first commit

.woodpecker.yml

@@ -8,48 +8,12 @@ clone:
       partial: false
       depth: 1
 steps:
-  run-post-deploy-smoke-tests:
+  deploy:
-    name: run-post-deploy-smoke-tests
+    name: deploy
-    image: git.nixc.us/colin/playwright:latest
+    image: docker:latest
-    secrets: [REGISTRY_USER, REGISTRY_PASSWORD]
-    when:
-      - branch: main
-      - path:
-          include: [ 'stack.yml', 'docker-compose.yml', 'Dockerfile.*', '.woodpecker.yml', '*.tests.ts' ]
-  build-push:
-    name: build-push
-    when:
-      - path:
-          include: [ 'stack.yml','.woodpecker.yml', 'Dockerfile', 'docker-entrypoint.sh', 'nginx.conf', 'README.md' ]
-    image: woodpeckerci/plugin-docker-buildx
     secrets: [REGISTRY_USER, REGISTRY_PASSWORD]
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
     commands:
-      - echo "$${REGISTRY_PASSWORD}" | docker login -u "$${REGISTRY_USER}" --password-stdin git.nixc.us
+      # - docker login -u $${REGISTRY_USER} -p $${REGISTRY_PASSWORD} git.nixc.us
-      - echo compose up build
+      - docker stack deploy --with-registry-auth -c ./truenas.yml truenas
-      - docker compose build
-      - echo compose push
-      - docker compose push
-      - echo docker compose rm -f
-      - docker compose rm -f
-  deploy-config:
-    name: deploy-config
-    when:
-      - path:
-          include: [ 'stack.yml','.woodpecker.yml', 'Dockerfile', 'docker-entrypoint.sh', 'nginx.conf', 'README.md' ]
-    image: woodpeckerci/plugin-docker-buildx
-    secrets: [REGISTRY_USER, REGISTRY_PASSWORD]
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-    commands:
-    #   - echo "$${REGISTRY_PASSWORD}" | docker login -u "$${REGISTRY_USER}" --password-stdin git.nixc.us
-      - docker stack deploy --with-registry-auth -c ./stack.yml lan-to-nginx
-  run-post-deploy-smoke-tests:
-    name: run-post-deploy-smoke-tests
-    image: git.nixc.us/colin/playwright:latest
-    secrets: [REGISTRY_USER, REGISTRY_PASSWORD]
-    when:
-      - branch: main
-      - path:
-          include: [ 'stack.yml', 'docker-compose.yml', 'Dockerfile.*', '.woodpecker.yml', '*.tests.ts' ]

Dockerfile

@@ -1,5 +1,11 @@
+# Start from the official Nginx image
 FROM nginx:alpine
+
+# Copy our custom Nginx configuration and script
 COPY nginx.conf /etc/nginx/nginx.conf.template
 COPY docker-entrypoint.sh /docker-entrypoint.sh
+# Make the script executable
 RUN chmod +x /docker-entrypoint.sh
+
 ENTRYPOINT ["/docker-entrypoint.sh"]
+

docker-compose.yml

@@ -1,8 +1,14 @@
 version: '3.9'  
 
 services:
-  lan-to-nginx:
+  nginx-proxy:
     build:  
       context: .  
       dockerfile: Dockerfile  
-    image: git.nixc.us/colin/lan-to-nginx:latest
+    image: codeberg.org/iridium-net/lan-to-nginx:truenas
+    environment:
+      - BACKEND_ADDRESS=192.168.8.1 # Replace with your backend address
+      - BACKEND_PORT=80  # Replace with your backend port
+    ports:
+      - "80:80"  # Map port 80 from the host to port 80 in the container
+

docker-entrypoint.sh

@@ -4,11 +4,15 @@ PROTOCOL="${PROTOCOL:-http}"
 
 # Replace placeholders with environment variable values
 envsubst '$BACKEND_ADDRESS $BACKEND_PORT $PROTOCOL $MATOMO_URL $MATOMO_SITE_ID' < /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf
+# Substitute environment variables in matomo.js
+envsubst '$MATOMO_URL $MATOMO_SITE_ID' < /matomo.js.template > /matomo.js
 
 # Start nginx in the foreground
 curl -k -I $PROTOCOL://$BACKEND_ADDRESS:$BACKEND_PORT
 echo checking nginx modules
 nginx -V 2>&1 | grep -o http_sub_module
+echo /matomo.js
+cat /matomo.js
 echo /etc/nginx/nginx.conf
 cat /etc/nginx/nginx.conf
 exec nginx -g 'daemon off;'

nginx.conf

@@ -11,34 +11,34 @@ http {
     server {
         listen 80;
 	
-        # Health check location at a secret path
+	add_header Content-Security-Policy "default-src * 'unsafe-inline' 'unsafe-eval'; img-src * data:; font-src * data:;";
-        location /secret-health-path {
+#	add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://ack.nixc.us; style-src 'self'; img-src 'self'; font-src 'self'; connect-src 'self'; frame-ancestors 'self'; form-action 'self';";
-            add_header Content-Type text/plain;
+        # Define MIME type
-            return 200 'Healthy';
+        types {
+            text/html html htm shtml;
         }
 
         location / {
-            # Proxy pass to the backend using environment variables with HTTP explicitly
+            # Use the placeholders for the proxy pass
-            proxy_pass http://${BACKEND_ADDRESS}:${BACKEND_PORT};
+            proxy_pass ${PROTOCOL}://${BACKEND_ADDRESS}:${BACKEND_PORT};
-
-            # General proxy settings
             proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "Upgrade";
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header Accept-Encoding "";
             proxy_buffering off;
+            proxy_ssl_verify off;  # Skip SSL verification, be cautious
 
-            # Remove headers that might hint at HTTPS usage
+            # Enable response body filtering
-            proxy_set_header X-Forwarded-Proto "";
+            sub_filter_once off;
-            proxy_set_header X-Forwarded-Ssl "";
-            proxy_set_header X-Url-Scheme "";
 
-            # Disable proxy_ssl_verify if you're not using HTTPS at all
+            # Inject the Matomo content just before </head>
-            proxy_ssl_verify off;
+            sub_filter '</body>' '<script async src="https://ack.nixc.us/tracker.js" data-ackee-server="https://ack.nixc.us" data-ackee-domain-id="9608c1ff-b08c-4781-ae7e-cee6eb415bf3"></script></body>';
+            sub_filter_types application/xml application/json text/css text/javascript application/javascript text/plain;
+
+        }
 
-            # Do not pass through the Connection header from the client
-            proxy_set_header Connection "";
-        }
     }
 }

stack.yml

@@ -1,28 +0,0 @@
-version: "3.9"
-
-networks:
-  traefik:
-    external: true
-
-services:
-  nginx:
-    image: git.nixc.us/colin/lan-to-nginx:latest
-    environment:
-      - BACKEND_ADDRESS=ingress.nixc.us
-      - BACKEND_PORT=443
-      - PROTOCOL=https
-    networks:
-      - traefik
-    deploy:
-      replicas: 1
-      labels:
-        - "us.nixc.autodeploy=true"
-        - "traefik.enable=true"
-        - "traefik.http.routers.nginx-proxy.tls=true"
-        - "traefik.http.services.nginx-proxy.loadbalancer.server.port=80"
-        - "traefik.http.routers.nginx-proxy.rule=Host(`nginx-proxy.nixc.us`)"
-        - "traefik.http.routers.nginx-proxy.entrypoints=websecure"
-        - "traefik.http.routers.nginx-proxy.tls.certresolver=letsencryptresolver"
-        - "traefik.http.routers.nginx-proxy.service=nginx-proxy"
-        - "traefik.docker.network=traefik"
-#        - 'traefik.http.routers.nginx-proxy.middlewares=authelia_authelia@docker'

tests/nginx-proxy.nixc.us.test.ts

@@ -1,6 +0,0 @@
-import { test, expect } from '@playwright/test';
-
-test('test', async ({ page }) => {
-  await page.goto('https://nginx-proxy.nixc.us/secret-health-path');
-  await page.getByText('Healthy').click();
-});

truenas.yml

@@ -0,0 +1,96 @@
+version: "3.9"
+
+networks:
+  traefik:
+    external: true
+
+services:
+  truenas:
+    image: codeberg.org/iridium-net/lan-to-nginx:truenas
+    environment:
+      - BACKEND_ADDRESS=192.168.8.47
+      - BACKEND_PORT=443
+      - PROTOCOL=https
+      - MATOMO_URL=//m.nixc.us/     # Replace with your actual Matomo URL if different.
+      - MATOMO_SITE_ID=1            # Replace with your actual Site ID if different.
+    networks:
+      - traefik
+    deploy:
+      replicas: 1
+      placement:
+        constraints:
+          - node.hostname == macmini7
+      labels:
+        - "us.nixc.autodeploy=true"
+        - "traefik.enable=true"
+        - "traefik.http.routers.truenas-truenas.tls=true"
+        - "traefik.http.services.truenas-truenas.loadbalancer.server.port=80"
+        - "traefik.http.routers.truenas-truenas.rule=Host(`truenas.nixc.us`)"
+        - "traefik.http.routers.truenas-truenas.entrypoints=websecure"
+        - "traefik.http.routers.truenas-truenas.tls.certresolver=letsencryptresolver"
+        - "traefik.http.routers.truenas-truenas.service=truenas-truenas"
+        - "traefik.docker.network=traefik"
+        - 'traefik.http.routers.truenas-truenas.middlewares=authelia_authelia@docker'
+    logging:
+      driver: "gelf"
+      options:
+        gelf-address: "udp://log.nixc.us:15124"
+        tag: "truenas_truenas"
+  minio-api:
+    image: codeberg.org/iridium-net/lan-to-nginx:truenas
+    environment:
+      - BACKEND_ADDRESS=192.168.8.47
+      - BACKEND_PORT=9000
+      - PROTOCOL=http
+    networks:
+      - traefik
+    deploy:
+      replicas: 1
+      placement:
+        constraints:
+          - node.hostname == macmini7
+      labels:
+        - "us.nixc.autodeploy=true"
+        - "traefik.enable=true"
+        - "traefik.http.routers.truenas-minio-api.tls=true"
+        - "traefik.http.services.truenas-minio-api.loadbalancer.server.port=80"
+        - "traefik.http.routers.truenas-minio.rule=Host(`minio.nixc.us`)"
+        - "traefik.http.routers.truenas-minio.entrypoints=websecure"
+        - "traefik.http.routers.truenas-minio.tls.certresolver=letsencryptresolver"
+        - "traefik.http.routers.truenas-minio.service=truenas-minio"
+        - "traefik.docker.network=traefik"
+        # - 'traefik.http.routers.truenas-minio.middlewares=authelia_authelia@docker'
+    logging:
+      driver: "gelf"
+      options:
+        gelf-address: "udp://log.nixc.us:15124"
+        tag: "truenas_minio"
+  minio-api:
+    image: codeberg.org/iridium-net/lan-to-nginx:truenas
+    environment:
+      - BACKEND_ADDRESS=192.168.8.47
+      - BACKEND_PORT=9002
+      - PROTOCOL=http
+    networks:
+      - traefik
+    deploy:
+      replicas: 1
+      placement:
+        constraints:
+          - node.hostname == macmini7
+      labels:
+        - "us.nixc.autodeploy=true"
+        - "traefik.enable=true"
+        - "traefik.http.routers.truenas-minio-api.tls=true"
+        - "traefik.http.services.truenas-minio-api.loadbalancer.server.port=80"
+        - "traefik.http.routers.truenas-minio-api.rule=Host(`minio-api.nixc.us`)"
+        - "traefik.http.routers.truenas-minio-api.entrypoints=websecure"
+        - "traefik.http.routers.truenas-minio-api.tls.certresolver=letsencryptresolver"
+        - "traefik.http.routers.truenas-minio-api.service=truenas-minio-api"
+        - "traefik.docker.network=traefik"
+        # - 'traefik.http.routers.truenas-minio-api.middlewares=authelia_authelia@docker'
+    logging:
+      driver: "gelf"
+      options:
+        gelf-address: "udp://log.nixc.us:15124"
+        tag: "truenas_minio-api"