florent/docker
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: florent:master
Branches Tags
florent:master
florent:service-baikal
..
compare: florent:service-baikal
Branches Tags
florent:master
florent:service-baikal

1 Commits
master ... service-ba

Author SHA1 Message Date
Florent Guiotte
d0ec9d9baf Add baikal 2023-05-19 11:05:38 +02:00
51 changed files with 397 additions and 888 deletions
Show Stats Expand all files Collapse all files

BIN
.env
View File

Binary file not shown.

4
.gitattributes vendored
View File

@ -4,7 +4,3 @@ ddclient/ddclient.conf filter=git-crypt diff=git-crypt
*.pem filter=git-crypt diff=git-crypt
*.env filter=git-crypt diff=git-crypt
*.override.yml filter=git-crypt diff=git-crypt
*.secret filter=git-crypt diff=git-crypt
htpasswd filter=git-crypt diff=git-crypt
id_rsa filter=git-crypt diff=git-crypt
.env filter=git-crypt diff=git-crypt

45
README.md
View File

@ -6,15 +6,6 @@
## Setup
Setup DNS server for docker in `/etc/docker/daemon.json`:
```config
{
"data-root": "/home/docker",
"dns": ["1.1.1.1", "8.8.8.8", "8.8.4.4"]
}
```
Once DNS are properly setup on host:
1. Create OVH token : <https://www.ovh.com/auth/api/createToken>
@ -23,45 +14,19 @@ Once DNS are properly setup on host:
### Services
#### Flood
- Socket: `/config/.local/share/rtorrent/rtorrent.sock`
## Create a new service
1. Add the service in `docker-compose.yml`
2. Create the DynHost and id <https://www.ovh.com/manager/#/web/domain/guiotte.fr/dynhost>
2. Create the DynHost <https://www.ovh.com/manager/#/web/domain/guiotte.fr/dynhost>
3. Add the host in the DDclient configuration `./ddclient/ddclient.conf`
4. Add the nginx proxy configuration in `./swag/nginx/proxy-confs/`
5. Update the local zone in `./bind9/guiotte.db`
6. Restart `bind9` and `swag`: `dcc restart bind9 swag`
## Update MariaDB
After upgrading from one major MySQL/MariaDB release to another, we have to run `mariadb-upgrade` on the services using MariaDB.
### Lychee
```bash
dcc stop lychee
dcc exec lychee-db mariadb-upgrade -u root -p"$(cat lychee-db-root-pw.secret)"
dcc restart lychee-db
dcc up -d lychee
```
### Nextcloud
```bash
dcc stop nextcloud
dcc exec nextcloud-db mariadb-upgrade -u root -p"$(cat nextcloud-db-root-pw.secret)"
dcc restart nextcloud-db
dcc up -d nextcloud
```
## Backup
To backup the named volumes, run:
```shell
./backup.py
```
## Logs
2022-11-02 Created OVH token

110
backup.py
View File

@ -1,110 +0,0 @@
#!/usr/bin/env python
# file backup.py
# author Florent Guiotte <florent.guiotte@irisa.fr>
# version 0.0
# date 10 août 2024
"""Abstract
doc.
"""
import yaml
from pathlib import Path
import subprocess
from datetime import datetime
COMPOSE_PATH = Path('docker-compose.yml')
BACKUP_PATH = Path('./data/bkp')
VOLUME_PREFIX = 'docker_'
class UnionFind:
def __init__(self):
self.parent = {}
def make(self, service):
self.parent.setdefault(service, service)
def find(self, service):
"""return root"""
if self.parent[service] != service:
self.parent[service] = self.find(self.parent[service])
return self.parent[service]
def union(self, service1, service2):
root1 = self.find(service1)
root2 = self.find(service2)
if root1 != root2:
self.parent[root2] = root1 # compress!
def build_services_graph(services):
uf = UnionFind()
for service in services:
uf.make(service)
for dependency in services[service].get('depends_on', []):
uf.make(dependency)
uf.union(service, dependency)
return uf
def group_services(services, graph):
grouped_services = {}
for service in services:
root = graph.find(service)
if root not in grouped_services:
grouped_services[root] = {'services': []}
grouped_services[root]['services'].append(service)
return grouped_services
def group_volumes(services, volumes, services_group):
for group_name, group in services_group.items():
group_volumes = group.setdefault('volumes', [])
for service in group['services']:
for volume in [v.split(':')[0] for v in services[service]['volumes']]:
if volume in volumes: group_volumes += [volume]
return services_group
def backup(volume):
current_date = datetime.now()
date_string = current_date.strftime("%Y-%m-%d")
archive_name = f'{date_string}_{volume}.tar'
print(f'backup volume {volume} to {BACKUP_PATH}/{archive_name}')
subprocess.run(f'docker run --rm --volume {VOLUME_PREFIX}{volume}:/data --volume {BACKUP_PATH.resolve()}:/bkp ubuntu tar -cf /bkp/{archive_name} -C /data .'.split())
def run_docker_compose(cmd):
subprocess.run(f'docker compose {cmd}'.split())
if __name__ == '__main__':
with COMPOSE_PATH.open() as cf:
compose = yaml.safe_load(cf)
services = compose['services']
volumes = compose['volumes']
services_graph = build_services_graph(services)
services_group = group_services(services, services_graph)
services_group = group_volumes(services, volumes, services_group)
for group_name, group in services_group.items():
print(f'Service group {group_name} ', end='')
if not group['volumes']:
print('no volumes')
continue
print('run backup...')
run_docker_compose(f'stop {" ".join(group["services"])}')
for volume in group['volumes']:
backup(volume)
run_docker_compose(f'start {" ".join(group["services"])}')

10
bind9/guiotte.db
View File

@ -20,12 +20,4 @@ dm.guiotte.fr. IN A 192.168.1.2
money.guiotte.fr. IN CNAME dm.guiotte.fr.
photos.guiotte.fr. IN CNAME dm.guiotte.fr.
dl.guiotte.fr. IN CNAME dm.guiotte.fr.
kdoc.guiotte.fr. IN CNAME dm.guiotte.fr.
sync.guiotte.fr. IN CNAME dm.guiotte.fr.
pad.guiotte.fr. IN CNAME dm.guiotte.fr.
home.guiotte.fr. IN CNAME dm.guiotte.fr.
zotero.guiotte.fr. IN CNAME dm.guiotte.fr.
git.guiotte.fr. IN CNAME dm.guiotte.fr.
db.guiotte.fr. IN CNAME dm.guiotte.fr.
flix.guiotte.fr. IN CNAME dm.guiotte.fr.
task.guiotte.fr. IN CNAME dm.guiotte.fr.
cal.guiotte.fr. IN CNAME dm.guiotte.fr.

2
bind9/lan.db
View File

@ -22,7 +22,6 @@ jus.lan. IN A 192.168.1.6
tcw.lan. IN A 192.168.1.8
silk.lan. IN A 192.168.1.9
ror.lan. IN A 192.168.1.10
drmanhattan.lan. IN CNAME dm.lan.
ozymandias.lan. IN CNAME ozy.lan.
@ -31,6 +30,5 @@ ozymandias.lan. IN CNAME ozy.lan.
silhouette.lan. IN CNAME sil.lan.
justice.lan. IN CNAME jus.lan.
thecomedian-wifi.lan. IN CNAME tcw.lan.
rorschach.lan. IN CNAME ror.lan.
kodi.lan. IN CNAME jus.lan.

BIN
ddclient/ddclient.conf
View File

Binary file not shown.

BIN
docker-compose.override.yml Normal file
View File

Binary file not shown.

416
docker-compose.yml
View File

@ -1,10 +1,12 @@
version: '3.4'
x-common-environment: &common-environment
PUID: 1000
PGID: 1000
TZ: Europe/Helsinki
services:
bind9:
image: ubuntu/bind9:9.18-22.04_beta
container_name: bind9
@ -18,7 +20,6 @@ services:
ports:
- "53:53/udp"
swag:
image: lscr.io/linuxserver/swag
container_name: swag
@ -38,7 +39,6 @@ services:
- 443:443
- 80:80
ddclient:
image: lscr.io/linuxserver/ddclient:latest
container_name: ddclient
@ -46,8 +46,6 @@ services:
environment: *common-environment
volumes:
- ./ddclient:/config
- ddclient-cache:/run/ddclient-cache
#- ddclient-cache:/var/cache/ddclient
money:
image: ihatemoney/ihatemoney
@ -66,23 +64,16 @@ services:
container_name: transmission
environment:
<<: *common-environment
FILE__USER: /run/secrets/transmission-user
FILE__PASS: /run/secrets/transmission-pw
volumes:
- transmission-config:/config
- /storage/@media/download:/downloads
- /storage/@media/download/torrent:/watch
- ./transmission/eodl.sh:/eodl.sh
- /mnt/storage/download:/downloads
- /mnt/storage/download/torrent:/watch
ports:
- 9091:9091
- 51413:51413
- 51413:51413/udp
restart: unless-stopped
secrets:
- transmission-user
- transmission-pw
# WIP
# radarr:
# image: lscr.io/linuxserver/radarr:latest
@ -100,47 +91,16 @@ services:
# restart: unless-stopped
#jackett:
# image: lscr.io/linuxserver/jackett:latest
# container_name: jackett
# environment:
# <<: *common-environment
# AUTO_UPDATE: true #optional
# RUN_OPTS: #optional
# volumes:
# - jackett-config:/config
# - /mnt/storage/media/dl:/downloads
# ports:
# - 9117:9117
# restart: unless-stopped
#sonarr:
# image: lscr.io/linuxserver/sonarr:latest
# container_name: sonarr
# environment: *common-environment
# volumes:
# - sonarr-config:/config
# - /mnt/storage/media:/data
# #- /mnt/storage/video/Films/:/movies
# #- /mnt/storage/download/:/downloads
# ports:
# - 8989:8989
# restart: unless-stopped
syncthing:
image: lscr.io/linuxserver/syncthing:latest
container_name: syncthing
hostname: drmanhattan
hostname: drmanhattan #optional
environment: *common-environment
volumes:
- ./syncthing:/config
- sync-notes:/notes
- sync-audrey:/audrey-sync
- ./data/signal-bkp:/signal-bkp
- ./data/audrey-projets:/audrey-projets
- /mnt/storage/music/Florent:/music
ports:
#- 8384:8384
- 22000:22000/tcp
- 22000:22000/udp
- 21027:21027/udp
@ -155,13 +115,10 @@ services:
- lychee-db:/config
environment:
<<: *common-environment
FILE__MYSQL_ROOT_PASSWORD: /run/secrets/lychee-db-root-pw
FILE__MYSQL_PASSWORD: /run/secrets/lychee-db-pw
MYSQL_ROOT_PASSWORD: rootpassword
MYSQL_DATABASE: lychee
MYSQL_USER: lychee
secrets:
- lychee-db-root-pw
- lychee-db-pw
MYSQL_PASSWORD: dbpassword
lychee:
@ -175,306 +132,91 @@ services:
- lychee-pictures:/pictures
environment:
<<: *common-environment
FILE__DB_PASSWORD: /run/secrets/lychee-db-pw
DB_HOST: lychee-db
DB_CONNECTION: mysql
DB_USERNAME: lychee
DB_PASSWORD: dbpassword
DB_DATABASE: lychee
DB_PORT: 3306
APP_URL: https://photos.guiotte.fr
TRUSTED_PROXIES: 172.22.0.0/24
secrets:
- lychee-db-pw
# WIP
# zotero:
# #image: lscr.io/linuxserver/nginx:latest
# #image: sashgorokhov/webdav
# build: zotero
# container_name: zotero
# environment:
# - PUID=1000
# - PGID=1000
# - TZ=Europe/Helsinki
# - USERNAME=user
# - PASSWORD=passwd
# volumes:
# - zotero-data:/data
# #- zotero-data:/media
# restart: unless-stopped
# # https://github.com/linuxserver/docker-baseimage-alpine-nginx/blob/master/Dockerfile
# # https://github.com/linuxserver/docker-nginx/blob/master/Dockerfile
# # https://github.com/sashgorokhov/docker-nginx-webdav/blob/master/Dockerfile
# # XXX: Missing "nginx-extra" in my build?
zotero-sync:
image: lscr.io/linuxserver/nginx:latest
container_name: zotero-sync
taskserver:
build: taskserver
container_name: taskserver
hostname: dm.guiotte.fr
restart: always
environment: *common-environment
volumes:
- ./zotero-sync:/config
- zotero-sync-data:/data
restart: unless-stopped
# Not in use anymore
# subdomain still activated though
#slides-notes:
# build: slides-notes
# container_name: slides-notes
# restart: always
# environment: *common-environment
# volumes:
# - ./slides-notes/slides:/app/slides
nextcloud:
image: lscr.io/linuxserver/nextcloud:latest
container_name: nextcloud
restart: unless-stopped
depends_on:
- nextcloud-db
environment: *common-environment
volumes:
- nextcloud-config:/config
- nextcloud-data:/data
nextcloud-db:
image: linuxserver/mariadb:latest
container_name: nextcloud-db
restart: unless-stopped
environment:
<<: *common-environment
FILE__MYSQL_ROOT_PASSWORD: /run/secrets/nextcloud-db-root-pw
FILE__MYSQL_PASSWORD: /run/secrets/nextcloud-db-pw
MYSQL_DATABASE: database
MYSQL_USER: user
volumes:
- nextcloud-db-config:/config
secrets:
- nextcloud-db-root-pw
- nextcloud-db-pw
hedgedoc:
image: lscr.io/linuxserver/hedgedoc:latest
container_name: hedgedoc
depends_on:
- hedgedoc-db
environment:
<<: *common-environment
DB_HOST: hedgedoc-db
DB_PORT: 3306
DB_USER: hedgedoc
DB_NAME: hedgedoc
FILE__DB_PASS: /run/secrets/hedgedoc-db-pw
CMD_DOMAIN: pad.guiotte.fr
CMD_PROTOCOL_USESSL: true
CMD_ALLOW_FREEURL: true
CMD_REQUIRE_FREEURL_AUTHENTICATION: true
volumes:
- hedgedoc-config:/config
restart: unless-stopped
secrets:
- hedgedoc-db-pw
hedgedoc-db:
image: lscr.io/linuxserver/mariadb:latest
container_name: hedgedoc-db
restart: unless-stopped
volumes:
- hedgedoc-db:/config
environment:
<<: *common-environment
FILE__MYSQL_ROOT_PASSWORD: /run/secrets/hedgedoc-db-root-pw
FILE__MYSQL_PASSWORD: /run/secrets/hedgedoc-db-pw
MYSQL_DATABASE: hedgedoc
MYSQL_USER: hedgedoc
secrets:
- hedgedoc-db-root-pw
- hedgedoc-db-pw
homeassistant:
image: lscr.io/linuxserver/homeassistant:latest
container_name: homeassistant
environment:
<<: *common-environment
volumes:
- homeassistant-config:/config
restart: unless-stopped
# NOTE: Temporarily disable zigbee and wifi iot
#
# devices:
# - /dev/serial/by-id/usb-ITEAD_SONOFF_Zigbee_3.0_USB_Dongle_Plus_V2_20240219191913-if00:/dev/ttyACM0
#
#
#yee0:
# build: ssh
# container_name: yee0
# volumes:
# - ./ssh/id_rsa:/root/.ssh/id_rsa
# environment:
# - SSH_HOSTNAME=192.168.1.5
# - SSH_USERNAME=alarm
# - SSH_LOCAL_PORT=55443
# - SSH_DESTINATION=10.0.0.100
# - SSH_DESTINATION_PORT=55443
# #ports:
# # - 55443:55443
# restart: unless-stopped
#
#
#yee1:
# build: ssh
# container_name: yee1
# volumes:
# - ./ssh/id_rsa:/root/.ssh/id_rsa
# environment:
# - SSH_HOSTNAME=192.168.1.5
# - SSH_USERNAME=alarm
# - SSH_LOCAL_PORT=55443
# - SSH_DESTINATION=10.0.0.101
# - SSH_DESTINATION_PORT=55443
# #ports:
# # - 55443:55443
# restart: unless-stopped
gitea:
image: gitea/gitea:latest
#build: gitea
container_name: gitea
restart: unless-stopped
environment:
<<: *common-environment
GITEA__database__DB_TYPE: mysql
GITEA__database__HOST: gitea-db:3306
GITEA__database__NAME: gitea
GITEA__database__USER: gitea
GITEA__database__PASSWD: gitea
GITEA__service__DISABLE_REGISTRATION: true
GITEA__server__DOMAIN: git.guiotte.fr
GITEA__server__SSH_DOMAIN: git.guiotte.fr
GITEA__server__LANDING_PAGE: explore
depends_on:
- gitea-db
volumes:
- gitea-data:/data
gitea-db:
image: linuxserver/mariadb:latest
container_name: gitea-db
restart: unless-stopped
environment:
<<: *common-environment
FILE__MYSQL_ROOT_PASSWORD: /run/secrets/gitea-db-root-pw
FILE__MYSQL_PASSWORD: /run/secrets/gitea-db-pw
MYSQL_DATABASE: gitea
MYSQL_USER: gitea
volumes:
- gitea-db:/config
secrets:
- gitea-db-root-pw
- gitea-db-pw
nocodb:
image: nocodb/nocodb:latest
container_name: nocodb
restart: unless-stopped
environment:
<<: *common-environment
NC_DB_JSON_FILE: /run/secrets/nocodb-json
volumes:
- nocodb-data:/usr/app/data
secrets:
- nocodb-json
nocodb-db:
image: linuxserver/mariadb:latest
container_name: nocodb-db
restart: unless-stopped
environment:
<<: *common-environment
FILE__MYSQL_ROOT_PASSWORD: /run/secrets/nocodb-db-root-pw
FILE__MYSQL_PASSWORD: /run/secrets/nocodb-db-pw
MYSQL_DATABASE: nocodb
MYSQL_USER: nocodb
volumes:
- nocodb-db:/config
secrets:
- nocodb-db-root-pw
- nocodb-db-pw
jellyfin:
image: lscr.io/linuxserver/jellyfin:latest
container_name: jellyfin
environment:
<<: *common-environment
JELLYFIN_PublishedServerUrl: https://flix.guiotte.fr
volumes:
- jellyfin-config:/config
- /storage/@media/video:/data/video
- /storage/@media/music:/data/music
env_file:
- taskserver/taskserver.env
ports:
- 7359:7359/udp #optional Allows clients to discover Jellyfin on the local network
- 1900:1900/udp #optional Service discovery used by DNLA and clients
restart: unless-stopped
devices:
- /dev/dri:/dev/dri
taskchampion:
image: ghcr.io/gothenburgbitfactory/taskchampion-sync-server:latest
container_name: taskchampion
restart: unless-stopped
environment:
- "RUST_LOG=info" # Log every request
- "DATA_DIR=/taskchampion-data"
- "TASKCHAMPION_SYNC_SERVER_HOSTNAME=task.guiotte.fr"
- "TASKCHAMPION_SYNC_SERVER_CLIENT_ID=${TASKCHAMPION_SYNC_SERVER_CLIENT_ID}"
- "53589:53589"
volumes:
- taskchampion-data:/taskchampion-data
- taskserver-data:/var/taskd
- taskserver-certs:/ssl_certs
- ./taskserver/client_certs:/client_certs
slides-notes:
build: slides-notes
container_name: slides-notes
restart: always
environment: *common-environment
volumes:
- ./slides-notes/slides:/app/slides
baikal:
image: ckulka/baikal:nginx
container_name: baikal
restart: always
volumes:
- baikal-config:/var/www/baikal/config
#- baikal-data:/var/www/baikal/Specific
baikal-db:
image: lscr.io/linuxserver/mariadb:latest
container_name: baikal-db
restart: always
volumes:
- baikal-db:/config
environment:
<<: *common-environment
MYSQL_ROOT_PASSWORD: rootpassword
MYSQL_DATABASE: baikal
MYSQL_USER: baikal
MYSQL_PASSWORD: dbpassword
volumes:
money-data:
zotero-data:
lychee-db:
lychee-config:
lychee-pictures:
taskserver-data:
taskserver-certs:
transmission-config:
nextcloud-data:
nextcloud-config:
nextcloud-db-config:
ddclient-cache:
hedgedoc-config:
hedgedoc-db:
homeassistant-config:
zotero-sync-data:
gitea-data:
gitea-db:
sonarr-config:
jackett-config:
sync-audrey:
sync-notes:
nocodb:
nocodb-data:
nocodb-db:
jellyfin-config:
taskchampion-data:
secrets:
lychee-db-root-pw:
file: lychee-db-root-pw.secret
lychee-db-pw:
file: lychee-db-pw.secret
nextcloud-db-root-pw:
file: nextcloud-db-root-pw.secret
nextcloud-db-pw:
file: nextcloud-db-pw.secret
transmission-user:
file: transmission-user.secret
transmission-pw:
file: transmission-pw.secret
hedgedoc-db-root-pw:
file: hedgedoc-db-root-pw.secret
hedgedoc-db-pw:
file: hedgedoc-db-pw.secret
gitea-db-root-pw:
file: gitea-db-root-pw.secret
gitea-db-pw:
file: gitea-db-pw.secret
nocodb-db-root-pw:
file: nocodb-db-root-pw.secret
nocodb-db-pw:
file: nocodb-db-pw.secret
nocodb-json:
file: nocodb-json.secret
baikal-config:
baikal-db:

5
flood/.rtorrent.rc Normal file
View File

@ -0,0 +1,5 @@
## Import default configurations
import = /etc/rtorrent/rtorrent.rc
## Listening port
network.port_range.set=6881-6881

BIN
gitea-db-pw.secret
View File

Binary file not shown.

BIN
gitea-db-root-pw.secret
View File

Binary file not shown.

BIN
hedgedoc-db-pw.secret
View File

Binary file not shown.

BIN
hedgedoc-db-root-pw.secret
View File

Binary file not shown.

BIN
lychee-db-pw.secret
View File

Binary file not shown.

BIN
lychee-db-root-pw.secret
View File

Binary file not shown.

BIN
nextcloud-db-pw.secret
View File

Binary file not shown.

BIN
nextcloud-db-root-pw.secret
View File

Binary file not shown.

BIN
nocodb-db-pw.secret
View File

Binary file not shown.

BIN
nocodb-db-root-pw.secret
View File

Binary file not shown.

BIN
nocodb-json.secret
View File

Binary file not shown.

25
ssh/Dockerfile
View File

@ -1,25 +0,0 @@
FROM ghcr.io/linuxserver/baseimage-alpine:3.18
# Install SSH client
RUN \
apk add --no-cache \
openssh-client
# Set volume for ssh key
VOLUME /root/.ssh/id_rsa
# Set default values for SSH tunnel configuration
ENV SSH_HOSTNAME=server.example.com
ENV SSH_USERNAME=username
ENV SSH_DESTINATION=destination
ENV SSH_DESTINATION_PORT=12345
ENV SSH_LOCAL_PORT=12345
ENTRYPOINT ssh \
-N -4 \
-L *:$SSH_LOCAL_PORT:$SSH_DESTINATION:$SSH_DESTINATION_PORT \
-l $SSH_USERNAME \
-o "StrictHostKeyChecking no" \
-o "UserKnownHostsFile /dev/null" \
$SSH_HOSTNAME

BIN
ssh/id_rsa
View File

Binary file not shown.

1
ssh/id_rsa.pub
View File

@ -1 +0,0 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCfkGAQYqBuWSSWvRPZ8lIUNLIKHG7u/gUpDn55cg8QWCKBDmmHd5zqbUNoNcyRZQCcdn9hX05ZuezkYMxEso2p6wz2Qv1Zqt8oZ9z49RcWCIiNNu1DZdyvMdoN9XkBTwSPOEaVurBGHchSiXmB/DI0/wg06L58et5w0MseR5sFKsKOzrQLFW1ZnaC3O9ueQmIiDyWM6zz0XkKWZ4qD7fUop/7sP0+FrhwhjQQziCduNXqBgOa9gHaKYqM0aLL7ZV68QGt/e3X6Wa+ojps6FZqeJL/QCxG1GmgNQzwq/I94/rEz3XzjgcpY0LBMLX0aw/U393q4nL/KFwrNBwvWDJPnmVo3J86x5MXnO0K3mpTxtb8+OyTGNA4t3XNwLy4ZfeYS5zqCUXAmOvMhFEJ75yy5UtYyt+0zQQq4gCDNxbIgqlHHq0sHgwxnW6EDgOxsPIuUiKc+BZIOZUOZqZy59cH+CixtpoW3sv1/RZPRcXWZPRpmXDMp/kY/gUV9z7bBMFs= florent@drmanhattan

103
swag/nginx/nginx.conf
View File

@ -1,7 +1,4 @@
## Version 2023/04/13 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/nginx.conf.sample
### Based on alpine defaults
# https://git.alpinelinux.org/aports/tree/main/nginx/nginx.conf?h=3.19-stable
## Version 2022/01/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf
user abc;
@ -17,13 +14,11 @@ error_log /config/log/nginx/error.log;
# Includes files with directives to load dynamic modules.
include /etc/nginx/modules/*.conf;
# Include files with config snippets into the root context.
include /etc/nginx/conf.d/*.conf;
events {
# The maximum number of simultaneous connections that can be opened by
# a worker process.
worker_connections 1024;
# multi_accept on;
}
http {
@ -54,29 +49,101 @@ http {
# instead of using partial frames. Default is 'off'.
tcp_nopush on;
# all ssl related config moved to ssl.conf
# included in server blocks where listen 443 is defined
# Enable gzipping of responses.
#gzip on;
# Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
gzip_vary on;
# Helper variable for proxying websockets.
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# Saves unauthorized log messages to a separate log file
map $status $unauthorized {
default 0;
~^401 1;
}
access_log /config/log/nginx/unauthorized.log combined if=$unauthorized;
# Sets the path, format, and configuration for a buffered log write.
access_log /config/log/nginx/access.log;
# Includes virtual hosts configs.
include /etc/nginx/http.d/*.conf;
#include /etc/nginx/http.d/*.conf;
# WARNING: Don't use this directory for virtual hosts anymore.
# This include will be moved to the root context in Alpine 3.14.
#include /etc/nginx/conf.d/*.conf;
##
# Basic Settings
##
client_body_buffer_size 128k;
keepalive_timeout 65;
large_client_header_buffers 4 16k;
send_timeout 5m;
tcp_nodelay on;
types_hash_max_size 2048;
variables_hash_max_size 2048;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
##
# nginx-naxsi config
##
# Uncomment it if you installed nginx-naxsi
##
#include /etc/nginx/naxsi_core.rules;
##
# nginx-passenger config
##
# Uncomment it if you installed nginx-passenger
##
#passenger_root /usr;
#passenger_ruby /usr/bin/ruby;
##
# Virtual Host Configs
##
include /config/nginx/site-confs/*.conf;
#Removed lua. Do not remove this comment
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
daemon off;
pid /run/nginx.pid;

48
swag/nginx/proxy-confs/hedgedoc.subdomain.conf
View File

@ -1,48 +0,0 @@
## Version 2023/05/31
# make sure you set the following environment variables in your docker arguments
# CMD_DOMAIN=hedgedoc.server.com
# CMD_URL_ADDPORT=false
# CMD_PROTOCOL_USESSL=true
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name pad.*;
include /config/nginx/ssl.conf;
client_max_body_size 0;
# enable for ldap auth (requires ldap-location.conf in the location block)
#include /config/nginx/ldap-server.conf;
# enable for Authelia (requires authelia-location.conf in the location block)
#include /config/nginx/authelia-server.conf;
# enable for Authentik (requires authentik-location.conf in the location block)
#include /config/nginx/authentik-server.conf;
location / {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block)
#include /config/nginx/ldap-location.conf;
# enable for Authelia (requires authelia-server.conf in the server block)
#include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_app hedgedoc;
set $upstream_port 3000;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
}

26
swag/nginx/proxy-confs/lychee.subdomain.conf
View File

@ -1,10 +1,9 @@
## Version 2023/05/31
# make sure that your lychee container is named lychee
## Version 2021/05/18
# make sure that your dns has a cname set for lychee
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
listen 443 ssl;
listen [::]:443 ssl;
server_name photos.*;
@ -12,29 +11,24 @@ server {
client_max_body_size 0;
# enable for ldap auth (requires ldap-location.conf in the location block)
#include /config/nginx/ldap-server.conf;
# enable for ldap auth, fill in ldap details in ldap.conf
#include /config/nginx/ldap.conf;
# enable for Authelia (requires authelia-location.conf in the location block)
# enable for Authelia
#include /config/nginx/authelia-server.conf;
# enable for Authentik (requires authentik-location.conf in the location block)
#include /config/nginx/authentik-server.conf;
location / {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block)
#include /config/nginx/ldap-location.conf;
# enable the next two lines for ldap auth
#auth_request /auth;
#error_page 401 =200 /ldaplogin;
# enable for Authelia (requires authelia-server.conf in the server block)
# enable for Authelia
#include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_app lychee;

36
swag/nginx/proxy-confs/nextcloud.subdomain.conf
View File

@ -1,36 +0,0 @@
## Version 2021/05/18
# make sure that your dns has a cname set for nextcloud
# assuming this container is called "swag", edit your nextcloud container's config
# located at /config/www/nextcloud/config/config.php and add the following lines before the ");":
# 'trusted_proxies' => ['swag'],
# 'overwrite.cli.url' => 'https://nextcloud.your-domain.com/',
# 'overwritehost' => 'nextcloud.your-domain.com',
# 'overwriteprotocol' => 'https',
#
# Also don't forget to add your domain name to the trusted domains array. It should look somewhat like this:
# array (
# 0 => '192.168.0.1:444', # This line may look different on your setup, don't modify it.
# 1 => 'nextcloud.your-domain.com',
# ),
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name kdoc.*;
include /config/nginx/ssl.conf;
client_max_body_size 0;
location / {
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_app nextcloud;
set $upstream_port 443;
set $upstream_proto https;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
proxy_max_temp_file_size 2048m;
}
}

45
swag/nginx/proxy-confs/nocodb.subdomain.conf
View File

@ -1,45 +0,0 @@
## Version 2024/07/16
# make sure that your nocodb container is named nocodb
# make sure that your dns has a cname set for nocodb
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name db.*;
include /config/nginx/ssl.conf;
client_max_body_size 0;
# enable for ldap auth (requires ldap-location.conf in the location block)
#include /config/nginx/ldap-server.conf;
# enable for Authelia (requires authelia-location.conf in the location block)
#include /config/nginx/authelia-server.conf;
# enable for Authentik (requires authentik-location.conf in the location block)
#include /config/nginx/authentik-server.conf;
location / {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block)
#include /config/nginx/ldap-location.conf;
# enable for Authelia (requires authelia-server.conf in the server block)
#include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_app nocodb;
set $upstream_port 8080;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
}

63
swag/nginx/proxy-confs/taskchampion.subdomain.conf
View File

@ -1,63 +0,0 @@
## Version 2024/07/16
# REMOVE THIS LINE BEFORE SUBMITTING: The structure of the file (all of the existing lines) should be kept as close as possible to this template.
# REMOVE THIS LINE BEFORE SUBMITTING: Look through this file for <tags> and replace them. Review other sample files to see how things are done.
# REMOVE THIS LINE BEFORE SUBMITTING: The comment lines at the top of the file (below this line) should explain any prerequisites for using the proxy such as DNS or app settings.
# make sure that your <container_name> container is named <container_name>
# make sure that your dns has a cname set for <container_name>
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name task.*;
include /config/nginx/ssl.conf;
client_max_body_size 0;
# enable for ldap auth (requires ldap-location.conf in the location block)
#include /config/nginx/ldap-server.conf;
# enable for Authelia (requires authelia-location.conf in the location block)
#include /config/nginx/authelia-server.conf;
# enable for Authentik (requires authentik-location.conf in the location block)
#include /config/nginx/authentik-server.conf;
location / {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block)
#include /config/nginx/ldap-location.conf;
# enable for Authelia (requires authelia-server.conf in the server block)
#include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_app taskchampion;
set $upstream_port 8080;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
# REMOVE THIS LINE BEFORE SUBMITTING: Additional proxy settings such as headers go below this line, leave the blank line above.
}
# REMOVE THIS LINE BEFORE SUBMITTING: Some proxies require one or more additional location blocks for things like API or RPC endpoints.
# REMOVE THIS LINE BEFORE SUBMITTING: If the proxy you are making a sample for does not require an additional location block please remove the commented out section below.
# location ~ (/<container_name>)?/api {
# include /config/nginx/proxy.conf;
# include /config/nginx/resolver.conf;
# set $upstream_app <container_name>;
# set $upstream_port <port_number>;
# set $upstream_proto <http or https>;
# proxy_pass $upstream_proto://$upstream_app:$upstream_port;
#
# # REMOVE THIS LINE BEFORE SUBMITTING: Additional proxy settings such as headers go below this line, leave the blank line above.
# }
}

13
swag/nginx/proxy.conf
View File

@ -1,4 +1,4 @@
## Version 2023/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/proxy.conf.sample
## Version 2021/10/26 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf
# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
@ -10,7 +10,7 @@ proxy_headers_hash_bucket_size 128;
proxy_headers_hash_max_size 1024;
proxy_http_version 1.1;
proxy_read_timeout 240;
proxy_redirect http:// $scheme://;
proxy_redirect http:// $scheme://;
proxy_send_timeout 240;
# Proxy Cache and Cookie Settings
@ -26,13 +26,6 @@ proxy_set_header Proxy "";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Method $request_method;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr;

85
swag/nginx/site-confs/default.conf
View File

@ -1,85 +0,0 @@
## Version 2024/03/06 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample
# redirect all traffic to https
server {
listen 80 default_server;
listen [::]:80 default_server;
location / {
return 301 https://$host$request_uri;
}
}
# main server block
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name _;
include /config/nginx/ssl.conf;
root /config/www;
index index.html index.htm index.php;
# enable subfolder method reverse proxy confs
include /config/nginx/proxy-confs/*.subfolder.conf;
# enable for ldap auth (requires ldap-location.conf in the location block)
#include /config/nginx/ldap-server.conf;
# enable for Authelia (requires authelia-location.conf in the location block)
#include /config/nginx/authelia-server.conf;
# enable for Authentik (requires authentik-location.conf in the location block)
#include /config/nginx/authentik-server.conf;
location / {
# enable for basic auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block)
#include /config/nginx/ldap-location.conf;
# enable for Authelia (requires authelia-server.conf in the server block)
#include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;
try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args;
}
location ~ ^(.+\.php)(.*)$ {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block)
#include /config/nginx/ldap-location.conf;
# enable for Authelia (requires authelia-server.conf in the server block)
#include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;
fastcgi_split_path_info ^(.+\.php)(.*)$;
if (!-f $document_root$fastcgi_script_name) { return 404; }
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
}
# deny access to .htaccess/.htpasswd files
location ~ /\.ht {
deny all;
}
}
# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;

40
swag/nginx/ssl.conf
View File

@ -1,40 +1,46 @@
## Version 2023/08/13 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/ssl.conf.sample
## Version 2021/09/19 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ssl.conf
### Mozilla Recommendations
# generated 2023-06-25, Mozilla Guideline v5.7, nginx 1.24.0, OpenSSL 3.1.1, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.24.0&config=intermediate&openssl=3.1.1&guideline=5.7
# generated 2020-06-17, Mozilla Guideline v5.4, nginx 1.18.0-r0, OpenSSL 1.1.1g-r0, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0-r0&config=intermediate&openssl=1.1.1g-r0&guideline=5.4
ssl_certificate /config/keys/cert.crt;
ssl_certificate_key /config/keys/cert.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
ssl_dhparam /config/nginx/dhparams.pem;
# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
#add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
### Linuxserver.io Defaults
# Certificates
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /config/keys/cert.crt;
ssl_trusted_certificate /config/keys/letsencrypt/fullchain.pem;
# Diffie-Hellman Parameters
ssl_dhparam /config/nginx/dhparams.pem;
# Enable TLS 1.3 early data
ssl_early_data on;
# HSTS, remove # from the line below to enable HSTS
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# Optional additional headers
#add_header Cache-Control "no-transform" always;
#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'" always;
#add_header Permissions-Policy "interest-cohort=()" always;
#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'";
#add_header Permissions-Policy "interest-cohort=()";
#add_header Referrer-Policy "same-origin" always;
#add_header X-Content-Type-Options "nosniff" always;
#add_header X-Frame-Options "SAMEORIGIN" always;
#add_header X-UA-Compatible "IE=Edge" always;
#add_header X-XSS-Protection "1; mode=block" always;

BIN
syncthing/config.xml
View File

Binary file not shown.

13
taskserver/Dockerfile Normal file
View File

@ -0,0 +1,13 @@
FROM ghcr.io/linuxserver/baseimage-alpine:3.16
RUN apk --no-cache add taskd
ENV TASKDDATA=/var/taskd
VOLUME /var/taskd
COPY root/ /
VOLUME /ssl_certs/ /client_certs/
EXPOSE 53589
ENTRYPOINT ["/init"]

22
taskserver/README.md Normal file
View File

@ -0,0 +1,22 @@
# Taskserver
Written with the help of
<https://github.com/coaxial/docker-taskd-service>.
## Certs renewal
*do we need to remove volumes?:*
```shell
docker volume rm docker_taskserver-certs docker_taskserver-data
```
Once a year recreate the container and copy the `client_certs` dir! On
the client:
```shell
scp -r florent@dm.guiotte.fr:~/docker/taskserver/client_certs/* ~/.config/task/certs
task config taskd.credentials -- watch/user/$(cat ~/.config/task/certs/user-uuid)
task sync init
```

20
taskserver/root/etc/cont-init.d/14-install-cert-generator Normal file
View File

@ -0,0 +1,20 @@
#!/usr/bin/with-contenv sh
#shellsheck shell=sh
printf "Installing the certificate generator\n"
apk --no-cache add curl gnutls-utils
mkdir -p /opt/src/taskd
# get a copy of the repo wich also contains the certificate generation scripts
curl -sSL https://api.github.com/repos/gothenburgbitfactory/taskserver/tarball/master -o /tmp/taskd.tar.gz
tar xzf /tmp/taskd.tar.gz -C /opt/src/taskd --strip 1
# set the variables for the certs to be generated (as defined in
# taskserver.env)
{
echo "BITS=$TASKD_CERT_BITS";
echo "EXPIRATION_DAYS=$TASKD_CERT_EXPIRATION_DAYS";
echo "ORGANIZATION=\"$TASKD_CERT_ORGANIZATION\"";
echo "CN=$(hostname -f)";
echo "COUNTRY=$TASKD_CERT_COUNTRY";
echo "STATE=\"$TASKD_CERT_STATE\"";
echo "LOCALITY=\"$TASKD_CERT_LOCALITY\"";
} > /opt/src/taskd/pki/vars

20
taskserver/root/etc/cont-init.d/15-generate-server-certs Normal file
View File

@ -0,0 +1,20 @@
#!/usr/bin/with-contenv sh
#shellcheck shell=sh
if [ -s "$TASKDDATA/ca.cert.pem" ]; then
printf "Server certificates found, not generating any.\n"
else
# Use the generate script to make the CA and server certificates
printf "No server certificates found, generating them...\n"
cd /opt/src/taskd/pki || exit 1
./generate
# move generated certs to volumes so they're not lost when the container is
# destroyed, and so that they can be accessed from other containers if needed
cp ./client.key.pem /ssl_certs/
cp ./client.cert.pem /ssl_certs/
cp ./server.key.pem /ssl_certs/
cp ./server.cert.pem /ssl_certs/
cp ./ca.key.pem /ssl_certs/
cp ./ca.cert.pem /ssl_certs/
cp ./ca.cert.pem /client_certs/
fi

15
taskserver/root/etc/cont-init.d/16-generate-user-certs Normal file
View File

@ -0,0 +1,15 @@
#!/usr/bin/with-contenv sh
#shellcheck shell=sh
if [ -s "$TASKDDATA/$TASKD_USERNAME.cert.pem" ]; then
printf "User certificate for %s found, not generating again\n" "$TASKD_USERNAME"
else
# Now we generate the user certificate that will go on the client machine
printf "No certificate found for %s, generating user certificate...\n" "$TASKD_USERNAME"
cd /opt/src/taskd/pki || exit 1
./generate.client "$TASKD_USERNAME"
# move cert and key to a volume so they're not lost when the container is
# removed and so that they're accessible outside the taskd container
cp "$TASKD_USERNAME".cert.pem /client_certs/"$TASKD_USERNAME".cert.pem
cp "$TASKD_USERNAME".key.pem /client_certs/"$TASKD_USERNAME".key.pem
fi

29
taskserver/root/etc/cont-init.d/20-copy-certs Normal file
View File

@ -0,0 +1,29 @@
#!/usr/bin/with-contenv sh
#shellcheck shell=sh
# Regroup all certificates where taskd will look for them
if [ -s "$TASKDDATA/server.cert.pem" ]; then
printf "Server certificates found in %s, not overwriting\n" "$TASKDDATA"
# put the certs in the ssl_certs volume to avoid mismatch between /ssl_certs
# and the ones the server is using
cp "$TASKDDATA/server.key.pem" /ssl_certs
cp "$TASKDDATA/server.cert.pem" /ssl_certs
else
printf "No server certificates in %s, copying them over...\n" "$TASKDDATA"
cp /ssl_certs/server.key.pem "$TASKDDATA"
cp /ssl_certs/server.cert.pem "$TASKDDATA"
fi
if [ -s "$TASKDDATA/$TASKD_USERNAME.cert.pem" ]; then
printf "Client certificates for user %s found in %s, not overwriting\n" "$TASKD_USERNAME" "$TASKDDATA"
# put the certs in the client_certs volume to avoid mismatch between
# /client_certs and the ones the server is using
cp "$TASKDDATA/ca.cert.pem" /client_certs
cp "$TASKDDATA/$TASKD_USERNAME.key.pem" /client_certs
cp "$TASKDDATA/$TASKD_USERNAME.cert.pem" /client_certs
else
printf "No certificates for user %s in %s, copying them over...\n" "$TASKD_USERNAME" "$TASKDDATA"
cp /client_certs/ca.cert.pem "$TASKDDATA"
cp "/client_certs/$TASKD_USERNAME.key.pem" "$TASKDDATA"
cp "/client_certs/$TASKD_USERNAME.cert.pem" "$TASKDDATA"
fi

43
taskserver/root/etc/cont-init.d/30-bootstrap-taskd Normal file
View File

@ -0,0 +1,43 @@
#!/usr/bin/with-contenv sh
#shellcheck shell=sh
# with help from https://blog.polettix.it/setup-a-taskwarrior-server/
# if we already have a config file, we don't want to overwrite it
if [ -s "$TASKDDATA/config" ]; then
printf "%s/config file found, skipping bootstrap\n" "$TASKDDATA"
else
printf "%s/config file not found, bootstrapping taskd\n" "$TASKDDATA"
# configure taskd, create the organization and user
taskd init
touch "$TASKDDATA/taskd.log"
touch "$TASKDDATA/taskd.pid"
chown taskd "$TASKDDATA/taskd.log"
chown taskd "$TASKDDATA/taskd.pid"
taskd config --force server "$(hostname -f):53589"
taskd config --force log "$TASKDDATA"/taskd.log
taskd config --force pid.file "$TASKDDATA"/taskd.pid
taskd config --force server.key "$TASKDDATA"/server.key.pem
taskd config --force server.cert "$TASKDDATA"/server.cert.pem
taskd config --force server.crl "$TASKDDATA"/server.crl.pem
taskd config --force ca.cert "$TASKDDATA"/ca.cert.pem
fi
if find "$TASKDDATA/orgs" -name "$TASKD_ORGNAME" | grep "$TASKD_ORGNAME"; then
printf "Organization %s found, not regenerating it\n" "$TASKD_ORGNAME"
else
printf "Organization %s not found, generating it...\n" "$TASKD_ORGNAME"
taskd add org "$TASKD_ORGNAME"
fi
if grep -qrw "$TASKDDATA/orgs/$TASKD_ORGNAME/users" -e "user=$TASKD_USERNAME"; then
printf "User %s already exists, not recreating it\n" "$TASKD_USERNAME"
# extract the UUID anyway
grep -rw "$TASKDDATA/orgs/$TASKD_ORGNAME/users" -e "user=$TASKD_USERNAME" | sed '/.*\([0-9a-f\-]\{36\}\).*/!d;s//\1/g' > /client_certs/"$TASKD_USERNAME-uuid"
else
printf "User %s didn't exist, creating it...\n" "$TASKD_USERNAME"
# use tee to still write to stdout but also save output to file
taskd add user "$TASKD_ORGNAME" "$TASKD_USERNAME" | tee /client_certs/"$TASKD_USERNAME-uuid"
# now remove the rest of the output and only keep the uuid, useful for
# configuring taskwarrior on the client machine
sed -i '/.*\([0-9a-f\-]\{36\}\)/!d;s//\1/g' /client_certs/"$TASKD_USERNAME-uuid"
fi

8
taskserver/root/etc/cont-init.d/35-fix-permissions Normal file
View File

@ -0,0 +1,8 @@
#!/usr/bin/with-contenv sh
#shellcheck shell=sh
# make the taskd data dir rw for the user running taskd
chown -R taskd:taskd "$TASKDDATA"
# make client certs readable for every user to work around UID and GID mapping
# inconsistencies across hosts
chmod +r /client_certs/*

6
taskserver/root/etc/cont-init.d/90-diagnostics Normal file
View File

@ -0,0 +1,6 @@
#!/usr/bin/with-contenv sh
#shellcheck shell=sh
# some debug info, useful when running CI tests mostly
s6-setuidgid taskd taskd diagnostics
ls -clash "$TASKDDATA"

5
taskserver/root/etc/services.d/taskd-logs/run Normal file
View File

@ -0,0 +1,5 @@
#!/usr/bin/with-contenv sh
#shellcheck shell=sh
# write a copy of the log in the container's console for easier monitoring/inspection
exec tail -F "$TASKDDATA/taskd.log"

5
taskserver/root/etc/services.d/taskd/run Normal file
View File

@ -0,0 +1,5 @@
#!/usr/bin/with-contenv sh
#shellcheck shell=sh
# user taskd will run the taskserver, running as root is asking for trouble
exec s6-setuidgid taskd taskd server

BIN
taskserver/taskserver.env Normal file
View File

Binary file not shown.

BIN
transmission-pw.secret
View File

Binary file not shown.

BIN
transmission-user.secret
View File

Binary file not shown.

5
zotero-sync/.gitignore vendored
View File

@ -1,5 +0,0 @@
keys
.migrations
log
nginx
php

BIN
zotero-sync/nginx/htpasswd
View File

Binary file not shown.

17
zotero-sync/nginx/site-confs/default.conf
View File

@ -1,17 +0,0 @@
server {
listen 80;
client_max_body_size 0;
location / {
root /data;
dav_methods PUT DELETE MOVE;
dav_ext_methods PROPFIND OPTIONS;
dav_access user:rw group:rw all:r;
auth_basic "Restricted";
auth_basic_user_file /config/nginx/htpasswd;
}
}