From 3c1cad4bd77edd44c716383f748ee59967e1d10d Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sat, 31 Jul 2021 14:28:04 -0400 Subject: [PATCH 1/9] portal --- base.yml | 34 ++++++++++++++++ compose/production/portal/Dockerfile | 8 ++++ compose/production/portal/default.conf | 29 ++++++++++++++ compose/production/portal/run.sh | 54 ++++++++++++++++++++++++++ 4 files changed, 125 insertions(+) create mode 100644 compose/production/portal/Dockerfile create mode 100644 compose/production/portal/default.conf create mode 100755 compose/production/portal/run.sh diff --git a/base.yml b/base.yml index 035a6e8..76a5f39 100644 --- a/base.yml +++ b/base.yml 
@@ -84,6 +84,40 @@ services: #- --serversTransport.insecureSkipVerify=true restart: unless-stopped + portal: + build: + context: ./compose/production/portal/ + dockerfile: Dockerfile + image: mistborn_production_portal + container_name: mistborn_production_portal + ports: + - "10.2.3.1:5001:80" + environment: + - SERVER_REDIRECT=home.mistborn + # optionally define path to redirect all requests + # if not set nginx var $request_uri is used + #- SERVER_REDIRECT_PATH=/landingpage + # optionally define schema to redirect all requests + # if not set but X-Forwarded-Proto is send as request header with value 'https' this will be used. + # In all other cases nginx var `$scheme` is used + #- SERVER_REDIRECT_SCHEME=https + # optionally define the http code to use for redirection + # allowed Codes are: 301, 302, 303, 307, 308, default is 301 + #- SERVER_REDIRECT_CODE=301 + # optionally define the http code to redirect POST requests + # if not set or not in allowed Codes, SERVER_REDIRECT_CODE will be used + #- SERVER_REDIRECT_POST_CODE= + # optionally define the http code to redirect PUT, PATCH and DELETE requests + # if not set or not in allowed Codes, SERVER_REDIRECT_CODE will be used + #- SERVER_REDIRECT_PUT_PATCH_DELETE_CODE= + # optionally define the location for the nginx access log + # if not set /dev/stdout is used + #- SERVER_ACCESS_LOG=/dev/null + # optionally define the location for the nginx error log + # if not set /dev/stderr is used + #- SERVER_ERROR_LOG=/dev/null + restart: unless-stopped + redis: image: redis:5.0 container_name: mistborn_production_redis diff --git a/compose/production/portal/Dockerfile b/compose/production/portal/Dockerfile new file mode 100644 index 0000000..99a9b76 --- /dev/null +++ b/compose/production/portal/Dockerfile @@ -0,0 +1,8 @@ +FROM nginx:alpine + +ADD run.sh /run.sh +ADD default.conf /etc/nginx/conf.d/default.conf + +RUN chmod +x /run.sh + +CMD ["/run.sh"] \ No newline at end of file 
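Review bot: With `SERVER_REDIRECT_SCHEME` left commented out, the comment a few lines down says the redirect scheme is taken from the request's X-Forwarded-Proto header, yet this service is published straight on `10.2.3.1:5001` with no Traefik labels, so that header arrives from the client rather than from a trusted proxy. The consequence is only that a client can pick http or https in the Location header it receives, which is harmless, but there is no reason to keep a client-controlled input in the redirect at all; setting `- SERVER_REDIRECT_SCHEME=https` (or whichever scheme home.mistborn actually serves) pins it. I am inferring the absence of a proxy from the visible `ports:` mapping; if another hop is placed in front later, the header map in default.conf would need a trusted-proxy restriction instead.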
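Review bot: `ADD run.sh /run.sh` and `ADD default.conf /etc/nginx/conf.d/default.conf` copy plain local files, which is what `COPY` is for; `ADD` additionally fetches URLs and transparently unpacks archives, behaviour that is not wanted here and that hadolint flags (DL3020). Replacing the two lines with `COPY run.sh /run.sh` and `COPY default.conf /etc/nginx/conf.d/default.conf` keeps the build identical while removing the surprise. The separate `RUN chmod +x /run.sh` layer could be folded into `COPY --chmod=755 run.sh /run.sh` where BuildKit is available, but that is a builder-version question rather than a defect.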
diff --git a/compose/production/portal/default.conf b/compose/production/portal/default.conf new file mode 100644 index 0000000..be0b82b --- /dev/null +++ b/compose/production/portal/default.conf @@ -0,0 +1,29 @@ +map $http_x_forwarded_proto $redirect_scheme { + default $scheme; + https https; +} + +server { + listen 80; + listen [::]:80; + server_name ${SERVER_NAME}; + + # cherry picked from https://github.com/schmunk42/docker-nginx-redirect/pull/8 + if ($request_method = POST) { + return ${SERVER_REDIRECT_POST_CODE} ${SERVER_REDIRECT_SCHEME}://${SERVER_REDIRECT}${SERVER_REDIRECT_PATH}; + } + + if ($request_method ~ PUT|PATCH|DELETE) { + return ${SERVER_REDIRECT_PUT_PATCH_DELETE_CODE} ${SERVER_REDIRECT_SCHEME}://${SERVER_REDIRECT}${SERVER_REDIRECT_PATH}; + } + + return ${SERVER_REDIRECT_CODE} ${SERVER_REDIRECT_SCHEME}://${SERVER_REDIRECT}${SERVER_REDIRECT_PATH}; + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + +} \ No newline at end of file diff --git a/compose/production/portal/run.sh b/compose/production/portal/run.sh new file mode 100755 index 0000000..6ff495a --- /dev/null +++ b/compose/production/portal/run.sh 
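Review bot: The `map $http_x_forwarded_proto $redirect_scheme` block honours X-Forwarded-Proto from whoever connects, and nothing in this file (no `set_real_ip_from`/`real_ip_header`) limits that to a proxy, so with the direct port mapping in base.yml a client chooses the scheme of its own redirect; the impact is small, but a fixed `SERVER_REDIRECT_SCHEME` sidesteps it entirely. The `error_page 500 502 503 504 /50x.html` and `location = /50x.html` stanzas sit after an unconditional server-level `return`, so they are effectively dead and can be dropped. Adding `server_tokens off;` inside the `server` block would also keep the nginx version out of the redirect response's Server header. The unresolved `${...}` tokens mean this file is not valid nginx on its own; a leading comment such as `# ${...} placeholders are filled in by /run.sh at container start` would say so.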
@@ -0,0 +1,54 @@ +#!/usr/bin/env sh + +if [ ! -n "$SERVER_REDIRECT" ] ; then + echo "Environment variable SERVER_REDIRECT is not set, exiting." + exit 1 +fi + +# set server name from optional ENV var +if [ ! -n "$SERVER_NAME" ] ; then + SERVER_NAME='localhost' +fi + +# set redirect code from optional ENV var +# allowed Status Codes are: 301, 302, 303, 307, 308 +expr match "$SERVER_REDIRECT_CODE" '30[12378]$' > /dev/null || SERVER_REDIRECT_CODE='301' + +# set redirect code from optional ENV var for POST requests +expr match "$SERVER_REDIRECT_POST_CODE" '30[12378]$' > /dev/null || SERVER_REDIRECT_POST_CODE=$SERVER_REDIRECT_CODE + +# set redirect code from optional ENV var for PUT, PATCH and DELETE requests +expr match "$SERVER_REDIRECT_PUT_PATCH_DELETE_CODE" '30[12378]$' > /dev/null || SERVER_REDIRECT_PUT_PATCH_DELETE_CODE=$SERVER_REDIRECT_CODE + +# set redirect path from optional ENV var +if [ ! -n "$SERVER_REDIRECT_PATH" ] ; then + SERVER_REDIRECT_PATH='$request_uri' +fi + +# set redirect scheme from optional ENV var +if [ ! -n "$SERVER_REDIRECT_SCHEME" ] ; then + SERVER_REDIRECT_SCHEME='$redirect_scheme' +fi + +# set access log location from optional ENV var +if [ ! -n "$SERVER_ACCESS_LOG" ] ; then + SERVER_ACCESS_LOG='/dev/stdout' +fi + +# set error log location from optional ENV var +if [ ! 
-n "$SERVER_ERROR_LOG" ] ; then + SERVER_ERROR_LOG='/dev/stderr' +fi + +sed -i "s|\${SERVER_REDIRECT}|${SERVER_REDIRECT}|" /etc/nginx/conf.d/default.conf +sed -i "s|\${SERVER_NAME}|${SERVER_NAME}|" /etc/nginx/conf.d/default.conf +sed -i "s|\${SERVER_REDIRECT_CODE}|${SERVER_REDIRECT_CODE}|" /etc/nginx/conf.d/default.conf +sed -i "s|\${SERVER_REDIRECT_POST_CODE}|${SERVER_REDIRECT_POST_CODE}|" /etc/nginx/conf.d/default.conf +sed -i "s|\${SERVER_REDIRECT_PUT_PATCH_DELETE_CODE}|${SERVER_REDIRECT_PUT_PATCH_DELETE_CODE}|" /etc/nginx/conf.d/default.conf +sed -i "s|\${SERVER_REDIRECT_PATH}|${SERVER_REDIRECT_PATH}|" /etc/nginx/conf.d/default.conf +sed -i "s|\${SERVER_REDIRECT_SCHEME}|${SERVER_REDIRECT_SCHEME}|" /etc/nginx/conf.d/default.conf + +ln -sfT "$SERVER_ACCESS_LOG" /var/log/nginx/access.log +ln -sfT "$SERVER_ERROR_LOG" /var/log/nginx/error.log + +exec nginx -g 'daemon off;' \ No newline at end of file From c141d033cfc72782c9901fdc8aa03e13cd027b72 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sat, 31 Jul 2021 15:15:33 -0400 Subject: [PATCH 2/9] userland binaries --- scripts/subinstallers/iptables.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/subinstallers/iptables.sh b/scripts/subinstallers/iptables.sh index ba7784e..a5dad87 100755 --- a/scripts/subinstallers/iptables.sh +++ b/scripts/subinstallers/iptables.sh @@ -11,6 +11,9 @@ if [ "$DISTRO" == "ubuntu" ]; then sudo systemctl disable ufw || true fi +# make sure user land binaries installed +sudo apt-get install -y iptables ip6tables + # default interface iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}') From 12b0de7a35fe7ef9e07ceade936b89f85aff537c Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sat, 31 Jul 2021 15:17:26 -0400 Subject: [PATCH 3/9] nginx version --- compose/production/portal/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/compose/production/portal/Dockerfile b/compose/production/portal/Dockerfile index 99a9b76..5f5edeb 100644 --- a/compose/production/portal/Dockerfile +++ b/compose/production/portal/Dockerfile @@ -1,4 +1,4 @@ -FROM nginx:alpine +FROM nginx:1.21.1-alpine ADD run.sh /run.sh ADD default.conf /etc/nginx/conf.d/default.conf From 4a5306d6b8e80409a0f6c829e306058c13238875 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sat, 31 Jul 2021 15:21:22 -0400 Subject: [PATCH 4/9] ip6tables --- scripts/subinstallers/iptables.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/subinstallers/iptables.sh b/scripts/subinstallers/iptables.sh index a5dad87..9c06dc7 100755 --- a/scripts/subinstallers/iptables.sh +++ b/scripts/subinstallers/iptables.sh @@ -12,7 +12,7 @@ if [ "$DISTRO" == "ubuntu" ]; then fi # make sure user land binaries installed -sudo apt-get install -y iptables ip6tables +sudo apt-get install -y iptables # default interface iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}') From ee13370587150a880a40b8cf9e2fa4f365e9526c Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sat, 31 Jul 2021 15:54:34 -0400 Subject: [PATCH 5/9] portal env --- scripts/subinstallers/gen_prod_env.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/subinstallers/gen_prod_env.sh b/scripts/subinstallers/gen_prod_env.sh index d185c32..b663321 100755 --- a/scripts/subinstallers/gen_prod_env.sh +++ b/scripts/subinstallers/gen_prod_env.sh 
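Review bot: The ip6tables package is removed from the install line without a word about why, and the `# make sure user land binaries installed` comment above gives no hint that IPv6 is still covered. If the reason is that the ip6tables binary ships inside the iptables package on the supported distributions, saying so stops the next maintainer from re-adding it: `# ip6tables is provided by the iptables package; there is no separate package`. I cannot confirm the package layout from the hunk, so adjust the wording to what was actually found.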
@@ -21,8 +21,8 @@ echo "#MAILGUN_API_KEY=" >> $DJANGO_PROD_FILE echo "#MAILGUN_API_URL=" >> $DJANGO_PROD_FILE echo "#SENTRY_DNS=" >> $DJANGO_PROD_FILE echo "MISTBORN_INSTALL_COCKPIT=$MISTBORN_INSTALL_COCKPIT" >> $DJANGO_PROD_FILE -echo "MISTBORN_PORTAL_IP=10.2.3.1" >> $DJANGO_PROD_FILE -echo "MISTBORN_PORTAL_PORT=5000" >> $DJANGO_PROD_FILE +#echo "MISTBORN_PORTAL_IP=10.2.3.1" >> $DJANGO_PROD_FILE +#echo "MISTBORN_PORTAL_PORT=5001" >> $DJANGO_PROD_FILE chmod 600 $DJANGO_PROD_FILE # generate production .env file for postgresql From 288ee9468c3fc18978af11f1076f5ed8d7ceba58 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sat, 31 Jul 2021 18:58:59 -0400 Subject: [PATCH 6/9] portal redirect port --- scripts/subinstallers/gen_prod_env.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/subinstallers/gen_prod_env.sh b/scripts/subinstallers/gen_prod_env.sh index b663321..b12550a 100755 --- a/scripts/subinstallers/gen_prod_env.sh +++ b/scripts/subinstallers/gen_prod_env.sh @@ -22,7 +22,7 @@ echo "#MAILGUN_API_URL=" >> $DJANGO_PROD_FILE echo "#SENTRY_DNS=" >> $DJANGO_PROD_FILE echo "MISTBORN_INSTALL_COCKPIT=$MISTBORN_INSTALL_COCKPIT" >> $DJANGO_PROD_FILE #echo "MISTBORN_PORTAL_IP=10.2.3.1" >> $DJANGO_PROD_FILE -#echo "MISTBORN_PORTAL_PORT=5001" >> $DJANGO_PROD_FILE +echo "MISTBORN_PORTAL_REDIRECT_PORT=5001" >> $DJANGO_PROD_FILE chmod 600 $DJANGO_PROD_FILE # generate production .env file for postgresql From c45a62acbcc754b0726d7e17e9b50b30e4e8634a Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sat, 31 Jul 2021 19:59:05 -0400 Subject: [PATCH 7/9] redirect path --- base.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/base.yml b/base.yml index 76a5f39..93ce3d3 100644 --- a/base.yml +++ b/base.yml 
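Review bot: `MISTBORN_PORTAL_REDIRECT_PORT=5001` is written here as a literal while base.yml publishes the portal on `${MISTBORN_DNS_BIND_IP}:5001:80`, so the two can drift silently; a comment naming the coupling, `# must match the host port of the portal service in base.yml`, is the minimum, and deriving one from the other would be better. The `#echo "MISTBORN_PORTAL_IP=10.2.3.1"` line above is now permanently commented out and should simply be deleted if the Django side no longer reads it. Separately, `chmod 600 $DJANGO_PROD_FILE` runs only after all the `echo ... >>` appends, so if the file is created earlier in the script under the default umask it is world-readable while whatever secrets the earlier lines write are being appended; `umask 077` before the first write, or creating it with `install -m 600 /dev/null "$DJANGO_PROD_FILE"`, closes that window. The file's creation is outside this hunk, so verify how it is first opened.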
@@ -96,7 +96,7 @@ services: - SERVER_REDIRECT=home.mistborn # optionally define path to redirect all requests # if not set nginx var $request_uri is used - #- SERVER_REDIRECT_PATH=/landingpage + - SERVER_REDIRECT_PATH=/ # optionally define schema to redirect all requests # if not set but X-Forwarded-Proto is send as request header with value 'https' this will be used. # In all other cases nginx var `$scheme` is used From 9caa840969245cfb8bbfe34ac032f19d4d47b0f1 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sat, 31 Jul 2021 20:19:09 -0400 Subject: [PATCH 8/9] bind ip --- base.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/base.yml b/base.yml index 93ce3d3..aa52061 100644 --- a/base.yml +++ b/base.yml @@ -13,7 +13,7 @@ services: - postgres - redis ports: - - "10.2.3.1:5000:5000/tcp" # auth access + - "${MISTBORN_DNS_BIND_IP}:5000:5000/tcp" # auth access labels: - "traefik.enable=true" - "traefik.http.routers.django-http.rule=Host(`home.mistborn`)" @@ -91,7 +91,7 @@ services: image: mistborn_production_portal container_name: mistborn_production_portal ports: - - "10.2.3.1:5001:80" + - "${MISTBORN_DNS_BIND_IP}:5001:80" environment: - SERVER_REDIRECT=home.mistborn # optionally define path to redirect all requests From ec35dc5fb91999a4057dfe801026ce5092896cc6 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sat, 31 Jul 2021 22:16:50 -0400 Subject: [PATCH 9/9] wireguard caps --- scripts/subinstallers/wireguard.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/scripts/subinstallers/wireguard.sh b/scripts/subinstallers/wireguard.sh index baedd88..b5f0d55 100755 --- a/scripts/subinstallers/wireguard.sh +++ b/scripts/subinstallers/wireguard.sh 
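Review bot: `- SERVER_REDIRECT_PATH=/` sends every request to the root of home.mistborn regardless of the path asked for, and the comments around it still only describe the unset `$request_uri` behaviour, so the intent is not recorded. A short comment on the line, `# always land on the home page; the requested path is not echoed into the redirect`, would make the choice deliberate for the next reader. Whether dropping the original path was the goal or a quick fix is not visible in the hunk.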
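Review bot: `${MISTBORN_DNS_BIND_IP}:5000:5000/tcp` and `${MISTBORN_DNS_BIND_IP}:5001:80` fall back to an empty string when the variable is missing from the Compose environment, and a mapping like `:5000:5000/tcp` is then either rejected or, worse, published on all interfaces, which for the `# auth access` port of the Django service means exposing it beyond the VPN address it was pinned to before this commit. Compose's required-variable form fails the command instead: `- "${MISTBORN_DNS_BIND_IP:?MISTBORN_DNS_BIND_IP must be set}:5000:5000/tcp"`, and the same form on the portal line. Where the variable is populated is outside this series, so this guard is the only place the file itself can enforce it.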
@@ -1,16 +1,16 @@ #!/bin/bash -figlet "Mistborn: Installing Wireguard" +figlet "Mistborn: Installing WireGuard" # if wireguard not in current repositories if ! $(sudo apt-cache show wireguard > /dev/null 2>&1) ; then # install PPAs - echo "Adding Wireguard PPAs" + echo "Adding WireGuard PPAs" # Wireguard if [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then - echo "Adding Wireguard repo keys" + echo "Adding WireGuard repo keys" sudo -E apt-get install -y dirmngr sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 8B48AD6246925553 sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 7638D0442B90D010 @@ -28,6 +28,6 @@ if ! $(sudo apt-cache show wireguard > /dev/null 2>&1) ; then fi fi -echo "Installing Wireguard" +echo "Installing WireGuard" sudo apt-get update sudo -E apt-get install -y openresolv wireguard