From b78303335ef1d3994fb3b314950445ebfa87d2e4 Mon Sep 17 00:00:00 2001
From: titanz
Date: Mon, 30 Dec 2024 03:03:02 +0100
Subject: [PATCH] first commit
---
 MonitoRSS | 1 +
 ghost/docker-compose.yml | 49 +++++++++++++
 gitea/docker-compose.yml | 52 ++++++++++++++
 isso-comments/config/isso.cfg | 17 +++++
 isso-comments/isso.sh | 3 +
 nextcloud/.env | 14 ++++
 nextcloud/compose.yml | 127 ++++++++++++++++++++++++++++++++++
 nextcloud/nginx/default.conf | 93 +++++++++++++++++++++++++
 vaultwarden/.env | 6 ++
 vaultwarden/compose.yml | 49 +++++++++++++
 10 files changed, 411 insertions(+)
 create mode 160000 MonitoRSS
 create mode 100644 ghost/docker-compose.yml
 create mode 100644 gitea/docker-compose.yml
 create mode 100644 isso-comments/config/isso.cfg
 create mode 100755 isso-comments/isso.sh
 create mode 100644 nextcloud/.env
 create mode 100644 nextcloud/compose.yml
 create mode 100644 nextcloud/nginx/default.conf
 create mode 100644 vaultwarden/.env
 create mode 100644 vaultwarden/compose.yml
diff --git a/MonitoRSS b/MonitoRSS
new file mode 160000
index 0000000..9329d30
--- /dev/null
+++ b/MonitoRSS
@@ -0,0 +1 @@
+Subproject commit 9329d3064ea0341e8446d0526b7d73a9c6233c08
diff --git a/ghost/docker-compose.yml b/ghost/docker-compose.yml
new file mode 100644
index 0000000..a46d080
--- /dev/null
+++ b/ghost/docker-compose.yml
@@ -0,0 +1,49 @@
+version: '3.1'
+
+services:
+
+ ghost:
+ image: ghost:5-alpine
+ restart: always
+ expose:
+ - "8084"
+ ports:
+ - 8084:2368
+ environment:
+ # see https://ghost.org/docs/config/#configuration-options
+ database__client: mysql
+ database__connection__host: db
+ database__connection__user: ghost
+ database__connection__password:
+ database__connection__database: ghostdb
+ # this url value is just an example, and is likely wrong for your environment!
+ url: https://blog.conorz.at/
+ # contrary to the default mentioned in the linked documentation, this image defaults to NODE_ENV=production (so development mode needs to be explicitly specified if desired)
+ #NODE_ENV: development
+ volumes:
+ - ./ghost:/var/lib/ghost/content
+
+ db:
+ image: ghcr.io/polarix-containers/mariadb:11.4-alpine
+ restart: always
+ environment:
+ MYSQL_ROOT_PASSWORD:
+ MYSQL_USER: ghost
+ MYSQL_PASSWORD:
+ MYSQL_DATABASE: ghostdb
+ volumes:
+ - ./db:/var/lib/mysql
+ user: "3005:3005"
+ read_only: true
+ tmpfs:
+ - /var/tmp:mode=0770,uid=3005,gid=3005,noexec,nosuid,nodev
+ - /run/mariadb:size=50M,mode=0770,uid=3005,gid=3005,noexec,nosuid,nodev
+ security_opt:
+ - "no-new-privileges=true"
+ cap_drop:
+ - ALL
+
+volumes:
+ ghost:
+ db:
+
diff --git a/gitea/docker-compose.yml b/gitea/docker-compose.yml
new file mode 100644
index 0000000..f44667b
--- /dev/null
+++ b/gitea/docker-compose.yml
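Review bot: The bare `database__connection__password:`, `MYSQL_ROOT_PASSWORD:` and `MYSQL_PASSWORD:` entries are not empty passwords: per the compose spec a key with no value is resolved from the shell that runs compose and dropped when unset, so the database credentials silently depend on whatever happens to be exported on the host. The other stacks in this commit route secrets through `${VAR}` from a `.env` file, and these lines should do the same, e.g. `MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}`. The top-level `volumes:` block declares named volumes `ghost` and `db` that no service uses (both bind-mount `./ghost` and `./db`), and `expose: - "8084"` names the host port rather than the container's 2368, so both can go. `ports: - 8084:2368` publishes ghost on every host interface although `url:` points at a TLS hostname, so a reverse proxy is presumably in front; `"127.0.0.1:8084:2368"` would keep the plain-HTTP port local. The ghost service also gets none of the `user`, `read_only`, `no-new-privileges` or `cap_drop` settings the db service has, and a comment saying whether that is intentional would help.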
@@ -0,0 +1,52 @@
+version: "2"
+
+services:
+ server:
+ image: ghcr.io/polarix-containers/gitea:latest
+ environment:
+ - GITEA__database__DB_TYPE=postgres
+ - GITEA__database__HOST=gitea-db-1:5432
+ - GITEA__database__NAME=giteadb
+ - GITEA__database__USER=gitea
+ - GITEA__database__PASSWD=
+ restart: always
+ volumes:
+ - ./data:/var/lib/gitea
+ - ./config:/etc/gitea
+ - /etc/timezone:/etc/timezone:ro
+ - /etc/localtime:/etc/localtime:ro
+ ports:
+ - "3004:3000"
+ - "2220:2220"
+ depends_on:
+ - db
+ read_only: false
+ user: "3002:3002"
+ security_opt:
+ - "no-new-privileges=true"
+# cap_drop:
+# - ALL
+
+ db:
+ image: ghcr.io/polarix-containers/postgres:17
+ restart: always
+ environment:
+ - POSTGRES_USER=gitea
+ - POSTGRES_PASSWORD=
+ - POSTGRES_DB=giteadb
+ volumes:
+ - ./postgres:/var/lib/postgresql/data:Z
+ healthcheck:
+ test: ["CMD", "pg_isready", "-U", "gitea", "-d", "giteadb"]
+ interval: 15s
+ timeout: 5s
+ ports:
+ - "5433:5432"
+ user: "70:70"
+ read_only: true
+ tmpfs:
+ - /var/run/postgresql:size=50M,mode=0770,uid=70,gid=70,noexec,nosuid,nodev
+ security_opt:
+ - "no-new-privileges=true"
+ cap_drop:
+ - ALL
diff --git a/isso-comments/config/isso.cfg b/isso-comments/config/isso.cfg
new file mode 100644
index 0000000..17a1307
--- /dev/null
+++ b/isso-comments/config/isso.cfg
@@ -0,0 +1,17 @@
+# Isso example configuration file
+# vim: set filetype=dosini
+
+[general]
+
+# Change dbpath to /db/comments.db if running in docker!
+dbpath = /db/comments.db
+host = https://blog.conorz.at/
+
+[server]
+listen = http://localhost:8080/
+trusted-proxies = http://localhost:8080/
+[admin]
+enabled = true
+password =
+
+# public-endpoint =
diff --git a/isso-comments/isso.sh b/isso-comments/isso.sh
new file mode 100755
index 0000000..347c29f
--- /dev/null
+++ b/isso-comments/isso.sh
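Review bot: `GITEA__database__HOST=gitea-db-1:5432` hard-codes the container name Compose derives from the project directory, so the server stops finding its database as soon as the stack is started under another project name; the service name resolves on the default network and the line should read `GITEA__database__HOST=db:5432`. The list form `depends_on: - db` ignores the healthcheck defined on `db`, so gitea can start before Postgres accepts connections; `vaultwarden/compose.yml` in this same commit uses `depends_on: postgres: condition: service_healthy`, and this file should match that shape with `db`. `ports: - "5433:5432"` publishes Postgres on every host interface although only the gitea service needs it, and `POSTGRES_PASSWORD=` plus `GITEA__database__PASSWD=` are left blank in the committed file rather than sourced from `.env` as the nextcloud stack does; drop the port mapping (or bind it to `127.0.0.1:`) and reference both passwords as `${VAR}`. `read_only: false` and the commented-out `cap_drop` on the server service are presumably deliberate, but a comment saying why would help since every other service in the commit has both.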
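Review bot: `[admin]` sets `enabled = true` with `password =` left empty, which turns on isso's admin interface behind an empty credential in a committed file; set a real password outside the repository or `enabled = false` until one is configured. `listen = http://localhost:8080/` binds the server to loopback inside the container, which the `-p 127.0.0.1:8086:8080` mapping in isso.sh cannot reach; I believe the Docker deployment wants `listen = http://0.0.0.0:8080/`, so confirm the container actually answers. `trusted-proxies` is, as far as I recall, a list of proxy IP addresses rather than URLs, so the `http://localhost:8080/` value here probably never matches and client addresses forwarded by the reverse proxy are not honoured; verify against the isso documentation.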
@@ -0,0 +1,3 @@
+sudo docker run -d --rm --name isso -p 127.0.0.1:8086:8080 \
+ -v /home/titanz/comments/config:/config -v /home/titanz/comments/db:/db \
+ ghcr.io/isso-comments/isso:release
diff --git a/nextcloud/.env b/nextcloud/.env
new file mode 100644
index 0000000..c439ce9
--- /dev/null
+++ b/nextcloud/.env
@@ -0,0 +1,14 @@
+MARIADB_ROOT_PASSWORD=
+MARIADB_DATABASE=nextclouddb
+MARIADB_USER=nextcloud
+MARIADB_PASSWORD=
+SMTP_HOST=
+SMTP_SECURE=ssl
+SMTP_PORT=465
+SMTP_NAME=
+SMTP_PASSWORD=
+MAIL_FROM_ADDRESS=
+MAIL_DOMAIN=
+TRUSTED_PROXIES=cloud.conorz.at
+NC_maintenance_window_start=0
+NC_default_phone_region=US
diff --git a/nextcloud/compose.yml b/nextcloud/compose.yml
new file mode 100644
index 0000000..2af180f
--- /dev/null
+++ b/nextcloud/compose.yml
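Review bot: The script is committed executable (mode 100755) but has no shebang, so `./isso.sh` is interpreted by whatever shell the caller happens to run; the first line should be `#!/bin/sh`. `-d --rm` with no `--restart` policy means the container is deleted on any stop and does not come back after a reboot, unlike the `restart: always` services elsewhere in the commit; a compose file like the other stacks, or `--restart unless-stopped` without `--rm`, would be consistent with them. The bind-mount paths `/home/titanz/comments/...` are tied to one user's home directory where the compose files use paths relative to the project directory.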
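Review bot: `TRUSTED_PROXIES=cloud.conorz.at` gives a hostname where, as far as I know, Nextcloud's trusted_proxies setting matches the connecting peer's IP address or CIDR range, so the nginx container's address is unlikely to be recognised, every request is attributed to the proxy, and the per-IP brute-force throttling keys on that one address. Set it to the address or subnet of the nginx container (the `nginx` compose network) and confirm in the admin overview that the real client IP is reported. Committing `.env` itself, here and in `vaultwarden/.env`, with blank `MARIADB_ROOT_PASSWORD=`, `MARIADB_PASSWORD=` and `SMTP_PASSWORD=` means the real values land in history the moment they are filled in; commit an `.env.example` with the blank keys and add `.env` to `.gitignore` instead.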
@@ -0,0 +1,127 @@
+services:
+ mariadb:
+ container_name: mariadb
+ restart: unless-stopped
+ image: ghcr.io/polarix-containers/mariadb:11.4-alpine
+ volumes:
+ - "./mariadb:/var/lib/mysql:Z"
+ networks:
+ - mariadb
+ environment:
+ - MARIADB_ROOT_PASSWORD=${MARIADB_ROOT_PASSWORD}
+ - MARIADB_DATABASE=${MARIADB_DATABASE}
+ - MARIADB_USER=${MARIADB_USER}
+ - MARIADB_PASSWORD=${MARIADB_PASSWORD}
+ user: "3003:3003"
+ read_only: true
+ tmpfs:
+ - /var/tmp:mode=0770,uid=3003,gid=3003,noexec,nosuid,nodev
+ - /run/mariadb:size=50M,mode=0770,uid=3003,gid=3003,noexec,nosuid,nodev
+ security_opt:
+ - "no-new-privileges=true"
+ cap_drop:
+ - ALL
+
+ valkey:
+ container_name: valkey
+ image: ghcr.io/polarix-containers/valkey:8
+ restart: unless-stopped
+ volumes:
+ - ./valkey:/data:Z
+ networks:
+ - valkey
+ user: "3009:3009"
+ read_only: true
+ security_opt:
+ - "no-new-privileges=true"
+ cap_drop:
+ - ALL
+
+ nextcloud:
+ container_name: nextcloud
+ image: ghcr.io/polarix-containers/nextcloud:29
+ restart: unless-stopped
+ volumes:
+ - ./nextcloud:/var/www/html:z
+ networks:
+ - mariadb
+ - valkey
+ - nginx
+ depends_on:
+ - mariadb
+ - valkey
+ environment:
+ - MYSQL_HOST=mariadb
+ - MYSQL_DATABASE=${MARIADB_DATABASE}
+ - MYSQL_USER=${MARIADB_USER}
+ - MYSQL_PASSWORD=${MARIADB_PASSWORD}
+ - REDIS_HOST=valkey
+ - SMTP_HOST=${SMTP_HOST}
+ - SMTP_SECURE=${SMTP_SECURE}
+ - SMTP_PORT=${SMTP_PORT}
+ - SMTP_NAME=${SMTP_NAME}
+ - SMTP_PASSWORD=${SMTP_PASSWORD}
+ - MAIL_FROM_ADDRESS=${MAIL_FROM_ADDRESS}
+ - MAIL_DOMAIN=${MAIL_DOMAIN}
+ - TRUSTED_PROXIES=${TRUSTED_PROXIES}
+ - NC_maintenance_window_start=${NC_maintenance_window_start}
+ - NC_default_phone_region=${NC_default_phone_region}
+ security_opt:
+ - "no-new-privileges=true"
+ cap_drop:
+ - ALL
+ cap_add:
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - SETUID
+ - SETGID
+
+ cron:
+ container_name: cron
+ image: ghcr.io/polarix-containers/nextcloud:stable
+ restart: unless-stopped
+ volumes:
+ - ./nextcloud:/var/www/html:z
+ networks:
+ - mariadb
+ - valkey
+ depends_on:
+ - mariadb
+ - valkey
+ entrypoint: /cron.sh
+ security_opt:
+ - "no-new-privileges=true"
+ cap_drop:
+ - ALL
+ cap_add:
+ - SETUID
+ - SETGID
+
+ nginx:
+ container_name: nginx
+ restart: unless-stopped
+ image: ghcr.io/polarix-containers/nginx:unprivileged-slim
+ ports:
+ - 8085:8080/tcp
+ volumes:
+ - ./nginx/default.conf:/etc/nginx/conf.d/default.conf:Z,ro
+ - ./nextcloud:/var/www/html:z
+ networks:
+ - nginx
+ depends_on:
+ - nextcloud
+ user: "101:101"
+ read_only: true
+ tmpfs:
+ - /var/cache/nginx:mode=0770,uid=101,gid=101,noexec,nosuid,nodev
+ - /tmp:mode=0770,uid=101,gid=101,noexec,nosuid,nodev
+ security_opt:
+ - "no-new-privileges=true"
+ cap_drop:
+ - ALL
+
+networks:
+ mariadb:
+ valkey:
+ nginx:
diff --git a/nextcloud/nginx/default.conf b/nextcloud/nginx/default.conf
new file mode 100644
index 0000000..c199fea
--- /dev/null
+++ b/nextcloud/nginx/default.conf
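Review bot: The `cron` service runs `nextcloud:stable` while the `nextcloud` service runs `nextcloud:29`, and both mount the same `./nextcloud:/var/www/html` tree; two image versions over one application directory means whichever entrypoint starts first decides the code on disk, and if `stable` is ahead of 29 the cron container may upgrade the installation behind the web container's back (the image entrypoint is not visible here, so confirm). Pin both to the same tag: `image: ghcr.io/polarix-containers/nextcloud:29` on the cron service as well. `ports: - 8085:8080/tcp` on nginx publishes the plain-HTTP listener on every host interface while `TRUSTED_PROXIES` implies a TLS proxy in front; `"127.0.0.1:8085:8080/tcp"` (quoted, as the other compose files do) keeps it local. The fixed `container_name: mariadb`, `valkey`, `nginx` and `cron` names will collide with any other stack on the host that picks the same names, so project-prefixed names like the `vaultwarden-postgres` used elsewhere in this commit are safer.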
@@ -0,0 +1,93 @@
+server {
+ listen 8080;
+
+ absolute_redirect off;
+ sendfile on;
+
+ include mime.types;
+ default_type application/octet-stream;
+ types {
+ text/javascript mjs;
+ application/wasm wasm;
+ }
+
+ # set max upload size and increase upload timeout:
+ client_max_body_size 512M;
+ client_body_timeout 300s;
+ fastcgi_buffers 64 4K;
+
+ # https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
+ client_body_buffer_size 512k;
+
+ root /var/www/html;
+ index index.php index.html /index.php$request_uri;
+
+ location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
+ location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
+
+ # Microsoft DAV clients
+ location = / {
+ if ( $http_user_agent ~ ^DavClnt ) {
+ return 302 /remote.php/webdav/$is_args$args;
+ }
+ }
+
+ location ^~ /.well-known {
+ location = /.well-known/carddav { return 301 /remote.php/dav/; }
+ location = /.well-known/caldav { return 301 /remote.php/dav/; }
+ return 301 /index.php$request_uri;
+ }
+
+ # Ensure this block, which passes PHP files to the PHP process, is above the blocks
+ # which handle static assets (as seen below). If this block is not declared first,
+ # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+ # to the URI, resulting in a HTTP 500 error response.
+ location ~ \.php(?:$|/) {
+ # Required for legacy support
+ rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
+
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ set $path_info $fastcgi_path_info;
+
+ try_files $fastcgi_script_name =404;
+
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $path_info;
+ fastcgi_param HTTPS on;
+
+ fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
+ fastcgi_param front_controller_active true; # Enable pretty urls
+ fastcgi_pass nextcloud:9000;
+
+ fastcgi_intercept_errors on;
+ fastcgi_request_buffering off;
+
+ fastcgi_max_temp_file_size 0;
+ }
+
+ # Serve static files
+ location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
+ try_files $uri /index.php$request_uri;
+ add_header Cache-Control "public, max-age=15778463, immutable";
+ access_log off; # Optional: Don't log access to assets
+
+ location ~ \.wasm$ {
+ default_type application/wasm;
+ }
+ }
+
+ location ~ \.(otf|woff2?)$ {
+ try_files $uri /index.php$request_uri;
+ add_header Cache-Control "public, max-age=604800";
+ access_log off; # Optional: Don't log access to assets
+ }
+
+ location /remote {
+ return 301 /remote.php$request_uri;
+ }
+
+ location / {
+ try_files $uri $uri/ /index.php$request_uri;
+ }
+}
diff --git a/vaultwarden/.env b/vaultwarden/.env
new file mode 100644
index 0000000..7733dc2
--- /dev/null
+++ b/vaultwarden/.env
@@ -0,0 +1,6 @@
+ADMIN_TOKEN=''
+POSTGRES_USER=vaultwarden
+POSTGRES_PASSWORD=
+PUSH_INSTALLATION_ID=
+PUSH_INSTALLATION_KEY=
+DOMAIN=https://bitwarden.conorz.at/
diff --git a/vaultwarden/compose.yml b/vaultwarden/compose.yml
new file mode 100644
index 0000000..e0d35c8
--- /dev/null
+++ b/vaultwarden/compose.yml
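Review bot: `fastcgi_param modHeadersAvailable true;` tells Nextcloud that the web server already emits the security headers, but no `add_header` for them appears anywhere in this `server` block (the only `add_header` lines set `Cache-Control` on static assets), so responses leave the stack without `X-Content-Type-Options`, `X-Frame-Options`, `Referrer-Policy` and the rest, and the application will not add them because it has been told not to. Either delete that `fastcgi_param` line so Nextcloud sends the headers itself, or add the header set from the Nextcloud nginx reference to the `server` block after `client_body_buffer_size`, as sketched below. Note that the static-asset locations set their own `add_header`, which in nginx replaces the inherited set for those responses; that is the same trade-off the reference configuration makes, and it is worth a comment where the headers are declared.
```nginx
# … unchanged: listen, mime types, upload limits …
client_body_buffer_size 512k;

# Send the security headers here: modHeadersAvailable in the PHP
# location tells Nextcloud not to emit them itself.
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-XSS-Protection "1; mode=block" always;
fastcgi_hide_header X-Powered-By;
# … unchanged: root, index, location blocks …
```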
@@ -0,0 +1,49 @@
+services:
+ vaultwarden:
+ container_name: vaultwarden
+ image: ghcr.io/polarix-containers/vaultwarden:latest
+ restart: always
+ volumes:
+ - /home/titanz/vaultwarden:/data:Z
+ ports:
+ - "8081:8080/tcp"
+ depends_on:
+ postgres:
+ condition: service_healthy
+ environment:
+ - SIGNUPS_ALLOWED=false
+ - ADMIN_TOKEN=${ADMIN_TOKEN}
+ - PUSH_ENABLED=true
+ - PUSH_INSTALLATION_ID=${PUSH_INSTALLATION_ID}
+ - PUSH_INSTALLATION_KEY=${PUSH_INSTALLATION_KEY}
+ - DOMAIN=${DOMAIN}
+ - ROCKET_PORT=8080
+ - DATABASE_URL=postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_USER}
+ - YUBICO_CLIENT_ID=82851
+ - YUBICO_SECRET_KEY=mLPiA1hxQGOan61RXAtL63xLrLE=
+ user: "3001:3001"
+ read_only: true
+ security_opt:
+ - "no-new-privileges=true"
+ cap_drop:
+ - ALL
+
+ postgres:
+ container_name: vaultwarden-postgres
+ image: ghcr.io/polarix-containers/postgres:17
+ restart: always
+ volumes:
+ - ./postgres:/var/lib/postgresql/data:Z
+ environment:
+ - POSTGRES_USER=${POSTGRES_USER}
+ - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
+ healthcheck:
+ test: ["CMD", "pg_isready", "-U", "vaultwarden"]
+ interval: 15s
+ timeout: 5s
+ user: "70:70"
+ read_only: true
+ tmpfs:
+ - /var/run/postgresql:size=50M,mode=0770,uid=70,gid=70,noexec,nosuid,nodev
+ security_opt:
+ - "no-new-privileges=true"
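Review bot: `YUBICO_SECRET_KEY=` carries a literal API secret (and `YUBICO_CLIENT_ID` its id) in the committed compose file, the only credential in this stack not routed through `${VAR}`; a key that has been in git history should be treated as exposed, regenerated with Yubico, and referenced as `- YUBICO_SECRET_KEY=${YUBICO_SECRET_KEY}` from `.env` like `ADMIN_TOKEN` and the push keys. The `postgres` service ends at `security_opt` without the `cap_drop: - ALL` that the same image gets in `gitea/docker-compose.yml`, so the two Postgres containers run with different capability sets for no stated reason. `image: ghcr.io/polarix-containers/vaultwarden:latest` is unpinned while `postgres:17` is pinned; with `restart: always` a moving tag means the password-manager server changes version on any restart, so pin it to a release tag.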