Created
March 13, 2022 04:19
-
-
Save chadgeary/3d9965143446c891f3cbaa4308e611f2 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # create proxy dir and files | |
| sudo mkdir -p /opt/duckdnsswag/proxy-confs | |
| # create nginx.conf with pointer to proxy-confs/duckdnsswag.conf at the end | |
| sudo tee /opt/duckdnsswag/nginx.conf << EOM | |
| ## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf | |
| user abc; | |
| # Set number of worker processes automatically based on number of CPU cores. | |
| include /config/nginx/worker_processes.conf; | |
| # Enables the use of JIT for regular expressions to speed-up their processing. | |
| pcre_jit on; | |
| # Configures default error logger. | |
| error_log /config/log/nginx/error.log; | |
| # Includes files with directives to load dynamic modules. | |
| include /etc/nginx/modules/*.conf; | |
| events { | |
| # The maximum number of simultaneous connections that can be opened by | |
| # a worker process. | |
| worker_connections 1024; | |
| # multi_accept on; | |
| } | |
| http { | |
| # Includes mapping of file name extensions to MIME types of responses | |
| # and defines the default type. | |
| include /etc/nginx/mime.types; | |
| default_type application/octet-stream; | |
| # Name servers used to resolve names of upstream servers into addresses. | |
| # It's also needed when using tcpsocket and udpsocket in Lua modules. | |
| #resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001; | |
| include /config/nginx/resolver.conf; | |
| # Don't tell nginx version to the clients. Default is 'on'. | |
| server_tokens off; | |
| # Specifies the maximum accepted body size of a client request, as | |
| # indicated by the request header Content-Length. If the stated content | |
| # length is greater than this size, then the client receives the HTTP | |
| # error code 413. Set to 0 to disable. Default is '1m'. | |
| client_max_body_size 0; | |
| # Sendfile copies data between one FD and other from within the kernel, | |
| # which is more efficient than read() + write(). Default is off. | |
| sendfile on; | |
| # Causes nginx to attempt to send its HTTP response head in one packet, | |
| # instead of using partial frames. Default is 'off'. | |
| tcp_nopush on; | |
| # Helper variable for proxying websockets. | |
| map $http_upgrade $connection_upgrade { | |
| default upgrade; | |
| '' close; | |
| } | |
| # Sets the path, format, and configuration for a buffered log write. | |
| access_log /config/log/nginx/access.log; | |
| # Includes virtual hosts configs. | |
| #include /etc/nginx/http.d/*.conf; | |
| # WARNING: Don't use this directory for virtual hosts anymore. | |
| # This include will be moved to the root context in Alpine 3.14. | |
| #include /etc/nginx/conf.d/*.conf; | |
| ## | |
| # Basic Settings | |
| ## | |
| client_body_buffer_size 128k; | |
| keepalive_timeout 65; | |
| large_client_header_buffers 4 16k; | |
| send_timeout 5m; | |
| tcp_nodelay on; | |
| types_hash_max_size 2048; | |
| variables_hash_max_size 2048; | |
| # server_names_hash_bucket_size 64; | |
| # server_name_in_redirect off; | |
| ## | |
| # Gzip Settings | |
| ## | |
| gzip on; | |
| gzip_disable "msie6"; | |
| # gzip_vary on; | |
| # gzip_proxied any; | |
| # gzip_comp_level 6; | |
| # gzip_buffers 16 8k; | |
| # gzip_http_version 1.1; | |
| # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; | |
| ## | |
| # Virtual Host Configs | |
| ## | |
| include /config/nginx/site-confs/*; | |
| include /config/nginx/proxy-confs/duckdnsswag.conf; | |
| #Removed lua. Do not remove this comment | |
| } | |
| daemon off; | |
| pid /run/nginx.pid; | |
| EOM | |
| # create proxy-confs/duckdnsswag.conf - this tells nginx where to send traffic | |
| sudo tee /opt/duckdnsswag/proxy-confs/duckdnsswag.conf << EOM | |
| server { | |
| listen 443 ssl http2; | |
| listen [::]:443 ssl http2; | |
| server_name {{ duckdns_domain }}; | |
| include /config/nginx/ssl.conf; | |
| client_max_body_size 0; | |
| access_log /dev/stdout; | |
| error_log /dev/stderr warn; | |
| # Enable strict transport security | |
| # https://docs.nextcloud.com/server/22/admin_manual/installation/harden_server.html#enable-http-strict-transport-security | |
| add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; | |
| location / { | |
| include /config/nginx/proxy.conf; | |
| include /config/nginx/resolver.conf; | |
| set $upstream_app {{ docker_pihole }}; | |
| set $upstream_port 80; | |
| set $upstream_proto http; | |
| proxy_pass $upstream_proto://$upstream_app:$upstream_port; | |
| proxy_max_temp_file_size 2048m; | |
| proxy_set_header X-Forwarded-Host $host:$server_port; | |
| proxy_set_header X-Forwarded-Server $host; | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_buffering off; | |
| } | |
| } | |
| EOM | |
| sudo chown -R 1000 /opt/duckdnsswag | |
| # generate a playbook yaml | |
| tee ~/duckdnsswag.yaml << EOM | |
| --- | |
| - name: duckdnsswag | |
| hosts: localhost | |
| gather_facts: true | |
| become: true | |
| tasks: | |
| - name: duckdnsupdater container | |
| docker_container: | |
| name: cloudblock_duckdnsupdater | |
| hostname: cloudblock_duckdnsupdater | |
| image: ghcr.io/linuxserver/duckdns | |
| networks: | |
| - name: cloudblock | |
| ipv4_address: "{{ docker_duckdnsupdater }}" | |
| env: | |
| PUID: "1000" | |
| PGID: "1000" | |
| TZ: "UTC" | |
| SUBDOMAINS: "{{ duckdns_domain.split('.')[0] }}" | |
| TOKEN: "{{ duckdns_token }}" | |
| pull: yes | |
| purge_networks: yes | |
| restart_policy: "always" | |
| container_default_behavior: "compatibility" | |
| - name: proxy template files | |
| template: | |
| src: "{{ item }}" | |
| dest: "/opt/duckdnsswag/{{ item }}" | |
| owner: 1000 | |
| mode: 0444 | |
| - name: duckdns web proxy container | |
| docker_container: | |
| name: cloudblock_webproxy | |
| hostname: cloudblockwebproxy | |
| image: ghcr.io/linuxserver/swag | |
| networks: | |
| - name: cloudblock | |
| ipv4_address: "{{ docker_webproxy }}" | |
| env: | |
| PUID: "1000" | |
| PGID: "1000" | |
| TZ: "UTC" | |
| URL: "{{ duckdns_domain }}" | |
| DUCKDNSTOKEN: "{{ duckdns_token }}" | |
| EMAIL: "{{ letsencrypt_email }}" | |
| VALIDATION: "duckdns" | |
| ports: | |
| - "443:443" | |
| volumes: "/opt/duckdnsswag:/config" | |
| pull: yes | |
| purge_networks: yes | |
| restart_policy: "always" | |
| container_default_behavior: "compatibility" | |
| restart: yes | |
| # stop the original web proxy container | |
| sudo docker stop web_proxy | |
| # run the playbook to install duckdnsupdater/swag with nginx | |
| ansible-playbook ~/duckdnsswag.yaml --extra-vars 'docker_pihole=172.18.0.3 docker_webproxy=172.18.0.5 docker_duckdnsupdater=172.18.0.6 duckdns_domain=REPLACE_ME.duckdns.org duckdns_token=REPLACE_ME [email protected]' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment