From ed0133e9433c7d4965516a2b3d89e24584b4f061 Mon Sep 17 00:00:00 2001
From: Archos
Date: Sat, 7 Mar 2026 11:45:28 +0100
Subject: [PATCH] fix: trusted-proxies, nginx configs, bootstrap ssh/ufw, add zkreml.cz template

---
 bootstrap.sh | 2 +-
 docker-compose.yml | 2 ++
 nginx/gotosocial.conf | 14 +-----------
 nginx/zkreml.cz.conf | 18 +++++++++++++++
 scripts/install.sh | 51 +++++++++++++++++++++++++++++++++----------
 5 files changed, 62 insertions(+), 25 deletions(-)
 create mode 100644 nginx/zkreml.cz.conf

diff --git a/bootstrap.sh b/bootstrap.sh
index caca25d..b40616a 100755
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -61,7 +61,7 @@ SSHD_CONF="/etc/ssh/sshd_config"
 sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin prohibit-password/' "$SSHD_CONF"
 # Zakaz PasswordAuthentication (pouze klíče)
 sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' "$SSHD_CONF"
-systemctl reload sshd
+systemctl reload ssh.service
 
 # === UFW firewall ===
 echo "==> Konfigurace UFW firewallu..."
diff --git a/docker-compose.yml b/docker-compose.yml
index 8f8c9a5..3888b3c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,6 +7,8 @@ services:
     restart: unless-stopped
     env_file:
       - .env
+    environment:
+      - GTS_TRUSTED_PROXIES=127.0.0.1/32,172.18.0.1/16
     ports:
       - "127.0.0.1:8080:8080"
     volumes:
diff --git a/nginx/gotosocial.conf b/nginx/gotosocial.conf
index b4377e3..8b90ce3 100644
--- a/nginx/gotosocial.conf
+++ b/nginx/gotosocial.conf
@@ -1,19 +1,7 @@
 server {
     listen 80;
     listen [::]:80;
-    server_name vase-domena.cz;
-
-    # Certbot automaticky přidá přesměrování na HTTPS
-}
-
-server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
-    server_name vase-domena.cz;
-
-    # SSL – Certbot doplní automaticky
-    # ssl_certificate /etc/letsencrypt/live/vase-domena.cz/fullchain.pem;
-    # ssl_certificate_key /etc/letsencrypt/live/vase-domena.cz/privkey.pem;
+    server_name GTS_HOST;
 
     client_max_body_size 40M;
 
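Review bot: `systemctl reload ssh.service` on the new line runs right after two unchecked `sed -i` rewrites of sshd_config, so a malformed result is only discovered when sshd refuses the reload and remote access is already gone; validate first with `sshd -t || { echo 'sshd_config invalid, not reloading' >&2; exit 1; }`. The sed edits also touch only `/etc/ssh/sshd_config`; on distributions that ship `Include /etc/ssh/sshd_config.d/*.conf` at the top of that file (not visible here), a drop-in such as a cloud-init `PasswordAuthentication yes` is read first and silently wins, so the hardening should be asserted after the reload with `sshd -T | grep -qi '^passwordauthentication no'`. The rest of the script around this hunk is outside the view.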
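Review bot: `GTS_TRUSTED_PROXIES=127.0.0.1/32,172.18.0.1/16` effectively trusts the whole 172.18.0.0/16 bridge (a /16 mask discards the .0.1 host bits), so any other container on that network can set `X-Forwarded-For` and spoof the client address GoToSocial uses for logging and rate limiting; host nginx typically reaches the published 127.0.0.1:8080 port from the bridge gateway only, so `172.18.0.1/32` is the tight value. Nothing in this file pins the compose network subnet, so 172.18.x is an assumption about Docker's allocation order that should be fixed with an explicit `networks:` definition or at least documented next to the line. In Compose, `environment:` takes precedence over `env_file:`, so a GTS_TRUSTED_PROXIES set in .env is now silently ignored; worth a comment such as `# overrides any GTS_TRUSTED_PROXIES in .env`.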
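Review bot: the new `server_name GTS_HOST;` is a placeholder rewritten by a sed in scripts/install.sh, and with the 443 block removed nothing in this file now says that it is a template or that TLS is expected to come from `certbot --nginx`; add `# GTS_HOST is substituted by scripts/install.sh; the 443 server block and HTTP->HTTPS redirect are added by certbot --nginx` above `server_name`. Until certbot has run, this block proxies the instance in cleartext on port 80, which the removed comment at least used to hint at. The server block continues past the end of the hunk.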
diff --git a/nginx/zkreml.cz.conf b/nginx/zkreml.cz.conf
new file mode 100644
index 0000000..fbaa101
--- /dev/null
+++ b/nginx/zkreml.cz.conf
@@ -0,0 +1,18 @@
+server {
+    listen 80;
+    listen [::]:80;
+    server_name ACCOUNT_DOMAIN;
+
+    # Webfinger a discovery endpointy – přesměruj na GoToSocial instanci
+    location = /.well-known/webfinger {
+        return 301 https://GTS_HOST$request_uri;
+    }
+
+    location = /.well-known/nodeinfo {
+        return 301 https://GTS_HOST$request_uri;
+    }
+
+    location = /.well-known/host-meta {
+        return 301 https://GTS_HOST$request_uri;
+    }
+}
diff --git a/scripts/install.sh b/scripts/install.sh
index 4a1b40e..91a435d 100755
--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -80,17 +80,20 @@ fi
 CONFIG_FILE="$ROOT_DIR/config/config.yaml"
 NGINX_CONF="$ROOT_DIR/nginx/gotosocial.conf"
+NGINX_CONF_ZKREML="$ROOT_DIR/nginx/zkreml.cz.conf"
 
 echo ""
 echo "==> Nastavení konfigurace..."
 
 # Záloha originálů pro idempotentní opakované spuštění
-[ -f "${CONFIG_FILE}.orig" ] || cp "$CONFIG_FILE" "${CONFIG_FILE}.orig"
-[ -f "${NGINX_CONF}.orig" ] || cp "$NGINX_CONF" "${NGINX_CONF}.orig"
+[ -f "${CONFIG_FILE}.orig" ] || cp "$CONFIG_FILE" "${CONFIG_FILE}.orig"
+[ -f "${NGINX_CONF}.orig" ] || cp "$NGINX_CONF" "${NGINX_CONF}.orig"
+[ -f "${NGINX_CONF_ZKREML}.orig" ] || cp "$NGINX_CONF_ZKREML" "${NGINX_CONF_ZKREML}.orig"
 
 # Vždy pracuj z originálu
-cp "${CONFIG_FILE}.orig" "$CONFIG_FILE"
-cp "${NGINX_CONF}.orig" "$NGINX_CONF"
+cp "${CONFIG_FILE}.orig" "$CONFIG_FILE"
+cp "${NGINX_CONF}.orig" "$NGINX_CONF"
+cp "${NGINX_CONF_ZKREML}.orig" "$NGINX_CONF_ZKREML"
 
 # config.yaml – host
 sed -i "s|host: \".*\"|host: \"${GTS_DOMAIN}\"|" "$CONFIG_FILE"
 
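Review bot: nginx/zkreml.cz.conf is a template with `ACCOUNT_DOMAIN` and `GTS_HOST` placeholders that install.sh renders into `sites-available/${GTS_ACCOUNT_DOMAIN}`, but its name reads as a deployment-specific config for one domain and nothing inside says which tokens are substituted; either rename it (e.g. `account-domain.conf.template`) or add a header `# Template: ACCOUNT_DOMAIN and GTS_HOST are substituted by scripts/install.sh`. As written the block only listens on port 80, so the three `return 301 https://GTS_HOST$request_uri` redirects are unreachable for the HTTPS webfinger lookups remote instances make until certbot has added a TLS server for ACCOUNT_DOMAIN; the same comment should say so.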
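Review bot: the new `${NGINX_CONF_ZKREML}.orig` copy (like the two existing ones) is taken from whatever the tracked template contains on the first run and then used on every later run, so a `git pull` that updates a template is ignored until someone deletes the `.orig` files by hand, and a first run against an already-substituted file freezes the substituted values as the "original". Rendering into a separate output file (`sed ... "$NGINX_CONF" > "$ROOT_DIR/build/gotosocial.conf"`) instead of editing the tracked templates in place removes the backup-and-restore step entirely. The `-`/`+` pairs in this hunk differ only in whitespace as far as the listing shows.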
@@ -100,14 +103,26 @@ if [ "$SEPARATE_ACCOUNT_DOMAIN" = true ]; then
     sed -i "s|# account-domain: \".*\"|account-domain: \"${GTS_ACCOUNT_DOMAIN}\"|" "$CONFIG_FILE"
 fi
 
-# nginx – server_name a references na doménu
-sed -i "s|server_name .*;|server_name ${GTS_DOMAIN};|g" "$NGINX_CONF"
-sed -i "s|vase-domena\.cz|${GTS_DOMAIN}|g" "$NGINX_CONF"
+# nginx gotosocial.conf – dosaď GTS_HOST
+sed -i "s|GTS_HOST|${GTS_DOMAIN}|g" "$NGINX_CONF"
 
-# Nasazení nginx konfigurace
+# nginx zkreml.cz.conf – dosaď ACCOUNT_DOMAIN a GTS_HOST
+if [ "$SEPARATE_ACCOUNT_DOMAIN" = true ]; then
+    sed -i "s|ACCOUNT_DOMAIN|${GTS_ACCOUNT_DOMAIN}|g" "$NGINX_CONF_ZKREML"
+    sed -i "s|GTS_HOST|${GTS_DOMAIN}|g" "$NGINX_CONF_ZKREML"
+fi
+
+# === Nasazení nginx konfigurací ===
 echo "==> Nasazení Nginx konfigurace..."
 cp "$NGINX_CONF" /etc/nginx/sites-available/gotosocial
 ln -sf /etc/nginx/sites-available/gotosocial /etc/nginx/sites-enabled/gotosocial
+
+if [ "$SEPARATE_ACCOUNT_DOMAIN" = true ]; then
+    cp "$NGINX_CONF_ZKREML" "/etc/nginx/sites-available/${GTS_ACCOUNT_DOMAIN}"
+    ln -sf "/etc/nginx/sites-available/${GTS_ACCOUNT_DOMAIN}" \
+        "/etc/nginx/sites-enabled/${GTS_ACCOUNT_DOMAIN}"
+fi
+
 nginx -t
 systemctl reload nginx
 
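Review bot: `${GTS_DOMAIN}` and `${GTS_ACCOUNT_DOMAIN}` are spliced unvalidated into sed replacement strings (`s|GTS_HOST|${GTS_DOMAIN}|g`) and, new in this hunk, into paths under /etc/nginx/sites-available: a value containing `|`, `&` or `\` corrupts the rendered nginx config, and one containing `/` or `..` writes the symlink and file outside sites-available. Guard both before use, e.g. `[[ "$GTS_ACCOUNT_DOMAIN" =~ ^[A-Za-z0-9.-]+$ ]] || { echo "invalid account domain" >&2; exit 1; }`. `nginx -t` followed by `systemctl reload nginx` on separate lines only stops on a failed test if `set -e` is active, which is not visible here; `nginx -t && systemctl reload nginx` makes the dependency explicit. Where the two domains are read is outside the hunk.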
@@ -136,14 +151,28 @@ $DC exec gotosocial /gotosocial/gotosocial admin account create \
 $DC exec gotosocial /gotosocial/gotosocial admin account promote \
     --username "$ADMIN_USER"
 
-# === SSL certifikát ===
+# === SSL certifikáty ===
 echo ""
-echo "==> Získání SSL certifikátu přes Certbot..."
+echo "==> Získání SSL certifikátu pro ${GTS_DOMAIN}..."
 certbot --nginx -d "$GTS_DOMAIN"
+if [ "$SEPARATE_ACCOUNT_DOMAIN" = true ]; then
+    echo "==> Získání SSL certifikátu pro ${GTS_ACCOUNT_DOMAIN}..."
+    certbot --nginx -d "$GTS_ACCOUNT_DOMAIN"
+fi
+
+# === Hotovo ===
 
 echo ""
 echo "==> Instalace dokončena!"
-echo "    GoToSocial je dostupný na https://${GTS_DOMAIN}"
+echo ""
+echo "    GoToSocial: https://${GTS_DOMAIN}"
 if [ "$SEPARATE_ACCOUNT_DOMAIN" = true ]; then
+    echo "    Hlavní doména: https://${GTS_ACCOUNT_DOMAIN}"
     echo "    Účty budou mít formát @uživatel@${GTS_ACCOUNT_DOMAIN}"
 fi
+echo ""
+echo "NEZAPOMENOUT nastavit DNS záznamy:"
+echo "    ${GTS_DOMAIN} -> IP tohoto serveru"
+if [ "$SEPARATE_ACCOUNT_DOMAIN" = true ]; then
+    echo "    ${GTS_ACCOUNT_DOMAIN} -> IP tohoto serveru"
+fi
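Review bot: both `certbot --nginx -d ...` calls run without `--redirect`, so whether the port-80 server block that this commit trimmed to a single listener keeps proxying GoToSocial in cleartext now depends on the certbot version and on how the operator answers an interactive prompt, while the comment that promised a redirect was removed from nginx/gotosocial.conf in the same commit; make it explicit with `certbot --nginx --redirect -d "$GTS_DOMAIN"` (and the same for `$GTS_ACCOUNT_DOMAIN`), optionally adding `--hsts`. The admin account is created and the container is already serving before either certificate exists, so a first browser login in that window goes over HTTP; moving the certbot block ahead of the account-creation step closes it. If certbot fails the script still prints "Instalace dokončena!" unless `set -e` is in effect, which is outside this hunk.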