From 2548c969889640b5fc88a3e6b0c068ed509da49c Mon Sep 17 00:00:00 2001 From: Benjamin Palko Date: Fri, 7 Mar 2025 13:57:32 -0500 Subject: [PATCH] init --- .editorconfig | 14 +++ .env | 1 + README.md | 17 ++++ config/nginx/.gitignore | 4 + config/nginx/.migrations | 1 + config/nginx/nginx/nginx.conf | 95 +++++++++++++++++++ config/nginx/nginx/nginx.conf.sample | 95 +++++++++++++++++++ .../nginx/proxy-confs/theia-storybook.conf | 20 ++++ config/nginx/nginx/resolver.conf | 3 + config/nginx/nginx/site-confs/default.conf | 44 +++++++++ .../nginx/site-confs/default.conf.sample | 44 +++++++++ config/nginx/nginx/ssl.conf | 32 +++++++ config/nginx/nginx/ssl.conf.sample | 32 +++++++ config/nginx/nginx/worker_processes.conf | 3 + config/nginx/php/php-local.ini | 3 + config/nginx/php/www2.conf | 5 + config/nginx/www/index.html | 34 +++++++ docker-compose.yml | 14 +++ 18 files changed, 461 insertions(+) create mode 100644 .editorconfig create mode 100644 .env create mode 100644 README.md create mode 100644 config/nginx/.gitignore create mode 100755 config/nginx/.migrations create mode 100755 config/nginx/nginx/nginx.conf create mode 100644 config/nginx/nginx/nginx.conf.sample create mode 100644 config/nginx/nginx/proxy-confs/theia-storybook.conf create mode 100755 config/nginx/nginx/resolver.conf create mode 100755 config/nginx/nginx/site-confs/default.conf create mode 100644 config/nginx/nginx/site-confs/default.conf.sample create mode 100755 config/nginx/nginx/ssl.conf create mode 100644 config/nginx/nginx/ssl.conf.sample create mode 100755 config/nginx/nginx/worker_processes.conf create mode 100755 config/nginx/php/php-local.ini create mode 100755 config/nginx/php/www2.conf create mode 100755 config/nginx/www/index.html create mode 100644 docker-compose.yml diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 0000000..7feefc4 --- /dev/null +++ b/.editorconfig 
@@ -0,0 +1,14 @@
+root = true
+
+[*]
+end_of_line = lf
+insert_final_newline = false
+
+[*.{js,ts}]
+indent_style = tab
+indent_size = 4
+
+[{*.{yml,mjs,json}}]
+indent_style = space
+indent_size = 2
+
diff --git a/.env b/.env
new file mode 100644
index 0000000..117c06d
--- /dev/null
+++ b/.env
@@ -0,0 +1 @@
+NPM_TOKEN=88097a2fbf83ef025397b96fba63e4c7b1dac6cc
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..63720e3
--- /dev/null
+++ b/README.md
@@ -0,0 +1,17 @@
+# Atlas
+
+This repository contains the deployment definitions for the full Pantheon suite of services.
+
+## Setup
+
+Login to docker:
+
+```bash
+docker login git.palko.ca
+```
+
+Start docker compose:
+
+```bash
+docker compose up -d
+```
\ No newline at end of file
diff --git a/config/nginx/.gitignore b/config/nginx/.gitignore
new file mode 100644
index 0000000..3af3dcc
--- /dev/null
+++ b/config/nginx/.gitignore
@@ -0,0 +1,4 @@
+keys
+log
+
+nginx/dhparams.pem
\ No newline at end of file
diff --git a/config/nginx/.migrations b/config/nginx/.migrations
new file mode 100755
index 0000000..1e3c378
--- /dev/null
+++ b/config/nginx/.migrations
@@ -0,0 +1 @@
+01-nginx-site-confs-default
diff --git a/config/nginx/nginx/nginx.conf b/config/nginx/nginx/nginx.conf
new file mode 100755
index 0000000..ff9b9d3
--- /dev/null
+++ b/config/nginx/nginx/nginx.conf
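Review bot: The .env hunk commits a live credential (`NPM_TOKEN=<value>`) into version control, and docker-compose.yml in this same patch loads that file into the nginx container via `env_file: .env`, which has no use for an npm token. The token should be treated as exposed and rotated, the file removed from the repository and its history, and the value supplied at deploy time (a compose `secrets:` entry or an untracked env file) instead. The config/nginx/.gitignore hunk on this same line ignores `keys`, `log` and `nginx/dhparams.pem`, but nothing on the page ignores `.env` at the repository root; a root .gitignore containing `.env` prevents the next commit from repeating this.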
@@ -0,0 +1,95 @@ +## Version 2024/12/17 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/nginx.conf.sample + +### Based on alpine defaults +# https://git.alpinelinux.org/aports/tree/main/nginx/nginx.conf?h=3.21-stable + +user abc; + +# Set number of worker processes automatically based on number of CPU cores. +include /config/nginx/worker_processes.conf; + +# Enables the use of JIT for regular expressions to speed-up their processing. +pcre_jit on; + +# Configures default error logger. +error_log /config/log/nginx/error.log; + +# Includes files with directives to load dynamic modules. +include /etc/nginx/modules/*.conf; + +# Include files with config snippets into the root context. +include /etc/nginx/conf.d/*.conf; + +events { + # The maximum number of simultaneous connections that can be opened by + # a worker process. + worker_connections 1024; +} + +http { + # Includes mapping of file name extensions to MIME types of responses + # and defines the default type. + include /etc/nginx/mime.types; + default_type application/octet-stream; + + # Name servers used to resolve names of upstream servers into addresses. + # It's also needed when using tcpsocket and udpsocket in Lua modules. + #resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001; + include /config/nginx/resolver.conf; + + # Don't tell nginx version to the clients. Default is 'on'. + server_tokens off; + + # Specifies the maximum accepted body size of a client request, as + # indicated by the request header Content-Length. If the stated content + # length is greater than this size, then the client receives the HTTP + # error code 413. Set to 0 to disable. Default is '1m'. + client_max_body_size 0; + + # Sendfile copies data between one FD and other from within the kernel, + # which is more efficient than read() + write(). Default is off. 
+ sendfile on; + + # Causes nginx to attempt to send its HTTP response head in one packet, + # instead of using partial frames. Default is 'off'. + tcp_nopush on; + + # all ssl related config moved to ssl.conf + # included in server blocks where listen 443 is defined + + # Enable gzipping of responses. + #gzip on; + + # Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'. + gzip_vary on; + + # Helper variable for proxying websockets. + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + + # Enable http2 by default for all servers + http2 on; + + # Sets the path, format, and configuration for a buffered log write. + access_log /config/log/nginx/access.log; + + client_body_temp_path /tmp/nginx 1 2; + proxy_temp_path /tmp/nginx-proxy; + fastcgi_temp_path /tmp/nginx-fastcgi; + uwsgi_temp_path /tmp/nginx-uwsgi; + scgi_temp_path /tmp/nginx-scgi; + + proxy_cache_path /tmp/nginx-proxy-cache keys_zone=lsio-proxy:10m; + fastcgi_cache_path /tmp/nginx-fcgi-cache keys_zone=lsio-fcgi:10m; + scgi_cache_path /tmp/nginx-scgi-cache keys_zone=lsio-scgi:10m; + uwsgi_cache_path /tmp/nginx-uwsgi-cache keys_zone=lsio-uwsgi:10m; + + # Includes virtual hosts configs. + include /etc/nginx/http.d/*.conf; + include /config/nginx/site-confs/*.conf; +} + +daemon off; +pid /run/nginx.pid; diff --git a/config/nginx/nginx/nginx.conf.sample b/config/nginx/nginx/nginx.conf.sample new file mode 100644 index 0000000..ff9b9d3 --- /dev/null +++ b/config/nginx/nginx/nginx.conf.sample 
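Review bot: `client_max_body_size 0;` in the http block removes the request body limit for every server, including the theia-storybook proxy that accepts no uploads; unless a specific site needs unbounded bodies, a cap such as `client_max_body_size 10m;` here, raised per location where needed, limits how much an anonymous client can make nginx and its upstreams buffer. Separately, this file is byte-identical to nginx.conf.sample (both blobs are ff9b9d3) and still carries the upstream `## Version 2024/12/17` header; if it is intentionally unmodified, committing only the files that differ from the image defaults makes base-image upgrades easier to follow. The same applies to ssl.conf/ssl.conf.sample (both c2e5fc8) and to the generated resolver.conf and worker_processes.conf, where `worker_processes 12;` is tied to the host that first ran the container.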
@@ -0,0 +1,95 @@ +## Version 2024/12/17 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/nginx.conf.sample + +### Based on alpine defaults +# https://git.alpinelinux.org/aports/tree/main/nginx/nginx.conf?h=3.21-stable + +user abc; + +# Set number of worker processes automatically based on number of CPU cores. +include /config/nginx/worker_processes.conf; + +# Enables the use of JIT for regular expressions to speed-up their processing. +pcre_jit on; + +# Configures default error logger. +error_log /config/log/nginx/error.log; + +# Includes files with directives to load dynamic modules. +include /etc/nginx/modules/*.conf; + +# Include files with config snippets into the root context. +include /etc/nginx/conf.d/*.conf; + +events { + # The maximum number of simultaneous connections that can be opened by + # a worker process. + worker_connections 1024; +} + +http { + # Includes mapping of file name extensions to MIME types of responses + # and defines the default type. + include /etc/nginx/mime.types; + default_type application/octet-stream; + + # Name servers used to resolve names of upstream servers into addresses. + # It's also needed when using tcpsocket and udpsocket in Lua modules. + #resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001; + include /config/nginx/resolver.conf; + + # Don't tell nginx version to the clients. Default is 'on'. + server_tokens off; + + # Specifies the maximum accepted body size of a client request, as + # indicated by the request header Content-Length. If the stated content + # length is greater than this size, then the client receives the HTTP + # error code 413. Set to 0 to disable. Default is '1m'. + client_max_body_size 0; + + # Sendfile copies data between one FD and other from within the kernel, + # which is more efficient than read() + write(). Default is off. 
+ sendfile on; + + # Causes nginx to attempt to send its HTTP response head in one packet, + # instead of using partial frames. Default is 'off'. + tcp_nopush on; + + # all ssl related config moved to ssl.conf + # included in server blocks where listen 443 is defined + + # Enable gzipping of responses. + #gzip on; + + # Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'. + gzip_vary on; + + # Helper variable for proxying websockets. + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + + # Enable http2 by default for all servers + http2 on; + + # Sets the path, format, and configuration for a buffered log write. + access_log /config/log/nginx/access.log; + + client_body_temp_path /tmp/nginx 1 2; + proxy_temp_path /tmp/nginx-proxy; + fastcgi_temp_path /tmp/nginx-fastcgi; + uwsgi_temp_path /tmp/nginx-uwsgi; + scgi_temp_path /tmp/nginx-scgi; + + proxy_cache_path /tmp/nginx-proxy-cache keys_zone=lsio-proxy:10m; + fastcgi_cache_path /tmp/nginx-fcgi-cache keys_zone=lsio-fcgi:10m; + scgi_cache_path /tmp/nginx-scgi-cache keys_zone=lsio-scgi:10m; + uwsgi_cache_path /tmp/nginx-uwsgi-cache keys_zone=lsio-uwsgi:10m; + + # Includes virtual hosts configs. + include /etc/nginx/http.d/*.conf; + include /config/nginx/site-confs/*.conf; +} + +daemon off; +pid /run/nginx.pid; diff --git a/config/nginx/nginx/proxy-confs/theia-storybook.conf b/config/nginx/nginx/proxy-confs/theia-storybook.conf new file mode 100644 index 0000000..d410ebb --- /dev/null +++ b/config/nginx/nginx/proxy-confs/theia-storybook.conf @@ -0,0 +1,20 @@ +server { + listen 80; + listen [::]:80; + + server_name theia.*; + + include /config/nginx/ssl.conf; + + client_max_body_size 0; + + location / { + include /config/nginx/proxy.conf; + include /config/nginx/resolver.conf; + set $upstream_app theia-storybook; + set $upstream_port 80; + set $upstream_proto http; + proxy_pass $upstream_proto://$upstream_app:$upstream_port; + + } +} \ No newline at end of file 
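Review bot: This server block has only `listen 80;` and `listen [::]:80;` yet includes /config/nginx/ssl.conf, so the storybook is served in plaintext only, and a request for theia.* on 443 (which docker-compose.yml publishes) falls through to the `default_server` in site-confs/default.conf rather than to this proxy; adding `listen 443 ssl;` and `listen [::]:443 ssl;` next to the existing listens makes the ssl.conf include effective. It is also unclear how this file is loaded: nginx.conf includes only /etc/nginx/http.d/*.conf and /config/nginx/site-confs/*.conf, and default.conf has no include of proxy-confs, so unless the image adds one this block appears inactive. The `include /config/nginx/proxy.conf;` references a file not added in this commit; confirm the image provides it, since a missing include is a fatal error at startup.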
diff --git a/config/nginx/nginx/resolver.conf b/config/nginx/nginx/resolver.conf
new file mode 100755
index 0000000..1ae22e7
--- /dev/null
+++ b/config/nginx/nginx/resolver.conf
@@ -0,0 +1,3 @@
+# This file is auto-generated only on first start, based on the container's /etc/resolv.conf file. Feel free to modify it as you wish.
+
+resolver 127.0.0.11 valid=30s;
diff --git a/config/nginx/nginx/site-confs/default.conf b/config/nginx/nginx/site-confs/default.conf
new file mode 100755
index 0000000..2ca1247
--- /dev/null
+++ b/config/nginx/nginx/site-confs/default.conf
@@ -0,0 +1,44 @@
+## Version 2024/07/16 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/site-confs/default.conf.sample
+
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+
+ server_name pantheon.ca;
+
+ include /config/nginx/ssl.conf;
+
+ set $root /app/www/public;
+ if (!-d /app/www/public) {
+ set $root /config/www;
+ }
+ root $root;
+ index index.html index.htm index.php;
+
+ location / {
+ # enable for basic auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args;
+ }
+
+ location ~ ^(.+\.php)(.*)$ {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ fastcgi_split_path_info ^(.+\.php)(.*)$;
+ if (!-f $document_root$fastcgi_script_name) { return 404; }
+ fastcgi_pass 127.0.0.1:9000;
+ fastcgi_index index.php;
+ include /etc/nginx/fastcgi_params;
+ }
+
+ # deny access to .htaccess/.htpasswd files
+ location ~ /\.ht {
+ deny all;
+ }
+}
\ No newline at end of file
diff --git a/config/nginx/nginx/site-confs/default.conf.sample b/config/nginx/nginx/site-confs/default.conf.sample
new file mode 100644
index 0000000..626004d
--- /dev/null
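Review bot: The server block serves the same content on 80 and on 443 ssl, and HSTS is left commented out in the included ssl.conf, so clients reaching pantheon.ca over plain HTTP are never moved to TLS. Moving the two port-80 listens into their own server block that only does `return 301 https://$host$request_uri;` and keeping the 443 listens here gives a single redirect point; the storybook proxy block benefits from the same split if it is meant to be HTTPS-only. The PHP location with `fastcgi_pass 127.0.0.1:9000;` is the image default (the only change from default.conf.sample is `server_name pantheon.ca;`); if nothing under /config/www or /app/www/public is PHP, dropping that location narrows what the document root can execute.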
+++ b/config/nginx/nginx/site-confs/default.conf.sample @@ -0,0 +1,44 @@ +## Version 2024/07/16 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/site-confs/default.conf.sample + +server { + listen 80 default_server; + listen [::]:80 default_server; + listen 443 ssl default_server; + listen [::]:443 ssl default_server; + + server_name _; + + include /config/nginx/ssl.conf; + + set $root /app/www/public; + if (!-d /app/www/public) { + set $root /config/www; + } + root $root; + index index.html index.htm index.php; + + location / { + # enable for basic auth + #auth_basic "Restricted"; + #auth_basic_user_file /config/nginx/.htpasswd; + + try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args; + } + + location ~ ^(.+\.php)(.*)$ { + # enable the next two lines for http auth + #auth_basic "Restricted"; + #auth_basic_user_file /config/nginx/.htpasswd; + + fastcgi_split_path_info ^(.+\.php)(.*)$; + if (!-f $document_root$fastcgi_script_name) { return 404; } + fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + include /etc/nginx/fastcgi_params; + } + + # deny access to .htaccess/.htpasswd files + location ~ /\.ht { + deny all; + } +} diff --git a/config/nginx/nginx/ssl.conf b/config/nginx/nginx/ssl.conf new file mode 100755 index 0000000..c2e5fc8 --- /dev/null +++ b/config/nginx/nginx/ssl.conf 
@@ -0,0 +1,32 @@
+## Version 2024/12/06 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/ssl.conf.sample
+
+### Mozilla Recommendations
+# generated 2024-12-06, Mozilla Guideline v5.7, nginx 1.26.2, OpenSSL 3.3.2, intermediate config, no OCSP
+# https://ssl-config.mozilla.org/#server=nginx&version=1.26.2&config=intermediate&openssl=3.3.2&ocsp=false&guideline=5.7
+
+ssl_certificate /config/keys/cert.crt;
+ssl_certificate_key /config/keys/cert.key;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+ssl_dhparam /config/nginx/dhparams.pem;
+
+# intermediate configuration
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ssl_prefer_server_ciphers off;
+
+# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+#add_header Strict-Transport-Security "max-age=63072000" always;
+
+# Optional additional headers
+#add_header Cache-Control "no-transform" always;
+#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'" always;
+#add_header Permissions-Policy "interest-cohort=()" always;
+#add_header Referrer-Policy "same-origin" always;
+#add_header X-Content-Type-Options "nosniff" always;
+#add_header X-Frame-Options "SAMEORIGIN" always;
+#add_header X-UA-Compatible "IE=Edge" always;
+#add_header X-XSS-Protection "1; mode=block" always;
diff --git a/config/nginx/nginx/ssl.conf.sample b/config/nginx/nginx/ssl.conf.sample
new file mode 100644
index 0000000..c2e5fc8
--- /dev/null
+++ b/config/nginx/nginx/ssl.conf.sample
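Review bot: `#add_header Strict-Transport-Security "max-age=63072000" always;` is left commented out, as are `#add_header X-Content-Type-Options "nosniff" always;` and `#add_header X-Frame-Options "SAMEORIGIN" always;`, so the TLS server in default.conf sends none of them. Because this file is what the server blocks on this page include for TLS, uncommenting those three lines here is the one place to turn them on; start HSTS with a short max-age and lengthen it once the redirect-to-HTTPS behaviour is confirmed, since browsers cache it and it is hard to undo. The `ssl_session_tickets off;`, TLS 1.2/1.3-only `ssl_protocols` and Mozilla intermediate cipher list are fine as committed; the ssl.conf.sample hunk that follows is the identical file.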
@@ -0,0 +1,32 @@
+## Version 2024/12/06 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/ssl.conf.sample
+
+### Mozilla Recommendations
+# generated 2024-12-06, Mozilla Guideline v5.7, nginx 1.26.2, OpenSSL 3.3.2, intermediate config, no OCSP
+# https://ssl-config.mozilla.org/#server=nginx&version=1.26.2&config=intermediate&openssl=3.3.2&ocsp=false&guideline=5.7
+
+ssl_certificate /config/keys/cert.crt;
+ssl_certificate_key /config/keys/cert.key;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+ssl_dhparam /config/nginx/dhparams.pem;
+
+# intermediate configuration
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ssl_prefer_server_ciphers off;
+
+# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+#add_header Strict-Transport-Security "max-age=63072000" always;
+
+# Optional additional headers
+#add_header Cache-Control "no-transform" always;
+#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'" always;
+#add_header Permissions-Policy "interest-cohort=()" always;
+#add_header Referrer-Policy "same-origin" always;
+#add_header X-Content-Type-Options "nosniff" always;
+#add_header X-Frame-Options "SAMEORIGIN" always;
+#add_header X-UA-Compatible "IE=Edge" always;
+#add_header X-XSS-Protection "1; mode=block" always;
diff --git a/config/nginx/nginx/worker_processes.conf b/config/nginx/nginx/worker_processes.conf
new file mode 100755
index 0000000..256bb9b
--- /dev/null
+++ b/config/nginx/nginx/worker_processes.conf
@@ -0,0 +1,3 @@ +# This file is auto-generated only on first start, based on the cpu cores detected. Feel free to change it to any other number or to auto to let nginx handle it automatically. + +worker_processes 12; diff --git a/config/nginx/php/php-local.ini b/config/nginx/php/php-local.ini new file mode 100755 index 0000000..7d9efdb --- /dev/null +++ b/config/nginx/php/php-local.ini @@ -0,0 +1,3 @@ +; Edit this file to override php.ini directives + +date.timezone = UTC diff --git a/config/nginx/php/www2.conf b/config/nginx/php/www2.conf new file mode 100755 index 0000000..13fc59d --- /dev/null +++ b/config/nginx/php/www2.conf @@ -0,0 +1,5 @@ +; Edit this file to override www.conf and php-fpm.conf directives and restart the container + +; Pool name +[www] + diff --git a/config/nginx/www/index.html b/config/nginx/www/index.html new file mode 100755 index 0000000..8351def --- /dev/null +++ b/config/nginx/www/index.html @@ -0,0 +1,34 @@ + + + Welcome to our server + + + +
+

Welcome to our server

+

The website is currently being setup under this address.

+

For help and support, please contact: me@example.com

+
+ + diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..ce471a6 --- /dev/null +++ b/docker-compose.yml @@ -0,0 +1,14 @@ +name: Pantheon + +services: + nginx: + image: lscr.io/linuxserver/nginx:latest + env_file: .env + volumes: + - ./config/nginx:/config + ports: + - 80:80 + - 443:443 + restart: unless-stopped + theia-storybook: + image: git.palko.ca/pantheon/theia-storybook:latest \ No newline at end of file
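Review bot: `env_file: .env` on the nginx service injects every variable in .env, including the NPM_TOKEN committed in this same patch, into a container that only serves static files and proxies; dropping the `env_file: .env` line from nginx, and keeping the token out of the repository, removes that exposure. Both images are pulled as `latest` with no release tag or `@sha256:<digest>` pin, so `docker compose up -d` can switch versions between hosts and restarts without any change in this file; pinning makes deployments reproducible and reviewable. The theia-storybook service also lacks the `restart: unless-stopped` that nginx has, which is presumably unintended for a long-running upstream. The hunk's YAML indentation is lost in this rendering, so the nesting cannot be checked here.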