v1.0.0-1

2026-03-19 13:57:20 +01:00
commit 8823c67af2
3 changed files with 289 additions and 0 deletions
--- a/container.conf
+++ b/container.conf
@@ -0,0 +1,220 @@
 # set timezone, required, set it to one of the values from the "TZ identifier" https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
 TZ=Europe/Zagreb
 # email address which should be used for acme, currently optional, may be required in the future, so I recommend you to enter your email here, optional for letsencrypt, but required for zerossl and google public ca
 ACME_EMAIL=ssl@netst.org
 # acme server used when requesting/renewing certs using certbot, default is set to: https://acme-v02.api.letsencrypt.org/directory (letsencrypt)
 #ACME_SERVER=https://dv.acme-v02.api.pki.goog/directory (google public ca) / https://acme.zerossl.com/v2/DV90 (zerossl)
 # Key Identifier for External Account Binding for the acme server, not supported by letsencrypt, optional for zerossl (Login on theier site => Developer), but required for google public ca: https://cloud.google.com/certificate-manager/docs/public-ca-tutorial?hl=de#request-key-hmac
 #ACME_EAB_KID=123456789abcdef
 # HMAC key for External Account Binding for the acme server, not supported by letsencrypt, optional for zerossl (Login on theier site => Developer), but required for google public ca: https://cloud.google.com/certificate-manager/docs/public-ca-tutorial?hl=de#request-key-hmac
 #ACME_EAB_HMAC_KEY=123456789abcdef
 # enables must-staple, default false, I recommend you to enable this if your CA supports it, supported by zerossl, google public ca ignores this, unsupported by letsencrypt (will fail), overrides ACME_OCSP_STAPLING to true
 #ACME_MUST_STAPLE=true
 # enables ocsp stapling, default false, I recommend you to enable this if your CA supports it, supported by zerossl and google public ca
 #ACME_OCSP_STAPLING=true
 # sets the profile to be used from the acme server, default is "none" (so the default profile), supported by letsencrypt (https://letsencrypt.org/docs/profiles), if you use letsencrypt I would recommend the "shortlived" profile, until it is public you should use the "tlsserver" profile, note: both are limited to 25 domains per cert instead of 100 like the "classic" (default) profile
 #ACME_PROFILE=shortlived
 # which key type to use ecdsa or rsa, default and recommended: ecdsa
 #ACME_KEY_TYPE=rsa
 # enables checking if ACME_SERVER has a valid TLS cert, default and recommended true
 #ACME_SERVER_TLS_VERIFY=false
 # enables ocsp stapling for custom certs, default false, I recommend you to enable this if your custom certs support it
 #CUSTOM_OCSP_STAPLING=true
 # set user id, needs to be a number greater or equal to 99, or equal to 0, default 0 (root)
 #PUID=1000
 # set group id, needs to be a number greater or equal to 99, or equal to 0, default 0 (root), requires PUID to be not 0
 #PGID=1000
 # Port the NPM UI should be bound to, default 81, you need to change it, if you want to run multiple npm instances in network mode host
 #NPM_PORT=82
 # Port the goaccess should be bound to, default 91, you need to change it, if you want to run multiple npm with goaccess instances in network mode host
 #GOA_PORT=92
 # IPv4 address to bind, defaults to all
 #IPV4_BINDING=127.0.0.1
 # IPv4 address to bind for the NPM UI, defaults to all
 #NPM_IPV4_BINDING=127.0.0.1
 # IPv4 address to bind for the goaccess, defaults to all
 #GOA_IPV4_BINDING=127.0.0.1
 # IPv6 address to bind, defaults to all
 #IPV6_BINDING=[::1]
 # IPv6 address to bind for the NPM UI, defaults to all
 #NPM_IPV6_BINDING=[::1]
 # IPv6 address to bind for goaccess, defaults to all
 #GOA_IPV6_BINDING=[::1]
 # fully disables listing on IPv6 and the IPv6 resolver of nginx, overrides IPV6_BINDING/NPM_IPV6_BINDING/GOA_IPV6_BINDING, default false
 #DISABLE_IPV6=true
 # Binds the NPM UI only to localhost (IPv4+IPv6), overrides NPM_IPV4_BINDING/NPM_IPV6_BINDING, default false
 #NPM_LISTEN_LOCALHOST=true
 # Binds goaccess only to localhost (IPv4+IPv6), overrides GOA_IPV4_BINDING/GOA_IPV6_BINDING, default false
 #GOA_LISTEN_LOCALHOST=true
 # ID of cert, which should be used instead of dummycerts, default 0/unset/dummycerts
 #DEFAULT_CERT_ID=1
 # tcp port to use for http traffic, changing this may breaks certbot http challenge, default 80
 #HTTP_PORT=8080
 # udp and tcp port to use for https traffic, changing this may breaks certbot http challenge, default 443
 #HTTPS_PORT=8443
 # disables nginx to listen on port 80, default false
 #DISABLE_HTTP=true
 # should listeners of http(s) hosts (proxy/redirect/dead and default) use proxy protocol instead of http(s)? default false, overrides DISABLE_H3_QUIC to true
 #LISTEN_PROXY_PROTOCOL=true
 # use proxy protocol for http listeners only, default false
 #LISTEN_PROXY_PROTOCOL_HTTP=true
 # use proxy protocol for https listeners only, default false, overrides DISABLE_H3_QUIC to true
 #LISTEN_PROXY_PROTOCOL_HTTPS=true
 # disables nginx to listen on port 443 udp for default host and all your hosts, this will fully disable HTTP/3 and QUIC, even if you enable it inside the UI, not recommended, default false
 #DISABLE_H3_QUIC=true
 # enables nginxs quic_bpf (https://nginx.org/en/docs/http/ngx_http_v3_module.html#quic_bpf), you also need to add caps to the NPMplus container (BPF, PERFMON, NET_ADMIN) to use this, recommended, default false
 #NGINX_QUIC_BPF=true
 # Log 404 errors to the docker logs, unrelated to access logs, default false
 #NGINX_LOG_NOT_FOUND=true
 # value of worker_processes, default and recommended: auto
 #NGINX_WORKER_PROCESSES=8
 # value of worker_connections, default: 512
 #NGINX_WORKER_CONNECTIONS=1024
 # forces X25519MLKEM768 as only key exchange, overrides NGINX_DISABLE_TLS12 to true and NGINX_TRUST_SECPR1 to false, default false
 #NGINX_FORCE_X25519MLKEM768=true
 # disables TLS 1.2, only TLS 1.3 will be available, default false
 #NGINX_DISABLE_TLS12=true
 # trust secp256r1 (prime256v1) curve, default true
 #NGINX_TRUST_SECPR1=false
 # disables nginxbeautifier, useful when it fails parsing non-standard custom/advanced configs, default false
 #DISABLE_NGINX_BEAUTIFIER=true
 # trust and whitelist cloudflare ip ranges, default false
 #TRUST_CLOUDFLARE=true
 # Enables writing http access logs to /opt/npmplus/nginx/access.log, stream access logs to /opt/npmplus/nginx/stream.log and enables daily logrotation, default false
 #LOGROTATE=true
 # Set how often the access.log should be rotated until it is deleted, default 3
 #LOGROTATIONS=7
 # Set how many hours should be between certbot trying to renew your certs, default 3
 #CRT=72
 # Enables goaccess (and overrides LOGROTATE to true), default false --- if you download the GeoLite2-Country.mmdb, GeoLite2-City.mmdb AND GeoLite2-ASN.mmdb file from MaxMind and place them in /opt/npmplus/goaccess/geoip it will automatically enable GeoIP in goaccess after restarting NPMplus (no need to change GOACLA below), you may also enable the geoipupdate container below (please change the timezone)
 #GOA=true
 # Arguments that should be passed to goaccess, default: --agent-list --real-os --double-decode --anonymize-ip --anonymize-level=1 --keep-last=30 --with-output-resolver --no-query-string
 #GOACLA=--agent-list --real-os --double-decode --anonymize-ip --anonymize-level=2 --keep-last=7 --with-output-resolver --no-query-string
 # Activate PHP83, default false, supported, but not recommended, you should prefer to use a dedicated php-fpm container
 #PHP83=true
 # Add php extensions, also enables PHP83, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.21&repo=community&arch=x86_64&name=php83-*, default none, requires PHP83
 #PHP83_APKS=php83-curl php83-openssl
 # Activate PHP84, default false, supported, but not recommended, you should prefer to use a dedicated php-fpm container
 #PHP84=true
 # Add php extensions, also enables PHP84, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.21&repo=community&arch=x86_64&name=php84-*, default none, requires PHP84
 #PHP84_APKS=php84-curl php84-openssl
 # Activate PHP85, default false, supported, but not recommended, you should prefer to use a dedicated php-fpm container
 #PHP85=true
 # Add php extensions, also enables PHP85, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.21&repo=community&arch=x86_64&name=php85-*, default none, requires PHP85
 #PHP85_APKS=php85-curl php85-openssl
 # Add php extensions, default none, requires PHP83, PHP84 and/or PHP85, not recommended, please use PHP83_APKS, PHP84_APKS or PHP85_APKS
 #PHP_APKS=php-pecl-apcu php-pecl-redis
 # email to use instead of admin@example.org on first start of NPMplus for the initial user
 #INITIAL_ADMIN_EMAIL=<initial@email.tld>
 # password to use instead of a random password which is logged on first start of NPMplus for the initial user
 #INITIAL_ADMIN_PASSWORD=<initial-password>
 # default page to set on first start of NPMplus for the initial user, default congratulations, can be one of: 404, 444, redirect, congratulations or html
 #INITIAL_DEFAULT_PAGE=444
 # disable gravatar, default false
 #DISABLE_GRAVATAR=true
 # see readme, default off
 #ENABLE_PRERUN=true
 # loads the openappsec attachment module, you also need to set ipc and enable the shm-volume for NPMplus, this will fully disable brotli, default false
 #NGINX_LOAD_OPENAPPSEC_ATTACHMENT_MODULE=true
 # loads the geoip2 module, you need to configure this yourself, default false
 #NGINX_LOAD_GEOIP2_MODULE=true
 # loads the njs module (nginx JavaScript module), you need to configure this yourself, default false
 #NGINX_LOAD_NJS_MODULE=true
 # loads the ldap module, you need to configure this yourself, default false
 #NGINX_LOAD_LDAP_MODULE=true
 # loads the ntlm module, you need to configure this yourself, default false
 #NGINX_LOAD_NTLM_MODULE=true
 # loads the virtual host traffic status module, you need to configure this yourself, default false
 #NGINX_LOAD_VHOST_TRAFFIC_STATUS_MODULE=true
 # OIDC login for NPMplus admin UI, all four are required together or none
 #OIDC_REDIRECT_DOMAIN=npm.example.com
 #OIDC_ISSUER_URL=https://auth.example.com
 #OIDC_CLIENT_ID=npmplus
 #OIDC_CLIENT_SECRET=secret
 # require verified email for OIDC login, default true
 #OIDC_REQUIRE_VERIFIED_EMAIL=true
 # disable password login when OIDC is configured, default false
 #OIDC_DISABLE_PASSWORD=true
 # Anubis bot challenge integration, upstream URL must not contain a path
 #AUTH_REQUEST_ANUBIS_UPSTREAM=http://127.0.0.1:8923
 # use custom anubis challenge images from /data/anubis/, default false
 #AUTH_REQUEST_ANUBIS_USE_CUSTOM_IMAGES=true
 # Tinyauth integration, both upstream and domain are required together
 #AUTH_REQUEST_TINYAUTH_UPSTREAM=http://127.0.0.1:3000
 #AUTH_REQUEST_TINYAUTH_DOMAIN=example.com
 # Authelia integration, upstream URL must not contain a path
 #AUTH_REQUEST_AUTHELIA_UPSTREAM=http://127.0.0.1:9091
 # Authentik integration, upstream is required, domain is optional
 #AUTH_REQUEST_AUTHENTIK_UPSTREAM=http://127.0.0.1:9000
 #AUTH_REQUEST_AUTHENTIK_DOMAIN=example.com
--- a/nginx-proxy-manager-plus.container
+++ b/nginx-proxy-manager-plus.container
@@ -0,0 +1,18 @@
 [Unit]
 Description=nginx-proxy-manager-plus
 [Container]
 ContainerName=nginx-proxy-manager-plus
 EnvironmentFile=/etc/nginx-proxy-manager-plus/container.conf
 Image=docker.io/zoeyvid/npmplus:latest
 Volume=/var/lib/nginx-proxy-manager-plus/data:/data
 AddCapability=BPF PERFMON NET_ADMIN
 Network=host
 [Service]
 Restart=always
 ExecStartPre=/usr/bin/install -d -m '0750' -o root -g root /var/lib/nginx-proxy-manager-plus
 ExecStartPre=/usr/bin/install -d -m '0750' -o 1000 -g 1000 /var/lib/nginx-proxy-manager-plus/data
 [Install]
 WantedBy=multi-user.target default.target
--- a/nginx-proxy-manager-plus.spec
+++ b/nginx-proxy-manager-plus.spec
@@ -0,0 +1,51 @@
 Name:           nginx-proxy-manager-plus
 Version:        1.0.0
 Release:        1%{?dist}
 Summary:        NPMplus - Nginx Proxy Manager Plus (container)
 License:        AGPL-3.0
 Group:          System Environment/Base
 URL:            https://github.com/ZoeyVid/NPMplus
 Source0:        nginx-proxy-manager-plus.container
 Source1:        container.conf
 BuildArch:      noarch
 BuildRequires:  systemd-rpm-macros
 Requires:       podman
 Requires:       containers-common
 %description
 NPMplus is a hardened fork of Nginx Proxy Manager with HTTP/3, post-quantum
 TLS, CrowdSec/openappsec WAF, OIDC, GoAccess analytics, and more.
 Runs as a Podman container via quadlet.
 %install
 %{__rm} -rf %{buildroot}
 install -p -D -m 644 %{SOURCE0} %{buildroot}%{_datadir}/containers/systemd/nginx-proxy-manager-plus.container
 install -d -m 750 %{buildroot}%{_sysconfdir}/nginx-proxy-manager-plus
 install -m 640 %{SOURCE1} %{buildroot}%{_sysconfdir}/nginx-proxy-manager-plus/container.conf
 install -d -m 750 %{buildroot}%{_sharedstatedir}/nginx-proxy-manager-plus
 %post
 %systemd_post nginx-proxy-manager-plus.service
 %preun
 %systemd_preun nginx-proxy-manager-plus.service
 %postun
 %systemd_postun nginx-proxy-manager-plus.service
 %clean
 %{__rm} -rf %{buildroot}
 %files
 %defattr(-,root,root,-)
 %{_datadir}/containers/systemd/nginx-proxy-manager-plus.container
 %dir %attr(0750,root,root) %{_sysconfdir}/nginx-proxy-manager-plus
 %config(noreplace) %attr(0640,root,root) %{_sysconfdir}/nginx-proxy-manager-plus/container.conf
 %dir %attr(0750,root,root) %{_sharedstatedir}/nginx-proxy-manager-plus
 %changelog
 * Thu Mar 19 2026 Zoran Pericic <zpericic@netst.org> - 1.0.0-1
 - Initial package