jketreno/ketr.services
1
0
Fork 0
Code Issues Activity

Deployed services seem to be working

Browse Source 
Signed-off-by: James Ketrenos <james_git@ketrenos.com>
This commit is contained in:
James Ketr 2024-04-24 13:51:35 -07:00
parent c30d731bd0
commit 47eb000b2b
7 changed files with 177 additions and 68 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
README.md
View File

@ -1,5 +1,19 @@
# ketreweb containers
The cron job to update certificates isn't quite working yet.
To update certificates:
```bash
docker exec -it ketrenet-cron /bin/bash
/usr/bin/certbot renew --no-self-upgrade --webroot -w /var/www/ketrenos.com
/usr/bin/scp -q -i /keys/opnsense-letsencrypt /etc/letsencrypt/live/ketrenos.com/{fullchain,privkey}.pem letsencrypt@opnsense.ketrenos.com:.
/usr/bin/ssh -i /keys/opnsense-letsencrypt letsencrypt@opnsense.ketrenos.com sudo ./update-cert.sh fullchain.pem privkey.pem
```
After that completes (without errors) outside the container use `./sync-certs` to push
the updated certificates to all the service containers and servers.
## ketreweb
nginx and apache2

14
cron/etc/letsencrypt/options-ssl-apache.conf
View File

@ -7,20 +7,12 @@
SSLEngine on
# Intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLOptions +StrictRequire
# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log
# Always ensure Cookies have "Secure" set (JAH 2012/1)
#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"

108
docker-compose.yml
View File

@ -9,17 +9,17 @@ services:
dockerfile: Dockerfile.web
restart: always
volumes:
- ./web/etc/nginx/sites-enabled:/etc/nginx/sites-enabled:ro
- ./web/etc/nginx/sites-available:/etc/nginx/sites-available:ro
- ./web/etc/apache2/envvars:/etc/apache2/envvars:ro
- ./web/etc/apache2/ports.conf:/etc/apache2/ports.conf:ro
- ./web/etc/apache2/sites-enabled:/etc/apache2/sites-enabled:ro
- ./web/etc/apache2/sites-available:/etc/apache2/sites-available:ro
- ./keys/cron/etc/letsencrypt/live:/etc/letsencrypt/live:ro
- ./keys/cron/etc/letsencrypt/archive:/etc/letsencrypt/archive:ro
- ./web/entrypoint.sh:/entrypoint.sh:ro
- ./data/log:/var/log:rw
- ./www:/var/www:ro
- /home/jketreno/docker/webserver/web/etc/nginx/sites-enabled:/etc/nginx/sites-enabled:ro
- /home/jketreno/docker/webserver/web/etc/nginx/sites-available:/etc/nginx/sites-available:ro
- /home/jketreno/docker/webserver/web/etc/apache2/envvars:/etc/apache2/envvars:ro
- /home/jketreno/docker/webserver/web/etc/apache2/ports.conf:/etc/apache2/ports.conf:ro
- /home/jketreno/docker/webserver/web/etc/apache2/sites-enabled:/etc/apache2/sites-enabled:ro
- /home/jketreno/docker/webserver/web/etc/apache2/sites-available:/etc/apache2/sites-available:ro
- /home/jketreno/docker/webserver/keys/cron/etc/letsencrypt/live:/etc/letsencrypt/live:ro
- /home/jketreno/docker/webserver/keys/cron/etc/letsencrypt/archive:/etc/letsencrypt/archive:ro
- /home/jketreno/docker/webserver/web/entrypoint.sh:/entrypoint.sh:ro
- /home/jketreno/docker/webserver/data/log:/var/log:rw
- /home/jketreno/docker/webserver/www:/var/www:ro
ports:
- 80:80
- 443:443
@ -38,33 +38,34 @@ services:
- 465:465 # postfix smtps
- 587:587 # postfix submission
volumes:
- ./keys/cron/etc/letsencrypt/live:/etc/letsencrypt/live:ro
- ./keys/cron/etc/letsencrypt/archive:/etc/letsencrypt/archive:ro
- ./mail/etc/mailname:/etc/mailname:ro
- ./mail/etc/aliases.db:/etc/aliases.db:rw
- ./mail/etc/aliases:/etc/aliases:rw
- ./mail/etc/dovecot:/etc/dovecot:ro
- ./mail/etc/amavis:/etc/amavis:ro
- ./mail/etc/clamav:/etc/clamav:ro
- ./mail/etc/hostname:/etc/hostname:ro
- ./mail/etc/opendkim.conf:/etc/opendkim.conf:ro
- ./mail/etc/opendkim:/etc/opendkim:ro
- ./mail/etc/postfix:/etc/postfix:rw
- ./mail/etc/milter-greylist:/etc/milter-greylist:ro
- ./mail/entrypoint.sh:/entrypoint.sh:ro
- ./data/log:/var/log:rw
- ./data/mail/var/mail:/var/mail:rw
- ./data/mail/var/spool/mail:/var/spool/mail:rw
- /home/jketreno/docker/webserver/keys/cron/etc/letsencrypt/live:/etc/letsencrypt/live:ro
- /home/jketreno/docker/webserver/keys/cron/etc/letsencrypt/archive:/etc/letsencrypt/archive:ro
- /home/jketreno/docker/webserver/mail/etc/mailname:/etc/mailname:ro
- /home/jketreno/docker/webserver/mail/etc/aliases.db:/etc/aliases.db:rw
- /home/jketreno/docker/webserver/mail/etc/aliases:/etc/aliases:rw
- /home/jketreno/docker/webserver/mail/etc/dovecot:/etc/dovecot:ro
- /home/jketreno/docker/webserver/mail/etc/amavis:/etc/amavis:ro
- /home/jketreno/docker/webserver/mail/etc/clamav:/etc/clamav:ro
- /home/jketreno/docker/webserver/mail/etc/hostname:/etc/hostname:ro
- /home/jketreno/docker/webserver/mail/etc/opendkim.conf:/etc/opendkim.conf:ro
- /home/jketreno/docker/webserver/mail/etc/opendkim:/etc/opendkim:ro
- /home/jketreno/docker/webserver/mail/etc/postfix:/etc/postfix:rw
- /home/jketreno/docker/webserver/mail/etc/milter-greylist:/etc/milter-greylist:ro
- /home/jketreno/docker/webserver/mail/entrypoint.sh:/entrypoint.sh:ro
- /home/jketreno/docker/webserver/data/log:/var/log:rw
- /home/jketreno/docker/webserver/data/mail/var/mail:/var/mail:rw
- /home/jketreno/docker/webserver/data/mail/var/spool/mail:/var/spool/mail:rw
- /home/jketreno/docker/webserver/data/mail/var/lib/milter-greylist:/var/lib/milter-greylist:rw
- /home:/home:rw
- ./www:/var/www:ro
- ./data/mail/var/lib/clamav:/var/lib/clamav:rw
- ./mail/etc/rsyslog.conf:/etc/rsyslog.conf:ro
- ./mail/etc/default/milter-greylist:/etc/default/milter-greylist:ro
- /home/jketreno/docker/webserver/www:/var/www:ro
- /home/jketreno/docker/webserver/data/mail/var/lib/clamav:/var/lib/clamav:rw
- /home/jketreno/docker/webserver/mail/etc/rsyslog.conf:/etc/rsyslog.conf:ro
- /home/jketreno/docker/webserver/mail/etc/default/milter-greylist:/etc/default/milter-greylist:ro
# Keys
- ./keys/mail/etc/dkimkeys:/etc/dkimkeys:ro
- ./keys/mail/etc/spamassassin/sa-update-keys/:/etc/spamassassin/sa-update-keys:rw
- ./keys/mail/etc/dovecot/private:/etc/dovecot-private:ro
- ./keys/mail/etc/opendkim:/etc/opendkim-private:rw
- /home/jketreno/docker/webserver/keys/mail/etc/dkimkeys:/etc/dkimkeys:ro
- /home/jketreno/docker/webserver/keys/mail/etc/spamassassin/sa-update-keys/:/etc/spamassassin/sa-update-keys:rw
- /home/jketreno/docker/webserver/keys/mail/etc/dovecot/private:/etc/dovecot-private:ro
- /home/jketreno/docker/webserver/keys/mail/etc/opendkim:/etc/opendkim-private:rw
# Authentication of dovecot users via pam
#
@ -89,9 +90,9 @@ services:
ports:
- 8124:80
volumes:
- ./roundcube/var/roundcube:/var/roundcube/config:ro
- ./data/roundcube/db:/var/roundcube/db:rw
- ./data/roundcube/html:/var/www/html:rw
- /home/jketreno/docker/webserver/roundcube/var/roundcube:/var/roundcube/config:ro
- /home/jketreno/docker/webserver/data/roundcube/db:/var/roundcube/db:rw
- /home/jketreno/docker/webserver/data/roundcube/html:/var/www/html:rw
ketrenet-cron:
image: ketrenet-cron
@ -101,16 +102,17 @@ services:
dockerfile: Dockerfile.cron
restart: always
volumes:
- ./cron/etc/letsencrypt:/etc/letsencrypt:rw
- ./keys/cron/etc/letsencrypt/live:/etc/letsencrypt/live:rw
- ./keys/cron/etc/letsencrypt/archive:/etc/letsencrypt/archive:rw
- ./cron/etc/cron.d:/etc/cron.d:ro
- ./data/log:/var/log:rw
- ./keys/letsencrypt/:/keys:ro
- ./www:/var/www:rw
- ./cron/entrypoint.sh:/entrypoint.sh:ro
- /home/jketreno/docker/webserver/cron/etc/letsencrypt:/etc/letsencrypt:rw
- /home/jketreno/docker/webserver/keys/cron/etc/letsencrypt/live:/etc/letsencrypt/live:rw
- /home/jketreno/docker/webserver/keys/cron/etc/letsencrypt/archive:/etc/letsencrypt/archive:rw
- /home/jketreno/docker/webserver/cron/etc/cron.d:/etc/cron.d:ro
- /home/jketreno/docker/webserver/data/log:/var/log:rw
- /home/jketreno/docker/webserver/keys/letsencrypt/:/keys:ro
- /home/jketreno/docker/webserver/www:/var/www:rw
- /home/jketreno/docker/webserver/cron/entrypoint.sh:/entrypoint.sh:ro
ketrenet-dns:
profiles: [ "dev" ]
image: ketrenet-dns
container_name: ketrenet-dns
hostname: dns
@ -124,9 +126,9 @@ services:
- 67:67/udp # dhcp
- 68:68/udp # dhcp
volumes:
- ./keys/dns/ddns.key:/etc/ddns.key:ro
- ./dns/etc/dhcp:/etc/dhcp:ro
- ./dns/etc/bind:/etc/bind:ro
- ./dns/entrypoint.sh:/entrypoint.sh:ro
- ./data/log:/var/log:rw
- ./data/dns/var/lib/:/var/lib:rw
- /home/jketreno/docker/webserver/keys/dns/ddns.key:/etc/ddns.key:ro
- /home/jketreno/docker/webserver/dns/etc/dhcp:/etc/dhcp:ro
- /home/jketreno/docker/webserver/dns/etc/bind:/etc/bind:ro
- /home/jketreno/docker/webserver/dns/entrypoint.sh:/entrypoint.sh:ro
- /home/jketreno/docker/webserver/data/log:/var/log:rw
- /home/jketreno/docker/webserver/data/dns/var/lib/:/var/lib:rw

6
mail/entrypoint.sh
View File

@ -9,7 +9,11 @@ usermod -a -G opendkim postfix
chmod g+rx /var/lib/amavis/tmp
# directory is not being created by /etc/init.d/opendkim
mkdir /var/spool/postfix/{opendkim,milter-greylist}
for dir in opendkim ilter-greylist; do
if [[ ! -d "/var/spool/${dir}" ]]; then
mkdir -p "/var/spool/postfix/${dir}"
fi
done
chown opendkim:opendkim /var/spool/postfix/opendkim
# opendkim needs to read its private data

37
sync-cert Executable file
View File

@ -0,0 +1,37 @@
#!/bin/bash
#
# Update /home/jketreno/letsencrypt
#
/usr/bin/rsync -aprl --delete /home/jketreno/docker/webserver/cron/etc/letsencrypt/ /home/jketreno/letsencrypt/
mapfile -t paths < <(find /home/jketreno/docker/webserver/keys/cron/etc/letsencrypt -maxdepth 1 -type d | tail -n +2)
for path in "${paths[@]}"; do
dir=$(basename "${path}")
/usr/bin/rsync -aprl "${path}/" "/home/jketreno/letsencrypt/${dir}/"
done
#
# Change ownership so files can be read
#
chown -R jketreno: /home/jketreno/letsencrypt
#
# Update cert on media.ketrenos.com
#
/usr/bin/rsync -e "/usr/bin/ssh -i /home/jketreno/.ssh/media" -aprl --delete /home/jketreno/letsencrypt/ root@media.ketrenos.com:/etc/letsencrypt/
/usr/bin/ssh -i /home/jketreno/.ssh/media root@media.ketrenos.com "chown -R root:root /etc/letsencrypt"
/usr/bin/ssh -i /home/jketreno/.ssh/media root@media.ketrenos.com "systemctl restart nginx"
#
# Update mail VM
#
echo "update mail /etc/letsencrypt"
/usr/bin/rsync -e "/usr/bin/ssh -i /home/jketreno/.ssh/email" -aprl --delete /home/jketreno/letsencrypt/ root@email.ketrenos.com:/etc/letsencrypt/
/usr/bin/ssh -i /home/jketreno/.ssh/email root@email.ketrenos.com "chown -R root:root /etc/letsencrypt"
/usr/bin/ssh -i /home/jketreno/.ssh/email root@email.ketrenos.com "/usr/sbin/service postfix restart ; /usr/bin/doveadm reload"
#
# Update cert on opnsense.ketrenos.com
#
/usr/bin/scp -q -i keys/letsencrypt/opnsense-letsencrypt /home/jketreno/letsencrypt/live/ketrenos.com/{fullchain,privkey}.pem letsencrypt@opnsense.ketrenos.com:.
/usr/bin/ssh -i keys/letsencrypt/opnsense-letsencrypt letsencrypt@opnsense.ketrenos.com sudo ./update-cert.sh fullchain.pem privkey.pem

7
web/entrypoint.sh
View File

@ -22,6 +22,9 @@ done &
#
# Watch for letsencrypt changes and if they occur, restart nginx and apache2
#
while inotifywait -e modify /etc/letsencrypt/archive; do
kill -9 "$(cat /var/run/nginx.pid)" "$(cat /var/run/apache2.pid)"
while inotifywait -r -e modify /etc/letsencrypt/archive; do
killall nginx
rm -f /var/run/nginx.pid
killall apache2
rm -f /var/run/apache2/apache2.pid
done

57
web/etc/nginx/sites-available/default
View File

@ -495,6 +495,39 @@ server {
}
}
server {
server_name files.ketrenos.com;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem;
location ~* ^(/.well-known) {
root /var/www/ketrenos.com;
}
}
server {
server_name email.ketrenos.com;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem;
location ~* ^(/.well-known) {
root /var/www/ketrenos.com;
}
}
server {
server_name smtp.ketrenos.com;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem;
location ~* ^(/.well-known) {
root /var/www/ketrenos.com;
}
}
server {
server_name mail.ketrenos.com;
listen 443 ssl;
@ -637,6 +670,30 @@ server {
}
}
server {
server_name nutshellforestfarm.ketrenos.com;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem;
location ~* ^(/.well-known) {
root /var/www/ketrenos.com;
}
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_pass_header Set-Cookie;
proxy_pass_header P3P;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://192.168.1.78:8932;
}
}
server {
server_name opnsense.ketrenos.com;