From 60d7407abb7ef1f5db57926e6883fc1722a7d1e4 Mon Sep 17 00:00:00 2001 
From: Mike Phares Date: Tue, 23 Jul 2024 17:35:22 -0700 Subject: [PATCH] resh install on Ubuntu Server with Docker at OS level then explore Podman Quadlet --- .gitignore | 6 +- etc/.pihole/.gitignore | 12 + etc/.pihole/advanced/pihole-admin.conf | 82 ++ etc/apt/sources.list | 43 +- etc/bash_history_2024-07-22.txt | 28 + etc/dhcpcd.conf | 4 + etc/dnsmasq.d/01-pihole.conf | 39 + etc/dnsmasq.d/06-rfc6761.conf | 42 + etc/group | 52 +- etc/group- | 50 +- etc/gshadow | 38 +- etc/gshadow- | 36 +- etc/hosts | 2 +- ....updated-options-ssl-nginx-conf-digest.txt | 1 + .../.updated-ssl-dhparams-pem-digest.txt | 1 + .../meta.json | 1 + .../private_key.json | 1 + .../regr.json | 1 + .../archive/phares3757.ddns.net/cert1.pem | 25 + .../archive/phares3757.ddns.net/chain1.pem | 26 + .../phares3757.ddns.net/fullchain1.pem | 51 ++ .../archive/phares3757.ddns.net/privkey1.pem | 5 + etc/letsencrypt/live/README | 14 + .../live/phares3757.ddns.net/README | 14 + etc/letsencrypt/options-ssl-nginx.conf | 14 + .../renewal/phares3757.ddns.net.conf | 15 + etc/letsencrypt/ssl-dhparams.pem | 8 + etc/lighttpd/lighttpd.conf | 61 ++ .../dashkiosk.beelink.server.conf | 32 - .../sites-available/dashkiosk.ddns.net.conf | 32 - etc/nginx/sites-available/default | 399 +-------- .../filebrowser.beelink.server.conf | 32 - .../sites-available/filebrowser.ddns.net.conf | 32 - .../gogs3757.beelink.server.conf | 32 - .../sites-available/gogs3757.ddns.net.conf | 32 - .../immich3757.beelink.server.conf | 32 - .../sites-available/immich3757.ddns.net.conf | 32 - .../music3757.beelink.server.conf | 32 - .../sites-available/music3757.ddns.net.conf | 32 - .../nextcloud3757.beelink.server.conf | 32 - .../nextcloud3757.ddns.net.conf | 32 - .../phares3757.beelink.server.conf | 32 - .../sites-available/phares3757.ddns.net.conf | 32 - .../photoprism.beelink.server.conf | 32 - .../sites-available/photoprism.ddns.net.conf | 32 - .../pi-hole.beelink.server.conf | 32 - .../sites-available/pi-hole.ddns.net.conf | 32 - 
.../syncthing3757.beelink.server.conf | 32 - .../syncthing3757.ddns.net.conf | 32 - etc/passwd | 27 +- etc/passwd- | 25 +- etc/pihole/dhcp.leases | 0 etc/pihole/setupVars.conf | 14 + etc/shadow | 71 +- etc/shadow- | 69 +- etc/sysctl.conf | 6 +- etc/systemd/resolved.conf | 11 +- etc/systemd/system/gogs-daemon.service | 30 - etc/systemd/system/snap.certbot.renew.service | 16 + etc/systemd/system/snap.certbot.renew.timer | 14 + .../snap.immich-distribution.acme.service | 17 - .../snap.immich-distribution.acme.timer | 14 - .../snap.immich-distribution.haproxy.service | 19 - ...stribution.immich-machine-learning.service | 19 - ...-distribution.immich-microservices.service | 20 - ....immich-distribution.immich-server.service | 20 - .../snap.immich-distribution.manager.service | 20 - .../snap.immich-distribution.postgres.service | 20 - ...p.immich-distribution.redis-server.service | 20 - ...p.immich-distribution.sync-service.service | 20 - .../system/snap.ubuntu-frame.daemon.service | 6 +- etc/unbound/unbound.conf | 10 + etc/unbound/unbound.conf.d/pi-hole.conf | 66 ++ opt/copy/gitea/.env | 9 + opt/copy/gitea/compose.yaml | 37 + opt/copy/immich/.env | 22 + opt/copy/immich/compose.yaml | 93 +++ opt/copy/kestra/compose.yaml | 65 ++ opt/copy/lxconsole/compose.yaml | 15 + opt/copy/wekan/compose.yaml | 780 ++++++++++++++++++ 80 files changed, 1846 insertions(+), 1440 deletions(-) create mode 100644 etc/.pihole/.gitignore create mode 100644 etc/.pihole/advanced/pihole-admin.conf create mode 100644 etc/bash_history_2024-07-22.txt create mode 100644 etc/dnsmasq.d/01-pihole.conf create mode 100644 etc/dnsmasq.d/06-rfc6761.conf create mode 100644 etc/letsencrypt/.updated-options-ssl-nginx-conf-digest.txt create mode 100644 etc/letsencrypt/.updated-ssl-dhparams-pem-digest.txt create mode 100644 etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/805d2f39f581c9a2a417db3d91bfc764/meta.json create mode 100644 
etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/805d2f39f581c9a2a417db3d91bfc764/private_key.json create mode 100644 etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/805d2f39f581c9a2a417db3d91bfc764/regr.json create mode 100644 etc/letsencrypt/archive/phares3757.ddns.net/cert1.pem create mode 100644 etc/letsencrypt/archive/phares3757.ddns.net/chain1.pem create mode 100644 etc/letsencrypt/archive/phares3757.ddns.net/fullchain1.pem create mode 100644 etc/letsencrypt/archive/phares3757.ddns.net/privkey1.pem create mode 100644 etc/letsencrypt/live/README create mode 100644 etc/letsencrypt/live/phares3757.ddns.net/README create mode 100644 etc/letsencrypt/options-ssl-nginx.conf create mode 100644 etc/letsencrypt/renewal/phares3757.ddns.net.conf create mode 100644 etc/letsencrypt/ssl-dhparams.pem create mode 100644 etc/lighttpd/lighttpd.conf delete mode 100644 etc/nginx/sites-available/dashkiosk.beelink.server.conf delete mode 100644 etc/nginx/sites-available/dashkiosk.ddns.net.conf delete mode 100644 etc/nginx/sites-available/filebrowser.beelink.server.conf delete mode 100644 etc/nginx/sites-available/filebrowser.ddns.net.conf delete mode 100644 etc/nginx/sites-available/gogs3757.beelink.server.conf delete mode 100644 etc/nginx/sites-available/gogs3757.ddns.net.conf delete mode 100644 etc/nginx/sites-available/immich3757.beelink.server.conf delete mode 100644 etc/nginx/sites-available/immich3757.ddns.net.conf delete mode 100644 etc/nginx/sites-available/music3757.beelink.server.conf delete mode 100644 etc/nginx/sites-available/music3757.ddns.net.conf delete mode 100644 etc/nginx/sites-available/nextcloud3757.beelink.server.conf delete mode 100644 etc/nginx/sites-available/nextcloud3757.ddns.net.conf delete mode 100644 etc/nginx/sites-available/phares3757.beelink.server.conf delete mode 100644 etc/nginx/sites-available/phares3757.ddns.net.conf delete mode 100644 etc/nginx/sites-available/photoprism.beelink.server.conf delete mode 100644 
etc/nginx/sites-available/photoprism.ddns.net.conf delete mode 100644 etc/nginx/sites-available/pi-hole.beelink.server.conf delete mode 100644 etc/nginx/sites-available/pi-hole.ddns.net.conf delete mode 100644 etc/nginx/sites-available/syncthing3757.beelink.server.conf delete mode 100644 etc/nginx/sites-available/syncthing3757.ddns.net.conf create mode 100644 etc/pihole/dhcp.leases create mode 100644 etc/pihole/setupVars.conf delete mode 100644 etc/systemd/system/gogs-daemon.service create mode 100644 etc/systemd/system/snap.certbot.renew.service create mode 100644 etc/systemd/system/snap.certbot.renew.timer delete mode 100644 etc/systemd/system/snap.immich-distribution.acme.service delete mode 100644 etc/systemd/system/snap.immich-distribution.acme.timer delete mode 100644 etc/systemd/system/snap.immich-distribution.haproxy.service delete mode 100644 etc/systemd/system/snap.immich-distribution.immich-machine-learning.service delete mode 100644 etc/systemd/system/snap.immich-distribution.immich-microservices.service delete mode 100644 etc/systemd/system/snap.immich-distribution.immich-server.service delete mode 100644 etc/systemd/system/snap.immich-distribution.manager.service delete mode 100644 etc/systemd/system/snap.immich-distribution.postgres.service delete mode 100644 etc/systemd/system/snap.immich-distribution.redis-server.service delete mode 100644 etc/systemd/system/snap.immich-distribution.sync-service.service create mode 100644 etc/unbound/unbound.conf create mode 100644 etc/unbound/unbound.conf.d/pi-hole.conf create mode 100644 opt/copy/gitea/.env create mode 100644 opt/copy/gitea/compose.yaml create mode 100644 opt/copy/immich/.env create mode 100644 opt/copy/immich/compose.yaml create mode 100644 opt/copy/kestra/compose.yaml create mode 100644 opt/copy/lxconsole/compose.yaml create mode 100644 opt/copy/wekan/compose.yaml diff --git a/.gitignore b/.gitignore index 3b20535..cc5ec05 100644 --- a/.gitignore +++ b/.gitignore 
@@ -34,9 +34,9 @@
 !etc/unbound/unbound.conf
 !etc/unbound/unbound.conf.d/pi-hole.conf
+!etc/cups/*
 !etc/dnsmasq.d/*
 !etc/fstab/*
-!etc/letsencrypt/*
 !etc/netplan/*
 !etc/nginx/sites-available/*
 !etc/mysql/mariadb.conf.d/*
@@ -44,6 +44,10 @@
 !etc/postgresql/* !etc/wsl/* +!etc/letsencrypt/**/* + +!opt/copy/**/* + # !home/gogs/gogs/custom/conf/app.ini # !home/syncthing/.config/syncthing/config.xml # !usr/local/etc/gogs/conf/app.ini
diff --git a/etc/.pihole/.gitignore b/etc/.pihole/.gitignore
new file mode 100644
index 0000000..8016472
--- /dev/null
+++ b/etc/.pihole/.gitignore
@@ -0,0 +1,12 @@
+.DS_Store
+*.pyc
+*.swp
+__pycache__
+.cache
+.pytest_cache
+.tox
+.eggs
+*.egg-info
+.idea/
+*.iml
+.vscode/
diff --git a/etc/.pihole/advanced/pihole-admin.conf b/etc/.pihole/advanced/pihole-admin.conf
new file mode 100644
index 0000000..0bb6eac
--- /dev/null
+++ b/etc/.pihole/advanced/pihole-admin.conf
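Review bot: `+!etc/letsencrypt/**/*` in the second .gitignore hunk re-includes the entire certbot tree, and later in this same patch that brings `etc/letsencrypt/accounts/.../private_key.json` (the ACME account private key) and `etc/letsencrypt/archive/phares3757.ddns.net/privkey1.pem` (the TLS private key) under version control; `+!opt/copy/**/*` likewise tracks the `opt/copy/gitea/.env` and `opt/copy/immich/.env` files in the diffstat, which by convention hold credentials. Keep the public material (renewal conf, `cert`/`chain`/`fullchain`) but add excludes after the negations: `etc/letsencrypt/accounts/`, `etc/letsencrypt/archive/**/privkey*.pem`, `opt/copy/**/.env`. Once the keys have been in a commit they should be treated as disclosed and rotated regardless of what the ignore rules do afterwards.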
@@ -0,0 +1,82 @@
+# Pi-hole: A black hole for Internet advertisements
+# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
+# Network-wide ad blocking via your own hardware.
+#
+# Lighttpd config for Pi-hole
+#
+# This file is copyright under the latest version of the EUPL.
+# Please see LICENSE file for your rights under this license.
+
+###############################################################################
+# FILE AUTOMATICALLY OVERWRITTEN BY PI-HOLE INSTALL/UPDATE PROCEDURE. #
+# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
+###############################################################################
+
+server.errorlog := "/var/log/lighttpd/error-pihole.log"
+
+$HTTP["url"] =~ "^/admin/" {
+ server.document-root = "/var/www/html"
+ server.stream-response-body = 1
+ accesslog.filename = "/var/log/lighttpd/access-pihole.log"
+ accesslog.format = "%{%s}t|%h|%V|%r|%s|%b"
+
+ fastcgi.server = (
+ ".php" => (
+ "localhost" => (
+ "socket" => "/run/lighttpd/pihole-php-fastcgi.socket",
+ "bin-path" => "/usr/bin/php-cgi",
+ "min-procs" => 1,
+ "max-procs" => 1,
+ "bin-environment" => (
+ "PHP_FCGI_CHILDREN" => "4",
+ "PHP_FCGI_MAX_REQUESTS" => "10000",
+ ),
+ "bin-copy-environment" => (
+ "PATH", "SHELL", "USER"
+ ),
+ "broken-scriptfilename" => "enable",
+ )
+ )
+ )
+
+ # X-Pi-hole is a response header for debugging using curl -I
+ # X-Frame-Options prevents clickjacking attacks and helps ensure your content is not embedded into other sites via < frame >, < iframe > or < object >.
+ # X-XSS-Protection sets the configuration for the cross-site scripting filters built into most browsers. This is important because it tells the browser to block the response if a malicious script has been inserted from a user input. (deprecated; disabled)
+ # X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. This is important because the browser will only load external resources if their content-type matches what is expected, and not malicious hidden code.
+ # Content-Security-Policy tells the browser where resources are allowed to be loaded and if it’s allowed to parse/run inline styles or Javascript. This is important because it prevents content injection attacks, such as Cross Site Scripting (XSS).
+ # X-Permitted-Cross-Domain-Policies is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains.
+ # Referrer-Policy allows control/restriction of the amount of information present in the referral header for links away from your page—the URL path or even if the header is sent at all.
+ setenv.add-response-header = (
+ "X-Pi-hole" => "The Pi-hole Web interface is working!",
+ "X-Frame-Options" => "DENY",
+ "X-XSS-Protection" => "0",
+ "X-Content-Type-Options" => "nosniff",
+ "Content-Security-Policy" => "default-src 'self' 'unsafe-inline';",
+ "X-Permitted-Cross-Domain-Policies" => "none",
+ "Referrer-Policy" => "same-origin"
+ )
+
+ # Block . files from being served, such as .git, .github, .gitignore
+ $HTTP["url"] =~ "^/admin/\." {
+ url.access-deny = ("")
+ }
+
+ # allow teleporter and API qr code iframe on settings page
+ $HTTP["url"] =~ "/(teleporter|api_token)\.php$" {
+ $HTTP["referer"] =~ "/admin/settings\.php" {
+ setenv.set-response-header = ( "X-Frame-Options" => "SAMEORIGIN" )
+ }
+ }
+}
+else $HTTP["url"] == "/admin" {
+ url.redirect = ("" => "/admin/")
+}
+
+$HTTP["host"] == "pi.hole" {
+ $HTTP["url"] == "/" {
+ url.redirect = ("" => "/admin/")
+ }
+}
+
+# (keep this on one line for basic-install.sh filtering during install)
+server.modules += ( "mod_access", "mod_accesslog", "mod_redirect", "mod_fastcgi", "mod_setenv" )
diff --git a/etc/apt/sources.list b/etc/apt/sources.list
index de7b3cf..eb39b94 100644
--- a/etc/apt/sources.list
+++ b/etc/apt/sources.list 
@@ -1,42 +1 @@
-# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
-# newer versions of the distribution.
-deb http://us.archive.ubuntu.com/ubuntu/ mantic main restricted
-# deb-src http://us.archive.ubuntu.com/ubuntu/ mantic main restricted
-
-## Major bug fix updates produced after the final release of the
-## distribution.
-deb http://us.archive.ubuntu.com/ubuntu/ mantic-updates main restricted
-# deb-src http://us.archive.ubuntu.com/ubuntu/ mantic-updates main restricted
-
-## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
-## team. Also, please note that software in universe WILL NOT receive any
-## review or updates from the Ubuntu security team.
-deb http://us.archive.ubuntu.com/ubuntu/ mantic universe
-# deb-src http://us.archive.ubuntu.com/ubuntu/ mantic universe
-deb http://us.archive.ubuntu.com/ubuntu/ mantic-updates universe
-# deb-src http://us.archive.ubuntu.com/ubuntu/ mantic-updates universe
-
-## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
-## team, and may not be under a free licence. Please satisfy yourself as to
-## your rights to use the software. Also, please note that software in
-## multiverse WILL NOT receive any review or updates from the Ubuntu
-## security team.
-deb http://us.archive.ubuntu.com/ubuntu/ mantic multiverse
-# deb-src http://us.archive.ubuntu.com/ubuntu/ mantic multiverse
-deb http://us.archive.ubuntu.com/ubuntu/ mantic-updates multiverse
-# deb-src http://us.archive.ubuntu.com/ubuntu/ mantic-updates multiverse
-
-## N.B. software from this repository may not have been tested as
-## extensively as that contained in the main release, although it includes
-## newer versions of some applications which may provide useful features.
-## Also, please note that software in backports WILL NOT receive any review
-## or updates from the Ubuntu security team.
-deb http://us.archive.ubuntu.com/ubuntu/ mantic-backports main restricted universe multiverse
-# deb-src http://us.archive.ubuntu.com/ubuntu/ mantic-backports main restricted universe multiverse
-
-deb http://security.ubuntu.com/ubuntu/ mantic-security main restricted
-# deb-src http://security.ubuntu.com/ubuntu/ mantic-security main restricted
-deb http://security.ubuntu.com/ubuntu/ mantic-security universe
-# deb-src http://security.ubuntu.com/ubuntu/ mantic-security universe
-deb http://security.ubuntu.com/ubuntu/ mantic-security multiverse
-# deb-src http://security.ubuntu.com/ubuntu/ mantic-security multiverse
+# Ubuntu sources have moved to /etc/apt/sources.list.d/ubuntu.sources
diff --git a/etc/bash_history_2024-07-22.txt b/etc/bash_history_2024-07-22.txt
new file mode 100644
index 0000000..b410263
--- /dev/null
+++ b/etc/bash_history_2024-07-22.txt
@@ -0,0 +1,28 @@
+apt-get update
+apt upgrade -y
+apt install snapd -y
+apt install sudo links unzip nginx git nano ncdu -y
+snap install dashkiosk
+snap install ubuntu-frame wpe-webkit-mir-kiosk
+snap set wpe-webkit-mir-kiosk daemon=true
+snap set wpe-webkit-mir-kiosk url=http://localhost:9400/receiver
+exit
+wpe-webkit-mir-kiosk.cog http://localhost:9400/receiver
+/snap/wpe-webkit-mir-kiosk/current/bin/setup.sh
+wpe-webkit-mir-kiosk.cog http://localhost:9400/receiver
+snap set ubuntu-frame daemon=true
+exit
+reboot
+cat /root/.ssh/authorized_keys
+nano /root/.ssh/authorized_keys
+adduser lphares
+mkdir /home/lphares/.ssh
+cp /root/.ssh/authorized_keys /home/lphares/.ssh/authorized_keys
+chown lphares:lphares -R /home/lphares
+adduser bmiller
+mkdir /home/bmiller/.ssh
+cp /root/.ssh/authorized_keys /home/bmiller/.ssh/authorized_keys
+chown bmiller:bmiller -R /home/bmiller
+ln -s /var/log/nginx /var/www/html/log-nginx
+ls -la /var/www/html
+exit
diff --git a/etc/dhcpcd.conf b/etc/dhcpcd.conf
index 916e82d..815b0ef 100644
--- a/etc/dhcpcd.conf
+++ b/etc/dhcpcd.conf
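Review bot: `ln -s /var/log/nginx /var/www/html/log-nginx` near the end of the recorded history publishes the nginx access and error logs (client addresses, requested paths) under the default web root for as long as nginx serves `/var/www/html`; if the intent was local inspection, the symlink should be removed or the path put behind the same authentication as the rest of the site. The `.ssh` directories created for `lphares` and `bmiller` get their owner fixed by `chown -R` but keep whatever mode the umask produced, so `mkdir -m 700 /home/lphares/.ssh` and `chmod 600 /home/lphares/.ssh/authorized_keys` (and the same for bmiller) would make the key setup independent of the umask. Since this file is a captured history rather than a script that will re-run, the fix belongs on the live host; a comment at the top of the file saying which of these steps are intentional would stop the next rebuild from repeating the symlink.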
@@ -46,3 +46,7 @@ require dhcp_server_identifier
 #slaac hwaddr
 # OR generate Stable Private IPv6 Addresses based from the DUID
 slaac private
+interface enp2s0
+ static ip_address=192.168.11.2/25
+ static routers=192.168.11.1
+ static domain_name_servers=
diff --git a/etc/dnsmasq.d/01-pihole.conf b/etc/dnsmasq.d/01-pihole.conf
new file mode 100644
index 0000000..fdd5aaa
--- /dev/null
+++ b/etc/dnsmasq.d/01-pihole.conf
@@ -0,0 +1,39 @@
+# Pi-hole: A black hole for Internet advertisements
+# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
+# Network-wide ad blocking via your own hardware.
+#
+# Dnsmasq config for Pi-hole's FTLDNS
+#
+# This file is copyright under the latest version of the EUPL.
+# Please see LICENSE file for your rights under this license.
+
+###############################################################################
+# FILE AUTOMATICALLY POPULATED BY PI-HOLE INSTALL/UPDATE PROCEDURE. #
+# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
+# #
+# IF YOU WISH TO CHANGE THE UPSTREAM SERVERS, CHANGE THEM IN: #
+# /etc/pihole/setupVars.conf #
+# #
+# ANY OTHER CHANGES SHOULD BE MADE IN A SEPARATE CONFIG FILE #
+# WITHIN /etc/dnsmasq.d/yourname.conf #
+###############################################################################
+
+addn-hosts=/etc/pihole/local.list
+addn-hosts=/etc/pihole/custom.list
+
+
+localise-queries
+
+
+no-resolv
+
+log-queries
+log-facility=/var/log/pihole/pihole.log
+
+log-async
+cache-size=10000
+server=127.0.0.1#5335
+domain-needed
+expand-hosts
+bogus-priv
+local-service
diff --git a/etc/dnsmasq.d/06-rfc6761.conf b/etc/dnsmasq.d/06-rfc6761.conf
new file mode 100644
index 0000000..fcdd001
--- /dev/null
+++ b/etc/dnsmasq.d/06-rfc6761.conf
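Review bot: `+ static domain_name_servers=` in the dhcpcd.conf hunk is left without a value, so the new `interface enp2s0` stanza fixes the address and gateway but does not say which resolver the host itself should use. With Pi-hole's FTL on this box (the 01-pihole.conf hunk in this same patch forwards to `127.0.0.1#5335`), the intended value is presumably `static domain_name_servers=127.0.0.1`, which also keeps the server's own lookups inside the filtered path — confirm rather than leave it blank. It is also worth confirming whether dhcpcd is active on this Ubuntu Server install at all, since `etc/netplan/*` is tracked by the .gitignore and `etc/systemd/resolved.conf` changes in the diffstat; a static block in an unused dhcpcd.conf is a misleading record of how the host is actually addressed.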
@@ -0,0 +1,42 @@
+# Pi-hole: A black hole for Internet advertisements
+# (c) 2021 Pi-hole, LLC (https://pi-hole.net)
+# Network-wide ad blocking via your own hardware.
+#
+# RFC 6761 config file for Pi-hole
+#
+# This file is copyright under the latest version of the EUPL.
+# Please see LICENSE file for your rights under this license.
+
+###############################################################################
+# FILE AUTOMATICALLY POPULATED BY PI-HOLE INSTALL/UPDATE PROCEDURE. #
+# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
+# #
+# CHANGES SHOULD BE MADE IN A SEPARATE CONFIG FILE #
+# WITHIN /etc/dnsmasq.d/yourname.conf #
+###############################################################################
+
+# RFC 6761: Caching DNS servers SHOULD recognize
+# test, localhost, invalid
+# names as special and SHOULD NOT attempt to look up NS records for them, or
+# otherwise query authoritative DNS servers in an attempt to resolve these
+# names.
+server=/test/
+server=/localhost/
+server=/invalid/
+
+# The same RFC requests something similar for
+# 10.in-addr.arpa. 21.172.in-addr.arpa. 27.172.in-addr.arpa.
+# 16.172.in-addr.arpa. 22.172.in-addr.arpa. 28.172.in-addr.arpa.
+# 17.172.in-addr.arpa. 23.172.in-addr.arpa. 29.172.in-addr.arpa.
+# 18.172.in-addr.arpa. 24.172.in-addr.arpa. 30.172.in-addr.arpa.
+# 19.172.in-addr.arpa. 25.172.in-addr.arpa. 31.172.in-addr.arpa.
+# 20.172.in-addr.arpa. 26.172.in-addr.arpa. 168.192.in-addr.arpa.
+# Pi-hole implements this via the dnsmasq option "bogus-priv" (see
+# 01-pihole.conf) because this also covers IPv6.
+
+# OpenWRT furthermore blocks bind, local, onion domains
+# see https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob_plain;f=package/network/services/dnsmasq/files/rfc6761.conf;hb=HEAD
+# and https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml
+# We do not include the ".local" rule ourselves, see https://github.com/pi-hole/pi-hole/pull/4282#discussion_r689112972
+server=/bind/
+server=/onion/
diff --git a/etc/group b/etc/group
index b129e67..48e96fb 100644
--- a/etc/group
+++ b/etc/group
@@ -2,7 +2,7 @@ root:x:0:
 daemon:x:1:
 bin:x:2:
 sys:x:3:
-adm:x:4:mike
+adm:x:4:syslog,phares
 tty:x:5:
 disk:x:6:
 lp:x:7:
@@ -15,12 +15,12 @@ kmem:x:15:
 dialout:x:20:
 fax:x:21:
 voice:x:22:
-cdrom:x:24:mike
+cdrom:x:24:phares
 floppy:x:25:
 tape:x:26:
-sudo:x:27:mike
+sudo:x:27:phares
 audio:x:29:
-dip:x:30:mike
+dip:x:30:phares
 www-data:x:33:
 backup:x:34:
 operator:x:37:
@@ -31,27 +31,35 @@ shadow:x:42:
 utmp:x:43:
 video:x:44:
 sasl:x:45:
-plugdev:x:46:mike
+plugdev:x:46:phares
 staff:x:50:
 games:x:60:
-users:x:100:lphares,bmiller,gogs
+users:x:100:lphares,bmiller
 nogroup:x:65534:
 systemd-journal:x:999:
 systemd-network:x:998:
 systemd-timesync:x:997:
-input:x:101:
-sgx:x:102:
-kvm:x:103:
-render:x:104:
-lxd:x:105:mike
-messagebus:x:106:
-systemd-resolve:x:996:
-_ssh:x:107:
-polkitd:x:995:
-netdev:x:108:
-mike:x:1000:
-lphares:x:1002:bmiller
-bmiller:x:1003:
-gogs:x:1004:
-snapd-range-524288-root:x:524288:
-snap_daemon:x:584788:
+input:x:996:
+sgx:x:995:
+kvm:x:994:
+render:x:993:
+lxd:x:101:phares
+messagebus:x:102:
+systemd-resolve:x:992:
+_ssh:x:103:
+polkitd:x:991:
+crontab:x:990:
+syslog:x:104:
+uuidd:x:105:
+rdma:x:106:
+tcpdump:x:107:
+tss:x:108:
+landscape:x:109:
+fwupd-refresh:x:989:
+netdev:x:110:
+phares:x:1000:
+lphares:x:1001:bmiller
+bmiller:x:1002:
+pihole:x:1003:www-data
+unbound:x:111:
+docker:x:988:
diff --git a/etc/group- b/etc/group-
index 65af17b..1d11428 100644
--- a/etc/group-
+++ b/etc/group-
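Review bot: `+lxd:x:101:phares` in the third etc/group hunk puts the admin account in the `lxd` group, whose socket access the LXD documentation says should only be given to users you would trust with root on the host; `phares` is already in `sudo`, so the membership adds an unaudited root-equivalent path without adding capability, and the same grant is repeated in the `etc/group-`, `etc/gshadow` and `etc/gshadow-` hunks that follow. Drop `phares` from `lxd` unless LXD is actually driven from that account (the `docker` group added here is, by contrast, left empty, which is the better pattern). Separately, the diffstat shows `etc/shadow` and `etc/shadow-` are tracked and modified alongside these group files; their hunks are outside this view, but committing `/etc/shadow` puts password hashes into the repository, so those two files should be excluded and the affected passwords changed.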
@@ -2,7 +2,7 @@ root:x:0:
 daemon:x:1:
 bin:x:2:
 sys:x:3:
-adm:x:4:mike
+adm:x:4:syslog,phares
 tty:x:5:
 disk:x:6:
 lp:x:7:
@@ -15,12 +15,12 @@ kmem:x:15:
 dialout:x:20:
 fax:x:21:
 voice:x:22:
-cdrom:x:24:mike
+cdrom:x:24:phares
 floppy:x:25:
 tape:x:26:
-sudo:x:27:mike
+sudo:x:27:phares
 audio:x:29:
-dip:x:30:mike
+dip:x:30:phares
 www-data:x:33:
 backup:x:34:
 operator:x:37:
@@ -31,26 +31,34 @@ shadow:x:42:
 utmp:x:43:
 video:x:44:
 sasl:x:45:
-plugdev:x:46:mike
+plugdev:x:46:phares
 staff:x:50:
 games:x:60:
-users:x:100:lphares,bmiller,gogs
+users:x:100:lphares,bmiller
 nogroup:x:65534:
 systemd-journal:x:999:
 systemd-network:x:998:
 systemd-timesync:x:997:
-input:x:101:
-sgx:x:102:
-kvm:x:103:
-render:x:104:
-lxd:x:105:mike
-messagebus:x:106:
-systemd-resolve:x:996:
-_ssh:x:107:
-polkitd:x:995:
-netdev:x:108:
-mike:x:1000:
-lphares:x:1002:bmiller
-bmiller:x:1003:
-gogs:x:1004:
-snapd-range-524288-root:x:524288:
+input:x:996:
+sgx:x:995:
+kvm:x:994:
+render:x:993:
+lxd:x:101:phares
+messagebus:x:102:
+systemd-resolve:x:992:
+_ssh:x:103:
+polkitd:x:991:
+crontab:x:990:
+syslog:x:104:
+uuidd:x:105:
+rdma:x:106:
+tcpdump:x:107:
+tss:x:108:
+landscape:x:109:
+fwupd-refresh:x:989:
+netdev:x:110:
+phares:x:1000:
+lphares:x:1001:bmiller
+bmiller:x:1002:
+pihole:x:1003:www-data
+unbound:x:111:
diff --git a/etc/gshadow b/etc/gshadow
index 97f9295..5241d9a 100644
--- a/etc/gshadow
+++ b/etc/gshadow
@@ -2,7 +2,7 @@ root:*::
 daemon:*::
 bin:*::
 sys:*::
-adm:*::mike
+adm:*::syslog,phares
 tty:*::
 disk:*::
 lp:*::
@@ -15,12 +15,12 @@ kmem:*::
 dialout:*::
 fax:*::
 voice:*::
-cdrom:*::mike
+cdrom:*::phares
 floppy:*::
 tape:*::
-sudo:*::mike
+sudo:*::phares
 audio:*::
-dip:*::mike
+dip:*::phares
 www-data:*::
 backup:*::
 operator:*::
@@ -31,27 +31,35 @@ shadow:*::
 utmp:*::
 video:*::
 sasl:*::
-plugdev:*::mike
+plugdev:*::phares
 staff:*::
 games:*::
-users:*::lphares,bmiller,gogs
+users:*::lphares,bmiller
 nogroup:*::
 systemd-journal:!*::
 systemd-network:!*::
 systemd-timesync:!*::
-input:!::
-sgx:!::
-kvm:!::
-render:!::
-lxd:!::mike
+input:!*::
+sgx:!*::
+kvm:!*::
+render:!*::
+lxd:!::phares
 messagebus:!::
 systemd-resolve:!*::
 _ssh:!::
 polkitd:!*::
+crontab:!*::
+syslog:!::
+uuidd:!::
+rdma:!::
+tcpdump:!::
+tss:!::
+landscape:!::
+fwupd-refresh:!*::
 netdev:!::
-mike:!::
+phares:!::
 lphares:!::bmiller
 bmiller:!::
-gogs:!::
-snapd-range-524288-root:!::
-snap_daemon:!::
+pihole:!::www-data
+unbound:!::
+docker:!::
diff --git a/etc/gshadow- b/etc/gshadow-
index d96c850..8783622 100644
--- a/etc/gshadow-
+++ b/etc/gshadow-
@@ -2,7 +2,7 @@ root:*::
 daemon:*::
 bin:*::
 sys:*::
-adm:*::mike
+adm:*::syslog,phares
 tty:*::
 disk:*::
 lp:*::
@@ -15,12 +15,12 @@ kmem:*::
 dialout:*::
 fax:*::
 voice:*::
-cdrom:*::mike
+cdrom:*::phares
 floppy:*::
 tape:*::
-sudo:*::mike
+sudo:*::phares
 audio:*::
-dip:*::mike
+dip:*::phares
 www-data:*::
 backup:*::
 operator:*::
@@ -31,26 +31,34 @@ shadow:*::
 utmp:*::
 video:*::
 sasl:*::
-plugdev:*::mike
+plugdev:*::phares
 staff:*::
 games:*::
-users:*::lphares,bmiller,gogs
+users:*::lphares,bmiller
 nogroup:*::
 systemd-journal:!*::
 systemd-network:!*::
 systemd-timesync:!*::
-input:!::
-sgx:!::
-kvm:!::
-render:!::
-lxd:!::mike
+input:!*::
+sgx:!*::
+kvm:!*::
+render:!*::
+lxd:!::phares
 messagebus:!::
 systemd-resolve:!*::
 _ssh:!::
 polkitd:!*::
+crontab:!*::
+syslog:!::
+uuidd:!::
+rdma:!::
+tcpdump:!::
+tss:!::
+landscape:!::
+fwupd-refresh:!*::
 netdev:!::
-mike:!::
+phares:!::
 lphares:!::bmiller
 bmiller:!::
-gogs:!::
-snapd-range-524288-root:!::
+pihole:!::www-data
+unbound:!::
diff --git a/etc/hosts b/etc/hosts
index c7ba52d..486975f 100644
--- a/etc/hosts
+++ b/etc/hosts
@@ -1,5 +1,5 @@
 127.0.0.1 localhost
-127.0.1.1 server
+127.0.1.1 beelink
 
 # The following lines are desirable for IPv6 capable hosts
 ::1 ip6-localhost ip6-loopback
diff --git a/etc/letsencrypt/.updated-options-ssl-nginx-conf-digest.txt b/etc/letsencrypt/.updated-options-ssl-nginx-conf-digest.txt
new file mode 100644
index 0000000..132bbd8
--- /dev/null
+++ b/etc/letsencrypt/.updated-options-ssl-nginx-conf-digest.txt
@@ -0,0 +1 @@
+5e21cc66989f26ec46116d979421e538131cf8ab33ffff3f682fbfe491b0ace8
\ No newline at end of file
diff --git a/etc/letsencrypt/.updated-ssl-dhparams-pem-digest.txt b/etc/letsencrypt/.updated-ssl-dhparams-pem-digest.txt
new file mode 100644
index 0000000..42a8ee2
--- /dev/null
+++ b/etc/letsencrypt/.updated-ssl-dhparams-pem-digest.txt
@@ -0,0 +1 @@
+9ba6429597aeed2d8617a7705b56e96d044f64b07971659382e426675105654b
\ No newline at end of file
diff --git a/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/805d2f39f581c9a2a417db3d91bfc764/meta.json b/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/805d2f39f581c9a2a417db3d91bfc764/meta.json
new file mode 100644
index 0000000..0a4695b
--- /dev/null
+++ b/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/805d2f39f581c9a2a417db3d91bfc764/meta.json
@@ -0,0 +1 @@
+{"creation_dt": "2024-07-23T03:12:26Z", "creation_host": "beelink"}
\ No newline at end of file
diff --git a/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/805d2f39f581c9a2a417db3d91bfc764/private_key.json b/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/805d2f39f581c9a2a417db3d91bfc764/private_key.json
new file mode 100644
index 0000000..e47e956
--- /dev/null
+++ b/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/805d2f39f581c9a2a417db3d91bfc764/private_key.json
@@ -0,0 +1 @@ +{"n": "tAPgSFbPGk0aKdR6Pk3_0WtZ_YpjzRewuttzTYHV8m8adMKO771G-NMB_zSoYoWmia9s1tj1KCF3P6bnVQzDE3ZbBLfeIFT9GaGCczgDpMEWs6rkWfLWGW93IQoqEJi0f2ati7UpaO22NcnhFAkDmIAyLmaYxv_cTAgeGurv690379v_I38b0rxfw8woGlpfYzvyY_UiEbeK4sMT_TnZdq6ZYgcu770d_ZgYlhstK_jKnumH9G2zaxs3kgRKSoyd8LT4VmLHTIoVT8eEFT1abz0bFo2uPWOaxHtQjI2S8qLEQI9Tg15oy86SPDYDGpY6HfgshasA3Pm9-IUV0tgTUQ", "e": "AQAB", "d": "BzTTX9aNPMMFHvfaJF3OI3kPIQyF7fxaqGcsT3y4-ATcCGn9e7oD58HXSnsj4xgVvjhxc2fODBHwnN-SCcTdvA0B5TUsRWSBmVilbYjM8kEUlNxso4JTldVe7aU-qiKQjPLPwb3euF56oroJMn8hT5O1pWviT0GsUG5P51usEbDu81t_ZZcn-I21Xe9jQ0mXgNsS1c18cX6AlDMhAlm7aw6gUJdrnScbsWp0sDXQiOzLEvwm1ahjUioEtiQiHH1Jsa2mYcuGhrWyrx-Xlt0TzfslocDbHbgCFKPG6XLVBoBbWb4Hm3LBA7naiuEY_Dmi-wQUtHiJELwSu4opkNRxTQ", "p": "23HhNDzEaiDI2Gg2-qxkOBEwCDT9b1If_vGSwZRzPLJBijy5ypXDdtQifCgLEeNJm0CJSa9SZcZjyDZH7_JLFO8bWl1pjf095SwJBK3Sc9uavr8jl-OzAbX_fHOL1ZHhvI4vsBQhc6dsushPFCFEcvaokTuxf8QZUEP0DLsNWh8", "q": "0gCJICISX_tcQ7AmbBsJDFTnU2IqAo3nG0UXcoHSlMXJqkkjjaPo7TZ-CMlt8dbSZX1ekvw8nvRq7tHuNDqflNgfyxt0gHnjkzYowlM83OIMiMbMtV9ddDwYCYGJYZTPEVVRW6s6A1Pb97-2b-IiDoQkdohC0NxhIPM4ntw9xI8", "dp": "ovJ0320gDA48FTWNXaYU5O0eVXnDlp3M1GpdJxEsYK2crSFadGuwsNPkp3y0e5viVD4fs29UJ-6guVJVKH8p8Wl7TiZ-8shQ5ZNFPwwzcYRn66vSqj6R9XtHMwo5k2S30mNiVcUc8dwoiKmkzrXFNfiiQvWoX88lXMyYs7tRttE", "dq": "iNJWhTwNssFnZKaA8hBPPdyXdulPK6jeuRKz6yQQWmPfN3Y9lswDN4I4bWsnmdh37i3Xj3aN3JaskPrv8tF7JZQGauNxbT98-W3g8nMfBV62AetcdpMypUd99buTEaPNoaJvxoTx4Dcj6u_aYlz4CXMo-p1ewwvCsKAm9MHT8Js", "qi": "2VGQ-m3oki_uXi85Ybs2u-4tDFVL7zsFaoYtV8-KMOaYyd6N65kk2EjFWSXRa6BnAqoELEXr0cV9ZJA2YF4WfLQwCLVntyDN6Dc0_9du81qIc_efqBcY_fNMeEfDKAOZkslKIKkWJaP9CAXyI4_ctHdiAhFowdSCcBFTZ2O9xa4", "kty": "RSA"} \ No newline at end of file diff --git a/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/805d2f39f581c9a2a417db3d91bfc764/regr.json b/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/805d2f39f581c9a2a417db3d91bfc764/regr.json new file mode 100644 index 0000000..c210f37 --- /dev/null 
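Review bot: This one-line hunk is the ACME account's RSA private key (a complete JWK, including `d`, `p`, `q`, `dp`, `dq` and `qi`), and `regr.json` in the next hunk names the account URI it belongs to, so anyone who can read the repository can act as this Let's Encrypt account at the CA. The key should be considered disclosed: deactivate or re-register the account with certbot so this key stops being accepted, exclude `etc/letsencrypt/accounts/` from tracking, and rewrite the history that carries this commit rather than only removing the file in a follow-up. The `.gitignore` hunk earlier in this patch (`+!etc/letsencrypt/**/*`) is what re-included the directory and needs the matching exclude.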
+++ b/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/805d2f39f581c9a2a417db3d91bfc764/regr.json
@@ -0,0 +1 @@
+{"body": {}, "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/1851917407"}
\ No newline at end of file
diff --git a/etc/letsencrypt/archive/phares3757.ddns.net/cert1.pem b/etc/letsencrypt/archive/phares3757.ddns.net/cert1.pem
new file mode 100644
index 0000000..d13b8d9
--- /dev/null
+++ b/etc/letsencrypt/archive/phares3757.ddns.net/cert1.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEJzCCA6ygAwIBAgISBLIxc7whwwFJZCApth1UIMcPMAoGCCqGSM49BAMDMDIx
+CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF
+NjAeFw0yNDA3MjMwMjEzNDhaFw0yNDEwMjEwMjEzNDdaMB4xHDAaBgNVBAMTE3Bo
+YXJlczM3NTcuZGRucy5uZXQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQdWJOW
+xYvavXWc5dOMmGpaToaiTDrDRZ+oKsywjM/KChalQiNYLUSJqp3Dh5eoRfQ09K50
+X6yJOJaQxb0FFzC1o4ICtDCCArAwDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQWMBQG
+CCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBScvr8E
+AeV+Re+aj/j90JHjpLTkuzAfBgNVHSMEGDAWgBSTJ0aYA6lRaI6Y1sRCSNsjv1iU
+0jBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9lNi5vLmxlbmNy
+Lm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL2U2LmkubGVuY3Iub3JnLzCBuwYDVR0R
+BIGzMIGwgg9hZmZpcm0uZGRucy5uZXSCGGdpdGVhLnBoYXJlcy5kdWNrZG5zLm9y
+Z4IZaW1taWNoLnBoYXJlcy5kdWNrZG5zLm9yZ4IYbXVzaWMucGhhcmVzLmR1Y2tk
+bnMub3JnghNwaGFyZXMzNzU3LmRkbnMubmV0ghlxdWFydHoucGhhcmVzLmR1Y2tk
+bnMub3Jngh52YXVsdHdhcmRlbi5waGFyZXMuZHVja2Rucy5vcmcwEwYDVR0gBAww
+CjAIBgZngQwBAgEwggEFBgorBgEEAdZ5AgQCBIH2BIHzAPEAdwBIsONr2qZHNA/l
+agL6nTDrHFIBy1bdLIHZu7+rOdiEcwAAAZDdlLOuAAAEAwBIMEYCIQCpfmsaNEgL
+DrwdkCY+7NbJayn43Gv4sUjD4arZVJntKgIhAOyuzAjCF9JGPMSqNlSXd83zX89g
+eKGUwLWltfIe+zVbAHYAPxdLT9ciR1iUHWUchL4NEu2QN38fhWrrwb8ohez4ZG4A
+AAGQ3ZSztwAABAMARzBFAiEA4JYbBt/ZdGzUZk4evX3alv6QobD5D0An4NG0vF5G
+JkQCICph30m0Ev4uFpVvLUx1CJlTR/gJMJ+0U8RbE95c9xyYMAoGCCqGSM49BAMD
+A2kAMGYCMQCy5ix9dZALkOcFIWoAI0t2UzXBho7+eRGsXfIiLrBfYw8eDALPAglI
+glGBo2OmRs8CMQCXQwaoJRZG2IPnVS+0JMDZq2PzhyyV9Tycj77wRrYHwOHWwyA6
+9UaLhFqUL/sVdwo=
+-----END CERTIFICATE-----
diff --git a/etc/letsencrypt/archive/phares3757.ddns.net/chain1.pem b/etc/letsencrypt/archive/phares3757.ddns.net/chain1.pem
new file mode 100644
index 0000000..65797c8
--- /dev/null
+++ b/etc/letsencrypt/archive/phares3757.ddns.net/chain1.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEVzCCAj+gAwIBAgIRALBXPpFzlydw27SHyzpFKzgwDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw
+WhcNMjcwMzEyMjM1OTU5WjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDELMAkGA1UEAxMCRTYwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATZ8Z5G
+h/ghcWCoJuuj+rnq2h25EqfUJtlRFLFhfHWWvyILOR/VvtEKRqotPEoJhC6+QJVV
+6RlAN2Z17TJOdwRJ+HB7wxjnzvdxEP6sdNgA1O1tHHMWMxCcOrLqbGL0vbijgfgw
+gfUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD
+ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSTJ0aYA6lRaI6Y1sRCSNsj
+v1iU0jAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB
+AQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0g
+BAwwCjAIBgZngQwBAgEwJwYDVR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVu
+Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAfYt7SiA1sgWGCIpunk46r4AExIRc
+MxkKgUhNlrrv1B21hOaXN/5miE+LOTbrcmU/M9yvC6MVY730GNFoL8IhJ8j8vrOL
+pMY22OP6baS1k9YMrtDTlwJHoGby04ThTUeBDksS9RiuHvicZqBedQdIF65pZuhp
+eDcGBcLiYasQr/EO5gxxtLyTmgsHSOVSBcFOn9lgv7LECPq9i7mfH3mpxgrRKSxH
+pOoZ0KXMcB+hHuvlklHntvcI0mMMQ0mhYj6qtMFStkF1RpCG3IPdIwpVCQqu8GV7
+s8ubknRzs+3C/Bm19RFOoiPpDkwvyNfvmQ14XkyqqKK5oZ8zhD32kFRQkxa8uZSu
+h4aTImFxknu39waBxIRXE4jKxlAmQc4QjFZoq1KmQqQg0J/1JF8RlFvJas1VcjLv
+YlvUB2t6npO6oQjB3l+PNf0DpQH7iUx3Wz5AjQCi6L25FjyE06q6BZ/QlmtYdl/8
+ZYao4SRqPEs/6cAiF+Qf5zg2UkaWtDphl1LKMuTNLotvsX99HP69V2faNyegodQ0
+LyTApr/vT01YPE46vNsDLgK+4cL6TrzC/a4WcmF5SRJ938zrv/duJHLXQIku5v0+
+EwOy59Hdm0PT/Er/84dDV0CSjdR/2XuZM3kpysSKLgD1cKiDA+IRguODCxfO9cyY
+Ig46v9mFmBvyH04=
+-----END CERTIFICATE-----
diff --git a/etc/letsencrypt/archive/phares3757.ddns.net/fullchain1.pem b/etc/letsencrypt/archive/phares3757.ddns.net/fullchain1.pem
new file mode 100644
index 0000000..0600f92
--- /dev/null
+++ b/etc/letsencrypt/archive/phares3757.ddns.net/fullchain1.pem
@@ -0,0 +1,51 @@ +-----BEGIN CERTIFICATE----- +MIIEJzCCA6ygAwIBAgISBLIxc7whwwFJZCApth1UIMcPMAoGCCqGSM49BAMDMDIx +CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF +NjAeFw0yNDA3MjMwMjEzNDhaFw0yNDEwMjEwMjEzNDdaMB4xHDAaBgNVBAMTE3Bo +YXJlczM3NTcuZGRucy5uZXQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQdWJOW +xYvavXWc5dOMmGpaToaiTDrDRZ+oKsywjM/KChalQiNYLUSJqp3Dh5eoRfQ09K50 +X6yJOJaQxb0FFzC1o4ICtDCCArAwDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQWMBQG +CCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBScvr8E +AeV+Re+aj/j90JHjpLTkuzAfBgNVHSMEGDAWgBSTJ0aYA6lRaI6Y1sRCSNsjv1iU +0jBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9lNi5vLmxlbmNy +Lm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL2U2LmkubGVuY3Iub3JnLzCBuwYDVR0R +BIGzMIGwgg9hZmZpcm0uZGRucy5uZXSCGGdpdGVhLnBoYXJlcy5kdWNrZG5zLm9y +Z4IZaW1taWNoLnBoYXJlcy5kdWNrZG5zLm9yZ4IYbXVzaWMucGhhcmVzLmR1Y2tk +bnMub3JnghNwaGFyZXMzNzU3LmRkbnMubmV0ghlxdWFydHoucGhhcmVzLmR1Y2tk +bnMub3Jngh52YXVsdHdhcmRlbi5waGFyZXMuZHVja2Rucy5vcmcwEwYDVR0gBAww +CjAIBgZngQwBAgEwggEFBgorBgEEAdZ5AgQCBIH2BIHzAPEAdwBIsONr2qZHNA/l +agL6nTDrHFIBy1bdLIHZu7+rOdiEcwAAAZDdlLOuAAAEAwBIMEYCIQCpfmsaNEgL +DrwdkCY+7NbJayn43Gv4sUjD4arZVJntKgIhAOyuzAjCF9JGPMSqNlSXd83zX89g +eKGUwLWltfIe+zVbAHYAPxdLT9ciR1iUHWUchL4NEu2QN38fhWrrwb8ohez4ZG4A +AAGQ3ZSztwAABAMARzBFAiEA4JYbBt/ZdGzUZk4evX3alv6QobD5D0An4NG0vF5G +JkQCICph30m0Ev4uFpVvLUx1CJlTR/gJMJ+0U8RbE95c9xyYMAoGCCqGSM49BAMD +A2kAMGYCMQCy5ix9dZALkOcFIWoAI0t2UzXBho7+eRGsXfIiLrBfYw8eDALPAglI +glGBo2OmRs8CMQCXQwaoJRZG2IPnVS+0JMDZq2PzhyyV9Tycj77wRrYHwOHWwyA6 +9UaLhFqUL/sVdwo= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIEVzCCAj+gAwIBAgIRALBXPpFzlydw27SHyzpFKzgwDQYJKoZIhvcNAQELBQAw +TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh +cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw +WhcNMjcwMzEyMjM1OTU5WjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg +RW5jcnlwdDELMAkGA1UEAxMCRTYwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATZ8Z5G +h/ghcWCoJuuj+rnq2h25EqfUJtlRFLFhfHWWvyILOR/VvtEKRqotPEoJhC6+QJVV 
+6RlAN2Z17TJOdwRJ+HB7wxjnzvdxEP6sdNgA1O1tHHMWMxCcOrLqbGL0vbijgfgw +gfUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD +ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSTJ0aYA6lRaI6Y1sRCSNsj +v1iU0jAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB +AQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0g +BAwwCjAIBgZngQwBAgEwJwYDVR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVu +Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAfYt7SiA1sgWGCIpunk46r4AExIRc +MxkKgUhNlrrv1B21hOaXN/5miE+LOTbrcmU/M9yvC6MVY730GNFoL8IhJ8j8vrOL +pMY22OP6baS1k9YMrtDTlwJHoGby04ThTUeBDksS9RiuHvicZqBedQdIF65pZuhp +eDcGBcLiYasQr/EO5gxxtLyTmgsHSOVSBcFOn9lgv7LECPq9i7mfH3mpxgrRKSxH +pOoZ0KXMcB+hHuvlklHntvcI0mMMQ0mhYj6qtMFStkF1RpCG3IPdIwpVCQqu8GV7 +s8ubknRzs+3C/Bm19RFOoiPpDkwvyNfvmQ14XkyqqKK5oZ8zhD32kFRQkxa8uZSu +h4aTImFxknu39waBxIRXE4jKxlAmQc4QjFZoq1KmQqQg0J/1JF8RlFvJas1VcjLv +YlvUB2t6npO6oQjB3l+PNf0DpQH7iUx3Wz5AjQCi6L25FjyE06q6BZ/QlmtYdl/8 +ZYao4SRqPEs/6cAiF+Qf5zg2UkaWtDphl1LKMuTNLotvsX99HP69V2faNyegodQ0 +LyTApr/vT01YPE46vNsDLgK+4cL6TrzC/a4WcmF5SRJ938zrv/duJHLXQIku5v0+ +EwOy59Hdm0PT/Er/84dDV0CSjdR/2XuZM3kpysSKLgD1cKiDA+IRguODCxfO9cyY +Ig46v9mFmBvyH04= +-----END CERTIFICATE----- diff --git a/etc/letsencrypt/archive/phares3757.ddns.net/privkey1.pem b/etc/letsencrypt/archive/phares3757.ddns.net/privkey1.pem new file mode 100644 index 0000000..5ed60c2 --- /dev/null +++ b/etc/letsencrypt/archive/phares3757.ddns.net/privkey1.pem @@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgWJ4x7Qxn+VXJXETc +HorPVTm5TMqwASdTvWnGchZodiWhRANCAAQdWJOWxYvavXWc5dOMmGpaToaiTDrD +RZ+oKsywjM/KChalQiNYLUSJqp3Dh5eoRfQ09K50X6yJOJaQxb0FFzC1 +-----END PRIVATE KEY----- diff --git a/etc/letsencrypt/live/README b/etc/letsencrypt/live/README new file mode 100644 index 0000000..00b733c --- /dev/null +++ b/etc/letsencrypt/live/README 
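Review bot: `privkey1.pem` commits the ECDSA private key of the phares3757.ddns.net certificate (all five lines of the hunk); once this commit is pushed the key has to be treated as compromised, because deleting the file later does not remove it from history. Revoke the certificate with a key-compromise reason (`certbot revoke --reason keycompromise`), re-issue with a fresh key, rewrite the repository history to drop this file, and keep `etc/letsencrypt/archive/` out of the repository — the diffstat shows `.gitignore` being edited in this commit, but the visible hunks do not show it excluding this path. The public `cert1.pem`, `chain1.pem` and `fullchain1.pem` files in the neighbouring hunks are not secret, but they pair with this key and are only useful to the server while it stays private.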
@@ -0,0 +1,14 @@
+This directory contains your keys and certificates.
+
+`[cert name]/privkey.pem` : the private key for your certificate.
+`[cert name]/fullchain.pem`: the certificate file used in most server software.
+`[cert name]/chain.pem` : used for OCSP stapling in Nginx >=1.3.7.
+`[cert name]/cert.pem` : will break many server configurations, and should not be used
+ without reading further documentation (see link below).
+
+WARNING: DO NOT MOVE OR RENAME THESE FILES!
+ Certbot expects these files to remain in this location in order
+ to function properly!
+
+We recommend not moving these files. For more information, see the Certbot
+User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.
diff --git a/etc/letsencrypt/live/phares3757.ddns.net/README b/etc/letsencrypt/live/phares3757.ddns.net/README
new file mode 100644
index 0000000..5050078
--- /dev/null
+++ b/etc/letsencrypt/live/phares3757.ddns.net/README
@@ -0,0 +1,14 @@
+This directory contains your keys and certificates.
+
+`privkey.pem` : the private key for your certificate.
+`fullchain.pem`: the certificate file used in most server software.
+`chain.pem` : used for OCSP stapling in Nginx >=1.3.7.
+`cert.pem` : will break many server configurations, and should not be used
+ without reading further documentation (see link below).
+
+WARNING: DO NOT MOVE OR RENAME THESE FILES!
+ Certbot expects these files to remain in this location in order
+ to function properly!
+
+We recommend not moving these files. For more information, see the Certbot
+User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.
diff --git a/etc/letsencrypt/options-ssl-nginx.conf b/etc/letsencrypt/options-ssl-nginx.conf
new file mode 100644
index 0000000..f2aadba
--- /dev/null
+++ b/etc/letsencrypt/options-ssl-nginx.conf
@@ -0,0 +1,14 @@
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file. Contents are based on https://ssl-config.mozilla.org
+
+ssl_session_cache shared:le_nginx_SSL:10m;
+ssl_session_timeout 1440m;
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers off;
+
+ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
diff --git a/etc/letsencrypt/renewal/phares3757.ddns.net.conf b/etc/letsencrypt/renewal/phares3757.ddns.net.conf
new file mode 100644
index 0000000..677b5ec
--- /dev/null
+++ b/etc/letsencrypt/renewal/phares3757.ddns.net.conf
@@ -0,0 +1,15 @@
+# renew_before_expiry = 30 days
+version = 2.11.0
+archive_dir = /etc/letsencrypt/archive/phares3757.ddns.net
+cert = /etc/letsencrypt/live/phares3757.ddns.net/cert.pem
+privkey = /etc/letsencrypt/live/phares3757.ddns.net/privkey.pem
+chain = /etc/letsencrypt/live/phares3757.ddns.net/chain.pem
+fullchain = /etc/letsencrypt/live/phares3757.ddns.net/fullchain.pem
+
+# Options used in the renewal process
+[renewalparams]
+account = 805d2f39f581c9a2a417db3d91bfc764
+authenticator = nginx
+installer = nginx
+server = https://acme-v02.api.letsencrypt.org/directory
+key_type = ecdsa
diff --git a/etc/letsencrypt/ssl-dhparams.pem b/etc/letsencrypt/ssl-dhparams.pem
new file mode 100644
index 0000000..9b182b7
--- /dev/null
+++ b/etc/letsencrypt/ssl-dhparams.pem
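Review bot: `account = 805d2f39f581c9a2a417db3d91bfc764` under `[renewalparams]` names the ACME account whose private key certbot keeps under `/etc/letsencrypt/accounts/`; that directory is not part of this diff, and it should stay out of the repository, since the account key is what authorises issuance and revocation for these names. The renewal file itself holds only paths and settings and is fine to track, but it points at `archive_dir = /etc/letsencrypt/archive/phares3757.ddns.net`, whose `privkey1.pem` is committed in an earlier hunk of this same commit. A short comment above `account =` such as `# account id only; the matching key lives in /etc/letsencrypt/accounts and is never committed` would record the intended boundary.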
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----
diff --git a/etc/lighttpd/lighttpd.conf b/etc/lighttpd/lighttpd.conf
new file mode 100644
index 0000000..032773b
--- /dev/null
+++ b/etc/lighttpd/lighttpd.conf
@@ -0,0 +1,61 @@
+### Documentation
+# https://wiki.lighttpd.net/
+#
+### Configuration Syntax
+# https://wiki.lighttpd.net/Docs_Configuration
+#
+### Configuration Options
+# https://wiki.lighttpd.net/Docs_ConfigurationOptions
+#
+
+### Debian lighttpd base configuration
+
+server.modules = (
+ "mod_indexfile",
+ "mod_access",
+ "mod_alias",
+ "mod_redirect",
+)
+
+server.document-root = "/var/www/html"
+server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
+server.errorlog = "/var/log/lighttpd/error.log"
+server.pid-file = "/run/lighttpd.pid"
+server.username = "www-data"
+server.groupname = "www-data"
+server.port = 8005
+
+# strict parsing and normalization of URL for consistency and security
+# https://wiki.lighttpd.net/Server_http-parseoptsDetails
+# (might need to explicitly set "url-path-2f-decode" = "disable"
+# if a specific application is encoding URLs inside url-path)
+server.http-parseopts = (
+ "header-strict" => "enable",# default
+ "host-strict" => "enable",# default
+ "host-normalize" => "enable",# default
+ "url-normalize-unreserved"=> "enable",# recommended highly
+ "url-normalize-required" => "enable",# recommended
+ "url-ctrls-reject" => "enable",# recommended
+ "url-path-2f-decode" => "enable",# recommended highly (unless breaks app)
+ #"url-path-2f-reject" => "enable",
+ "url-path-dotseg-remove" => "enable",# recommended highly (unless breaks app)
+ #"url-path-dotseg-reject" => "enable",
+ #"url-query-20-plus" => "enable",# consistency in query string
+ "url-invalid-utf8-reject" => "enable",# recommended highly (unless breaks app)
+)
+
+index-file.names = ( "index.php", "index.html" )
+url.access-deny = ( "~", ".inc" )
+static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
+
+include_shell "/usr/share/lighttpd/create-mime.conf.pl"
+include "/etc/lighttpd/conf-enabled/*.conf"
+
+# default listening port for IPv6 is same as default IPv4 port
+include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
+
+### Customizations
+# customizations should generally be placed in separate files such as
+# /etc/lighttpd/conf-available/00_vars.conf # override variables for *.conf
+# /etc/lighttpd/conf-available/99_custom.conf # override *.conf settings
+# and then enabled using lighty-enable-mod (1)
diff --git a/etc/nginx/sites-available/dashkiosk.beelink.server.conf b/etc/nginx/sites-available/dashkiosk.beelink.server.conf
deleted file mode 100644
index 35960ac..0000000
--- a/etc/nginx/sites-available/dashkiosk.beelink.server.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-[req]
-default_bits = 2048
-default_keyfile = dashkiosk.beelink.server.key
-distinguished_name = req_distinguished_name
-req_extensions = req_ext
-x509_extensions = v3_ca
-
-[req_distinguished_name]
-countryName = Country Name (2 letter code)
-countryName_default = US
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Arizona
-localityName = Locality Name (eg, city)
-localityName_default = Anthem
-organizationName = Organization Name (eg, company)
-organizationName_default = Phares
-organizationalUnitName = organizationalunit
-organizationalUnitName_default = Development
-commonName = Common Name (e.g. server FQDN or YOUR name)
-commonName_default = dashkiosk.beelink.server
-commonName_max = 64
-
-[req_ext]
-subjectAltName = @alt_names
-
-[v3_ca]
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = dashkiosk.beelink.server
-DNS.10 = localhost
-DNS.11 = 127.0.0.1
diff --git a/etc/nginx/sites-available/dashkiosk.ddns.net.conf b/etc/nginx/sites-available/dashkiosk.ddns.net.conf
deleted file mode 100644
index 0c75a70..0000000
--- a/etc/nginx/sites-available/dashkiosk.ddns.net.conf
+++ /dev/null
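Review bot: `server.port = 8005` is set with no `server.bind`, so lighttpd listens on that port on every interface (and on IPv6 as well via the `use-ipv6.pl` include) rather than only on the loopback address the nginx proxy would use. The removed nginx blocks elsewhere in this commit proxied `pi-hole.*` to `http://localhost:8005/`, which suggests this is the Pi-hole admin server meant to sit behind nginx; if so, `server.bind = "127.0.0.1"` next to `server.port` keeps the unencrypted admin interface off the LAN, and the `pihole.conf` include that replaces those blocks is commented out in the new `default`, which is worth confirming. Nothing in `/etc/lighttpd/conf-enabled/` is part of the diff, so the `include "/etc/lighttpd/conf-enabled/*.conf"` line cannot be reviewed here.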
@@ -1,32 +0,0 @@
-[req]
-default_bits = 2048
-default_keyfile = dashkiosk.ddns.net.key
-distinguished_name = req_distinguished_name
-req_extensions = req_ext
-x509_extensions = v3_ca
-
-[req_distinguished_name]
-countryName = Country Name (2 letter code)
-countryName_default = US
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Arizona
-localityName = Locality Name (eg, city)
-localityName_default = Anthem
-organizationName = Organization Name (eg, company)
-organizationName_default = Phares
-organizationalUnitName = organizationalunit
-organizationalUnitName_default = Development
-commonName = Common Name (e.g. server FQDN or YOUR name)
-commonName_default = dashkiosk.ddns.net
-commonName_max = 64
-
-[req_ext]
-subjectAltName = @alt_names
-
-[v3_ca]
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = dashkiosk.ddns.net
-DNS.10 = localhost
-DNS.11 = 127.0.0.1
diff --git a/etc/nginx/sites-available/default b/etc/nginx/sites-available/default
index ce3178e..da364d7 100644
--- a/etc/nginx/sites-available/default
+++ b/etc/nginx/sites-available/default
@@ -7,370 +7,35 @@ server { try_files $uri $uri/ =404; } } -server { - # touch /etc/nginx/sites-available/phares3757.beelink.server.conf - # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/phares3757.beelink.server.key -out /etc/nginx/phares3757.beelink.server.crt -config /etc/nginx/sites-available/phares3757.beelink.server.conf - ssl_certificate 'phares3757.beelink.server.crt'; - ssl_certificate_key 'phares3757.beelink.server.key'; - listen 443 ssl http2; - ssl_protocols TLSv1.2 TLSv1.1 TLSv1; - server_name phares3757.beelink.server; - root /etc/pihole; - autoindex on; - autoindex_format json; - index index.html index.htm index.nginx-debian.html; - server_name _; - location / { - try_files $uri $uri/ =404; - } -} -server { - # touch /etc/nginx/sites-available/dashkiosk.beelink.server.conf - # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/dashkiosk.beelink.server.key -out /etc/nginx/dashkiosk.beelink.server.crt -config /etc/nginx/sites-available/dashkiosk.beelink.server.conf - ssl_certificate 'dashkiosk.beelink.server.crt'; - ssl_certificate_key 'dashkiosk.beelink.server.key'; - listen 443 ssl http2; - ssl_protocols TLSv1.2 TLSv1.1 TLSv1; - server_name dashkiosk.beelink.server; - location / { - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass http://localhost:9400/; - proxy_read_timeout 600s; - proxy_send_timeout 600s; - } -} -server { - # touch /etc/nginx/sites-available/filebrowser.beelink.server.conf - # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/filebrowser.beelink.server.key -out /etc/nginx/filebrowser.beelink.server.crt -config /etc/nginx/sites-available/filebrowser.beelink.server.conf - ssl_certificate 'filebrowser.beelink.server.crt'; - ssl_certificate_key 'filebrowser.beelink.server.key'; - listen 443 ssl http2; - ssl_protocols TLSv1.2 
TLSv1.1 TLSv1; - server_name filebrowser.beelink.server; - location / { - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass http://localhost:8080/; - proxy_read_timeout 600s; - proxy_send_timeout 600s; - } -} -server { - # touch /etc/nginx/sites-available/gogs3757.beelink.server.conf - # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/gogs3757.beelink.server.key -out /etc/nginx/gogs3757.beelink.server.crt -config /etc/nginx/sites-available/gogs3757.beelink.server.conf - ssl_certificate 'gogs3757.beelink.server.crt'; - ssl_certificate_key 'gogs3757.beelink.server.key'; - listen 443 ssl http2; - ssl_protocols TLSv1.2 TLSv1.1 TLSv1; - server_name gogs3757.beelink.server; - client_max_body_size 5000m; - location / { - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass http://localhost:3000/; - proxy_read_timeout 600s; - proxy_send_timeout 600s; - } -} -server { - # touch /etc/nginx/sites-available/immich3757.beelink.server.conf - # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/immich3757.beelink.server.key -out /etc/nginx/immich3757.beelink.server.crt -config /etc/nginx/sites-available/immich3757.beelink.server.conf - ssl_certificate 'immich3757.beelink.server.crt'; - ssl_certificate_key 'immich3757.beelink.server.key'; - listen 443 ssl http2; - ssl_protocols TLSv1.2 TLSv1.1 TLSv1; - server_name immich3757.beelink.server; - client_max_body_size 50000M; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection 
"upgrade"; - proxy_redirect off; - proxy_read_timeout 600s; - proxy_send_timeout 600s; - send_timeout 600s; - location / { - proxy_pass http://localhost:3001/; - } -} -server { - # touch /etc/nginx/sites-available/nextcloud3757.beelink.server.conf - # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/nextcloud3757.beelink.server.key -out /etc/nginx/nextcloud3757.beelink.server.crt -config /etc/nginx/sites-available/nextcloud3757.beelink.server.conf - ssl_certificate 'nextcloud3757.beelink.server.crt'; - ssl_certificate_key 'nextcloud3757.beelink.server.key'; - listen 443 ssl http2; - ssl_protocols TLSv1.2 TLSv1.1 TLSv1; - server_name nextcloud3757.beelink.server; - location / { - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass http://localhost:8081/; - proxy_read_timeout 600s; - proxy_send_timeout 600s; - } -} -server { - # touch /etc/nginx/sites-available/music3757.beelink.server.conf - # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/music3757.beelink.server.key -out /etc/nginx/music3757.beelink.server.crt -config /etc/nginx/sites-available/music3757.beelink.server.conf - ssl_certificate 'music3757.beelink.server.crt'; - ssl_certificate_key 'music3757.beelink.server.key'; - listen 443 ssl http2; - ssl_protocols TLSv1.2 TLSv1.1 TLSv1; - server_name music3757.beelink.server; - root /var/www/html; # /home/syncthing/Loft-5G; - index index.html index.htm index.nginx-debian.html; - location / { - try_files $uri $uri/ =404; - } -} -server { - # touch /etc/nginx/sites-available/photoprism.beelink.server.conf - # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/photoprism.beelink.server.key -out /etc/nginx/photoprism.beelink.server.crt -config /etc/nginx/sites-available/photoprism.beelink.server.conf - ssl_certificate 'photoprism.beelink.server.crt'; - 
ssl_certificate_key 'photoprism.beelink.server.key'; - listen 443 ssl http2; - ssl_protocols TLSv1.2 TLSv1.1 TLSv1; - server_name photoprism.beelink.server; - location / { - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass http://localhost:2342/; - proxy_read_timeout 600s; - proxy_send_timeout 600s; - } -} -server { - # touch /etc/nginx/sites-available/pi-hole.beelink.server.conf - # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/pi-hole.beelink.server.key -out /etc/nginx/pi-hole.beelink.server.crt -config /etc/nginx/sites-available/pi-hole.beelink.server.conf - ssl_certificate 'pi-hole.beelink.server.crt'; - ssl_certificate_key 'pi-hole.beelink.server.key'; - listen 443 ssl http2; - ssl_protocols TLSv1.2 TLSv1.1 TLSv1; - server_name pi-hole.beelink.server; - location = / { - return 302 https://$host/admin/; - } - location /admin/ { - proxy_pass http://localhost:8005/admin/; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - } -} -server { - # touch /etc/nginx/sites-available/syncthing3757.beelink.server.conf - # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/syncthing3757.beelink.server.key -out /etc/nginx/syncthing3757.beelink.server.crt -config /etc/nginx/sites-available/syncthing3757.beelink.server.conf - ssl_certificate 'syncthing3757.beelink.server.crt'; - ssl_certificate_key 'syncthing3757.beelink.server.key'; - listen 443 ssl http2; - ssl_protocols TLSv1.2 TLSv1.1 TLSv1; - server_name syncthing3757.beelink.server; - location / { - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass 
http://localhost:8384/; - proxy_read_timeout 600s; - proxy_send_timeout 600s; - } -} -server { - # touch /etc/nginx/sites-available/phares3757.ddns.net.conf - # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/phares3757.ddns.net.key -out /etc/nginx/phares3757.ddns.net.crt -config /etc/nginx/sites-available/phares3757.ddns.net.conf - ssl_certificate 'phares3757.ddns.net.crt'; - ssl_certificate_key 'phares3757.ddns.net.key'; - listen 443 ssl http2; - ssl_protocols TLSv1.2 TLSv1.1 TLSv1; - server_name phares3757.ddns.net; - location / { - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass http://localhost:80/; - proxy_read_timeout 600s; - proxy_send_timeout 600s; - } -} -server { - # touch /etc/nginx/sites-available/dashkiosk.ddns.net.conf - # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/dashkiosk.ddns.net.key -out /etc/nginx/dashkiosk.ddns.net.crt -config /etc/nginx/sites-available/dashkiosk.ddns.net.conf - ssl_certificate 'dashkiosk.ddns.net.crt'; - ssl_certificate_key 'dashkiosk.ddns.net.key'; - listen 443 ssl http2; - ssl_protocols TLSv1.2 TLSv1.1 TLSv1; - server_name dashkiosk.ddns.net; - location / { - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass http://localhost:9400/; - proxy_read_timeout 600s; - proxy_send_timeout 600s; - } -} -server { - # touch /etc/nginx/sites-available/filebrowser.ddns.net.conf - # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/filebrowser.ddns.net.key -out /etc/nginx/filebrowser.ddns.net.crt -config /etc/nginx/sites-available/filebrowser.ddns.net.conf - ssl_certificate 'filebrowser.ddns.net.crt'; - ssl_certificate_key 'filebrowser.ddns.net.key'; - listen 443 ssl http2; - 
ssl_protocols TLSv1.2 TLSv1.1 TLSv1; - server_name filebrowser.ddns.net; - client_max_body_size 5000m; - location / { - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass http://localhost:8080/; - proxy_read_timeout 600s; - proxy_send_timeout 600s; - } -} -server { - # touch /etc/nginx/sites-available/gogs3757.ddns.net.conf - # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/gogs3757.ddns.net.key -out /etc/nginx/gogs3757.ddns.net.crt -config /etc/nginx/sites-available/gogs3757.ddns.net.conf - ssl_certificate 'gogs3757.ddns.net.crt'; - ssl_certificate_key 'gogs3757.ddns.net.key'; - listen 443 ssl http2; - ssl_protocols TLSv1.2 TLSv1.1 TLSv1; - server_name gogs3757.ddns.net; - client_max_body_size 5000m; - location / { - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass http://localhost:3000/; - proxy_read_timeout 600s; - proxy_send_timeout 600s; - } -} -server { - # touch /etc/nginx/sites-available/immich3757.ddns.net.conf - # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/immich3757.ddns.net.key -out /etc/nginx/immich3757.ddns.net.crt -config /etc/nginx/sites-available/immich3757.ddns.net.conf - ssl_certificate 'immich3757.ddns.net.crt'; - ssl_certificate_key 'immich3757.ddns.net.key'; - listen 443 ssl http2; - ssl_protocols TLSv1.2 TLSv1.1 TLSv1; - server_name immich3757.ddns.net; - client_max_body_size 50000M; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_redirect off; - 
proxy_read_timeout 600s; - proxy_send_timeout 600s; - send_timeout 600s; - location / { - proxy_pass http://localhost:3001/; - } -} -server { - # touch /etc/nginx/sites-available/nextcloud3757.ddns.net.conf - # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/nextcloud3757.ddns.net.key -out /etc/nginx/nextcloud3757.ddns.net.crt -config /etc/nginx/sites-available/nextcloud3757.ddns.net.conf - ssl_certificate 'nextcloud3757.ddns.net.crt'; - ssl_certificate_key 'nextcloud3757.ddns.net.key'; - listen 443 ssl http2; - ssl_protocols TLSv1.2 TLSv1.1 TLSv1; - server_name nextcloud3757.ddns.net; - location / { - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass http://localhost:8081/; - proxy_read_timeout 600s; - proxy_send_timeout 600s; - } -} -server { - # touch /etc/nginx/sites-available/music3757.ddns.net.conf - # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/music3757.ddns.net.key -out /etc/nginx/music3757.ddns.net.crt -config /etc/nginx/sites-available/music3757.ddns.net.conf - ssl_certificate 'music3757.ddns.net.crt'; - ssl_certificate_key 'music3757.ddns.net.key'; - listen 443 ssl http2; - ssl_protocols TLSv1.2 TLSv1.1 TLSv1; - server_name music3757.ddns.net; - root /var/www/html; # /home/syncthing/Loft-5G; - index index.html index.htm index.nginx-debian.html; - location / { - try_files $uri $uri/ =404; - } -} -server { - # touch /etc/nginx/sites-available/photoprism.ddns.net.conf - # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/photoprism.ddns.net.key -out /etc/nginx/photoprism.ddns.net.crt -config /etc/nginx/sites-available/photoprism.ddns.net.conf - ssl_certificate 'photoprism.ddns.net.crt'; - ssl_certificate_key 'photoprism.ddns.net.key'; - listen 443 ssl http2; - ssl_protocols TLSv1.2 TLSv1.1 TLSv1; - server_name photoprism.ddns.net; - location / { 
- proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass http://localhost:2342/; - proxy_read_timeout 600s; - proxy_send_timeout 600s; - } -} -server { - # touch /etc/nginx/sites-available/pi-hole.ddns.net.conf - # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/pi-hole.ddns.net.key -out /etc/nginx/pi-hole.ddns.net.crt -config /etc/nginx/sites-available/pi-hole.ddns.net.conf - ssl_certificate 'pi-hole.ddns.net.crt'; - ssl_certificate_key 'pi-hole.ddns.net.key'; - listen 443 ssl http2; - ssl_protocols TLSv1.2 TLSv1.1 TLSv1; - server_name pi-hole.ddns.net; - location / { - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass http://localhost:8005/; - proxy_read_timeout 600s; - proxy_send_timeout 600s; - } -} -server { - # touch /etc/nginx/sites-available/syncthing3757.ddns.net.conf - # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/syncthing3757.ddns.net.key -out /etc/nginx/syncthing3757.ddns.net.crt -config /etc/nginx/sites-available/syncthing3757.ddns.net.conf - ssl_certificate 'syncthing3757.ddns.net.crt'; - ssl_certificate_key 'syncthing3757.ddns.net.key'; - listen 443 ssl http2; - ssl_protocols TLSv1.2 TLSv1.1 TLSv1; - server_name syncthing3757.ddns.net; - location / { - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass http://localhost:8384/; - proxy_read_timeout 600s; - proxy_send_timeout 600s; - } -} +include /etc/nginx/include/affirm.conf; +# include /etc/nginx/include/ansible.conf; +# include /etc/nginx/include/assistant.conf; +# include /etc/nginx/include/casa.conf; +include 
/etc/nginx/include/codeserver.conf; +include /etc/nginx/include/dashkiosk.conf; +include /etc/nginx/include/dockge.conf; +# include /etc/nginx/include/docmost.conf; +# include /etc/nginx/include/emby.conf; +# include /etc/nginx/include/filebrowser.conf; +# include /etc/nginx/include/gogs.conf; +include /etc/nginx/include/gitea.conf; +include /etc/nginx/include/immich.conf; +include /etc/nginx/include/incus.conf; +# include /etc/nginx/include/invoice.conf; +include /etc/nginx/include/lxconsole.conf; +include /etc/nginx/include/kestra.conf; +include /etc/nginx/include/music.conf; +# include /etc/nginx/include/nextcloud.conf; +# include /etc/nginx/include/owncast.conf; +include /etc/nginx/include/phares.conf; +# include /etc/nginx/include/photoprism.conf; +# include /etc/nginx/include/pihole.conf; +# include /etc/nginx/include/proxmox.conf; +include /etc/nginx/include/quartz.conf; +# include /etc/nginx/include/readeck.conf; +# include /etc/nginx/include/syncthing.conf; +# include /etc/nginx/include/terraform.conf; +# include /etc/nginx/include/uptimekuma.conf; +include /etc/nginx/include/vaultwarden.conf; +# include /etc/nginx/include/vscodium.conf; +# include /etc/nginx/include/wekan.conf; \ No newline at end of file diff --git a/etc/nginx/sites-available/filebrowser.beelink.server.conf b/etc/nginx/sites-available/filebrowser.beelink.server.conf deleted file mode 100644 index 5831fca..0000000 --- a/etc/nginx/sites-available/filebrowser.beelink.server.conf +++ /dev/null 
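Review bot: The new side ends without a trailing newline (`\ No newline at end of file` after `# include /etc/nginx/include/wekan.conf;`); add one so the next edit to this list does not show a spurious change on the last line. The whole vhost configuration now lives in the `/etc/nginx/include/*.conf` files, and none of them appears in the visible diffstat, so the TLS settings that stand in for the removed per-server `ssl_protocols` lines cannot be reviewed in this commit; presumably they reference `/etc/letsencrypt/options-ssl-nginx.conf`, which this commit adds, but that is inferred. A one-line header above the list, such as `# one include per vhost; commented entries are installed but disabled`, would make the enable/disable convention explicit. The first `server { … }` block of this file starts outside the hunk.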
@@ -1,32 +0,0 @@
-[req]
-default_bits = 2048
-default_keyfile = filebrowser.beelink.server.key
-distinguished_name = req_distinguished_name
-req_extensions = req_ext
-x509_extensions = v3_ca
-
-[req_distinguished_name]
-countryName = Country Name (2 letter code)
-countryName_default = US
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Arizona
-localityName = Locality Name (eg, city)
-localityName_default = Anthem
-organizationName = Organization Name (eg, company)
-organizationName_default = Phares
-organizationalUnitName = organizationalunit
-organizationalUnitName_default = Development
-commonName = Common Name (e.g. server FQDN or YOUR name)
-commonName_default = filebrowser.beelink.server
-commonName_max = 64
-
-[req_ext]
-subjectAltName = @alt_names
-
-[v3_ca]
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = filebrowser.beelink.server
-DNS.10 = localhost
-DNS.11 = 127.0.0.1
diff --git a/etc/nginx/sites-available/filebrowser.ddns.net.conf b/etc/nginx/sites-available/filebrowser.ddns.net.conf
deleted file mode 100644
index 45c53cf..0000000
--- a/etc/nginx/sites-available/filebrowser.ddns.net.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-[req]
-default_bits = 2048
-default_keyfile = filebrowser.ddns.net.key
-distinguished_name = req_distinguished_name
-req_extensions = req_ext
-x509_extensions = v3_ca
-
-[req_distinguished_name]
-countryName = Country Name (2 letter code)
-countryName_default = US
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Arizona
-localityName = Locality Name (eg, city)
-localityName_default = Anthem
-organizationName = Organization Name (eg, company)
-organizationName_default = Phares
-organizationalUnitName = organizationalunit
-organizationalUnitName_default = Development
-commonName = Common Name (e.g. server FQDN or YOUR name)
-commonName_default = filebrowser.ddns.net
-commonName_max = 64
-
-[req_ext]
-subjectAltName = @alt_names
-
-[v3_ca]
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = filebrowser.ddns.net
-DNS.10 = localhost
-DNS.11 = 127.0.0.1
diff --git a/etc/nginx/sites-available/gogs3757.beelink.server.conf b/etc/nginx/sites-available/gogs3757.beelink.server.conf
deleted file mode 100644
index 8b8c8ad..0000000
--- a/etc/nginx/sites-available/gogs3757.beelink.server.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-[req]
-default_bits = 2048
-default_keyfile = gogs3757.beelink.server.key
-distinguished_name = req_distinguished_name
-req_extensions = req_ext
-x509_extensions = v3_ca
-
-[req_distinguished_name]
-countryName = Country Name (2 letter code)
-countryName_default = US
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Arizona
-localityName = Locality Name (eg, city)
-localityName_default = Anthem
-organizationName = Organization Name (eg, company)
-organizationName_default = Phares
-organizationalUnitName = organizationalunit
-organizationalUnitName_default = Development
-commonName = Common Name (e.g. server FQDN or YOUR name)
-commonName_default = gogs3757.beelink.server
-commonName_max = 64
-
-[req_ext]
-subjectAltName = @alt_names
-
-[v3_ca]
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = gogs3757.beelink.server
-DNS.10 = localhost
-DNS.11 = 127.0.0.1
diff --git a/etc/nginx/sites-available/gogs3757.ddns.net.conf b/etc/nginx/sites-available/gogs3757.ddns.net.conf
deleted file mode 100644
index f129d14..0000000
--- a/etc/nginx/sites-available/gogs3757.ddns.net.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-[req]
-default_bits = 2048
-default_keyfile = gogs3757.ddns.net.key
-distinguished_name = req_distinguished_name
-req_extensions = req_ext
-x509_extensions = v3_ca
-
-[req_distinguished_name]
-countryName = Country Name (2 letter code)
-countryName_default = US
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Arizona
-localityName = Locality Name (eg, city)
-localityName_default = Anthem
-organizationName = Organization Name (eg, company)
-organizationName_default = Phares
-organizationalUnitName = organizationalunit
-organizationalUnitName_default = Development
-commonName = Common Name (e.g. server FQDN or YOUR name)
-commonName_default = gogs3757.ddns.net
-commonName_max = 64
-
-[req_ext]
-subjectAltName = @alt_names
-
-[v3_ca]
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = gogs3757.ddns.net
-DNS.10 = localhost
-DNS.11 = 127.0.0.1
diff --git a/etc/nginx/sites-available/immich3757.beelink.server.conf b/etc/nginx/sites-available/immich3757.beelink.server.conf
deleted file mode 100644
index d79a63e..0000000
--- a/etc/nginx/sites-available/immich3757.beelink.server.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-[req]
-default_bits = 2048
-default_keyfile = immich3757.beelink.server.key
-distinguished_name = req_distinguished_name
-req_extensions = req_ext
-x509_extensions = v3_ca
-
-[req_distinguished_name]
-countryName = Country Name (2 letter code)
-countryName_default = US
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Arizona
-localityName = Locality Name (eg, city)
-localityName_default = Anthem
-organizationName = Organization Name (eg, company)
-organizationName_default = Phares
-organizationalUnitName = organizationalunit
-organizationalUnitName_default = Development
-commonName = Common Name (e.g. server FQDN or YOUR name)
-commonName_default = immich3757.beelink.server
-commonName_max = 64
-
-[req_ext]
-subjectAltName = @alt_names
-
-[v3_ca]
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = immich3757.beelink.server
-DNS.10 = localhost
-DNS.11 = 127.0.0.1
diff --git a/etc/nginx/sites-available/immich3757.ddns.net.conf b/etc/nginx/sites-available/immich3757.ddns.net.conf
deleted file mode 100644
index fb2e622..0000000
--- a/etc/nginx/sites-available/immich3757.ddns.net.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-[req]
-default_bits = 2048
-default_keyfile = immich3757.ddns.net.key
-distinguished_name = req_distinguished_name
-req_extensions = req_ext
-x509_extensions = v3_ca
-
-[req_distinguished_name]
-countryName = Country Name (2 letter code)
-countryName_default = US
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Arizona
-localityName = Locality Name (eg, city)
-localityName_default = Anthem
-organizationName = Organization Name (eg, company)
-organizationName_default = Phares
-organizationalUnitName = organizationalunit
-organizationalUnitName_default = Development
-commonName = Common Name (e.g. server FQDN or YOUR name)
-commonName_default = immich3757.ddns.net
-commonName_max = 64
-
-[req_ext]
-subjectAltName = @alt_names
-
-[v3_ca]
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = immich3757.ddns.net
-DNS.10 = localhost
-DNS.11 = 127.0.0.1
diff --git a/etc/nginx/sites-available/music3757.beelink.server.conf b/etc/nginx/sites-available/music3757.beelink.server.conf
deleted file mode 100644
index 308274f..0000000
--- a/etc/nginx/sites-available/music3757.beelink.server.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-[req]
-default_bits = 2048
-default_keyfile = music3757.beelink.server.key
-distinguished_name = req_distinguished_name
-req_extensions = req_ext
-x509_extensions = v3_ca
-
-[req_distinguished_name]
-countryName = Country Name (2 letter code)
-countryName_default = US
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Arizona
-localityName = Locality Name (eg, city)
-localityName_default = Anthem
-organizationName = Organization Name (eg, company)
-organizationName_default = Phares
-organizationalUnitName = organizationalunit
-organizationalUnitName_default = Development
-commonName = Common Name (e.g. server FQDN or YOUR name)
-commonName_default = music3757.beelink.server
-commonName_max = 64
-
-[req_ext]
-subjectAltName = @alt_names
-
-[v3_ca]
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = music3757.beelink.server
-DNS.10 = localhost
-DNS.11 = 127.0.0.1
diff --git a/etc/nginx/sites-available/music3757.ddns.net.conf b/etc/nginx/sites-available/music3757.ddns.net.conf
deleted file mode 100644
index 852b998..0000000
--- a/etc/nginx/sites-available/music3757.ddns.net.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-[req]
-default_bits = 2048
-default_keyfile = music3757.ddns.net.key
-distinguished_name = req_distinguished_name
-req_extensions = req_ext
-x509_extensions = v3_ca
-
-[req_distinguished_name]
-countryName = Country Name (2 letter code)
-countryName_default = US
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Arizona
-localityName = Locality Name (eg, city)
-localityName_default = Anthem
-organizationName = Organization Name (eg, company)
-organizationName_default = Phares
-organizationalUnitName = organizationalunit
-organizationalUnitName_default = Development
-commonName = Common Name (e.g. server FQDN or YOUR name)
-commonName_default = music3757.ddns.net
-commonName_max = 64
-
-[req_ext]
-subjectAltName = @alt_names
-
-[v3_ca]
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = music3757.ddns.net
-DNS.10 = localhost
-DNS.11 = 127.0.0.1
diff --git a/etc/nginx/sites-available/nextcloud3757.beelink.server.conf b/etc/nginx/sites-available/nextcloud3757.beelink.server.conf
deleted file mode 100644
index 0d40fd5..0000000
--- a/etc/nginx/sites-available/nextcloud3757.beelink.server.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-[req]
-default_bits = 2048
-default_keyfile = nextcloud3757.beelink.server.key
-distinguished_name = req_distinguished_name
-req_extensions = req_ext
-x509_extensions = v3_ca
-
-[req_distinguished_name]
-countryName = Country Name (2 letter code)
-countryName_default = US
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Arizona
-localityName = Locality Name (eg, city)
-localityName_default = Anthem
-organizationName = Organization Name (eg, company)
-organizationName_default = Phares
-organizationalUnitName = organizationalunit
-organizationalUnitName_default = Development
-commonName = Common Name (e.g. server FQDN or YOUR name)
-commonName_default = nextcloud3757.beelink.server
-commonName_max = 64
-
-[req_ext]
-subjectAltName = @alt_names
-
-[v3_ca]
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = nextcloud3757.beelink.server
-DNS.10 = localhost
-DNS.11 = 127.0.0.1
diff --git a/etc/nginx/sites-available/nextcloud3757.ddns.net.conf b/etc/nginx/sites-available/nextcloud3757.ddns.net.conf
deleted file mode 100644
index 25ee374..0000000
--- a/etc/nginx/sites-available/nextcloud3757.ddns.net.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-[req]
-default_bits = 2048
-default_keyfile = nextcloud3757.ddns.net.key
-distinguished_name = req_distinguished_name
-req_extensions = req_ext
-x509_extensions = v3_ca
-
-[req_distinguished_name]
-countryName = Country Name (2 letter code)
-countryName_default = US
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Arizona
-localityName = Locality Name (eg, city)
-localityName_default = Anthem
-organizationName = Organization Name (eg, company)
-organizationName_default = Phares
-organizationalUnitName = organizationalunit
-organizationalUnitName_default = Development
-commonName = Common Name (e.g. server FQDN or YOUR name)
-commonName_default = nextcloud3757.ddns.net
-commonName_max = 64
-
-[req_ext]
-subjectAltName = @alt_names
-
-[v3_ca]
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = nextcloud3757.ddns.net
-DNS.10 = localhost
-DNS.11 = 127.0.0.1
diff --git a/etc/nginx/sites-available/phares3757.beelink.server.conf b/etc/nginx/sites-available/phares3757.beelink.server.conf
deleted file mode 100644
index 9da5282..0000000
--- a/etc/nginx/sites-available/phares3757.beelink.server.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-[req]
-default_bits = 2048
-default_keyfile = phares3757.beelink.server.key
-distinguished_name = req_distinguished_name
-req_extensions = req_ext
-x509_extensions = v3_ca
-
-[req_distinguished_name]
-countryName = Country Name (2 letter code)
-countryName_default = US
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Arizona
-localityName = Locality Name (eg, city)
-localityName_default = Anthem
-organizationName = Organization Name (eg, company)
-organizationName_default = Phares
-organizationalUnitName = organizationalunit
-organizationalUnitName_default = Development
-commonName = Common Name (e.g. server FQDN or YOUR name)
-commonName_default = phares3757.beelink.server
-commonName_max = 64
-
-[req_ext]
-subjectAltName = @alt_names
-
-[v3_ca]
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = phares3757.beelink.server
-DNS.10 = localhost
-DNS.11 = 127.0.0.1
diff --git a/etc/nginx/sites-available/phares3757.ddns.net.conf b/etc/nginx/sites-available/phares3757.ddns.net.conf
deleted file mode 100644
index cd94925..0000000
--- a/etc/nginx/sites-available/phares3757.ddns.net.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-[req]
-default_bits = 2048
-default_keyfile = phares3757.ddns.net.key
-distinguished_name = req_distinguished_name
-req_extensions = req_ext
-x509_extensions = v3_ca
-
-[req_distinguished_name]
-countryName = Country Name (2 letter code)
-countryName_default = US
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Arizona
-localityName = Locality Name (eg, city)
-localityName_default = Anthem
-organizationName = Organization Name (eg, company)
-organizationName_default = Phares
-organizationalUnitName = organizationalunit
-organizationalUnitName_default = Development
-commonName = Common Name (e.g. server FQDN or YOUR name)
-commonName_default = phares3757.ddns.net
-commonName_max = 64
-
-[req_ext]
-subjectAltName = @alt_names
-
-[v3_ca]
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = phares3757.ddns.net
-DNS.10 = localhost
-DNS.11 = 127.0.0.1
diff --git a/etc/nginx/sites-available/photoprism.beelink.server.conf b/etc/nginx/sites-available/photoprism.beelink.server.conf
deleted file mode 100644
index 9dd3edb..0000000
--- a/etc/nginx/sites-available/photoprism.beelink.server.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-[req]
-default_bits = 2048
-default_keyfile = photoprism.beelink.server.key
-distinguished_name = req_distinguished_name
-req_extensions = req_ext
-x509_extensions = v3_ca
-
-[req_distinguished_name]
-countryName = Country Name (2 letter code)
-countryName_default = US
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Arizona
-localityName = Locality Name (eg, city)
-localityName_default = Anthem
-organizationName = Organization Name (eg, company)
-organizationName_default = Phares
-organizationalUnitName = organizationalunit
-organizationalUnitName_default = Development
-commonName = Common Name (e.g. server FQDN or YOUR name)
-commonName_default = photoprism.beelink.server
-commonName_max = 64
-
-[req_ext]
-subjectAltName = @alt_names
-
-[v3_ca]
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = photoprism.beelink.server
-DNS.10 = localhost
-DNS.11 = 127.0.0.1
diff --git a/etc/nginx/sites-available/photoprism.ddns.net.conf b/etc/nginx/sites-available/photoprism.ddns.net.conf
deleted file mode 100644
index 82bf3a8..0000000
--- a/etc/nginx/sites-available/photoprism.ddns.net.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-[req]
-default_bits = 2048
-default_keyfile = photoprism.ddns.net.key
-distinguished_name = req_distinguished_name
-req_extensions = req_ext
-x509_extensions = v3_ca
-
-[req_distinguished_name]
-countryName = Country Name (2 letter code)
-countryName_default = US
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Arizona
-localityName = Locality Name (eg, city)
-localityName_default = Anthem
-organizationName = Organization Name (eg, company)
-organizationName_default = Phares
-organizationalUnitName = organizationalunit
-organizationalUnitName_default = Development
-commonName = Common Name (e.g. server FQDN or YOUR name)
-commonName_default = photoprism.ddns.net
-commonName_max = 64
-
-[req_ext]
-subjectAltName = @alt_names
-
-[v3_ca]
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = photoprism.ddns.net
-DNS.10 = localhost
-DNS.11 = 127.0.0.1
diff --git a/etc/nginx/sites-available/pi-hole.beelink.server.conf b/etc/nginx/sites-available/pi-hole.beelink.server.conf
deleted file mode 100644
index 608dd80..0000000
--- a/etc/nginx/sites-available/pi-hole.beelink.server.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-[req]
-default_bits = 2048
-default_keyfile = pi-hole.beelink.server.key
-distinguished_name = req_distinguished_name
-req_extensions = req_ext
-x509_extensions = v3_ca
-
-[req_distinguished_name]
-countryName = Country Name (2 letter code)
-countryName_default = US
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Arizona
-localityName = Locality Name (eg, city)
-localityName_default = Anthem
-organizationName = Organization Name (eg, company)
-organizationName_default = Phares
-organizationalUnitName = organizationalunit
-organizationalUnitName_default = Development
-commonName = Common Name (e.g. server FQDN or YOUR name)
-commonName_default = pi-hole.beelink.server
-commonName_max = 64
-
-[req_ext]
-subjectAltName = @alt_names
-
-[v3_ca]
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = pi-hole.beelink.server
-DNS.10 = localhost
-DNS.11 = 127.0.0.1
diff --git a/etc/nginx/sites-available/pi-hole.ddns.net.conf b/etc/nginx/sites-available/pi-hole.ddns.net.conf
deleted file mode 100644
index 6478d30..0000000
--- a/etc/nginx/sites-available/pi-hole.ddns.net.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-[req]
-default_bits = 2048
-default_keyfile = pi-hole.ddns.net.key
-distinguished_name = req_distinguished_name
-req_extensions = req_ext
-x509_extensions = v3_ca
-
-[req_distinguished_name]
-countryName = Country Name (2 letter code)
-countryName_default = US
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Arizona
-localityName = Locality Name (eg, city)
-localityName_default = Anthem
-organizationName = Organization Name (eg, company)
-organizationName_default = Phares
-organizationalUnitName = organizationalunit
-organizationalUnitName_default = Development
-commonName = Common Name (e.g. server FQDN or YOUR name)
-commonName_default = pi-hole.ddns.net
-commonName_max = 64
-
-[req_ext]
-subjectAltName = @alt_names
-
-[v3_ca]
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = pi-hole.ddns.net
-DNS.10 = localhost
-DNS.11 = 127.0.0.1
diff --git a/etc/nginx/sites-available/syncthing3757.beelink.server.conf b/etc/nginx/sites-available/syncthing3757.beelink.server.conf
deleted file mode 100644
index b8e289e..0000000
--- a/etc/nginx/sites-available/syncthing3757.beelink.server.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-[req]
-default_bits = 2048
-default_keyfile = syncthing3757.beelink.server.key
-distinguished_name = req_distinguished_name
-req_extensions = req_ext
-x509_extensions = v3_ca
-
-[req_distinguished_name]
-countryName = Country Name (2 letter code)
-countryName_default = US
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Arizona
-localityName = Locality Name (eg, city)
-localityName_default = Anthem
-organizationName = Organization Name (eg, company)
-organizationName_default = Phares
-organizationalUnitName = organizationalunit
-organizationalUnitName_default = Development
-commonName = Common Name (e.g. server FQDN or YOUR name)
-commonName_default = syncthing3757.beelink.server
-commonName_max = 64
-
-[req_ext]
-subjectAltName = @alt_names
-
-[v3_ca]
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = syncthing3757.beelink.server
-DNS.10 = localhost
-DNS.11 = 127.0.0.1
diff --git a/etc/nginx/sites-available/syncthing3757.ddns.net.conf b/etc/nginx/sites-available/syncthing3757.ddns.net.conf
deleted file mode 100644
index 610f3cf..0000000
--- a/etc/nginx/sites-available/syncthing3757.ddns.net.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-[req]
-default_bits = 2048
-default_keyfile = syncthing3757.ddns.net.key
-distinguished_name = req_distinguished_name
-req_extensions = req_ext
-x509_extensions = v3_ca
-
-[req_distinguished_name]
-countryName = Country Name (2 letter code)
-countryName_default = US
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Arizona
-localityName = Locality Name (eg, city)
-localityName_default = Anthem
-organizationName = Organization Name (eg, company)
-organizationName_default = Phares
-organizationalUnitName = organizationalunit
-organizationalUnitName_default = Development
-commonName = Common Name (e.g. server FQDN or YOUR name)
-commonName_default = syncthing3757.ddns.net
-commonName_max = 64
-
-[req_ext]
-subjectAltName = @alt_names
-
-[v3_ca]
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = syncthing3757.ddns.net
-DNS.10 = localhost
-DNS.11 = 127.0.0.1
diff --git a/etc/passwd b/etc/passwd
index 3ae3b65..5547641 100644
--- a/etc/passwd
+++ b/etc/passwd
@@ -19,15 +19,20 @@ nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
 systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
 systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
 dhcpcd:x:100:65534:DHCP Client Daemon,,,:/usr/lib/dhcpcd:/bin/false
-messagebus:x:101:106::/nonexistent:/usr/sbin/nologin
-systemd-resolve:x:996:996:systemd Resolver:/:/usr/sbin/nologin
+messagebus:x:101:102::/nonexistent:/usr/sbin/nologin
+systemd-resolve:x:992:992:systemd Resolver:/:/usr/sbin/nologin
 pollinate:x:102:1::/var/cache/pollinate:/bin/false
-polkitd:x:995:995:polkit:/nonexistent:/usr/sbin/nologin
-usbmux:x:103:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
-sshd:x:104:65534::/run/sshd:/usr/sbin/nologin
-mike:x:1000:1000:Mike Phares:/home/mike:/bin/bash
-lphares:x:1002:1002:Logan Phares,,,:/home/lphares:/bin/bash
-bmiller:x:1003:1003:Bill Miller,,,:/home/bmiller:/bin/bash
-gogs:x:1004:1004:gogs,,,:/home/gogs:/bin/bash
-snapd-range-524288-root:x:524288:524288::/nonexistent:/usr/bin/false
-snap_daemon:x:584788:584788::/nonexistent:/usr/bin/false
+polkitd:x:991:991:User for polkitd:/:/usr/sbin/nologin
+syslog:x:103:104::/nonexistent:/usr/sbin/nologin
+uuidd:x:104:105::/run/uuidd:/usr/sbin/nologin
+tcpdump:x:105:107::/nonexistent:/usr/sbin/nologin
+tss:x:106:108:TPM software stack,,,:/var/lib/tpm:/bin/false
+landscape:x:107:109::/var/lib/landscape:/usr/sbin/nologin
+fwupd-refresh:x:989:989:Firmware update daemon:/var/lib/fwupd:/usr/sbin/nologin
+usbmux:x:108:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
+sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
+phares:x:1000:1000:Mike Phares:/home/phares:/bin/bash
+lphares:x:1001:1001:Logan Phares,,,:/home/lphares:/bin/bash
+bmiller:x:1002:1002:Bill Miller,,,:/home/bmiller:/bin/bash
+pihole:x:999:1003::/home/pihole:/usr/sbin/nologin
+unbound:x:110:111::/var/lib/unbound:/usr/sbin/nologin
diff --git a/etc/passwd- b/etc/passwd-
index d1c5fac..30e9546 100644
--- a/etc/passwd-
+++ b/etc/passwd-
@@ -19,14 +19,19 @@ nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
 systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
 systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
 dhcpcd:x:100:65534:DHCP Client Daemon,,,:/usr/lib/dhcpcd:/bin/false
-messagebus:x:101:106::/nonexistent:/usr/sbin/nologin
-systemd-resolve:x:996:996:systemd Resolver:/:/usr/sbin/nologin
+messagebus:x:101:102::/nonexistent:/usr/sbin/nologin
+systemd-resolve:x:992:992:systemd Resolver:/:/usr/sbin/nologin
 pollinate:x:102:1::/var/cache/pollinate:/bin/false
-polkitd:x:995:995:polkit:/nonexistent:/usr/sbin/nologin
-usbmux:x:103:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
-sshd:x:104:65534::/run/sshd:/usr/sbin/nologin
-mike:x:1000:1000:Mike Phares:/home/mike:/bin/bash
-lphares:x:1002:1002:Logan Phares,,,:/home/lphares:/bin/bash
-bmiller:x:1003:1003:Bill Miller,,,:/home/bmiller:/bin/bash
-gogs:x:1004:1004:gogs,,,:/home/gogs:/bin/bash
-snapd-range-524288-root:x:524288:524288::/nonexistent:/usr/bin/false
+polkitd:x:991:991:User for polkitd:/:/usr/sbin/nologin
+syslog:x:103:104::/nonexistent:/usr/sbin/nologin
+uuidd:x:104:105::/run/uuidd:/usr/sbin/nologin
+tcpdump:x:105:107::/nonexistent:/usr/sbin/nologin
+tss:x:106:108:TPM software stack,,,:/var/lib/tpm:/bin/false
+landscape:x:107:109::/var/lib/landscape:/usr/sbin/nologin
+fwupd-refresh:x:989:989:Firmware update daemon:/var/lib/fwupd:/usr/sbin/nologin
+usbmux:x:108:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
+sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
+phares:x:1000:1000:Mike Phares:/home/phares:/bin/bash
+lphares:x:1001:1001:Logan Phares,,,:/home/lphares:/bin/bash
+bmiller:x:1002:1002:Bill Miller,,,:/home/bmiller:/bin/bash
+pihole:x:999:1003::/home/pihole:/usr/sbin/nologin
diff --git a/etc/pihole/dhcp.leases b/etc/pihole/dhcp.leases
new file mode 100644
index 0000000..e69de29
diff --git a/etc/pihole/setupVars.conf b/etc/pihole/setupVars.conf
new file mode 100644
index 0000000..7080dca
--- /dev/null
+++ b/etc/pihole/setupVars.conf
@@ -0,0 +1,14 @@
+PIHOLE_INTERFACE=enp2s0
+QUERY_LOGGING=true
+INSTALL_WEB_SERVER=true
+INSTALL_WEB_INTERFACE=true
+LIGHTTPD_ENABLED=true
+CACHE_SIZE=10000
+DNS_FQDN_REQUIRED=true
+DNS_BOGUS_PRIV=true
+DNSMASQ_LISTENING=local
+WEBPASSWORD=4f2f4f253d64a90315c0ace8a61b6b6e828f8d8d996b0a0b0e153230617bedd3
+BLOCKING_ENABLED=true
+PIHOLE_DNS_1=127.0.0.1#5335
+DNSSEC=false
+REV_SERVER=false
diff --git a/etc/shadow b/etc/shadow
index c324260..592bfc7 100644
--- a/etc/shadow
+++ b/etc/shadow
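Review bot: The `WEBPASSWORD=` line on the new side commits the Pi-hole admin password hash to the repository, where anyone with read access to the history can run offline guessing against it and, on success, log into the block-list admin UI. Pi-hole regenerates this value from `pihole -a -p`, so setupVars.conf should be kept out of the tree (or the key stripped before commit) and the admin password changed once the hash has reached a pushed commit. `PIHOLE_DNS_1=127.0.0.1#5335` with `DNSSEC=false` is consistent with a local validating resolver on that port — the `unbound` account added in etc/passwd points that way — but nothing in this hunk shows that resolver's configuration, so a one-line comment such as `# upstream is the local unbound on 5335, which does the DNSSEC validation` would make the DNSSEC=false choice reviewable.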
@@ -1,33 +1,38 @@
-root:*:19641:0:99999:7:::
-daemon:*:19641:0:99999:7:::
-bin:*:19641:0:99999:7:::
-sys:*:19641:0:99999:7:::
-sync:*:19641:0:99999:7:::
-games:*:19641:0:99999:7:::
-man:*:19641:0:99999:7:::
-lp:*:19641:0:99999:7:::
-mail:*:19641:0:99999:7:::
-news:*:19641:0:99999:7:::
-uucp:*:19641:0:99999:7:::
-proxy:*:19641:0:99999:7:::
-www-data:*:19641:0:99999:7:::
-backup:*:19641:0:99999:7:::
-list:*:19641:0:99999:7:::
-irc:*:19641:0:99999:7:::
-_apt:*:19641:0:99999:7:::
-nobody:*:19641:0:99999:7:::
-systemd-network:!*:19641::::::
-systemd-timesync:!*:19641::::::
-dhcpcd:!:19641::::::
-messagebus:!:19641::::::
-systemd-resolve:!*:19641::::::
-pollinate:!:19641::::::
-polkitd:!*:19641::::::
-usbmux:!:19834::::::
-sshd:!:19834::::::
-mike:$6$QRbDvWDeiwqDRfuu$krk4b6ITBDmi/CMIWLAQdBfYmZXzMSbsrzyhEkrIfCC7wLK6mZZ3E7jn1OReEgFTxtx.oVibHh.l5U3jpskZo/:19834:0:99999:7:::
-lphares:$y$j9T$PuVm73wgRxF7.efV0ZbNC/$IjHAHZzMBNr9YPbxF9T0jNhAf0CrHkb3tqmXNKmJWEC:19835:0:99999:7:::
-bmiller:$y$j9T$98wrMjOMoquxT8z19JnsA.$UVr695OobiLESI/H028IMhVHOoKsZzdfyrhCMr3fp1.:19835:0:99999:7:::
-gogs:$y$j9T$pSEx/jhTuuaKMUAMExHgk/$.ELBs7.03JbQvvYMEHsM4oWddabw673rythGqgp2eE3:19835:0:99999:7:::
-snapd-range-524288-root:!:19860::::::
-snap_daemon:!:19860::::::
+root:*:19836:0:99999:7:::
+daemon:*:19836:0:99999:7:::
+bin:*:19836:0:99999:7:::
+sys:*:19836:0:99999:7:::
+sync:*:19836:0:99999:7:::
+games:*:19836:0:99999:7:::
+man:*:19836:0:99999:7:::
+lp:*:19836:0:99999:7:::
+mail:*:19836:0:99999:7:::
+news:*:19836:0:99999:7:::
+uucp:*:19836:0:99999:7:::
+proxy:*:19836:0:99999:7:::
+www-data:*:19836:0:99999:7:::
+backup:*:19836:0:99999:7:::
+list:*:19836:0:99999:7:::
+irc:*:19836:0:99999:7:::
+_apt:*:19836:0:99999:7:::
+nobody:*:19836:0:99999:7:::
+systemd-network:!*:19836::::::
+systemd-timesync:!*:19836::::::
+dhcpcd:!:19836::::::
+messagebus:!:19836::::::
+systemd-resolve:!*:19836::::::
+pollinate:!:19836::::::
+polkitd:!*:19836::::::
+syslog:!:19836::::::
+uuidd:!:19836::::::
+tcpdump:!:19836::::::
+tss:!:19836::::::
+landscape:!:19836::::::
+fwupd-refresh:!*:19836::::::
+usbmux:!:19927::::::
+sshd:!:19927::::::
+phares:$6$LmgqfVuKR4/5T6by$yxaJ71xy0Exf7laLI6OMkgqabo5r8bzlFPZekwuGRYO8JJMH2tKeTD2W1JOVD0X2pgL5Ob73xB45Vl/lIGYsO.:19927:0:99999:7:::
+lphares:$y$j9T$bai9Rz4yLf4MoGt4s6iJB/$rzofcXaHGl0hmnnx1gZwsF4/IoTkcJRA2MX.Tc3E6l6:19927:0:99999:7:::
+bmiller:$y$j9T$xqZANIbaE1MCQCukITvTr0$d55.kptZwaAVL4uPmeYm2cygatWo5NG5LW8V833OST1:19927:0:99999:7:::
+pihole:!:19927::::::
+unbound:!:19927::::::
diff --git a/etc/shadow- b/etc/shadow-
index 603182e..3f69e9e 100644
--- a/etc/shadow-
+++ b/etc/shadow-
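Review bot: The new side replaces the password hashes for `phares`, `lphares` and `bmiller` with freshly set ones, so the repository history now carries two generations of crackable credentials for the only interactive accounts on the host; the etc/shadow- hunk that follows stores the same hashes and the same point applies there. Neither file belongs in version control: remove both from the tree, purge them from history before the remote is shared further, and treat every password whose hash has been committed as exposed and in need of a reset. A smaller point on the new `phares` entry: it is stored as `$6$` (sha512crypt) while the other two accounts carry the distribution's current yescrypt (`$y$`) format, which suggests the hash was carried over rather than set on the new install; resetting it on this host would move it onto the default.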
@@ -1,32 +1,37 @@
-root:*:19641:0:99999:7:::
-daemon:*:19641:0:99999:7:::
-bin:*:19641:0:99999:7:::
-sys:*:19641:0:99999:7:::
-sync:*:19641:0:99999:7:::
-games:*:19641:0:99999:7:::
-man:*:19641:0:99999:7:::
-lp:*:19641:0:99999:7:::
-mail:*:19641:0:99999:7:::
-news:*:19641:0:99999:7:::
-uucp:*:19641:0:99999:7:::
-proxy:*:19641:0:99999:7:::
-www-data:*:19641:0:99999:7:::
-backup:*:19641:0:99999:7:::
-list:*:19641:0:99999:7:::
-irc:*:19641:0:99999:7:::
-_apt:*:19641:0:99999:7:::
-nobody:*:19641:0:99999:7:::
-systemd-network:!*:19641::::::
-systemd-timesync:!*:19641::::::
-dhcpcd:!:19641::::::
-messagebus:!:19641::::::
-systemd-resolve:!*:19641::::::
-pollinate:!:19641::::::
-polkitd:!*:19641::::::
-usbmux:!:19834::::::
-sshd:!:19834::::::
-mike:$6$QRbDvWDeiwqDRfuu$krk4b6ITBDmi/CMIWLAQdBfYmZXzMSbsrzyhEkrIfCC7wLK6mZZ3E7jn1OReEgFTxtx.oVibHh.l5U3jpskZo/:19834:0:99999:7:::
-lphares:$y$j9T$PuVm73wgRxF7.efV0ZbNC/$IjHAHZzMBNr9YPbxF9T0jNhAf0CrHkb3tqmXNKmJWEC:19835:0:99999:7:::
-bmiller:$y$j9T$98wrMjOMoquxT8z19JnsA.$UVr695OobiLESI/H028IMhVHOoKsZzdfyrhCMr3fp1.:19835:0:99999:7:::
-gogs:$y$j9T$pSEx/jhTuuaKMUAMExHgk/$.ELBs7.03JbQvvYMEHsM4oWddabw673rythGqgp2eE3:19835:0:99999:7:::
-snapd-range-524288-root:!:19860::::::
+root:*:19836:0:99999:7:::
+daemon:*:19836:0:99999:7:::
+bin:*:19836:0:99999:7:::
+sys:*:19836:0:99999:7:::
+sync:*:19836:0:99999:7:::
+games:*:19836:0:99999:7:::
+man:*:19836:0:99999:7:::
+lp:*:19836:0:99999:7:::
+mail:*:19836:0:99999:7:::
+news:*:19836:0:99999:7:::
+uucp:*:19836:0:99999:7:::
+proxy:*:19836:0:99999:7:::
+www-data:*:19836:0:99999:7:::
+backup:*:19836:0:99999:7:::
+list:*:19836:0:99999:7:::
+irc:*:19836:0:99999:7:::
+_apt:*:19836:0:99999:7:::
+nobody:*:19836:0:99999:7:::
+systemd-network:!*:19836::::::
+systemd-timesync:!*:19836::::::
+dhcpcd:!:19836::::::
+messagebus:!:19836::::::
+systemd-resolve:!*:19836::::::
+pollinate:!:19836::::::
+polkitd:!*:19836::::::
+syslog:!:19836::::::
+uuidd:!:19836::::::
+tcpdump:!:19836::::::
+tss:!:19836::::::
+landscape:!:19836::::::
+fwupd-refresh:!*:19836::::::
+usbmux:!:19927::::::
+sshd:!:19927::::::
+phares:$6$LmgqfVuKR4/5T6by$yxaJ71xy0Exf7laLI6OMkgqabo5r8bzlFPZekwuGRYO8JJMH2tKeTD2W1JOVD0X2pgL5Ob73xB45Vl/lIGYsO.:19927:0:99999:7:::
+lphares:$y$j9T$bai9Rz4yLf4MoGt4s6iJB/$rzofcXaHGl0hmnnx1gZwsF4/IoTkcJRA2MX.Tc3E6l6:19927:0:99999:7:::
+bmiller:$y$j9T$xqZANIbaE1MCQCukITvTr0$d55.kptZwaAVL4uPmeYm2cygatWo5NG5LW8V833OST1:19927:0:99999:7:::
+pihole:!:19927::::::
diff --git a/etc/sysctl.conf b/etc/sysctl.conf
index eb96ed5..c9d1e48 100644
--- a/etc/sysctl.conf
+++ b/etc/sysctl.conf
@@ -42,7 +42,7 @@
 #
 # Do not accept ICMP redirects (prevent MITM attacks)
 #net.ipv4.conf.all.accept_redirects = 0
-#net.ipv6.conf.all.accept_redirects = 0
+#net.ipv4.conf.default.accept_redirects = 0
 # _or_
 # Accept ICMP redirects only for gateways listed in our default
 # gateway list (enabled by default)
@@ -51,10 +51,6 @@
 # Do not send ICMP redirects (we are not a router)
 #net.ipv4.conf.all.send_redirects = 0
 #
-# Do not accept IP source route packets (we are not a router)
-#net.ipv4.conf.all.accept_source_route = 0
-#net.ipv6.conf.all.accept_source_route = 0
-#
 # Log Martian Packets
 #net.ipv4.conf.all.log_martians = 1
 #
diff --git a/etc/systemd/resolved.conf b/etc/systemd/resolved.conf
index 9f70947..87fd639 100644
--- a/etc/systemd/resolved.conf
+++ b/etc/systemd/resolved.conf
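Review bot: Both sysctl.conf hunks touch only commented-out lines — the `accept_redirects` swap in the first and the dropped `accept_source_route` block in the second — so the running kernel keeps its defaults for ICMP redirects and source routing on either side of this commit; this looks like the distribution's template moving between releases rather than a policy decision, though the diff alone cannot confirm that. Given that the Pi-hole configuration elsewhere in this commit makes the host the LAN's resolver, a drop-in under /etc/sysctl.d that actually sets `net.ipv4.conf.all.accept_redirects = 0` and `net.ipv4.conf.all.accept_source_route = 0` would turn the hardening the comments describe into something the repo records and a reviewer can see is in force.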
@@ -6,9 +6,11 @@
 # any later version.
 #
 # Entries in this file show the compile time defaults. Local configuration
-# should be created by either modifying this file, or by creating "drop-ins" in
-# the resolved.conf.d/ subdirectory. The latter is generally recommended.
-# Defaults can be restored by simply deleting this file and all drop-ins.
+# should be created by either modifying this file (or a copy of it placed in
+# /etc/ if the original file is shipped in /usr/), or by creating "drop-ins" in
+# the /etc/systemd/resolved.conf.d/ directory. The latter is generally
+# recommended. Defaults can be restored by simply deleting the main
+# configuration file and all drop-ins located in /etc/.
 #
 # Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.
 #
@@ -28,7 +30,8 @@
 #LLMNR=no
 #Cache=no-negative
 #CacheFromLocalhost=no
-#DNSStubListener=yes
+DNSStubListener=no
 #DNSStubListenerExtra=
 #ReadEtcHosts=yes
 #ResolveUnicastSingleLabel=no
+#StaleRetentionSec=0
diff --git a/etc/systemd/system/gogs-daemon.service b/etc/systemd/system/gogs-daemon.service
deleted file mode 100644
index 6b07a21..0000000
--- a/etc/systemd/system/gogs-daemon.service
+++ /dev/null
@@ -1,30 +0,0 @@
-[Unit]
-Description=Gogs
-After=syslog.target
-After=network.target
-
-[Service]
-# Modify these two values and uncomment them if you have
-# repos with lots of files and get an HTTP error 500 because
-# of that
-###
-#LimitMEMLOCK=infinity
-#LimitNOFILE=65535
-Type=simple
-User=gogs
-Group=gogs
-WorkingDirectory=/home/gogs/gogs
-ExecStart=/home/gogs/gogs/gogs web
-Restart=always
-Environment=USER=gogs HOME=/home/gogs
-
-# Some distributions may not support these hardening directives
-# If you cannot start the service due
-# to an unknown option, comment out the ones not supported by your version of systemd.
-ProtectSystem=full
-PrivateDevices=yes
-PrivateTmp=yes
-NoNewPrivileges=true
-
-[Install]
-WantedBy=multi-user.target
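Review bot: `DNSStubListener=no` in the second resolved.conf hunk releases 127.0.0.53:53 so the Pi-hole resolver added in this commit can bind port 53, but if /etc/resolv.conf is still the symlink to stub-resolv.conf, the host's own lookups keep going to the stub address that now has no listener. Nothing in the hunk shows how /etc/resolv.conf is set up on the new install; either point it at /run/systemd/resolve/resolv.conf or set `DNS=127.0.0.1` in this file so local resolution goes through Pi-hole, and record which was done in a comment next to the changed line, e.g. `# stub disabled: Pi-hole owns :53, /etc/resolv.conf points at it`. The comment-block rewording in the first hunk and the new `#StaleRetentionSec=0` default are the upstream template catching up and need nothing.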
diff --git a/etc/systemd/system/snap.certbot.renew.service b/etc/systemd/system/snap.certbot.renew.service
new file mode 100644
index 0000000..a988190
--- /dev/null
+++ b/etc/systemd/system/snap.certbot.renew.service
@@ -0,0 +1,16 @@
+[Unit]
+# Auto-generated, DO NOT EDIT
+Description=Service for snap application certbot.renew
+Requires=snap-certbot-3834.mount
+Wants=network.target
+After=snap-certbot-3834.mount network.target snapd.apparmor.service
+X-Snappy=yes
+
+[Service]
+EnvironmentFile=-/etc/environment
+ExecStart=/usr/bin/snap run --timer="00:00~24:00/2" certbot.renew
+SyslogIdentifier=certbot.renew
+Restart=no
+WorkingDirectory=/var/snap/certbot/3834
+TimeoutStopSec=30
+Type=oneshot
diff --git a/etc/systemd/system/snap.certbot.renew.timer b/etc/systemd/system/snap.certbot.renew.timer
new file mode 100644
index 0000000..409cd51
--- /dev/null
+++ b/etc/systemd/system/snap.certbot.renew.timer
@@ -0,0 +1,14 @@
+[Unit]
+# Auto-generated, DO NOT EDIT
+Description=Timer renew for snap application certbot.renew
+Requires=snap-certbot-3834.mount
+After=snap-certbot-3834.mount
+X-Snappy=yes
+
+[Timer]
+Unit=snap.certbot.renew.service
+OnCalendar=*-*-* 03:24
+OnCalendar=*-*-* 20:15
+
+[Install]
+WantedBy=timers.target
diff --git a/etc/systemd/system/snap.immich-distribution.acme.service b/etc/systemd/system/snap.immich-distribution.acme.service
deleted file mode 100644
index 3f78444..0000000
--- a/etc/systemd/system/snap.immich-distribution.acme.service
+++ /dev/null
@@ -1,17 +0,0 @@ -[Unit] -# Auto-generated, DO NOT EDIT -Description=Service for snap application immich-distribution.acme -Requires=snap-immich\x2ddistribution-131.mount -Wants=network.target -After=snap-immich\x2ddistribution-131.mount network.target snapd.apparmor.service -X-Snappy=yes - -[Service] -EnvironmentFile=-/etc/environment -ExecStart=/usr/bin/snap run --timer="00:00-24:00/2" immich-distribution.acme -SyslogIdentifier=immich-distribution.acme -Restart=on-failure -RestartSec=60 -WorkingDirectory=/var/snap/immich-distribution/131 -TimeoutStopSec=30 -Type=simple diff --git a/etc/systemd/system/snap.immich-distribution.acme.timer b/etc/systemd/system/snap.immich-distribution.acme.timer deleted file mode 100644 index cc9a3db..0000000 --- a/etc/systemd/system/snap.immich-distribution.acme.timer +++ /dev/null @@ -1,14 +0,0 @@ -[Unit] -# Auto-generated, DO NOT EDIT -Description=Timer acme for snap application immich-distribution.acme -Requires=snap-immich\x2ddistribution-131.mount -After=snap-immich\x2ddistribution-131.mount -X-Snappy=yes - -[Timer] -Unit=snap.immich-distribution.acme.service -OnCalendar=*-*-* 00:00 -OnCalendar=*-*-* 12:00 - -[Install] -WantedBy=timers.target diff --git a/etc/systemd/system/snap.immich-distribution.haproxy.service b/etc/systemd/system/snap.immich-distribution.haproxy.service deleted file mode 100644 index 07faa72..0000000 --- a/etc/systemd/system/snap.immich-distribution.haproxy.service +++ /dev/null 
@@ -1,19 +0,0 @@ -[Unit] -# Auto-generated, DO NOT EDIT -Description=Service for snap application immich-distribution.haproxy -Requires=snap-immich\x2ddistribution-131.mount -Wants=network.target -After=snap-immich\x2ddistribution-131.mount network.target snapd.apparmor.service -X-Snappy=yes - -[Service] -EnvironmentFile=-/etc/environment -ExecStart=/usr/bin/snap run immich-distribution.haproxy -SyslogIdentifier=immich-distribution.haproxy -Restart=on-failure -WorkingDirectory=/var/snap/immich-distribution/131 -TimeoutStopSec=30 -Type=simple - -[Install] -WantedBy=multi-user.target diff --git a/etc/systemd/system/snap.immich-distribution.immich-machine-learning.service b/etc/systemd/system/snap.immich-distribution.immich-machine-learning.service deleted file mode 100644 index 587f527..0000000 --- a/etc/systemd/system/snap.immich-distribution.immich-machine-learning.service +++ /dev/null @@ -1,19 +0,0 @@ -[Unit] -# Auto-generated, DO NOT EDIT -Description=Service for snap application immich-distribution.immich-machine-learning -Requires=snap-immich\x2ddistribution-131.mount -Wants=network.target -After=snap-immich\x2ddistribution-131.mount network.target snapd.apparmor.service -X-Snappy=yes - -[Service] -EnvironmentFile=-/etc/environment -ExecStart=/usr/bin/snap run immich-distribution.immich-machine-learning -SyslogIdentifier=immich-distribution.immich-machine-learning -Restart=on-failure -WorkingDirectory=/var/snap/immich-distribution/131 -TimeoutStopSec=30 -Type=simple - -[Install] -WantedBy=multi-user.target diff --git a/etc/systemd/system/snap.immich-distribution.immich-microservices.service b/etc/systemd/system/snap.immich-distribution.immich-microservices.service deleted file mode 100644 index df5c952..0000000 --- a/etc/systemd/system/snap.immich-distribution.immich-microservices.service +++ /dev/null 
@@ -1,20 +0,0 @@ -[Unit] -# Auto-generated, DO NOT EDIT -Description=Service for snap application immich-distribution.immich-microservices -Requires=snap-immich\x2ddistribution-131.mount -Wants=network.target -After=snap-immich\x2ddistribution-131.mount network.target snap.immich-distribution.redis-server.service snap.immich-distribution.postgres.service snap.immich-distribution.immich-server.service snapd.apparmor.service -X-Snappy=yes - -[Service] -EnvironmentFile=-/etc/environment -ExecStart=/usr/bin/snap run immich-distribution.immich-microservices -SyslogIdentifier=immich-distribution.immich-microservices -Restart=on-failure -RestartSec=10 -WorkingDirectory=/var/snap/immich-distribution/131 -TimeoutStopSec=30 -Type=simple - -[Install] -WantedBy=multi-user.target diff --git a/etc/systemd/system/snap.immich-distribution.immich-server.service b/etc/systemd/system/snap.immich-distribution.immich-server.service deleted file mode 100644 index 4a7d0ba..0000000 --- a/etc/systemd/system/snap.immich-distribution.immich-server.service +++ /dev/null @@ -1,20 +0,0 @@ -[Unit] -# Auto-generated, DO NOT EDIT -Description=Service for snap application immich-distribution.immich-server -Requires=snap-immich\x2ddistribution-131.mount -Wants=network.target -After=snap-immich\x2ddistribution-131.mount network.target snap.immich-distribution.redis-server.service snap.immich-distribution.postgres.service snapd.apparmor.service -X-Snappy=yes - -[Service] -EnvironmentFile=-/etc/environment -ExecStart=/usr/bin/snap run immich-distribution.immich-server -SyslogIdentifier=immich-distribution.immich-server -Restart=on-failure -RestartSec=10 -WorkingDirectory=/var/snap/immich-distribution/131 -TimeoutStopSec=30 -Type=simple - -[Install] -WantedBy=multi-user.target diff --git a/etc/systemd/system/snap.immich-distribution.manager.service b/etc/systemd/system/snap.immich-distribution.manager.service deleted file mode 100644 index 88d9577..0000000 
--- a/etc/systemd/system/snap.immich-distribution.manager.service +++ /dev/null @@ -1,20 +0,0 @@ -[Unit] -# Auto-generated, DO NOT EDIT -Description=Service for snap application immich-distribution.manager -Requires=snap-immich\x2ddistribution-131.mount -Wants=network.target -After=snap-immich\x2ddistribution-131.mount network.target snap.immich-distribution.immich-server.service snap.immich-distribution.immich-microservices.service snapd.apparmor.service -X-Snappy=yes - -[Service] -EnvironmentFile=-/etc/environment -ExecStart=/usr/bin/snap run immich-distribution.manager -SyslogIdentifier=immich-distribution.manager -Restart=on-failure -RestartSec=60 -WorkingDirectory=/var/snap/immich-distribution/131 -TimeoutStopSec=30 -Type=simple - -[Install] -WantedBy=multi-user.target diff --git a/etc/systemd/system/snap.immich-distribution.postgres.service b/etc/systemd/system/snap.immich-distribution.postgres.service deleted file mode 100644 index c193f80..0000000 --- a/etc/systemd/system/snap.immich-distribution.postgres.service +++ /dev/null @@ -1,20 +0,0 @@ -[Unit] -# Auto-generated, DO NOT EDIT -Description=Service for snap application immich-distribution.postgres -Requires=snap-immich\x2ddistribution-131.mount -Wants=network.target -After=snap-immich\x2ddistribution-131.mount network.target snapd.apparmor.service -X-Snappy=yes - -[Service] -EnvironmentFile=-/etc/environment -ExecStart=/usr/bin/snap run immich-distribution.postgres -SyslogIdentifier=immich-distribution.postgres -Restart=on-failure -RestartSec=10 -WorkingDirectory=/var/snap/immich-distribution/131 -TimeoutStopSec=30 -Type=simple - -[Install] -WantedBy=multi-user.target diff --git a/etc/systemd/system/snap.immich-distribution.redis-server.service b/etc/systemd/system/snap.immich-distribution.redis-server.service deleted file mode 100644 index f1f0024..0000000 --- a/etc/systemd/system/snap.immich-distribution.redis-server.service +++ /dev/null 
@@ -1,20 +0,0 @@ -[Unit] -# Auto-generated, DO NOT EDIT -Description=Service for snap application immich-distribution.redis-server -Requires=snap-immich\x2ddistribution-131.mount -Wants=network.target -After=snap-immich\x2ddistribution-131.mount network.target snapd.apparmor.service -X-Snappy=yes - -[Service] -EnvironmentFile=-/etc/environment -ExecStart=/usr/bin/snap run immich-distribution.redis-server -SyslogIdentifier=immich-distribution.redis-server -Restart=on-failure -RestartSec=10 -WorkingDirectory=/var/snap/immich-distribution/131 -TimeoutStopSec=30 -Type=simple - -[Install] -WantedBy=multi-user.target diff --git a/etc/systemd/system/snap.immich-distribution.sync-service.service b/etc/systemd/system/snap.immich-distribution.sync-service.service deleted file mode 100644 index 30bc835..0000000 --- a/etc/systemd/system/snap.immich-distribution.sync-service.service +++ /dev/null @@ -1,20 +0,0 @@ -[Unit] -# Auto-generated, DO NOT EDIT -Description=Service for snap application immich-distribution.sync-service -Requires=snap-immich\x2ddistribution-131.mount -Wants=network.target -After=snap-immich\x2ddistribution-131.mount network.target snap.immich-distribution.immich-server.service snapd.apparmor.service -X-Snappy=yes - -[Service] -EnvironmentFile=-/etc/environment -ExecStart=/usr/bin/snap run immich-distribution.sync-service -SyslogIdentifier=immich-distribution.sync-service -Restart=on-failure -RestartSec=10 -WorkingDirectory=/var/snap/immich-distribution/131 -TimeoutStopSec=30 -Type=simple - -[Install] -WantedBy=multi-user.target diff --git a/etc/systemd/system/snap.ubuntu-frame.daemon.service b/etc/systemd/system/snap.ubuntu-frame.daemon.service index b3bc30f..4169a7b 100644 --- a/etc/systemd/system/snap.ubuntu-frame.daemon.service +++ b/etc/systemd/system/snap.ubuntu-frame.daemon.service 
@@ -1,9 +1,9 @@ [Unit] # Auto-generated, DO NOT EDIT Description=Service for snap application ubuntu-frame.daemon -Requires=snap-ubuntu\x2dframe-9120.mount +Requires=snap-ubuntu\x2dframe-9750.mount Wants=network.target -After=snap-ubuntu\x2dframe-9120.mount network.target snapd.apparmor.service +After=snap-ubuntu\x2dframe-9750.mount network.target snapd.apparmor.service X-Snappy=yes [Service] @@ -12,7 +12,7 @@ ExecStart=/usr/bin/snap run ubuntu-frame.daemon SyslogIdentifier=ubuntu-frame.daemon Restart=on-failure RestartSec=3 -WorkingDirectory=/var/snap/ubuntu-frame/9120 +WorkingDirectory=/var/snap/ubuntu-frame/9750 TimeoutStopSec=30 Type=simple diff --git a/etc/unbound/unbound.conf b/etc/unbound/unbound.conf new file mode 100644 index 0000000..fa5185f --- /dev/null +++ b/etc/unbound/unbound.conf @@ -0,0 +1,10 @@ +# Unbound configuration file for Debian. +# +# See the unbound.conf(5) man page. +# +# See /usr/share/doc/unbound/examples/unbound.conf for a commented +# reference config file. +# +# The following line includes additional configuration files from the +# /etc/unbound/unbound.conf.d directory. +include-toplevel: "/etc/unbound/unbound.conf.d/*.conf" diff --git a/etc/unbound/unbound.conf.d/pi-hole.conf b/etc/unbound/unbound.conf.d/pi-hole.conf new file mode 100644 index 0000000..a45d94e --- /dev/null +++ b/etc/unbound/unbound.conf.d/pi-hole.conf 
@@ -0,0 +1,66 @@ +server: + # If no logfile is specified, syslog is used + # logfile: "/var/log/unbound/unbound.log" + verbosity: 0 + + interface: 127.0.0.1 + port: 5335 + do-ip4: yes + do-udp: yes + do-tcp: yes + + # May be set to yes if you have IPv6 connectivity + do-ip6: no + + # You want to leave this to no unless you have *native* IPv6. With 6to4 and + # Terredo tunnels your web browser should favor IPv4 for the same reasons + prefer-ip6: no + + # Use this only when you downloaded the list of primary root servers! + # If you use the default dns-root-data package, unbound will find it automatically + #root-hints: "/var/lib/unbound/root.hints" + + # Trust glue only if it is within the server's authority + harden-glue: yes + + # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS + harden-dnssec-stripped: yes + + # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes + # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details + use-caps-for-id: no + + # Reduce EDNS reassembly buffer size. + # IP fragmentation is unreliable on the Internet today, and can cause + # transmission failures when large DNS messages are sent via UDP. Even + # when fragmentation does work, it may not be secure; it is theoretically + # possible to spoof parts of a fragmented DNS message, without easy + # detection at the receiving end. Recently, there was an excellent study + # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<< + # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/) + # in collaboration with NLnet Labs explored DNS using real world data from the + # the RIPE Atlas probes and the researchers suggested different values for + # IPv4 and IPv6 and in different scenarios. 
They advise that servers should + # be configured to limit DNS messages sent over UDP to a size that will not + # trigger fragmentation on typical network links. DNS servers can switch + # from UDP to TCP when a DNS response is too big to fit in this limited + # buffer size. This value has also been suggested in DNS Flag Day 2020. + edns-buffer-size: 1232 + + # Perform prefetching of close to expired message cache entries + # This only applies to domains that have been frequently queried + prefetch: yes + + # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1. + num-threads: 1 + + # Ensure kernel buffer is large enough to not lose messages in traffic spikes + so-rcvbuf: 1m + + # Ensure privacy of local IP ranges + private-address: 192.168.0.0/16 + private-address: 169.254.0.0/16 + private-address: 172.16.0.0/12 + private-address: 10.0.0.0/8 + private-address: fd00::/8 + private-address: fe80::/10 diff --git a/opt/copy/gitea/.env b/opt/copy/gitea/.env new file mode 100644 index 0000000..96937fe --- /dev/null +++ b/opt/copy/gitea/.env @@ -0,0 +1,9 @@ +GITEA__database__DB_TYPE=postgres +GITEA__database__HOST=postgres:5432 +GITEA__database__NAME=gitea +GITEA__database__USER=gitea +GITEA__database__PASSWD=gitea + +POSTGRES_USER=gitea +POSTGRES_PASSWORD=gitea +POSTGRES_DB=gitea \ No newline at end of file diff --git a/opt/copy/gitea/compose.yaml b/opt/copy/gitea/compose.yaml new file mode 100644 index 0000000..42ab6c2 --- /dev/null +++ b/opt/copy/gitea/compose.yaml 
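Review bot: `so-rcvbuf: 1m` near the end of the pi-hole.conf hunk only takes effect if the kernel's `net.core.rmem_max` is at least that large; unbound logs a warning and carries on with the smaller buffer otherwise, so the intent is silently lost. A comment such as `# Needs net.core.rmem_max >= 1048576 (sysctl) or the kernel caps this` next to it would make the dependency visible. The listener on 127.0.0.1:5335 has no `access-control` entries, which is fine while the only client is the OS-level Pi-hole on this host, but a containerised resolver on a bridge network would need an explicit interface and allow rule, worth noting since the commit moves other services into Docker. `harden-dnssec-stripped: yes` also presumes the distribution's trust-anchor drop-in under `/etc/unbound/unbound.conf.d/` is installed and active — confirm, since it is not part of this diff.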
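Review bot: `GITEA__database__PASSWD=gitea` and `POSTGRES_PASSWORD=gitea` in opt/copy/gitea/.env commit a guessable database credential to the repository, and the same pattern appears in opt/copy/immich/.env (`DB_PASSWORD=postgres`, directly under a comment asking for a random password) and inline in opt/copy/kestra/compose.yaml (`k3str4`). The postgres service in the accompanying compose file publishes no port, so reach is limited to the compose network, but the value is now in git history for good. Suggest committing a placeholder, e.g. `POSTGRES_PASSWORD=<generated-at-deploy-time>`, and creating the real `.env` on the host outside version control; the file is also missing its trailing newline.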
@@ -0,0 +1,37 @@ +services: + postgres: + environment: + - POSTGRES_USER=${POSTGRES_USER} + - POSTGRES_PASSWORD=${POSTGRES_PASSWORD} + - POSTGRES_DB=${POSTGRES_DB} + image: postgres:14 + restart: always + volumes: + - gitea-postgres:/var/lib/postgresql/data + server: + depends_on: + postgres: + condition: service_started + environment: + - GITEA__database__DB_TYPE=${GITEA__database__DB_TYPE} + - GITEA__database__HOST=${GITEA__database__HOST} + - GITEA__database__NAME=${GITEA__database__NAME} + - GITEA__database__USER=${GITEA__database__USER} + - GITEA__database__PASSWD=${GITEA__database__PASSWD} + image: gitea/gitea:latest-rootless + ports: + - 3000:3000 + - 2222:2222 + restart: always + volumes: + - gitea-data:/var/lib/gitea + - gitea-config:/etc/gitea + - /etc/timezone:/etc/timezone:ro + - /etc/localtime:/etc/localtime:ro +volumes: + gitea-config: + driver: local + gitea-data: + driver: local + gitea-postgres: + driver: local diff --git a/opt/copy/immich/.env b/opt/copy/immich/.env new file mode 100644 index 0000000..f1c928b --- /dev/null +++ b/opt/copy/immich/.env 
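Review bot: `image: gitea/gitea:latest-rootless` with `restart: always` means any container recreation can pull a new major release against the existing `gitea-data` volume with no chance to read the migration notes first; pin a version tag. The same floating tags appear in `kestra/kestra:latest-full` (made worse by `pull_policy: always`), `penninglabs/lxconsole:latest` and `ghcr.io/wekan/wekan:latest` in this commit, and `image: postgres` in the kestra stack has no major version at all, so a later pull can refuse to start on the old data directory. `depends_on: postgres: condition: service_started` waits only for the container to exist, not for the database to accept connections; a `pg_isready` healthcheck on `postgres` plus `condition: service_healthy` avoids a failed first start.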
@@ -0,0 +1,22 @@ +# You can find documentation for all the supported env variables at https://immich.app/docs/install/environment-variables + +# # The location where your uploaded files are stored +# UPLOAD_LOCATION=/opt/stacks/immich/upload +# # The location where your database files are stored +# DB_DATA_LOCATION=/opt/stacks/immich/database +# The location where your external files are stored +EXTERNAL_LOCATION=/home/phares/immich/photos + +# To set a timezone, uncomment the next line and change Etc/UTC to a TZ identifier from this list: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List +# TZ=Etc/UTC + +# The Immich version to use. You can pin this to a specific version like "v1.71.0" +IMMICH_VERSION=release + +# Connection secret for postgres. You should change it to a random password +DB_PASSWORD=postgres + +# The values below this line do not need to be changed +################################################################################### +DB_USERNAME=postgres +DB_DATABASE_NAME=immich \ No newline at end of file diff --git a/opt/copy/immich/compose.yaml b/opt/copy/immich/compose.yaml new file mode 100644 index 0000000..fd8f61b --- /dev/null +++ b/opt/copy/immich/compose.yaml 
@@ -0,0 +1,93 @@ +# +# WARNING: Make sure to use the docker-compose.yml of the current release: +# +# https://github.com/immich-app/immich/releases/latest/download/docker-compose.yml +# +# The compose file on main may not be compatible with the latest release. +# + +name: immich +networks: {} +services: + database: + command: + - postgres + - -c + - shared_preload_libraries=vectors.so + - -c + - search_path="$$user", public, vectors + - -c + - logging_collector=on + - -c + - max_wal_size=2GB + - -c + - shared_buffers=512MB + - -c + - wal_compression=on + container_name: immich_postgres + environment: + POSTGRES_DB: ${DB_DATABASE_NAME} + POSTGRES_INITDB_ARGS: --data-checksums + POSTGRES_PASSWORD: ${DB_PASSWORD} + POSTGRES_USER: ${DB_USERNAME} + healthcheck: + interval: 5m + start_interval: 30s + start_period: 5m + test: pg_isready --dbname='${DB_DATABASE_NAME}' || exit 1; Chksum="$$(psql + --dbname='${DB_DATABASE_NAME}' --username='${DB_USERNAME}' --tuples-only + --no-align --command='SELECT COALESCE(SUM(checksum_failures), 0) FROM + pg_stat_database')"; echo "checksum failure count is $$Chksum"; [ + "$$Chksum" = '0' ] || exit 1 + image: docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0 + restart: always + volumes: + - postgres-data:/var/lib/postgresql/data + immich-machine-learning: + container_name: immich_machine_learning + env_file: + - .env + # For hardware acceleration, add one of -[armnn, cuda, openvino] to the image tag. 
+ # Example tag: ${IMMICH_VERSION:-release}-cuda + image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release} + restart: always + # extends: # uncomment this section for hardware acceleration - see https://immich.app/docs/features/ml-hardware-acceleration + # file: hwaccel.ml.yml + # service: cpu # set to one of [armnn, cuda, openvino, openvino-wsl] for accelerated inference - use the `-wsl` version for WSL2 where applicable + volumes: + - model-cache:/cache + immich-server: + container_name: immich_server + depends_on: + - redis + - database + env_file: + - .env + image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release} + ports: + - 2283:3001 + restart: always + # extends: + # file: hwaccel.transcoding.yml + # service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding + volumes: + - upload-data:/usr/src/app/upload + - /etc/localtime:/etc/localtime:ro + # - external-data:/usr/src/app/external + - ${EXTERNAL_LOCATION}:/usr/src/app/external:ro + # profiles: + # - donotstart + redis: + container_name: immich_redis + healthcheck: + test: redis-cli ping || exit 1 + image: docker.io/redis:6.2-alpine@sha256:d6c2911ac51b289db208767581a5d154544f2b2fe4914ea5056443f62dc6e900 + restart: always +volumes: + model-cache: null + postgres-data: + driver: local + upload-data: + driver: local + # external-data: + # driver: local diff --git a/opt/copy/kestra/compose.yaml b/opt/copy/kestra/compose.yaml new file mode 100644 index 0000000..81186ad --- /dev/null +++ b/opt/copy/kestra/compose.yaml 
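Review bot: `ports: - 2283:3001` on `immich-server` publishes the application on every host interface; if the nginx site configs touched elsewhere in this commit are meant to be the front door, bind to loopback with `- 127.0.0.1:2283:3001` so LAN clients cannot bypass TLS termination at the proxy. `immich-server` lists `database` under `depends_on` in plain list form even though `database` defines a healthcheck, so `condition: service_healthy` would make the ordering meaningful. Mounting `${EXTERNAL_LOCATION}` read-only is the right call for an external library; a one-line comment saying that it is intentionally `:ro` would keep a future edit from dropping it.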
@@ -0,0 +1,65 @@ +services: + kestra: + command: server standalone --worker-thread=128 + depends_on: + postgres: + condition: service_started + environment: + KESTRA_CONFIGURATION: | + datasources: + postgres: + url: jdbc:postgresql://postgres:5432/kestra + driverClassName: org.postgresql.Driver + username: kestra + password: k3str4 + kestra: + server: + basic-auth: + enabled: false + username: "admin@kestra.io" # it must be a valid email address + password: kestra + repository: + type: postgres + storage: + type: local + local: + base-path: "/app/storage" + queue: + type: postgres + tasks: + tmp-dir: + path: /tmp/kestra-wd/tmp + url: http://localhost:5002/ + image: kestra/kestra:latest-full + ports: + - "5002:8080" + # - "8081:8081" + pull_policy: always + # Note that this is meant for development only. Refer to the documentation for production deployments of Kestra which runs without a root user. + user: "root" + volumes: + - kestra-data:/app/storage + - /var/run/docker.sock:/var/run/docker.sock + - /tmp/kestra-wd:/tmp/kestra-wd + postgres: + environment: + POSTGRES_DB: kestra + POSTGRES_PASSWORD: k3str4 + POSTGRES_USER: kestra + healthcheck: + interval: 30s + retries: 10 + test: + [ + "CMD-SHELL", + "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}" + ] + timeout: 10s + image: postgres + volumes: + - postgres-data:/var/lib/postgresql/data +volumes: + kestra-data: + driver: local + postgres-data: + driver: local diff --git a/opt/copy/lxconsole/compose.yaml b/opt/copy/lxconsole/compose.yaml new file mode 100644 index 0000000..fc02279 --- /dev/null +++ b/opt/copy/lxconsole/compose.yaml @@ -0,0 +1,15 @@ +networks: {} +services: + lxconsole: + image: penninglabs/lxconsole:latest + ports: + - 5004:5000 + restart: unless-stopped + volumes: + - certs:/opt/lxconsole/certs + - server:/opt/lxconsole/instance +volumes: + certs: + driver: local + server: + driver: local 
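Review bot: the `kestra` service mounts `/var/run/docker.sock`, runs as `user: "root"` and sets `basic-auth: enabled: false`, while `ports: - "5002:8080"` publishes the UI on all interfaces; whoever can reach port 5002 can define flows that run task containers, and through the socket that is root on the host. The inline comment already states this layout is development-only, so at minimum bind the port to loopback (`- "127.0.0.1:5002:8080"`), enable basic-auth with a non-default password, and treat `password: k3str4` (also set as `POSTGRES_PASSWORD`) as a committed credential like the `.env` files in this commit. `url: http://localhost:5002/` should match whatever external address the instance is actually served on, since it is used for links in generated output.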
diff --git a/opt/copy/wekan/compose.yaml b/opt/copy/wekan/compose.yaml new file mode 100644 index 0000000..06677e5 --- /dev/null +++ b/opt/copy/wekan/compose.yaml 
@@ -0,0 +1,780 @@ +# Note: Do not add single quotes '' to variables. Having spaces still works without quotes where required. +#--------------------------------------------------------------------------------------------------------- +# ==== CREATING USERS AND LOGGING IN TO WEKAN ==== +# https://github.com/wekan/wekan/wiki/Adding-users +#--------------------------------------------------------------------------------------------------------- +# ==== FORGOT PASSWORD ==== +# https://github.com/wekan/wekan/wiki/Forgot-Password +#--------------------------------------------------------------------------------------------------------- +# ==== Upgrading Wekan to new version ===== +# NOTE: MongoDB has changed from 3.x to 4.x, in that case you need backup/restore with --noIndexRestore +# see https://github.com/wekan/wekan/wiki/Backup +# 1) Stop Wekan: +# docker-compose stop +# 2) Remove old Wekan app (wekan-app only, not that wekan-db container that has all your data) +# docker rm wekan-app +# 3) Get newest docker-compose.yml from https://github.com/wekan/wekan to have correct image, +# for example: "image: quay.io/wekan/wekan" or version tag "image: quay.io/wekan/wekan:v4.52" +# 4) Start Wekan: +# docker-compose up -d +#---------------------------------------------------------------------------------- +# ==== OPTIONAL: DEDICATED DOCKER USER ==== +# 1) Optionally create a dedicated user for Wekan, for example: +# sudo useradd -d /home/wekan -m -s /bin/bash wekan +# 2) Add this user to the docker group, then logout+login or reboot: +# sudo usermod -aG docker wekan +# 3) Then login as user wekan. +# 4) Create this file /home/wekan/docker-compose.yml with your modifications. 
+#---------------------------------------------------------------------------------- +# ==== RUN DOCKER AS SERVICE ==== +# 1a) Running Docker as service, on Systemd like Debian 9, Ubuntu 16.04, CentOS 7: +# sudo systemctl enable docker +# sudo systemctl start docker +# 1b) Running Docker as service, on init.d like Debian 8, Ubuntu 14.04, CentOS 6: +# sudo update-rc.d docker defaults +# sudo service docker start +# ---------------------------------------------------------------------------------- +# ==== USAGE OF THIS docker-compose.yml ==== +# 1) For seeing does Wekan work, try this and check with your web browser: +# docker-compose up +# 2) Stop Wekan and start Wekan in background: +# docker-compose stop +# docker-compose up -d +# 3) See running Docker containers: +# docker ps +# 4) Stop Docker containers: +# docker-compose stop +# ---------------------------------------------------------------------------------- +# ===== INSIDE DOCKER CONTAINERS, AND BACKUP/RESTORE ==== +# https://github.com/wekan/wekan/wiki/Backup +# If really necessary, repair MongoDB: https://github.com/wekan/wekan-mongodb/issues/6#issuecomment-424004116 +# 1) Going inside containers: +# a) Wekan app, does not contain data +# docker exec -it wekan-app bash +# b) MongoDB, contains all data +# docker exec -it wekan-db bash +# 2) Copying database to outside of container: +# docker exec -it wekan-db bash +# cd /data +# mongodump +# exit +# docker cp wekan-db:/data/dump . 
+# 3) Restoring database +# # 1) Stop wekan +# docker stop wekan-app +# # 2) Go inside database container +# docker exec -it wekan-db bash +# # 3) and data directory +# cd /data +# # 4) Remove previous dump +# rm -rf dump +# # 5) Exit db container +# exit +# # 6) Copy dump to inside docker container +# docker cp dump wekan-db:/data/ +# # 7) Go inside database container +# docker exec -it wekan-db bash +# # 8) and data directory +# cd /data +# # 9) Restore +# mongorestore --drop +# # 10) Exit db container +# exit +# # 11) Start wekan +# docker start wekan-app +#------------------------------------------------------------------------- + +services: + + wekandb: + #------------------------------------------------------------------------------------- + # ==== MONGODB FROM DOCKER HUB ==== + image: mongo:6 + #------------------------------------------------------------------------------------- + container_name: wekan-db + restart: always + # command: mongod --oplogSize 128 + # Syslog: mongod --syslog --oplogSize 128 --quiet + # Disable MongoDB logs: + command: mongod --logpath /dev/null --oplogSize 128 --quiet + networks: + - wekan-tier + expose: + - 27017 + volumes: + - /etc/localtime:/etc/localtime:ro + - wekan-db:/data/db + - wekan-db-dump:/dump + #- /etc/timezone:/etc/timezone:ro # Do not use https://github.com/wekan/wekan/issues/5123 + + wekan: + #------------------------------------------------------------------------------------- + # ==== WEKAN FROM GITHUB/QUAY/DOCKER HUB ==== + # All of GitHub, Quay and Docker Hub have latest, but because + # latest tag changes when is newest release, + # when upgrading would be better to use version tag. + # a) Using specific version tag is better: + # image: ghcr.io/wekan/wekan:v6.89 + # image: quay.io/wekan/wekan:v6.89 + # image: wekanteam/wekan:v6.89 + # b) GitHub Container registry. 
+ # b1) Latest release tag: + image: ghcr.io/wekan/wekan:latest + # b2) Newest git commit automatic build: + #image: ghcr.io/wekan/wekan:main + # c) Quay: + #image: quay.io/wekan/wekan:latest + # d) Docker Hub: + #image: wekanteam/wekan:latest + #------------------------------------------------------------------------------------- + container_name: wekan-app + # On CentOS 7 there is seccomp issue with glibc 6, + # so CentOS 7 users shoud use these security_opt seccomp:unconfined + # settings to get WeKan working. See: + # - https://github.com/wekan/wekan/issues/4585 + # - https://github.com/wekan/wekan/issues/4587 + #security_opt: + # - seccomp:unconfined + restart: always + networks: + - wekan-tier + #------------------------------------------------------------------------------------- + # ==== BUILD wekan-app DOCKER CONTAINER FROM SOURCE, if you uncomment these ==== + # ==== and use commands: docker-compose up -d --build + #build: + # context: . + # dockerfile: Dockerfile + #------------------------------------------------------------------------------------- + ports: + # Docker outsideport:insideport. Do not add anything extra here. + # For example, if you want to have wekan on port 3001, + # use 3001:8080 . Do not add any extra address etc here, that way it does not work. + # remove port mapping if you use nginx reverse proxy, port 8080 is already exposed to wekan-tier network + - 5003:8080 + environment: + #----------------------------------------------------------------- + # ==== WRITEABLE PATH FOR FILE UPLOADS ==== + - WRITABLE_PATH=/data + #----------------------------------------------------------------- + # ==== AWS S3 FOR FILES ==== + # Any region. 
For example: + # us-standard,us-west-1,us-west-2, + # eu-west-1,eu-central-1, + # ap-southeast-1,ap-northeast-1,sa-east-1 + # + #- S3='{"s3":{"key": "xxx", "secret": "xxx", "bucket": "xxx", "region": "xxx"}}' + #----------------------------------------------------------------- + # ==== MONGO_URL ==== + - MONGO_URL=mongodb://wekandb:27017/wekan + #--------------------------------------------------------------- + # ==== ROOT_URL SETTING ==== + # Change ROOT_URL to your real Wekan URL, for example: + # If you have Caddy/Nginx/Apache providing SSL + # - https://example.com + # - https://boards.example.com + # This can be problematic with avatars https://github.com/wekan/wekan/issues/1776 + # - https://example.com/wekan + # If without https, can be only wekan node, no need for Caddy/Nginx/Apache if you don't need them + # - http://example.com + # - http://boards.example.com + # - http://192.168.1.100 <=== using at local LAN + - ROOT_URL=http://localhost # <=== using only at same laptop/desktop where Wekan is installed + #--------------------------------------------------------------- + # ==== EMAIL SETTINGS ==== + # Email settings are only at MAIL_URL and MAIL_FROM. + # Admin Panel has test button, but it's not used for settings. + # see https://github.com/wekan/wekan/wiki/Troubleshooting-Mail + # For SSL in email, change smtp:// to smtps:// + # NOTE: Special characters need to be url-encoded in MAIL_URL. + # You can encode those characters for example at: https://www.urlencoder.org + #- MAIL_URL=smtp://user:pass@mailserver.example.com:25/ + - MAIL_URL=smtp://:25/?ignoreTLS=true&tls={rejectUnauthorized:false} + - MAIL_FROM=Wekan Notifications + # Currently MAIL_SERVICE is not in use. 
+ #- MAIL_SERVICE=Outlook365
+ #- MAIL_SERVICE_USER=firstname.lastname@hotmail.com
+ #- MAIL_SERVICE_PASSWORD=SecretPassword
+ #---------------------------------------------------------------
+ # https://github.com/wekan/wekan/issues/3585#issuecomment-1021522132
+ # Add more Node heap, this is done by default at Dockerfile:
+ # - NODE_OPTIONS="--max_old_space_size=4096"
+ # Add more stack, this is done at Dockerfile:
+ # bash -c "ulimit -s 65500; exec node --stack-size=65500 main.js"
+ #---------------------------------------------------------------
+ # ==== OPTIONAL: MONGO OPLOG SETTINGS =====
+ # https://github.com/wekan/wekan-mongodb/issues/2#issuecomment-378343587
+ # We've fixed our CPU usage problem today with an environment
+ # change around Wekan. I wasn't aware during implementation
+ # that if you're using more than 1 instance of Wekan
+ # (or any MeteorJS based tool) you're supposed to set
+ # MONGO_OPLOG_URL as an environment variable.
+ # Without setting it, Meteor will perform a poll-and-diff
+ # update of it's dataset. With it, Meteor will update from
+ # the OPLOG. See here
+ # https://blog.meteor.com/tuning-meteor-mongo-livedata-for-scalability-13fe9deb8908
+ # After setting
+ # MONGO_OPLOG_URL=mongodb://:@/local?authSource=admin&replicaSet=rsWekan
+ # the CPU usage for all Wekan instances dropped to an average
+ # of less than 10% with only occasional spikes to high usage
+ # (I guess when someone is doing a lot of work)
+ # - MONGO_OPLOG_URL=mongodb://:@/local?authSource=admin&replicaSet=rsWekan
+ #---------------------------------------------------------------
+ # ==== OPTIONAL: KADIRA PERFORMANCE MONITORING FOR METEOR ====
+ # https://github.com/edemaine/kadira-compose
+ # https://github.com/meteor/meteor-apm-agent
+ # https://blog.meteor.com/kadira-apm-is-now-open-source-490469ffc85f
+ #- APM_OPTIONS_ENDPOINT=http://:11011
+ #- APM_APP_ID=
+ #- APM_APP_SECRET=
+ #---------------------------------------------------------------
+ # ==== OPTIONAL: LOGS AND STATS ====
+ # https://github.com/wekan/wekan/wiki/Logs
+ #
+ # Daily export of Wekan changes as JSON to Logstash and ElasticSearch / Kibana (ELK)
+ # https://github.com/wekan/wekan-logstash
+ #
+ # Statistics Python script for Wekan Dashboard
+ # https://github.com/wekan/wekan-stats
+ #
+ # Console, file, and zulip logger on database changes https://github.com/wekan/wekan/pull/1010
+ # with fix to replace console.log by winston logger https://github.com/wekan/wekan/pull/1033
+ # but there could be bug https://github.com/wekan/wekan/issues/1094
+ #
+ # There is Feature Request: Logging date and time of all activity with summary reports,
+ # and requesting reason for changing card to other column https://github.com/wekan/wekan/issues/1598
+ #---------------------------------------------------------------
+ # ==== NUMBER OF SEARCH RESULTS PER PAGE BY DEFAULT ====
+ #- RESULTS_PER_PAGE=20
+ #---------------------------------------------------------------
+ # ==== AFTER OIDC LOGIN, ADD USERS AUTOMATICALLY TO THIS BOARD ID ====
+ # https://github.com/wekan/wekan/pull/5098
+ #- DEFAULT_BOARD_ID=abcd1234
+ #---------------------------------------------------------------
+ # ==== WEKAN API AND EXPORT BOARD ====
+ # Wekan Export Board works when WITH_API=true.
+ # https://github.com/wekan/wekan/wiki/REST-API
+ # https://github.com/wekan/wekan-gogs
+ # If you disable Wekan API with false, Export Board does not work.
+ - WITH_API=true
+ #---------------------------------------------------------------
+ # ==== PASSWORD BRUTE FORCE PROTECTION ====
+ #https://atmospherejs.com/lucasantoniassi/accounts-lockout
+ #Defaults below. Uncomment to change. wekan/server/accounts-lockout.js
+ #- ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURES_BEFORE=3
+ #- ACCOUNTS_LOCKOUT_KNOWN_USERS_PERIOD=60
+ #- ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURE_WINDOW=15
+ #- ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURES_BERORE=3
+ #- ACCOUNTS_LOCKOUT_UNKNOWN_USERS_LOCKOUT_PERIOD=60
+ #- ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURE_WINDOW=15
+ #---------------------------------------------------------------
+ # ==== ACCOUNT OPTIONS ====
+ # https://docs.meteor.com/api/accounts-multi.html#AccountsCommon-config
+ # Defaults below. Uncomment to change. wekan/server/accounts-common.js
+ # - ACCOUNTS_COMMON_LOGIN_EXPIRATION_IN_DAYS=90
+ #---------------------------------------------------------------
+ # ==== RICH TEXT EDITOR IN CARD COMMENTS ====
+ # https://github.com/wekan/wekan/pull/2560
+ - RICHER_CARD_COMMENT_EDITOR=false
+ #---------------------------------------------------------------
+ # ==== CARD OPENED, SEND WEBHOOK MESSAGE ====
+ # https://github.com/wekan/wekan/issues/2518
+ - CARD_OPENED_WEBHOOK_ENABLED=false
+ #---------------------------------------------------------------
+ # ==== Allow configuration to validate uploaded attachments ====
+ #-ATTACHMENTS_UPLOAD_EXTERNAL_PROGRAM=/usr/local/bin/avscan {file}
+ #-ATTACHMENTS_UPLOAD_MIME_TYPES=image/*,text/*
+ #-ATTACHMENTS_UPLOAD_MAX_SIZE=5000000
+ #---------------------------------------------------------------
+ # ==== Allow configuration to validate uploaded avatars ====
+ #-AVATARS_UPLOAD_EXTERNAL_PROGRAM=/usr/local/bin/avscan {file}
+ #-AVATARS_UPLOAD_MIME_TYPES=image/*
+ #-AVATARS_UPLOAD_MAX_SIZE=500000
+ #---------------------------------------------------------------
+ # ==== Allow to shrink attached/pasted image ====
+ # https://github.com/wekan/wekan/pull/2544
+ #- MAX_IMAGE_PIXEL=1024
+ #- IMAGE_COMPRESS_RATIO=80
+ #---------------------------------------------------------------
+ # ==== NOTIFICATION TRAY AFTER READ DAYS BEFORE REMOVE =====
+ # Number of days after a notification is read before we remove it.
+ # Default: 2
+ #- NOTIFICATION_TRAY_AFTER_READ_DAYS_BEFORE_REMOVE=2
+ #---------------------------------------------------------------
+ # ==== BIGEVENTS DUE ETC NOTIFICATIONS =====
+ # https://github.com/wekan/wekan/pull/2541
+ # Introduced a system env var BIGEVENTS_PATTERN default as "NONE",
+ # so any activityType matches the pattern, system will send out
+ # notifications to all board members no matter they are watching
+ # or tracking the board or not. Owner of the wekan server can
+ # disable the feature by setting this variable to "NONE" or
+ # change the pattern to any valid regex. i.e. '|' delimited
+ # activityType names.
+ # a) Example
+ #- BIGEVENTS_PATTERN=due
+ # b) All
+ #- BIGEVENTS_PATTERN=received|start|due|end
+ # c) Disabled
+ - BIGEVENTS_PATTERN=NONE
+ #---------------------------------------------------------------
+ # ==== EMAIL DUE DATE NOTIFICATION =====
+ # https://github.com/wekan/wekan/pull/2536
+ # System timelines will be showing any user modification for
+ # dueat startat endat receivedat, also notification to
+ # the watchers and if any card is due, about due or past due.
+ #
+ # Notify due days, default is None, 2 days before and on the event day
+ #- NOTIFY_DUE_DAYS_BEFORE_AND_AFTER=2,0
+ #
+ # Notify due at hour of day. Default every morning at 8am. Can be 0-23.
+ # If env variable has parsing error, use default. Notification sent to watchers.
+ #- NOTIFY_DUE_AT_HOUR_OF_DAY=8
+ #-----------------------------------------------------------------
+ # ==== EMAIL NOTIFICATION TIMEOUT, ms =====
+ # Default: 30000 ms = 30s
+ #- EMAIL_NOTIFICATION_TIMEOUT=30000
+ #-----------------------------------------------------------------
+ # ==== CORS =====
+ # CORS: Set Access-Control-Allow-Origin header.
+ #- CORS=*
+ # CORS_ALLOW_HEADERS: Set Access-Control-Allow-Headers header. "Authorization,Content-Type" is required for cross-origin use of the API.
+ #- CORS_ALLOW_HEADERS=Authorization,Content-Type
+ # CORS_EXPOSE_HEADERS: Set Access-Control-Expose-Headers header. This is not needed for typical CORS situations
+ #- CORS_EXPOSE_HEADERS=*
+ #-----------------------------------------------------------------
+ # ==== MATOMO INTEGRATION ====
+ # Optional: Integration with Matomo https://matomo.org that is installed to your server
+ # The address of the server where Matomo is hosted.
+ #- MATOMO_ADDRESS=https://example.com/matomo
+ # The value of the site ID given in Matomo server for Wekan
+ #- MATOMO_SITE_ID=1
+ # The option do not track which enables users to not be tracked by matomo
+ #- MATOMO_DO_NOT_TRACK=true
+ # The option that allows matomo to retrieve the username:
+ #- MATOMO_WITH_USERNAME=true
+ #-----------------------------------------------------------------
+ # ==== BROWSER POLICY AND TRUSTED IFRAME URL ====
+ # Enable browser policy and allow one trusted URL that can have iframe that has Wekan embedded inside.
+ # Setting this to false is not recommended, it also disables all other browser policy protections
+ # and allows all iframing etc. See wekan/server/policy.js
+ - BROWSER_POLICY_ENABLED=true
+ # When browser policy is enabled, HTML code at this Trusted URL can have iframe that embeds Wekan inside.
+ #- TRUSTED_URL=https://intra.example.com
+ #-----------------------------------------------------------------
+ # ==== METRICS ALLOWED IP ADDRESSES ====
+ # https://github.com/wekan/wekan/wiki/Metrics
+ #- METRICS_ALLOWED_IP_ADDRESSES=192.168.0.100,192.168.0.200
+ #-----------------------------------------------------------------
+ # ==== OUTGOING WEBHOOKS ====
+ # What to send to Outgoing Webhook, or leave out. If commented out the default values will be: cardId,listId,oldListId,boardId,comment,user,card,commentId,swimlaneId,customerField,customFieldValue
+ #- WEBHOOKS_ATTRIBUTES=cardId,listId,oldListId,boardId,comment,user,card,board,list,swimlane,commentId
+ #-----------------------------------------------------------------
+ # ==== Debug OIDC OAuth2 etc ====
+ #- DEBUG=true
+ #---------------------------------------------
+ # ==== AUTOLOGIN WITH OIDC/OAUTH2 ====
+ # https://github.com/wekan/wekan/wiki/autologin
+ #- OIDC_REDIRECTION_ENABLED=true
+ #-----------------------------------------------------------------
+ # ==== OAUTH2 ORACLE on premise identity manager OIM ====
+ #- ORACLE_OIM_ENABLED=true
+ #-----------------------------------------------------------------
+ # ==== OAUTH2 AZURE ====
+ # https://github.com/wekan/wekan/wiki/Azure
+ # 1) Register the application with Azure. Make sure you capture
+ # the application ID as well as generate a secret key.
+ # 2) Configure the environment variables. This differs slightly
+ # by installation type, but make sure you have the following:
+ #- OAUTH2_ENABLED=true
+ # Optional OAuth2 CA Cert, see https://github.com/wekan/wekan/issues/3299
+ #- OAUTH2_CA_CERT=ABCD1234
+ # Use OAuth2 ADFS additional changes. Also needs OAUTH2_ENABLED=true setting.
+ #- OAUTH2_ADFS_ENABLED=false
+ # Azure AD B2C. https://github.com/wekan/wekan/issues/5242
+ #- OAUTH2_B2C_ENABLED=false
+ # OAuth2 login style: popup or redirect.
+ #- OAUTH2_LOGIN_STYLE=redirect
+ # Application GUID captured during app registration:
+ #- OAUTH2_CLIENT_ID=xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
+ # Secret key generated during app registration:
+ #- OAUTH2_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+ #- OAUTH2_SERVER_URL=https://login.microsoftonline.com/
+ #- OAUTH2_AUTH_ENDPOINT=/oauth2/v2.0/authorize
+ #- OAUTH2_USERINFO_ENDPOINT=https://graph.microsoft.com/oidc/userinfo
+ #- OAUTH2_TOKEN_ENDPOINT=/oauth2/v2.0/token
+ # The claim name you want to map to the unique ID field:
+ #- OAUTH2_ID_MAP=email
+ # The claim name you want to map to the username field:
+ #- OAUTH2_USERNAME_MAP=email
+ # The claim name you want to map to the full name field:
+ #- OAUTH2_FULLNAME_MAP=name
+ # The claim name you want to map to the email field:
+ #- OAUTH2_EMAIL_MAP=email
+ #-----------------------------------------------------------------
+ # ==== OAUTH2 Nextcloud ====
+ # 1) Register the application with Nextcloud: https://your.nextcloud/index.php/settings/admin/security
+ # Make sure you capture the application ID as well as generate a secret key.
+ # Use https://your.wekan/_oauth/oidc for the redirect URI.
+ # 2) Configure the environment variables. This differs slightly
+ # by installation type, but make sure you have the following:
+ #- OAUTH2_ENABLED=true
+ # OAuth2 login style: popup or redirect.
+ #- OAUTH2_LOGIN_STYLE=redirect
+ # Application GUID captured during app registration:
+ #- OAUTH2_CLIENT_ID=xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
+ # Secret key generated during app registration:
+ #- OAUTH2_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+ #- OAUTH2_SERVER_URL=https://your-nextcloud.tld
+ #- OAUTH2_AUTH_ENDPOINT=/index.php/apps/oauth2/authorize
+ #- OAUTH2_USERINFO_ENDPOINT=/ocs/v2.php/cloud/user?format=json
+ #- OAUTH2_TOKEN_ENDPOINT=/index.php/apps/oauth2/api/v1/token
+ # The claim name you want to map to the unique ID field:
+ #- OAUTH2_ID_MAP=id
+ # The claim name you want to map to the username field:
+ #- OAUTH2_USERNAME_MAP=id
+ # The claim name you want to map to the full name field:
+ #- OAUTH2_FULLNAME_MAP=display-name
+ # The claim name you want to map to the email field:
+ #- OAUTH2_EMAIL_MAP=email
+ #-----------------------------------------------------------------
+ # ==== OAUTH2 KEYCLOAK ====
+ # https://github.com/wekan/wekan/wiki/Keycloak <== MAPPING INFO, REQUIRED
+ #- OAUTH2_ENABLED=true
+ # OAuth2 login style: popup or redirect.
+ #- OAUTH2_LOGIN_STYLE=redirect
+ #- OAUTH2_CLIENT_ID=
+ #- OAUTH2_SERVER_URL=/auth
+ #- OAUTH2_AUTH_ENDPOINT=/realms//protocol/openid-connect/auth
+ #- OAUTH2_USERINFO_ENDPOINT=/realms//protocol/openid-connect/userinfo
+ #- OAUTH2_TOKEN_ENDPOINT=/realms//protocol/openid-connect/token
+ #- OAUTH2_SECRET=
+ #-----------------------------------------------------------------
+ # ==== OAUTH2 DOORKEEPER ====
+ # https://github.com/wekan/wekan/issues/1874
+ # https://github.com/wekan/wekan/wiki/OAuth2
+ # Enable the OAuth2 connection
+ #- OAUTH2_ENABLED=true
+ # OAuth2 docs: https://github.com/wekan/wekan/wiki/OAuth2
+ # OAuth2 login style: popup or redirect.
+ #- OAUTH2_LOGIN_STYLE=redirect
+ # OAuth2 Client ID.
+ #- OAUTH2_CLIENT_ID=abcde12345
+ # OAuth2 Secret.
+ #- OAUTH2_SECRET=54321abcde
+ # OAuth2 Server URL.
+ #- OAUTH2_SERVER_URL=https://chat.example.com
+ # OAuth2 Authorization Endpoint.
+ #- OAUTH2_AUTH_ENDPOINT=/oauth/authorize
+ # OAuth2 Userinfo Endpoint.
+ #- OAUTH2_USERINFO_ENDPOINT=/oauth/userinfo
+ # OAuth2 Token Endpoint.
+ #- OAUTH2_TOKEN_ENDPOINT=/oauth/token
+ # OAUTH2 ID Token Whitelist Fields.
+ #- OAUTH2_ID_TOKEN_WHITELIST_FIELDS=""
+ # OAUTH2 Request Permissions.
+ #- OAUTH2_REQUEST_PERMISSIONS=openid profile email
+ # OAuth2 ID Mapping
+ #- OAUTH2_ID_MAP=
+ # OAuth2 Username Mapping
+ #- OAUTH2_USERNAME_MAP=
+ # OAuth2 Fullname Mapping
+ #- OAUTH2_FULLNAME_MAP=
+ # OAuth2 Email Mapping
+ #- OAUTH2_EMAIL_MAP=
+ #-----------------------------------------------------------------
+ # ==== LDAP: UNCOMMENT ALL TO ENABLE LDAP ====
+ # https://github.com/wekan/wekan/wiki/LDAP
+ # For Snap settings see https://github.com/wekan/wekan-snap/wiki/Supported-settings-keys
+ # Most settings work both on Snap and Docker below.
+ # Note: Do not add single quotes '' to variables. Having spaces still works without quotes where required.
+ #
+ # The default authentication method used if a user does not exist to create and authenticate. Can be set as ldap.
+ # (this is set properly in the Admin Panel, changing this item does not remove Password login option)
+ #- DEFAULT_AUTHENTICATION_METHOD=ldap
+ #
+ # Enable or not the connection by the LDAP
+ #- LDAP_ENABLE=true
+ #
+ # The port of the LDAP server
+ #- LDAP_PORT=389
+ #
+ # The host server for the LDAP server
+ #- LDAP_HOST=localhost
+ #
+ #-----------------------------------------------------------------
+ # ==== LDAP AD Simple Auth ====
+ #
+ # Set to true, if you want to connect with Active Directory by Simple Authentication.
+ # When using AD Simple Auth, LDAP_BASEDN is not needed.
+ #
+ # Example:
+ #- LDAP_AD_SIMPLE_AUTH=true
+ #
+ # === LDAP User Authentication ===
+ #
+ # a) Option to login to the LDAP server with the user's own username and password, instead of
+ # an administrator key. Default: false (use administrator key).
+ #
+ # b) When using AD Simple Auth, set to true, when login user is used for binding,
+ # and LDAP_BASEDN is not needed.
+ #
+ # Example:
+ #- LDAP_USER_AUTHENTICATION=true
+ #
+ # Which field is used to find the user for the user authentication. Default: uid.
+ #- LDAP_USER_AUTHENTICATION_FIELD=uid
+ #
+ # === LDAP Default Domain ===
+ #
+ # a) In case AD SimpleAuth is configured, the default domain is appended to the given
+ # loginname for creating the correct username for the bind request to AD.
+ #
+ # b) The default domain of the ldap it is used to create email if the field is not map
+ # correctly with the LDAP_SYNC_USER_DATA_FIELDMAP
+ #
+ # Example :
+ #- LDAP_DEFAULT_DOMAIN=mydomain.com
+ #
+ #-----------------------------------------------------------------
+ # ==== LDAP BASEDN Auth ====
+ #
+ # The base DN for the LDAP Tree
+ #- LDAP_BASEDN=ou=user,dc=example,dc=org
+ #
+ #-----------------------------------------------------------------
+ # Fallback on the default authentication method
+ #- LDAP_LOGIN_FALLBACK=false
+ #
+ # Reconnect to the server if the connection is lost
+ #- LDAP_RECONNECT=true
+ #
+ # Overall timeout, in milliseconds
+ #- LDAP_TIMEOUT=10000
+ #
+ # Specifies the timeout for idle LDAP connections in milliseconds
+ #- LDAP_IDLE_TIMEOUT=10000
+ #
+ # Connection timeout, in milliseconds
+ #- LDAP_CONNECT_TIMEOUT=10000
+ #
+ # If the LDAP needs a user account to search
+ #- LDAP_AUTHENTIFICATION=true
+ #
+ # The search user DN - You need quotes when you have spaces in parameters
+ # 2 examples:
+ #- LDAP_AUTHENTIFICATION_USERDN=CN=ldap admin,CN=users,DC=domainmatter,DC=lan
+ #- LDAP_AUTHENTIFICATION_USERDN=CN=wekan_adm,OU=serviceaccounts,OU=admin,OU=prod,DC=mydomain,DC=com
+ #
+ # The password for the search user
+ #- LDAP_AUTHENTIFICATION_PASSWORD=pwd
+ #
+ # Enable logs for the module
+ #- LDAP_LOG_ENABLED=true
+ #
+ # If the sync of the users should be done in the background
+ #- LDAP_BACKGROUND_SYNC=false
+ #
+ # At which interval does the background task sync.
+ # The format must be as specified in:
+ # https://bunkat.github.io/later/parsers.html#text
+ #- LDAP_BACKGROUND_SYNC_INTERVAL=every 1 hour
+ #
+ #- LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED=false
+ #
+ #- LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS=false
+ #
+ # If using LDAPS: LDAP_ENCRYPTION=ssl
+ #- LDAP_ENCRYPTION=false
+ #
+ # The certification for the LDAPS server. Certificate needs to be included in this docker-compose.yml file.
+ #- LDAP_CA_CERT=-----BEGIN CERTIFICATE-----MIIE+G2FIdAgIC...-----END CERTIFICATE-----
+ #
+ # Reject Unauthorized Certificate
+ #- LDAP_REJECT_UNAUTHORIZED=false
+ #
+ # Optional extra LDAP filters. Don't forget the outmost enclosing parentheses if needed
+ #- LDAP_USER_SEARCH_FILTER=
+ #
+ # base (search only in the provided DN), one (search only in the provided DN and one level deep), or sub (search the whole subtree)
+ #- LDAP_USER_SEARCH_SCOPE=one
+ #
+ # Which field is used to find the user, like uid / sAMAccountName
+ #- LDAP_USER_SEARCH_FIELD=sAMAccountName
+ #
+ # Used for pagination (0=unlimited)
+ #- LDAP_SEARCH_PAGE_SIZE=0
+ #
+ # The limit number of entries (0=unlimited)
+ #- LDAP_SEARCH_SIZE_LIMIT=0
+ #
+ # Enable group filtering. Note the authenticated ldap user must be able to query all relevant group data with own login data from ldap.
+ #- LDAP_GROUP_FILTER_ENABLE=false
+ #
+ # The object class for filtering. Example: group
+ #- LDAP_GROUP_FILTER_OBJECTCLASS=
+ #
+ # The attribute of a group identifying it. Example: cn
+ #- LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE=
+ #
+ # The attribute inside a group object listing its members. Example: member
+ #- LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE=
+ #
+ # The format of the value of LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE. Example: 'dn' if the users dn is saved as value into the attribute.
+ #- LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT=
+ #
+ # The group name (id) that matches all users.
+ #- LDAP_GROUP_FILTER_GROUP_NAME=
+ #
+ # LDAP_UNIQUE_IDENTIFIER_FIELD : This field is sometimes class GUID (Globally Unique Identifier). Example: guid
+ #- LDAP_UNIQUE_IDENTIFIER_FIELD=
+ #
+ # LDAP_UTF8_NAMES_SLUGIFY : Convert the username to utf8
+ #- LDAP_UTF8_NAMES_SLUGIFY=true
+ #
+ # LDAP_USERNAME_FIELD : Which field contains the ldap username. username / sAMAccountName
+ #- LDAP_USERNAME_FIELD=sAMAccountName
+ #
+ # LDAP_FULLNAME_FIELD : Which field contains the ldap fullname. fullname / sAMAccountName
+ #- LDAP_FULLNAME_FIELD=fullname
+ #
+ #- LDAP_MERGE_EXISTING_USERS=false
+ #
+ # Allow existing account matching by e-mail address when username does not match
+ #- LDAP_EMAIL_MATCH_ENABLE=true
+ #
+ # LDAP_EMAIL_MATCH_REQUIRE : require existing account matching by e-mail address when username does match
+ #- LDAP_EMAIL_MATCH_REQUIRE=true
+ #
+ # LDAP_EMAIL_MATCH_VERIFIED : require existing account email address to be verified for matching
+ #- LDAP_EMAIL_MATCH_VERIFIED=true
+ #
+ # LDAP_EMAIL_FIELD : which field contains the LDAP e-mail address
+ #- LDAP_EMAIL_FIELD=mail
+ #-----------------------------------------------------------------
+ #- LDAP_SYNC_USER_DATA=false
+ #
+ #- LDAP_SYNC_USER_DATA_FIELDMAP={"cn":"name", "mail":"email"}
+ #
+ #- LDAP_SYNC_GROUP_ROLES=
+ #
+ # The default domain of the ldap it is used to create email if the field is not map correctly
+ # with the LDAP_SYNC_USER_DATA_FIELDMAP is defined in setting LDAP_DEFAULT_DOMAIN above.
+ #
+ # Enable/Disable syncing of admin status based on ldap groups:
+ #- LDAP_SYNC_ADMIN_STATUS=true
+ #
+ # Comma separated list of admin group names to sync.
+ #- LDAP_SYNC_ADMIN_GROUPS=group1,group2
+ #---------------------------------------------------------------------
+ # Login to LDAP automatically with HTTP header.
+ # In below example for siteminder, at right side of = is header name.
+ #- HEADER_LOGIN_ID=HEADERUID
+ #- HEADER_LOGIN_FIRSTNAME=HEADERFIRSTNAME
+ #- HEADER_LOGIN_LASTNAME=HEADERLASTNAME
+ #- HEADER_LOGIN_EMAIL=HEADEREMAILADDRESS
+ #---------------------------------------------------------------------
+ # ==== LOGOUT TIMER, probably does not work yet ====
+ # LOGOUT_WITH_TIMER : Enables or not the option logout with timer
+ # example : LOGOUT_WITH_TIMER=true
+ #- LOGOUT_WITH_TIMER=
+ #
+ # LOGOUT_IN : The number of days
+ # example : LOGOUT_IN=1
+ #- LOGOUT_IN=
+ #
+ # LOGOUT_ON_HOURS : The number of hours
+ # example : LOGOUT_ON_HOURS=9
+ #- LOGOUT_ON_HOURS=
+ #
+ # LOGOUT_ON_MINUTES : The number of minutes
+ # example : LOGOUT_ON_MINUTES=55
+ #- LOGOUT_ON_MINUTES=
+ #-------------------------------------------------------------------
+ # Hide password login form
+ # - PASSWORD_LOGIN_ENABLED=true
+ #-------------------------------------------------------------------
+ #- CAS_ENABLED=true
+ #- CAS_BASE_URL=https://cas.example.com/cas
+ #- CAS_LOGIN_URL=https://cas.example.com/login
+ #- CAS_VALIDATE_URL=https://cas.example.com/cas/p3/serviceValidate
+ #---------------------------------------------------------------------
+ #- SAML_ENABLED=true
+ #- SAML_PROVIDER=
+ #- SAML_ENTRYPOINT=
+ #- SAML_ISSUER=
+ #- SAML_CERT=
+ #- SAML_IDPSLO_REDIRECTURL=
+ #- SAML_PRIVATE_KEYFILE=
+ #- SAML_PUBLIC_CERTFILE=
+ #- SAML_IDENTIFIER_FORMAT=
+ #- SAML_LOCAL_PROFILE_MATCH_ATTRIBUTE=
+ #- SAML_ATTRIBUTES=
+ #---------------------------------------------------------------------
+ # Wait spinner to use
+ # - WAIT_SPINNER=Bounce
+ #---------------------------------------------------------------------
+ depends_on:
+ - wekandb
+ volumes:
+ - /etc/localtime:/etc/localtime:ro
+ - wekan-files:/data:rw
+
+#---------------------------------------------------------------------------------
+# ==== OPTIONAL: SHARE DATABASE TO OFFICE LAN AND REMOTE VPN ====
+# When using Wekan both at office LAN and remote VPN:
+# 1) Have above Wekan docker container config with LAN IP address
+# 2) Copy all of above wekan container config below, look above of this part above and all config below it,
+# before above depends_on: part:
+#
+# wekan:
+# #-------------------------------------------------------------------------------------
+# # ==== MONGODB AND METEOR VERSION ====
+# # a) For Wekan Meteor 1.8.x version at meteor-1.8 branch, .....
+#
+#
+# and change name to different name like wekan2 or wekanvpn, and change ROOT_URL to server VPN IP
+# address.
+# 3) This way both Wekan containers can use same MongoDB database
+# and see the same Wekan boards.
+# 4) You could also add 3rd Wekan container for 3rd network etc.
+# EXAMPLE:
+# wekan2:
+# ....COPY CONFIG FROM ABOVE TO HERE...
+# environment:
+# - ROOT_URL='http://10.10.10.10'
+# ...COPY CONFIG FROM ABOVE TO HERE...
+#---------------------------------------------------------------------------------
+
+# OPTIONAL NGINX CONFIG FOR REVERSE PROXY
+# nginx:
+# image: nginx
+# container_name: nginx
+# restart: always
+# networks:
+# - wekan-tier
+# depends_on:
+# - wekan
+# ports:
+# - 80:80
+# - 443:443
+# volumes:
+# - ./nginx/ssl:/etc/nginx/ssl/:ro
+# - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+## Alternative volume config:
+## volumes:
+## - ./nginx/nginx.conf:/etc/nginx/conf.d/default.conf:ro
+## - ./nginx/ssl/ssl.conf:/etc/nginx/conf.d/ssl/ssl.conf:ro
+## - ./nginx/ssl/testvm-ehu.crt:/etc/nginx/conf.d/ssl/certs/mycert.crt:ro
+## - ./nginx/ssl/testvm-ehu.key:/etc/nginx/conf.d/ssl/certs/mykey.key:ro
+
+volumes:
+ wekan-files:
+ driver: local
+ wekan-db:
+ driver: local
+ wekan-db-dump:
+ driver: local
+
+networks:
+ wekan-tier:
+ driver: bridge
\ No newline at end of file