New directory structure

2021-11-25 17:36:47 -06:00 · 2021-11-25 17:36:47 -06:00 · c370caafee
commit c370caafee
parent e9779d2531
14 changed files with 33 additions and 68 deletions
--- a/readme-vars.yml
+++ b/readme-vars.yml
@ -155,7 +155,7 @@ app_setup_nginx_reverse_proxy_block: ""

 # changelog
 changelogs:
-  - { date: "27.10.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf - Use standard nginx.conf from lsio alpine nginx base image." }
+  - { date: "25.11.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf - Use standard nginx.conf from lsio alpine nginx base image." }
  - { date: "22.11.21:", desc: "Added support for Infomaniak DNS for certificate generation." }
  - { date: "20.11.21:", desc: "Added support for dnspod validation." }
  - { date: "15.11.21:", desc: "Added support for deSEC DNS for wildcard certificate generation." }
--- a/root/defaults/dhparams.pem
+++ b/root/defaults/dhparams.pem
@ -1,13 +0,0 @@
-----BEGIN DH PARAMETERS-----
-MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
-+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
-87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
-YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
-7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
-ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
-7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
-nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
-8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
-iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
-zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
-----END DH PARAMETERS-----
--- a/root/defaults/nginx/location-confs/authelia-location.conf.sample
+++ b/root/defaults/nginx/location-confs/authelia-location.conf.sample
@ -1,4 +1,4 @@
-## Version 2021/04/21 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/authelia-location.conf
+## Version 2021/04/21 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/location-confs/authelia-location.conf.sample
 # Make sure that your authelia container is in the same user defined bridge network and is named authelia
 # Make sure that the authelia configuration.yml has 'path: "authelia"' defined

--- a/root/defaults/nginx/location-confs/proxy.conf.sample
+++ b/root/defaults/nginx/location-confs/proxy.conf.sample
@ -1,4 +1,4 @@
-## Version 2021/10/26 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf
+## Version 2021/10/26 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/location-confs/proxy.conf.sample

 # Timeout if the real server is dead
 proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
--- a/root/defaults/nginx/server-confs/authelia-server.conf.sample
+++ b/root/defaults/nginx/server-confs/authelia-server.conf.sample
@ -1,8 +1,8 @@
-## Version 2021/05/28 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/authelia-server.conf
+## Version 2021/05/28 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/server-confs/authelia-server.conf.sample
 # Make sure that your authelia container is in the same user defined bridge network and is named authelia

 location ^~ /authelia {
-    include /config/nginx/proxy.conf;
+    include /config/nginx/location-confs/*.conf;
    include /config/nginx/resolver.conf;
    set $upstream_authelia authelia;
    proxy_pass http://$upstream_authelia:9091;
--- a/root/defaults/nginx/server-confs/geoip2.conf.sample
+++ b/root/defaults/nginx/server-confs/geoip2.conf.sample
@ -1,4 +1,4 @@
-## Version 2020/10/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/geoip2.conf
+## Version 2020/10/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/server-confs/geoip2.conf.sample
 # To enable, uncommment the Geoip2 config line in nginx.conf
 # Add the -e MAXMINDDB_LICENSE_KEY=<licensekey> to automatically download the Geolite2 database.
 # A Maxmind license key can be acquired here: https://www.maxmind.com/en/geolite2/signup
@ -77,16 +77,9 @@ geo $allow_list {
 #
 #    server_name unifi.*;
 #
-#    include /config/nginx/ssl.conf;
+#    include /config/nginx/server-confs/*.conf;
 #
 #    client_max_body_size 0;
-#
-#    # enable for ldap auth, fill in ldap details in ldap.conf
-#    #include /config/nginx/ldap.conf;
-#
-#    # enable for Authelia
-#    #include /config/nginx/authelia-server.conf;
-

 #   # Allow lan access if default is set to no
 #   if ($allow_list = yes) {
@ -108,10 +101,7 @@ geo $allow_list {
 #        #auth_request /auth;
 #        #error_page 401 =200 /ldaplogin;
 #
-#        # enable for Authelia
-#        #include /config/nginx/authelia-location.conf;
-#
-#        include /config/nginx/proxy.conf;
+#        include /config/nginx/location-confs/*.conf;
 #        resolver 127.0.0.11 valid=30s;
 #        set $upstream_app unifi-controller;
 #        set $upstream_port 8443;
--- a/root/defaults/nginx/server-confs/ldap.conf.sample
+++ b/root/defaults/nginx/server-confs/ldap.conf.sample
@ -1,4 +1,4 @@
-## Version 2020/06/02 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ldap.conf
+## Version 2020/06/02 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/server-confs/ldap.conf.sample
 ## this conf is meant to be used in conjunction with our ldap-auth image: https://github.com/linuxserver/docker-ldap-auth
 ## see the heimdall example in the default site config for info on enabling ldap auth
 ## for further instructions on this conf, see https://github.com/nginxinc/nginx-ldap-auth
--- a/root/defaults/nginx/server-confs/ssl.conf.sample
+++ b/root/defaults/nginx/server-confs/ssl.conf.sample
@ -1,4 +1,4 @@
-## Version 2021/10/16 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ssl.conf
+## Version 2021/10/16 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/server-confs/ssl.conf.sample

 ### Mozilla Recommendations
 # generated 2021-10-16, Mozilla Guideline v5.6, nginx 1.20.1-r3, OpenSSL 1.1.1l-r0, intermediate configuration
--- a/root/defaults/nginx/site-confs/default.conf.sample
+++ b/root/defaults/nginx/site-confs/default.conf.sample
@ -1,4 +1,4 @@
-## Version 2021/10/16 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/default
+## Version 2021/10/16 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample

 error_page 502 /502.html;

@ -18,22 +18,9 @@ server {
    index index.html index.htm index.php;

    # enable subfolder method reverse proxy confs
-    include /config/nginx/proxy-confs/*.subfolder.conf;
+    include /config/nginx/subfolder-confs/*.subfolder.conf;

-    # all ssl related config moved to ssl.conf
-    include /config/nginx/ssl.conf;
-
-    # enable for ldap auth
-    #include /config/nginx/ldap.conf;
-
-    # enable for Authelia
-    #include /config/nginx/authelia-server.conf;
-
-    # enable for geo blocking
-    # See /config/nginx/geoip2.conf for more information.
-    #if ($allowed_country = no) {
-    #   return 444;
-    #}
+    include /config/nginx/server-confs/*.conf;

    set $htpasswd_file /config/nginx/.htpasswd;
    set $auth_basic "Restricted";
@ -49,7 +36,7 @@ server {
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
-        #include /config/nginx/authelia-location.conf;
+        #include /config/nginx/location-confs/authelia-location.conf;

        try_files $uri $uri/ /index.html /index.php?$args =404;
    }
@ -68,6 +55,6 @@ server {
 }

 # enable subdomain method reverse proxy confs
-include /config/nginx/proxy-confs/*.subdomain.conf;
+include /config/nginx/subdomain-confs/*.subdomain.conf;
 # enable proxy cache for auth
 proxy_cache_path cache/ keys_zone=auth_cache:10m;
--- a/root/defaults/www/502.html
+++ b/root/defaults/www/502.html
--- a/root/defaults/www/index.html
+++ b/root/defaults/www/index.html
--- a/root/etc/cont-init.d/25-migrate-confs
+++ b/root/etc/cont-init.d/25-migrate-confs
@ -0,0 +1,6 @@
+#!/usr/bin/with-contenv bash
+
+# shellcheck source=/dev/null
+source /defaults/migrate.sh
+
+migrate "/config/nginx/proxy.conf" "/config/nginx/location-confs/proxy.conf"
--- a/root/etc/cont-init.d/50-config
+++ b/root/etc/cont-init.d/50-config
@ -44,9 +44,6 @@ ln -s /config/etc/letsencrypt /etc/letsencrypt
 cp -n /defaults/dns-conf/* /config/dns-conf/
 chown -R abc:abc /config/dns-conf

-# copy reverse proxy configs
-cp -R /defaults/proxy-confs /config/nginx/
-
 # copy/update the fail2ban config defaults to/in /config
 cp -R /defaults/fail2ban/filter.d /config/fail2ban/
 cp -R /defaults/fail2ban/action.d /config/fail2ban/
@ -66,18 +63,12 @@ cp /config/fail2ban/jail.local /etc/fail2ban/jail.local
 # copy crontab and proxy defaults if needed
 [[ ! -f /config/crontabs/root ]] && \
    cp /etc/crontabs/root /config/crontabs/
-[[ ! -f /config/nginx/proxy.conf ]] && \
-    cp /defaults/proxy.conf /config/nginx/proxy.conf
-[[ ! -f /config/nginx/ldap.conf ]] && \
-    cp /defaults/ldap.conf /config/nginx/ldap.conf
-[[ ! -f /config/nginx/authelia-server.conf ]] && \
-    cp /defaults/authelia-server.conf /config/nginx/authelia-server.conf
-[[ ! -f /config/nginx/authelia-location.conf ]] && \
-    cp /defaults/authelia-location.conf /config/nginx/authelia-location.conf
-[[ ! -f /config/nginx/geoip2.conf ]] && \
-    cp /defaults/geoip2.conf /config/nginx/geoip2.conf
-[[ ! -f /config/www/502.html ]] &&
-    cp /defaults/502.html /config/www/502.html
+[[ ! -f /config/nginx/location-confs/proxy.conf ]] && \
+    cp /defaults/nginx/location-confs/proxy.conf.sample /config/nginx/location-confs/proxy.conf
+[[ ! -f /config/nginx/server-confs/ssl.conf ]] && \
+    cp /defaults/nginx/server-confs/ssl.conf.sample /config/nginx/server-confs/ssl.conf
+[[ ! -f /config/www/502.html ]] && \
+    cp /defaults/www/502.html /config/www/502.html

 # remove lua bits from nginx.conf if not done before
 if ! grep -q '#Removed lua' /config/nginx/nginx.conf; then
@ -86,8 +77,8 @@ if ! grep -q '#Removed lua' /config/nginx/nginx.conf; then
 fi

 # patch authelia-server.conf for CVE-2021-32637
-if ! grep -q 'if ($request_uri ~' /config/nginx/authelia-server.conf; then
-    sed -i '/internal;/a \ \ \ \ if ($request_uri ~ [^a-zA-Z0-9_+-=\\!@$%&*?~.:#'\''\\;\\(\\)\\[\\]]) { return 401; }' /config/nginx/authelia-server.conf
+if [[ -f /config/nginx/server-confs/authelia-server.conf ]] && ! grep -q 'if ($request_uri ~' /config/nginx/server-confs/authelia-server.conf; then
+    sed -i '/internal;/a \ \ \ \ if ($request_uri ~ [^a-zA-Z0-9_+-=\\!@$%&*?~.:#'\''\\;\\(\\)\\[\\]]) { return 401; }' /config/nginx/server-confs/authelia-server.conf
 fi

 # check to make sure DNSPLUGIN is selected if dns validation is used
--- a/root/etc/cont-init.d/70-templates
+++ b/root/etc/cont-init.d/70-templates
@ -1,5 +1,9 @@
 #!/usr/bin/with-contenv bash

+# NEEDS TO BE REWORKED FOR NEW STRUCTURE
+## Should cycle through all *.sample files in /defaults/nginx/ (instead of hardcoded list)
+## Should be moved into the alpine nginx base image
+
 nginx_confs=( \
    authelia-location.conf \
    authelia-server.conf \