From bb9f2ae3ce75b8495298c6925ee6b9ae61dd0185 Mon Sep 17 00:00:00 2001
From: Jan Novak
Date: Fri, 20 Feb 2026 02:13:55 +0100
Subject: [PATCH] docker-30: several new and forgotten config files relevant to services running in docker

---
 docker-30/lab-proxy/nginx.conf | 46 +++++++++++++++++++++++++++++++
 docker-30/lab-proxy/run.sh | 9 ++++++
 docker-30/maru-hleda-byt/run.sh | 9 ++++++
 docker-30/nginx/001-gitea.conf | 22 +++++++++++++++
 docker-30/nginx/002-jellyfin.conf | 35 +++++++++++++++++++++++
 docker-30/vault/vault-backup.sh | 4 +--
 6 files changed, 123 insertions(+), 2 deletions(-)
 create mode 100644 docker-30/lab-proxy/nginx.conf
 create mode 100644 docker-30/lab-proxy/run.sh
 create mode 100644 docker-30/maru-hleda-byt/run.sh
 create mode 100644 docker-30/nginx/001-gitea.conf
 create mode 100644 docker-30/nginx/002-jellyfin.conf

diff --git a/docker-30/lab-proxy/nginx.conf b/docker-30/lab-proxy/nginx.conf
new file mode 100644
index 0000000..7a4c7b2
--- /dev/null
+++ b/docker-30/lab-proxy/nginx.conf
@@ -0,0 +1,46 @@
+# nginx.conf
+
+error_log /dev/stderr;
+
+http {
+
+ server {
+ listen 9080;
+
+ location / {
+ proxy_pass http://192.168.0.35:80;
+ proxy_set_header Host $host;
+ }
+ }
+
+ log_format detailed '$remote_addr - [$time_local] '
+ '"$request_method $host$request_uri" '
+ '$status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent"';
+
+ access_log /dev/stdout detailed;
+}
+
+stream {
+ # Stream doesn't log by default, enable explicitly:
+ log_format stream_log '$remote_addr [$time_local] '
+ '$protocol $ssl_preread_server_name '
+ '$status $bytes_sent $bytes_received $session_time';
+
+ access_log /dev/stdout stream_log;
+
+ # Nginx ingress in kubernetes
+ server {
+ listen 9443;
+ proxy_pass 192.168.0.35:443;
+ }
+
+ # Gateway provided by cilium/envoy
+ server {
+ listen 9444;
+ proxy_pass 192.168.0.36:443;
+ }
+}
+
+
+events {}
\ No newline at end of file
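Review bot: The stream `log_format stream_log` references `$ssl_preread_server_name`, but neither stream server (`listen 9443;` / `listen 9444;`) enables `ssl_preread on;`, so that field is empty in every line the access_log writes and the per-hostname visibility the comment promises never materialises. Adding `ssl_preread on;` to both servers only parses the ClientHello and does not terminate TLS, so the pass-through to `192.168.0.35:443` and `192.168.0.36:443` is unchanged. The plain-HTTP server on 9080 forwards only `Host`; adding `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $scheme;`, as `001-gitea.conf` and `002-jellyfin.conf` in this same commit already do, lets the upstream log the real client address rather than the proxy's.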
diff --git a/docker-30/lab-proxy/run.sh b/docker-30/lab-proxy/run.sh
new file mode 100644
index 0000000..990203a
--- /dev/null
+++ b/docker-30/lab-proxy/run.sh
@@ -0,0 +1,9 @@
+docker rm -f lab-proxy || /usr/bin/true
+
+docker run -d --name lab-proxy \
+ --restart unless-stopped \
+ -v /srv/docker/lab-proxy/nginx.conf:/etc/nginx/nginx.conf:ro \
+ -p 9443:9443 \
+ -p 9444:9444 \
+ -p 9080:9080 \
+ nginx:alpine
\ No newline at end of file
diff --git a/docker-30/maru-hleda-byt/run.sh b/docker-30/maru-hleda-byt/run.sh
new file mode 100644
index 0000000..38f2234
--- /dev/null
+++ b/docker-30/maru-hleda-byt/run.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+docker rm -f maru-hleda-byt
+
+# gitea registry login with kacerr / token
+docker run -d --name maru-hleda-byt \
+ -p 8080:8080 \
+ -v /srv/maru-hleda-byt/data:/app/data \
+ gitea.home.hrajfrisbee.cz/littlemeat/maru-hleda-byt:0.01
\ No newline at end of file
diff --git a/docker-30/nginx/001-gitea.conf b/docker-30/nginx/001-gitea.conf
new file mode 100644
index 0000000..733d4ea
--- /dev/null
+++ b/docker-30/nginx/001-gitea.conf
@@ -0,0 +1,22 @@
+server {
+ listen 443 ssl http2;
+ server_name gitea.home.hrajfrisbee.cz;
+
+ ssl_certificate /etc/letsencrypt/live/gitea.home.hrajfrisbee.cz/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/gitea.home.hrajfrisbee.cz/privkey.pem;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+
+ location / {
+ proxy_pass http://192.168.0.30:3000;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ # Gitea Git over HTTP
+ client_max_body_size 512m;
+}
\ No newline at end of file
diff --git a/docker-30/nginx/002-jellyfin.conf b/docker-30/nginx/002-jellyfin.conf
new file mode 100644
index 0000000..f90b007
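Review bot: The script has no shebang and no error handling, unlike `docker-30/maru-hleda-byt/run.sh` in the same commit which begins with `#!/bin/bash`; add `#!/bin/bash` and `set -euo pipefail` as the first two lines so the `docker run` is not executed under whatever shell happens to invoke the file and a failed start is not silently ignored. `nginx:alpine` is a floating tag, so every re-run may pull a different image than the one last reviewed; pinning to a digest (`nginx:alpine@sha256:<DIGEST>`, placeholder) or at least a minor version keeps the edge proxy reproducible. The three `-p` publications match the three `listen` directives of the mounted nginx.conf and the bind mount is `:ro`, which is the right shape for a config-only container.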
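Review bot: The container is started without a restart policy, while `docker-30/lab-proxy/run.sh` in this commit uses `--restart unless-stopped`; without it the service stays down after a host reboot or daemon restart, so `--restart unless-stopped \` should probably be added to the `docker run` line unless that is intentional. The `docker rm -f maru-hleda-byt` line also lacks the `|| /usr/bin/true` guard the sibling script uses, which will abort the script on first run as soon as `set -e` is introduced. The comment `# gitea registry login with kacerr / token` reads as a prerequisite rather than a step; if the login is presumably done by hand beforehand, saying so explicitly, e.g. `# prerequisite: docker login gitea.home.hrajfrisbee.cz done out of band before running this script`, tells the next reader what to do. `-p 8080:8080` publishes on every interface; if this app is only meant to be reached through the nginx vhosts in `docker-30/nginx/`, `-p 127.0.0.1:8080:8080` would keep it off the LAN — I cannot tell from the hunk whether that is the intent.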
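Review bot: The server sets no response-hardening headers, whereas `002-jellyfin.conf` in the same commit adds `X-Frame-Options` and `X-Content-Type-Options`; for a TLS-only git host at least `add_header Strict-Transport-Security "max-age=31536000" always;` (one year, as an example value) and `add_header X-Content-Type-Options "nosniff" always;` belong here too, with `always` so they are also sent on error responses. The `ssl_certificate`, `ssl_certificate_key`, `ssl_protocols`, `ssl_ciphers` and `ssl_prefer_server_ciphers` lines are repeated verbatim in `002-jellyfin.conf`; moving them into a snippet pulled in with `include` would keep the two vhosts from drifting. On nginx 1.25.1 and later the `http2` parameter of `listen` is deprecated in favour of a separate `http2 on;` directive, so `listen 443 ssl http2;` may start emitting a warning depending on the image in use.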
--- /dev/null
+++ b/docker-30/nginx/002-jellyfin.conf
@@ -0,0 +1,35 @@
+server {
+ listen 443 ssl http2;
+ server_name jellyfin.home.hrajfrisbee.cz;
+
+ ssl_certificate /etc/letsencrypt/live/gitea.home.hrajfrisbee.cz/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/gitea.home.hrajfrisbee.cz/privkey.pem;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+
+
+ # Security headers for media streaming
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Content-Type-Options "nosniff";
+
+ # Increase body size for high-res movie posters
+ client_max_body_size 20M;
+
+ location / {
+ # Proxy to your Synology or VM IP and Jellyfin port (default 8096)
+ proxy_pass http://192.168.0.2:8096;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Protocol $scheme;
+ proxy_set_header X-Forwarded-Host $http_host;
+
+ # Disable buffering for smoother streaming
+ proxy_buffering off;
+ }
+}
diff --git a/docker-30/vault/vault-backup.sh b/docker-30/vault/vault-backup.sh
index 67286cd..3c10554 100644
--- a/docker-30/vault/vault-backup.sh
+++ b/docker-30/vault/vault-backup.sh
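Review bot: `server_name jellyfin.home.hrajfrisbee.cz` is served with the certificate from `/etc/letsencrypt/live/gitea.home.hrajfrisbee.cz/`; unless that certificate carries the jellyfin name as a SAN (or is a wildcard), every client gets a hostname mismatch, so this looks like a copy-paste leftover from `001-gitea.conf` and the two `ssl_certificate*` lines should point at the jellyfin certificate directory, or the certificate should be confirmed to cover both names. Jellyfin's web client relies on a websocket endpoint and its reverse-proxy guidance adds `proxy_http_version 1.1;`, `proxy_set_header Upgrade $http_upgrade;` and `proxy_set_header Connection "upgrade";` inside `location /`; without them the upgrade cannot pass through nginx — verify against the deployed Jellyfin version. `X-XSS-Protection` is a legacy header that current browsers ignore and that is no longer recommended, so it can be dropped, and the remaining `add_header` lines would benefit from the `always` parameter so they are also sent on error responses.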
@@ -29,10 +29,10 @@ log "Backup size: ${BACKUP_SIZE} bytes" # --- Upload to MinIO --- log "Uploading to ${MC_ALIAS}/${S3_BUCKET}..." set -x -mc cp --quiet "${BACKUP_FILE}" "${MC_ALIAS}/${S3_BUCKET}/vault-backup-${TIMESTAMP}.tar.gz" +minio-cli cp --quiet "${BACKUP_FILE}" "${MC_ALIAS}/${S3_BUCKET}/vault-backup-${TIMESTAMP}.tar.gz" # --- Prune old backups --- log "Pruning backups older than ${RETENTION_DAYS} days..." -mc rm --quiet --recursive --force --older-than "${RETENTION_DAYS}d" "${MC_ALIAS}/${S3_BUCKET}/" +minio-cli rm --quiet --recursive --force --older-than "${RETENTION_DAYS}d" "${MC_ALIAS}/${S3_BUCKET}/" log "Backup complete: vault-backup-${TIMESTAMP}.tar.gz" \ No newline at end of file
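Review bot: Both replaced lines now invoke `minio-cli`, but nothing in the script checks that the renamed binary is on PATH; if the file does not run under `set -e` (its preamble is outside the hunk), a `command not found` on the upload line would be followed by the unconditional `log "Backup complete: ..."` and the caller would believe the backup succeeded. A guard such as `command -v minio-cli >/dev/null 2>&1 || { log "minio-cli not found"; exit 1; }` before the upload, or an `|| exit 1` on the `cp` line, closes that gap. Because `set -x` is already on at this point, the full command line including the destination path is traced to stderr; that is harmless for a bucket path but worth keeping in mind if credentials are ever passed as arguments rather than via the alias.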