From e356e4cf1619de9284bf0536c79452fcf23c63e1 Mon Sep 17 00:00:00 2001
From: phg <mail@philip-henning.com>
Date: Sat, 26 Jul 2025 00:08:06 +0200
Subject: [PATCH] cleanup; Readme still in WIP

---
 README.md                        | 65 ++++++-----------------
 data/nginx/default.conf.template | 90 --------------------------------
 docker/nginx/Dockerfile          | 83 -----------------------------
 scripts/cert_renew.sh            | 12 -----
 scripts/cert_renew_hook.sh       |  8 ---
 scripts/compose.sh               | 11 +---
 6 files changed, 17 insertions(+), 252 deletions(-)
 delete mode 100644 data/nginx/default.conf.template
 delete mode 100644 docker/nginx/Dockerfile
 delete mode 100755 scripts/cert_renew.sh
 delete mode 100755 scripts/cert_renew_hook.sh

diff --git a/README.md b/README.md
index 53e484d..1f7c7e2 100644
--- a/README.md
+++ b/README.md
@@ -1,15 +1,13 @@
-# `sso.base23.de` - Base23 SSO for all services
+# `sso.s1q.dev` - Base23 SSO for all services
 
 [Authentik](https://goauthentik.io/) based SSO for our sevices.
 
 ## Table of Contents
 
-- [`sso.base23.de` - Base23 SSO for all services](#ssobase23de---base23-sso-for-all-services)
+- [`sso.s1q.dev` - Base23 SSO for all services](#ssos1qdev---base23-sso-for-all-services)
   - [Table of Contents](#table-of-contents)
   - [Prerequisites](#prerequisites)
-    - [Server Setup](#server-setup)
     - [Tailscale](#tailscale)
-    - [Base23 Docker registry login](#base23-docker-registry-login)
     - [CrowdSec](#crowdsec)
       - [Setup CrowdSec Repo](#setup-crowdsec-repo)
       - [Install CrowdSec](#install-crowdsec)
@@ -25,32 +23,7 @@
 
 ## Prerequisites
 
-### Server Setup
-
-```shell
-apt update \
-  && apt upgrade -y \
-  && for pkg in docker.io docker-doc docker-compose podman-docker containerd runc; do sudo apt remove $pkg; done \
-  && apt install ca-certificates curl \
-  && install -m 0755 -d /etc/apt/keyrings \
-  && curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc \
-  && chmod a+r /etc/apt/keyrings/docker.asc \
-  && echo \
-  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
-  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
-  tee /etc/apt/sources.list.d/docker.list > /dev/null \
-  && apt update \
-  && apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin \
-  && mkdir -p /var/lib/apps \
-  && ln -s /var/lib/apps \
-  && apt install -y git vim \
-  && TEMP_DIR=$(mktemp -d) \
-  && curl -fsSL https://github.com/go-acme/lego/releases/download/v4.20.2/lego_v4.20.2_linux_amd64.tar.gz -o ${TEMP_DIR}/lego_v4.20.2_linux_amd64.tar.gz \
-  && tar xzvf ${TEMP_DIR}/lego_v4.20.2_linux_amd64.tar.gz --directory=${TEMP_DIR} \
-  && install -m 755 -o root -g root "${TEMP_DIR}/lego" "/usr/local/bin" \
-  && rm -rf ${TEMP_DIR} \
-  && unset TEMP_DIR
-```
+- dokploy
 
 ### Tailscale
 
@@ -61,18 +34,12 @@ printf "Enter preauthkey for Tailscale: " \
   && curl -fsSL https://pkgs.tailscale.com/stable/debian/bookworm.tailscale-keyring.list | sudo tee /etc/apt/sources.list.d/tailscale.list \
   && apt-get update \
   && apt-get install tailscale \
-  && tailscale up --login-server https://vpn.base23.de --authkey ${TAILSCALE_PREAUTHKEY} --advertise-tags=tag:prod-servers \
+  && tailscale up --login-server https://vpn.s1q.dev --authkey ${TAILSCALE_PREAUTHKEY} \
   && sleep 2 \
   && tailscale status \
   && unset TAILSCALE_PREAUTHKEY
 ```
 
-### Base23 Docker registry login
-
-```shell
-docker login -u gitlab+deploy-token-5 registry.git.base23.de
-```
-
 ### CrowdSec
 
 #### Setup CrowdSec Repo
@@ -116,9 +83,9 @@ systemctl restart crowdsec; systemctl status crowdsec.service
 Whitelist Tailscale IPs:
 
 ```shell
-cat << EOF > /etc/crowdsec/parsers/s02-enrich/01-base23-tailscale.yaml \
+cat << EOF > /etc/crowdsec/parsers/s02-enrich/01-s1q-dev-tailscale.yaml \
   && systemctl restart crowdsec; journalctl -xef -u crowdsec.service
-name: base23/tailscale ## Must be unqiue
+name: s1q-dev/tailscale ## Must be unqiue
 description: "Whitelist events from Tailscale Subnet"
 whitelist:
   reason: "Tailscale clients"
@@ -127,18 +94,18 @@ whitelist:
 EOF
 ```
 
-Whitelist our current Public IPs:
+Whitelist my current Public IPs:
 
 ```shell
 mkdir -p /etc/crowdsec/postoverflows/s01-whitelist/ \
-  && cat << EOF > /etc/crowdsec/postoverflows/s01-whitelist/01-base23-public-ips.yaml \
+  && cat << EOF > /etc/crowdsec/postoverflows/s01-whitelist/01-s1q-dev-public-ips.yaml \
   && crowdsec -t && systemctl restart crowdsec; systemctl status crowdsec.service
-name: base23/public-ips ## Must be unqiue
-description: "Whitelist events from base23 public IPs"
+name: s1q-dev/public-ips ## Must be unqiue
+description: "Whitelist events from s1q-dev public IPs"
 whitelist:
-  reason: "Base23 Public IPs"
+  reason: "s1q-dev Public IPs"
   expression:
-    - evt.Overflow.Alert.Source.IP in LookupHost("asterix.ddns.base23.de")
+    - evt.Overflow.Alert.Source.IP in LookupHost("r3w.de")
 EOF
 ```
 
@@ -151,8 +118,8 @@ cscli collections install firix/authentik \
 ---
 source: docker
 container_name_regexp:
-  - sso-base23-de-server-*
-  - sso-base23-de-worker-*
+  - sso-s1q-dev-de-server-*
+  - sso-s1q-dev-de-worker-*
 labels:
   type: authentik
 EOF
@@ -177,8 +144,8 @@ Setup notifications:
 
 ```shell
 cd /root/apps \
-  && git clone ssh://git@git.base23.de:222/base23/sso.base23.de.git \
-  && cd sso.base23.de \
+  && git clone ssh://git@git.base23.de:222/base23/sso.s1q.dev.git \
+  && cd sso.s1q.dev \
   && ./scripts/init.sh
 ```
 
diff --git a/data/nginx/default.conf.template b/data/nginx/default.conf.template
deleted file mode 100644
index 341eee7..0000000
--- a/data/nginx/default.conf.template
+++ /dev/null
@@ -1,90 +0,0 @@
-# Upstream where your authentik server is hosted.
-upstream authentik {
-	server server:9443;
-	# Improve performance by keeping some connections alive.
-	keepalive 10;
-}
-
-# Upgrade WebSocket if requested, otherwise use keepalive
-map $http_upgrade $connection_upgrade_keepalive {
-	default upgrade;
-	''      '';
-}
-
-# Server just for serving a health endpoint
-server {
-	listen 127.0.0.1:8181;
-	server_name localhost;
-
-	# replace with the IP address of your resolver
-	resolver ${NGINX_RESOLVER};
-
-	# Handle /health separately without serving any files
-	location = /health {
-		access_log off;
-		default_type text/plain;
-		return 200 'OK';
-	}
-}
-
-# Redirect to HTTPS
-server {
-	listen ${NGINX_HTTP_PORT};
-	listen [::]:${NGINX_HTTP_PORT};
-	server_name ${NGINX_SERVERNAME};
-
-	# Exclude Let's Encrypt directory from redirection
-	location /.well-known/acme-challenge/ {
-		root /var/www/letsencrypt;
-	}
-
-	# Redirect all other traffic to HTTPS
-	location / {
-		return 302 https://$host$request_uri;
-	}
-}
-
-# HTTPS Server
-server {
-	listen ${NGINX_HTTPS_PORT} ssl;
-	listen [::]:${NGINX_HTTPS_PORT} ssl;
-	http2 on;
-	server_name ${NGINX_SERVERNAME};
-
-	ssl_certificate /etc/nginx/ssl/certs/_.base23.de.crt;
-	ssl_certificate_key /etc/nginx/ssl/certs/_.base23.de.key;
-	ssl_session_timeout ${NGINX_SSL_SESSION_TIMEOUT};
-	ssl_session_cache ${NGINX_SSL_SESSION_CACHE};
-
-	ssl_dhparam /etc/nginx/ssl/dhparams.pem;
-
-	# intermediate configuration
-	ssl_protocols ${NGINX_SSL_PROTOCOLS};
-	ssl_ciphers ${NGINX_SSL_CIPHERS};
-	ssl_prefer_server_ciphers ${NGINX_SSL_PREFER_SERVER_CIPHERS};
-
-	# HSTS (ngx_http_headers_module is required) (63072000 seconds)
-	add_header Strict-Transport-Security ${NGINX_HEADER_STRICT_TRANSPORT_SECURITY};
-
-	# OCSP stapling
-	ssl_stapling ${NGINX_SSL_STAPLING};
-	ssl_stapling_verify ${NGINX_SSL_STAPLING_VERIFY};
-
-	# verify chain of trust of OCSP response using Root CA and Intermediate certs
-	ssl_trusted_certificate /etc/nginx/ssl/certs/_.base23.de.issuer.crt;
-
-	# replace with the IP address of your resolver
-	resolver ${NGINX_RESOLVER};
-
-	client_max_body_size 50m;
-
-	location / {
-		proxy_pass https://authentik;
-		proxy_http_version 1.1;
-		proxy_set_header X-Forwarded-Proto $scheme;
-		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-		proxy_set_header Host $http_host;
-		proxy_set_header Upgrade $http_upgrade;
-		proxy_set_header Connection $connection_upgrade_keepalive;
-	}
-}
diff --git a/docker/nginx/Dockerfile b/docker/nginx/Dockerfile
deleted file mode 100644
index a730104..0000000
--- a/docker/nginx/Dockerfile
+++ /dev/null
@@ -1,83 +0,0 @@
-ARG IMAGE=nginxinc/nginx-unprivileged:stable-bullseye
-
-FROM $IMAGE AS builder
-
-ARG HTTP_SUBSTITUTIONS_VERSION='e12e965ac1837ca709709f9a26f572a54d83430e'
-ARG HEADERS_MORE_VERSION='0.37'
-
-USER root
-
-RUN set -x \
-    && apt-get update \
-    && apt-get install -y --no-install-recommends \
-        build-essential \
-        libgd-dev \
-        libgeoip-dev \
-        libedit-dev \
-        libxslt1-dev \
-        libssl-dev \
-        libpcre2-dev \
-        libperl-dev \
-        zlib1g-dev \
-        unzip \
-    && rm -rf /var/lib/apt/lists/* \
-    && mkdir -p /usr/src \
-    && curl \
-        -o nginx.tar.gz \
-        https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz \
-    && curl -L \
-        -o nginx_substitutions_filter.zip \
-        https://codeload.github.com/yaoweibin/ngx_http_substitutions_filter_module/zip/${HTTP_SUBSTITUTIONS_VERSION} \
-    && curl -L \
-        -o headers-more-nginx-module.zip \
-        https://codeload.github.com/openresty/headers-more-nginx-module/zip/refs/tags/v${HEADERS_MORE_VERSION} \
-    && tar -zxC /usr/src -f nginx.tar.gz \
-    && unzip nginx_substitutions_filter.zip -d /usr/src \
-    && unzip headers-more-nginx-module.zip -d /usr/src \
-    && rm nginx.tar.gz \
-    && rm nginx_substitutions_filter.zip \
-    && rm headers-more-nginx-module.zip \
-    && cd /usr/src/nginx-${NGINX_VERSION} \
-    && set -eux \
-    && eval ./configure $(nginx -V 2>&1 | sed -n -e "s/^.*configure arguments: //p") \
-        --add-dynamic-module=/usr/src/ngx_http_substitutions_filter_module-${HTTP_SUBSTITUTIONS_VERSION} \
-        --add-dynamic-module=/usr/src/headers-more-nginx-module-${HEADERS_MORE_VERSION} \
-        --with-http_sub_module \
-    && set +eux \
-    && make \
-    && make install
-
-
-
-FROM $IMAGE
-
-ARG BUILD_DATE=01.01.1970
-ARG IMG_TITLE=docker-image
-ARG IMAGE_VERSION=0
-ARG SRC_REV=0
-
-COPY --from=builder --chown=root:root --chmod=0644 /usr/lib/nginx/modules/ngx_http_subs_filter_module.so /usr/lib/nginx/modules/ngx_http_subs_filter_module.so
-COPY --from=builder --chown=root:root --chmod=0644 /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so
-COPY --from=builder --chown=root:root --chmod=0755 /usr/sbin/nginx /usr/sbin/nginx
-
-RUN sed -i '1iload_module /usr/lib/nginx/modules/ngx_http_subs_filter_module.so;\n' /etc/nginx/nginx.conf \
-    &&  sed -i '1iload_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;\n' /etc/nginx/nginx.conf
-
-# Redirect log output to stdout and stderr
-RUN set -x \
-    && sed -i 's,/var/log/nginx/error.log,/dev/stderr,' /etc/nginx/nginx.conf \
-    && sed -i 's,/var/log/nginx/access.log,/dev/stdout,' /etc/nginx/nginx.conf
-
-# Healthcheck to ping the /health endpoint
-HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 CMD curl --fail http://localhost:8181/health || exit 1
-
-LABEL \
-    maintainer="philip.henning@base23.de" \
-    org.opencontainers.image.created="${BUILD_DATE}" \
-    org.opencontainers.image.vendor="Base23 GmbH" \
-    org.opencontainers.image.authors="Philip Henning | Base23 GmbH <philip.henning@base23.de>" \
-    org.opencontainers.image.title="${IMG_TITLE}" \
-    org.opencontainers.image.description="rootless nginx image based on nginxinc/nginx-unprivileged with subst module" \
-    org.opencontainers.image.version="${IMAGE_VERSION}" \
-    org.opencontainers.image.source="https://git.base23.de/base23/sso.base23.de" \
-    org.opencontainers.image.revision="${SRC_REV}"
diff --git a/scripts/cert_renew.sh b/scripts/cert_renew.sh
deleted file mode 100755
index 1eff0a0..0000000
--- a/scripts/cert_renew.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/usr/bin/env bash
-set -euf -o pipefail
-
-cd "$(dirname "$(realpath "$0")")/../"
-
-lego \
-	--path ./data/.lego \
-	--email="acme@base23.de" \
-	--domains="*.base23.de" \
-	--dns hetzner \
-	renew \
-	--renew-hook="./scripts/cert_renew_hook.sh"
diff --git a/scripts/cert_renew_hook.sh b/scripts/cert_renew_hook.sh
deleted file mode 100755
index 4fe8734..0000000
--- a/scripts/cert_renew_hook.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/usr/bin/env bash
-set -euf -o pipefail
-
-cd "$(dirname "$(realpath "$0")")/../"
-
-install -m 400 -o 101 -g 101 "./data/.lego/certificates"/{_.base23.de.crt,_.base23.de.issuer.crt,_.base23.de.key} "./data/nginx/certs"
-
-docker compose restart nginx
diff --git a/scripts/compose.sh b/scripts/compose.sh
index 65590b4..9ddaea3 100755
--- a/scripts/compose.sh
+++ b/scripts/compose.sh
@@ -11,20 +11,11 @@ STAGE="${1:-}"
 shift || true
 
 if [[ -z "${STAGE,,}" ]]; then
-  echo "Usage: $0 <prod|test>"
+  echo "Usage: $0 <stage>"
   echo "Example: $0 test"
   exit 1
 fi
 
-if [[ "${STAGE,,}" == "prod" ]]; then
-  DOCKER_COMPOSE_CLI="docker compose"
-elif [[ "${STAGE,,}" == "test" ]]; then
-  DOCKER_COMPOSE_CLI="docker-compose-2.32.4"
-else
-  echo "Invalid stage: ${STAGE,,}. Use 'prod' or 'test'."
-  exit 1
-fi
-
 cd "$(dirname "$(realpath "$0")")/../"
 AUTHENTIK_DOCKER_COMPOSE_PATH="$(realpath "$(pwd)")"