diff --git a/.drone.do.yml b/.drone.do.yml
new file mode 100644
index 0000000..ed6119a
--- /dev/null
+++ b/.drone.do.yml
@@ -0,0 +1,136 @@
+---
+
+kind: pipeline
+type: docker
+name: default
+when:
+ branch:
+ - master
+
+clone:
+ # skip_verify: true
+
+steps:
+steps:
+- name: wait
+ when:
+ branch:
+ - master
+ image: docker:dind
+ volumes:
+ - name: dockersock
+ path: /var/run
+
+ commands:
+ - sleep 60
+- name: build-letsencrypt-nginx
+ when:
+ branch:
+ - master
+ image: docker:dind
+ volumes:
+ - name: dockersock
+ path: /var/run
+ environment:
+ LOCAL_DOCKER_REGISTRY:
+ from_secret: local-docker-registry
+ commands:
+ - cd letsencrypt-nginx
+ - docker build . -t $${LOCAL_DOCKER_REGISTRY}/letsencrypt-nginx
+ - docker push $${LOCAL_DOCKER_REGISTRY}/letsencrypt-nginx
+- name: build-letsencrypt-git
+ when:
+ branch:
+ - master
+ image: docker:dind
+ volumes:
+ - name: dockersock
+ path: /var/run
+ environment:
+ LOCAL_DOCKER_REGISTRY:
+ from_secret: local-docker-registry
+ commands:
+ - cd letsencrypt-nginx
+ - sh build.sh git $${LOCAL_DOCKER_REGISTRY}
+- name: scp files
+ when:
+ branch:
+ - master
+ image: appleboy/drone-scp
+ settings:
+ host:
+ from_secret: ssh-host
+ username:
+ from_secret: ssh-user
+ password:
+ from_secret: ssh-password
+ port:
+ from_secret: ssh-port
+ command_timeout: 2m
+ target: ~/gitea-drone-stack-deploy
+ source:
+ - .
+- name: deploy
+ when:
+ branch:
+ - master
+ image: appleboy/drone-ssh
+ environment:
+ DRONE_RPC_SECRET:
+ from_secret: drone-rpc-secret
+ DRONE_GITEA_CLIENT_ID:
+ from_secret: drone-gitea-client-id
+ DRONE_GITEA_CLIENT_SECRET:
+ from_secret: drone-gitea-client-secret
+ LOCAL_DOCKER_REGISTRY:
+ from_secret: local-docker-registry
+ SSH_USER:
+ from_secret: ssh-user
+ CERTBOT_EMAIL:
+ from_secret: certbot-email
+ GIT_DOMAIN:
+ from_secret: git-domain
+ settings:
+ envs:
+ - drone_rpc_secret
+ - drone_gitea_client_id
+ - drone_gitea_client_secret
+ - ssh_user
+ - local_docker_registry
+ - certbot_email
+ - git_domain
+ host:
+ from_secret: ssh-host
+ username:
+ from_secret: ssh-user
+ password:
+ from_secret: ssh-password
+ port:
+ from_secret: ssh-port
+ script:
+ - set -e
+ - export LOCAL_DOCKER_REGISTRY=$LOCAL_DOCKER_REGISTRY
+ - export DRONE_RPC_SECRET=$DRONE_RPC_SECRET
+ - export DRONE_GITEA_CLIENT_ID=$DRONE_GITEA_CLIENT_ID
+ - export DRONE_GITEA_CLIENT_SECRET=$DRONE_GITEA_CLIENT_SECRET
+ - export SSH_USER=$SSH_USER
+ - export CERTBOT_EMAIL=$CERTBOT_EMAIL
+ - export GIT_DOMAIN=$GIT_DOMAIN
+ - docker network prune -f
+ - cd ~/gitea-drone-stack-deploy
+ - docker stack rm gitea
+ - sleep 60
+ - docker stack deploy -c docker-compose-do.yml gitea
+ #- sleep 300
+
+services:
+- name: docker
+ image: docker:dind
+ privileged: true
+ volumes:
+ - name: dockersock
+ path: /var/run
+
+volumes:
+- name: dockersock
+ temp: {}
diff --git a/docker-compose-do.yml b/docker-compose-do.yml
index e51b912..c216844 100644
--- a/docker-compose-do.yml
+++ b/docker-compose-do.yml
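Review bot: The `scp files` and `deploy` steps authenticate to the production host with a password (`password: from_secret: ssh-password`) and configure no `fingerprint`, and as far as I recall appleboy/drone-scp and drone-ssh skip host-key verification unless one is set, so a spoofed host could collect the SSH password plus every secret the deploy step exports (`DRONE_RPC_SECRET`, `DRONE_GITEA_CLIENT_SECRET`). Use `key: from_secret: ssh-key` and `fingerprint: from_secret: ssh-fingerprint` in both steps' `settings:` instead. Separately, `steps:` appears twice at the top of the file; YAML loaders either reject duplicate keys or silently keep the last one, so one of them should go. The `export VAR=$VAR` lines in `script:` look like no-ops, since `envs:` already exposes those variables on the remote shell — hedged, as that depends on the plugin version in use.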
@@ -7,13 +7,15 @@ services:
 replicas: 1
 restart_policy:
 condition: any
- image: letsencrypt-git
+ image: ${LOCAL_DOCKER_REPOSITORY}letsencrypt-git
 environment:
 - CERTBOT_EMAIL=${CERTBOT_EMAIL}
 - SERVER_NAME=${GIT_DOMAIN}
 - PROXY_PASS=http://gitea:3000/
 - BLOG_PROXY_PASS=http://ghost:2368
 - CHAT_PROXY_PASS=http://chat:3000
+ - DRONE_PROXY_PASS=http://drone-server:8080
+ - REGISTRY_PROXY_PASS=http://registry:5000
 - LOCATION=/git/
 - BLOG_LOCATION=/blog/
 - CHAT_LOCATION=/chat/
@@ -25,6 +27,7 @@ services:
 - 80:80
 - 443:443
 - 5000:5000
+ - 5001:5001
 gitea:
 deploy:
 placement:
@@ -144,7 +147,20 @@ services:
 - DRONE_RUNNER_NAME="docker-runner"
 #- DRONE_ENV_PLUGIN_ENDPOINT=http://git.local-domain:8888
 #- DRONE_ENV_PLUGIN_TOKEN=anything
-
+ registry:
+ deploy:
+ placement:
+ constraints: [node.labels.com.sigyl.git-stack == yes]
+ replicas: 1
+ restart_policy:
+ condition: any
+ image: registry:2
+ volumes:
+ - registry-data:/var/lib/registry
+ environment:
+ - REGISTRY_HTTP_ADDR=0.0.0.0:5000
+ networks:
+ - appnet
 volumes:
 gitea-db:
 gitea-app:
@@ -154,6 +170,7 @@ volumes:
 chat-uploads:
 drone:
 drone-data:
+ registry-data:
 networks:
 appnet:
 driver: overlay
diff --git a/letsencrypt-nginx/conf/copy b/letsencrypt-nginx/conf/copy
new file mode 100644
index 0000000..534f00b
--- /dev/null
+++ b/letsencrypt-nginx/conf/copy
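Review bot: The new `image:` line reads `${LOCAL_DOCKER_REPOSITORY}letsencrypt-git`, but the deploy step in `.drone.do.yml` exports `LOCAL_DOCKER_REGISTRY` and the build steps tag with `$LOCAL_DOCKER_REGISTRY/`, so unless `LOCAL_DOCKER_REPOSITORY` is set separately on the host `docker stack deploy` substitutes an empty string and quietly deploys whatever local `letsencrypt-git` image happens to exist. Rename it to match the pipeline, e.g. `image: ${LOCAL_DOCKER_REGISTRY}/letsencrypt-git`, and consider the `${LOCAL_DOCKER_REGISTRY:?unset}` form so an unset variable fails the deploy instead of falling through to an unqualified name.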
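Review bot: The new `registry` service has no authentication configured (no `REGISTRY_AUTH*` variables, no htpasswd), and the nginx `/v2/` vhost that fronts it on port 5001 in this same commit adds no `auth_basic`, so anyone who can reach the host can push to the registry that this stack's own `image:` lines pull from — a direct route to replacing the deployed `letsencrypt-git` image. Either set `REGISTRY_AUTH=htpasswd` with `REGISTRY_AUTH_HTPASSWD_PATH` and `REGISTRY_AUTH_HTPASSWD_REALM` here, or put basic auth on the nginx location, and have the CI `docker login` before it pushes. Pinning `registry:2` to a digest would also make the deploy reproducible.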
@@ -0,0 +1,172 @@
+ ## Set a variable to help us decide if we need to add the
+ ## 'Docker-Distribution-Api-Version' header.
+ ## The registry always sets this header.
+ ## In the case of nginx performing auth, the header is unset
+ ## since nginx is auth-ing before proxying.
+ map ${DOLLAR}upstream_http_docker_distribution_api_version ${DOLLAR}docker_distribution_api_version {
+ '' 'registry/2.0';
+ }
+
+ server {
+ # resolver 127.0.0.11 valid=30s; ## internal docker dns
+ #listen [::]:3011 default ipv6only=on; ## listen for ipv6
+ listen 80;
+ client_header_timeout 120s;
+ client_body_timeout 120s;
+ client_max_body_size 200m;
+
+ # save logs here
+
+ server_name ${SERVER_NAME};
+
+
+ location / {
+ return 301 https://${DOLLAR}host${DOLLAR}request_uri;
+ }
+ }
+
+ server {
+ # resolver 127.0.0.11 valid=30s; ## internal docker dns
+ #listen [::]:3011 default ipv6only=on; ## listen for ipv6
+ # listen 444
+ listen 5000 ssl;
+ # this should allow large docs
+ client_header_timeout 120s;
+ client_body_timeout 120s;
+ client_max_body_size 200m;
+ ssl_certificate /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem;
+ # save logs here
+ #access_log /var/log/nginx/access.log compression;
+
+ server_name ${SERVER_NAME};
+
+ location / {
+ proxy_pass ${DRONE_PROXY_PASS};
+ }
+ }
+ server {
+ # resolver 127.0.0.11 valid=30s; ## internal docker dns
+ #listen [::]:3011 default ipv6only=on; ## listen for ipv6
+ # listen 444
+ listen 5001 ssl;
+ # this should allow large docs
+ client_header_timeout 120s;
+ client_body_timeout 120s;
+ client_max_body_size 0;
+ ssl_certificate /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem;
+ # save logs here
+ #access_log /var/log/nginx/access.log compression;
+
+
+ # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+ ssl_protocols TLSv1.1 TLSv1.2;
+ ssl_ciphers
'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+
+ # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
+ chunked_transfer_encoding on;
+
+ server_name ${SERVER_NAME};
+
+
+ location /v2/ {
+ # Do not allow connections from docker 1.5 and earlier
+ # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
+ if (${DOLLAR}http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
+ return 404;
+ }
+ add_header 'Docker-Distribution-Api-Version' ${DOLLAR}docker_distribution_api_version always;
+
+ proxy_set_header Host ${DOLLAR}http_host;
+ proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
+ proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme;
+ proxy_buffering off;
+ proxy_pass ${REGISTRY_PROXY_PASS};
+
+ }
+ }
+
+ server {
+ # resolver 127.0.0.11 valid=30s; ## internal docker dns
+ #listen [::]:3011 default ipv6only=on; ## listen for ipv6
+ # listen 444
+ listen 443 ssl;
+ # this should allow large docs
+ client_header_timeout 120s;
+ client_body_timeout 120s;
+ client_max_body_size 0;
+ ssl_certificate /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem;
+ # save logs here
+ #access_log /var/log/nginx/access.log compression;
+
+
+ # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+ ssl_protocols TLSv1.1 TLSv1.2;
+ ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+
+ # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
+ chunked_transfer_encoding on;
+
+ server_name ${SERVER_NAME};
+
+ location ${LOCATION} {
+ proxy_pass ${PROXY_PASS};
+ }
+ location ${BLOG_LOCATION} {
+ proxy_set_header Host ${DOLLAR}http_host;
+ proxy_set_header
X-Real-IP ${DOLLAR}remote_addr;
+ proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme;
+ proxy_buffering off;
+ proxy_pass ${BLOG_PROXY_PASS};
+ }
+
+ location ${CHAT_LOCATION}sockjs {
+ proxy_pass ${CHAT_PROXY_PASS}/chat/sockjs;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade ${DOLLAR}http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Host ${DOLLAR}host;
+ proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
+ proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+ proxy_set_header X-Forward-Proto http;
+ proxy_set_header X-Nginx-Proxy true;
+ proxy_redirect off;
+
+ }
+ location ${CHAT_LOCATION}sockjs/ {
+ proxy_pass ${CHAT_PROXY_PASS}/chat/sockjs/;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade ${DOLLAR}http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Host ${DOLLAR}host;
+ proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
+ proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+ proxy_set_header X-Forward-Proto http;
+ proxy_set_header X-Nginx-Proxy true;
+ proxy_redirect off;
+
+
+ }
+ location ${CHAT_LOCATION} {
+ proxy_pass ${CHAT_PROXY_PASS};
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade ${DOLLAR}http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host ${DOLLAR}http_host;
+ proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
+ proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+ proxy_set_header X-Forward-Proto http;
+ proxy_set_header X-Nginx-Proxy true;
+ proxy_redirect off;
+
+ }
+ }
+
diff --git a/letsencrypt-nginx/conf/copy-1 b/letsencrypt-nginx/conf/copy-1
new file mode 100644
index 0000000..f2d9612
--- /dev/null
+++ b/letsencrypt-nginx/conf/copy-1
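Review bot: `letsencrypt-nginx/conf/copy` has the same blob id (`534f00b`) as the updated `git.conf` further down in this commit, so it is a byte-for-byte scratch copy that was checked in by accident. Delete it rather than shipping two identical configs that will drift; if the image build copies the whole `conf/` directory, the stray file also ends up inside the container. Everything in it is reviewed against `git.conf` instead.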
@@ -0,0 +1,120 @@
+
+ server {
+ # resolver 127.0.0.11 valid=30s; ## internal docker dns
+ #listen [::]:3011 default ipv6only=on; ## listen for ipv6
+ listen 80;
+ client_header_timeout 120s;
+ client_body_timeout 120s;
+ client_max_body_size 200m;
+
+ # save logs here
+
+ server_name ${SERVER_NAME};
+
+
+ location / {
+ return 301 https://${DOLLAR}host${DOLLAR}request_uri;
+ }
+ }
+
+ server {
+ # resolver 127.0.0.11 valid=30s; ## internal docker dns
+ #listen [::]:3011 default ipv6only=on; ## listen for ipv6
+ # listen 444
+ listen 5000 ssl;
+ # this should allow large docs
+ client_header_timeout 120s;
+ client_body_timeout 120s;
+ client_max_body_size 200m;
+ ssl_certificate /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem;
+ # save logs here
+ #access_log /var/log/nginx/access.log compression;
+
+ server_name ${SERVER_NAME};
+
+ location / {
+ proxy_pass ${DRONE_PROXY_PASS};
+ }
+ }
+
+ server {
+ # resolver 127.0.0.11 valid=30s; ## internal docker dns
+ #listen [::]:3011 default ipv6only=on; ## listen for ipv6
+ # listen 444
+ listen 443 ssl;
+ # this should allow large docs
+ client_header_timeout 120s;
+ client_body_timeout 120s;
+ client_max_body_size 0;
+ ssl_certificate /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem;
+ # save logs here
+ #access_log /var/log/nginx/access.log compression;
+
+
+ # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+ ssl_protocols TLSv1.1 TLSv1.2;
+ ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+
+ # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
+ chunked_transfer_encoding on;
+
+ server_name ${SERVER_NAME};
+
+ location ${LOCATION} {
+ proxy_pass ${PROXY_PASS};
+ }
+ location ${BLOG_LOCATION} {
+ proxy_set_header Host
${DOLLAR}http_host;
+ proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
+ proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme;
+ proxy_buffering off;
+ proxy_pass ${BLOG_PROXY_PASS};
+ }
+
+ location ${CHAT_LOCATION}sockjs {
+ proxy_pass ${CHAT_PROXY_PASS}/chat/sockjs;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade ${DOLLAR}http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Host ${DOLLAR}host;
+ proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
+ proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+ proxy_set_header X-Forward-Proto http;
+ proxy_set_header X-Nginx-Proxy true;
+ proxy_redirect off;
+
+ }
+ location ${CHAT_LOCATION}sockjs/ {
+ proxy_pass ${CHAT_PROXY_PASS}/chat/sockjs/;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade ${DOLLAR}http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Host ${DOLLAR}host;
+ proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
+ proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+ proxy_set_header X-Forward-Proto http;
+ proxy_set_header X-Nginx-Proxy true;
+ proxy_redirect off;
+
+
+ }
+ location ${CHAT_LOCATION} {
+ proxy_pass ${CHAT_PROXY_PASS};
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade ${DOLLAR}http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host ${DOLLAR}http_host;
+ proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
+ proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+ proxy_set_header X-Forward-Proto http;
+ proxy_set_header X-Nginx-Proxy true;
+ proxy_redirect off;
+
+ }
+ }
+
diff --git a/letsencrypt-nginx/conf/git.conf b/letsencrypt-nginx/conf/git.conf
index 3486818..534f00b 100644
--- a/letsencrypt-nginx/conf/git.conf
+++ b/letsencrypt-nginx/conf/git.conf
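Review bot: `conf/copy-1` is an intermediate snapshot of `git.conf` (it carries the `DRONE_PROXY_PASS` change but not the port-5001 registry vhost) and reads as an editing leftover; remove it instead of committing it. If it is kept for some reason, its three chat/sockjs locations send `proxy_set_header X-Forward-Proto http;`, where the header name is misspelled and advertises plain http behind a TLS vhost; `proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme;` is what the blog location in the same file already uses.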
@@ -1,3 +1,11 @@
+ ## Set a variable to help us decide if we need to add the
+ ## 'Docker-Distribution-Api-Version' header.
+ ## The registry always sets this header.
+ ## In the case of nginx performing auth, the header is unset
+ ## since nginx is auth-ing before proxying.
+ map ${DOLLAR}upstream_http_docker_distribution_api_version ${DOLLAR}docker_distribution_api_version {
+ '' 'registry/2.0';
+ }
 server {
 # resolver 127.0.0.11 valid=30s; ## internal docker dns
@@ -34,9 +42,54 @@
 server_name ${SERVER_NAME};
 location / {
- proxy_pass http://drone-server:8080/;
+ proxy_pass ${DRONE_PROXY_PASS};
 }
 }
+ server {
+ # resolver 127.0.0.11 valid=30s; ## internal docker dns
+ #listen [::]:3011 default ipv6only=on; ## listen for ipv6
+ # listen 444
+ listen 5001 ssl;
+ # this should allow large docs
+ client_header_timeout 120s;
+ client_body_timeout 120s;
+ client_max_body_size 0;
+ ssl_certificate /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem;
+ # save logs here
+ #access_log /var/log/nginx/access.log compression;
+
+
+ # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+ ssl_protocols TLSv1.1 TLSv1.2;
+ ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+
+ # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
+ chunked_transfer_encoding on;
+
+ server_name ${SERVER_NAME};
+
+
+ location /v2/ {
+ # Do not allow connections from docker 1.5 and earlier
+ # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
+ if (${DOLLAR}http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
+ return 404;
+ }
+ add_header 'Docker-Distribution-Api-Version' ${DOLLAR}docker_distribution_api_version always;
+
+ proxy_set_header Host ${DOLLAR}http_host;
+ proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
+ proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme;
+ proxy_buffering off;
+ proxy_pass ${REGISTRY_PROXY_PASS};
+
+ }
+ }
+
 server {
 # resolver 127.0.0.11 valid=30s; ## internal docker dns
 #listen [::]:3011 default ipv6only=on; ## listen for ipv6
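Review bot: The `location /v2/` block in the new `listen 5001 ssl` server proxies straight to the registry with no `auth_basic`, even though the `map` comment added at the top of this same file assumes nginx is "auth-ing before proxying"; together with a registry service that configures no auth of its own, this exposes anonymous push and pull on an internet-facing port, and whatever is pushed there is what the stack deploys. Add `auth_basic "Docker Registry"; auth_basic_user_file /etc/nginx/conf.d/registry.htpasswd;` inside the location (and ship that file into the image), or configure htpasswd/token auth on the registry itself. Separately, `ssl_protocols TLSv1.1 TLSv1.2;` still offers TLS 1.1, which is deprecated by RFC 8996; `ssl_protocols TLSv1.2 TLSv1.3;` is the usual floor now, assuming the image's nginx and OpenSSL support 1.3.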
@@ -45,14 +98,24 @@
 # this should allow large docs
 client_header_timeout 120s;
 client_body_timeout 120s;
- client_max_body_size 200m;
+ client_max_body_size 0;
 ssl_certificate /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem;
 # save logs here
 #access_log /var/log/nginx/access.log compression;
- server_name ${SERVER_NAME};
+ # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+ ssl_protocols TLSv1.1 TLSv1.2;
+ ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+
+ # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
+ chunked_transfer_encoding on;
+
+ server_name ${SERVER_NAME};
+
 location ${LOCATION} {
 proxy_pass ${PROXY_PASS};
 }
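Review bot: Changing `client_max_body_size 200m;` to `client_max_body_size 0;` removes nginx's request-body limit for the whole public 443 vhost, so every app behind it (gitea, ghost, chat) now accepts unbounded uploads, while only the registry vhost on 5001 actually needs the limit lifted. Keep a bounded value here — `client_max_body_size 200m;` or whatever the largest expected git push needs — and leave `0` to the 5001 server block. This hunk also copies `ssl_protocols TLSv1.1 TLSv1.2;` onto the main vhost; `TLSv1.2 TLSv1.3` is preferable since TLS 1.1 is deprecated. The enclosing `server {` opens before this hunk and closes after it.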