From 6f303873db7b655a29cb6d9f925bae7ae82102e9 Mon Sep 17 00:00:00 2001
From: John Doe
Date: Sun, 30 Nov 2025 19:17:32 -0500
Subject: [PATCH] Initial Build
---
.env.example | 7 ++
README.md | 201 ++++++++++++++++++++++++++++++++++++++++++++
docker-compose.yaml | 58 +++++++++++++
generate-certs.sh | 30 +++++++
nginx/nginx.conf | 42 +++++++++
5 files changed, 338 insertions(+)
create mode 100644 .env.example
create mode 100644 README.md
create mode 100644 docker-compose.yaml
create mode 100644 generate-certs.sh
create mode 100644 nginx/nginx.conf
diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..984cd88
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,7 @@
+#GlueTUN Config Example
+IRC_AIRVPN_PORT=3000
+
+IRC_DDNS=irc.airdns.org
+WIREGUARD_PRIVATE_KEY=1234567890
+WIREGUARD_PRESHARED_KEY=1234567890
+WIREGUARD_ADDRESSES=10.99.99.99/32,ff:ff:ff...:ff/128
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..f546160
--- /dev/null
+++ b/README.md
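Review bot: The example tells users to copy this file to `.env` and fill in `WIREGUARD_PRIVATE_KEY` and `WIREGUARD_PRESHARED_KEY`, yet none of the five files in the diffstat is a `.gitignore`, so the populated `.env` (and the `nginx/certs/` directory generate-certs.sh creates, which holds the TLS private key) is committed by default. Adding a `.gitignore` with `.env` and `nginx/certs/` in this same commit would keep both out of history. The `WIREGUARD_ADDRESSES` value `ff:ff:ff...:ff/128` is not a parseable IPv6 prefix, so a user who leaves that half as shipped gets a Gluetun startup error rather than a hint; a comment such as `# paste the Address line from your AirVPN Wireguard config (IPv4/32,IPv6/128)` would be clearer. The names `IRC_AIRVPN_PORT` and `IRC_DDNS` also disagree with the `DROP_AIRVPN_PORT`/`DROP_DDNS` that README.md documents in this commit; one side should be renamed so the documented variables are the ones the compose file reads.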
@@ -0,0 +1,201 @@
+# Drop-Shielded
+
+A secure, VPN-protected Drop media server setup using Docker Compose with Gluetun VPN tunnel, PostgreSQL database, and Nginx reverse proxy with SSL termination.
+
+## Features
+
+- 🔒 **VPN Protection**: All traffic routed through AirVPN using Gluetun
+- 🗄️ **Database**: PostgreSQL 14 with health checks
+- 🔐 **SSL/HTTPS**: Self-signed certificates with Nginx reverse proxy
+- 📁 **Media Library**: Configurable library paths for media storage
+- 🐳 **Containerized**: Fully containerized setup with Docker Compose
+
+## Architecture
+
+```
+Internet → AirVPN (Gluetun) → Nginx (SSL) → Drop Application
+ ↓
+ PostgreSQL Database
+```
+
+## Prerequisites
+
+- Docker or Podman with Compose
+- AirVPN Wireguard configuration
+- OpenSSL (for certificate generation)
+
+## Quick Start
+
+1. **Clone the repository**
+ ```bash
+ git clone https://github.com/BillyOutlast/Drop-Shielded.git
+ cd Drop-Shielded
+ ```
+
+2. **Configure environment**
+ ```bash
+ cp .env.example .env
+ # Edit .env with your configuration
+ ```
+
+3. **Generate SSL certificates**
+ ```bash
+ bash ./generate-certs.sh
+ ```
+
+4. **Start the services**
+ ```bash
+ docker-compose up -d
+ # or with Podman
+ podman-compose up -d
+ ```
+
+5. **Access your Drop server**
+ - URL: `https://your-domain:your-port`
+ - Default: `https://drop.airdns.org:3000`
+
+## Configuration
+
+### Environment Variables
+
+Copy `.env.example` to `.env` and configure:
+
+| Variable | Description | Example |
+|----------|-------------|---------|
+| `DROP_AIRVPN_PORT` | External port for Drop access | `3000` |
+| `DROP_DDNS` | Your domain/DDNS hostname | `drop.airdns.org` |
+| `WIREGUARD_PRIVATE_KEY` | Your AirVPN private key | `your-private-key` |
+| `WIREGUARD_PRESHARED_KEY` | Your AirVPN preshared key | `your-preshared-key` |
+| `WIREGUARD_ADDRESSES` | Your AirVPN IP addresses | `10.99.99.99/32` |
+| `POSTGRES_PASSWORD` | PostgreSQL password | `drop` |
+| `POSTGRES_USER` | PostgreSQL username | `drop` |
+| `POSTGRES_DB` | PostgreSQL database name | `drop` |
+| `LIBRARY_PATH` | Path to your media library | `./library` |
+| `DROP_DATA_PATH` | Path to Drop data directory | `./data` |
+
+### AirVPN Setup
+
+1. Log into your AirVPN account
+2. Generate a Wireguard configuration
+3. Extract the private key, preshared key, and addresses
+4. Add these to your `.env` file
+
+### SSL Certificates
+
+The setup uses self-signed certificates generated by the included script:
+
+```bash
+./generate-certs.sh
+```
+
+This creates:
+- `nginx/certs/server.crt` - SSL certificate
+- `nginx/certs/server.key` - Private key
+- `nginx/certs/server.pem` - Certificate bundle
+
+### Library Configuration
+
+#### Single Library
+Use `LIBRARY_PATH` for a single media library:
+```env
+LIBRARY_PATH=./library
+```
+
+#### Multiple Libraries
+Uncomment and configure multiple library paths in `docker-compose.yaml`:
+```yaml
+volumes:
+ - ${LIBRARY_PATH_1}:/library/1
+ - ${LIBRARY_PATH_2}:/library/2
+```
+
+## Services
+
+### Gluetun VPN
+- **Image**: `qmcgaw/gluetun`
+- **Purpose**: VPN tunnel for all traffic
+- **Network**: Host for other containers
+
+### PostgreSQL
+- **Image**: `postgres:14-alpine`
+- **Purpose**: Database for Drop application
+- **Health Check**: Built-in readiness probe
+
+### Nginx
+- **Image**: `nginx:alpine`
+- **Purpose**: SSL termination and reverse proxy
+- **Port**: Configurable via `DROP_AIRVPN_PORT`
+
+### Drop
+- **Image**: `ghcr.io/drop-oss/drop:latest`
+- **Purpose**: Media server application
+- **Dependencies**: PostgreSQL health check
+
+## File Structure
+
+```
+Drop-Shielded/
+├── docker-compose.yaml # Main compose configuration
+├── .env.example # Environment template
+├── .env # Your configuration (create from example)
+├── generate-certs.sh # SSL certificate generator
+├── nginx/
+│ ├── nginx.conf # Nginx configuration
+│ └── certs/ # SSL certificates (generated)
+├── db/ # PostgreSQL data
+├── data/ # Drop application data
+├── gluetun/ # Gluetun configuration
+└── library/ # Media library
+```
+
+## Troubleshooting
+
+### VPN Connection Issues
+1. Verify your AirVPN credentials in `.env`
+2. Check Gluetun logs: `docker-compose logs gluetun`
+3. Ensure your AirVPN account is active
+
+### SSL Certificate Issues
+1. Regenerate certificates: `bash ./generate-certs.sh`
+2. Verify certificate permissions
+3. Check Nginx logs: `docker-compose logs nginx`
+
+### Database Connection Issues
+1. Wait for PostgreSQL to start completely
+2. Check health status: `docker-compose ps`
+3. Verify database credentials in `.env`
+
+### Port Access Issues
+1. Ensure `DROP_AIRVPN_PORT` is correctly configured
+2. Check firewall settings
+3. Verify VPN port forwarding
+
+## Security Notes
+
+- All traffic is routed through the VPN
+- Self-signed certificates provide encryption but will show browser warnings
+- Database is only accessible within the container network
+- Media libraries are mounted read-only where possible
+
+## Contributing
+
+1. Fork the repository
+2. Create a feature branch
+3. Make your changes
+4. Test the configuration
+5. Submit a pull request
+
+## License
+
+This project is open source. Please check individual component licenses:
+- [Drop](https://github.com/drop-oss/drop)
+- [Gluetun](https://github.com/qdm12/gluetun)
+- [PostgreSQL](https://www.postgresql.org/)
+- [Nginx](https://nginx.org/)
+
+## Support
+
+For issues related to:
+- **Drop application**: [Drop GitHub Issues](https://github.com/drop-oss/drop/issues)
+- **VPN connectivity**: [Gluetun GitHub Issues](https://github.com/qdm12/gluetun/issues)
+- **This setup**: [Create an issue](https://github.com/BillyOutlast/Drop-Shielded/issues)
\ No newline at end of file
diff --git a/docker-compose.yaml b/docker-compose.yaml
new file mode 100644
index 0000000..dd35845
--- /dev/null
+++ b/docker-compose.yaml
@@ -0,0 +1,58 @@
+services:
+ gluetun:
+ image: qmcgaw/gluetun
+ container_name: gluetun-IRC-shielded
+ restart: unless-stopped
+ networks:
+ gluetun-IRC-network:
+ ipv4_address: 172.21.0.20
+ cap_add:
+ - NET_ADMIN
+ - NET_RAW
+ devices:
+ - /dev/net/tun:/dev/net/tun
+ ports:
+ - "${IRC_AIRVPN_PORT}:${IRC_AIRVPN_PORT}"
+ volumes:
+ - ./gluetun:/gluetun
+ environment:
+ - HOSTNAME=gluetun-IRC-shielded
+ - VPN_SERVICE_PROVIDER=airvpn
+ - VPN_TYPE=wireguard
+ - WIREGUARD_PRIVATE_KEY=${WIREGUARD_PRIVATE_KEY}
+ - WIREGUARD_PRESHARED_KEY=${WIREGUARD_PRESHARED_KEY}
+ - WIREGUARD_ADDRESSES=${WIREGUARD_ADDRESSES}
+ - FIREWALL_VPN_INPUT_PORTS=${IRC_AIRVPN_PORT}
+ nginx:
+ image: nginx:alpine
+ container_name: nginx-IRC-shielded
+ network_mode: "service:gluetun"
+ restart: unless-stopped
+ environment:
+ - HOSTNAME=nginx-IRC-shielded
+ volumes:
+ - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+ - ./nginx/certs:/etc/nginx/certs:ro
+ security_opt:
+ - "label=disable"
+ depends_on:
+ - drop
+ thelounge:
+ image: ghcr.io/thelounge/thelounge:latest
+ container_name: thelounge
+ network_mode: "service:gluetun"
+ environment:
+ - HOSTNAME=thelounge-IRC-shielded
+ ports:
+ - "9000:9000"
+ volumes:
+ - ./thelounge:/var/opt/thelounge
+ restart: always
+
+networks:
+ gluetun-IRC-network:
+ driver: bridge
+ name: gluetun-IRC-network
+ ipam:
+ config:
+ - subnet: 172.21.0.0/16
\ No newline at end of file
diff --git a/generate-certs.sh b/generate-certs.sh
new file mode 100644
index 0000000..3a0db0e
--- /dev/null
+++ b/generate-certs.sh
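Review bot: `depends_on: - drop` under the nginx service names a service this file never defines (only gluetun, nginx and thelounge exist), so Compose rejects the file before any container starts; it should read `- thelounge`, which is the backend nginx actually fronts. The thelounge service combines `network_mode: "service:gluetun"` with `ports: - "9000:9000"`, and the daemon refuses port publishing on a container that shares another container's network namespace; if the mapping were moved onto gluetun instead, The Lounge's plain-HTTP listener would be reachable from the host and LAN directly, bypassing both the TLS termination in nginx and the `FIREWALL_VPN_INPUT_PORTS` restriction. Dropping the `ports:` entry and reaching The Lounge only through nginx on `${IRC_AIRVPN_PORT}` keeps a single, TLS-wrapped published port. Note also that the gluetun `ports:` mapping publishes that port on every host interface, not only via the VPN; if LAN exposure is unintended, binding it as `"127.0.0.1:${IRC_AIRVPN_PORT}:${IRC_AIRVPN_PORT}"` limits it to local access while the VPN port-forward still reaches it.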
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# Create certificates directory
+mkdir -p ./nginx/certs
+
+# Generate private key
+openssl genrsa -out ./nginx/certs/server.key 2048
+
+# Generate certificate signing request
+openssl req -new -key ./nginx/certs/server.key -out ./nginx/certs/server.csr -subj "/C=US/ST=State/L=City/O=Organization/OU=OrgUnit/CN=localhost"
+
+# Generate self-signed certificate (valid for 365 days)
+openssl x509 -req -days 365 -in ./nginx/certs/server.csr -signkey ./nginx/certs/server.key -out ./nginx/certs/server.crt
+
+# Create certificate bundle
+cat ./nginx/certs/server.crt > ./nginx/certs/server.pem
+cat ./nginx/certs/server.key >> ./nginx/certs/server.pem
+
+# Set proper permissions
+chmod 600 ./nginx/certs/server.key
+chmod 644 ./nginx/certs/server.crt
+chmod 644 ./nginx/certs/server.pem
+
+# Clean up CSR file
+rm ./nginx/certs/server.csr
+
+echo "Self-signed certificates generated successfully!"
+echo "Certificate: ./nginx/certs/server.crt"
+echo "Private Key: ./nginx/certs/server.key"
+echo "Bundle: ./nginx/certs/server.pem"
\ No newline at end of file
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
new file mode 100644
index 0000000..5cc7dc0
--- /dev/null
+++ b/nginx/nginx.conf
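Review bot: `server.pem` is built by appending `server.key` to the certificate and is then set to `chmod 644`, so the private key ends up world-readable in a file that nginx.conf in this commit never references (it loads `server.crt` and `server.key` directly); either drop the bundle step or change the last chmod to `chmod 600 ./nginx/certs/server.pem`. The script also runs without `set -euo pipefail`, so a failed `openssl` step still reaches the "generated successfully" message and leaves a partial key/cert pair behind; adding `set -euo pipefail` and `umask 077` under the shebang makes failures visible and avoids the key being world-readable between `genrsa` and the later `chmod`. The certificate carries `CN=localhost` and no subjectAltName while README.md documents the service at a DDNS hostname; browsers ignore CN, and because `x509 -req` does not copy CSR extensions, the simplest fix is a single `openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout ... -out ... -subj ... -addext "subjectAltName=DNS:<your-hostname>"` call (OpenSSL 1.1.1+) replacing the three-step genrsa/req/x509 sequence.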
@@ -0,0 +1,42 @@
+events {
+ worker_connections 1024;
+}
+
+http {
+ upstream drop_backend {
+ server drop-shielded:9000;
+ }
+
+ # HTTPS server
+ server {
+ listen ${IRC_AIRVPN_PORT} ssl;
+ server_name _;
+
+ # SSL configuration
+ ssl_certificate /etc/nginx/certs/server.crt;
+ ssl_certificate_key /etc/nginx/certs/server.key;
+
+ # SSL settings
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ ssl_prefer_server_ciphers on;
+
+ location / {
+ proxy_pass http://drop_backend;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+
+ # Handle WebSocket connections if needed
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ # Timeout settings
+ proxy_connect_timeout 60s;
+ proxy_send_timeout 60s;
+ proxy_read_timeout 60s;
+ }
+ }
+}
\ No newline at end of file
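Review bot: `listen ${IRC_AIRVPN_PORT} ssl;` cannot work as written: nginx does not expand environment variables in its configuration, and the `nginx:alpine` image's envsubst step only renders `/etc/nginx/templates/*.template` into `conf.d`, whereas docker-compose.yaml in this commit bind-mounts this file straight to `/etc/nginx/nginx.conf`, so the literal `${...}` reaches the config parser and nginx fails at load. `upstream drop_backend { server drop-shielded:9000; }` likewise names a host that no service in the compose file provides, which is a second fatal error at startup; because nginx and thelounge both run with `network_mode: "service:gluetun"` they share one network namespace, and the line should be `server 127.0.0.1:9000;`. For the port, either hard-code the value of `IRC_AIRVPN_PORT` here, or mount the file as `/etc/nginx/templates/default.conf.template` and keep only the `server {}` block in it (the `events`/`http` wrappers come from the image's main config in that layout). Setting `Connection "upgrade"` on every proxied request is a minor style point; the usual `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` in the `http` block restricts it to genuine WebSocket upgrades.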