Skip to content

Instantly share code, notes, and snippets.

@segfo

segfo/server_compose.yml

Last active August 28, 2025 00:22
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save segfo/2e88a3e77e3d2fb5cefc79d527330224 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save segfo/2e88a3e77e3d2fb5cefc79d527330224 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
server_compose.yml
# 同じディレクトリに .env を作ってください。
# .envのサンプルはgistのコメントに書きます。
services:
# パスワードマネージャ 不要なら消してね
vaultwarden:
image: vaultwarden_arm64:1.34.3
container_name: vaultwarden
user: '1000:1000'
ports:
- 8080:80
environment:
- DOMAIN=${VAULTWARDEN_DOMAIN}
- SIGNUPS_ALLOWED=${VAULTWARDEN_SIGNUPS_ALLOWED}
- ROCKET_PORT=80
- EXPERIMENTAL_CLIENT_FEATURE_FLAGS=ssh-key-vault-item,ssh-agent
volumes:
- ./vw-data:/data
restart: unless-stopped
# DNS型広告ブロッカー
pihole:
image: pihole/pihole:latest
container_name: pihole
cap_add:
- NET_ADMIN
environment:
- TZ=${TZ}
- PIHOLE_UID=${PUID}
- PIHOLE_GID=${PGID}
volumes:
- ./etc/pihole:/etc/pihole
- ./etc/dnsmasq.d:/etc/dnsmasq.d
ports:
- "53:53/tcp"
- "53:53/udp"
restart: unless-stopped
# pi-holeのUI用のリバプロ。TLS通信の終端の役割をしている。不要なら消してね
nginx:
image: nginx:latest
container_name: nginx
depends_on:
- pihole
ports:
- 10443:443
volumes:
- ./nginx/conf.d:/etc/nginx/conf.d
- ./nginx/certs:/etc/nginx/certs
restart: unless-stopped
# ローカルCA、生成したTLS証明書をNginxに食わせる
stepca:
image: smallstep/step-ca
container_name: stepca
volumes:
- ./step-ca:/home/step
ports:
- 8443:443 # ACME endpoint
restart: unless-stopped
networks:
internal_net:
driver: bridge
@segfo
Copy link
Author

segfo commented Aug 27, 2025
edited
Loading

Nignxの設定ファイル

# nginx が $connection_upgrade を理解するように map を追加
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name server.local;

    ssl_certificate     /etc/nginx/certs/server.local.crt;
    ssl_certificate_key /etc/nginx/certs/server.local.key;

    # Docker の内部DNS を使う(コンテナ内では 127.0.0.11 が Docker DNS)
    resolver 127.0.0.11 valid=30s;

    # upstream を変数で指定すると起動時に解決しない(リクエスト時に解決される)
    set $upstream_host "pihole:80";

    location / {
        proxy_pass http://$upstream_host;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket 等が必要なら以下も
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

@segfo
Copy link
Author

segfo commented Aug 27, 2025
edited
Loading

ディレクトリ構成

server
├── .env <環境変数(compose.ymlとLocalCA構築・運用スクリプト共用)>
├── compose.yml
├── etc <piholeのフォルダ>
│   ├── dnsmasq.d
│   └── pihole
├── logs <TLS証明書の再発行スクリプトのログなど>
├── nginx <TLSの終端・リバースプロキシ>
│   ├── certs <各サーバの証明書>
│   │   ├── server.crt
│   │   ├── server.csr
│   │   └── server.key
│   └── conf.d <リバプロの構成ファイル>
│       └── pihole.conf <pihole用>
├── scripts
│   ├── ca-setup.sh
│   ├── cert-renew-and-reload.sh
│   └── create-cert.sh
├── step-ca <scripts/ca-setup.shを実行すると作成される>
└── vw-data <vaultwardenのDBデータ>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment