Private servers configuration

This is a literate devops file based on Howard Abrams's one... at some point I will expose the .org file instead of the rendered version 🤷. While it does configure the servers at codigoparallevar.com, don't take it too seriously 😉.

This file also doubles as a stress-test of mixing code and result blocks, which I had some trouble converting to DOM in the past, so be aware that there might be rendering problems on this file 😅.

Utils

  • Use the key binding defined below (C-c o a s) to insert a remote shell block; the block runs over TRAMP as root on personal_server

;; Insert an org shell source block whose commands run over TRAMP as
;; root on personal_server, with noweb expansion and drawer results.
(defun start-remote-command ()
  (interactive)
  (insert "\#+BEGIN_SRC shell  :async :dir /ssh:root@personal_server: :noweb yes :results drawer")
  (indent-for-tab-command)
  (insert "\n#+END_SRC")
  (indent-for-tab-command)
  (insert "\n"))

(local-set-key (kbd "C-c o a s") 'start-remote-command)

: start-remote-command

  • Run this to test the connection

hostname -I

192.168.1.33 172.18.0.1 172.19.0.1 172.21.0.1 172.20.0.1 172.17.0.1 172.22.0.1 10.0.3.1

  • Install mosh

apt-get install -y mosh

Reading package lists... Done
Building dependency tree
Reading state information... Done
mosh is already the newest version (1.3.2-2.1+b1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Update server packages

apt update
apt upgrade -y

Install docker

apt-get install -y \
        apt-transport-https \
        ca-certificates \
        curl \
        gnupg-agent \
        software-properties-common

+ apt-get install -y apt-transport-https ca-certificates curl gnupg-agent software-properties-common
Reading package lists... Done
Building dependency tree
Reading state information... Done
curl is already the newest version (7.64.0-4+deb10u1).
gnupg-agent is already the newest version (2.2.12-1+deb10u1).
software-properties-common is already the newest version (0.96.20.2-2).
apt-transport-https is already the newest version (1.8.2.1).
ca-certificates is already the newest version (20200601~deb10u1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

  • Add Docker’s official GPG key

# apt-key is deprecated: it adds this key to the global trusted keyring, where it
# can sign any configured repository, not just Docker's. Prefer a per-repository
# keyring under /etc/apt/keyrings referenced with signed-by= in the sources entry.
curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -

+ apt-key add -
+ curl -fsSL https://download.docker.com/linux/debian/gpg
OK

  • Add repository

add-apt-repository \
    "deb [arch=amd64] https://download.docker.com/linux/debian \
   $(lsb_release -cs) \
   stable"

++ lsb_release -cs
+ add-apt-repository 'deb [arch=amd64] https://download.docker.com/linux/debian    buster    stable'

  • Update APT and install Docker

apt-get update && apt-get install -y docker-ce docker-ce-cli containerd.io

+ apt-get update
Hit:1 http://mirror.hetzner.de/debian/packages buster InRelease
Hit:2 http://mirror.hetzner.de/debian/packages buster-updates InRelease
Hit:3 http://mirror.hetzner.de/debian/packages buster-backports InRelease
Hit:4 http://mirror.hetzner.de/debian/security buster/updates InRelease
Hit:5 http://security.debian.org buster/updates InRelease
Hit:6 http://deb.debian.org/debian buster InRelease
Hit:7 http://deb.debian.org/debian buster-updates InRelease
Hit:8 http://deb.debian.org/debian buster-backports InRelease
Hit:9 https://download.docker.com/linux/debian buster InRelease
Reading package lists... Done
+ apt-get install -y docker-ce docker-ce-cli containerd.io
Reading package lists... Done
Building dependency tree
Reading state information... Done
containerd.io is already the newest version (1.2.13-2).
docker-ce-cli is already the newest version (5:19.03.12~3-0~debian-buster).
docker-ce is already the newest version (5:19.03.12~3-0~debian-buster).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Create docker network

# Exact-name check: a bare `grep internal` would also match any network whose name merely contains "internal".
docker network ls --format '{{.Name}}' | grep -qx internal || docker network create internal

+ grep internal
+ docker network ls
+ docker network create internal
b04d6928f041216947f403ec9b13e0c0b95e01b2b17cc519712768e673c06d80

Router

Install one with letsencrypt

VERSION=2.7.4
# Starting with version 1.30 it fails with
# s6-rc: warning: unable to start service legacy-cont-init: command exited 1
docker pull linuxserver/swag:$VERSION
docker rm -f ingress
docker run -d \
       --name=ingress \
       --cap-add=NET_ADMIN \
       -e PUID=1000 \
       -e PGID=1000 \
       -e TZ=Europe/Madrid \
       -e URL=codigoparallevar.com \
       -e SUBDOMAINS=cloud,social,matrix,www,code,wallabag,wiki,pleromatest,api \
       -e VALIDATION=http \
       -e ONLY_SUBDOMAINS=false \
       -e EXTRA_DOMAINS=birracoin.com,www.birracoin.com \
       -e STAGING=false \
       -e EMAIL='me@codigoparallevar.com' \
       -p 443:443 \
       -p 80:80 \
       -v letsencrypt_config:/config \
       -v /etc/nginx/sites-enabled:/config/nginx/site-confs/ \
       -v /etc/nginx/sites-available:/etc/nginx/sites-available:ro \
       -v /mnt/vols/misc/codigoparallevar:/var/lib/nginx/html:ro \
       -v /mnt/vols/misc/wiki:/opt/wiki:ro \
       -v /mnt/vols/misc/birracoin:/opt/birracoin:ro \
       -v /mnt/vols/misc/beerol:/opt/beerol:ro \
       -v /dev/null:/etc/nginx/conf.d/stream.conf:ro \
       --restart unless-stopped \
       --network=internal \
       --memory=190m \
       linuxserver/swag:$VERSION

2.7.4: Pulling from linuxserver/swag
Digest: sha256:6239cc1646cbcaed599b8bb4c203fa9778730580e00cf7bebd33fb3653f55f3e
Status: Image is up to date for linuxserver/swag:2.7.4
docker.io/linuxserver/swag:2.7.4
ingress
ac87d3d3f74434bc9f53c4c6cccf17386d4e32513b2d5f24a7e8f31fc7a17572

Add base config

Base config (archived)

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); a current config should list only
    # TLSv1.2 and TLSv1.3. The swag ssl.conf included in each server block sets its own
    # ssl_protocols, which takes precedence inside those blocks.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

Default

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
  worker_connections 768;
  # multi_accept on;
}

http {

  ##
  # Basic Settings
  ##

  sendfile on;
  tcp_nopush on;
  types_hash_max_size 2048;
  # server_tokens off;

  # server_names_hash_bucket_size 64;
  # server_name_in_redirect off;

  include /etc/nginx/mime.types;
  default_type application/octet-stream;

  ##
  # SSL Settings
  ##

  # TLSv1 and TLSv1.1 are deprecated (RFC 8996) and dropped here. The swag ssl.conf
  # included in each server block also sets ssl_protocols for that block.
  ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
  ssl_prefer_server_ciphers on;

  ##
  # Logging Settings
  ##

  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log;

  ##
  # Gzip Settings
  ##

  gzip on;

  # gzip_vary on;
  # gzip_proxied any;
  # gzip_comp_level 6;
  # gzip_buffers 16 8k;
  # gzip_http_version 1.1;
  # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

  ##
  # Virtual Host Configs
  ##

  include /etc/nginx/conf.d/*.conf;
  include /etc/nginx/sites-enabled/*;
}

## Original: https://raw.githubusercontent.com/linuxserver/docker-letsencrypt/master/root/defaults/default

# redirect all traffic to https
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://\$host\$request_uri;
}

# main server block
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    # root /config/www;
    # index index.html index.htm index.php;

    server_name _;

    # # enable subfolder method reverse proxy confs
    # include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    # enable for ldap auth
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    client_max_body_size 0;

    # location / {
    #     try_files $uri $uri/ /index.html /index.php?$args =404;
    # }

    location /video {
         # Escaped because this file is written through an unquoted heredoc:
         # a bare \$request_uri would be expanded (to nothing) by the shell.
         return 301 /files/\$request_uri;
    }

    # location ~ \.php$ {
    #     fastcgi_split_path_info ^(.+\.php)(/.+)$;
    #     fastcgi_pass 127.0.0.1:9000;
    #     fastcgi_index index.php;
    #     include /etc/nginx/fastcgi_params;
    # }

    # sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
    # notice this is within the same server block as the base
    # don't forget to generate the .htpasswd file as described on docker hub
    #	location ^~ /cp {
    #		auth_basic "Restricted";
    #		auth_basic_user_file /config/nginx/.htpasswd;
    #		include /config/nginx/proxy.conf;
    #		proxy_pass http://192.168.1.50:5050/cp;
    #	}
}

# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;

mkdir -p /etc/nginx/conf.d
mkdir -p /etc/nginx/sites-enabled
# Note: the ingress container only mounts /etc/nginx/sites-enabled (as
# /config/nginx/site-confs/); this host-side nginx.conf is not mounted into it.
cat > /etc/nginx/nginx.conf <<EOF
<<nginx-config>>
EOF
# Unquoted EOF: the shell expands $... in the body, so nginx variables in the
# config must be written as \$host, \$request_uri, and so on.
cat > /etc/nginx/sites-enabled/default.conf <<EOF
<<router-config>>
EOF
<<reload-router>>

+ mkdir /etc/nginx/conf.d
mkdir: cannot create directory ‘/etc/nginx/conf.d’: File exists
+ mkdir /etc/nginx/sites-enabled
mkdir: cannot create directory ‘/etc/nginx/sites-enabled’: File exists
+ cat
+ cat
+ docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
Error response from daemon: Container b5c5fd4fbfd389e45a84e44b86f479d3a4cb050c37461de4474ea50e8eca2dbe is not running
+ docker start ingress
ingress
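The config files above are written through heredocs with an unquoted delimiter, so the shell expands anything that looks like a variable before nginx ever reads the file; an nginx variable that is not escaped as \$name simply disappears, turning a redirect such as return 301 /files/$request_uri; into return 301 /files/;. Below is an added example (not code from the original page) that renders a constructed minimal server block both ways and includes a check that counts variable references so the loss is caught before the config is reloaded. It assumes no shell variable named request_uri is set in the environment.

```shell
#!/bin/sh
# Added example (not part of the original page): an unquoted heredoc (<<EOF)
# lets the shell expand $name before nginx sees it, so unescaped nginx
# variables vanish silently. render_unquoted reproduces that, render_quoted
# is the safe form, and check_no_lost_vars is the check to run before
# `nginx -t`. The server block is a constructed minimal example, not the
# page's real default.conf. Assumes no shell variable named request_uri.

# What the page does: unquoted delimiter, $request_uri expanded by the shell.
render_unquoted() {
    cat <<EOF
server {
    listen 80;
    location /video {
        return 301 /files/$request_uri;
    }
}
EOF
}

# The safe form: quoted delimiter, the body is copied verbatim.
render_quoted() {
    cat <<'EOF'
server {
    listen 80;
    location /video {
        return 301 /files/$request_uri;
    }
}
EOF
}

# Number of $variable references in the text on stdin.
count_vars() {
    { grep -o '\$[A-Za-z_][A-Za-z0-9_]*' || true; } | wc -l | tr -d ' '
}

# $1 = template as written, $2 = rendered output.
# Fails if rendering dropped any variable reference.
check_no_lost_vars() {
    expected=$(printf '%s\n' "$1" | count_vars)
    got=$(printf '%s\n' "$2" | count_vars)
    [ "$got" -eq "$expected" ]
}
```

For the real files, a quoted delimiter (<<'EOF') avoids the escaping altogether; whichever form is used, docker exec ingress nginx -t after writing the file catches syntax errors but not a variable that was silently removed, which is why the count check is worth keeping.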

Restart

docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`' # Reload configuration without restart
docker start ingress # Start it in case it stopped

+ docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
failed to resize tty, using default size
+ docker start ingress
ingress

[ ok ] Reloading nginx: nginx.

Nextcloud

Install nextcloud

  • Install docker

docker rm -f nextcloud
# Nextcloud sits behind the ingress proxy: OVERWRITEHOST/OVERWRITEPROTOCOL fix the
# URLs it generates, and config.php additionally needs trusted_proxies set to the
# proxy's address so brute-force protection keys on the real client IP rather
# than the proxy's.
docker run --name=nextcloud -d \
       -v /mnt/vols/nextcloud/vols/main:/var/www/html \
       -v /mnt/vols/nextcloud/vols/apps:/var/www/html/custom_apps \
       -v /mnt/vols/nextcloud/vols/config:/var/www/html/config \
       -v /mnt/vols/nextcloud/vols/data:/var/www/html/data \
       -e OVERWRITEHOST=cloud.codigoparallevar.com \
       -e OVERWRITEPROTOCOL=https \
       --restart=unless-stopped \
       --network internal \
       --memory=380m \
       nextcloud:27.1.1

nextcloud
2f2abd48ce92e10b4a91d7de937558ffd3728eca5fe1a80a842e7ffc315112bb

Add router config

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name cloud.codigoparallevar.com;
    include /config/nginx/ssl.conf;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # set max upload size
    client_max_body_size 100M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass  http://nextcloud:80;
    }
}

cat > /etc/nginx/sites-enabled/cloud.conf <<EOF
<<cloud-router-config>>
EOF
<<reload-router>>

+ cat
+ docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
Error response from daemon: Cannot link to a non running container: /hubzilla-server AS /ingress/hubzilla-server
+ docker start ingress
ingress

Mail

Prepare mail classifier

  # Sieve filter

  # Declare the extensions used by this script.
  #
  require ["fileinto", "reject"];

  # Test sieve
  #
  if header :contains "Subject" "Sieve Test" {
     fileinto "Junk";
  }

# enabled rulename "PayPal" from matchcase "\"servicio@paypal.es\" <servicio@paypal.es>" move "#imap/NewMail/archive/srv/PayPal"
# enabled rulename "Patreon" from matchcase "Patreon <bingo@patreon.com>" move "#imap/NewMail/archive/srv/Patreon"
# enabled rulename "FSF" from matchcase "<info@fsf.org>" move "#imap/NewMail/archive/coms/FSF"
# enabled rulename "EFF" from matchcase "<membership@eff.org>" move "#imap/NewMail/archive/coms/EFF"
# enabled rulename "DBD" from matchcase "<info@defectivebydesign.org>" move "#imap/NewMail/archive/coms/DBD"
# enabled rulename "Software clown" from matchcase "Itamar Turner-Trauring <itamar@codewithoutrules.com>" move "#imap/NewMail/archive/soft-clown"
# enabled rulename "EFF - action" from matchcase "<action@eff.org>" move "#imap/NewMail/archive/coms/EFF"
# enabled rulename "TheBatch" from matchcase "\"deeplearning.ai\" <thebatch@deeplearning.ai>" move "#imap/NewMail/archive/lists"
# enabled rulename "Dribble" header "Sender" matchcase "no-reply@n.dribbble.com" mark_as_read move "#imap/NewMail/archive/lists/design/dribble"
# enabled rulename "Stack Overflow list" from matchcase "\"Stack Overflow\" <do-not-reply@stackoverflow.email>" | from matchcase "Stack Overflow <do-not-reply@stackoverflow.email>" mark_as_read move "#imap/NewMail/archive/lists/StackOverflow"
# enabled rulename "DEGIRO" from matchcase "DEGIRO <clientes@degiro.es>" move "#imap/NewMail/archive/srv/banca/degiro"
# enabled rulename "Spam - Elitetorrent" from matchcase "\"elitetorrent1.com\" <info@elitetorrent1.com>" mark_as_spam
# enabled rulename "@163 spam" inreplyto matchcase "@163.com" | from matchcase "@163.com" mark_as_spam set_score 0
# enabled rulename "CGPGrey" from matchcase "Grey <Email@CGPGrey.com>" move "#imap/NewMail/archive/lists/grey"
# enabled rulename "Julia Evans" from matchcase "Julia Evans <julia@jvns.ca>" move "#imap/NewMail/archive/lists/julia evans"
# enabled rulename "EFFEctor" from matchcase "\"EFFector List\" <editor@eff.org>" move "#imap/NewMail/archive/coms/EFFector"
# enabled rulename "UseParagon" from matchcase "\"Brandon Foo\" <brandon@useparagon.com>" move "#imap/NewMail/archive/startups/pm-competitors"
# enabled rulename "SourceHut" from matchcase "sourcehut <outgoing@sr.ht>" move "#imap/NewMail/archive/srv/sourcehut"
# enabled rulename "ANDBanc" from matchcase "<andbank@bancononline.com>" move "#imap/NewMail/archive/srv/banca/andbank"
# enabled rulename "Amazon" from matchcase "\"Amazon.es\" <auto-confirm@amazon.es>" move "#imap/NewMail/archive/srv/Amazon"

  # Mailing lists
  #
  elsif header :contains "List-Id" "~mil/sxmo-devel.lists.sr.ht" {
      fileinto "archive/coms/sxmo";
  }
  # "Tails"
  elsif header :contains "List-Id" "amnesia-news.boum.org" {
      fileinto "archive/coms/tails";
  }
  # "PyVigo" (this List-Id appeared in a second rule further down with a
  # different folder; only the first matching branch runs, so they are merged here)
  elsif header :contains "List-Id" "vigo.lists.es.python.org" {
      fileinto "archive/coms/pyvigo";
  }
  # "BOE" header "List-Id"
  elsif header :contains "List-Id" "9416fe6b76f2c3f985c1f8e0f.30885.list-id.mcsv.net" {
      fileinto "archive/boe";
  }
  # "PyMad"
  elsif header :contains "List-Id" "python-madrid-list.meetup.com" {
      fileinto "archive/coms/python-madrid";
  }
  # "Brechadigital"
  elsif header :contains "List-Id" "brechadigital.inventati.org" {
      fileinto  "archive/coms/brechadigital";
  }
  # "eu-gene"
  elsif header :contains "List-Id" "eu-gene.we.lurk.org" {
    fileinto "archive/coms/gen";
  }
  # "Trisquel"
  elsif header :contains "List-Id" "trisquel-devel.listas.trisquel.info" {
    fileinto "archive/coms/trisquel";
  }
  # "NCN"
  elsif header :contains "List-Id" "noconname.listas.noconname.org" {
    fileinto "archive/sec/no-con-name";
  }
  # "AptGetUpdate"
  elsif header :contains "List-Id" "aptgetupdate.lists.riseup.net" {
    fileinto "archive/coms/aptgetupdate";
  }
  # "SV"
  elsif header :contains "List-Id" "sector-virus.googlegroups.com" {
    fileinto "archive/sec/sv";
  }
  # "Una al dia"
  elsif header :contains "List-Id" "dd62599a9195e52f2dca2ab9a.63065.list-id.mcsv.net" {
    # "#imap/NewMail/" is the Thunderbird folder prefix from the old rules above,
    # not a Dovecot mailbox; use the same "archive/..." form as the other rules.
    fileinto "archive/una-al-dia";
  }
  # "GPUL"
  elsif header :contains "List-Id" "asociacion.lists.gpul.org" {
    fileinto "archive/coms/gpul";
  }
  # "Replicant"
  elsif header :contains "List-Id" "replicant.osuosl.org" {
    fileinto "archive/coms/replicant";
  }
  # "FreedomBox"
  elsif header :contains "List-Id" "freedombox-discuss.alioth-lists.debian.net" {
    fileinto "archive/coms/freedom-box";
  }
  # "FullDisclosure"
  elsif header :contains "List-Id" "fulldisclosure.seclists.org" {
    fileinto "archive/fd";
  }
  # "TWIML"
  elsif anyof (header :contains "List-Id" "96b64078a550522835ec6034e.272005.list-id.mcsv.net",
          address :contains "From" "@twimlai.com") {
    fileinto "archive/lists/twiml";
  }
  # "Rooted"
  elsif header :contains "List-Id" "rootedcon.listas.rooted.es" {
    fileinto "archive/sec/rooted";
  }
  # "LaBrecha"
  elsif header :contains "List-Id" "Participa-Brecha.googlegroups.com" {
    fileinto "archive/coms/brechadigital/Participa-brecha";
  }
  # "LibrePlanet"
  elsif header :contains "List-Id" "libreplanet-discuss.libreplanet.org" {
    fileinto "archive/coms/libreplanet";
  }
  # "ElBinario"
  elsif header :contains "List-Id" "binario.listas.elbinario.net" {
    fileinto "archive/coms/el-binario";
  }
  # "Crafting interpreters"
  elsif header :contains "List-Id" "0952ca43ed2536d6717766b88.303821.list-id.mcsv.net" {
    fileinto "archive/crafting-interpreters";
  }
  # "RxJs"
  elsif header :contains "List-Id" "c22e7832272fe0663b822a283.114397.list-id.mcsv.net" {
    fileinto "archive/lists/rxjs";
  }
  # "NMap"
  elsif header :contains "List-Id" "announce.nmap.org" {
    fileinto "archive/sec";
  }
  # "N8N"
  elsif header :contains "List-Id" "2c8845820b0d9053a7bd0fa5f.44345.list-id.mcsv.net" {
    fileinto "archive/startups/pm-competitors";
  }
  # "OrgMode"
  elsif header :contains "List-Id" "emacs-orgmode.gnu.org" {
    fileinto "archive/coms/orgmode";
  }
  # "Tech podcasts - Nacion lumpen"
  elsif header :contains "List-Id" "nacion-lumpen.googlegroups.com" {
    fileinto "archive/lists/podcasts/tech/nacion-lumpen";
  }

  # Keep the rest.

  • Test sieve rules

VERSION=2022-05-13
FNAME=$(mktemp --suffix='.sieve')

# Quoted delimiter: the sieve script is copied verbatim, nothing in it is shell-expanded.
cat > "$FNAME" <<'_EOF_'
<<mail-sieve>>
_EOF_

docker run --rm \
       -v "$FNAME":/var/lib/dovecot/sieve/default.sieve:ro \
       --entrypoint=ash \
       kenkeiras/mail-server:$VERSION -c "/usr/bin/sievec /var/lib/dovecot/sieve/default.sieve"

result=$?
rm "$FNAME"
if [ $result -eq 0 ];
then
    echo "OK"
else
    echo "[ERROR]"
fi
exit $result
OK
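sievec only checks that the script compiles; it says nothing about whether every branch is reachable. Because an if/elsif chain stops at the first matching test, two rules keyed on the same List-Id mean the second one is dead code and its folder is never used. The following is an added example (not part of the original page) of a check for that, written against the header :contains "List-Id" "<pattern>" form the script uses; the sieve snippet it runs on is constructed for the test and deliberately repeats one List-Id.

```shell
#!/bin/sh
# Added example (not part of the original page): sieve evaluates an
# if/elsif chain top to bottom and stops at the first match, so a List-Id
# pattern that appears in two branches makes the second one dead code (the
# message is filed by the first). This check lists such patterns.
# Assumption: rules use the `header :contains "List-Id" "<pattern>"` form,
# as in the script above; the sample script is constructed for the test.

# Read a sieve script on stdin; print "<pattern> <count>" for every List-Id
# pattern used more than once, sorted.
shadowed_list_ids() {
    awk '
        /header[ \t]*:contains[ \t]*"List-Id"/ {
            # The pattern is the last double-quoted string on the line.
            n = split($0, parts, "\"")
            seen[parts[n - 1]]++
        }
        END {
            for (p in seen) if (seen[p] > 1) printf "%s %d\n", p, seen[p]
        }' | sort
}

# Exit status 0 when no pattern is shadowed, 1 otherwise; use it as a gate
# before the sievec compile step (sievec only checks syntax, not reachability).
no_shadowed_rules() {
    [ -z "$(shadowed_list_ids)" ]
}

# Constructed sample with the same shape as the page's script; the PyVigo
# list id is deliberately used twice.
SAMPLE_SIEVE='require ["fileinto"];
if header :contains "Subject" "Sieve Test" {
  fileinto "Junk";
}
elsif header :contains "List-Id" "vigo.lists.es.python.org" {
  fileinto "archive/coms";
}
elsif header :contains "List-Id" "amnesia-news.boum.org" {
  fileinto "archive/coms/tails";
}
elsif anyof (header :contains "List-Id" "96b64078a550522835ec6034e.272005.list-id.mcsv.net",
        address :contains "From" "@twimlai.com") {
  fileinto "archive/lists/twiml";
}
elsif header :contains "List-Id" "vigo.lists.es.python.org" {
  fileinto "archive/coms/pyvigo";
}'

# Run the check over the constructed sample.
sample_shadowed() {
    printf '%s\n' "$SAMPLE_SIEVE" | shadowed_list_ids
}
```

In the test block above, shadowed_list_ids < "$FNAME" before the docker run would have flagged the repeated List-Id; adding no_shadowed_rules as a second gate next to the sievec exit status keeps the script both compilable and free of unreachable rules.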

Configure mail

# See man 5 aliases for format
postmaster: root, kenkeiras
me: kenkeiras
xmpp: kenkeiras
www-data: kenkeiras
bluestash: kenkeiras
sergio: kenkeiras
sergio.martinez: kenkeiras
sergio.mportela: kenkeiras
nullhub: kenkeiras
admin: kenkeiras
hivemind: kenkeiras
tweetcodes: kenkeiras
oneliners: kenkeiras

Install mail

VERSION=2022-05-13
docker pull -q kenkeiras/mail-server:$VERSION
docker rm -f mail

# Configure aliases
cat > /etc/postfix/aliases <<_EOF_
<<mail-aliases>>
_EOF_

# Configure sieve
cat > /var/lib/dovecot/sieve/default.sieve <<_EOF_
<<mail-sieve>>
_EOF_

# Published ports: 25 (SMTP, for MX delivery) and 465 (SMTPS) for Postfix,
# 143 (IMAP) and 993 (IMAPS) for Dovecot. 25 and 143 start in the clear and
# only upgrade via STARTTLS, so whether a client may authenticate unencrypted
# is decided by the image's postfix/dovecot configuration, not by this command.
docker run --name=mail -d    \
       -p 25:25 -p 465:465   \
       -p 143:143 -p 993:993 \
       -v /mnt/vols/mail/spool:/var/spool/postfix \
       -v /mnt/vols/mail/var:/var/lib/postfix     \
       -v /mnt/vols/mail/certs:/extra/mail-certs  \
       -v /etc/dovecot/passdb:/etc/dovecot/passdb \
       -v /etc/postfix/aliases:/etc/aliases       \
       -v /var/lib/dovecot/sieve/default.sieve:/var/lib/dovecot/sieve/default.sieve \
       -v /mnt/vols/mail/mailboxes:/var/mail      \
       -e HOSTNAME='codigoparallevar.com' \
       -e DOMAIN='codigoparallevar.com'   \
       -e POSSIBLE_DESTINATIONS='mail.codigoparallevar.com,codigoparallevar.com,www.codigoparallevar.com' \
       -e CERT_DIRECTORY='/extra/mail-certs' \
       -e USERNAME='kenkeiras' \
       --restart=unless-stopped \
       --network internal \
       --memory=190m \
       kenkeiras/mail-server:$VERSION

docker.io/kenkeiras/mail-server:2022-05-13
mail
0a271e4200291de1e44c7a374d7185f6f75f5fd93af4aaddb61488987a604497

DISCARDED

[ 100% ] Hubzilla

ARCHIVE

DONE

Setup MySQL

DONE

Prepare config

#
# These groups are read by MariaDB server.
# Use it for options that only the server (but not clients) should see
#
# See the examples of server my.cnf files in /usr/share/mysql/
#

# this is read by the standalone daemon and embedded servers
[server]

# this is only for the mysqld standalone daemon
[mysqld]

#
# * Basic Settings
#
user		= mysql
pid-file	= /var/run/mysqld/mysqld.pid
socket		= /var/run/mysqld/mysqld.sock
port		= 3306
basedir		= /usr
datadir		= /var/lib/mysql
tmpdir		= /tmp
lc-messages-dir	= /usr/share/mysql
skip-external-locking

# The stock Debian default is to listen on localhost only. That does not work
# here: the Hubzilla container connects over the docker "internal" network,
# not over this container's loopback, so the server has to listen on all
# interfaces. No port is published for hubzilla-mysql, so the listener is
# still reachable only from containers attached to that network.
bind-address		= 0.0.0.0

#
# * Fine Tuning
#
key_buffer_size		= 16M
max_allowed_packet	= 16M
thread_stack		= 192K
thread_cache_size       = 8
# This replaces the startup script and checks MyISAM tables if needed
# the first time they are touched
myisam_recover_options  = BACKUP
#max_connections        = 100
#table_cache            = 64
#thread_concurrency     = 10

#
# * Query Cache Configuration
#
query_cache_limit	= 1M
query_cache_size        = 16M

#
# * Logging and Replication
#
# Both location gets rotated by the cronjob.
# Be aware that this log type is a performance killer.
# As of 5.1 you can enable the log at runtime!
#general_log_file        = /var/log/mysql/mysql.log
#general_log             = 1
#
# Error log - should be very few entries.
#
log_error = /var/log/mysql/error.log
#
# Enable the slow query log to see queries with especially long duration
#slow_query_log_file	= /var/log/mysql/mariadb-slow.log
#long_query_time = 10
#log_slow_rate_limit	= 1000
#log_slow_verbosity	= query_plan
#log-queries-not-using-indexes
#
# The following can be used as easy to replay backup logs or for replication.
# note: if you are setting up a replication slave, see README.Debian about
#       other settings you may need to change.
#server-id		= 1
#log_bin			= /var/log/mysql/mysql-bin.log
expire_logs_days	= 10
max_binlog_size   = 100M
#binlog_do_db		= include_database_name
#binlog_ignore_db	= exclude_database_name

#
# * InnoDB
#
# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
# Read the manual for more InnoDB related options. There are many!

#
# * Security Features
#
# Read the manual, too, if you want chroot!
# chroot = /var/lib/mysql/
#
# For generating SSL certificates you can use for example the GUI tool "tinyca".
#
# ssl-ca=/etc/mysql/cacert.pem
# ssl-cert=/etc/mysql/server-cert.pem
# ssl-key=/etc/mysql/server-key.pem
#
# Accept only connections using the latest and most secure TLS protocol version.
# ..when MariaDB is compiled with OpenSSL:
# ssl-cipher=TLSv1.2
# ..when MariaDB is compiled with YaSSL (default in Debian):
# ssl=on

#
# * Character sets
#
# MySQL/MariaDB default is Latin1, but in Debian we rather default to the full
# utf8 4-byte character set. See also client.cnf
#
character-set-server  = utf8mb4
collation-server      = utf8mb4_general_ci

#
# * Unix socket authentication plugin is built-in since 10.0.22-6
#
# Needed so the root database user can authenticate without a password but
# only when running as the unix root user.
#
# Also available for other users if required.
# See https://mariadb.com/kb/en/unix_socket-authentication-plugin/

# this is only for embedded server
[embedded]

# This group is only read by MariaDB servers, not by MySQL.
# If you use the same .cnf file for MySQL and MariaDB,
# you can put MariaDB-only options here
[mariadb]

# This group is only read by MariaDB-10.1 servers.
# If you use the same .cnf file for MariaDB of different versions,
# use this group for options that older servers don't understand
[mariadb-10.1]

mkdir -p /etc/mysql/
cat > /etc/mysql/micro.cnf <<EOF
<<server-config>>
EOF

+ mkdir -p /etc/mysql/
+ cat

DONE

Launch container

docker rm -f hubzilla-mysql
docker run -d --name=hubzilla-mysql \
       -v /mnt/vols/hubzilla/mysql:/var/lib/mysql \
       -v /etc/mysql/micro.cnf:/etc/mysql/mariadb.conf.d/50-server.cnf \
       -e MYSQL_RANDOM_ROOT_PASSWORD="yes" \
       --network internal \
       mariadb:10

+ docker rm -f hubzilla-mysql
Error: No such container: hubzilla-mysql
+ docker run -d --name=hubzilla-mysql -v /mnt/vols/hubzilla/mysql:/var/lib/mysql -v /etc/mysql/micro.cnf:/etc/mysql/mariadb.conf.d/50-server.cnf -e MYSQL_RANDOM_ROOT_PASSWORD=yes --network internal mariadb:10
cd5a9677a3be549fdf975a1ed75c47d468a3f4501280e05bab1991be7838aaff

DONE

Configure Hubzilla

docker rm -f hubzilla-server
docker run -d --name=hubzilla-server \
       -v /mnt//vols/hubzilla/data:/data \
       -e SERVERNAME=social.codigoparallevar.com \
       --link=hubzilla-mysql:mysql \
       --network=internal \
       kenkeiras/hubzilla:testing

+ docker rm -f hubzilla-server
hubzilla-server
+ docker run -d --name=hubzilla-server -v /mnt//vols/hubzilla/data:/data -e SERVERNAME=social.codigoparallevar.com --link=hubzilla-mysql:mysql --network=internal kenkeiras/hubzilla:testing
ebba1f6ecc996ec0f137e3c3a793c2e59bf49055ba134f8ad42668af141c5f19

DONE

Configure router

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name social.codigoparallevar.com;
    include /config/nginx/ssl.conf;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak. Hubzilla is a PHP
    # application reached through proxy_pass, so proxy_hide_header is the
    # directive that applies; fastcgi_hide_header only filters fastcgi_pass
    # responses and would leave the header in place here.
    proxy_hide_header X-Powered-By;

    # set max upload size
    client_max_body_size 100M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
        proxy_set_header X-Forwarded-Proto https;
        include /config/nginx/proxy.conf;
        proxy_pass  http://hubzilla-server:80;
    }
}

cat > /etc/nginx/sites-enabled/social.conf <<EOF
<<hubzilla-router-config>>
EOF
<<reload-router>>

+ cat
+ docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
+ docker start ingress
ingress
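The same server-block template is copied for every service on this page, so a small static check run before reloading the ingress is worth having: nginx accepts all of the following silently. This is an added example, not tooling from the page. It parses a server block into (block path, directive, args) and flags three things: fastcgi_* directives next to proxy_pass (they only act on fastcgi_pass responses), an add_header inside a location (nginx inherits add_header from the enclosing level only when the current level sets none, so such a location loses every server-level security header), and required headers that are absent, which is what a commented-out Strict-Transport-Security line amounts to. The config at the bottom is a constructed sample modelled on the template above, and the fixed variant is derived from it.

```python
"""Static check for an nginx site file before the ingress is reloaded.

Added example, not tooling from this page. It understands the shape of the
server blocks used here (one directive or brace per line, '#' comments).
"""

REQUIRED_HEADERS = ["Strict-Transport-Security", "X-Content-Type-Options",
                    "X-Frame-Options", "Referrer-Policy"]

# fastcgi_* directives act only on fastcgi_pass responses; behind proxy_pass
# these are the ones that do the job.
FASTCGI_TO_PROXY = {"fastcgi_hide_header": "proxy_hide_header",
                    "fastcgi_buffers": "proxy_buffers"}


def parse_directives(config_text):
    """Return [(block_path, name, args)] for every active directive.

    block_path is the tuple of enclosing block headers: () at top level,
    ("server",) inside server { }, ("server", "location /") one level down.
    """
    path, directives = [], []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: no '#' in quotes
        if not line:
            continue
        if line.endswith("{"):
            path.append(line[:-1].strip())
        elif line == "}":
            path.pop()
        else:
            name, *args = line.rstrip(";").split()
            directives.append((tuple(path), name, args))
    return directives


def lint_site(config_text):
    """Return a list of findings; an empty list means the file is clean."""
    directives = parse_directives(config_text)
    findings = []

    # 1. fastcgi_* next to proxy_pass is silently inert.
    if any(name == "proxy_pass" for _, name, _ in directives):
        for _, name, _ in directives:
            if name.startswith("fastcgi_"):
                alt = FASTCGI_TO_PROXY.get(name)
                findings.append(f"{name} does not apply to proxy_pass responses; "
                                + (f"use {alt}" if alt else "remove it"))

    # 2. nginx inherits add_header from the enclosing level only when the
    #    current level defines none: one add_header in a location drops every
    #    server-level header for responses served from that location.
    headers_by_block = {}
    for path, name, args in directives:
        if name == "add_header" and args:
            headers_by_block.setdefault(path, set()).add(args[0].strip('"'))
    for path, own in headers_by_block.items():
        for depth in range(len(path) - 1, -1, -1):
            parent = path[:depth]
            if parent in headers_by_block:
                lost = sorted(headers_by_block[parent] - own)
                if lost:
                    findings.append(f"add_header inside '{path[-1]}' hides the "
                                    f"server-level headers: {', '.join(lost)}")
                break

    # 3. Required headers: a commented-out line is simply absent.
    active = set().union(*headers_by_block.values())
    findings += [f"{h} is not set" for h in REQUIRED_HEADERS if h not in active]
    return findings


# Constructed sample: the template from this page plus one add_header in the
# location. Everything it flags is nginx behaviour, not a syntax error.
SAMPLE_SITE = """\
server {
    listen 443 ssl http2;
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;
    fastcgi_buffers 64 4K;
    location / {
        add_header Cache-Control "no-store" always;
        proxy_pass http://hubzilla-server:80;
    }
}
"""

# The same block with every finding addressed: HSTS enabled, proxy_* directives,
# and no add_header inside the location.
FIXED_SITE = SAMPLE_SITE.replace("#add_header", "add_header") \
    .replace("fastcgi_", "proxy_") \
    .replace('        add_header Cache-Control "no-store" always;\n', "")

if __name__ == "__main__":
    for finding in lint_site(SAMPLE_SITE):
        print("-", finding)
    print("fixed:", lint_site(FIXED_SITE) or "clean")
```

Run it over each sites-enabled file before `<<reload-router>>`; the inheritance finding is the one to remember when a per-location `add_header` (a cache or CORS header, say) is added later to one of these blocks, because the security headers vanish from that location without any error in the nginx log.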

DONE

Test migration

DONE

Can login

Does send mails

ARCHIVE

  • Probably no longer needed.

DONE

Pleroma test

ARCHIVE

DONE

Network

docker network create pleroma-test

52dde94ff2e18ed1e1c5a6f301fdada68445c7b2314a2cd08ad406036806f33a

DONE

DB

docker rm -f pleroma-test-postgres || true
docker run -d --name=pleroma-test-postgres \
         -e POSTGRES_PASSWORD="CHANGE_THIS"  \
         -e POSTGRES_USER=pleroma \
         -e POSTGRES_DB=pleroma \
         -v /mnt/vols/hubzilla/pleroma-test/postgres:/var/lib/postgresql/data/ \
         --network=internal \
         --memory=190m \
         --restart=unless-stopped \
  postgres:9.6-alpine

+ docker rm -f pleroma-test-postgres
pleroma-test-postgres
+ docker run -d --name=pleroma-test-postgres -e POSTGRES_PASSWORD=[REDACTED] -e POSTGRES_USER=pleroma -e POSTGRES_DB=pleroma -v /mnt/vols/hubzilla/pleroma-test/postgres:/var/lib/postgresql/data/ --network=internal --memory=190m --restart=unless-stopped postgres:9.6-alpine
WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
7eef83b7972fafba427dcae5ad2e93c9ff11cd1eb6d59723b07b8372158b5136

Add citext extension

docker exec -i pleroma-test-postgres psql -U pleroma -c "CREATE EXTENSION IF NOT EXISTS citext;"

+ docker exec -i pleroma-test-postgres psql -U pleroma -c 'CREATE EXTENSION IF NOT EXISTS citext;'
CREATE EXTENSION

DONE

Backend

Build

mkdir -p /mnt/vols/hubzilla/pleroma-test/code/ || true
git clone https://github.com/angristan/docker-pleroma /mnt/vols/hubzilla/pleroma-test/code/docker-pleroma
cd /mnt/vols/hubzilla/pleroma-test/code/docker-pleroma
# Tag must match the image name the Run block below starts (pleroma-test).
docker build -t pleroma-test .

Run

docker rm -f pleroma-test-backend || true
docker run -d --name=pleroma-test-backend \
           --link=pleroma-test-postgres:db \
           -e DB_PASS="CHANGE_THIS" \
           -e DOMAIN='pleromatest.codigoparallevar.com' \
           -v /mnt/vols/hubzilla/pleroma-test/uploads:/pleroma/uploads/ \
           --network=internal \
           --memory=380m \
           --restart=unless-stopped \
    pleroma-test

+ docker rm -f pleroma-test-backend
Error: No such container: pleroma-test-backend
+ docker run -d --name=pleroma-test-backend --link=pleroma-test-postgres:db -e DB_PASS=[REDACTED] -e DOMAIN=pleromatest.codigoparallevar.com -v /mnt/vols/hubzilla/pleroma-test/uploads:/pleroma/uploads/ --network=internal --memory=190m --restart=unless-stopped pleroma-test
WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
e2c10538606f8f2ce930c5e4d36a921a2176c8941b5fce8b9f58959b0de1fb72

Configure router

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name pleromatest.codigoparallevar.com;
    include /config/nginx/ssl.conf;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak (proxy_hide_header,
    # not fastcgi_hide_header: this location uses proxy_pass)
    proxy_hide_header X-Powered-By;

    # set max upload size
    client_max_body_size 100M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass  http://pleroma-test-backend:4000;
    }
}

cat > /etc/nginx/sites-enabled/pleroma-test.conf <<EOF
<<pleroma-test-router-config>>
EOF
<<reload-router>>

+ cat
+ docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
cat: /var/run/nginx.pid: No such file or directory
sh: you need to specify whom to kill
+ docker start ingress
ingress

DISCARDED

Frontend

GoToSocial

A lightweight ActivityPub server written in Go.

DONE

Install service

version: "3.3"

services:
  gotosocial:
    image: superseriousbusiness/gotosocial:0.13.1
    container_name: gotosocial
    user: 1001:1001
    networks:
      - gotosocial
      - internal
    environment:
      GTS_HOST: social.codigoparallevar.com
      GTS_DB_TYPE: sqlite
      GTS_DB_ADDRESS: /gotosocial/storage/sqlite.db
      GTS_LETSENCRYPT_ENABLED: "false"
      GTS_LETSENCRYPT_EMAIL_ADDRESS: ""
      ## For reverse proxy setups:
      # GTS_TRUSTED_PROXIES: "172.x.x.x"
    # ports:
      # - "443:8080"
      ## For letsencrypt:
      #- "80:80"
      ## For reverse proxy setups:
      # - "127.0.0.1:8080:8080"
    volumes:
      - /mnt/vols/hubzilla/gotosocial/storage:/gotosocial/storage
    restart: "always"

networks:
  gotosocial:
    ipam:
      driver: default
  internal:
    name: internal
    external: true

  • Upload configuration

cat > /mnt/vols/hubzilla/gotosocial/docker-compose.yaml <<EOF
<<gotosocial-docker-compose.yaml>>
EOF

date

Sat 27 Jan 2024 01:16:32 PM CET

  • Start docker compose

docker-compose up -d

    
0.12.2: Pulling from superseriousbusiness/gotosocial
63b65145d645: Already exists
07618903f3e7: Already exists
4f4fb700ef54: Already exists
02538a5ecfdc: Pull complete
48012ea88093: Pull complete
1e69d0e0ee1a: Pull complete
Digest: sha256:1d0dcbfd7f14e35ae219877bfbdcc8dfcaa41592f0b31f3ef114c0f16f2132f5
Status: Downloaded newer image for superseriousbusiness/gotosocial:0.12.2

DONE

Install reverse proxy

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name social.codigoparallevar.com;
    include /config/nginx/ssl.conf;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak (proxy_hide_header,
    # not fastcgi_hide_header: this location uses proxy_pass)
    proxy_hide_header X-Powered-By;

    # set max upload size
    client_max_body_size 100M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass  http://gotosocial:8080;
    }
}

cat > /etc/nginx/sites-enabled/social.conf <<EOF
<<gotosocial-router-config>>
EOF
<<reload-router>>

ingress

TODO

Configure trusted proxy

See the GoToSocial documentation page Reverse proxy with NGINX. Until GTS_TRUSTED_PROXIES names the ingress, every request reaches the server with the ingress container's address as its client IP, so rate limiting cannot tell one client from another.
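What the trusted-proxy list is for, as an added example. This is not GoToSocial's code: the service reads its list from GTS_TRUSTED_PROXIES (the commented line in the compose file above) and its internal handling is not shown on this page, so the function below is the generic rule that reverse-proxied services apply to X-Forwarded-For: believe the header only when the TCP peer is a trusted proxy, then walk the chain from the right and take the first hop that is not itself a trusted proxy. It assumes the included proxy.conf (not shown here) forwards the client address by appending it to X-Forwarded-For, which is nginx's $proxy_add_x_forwarded_for behaviour. The ingress address, the network range and the request log are constructed.

```python
"""Resolve the client address behind a reverse proxy from X-Forwarded-For.

Added example, not GoToSocial's code: it shows the rule that a list of
trusted proxies exists for. Addresses and the request sample are constructed.
"""
import ipaddress
from collections import Counter

# Constructed for the example: the nginx ingress container and the docker
# network ("internal" on this page) that it shares with the service.
INGRESS_ADDR = "172.18.0.2"
INTERNAL_NET = "172.18.0.0/16"


def client_ip(peer_addr, xff_header, trusted_proxies):
    """Return the address that rate limiting should key on.

    peer_addr: TCP peer as the service sees it.
    xff_header: X-Forwarded-For value, or None.
    trusted_proxies: IPs or CIDRs whose forwarding claims are accepted.
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(addr):
        ip = ipaddress.ip_address(addr)  # ValueError on a malformed entry
        return any(ip in net for net in trusted)

    # Header from an untrusted peer: the peer is the client, whatever it claims.
    if not is_trusted(peer_addr):
        return peer_addr

    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Walk from the hop nearest to us outward; the first hop that is not a
    # trusted proxy is the client. Anything left of it was supplied by the
    # client itself and is never used.
    for hop in reversed(hops):
        try:
            if not is_trusted(hop):
                return hop
        except ValueError:
            break  # malformed entry: do not trust anything further left
    # Only trusted proxies (or nothing usable) in the chain: fall back to the
    # peer rather than to an unverifiable header value.
    return peer_addr


def rate_limit_buckets(requests, trusted_proxies):
    """Count requests per resolved client, i.e. per rate-limit bucket."""
    return Counter(client_ip(peer, xff, trusted_proxies) for peer, xff in requests)


# Constructed request log as (peer address, X-Forwarded-For): everything
# arrives through the ingress, which appends the real client address. The
# last entry is a client that sent a forged X-Forwarded-For of its own.
SAMPLE_REQUESTS = [
    (INGRESS_ADDR, "203.0.113.5"),
    (INGRESS_ADDR, "203.0.113.5"),
    (INGRESS_ADDR, "198.51.100.7"),
    (INGRESS_ADDR, "1.1.1.1, 203.0.113.5"),
]

if __name__ == "__main__":
    print("no trusted proxies:", dict(rate_limit_buckets(SAMPLE_REQUESTS, [])))
    print("ingress trusted:   ", dict(rate_limit_buckets(SAMPLE_REQUESTS, [INTERNAL_NET])))
```

With an empty trusted list every request keys on 172.18.0.2, so a single abusive client burns the rate limit for everyone; with the internal network trusted, the client that prepended 1.1.1.1 still resolves to the address the ingress appended, because only trusted hops are skipped. Trusting a range that clients can connect from (203.0.113.0/24 in the test below) is the opposite failure: the forged entry then becomes the client, which is why the list should contain the ingress and nothing wider.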

Matrix

Synapse

DONE

Launch container

docker rm -f matrix-server
# 8448 is the federation listener; 8008 is the plain-HTTP client listener.
# The router below terminates TLS and reaches the container over the
# "internal" network, so 8008 only needs publishing on the host if something
# outside docker has to talk to the client API directly.
docker run -d --name=matrix-server \
       -v /mnt/vols/misc/matrix:/data \
       -p 8448:8448 -p 8008:8008 \
       --network=internal \
       --memory=480m \
       matrixdotorg/synapse:v1.92.2

matrix-server
d300b48b924772d242c203c81da7eaa53329ae7d06443f8ddb7249b20bbc3a56

DONE

Configure router

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name matrix.codigoparallevar.com;
    include /config/nginx/ssl.conf;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak (proxy_hide_header,
    # not fastcgi_hide_header: this location uses proxy_pass)
    proxy_hide_header X-Powered-By;

    # set max upload size
    client_max_body_size 100M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass  https://matrix-server:8448;
    }
}

cat > /etc/nginx/sites-enabled/matrix.conf <<EOF
<<matrix-router-config>>
EOF
<<reload-router>>

ingress

Gitea

DONE

Configure container

docker rm -f gitea-server || true
docker run -d --name=gitea-server \
       -v /mnt/vols/misc/gitea:/data \
       -p 2022:22 \
       --network=internal \
       --memory=380m \
       gitea/gitea:1.21.1

gitea-server
5e9432329d0ccaf23669543091b5408d4cde6a7e8020ddd773ebded006bcf69d

TODO

Add action runner

docker rm -f gitea-server-action-runner || true
# The runner spawns job containers through the docker socket, so every
# workflow that runs on it is root-equivalent on this host: register it only
# for repositories whose contributors you trust, and keep it off the
# "internal" network unless a job really needs to reach the other containers.
# The registration token is a one-time value generated on the Gitea admin
# runner page; the placeholder below keeps it out of these notes.
docker  run -d --name=gitea-server-action-runner \
        -e GITEA_INSTANCE_URL=https://code.codigoparallevar.com \
        -e GITEA_RUNNER_REGISTRATION_TOKEN=GITEA-REGISTRATION-TOKEN-HERE \
        -v /var/run/docker.sock:/var/run/docker.sock \
        gitea/act_runner:nightly

DONE

Configure router

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name code.codigoparallevar.com;
    include /config/nginx/ssl.conf;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak (proxy_hide_header,
    # not fastcgi_hide_header: this location uses proxy_pass)
    proxy_hide_header X-Powered-By;

    # set max upload size
    client_max_body_size 100M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass  http://gitea-server:3000;
    }
}

cat > /etc/nginx/sites-enabled/gitea.conf <<EOF
<<gitea-router-config>>
EOF
<<reload-router>>

+ cat
+ docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
failed to resize tty, using default size
+ docker start ingress
ingress

TechTree

DONE

Configure database

docker rm -f techtree-postgres || true
# POSTGRES_PASSWORD is the superuser password and is only applied when the
# image initialises an empty data directory; on an existing volume it is
# ignored. The run recorded below passed the placeholder literally, so if
# that run created the volume the superuser password really is CHANGE_THIS:
# check from inside the container and rotate it with
#   ALTER USER postgres PASSWORD '...';
docker run -d --name=techtree-postgres \
       -e POSTGRES_PASSWORD=CHANGE_THIS \
       -v /mnt/vols/misc/techtree/postgres:/var/lib/postgresql/data/ \
       --network=internal \
       --memory=190m \
       postgres:10

+ docker rm -f techtree-postgres
techtree-postgres
> > > > > + docker run -d --name=techtree-postgres -e POSTGRES_PASSWORD=CHANGE_THIS -v /mnt/vols/misc/techtree/postgres:/var/lib/postgresql/data/ --network=internal --memory=190m postgres:10
WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
39c9bed6f75969b116d60ca291a711e8ad5a1331ed2af3ae7466e8461a03a17f

DONE

Configure container

docker rm -f techtree-server

# Secrets come from a file outside these notes. This block runs with xtrace
# on, and xtrace prints both the variables the sourced file sets and the
# fully expanded docker command line, so tracing stays off from here until
# the secrets are unset again. (They remain readable through
# `docker inspect techtree-server` for anyone with access to the docker socket.)
set +x
source ~/.techtree-credentials.sh

# SECRET_KEY_BASE drawn straight from the CSPRNG. Building it out of
# `openssl passwd` hashes of fixed strings only yields the entropy of each
# hash's salt, so the whole value is taken from `openssl rand` instead.
GENPASSWD() {
    openssl rand -base64 66 | tr -d '/\n='
}

# `-m` and `--memory` are the same flag, so the limit is given once.
docker run -d --name=techtree-server \
       --link=techtree-postgres:db \
       -e DATABASE_URL=postgres://${TT_USERNAME}:${TT_PASSWORD}@db:5432/${TT_DB} \
       -e SECRET_KEY_BASE="$(GENPASSWD)" \
       -e PORT=80 \
       -e MIX_ENV=prod \
       --network=internal \
       --memory=190m \
       kenkeiras/techtree:prod

clean_techtree_credentials
set -x

+ docker rm -f techtree-server
techtree-server
+ source /root/.techtree-credentials.sh
++ TT_USERNAME=techtree
++ TT_DB=techtree
++ TT_PASSWORD=[REDACTED]
++ GENPASSWD
++ tr -d '/\n'
++ openssl passwd hex 1 2 3 4 5 6
+ docker run -d --name=techtree-server -m 500m --link=techtree-postgres:db -e DATABASE_URL=postgres://techtree:[REDACTED]@db:5432/techtree -e SECRET_KEY_BASE=[REDACTED] -e PORT=80 -e MIX_ENV=prod --network=internal --memory=190m kenkeiras/techtree:prod
WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
332084157ece622a25088577813a1f986e610afab8c11369e25983c496fc7253
+ clean_techtree_credentials
+ unset TT_USERNAME
+ unset TT_DB
+ unset TT_PASSWORD

DONE

Configure router

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name techtree.spiral.systems;
    include /config/nginx/ssl.conf;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak (proxy_hide_header,
    # not fastcgi_hide_header: this location uses proxy_pass)
    proxy_hide_header X-Powered-By;

    # set max upload size
    client_max_body_size 100M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass  http://techtree-server:80;
    }
}

cat > /etc/nginx/sites-enabled/techtree.conf <<EOF
<<techtree-router-config>>
EOF
<<reload-router>>

+ cat
+ docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
+ docker start ingress
ingress

Notes API

You are most probably reading these notes already. The API just provides the search function right now.

Configure container

docker pull kenkeiras/notes-api-server:latest
docker rm -f notes-api-server
docker run -d --name notes-api-server \
       -e DB_PATH=/db.sqlite3 \
       -v /mnt/vols/misc/codigoparallevar-api/db.sqlite3:/db.sqlite3:ro \
       --network=internal \
       kenkeiras/notes-api-server:latest

latest: Pulling from kenkeiras/notes-api-server
cea82ae3b787: Already exists
f525697c80b8: Already exists
5502e0a13a5e: Pull complete
Digest: sha256:3ae36797c7da7bcc5dc2c16c49df877aa10a91d6db8aeffb2e54b4a0a3c53c9c
Status: Downloaded newer image for kenkeiras/notes-api-server:latest
docker.io/kenkeiras/notes-api-server:latest
notes-api-server
245d8fc3f09cc2fbf9273d572b541d9a671f328b755f85edccee3d7ce0703753

Configure router

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name api.codigoparallevar.com;
    include /config/nginx/ssl.conf;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak.
    # proxy_hide_header is the directive that applies here: this block hands
    # requests to the container with proxy_pass, so fastcgi_* directives
    # (fastcgi_hide_header, fastcgi_buffers) would never take effect.
    proxy_hide_header X-Powered-By;

    # set max upload size (the API is search-only, so keep request bodies small)
    client_max_body_size 1M;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass  http://notes-api-server:3000;
    }
}

cat > /etc/nginx/sites-enabled/notes-api.conf <<EOF
<<notes-api-router-config>>
EOF
<<reload-router>>

ingress

Wallabag

DONE

Configure container

docker rm -f wallabag-server
docker run -d --name wallabag-server \
       -e SYMFONY__ENV__DOMAIN_NAME=https://wallabag.codigoparallevar.com \
       -v /mnt/vols/misc/wallabag/data:/var/www/wallabag/data \
       -v /mnt/vols/misc/wallabag/images:/var/www/wallabag/web/assets/images \
       --network=internal \
       wallabag/wallabag:2.3.8

+ docker rm -f wallabag-server
wallabag-server
+ docker run -d --name wallabag-server -e SYMFONY__ENV__DOMAIN_NAME=https://wallabag.codigoparallevar.com -v /mnt/vols/misc/wallabag/data:/var/www/wallabag/data -v /mnt/vols/misc/wallabag/images:/var/www/wallabag/web/assets/images --network=internal wallabag/wallabag:2.3.8
6c4767717793cc1d483bccd7d098236d7105815838e7711a78d62c73a8b84254

DONE

Configure router

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name wallabag.codigoparallevar.com;
    include /config/nginx/ssl.conf;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak.
    # proxy_hide_header is the directive that applies here: this block hands
    # requests to the container with proxy_pass, so fastcgi_* directives
    # (fastcgi_hide_header, fastcgi_buffers) would never take effect.
    proxy_hide_header X-Powered-By;

    # set max upload size
    client_max_body_size 100M;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass  http://wallabag-server:80;
    }
}

cat > /etc/nginx/sites-enabled/wallabag.conf <<EOF
<<wallabag-router-config>>
EOF
<<reload-router>>

ingress

Wiki

DONE

Configure router

# main server block
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    root /opt/wiki;
    # index index.html index.htm index.php;

    server_name wiki.codigoparallevar.com;

    # # enable subfolder method reverse proxy confs
    # include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    # enable for ldap auth
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    client_max_body_size 0;

    # location / {
    #     try_files $uri $uri/ /index.html /index.php?$args =404;
    # }
}

cat > /etc/nginx/sites-enabled/wiki.conf <<EOF
<<wiki-router-config>>
EOF
<<reload-router>>

+ cat
+ docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
failed to resize tty, using default size
+ docker start ingress
ingress

DISCARDED

BeeRol

DONE

Configure router

# main server block
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    root /opt/beerol;
    # index index.html index.htm index.php;

    server_name beerol.quest;

    # # enable subfolder method reverse proxy confs
    # include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    # enable for ldap auth
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    client_max_body_size 0;

    # location / {
    #     try_files $uri $uri/ /index.html /index.php?$args =404;
    # }
}

cat > /etc/nginx/sites-enabled/beerol.conf <<EOF
<<beerol-router-config>>
EOF
<<reload-router>>

ingress

Birracoin

Configure router

# main server block
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    root /opt/birracoin;
    # index index.html index.htm index.php;

    server_name birracoin.com;
    server_name www.birracoin.com;

    # # enable subfolder method reverse proxy confs
    # include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    # enable for ldap auth
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    client_max_body_size 0;

    # location / {
    #     try_files $uri $uri/ /index.html /index.php?$args =404;
    # }
}

cat > /etc/nginx/sites-enabled/birracoin.conf <<EOF
<<birracoin-router-config>>
EOF
<<reload-router>>

+ cat
+ docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
+ docker start ingress
ingress

Prosody

DONE

Configure container

docker rm -f prosody-server
docker run -d --name prosody-server \
       -v /mnt/vols/misc/prosody/data:/var/lib/prosody \
       -v /mnt/vols/misc/prosody/etc:/etc/prosody \
       -v /mnt/vols/misc/prosody/certs:/extra/certs \
       -p 5222:5222 \
       -p 5269:5269 \
       -p 5280:5280 \
       --network=internal \
       --memory=190m \
       prosody/prosody:0.11

+ docker rm -f prosody-server
prosody-server
+ docker run -d --name prosody-server -v /mnt/vols/misc/prosody/data:/var/lib/prosody -v /mnt/vols/misc/prosody/etc:/etc/prosody -v /mnt/vols/misc/prosody/certs:/extra/certs -p 5222:5222 -p 5269:5269 -p 5280:5280 --network=internal --memory=190m prosody/prosody:0.11
WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
9b5c70494e984865e6caa46796b22dd4a4e48ac3c6df267adaae582fb22eb00f

Grok

# main server block
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # index index.html index.htm index.php;

    server_name grok.spiral.systems;

    # # enable subfolder method reverse proxy confs
    # include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    # enable for ldap auth
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    client_max_body_size 0;

    location / {
        # 172.17.0.1 is, by default, the host's docker0 bridge address: the
        # upstream on port 1234 runs on the host itself, not in a container.
        # Unlike the other vhosts this block does not include proxy.conf, so
        # no Host / X-Forwarded-* headers are passed to the upstream.
        proxy_pass http://172.17.0.1:1234;
    }
}

cat > /etc/nginx/sites-enabled/grok.conf <<EOF
<<grok-router-config>>
EOF
<<reload-router>>

+ cat
+ docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
cat: /var/run/nginx.pid: No such file or directory
sh: you need to specify whom to kill
+ docker start ingress
ingress

The reload here signalled nothing: the pid file is written when nginx starts, so its absence means nginx was not running inside the container at that moment. Before assuming the new vhost is live, check `docker exec ingress nginx -t` and `docker logs ingress`.

Wireguard VPN

  • Fiddling with WireGuard to check how useful can it be to connect to home machines from a remote location.

Installation

apt-get install -y wireguard

  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  wireguard is already the newest version (1.0.20210223-1~bpo10+1).
  The following packages were automatically installed and are no longer required:
    git-man liberror-perl
  Use 'apt autoremove' to remove them.
  0 upgraded, 0 newly installed, 0 to remove and 33 not upgraded.

Setup

# wg-quick up wg0
[#] ip link add wg0 type wireguard
RTNETLINK answers: Operation not supported
Unable to access interface: Protocol not supported

The kernel has no WireGuard support. Debian 10's stock 4.19 kernel predates the in-tree module (Linux 5.6), so the buster-backports wireguard package installed above relies on wireguard-dkms, which only builds when the matching linux-headers package is present; `modprobe wireguard` and `dkms status` show whether that happened. wg-quick can also fall back to the userspace wireguard-go when that binary is on PATH, which it evidently is not here.

Docker Watchtower

Docker's watchtower updates Docker images when new tags are available on the registry. Two things to keep in mind: it needs /var/run/docker.sock, which is equivalent to root on the host for anything that can run code inside that container; and it re-pulls mutable tags such as :latest, so every container it updates trusts whatever the registry serves under that tag at the time. Pinning an image by digest (image@sha256:...) is the way to keep one from changing underneath you.

docker rm -f watchtower || true
docker run -d --name=watchtower \
         -v /var/run/docker.sock:/var/run/docker.sock \
         --memory=190m \
         containrrr/watchtower

Update certificates

docker exec -i ingress ls -lh /etc/letsencrypt/live/codigoparallevar.com/

total 20K
-rw-r--r-- 1 abc users  692 Nov  7 00:30 README
lrwxrwxrwx 1 abc users   44 Jan  6 02:12 cert.pem -> ../../archive/codigoparallevar.com/cert2.pem
lrwxrwxrwx 1 abc users   45 Jan  6 02:12 chain.pem -> ../../archive/codigoparallevar.com/chain2.pem
lrwxrwxrwx 1 abc users   49 Jan  6 02:12 fullchain.pem -> ../../archive/codigoparallevar.com/fullchain2.pem
-rw-r--r-- 1 abc users 5.8K Jan  6 02:12 priv-fullchain-bundle.pem
lrwxrwxrwx 1 abc users   47 Jan  6 02:12 privkey.pem -> ../../archive/codigoparallevar.com/privkey2.pem
-rw------- 1 abc users 4.7K Jan  6 02:12 privkey.pfx

set -eux
# Copy from live/ with -L so docker cp follows the symlinks to whatever
# archive version is current (cert2.pem today, cert3.pem after the next
# renewal). Hardcoding the "2" suffix would silently deploy stale certs later.
# Mail certs
docker cp -L ingress:/etc/letsencrypt/live/codigoparallevar.com/fullchain.pem /mnt/vols/mail/certs/fullchain.pem
docker cp -L ingress:/etc/letsencrypt/live/codigoparallevar.com/privkey.pem /mnt/vols/mail/certs/privkey.pem
docker restart mail

# Prosody certs
docker cp -L ingress:/etc/letsencrypt/live/codigoparallevar.com/fullchain.pem /mnt/vols/misc/prosody/certs/fullchain.pem
docker cp -L ingress:/etc/letsencrypt/live/codigoparallevar.com/privkey.pem /mnt/vols/misc/prosody/certs/privkey.pem
sudo chown 101:0 -R /mnt/vols/misc/prosody/certs/
docker restart prosody-server

# Matrix certs
docker cp -L ingress:/etc/letsencrypt/live/codigoparallevar.com/privkey.pem /mnt/vols/misc/matrix/privkey.pem
docker cp -L ingress:/etc/letsencrypt/live/codigoparallevar.com/fullchain.pem /mnt/vols/misc/matrix/fullchain.pem
sudo chown 991:991 -R /mnt/vols/misc/matrix/
docker restart matrix-server

mail
prosody-server
matrix-server
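The certificate copy above restarts every consumer on each run and depends on the archive version suffix. The following is an added example, not part of the original notes, of the same deployment done idempotently: it resolves live/ to the current archive file, copies only when the material changed, applies the owner and a 0600 mode to the private key, and runs the restart hook only on change. It assumes the Let's Encrypt tree is reachable on the local filesystem (for the ingress container that means first copying it out, e.g. with `docker cp -L`), and the domain, destination directory, owner and restart command are parameters supplied by the caller; the `example.test` domain and the file contents used when exercising it are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): deploy the *current* Let's
# Encrypt certificate to a consumer directory by following live/ symlinks,
# and restart the consumer only when something actually changed.
set -eu

# Resolve live/<domain>/<file> to the archive file it currently points at,
# e.g. .../archive/<domain>/fullchain2.pem. readlink -f handles the relative
# ../../archive/... links certbot writes.
resolve_live() {
    le_root=$1; domain=$2; file=$3
    readlink -f "$le_root/live/$domain/$file"
}

# Archive version number of a resolved path (fullchain2.pem -> 2), for logging
# which renewal is deployed.
archive_version() {
    basename "$1" | sed -n 's/^[a-z]*\([0-9][0-9]*\)\.pem$/\1/p'
}

# deploy_cert LE_ROOT DOMAIN DEST OWNER RESTART_CMD
# Copies fullchain.pem and privkey.pem into DEST if they differ from what is
# there, fixes ownership/modes, and runs RESTART_CMD only on change.
# Prints "updated" or "unchanged".
deploy_cert() {
    le_root=$1; domain=$2; dest=$3; owner=$4; restart_cmd=$5
    changed=0
    mkdir -p "$dest"
    for f in fullchain privkey; do
        src=$(resolve_live "$le_root" "$domain" "$f.pem")
        [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
        # cmp -s is a byte comparison: a renewal always changes both files.
        if [ ! -f "$dest/$f.pem" ] || ! cmp -s "$src" "$dest/$f.pem"; then
            cp "$src" "$dest/$f.pem"
            changed=1
        fi
    done
    # Ownership must match the uid the consumer runs as (101:0 for prosody,
    # 991:991 for synapse in the notes). Needs root for foreign uids.
    chown -R "$owner" "$dest" || echo "warning: chown $owner on $dest failed" >&2
    chmod 644 "$dest/fullchain.pem"
    chmod 600 "$dest/privkey.pem"   # the private key must never be world-readable
    if [ "$changed" -eq 1 ]; then
        sh -c "$restart_cmd"
        echo updated
    else
        echo unchanged
    fi
}

# Usage (hypothetical paths, matching the layout in the notes):
#   deploy_cert /srv/letsencrypt codigoparallevar.com /mnt/vols/mail/certs 0:0 "docker restart mail"
#   deploy_cert /srv/letsencrypt codigoparallevar.com /mnt/vols/misc/prosody/certs 101:0 "docker restart prosody-server"
```

Run it from cron after certbot's renewal and the consumers are only bounced when a new certificate actually arrives; a mismatched pair (fullchain from one renewal, privkey from another) cannot happen because both are taken from the same live/ directory in one pass. If openssl is available, comparing `openssl x509 -noout -pubkey -in fullchain.pem` with `openssl pkey -pubout -in privkey.pem` before restarting is a cheap extra guard.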