mirror of
https://github.com/BillyOutlast/TheLounge-Shielded.git
synced 2026-07-01 09:47:23 -04:00
Initial Build
@@ -0,0 +1,7 @@
|
||||
#GlueTUN Config Example
|
||||
IRC_AIRVPN_PORT=3000
|
||||
|
||||
IRC_DDNS=irc.airdns.org
|
||||
WIREGUARD_PRIVATE_KEY=1234567890
|
||||
WIREGUARD_PRESHARED_KEY=1234567890
|
||||
WIREGUARD_ADDRESSES=10.99.99.99/32,ff:ff:ff...:ff/128
|
||||
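Review bot: The key placeholders `WIREGUARD_PRIVATE_KEY=1234567890` and `WIREGUARD_PRESHARED_KEY=1234567890` are not marked as dummy values, and the template says nothing about the copied `.env` holding secrets. Suggest an obviously fake value such as `your-private-key` (the style the README table in this commit uses), a comment stating that the real `.env` must not be committed, and a `.gitignore` entry for `.env` if one is not already present. The variables here are named `IRC_AIRVPN_PORT` and `IRC_DDNS`, while the README documents `DROP_AIRVPN_PORT` and `DROP_DDNS`; one side needs to change. The IPv6 part of `WIREGUARD_ADDRESSES` is elided (`ff:ff:ff...:ff/128`) and will not parse if the line is copied unchanged, so either give a complete documentation address or drop it from the template.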
@@ -0,0 +1,201 @@
|
||||
# Drop-Shielded
|
||||
|
||||
A secure, VPN-protected Drop media server setup using Docker Compose with Gluetun VPN tunnel, PostgreSQL database, and Nginx reverse proxy with SSL termination.
|
||||
|
||||
## Features
|
||||
|
||||
- 🔒 **VPN Protection**: All traffic routed through AirVPN using Gluetun
|
||||
- 🗄️ **Database**: PostgreSQL 14 with health checks
|
||||
- 🔐 **SSL/HTTPS**: Self-signed certificates with Nginx reverse proxy
|
||||
- 📁 **Media Library**: Configurable library paths for media storage
|
||||
- 🐳 **Containerized**: Fully containerized setup with Docker Compose
|
||||
|
||||
## Architecture
|
||||
|
||||
```
|
||||
Internet → AirVPN (Gluetun) → Nginx (SSL) → Drop Application
|
||||
↓
|
||||
PostgreSQL Database
|
||||
```
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Docker or Podman with Compose
|
||||
- AirVPN Wireguard configuration
|
||||
- OpenSSL (for certificate generation)
|
||||
|
||||
## Quick Start
|
||||
|
||||
1. **Clone the repository**
|
||||
```bash
|
||||
git clone https://github.com/BillyOutlast/Drop-Shielded.git
|
||||
cd Drop-Shielded
|
||||
```
|
||||
|
||||
2. **Configure environment**
|
||||
```bash
|
||||
cp .env.example .env
|
||||
# Edit .env with your configuration
|
||||
```
|
||||
|
||||
3. **Generate SSL certificates**
|
||||
```bash
|
||||
bash ./generate-certs.sh
|
||||
```
|
||||
|
||||
4. **Start the services**
|
||||
```bash
|
||||
docker-compose up -d
|
||||
# or with Podman
|
||||
podman-compose up -d
|
||||
```
|
||||
|
||||
5. **Access your Drop server**
|
||||
- URL: `https://your-domain:your-port`
|
||||
- Default: `https://drop.airdns.org:3000`
|
||||
|
||||
## Configuration
|
||||
|
||||
### Environment Variables
|
||||
|
||||
Copy `.env.example` to `.env` and configure:
|
||||
|
||||
| Variable | Description | Example |
|
||||
|----------|-------------|---------|
|
||||
| `DROP_AIRVPN_PORT` | External port for Drop access | `3000` |
|
||||
| `DROP_DDNS` | Your domain/DDNS hostname | `drop.airdns.org` |
|
||||
| `WIREGUARD_PRIVATE_KEY` | Your AirVPN private key | `your-private-key` |
|
||||
| `WIREGUARD_PRESHARED_KEY` | Your AirVPN preshared key | `your-preshared-key` |
|
||||
| `WIREGUARD_ADDRESSES` | Your AirVPN IP addresses | `10.99.99.99/32` |
|
||||
| `POSTGRES_PASSWORD` | PostgreSQL password | `drop` |
|
||||
| `POSTGRES_USER` | PostgreSQL username | `drop` |
|
||||
| `POSTGRES_DB` | PostgreSQL database name | `drop` |
|
||||
| `LIBRARY_PATH` | Path to your media library | `./library` |
|
||||
| `DROP_DATA_PATH` | Path to Drop data directory | `./data` |
|
||||
|
||||
### AirVPN Setup
|
||||
|
||||
1. Log into your AirVPN account
|
||||
2. Generate a Wireguard configuration
|
||||
3. Extract the private key, preshared key, and addresses
|
||||
4. Add these to your `.env` file
|
||||
|
||||
### SSL Certificates
|
||||
|
||||
The setup uses self-signed certificates generated by the included script:
|
||||
|
||||
```bash
|
||||
./generate-certs.sh
|
||||
```
|
||||
|
||||
This creates:
|
||||
- `nginx/certs/server.crt` - SSL certificate
|
||||
- `nginx/certs/server.key` - Private key
|
||||
- `nginx/certs/server.pem` - Certificate bundle
|
||||
|
||||
### Library Configuration
|
||||
|
||||
#### Single Library
|
||||
Use `LIBRARY_PATH` for a single media library:
|
||||
```env
|
||||
LIBRARY_PATH=./library
|
||||
```
|
||||
|
||||
#### Multiple Libraries
|
||||
Uncomment and configure multiple library paths in `docker-compose.yaml`:
|
||||
```yaml
|
||||
volumes:
|
||||
- ${LIBRARY_PATH_1}:/library/1
|
||||
- ${LIBRARY_PATH_2}:/library/2
|
||||
```
|
||||
|
||||
## Services
|
||||
|
||||
### Gluetun VPN
|
||||
- **Image**: `qmcgaw/gluetun`
|
||||
- **Purpose**: VPN tunnel for all traffic
|
||||
- **Network**: Host for other containers
|
||||
|
||||
### PostgreSQL
|
||||
- **Image**: `postgres:14-alpine`
|
||||
- **Purpose**: Database for Drop application
|
||||
- **Health Check**: Built-in readiness probe
|
||||
|
||||
### Nginx
|
||||
- **Image**: `nginx:alpine`
|
||||
- **Purpose**: SSL termination and reverse proxy
|
||||
- **Port**: Configurable via `DROP_AIRVPN_PORT`
|
||||
|
||||
### Drop
|
||||
- **Image**: `ghcr.io/drop-oss/drop:latest`
|
||||
- **Purpose**: Media server application
|
||||
- **Dependencies**: PostgreSQL health check
|
||||
|
||||
## File Structure
|
||||
|
||||
```
|
||||
Drop-Shielded/
|
||||
├── docker-compose.yaml # Main compose configuration
|
||||
├── .env.example # Environment template
|
||||
├── .env # Your configuration (create from example)
|
||||
├── generate-certs.sh # SSL certificate generator
|
||||
├── nginx/
|
||||
│ ├── nginx.conf # Nginx configuration
|
||||
│ └── certs/ # SSL certificates (generated)
|
||||
├── db/ # PostgreSQL data
|
||||
├── data/ # Drop application data
|
||||
├── gluetun/ # Gluetun configuration
|
||||
└── library/ # Media library
|
||||
```
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
### VPN Connection Issues
|
||||
1. Verify your AirVPN credentials in `.env`
|
||||
2. Check Gluetun logs: `docker-compose logs gluetun`
|
||||
3. Ensure your AirVPN account is active
|
||||
|
||||
### SSL Certificate Issues
|
||||
1. Regenerate certificates: `bash ./generate-certs.sh`
|
||||
2. Verify certificate permissions
|
||||
3. Check Nginx logs: `docker-compose logs nginx`
|
||||
|
||||
### Database Connection Issues
|
||||
1. Wait for PostgreSQL to start completely
|
||||
2. Check health status: `docker-compose ps`
|
||||
3. Verify database credentials in `.env`
|
||||
|
||||
### Port Access Issues
|
||||
1. Ensure `DROP_AIRVPN_PORT` is correctly configured
|
||||
2. Check firewall settings
|
||||
3. Verify VPN port forwarding
|
||||
|
||||
## Security Notes
|
||||
|
||||
- All traffic is routed through the VPN
|
||||
- Self-signed certificates provide encryption but will show browser warnings
|
||||
- Database is only accessible within the container network
|
||||
- Media libraries are mounted read-only where possible
|
||||
|
||||
## Contributing
|
||||
|
||||
1. Fork the repository
|
||||
2. Create a feature branch
|
||||
3. Make your changes
|
||||
4. Test the configuration
|
||||
5. Submit a pull request
|
||||
|
||||
## License
|
||||
|
||||
This project is open source. Please check individual component licenses:
|
||||
- [Drop](https://github.com/drop-oss/drop)
|
||||
- [Gluetun](https://github.com/qdm12/gluetun)
|
||||
- [PostgreSQL](https://www.postgresql.org/)
|
||||
- [Nginx](https://nginx.org/)
|
||||
|
||||
## Support
|
||||
|
||||
For issues related to:
|
||||
- **Drop application**: [Drop GitHub Issues](https://github.com/drop-oss/drop/issues)
|
||||
- **VPN connectivity**: [Gluetun GitHub Issues](https://github.com/qdm12/gluetun/issues)
|
||||
- **This setup**: [Create an issue](https://github.com/BillyOutlast/Drop-Shielded/issues)
|
||||
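Review bot: The Security Notes section makes claims the rest of this commit does not back: "Database is only accessible within the container network" and "Media libraries are mounted read-only where possible" describe a PostgreSQL service and library mounts that the compose file does not define (its services are `gluetun`, `nginx` and `thelounge`). The same mismatch runs through the whole README: the title, clone URL, service list and file tree are for Drop-Shielded, and the variable table uses `DROP_*` names where the compose file and `.env.example` use `IRC_*`. Suggest rewriting the document for TheLounge, removing the PostgreSQL and library sections, and restating the security notes against what the compose file actually does. If the PostgreSQL rows are kept for any reason, the example `POSTGRES_PASSWORD` of `drop` (identical to the user and database name) should become a placeholder rather than a value someone might leave in place.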
@@ -0,0 +1,58 @@
|
||||
services:
|
||||
gluetun:
|
||||
image: qmcgaw/gluetun
|
||||
container_name: gluetun-IRC-shielded
|
||||
restart: unless-stopped
|
||||
networks:
|
||||
gluetun-IRC-network:
|
||||
ipv4_address: 172.21.0.20
|
||||
cap_add:
|
||||
- NET_ADMIN
|
||||
- NET_RAW
|
||||
devices:
|
||||
- /dev/net/tun:/dev/net/tun
|
||||
ports:
|
||||
- "${IRC_AIRVPN_PORT}:${IRC_AIRVPN_PORT}"
|
||||
volumes:
|
||||
- ./gluetun:/gluetun
|
||||
environment:
|
||||
- HOSTNAME=gluetun-IRC-shielded
|
||||
- VPN_SERVICE_PROVIDER=airvpn
|
||||
- VPN_TYPE=wireguard
|
||||
- WIREGUARD_PRIVATE_KEY=${WIREGUARD_PRIVATE_KEY}
|
||||
- WIREGUARD_PRESHARED_KEY=${WIREGUARD_PRESHARED_KEY}
|
||||
- WIREGUARD_ADDRESSES=${WIREGUARD_ADDRESSES}
|
||||
- FIREWALL_VPN_INPUT_PORTS=${IRC_AIRVPN_PORT}
|
||||
nginx:
|
||||
image: nginx:alpine
|
||||
container_name: nginx-IRC-shielded
|
||||
network_mode: "service:gluetun"
|
||||
restart: unless-stopped
|
||||
environment:
|
||||
- HOSTNAME=nginx-IRC-shielded
|
||||
volumes:
|
||||
- ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
|
||||
- ./nginx/certs:/etc/nginx/certs:ro
|
||||
security_opt:
|
||||
- "label=disable"
|
||||
depends_on:
|
||||
- drop
|
||||
thelounge:
|
||||
image: ghcr.io/thelounge/thelounge:latest
|
||||
container_name: thelounge
|
||||
network_mode: "service:gluetun"
|
||||
environment:
|
||||
- HOSTNAME=thelounge-IRC-shielded
|
||||
ports:
|
||||
- "9000:9000"
|
||||
volumes:
|
||||
- ./thelounge:/var/opt/thelounge
|
||||
restart: always
|
||||
|
||||
networks:
|
||||
gluetun-IRC-network:
|
||||
driver: bridge
|
||||
name: gluetun-IRC-network
|
||||
ipam:
|
||||
config:
|
||||
- subnet: 172.21.0.0/16
|
||||
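Review bot: `depends_on: - drop` under `nginx` names a service that is not defined in this file, so Compose will reject the project; it should point at `thelounge`. Under `thelounge`, `ports: - "9000:9000"` is combined with `network_mode: "service:gluetun"`; a container that joins another service's network namespace cannot publish ports of its own, and publishing 9000 from `gluetun` instead would put the plain-HTTP upstream on the host next to the TLS listener, so the mapping should be removed and access left to nginx. Smaller points: `qmcgaw/gluetun` is untagged and `ghcr.io/thelounge/thelounge:latest` floats, so pinning both to a version or digest would make the deployment reproducible; `security_opt: - "label=disable"` on `nginx` turns off SELinux label confinement for that container and deserves a comment explaining why it is needed; `thelounge` uses `restart: always` while the other two use `unless-stopped`.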
@@ -0,0 +1,30 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Create certificates directory
|
||||
mkdir -p ./nginx/certs
|
||||
|
||||
# Generate private key
|
||||
openssl genrsa -out ./nginx/certs/server.key 2048
|
||||
|
||||
# Generate certificate signing request
|
||||
openssl req -new -key ./nginx/certs/server.key -out ./nginx/certs/server.csr -subj "/C=US/ST=State/L=City/O=Organization/OU=OrgUnit/CN=localhost"
|
||||
|
||||
# Generate self-signed certificate (valid for 365 days)
|
||||
openssl x509 -req -days 365 -in ./nginx/certs/server.csr -signkey ./nginx/certs/server.key -out ./nginx/certs/server.crt
|
||||
|
||||
# Create certificate bundle
|
||||
cat ./nginx/certs/server.crt > ./nginx/certs/server.pem
|
||||
cat ./nginx/certs/server.key >> ./nginx/certs/server.pem
|
||||
|
||||
# Set proper permissions
|
||||
chmod 600 ./nginx/certs/server.key
|
||||
chmod 644 ./nginx/certs/server.crt
|
||||
chmod 644 ./nginx/certs/server.pem
|
||||
|
||||
# Clean up CSR file
|
||||
rm ./nginx/certs/server.csr
|
||||
|
||||
echo "Self-signed certificates generated successfully!"
|
||||
echo "Certificate: ./nginx/certs/server.crt"
|
||||
echo "Private Key: ./nginx/certs/server.key"
|
||||
echo "Bundle: ./nginx/certs/server.pem"
|
||||
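Review bot: `server.pem` is built by appending `server.key` to the certificate and is then given `chmod 644`, which leaves a world-readable copy of the private key beside the `600` original. The nginx configuration in this commit only reads `server.crt` and `server.key`, so the simplest fix is to stop creating the bundle; if it has to stay, it needs `chmod 600`. The key is also written with the default umask and only tightened at the end of the script, so a `umask 077` at the top would close that window. The subject is `CN=localhost` with no subjectAltName, so the certificate will not match the DDNS hostname clients actually connect to; taking the hostname as a parameter and adding it as a SAN would fix that. There is no `set -e`, so the final "generated successfully" message is printed even when an `openssl` step fails.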
@@ -0,0 +1,42 @@
|
||||
events {
|
||||
worker_connections 1024;
|
||||
}
|
||||
|
||||
http {
|
||||
upstream drop_backend {
|
||||
server drop-shielded:9000;
|
||||
}
|
||||
|
||||
# HTTPS server
|
||||
server {
|
||||
listen ${IRC_AIRVPN_PORT} ssl;
|
||||
server_name _;
|
||||
|
||||
# SSL configuration
|
||||
ssl_certificate /etc/nginx/certs/server.crt;
|
||||
ssl_certificate_key /etc/nginx/certs/server.key;
|
||||
|
||||
# SSL settings
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers HIGH:!aNULL:!MD5;
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
location / {
|
||||
proxy_pass http://drop_backend;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
|
||||
# Handle WebSocket connections if needed
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
|
||||
# Timeout settings
|
||||
proxy_connect_timeout 60s;
|
||||
proxy_send_timeout 60s;
|
||||
proxy_read_timeout 60s;
|
||||
}
|
||||
}
|
||||
}
|
||||
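Review bot: `listen ${IRC_AIRVPN_PORT} ssl;` will reach the parser as a literal string, because nginx does not expand environment variables in its configuration and the compose file mounts this file read-only directly at `/etc/nginx/nginx.conf`; the `nginx` service also only receives `HOSTNAME` in its environment. Either hard-code the port, or ship the server block as a template through the official image's `/etc/nginx/templates` envsubst mechanism and pass `IRC_AIRVPN_PORT` to the container. The upstream `server drop-shielded:9000;` names a host that no container in the compose file has; since `nginx` and `thelounge` both use `network_mode: "service:gluetun"` they share one network namespace, so the upstream should be `127.0.0.1:9000`, and the upstream name `drop_backend` could be renamed to match. `proxy_set_header Connection "upgrade";` is sent on every request rather than only on WebSocket upgrades, and the 60s `proxy_read_timeout` may close idle WebSocket sessions, so both are worth revisiting once the proxy is reachable.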