Working for homelab

This commit is contained in:
2023-03-23 20:29:29 +00:00
parent a6d5ceaa22
commit 678894d7db
18 changed files with 677 additions and 734 deletions


@@ -7,7 +7,6 @@ USER_PASSWORD=
DOMAIN=scarif.local
LOCAL_IP=192.168.10.10
SSH_KEY= # Will be added to authorized keys
DIGITALOCEAN_TOKEN= # For enabling lets encrypt
#
# Database settings
@@ -44,16 +43,6 @@ NEXTCLOUD_ADMIN_PASSWORD=
COLLABORA_USER=${USERNAME}
COLLABORA_PASSWORD=
#
# Monica settings (personel.scarif.space)
# Image: monica:fpm
#
MAIL_FROM=${USERNAME}@${DOMAIN}
MAIL_HOST=smtp.mailgun.org
MAIL_PORT=465
MAIL_USER=postmaster@mg.thinkzingy.com
MAIL_PASSWORD=
#
# Jitsi settings (comms.scarif.space)
# Image: jitsi/web:latest
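Review bot: If the `MAIL_*` lines survive this hunk (the rendered view does not show which of the 16 old lines were dropped), their header `# Monica settings (personel.scarif.space)` is now stale: docker-compose in this same commit removes the monica service and feeds these values to Nextcloud as `SMTP_HOST`/`SMTP_PORT`/`SMTP_USER`/`SMTP_PASSWORD`. Retitle the block, e.g. `# Outbound mail settings (consumed by Nextcloud as SMTP_*; port 465 is implicit TLS and needs SMTP_SECURE=ssl)`, and confirm `SMTP_SECURE` is set somewhere, because the compose hunk does not pass it and a 465 endpoint will not accept a plaintext/STARTTLS attempt. Separately, the monica/.env deleted in this commit carried a populated `APP_KEY` and `HASH_SALT`; deleting the file leaves both in git history, so if the `db` volume still holds Monica rows encrypted under that key, treat the key as disclosed and purge that data rather than relying on the deletion.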

INSTALL.md Normal file


@@ -3,38 +3,34 @@
source /opt/scarif/.env
echo "------- Generating system users -------"
# Add me as a user and git for SSH passthrough to gitea (change passwords after finishing)
## Add me as a user and git for SSH passthrough to gitea (change passwords after finishing)
useradd -m -p $(echo $USER_PASSWORD | openssl passwd -1 -stdin) chris
useradd -m -p $(echo $GIT_PASSWORD | openssl passwd -1 -stdin) -u1200 git
# Set up privileges
## Set up privileges
echo "chris ALL=(ALL) ALL" >> /etc/sudoers
# Disable root login
echo "root ALL=(ALL) ALL" >> /etc/sudoers
## Disable root login
passwd -l root
# Install necessary packages
echo "------- Installing packages -------"
pacman -S --needed --noconfirm sudo wget tmux htop vim docker docker-compose git ufw certbot certbot-dns-digitalocean
pacman -Syyu --noconfirm
pacman -S --noconfirm archlinux-keyring
pacman -S --needed --noconfirm sudo wget tmux htop vim docker docker-compose git ufw certbot samba nfs-utils
echo "------- Setting up SSH -------"
# Remove old SSH keys in case running again
sudo -u git mkdir -p /home/git/.ssh
rm -f /home/git/.ssh/*
# Generate SSH keys for git to enable SSH proxy
sudo -u git ssh-keygen -t rsa -b 4096 -C "Gitea Host Key" -f/home/git/.ssh/id_rsa -q -N ""
# Add SSH key to authorized keys which is shared with docker container
echo "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty $(cat /home/git/.ssh/id_rsa.pub)" >> /home/git/.ssh/authorized_keys
# Add current SSH key to main user's authorized keys
mkdir /home/chris/.ssh
mkdir -p /home/chris/.ssh
echo $SSH_KEY >> /home/chris/.ssh/authorized_keys
# Disable root login
sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin no/" /etc/ssh/sshd_config
# Logout after 1 minute of inactivity
sed -i "s/#LoginGraceTime 2m/LoginGraceTime 1m/" /etc/ssh/sshd_config
# Add banner art
sed -i "s/#Banner none/Banner \/opt\/scarif\/ssh-banner-art/" >> /etc/ssh/sshd_config
# Limit number of sessions
sed -i "s/#MaxSessions/MaxSessions 4/" >> /etc/ssh/sshd_config
# Limit users
sed -i "s/#AllowUsers/AllowUsers chris git/" >> /etc/ssh/sshd_config
rm /etc/ssh/sshd_config
ln -s /opt/scarif/sshd_config /etc/ssh/sshd_config
# Modify login messages
echo "Clearance codes accepted! proceed:" > /etc/motd
# Enforce a delay after a failed login attempt to prevent brute force attacks
@@ -43,7 +39,7 @@ echo "auth optional pam-faildelay.so delay 2000000" >> /etc/pam.d/system-login
systemctl restart sshd
echo "------- Enabling SSH passthrough -------"
# Make files necessary for SSH passthrough (https://docs.gitea.io/en-us/install-with-docker/#ssh-container-passthrough)
## Make files necessary for SSH passthrough (https://docs.gitea.io/en-us/install-with-docker/#ssh-container-passthrough)
mkdir -p /var/lib/gitea
cat <<"EOF" | sudo tee /usr/local/bin/gitea
#!/bin/sh
@@ -56,26 +52,26 @@ chmod +x /app/gitea/gitea
chown -R git /app/gitea/gitea
chown -R git /var/lib/gitea
if [ $APP_ENV = "production" ]
then
echo "------- Enabling certbot service -------"
mkdir -p /root/.secret/certbot
tee /root/.secret/certbot/digitalocean.ini <<END
# DigitalOcean API credentials used by Certbot
dns_digitalocean_token = $DIGITALOCEAN_TOKEN
END
#if [ $APP_ENV = "production" ]
#then
# echo "------- Enabling certbot service -------"
# mkdir -p /root/.secret/certbot
# tee /root/.secret/certbot/digitalocean.ini <<END
## DigitalOcean API credentials used by Certbot
#dns_digitalocean_token = $DIGITALOCEAN_TOKEN
#END
certbot certonly \
--dns-digitalocean \
--dns-digitalocean-credentials /root/.secret/certbot/digitalocean.ini \
-d *.$DOMAIN -d $DOMAIN \
-m stofflees@gmail.com \
--agree-tos \
--no-eff-email
cp /opt/scarif/certbot/* /etc/systemd/system/
systemctl enable --now certbot.timer
fi
# certbot certonly \
# --dns-digitalocean \
# --dns-digitalocean-credentials /root/.secret/certbot/digitalocean.ini \
# -d *.$DOMAIN -d $DOMAIN \
# -m stofflees@gmail.com \
# --agree-tos \
# --no-eff-email
#
# cp /opt/scarif/certbot/* /etc/systemd/system/
# systemctl enable --now certbot.timer
#fi
echo "------- Adding config folders for jitsi -------"
mkdir -p /opt/jitsi/{web/letsencrypt,transcripts,prosody/config,prosody/prosody-plugins-custom,jicofo,jvb,jigasi,jibri}
@@ -83,17 +79,30 @@ mkdir -p /opt/jitsi/{web/letsencrypt,transcripts,prosody/config,prosody/prosody-
echo "------- Setting up firewall -------"
ufw default deny incoming
ufw default allow outgoing
ufw allow 22
ufw allow 629
ufw allow 80
ufw allow 443
ufw allow 2049
ufw allow CIFS
ufw --force enable
echo "------- Starting docker -------"
systemctl enable docker --now
docker-compose -f "/opt/scarif/docker-compose.yml" --env-file "/opt/scarif/.env" up -d
# Create a super user for pinry
docker exec -it scarif_pinry_1 python manage.py createsuperuser --settings=pinry.settings.docker
# Create user for jitsi
## Create user for jitsi
docker-compose exec prosody prosodyctl --config /config/prosody.cfg.lua register chris meet.jitsi ${USER_PASSWORD}
echo "------- Start Samba share -------"
ln -s /opt/scarif/smb.conf /etc/samba/smb.conf
smbpasswd -a chris
systemctl enable --now smb
echo "------- Start NFS share -------"
ln -s /opt/scarif/nfs.conf /etc/nfs.conf
ln -s /opt/scarif/exports /etc/exports
exportfs -arv
systemctl enable --now nfs4-server
systemctl enable --now zfs-share
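Review bot: In the firewall hunk, `ufw allow 2049` and `ufw allow CIFS` open NFS and SMB to every source, while the `exports` file added in this commit only grants `192.168.2.0/24`; scope the host rules the same way, e.g. `ufw allow from 192.168.2.0/24 to any port 2049 proto tcp` and `ufw allow from 192.168.2.0/24 to any app CIFS`, so a host on any other network never reaches the RPC surface at all. Bear in mind that ports published by docker-compose (the JVB UDP port, 80/443) are inserted by Docker into its own iptables chains ahead of ufw's, so `ufw default deny incoming` does not govern them; the `127.0.0.1:` binding used for the JVB COLIBRI port in the compose file is the right pattern for anything that must stay local. Separately, `rm /etc/ssh/sshd_config` followed by `ln -s /opt/scarif/sshd_config /etc/ssh/sshd_config` replaces the previous in-place `PermitRootLogin no` / `AllowUsers chris git` / `MaxSessions 4` edits with a file that is not in this diff — verify it still carries those settings, and that `/opt/scarif` is root-owned and not writable by `chris`, because an sshd_config symlinked into a directory a non-root account can write is a root-equivalent path. Finally, `smbpasswd -a chris` prompts interactively, so this script can no longer run unattended; feed the password from `$USER_PASSWORD` via stdin or note the prompt in INSTALL.md.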


@@ -15,20 +15,12 @@ x-logging: &logging
version: "3.4"
services:
dashboard:
<<: *logging
image: rmountjoy/dashmachine:latest
volumes:
- dashboard:/dashmachine/dashmachine/user_data
restart: always
networks:
- nginx
foundry:
<<: *logging
image: felddy/foundryvtt:release
volumes:
- foundry:/data
- /mnt/tower/foundry:/data
- /opt/scarif/foundry/patches:/data/patches
restart: always
environment:
- "FOUNDRY_PASSWORD=${FOUNDRY_PASSWORD}"
@@ -40,44 +32,22 @@ services:
- FOUNDRY_PROXY_SSL=true
- FOUNDRY_ROUTE_PREFIX=foundry
- CONTAINER_CACHE=/data/container_cache
- CONTAINER_PATCH_URLS=https://labs.scarif.space/chris/foundry-plutonium-install/raw/branch/main/plutonium.sh
- FOUNDRY_UID=82
- FOUNDRY_GID=82
- CONTAINER_PATCHES=/data/patches
- FOUNDRY_UID=1000
- FOUNDRY_GID=1000
networks:
- nginx
# monica:
# <<: *logging
# build: ./monica
# image: monica
# env_file: ./monica/.env
# environment:
# - APP_URL=https://personel.${DOMAIN}
# - DB_PASSWORD=${DB_PASSWORD}
# - DB_USERNAME=${DB_USER}
# - MAIL_FROM_ADDRESS=${MAIL_FROM}
# - MAIL_HOST=${MAIL_HOST}
# - MAIL_PORT=${MAIL_PORT}
# - MAIL_USERNAME=${MAIL_USER}
# - MAIL_PASSWORD=${MAIL_PASSWORD}
# volumes:
# - monica-data:/var/www/html/storage
# - monica-public:/var/www/html/public
# restart: always
# depends_on:
# - db
# networks:
# - db
# - nginx
nextcloud:
<<: *logging
build: ./nextcloud
image: nextcloud
restart: always
restart: unless-stopped
user: 1000:1000
volumes:
- nextcloud:/var/www/html
- foundry:/var/www/foundry
- /mnt/tower/stardust:/var/www/html/data
- /mnt/tower/foundry:/var/www/foundry
environment:
- REDIS_HOST=redis
- MYSQL_HOST=db
@@ -86,12 +56,16 @@ services:
- MYSQL_USER=${DB_USER}
- NEXTCLOUD_ADMIN_PASSWORD=${NEXTCLOUD_ADMIN_PASSWORD}
- NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER}
- MAIL_FROM=${MAIL_FROM}
- MAIL_HOST=${MAIL_HOST}
- MAIL_PORT=${MAIL_PORT}
- MAIL_USER=${MAIL_USER}
- MAIL_PASSWORD=${MAIL_PASSWORD}
- NEXTCLOUD_TRUSTED_DOMAINS=tower.${DOMAIN}
- MAIL_FROM_ADDRESS=${MAIL_FROM}
- SMTP_HOST=${MAIL_HOST}
- SMTP_PORT=${MAIL_PORT}
- SMTP_USER=${MAIL_USER}
- SMTP_PASSWORD=${MAIL_PASSWORD}
- "NEXTCLOUD_TRUSTED_DOMAINS=tower.${DOMAIN} 127.0.0.1"
- USER_UID=1000
- USER_GID=1000
- APACHE_RUN_USER=1000
- APACHE_RUN_GROUP=1000
depends_on:
- db
- redis
@@ -100,20 +74,17 @@ services:
- redis
- nginx
extra_hosts:
- "tower.scarif.space:${LOCAL_IP}"
- "office.scarif.space:${LOCAL_IP}"
- "tower.${DOMAIN}:${LOCAL_IP}"
- "office.${DOMAIN}:${LOCAL_IP}"
collabora:
<<: *logging
image: collabora/code
restart: always
restart: unless-stopped
cap_add:
- MKNOD
# volumes:
# - /etc/timezone:/etc/timezone:ro
# - /etc/localtime:/etc/localtime:ro
environment:
- DONT_GEN_SSL_CERT="True"
- "DONT_GEN_SSL_CERT=True"
- domain=tower.${DOMAIN}
- cert_domain=office.${DOMAIN}
- server_name=office.${DOMAIN}
@@ -124,20 +95,8 @@ services:
networks:
- nginx
extra_hosts:
- "tower.scarif.space:${LOCAL_IP}"
- "office.scarif.space:${LOCAL_IP}"
pinry:
<<: *logging
image: 'getpinry/pinry'
volumes:
- pinry:/data
- ./pinry/local_settings.py:/data/local_settings.py
networks:
- nginx
- db
depends_on:
- db
- "tower.${DOMAIN}:${LOCAL_IP}"
- "office.${DOMAIN}:${LOCAL_IP}"
gitea:
<<: *logging
@@ -158,6 +117,7 @@ services:
restart: always
volumes:
- gitea:/data
- /mnt/tower/labs:/data/git
- /home/git/.ssh/:/data/git/.ssh/
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
@@ -171,26 +131,18 @@ services:
jitsi:
<<: *logging
image: jitsi/web:latest
restart: always
image: jitsi/web:stable
restart: unless-stopped
volumes:
- ${CONFIG}/web:/config:Z
- ${CONFIG}/web/crontabs:/var/spool/cron/crontabs:Z
- ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z
environment:
- ENABLE_LETSENCRYPT
- ENABLE_HTTP_REDIRECT
- ENABLE_HSTS
- ENABLE_XMPP_WEBSOCKET
- DISABLE_HTTPS
- LETSENCRYPT_DOMAIN
- LETSENCRYPT_EMAIL
- LETSENCRYPT_USE_STAGING
- PUBLIC_URL
- TZ
- AMPLITUDE_ID
- ANALYTICS_SCRIPT_URLS
- ANALYTICS_WHITELISTED_EVENTS
- BRIDGE_CHANNEL
- AUDIO_QUALITY_OPUS_BITRATE
- AUTO_CAPTION_ON_RECORD
- BRANDING_DATA_URL
- CALLSTATS_CUSTOM_SCRIPT_URL
- CALLSTATS_ID
@@ -198,30 +150,60 @@ services:
- CHROME_EXTENSION_BANNER_JSON
- CONFCODE_URL
- CONFIG_EXTERNAL_CONNECT
- DEFAULT_LANGUAGE
- DEPLOYMENTINFO_ENVIRONMENT
- DEPLOYMENTINFO_ENVIRONMENT_TYPE
- DEPLOYMENTINFO_REGION
- DEPLOYMENTINFO_SHARD
- DEPLOYMENTINFO_USERREGION
- DESKTOP_SHARING_FRAMERATE_MIN
- DESKTOP_SHARING_FRAMERATE_MAX
- DIALIN_NUMBERS_URL
- DIALOUT_AUTH_URL
- DIALOUT_CODES_URL
- DISABLE_AUDIO_LEVELS
- DISABLE_DEEP_LINKING
- DISABLE_GRANT_MODERATOR
- DISABLE_HTTPS
- DISABLE_KICKOUT
- DISABLE_LOCAL_RECORDING
- DISABLE_POLLS
- DISABLE_PRIVATE_CHAT
- DISABLE_PROFILE
- DISABLE_REACTIONS
- DISABLE_REMOTE_VIDEO_MENU
- DISABLE_START_FOR_ALL
- DROPBOX_APPKEY
- DROPBOX_REDIRECT_URI
- DYNAMIC_BRANDING_URL
- ENABLE_AUDIO_PROCESSING
- ENABLE_AUTH
- ENABLE_BREAKOUT_ROOMS
- ENABLE_CALENDAR
- ENABLE_FILE_RECORDING_SERVICE
- ENABLE_FILE_RECORDING_SERVICE_SHARING
- ENABLE_COLIBRI_WEBSOCKET
- ENABLE_E2EPING
- ENABLE_FILE_RECORDING_SHARING
- ENABLE_GUESTS
- ENABLE_HSTS
- ENABLE_HTTP_REDIRECT
- ENABLE_IPV6
- ENABLE_LETS_ENCRYPT
- ENABLE_LIPSYNC
- ENABLE_NO_AUDIO_DETECTION
- ENABLE_P2P
- ENABLE_NOISY_MIC_DETECTION
- ENABLE_OCTO
- ENABLE_OPUS_RED
- ENABLE_PREJOIN_PAGE
- ENABLE_P2P
- ENABLE_WELCOME_PAGE
- ENABLE_CLOSE_PAGE
- ENABLE_LIVESTREAMING
- ENABLE_LOCAL_RECORDING_NOTIFY_ALL_PARTICIPANT
- ENABLE_LOCAL_RECORDING_SELF_START
- ENABLE_RECORDING
- ENABLE_REMB
- ENABLE_REQUIRE_DISPLAY_NAME
- ENABLE_SERVICE_RECORDING
- ENABLE_SIMULCAST
- ENABLE_STATS_ID
- ENABLE_STEREO
@@ -229,12 +211,22 @@ services:
- ENABLE_TALK_WHILE_MUTED
- ENABLE_TCC
- ENABLE_TRANSCRIPTIONS
- ENABLE_XMPP_WEBSOCKET
- ENABLE_JAAS_COMPONENTS
- ETHERPAD_PUBLIC_URL
- ETHERPAD_URL_BASE
- E2EPING_NUM_REQUESTS
- E2EPING_MAX_CONFERENCE_SIZE
- E2EPING_MAX_MESSAGE_PER_SECOND
- GOOGLE_ANALYTICS_ID
- GOOGLE_API_APP_CLIENT_ID
- HIDE_PREMEETING_BUTTONS
- HIDE_PREJOIN_DISPLAY_NAME
- HIDE_PREJOIN_EXTRA_BUTTONS
- INVITE_SERVICE_URL
- JICOFO_AUTH_USER
- LETSENCRYPT_DOMAIN
- LETSENCRYPT_EMAIL
- LETSENCRYPT_USE_STAGING
- MATOMO_ENDPOINT
- MATOMO_SITE_ID
- MICROSOFT_API_APP_CLIENT_ID
@@ -242,38 +234,59 @@ services:
- NGINX_WORKER_PROCESSES
- NGINX_WORKER_CONNECTIONS
- PEOPLE_SEARCH_URL
- PREFERRED_LANGUAGE
- PUBLIC_URL
- P2P_PREFERRED_CODEC
- RESOLUTION
- RESOLUTION_MIN
- RESOLUTION_WIDTH
- RESOLUTION_WIDTH_MIN
- START_AUDIO_ONLY
- START_AUDIO_MUTED
- DISABLE_AUDIO_LEVELS
- ENABLE_NOISY_MIC_DETECTION
- START_AUDIO_ONLY
- START_BITRATE
- START_SILENT
- START_WITH_AUDIO_MUTED
- START_VIDEO_MUTED
- START_WITH_VIDEO_MUTED
- TESTING_CAP_SCREENSHARE_BITRATE
- TESTING_OCTO_PROBABILITY
- TOKEN_AUTH_URL
- TOOLBAR_BUTTONS
- TRANSLATION_LANGUAGES
- TRANSLATION_LANGUAGES_HEAD
- TZ
- USE_APP_LANGUAGE
- VIDEOQUALITY_BITRATE_H264_LOW
- VIDEOQUALITY_BITRATE_H264_STANDARD
- VIDEOQUALITY_BITRATE_H264_HIGH
- VIDEOQUALITY_BITRATE_VP8_LOW
- VIDEOQUALITY_BITRATE_VP8_STANDARD
- VIDEOQUALITY_BITRATE_VP8_HIGH
- VIDEOQUALITY_BITRATE_VP9_LOW
- VIDEOQUALITY_BITRATE_VP9_STANDARD
- VIDEOQUALITY_BITRATE_VP9_HIGH
- VIDEOQUALITY_ENFORCE_PREFERRED_CODEC
- VIDEOQUALITY_PREFERRED_CODEC
- XMPP_AUTH_DOMAIN
- XMPP_BOSH_URL_BASE
- XMPP_DOMAIN
- XMPP_GUEST_DOMAIN
- XMPP_MUC_DOMAIN
- XMPP_RECORDER_DOMAIN
- TOKEN_AUTH_URL
- XMPP_PORT
- WHITEBOARD_ENABLED
- WHITEBOARD_COLLAB_SERVER_PUBLIC_URL
networks:
nginx:
meet.jitsi:
aliases:
- ${XMPP_DOMAIN}
# XMPP server
prosody:
<<: *logging
image: jitsi/prosody:latest
restart: always
image: jitsi/prosody:stable
restart: unless-stopped
expose:
- '5222'
- '${XMPP_PORT:-52222}'
- '5347'
- '5280'
volumes:
@@ -281,46 +294,35 @@ services:
- ${CONFIG}/prosody/prosody-plugins-custom:/prosody-plugins-custom:Z
environment:
- AUTH_TYPE
- DISABLE_POLLS
- ENABLE_AUTH
- ENABLE_AV_MODERATION
- ENABLE_BREAKOUT_ROOMS
- ENABLE_END_CONFERENCE
- ENABLE_GUESTS
- ENABLE_IPV6
- ENABLE_LOBBY
- ENABLE_RECORDING
- ENABLE_XMPP_WEBSOCKET
- GLOBAL_MODULES
- ENABLE_JAAS_COMPONENTS
- GC_TYPE
- GC_INC_TH
- GC_INC_SPEED
- GC_INC_STEP_SIZE
- GC_GEN_MIN_TH
- GC_GEN_MAX_TH
- GLOBAL_CONFIG
- LDAP_URL
- LDAP_BASE
- LDAP_BINDDN
- LDAP_BINDPW
- LDAP_FILTER
- LDAP_AUTH_METHOD
- LDAP_VERSION
- LDAP_USE_TLS
- LDAP_TLS_CIPHERS
- LDAP_TLS_CHECK_PEER
- LDAP_TLS_CACERT_FILE
- LDAP_TLS_CACERT_DIR
- LDAP_START_TLS
- XMPP_DOMAIN
- XMPP_AUTH_DOMAIN
- XMPP_GUEST_DOMAIN
- XMPP_MUC_DOMAIN
- XMPP_INTERNAL_MUC_DOMAIN
- XMPP_MODULES
- XMPP_MUC_MODULES
- XMPP_INTERNAL_MUC_MODULES
- XMPP_RECORDER_DOMAIN
- XMPP_CROSS_DOMAIN
- JICOFO_COMPONENT_SECRET
- JICOFO_AUTH_USER
- JICOFO_AUTH_PASSWORD
- JVB_AUTH_USER
- JVB_AUTH_PASSWORD
- JIGASI_XMPP_USER
- JIGASI_XMPP_PASSWORD
- JIBRI_XMPP_USER
- JIBRI_XMPP_PASSWORD
- GLOBAL_MODULES
- JIBRI_RECORDER_USER
- JIBRI_RECORDER_PASSWORD
- JIBRI_XMPP_USER
- JIBRI_XMPP_PASSWORD
- JICOFO_AUTH_PASSWORD
- JICOFO_COMPONENT_SECRET
- JIGASI_XMPP_USER
- JIGASI_XMPP_PASSWORD
- JVB_AUTH_USER
- JVB_AUTH_PASSWORD
- JWT_APP_ID
- JWT_APP_SECRET
- JWT_ACCEPTED_ISSUERS
@@ -328,40 +330,97 @@ services:
- JWT_ASAP_KEYSERVER
- JWT_ALLOW_EMPTY
- JWT_AUTH_TYPE
- JWT_ENABLE_DOMAIN_VERIFICATION
- JWT_TOKEN_AUTH_MODULE
- MATRIX_UVS_URL
- MATRIX_UVS_ISSUER
- MATRIX_UVS_AUTH_TOKEN
- MATRIX_UVS_SYNC_POWER_LEVELS
- LOG_LEVEL
- LDAP_AUTH_METHOD
- LDAP_BASE
- LDAP_BINDDN
- LDAP_BINDPW
- LDAP_FILTER
- LDAP_VERSION
- LDAP_TLS_CIPHERS
- LDAP_TLS_CHECK_PEER
- LDAP_TLS_CACERT_FILE
- LDAP_TLS_CACERT_DIR
- LDAP_START_TLS
- LDAP_URL
- LDAP_USE_TLS
- MAX_PARTICIPANTS
- PROSODY_RESERVATION_ENABLED
- PROSODY_RESERVATION_REST_BASE_URL
- PUBLIC_URL
- TURN_CREDENTIALS
- TURN_HOST
- TURNS_HOST
- TURN_PORT
- TURNS_PORT
- TURN_TRANSPORT
- TZ
- XMPP_DOMAIN
- XMPP_AUTH_DOMAIN
- XMPP_GUEST_DOMAIN
- XMPP_MUC_DOMAIN
- XMPP_INTERNAL_MUC_DOMAIN
- XMPP_MODULES
- XMPP_MUC_MODULES
- XMPP_MUC_CONFIGURATION
- XMPP_INTERNAL_MUC_MODULES
- XMPP_RECORDER_DOMAIN
- XMPP_PORT
networks:
meet.jitsi:
aliases:
- ${XMPP_SERVER}
- ${XMPP_SERVER:-xmpp.meet.jitsi}
# Focus component
jicofo:
<<: *logging
image: jitsi/jicofo:latest
restart: always
image: jitsi/jicofo:stable
restart: unless-stopped
volumes:
- ${CONFIG}/jicofo:/config:Z
environment:
- AUTH_TYPE
- BRIDGE_AVG_PARTICIPANT_STRESS
- BRIDGE_STRESS_THRESHOLD
- ENABLE_AUTH
- ENABLE_AUTO_OWNER
- ENABLE_CODEC_VP8
- ENABLE_CODEC_VP9
- ENABLE_CODEC_H264
- ENABLE_OCTO
- ENABLE_RECORDING
- ENABLE_SCTP
- ENABLE_AUTO_LOGIN
- JICOFO_AUTH_PASSWORD
- JICOFO_ENABLE_BRIDGE_HEALTH_CHECKS
- JICOFO_CONF_INITIAL_PARTICIPANT_WAIT_TIMEOUT
- JICOFO_CONF_SINGLE_PARTICIPANT_TIMEOUT
- JICOFO_ENABLE_HEALTH_CHECKS
- JIBRI_BREWERY_MUC
- JIBRI_REQUEST_RETRIES
- JIBRI_PENDING_TIMEOUT
- JIGASI_BREWERY_MUC
- JIGASI_SIP_URI
- JVB_BREWERY_MUC
- MAX_BRIDGE_PARTICIPANTS
- OCTO_BRIDGE_SELECTION_STRATEGY
- SENTRY_DSN="${JICOFO_SENTRY_DSN:-0}"
- SENTRY_ENVIRONMENT
- SENTRY_RELEASE
- TZ
- XMPP_DOMAIN
- XMPP_AUTH_DOMAIN
- XMPP_INTERNAL_MUC_DOMAIN
- XMPP_MUC_DOMAIN
- XMPP_RECORDER_DOMAIN
- XMPP_SERVER
- JICOFO_COMPONENT_SECRET
- JICOFO_AUTH_USER
- JICOFO_AUTH_PASSWORD
- JICOFO_RESERVATION_REST_BASE_URL
- JVB_BREWERY_MUC
- JIGASI_BREWERY_MUC
- JIGASI_SIP_URI
- JIBRI_BREWERY_MUC
- JIBRI_PENDING_TIMEOUT
- TZ
- XMPP_PORT
depends_on:
- prosody
networks:
@@ -370,31 +429,42 @@ services:
# Video bridge
jvb:
<<: *logging
image: jitsi/jvb:latest
restart: always
image: jitsi/jvb:stable
restart: unless-stopped
ports:
- '${JVB_PORT}:${JVB_PORT}/udp'
- '${JVB_TCP_PORT}:${JVB_TCP_PORT}'
- '${JVB_PORT:-10000}:${JVB_PORT:-10000}/udp'
- '127.0.0.1:${JVB_COLIBRI_PORT:-8080}:8080'
volumes:
- ${CONFIG}/jvb:/config:Z
environment:
- DOCKER_HOST_ADDRESS
- XMPP_AUTH_DOMAIN
- XMPP_INTERNAL_MUC_DOMAIN
- XMPP_SERVER
- ENABLE_COLIBRI_WEBSOCKET
- ENABLE_OCTO
- JVB_ADVERTISE_IPS
- JVB_ADVERTISE_PRIVATE_CANDIDATES
- JVB_AUTH_USER
- JVB_AUTH_PASSWORD
- JVB_BREWERY_MUC
- JVB_DISABLE_STUN
- JVB_PORT
- JVB_TCP_HARVESTER_DISABLED
- JVB_TCP_PORT
- JVB_TCP_MAPPED_PORT
- JVB_MUC_NICKNAME
- JVB_STUN_SERVERS
- JVB_ENABLE_APIS
- JVB_OCTO_BIND_ADDRESS
- JVB_OCTO_REGION
- JVB_OCTO_RELAY_ID
- JVB_WS_DOMAIN
- JVB_WS_SERVER_ID
- PUBLIC_URL
- SENTRY_DSN="${JVB_SENTRY_DSN:-0}"
- SENTRY_ENVIRONMENT
- SENTRY_RELEASE
- COLIBRI_REST_ENABLED
- SHUTDOWN_REST_ENABLED
- TZ
- XMPP_AUTH_DOMAIN
- XMPP_INTERNAL_MUC_DOMAIN
- XMPP_SERVER
- XMPP_PORT
depends_on:
- prosody
networks:
@@ -432,42 +502,33 @@ services:
- /opt/ssl:/etc/nginx/certs:ro
- ./nginx/nginx.conf.template:/etc/nginx/conf.d/nginx.conf.template
- ./nginx/generate_conf.sh:/docker-entrypoint.d/generate_conf.sh
- monica-public:/var/www/html/monica/public:ro
- monica-data:/var/www/html/monica/storage:ro
- nextcloud:/var/www/html/nextcloud:ro
- ./christmas:/var/www/html/christmas:ro
environment:
- DOMAIN=${DOMAIN}
depends_on:
- dashboard
# - monica
- nextcloud
- gitea
- collabora
- pinry
ports:
- 80:80
- 443:443
networks:
- nginx
# certs:
# <<: *certs
# environment:
# - SSL_SUBJECT=${DOMAIN}
# - CA_SUBJECT=chris@${DOMAIN}
# - SSL_KEY=/certs/${DOMAIN}.key
# - SSL_CSR=/certs/${DOMAIN}.csr
# - SSL_CERT=/certs/${DOMAIN}.crt
certs:
<<: *certs
environment:
- SSL_SUBJECT=${DOMAIN}
- CA_SUBJECT=chris@${DOMAIN}
- SSL_KEY=/certs/${DOMAIN}.key
- SSL_CSR=/certs/${DOMAIN}.csr
- SSL_CERT=/certs/${DOMAIN}.crt
volumes:
db:
gitea:
monica-public:
monica-data:
nextcloud:
dashboard:
pinry:
foundry:
networks:
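Review bot: Re-enabling the `certs` service (near the end of the section) means nginx now serves a self-signed certificate for `${DOMAIN}`, yet nextcloud and collabora are given `extra_hosts` entries that resolve `tower.${DOMAIN}` and `office.${DOMAIN}` to `${LOCAL_IP}`, i.e. back through that nginx; unless the generated CA is placed in those containers' trust stores, their server-to-server calls will presumably fail TLS verification, and the tempting workaround of disabling verification would leave that traffic interceptable on the LAN. Mount the CA certificate read-only into both containers and register it there instead of switching verification off; the `*certs` anchor is defined outside this diff, so I cannot see where the CA file lands. On supply chain, `jitsi/*:stable`, `felddy/foundryvtt:release` and the untagged `collabora/code` are all mutable tags, so any re-pull changes what runs; pin each image to a specific version tag or an `image@sha256:…` digest and bump deliberately. The `'127.0.0.1:${JVB_COLIBRI_PORT:-8080}:8080'` binding correctly keeps the JVB REST API off the LAN — keep it that way if `COLIBRI_REST_ENABLED` or `SHUTDOWN_REST_ENABLED` is ever set.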

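--- /dev/null
+++ b/exports
@@ -0,0 +1,14 @@
+# /etc/exports - exports(5) - directories exported to NFS clients
+#
+# Example for NFSv3:
+# /srv/home hostname1(rw,sync) hostname2(ro,sync)
+# Example for NFSv4:
+/mnt/tower/stardust/chris/files 192.168.2.0/24(rw,sync,no_subtree_check)
+#/mnt/tower/stardust/chris/files 192.168.1.0/24(rw,sync)
+# /srv/nfs4 hostname1(rw,sync,fsid=0)
+# /srv/nfs4/home hostname1(rw,sync,nohide)
+# Using Kerberos and integrity checking:
+# /srv/nfs4 *(rw,sync,sec=krb5i,fsid=0)
+# /srv/nfs4/home *(rw,sync,sec=krb5i,nohide)
+#
+# Use `exportfs -arv` to reload.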
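Review bot: `/mnt/tower/stardust/chris/files 192.168.2.0/24(rw,sync,no_subtree_check)` exports with the default `sec=sys`, so any host on that /24 that presents uid 1000 writes as the Nextcloud data owner (docker-compose in this commit runs nextcloud as `user: 1000:1000` with `/mnt/tower/stardust` mounted as its data directory) — the only authentication is the client's own claim of its uid. The `sec=krb5i` example a few lines below is the real fix; short of Kerberos, narrow the client list to the machines that need it and make the uid mapping explicit, e.g. `/mnt/tower/stardust/chris/files <client-ip>(rw,sync,no_subtree_check,all_squash,anonuid=1000,anongid=1000)`, and keep the implicit `root_squash` rather than ever adding `no_root_squash`. The exported subnet (`192.168.2.0/24`, with `192.168.1.0/24` left commented out) also differs from `LOCAL_IP=192.168.10.10` in `.env`, so confirm which LAN the clients actually sit on. Replace the commented-out line with a short note on why that subnet was dropped, or delete it, so the next reader does not re-enable it by accident.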


@@ -0,0 +1,46 @@
#!/bin/sh
# This patch script is for use with the felddy/foundryvtt Docker container.
# See: https://github.com/felddy/foundryvtt-docker#readme
# Installs the Plutonium module if it is not yet installed, and then patches the
# Foundry server to call the Plutonium backend.
MAIN_JS="${FOUNDRY_HOME}/resources/app/main.mjs"
MODULE_BACKEND_JS="/data/Data/modules/plutonium/server/${FOUNDRY_VERSION:0:3}.x/plutonium-backend.mjs"
MODULE_DIR="/data/Data/modules"
MODULE_URL="https://github.com/TheGiddyLimit/plutonium-next/raw/master/plutonium-foundry10.zip"
MODULE_DOC_URL="https://wiki.tercept.net/en/Plutonium/Plutonium_Installation"
WORKDIR=$(mktemp -d)
ZIP_FILE="${WORKDIR}/plutonium.zip"
log "Installing Plutonium module and backend."
log "See: ${MODULE_DOC_URL}"
if [ ! -f $MODULE_BACKEND_JS ]; then
log "Downloading Plutonium module."
curl -L --output "${ZIP_FILE}" "${MODULE_URL}" 2>&1 | tr "\r" "\n"
log "Ensuring module directory exists."
mkdir -p "${MODULE_DIR}"
log "Installing Plutonium module."
unzip -o "${ZIP_FILE}" -d "${MODULE_DIR}"
fi
log "Installing Plutonium backend."
cp "${MODULE_BACKEND_JS}" "${FOUNDRY_HOME}/resources/app/"
log "Patching main.mjs to use plutonium-backend."
sed -z --file=- --in-place=.orig ${MAIN_JS} << SED_SCRIPT
s/\(init\.default({[^}]\+})\)\
/await \1;\n(await import(".\/plutonium-backend.mjs")).Plutonium.init();/g\
w plutonium_patchlog.txt
SED_SCRIPT
if [ -s plutonium_patchlog.txt ]; then
log "Plutonium backend patch was applied successfully."
log "Plutonium art and media tools will be enabled."
else
log_error "Plutonium backend patch could not be applied."
log_error "main.js did not contain the expected source lines."
log_warn "Foundry Virtual Tabletop will still operate without the art and media tools enabled."
log_warn "Update this patch file to a version that supports Foundry Virtual Tabletop ${FOUNDRY_VERSION}."
fi
log "Cleaning up."
rm -r ${WORKDIR}
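Review bot: `curl -L --output "${ZIP_FILE}" "${MODULE_URL}"` fetches `plutonium-foundry10.zip` from the mutable `master` ref with no `-f` and no integrity check, and the script then copies `plutonium-backend.mjs` into the Foundry server tree and patches `main.mjs` to import it — so whatever that branch serves on install day runs with the server's privileges, and on an HTTP error the error page itself is saved and handed to `unzip` as the module. Pin the URL to a commit SHA, record the archive's SHA-256, use `curl -f` so HTTP errors abort, fail closed on mismatch, and only patch `main.mjs` when the backend file is actually present (today a failed download still leaves `main.mjs` importing a missing module); the rewritten download and guard are below. Two smaller points: `${FOUNDRY_VERSION:0:3}` is a bash substring expansion but the shebang is `#!/bin/sh`, which only works if the container sources the patch under bash — confirm, and either way make the shebang match — and the unquoted `$MODULE_BACKEND_JS` in the `[ -f … ]` test and `${WORKDIR}` in the final `rm -r` should be quoted. `log`, `log_error` and `log_warn` are not defined in this file and are presumably supplied by the container entrypoint; a one-line comment saying so would help.
```shell
MODULE_URL="https://github.com/TheGiddyLimit/plutonium-next/raw/<commit-sha>/plutonium-foundry10.zip"
# SHA-256 of the archive at that commit; update it together with MODULE_URL.
MODULE_SHA256="<expected-sha256>"
# … unchanged: MODULE_DOC_URL, WORKDIR, ZIP_FILE, opening log lines …
if [ ! -f "${MODULE_BACKEND_JS}" ]; then
  log "Downloading Plutonium module."
  # -f turns HTTP errors into a non-zero exit instead of saving the error page as the zip.
  if curl -fsSL --output "${ZIP_FILE}" "${MODULE_URL}" \
      && echo "${MODULE_SHA256}  ${ZIP_FILE}" | sha256sum -c - >/dev/null 2>&1; then
    log "Ensuring module directory exists."
    mkdir -p "${MODULE_DIR}"
    log "Installing Plutonium module."
    unzip -o "${ZIP_FILE}" -d "${MODULE_DIR}"
  else
    log_error "Download or checksum verification of ${MODULE_URL} failed; Plutonium not installed."
  fi
fi
# Only touch main.mjs when the backend exists, otherwise Foundry imports a missing module at startup.
if [ -f "${MODULE_BACKEND_JS}" ]; then
  log "Installing Plutonium backend."
  cp "${MODULE_BACKEND_JS}" "${FOUNDRY_HOME}/resources/app/"
  # … unchanged: sed patch of main.mjs and plutonium_patchlog.txt check …
else
  log_error "Plutonium backend not present; leaving main.mjs untouched."
fi
log "Cleaning up."
rm -r "${WORKDIR}"
```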


@@ -1,168 +0,0 @@
#
# Welcome, friend ❤. Thanks for trying out Monica. We hope you'll have fun.
#
# Two choices: local|production. Use local if you want to install Monica as a
# development version. Use production otherwise.
APP_ENV=production
# true if you want to show debug information on errors. For production, put this
# to false.
APP_DEBUG=false
# The encryption key. This is the most important part of the application. Keep
# this secure otherwise, everyone will be able to access your application.
# Must be 32 characters long exactly.
# Use `php artisan key:generate` or `pwgen -s 32 1` to generate a random key.
APP_KEY=LUdDIZ6FcVn0Lvajb6IY4cwGvAaomVtP
# Prevent information leakage by referring to IDs with hashIds instead of
# the actual IDs used in the database.
HASH_SALT=YIfc5Go7H1TNxwnS7Uza
HASH_LENGTH=18
# The URL of your application.
#APP_URL=
# Force using APP_URL as base url of your application.
# You should not need this, unless you are using subdirectory config.
APP_FORCE_URL=false
# Database information
# To keep this information secure, we urge you to change the default password
# Currently only "mysql" compatible servers are working
DB_CONNECTION=mysql
DB_HOST=db
DB_PORT=3306
# You can use mysql unix socket if available, it overrides DB_HOST and DB_PORT values.
#DB_UNIX_SOCKET=/var/run/mysqld/mysqld.sock
DB_DATABASE=monica
#DB_USERNAME=
#DB_PASSWORD=
DB_PREFIX=
DB_TEST_HOST=127.0.0.1
DB_TEST_DATABASE=monica_test
DB_TEST_USERNAME=homestead
DB_TEST_PASSWORD=secret
# Use utf8mb4 database charset format to support emoji characters
# ⚠ be sure your DBMS supports utf8mb4 format
DB_USE_UTF8MB4=true
# Mail credentials used to send emails from the application.
MAIL_MAILER=smtp
#MAIL_HOST=
#MAIL_PORT=
#MAIL_USERNAME=
#MAIL_PASSWORD=
MAIL_ENCRYPTION=ssl
# Outgoing emails will be sent with these identity
#MAIL_FROM_ADDRESS=
MAIL_FROM_NAME="Scarif"
# New registration notification sent to this email
APP_EMAIL_NEW_USERS_NOTIFICATION=
# Ability to disable signups on your instance.
# Can be true or false. Default to false.
APP_DISABLE_SIGNUP=true
# Enable user email verification.
APP_SIGNUP_DOUBLE_OPTIN=false
# Set trusted proxy IP addresses.
# To trust all proxies that connect directly to your server, use a "*".
# To trust one or more specific proxies that connect directly to your server,
# use a comma separated list of IP addresses.
APP_TRUSTED_PROXIES=
# Enable automatic cloudflare trusted proxy discover
APP_TRUSTED_CLOUDFLARE=false
# Frequency of creation of new log files. Logs are written when an error occurs.
# Refer to config/logging.php for the possible values.
LOG_CHANNEL=daily
# Error tracking. Specific to hosted version on .com. You probably don't need
# those.
SENTRY_SUPPORT=false
SENTRY_LARAVEL_DSN=
# Send a daily ping to https://version.monicahq.com to check if a new version
# is available. When a new version is detected, you will have a message in the
# UI, as well as the release notes for the new changes. Can be true or false.
# Default to true.
CHECK_VERSION=true
# Cache, session, and queue parameters
# ⚠ Change this only if you know what you are doing
#. Cache: database, file, memcached, redis, dynamodb
#. Session: file, cookie, database, apc, memcached, redis, array
#. Queue: sync, database, beanstalkd, sqs, redis
# If Queue is not set to 'sync', you'll have to set a queue worker
# See https://laravel.com/docs/5.7/queues#running-the-queue-worker
CACHE_DRIVER=database
SESSION_DRIVER=file
SESSION_LIFETIME=120
QUEUE_CONNECTION=database
# If you use redis, set the redis host or ip, like:
#REDIS_HOST=redis
# Maximum allowed size for uploaded files, in kilobytes.
# Make sure this is an integer, without commas or spaces.
DEFAULT_MAX_UPLOAD_SIZE=10240
# Maximum allowed storage size per account, in megabytes.
# Make sure this is an integer, without commas or spaces.
DEFAULT_MAX_STORAGE_SIZE=512
# Default filesystem to store uploaded files.
# Possible values: public|s3
DEFAULT_FILESYSTEM=public
# AWS keys for S3 when using this storage method
AWS_KEY=
AWS_SECRET=
AWS_REGION=us-east-1
AWS_BUCKET=
AWS_SERVER=
# Allow Two Factor Authentication feature on your instance
MFA_ENABLED=true
# Enable DAV support
DAV_ENABLED=true
# CLIENT ID and SECRET used for OAuth authentication
PASSPORT_PERSONAL_ACCESS_CLIENT_ID=
PASSPORT_PERSONAL_ACCESS_CLIENT_SECRET=
# Allow to access general statistics about your instance through a public API
# call
ALLOW_STATISTICS_THROUGH_PUBLIC_API_ACCESS=false
# Indicates that each user in the instance must comply to international policies
# like CASL or GDPR
POLICY_COMPLIANT=true
# Enable geolocation services
# This is used to translate addresses to GPS coordinates.
ENABLE_GEOLOCATION=false
# API key for geolocation services
# We use LocationIQ (https://locationiq.com/) to translate addresses to
# latitude/longitude coordinates. We could use Google instead but we don't
# want to give anything to Google, ever.
# LocationIQ offers 10,000 free requests per day.
LOCATION_IQ_API_KEY=
# Enable weather on contact profile page
# Weather can only be fetched if we know longitude/latitude - this is why
# you also need to activate the geolocation service above to make it work
ENABLE_WEATHER=false
# Access to weather data from darksky api
# https://darksky.net/dev/register
# Darksky provides an api with 1000 free API calls per day
# You need to enable the weather above if you provide an API key here.
DARKSKY_API_KEY=


@@ -1,29 +0,0 @@
FROM monica:fpm
# Add wait-for-it
#ADD https://raw.githubusercontent.com/vishnubob/wait-for-it/master/wait-for-it.sh /bin/wait-for-it.sh
#RUN chmod +x /bin/wait-for-it.sh
# Add S6 supervisor (for graceful stop)
ADD https://github.com/just-containers/s6-overlay/releases/download/v1.21.1.1/s6-overlay-amd64.tar.gz /tmp/
RUN tar xzf /tmp/s6-overlay-amd64.tar.gz -C /
COPY entrypoint.sh /usr/local/bin
RUN chmod 755 /usr/local/bin/entrypoint.sh
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
CMD ["/init"]
RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini"
# Copy PHP-FPM service script
COPY start-fpm.sh /etc/services.d/php_fpm/run
RUN chmod 755 /etc/services.d/php_fpm/run
# Copy cron service script
COPY start-cron.sh /etc/services.d/cron/run
RUN chmod 755 /etc/services.d/cron/run
# Copy queue service script
COPY start-queue.sh /etc/services.d/queue/run
RUN chmod 755 /etc/services.d/queue/run


@@ -1,72 +0,0 @@
#!/bin/bash
set -Eeo pipefail
# wait for the database to start
waitfordb() {
HOST=${DB_HOST:-mysql}
PORT=${DB_PORT:-3306}
echo "Connecting to ${HOST}:${PORT}"
attempts=0
max_attempts=30
while [ $attempts -lt $max_attempts ]; do
busybox nc -w 1 "${HOST}:${PORT}" && break
echo "Waiting for ${HOST}:${PORT}..."
sleep 1
let "attempts=attempts+1"
done
if [ $attempts -eq $max_attempts ]; then
echo "Unable to contact your database at ${HOST}:${PORT}"
exit 1
fi
echo "Waiting for database to settle..."
sleep 3
}
if [ "$1" = "/init" ]; then
MONICADIR=/var/www/html
ARTISAN="php ${MONICADIR}/artisan"
# Ensure storage directories are present
STORAGE=${MONICADIR}/storage
mkdir -p ${STORAGE}/logs
mkdir -p ${STORAGE}/app/public
mkdir -p ${STORAGE}/framework/views
mkdir -p ${STORAGE}/framework/cache
mkdir -p ${STORAGE}/framework/sessions
chown -R www-data:www-data ${STORAGE}
chmod -R g+rw ${STORAGE}
if [ -z "${APP_KEY:-}" -o "$APP_KEY" = "ChangeMeBy32KeyLengthOrGenerated" ]; then
${ARTISAN} key:generate --no-interaction
else
echo "APP_KEY already set"
fi
# Run migrations
waitfordb
${ARTISAN} monica:update --force -vv
# Override the linking done by monica:update to use relative paths so the nginx directory can be anywhere
unlink ${MONICADIR}/public/storage
ln -s ../storage/app/public /var/www/html/public/storage
if [ -n "${SENTRY_SUPPORT:-}" -a "$SENTRY_SUPPORT" = "true" -a -z "${SENTRY_NORELEASE:-}" -a -n "${SENTRY_ENV:-}" ]; then
commit=$(cat .sentry-commit)
release=$(cat .sentry-release)
${ARTISAN} sentry:release --release="$release" --commit="$commit" --environment="$SENTRY_ENV" --force -v || true
fi
if [ ! -f "${STORAGE}/oauth-public.key" -o ! -f "${STORAGE}/oauth-private.key" ]; then
echo "Passport keys creation ..."
${ARTISAN} passport:keys
${ARTISAN} passport:client --personal --no-interaction
echo "! Please be careful to backup $MONICADIR/storage/oauth-public.key and $MONICADIR/storage/oauth-private.key files !"
fi
fi
exec "$@"


@@ -1,5 +0,0 @@
#!/usr/bin/with-contenv sh
set -eu;
# Start Cron
exec busybox crond -f -l 0 -L /proc/1/fd/1


@@ -1,5 +0,0 @@
#!/usr/bin/with-contenv sh
set -e;
# Start PHP-FPM
php-fpm -R --nodaemonize


@@ -1,5 +0,0 @@
#!/usr/bin/with-contenv sh
set -eu;
# Start Queue
exec php /var/www/html/artisan queue:work --sleep=10 --timeout=0 --tries=3 --queue=default,migration >/proc/1/fd/1 2>/proc/1/fd/2


@@ -36,7 +36,16 @@ RUN mkdir -p \
/var/run/supervisord \
;
COPY --chown=www-data:root config /var/www/html/config
RUN addgroup -S -g 1000 nextcloud; \
adduser -S -u 1000 -G nextcloud nextcloud; \
sed -i -e "s/^user = .*$/user = nextcloud/" /usr/local/etc/php-fpm.d/www.conf; \
sed -i -e "s/^group = .*$/group = nextcloud/" /usr/local/etc/php-fpm.d/www.conf; \
chown -R nextcloud:root /var/www; \
chmod -R g=u /var/www; \
chown -R nextcloud:root /usr/local/etc/php/conf.d; \
chown -R nextcloud:root /var/log/supervisord;
# COPY --chown=nextcloud:root config /var/www/html/config
COPY supervisord.conf /
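Review bot: `chown -R nextcloud:root /usr/local/etc/php/conf.d` in the new RUN step gives the PHP runtime user write access to its own interpreter configuration, so a compromised PHP process could rewrite `disable_functions`, `open_basedir` or opcache settings and undo any hardening placed there; `chown -R nextcloud:root /var/www` plus `chmod -R g=u /var/www` likewise makes the whole web root (including `config/`) writable by the app user, though Nextcloud's updater and `config.php` writes genuinely need that under `/var/www/html`. If the conf.d chown exists only so an entrypoint can drop an ini file at start, generate that file at build time and leave conf.d root-owned; if it really must be written at runtime, chown just that one file rather than the directory. Also, the context line `COPY --chown=www-data:root config /var/www/html/config` is now superseded by the recursive chown, so the new commented-out `# COPY --chown=nextcloud:root config …` line is archaeology and can go, or be replaced by a one-line comment explaining that ownership is fixed up in the RUN step below. The rest of the Dockerfile is outside this hunk.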


@@ -18,7 +18,8 @@ $CONFIG = [
*/
'trusted_domains' =>
[
'tower.scarif.space',
'tower.scarif.local',
'127.0.0.1',
],
/**

nfs.conf Normal file

@@ -0,0 +1,101 @@
#
# This is a general configuration for the
# NFS daemons and tools
#
[general]
# pipefs-directory=/var/lib/nfs/rpc_pipefs
#
[nfsrahead]
# nfs=15000
# nfs4=16000
#
[exports]
# rootdir=/export
#
[exportfs]
# debug=0
#
[gssd]
# verbosity=0
# rpc-verbosity=0
# use-memcache=0
# use-machine-creds=1
# use-gss-proxy=0
# avoid-dns=1
# limit-to-legacy-enctypes=0
# context-timeout=0
# rpc-timeout=5
# keytab-file=/etc/krb5.keytab
# cred-cache-directory=
# preferred-realm=
# set-home=1
# upcall-timeout=30
# cancel-timed-out-upcalls=0
#
[lockd]
# port=0
# udp-port=0
#
[exportd]
# debug="all|auth|call|general|parse"
# manage-gids=n
# state-directory-path=/var/lib/nfs
# threads=1
# cache-use-ipaddr=n
# ttl=1800
[mountd]
# debug="all|auth|call|general|parse"
# manage-gids=n
# descriptors=0
# port=0
# threads=1
# reverse-lookup=n
# state-directory-path=/var/lib/nfs
# ha-callout=
# cache-use-ipaddr=n
# ttl=1800
#
[nfsdcld]
# debug=0
# storagedir=/var/lib/nfs/nfsdcld
#
[nfsdcltrack]
# debug=0
# storagedir=/var/lib/nfs/nfsdcltrack
#
[nfsd]
# debug=0
# threads=8
# host=
# port=0
# grace-time=90
# lease-time=90
# udp=n
# tcp=y
# vers3=y
# vers4=y
# vers4.0=y
# vers4.1=y
# vers4.2=y
rdma=y
rdma-port=20049
[statd]
# debug=0
# port=0
# outgoing-port=0
# name=
# state-directory-path=/var/lib/nfs/statd
# ha-callout=
# no-notify=0
#
[sm-notify]
# debug=0
# force=0
# retry-time=900
# outgoing-port=
# outgoing-addr=
# lift-grace=y
#
[svcgssd]
# principal=
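Review bot: `rdma=y` and `rdma-port=20049` under `[nfsd]` are the only non-default settings in this file and turn on an NFS-over-RDMA listener that a host without RDMA-capable NICs cannot use, so unless such hardware is present they should stay commented out rather than exposing an extra port. Every other knob is left at its default, which means NFSv3 remains enabled and `mountd`, `statd` and `lockd` pick dynamic ports, making the service hard to pin down in a host firewall; consider `vers3=n` under `[nfsd]`, fixed `port=` values in `[mountd]`, `[statd]` and `[lockd]`, and a `host=` bound to the LAN address if the server should not listen on every interface. Export paths and client restrictions live in /etc/exports, which is not part of this commit, so the actual access control cannot be judged from this file.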


@@ -68,142 +68,6 @@ http {
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
# upstream monica-handler {
# server monica:9000;
# }
#
# server {
# listen 443 ssl http2;
#
# ssl_certificate /etc/nginx/certs/${DOMAIN}.crt;
# ssl_certificate_key /etc/nginx/certs/${DOMAIN}.key;
#
# server_name personel.${DOMAIN};
#
# ## HSTS ##
# # Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
# # WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/.
# # This form will add the domain to a hardcoded list that is shipped in all major browsers and getting
# # removed from this list could take several months.
# #
# #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
#
# add_header Referrer-Policy "no-referrer" always;
# add_header X-Content-Type-Options "nosniff" always;
# add_header X-Download-Options "noopen" always;
# add_header X-Frame-Options "SAMEORIGIN" always;
# add_header X-Permitted-Cross-Domain-Policies "none" always;
# add_header X-Robots-Tag "none" always;
# add_header X-XSS-Protection "1; mode=block" always;
#
# # Remove X-Powered-By, which is an information leak
# fastcgi_hide_header X-Powered-By;
#
# root /var/www/html/monica/public;
#
# index index.html index.htm index.php;
#
# charset utf-8;
#
# location / {
# try_files $uri $uri/ /index.php?$query_string;
# }
#
# location ~ ^/(?:robots.txt|security.txt) {
# allow all;
# log_not_found off;
# access_log off;
# }
#
# error_page 404 500 502 503 504 /index.php;
#
# location ~ /\.well-known/(?:carddav|caldav) {
# return 301 $scheme://$host/dav;
# }
# location = /.well-known/security.txt {
# return 301 $scheme://$host/security.txt;
# }
# location ~ /\.(?!well-known).* {
# deny all;
# }
#
# # set max upload size
# client_max_body_size 10G;
# fastcgi_buffers 64 4K;
#
# # Enable gzip but do not remove ETag headers
# gzip on;
# gzip_vary on;
# gzip_comp_level 4;
# gzip_min_length 256;
# gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
# gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
#
# # Uncomment if your server is build with the ngx_pagespeed module
# # This module is currently not supported.
# #pagespeed off;
#
# location ~ \.php$ {
# # regex to split $uri to $fastcgi_script_name and $fastcgi_path
# fastcgi_split_path_info ^(.+?\.php)(/.*)$;
#
# # Check that the PHP script exists before passing it
# try_files $fastcgi_script_name =404;
#
# fastcgi_pass monica-handler;
# fastcgi_index index.php;
#
# include fastcgi_params;
#
# # Cannot use $document_root as the path to monica on the docker container
# # is different to the path to the public files in this nginx container.
# fastcgi_param SCRIPT_FILENAME /var/www/html/public$fastcgi_script_name;
# # Bypass the fact that try_files resets $fastcgi_path_info
# # see: http://trac.nginx.org/nginx/ticket/321
# set $path_info $fastcgi_path_info;
# fastcgi_param PATH_INFO $path_info;
# }
#
# # Adding the cache control header for js and css files
# # Make sure it is BELOW the PHP block
# location ~ \.(?:css|js|woff2?|svg|gif|json)$ {
# try_files $uri /index.php$request_uri;
# add_header Cache-Control "public, max-age=15778463";
#
# ## HSTS ##
# # Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
# # Note it is intended to have those duplicated to the ones above.
# # WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/.
# # This form will add the domain to a hardcoded list that is shipped in all major browsers and getting
# # removed from this list could take several months.
# #
# #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
#
# add_header Referrer-Policy "no-referrer" always;
# add_header X-Content-Type-Options "nosniff" always;
# add_header X-Download-Options "noopen" always;
# add_header X-Frame-Options "SAMEORIGIN" always;
# add_header X-Permitted-Cross-Domain-Policies "none" always;
# add_header X-Robots-Tag "none" always;
# add_header X-XSS-Protection "1; mode=block" always;
#
# # Optional: Don't log access to assets
# access_log off;
# }
#
# location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
# try_files $uri /index.php$request_uri;
#
# # Optional: Don't log access to assets
# access_log off;
# }
#
# # deny access to .htaccess files
# location ~ /\.ht {
# deny all;
# }
# }
upstream nextcloud-handler {
server nextcloud:9000;
}
@@ -352,7 +216,7 @@ http {
ssl_certificate_key /etc/nginx/certs/${DOMAIN}.key;
# static files
location ^~ /loleaflet {
location ^~ /browser {
proxy_pass http://collabora-handler;
proxy_set_header Host $http_host;
}
@@ -370,7 +234,7 @@ http {
}
# main websocket
location ~ ^/lool/(.*)/ws$ {
location ~ ^/cool/(.*)/ws$ {
proxy_pass http://collabora-handler;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
@@ -379,13 +243,13 @@ http {
}
# download, presentation and image upload
location ~ ^/lool {
location ~ ^/(c|l)ool {
proxy_pass http://collabora-handler;
proxy_set_header Host $http_host;
}
# Admin Console websocket
location ^~ /lool/adminws {
location ^~ /cool/adminws {
proxy_pass http://collabora-handler;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
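Review bot: The new `location ~ ^/(c|l)ool` keeps the legacy `lool` prefix for downloads, but the websocket locations just above it were renamed to `cool` only, so a client still requesting `/lool/<id>/ws` now falls into this plain proxy block without the `Upgrade`/`Connection` headers and its websocket handshake fails. Either make the paths agree by dropping the alternative, `location ~ ^/cool {`, or keep a `location ~ ^/lool/(.*)/ws$` block with the same Upgrade headers as the `cool` one. Note also that the regex has no trailing `/`, so it matches any path starting with `/cool` or `/lool`, which is probably intended but worth a comment. The enclosing `server` block starts before this hunk.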
@@ -447,50 +311,6 @@ http {
}
}
upstream dashboard-handler {
server dashboard:5000;
}
server {
listen 443 ssl http2;
ssl_certificate /etc/nginx/certs/${DOMAIN}.crt;
ssl_certificate_key /etc/nginx/certs/${DOMAIN}.key;
gzip_types text/plain text/css application/json application/x-javascript
text/xml application/xml application/xml+rss text/javascript;
server_name command.${DOMAIN} ${DOMAIN};
location / {
proxy_pass http://dashboard-handler;
}
location /unauthorized {
return 301 https://$host/login;
}
}
upstream pinry-handler {
server pinry:80;
}
server {
listen 443 ssl http2;
ssl_certificate /etc/nginx/certs/${DOMAIN}.crt;
ssl_certificate_key /etc/nginx/certs/${DOMAIN}.key;
gzip_types text/plain text/css application/json application/x-javascript
text/xml application/xml application/xml+rss text/javascript;
server_name research.${DOMAIN};
location / {
proxy_pass http://pinry-handler;
}
}
upstream jitsi-handler {
server jitsi:80;
}


@@ -1,48 +0,0 @@
import os
# Please don't change following settings unless you know what you are doing
STATIC_ROOT = '/data/static'
MEDIA_ROOT = os.path.join(STATIC_ROOT, 'media')
# SECURITY WARNING: keep the secret key used in production secret!
# Or just write your own secret-key here instead of using a env-variable
SECRET_KEY = "LUdDIZ6FcVn0Lvajb6IY4cwGvAaomVtP"
# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = False
TEMPLATE_DEBUG = DEBUG
# SECURITY WARNING: use your actual domain name in production!
ALLOWED_HOSTS = ['research.scarif.space', 'research.scarif.local']
# Database
# https://docs.djangoproject.com/en/1.10/ref/settings/#databases
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.sqlite3',
'NAME': '/data/production.db',
}
}
# Allow users to register by themselves
ALLOW_NEW_REGISTRATIONS = False
# Delete image files once you remove your pin
IMAGE_AUTO_DELETE = True
# thumbnail size control
IMAGE_SIZES = {
'thumbnail': {'size': [240, 0]},
'standard': {'size': [600, 0]},
'square': {'crop': True, 'size': [125, 125]},
}
# Whether people can view pins without login
PUBLIC = True
ENABLED_PLUGINS = [
'pinry_plugins.batteries.plugin_example.Plugin',
]

smb.conf Normal file

@@ -0,0 +1,225 @@
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# For a step to step guide on installing, configuring and using samba,
# read the Samba-HOWTO-Collection. This may be obtained from:
# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
#
# Many working examples of smb.conf files can be found in the
# Samba-Guide which is generated daily and can be downloaded from:
# http://www.samba.org/samba/docs/Samba-Guide.pdf
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]
# Allow server side copying with MacOS clients
fruit:copyfile = yes
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
workgroup = MYGROUP
# server string is the equivalent of the NT Description field
server string = Samba Server
# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller".
#
# Most people will want "standalone server" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
server role = standalone server
# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
hosts allow = 192.168.1. 192.168.2. 127.
# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
; guest account = pcguest
# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# Put a capping on the size of the log files (in Kb).
max log size = 500
# Specifies the Kerberos or Active Directory realm the host is part of
; realm = MY_REALM
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
; passdb backend = tdbsam
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting.
# Note: Consider carefully the location in the configuration file of
# this line. The included file is read at that point.
; include = /usr/local/samba/lib/smb.conf.%m
# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
; interfaces = 192.168.12.2/24 192.168.13.2/24
# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this servers netbios name, %U is username
# You must uncomment the [Profiles] share below
; logon path = \\%L\Profiles\%U
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
; wins support = yes
# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
; wins server = w.x.y.z
# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
; wins proxy = yes
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The default is NO.
dns proxy = no
# These scripts are used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
; add user script = /usr/sbin/useradd %u
; add group script = /usr/sbin/groupadd %g
; add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
; delete user script = /usr/sbin/userdel %u
; delete user from group script = /usr/sbin/deluser %u %g
; delete group script = /usr/sbin/groupdel %g
#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = no
writable = yes
# Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
; comment = Network Logon Service
; path = /usr/local/samba/lib/netlogon
; guest ok = yes
; writable = no
; share modes = no
# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;[Profiles]
; path = /usr/local/samba/profiles
; browseable = no
; guest ok = yes
# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
comment = All Printers
path = /usr/spool/samba
browseable = no
# Set public = yes to allow user 'guest account' to print
guest ok = no
writable = no
printable = yes
# This one is useful for people to share files
[tmp]
comment = Temporary file space
path = /tmp
read only = no
public = yes
# A publicly accessible directory, but read only, except for people in
# the "staff" group
#[public]
#comment = Public Stuff
#path = /mnt/tower/stardust/chris/files/public
#public = yes
#writable = no
#printable = no
#write list = @chris
# Other examples.
#
# A private printer, usable only by fred. Spool data will be placed in fred's
# home directory. Note that fred must have write access to the spool directory,
# wherever it is.
;[fredsprn]
; comment = Fred's Printer
; valid users = fred
; path = /homes/fred
; printer = freds_printer
; public = no
; writable = no
; printable = yes
# A private directory, usable only by fred. Note that fred requires write
# access to the directory.
[stardust]
comment = Stardust
path = /mnt/tower/stardust/chris/files
valid users = chris
public = no
writable = yes
printable = no
# a service which has a different directory for each machine that connects
# this allows you to tailor configurations to incoming machines. You could
# also use the %U option to tailor it by user name.
# The %m gets replaced with the machine name that is connecting.
;[pchome]
; comment = PC Directories
; path = /usr/pc/%m
; public = no
; writable = yes
# A publicly accessible directory, read/write to all users. Note that all files
# created in the directory by users will be owned by the default user, so
# any user with access can delete any other user's files. Obviously this
# directory must be writable by the default user. Another user could of course
# be specified, in which case all files would be owned by that user instead.
;[public]
; path = /usr/somewhere/else/public
; public = yes
; only guest = yes
; writable = yes
; printable = no
# The following two entries demonstrate how to share a directory so that two
# users can place files there that will be owned by the specific users. In this
# setup, the directory should be writable by both users and should have the
# sticky bit set on it to prevent abuse. Obviously this could be extended to
# as many users as required.
;[myshare]
; comment = Mary's and Fred's stuff
; path = /usr/somewhere/shared
; valid users = mary fred
; public = no
; writable = yes
; printable = no
; create mask = 0765