remove taskserver

.gitattributes

@@ -4,3 +4,7 @@ ddclient/ddclient.conf filter=git-crypt diff=git-crypt
 *.pem filter=git-crypt diff=git-crypt
 *.env filter=git-crypt diff=git-crypt
 *.override.yml filter=git-crypt diff=git-crypt
+*.secret filter=git-crypt diff=git-crypt
+htpasswd filter=git-crypt diff=git-crypt
+id_rsa filter=git-crypt diff=git-crypt
+.env filter=git-crypt diff=git-crypt

README.md

@@ -6,6 +6,15 @@
 
 ## Setup
 
+Setup DNS server for docker in `/etc/docker/daemon.json`:
+
+```config
+{
+	"data-root": "/home/docker",
+	"dns": ["1.1.1.1", "8.8.8.8", "8.8.4.4"]
+}
+```
+
 Once DNS are properly setup on host:
 
 1. Create OVH token : <https://www.ovh.com/auth/api/createToken>
@@ -14,19 +23,45 @@ Once DNS are properly setup on host:
 
 ### Services
 
-#### Flood
-
-- Socket: `/config/.local/share/rtorrent/rtorrent.sock`
-
 ## Create a new service
 
 1. Add the service in `docker-compose.yml`
-2. Create the DynHost <https://www.ovh.com/manager/#/web/domain/guiotte.fr/dynhost>
+2. Create the DynHost and id  <https://www.ovh.com/manager/#/web/domain/guiotte.fr/dynhost>
 3. Add the host in the DDclient configuration `./ddclient/ddclient.conf`
 4. Add the nginx proxy configuration in `./swag/nginx/proxy-confs/`
 5. Update the local zone in `./bind9/guiotte.db`
 6. Restart `bind9` and `swag`: `dcc restart bind9 swag`
 
+## Update MariaDB
+
+After upgrading from one major MySQL/MariaDB release to another, we have to run `mariadb-upgrade` on the services using MariaDB.
+
+### Lychee
+
+```bash
+dcc stop lychee
+dcc exec lychee-db mariadb-upgrade -u root -p"$(cat lychee-db-root-pw.secret)"
+dcc restart lychee-db
+dcc up -d lychee
+```
+
+### Nextcloud
+
+```bash
+dcc stop nextcloud
+dcc exec nextcloud-db mariadb-upgrade -u root -p"$(cat nextcloud-db-root-pw.secret)"
+dcc restart nextcloud-db
+dcc up -d nextcloud
+```
+
+## Backup
+
+To backup the named volumes, run:
+
+```shell
+./backup.py
+```
+
 ## Logs
 
     2022-11-02 Created OVH token

backup.py

@@ -0,0 +1,110 @@
+#!/usr/bin/env python
+# file backup.py
+# author Florent Guiotte <florent.guiotte@irisa.fr>
+# version 0.0
+# date 10 août 2024
+"""Abstract
+
+doc.
+"""
+
+import yaml
+from pathlib import Path
+import subprocess
+from datetime import datetime
+
+
+COMPOSE_PATH = Path('docker-compose.yml')
+BACKUP_PATH = Path('./data/bkp')
+VOLUME_PREFIX = 'docker_'
+
+
+class UnionFind:
+    def __init__(self):
+        self.parent = {}
+
+    def make(self, service):
+        self.parent.setdefault(service, service)
+
+    def find(self, service):
+        """return root"""
+        if self.parent[service] != service:
+            self.parent[service] = self.find(self.parent[service])
+
+        return self.parent[service]
+
+    def union(self, service1, service2):
+        root1 = self.find(service1)
+        root2 = self.find(service2)
+        if root1 != root2:
+            self.parent[root2] = root1 # compress!
+
+def build_services_graph(services):
+    uf = UnionFind()
+
+    for service in services:
+        uf.make(service)
+        for dependency in services[service].get('depends_on', []):
+            uf.make(dependency)
+            uf.union(service, dependency)
+
+    return uf
+
+def group_services(services, graph):
+    grouped_services = {}
+    for service in services:
+        root = graph.find(service)
+        if root not in grouped_services:
+            grouped_services[root] = {'services': []}
+        grouped_services[root]['services'].append(service)
+
+    return grouped_services
+
+
+def group_volumes(services, volumes, services_group):
+    for group_name, group in services_group.items():
+        group_volumes = group.setdefault('volumes', [])
+        for service in group['services']:
+            for volume in [v.split(':')[0] for v in services[service]['volumes']]:
+                if volume in volumes: group_volumes += [volume]
+
+    return services_group
+
+def backup(volume):
+    current_date = datetime.now()
+    date_string = current_date.strftime("%Y-%m-%d")
+    archive_name = f'{date_string}_{volume}.tar'
+    print(f'backup volume {volume} to {BACKUP_PATH}/{archive_name}')
+
+    subprocess.run(f'docker run --rm --volume {VOLUME_PREFIX}{volume}:/data --volume {BACKUP_PATH.resolve()}:/bkp ubuntu tar -cf /bkp/{archive_name} -C /data .'.split())
+
+
+def run_docker_compose(cmd):
+    subprocess.run(f'docker compose {cmd}'.split())
+
+
+if __name__ == '__main__':
+    with COMPOSE_PATH.open() as cf:
+        compose = yaml.safe_load(cf)
+
+    services = compose['services']
+    volumes = compose['volumes']
+
+
+    services_graph = build_services_graph(services)
+    services_group = group_services(services, services_graph)
+    services_group = group_volumes(services, volumes, services_group)
+
+    for group_name, group in services_group.items():
+        print(f'Service group {group_name} ', end='')
+
+        if not group['volumes']:
+            print('no volumes')
+            continue
+
+        print('run backup...')
+
+        run_docker_compose(f'stop {" ".join(group["services"])}')
+        for volume in group['volumes']:
+            backup(volume)
+        run_docker_compose(f'start {" ".join(group["services"])}')

bind9/guiotte.db

@@ -20,3 +20,12 @@ dm.guiotte.fr.     IN  A       192.168.1.2
 money.guiotte.fr.  IN  CNAME   dm.guiotte.fr.
 photos.guiotte.fr. IN  CNAME   dm.guiotte.fr.
 dl.guiotte.fr.     IN  CNAME   dm.guiotte.fr.
+kdoc.guiotte.fr.   IN  CNAME   dm.guiotte.fr.
+sync.guiotte.fr.   IN  CNAME   dm.guiotte.fr.
+pad.guiotte.fr.    IN  CNAME   dm.guiotte.fr.
+home.guiotte.fr.   IN  CNAME   dm.guiotte.fr.
+zotero.guiotte.fr. IN  CNAME   dm.guiotte.fr.
+git.guiotte.fr.    IN  CNAME   dm.guiotte.fr.
+db.guiotte.fr.     IN  CNAME   dm.guiotte.fr.
+flix.guiotte.fr.   IN  CNAME   dm.guiotte.fr.
+task.guiotte.fr.   IN  CNAME   dm.guiotte.fr.

bind9/lan.db

@@ -22,6 +22,7 @@ jus.lan.          IN  A       192.168.1.6
 
 tcw.lan.          IN  A       192.168.1.8
 silk.lan.         IN  A       192.168.1.9
+ror.lan.          IN  A       192.168.1.10
 
 drmanhattan.lan.      IN  CNAME   dm.lan.
 ozymandias.lan.       IN  CNAME   ozy.lan.
@@ -30,5 +31,6 @@ ozymandias.lan.       IN  CNAME   ozy.lan.
 silhouette.lan.       IN  CNAME   sil.lan.
 justice.lan.          IN  CNAME   jus.lan.
 thecomedian-wifi.lan. IN  CNAME   tcw.lan.  
+rorschach.lan.        IN  CNAME   ror.lan.
 
 kodi.lan.             IN  CNAME   jus.lan.

docker-compose.yml

@@ -1,12 +1,10 @@
-version: '3.4'
-
 x-common-environment: &common-environment
   PUID: 1000
   PGID: 1000
   TZ: Europe/Helsinki
 
-services:
 
+services:
   bind9:
     image: ubuntu/bind9:9.18-22.04_beta
     container_name: bind9
@@ -20,6 +18,7 @@ services:
     ports:
       - "53:53/udp"
 
+
   swag:
     image: lscr.io/linuxserver/swag
     container_name: swag
@@ -39,6 +38,7 @@ services:
       - 443:443
       - 80:80
 
+
   ddclient:
     image: lscr.io/linuxserver/ddclient:latest
     container_name: ddclient
@@ -46,6 +46,8 @@ services:
     environment: *common-environment
     volumes:
       - ./ddclient:/config
+      - ddclient-cache:/run/ddclient-cache
+      #- ddclient-cache:/var/cache/ddclient
 
   money:
     image: ihatemoney/ihatemoney
@@ -64,16 +66,23 @@ services:
     container_name: transmission
     environment:
       <<: *common-environment
+      FILE__USER: /run/secrets/transmission-user
+      FILE__PASS: /run/secrets/transmission-pw
     volumes:
       - transmission-config:/config
-      - /mnt/storage/download:/downloads
-      - /mnt/storage/download/torrent:/watch
+      - /storage/@media/download:/downloads
+      - /storage/@media/download/torrent:/watch
+      - ./transmission/eodl.sh:/eodl.sh
     ports:
       - 9091:9091
       - 51413:51413
       - 51413:51413/udp
     restart: unless-stopped
+    secrets:
+      - transmission-user
+      - transmission-pw
 
+         
         # WIP
         #  radarr:
         #    image: lscr.io/linuxserver/radarr:latest
@@ -91,16 +100,47 @@ services:
         #    restart: unless-stopped
 
 
+  #jackett:
+  #  image: lscr.io/linuxserver/jackett:latest
+  #  container_name: jackett
+  #  environment:
+  #    <<: *common-environment
+  #    AUTO_UPDATE: true #optional
+  #    RUN_OPTS: #optional
+  #  volumes:
+  #    - jackett-config:/config
+  #    - /mnt/storage/media/dl:/downloads
+  #  ports:
+  #    - 9117:9117
+  #  restart: unless-stopped
+
+
+  #sonarr:
+  #  image: lscr.io/linuxserver/sonarr:latest
+  #  container_name: sonarr
+  #  environment: *common-environment
+  #  volumes:
+  #    - sonarr-config:/config
+  #    - /mnt/storage/media:/data
+  #    #- /mnt/storage/video/Films/:/movies
+  #    #- /mnt/storage/download/:/downloads
+  #  ports:
+  #    - 8989:8989
+  #  restart: unless-stopped
+
+
   syncthing:
     image: lscr.io/linuxserver/syncthing:latest
     container_name: syncthing
-    hostname: drmanhattan #optional
+    hostname: drmanhattan
     environment: *common-environment
     volumes:
       - ./syncthing:/config
-      - /mnt/storage/music/Florent:/music
+      - sync-notes:/notes
+      - sync-audrey:/audrey-sync
+      - ./data/signal-bkp:/signal-bkp
+      - ./data/audrey-projets:/audrey-projets
     ports:
-      #- 8384:8384
       - 22000:22000/tcp
       - 22000:22000/udp
       - 21027:21027/udp
@@ -115,10 +155,13 @@ services:
       - lychee-db:/config
     environment:
       <<: *common-environment
-      MYSQL_ROOT_PASSWORD: rootpassword
+      FILE__MYSQL_ROOT_PASSWORD: /run/secrets/lychee-db-root-pw
+      FILE__MYSQL_PASSWORD: /run/secrets/lychee-db-pw
       MYSQL_DATABASE: lychee
       MYSQL_USER: lychee
-      MYSQL_PASSWORD: dbpassword
+    secrets:
+      - lychee-db-root-pw
+      - lychee-db-pw
 
 
   lychee:
@@ -132,65 +175,306 @@ services:
       - lychee-pictures:/pictures
     environment:
       <<: *common-environment
+      FILE__DB_PASSWORD: /run/secrets/lychee-db-pw
       DB_HOST: lychee-db
+      DB_CONNECTION: mysql
       DB_USERNAME: lychee
-      DB_PASSWORD: dbpassword
       DB_DATABASE: lychee
       DB_PORT: 3306
+      APP_URL: https://photos.guiotte.fr
+      TRUSTED_PROXIES: 172.22.0.0/24
+    secrets:
+      - lychee-db-pw
 
-        # WIP
-        #  zotero:
-        #    #image: lscr.io/linuxserver/nginx:latest
-        #    #image: sashgorokhov/webdav
-        #    build: zotero
-        #    container_name: zotero
-        #    environment:
-        #      - PUID=1000
-        #      - PGID=1000
-        #      - TZ=Europe/Helsinki
-        #      - USERNAME=user
-        #      - PASSWORD=passwd
-        #    volumes:
-        #      - zotero-data:/data
-        #      #- zotero-data:/media
-        #    restart: unless-stopped
-        #    # https://github.com/linuxserver/docker-baseimage-alpine-nginx/blob/master/Dockerfile
-        #    # https://github.com/linuxserver/docker-nginx/blob/master/Dockerfile
-        #    # https://github.com/sashgorokhov/docker-nginx-webdav/blob/master/Dockerfile
-        #    # XXX: Missing "nginx-extra" in my build?
-    
 
-  taskserver:
-    build: taskserver
-    container_name: taskserver
-    hostname: dm.guiotte.fr
-    restart: always
+  zotero-sync:
+    image: lscr.io/linuxserver/nginx:latest
+    container_name: zotero-sync
     environment: *common-environment
-    env_file:
-      - taskserver/taskserver.env
+    volumes:
+      - ./zotero-sync:/config
+      - zotero-sync-data:/data
+    restart: unless-stopped
+
+
+  # Not in use anymore
+  # subdomain still activated though
+  #slides-notes:
+  #  build: slides-notes
+  #  container_name: slides-notes
+  #  restart: always
+  #  environment: *common-environment
+  #  volumes:
+  #    - ./slides-notes/slides:/app/slides
+
+
+  nextcloud:
+    image: lscr.io/linuxserver/nextcloud:latest
+    container_name: nextcloud
+    restart: unless-stopped
+    depends_on:
+      - nextcloud-db
+    environment: *common-environment
+    volumes:
+      - nextcloud-config:/config
+      - nextcloud-data:/data
+
+
+  nextcloud-db:
+    image: linuxserver/mariadb:latest
+    container_name: nextcloud-db
+    restart: unless-stopped
+    environment:
+      <<: *common-environment
+      FILE__MYSQL_ROOT_PASSWORD: /run/secrets/nextcloud-db-root-pw
+      FILE__MYSQL_PASSWORD: /run/secrets/nextcloud-db-pw
+      MYSQL_DATABASE: database
+      MYSQL_USER: user
+    volumes:
+      - nextcloud-db-config:/config
+    secrets:
+      - nextcloud-db-root-pw
+      - nextcloud-db-pw
+
+
+  hedgedoc:
+    image: lscr.io/linuxserver/hedgedoc:latest
+    container_name: hedgedoc
+    depends_on:
+      - hedgedoc-db
+    environment:
+      <<: *common-environment
+      DB_HOST: hedgedoc-db
+      DB_PORT: 3306
+      DB_USER: hedgedoc
+      DB_NAME: hedgedoc
+      FILE__DB_PASS: /run/secrets/hedgedoc-db-pw
+      CMD_DOMAIN: pad.guiotte.fr
+      CMD_PROTOCOL_USESSL: true
+      CMD_ALLOW_FREEURL: true
+      CMD_REQUIRE_FREEURL_AUTHENTICATION: true
+    volumes:
+      - hedgedoc-config:/config
+    restart: unless-stopped
+    secrets:
+      - hedgedoc-db-pw
+
+
+  hedgedoc-db:
+    image: lscr.io/linuxserver/mariadb:latest
+    container_name: hedgedoc-db
+    restart: unless-stopped
+    volumes:
+      - hedgedoc-db:/config
+    environment:
+      <<: *common-environment
+      FILE__MYSQL_ROOT_PASSWORD: /run/secrets/hedgedoc-db-root-pw
+      FILE__MYSQL_PASSWORD: /run/secrets/hedgedoc-db-pw
+      MYSQL_DATABASE: hedgedoc
+      MYSQL_USER: hedgedoc
+    secrets:
+      - hedgedoc-db-root-pw
+      - hedgedoc-db-pw
+
+
+  homeassistant:
+    image: lscr.io/linuxserver/homeassistant:latest
+    container_name: homeassistant
+    environment:
+      <<: *common-environment
+    volumes:
+      - homeassistant-config:/config
+    restart: unless-stopped
+  # NOTE: Temporarily disable zigbee and wifi iot 
+  #
+  #  devices:
+  #    - /dev/serial/by-id/usb-ITEAD_SONOFF_Zigbee_3.0_USB_Dongle_Plus_V2_20240219191913-if00:/dev/ttyACM0
+  #
+  #
+  #yee0:
+  #  build: ssh
+  #  container_name: yee0
+  #  volumes:
+  #    - ./ssh/id_rsa:/root/.ssh/id_rsa
+  #  environment:
+  #    - SSH_HOSTNAME=192.168.1.5
+  #    - SSH_USERNAME=alarm
+  #    - SSH_LOCAL_PORT=55443
+  #    - SSH_DESTINATION=10.0.0.100
+  #    - SSH_DESTINATION_PORT=55443
+  #      #ports:
+  #      #  - 55443:55443
+  #  restart: unless-stopped
+  #
+  #
+  #yee1:
+  #  build: ssh
+  #  container_name: yee1
+  #  volumes:
+  #    - ./ssh/id_rsa:/root/.ssh/id_rsa
+  #  environment:
+  #    - SSH_HOSTNAME=192.168.1.5
+  #    - SSH_USERNAME=alarm
+  #    - SSH_LOCAL_PORT=55443
+  #    - SSH_DESTINATION=10.0.0.101
+  #    - SSH_DESTINATION_PORT=55443
+  #      #ports:
+  #      #  - 55443:55443
+  #  restart: unless-stopped
+
+  gitea:
+    image: gitea/gitea:latest
+    #build: gitea
+    container_name: gitea
+    restart: unless-stopped
+    environment:
+      <<: *common-environment
+      GITEA__database__DB_TYPE: mysql
+      GITEA__database__HOST: gitea-db:3306
+      GITEA__database__NAME: gitea
+      GITEA__database__USER: gitea
+      GITEA__database__PASSWD: gitea
+      GITEA__service__DISABLE_REGISTRATION: true
+      GITEA__server__DOMAIN: git.guiotte.fr
+      GITEA__server__SSH_DOMAIN: git.guiotte.fr
+      GITEA__server__LANDING_PAGE: explore
+    depends_on:
+      - gitea-db
+    volumes:
+      - gitea-data:/data
+
+
+  gitea-db:
+    image: linuxserver/mariadb:latest
+    container_name: gitea-db
+    restart: unless-stopped
+    environment:
+      <<: *common-environment
+      FILE__MYSQL_ROOT_PASSWORD: /run/secrets/gitea-db-root-pw
+      FILE__MYSQL_PASSWORD: /run/secrets/gitea-db-pw
+      MYSQL_DATABASE: gitea
+      MYSQL_USER: gitea
+    volumes:
+      - gitea-db:/config
+    secrets:
+      - gitea-db-root-pw
+      - gitea-db-pw
+
+
+  nocodb:
+    image: nocodb/nocodb:latest
+    container_name: nocodb
+    restart: unless-stopped
+    environment:
+      <<: *common-environment
+      NC_DB_JSON_FILE: /run/secrets/nocodb-json
+    volumes:
+      - nocodb-data:/usr/app/data
+    secrets:
+      - nocodb-json
+
+
+  nocodb-db:
+    image: linuxserver/mariadb:latest
+    container_name: nocodb-db
+    restart: unless-stopped
+    environment:
+      <<: *common-environment
+      FILE__MYSQL_ROOT_PASSWORD: /run/secrets/nocodb-db-root-pw
+      FILE__MYSQL_PASSWORD: /run/secrets/nocodb-db-pw
+      MYSQL_DATABASE: nocodb
+      MYSQL_USER: nocodb
+    volumes:
+      - nocodb-db:/config
+    secrets:
+      - nocodb-db-root-pw
+      - nocodb-db-pw
+
+
+  jellyfin:
+    image: lscr.io/linuxserver/jellyfin:latest
+    container_name: jellyfin
+    environment:
+      <<: *common-environment
+      JELLYFIN_PublishedServerUrl: https://flix.guiotte.fr
+    volumes:
+      - jellyfin-config:/config
+      - /storage/@media/video:/data/video
+      - /storage/@media/music:/data/music
     ports:
-      - "53589:53589"
-    volumes:
-      - taskserver-data:/var/taskd
-      - taskserver-certs:/ssl_certs
-      - ./taskserver/client_certs:/client_certs
+      - 7359:7359/udp #optional Allows clients to discover Jellyfin on the local network
+      - 1900:1900/udp #optional Service discovery used by DNLA and clients
+    restart: unless-stopped
+    devices:
+      - /dev/dri:/dev/dri
 
 
-  slides-notes:
-    build: slides-notes
-    container_name: slides-notes
-    restart: always
-    environment: *common-environment
+  taskchampion:
+    image: ghcr.io/gothenburgbitfactory/taskchampion-sync-server:latest
+    container_name: taskchampion
+    restart: unless-stopped
+    environment:
+      - "RUST_LOG=info" # Log every request
+      - "DATA_DIR=/taskchampion-data"
+      - "TASKCHAMPION_SYNC_SERVER_HOSTNAME=task.guiotte.fr"
+      - "TASKCHAMPION_SYNC_SERVER_CLIENT_ID=${TASKCHAMPION_SYNC_SERVER_CLIENT_ID}"
     volumes:
-      - ./slides-notes/slides:/app/slides
+      - taskchampion-data:/taskchampion-data
 
 
 volumes:
   money-data:
-  zotero-data:
   lychee-db:
   lychee-config:
   lychee-pictures:
   taskserver-data:
   taskserver-certs:
   transmission-config:
+  nextcloud-data:
+  nextcloud-config:
+  nextcloud-db-config:
+  ddclient-cache:
+  hedgedoc-config:
+  hedgedoc-db:
+  homeassistant-config:
+  zotero-sync-data:
+  gitea-data:
+  gitea-db:
+  sonarr-config:
+  jackett-config:
+  sync-audrey:
+  sync-notes:
+  nocodb:
+  nocodb-data:
+  nocodb-db:
+  jellyfin-config:
+  taskchampion-data:
+
+
+secrets:
+  lychee-db-root-pw:
+    file: lychee-db-root-pw.secret
+  lychee-db-pw:
+    file: lychee-db-pw.secret
+  nextcloud-db-root-pw:
+    file: nextcloud-db-root-pw.secret
+  nextcloud-db-pw:
+    file: nextcloud-db-pw.secret
+  transmission-user:
+    file: transmission-user.secret
+  transmission-pw:
+    file: transmission-pw.secret
+  hedgedoc-db-root-pw:
+    file: hedgedoc-db-root-pw.secret
+  hedgedoc-db-pw:
+    file: hedgedoc-db-pw.secret
+  gitea-db-root-pw:
+    file: gitea-db-root-pw.secret
+  gitea-db-pw:
+    file: gitea-db-pw.secret
+  nocodb-db-root-pw:
+    file: nocodb-db-root-pw.secret
+  nocodb-db-pw:
+    file: nocodb-db-pw.secret
+  nocodb-json:
+    file: nocodb-json.secret

flood/.rtorrent.rc

@@ -1,5 +0,0 @@
-## Import default configurations
-import = /etc/rtorrent/rtorrent.rc
-
-## Listening port
-network.port_range.set=6881-6881

ssh/Dockerfile

@@ -0,0 +1,25 @@
+FROM ghcr.io/linuxserver/baseimage-alpine:3.18
+
+# Install SSH client
+RUN \
+  apk add --no-cache \
+    openssh-client
+
+
+# Set volume for ssh key
+VOLUME /root/.ssh/id_rsa
+
+# Set default values for SSH tunnel configuration
+ENV SSH_HOSTNAME=server.example.com
+ENV SSH_USERNAME=username
+ENV SSH_DESTINATION=destination
+ENV SSH_DESTINATION_PORT=12345
+ENV SSH_LOCAL_PORT=12345
+
+ENTRYPOINT ssh \
+  -N -4 \
+  -L *:$SSH_LOCAL_PORT:$SSH_DESTINATION:$SSH_DESTINATION_PORT \
+  -l $SSH_USERNAME \
+  -o "StrictHostKeyChecking no" \
+  -o "UserKnownHostsFile /dev/null" \
+  $SSH_HOSTNAME

ssh/id_rsa.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCfkGAQYqBuWSSWvRPZ8lIUNLIKHG7u/gUpDn55cg8QWCKBDmmHd5zqbUNoNcyRZQCcdn9hX05ZuezkYMxEso2p6wz2Qv1Zqt8oZ9z49RcWCIiNNu1DZdyvMdoN9XkBTwSPOEaVurBGHchSiXmB/DI0/wg06L58et5w0MseR5sFKsKOzrQLFW1ZnaC3O9ueQmIiDyWM6zz0XkKWZ4qD7fUop/7sP0+FrhwhjQQziCduNXqBgOa9gHaKYqM0aLL7ZV68QGt/e3X6Wa+ojps6FZqeJL/QCxG1GmgNQzwq/I94/rEz3XzjgcpY0LBMLX0aw/U393q4nL/KFwrNBwvWDJPnmVo3J86x5MXnO0K3mpTxtb8+OyTGNA4t3XNwLy4ZfeYS5zqCUXAmOvMhFEJ75yy5UtYyt+0zQQq4gCDNxbIgqlHHq0sHgwxnW6EDgOxsPIuUiKc+BZIOZUOZqZy59cH+CixtpoW3sv1/RZPRcXWZPRpmXDMp/kY/gUV9z7bBMFs= florent@drmanhattan

swag/nginx/nginx.conf

@@ -1,4 +1,7 @@
-## Version 2022/01/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf
+## Version 2023/04/13 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/nginx.conf.sample
+
+### Based on alpine defaults
+# https://git.alpinelinux.org/aports/tree/main/nginx/nginx.conf?h=3.19-stable
 
 user abc;
 
@@ -14,11 +17,13 @@ error_log /config/log/nginx/error.log;
 # Includes files with directives to load dynamic modules.
 include /etc/nginx/modules/*.conf;
 
+# Include files with config snippets into the root context.
+include /etc/nginx/conf.d/*.conf;
+
 events {
     # The maximum number of simultaneous connections that can be opened by
     # a worker process.
     worker_connections 1024;
-    # multi_accept on;
 }
 
 http {
@@ -49,101 +54,29 @@ http {
     # instead of using partial frames. Default is 'off'.
     tcp_nopush on;
 
+    # all ssl related config moved to ssl.conf
+    # included in server blocks where listen 443 is defined
+
+    # Enable gzipping of responses.
+    #gzip on;
+
+    # Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
+    gzip_vary on;
+
     # Helper variable for proxying websockets.
     map $http_upgrade $connection_upgrade {
         default upgrade;
         '' close;
     }
 
-    # Saves unauthorized log messages to a separate log file
-    map $status $unauthorized {
-        default 0;
-        ~^401  1;
-    }
-    access_log /config/log/nginx/unauthorized.log combined if=$unauthorized;
-    
     # Sets the path, format, and configuration for a buffered log write.
     access_log /config/log/nginx/access.log;
 
     # Includes virtual hosts configs.
-    #include /etc/nginx/http.d/*.conf;
-
-    # WARNING: Don't use this directory for virtual hosts anymore.
-    # This include will be moved to the root context in Alpine 3.14.
-    #include /etc/nginx/conf.d/*.conf;
-
-
-    ##
-    # Basic Settings
-    ##
-
-    client_body_buffer_size 128k;
-    keepalive_timeout 65;
-    large_client_header_buffers 4 16k;
-    send_timeout 5m;
-    tcp_nodelay on;
-    types_hash_max_size 2048;
-    variables_hash_max_size 2048;
-    # server_names_hash_bucket_size 64;
-    # server_name_in_redirect off;
-
-    ##
-    # Gzip Settings
-    ##
-
-    gzip on;
-    gzip_disable "msie6";
-    # gzip_vary on;
-    # gzip_proxied any;
-    # gzip_comp_level 6;
-    # gzip_buffers 16 8k;
-    # gzip_http_version 1.1;
-    # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
-
-    ##
-    # nginx-naxsi config
-    ##
-    # Uncomment it if you installed nginx-naxsi
-    ##
-
-    #include /etc/nginx/naxsi_core.rules;
-
-    ##
-    # nginx-passenger config
-    ##
-    # Uncomment it if you installed nginx-passenger
-    ##
-
-    #passenger_root /usr;
-    #passenger_ruby /usr/bin/ruby;
-
-    ##
-    # Virtual Host Configs
-    ##
+    include /etc/nginx/http.d/*.conf;
     include /config/nginx/site-confs/*.conf;
-    #Removed lua. Do not remove this comment
 }
 
-#mail {
-#    # See sample authentication script at:
-#    # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
-#
-#    # auth_http localhost/auth.php;
-#    # pop3_capabilities "TOP" "USER";
-#    # imap_capabilities "IMAP4rev1" "UIDPLUS";
-#
-#    server {
-#        listen     localhost:110;
-#        protocol   pop3;
-#        proxy      on;
-#    }
-#
-#    server {
-#        listen     localhost:143;
-#        protocol   imap;
-#        proxy      on;
-#    }
-#}
-
 daemon off;
 pid /run/nginx.pid;
+

swag/nginx/proxy-confs/hedgedoc.subdomain.conf

@@ -0,0 +1,48 @@
+## Version 2023/05/31
+# make sure you set the following environment variables in your docker arguments
+# CMD_DOMAIN=hedgedoc.server.com
+# CMD_URL_ADDPORT=false
+# CMD_PROTOCOL_USESSL=true
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name pad.*;
+
+    include /config/nginx/ssl.conf;
+
+    client_max_body_size 0;
+
+    # enable for ldap auth (requires ldap-location.conf in the location block)
+    #include /config/nginx/ldap-server.conf;
+
+    # enable for Authelia (requires authelia-location.conf in the location block)
+    #include /config/nginx/authelia-server.conf;
+
+    # enable for Authentik (requires authentik-location.conf in the location block)
+    #include /config/nginx/authentik-server.conf;
+
+    location / {
+        # enable the next two lines for http auth
+        #auth_basic "Restricted";
+        #auth_basic_user_file /config/nginx/.htpasswd;
+
+        # enable for ldap auth (requires ldap-server.conf in the server block)
+        #include /config/nginx/ldap-location.conf;
+
+        # enable for Authelia (requires authelia-server.conf in the server block)
+        #include /config/nginx/authelia-location.conf;
+
+        # enable for Authentik (requires authentik-server.conf in the server block)
+        #include /config/nginx/authentik-location.conf;
+
+        include /config/nginx/proxy.conf;
+        include /config/nginx/resolver.conf;
+        set $upstream_app hedgedoc;
+        set $upstream_port 3000;
+        set $upstream_proto http;
+        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+    }
+}

swag/nginx/proxy-confs/lychee.subdomain.conf

@@ -1,9 +1,10 @@
-## Version 2021/05/18
+## Version 2023/05/31
+# make sure that your lychee container is named lychee
 # make sure that your dns has a cname set for lychee
 
 server {
-    listen 443 ssl;
-    listen [::]:443 ssl;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
 
     server_name photos.*;
 
@@ -11,24 +12,29 @@ server {
 
     client_max_body_size 0;
 
-    # enable for ldap auth, fill in ldap details in ldap.conf
-    #include /config/nginx/ldap.conf;
+    # enable for ldap auth (requires ldap-location.conf in the location block)
+    #include /config/nginx/ldap-server.conf;
 
-    # enable for Authelia
+    # enable for Authelia (requires authelia-location.conf in the location block)
     #include /config/nginx/authelia-server.conf;
 
+    # enable for Authentik (requires authentik-location.conf in the location block)
+    #include /config/nginx/authentik-server.conf;
+
     location / {
         # enable the next two lines for http auth
         #auth_basic "Restricted";
         #auth_basic_user_file /config/nginx/.htpasswd;
 
-        # enable the next two lines for ldap auth
-        #auth_request /auth;
-        #error_page 401 =200 /ldaplogin;
+        # enable for ldap auth (requires ldap-server.conf in the server block)
+        #include /config/nginx/ldap-location.conf;
 
-        # enable for Authelia
+        # enable for Authelia (requires authelia-server.conf in the server block)
         #include /config/nginx/authelia-location.conf;
 
+        # enable for Authentik (requires authentik-server.conf in the server block)
+        #include /config/nginx/authentik-location.conf;
+
         include /config/nginx/proxy.conf;
         include /config/nginx/resolver.conf;
         set $upstream_app lychee;

swag/nginx/proxy-confs/nextcloud.subdomain.conf

@@ -0,0 +1,36 @@
+## Version 2021/05/18
+# make sure that your dns has a cname set for nextcloud
+# assuming this container is called "swag", edit your nextcloud container's config
+# located at /config/www/nextcloud/config/config.php and add the following lines before the ");":
+#  'trusted_proxies' => ['swag'],
+#  'overwrite.cli.url' => 'https://nextcloud.your-domain.com/',
+#  'overwritehost' => 'nextcloud.your-domain.com',
+#  'overwriteprotocol' => 'https',
+#
+# Also don't forget to add your domain name to the trusted domains array. It should look somewhat like this:
+#  array (
+#    0 => '192.168.0.1:444', # This line may look different on your setup, don't modify it.
+#    1 => 'nextcloud.your-domain.com',
+#  ),
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    server_name kdoc.*;
+
+    include /config/nginx/ssl.conf;
+
+    client_max_body_size 0;
+
+    location / {
+        include /config/nginx/proxy.conf;
+        include /config/nginx/resolver.conf;
+        set $upstream_app nextcloud;
+        set $upstream_port 443;
+        set $upstream_proto https;
+        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+        proxy_max_temp_file_size 2048m;
+    }
+}

swag/nginx/proxy-confs/nocodb.subdomain.conf

@@ -0,0 +1,45 @@
+## Version 2024/07/16
+# make sure that your nocodb container is named nocodb
+# make sure that your dns has a cname set for nocodb
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    server_name db.*;
+
+    include /config/nginx/ssl.conf;
+
+    client_max_body_size 0;
+
+    # enable for ldap auth (requires ldap-location.conf in the location block)
+    #include /config/nginx/ldap-server.conf;
+
+    # enable for Authelia (requires authelia-location.conf in the location block)
+    #include /config/nginx/authelia-server.conf;
+
+    # enable for Authentik (requires authentik-location.conf in the location block)
+    #include /config/nginx/authentik-server.conf;
+
+    location / {
+        # enable the next two lines for http auth
+        #auth_basic "Restricted";
+        #auth_basic_user_file /config/nginx/.htpasswd;
+
+        # enable for ldap auth (requires ldap-server.conf in the server block)
+        #include /config/nginx/ldap-location.conf;
+
+        # enable for Authelia (requires authelia-server.conf in the server block)
+        #include /config/nginx/authelia-location.conf;
+
+        # enable for Authentik (requires authentik-server.conf in the server block)
+        #include /config/nginx/authentik-location.conf;
+
+        include /config/nginx/proxy.conf;
+        include /config/nginx/resolver.conf;
+        set $upstream_app nocodb;
+        set $upstream_port 8080;
+        set $upstream_proto http;
+        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+    }
+}

swag/nginx/proxy-confs/taskchampion.subdomain.conf

@@ -0,0 +1,63 @@
+## Version 2024/07/16
+# REMOVE THIS LINE BEFORE SUBMITTING: The structure of the file (all of the existing lines) should be kept as close as possible to this template.
+# REMOVE THIS LINE BEFORE SUBMITTING: Look through this file for <tags> and replace them. Review other sample files to see how things are done.
+# REMOVE THIS LINE BEFORE SUBMITTING: The comment lines at the top of the file (below this line) should explain any prerequisites for using the proxy such as DNS or app settings.
+# make sure that your <container_name> container is named <container_name>
+# make sure that your dns has a cname set for <container_name>
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    server_name task.*;
+
+    include /config/nginx/ssl.conf;
+
+    client_max_body_size 0;
+
+    # enable for ldap auth (requires ldap-location.conf in the location block)
+    #include /config/nginx/ldap-server.conf;
+
+    # enable for Authelia (requires authelia-location.conf in the location block)
+    #include /config/nginx/authelia-server.conf;
+
+    # enable for Authentik (requires authentik-location.conf in the location block)
+    #include /config/nginx/authentik-server.conf;
+
+    location / {
+        # enable the next two lines for http auth
+        #auth_basic "Restricted";
+        #auth_basic_user_file /config/nginx/.htpasswd;
+
+        # enable for ldap auth (requires ldap-server.conf in the server block)
+        #include /config/nginx/ldap-location.conf;
+
+        # enable for Authelia (requires authelia-server.conf in the server block)
+        #include /config/nginx/authelia-location.conf;
+
+        # enable for Authentik (requires authentik-server.conf in the server block)
+        #include /config/nginx/authentik-location.conf;
+
+        include /config/nginx/proxy.conf;
+        include /config/nginx/resolver.conf;
+        set $upstream_app taskchampion;
+        set $upstream_port 8080;
+        set $upstream_proto http;
+        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+        # REMOVE THIS LINE BEFORE SUBMITTING: Additional proxy settings such as headers go below this line, leave the blank line above.
+    }
+
+    # REMOVE THIS LINE BEFORE SUBMITTING: Some proxies require one or more additional location blocks for things like API or RPC endpoints.
+    # REMOVE THIS LINE BEFORE SUBMITTING: If the proxy you are making a sample for does not require an additional location block please remove the commented out section below.
+    # location ~ (/<container_name>)?/api {
+    #     include /config/nginx/proxy.conf;
+    #     include /config/nginx/resolver.conf;
+    #     set $upstream_app <container_name>;
+    #     set $upstream_port <port_number>;
+    #     set $upstream_proto <http or https>;
+    #     proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+    #
+    #     # REMOVE THIS LINE BEFORE SUBMITTING: Additional proxy settings such as headers go below this line, leave the blank line above.
+    # }
+}

swag/nginx/proxy.conf

@@ -1,4 +1,4 @@
-## Version 2021/10/26 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf
+## Version 2023/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/proxy.conf.sample
 
 # Timeout if the real server is dead
 proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
@@ -10,7 +10,7 @@ proxy_headers_hash_bucket_size 128;
 proxy_headers_hash_max_size 1024;
 proxy_http_version 1.1;
 proxy_read_timeout 240;
-proxy_redirect  http://  $scheme://;
+proxy_redirect http:// $scheme://;
 proxy_send_timeout 240;
 
 # Proxy Cache and Cookie Settings
@@ -26,6 +26,13 @@ proxy_set_header Proxy "";
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Host $host;
-proxy_set_header X-Forwarded-Proto https;
+proxy_set_header X-Forwarded-Method $request_method;
+proxy_set_header X-Forwarded-Port $server_port;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Server $host;
 proxy_set_header X-Forwarded-Ssl on;
+proxy_set_header X-Forwarded-Uri $request_uri;
+proxy_set_header X-Original-Method $request_method;
+proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
 proxy_set_header X-Real-IP $remote_addr;
+

swag/nginx/site-confs/default.conf

@@ -0,0 +1,85 @@
+## Version 2024/03/06 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample
+
+# redirect all traffic to https
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+# main server block
+server {
+    listen 443 ssl http2 default_server;
+    listen [::]:443 ssl http2 default_server;
+
+    server_name _;
+
+    include /config/nginx/ssl.conf;
+
+    root /config/www;
+    index index.html index.htm index.php;
+
+    # enable subfolder method reverse proxy confs
+    include /config/nginx/proxy-confs/*.subfolder.conf;
+
+    # enable for ldap auth (requires ldap-location.conf in the location block)
+    #include /config/nginx/ldap-server.conf;
+
+    # enable for Authelia (requires authelia-location.conf in the location block)
+    #include /config/nginx/authelia-server.conf;
+
+    # enable for Authentik (requires authentik-location.conf in the location block)
+    #include /config/nginx/authentik-server.conf;
+
+    location / {
+        # enable for basic auth
+        #auth_basic "Restricted";
+        #auth_basic_user_file /config/nginx/.htpasswd;
+
+        # enable for ldap auth (requires ldap-server.conf in the server block)
+        #include /config/nginx/ldap-location.conf;
+
+        # enable for Authelia (requires authelia-server.conf in the server block)
+        #include /config/nginx/authelia-location.conf;
+
+        # enable for Authentik (requires authentik-server.conf in the server block)
+        #include /config/nginx/authentik-location.conf;
+
+        try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args;
+    }
+
+    location ~ ^(.+\.php)(.*)$ {
+        # enable the next two lines for http auth
+        #auth_basic "Restricted";
+        #auth_basic_user_file /config/nginx/.htpasswd;
+
+        # enable for ldap auth (requires ldap-server.conf in the server block)
+        #include /config/nginx/ldap-location.conf;
+
+        # enable for Authelia (requires authelia-server.conf in the server block)
+        #include /config/nginx/authelia-location.conf;
+
+        # enable for Authentik (requires authentik-server.conf in the server block)
+        #include /config/nginx/authentik-location.conf;
+
+        fastcgi_split_path_info ^(.+\.php)(.*)$;
+        if (!-f $document_root$fastcgi_script_name) { return 404; }
+        fastcgi_pass 127.0.0.1:9000;
+        fastcgi_index index.php;
+        include /etc/nginx/fastcgi_params;
+    }
+
+    # deny access to .htaccess/.htpasswd files
+    location ~ /\.ht {
+        deny all;
+    }
+}
+
+# enable subdomain method reverse proxy confs
+include /config/nginx/proxy-confs/*.subdomain.conf;
+# enable proxy cache for auth
+proxy_cache_path cache/ keys_zone=auth_cache:10m;
+

swag/nginx/ssl.conf

@@ -1,46 +1,40 @@
-## Version 2021/09/19 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ssl.conf
+## Version 2023/08/13 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/ssl.conf.sample
 
 ### Mozilla Recommendations
-# generated 2020-06-17, Mozilla Guideline v5.4, nginx 1.18.0-r0, OpenSSL 1.1.1g-r0, intermediate configuration
-# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0-r0&config=intermediate&openssl=1.1.1g-r0&guideline=5.4
+# generated 2023-06-25, Mozilla Guideline v5.7, nginx 1.24.0, OpenSSL 3.1.1, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.24.0&config=intermediate&openssl=3.1.1&guideline=5.7
 
+ssl_certificate /config/keys/cert.crt;
+ssl_certificate_key /config/keys/cert.key;
 ssl_session_timeout 1d;
-ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
 ssl_session_tickets off;
 
+# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+ssl_dhparam /config/nginx/dhparams.pem;
+
 # intermediate configuration
 ssl_protocols TLSv1.2 TLSv1.3;
-ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
 ssl_prefer_server_ciphers off;
 
+# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+#add_header Strict-Transport-Security "max-age=63072000" always;
+
 # OCSP stapling
 ssl_stapling on;
 ssl_stapling_verify on;
 
-
-### Linuxserver.io Defaults
-
-# Certificates
-ssl_certificate /config/keys/letsencrypt/fullchain.pem;
-ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
 # verify chain of trust of OCSP response using Root CA and Intermediate certs
-ssl_trusted_certificate /config/keys/letsencrypt/fullchain.pem;
-
-# Diffie-Hellman Parameters
-ssl_dhparam /config/nginx/dhparams.pem;
-
-# Enable TLS 1.3 early data
-ssl_early_data on;
-
-# HSTS, remove # from the line below to enable HSTS
-#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+ssl_trusted_certificate /config/keys/cert.crt;
 
 # Optional additional headers
 #add_header Cache-Control "no-transform" always;
-#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'";
-#add_header Permissions-Policy "interest-cohort=()";
+#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'" always;
+#add_header Permissions-Policy "interest-cohort=()" always;
 #add_header Referrer-Policy "same-origin" always;
 #add_header X-Content-Type-Options "nosniff" always;
 #add_header X-Frame-Options "SAMEORIGIN" always;
 #add_header X-UA-Compatible "IE=Edge" always;
 #add_header X-XSS-Protection "1; mode=block" always;
+

taskserver/Dockerfile

@@ -1,13 +0,0 @@
-FROM ghcr.io/linuxserver/baseimage-alpine:3.16
-
-RUN apk --no-cache add taskd
-
-ENV TASKDDATA=/var/taskd
-VOLUME /var/taskd
-
-COPY root/ /
-
-VOLUME /ssl_certs/ /client_certs/
-EXPOSE 53589
-
-ENTRYPOINT ["/init"]

taskserver/README.md

@@ -1,22 +0,0 @@
-# Taskserver
-
-Written with the help of
-<https://github.com/coaxial/docker-taskd-service>.
-
-
-## Certs renewal
-
-*do we need to remove volumes?:*
-
-```shell
-docker volume rm docker_taskserver-certs docker_taskserver-data
-
-```
-Once a year recreate the container and copy the `client_certs` dir! On
-the client:
-
-```shell
-scp -r florent@dm.guiotte.fr:~/docker/taskserver/client_certs/* ~/.config/task/certs
-task config taskd.credentials -- watch/user/$(cat ~/.config/task/certs/user-uuid)
-task sync init
-```

taskserver/root/etc/cont-init.d/14-install-cert-generator

@@ -1,20 +0,0 @@
-#!/usr/bin/with-contenv sh
-#shellsheck shell=sh
-
-printf "Installing the certificate generator\n"
-apk --no-cache add curl gnutls-utils
-mkdir -p /opt/src/taskd
-# get a copy of the repo wich also contains the certificate generation scripts
-curl -sSL https://api.github.com/repos/gothenburgbitfactory/taskserver/tarball/master -o /tmp/taskd.tar.gz
-tar xzf /tmp/taskd.tar.gz -C /opt/src/taskd --strip 1
-# set the variables for the certs to be generated (as defined in
-# taskserver.env)
-{
-  echo "BITS=$TASKD_CERT_BITS";
-  echo "EXPIRATION_DAYS=$TASKD_CERT_EXPIRATION_DAYS";
-  echo "ORGANIZATION=\"$TASKD_CERT_ORGANIZATION\"";
-  echo "CN=$(hostname -f)";
-  echo "COUNTRY=$TASKD_CERT_COUNTRY";
-  echo "STATE=\"$TASKD_CERT_STATE\"";
-  echo "LOCALITY=\"$TASKD_CERT_LOCALITY\"";
-} > /opt/src/taskd/pki/vars

taskserver/root/etc/cont-init.d/15-generate-server-certs

@@ -1,20 +0,0 @@
-#!/usr/bin/with-contenv sh
-#shellcheck shell=sh
-
-if [ -s "$TASKDDATA/ca.cert.pem" ]; then
-  printf "Server certificates found, not generating any.\n"
-else
-  # Use the generate script to make the CA and server certificates
-  printf "No server certificates found, generating them...\n"
-  cd /opt/src/taskd/pki || exit 1
-  ./generate
-  # move generated certs to volumes so they're not lost when the container is
-  # destroyed, and so that they can be accessed from other containers if needed
-  cp ./client.key.pem /ssl_certs/
-  cp ./client.cert.pem /ssl_certs/
-  cp ./server.key.pem /ssl_certs/
-  cp ./server.cert.pem /ssl_certs/
-  cp ./ca.key.pem /ssl_certs/
-  cp ./ca.cert.pem /ssl_certs/
-  cp ./ca.cert.pem /client_certs/
-fi

taskserver/root/etc/cont-init.d/16-generate-user-certs

@@ -1,15 +0,0 @@
-#!/usr/bin/with-contenv sh
-#shellcheck shell=sh
-
-if [ -s "$TASKDDATA/$TASKD_USERNAME.cert.pem" ]; then
-  printf "User certificate for %s found, not generating again\n" "$TASKD_USERNAME"
-else
-  # Now we generate the user certificate that will go on the client machine
-  printf "No certificate found for %s, generating user certificate...\n" "$TASKD_USERNAME"
-  cd /opt/src/taskd/pki || exit 1
-  ./generate.client "$TASKD_USERNAME"
-  # move cert and key to a volume so they're not lost when the container is 
-  # removed and so that they're accessible outside the taskd container
-  cp "$TASKD_USERNAME".cert.pem /client_certs/"$TASKD_USERNAME".cert.pem
-  cp "$TASKD_USERNAME".key.pem /client_certs/"$TASKD_USERNAME".key.pem
-fi

taskserver/root/etc/cont-init.d/20-copy-certs

@@ -1,29 +0,0 @@
-#!/usr/bin/with-contenv sh
-#shellcheck shell=sh
-
-# Regroup all certificates where taskd will look for them
-if [ -s "$TASKDDATA/server.cert.pem" ]; then
-  printf "Server certificates found in %s, not overwriting\n" "$TASKDDATA"
-  # put the certs in the ssl_certs volume to avoid mismatch between /ssl_certs
-  # and the ones the server is using
-  cp "$TASKDDATA/server.key.pem" /ssl_certs
-  cp "$TASKDDATA/server.cert.pem" /ssl_certs
-else
-  printf "No server certificates in %s, copying them over...\n" "$TASKDDATA"
-  cp /ssl_certs/server.key.pem "$TASKDDATA"
-  cp /ssl_certs/server.cert.pem "$TASKDDATA"
-fi
-
-if [ -s "$TASKDDATA/$TASKD_USERNAME.cert.pem" ]; then
-  printf "Client certificates for user %s found in %s, not overwriting\n" "$TASKD_USERNAME" "$TASKDDATA"
-  # put the certs in the client_certs volume to avoid mismatch between
-  # /client_certs and the ones the server is using
-  cp "$TASKDDATA/ca.cert.pem" /client_certs
-  cp "$TASKDDATA/$TASKD_USERNAME.key.pem" /client_certs
-  cp "$TASKDDATA/$TASKD_USERNAME.cert.pem" /client_certs
-else
-  printf "No certificates for user %s in %s, copying them over...\n" "$TASKD_USERNAME" "$TASKDDATA"
-  cp /client_certs/ca.cert.pem "$TASKDDATA"
-  cp "/client_certs/$TASKD_USERNAME.key.pem" "$TASKDDATA"
-  cp "/client_certs/$TASKD_USERNAME.cert.pem" "$TASKDDATA"
-fi

taskserver/root/etc/cont-init.d/30-bootstrap-taskd

@@ -1,43 +0,0 @@
-#!/usr/bin/with-contenv sh
-#shellcheck shell=sh
-# with help from https://blog.polettix.it/setup-a-taskwarrior-server/
-
-# if we already have a config file, we don't want to overwrite it
-if [ -s "$TASKDDATA/config" ]; then
-  printf "%s/config file found, skipping bootstrap\n" "$TASKDDATA"
-else
-  printf "%s/config file not found, bootstrapping taskd\n" "$TASKDDATA"
-  # configure taskd, create the organization and user
-  taskd init
-  touch "$TASKDDATA/taskd.log"
-  touch "$TASKDDATA/taskd.pid"
-  chown taskd "$TASKDDATA/taskd.log"
-  chown taskd "$TASKDDATA/taskd.pid"
-  taskd config --force server      "$(hostname -f):53589"
-  taskd config --force log         "$TASKDDATA"/taskd.log
-  taskd config --force pid.file    "$TASKDDATA"/taskd.pid
-  taskd config --force server.key  "$TASKDDATA"/server.key.pem
-  taskd config --force server.cert "$TASKDDATA"/server.cert.pem
-  taskd config --force server.crl  "$TASKDDATA"/server.crl.pem
-  taskd config --force ca.cert     "$TASKDDATA"/ca.cert.pem
-fi
-
-if find "$TASKDDATA/orgs" -name "$TASKD_ORGNAME" | grep "$TASKD_ORGNAME"; then
-  printf "Organization %s found, not regenerating it\n" "$TASKD_ORGNAME"
-else
-  printf "Organization %s not found, generating it...\n" "$TASKD_ORGNAME"
-  taskd add org "$TASKD_ORGNAME"
-fi
-
-if grep -qrw "$TASKDDATA/orgs/$TASKD_ORGNAME/users" -e "user=$TASKD_USERNAME"; then
-  printf "User %s already exists, not recreating it\n" "$TASKD_USERNAME"
-  # extract the UUID anyway
-  grep -rw "$TASKDDATA/orgs/$TASKD_ORGNAME/users" -e "user=$TASKD_USERNAME" | sed '/.*\([0-9a-f\-]\{36\}\).*/!d;s//\1/g' > /client_certs/"$TASKD_USERNAME-uuid"
-else
-  printf "User %s didn't exist, creating it...\n" "$TASKD_USERNAME"
-  # use tee to still write to stdout but also save output to file
-  taskd add user "$TASKD_ORGNAME" "$TASKD_USERNAME" | tee /client_certs/"$TASKD_USERNAME-uuid"
-  # now remove the rest of the output and only keep the uuid, useful for
-  # configuring taskwarrior on the client machine
-  sed -i '/.*\([0-9a-f\-]\{36\}\)/!d;s//\1/g' /client_certs/"$TASKD_USERNAME-uuid"
-fi

taskserver/root/etc/cont-init.d/35-fix-permissions

@@ -1,8 +0,0 @@
-#!/usr/bin/with-contenv sh
-#shellcheck shell=sh
-
-# make the taskd data dir rw for the user running taskd
-chown -R taskd:taskd "$TASKDDATA"
-# make client certs readable for every user to work around UID and GID mapping
-# inconsistencies across hosts
-chmod +r /client_certs/*

taskserver/root/etc/cont-init.d/90-diagnostics

@@ -1,6 +0,0 @@
-#!/usr/bin/with-contenv sh
-#shellcheck shell=sh
-
-# some debug info, useful when running CI tests mostly
-s6-setuidgid taskd taskd diagnostics
-ls -clash "$TASKDDATA"

taskserver/root/etc/services.d/taskd-logs/run

@@ -1,5 +0,0 @@
-#!/usr/bin/with-contenv sh
-#shellcheck shell=sh
-
-# write a copy of the log in the container's console for easier monitoring/inspection
-exec tail -F "$TASKDDATA/taskd.log"

taskserver/root/etc/services.d/taskd/run

@@ -1,5 +0,0 @@
-#!/usr/bin/with-contenv sh
-#shellcheck shell=sh
-
-# user taskd will run the taskserver, running as root is asking for trouble
-exec s6-setuidgid taskd taskd server

zotero-sync/.gitignore

@@ -0,0 +1,5 @@
+keys
+.migrations
+log
+nginx
+php

zotero-sync/nginx/site-confs/default.conf

@@ -0,0 +1,17 @@
+server {
+    listen 80;
+
+    client_max_body_size 0;
+
+    location / {
+        root /data;
+
+        dav_methods PUT DELETE MOVE;
+        dav_ext_methods PROPFIND OPTIONS;
+
+        dav_access user:rw group:rw all:r;
+
+        auth_basic "Restricted";
+        auth_basic_user_file /config/nginx/htpasswd;
+    }
+}