v1.0.0-1

2026-03-19 13:57:20 +01:00
commit 8823c67af2
3 changed files with 289 additions and 0 deletions
--- a/container.conf
+++ b/container.conf
@@ -0,0 +1,220 @@
+# set timezone, required, set it to one of the values from the "TZ identifier" https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
+TZ=Europe/Zagreb
+
+# email address which should be used for acme, currently optional, may be required in the future, so I recommend you to enter your email here, optional for letsencrypt, but required for zerossl and google public ca
+ACME_EMAIL=ssl@netst.org
+
+# acme server used when requesting/renewing certs using certbot, default is set to: https://acme-v02.api.letsencrypt.org/directory (letsencrypt)
+#ACME_SERVER=https://dv.acme-v02.api.pki.goog/directory (google public ca) / https://acme.zerossl.com/v2/DV90 (zerossl)
+
+# Key Identifier for External Account Binding for the acme server, not supported by letsencrypt, optional for zerossl (Login on theier site => Developer), but required for google public ca: https://cloud.google.com/certificate-manager/docs/public-ca-tutorial?hl=de#request-key-hmac
+#ACME_EAB_KID=123456789abcdef
+
+# HMAC key for External Account Binding for the acme server, not supported by letsencrypt, optional for zerossl (Login on theier site => Developer), but required for google public ca: https://cloud.google.com/certificate-manager/docs/public-ca-tutorial?hl=de#request-key-hmac
+#ACME_EAB_HMAC_KEY=123456789abcdef
+
+# enables must-staple, default false, I recommend you to enable this if your CA supports it, supported by zerossl, google public ca ignores this, unsupported by letsencrypt (will fail), overrides ACME_OCSP_STAPLING to true
+#ACME_MUST_STAPLE=true
+
+# enables ocsp stapling, default false, I recommend you to enable this if your CA supports it, supported by zerossl and google public ca
+#ACME_OCSP_STAPLING=true
+
+# sets the profile to be used from the acme server, default is "none" (so the default profile), supported by letsencrypt (https://letsencrypt.org/docs/profiles), if you use letsencrypt I would recommend the "shortlived" profile, until it is public you should use the "tlsserver" profile, note: both are limited to 25 domains per cert instead of 100 like the "classic" (default) profile
+#ACME_PROFILE=shortlived
+
+# which key type to use ecdsa or rsa, default and recommended: ecdsa
+#ACME_KEY_TYPE=rsa
+
+# enables checking if ACME_SERVER has a valid TLS cert, default and recommended true
+#ACME_SERVER_TLS_VERIFY=false
+
+# enables ocsp stapling for custom certs, default false, I recommend you to enable this if your custom certs support it
+#CUSTOM_OCSP_STAPLING=true
+
+# set user id, needs to be a number greater or equal to 99, or equal to 0, default 0 (root)
+#PUID=1000
+
+# set group id, needs to be a number greater or equal to 99, or equal to 0, default 0 (root), requires PUID to be not 0
+#PGID=1000
+
+# Port the NPM UI should be bound to, default 81, you need to change it, if you want to run multiple npm instances in network mode host
+#NPM_PORT=82
+
+# Port the goaccess should be bound to, default 91, you need to change it, if you want to run multiple npm with goaccess instances in network mode host
+#GOA_PORT=92
+
+# IPv4 address to bind, defaults to all
+#IPV4_BINDING=127.0.0.1
+
+# IPv4 address to bind for the NPM UI, defaults to all
+#NPM_IPV4_BINDING=127.0.0.1
+
+# IPv4 address to bind for the goaccess, defaults to all
+#GOA_IPV4_BINDING=127.0.0.1
+
+# IPv6 address to bind, defaults to all
+#IPV6_BINDING=[::1]
+
+# IPv6 address to bind for the NPM UI, defaults to all
+#NPM_IPV6_BINDING=[::1]
+
+# IPv6 address to bind for goaccess, defaults to all
+#GOA_IPV6_BINDING=[::1]
+
+# fully disables listing on IPv6 and the IPv6 resolver of nginx, overrides IPV6_BINDING/NPM_IPV6_BINDING/GOA_IPV6_BINDING, default false
+#DISABLE_IPV6=true
+
+# Binds the NPM UI only to localhost (IPv4+IPv6), overrides NPM_IPV4_BINDING/NPM_IPV6_BINDING, default false
+#NPM_LISTEN_LOCALHOST=true
+
+# Binds goaccess only to localhost (IPv4+IPv6), overrides GOA_IPV4_BINDING/GOA_IPV6_BINDING, default false
+#GOA_LISTEN_LOCALHOST=true
+
+# ID of cert, which should be used instead of dummycerts, default 0/unset/dummycerts
+#DEFAULT_CERT_ID=1
+
+# tcp port to use for http traffic, changing this may breaks certbot http challenge, default 80
+#HTTP_PORT=8080
+
+# udp and tcp port to use for https traffic, changing this may breaks certbot http challenge, default 443
+#HTTPS_PORT=8443
+
+# disables nginx to listen on port 80, default false
+#DISABLE_HTTP=true
+
+# should listeners of http(s) hosts (proxy/redirect/dead and default) use proxy protocol instead of http(s)? default false, overrides DISABLE_H3_QUIC to true
+#LISTEN_PROXY_PROTOCOL=true
+
+# use proxy protocol for http listeners only, default false
+#LISTEN_PROXY_PROTOCOL_HTTP=true
+
+# use proxy protocol for https listeners only, default false, overrides DISABLE_H3_QUIC to true
+#LISTEN_PROXY_PROTOCOL_HTTPS=true
+
+# disables nginx to listen on port 443 udp for default host and all your hosts, this will fully disable HTTP/3 and QUIC, even if you enable it inside the UI, not recommended, default false
+#DISABLE_H3_QUIC=true
+
+# enables nginxs quic_bpf (https://nginx.org/en/docs/http/ngx_http_v3_module.html#quic_bpf), you also need to add caps to the NPMplus container (BPF, PERFMON, NET_ADMIN) to use this, recommended, default false
+#NGINX_QUIC_BPF=true
+
+# Log 404 errors to the docker logs, unrelated to access logs, default false
+#NGINX_LOG_NOT_FOUND=true
+
+# value of worker_processes, default and recommended: auto
+#NGINX_WORKER_PROCESSES=8
+
+# value of worker_connections, default: 512
+#NGINX_WORKER_CONNECTIONS=1024
+
+# forces X25519MLKEM768 as only key exchange, overrides NGINX_DISABLE_TLS12 to true and NGINX_TRUST_SECPR1 to false, default false
+#NGINX_FORCE_X25519MLKEM768=true
+
+# disables TLS 1.2, only TLS 1.3 will be available, default false
+#NGINX_DISABLE_TLS12=true
+
+# trust secp256r1 (prime256v1) curve, default true
+#NGINX_TRUST_SECPR1=false
+
+# disables nginxbeautifier, useful when it fails parsing non-standard custom/advanced configs, default false
+#DISABLE_NGINX_BEAUTIFIER=true
+
+# trust and whitelist cloudflare ip ranges, default false
+#TRUST_CLOUDFLARE=true
+
+# Enables writing http access logs to /opt/npmplus/nginx/access.log, stream access logs to /opt/npmplus/nginx/stream.log and enables daily logrotation, default false
+#LOGROTATE=true
+
+# Set how often the access.log should be rotated until it is deleted, default 3
+#LOGROTATIONS=7
+
+# Set how many hours should be between certbot trying to renew your certs, default 3
+#CRT=72
+
+# Enables goaccess (and overrides LOGROTATE to true), default false --- if you download the GeoLite2-Country.mmdb, GeoLite2-City.mmdb AND GeoLite2-ASN.mmdb file from MaxMind and place them in /opt/npmplus/goaccess/geoip it will automatically enable GeoIP in goaccess after restarting NPMplus (no need to change GOACLA below), you may also enable the geoipupdate container below (please change the timezone)
+#GOA=true
+
+# Arguments that should be passed to goaccess, default: --agent-list --real-os --double-decode --anonymize-ip --anonymize-level=1 --keep-last=30 --with-output-resolver --no-query-string
+#GOACLA=--agent-list --real-os --double-decode --anonymize-ip --anonymize-level=2 --keep-last=7 --with-output-resolver --no-query-string
+
+# Activate PHP83, default false, supported, but not recommended, you should prefer to use a dedicated php-fpm container
+#PHP83=true
+
+# Add php extensions, also enables PHP83, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.21&repo=community&arch=x86_64&name=php83-*, default none, requires PHP83
+#PHP83_APKS=php83-curl php83-openssl
+
+# Activate PHP84, default false, supported, but not recommended, you should prefer to use a dedicated php-fpm container
+#PHP84=true
+
+# Add php extensions, also enables PHP84, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.21&repo=community&arch=x86_64&name=php84-*, default none, requires PHP84
+#PHP84_APKS=php84-curl php84-openssl
+
+# Activate PHP85, default false, supported, but not recommended, you should prefer to use a dedicated php-fpm container
+#PHP85=true
+
+# Add php extensions, also enables PHP85, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.21&repo=community&arch=x86_64&name=php85-*, default none, requires PHP85
+#PHP85_APKS=php85-curl php85-openssl
+
+# Add php extensions, default none, requires PHP83, PHP84 and/or PHP85, not recommended, please use PHP83_APKS, PHP84_APKS or PHP85_APKS
+#PHP_APKS=php-pecl-apcu php-pecl-redis
+
+# email to use instead of admin@example.org on first start of NPMplus for the initial user
+#INITIAL_ADMIN_EMAIL=<initial@email.tld>
+
+# password to use instead of a random password which is logged on first start of NPMplus for the initial user
+#INITIAL_ADMIN_PASSWORD=<initial-password>
+
+# default page to set on first start of NPMplus for the initial user, default congratulations, can be one of: 404, 444, redirect, congratulations or html
+#INITIAL_DEFAULT_PAGE=444
+
+# disable gravatar, default false
+#DISABLE_GRAVATAR=true
+
+# see readme, default off
+#ENABLE_PRERUN=true
+
+# loads the openappsec attachment module, you also need to set ipc and enable the shm-volume for NPMplus, this will fully disable brotli, default false
+#NGINX_LOAD_OPENAPPSEC_ATTACHMENT_MODULE=true
+
+# loads the geoip2 module, you need to configure this yourself, default false
+#NGINX_LOAD_GEOIP2_MODULE=true
+
+# loads the njs module (nginx JavaScript module), you need to configure this yourself, default false
+#NGINX_LOAD_NJS_MODULE=true
+
+# loads the ldap module, you need to configure this yourself, default false
+#NGINX_LOAD_LDAP_MODULE=true
+
+# loads the ntlm module, you need to configure this yourself, default false
+#NGINX_LOAD_NTLM_MODULE=true
+
+# loads the virtual host traffic status module, you need to configure this yourself, default false
+#NGINX_LOAD_VHOST_TRAFFIC_STATUS_MODULE=true
+
+# OIDC login for NPMplus admin UI, all four are required together or none
+#OIDC_REDIRECT_DOMAIN=npm.example.com
+#OIDC_ISSUER_URL=https://auth.example.com
+#OIDC_CLIENT_ID=npmplus
+#OIDC_CLIENT_SECRET=secret
+
+# require verified email for OIDC login, default true
+#OIDC_REQUIRE_VERIFIED_EMAIL=true
+
+# disable password login when OIDC is configured, default false
+#OIDC_DISABLE_PASSWORD=true
+
+# Anubis bot challenge integration, upstream URL must not contain a path
+#AUTH_REQUEST_ANUBIS_UPSTREAM=http://127.0.0.1:8923
+
+# use custom anubis challenge images from /data/anubis/, default false
+#AUTH_REQUEST_ANUBIS_USE_CUSTOM_IMAGES=true
+
+# Tinyauth integration, both upstream and domain are required together
+#AUTH_REQUEST_TINYAUTH_UPSTREAM=http://127.0.0.1:3000
+#AUTH_REQUEST_TINYAUTH_DOMAIN=example.com
+
+# Authelia integration, upstream URL must not contain a path
+#AUTH_REQUEST_AUTHELIA_UPSTREAM=http://127.0.0.1:9091
+
+# Authentik integration, upstream is required, domain is optional
+#AUTH_REQUEST_AUTHENTIK_UPSTREAM=http://127.0.0.1:9000
+#AUTH_REQUEST_AUTHENTIK_DOMAIN=example.com
--- a/nginx-proxy-manager-plus.container
+++ b/nginx-proxy-manager-plus.container
@@ -0,0 +1,18 @@
+[Unit]
+Description=nginx-proxy-manager-plus
+
+[Container]
+ContainerName=nginx-proxy-manager-plus
+EnvironmentFile=/etc/nginx-proxy-manager-plus/container.conf
+Image=docker.io/zoeyvid/npmplus:latest
+Volume=/var/lib/nginx-proxy-manager-plus/data:/data
+AddCapability=BPF PERFMON NET_ADMIN
+Network=host
+
+[Service]
+Restart=always
+ExecStartPre=/usr/bin/install -d -m '0750' -o root -g root /var/lib/nginx-proxy-manager-plus
+ExecStartPre=/usr/bin/install -d -m '0750' -o 1000 -g 1000 /var/lib/nginx-proxy-manager-plus/data
+
+[Install]
+WantedBy=multi-user.target default.target
--- a/nginx-proxy-manager-plus.spec
+++ b/nginx-proxy-manager-plus.spec
@@ -0,0 +1,51 @@
+Name:           nginx-proxy-manager-plus
+Version:        1.0.0
+Release:        1%{?dist}
+Summary:        NPMplus - Nginx Proxy Manager Plus (container)
+License:        AGPL-3.0
+Group:          System Environment/Base
+URL:            https://github.com/ZoeyVid/NPMplus
+
+Source0:        nginx-proxy-manager-plus.container
+Source1:        container.conf
+
+BuildArch:      noarch
+BuildRequires:  systemd-rpm-macros
+Requires:       podman
+Requires:       containers-common
+
+%description
+NPMplus is a hardened fork of Nginx Proxy Manager with HTTP/3, post-quantum
+TLS, CrowdSec/openappsec WAF, OIDC, GoAccess analytics, and more.
+Runs as a Podman container via quadlet.
+
+%install
+%{__rm} -rf %{buildroot}
+
+install -p -D -m 644 %{SOURCE0} %{buildroot}%{_datadir}/containers/systemd/nginx-proxy-manager-plus.container
+install -d -m 750 %{buildroot}%{_sysconfdir}/nginx-proxy-manager-plus
+install -m 640 %{SOURCE1} %{buildroot}%{_sysconfdir}/nginx-proxy-manager-plus/container.conf
+install -d -m 750 %{buildroot}%{_sharedstatedir}/nginx-proxy-manager-plus
+
+%post
+%systemd_post nginx-proxy-manager-plus.service
+
+%preun
+%systemd_preun nginx-proxy-manager-plus.service
+
+%postun
+%systemd_postun nginx-proxy-manager-plus.service
+
+%clean
+%{__rm} -rf %{buildroot}
+
+%files
+%defattr(-,root,root,-)
+%{_datadir}/containers/systemd/nginx-proxy-manager-plus.container
+%dir %attr(0750,root,root) %{_sysconfdir}/nginx-proxy-manager-plus
+%config(noreplace) %attr(0640,root,root) %{_sysconfdir}/nginx-proxy-manager-plus/container.conf
+%dir %attr(0750,root,root) %{_sharedstatedir}/nginx-proxy-manager-plus
+
+%changelog
+* Thu Mar 19 2026 Zoran Pericic <zpericic@netst.org> - 1.0.0-1
+- Initial package