From a90c4fe22febaf2ce5ad742432682b664229baaf Mon Sep 17 00:00:00 2001 From: Wojciech Kozlowski Date: Sun, 17 Sep 2017 01:07:45 +0100 Subject: [PATCH] Let's encrypt working --- docker-compose.yml | 11 ++++- proxy/Dockerfile | 6 +++ .../cloud.wojciechkozlowski.eu.conf | 2 +- proxy/nginx-conf.d/default.conf | 24 ++++++++++ .../gitlab.wojciechkozlowski.eu.conf | 2 +- .../wiki.wojciechkozlowski.eu.conf | 2 +- proxy/nginx-conf.d/wojciechkozlowski.eu.conf | 2 +- proxy/nginx.conf | 46 +++++++++++++++++++ 8 files changed, 89 insertions(+), 6 deletions(-) create mode 100644 proxy/Dockerfile create mode 100644 proxy/nginx-conf.d/default.conf create mode 100644 proxy/nginx.conf diff --git a/docker-compose.yml b/docker-compose.yml index fc0e0bd..1bcd4a7 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -7,6 +7,7 @@ volumes: vol_gitlab_config: vol_gitlab_logs: vol_gitlab_data: + vol_letsencrypt: services: @@ -79,6 +80,8 @@ services: GITLAB_OMNIBUS_CONFIG: | external_url 'http://gitlab.wojciechkozlowski.eu' # Add any other gitlab.rb configuration here, each on its own line + ports: + - 2770:22 volumes: - vol_gitlab_config:/etc/gitlab - vol_gitlab_logs:/var/log/gitlab @@ -91,14 +94,18 @@ services: proxy: container_name: proxy - image: nginx + build: proxy + image: proxy ports: - 80:80 + - 443:443 links: - html - wiki - nextcloud - gitlab volumes: - - ./proxy/nginx-conf.d:/etc/nginx/conf.d + - ./proxy/nginx.conf:/etc/nginx/nginx.conf:ro + - ./proxy/nginx-conf.d:/etc/nginx/conf.d:ro + - vol_letsencrypt:/etc/letsencrypt restart: always diff --git a/proxy/Dockerfile b/proxy/Dockerfile new file mode 100644 index 0000000..5c43981 --- /dev/null +++ b/proxy/Dockerfile @@ -0,0 +1,6 @@ +FROM nginx + +RUN apt update && apt install -y certbot +RUN mkdir -p /var/www/html + +VOLUME ["/etc/letsencrypt"] diff --git a/proxy/nginx-conf.d/cloud.wojciechkozlowski.eu.conf b/proxy/nginx-conf.d/cloud.wojciechkozlowski.eu.conf index 38fcaa0..40acaf3 100644 
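Review bot: `- 2770:22` is unquoted, and a YAML 1.1 loader such as PyYAML reads `2770:22` as the base-60 integer 166222 rather than a port mapping, because the part after the colon is below 60; quote it as `- "2770:22"` (the `80:80` and `443:443` mappings are unaffected since 80 and 443 do not match the sexagesimal pattern). The visible context line `external_url 'http://gitlab.wojciechkozlowski.eu'` still names http while the proxy in this commit redirects port 80 to https, so GitLab will presumably keep generating http:// links that bounce through the proxy again; the usual shape when TLS terminates in front is an `https://` external_url together with `nginx['listen_https'] = false` and `nginx['listen_port'] = 80` (confirm against the omnibus docs). Publishing SSH on 2770 without `gitlab_rails['gitlab_shell_ssh_port'] = 2770` also leaves the SSH clone URLs GitLab displays pointing at port 22.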
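Review bot: `RUN apt update && apt install -y certbot` uses the interactive `apt` front end, pulls in recommended packages and leaves the package lists in the layer; the conventional form is `RUN apt-get update && apt-get install -y --no-install-recommends certbot \` followed by `    && rm -rf /var/lib/apt/lists/*`. `FROM nginx` with no tag floats with upstream, so every rebuild can pick up a different nginx and certbot and the proxy image is not reproducible; pin a tag. Nothing visible in this commit runs certbot for issuance or `certbot renew`, so as far as the diff shows the certificates under `/etc/letsencrypt` must be obtained and renewed by hand and will lapse after Let's Encrypt's 90-day lifetime unless that is scheduled elsewhere.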
--- a/proxy/nginx-conf.d/cloud.wojciechkozlowski.eu.conf +++ b/proxy/nginx-conf.d/cloud.wojciechkozlowski.eu.conf @@ -1,5 +1,5 @@ server { - listen 80; + listen 443; server_name cloud.wojciechkozlowski.eu; location / { diff --git a/proxy/nginx-conf.d/default.conf b/proxy/nginx-conf.d/default.conf new file mode 100644 index 0000000..82ce33a --- /dev/null +++ b/proxy/nginx-conf.d/default.conf @@ -0,0 +1,24 @@ +# server { +# listen 443 ssl http2; + +# ssl_certificate /etc/nginx/cert/bjornjohansen.no.certchain.crt; +# ssl_certificate_key /etc/nginx/cert/bjornjohansen.no.key; + +# ssl_session_cache shared:SSL:20m; +# ssl_session_timeout 60m; + +# ssl_prefer_server_ciphers on; + +# ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DHE+AES128:!ADH:!AECDH:!MD5; + +# ssl_dhparam /etc/nginx/cert/dhparam.pem; + +# ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + +# ssl_stapling on; +# ssl_stapling_verify on; +# ssl_trusted_certificate /etc/nginx/cert/trustchain.crt; +# resolver 8.8.8.8 8.8.4.4; + +# add_header Strict-Transport-Security "max-age=31536000" always; +# } diff --git a/proxy/nginx-conf.d/gitlab.wojciechkozlowski.eu.conf b/proxy/nginx-conf.d/gitlab.wojciechkozlowski.eu.conf index 8cfe54d..3856196 100644 --- a/proxy/nginx-conf.d/gitlab.wojciechkozlowski.eu.conf +++ b/proxy/nginx-conf.d/gitlab.wojciechkozlowski.eu.conf @@ -1,5 +1,5 @@ server { - listen 80; + listen 443; server_name gitlab.wojciechkozlowski.eu; location / { diff --git a/proxy/nginx-conf.d/wiki.wojciechkozlowski.eu.conf b/proxy/nginx-conf.d/wiki.wojciechkozlowski.eu.conf index b902ec3..41e68f0 100644 --- a/proxy/nginx-conf.d/wiki.wojciechkozlowski.eu.conf +++ b/proxy/nginx-conf.d/wiki.wojciechkozlowski.eu.conf @@ -1,5 +1,5 @@ server { - listen 80; + listen 443; server_name wiki.wojciechkozlowski.eu; location / { diff --git a/proxy/nginx-conf.d/wojciechkozlowski.eu.conf b/proxy/nginx-conf.d/wojciechkozlowski.eu.conf index 024e268..03167f5 100644 --- a/proxy/nginx-conf.d/wojciechkozlowski.eu.conf 
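Review bot: `listen 443;` on its own makes nginx speak plain HTTP on port 443 — there is no `ssl` parameter and no `ssl_certificate`/`ssl_certificate_key` in this server block, so the `https://` redirect added in proxy/nginx.conf lands on a socket that cannot complete a TLS handshake. The same one-line change appears in the gitlab, wiki and wojciechkozlowski.eu hunks. Each vhost needs `listen 443 ssl;` plus its certificate pair, e.g. with certbot's default layout `ssl_certificate /etc/letsencrypt/live/cloud.wojciechkozlowski.eu/fullchain.pem;` and `ssl_certificate_key /etc/letsencrypt/live/cloud.wojciechkozlowski.eu/privkey.pem;`, with the shared `ssl_protocols`/`ssl_ciphers` settings placed once in the `http` block of nginx.conf where they are inherited. The server block continues past the hunk.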
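Review bot: Every line of this new file is commented out, so it is dead configuration whose only effect is to replace the nginx image's own `conf.d/default.conf` through the `:ro` bind mount. If it is meant as the template for the TLS settings the vhosts currently lack, note that the certificate paths belong to a different domain (`bjornjohansen.no`) and that `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables two protocol versions that are now deprecated — keep only `ssl_protocols TLSv1.2;` when it is adopted. Either delete the file or open it with a comment such as `# Template only, not active: TLS settings still to be adopted in nginx.conf` so the next reader knows why an inert file is shipped.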
+++ b/proxy/nginx-conf.d/wojciechkozlowski.eu.conf @@ -1,5 +1,5 @@ server { - listen 80; + listen 443; server_name wojciechkozlowski.eu; location / { diff --git a/proxy/nginx.conf b/proxy/nginx.conf new file mode 100644 index 0000000..68b81b0 --- /dev/null +++ b/proxy/nginx.conf @@ -0,0 +1,46 @@ +user nginx; +worker_processes 1; + +error_log /var/log/nginx/error.log warn; +pid /var/run/nginx.pid; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + #gzip on; + + server { + listen 80; + server_name wojciechkozlowski.eu + cloud.wojciechkozlowski.eu + gitlab.wojciechkozlowski.eu + wiki.wojciechkozlowski.eu; + + location ^~ /.well-known { + allow all; + root /var/www/html; + } + + location / { + return 301 https://$server_name$request_uri; + } + } + + include /etc/nginx/conf.d/*.conf; +} \ No newline at end of file
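Review bot: `return 301 https://$server_name$request_uri;` redirects every request to the first name of the `server_name` list — `$server_name` is the name of the server block that matched, here always `wojciechkozlowski.eu`, not the host the client asked for — so http://cloud.wojciechkozlowski.eu/... is sent to https://wojciechkozlowski.eu/.... The requested host is `$host`: `return 301 https://$host$request_uri;`. Because this is the only port-80 server block it is also the default server, so with `$host` an unlisted Host header is echoed into the redirect; if that matters, add a separate default `server` on port 80 that returns 444. The ACME location can be narrowed to `location ^~ /.well-known/acme-challenge/ { root /var/www/html; }` — `allow all;` is a no-op since the file has no deny rules — so nothing else under /.well-known is served from the container filesystem, and the file should end with a trailing newline.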