Working for homelab

This commit is contained in:
2023-03-23 20:29:29 +00:00
parent a6d5ceaa22
commit 678894d7db
18 changed files with 677 additions and 734 deletions


@@ -7,7 +7,6 @@ USER_PASSWORD=
DOMAIN=scarif.local DOMAIN=scarif.local
LOCAL_IP=192.168.10.10 LOCAL_IP=192.168.10.10
SSH_KEY= # Will be added to authorized keys SSH_KEY= # Will be added to authorized keys
DIGITALOCEAN_TOKEN= # For enabling lets encrypt
# #
# Database settings # Database settings
@@ -44,16 +43,6 @@ NEXTCLOUD_ADMIN_PASSWORD=
COLLABORA_USER=${USERNAME} COLLABORA_USER=${USERNAME}
COLLABORA_PASSWORD= COLLABORA_PASSWORD=
#
# Monica settings (personel.scarif.space)
# Image: monica:fpm
#
MAIL_FROM=${USERNAME}@${DOMAIN}
MAIL_HOST=smtp.mailgun.org
MAIL_PORT=465
MAIL_USER=postmaster@mg.thinkzingy.com
MAIL_PASSWORD=
# #
# Jitsi settings (comms.scarif.space) # Jitsi settings (comms.scarif.space)
# Image: jitsi/web:latest # Image: jitsi/web:latest

INSTALL.md Normal file


@@ -3,38 +3,34 @@
source /opt/scarif/.env source /opt/scarif/.env
echo "------- Generating system users -------" echo "------- Generating system users -------"
# Add me as a user and git for SSH passthrough to gitea (change passwords after finishing) ## Add me as a user and git for SSH passthrough to gitea (change passwords after finishing)
useradd -m -p $(echo $USER_PASSWORD | openssl passwd -1 -stdin) chris useradd -m -p $(echo $USER_PASSWORD | openssl passwd -1 -stdin) chris
useradd -m -p $(echo $GIT_PASSWORD | openssl passwd -1 -stdin) -u1200 git useradd -m -p $(echo $GIT_PASSWORD | openssl passwd -1 -stdin) -u1200 git
# Set up privileges ## Set up privileges
echo "chris ALL=(ALL) ALL" >> /etc/sudoers echo "chris ALL=(ALL) ALL" >> /etc/sudoers
# Disable root login echo "root ALL=(ALL) ALL" >> /etc/sudoers
## Disable root login
passwd -l root passwd -l root
# Install necessary packages # Install necessary packages
echo "------- Installing packages -------" echo "------- Installing packages -------"
pacman -S --needed --noconfirm sudo wget tmux htop vim docker docker-compose git ufw certbot certbot-dns-digitalocean pacman -Syyu --noconfirm
pacman -S --noconfirm archlinux-keyring
pacman -S --needed --noconfirm sudo wget tmux htop vim docker docker-compose git ufw certbot samba nfs-utils
echo "------- Setting up SSH -------" echo "------- Setting up SSH -------"
# Remove old SSH keys in case running again # Remove old SSH keys in case running again
sudo -u git mkdir -p /home/git/.ssh
rm -f /home/git/.ssh/* rm -f /home/git/.ssh/*
# Generate SSH keys for git to enable SSH proxy # Generate SSH keys for git to enable SSH proxy
sudo -u git ssh-keygen -t rsa -b 4096 -C "Gitea Host Key" -f/home/git/.ssh/id_rsa -q -N "" sudo -u git ssh-keygen -t rsa -b 4096 -C "Gitea Host Key" -f/home/git/.ssh/id_rsa -q -N ""
# Add SSH key to authorized keys which is shared with docker container # Add SSH key to authorized keys which is shared with docker container
echo "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty $(cat /home/git/.ssh/id_rsa.pub)" >> /home/git/.ssh/authorized_keys echo "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty $(cat /home/git/.ssh/id_rsa.pub)" >> /home/git/.ssh/authorized_keys
# Add current SSH key to main user's authorized keys # Add current SSH key to main user's authorized keys
mkdir /home/chris/.ssh mkdir -p /home/chris/.ssh
echo $SSH_KEY >> /home/chris/.ssh/authorized_keys echo $SSH_KEY >> /home/chris/.ssh/authorized_keys
# Disable root login rm /etc/ssh/sshd_config
sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin no/" /etc/ssh/sshd_config ln -s /opt/scarif/sshd_config /etc/ssh/sshd_config
# Logout after 1 minute of inactivity
sed -i "s/#LoginGraceTime 2m/LoginGraceTime 1m/" /etc/ssh/sshd_config
# Add banner art
sed -i "s/#Banner none/Banner \/opt\/scarif\/ssh-banner-art/" >> /etc/ssh/sshd_config
# Limit number of sessions
sed -i "s/#MaxSessions/MaxSessions 4/" >> /etc/ssh/sshd_config
# Limit users
sed -i "s/#AllowUsers/AllowUsers chris git/" >> /etc/ssh/sshd_config
# Modify login messages # Modify login messages
echo "Clearance codes accepted! proceed:" > /etc/motd echo "Clearance codes accepted! proceed:" > /etc/motd
# Enforce a delay after a failed login attempt to prevent brute force attacks # Enforce a delay after a failed login attempt to prevent brute force attacks
@@ -43,7 +39,7 @@ echo "auth optional pam-faildelay.so delay 2000000" >> /etc/pam.d/system-login
systemctl restart sshd systemctl restart sshd
echo "------- Enabling SSH passthrough -------" echo "------- Enabling SSH passthrough -------"
# Make files necessary for SSH passthrough (https://docs.gitea.io/en-us/install-with-docker/#ssh-container-passthrough) ## Make files necessary for SSH passthrough (https://docs.gitea.io/en-us/install-with-docker/#ssh-container-passthrough)
mkdir -p /var/lib/gitea mkdir -p /var/lib/gitea
cat <<"EOF" | sudo tee /usr/local/bin/gitea cat <<"EOF" | sudo tee /usr/local/bin/gitea
#!/bin/sh #!/bin/sh
@@ -56,26 +52,26 @@ chmod +x /app/gitea/gitea
chown -R git /app/gitea/gitea chown -R git /app/gitea/gitea
chown -R git /var/lib/gitea chown -R git /var/lib/gitea
if [ $APP_ENV = "production" ] #if [ $APP_ENV = "production" ]
then #then
echo "------- Enabling certbot service -------" # echo "------- Enabling certbot service -------"
mkdir -p /root/.secret/certbot # mkdir -p /root/.secret/certbot
tee /root/.secret/certbot/digitalocean.ini <<END # tee /root/.secret/certbot/digitalocean.ini <<END
# DigitalOcean API credentials used by Certbot ## DigitalOcean API credentials used by Certbot
dns_digitalocean_token = $DIGITALOCEAN_TOKEN #dns_digitalocean_token = $DIGITALOCEAN_TOKEN
END #END
certbot certonly \ # certbot certonly \
--dns-digitalocean \ # --dns-digitalocean \
--dns-digitalocean-credentials /root/.secret/certbot/digitalocean.ini \ # --dns-digitalocean-credentials /root/.secret/certbot/digitalocean.ini \
-d *.$DOMAIN -d $DOMAIN \ # -d *.$DOMAIN -d $DOMAIN \
-m stofflees@gmail.com \ # -m stofflees@gmail.com \
--agree-tos \ # --agree-tos \
--no-eff-email # --no-eff-email
#
cp /opt/scarif/certbot/* /etc/systemd/system/ # cp /opt/scarif/certbot/* /etc/systemd/system/
systemctl enable --now certbot.timer # systemctl enable --now certbot.timer
fi #fi
echo "------- Adding config folders for jitsi -------" echo "------- Adding config folders for jitsi -------"
mkdir -p /opt/jitsi/{web/letsencrypt,transcripts,prosody/config,prosody/prosody-plugins-custom,jicofo,jvb,jigasi,jibri} mkdir -p /opt/jitsi/{web/letsencrypt,transcripts,prosody/config,prosody/prosody-plugins-custom,jicofo,jvb,jigasi,jibri}
@@ -83,17 +79,30 @@ mkdir -p /opt/jitsi/{web/letsencrypt,transcripts,prosody/config,prosody/prosody-
echo "------- Setting up firewall -------" echo "------- Setting up firewall -------"
ufw default deny incoming ufw default deny incoming
ufw default allow outgoing ufw default allow outgoing
ufw allow 22 ufw allow 629
ufw allow 80 ufw allow 80
ufw allow 443 ufw allow 443
ufw allow 2049
ufw allow CIFS
ufw --force enable ufw --force enable
echo "------- Starting docker -------" echo "------- Starting docker -------"
systemctl enable docker --now systemctl enable docker --now
docker-compose -f "/opt/scarif/docker-compose.yml" --env-file "/opt/scarif/.env" up -d docker-compose -f "/opt/scarif/docker-compose.yml" --env-file "/opt/scarif/.env" up -d
# Create a super user for pinry ## Create user for jitsi
docker exec -it scarif_pinry_1 python manage.py createsuperuser --settings=pinry.settings.docker
# Create user for jitsi
docker-compose exec prosody prosodyctl --config /config/prosody.cfg.lua register chris meet.jitsi ${USER_PASSWORD} docker-compose exec prosody prosodyctl --config /config/prosody.cfg.lua register chris meet.jitsi ${USER_PASSWORD}
echo "------- Start Samba share -------"
ln -s /opt/scarif/smb.conf /etc/samba/smb.conf
smbpasswd -a chris
systemctl enable --now smb
echo "------- Start NFS share -------"
ln -s /opt/scarif/nfs.conf /etc/nfs.conf
ln -s /opt/scarif/exports /etc/exports
exportfs -arv
systemctl enable --now nfs4-server
systemctl enable --now zfs-share
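Review bot: The firewall rules added in the last hunk, `ufw allow 2049` and `ufw allow CIFS`, open the NFS and Samba ports to every source, while the exports file added in this same commit only grants 192.168.2.0/24; restricting the rules to that subnet keeps the firewall consistent with the export policy, e.g. `ufw allow from 192.168.2.0/24 to any port 2049` and `ufw allow from 192.168.2.0/24 to any app CIFS`. Second, `ln -s /opt/scarif/nfs.conf /etc/nfs.conf` and `ln -s /opt/scarif/exports /etc/exports` fail with "File exists" if the package already installs those files (nfs-utils normally does), and nothing in this script stops on error, so `exportfs -arv` would then export the stock file; `ln -sf`, or an explicit `rm -f` first as is done for sshd_config, avoids that. The new `echo "root ALL=(ALL) ALL" >> /etc/sudoers` grants nothing root does not already have and appends another line on every run, so it can be dropped. `zfs-share` is enabled at the end but no zfs package appears on the pacman line, so presumably it is installed elsewhere. The script continues past this hunk.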


@@ -15,20 +15,12 @@ x-logging: &logging
version: "3.4" version: "3.4"
services: services:
dashboard:
<<: *logging
image: rmountjoy/dashmachine:latest
volumes:
- dashboard:/dashmachine/dashmachine/user_data
restart: always
networks:
- nginx
foundry: foundry:
<<: *logging <<: *logging
image: felddy/foundryvtt:release image: felddy/foundryvtt:release
volumes: volumes:
- foundry:/data - /mnt/tower/foundry:/data
- /opt/scarif/foundry/patches:/data/patches
restart: always restart: always
environment: environment:
- "FOUNDRY_PASSWORD=${FOUNDRY_PASSWORD}" - "FOUNDRY_PASSWORD=${FOUNDRY_PASSWORD}"
@@ -40,44 +32,22 @@ services:
- FOUNDRY_PROXY_SSL=true - FOUNDRY_PROXY_SSL=true
- FOUNDRY_ROUTE_PREFIX=foundry - FOUNDRY_ROUTE_PREFIX=foundry
- CONTAINER_CACHE=/data/container_cache - CONTAINER_CACHE=/data/container_cache
- CONTAINER_PATCH_URLS=https://labs.scarif.space/chris/foundry-plutonium-install/raw/branch/main/plutonium.sh - CONTAINER_PATCHES=/data/patches
- FOUNDRY_UID=82 - FOUNDRY_UID=1000
- FOUNDRY_GID=82 - FOUNDRY_GID=1000
networks: networks:
- nginx - nginx
# monica:
# <<: *logging
# build: ./monica
# image: monica
# env_file: ./monica/.env
# environment:
# - APP_URL=https://personel.${DOMAIN}
# - DB_PASSWORD=${DB_PASSWORD}
# - DB_USERNAME=${DB_USER}
# - MAIL_FROM_ADDRESS=${MAIL_FROM}
# - MAIL_HOST=${MAIL_HOST}
# - MAIL_PORT=${MAIL_PORT}
# - MAIL_USERNAME=${MAIL_USER}
# - MAIL_PASSWORD=${MAIL_PASSWORD}
# volumes:
# - monica-data:/var/www/html/storage
# - monica-public:/var/www/html/public
# restart: always
# depends_on:
# - db
# networks:
# - db
# - nginx
nextcloud: nextcloud:
<<: *logging <<: *logging
build: ./nextcloud build: ./nextcloud
image: nextcloud image: nextcloud
restart: always restart: unless-stopped
user: 1000:1000
volumes: volumes:
- nextcloud:/var/www/html - nextcloud:/var/www/html
- foundry:/var/www/foundry - /mnt/tower/stardust:/var/www/html/data
- /mnt/tower/foundry:/var/www/foundry
environment: environment:
- REDIS_HOST=redis - REDIS_HOST=redis
- MYSQL_HOST=db - MYSQL_HOST=db
@@ -86,12 +56,16 @@ services:
- MYSQL_USER=${DB_USER} - MYSQL_USER=${DB_USER}
- NEXTCLOUD_ADMIN_PASSWORD=${NEXTCLOUD_ADMIN_PASSWORD} - NEXTCLOUD_ADMIN_PASSWORD=${NEXTCLOUD_ADMIN_PASSWORD}
- NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER} - NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER}
- MAIL_FROM=${MAIL_FROM} - MAIL_FROM_ADDRESS=${MAIL_FROM}
- MAIL_HOST=${MAIL_HOST} - SMTP_HOST=${MAIL_HOST}
- MAIL_PORT=${MAIL_PORT} - SMTP_PORT=${MAIL_PORT}
- MAIL_USER=${MAIL_USER} - SMTP_USER=${MAIL_USER}
- MAIL_PASSWORD=${MAIL_PASSWORD} - SMTP_PASSWORD=${MAIL_PASSWORD}
- NEXTCLOUD_TRUSTED_DOMAINS=tower.${DOMAIN} - "NEXTCLOUD_TRUSTED_DOMAINS=tower.${DOMAIN} 127.0.0.1"
- USER_UID=1000
- USER_GID=1000
- APACHE_RUN_USER=1000
- APACHE_RUN_GROUP=1000
depends_on: depends_on:
- db - db
- redis - redis
@@ -100,20 +74,17 @@ services:
- redis - redis
- nginx - nginx
extra_hosts: extra_hosts:
- "tower.scarif.space:${LOCAL_IP}" - "tower.${DOMAIN}:${LOCAL_IP}"
- "office.scarif.space:${LOCAL_IP}" - "office.${DOMAIN}:${LOCAL_IP}"
collabora: collabora:
<<: *logging <<: *logging
image: collabora/code image: collabora/code
restart: always restart: unless-stopped
cap_add: cap_add:
- MKNOD - MKNOD
# volumes:
# - /etc/timezone:/etc/timezone:ro
# - /etc/localtime:/etc/localtime:ro
environment: environment:
- DONT_GEN_SSL_CERT="True" - "DONT_GEN_SSL_CERT=True"
- domain=tower.${DOMAIN} - domain=tower.${DOMAIN}
- cert_domain=office.${DOMAIN} - cert_domain=office.${DOMAIN}
- server_name=office.${DOMAIN} - server_name=office.${DOMAIN}
@@ -124,20 +95,8 @@ services:
networks: networks:
- nginx - nginx
extra_hosts: extra_hosts:
- "tower.scarif.space:${LOCAL_IP}" - "tower.${DOMAIN}:${LOCAL_IP}"
- "office.scarif.space:${LOCAL_IP}" - "office.${DOMAIN}:${LOCAL_IP}"
pinry:
<<: *logging
image: 'getpinry/pinry'
volumes:
- pinry:/data
- ./pinry/local_settings.py:/data/local_settings.py
networks:
- nginx
- db
depends_on:
- db
gitea: gitea:
<<: *logging <<: *logging
@@ -158,6 +117,7 @@ services:
restart: always restart: always
volumes: volumes:
- gitea:/data - gitea:/data
- /mnt/tower/labs:/data/git
- /home/git/.ssh/:/data/git/.ssh/ - /home/git/.ssh/:/data/git/.ssh/
- /etc/timezone:/etc/timezone:ro - /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro - /etc/localtime:/etc/localtime:ro
@@ -171,26 +131,18 @@ services:
jitsi: jitsi:
<<: *logging <<: *logging
image: jitsi/web:latest image: jitsi/web:stable
restart: always restart: unless-stopped
volumes: volumes:
- ${CONFIG}/web:/config:Z - ${CONFIG}/web:/config:Z
- ${CONFIG}/web/crontabs:/var/spool/cron/crontabs:Z
- ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z
environment: environment:
- ENABLE_LETSENCRYPT
- ENABLE_HTTP_REDIRECT
- ENABLE_HSTS
- ENABLE_XMPP_WEBSOCKET
- DISABLE_HTTPS
- LETSENCRYPT_DOMAIN
- LETSENCRYPT_EMAIL
- LETSENCRYPT_USE_STAGING
- PUBLIC_URL
- TZ
- AMPLITUDE_ID - AMPLITUDE_ID
- ANALYTICS_SCRIPT_URLS - ANALYTICS_SCRIPT_URLS
- ANALYTICS_WHITELISTED_EVENTS - ANALYTICS_WHITELISTED_EVENTS
- BRIDGE_CHANNEL - AUDIO_QUALITY_OPUS_BITRATE
- AUTO_CAPTION_ON_RECORD
- BRANDING_DATA_URL - BRANDING_DATA_URL
- CALLSTATS_CUSTOM_SCRIPT_URL - CALLSTATS_CUSTOM_SCRIPT_URL
- CALLSTATS_ID - CALLSTATS_ID
@@ -198,30 +150,60 @@ services:
- CHROME_EXTENSION_BANNER_JSON - CHROME_EXTENSION_BANNER_JSON
- CONFCODE_URL - CONFCODE_URL
- CONFIG_EXTERNAL_CONNECT - CONFIG_EXTERNAL_CONNECT
- DEFAULT_LANGUAGE
- DEPLOYMENTINFO_ENVIRONMENT - DEPLOYMENTINFO_ENVIRONMENT
- DEPLOYMENTINFO_ENVIRONMENT_TYPE - DEPLOYMENTINFO_ENVIRONMENT_TYPE
- DEPLOYMENTINFO_REGION
- DEPLOYMENTINFO_SHARD
- DEPLOYMENTINFO_USERREGION - DEPLOYMENTINFO_USERREGION
- DESKTOP_SHARING_FRAMERATE_MIN
- DESKTOP_SHARING_FRAMERATE_MAX
- DIALIN_NUMBERS_URL - DIALIN_NUMBERS_URL
- DIALOUT_AUTH_URL - DIALOUT_AUTH_URL
- DIALOUT_CODES_URL - DIALOUT_CODES_URL
- DISABLE_AUDIO_LEVELS
- DISABLE_DEEP_LINKING
- DISABLE_GRANT_MODERATOR
- DISABLE_HTTPS
- DISABLE_KICKOUT
- DISABLE_LOCAL_RECORDING
- DISABLE_POLLS
- DISABLE_PRIVATE_CHAT
- DISABLE_PROFILE
- DISABLE_REACTIONS
- DISABLE_REMOTE_VIDEO_MENU
- DISABLE_START_FOR_ALL
- DROPBOX_APPKEY - DROPBOX_APPKEY
- DROPBOX_REDIRECT_URI - DROPBOX_REDIRECT_URI
- DYNAMIC_BRANDING_URL
- ENABLE_AUDIO_PROCESSING - ENABLE_AUDIO_PROCESSING
- ENABLE_AUTH - ENABLE_AUTH
- ENABLE_BREAKOUT_ROOMS
- ENABLE_CALENDAR - ENABLE_CALENDAR
- ENABLE_FILE_RECORDING_SERVICE - ENABLE_COLIBRI_WEBSOCKET
- ENABLE_FILE_RECORDING_SERVICE_SHARING - ENABLE_E2EPING
- ENABLE_FILE_RECORDING_SHARING
- ENABLE_GUESTS - ENABLE_GUESTS
- ENABLE_HSTS
- ENABLE_HTTP_REDIRECT
- ENABLE_IPV6 - ENABLE_IPV6
- ENABLE_LETS_ENCRYPT
- ENABLE_LIPSYNC - ENABLE_LIPSYNC
- ENABLE_NO_AUDIO_DETECTION - ENABLE_NO_AUDIO_DETECTION
- ENABLE_P2P - ENABLE_NOISY_MIC_DETECTION
- ENABLE_OCTO
- ENABLE_OPUS_RED
- ENABLE_PREJOIN_PAGE - ENABLE_PREJOIN_PAGE
- ENABLE_P2P
- ENABLE_WELCOME_PAGE - ENABLE_WELCOME_PAGE
- ENABLE_CLOSE_PAGE - ENABLE_CLOSE_PAGE
- ENABLE_LIVESTREAMING
- ENABLE_LOCAL_RECORDING_NOTIFY_ALL_PARTICIPANT
- ENABLE_LOCAL_RECORDING_SELF_START
- ENABLE_RECORDING - ENABLE_RECORDING
- ENABLE_REMB - ENABLE_REMB
- ENABLE_REQUIRE_DISPLAY_NAME - ENABLE_REQUIRE_DISPLAY_NAME
- ENABLE_SERVICE_RECORDING
- ENABLE_SIMULCAST - ENABLE_SIMULCAST
- ENABLE_STATS_ID - ENABLE_STATS_ID
- ENABLE_STEREO - ENABLE_STEREO
@@ -229,12 +211,22 @@ services:
- ENABLE_TALK_WHILE_MUTED - ENABLE_TALK_WHILE_MUTED
- ENABLE_TCC - ENABLE_TCC
- ENABLE_TRANSCRIPTIONS - ENABLE_TRANSCRIPTIONS
- ENABLE_XMPP_WEBSOCKET
- ENABLE_JAAS_COMPONENTS
- ETHERPAD_PUBLIC_URL - ETHERPAD_PUBLIC_URL
- ETHERPAD_URL_BASE - ETHERPAD_URL_BASE
- E2EPING_NUM_REQUESTS
- E2EPING_MAX_CONFERENCE_SIZE
- E2EPING_MAX_MESSAGE_PER_SECOND
- GOOGLE_ANALYTICS_ID - GOOGLE_ANALYTICS_ID
- GOOGLE_API_APP_CLIENT_ID - GOOGLE_API_APP_CLIENT_ID
- HIDE_PREMEETING_BUTTONS
- HIDE_PREJOIN_DISPLAY_NAME
- HIDE_PREJOIN_EXTRA_BUTTONS
- INVITE_SERVICE_URL - INVITE_SERVICE_URL
- JICOFO_AUTH_USER - LETSENCRYPT_DOMAIN
- LETSENCRYPT_EMAIL
- LETSENCRYPT_USE_STAGING
- MATOMO_ENDPOINT - MATOMO_ENDPOINT
- MATOMO_SITE_ID - MATOMO_SITE_ID
- MICROSOFT_API_APP_CLIENT_ID - MICROSOFT_API_APP_CLIENT_ID
@@ -242,38 +234,59 @@ services:
- NGINX_WORKER_PROCESSES - NGINX_WORKER_PROCESSES
- NGINX_WORKER_CONNECTIONS - NGINX_WORKER_CONNECTIONS
- PEOPLE_SEARCH_URL - PEOPLE_SEARCH_URL
- PREFERRED_LANGUAGE
- PUBLIC_URL
- P2P_PREFERRED_CODEC
- RESOLUTION - RESOLUTION
- RESOLUTION_MIN - RESOLUTION_MIN
- RESOLUTION_WIDTH - RESOLUTION_WIDTH
- RESOLUTION_WIDTH_MIN - RESOLUTION_WIDTH_MIN
- START_AUDIO_ONLY
- START_AUDIO_MUTED - START_AUDIO_MUTED
- DISABLE_AUDIO_LEVELS - START_AUDIO_ONLY
- ENABLE_NOISY_MIC_DETECTION
- START_BITRATE - START_BITRATE
- START_SILENT
- START_WITH_AUDIO_MUTED
- START_VIDEO_MUTED - START_VIDEO_MUTED
- START_WITH_VIDEO_MUTED
- TESTING_CAP_SCREENSHARE_BITRATE - TESTING_CAP_SCREENSHARE_BITRATE
- TESTING_OCTO_PROBABILITY - TESTING_OCTO_PROBABILITY
- TOKEN_AUTH_URL
- TOOLBAR_BUTTONS
- TRANSLATION_LANGUAGES
- TRANSLATION_LANGUAGES_HEAD
- TZ
- USE_APP_LANGUAGE
- VIDEOQUALITY_BITRATE_H264_LOW
- VIDEOQUALITY_BITRATE_H264_STANDARD
- VIDEOQUALITY_BITRATE_H264_HIGH
- VIDEOQUALITY_BITRATE_VP8_LOW
- VIDEOQUALITY_BITRATE_VP8_STANDARD
- VIDEOQUALITY_BITRATE_VP8_HIGH
- VIDEOQUALITY_BITRATE_VP9_LOW
- VIDEOQUALITY_BITRATE_VP9_STANDARD
- VIDEOQUALITY_BITRATE_VP9_HIGH
- VIDEOQUALITY_ENFORCE_PREFERRED_CODEC
- VIDEOQUALITY_PREFERRED_CODEC
- XMPP_AUTH_DOMAIN - XMPP_AUTH_DOMAIN
- XMPP_BOSH_URL_BASE - XMPP_BOSH_URL_BASE
- XMPP_DOMAIN - XMPP_DOMAIN
- XMPP_GUEST_DOMAIN - XMPP_GUEST_DOMAIN
- XMPP_MUC_DOMAIN - XMPP_MUC_DOMAIN
- XMPP_RECORDER_DOMAIN - XMPP_RECORDER_DOMAIN
- TOKEN_AUTH_URL - XMPP_PORT
- WHITEBOARD_ENABLED
- WHITEBOARD_COLLAB_SERVER_PUBLIC_URL
networks: networks:
nginx: nginx:
meet.jitsi: meet.jitsi:
aliases:
- ${XMPP_DOMAIN}
# XMPP server # XMPP server
prosody: prosody:
<<: *logging <<: *logging
image: jitsi/prosody:latest image: jitsi/prosody:stable
restart: always restart: unless-stopped
expose: expose:
- '5222' - '${XMPP_PORT:-52222}'
- '5347' - '5347'
- '5280' - '5280'
volumes: volumes:
@@ -281,46 +294,35 @@ services:
- ${CONFIG}/prosody/prosody-plugins-custom:/prosody-plugins-custom:Z - ${CONFIG}/prosody/prosody-plugins-custom:/prosody-plugins-custom:Z
environment: environment:
- AUTH_TYPE - AUTH_TYPE
- DISABLE_POLLS
- ENABLE_AUTH - ENABLE_AUTH
- ENABLE_AV_MODERATION
- ENABLE_BREAKOUT_ROOMS
- ENABLE_END_CONFERENCE
- ENABLE_GUESTS - ENABLE_GUESTS
- ENABLE_IPV6
- ENABLE_LOBBY - ENABLE_LOBBY
- ENABLE_RECORDING
- ENABLE_XMPP_WEBSOCKET - ENABLE_XMPP_WEBSOCKET
- GLOBAL_MODULES - ENABLE_JAAS_COMPONENTS
- GC_TYPE
- GC_INC_TH
- GC_INC_SPEED
- GC_INC_STEP_SIZE
- GC_GEN_MIN_TH
- GC_GEN_MAX_TH
- GLOBAL_CONFIG - GLOBAL_CONFIG
- LDAP_URL - GLOBAL_MODULES
- LDAP_BASE
- LDAP_BINDDN
- LDAP_BINDPW
- LDAP_FILTER
- LDAP_AUTH_METHOD
- LDAP_VERSION
- LDAP_USE_TLS
- LDAP_TLS_CIPHERS
- LDAP_TLS_CHECK_PEER
- LDAP_TLS_CACERT_FILE
- LDAP_TLS_CACERT_DIR
- LDAP_START_TLS
- XMPP_DOMAIN
- XMPP_AUTH_DOMAIN
- XMPP_GUEST_DOMAIN
- XMPP_MUC_DOMAIN
- XMPP_INTERNAL_MUC_DOMAIN
- XMPP_MODULES
- XMPP_MUC_MODULES
- XMPP_INTERNAL_MUC_MODULES
- XMPP_RECORDER_DOMAIN
- XMPP_CROSS_DOMAIN
- JICOFO_COMPONENT_SECRET
- JICOFO_AUTH_USER
- JICOFO_AUTH_PASSWORD
- JVB_AUTH_USER
- JVB_AUTH_PASSWORD
- JIGASI_XMPP_USER
- JIGASI_XMPP_PASSWORD
- JIBRI_XMPP_USER
- JIBRI_XMPP_PASSWORD
- JIBRI_RECORDER_USER - JIBRI_RECORDER_USER
- JIBRI_RECORDER_PASSWORD - JIBRI_RECORDER_PASSWORD
- JIBRI_XMPP_USER
- JIBRI_XMPP_PASSWORD
- JICOFO_AUTH_PASSWORD
- JICOFO_COMPONENT_SECRET
- JIGASI_XMPP_USER
- JIGASI_XMPP_PASSWORD
- JVB_AUTH_USER
- JVB_AUTH_PASSWORD
- JWT_APP_ID - JWT_APP_ID
- JWT_APP_SECRET - JWT_APP_SECRET
- JWT_ACCEPTED_ISSUERS - JWT_ACCEPTED_ISSUERS
@@ -328,40 +330,97 @@ services:
- JWT_ASAP_KEYSERVER - JWT_ASAP_KEYSERVER
- JWT_ALLOW_EMPTY - JWT_ALLOW_EMPTY
- JWT_AUTH_TYPE - JWT_AUTH_TYPE
- JWT_ENABLE_DOMAIN_VERIFICATION
- JWT_TOKEN_AUTH_MODULE - JWT_TOKEN_AUTH_MODULE
- MATRIX_UVS_URL
- MATRIX_UVS_ISSUER
- MATRIX_UVS_AUTH_TOKEN
- MATRIX_UVS_SYNC_POWER_LEVELS
- LOG_LEVEL - LOG_LEVEL
- LDAP_AUTH_METHOD
- LDAP_BASE
- LDAP_BINDDN
- LDAP_BINDPW
- LDAP_FILTER
- LDAP_VERSION
- LDAP_TLS_CIPHERS
- LDAP_TLS_CHECK_PEER
- LDAP_TLS_CACERT_FILE
- LDAP_TLS_CACERT_DIR
- LDAP_START_TLS
- LDAP_URL
- LDAP_USE_TLS
- MAX_PARTICIPANTS
- PROSODY_RESERVATION_ENABLED
- PROSODY_RESERVATION_REST_BASE_URL
- PUBLIC_URL - PUBLIC_URL
- TURN_CREDENTIALS
- TURN_HOST
- TURNS_HOST
- TURN_PORT
- TURNS_PORT
- TURN_TRANSPORT
- TZ - TZ
- XMPP_DOMAIN
- XMPP_AUTH_DOMAIN
- XMPP_GUEST_DOMAIN
- XMPP_MUC_DOMAIN
- XMPP_INTERNAL_MUC_DOMAIN
- XMPP_MODULES
- XMPP_MUC_MODULES
- XMPP_MUC_CONFIGURATION
- XMPP_INTERNAL_MUC_MODULES
- XMPP_RECORDER_DOMAIN
- XMPP_PORT
networks: networks:
meet.jitsi: meet.jitsi:
aliases: aliases:
- ${XMPP_SERVER} - ${XMPP_SERVER:-xmpp.meet.jitsi}
# Focus component # Focus component
jicofo: jicofo:
<<: *logging <<: *logging
image: jitsi/jicofo:latest image: jitsi/jicofo:stable
restart: always restart: unless-stopped
volumes: volumes:
- ${CONFIG}/jicofo:/config:Z - ${CONFIG}/jicofo:/config:Z
environment: environment:
- AUTH_TYPE - AUTH_TYPE
- BRIDGE_AVG_PARTICIPANT_STRESS
- BRIDGE_STRESS_THRESHOLD
- ENABLE_AUTH - ENABLE_AUTH
- ENABLE_AUTO_OWNER
- ENABLE_CODEC_VP8
- ENABLE_CODEC_VP9
- ENABLE_CODEC_H264
- ENABLE_OCTO
- ENABLE_RECORDING
- ENABLE_SCTP
- ENABLE_AUTO_LOGIN
- JICOFO_AUTH_PASSWORD
- JICOFO_ENABLE_BRIDGE_HEALTH_CHECKS
- JICOFO_CONF_INITIAL_PARTICIPANT_WAIT_TIMEOUT
- JICOFO_CONF_SINGLE_PARTICIPANT_TIMEOUT
- JICOFO_ENABLE_HEALTH_CHECKS
- JIBRI_BREWERY_MUC
- JIBRI_REQUEST_RETRIES
- JIBRI_PENDING_TIMEOUT
- JIGASI_BREWERY_MUC
- JIGASI_SIP_URI
- JVB_BREWERY_MUC
- MAX_BRIDGE_PARTICIPANTS
- OCTO_BRIDGE_SELECTION_STRATEGY
- SENTRY_DSN="${JICOFO_SENTRY_DSN:-0}"
- SENTRY_ENVIRONMENT
- SENTRY_RELEASE
- TZ
- XMPP_DOMAIN - XMPP_DOMAIN
- XMPP_AUTH_DOMAIN - XMPP_AUTH_DOMAIN
- XMPP_INTERNAL_MUC_DOMAIN - XMPP_INTERNAL_MUC_DOMAIN
- XMPP_MUC_DOMAIN - XMPP_MUC_DOMAIN
- XMPP_RECORDER_DOMAIN
- XMPP_SERVER - XMPP_SERVER
- JICOFO_COMPONENT_SECRET - XMPP_PORT
- JICOFO_AUTH_USER
- JICOFO_AUTH_PASSWORD
- JICOFO_RESERVATION_REST_BASE_URL
- JVB_BREWERY_MUC
- JIGASI_BREWERY_MUC
- JIGASI_SIP_URI
- JIBRI_BREWERY_MUC
- JIBRI_PENDING_TIMEOUT
- TZ
depends_on: depends_on:
- prosody - prosody
networks: networks:
@@ -370,31 +429,42 @@ services:
# Video bridge # Video bridge
jvb: jvb:
<<: *logging <<: *logging
image: jitsi/jvb:latest image: jitsi/jvb:stable
restart: always restart: unless-stopped
ports: ports:
- '${JVB_PORT}:${JVB_PORT}/udp' - '${JVB_PORT:-10000}:${JVB_PORT:-10000}/udp'
- '${JVB_TCP_PORT}:${JVB_TCP_PORT}' - '127.0.0.1:${JVB_COLIBRI_PORT:-8080}:8080'
volumes: volumes:
- ${CONFIG}/jvb:/config:Z - ${CONFIG}/jvb:/config:Z
environment: environment:
- DOCKER_HOST_ADDRESS - DOCKER_HOST_ADDRESS
- XMPP_AUTH_DOMAIN - ENABLE_COLIBRI_WEBSOCKET
- XMPP_INTERNAL_MUC_DOMAIN - ENABLE_OCTO
- XMPP_SERVER - JVB_ADVERTISE_IPS
- JVB_ADVERTISE_PRIVATE_CANDIDATES
- JVB_AUTH_USER - JVB_AUTH_USER
- JVB_AUTH_PASSWORD - JVB_AUTH_PASSWORD
- JVB_BREWERY_MUC - JVB_BREWERY_MUC
- JVB_DISABLE_STUN
- JVB_PORT - JVB_PORT
- JVB_TCP_HARVESTER_DISABLED - JVB_MUC_NICKNAME
- JVB_TCP_PORT
- JVB_TCP_MAPPED_PORT
- JVB_STUN_SERVERS - JVB_STUN_SERVERS
- JVB_ENABLE_APIS - JVB_OCTO_BIND_ADDRESS
- JVB_OCTO_REGION
- JVB_OCTO_RELAY_ID
- JVB_WS_DOMAIN - JVB_WS_DOMAIN
- JVB_WS_SERVER_ID - JVB_WS_SERVER_ID
- PUBLIC_URL - PUBLIC_URL
- SENTRY_DSN="${JVB_SENTRY_DSN:-0}"
- SENTRY_ENVIRONMENT
- SENTRY_RELEASE
- COLIBRI_REST_ENABLED
- SHUTDOWN_REST_ENABLED
- TZ - TZ
- XMPP_AUTH_DOMAIN
- XMPP_INTERNAL_MUC_DOMAIN
- XMPP_SERVER
- XMPP_PORT
depends_on: depends_on:
- prosody - prosody
networks: networks:
@@ -432,42 +502,33 @@ services:
- /opt/ssl:/etc/nginx/certs:ro - /opt/ssl:/etc/nginx/certs:ro
- ./nginx/nginx.conf.template:/etc/nginx/conf.d/nginx.conf.template - ./nginx/nginx.conf.template:/etc/nginx/conf.d/nginx.conf.template
- ./nginx/generate_conf.sh:/docker-entrypoint.d/generate_conf.sh - ./nginx/generate_conf.sh:/docker-entrypoint.d/generate_conf.sh
- monica-public:/var/www/html/monica/public:ro
- monica-data:/var/www/html/monica/storage:ro
- nextcloud:/var/www/html/nextcloud:ro - nextcloud:/var/www/html/nextcloud:ro
- ./christmas:/var/www/html/christmas:ro - ./christmas:/var/www/html/christmas:ro
environment: environment:
- DOMAIN=${DOMAIN} - DOMAIN=${DOMAIN}
depends_on: depends_on:
- dashboard
# - monica
- nextcloud - nextcloud
- gitea - gitea
- collabora - collabora
- pinry
ports: ports:
- 80:80 - 80:80
- 443:443 - 443:443
networks: networks:
- nginx - nginx
# certs: certs:
# <<: *certs <<: *certs
# environment: environment:
# - SSL_SUBJECT=${DOMAIN} - SSL_SUBJECT=${DOMAIN}
# - CA_SUBJECT=chris@${DOMAIN} - CA_SUBJECT=chris@${DOMAIN}
# - SSL_KEY=/certs/${DOMAIN}.key - SSL_KEY=/certs/${DOMAIN}.key
# - SSL_CSR=/certs/${DOMAIN}.csr - SSL_CSR=/certs/${DOMAIN}.csr
# - SSL_CERT=/certs/${DOMAIN}.crt - SSL_CERT=/certs/${DOMAIN}.crt
volumes: volumes:
db: db:
gitea: gitea:
monica-public:
monica-data:
nextcloud: nextcloud:
dashboard:
pinry:
foundry: foundry:
networks: networks:
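Review bot: The default in `- '${XMPP_PORT:-52222}'` under prosody's `expose` (hunk `@@ -242,38 +234,59 @@`) looks like a typo for the standard XMPP client port 5222; the other services (web, jicofo, jvb) pass XMPP_PORT with no default, so when it is unset in .env they fall back to whatever their images assume while prosody advertises 52222. If 52222 is intentional, the same `${XMPP_PORT:-52222}` default should be repeated where the others reference it; otherwise `- '${XMPP_PORT:-5222}'` matches the upstream convention. The re-enabled `certs` service relies on a `certs` anchor defined above this hunk, which is worth confirming still exists now that the service is live again. The jitsi services move to `restart: unless-stopped` while gitea and foundry keep `restart: always`; a short comment on why the policies differ would help, or they could be unified.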

exports Normal file

@@ -0,0 +1,14 @@
# /etc/exports - exports(5) - directories exported to NFS clients
#
# Example for NFSv3:
# /srv/home hostname1(rw,sync) hostname2(ro,sync)
# Example for NFSv4:
/mnt/tower/stardust/chris/files 192.168.2.0/24(rw,sync,no_subtree_check)
#/mnt/tower/stardust/chris/files 192.168.1.0/24(rw,sync)
# /srv/nfs4 hostname1(rw,sync,fsid=0)
# /srv/nfs4/home hostname1(rw,sync,nohide)
# Using Kerberos and integrity checking:
# /srv/nfs4 *(rw,sync,sec=krb5i,fsid=0)
# /srv/nfs4/home *(rw,sync,sec=krb5i,nohide)
#
# Use `exportfs -arv` to reload.
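Review bot: The export `/mnt/tower/stardust/chris/files 192.168.2.0/24(rw,sync,no_subtree_check)` uses the default sec=sys, so any host on 192.168.2.0/24 can present any UID, including 1000, which the compose file in this commit assigns to Nextcloud; the path also sits under /mnt/tower/stardust, which is mounted as Nextcloud's data directory, so files written over NFS bypass Nextcloud's file cache until a scan runs. If the share is only for the owner's machines, listing specific client addresses or adding `all_squash,anonuid=1000,anongid=1000` keeps ownership consistent with the container. The commented-out 192.168.1.0/24 line reads as leftover and could be dropped or given a comment explaining when it applies.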


@@ -0,0 +1,46 @@
#!/bin/sh
# This patch script is for use with the felddy/foundryvtt Docker container.
# See: https://github.com/felddy/foundryvtt-docker#readme
# Installs the Plutonium module if it is not yet installed, and then patches the
# Foundry server to call the Plutonium backend.
MAIN_JS="${FOUNDRY_HOME}/resources/app/main.mjs"
MODULE_BACKEND_JS="/data/Data/modules/plutonium/server/${FOUNDRY_VERSION:0:3}.x/plutonium-backend.mjs"
MODULE_DIR="/data/Data/modules"
MODULE_URL="https://github.com/TheGiddyLimit/plutonium-next/raw/master/plutonium-foundry10.zip"
MODULE_DOC_URL="https://wiki.tercept.net/en/Plutonium/Plutonium_Installation"
WORKDIR=$(mktemp -d)
ZIP_FILE="${WORKDIR}/plutonium.zip"
log "Installing Plutonium module and backend."
log "See: ${MODULE_DOC_URL}"
if [ ! -f $MODULE_BACKEND_JS ]; then
log "Downloading Plutonium module."
curl -L --output "${ZIP_FILE}" "${MODULE_URL}" 2>&1 | tr "\r" "\n"
log "Ensuring module directory exists."
mkdir -p "${MODULE_DIR}"
log "Installing Plutonium module."
unzip -o "${ZIP_FILE}" -d "${MODULE_DIR}"
fi
log "Installing Plutonium backend."
cp "${MODULE_BACKEND_JS}" "${FOUNDRY_HOME}/resources/app/"
log "Patching main.mjs to use plutonium-backend."
sed -z --file=- --in-place=.orig ${MAIN_JS} << SED_SCRIPT
s/\(init\.default({[^}]\+})\)\
/await \1;\n(await import(".\/plutonium-backend.mjs")).Plutonium.init();/g\
w plutonium_patchlog.txt
SED_SCRIPT
if [ -s plutonium_patchlog.txt ]; then
log "Plutonium backend patch was applied successfully."
log "Plutonium art and media tools will be enabled."
else
log_error "Plutonium backend patch could not be applied."
log_error "main.js did not contain the expected source lines."
log_warn "Foundry Virtual Tabletop will still operate without the art and media tools enabled."
log_warn "Update this patch file to a version that supports Foundry Virtual Tabletop ${FOUNDRY_VERSION}."
fi
log "Cleaning up."
rm -r ${WORKDIR}
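Review bot: `curl -L --output "${ZIP_FILE}" "${MODULE_URL}"` fetches an unpinned archive from a third-party branch head, and the result is unzipped into the modules directory and then executed inside the Foundry server through the main.mjs patch, with no `--fail` and no checksum, so an HTTP error page or a changed upstream archive is only noticed when `cp` fails while the sed patch still goes ahead. Pinning MODULE_URL to a release and verifying a recorded digest before `unzip` (`echo "<expected-sha256>  ${ZIP_FILE}" | sha256sum -c -`) makes the install reproducible and verifiable; `curl -fL` at minimum aborts on HTTP errors. `${FOUNDRY_VERSION:0:3}` is a substring expansion that not every /bin/sh implements (busybox ash and bash do), so it is fine only if that is the container's shell; `$MODULE_BACKEND_JS` and `${WORKDIR}` on the `[ ! -f … ]` and `rm -r` lines should be quoted like the rest of the script. `log`, `log_error` and `log_warn` are presumably provided by the container entrypoint that sources this file.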


@@ -1,168 +0,0 @@
#
# Welcome, friend ❤. Thanks for trying out Monica. We hope you'll have fun.
#
# Two choices: local|production. Use local if you want to install Monica as a
# development version. Use production otherwise.
APP_ENV=production
# true if you want to show debug information on errors. For production, put this
# to false.
APP_DEBUG=false
# The encryption key. This is the most important part of the application. Keep
# this secure otherwise, everyone will be able to access your application.
# Must be 32 characters long exactly.
# Use `php artisan key:generate` or `pwgen -s 32 1` to generate a random key.
APP_KEY=LUdDIZ6FcVn0Lvajb6IY4cwGvAaomVtP
# Prevent information leakage by referring to IDs with hashIds instead of
# the actual IDs used in the database.
HASH_SALT=YIfc5Go7H1TNxwnS7Uza
HASH_LENGTH=18
# The URL of your application.
#APP_URL=
# Force using APP_URL as base url of your application.
# You should not need this, unless you are using subdirectory config.
APP_FORCE_URL=false
# Database information
# To keep this information secure, we urge you to change the default password
# Currently only "mysql" compatible servers are working
DB_CONNECTION=mysql
DB_HOST=db
DB_PORT=3306
# You can use mysql unix socket if available, it overrides DB_HOST and DB_PORT values.
#DB_UNIX_SOCKET=/var/run/mysqld/mysqld.sock
DB_DATABASE=monica
#DB_USERNAME=
#DB_PASSWORD=
DB_PREFIX=
DB_TEST_HOST=127.0.0.1
DB_TEST_DATABASE=monica_test
DB_TEST_USERNAME=homestead
DB_TEST_PASSWORD=secret
# Use utf8mb4 database charset format to support emoji characters
# ⚠ be sure your DBMS supports utf8mb4 format
DB_USE_UTF8MB4=true
# Mail credentials used to send emails from the application.
MAIL_MAILER=smtp
#MAIL_HOST=
#MAIL_PORT=
#MAIL_USERNAME=
#MAIL_PASSWORD=
MAIL_ENCRYPTION=ssl
# Outgoing emails will be sent with these identity
#MAIL_FROM_ADDRESS=
MAIL_FROM_NAME="Scarif"
# New registration notification sent to this email
APP_EMAIL_NEW_USERS_NOTIFICATION=
# Ability to disable signups on your instance.
# Can be true or false. Default to false.
APP_DISABLE_SIGNUP=true
# Enable user email verification.
APP_SIGNUP_DOUBLE_OPTIN=false
# Set trusted proxy IP addresses.
# To trust all proxies that connect directly to your server, use a "*".
# To trust one or more specific proxies that connect directly to your server,
# use a comma separated list of IP addresses.
APP_TRUSTED_PROXIES=
# Enable automatic cloudflare trusted proxy discover
APP_TRUSTED_CLOUDFLARE=false
# Frequency of creation of new log files. Logs are written when an error occurs.
# Refer to config/logging.php for the possible values.
LOG_CHANNEL=daily
# Error tracking. Specific to hosted version on .com. You probably don't need
# those.
SENTRY_SUPPORT=false
SENTRY_LARAVEL_DSN=
# Send a daily ping to https://version.monicahq.com to check if a new version
# is available. When a new version is detected, you will have a message in the
# UI, as well as the release notes for the new changes. Can be true or false.
# Default to true.
CHECK_VERSION=true
# Cache, session, and queue parameters
# ⚠ Change this only if you know what you are doing
#. Cache: database, file, memcached, redis, dynamodb
#. Session: file, cookie, database, apc, memcached, redis, array
#. Queue: sync, database, beanstalkd, sqs, redis
# If Queue is not set to 'sync', you'll have to set a queue worker
# See https://laravel.com/docs/5.7/queues#running-the-queue-worker
CACHE_DRIVER=database
SESSION_DRIVER=file
SESSION_LIFETIME=120
QUEUE_CONNECTION=database
# If you use redis, set the redis host or ip, like:
#REDIS_HOST=redis
# Maximum allowed size for uploaded files, in kilobytes.
# Make sure this is an integer, without commas or spaces.
DEFAULT_MAX_UPLOAD_SIZE=10240
# Maximum allowed storage size per account, in megabytes.
# Make sure this is an integer, without commas or spaces.
DEFAULT_MAX_STORAGE_SIZE=512
# Default filesystem to store uploaded files.
# Possible values: public|s3
DEFAULT_FILESYSTEM=public
# AWS keys for S3 when using this storage method
AWS_KEY=
AWS_SECRET=
AWS_REGION=us-east-1
AWS_BUCKET=
AWS_SERVER=
# Allow Two Factor Authentication feature on your instance
MFA_ENABLED=true
# Enable DAV support
DAV_ENABLED=true
# CLIENT ID and SECRET used for OAuth authentication
PASSPORT_PERSONAL_ACCESS_CLIENT_ID=
PASSPORT_PERSONAL_ACCESS_CLIENT_SECRET=
# Allow to access general statistics about your instance through a public API
# call
ALLOW_STATISTICS_THROUGH_PUBLIC_API_ACCESS=false
# Indicates that each user in the instance must comply to international policies
# like CASL or GDPR
POLICY_COMPLIANT=true
# Enable geolocation services
# This is used to translate addresses to GPS coordinates.
ENABLE_GEOLOCATION=false
# API key for geolocation services
# We use LocationIQ (https://locationiq.com/) to translate addresses to
# latitude/longitude coordinates. We could use Google instead but we don't
# want to give anything to Google, ever.
# LocationIQ offers 10,000 free requests per day.
LOCATION_IQ_API_KEY=
# Enable weather on contact profile page
# Weather can only be fetched if we know longitude/latitude - this is why
# you also need to activate the geolocation service above to make it work
ENABLE_WEATHER=false
# Access to weather data from darksky api
# https://darksky.net/dev/register
# Darksky provides an api with 1000 free API calls per day
# You need to enable the weather above if you provide an API key here.
DARKSKY_API_KEY=


@@ -1,29 +0,0 @@
FROM monica:fpm
# Add wait-for-it
#ADD https://raw.githubusercontent.com/vishnubob/wait-for-it/master/wait-for-it.sh /bin/wait-for-it.sh
#RUN chmod +x /bin/wait-for-it.sh
# Add S6 supervisor (for graceful stop)
ADD https://github.com/just-containers/s6-overlay/releases/download/v1.21.1.1/s6-overlay-amd64.tar.gz /tmp/
RUN tar xzf /tmp/s6-overlay-amd64.tar.gz -C /
COPY entrypoint.sh /usr/local/bin
RUN chmod 755 /usr/local/bin/entrypoint.sh
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
CMD ["/init"]
RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini"
# Copy PHP-FPM service script
COPY start-fpm.sh /etc/services.d/php_fpm/run
RUN chmod 755 /etc/services.d/php_fpm/run
# Copy cron service script
COPY start-cron.sh /etc/services.d/cron/run
RUN chmod 755 /etc/services.d/cron/run
# Copy queue service script
COPY start-queue.sh /etc/services.d/queue/run
RUN chmod 755 /etc/services.d/queue/run


@@ -1,72 +0,0 @@
#!/bin/bash
set -Eeo pipefail
# wait for the database to start
waitfordb() {
HOST=${DB_HOST:-mysql}
PORT=${DB_PORT:-3306}
echo "Connecting to ${HOST}:${PORT}"
attempts=0
max_attempts=30
while [ $attempts -lt $max_attempts ]; do
busybox nc -w 1 "${HOST}:${PORT}" && break
echo "Waiting for ${HOST}:${PORT}..."
sleep 1
let "attempts=attempts+1"
done
if [ $attempts -eq $max_attempts ]; then
echo "Unable to contact your database at ${HOST}:${PORT}"
exit 1
fi
echo "Waiting for database to settle..."
sleep 3
}
if [ "$1" = "/init" ]; then
MONICADIR=/var/www/html
ARTISAN="php ${MONICADIR}/artisan"
# Ensure storage directories are present
STORAGE=${MONICADIR}/storage
mkdir -p ${STORAGE}/logs
mkdir -p ${STORAGE}/app/public
mkdir -p ${STORAGE}/framework/views
mkdir -p ${STORAGE}/framework/cache
mkdir -p ${STORAGE}/framework/sessions
chown -R www-data:www-data ${STORAGE}
chmod -R g+rw ${STORAGE}
if [ -z "${APP_KEY:-}" -o "$APP_KEY" = "ChangeMeBy32KeyLengthOrGenerated" ]; then
${ARTISAN} key:generate --no-interaction
else
echo "APP_KEY already set"
fi
# Run migrations
waitfordb
${ARTISAN} monica:update --force -vv
# Override the linking done by monica:update to use relative paths so the nginx directory can be anywhere
unlink ${MONICADIR}/public/storage
ln -s ../storage/app/public /var/www/html/public/storage
if [ -n "${SENTRY_SUPPORT:-}" -a "$SENTRY_SUPPORT" = "true" -a -z "${SENTRY_NORELEASE:-}" -a -n "${SENTRY_ENV:-}" ]; then
commit=$(cat .sentry-commit)
release=$(cat .sentry-release)
${ARTISAN} sentry:release --release="$release" --commit="$commit" --environment="$SENTRY_ENV" --force -v || true
fi
if [ ! -f "${STORAGE}/oauth-public.key" -o ! -f "${STORAGE}/oauth-private.key" ]; then
echo "Passport keys creation ..."
${ARTISAN} passport:keys
${ARTISAN} passport:client --personal --no-interaction
echo "! Please be careful to backup $MONICADIR/storage/oauth-public.key and $MONICADIR/storage/oauth-private.key files !"
fi
fi
exec "$@"


@@ -1,5 +0,0 @@
#!/usr/bin/with-contenv sh
set -eu;
# Start Cron
exec busybox crond -f -l 0 -L /proc/1/fd/1


@@ -1,5 +0,0 @@
#!/usr/bin/with-contenv sh
set -e;
# Start PHP-FPM
php-fpm -R --nodaemonize


@@ -1,5 +0,0 @@
#!/usr/bin/with-contenv sh
set -eu;
# Start Queue
exec php /var/www/html/artisan queue:work --sleep=10 --timeout=0 --tries=3 --queue=default,migration >/proc/1/fd/1 2>/proc/1/fd/2


@@ -36,7 +36,16 @@ RUN mkdir -p \
/var/run/supervisord \ /var/run/supervisord \
; ;
COPY --chown=www-data:root config /var/www/html/config RUN addgroup -S -g 1000 nextcloud; \
adduser -S -u 1000 -G nextcloud nextcloud; \
sed -i -e "s/^user = .*$/user = nextcloud/" /usr/local/etc/php-fpm.d/www.conf; \
sed -i -e "s/^group = .*$/group = nextcloud/" /usr/local/etc/php-fpm.d/www.conf; \
chown -R nextcloud:root /var/www; \
chmod -R g=u /var/www; \
chown -R nextcloud:root /usr/local/etc/php/conf.d; \
chown -R nextcloud:root /var/log/supervisord;
# COPY --chown=nextcloud:root config /var/www/html/config
COPY supervisord.conf / COPY supervisord.conf /
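Review bot: The new `chown -R nextcloud:root /usr/local/etc/php/conf.d;` gives the runtime user write access to PHP's ini drop-in directory, so any code execution as `nextcloud` (a vulnerable app, a malicious upload) can plant an `auto_prepend_file` or relax `disable_functions` that every later FPM worker loads — a persistence and hardening-bypass path the previous layout did not have. Nothing in this hunk shows an entrypoint that must write there at runtime; if a startup script generates ini files, do that at image build time or limit the chown to that one file and leave the directory root-owned. To a lesser degree the same applies to `chown -R nextcloud:root /var/www; chmod -R g=u /var/www;`, which makes the whole application tree writable by the web user — acceptable if the entrypoint installs or updates in place, but it deserves a comment saying so. The commented-out `# COPY --chown=nextcloud:root config ...` line should either be deleted or carry a one-line reason it is disabled. The preceding `RUN mkdir -p` chain starts outside the hunk.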


@@ -18,7 +18,8 @@ $CONFIG = [
*/ */
'trusted_domains' => 'trusted_domains' =>
[ [
'tower.scarif.space', 'tower.scarif.local',
'127.0.0.1',
], ],
/** /**
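Review bot: The added `'127.0.0.1'` entry in `trusted_domains` has no comment saying what needs it, and since this array is Nextcloud's Host-header allowlist an unexplained loopback entry tends to outlive its purpose. Presumably it serves an in-container healthcheck or `occ` invocation that reaches PHP-FPM directly rather than through the nginx vhost — verify that, and record it as `// loopback: in-container healthcheck/occ only; remove if unused` above the line. The `$CONFIG` array this hunk edits starts and ends outside the hunk.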

101
nfs.conf Normal file

@@ -0,0 +1,101 @@
#
# This is a general configuration for the
# NFS daemons and tools
#
[general]
# pipefs-directory=/var/lib/nfs/rpc_pipefs
#
[nfsrahead]
# nfs=15000
# nfs4=16000
#
[exports]
# rootdir=/export
#
[exportfs]
# debug=0
#
[gssd]
# verbosity=0
# rpc-verbosity=0
# use-memcache=0
# use-machine-creds=1
# use-gss-proxy=0
# avoid-dns=1
# limit-to-legacy-enctypes=0
# context-timeout=0
# rpc-timeout=5
# keytab-file=/etc/krb5.keytab
# cred-cache-directory=
# preferred-realm=
# set-home=1
# upcall-timeout=30
# cancel-timed-out-upcalls=0
#
[lockd]
# port=0
# udp-port=0
#
[exportd]
# debug="all|auth|call|general|parse"
# manage-gids=n
# state-directory-path=/var/lib/nfs
# threads=1
# cache-use-ipaddr=n
# ttl=1800
[mountd]
# debug="all|auth|call|general|parse"
# manage-gids=n
# descriptors=0
# port=0
# threads=1
# reverse-lookup=n
# state-directory-path=/var/lib/nfs
# ha-callout=
# cache-use-ipaddr=n
# ttl=1800
#
[nfsdcld]
# debug=0
# storagedir=/var/lib/nfs/nfsdcld
#
[nfsdcltrack]
# debug=0
# storagedir=/var/lib/nfs/nfsdcltrack
#
[nfsd]
# debug=0
# threads=8
# host=
# port=0
# grace-time=90
# lease-time=90
# udp=n
# tcp=y
# vers3=y
# vers4=y
# vers4.0=y
# vers4.1=y
# vers4.2=y
rdma=y
rdma-port=20049
[statd]
# debug=0
# port=0
# outgoing-port=0
# name=
# state-directory-path=/var/lib/nfs/statd
# ha-callout=
# no-notify=0
#
[sm-notify]
# debug=0
# force=0
# retry-time=900
# outgoing-port=
# outgoing-addr=
# lift-grace=y
#
[svcgssd]
# principal=
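Review bot: `rdma=y` and `rdma-port=20049` are the only active settings in this file and carry no comment about which interface or fabric they are meant for, while every other setting stays at the commented-out default, including `# vers3=y`, `# udp=n` and `# host=` (listen on every address). If the clients are NFSv4-only, set `vers3=n` so the AUTH_SYS-only v3 path is not exposed, and consider binding `host=` to the storage-network address instead of all interfaces; both are inferred needs, so confirm them against the exports before changing. A short comment above `[nfsd]` such as `# Only rdma/rdma-port are set here; everything else is the distro default` would tell the next reader the file is intentionally mostly template.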


@@ -68,142 +68,6 @@ http {
# Mitigate httpoxy attack (see README for details) # Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy ""; proxy_set_header Proxy "";
# upstream monica-handler {
# server monica:9000;
# }
#
# server {
# listen 443 ssl http2;
#
# ssl_certificate /etc/nginx/certs/${DOMAIN}.crt;
# ssl_certificate_key /etc/nginx/certs/${DOMAIN}.key;
#
# server_name personel.${DOMAIN};
#
# ## HSTS ##
# # Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
# # WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/.
# # This form will add the domain to a hardcoded list that is shipped in all major browsers and getting
# # removed from this list could take several months.
# #
# #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
#
# add_header Referrer-Policy "no-referrer" always;
# add_header X-Content-Type-Options "nosniff" always;
# add_header X-Download-Options "noopen" always;
# add_header X-Frame-Options "SAMEORIGIN" always;
# add_header X-Permitted-Cross-Domain-Policies "none" always;
# add_header X-Robots-Tag "none" always;
# add_header X-XSS-Protection "1; mode=block" always;
#
# # Remove X-Powered-By, which is an information leak
# fastcgi_hide_header X-Powered-By;
#
# root /var/www/html/monica/public;
#
# index index.html index.htm index.php;
#
# charset utf-8;
#
# location / {
# try_files $uri $uri/ /index.php?$query_string;
# }
#
# location ~ ^/(?:robots.txt|security.txt) {
# allow all;
# log_not_found off;
# access_log off;
# }
#
# error_page 404 500 502 503 504 /index.php;
#
# location ~ /\.well-known/(?:carddav|caldav) {
# return 301 $scheme://$host/dav;
# }
# location = /.well-known/security.txt {
# return 301 $scheme://$host/security.txt;
# }
# location ~ /\.(?!well-known).* {
# deny all;
# }
#
# # set max upload size
# client_max_body_size 10G;
# fastcgi_buffers 64 4K;
#
# # Enable gzip but do not remove ETag headers
# gzip on;
# gzip_vary on;
# gzip_comp_level 4;
# gzip_min_length 256;
# gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
# gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
#
# # Uncomment if your server is build with the ngx_pagespeed module
# # This module is currently not supported.
# #pagespeed off;
#
# location ~ \.php$ {
# # regex to split $uri to $fastcgi_script_name and $fastcgi_path
# fastcgi_split_path_info ^(.+?\.php)(/.*)$;
#
# # Check that the PHP script exists before passing it
# try_files $fastcgi_script_name =404;
#
# fastcgi_pass monica-handler;
# fastcgi_index index.php;
#
# include fastcgi_params;
#
# # Cannot use $document_root as the path to monica on the docker container
# # is different to the path to the public files in this nginx container.
# fastcgi_param SCRIPT_FILENAME /var/www/html/public$fastcgi_script_name;
# # Bypass the fact that try_files resets $fastcgi_path_info
# # see: http://trac.nginx.org/nginx/ticket/321
# set $path_info $fastcgi_path_info;
# fastcgi_param PATH_INFO $path_info;
# }
#
# # Adding the cache control header for js and css files
# # Make sure it is BELOW the PHP block
# location ~ \.(?:css|js|woff2?|svg|gif|json)$ {
# try_files $uri /index.php$request_uri;
# add_header Cache-Control "public, max-age=15778463";
#
# ## HSTS ##
# # Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
# # Note it is intended to have those duplicated to the ones above.
# # WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/.
# # This form will add the domain to a hardcoded list that is shipped in all major browsers and getting
# # removed from this list could take several months.
# #
# #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
#
# add_header Referrer-Policy "no-referrer" always;
# add_header X-Content-Type-Options "nosniff" always;
# add_header X-Download-Options "noopen" always;
# add_header X-Frame-Options "SAMEORIGIN" always;
# add_header X-Permitted-Cross-Domain-Policies "none" always;
# add_header X-Robots-Tag "none" always;
# add_header X-XSS-Protection "1; mode=block" always;
#
# # Optional: Don't log access to assets
# access_log off;
# }
#
# location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
# try_files $uri /index.php$request_uri;
#
# # Optional: Don't log access to assets
# access_log off;
# }
#
# # deny access to .htaccess files
# location ~ /\.ht {
# deny all;
# }
# }
upstream nextcloud-handler { upstream nextcloud-handler {
server nextcloud:9000; server nextcloud:9000;
} }
@@ -352,7 +216,7 @@ http {
ssl_certificate_key /etc/nginx/certs/${DOMAIN}.key; ssl_certificate_key /etc/nginx/certs/${DOMAIN}.key;
# static files # static files
location ^~ /loleaflet { location ^~ /browser {
proxy_pass http://collabora-handler; proxy_pass http://collabora-handler;
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
} }
@@ -370,7 +234,7 @@ http {
} }
# main websocket # main websocket
location ~ ^/lool/(.*)/ws$ { location ~ ^/cool/(.*)/ws$ {
proxy_pass http://collabora-handler; proxy_pass http://collabora-handler;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade"; proxy_set_header Connection "Upgrade";
@@ -379,13 +243,13 @@ http {
} }
# download, presentation and image upload # download, presentation and image upload
location ~ ^/lool { location ~ ^/(c|l)ool {
proxy_pass http://collabora-handler; proxy_pass http://collabora-handler;
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
} }
# Admin Console websocket # Admin Console websocket
location ^~ /lool/adminws { location ^~ /cool/adminws {
proxy_pass http://collabora-handler; proxy_pass http://collabora-handler;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade"; proxy_set_header Connection "Upgrade";
@@ -447,50 +311,6 @@ http {
} }
} }
upstream dashboard-handler {
server dashboard:5000;
}
server {
listen 443 ssl http2;
ssl_certificate /etc/nginx/certs/${DOMAIN}.crt;
ssl_certificate_key /etc/nginx/certs/${DOMAIN}.key;
gzip_types text/plain text/css application/json application/x-javascript
text/xml application/xml application/xml+rss text/javascript;
server_name command.${DOMAIN} ${DOMAIN};
location / {
proxy_pass http://dashboard-handler;
}
location /unauthorized {
return 301 https://$host/login;
}
}
upstream pinry-handler {
server pinry:80;
}
server {
listen 443 ssl http2;
ssl_certificate /etc/nginx/certs/${DOMAIN}.crt;
ssl_certificate_key /etc/nginx/certs/${DOMAIN}.key;
gzip_types text/plain text/css application/json application/x-javascript
text/xml application/xml application/xml+rss text/javascript;
server_name research.${DOMAIN};
location / {
proxy_pass http://pinry-handler;
}
}
upstream jitsi-handler { upstream jitsi-handler {
server jitsi:80; server jitsi:80;
} }
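Review bot: The catch-all `location ~ ^/(c|l)ool {` still accepts the legacy `/lool` prefix, but the websocket locations were narrowed to `/cool` only (`^/cool/(.*)/ws$` and `^~ /cool/adminws`), so a legacy `/lool/<doc>/ws` request now lands in the catch-all, which proxies without the `Upgrade`/`Connection` headers, and the upgrade silently fails. Unless a client still needs `/lool`, simplify to `location ~ ^/cool(/|$) {`; if it is needed, the ws and adminws locations must accept it too, with a comment `# /lool: legacy path prefix, remove once no client uses it`. The `(/|$)` bound also keeps unrelated paths such as `/cooler` from being proxied to Collabora. The `server` block these locations belong to starts and ends outside the hunk.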


@@ -1,48 +0,0 @@
import os
# Please don't change following settings unless you know what you are doing
STATIC_ROOT = '/data/static'
MEDIA_ROOT = os.path.join(STATIC_ROOT, 'media')
# SECURITY WARNING: keep the secret key used in production secret!
# Or just write your own secret-key here instead of using a env-variable
SECRET_KEY = "LUdDIZ6FcVn0Lvajb6IY4cwGvAaomVtP"
# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = False
TEMPLATE_DEBUG = DEBUG
# SECURITY WARNING: use your actual domain name in production!
ALLOWED_HOSTS = ['research.scarif.space', 'research.scarif.local']
# Database
# https://docs.djangoproject.com/en/1.10/ref/settings/#databases
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.sqlite3',
'NAME': '/data/production.db',
}
}
# Allow users to register by themselves
ALLOW_NEW_REGISTRATIONS = False
# Delete image files once you remove your pin
IMAGE_AUTO_DELETE = True
# thumbnail size control
IMAGE_SIZES = {
'thumbnail': {'size': [240, 0]},
'standard': {'size': [600, 0]},
'square': {'crop': True, 'size': [125, 125]},
}
# Whether people can view pins without login
PUBLIC = True
ENABLED_PLUGINS = [
'pinry_plugins.batteries.plugin_example.Plugin',
]

225
smb.conf Normal file

@@ -0,0 +1,225 @@
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# For a step to step guide on installing, configuring and using samba,
# read the Samba-HOWTO-Collection. This may be obtained from:
# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
#
# Many working examples of smb.conf files can be found in the
# Samba-Guide which is generated daily and can be downloaded from:
# http://www.samba.org/samba/docs/Samba-Guide.pdf
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]
# Allow server side copying with MacOS clients
fruit:copyfile = yes
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
workgroup = MYGROUP
# server string is the equivalent of the NT Description field
server string = Samba Server
# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller".
#
# Most people will want "standalone server" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
server role = standalone server
# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
hosts allow = 192.168.1. 192.168.2. 127.
# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
; guest account = pcguest
# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# Put a capping on the size of the log files (in Kb).
max log size = 500
# Specifies the Kerberos or Active Directory realm the host is part of
; realm = MY_REALM
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
; passdb backend = tdbsam
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting.
# Note: Consider carefully the location in the configuration file of
# this line. The included file is read at that point.
; include = /usr/local/samba/lib/smb.conf.%m
# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
; interfaces = 192.168.12.2/24 192.168.13.2/24
# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this servers netbios name, %U is username
# You must uncomment the [Profiles] share below
; logon path = \\%L\Profiles\%U
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
; wins support = yes
# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
; wins server = w.x.y.z
# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
; wins proxy = yes
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The default is NO.
dns proxy = no
# These scripts are used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
; add user script = /usr/sbin/useradd %u
; add group script = /usr/sbin/groupadd %g
; add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
; delete user script = /usr/sbin/userdel %u
; delete user from group script = /usr/sbin/deluser %u %g
; delete group script = /usr/sbin/groupdel %g
#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = no
writable = yes
# Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
; comment = Network Logon Service
; path = /usr/local/samba/lib/netlogon
; guest ok = yes
; writable = no
; share modes = no
# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;[Profiles]
; path = /usr/local/samba/profiles
; browseable = no
; guest ok = yes
# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
comment = All Printers
path = /usr/spool/samba
browseable = no
# Set public = yes to allow user 'guest account' to print
guest ok = no
writable = no
printable = yes
# This one is useful for people to share files
[tmp]
comment = Temporary file space
path = /tmp
read only = no
public = yes
# A publicly accessible directory, but read only, except for people in
# the "staff" group
#[public]
#comment = Public Stuff
#path = /mnt/tower/stardust/chris/files/public
#public = yes
#writable = no
#printable = no
#write list = @chris
# Other examples.
#
# A private printer, usable only by fred. Spool data will be placed in fred's
# home directory. Note that fred must have write access to the spool directory,
# wherever it is.
;[fredsprn]
; comment = Fred's Printer
; valid users = fred
; path = /homes/fred
; printer = freds_printer
; public = no
; writable = no
; printable = yes
# A private directory, usable only by fred. Note that fred requires write
# access to the directory.
[stardust]
comment = Stardust
path = /mnt/tower/stardust/chris/files
valid users = chris
public = no
writable = yes
printable = no
# a service which has a different directory for each machine that connects
# this allows you to tailor configurations to incoming machines. You could
# also use the %U option to tailor it by user name.
# The %m gets replaced with the machine name that is connecting.
;[pchome]
; comment = PC Directories
; path = /usr/pc/%m
; public = no
; writable = yes
# A publicly accessible directory, read/write to all users. Note that all files
# created in the directory by users will be owned by the default user, so
# any user with access can delete any other user's files. Obviously this
# directory must be writable by the default user. Another user could of course
# be specified, in which case all files would be owned by that user instead.
;[public]
; path = /usr/somewhere/else/public
; public = yes
; only guest = yes
; writable = yes
; printable = no
# The following two entries demonstrate how to share a directory so that two
# users can place files there that will be owned by the specific users. In this
# setup, the directory should be writable by both users and should have the
# sticky bit set on it to prevent abuse. Obviously this could be extended to
# as many users as required.
;[myshare]
; comment = Mary's and Fred's stuff
; path = /usr/somewhere/shared
; valid users = mary fred
; public = no
; writable = yes
; printable = no
; create mask = 0765