add anubis

nginx/docker-compose.yaml

@@ -22,11 +22,25 @@ services:
       -  env.production
     extra_hosts:
       - "host.docker.internal:host-gateway"
-    labels:
-      - "diun.enable=true"
 
   certbot:
     image: certbot/certbot
     volumes:
       - ../data/certbot/conf:/etc/letsencrypt
       - ../data/certbot/www:/var/www/certbot
+
+  anubis-nginx:
+    image: ghcr.io/techarohq/anubis:latest
+    environment:
+      BIND: "/run/anubis/nginx.sock"
+      DIFFICULTY: "4"
+      METRICS_BIND: ":9090"
+      SERVE_ROBOTS_TXT: "true"
+      TARGET: "http://nginx"
+      POLICY_FNAME: "/data/cfg/botPolicy.yaml"
+      OG_PASSTHROUGH: "true"
+      OG_EXPIRY_TIME: "24h"
+    ports:
+      - 8080:8080
+    # volumes:
+    #   - "./botPolicy.yaml:/data/cfg/botPolicy.yaml:ro"

nginx/nginx/templates/000-default.conf.template

@@ -33,6 +33,13 @@ server {
 	# required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
 	chunked_transfer_encoding on;
 
+	# Forward to anubis
+	location / {
+	  proxy_set_header Host $host;
+	  proxy_set_header X-Real-IP $remote_addr;
+	  proxy_pass http://anubis;
+	}
+
 	location = /robots.txt {
 		add_header Content-Type text/plain;
 	  	return 200 "User-agent: *\nDisallow: /\n";

nginx/nginx/templates/git.conf.template

@@ -1,4 +1,6 @@
 server {
+	listen unix:/run/nginx/nginx.sock;
+
 	server_name ${GITEA_HOSTNAME};
 	client_max_body_size 128m;
 
@@ -21,17 +23,18 @@ server {
 		proxy_set_header X-Forwarded-Proto $scheme;
 	}
 
-        # force login with OIDC
-        location /user/login {
-          return 302 https://${GITEA_HOSTNAME}/user/oauth2/keycloak;
-        }
-
-	listen 443 ssl;
-	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
-	ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
-	include /etc/nginx/includes/options-ssl-nginx.conf;
-	include /etc/nginx/includes/challenge.conf;
-	ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
+    # force login with OIDC
+    location /user/login {
+      return 302 https://${GITEA_HOSTNAME}/user/oauth2/keycloak;
+    }
+
+	# listen 443 ssl;
+	# ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
+	# ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
+
+	# include /etc/nginx/includes/options-ssl-nginx.conf;
+	# include /etc/nginx/includes/challenge.conf;
+	# ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
 }
 
 

nginx/nginx/templates/upstream-anubis.conf.template

@@ -0,0 +1,14 @@
+upstream anubis {
+  # Make sure this matches the values you set for `BIND` and `BIND_NETWORK`.
+  # If this does not match, your services will not be protected by Anubis.
+
+  # Try anubis first over a UNIX socket
+  server unix:/run/anubis/nginx.sock;
+  #server 127.0.0.1:8923;
+
+  # Optional: fall back to serving the websites directly. This allows your
+  # websites to be resilient against Anubis failing, at the risk of exposing
+  # them to the raw internet without protection. This is a tradeoff and can
+  # be worth it in some edge cases.
+  #server unix:/run/nginx.sock backup;
+}