Private servers configuration

Based on
https://github.com/howardabrams/literate-devops-demo
Implementation of
Literate Devops with Emacs
Base server config is defined on the var property on the section.
Category
Systems Administration

This is a literate devops file based on Howard Abrahams's one... at some point I will expose the .org file instead of the rendered version 🤷. While it does configure the servers at codigoparallevar.com, don't take it too seriously 😉.

This file also doubles as a stress-test of mixing code and result blocks, which I had some trouble converting to DOM in the past, so do know that they might have been rendering problems on this file 😅.

Utils

Use C-c C-n C-s to create a remote region

(defun start-remote-command ()
  (interactive)
  (insert "\#+BEGIN_SRC shell  :async :dir /ssh:root@personal_server: :noweb yes :results drawer")
  (indent-for-tab-command)
  (insert "\n#+END_SRC")
  (indent-for-tab-command)
  (insert "\n"))

(local-set-key (kbd "C-c o a s") 'start-remote-command)

: start-remote-command

Run this to test the connection

hostname -I

192.168.1.33 172.18.0.1 172.19.0.1 172.21.0.1 172.20.0.1 172.17.0.1 172.22.0.1 10.0.3.1

Install mosh

apt-get install -y mosh

      Reading package lists... 100%

Reading package lists... Done
      Building dependency tree... 0%

Building dependency tree... 50%

Building dependency tree... 50%

Building dependency tree
      Reading state information... 0%

Reading state information... Done
      mosh is already the newest version (1.3.2-2.1+b1).
      0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Update server packages

apt update
apt upgrade -y

Install docker

Instructions on
https://docs.docker.com/engine/install/debian/

Install required packages

apt-get install -y \
        apt-transport-https \
        ca-certificates \
        curl \
        gnupg-agent \
        software-properties-common

        > > > > + apt-get install -y apt-transport-https ca-certificates curl gnupg-agent software-properties-common
        Reading package lists... 100%

Reading package lists... Done
        Building dependency tree... 0%

Building dependency tree... 50%

Building dependency tree... 50%

Building dependency tree
        Reading state information... 0%

Reading state information... Done
        curl is already the newest version (7.64.0-4+deb10u1).
        gnupg-agent is already the newest version (2.2.12-1+deb10u1).
        software-properties-common is already the newest version (0.96.20.2-2).
        apt-transport-https is already the newest version (1.8.2.1).
        ca-certificates is already the newest version (20200601~deb10u1).
        0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Add Docker’s official GPG key

curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -

+ apt-key add -
+ curl -fsSL https://download.docker.com/linux/debian/gpg
OK

Add repository

add-apt-repository \
    "deb [arch=amd64] https://download.docker.com/linux/debian \
   $(lsb_release -cs) \
   stable"

> > ++ lsb_release -cs
+ add-apt-repository 'deb [arch=amd64] https://download.docker.com/linux/debian    buster    stable'

Update APT and install Docker

apt-get update && apt-get install -y docker-ce docker-ce-cli containerd.io

        + apt-get update
        [Working]
            
Hit:1 http://mirror.hetzner.de/debian/packages buster InRelease
        [Connecting to prod.debian.map.fastly.net (2a04:4e42:3::204)] [Connecting to download.docker.com (2600:9000:2190:fe00:3:db06:4200:93a1)]
                                                                                                                                           
Hit:2 http://mirror.hetzner.de/debian/packages buster-updates InRelease
        
                                                                                                                                           
Hit:3 http://mirror.hetzner.de/debian/packages buster-backports InRelease
        
                                                                                                                                           
Hit:4 http://mirror.hetzner.de/debian/security buster/updates InRelease
        [Connecting to prod.debian.map.fastly.net (2a04:4e42:1b::204)] [Waiting for headers] [Connecting to download.docker.com (2600:9000:2190:fe00:3:db06:4200:93a1)]
                                                                                                                                                                  
Hit:5 http://security.debian.org buster/updates InRelease
        [Waiting for headers] [Connected to download.docker.com (2600:9000:2190:fe00:3:db06:4200:93a1)]
                                                                                                  
Hit:6 http://deb.debian.org/debian buster InRelease
        [Waiting for headers] [Connected to download.docker.com (2600:9000:2190:fe00:3:db06:4200:93a1)]
                                                                                                  
Hit:7 http://deb.debian.org/debian buster-updates InRelease
        [Waiting for headers] [Connected to download.docker.com (2600:9000:2190:fe00:3:db06:4200:93a1)]
                                                                                                  
Hit:8 http://deb.debian.org/debian buster-backports InRelease
        [Connected to download.docker.com (2600:9000:2190:fe00:3:db06:4200:93a1)]
                                                                            
Hit:9 https://download.docker.com/linux/debian buster InRelease
        [Working]
0% [Working]
0% [Working]
0% [Working]
0% [Working]
0% [Working]
0% [Working]
0% [Working]
0% [Working]
20% [Working]
             

Reading package lists... 0%

Reading package lists... 0%

Reading package lists... 0%

Reading package lists... 27%

Reading package lists... 27%

Reading package lists... 45%

Reading package lists... 45%

Reading package lists... 46%

Reading package lists... 46%

Reading package lists... 46%

Reading package lists... 46%

Reading package lists... 47%

Reading package lists... 47%

Reading package lists... 47%

Reading package lists... 47%

Reading package lists... 48%

Reading package lists... 48%

Reading package lists... 49%

Reading package lists... 49%

Reading package lists... 49%

Reading package lists... 49%

Reading package lists... 76%

Reading package lists... 76%

Reading package lists... 95%

Reading package lists... 95%

Reading package lists... 95%

Reading package lists... 95%

Reading package lists... 95%

Reading package lists... 95%

Reading package lists... 95%

Reading package lists... 95%

Reading package lists... 95%

Reading package lists... 95%

Reading package lists... 95%

Reading package lists... 95%

Reading package lists... 95%

Reading package lists... 95%

Reading package lists... 95%

Reading package lists... 95%

Reading package lists... 95%

Reading package lists... 95%

Reading package lists... 97%

Reading package lists... 97%

Reading package lists... 98%

Reading package lists... 98%

Reading package lists... 98%

Reading package lists... 98%

Reading package lists... 98%

Reading package lists... 98%

Reading package lists... 98%

Reading package lists... 98%

Reading package lists... 98%

Reading package lists... 98%

Reading package lists... 99%

Reading package lists... 99%

Reading package lists... 99%

Reading package lists... 99%

Reading package lists... 99%

Reading package lists... 99%

Reading package lists... 99%

Reading package lists... 99%

Reading package lists... Done
        + apt-get install -y docker-ce docker-ce-cli containerd.io
        Reading package lists... 100%

Reading package lists... Done
        Building dependency tree... 0%

Building dependency tree... 50%

Building dependency tree... 50%

Building dependency tree
        Reading state information... 0%

Reading state information... Done
        containerd.io is already the newest version (1.2.13-2).
        docker-ce-cli is already the newest version (5:19.03.12~3-0~debian-buster).
        docker-ce is already the newest version (5:19.03.12~3-0~debian-buster).
        0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Create docker network

docker network ls | grep internal || docker network create internal

+ grep internal
+ docker network ls
+ docker network create internal
b04d6928f041216947f403ec9b13e0c0b95e01b2b17cc519712768e673c06d80

Router

Install one with letsencrypt

Based on
https://hub.docker.com/r/linuxserver/swag

VERSION=2.7.4
# Starting with version 1.30 it fails with
# s6-rc: warning: unable to start service legacy-cont-init: command exited 1"
docker pull linuxserver/swag:$VERSION
docker rm -f ingress
docker run -d \
       --name=ingress \
       --cap-add=NET_ADMIN \
       -e PUID=1000 \
       -e PGID=1000 \
       -e TZ=Europe/Madrid \
       -e URL=codigoparallevar.com \
       -e SUBDOMAINS=cloud,social,social,matrix,www,code,wallabag,wiki,pleromatest,api \
       -e VALIDATION=http \
       -e ONLY_SUBDOMAINS=false \
       -e EXTRA_DOMAINS=birracoin.com,www.birracoin.com \
       -e STAGING=false \
       -e EMAIL='me@codigoparallevar.com' \
       -p 443:443 \
       -p 80:80 \
       -v letsencrypt_config:/config \
       -v /etc/nginx/sites-enabled:/config/nginx/site-confs/ \
       -v /etc/nginx/sites-available:/etc/nginx/sites-available:ro \
       -v /mnt/vols/misc/codigoparallevar:/var/lib/nginx/html:ro \
       -v /mnt/vols/misc/wiki:/opt/wiki:ro \
       -v /mnt/vols/misc/birracoin:/opt/birracoin:ro \
       -v /mnt/vols/misc/beerol:/opt/beerol:ro \
       -v /dev/null:/etc/nginx/conf.d/stream.conf:ro \
       --restart unless-stopped \
       --network=internal \
       --memory=190m \
       linuxserver/swag:$VERSION

2.7.4: Pulling from linuxserver/swag
Digest: sha256:6239cc1646cbcaed599b8bb4c203fa9778730580e00cf7bebd33fb3653f55f3e
Status: Image is up to date for linuxserver/swag:2.7.4
docker.io/linuxserver/swag:2.7.4
ingress
ac87d3d3f74434bc9f53c4c6cccf17386d4e32513b2d5f24a7e8f31fc7a17572

Add base config

Base config
ARCHIVE

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

Default

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
  worker_connections 768;
  # multi_accept on;
}

http {

  ##
  # Basic Settings
  ##

  sendfile on;
  tcp_nopush on;
  types_hash_max_size 2048;
  # server_tokens off;

  # server_names_hash_bucket_size 64;
  # server_name_in_redirect off;

  include /etc/nginx/mime.types;
  default_type application/octet-stream;

  ##
  # SSL Settings
  ##

  ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
  ssl_prefer_server_ciphers on;

  ##
  # Logging Settings
  ##

  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log;

  ##
  # Gzip Settings
  ##

  gzip on;

  # gzip_vary on;
  # gzip_proxied any;
  # gzip_comp_level 6;
  # gzip_buffers 16 8k;
  # gzip_http_version 1.1;
  # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

  ##
  # Virtual Host Configs
  ##

  include /etc/nginx/conf.d/*.conf;
  include /etc/nginx/sites-enabled/*;
}

## Original: https://raw.githubusercontent.com/linuxserver/docker-letsencrypt/master/root/defaults/default

# redirect all traffic to https
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://\$host\$request_uri;
}

# main server block
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    # root /config/www;
    # index index.html index.htm index.php;

    server_name _;

    # # enable subfolder method reverse proxy confs
    # include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    # enable for ldap auth
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    client_max_body_size 0;

    # location / {
    #     try_files $uri $uri/ /index.html /index.php?$args =404;
    # }

    location /video {
         return 301 /files/$request_uri;
    }

    # location ~ \.php$ {
    #     fastcgi_split_path_info ^(.+\.php)(/.+)$;
    #     fastcgi_pass 127.0.0.1:9000;
    #     fastcgi_index index.php;
    #     include /etc/nginx/fastcgi_params;
    # }

    # sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
    # notice this is within the same server block as the base
    # don't forget to generate the .htpasswd file as described on docker hub
    #	location ^~ /cp {
    #		auth_basic "Restricted";
    #		auth_basic_user_file /config/nginx/.htpasswd;
    #		include /config/nginx/proxy.conf;
    #		proxy_pass http://192.168.1.50:5050/cp;
    #	}
}

# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;

mkdir /etc/nginx/conf.d
mkdir /etc/nginx/sites-enabled
cat > /etc/nginx/nginx.conf <<EOF
<<nginx-config>>
EOF
cat > /etc/nginx/sites-enabled/default.conf <<EOF
<<router-config>>
EOF
<<reload-router>>

+ mkdir /etc/nginx/conf.d
mkdir: cannot create directory ‘/etc/nginx/conf.d’: File exists
+ mkdir /etc/nginx/sites-enabled
mkdir: cannot create directory ‘/etc/nginx/sites-enabled’: File exists
> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > + cat
> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > + cat
+ docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
Error response from daemon: Container b5c5fd4fbfd389e45a84e44b86f479d3a4cb050c37461de4474ea50e8eca2dbe is not running
+ docker start ingress
ingress

Restart

docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`' # Reload configuration without restart
docker start ingress # Start it in case it stopped

+ docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
failed to resize tty, using default size
+ docker start ingress
ingress

[....] Reloading nginx: nginx[?25l7[1G[[32m ok [39;49m8[?12l[?25h.

Nextcloud

Install nextcloud

Install docker

docker rm -f nextcloud
docker run --name=nextcloud -d \
       -v /mnt/vols/nextcloud/vols/main:/var/www/html \
       -v /mnt/vols/nextcloud/vols/apps:/var/www/html/custom_apps \
       -v /mnt/vols/nextcloud/vols/config:/var/www/html/config \
       -v /mnt/vols/nextcloud/vols/data:/var/www/html/data \
       -e OVERWRITEHOST=cloud.codigoparallevar.com \
       -e OVERWRITEPROTOCOL=https \
       --restart=unless-stopped \
       --network internal \
       --memory=380m \
       nextcloud:27.1.1

nextcloud
2f2abd48ce92e10b4a91d7de937558ffd3728eca5fe1a80a842e7ffc315112bb

Add router config

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name cloud.codigoparallevar.com;
    include /config/nginx/ssl.conf;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # set max upload size
    client_max_body_size 100M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass  http://nextcloud:80;
    }
}

cat > /etc/nginx/sites-enabled/cloud.conf <<EOF
<<cloud-router-config>>
EOF
<<reload-router>>

> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > + cat
+ docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
Error response from daemon: Cannot link to a non running container: /hubzilla-server AS /ingress/hubzilla-server
+ docker start ingress
ingress

Mail

Prepare mail classifier

Check
Sieve

  # Sieve filter

  # Declare the extensions used by this script.
  #
  require ["fileinto", "reject"];

  # Test sieve
  #
  if header :contains "Subject" "Sieve Test" {
     fileinto "Junk";
  }

# enabled rulename "PayPal" from matchcase "\"servicio@paypal.es\" <servicio@paypal.es>" move "#imap/NewMail/archive/srv/PayPal"
# enabled rulename "Patreon" from matchcase "Patreon <bingo@patreon.com>" move "#imap/NewMail/archive/srv/Patreon"
# enabled rulename "FSF" from matchcase "<info@fsf.org>" move "#imap/NewMail/archive/coms/FSF"
# enabled rulename "EFF" from matchcase "<membership@eff.org>" move "#imap/NewMail/archive/coms/EFF"
# enabled rulename "DBD" from matchcase "<info@defectivebydesign.org>" move "#imap/NewMail/archive/coms/DBD"
# enabled rulename "Software clown" from matchcase "Itamar Turner-Trauring <itamar@codewithoutrules.com>" move "#imap/NewMail/archive/soft-clown"
# enabled rulename "EFF - action" from matchcase "<action@eff.org>" move "#imap/NewMail/archive/coms/EFF"
# enabled rulename "TheBatch" from matchcase "\"deeplearning.ai\" <thebatch@deeplearning.ai>" move "#imap/NewMail/archive/lists"
# enabled rulename "Dribble" header "Sender" matchcase "no-reply@n.dribbble.com" mark_as_read move "#imap/NewMail/archive/lists/design/dribble"
# enabled rulename "Stack Overflow list" from matchcase "\"Stack Overflow\" <do-not-reply@stackoverflow.email>" | from matchcase "Stack Overflow <do-not-reply@stackoverflow.email>" mark_as_read move "#imap/NewMail/archive/lists/StackOverflow"
# enabled rulename "DEGIRO" from matchcase "DEGIRO <clientes@degiro.es>" move "#imap/NewMail/archive/srv/banca/degiro"
# enabled rulename "Spam - Elitetorrent" from matchcase "\"elitetorrent1.com\" <info@elitetorrent1.com>" mark_as_spam
# enabled rulename "@163 spam" inreplyto matchcase "@163.com" | from matchcase "@163.com" mark_as_spam set_score 0
# enabled rulename "CGPGrey" from matchcase "Grey <Email@CGPGrey.com>" move "#imap/NewMail/archive/lists/grey"
# enabled rulename "Julia Evans" from matchcase "Julia Evans <julia@jvns.ca>" move "#imap/NewMail/archive/lists/julia evans"
# enabled rulename "EFFEctor" from matchcase "\"EFFector List\" <editor@eff.org>" move "#imap/NewMail/archive/coms/EFFector"
# enabled rulename "UseParagon" from matchcase "\"Brandon Foo\" <brandon@useparagon.com>" move "#imap/NewMail/archive/startups/pm-competitors"
# enabled rulename "SourceHut" from matchcase "sourcehut <outgoing@sr.ht>" move "#imap/NewMail/archive/srv/sourcehut"
# enabled rulename "ANDBanc" from matchcase "<andbank@bancononline.com>" move "#imap/NewMail/archive/srv/banca/andbank"
# enabled rulename "Amazon" from matchcase "\"Amazon.es\" <auto-confirm@amazon.es>" move "#imap/NewMail/archive/srv/Amazon"

  # Mailing lists
  #
  elsif header :contains "List-Id" "~mil/sxmo-devel.lists.sr.ht" {
      fileinto "archive/coms/sxmo";
  }
  # "Tails"
  elsif header :contains "List-Id" "amnesia-news.boum.org" {
      fileinto "archive/coms/tails";
  }
  # "PyVigo"
  elsif header :contains "List-Id" "vigo.lists.es.python.org" {
      fileinto "archive/coms";
  }
  # "BOE" header "List-Id"
  elsif header :contains "List-Id" "9416fe6b76f2c3f985c1f8e0f.30885.list-id.mcsv.net" {
      fileinto "archive/boe";
  }
  # "PyMad"
  elsif header :contains "List-Id" "python-madrid-list.meetup.com" {
      fileinto "archive/coms/python-madrid";
  }
  # "Brechadigital"
  elsif header :contains "List-Id" "brechadigital.inventati.org" {
      fileinto  "archive/coms/brechadigital";
  }
  # "eu-gene"
  elsif header :contains "List-Id" "eu-gene.we.lurk.org" {
                             fileinto  "archive/coms/gen";
  }
  # "Trisquel"
  elsif header :contains "List-Id" "trisquel-devel.listas.trisquel.info" {
    fileinto "archive/coms/trisquel";
  }
  # "NCN"
  elsif header :contains "List-Id" "noconname.listas.noconname.org" {
    fileinto "archive/sec/no-con-name";
  }
  # "AptGetUpdate"
  elsif header :contains "List-Id" "aptgetupdate.lists.riseup.net" {
    fileinto "archive/coms/aptgetupdate";
  }
  # "SV"
  elsif header :contains "List-Id" "sector-virus.googlegroups.com" {
    fileinto "archive/sec/sv";
  }
  # "Una al dia"
  elsif header :contains "List-Id" "dd62599a9195e52f2dca2ab9a.63065.list-id.mcsv.net" {
    fileinto "#imap/NewMail/archive/una-al-dia";
  }
  # "GPUL"
  elsif header :contains "List-Id" "asociacion.lists.gpul.org" {
    fileinto "archive/coms/gpul";
  }
  # "Replicant"
  elsif header :contains "List-Id" "replicant.osuosl.org" {
    fileinto "archive/coms/replicant";
  }
  # "FreedomBox"
  elsif header :contains "List-Id" "freedombox-discuss.alioth-lists.debian.net" {
    fileinto "archive/coms/freedom-box";
  }
  # "FullDisclosure"
  elsif header :contains "List-Id" "fulldisclosure.seclists.org" {
    fileinto "archive/fd";
  }
  # "TWIML"
  elsif anyof (header :contains "List-Id" "96b64078a550522835ec6034e.272005.list-id.mcsv.net",
          address :contains "From" "@twimlai.com") {
    fileinto "archive/lists/twiml";
  }
  # "Rooted"
  elsif header :contains "List-Id" "rootedcon.listas.rooted.es" {
    fileinto "archive/sec/rooted";
  }
  # "LaBrecha"
  elsif header :contains "List-Id" "Participa-Brecha.googlegroups.com" {
    fileinto "archive/coms/brechadigital/Participa-brecha";
  }
  # "Python Vigo"
  elsif header :contains "List-Id" "vigo.lists.es.python.org" {
    fileinto "archive/coms/pyvigo";
  }
  # "LibrePlanet"
  elsif header :contains "List-Id" "libreplanet-discuss.libreplanet.org" {
    fileinto "archive/coms/libreplanet";
  }
  # "ElBinario"
  elsif header :contains "List-Id" "binario.listas.elbinario.net" {
    fileinto "archive/coms/el-binario";
  }
  # "Crafting interpreters"
  elsif header :contains "List-Id" "0952ca43ed2536d6717766b88.303821.list-id.mcsv.net" {
    fileinto "archive/crafting-interpreters";
  }
  # "RxJs"
  elsif header :contains "List-Id" "c22e7832272fe0663b822a283.114397.list-id.mcsv.net" {
    fileinto "archive/lists/rxjs";
  }
  # "NMap"
  elsif header :contains "List-Id" "announce.nmap.org" {
    fileinto "archive/sec";
  }
  # "N8N"
  elsif header :contains "List-Id" "2c8845820b0d9053a7bd0fa5f.44345.list-id.mcsv.net" {
    fileinto "archive/startups/pm-competitors";
  }
  # "OrgMode"
  elsif header :contains "List-Id" "emacs-orgmode.gnu.org" {
    fileinto "archive/coms/orgmode";
  }
  # "Tech podcasts - Nacion lumpen"
  elsif header :contains "List-Id" "nacion-lumpen.googlegroups.com" {
    fileinto "archive/lists/podcasts/tech/nacion-lumpen";
  }

  # Keep the rest.

Test sieve rules

VERSION=2022-05-13
FNAME=$(mktemp --suffix='.sieve')

cat > "$FNAME" <<_EOF_
<<mail-sieve>>
_EOF_

docker run --rm \
       -v "$FNAME":/var/lib/dovecot/sieve/default.sieve:ro \
       --entrypoint=ash \
       kenkeiras/mail-server:$VERSION -c "/usr/bin/sievec /var/lib/dovecot/sieve/default.sieve"

result=$?
rm "$FNAME"
if [ $result -eq 0 ];
then
    echo "OK"
else
    echo "[ERROR]"
fi
exit $result

OK

Configure mail

# See man 5 aliases for format
postmaster: root, kenkeiras
me: kenkeiras
xmpp: kenkeiras
www-data: kenkeiras
bluestash: kenkeiras
sergio: kenkeiras
sergio.martinez: kenkeiras
sergio.mportela: kenkeiras
nullhub: kenkeiras
admin: kenkeiras
hivemind: kenkeiras
tweetcodes: kenkeiras
oneliners: kenkeiras

Install mail

Category
Email Infrastructure

VERSION=2022-05-13
docker pull -q kenkeiras/mail-server:$VERSION
docker rm -f mail

# Configure aliases
cat > /etc/postfix/aliases <<_EOF_
<<mail-aliases>>
_EOF_

# Configure sieve
cat > /var/lib/dovecot/sieve/default.sieve <<_EOF_
<<mail-sieve>>
_EOF_

docker run --name=mail -d    \
       -p 25:25 -p 465:465   \
       -p 143:143 -p 993:993 \
       -v /mnt/vols/mail/spool:/var/spool/postfix \
       -v /mnt/vols/mail/var:/var/lib/postfix     \
       -v /mnt/vols/mail/certs:/extra/mail-certs  \
       -v /etc/dovecot/passdb:/etc/dovecot/passdb \
       -v /etc/postfix/aliases:/etc/aliases       \
       -v /var/lib/dovecot/sieve/default.sieve:/var/lib/dovecot/sieve/default.sieve \
       -v /mnt/vols/mail/mailboxes:/var/mail      \
       -e HOSTNAME='codigoparallevar.com' \
       -e DOMAIN='codigoparallevar.com'   \
       -e POSSIBLE_DESTINATIONS='mail.codigoparallevar.com,mail.codigoparallevar.com,codigoparallevar.com,www.codigoparallevar.com' \
       -e CERT_DIRECTORY='/extra/mail-certs' \
       -e USERNAME='kenkeiras' \
       --restart=unless-stopped \
      --network internal \
      --memory=190m \
      kenkeiras/mail-server:$VERSION

docker.io/kenkeiras/mail-server:2022-05-13
mail
0a271e4200291de1e44c7a374d7185f6f75f5fd93af4aaddb61488987a604497

[ 0/3 ] Tasks

TODO
Classification

See
Server-based mail processing
Added through
Prepare mail classifier

DONE
Troubleshooting

Check
https://forum.iredmail.org/topic453-faq-how-to-debug-dovecot-and-sieve-rules.html

TODO
Add DKIM

TODO
Check self-sending

Need authentication from self account

DISCARDED
[ 100% ] Hubzilla
ARCHIVE

DONE
Setup MySQL

DONE
Prepare config

#
# These groups are read by MariaDB server.
# Use it for options that only the server (but not clients) should see
#
# See the examples of server my.cnf files in /usr/share/mysql/
#

# this is read by the standalone daemon and embedded servers
[server]

# this is only for the mysqld standalone daemon
[mysqld]

#
# * Basic Settings
#
user		= mysql
pid-file	= /var/run/mysqld/mysqld.pid
socket		= /var/run/mysqld/mysqld.sock
port		= 3306
basedir		= /usr
datadir		= /var/lib/mysql
tmpdir		= /tmp
lc-messages-dir	= /usr/share/mysql
skip-external-locking

# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address		= 0.0.0.0

#
# * Fine Tuning
#
key_buffer_size		= 16M
max_allowed_packet	= 16M
thread_stack		= 192K
thread_cache_size       = 8
# This replaces the startup script and checks MyISAM tables if needed
# the first time they are touched
myisam_recover_options  = BACKUP
#max_connections        = 100
#table_cache            = 64
#thread_concurrency     = 10

#
# * Query Cache Configuration
#
query_cache_limit	= 1M
query_cache_size        = 16M

#
# * Logging and Replication
#
# Both location gets rotated by the cronjob.
# Be aware that this log type is a performance killer.
# As of 5.1 you can enable the log at runtime!
#general_log_file        = /var/log/mysql/mysql.log
#general_log             = 1
#
# Error log - should be very few entries.
#
log_error = /var/log/mysql/error.log
#
# Enable the slow query log to see queries with especially long duration
#slow_query_log_file	= /var/log/mysql/mariadb-slow.log
#long_query_time = 10
#log_slow_rate_limit	= 1000
#log_slow_verbosity	= query_plan
#log-queries-not-using-indexes
#
# The following can be used as easy to replay backup logs or for replication.
# note: if you are setting up a replication slave, see README.Debian about
#       other settings you may need to change.
#server-id		= 1
#log_bin			= /var/log/mysql/mysql-bin.log
expire_logs_days	= 10
max_binlog_size   = 100M
#binlog_do_db		= include_database_name
#binlog_ignore_db	= exclude_database_name

#
# * InnoDB
#
# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
# Read the manual for more InnoDB related options. There are many!

#
# * Security Features
#
# Read the manual, too, if you want chroot!
# chroot = /var/lib/mysql/
#
# For generating SSL certificates you can use for example the GUI tool "tinyca".
#
# ssl-ca=/etc/mysql/cacert.pem
# ssl-cert=/etc/mysql/server-cert.pem
# ssl-key=/etc/mysql/server-key.pem
#
# Accept only connections using the latest and most secure TLS protocol version.
# ..when MariaDB is compiled with OpenSSL:
# ssl-cipher=TLSv1.2
# ..when MariaDB is compiled with YaSSL (default in Debian):
# ssl=on

#
# * Character sets
#
# MySQL/MariaDB default is Latin1, but in Debian we rather default to the full
# utf8 4-byte character set. See also client.cnf
#
character-set-server  = utf8mb4
collation-server      = utf8mb4_general_ci

#
# * Unix socket authentication plugin is built-in since 10.0.22-6
#
# Needed so the root database user can authenticate without a password but
# only when running as the unix root user.
#
# Also available for other users if required.
# See https://mariadb.com/kb/en/unix_socket-authentication-plugin/

# this is only for embedded server
[embedded]

# This group is only read by MariaDB servers, not by MySQL.
# If you use the same .cnf file for MySQL and MariaDB,
# you can put MariaDB-only options here
[mariadb]

# This group is only read by MariaDB-10.1 servers.
# If you use the same .cnf file for MariaDB of different versions,
# use this group for options that older servers don't understand
[mariadb-10.1]

mkdir -p /etc/mysql/
cat > /etc/mysql/micro.cnf <<EOF
<<server-config>>
EOF

+ mkdir -p /etc/mysql/
> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > + cat

DONE
Launch container

docker rm -f hubzilla-mysql
docker run -d --name=hubzilla-mysql \
       -v /mnt/vols/hubzilla/mysql:/var/lib/mysql \
       -v /etc/mysql/micro.cnf:/etc/mysql/mariadb.conf.d/50-server.cnf \
       -e MYSQL_RANDOM_ROOT_PASSWORD="yes" \
       --network internal \
       mariadb:10

+ docker rm -f hubzilla-mysql
Error: No such container: hubzilla-mysql
> > > > > + docker run -d --name=hubzilla-mysql -v /mnt/vols/hubzilla/mysql:/var/lib/mysql -v /etc/mysql/micro.cnf:/etc/mysql/mariadb.conf.d/50-server.cnf -e MYSQL_RANDOM_ROOT_PASSWORD=yes --network internal mariadb:10
cd5a9677a3be549fdf975a1ed75c47d468a3f4501280e05bab1991be7838aaff

DONE
Configure Hubzilla

docker rm -f hubzilla-server
docker run -d --name=hubzilla-server \
       -v /mnt//vols/hubzilla/data:/data \
       -e SERVERNAME=social.codigoparallevar.com \
       --link=hubzilla-mysql:mysql \
       --network=internal \
       kenkeiras/hubzilla:testing

+ docker rm -f hubzilla-server
hubzilla-server
> > > > > + docker run -d --name=hubzilla-server -v /mnt//vols/hubzilla/data:/data -e SERVERNAME=social.codigoparallevar.com --link=hubzilla-mysql:mysql --network=internal kenkeiras/hubzilla:testing
ebba1f6ecc996ec0f137e3c3a793c2e59bf49055ba134f8ad42668af141c5f19

DONE
Configure router

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name social.codigoparallevar.com;
    include /config/nginx/ssl.conf;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # set max upload size
    client_max_body_size 100M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
        proxy_set_header X-Forwarded-Proto https;
        include /config/nginx/proxy.conf;
        proxy_pass  http://hubzilla-server:80;
    }
}

cat > /etc/nginx/sites-enabled/social.conf <<EOF
<<hubzilla-router-config>>
EOF
<<reload-router>>

> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > + cat
+ docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
+ docker start ingress
ingress

DONE
Test migration

DONE
Can login

Does send mails
ARCHIVE

Probably is no longer needed

DONE
Lock old instance

DONE
Migrate DNS

DONE
Generate certificate

DONE
Test everything continues working

DONE
Pleroma test
ARCHIVE

DONE
Network

docker network create pleroma-test

52dde94ff2e18ed1e1c5a6f301fdada68445c7b2314a2cd08ad406036806f33a

DONE
DB

docker rm -f pleroma-test-postgres || true
docker run -d --name=pleroma-test-postgres \
         -e POSTGRES_PASSWORD="CHANGE_THIS"  \
         -e POSTGRES_USER=pleroma \
         -e POSTGRES_DB=pleroma \
         -v /mnt/vols/hubzilla/pleroma-test/postgres:/var/lib/postgresql/data/ \
         --network=internal \
         --memory=190m \
         --restart=unless-stopped \
  postgres:9.6-alpine

+ docker rm -f pleroma-test-postgres
pleroma-test-postgres
> > > > > > > > + docker run -d --name=pleroma-test-postgres -e POSTGRES_PASSWORD=LJQit53q7qWowwaRgdZSuj9mMsRXxUfZ -e POSTGRES_USER=pleroma -e POSTGRES_DB=pleroma -v /mnt/vols/hubzilla/pleroma-test/postgres:/var/lib/postgresql/data/ --network=internal --memory=190m --restart=unless-stopped postgres:9.6-alpine
WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
7eef83b7972fafba427dcae5ad2e93c9ff11cd1eb6d59723b07b8372158b5136

Add citext extension

docker exec -i pleroma-test-postgres psql -U pleroma -c "CREATE EXTENSION IF NOT EXISTS citext;"

+ docker exec -i pleroma-test-postgres psql -U pleroma -c 'CREATE EXTENSION IF NOT EXISTS citext;'
CREATE EXTENSION

DONE
Backend

See
https://github.com/angristan/docker-pleroma

Build

mkdir -p /mnt/vols/hubzilla/pleroma-test/code/ || true
git clone https://github.com/angristan/docker-pleroma /mnt/vols/hubzilla/pleroma-test/code/docker-pleroma
cd /mnt/vols/hubzilla/pleroma-test/code/docker-pleroma
docker build -t pleroma .

Run

docker rm -f pleroma-test-backend || true
docker run -d --name=pleroma-test-backend \
           --link=pleroma-test-postgres:db \
           -e DB_PASS="CHANGE_THIS" \
           -e DOMAIN='pleromatest.codigoparallevar.com' \
           -v /mnt/vols/hubzilla/pleroma-test/uploads:/pleroma/uploads/ \
           --network=internal \
           --memory=380m \
           --restart=unless-stopped \
    pleroma-test

+ docker rm -f pleroma-test-backend
Error: No such container: pleroma-test-backend
> > > > > > > > + docker run -d --name=pleroma-test-backend --link=pleroma-test-postgres:db -e DB_PASS=LJQit53q7qWowwaRgdZSuj9mMsRXxUfZ -e DOMAIN=pleromatest.codigoparallevar.com -v /mnt/vols/hubzilla/pleroma-test/uploads:/pleroma/uploads/ --network=internal --memory=190m --restart=unless-stopped pleroma-test
WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
e2c10538606f8f2ce930c5e4d36a921a2176c8941b5fce8b9f58959b0de1fb72

Configure router

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name pleromatest.codigoparallevar.com;
    include /config/nginx/ssl.conf;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # set max upload size
    client_max_body_size 100M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass  http://pleroma-test-backend:4000;
    }
}

cat > /etc/nginx/sites-enabled/pleroma-test.conf <<EOF
<<pleroma-test-router-config>>
EOF
<<reload-router>>

> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > + cat
+ docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
cat: /var/run/nginx.pid: No such file or directory
sh: you need to specify whom to kill
+ docker start ingress
ingress

DISCARDED
Frontend

GoToSocial

Url
https://gotosocial.org/
On GH
https://github.com/superseriousbusiness/gotosocial
On DockerHub
https://hub.docker.com/r/superseriousbusiness/gotosocial
Installation docs
https://docs.gotosocial.org/en/latest/installation_guide/docker/

A lightweight ActivityPub server written in Go.

DONE
Install service

version: "3.3"

services:
  gotosocial:
    image: superseriousbusiness/gotosocial:0.13.1
    container_name: gotosocial
    user: 1001:1001
    networks:
      - gotosocial
      - internal
    environment:
      GTS_HOST: social.codigoparallevar.com
      GTS_DB_TYPE: sqlite
      GTS_DB_ADDRESS: /gotosocial/storage/sqlite.db
      GTS_LETSENCRYPT_ENABLED: "false"
      GTS_LETSENCRYPT_EMAIL_ADDRESS: ""
      ## For reverse proxy setups:
      # GTS_TRUSTED_PROXIES: "172.x.x.x"
    # ports:
      # - "443:8080"
      ## For letsencrypt:
      #- "80:80"
      ## For reverse proxy setups:
      # - "127.0.0.1:8080:8080"
    volumes:
      - /mnt/vols/hubzilla/gotosocial/storage:/gotosocial/storage
    restart: "always"

networks:
  gotosocial:
    ipam:
      driver: default
  internal:
    name: internal
    external: true

Upload configuration

cat > /mnt/vols/hubzilla/gotosocial/docker-compose.yaml <<EOF
<<gotosocial-docker-compose.yaml>>
EOF

date

Sat 27 Jan 2024 01:16:32 PM CET

Start docker compose

docker-compose up -d

    [2K
0.12.2: Pulling from superseriousbusiness/gotosocial

    [1A[2K
63b65145d645: Already exists
[1B
    [1A[2K
07618903f3e7: Already exists
[1B
    [1A[2K
4f4fb700ef54: Already exists
[1B
    [1A[2K
02538a5ecfdc: Pulling fs layer
[1B
    [1A[2K
48012ea88093: Pulling fs layer
[1B
    [1A[2K
1e69d0e0ee1a: Pulling fs layer
[1B[1A[2K
1e69d0e0ee1a: Downloading [=>                                                 ]  1.369kB/37.24kB
[1B[1A[2K
1e69d0e0ee1a: Verifying Checksum
[1B[1A[2K
1e69d0e0ee1a: Download complete
[1B[3A[2K
02538a5ecfdc: Downloading [>                                                  ]  188.3kB/18.5MB
[3B[2A[2K
48012ea88093: Downloading [>                                                  ]  13.69kB/1.353MB
[2B[3A[2K
02538a5ecfdc: Downloading [==================>                                ]  6.667MB/18.5MB
[3B[2A[2K
48012ea88093: Downloading [=======================================>           ]  1.062MB/1.353MB
[2B[3A[2K
02538a5ecfdc: Verifying Checksum
[3B[3A[2K
02538a5ecfdc: Download complete
[3B[2A[2K
48012ea88093: Verifying Checksum
[2B[2A[2K
48012ea88093: Download complete
[2B[3A[2K
02538a5ecfdc: Extracting [>                                                  ]  196.6kB/18.5MB
[3B[3A[2K
02538a5ecfdc: Extracting [======>                                            ]  2.556MB/18.5MB
[3B[3A[2K
02538a5ecfdc: Extracting [===========>                                       ]  4.325MB/18.5MB
[3B[3A[2K
02538a5ecfdc: Extracting [===============>                                   ]  5.898MB/18.5MB
[3B[3A[2K
02538a5ecfdc: Extracting [====================>                              ]  7.668MB/18.5MB
[3B[3A[2K
02538a5ecfdc: Extracting [===========================>                       ]  10.03MB/18.5MB
[3B[3A[2K
02538a5ecfdc: Extracting [================================>                  ]  11.99MB/18.5MB
[3B[3A[2K
02538a5ecfdc: Extracting [===================================>               ]  12.98MB/18.5MB
[3B[3A[2K
02538a5ecfdc: Extracting [========================================>          ]  14.94MB/18.5MB
[3B[3A[2K
02538a5ecfdc: Extracting [==============================================>    ]   17.3MB/18.5MB
[3B[3A[2K
02538a5ecfdc: Extracting [=================================================> ]  18.28MB/18.5MB
[3B[3A[2K
02538a5ecfdc: Extracting [==================================================>]   18.5MB/18.5MB
[3B[3A[2K
02538a5ecfdc: Pull complete
[3B[2A[2K
48012ea88093: Extracting [=>                                                 ]  32.77kB/1.353MB
[2B[2A[2K
48012ea88093: Extracting [=========>                                         ]  262.1kB/1.353MB
[2B[2A[2K
48012ea88093: Extracting [==================================================>]  1.353MB/1.353MB
[2B[2A[2K
48012ea88093: Pull complete
[2B[1A[2K
1e69d0e0ee1a: Extracting [===========================================>       ]  32.77kB/37.24kB
[1B[1A[2K
1e69d0e0ee1a: Extracting [==================================================>]  37.24kB/37.24kB
[1B[1A[2K
1e69d0e0ee1a: Extracting [==================================================>]  37.24kB/37.24kB
[1B[1A[2K
1e69d0e0ee1a: Pull complete
[1B[2K
Digest: sha256:1d0dcbfd7f14e35ae219877bfbdcc8dfcaa41592f0b31f3ef114c0f16f2132f5
    [2K
Status: Downloaded newer image for superseriousbusiness/gotosocial:0.12.2

DONE
Install reverse proxy

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name social.codigoparallevar.com;
    include /config/nginx/ssl.conf;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # set max upload size
    client_max_body_size 100M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass  http://gotosocial:8080;
    }
}

cat > /etc/nginx/sites-enabled/social.conf <<EOF
<<gotosocial-router-config>>
EOF
<<reload-router>>

ingress

TODO
Configure trusted proxy

See Reverse proxy with NGINX, fixing it is needed for proper rate limiting.

Matrix

Synapse

Software
Synapse

DONE
Launch container

docker rm -f matrix-server
docker run -d --name=matrix-server \
       -v /mnt/vols/misc/matrix:/data \
       -p 8448:8448 -p 8008:8008 \
       --network=internal \
       --memory=480m \
       matrixdotorg/synapse:v1.92.2

matrix-server
d300b48b924772d242c203c81da7eaa53329ae7d06443f8ddb7249b20bbc3a56

DONE
Configure router

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name matrix.codigoparallevar.com;
    include /config/nginx/ssl.conf;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # set max upload size
    client_max_body_size 100M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass  https://matrix-server:8448;
    }
}

cat > /etc/nginx/sites-enabled/matrix.conf <<EOF
<<matrix-router-config>>
EOF
<<reload-router>>

ingress

DONE
Check matrix certs & federation

Url
https://federationtester.matrix.org/

Gitea

DONE
Configure container

docker rm -f gitea-server || true
docker run -d --name=gitea-server \
       -v /mnt/vols/misc/gitea:/data \
       -p 2022:22 \
       --network=internal \
       --memory=380m \
       gitea/gitea:1.21.1

gitea-server
5e9432329d0ccaf23669543091b5408d4cde6a7e8020ddd773ebded006bcf69d

TODO
Add action runner

docker rm -f gitea-server-action-runner || true
docker  run -d --name=gitea-server-action-runner \
        -e GITEA_INSTANCE_URL=https://code.codigoparallevar.com \
        -e GITEA_RUNNER_REGISTRATION_TOKEN=GITEA-REGISTRATION-TOKEN-HERE \
        -v /var/run/docker.sock:/var/run/docker.sock \
        gitea/act_runner:nightly

DONE
Configure router

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name code.codigoparallevar.com;
    include /config/nginx/ssl.conf;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # set max upload size
    client_max_body_size 100M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass  http://gitea-server:3000;
    }
}

cat > /etc/nginx/sites-enabled/gitea.conf <<EOF
<<gitea-router-config>>
EOF
<<reload-router>>

> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > + cat
+ docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
failed to resize tty, using default size
+ docker start ingress
ingress

TechTree

DONE
Configure database

docker rm -f techtree-postgres || true
docker run -d --name=techtree-postgres \
       -e POSTGRES_PASSWORD=CHANGE_THIS \
       -v /mnt/vols/misc/techtree/postgres:/var/lib/postgresql/data/ \
       --network=internal \
       --memory=190m \
       postgres:10

+ docker rm -f techtree-postgres
techtree-postgres
> > > > > + docker run -d --name=techtree-postgres -e POSTGRES_PASSWORD=CHANGE_THIS -v /mnt/vols/misc/techtree/postgres:/var/lib/postgresql/data/ --network=internal --memory=190m postgres:10
WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
39c9bed6f75969b116d60ca291a711e8ad5a1331ed2af3ae7466e8461a03a17f

DONE
Configure container

docker rm -f techtree-server
source ~/.techtree-credentials.sh

GENPASSWD() {
    openssl passwd hex 1 2 3 4 5 6|tr -d '/\n'
}

docker run -d --name=techtree-server -m 500m \
       --link=techtree-postgres:db \
       -e DATABASE_URL=postgres://${TT_USERNAME}:${TT_PASSWORD}@db:5432/${TT_DB} \
       -e SECRET_KEY_BASE="`GENPASSWD`" \
       -e PORT=80 \
       -e MIX_ENV=prod \
       --network=internal \
       --memory=190m \
       kenkeiras/techtree:prod

clean_techtree_credentials

+ docker rm -f techtree-server
techtree-server
+ source /root/.techtree-credentials.sh
++ TT_USERNAME=techtree
++ TT_DB=techtree
++ TT_PASSWORD=D677oBFOZ5y5YXIzi4N37LGw1ANLawL9YcU7E8YNGgX4ZQ6BQCj2oodHfXi3ECiUkEyNhkHuB2vSA.3YblgT3IN46g
server# > > server# server# > > > > > > > > ++ GENPASSWD
++ tr -d '/\n'
++ openssl passwd hex 1 2 3 4 5 6
+ docker run -d --name=techtree-server -m 500m --link=techtree-postgres:db -e DATABASE_URL=postgres://techtree:D677oBFOZ5y5YXIzi4N37LGw1ANLawL9YcU7E8YNGgX4ZQ6BQCj2oodHfXi3ECiUkEyNhkHuB2vSA.3YblgT3IN46g@db:5432/techtree -e SECRET_KEY_BASE=O5hSnbBNbmqZ6BPBqKvuj2ZDc1AoHKCdIlsa4cWKSJm4zLPFWqMs6veQMhLsFmW6WbAUTn1Ni4z1sOcFa918xjy6PQ -e PORT=80 -e MIX_ENV=prod --network=internal --memory=190m kenkeiras/techtree:prod
WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
332084157ece622a25088577813a1f986e610afab8c11369e25983c496fc7253
server# + clean_techtree_credentials
+ unset TT_USERNAME
+ unset TT_DB
+ unset TT_PASSWORD

DONE
Configure router

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name techtree.spiral.systems;
    include /config/nginx/ssl.conf;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # set max upload size
    client_max_body_size 100M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass  http://techtree-server:80;
    }
}

cat > /etc/nginx/sites-enabled/techtree.conf <<EOF
<<techtree-router-config>>
EOF
<<reload-router>>

> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > + cat
+ docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
+ docker start ingress
ingress

Notes API

You are most probably reading these notes already. The API just provides the search function right now.

Configure container

docker pull kenkeiras/notes-api-server:latest
docker rm -f notes-api-server
docker run -d --name notes-api-server \
       -e DB_PATH=/db.sqlite3 \
       -v /mnt/vols/misc/codigoparallevar-api/db.sqlite3:/db.sqlite3:ro \
       --network=internal \
       kenkeiras/notes-api-server:latest

    latest: Pulling from kenkeiras/notes-api-server

    [1A[2K
cea82ae3b787: Already exists 
[1B
    [1A[2K
f525697c80b8: Already exists 
[1B
    [1A[2K
5502e0a13a5e: Pulling fs layer 
[1B[1A[2K
5502e0a13a5e: Downloading   49.2kB/4.9MB
[1B[1A[2K
5502e0a13a5e: Downloading   4.47MB/4.9MB
[1B[1A[2K
5502e0a13a5e: Verifying Checksum 
[1B[1A[2K
5502e0a13a5e: Download complete 
[1B[1A[2K
5502e0a13a5e: Extracting  65.54kB/4.9MB
[1B[1A[2K
5502e0a13a5e: Extracting  131.1kB/4.9MB
[1B[1A[2K
5502e0a13a5e: Extracting  1.704MB/4.9MB
[1B[1A[2K
5502e0a13a5e: Extracting  3.539MB/4.9MB
[1B[1A[2K
5502e0a13a5e: Extracting    4.9MB/4.9MB
[1B[1A[2K
5502e0a13a5e: Pull complete 
[1BDigest: sha256:3ae36797c7da7bcc5dc2c16c49df877aa10a91d6db8aeffb2e54b4a0a3c53c9c
    Status: Downloaded newer image for kenkeiras/notes-api-server:latest
    docker.io/kenkeiras/notes-api-server:latest
    notes-api-server
    245d8fc3f09cc2fbf9273d572b541d9a671f328b755f85edccee3d7ce0703753

Configure router

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name api.codigoparallevar.com;
    include /config/nginx/ssl.conf;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # set max upload size
    client_max_body_size 1M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass  http://notes-api-server:3000;
    }
}

cat > /etc/nginx/sites-enabled/notes-api.conf <<EOF
<<notes-api-router-config>>
EOF
<<reload-router>>

ingress

Wallabag

DONE
Configure container

docker rm -f wallabag-server
docker run -d --name wallabag-server \
       -e SYMFONY__ENV__DOMAIN_NAME=https://wallabag.codigoparallevar.com \
       -v /mnt/vols/misc/wallabag/data:/var/www/wallabag/data \
       -v /mnt/vols/misc/wallabag/images:/var/www/wallabag/web/assets/images \
       --network=internal \
       wallabag/wallabag:2.3.8

+ docker rm -f wallabag-server
wallabag-server
> > > > > + docker run -d --name wallabag-server -e SYMFONY__ENV__DOMAIN_NAME=https://wallabag.codigoparallevar.com -v /mnt/vols/misc/wallabag/data:/var/www/wallabag/data -v /mnt/vols/misc/wallabag/images:/var/www/wallabag/web/assets/images --network=internal wallabag/wallabag:2.3.8
6c4767717793cc1d483bccd7d098236d7105815838e7711a78d62c73a8b84254

DONE
Configure router

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name wallabag.codigoparallevar.com;
    include /config/nginx/ssl.conf;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # set max upload size
    client_max_body_size 100M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass  http://wallabag-server:80;
    }
}

cat > /etc/nginx/sites-enabled/wallabag.conf <<EOF
<<wallabag-router-config>>
EOF
<<reload-router>>

ingress

Wiki

DONE
Configure router

# main server block
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    root /opt/wiki;
    # index index.html index.htm index.php;

    server_name wiki.codigoparallevar.com;

    # # enable subfolder method reverse proxy confs
    # include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    # enable for ldap auth
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    client_max_body_size 0;

    # location / {
    #     try_files $uri $uri/ /index.html /index.php?$args =404;
    # }
}

cat > /etc/nginx/sites-enabled/wiki.conf <<EOF
<<wiki-router-config>>
EOF
<<reload-router>>

> > > > > > > > > > > > > > > > > > > > > > > > > > > > + cat
+ docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
failed to resize tty, using default size
+ docker start ingress
ingress

DISCARDED
BeeRol

DONE
Configure router

# main server block
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    root /opt/beerol;
    # index index.html index.htm index.php;

    server_name beerol.quest;

    # # enable subfolder method reverse proxy confs
    # include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    # enable for ldap auth
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    client_max_body_size 0;

    # location / {
    #     try_files $uri $uri/ /index.html /index.php?$args =404;
    # }
}

cat > /etc/nginx/sites-enabled/beerol.conf <<EOF
<<beerol-router-config>>
EOF
<<reload-router>>

ingress

Birracoin

Configure router

# main server block
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    root /opt/birracoin;
    # index index.html index.htm index.php;

    server_name birracoin.com;
    server_name www.birracoin.com;

    # # enable subfolder method reverse proxy confs
    # include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    # enable for ldap auth
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    client_max_body_size 0;

    # location / {
    #     try_files $uri $uri/ /index.html /index.php?$args =404;
    # }
}

cat > /etc/nginx/sites-enabled/birracoin.conf <<EOF
<<birracoin-router-config>>
EOF
<<reload-router>>

> > > > > > > > > > > > > > > > > > > > > > > > > > > > > + cat
+ docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
+ docker start ingress
ingress

Prosody

DONE
Configure container

docker rm -f prosody-server
docker run -d --name prosody-server \
       -v /mnt/vols/misc/prosody/data:/var/lib/prosody \
       -v /mnt/vols/misc/prosody/etc:/etc/prosody \
       -v /mnt/vols/misc/prosody/certs:/extra/certs \
       -p 5222:5222 \
       -p 5269:5269 \
       -p 5280:5280 \
       --network=internal \
       --memory=190m \
       prosody/prosody:0.11

+ docker rm -f prosody-server
prosody-server
> > > > > > > > > + docker run -d --name prosody-server -v /mnt/vols/misc/prosody/data:/var/lib/prosody -v /mnt/vols/misc/prosody/etc:/etc/prosody -v /mnt/vols/misc/prosody/certs:/extra/certs -p 5222:5222 -p 5269:5269 -p 5280:5280 --network=internal --memory=190m prosody/prosody:0.11
WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
9b5c70494e984865e6caa46796b22dd4a4e48ac3c6df267adaae582fb22eb00f

Grok

# main server block
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # index index.html index.htm index.php;

    server_name grok.spiral.systems;

    # # enable subfolder method reverse proxy confs
    # include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    # enable for ldap auth
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    client_max_body_size 0;

    location / {
        proxy_pass http://172.17.0.1:1234;
    }
}

cat > /etc/nginx/sites-enabled/grok.conf <<EOF
<<grok-router-config>>
EOF
<<reload-router>>

> > > > > > > > > > > > > > > > > > > > > > > > > > > + cat
+ docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
cat: /var/run/nginx.pid: No such file or directory
sh: you need to specify whom to kill
+ docker start ingress
ingress

Wireguard VPN

Fiddling with WireGuard to check how useful can it be to connect to home machines from a remote location.

Installation

apt-get install -y wireguard

  Reading package lists... 100%

Reading package lists... Done
  Building dependency tree... 0%

Building dependency tree... 0%

Building dependency tree... 0%

Building dependency tree... 1%

Building dependency tree... 2%

Building dependency tree... 3%

Building dependency tree... 4%

Building dependency tree... 5%

Building dependency tree... 6%

Building dependency tree... 7%

Building dependency tree... 8%

Building dependency tree... 9%

Building dependency tree... 10%

Building dependency tree... 11%

Building dependency tree... 12%

Building dependency tree... 13%

Building dependency tree... 14%

Building dependency tree... 15%

Building dependency tree... 16%

Building dependency tree... 17%

Building dependency tree... 18%

Building dependency tree... 19%

Building dependency tree... 20%

Building dependency tree... 21%

Building dependency tree... 22%

Building dependency tree... 23%

Building dependency tree... 24%

Building dependency tree... 25%

Building dependency tree... 26%

Building dependency tree... 27%

Building dependency tree... 28%

Building dependency tree... 29%

Building dependency tree... 30%

Building dependency tree... 31%

Building dependency tree... 32%

Building dependency tree... 33%

Building dependency tree... 34%

Building dependency tree... 35%

Building dependency tree... 36%

Building dependency tree... 37%

Building dependency tree... 38%

Building dependency tree... 39%

Building dependency tree... 40%

Building dependency tree... 41%

Building dependency tree... 42%

Building dependency tree... 43%

Building dependency tree... 44%

Building dependency tree... 45%

Building dependency tree... 46%

Building dependency tree... 47%

Building dependency tree... 48%

Building dependency tree... 49%

Building dependency tree... 50%

Building dependency tree... 50%

Building dependency tree... 50%

Building dependency tree... 51%

Building dependency tree... 52%

Building dependency tree... 53%

Building dependency tree... 54%

Building dependency tree... 55%

Building dependency tree... 56%

Building dependency tree... 57%

Building dependency tree... 58%

Building dependency tree... 59%

Building dependency tree... 60%

Building dependency tree... 61%

Building dependency tree... 62%

Building dependency tree... 63%

Building dependency tree... 64%

Building dependency tree... 65%

Building dependency tree... 66%

Building dependency tree... 67%

Building dependency tree... 68%

Building dependency tree... 69%

Building dependency tree... 70%

Building dependency tree... 71%

Building dependency tree... 72%

Building dependency tree... 73%

Building dependency tree... 74%

Building dependency tree... 75%

Building dependency tree... 76%

Building dependency tree... 77%

Building dependency tree... 78%

Building dependency tree... 79%

Building dependency tree... 80%

Building dependency tree... 81%

Building dependency tree... 82%

Building dependency tree... 83%

Building dependency tree... 84%

Building dependency tree... 85%

Building dependency tree... 86%

Building dependency tree... 87%

Building dependency tree... 88%

Building dependency tree... 89%

Building dependency tree... 90%

Building dependency tree... 91%

Building dependency tree... 92%

Building dependency tree... 93%

Building dependency tree... 94%

Building dependency tree... 95%

Building dependency tree... 96%

Building dependency tree... 97%

Building dependency tree... 98%

Building dependency tree... 99%

Building dependency tree
  Reading state information... 0%

Reading state information... 0%

Reading state information... 1%

Reading state information... 3%

Reading state information... 3%

Reading state information... 4%

Reading state information... 5%

Reading state information... 6%

Reading state information... 7%

Reading state information... 8%

Reading state information... 9%

Reading state information... 10%

Reading state information... 11%

Reading state information... 12%

Reading state information... 13%

Reading state information... 14%

Reading state information... 15%

Reading state information... 16%

Reading state information... 17%

Reading state information... 18%

Reading state information... 19%

Reading state information... 20%

Reading state information... 21%

Reading state information... 22%

Reading state information... 23%

Reading state information... 24%

Reading state information... 25%

Reading state information... 26%

Reading state information... 27%

Reading state information... 28%

Reading state information... 29%

Reading state information... 30%

Reading state information... 31%

Reading state information... 32%

Reading state information... 33%

Reading state information... 34%

Reading state information... 35%

Reading state information... 36%

Reading state information... 37%

Reading state information... 39%

Reading state information... 39%

Reading state information... 40%

Reading state information... 41%

Reading state information... 42%

Reading state information... 43%

Reading state information... 44%

Reading state information... 45%

Reading state information... 46%

Reading state information... 47%

Reading state information... 48%

Reading state information... 49%

Reading state information... 50%

Reading state information... 51%

Reading state information... 52%

Reading state information... 53%

Reading state information... 55%

Reading state information... 55%

Reading state information... 56%

Reading state information... 57%

Reading state information... 58%

Reading state information... 59%

Reading state information... 60%

Reading state information... 61%

Reading state information... 62%

Reading state information... 63%

Reading state information... 64%

Reading state information... 65%

Reading state information... 67%

Reading state information... 67%

Reading state information... 68%

Reading state information... 69%

Reading state information... 70%

Reading state information... 71%

Reading state information... 72%

Reading state information... 73%

Reading state information... 75%

Reading state information... 75%

Reading state information... 76%

Reading state information... 77%

Reading state information... 78%

Reading state information... 79%

Reading state information... 80%

Reading state information... 81%

Reading state information... 82%

Reading state information... 83%

Reading state information... 85%

Reading state information... 85%

Reading state information... 86%

Reading state information... 87%

Reading state information... 88%

Reading state information... 89%

Reading state information... 90%

Reading state information... 91%

Reading state information... 92%

Reading state information... 93%

Reading state information... 94%

Reading state information... 95%

Reading state information... 96%

Reading state information... 97%

Reading state information... 100%

Reading state information... Done
  wireguard is already the newest version (1.0.20210223-1~bpo10+1).
  The following packages were automatically installed and are no longer required:
    git-man liberror-perl
  Use 'apt autoremove' to remove them.
  0 upgraded, 0 newly installed, 0 to remove and 33 not upgraded.

Setup

See
https://www.wireguard.com/quickstart/
It's not automated, as it contains private keys ¯\_(ツ)_/¯
It's not supported?

# wg-quick up wg0
[#] ip link add wg0 type wireguard
RTNETLINK answers: Operation not supported
Unable to access interface: Protocol not supported

Fix
https://stackoverflow.com/a/66643937

Docker Watchtower

Url
https://containrrr.dev/watchtower/

Docker's watchtower updates Docker images when new tags are available on the registry.

docker rm -f watchtower || true
docker run -d --name=watchtower \
         -v /var/run/docker.sock:/var/run/docker.sock \
         --memory=190m \
         containrrr/watchtower

Update certificates

docker exec -i ingress ls -lh /etc/letsencrypt/live/codigoparallevar.com/

total 20K
-rw-r--r-- 1 abc users  692 Nov  7 00:30 README
lrwxrwxrwx 1 abc users   44 Jan  6 02:12 cert.pem -> ../../archive/codigoparallevar.com/cert2.pem
lrwxrwxrwx 1 abc users   45 Jan  6 02:12 chain.pem -> ../../archive/codigoparallevar.com/chain2.pem
lrwxrwxrwx 1 abc users   49 Jan  6 02:12 fullchain.pem -> ../../archive/codigoparallevar.com/fullchain2.pem
-rw-r--r-- 1 abc users 5.8K Jan  6 02:12 priv-fullchain-bundle.pem
lrwxrwxrwx 1 abc users   47 Jan  6 02:12 privkey.pem -> ../../archive/codigoparallevar.com/privkey2.pem
-rw------- 1 abc users 4.7K Jan  6 02:12 privkey.pfx

set -eux
# Mail certs
docker cp ingress:/etc/letsencrypt/archive/codigoparallevar.com/fullchain2.pem /mnt/vols/mail/certs/fullchain.pem
docker cp ingress:/etc/letsencrypt/archive/codigoparallevar.com/privkey2.pem /mnt/vols/mail/certs/privkey.pem
docker restart mail

# Prosody certs
docker cp ingress:/etc/letsencrypt/archive/codigoparallevar.com/fullchain2.pem /mnt/vols/misc/prosody/certs/fullchain.pem
docker cp ingress:/etc/letsencrypt/archive/codigoparallevar.com/privkey2.pem /mnt/vols/misc/prosody/certs/privkey.pem
sudo chown 101:0 -R /mnt/vols/misc/prosody/certs/
docker restart prosody-server

# Matrix certs
docker cp ingress:/etc/letsencrypt/archive/codigoparallevar.com/privkey2.pem /mnt/vols/misc/matrix/privkey.pem
docker cp ingress:/etc/letsencrypt/archive/codigoparallevar.com/fullchain2.pem /mnt/vols/misc/matrix/fullchain.pem
sudo chown 991:991 -R /mnt/vols/misc/matrix/
docker restart matrix-server

mail
prosody-server
matrix-server

Table of contents

Private servers configuration

Base config ARCHIVE

TODO Classification

DONE Troubleshooting

TODO Add DKIM

TODO Check self-sending

DISCARDED [ 100% ] Hubzilla ARCHIVE

DONE Setup MySQL

DONE Prepare config

DONE Launch container

DONE Configure Hubzilla

DONE Configure router

DONE Test migration

DONE Can login

Does send mails ARCHIVE

DONE Lock old instance

DONE Migrate DNS

DONE Generate certificate

DONE Test everything continues working

DONE Pleroma test ARCHIVE

DONE Network

DONE DB

DONE Backend

DISCARDED Frontend

DONE Install service

DONE Install reverse proxy

TODO Configure trusted proxy

DONE Launch container

DONE Configure router

DONE Check matrix certs & federation

DONE Configure container

TODO Add action runner

DONE Configure router

DONE Configure database

DONE Configure container

DONE Configure router

DONE Configure container

DONE Configure router

DONE Configure router

DISCARDED BeeRol

DONE Configure router

DONE Configure container

Base config
ARCHIVE

TODO
Classification

DONE
Troubleshooting

TODO
Add DKIM

TODO
Check self-sending

DISCARDED
[ 100% ] Hubzilla
ARCHIVE

DONE
Setup MySQL

DONE
Prepare config

DONE
Launch container

DONE
Configure Hubzilla

DONE
Configure router

DONE
Test migration

DONE
Can login

Does send mails
ARCHIVE

DONE
Lock old instance

DONE
Migrate DNS

DONE
Generate certificate

DONE
Test everything continues working

DONE
Pleroma test
ARCHIVE

DONE
Network

DONE
DB

DONE
Backend

DISCARDED
Frontend

DONE
Install service

DONE
Install reverse proxy

TODO
Configure trusted proxy

DONE
Launch container

DONE
Configure router

DONE
Check matrix certs & federation

DONE
Configure container

TODO
Add action runner

DONE
Configure router

DONE
Configure database

DONE
Configure container

DONE
Configure router

DONE
Configure container

DONE
Configure router

DONE
Configure router

DISCARDED
BeeRol

DONE
Configure router

DONE
Configure container