Initial commit

.gitignore

@@ -0,0 +1,15 @@
+
+logs/*.log
+
+config/nginx/conf.d/*.conf
+
+# Sensitive data
+data/.htpasswd
+
+# Fail2ban database files
+data/fail2ban/db/*.db
+
+# Certbot subdirectories
+data/certbot/**
+
+

bin/init-letsencrypt.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+DOMAIN="apidocs.nxs.solutions"
+EMAIL="info@nxs.solutions"
+STAGING=0 # Set to 1 for testing (to avoid rate limits)
+
+# Ensure required directories exist
+if [ ! -d "data/certbot/conf" ]; then
+  mkdir -p data/certbot/conf
+fi
+if [ ! -d "data/certbot/www" ]; then
+  mkdir -p data/certbot/www
+fi
+
+# Run Certbot to get initial certificate
+docker compose run --rm certbot certonly --webroot \
+  --webroot-path=/var/www/certbot \
+  --email "$EMAIL" \
+  -d "$DOMAIN" -d "www.$DOMAIN" \
+  --rsa-key-size 4096 \
+  --agree-tos \
+  --noninteractive \
+  $([ "$STAGING" -eq 1 ] && echo "--staging")
+
+# Reload Nginx to use the new certificate
+docker compose exec nginx nginx -s reload

config/fail2ban/filter.d/gitea.local

@@ -0,0 +1,4 @@
+# gitea.local
+[Definition]
+failregex =  .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
+ignoreregex =

config/fail2ban/jail.d/gitea.local

@@ -0,0 +1,8 @@
+[gitea-docker]
+enabled = true
+filter = gitea
+logpath = /var/log/gitea/access.log
+maxretry = 10
+findtime = 3600
+bantime = 900
+action = iptables-allports[chain="FORWARD"]

config/fail2ban/jail.d/nginx-bots.local

@@ -0,0 +1,9 @@
+[nginx-badbots]
+enabled = true
+port = http,https
+filter = nginx-error-common
+logpath = /var/log/nginx/access.log
+maxretry = 10
+findtime = 60
+bantime = 3600
+chain = DOCKER-USER

config/fail2ban/jail.d/nginx-log.local

@@ -0,0 +1,19 @@
+[nginx-http-auth]
+enabled = true
+port = http,https
+filter = nginx-http-auth
+logpath = /var/log/nginx/error.log
+maxretry = 3
+findtime = 600
+bantime = 86400
+chain = DOCKER-USER
+
+
+
+
+
+
+
+
+
+

config/nginx/nginx.conf

@@ -0,0 +1,24 @@
+# 1. Main global section
+user  nginx;
+worker_processes  auto;
+
+# 2. **REQUIRED EVENTS BLOCK**
+events {
+    # Define how Nginx handles connections
+    worker_connections  1024;
+}
+
+# 3. HTTP context (where your server blocks go)
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent"';   
+    sendfile        on;
+    keepalive_timeout  65;
+    
+    resolver 127.0.0.11 valid=5s ipv6=off;
+    # Include your server configuration files (like develop.conf)
+    include /etc/nginx/conf.d/*.conf;
+}

docker-compose.yml

@@ -0,0 +1,58 @@
+services:
+  nginx:
+    image: nginx:latest
+    container_name: nginx-main
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - ./data/nginx.conf/:/etc/nginx/nginx.conf:ro # Nginx should only read its config
+      - ./data/.htpasswd:/etc/nginx/.htpasswd:ro
+      - ./data/conf.d/:/etc/nginx/conf.d/:ro
+      - ./data/certbot/www:/var/www/certbot/:ro
+      - ./data/certbot/conf:/etc/letsencrypt/:ro
+      - /prod/data/docs/:/var/www/html/docs.nxs.solutions/:ro
+      - ./logs/:/var/log/nginx/:rw
+    networks:
+      - fast-services
+    restart: always
+
+  certbot:
+    image: certbot/certbot
+    container_name: certbot
+    # The container will not run automatically; it's used for one-off commands
+    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $!; done;'"
+    volumes:
+      # Must be read-write for certbot to place challenge files
+      - ./data/certbot/www:/var/www/certbot/:rw
+      # Must be read-write for certbot to store and renew certificates
+      - ./data/certbot/conf:/etc/letsencrypt/:rw
+    # Only runs when explicitly called or for renewal cronjob
+    restart: unless-stopped
+    networks:
+      - fast-services
+
+  fail2ban:
+      image: crazymax/fail2ban:latest
+      container_name: fail2ban
+      # Required for Fail2Ban to modify host firewall rules
+      network_mode: host
+      cap_add:
+        - NET_ADMIN
+        - NET_RAW
+      # Ensure it always restarts
+      restart: always
+      volumes:
+        # 1. Mount the Nginx logs from the host (Read-Only)
+        - ./logs:/var/log/nginx:ro
+        # 2. Persist Fail2Ban's configuration and database
+        - /var/log/auth.log:/var/log/auth.log:ro
+        - /prod/gitea/logs/access.log:/var/log/gitea/access.log:ro
+        - ./data/fail2ban:/data
+      environment:
+        # Optional: set timezone
+        - TZ=Europe/Berlin
+
+networks:
+  fast-services:
+    external: true