Merge pull request #1 from lleene/acme-dns-01

Acme dns 01

README.md

@@ -0,0 +1,2 @@
+
+

TODO.md

@@ -1,6 +1,12 @@
+# Notes
+
+Next cloud reccomends you install imagemagic:
+
+docker-compose exec nextcloud apt -y update
+docker-compose exec nextcloud apt -y install libmagickcore-6.q16-6-extra
 
 # Startup after docker compose
 
  - Create admin email account
  - Update dkim and DNS records
-
+ - Get and configure SendGrid SMTP relay

config/gitea.ini

@@ -1,94 +0,0 @@
-APP_NAME = Gitea: Git with a cup of tea
-RUN_MODE = prod
-RUN_USER = git
-
-[repository]
-ROOT = /data/git/repositories
-
-[repository.local]
-LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
-
-[repository.upload]
-TEMP_PATH = /data/gitea/uploads
-
-[server]
-APP_DATA_PATH    = /data/gitea
-DOMAIN           = localhost
-SSH_DOMAIN       = localhost
-HTTP_PORT        = 3000
-ROOT_URL         = http://localhost:3000/
-DISABLE_SSH      = false
-SSH_PORT         = 22
-SSH_LISTEN_PORT  = 22
-LFS_START_SERVER = true
-LFS_JWT_SECRET   = 13R03sc6ZlnDkBFwKup2PoeT3eOggjn2oEmkOSjkQsE
-OFFLINE_MODE     = false
-
-[database]
-PATH     = /data/gitea/gitea.db
-DB_TYPE  = postgres
-HOST     = database:5432
-NAME     = gitea
-USER     = gitea
-PASSWD   = "hear397sew"
-LOG_SQL  = false
-SCHEMA   = 
-SSL_MODE = disable
-CHARSET  = utf8
-
-[indexer]
-ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
-
-[session]
-PROVIDER_CONFIG = /data/gitea/sessions
-PROVIDER        = file
-
-[picture]
-AVATAR_UPLOAD_PATH            = /data/gitea/avatars
-REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
-ENABLE_FEDERATED_AVATAR       = false
-
-[attachment]
-PATH = /data/gitea/attachments
-
-[log]
-MODE      = console
-LEVEL     = info
-ROUTER    = console
-ROOT_PATH = /data/gitea/log
-
-[security]
-INSTALL_LOCK                  = true
-SECRET_KEY                    = 
-REVERSE_PROXY_LIMIT           = 1
-REVERSE_PROXY_TRUSTED_PROXIES = *
-INTERNAL_TOKEN                = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE2NjcxMjI4NDN9.2POH2B9XRVJQx5Ixymbz1iNT7D8OOPiaJNnk1ELTM8s
-PASSWORD_HASH_ALGO            = pbkdf2
-
-[service]
-DISABLE_REGISTRATION              = false
-REQUIRE_SIGNIN_VIEW               = false
-REGISTER_EMAIL_CONFIRM            = false
-ENABLE_NOTIFY_MAIL                = false
-ALLOW_ONLY_EXTERNAL_REGISTRATION  = false
-ENABLE_CAPTCHA                    = false
-DEFAULT_KEEP_EMAIL_PRIVATE        = false
-DEFAULT_ALLOW_CREATE_ORGANIZATION = true
-DEFAULT_ENABLE_TIMETRACKING       = true
-NO_REPLY_ADDRESS                  = noreply.localhost
-
-[lfs]
-PATH = /data/git/lfs
-
-[mailer]
-ENABLED = false
-
-[openid]
-ENABLE_OPENID_SIGNIN = true
-ENABLE_OPENID_SIGNUP = true
-
-[repository.pull-request]
-DEFAULT_MERGE_STYLE = merge
-
-[repository.signing]
-DEFAULT_TRUST_MODEL = committer

config/hugo/Dockerfile

@@ -6,16 +6,17 @@ LABEL maintainer="Lieuwe Leene <lieuwe@leene.dev>"
 ARG HUGO_BASE="localhost"
 ARG SSL_ALGO=secp521r1
 
-RUN wget -O - "https://github.com/gohugoio/hugo/releases/download/$(wget -O - https://api.github.com/repos/gohugoio/hugo/releases/latest | grep -om 1 "/v[0-9.]*/hugo_[0-9.]*_Linux-64bit.tar.gz")" | tar -xz -C /tmp \
+RUN wget -O - "https://github.com/gohugoio/hugo/releases/download/$(wget -O - https://api.github.com/repos/gohugoio/hugo/releases/latest | grep -om 1 "v[0-9.]*/hugo_extended_[0-9.]*_Linux-64bit.tar.gz")" | tar -xz -C /tmp \
     && mkdir -p /usr/local/sbin \
     && mv /tmp/hugo /usr/local/sbin/hugo \
     && rm -rf /tmp/${HUGO_ID}_linux_amd64 \
     && rm -rf /tmp/LICENSE.md \
     && rm -rf /tmp/README.md
 
-RUN apk add --update git asciidoctor libc6-compat libstdc++ \
+RUN apk add --update git gcompat asciidoctor libc6-compat libstdc++ \
     && apk upgrade \
     && apk add --no-cache ca-certificates \
+    && ln -s /lib/libc.so.6 /usr/lib/libresolv.so.2 \
     && git clone https://github.com/lleene/hugo-site.git /src \
     && git clone https://github.com/lleene/hermit.git /src/themes/hermit \
     && /usr/local/sbin/hugo -b ${BASE_URL}/ -s /src -d /public --minify
@@ -24,7 +25,7 @@ RUN apk update && \
     apk add --no-cache openssl && \
     rm -rf /var/cache/apk/*
 
-RUN mkdir -p /etc/letsencrypt/live
+WORKDIR /etc/letsencrypt/live
 
 RUN openssl ecparam -name ${SSL_ALGO} -genkey | openssl pkey -out /etc/letsencrypt/live/ecprivkey.pem && \
     openssl pkey -in /etc/letsencrypt/live/ecprivkey.pem -pubout -out /etc/letsencrypt/live/ecpubkey.pem 

config/mail/postfix-policyd-spf.conf

@@ -0,0 +1,2 @@
+Whitelist = 192.168.0.0/31,192.168.1.0/30
+Domain_Whitelist = dockerize_internalnet

config/nginx/Dockerfile

@@ -0,0 +1,8 @@
+FROM python:3.6
+
+LABEL description="Certbot + nginxproxy soft-linker."
+LABEL maintainer="Lieuwe Leene <lieuwe@leene.dev>"
+
+COPY ./link_certificates.py /usr/bin/link_certificates.py
+
+RUN python /usr/bin/link_certificates.py /etc/letsencrypt/live

config/nginx/credentials.ini

@@ -0,0 +1 @@
+dns_google_domains_access_token = $GOOGLE_ACCESS_TOKEN

config/nginx/gitea_location

@@ -0,0 +1,6 @@
+
+proxy_redirect off;
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;

config/nginx/inbox_location

@@ -11,7 +11,7 @@ location ~ \.php$ {
     fastcgi_keep_conn on;
     fastcgi_split_path_info ^(.+\.php)(.*)$;
     fastcgi_index index.php;
-    fastcgi_pass inbox.zathura.leene.dev;
+    fastcgi_pass inbox.leene.dev;
     fastcgi_param PATH_INFO $fastcgi_path_info;
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
     include fastcgi_params;

config/nginx/link_certificates.py

@@ -0,0 +1,31 @@
+#!/usr/bin/env python3
+
+import os
+import sys
+import shutil
+
+cert_dir = "/etc/letsencrypt/live"
+
+def main():
+    if not os.access(cert_dir, os.W_OK) or not os.path.isdir(cert_dir):
+        raise RuntimeError(f"Cannot access certificat directory: {cert_dir}.")
+    base_domain = sys.argv[1]
+    key_file = os.path.join(cert_dir, base_domain, "privkey.pem")
+    cert_file = os.path.join(cert_dir, base_domain, "fullchain.pem")
+    for domain in sys.argv[2:]:
+        print(f"linking {domain} in {base_domain}")
+        symlink = os.path.join(cert_dir, f"{domain}.{base_domain}.key")
+        if os.path.isfile(symlink):
+            os.remove(symlink)
+        shutil.copy(key_file, symlink)
+        symlink = os.path.join(cert_dir, f"{domain}.{base_domain}.crt")
+        if os.path.isfile(symlink):
+            os.remove(symlink)
+        shutil.copy(cert_file, symlink)
+
+
+
+if __name__ == "__main__":
+    sys.exit(main())
+
+# eof

config/nginx/nextcloud_location

@@ -49,7 +49,7 @@ location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|u
     fastcgi_param modHeadersAvailable true;
     # Enable pretty urls
     fastcgi_param front_controller_active true;
-    fastcgi_pass nextcloud.zathura.leene.dev;
+    fastcgi_pass nextcloud.leene.dev;
     fastcgi_intercept_errors on;
     fastcgi_request_buffering off;
 }

docker-compose.yaml

@@ -1,19 +1,30 @@
 version: "3.8"
 
-
 networks:
   internalnet:
     driver: bridge
     enable_ipv6: false
 
-
-x-mail: &defaults
-  restart: always
+x-mail:
+  &defaults
+  restart: unless-stopped
   env_file: local.env
   networks:
     - internalnet
 
 services:
+
+  certbot:
+    <<: *defaults
+    image: certbot/dns-cloudflare
+    container_name: certbot
+    command: certonly --non-interactive --dns-cloudflare --dns-cloudflare-credentials /config/credentials.ini --agree-tos --email admin@${NGINX_HOST} -d ${NGINX_HOST} -d lieuwe.${NGINX_HOST} -d mail.${NGINX_HOST} -d inbox.${NGINX_HOST} -d nextcloud.${NGINX_HOST} -d git.${NGINX_HOST} -d autodiscover.${NGINX_HOST} --server https://acme-v02.api.letsencrypt.org/directory
+    volumes:
+      - certbot_state:/var/lib/letsencrypt:z
+      - nginx_archive:/etc/letsencrypt/archive:z
+      - nginx_certs:/etc/letsencrypt/live:z
+      - ./config/nginx/credentials.ini:/config/credentials.ini:z
+
   hugo-html:
     networks:
       - internalnet
@@ -24,7 +35,6 @@ services:
         HUGO_BASE: lieuwe.${NGINX_HOST}
     volumes:
       - hugo_data:/public:z
-      - nginx_certs:/etc/letsencrypt/live:z
 
   hugo-site:
     <<: *defaults
@@ -53,6 +63,11 @@ services:
       - ./config/pg-init-scripts:/docker-entrypoint-initdb.d:ro,z
     ports:
       - "5432:5432"
+    healthcheck:
+      test: "pg_isready"
+      timeout: 45s
+      interval: 10s
+      retries: 10
 
   nextcloud:
     <<: *defaults
@@ -75,7 +90,8 @@ services:
       - SMTP_NAME=admin@${NGINX_HOST}
       - SMTP_PASSWORD=${SQL_PSWD}
     depends_on:
-      - pgsqlserver
+      pgsqlserver:
+        condition: service_healthy
     links:
       - pgsqlserver
     expose:
@@ -92,14 +108,23 @@ services:
       - VIRTUAL_HOST=git.${NGINX_HOST}
       - VIRTUAL_PORT=3000
       - LETSENCRYPT_HOST=git.${NGINX_HOST}
+      - GITEA__mailer__PASSWD=${SQL_PSWD}
+      - GITEA__server__DOMAIN=git.${NGINX_HOST}
+      - GITEA__server__SSH_DOMAIN=git.${NGINX_HOST}
+      - GITEA__server__ROOT_URL=https://git.${NGINX_HOST}/
+      - GITEA__server__CERT_FILE=/etc/letsencrypt/live/git.${NGINX_HOST}.crt
+      - GITEA__server__KEY_FILE=/etc/letsencrypt/live/git.${NGINX_HOST}.key
     volumes:
       - gitea_data:/data:z
+      - nginx_archive:/etc/letsencrypt/archive:ro,z
+      - nginx_certs:/etc/letsencrypt/live:ro,z
     expose:
       - "3000"
     ports:
       - "222:22"
     depends_on:
-      - pgsqlserver
+      pgsqlserver:
+        condition: service_healthy
     links:
       - pgsqlserver
 
@@ -116,7 +141,8 @@ services:
       - ROUNDCUBEMAIL_SMTP_SERVER=tls://${NGINX_HOST}
       - ROUNDCUBEMAIL_DB_PASSWORD=${SQL_PSWD}
     depends_on:
-      - pgsqlserver
+      pgsqlserver:
+        condition: service_healthy
     links:
       - pgsqlserver
     expose:
@@ -133,6 +159,11 @@ services:
     hostname: inbox
     domainname: ${NGINX_HOST}
     environment:
+      - VIRTUAL_HOST=mail.${NGINX_HOST}
+      - LETSENCRYPT_HOST=mail.${NGINX_HOST}
+      - SSL_TYPE=manual
+      - SSL_CERT_PATH=/etc/letsencrypt/live/mail.${NGINX_HOST}.crt
+      - SSL_KEY_PATH=/etc/letsencrypt/live/mail.${NGINX_HOST}.key
       - POSTMASTER_ADDRESS=admin@${NGINX_HOST}
       - RELAY_PASSWORD=${SENDGRID_APIKEY}
     ports:
@@ -141,18 +172,18 @@ services:
       - "587:587"
       - "993:993"
     volumes:
+      - nginx_archive:/etc/letsencrypt/archive:ro,z
       - nginx_certs:/etc/letsencrypt/live:ro,z
       - mail_data:/var/mail/:z
       - mail_state:/var/mail-state/:z
       - mail_config:/tmp/docker-mailserver/:z
+      - ./config/mail/postfix-policyd-spf.conf:/etc/postfix-policyd-spf-python/policyd-spf.conf:ro,z
     cap_add:
       - NET_ADMIN
-    depends_on:
-      - ddnsgd
 
   reverse-proxy:
     <<: *defaults
-    image: nginxproxy/nginx-proxy
+    image: nginxproxy/nginx-proxy:1.2.3
     container_name: nginx-proxy
     environment:
       - DEFAULT_EMAIL=admin@${NGINX_HOST}
@@ -163,6 +194,7 @@ services:
       - nginx_html:/usr/share/nginx/html:z
       - nginx_conf:/etc/nginx/conf.d/:z
       - nginx_dhparam:/etc/nginx/dhparam:z
+      - nginx_archive:/etc/nginx/archive/:ro,z
       - nginx_certs:/etc/nginx/certs/:z
       - nginx_vhost:/etc/nginx/vhost.d/:z
       - mail_html:/var/www/roundcube:z
@@ -171,57 +203,14 @@ services:
       - ./config/nginx/nextcloud_location:/etc/nginx/vhost.d/nextcloud.${NGINX_HOST}_location:ro,z
       - ./config/nginx/header_default:/etc/nginx/vhost.d/default:z
       - /var/run/docker.sock:/tmp/docker.sock:ro,z
-    depends_on:
-      - ddnsgd
-
-  acme-companion:
-    <<: *defaults
-    image: nginxproxy/acme-companion
-    container_name: nginx-proxy-acme
-    volumes_from:
-      - reverse-proxy
-    volumes:
-      - acme-state:/etc/acme.sh
-      - /var/run/docker.sock:/var/run/docker.sock:ro,z
-    depends_on:
-      - ddnsgd
-
-  ddnsgd:
-    <<: *defaults
-    container_name: "ddnsgd"
-    image: "ghcr.io/dominickbrasileiro/ddnsgd"
-    environment:
-      - HOSTNAME=${NGINX_HOST}
-      - USERNAME=${GDNS_USERNAME}
-      - PASSWORD=${GDNS_PASSWORD}
-
-  autodiscover:
-    <<: *defaults
-    image: monogramm/autodiscover-email-settings:latest
-    container_name: autodiscover
-    environment:
-      - VIRTUAL_HOST=autodiscover.${NGINX_HOST},autoconfig.${NGINX_HOST}
-      - VIRTUAL_PORT=8000
-      - LETSENCRYPT_HOST=autodiscover.${NGINX_HOST},autoconfig.${NGINX_HOST}
-      - DOMAIN=${NGINX_HOST}
-      - IMAP_HOST=mail.${NGINX_HOST}
-      - IMAP_PORT=993
-      - IMAP_SOCKET=SSL
-      - POP_HOST=mail.${NGINX_HOST}
-      - POP_PORT=995
-      - POP_SOCKET=SSL
-      - SMTP_HOST=mail.${NGINX_HOST}
-      - SMTP_PORT=587
-      - SMTP_SOCKET=STARTTLS
-    expose:
-      - "8000"
 
 volumes:
-  acme-state:
+  certbot_state:
+  nginx_archive:
+  nginx_certs:
   gitea_data:
   hugo_data:
   nextcloud_data:
-  nginx_certs:
   nginx_dhparam:
   nginx_html:
   nginx_conf:

local.env

@@ -1,8 +1,7 @@
+
 ## Docker Env
 PERMIT_DOCKER=network
 
-## Google Dynamic DNS
-INTERVAL=900
 
 ## Mail Server Env
 POSTFIX_INET_PROTOCOLS=ipv4
@@ -16,13 +15,14 @@ ENABLE_SASLAUTHD=0
 ONE_DIR=1
 TLS_LEVEL=modern
 ENABLE_UPDATE_CHECK=1
-SSL_TYPE=letsencrypt
 SPOOF_PROTECTION=1
-ENABLE_POP3=1
 POSTSCREEN_ACTION=ignore
 ENABLE_DNSBL=0
 ENABLE_QUOTAS=0
+ENABLE_POP3=0
 
+
+## Email Relay
 RELAY_HOST=smtp.sendgrid.net
 RELAY_PORT=587
 RELAY_USER=apikey
@@ -32,6 +32,7 @@ RELAY_USER=apikey
 POSTGRES_USER="pgadmin"
 POSTGRES_INITDB_ARGS="--auth-host=scram-sha-256 --auth-local=scram-sha-256"
 
+
 ## Round Cube Env
 ROUNDCUBEMAIL_DB_TYPE=pgsql
 ROUNDCUBEMAIL_DB_NAME=roundcube
@@ -39,6 +40,22 @@ ROUNDCUBEMAIL_DB_USER=roundcube
 ROUNDCUBEMAIL_SKIN=elastic
 ROUNDCUBEMAIL_ASPELL_DICTS=en
 
+
 ## NGINX Reverse Proxy
 NGINX_PROXY_CONTAINER=nginx-proxy
 LETSENCRYPT_RESTART_CONTAINER=true
+ENABLE_IPV6=false
+
+
+## GITEA Setup
+GITEA__server__HTTP_PORT        = 3000
+GITEA__server__DISABLE_SSH      = false
+GITEA__server__SSH_PORT         = 222
+GITEA__server__SSH_LISTEN_PORT  = 222
+GITEA__server__DISABLE_REGISTRATION = true
+
+GITEA__mailer__ENABLED                 = true
+GITEA__mailer__PROTOCOL                = sendmail
+GITEA__mailer__FROM                    = admin@leene.dev
+GITEA__mailer__SENDMAIL_ARGS           = -S mailserver --
+