full-install: add letsencrypt cert gen script

docker-compose/full-install/.env

@@ -1 +1,2 @@
 NC_INSTALL_ROOT=./
+NO_COLOR=NEST_JS_LOG_MESSAGE_NO_COLOR_SET_NON_NULL_VALUE

docker-compose/full-install/advanced.md

@@ -0,0 +1,23 @@
+# Advanced operations 
+
+
+## Restarting containers 
+
+## Upgrade nocodb instance 
+
+## Enable SSL
+In order to enable SSL for incoming https requests, you will need to have certs which is
+private-key public-key pair
+### letsencrypt for generating certificates 
+### Bring your own certificates 
+### self signed certificates 
+
+## Database pasword rotation 
+
+## nginx configurations 
+
+## Add Node 
+
+## Minio integration for resources
+
+## Enable scheduled backups to run nightly on all your instances.

docker-compose/full-install/bin/nginx_start.sh

@@ -5,7 +5,7 @@
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 
 COMPONENT_DIR=${SCRIPT_DIR}/../
-cd ${COMPONENT_DIR}/docker
+cd ${COMPONENT_DIR}
 mkdir -p ${COMPONENT_DIR}/data
 chmod -R 777 ${COMPONENT_DIR}/data
 docker-compose restart nginx

docker-compose/full-install/docker-compose.yml

@@ -72,9 +72,12 @@ services:
       - ${NC_INSTALL_ROOT:-/opt/nocodb}/conf/nc_properties.env    
     volumes:
       - ${NC_INSTALL_ROOT:-/opt/nocodb}/nginx/conf.d:/etc/nginx/conf.d:ro
+      - ${NC_INSTALL_ROOT:-/opt/nocodb}/conf/nginx/conf.d:/etc/nginx/custom-conf.d:ro
       - ${NC_INSTALL_ROOT:-/opt/nocodb}/nginx/conf:/opt/nocohub/nginx/conf
       - ${NC_INSTALL_ROOT:-/opt/nocodb}/nginx/conf/nginx.conf:/etc/nginx/nginx.conf:ro
       - ${NC_INSTALL_ROOT:-/opt/nocodb}/data/nginx:/opt/nocohub/nginx/data
+      - ${NC_INSTALL_ROOT:-/opt/nocodb}/conf/nginx/certbot/www:/var/www/certbot/:ro
+      - ${NC_INSTALL_ROOT:-/opt/nocodb}/conf/nginx/certbot/conf/:/etc/nginx/ssl/:ro      
       # -  ../nginx/conf/ssl:/etc/nginx/ssl/:ro   
     expose:
       - "80"                 
@@ -89,3 +92,8 @@ services:
         limits:
           cpus: '1'
           memory: 1000M    
+  certbot:
+    image: certbot/certbot:latest
+    volumes:
+      - ${NC_INSTALL_ROOT:-/opt/nocodb}/conf/nginx/certbot/www:/var/www/certbot/:rw
+      - ${NC_INSTALL_ROOT:-/opt/nocodb}/conf/nginx/certbot/conf/:/etc/letsencrypt/:rw           

docker-compose/full-install/nginx/conf-templates/certbot_conf.template

@@ -0,0 +1,15 @@
+server {
+    listen 80;
+    listen [::]:80;
+    
+    # chantge server_name while generating cert
+    server_name <SERVER_NAME>;
+
+    #access_log  /var/log/nginx/host.access.log  main;
+
+    # this is required for cert generation. 
+    # change server_name as well with cname of required cert
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }                     
+}

docker-compose/full-install/nginx/conf-templates/ssl_server_name_conf.template

@@ -0,0 +1,41 @@
+server {
+    listen 80;
+    listen [::]:80 ;
+    listen 443 default_server ssl;
+    listen [::]:443 ssl ;
+    # chantge server_name while generating cert
+    server_name <SERVER_NAME>;
+
+    # force https-redirects
+    if ($scheme = http) {
+        return 301 https://$server_name$request_uri;
+    }
+    
+    ssl_certificate /etc/nginx/ssl/live/<SERVER_NAME>/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/live/<SERVER_NAME>/privkey.pem;
+
+    #access_log  /var/log/nginx/host.access.log  main;
+    location / {
+        include  /etc/nginx/mime.types;
+        root   /opt/nocohub/nginx/data/<SERVER_NAME>/;
+        index  index.html index.htm;
+        auth_basic "Restricted Access";
+        auth_basic_user_file /opt/nocohub/nginx/conf/.htpasswd;        
+    }
+
+    location /proxy {
+        proxy_pass http://nocohub-001:8080;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+
+        auth_basic "Restricted Access";
+        auth_basic_user_file /opt/nocohub/nginx/conf/.htpasswd;       
+    }    
+
+    # deny access to .htaccess files, if Apache's document root
+    # concurs with nginx's one
+    #
+    location ~ /\.ht {
+       deny  all;
+    }
+}

docker-compose/full-install/nginx/conf.d/default.conf

@@ -3,11 +3,6 @@ server {
     listen       80;
     listen  [::]:80;
     server_name  localhost;
-    # server_name my.nocodb.com;
-    # listen 443 default_server ssl;
-    # listen [::]:443 ssl ;
-    # ssl_certificate /etc/nginx/ssl/live/status.nocodb.com/fullchain.pem;
-    # ssl_certificate_key /etc/nginx/ssl/live/status.nocodb.com/privkey.pem;
 
     location / {    	
         proxy_pass http://nocodb_backend;

docker-compose/full-install/nginx/conf/nginx.conf

@@ -4,4 +4,5 @@ events {
 
 http {
     include /etc/nginx/conf.d/*.conf;
-    }
+    include /etc/nginx/custom-conf.d/*.conf;
+}

docker-compose/full-install/prepare_env.sh

@@ -4,6 +4,9 @@
 
 # -- main line code starts here --
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+source ${SCRIPT_DIR}/sbin/util.sh
+source ${SCRIPT_DIR}/sbin/install_vars.sh
+
 ENV_FILE=${SCRIPT_DIR}/conf/nc_properties.env
 bkp_file=${ENV_FILE}-$(date +%s).bak
 # Source existing nc_envs.env file to get current values
@@ -13,9 +16,6 @@ if [ -f ${ENV_FILE} ]; then
     cp ${ENV_FILE} ${bkp_file}
 fi
 
-# Array of properties with default values
-properties=("NC_INSTALL_ROOT=${SCRIPT_DIR}" "MINIO_ROOT_USER=minioadmin" "MINIO_ROOT_PASSWORD=minioadmin" "POSTGRES_USER=postgres" "POSTGRES_PASSWORD=test123" "POSTGRES_DB=nocodb" "NC_REDIS_URL=redis://redis:6379/4" 'NC_DB=pg://postgres:5432?u=postgres&password=${POSTGRES_PASSWORD:-nocodb}&d=postgres' "NO_COLOR=NEST_JS_LOG_MESSAGE_NO_COLOR_SET_NON_NULL_VALUE" "LOKI_ENDPOINT=http://localhost:3100")
-
 echo "Update or confirm the values to be set"
 # Iterate over the properties array and prompt user for input
 for prop in "${properties[@]}"; do

docker-compose/full-install/sbin/gen_letsencrypt_cert.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+# expects nginx to be up and running with conf.d/certbot.conf
+# dns to be mapped to the machine where cert is generated
+#
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+SERVER_NAME=${1}
+if [[ -z "$SERVER_NAME" ]]
+then
+    echo "required argument servername"
+    echo "usage ex: ./gen_certs my.nocodb.com"
+    exit 1
+fi
+
+echo "Creating configs for SERVER_NAME: ${SERVER_NAME}"
+cd ${SCRIPT_DIR}/../conf/nginx/conf.d
+sed "s,<SERVER_NAME>,${SERVER_NAME},g" ${SCRIPT_DIR}/../nginx/conf-templates/certbot_conf.template > certbot.conf
+
+cd ${SCRIPT_DIR}/../bin
+./nginx_start.sh 
+./nginx_reload.sh 
+
+echo "Triggering certbot to create ssl configs: ${SERVER_NAME}"
+cd ${SCRIPT_DIR}/..
+docker-compose run --rm  certbot certonly --webroot --webroot-path /var/www/certbot/  -d ${SERVER_NAME}
+
+
+echo "Now reload nginx with new ssl configs for your site : ${SERVER_NAME}"
+cd ${SCRIPT_DIR}/../conf/nginx/conf.d
+sed "s,<SERVER_NAME>,${SERVER_NAME},g" ${SCRIPT_DIR}/../nginx/conf-templates/ssl_server_name_conf.template > ${SERVER_NAME}.conf
+${SCRIPT_DIR}/../bin/nginx_reload.sh

docker-compose/full-install/sbin/install_vars.sh

@@ -1,3 +1,7 @@
 nocodb_install_version="1.0.0"  # Replace with actual version
 REQUIRED_PORTS=(80 443)
-DOCKER_IMAGES=("redis:latest" "postgres:14.7" "nocodb/nocodb:latest" "nginx")
+DOCKER_IMAGES=("redis:latest" "postgres:14.7" "nocodb/nocodb:latest" "nginx" "certbot/certbot:latest" )
+
+# Array of properties with default values
+properties=( "POSTGRES_USER=postgres" "POSTGRES_PASSWORD=test123" "POSTGRES_DB=nocodb" "NC_REDIS_URL=redis://redis:6379/4" 'NC_DB=pg://postgres:5432?u=postgres&password=${POSTGRES_PASSWORD:-nocodb}&d=postgres' )
+# "NC_INSTALL_ROOT=${SCRIPT_DIR}" "MINIO_ROOT_USER=minioadmin" "MINIO_ROOT_PASSWORD=minioadmin"

docker-compose/full-install/security.md

@@ -0,0 +1 @@
+Security