From 0ac6a62507070c29207578cac75279ba599ac376 Mon Sep 17 00:00:00 2001 From: Aaron Johnon Date: Tue, 11 Jan 2022 19:27:45 -0600 Subject: [PATCH] Added the rest of the files; updated for password security --- .gitignore | 1 + zabbix/docker-compose.yml | 21 ++++++++----------- zabbix/example/psql.env | 4 ++++ zabbix/zabbix/zabbix-server/build/Dockerfile | 3 +++ zabbix/zabbix/zabbix-web/build/Dockerfile | 14 +++++++++++++ .../zabbix/zabbix-web/build/letsencrypt.conf | 5 +++++ 6 files changed, 36 insertions(+), 12 deletions(-) create mode 100644 zabbix/example/psql.env create mode 100644 zabbix/zabbix/zabbix-server/build/Dockerfile create mode 100644 zabbix/zabbix/zabbix-web/build/Dockerfile create mode 100644 zabbix/zabbix/zabbix-web/build/letsencrypt.conf diff --git a/.gitignore b/.gitignore index 91e7a83..7bdb681 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ /zabbix/psql_password +/zabbix/psql.env diff --git a/zabbix/docker-compose.yml b/zabbix/docker-compose.yml index 5628920..a8c2f0c 100644 --- a/zabbix/docker-compose.yml +++ b/zabbix/docker-compose.yml @@ -1,7 +1,9 @@ version: '3.3' -secrets: - psql_password: - file: ./psql_password +#secrets: +# psql_password: +# file: ./psql_password +env_file: + - psql.env services: zabbix-web: @@ -23,9 +25,6 @@ services: ZBX_SERVER_NAME: Skyfall Zabbix ZBX_SERVER_HOST: zabbix-server DB_SERVER_HOST: zabbix-database - POSTGRES_DB: zabbix - POSTGRES_USER: zabbix - POSTGRES_PASSWORD_FILE: /run/secrets/psql_password PHP_TZ: America/Chicago zabbix-server: @@ -52,9 +51,6 @@ services: - ./zabbix/zabbix-server/data/mibs:/var/lib/zabbix/mibs environment: DB_SERVER_HOST: zabbix-database - POSTGRES_DB: zabbix - POSTGRES_USER: zabbix - POSTGRES_PASSWORD_FILE: /run/secrets/psql_password TZ: America/Chicago zabbix-database: 
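Review bot: `env_file` is not a valid top-level key in a Compose file; it is a per-service attribute, so the `env_file:` list added at the top of zabbix/docker-compose.yml will be rejected or ignored and no container receives the POSTGRES_* values. The later hunks (-25,9, -52,9 and -67,9) delete those values from zabbix-web, zabbix-server and zabbix-database, so all three services depend on it. Moving the password from the file-backed secret (`POSTGRES_PASSWORD_FILE: /run/secrets/psql_password`) to a plain environment variable also makes it readable through `docker inspect` and the process environment, which works against the stated goal of the commit. Either keep the `secrets:` block and the `POSTGRES_PASSWORD_FILE` entries, or put `env_file: [psql.env]` under each service that needs it.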
@@ -67,9 +63,10 @@ services: zabbix_network: ipv4_address: 192.168.176.2 environment: - POSTGRES_DB: zabbix - POSTGRES_USER: zabbix - POSTGRES_PASSWORD_FILE: /run/secrets/psql_password + #POSTGRES_DB: zabbix + #POSTGRES_USER: zabbix + #POSTGRES_PASSWORD: REDACTED + #POSTGRES_PASSWORD_FILE: /run/secrets/psql_password zabbix-java-gateway: image: zabbix/zabbix-java-gateway:latest diff --git a/zabbix/example/psql.env b/zabbix/example/psql.env new file mode 100644 index 0000000..4825632 --- /dev/null +++ b/zabbix/example/psql.env @@ -0,0 +1,4 @@ +POSTGRES_DB: zabbix +POSTGRES_USER: zabbix +POSTGRES_PASSWORD: REDACTED + diff --git a/zabbix/zabbix/zabbix-server/build/Dockerfile b/zabbix/zabbix/zabbix-server/build/Dockerfile new file mode 100644 index 0000000..c724418 --- /dev/null +++ b/zabbix/zabbix/zabbix-server/build/Dockerfile @@ -0,0 +1,3 @@ +FROM zabbix/zabbix-server-pgsql:alpine-5.2-latest +USER root +RUN apk update && apk add curl nmap diff --git a/zabbix/zabbix/zabbix-web/build/Dockerfile b/zabbix/zabbix/zabbix-web/build/Dockerfile new file mode 100644 index 0000000..0f1fb05 --- /dev/null +++ b/zabbix/zabbix/zabbix-web/build/Dockerfile 
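Review bot: The commented-out `#POSTGRES_PASSWORD: REDACTED` line in the zabbix-database `environment:` block keeps a password entry in a tracked file; if the committed value was ever the real one, it remains in history and should be rotated. After this hunk `environment:` has only comments beneath it, i.e. an empty value, which some Compose versions may reject, so drop the key and the commented lines rather than leaving them. The service definition starts above the hunk, so whether another source supplies the database settings is not visible here.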
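Review bot: The three entries in zabbix/example/psql.env use YAML-style `KEY: value`, but env files are read as `KEY=value` lines, so a copy of this example would not set POSTGRES_DB, POSTGRES_USER or POSTGRES_PASSWORD. Write them as `POSTGRES_DB=zabbix`, `POSTGRES_USER=zabbix` and `POSTGRES_PASSWORD=<choose-a-password>`. A leading `#` comment should say that the file is meant to be copied to zabbix/psql.env (the path .gitignore excludes) with permissions restricted to the deploying user.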
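Review bot: `USER root` is never reverted in zabbix/zabbix-server/build/Dockerfile, so the derived image runs the Zabbix server as root; the same applies to the zabbix-web Dockerfile later in this patch. After the `RUN` line, switch back to the base image's unprivileged user; upstream Zabbix images appear to use `USER 1997`, but confirm with `docker inspect` on the base. `apk update && apk add curl nmap` also leaves the index cache in the layer, which `RUN apk add --no-cache curl nmap` avoids. The `alpine-5.2-latest` tag floats, so pinning a specific release or digest would make rebuilds reproducible.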
@@ -0,0 +1,14 @@
+FROM zabbix/zabbix-web-nginx-pgsql:alpine-5.2-latest
+
+#Tell nginx to include letsencrypt.conf, which allows access to .well-known directory
+#This enables us to do Lets Encrypt webroot verifications
+#Copy of the letsencrypt.conf config file
+USER root
+RUN sed -i "/robots.txt/i\ \ \ \ include \/etc\/nginx\/letsencrypt.conf;\n" /etc/zabbix/nginx_ssl.conf
+RUN sed -i "/robots.txt/i\ \ \ \ include \/etc\/nginx\/letsencrypt.conf;\n" /etc/zabbix/nginx.conf
+COPY letsencrypt.conf /etc/nginx/
+
+#Create a link called .well-known in the webroot that points to /leverify/.well-known
+#/leverify will me mounted on the host OS and cerbot will be told that it is the
+#web root. Certbot will create a .well-known directory there (which will make the symlink valid) and then put the verification file inside of it.
+RUN mkdir /leverify && ln -s /leverify/.well-known /usr/share/zabbix/.well-known
diff --git a/zabbix/zabbix/zabbix-web/build/letsencrypt.conf b/zabbix/zabbix/zabbix-web/build/letsencrypt.conf
new file mode 100644
index 0000000..b956b96
--- /dev/null
+++ b/zabbix/zabbix/zabbix-web/build/letsencrypt.conf
@@ -0,0 +1,5 @@
+ location ~ /\.well-known/acme-challenge {
+ default_type "text/plain";
+ root /usr/share/zabbix;
+ allow all;
+ }
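Review bot: Both `sed -i "/robots.txt/i..."` lines in zabbix-web/build/Dockerfile succeed even when the pattern is absent, so if a newer `alpine-5.2-latest` base changes the nginx configs the include is silently dropped and ACME webroot validation fails at renewal time. Add a build-time assertion after them, e.g. `RUN grep -q letsencrypt.conf /etc/zabbix/nginx.conf && grep -q letsencrypt.conf /etc/zabbix/nginx_ssl.conf`. The comment `#Copy of the letsencrypt.conf config file` sits above `USER root` rather than the `COPY` line it describes and would read better directly above it.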
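Review bot: `location ~ /\.well-known/acme-challenge` in letsencrypt.conf is an unanchored regex, so it matches that substring anywhere in the request path and, with `allow all;`, lifts any access restriction for those URLs. A prefix match is tighter and cheaper: `location ^~ /.well-known/acme-challenge/ {`. Because the Dockerfile symlinks `/usr/share/zabbix/.well-known` to the host-mounted `/leverify`, everything placed under that directory is served without authentication, so the mount should contain only certbot's challenge files.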