feature/jenkins-proxy (#182)

Co-authored-by: Michael Hoennig <michael@hoennig.de> Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/182 Reviewed-by: Marc Sandlus <marc.sandlus@hostsharing.net>
2025-07-01 11:58:20 +02:00
parent ad1537b856
commit fee080dbf4
9 changed files with 220 additions and 22 deletions
--- a/Jenkins/nginx-proxy/nginx-letsencrypt-renew.service
+++ b/Jenkins/nginx-proxy/nginx-letsencrypt-renew.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Renew Let's Encrypt certs via Make
+
+[Service]
+Type=oneshot
+WorkingDirectory=%h/hs.hsadmin.ng/Jenkins
+ExecStart=/usr/bin/make nginx-letsencrypt-renew
+
--- a/Jenkins/nginx-proxy/nginx-letsencrypt-renew.timer
+++ b/Jenkins/nginx-proxy/nginx-letsencrypt-renew.timer
@@ -0,0 +1,11 @@
+[Unit]
+Description=Run cert renew Make target at ~5 AM daily
+
+[Timer]
+OnCalendar=05:05
+RandomizedDelaySec=20m
+Persistent=true
+
+[Install]
+WantedBy=timers.target
+
--- a/Jenkins/nginx-proxy/nginx.conf
+++ b/Jenkins/nginx-proxy/nginx.conf
@@ -0,0 +1,40 @@
+events {}
+
+http {
+    server {
+        listen 80;
+        server_name %SERVER_NAME;
+
+        # directly answer initial certbot request
+        location /.well-known/acme-challenge/ {
+            root /var/www/certbot;
+        }
+
+        # forward all other HTTP-requests to HTTPS
+        location / {
+            return 301 https://$host$request_uri;
+        }
+    }
+
+    server {
+        listen 443 ssl;
+        server_name %SERVER_NAME;
+
+        ssl_certificate /etc/letsencrypt/live/%SERVER_NAME/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/%SERVER_NAME/privkey.pem;
+        include /etc/letsencrypt/options-ssl-nginx.conf;
+
+        location /.well-known/acme-challenge/ {
+            root /var/www/certbot;
+        }
+
+        location / {
+            proxy_pass http://%SERVER_NAME:8090;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+    }
+}
+
--- a/Jenkins/nginx-proxy/options-ssl-nginx.conf
+++ b/Jenkins/nginx-proxy/options-ssl-nginx.conf
@@ -0,0 +1,7 @@
+ssl_session_cache shared:le_nginx_SSL:1m;
+ssl_session_timeout 1440m;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers off;
+
+ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:...";
+ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;