From dd8210e9b11ea5d531ebca90a25c5d835d3b3437 Mon Sep 17 00:00:00 2001
From: James Turland
Date: Wed, 19 Feb 2025 12:43:30 +0000
Subject: [PATCH] nginx
---
Nginx/cloudflare.ini | 5 ++
Nginx/docker-compose.yaml | 34 +++++++++++++
Nginx/it-tools/docker-compose.yaml | 13 +++++
Nginx/nginx.conf | 76 ++++++++++++++++++++++++++++++
4 files changed, 128 insertions(+)
create mode 100644 Nginx/cloudflare.ini
create mode 100644 Nginx/docker-compose.yaml
create mode 100644 Nginx/it-tools/docker-compose.yaml
create mode 100644 Nginx/nginx.conf
diff --git a/Nginx/cloudflare.ini b/Nginx/cloudflare.ini
new file mode 100644
index 0000000..902f216
--- /dev/null
+++ b/Nginx/cloudflare.ini
@@ -0,0 +1,5 @@
+# Cloudflare API credentials used by Certbot
+
+# How to generate API token:
+# https://developers.cloudflare.com/api/tokens/create
+dns_cloudflare_api_token = sdfjuhSDFjkh_sdfjSDFSD3sddjh
\ No newline at end of file
diff --git a/Nginx/docker-compose.yaml b/Nginx/docker-compose.yaml
new file mode 100644
index 0000000..d6692ca
--- /dev/null
+++ b/Nginx/docker-compose.yaml
@@ -0,0 +1,34 @@
+services:
+ certbot:
+ image: certbot/dns-cloudflare
+ volumes:
+ - ./certs:/etc/letsencrypt
+ - ./cloudflare.ini:/root/cloudflare.ini
+ command: >-
+ certonly --dns-cloudflare
+ --dns-cloudflare-credentials /root/cloudflare.ini
+ --dns-cloudflare-propagation-seconds 15
+ --email your@email.com
+ --agree-tos --no-eff-email
+ -d *.jimsgarage.co.uk
+
+ nginx:
+ image: nginx:latest
+ ports:
+ - "80:80"
+ - "443:443"
+ restart: "always"
+ logging:
+ driver: "json-file"
+ options:
+ max-size: "10m"
+ max-file: "10"
+ volumes:
+ - ./nginx.conf:/etc/nginx/nginx.conf
+ - ./certs:/etc/letsencrypt
+ networks:
+ - nginx-proxy
+
+networks:
+ nginx-proxy:
+ external: true
\ No newline at end of file
diff --git a/Nginx/it-tools/docker-compose.yaml b/Nginx/it-tools/docker-compose.yaml
new file mode 100644
index 0000000..7930f49
--- /dev/null
+++ b/Nginx/it-tools/docker-compose.yaml
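Review bot: The `dns_cloudflare_api_token` line commits a literal token value to version control; the value looks like a placeholder, but a tracked file named cloudflare.ini is exactly where a user will paste the real token and then push it. Suggest committing this as cloudflare.ini.example with an obvious placeholder such as `dns_cloudflare_api_token = <YOUR_CLOUDFLARE_API_TOKEN>` and listing cloudflare.ini in .gitignore. The file also needs owner-only permissions on the host (`chmod 600 cloudflare.ini`), since certbot's Cloudflare plugin warns when the credentials file is readable by other users, and the token should be scoped to DNS edit rights on this one zone because the file is bind-mounted into the certbot container. A two-line comment above the token stating the permission and scope requirements would make the example self-explanatory.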
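Review bot: The certbot service runs a single `certonly` and then exits, so nothing in this file renews the certificate or tells nginx to reload it; with Let's Encrypt's 90-day lifetime the `./certs` tree served by nginx will silently expire unless a `certbot renew` is run separately (document that, or add a scheduled renew followed by `nginx -s reload`). The credentials file can be mounted read-only, `- ./cloudflare.ini:/root/cloudflare.ini:ro`, since certbot only reads it. The `--email your@email.com` placeholder and the `-d *.jimsgarage.co.uk` wildcard are the values a user must change, and the certificate path in nginx.conf must agree with whatever lineage name certbot produces for that domain; a comment above `command:` naming those coupled values would help.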
@@ -0,0 +1,13 @@
+services:
+ it-tools:
+ image: 'corentinth/it-tools:latest'
+ #ports:
+ # - '8080:80'
+ restart: unless-stopped
+ container_name: it-tools
+ networks:
+ - nginx-proxy
+
+networks:
+ nginx-proxy:
+ external: true
\ No newline at end of file
diff --git a/Nginx/nginx.conf b/Nginx/nginx.conf
new file mode 100644
index 0000000..18ff707
--- /dev/null
+++ b/Nginx/nginx.conf
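Review bot: `image: 'corentinth/it-tools:latest'` (and likewise `nginx:latest` and the untagged `certbot/dns-cloudflare` in Nginx/docker-compose.yaml) floats on a mutable tag, so each `docker compose pull` can swap in a different image than the one that was tested; pin a version tag or an `@sha256:` digest, e.g. `image: 'corentinth/it-tools:<VERSION>'`. The service publishes no ports and is reachable only on the external nginx-proxy network, which is the right shape for a proxied app, but nginx.conf reaches it as `http://it-tools`, so the `container_name: it-tools` line is load-bearing; a comment such as `# name is the upstream host used in Nginx/nginx.conf` would stop a later rename from breaking the proxy.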
@@ -0,0 +1,76 @@
+worker_processes 1;
+
+events {
+ worker_connections 512;
+}
+
+http {
+ server {
+ listen 80;
+
+ root /usr/share/nginx/html/;
+ index index.html;
+
+ location / {
+ try_files $uri /index.html index.php;
+ }
+
+ ### SSL LetsEncrypt
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ http2 on;
+
+ ssl_certificate /etc/letsencrypt/live/jimsgarage.co.uk/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/jimsgarage.co.uk/privkey.pem;
+
+ ### Create the dhparam file:
+ ### openssl dhparam -out ssl-dhparams.pem 4096
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:1m; # about 4000 sessions
+ ssl_session_tickets off;
+
+ # intermediate configuration
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ }
+
+ server {
+ listen 80;
+
+ server_name it-tools.jimsgarage.co.uk;
+
+ location / {
+ proxy_pass http://it-tools;
+ }
+
+ ### SSL LetsEncrypt
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ http2 on;
+
+ ssl_certificate /etc/letsencrypt/live/jimsgarage.co.uk/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/jimsgarage.co.uk/privkey.pem;
+
+ ### Create the dhparam file:
+ ### openssl dhparam -out ssl-dhparams.pem 4096
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:1m; # about 4000 sessions
+ ssl_session_tickets off;
+
+ # intermediate configuration
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers 
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ }
+}
\ No newline at end of file
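Review bot: Both server blocks keep `listen 80;` next to the TLS listeners, so the static site and the it-tools proxy are fully served over plaintext HTTP as well as HTTPS, and the `Strict-Transport-Security` header is also emitted on the port-80 responses, where browsers ignore it. Move port 80 into a dedicated server that only redirects and drop `listen 80;` from the two application blocks, as shown below. The TLS stanza (ssl_certificate, ssl_dhparam, ssl_protocols, ssl_ciphers, ssl_session_*) is duplicated verbatim in both blocks; those directives are valid in the `http` context and could be declared there once. Separately, `try_files $uri /index.html index.php;` in the first block ends in a relative `index.php` fallback with no PHP handler configured anywhere in this file, so it should probably read `try_files $uri /index.html =404;` unless PHP is actually served.
```nginx
http {
    # Plain HTTP only redirects; the application blocks are TLS-only.
    server {
        listen 80;
        listen [::]:80;
        server_name _;
        return 301 https://$host$request_uri;
    }

    server {
        # `listen 80;` removed from this block
        root /usr/share/nginx/html/;
        # … unchanged: index, location, TLS stanza, HSTS header …
    }

    # … unchanged: it-tools server block, with its `listen 80;` removed likewise …
}
```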