quico-containers/nginx
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(nginx): Initial commit

Browse Source
This commit is contained in:
hygienic-books 2025-01-26 19:04:01 +01:00
parent b3ffcb10a6
commit e98236e64b
5 changed files with 302 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
.idea

253
README.md
View File

@ -1,3 +1,252 @@
# nginx
# FIXME
Setup instruction for a plain Nginx Docker container
Search and replace all mentions of FIXME with sensible content in this file and in [compose.yaml](compose.yaml).
# Nginx Docker Compose files
Docker Compose files to spin up an instance of Nginx.
# How to run
Add a `COMPOSE_ENV` file and save its location as a shell variable along with the location where this repo lives, here for example `/opt/containers/nginx` plus all other variables. At [env/fqdn_context.env.example](env/fqdn_context.env.example) you'll find an example environment file.
When everything's ready start Nginx with Docker Compose, otherwise head down to [Initial setup](#initial-setup) first.
## Environment
```
export COMPOSE_DIR='/opt/containers/nginx'
export COMPOSE_CTX='ux_vilnius'
export COMPOSE_PROJECT='nginx-'"${COMPOSE_CTX}"
export COMPOSE_FILE="${COMPOSE_DIR}"'/compose.yaml'
export COMPOSE_ENV=<add accordingly>
```
## Context
On your deployment machine create the necessary Docker context to connect to and control the Docker daemon on whatever target host you'll be using, for example:
```
docker context create fully.qualified.domain.name --docker 'host=ssh://root@fully.qualified.domain.name'
```
## Pull
Pull images from Docker Hub verbatim.
```
docker compose --project-name "${COMPOSE_PROJECT}" --file "${COMPOSE_FILE}" --env-file "${COMPOSE_ENV}" pull
```
## Copy to target
Copy images to target Docker host, that is assuming you deploy to a machine that itself has no network route to reach Docker Hub or your private registry of choice. Copying in its simplest form involves a local `docker save` and a remote `docker load`. Consider the helper mini-project [quico.space/Quico/copy-docker](https://quico.space/Quico/copy-docker) where [copy-docker.sh](https://quico.space/Quico/copy-docker/src/branch/main/copy-docker.sh) allows the following workflow:
```
copy-docker 'nginx:latest' fully.qualified.domain.name
```
## Start
```
docker --context 'containers-1.ops.loft.seneve.de' compose --project-name "${COMPOSE_PROJECT}" --file "${COMPOSE_FILE}" --env-file "${COMPOSE_ENV}" up --detach
```
## Clean up
Get rid of unnecessary images on both the deployment and the target machine:
```
docker --context 'fully.qualified.domain.name' system prune -af
docker system prune -af
```
# Initial setup
We're assuming you run Docker Compose workloads with ZFS-based bind mounts. ZFS management, creating a zpool and setting adequate properties for its datasets is out of scope of this document.
## Datasets
Create ZFS datasets and set permissions as needed.
* Parent dateset
```
export "$(grep -Pi -- '^CONTEXT=' "${COMPOSE_ENV}")"
zfs create -o canmount=off zpool/data/opt
zfs create -o mountpoint=/opt/docker-data zpool/data/opt/docker-data
```
* Container-specific datasets
```
zfs create -p 'zpool/data/opt/docker-data/nginx-'"${CONTEXT}"'/nginx/conf'
zfs create -p 'zpool/data/opt/docker-data/nginx-'"${CONTEXT}"'/nginx/data'
```
This results in a directory structure like so:
```
/opt/docker-data/nginx-loft/nginx
├── conf
└── data
```
* Create subdirs
```
mkdir -p '/opt/docker-data/nginx-'"${CONTEXT}"'/nginx/'{'conf/'{'certs','nginx/'{'conf.d','sites-enabled'}},'data/logs'}
```
This creates the following dir structure:
```
/opt/docker-data/nginx-loft/nginx
├── conf
│ ├── certs
│ └── nginx
│ ├── conf.d
│ └── sites-enabled
└── data
└── logs
```
* Change ownership
```
chown -R 101:101 '/opt/docker-data/nginx-'"${CONTEXT}"'/nginx/'*
```
## Additional files
* Place an `ssl.conf` and an `nginx.conf` file on target server:
```
/opt/docker-data/nginx-loft/nginx
└── conf
└── nginx
├── conf.d
│ └── ssl.conf
└── nginx.conf
```
* The `nginx.conf` file may look like so:
```
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*.conf;
}
```
* An `ssl.conf` file may look like so:
```
server_tokens off;
# For a 100% SSL rating at ssllabs.com
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
ssl_stapling on;
ssl_stapling_verify on;
ssl_dhparam sslcerts/dhparam.pem;
ssl_ecdh_curve secp384r1;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
# In a Nextcloud instance these two are done internally by PHP nowadays.
# Nextcloud's admin interface will complain if you do these via the reverse
# proxy.
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
# End 100% SSL rating block
```
* Store SSL certificates as needed in `/opt/docker-data/nginx-${CONTEXT}/nginx/conf/certs`
* Add per-site config files to `/opt/docker-data/nginx-${CONTEXT}/nginx/conf/nginx/sites-enabled` like so:
```
/opt/docker-data/nginx-loft/
└── nginx
└── conf
└── nginx
└── sites-enabled
├── name.domain.qualified.fully.conf
└── name.domain.a.also.conf
```
Where an individual file may look like so. This largely depends on each application.
```
server {
listen 80;
server_name fully.qualified.domain.name;
access_log /var/log/nginx/name.domain.qualified.fully_plain_access.log main;
error_log /var/log/nginx/name.domain.qualified.fully_plain_error.log error;
return 308 https://$server_name$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name fully.qualified.domain.name;
ssl_certificate /etc/nginx/sslcerts/name.domain.qualified.fully_fullchain.cer;
ssl_certificate_key /etc/nginx/sslcerts/name.domain.qualified.fully.key;
ssl_trusted_certificate /etc/nginx/sslcerts/name.domain.qualified.fully_ca.cer;
access_log /var/log/nginx/name.domain.qualified.fully_ssl_access.log main;
error_log /var/log/nginx/name.domain.qualified.fully_ssl_error.log error;
location / {
proxy_pass http://fully.qualified.domain.name:63961;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
```
When done head back up to [How to run](#how-to-run).
# Development
## Conventional commits
This project uses [Conventional Commits](https://www.conventionalcommits.org/) for its commit messages.
### Commit types
Commit _types_ besides `fix` and `feat` are:
- `refactor`: Keeping functionality while streamlining or otherwise improving function flow
- `docs`: Documentation for project or components
### Commit scopes
The following _scopes_ are known for this project. A Conventional Commits commit message may optionally use one of the following scopes or none:
- `nginx`: A change to how the `nginx` service component works
- `build`: Build-related changes such as `Dockerfile` fixes and features.
- `mount`: Volume or bind mount-related changes.
- `net`: Networking, IP addressing, routing changes
- `meta`: Affects the project's repo layout, file names etc.

11
common-settings.yaml Normal file
View File

@ -0,0 +1,11 @@
services:
common-settings:
environment:
TZ: "${TIMEZONE:-Etc/UTC}"
logging:
driver: "json-file"
options:
max-size: "10m"
max-file: "10"
compress: "true"
restart: "${RESTARTPOLICY:-unless-stopped}"

37
compose.yaml Normal file
View File

@ -0,0 +1,37 @@
services:
nginx-loft:
image: nginx:latest
container_name: nginx-${CONTEXT}
networks:
nginx-default:
ulimits:
nproc: ${ULIMIT_NPROC:-65535}
nofile:
soft: ${ULIMIT_NPROC:-65535}
hard: ${ULIMIT_NPROC:-65535}
extra_hosts:
- host.docker.internal:host-gateway
extends:
file: common-settings.yml
service: common-settings
ports:
- "80:80"
- "443:443"
volumes:
- /opt/docker-data/nginx-${CONTEXT}/nginx/conf/certs:/etc/nginx/sslcerts
- /opt/docker-data/nginx-${CONTEXT}/nginx/conf/nginx/nginx.conf:/etc/nginx/nginx.conf
- /opt/docker-data/nginx-${CONTEXT}/nginx/conf/nginx/conf.d/ssl.conf:/etc/nginx/conf.d/ssl.conf
- /opt/docker-data/nginx-${CONTEXT}/nginx/conf/nginx/sites-enabled:/etc/nginx/sites-enabled
- /opt/docker-data/nginx-${CONTEXT}/nginx/data/logs:/var/log/nginx
networks:
# Variables are not supported in keys, only in values.
# Change static context string manually if need something else
nginx-default:
name: nginx-${CONTEXT}
driver: bridge
driver_opts:
com.docker.network.enable_ipv6: "false"
ipam:
driver: default
config:
- subnet: ${SUBNET}

2
env/fqdn_context.env.example vendored Normal file
View File

@ -0,0 +1,2 @@
CONTEXT=ux_vilnius
SUBNET=172.19.141.0/24