(untested) make nginx run as non-root

This commit is contained in:
Matthew Tran 2025-02-19 03:16:52 -08:00
parent dd072e76d8
commit 36c4019c01
9 changed files with 104 additions and 67 deletions

2
.gitignore vendored

@ -3,7 +3,7 @@ __pycache__
# website
website/gitea
website/letsencrypt
website/certbot
website/sendgrid.key
# monerod


@ -21,18 +21,16 @@ services:
website:
restart: always
build: website/.
entrypoint: ["/bin/sh", "/root/entry.sh"]
entrypoint: ["/bin/sh", "/home/ubuntu/entry.sh"]
ports:
- "80:80"
- "443:443"
- "80:8080"
- "443:8443"
networks:
- web
volumes:
- ./website/letsencrypt:/etc/letsencrypt
- ./website/certbot:/home/ubuntu/certbot
cap_drop:
- ALL
cap_add:
- NET_BIND_SERVICE
gitea:
restart: always
image: gitea/gitea:latest-rootless
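Review bot: The `cap_add: - NET_BIND_SERVICE` entry on the website service is unnecessary after this change, because nginx and certbot now bind 8080/8443 inside the container and only the host-side mapping (`"80:8080"`, `"443:8443"`) uses privileged ports. The rendered diff has lost the +/- markers, so I cannot tell whether the commit adds or removes the cap_drop/cap_add block, but on the new side it should reduce to `cap_drop:` / `  - ALL` with no cap_add, since the process runs as ubuntu and nothing in entry.sh needs a capability. The entrypoint path `/home/ubuntu/entry.sh` relies on the Dockerfile's `COPY --chown=ubuntu:ubuntu server.conf entry.sh ./` landing in the `/home/ubuntu` WORKDIR, which the Dockerfile hunk does set.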


@ -9,6 +9,6 @@ if __name__ == "__main__":
"terraria/worlds",
"terraria/password.txt",
"website/gitea",
"website/letsencrypt",
"website/certbot",
"website/sendgrid.key",
], check=True)


@ -5,7 +5,7 @@ from pathlib import Path
if __name__ == "__main__":
# create folders with same UID/GID as user so containers have access
PATHS = [
"website/letsencrypt",
"website/certbot",
"website/gitea/config",
"website/gitea/data",
"monerod/.bitmonero",


@ -1,2 +1,2 @@
gitea
letsencrypt
certbot


@ -5,18 +5,14 @@ ENV TZ=America/Los_Angeles
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
RUN apt-get update && apt-get -y upgrade
RUN apt-get install -y nginx certbot python3-certbot-nginx python3-pip
RUN apt-get install -y nginx certbot python3-pip
RUN pip3 install sendgrid --break-system-packages
RUN rm /etc/nginx/sites-enabled/default
USER ubuntu
WORKDIR /home/ubuntu
RUN mkdir nginx certbot
# enable site
# TODO make the website code not terrible ;-;
COPY matthewtran.com /etc/nginx/sites-available
RUN ln -s /etc/nginx/sites-available/matthewtran.com /etc/nginx/sites-enabled/matthewtran.com
COPY html /var/www/matthewtran.com/html
# start script
WORKDIR /root
COPY sendgrid.ke[y] ip_update.py ./
COPY entry.sh ./
COPY --chown=ubuntu:ubuntu html ./html
COPY --chown=ubuntu:ubuntu sendgrid.ke[y] ip_update.py ./
COPY --chown=ubuntu:ubuntu server.conf entry.sh ./
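Review bot: `COPY --chown=ubuntu:ubuntu sendgrid.ke[y] ip_update.py ./` (carried over from the old `COPY sendgrid.ke[y] ip_update.py ./`) bakes the SendGrid API key into an image layer, where it is readable by anyone who can pull or inspect the image and stays in the build cache after the key is rotated. Prefer mounting the key at runtime — a read-only bind mount next to the existing `./website/certbot` volume in docker-compose, or a compose secret — and have ip_update.py read it from that path; the `ke[y]` glob can then go. Separately, `RUN mkdir nginx certbot` creates `/home/ubuntu/certbot` in the image, but the compose bind mount covers that path at runtime, so its ownership comes from the host directory (presumably the one the folder-setup script creates), not from this `mkdir`; a comment such as `# certbot/ is shadowed by the compose bind mount; the host dir must be owned by the same UID` would save the next reader a trip.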


@ -1,32 +1,29 @@
#!/bin/sh
# server needs to be up to get certs
nginx
while [ ! -f /var/run/nginx.pid ]
do
sleep 1
done
# get certs if needed
certbot --nginx \
--webroot-path /var/www/matthewtran.com \
certbot certonly --standalone \
--http-01-port 8080 \
--config-dir ~/certbot \
--work-dir ~/certbot/work \
--logs-dir ~/certbot/logs \
--non-interactive --agree-tos -m matthewlamtran@berkeley.edu \
-d matthewtran.com \
-d www.matthewtran.com \
-d git.matthewtran.com
nginx -s reload
# background process to renew certs and check ip changes
update() {
certbot renew --quiet
certbot renew --quiet \
--config-dir ~/certbot \
--work-dir ~/certbot/work \
--logs-dir ~/certbot/logs
sleep 86400
}
update &
./ip_update.py &
# wait for termination
cleanup() {
echo "stopping..."
}
trap 'cleanup' TERM
wait $! # wait SIGTERM, other processes can just be killed
# run server
nginx -c ~/server.conf
trap 'echo "stopping website..."' TERM
tail -f /dev/null &
wait $!
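Review bot: The `certbot renew --quiet` in `update()` will not succeed once `nginx -c ~/server.conf` is running: the initial `certbot certonly --standalone --http-01-port 8080` records the standalone authenticator in the renewal config, so every renewal tries to bind 8080, which nginx already holds, and even a renewal that did succeed would never be loaded because the old `nginx -s reload` was removed. Either switch to the webroot authenticator (`certonly --webroot -w ~/html`, with a `location /.well-known/acme-challenge/` exception ahead of the redirect in the 8080 server of server.conf) or wrap renewal in `--pre-hook`/`--post-hook` that stops and restarts nginx, and in both cases pass `--deploy-hook "nginx -c $HOME/server.conf -s reload"` so the new certificate is picked up. The script also has no `set -e`: if the first `certbot certonly` fails, `nginx -c ~/server.conf` fails on the missing `ssl_certificate` and `tail -f /dev/null` keeps the container alive with nothing listening, hiding the failure from docker's restart policy. The TERM trap only echoes; `nginx -c ~/server.conf -s quit` in the trap would let in-flight requests finish before the container exits.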


@ -1,29 +0,0 @@
server {
listen 80;
listen [::]:80;
server_name matthewtran.com www.matthewtran.com;
root /var/www/matthewtran.com/html;
index index.html;
location / {
try_files $uri $uri/ =404;
}
}
server {
listen 80;
listen [::]:80;
server_name git.matthewtran.com;
location / {
client_max_body_size 512M;
proxy_pass http://gitea:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}

75
website/server.conf Normal file

@ -0,0 +1,75 @@
# adapted from /etc/nginx/nginx.conf
worker_processes auto;
pid /home/ubuntu/nginx/site.pid;
error_log /dev/stderr;
events {
worker_connections 1024;
}
http {
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
gzip on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_certificate /home/ubuntu/certbot/live/matthewtran.com/fullchain.pem;
ssl_certificate_key /home/ubuntu/certbot/live/matthewtran.com/privkey.pem;
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /dev/stdout;
client_body_temp_path /home/ubuntu/nginx/body;
proxy_temp_path /home/ubuntu/nginx/proxy;
fastcgi_temp_path /home/ubuntu/nginx/fastcgi;
uwsgi_temp_path /home/ubuntu/nginx/uwsgi;
scgi_temp_path /home/ubuntu/nginx/scgi;
# SSL redirect
server {
listen 8080 default_server;
listen [::]:8080 default_server;
server_name _;
return 301 https://$host$request_uri;
}
# default
server {
listen 8443 ssl default_server;
listen [::]:8443 ssl default_server;
server_name _;
return 404;
}
# website
server {
listen 8443 ssl;
listen [::]:8443 ssl;
server_name matthewtran.com www.matthewtran.com;
root /home/ubuntu/html;
index index.html;
location / {
try_files $uri $uri/ =404;
}
}
# gitea
server {
listen 8443 ssl;
listen [::]:8443 ssl;
server_name git.matthewtran.com;
location / {
client_max_body_size 512M;
proxy_pass http://gitea:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
}
}
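Review bot: The `http` block enables TLSv1.2/1.3 but leaves `server_tokens` at its default and sets no HSTS, so the nginx version is exposed in error pages and headers and browsers are never told to stay on HTTPS after the `return 301` redirect. Add `server_tokens off;` beside `ssl_prefer_server_ciphers on;`, and `add_header Strict-Transport-Security "max-age=63072000" always;` in the two named 8443 servers (not in the catch-all `return 404` one, which answers for unknown hosts). Because the whole `# SSL redirect` server is `return 301 https://$host$request_uri;`, any future http-01 renewal through nginx would need a `location /.well-known/acme-challenge/` serving a webroot placed before that redirect; entry.sh currently renews with standalone, so this only matters if that changes.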