From f46df35d6d0472295f86bff07b9c644442d73a3a Mon Sep 17 00:00:00 2001
From: Bram Prieshof
Date: Tue, 21 Sep 2021 00:37:58 +0000
Subject: [PATCH] Added nginx CT

---
 .gitignore | 3 +-
 CT-Build/Alpine.Jenkinsfile | 2 +-
 CT-Build/Alpine.yaml | 32 ++++++-
 CT-Files/nginx/Configs/acmesh.conf | 9 ++
 CT-Files/nginx/Configs/nginx.conf | 63 ++++++++++++++
 CT-Files/nginx/Configs/nginx_template_nossl | 11 +++
 CT-Files/nginx/Configs/nginx_template_ssl | 22 +++++
 CT-Files/nginx/Configs/profile | 3 +
 CT-Files/nginx/Scripts/AddDomain.sh | 94 +++++++++++++++++++++
 CT-Files/nginx/Scripts/FirstRun.sh | 9 ++
 CT-Files/nginx/Scripts/Init.sh | 31 +++++++
 Scripts/GetExternalResources.sh | 2 +
 12 files changed, 278 insertions(+), 3 deletions(-)
 create mode 100644 CT-Files/nginx/Configs/acmesh.conf
 create mode 100644 CT-Files/nginx/Configs/nginx.conf
 create mode 100644 CT-Files/nginx/Configs/nginx_template_nossl
 create mode 100644 CT-Files/nginx/Configs/nginx_template_ssl
 create mode 100644 CT-Files/nginx/Configs/profile
 create mode 100644 CT-Files/nginx/Scripts/AddDomain.sh
 create mode 100644 CT-Files/nginx/Scripts/FirstRun.sh
 create mode 100644 CT-Files/nginx/Scripts/Init.sh

diff --git a/.gitignore b/.gitignore
index c5e8d49..75e4321 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 *.tar.xz
 *.tar.gz
 *.tar
-/distrobuilder
\ No newline at end of file
+/distrobuilder
+CT-Files/nginx/nginx_signing.rsa.pub
\ No newline at end of file
diff --git a/CT-Build/Alpine.Jenkinsfile b/CT-Build/Alpine.Jenkinsfile
index 02de0d9..51e33c9 100644
--- a/CT-Build/Alpine.Jenkinsfile
+++ b/CT-Build/Alpine.Jenkinsfile
@@ -1,4 +1,4 @@
-String[] ImgVariantList = ['minmal', 'default' , 'gitea' ]
+String[] ImgVariantList = ['minmal', 'default' , 'gitea' , 'nginx' ]
 pipeline {
 agent { label 'LXCBuilder' }
diff --git a/CT-Build/Alpine.yaml b/CT-Build/Alpine.yaml
index 63fd23c..72e975d 100644
--- a/CT-Build/Alpine.yaml
+++ b/CT-Build/Alpine.yaml
@@ -257,12 +257,21 @@ files:
 ::shutdown:/sbin/openrc shutdown
 #Readme for FirstRunScript
+
+ ## for edit and run versions
 - path: /root/ReadMe
 generator: dump
 content: |-
 To setup this container edit and run the FirstRun script `/opt/Setup/Scripts/FirstRun.sh`
 variants:
 - gitea
+## for run only version
+- path: /root/ReadMe
+ generator: dump
+ content: |-
+ To setup this container run the FirstRun script `/opt/Setup/Scripts/FirstRun.sh`
+ variants:
+ - nginx
 #FileForGitea
 - path: /opt/Setup
@@ -271,6 +280,13 @@ files:
 variants:
 - gitea
+#FileForNginx
+- path: /opt/Setup
+ generator: copy
+ source: CT-Files/nginx
+ variants:
+ - nginx
+
 packages:
 manager: apk
 update: true
@@ -280,12 +296,24 @@ packages:
 - alpine-base
 - tzdata
 action: install
+
+ #Https Repo pkgs
+ - packages:
+ - openssl
+ - curl
+ action: install
+ variants:
+ - nginx
+
+ #PKGS for Default
 - packages:
 - nano
 - openssh-server
 action: install
 variants:
 - default
+
+ #PKGS for Gitea
 - packages:
 - py3-pip
 - xz
@@ -300,7 +328,8 @@ packages:
 #StartREPOS
 http://192.168.2.83/alpine/v{{ image.release }}/main
 http://192.168.2.83/alpine/v{{ image.release }}/community
- #EndREPOS
+ #EndREPOS
+
 actions:
 - trigger: post-unpack
@@ -337,6 +366,7 @@ actions:
 rm /opt/Setup/Scripts/Init.sh
 variants:
 - gitea
+ - nginx
 mappings:
 architecture_map: alpinelinux
diff --git a/CT-Files/nginx/Configs/acmesh.conf b/CT-Files/nginx/Configs/acmesh.conf
new file mode 100644
index 0000000..fe55180
--- /dev/null
+++ b/CT-Files/nginx/Configs/acmesh.conf
@@ -0,0 +1,9 @@
+#LOG_FILE="/etc/acmesh/data/acme.sh.log"
+#LOG_LEVEL=1
+AUTO_UPGRADE="1"
+NOTIFY_LEVEL='1'
+#NO_TIMESTAMP=1
+CERT_HOME="/etc/acmesh/certs"
+LE_WORKING_DIR="/opt/acmesh"
+LE_CONFIG_HOME="/etc/acmesh/data"
+USER_PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin'
\ No newline at end of file
diff --git a/CT-Files/nginx/Configs/nginx.conf b/CT-Files/nginx/Configs/nginx.conf
new file mode 100644
index 0000000..9585809
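Review bot: `AUTO_UPGRADE="1"` in acmesh.conf lets the nightly cron job added by Init.sh replace acme.sh with whatever is on the upstream branch at that moment, so root-level code in the container changes without a rebuild or review; the same unpinned source is used by `GetResource nginx acmesh.tar.gz https://codeload.github.com/acmesh-official/acme.sh/tar.gz/master` in Scripts/GetExternalResources.sh and by the `--upgrade` call in Init.sh. I would set `AUTO_UPGRADE="0"` here, fetch a tagged release (`.../tar.gz/<RELEASE_TAG>`, with the tarball checksum recorded next to the URL) in GetExternalResources.sh, and drop the `--upgrade` step so the image content is reproducible and acme.sh only changes when the image is rebuilt. Separately, `USER_PATH` lists `/usr/games`, `/usr/local/games` and `/snap/bin`, which do not exist on Alpine; presumably copied from a config generated elsewhere, harmless but worth trimming to the paths that exist in this image.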
--- /dev/null
+++ b/CT-Files/nginx/Configs/nginx.conf
@@ -0,0 +1,63 @@
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log notice;
+pid /var/run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ server_tokens off;
+ client_body_buffer_size 10K;
+ client_header_buffer_size 1k;
+ client_max_body_size 8m;
+ large_client_header_buffers 4 4k;
+ server_names_hash_bucket_size 64;
+ root /usr/share/nginx/html;
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+ access_log off;
+ error_log /var/log/nginx/error.log;
+ #Gzip
+ gzip on;
+ gzip_proxied any;
+ gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
+ gzip_comp_level 2;
+ gzip_disable "msie6";
+ gzip_buffers 16 8k;
+ #SSL
+ resolver 8.8.8.8;
+ ssl_ecdh_curve secp384r1;
+ ssl_session_cache shared:le_nginx_SSL:1m;
+ ssl_session_timeout 1440m;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_prefer_server_ciphers on;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+ add_header X-Frame-Options sameorigin;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Xss-Protection "1; mode=block";
+ add_header Strict-Transport-Security "max-age=31536000" always;
+ ssl_dhparam /etc/acmesh/certs/ssl-dhparams.pem;
+ #Load Other configs
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+
+ #Server config for unconfigured domains
+ server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ server_name _;
+ add_header Content-Type text/html;
+ return 200 'Nginx is functioning normally';
+ }
+
+}
\ No newline at end of file
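Review bot: In the catch-all server block near the end of the hunk, `add_header Content-Type text/html;` appends a second Content-Type header instead of replacing the one nginx derives from `default_type application/octet-stream;`, so the `return 200` body goes out with both; the directive that actually sets the type there is `default_type text/html;`. Because that server now has an `add_header` of its own, it also stops inheriting `X-Frame-Options`, `X-Content-Type-Options`, `X-Xss-Protection` and `Strict-Transport-Security` from the `http` level (nginx only inherits add_header when the current level defines none), which is probably not intended for the default server; switching to `default_type` fixes both. The same `add_header Content-Type text/html;` appears in CT-Files/nginx/Configs/nginx_template_nossl and the same replacement applies there. `resolver 8.8.8.8;` sends every OCSP-stapling lookup for every vhost to an external resolver over plain DNS; if that is deliberate, a comment such as `# resolver used for OCSP stapling lookups; external on purpose` makes the choice reviewable, otherwise the container's own resolver is the safer default.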
diff --git a/CT-Files/nginx/Configs/nginx_template_nossl b/CT-Files/nginx/Configs/nginx_template_nossl
new file mode 100644
index 0000000..ac9d321
--- /dev/null
+++ b/CT-Files/nginx/Configs/nginx_template_nossl
@@ -0,0 +1,11 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name DOMAINname;
+
+#beginConf
+ add_header Content-Type text/html;
+ return 200 'Nginx is config for DOMAINname is created';
+#endConf
+
+}
\ No newline at end of file
diff --git a/CT-Files/nginx/Configs/nginx_template_ssl b/CT-Files/nginx/Configs/nginx_template_ssl
new file mode 100644
index 0000000..9de04b7
--- /dev/null
+++ b/CT-Files/nginx/Configs/nginx_template_ssl
@@ -0,0 +1,22 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name DOMAINname;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name DOMAINname;
+ ssl_certificate /etc/acmesh/inst/DOMAINname/fullchain.pem;
+ ssl_certificate_key /etc/acmesh/inst/DOMAINname/key.pem;
+ ssl_trusted_certificate /etc/acmesh/inst/DOMAINname/fullchain.pem;
+
+#ConfHere
+
+}
\ No newline at end of file
diff --git a/CT-Files/nginx/Configs/profile b/CT-Files/nginx/Configs/profile
new file mode 100644
index 0000000..fe3e1b6
--- /dev/null
+++ b/CT-Files/nginx/Configs/profile
@@ -0,0 +1,3 @@
+export LE_WORKING_DIR="/opt/acmesh"
+export LE_CONFIG_HOME="/etc/acmesh/data"
+alias acmesh="/opt/acmesh/acme.sh --config-home '/etc/acmesh/data'"
\ No newline at end of file
diff --git a/CT-Files/nginx/Scripts/AddDomain.sh b/CT-Files/nginx/Scripts/AddDomain.sh
new file mode 100644
index 0000000..36a0a7b
--- /dev/null
+++ b/CT-Files/nginx/Scripts/AddDomain.sh
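Review bot: `ssl_trusted_certificate /etc/acmesh/inst/DOMAINname/fullchain.pem;` in the ssl template is what `ssl_stapling_verify on` (set in nginx.conf) uses to validate OCSP responses, and nginx's documentation asks for the issuer chain up to the root there; a fullchain file holds the leaf plus intermediates, so whether verification succeeds or nginx logs a stapling verify error and silently stops stapling depends on the OpenSSL build — worth checking the error log after the first issuance. AddDomain.sh already installs a separate CA bundle with `--ca-file /etc/acmesh/inst/$domain/ca.cer`, so `ssl_trusted_certificate /etc/acmesh/inst/DOMAINname/ca.cer;` is the natural candidate if the current file turns out not to verify. The `DOMAINname` token is replaced by sed in AddDomain.sh, which a reader of these templates cannot know; a one-line `# DOMAINname is substituted by /opt/AddDomain.sh` at the top of both templates would document the contract.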
@@ -0,0 +1,94 @@
+#!/bin/ash
+
+self=$0
+create=false
+request=false
+
+show_help () {
+ cat <
+
+Options:
+ -c, Will create nginx config for domain
+ -r, Will request ssl for domain
+
+END_HELP
+}
+
+while getopts crh opt; do
+ case $opt in
+ c) create=true ;;
+ r) request=true ;;
+ h) show_help
+ exit ;;
+ *) echo 'Error in parsing options' >&2
+ exit 1
+ esac
+done
+
+shift "$(( OPTIND - 1 ))"
+for domain do
+ domain=$domain
+done
+
+#if no flags given quit with help promt
+if ! $create && ! $request; then
+ echo "No option set"
+ show_help
+ exit 1
+fi
+
+#if only request test if domain exists
+if ! $create && $request; then
+ if ! test -f /etc/nginx/sites-enabled/"$domain" ; then
+ echo 'Domain does not exist yet, please create it using the `-c` option'
+ show_help
+ exit 1
+ fi
+fi
+
+echo $domain
+echo $create
+echo $request
+
+if $create; then
+ mkdir -p /etc/acmesh/inst/$domain
+ cp /etc/nginx/sites-available/nginx_template_nossl /etc/nginx/sites-available/"$domain"_nossl
+ sed -i -e 's/DOMAINname/'$domain'/g' /etc/nginx/sites-available/"$domain"_nossl
+ cp /etc/nginx/sites-available/nginx_template_ssl /etc/nginx/sites-available/"$domain"_ssl
+ sed -i -e 's/DOMAINname/'$domain'/g' /etc/nginx/sites-available/"$domain"_ssl
+ ln -s /etc/nginx/sites-available/"$domain"_nossl /etc/nginx/sites-enabled/"$domain"
+ service nginx reload
+fi
+
+if $request; then
+ #Backing-up and removing current config
+ sed -n '/#beginConf/,/#endConf/p' /etc/nginx/sites-available/"$domain"_nossl > /tmp/"$domain"-config
+ sed -n -i '/#beginConf/{:a;N;/#endConf/!ba;N;s/.*\n/#ConfHere\n/};p' /etc/nginx/sites-available/"$domain"_nossl
+ service nginx reload
+
+ #Enabling SSL
+ /opt/acmesh/acme.sh --config-home '/etc/acmesh/data' --issue --nginx --ocsp --keylength 'ec-384' -d "$domain"
+ certsatus=$?
+
+ if test $certsatus -eq 0
+ then
+ site_ext="ssl"
+ mkdir -p /etc/acmesh/inst/$domain
+ /opt/acmesh/acme.sh --config-home '/etc/acmesh/data' --install-cert --ecc --domain $domain --cert-file /etc/acmesh/inst/$domain/cert.pem --key-file /etc/acmesh/inst/$domain/key.pem --ca-file /etc/acmesh/inst/$domain/ca.cer --fullchain-file /etc/acmesh/inst/$domain/fullchain.pem --reloadcmd 'service nginx reload'
+ else
+ site_ext="nossl"
+ rm -rf /etc/acmesh/certs/$domain*
+ echo "LE failed, restoring configuration"
+ fi
+ unset certsatus
+
+ #Restoring config
+ sed -i -e "1,/^#ConfHere/s/\(^#Conf.*\)/#ConfHere1 /" -e "/#ConfHere1/ r /tmp/"$domain"-config" -e '/#ConfHere/c\' /etc/nginx/sites-available/"$domain"_"$site_ext"
+
+
+ rm /etc/nginx/sites-enabled/"$domain"
+ ln -s /etc/nginx/sites-available/"$domain"_"$site_ext" /etc/nginx/sites-enabled/"$domain"
+ service nginx reload
+fi
+
\ No newline at end of file
diff --git a/CT-Files/nginx/Scripts/FirstRun.sh b/CT-Files/nginx/Scripts/FirstRun.sh
new file mode 100644
index 0000000..fa10e73
--- /dev/null
+++ b/CT-Files/nginx/Scripts/FirstRun.sh
@@ -0,0 +1,9 @@
+#!/bin/ash
+read -p "Enter the E-Mail to use for LE: " email
+openssl dhparam -dsaparam -out /etc/acmesh/certs/ssl-dhparams.pem 4096
+#Setup LE account in Acme.sh
+/opt/acmesh/acme.sh --config-home "/etc/acmesh/data" --register-account
+/opt/acmesh/acme.sh --config-home "/etc/acmesh/data" --update-account --accountemail "$email"
+
+#Update ReadMe
+echo 'Use `ash /opt/AddDomain.sh` to add domains, and install SSL certs' > ~/ReadMe
\ No newline at end of file
diff --git a/CT-Files/nginx/Scripts/Init.sh b/CT-Files/nginx/Scripts/Init.sh
new file mode 100644
index 0000000..c2dad53
--- /dev/null
+++ b/CT-Files/nginx/Scripts/Init.sh
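Review bot: `$domain` is never checked for being set, and in the failure branch of the request path `rm -rf /etc/acmesh/certs/$domain*` expands to `rm -rf /etc/acmesh/certs/*` when it is empty — that removes `ssl-dhparams.pem`, which nginx.conf references through `ssl_dhparam`, and every certificate acme.sh has issued so far. The same unquoted expansion feeds the `sed -i -e 's/DOMAINname/'$domain'/g'` calls and the `mkdir -p /etc/acmesh/inst/$domain` lines, so a value containing `/`, whitespace or sed metacharacters produces a broken vhost file or a stray directory rather than an error. I would add right after the `for domain do` loop: `[ -n "$domain" ] || { echo 'No domain given' >&2; show_help; exit 1; }`, reject values containing `/` there too, and quote the remaining expansions (`"$domain"`, `"s/DOMAINname/$domain/g"`). Even with a valid domain the `$domain*` glob also matches any other domain that merely starts with the same string; acme.sh stores ECC material under a `_ecc` suffix, so `"$domain" "$domain"_ecc` would be a tighter pattern — confirm against the layout under `/etc/acmesh/certs`. The three `echo $domain`, `echo $create`, `echo $request` lines read as leftover debugging output and should go before this is built into the image.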
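Review bot: `openssl dhparam -dsaparam -out /etc/acmesh/certs/ssl-dhparams.pem 4096` in FirstRun.sh generates DSA-style parameters whose prime is not a safe prime, which OpenSSL's own manual says to use with caution; the parameters exist only to serve the two `DHE-RSA-*` suites at the end of the `ssl_ciphers` list in nginx.conf, which with `ssl_prefer_server_ciphers on` are selected only for clients that offer no ECDHE suite at all. Either drop `-dsaparam` and accept the slower one-time generation, or drop the DHE suites and this line together — the second is simpler and the cipher list already prefers ECDHE. The script also regenerates the file and re-registers the account on every invocation; a guard such as `[ -f /etc/acmesh/certs/ssl-dhparams.pem ] || openssl dhparam -out /etc/acmesh/certs/ssl-dhparams.pem 4096` keeps an accidental second run from overwriting the parameters nginx is already using.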
@@ -0,0 +1,31 @@
+#!/bin/ash
+#Setup Nginx repo
+echo "@nginx http://nginx.org/packages/mainline/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories
+mv /opt/Setup/nginx_signing.rsa.pub /etc/apk/keys/nginx_signing.rsa.pub
+
+#Install Nginx
+apk add nginx@nginx
+
+#Configure Nginx
+mkdir -p /etc/nginx/sites-available /etc/nginx/sites-enabled /etc/nginx/snippets /etc/nginx/modules-available /etc/nginx/modules-enabled /etc/nginx/snippets/
+rm -rf /etc/nginx/conf.d/*
+mv /opt/Setup/Configs/nginx.conf /etc/nginx/nginx.conf
+mv /opt/Setup/Configs/nginx_template_* /etc/nginx/sites-available/
+
+#Install AcmeSH
+mkdir -p /opt/acmesh /etc/acmesh/data /etc/acmesh/certs
+tar -zxf /opt/Setup/acmesh.tar.gz -C /opt/acmesh --strip-components=1
+rm -rf /opt/Setup/acmesh.tar.gz
+
+#Configure AcmeSH
+mv /opt/Setup/Configs/profile ~/.profile
+mv /opt/Setup/Configs/acmesh.conf /etc/acmesh/data/account.conf
+/opt/acmesh/acme.sh --home "/opt/acmesh/" --config-home "/etc/acmesh/data" --upgrade
+/opt/acmesh/acme.sh --config-home "/etc/acmesh/data" --set-default-ca --server letsencrypt
+echo '42 0 * * * "/opt/acmesh/acme.sh" --cron --home "/opt/acmesh/" --config-home "/etc/acmesh/data" > /dev/null' >> /etc/crontabs/root
+
+#Add `AddDomain` script
+mv /opt/Setup/Scripts/AddDomain.sh /opt/AddDomain.sh
+
+#Enable nginx on boot
+rc-update add nginx
\ No newline at end of file
diff --git a/Scripts/GetExternalResources.sh b/Scripts/GetExternalResources.sh
index cde365d..d276591 100644
--- a/Scripts/GetExternalResources.sh
+++ b/Scripts/GetExternalResources.sh
@@ -12,3 +12,5 @@ GetResource () {
 #PhpMyadmin for mysql variant
 GetResource mysql phpmyadmin.tar.gz https://www.phpmyadmin.net/downloads/phpMyAdmin-latest-english.tar.gz
+GetResource nginx nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub
+GetResource nginx acmesh.tar.gz https://codeload.github.com/acmesh-official/acme.sh/tar.gz/master
\ No newline at end of file
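Review bot: The renewal entry appended to `/etc/crontabs/root` only fires if crond is running, but the last line of Init.sh enables just nginx with `rc-update add nginx`; unless the base image enables crond somewhere outside this patch, certificates issued through AddDomain.sh will never be renewed and will expire after the 90-day Let's Encrypt lifetime with no error anywhere. Adding `rc-update add crond` next to the nginx line closes that gap. The repository line adds the nginx mirror over plain `http://`; that is acceptable only because apk verifies package signatures against the key moved into `/etc/apk/keys` on the following line, so a comment like `# http is fine here: apk checks signatures with nginx_signing.rsa.pub installed below` would keep a later cleanup from dropping the key step. Minor: `egrep` is the deprecated spelling of `grep -E`, and `/etc/nginx/snippets` appears twice in the `mkdir -p` list.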