Put real domain name + add gitea installation + add config apis

docker/conf/applications/api.c2a-systeme.fr.conf

@@ -0,0 +1,96 @@
+# http://nginx.org/en/docs/http/websocket.html
+# http://nginx.org/en/docs/http/websocket.html
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    '' close;
+}
+
+# http server
+server {
+    listen       80;
+    listen       [::]:80;
+
+    server_name  api.c2a-systeme.fr;
+
+    location / {
+        # redirect everything to HTTPS
+        return 301 https://$host$request_uri;
+    }
+}
+
+# https server
+server {
+    server_name  api.c2a-systeme.fr;
+    listen       443 http2;
+    listen       [::]:443 http2;
+
+    ssl                  on;
+    # paths are relative to prefix and not to this file
+    ssl_certificate      /etc/letsencrypt/live/api.c2a-systeme.fr/cert.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/api.c2a-systeme.fr/privkey.pem;
+    ssl_session_timeout  5m;
+    ssl_session_cache shared:SSL:50m;
+
+    # https://bettercrypto.org/static/applied-crypto-hardening.pdf
+    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
+    # https://cipherli.st/
+    # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+    ssl_prefer_server_ciphers on;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
+
+    # ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern
+    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+    add_header Strict-Transport-Security "max-age=15768000";
+
+    # https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
+    add_header X-Frame-Options "SAMEORIGIN";
+    proxy_hide_header X-Frame-Options;
+
+    # https://github.com/twitter/secureheaders
+    # https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Compatibility_Matrix
+    # https://wiki.mozilla.org/Security/Guidelines/Web_Security
+    add_header X-XSS-Protection "1; mode=block";
+    proxy_hide_header X-XSS-Protection;
+    add_header X-Download-Options "noopen";
+    proxy_hide_header X-Download-Options;
+    add_header X-Content-Type-Options "nosniff";
+    proxy_hide_header X-Content-Type-Options;
+    add_header X-Permitted-Cross-Domain-Policies "none";
+    proxy_hide_header X-Permitted-Cross-Domain-Policies;
+    add_header Referrer-Policy "no-referrer-when-downgrade";
+    proxy_hide_header Referrer-Policy;
+
+
+    proxy_http_version 1.1;
+    proxy_intercept_errors on;
+    proxy_read_timeout       3500;
+    proxy_connect_timeout    3250;
+
+    proxy_set_header   Host               $host;
+    proxy_set_header   X-Forwarded-For    $remote_addr;
+    proxy_set_header   X-Forwarded-Host   $host;
+    proxy_set_header   X-Forwarded-Port   $server_port;
+    proxy_set_header   X-Forwarded-Proto  https;
+    proxy_set_header   X-Forwarded-Ssl    on;
+
+    # upgrade is a hop-by-hop header (http://nginx.org/en/docs/http/websocket.html)
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+
+    location / {
+        # No buffering to temp files, it fails for large downloads
+        proxy_max_temp_file_size 0;
+
+        # Disable check to allow unlimited body sizes. this allows apps to accept whatever size they want
+        client_max_body_size 0;
+
+        # Bloc accès of the search robots
+        location = /robots.txt {
+            return 200 "User-agent: *\nDisallow: /";
+        }
+
+        proxy_pass http://127.0.0.1:8004;
+
+    }
+}   

docker/conf/applications/dev.api.c2a-systeme.fr.conf

@@ -0,0 +1,96 @@
+# http://nginx.org/en/docs/http/websocket.html
+# http://nginx.org/en/docs/http/websocket.html
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    '' close;
+}
+
+# http server
+server {
+    listen       80;
+    listen       [::]:80;
+
+    server_name  dev.api.c2a-systeme.fr;
+
+    location / {
+        # redirect everything to HTTPS
+        return 301 https://$host$request_uri;
+    }
+}
+
+# https server
+server {
+    server_name  dev.api.c2a-systeme.fr;
+    listen       443 http2;
+    listen       [::]:443 http2;
+
+    ssl                  on;
+    # paths are relative to prefix and not to this file
+    ssl_certificate      /etc/letsencrypt/live/dev.api.c2a-systeme.fr/cert.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/dev.api.c2a-systeme.fr/privkey.pem;
+    ssl_session_timeout  5m;
+    ssl_session_cache shared:SSL:50m;
+
+    # https://bettercrypto.org/static/applied-crypto-hardening.pdf
+    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
+    # https://cipherli.st/
+    # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+    ssl_prefer_server_ciphers on;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
+
+    # ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern
+    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+    add_header Strict-Transport-Security "max-age=15768000";
+
+    # https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
+    add_header X-Frame-Options "SAMEORIGIN";
+    proxy_hide_header X-Frame-Options;
+
+    # https://github.com/twitter/secureheaders
+    # https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Compatibility_Matrix
+    # https://wiki.mozilla.org/Security/Guidelines/Web_Security
+    add_header X-XSS-Protection "1; mode=block";
+    proxy_hide_header X-XSS-Protection;
+    add_header X-Download-Options "noopen";
+    proxy_hide_header X-Download-Options;
+    add_header X-Content-Type-Options "nosniff";
+    proxy_hide_header X-Content-Type-Options;
+    add_header X-Permitted-Cross-Domain-Policies "none";
+    proxy_hide_header X-Permitted-Cross-Domain-Policies;
+    add_header Referrer-Policy "no-referrer-when-downgrade";
+    proxy_hide_header Referrer-Policy;
+
+
+    proxy_http_version 1.1;
+    proxy_intercept_errors on;
+    proxy_read_timeout       3500;
+    proxy_connect_timeout    3250;
+
+    proxy_set_header   Host               $host;
+    proxy_set_header   X-Forwarded-For    $remote_addr;
+    proxy_set_header   X-Forwarded-Host   $host;
+    proxy_set_header   X-Forwarded-Port   $server_port;
+    proxy_set_header   X-Forwarded-Proto  https;
+    proxy_set_header   X-Forwarded-Ssl    on;
+
+    # upgrade is a hop-by-hop header (http://nginx.org/en/docs/http/websocket.html)
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+
+    location / {
+        # No buffering to temp files, it fails for large downloads
+        proxy_max_temp_file_size 0;
+
+        # Disable check to allow unlimited body sizes. this allows apps to accept whatever size they want
+        client_max_body_size 0;
+
+        # Bloc accès of the search robots
+        location = /robots.txt {
+            return 200 "User-agent: *\nDisallow: /";
+        }
+
+        proxy_pass http://127.0.0.1:8005;
+
+    }
+}   

docker/conf/applications/git.c2a-systeme.fr.conf

@@ -0,0 +1,96 @@
+# http://nginx.org/en/docs/http/websocket.html
+# http://nginx.org/en/docs/http/websocket.html
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    '' close;
+}
+
+# http server
+server {
+    listen       80;
+    listen       [::]:80;
+
+    server_name  git.c2a-systeme.fr;
+
+    location / {
+        # redirect everything to HTTPS
+        return 301 https://$host$request_uri;
+    }
+}
+
+# https server
+server {
+    server_name  git.c2a-systeme.fr;
+    listen       443 http2;
+    listen       [::]:443 http2;
+
+    ssl                  on;
+    # paths are relative to prefix and not to this file
+    ssl_certificate      /etc/letsencrypt/live/git.c2a-systeme.fr/cert.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/git.c2a-systeme.fr/privkey.pem;
+    ssl_session_timeout  5m;
+    ssl_session_cache shared:SSL:50m;
+
+    # https://bettercrypto.org/static/applied-crypto-hardening.pdf
+    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
+    # https://cipherli.st/
+    # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+    ssl_prefer_server_ciphers on;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
+
+    # ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern
+    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+    add_header Strict-Transport-Security "max-age=15768000";
+
+    # https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
+    add_header X-Frame-Options "SAMEORIGIN";
+    proxy_hide_header X-Frame-Options;
+
+    # https://github.com/twitter/secureheaders
+    # https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Compatibility_Matrix
+    # https://wiki.mozilla.org/Security/Guidelines/Web_Security
+    add_header X-XSS-Protection "1; mode=block";
+    proxy_hide_header X-XSS-Protection;
+    add_header X-Download-Options "noopen";
+    proxy_hide_header X-Download-Options;
+    add_header X-Content-Type-Options "nosniff";
+    proxy_hide_header X-Content-Type-Options;
+    add_header X-Permitted-Cross-Domain-Policies "none";
+    proxy_hide_header X-Permitted-Cross-Domain-Policies;
+    add_header Referrer-Policy "no-referrer-when-downgrade";
+    proxy_hide_header Referrer-Policy;
+
+
+    proxy_http_version 1.1;
+    proxy_intercept_errors on;
+    proxy_read_timeout       3500;
+    proxy_connect_timeout    3250;
+
+    proxy_set_header   Host               $host;
+    proxy_set_header   X-Forwarded-For    $remote_addr;
+    proxy_set_header   X-Forwarded-Host   $host;
+    proxy_set_header   X-Forwarded-Port   $server_port;
+    proxy_set_header   X-Forwarded-Proto  https;
+    proxy_set_header   X-Forwarded-Ssl    on;
+
+    # upgrade is a hop-by-hop header (http://nginx.org/en/docs/http/websocket.html)
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+
+    location / {
+        # No buffering to temp files, it fails for large downloads
+        proxy_max_temp_file_size 0;
+
+        # Disable check to allow unlimited body sizes. this allows apps to accept whatever size they want
+        client_max_body_size 0;
+
+        # Bloc accès of the search robots
+        location = /robots.txt {
+            return 200 "User-agent: *\nDisallow: /";
+        }
+
+        proxy_pass http://127.0.0.1:8000;
+
+    }
+}   

docker/conf/applications/gitlab.c2a-systeme.fr.conf

@@ -10,7 +10,7 @@ server {
     listen       80;
     listen       [::]:80;
 
-    server_name  gitla.teksatcau.fr;
+    server_name  gitlab.c2a-systeme.fr;
 
     location / {
         # redirect everything to HTTPS
@@ -20,14 +20,14 @@ server {
 
 # https server
 server {
-    server_name  gitla.teksatcau.fr;
+    server_name  gitlab.c2a-systeme.fr;
     listen       443 http2;
     listen       [::]:443 http2;
 
     ssl                  on;
     # paths are relative to prefix and not to this file
-    ssl_certificate      /etc/letsencrypt/live/gitla.teksatcau.fr/cert.pem;
-    ssl_certificate_key  /etc/letsencrypt/live/gitla.teksatcau.fr/privkey.pem;
+    ssl_certificate      /etc/letsencrypt/live/gitlab.c2a-systeme.fr/cert.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/gitlab.c2a-systeme.fr/privkey.pem;
     ssl_session_timeout  5m;
     ssl_session_cache shared:SSL:50m;
 

docker/conf/applications/jenkins.c2a-systeme.fr.conf

@@ -9,7 +9,7 @@ server {
     listen       80;
     listen       [::]:80;
 
-    server_name  jenkins.teksatcau.fr;
+    server_name  jenkins.c2a-systeme.fr;
 
     location / {
         # redirect everything to HTTPS
@@ -19,14 +19,14 @@ server {
 
 # https server
 server {
-    server_name  jenkins.teksatcau.fr;
+    server_name  jenkins.c2a-systeme.fr;
     listen       443 http2;
     listen       [::]:443 http2;
 
     ssl                  on;
     # paths are relative to prefix and not to this file
-    ssl_certificate      /etc/letsencrypt/live/jenkins.teksatcau.fr/cert.pem;
-    ssl_certificate_key  /etc/letsencrypt/live/jenkins.teksatcau.fr/privkey.pem;
+    ssl_certificate      /etc/letsencrypt/live/jenkins.c2a-systeme.fr/cert.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/jenkins.c2a-systeme.fr/privkey.pem;
     ssl_session_timeout  5m;
     ssl_session_cache shared:SSL:50m;
 

docker/conf/applications/portainer.c2a-systeme.fr.conf

@@ -9,7 +9,7 @@ server {
     listen       80;
     listen       [::]:80;
 
-    server_name  portainer.teksatcau.fr;
+    server_name  portainer.c2a-systeme.fr;
 
     location / {
         # redirect everything to HTTPS
@@ -19,14 +19,14 @@ server {
 
 # https server
 server {
-    server_name  portainer.teksatcau.fr;
+    server_name  portainer.c2a-systeme.fr;
     listen       443 http2;
     listen       [::]:443 http2;
 
     ssl                  on;
     # paths are relative to prefix and not to this file
-    ssl_certificate      /etc/letsencrypt/live/portainer.teksatcau.fr/cert.pem;
-    ssl_certificate_key  /etc/letsencrypt/live/portainer.teksatcau.fr/privkey.pem;
+    ssl_certificate      /etc/letsencrypt/live/portainer.c2a-systeme.fr/cert.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/portainer.c2a-systeme.fr/privkey.pem;
     ssl_session_timeout  5m;
     ssl_session_cache shared:SSL:50m;
 

docker/install-gitea.sh

@@ -0,0 +1,7 @@
+docker run --detach \
+    --name gitea \
+    --publish 8000:3000 \
+    --publish 2200:22 \
+    --volume /var/gitea:/data \
+    --restart unless-stopped \
+    gitea/gitea:latest

docker/install-gitlab.sh

@@ -2,9 +2,9 @@ docker run --detach \
     --name gitlab \
     --publish 8001:80 \
     --publish 2201:22 \
-    --hostname gitla.teksatcau.fr \
+    --hostname gitlab.c2a-systeme.fr \
     --volume /srv/gitlab/config:/etc/gitlab \
-    --env GITLAB_OMNIBUS_CONFIG="external_url 'https://gitla.teksatcau.fr/';gitlab_rails['gitlab_shell_ssh_port'] = 2201;nginx['listen_port'] = 80;nginx['listen_https'] = false;" \
+    --env GITLAB_OMNIBUS_CONFIG="external_url 'https://gitlab.c2a-systeme.fr/';gitlab_rails['gitlab_shell_ssh_port'] = 2201;nginx['listen_port'] = 80;nginx['listen_https'] = false;" \
     --volume /srv/gitlab/logs:/var/log/gitlab \
     --volume /srv/gitlab/data:/var/opt/gitlab \
     --restart unless-stopped \

docker/install-nginx.sh

@@ -1,8 +1,12 @@
 apt-get install -y nginx
 
-/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d gitlab.teksatcau.fr
-/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d jenkins.teksatcau.fr
-/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d portainer.teksatcau.fr
+/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d www.c2a-systeme.fr
+/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d git.c2a-systeme.fr
+/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d api.c2a-systeme.fr
+/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d gitlab.c2a-systeme.fr
+/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d dev.api.c2a-systeme.fr
+/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d jenkins.c2a-systeme.fr
+/opt/letsencrypt/letsencrypt-auto --email mathieu.sanchez@outlook.fr --agree-tos certonly --nginx -d portainer.c2a-systeme.fr
 
 cp ./docker/conf/nginx.conf /etc/nginx/
 cp ./docker/conf/mime.types /etc/nginx/