services: migrate to linuxerserver-letsencrypt

This commit is contained in:
Bruno BELANYI 2020-04-11 19:01:50 +02:00
parent 8a22864b83
commit e24dfd031c
15 changed files with 496 additions and 114 deletions

9
.gitignore vendored

@ -18,3 +18,12 @@
/emby /emby
embystat embystat
/airsonic /airsonic
/letsencrypt/*
!/letsencrypt/nginx/
/letsencrypt/nginx/*
!/letsencrypt/nginx/proxy-confs/
/letsencrypt/nginx/proxy-confs/*.sample
/letsencrypt/nginx/proxy-confs/README.md


@ -1,69 +1,48 @@
version: "2" version: "2"
services: services:
letsencrypt:
proxy: image: linuxserver/letsencrypt
image: jwilder/nginx-proxy
container_name: proxy
restart: unless-stopped
labels:
com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
volumes:
- /var/run/docker.sock:/tmp/docker.sock:ro
- certs:/etc/nginx/certs:rw
- vhost.d:/etc/nginx/vhost.d
- html:/usr/share/nginx/html
- ./uploadsize.conf:/etc/nginx/conf.d/uploadsize.conf:ro
ports:
- "80:80"
- "443:443"
networks:
- "default"
- "proxy-tier"
proxy-letsencrypt:
image: jrcs/letsencrypt-nginx-proxy-companion
container_name: letsencrypt container_name: letsencrypt
restart: unless-stopped restart: unless-stopped
cap_add:
- NET_ADMIN
environment: environment:
- NGINX_PROXY_CONTAINER=proxy - PUID=1000
- PGID=1000
- TZ=Europe/Paris
- URL=belanyi.fr
- SUBDOMAINS=wildcard
- VALIDATION=dns
- DNSPLUGIN=gandi #optional
- EMAIL=brunobelanyi@gmail.com #optional
- DHLEVEL=2048 #optional
- ONLY_SUBDOMAINS=false #optional
- EXTRA_DOMAINS= #optional
- STAGING=false #optional
volumes: volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro - ./letsencrypt:/config
volumes_from: ports:
- "proxy" - 443:443
depends_on: - 80:80 #optional
- "proxy"
networks:
- "default"
- "proxy-tier"
freshrss: freshrss:
image: linuxserver/freshrss image: linuxserver/freshrss
container_name: freshrss container_name: freshrss
restart: unless-stopped restart: unless-stopped
environment: environment:
- VIRTUAL_HOST=feed.belanyi.fr
- LETSENCRYPT_HOST=feed.belanyi.fr
- LETSENCRYPT_EMAIL=brunobelanyi@gmail.com
- PGID=1001 - PGID=1001
- PUID=1000 - PUID=1000
volumes: volumes:
- ./freshrss:/config - ./freshrss:/config
ports: ports:
- "667:80" - "667:80"
networks:
- "proxy-tier"
- "default"
calibre: calibre:
image: linuxserver/calibre image: linuxserver/calibre
container_name: calibre container_name: calibre
restart: unless-stopped restart: unless-stopped
environment: environment:
- VIRTUAL_HOST=calibre.belanyi.fr
- LETSENCRYPT_HOST=calibre.belanyi.fr
- LETSENCRYPT_EMAIL=brunobelanyi@gmail.com
- VIRTUAL_PORT=8080
- PUID=1000 - PUID=1000
- PGID=1000 - PGID=1000
- TZ=Europe/Paris - TZ=Europe/Paris
@ -75,18 +54,12 @@ services:
ports: ports:
- "8080:8080" - "8080:8080"
#- "8081:8081" #- "8081:8081"
networks:
- "default"
- "proxy-tier"
calibre-web: calibre-web:
image: linuxserver/calibre-web image: linuxserver/calibre-web
container_name: calibre-web container_name: calibre-web
restart: unless-stopped restart: unless-stopped
environment: environment:
- VIRTUAL_HOST=library.belanyi.fr
- LETSENCRYPT_HOST=library.belanyi.fr
- LETSENCRYPT_EMAIL=brunobelanyi@gmail.com
- PUID=1000 - PUID=1000
- PGID=1000 - PGID=1000
- TZ=Europe/Paris - TZ=Europe/Paris
@ -96,19 +69,12 @@ services:
- ./library:/books - ./library:/books
ports: ports:
- "8083:8083" - "8083:8083"
networks:
- "default"
- "proxy-tier"
pyload: pyload:
image: linuxserver/pyload image: linuxserver/pyload
container_name: pyload container_name: pyload
restart: unless-stopped restart: unless-stopped
environment: environment:
- VIRTUAL_HOST=pyload.belanyi.fr
- LETSENCRYPT_HOST=pyload.belanyi.fr
- LETSENCRYPT_EMAIL=brunobelanyi@gmail.com
- VIRTUAL_PORT=8000
- TZ=Europe/Paris - TZ=Europe/Paris
- PUID=1000 - PUID=1000
- PGID=1000 - PGID=1000
@ -118,19 +84,12 @@ services:
ports: ports:
- 8000:8000 - 8000:8000
- 7227:7227 #optional - 7227:7227 #optional
networks:
- "default"
- "proxy-tier"
transmission: transmission:
image: linuxserver/transmission image: linuxserver/transmission
container_name: transmission container_name: transmission
restart: unless-stopped restart: unless-stopped
environment: environment:
- VIRTUAL_HOST=transmission.belanyi.fr
- LETSENCRYPT_HOST=transmission.belanyi.fr
- LETSENCRYPT_EMAIL=brunobelanyi@gmail.com
- VIRTUAL_PORT=9091
- PUID=1000 - PUID=1000
- PGID=1000 - PGID=1000
- TZ=Europe/Paris - TZ=Europe/Paris
@ -146,18 +105,12 @@ services:
- 9091:9091 - 9091:9091
- 51413:51413 - 51413:51413
- 51413:51413/udp - 51413:51413/udp
networks:
- "default"
- "proxy-tier"
jackett: jackett:
image: linuxserver/jackett image: linuxserver/jackett
container_name: jackett container_name: jackett
restart: unless-stopped restart: unless-stopped
environment: environment:
- VIRTUAL_HOST=jackett.belanyi.fr
- LETSENCRYPT_HOST=jackett.belanyi.fr
- LETSENCRYPT_EMAIL=brunobelanyi@gmail.com
- PUID=1000 - PUID=1000
- PGID=1000 - PGID=1000
- TZ=Europe/Paris - TZ=Europe/Paris
@ -166,18 +119,12 @@ services:
- ~/downloads/blackhole:/downloads - ~/downloads/blackhole:/downloads
ports: ports:
- 9117:9117 - 9117:9117
networks:
- "default"
- "proxy-tier"
sonarr: sonarr:
image: linuxserver/sonarr image: linuxserver/sonarr
container_name: sonarr container_name: sonarr
restart: unless-stopped restart: unless-stopped
environment: environment:
- VIRTUAL_HOST=sonarr.belanyi.fr
- LETSENCRYPT_HOST=sonarr.belanyi.fr
- LETSENCRYPT_EMAIL=brunobelanyi@gmail.com
- PUID=1000 - PUID=1000
- PGID=1000 - PGID=1000
- TZ=Europe/Paris - TZ=Europe/Paris
@ -188,18 +135,12 @@ services:
- ~/downloads:/downloads - ~/downloads:/downloads
ports: ports:
- 8989:8989 - 8989:8989
networks:
- "default"
- "proxy-tier"
radarr: radarr:
image: linuxserver/radarr image: linuxserver/radarr
container_name: radarr container_name: radarr
restart: unless-stopped restart: unless-stopped
environment: environment:
- VIRTUAL_HOST=radarr.belanyi.fr
- LETSENCRYPT_HOST=radarr.belanyi.fr
- LETSENCRYPT_EMAIL=brunobelanyi@gmail.com
- PUID=1000 - PUID=1000
- PGID=1000 - PGID=1000
- TZ=Europe/Paris - TZ=Europe/Paris
@ -210,18 +151,12 @@ services:
- ~/downloads:/downloads - ~/downloads:/downloads
ports: ports:
- 7878:7878 - 7878:7878
networks:
- "default"
- "proxy-tier"
bazarr: bazarr:
image: linuxserver/bazarr image: linuxserver/bazarr
container_name: bazarr container_name: bazarr
restart: unless-stopped restart: unless-stopped
environment: environment:
- VIRTUAL_HOST=bazarr.belanyi.fr
- LETSENCRYPT_HOST=bazarr.belanyi.fr
- LETSENCRYPT_EMAIL=brunobelanyi@gmail.com
- PUID=1000 - PUID=1000
- PGID=1000 - PGID=1000
- TZ=Europe/Paris - TZ=Europe/Paris
@ -232,18 +167,12 @@ services:
- ~/videos/shows:/tv - ~/videos/shows:/tv
ports: ports:
- 6767:6767 - 6767:6767
networks:
- "default"
- "proxy-tier"
lidarr: lidarr:
image: linuxserver/lidarr image: linuxserver/lidarr
container_name: lidarr container_name: lidarr
restart: unless-stopped restart: unless-stopped
environment: environment:
- VIRTUAL_HOST=lidarr.belanyi.fr
- LETSENCRYPT_HOST=lidarr.belanyi.fr
- LETSENCRYPT_EMAIL=brunobelanyi@gmail.com
- PUID=1000 - PUID=1000
- PGID=1000 - PGID=1000
- TZ=Europe/Paris - TZ=Europe/Paris
@ -254,19 +183,12 @@ services:
- ~/downloads:/downloads - ~/downloads:/downloads
ports: ports:
- 8686:8686 - 8686:8686
networks:
- "default"
- "proxy-tier"
quassel-core: quassel-core:
image: linuxserver/quassel-core image: linuxserver/quassel-core
container_name: quassel-core container_name: quassel-core
restart: unless-stopped restart: unless-stopped
environment: environment:
- VIRTUAL_HOST=quassel.belanyi.fr
- LETSENCRYPT_HOST=quassel.belanyi.fr
- LETSENCRYPT_EMAIL=brunobelanyi@gmail.com
- VIRTUAL_PORT=4242
- PUID=1000 - PUID=1000
- PGID=1000 - PGID=1000
- TZ=Europe/Paris - TZ=Europe/Paris
@ -284,10 +206,6 @@ services:
container_name: emby container_name: emby
restart: unless-stopped restart: unless-stopped
environment: environment:
- VIRTUAL_HOST=emby.belanyi.fr
- LETSENCRYPT_HOST=emby.belanyi.fr
- LETSENCRYPT_EMAIL=brunobelanyi@gmail.com
- VIRTUAL_PORT=8096
- PUID=1000 - PUID=1000
- PGID=1000 - PGID=1000
- TZ=Europe/Paris - TZ=Europe/Paris
@ -305,9 +223,6 @@ services:
container_name: airsonic container_name: airsonic
restart: unless-stopped restart: unless-stopped
environment: environment:
- VIRTUAL_HOST=airsonic.belanyi.fr
- LETSENCRYPT_HOST=airsonic.belanyi.fr
- LETSENCRYPT_EMAIL=brunobelanyi@gmail.com
- PUID=1000 - PUID=1000
- PGID=1000 - PGID=1000
- TZ=Europe/Paris - TZ=Europe/Paris
@ -319,11 +234,3 @@ services:
- ~/playlists:/playlists - ~/playlists:/playlists
ports: ports:
- 4040:4040 - 4040:4040
volumes:
certs:
vhost.d:
html:
networks:
proxy-tier:
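Review bot: Every proxied service still publishes its plaintext port on the host (`- "667:80"` for freshrss, `- "8083:8083"` for calibre-web, `- 8000:8000` for pyload, `- 9091:9091` for transmission, and likewise in the later hunks), so the new TLS-terminating letsencrypt container can be bypassed by connecting to those ports directly. Now that the proxy reaches each container by name on the compose default network (the added proxy-confs use `set $upstream_app <name>;` with the Docker resolver), those `ports:` entries can be dropped, or bound to loopback where local access is still wanted, e.g. `- "127.0.0.1:667:80"`. Separately, the letsencrypt service's new `- 443:443` and `- 80:80` drop the quotes that the removed proxy service used and that freshrss and calibre keep; quoting port mappings consistently (`- "443:443"`) avoids the YAML 1.1 sexagesimal trap on low-numbered ports. Whether any service follows the airsonic stanza after the last hunk is not visible here.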


@ -0,0 +1,33 @@
# make sure that your dns has a cname set for airsonic and that your airsonic container is not using a base url
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name airsonic.*;
include /config/nginx/ssl.conf;
client_max_body_size 0;
# enable for ldap auth, fill in ldap details in ldap.conf
#include /config/nginx/ldap.conf;
location / {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable the next two lines for ldap auth
#auth_request /auth;
#error_page 401 =200 /login;
include /config/nginx/proxy.conf;
resolver 127.0.0.11 valid=30s;
set $upstream_app airsonic;
set $upstream_port 4040;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
}
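Review bot: Every added proxy-conf is enabled with the `#auth_basic` / `#auth_request` lines left commented out, and the `server_name airsonic.*;` wildcard makes each vhost reachable from the public internet through the new wildcard certificate, so each backend is protected only by whatever login it enforces itself; the same applies to the bazarr, library, calibre, emby, feed, jackett, lidarr, pyload, radarr, sonarr and transmission confs that follow. Before deploying, confirm that each application has its own authentication turned on (several of these apps ship without a password), or uncomment `auth_basic "Restricted";` and `auth_basic_user_file /config/nginx/.htpasswd;` for the ones that do not. Note also that `client_max_body_size 0;` removes the request-body limit entirely, whereas the uploadsize.conf deleted in the last section of this commit capped it at `1g`; a bounded value such as `client_max_body_size 1g;` is the safer default for an internet-facing vhost.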


@ -0,0 +1,33 @@
# make sure that your dns has a cname set for bazarr and that your bazarr container is not using a base url
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name bazarr.*;
include /config/nginx/ssl.conf;
client_max_body_size 0;
# enable for ldap auth, fill in ldap details in ldap.conf
#include /config/nginx/ldap.conf;
location / {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable the next two lines for ldap auth
#auth_request /auth;
#error_page 401 =200 /login;
include /config/nginx/proxy.conf;
resolver 127.0.0.11 valid=30s;
set $upstream_app bazarr;
set $upstream_port 6767;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
}


@ -0,0 +1,35 @@
# make sure that your dns has a cname set for calibre-web
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name library.*;
include /config/nginx/ssl.conf;
client_max_body_size 0;
# enable for ldap auth, fill in ldap details in ldap.conf
#include /config/nginx/ldap.conf;
location / {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable the next two lines for ldap auth, also customize and enable ldap.conf in the default conf
#auth_request /auth;
#error_page 401 =200 /login;
include /config/nginx/proxy.conf;
resolver 127.0.0.11 valid=30s;
set $upstream_app calibre-web;
set $upstream_port 8083;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
proxy_set_header Host $http_host;
proxy_set_header X-Scheme $scheme;
}
}


@ -0,0 +1,35 @@
# make sure that your dns has a cname set for calibre
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name calibre.*;
include /config/nginx/ssl.conf;
client_max_body_size 0;
# enable for ldap auth, fill in ldap details in ldap.conf
#include /config/nginx/ldap.conf;
location / {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable the next two lines for ldap auth
#auth_request /auth;
#error_page 401 =200 /login;
resolver 127.0.0.11 valid=30s;
set $upstream_app calibre;
set $upstream_port 8080;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
proxy_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
}
}
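Review bot: This conf is the only one of the added proxy-confs whose `location /` block has no `include /config/nginx/proxy.conf;`, so whatever headers that shared file sets for the other backends are not applied here; only the `Upgrade` and `Connection` headers set explicitly below reach the calibre container. If this is deliberate (it may mirror the upstream sample), a one-line comment such as `# proxy.conf intentionally omitted; websocket headers are set explicitly below` would stop the next reader from "fixing" it; otherwise add the include before the `resolver` line as the other confs do.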


@ -0,0 +1,32 @@
# make sure that your dns has a cname set for emby and that your emby container is not using a base url
# if emby is running in bridge mode and the container is named "emby", the below config should work as is
# if not, replace the line "set $upstream_app emby;" with "set $upstream_app <containername>;"
# or "set $upstream_app <HOSTIP>;" for host mode, HOSTIP being the IP address of emby
# in emby settings, under "Advanced" change the public https port to 443, leave the local ports as is, set the "external domain" to your url,
# and set the "Secure connection mode" to "Handled by reverse proxy"
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name emby.*;
include /config/nginx/ssl.conf;
client_max_body_size 0;
location / {
include /config/nginx/proxy.conf;
resolver 127.0.0.11 valid=30s;
set $upstream_app emby;
set $upstream_port 8096;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
proxy_set_header Range $http_range;
proxy_set_header If-Range $http_if_range;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
}
}


@ -0,0 +1,40 @@
# make sure that your dns has a cname set for freshrss
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name feed.*;
include /config/nginx/ssl.conf;
client_max_body_size 0;
# enable for ldap auth, fill in ldap details in ldap.conf
#include /config/nginx/ldap.conf;
location / {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable the next two lines for ldap auth
#auth_request /auth;
#error_page 401 =200 /login;
include /config/nginx/proxy.conf;
resolver 127.0.0.11 valid=30s;
set $upstream_app freshrss;
set $upstream_port 80;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_cookie_path / "/; HTTPOnly; Secure";
proxy_set_header Authorization $http_authorization;
proxy_pass_header Authorization;
}
}


@ -0,0 +1,53 @@
# make sure that your dns has a cname set for jackett and that your jackett container is not using a base url
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name jackett.*;
include /config/nginx/ssl.conf;
client_max_body_size 0;
# enable for ldap auth, fill in ldap details in ldap.conf
#include /config/nginx/ldap.conf;
location / {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable the next two lines for ldap auth
#auth_request /auth;
#error_page 401 =200 /login;
include /config/nginx/proxy.conf;
resolver 127.0.0.11 valid=30s;
set $upstream_app jackett;
set $upstream_port 9117;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
location ~ (/jackett)?/api {
include /config/nginx/proxy.conf;
resolver 127.0.0.11 valid=30s;
set $upstream_app jackett;
set $upstream_port 9117;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
location ~ (/jackett)?/dl {
include /config/nginx/proxy.conf;
resolver 127.0.0.11 valid=30s;
set $upstream_app jackett;
set $upstream_port 9117;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
}


@ -0,0 +1,43 @@
# make sure that your dns has a cname set for lidarr and that your lidarr container is not using a base url
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name lidarr.*;
include /config/nginx/ssl.conf;
client_max_body_size 0;
# enable for ldap auth, fill in ldap details in ldap.conf
#include /config/nginx/ldap.conf;
location / {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable the next two lines for ldap auth
#auth_request /auth;
#error_page 401 =200 /login;
include /config/nginx/proxy.conf;
resolver 127.0.0.11 valid=30s;
set $upstream_app lidarr;
set $upstream_port 8686;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
location ~ (/lidarr)?/api {
include /config/nginx/proxy.conf;
resolver 127.0.0.11 valid=30s;
set $upstream_app lidarr;
set $upstream_port 8686;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
}


@ -0,0 +1,33 @@
# make sure that your dns has a cname set for pyload and that your pyload container is not using a base url
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name pyload.*;
include /config/nginx/ssl.conf;
client_max_body_size 0;
# enable for ldap auth, fill in ldap details in ldap.conf
#include /config/nginx/ldap.conf;
location / {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable the next two lines for ldap auth
#auth_request /auth;
#error_page 401 =200 /login;
include /config/nginx/proxy.conf;
resolver 127.0.0.11 valid=30s;
set $upstream_app pyload;
set $upstream_port 8000;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
}


@ -0,0 +1,43 @@
# make sure that your dns has a cname set for radarr and that your radarr container is not using a base url
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name radarr.*;
include /config/nginx/ssl.conf;
client_max_body_size 0;
# enable for ldap auth, fill in ldap details in ldap.conf
#include /config/nginx/ldap.conf;
location / {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable the next two lines for ldap auth
#auth_request /auth;
#error_page 401 =200 /login;
include /config/nginx/proxy.conf;
resolver 127.0.0.11 valid=30s;
set $upstream_app radarr;
set $upstream_port 7878;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
location ~ (/radarr)?/api {
include /config/nginx/proxy.conf;
resolver 127.0.0.11 valid=30s;
set $upstream_app radarr;
set $upstream_port 7878;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
}


@ -0,0 +1,43 @@
# make sure that your dns has a cname set for sonarr and that your sonarr container is not using a base url
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name sonarr.*;
include /config/nginx/ssl.conf;
client_max_body_size 0;
# enable for ldap auth, fill in ldap details in ldap.conf
#include /config/nginx/ldap.conf;
location / {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable the next two lines for ldap auth
#auth_request /auth;
#error_page 401 =200 /login;
include /config/nginx/proxy.conf;
resolver 127.0.0.11 valid=30s;
set $upstream_app sonarr;
set $upstream_port 8989;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
location ~ (/sonarr)?/api {
include /config/nginx/proxy.conf;
resolver 127.0.0.11 valid=30s;
set $upstream_app sonarr;
set $upstream_port 8989;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
}


@ -0,0 +1,44 @@
# make sure that your dns has a cname set for transmission
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name transmission.*;
include /config/nginx/ssl.conf;
client_max_body_size 0;
# enable for ldap auth, fill in ldap details in ldap.conf
#include /config/nginx/ldap.conf;
location / {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable the next two lines for ldap auth
#auth_request /auth;
#error_page 401 =200 /login;
include /config/nginx/proxy.conf;
resolver 127.0.0.11 valid=30s;
set $upstream_app transmission;
set $upstream_port 9091;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
proxy_pass_header X-Transmission-Session-Id;
}
location ~ (/transmission)?/rpc {
include /config/nginx/proxy.conf;
resolver 127.0.0.11 valid=30s;
set $upstream_app transmission;
set $upstream_port 9091;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
}


@ -1 +0,0 @@
client_max_body_size 1g;