first commit

.woodpecker.yml

@@ -0,0 +1,19 @@
+# woodpecker.yml
+labels:
+  hostname: "macmini7"
+clone:
+  git:
+    image: woodpeckerci/plugin-git
+    settings:
+      partial: false
+      depth: 1
+steps:
+  deploy:
+    name: deploy
+    image: docker:latest
+    secrets: [REGISTRY_USER, REGISTRY_PASSWORD]
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    commands:
+      # - docker login -u $${REGISTRY_USER} -p $${REGISTRY_PASSWORD} git.nixc.us
+      - docker stack deploy --with-registry-auth -c ./truenas.yml truenas

Dockerfile

@@ -1,7 +1,11 @@
 # Start from the official Nginx image
 FROM nginx:alpine
 
-# Copy our custom Nginx configuration
+# Copy our custom Nginx configuration and script
-COPY nginx.conf /etc/nginx/nginx.conf
+COPY nginx.conf /etc/nginx/nginx.conf.template
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+# Make the script executable
+RUN chmod +x /docker-entrypoint.sh
 
+ENTRYPOINT ["/docker-entrypoint.sh"]
 

README.md

@@ -0,0 +1,38 @@
+Nginx Reverse Proxy Setup
+
+This repository provides a setup to run an Nginx container as a reverse proxy. The backend address and port can be set via environment variables.
+Repository Structure
+
+    Dockerfile: Contains instructions to build the custom Nginx Docker image.
+    nginx.conf: Nginx configuration to set up reverse proxy using environment variables.
+    docker-compose.yml: Docker Compose configuration to build and run the Nginx container.
+
+Setup Instructions
+1. Clone the Repository
+
+To get started, first clone the repository:
+
+bash
+
+git clone https://codeberg.org/Iridium-net/lan-to-nginx.git
+cd lan-to-nginx
+
+2. Modify Environment Variables (Optional)
+
+The docker-compose.yml file has environment variables set for a backend address of 192.168.8.1 and port 80. If you want to point the reverse proxy to a different backend, modify the docker-compose.yml file and adjust the BACKEND_ADDRESS and BACKEND_PORT environment variables.
+3. Build and Run
+
+Using Docker Compose, build and run the setup:
+
+bash
+
+docker-compose up --build -d
+
+The --build flag ensures that the image is built using the provided Dockerfile. The -d flag runs the container in detached mode.
+4. Access
+
+Once the container is running, access any machine where Docker is running on port 80. It will reverse proxy the request to the backend specified (in this example, 192.168.8.1:80).
+Notes
+
+    This setup uses the image from codeberg.org/Iridium-net/lan-to-nginx:latest. If you modify the Dockerfile and wish to use the locally built image, the docker-compose.yml configuration takes care of this by specifying both a build context and an image name.
+    Make sure to adjust firewall or security group settings if you're running this in a cloud environment or behind a firewall.

docker-compose.yml

@@ -5,7 +5,7 @@ services:
     build:  
       context: .  
       dockerfile: Dockerfile  
-    image: codeberg.org/Iridium-net/lan-to-nginx:latest  
+    image: codeberg.org/iridium-net/lan-to-nginx:truenas
     environment:
       - BACKEND_ADDRESS=192.168.8.1 # Replace with your backend address
       - BACKEND_PORT=80  # Replace with your backend port

docker-entrypoint.sh

@@ -0,0 +1,18 @@
+#!/bin/sh
+# Default to HTTP if PROTOCOL is not set
+PROTOCOL="${PROTOCOL:-http}"
+
+# Replace placeholders with environment variable values
+envsubst '$BACKEND_ADDRESS $BACKEND_PORT $PROTOCOL $MATOMO_URL $MATOMO_SITE_ID' < /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf
+# Substitute environment variables in matomo.js
+envsubst '$MATOMO_URL $MATOMO_SITE_ID' < /matomo.js.template > /matomo.js
+
+# Start nginx in the foreground
+curl -k -I $PROTOCOL://$BACKEND_ADDRESS:$BACKEND_PORT
+echo checking nginx modules
+nginx -V 2>&1 | grep -o http_sub_module
+echo /matomo.js
+cat /matomo.js
+echo /etc/nginx/nginx.conf
+cat /etc/nginx/nginx.conf
+exec nginx -g 'daemon off;'

nginx.conf

@@ -6,23 +6,39 @@ events {
 }
 
 http {
-    include       /etc/nginx/mime.types;
     default_type  application/octet-stream;
 
-    # Load environment variables
-    env BACKEND_ADDRESS;
-    env BACKEND_PORT;
-
     server {
         listen 80;
 	
+	add_header Content-Security-Policy "default-src * 'unsafe-inline' 'unsafe-eval'; img-src * data:; font-src * data:;";
+#	add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://ack.nixc.us; style-src 'self'; img-src 'self'; font-src 'self'; connect-src 'self'; frame-ancestors 'self'; form-action 'self';";
+        # Define MIME type
+        types {
+            text/html html htm shtml;
+        }
+
         location / {
-            # Use the environment variables for the proxy pass
+            # Use the placeholders for the proxy pass
-            proxy_pass http://$BACKEND_ADDRESS:$BACKEND_PORT;
+            proxy_pass ${PROTOCOL}://${BACKEND_ADDRESS}:${BACKEND_PORT};
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "Upgrade";
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header Accept-Encoding "";
+            proxy_buffering off;
+            proxy_ssl_verify off;  # Skip SSL verification, be cautious
+
+            # Enable response body filtering
+            sub_filter_once off;
+
+            # Inject the Matomo content just before </head>
+            sub_filter '</body>' '<script async src="https://ack.nixc.us/tracker.js" data-ackee-server="https://ack.nixc.us" data-ackee-domain-id="9608c1ff-b08c-4781-ae7e-cee6eb415bf3"></script></body>';
+            sub_filter_types application/xml application/json text/css text/javascript application/javascript text/plain;
+
         }
+
     }
 }
-

truenas.yml

@@ -0,0 +1,96 @@
+version: "3.9"
+
+networks:
+  traefik:
+    external: true
+
+services:
+  truenas:
+    image: codeberg.org/iridium-net/lan-to-nginx:truenas
+    environment:
+      - BACKEND_ADDRESS=192.168.8.47
+      - BACKEND_PORT=443
+      - PROTOCOL=https
+      - MATOMO_URL=//m.nixc.us/     # Replace with your actual Matomo URL if different.
+      - MATOMO_SITE_ID=1            # Replace with your actual Site ID if different.
+    networks:
+      - traefik
+    deploy:
+      replicas: 1
+      placement:
+        constraints:
+          - node.hostname == macmini7
+      labels:
+        - "us.nixc.autodeploy=true"
+        - "traefik.enable=true"
+        - "traefik.http.routers.truenas-truenas.tls=true"
+        - "traefik.http.services.truenas-truenas.loadbalancer.server.port=80"
+        - "traefik.http.routers.truenas-truenas.rule=Host(`truenas.nixc.us`)"
+        - "traefik.http.routers.truenas-truenas.entrypoints=websecure"
+        - "traefik.http.routers.truenas-truenas.tls.certresolver=letsencryptresolver"
+        - "traefik.http.routers.truenas-truenas.service=truenas-truenas"
+        - "traefik.docker.network=traefik"
+        - 'traefik.http.routers.truenas-truenas.middlewares=authelia_authelia@docker'
+    logging:
+      driver: "gelf"
+      options:
+        gelf-address: "udp://log.nixc.us:15124"
+        tag: "truenas_truenas"
+  minio-api:
+    image: codeberg.org/iridium-net/lan-to-nginx:truenas
+    environment:
+      - BACKEND_ADDRESS=192.168.8.47
+      - BACKEND_PORT=9000
+      - PROTOCOL=http
+    networks:
+      - traefik
+    deploy:
+      replicas: 1
+      placement:
+        constraints:
+          - node.hostname == macmini7
+      labels:
+        - "us.nixc.autodeploy=true"
+        - "traefik.enable=true"
+        - "traefik.http.routers.truenas-minio-api.tls=true"
+        - "traefik.http.services.truenas-minio-api.loadbalancer.server.port=80"
+        - "traefik.http.routers.truenas-minio.rule=Host(`minio.nixc.us`)"
+        - "traefik.http.routers.truenas-minio.entrypoints=websecure"
+        - "traefik.http.routers.truenas-minio.tls.certresolver=letsencryptresolver"
+        - "traefik.http.routers.truenas-minio.service=truenas-minio"
+        - "traefik.docker.network=traefik"
+        # - 'traefik.http.routers.truenas-minio.middlewares=authelia_authelia@docker'
+    logging:
+      driver: "gelf"
+      options:
+        gelf-address: "udp://log.nixc.us:15124"
+        tag: "truenas_minio"
+  minio-api:
+    image: codeberg.org/iridium-net/lan-to-nginx:truenas
+    environment:
+      - BACKEND_ADDRESS=192.168.8.47
+      - BACKEND_PORT=9002
+      - PROTOCOL=http
+    networks:
+      - traefik
+    deploy:
+      replicas: 1
+      placement:
+        constraints:
+          - node.hostname == macmini7
+      labels:
+        - "us.nixc.autodeploy=true"
+        - "traefik.enable=true"
+        - "traefik.http.routers.truenas-minio-api.tls=true"
+        - "traefik.http.services.truenas-minio-api.loadbalancer.server.port=80"
+        - "traefik.http.routers.truenas-minio-api.rule=Host(`minio-api.nixc.us`)"
+        - "traefik.http.routers.truenas-minio-api.entrypoints=websecure"
+        - "traefik.http.routers.truenas-minio-api.tls.certresolver=letsencryptresolver"
+        - "traefik.http.routers.truenas-minio-api.service=truenas-minio-api"
+        - "traefik.docker.network=traefik"
+        # - 'traefik.http.routers.truenas-minio-api.middlewares=authelia_authelia@docker'
+    logging:
+      driver: "gelf"
+      options:
+        gelf-address: "udp://log.nixc.us:15124"
+        tag: "truenas_minio-api"