Compare commits


No commits in common. "e9465d50a015d9f3e87adb2207f1bf91609ee1be" and "4df7522645ed5960339c913994c22b15fb88cac3" have entirely different histories.

18 changed files with 237 additions and 135 deletions

BIN
.env

Binary file not shown.

1
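--- a/.gitattributes
+++ b/.gitattributes
@@ -7,4 +7,3 @@ ddclient/ddclient.conf filter=git-crypt diff=git-crypt
 *.secret filter=git-crypt diff=git-crypt
 htpasswd filter=git-crypt diff=git-crypt
 id_rsa filter=git-crypt diff=git-crypt
-.env filter=git-crypt diff=git-crypt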


@ -27,5 +27,3 @@ home.guiotte.fr. IN CNAME dm.guiotte.fr.
zotero.guiotte.fr. IN CNAME dm.guiotte.fr. zotero.guiotte.fr. IN CNAME dm.guiotte.fr.
git.guiotte.fr. IN CNAME dm.guiotte.fr. git.guiotte.fr. IN CNAME dm.guiotte.fr.
db.guiotte.fr. IN CNAME dm.guiotte.fr. db.guiotte.fr. IN CNAME dm.guiotte.fr.
flix.guiotte.fr. IN CNAME dm.guiotte.fr.
task.guiotte.fr. IN CNAME dm.guiotte.fr.

Binary file not shown.


@ -197,6 +197,22 @@ services:
restart: unless-stopped restart: unless-stopped
taskserver:
build: taskserver
container_name: taskserver
hostname: dm.guiotte.fr
restart: always
environment: *common-environment
env_file:
- taskserver/taskserver.env
ports:
- "53589:53589"
volumes:
- taskserver-data:/var/taskd
- taskserver-certs:/ssl_certs
- ./taskserver/client_certs:/client_certs
# Not in use anymore # Not in use anymore
# subdomain still activated though # subdomain still activated though
#slides-notes: #slides-notes:
@ -285,42 +301,40 @@ services:
volumes: volumes:
- homeassistant-config:/config - homeassistant-config:/config
restart: unless-stopped restart: unless-stopped
# NOTE: Temporarily disable zigbee and wifi iot devices:
# - /dev/serial/by-id/usb-ITEAD_SONOFF_Zigbee_3.0_USB_Dongle_Plus_V2_20240219191913-if00:/dev/ttyACM0
# devices:
# - /dev/serial/by-id/usb-ITEAD_SONOFF_Zigbee_3.0_USB_Dongle_Plus_V2_20240219191913-if00:/dev/ttyACM0
# yee0:
# build: ssh
#yee0: container_name: yee0
# build: ssh volumes:
# container_name: yee0 - ./ssh/id_rsa:/root/.ssh/id_rsa
# volumes: environment:
# - ./ssh/id_rsa:/root/.ssh/id_rsa - SSH_HOSTNAME=192.168.1.5
# environment: - SSH_USERNAME=alarm
# - SSH_HOSTNAME=192.168.1.5 - SSH_LOCAL_PORT=55443
# - SSH_USERNAME=alarm - SSH_DESTINATION=10.0.0.100
# - SSH_LOCAL_PORT=55443 - SSH_DESTINATION_PORT=55443
# - SSH_DESTINATION=10.0.0.100 #ports:
# - SSH_DESTINATION_PORT=55443 # - 55443:55443
# #ports: restart: unless-stopped
# # - 55443:55443
# restart: unless-stopped
# yee1:
# build: ssh
#yee1: container_name: yee1
# build: ssh volumes:
# container_name: yee1 - ./ssh/id_rsa:/root/.ssh/id_rsa
# volumes: environment:
# - ./ssh/id_rsa:/root/.ssh/id_rsa - SSH_HOSTNAME=192.168.1.5
# environment: - SSH_USERNAME=alarm
# - SSH_HOSTNAME=192.168.1.5 - SSH_LOCAL_PORT=55443
# - SSH_USERNAME=alarm - SSH_DESTINATION=10.0.0.101
# - SSH_LOCAL_PORT=55443 - SSH_DESTINATION_PORT=55443
# - SSH_DESTINATION=10.0.0.101 #ports:
# - SSH_DESTINATION_PORT=55443 # - 55443:55443
# #ports: restart: unless-stopped
# # - 55443:55443
# restart: unless-stopped
gitea: gitea:
image: gitea/gitea:latest image: gitea/gitea:latest
@ -391,37 +405,6 @@ services:
- nocodb-db-pw - nocodb-db-pw
jellyfin:
image: lscr.io/linuxserver/jellyfin:latest
container_name: jellyfin
environment:
<<: *common-environment
JELLYFIN_PublishedServerUrl: https://flix.guiotte.fr
volumes:
- jellyfin-config:/config
- /storage/@media/video:/data/video
- /storage/@media/music:/data/music
ports:
- 7359:7359/udp #optional Allows clients to discover Jellyfin on the local network
- 1900:1900/udp #optional Service discovery used by DNLA and clients
restart: unless-stopped
devices:
- /dev/dri:/dev/dri
taskchampion:
image: ghcr.io/gothenburgbitfactory/taskchampion-sync-server:latest
container_name: taskchampion
restart: unless-stopped
environment:
- "RUST_LOG=info" # Log every request
- "DATA_DIR=/taskchampion-data"
- "TASKCHAMPION_SYNC_SERVER_HOSTNAME=task.guiotte.fr"
- "TASKCHAMPION_SYNC_SERVER_CLIENT_ID=${TASKCHAMPION_SYNC_SERVER_CLIENT_ID}"
volumes:
- taskchampion-data:/taskchampion-data
volumes: volumes:
money-data: money-data:
lychee-db: lychee-db:
@ -447,8 +430,6 @@ volumes:
nocodb: nocodb:
nocodb-data: nocodb-data:
nocodb-db: nocodb-db:
jellyfin-config:
taskchampion-data:
secrets: secrets:
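Review bot: The bind mount `./taskserver/client_certs:/client_certs` added to the new taskserver service receives the user's private key and the CA certificate (the generate and regroup init scripts further down this page copy `$TASKD_USERNAME.key.pem` into it), yet the `.gitattributes` rules shown on this page cover only `*.secret`, `htpasswd`, `id_rsa` and `.env`, so a `*.key.pem` under `taskserver/` would be committed in plaintext unless a `.gitignore` not visible here excludes it. Either add `taskserver/client_certs/` to `.gitignore` or add `taskserver/client_certs/*.key.pem filter=git-crypt diff=git-crypt` next to the existing rules. As a style point, the new service uses `restart: always` while its neighbours use `restart: unless-stopped`. The services stanza starts and ends outside the visible hunks.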


@ -1,63 +0,0 @@
## Version 2024/07/16
# REMOVE THIS LINE BEFORE SUBMITTING: The structure of the file (all of the existing lines) should be kept as close as possible to this template.
# REMOVE THIS LINE BEFORE SUBMITTING: Look through this file for <tags> and replace them. Review other sample files to see how things are done.
# REMOVE THIS LINE BEFORE SUBMITTING: The comment lines at the top of the file (below this line) should explain any prerequisites for using the proxy such as DNS or app settings.
# make sure that your <container_name> container is named <container_name>
# make sure that your dns has a cname set for <container_name>
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name task.*;
include /config/nginx/ssl.conf;
client_max_body_size 0;
# enable for ldap auth (requires ldap-location.conf in the location block)
#include /config/nginx/ldap-server.conf;
# enable for Authelia (requires authelia-location.conf in the location block)
#include /config/nginx/authelia-server.conf;
# enable for Authentik (requires authentik-location.conf in the location block)
#include /config/nginx/authentik-server.conf;
location / {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block)
#include /config/nginx/ldap-location.conf;
# enable for Authelia (requires authelia-server.conf in the server block)
#include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_app taskchampion;
set $upstream_port 8080;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
# REMOVE THIS LINE BEFORE SUBMITTING: Additional proxy settings such as headers go below this line, leave the blank line above.
}
# REMOVE THIS LINE BEFORE SUBMITTING: Some proxies require one or more additional location blocks for things like API or RPC endpoints.
# REMOVE THIS LINE BEFORE SUBMITTING: If the proxy you are making a sample for does not require an additional location block please remove the commented out section below.
# location ~ (/<container_name>)?/api {
# include /config/nginx/proxy.conf;
# include /config/nginx/resolver.conf;
# set $upstream_app <container_name>;
# set $upstream_port <port_number>;
# set $upstream_proto <http or https>;
# proxy_pass $upstream_proto://$upstream_app:$upstream_port;
#
# # REMOVE THIS LINE BEFORE SUBMITTING: Additional proxy settings such as headers go below this line, leave the blank line above.
# }
}

13
taskserver/Dockerfile Normal file

@ -0,0 +1,13 @@
FROM ghcr.io/linuxserver/baseimage-alpine:3.16
RUN apk --no-cache add taskd
ENV TASKDDATA=/var/taskd
VOLUME /var/taskd
COPY root/ /
VOLUME /ssl_certs/ /client_certs/
EXPOSE 53589
ENTRYPOINT ["/init"]
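Review bot: The base image `ghcr.io/linuxserver/baseimage-alpine:3.16` is a floating tag for an Alpine release that is past end-of-life, so `apk --no-cache add taskd` on line 197 will stop receiving security fixes and the build is not reproducible; pin a supported release and a digest, e.g. `FROM ghcr.io/linuxserver/baseimage-alpine:<supported-release>@sha256:<digest>`. The image also leaves `curl` and `gnutls-utils` to be installed by an init script at every container start (visible further down this page); installing them here, `RUN apk --no-cache add taskd curl gnutls-utils`, keeps startup offline and lets the image be scanned as built.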

23
taskserver/README.md Normal file

@ -0,0 +1,23 @@
# Taskserver
Written with the help of
<https://github.com/coaxial/docker-taskd-service>.
## Certs renewal
- *do we need to remove volumes?:* Yes!
Once a year recreate the container and copy the `client_certs` dir! On the server:
```shell
dcc stop taskserver && dcc rm taskserver && docker volume rm docker_taskserver-certs docker_taskserver-data && dcu
```
On the client:
```shell
scp -r florent@dm.guiotte.fr:~/docker/taskserver/client_certs/* ~/.config/task/certs
task config taskd.credentials -- watch/user/$(cat ~/.config/task/certs/user-uuid)
task sync init
```


@ -0,0 +1,20 @@
#!/usr/bin/with-contenv sh
#shellsheck shell=sh
printf "Installing the certificate generator\n"
apk --no-cache add curl gnutls-utils
mkdir -p /opt/src/taskd
# get a copy of the repo wich also contains the certificate generation scripts
curl -sSL https://api.github.com/repos/gothenburgbitfactory/taskserver/tarball/master -o /tmp/taskd.tar.gz
tar xzf /tmp/taskd.tar.gz -C /opt/src/taskd --strip 1
# set the variables for the certs to be generated (as defined in
# taskserver.env)
{
echo "BITS=$TASKD_CERT_BITS";
echo "EXPIRATION_DAYS=$TASKD_CERT_EXPIRATION_DAYS";
echo "ORGANIZATION=\"$TASKD_CERT_ORGANIZATION\"";
echo "CN=$(hostname -f)";
echo "COUNTRY=$TASKD_CERT_COUNTRY";
echo "STATE=\"$TASKD_CERT_STATE\"";
echo "LOCALITY=\"$TASKD_CERT_LOCALITY\"";
} > /opt/src/taskd/pki/vars
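Review bot: The `curl` on line 235 downloads the unpinned `master` tarball of the upstream taskserver repository at every container start, and its `pki/generate*` scripts are later executed as root with no integrity check, so a change or compromise upstream — or a failed download, which this script does not detect since there is no `set -e` and the exit status is ignored — silently alters how the CA and keys are produced. Pin a tag or commit and verify a checksum before extracting, e.g. `curl -fsSL https://api.github.com/repos/gothenburgbitfactory/taskserver/tarball/<tag> -o /tmp/taskd.tar.gz && echo "<sha256>  /tmp/taskd.tar.gz" | sha256sum -c -`, or vendor the few pki scripts into `root/` so the Dockerfile's `COPY root/ /` ships them with the image. Also, the directive on line 230 is misspelled (`#shellsheck`), so shellcheck will not pick up the `shell=sh` hint.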


@ -0,0 +1,20 @@
#!/usr/bin/with-contenv sh
#shellcheck shell=sh
if [ -s "$TASKDDATA/ca.cert.pem" ]; then
printf "Server certificates found, not generating any.\n"
else
# Use the generate script to make the CA and server certificates
printf "No server certificates found, generating them...\n"
cd /opt/src/taskd/pki || exit 1
./generate
# move generated certs to volumes so they're not lost when the container is
# destroyed, and so that they can be accessed from other containers if needed
cp ./client.key.pem /ssl_certs/
cp ./client.cert.pem /ssl_certs/
cp ./server.key.pem /ssl_certs/
cp ./server.cert.pem /ssl_certs/
cp ./ca.key.pem /ssl_certs/
cp ./ca.cert.pem /ssl_certs/
cp ./ca.cert.pem /client_certs/
fi
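Review bot: `./generate` on line 260 runs without its exit status being checked, so if key generation fails the seven `cp` commands that follow each fail on their own and the later init scripts continue with a partially populated `/ssl_certs`; `./generate || exit 1` (and `set -e` at the top) would stop the container at the first error instead. Copying `ca.key.pem` into `/ssl_certs` on line 267 also places the CA signing key next to the server key in a volume the comment says other containers may mount; if it is only needed to issue client certificates, keeping it in `$TASKDDATA` with mode 0600 limits the blast radius. Note that nothing in this script copies a CRL, while the bootstrap script on this page configures `server.crl`.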


@ -0,0 +1,15 @@
#!/usr/bin/with-contenv sh
#shellcheck shell=sh
if [ -s "$TASKDDATA/$TASKD_USERNAME.cert.pem" ]; then
printf "User certificate for %s found, not generating again\n" "$TASKD_USERNAME"
else
# Now we generate the user certificate that will go on the client machine
printf "No certificate found for %s, generating user certificate...\n" "$TASKD_USERNAME"
cd /opt/src/taskd/pki || exit 1
./generate.client "$TASKD_USERNAME"
# move cert and key to a volume so they're not lost when the container is
# removed and so that they're accessible outside the taskd container
cp "$TASKD_USERNAME".cert.pem /client_certs/"$TASKD_USERNAME".cert.pem
cp "$TASKD_USERNAME".key.pem /client_certs/"$TASKD_USERNAME".key.pem
fi
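Review bot: As in the server script, `./generate.client "$TASKD_USERNAME"` on line 283 is not checked, so a failure leaves no key yet the script exits 0 and the two `cp` lines that follow copy nothing; `./generate.client "$TASKD_USERNAME" || exit 1` makes the failure visible. The guard on line 277 tests `$TASKDDATA` while the output is written to `/client_certs`, which only stays consistent because a later init script copies between the two directories; a comment on line 277 stating that ordering dependency would help the next maintainer.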


@ -0,0 +1,29 @@
#!/usr/bin/with-contenv sh
#shellcheck shell=sh
# Regroup all certificates where taskd will look for them
if [ -s "$TASKDDATA/server.cert.pem" ]; then
printf "Server certificates found in %s, not overwriting\n" "$TASKDDATA"
# put the certs in the ssl_certs volume to avoid mismatch between /ssl_certs
# and the ones the server is using
cp "$TASKDDATA/server.key.pem" /ssl_certs
cp "$TASKDDATA/server.cert.pem" /ssl_certs
else
printf "No server certificates in %s, copying them over...\n" "$TASKDDATA"
cp /ssl_certs/server.key.pem "$TASKDDATA"
cp /ssl_certs/server.cert.pem "$TASKDDATA"
fi
if [ -s "$TASKDDATA/$TASKD_USERNAME.cert.pem" ]; then
printf "Client certificates for user %s found in %s, not overwriting\n" "$TASKD_USERNAME" "$TASKDDATA"
# put the certs in the client_certs volume to avoid mismatch between
# /client_certs and the ones the server is using
cp "$TASKDDATA/ca.cert.pem" /client_certs
cp "$TASKDDATA/$TASKD_USERNAME.key.pem" /client_certs
cp "$TASKDDATA/$TASKD_USERNAME.cert.pem" /client_certs
else
printf "No certificates for user %s in %s, copying them over...\n" "$TASKD_USERNAME" "$TASKDDATA"
cp /client_certs/ca.cert.pem "$TASKDDATA"
cp "/client_certs/$TASKD_USERNAME.key.pem" "$TASKDDATA"
cp "/client_certs/$TASKD_USERNAME.cert.pem" "$TASKDDATA"
fi
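Review bot: Lines 312 and 317 copy the user's private key between `$TASKDDATA` and the host-bound `/client_certs` on every start, so once the client has picked up its key an operator cannot remove it from the host directory — it is re-exported at the next restart. Consider exporting only the CA and user certificates here and copying the key a single time when it is absent, e.g. `[ -s "/client_certs/$TASKD_USERNAME.key.pem" ] || cp "$TASKDDATA/$TASKD_USERNAME.key.pem" /client_certs`. The `cp` calls are also unchecked, so a missing source file would surface only later when taskd fails to load its certificates.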


@ -0,0 +1,43 @@
#!/usr/bin/with-contenv sh
#shellcheck shell=sh
# with help from https://blog.polettix.it/setup-a-taskwarrior-server/
# if we already have a config file, we don't want to overwrite it
if [ -s "$TASKDDATA/config" ]; then
printf "%s/config file found, skipping bootstrap\n" "$TASKDDATA"
else
printf "%s/config file not found, bootstrapping taskd\n" "$TASKDDATA"
# configure taskd, create the organization and user
taskd init
touch "$TASKDDATA/taskd.log"
touch "$TASKDDATA/taskd.pid"
chown taskd "$TASKDDATA/taskd.log"
chown taskd "$TASKDDATA/taskd.pid"
taskd config --force server "$(hostname -f):53589"
taskd config --force log "$TASKDDATA"/taskd.log
taskd config --force pid.file "$TASKDDATA"/taskd.pid
taskd config --force server.key "$TASKDDATA"/server.key.pem
taskd config --force server.cert "$TASKDDATA"/server.cert.pem
taskd config --force server.crl "$TASKDDATA"/server.crl.pem
taskd config --force ca.cert "$TASKDDATA"/ca.cert.pem
fi
if find "$TASKDDATA/orgs" -name "$TASKD_ORGNAME" | grep "$TASKD_ORGNAME"; then
printf "Organization %s found, not regenerating it\n" "$TASKD_ORGNAME"
else
printf "Organization %s not found, generating it...\n" "$TASKD_ORGNAME"
taskd add org "$TASKD_ORGNAME"
fi
if grep -qrw "$TASKDDATA/orgs/$TASKD_ORGNAME/users" -e "user=$TASKD_USERNAME"; then
printf "User %s already exists, not recreating it\n" "$TASKD_USERNAME"
# extract the UUID anyway
grep -rw "$TASKDDATA/orgs/$TASKD_ORGNAME/users" -e "user=$TASKD_USERNAME" | sed '/.*\([0-9a-f\-]\{36\}\).*/!d;s//\1/g' > /client_certs/"$TASKD_USERNAME-uuid"
else
printf "User %s didn't exist, creating it...\n" "$TASKD_USERNAME"
# use tee to still write to stdout but also save output to file
taskd add user "$TASKD_ORGNAME" "$TASKD_USERNAME" | tee /client_certs/"$TASKD_USERNAME-uuid"
# now remove the rest of the output and only keep the uuid, useful for
# configuring taskwarrior on the client machine
sed -i '/.*\([0-9a-f\-]\{36\}\)/!d;s//\1/g' /client_certs/"$TASKD_USERNAME-uuid"
fi
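Review bot: Line 343 points `server.crl` at `$TASKDDATA/server.crl.pem`, but none of the certificate scripts on this page copies a CRL into `$TASKDDATA` (only `server.key.pem`, `server.cert.pem`, `ca.cert.pem` and the user files), so confirm that taskd starts without that file, or copy `server.crl.pem` alongside the server certificate if the upstream `pki/generate` produces one. The organisation check on line 346, `find ... | grep "$TASKD_ORGNAME"`, is a substring match and would also report a different org whose name contains this one; `if [ -d "$TASKDDATA/orgs/$TASKD_ORGNAME" ]; then` tests the exact directory that line 352 already assumes exists. The user check on line 352 has the same looseness for `user=` prefixes, although `-w` reduces it.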


@ -0,0 +1,8 @@
#!/usr/bin/with-contenv sh
#shellcheck shell=sh
# make the taskd data dir rw for the user running taskd
chown -R taskd:taskd "$TASKDDATA"
# make client certs readable for every user to work around UID and GID mapping
# inconsistencies across hosts
chmod +r /client_certs/*
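Review bot: `chmod +r /client_certs/*` on line 374 makes the user's private key (`$TASKD_USERNAME.key.pem`, which the other init scripts place in this directory) readable by every account on the host, because `/client_certs` is a bind mount of `./taskserver/client_certs` in the compose file. Restrict the blanket read bit to the certificate and uuid files and hand the key to the intended host user instead, e.g. `chmod o+r /client_certs/*.cert.pem /client_certs/*-uuid` followed by `chown "$PUID:$PGID" /client_certs/*.key.pem && chmod 600 /client_certs/*.key.pem` — this assumes the linuxserver base image's `PUID`/`PGID` are set in `*common-environment`, which is not visible here.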


@ -0,0 +1,6 @@
#!/usr/bin/with-contenv sh
#shellcheck shell=sh
# some debug info, useful when running CI tests mostly
s6-setuidgid taskd taskd diagnostics
ls -clash "$TASKDDATA"


@ -0,0 +1,5 @@
#!/usr/bin/with-contenv sh
#shellcheck shell=sh
# write a copy of the log in the container's console for easier monitoring/inspection
exec tail -F "$TASKDDATA/taskd.log"


@ -0,0 +1,5 @@
#!/usr/bin/with-contenv sh
#shellcheck shell=sh
# user taskd will run the taskserver, running as root is asking for trouble
exec s6-setuidgid taskd taskd server

BIN
taskserver/taskserver.env Normal file

Binary file not shown.