From 7d05a9d5d55bb07638d5ba53c341435eaf94e9b5 Mon Sep 17 00:00:00 2001 From: crt Date: Thu, 11 Jul 2024 03:40:18 +0200 Subject: [PATCH] Finished Nginx Documentation --- README.md | 1 + image-builder-512mb/README.md | 15 +- image-builder-512mb/debian-nginx.conf | 43 ----- image-builder-512mb/debian-nginx.sh | 21 --- image-builder-512mb/image_builder.sh | 30 +++- image-builder-512mb/nginx-debian.conf | 247 ++++++++++++++++++++++++++ image-builder-512mb/script.sh | 22 --- image-builder-512mb/settings.conf | 47 ----- 8 files changed, 277 insertions(+), 149 deletions(-) delete mode 100644 image-builder-512mb/debian-nginx.conf delete mode 100644 image-builder-512mb/debian-nginx.sh create mode 100644 image-builder-512mb/nginx-debian.conf delete mode 100644 image-builder-512mb/script.sh delete mode 100644 image-builder-512mb/settings.conf diff --git a/README.md b/README.md index fdd2362..49d9535 100644 --- a/README.md +++ b/README.md @@ -31,3 +31,4 @@ See [Image Builder Readme](image-builder/README.md) ### Project specific image_builder files All Project files that achieved the goals listen in the [JOURNAL.md](JOURNAL.md) are Documented here : [Realizing Projects](image-builder/README.md) +* With Critical Infrastructure Data left out as it will be used in Production and therefore shouldn't have all its infos displayed publicly diff --git a/image-builder-512mb/README.md b/image-builder-512mb/README.md index ad573ab..fad6de0 100644 --- a/image-builder-512mb/README.md +++ b/image-builder-512mb/README.md @@ -3,7 +3,7 @@ ## Nginx Proxy manager Requirements : - Nginx WebUI : https://github.com/0xJacky/nginx-ui/tree/dev - - Configs and Websites Stored on seperate Mountpoint for easy reassignement + - Configs and Websites Stored Webserver for easy redeployment and changes Distro of Choice : Debian - Why ? : Eases installation of Nginx Plugins if needed and more up to date Nginx versions available compared to alpine 
@@ -13,21 +13,18 @@ The easiest way to do this is to manually install and configure things how you w 1. Making our Temporary Debian VM, adding the data directory and starting it : `pct create 201 adastor:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst --rootfs local-btrfs:8 --cores 2 --memory 1024 --swap 512 --net0 name=eth0,bridge=vmbr0,ip=dhcp --hostname debian-nginx-temp && pct set 201 -mp0 local-btrfs:8,mp=/data,size=8G && pct start 201` 2. Entering our container : `pct enter 201` -3. Completing a Manual Installation : +3. Completing a Manual Installation of the basics : ``` apt update -apt upgrade -apt autoremove -apt clean +apt upgrade -y apt install nginx-full curl -y systemctl enable --now nginx bash <(curl -L -s https://raw.githubusercontent.com/0xJacky/nginx-ui/master/install.sh) install systemctl enable --now nginx-ui -sed -i '/include \/etc\/nginx\/sites-enabled\/\*;/a include \/data\/configs\/\*conf;' /etc/nginx/nginx.conf ``` -4. Making it a bash script : -See debian-nginx.sh +4. Making it a bash script and implementing our config files aswell as website files : +See debian-nginx.conf 5. Building the Container Image : `./image_builder.sh --param-file debian-nginx.conf` 6. Move to your CT Template dir of choice :`mv ./vzdump-lxc-202-2024_06_29-10_52_05.tar.gz /mnt/pve/adastor/template/cache/debian-nginx-2024-06-29.tar.gz` -7. Enjoy our success and Deploy where needed with our configs in a mountpoint +7. Enjoy our success and Deploy where needed diff --git a/image-builder-512mb/debian-nginx.conf b/image-builder-512mb/debian-nginx.conf deleted file mode 100644 index 274d6df..0000000 --- a/image-builder-512mb/debian-nginx.conf +++ /dev/null 
@@ -1,43 +0,0 @@ - -TEMPLATE=adastor:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst -# Set your Baseimage here - -RAM=1024 -# Define RAM during setup - -SWAP=512 -# Define SWAP during setup - -CORES=2 -# Define Cores during setup - -BRIDGE=vmbr0 -# Define Network interface during Installation - -IP=dhcp -# Define IP During installation (use DHCP, proper static V4 not implemented) - -CTID= -# Manually Override CTID, not needed usually - -HOSTNAME=debian-nginx -# Set Temporary Hostname - -EXPORT_NAME=debian-nginx-image -# Doesnt work anyways so yea - -EXPORT_PATH= -# Leave this empty to use the current directory - -SCRIPT=debian-nginx.sh -# Leave this empty to use script.sh in the current directory - -MIN_ID=200 -# Define minimum ID for CT to avoid conflicts with other nodes if in a cluster - -STORAGE=local-btrfs -# Set what storage pool to use - -DISK_SIZE=8 -# Set the default disk size for the container - diff --git a/image-builder-512mb/debian-nginx.sh b/image-builder-512mb/debian-nginx.sh deleted file mode 100644 index 58741bf..0000000 --- a/image-builder-512mb/debian-nginx.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash - -# Ensure the locale environment variables are set correctly -export LANGUAGE=en_US.UTF-8 -export LANG=en_US.UTF-8 -export LC_ALL=en_US.UTF-8 - -# Install locales and configure locale settings -apt-get update -apt-get install -y locales -locale-gen en_US.UTF-8 - -apt update -apt upgrade -y -apt autoremove -y -apt clean -apt install nginx-full curl -y -systemctl enable --now nginx -bash <(curl -L -s https://raw.githubusercontent.com/0xJacky/nginx-ui/master/install.sh) install -systemctl enable --now nginx-ui -sed -i '/include \/etc\/nginx\/sites-enabled\/\*;/a include \/data\/configs\/\*conf;' /etc/nginx/nginx.conf diff --git a/image-builder-512mb/image_builder.sh b/image-builder-512mb/image_builder.sh index 3cfa6ac..fcd6234 100755 --- a/image-builder-512mb/image_builder.sh +++ b/image-builder-512mb/image_builder.sh 
@@ -37,7 +37,6 @@ while [[ "$#" -gt 0 ]]; do --hostname) HOSTNAME="$2"; shift ;; --export-name) EXPORT_NAME="$2"; shift ;; --export-path) EXPORT_PATH="$2"; shift ;; - --script) SCRIPT="$2"; shift ;; --min-id) MIN_ID="$2"; shift ;; --storage) STORAGE="$2"; shift ;; --disk-size) DISK_SIZE="$2"; shift ;; @@ -64,7 +63,6 @@ HOSTNAME=${HOSTNAME:-nginx-debian} EXPORT_NAME=${EXPORT_NAME:-mycontainer_backup} CURRENT_DIR=$(pwd) EXPORT_PATH=${EXPORT_PATH:-$CURRENT_DIR} -SCRIPT=${SCRIPT:-$CURRENT_DIR/script.sh} MIN_ID=${MIN_ID:-200} STORAGE=${STORAGE:-local-btrfs} DISK_SIZE=${DISK_SIZE:-8} @@ -72,21 +70,28 @@ MOUNT_POINT=${MOUNT_POINT:-} PRIVILEGED=${PRIVILEGED:-0} ROOTFS="${STORAGE}:${DISK_SIZE}" -# Check if the script file exists -if [ ! -f "$SCRIPT" ]; then - echo "Script file $SCRIPT does not exist." +# Check if the script content is provided +if [ -z "$SCRIPT_CONTENT" ]; then + echo "Script content not provided in the parameter file." exit 1 fi +# Write the script content to a temporary file +TEMP_SCRIPT=$(mktemp) +echo "$SCRIPT_CONTENT" > "$TEMP_SCRIPT" +chmod +x "$TEMP_SCRIPT" + # Check if the container already exists on the local node if pct status $CTID &>/dev/null; then echo "VM $CTID already exists on this node." + rm "$TEMP_SCRIPT" exit 1 fi # Create the container with the correct storage format if ! pct create $CTID $TEMPLATE --rootfs $ROOTFS --cores $CORES --memory $RAM --swap $SWAP --net0 name=eth0,bridge=$BRIDGE,ip=$IP --hostname $HOSTNAME --unprivileged $PRIVILEGED; then echo "Failed to create the container." + rm "$TEMP_SCRIPT" exit 1 fi @@ -94,6 +99,7 @@ fi if [ -n "$MOUNT_POINT" ]; then if ! pct set $CTID -mp0 $MOUNT_POINT,backup=1; then echo "Failed to set the mount point." + rm "$TEMP_SCRIPT" exit 1 fi fi 
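Review bot: In the `@@ -72,21 +70,28 @@` hunk, `echo "$SCRIPT_CONTENT" > "$TEMP_SCRIPT"` is the wrong tool for writing an arbitrary script body: a body whose first line is `-n` or `-e` is swallowed as an echo option, and builds with `xpg_echo` interpret backslash escapes, so use `printf '%s\n' "$SCRIPT_CONTENT" > "$TEMP_SCRIPT"` and check the mktemp itself with `TEMP_SCRIPT=$(mktemp) || exit 1`. The hand-placed `rm "$TEMP_SCRIPT"` calls that this and the following hunks add before each `exit 1` miss every other way out of the script (a signal, a `set -e` abort, a later exit), and judging by nginx-debian.conf in this same commit that temp file can contain a TLS private key; one `trap 'rm -f -- "$TEMP_SCRIPT"' EXIT` right after the mktemp covers all paths and lets the scattered `rm` lines go. Where SCRIPT_CONTENT is populated from `--param-file` lies outside this hunk; if that file is sourced, as the `$(cat <<'EOF' …)` assignment in nginx-debian.conf suggests, the parameter file executes arbitrary shell on the Proxmox host and the README should say so.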
@@ -101,19 +107,25 @@ fi # Start the container if ! pct start $CTID; then echo "Failed to start the container." + rm "$TEMP_SCRIPT" exit 1 fi -# Run the shell script in the container -if ! pct exec $CTID -- /bin/bash -c "$(cat $SCRIPT)"; then +# Copy the temporary script file to the container +pct push $CTID $TEMP_SCRIPT /root/script.sh -perms 755 + +# Run the script inside the container +if ! pct exec $CTID -- /root/script.sh; then echo "Failed to run the script inside the container." pct stop $CTID + rm "$TEMP_SCRIPT" exit 1 fi # Stop the container if ! pct stop $CTID; then echo "Failed to stop the container." + rm "$TEMP_SCRIPT" exit 1 fi @@ -121,7 +133,11 @@ fi BACKUP_FILE=$EXPORT_PATH/$EXPORT_NAME.tar.gz if ! vzdump $CTID --dumpdir $EXPORT_PATH --compress gzip; then echo "Failed to export the container." + rm "$TEMP_SCRIPT" exit 1 fi +# Cleanup +rm "$TEMP_SCRIPT" + echo "Container $CTID has been created, configured, and exported to $BACKUP_FILE" diff --git a/image-builder-512mb/nginx-debian.conf b/image-builder-512mb/nginx-debian.conf new file mode 100644 index 0000000..28e4a37 --- /dev/null +++ b/image-builder-512mb/nginx-debian.conf 
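Review bot: `pct push $CTID $TEMP_SCRIPT /root/script.sh -perms 755` is the one new command whose exit status is not checked, and nothing removes /root/script.sh before `pct stop` and `vzdump`, so the provisioning script — which with nginx-debian.conf in this commit carries the TLS certificate and private-key material once the placeholders are filled in — is baked into every exported template. Check the push and delete the script inside the container after it has run: `pct push "$CTID" "$TEMP_SCRIPT" /root/script.sh -perms 700 || { rm "$TEMP_SCRIPT"; exit 1; }`, then after the successful `pct exec`, `pct exec "$CTID" -- rm -f /root/script.sh`. Mode 755 also makes the file readable by every uid inside the container, and 700 is all root needs to execute it. The unquoted `$CTID` and `$TEMP_SCRIPT` on the push line should be quoted as the neighbouring `rm "$TEMP_SCRIPT"` lines already are.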
@@ -0,0 +1,247 @@ +TEMPLATE=adastor:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst +# Set your Baseimage here +RAM=1024 +# Define RAM during setup +SWAP=512 +# Define SWAP during setup +CORES=2 +# Define Cores during setup +BRIDGE=vmbr0 +# Define Network interface during Installation +IP=dhcp +# Define IP During installation (use DHCP, proper static V4 not implemented) +CTID= +# Manually Override CTID, not needed usually +HOSTNAME=nginx-512mb +# Set Temporary Hostname +EXPORT_NAME=MB-NGINX +# Doesnt work properly, ignore for now +EXPORT_PATH= +# Leave this empty to use the current directory +MIN_ID=200 +# Define minimum ID for CT to avoid conflicts with other nodes if in a cluster +STORAGE=local-btrfs +# Set what storage pool to use +DISK_SIZE=8 +# Set the default disk size for the container +MOUNT_POINT=local-lvm:8,mp=/data,size=8G +# Specify your mount point here +PRIVILEGED=0 +# Set to 1 for privileged container, 0 for unprivileged +SCRIPT_CONTENT=$(cat <<'EOF' +#!/bin/bash + +# Update package list and install nginx, unzip and curl +apt-get update +apt-get upgrade -y +apt-get install -y nginx-full unzip curl + +# Start nginx and enable service +systemctl start nginx +systemctl enable nginx + +# Setting Nginx Config Files +cat << 'EOT' > /etc/nginx/conf.d/512mb.ch.conf +server { +################################### +# Website stuff and basic configs # +################################### + + root /var/www/512mb.org; + index index.html; + server_name 512mb.ch; + listen [::]:443 ssl; # managed by Certbot + listen 443 ssl; # managed by Certbot + + location / { + try_files $uri $uri/ =404; + } + +############################### +# Vaultwarden Passwordmanager # +############################### + location /pass/ { + proxy_pass http://123.123.123.123/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + sub_filter_once off; + sub_filter 
'href="/' 'href="/pass/'; + sub_filter 'src="/' 'src="/pass/'; + } + + + +############## +# Mail Stuff # +############## + +# Allow Clients to automatically pick up CalDAV (like Thunderbird for example) + location /.well-known/caldav { + proxy_pass http://123.123.123.124/.well-known/caldav; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + +# Allow Client to automatically pick up CarDAV + location /.well-known/carddav { + proxy_pass http://123.123.123.124/.well-known/carddav; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + +# Attempt at making sogo served at /mail but it will redirect to /SOGo anyways but ey dont care enough + location /mail/ { + proxy_pass http://123.123.123.124/SOGo/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + sub_filter_once off; + sub_filter 'href="/SOGo/' 'href="/mail/SOGo/'; + sub_filter 'src="/SOGo/' 'src="/mail/SOGo/'; + sub_filter 'action="/SOGo/' 'action="/mail/SOGo/'; + sub_filter 'action="/SOGo/' 'action="/mail/SOGo/'; + sub_filter 'window.location="/SOGo/' 'window.location="/mail/SOGo/'; + sub_filter 'form action="/SOGo/' 'form action="/mail/SOGo/'; + } +# Allows SOGo stuff to be passed + location /SOGo.woa/ { + proxy_pass http://123.123.123.123/SOGo.woa/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } +# Makes sogo happy and makes it work + location /SOGo/ { + proxy_pass http://123.123.123.124/SOGo/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + 
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + +################### +# Nextcloud Stuff # +################### + + location /cloud/ { + proxy_pass http://123.123.123.124/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + sub_filter_once off; + sub_filter 'href="/' 'href="/cloud/'; + sub_filter 'src="/' 'src="/cloud/'; + add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; + client_max_body_size 0; + } + +###################### +# Media Server Stuff # +###################### + location /media { + return 302 $scheme://$host/media/; + } + + + location /media/ { + # Proxy main Jellyfin traffic + proxy_pass http://123.123.123.125/; + proxy_pass_request_headers on; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $http_connection; + # Disable buffering when the nginx proxy gets very resource heavy upon streaming + proxy_buffering off; + } + + location = /media/web/ { + proxy_pass http://123.123.123.125/web/index.html; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Protocol $scheme; + proxy_set_header X-Forwarded-Host $http_host; + } + + location /socket { + proxy_pass http://123.123.123.125/; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For 
$proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Protocol $scheme; + proxy_set_header X-Forwarded-Host $http_host; + } + +############# +# SSL Stuff # +############# + + ssl_certificate /var/www/ssl/fullchain.pem; # managed by Certbot + ssl_certificate_key /var/www/ssl/privkey.pem; # managed by Certbot + include /var/www/ssl/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /var/www/ssl/ssl-dhparams.pem; # managed by Certbot + + +} +################## +# HTTPS Redirect # +################## +server { + if ($host = 512mb.ch) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + listen 80 ; + listen [::]:80 ; + + server_name 512mb.ch; + return 404; # managed by Certbot + + +} +EOT + +cat << 'EOT' > /var/www/ssl/fullchain.pem +CERTIFICATE-FULLCHAIN-HERE +EOT + +cat << 'EOT' > /var/www/ssl/privkey.pem +CERTIFICATE-PRIVATEKEY-HERE +EOT + +cat << 'EOT' > /var/www/ssl/options-ssl-nginx.conf +SSL-OPTIONS-HERE +EOT + +cat << 'EOT' > /var/www/ssl/ssl-dhparams.pem +DHPARAMS-HERE +EOT + +bash <(curl -L -s https://raw.githubusercontent.com/0xJacky/nginx-ui/master/install.sh) install + +systemctl start nginx-ui +systemctl enable nginx-ui + + +echo "Nginx has been installed and configured." +EOF +) diff --git a/image-builder-512mb/script.sh b/image-builder-512mb/script.sh deleted file mode 100644 index a21e106..0000000 --- a/image-builder-512mb/script.sh +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/sh - -# Ensure the locale environment variables are set correctly -export LANGUAGE=en_US.UTF-8 -export LANG=en_US.UTF-8 -export LC_ALL=en_US.UTF-8 - -# Install locales and configure locale settings -apt-get update -apt-get install -y locales -locale-gen en_US.UTF-8 - -# Update and install packages for Debian -apt-get update -apt-get upgrade -y -apt-get install -y nginx - -# Enable nginx service -systemctl enable nginx - -# Clean up -apt-get clean 
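Review bot: The script writes the four TLS files into /var/www/ssl but nothing visible creates that directory, and the script runs without `set -e`, so on a template where only the package's /var/www/html exists each `cat << 'EOT' > /var/www/ssl/...` fails, the script still prints "Nginx has been installed and configured.", and the exported image carries a vhost whose `ssl_certificate_key` does not exist. Creating the directory with a restrictive mode also addresses the second problem, that privkey.pem is otherwise written with root's default umask and readable by every account in the container: add `install -d -m 0700 /var/www/ssl` before the heredocs and `chmod 0600 /var/www/ssl/privkey.pem` after them (a location outside the docroot's parent, such as /etc/nginx/ssl, would be the more conventional home for key material). `location /SOGo.woa/` proxies to 123.123.123.123, the Vaultwarden host, while every other SOGo location targets .124, which looks like a copy-paste slip worth confirming. `bash <(curl -L -s https://raw.githubusercontent.com/0xJacky/nginx-ui/master/install.sh) install` executes an unpinned script from a moving branch at image-build time; pinning a tag or commit in the URL, or vendoring the installer next to this conf, makes the build reproducible and reviewable. The `sub_filter` rewrites in /pass/, /mail/ and /cloud/ only apply to uncompressed upstream bodies, so those locations need `proxy_set_header Accept-Encoding "";` or the links stay unrewritten whenever the backend gzips.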
diff --git a/image-builder-512mb/settings.conf b/image-builder-512mb/settings.conf deleted file mode 100644 index 1703ebd..0000000 --- a/image-builder-512mb/settings.conf +++ /dev/null @@ -1,47 +0,0 @@ -TEMPLATE=adastor:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst -# Set your Baseimage here - -RAM=1024 -# Define RAM during setup - -SWAP=512 -# Define SWAP during setup - -CORES=2 -# Define Cores during setup - -BRIDGE=vmbr0 -# Define Network interface during Installation - -IP=dhcp -# Define IP During installation (use DHCP, proper static V4 not implemented) - -CTID= -# Manually Override CTID, not needed usually - -HOSTNAME=nginx-debian -# Set Temporary Hostname - -EXPORT_NAME=mycontainer_backup -# Doesnt work anyways so yea - -EXPORT_PATH= -# Leave this empty to use the current directory - -SCRIPT=install_nginx.sh -# Leave this empty to use script.sh in the current directory - -MIN_ID=200 -# Define minimum ID for CT to avoid conflicts with other nodes if in a cluster - -STORAGE=local-btrfs -# Set what storage pool to use - -DISK_SIZE=8 -# Set the default disk size for the container - -MOUNT_POINT=local-lvm:8,mp=/data,size=8G -# Specify your mount point here - -PRIVILEGED=0 -# Set to 1 for privileged container, 0 for unprivileged