Private servers configuration

This is a literate devops file based on Howard Abrams's one... at some point I will expose the .org file instead of the rendered version 🤷. While it does configure the servers at codigoparallevar.com, don't take it too seriously 😉.

This file also doubles as a stress-test of mixing code and result blocks, which I had some trouble converting to DOM in the past, so be aware that there might be rendering problems on this file 😅.

Utils

  • Use C-c C-n C-s to create a remote region

(defun start-remote-command ()
  (interactive)
  (insert "\#+BEGIN_SRC shell  :async :dir /ssh:root@personal_server: :noweb yes :results drawer")
  (indent-for-tab-command)
  (insert "\n#+END_SRC")
  (indent-for-tab-command)
  (insert "\n"))

(local-set-key (kbd "C-c o a s") 'start-remote-command)

: start-remote-command

  • Run this to test the connection

hostname -I

    192.168.1.33 172.18.0.1 172.19.0.1 172.21.0.1 172.20.0.1 172.17.0.1 172.22.0.1 10.0.3.1

  • Install mosh

apt-get install -y mosh

    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    mosh is already the newest version (1.3.2-2.1+b1).
    0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Update server packages

apt update
apt upgrade -y

Install docker

apt-get install -y \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg-agent \
    software-properties-common

    + apt-get install -y apt-transport-https ca-certificates curl gnupg-agent software-properties-common
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    curl is already the newest version (7.64.0-4+deb10u1).
    gnupg-agent is already the newest version (2.2.12-1+deb10u1).
    software-properties-common is already the newest version (0.96.20.2-2).
    apt-transport-https is already the newest version (1.8.2.1).
    ca-certificates is already the newest version (20200601~deb10u1).
    0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

  • Add Docker’s official GPG key

curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -

    + apt-key add -
    + curl -fsSL https://download.docker.com/linux/debian/gpg
    OK

  • Add repository

add-apt-repository \
    "deb [arch=amd64] https://download.docker.com/linux/debian \
    $(lsb_release -cs) \
    stable"

    ++ lsb_release -cs
    + add-apt-repository 'deb [arch=amd64] https://download.docker.com/linux/debian    buster    stable'

  • Update APT and install Docker

apt-get update && apt-get install -y docker-ce docker-ce-cli containerd.io

    + apt-get update
    Hit:1 http://mirror.hetzner.de/debian/packages buster InRelease
    Hit:2 http://mirror.hetzner.de/debian/packages buster-updates InRelease
    Hit:3 http://mirror.hetzner.de/debian/packages buster-backports InRelease
    Hit:4 http://mirror.hetzner.de/debian/security buster/updates InRelease
    Hit:5 http://security.debian.org buster/updates InRelease
    Hit:6 http://deb.debian.org/debian buster InRelease
    Hit:7 http://deb.debian.org/debian buster-updates InRelease
    Hit:8 http://deb.debian.org/debian buster-backports InRelease
    Hit:9 https://download.docker.com/linux/debian buster InRelease
    Reading package lists... Done
    + apt-get install -y docker-ce docker-ce-cli containerd.io
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    containerd.io is already the newest version (1.2.13-2).
    docker-ce-cli is already the newest version (5:19.03.12~3-0~debian-buster).
    docker-ce is already the newest version (5:19.03.12~3-0~debian-buster).
    0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Create docker network

docker network ls | grep internal || docker network create internal

+ grep internal
+ docker network ls
+ docker network create internal
b04d6928f041216947f403ec9b13e0c0b95e01b2b17cc519712768e673c06d80

Router

Install one with letsencrypt

VERSION=2.7.4
# Starting with version 1.30 it fails with:
# "s6-rc: warning: unable to start service legacy-cont-init: command exited 1"
docker pull linuxserver/swag:$VERSION
docker rm -f ingress
docker run -d \
       --name=ingress \
       --cap-add=NET_ADMIN \
       -e PUID=1000 \
       -e PGID=1000 \
       -e TZ=Europe/Madrid \
       -e URL=codigoparallevar.com \
       -e SUBDOMAINS=cloud,social,social,matrix,www,code,wallabag,wiki,pleromatest,api,grocy \
       -e VALIDATION=http \
       -e ONLY_SUBDOMAINS=false \
       -e EXTRA_DOMAINS=birracoin.com,www.birracoin.com \
       -e STAGING=false \
       -e EMAIL='me@codigoparallevar.com' \
       -p 443:443 \
       -p 80:80 \
       -v letsencrypt_config:/config \
       -v /etc/nginx/sites-enabled:/config/nginx/site-confs/ \
       -v /etc/nginx/sites-available:/etc/nginx/sites-available:ro \
       -v /mnt/vols/misc/codigoparallevar:/var/lib/nginx/html:ro \
       -v /mnt/vols/misc/wiki:/opt/wiki:ro \
       -v /mnt/vols/misc/birracoin:/opt/birracoin:ro \
       -v /mnt/vols/misc/beerol:/opt/beerol:ro \
       -v /dev/null:/etc/nginx/conf.d/stream.conf:ro \
       --restart unless-stopped \
       --network=internal \
       --memory=190m \
       linuxserver/swag:$VERSION

    2.7.4: Pulling from linuxserver/swag
    Digest: sha256:c88e4a82ba5813f1efd85266126bfaa69e6568134d28864e2ac0dd043334c063
    Status: Image is up to date for linuxserver/swag:2.7.4
    docker.io/linuxserver/swag:2.7.4
    ingress
    bf309e60f03678249994dce64da9de7d9601f5b0db65c6750bc4e0fb23caa8e6

Add base config

Base config (ARCHIVE)

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

Default

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

## Original: https://raw.githubusercontent.com/linuxserver/docker-letsencrypt/master/root/defaults/default

# redirect all traffic to https
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://\$host\$request_uri;
}

# main server block
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    # root /config/www;
    # index index.html index.htm index.php;

    server_name _;

    # # enable subfolder method reverse proxy confs
    # include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    # enable for ldap auth
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    client_max_body_size 0;

    # location / {
    #     try_files $uri $uri/ /index.html /index.php?$args =404;
    # }

    # \$ is escaped because this block is written through an unquoted heredoc;
    # an unescaped $request_uri would be expanded (to nothing) by the shell.
    location /video {
        return 301 /files/\$request_uri;
    }

    # location ~ \.php$ {
    #     fastcgi_split_path_info ^(.+\.php)(/.+)$;
    #     fastcgi_pass 127.0.0.1:9000;
    #     fastcgi_index index.php;
    #     include /etc/nginx/fastcgi_params;
    # }

    # sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
    # notice this is within the same server block as the base
    # don't forget to generate the .htpasswd file as described on docker hub
    #    location ^~ /cp {
    #        auth_basic "Restricted";
    #        auth_basic_user_file /config/nginx/.htpasswd;
    #        include /config/nginx/proxy.conf;
    #        proxy_pass http://192.168.1.50:5050/cp;
    #    }
}

# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;

mkdir /etc/nginx/conf.d
mkdir /etc/nginx/sites-enabled
cat > /etc/nginx/nginx.conf <<EOF
<<nginx-config>>
EOF
cat > /etc/nginx/sites-enabled/default.conf <<EOF
<<router-config>>
EOF
<<reload-router>>

    + mkdir /etc/nginx/conf.d
    mkdir: cannot create directory ‘/etc/nginx/conf.d’: File exists
    + mkdir /etc/nginx/sites-enabled
    mkdir: cannot create directory ‘/etc/nginx/sites-enabled’: File exists
    + cat
    + cat
    + docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
    Error response from daemon: Container b5c5fd4fbfd389e45a84e44b86f479d3a4cb050c37461de4474ea50e8eca2dbe is not running
    + docker start ingress
    ingress

Restart

docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`' # Reload configuration without restart
docker start ingress # Start it in case it stopped

    + docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
    failed to resize tty, using default size
    + docker start ingress
    ingress

    [ ok ] Reloading nginx: nginx.

Nextcloud

Install nextcloud

  • Install docker

docker rm -f nextcloud
docker run --name=nextcloud -d \
       -v /mnt/vols/nextcloud/vols/main:/var/www/html \
       -v /mnt/vols/nextcloud/vols/apps:/var/www/html/custom_apps \
       -v /mnt/vols/nextcloud/vols/config:/var/www/html/config \
       -v /mnt/vols/nextcloud/vols/data:/var/www/html/data \
       -e OVERWRITEHOST=cloud.codigoparallevar.com \
       -e OVERWRITEPROTOCOL=https \
       --restart=unless-stopped \
       --network internal \
       --memory=380m \
       nextcloud:29.0.3

      nextcloud
      5d9a7adcc0172648143f2a43cd6c6d4931a7572d2252abed28e88a9cc2ae18a8

Add router config

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name cloud.codigoparallevar.com;
    include /config/nginx/ssl.conf;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak.
    # This block proxies with proxy_pass, so the proxy_* directive is the one
    # that applies; fastcgi_hide_header only affects fastcgi_pass locations.
    proxy_hide_header X-Powered-By;

    # set max upload size
    client_max_body_size 100M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass  http://nextcloud:80;
    }
}

cat > /etc/nginx/sites-enabled/cloud.conf <<EOF
<<cloud-router-config>>
EOF
<<reload-router>>

    + cat
    + docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
    Error response from daemon: Cannot link to a non running container: /hubzilla-server AS /ingress/hubzilla-server
    + docker start ingress
    ingress
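
As an added check (not part of the original file), a small Python lint over constructed, abridged samples of the nginx.conf and cloud.conf blocks above: it flags the TLSv1/TLSv1.1 entries in ssl_protocols, the commented-out server_tokens off, the still-commented Strict-Transport-Security header, and a fastcgi_hide_header directive inside a proxy_pass server block, where only proxy_hide_header takes effect. The sample texts and the list of expected headers are assumptions for the example, not the files as deployed.

```python
"""Lint nginx config text for weak TLS versions, version disclosure,
missing response headers and hide_header directives of the wrong family."""
import re

WEAK_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
# Headers the cloud.conf block intends to send (HSTS is still commented out there).
EXPECTED_HEADERS = ("Strict-Transport-Security", "X-Content-Type-Options",
                    "X-Frame-Options", "Referrer-Policy")

# Constructed sample: the relevant lines of the page's nginx.conf ("Default" block).
NGINX_CONF = """\
http {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    # server_tokens off;
}
"""

# Constructed sample: the same block with both findings corrected.
NGINX_CONF_HARDENED = """\
http {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    server_tokens off;
}
"""

# Constructed sample: the relevant lines of the cloud.conf block, deliberately
# keeping fastcgi_hide_header, which does nothing for a proxy_pass location.
CLOUD_CONF = """\
server {
    listen 443 ssl http2;
    server_name cloud.codigoparallevar.com;
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;
    location / {
        proxy_pass  http://nextcloud:80;
    }
}
"""


def active_directives(text):
    """Return [(name, args)] for every simple directive that is not commented out.

    Block openers/closers ('http {', '}') are skipped and '#' starts a comment;
    this is sufficient for the one-directive-per-line style used on this page."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith(";"):
            parts = line[:-1].split()
            if parts:
                out.append((parts[0], parts[1:]))
    return out


def lint_nginx(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    directives = active_directives(text)
    names = {name for name, _ in directives}
    findings = []

    for name, args in directives:
        if name == "ssl_protocols":
            weak = [p for p in args if p in WEAK_PROTOCOLS]
            if weak:
                findings.append("weak TLS versions enabled: " + ", ".join(weak))

    # server_tokens belongs to the http context; only judge it when that block is present.
    if re.search(r"^\s*http\s*\{", text, re.M):
        if not any(n == "server_tokens" and a == ["off"] for n, a in directives):
            findings.append("server_tokens is not set to off (nginx version is disclosed)")

    # Header checks apply to server blocks, recognised by a listen directive.
    if "listen" in names:
        sent = {a[0].strip('"') for n, a in directives if n == "add_header" and a}
        for header in EXPECTED_HEADERS:
            if header not in sent:
                findings.append("missing security header: " + header)

    # fastcgi_* directives do not apply to proxy_pass, so the header still leaks.
    if ("proxy_pass" in names and "fastcgi_hide_header" in names
            and "proxy_hide_header" not in names):
        findings.append("fastcgi_hide_header has no effect behind proxy_pass; use proxy_hide_header")

    return findings


if __name__ == "__main__":
    for label, conf in (("nginx.conf", NGINX_CONF),
                        ("nginx.conf (hardened)", NGINX_CONF_HARDENED),
                        ("cloud.conf", CLOUD_CONF)):
        print(label, "->", lint_nginx(conf) or "clean")
```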

Mail

Prepare mail classifier

# Sieve filter

# Declare the extensions used by this script.
#
require ["fileinto", "reject"];

# Test sieve
#
if header :contains "Subject" "Sieve Test" {
    fileinto "Junk";
}

# enabled rulename "PayPal" from matchcase "\"servicio@paypal.es\" <servicio@paypal.es>" move "#imap/NewMail/archive/srv/PayPal"
# enabled rulename "Patreon" from matchcase "Patreon <bingo@patreon.com>" move "#imap/NewMail/archive/srv/Patreon"
# enabled rulename "FSF" from matchcase "<info@fsf.org>" move "#imap/NewMail/archive/coms/FSF"
# enabled rulename "EFF" from matchcase "<membership@eff.org>" move "#imap/NewMail/archive/coms/EFF"
# enabled rulename "DBD" from matchcase "<info@defectivebydesign.org>" move "#imap/NewMail/archive/coms/DBD"
# enabled rulename "Software clown" from matchcase "Itamar Turner-Trauring <itamar@codewithoutrules.com>" move "#imap/NewMail/archive/soft-clown"
# enabled rulename "EFF - action" from matchcase "<action@eff.org>" move "#imap/NewMail/archive/coms/EFF"
# enabled rulename "TheBatch" from matchcase "\"deeplearning.ai\" <thebatch@deeplearning.ai>" move "#imap/NewMail/archive/lists"
# enabled rulename "Dribble" header "Sender" matchcase "no-reply@n.dribbble.com" mark_as_read move "#imap/NewMail/archive/lists/design/dribble"
# enabled rulename "Stack Overflow list" from matchcase "\"Stack Overflow\" <do-not-reply@stackoverflow.email>" | from matchcase "Stack Overflow <do-not-reply@stackoverflow.email>" mark_as_read move "#imap/NewMail/archive/lists/StackOverflow"
# enabled rulename "DEGIRO" from matchcase "DEGIRO <clientes@degiro.es>" move "#imap/NewMail/archive/srv/banca/degiro"
# enabled rulename "Spam - Elitetorrent" from matchcase "\"elitetorrent1.com\" <info@elitetorrent1.com>" mark_as_spam
# enabled rulename "@163 spam" inreplyto matchcase "@163.com" | from matchcase "@163.com" mark_as_spam set_score 0
# enabled rulename "CGPGrey" from matchcase "Grey <Email@CGPGrey.com>" move "#imap/NewMail/archive/lists/grey"
# enabled rulename "Julia Evans" from matchcase "Julia Evans <julia@jvns.ca>" move "#imap/NewMail/archive/lists/julia evans"
# enabled rulename "EFFEctor" from matchcase "\"EFFector List\" <editor@eff.org>" move "#imap/NewMail/archive/coms/EFFector"
# enabled rulename "UseParagon" from matchcase "\"Brandon Foo\" <brandon@useparagon.com>" move "#imap/NewMail/archive/startups/pm-competitors"
# enabled rulename "SourceHut" from matchcase "sourcehut <outgoing@sr.ht>" move "#imap/NewMail/archive/srv/sourcehut"
# enabled rulename "ANDBanc" from matchcase "<andbank@bancononline.com>" move "#imap/NewMail/archive/srv/banca/andbank"
# enabled rulename "Amazon" from matchcase "\"Amazon.es\" <auto-confirm@amazon.es>" move "#imap/NewMail/archive/srv/Amazon"

# Mailing lists
#
elsif header :contains "List-Id" "~mil/sxmo-devel.lists.sr.ht" {
    fileinto "archive/coms/sxmo";
}
# "Tails"
elsif header :contains "List-Id" "amnesia-news.boum.org" {
    fileinto "archive/coms/tails";
}
# "PyVigo" / "Python Vigo"
# Only the first matching branch of an if/elsif chain runs, so a second rule
# on this same List-Id further down could never fire; the two are merged here
# and file into the more specific folder.
elsif header :contains "List-Id" "vigo.lists.es.python.org" {
    fileinto "archive/coms/pyvigo";
}
# "BOE" header "List-Id"
elsif header :contains "List-Id" "9416fe6b76f2c3f985c1f8e0f.30885.list-id.mcsv.net" {
    fileinto "archive/boe";
}
# "PyMad"
elsif header :contains "List-Id" "python-madrid-list.meetup.com" {
    fileinto "archive/coms/python-madrid";
}
# "Brechadigital"
elsif header :contains "List-Id" "brechadigital.inventati.org" {
    fileinto "archive/coms/brechadigital";
}
# "eu-gene"
elsif header :contains "List-Id" "eu-gene.we.lurk.org" {
    fileinto "archive/coms/gen";
}
# "Trisquel"
elsif header :contains "List-Id" "trisquel-devel.listas.trisquel.info" {
    fileinto "archive/coms/trisquel";
}
# "NCN"
elsif header :contains "List-Id" "noconname.listas.noconname.org" {
    fileinto "archive/sec/no-con-name";
}
# "AptGetUpdate"
elsif header :contains "List-Id" "aptgetupdate.lists.riseup.net" {
    fileinto "archive/coms/aptgetupdate";
}
# "SV"
elsif header :contains "List-Id" "sector-virus.googlegroups.com" {
    fileinto "archive/sec/sv";
}
# "Una al dia"
elsif header :contains "List-Id" "dd62599a9195e52f2dca2ab9a.63065.list-id.mcsv.net" {
    # Plain folder path like every other rule; the "#imap/NewMail/" prefix is the
    # Thunderbird-style path used by the legacy rules above, not a Sieve mailbox.
    fileinto "archive/una-al-dia";
}
# "GPUL"
elsif header :contains "List-Id" "asociacion.lists.gpul.org" {
    fileinto "archive/coms/gpul";
}
# "Replicant"
elsif header :contains "List-Id" "replicant.osuosl.org" {
    fileinto "archive/coms/replicant";
}
# "FreedomBox"
elsif header :contains "List-Id" "freedombox-discuss.alioth-lists.debian.net" {
    fileinto "archive/coms/freedom-box";
}
# "FullDisclosure"
elsif header :contains "List-Id" "fulldisclosure.seclists.org" {
    fileinto "archive/fd";
}
# "TWIML"
elsif anyof (header :contains "List-Id" "96b64078a550522835ec6034e.272005.list-id.mcsv.net",
             address :contains "From" "@twimlai.com") {
    fileinto "archive/lists/twiml";
}
# "Rooted"
elsif header :contains "List-Id" "rootedcon.listas.rooted.es" {
    fileinto "archive/sec/rooted";
}
# "LaBrecha"
elsif header :contains "List-Id" "Participa-Brecha.googlegroups.com" {
    fileinto "archive/coms/brechadigital/Participa-brecha";
}
# "LibrePlanet"
elsif header :contains "List-Id" "libreplanet-discuss.libreplanet.org" {
    fileinto "archive/coms/libreplanet";
}
# "ElBinario"
elsif header :contains "List-Id" "binario.listas.elbinario.net" {
    fileinto "archive/coms/el-binario";
}
# "Crafting interpreters"
elsif header :contains "List-Id" "0952ca43ed2536d6717766b88.303821.list-id.mcsv.net" {
    fileinto "archive/crafting-interpreters";
}
# "RxJs"
elsif header :contains "List-Id" "c22e7832272fe0663b822a283.114397.list-id.mcsv.net" {
    fileinto "archive/lists/rxjs";
}
# "NMap"
elsif header :contains "List-Id" "announce.nmap.org" {
    fileinto "archive/sec";
}
# "N8N"
elsif header :contains "List-Id" "2c8845820b0d9053a7bd0fa5f.44345.list-id.mcsv.net" {
    fileinto "archive/startups/pm-competitors";
}
# "OrgMode"
elsif header :contains "List-Id" "emacs-orgmode.gnu.org" {
    fileinto "archive/coms/orgmode";
}
# "Tech podcasts - Nacion lumpen"
elsif header :contains "List-Id" "nacion-lumpen.googlegroups.com" {
    fileinto "archive/lists/podcasts/tech/nacion-lumpen";
}

# Keep the rest.

  • Test sieve rules

VERSION=2022-05-13
FNAME=$(mktemp --suffix='.sieve')

cat > "$FNAME" <<_EOF_
<<mail-sieve>>
_EOF_

docker run --rm \
       -v "$FNAME":/var/lib/dovecot/sieve/default.sieve:ro \
       --entrypoint=ash \
       kenkeiras/mail-server:$VERSION -c "/usr/bin/sievec /var/lib/dovecot/sieve/default.sieve"

result=$?
rm "$FNAME"
if [ $result -eq 0 ];
then
    echo "OK"
else
    echo "[ERROR]"
fi
exit $result
  OK
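The sievec run above only checks syntax; it does not notice that the chain matches "vigo.lists.es.python.org" twice, so the second of those rules can never fire. The script below is an added example, not part of this page's setup or of the mail-server image: it parses the plain `header :contains "List-Id" ... { fileinto ...; }` rules from a constructed excerpt of the chain above and reports rules that an earlier rule shadows. It generalises the duplicate case to substring patterns, because `:contains` matches substrings case-insensitively, so any List-Id containing a later pattern also contains an earlier one that is a substring of it. The excerpt and the `archive/` folder prefix are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the rule chain above (not the full file);
# it includes the two rules that both match "vigo.lists.es.python.org".
SAMPLE_SIEVE = '''
    # "PyVigo"
    elsif header :contains "List-Id" "vigo.lists.es.python.org" {
        fileinto "archive/coms";
    }
    # "NCN"
    elsif header :contains "List-Id" "noconname.listas.noconname.org" {
      fileinto "archive/sec/no-con-name";
    }
    # "Python Vigo"
    elsif header :contains "List-Id" "vigo.lists.es.python.org" {
      fileinto "archive/coms/pyvigo";
    }
    # "Una al dia"
    elsif header :contains "List-Id" "dd62599a9195e52f2dca2ab9a.63065.list-id.mcsv.net" {
      fileinto "#imap/NewMail/archive/una-al-dia";
    }
'''

# Only the plain `header :contains "List-Id" "..." { fileinto "..."; }` form is
# parsed; anyof(...) rules like the TWIML one above are skipped.
RULE_RE = re.compile(
    r'\b(?:if|elsif)\s+header\s+:contains\s+"List-Id"\s+"([^"]+)"\s*\{'
    r'\s*fileinto\s+"([^"]+)"\s*;\s*\}')


@dataclass
class Rule:
    list_id: str   # substring searched for in the List-Id header
    folder: str    # fileinto target


def parse_rules(text):
    return [Rule(m.group(1), m.group(2)) for m in RULE_RE.finditer(text)]


def find_shadowed(rules):
    """Pairs (winner, loser) of rule indexes where the loser can never fire.

    `:contains` uses the i;ascii-casemap comparator by default, so matching is
    case-insensitive. In an if/elsif chain the first match wins, so a later rule
    is dead whenever an earlier pattern is a substring of its pattern: any
    List-Id that contains the later pattern also contains the earlier one.
    """
    shadowed = []
    for j, later in enumerate(rules):
        for i in range(j):
            if rules[i].list_id.lower() in later.list_id.lower():
                shadowed.append((i, j))
                break
    return shadowed


def find_folders_outside(rules, prefix="archive/"):
    """Rules filing outside the expected mailbox prefix (typos, stray namespaces)."""
    return [r for r in rules if not r.folder.startswith(prefix)]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_SIEVE)
    for i, j in find_shadowed(rules):
        print(f"rule {j} ({rules[j].list_id!r} -> {rules[j].folder}) is shadowed by rule {i}")
    for r in find_folders_outside(rules):
        print(f"folder outside archive/: {r.folder}")
```

Run it against the real file by replacing `SAMPLE_SIEVE` with the file's contents; a non-empty `find_shadowed` result is worth fixing before the sievec step, since sievec will happily accept the dead rule.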

Configure mail

# See man 5 aliases for format
postmaster: kenkeiras
me: kenkeiras
xmpp: kenkeiras
www-data: kenkeiras
bluestash: kenkeiras
sergio: kenkeiras
sergio.martinez: kenkeiras
sergio.mportela: kenkeiras
nullhub: kenkeiras
admin: kenkeiras
hivemind: kenkeiras
tweetcodes: kenkeiras
oneliners: kenkeiras

Install mail

VERSION=2022-05-13
docker pull -q kenkeiras/mail-server:$VERSION
docker rm -f mail

# Configure aliases
cat > /etc/postfix/aliases <<_EOF_
<<mail-aliases>>
_EOF_

# Configure sieve
cat > /var/lib/dovecot/sieve/default.sieve <<_EOF_
<<mail-sieve>>
_EOF_

docker run --name=mail -d    \
       -p 25:25 -p 465:465   \
       -p 143:143 -p 993:993 \
       -v /mnt/vols/mail/spool:/var/spool/postfix \
       -v /mnt/vols/mail/var:/var/lib/postfix     \
       -v /mnt/vols/mail/certs:/extra/mail-certs  \
       -v /etc/dovecot/passdb:/etc/dovecot/passdb \
       -v /etc/postfix/aliases:/etc/aliases       \
       -v /var/lib/dovecot/sieve/default.sieve:/var/lib/dovecot/sieve/default.sieve \
       -v /mnt/vols/mail/mailboxes:/var/mail      \
       -e HOSTNAME='codigoparallevar.com' \
       -e DOMAIN='codigoparallevar.com'   \
       -e POSSIBLE_DESTINATIONS='mail.codigoparallevar.com,mail.codigoparallevar.com,codigoparallevar.com,www.codigoparallevar.com' \
       -e CERT_DIRECTORY='/extra/mail-certs' \
       -e USERNAME='kenkeiras' \
       --restart=unless-stopped \
      --network internal \
      --memory=190m \
      kenkeiras/mail-server:$VERSION

    docker.io/kenkeiras/mail-server:2022-05-13
    mail
    832b4a020f776d1e1baf1534afd6d2750b1bbe6bba4ce66dd0d91e2ebc1e8848

DISCARDED

[ 100% ] Hubzilla

ARCHIVE

DONE

Setup MySQL

DONE

Prepare config

       #
       # These groups are read by MariaDB server.
       # Use it for options that only the server (but not clients) should see
       #
       # See the examples of server my.cnf files in /usr/share/mysql/
       #

       # this is read by the standalone daemon and embedded servers
       [server]

       # this is only for the mysqld standalone daemon
       [mysqld]

       #
       # * Basic Settings
       #
       user		= mysql
       pid-file	= /var/run/mysqld/mysqld.pid
       socket		= /var/run/mysqld/mysqld.sock
       port		= 3306
       basedir		= /usr
       datadir		= /var/lib/mysql
       tmpdir		= /tmp
       lc-messages-dir	= /usr/share/mysql
       skip-external-locking

       # The stock Debian comment for this setting says the server now listens on
       # localhost only, but here MariaDB runs inside a container that other
       # containers (Hubzilla) must reach over the docker "internal" network, so
       # it binds every interface. The port is not published with -p, so it stays
       # unreachable from outside the docker host.
       bind-address		= 0.0.0.0

       #
       # * Fine Tuning
       #
       key_buffer_size		= 16M
       max_allowed_packet	= 16M
       thread_stack		= 192K
       thread_cache_size       = 8
       # This replaces the startup script and checks MyISAM tables if needed
       # the first time they are touched
       myisam_recover_options  = BACKUP
       #max_connections        = 100
       #table_cache            = 64
       #thread_concurrency     = 10

       #
       # * Query Cache Configuration
       #
       query_cache_limit	= 1M
       query_cache_size        = 16M

       #
       # * Logging and Replication
       #
       # Both location gets rotated by the cronjob.
       # Be aware that this log type is a performance killer.
       # As of 5.1 you can enable the log at runtime!
       #general_log_file        = /var/log/mysql/mysql.log
       #general_log             = 1
       #
       # Error log - should be very few entries.
       #
       log_error = /var/log/mysql/error.log
       #
       # Enable the slow query log to see queries with especially long duration
       #slow_query_log_file	= /var/log/mysql/mariadb-slow.log
       #long_query_time = 10
       #log_slow_rate_limit	= 1000
       #log_slow_verbosity	= query_plan
       #log-queries-not-using-indexes
       #
       # The following can be used as easy to replay backup logs or for replication.
       # note: if you are setting up a replication slave, see README.Debian about
       #       other settings you may need to change.
       #server-id		= 1
       #log_bin			= /var/log/mysql/mysql-bin.log
       expire_logs_days	= 10
       max_binlog_size   = 100M
       #binlog_do_db		= include_database_name
       #binlog_ignore_db	= exclude_database_name

       #
       # * InnoDB
       #
       # InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
       # Read the manual for more InnoDB related options. There are many!

       #
       # * Security Features
       #
       # Read the manual, too, if you want chroot!
       # chroot = /var/lib/mysql/
       #
       # For generating SSL certificates you can use for example the GUI tool "tinyca".
       #
       # ssl-ca=/etc/mysql/cacert.pem
       # ssl-cert=/etc/mysql/server-cert.pem
       # ssl-key=/etc/mysql/server-key.pem
       #
       # Accept only connections using the latest and most secure TLS protocol version.
       # ..when MariaDB is compiled with OpenSSL:
       # ssl-cipher=TLSv1.2
       # ..when MariaDB is compiled with YaSSL (default in Debian):
       # ssl=on

       #
       # * Character sets
       #
       # MySQL/MariaDB default is Latin1, but in Debian we rather default to the full
       # utf8 4-byte character set. See also client.cnf
       #
       character-set-server  = utf8mb4
       collation-server      = utf8mb4_general_ci

       #
       # * Unix socket authentication plugin is built-in since 10.0.22-6
       #
       # Needed so the root database user can authenticate without a password but
       # only when running as the unix root user.
       #
       # Also available for other users if required.
       # See https://mariadb.com/kb/en/unix_socket-authentication-plugin/

       # this is only for embedded server
       [embedded]

       # This group is only read by MariaDB servers, not by MySQL.
       # If you use the same .cnf file for MySQL and MariaDB,
       # you can put MariaDB-only options here
       [mariadb]

       # This group is only read by MariaDB-10.1 servers.
       # If you use the same .cnf file for MariaDB of different versions,
       # use this group for options that older servers don't understand
       [mariadb-10.1]

mkdir -p /etc/mysql/
cat > /etc/mysql/micro.cnf <<EOF
<<server-config>>
EOF

     + mkdir -p /etc/mysql/
     + cat

DONE

Launch container

docker rm -f hubzilla-mysql
docker run -d --name=hubzilla-mysql \
       -v /mnt/vols/hubzilla/mysql:/var/lib/mysql \
       -v /etc/mysql/micro.cnf:/etc/mysql/mariadb.conf.d/50-server.cnf \
       -e MYSQL_RANDOM_ROOT_PASSWORD="yes" \
       --network internal \
       mariadb:10

    + docker rm -f hubzilla-mysql
    Error: No such container: hubzilla-mysql
    + docker run -d --name=hubzilla-mysql -v /mnt/vols/hubzilla/mysql:/var/lib/mysql -v /etc/mysql/micro.cnf:/etc/mysql/mariadb.conf.d/50-server.cnf -e MYSQL_RANDOM_ROOT_PASSWORD=yes --network internal mariadb:10
    cd5a9677a3be549fdf975a1ed75c47d468a3f4501280e05bab1991be7838aaff
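Whether `bind-address = 0.0.0.0` is a problem depends on the run line, not on the config alone: inside a container it is what lets Hubzilla connect, and the database only becomes reachable from outside the host when the port is also published. The following Python script is an added example, not part of this page's setup: it reads the `[mysqld]` group from a constructed excerpt of the config above, extracts any `-p`/`--publish` flags from a constructed copy of the `docker run` line above, and classifies who can reach the listener. The excerpts are sample inputs; the MariaDB default of listening on every address when `bind-address` is unset is stated from the MariaDB documentation, not from the page.

```python
import re
import shlex

# Constructed excerpt of the [mysqld] group above; a sample input, not the file.
SAMPLE_CNF = """
[server]

[mysqld]
user        = mysql
port        = 3306
skip-external-locking
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address        = 0.0.0.0

[embedded]
"""

# Constructed copy of the `docker run` line above (no -p flag).
SAMPLE_RUN = ("docker run -d --name=hubzilla-mysql "
              "-v /mnt/vols/hubzilla/mysql:/var/lib/mysql "
              "-v /etc/mysql/micro.cnf:/etc/mysql/mariadb.conf.d/50-server.cnf "
              "-e MYSQL_RANDOM_ROOT_PASSWORD=yes --network internal mariadb:10")


def parse_mysqld_section(cnf):
    """Options of the [mysqld] group as {name: value}; bare switches map to True.

    Underscores and dashes are interchangeable in MariaDB option names, so the
    keys are normalised to dashes.
    """
    opts, section = {}, None
    for raw in cnf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section != "mysqld":
            continue
        key, sep, value = line.partition("=")
        opts[key.strip().replace("_", "-")] = value.strip() if sep else True
    return opts


def published_ports(run_cmd):
    """Port specs published to the host by -p/--publish, or ['ALL'] for -P."""
    args = shlex.split(run_cmd)
    ports = []
    for i, a in enumerate(args):
        if a in ("-p", "--publish") and i + 1 < len(args):
            ports.append(args[i + 1])
        elif a.startswith("--publish="):
            ports.append(a.split("=", 1)[1])
        elif a in ("-P", "--publish-all"):
            ports.append("ALL")
    return ports


def audit_exposure(cnf, run_cmd):
    """Classify who can reach the database given the config and the run line."""
    opts = parse_mysqld_section(cnf)
    port = str(opts.get("port", "3306"))
    # MariaDB's own default is every address; the 127.0.0.1 most people see
    # comes from Debian's packaged 50-server.cnf, which this file replaces.
    bind = opts.get("bind-address", "0.0.0.0")
    all_ifaces = bind in ("0.0.0.0", "::", "*", "")

    def publishes_db_port(spec):
        # spec is "cport", "hport:cport" or "ip:hport:cport", optionally "/tcp"
        return spec == "ALL" or spec.split(":")[-1].split("/")[0] == port

    published = any(publishes_db_port(p) for p in published_ports(run_cmd))
    if opts.get("skip-networking"):
        reach = "socket-only"   # no TCP listener at all
    elif all_ifaces and published:
        reach = "host"          # reachable from outside the docker host
    elif all_ifaces:
        reach = "network"       # any container on the same docker network
    else:
        reach = "container"     # loopback inside the container only; peers cannot connect
    return {"bind": bind, "port": port, "published": published, "reach": reach}


if __name__ == "__main__":
    print(audit_exposure(SAMPLE_CNF, SAMPLE_RUN))
```

For the page's own combination the result is `reach: network`, which is the intended state; adding `-p 3306:3306` to the run line would flip it to `host`, and that is the change worth catching in review.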

DONE

Configure Hubzilla

docker rm -f hubzilla-server
docker run -d --name=hubzilla-server \
       -v /mnt//vols/hubzilla/data:/data \
       -e SERVERNAME=social.codigoparallevar.com \
       --link=hubzilla-mysql:mysql \
       --network=internal \
       kenkeiras/hubzilla:testing

    + docker rm -f hubzilla-server
    hubzilla-server
    + docker run -d --name=hubzilla-server -v /mnt//vols/hubzilla/data:/data -e SERVERNAME=social.codigoparallevar.com --link=hubzilla-mysql:mysql --network=internal kenkeiras/hubzilla:testing
    ebba1f6ecc996ec0f137e3c3a793c2e59bf49055ba134f8ad42668af141c5f19

DONE

Configure router

server {
          listen 443 ssl http2;
          listen [::]:443 ssl http2;

          server_name social.codigoparallevar.com;
          include /config/nginx/ssl.conf;

          # Add headers to serve security related headers
          # Before enabling Strict-Transport-Security headers please read into this
          # topic first.
          #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
          #
          # WARNING: Only add the preload option once you read about
          # the consequences in https://hstspreload.org/. This option
          # will add the domain to a hardcoded list that is shipped
          # in all major browsers and getting removed from this list
          # could take several months.
          add_header Referrer-Policy "no-referrer" always;
          add_header X-Content-Type-Options "nosniff" always;
          add_header X-Download-Options "noopen" always;
          add_header X-Frame-Options "SAMEORIGIN" always;
          add_header X-Permitted-Cross-Domain-Policies "none" always;
          add_header X-Robots-Tag "none" always;
          add_header X-XSS-Protection "1; mode=block" always;

          # Remove X-Powered-By, which is an information leak
          fastcgi_hide_header X-Powered-By;

          # set max upload size
          client_max_body_size 100M;
          fastcgi_buffers 64 4K;

          # Enable gzip but do not remove ETag headers
          gzip on;
          gzip_vary on;
          gzip_comp_level 4;
          gzip_min_length 256;
          gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
          gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

          location / {
              proxy_set_header X-Forwarded-Proto https;
              include /config/nginx/proxy.conf;
              proxy_pass  http://hubzilla-server:80;
          }
}

cat > /etc/nginx/sites-enabled/social.conf <<EOF
<<hubzilla-router-config>>
EOF
<<reload-router>>

    + cat
    + docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
    + docker start ingress
    ingress

DONE

Test migration

DONE

Can login

Does send mails

ARCHIVE

  • Probably is no longer needed

DONE

Pleroma test

ARCHIVE

DONE

Network

docker network create pleroma-test

52dde94ff2e18ed1e1c5a6f301fdada68445c7b2314a2cd08ad406036806f33a

DONE

DB

docker rm -f pleroma-test-postgres || true
docker run -d --name=pleroma-test-postgres \
       -e POSTGRES_PASSWORD="CHANGE_THIS"  \
       -e POSTGRES_USER=pleroma \
       -e POSTGRES_DB=pleroma \
       -v /mnt/vols/hubzilla/pleroma-test/postgres:/var/lib/postgresql/data/ \
       --network=internal \
       --memory=190m \
       --restart=unless-stopped \
       postgres:9.6-alpine

+ docker rm -f pleroma-test-postgres
pleroma-test-postgres
+ docker run -d --name=pleroma-test-postgres -e POSTGRES_PASSWORD=LJQit53q7qWowwaRgdZSuj9mMsRXxUfZ -e POSTGRES_USER=pleroma -e POSTGRES_DB=pleroma -v /mnt/vols/hubzilla/pleroma-test/postgres:/var/lib/postgresql/data/ --network=internal --memory=190m --restart=unless-stopped postgres:9.6-alpine
WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
7eef83b7972fafba427dcae5ad2e93c9ff11cd1eb6d59723b07b8372158b5136

Add citext extension

docker exec -i pleroma-test-postgres psql -U pleroma -c "CREATE EXTENSION IF NOT EXISTS citext;"

+ docker exec -i pleroma-test-postgres psql -U pleroma -c 'CREATE EXTENSION IF NOT EXISTS citext;'
CREATE EXTENSION

DONE

Backend

Build

mkdir -p /mnt/vols/hubzilla/pleroma-test/code/ || true
git clone https://github.com/angristan/docker-pleroma /mnt/vols/hubzilla/pleroma-test/code/docker-pleroma
cd /mnt/vols/hubzilla/pleroma-test/code/docker-pleroma
docker build -t pleroma .

Run

docker rm -f pleroma-test-backend || true
docker run -d --name=pleroma-test-backend \
       --link=pleroma-test-postgres:db \
       -e DB_PASS="CHANGE_THIS" \
       -e DOMAIN='pleromatest.codigoparallevar.com' \
       -v /mnt/vols/hubzilla/pleroma-test/uploads:/pleroma/uploads/ \
       --network=internal \
       --memory=380m \
       --restart=unless-stopped \
       pleroma-test

    + docker rm -f pleroma-test-backend
    Error: No such container: pleroma-test-backend
    + docker run -d --name=pleroma-test-backend --link=pleroma-test-postgres:db -e DB_PASS=LJQit53q7qWowwaRgdZSuj9mMsRXxUfZ -e DOMAIN=pleromatest.codigoparallevar.com -v /mnt/vols/hubzilla/pleroma-test/uploads:/pleroma/uploads/ --network=internal --memory=190m --restart=unless-stopped pleroma-test
    WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
    e2c10538606f8f2ce930c5e4d36a921a2176c8941b5fce8b9f58959b0de1fb72

Configure router

server {
          listen 443 ssl http2;
          listen [::]:443 ssl http2;

          server_name pleromatest.codigoparallevar.com;
          include /config/nginx/ssl.conf;

          # Add headers to serve security related headers
          # Before enabling Strict-Transport-Security headers please read into this
          # topic first.
          #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
          #
          # WARNING: Only add the preload option once you read about
          # the consequences in https://hstspreload.org/. This option
          # will add the domain to a hardcoded list that is shipped
          # in all major browsers and getting removed from this list
          # could take several months.
          add_header Referrer-Policy "no-referrer" always;
          add_header X-Content-Type-Options "nosniff" always;
          add_header X-Download-Options "noopen" always;
          add_header X-Frame-Options "SAMEORIGIN" always;
          add_header X-Permitted-Cross-Domain-Policies "none" always;
          add_header X-Robots-Tag "none" always;
          add_header X-XSS-Protection "1; mode=block" always;

          # Remove X-Powered-By, which is an information leak
          fastcgi_hide_header X-Powered-By;

          # set max upload size
          client_max_body_size 100M;
          fastcgi_buffers 64 4K;

          # Enable gzip but do not remove ETag headers
          gzip on;
          gzip_vary on;
          gzip_comp_level 4;
          gzip_min_length 256;
          gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
          gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

          location / {
              include /config/nginx/proxy.conf;
              proxy_pass  http://pleroma-test-backend:4000;
          }
}

cat > /etc/nginx/sites-enabled/pleroma-test.conf <<EOF
<<pleroma-test-router-config>>
EOF
<<reload-router>>

    + cat
    + docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
    cat: /var/run/nginx.pid: No such file or directory
    sh: you need to specify whom to kill
    + docker start ingress
    ingress

DISCARDED

Frontend

GoToSocial

A lightweight ActivityPub server written in Go.

DONE

Install service

version: "3.3"

services:
  gotosocial:
    image: superseriousbusiness/gotosocial:0.17.3
    container_name: gotosocial
    user: 1001:1001
    networks:
      - gotosocial
      - internal
    environment:
      GTS_HOST: social.codigoparallevar.com
      GTS_DB_TYPE: sqlite
      GTS_DB_ADDRESS: /gotosocial/storage/sqlite.db
      GTS_LETSENCRYPT_ENABLED: "false"
      GTS_LETSENCRYPT_EMAIL_ADDRESS: ""
      GTS_ACCOUNTS_REGISTRATION_OPEN: "false"
      ## For reverse proxy setups:
      # GTS_TRUSTED_PROXIES: "172.x.x.x"
    # ports:
      # - "443:8080"
      ## For letsencrypt:
      #- "80:80"
      ## For reverse proxy setups:
      # - "127.0.0.1:8080:8080"
    volumes:
      - /mnt/vols/hubzilla/gotosocial/storage:/gotosocial/storage
    restart: "always"

networks:
  gotosocial:
    ipam:
      driver: default
  internal:
    # name: internal
    external: true

  • Upload configuration

cat > /mnt/vols/hubzilla/gotosocial/docker-compose.yaml <<EOF
<<gotosocial-docker-compose.yaml>>
EOF

date

  Mon 28 Oct 2024 01:52:21 AM CET

  • Start docker compose

docker-compose up -d

DONE

Install reverse proxy

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name social.codigoparallevar.com;
    include /config/nginx/ssl.conf;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # set max upload size
    client_max_body_size 100M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass  http://gotosocial:8080;
    }
}

cat > /etc/nginx/sites-enabled/social.conf <<EOF
<<gotosocial-router-config>>
EOF
<<reload-router>>

    ingress

DISCARDED

Configure trusted proxy

See GoToSocial's "Reverse proxy with NGINX" documentation. Until GTS_TRUSTED_PROXIES names the ingress network, every request is attributed to the proxy's own address (the TCP peer) rather than to the client in X-Forwarded-For, so rate limiting is applied per proxy instead of per client and needs to be fixed.
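The following Python script is an added example, not part of this page's setup or of GoToSocial's code: it shows why the trusted-proxies setting matters for rate limiting by resolving the client address the way frameworks with such a setting do (walk X-Forwarded-For from the right, skip hops inside a trusted network, take the first untrusted one) and feeding the result into a small sliding-window limiter. The replayed traffic is constructed: the proxy address 172.18.0.2 is an assumed value (the page only says 172.x.x.x), and the header values are what an nginx ingress using `$proxy_add_x_forwarded_for` would append.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed traffic as the backend sees it behind the nginx ingress: every
# TCP peer is the proxy's address on the docker network (172.18.0.2 is an
# assumed value) and the proxy appends the real client to X-Forwarded-For.
PROXY = "172.18.0.2"
REQUESTS = [
    (PROXY, "198.51.100.5"),   # client A, requests 1-3
    (PROXY, "198.51.100.5"),
    (PROXY, "198.51.100.5"),
    (PROXY, "198.51.100.5"),   # client A, request 4: over a limit of 3
    (PROXY, "203.0.113.9"),    # client B, should be unaffected by A
    (PROXY, "203.0.113.9"),
]


def naive_client_ip(xff):
    """What many first attempts do: trust the leftmost X-Forwarded-For entry,
    which is whatever the client chose to send."""
    return xff.split(",")[0].strip()


def client_ip(remote_addr, xff, trusted_proxies):
    """Resolve the client the way a trusted-proxy aware server does.

    Walk the chain from the right, starting with the peer that actually
    connected. Skip every hop inside a trusted network; the first untrusted
    address is the client. With an empty trusted list the header is ignored
    and every request is attributed to the proxy itself.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def trusted(addr):
        try:
            return any(ipaddress.ip_address(addr) in n for n in nets)
        except ValueError:   # garbage in the header is never trusted
            return False

    chain = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    chain.append(remote_addr)
    for hop in reversed(chain):
        if not trusted(hop):
            return hop
    return remote_addr   # whole chain trusted: fall back to the direct peer


class RateLimiter:
    """Sliding window: at most `limit` hits per key within `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def run(trusted_proxies, limit=3):
    """Replay REQUESTS; returns [(attributed client, allowed?)] per request."""
    limiter = RateLimiter(limit, window=60)
    out = []
    for t, (peer, xff) in enumerate(REQUESTS):
        key = client_ip(peer, xff, trusted_proxies)
        out.append((key, limiter.allow(key, now=t)))
    return out


if __name__ == "__main__":
    print("no trusted proxies:", run([]))
    print("proxy net trusted :", run(["172.18.0.0/16"]))
```

With no trusted proxies every request is keyed to 172.18.0.2, so client A's fourth request exhausts the budget for client B as well; with the docker network trusted, A is limited and B is untouched. Trusting the network is also what makes a forged leftmost entry harmless: the rightmost untrusted hop is the address the proxy itself appended.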

Matrix

Synapse

DONE

Launch container

docker rm -f matrix-server
docker run -d --name=matrix-server \
       -v /mnt/vols/misc/matrix:/data \
       -p 8448:8448 -p 8008:8008 \
       --network=internal \
       --memory=480m \
       matrixdotorg/synapse:v1.92.2

    4ed9e53489037ca6fa24674ea211a876605f2dcbaaee87f9bdbf493a9b3f143e

DONE

Configure router

server {
          listen 443 ssl http2;
          listen [::]:443 ssl http2;

          server_name matrix.codigoparallevar.com;
          include /config/nginx/ssl.conf;

          # Add headers to serve security related headers
          # Before enabling Strict-Transport-Security headers please read into this
          # topic first.
          #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
          #
          # WARNING: Only add the preload option once you read about
          # the consequences in https://hstspreload.org/. This option
          # will add the domain to a hardcoded list that is shipped
          # in all major browsers and getting removed from this list
          # could take several months.
          add_header Referrer-Policy "no-referrer" always;
          add_header X-Content-Type-Options "nosniff" always;
          add_header X-Download-Options "noopen" always;
          add_header X-Frame-Options "SAMEORIGIN" always;
          add_header X-Permitted-Cross-Domain-Policies "none" always;
          add_header X-Robots-Tag "none" always;
          add_header X-XSS-Protection "1; mode=block" always;

          # Remove X-Powered-By, which is an information leak
          fastcgi_hide_header X-Powered-By;

          # set max upload size
          client_max_body_size 100M;
          fastcgi_buffers 64 4K;

          # Enable gzip but do not remove ETag headers
          gzip on;
          gzip_vary on;
          gzip_comp_level 4;
          gzip_min_length 256;
          gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
          gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

          location / {
              include /config/nginx/proxy.conf;
              proxy_pass  https://matrix-server:8448;
          }
}

cat > /etc/nginx/sites-enabled/matrix.conf <<EOF
<<matrix-router-config>>
EOF
<<reload-router>>

    ingress

Gitea

DONE

Configure container

docker rm -f gitea-server || true
docker run -d --name=gitea-server \
       -v /mnt/vols/misc/gitea:/data \
       -p 2022:22 \
       --network=internal \
       --memory=380m \
       gitea/gitea:1.22.3

    gitea-server
    6f9926933212d5abf1679ec210667f7233282b132e19b59317879d29d9bb4aca

DONE

Add action runner

docker rm -f gitea-server-action-runner || true
# The runner gets the host docker socket so it can spawn job containers;
# anyone who can run a workflow on this instance can therefore control the
# host, so keep this registration to trusted repositories only.
docker run -d --name=gitea-server-action-runner \
        -e GITEA_INSTANCE_URL=https://code.codigoparallevar.com \
        -e GITEA_RUNNER_REGISTRATION_TOKEN=GITEA-REGISTRATION-TOKEN-HERE \
        -v /var/run/docker.sock:/var/run/docker.sock \
        gitea/act_runner:nightly

DONE

Configure router

server {
          listen 443 ssl http2;
          listen [::]:443 ssl http2;

          server_name code.codigoparallevar.com;
          include /config/nginx/ssl.conf;

          # Add headers to serve security related headers
          # Before enabling Strict-Transport-Security headers please read into this
          # topic first.
          #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
          #
          # WARNING: Only add the preload option once you read about
          # the consequences in https://hstspreload.org/. This option
          # will add the domain to a hardcoded list that is shipped
          # in all major browsers and getting removed from this list
          # could take several months.
          add_header Referrer-Policy "no-referrer" always;
          add_header X-Content-Type-Options "nosniff" always;
          add_header X-Download-Options "noopen" always;
          add_header X-Frame-Options "SAMEORIGIN" always;
          add_header X-Permitted-Cross-Domain-Policies "none" always;
          add_header X-Robots-Tag "none" always;
          add_header X-XSS-Protection "1; mode=block" always;

          # Remove X-Powered-By, which is an information leak
          fastcgi_hide_header X-Powered-By;

          # set max upload size
          client_max_body_size 100M;
          fastcgi_buffers 64 4K;

          # Enable gzip but do not remove ETag headers
          gzip on;
          gzip_vary on;
          gzip_comp_level 4;
          gzip_min_length 256;
          gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
          gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

          location / {
              include /config/nginx/proxy.conf;
              proxy_pass  http://gitea-server:3000;
          }
}

cat > /etc/nginx/sites-enabled/gitea.conf <<EOF
<<gitea-router-config>>
EOF
<<reload-router>>

    + cat
    + docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
    failed to resize tty, using default size
    + docker start ingress
    ingress

Grocy

A self-hosted ERP for groceries.

DONE

Configure container

docker rm -f grocy-server || true
docker run -d --name=grocy-server \
         -e PUID=1000 \
         -e PGID=1000 \
         -e TZ=Europe/Madrid \
         -v /mnt/vols/misc/grocy:/config \
         --restart unless-stopped \
         --memory=190m \
         --network=internal \
         lscr.io/linuxserver/grocy:latest

    grocy-server
    7dfe690da60afb834cdcf5d7da097da98afd0edf18b4bef5f863140daba01103

DONE

Configure router

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name grocy.codigoparallevar.com;
    include /config/nginx/ssl.conf;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # set max upload size
    client_max_body_size 100M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass  http://grocy-server:80;
    }
}

cat > /etc/nginx/sites-enabled/grocy.conf <<EOF
<<grocy-router-config>>
EOF
<<reload-router>>

ingress
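The same `add_header` block is repeated in every router config on this page (Hubzilla, Pleroma test, GoToSocial, Matrix, Gitea, Grocy). The following Python script is an added example, not part of this page's setup: it collects the `add_header` directives of a server block per scope and reports what a reviewer would raise against these configs: the commented-out HSTS line, the absent Content-Security-Policy, the legacy `X-XSS-Protection` value, headers without `always` (which nginx then omits from error responses), and the nginx rule that a `location` defining any `add_header` of its own stops inheriting the server-level ones. The server block is a constructed, trimmed copy of the Grocy config above; the `ssl.conf` and `proxy.conf` includes are not expanded, so headers set in those files are not seen.

```python
import re

# Constructed server block, trimmed from the router config above.
SAMPLE_SERVER = '''
server {
    listen 443 ssl http2;
    server_name grocy.codigoparallevar.com;
    include /config/nginx/ssl.conf;

    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass  http://grocy-server:80;
    }
}
'''

# Same block with one add_header inside the location: a common mistake.
SAMPLE_LOCATION_HEADER = SAMPLE_SERVER.replace(
    "        include /config/nginx/proxy.conf;",
    "        include /config/nginx/proxy.conf;\n"
    "        add_header Cache-Control \"no-store\";")

ADD_HEADER_RE = re.compile(r'^\s*(#\s*)?add_header\s+(\S+)\s+("[^"]*"|\S+)(\s+always)?\s*;')
LOCATION_RE = re.compile(r'^location\s+(.+?)\s*\{')

# Headers expected at server level; CSP is not in the page configs at all.
REQUIRED = ("strict-transport-security", "content-security-policy",
            "referrer-policy", "x-content-type-options", "x-frame-options")


def collect_headers(conf):
    """Map add_header directives to the scope that declares them.

    Returns (server_scope, {location: scope}); each scope is
    {header-name-lowercase: {"value", "always", "commented"}}.
    """
    server, locations = {}, {}
    depth, current = 0, None
    for line in conf.splitlines():
        code = line.strip().split("#", 1)[0]   # braces in comments do not count
        m = LOCATION_RE.match(code)
        if m and depth == 1:
            current = m.group(1)
            locations.setdefault(current, {})
        h = ADD_HEADER_RE.match(line)
        if h:
            scope = locations[current] if current else server
            scope[h.group(2).lower()] = {
                "value": h.group(3).strip('"'),
                "always": h.group(4) is not None,
                "commented": h.group(1) is not None,
            }
        depth += code.count("{") - code.count("}")
        if depth <= 1:
            current = None
    return server, locations


def audit_headers(conf):
    """Findings a reviewer would raise on the server block."""
    server, locations = collect_headers(conf)
    findings = []
    for name in REQUIRED:
        h = server.get(name)
        if h is None:
            findings.append(f"missing: {name}")
        elif h["commented"]:
            findings.append(f"commented out: {name}")
        elif not h["always"]:
            # without `always` nginx adds the header to 2xx/3xx responses only
            findings.append(f"not sent on error responses: {name}")
    xss = server.get("x-xss-protection")
    if xss and not xss["commented"] and xss["value"] != "0":
        findings.append("x-xss-protection: legacy filter header, current browsers ignore it; use 0 or drop it")
    for loc, scope in locations.items():
        if any(not h["commented"] for h in scope.values()):
            # add_header is inherited from the enclosing level only when the
            # current level defines none of its own
            findings.append(f"location {loc}: defines add_header, server-level headers are NOT inherited")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_LOCATION_HEADER):
        print(finding)
```

The inheritance finding is the one to keep in mind with the `include /config/nginx/proxy.conf` line: if that file ever gains an `add_header`, every security header set at server level silently disappears from the proxied responses.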

DISCARDED

TechTree

ARCHIVE

DONE

Configure database

docker rm -f techtree-postgres || true
docker run -d --name=techtree-postgres \
       -e POSTGRES_PASSWORD=CHANGE_THIS \
       -v /mnt/vols/misc/techtree/postgres:/var/lib/postgresql/data/ \
       --network=internal \
       --memory=190m \
       postgres:10

    + docker rm -f techtree-postgres
    techtree-postgres
    + docker run -d --name=techtree-postgres -e POSTGRES_PASSWORD=CHANGE_THIS -v /mnt/vols/misc/techtree/postgres:/var/lib/postgresql/data/ --network=internal --memory=190m postgres:10
    WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
    39c9bed6f75969b116d60ca291a711e8ad5a1331ed2af3ae7466e8461a03a17f

DONE

Configure container

docker rm -f techtree-server
source ~/.techtree-credentials.sh

GENPASSWD() {
    openssl passwd hex 1 2 3 4 5 6|tr -d '/\n'
}

# Note: under `set -x` the expanded DATABASE_URL and SECRET_KEY_BASE are echoed
# into the captured results below; wrap this call in `set +x` / `set -x` when
# the transcript is going to be kept.
docker run -d --name=techtree-server -m 500m \
       --link=techtree-postgres:db \
       -e DATABASE_URL=postgres://${TT_USERNAME}:${TT_PASSWORD}@db:5432/${TT_DB} \
       -e SECRET_KEY_BASE="`GENPASSWD`" \
       -e PORT=80 \
       -e MIX_ENV=prod \
       --network=internal \
       --memory=190m \
       kenkeiras/techtree:prod

clean_techtree_credentials

    + docker rm -f techtree-server
    techtree-server
    + source /root/.techtree-credentials.sh
    ++ TT_USERNAME=techtree
    ++ TT_DB=techtree
    ++ TT_PASSWORD=D677oBFOZ5y5YXIzi4N37LGw1ANLawL9YcU7E8YNGgX4ZQ6BQCj2oodHfXi3ECiUkEyNhkHuB2vSA.3YblgT3IN46g
    ++ GENPASSWD
    ++ tr -d '/\n'
    ++ openssl passwd hex 1 2 3 4 5 6
    + docker run -d --name=techtree-server -m 500m --link=techtree-postgres:db -e DATABASE_URL=postgres://techtree:D677oBFOZ5y5YXIzi4N37LGw1ANLawL9YcU7E8YNGgX4ZQ6BQCj2oodHfXi3ECiUkEyNhkHuB2vSA.3YblgT3IN46g@db:5432/techtree -e SECRET_KEY_BASE=O5hSnbBNbmqZ6BPBqKvuj2ZDc1AoHKCdIlsa4cWKSJm4zLPFWqMs6veQMhLsFmW6WbAUTn1Ni4z1sOcFa918xjy6PQ -e PORT=80 -e MIX_ENV=prod --network=internal --memory=190m kenkeiras/techtree:prod
    WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
    332084157ece622a25088577813a1f986e610afab8c11369e25983c496fc7253
    + clean_techtree_credentials
    + unset TT_USERNAME
    + unset TT_DB
    + unset TT_PASSWORD
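The trace above shows the downside of sourcing credentials under `set -x` and passing them with `-e`: both the database password and the generated `SECRET_KEY_BASE` end up in the log. The following is an added example, not part of these notes, of the same launch done with a key drawn from the kernel CSPRNG and the secrets handed to the container through a 0600 env file instead of the command line. It assumes POSIX sh with `od` and `/dev/urandom`; the `TT_*` variable names, container name and image follow the notes, while the helper names and the env-file path are this example's own.

```shell
#!/bin/sh
# Added example (not from these notes): keep container secrets out of xtrace
# logs and the docker command line. Assumes POSIX sh, od and /dev/urandom.
set -eu

# gen_secret [BYTES] -> lowercase hex string of 2*BYTES characters (default 64 bytes)
gen_secret() {
    head -c "${1:-64}" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# is_hex_secret STRING MINLEN -> 0 when STRING is lowercase hex of at least MINLEN chars
is_hex_secret() {
    [ "${#1}" -ge "$2" ] || return 1
    case "$1" in *[!0-9a-f]*) return 1 ;; esac
}

# file_mode PATH -> permission string such as "-rw-------"
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# write_env_file PATH DB_URL SECRET -> docker --env-file readable only by its owner
write_env_file() {
    rm -f "$1"                  # umask only applies to newly created files
    ( umask 077                 # subshell: 0600 without changing the caller's umask
      printf 'DATABASE_URL=%s\nSECRET_KEY_BASE=%s\nPORT=80\nMIX_ENV=prod\n' \
          "$2" "$3" > "$1" )
}

# launch_techtree CREDENTIALS_FILE ENV_FILE -> start the container with secrets from the env file
launch_techtree() {
    set +x                      # an xtrace log must never see the values sourced below
    . "$1"                      # defines TT_USERNAME, TT_PASSWORD and TT_DB, as in the notes
    write_env_file "$2" "postgres://${TT_USERNAME}:${TT_PASSWORD}@db:5432/${TT_DB}" "$(gen_secret)"
    unset TT_USERNAME TT_PASSWORD TT_DB
    docker rm -f techtree-server >/dev/null 2>&1 || true
    docker run -d --name=techtree-server --memory=190m \
        --link=techtree-postgres:db --network=internal \
        --env-file "$2" kenkeiras/techtree:prod
}

# Usage: sh launch.sh ~/.techtree-credentials.sh /root/techtree.env
if [ "$#" -eq 2 ]; then launch_techtree "$1" "$2"; fi
```

The env file still has to be protected on disk, and anyone who can talk to the Docker socket can read the container's environment with `docker inspect`; what this removes is the copy in shell traces, shell history and the process list.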

DONE

Configure router

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name techtree.spiral.systems;
    include /config/nginx/ssl.conf;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # set max upload size
    client_max_body_size 100M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass  http://techtree-server:80;
    }
}

cat > /etc/nginx/sites-enabled/techtree.conf <<EOF
<<techtree-router-config>>
EOF
<<reload-router>>

    + cat
    + docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
    + docker start ingress
    ingress
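The same vhost template is pasted once per service in these notes, so drift between copies is easy to miss. The script below is an added example, not part of the notes, that audits each `sites-enabled` file for the settings the template is meant to carry: the fixed `add_header` set, whether HSTS is still commented out, `client_max_body_size`, and one point the template itself gets wrong for proxied services: `fastcgi_hide_header` only strips headers from FastCGI upstreams, so behind `proxy_pass` the upstream's `X-Powered-By` reaches clients unless `proxy_hide_header` is used. It assumes POSIX sh with `grep`, `awk` and `mktemp`; the two sample vhosts are constructed here to mirror the template and a fixed version of it.

```shell
#!/bin/sh
# Added example (not from these notes): audit nginx vhost files for the security
# settings the router template is meant to carry. Assumes POSIX sh, grep, awk.
set -eu

# Headers every vhost on this host is expected to send unconditionally.
EXPECTED_HEADERS="Referrer-Policy X-Content-Type-Options X-Frame-Options X-Permitted-Cross-Domain-Policies"

# header_state FILE HEADER -> on | commented | missing
header_state() {
    if grep -Eq "^[[:space:]]*add_header[[:space:]]+$2[[:space:]]" "$1"; then
        echo on
    elif grep -Eq "^[[:space:]]*#[[:space:]]*add_header[[:space:]]+$2[[:space:]]" "$1"; then
        echo commented
    else
        echo missing
    fi
}

# directive_value FILE DIRECTIVE -> first argument of the directive, without the ';'
directive_value() {
    awk -v d="$2" '$1 == d { sub(";$", "", $2); print $2; exit }' "$1"
}

# audit_vhost FILE -> prints "<server_name> <finding>..."; returns 1 when something needs fixing.
# The HSTS state is always printed because the template leaves it commented out on purpose.
audit_vhost() {
    f="$1"; problems=0; findings=""
    name=$(directive_value "$f" server_name)
    for h in $EXPECTED_HEADERS; do
        state=$(header_state "$f" "$h")
        if [ "$state" != on ]; then findings="$findings $h=$state"; problems=1; fi
    done
    findings="$findings hsts=$(header_state "$f" Strict-Transport-Security)"
    # fastcgi_hide_header only applies to FastCGI upstreams: behind proxy_pass the
    # upstream's X-Powered-By still reaches clients unless proxy_hide_header is set.
    if grep -Eq '^[[:space:]]*proxy_pass[[:space:]]' "$f" &&
       ! grep -Eq '^[[:space:]]*proxy_hide_header[[:space:]]+X-Powered-By' "$f"; then
        findings="$findings X-Powered-By=leaks-through-proxy_pass"; problems=1
    fi
    if [ -z "$(directive_value "$f" client_max_body_size)" ]; then
        findings="$findings client_max_body_size=unset"; problems=1
    fi
    echo "${name:-<no server_name>}$findings"
    return "$problems"
}

# write_sample_vhost FILE MODE -> constructed vhost; "template" mirrors the notes,
# "hardened" enables HSTS (without preload) and hides X-Powered-By for the proxied upstream.
write_sample_vhost() {
    if [ "$2" = hardened ]; then hsts=""; hide=proxy_hide_header
    else hsts="#"; hide=fastcgi_hide_header; fi
    cat > "$1" <<EOF
server {
    listen 443 ssl http2;
    server_name techtree.spiral.systems;
    ${hsts}add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    ${hide} X-Powered-By;
    client_max_body_size 100M;
    location / {
        include /config/nginx/proxy.conf;
        proxy_pass  http://techtree-server:80;
    }
}
EOF
}

# Usage: sh audit-vhosts.sh /etc/nginx/sites-enabled/*.conf
if [ "$#" -gt 0 ]; then
    rc=0
    for f in "$@"; do audit_vhost "$f" || rc=1; done
    exit "$rc"
fi
```

Run it against the ingress container's `sites-enabled` directory after each `<<reload-router>>`; a non-zero exit means at least one vhost lost a header or hides `X-Powered-By` with the wrong directive.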

Notes API

You are most probably reading these notes already. The API just provides the search function right now.

Configure container

docker pull kenkeiras/notes-api-server:latest
docker rm -f notes-api-server
docker run -d --name notes-api-server \
       -e DB_PATH=/db.sqlite3 \
       -v /mnt/vols/misc/codigoparallevar-api/db.sqlite3:/db.sqlite3:ro \
       --network=internal \
       kenkeiras/notes-api-server:latest

    latest: Pulling from kenkeiras/notes-api-server
    Digest: sha256:3ae36797c7da7bcc5dc2c16c49df877aa10a91d6db8aeffb2e54b4a0a3c53c9c
    Status: Image is up to date for kenkeiras/notes-api-server:latest
    docker.io/kenkeiras/notes-api-server:latest
    00b9dd0068778aabc77856a7954c678f12b1a54bde721910ad37c23ad2c7ea9c

Configure router

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name api.codigoparallevar.com;
    include /config/nginx/ssl.conf;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # set max upload size
    client_max_body_size 1M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass  http://notes-api-server:3000;
    }
}

cat > /etc/nginx/sites-enabled/notes-api.conf <<EOF
<<notes-api-router-config>>
EOF
<<reload-router>>

    ingress

Wallabag

DONE

Configure container

docker rm -f wallabag-server
docker run -d --name wallabag-server \
       -e SYMFONY__ENV__DOMAIN_NAME=https://wallabag.codigoparallevar.com \
       -v /mnt/vols/misc/wallabag/data:/var/www/wallabag/data \
       -v /mnt/vols/misc/wallabag/images:/var/www/wallabag/web/assets/images \
       --network=internal \
       wallabag/wallabag:2.3.8

    091a97105d4f80c2767dc5da26b5d41e8b2f5f999889c10d54efb2a2ab9ac7ef

DONE

Configure router

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name wallabag.codigoparallevar.com;
    include /config/nginx/ssl.conf;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # set max upload size
    client_max_body_size 100M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass  http://wallabag-server:80;
    }
}

cat > /etc/nginx/sites-enabled/wallabag.conf <<EOF
<<wallabag-router-config>>
EOF
<<reload-router>>

    ingress

Wiki

DONE

Configure router

# main server block
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    root /opt/wiki;
    # index index.html index.htm index.php;

    server_name wiki.codigoparallevar.com;

    # # enable subfolder method reverse proxy confs
    # include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    # enable for ldap auth
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    client_max_body_size 0;

    # location / {
    #     try_files $uri $uri/ /index.html /index.php?$args =404;
    # }
}

cat > /etc/nginx/sites-enabled/wiki.conf <<EOF
<<wiki-router-config>>
EOF
<<reload-router>>

    + cat
    + docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
    failed to resize tty, using default size
    + docker start ingress
    ingress

DISCARDED

BeeRol

DONE

Configure router

# main server block
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    root /opt/beerol;
    # index index.html index.htm index.php;

    server_name beerol.quest;

    # # enable subfolder method reverse proxy confs
    # include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    # enable for ldap auth
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    client_max_body_size 0;

    # location / {
    #     try_files $uri $uri/ /index.html /index.php?$args =404;
    # }
}

cat > /etc/nginx/sites-enabled/beerol.conf <<EOF
<<beerol-router-config>>
EOF
<<reload-router>>

    ingress

Birracoin

Configure router

# main server block
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    root /opt/birracoin;
    # index index.html index.htm index.php;

    server_name birracoin.com;
    server_name www.birracoin.com;

    # # enable subfolder method reverse proxy confs
    # include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    # enable for ldap auth
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    client_max_body_size 0;

    # location / {
    #     try_files $uri $uri/ /index.html /index.php?$args =404;
    # }
}

cat > /etc/nginx/sites-enabled/birracoin.conf <<EOF
<<birracoin-router-config>>
EOF
<<reload-router>>

+ cat
+ docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
+ docker start ingress
ingress

Prosody

DONE

Configure container

docker rm -f prosody-server
docker run -d --name prosody-server \
       -v /mnt/vols/misc/prosody/data:/var/lib/prosody \
       -v /mnt/vols/misc/prosody/etc:/etc/prosody \
       -v /mnt/vols/misc/prosody/certs:/extra/certs \
       -p 5222:5222 \
       -p 5269:5269 \
       -p 5280:5280 \
       --network=internal \
       --memory=190m \
       prosody/prosody:0.11

    + docker rm -f prosody-server
    prosody-server
    + docker run -d --name prosody-server -v /mnt/vols/misc/prosody/data:/var/lib/prosody -v /mnt/vols/misc/prosody/etc:/etc/prosody -v /mnt/vols/misc/prosody/certs:/extra/certs -p 5222:5222 -p 5269:5269 -p 5280:5280 --network=internal --memory=190m prosody/prosody:0.11
    WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
    9b5c70494e984865e6caa46796b22dd4a4e48ac3c6df267adaae582fb22eb00f

Grok

# main server block
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # index index.html index.htm index.php;

    server_name grok.spiral.systems;

    # # enable subfolder method reverse proxy confs
    # include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    # enable for ldap auth
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    client_max_body_size 0;

    location / {
        proxy_pass http://172.17.0.1:1234;
    }
}

cat > /etc/nginx/sites-enabled/grok.conf <<EOF
<<grok-router-config>>
EOF
<<reload-router>>

    + cat
    + docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
    cat: /var/run/nginx.pid: No such file or directory
    sh: you need to specify whom to kill
    + docker start ingress
    ingress

Wireguard VPN

  • Fiddling with WireGuard to check how useful it can be for connecting to home machines from a remote location.

Installation

apt-get install -y wireguard

  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  wireguard is already the newest version (1.0.20210223-1~bpo10+1).
  The following packages were automatically installed and are no longer required:
    git-man liberror-perl
  Use 'apt autoremove' to remove them.
  0 upgraded, 0 newly installed, 0 to remove and 33 not upgraded.

Setup

# wg-quick up wg0
[#] ip link add wg0 type wireguard
RTNETLINK answers: Operation not supported
Unable to access interface: Protocol not supported

Docker Watchtower

Watchtower (containrrr/watchtower) polls the registry and restarts containers on updated images when new ones become available. It needs the Docker socket mounted to do so, which gives that container full control of the Docker daemon, so it is root-equivalent on the host.

docker rm -f watchtower || true
docker run -d --name=watchtower \
         -v /var/run/docker.sock:/var/run/docker.sock \
         --memory=190m \
         containrrr/watchtower

Update certificates

docker exec -i ingress ls -lh /etc/letsencrypt/live/codigoparallevar.com/

total 12K
-rw-r--r-- 1 abc users  692 Apr  1  2024 README
lrwxrwxrwx 1 abc users   44 Sep 29 02:09 cert.pem -> ../../archive/codigoparallevar.com/cert4.pem
lrwxrwxrwx 1 abc users   45 Sep 29 02:09 chain.pem -> ../../archive/codigoparallevar.com/chain4.pem
lrwxrwxrwx 1 abc users   49 Sep 29 02:09 fullchain.pem -> ../../archive/codigoparallevar.com/fullchain4.pem
-rw-r--r-- 1 abc users 3.5K Sep 29 02:09 priv-fullchain-bundle.pem
lrwxrwxrwx 1 abc users   47 Sep 29 02:09 privkey.pem -> ../../archive/codigoparallevar.com/privkey4.pem
-rw------- 1 abc users 3.0K Sep 29 02:09 privkey.pfx

set -eux

VER=4   # archive version the live/ symlinks listed above currently point at (cert4.pem)

# Mail certs
docker cp ingress:/etc/letsencrypt/archive/codigoparallevar.com/fullchain${VER}.pem /mnt/vols/mail/certs/fullchain.pem
docker cp ingress:/etc/letsencrypt/archive/codigoparallevar.com/privkey${VER}.pem /mnt/vols/mail/certs/privkey.pem
docker restart mail

# Prosody certs
docker cp ingress:/etc/letsencrypt/archive/codigoparallevar.com/fullchain${VER}.pem /mnt/vols/misc/prosody/certs/fullchain.pem
docker cp ingress:/etc/letsencrypt/archive/codigoparallevar.com/privkey${VER}.pem /mnt/vols/misc/prosody/certs/privkey.pem
sudo chown 101:0 -R /mnt/vols/misc/prosody/certs/
docker restart prosody-server

# Matrix certs
docker cp ingress:/etc/letsencrypt/archive/codigoparallevar.com/privkey${VER}.pem /mnt/vols/misc/matrix/privkey.pem
docker cp ingress:/etc/letsencrypt/archive/codigoparallevar.com/fullchain${VER}.pem /mnt/vols/misc/matrix/fullchain.pem
sudo chown 991:991 -R /mnt/vols/misc/matrix/
docker restart matrix-server

mail
prosody-server
matrix-server
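The script above hardcodes `VER=4`, so it silently distributes a stale certificate after the next renewal unless someone edits it. The following is an added example, not part of these notes, that reads the archive version from the `live/` symlink inside the ingress container, copies the pair to each consumer, and checks that the certificate and key actually belong together before restarting anything. It assumes POSIX sh, `docker`, `openssl` and `sha256sum`; the container names, volume paths and owner ids follow the notes, but ownership is applied only to the two copied files rather than recursively, and the mail directory keeps its existing ownership as in the notes.

```shell
#!/bin/sh
# Added example (not from these notes): distribute the current Let's Encrypt
# files from the ingress container without hardcoding the archive version.
# Assumes POSIX sh, docker, openssl and sha256sum.
set -eu

DOMAIN=codigoparallevar.com
INGRESS=ingress

# cert_version_from_link LINK_TARGET -> "4" for "../../archive/<domain>/fullchain4.pem"
cert_version_from_link() {
    base="${1##*/}"              # fullchain4.pem
    num="${base#fullchain}"      # 4.pem
    num="${num%.pem}"            # 4
    case "$num" in
        ''|*[!0-9]*) echo "unexpected live/ symlink target: $1" >&2; return 1 ;;
    esac
    echo "$num"
}

# current_version -> archive version the ingress container's live/ symlink points at
current_version() {
    cert_version_from_link "$(docker exec "$INGRESS" readlink \
        "/etc/letsencrypt/live/$DOMAIN/fullchain.pem")"
}

# keys_match CERT KEY -> 0 when the key's public half equals the leaf certificate's
keys_match() {
    a=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | sha256sum)
    b=$(openssl pkey -in "$2" -pubout -outform DER | sha256sum)
    [ "$a" = "$b" ]
}

# install_certs VER DEST_DIR OWNER CONTAINER -> copy, verify, chown (OWNER "-" = leave), restart
install_certs() {
    ver="$1"; dest="$2"; owner="$3"; container="$4"
    archive="$INGRESS:/etc/letsencrypt/archive/$DOMAIN"
    docker cp "$archive/fullchain$ver.pem" "$dest/fullchain.pem"
    docker cp "$archive/privkey$ver.pem" "$dest/privkey.pem"
    if ! keys_match "$dest/fullchain.pem" "$dest/privkey.pem"; then
        echo "$dest: certificate and key do not match, not restarting $container" >&2
        return 1
    fi
    # warn (do not abort) when the leaf expires within 30 days: renewal on ingress may be stuck
    openssl x509 -checkend $((30 * 86400)) -noout -in "$dest/fullchain.pem" ||
        echo "warning: $dest/fullchain.pem expires within 30 days" >&2
    [ "$owner" = - ] || chown "$owner" "$dest/fullchain.pem" "$dest/privkey.pem"
    docker restart "$container"
}

main() {
    ver=$(current_version)
    install_certs "$ver" /mnt/vols/mail/certs         -       mail
    install_certs "$ver" /mnt/vols/misc/prosody/certs 101:0   prosody-server
    install_certs "$ver" /mnt/vols/misc/matrix        991:991 matrix-server
}

# Usage: sh update-certs.sh --run
if [ "${1:-}" = --run ]; then main; fi
```

The mismatch check matters because `docker cp` of `fullchain${VER}.pem` and `privkey${VER}.pem` with two different `VER` values (one edited, one forgotten) produces a service that restarts cleanly and then fails every TLS handshake.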