers are not uing hosts's DNS, or why +# the requests are failing. Needs further research/testing but works on Ubuntu +# laptop, just not Debian VM. VM can use the DNS server properly though. +### # If you have both Nextcloud and OnlyOffice on the same internal network you +### # will likely want to set this to an internal DNS server. Some routers will +### # drop traffic if an internal IP tries to communicate with the WAN IP, causing +### # the curl to OnlyOffice's /healthcheck to fail. Do the same in both configs. +### DNS=10.110.1.53 diff --git a/Config/Nextcloud/fixes.sh b/Config/Nextcloud/fixes.sh index f02f09e..15e0239 100755 --- a/Config/Nextcloud/fixes.sh +++ b/Config/Nextcloud/fixes.sh 
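Review bot: `MYSQL_ROOT_PASSWORD=ChangeMe`, `MYSQL_PASSWORD=changeme` and `REDIS_HOST_PASSWORD=someredispassword` are exactly what goes live if the file is copied to `.env` as line 1 instructs and nothing else is edited, and docker-compose.yml has no check that the placeholders were replaced. Leaving the three values empty (so mariadb and redis refuse to start) and adding `# Required. Generate each with: openssl rand -base64 32` above the `## MySQL ##` section would make the weak defaults impossible to deploy by accident. The long commented `DNS=` block is a troubleshooting diary rather than example config; a single line `# DNS=10.110.1.53  # optional: internal resolver, see docker-compose.yml` keeps the hint without the narrative.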
@@ -2,30 +2,29 @@ # 2022-09-25 Hyperling # Put fixes in a file so they do not need remembered. -docker exec -it nextcloud-app-1 apt update -y -docker exec -it nextcloud-app-1 apt install -y sudo libmagickcore-6.q16-6-extra htop +docker exec -it nc-app apt update -y +docker exec -it nc-app apt install -y sudo libmagickcore-6.q16-6-extra htop iputils-ping dnsutils vim # 2022-10-30 More additions after moving to Nextcloud version 25. -docker exec -itu www-data nextcloud-app-1 ./occ db:add-missing-columns -docker exec -itu www-data nextcloud-app-1 ./occ db:add-missing-indices -docker exec -itu www-data nextcloud-app-1 ./occ db:add-missing-primary-keys -docker exec -itu www-data nextcloud-app-1 ./occ db:convert-filecache-bigint -docker exec -it nextcloud-app-1 chown -Rc www-data:www-data . +docker exec -itu www-data nc-app ./occ db:add-missing-columns +docker exec -itu www-data nc-app ./occ db:add-missing-indices +docker exec -itu www-data nc-app ./occ db:add-missing-primary-keys +docker exec -itu www-data nc-app ./occ db:convert-filecache-bigint +docker exec -it nc-app chown -Rc www-data:www-data . # 2023-02-12 Just for good measure. -docker exec -itu www-data nextcloud-app-1 ./occ app:update --all +docker exec -itu www-data nc-app ./occ app:update --all -# 2023-07-02 +# 2023-07-02 # This maybe used to exist, but make sure that Files app is correct. -docker exec -itu www-data nextcloud-app-1 ./occ files:scan --all +docker exec -itu www-data nc-app ./occ files:scan --all # This one takes a while. -docker exec -itu www-data nextcloud-app-1 ./occ files:scan-app-data +docker exec -itu www-data nc-app ./occ files:scan-app-data # Extras? Have used the commands in the past and may help in the future. 
-docker exec -itu www-data nextcloud-app-1 ./occ maintenance:theme:update -docker exec -itu www-data nextcloud-app-1 ./occ maintenance:repair +docker exec -itu www-data nc-app ./occ maintenance:theme:update +docker exec -itu www-data nc-app ./occ maintenance:repair # May alsp be useful but do not have much experience with them. -docker exec -itu www-data nextcloud-app-1 ./occ versions:cleanup -docker exec -itu www-data nextcloud-app-1 ./occ files:cleanup +docker exec -itu www-data nc-app ./occ versions:cleanup +docker exec -itu www-data nc-app ./occ files:cleanup exit 0 - diff --git a/Config/OnlyOffice/docker-compose.yml b/Config/OnlyOffice/docker-compose.yml index ecdf587..fdaafa6 100644 --- a/Config/OnlyOffice/docker-compose.yml +++ b/Config/OnlyOffice/docker-compose.yml @@ -1,11 +1,17 @@ # 2023-07-25 -# OnlyOffice server for Nextcloud. +# OnlyOffice server, primarily used for Nextcloud. version: '3' services: app: + container_name: oo-app image: onlyoffice/documentserver restart: always ports: - 8000:80 + - 4443:443 + environment: + - JWT_SECRET=$JWT_SECRET + #dns: + # - $DNS diff --git a/Config/OnlyOffice/env.example b/Config/OnlyOffice/env.example new file mode 100644 index 0000000..013b3e6 --- /dev/null +++ b/Config/OnlyOffice/env.example 
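Review bot: Packages installed with `docker exec -it nc-app apt install …` live only in the running container's writable layer and disappear the next time `docker compose up` recreates `nc-app`, so the ping/dig/vim added here for troubleshooting will have to be reinstalled after every image update; a two-line Dockerfile `FROM nextcloud` in this directory, built like the other stacks in this commit, would make them durable. The script also has no failure handling, so a failed `apt install` is followed by every `occ` command regardless; `set -euo pipefail` after the shebang (which is outside this hunk) would stop at the first error. `apt` itself warns that its CLI is not stable for scripts, so `apt-get` is the better choice on these two lines.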
@@ -0,0 +1,17 @@ +# Example environment file for OnlyOffice, should be copied as `.env`. + +## Relating to the Nextcloud Admin Settings UI ## + +# Secret +JWT_SECRET=abc123 + +## Other ## + +# This has not helped, not sure why containers are not uing hosts's DNS, or why +# the requests are failing. Needs further research/testing but works on Ubuntu +# laptop, just not Debian VM. VM can use the DNS server properly though. +### # If you have both Nextcloud and OnlyOffice on the same internal network you +### # will likely want to set this to an internal DNS server. Some routers will +### # drop traffic if an internal IP tries to communicate with the WAN IP, causing +### # the curl to OnlyOffice's /healthcheck to fail. Do the same in both configs. +### DNS=10.110.1.53 diff --git a/Config/ReverseProxy/create_letsencrypt_certs.sh b/Config/ReverseProxy/create_letsencrypt_certs.sh index 09a3067..8b4267d 100755 --- a/Config/ReverseProxy/create_letsencrypt_certs.sh +++ b/Config/ReverseProxy/create_letsencrypt_certs.sh @@ -28,8 +28,8 @@ if [[ $certbot_running != 1 ]]; then fi ## Input ## - # Gather information from the user. + echo -n "Please provide the email address you would like the certs bound to: " read email if [[ -z $email ]]; then 
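Review bot: `JWT_SECRET=abc123` is the shared secret OnlyOffice uses to verify that edit requests and callbacks originate from the configured Nextcloud, and docker-compose.yml publishes the document server on every interface at `8000:80`; anyone who can reach that port and guesses the placeholder can submit documents and callbacks to it. Leave the value empty and add `# Required. Generate with: openssl rand -hex 32 and enter the same value in Nextcloud's OnlyOffice settings.` so a copied-as-is `.env` fails loudly instead of running with a trivial secret. As in the Nextcloud example file, the commented `DNS=` troubleshooting block reads as a diary; one short line pointing at the `dns:` option in docker-compose.yml would suffice.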
@@ -45,19 +45,34 @@ if [[ $confirm != "Y"* ]]; then exit 0 fi +echo -n "Is this a test run? [Y/n]: " +typeset -l test dry_run +read test +if [[ $test == "y"* || -z $test ]]; then + dry_run="--dry-run" + echo " Great! Running with $dry_run to avoid using up requests." +else + echo " Requesting live certificates for new domains." +fi + ## Main ## # Loop over the proxy configuration files and ensure they have certs. grep -l proxy_pass $DIR/config/conf.d/*.* | while read file; do filename=`basename $file` + echo -e "\n" if [[ $filename == *"example.com"* ]]; then echo "Skipping $filename since it is only an example." continue fi - echo "*** Checking $filename ***" - if [[ -d $CERT_DIR/$filename ]]; then + echo "*** Checking $filename ***" + if [[ -f $CERT_DIR/$filename/SELF ]]; then + echo "Removing self-signed certs." + rm -rfv $CERT_DIR/$filename + fi + if [[ ! -d $CERT_DIR/$filename ]]; then echo "Getting the domains which need the cert." domains=`grep -v '$server_name' $file | grep server_name` @@ -69,13 +84,18 @@ grep -l proxy_pass $DIR/config/conf.d/*.* | while read file; do domains=${domains// /,} echo "Domains='$domains'" - echo "Attempting to create real certs at $CERT_DIR/$filename." - docker exec reverseproxy-certbot-1 certbot certonly -n --webroot \ + echo "Attempting to create certs at $CERT_DIR/$filename." + docker exec reverseproxy-certbot-1 \ + certbot certonly -n --webroot $dry_run \ -w /etc/letsencrypt --agree-tos -m $email -d $filename - ls -lh $CERT_DIR/$filename/* + if [[ -z $dry_run ]]; then + docker exec reverseproxy-certbot-1 \ + sh -c "cp -rL /etc/letsencrypt/live/$filename /etc/letsencrypt/nginx/" + ls -lh $CERT_DIR/$filename/* + fi else - echo "Website's certificate folder does not exist, skipping." + echo "Website's certificate folder already exists, skipping." continue fi done diff --git a/Config/ReverseProxy/create_placeholder_certs.sh b/Config/ReverseProxy/create_placeholder_certs.sh index a591d41..72e245c 100755 
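Review bot: Both `docker exec reverseproxy-certbot-1` calls in this hunk still target the auto-generated container name, but docker-compose.yml in this same commit sets `container_name: rp-certbot`, so after the next `docker compose up` every exec here fails with "No such container" and no certificate is issued or copied. Separately, `rm -rfv $CERT_DIR/$filename` is unquoted and unguarded: `rm -rfv -- "${CERT_DIR:?}/$filename"` fails closed if `CERT_DIR` is ever empty and survives names with spaces. `$filename` is also spliced into the `sh -c "cp -rL …"` string; the names come from files in conf.d rather than user input, but a comment stating that assumption would stop the pattern from being copied somewhere less safe.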
--- a/Config/ReverseProxy/create_placeholder_certs.sh +++ b/Config/ReverseProxy/create_placeholder_certs.sh @@ -18,12 +18,14 @@ echo "CERT_DIR=$CERT_DIR" mkdir -pv $CERT_DIR # Loop over the proxy configuration files and ensure they have certs. -grep -l proxy_pass $DIR/config/conf.d/*.* | while read file; do +#grep -l proxy_pass $DIR/config/conf.d/*.* | while read file; do +ls $DIR/config/conf.d/*.* | while read file; do filename=`basename $file` - echo "*** Checking $filename ***" + echo -e "\n\n*** Checking $filename ***" if [[ ! -d $CERT_DIR/$filename ]]; then echo "Creating self-signed certs at $CERT_DIR/$filename." mkdir -pv $CERT_DIR/$filename + touch $CERT_DIR/$filename/SELF openssl req -new -x509 -days 3 -nodes \ -out $CERT_DIR/$filename/fullchain.pem \ -keyout $CERT_DIR/$filename/privkey.pem \ diff --git a/Config/ReverseProxy/docker-compose.yml b/Config/ReverseProxy/docker-compose.yml index f457c62..1dad73c 100644 --- a/Config/ReverseProxy/docker-compose.yml +++ b/Config/ReverseProxy/docker-compose.yml @@ -10,6 +10,7 @@ version: '3' services: app: + container_name: rp-app build: ./ restart: always ports: @@ -21,9 +22,10 @@ services: command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'" certbot: + container_name: rp-certbot image: certbot/certbot restart: always volumes: - ../../Volumes/ReverseProxy/letsencrypt:/etc/letsencrypt - - ../../Volumes/ReverseProxy/letsencrypt-certs:/var/www/certbot - entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'" + - ../../Volumes/ReverseProxy/letsencrypt-certs:/etc/letsencrypt/nginx + entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; cp -rL /etc/letsencrypt/live/* /etc/letsencrypt/nginx/; sleep 12h & wait $${!}; done;'" diff --git a/bin/clean.sh b/bin/clean.sh new file mode 100755 index 0000000..29689d1 --- /dev/null +++ b/bin/clean.sh 
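Review bot: `ls $DIR/config/conf.d/*.* | while read file` parses `ls` output, and with the `grep -l proxy_pass` filter commented out every file in conf.d — including the `*example.com*` configs that create_letsencrypt_certs.sh deliberately skips — now receives a placeholder certificate. A glob loop, `for file in "$DIR"/config/conf.d/*.*; do`, avoids the `ls` parsing and handles spaces. The `SELF` marker is a good idea, but since the sibling script `rm -rf`s the whole directory whenever that file exists, the contract deserves a comment here such as `# SELF marks this directory as disposable; create_letsencrypt_certs.sh deletes it before requesting real certs.`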
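Review bot: `cp -rL /etc/letsencrypt/live/* /etc/letsencrypt/nginx/` in the `entrypoint` runs every 12 hours whether or not anything renewed and copies private keys into the volume shared with nginx on each pass; `certbot renew --deploy-hook 'cp -rL /etc/letsencrypt/live/* /etc/letsencrypt/nginx/'` is the documented hook and only fires after a successful renewal. `live/` also contains certbot's README, which the glob copies along. The volume previously mounted at `/var/www/certbot` is now repurposed as the certificate store, so any nginx `location /.well-known/acme-challenge/` root that referenced it (outside this diff) needs checking, and the container's `nginx -s reload` loop still runs on its own 6h clock independent of renewals.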
@@ -0,0 +1,16 @@ +#!/bin/bash +# 2023-08-21 Hyperling +# Clean all unused images and containers. +# https://docs.docker.com/config/pruning/ +# Very helpful during development, nice in a long-running production as well. +# usage: clean.sh + +docker image prune -a + +docker container prune + +docker volume prune + +docker network prune + +exit 0 diff --git a/source.env b/source.env index b242c68..4600df0 100755 --- a/source.env +++ b/source.env @@ -1,10 +1,14 @@ +#!/bin/bash # Provide any necessary project variables. # Needs run in the current shell environment, such as: -# source /PATH_TO_GIT_PROJECT/source.env +# source /PATH_TO_PROJECT/source.env DIR="$(dirname -- "${BASH_SOURCE[0]}")" -if [[ $DIR == \.* ]]; then +if [[ "$DIR" == '.'* ]]; then + RETURN="`pwd`" + cd $DIR DIR="`pwd`" + cd "$RETURN" fi DOCKER_HOME="$DIR"
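Review bot: `docker volume prune` removes every volume not attached to a running container, which for any stack that is currently `docker compose down` includes its named volumes; this project mostly uses bind mounts, but the header's "nice in a long-running production as well" undersells that. Add `# WARNING: volume prune deletes the data of any stack that is currently down.` above that line or drop it, and note that `docker image prune -a` and the others prompt interactively, so the script is not cron-safe without `-f`.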
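Review bot: `cd $DIR` is unquoted and its failure is unchecked, so a project path containing a space (or a directory that no longer exists) leaves `DIR` set to the caller's working directory and `DOCKER_HOME` pointing at the wrong place. `DIR="$(cd -- "$DIR" && pwd)"` resolves the path in a subshell without moving the caller, which also makes `RETURN` and the trailing `cd "$RETURN"` unnecessary. Because this file is sourced, an `exit` on failure would close the user's shell; `return 1` is the correct guard if one is added.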