From 7954ae4bd360411ca5085d3691a41377b8a2e47b Mon Sep 17 00:00:00 2001 From: Norbert Tretkowski Date: Thu, 22 May 2025 06:54:23 +0200 Subject: [PATCH] Initial commit --- .gitignore | 1 + gotosocial/docker-compose.yml | 57 +++++++++++++++++ mollysocket/docker-compose.yml | 55 +++++++++++++++++ mollysocket/nginx.conf | 34 +++++++++++ nextcloud/docker-compose.yaml | 105 ++++++++++++++++++++++++++++++++ nextcloud/nginx.conf | 108 +++++++++++++++++++++++++++++++++ nextcloud/php-fpm-www.conf | 7 +++ 7 files changed, 367 insertions(+) create mode 100644 .gitignore create mode 100644 gotosocial/docker-compose.yml create mode 100644 mollysocket/docker-compose.yml create mode 100644 mollysocket/nginx.conf create mode 100644 nextcloud/docker-compose.yaml create mode 100644 nextcloud/nginx.conf create mode 100644 nextcloud/php-fpm-www.conf diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..4c49bd7 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.env diff --git a/gotosocial/docker-compose.yml b/gotosocial/docker-compose.yml new file mode 100644 index 0000000..8ad33c1 --- /dev/null +++ b/gotosocial/docker-compose.yml @@ -0,0 +1,57 @@ +services: + traefik: + image: "traefik:v3.3" + container_name: "traefik" + restart: always + command: + - "--api.insecure=false" + - "--providers.docker=true" + - "--providers.docker.exposedbydefault=false" + - "--entryPoints.web.address=:80" + - "--entryPoints.websecure.address=:443" + - "--certificatesresolvers.myresolver.acme.httpchallenge=true" + - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web" + - "--certificatesresolvers.myresolver.acme.email=norbert@tretkowski.de" + - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json" + ports: + - "80:80" + - "443:443" + volumes: + - "./traefik/letsencrypt:/letsencrypt" + - "/var/run/docker.sock:/var/run/docker.sock:ro" + networks: + - gotosocial + + gotosocial: + image: superseriousbusiness/gotosocial:latest + container_name: gotosocial + user: 1000:1000 + restart: always + networks: + - gotosocial + environment: + GTS_HOST: social.tretkowski.de + GTS_DB_TYPE: sqlite + GTS_DB_ADDRESS: /gotosocial/storage/sqlite.db + GTS_LETSENCRYPT_ENABLED: "false" + GTS_WAZERO_COMPILATION_CACHE: /gotosocial/.cache + GTS_ADVANCED_RATE_LIMIT_REQUESTS: "0" + TZ: Europe/Berlin + ports: + - "127.0.0.1:8080:8080" + volumes: + - "./gotosocial/data:/gotosocial/storage" + - "./gotosocial/cache:/gotosocial/.cache" + labels: + - "traefik.enable=true" + - "traefik.http.routers.gotosocial.rule=Host(`social.tretkowski.de`)" + - "traefik.http.routers.gotosocial.entrypoints=websecure" + - "traefik.http.routers.gotosocial.tls.certresolver=myresolver" + +networks: + gotosocial: + ipam: + driver: default + config: + - subnet: "172.18.1.0/24" + gateway: "172.18.1.1" diff --git a/mollysocket/docker-compose.yml b/mollysocket/docker-compose.yml new file mode 100644 index 0000000..e3e4b3b --- /dev/null +++ b/mollysocket/docker-compose.yml @@ -0,0 +1,55 @@ +services: + certbot: + restart: "no" + image: certbot/certbot:v3.1.0 + command: certonly --standalone --noninteractive --email norbert@tretkowski.de --agree-tos --domains mollysocket.tretkowski.de + volumes: + - $PWD/certs:/etc/letsencrypt + ports: + - "80:80" + - "443:443" + networks: + - external + - internal + + nginx: + image: nginx:1.27.3-alpine-slim + restart: unless-stopped + depends_on: + - mollysocket + volumes: + - $PWD/certs:/etc/letsencrypt:ro + - $PWD/nginx.conf:/etc/nginx/nginx.conf:ro + ports: + - "80:80" + - "443:443" + networks: + - external + - internal + + mollysocket: + image: ghcr.io/mollyim/mollysocket:1.6.0-alpine + container_name: mollysocket + restart: always + volumes: + - ./data:/data + working_dir: /data + command: server + environment: + - MOLLY_DB="/data/mollysocket.db" + - MOLLY_ALLOWED_ENDPOINTS=["https://up.conversations.im/","https://ntfy.sh/"] + - MOLLY_ALLOWED_UUIDS=["7d6ffb3e-6a0d-4335-8e6e-7acee0d20d34"] + #- MOLLY_VAPID_PRIVKEY="paste output of `docker compose run mollysocket vapid gen` here" + - MOLLY_HOST=0.0.0.0 + - MOLLY_PORT=8020 + - RUST_LOG=info + ports: + - "127.0.0.1:8020:8020" + networks: + - external + - internal + +networks: + external: + internal: + internal: true diff --git a/mollysocket/nginx.conf b/mollysocket/nginx.conf new file mode 100644 index 0000000..0baa6a8 --- /dev/null +++ b/mollysocket/nginx.conf @@ -0,0 +1,34 @@ +worker_processes 1; + +events { + worker_connections 1024; +} + +http { + server { + listen 80; + listen [::]:80; + + server_name mollysocket.tretkowski.de; + + location / { + return 301 https://$host$request_uri; + } + } + + server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name mollysocket.tretkowski.de; + + ssl_certificate /etc/letsencrypt/live/mollysocket.tretkowski.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/mollysocket.tretkowski.de/privkey.pem; + + location / { + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header Host $http_host; + proxy_pass http://mollysocket:8020; + } + } +} diff --git a/nextcloud/docker-compose.yaml b/nextcloud/docker-compose.yaml new file mode 100644 index 0000000..a9a3914 --- /dev/null +++ b/nextcloud/docker-compose.yaml @@ -0,0 +1,105 @@ +services: + + caddy: + image: lucaslorentz/caddy-docker-proxy:ci-alpine + container_name: reverse-proxy + ports: + - 80:80 + - 443:443 + environment: + - CADDY_INGRESS_NETWORKS=nextcloud_network + networks: + - nextcloud_network + volumes: + - /var/run/docker.sock:/var/run/docker.sock + - caddy_data:/data + restart: unless-stopped + + web: + image: nginx:alpine + container_name: nextcloud-web + networks: + - nextcloud_network + links: + - nextcloud + labels: + caddy: share.inittab.de + caddy.reverse_proxy: "{{upstreams}}" + caddy.header: /* + caddy.header.Strict-Transport-Security: '"max-age=15552000;"' + caddy.rewrite_0: /.well-known/carddav /remote.php/dav + caddy.rewrite_1: /.well-known/caldav /remote.php/dav + caddy.rewrite_2: /.well-known/webfinger /index.php/.well-known/webfinger + caddy.rewrite_3: /.well-known/nodeinfo /index.php/.well-known/nodeinfo + volumes: + - nextcloud_data:/var/www/html:z,ro + - ./nginx.conf:/etc/nginx/nginx.conf:ro + restart: unless-stopped + + db: + image: mariadb:lts + container_name: mariadb-database + command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW + networks: + - nextcloud_network + volumes: + - db_data:/var/lib/mysql + environment: + - MYSQL_ROOT_PASSWORD + - MYSQL_USER + - MYSQL_PASSWORD + - MYSQL_DATABASE + restart: unless-stopped + + redis: + image: redis:alpine + container_name: redis-dbcache + networks: + - nextcloud_network + restart: unless-stopped + + nextcloud: + image: nextcloud:stable-fpm + container_name: nextcloud-app + networks: + - nextcloud_network + volumes: + - nextcloud_data:/var/www/html:z + - ./php-fpm-www.conf:/usr/local/etc/php-fpm.d/www.conf:ro + environment: + - MYSQL_USER + - MYSQL_PASSWORD + - MYSQL_DATABASE + - MYSQL_HOST + - REDIS_HOST + - OVERWRITEPROTOCOL + - OVERWRITEHOST + - TRUSTED_PROXIES + - APACHE_DISABLE_REWRITE_IP + restart: unless-stopped + depends_on: + - caddy + - db + - redis + + cron: + image: nextcloud:stable-fpm + container_name: nextcloud-cron + networks: + - nextcloud_network + volumes: + - nextcloud_data:/var/www/html:z + entrypoint: /cron.sh + restart: unless-stopped + depends_on: + - db + - redis + +networks: + nextcloud_network: + external: true + +volumes: + caddy_data: {} + db_data: {} + nextcloud_data: {} diff --git a/nextcloud/nginx.conf b/nextcloud/nginx.conf new file mode 100644 index 0000000..10028ac --- /dev/null +++ b/nextcloud/nginx.conf @@ -0,0 +1,108 @@ +worker_processes auto; + +error_log /var/log/nginx/error.log warn; +pid /var/run/nginx.pid; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + access_log /var/log/nginx/access.log main; + + sendfile on; + #tcp_nopush on; + server_tokens off; + keepalive_timeout 65; + #gzip on; + + upstream php-handler { + server nextcloud:9000; + } + + server { + listen 80; + client_max_body_size 512M; + fastcgi_buffers 64 4K; + + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "noindex, nofollow" always; + add_header X-XSS-Protection "1; mode=block" always; + + fastcgi_hide_header X-Powered-By; + root /var/www/html; + index index.php index.html /index.php$request_uri; + + location = / { + if ( $http_user_agent ~ ^DavClnt ) { + return 302 /remote.php/webdav/$is_args$args; + } + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } + location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } + + location ~ \.php(?:$|/) { + rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri; + + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + set $path_info $fastcgi_path_info; + try_files $fastcgi_script_name =404; + + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $path_info; + #fastcgi_param HTTPS on; + + fastcgi_param modHeadersAvailable true; + fastcgi_param front_controller_active true; + fastcgi_pass php-handler; + + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + } + + location ~ \.(?:css|js|svg|gif)$ { + try_files $uri /index.php$request_uri; + expires 6M; + access_log off; + } + + location ~ \.woff2?$ { + try_files $uri /index.php$request_uri; + expires 7d; + access_log off; + } + + location /remote { + return 301 /remote.php$request_uri; + } + + location / { + try_files $uri $uri/ /index.php$request_uri; + } + } +} diff --git a/nextcloud/php-fpm-www.conf b/nextcloud/php-fpm-www.conf new file mode 100644 index 0000000..a081214 --- /dev/null +++ b/nextcloud/php-fpm-www.conf @@ -0,0 +1,7 @@ +user = www-data +group = www-data +pm = dynamic +pm.max_children = 281 +pm.start_servers = 140 +pm.min_spare_servers = 93 +pm.max_spare_servers = 187