commit 8823c67af2d0690ef49f34a3ce038ebb84851bf8
Author: Zoran Peričić
Date: Thu Mar 19 13:57:20 2026 +0100
v1.0.0-1
diff --git a/container.conf b/container.conf
new file mode 100644
index 0000000..2f5f3ea
--- /dev/null
+++ b/container.conf
@@ -0,0 +1,220 @@
+# set timezone, required, set it to one of the values from the "TZ identifier" https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
+TZ=Europe/Zagreb
+
+# email address which should be used for acme, currently optional, may be required in the future, so I recommend you to enter your email here, optional for letsencrypt, but required for zerossl and google public ca
+ACME_EMAIL=ssl@netst.org
+
+# acme server used when requesting/renewing certs using certbot, default is set to: https://acme-v02.api.letsencrypt.org/directory (letsencrypt)
+#ACME_SERVER=https://dv.acme-v02.api.pki.goog/directory (google public ca) / https://acme.zerossl.com/v2/DV90 (zerossl)
+
+# Key Identifier for External Account Binding for the acme server, not supported by letsencrypt, optional for zerossl (Login on theier site => Developer), but required for google public ca: https://cloud.google.com/certificate-manager/docs/public-ca-tutorial?hl=de#request-key-hmac
+#ACME_EAB_KID=123456789abcdef
+
+# HMAC key for External Account Binding for the acme server, not supported by letsencrypt, optional for zerossl (Login on theier site => Developer), but required for google public ca: https://cloud.google.com/certificate-manager/docs/public-ca-tutorial?hl=de#request-key-hmac
+#ACME_EAB_HMAC_KEY=123456789abcdef
+
+# enables must-staple, default false, I recommend you to enable this if your CA supports it, supported by zerossl, google public ca ignores this, unsupported by letsencrypt (will fail), overrides ACME_OCSP_STAPLING to true
+#ACME_MUST_STAPLE=true
+
+# enables ocsp stapling, default false, I recommend you to enable this if your CA supports it, supported by zerossl and google public ca
+#ACME_OCSP_STAPLING=true
+
+# sets the profile to be used from the acme server, default is "none" (so the default profile), supported by letsencrypt (https://letsencrypt.org/docs/profiles), if you use letsencrypt I would recommend the "shortlived" profile, until it is public you should use the "tlsserver" profile, note: both are limited to 25 domains per cert instead of 100 like the "classic" (default) profile
+#ACME_PROFILE=shortlived
+
+# which key type to use ecdsa or rsa, default and recommended: ecdsa
+#ACME_KEY_TYPE=rsa
+
+# enables checking if ACME_SERVER has a valid TLS cert, default and recommended true
+#ACME_SERVER_TLS_VERIFY=false
+
+# enables ocsp stapling for custom certs, default false, I recommend you to enable this if your custom certs support it
+#CUSTOM_OCSP_STAPLING=true
+
+# set user id, needs to be a number greater or equal to 99, or equal to 0, default 0 (root)
+#PUID=1000
+
+# set group id, needs to be a number greater or equal to 99, or equal to 0, default 0 (root), requires PUID to be not 0
+#PGID=1000
+
+# Port the NPM UI should be bound to, default 81, you need to change it, if you want to run multiple npm instances in network mode host
+#NPM_PORT=82
+
+# Port the goaccess should be bound to, default 91, you need to change it, if you want to run multiple npm with goaccess instances in network mode host
+#GOA_PORT=92
+
+# IPv4 address to bind, defaults to all
+#IPV4_BINDING=127.0.0.1
+
+# IPv4 address to bind for the NPM UI, defaults to all
+#NPM_IPV4_BINDING=127.0.0.1
+
+# IPv4 address to bind for the goaccess, defaults to all
+#GOA_IPV4_BINDING=127.0.0.1
+
+# IPv6 address to bind, defaults to all
+#IPV6_BINDING=[::1]
+
+# IPv6 address to bind for the NPM UI, defaults to all
+#NPM_IPV6_BINDING=[::1]
+
+# IPv6 address to bind for goaccess, defaults to all
+#GOA_IPV6_BINDING=[::1]
+
+# fully disables listing on IPv6 and the IPv6 resolver of nginx, overrides IPV6_BINDING/NPM_IPV6_BINDING/GOA_IPV6_BINDING, default false
+#DISABLE_IPV6=true
+
+# Binds the NPM UI only to localhost (IPv4+IPv6), overrides NPM_IPV4_BINDING/NPM_IPV6_BINDING, default false
+#NPM_LISTEN_LOCALHOST=true
+
+# Binds goaccess only to localhost (IPv4+IPv6), overrides GOA_IPV4_BINDING/GOA_IPV6_BINDING, default false
+#GOA_LISTEN_LOCALHOST=true
+
+# ID of cert, which should be used instead of dummycerts, default 0/unset/dummycerts
+#DEFAULT_CERT_ID=1
+
+# tcp port to use for http traffic, changing this may breaks certbot http challenge, default 80
+#HTTP_PORT=8080
+
+# udp and tcp port to use for https traffic, changing this may breaks certbot http challenge, default 443
+#HTTPS_PORT=8443
+
+# disables nginx to listen on port 80, default false
+#DISABLE_HTTP=true
+
+# should listeners of http(s) hosts (proxy/redirect/dead and default) use proxy protocol instead of http(s)? default false, overrides DISABLE_H3_QUIC to true
+#LISTEN_PROXY_PROTOCOL=true
+
+# use proxy protocol for http listeners only, default false
+#LISTEN_PROXY_PROTOCOL_HTTP=true
+
+# use proxy protocol for https listeners only, default false, overrides DISABLE_H3_QUIC to true
+#LISTEN_PROXY_PROTOCOL_HTTPS=true
+
+# disables nginx to listen on port 443 udp for default host and all your hosts, this will fully disable HTTP/3 and QUIC, even if you enable it inside the UI, not recommended, default false
+#DISABLE_H3_QUIC=true
+
+# enables nginxs quic_bpf (https://nginx.org/en/docs/http/ngx_http_v3_module.html#quic_bpf), you also need to add caps to the NPMplus container (BPF, PERFMON, NET_ADMIN) to use this, recommended, default false
+#NGINX_QUIC_BPF=true
+
+# Log 404 errors to the docker logs, unrelated to access logs, default false
+#NGINX_LOG_NOT_FOUND=true
+
+# value of worker_processes, default and recommended: auto
+#NGINX_WORKER_PROCESSES=8
+
+# value of worker_connections, default: 512
+#NGINX_WORKER_CONNECTIONS=1024
+
+# forces X25519MLKEM768 as only key exchange, overrides NGINX_DISABLE_TLS12 to true and NGINX_TRUST_SECPR1 to false, default false
+#NGINX_FORCE_X25519MLKEM768=true
+
+# disables TLS 1.2, only TLS 1.3 will be available, default false
+#NGINX_DISABLE_TLS12=true
+
+# trust secp256r1 (prime256v1) curve, default true
+#NGINX_TRUST_SECPR1=false
+
+# disables nginxbeautifier, useful when it fails parsing non-standard custom/advanced configs, default false
+#DISABLE_NGINX_BEAUTIFIER=true
+
+# trust and whitelist cloudflare ip ranges, default false
+#TRUST_CLOUDFLARE=true
+
+# Enables writing http access logs to /opt/npmplus/nginx/access.log, stream access logs to /opt/npmplus/nginx/stream.log and enables daily logrotation, default false
+#LOGROTATE=true
+
+# Set how often the access.log should be rotated until it is deleted, default 3
+#LOGROTATIONS=7
+
+# Set how many hours should be between certbot trying to renew your certs, default 3
+#CRT=72
+
+# Enables goaccess (and overrides LOGROTATE to true), default false --- if you download the GeoLite2-Country.mmdb, GeoLite2-City.mmdb AND GeoLite2-ASN.mmdb file from MaxMind and place them in /opt/npmplus/goaccess/geoip it will automatically enable GeoIP in goaccess after restarting NPMplus (no need to change GOACLA below), you may also enable the geoipupdate container below (please change the timezone)
+#GOA=true
+
+# Arguments that should be passed to goaccess, default: --agent-list --real-os --double-decode --anonymize-ip --anonymize-level=1 --keep-last=30 --with-output-resolver --no-query-string
+#GOACLA=--agent-list --real-os --double-decode --anonymize-ip --anonymize-level=2 --keep-last=7 --with-output-resolver --no-query-string
+
+# Activate PHP83, default false, supported, but not recommended, you should prefer to use a dedicated php-fpm container
+#PHP83=true
+
+# Add php extensions, also enables PHP83, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.21&repo=community&arch=x86_64&name=php83-*, default none, requires PHP83
+#PHP83_APKS=php83-curl php83-openssl
+
+# Activate PHP84, default false, supported, but not recommended, you should prefer to use a dedicated php-fpm container
+#PHP84=true
+
+# Add php extensions, also enables PHP84, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.21&repo=community&arch=x86_64&name=php84-*, default none, requires PHP84
+#PHP84_APKS=php84-curl php84-openssl
+
+# Activate PHP85, default false, supported, but not recommended, you should prefer to use a dedicated php-fpm container
+#PHP85=true
+
+# Add php extensions, also enables PHP85, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.21&repo=community&arch=x86_64&name=php85-*, default none, requires PHP85
+#PHP85_APKS=php85-curl php85-openssl
+
+# Add php extensions, default none, requires PHP83, PHP84 and/or PHP85, not recommended, please use PHP83_APKS, PHP84_APKS or PHP85_APKS
+#PHP_APKS=php-pecl-apcu php-pecl-redis
+
+# email to use instead of admin@example.org on first start of NPMplus for the initial user
+#INITIAL_ADMIN_EMAIL=
+
+# password to use instead of a random password which is logged on first start of NPMplus for the initial user
+#INITIAL_ADMIN_PASSWORD=
+
+# default page to set on first start of NPMplus for the initial user, default congratulations, can be one of: 404, 444, redirect, congratulations or html
+#INITIAL_DEFAULT_PAGE=444
+
+# disable gravatar, default false
+#DISABLE_GRAVATAR=true
+
+# see readme, default off
+#ENABLE_PRERUN=true
+
+# loads the openappsec attachment module, you also need to set ipc and enable the shm-volume for NPMplus, this will fully disable brotli, default false
+#NGINX_LOAD_OPENAPPSEC_ATTACHMENT_MODULE=true
+
+# loads the geoip2 module, you need to configure this yourself, default false
+#NGINX_LOAD_GEOIP2_MODULE=true
+
+# loads the njs module (nginx JavaScript module), you need to configure this yourself, default false
+#NGINX_LOAD_NJS_MODULE=true
+
+# loads the ldap module, you need to configure this yourself, default false
+#NGINX_LOAD_LDAP_MODULE=true
+
+# loads the ntlm module, you need to configure this yourself, default false
+#NGINX_LOAD_NTLM_MODULE=true
+
+# loads the virtual host traffic status module, you need to configure this yourself, default false
+#NGINX_LOAD_VHOST_TRAFFIC_STATUS_MODULE=true
+
+# OIDC login for NPMplus admin UI, all four are required together or none
+#OIDC_REDIRECT_DOMAIN=npm.example.com
+#OIDC_ISSUER_URL=https://auth.example.com
+#OIDC_CLIENT_ID=npmplus
+#OIDC_CLIENT_SECRET=secret
+
+# require verified email for OIDC login, default true
+#OIDC_REQUIRE_VERIFIED_EMAIL=true
+
+# disable password login when OIDC is configured, default false
+#OIDC_DISABLE_PASSWORD=true
+
+# Anubis bot challenge integration, upstream URL must not contain a path
+#AUTH_REQUEST_ANUBIS_UPSTREAM=http://127.0.0.1:8923
+
+# use custom anubis challenge images from /data/anubis/, default false
+#AUTH_REQUEST_ANUBIS_USE_CUSTOM_IMAGES=true
+
+# Tinyauth integration, both upstream and domain are required together
+#AUTH_REQUEST_TINYAUTH_UPSTREAM=http://127.0.0.1:3000
+#AUTH_REQUEST_TINYAUTH_DOMAIN=example.com
+
+# Authelia integration, upstream URL must not contain a path
+#AUTH_REQUEST_AUTHELIA_UPSTREAM=http://127.0.0.1:9091
+
+# Authentik integration, upstream is required, domain is optional
+#AUTH_REQUEST_AUTHENTIK_UPSTREAM=http://127.0.0.1:9000
+#AUTH_REQUEST_AUTHENTIK_DOMAIN=example.com
diff --git a/nginx-proxy-manager-plus.container b/nginx-proxy-manager-plus.container
new file mode 100644
index 0000000..6c0d6f8
--- /dev/null
+++ b/nginx-proxy-manager-plus.container
@@ -0,0 +1,18 @@
+[Unit]
+Description=nginx-proxy-manager-plus
+
+[Container]
+ContainerName=nginx-proxy-manager-plus
+EnvironmentFile=/etc/nginx-proxy-manager-plus/container.conf
+Image=docker.io/zoeyvid/npmplus:latest
+Volume=/var/lib/nginx-proxy-manager-plus/data:/data
+AddCapability=BPF PERFMON NET_ADMIN
+Network=host
+
+[Service]
+Restart=always
+ExecStartPre=/usr/bin/install -d -m '0750' -o root -g root /var/lib/nginx-proxy-manager-plus
+ExecStartPre=/usr/bin/install -d -m '0750' -o 1000 -g 1000 /var/lib/nginx-proxy-manager-plus/data
+
+[Install]
+WantedBy=multi-user.target default.target
diff --git a/nginx-proxy-manager-plus.spec b/nginx-proxy-manager-plus.spec
new file mode 100644
index 0000000..c16687d
--- /dev/null
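Review bot: `ACME_EMAIL=ssl@netst.org` near the top of the hunk ships a concrete third-party mailbox as the packaged default, and `TZ=Europe/Zagreb` likewise; because the spec installs this file as `%config(noreplace)`, every host whose admin does not edit it registers its ACME account under that address. These are the only two uncommented keys in the file, so the safer shape is a neutral placeholder for the required one, `TZ=Etc/UTC`, and the optional one left commented, `#ACME_EMAIL=you@example.org`, with the comment above it already saying it should be set. The file can also carry secrets (`ACME_EAB_HMAC_KEY`, `OIDC_CLIENT_SECRET`, `INITIAL_ADMIN_PASSWORD`); a one-line header comment stating that this is why the spec installs it 0640 root:root would keep a later edit from loosening the mode.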
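Review bot: `AddCapability=BPF PERFMON NET_ADMIN` in the [Container] section grants all three capabilities unconditionally, while the only option container.conf documents as needing them, `NGINX_QUIC_BPF`, is commented out there (default false), so a default install runs with NET_ADMIN and BPF it never uses. Either ship the line commented, `# needed only with NGINX_QUIC_BPF=true in container.conf` / `#AddCapability=BPF PERFMON NET_ADMIN`, or enable NGINX_QUIC_BPF in the shipped conf so the grant matches the configuration. The second `ExecStartPre` chowns the data directory to 1000:1000 although `PUID`/`PGID` are unset in container.conf (default 0), so the container process runs as root against a directory owned by an unrelated uid; the two should be brought into agreement. `Image=docker.io/zoeyvid/npmplus:latest` together with `Network=host` hands whatever `latest` resolves to at pull time the host network namespace, so pinning a digest (`docker.io/zoeyvid/npmplus:latest@sha256:<digest-placeholder>`) or declaring an explicit `AutoUpdate=` policy keeps image upgrades deliberate.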
+++ b/nginx-proxy-manager-plus.spec
@@ -0,0 +1,51 @@
+Name: nginx-proxy-manager-plus
+Version: 1.0.0
+Release: 1%{?dist}
+Summary: NPMplus - Nginx Proxy Manager Plus (container)
+License: AGPL-3.0
+Group: System Environment/Base
+URL: https://github.com/ZoeyVid/NPMplus
+
+Source0: nginx-proxy-manager-plus.container
+Source1: container.conf
+
+BuildArch: noarch
+BuildRequires: systemd-rpm-macros
+Requires: podman
+Requires: containers-common
+
+%description
+NPMplus is a hardened fork of Nginx Proxy Manager with HTTP/3, post-quantum
+TLS, CrowdSec/openappsec WAF, OIDC, GoAccess analytics, and more.
+Runs as a Podman container via quadlet.
+
+%install
+%{__rm} -rf %{buildroot}
+
+install -p -D -m 644 %{SOURCE0} %{buildroot}%{_datadir}/containers/systemd/nginx-proxy-manager-plus.container
+install -d -m 750 %{buildroot}%{_sysconfdir}/nginx-proxy-manager-plus
+install -m 640 %{SOURCE1} %{buildroot}%{_sysconfdir}/nginx-proxy-manager-plus/container.conf
+install -d -m 750 %{buildroot}%{_sharedstatedir}/nginx-proxy-manager-plus
+
+%post
+%systemd_post nginx-proxy-manager-plus.service
+
+%preun
+%systemd_preun nginx-proxy-manager-plus.service
+
+%postun
+%systemd_postun nginx-proxy-manager-plus.service
+
+%clean
+%{__rm} -rf %{buildroot}
+
+%files
+%defattr(-,root,root,-)
+%{_datadir}/containers/systemd/nginx-proxy-manager-plus.container
+%dir %attr(0750,root,root) %{_sysconfdir}/nginx-proxy-manager-plus
+%config(noreplace) %attr(0640,root,root) %{_sysconfdir}/nginx-proxy-manager-plus/container.conf
+%dir %attr(0750,root,root) %{_sharedstatedir}/nginx-proxy-manager-plus
+
+%changelog
+* Thu Mar 19 2026 Zoran Pericic - 1.0.0-1
+- Initial package
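Review bot: `%clean`, the `%{__rm} -rf %{buildroot}` at the top of `%install`, `%defattr(-,root,root,-)` and the `Group:` tag are legacy boilerplate that current rpmbuild either performs itself or ignores, so dropping them shortens the spec without changing the resulting package. `%{_sharedstatedir}/nginx-proxy-manager-plus` is both packaged here as a 0750 root:root `%dir` and re-created by the unit's first `ExecStartPre`; the packaged `%dir` is the one `rpm -V` tracks, so the duplicate in the .container file is the one to drop. Installing container.conf as `%config(noreplace) %attr(0640,root,root)` is the right call given the secret-bearing keys it can hold; a short comment above that line, `# 0640: container.conf may hold ACME EAB / OIDC secrets`, would record the reason for the tight mode.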