update .gitignore

* 'master' of https://git.charlesreid1.com/docker/d-nginx-subdomains:
  add license to footer, add links to readme, trim redundancy
  fix bullet item list typo
  update mkdocs
  propagate change to index
  fix last command
  update gitignore and add css
  init commit of docs

.gitignore

@@ -1,4 +1,6 @@
+site/
 letsencrypt/
 letsencrypt_certs/
 nginx.conf.default
 rojo.charlesreid1.com
+conf.d/http.subdomains.conf

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "mkdocs-material"]
+	path = mkdocs-material
+	url = https://git.charlesreid1.com/charlesreid1/mkdocs-material.git

README.md

@@ -8,166 +8,11 @@ one-pagers.
 The services are just:
 * nginx
 
-This is also intended to be reverse proxied
+## Links
-by another frontend nginx server,
-so this one-container pod will bind 
-to a VPN IP address and establish
-(unecrypted) HTTP connections over the 
-(encrypted) VPN connection.
 
-Pretty simple, right?
+[documentation: d-nginx-subdomains container](https://pages.charlesreid1.com/d-nginx-subdomains/) (you are here)
 
-# Networking
+[source code on git.charlesreid1.com: d-nginx-subdomains](https://git.charlesreid1.com/docker/d-nginx-subdomains)
 
-The setup for this one-container docker pod 
+[source code on github.com: charlesreid1-docker/d-nginx-subdomains](https://github.com/charlesreid1-docker/d-nginx-subdomains)
-is to have an nginx container bound to all
-addresses inside the container (see nginx.conf
-selection below) and then bind that port 
-inside the container to a specific IP and port
-on the host (see docker-compose selection below).
 
-The nginx configuration file contains a listen
-directive that binds nginx to all addresses 
-inside the container:
-
-```
-server {
-    listen *:7777;
-```
-
-Meanwhile, in the `docker-compose.yml` file,
-we bind the container's port 7777 to the 
-host's port 7777, but only on a private
-IP address:
-
-```
-servies:
-  stormy_nginx_subs:
-    ...
-    ports:
-      - "10.5.0.2:7777:7777"
-```
-
-
-# Config files
-
-All `*.conf` files in the `conf.d/` directory will be picked up by nginx.
-
-The config files must be named `*.conf`.
-
-
-# Volumes
-
-No data volumes are used.
-
-* nginx static content is a bind-mounted host directory
-* lets encrypt generates site certs, which will be bind-mounted into host directory
-
-Here is the volumes directive in `docker-compose.yml`:
-
-```
-    volumes:
-      - "./conf.d:/etc/nginx/conf.d"
-      - "/www/pages.charlesreid1.com/htdocs:/www/pages.charlesreid1.com/htdocs:ro"
-      - "/www/hooks.charlesreid1.com/htdocs:/www/hooks.charlesreid1.com/htdocs:ro"
-      - "/www/bots.charlesreid1.com/htdocs:/www/bots.charlesreid1.com/htdocs:ro"
-```
-
-The first line sets the nginx config files,
-the rest set the static content locations.
-
-
-# Backups
-
-Site content comes from git.charlesreid1.com,
-nothing to back up.
-
-# Workflow
-
-### Static Content Directory Layout
-
-Directories with static content are bind-mounted
-read-only into the container. To update the content
-being served, just update the content directory
-on the host.
-
-(This enables you to use version control to 
-track the live site contents.)
-
-The section below covers how accomplish this layout.
-You should have your web content laid out as follows
-on the host:
-
-```
-/www
-    example.com/
-        htdocs/
-            index.html
-            ...
-        example.com-src/
-            README.md
-            pelican/
-            ...
-        git/
-            <contents of .git dir>
-            ...
-
-    example2.com/
-        htdocs/
-            ...
-        example2.com-src/
-            ...
-        git/
-            ...
-```
-
-In the container, you will have a mirrored directory
-structure, but only `htdocs`:
-
-```
-/www
-    example.com/
-        htdocs/
-            index.html
-            ...
-
-    example2.com/
-        htdocs/
-            ...
-```
-
-
-### Deploying Static Content with Git
-
-You can use git to deploy static content, but take care
-not to put your `.git` directory into the live 
-web directory.
-
-```
-git clone \
-  --separate-git-dir=/www/example.com/git \
-  -b gh-pages \
-  <url-of-static-site> \
-  /www/example.com/htdocs
-```
-
-Let's walk through that:
-
-* Clone command to deploy content fresh
-* Separate git dir to keep git from being live
-* Branch `gh-pages` (we decided to match Github's convention)
-* Url of static site from git.charlesreid1.com
-* The path of the final cloned repo (bind mounted into container)
-
-See scripts for details.
-
-### Updating Static Content with Git
-
-
-```
-git pull \
-```
-
-specify git-dir
-
-specify work-dir

conf.d/client-allow.conf

@@ -1,2 +0,0 @@
-allow 10.5.0.1;
-allow 45.56.87.232;

conf.d/http.subdomains.conf

@@ -1,56 +0,0 @@
-####################
-#
-# charlesreid1 subdomains
-# (http only, https happens with krash)
-# 
-# runs on #blackbeard
-# 
-# nginx only listens on the private vpn ip,
-# because it is reverse-proxied by another
-# nginx instance (krash).
-# binding to the private vpn ip happens
-# at the docker level, not the nginx level.
-#
-# 7777  pages.charlesreid1.com
-# 7778  hooks.charlesreid1.com
-# 7779  bots.charlesreid1.com
-# 
-####################
-
-server {
-    listen 7777;
-    server_name pages.charlesreid1.com;
-    include /etc/nginx/conf.d/client-allow.conf;
-    deny all;
-    location / {
-        try_files $uri $uri/ =404;
-        root /www/pages.charlesreid1.com/htdocs;
-        index index.html;
-    }
-}
-
-server {
-    listen 7778;
-    server_name hooks.charlesreid1.com;
-    include /etc/nginx/conf.d/client-allow.conf;
-    deny all;
-    location / {
-        try_files $uri $uri/ =404;
-        #root /www/hooks.charlesreid1.com/htdocs;
-        root /www/pages.charlesreid1.com/htdocs;
-        index index.html;
-    }
-}
-
-server {
-    listen 7779;
-    server_name bots.charlesreid1.com;
-    include /etc/nginx/conf.d/client-allow.conf;
-    deny all;
-    location / {
-        try_files $uri $uri/ =404;
-        #root /www/bots.charlesreid1.com/htdocs;
-        root /www/pages.charlesreid1.com/htdocs;
-        index index.html;
-    }
-}

conf.d_templates/client-allow.conf

@@ -0,0 +1 @@
+allow {{ nginx_charlesreid1_ip }};

conf.d_templates/http.subdomains.conf.j2

@@ -0,0 +1,69 @@
+####################
+#
+# charlesreid1 subdomains
+# (this is http only)
+# (the https happens in pod-charlesreid1)
+# (this happens in pod-webhooks)
+# 
+# We use a client-allow.conf to block all IPs
+# except for the IP of the machine running
+# pod-charlesreid1. This is because this pod
+# is reverse-proxied by the machine running
+# pod-charlesreid1.
+#
+# Binding to a private ip happens
+# at the docker level, not the nginx level.
+#
+# 7777  pages.{{ server_name_default }}
+# 7778  hooks.{{ server_name_default }}
+# 7779  bots.{{ server_name_default }}
+# 
+####################
+
+server {
+    listen 7777;
+    listen [::]:7777;
+    server_name pages.{{ server_name_default }};
+    ## Only allow IPs in client-allow.conf
+    #include /etc/nginx/conf.d/client-allow.conf;
+    #deny all;
+    port_in_redirect off;
+    location / {
+        index index.html;
+        try_files $uri $uri/ $uri/index.html =404;
+        root /www/pages.{{ server_name_default }}/htdocs;
+    }
+}
+
+
+
+server {
+    listen 7778;
+    listen [::]:7778;
+    server_name hooks.{{ server_name_default }};
+    ## Only allow IPs in client-allow.conf
+    #include /etc/nginx/conf.d/client-allow.conf;
+    #deny all;
+    location / {
+        index index.html;
+        try_files $uri $uri/ $uri/index.html =404;
+        root /www/hooks.{{ server_name_default }}/htdocs;
+    }
+}
+
+
+
+server {
+    listen 7779;
+    listen [::]:7779;
+    server_name bots.{{ server_name_default }};
+    ## Only allow IPs in client-allow.conf
+    #include /etc/nginx/conf.d/client-allow.conf;
+    #deny all;
+    location / {
+        index index.html;
+        try_files $uri $uri/ $uri/index.html =404;
+        root /www/bots.{{ server_name_default }}/htdocs;
+    }
+}
+

docs/css/custom.css

@@ -0,0 +1,11 @@
+.md-typeset h1 { font-weight: 600; }
+.md-typeset h2 { font-weight: 600; }
+.md-typeset h3 { font-weight: 600; }
+.md-typeset h4 { font-weight: 600; }
+
+body {
+    background-color: #FAFAFA;
+}
+div.body {
+    background-color: #FAFAFA;
+}

docs/index.md

@@ -0,0 +1,174 @@
+# d-nginx-subdomains
+
+This repo contains docker containers
+and a docker compose file for running
+an nginx web server for subdomain
+one-pagers.
+
+The services are just:
+
+* nginx
+
+This is also intended to be reverse proxied
+by another frontend nginx server,
+so this one-container pod will bind 
+to a VPN IP address and establish
+(unecrypted) HTTP connections over the 
+(encrypted) VPN connection.
+
+Pretty simple, right?
+
+# Networking
+
+The setup for this one-container docker pod 
+is to have an nginx container bound to all
+addresses inside the container (see nginx.conf
+selection below) and then bind that port 
+inside the container to a specific IP and port
+on the host (see docker-compose selection below).
+
+The nginx configuration file contains a listen
+directive that binds nginx to all addresses 
+inside the container:
+
+```
+server {
+    listen *:7777;
+    }
+```
+
+Meanwhile, in the `docker-compose.yml` file,
+we bind the container's port 7777 to the 
+host's port 7777, but only on a private
+IP address:
+
+```
+servies:
+  stormy_nginx_subs:
+    ...
+    ports:
+      - "10.5.0.2:7777:7777"
+```
+
+
+# Config files
+
+All `*.conf` files in the `conf.d/` directory will be picked up by nginx.
+
+The config files must be named `*.conf`.
+
+
+# Volumes
+
+No data volumes are used.
+
+* nginx static content is a bind-mounted host directory
+* lets encrypt generates site certs, which will be bind-mounted into host directory
+
+Here is the volumes directive in `docker-compose.yml`:
+
+```
+    volumes:
+      - "./conf.d:/etc/nginx/conf.d"
+      - "/www/pages.charlesreid1.com/htdocs:/www/pages.charlesreid1.com/htdocs:ro"
+      - "/www/hooks.charlesreid1.com/htdocs:/www/hooks.charlesreid1.com/htdocs:ro"
+      - "/www/bots.charlesreid1.com/htdocs:/www/bots.charlesreid1.com/htdocs:ro"
+```
+
+The first line sets the nginx config files,
+the rest set the static content locations.
+
+
+# Backups
+
+Site content comes from git.charlesreid1.com,
+nothing to back up.
+
+# Workflow
+
+## Static Content Directory Layout
+
+Directories with static content are bind-mounted
+read-only into the container. To update the content
+being served, just update the content directory
+on the host.
+
+(This enables you to use version control to 
+track the live site contents.)
+
+The section below covers how accomplish this layout.
+You should have your web content laid out as follows
+on the host:
+
+```
+/www
+    example.com/
+        htdocs/
+            index.html
+            ...
+        example.com-src/
+            README.md
+            pelican/
+            ...
+        git/
+            <contents of .git dir>
+            ...
+
+    example2.com/
+        htdocs/
+            ...
+        example2.com-src/
+            ...
+        git/
+            ...
+```
+
+In the container, you will have a mirrored directory
+structure, but only `htdocs`:
+
+```
+/www
+    example.com/
+        htdocs/
+            index.html
+            ...
+
+    example2.com/
+        htdocs/
+            ...
+```
+
+
+## Deploying Static Content with Git
+
+You can use git to deploy static content, but take care
+not to put your `.git` directory into the live 
+web directory.
+
+```
+git clone \
+  --separate-git-dir=/www/example.com/git \
+  -b gh-pages \
+  <url-of-static-site> \
+  /www/example.com/htdocs
+```
+
+Let's walk through that:
+
+* Clone command to deploy content fresh
+* Separate git dir to keep git from being live
+* Branch `gh-pages` (we decided to match Github's convention)
+* Url of static site from git.charlesreid1.com
+* The path of the final cloned repo (bind mounted into container)
+
+See scripts for details.
+
+## Updating Static Content with Git
+
+
+```
+git \
+    --git-dir=/www/example.com/git \
+    --work-tree=/www/example.com/htdocs/reponame \
+    pull origin gh-pages
+```

mkdocs.yml

@@ -0,0 +1,36 @@
+site_name: d-nginx-subdomains
+site_url: https://pages.charlesreid1.com/d-nginx-subdomains
+repo_name: d-nginx-subdomains
+repo_url: https://git.charlesreid1.com/docker/d-nginx-subdomains
+edit_uri: ""
+
+copyright: 'Copyright &copy; 2018 <a href="https://charlesreid1.com">Charles Reid</a>, released under the <a href="https://opensource.org/licenses/MIT">MIT license</a>'
+
+docs_dir: docs
+site_dir: site
+extra_css:
+  - css/custom.css
+theme: 
+  name: null
+  custom_dir: 'mkdocs-material/material'
+  palette:
+    primary: 'light green'
+    accent: 'light green'
+  logo:
+    icon: 'input'
+  font:
+    text: 'Roboto'
+    code: 'Roboto Mono'
+nav:
+  - 'Home':         'index.md'
+
+# Extensions
+markdown_extensions:
+  - admonition
+  - codehilite:
+      guess_lang: false
+  - toc:
+      permalink: true
+
+
+strict: true

scripts/clean_config.py

@@ -0,0 +1,30 @@
+import glob
+import os
+import subprocess
+
+"""
+Clean d-nginx-subdomains conf.d directory
+
+
+This script cleans out the conf.d directory
+in the d-nginx-subdomains repo.
+
+This script should be run before you generate a new set
+of config files from the nginx config file templates in
+d-nginx-subdomains/conf.d_templates/
+
+This script cleans out all the config files in the folder
+d-nginx-subdomains/conf.d/
+
+That way there are no old config files to clash with the
+new ones.
+"""
+
+HERE = os.path.abspath(os.path.dirname(__file__))
+CONF = os.path.abspath(os.path.join(HERE,'..','conf.d'))
+
+for f in glob.glob(os.path.join(CONF,"*.conf")):
+    if os.path.basename(f)!="_.conf":
+        cmd = ['rm','-fr',f]
+        subprocess.call(cmd)
+

static_pull.py

@@ -25,7 +25,6 @@ for name in onepagers:
     url = onepagers[name]
 
     basedir = os.path.join("/www",name)
-    mkdircmd = ["mkdir","-p",basedir]
     pullcmd = ["git","-C",basedir,"--git-dir=git","--work-tree=htdocs","pull","origin","gh-pages"]
 
     if( os.path.isdir( os.path.join(basedir,"git") is False ) 
@@ -43,7 +42,6 @@ for name in onepagers:
     print(" ")
     response = input('Okay to proceed? (y/n) ')
     if(response=='y' or response=='Y' or response=='yes'):
-        subprocess.call(mkdircmd)
         subprocess.call(pullcmd)