Add cert scripts; update readme; update gitignore; add nginx

2024-11-19 10:54:05 +01:00 · 2024-11-19 10:54:05 +01:00 · ae3d5e4df7
commit ae3d5e4df7
parent 91c5eb1d9d
9 changed files with 301 additions and 30 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -1,6 +1,16 @@
 ---

 services:
+  geoipupdate:
+    image: "maxmindinc/geoipupdate:latest"
+    volumes:
+      - "geoip:/usr/share/GeoIP"
+    environment:
+      GEOIPUPDATE_EDITION_IDS: "GeoLite2-City GeoLite2-ASN"
+      GEOIPUPDATE_FREQUENCY: "8"
+      GEOIPUPDATE_ACCOUNT_ID: "${GEOIPUPDATE_ACCOUNT_ID:?MaxMind GeoIP account ID required}"
+      GEOIPUPDATE_LICENSE_KEY: "${GEOIPUPDATE_LICENSE_KEY:?MaxMind GeoIP license key required}"
+
  postgresql:
    image: docker.io/library/postgres:16-alpine
    restart: unless-stopped
@ -19,7 +29,7 @@ services:
    env_file:
      - .env
    networks:
-      - net
+      - backend

  redis:
    image: docker.io/library/redis:alpine
@ -34,7 +44,7 @@ services:
    volumes:
      - redis:/data
    networks:
-      - net
+      - backend

  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.0}
@ -52,21 +62,12 @@ services:
      - geoip:/geoip
    env_file:
      - .env
-    # ports:
-    #   - "${COMPOSE_PORT_HTTP:-9000}:9000"
-    #   - "${COMPOSE_PORT_HTTPS:-9443}:9443"
    depends_on:
      - postgresql
      - redis
    networks:
-      - net
-      - web
-    labels:
-      - "traefik.enable=true"
-      - traefik.docker.network=web
-      - traefik.port=9443
-      - traefik.frontend.rule=Host:${PUBLIC_DOMAIN}
-      - traefik.protocol=https
+      - backend
+      - frontend

  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.0}
@ -97,17 +98,46 @@ services:
      - postgresql
      - redis
    networks:
-      - net
+      - backend

-  geoipupdate:
-    image: "maxmindinc/geoipupdate:latest"
-    volumes:
-      - "geoip:/usr/share/GeoIP"
+  nginx:
+    build:
+      context: ./docker/nginx
+      dockerfile: Dockerfile
+      args:
+        IMAGE: "nginxinc/nginx-unprivileged:1.27.2-bookworm"
+        IMG_TITLE: "nginx-unprivileged-base23"
+        IMAGE_VERSION: "COMPOSE"
    environment:
-      GEOIPUPDATE_EDITION_IDS: "GeoLite2-City GeoLite2-ASN"
-      GEOIPUPDATE_FREQUENCY: "8"
-      GEOIPUPDATE_ACCOUNT_ID: "${GEOIPUPDATE_ACCOUNT_ID:?MaxMind GeoIP account ID required}"
-      GEOIPUPDATE_LICENSE_KEY: "${GEOIPUPDATE_LICENSE_KEY:?MaxMind GeoIP license key required}"
+      - NGINX_HTTP_PORT=${NGINX_HTTP_PORT}
+      - NGINX_HTTPS_PORT=${NGINX_HTTPS_PORT}
+      - NGINX_RESOLVER=${NGINX_RESOLVER}
+      - NGINX_SERVERNAME=${NGINX_SERVERNAME}
+      - NGINX_SSL_SESSION_TIMEOUT=${NGINX_SSL_SESSION_TIMEOUT}
+      - NGINX_SSL_SESSION_CACHE=${NGINX_SSL_SESSION_CACHE}
+      - NGINX_SSL_PROTOCOLS=${NGINX_SSL_PROTOCOLS}
+      - NGINX_SSL_CIPHERS=${NGINX_SSL_CIPHERS}
+      - NGINX_SSL_PREFER_SERVER_CIPHERS=${NGINX_SSL_PREFER_SERVER_CIPHERS}
+      - NGINX_HEADER_STRICT_TRANSPORT_SECURITY=${NGINX_HEADER_STRICT_TRANSPORT_SECURITY}
+      - NGINX_SSL_STAPLING=${NGINX_SSL_STAPLING}
+      - NGINX_SSL_STAPLING_VERIFY=${NGINX_SSL_STAPLING_VERIFY}
+    volumes:
+      - ./data/nginx/default.conf.template:/etc/nginx/templates/default.conf.template:ro
+      - ./data/nginx/dhparam.pem:/etc/nginx/ssl/dhparam.pem:ro
+      - ./data/nginx/certs:/etc/nginx/ssl/certs:ro
+    ports:
+      - target: 8080
+        published: "80"
+        protocol: tcp
+        app_protocol: http # Docker Compose 2.26.0
+        mode: ingress
+      - target: 8443
+        published: "443"
+        protocol: tcp
+        app_protocol: https # Docker Compose 2.26.0
+        mode: ingress
+    networks:
+      - frontend


 volumes:
@ -120,6 +150,5 @@ volumes:


 networks:
-  net:
-  web:
-    external: true
+  backend:
+  frontend: