(untested) make nginx run as non-root

.gitignore

@@ -3,7 +3,7 @@ __pycache__
 
 # website
 website/gitea
-website/letsencrypt
+website/certbot
 website/sendgrid.key
 
 # monerod

compose.yml

@@ -21,18 +21,16 @@ services:
   website:
     restart: always
     build: website/.
-    entrypoint: ["/bin/sh", "/root/entry.sh"]
+    entrypoint: ["/bin/sh", "/home/ubuntu/entry.sh"]
     ports:
-      - "80:80"
+      - "80:8080"
-      - "443:443"
+      - "443:8443"
     networks:
       - web
     volumes:
-      - ./website/letsencrypt:/etc/letsencrypt
+      - ./website/certbot:/home/ubuntu/certbot
     cap_drop:
       - ALL
-    cap_add:
-      - NET_BIND_SERVICE
   gitea:
     restart: always
     image: gitea/gitea:latest-rootless

scripts/backup.py

@@ -9,6 +9,6 @@ if __name__ == "__main__":
         "terraria/worlds",
         "terraria/password.txt",
         "website/gitea",
-        "website/letsencrypt",
+        "website/certbot",
         "website/sendgrid.key",
     ], check=True)

scripts/setup_repo.py

@@ -5,7 +5,7 @@ from pathlib import Path
 if __name__ == "__main__":
     # create folders with same UID/GID as user so containers have access
     PATHS = [
-        "website/letsencrypt",
+        "website/certbot",
         "website/gitea/config",
         "website/gitea/data",
         "monerod/.bitmonero",

website/.dockerignore

@@ -1,2 +1,2 @@
 gitea
-letsencrypt
+certbot

website/Dockerfile

@@ -5,18 +5,14 @@ ENV TZ=America/Los_Angeles
 RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
 
 RUN apt-get update && apt-get -y upgrade
-RUN apt-get install -y nginx certbot python3-certbot-nginx python3-pip
+RUN apt-get install -y nginx certbot python3-pip
 RUN pip3 install sendgrid --break-system-packages
 
-RUN rm /etc/nginx/sites-enabled/default
+USER ubuntu
+WORKDIR /home/ubuntu
+RUN mkdir nginx certbot
 
-# enable site
 # TODO make the website code not terrible ;-;
-COPY matthewtran.com /etc/nginx/sites-available
+COPY --chown=ubuntu:ubuntu html ./html
-RUN  ln -s /etc/nginx/sites-available/matthewtran.com /etc/nginx/sites-enabled/matthewtran.com
+COPY --chown=ubuntu:ubuntu sendgrid.ke[y] ip_update.py ./
-COPY html /var/www/matthewtran.com/html
+COPY --chown=ubuntu:ubuntu server.conf entry.sh ./
-
-# start script
-WORKDIR /root
-COPY sendgrid.ke[y] ip_update.py ./
-COPY entry.sh ./

website/entry.sh

@@ -1,32 +1,29 @@
 #!/bin/sh
 
-# server needs to be up to get certs
-nginx
-while [ ! -f /var/run/nginx.pid ]
-do
-    sleep 1
-done
-
 # get certs if needed
-certbot --nginx \
+certbot certonly --standalone \
-    --webroot-path /var/www/matthewtran.com \
+    --http-01-port 8080 \
+    --config-dir ~/certbot \
+    --work-dir ~/certbot/work \
+    --logs-dir ~/certbot/logs \
     --non-interactive --agree-tos -m matthewlamtran@berkeley.edu \
     -d matthewtran.com \
     -d www.matthewtran.com \
     -d git.matthewtran.com
-nginx -s reload
 
 # background process to renew certs and check ip changes
 update() {
-    certbot renew --quiet
+    certbot renew --quiet \
+        --config-dir ~/certbot \
+        --work-dir ~/certbot/work \
+        --logs-dir ~/certbot/logs
     sleep 86400
 }
 update &
 ./ip_update.py &
 
-# wait for termination
+# run server
-cleanup() {
+nginx -c ~/server.conf
-    echo "stopping..."
+trap 'echo "stopping website..."' TERM
-}
+tail -f /dev/null &
-trap 'cleanup' TERM
+wait $!
-wait $! # wait SIGTERM, other processes can just be killed

website/matthewtran.com

@@ -1,29 +0,0 @@
-server {
-    listen 80;
-    listen [::]:80;
-
-    server_name matthewtran.com www.matthewtran.com;
-
-    root /var/www/matthewtran.com/html;
-    index index.html;
-
-    location / {
-        try_files $uri $uri/ =404;
-    }
-}
-
-server {
-    listen 80;
-    listen [::]:80;
-
-    server_name git.matthewtran.com;
-
-    location / {
-        client_max_body_size 512M;
-        proxy_pass http://gitea:3000;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-    }
-}

website/server.conf

@@ -0,0 +1,75 @@
+# adapted from /etc/nginx/nginx.conf
+worker_processes auto;
+pid /home/ubuntu/nginx/site.pid;
+error_log /dev/stderr;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    sendfile on;
+    tcp_nopush on;
+    types_hash_max_size 2048;
+    gzip on;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers on;
+    ssl_certificate     /home/ubuntu/certbot/live/matthewtran.com/fullchain.pem;
+    ssl_certificate_key /home/ubuntu/certbot/live/matthewtran.com/privkey.pem;
+
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    access_log            /dev/stdout;
+    client_body_temp_path /home/ubuntu/nginx/body;
+    proxy_temp_path       /home/ubuntu/nginx/proxy;
+    fastcgi_temp_path     /home/ubuntu/nginx/fastcgi;
+    uwsgi_temp_path       /home/ubuntu/nginx/uwsgi;
+    scgi_temp_path        /home/ubuntu/nginx/scgi;
+
+    # SSL redirect
+    server {
+        listen 8080 default_server;
+        listen [::]:8080 default_server;
+        server_name _;
+        return 301 https://$host$request_uri;
+    }
+
+    # default
+    server {
+        listen 8443 ssl default_server;
+        listen [::]:8443 ssl default_server;
+        server_name _;
+        return 404;
+    }
+
+    # website
+    server {
+        listen 8443 ssl;
+        listen [::]:8443 ssl;
+        server_name matthewtran.com www.matthewtran.com;
+
+        root /home/ubuntu/html;
+        index index.html;
+        location / {
+            try_files $uri $uri/ =404;
+        }
+    }
+
+    # gitea
+    server {
+        listen 8443 ssl;
+        listen [::]:8443 ssl;
+        server_name git.matthewtran.com;
+
+        location / {
+            client_max_body_size 512M;
+            proxy_pass http://gitea:3000;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto https;
+        }
+    }
+}