From ddae5d18e04a8e9f5ab879931e80d32571645d4e Mon Sep 17 00:00:00 2001
From: dddpt
Date: Wed, 6 Mar 2024 16:00:02 +0100
Subject: [PATCH 01/10] moved conf/nginx -> nginx
---
 .gitignore | 2 +-
 docker-compose.yml | 12 ++++++------
 {conf/nginx => nginx}/options-ssl-nginx.conf | 0
 {conf/nginx => nginx}/pages/403.html | 0
 {conf/nginx => nginx}/pages/404.html | 0
 {conf/nginx => nginx}/pages/500.html | 0
 {conf/nginx => nginx}/pages/sad_nyuki.svg | 0
 {conf/nginx => nginx}/ssl-dhparams.pem | 0
 .../nginx => nginx}/templates/default.conf.template | 0
 9 files changed, 7 insertions(+), 7 deletions(-)
 rename {conf/nginx => nginx}/options-ssl-nginx.conf (100%)
 rename {conf/nginx => nginx}/pages/403.html (100%)
 rename {conf/nginx => nginx}/pages/404.html (100%)
 rename {conf/nginx => nginx}/pages/500.html (100%)
 rename {conf/nginx => nginx}/pages/sad_nyuki.svg (100%)
 rename {conf/nginx => nginx}/ssl-dhparams.pem (100%)
 rename {conf/nginx => nginx}/templates/default.conf.template (100%)
diff --git a/.gitignore b/.gitignore
index 88fcf6718..cb14ef9bd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,7 +8,7 @@ __pycache__/
 .env
 docker-compose.override.yml
 client/projects
-conf/nginx/certs/*
+nginx/certs/*
 conf/certbot/*
 Pipfile*
 **/site-packages
diff --git a/docker-compose.yml b/docker-compose.yml
index 28df94370..f6c97e432 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -91,11 +91,11 @@ services: image: nginx:stable restart: unless-stopped volumes: - - ./conf/nginx/pages/:/var/www/html/pages/ - - ./conf/nginx/templates/:/etc/nginx/templates/ - - ./conf/nginx/certs/:/etc/nginx/certs/:ro - - ./conf/nginx/options-ssl-nginx.conf:/etc/nginx/options-ssl-nginx.conf - - ./conf/nginx/ssl-dhparams.pem:/etc/nginx/ssl-dhparams.pem + - ./nginx/pages/:/var/www/html/pages/ + - ./nginx/templates/:/etc/nginx/templates/ + - ./nginx/certs/:/etc/nginx/certs/:ro + - ./nginx/options-ssl-nginx.conf:/etc/nginx/options-ssl-nginx.conf + - ./nginx/ssl-dhparams.pem:/etc/nginx/ssl-dhparams.pem - certbot_www:/var/www/certbot ports: - ${WEB_HTTP_PORT}:80 @@ -119,7 +119,7 @@ services: environment: domain: ${QFIELDCLOUD_HOST} volumes: - - ./conf/nginx/certs/:/root/.local/share/mkcert/ + - ./nginx/certs/:/root/.local/share/mkcert/ command: /bin/sh -c 'mkcert -install && for i in $$(echo $$domain | sed "s/,/ /g"); do [ ! -f /root/.local/share/mkcert/$$i.pem ] && mkcert $$i; done && tail -f -n0 /etc/hosts' certbot: diff --git a/conf/nginx/options-ssl-nginx.conf b/nginx/options-ssl-nginx.conf similarity index 100% rename from conf/nginx/options-ssl-nginx.conf rename to nginx/options-ssl-nginx.conf diff --git a/conf/nginx/pages/403.html b/nginx/pages/403.html similarity index 100% rename from conf/nginx/pages/403.html rename to nginx/pages/403.html diff --git a/conf/nginx/pages/404.html b/nginx/pages/404.html similarity index 100% rename from conf/nginx/pages/404.html rename to nginx/pages/404.html diff --git a/conf/nginx/pages/500.html b/nginx/pages/500.html similarity index 100% rename from conf/nginx/pages/500.html rename to nginx/pages/500.html diff --git a/conf/nginx/pages/sad_nyuki.svg b/nginx/pages/sad_nyuki.svg similarity index 100% rename from conf/nginx/pages/sad_nyuki.svg rename to nginx/pages/sad_nyuki.svg 
diff --git a/conf/nginx/ssl-dhparams.pem b/nginx/ssl-dhparams.pem similarity index 100% rename from conf/nginx/ssl-dhparams.pem rename to nginx/ssl-dhparams.pem diff --git a/conf/nginx/templates/default.conf.template b/nginx/templates/default.conf.template similarity index 100% rename from conf/nginx/templates/default.conf.template rename to nginx/templates/default.conf.template From 308cdfbf86c8cf16ba1d54ea18090bb44eadd0d9 Mon Sep 17 00:00:00 2001 From: dddpt Date: Wed, 6 Mar 2024 16:08:28 +0100 Subject: [PATCH 02/10] build custom nginx docker image --- docker-compose.yml | 7 ++----- nginx/Dockerfile | 6 ++++++ 2 files changed, 8 insertions(+), 5 deletions(-) create mode 100644 nginx/Dockerfile diff --git a/docker-compose.yml b/docker-compose.yml index f6c97e432..fafbc95b3 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -88,14 +88,11 @@ services: ofelia.job-exec.runcrons.command: python manage.py runcrons nginx: - image: nginx:stable + build: + context: ./nginx restart: unless-stopped volumes: - - ./nginx/pages/:/var/www/html/pages/ - - ./nginx/templates/:/etc/nginx/templates/ - ./nginx/certs/:/etc/nginx/certs/:ro - - ./nginx/options-ssl-nginx.conf:/etc/nginx/options-ssl-nginx.conf - - ./nginx/ssl-dhparams.pem:/etc/nginx/ssl-dhparams.pem - certbot_www:/var/www/certbot ports: - ${WEB_HTTP_PORT}:80 diff --git a/nginx/Dockerfile b/nginx/Dockerfile new file mode 100644 index 000000000..200d8b581 --- /dev/null +++ b/nginx/Dockerfile @@ -0,0 +1,6 @@ +FROM nginx:stable + +COPY pages /var/www/html/pages/ +COPY templates/ /etc/nginx/templates/ +COPY options-ssl-nginx.conf /etc/nginx/options-ssl-nginx.conf +COPY ssl-dhparams.pem /etc/nginx/ssl-dhparams.pem From 2b4b51ae1b29af030f9c8dcfabe4b3e7a821822c Mon Sep 17 00:00:00 2001 From: dddpt Date: Wed, 6 Mar 2024 16:41:49 +0100 Subject: [PATCH 03/10] added build&push qfieldcloud-nginx to github workflows --- .github/workflows/build_and_push.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) 
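Review bot: The build context of the new `nginx/Dockerfile` is the same directory that holds `certs/`, which the compose file mounts into the nginx and mkcert services and into which `scripts/init_letsencrypt.sh` copies `privkey.pem` in the last patch of this series, so TLS private keys are sent to the builder on every build. The four explicit `COPY` lines keep them out of the image today, but no `.dockerignore` is visible in this series; a `.dockerignore` next to the Dockerfile with a `certs/` entry would keep a later broad `COPY` from baking keys into the image that patch 03 publishes to Docker Hub. Separately, `FROM nginx:stable` is a floating tag; pinning a release and digest, e.g. `FROM nginx:<version>@sha256:<digest>`, makes the published image reproducible.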
diff --git a/.github/workflows/build_and_push.yml b/.github/workflows/build_and_push.yml
index 8cb55558b..036d0db78 100644
--- a/.github/workflows/build_and_push.yml
+++ b/.github/workflows/build_and_push.yml
@@ -98,3 +98,16 @@ jobs:
 tags: |
 opengisch/qfieldcloud-qgis:${{ steps.prepare.outputs.docker_tag }}
 opengisch/qfieldcloud-qgis:${{ steps.prepare.outputs.docker_commit }}
+
+ # Nginx
+ - name: Docker Build and Push nginx
+ id: docker_build_and_push_nginx
+ uses: docker/build-push-action@v2
+ with:
+ builder: ${{ steps.buildx.outputs.name }}
+ context: ./nginx
+ file: ./nginx/Dockerfile
+ push: ${{ github.event_name != 'pull_request' }}
+ tags: |
+ opengisch/qfieldcloud-nginx:${{ steps.prepare.outputs.docker_tag }}
+ opengisch/qfieldcloud-nginx:${{ steps.prepare.outputs.docker_commit }}
From ffcdf03f690ea0e2078910af60a6127aa7fe042b Mon Sep 17 00:00:00 2001
From: dddpt
Date: Wed, 6 Mar 2024 16:52:05 +0100
Subject: [PATCH 04/10] added "on PR" github workflow trigger for testing
---
 .github/workflows/build_and_push.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/build_and_push.yml b/.github/workflows/build_and_push.yml
index 036d0db78..00887bb06 100644
--- a/.github/workflows/build_and_push.yml
+++ b/.github/workflows/build_and_push.yml
@@ -5,6 +5,9 @@ on:
 - master
 tags:
 - "v*.*.*"
+ pull_request:
+ branches:
+ - master
 jobs:
 build_and_push:
 runs-on: ubuntu-22.04
From e45cd8a9c052ab0c6dc4b1bff43af1a3afeb6730 Mon Sep 17 00:00:00 2001
From: dddpt
Date: Wed, 6 Mar 2024 17:02:34 +0100
Subject: [PATCH 05/10] allows to push to dockerhub on gh PR
---
 .github/workflows/build_and_push.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build_and_push.yml b/.github/workflows/build_and_push.yml
index 00887bb06..5a55d0fee 100644
--- a/.github/workflows/build_and_push.yml
+++ b/.github/workflows/build_and_push.yml
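Review bot: The added `Docker Build and Push nginx` step pulls `docker/build-push-action@v2` by a mutable tag inside the job that logs in with the Docker Hub secrets, so whatever that tag points to at run time executes with push rights to `opengisch/qfieldcloud-nginx`. Pinning the action to a full commit SHA, `uses: docker/build-push-action@<full-commit-sha> # v2`, removes the dependency on a movable ref. The other steps of this file that are visible in the series use the same form (e.g. `docker/login-action@v2`), so this is probably best done for all of them together; the rest of the job lies outside the hunk.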
@@ -110,7 +110,7 @@ jobs: builder: ${{ steps.buildx.outputs.name }} context: ./nginx file: ./nginx/Dockerfile - push: ${{ github.event_name != 'pull_request' }} + # push: ${{ github.event_name != 'pull_request' }} tags: | opengisch/qfieldcloud-nginx:${{ steps.prepare.outputs.docker_tag }} opengisch/qfieldcloud-nginx:${{ steps.prepare.outputs.docker_commit }} From 152baae2f66519d3649c584ca36dce6dbd00dc39 Mon Sep 17 00:00:00 2001 From: dddpt Date: Wed, 6 Mar 2024 17:11:04 +0100 Subject: [PATCH 06/10] login to dockerhub on PR for testing... --- .github/workflows/build_and_push.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build_and_push.yml b/.github/workflows/build_and_push.yml index 5a55d0fee..3de6fe467 100644 --- a/.github/workflows/build_and_push.yml +++ b/.github/workflows/build_and_push.yml @@ -40,7 +40,7 @@ jobs: ${{ runner.os }}-buildx- - name: Login to dockerhub - if: github.event_name != 'pull_request' + #if: github.event_name != 'pull_request' uses: docker/login-action@v2 with: username: ${{ secrets.DOCKER_HUB_USERNAME }} From c27b2d188bd533ce6d0af238fc1e356e66f53220 Mon Sep 17 00:00:00 2001 
From: dddpt
Date: Thu, 7 Mar 2024 10:06:45 +0100
Subject: [PATCH 07/10] nginx/ -> docker-nginx/
---
 .github/workflows/build_and_push.yml | 4 ++--
 .gitignore | 2 +-
 {nginx => docker-nginx}/Dockerfile | 0
 {nginx => docker-nginx}/options-ssl-nginx.conf | 0
 {nginx => docker-nginx}/pages/403.html | 0
 {nginx => docker-nginx}/pages/404.html | 0
 {nginx => docker-nginx}/pages/500.html | 0
 {nginx => docker-nginx}/pages/sad_nyuki.svg | 0
 {nginx => docker-nginx}/ssl-dhparams.pem | 0
 {nginx => docker-nginx}/templates/default.conf.template | 0
 10 files changed, 3 insertions(+), 3 deletions(-)
 rename {nginx => docker-nginx}/Dockerfile (100%)
 rename {nginx => docker-nginx}/options-ssl-nginx.conf (100%)
 rename {nginx => docker-nginx}/pages/403.html (100%)
 rename {nginx => docker-nginx}/pages/404.html (100%)
 rename {nginx => docker-nginx}/pages/500.html (100%)
 rename {nginx => docker-nginx}/pages/sad_nyuki.svg (100%)
 rename {nginx => docker-nginx}/ssl-dhparams.pem (100%)
 rename {nginx => docker-nginx}/templates/default.conf.template (100%)
diff --git a/.github/workflows/build_and_push.yml b/.github/workflows/build_and_push.yml
index 3de6fe467..6f4520e10 100644
--- a/.github/workflows/build_and_push.yml
+++ b/.github/workflows/build_and_push.yml
@@ -108,8 +108,8 @@ jobs:
 uses: docker/build-push-action@v2
 with:
 builder: ${{ steps.buildx.outputs.name }}
- context: ./nginx
- file: ./nginx/Dockerfile
+ context: ./docker-nginx
+ file: ./docker-nginx/Dockerfile
 # push: ${{ github.event_name != 'pull_request' }}
 tags: |
 opengisch/qfieldcloud-nginx:${{ steps.prepare.outputs.docker_tag }}
diff --git a/.gitignore b/.gitignore
index cb14ef9bd..23825ee50 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,7 +8,7 @@ __pycache__/
 .env
 docker-compose.override.yml
 client/projects
-nginx/certs/*
+docker-nginx/certs/*
 conf/certbot/*
 Pipfile*
 **/site-packages
diff --git a/nginx/Dockerfile b/docker-nginx/Dockerfile
similarity index 100%
rename from nginx/Dockerfile
rename to docker-nginx/Dockerfile
diff --git a/nginx/options-ssl-nginx.conf b/docker-nginx/options-ssl-nginx.conf
similarity index 100%
rename from nginx/options-ssl-nginx.conf
rename to docker-nginx/options-ssl-nginx.conf
diff --git a/nginx/pages/403.html b/docker-nginx/pages/403.html
similarity index 100%
rename from nginx/pages/403.html
rename to docker-nginx/pages/403.html
diff --git a/nginx/pages/404.html b/docker-nginx/pages/404.html
similarity index 100%
rename from nginx/pages/404.html
rename to docker-nginx/pages/404.html
diff --git a/nginx/pages/500.html b/docker-nginx/pages/500.html
similarity index 100%
rename from nginx/pages/500.html
rename to docker-nginx/pages/500.html
diff --git a/nginx/pages/sad_nyuki.svg b/docker-nginx/pages/sad_nyuki.svg
similarity index 100%
rename from nginx/pages/sad_nyuki.svg
rename to docker-nginx/pages/sad_nyuki.svg
diff --git a/nginx/ssl-dhparams.pem b/docker-nginx/ssl-dhparams.pem
similarity index 100%
rename from nginx/ssl-dhparams.pem
rename to docker-nginx/ssl-dhparams.pem
diff --git a/nginx/templates/default.conf.template b/docker-nginx/templates/default.conf.template
similarity index 100%
rename from nginx/templates/default.conf.template
rename to docker-nginx/templates/default.conf.template
From 59443f14fedb6706b6e02c987a4d86e53d4fe0e7 Mon Sep 17 00:00:00 2001
From: dddpt
Date: Thu, 7 Mar 2024 10:17:51 +0100
Subject: [PATCH 08/10] push: true
---
 .github/workflows/build_and_push.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build_and_push.yml b/.github/workflows/build_and_push.yml
index 6f4520e10..b1b4cc7be 100644
--- a/.github/workflows/build_and_push.yml
+++ b/.github/workflows/build_and_push.yml
@@ -110,7 +110,7 @@ jobs: builder: ${{ steps.buildx.outputs.name }} context: ./docker-nginx file: ./docker-nginx/Dockerfile - # push: ${{ github.event_name != 'pull_request' }} + push: true #${{ github.event_name == 'pull_request' }} tags: | opengisch/qfieldcloud-nginx:${{ steps.prepare.outputs.docker_tag }} opengisch/qfieldcloud-nginx:${{ steps.prepare.outputs.docker_commit }} From 3a74f697475d31e892b9411329c4d0bea2f93174 Mon Sep 17 00:00:00 2001 From: dddpt Date: Thu, 7 Mar 2024 11:00:06 +0100 Subject: [PATCH 09/10] github workflow executes only on commits on master or tags, not PR. --- .github/workflows/build_and_push.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build_and_push.yml b/.github/workflows/build_and_push.yml index b1b4cc7be..cfa9f54e9 100644 --- a/.github/workflows/build_and_push.yml +++ b/.github/workflows/build_and_push.yml @@ -5,9 +5,6 @@ on: - master tags: - "v*.*.*" - pull_request: - branches: - - master jobs: build_and_push: runs-on: ubuntu-22.04 @@ -40,7 +37,7 @@ jobs: ${{ runner.os }}-buildx- - name: Login to dockerhub - #if: github.event_name != 'pull_request' + if: github.event_name != 'pull_request' uses: docker/login-action@v2 with: username: ${{ secrets.DOCKER_HUB_USERNAME }} @@ -110,7 +107,7 @@ jobs: builder: ${{ steps.buildx.outputs.name }} context: ./docker-nginx file: ./docker-nginx/Dockerfile - push: true #${{ github.event_name == 'pull_request' }} + push: ${{ github.event_name != 'pull_request' }} tags: | opengisch/qfieldcloud-nginx:${{ steps.prepare.outputs.docker_tag }} opengisch/qfieldcloud-nginx:${{ steps.prepare.outputs.docker_commit }} From 4189e5e3b6868d422b38fd4b0147160c8e456891 Mon Sep 17 00:00:00 2001 
From: dddpt Date: Thu, 7 Mar 2024 11:47:11 +0100 Subject: [PATCH 10/10] update docker-nginx/ path in docker-compose & init_letsencrypt --- README.md | 4 ++-- docker-compose.yml | 6 +++--- scripts/init_letsencrypt.sh | 10 +++++----- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index e974cdc28..e54e506d6 100644 --- a/README.md +++ b/README.md @@ -207,11 +207,11 @@ Note if you run tests using the `docker-compose.test.yml` configuration, the `ap ## Add root certificate -QFieldCloud will automatically generate a certificate and it's root certificate in `./config/nginx/certs`. However, you need to trust the root certificate first, so other programs (e.g. curl) can create secure connection to the local QFieldCloud instance. +QFieldCloud will automatically generate a certificate and it's root certificate in `./docker-nginx/certs`. However, you need to trust the root certificate first, so other programs (e.g. curl) can create secure connection to the local QFieldCloud instance. On Debian/Ubuntu, copy the root certificate to the directory with trusted certificates. Note the extension has been changed to `.crt`: - sudo cp ./conf/nginx/certs/rootCA.pem /usr/local/share/ca-certificates/rootCA.crt + sudo cp ./docker-nginx/certs/rootCA.pem /usr/local/share/ca-certificates/rootCA.crt Trust the newly added certificate: diff --git a/docker-compose.yml b/docker-compose.yml index fafbc95b3..8cfc369fb 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -89,10 +89,10 @@ services: nginx: build: - context: ./nginx + context: ./docker-nginx restart: unless-stopped volumes: - - ./nginx/certs/:/etc/nginx/certs/:ro + - ./docker-nginx/certs/:/etc/nginx/certs/:ro - certbot_www:/var/www/certbot ports: - ${WEB_HTTP_PORT}:80 
@@ -116,7 +116,7 @@ services: environment: domain: ${QFIELDCLOUD_HOST} volumes: - - ./nginx/certs/:/root/.local/share/mkcert/ + - ./docker-nginx/certs/:/root/.local/share/mkcert/ command: /bin/sh -c 'mkcert -install && for i in $$(echo $$domain | sed "s/,/ /g"); do [ ! -f /root/.local/share/mkcert/$$i.pem ] && mkcert $$i; done && tail -f -n0 /etc/hosts' certbot: diff --git a/scripts/init_letsencrypt.sh b/scripts/init_letsencrypt.sh index 2d1f904b7..10f03705d 100755 --- a/scripts/init_letsencrypt.sh +++ b/scripts/init_letsencrypt.sh @@ -9,10 +9,10 @@ set +o allexport CONFIG_PATH="${CONFIG_PATH:-'./conf'}" -if [ ! -e "$CONFIG_PATH/nginx/options-ssl-nginx.conf" ] || [ ! -e "$CONFIG_PATH/nginx/ssl-dhparams.pem" ]; then +if [ ! -e "docker-nginx/options-ssl-nginx.conf" ] || [ ! -e "docker-nginx/ssl-dhparams.pem" ]; then echo "### Downloading recommended TLS parameters ..." - curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$CONFIG_PATH/nginx/options-ssl-nginx.conf" - curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$CONFIG_PATH/nginx/ssl-dhparams.pem" + curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "docker-nginx/options-ssl-nginx.conf" + curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "docker-nginx/ssl-dhparams.pem" echo fi 
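Review bot: Both downloads in the changed `if` block use `curl -s` with a shell redirect and a URL on certbot's mutable `master` branch, so an HTTP error body or an unexpected upstream change is written straight into `options-ssl-nginx.conf` or `ssl-dhparams.pem`, which `docker-nginx/Dockerfile` now copies into the published image. Adding `-f` makes HTTP errors fail instead of being saved, e.g. `curl -fsS <url> > "docker-nginx/options-ssl-nginx.conf"`, and a tag- or commit-pinned URL would be safer than `master`. The new paths are also relative to the working directory, where the old ones went through `$CONFIG_PATH`; a comment such as `# paths are relative to the repository root; run this script from there` would document that. The script continues outside the hunk.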
@@ -34,8 +34,8 @@ docker compose run --rm --entrypoint "\ echo echo "### Copy the certificate and key to their final destination ..." -cp ${CONFIG_PATH}/certbot/conf/live/${QFIELDCLOUD_HOST}/fullchain.pem ${CONFIG_PATH}/nginx/certs/${QFIELDCLOUD_HOST}.pem -cp ${CONFIG_PATH}/certbot/conf/live/${QFIELDCLOUD_HOST}/privkey.pem ${CONFIG_PATH}/nginx/certs/${QFIELDCLOUD_HOST}-key.pem +cp ${CONFIG_PATH}/certbot/conf/live/${QFIELDCLOUD_HOST}/fullchain.pem docker-nginx/certs/${QFIELDCLOUD_HOST}.pem +cp ${CONFIG_PATH}/certbot/conf/live/${QFIELDCLOUD_HOST}/privkey.pem docker-nginx/certs/${QFIELDCLOUD_HOST}-key.pem echo echo "### Reloading nginx ..."
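Review bot: The two changed `cp` lines leave `${CONFIG_PATH}` and `${QFIELDCLOUD_HOST}` unquoted, so a value with spaces or glob characters is split or expanded before `cp` sees it, and one of these lines handles the private key. Quote both operands, e.g. `cp "${CONFIG_PATH}/certbot/conf/live/${QFIELDCLOUD_HOST}/privkey.pem" "docker-nginx/certs/${QFIELDCLOUD_HOST}-key.pem"`. The mode of the copied key is left to `cp` and the caller's umask; if that matters for this deployment, an explicit `chmod 600` on the destination after the copy would make it independent of the environment, though how the file is consumed is not visible in this hunk. The surrounding script lies outside the hunk.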