added add_location.sh

2025-12-03 17:09:07 +00:00
parent e7128e8652
commit 8c976051ab
7 changed files with 101 additions and 14 deletions
--- a/bin/add_server.sh
+++ b/bin/add_server.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+read -p "Enter server name: " SERVER_NAME
+
+mkdir .tmp
+cp ./config/nginx/template/http_location.conf .tmp/"$SERVER_NAME.conf"
+
+# Replace placeholder SERVER_NAME in the copied file
+sed -i "s/SERVER_NAME/$SERVER_NAME/g" .tmp/"$SERVER_NAME.conf"
+mv .tmp/"$SERVER_NAME.conf" ./config/nginx/conf.d/
+
+docker exec -it nginx-main nginx -s reload
+docker exec -it certbot certbot certaonly --nginx -d "$SERVER_NAME" -d "www.$SERVER_NAME"
+
--- a/bin/add_user.sh
+++ b/bin/add_user.sh
--- a/config/nginx/template/http_location.conf
+++ b/config/nginx/template/http_location.conf
@@ -0,0 +1,17 @@
+server {
+    # Listen on port 80 for standard HTTP traffic
+    listen 80;
+    
+    # Specify the domain name this block should respond to
+    server_name SERVER_NAME;
+
+    location .well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        # Redirect all HTTP requests to HTTPS
+        return 301 https://$host$request_uri;
+    }
+
+}
--- a/config/nginx/template/https_location.conf
+++ b/config/nginx/template/https_location.conf
@@ -0,0 +1,44 @@
+server {
+    # Listen on port 80 for standard HTTP traffic
+    listen 80;
+    
+    # Specify the domain name this block should respond to
+    server_name SERVER_NAME;
+
+    location .well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        # Redirect all HTTP requests to HTTPS
+        return 301 https://$host$request_uri;
+    }
+
+}
+
+server {
+    listen 443 ssl;
+    server_name SERVER_NAME;
+    ssl_certificate /etc/letsencrypt/live/SERVER_NAME/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/SERVER_NAME/privkey.pem;
+
+    root /var/www/html/SERVER_NAME;
+
+    index index.html index.htm;
+
+    location / {
+        auth_basic "Restricted Documentation Area";
+        auth_basic_user_file /etc/nginx/auth/AUTH_FILE;
+        try_files $uri $uri/ =404;
+    }
+ 
+    location ~* \.(css|js|jpg|jpeg|png|gif|ico|svg)$ {
+        # Set cache duration to 30 days
+        expires 30d;
+        # Disable access logging for these files to reduce disk I/O
+        access_log off;
+        auth_basic "Restricted Documentation Area";
+        auth_basic_user_file /etc/nginx/auth/AUTH_FILE;
+    }
+
+}
--- a/data/auth/.htpasswd
+++ b/data/auth/.htpasswd
@@ -0,0 +1 @@
+admin:$apr1$5wUJG.eY$rMZE3iil418vpdvzPJyUZ0
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -6,13 +6,12 @@ services:
      - "80:80"
      - "443:443"
    volumes:
-      - ./data/nginx.conf/:/etc/nginx/nginx.conf:ro # Nginx should only read its config
-      - ./data/.htpasswd:/etc/nginx/.htpasswd:ro
-      - ./data/conf.d/:/etc/nginx/conf.d/:ro
-      - ./data/certbot/www:/var/www/certbot/:ro
-      - ./data/certbot/conf:/etc/letsencrypt/:ro
-      - /prod/data/docs/:/var/www/html/docs.nxs.solutions/:ro
-      - ./logs/:/var/log/nginx/:rw
+      - ./config/nginx/:/etc/nginx/:ro # Nginx should only read its config
+      - ./data/auth/:/etc/nginx/auth:ro
+      - ./data/certbot:/var/www/certbot/:ro
+      - ./config/certbot:/etc/letsencrypt/:ro
+      - ./data/www/html/:/var/www/html/:ro
+      - ./logs/nginx/:/var/log/nginx/:rw
    networks:
      - fast-services
    restart: always
@@ -24,9 +23,9 @@ services:
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $!; done;'"
    volumes:
      # Must be read-write for certbot to place challenge files
-      - ./data/certbot/www:/var/www/certbot/:rw
+      - ./data/certbot/:/var/www/certbot/:rw
      # Must be read-write for certbot to store and renew certificates
-      - ./data/certbot/conf:/etc/letsencrypt/:rw
+      - ./config/certbot/:/etc/letsencrypt/:rw
    # Only runs when explicitly called or for renewal cronjob
    restart: unless-stopped
    networks:
@@ -43,11 +42,7 @@ services:
      # Ensure it always restarts
      restart: always
      volumes:
-        # 1. Mount the Nginx logs from the host (Read-Only)
-        - ./logs:/var/log/nginx:ro
-        # 2. Persist Fail2Ban's configuration and database
-        - /var/log/auth.log:/var/log/auth.log:ro
-        - /prod/gitea/logs/access.log:/var/log/gitea/access.log:ro
+        - ./logs/nginx:/var/log/nginx:ro
        - ./data/fail2ban:/data
      environment:
        # Optional: set timezone
--- a/setup.sh
+++ b/setup.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Create a basic authentication file for Nginx
+# 1. Check if htpasswd command is available
+
+if ! command -v htpasswd &> /dev/null
+then
+	echo "htpasswd could not be found, please install apache2-utils or httpd-tools."
+    sudo apt-get update && sudo apt-get install -y apache2-utils
+fi
+
+# 2. Create the password file with at least one user
+
+echo "Create an admin user for basic authentication."
+htpasswd -c ./data/auth/.htpasswd admin
+echo "Basic authentication file created at ./data/auth/.htpasswd"
				`@@ -0,0 +1 @@`
				`admin:$apr1$5wUJG.eY$rMZE3iil418vpdvzPJyUZ0`