d0ec9d9baf Add baikal 2023-05-19 11:05:38 +02:00
52 changed files with 393 additions and 974 deletions

BIN
.env

Binary file not shown.

4
.gitattributes vendored

@ -4,7 +4,3 @@ ddclient/ddclient.conf filter=git-crypt diff=git-crypt
*.pem filter=git-crypt diff=git-crypt *.pem filter=git-crypt diff=git-crypt
*.env filter=git-crypt diff=git-crypt *.env filter=git-crypt diff=git-crypt
*.override.yml filter=git-crypt diff=git-crypt *.override.yml filter=git-crypt diff=git-crypt
*.secret filter=git-crypt diff=git-crypt
htpasswd filter=git-crypt diff=git-crypt
id_rsa filter=git-crypt diff=git-crypt
.env filter=git-crypt diff=git-crypt
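Review bot: The four single-column lines closing this hunk (`*.secret`, `htpasswd`, `id_rsa`, `.env`) are removed from the git-crypt filter on the new side, so any tracked file matching them is committed in cleartext from here on. The old side of docker-compose.yml references `./ssh/id_rsa` and a set of `*.secret` files, and `.env` at the top of this compare is rendered as a binary file, so run `git-crypt status` before merging to confirm nothing matching these names is still tracked, or keep the four lines. Whether the remaining `*.env` pattern also covers the bare `.env` file is not settled by this hunk; the explicit `.env` entry is the safer reading.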


@ -6,15 +6,6 @@
## Setup ## Setup
Setup DNS server for docker in `/etc/docker/daemon.json`:
```config
{
"data-root": "/home/docker",
"dns": ["1.1.1.1", "8.8.8.8", "8.8.4.4"]
}
```
Once DNS are properly setup on host: Once DNS are properly setup on host:
1. Create OVH token : <https://www.ovh.com/auth/api/createToken> 1. Create OVH token : <https://www.ovh.com/auth/api/createToken>
@ -23,45 +14,19 @@ Once DNS are properly setup on host:
### Services ### Services
#### Flood
- Socket: `/config/.local/share/rtorrent/rtorrent.sock`
## Create a new service ## Create a new service
1. Add the service in `docker-compose.yml` 1. Add the service in `docker-compose.yml`
2. Create the DynHost and id <https://www.ovh.com/manager/#/web/domain/guiotte.fr/dynhost> 2. Create the DynHost <https://www.ovh.com/manager/#/web/domain/guiotte.fr/dynhost>
3. Add the host in the DDclient configuration `./ddclient/ddclient.conf` 3. Add the host in the DDclient configuration `./ddclient/ddclient.conf`
4. Add the nginx proxy configuration in `./swag/nginx/proxy-confs/` 4. Add the nginx proxy configuration in `./swag/nginx/proxy-confs/`
5. Update the local zone in `./bind9/guiotte.db` 5. Update the local zone in `./bind9/guiotte.db`
6. Restart `bind9` and `swag`: `dcc restart bind9 swag` 6. Restart `bind9` and `swag`: `dcc restart bind9 swag`
## Update MariaDB
After upgrading from one major MySQL/MariaDB release to another, we have to run `mariadb-upgrade` on the services using MariaDB.
### Lychee
```bash
dcc stop lychee
dcc exec lychee-db mariadb-upgrade -u root -p"$(cat lychee-db-root-pw.secret)"
dcc restart lychee-db
dcc up -d lychee
```
### Nextcloud
```bash
dcc stop nextcloud
dcc exec nextcloud-db mariadb-upgrade -u root -p"$(cat nextcloud-db-root-pw.secret)"
dcc restart nextcloud-db
dcc up -d nextcloud
```
## Backup
To backup the named volumes, run:
```shell
./backup.py
```
## Logs ## Logs
2022-11-02 Created OVH token 2022-11-02 Created OVH token

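--- a/backup.py
+++ b/backup.py
@@ -1,110 +0,0 @@
-#!/usr/bin/env python
-# file backup.py
-# author Florent Guiotte <florent.guiotte@irisa.fr>
-# version 0.0
-# date 10 août 2024
-"""Abstract
-doc.
-"""
-import yaml
-from pathlib import Path
-import subprocess
-from datetime import datetime
-COMPOSE_PATH = Path('docker-compose.yml')
-BACKUP_PATH = Path('./data/bkp')
-VOLUME_PREFIX = 'docker_'
-class UnionFind:
-def __init__(self):
-self.parent = {}
-def make(self, service):
-self.parent.setdefault(service, service)
-def find(self, service):
-"""return root"""
-if self.parent[service] != service:
-self.parent[service] = self.find(self.parent[service])
-return self.parent[service]
-def union(self, service1, service2):
-root1 = self.find(service1)
-root2 = self.find(service2)
-if root1 != root2:
-self.parent[root2] = root1 # compress!
-def build_services_graph(services):
-uf = UnionFind()
-for service in services:
-uf.make(service)
-for dependency in services[service].get('depends_on', []):
-uf.make(dependency)
-uf.union(service, dependency)
-return uf
-def group_services(services, graph):
-grouped_services = {}
-for service in services:
-root = graph.find(service)
-if root not in grouped_services:
-grouped_services[root] = {'services': []}
-grouped_services[root]['services'].append(service)
-return grouped_services
-def group_volumes(services, volumes, services_group):
-for group_name, group in services_group.items():
-group_volumes = group.setdefault('volumes', [])
-for service in group['services']:
-for volume in [v.split(':')[0] for v in services[service]['volumes']]:
-if volume in volumes: group_volumes += [volume]
-return services_group
-def backup(volume):
-current_date = datetime.now()
-date_string = current_date.strftime("%Y-%m-%d")
-archive_name = f'{date_string}_{volume}.tar'
-print(f'backup volume {volume} to {BACKUP_PATH}/{archive_name}')
-subprocess.run(f'docker run --rm --volume {VOLUME_PREFIX}{volume}:/data --volume {BACKUP_PATH.resolve()}:/bkp ubuntu tar -cf /bkp/{archive_name} -C /data .'.split())
-def run_docker_compose(cmd):
-subprocess.run(f'docker compose {cmd}'.split())
-if __name__ == '__main__':
-with COMPOSE_PATH.open() as cf:
-compose = yaml.safe_load(cf)
-services = compose['services']
-volumes = compose['volumes']
-services_graph = build_services_graph(services)
-services_group = group_services(services, services_graph)
-services_group = group_volumes(services, volumes, services_group)
-for group_name, group in services_group.items():
-print(f'Service group {group_name} ', end='')
-if not group['volumes']:
-print('no volumes')
-continue
-print('run backup...')
-run_docker_compose(f'stop {" ".join(group["services"])}')
-for volume in group['volumes']:
-backup(volume)
-run_docker_compose(f'start {" ".join(group["services"])}')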


@ -20,13 +20,4 @@ dm.guiotte.fr. IN A 192.168.1.2
money.guiotte.fr. IN CNAME dm.guiotte.fr. money.guiotte.fr. IN CNAME dm.guiotte.fr.
photos.guiotte.fr. IN CNAME dm.guiotte.fr. photos.guiotte.fr. IN CNAME dm.guiotte.fr.
dl.guiotte.fr. IN CNAME dm.guiotte.fr. dl.guiotte.fr. IN CNAME dm.guiotte.fr.
kdoc.guiotte.fr. IN CNAME dm.guiotte.fr. cal.guiotte.fr. IN CNAME dm.guiotte.fr.
sync.guiotte.fr. IN CNAME dm.guiotte.fr.
pad.guiotte.fr. IN CNAME dm.guiotte.fr.
home.guiotte.fr. IN CNAME dm.guiotte.fr.
zotero.guiotte.fr. IN CNAME dm.guiotte.fr.
git.guiotte.fr. IN CNAME dm.guiotte.fr.
db.guiotte.fr. IN CNAME dm.guiotte.fr.
flix.guiotte.fr. IN CNAME dm.guiotte.fr.
task.guiotte.fr. IN CNAME dm.guiotte.fr.
todo.guiotte.fr. IN CNAME dm.guiotte.fr.
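Review bot: The new side of the `kdoc.guiotte.fr.` line becomes `cal.guiotte.fr. IN CNAME dm.guiotte.fr.`, presumably for the added baikal service, but within the visible part of this compare no `cal.*` proxy configuration or DDclient host accompanies it, although the README checklist on this page lists both as steps for a new service. If those live outside the compare this is fine; otherwise the name resolves on the LAN but has nothing serving it. The other nine single-column lines are CNAMEs for services removed from docker-compose.yml on the new side, which is consistent with the hunk counts.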


@ -22,7 +22,6 @@ jus.lan. IN A 192.168.1.6
tcw.lan. IN A 192.168.1.8 tcw.lan. IN A 192.168.1.8
silk.lan. IN A 192.168.1.9 silk.lan. IN A 192.168.1.9
ror.lan. IN A 192.168.1.10
drmanhattan.lan. IN CNAME dm.lan. drmanhattan.lan. IN CNAME dm.lan.
ozymandias.lan. IN CNAME ozy.lan. ozymandias.lan. IN CNAME ozy.lan.
@ -31,6 +30,5 @@ ozymandias.lan. IN CNAME ozy.lan.
silhouette.lan. IN CNAME sil.lan. silhouette.lan. IN CNAME sil.lan.
justice.lan. IN CNAME jus.lan. justice.lan. IN CNAME jus.lan.
thecomedian-wifi.lan. IN CNAME tcw.lan. thecomedian-wifi.lan. IN CNAME tcw.lan.
rorschach.lan. IN CNAME ror.lan.
kodi.lan. IN CNAME jus.lan. kodi.lan. IN CNAME jus.lan.

Binary file not shown.

BIN
docker-compose.override.yml Normal file

Binary file not shown.


@ -1,10 +1,12 @@
version: '3.4'
x-common-environment: &common-environment x-common-environment: &common-environment
PUID: 1000 PUID: 1000
PGID: 1000 PGID: 1000
TZ: &tz Europe/Paris TZ: Europe/Helsinki
services: services:
bind9: bind9:
image: ubuntu/bind9:9.18-22.04_beta image: ubuntu/bind9:9.18-22.04_beta
container_name: bind9 container_name: bind9
@ -18,7 +20,6 @@ services:
ports: ports:
- "53:53/udp" - "53:53/udp"
swag: swag:
image: lscr.io/linuxserver/swag image: lscr.io/linuxserver/swag
container_name: swag container_name: swag
@ -38,7 +39,6 @@ services:
- 443:443 - 443:443
- 80:80 - 80:80
ddclient: ddclient:
image: lscr.io/linuxserver/ddclient:latest image: lscr.io/linuxserver/ddclient:latest
container_name: ddclient container_name: ddclient
@ -46,8 +46,6 @@ services:
environment: *common-environment environment: *common-environment
volumes: volumes:
- ./ddclient:/config - ./ddclient:/config
- ddclient-cache:/run/ddclient-cache
#- ddclient-cache:/var/cache/ddclient
money: money:
image: ihatemoney/ihatemoney image: ihatemoney/ihatemoney
@ -66,22 +64,15 @@ services:
container_name: transmission container_name: transmission
environment: environment:
<<: *common-environment <<: *common-environment
FILE__USER: /run/secrets/transmission-user
FILE__PASS: /run/secrets/transmission-pw
volumes: volumes:
- transmission-config:/config - transmission-config:/config
- /storage/@media/download:/downloads - /mnt/storage/download:/downloads
- /storage/@media/download/torrent:/watch - /mnt/storage/download/torrent:/watch
- ./transmission/eodl.sh:/eodl.sh
ports: ports:
- 9091:9091 - 9091:9091
- 51413:51413 - 51413:51413
- 51413:51413/udp - 51413:51413/udp
restart: unless-stopped restart: unless-stopped
secrets:
- transmission-user
- transmission-pw
# WIP # WIP
# radarr: # radarr:
@ -100,47 +91,16 @@ services:
# restart: unless-stopped # restart: unless-stopped
#jackett:
# image: lscr.io/linuxserver/jackett:latest
# container_name: jackett
# environment:
# <<: *common-environment
# AUTO_UPDATE: true #optional
# RUN_OPTS: #optional
# volumes:
# - jackett-config:/config
# - /mnt/storage/media/dl:/downloads
# ports:
# - 9117:9117
# restart: unless-stopped
#sonarr:
# image: lscr.io/linuxserver/sonarr:latest
# container_name: sonarr
# environment: *common-environment
# volumes:
# - sonarr-config:/config
# - /mnt/storage/media:/data
# #- /mnt/storage/video/Films/:/movies
# #- /mnt/storage/download/:/downloads
# ports:
# - 8989:8989
# restart: unless-stopped
syncthing: syncthing:
image: lscr.io/linuxserver/syncthing:latest image: lscr.io/linuxserver/syncthing:latest
container_name: syncthing container_name: syncthing
hostname: drmanhattan hostname: drmanhattan #optional
environment: *common-environment environment: *common-environment
volumes: volumes:
- ./syncthing:/config - ./syncthing:/config
- sync-notes:/notes - /mnt/storage/music/Florent:/music
- sync-audrey:/audrey-sync
- ./data/signal-bkp:/signal-bkp
- ./data/audrey-projets:/audrey-projets
ports: ports:
#- 8384:8384
- 22000:22000/tcp - 22000:22000/tcp
- 22000:22000/udp - 22000:22000/udp
- 21027:21027/udp - 21027:21027/udp
@ -155,13 +115,10 @@ services:
- lychee-db:/config - lychee-db:/config
environment: environment:
<<: *common-environment <<: *common-environment
FILE__MYSQL_ROOT_PASSWORD: /run/secrets/lychee-db-root-pw MYSQL_ROOT_PASSWORD: rootpassword
FILE__MYSQL_PASSWORD: /run/secrets/lychee-db-pw
MYSQL_DATABASE: lychee MYSQL_DATABASE: lychee
MYSQL_USER: lychee MYSQL_USER: lychee
secrets: MYSQL_PASSWORD: dbpassword
- lychee-db-root-pw
- lychee-db-pw
lychee: lychee:
@ -175,332 +132,91 @@ services:
- lychee-pictures:/pictures - lychee-pictures:/pictures
environment: environment:
<<: *common-environment <<: *common-environment
FILE__DB_PASSWORD: /run/secrets/lychee-db-pw
DB_HOST: lychee-db DB_HOST: lychee-db
DB_CONNECTION: mysql
DB_USERNAME: lychee DB_USERNAME: lychee
DB_PASSWORD: dbpassword
DB_DATABASE: lychee DB_DATABASE: lychee
DB_PORT: 3306 DB_PORT: 3306
APP_URL: https://photos.guiotte.fr
TRUSTED_PROXIES: 172.22.0.0/24
secrets:
- lychee-db-pw
# WIP
zotero-sync: # zotero:
image: lscr.io/linuxserver/nginx:latest # #image: lscr.io/linuxserver/nginx:latest
container_name: zotero-sync # #image: sashgorokhov/webdav
environment: *common-environment # build: zotero
volumes: # container_name: zotero
- ./zotero-sync:/config
- zotero-sync-data:/data
restart: unless-stopped
# Not in use anymore
# subdomain still activated though
#slides-notes:
# build: slides-notes
# container_name: slides-notes
# restart: always
# environment: *common-environment
# volumes:
# - ./slides-notes/slides:/app/slides
nextcloud:
image: lscr.io/linuxserver/nextcloud:latest
container_name: nextcloud
restart: unless-stopped
depends_on:
- nextcloud-db
environment: *common-environment
volumes:
- nextcloud-config:/config
- nextcloud-data:/data
nextcloud-db:
image: linuxserver/mariadb:latest
container_name: nextcloud-db
restart: unless-stopped
environment:
<<: *common-environment
FILE__MYSQL_ROOT_PASSWORD: /run/secrets/nextcloud-db-root-pw
FILE__MYSQL_PASSWORD: /run/secrets/nextcloud-db-pw
MYSQL_DATABASE: database
MYSQL_USER: user
volumes:
- nextcloud-db-config:/config
secrets:
- nextcloud-db-root-pw
- nextcloud-db-pw
hedgedoc:
image: lscr.io/linuxserver/hedgedoc:latest
container_name: hedgedoc
depends_on:
- hedgedoc-db
environment:
<<: *common-environment
DB_HOST: hedgedoc-db
DB_PORT: 3306
DB_USER: hedgedoc
DB_NAME: hedgedoc
FILE__DB_PASS: /run/secrets/hedgedoc-db-pw
CMD_DOMAIN: pad.guiotte.fr
CMD_PROTOCOL_USESSL: true
CMD_ALLOW_FREEURL: true
CMD_REQUIRE_FREEURL_AUTHENTICATION: true
volumes:
- hedgedoc-config:/config
restart: unless-stopped
secrets:
- hedgedoc-db-pw
hedgedoc-db:
image: lscr.io/linuxserver/mariadb:latest
container_name: hedgedoc-db
restart: unless-stopped
volumes:
- hedgedoc-db:/config
environment:
<<: *common-environment
FILE__MYSQL_ROOT_PASSWORD: /run/secrets/hedgedoc-db-root-pw
FILE__MYSQL_PASSWORD: /run/secrets/hedgedoc-db-pw
MYSQL_DATABASE: hedgedoc
MYSQL_USER: hedgedoc
secrets:
- hedgedoc-db-root-pw
- hedgedoc-db-pw
homeassistant:
image: lscr.io/linuxserver/homeassistant:latest
container_name: homeassistant
environment:
<<: *common-environment
volumes:
- homeassistant-config:/config
restart: unless-stopped
devices:
- /dev/serial/by-id/usb-ITEAD_SONOFF_Zigbee_3.0_USB_Dongle_Plus_V2_20240219191913-if00:/dev/ttyACM0
# NOTE: Temporarily disable zigbee and wifi iot
#
#
#
#yee0:
# build: ssh
# container_name: yee0
# volumes:
# - ./ssh/id_rsa:/root/.ssh/id_rsa
# environment: # environment:
# - SSH_HOSTNAME=192.168.1.5 # - PUID=1000
# - SSH_USERNAME=alarm # - PGID=1000
# - SSH_LOCAL_PORT=55443 # - TZ=Europe/Helsinki
# - SSH_DESTINATION=10.0.0.100 # - USERNAME=user
# - SSH_DESTINATION_PORT=55443 # - PASSWORD=passwd
# #ports:
# # - 55443:55443
# restart: unless-stopped
#
#
#yee1:
# build: ssh
# container_name: yee1
# volumes: # volumes:
# - ./ssh/id_rsa:/root/.ssh/id_rsa # - zotero-data:/data
# environment: # #- zotero-data:/media
# - SSH_HOSTNAME=192.168.1.5
# - SSH_USERNAME=alarm
# - SSH_LOCAL_PORT=55443
# - SSH_DESTINATION=10.0.0.101
# - SSH_DESTINATION_PORT=55443
# #ports:
# # - 55443:55443
# restart: unless-stopped # restart: unless-stopped
# # https://github.com/linuxserver/docker-baseimage-alpine-nginx/blob/master/Dockerfile
gitea: # # https://github.com/linuxserver/docker-nginx/blob/master/Dockerfile
image: gitea/gitea:latest # # https://github.com/sashgorokhov/docker-nginx-webdav/blob/master/Dockerfile
#build: gitea # # XXX: Missing "nginx-extra" in my build?
container_name: gitea
restart: unless-stopped
environment:
<<: *common-environment
GITEA__database__DB_TYPE: mysql
GITEA__database__HOST: gitea-db:3306
GITEA__database__NAME: gitea
GITEA__database__USER: gitea
GITEA__database__PASSWD: gitea
GITEA__service__DISABLE_REGISTRATION: true
GITEA__server__DOMAIN: git.guiotte.fr
GITEA__server__SSH_DOMAIN: git.guiotte.fr
GITEA__server__LANDING_PAGE: explore
depends_on:
- gitea-db
volumes:
- gitea-data:/data
gitea-db: taskserver:
image: linuxserver/mariadb:latest build: taskserver
container_name: gitea-db container_name: taskserver
restart: unless-stopped hostname: dm.guiotte.fr
environment: restart: always
<<: *common-environment environment: *common-environment
FILE__MYSQL_ROOT_PASSWORD: /run/secrets/gitea-db-root-pw env_file:
FILE__MYSQL_PASSWORD: /run/secrets/gitea-db-pw - taskserver/taskserver.env
MYSQL_DATABASE: gitea
MYSQL_USER: gitea
volumes:
- gitea-db:/config
secrets:
- gitea-db-root-pw
- gitea-db-pw
nocodb:
image: nocodb/nocodb:latest
container_name: nocodb
restart: unless-stopped
environment:
<<: *common-environment
NC_DB_JSON_FILE: /run/secrets/nocodb-json
volumes:
- nocodb-data:/usr/app/data
secrets:
- nocodb-json
nocodb-db:
image: linuxserver/mariadb:latest
container_name: nocodb-db
restart: unless-stopped
environment:
<<: *common-environment
FILE__MYSQL_ROOT_PASSWORD: /run/secrets/nocodb-db-root-pw
FILE__MYSQL_PASSWORD: /run/secrets/nocodb-db-pw
MYSQL_DATABASE: nocodb
MYSQL_USER: nocodb
volumes:
- nocodb-db:/config
secrets:
- nocodb-db-root-pw
- nocodb-db-pw
jellyfin:
image: lscr.io/linuxserver/jellyfin:latest
container_name: jellyfin
environment:
<<: *common-environment
JELLYFIN_PublishedServerUrl: https://flix.guiotte.fr
volumes:
- jellyfin-config:/config
- /storage/@media/video:/data/video
- /storage/@media/music:/data/music
ports: ports:
- 7359:7359/udp #optional Allows clients to discover Jellyfin on the local network - "53589:53589"
- 1900:1900/udp #optional Service discovery used by DNLA and clients
restart: unless-stopped
devices:
- /dev/dri:/dev/dri
taskchampion:
image: ghcr.io/gothenburgbitfactory/taskchampion-sync-server:latest
container_name: taskchampion
restart: unless-stopped
environment:
- "RUST_LOG=info" # Log every request
- "DATA_DIR=/taskchampion-data"
- "TASKCHAMPION_SYNC_SERVER_HOSTNAME=task.guiotte.fr"
- "TASKCHAMPION_SYNC_SERVER_CLIENT_ID=${TASKCHAMPION_SYNC_SERVER_CLIENT_ID}"
volumes: volumes:
- taskchampion-data:/taskchampion-data - taskserver-data:/var/taskd
- taskserver-certs:/ssl_certs
- ./taskserver/client_certs:/client_certs
vikunja: slides-notes:
image: vikunja/vikunja build: slides-notes
container_name: vikunja container_name: slides-notes
restart: unless-stopped restart: always
environment: *common-environment
volumes:
- ./slides-notes/slides:/app/slides
baikal:
image: ckulka/baikal:nginx
container_name: baikal
restart: always
volumes:
- baikal-config:/var/www/baikal/config
#- baikal-data:/var/www/baikal/Specific
baikal-db:
image: lscr.io/linuxserver/mariadb:latest
container_name: baikal-db
restart: always
volumes:
- baikal-db:/config
environment: environment:
<<: *common-environment <<: *common-environment
VIKUNJA_SERVICE_PUBLICURL: https://todo.guiotte.fr MYSQL_ROOT_PASSWORD: rootpassword
VIKUNJA_DATABASE_PATH: /db/vikunja.db MYSQL_DATABASE: baikal
VIKUNJA_SERVICE_JWTSECRET: ${VIKUNJA_SERVICE_JWTSECRET} MYSQL_USER: baikal
VIKUNJA_SERVICE_TIMEZONE: *tz MYSQL_PASSWORD: dbpassword
VIKUNJA_MAILER_ENABLED: true
VIKUNJA_MAILER_HOST: ${MAIL_SERVER}
VIKUNJA_MAILER_PORT: ${MAIL_SMTP_PORT}
VIKUNJA_MAILER_USERNAME: ${MAIL_USERNAME}
VIKUNJA_MAILER_PASSWORD: ${MAIL_PASSWORD}
VIKUNJA_MAILER_FORCESSL: ${MAIL_USE_SSL}
VIKUNJA_SERVICE_ENABLEREGISTRATION: true
volumes:
- vikunja-data:/app/vikunja/files
- vikunja-db:/db
volumes: volumes:
money-data: money-data:
zotero-data:
lychee-db: lychee-db:
lychee-config: lychee-config:
lychee-pictures: lychee-pictures:
taskserver-data: taskserver-data:
taskserver-certs: taskserver-certs:
transmission-config: transmission-config:
nextcloud-data: baikal-config:
nextcloud-config: baikal-db:
nextcloud-db-config:
ddclient-cache:
hedgedoc-config:
hedgedoc-db:
homeassistant-config:
zotero-sync-data:
gitea-data:
gitea-db:
sonarr-config:
jackett-config:
sync-audrey:
sync-notes:
nocodb:
nocodb-data:
nocodb-db:
jellyfin-config:
taskchampion-data:
vikunja-data:
vikunja-db:
secrets:
lychee-db-root-pw:
file: lychee-db-root-pw.secret
lychee-db-pw:
file: lychee-db-pw.secret
nextcloud-db-root-pw:
file: nextcloud-db-root-pw.secret
nextcloud-db-pw:
file: nextcloud-db-pw.secret
transmission-user:
file: transmission-user.secret
transmission-pw:
file: transmission-pw.secret
hedgedoc-db-root-pw:
file: hedgedoc-db-root-pw.secret
hedgedoc-db-pw:
file: hedgedoc-db-pw.secret
gitea-db-root-pw:
file: gitea-db-root-pw.secret
gitea-db-pw:
file: gitea-db-pw.secret
nocodb-db-root-pw:
file: nocodb-db-root-pw.secret
nocodb-db-pw:
file: nocodb-db-pw.secret
nocodb-json:
file: nocodb-json.secret
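Review bot: The new side writes database credentials into the committed compose file as literals — `MYSQL_ROOT_PASSWORD: rootpassword` and `MYSQL_PASSWORD: dbpassword` on lychee-db, `DB_PASSWORD: dbpassword` on lychee, and the same two values again on the added baikal-db — where the old side read them through `FILE__*` variables from `/run/secrets/` backed by a top-level `secrets:` block. baikal-db uses `lscr.io/linuxserver/mariadb:latest`, the same image family the old side's `FILE__` variables are used with, so it could follow that pattern, e.g. `FILE__MYSQL_ROOT_PASSWORD: /run/secrets/baikal-db-root-pw` and `FILE__MYSQL_PASSWORD: /run/secrets/baikal-db-pw`, with matching entries under `secrets:` pointing at `.secret` files (which the old side kept under the git-crypt filter). Reusing identical root and user passwords for lychee-db and baikal-db also means one leaked value opens both databases. On the added baikal services, `restart: always` differs from the `unless-stopped` used elsewhere in the file, and `baikal` declares no `depends_on` on `baikal-db`, so the app may start before its database accepts connections. The commented `#- baikal-data:/var/www/baikal/Specific` volume appears to leave whatever that directory holds in the container's writable layer, which depends on the image and should be confirmed.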

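--- a/flood/.rtorrent.rc
+++ b/flood/.rtorrent.rc
@@ -0,0 +1,5 @@
+## Import default configurations
+import = /etc/rtorrent/rtorrent.rc
+## Listening port
+network.port_range.set=6881-6881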

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -1,25 +0,0 @@
FROM ghcr.io/linuxserver/baseimage-alpine:3.18
# Install SSH client
RUN \
apk add --no-cache \
openssh-client
# Set volume for ssh key
VOLUME /root/.ssh/id_rsa
# Set default values for SSH tunnel configuration
ENV SSH_HOSTNAME=server.example.com
ENV SSH_USERNAME=username
ENV SSH_DESTINATION=destination
ENV SSH_DESTINATION_PORT=12345
ENV SSH_LOCAL_PORT=12345
ENTRYPOINT ssh \
-N -4 \
-L *:$SSH_LOCAL_PORT:$SSH_DESTINATION:$SSH_DESTINATION_PORT \
-l $SSH_USERNAME \
-o "StrictHostKeyChecking no" \
-o "UserKnownHostsFile /dev/null" \
$SSH_HOSTNAME

Binary file not shown.


@ -1 +0,0 @@
ssh-rsa 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 florent@drmanhattan


@ -1,7 +1,4 @@
## Version 2023/04/13 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/nginx.conf.sample ## Version 2022/01/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf
### Based on alpine defaults
# https://git.alpinelinux.org/aports/tree/main/nginx/nginx.conf?h=3.19-stable
user abc; user abc;
@ -17,13 +14,11 @@ error_log /config/log/nginx/error.log;
# Includes files with directives to load dynamic modules. # Includes files with directives to load dynamic modules.
include /etc/nginx/modules/*.conf; include /etc/nginx/modules/*.conf;
# Include files with config snippets into the root context.
include /etc/nginx/conf.d/*.conf;
events { events {
# The maximum number of simultaneous connections that can be opened by # The maximum number of simultaneous connections that can be opened by
# a worker process. # a worker process.
worker_connections 1024; worker_connections 1024;
# multi_accept on;
} }
http { http {
@ -54,29 +49,101 @@ http {
# instead of using partial frames. Default is 'off'. # instead of using partial frames. Default is 'off'.
tcp_nopush on; tcp_nopush on;
# all ssl related config moved to ssl.conf
# included in server blocks where listen 443 is defined
# Enable gzipping of responses.
#gzip on;
# Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
gzip_vary on;
# Helper variable for proxying websockets. # Helper variable for proxying websockets.
map $http_upgrade $connection_upgrade { map $http_upgrade $connection_upgrade {
default upgrade; default upgrade;
'' close; '' close;
} }
# Saves unauthorized log messages to a separate log file
map $status $unauthorized {
default 0;
~^401 1;
}
access_log /config/log/nginx/unauthorized.log combined if=$unauthorized;
# Sets the path, format, and configuration for a buffered log write. # Sets the path, format, and configuration for a buffered log write.
access_log /config/log/nginx/access.log; access_log /config/log/nginx/access.log;
# Includes virtual hosts configs. # Includes virtual hosts configs.
include /etc/nginx/http.d/*.conf; #include /etc/nginx/http.d/*.conf;
# WARNING: Don't use this directory for virtual hosts anymore.
# This include will be moved to the root context in Alpine 3.14.
#include /etc/nginx/conf.d/*.conf;
##
# Basic Settings
##
client_body_buffer_size 128k;
keepalive_timeout 65;
large_client_header_buffers 4 16k;
send_timeout 5m;
tcp_nodelay on;
types_hash_max_size 2048;
variables_hash_max_size 2048;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
##
# nginx-naxsi config
##
# Uncomment it if you installed nginx-naxsi
##
#include /etc/nginx/naxsi_core.rules;
##
# nginx-passenger config
##
# Uncomment it if you installed nginx-passenger
##
#passenger_root /usr;
#passenger_ruby /usr/bin/ruby;
##
# Virtual Host Configs
##
include /config/nginx/site-confs/*.conf; include /config/nginx/site-confs/*.conf;
#Removed lua. Do not remove this comment
} }
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
daemon off; daemon off;
pid /run/nginx.pid; pid /run/nginx.pid;
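Review bot: The new side's first line swaps the `## Version 2023/04/13` baseimage-alpine-nginx sample header for the older `## Version 2022/01/09` docker-swag one, and the lychee proxy conf further down shows the same rollback (`## Version 2021/05/18`, `listen 443 ssl;` without `http2`); the commit title `Add baikal` does not mention reverting the templates, so confirm this is intended rather than a stale copy overwriting current defaults. In the second hunk the root-context `include /etc/nginx/conf.d/*.conf;` appears in only one column and the `include /etc/nginx/http.d/*.conf;` line is commented out on the new side, so only `/config/nginx/site-confs/*.conf` is pulled into the http block; check that nothing the current image ships under those two paths is expected to load. The long `Basic Settings`/`Gzip Settings`/commented `mail` block cannot be assigned to a column from this rendering, but wherever `gzip on;` ends up active for the TLS hosts, restrict it to static content types, since compressing dynamic authenticated responses over TLS is a known side channel (BREACH).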


@ -1,48 +0,0 @@
## Version 2023/05/31
# make sure you set the following environment variables in your docker arguments
# CMD_DOMAIN=hedgedoc.server.com
# CMD_URL_ADDPORT=false
# CMD_PROTOCOL_USESSL=true
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name pad.*;
include /config/nginx/ssl.conf;
client_max_body_size 0;
# enable for ldap auth (requires ldap-location.conf in the location block)
#include /config/nginx/ldap-server.conf;
# enable for Authelia (requires authelia-location.conf in the location block)
#include /config/nginx/authelia-server.conf;
# enable for Authentik (requires authentik-location.conf in the location block)
#include /config/nginx/authentik-server.conf;
location / {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block)
#include /config/nginx/ldap-location.conf;
# enable for Authelia (requires authelia-server.conf in the server block)
#include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_app hedgedoc;
set $upstream_port 3000;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
}


@ -1,10 +1,9 @@
## Version 2023/05/31 ## Version 2021/05/18
# make sure that your lychee container is named lychee
# make sure that your dns has a cname set for lychee # make sure that your dns has a cname set for lychee
server { server {
listen 443 ssl http2; listen 443 ssl;
listen [::]:443 ssl http2; listen [::]:443 ssl;
server_name photos.*; server_name photos.*;
@ -12,29 +11,24 @@ server {
client_max_body_size 0; client_max_body_size 0;
# enable for ldap auth (requires ldap-location.conf in the location block) # enable for ldap auth, fill in ldap details in ldap.conf
#include /config/nginx/ldap-server.conf; #include /config/nginx/ldap.conf;
# enable for Authelia (requires authelia-location.conf in the location block) # enable for Authelia
#include /config/nginx/authelia-server.conf; #include /config/nginx/authelia-server.conf;
# enable for Authentik (requires authentik-location.conf in the location block)
#include /config/nginx/authentik-server.conf;
location / { location / {
# enable the next two lines for http auth # enable the next two lines for http auth
#auth_basic "Restricted"; #auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd; #auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block) # enable the next two lines for ldap auth
#include /config/nginx/ldap-location.conf; #auth_request /auth;
#error_page 401 =200 /ldaplogin;
# enable for Authelia (requires authelia-server.conf in the server block) # enable for Authelia
#include /config/nginx/authelia-location.conf; #include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;
include /config/nginx/proxy.conf; include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf; include /config/nginx/resolver.conf;
set $upstream_app lychee; set $upstream_app lychee;


@ -1,36 +0,0 @@
## Version 2021/05/18
# make sure that your dns has a cname set for nextcloud
# assuming this container is called "swag", edit your nextcloud container's config
# located at /config/www/nextcloud/config/config.php and add the following lines before the ");":
# 'trusted_proxies' => ['swag'],
# 'overwrite.cli.url' => 'https://nextcloud.your-domain.com/',
# 'overwritehost' => 'nextcloud.your-domain.com',
# 'overwriteprotocol' => 'https',
#
# Also don't forget to add your domain name to the trusted domains array. It should look somewhat like this:
# array (
# 0 => '192.168.0.1:444', # This line may look different on your setup, don't modify it.
# 1 => 'nextcloud.your-domain.com',
# ),
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name kdoc.*;
include /config/nginx/ssl.conf;
client_max_body_size 0;
location / {
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_app nextcloud;
set $upstream_port 443;
set $upstream_proto https;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
proxy_max_temp_file_size 2048m;
}
}


@ -1,45 +0,0 @@
## Version 2024/07/16
# make sure that your nocodb container is named nocodb
# make sure that your dns has a cname set for nocodb
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name db.*;
include /config/nginx/ssl.conf;
client_max_body_size 0;
# enable for ldap auth (requires ldap-location.conf in the location block)
#include /config/nginx/ldap-server.conf;
# enable for Authelia (requires authelia-location.conf in the location block)
#include /config/nginx/authelia-server.conf;
# enable for Authentik (requires authentik-location.conf in the location block)
#include /config/nginx/authentik-server.conf;
location / {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block)
#include /config/nginx/ldap-location.conf;
# enable for Authelia (requires authelia-server.conf in the server block)
#include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_app nocodb;
set $upstream_port 8080;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
}


@ -1,63 +0,0 @@
## Version 2024/07/16
# REMOVE THIS LINE BEFORE SUBMITTING: The structure of the file (all of the existing lines) should be kept as close as possible to this template.
# REMOVE THIS LINE BEFORE SUBMITTING: Look through this file for <tags> and replace them. Review other sample files to see how things are done.
# REMOVE THIS LINE BEFORE SUBMITTING: The comment lines at the top of the file (below this line) should explain any prerequisites for using the proxy such as DNS or app settings.
# make sure that your <container_name> container is named <container_name>
# make sure that your dns has a cname set for <container_name>
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name task.*;
include /config/nginx/ssl.conf;
client_max_body_size 0;
# enable for ldap auth (requires ldap-location.conf in the location block)
#include /config/nginx/ldap-server.conf;
# enable for Authelia (requires authelia-location.conf in the location block)
#include /config/nginx/authelia-server.conf;
# enable for Authentik (requires authentik-location.conf in the location block)
#include /config/nginx/authentik-server.conf;
location / {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block)
#include /config/nginx/ldap-location.conf;
# enable for Authelia (requires authelia-server.conf in the server block)
#include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_app taskchampion;
set $upstream_port 8080;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
# REMOVE THIS LINE BEFORE SUBMITTING: Additional proxy settings such as headers go below this line, leave the blank line above.
}
# REMOVE THIS LINE BEFORE SUBMITTING: Some proxies require one or more additional location blocks for things like API or RPC endpoints.
# REMOVE THIS LINE BEFORE SUBMITTING: If the proxy you are making a sample for does not require an additional location block please remove the commented out section below.
# location ~ (/<container_name>)?/api {
# include /config/nginx/proxy.conf;
# include /config/nginx/resolver.conf;
# set $upstream_app <container_name>;
# set $upstream_port <port_number>;
# set $upstream_proto <http or https>;
# proxy_pass $upstream_proto://$upstream_app:$upstream_port;
#
# # REMOVE THIS LINE BEFORE SUBMITTING: Additional proxy settings such as headers go below this line, leave the blank line above.
# }
}


@ -1,63 +0,0 @@
## Version 2024/07/16
# REMOVE THIS LINE BEFORE SUBMITTING: The structure of the file (all of the existing lines) should be kept as close as possible to this template.
# REMOVE THIS LINE BEFORE SUBMITTING: Look through this file for <tags> and replace them. Review other sample files to see how things are done.
# REMOVE THIS LINE BEFORE SUBMITTING: The comment lines at the top of the file (below this line) should explain any prerequisites for using the proxy such as DNS or app settings.
# make sure that your <container_name> container is named <container_name>
# make sure that your dns has a cname set for <container_name>
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name todo.*;
include /config/nginx/ssl.conf;
client_max_body_size 0;
# enable for ldap auth (requires ldap-location.conf in the location block)
#include /config/nginx/ldap-server.conf;
# enable for Authelia (requires authelia-location.conf in the location block)
#include /config/nginx/authelia-server.conf;
# enable for Authentik (requires authentik-location.conf in the location block)
#include /config/nginx/authentik-server.conf;
location / {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block)
#include /config/nginx/ldap-location.conf;
# enable for Authelia (requires authelia-server.conf in the server block)
#include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_app vikunja;
set $upstream_port 3456;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
# REMOVE THIS LINE BEFORE SUBMITTING: Additional proxy settings such as headers go below this line, leave the blank line above.
}
# REMOVE THIS LINE BEFORE SUBMITTING: Some proxies require one or more additional location blocks for things like API or RPC endpoints.
# REMOVE THIS LINE BEFORE SUBMITTING: If the proxy you are making a sample for does not require an additional location block please remove the commented out section below.
# location ~ (/<container_name>)?/api {
# include /config/nginx/proxy.conf;
# include /config/nginx/resolver.conf;
# set $upstream_app <container_name>;
# set $upstream_port <port_number>;
# set $upstream_proto <http or https>;
# proxy_pass $upstream_proto://$upstream_app:$upstream_port;
#
# # REMOVE THIS LINE BEFORE SUBMITTING: Additional proxy settings such as headers go below this line, leave the blank line above.
# }
}


@ -1,4 +1,4 @@
## Version 2023/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/proxy.conf.sample ## Version 2021/10/26 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf
# Timeout if the real server is dead # Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
@ -26,13 +26,6 @@ proxy_set_header Proxy "";
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Method $request_method; proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Ssl on; proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
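Review bot: The new side of the second hunk hard-codes `proxy_set_header X-Forwarded-Proto https;` and drops `X-Forwarded-Method`, `X-Forwarded-Port`, `X-Forwarded-Uri` and `X-Original-URL`. With every server block listening only on 443 ssl the literal is equivalent to `$scheme`, but the dropped headers are, as far as I can tell, the ones the Authelia/Authentik forward-auth snippets referenced from the proxy-confs rely on, so enabling those commented-out includes later will fail every auth_request until they are restored. If this is a deliberate rollback to the 2021 template, a comment at the top of the file naming the swag release it was taken from would stop the next update from reintroducing the mismatch. Both hunks are excerpts; the rest of proxy.conf is outside this view.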


@ -1,85 +0,0 @@
## Version 2024/03/06 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample
# redirect all traffic to https
server {
listen 80 default_server;
listen [::]:80 default_server;
location / {
return 301 https://$host$request_uri;
}
}
# main server block
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name _;
include /config/nginx/ssl.conf;
root /config/www;
index index.html index.htm index.php;
# enable subfolder method reverse proxy confs
include /config/nginx/proxy-confs/*.subfolder.conf;
# enable for ldap auth (requires ldap-location.conf in the location block)
#include /config/nginx/ldap-server.conf;
# enable for Authelia (requires authelia-location.conf in the location block)
#include /config/nginx/authelia-server.conf;
# enable for Authentik (requires authentik-location.conf in the location block)
#include /config/nginx/authentik-server.conf;
location / {
# enable for basic auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block)
#include /config/nginx/ldap-location.conf;
# enable for Authelia (requires authelia-server.conf in the server block)
#include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;
try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args;
}
location ~ ^(.+\.php)(.*)$ {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block)
#include /config/nginx/ldap-location.conf;
# enable for Authelia (requires authelia-server.conf in the server block)
#include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;
fastcgi_split_path_info ^(.+\.php)(.*)$;
if (!-f $document_root$fastcgi_script_name) { return 404; }
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
}
# deny access to .htaccess/.htpasswd files
location ~ /\.ht {
deny all;
}
}
# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;


@ -1,40 +1,46 @@
## Version 2023/08/13 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/ssl.conf.sample ## Version 2021/09/19 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ssl.conf
### Mozilla Recommendations ### Mozilla Recommendations
# generated 2023-06-25, Mozilla Guideline v5.7, nginx 1.24.0, OpenSSL 3.1.1, intermediate configuration # generated 2020-06-17, Mozilla Guideline v5.4, nginx 1.18.0-r0, OpenSSL 1.1.1g-r0, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.24.0&config=intermediate&openssl=3.1.1&guideline=5.7 # https://ssl-config.mozilla.org/#server=nginx&version=1.18.0-r0&config=intermediate&openssl=1.1.1g-r0&guideline=5.4
ssl_certificate /config/keys/cert.crt;
ssl_certificate_key /config/keys/cert.key;
ssl_session_timeout 1d; ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off; ssl_session_tickets off;
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
ssl_dhparam /config/nginx/dhparams.pem;
# intermediate configuration # intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off; ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
#add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP stapling # OCSP stapling
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
### Linuxserver.io Defaults
# Certificates
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs # verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /config/keys/cert.crt; ssl_trusted_certificate /config/keys/letsencrypt/fullchain.pem;
# Diffie-Hellman Parameters
ssl_dhparam /config/nginx/dhparams.pem;
# Enable TLS 1.3 early data
ssl_early_data on;
# HSTS, remove # from the line below to enable HSTS
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# Optional additional headers # Optional additional headers
#add_header Cache-Control "no-transform" always; #add_header Cache-Control "no-transform" always;
#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'" always; #add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'";
#add_header Permissions-Policy "interest-cohort=()" always; #add_header Permissions-Policy "interest-cohort=()";
#add_header Referrer-Policy "same-origin" always; #add_header Referrer-Policy "same-origin" always;
#add_header X-Content-Type-Options "nosniff" always; #add_header X-Content-Type-Options "nosniff" always;
#add_header X-Frame-Options "SAMEORIGIN" always; #add_header X-Frame-Options "SAMEORIGIN" always;
#add_header X-UA-Compatible "IE=Edge" always; #add_header X-UA-Compatible "IE=Edge" always;
#add_header X-XSS-Protection "1; mode=block" always; #add_header X-XSS-Protection "1; mode=block" always;
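Review bot: The new side enables TLS 1.3 0-RTT with `ssl_early_data on;`, and requests sent as early data can be replayed by an on-path observer; nginx's own documentation for this directive says the application must be told via `$ssl_early_data` so it can reject replayed non-idempotent requests, and nothing in the visible proxy.conf hunks sets `proxy_set_header Early-Data $ssl_early_data;`. Either drop `ssl_early_data on;` or add that header to proxy.conf so upstreams such as the WebDAV endpoints can refuse early-data writes. HSTS also stays commented out on the new side (`#add_header Strict-Transport-Security ...`), so first-contact downgrade remains possible; if that is intentional a one-line comment saying why would help the next reader.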

Binary file not shown.

13
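--- /dev/null
+++ b/taskserver/Dockerfile
@@ -0,0 +1,13 @@
+FROM ghcr.io/linuxserver/baseimage-alpine:3.16
+RUN apk --no-cache add taskd
+ENV TASKDDATA=/var/taskd
+VOLUME /var/taskd
+COPY root/ /
+VOLUME /ssl_certs/ /client_certs/
+EXPOSE 53589
+ENTRYPOINT ["/init"]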
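Review bot: `RUN apk --no-cache add taskd` installs whatever taskd build the 3.16 repository serves on the day of the build, and the base image is referenced by tag only, so two builds of this file can differ without any change to it. Pin the package (`apk --no-cache add taskd=<version from apk search>`) and, where reproducibility matters, the base image by digest (`FROM ghcr.io/linuxserver/baseimage-alpine:3.16@sha256:<digest placeholder>`). The 3.16 line is also an old Alpine release; once it reaches end of life the image keeps building but stops receiving package security fixes, which is worth a comment next to the FROM line.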

22
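--- /dev/null
+++ b/taskserver/README.md
@@ -0,0 +1,22 @@
+# Taskserver
+Written with the help of
+<https://github.com/coaxial/docker-taskd-service>.
+## Certs renewal
+*do we need to remove volumes?:*
+```shell
+docker volume rm docker_taskserver-certs docker_taskserver-data
+```
+Once a year recreate the container and copy the `client_certs` dir! On
+the client:
+```shell
+scp -r florent@dm.guiotte.fr:~/docker/taskserver/client_certs/* ~/.config/task/certs
+task config taskd.credentials -- watch/user/$(cat ~/.config/task/certs/user-uuid)
+task sync init
+```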


@ -0,0 +1,20 @@
#!/usr/bin/with-contenv sh
#shellsheck shell=sh
printf "Installing the certificate generator\n"
apk --no-cache add curl gnutls-utils
mkdir -p /opt/src/taskd
# get a copy of the repo wich also contains the certificate generation scripts
curl -sSL https://api.github.com/repos/gothenburgbitfactory/taskserver/tarball/master -o /tmp/taskd.tar.gz
tar xzf /tmp/taskd.tar.gz -C /opt/src/taskd --strip 1
# set the variables for the certs to be generated (as defined in
# taskserver.env)
{
echo "BITS=$TASKD_CERT_BITS";
echo "EXPIRATION_DAYS=$TASKD_CERT_EXPIRATION_DAYS";
echo "ORGANIZATION=\"$TASKD_CERT_ORGANIZATION\"";
echo "CN=$(hostname -f)";
echo "COUNTRY=$TASKD_CERT_COUNTRY";
echo "STATE=\"$TASKD_CERT_STATE\"";
echo "LOCALITY=\"$TASKD_CERT_LOCALITY\"";
} > /opt/src/taskd/pki/vars
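Review bot: The tarball is fetched from the `master` branch of the taskserver repository at every container initialization with no pinned revision and no checksum, so the scripts that later mint the CA, server and client certificates (`./generate`, `./generate.client`) are whatever that branch holds on the day the container starts. Pin a tag or commit in the URL and verify a known digest after download, e.g. `curl -sSfL "https://api.github.com/repos/gothenburgbitfactory/taskserver/tarball/<pinned tag or commit>" -o /tmp/taskd.tar.gz` followed by `echo "<expected sha256 placeholder>  /tmp/taskd.tar.gz" | sha256sum -c -`. Without `-f`, `curl -sSL` writes an HTML error body into taskd.tar.gz on a 4xx/5xx response and the script carries on, since there is no `set -e`. Minor: the directive on the second line is misspelled (`#shellsheck`), so shellcheck ignores it.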


@ -0,0 +1,20 @@
#!/usr/bin/with-contenv sh
#shellcheck shell=sh
if [ -s "$TASKDDATA/ca.cert.pem" ]; then
printf "Server certificates found, not generating any.\n"
else
# Use the generate script to make the CA and server certificates
printf "No server certificates found, generating them...\n"
cd /opt/src/taskd/pki || exit 1
./generate
# move generated certs to volumes so they're not lost when the container is
# destroyed, and so that they can be accessed from other containers if needed
cp ./client.key.pem /ssl_certs/
cp ./client.cert.pem /ssl_certs/
cp ./server.key.pem /ssl_certs/
cp ./server.cert.pem /ssl_certs/
cp ./ca.key.pem /ssl_certs/
cp ./ca.cert.pem /ssl_certs/
cp ./ca.cert.pem /client_certs/
fi
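Review bot: `cp ./ca.key.pem /ssl_certs/` places the CA private key in the shared `/ssl_certs` volume next to the server and client keys; anything that mounts that volume can then issue client certificates this taskd instance will trust. If the key must survive container recreation, keep it in a directory of its own with a restrictive mode rather than alongside the material other containers may need, and say in the comment which step (`./generate.client` in the next script) actually consumes it. `./generate` is also run without checking its exit status and there is no `set -e`, so a failed generation falls through to seven `cp` calls on missing files and the container starts without certificates; the same applies to `./generate.client "$TASKD_USERNAME"` in the following section, e.g. `./generate || exit 1`.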


@ -0,0 +1,15 @@
#!/usr/bin/with-contenv sh
#shellcheck shell=sh
if [ -s "$TASKDDATA/$TASKD_USERNAME.cert.pem" ]; then
printf "User certificate for %s found, not generating again\n" "$TASKD_USERNAME"
else
# Now we generate the user certificate that will go on the client machine
printf "No certificate found for %s, generating user certificate...\n" "$TASKD_USERNAME"
cd /opt/src/taskd/pki || exit 1
./generate.client "$TASKD_USERNAME"
# move cert and key to a volume so they're not lost when the container is
# removed and so that they're accessible outside the taskd container
cp "$TASKD_USERNAME".cert.pem /client_certs/"$TASKD_USERNAME".cert.pem
cp "$TASKD_USERNAME".key.pem /client_certs/"$TASKD_USERNAME".key.pem
fi


@ -0,0 +1,29 @@
#!/usr/bin/with-contenv sh
#shellcheck shell=sh
# Regroup all certificates where taskd will look for them
if [ -s "$TASKDDATA/server.cert.pem" ]; then
printf "Server certificates found in %s, not overwriting\n" "$TASKDDATA"
# put the certs in the ssl_certs volume to avoid mismatch between /ssl_certs
# and the ones the server is using
cp "$TASKDDATA/server.key.pem" /ssl_certs
cp "$TASKDDATA/server.cert.pem" /ssl_certs
else
printf "No server certificates in %s, copying them over...\n" "$TASKDDATA"
cp /ssl_certs/server.key.pem "$TASKDDATA"
cp /ssl_certs/server.cert.pem "$TASKDDATA"
fi
if [ -s "$TASKDDATA/$TASKD_USERNAME.cert.pem" ]; then
printf "Client certificates for user %s found in %s, not overwriting\n" "$TASKD_USERNAME" "$TASKDDATA"
# put the certs in the client_certs volume to avoid mismatch between
# /client_certs and the ones the server is using
cp "$TASKDDATA/ca.cert.pem" /client_certs
cp "$TASKDDATA/$TASKD_USERNAME.key.pem" /client_certs
cp "$TASKDDATA/$TASKD_USERNAME.cert.pem" /client_certs
else
printf "No certificates for user %s in %s, copying them over...\n" "$TASKD_USERNAME" "$TASKDDATA"
cp /client_certs/ca.cert.pem "$TASKDDATA"
cp "/client_certs/$TASKD_USERNAME.key.pem" "$TASKDDATA"
cp "/client_certs/$TASKD_USERNAME.cert.pem" "$TASKDDATA"
fi
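Review bot: The "already generated" checks across this chain use different sentinel files: the generation step keys on `$TASKDDATA/ca.cert.pem`, this script on `$TASKDDATA/server.cert.pem` and `$TASKDDATA/$TASKD_USERNAME.cert.pem`, and `ca.cert.pem` only reaches `$TASKDDATA` through the client branch at the bottom. A first boot interrupted between the two scripts can therefore leave the volumes disagreeing on whether certificates exist, and the next start may regenerate a CA while this script copies the old server certificate back over it. Using one sentinel everywhere, or testing every file a branch relies on (`[ -s "$TASKDDATA/ca.cert.pem" ] && [ -s "$TASKDDATA/server.cert.pem" ]`), would make the decision consistent; the run order of these init scripts is inferred from their content rather than visible here.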


@ -0,0 +1,43 @@
#!/usr/bin/with-contenv sh
#shellcheck shell=sh
# with help from https://blog.polettix.it/setup-a-taskwarrior-server/
# if we already have a config file, we don't want to overwrite it
if [ -s "$TASKDDATA/config" ]; then
printf "%s/config file found, skipping bootstrap\n" "$TASKDDATA"
else
printf "%s/config file not found, bootstrapping taskd\n" "$TASKDDATA"
# configure taskd, create the organization and user
taskd init
touch "$TASKDDATA/taskd.log"
touch "$TASKDDATA/taskd.pid"
chown taskd "$TASKDDATA/taskd.log"
chown taskd "$TASKDDATA/taskd.pid"
taskd config --force server "$(hostname -f):53589"
taskd config --force log "$TASKDDATA"/taskd.log
taskd config --force pid.file "$TASKDDATA"/taskd.pid
taskd config --force server.key "$TASKDDATA"/server.key.pem
taskd config --force server.cert "$TASKDDATA"/server.cert.pem
taskd config --force server.crl "$TASKDDATA"/server.crl.pem
taskd config --force ca.cert "$TASKDDATA"/ca.cert.pem
fi
if find "$TASKDDATA/orgs" -name "$TASKD_ORGNAME" | grep "$TASKD_ORGNAME"; then
printf "Organization %s found, not regenerating it\n" "$TASKD_ORGNAME"
else
printf "Organization %s not found, generating it...\n" "$TASKD_ORGNAME"
taskd add org "$TASKD_ORGNAME"
fi
if grep -qrw "$TASKDDATA/orgs/$TASKD_ORGNAME/users" -e "user=$TASKD_USERNAME"; then
printf "User %s already exists, not recreating it\n" "$TASKD_USERNAME"
# extract the UUID anyway
grep -rw "$TASKDDATA/orgs/$TASKD_ORGNAME/users" -e "user=$TASKD_USERNAME" | sed '/.*\([0-9a-f\-]\{36\}\).*/!d;s//\1/g' > /client_certs/"$TASKD_USERNAME-uuid"
else
printf "User %s didn't exist, creating it...\n" "$TASKD_USERNAME"
# use tee to still write to stdout but also save output to file
taskd add user "$TASKD_ORGNAME" "$TASKD_USERNAME" | tee /client_certs/"$TASKD_USERNAME-uuid"
# now remove the rest of the output and only keep the uuid, useful for
# configuring taskwarrior on the client machine
sed -i '/.*\([0-9a-f\-]\{36\}\)/!d;s//\1/g' /client_certs/"$TASKD_USERNAME-uuid"
fi
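Review bot: `taskd config --force server.crl "$TASKDDATA"/server.crl.pem` points taskd at a CRL that none of the certificate scripts in this change copy into `$TASKDDATA` (only `server.key.pem`, `server.cert.pem`, `ca.cert.pem` and the user pair are moved there), so unless taskd tolerates a missing CRL the server will refuse to start; either copy `server.crl.pem` alongside the server certificate or drop the setting and note why in a comment. The org check `find ... | grep "$TASKD_ORGNAME"` prints the matched path to the console and turns the exact `-name` match into a substring test; `find "$TASKDDATA/orgs" -name "$TASKD_ORGNAME" | grep -q .` keeps the exact-name semantics and stays quiet. The two `sed` patterns that extract the UUID differ in whether text after the UUID is dropped (`\).*/` in the existing-user branch, `\)/` in the new-user branch); a shared pattern or a comment would keep them from drifting further.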


@ -0,0 +1,8 @@
#!/usr/bin/with-contenv sh
#shellcheck shell=sh
# make the taskd data dir rw for the user running taskd
chown -R taskd:taskd "$TASKDDATA"
# make client certs readable for every user to work around UID and GID mapping
# inconsistencies across hosts
chmod +r /client_certs/*
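Review bot: `chmod +r /client_certs/*` makes every file in the volume readable by all users, and that volume holds `$TASKD_USERNAME.key.pem` (copied there by the generation step), which together with the certificate and UUID in the same directory is the complete credential for syncing as that user. Limit the relaxation to the public artefacts and keep the key restricted, e.g. `chmod +r /client_certs/*.cert.pem /client_certs/*-uuid` and `chmod o-rwx /client_certs/*.key.pem`, and state in the comment which host UID/GID is meant to read the key instead of working around the mapping with a world-readable mode.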


@ -0,0 +1,6 @@
#!/usr/bin/with-contenv sh
#shellcheck shell=sh
# some debug info, useful when running CI tests mostly
s6-setuidgid taskd taskd diagnostics
ls -clash "$TASKDDATA"


@ -0,0 +1,5 @@
#!/usr/bin/with-contenv sh
#shellcheck shell=sh
# write a copy of the log in the container's console for easier monitoring/inspection
exec tail -F "$TASKDDATA/taskd.log"


@ -0,0 +1,5 @@
#!/usr/bin/with-contenv sh
#shellcheck shell=sh
# user taskd will run the taskserver, running as root is asking for trouble
exec s6-setuidgid taskd taskd server

BIN
taskserver/taskserver.env Normal file

Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -1,5 +0,0 @@
keys
.migrations
log
nginx
php

Binary file not shown.


@ -1,17 +0,0 @@
server {
listen 80;
client_max_body_size 0;
location / {
root /data;
dav_methods PUT DELETE MOVE;
dav_ext_methods PROPFIND OPTIONS;
dav_access user:rw group:rw all:r;
auth_basic "Restricted";
auth_basic_user_file /config/nginx/htpasswd;
}
}