Compare commits
48 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 84e71bbdb9 | |||
| 21698b0ae1 | |||
| 60e71f6fe8 | |||
| ac194fbfc4 | |||
| ea6d872a77 | |||
| 5b0c349edb | |||
| f811e72e64 | |||
| 8e13e2004a | |||
| c9253b5d08 | |||
| 1770301a87 | |||
| 33754a20fc | |||
| 9e8290b7df | |||
| 9f16b7e8db | |||
| af2b40516f | |||
| 1ee9c0402d | |||
| 76855cfa05 | |||
| 206795e072 | |||
| 2b9b190d9a | |||
| 558ef17e2a | |||
| 51098b4aee | |||
| 2397c7ab41 | |||
| 2dd07a703f | |||
| 554e032bd6 | |||
| 6f822f786d | |||
| 0912b637b4 | |||
| ba6e4c9e38 | |||
| 2161cac791 | |||
| 41afd81c9b | |||
| 51d17d5f25 | |||
| 8c6f87c3b8 | |||
| bfc50470cd | |||
| abc10cd4b8 | |||
| d65e94be20 | |||
| 4dbfdb8d4e | |||
| dac79d5711 | |||
| 17cc666f54 | |||
| ecf165ea2e | |||
| fb461744ea | |||
| e0df6262cd | |||
| 092d7e3104 | |||
| 6285e43118 | |||
| 54cd95dda9 | |||
| 5eb4902ee6 | |||
| 896e0580a2 | |||
| b6217ef663 | |||
| 66abb3bda3 | |||
| 6fa31ff7c0 | |||
| 54e1b51494 |
13
.gitea/workflows/ci.yaml
Normal file
13
.gitea/workflows/ci.yaml
Normal file
@@ -0,0 +1,13 @@
|
||||
name: Continuous Integration
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
|
||||
jobs:
|
||||
env:
|
||||
runs-on: linux
|
||||
steps:
|
||||
- name: Show env
|
||||
run: env | sort
|
||||
1
.gitignore
vendored
1
.gitignore
vendored
@@ -1 +1,2 @@
|
||||
*.swp
|
||||
*.env
|
||||
|
||||
13
Makefile
13
Makefile
@@ -2,8 +2,11 @@ NAME = $(shell basename $(PWD))
|
||||
VERSION = $(shell git describe | sed 's/-/./g')
|
||||
BRANCH = $(shell git branch --show-current)
|
||||
|
||||
RPM_SBINDIR = $(shell rpm --eval '%{_sbindir}')
|
||||
RPM_SOURCEDIR = $(shell rpm --eval '%{_sourcedir}')
|
||||
RPM_SYSCONFDIR = $(shell rpm --eval '%{_sysconfdir}')
|
||||
RPM_UNITDIR = $(shell rpm --eval '%{_unitdir}')
|
||||
RPM_TARBALL_PATH = $(RPM_SOURCEDIR)/$(NAME)-$(VERSION).tar.gz
|
||||
|
||||
.PHONY: name
|
||||
name:
|
||||
@@ -13,7 +16,7 @@ name:
|
||||
version:
|
||||
@echo "$(VERSION)"
|
||||
|
||||
$(RPM_SOURCEDIR)/$(NAME)-%.tar.gz: *
|
||||
$(RPM_TARBALL_PATH): *
|
||||
git archive --format=tar.gz \
|
||||
--output="$@" \
|
||||
--prefix="$(NAME)-$(VERSION)/" \
|
||||
@@ -21,8 +24,12 @@ $(RPM_SOURCEDIR)/$(NAME)-%.tar.gz: *
|
||||
"$(BRANCH)"
|
||||
|
||||
.PHONY: tarball
|
||||
tarball: $(RPM_SOURCEDIR)/$(NAME)-$(VERSION).tar.gz
|
||||
tarball: $(RPM_TARBALL_PATH)
|
||||
|
||||
.PHONY: install
|
||||
install:
|
||||
install -m 644 --target-directory=$(DESTDIR)/$(RPM_SYSCONFDIR)/nginx nginx.conf
|
||||
install --directory $(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d $(DESTDIR)$(RPM_SYSCONFDIR)/certbot $(DESTDIR)$(RPM_UNITDIR) $(DESTDIR)$(RPM_SBINDIR)
|
||||
install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d files/nginx/0_security.conf files/nginx/default.conf
|
||||
install --mode=600 --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/certbot files/certbot/ovh.ini
|
||||
install --mode=644 --target-directory=$(DESTDIR)$(RPM_UNITDIR) files/systemd/certbot-renew.service files/systemd/certbot-renew.timer
|
||||
install --mode=755 --target-directory=$(DESTDIR)$(RPM_SBINDIR) files/sbin/certbot_renew
|
||||
|
||||
9
files/certbot/ovh.ini
Normal file
9
files/certbot/ovh.ini
Normal file
@@ -0,0 +1,9 @@
|
||||
# OVH API credentials used by Certbot
|
||||
# To generate a new token, go to: https://www.ovh.com/auth/api/createToken
|
||||
|
||||
dns_ovh_endpoint = "$OVH_ENDPOINT"
|
||||
dns_ovh_application_name = "$OVH_APPLICATION_NAME"
|
||||
dns_ovh_application_description = "$OVH_APPLICATION_DESCRIPTION"
|
||||
dns_ovh_application_key = "$OVH_APPLICATION_KEY"
|
||||
dns_ovh_application_secret = "$OVH_APPLICATION_SECRET"
|
||||
dns_ovh_consumer_key = "$OVH_CONSUMER_KEY"
|
||||
27
files/nginx/0_security.conf
Normal file
27
files/nginx/0_security.conf
Normal file
@@ -0,0 +1,27 @@
|
||||
# Configure secure access with letsencrypt
|
||||
ssl_certificate /etc/letsencrypt/live/netoik.io/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/netoik.io/privkey.pem;
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
|
||||
# Add some ssl settings from Mozilla
|
||||
# see: https://ssl-config.mozilla.org
|
||||
ssl_protocols TLSv1.3;
|
||||
ssl_ecdh_curve X25519:prime256v1:secp384r1;
|
||||
ssl_prefer_server_ciphers off;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
resolver 127.0.0.1;
|
||||
|
||||
# Add some basic security headers from OWASP
|
||||
# see: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
|
||||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;" always;
|
||||
add_header X-Frame-Options "DENY" always;
|
||||
add_header X-XSS-Protection "0" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||||
add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'self'; form-action 'self';" always;
|
||||
add_header Cross-Origin-Opener-Policy "same-origin" always;
|
||||
add_header Cross-Origin-Resource-Policy "same-site" always;
|
||||
add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always;
|
||||
add_header Server "webserver" always;
|
||||
add_header X-Robots-Tag "noindex, nofollow" always;
|
||||
13
files/nginx/default.conf
Normal file
13
files/nginx/default.conf
Normal file
@@ -0,0 +1,13 @@
|
||||
server {
|
||||
listen 443 default_server;
|
||||
server_name _;
|
||||
|
||||
return 404;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80 default_server;
|
||||
server_name _;
|
||||
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
5
files/sbin/certbot_renew
Normal file
5
files/sbin/certbot_renew
Normal file
@@ -0,0 +1,5 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
/usr/bin/env sleep $(($RANDOM % 3600));
|
||||
/opt/certbot/bin/pip install --upgrade certbot certbot-nginx certbot-dns-ovh
|
||||
/usr/bin/env certbot renew --cert-name netoik.io
|
||||
5
files/systemd/certbot-renew.service
Normal file
5
files/systemd/certbot-renew.service
Normal file
@@ -0,0 +1,5 @@
|
||||
[Unit]
|
||||
Description=Renew certbot certificates
|
||||
|
||||
[Service]
|
||||
ExecStart=certbot_renew
|
||||
8
files/systemd/certbot-renew.timer
Normal file
8
files/systemd/certbot-renew.timer
Normal file
@@ -0,0 +1,8 @@
|
||||
[Unit]
|
||||
Description=Daily renew certbot certificates
|
||||
|
||||
[Timer]
|
||||
OnCalendar=Daily
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@@ -1,16 +1,16 @@
|
||||
Name: netoik-rp
|
||||
%define debug_package %{nil}
|
||||
|
||||
Name: %(make name)
|
||||
Version: %(make version)
|
||||
Release: 1%{?dist}
|
||||
Summary: Netoik Reverse Proxy
|
||||
License: MIT
|
||||
|
||||
URL: https://git.netoik.io/samuel/netoik-rp
|
||||
|
||||
Source0: %{name}-%{version}.tar.gz
|
||||
|
||||
Buildarch: x86_64
|
||||
Buildarch: noarch
|
||||
BuildRequires: make
|
||||
|
||||
Requires: nginx
|
||||
Requires: nginx python3 python-devel (augeas-devel or augeas-libs) gcc openssl
|
||||
|
||||
%description
|
||||
Install the reverse proxy called nginx with a predefined configuration and with TLS certificates attached to netoik.io
|
||||
@@ -21,8 +21,60 @@ Install the reverse proxy called nginx with a predefined configuration and with
|
||||
%install
|
||||
%make_install
|
||||
|
||||
%post
|
||||
# Replace secrets in ovh.ini
|
||||
envsubst < %{_sysconfdir}/certbot/ovh.ini > %{_sysconfdir}/certbot/.ovh.ini.new
|
||||
if cmp --silent %{_sysconfdir}/certbot/.ovh.ini.new %{_sysconfdir}/certbot/ovh.ini; then
|
||||
rm %{_sysconfdir}/certbot/.ovh.ini.new
|
||||
else
|
||||
mv %{_sysconfdir}/certbot/.ovh.ini.new %{_sysconfdir}/certbot/ovh.ini
|
||||
chmod 600 %{_sysconfdir}/certbot/ovh.ini
|
||||
fi
|
||||
|
||||
# Create virtualenv with certot
|
||||
if [ ! -d "/opt/certbot" ]; then
|
||||
python3 -m venv /opt/certbot
|
||||
/opt/certbot/bin/pip install --upgrade pip certbot certbot-nginx certbot-dns-ovh
|
||||
ln --symbolic --force --target-directory %{_sbindir} /opt/certbot/bin/certbot
|
||||
fi
|
||||
|
||||
# Create certbot certificates
|
||||
if ! certbot certificates --cert-name netoik.io | grep --quiet netoik.io; then
|
||||
certbot certonly --cert-name netoik.io --non-interactive --agree-tos --email samuel.campos@netoik.io --dns-ovh --dns-ovh-credentials %{_sysconfdir}/certbot/ovh.ini -d *.netoik.io -d *.samuel-campos.fr
|
||||
fi
|
||||
|
||||
# Create ssl dh params if not already exists
|
||||
if [ ! -f "%{_sysconfdir}/letsencrypt/ssl-dhparams.pem" ]; then
|
||||
openssl dhparam -out %{_sysconfdir}/letsencrypt/ssl-dhparams.pem 2048
|
||||
fi
|
||||
|
||||
# Restart services
|
||||
systemctl daemon-reload
|
||||
systemctl reenable --now nginx.service certbot-renew.timer
|
||||
|
||||
%postun
|
||||
# Remove folders after uninstall
|
||||
if [ $1 == 0 ]; then
|
||||
/opt/certbot/bin/certbot delete --cert-name netoik.io
|
||||
rm --recursive --force /opt/certbot
|
||||
rm --recursive --force %{_sysconfdir}/certbot
|
||||
fi
|
||||
|
||||
%files
|
||||
%attr(644, root, root) /%{_sysconfdir}/nginx/nginx.conf
|
||||
%attr(644, root, root) %{_sysconfdir}/nginx/conf.d/0_security.conf
|
||||
%attr(644, root, root) %{_sysconfdir}/nginx/conf.d/default.conf
|
||||
|
||||
%attr(755, root, root) %dir %{_sysconfdir}/certbot
|
||||
%attr(600, root, root) %{_sysconfdir}/certbot/ovh.ini
|
||||
|
||||
%attr(644, root, root) %{_unitdir}/certbot-renew.timer
|
||||
%attr(644, root, root) %{_unitdir}/certbot-renew.service
|
||||
|
||||
%attr(755, root, root) %{_sbindir}/certbot_renew
|
||||
|
||||
%ghost %attr(755, root, root) %dir /opt/certbot
|
||||
%ghost %attr(755, root, root) %{_sbindir}/certbot
|
||||
%ghost %attr(644, root, root) %{_sysconfdir}/letsencrypt/ssl-dhparams.pem
|
||||
|
||||
%changelog
|
||||
# let's skip this for now
|
||||
%autochangelog
|
||||
|
||||
61
nginx.conf
61
nginx.conf
@@ -1,61 +0,0 @@
|
||||
# For more information on configuration
|
||||
# See: http://nginx.org/en/docs/
|
||||
|
||||
# Configure core
|
||||
# See: https://nginx.org/en/docs/ngx_core_module.html
|
||||
user nginx;
|
||||
worker_processes auto;
|
||||
error_log /var/log/nginx/error.log;
|
||||
pid /run/nginx.pid;
|
||||
|
||||
# Load dynamic modules
|
||||
# See: /usr/share/doc/nginx/README.dynamic.
|
||||
include /usr/share/nginx/modules/*.conf;
|
||||
|
||||
events {
|
||||
worker_connections 1024;
|
||||
}
|
||||
|
||||
http {
|
||||
# Configure logs
|
||||
# See: https://nginx.org/en/docs/http/ngx_http_log_module.html
|
||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||
'$status $body_bytes_sent "$http_referer" '
|
||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||
access_log /var/log/nginx/access.log main;
|
||||
|
||||
# Configure core
|
||||
# See: https://nginx.org/en/docs/ngx_core_module.html
|
||||
include /etc/nginx/mime.types;
|
||||
default_type text/html;
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
keepalive_timeout 65;
|
||||
types_hash_max_size 4096;
|
||||
|
||||
# Configure ssl module
|
||||
# See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
ssl_certificate /etc/letsencrypt/live/netoik.io/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/netoik.io/privkey.pem;
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
ssl_session_cache shared:SSL:1m;
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
# Configure headers
|
||||
# See: https://nginx.org/en/docs/http/ngx_http_headers_module.html
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
|
||||
|
||||
# Configure http2
|
||||
# See: https://nginx.org/en/docs/http/ngx_http_v2_module.html
|
||||
http2 on;
|
||||
|
||||
# Configure http3
|
||||
# See: https://nginx.org/en/docs/http/ngx_http_v3_module.html
|
||||
http3 on;
|
||||
|
||||
# Load modular configuration files from the /etc/nginx/conf.d directory.
|
||||
# See: http://nginx.org/en/docs/ngx_core_module.html#include
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
}
|
||||
Reference in New Issue
Block a user