.

.drone-home.star

@@ -30,8 +30,8 @@ def main(ctx):
           ),
           wait(15, "wait"),
           build("guacamole-postgresql"),
-           build("ngrok-gitea"),
+          build("ngrok-gitea"),
-           build("letsencrypt-nginx"),
+          build("letsencrypt-nginx"),
           build("drone-starlark"),
           buildDockerFolder(
             "Dockerfile.home",
@@ -40,6 +40,7 @@ def main(ctx):
             "letsencrypt-nginx",
             "home",
           ),
+          
           buildDockerFolder(
             "Dockerfile.blog",
             "$${LOCAL_DOCKER_REGISTRY}letsencrypt-nginx",

.drone-remote.star

@@ -21,7 +21,7 @@ def main(ctx):
   if ctx.build.branch == 'remote':
     return [
       pipeline(
-        'home-deploy',
+        'remote-deploy',
         [
           printSecrets(
             "env-stack",

docker-compose-home.yml

@@ -46,6 +46,15 @@ services:
       - CERTBOT_EMAIL=${CERTBOT_EMAIL}
       - SERVER_NAME=${GIT_DOMAIN}
       - PROXY_PASS=http://gitea:3000/
+      - BLOG_PROXY_PASS=http://ghost:2368
+      - CHAT_PROXY_PASS=http://chat:3000
+      - REMOTE_PROXY_PASS=http://guacamole:8080/guacamole/
+      - DRONE_PROXY_PASS=http://drone-server:8080
+      - REGISTRY_PROXY_PASS=http://registry:5000
+      - LOCATION=/git/
+      - BLOG_LOCATION=/blog/
+      - CHAT_LOCATION=/chat/
+      - REMOTE_LOCATION=/remote/
     volumes:
       - letsencrypt-git:/etc/letsencrypt
     networks:

letsencrypt-nginx/Dockerfile.git

@@ -1,3 +1,4 @@
 ARG image
 FROM $image
+COPY website /www/data
 COPY ./conf/git.conf /etc/nginx/user.conf.d/server._conf

letsencrypt-nginx/conf/git.conf

@@ -1,3 +1,11 @@
+        ## Set a variable to help us decide if we need to add the
+        ## 'Docker-Distribution-Api-Version' header.
+        ## The registry always sets this header.
+        ## In the case of nginx performing auth, the header is unset
+        ## since nginx is auth-ing before proxying.
+        map ${DOLLAR}upstream_http_docker_distribution_api_version ${DOLLAR}docker_distribution_api_version {
+             '' 'registry/2.0';
+        }
 
     server {
         # resolver 127.0.0.11 valid=30s; ## internal docker dns
@@ -21,7 +29,7 @@
         # resolver 127.0.0.11 valid=30s; ## internal docker dns
         #listen   [::]:3011 default ipv6only=on; ## listen for ipv6
         # listen 444
-        listen 443 ssl;
+        listen 5000 ssl;
                 # this should allow large docs
         client_header_timeout 120s;
                 client_body_timeout 120s;
@@ -34,6 +42,165 @@
         server_name ${SERVER_NAME};
 
         location / {
-           proxy_pass ${PROXY_PASS};
+           proxy_pass ${DRONE_PROXY_PASS};
         }
     }
+    server {
+        # resolver 127.0.0.11 valid=30s; ## internal docker dns
+        #listen   [::]:3011 default ipv6only=on; ## listen for ipv6
+        # listen 444
+        listen 5001 ssl;
+                # this should allow large docs
+        client_header_timeout 120s;
+                client_body_timeout 120s;
+                client_max_body_size 0;
+        ssl_certificate     /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem;
+        # save logs here
+        #access_log /var/log/nginx/access.log compression;
+
+
+        # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+        ssl_protocols TLSv1.1 TLSv1.2;
+        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+        ssl_prefer_server_ciphers on;
+        ssl_session_cache shared:SSL:10m;
+
+        # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
+        chunked_transfer_encoding on;
+
+        server_name ${SERVER_NAME};
+
+
+        location /v2/ {
+            # Do not allow connections from docker 1.5 and earlier
+                # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
+                if (${DOLLAR}http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
+                     return 404;
+                }
+                add_header 'Docker-Distribution-Api-Version' ${DOLLAR}docker_distribution_api_version always;
+
+                proxy_set_header Host ${DOLLAR}http_host;
+                proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
+                proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+                proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme;
+                proxy_buffering off;
+                proxy_pass ${REGISTRY_PROXY_PASS};
+
+        }
+    }
+
+    server {
+        # resolver 127.0.0.11 valid=30s; ## internal docker dns
+        #listen   [::]:3011 default ipv6only=on; ## listen for ipv6
+        # listen 444
+        listen 443 ssl;
+                # this should allow large docs
+        client_header_timeout 120s;
+                client_body_timeout 120s;
+                client_max_body_size 0;
+        ssl_certificate     /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem;
+        # save logs here
+        #access_log /var/log/nginx/access.log compression;
+
+
+        # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+        ssl_protocols TLSv1.1 TLSv1.2;
+        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+        ssl_prefer_server_ciphers on;
+        ssl_session_cache shared:SSL:10m;
+
+        # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
+        chunked_transfer_encoding on;
+
+        server_name ${SERVER_NAME};
+
+        root /www/data;
+
+        location / {
+        }
+        
+        location ${LOCATION} {
+           proxy_pass ${PROXY_PASS};
+        }
+        location ${BLOG_LOCATION} {
+                proxy_set_header Host ${DOLLAR}http_host;
+                proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
+                proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+                proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme;
+                proxy_buffering off;
+                proxy_pass ${BLOG_PROXY_PASS};
+        }
+
+        location ${CHAT_LOCATION}sockjs {
+          proxy_pass ${CHAT_PROXY_PASS}/chat/sockjs;
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade ${DOLLAR}http_upgrade;
+          proxy_set_header Connection "Upgrade";
+          proxy_set_header Host ${DOLLAR}host;
+          proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
+        proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+        proxy_set_header X-Forward-Proto http;
+        proxy_set_header X-Nginx-Proxy true;
+        proxy_redirect off;
+
+        }
+        location ${CHAT_LOCATION}sockjs/ {
+          proxy_pass ${CHAT_PROXY_PASS}/chat/sockjs/;
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade ${DOLLAR}http_upgrade;
+          proxy_set_header Connection "Upgrade";
+          proxy_set_header Host ${DOLLAR}host;
+          proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
+        proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+        proxy_set_header X-Forward-Proto http;
+        proxy_set_header X-Nginx-Proxy true;
+        proxy_redirect off;
+        
+
+        }
+        location ${CHAT_LOCATION} {
+           proxy_pass ${CHAT_PROXY_PASS};
+           proxy_http_version 1.1;
+           proxy_set_header Upgrade ${DOLLAR}http_upgrade;
+           proxy_set_header Connection "upgrade";
+           proxy_set_header Host ${DOLLAR}http_host;
+           proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
+           proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+           proxy_set_header X-Forward-Proto http;
+           proxy_set_header X-Nginx-Proxy true;
+           proxy_redirect off;
+        }
+        location ${REMOTE_LOCATION}websocket-tunnel {
+          proxy_pass ${REMOTE_PROXY_PASS}websocket-tunnel;
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade ${DOLLAR}http_upgrade;
+          proxy_set_header Connection "Upgrade";
+          proxy_set_header Host ${DOLLAR}host;
+          proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
+           proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+           proxy_set_header X-Forward-Proto http;
+           proxy_set_header X-Nginx-Proxy true;
+           proxy_redirect off;
+
+        }
+                location ${REMOTE_LOCATION}websocket-tunnel/ {
+          proxy_pass ${REMOTE_PROXY_PASS}websocket-tunnel/;
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade ${DOLLAR}http_upgrade;
+          proxy_set_header Connection "Upgrade";
+          proxy_set_header Host ${DOLLAR}host;
+          proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
+           proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+           proxy_set_header X-Forward-Proto http;
+           proxy_set_header X-Nginx-Proxy true;
+           proxy_redirect off;
+
+        }
+
+        location ${REMOTE_LOCATION} {
+           proxy_pass ${REMOTE_PROXY_PASS};
+        }
+    }
+