From 678894d7dbc3720c9b51cf2c50b71b514266df93 Mon Sep 17 00:00:00 2001 From: Chris Date: Thu, 23 Mar 2023 20:29:29 +0000 Subject: [PATCH] Working for homelab --- .env.example | 11 - INSTALL.md | 0 bootstrap.sh | 87 +++--- docker-compose.yml | 393 ++++++++++++++++----------- exports | 14 + foundry/patches/plutonium-install.sh | 46 ++++ monica/.env | 168 ------------ monica/Dockerfile | 29 -- monica/entrypoint.sh | 72 ----- monica/start-cron.sh | 5 - monica/start-fpm.sh | 5 - monica/start-queue.sh | 5 - nextcloud/Dockerfile | 11 +- nextcloud/config/config.php | 3 +- nfs.conf | 101 +++++++ nginx/nginx.conf.template | 188 +------------ pinry/local_settings.py | 48 ---- smb.conf | 225 +++++++++++++++ 18 files changed, 677 insertions(+), 734 deletions(-) create mode 100644 INSTALL.md create mode 100644 exports create mode 100644 foundry/patches/plutonium-install.sh delete mode 100644 monica/.env delete mode 100644 monica/Dockerfile delete mode 100644 monica/entrypoint.sh delete mode 100644 monica/start-cron.sh delete mode 100644 monica/start-fpm.sh delete mode 100644 monica/start-queue.sh create mode 100644 nfs.conf delete mode 100644 pinry/local_settings.py create mode 100644 smb.conf diff --git a/.env.example b/.env.example index ccb80b6..8a5cdb4 100644 --- a/.env.example +++ b/.env.example @@ -7,7 +7,6 @@ USER_PASSWORD= DOMAIN=scarif.local LOCAL_IP=192.168.10.10 SSH_KEY= # Will be added to authorized keys -DIGITALOCEAN_TOKEN= # For enabling lets encrypt # # Database settings @@ -44,16 +43,6 @@ NEXTCLOUD_ADMIN_PASSWORD= COLLABORA_USER=${USERNAME} COLLABORA_PASSWORD= -# -# Monica settings (personel.scarif.space) -# Image: monica:fpm -# -MAIL_FROM=${USERNAME}@${DOMAIN} -MAIL_HOST=smtp.mailgun.org -MAIL_PORT=465 -MAIL_USER=postmaster@mg.thinkzingy.com -MAIL_PASSWORD= - # # Jitsi settings (comms.scarif.space) # Image: jitsi/web:latest diff --git a/INSTALL.md b/INSTALL.md new file mode 100644 index 0000000..e69de29 
diff --git a/bootstrap.sh b/bootstrap.sh
index bf3f944..d66c52d 100755
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -3,38 +3,34 @@ source /opt/scarif/.env echo "------- Generating system users -------" -# Add me as a user and git for SSH passthrough to gitea (change passwords after finishing) +## Add me as a user and git for SSH passthrough to gitea (change passwords after finishing) useradd -m -p $(echo $USER_PASSWORD | openssl passwd -1 -stdin) chris useradd -m -p $(echo $GIT_PASSWORD | openssl passwd -1 -stdin) -u1200 git -# Set up privileges +## Set up privileges echo "chris ALL=(ALL) ALL" >> /etc/sudoers -# Disable root login +echo "root ALL=(ALL) ALL" >> /etc/sudoers +## Disable root login passwd -l root # Install necessary packages echo "------- Installing packages -------" -pacman -S --needed --noconfirm sudo wget tmux htop vim docker docker-compose git ufw certbot certbot-dns-digitalocean +pacman -Syyu --noconfirm +pacman -S --noconfirm archlinux-keyring +pacman -S --needed --noconfirm sudo wget tmux htop vim docker docker-compose git ufw certbot samba nfs-utils echo "------- Setting up SSH -------" # Remove old SSH keys in case running again +sudo -u git mkdir -p /home/git/.ssh rm -f /home/git/.ssh/* # Generate SSH keys for git to enable SSH proxy sudo -u git ssh-keygen -t rsa -b 4096 -C "Gitea Host Key" -f/home/git/.ssh/id_rsa -q -N "" # Add SSH key to authorized keys which is shared with docker container echo "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty $(cat /home/git/.ssh/id_rsa.pub)" >> /home/git/.ssh/authorized_keys # Add current SSH key to main user's authorized keys -mkdir /home/chris/.ssh +mkdir -p /home/chris/.ssh echo $SSH_KEY >> /home/chris/.ssh/authorized_keys -# Disable root login -sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin no/" /etc/ssh/sshd_config -# Logout after 1 minute of inactivity -sed -i "s/#LoginGraceTime 2m/LoginGraceTime 1m/" /etc/ssh/sshd_config -# Add banner art -sed -i "s/#Banner none/Banner \/opt\/scarif\/ssh-banner-art/" >> /etc/ssh/sshd_config -# Limit number of sessions -sed -i 
"s/#MaxSessions/MaxSessions 4/" >> /etc/ssh/sshd_config -# Limit users -sed -i "s/#AllowUsers/AllowUsers chris git/" >> /etc/ssh/sshd_config +rm /etc/ssh/sshd_config +ln -s /opt/scarif/sshd_config /etc/ssh/sshd_config # Modify login messages echo "Clearance codes accepted! proceed:" > /etc/motd # Enforce a delay after a failed login attempt to prevent brute force attacks @@ -43,7 +39,7 @@ echo "auth optional pam-faildelay.so delay 2000000" >> /etc/pam.d/system-login systemctl restart sshd echo "------- Enabling SSH passthrough -------" -# Make files necessary for SSH passthrough (https://docs.gitea.io/en-us/install-with-docker/#ssh-container-passthrough) +## Make files necessary for SSH passthrough (https://docs.gitea.io/en-us/install-with-docker/#ssh-container-passthrough) mkdir -p /var/lib/gitea cat <<"EOF" | sudo tee /usr/local/bin/gitea #!/bin/sh 
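Review bot: The new `rm /etc/ssh/sshd_config` / `ln -s /opt/scarif/sshd_config /etc/ssh/sshd_config` pair points sshd at a file that is not part of this patch and is never validated before the `systemctl restart sshd` in the next hunk, so a missing or malformed /opt/scarif/sshd_config leaves the host without a working sshd right after root login has been locked. I'd write it as `ln -sf /opt/scarif/sshd_config /etc/ssh/sshd_config` and put `sshd -t || exit 1` immediately before the restart so a bad config aborts the bootstrap rather than the service. The PermitRootLogin/AllowUsers/MaxSessions hardening this hunk deletes now exists only in that repo file, so a comment next to the `ln -s` naming what the file is expected to carry would help the next reader, and /opt/scarif presumably has to stay root-owned since sshd follows the symlink into it. The added `echo "root ALL=(ALL) ALL" >> /etc/sudoers` grants nothing root does not already have and, like the `chris` line above it, appends a duplicate on every re-run with no `visudo -cf` check; a drop-in under /etc/sudoers.d/ validated by `visudo -cf` is the safer shape.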
@@ -56,26 +52,26 @@ chmod +x /app/gitea/gitea chown -R git /app/gitea/gitea chown -R git /var/lib/gitea -if [ $APP_ENV = "production" ] -then - echo "------- Enabling certbot service -------" - mkdir -p /root/.secret/certbot - tee /root/.secret/certbot/digitalocean.ini <&1 | tr "\r" "\n" + log "Ensuring module directory exists." + mkdir -p "${MODULE_DIR}" + log "Installing Plutonium module." + unzip -o "${ZIP_FILE}" -d "${MODULE_DIR}" +fi +log "Installing Plutonium backend." +cp "${MODULE_BACKEND_JS}" "${FOUNDRY_HOME}/resources/app/" +log "Patching main.mjs to use plutonium-backend." +sed -z --file=- --in-place=.orig ${MAIN_JS} << SED_SCRIPT +s/\(init\.default({[^}]\+})\)\ +/await \1;\n(await import(".\/plutonium-backend.mjs")).Plutonium.init();/g\ +w plutonium_patchlog.txt +SED_SCRIPT +if [ -s plutonium_patchlog.txt ]; then + log "Plutonium backend patch was applied successfully." + log "Plutonium art and media tools will be enabled." +else + log_error "Plutonium backend patch could not be applied." + log_error "main.js did not contain the expected source lines." + log_warn "Foundry Virtual Tabletop will still operate without the art and media tools enabled." + log_warn "Update this patch file to a version that supports Foundry Virtual Tabletop ${FOUNDRY_VERSION}." +fi +log "Cleaning up." +rm -r ${WORKDIR} + diff --git a/monica/.env b/monica/.env deleted file mode 100644 index 3bd6ee0..0000000 --- a/monica/.env +++ /dev/null 
@@ -1,168 +0,0 @@ -# -# Welcome, friend ❤. Thanks for trying out Monica. We hope you'll have fun. -# - -# Two choices: local|production. Use local if you want to install Monica as a -# development version. Use production otherwise. -APP_ENV=production - -# true if you want to show debug information on errors. For production, put this -# to false. -APP_DEBUG=false - -# The encryption key. This is the most important part of the application. Keep -# this secure otherwise, everyone will be able to access your application. -# Must be 32 characters long exactly. -# Use `php artisan key:generate` or `pwgen -s 32 1` to generate a random key. -APP_KEY=LUdDIZ6FcVn0Lvajb6IY4cwGvAaomVtP - -# Prevent information leakage by referring to IDs with hashIds instead of -# the actual IDs used in the database. -HASH_SALT=YIfc5Go7H1TNxwnS7Uza -HASH_LENGTH=18 - -# The URL of your application. -#APP_URL= - -# Force using APP_URL as base url of your application. -# You should not need this, unless you are using subdirectory config. -APP_FORCE_URL=false - -# Database information -# To keep this information secure, we urge you to change the default password -# Currently only "mysql" compatible servers are working -DB_CONNECTION=mysql -DB_HOST=db -DB_PORT=3306 -# You can use mysql unix socket if available, it overrides DB_HOST and DB_PORT values. -#DB_UNIX_SOCKET=/var/run/mysqld/mysqld.sock -DB_DATABASE=monica -#DB_USERNAME= -#DB_PASSWORD= -DB_PREFIX= -DB_TEST_HOST=127.0.0.1 -DB_TEST_DATABASE=monica_test -DB_TEST_USERNAME=homestead -DB_TEST_PASSWORD=secret - -# Use utf8mb4 database charset format to support emoji characters -# ⚠ be sure your DBMS supports utf8mb4 format -DB_USE_UTF8MB4=true - -# Mail credentials used to send emails from the application. 
-MAIL_MAILER=smtp -#MAIL_HOST= -#MAIL_PORT= -#MAIL_USERNAME= -#MAIL_PASSWORD= -MAIL_ENCRYPTION=ssl -# Outgoing emails will be sent with these identity -#MAIL_FROM_ADDRESS= -MAIL_FROM_NAME="Scarif" -# New registration notification sent to this email -APP_EMAIL_NEW_USERS_NOTIFICATION= - -# Ability to disable signups on your instance. -# Can be true or false. Default to false. -APP_DISABLE_SIGNUP=true - -# Enable user email verification. -APP_SIGNUP_DOUBLE_OPTIN=false - -# Set trusted proxy IP addresses. -# To trust all proxies that connect directly to your server, use a "*". -# To trust one or more specific proxies that connect directly to your server, -# use a comma separated list of IP addresses. -APP_TRUSTED_PROXIES= - -# Enable automatic cloudflare trusted proxy discover -APP_TRUSTED_CLOUDFLARE=false - -# Frequency of creation of new log files. Logs are written when an error occurs. -# Refer to config/logging.php for the possible values. -LOG_CHANNEL=daily - -# Error tracking. Specific to hosted version on .com. You probably don't need -# those. -SENTRY_SUPPORT=false -SENTRY_LARAVEL_DSN= - -# Send a daily ping to https://version.monicahq.com to check if a new version -# is available. When a new version is detected, you will have a message in the -# UI, as well as the release notes for the new changes. Can be true or false. -# Default to true. -CHECK_VERSION=true - -# Cache, session, and queue parameters -# ⚠ Change this only if you know what you are doing -#. Cache: database, file, memcached, redis, dynamodb -#. Session: file, cookie, database, apc, memcached, redis, array -#. 
Queue: sync, database, beanstalkd, sqs, redis -# If Queue is not set to 'sync', you'll have to set a queue worker -# See https://laravel.com/docs/5.7/queues#running-the-queue-worker -CACHE_DRIVER=database -SESSION_DRIVER=file -SESSION_LIFETIME=120 -QUEUE_CONNECTION=database - -# If you use redis, set the redis host or ip, like: -#REDIS_HOST=redis - -# Maximum allowed size for uploaded files, in kilobytes. -# Make sure this is an integer, without commas or spaces. -DEFAULT_MAX_UPLOAD_SIZE=10240 - -# Maximum allowed storage size per account, in megabytes. -# Make sure this is an integer, without commas or spaces. -DEFAULT_MAX_STORAGE_SIZE=512 - -# Default filesystem to store uploaded files. -# Possible values: public|s3 -DEFAULT_FILESYSTEM=public - -# AWS keys for S3 when using this storage method -AWS_KEY= -AWS_SECRET= -AWS_REGION=us-east-1 -AWS_BUCKET= -AWS_SERVER= - -# Allow Two Factor Authentication feature on your instance -MFA_ENABLED=true - -# Enable DAV support -DAV_ENABLED=true - -# CLIENT ID and SECRET used for OAuth authentication -PASSPORT_PERSONAL_ACCESS_CLIENT_ID= -PASSPORT_PERSONAL_ACCESS_CLIENT_SECRET= - -# Allow to access general statistics about your instance through a public API -# call -ALLOW_STATISTICS_THROUGH_PUBLIC_API_ACCESS=false - -# Indicates that each user in the instance must comply to international policies -# like CASL or GDPR -POLICY_COMPLIANT=true - -# Enable geolocation services -# This is used to translate addresses to GPS coordinates. -ENABLE_GEOLOCATION=false - -# API key for geolocation services -# We use LocationIQ (https://locationiq.com/) to translate addresses to -# latitude/longitude coordinates. We could use Google instead but we don't -# want to give anything to Google, ever. -# LocationIQ offers 10,000 free requests per day. 
-LOCATION_IQ_API_KEY= - -# Enable weather on contact profile page -# Weather can only be fetched if we know longitude/latitude - this is why -# you also need to activate the geolocation service above to make it work -ENABLE_WEATHER=false - -# Access to weather data from darksky api -# https://darksky.net/dev/register -# Darksky provides an api with 1000 free API calls per day -# You need to enable the weather above if you provide an API key here. -DARKSKY_API_KEY= diff --git a/monica/Dockerfile b/monica/Dockerfile deleted file mode 100644 index 1b1cd34..0000000 --- a/monica/Dockerfile +++ /dev/null @@ -1,29 +0,0 @@ -FROM monica:fpm - -# Add wait-for-it -#ADD https://raw.githubusercontent.com/vishnubob/wait-for-it/master/wait-for-it.sh /bin/wait-for-it.sh -#RUN chmod +x /bin/wait-for-it.sh - -# Add S6 supervisor (for graceful stop) -ADD https://github.com/just-containers/s6-overlay/releases/download/v1.21.1.1/s6-overlay-amd64.tar.gz /tmp/ -RUN tar xzf /tmp/s6-overlay-amd64.tar.gz -C / - -COPY entrypoint.sh /usr/local/bin -RUN chmod 755 /usr/local/bin/entrypoint.sh - -ENTRYPOINT ["/usr/local/bin/entrypoint.sh"] -CMD ["/init"] - -RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini" - -# Copy PHP-FPM service script -COPY start-fpm.sh /etc/services.d/php_fpm/run -RUN chmod 755 /etc/services.d/php_fpm/run - -# Copy cron service script -COPY start-cron.sh /etc/services.d/cron/run -RUN chmod 755 /etc/services.d/cron/run - -# Copy queue service script -COPY start-queue.sh /etc/services.d/queue/run -RUN chmod 755 /etc/services.d/queue/run diff --git a/monica/entrypoint.sh b/monica/entrypoint.sh deleted file mode 100644 index 29c5eb0..0000000 --- a/monica/entrypoint.sh +++ /dev/null 
@@ -1,72 +0,0 @@ -#!/bin/bash - -set -Eeo pipefail - -# wait for the database to start -waitfordb() { - HOST=${DB_HOST:-mysql} - PORT=${DB_PORT:-3306} - echo "Connecting to ${HOST}:${PORT}" - - attempts=0 - max_attempts=30 - while [ $attempts -lt $max_attempts ]; do - busybox nc -w 1 "${HOST}:${PORT}" && break - echo "Waiting for ${HOST}:${PORT}..." - sleep 1 - let "attempts=attempts+1" - done - - if [ $attempts -eq $max_attempts ]; then - echo "Unable to contact your database at ${HOST}:${PORT}" - exit 1 - fi - - echo "Waiting for database to settle..." - sleep 3 -} - -if [ "$1" = "/init" ]; then - - MONICADIR=/var/www/html - ARTISAN="php ${MONICADIR}/artisan" - - # Ensure storage directories are present - STORAGE=${MONICADIR}/storage - mkdir -p ${STORAGE}/logs - mkdir -p ${STORAGE}/app/public - mkdir -p ${STORAGE}/framework/views - mkdir -p ${STORAGE}/framework/cache - mkdir -p ${STORAGE}/framework/sessions - chown -R www-data:www-data ${STORAGE} - chmod -R g+rw ${STORAGE} - - if [ -z "${APP_KEY:-}" -o "$APP_KEY" = "ChangeMeBy32KeyLengthOrGenerated" ]; then - ${ARTISAN} key:generate --no-interaction - else - echo "APP_KEY already set" - fi - - # Run migrations - waitfordb - ${ARTISAN} monica:update --force -vv - # Override the linking done by monica:update to use relative paths so the nginx directory can be anywhere - unlink ${MONICADIR}/public/storage - ln -s ../storage/app/public /var/www/html/public/storage - - if [ -n "${SENTRY_SUPPORT:-}" -a "$SENTRY_SUPPORT" = "true" -a -z "${SENTRY_NORELEASE:-}" -a -n "${SENTRY_ENV:-}" ]; then - commit=$(cat .sentry-commit) - release=$(cat .sentry-release) - ${ARTISAN} sentry:release --release="$release" --commit="$commit" --environment="$SENTRY_ENV" --force -v || true - fi - - if [ ! -f "${STORAGE}/oauth-public.key" -o ! -f "${STORAGE}/oauth-private.key" ]; then - echo "Passport keys creation ..." - ${ARTISAN} passport:keys - ${ARTISAN} passport:client --personal --no-interaction - echo "! 
Please be careful to backup $MONICADIR/storage/oauth-public.key and $MONICADIR/storage/oauth-private.key files !" - fi - -fi - -exec "$@" diff --git a/monica/start-cron.sh b/monica/start-cron.sh deleted file mode 100644 index 1309842..0000000 --- a/monica/start-cron.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/usr/bin/with-contenv sh -set -eu; - -# Start Cron -exec busybox crond -f -l 0 -L /proc/1/fd/1 diff --git a/monica/start-fpm.sh b/monica/start-fpm.sh deleted file mode 100644 index 9ee8a0a..0000000 --- a/monica/start-fpm.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/usr/bin/with-contenv sh -set -e; - -# Start PHP-FPM -php-fpm -R --nodaemonize diff --git a/monica/start-queue.sh b/monica/start-queue.sh deleted file mode 100644 index 6adc690..0000000 --- a/monica/start-queue.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/usr/bin/with-contenv sh -set -eu; - -# Start Queue -exec php /var/www/html/artisan queue:work --sleep=10 --timeout=0 --tries=3 --queue=default,migration >/proc/1/fd/1 2>/proc/1/fd/2 diff --git a/nextcloud/Dockerfile b/nextcloud/Dockerfile index 1c9f80a..af319e0 100644 --- a/nextcloud/Dockerfile +++ b/nextcloud/Dockerfile @@ -36,7 +36,16 @@ RUN mkdir -p \ /var/run/supervisord \ ; -COPY --chown=www-data:root config /var/www/html/config +RUN addgroup -S -g 1000 nextcloud; \ + adduser -S -u 1000 -G nextcloud nextcloud; \ + sed -i -e "s/^user = .*$/user = nextcloud/" /usr/local/etc/php-fpm.d/www.conf; \ + sed -i -e "s/^group = .*$/group = nextcloud/" /usr/local/etc/php-fpm.d/www.conf; \ + chown -R nextcloud:root /var/www; \ + chmod -R g=u /var/www; \ + chown -R nextcloud:root /usr/local/etc/php/conf.d; \ + chown -R nextcloud:root /var/log/supervisord; + +# COPY --chown=nextcloud:root config /var/www/html/config COPY supervisord.conf / diff --git a/nextcloud/config/config.php b/nextcloud/config/config.php index 54ad20f..3322130 100755 --- a/nextcloud/config/config.php +++ b/nextcloud/config/config.php 
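Review bot: The new `RUN` chains its eight commands with `;`, so a failing `addgroup`/`adduser` (for instance if uid/gid 1000 already exists in the base image) or a failing `chown` does not fail the build and the image ships with php-fpm pointed at a user that may not exist; joining them with `&& \` makes the layer fail fast. `chown -R nextcloud:root /usr/local/etc/php/conf.d` also gives the PHP worker user write access to its own interpreter configuration, which Nextcloud does not need at runtime and which removes a useful boundary if the web process is ever compromised; I'd leave conf.d root-owned (read access is enough) and limit the chown to /var/www and the supervisord log directory. With the `COPY ... config` line now commented out, the `trusted_domains` edit to nextcloud/config/config.php in this same commit no longer reaches the image unless that directory is mounted some other way (docker-compose.yml is changed in the diffstat but not in view); a comment such as `# config/ is provided by a bind mount, see docker-compose.yml` would make the intent explicit.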
@@ -18,7 +18,8 @@ $CONFIG = [ */ 'trusted_domains' => [ - 'tower.scarif.space', + 'tower.scarif.local', + '127.0.0.1', ], /** diff --git a/nfs.conf b/nfs.conf new file mode 100644 index 0000000..323f072 --- /dev/null +++ b/nfs.conf @@ -0,0 +1,101 @@ +# +# This is a general configuration for the +# NFS daemons and tools +# +[general] +# pipefs-directory=/var/lib/nfs/rpc_pipefs +# +[nfsrahead] +# nfs=15000 +# nfs4=16000 +# +[exports] +# rootdir=/export +# +[exportfs] +# debug=0 +# +[gssd] +# verbosity=0 +# rpc-verbosity=0 +# use-memcache=0 +# use-machine-creds=1 +# use-gss-proxy=0 +# avoid-dns=1 +# limit-to-legacy-enctypes=0 +# context-timeout=0 +# rpc-timeout=5 +# keytab-file=/etc/krb5.keytab +# cred-cache-directory= +# preferred-realm= +# set-home=1 +# upcall-timeout=30 +# cancel-timed-out-upcalls=0 +# +[lockd] +# port=0 +# udp-port=0 +# +[exportd] +# debug="all|auth|call|general|parse" +# manage-gids=n +# state-directory-path=/var/lib/nfs +# threads=1 +# cache-use-ipaddr=n +# ttl=1800 +[mountd] +# debug="all|auth|call|general|parse" +# manage-gids=n +# descriptors=0 +# port=0 +# threads=1 +# reverse-lookup=n +# state-directory-path=/var/lib/nfs +# ha-callout= +# cache-use-ipaddr=n +# ttl=1800 +# +[nfsdcld] +# debug=0 +# storagedir=/var/lib/nfs/nfsdcld +# +[nfsdcltrack] +# debug=0 +# storagedir=/var/lib/nfs/nfsdcltrack +# +[nfsd] +# debug=0 +# threads=8 +# host= +# port=0 +# grace-time=90 +# lease-time=90 +# udp=n +# tcp=y +# vers3=y +# vers4=y +# vers4.0=y +# vers4.1=y +# vers4.2=y +rdma=y +rdma-port=20049 + +[statd] +# debug=0 +# port=0 +# outgoing-port=0 +# name= +# state-directory-path=/var/lib/nfs/statd +# ha-callout= +# no-notify=0 +# +[sm-notify] +# debug=0 +# force=0 +# retry-time=900 +# outgoing-port= +# outgoing-addr= +# lift-grace=y +# +[svcgssd] +# principal= diff --git a/nginx/nginx.conf.template b/nginx/nginx.conf.template index cc38711..5ebbb52 100644 --- a/nginx/nginx.conf.template +++ b/nginx/nginx.conf.template 
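Review bot: The only live settings in the new nfs.conf are `rdma=y` and `rdma-port=20049`, which add a second nfsd listener while `host=` stays commented, so nfsd presumably answers on both 2049 and 20049 on every address the box has. If RDMA is actually needed here, I'd set `host=` to the LAN address (`LOCAL_IP` in .env.example) and confirm the ufw rules that bootstrap.sh installs for (not in this patch) cover both ports; if it is not, the two lines should go and the stock file stand as documentation only. Leaving `vers3=y` at its default also keeps the NFSv3 sideband daemons (mountd, statd, lockd) on dynamic ports that are awkward to firewall, so `vers3=n` with `vers4=y` is worth considering if every client speaks v4, which cannot be told from here. The `exports` file listed in the diffstat is not in view, so the per-export host lists and squash options are unreviewed.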
@@ -68,142 +68,6 @@ http { # Mitigate httpoxy attack (see README for details) proxy_set_header Proxy ""; -# upstream monica-handler { -# server monica:9000; -# } -# -# server { -# listen 443 ssl http2; -# -# ssl_certificate /etc/nginx/certs/${DOMAIN}.crt; -# ssl_certificate_key /etc/nginx/certs/${DOMAIN}.key; -# -# server_name personel.${DOMAIN}; -# -# ## HSTS ## -# # Add the 'Strict-Transport-Security' headers to enable HSTS protocol. -# # WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/. -# # This form will add the domain to a hardcoded list that is shipped in all major browsers and getting -# # removed from this list could take several months. -# # -# #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always; -# -# add_header Referrer-Policy "no-referrer" always; -# add_header X-Content-Type-Options "nosniff" always; -# add_header X-Download-Options "noopen" always; -# add_header X-Frame-Options "SAMEORIGIN" always; -# add_header X-Permitted-Cross-Domain-Policies "none" always; -# add_header X-Robots-Tag "none" always; -# add_header X-XSS-Protection "1; mode=block" always; -# -# # Remove X-Powered-By, which is an information leak -# fastcgi_hide_header X-Powered-By; -# -# root /var/www/html/monica/public; -# -# index index.html index.htm index.php; -# -# charset utf-8; -# -# location / { -# try_files $uri $uri/ /index.php?$query_string; -# } -# -# location ~ ^/(?:robots.txt|security.txt) { -# allow all; -# log_not_found off; -# access_log off; -# } -# -# error_page 404 500 502 503 504 /index.php; -# -# location ~ /\.well-known/(?:carddav|caldav) { -# return 301 $scheme://$host/dav; -# } -# location = /.well-known/security.txt { -# return 301 $scheme://$host/security.txt; -# } -# location ~ /\.(?!well-known).* { -# deny all; -# } -# -# # set max upload size -# client_max_body_size 10G; -# fastcgi_buffers 64 4K; -# -# # Enable gzip but do not remove ETag headers -# gzip on; -# 
gzip_vary on; -# gzip_comp_level 4; -# gzip_min_length 256; -# gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; -# gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; -# -# # Uncomment if your server is build with the ngx_pagespeed module -# # This module is currently not supported. -# #pagespeed off; -# -# location ~ \.php$ { -# # regex to split $uri to $fastcgi_script_name and $fastcgi_path -# fastcgi_split_path_info ^(.+?\.php)(/.*)$; -# -# # Check that the PHP script exists before passing it -# try_files $fastcgi_script_name =404; -# -# fastcgi_pass monica-handler; -# fastcgi_index index.php; -# -# include fastcgi_params; -# -# # Cannot use $document_root as the path to monica on the docker container -# # is different to the path to the public files in this nginx container. -# fastcgi_param SCRIPT_FILENAME /var/www/html/public$fastcgi_script_name; -# # Bypass the fact that try_files resets $fastcgi_path_info -# # see: http://trac.nginx.org/nginx/ticket/321 -# set $path_info $fastcgi_path_info; -# fastcgi_param PATH_INFO $path_info; -# } -# -# # Adding the cache control header for js and css files -# # Make sure it is BELOW the PHP block -# location ~ \.(?:css|js|woff2?|svg|gif|json)$ { -# try_files $uri /index.php$request_uri; -# add_header Cache-Control "public, max-age=15778463"; -# -# ## HSTS ## -# # Add the 'Strict-Transport-Security' headers to enable HSTS protocol. -# # Note it is intended to have those duplicated to the ones above. 
-# # WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/. -# # This form will add the domain to a hardcoded list that is shipped in all major browsers and getting -# # removed from this list could take several months. -# # -# #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always; -# -# add_header Referrer-Policy "no-referrer" always; -# add_header X-Content-Type-Options "nosniff" always; -# add_header X-Download-Options "noopen" always; -# add_header X-Frame-Options "SAMEORIGIN" always; -# add_header X-Permitted-Cross-Domain-Policies "none" always; -# add_header X-Robots-Tag "none" always; -# add_header X-XSS-Protection "1; mode=block" always; -# -# # Optional: Don't log access to assets -# access_log off; -# } -# -# location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ { -# try_files $uri /index.php$request_uri; -# -# # Optional: Don't log access to assets -# access_log off; -# } -# -# # deny access to .htaccess files -# location ~ /\.ht { -# deny all; -# } -# } - upstream nextcloud-handler { server nextcloud:9000; } @@ -352,7 +216,7 @@ http { ssl_certificate_key /etc/nginx/certs/${DOMAIN}.key; # static files - location ^~ /loleaflet { + location ^~ /browser { proxy_pass http://collabora-handler; proxy_set_header Host $http_host; } @@ -370,7 +234,7 @@ http { } # main websocket - location ~ ^/lool/(.*)/ws$ { + location ~ ^/cool/(.*)/ws$ { proxy_pass http://collabora-handler; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; @@ -379,13 +243,13 @@ http { } # download, presentation and image upload - location ~ ^/lool { + location ~ ^/(c|l)ool { proxy_pass http://collabora-handler; proxy_set_header Host $http_host; } # Admin Console websocket - location ^~ /lool/adminws { + location ^~ /cool/adminws { proxy_pass http://collabora-handler; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; 
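Review bot: `location ~ ^/(c|l)ool` keeps the legacy `/lool` prefix reachable while the websocket and admin-console locations right above and below it were switched to `/cool/...` only, so a client still using the old path would get its plain requests proxied but not its websocket; either the alternation should be dropped (if the Collabora image in use, not visible here, only serves `/cool`) or `^/cool/(.*)/ws$` and `^~ /cool/adminws` need the same treatment. The regex is also unanchored on the right, so it proxies any path that merely starts with `/cool` or `/lool`; `location ~ ^/(c|l)ool(/|$)` keeps the proxied surface to the intended prefixes.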
@@ -447,50 +311,6 @@ http { } } - upstream dashboard-handler { - server dashboard:5000; - } - - server { - listen 443 ssl http2; - - ssl_certificate /etc/nginx/certs/${DOMAIN}.crt; - ssl_certificate_key /etc/nginx/certs/${DOMAIN}.key; - - gzip_types text/plain text/css application/json application/x-javascript - text/xml application/xml application/xml+rss text/javascript; - - server_name command.${DOMAIN} ${DOMAIN}; - - location / { - proxy_pass http://dashboard-handler; - } - - location /unauthorized { - return 301 https://$host/login; - } - } - - upstream pinry-handler { - server pinry:80; - } - - server { - listen 443 ssl http2; - - ssl_certificate /etc/nginx/certs/${DOMAIN}.crt; - ssl_certificate_key /etc/nginx/certs/${DOMAIN}.key; - - gzip_types text/plain text/css application/json application/x-javascript - text/xml application/xml application/xml+rss text/javascript; - - server_name research.${DOMAIN}; - - location / { - proxy_pass http://pinry-handler; - } - } - upstream jitsi-handler { server jitsi:80; } diff --git a/pinry/local_settings.py b/pinry/local_settings.py deleted file mode 100644 index bcce682..0000000 --- a/pinry/local_settings.py +++ /dev/null 
@@ -1,48 +0,0 @@
-import os
-
-
-# Please don't change following settings unless you know what you are doing
-STATIC_ROOT = '/data/static'
-
-MEDIA_ROOT = os.path.join(STATIC_ROOT, 'media')
-
-# SECURITY WARNING: keep the secret key used in production secret!
-# Or just write your own secret-key here instead of using a env-variable
-SECRET_KEY = "LUdDIZ6FcVn0Lvajb6IY4cwGvAaomVtP"
-
-# SECURITY WARNING: don't run with debug turned on in production!
-DEBUG = False
-TEMPLATE_DEBUG = DEBUG
-
-# SECURITY WARNING: use your actual domain name in production!
-ALLOWED_HOSTS = ['research.scarif.space', 'research.scarif.local']
-
-# Database
-# https://docs.djangoproject.com/en/1.10/ref/settings/#databases
-
-DATABASES = {
- 'default': {
- 'ENGINE': 'django.db.backends.sqlite3',
- 'NAME': '/data/production.db',
- }
-}
-
-# Allow users to register by themselves
-ALLOW_NEW_REGISTRATIONS = False
-
-# Delete image files once you remove your pin
-IMAGE_AUTO_DELETE = True
-
-# thumbnail size control
-IMAGE_SIZES = {
- 'thumbnail': {'size': [240, 0]},
- 'standard': {'size': [600, 0]},
- 'square': {'crop': True, 'size': [125, 125]},
-}
-
-# Whether people can view pins without login
-PUBLIC = True
-
-ENABLED_PLUGINS = [
- 'pinry_plugins.batteries.plugin_example.Plugin',
-]
diff --git a/smb.conf b/smb.conf
new file mode 100644
index 0000000..b23d039
--- /dev/null
+++ b/smb.conf
@@ -0,0 +1,225 @@ +# This is the main Samba configuration file. You should read the +# smb.conf(5) manual page in order to understand the options listed +# here. Samba has a huge number of configurable options (perhaps too +# many!) most of which are not shown in this example +# +# For a step to step guide on installing, configuring and using samba, +# read the Samba-HOWTO-Collection. This may be obtained from: +# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf +# +# Many working examples of smb.conf files can be found in the +# Samba-Guide which is generated daily and can be downloaded from: +# http://www.samba.org/samba/docs/Samba-Guide.pdf +# +# Any line which starts with a ; (semi-colon) or a # (hash) +# is a comment and is ignored. In this example we will use a # +# for commentry and a ; for parts of the config file that you +# may wish to enable +# +# NOTE: Whenever you modify this file you should run the command "testparm" +# to check that you have not made any basic syntactic errors. +# +#======================= Global Settings ===================================== +[global] + +# Allow server side copying with MacOS clients + fruit:copyfile = yes + +# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH + workgroup = MYGROUP + +# server string is the equivalent of the NT Description field + server string = Samba Server + +# Server role. Defines in which mode Samba will operate. Possible +# values are "standalone server", "member server", "classic primary +# domain controller", "classic backup domain controller", "active +# directory domain controller". +# +# Most people will want "standalone server" or "member server". +# Running as "active directory domain controller" will require first +# running "samba-tool domain provision" to wipe databases and create a +# new domain. + server role = standalone server + +# This option is important for security. It allows you to restrict +# connections to machines which are on your local network. 
The +# following example restricts access to two C class networks and +# the "loopback" interface. For more examples of the syntax see +# the smb.conf man page + hosts allow = 192.168.1. 192.168.2. 127. + +# Uncomment this if you want a guest account, you must add this to /etc/passwd +# otherwise the user "nobody" is used +; guest account = pcguest + +# this tells Samba to use a separate log file for each machine +# that connects + log file = /var/log/samba/log.%m + +# Put a capping on the size of the log files (in Kb). + max log size = 500 + +# Specifies the Kerberos or Active Directory realm the host is part of +; realm = MY_REALM + +# Backend to store user information in. New installations should +# use either tdbsam or ldapsam. smbpasswd is available for backwards +# compatibility. tdbsam requires no further configuration. +; passdb backend = tdbsam + +# Using the following line enables you to customise your configuration +# on a per machine basis. The %m gets replaced with the netbios name +# of the machine that is connecting. +# Note: Consider carefully the location in the configuration file of +# this line. The included file is read at that point. +; include = /usr/local/samba/lib/smb.conf.%m + +# Configure Samba to use multiple interfaces +# If you have multiple network interfaces then you must list them +# here. See the man page for details. 
+; interfaces = 192.168.12.2/24 192.168.13.2/24 + +# Where to store roving profiles (only for Win95 and WinNT) +# %L substitutes for this servers netbios name, %U is username +# You must uncomment the [Profiles] share below +; logon path = \\%L\Profiles\%U + +# Windows Internet Name Serving Support Section: +# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server +; wins support = yes + +# WINS Server - Tells the NMBD components of Samba to be a WINS Client +# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both +; wins server = w.x.y.z + +# WINS Proxy - Tells Samba to answer name resolution queries on +# behalf of a non WINS capable client, for this to work there must be +# at least one WINS Server on the network. The default is NO. +; wins proxy = yes + +# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names +# via DNS nslookups. The default is NO. + dns proxy = no + +# These scripts are used on a domain controller or stand-alone +# machine to add or delete corresponding unix accounts +; add user script = /usr/sbin/useradd %u +; add group script = /usr/sbin/groupadd %g +; add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u +; delete user script = /usr/sbin/userdel %u +; delete user from group script = /usr/sbin/deluser %u %g +; delete group script = /usr/sbin/groupdel %g + + +#============================ Share Definitions ============================== +[homes] + comment = Home Directories + browseable = no + writable = yes + +# Un-comment the following and create the netlogon directory for Domain Logons +; [netlogon] +; comment = Network Logon Service +; path = /usr/local/samba/lib/netlogon +; guest ok = yes +; writable = no +; share modes = no + + +# Un-comment the following to provide a specific roving profile share +# the default is to use the user's home directory +;[Profiles] +; path = /usr/local/samba/profiles +; browseable = no +; guest ok = yes + + +# 
NOTE: If you have a BSD-style print system there is no need to +# specifically define each individual printer +[printers] + comment = All Printers + path = /usr/spool/samba + browseable = no +# Set public = yes to allow user 'guest account' to print + guest ok = no + writable = no + printable = yes + +# This one is useful for people to share files +[tmp] + comment = Temporary file space + path = /tmp + read only = no + public = yes + +# A publicly accessible directory, but read only, except for people in +# the "staff" group +#[public] + #comment = Public Stuff + #path = /mnt/tower/stardust/chris/files/public + #public = yes + #writable = no + #printable = no + #write list = @chris + +# Other examples. +# +# A private printer, usable only by fred. Spool data will be placed in fred's +# home directory. Note that fred must have write access to the spool directory, +# wherever it is. +;[fredsprn] +; comment = Fred's Printer +; valid users = fred +; path = /homes/fred +; printer = freds_printer +; public = no +; writable = no +; printable = yes + +# A private directory, usable only by fred. Note that fred requires write +# access to the directory. +[stardust] + comment = Stardust + path = /mnt/tower/stardust/chris/files + valid users = chris + public = no + writable = yes + printable = no + +# a service which has a different directory for each machine that connects +# this allows you to tailor configurations to incoming machines. You could +# also use the %U option to tailor it by user name. +# The %m gets replaced with the machine name that is connecting. +;[pchome] +; comment = PC Directories +; path = /usr/pc/%m +; public = no +; writable = yes + +# A publicly accessible directory, read/write to all users. Note that all files +# created in the directory by users will be owned by the default user, so +# any user with access can delete any other user's files. Obviously this +# directory must be writable by the default user. 
Another user could of course +# be specified, in which case all files would be owned by that user instead. +;[public] +; path = /usr/somewhere/else/public +; public = yes +; only guest = yes +; writable = yes +; printable = no + +# The following two entries demonstrate how to share a directory so that two +# users can place files there that will be owned by the specific users. In this +# setup, the directory should be writable by both users and should have the +# sticky bit set on it to prevent abuse. Obviously this could be extended to +# as many users as required. +;[myshare] +; comment = Mary's and Fred's stuff +; path = /usr/somewhere/shared +; valid users = mary fred +; public = no +; writable = yes +; printable = no +; create mask = 0765 +
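Review bot: The `[tmp]` share exports the host's /tmp read-write to guests (`public = yes`, `read only = no`), so any machine matched by `hosts allow` can drop, replace or fill files there with no credentials; for a box whose only intended share looks to be `[stardust]` (`valid users = chris`), I'd remove the `[tmp]` and `[printers]` stanzas, or at minimum set `public = no` and `valid users = chris` on `[tmp]`. `hosts allow = 192.168.1. 192.168.2. 127.` is the example file's stock value and does not cover the 192.168.10.0/24 network that `.env.example` uses for LOCAL_IP, so it is worth restating for the real LAN rather than relying on the default. `fruit:copyfile = yes` has no effect unless `vfs objects = fruit` is set in the same section. For the private share, `server min protocol = SMB3` and `smb encrypt = required` in `[global]` would keep credentials and file data from crossing the LAN in clear; `testparm` will flag any typo in these before smbd is restarted.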