florent/docker
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: florent:f02f6cfe3995b45d8efb5b1498412417ebcbed79
Branches Tags
florent:master
florent:service-baikal
..
compare: florent:7319497118feeb95f9b6aaf08fa9e127174f6c5d
Branches Tags
florent:master
florent:service-baikal

No commits in common. "f02f6cfe3995b45d8efb5b1498412417ebcbed79" and "7319497118feeb95f9b6aaf08fa9e127174f6c5d" have entirely different histories.
f02f6cfe39 ... 7319497118

9 changed files with 123 additions and 269 deletions
Show Stats Expand all files Collapse all files

8
README.md
View File

@ -45,14 +45,6 @@ dcc restart nextcloud-db
dcc up -d nextcloud dcc up -d nextcloud
``` ```
## Backup
To backup the named volumes, run:
```shell
./backup.py
```
## Logs ## Logs
2022-11-02 Created OVH token 2022-11-02 Created OVH token

110
backup.py
View File

@ -1,110 +0,0 @@
#!/usr/bin/env python
# file backup.py
# author Florent Guiotte <florent.guiotte@irisa.fr>
# version 0.0
# date 10 août 2024
"""Abstract
doc.
"""
import yaml
from pathlib import Path
import subprocess
from datetime import datetime
COMPOSE_PATH = Path('docker-compose.yml')
BACKUP_PATH = Path('/mnt/storage/docker-bkp')
VOLUME_PREFIX = 'docker_'
class UnionFind:
def __init__(self):
self.parent = {}
def make(self, service):
self.parent.setdefault(service, service)
def find(self, service):
"""return root"""
if self.parent[service] != service:
self.parent[service] = self.find(self.parent[service])
return self.parent[service]
def union(self, service1, service2):
root1 = self.find(service1)
root2 = self.find(service2)
if root1 != root2:
self.parent[root2] = root1 # compress!
def build_services_graph(services):
uf = UnionFind()
for service in services:
uf.make(service)
for dependency in services[service].get('depends_on', []):
uf.make(dependency)
uf.union(service, dependency)
return uf
def group_services(services, graph):
grouped_services = {}
for service in services:
root = graph.find(service)
if root not in grouped_services:
grouped_services[root] = {'services': []}
grouped_services[root]['services'].append(service)
return grouped_services
def group_volumes(services, volumes, services_group):
for group_name, group in services_group.items():
group_volumes = group.setdefault('volumes', [])
for service in group['services']:
for volume in [v.split(':')[0] for v in services[service]['volumes']]:
if volume in volumes: group_volumes += [volume]
return services_group
def backup(volume):
current_date = datetime.now()
date_string = current_date.strftime("%Y-%m-%d")
archive_name = f'{date_string}_{volume}.tar'
print(f'backup volume {volume} to {BACKUP_PATH}/{archive_name}')
subprocess.run(f'docker run --rm --volume {VOLUME_PREFIX}{volume}:/data --volume {BACKUP_PATH}:/bkp ubuntu tar -cf /bkp/{archive_name} -C /data .'.split())
def run_docker_compose(cmd):
subprocess.run(f'docker compose {cmd}'.split())
if __name__ == '__main__':
with COMPOSE_PATH.open() as cf:
compose = yaml.safe_load(cf)
services = compose['services']
volumes = compose['volumes']
services_graph = build_services_graph(services)
services_group = group_services(services, services_graph)
services_group = group_volumes(services, volumes, services_group)
for group_name, group in services_group.items():
print(f'Service group {group_name} ', end='')
if not group['volumes']:
print('no volumes')
continue
print('run backup...')
run_docker_compose(f'stop {" ".join(group["services"])}')
for volume in group['volumes']:
backup(volume)
run_docker_compose(f'start {" ".join(group["services"])}')

7
docker-compose.yml
View File

@ -148,12 +148,9 @@ services:
<<: *common-environment <<: *common-environment
FILE__DB_PASSWORD: /run/secrets/lychee-db-pw FILE__DB_PASSWORD: /run/secrets/lychee-db-pw
DB_HOST: lychee-db DB_HOST: lychee-db
DB_CONNECTION: mysql
DB_USERNAME: lychee DB_USERNAME: lychee
DB_DATABASE: lychee DB_DATABASE: lychee
DB_PORT: 3306 DB_PORT: 3306
APP_URL: https://photos.guiotte.fr
TRUSTED_PROXIES: 172.22.0.0/24
secrets: secrets:
- lychee-db-pw - lychee-db-pw
@ -295,7 +292,7 @@ services:
- SSH_HOSTNAME=192.168.1.5 - SSH_HOSTNAME=192.168.1.5
- SSH_USERNAME=alarm - SSH_USERNAME=alarm
- SSH_LOCAL_PORT=55443 - SSH_LOCAL_PORT=55443
- SSH_DESTINATION=10.0.0.100 - SSH_DESTINATION=10.0.0.130
- SSH_DESTINATION_PORT=55443 - SSH_DESTINATION_PORT=55443
#ports: #ports:
# - 55443:55443 # - 55443:55443
@ -311,7 +308,7 @@ services:
- SSH_HOSTNAME=192.168.1.5 - SSH_HOSTNAME=192.168.1.5
- SSH_USERNAME=alarm - SSH_USERNAME=alarm
- SSH_LOCAL_PORT=55443 - SSH_LOCAL_PORT=55443
- SSH_DESTINATION=10.0.0.101 - SSH_DESTINATION=10.0.0.251
- SSH_DESTINATION_PORT=55443 - SSH_DESTINATION_PORT=55443
#ports: #ports:
# - 55443:55443 # - 55443:55443

103
swag/nginx/nginx.conf
View File

@ -1,7 +1,4 @@
## Version 2023/04/13 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/nginx.conf.sample ## Version 2022/01/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf
### Based on alpine defaults
# https://git.alpinelinux.org/aports/tree/main/nginx/nginx.conf?h=3.19-stable
user abc; user abc;
@ -17,13 +14,11 @@ error_log /config/log/nginx/error.log;
# Includes files with directives to load dynamic modules. # Includes files with directives to load dynamic modules.
include /etc/nginx/modules/*.conf; include /etc/nginx/modules/*.conf;
# Include files with config snippets into the root context.
include /etc/nginx/conf.d/*.conf;
events { events {
# The maximum number of simultaneous connections that can be opened by # The maximum number of simultaneous connections that can be opened by
# a worker process. # a worker process.
worker_connections 1024; worker_connections 1024;
# multi_accept on;
} }
http { http {
@ -54,29 +49,101 @@ http {
# instead of using partial frames. Default is 'off'. # instead of using partial frames. Default is 'off'.
tcp_nopush on; tcp_nopush on;
# all ssl related config moved to ssl.conf
# included in server blocks where listen 443 is defined
# Enable gzipping of responses.
#gzip on;
# Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
gzip_vary on;
# Helper variable for proxying websockets. # Helper variable for proxying websockets.
map $http_upgrade $connection_upgrade { map $http_upgrade $connection_upgrade {
default upgrade; default upgrade;
'' close; '' close;
} }
# Saves unauthorized log messages to a separate log file
map $status $unauthorized {
default 0;
~^401 1;
}
access_log /config/log/nginx/unauthorized.log combined if=$unauthorized;
# Sets the path, format, and configuration for a buffered log write. # Sets the path, format, and configuration for a buffered log write.
access_log /config/log/nginx/access.log; access_log /config/log/nginx/access.log;
# Includes virtual hosts configs. # Includes virtual hosts configs.
include /etc/nginx/http.d/*.conf; #include /etc/nginx/http.d/*.conf;
# WARNING: Don't use this directory for virtual hosts anymore.
# This include will be moved to the root context in Alpine 3.14.
#include /etc/nginx/conf.d/*.conf;
##
# Basic Settings
##
client_body_buffer_size 128k;
keepalive_timeout 65;
large_client_header_buffers 4 16k;
send_timeout 5m;
tcp_nodelay on;
types_hash_max_size 2048;
variables_hash_max_size 2048;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
##
# nginx-naxsi config
##
# Uncomment it if you installed nginx-naxsi
##
#include /etc/nginx/naxsi_core.rules;
##
# nginx-passenger config
##
# Uncomment it if you installed nginx-passenger
##
#passenger_root /usr;
#passenger_ruby /usr/bin/ruby;
##
# Virtual Host Configs
##
include /config/nginx/site-confs/*.conf; include /config/nginx/site-confs/*.conf;
#Removed lua. Do not remove this comment
} }
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
daemon off; daemon off;
pid /run/nginx.pid; pid /run/nginx.pid;

26
swag/nginx/proxy-confs/lychee.subdomain.conf
View File

@ -1,10 +1,9 @@
## Version 2023/05/31 ## Version 2021/05/18
# make sure that your lychee container is named lychee
# make sure that your dns has a cname set for lychee # make sure that your dns has a cname set for lychee
server { server {
listen 443 ssl http2; listen 443 ssl;
listen [::]:443 ssl http2; listen [::]:443 ssl;
server_name photos.*; server_name photos.*;
@ -12,29 +11,24 @@ server {
client_max_body_size 0; client_max_body_size 0;
# enable for ldap auth (requires ldap-location.conf in the location block) # enable for ldap auth, fill in ldap details in ldap.conf
#include /config/nginx/ldap-server.conf; #include /config/nginx/ldap.conf;
# enable for Authelia (requires authelia-location.conf in the location block) # enable for Authelia
#include /config/nginx/authelia-server.conf; #include /config/nginx/authelia-server.conf;
# enable for Authentik (requires authentik-location.conf in the location block)
#include /config/nginx/authentik-server.conf;
location / { location / {
# enable the next two lines for http auth # enable the next two lines for http auth
#auth_basic "Restricted"; #auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd; #auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block) # enable the next two lines for ldap auth
#include /config/nginx/ldap-location.conf; #auth_request /auth;
#error_page 401 =200 /ldaplogin;
# enable for Authelia (requires authelia-server.conf in the server block) # enable for Authelia
#include /config/nginx/authelia-location.conf; #include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;
include /config/nginx/proxy.conf; include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf; include /config/nginx/resolver.conf;
set $upstream_app lychee; set $upstream_app lychee;

13
swag/nginx/proxy.conf
View File

@ -1,4 +1,4 @@
## Version 2023/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/proxy.conf.sample ## Version 2021/10/26 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf
# Timeout if the real server is dead # Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
@ -10,7 +10,7 @@ proxy_headers_hash_bucket_size 128;
proxy_headers_hash_max_size 1024; proxy_headers_hash_max_size 1024;
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_read_timeout 240; proxy_read_timeout 240;
proxy_redirect http:// $scheme://; proxy_redirect http:// $scheme://;
proxy_send_timeout 240; proxy_send_timeout 240;
# Proxy Cache and Cookie Settings # Proxy Cache and Cookie Settings
@ -26,13 +26,6 @@ proxy_set_header Proxy "";
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Method $request_method; proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Ssl on; proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;

85
swag/nginx/site-confs/default.conf
View File

@ -1,85 +0,0 @@
## Version 2024/03/06 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample
# redirect all traffic to https
server {
listen 80 default_server;
listen [::]:80 default_server;
location / {
return 301 https://$host$request_uri;
}
}
# main server block
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name _;
include /config/nginx/ssl.conf;
root /config/www;
index index.html index.htm index.php;
# enable subfolder method reverse proxy confs
include /config/nginx/proxy-confs/*.subfolder.conf;
# enable for ldap auth (requires ldap-location.conf in the location block)
#include /config/nginx/ldap-server.conf;
# enable for Authelia (requires authelia-location.conf in the location block)
#include /config/nginx/authelia-server.conf;
# enable for Authentik (requires authentik-location.conf in the location block)
#include /config/nginx/authentik-server.conf;
location / {
# enable for basic auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block)
#include /config/nginx/ldap-location.conf;
# enable for Authelia (requires authelia-server.conf in the server block)
#include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;
try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args;
}
location ~ ^(.+\.php)(.*)$ {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block)
#include /config/nginx/ldap-location.conf;
# enable for Authelia (requires authelia-server.conf in the server block)
#include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;
fastcgi_split_path_info ^(.+\.php)(.*)$;
if (!-f $document_root$fastcgi_script_name) { return 404; }
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
}
# deny access to .htaccess/.htpasswd files
location ~ /\.ht {
deny all;
}
}
# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;

40
swag/nginx/ssl.conf
View File

@ -1,40 +1,46 @@
## Version 2023/08/13 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/ssl.conf.sample ## Version 2021/09/19 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ssl.conf
### Mozilla Recommendations ### Mozilla Recommendations
# generated 2023-06-25, Mozilla Guideline v5.7, nginx 1.24.0, OpenSSL 3.1.1, intermediate configuration # generated 2020-06-17, Mozilla Guideline v5.4, nginx 1.18.0-r0, OpenSSL 1.1.1g-r0, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.24.0&config=intermediate&openssl=3.1.1&guideline=5.7 # https://ssl-config.mozilla.org/#server=nginx&version=1.18.0-r0&config=intermediate&openssl=1.1.1g-r0&guideline=5.4
ssl_certificate /config/keys/cert.crt;
ssl_certificate_key /config/keys/cert.key;
ssl_session_timeout 1d; ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off; ssl_session_tickets off;
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
ssl_dhparam /config/nginx/dhparams.pem;
# intermediate configuration # intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off; ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
#add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP stapling # OCSP stapling
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
### Linuxserver.io Defaults
# Certificates
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs # verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /config/keys/cert.crt; ssl_trusted_certificate /config/keys/letsencrypt/fullchain.pem;
# Diffie-Hellman Parameters
ssl_dhparam /config/nginx/dhparams.pem;
# Enable TLS 1.3 early data
ssl_early_data on;
# HSTS, remove # from the line below to enable HSTS
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# Optional additional headers # Optional additional headers
#add_header Cache-Control "no-transform" always; #add_header Cache-Control "no-transform" always;
#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'" always; #add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'";
#add_header Permissions-Policy "interest-cohort=()" always; #add_header Permissions-Policy "interest-cohort=()";
#add_header Referrer-Policy "same-origin" always; #add_header Referrer-Policy "same-origin" always;
#add_header X-Content-Type-Options "nosniff" always; #add_header X-Content-Type-Options "nosniff" always;
#add_header X-Frame-Options "SAMEORIGIN" always; #add_header X-Frame-Options "SAMEORIGIN" always;
#add_header X-UA-Compatible "IE=Edge" always; #add_header X-UA-Compatible "IE=Edge" always;
#add_header X-XSS-Protection "1; mode=block" always; #add_header X-XSS-Protection "1; mode=block" always;

BIN
syncthing/config.xml
View File

Binary file not shown.