Fresh install on Ubuntu Server with Docker at OS level then explore Podman Quadlet

This commit is contained in:
Mike Phares 2024-07-23 17:35:22 -07:00
parent 929745ed1b
commit 60d7407abb
80 changed files with 1846 additions and 1440 deletions

.gitignore vendored

@ -34,9 +34,9 @@
!etc/unbound/unbound.conf !etc/unbound/unbound.conf
!etc/unbound/unbound.conf.d/pi-hole.conf !etc/unbound/unbound.conf.d/pi-hole.conf
!etc/cups/*
!etc/dnsmasq.d/* !etc/dnsmasq.d/*
!etc/fstab/* !etc/fstab/*
!etc/letsencrypt/*
!etc/netplan/* !etc/netplan/*
!etc/nginx/sites-available/* !etc/nginx/sites-available/*
!etc/mysql/mariadb.conf.d/* !etc/mysql/mariadb.conf.d/*
@ -44,6 +44,10 @@
!etc/postgresql/* !etc/postgresql/*
!etc/wsl/* !etc/wsl/*
!etc/letsencrypt/**/*
!opt/copy/**/*
# !home/gogs/gogs/custom/conf/app.ini # !home/gogs/gogs/custom/conf/app.ini
# !home/syncthing/.config/syncthing/config.xml # !home/syncthing/.config/syncthing/config.xml
# !usr/local/etc/gogs/conf/app.ini # !usr/local/etc/gogs/conf/app.ini
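Review bot: The single-printed lines `!etc/letsencrypt/*` and `!etc/letsencrypt/**/*` appear to be the additions in these two hunks (the commit adds the letsencrypt tree), and together they un-ignore the whole certbot directory; further down this same commit that pulls in the ACME account key (the JSON with `d`/`p`/`q` members) and the server's `-----BEGIN PRIVATE KEY-----` file. Keep the renewal config, `options-ssl-nginx.conf` and `ssl-dhparams.pem` tracked, but re-ignore the key-bearing subtrees after those two lines: `etc/letsencrypt/accounts/**`, `etc/letsencrypt/archive/**`, `etc/letsencrypt/keys/**` (`live/` holds symlinks into `archive/`, so it carries no key bytes of its own). The second hunk's counts (6 → 10) do not match the lines shown, so the rendering may have dropped further un-ignore lines that need the same check.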

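--- a/etc/.pihole/.gitignore
+++ b/etc/.pihole/.gitignore
@@ -0,0 +1,12 @@
+.DS_Store
+*.pyc
+*.swp
+__pycache__
+.cache
+.pytest_cache
+.tox
+.eggs
+*.egg-info
+.idea/
+*.iml
+.vscode/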


@ -0,0 +1,82 @@
# Pi-hole: A black hole for Internet advertisements
# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
# Network-wide ad blocking via your own hardware.
#
# Lighttpd config for Pi-hole
#
# This file is copyright under the latest version of the EUPL.
# Please see LICENSE file for your rights under this license.
###############################################################################
# FILE AUTOMATICALLY OVERWRITTEN BY PI-HOLE INSTALL/UPDATE PROCEDURE. #
# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
###############################################################################
server.errorlog := "/var/log/lighttpd/error-pihole.log"
$HTTP["url"] =~ "^/admin/" {
server.document-root = "/var/www/html"
server.stream-response-body = 1
accesslog.filename = "/var/log/lighttpd/access-pihole.log"
accesslog.format = "%{%s}t|%h|%V|%r|%s|%b"
fastcgi.server = (
".php" => (
"localhost" => (
"socket" => "/run/lighttpd/pihole-php-fastcgi.socket",
"bin-path" => "/usr/bin/php-cgi",
"min-procs" => 1,
"max-procs" => 1,
"bin-environment" => (
"PHP_FCGI_CHILDREN" => "4",
"PHP_FCGI_MAX_REQUESTS" => "10000",
),
"bin-copy-environment" => (
"PATH", "SHELL", "USER"
),
"broken-scriptfilename" => "enable",
)
)
)
# X-Pi-hole is a response header for debugging using curl -I
# X-Frame-Options prevents clickjacking attacks and helps ensure your content is not embedded into other sites via < frame >, < iframe > or < object >.
# X-XSS-Protection sets the configuration for the cross-site scripting filters built into most browsers. This is important because it tells the browser to block the response if a malicious script has been inserted from a user input. (deprecated; disabled)
# X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. This is important because the browser will only load external resources if their content-type matches what is expected, and not malicious hidden code.
# Content-Security-Policy tells the browser where resources are allowed to be loaded and if its allowed to parse/run inline styles or Javascript. This is important because it prevents content injection attacks, such as Cross Site Scripting (XSS).
# X-Permitted-Cross-Domain-Policies is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains.
# Referrer-Policy allows control/restriction of the amount of information present in the referral header for links away from your page—the URL path or even if the header is sent at all.
setenv.add-response-header = (
"X-Pi-hole" => "The Pi-hole Web interface is working!",
"X-Frame-Options" => "DENY",
"X-XSS-Protection" => "0",
"X-Content-Type-Options" => "nosniff",
"Content-Security-Policy" => "default-src 'self' 'unsafe-inline';",
"X-Permitted-Cross-Domain-Policies" => "none",
"Referrer-Policy" => "same-origin"
)
# Block . files from being served, such as .git, .github, .gitignore
$HTTP["url"] =~ "^/admin/\." {
url.access-deny = ("")
}
# allow teleporter and API qr code iframe on settings page
$HTTP["url"] =~ "/(teleporter|api_token)\.php$" {
$HTTP["referer"] =~ "/admin/settings\.php" {
setenv.set-response-header = ( "X-Frame-Options" => "SAMEORIGIN" )
}
}
}
else $HTTP["url"] == "/admin" {
url.redirect = ("" => "/admin/")
}
$HTTP["host"] == "pi.hole" {
$HTTP["url"] == "/" {
url.redirect = ("" => "/admin/")
}
}
# (keep this on one line for basic-install.sh filtering during install)
server.modules += ( "mod_access", "mod_accesslog", "mod_redirect", "mod_fastcgi", "mod_setenv" )


@ -1,42 +1 @@
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to # Ubuntu sources have moved to /etc/apt/sources.list.d/ubuntu.sources
# newer versions of the distribution.
deb http://us.archive.ubuntu.com/ubuntu/ mantic main restricted
# deb-src http://us.archive.ubuntu.com/ubuntu/ mantic main restricted
## Major bug fix updates produced after the final release of the
## distribution.
deb http://us.archive.ubuntu.com/ubuntu/ mantic-updates main restricted
# deb-src http://us.archive.ubuntu.com/ubuntu/ mantic-updates main restricted
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://us.archive.ubuntu.com/ubuntu/ mantic universe
# deb-src http://us.archive.ubuntu.com/ubuntu/ mantic universe
deb http://us.archive.ubuntu.com/ubuntu/ mantic-updates universe
# deb-src http://us.archive.ubuntu.com/ubuntu/ mantic-updates universe
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://us.archive.ubuntu.com/ubuntu/ mantic multiverse
# deb-src http://us.archive.ubuntu.com/ubuntu/ mantic multiverse
deb http://us.archive.ubuntu.com/ubuntu/ mantic-updates multiverse
# deb-src http://us.archive.ubuntu.com/ubuntu/ mantic-updates multiverse
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://us.archive.ubuntu.com/ubuntu/ mantic-backports main restricted universe multiverse
# deb-src http://us.archive.ubuntu.com/ubuntu/ mantic-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu/ mantic-security main restricted
# deb-src http://security.ubuntu.com/ubuntu/ mantic-security main restricted
deb http://security.ubuntu.com/ubuntu/ mantic-security universe
# deb-src http://security.ubuntu.com/ubuntu/ mantic-security universe
deb http://security.ubuntu.com/ubuntu/ mantic-security multiverse
# deb-src http://security.ubuntu.com/ubuntu/ mantic-security multiverse
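Review bot: The replacement leaves only `# Ubuntu sources have moved to /etc/apt/sources.list.d/ubuntu.sources`, but no `ubuntu.sources` file appears in the visible part of this commit and the `.gitignore` whitelist shown earlier has no `!etc/apt/...` entry in view; if the deb822 file is not tracked, the repository no longer records which suites were enabled (previously mantic, mantic-updates, mantic-backports and mantic-security). Either add the new file to the commit or extend the comment with the enabled suites so the mirror and security-suite configuration remains reviewable from the repo.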


@ -0,0 +1,28 @@
apt-get update
apt upgrade -y
apt install snapd -y
apt install sudo links unzip nginx git nano ncdu -y
snap install dashkiosk
snap install ubuntu-frame wpe-webkit-mir-kiosk
snap set wpe-webkit-mir-kiosk daemon=true
snap set wpe-webkit-mir-kiosk url=http://localhost:9400/receiver
exit
wpe-webkit-mir-kiosk.cog http://localhost:9400/receiver
/snap/wpe-webkit-mir-kiosk/current/bin/setup.sh
wpe-webkit-mir-kiosk.cog http://localhost:9400/receiver
snap set ubuntu-frame daemon=true
exit
reboot
cat /root/.ssh/authorized_keys
nano /root/.ssh/authorized_keys
adduser lphares
mkdir /home/lphares/.ssh
cp /root/.ssh/authorized_keys /home/lphares/.ssh/authorized_keys
chown lphares:lphares -R /home/lphares
adduser bmiller
mkdir /home/bmiller/.ssh
cp /root/.ssh/authorized_keys /home/bmiller/.ssh/authorized_keys
chown bmiller:bmiller -R /home/bmiller
ln -s /var/log/nginx /var/www/html/log-nginx
ls -la /var/www/html
exit
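Review bot: `ln -s /var/log/nginx /var/www/html/log-nginx` links the nginx log directory into the web root, so whatever serves /var/www/html can hand out the access and error logs (client IPs, requested paths, query strings) to anyone who can reach the site; drop the link, or serve logs only from a location that requires authentication. The user setup copies root's `authorized_keys` verbatim to both new accounts and relies on the default modes from `mkdir`/`cp`; tighten them with `chmod 700 /home/lphares/.ssh` and `chmod 600 /home/lphares/.ssh/authorized_keys` (same for bmiller), and preferably give each person their own key instead of root's set. The file also reads as captured shell history rather than a script — `exit`, `reboot` and the `cat` mid-way would stop or derail a re-run — so if it is meant to be executed it needs a shebang, `set -eu`, and those interactive lines removed.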


@ -46,3 +46,7 @@ require dhcp_server_identifier
#slaac hwaddr #slaac hwaddr
# OR generate Stable Private IPv6 Addresses based from the DUID # OR generate Stable Private IPv6 Addresses based from the DUID
slaac private slaac private
interface enp2s0
static ip_address=192.168.11.2/25
static routers=192.168.11.1
static domain_name_servers=
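Review bot: `static domain_name_servers=` on the last added line is left empty, which as written appears to configure no resolvers for enp2s0 rather than keeping DHCP-supplied ones; if this host is the one running the Pi-hole FTL instance configured elsewhere in this commit, the intended value is probably the local resolver, e.g. `static domain_name_servers=127.0.0.1` (constructed example — confirm against the deployment). The rest of the stanza (`192.168.11.2/25`, router `192.168.11.1`) is internally consistent.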


@ -0,0 +1,39 @@
# Pi-hole: A black hole for Internet advertisements
# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
# Network-wide ad blocking via your own hardware.
#
# Dnsmasq config for Pi-hole's FTLDNS
#
# This file is copyright under the latest version of the EUPL.
# Please see LICENSE file for your rights under this license.
###############################################################################
# FILE AUTOMATICALLY POPULATED BY PI-HOLE INSTALL/UPDATE PROCEDURE. #
# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
# #
# IF YOU WISH TO CHANGE THE UPSTREAM SERVERS, CHANGE THEM IN: #
# /etc/pihole/setupVars.conf #
# #
# ANY OTHER CHANGES SHOULD BE MADE IN A SEPARATE CONFIG FILE #
# WITHIN /etc/dnsmasq.d/yourname.conf #
###############################################################################
addn-hosts=/etc/pihole/local.list
addn-hosts=/etc/pihole/custom.list
localise-queries
no-resolv
log-queries
log-facility=/var/log/pihole/pihole.log
log-async
cache-size=10000
server=127.0.0.1#5335
domain-needed
expand-hosts
bogus-priv
local-service


@ -0,0 +1,42 @@
# Pi-hole: A black hole for Internet advertisements
# (c) 2021 Pi-hole, LLC (https://pi-hole.net)
# Network-wide ad blocking via your own hardware.
#
# RFC 6761 config file for Pi-hole
#
# This file is copyright under the latest version of the EUPL.
# Please see LICENSE file for your rights under this license.
###############################################################################
# FILE AUTOMATICALLY POPULATED BY PI-HOLE INSTALL/UPDATE PROCEDURE. #
# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
# #
# CHANGES SHOULD BE MADE IN A SEPARATE CONFIG FILE #
# WITHIN /etc/dnsmasq.d/yourname.conf #
###############################################################################
# RFC 6761: Caching DNS servers SHOULD recognize
# test, localhost, invalid
# names as special and SHOULD NOT attempt to look up NS records for them, or
# otherwise query authoritative DNS servers in an attempt to resolve these
# names.
server=/test/
server=/localhost/
server=/invalid/
# The same RFC requests something similar for
# 10.in-addr.arpa. 21.172.in-addr.arpa. 27.172.in-addr.arpa.
# 16.172.in-addr.arpa. 22.172.in-addr.arpa. 28.172.in-addr.arpa.
# 17.172.in-addr.arpa. 23.172.in-addr.arpa. 29.172.in-addr.arpa.
# 18.172.in-addr.arpa. 24.172.in-addr.arpa. 30.172.in-addr.arpa.
# 19.172.in-addr.arpa. 25.172.in-addr.arpa. 31.172.in-addr.arpa.
# 20.172.in-addr.arpa. 26.172.in-addr.arpa. 168.192.in-addr.arpa.
# Pi-hole implements this via the dnsmasq option "bogus-priv" (see
# 01-pihole.conf) because this also covers IPv6.
# OpenWRT furthermore blocks bind, local, onion domains
# see https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob_plain;f=package/network/services/dnsmasq/files/rfc6761.conf;hb=HEAD
# and https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml
# We do not include the ".local" rule ourselves, see https://github.com/pi-hole/pi-hole/pull/4282#discussion_r689112972
server=/bind/
server=/onion/


@ -2,7 +2,7 @@ root:x:0:
daemon:x:1: daemon:x:1:
bin:x:2: bin:x:2:
sys:x:3: sys:x:3:
adm:x:4:mike adm:x:4:syslog,phares
tty:x:5: tty:x:5:
disk:x:6: disk:x:6:
lp:x:7: lp:x:7:
@ -15,12 +15,12 @@ kmem:x:15:
dialout:x:20: dialout:x:20:
fax:x:21: fax:x:21:
voice:x:22: voice:x:22:
cdrom:x:24:mike cdrom:x:24:phares
floppy:x:25: floppy:x:25:
tape:x:26: tape:x:26:
sudo:x:27:mike sudo:x:27:phares
audio:x:29: audio:x:29:
dip:x:30:mike dip:x:30:phares
www-data:x:33: www-data:x:33:
backup:x:34: backup:x:34:
operator:x:37: operator:x:37:
@ -31,27 +31,35 @@ shadow:x:42:
utmp:x:43: utmp:x:43:
video:x:44: video:x:44:
sasl:x:45: sasl:x:45:
plugdev:x:46:mike plugdev:x:46:phares
staff:x:50: staff:x:50:
games:x:60: games:x:60:
users:x:100:lphares,bmiller,gogs users:x:100:lphares,bmiller
nogroup:x:65534: nogroup:x:65534:
systemd-journal:x:999: systemd-journal:x:999:
systemd-network:x:998: systemd-network:x:998:
systemd-timesync:x:997: systemd-timesync:x:997:
input:x:101: input:x:996:
sgx:x:102: sgx:x:995:
kvm:x:103: kvm:x:994:
render:x:104: render:x:993:
lxd:x:105:mike lxd:x:101:phares
messagebus:x:106: messagebus:x:102:
systemd-resolve:x:996: systemd-resolve:x:992:
_ssh:x:107: _ssh:x:103:
polkitd:x:995: polkitd:x:991:
netdev:x:108: crontab:x:990:
mike:x:1000: syslog:x:104:
lphares:x:1002:bmiller uuidd:x:105:
bmiller:x:1003: rdma:x:106:
gogs:x:1004: tcpdump:x:107:
snapd-range-524288-root:x:524288: tss:x:108:
snap_daemon:x:584788: landscape:x:109:
fwupd-refresh:x:989:
netdev:x:110:
phares:x:1000:
lphares:x:1001:bmiller
bmiller:x:1002:
pihole:x:1003:www-data
unbound:x:111:
docker:x:988:
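Review bot: `docker:x:988:` is added with an empty member list, which is the state to preserve — membership in the docker group gives control of the daemon socket and is effectively root, the same concern that applies to `lxd:x:101:phares` a few lines up. If the Podman Quadlet path named in the commit title is adopted, remove the docker group rather than leave an unused root-equivalent boundary behind. The second group section below (presumably the `group-` backup copy) lacks this line, which is expected for a backup and not a discrepancy to fix.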


@ -2,7 +2,7 @@ root:x:0:
daemon:x:1: daemon:x:1:
bin:x:2: bin:x:2:
sys:x:3: sys:x:3:
adm:x:4:mike adm:x:4:syslog,phares
tty:x:5: tty:x:5:
disk:x:6: disk:x:6:
lp:x:7: lp:x:7:
@ -15,12 +15,12 @@ kmem:x:15:
dialout:x:20: dialout:x:20:
fax:x:21: fax:x:21:
voice:x:22: voice:x:22:
cdrom:x:24:mike cdrom:x:24:phares
floppy:x:25: floppy:x:25:
tape:x:26: tape:x:26:
sudo:x:27:mike sudo:x:27:phares
audio:x:29: audio:x:29:
dip:x:30:mike dip:x:30:phares
www-data:x:33: www-data:x:33:
backup:x:34: backup:x:34:
operator:x:37: operator:x:37:
@ -31,26 +31,34 @@ shadow:x:42:
utmp:x:43: utmp:x:43:
video:x:44: video:x:44:
sasl:x:45: sasl:x:45:
plugdev:x:46:mike plugdev:x:46:phares
staff:x:50: staff:x:50:
games:x:60: games:x:60:
users:x:100:lphares,bmiller,gogs users:x:100:lphares,bmiller
nogroup:x:65534: nogroup:x:65534:
systemd-journal:x:999: systemd-journal:x:999:
systemd-network:x:998: systemd-network:x:998:
systemd-timesync:x:997: systemd-timesync:x:997:
input:x:101: input:x:996:
sgx:x:102: sgx:x:995:
kvm:x:103: kvm:x:994:
render:x:104: render:x:993:
lxd:x:105:mike lxd:x:101:phares
messagebus:x:106: messagebus:x:102:
systemd-resolve:x:996: systemd-resolve:x:992:
_ssh:x:107: _ssh:x:103:
polkitd:x:995: polkitd:x:991:
netdev:x:108: crontab:x:990:
mike:x:1000: syslog:x:104:
lphares:x:1002:bmiller uuidd:x:105:
bmiller:x:1003: rdma:x:106:
gogs:x:1004: tcpdump:x:107:
snapd-range-524288-root:x:524288: tss:x:108:
landscape:x:109:
fwupd-refresh:x:989:
netdev:x:110:
phares:x:1000:
lphares:x:1001:bmiller
bmiller:x:1002:
pihole:x:1003:www-data
unbound:x:111:


@ -2,7 +2,7 @@ root:*::
daemon:*:: daemon:*::
bin:*:: bin:*::
sys:*:: sys:*::
adm:*::mike adm:*::syslog,phares
tty:*:: tty:*::
disk:*:: disk:*::
lp:*:: lp:*::
@ -15,12 +15,12 @@ kmem:*::
dialout:*:: dialout:*::
fax:*:: fax:*::
voice:*:: voice:*::
cdrom:*::mike cdrom:*::phares
floppy:*:: floppy:*::
tape:*:: tape:*::
sudo:*::mike sudo:*::phares
audio:*:: audio:*::
dip:*::mike dip:*::phares
www-data:*:: www-data:*::
backup:*:: backup:*::
operator:*:: operator:*::
@ -31,27 +31,35 @@ shadow:*::
utmp:*:: utmp:*::
video:*:: video:*::
sasl:*:: sasl:*::
plugdev:*::mike plugdev:*::phares
staff:*:: staff:*::
games:*:: games:*::
users:*::lphares,bmiller,gogs users:*::lphares,bmiller
nogroup:*:: nogroup:*::
systemd-journal:!*:: systemd-journal:!*::
systemd-network:!*:: systemd-network:!*::
systemd-timesync:!*:: systemd-timesync:!*::
input:!:: input:!*::
sgx:!:: sgx:!*::
kvm:!:: kvm:!*::
render:!:: render:!*::
lxd:!::mike lxd:!::phares
messagebus:!:: messagebus:!::
systemd-resolve:!*:: systemd-resolve:!*::
_ssh:!:: _ssh:!::
polkitd:!*:: polkitd:!*::
crontab:!*::
syslog:!::
uuidd:!::
rdma:!::
tcpdump:!::
tss:!::
landscape:!::
fwupd-refresh:!*::
netdev:!:: netdev:!::
mike:!:: phares:!::
lphares:!::bmiller lphares:!::bmiller
bmiller:!:: bmiller:!::
gogs:!:: pihole:!::www-data
snapd-range-524288-root:!:: unbound:!::
snap_daemon:!:: docker:!::


@ -2,7 +2,7 @@ root:*::
daemon:*:: daemon:*::
bin:*:: bin:*::
sys:*:: sys:*::
adm:*::mike adm:*::syslog,phares
tty:*:: tty:*::
disk:*:: disk:*::
lp:*:: lp:*::
@ -15,12 +15,12 @@ kmem:*::
dialout:*:: dialout:*::
fax:*:: fax:*::
voice:*:: voice:*::
cdrom:*::mike cdrom:*::phares
floppy:*:: floppy:*::
tape:*:: tape:*::
sudo:*::mike sudo:*::phares
audio:*:: audio:*::
dip:*::mike dip:*::phares
www-data:*:: www-data:*::
backup:*:: backup:*::
operator:*:: operator:*::
@ -31,26 +31,34 @@ shadow:*::
utmp:*:: utmp:*::
video:*:: video:*::
sasl:*:: sasl:*::
plugdev:*::mike plugdev:*::phares
staff:*:: staff:*::
games:*:: games:*::
users:*::lphares,bmiller,gogs users:*::lphares,bmiller
nogroup:*:: nogroup:*::
systemd-journal:!*:: systemd-journal:!*::
systemd-network:!*:: systemd-network:!*::
systemd-timesync:!*:: systemd-timesync:!*::
input:!:: input:!*::
sgx:!:: sgx:!*::
kvm:!:: kvm:!*::
render:!:: render:!*::
lxd:!::mike lxd:!::phares
messagebus:!:: messagebus:!::
systemd-resolve:!*:: systemd-resolve:!*::
_ssh:!:: _ssh:!::
polkitd:!*:: polkitd:!*::
crontab:!*::
syslog:!::
uuidd:!::
rdma:!::
tcpdump:!::
tss:!::
landscape:!::
fwupd-refresh:!*::
netdev:!:: netdev:!::
mike:!:: phares:!::
lphares:!::bmiller lphares:!::bmiller
bmiller:!:: bmiller:!::
gogs:!:: pihole:!::www-data
snapd-range-524288-root:!:: unbound:!::


@ -1,5 +1,5 @@
127.0.0.1 localhost 127.0.0.1 localhost
127.0.1.1 server 127.0.1.1 beelink
# The following lines are desirable for IPv6 capable hosts # The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback ::1 ip6-localhost ip6-loopback


@ -0,0 +1 @@
5e21cc66989f26ec46116d979421e538131cf8ab33ffff3f682fbfe491b0ace8


@ -0,0 +1 @@
9ba6429597aeed2d8617a7705b56e96d044f64b07971659382e426675105654b


@ -0,0 +1 @@
{"creation_dt": "2024-07-23T03:12:26Z", "creation_host": "beelink"}


@ -0,0 +1 @@
{"n": "tAPgSFbPGk0aKdR6Pk3_0WtZ_YpjzRewuttzTYHV8m8adMKO771G-NMB_zSoYoWmia9s1tj1KCF3P6bnVQzDE3ZbBLfeIFT9GaGCczgDpMEWs6rkWfLWGW93IQoqEJi0f2ati7UpaO22NcnhFAkDmIAyLmaYxv_cTAgeGurv690379v_I38b0rxfw8woGlpfYzvyY_UiEbeK4sMT_TnZdq6ZYgcu770d_ZgYlhstK_jKnumH9G2zaxs3kgRKSoyd8LT4VmLHTIoVT8eEFT1abz0bFo2uPWOaxHtQjI2S8qLEQI9Tg15oy86SPDYDGpY6HfgshasA3Pm9-IUV0tgTUQ", "e": "AQAB", "d": "BzTTX9aNPMMFHvfaJF3OI3kPIQyF7fxaqGcsT3y4-ATcCGn9e7oD58HXSnsj4xgVvjhxc2fODBHwnN-SCcTdvA0B5TUsRWSBmVilbYjM8kEUlNxso4JTldVe7aU-qiKQjPLPwb3euF56oroJMn8hT5O1pWviT0GsUG5P51usEbDu81t_ZZcn-I21Xe9jQ0mXgNsS1c18cX6AlDMhAlm7aw6gUJdrnScbsWp0sDXQiOzLEvwm1ahjUioEtiQiHH1Jsa2mYcuGhrWyrx-Xlt0TzfslocDbHbgCFKPG6XLVBoBbWb4Hm3LBA7naiuEY_Dmi-wQUtHiJELwSu4opkNRxTQ", "p": "23HhNDzEaiDI2Gg2-qxkOBEwCDT9b1If_vGSwZRzPLJBijy5ypXDdtQifCgLEeNJm0CJSa9SZcZjyDZH7_JLFO8bWl1pjf095SwJBK3Sc9uavr8jl-OzAbX_fHOL1ZHhvI4vsBQhc6dsushPFCFEcvaokTuxf8QZUEP0DLsNWh8", "q": "0gCJICISX_tcQ7AmbBsJDFTnU2IqAo3nG0UXcoHSlMXJqkkjjaPo7TZ-CMlt8dbSZX1ekvw8nvRq7tHuNDqflNgfyxt0gHnjkzYowlM83OIMiMbMtV9ddDwYCYGJYZTPEVVRW6s6A1Pb97-2b-IiDoQkdohC0NxhIPM4ntw9xI8", "dp": "ovJ0320gDA48FTWNXaYU5O0eVXnDlp3M1GpdJxEsYK2crSFadGuwsNPkp3y0e5viVD4fs29UJ-6guVJVKH8p8Wl7TiZ-8shQ5ZNFPwwzcYRn66vSqj6R9XtHMwo5k2S30mNiVcUc8dwoiKmkzrXFNfiiQvWoX88lXMyYs7tRttE", "dq": "iNJWhTwNssFnZKaA8hBPPdyXdulPK6jeuRKz6yQQWmPfN3Y9lswDN4I4bWsnmdh37i3Xj3aN3JaskPrv8tF7JZQGauNxbT98-W3g8nMfBV62AetcdpMypUd99buTEaPNoaJvxoTx4Dcj6u_aYlz4CXMo-p1ewwvCsKAm9MHT8Js", "qi": "2VGQ-m3oki_uXi85Ybs2u-4tDFVL7zsFaoYtV8-KMOaYyd6N65kk2EjFWSXRa6BnAqoELEXr0cV9ZJA2YF4WfLQwCLVntyDN6Dc0_9du81qIc_efqBcY_fNMeEfDKAOZkslKIKkWJaP9CAXyI4_ctHdiAhFowdSCcBFTZ2O9xa4", "kty": "RSA"}
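Review bot: This file is an RSA private key in JWK form — the `d`, `p`, `q`, `dp`, `dq` and `qi` members are the private half — committed next to the `meta.json`/`regr.json` of the Let's Encrypt account (`acme/acct/1851917407`), and further down the same commit adds the ECDSA `-----BEGIN PRIVATE KEY-----` block for the phares3757.ddns.net certificate. Once pushed, both must be treated as disclosed: deactivate this ACME account and register a fresh one, revoke the certificate and reissue with a new key, and rewrite history so the blobs are actually gone rather than deleted in a follow-up commit. The renewal config later in the page pins `account = 805d2f39f581c9a2a417db3d91bfc764`, so it needs updating to the replacement account id as part of the same cleanup.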


@ -0,0 +1 @@
{"body": {}, "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/1851917407"}


@ -0,0 +1,25 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,26 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,51 @@
-----BEGIN CERTIFICATE-----
MIIEJzCCA6ygAwIBAgISBLIxc7whwwFJZCApth1UIMcPMAoGCCqGSM49BAMDMDIx
CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF
NjAeFw0yNDA3MjMwMjEzNDhaFw0yNDEwMjEwMjEzNDdaMB4xHDAaBgNVBAMTE3Bo
YXJlczM3NTcuZGRucy5uZXQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQdWJOW
xYvavXWc5dOMmGpaToaiTDrDRZ+oKsywjM/KChalQiNYLUSJqp3Dh5eoRfQ09K50
X6yJOJaQxb0FFzC1o4ICtDCCArAwDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQWMBQG
CCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBScvr8E
AeV+Re+aj/j90JHjpLTkuzAfBgNVHSMEGDAWgBSTJ0aYA6lRaI6Y1sRCSNsjv1iU
0jBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9lNi5vLmxlbmNy
Lm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL2U2LmkubGVuY3Iub3JnLzCBuwYDVR0R
BIGzMIGwgg9hZmZpcm0uZGRucy5uZXSCGGdpdGVhLnBoYXJlcy5kdWNrZG5zLm9y
Z4IZaW1taWNoLnBoYXJlcy5kdWNrZG5zLm9yZ4IYbXVzaWMucGhhcmVzLmR1Y2tk
bnMub3JnghNwaGFyZXMzNzU3LmRkbnMubmV0ghlxdWFydHoucGhhcmVzLmR1Y2tk
bnMub3Jngh52YXVsdHdhcmRlbi5waGFyZXMuZHVja2Rucy5vcmcwEwYDVR0gBAww
CjAIBgZngQwBAgEwggEFBgorBgEEAdZ5AgQCBIH2BIHzAPEAdwBIsONr2qZHNA/l
agL6nTDrHFIBy1bdLIHZu7+rOdiEcwAAAZDdlLOuAAAEAwBIMEYCIQCpfmsaNEgL
DrwdkCY+7NbJayn43Gv4sUjD4arZVJntKgIhAOyuzAjCF9JGPMSqNlSXd83zX89g
eKGUwLWltfIe+zVbAHYAPxdLT9ciR1iUHWUchL4NEu2QN38fhWrrwb8ohez4ZG4A
AAGQ3ZSztwAABAMARzBFAiEA4JYbBt/ZdGzUZk4evX3alv6QobD5D0An4NG0vF5G
JkQCICph30m0Ev4uFpVvLUx1CJlTR/gJMJ+0U8RbE95c9xyYMAoGCCqGSM49BAMD
A2kAMGYCMQCy5ix9dZALkOcFIWoAI0t2UzXBho7+eRGsXfIiLrBfYw8eDALPAglI
glGBo2OmRs8CMQCXQwaoJRZG2IPnVS+0JMDZq2PzhyyV9Tycj77wRrYHwOHWwyA6
9UaLhFqUL/sVdwo=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,5 @@
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgWJ4x7Qxn+VXJXETc
HorPVTm5TMqwASdTvWnGchZodiWhRANCAAQdWJOWxYvavXWc5dOMmGpaToaiTDrD
RZ+oKsywjM/KChalQiNYLUSJqp3Dh5eoRfQ09K50X6yJOJaQxb0FFzC1
-----END PRIVATE KEY-----


@ -0,0 +1,14 @@
This directory contains your keys and certificates.
`[cert name]/privkey.pem` : the private key for your certificate.
`[cert name]/fullchain.pem`: the certificate file used in most server software.
`[cert name]/chain.pem` : used for OCSP stapling in Nginx >=1.3.7.
`[cert name]/cert.pem` : will break many server configurations, and should not be used
without reading further documentation (see link below).
WARNING: DO NOT MOVE OR RENAME THESE FILES!
Certbot expects these files to remain in this location in order
to function properly!
We recommend not moving these files. For more information, see the Certbot
User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.


@ -0,0 +1,14 @@
This directory contains your keys and certificates.
`privkey.pem` : the private key for your certificate.
`fullchain.pem`: the certificate file used in most server software.
`chain.pem` : used for OCSP stapling in Nginx >=1.3.7.
`cert.pem` : will break many server configurations, and should not be used
without reading further documentation (see link below).
WARNING: DO NOT MOVE OR RENAME THESE FILES!
Certbot expects these files to remain in this location in order
to function properly!
We recommend not moving these files. For more information, see the Certbot
User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.


@ -0,0 +1,14 @@
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";


@ -0,0 +1,15 @@
# renew_before_expiry = 30 days
version = 2.11.0
archive_dir = /etc/letsencrypt/archive/phares3757.ddns.net
cert = /etc/letsencrypt/live/phares3757.ddns.net/cert.pem
privkey = /etc/letsencrypt/live/phares3757.ddns.net/privkey.pem
chain = /etc/letsencrypt/live/phares3757.ddns.net/chain.pem
fullchain = /etc/letsencrypt/live/phares3757.ddns.net/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = 805d2f39f581c9a2a417db3d91bfc764
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa


@ -0,0 +1,8 @@
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----


@ -0,0 +1,61 @@
### Documentation
# https://wiki.lighttpd.net/
#
### Configuration Syntax
# https://wiki.lighttpd.net/Docs_Configuration
#
### Configuration Options
# https://wiki.lighttpd.net/Docs_ConfigurationOptions
#
### Debian lighttpd base configuration
server.modules = (
"mod_indexfile",
"mod_access",
"mod_alias",
"mod_redirect",
)
server.document-root = "/var/www/html"
server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
server.errorlog = "/var/log/lighttpd/error.log"
server.pid-file = "/run/lighttpd.pid"
server.username = "www-data"
server.groupname = "www-data"
server.port = 8005
# strict parsing and normalization of URL for consistency and security
# https://wiki.lighttpd.net/Server_http-parseoptsDetails
# (might need to explicitly set "url-path-2f-decode" = "disable"
# if a specific application is encoding URLs inside url-path)
server.http-parseopts = (
"header-strict" => "enable",# default
"host-strict" => "enable",# default
"host-normalize" => "enable",# default
"url-normalize-unreserved"=> "enable",# recommended highly
"url-normalize-required" => "enable",# recommended
"url-ctrls-reject" => "enable",# recommended
"url-path-2f-decode" => "enable",# recommended highly (unless breaks app)
#"url-path-2f-reject" => "enable",
"url-path-dotseg-remove" => "enable",# recommended highly (unless breaks app)
#"url-path-dotseg-reject" => "enable",
#"url-query-20-plus" => "enable",# consistency in query string
"url-invalid-utf8-reject" => "enable",# recommended highly (unless breaks app)
)
index-file.names = ( "index.php", "index.html" )
url.access-deny = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
include_shell "/usr/share/lighttpd/create-mime.conf.pl"
include "/etc/lighttpd/conf-enabled/*.conf"
# default listening port for IPv6 is same as default IPv4 port
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
### Customizations
# customizations should generally be placed in separate files such as
# /etc/lighttpd/conf-available/00_vars.conf # override variables for *.conf
# /etc/lighttpd/conf-available/99_custom.conf # override *.conf settings
# and then enabled using lighty-enable-mod (1)
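Review bot: `server.port = 8005` is the one departure from the Debian base file (whose shipped default is 80), yet the footer of this same file says local customisations belong in `/etc/lighttpd/conf-available/00_vars.conf` or `99_custom.conf`; either move the override there or mark it in place, e.g. `server.port = 8005  # local change: Debian default is 80`. As it stands, a package upgrade that replaces `lighttpd.conf` silently restores port 80 — presumably colliding with whatever else listens there on this host, which the rest of the commit suggests is nginx (inferred, not visible here).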


@ -1,32 +0,0 @@
[req]
default_bits = 2048
default_keyfile = dashkiosk.beelink.server.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Arizona
localityName = Locality Name (eg, city)
localityName_default = Anthem
organizationName = Organization Name (eg, company)
organizationName_default = Phares
organizationalUnitName = organizationalunit
organizationalUnitName_default = Development
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = dashkiosk.beelink.server
commonName_max = 64
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
[alt_names]
DNS.1 = dashkiosk.beelink.server
DNS.10 = localhost
DNS.11 = 127.0.0.1


@ -1,32 +0,0 @@
[req]
default_bits = 2048
default_keyfile = dashkiosk.ddns.net.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Arizona
localityName = Locality Name (eg, city)
localityName_default = Anthem
organizationName = Organization Name (eg, company)
organizationName_default = Phares
organizationalUnitName = organizationalunit
organizationalUnitName_default = Development
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = dashkiosk.ddns.net
commonName_max = 64
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
[alt_names]
DNS.1 = dashkiosk.ddns.net
DNS.10 = localhost
DNS.11 = 127.0.0.1


@ -7,370 +7,35 @@ server {
try_files $uri $uri/ =404; try_files $uri $uri/ =404;
} }
} }
server { include /etc/nginx/include/affirm.conf;
# touch /etc/nginx/sites-available/phares3757.beelink.server.conf # include /etc/nginx/include/ansible.conf;
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/phares3757.beelink.server.key -out /etc/nginx/phares3757.beelink.server.crt -config /etc/nginx/sites-available/phares3757.beelink.server.conf # include /etc/nginx/include/assistant.conf;
ssl_certificate 'phares3757.beelink.server.crt'; # include /etc/nginx/include/casa.conf;
ssl_certificate_key 'phares3757.beelink.server.key'; include /etc/nginx/include/codeserver.conf;
listen 443 ssl http2; include /etc/nginx/include/dashkiosk.conf;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1; include /etc/nginx/include/dockge.conf;
server_name phares3757.beelink.server; # include /etc/nginx/include/docmost.conf;
root /etc/pihole; # include /etc/nginx/include/emby.conf;
autoindex on; # include /etc/nginx/include/filebrowser.conf;
autoindex_format json; # include /etc/nginx/include/gogs.conf;
index index.html index.htm index.nginx-debian.html; include /etc/nginx/include/gitea.conf;
server_name _; include /etc/nginx/include/immich.conf;
location / { include /etc/nginx/include/incus.conf;
try_files $uri $uri/ =404; # include /etc/nginx/include/invoice.conf;
} include /etc/nginx/include/lxconsole.conf;
} include /etc/nginx/include/kestra.conf;
server { include /etc/nginx/include/music.conf;
# touch /etc/nginx/sites-available/dashkiosk.beelink.server.conf # include /etc/nginx/include/nextcloud.conf;
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/dashkiosk.beelink.server.key -out /etc/nginx/dashkiosk.beelink.server.crt -config /etc/nginx/sites-available/dashkiosk.beelink.server.conf # include /etc/nginx/include/owncast.conf;
ssl_certificate 'dashkiosk.beelink.server.crt'; include /etc/nginx/include/phares.conf;
ssl_certificate_key 'dashkiosk.beelink.server.key'; # include /etc/nginx/include/photoprism.conf;
listen 443 ssl http2; # include /etc/nginx/include/pihole.conf;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1; # include /etc/nginx/include/proxmox.conf;
server_name dashkiosk.beelink.server; include /etc/nginx/include/quartz.conf;
location / { # include /etc/nginx/include/readeck.conf;
proxy_set_header Host $host; # include /etc/nginx/include/syncthing.conf;
proxy_set_header X-Real-IP $remote_addr; # include /etc/nginx/include/terraform.conf;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # include /etc/nginx/include/uptimekuma.conf;
proxy_set_header X-Forwarded-Proto $scheme; include /etc/nginx/include/vaultwarden.conf;
proxy_pass http://localhost:9400/; # include /etc/nginx/include/vscodium.conf;
proxy_read_timeout 600s; # include /etc/nginx/include/wekan.conf;
proxy_send_timeout 600s;
}
}
server {
# touch /etc/nginx/sites-available/filebrowser.beelink.server.conf
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/filebrowser.beelink.server.key -out /etc/nginx/filebrowser.beelink.server.crt -config /etc/nginx/sites-available/filebrowser.beelink.server.conf
ssl_certificate 'filebrowser.beelink.server.crt';
ssl_certificate_key 'filebrowser.beelink.server.key';
listen 443 ssl http2;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
server_name filebrowser.beelink.server;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8080/;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
}
}
server {
# touch /etc/nginx/sites-available/gogs3757.beelink.server.conf
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/gogs3757.beelink.server.key -out /etc/nginx/gogs3757.beelink.server.crt -config /etc/nginx/sites-available/gogs3757.beelink.server.conf
ssl_certificate 'gogs3757.beelink.server.crt';
ssl_certificate_key 'gogs3757.beelink.server.key';
listen 443 ssl http2;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
server_name gogs3757.beelink.server;
client_max_body_size 5000m;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:3000/;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
}
}
server {
# touch /etc/nginx/sites-available/immich3757.beelink.server.conf
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/immich3757.beelink.server.key -out /etc/nginx/immich3757.beelink.server.crt -config /etc/nginx/sites-available/immich3757.beelink.server.conf
ssl_certificate 'immich3757.beelink.server.crt';
ssl_certificate_key 'immich3757.beelink.server.key';
listen 443 ssl http2;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
server_name immich3757.beelink.server;
client_max_body_size 50000M;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_redirect off;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
send_timeout 600s;
location / {
proxy_pass http://localhost:3001/;
}
}
server {
# touch /etc/nginx/sites-available/nextcloud3757.beelink.server.conf
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/nextcloud3757.beelink.server.key -out /etc/nginx/nextcloud3757.beelink.server.crt -config /etc/nginx/sites-available/nextcloud3757.beelink.server.conf
ssl_certificate 'nextcloud3757.beelink.server.crt';
ssl_certificate_key 'nextcloud3757.beelink.server.key';
listen 443 ssl http2;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
server_name nextcloud3757.beelink.server;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8081/;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
}
}
server {
# touch /etc/nginx/sites-available/music3757.beelink.server.conf
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/music3757.beelink.server.key -out /etc/nginx/music3757.beelink.server.crt -config /etc/nginx/sites-available/music3757.beelink.server.conf
ssl_certificate 'music3757.beelink.server.crt';
ssl_certificate_key 'music3757.beelink.server.key';
listen 443 ssl http2;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
server_name music3757.beelink.server;
root /var/www/html; # /home/syncthing/Loft-5G;
index index.html index.htm index.nginx-debian.html;
location / {
try_files $uri $uri/ =404;
}
}
server {
# touch /etc/nginx/sites-available/photoprism.beelink.server.conf
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/photoprism.beelink.server.key -out /etc/nginx/photoprism.beelink.server.crt -config /etc/nginx/sites-available/photoprism.beelink.server.conf
ssl_certificate 'photoprism.beelink.server.crt';
ssl_certificate_key 'photoprism.beelink.server.key';
listen 443 ssl http2;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
server_name photoprism.beelink.server;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:2342/;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
}
}
server {
# touch /etc/nginx/sites-available/pi-hole.beelink.server.conf
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/pi-hole.beelink.server.key -out /etc/nginx/pi-hole.beelink.server.crt -config /etc/nginx/sites-available/pi-hole.beelink.server.conf
ssl_certificate 'pi-hole.beelink.server.crt';
ssl_certificate_key 'pi-hole.beelink.server.key';
listen 443 ssl http2;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
server_name pi-hole.beelink.server;
location = / {
return 302 https://$host/admin/;
}
location /admin/ {
proxy_pass http://localhost:8005/admin/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
# touch /etc/nginx/sites-available/syncthing3757.beelink.server.conf
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/syncthing3757.beelink.server.key -out /etc/nginx/syncthing3757.beelink.server.crt -config /etc/nginx/sites-available/syncthing3757.beelink.server.conf
ssl_certificate 'syncthing3757.beelink.server.crt';
ssl_certificate_key 'syncthing3757.beelink.server.key';
listen 443 ssl http2;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
server_name syncthing3757.beelink.server;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8384/;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
}
}
server {
# touch /etc/nginx/sites-available/phares3757.ddns.net.conf
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/phares3757.ddns.net.key -out /etc/nginx/phares3757.ddns.net.crt -config /etc/nginx/sites-available/phares3757.ddns.net.conf
ssl_certificate 'phares3757.ddns.net.crt';
ssl_certificate_key 'phares3757.ddns.net.key';
listen 443 ssl http2;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
server_name phares3757.ddns.net;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:80/;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
}
}
server {
# touch /etc/nginx/sites-available/dashkiosk.ddns.net.conf
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/dashkiosk.ddns.net.key -out /etc/nginx/dashkiosk.ddns.net.crt -config /etc/nginx/sites-available/dashkiosk.ddns.net.conf
ssl_certificate 'dashkiosk.ddns.net.crt';
ssl_certificate_key 'dashkiosk.ddns.net.key';
listen 443 ssl http2;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
server_name dashkiosk.ddns.net;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:9400/;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
}
}
server {
# touch /etc/nginx/sites-available/filebrowser.ddns.net.conf
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/filebrowser.ddns.net.key -out /etc/nginx/filebrowser.ddns.net.crt -config /etc/nginx/sites-available/filebrowser.ddns.net.conf
ssl_certificate 'filebrowser.ddns.net.crt';
ssl_certificate_key 'filebrowser.ddns.net.key';
listen 443 ssl http2;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
server_name filebrowser.ddns.net;
client_max_body_size 5000m;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8080/;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
}
}
server {
# touch /etc/nginx/sites-available/gogs3757.ddns.net.conf
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/gogs3757.ddns.net.key -out /etc/nginx/gogs3757.ddns.net.crt -config /etc/nginx/sites-available/gogs3757.ddns.net.conf
ssl_certificate 'gogs3757.ddns.net.crt';
ssl_certificate_key 'gogs3757.ddns.net.key';
listen 443 ssl http2;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
server_name gogs3757.ddns.net;
client_max_body_size 5000m;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:3000/;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
}
}
server {
# touch /etc/nginx/sites-available/immich3757.ddns.net.conf
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/immich3757.ddns.net.key -out /etc/nginx/immich3757.ddns.net.crt -config /etc/nginx/sites-available/immich3757.ddns.net.conf
ssl_certificate 'immich3757.ddns.net.crt';
ssl_certificate_key 'immich3757.ddns.net.key';
listen 443 ssl http2;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
server_name immich3757.ddns.net;
client_max_body_size 50000M;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_redirect off;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
send_timeout 600s;
location / {
proxy_pass http://localhost:3001/;
}
}
server {
# touch /etc/nginx/sites-available/nextcloud3757.ddns.net.conf
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/nextcloud3757.ddns.net.key -out /etc/nginx/nextcloud3757.ddns.net.crt -config /etc/nginx/sites-available/nextcloud3757.ddns.net.conf
ssl_certificate 'nextcloud3757.ddns.net.crt';
ssl_certificate_key 'nextcloud3757.ddns.net.key';
listen 443 ssl http2;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
server_name nextcloud3757.ddns.net;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8081/;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
}
}
server {
# touch /etc/nginx/sites-available/music3757.ddns.net.conf
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/music3757.ddns.net.key -out /etc/nginx/music3757.ddns.net.crt -config /etc/nginx/sites-available/music3757.ddns.net.conf
ssl_certificate 'music3757.ddns.net.crt';
ssl_certificate_key 'music3757.ddns.net.key';
listen 443 ssl http2;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
server_name music3757.ddns.net;
root /var/www/html; # /home/syncthing/Loft-5G;
index index.html index.htm index.nginx-debian.html;
location / {
try_files $uri $uri/ =404;
}
}
server {
# touch /etc/nginx/sites-available/photoprism.ddns.net.conf
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/photoprism.ddns.net.key -out /etc/nginx/photoprism.ddns.net.crt -config /etc/nginx/sites-available/photoprism.ddns.net.conf
ssl_certificate 'photoprism.ddns.net.crt';
ssl_certificate_key 'photoprism.ddns.net.key';
listen 443 ssl http2;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
server_name photoprism.ddns.net;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:2342/;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
}
}
server {
# touch /etc/nginx/sites-available/pi-hole.ddns.net.conf
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/pi-hole.ddns.net.key -out /etc/nginx/pi-hole.ddns.net.crt -config /etc/nginx/sites-available/pi-hole.ddns.net.conf
ssl_certificate 'pi-hole.ddns.net.crt';
ssl_certificate_key 'pi-hole.ddns.net.key';
listen 443 ssl http2;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
server_name pi-hole.ddns.net;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8005/;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
}
}
server {
# touch /etc/nginx/sites-available/syncthing3757.ddns.net.conf
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/syncthing3757.ddns.net.key -out /etc/nginx/syncthing3757.ddns.net.crt -config /etc/nginx/sites-available/syncthing3757.ddns.net.conf
ssl_certificate 'syncthing3757.ddns.net.crt';
ssl_certificate_key 'syncthing3757.ddns.net.key';
listen 443 ssl http2;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
server_name syncthing3757.ddns.net;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8384/;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
}
}
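Review bot: The new side of this section delegates every virtual host to `include /etc/nginx/include/*.conf` files that are not in this commit view, while the lines it removes (`ssl_protocols TLSv1.2 TLSv1.1 TLSv1;` in each former `server` block) had TLS 1.0 and 1.1 enabled; whether the included files still do cannot be seen here. I would pin the protocol policy once, in a shared snippet every include pulls in, with `ssl_protocols TLSv1.2 TLSv1.3;`, so no per-service file can silently re-enable the legacy versions. Several of the newly included files front administrative surfaces (vaultwarden, incus, lxconsole, dockge, codeserver); if any are reachable on the public `*.ddns.net` names the removed blocks served, they presumably want an `allow`/`deny` source restriction or an upstream authentication gate, which is worth confirming in each include. The hunk starts at line 7 of the file, so the `server` block closed by its first context lines begins outside this view.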


@ -1,32 +0,0 @@
[req]
default_bits = 2048
default_keyfile = filebrowser.beelink.server.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Arizona
localityName = Locality Name (eg, city)
localityName_default = Anthem
organizationName = Organization Name (eg, company)
organizationName_default = Phares
organizationalUnitName = organizationalunit
organizationalUnitName_default = Development
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = filebrowser.beelink.server
commonName_max = 64
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
[alt_names]
DNS.1 = filebrowser.beelink.server
DNS.10 = localhost
DNS.11 = 127.0.0.1


@ -1,32 +0,0 @@
[req]
default_bits = 2048
default_keyfile = filebrowser.ddns.net.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Arizona
localityName = Locality Name (eg, city)
localityName_default = Anthem
organizationName = Organization Name (eg, company)
organizationName_default = Phares
organizationalUnitName = organizationalunit
organizationalUnitName_default = Development
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = filebrowser.ddns.net
commonName_max = 64
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
[alt_names]
DNS.1 = filebrowser.ddns.net
DNS.10 = localhost
DNS.11 = 127.0.0.1


@ -1,32 +0,0 @@
[req]
default_bits = 2048
default_keyfile = gogs3757.beelink.server.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Arizona
localityName = Locality Name (eg, city)
localityName_default = Anthem
organizationName = Organization Name (eg, company)
organizationName_default = Phares
organizationalUnitName = organizationalunit
organizationalUnitName_default = Development
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = gogs3757.beelink.server
commonName_max = 64
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
[alt_names]
DNS.1 = gogs3757.beelink.server
DNS.10 = localhost
DNS.11 = 127.0.0.1


@ -1,32 +0,0 @@
[req]
default_bits = 2048
default_keyfile = gogs3757.ddns.net.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Arizona
localityName = Locality Name (eg, city)
localityName_default = Anthem
organizationName = Organization Name (eg, company)
organizationName_default = Phares
organizationalUnitName = organizationalunit
organizationalUnitName_default = Development
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = gogs3757.ddns.net
commonName_max = 64
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
[alt_names]
DNS.1 = gogs3757.ddns.net
DNS.10 = localhost
DNS.11 = 127.0.0.1


@ -1,32 +0,0 @@
[req]
default_bits = 2048
default_keyfile = immich3757.beelink.server.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Arizona
localityName = Locality Name (eg, city)
localityName_default = Anthem
organizationName = Organization Name (eg, company)
organizationName_default = Phares
organizationalUnitName = organizationalunit
organizationalUnitName_default = Development
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = immich3757.beelink.server
commonName_max = 64
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
[alt_names]
DNS.1 = immich3757.beelink.server
DNS.10 = localhost
DNS.11 = 127.0.0.1


@ -1,32 +0,0 @@
[req]
default_bits = 2048
default_keyfile = immich3757.ddns.net.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Arizona
localityName = Locality Name (eg, city)
localityName_default = Anthem
organizationName = Organization Name (eg, company)
organizationName_default = Phares
organizationalUnitName = organizationalunit
organizationalUnitName_default = Development
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = immich3757.ddns.net
commonName_max = 64
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
[alt_names]
DNS.1 = immich3757.ddns.net
DNS.10 = localhost
DNS.11 = 127.0.0.1


@ -1,32 +0,0 @@
[req]
default_bits = 2048
default_keyfile = music3757.beelink.server.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Arizona
localityName = Locality Name (eg, city)
localityName_default = Anthem
organizationName = Organization Name (eg, company)
organizationName_default = Phares
organizationalUnitName = organizationalunit
organizationalUnitName_default = Development
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = music3757.beelink.server
commonName_max = 64
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
[alt_names]
DNS.1 = music3757.beelink.server
DNS.10 = localhost
DNS.11 = 127.0.0.1


@ -1,32 +0,0 @@
[req]
default_bits = 2048
default_keyfile = music3757.ddns.net.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Arizona
localityName = Locality Name (eg, city)
localityName_default = Anthem
organizationName = Organization Name (eg, company)
organizationName_default = Phares
organizationalUnitName = organizationalunit
organizationalUnitName_default = Development
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = music3757.ddns.net
commonName_max = 64
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
[alt_names]
DNS.1 = music3757.ddns.net
DNS.10 = localhost
DNS.11 = 127.0.0.1


@ -1,32 +0,0 @@
[req]
default_bits = 2048
default_keyfile = nextcloud3757.beelink.server.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Arizona
localityName = Locality Name (eg, city)
localityName_default = Anthem
organizationName = Organization Name (eg, company)
organizationName_default = Phares
organizationalUnitName = organizationalunit
organizationalUnitName_default = Development
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = nextcloud3757.beelink.server
commonName_max = 64
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
[alt_names]
DNS.1 = nextcloud3757.beelink.server
DNS.10 = localhost
DNS.11 = 127.0.0.1


@ -1,32 +0,0 @@
[req]
default_bits = 2048
default_keyfile = nextcloud3757.ddns.net.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Arizona
localityName = Locality Name (eg, city)
localityName_default = Anthem
organizationName = Organization Name (eg, company)
organizationName_default = Phares
organizationalUnitName = organizationalunit
organizationalUnitName_default = Development
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = nextcloud3757.ddns.net
commonName_max = 64
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
[alt_names]
DNS.1 = nextcloud3757.ddns.net
DNS.10 = localhost
DNS.11 = 127.0.0.1


@ -1,32 +0,0 @@
[req]
default_bits = 2048
default_keyfile = phares3757.beelink.server.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Arizona
localityName = Locality Name (eg, city)
localityName_default = Anthem
organizationName = Organization Name (eg, company)
organizationName_default = Phares
organizationalUnitName = organizationalunit
organizationalUnitName_default = Development
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = phares3757.beelink.server
commonName_max = 64
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
[alt_names]
DNS.1 = phares3757.beelink.server
DNS.10 = localhost
DNS.11 = 127.0.0.1


@ -1,32 +0,0 @@
[req]
default_bits = 2048
default_keyfile = phares3757.ddns.net.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Arizona
localityName = Locality Name (eg, city)
localityName_default = Anthem
organizationName = Organization Name (eg, company)
organizationName_default = Phares
organizationalUnitName = organizationalunit
organizationalUnitName_default = Development
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = phares3757.ddns.net
commonName_max = 64
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
[alt_names]
DNS.1 = phares3757.ddns.net
DNS.10 = localhost
DNS.11 = 127.0.0.1


@ -1,32 +0,0 @@
[req]
default_bits = 2048
default_keyfile = photoprism.beelink.server.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Arizona
localityName = Locality Name (eg, city)
localityName_default = Anthem
organizationName = Organization Name (eg, company)
organizationName_default = Phares
organizationalUnitName = organizationalunit
organizationalUnitName_default = Development
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = photoprism.beelink.server
commonName_max = 64
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
[alt_names]
DNS.1 = photoprism.beelink.server
DNS.10 = localhost
DNS.11 = 127.0.0.1


@ -1,32 +0,0 @@
[req]
default_bits = 2048
default_keyfile = photoprism.ddns.net.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Arizona
localityName = Locality Name (eg, city)
localityName_default = Anthem
organizationName = Organization Name (eg, company)
organizationName_default = Phares
organizationalUnitName = organizationalunit
organizationalUnitName_default = Development
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = photoprism.ddns.net
commonName_max = 64
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
[alt_names]
DNS.1 = photoprism.ddns.net
DNS.10 = localhost
DNS.11 = 127.0.0.1


@ -1,32 +0,0 @@
[req]
default_bits = 2048
default_keyfile = pi-hole.beelink.server.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Arizona
localityName = Locality Name (eg, city)
localityName_default = Anthem
organizationName = Organization Name (eg, company)
organizationName_default = Phares
organizationalUnitName = organizationalunit
organizationalUnitName_default = Development
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = pi-hole.beelink.server
commonName_max = 64
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
[alt_names]
DNS.1 = pi-hole.beelink.server
DNS.10 = localhost
DNS.11 = 127.0.0.1


@ -1,32 +0,0 @@
[req]
default_bits = 2048
default_keyfile = pi-hole.ddns.net.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Arizona
localityName = Locality Name (eg, city)
localityName_default = Anthem
organizationName = Organization Name (eg, company)
organizationName_default = Phares
organizationalUnitName = organizationalunit
organizationalUnitName_default = Development
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = pi-hole.ddns.net
commonName_max = 64
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
[alt_names]
DNS.1 = pi-hole.ddns.net
DNS.10 = localhost
DNS.11 = 127.0.0.1


@ -1,32 +0,0 @@
[req]
default_bits = 2048
default_keyfile = syncthing3757.beelink.server.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Arizona
localityName = Locality Name (eg, city)
localityName_default = Anthem
organizationName = Organization Name (eg, company)
organizationName_default = Phares
organizationalUnitName = organizationalunit
organizationalUnitName_default = Development
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = syncthing3757.beelink.server
commonName_max = 64
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
[alt_names]
DNS.1 = syncthing3757.beelink.server
DNS.10 = localhost
DNS.11 = 127.0.0.1


@ -1,32 +0,0 @@
[req]
default_bits = 2048
default_keyfile = syncthing3757.ddns.net.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Arizona
localityName = Locality Name (eg, city)
localityName_default = Anthem
organizationName = Organization Name (eg, company)
organizationName_default = Phares
organizationalUnitName = organizationalunit
organizationalUnitName_default = Development
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = syncthing3757.ddns.net
commonName_max = 64
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
[alt_names]
DNS.1 = syncthing3757.ddns.net
DNS.10 = localhost
DNS.11 = 127.0.0.1


@ -19,15 +19,20 @@ nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
dhcpcd:x:100:65534:DHCP Client Daemon,,,:/usr/lib/dhcpcd:/bin/false dhcpcd:x:100:65534:DHCP Client Daemon,,,:/usr/lib/dhcpcd:/bin/false
messagebus:x:101:106::/nonexistent:/usr/sbin/nologin messagebus:x:101:102::/nonexistent:/usr/sbin/nologin
systemd-resolve:x:996:996:systemd Resolver:/:/usr/sbin/nologin systemd-resolve:x:992:992:systemd Resolver:/:/usr/sbin/nologin
pollinate:x:102:1::/var/cache/pollinate:/bin/false pollinate:x:102:1::/var/cache/pollinate:/bin/false
polkitd:x:995:995:polkit:/nonexistent:/usr/sbin/nologin polkitd:x:991:991:User for polkitd:/:/usr/sbin/nologin
usbmux:x:103:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin syslog:x:103:104::/nonexistent:/usr/sbin/nologin
sshd:x:104:65534::/run/sshd:/usr/sbin/nologin uuidd:x:104:105::/run/uuidd:/usr/sbin/nologin
mike:x:1000:1000:Mike Phares:/home/mike:/bin/bash tcpdump:x:105:107::/nonexistent:/usr/sbin/nologin
lphares:x:1002:1002:Logan Phares,,,:/home/lphares:/bin/bash tss:x:106:108:TPM software stack,,,:/var/lib/tpm:/bin/false
bmiller:x:1003:1003:Bill Miller,,,:/home/bmiller:/bin/bash landscape:x:107:109::/var/lib/landscape:/usr/sbin/nologin
gogs:x:1004:1004:gogs,,,:/home/gogs:/bin/bash fwupd-refresh:x:989:989:Firmware update daemon:/var/lib/fwupd:/usr/sbin/nologin
snapd-range-524288-root:x:524288:524288::/nonexistent:/usr/bin/false usbmux:x:108:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
snap_daemon:x:584788:584788::/nonexistent:/usr/bin/false sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
phares:x:1000:1000:Mike Phares:/home/phares:/bin/bash
lphares:x:1001:1001:Logan Phares,,,:/home/lphares:/bin/bash
bmiller:x:1002:1002:Bill Miller,,,:/home/bmiller:/bin/bash
pihole:x:999:1003::/home/pihole:/usr/sbin/nologin
unbound:x:110:111::/var/lib/unbound:/usr/sbin/nologin


@ -19,14 +19,19 @@ nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
dhcpcd:x:100:65534:DHCP Client Daemon,,,:/usr/lib/dhcpcd:/bin/false dhcpcd:x:100:65534:DHCP Client Daemon,,,:/usr/lib/dhcpcd:/bin/false
messagebus:x:101:106::/nonexistent:/usr/sbin/nologin messagebus:x:101:102::/nonexistent:/usr/sbin/nologin
systemd-resolve:x:996:996:systemd Resolver:/:/usr/sbin/nologin systemd-resolve:x:992:992:systemd Resolver:/:/usr/sbin/nologin
pollinate:x:102:1::/var/cache/pollinate:/bin/false pollinate:x:102:1::/var/cache/pollinate:/bin/false
polkitd:x:995:995:polkit:/nonexistent:/usr/sbin/nologin polkitd:x:991:991:User for polkitd:/:/usr/sbin/nologin
usbmux:x:103:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin syslog:x:103:104::/nonexistent:/usr/sbin/nologin
sshd:x:104:65534::/run/sshd:/usr/sbin/nologin uuidd:x:104:105::/run/uuidd:/usr/sbin/nologin
mike:x:1000:1000:Mike Phares:/home/mike:/bin/bash tcpdump:x:105:107::/nonexistent:/usr/sbin/nologin
lphares:x:1002:1002:Logan Phares,,,:/home/lphares:/bin/bash tss:x:106:108:TPM software stack,,,:/var/lib/tpm:/bin/false
bmiller:x:1003:1003:Bill Miller,,,:/home/bmiller:/bin/bash landscape:x:107:109::/var/lib/landscape:/usr/sbin/nologin
gogs:x:1004:1004:gogs,,,:/home/gogs:/bin/bash fwupd-refresh:x:989:989:Firmware update daemon:/var/lib/fwupd:/usr/sbin/nologin
snapd-range-524288-root:x:524288:524288::/nonexistent:/usr/bin/false usbmux:x:108:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
phares:x:1000:1000:Mike Phares:/home/phares:/bin/bash
lphares:x:1001:1001:Logan Phares,,,:/home/lphares:/bin/bash
bmiller:x:1002:1002:Bill Miller,,,:/home/bmiller:/bin/bash
pihole:x:999:1003::/home/pihole:/usr/sbin/nologin

etc/pihole/dhcp.leases Normal file

etc/pihole/setupVars.conf Normal file

@ -0,0 +1,14 @@
PIHOLE_INTERFACE=enp2s0
QUERY_LOGGING=true
INSTALL_WEB_SERVER=true
INSTALL_WEB_INTERFACE=true
LIGHTTPD_ENABLED=true
CACHE_SIZE=10000
DNS_FQDN_REQUIRED=true
DNS_BOGUS_PRIV=true
DNSMASQ_LISTENING=local
WEBPASSWORD=4f2f4f253d64a90315c0ace8a61b6b6e828f8d8d996b0a0b0e153230617bedd3
BLOCKING_ENABLED=true
PIHOLE_DNS_1=127.0.0.1#5335
DNSSEC=false
REV_SERVER=false
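Review bot: `WEBPASSWORD=4f2f4f…` on the new side commits the Pi-hole admin password hash to the repository; Pi-hole v5 derives this value as an unsalted double SHA-256 of the password, so anyone with read access to the repo can crack it offline at full speed. Strip the value before committing (`WEBPASSWORD=`) or exclude `etc/pihole/setupVars.conf` from the tracked tree, then rotate the password with `pihole -a -p`. The rest is consistent with the unbound drop-in in this commit (`PIHOLE_DNS_1=127.0.0.1#5335`), and `DNSSEC=false` is the usual setting when validation is delegated to unbound rather than done twice.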


@ -1,33 +1,38 @@
root:*:19641:0:99999:7::: root:*:19836:0:99999:7:::
daemon:*:19641:0:99999:7::: daemon:*:19836:0:99999:7:::
bin:*:19641:0:99999:7::: bin:*:19836:0:99999:7:::
sys:*:19641:0:99999:7::: sys:*:19836:0:99999:7:::
sync:*:19641:0:99999:7::: sync:*:19836:0:99999:7:::
games:*:19641:0:99999:7::: games:*:19836:0:99999:7:::
man:*:19641:0:99999:7::: man:*:19836:0:99999:7:::
lp:*:19641:0:99999:7::: lp:*:19836:0:99999:7:::
mail:*:19641:0:99999:7::: mail:*:19836:0:99999:7:::
news:*:19641:0:99999:7::: news:*:19836:0:99999:7:::
uucp:*:19641:0:99999:7::: uucp:*:19836:0:99999:7:::
proxy:*:19641:0:99999:7::: proxy:*:19836:0:99999:7:::
www-data:*:19641:0:99999:7::: www-data:*:19836:0:99999:7:::
backup:*:19641:0:99999:7::: backup:*:19836:0:99999:7:::
list:*:19641:0:99999:7::: list:*:19836:0:99999:7:::
irc:*:19641:0:99999:7::: irc:*:19836:0:99999:7:::
_apt:*:19641:0:99999:7::: _apt:*:19836:0:99999:7:::
nobody:*:19641:0:99999:7::: nobody:*:19836:0:99999:7:::
systemd-network:!*:19641:::::: systemd-network:!*:19836::::::
systemd-timesync:!*:19641:::::: systemd-timesync:!*:19836::::::
dhcpcd:!:19641:::::: dhcpcd:!:19836::::::
messagebus:!:19641:::::: messagebus:!:19836::::::
systemd-resolve:!*:19641:::::: systemd-resolve:!*:19836::::::
pollinate:!:19641:::::: pollinate:!:19836::::::
polkitd:!*:19641:::::: polkitd:!*:19836::::::
usbmux:!:19834:::::: syslog:!:19836::::::
sshd:!:19834:::::: uuidd:!:19836::::::
mike:$6$QRbDvWDeiwqDRfuu$krk4b6ITBDmi/CMIWLAQdBfYmZXzMSbsrzyhEkrIfCC7wLK6mZZ3E7jn1OReEgFTxtx.oVibHh.l5U3jpskZo/:19834:0:99999:7::: tcpdump:!:19836::::::
lphares:$y$j9T$PuVm73wgRxF7.efV0ZbNC/$IjHAHZzMBNr9YPbxF9T0jNhAf0CrHkb3tqmXNKmJWEC:19835:0:99999:7::: tss:!:19836::::::
bmiller:$y$j9T$98wrMjOMoquxT8z19JnsA.$UVr695OobiLESI/H028IMhVHOoKsZzdfyrhCMr3fp1.:19835:0:99999:7::: landscape:!:19836::::::
gogs:$y$j9T$pSEx/jhTuuaKMUAMExHgk/$.ELBs7.03JbQvvYMEHsM4oWddabw673rythGqgp2eE3:19835:0:99999:7::: fwupd-refresh:!*:19836::::::
snapd-range-524288-root:!:19860:::::: usbmux:!:19927::::::
snap_daemon:!:19860:::::: sshd:!:19927::::::
phares:$6$LmgqfVuKR4/5T6by$yxaJ71xy0Exf7laLI6OMkgqabo5r8bzlFPZekwuGRYO8JJMH2tKeTD2W1JOVD0X2pgL5Ob73xB45Vl/lIGYsO.:19927:0:99999:7:::
lphares:$y$j9T$bai9Rz4yLf4MoGt4s6iJB/$rzofcXaHGl0hmnnx1gZwsF4/IoTkcJRA2MX.Tc3E6l6:19927:0:99999:7:::
bmiller:$y$j9T$xqZANIbaE1MCQCukITvTr0$d55.kptZwaAVL4uPmeYm2cygatWo5NG5LW8V833OST1:19927:0:99999:7:::
pihole:!:19927::::::
unbound:!:19927::::::
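Review bot: The new side of this hunk commits live password hashes for `phares` (`$6$`, sha512crypt), `lphares` and `bmiller` (`$y$`, yescrypt) from what is evidently `/etc/shadow`, and the old side carries the earlier `mike` and `gogs` hashes as well; all of them are now offline-crackable by anyone with read access to the repository, and they stay in its history until that history is rewritten. Untrack the file (`git rm --cached` plus an ignore rule), rewrite or re-create the repository if it has been pushed anywhere, and rotate the three passwords, since the hashes should be treated as disclosed regardless. The locked system accounts (`pihole:!`, `unbound:!`) are harmless, and tracking `/etc/passwd` alone would keep the account inventory without any secret material.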


@ -1,32 +1,37 @@
root:*:19641:0:99999:7::: root:*:19836:0:99999:7:::
daemon:*:19641:0:99999:7::: daemon:*:19836:0:99999:7:::
bin:*:19641:0:99999:7::: bin:*:19836:0:99999:7:::
sys:*:19641:0:99999:7::: sys:*:19836:0:99999:7:::
sync:*:19641:0:99999:7::: sync:*:19836:0:99999:7:::
games:*:19641:0:99999:7::: games:*:19836:0:99999:7:::
man:*:19641:0:99999:7::: man:*:19836:0:99999:7:::
lp:*:19641:0:99999:7::: lp:*:19836:0:99999:7:::
mail:*:19641:0:99999:7::: mail:*:19836:0:99999:7:::
news:*:19641:0:99999:7::: news:*:19836:0:99999:7:::
uucp:*:19641:0:99999:7::: uucp:*:19836:0:99999:7:::
proxy:*:19641:0:99999:7::: proxy:*:19836:0:99999:7:::
www-data:*:19641:0:99999:7::: www-data:*:19836:0:99999:7:::
backup:*:19641:0:99999:7::: backup:*:19836:0:99999:7:::
list:*:19641:0:99999:7::: list:*:19836:0:99999:7:::
irc:*:19641:0:99999:7::: irc:*:19836:0:99999:7:::
_apt:*:19641:0:99999:7::: _apt:*:19836:0:99999:7:::
nobody:*:19641:0:99999:7::: nobody:*:19836:0:99999:7:::
systemd-network:!*:19641:::::: systemd-network:!*:19836::::::
systemd-timesync:!*:19641:::::: systemd-timesync:!*:19836::::::
dhcpcd:!:19641:::::: dhcpcd:!:19836::::::
messagebus:!:19641:::::: messagebus:!:19836::::::
systemd-resolve:!*:19641:::::: systemd-resolve:!*:19836::::::
pollinate:!:19641:::::: pollinate:!:19836::::::
polkitd:!*:19641:::::: polkitd:!*:19836::::::
usbmux:!:19834:::::: syslog:!:19836::::::
sshd:!:19834:::::: uuidd:!:19836::::::
mike:$6$QRbDvWDeiwqDRfuu$krk4b6ITBDmi/CMIWLAQdBfYmZXzMSbsrzyhEkrIfCC7wLK6mZZ3E7jn1OReEgFTxtx.oVibHh.l5U3jpskZo/:19834:0:99999:7::: tcpdump:!:19836::::::
lphares:$y$j9T$PuVm73wgRxF7.efV0ZbNC/$IjHAHZzMBNr9YPbxF9T0jNhAf0CrHkb3tqmXNKmJWEC:19835:0:99999:7::: tss:!:19836::::::
bmiller:$y$j9T$98wrMjOMoquxT8z19JnsA.$UVr695OobiLESI/H028IMhVHOoKsZzdfyrhCMr3fp1.:19835:0:99999:7::: landscape:!:19836::::::
gogs:$y$j9T$pSEx/jhTuuaKMUAMExHgk/$.ELBs7.03JbQvvYMEHsM4oWddabw673rythGqgp2eE3:19835:0:99999:7::: fwupd-refresh:!*:19836::::::
snapd-range-524288-root:!:19860:::::: usbmux:!:19927::::::
sshd:!:19927::::::
phares:$6$LmgqfVuKR4/5T6by$yxaJ71xy0Exf7laLI6OMkgqabo5r8bzlFPZekwuGRYO8JJMH2tKeTD2W1JOVD0X2pgL5Ob73xB45Vl/lIGYsO.:19927:0:99999:7:::
lphares:$y$j9T$bai9Rz4yLf4MoGt4s6iJB/$rzofcXaHGl0hmnnx1gZwsF4/IoTkcJRA2MX.Tc3E6l6:19927:0:99999:7:::
bmiller:$y$j9T$xqZANIbaE1MCQCukITvTr0$d55.kptZwaAVL4uPmeYm2cygatWo5NG5LW8V833OST1:19927:0:99999:7:::
pihole:!:19927::::::
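Review bot: This second shadow file carries the same hashes as the first — the `phares`, `lphares` and `bmiller` lines are byte-identical, and the two copies differ only in the missing `unbound` account — so whatever two hosts or snapshots these represent share one set of credentials, and rotating on a single machine would leave the other one exposed with the disclosed hashes. Untrack this file as well and rotate on every host that uses them. An ignore rule that matches the file under any prefix (`**/shadow`, `**/shadow-`) would keep the pattern from recurring as more hosts are added to the tree.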


@ -42,7 +42,7 @@
# #
# Do not accept ICMP redirects (prevent MITM attacks) # Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0 #net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0 #net.ipv4.conf.default.accept_redirects = 0
# _or_ # _or_
# Accept ICMP redirects only for gateways listed in our default # Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default) # gateway list (enabled by default)
@ -51,10 +51,6 @@
# Do not send ICMP redirects (we are not a router) # Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0 #net.ipv4.conf.all.send_redirects = 0
# #
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets # Log Martian Packets
#net.ipv4.conf.all.log_martians = 1 #net.ipv4.conf.all.log_martians = 1
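Review bot: Every hardening line in this hunk is commented out on the new side — `#net.ipv4.conf.all.accept_redirects = 0`, `#net.ipv4.conf.default.accept_redirects = 0`, `#net.ipv4.conf.all.send_redirects = 0`, `#net.ipv4.conf.all.log_martians = 1` — so the change only tracks the distribution's template text and the kernel keeps accepting and sending ICMP redirects; the dropped `accept_source_route` lines were likewise never active. On a box that this commit appears to set up as the LAN's DNS resolver, accepting ICMP redirects is exactly the MITM vector the file's own comment describes, so enable the three redirect settings, preferably in an `/etc/sysctl.d/` drop-in so the stock file can keep following upstream unchanged. The file continues on both sides of this hunk.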
# #


@ -6,9 +6,11 @@
# any later version. # any later version.
# #
# Entries in this file show the compile time defaults. Local configuration # Entries in this file show the compile time defaults. Local configuration
# should be created by either modifying this file, or by creating "drop-ins" in # should be created by either modifying this file (or a copy of it placed in
# the resolved.conf.d/ subdirectory. The latter is generally recommended. # /etc/ if the original file is shipped in /usr/), or by creating "drop-ins" in
# Defaults can be restored by simply deleting this file and all drop-ins. # the /etc/systemd/resolved.conf.d/ directory. The latter is generally
# recommended. Defaults can be restored by simply deleting the main
# configuration file and all drop-ins located in /etc/.
# #
# Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config. # Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.
# #
@ -28,7 +30,8 @@
#LLMNR=no #LLMNR=no
#Cache=no-negative #Cache=no-negative
#CacheFromLocalhost=no #CacheFromLocalhost=no
#DNSStubListener=yes DNSStubListener=no
#DNSStubListenerExtra= #DNSStubListenerExtra=
#ReadEtcHosts=yes #ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no #ResolveUnicastSingleLabel=no
#StaleRetentionSec=0
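Review bot: `DNSStubListener=no` removes the 127.0.0.53 stub, presumably to free port 53 for Pi-hole's dnsmasq on this host, but it is only half of the change: if `/etc/resolv.conf` is still the symlink to `/run/systemd/resolve/stub-resolv.conf`, the host's own lookups will point at a listener that no longer exists. Point it at `/run/systemd/resolve/resolv.conf` or at the Pi-hole address explicitly, and consider an uncommented `DNS=` line here so resolved does not fall back to whatever upstream DHCP handed the link and bypass the filter for local processes. Neither `/etc/resolv.conf` nor a `DNS=` setting appears in this commit, so this is inferred from the hunk alone and worth a one-line comment above `DNSStubListener=no` stating what it depends on.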


@ -1,30 +0,0 @@
[Unit]
Description=Gogs
After=syslog.target
After=network.target
[Service]
# Modify these two values and uncomment them if you have
# repos with lots of files and get an HTTP error 500 because
# of that
###
#LimitMEMLOCK=infinity
#LimitNOFILE=65535
Type=simple
User=gogs
Group=gogs
WorkingDirectory=/home/gogs/gogs
ExecStart=/home/gogs/gogs/gogs web
Restart=always
Environment=USER=gogs HOME=/home/gogs
# Some distributions may not support these hardening directives
# If you cannot start the service due
# to an unknown option, comment out the ones not supported by your version of systemd.
ProtectSystem=full
PrivateDevices=yes
PrivateTmp=yes
NoNewPrivileges=true
[Install]
WantedBy=multi-user.target


@ -0,0 +1,16 @@
[Unit]
# Auto-generated, DO NOT EDIT
Description=Service for snap application certbot.renew
Requires=snap-certbot-3834.mount
Wants=network.target
After=snap-certbot-3834.mount network.target snapd.apparmor.service
X-Snappy=yes
[Service]
EnvironmentFile=-/etc/environment
ExecStart=/usr/bin/snap run --timer="00:00~24:00/2" certbot.renew
SyslogIdentifier=certbot.renew
Restart=no
WorkingDirectory=/var/snap/certbot/3834
TimeoutStopSec=30
Type=oneshot


@ -0,0 +1,14 @@
[Unit]
# Auto-generated, DO NOT EDIT
Description=Timer renew for snap application certbot.renew
Requires=snap-certbot-3834.mount
After=snap-certbot-3834.mount
X-Snappy=yes
[Timer]
Unit=snap.certbot.renew.service
OnCalendar=*-*-* 03:24
OnCalendar=*-*-* 20:15
[Install]
WantedBy=timers.target


@ -1,17 +0,0 @@
[Unit]
# Auto-generated, DO NOT EDIT
Description=Service for snap application immich-distribution.acme
Requires=snap-immich\x2ddistribution-131.mount
Wants=network.target
After=snap-immich\x2ddistribution-131.mount network.target snapd.apparmor.service
X-Snappy=yes
[Service]
EnvironmentFile=-/etc/environment
ExecStart=/usr/bin/snap run --timer="00:00-24:00/2" immich-distribution.acme
SyslogIdentifier=immich-distribution.acme
Restart=on-failure
RestartSec=60
WorkingDirectory=/var/snap/immich-distribution/131
TimeoutStopSec=30
Type=simple


@ -1,14 +0,0 @@
[Unit]
# Auto-generated, DO NOT EDIT
Description=Timer acme for snap application immich-distribution.acme
Requires=snap-immich\x2ddistribution-131.mount
After=snap-immich\x2ddistribution-131.mount
X-Snappy=yes
[Timer]
Unit=snap.immich-distribution.acme.service
OnCalendar=*-*-* 00:00
OnCalendar=*-*-* 12:00
[Install]
WantedBy=timers.target


@ -1,19 +0,0 @@
[Unit]
# Auto-generated, DO NOT EDIT
Description=Service for snap application immich-distribution.haproxy
Requires=snap-immich\x2ddistribution-131.mount
Wants=network.target
After=snap-immich\x2ddistribution-131.mount network.target snapd.apparmor.service
X-Snappy=yes
[Service]
EnvironmentFile=-/etc/environment
ExecStart=/usr/bin/snap run immich-distribution.haproxy
SyslogIdentifier=immich-distribution.haproxy
Restart=on-failure
WorkingDirectory=/var/snap/immich-distribution/131
TimeoutStopSec=30
Type=simple
[Install]
WantedBy=multi-user.target


@ -1,19 +0,0 @@
[Unit]
# Auto-generated, DO NOT EDIT
Description=Service for snap application immich-distribution.immich-machine-learning
Requires=snap-immich\x2ddistribution-131.mount
Wants=network.target
After=snap-immich\x2ddistribution-131.mount network.target snapd.apparmor.service
X-Snappy=yes
[Service]
EnvironmentFile=-/etc/environment
ExecStart=/usr/bin/snap run immich-distribution.immich-machine-learning
SyslogIdentifier=immich-distribution.immich-machine-learning
Restart=on-failure
WorkingDirectory=/var/snap/immich-distribution/131
TimeoutStopSec=30
Type=simple
[Install]
WantedBy=multi-user.target


@ -1,20 +0,0 @@
[Unit]
# Auto-generated, DO NOT EDIT
Description=Service for snap application immich-distribution.immich-microservices
Requires=snap-immich\x2ddistribution-131.mount
Wants=network.target
After=snap-immich\x2ddistribution-131.mount network.target snap.immich-distribution.redis-server.service snap.immich-distribution.postgres.service snap.immich-distribution.immich-server.service snapd.apparmor.service
X-Snappy=yes
[Service]
EnvironmentFile=-/etc/environment
ExecStart=/usr/bin/snap run immich-distribution.immich-microservices
SyslogIdentifier=immich-distribution.immich-microservices
Restart=on-failure
RestartSec=10
WorkingDirectory=/var/snap/immich-distribution/131
TimeoutStopSec=30
Type=simple
[Install]
WantedBy=multi-user.target


@ -1,20 +0,0 @@
[Unit]
# Auto-generated, DO NOT EDIT
Description=Service for snap application immich-distribution.immich-server
Requires=snap-immich\x2ddistribution-131.mount
Wants=network.target
After=snap-immich\x2ddistribution-131.mount network.target snap.immich-distribution.redis-server.service snap.immich-distribution.postgres.service snapd.apparmor.service
X-Snappy=yes
[Service]
EnvironmentFile=-/etc/environment
ExecStart=/usr/bin/snap run immich-distribution.immich-server
SyslogIdentifier=immich-distribution.immich-server
Restart=on-failure
RestartSec=10
WorkingDirectory=/var/snap/immich-distribution/131
TimeoutStopSec=30
Type=simple
[Install]
WantedBy=multi-user.target


@ -1,20 +0,0 @@
[Unit]
# Auto-generated, DO NOT EDIT
Description=Service for snap application immich-distribution.manager
Requires=snap-immich\x2ddistribution-131.mount
Wants=network.target
After=snap-immich\x2ddistribution-131.mount network.target snap.immich-distribution.immich-server.service snap.immich-distribution.immich-microservices.service snapd.apparmor.service
X-Snappy=yes
[Service]
EnvironmentFile=-/etc/environment
ExecStart=/usr/bin/snap run immich-distribution.manager
SyslogIdentifier=immich-distribution.manager
Restart=on-failure
RestartSec=60
WorkingDirectory=/var/snap/immich-distribution/131
TimeoutStopSec=30
Type=simple
[Install]
WantedBy=multi-user.target


@ -1,20 +0,0 @@
[Unit]
# Auto-generated, DO NOT EDIT
Description=Service for snap application immich-distribution.postgres
Requires=snap-immich\x2ddistribution-131.mount
Wants=network.target
After=snap-immich\x2ddistribution-131.mount network.target snapd.apparmor.service
X-Snappy=yes
[Service]
EnvironmentFile=-/etc/environment
ExecStart=/usr/bin/snap run immich-distribution.postgres
SyslogIdentifier=immich-distribution.postgres
Restart=on-failure
RestartSec=10
WorkingDirectory=/var/snap/immich-distribution/131
TimeoutStopSec=30
Type=simple
[Install]
WantedBy=multi-user.target


@ -1,20 +0,0 @@
[Unit]
# Auto-generated, DO NOT EDIT
Description=Service for snap application immich-distribution.redis-server
Requires=snap-immich\x2ddistribution-131.mount
Wants=network.target
After=snap-immich\x2ddistribution-131.mount network.target snapd.apparmor.service
X-Snappy=yes
[Service]
EnvironmentFile=-/etc/environment
ExecStart=/usr/bin/snap run immich-distribution.redis-server
SyslogIdentifier=immich-distribution.redis-server
Restart=on-failure
RestartSec=10
WorkingDirectory=/var/snap/immich-distribution/131
TimeoutStopSec=30
Type=simple
[Install]
WantedBy=multi-user.target


@ -1,20 +0,0 @@
[Unit]
# Auto-generated, DO NOT EDIT
Description=Service for snap application immich-distribution.sync-service
Requires=snap-immich\x2ddistribution-131.mount
Wants=network.target
After=snap-immich\x2ddistribution-131.mount network.target snap.immich-distribution.immich-server.service snapd.apparmor.service
X-Snappy=yes
[Service]
EnvironmentFile=-/etc/environment
ExecStart=/usr/bin/snap run immich-distribution.sync-service
SyslogIdentifier=immich-distribution.sync-service
Restart=on-failure
RestartSec=10
WorkingDirectory=/var/snap/immich-distribution/131
TimeoutStopSec=30
Type=simple
[Install]
WantedBy=multi-user.target


@ -1,9 +1,9 @@
[Unit] [Unit]
# Auto-generated, DO NOT EDIT # Auto-generated, DO NOT EDIT
Description=Service for snap application ubuntu-frame.daemon Description=Service for snap application ubuntu-frame.daemon
Requires=snap-ubuntu\x2dframe-9120.mount Requires=snap-ubuntu\x2dframe-9750.mount
Wants=network.target Wants=network.target
After=snap-ubuntu\x2dframe-9120.mount network.target snapd.apparmor.service After=snap-ubuntu\x2dframe-9750.mount network.target snapd.apparmor.service
X-Snappy=yes X-Snappy=yes
[Service] [Service]
@ -12,7 +12,7 @@ ExecStart=/usr/bin/snap run ubuntu-frame.daemon
SyslogIdentifier=ubuntu-frame.daemon SyslogIdentifier=ubuntu-frame.daemon
Restart=on-failure Restart=on-failure
RestartSec=3 RestartSec=3
WorkingDirectory=/var/snap/ubuntu-frame/9120 WorkingDirectory=/var/snap/ubuntu-frame/9750
TimeoutStopSec=30 TimeoutStopSec=30
Type=simple Type=simple

etc/unbound/unbound.conf Normal file

@ -0,0 +1,10 @@
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"


@ -0,0 +1,66 @@
server:
# If no logfile is specified, syslog is used
# logfile: "/var/log/unbound/unbound.log"
verbosity: 0
interface: 127.0.0.1
port: 5335
do-ip4: yes
do-udp: yes
do-tcp: yes
# May be set to yes if you have IPv6 connectivity
do-ip6: no
# You want to leave this to no unless you have *native* IPv6. With 6to4 and
# Terredo tunnels your web browser should favor IPv4 for the same reasons
prefer-ip6: no
# Use this only when you downloaded the list of primary root servers!
# If you use the default dns-root-data package, unbound will find it automatically
#root-hints: "/var/lib/unbound/root.hints"
# Trust glue only if it is within the server's authority
harden-glue: yes
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
harden-dnssec-stripped: yes
# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id: no
# Reduce EDNS reassembly buffer size.
# IP fragmentation is unreliable on the Internet today, and can cause
# transmission failures when large DNS messages are sent via UDP. Even
# when fragmentation does work, it may not be secure; it is theoretically
# possible to spoof parts of a fragmented DNS message, without easy
# detection at the receiving end. Recently, there was an excellent study
# >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
# by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
# in collaboration with NLnet Labs explored DNS using real world data from the
# the RIPE Atlas probes and the researchers suggested different values for
# IPv4 and IPv6 and in different scenarios. They advise that servers should
# be configured to limit DNS messages sent over UDP to a size that will not
# trigger fragmentation on typical network links. DNS servers can switch
# from UDP to TCP when a DNS response is too big to fit in this limited
# buffer size. This value has also been suggested in DNS Flag Day 2020.
edns-buffer-size: 1232
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch: yes
# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
num-threads: 1
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf: 1m
# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10
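Review bot: `harden-dnssec-stripped: yes` only has an effect if this unbound instance actually validates, and nothing in this drop-in configures a trust anchor (`auto-trust-anchor-file:` or `trust-anchor-file:`); on Debian/Ubuntu that is normally supplied by the packaged `root-auto-trust-anchor-file.conf` in the same directory, which is not shown in this commit. Confirm validation end-to-end with `dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335` (expect SERVFAIL) rather than assuming it from these lines, since the Pi-hole side has `DNSSEC=false` and relies on this resolver to reject bogus answers. Also note that `so-rcvbuf: 1m` is only honoured if `net.core.rmem_max` is at least that large; unbound reports at startup when the request is not granted, and the sysctl change in this commit does not raise it.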

opt/copy/gitea/.env Normal file

@ -0,0 +1,9 @@
GITEA__database__DB_TYPE=postgres
GITEA__database__HOST=postgres:5432
GITEA__database__NAME=gitea
GITEA__database__USER=gitea
GITEA__database__PASSWD=gitea
POSTGRES_USER=gitea
POSTGRES_PASSWORD=gitea
POSTGRES_DB=gitea
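Review bot: `GITEA__database__PASSWD=gitea` and `POSTGRES_PASSWORD=gitea` are a dictionary-word credential committed to the repository alongside the compose file that consumes it. Generate a random value (e.g. `openssl rand -base64 32`), keep `.env` untracked, and commit a `.env.example` with placeholders instead; the Postgres container is not published on a host port in the companion compose file, but the same password is still reachable from any container on the shared network. The three `POSTGRES_*` lines must stay in sync with the `GITEA__database__*` lines and nothing enforces that, so a comment such as `# POSTGRES_* must match GITEA__database__* above` would save a confusing first-boot failure.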


@ -0,0 +1,37 @@
services:
postgres:
environment:
- POSTGRES_USER=${POSTGRES_USER}
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
- POSTGRES_DB=${POSTGRES_DB}
image: postgres:14
restart: always
volumes:
- gitea-postgres:/var/lib/postgresql/data
server:
depends_on:
postgres:
condition: service_started
environment:
- GITEA__database__DB_TYPE=${GITEA__database__DB_TYPE}
- GITEA__database__HOST=${GITEA__database__HOST}
- GITEA__database__NAME=${GITEA__database__NAME}
- GITEA__database__USER=${GITEA__database__USER}
- GITEA__database__PASSWD=${GITEA__database__PASSWD}
image: gitea/gitea:latest-rootless
ports:
- 3000:3000
- 2222:2222
restart: always
volumes:
- gitea-data:/var/lib/gitea
- gitea-config:/etc/gitea
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
volumes:
gitea-config:
driver: local
gitea-data:
driver: local
gitea-postgres:
driver: local
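Review bot: `ports: - 3000:3000` and `- 2222:2222` publish the Gitea web UI and SSH on every host interface; if the web side sits behind the host's reverse proxy, bind it to loopback, `- "127.0.0.1:3000:3000"`, and keep only the SSH port public (quote both mappings either way, since compose port specs are safest as strings). `image: gitea/gitea:latest-rootless` with `restart: always` means an unreviewed major upgrade can be pulled on any recreate; pin a version tag or digest, as the immich compose in this commit already does for its database and redis images. `depends_on` uses `condition: service_started`, so the server can race the database on first boot; add a `pg_isready` healthcheck to `postgres` and switch to `condition: service_healthy`.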

opt/copy/immich/.env Normal file

@ -0,0 +1,22 @@
# You can find documentation for all the supported env variables at https://immich.app/docs/install/environment-variables
# # The location where your uploaded files are stored
# UPLOAD_LOCATION=/opt/stacks/immich/upload
# # The location where your database files are stored
# DB_DATA_LOCATION=/opt/stacks/immich/database
# The location where your external files are stored
EXTERNAL_LOCATION=/home/phares/immich/photos
# To set a timezone, uncomment the next line and change Etc/UTC to a TZ identifier from this list: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
# TZ=Etc/UTC
# The Immich version to use. You can pin this to a specific version like "v1.71.0"
IMMICH_VERSION=release
# Connection secret for postgres. You should change it to a random password
DB_PASSWORD=postgres
# The values below this line do not need to be changed
###################################################################################
DB_USERNAME=postgres
DB_DATABASE_NAME=immich
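Review bot: `DB_PASSWORD=postgres` ships the upstream placeholder unchanged, two lines under the comment telling you to replace it, and it now lives in the repository. Replace it with a generated value and untrack the file; the companion compose passes it straight through as `POSTGRES_PASSWORD`, so the database accepts that default from any container that can reach it on the compose network. `EXTERNAL_LOCATION=/home/phares/immich/photos` is mounted read-only by the compose file, which is the right choice for an external library and worth stating in the comment above it.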


@ -0,0 +1,93 @@
#
# WARNING: Make sure to use the docker-compose.yml of the current release:
#
# https://github.com/immich-app/immich/releases/latest/download/docker-compose.yml
#
# The compose file on main may not be compatible with the latest release.
#
name: immich
networks: {}
services:
database:
command:
- postgres
- -c
- shared_preload_libraries=vectors.so
- -c
- search_path="$$user", public, vectors
- -c
- logging_collector=on
- -c
- max_wal_size=2GB
- -c
- shared_buffers=512MB
- -c
- wal_compression=on
container_name: immich_postgres
environment:
POSTGRES_DB: ${DB_DATABASE_NAME}
POSTGRES_INITDB_ARGS: --data-checksums
POSTGRES_PASSWORD: ${DB_PASSWORD}
POSTGRES_USER: ${DB_USERNAME}
healthcheck:
interval: 5m
start_interval: 30s
start_period: 5m
test: pg_isready --dbname='${DB_DATABASE_NAME}' || exit 1; Chksum="$$(psql
--dbname='${DB_DATABASE_NAME}' --username='${DB_USERNAME}' --tuples-only
--no-align --command='SELECT COALESCE(SUM(checksum_failures), 0) FROM
pg_stat_database')"; echo "checksum failure count is $$Chksum"; [
"$$Chksum" = '0' ] || exit 1
image: docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0
restart: always
volumes:
- postgres-data:/var/lib/postgresql/data
immich-machine-learning:
container_name: immich_machine_learning
env_file:
- .env
# For hardware acceleration, add one of -[armnn, cuda, openvino] to the image tag.
# Example tag: ${IMMICH_VERSION:-release}-cuda
image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
restart: always
# extends: # uncomment this section for hardware acceleration - see https://immich.app/docs/features/ml-hardware-acceleration
# file: hwaccel.ml.yml
# service: cpu # set to one of [armnn, cuda, openvino, openvino-wsl] for accelerated inference - use the `-wsl` version for WSL2 where applicable
volumes:
- model-cache:/cache
immich-server:
container_name: immich_server
depends_on:
- redis
- database
env_file:
- .env
image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
ports:
- 2283:3001
restart: always
# extends:
# file: hwaccel.transcoding.yml
# service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
volumes:
- upload-data:/usr/src/app/upload
- /etc/localtime:/etc/localtime:ro
# - external-data:/usr/src/app/external
- ${EXTERNAL_LOCATION}:/usr/src/app/external:ro
# profiles:
# - donotstart
redis:
container_name: immich_redis
healthcheck:
test: redis-cli ping || exit 1
image: docker.io/redis:6.2-alpine@sha256:d6c2911ac51b289db208767581a5d154544f2b2fe4914ea5056443f62dc6e900
restart: always
volumes:
model-cache: null
postgres-data:
driver: local
upload-data:
driver: local
# external-data:
# driver: local
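Review bot: The `healthcheck.test` value under `database` is a plain scalar wrapped across five lines; YAML folds it into one line, which works today, but any future edit that introduces `: ` or ` #` inside the shell text turns the whole healthcheck into a mapping or a parse error. Write it as a `>-` folded block scalar so the shell's quoting no longer interacts with YAML's. `- 2283:3001` under `immich-server` should be quoted (`"2283:3001"`) and, if the server is only reached through the host's reverse proxy, prefixed with `127.0.0.1:`; the digest pins on the `pgvecto-rs` and `redis` images are good practice and worth extending to the two `${IMMICH_VERSION:-release}` images.
```yaml
    healthcheck:
      # … unchanged: interval / start_interval / start_period …
      test: >-
        pg_isready --dbname='${DB_DATABASE_NAME}' || exit 1;
        Chksum="$$(psql --dbname='${DB_DATABASE_NAME}' --username='${DB_USERNAME}' --tuples-only --no-align --command='SELECT COALESCE(SUM(checksum_failures), 0) FROM pg_stat_database')";
        echo "checksum failure count is $$Chksum";
        [ "$$Chksum" = '0' ] || exit 1
```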


@ -0,0 +1,65 @@
services:
kestra:
command: server standalone --worker-thread=128
depends_on:
postgres:
condition: service_started
environment:
KESTRA_CONFIGURATION: |
datasources:
postgres:
url: jdbc:postgresql://postgres:5432/kestra
driverClassName: org.postgresql.Driver
username: kestra
password: k3str4
kestra:
server:
basic-auth:
enabled: false
username: "admin@kestra.io" # it must be a valid email address
password: kestra
repository:
type: postgres
storage:
type: local
local:
base-path: "/app/storage"
queue:
type: postgres
tasks:
tmp-dir:
path: /tmp/kestra-wd/tmp
url: http://localhost:5002/
image: kestra/kestra:latest-full
ports:
- "5002:8080"
# - "8081:8081"
pull_policy: always
# Note that this is meant for development only. Refer to the documentation for production deployments of Kestra which runs without a root user.
user: "root"
volumes:
- kestra-data:/app/storage
- /var/run/docker.sock:/var/run/docker.sock
- /tmp/kestra-wd:/tmp/kestra-wd
postgres:
environment:
POSTGRES_DB: kestra
POSTGRES_PASSWORD: k3str4
POSTGRES_USER: kestra
healthcheck:
interval: 30s
retries: 10
test:
[
"CMD-SHELL",
"pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"
]
timeout: 10s
image: postgres
volumes:
- postgres-data:/var/lib/postgresql/data
volumes:
kestra-data:
driver: local
postgres-data:
driver: local
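Review bot: `basic-auth: enabled: false` together with `ports: - "5002:8080"` publishes an unauthenticated Kestra UI on every host interface, and the same service runs as `user: "root"` with `/var/run/docker.sock` mounted — anyone who can reach port 5002 can define a flow that uses the socket (presumably what the mount is for), which is root on the host. At minimum set `enabled: true` with a real password in place of the `kestra` placeholder and bind the port to loopback, `- "127.0.0.1:5002:8080"`, leaving exposure to the reverse proxy; the file's own comment already says this layout is development-only. `password: k3str4` appears twice in plain text, so move both copies into an untracked env file. `image: kestra/kestra:latest-full` with `pull_policy: always` re-pulls an unpinned tag on every start; pin a version tag for supply-chain predictability.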


@ -0,0 +1,15 @@
networks: {}
services:
lxconsole:
image: penninglabs/lxconsole:latest
ports:
- 5004:5000
restart: unless-stopped
volumes:
- certs:/opt/lxconsole/certs
- server:/opt/lxconsole/instance
volumes:
certs:
driver: local
server:
driver: local
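Review bot: `penninglabs/lxconsole:latest` is unpinned and `- 5004:5000` publishes the console on all interfaces; whatever the `certs` volume holds (presumably the client certificates the console uses to authenticate to its LXD/Incus hosts) makes this container a pivot to every host it manages, so an exposed login page has a larger blast radius than the UI itself. Bind it to loopback, `- "127.0.0.1:5004:5000"`, unless LAN access is intentional, and pin the image tag or digest. `networks: {}` at the top is a no-op and can be dropped.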

opt/copy/wekan/compose.yaml Normal file

@ -0,0 +1,780 @@
# Note: Do not add single quotes '' to variables. Having spaces still works without quotes where required.
#---------------------------------------------------------------------------------------------------------
# ==== CREATING USERS AND LOGGING IN TO WEKAN ====
# https://github.com/wekan/wekan/wiki/Adding-users
#---------------------------------------------------------------------------------------------------------
# ==== FORGOT PASSWORD ====
# https://github.com/wekan/wekan/wiki/Forgot-Password
#---------------------------------------------------------------------------------------------------------
# ==== Upgrading Wekan to new version =====
# NOTE: MongoDB has changed from 3.x to 4.x, in that case you need backup/restore with --noIndexRestore
# see https://github.com/wekan/wekan/wiki/Backup
# 1) Stop Wekan:
# docker-compose stop
# 2) Remove old Wekan app (wekan-app only, not that wekan-db container that has all your data)
# docker rm wekan-app
# 3) Get newest docker-compose.yml from https://github.com/wekan/wekan to have correct image,
# for example: "image: quay.io/wekan/wekan" or version tag "image: quay.io/wekan/wekan:v4.52"
# 4) Start Wekan:
# docker-compose up -d
#----------------------------------------------------------------------------------
# ==== OPTIONAL: DEDICATED DOCKER USER ====
# 1) Optionally create a dedicated user for Wekan, for example:
# sudo useradd -d /home/wekan -m -s /bin/bash wekan
# 2) Add this user to the docker group, then logout+login or reboot:
# sudo usermod -aG docker wekan
# 3) Then login as user wekan.
# 4) Create this file /home/wekan/docker-compose.yml with your modifications.
#----------------------------------------------------------------------------------
# ==== RUN DOCKER AS SERVICE ====
# 1a) Running Docker as service, on Systemd like Debian 9, Ubuntu 16.04, CentOS 7:
# sudo systemctl enable docker
# sudo systemctl start docker
# 1b) Running Docker as service, on init.d like Debian 8, Ubuntu 14.04, CentOS 6:
# sudo update-rc.d docker defaults
# sudo service docker start
# ----------------------------------------------------------------------------------
# ==== USAGE OF THIS docker-compose.yml ====
# 1) For seeing does Wekan work, try this and check with your web browser:
# docker-compose up
# 2) Stop Wekan and start Wekan in background:
# docker-compose stop
# docker-compose up -d
# 3) See running Docker containers:
# docker ps
# 4) Stop Docker containers:
# docker-compose stop
# ----------------------------------------------------------------------------------
# ===== INSIDE DOCKER CONTAINERS, AND BACKUP/RESTORE ====
# https://github.com/wekan/wekan/wiki/Backup
# If really necessary, repair MongoDB: https://github.com/wekan/wekan-mongodb/issues/6#issuecomment-424004116
# 1) Going inside containers:
# a) Wekan app, does not contain data
# docker exec -it wekan-app bash
# b) MongoDB, contains all data
# docker exec -it wekan-db bash
# 2) Copying database to outside of container:
# docker exec -it wekan-db bash
# cd /data
# mongodump
# exit
# docker cp wekan-db:/data/dump .
# 3) Restoring database
# # 1) Stop wekan
# docker stop wekan-app
# # 2) Go inside database container
# docker exec -it wekan-db bash
# # 3) and data directory
# cd /data
# # 4) Remove previous dump
# rm -rf dump
# # 5) Exit db container
# exit
# # 6) Copy dump to inside docker container
# docker cp dump wekan-db:/data/
# # 7) Go inside database container
# docker exec -it wekan-db bash
# # 8) and data directory
# cd /data
# # 9) Restore
# mongorestore --drop
# # 10) Exit db container
# exit
# # 11) Start wekan
# docker start wekan-app
#-------------------------------------------------------------------------
services:
wekandb:
#-------------------------------------------------------------------------------------
# ==== MONGODB FROM DOCKER HUB ====
image: mongo:6
#-------------------------------------------------------------------------------------
container_name: wekan-db
restart: always
# command: mongod --oplogSize 128
# Syslog: mongod --syslog --oplogSize 128 --quiet
# Disable MongoDB logs:
command: mongod --logpath /dev/null --oplogSize 128 --quiet
networks:
- wekan-tier
expose:
- 27017
volumes:
- /etc/localtime:/etc/localtime:ro
- wekan-db:/data/db
- wekan-db-dump:/dump
#- /etc/timezone:/etc/timezone:ro # Do not use https://github.com/wekan/wekan/issues/5123
wekan:
#-------------------------------------------------------------------------------------
# ==== WEKAN FROM GITHUB/QUAY/DOCKER HUB ====
# All of GitHub, Quay and Docker Hub have latest, but because
# latest tag changes when is newest release,
# when upgrading would be better to use version tag.
# a) Using specific version tag is better:
# image: ghcr.io/wekan/wekan:v6.89
# image: quay.io/wekan/wekan:v6.89
# image: wekanteam/wekan:v6.89
# b) GitHub Container registry.
# b1) Latest release tag:
image: ghcr.io/wekan/wekan:latest
# b2) Newest git commit automatic build:
#image: ghcr.io/wekan/wekan:main
# c) Quay:
#image: quay.io/wekan/wekan:latest
# d) Docker Hub:
#image: wekanteam/wekan:latest
#-------------------------------------------------------------------------------------
container_name: wekan-app
# On CentOS 7 there is seccomp issue with glibc 6,
# so CentOS 7 users shoud use these security_opt seccomp:unconfined
# settings to get WeKan working. See:
# - https://github.com/wekan/wekan/issues/4585
# - https://github.com/wekan/wekan/issues/4587
#security_opt:
# - seccomp:unconfined
restart: always
networks:
- wekan-tier
#-------------------------------------------------------------------------------------
# ==== BUILD wekan-app DOCKER CONTAINER FROM SOURCE, if you uncomment these ====
# ==== and use commands: docker-compose up -d --build
#build:
# context: .
# dockerfile: Dockerfile
#-------------------------------------------------------------------------------------
ports:
# Docker outsideport:insideport. Do not add anything extra here.
# For example, if you want to have wekan on port 3001,
# use 3001:8080 . Do not add any extra address etc here, that way it does not work.
# remove port mapping if you use nginx reverse proxy, port 8080 is already exposed to wekan-tier network
- 5003:8080
environment:
#-----------------------------------------------------------------
# ==== WRITEABLE PATH FOR FILE UPLOADS ====
- WRITABLE_PATH=/data
#-----------------------------------------------------------------
# ==== AWS S3 FOR FILES ====
# Any region. For example:
# us-standard,us-west-1,us-west-2,
# eu-west-1,eu-central-1,
# ap-southeast-1,ap-northeast-1,sa-east-1
#
#- S3='{"s3":{"key": "xxx", "secret": "xxx", "bucket": "xxx", "region": "xxx"}}'
#-----------------------------------------------------------------
# ==== MONGO_URL ====
- MONGO_URL=mongodb://wekandb:27017/wekan
#---------------------------------------------------------------
# ==== ROOT_URL SETTING ====
# Change ROOT_URL to your real Wekan URL, for example:
# If you have Caddy/Nginx/Apache providing SSL
# - https://example.com
# - https://boards.example.com
# This can be problematic with avatars https://github.com/wekan/wekan/issues/1776
# - https://example.com/wekan
# If without https, can be only wekan node, no need for Caddy/Nginx/Apache if you don't need them
# - http://example.com
# - http://boards.example.com
# - http://192.168.1.100 <=== using at local LAN
- ROOT_URL=http://localhost # <=== using only at same laptop/desktop where Wekan is installed
#---------------------------------------------------------------
# ==== EMAIL SETTINGS ====
# Email settings are only at MAIL_URL and MAIL_FROM.
# Admin Panel has test button, but it's not used for settings.
# see https://github.com/wekan/wekan/wiki/Troubleshooting-Mail
# For SSL in email, change smtp:// to smtps://
# NOTE: Special characters need to be url-encoded in MAIL_URL.
# You can encode those characters for example at: https://www.urlencoder.org
#- MAIL_URL=smtp://user:pass@mailserver.example.com:25/
- MAIL_URL=smtp://<mail_url>:25/?ignoreTLS=true&tls={rejectUnauthorized:false}
- MAIL_FROM=Wekan Notifications <noreply.wekan@mydomain.com>
# Currently MAIL_SERVICE is not in use.
#- MAIL_SERVICE=Outlook365
#- MAIL_SERVICE_USER=firstname.lastname@hotmail.com
#- MAIL_SERVICE_PASSWORD=SecretPassword
#---------------------------------------------------------------
# https://github.com/wekan/wekan/issues/3585#issuecomment-1021522132
# Add more Node heap, this is done by default at Dockerfile:
# - NODE_OPTIONS="--max_old_space_size=4096"
# Add more stack, this is done at Dockerfile:
# bash -c "ulimit -s 65500; exec node --stack-size=65500 main.js"
#---------------------------------------------------------------
# ==== OPTIONAL: MONGO OPLOG SETTINGS =====
# https://github.com/wekan/wekan-mongodb/issues/2#issuecomment-378343587
# We've fixed our CPU usage problem today with an environment
# change around Wekan. I wasn't aware during implementation
# that if you're using more than 1 instance of Wekan
# (or any MeteorJS based tool) you're supposed to set
# MONGO_OPLOG_URL as an environment variable.
# Without setting it, Meteor will perform a poll-and-diff
# update of it's dataset. With it, Meteor will update from
# the OPLOG. See here
# https://blog.meteor.com/tuning-meteor-mongo-livedata-for-scalability-13fe9deb8908
# After setting
# MONGO_OPLOG_URL=mongodb://<username>:<password>@<mongoDbURL>/local?authSource=admin&replicaSet=rsWekan
# the CPU usage for all Wekan instances dropped to an average
# of less than 10% with only occasional spikes to high usage
# (I guess when someone is doing a lot of work)
# - MONGO_OPLOG_URL=mongodb://<username>:<password>@<mongoDbURL>/local?authSource=admin&replicaSet=rsWekan
#---------------------------------------------------------------
# ==== OPTIONAL: KADIRA PERFORMANCE MONITORING FOR METEOR ====
# https://github.com/edemaine/kadira-compose
# https://github.com/meteor/meteor-apm-agent
# https://blog.meteor.com/kadira-apm-is-now-open-source-490469ffc85f
#- APM_OPTIONS_ENDPOINT=http://<kadira-ip>:11011
#- APM_APP_ID=
#- APM_APP_SECRET=
#---------------------------------------------------------------
# ==== OPTIONAL: LOGS AND STATS ====
# https://github.com/wekan/wekan/wiki/Logs
#
# Daily export of Wekan changes as JSON to Logstash and ElasticSearch / Kibana (ELK)
# https://github.com/wekan/wekan-logstash
#
# Statistics Python script for Wekan Dashboard
# https://github.com/wekan/wekan-stats
#
# Console, file, and zulip logger on database changes https://github.com/wekan/wekan/pull/1010
# with fix to replace console.log by winston logger https://github.com/wekan/wekan/pull/1033
# but there could be bug https://github.com/wekan/wekan/issues/1094
#
# There is Feature Request: Logging date and time of all activity with summary reports,
# and requesting reason for changing card to other column https://github.com/wekan/wekan/issues/1598
#---------------------------------------------------------------
# ==== NUMBER OF SEARCH RESULTS PER PAGE BY DEFAULT ====
#- RESULTS_PER_PAGE=20
#---------------------------------------------------------------
# ==== AFTER OIDC LOGIN, ADD USERS AUTOMATICALLY TO THIS BOARD ID ====
# https://github.com/wekan/wekan/pull/5098
#- DEFAULT_BOARD_ID=abcd1234
#---------------------------------------------------------------
# ==== WEKAN API AND EXPORT BOARD ====
# Wekan Export Board works when WITH_API=true.
# https://github.com/wekan/wekan/wiki/REST-API
# https://github.com/wekan/wekan-gogs
# If you disable Wekan API with false, Export Board does not work.
- WITH_API=true
#---------------------------------------------------------------
# ==== PASSWORD BRUTE FORCE PROTECTION ====
#https://atmospherejs.com/lucasantoniassi/accounts-lockout
#Defaults below. Uncomment to change. wekan/server/accounts-lockout.js
#- ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURES_BEFORE=3
#- ACCOUNTS_LOCKOUT_KNOWN_USERS_PERIOD=60
#- ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURE_WINDOW=15
#- ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURES_BERORE=3
#- ACCOUNTS_LOCKOUT_UNKNOWN_USERS_LOCKOUT_PERIOD=60
#- ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURE_WINDOW=15
#---------------------------------------------------------------
# ==== ACCOUNT OPTIONS ====
# https://docs.meteor.com/api/accounts-multi.html#AccountsCommon-config
# Defaults below. Uncomment to change. wekan/server/accounts-common.js
# - ACCOUNTS_COMMON_LOGIN_EXPIRATION_IN_DAYS=90
#---------------------------------------------------------------
# ==== RICH TEXT EDITOR IN CARD COMMENTS ====
# https://github.com/wekan/wekan/pull/2560
- RICHER_CARD_COMMENT_EDITOR=false
#---------------------------------------------------------------
# ==== CARD OPENED, SEND WEBHOOK MESSAGE ====
# https://github.com/wekan/wekan/issues/2518
- CARD_OPENED_WEBHOOK_ENABLED=false
#---------------------------------------------------------------
# ==== Allow configuration to validate uploaded attachments ====
#-ATTACHMENTS_UPLOAD_EXTERNAL_PROGRAM=/usr/local/bin/avscan {file}
#-ATTACHMENTS_UPLOAD_MIME_TYPES=image/*,text/*
#-ATTACHMENTS_UPLOAD_MAX_SIZE=5000000
#---------------------------------------------------------------
# ==== Allow configuration to validate uploaded avatars ====
#-AVATARS_UPLOAD_EXTERNAL_PROGRAM=/usr/local/bin/avscan {file}
#-AVATARS_UPLOAD_MIME_TYPES=image/*
#-AVATARS_UPLOAD_MAX_SIZE=500000
#---------------------------------------------------------------
# ==== Allow to shrink attached/pasted image ====
# https://github.com/wekan/wekan/pull/2544
#- MAX_IMAGE_PIXEL=1024
#- IMAGE_COMPRESS_RATIO=80
#---------------------------------------------------------------
# ==== NOTIFICATION TRAY AFTER READ DAYS BEFORE REMOVE =====
# Number of days after a notification is read before we remove it.
# Default: 2
#- NOTIFICATION_TRAY_AFTER_READ_DAYS_BEFORE_REMOVE=2
#---------------------------------------------------------------
# ==== BIGEVENTS DUE ETC NOTIFICATIONS =====
# https://github.com/wekan/wekan/pull/2541
# Introduced a system env var BIGEVENTS_PATTERN default as "NONE",
# so any activityType matches the pattern, system will send out
# notifications to all board members no matter they are watching
# or tracking the board or not. Owner of the wekan server can
# disable the feature by setting this variable to "NONE" or
# change the pattern to any valid regex. i.e. '|' delimited
# activityType names.
# a) Example
#- BIGEVENTS_PATTERN=due
# b) All
#- BIGEVENTS_PATTERN=received|start|due|end
# c) Disabled
- BIGEVENTS_PATTERN=NONE
#---------------------------------------------------------------
# ==== EMAIL DUE DATE NOTIFICATION =====
# https://github.com/wekan/wekan/pull/2536
# System timelines will be showing any user modification for
# dueat startat endat receivedat, also notification to
# the watchers and if any card is due, about due or past due.
#
# Notify due days, default is None, 2 days before and on the event day
#- NOTIFY_DUE_DAYS_BEFORE_AND_AFTER=2,0
#
# Notify due at hour of day. Default every morning at 8am. Can be 0-23.
# If env variable has parsing error, use default. Notification sent to watchers.
#- NOTIFY_DUE_AT_HOUR_OF_DAY=8
#-----------------------------------------------------------------
# ==== EMAIL NOTIFICATION TIMEOUT, ms =====
# Default: 30000 ms = 30s
#- EMAIL_NOTIFICATION_TIMEOUT=30000
#-----------------------------------------------------------------
# ==== CORS =====
# CORS: Set Access-Control-Allow-Origin header.
#- CORS=*
# CORS_ALLOW_HEADERS: Set Access-Control-Allow-Headers header. "Authorization,Content-Type" is required for cross-origin use of the API.
#- CORS_ALLOW_HEADERS=Authorization,Content-Type
# CORS_EXPOSE_HEADERS: Set Access-Control-Expose-Headers header. This is not needed for typical CORS situations
#- CORS_EXPOSE_HEADERS=*
#-----------------------------------------------------------------
# ==== MATOMO INTEGRATION ====
# Optional: Integration with Matomo https://matomo.org that is installed to your server
# The address of the server where Matomo is hosted.
#- MATOMO_ADDRESS=https://example.com/matomo
# The value of the site ID given in Matomo server for Wekan
#- MATOMO_SITE_ID=1
# The option do not track which enables users to not be tracked by matomo
#- MATOMO_DO_NOT_TRACK=true
# The option that allows matomo to retrieve the username:
#- MATOMO_WITH_USERNAME=true
#-----------------------------------------------------------------
# ==== BROWSER POLICY AND TRUSTED IFRAME URL ====
# Enable browser policy and allow one trusted URL that can have iframe that has Wekan embedded inside.
# Setting this to false is not recommended, it also disables all other browser policy protections
# and allows all iframing etc. See wekan/server/policy.js
- BROWSER_POLICY_ENABLED=true
# When browser policy is enabled, HTML code at this Trusted URL can have iframe that embeds Wekan inside.
#- TRUSTED_URL=https://intra.example.com
#-----------------------------------------------------------------
# ==== METRICS ALLOWED IP ADDRESSES ====
# https://github.com/wekan/wekan/wiki/Metrics
#- METRICS_ALLOWED_IP_ADDRESSES=192.168.0.100,192.168.0.200
#-----------------------------------------------------------------
# ==== OUTGOING WEBHOOKS ====
# What to send to Outgoing Webhook, or leave out. If commented out the default values will be: cardId,listId,oldListId,boardId,comment,user,card,commentId,swimlaneId,customerField,customFieldValue
#- WEBHOOKS_ATTRIBUTES=cardId,listId,oldListId,boardId,comment,user,card,board,list,swimlane,commentId
#-----------------------------------------------------------------
# ==== Debug OIDC OAuth2 etc ====
#- DEBUG=true
#---------------------------------------------
# ==== AUTOLOGIN WITH OIDC/OAUTH2 ====
# https://github.com/wekan/wekan/wiki/autologin
#- OIDC_REDIRECTION_ENABLED=true
#-----------------------------------------------------------------
# ==== OAUTH2 ORACLE on premise identity manager OIM ====
#- ORACLE_OIM_ENABLED=true
#-----------------------------------------------------------------
# ==== OAUTH2 AZURE ====
# https://github.com/wekan/wekan/wiki/Azure
# 1) Register the application with Azure. Make sure you capture
# the application ID as well as generate a secret key.
# 2) Configure the environment variables. This differs slightly
# by installation type, but make sure you have the following:
#- OAUTH2_ENABLED=true
# Optional OAuth2 CA Cert, see https://github.com/wekan/wekan/issues/3299
#- OAUTH2_CA_CERT=ABCD1234
# Use OAuth2 ADFS additional changes. Also needs OAUTH2_ENABLED=true setting.
#- OAUTH2_ADFS_ENABLED=false
# Azure AD B2C. https://github.com/wekan/wekan/issues/5242
#- OAUTH2_B2C_ENABLED=false
# OAuth2 login style: popup or redirect.
#- OAUTH2_LOGIN_STYLE=redirect
# Application GUID captured during app registration:
#- OAUTH2_CLIENT_ID=xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
# Secret key generated during app registration:
#- OAUTH2_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
#- OAUTH2_SERVER_URL=https://login.microsoftonline.com/
#- OAUTH2_AUTH_ENDPOINT=/oauth2/v2.0/authorize
#- OAUTH2_USERINFO_ENDPOINT=https://graph.microsoft.com/oidc/userinfo
#- OAUTH2_TOKEN_ENDPOINT=/oauth2/v2.0/token
# The claim name you want to map to the unique ID field:
#- OAUTH2_ID_MAP=email
# The claim name you want to map to the username field:
#- OAUTH2_USERNAME_MAP=email
# The claim name you want to map to the full name field:
#- OAUTH2_FULLNAME_MAP=name
# The claim name you want to map to the email field:
#- OAUTH2_EMAIL_MAP=email
#-----------------------------------------------------------------
# ==== OAUTH2 Nextcloud ====
# 1) Register the application with Nextcloud: https://your.nextcloud/index.php/settings/admin/security
# Make sure you capture the application ID as well as generate a secret key.
# Use https://your.wekan/_oauth/oidc for the redirect URI.
# 2) Configure the environment variables. This differs slightly
# by installation type, but make sure you have the following:
#- OAUTH2_ENABLED=true
# OAuth2 login style: popup or redirect.
#- OAUTH2_LOGIN_STYLE=redirect
# Application GUID captured during app registration:
#- OAUTH2_CLIENT_ID=xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
# Secret key generated during app registration:
#- OAUTH2_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
#- OAUTH2_SERVER_URL=https://your-nextcloud.tld
#- OAUTH2_AUTH_ENDPOINT=/index.php/apps/oauth2/authorize
#- OAUTH2_USERINFO_ENDPOINT=/ocs/v2.php/cloud/user?format=json
#- OAUTH2_TOKEN_ENDPOINT=/index.php/apps/oauth2/api/v1/token
# The claim name you want to map to the unique ID field:
#- OAUTH2_ID_MAP=id
# The claim name you want to map to the username field:
#- OAUTH2_USERNAME_MAP=id
# The claim name you want to map to the full name field:
#- OAUTH2_FULLNAME_MAP=display-name
# The claim name you want to map to the email field:
#- OAUTH2_EMAIL_MAP=email
#-----------------------------------------------------------------
# ==== OAUTH2 KEYCLOAK ====
# https://github.com/wekan/wekan/wiki/Keycloak <== MAPPING INFO, REQUIRED
#- OAUTH2_ENABLED=true
# OAuth2 login style: popup or redirect.
#- OAUTH2_LOGIN_STYLE=redirect
#- OAUTH2_CLIENT_ID=<Keycloak create Client ID>
#- OAUTH2_SERVER_URL=<Keycloak server name>/auth
#- OAUTH2_AUTH_ENDPOINT=/realms/<keycloak realm>/protocol/openid-connect/auth
#- OAUTH2_USERINFO_ENDPOINT=/realms/<keycloak realm>/protocol/openid-connect/userinfo
#- OAUTH2_TOKEN_ENDPOINT=/realms/<keycloak realm>/protocol/openid-connect/token
#- OAUTH2_SECRET=<keycloak client secret>
#-----------------------------------------------------------------
# ==== OAUTH2 DOORKEEPER ====
# https://github.com/wekan/wekan/issues/1874
# https://github.com/wekan/wekan/wiki/OAuth2
# Enable the OAuth2 connection
#- OAUTH2_ENABLED=true
# OAuth2 docs: https://github.com/wekan/wekan/wiki/OAuth2
# OAuth2 login style: popup or redirect.
#- OAUTH2_LOGIN_STYLE=redirect
# OAuth2 Client ID.
#- OAUTH2_CLIENT_ID=abcde12345
# OAuth2 Secret.
#- OAUTH2_SECRET=54321abcde
# OAuth2 Server URL.
#- OAUTH2_SERVER_URL=https://chat.example.com
# OAuth2 Authorization Endpoint.
#- OAUTH2_AUTH_ENDPOINT=/oauth/authorize
# OAuth2 Userinfo Endpoint.
#- OAUTH2_USERINFO_ENDPOINT=/oauth/userinfo
# OAuth2 Token Endpoint.
#- OAUTH2_TOKEN_ENDPOINT=/oauth/token
# OAUTH2 ID Token Whitelist Fields.
#- OAUTH2_ID_TOKEN_WHITELIST_FIELDS=""
# OAUTH2 Request Permissions.
#- OAUTH2_REQUEST_PERMISSIONS=openid profile email
# OAuth2 ID Mapping
#- OAUTH2_ID_MAP=
# OAuth2 Username Mapping
#- OAUTH2_USERNAME_MAP=
# OAuth2 Fullname Mapping
#- OAUTH2_FULLNAME_MAP=
# OAuth2 Email Mapping
#- OAUTH2_EMAIL_MAP=
#-----------------------------------------------------------------
# ==== LDAP: UNCOMMENT ALL TO ENABLE LDAP ====
# https://github.com/wekan/wekan/wiki/LDAP
# For Snap settings see https://github.com/wekan/wekan-snap/wiki/Supported-settings-keys
# Most settings work both on Snap and Docker below.
# Note: Do not add single quotes '' to variables. Having spaces still works without quotes where required.
#
# The default authentication method used if a user does not exist to create and authenticate. Can be set as ldap.
# (this is set properly in the Admin Panel, changing this item does not remove Password login option)
#- DEFAULT_AUTHENTICATION_METHOD=ldap
#
# Enable or not the connection by the LDAP
#- LDAP_ENABLE=true
#
# The port of the LDAP server
#- LDAP_PORT=389
#
# The host server for the LDAP server
#- LDAP_HOST=localhost
#
#-----------------------------------------------------------------
# ==== LDAP AD Simple Auth ====
#
# Set to true, if you want to connect with Active Directory by Simple Authentication.
# When using AD Simple Auth, LDAP_BASEDN is not needed.
#
# Example:
#- LDAP_AD_SIMPLE_AUTH=true
#
# === LDAP User Authentication ===
#
# a) Option to login to the LDAP server with the user's own username and password, instead of
# an administrator key. Default: false (use administrator key).
#
# b) When using AD Simple Auth, set to true, when login user is used for binding,
# and LDAP_BASEDN is not needed.
#
# Example:
#- LDAP_USER_AUTHENTICATION=true
#
# Which field is used to find the user for the user authentication. Default: uid.
#- LDAP_USER_AUTHENTICATION_FIELD=uid
#
# === LDAP Default Domain ===
#
# a) In case AD SimpleAuth is configured, the default domain is appended to the given
# loginname for creating the correct username for the bind request to AD.
#
# b) The default domain of the ldap it is used to create email if the field is not map
# correctly with the LDAP_SYNC_USER_DATA_FIELDMAP
#
# Example :
#- LDAP_DEFAULT_DOMAIN=mydomain.com
#
#-----------------------------------------------------------------
# ==== LDAP BASEDN Auth ====
#
# The base DN for the LDAP Tree
#- LDAP_BASEDN=ou=user,dc=example,dc=org
#
#-----------------------------------------------------------------
# Fallback on the default authentication method
#- LDAP_LOGIN_FALLBACK=false
#
# Reconnect to the server if the connection is lost
#- LDAP_RECONNECT=true
#
# Overall timeout, in milliseconds
#- LDAP_TIMEOUT=10000
#
# Specifies the timeout for idle LDAP connections in milliseconds
#- LDAP_IDLE_TIMEOUT=10000
#
# Connection timeout, in milliseconds
#- LDAP_CONNECT_TIMEOUT=10000
#
# If the LDAP needs a user account to search
#- LDAP_AUTHENTIFICATION=true
#
# The search user DN - You need quotes when you have spaces in parameters
# 2 examples:
#- LDAP_AUTHENTIFICATION_USERDN=CN=ldap admin,CN=users,DC=domainmatter,DC=lan
#- LDAP_AUTHENTIFICATION_USERDN=CN=wekan_adm,OU=serviceaccounts,OU=admin,OU=prod,DC=mydomain,DC=com
#
# The password for the search user
#- LDAP_AUTHENTIFICATION_PASSWORD=pwd
#
# Enable logs for the module
#- LDAP_LOG_ENABLED=true
#
# If the sync of the users should be done in the background
#- LDAP_BACKGROUND_SYNC=false
#
# At which interval does the background task sync.
# The format must be as specified in:
# https://bunkat.github.io/later/parsers.html#text
#- LDAP_BACKGROUND_SYNC_INTERVAL=every 1 hour
#
#- LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED=false
#
#- LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS=false
#
# If using LDAPS: LDAP_ENCRYPTION=ssl
#- LDAP_ENCRYPTION=false
#
# The certification for the LDAPS server. Certificate needs to be included in this docker-compose.yml file.
#- LDAP_CA_CERT=-----BEGIN CERTIFICATE-----MIIE+G2FIdAgIC...-----END CERTIFICATE-----
#
# Reject Unauthorized Certificate
#- LDAP_REJECT_UNAUTHORIZED=false
#
# Optional extra LDAP filters. Don't forget the outmost enclosing parentheses if needed
#- LDAP_USER_SEARCH_FILTER=
#
# base (search only in the provided DN), one (search only in the provided DN and one level deep), or sub (search the whole subtree)
#- LDAP_USER_SEARCH_SCOPE=one
#
# Which field is used to find the user, like uid / sAMAccountName
#- LDAP_USER_SEARCH_FIELD=sAMAccountName
#
# Used for pagination (0=unlimited)
#- LDAP_SEARCH_PAGE_SIZE=0
#
# The limit number of entries (0=unlimited)
#- LDAP_SEARCH_SIZE_LIMIT=0
#
# Enable group filtering. Note the authenticated ldap user must be able to query all relevant group data with own login data from ldap.
#- LDAP_GROUP_FILTER_ENABLE=false
#
# The object class for filtering. Example: group
#- LDAP_GROUP_FILTER_OBJECTCLASS=
#
# The attribute of a group identifying it. Example: cn
#- LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE=
#
# The attribute inside a group object listing its members. Example: member
#- LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE=
#
# The format of the value of LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE. Example: 'dn' if the users dn is saved as value into the attribute.
#- LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT=
#
# The group name (id) that matches all users.
#- LDAP_GROUP_FILTER_GROUP_NAME=
#
# LDAP_UNIQUE_IDENTIFIER_FIELD : This field is sometimes class GUID (Globally Unique Identifier). Example: guid
#- LDAP_UNIQUE_IDENTIFIER_FIELD=
#
# LDAP_UTF8_NAMES_SLUGIFY : Convert the username to utf8
#- LDAP_UTF8_NAMES_SLUGIFY=true
#
# LDAP_USERNAME_FIELD : Which field contains the ldap username. username / sAMAccountName
#- LDAP_USERNAME_FIELD=sAMAccountName
#
# LDAP_FULLNAME_FIELD : Which field contains the ldap fullname. fullname / sAMAccountName
#- LDAP_FULLNAME_FIELD=fullname
#
#- LDAP_MERGE_EXISTING_USERS=false
#
# Allow existing account matching by e-mail address when username does not match
#- LDAP_EMAIL_MATCH_ENABLE=true
#
# LDAP_EMAIL_MATCH_REQUIRE : require existing account matching by e-mail address when username does match
#- LDAP_EMAIL_MATCH_REQUIRE=true
#
# LDAP_EMAIL_MATCH_VERIFIED : require existing account email address to be verified for matching
#- LDAP_EMAIL_MATCH_VERIFIED=true
#
# LDAP_EMAIL_FIELD : which field contains the LDAP e-mail address
#- LDAP_EMAIL_FIELD=mail
#-----------------------------------------------------------------
#- LDAP_SYNC_USER_DATA=false
#
#- LDAP_SYNC_USER_DATA_FIELDMAP={"cn":"name", "mail":"email"}
#
#- LDAP_SYNC_GROUP_ROLES=
#
# The default domain of the ldap it is used to create email if the field is not map correctly
# with the LDAP_SYNC_USER_DATA_FIELDMAP is defined in setting LDAP_DEFAULT_DOMAIN above.
#
# Enable/Disable syncing of admin status based on ldap groups:
#- LDAP_SYNC_ADMIN_STATUS=true
#
# Comma separated list of admin group names to sync.
#- LDAP_SYNC_ADMIN_GROUPS=group1,group2
#---------------------------------------------------------------------
# Login to LDAP automatically with HTTP header.
# In below example for siteminder, at right side of = is header name.
#- HEADER_LOGIN_ID=HEADERUID
#- HEADER_LOGIN_FIRSTNAME=HEADERFIRSTNAME
#- HEADER_LOGIN_LASTNAME=HEADERLASTNAME
#- HEADER_LOGIN_EMAIL=HEADEREMAILADDRESS
#---------------------------------------------------------------------
# ==== LOGOUT TIMER, probably does not work yet ====
# LOGOUT_WITH_TIMER : Enables or not the option logout with timer
# example : LOGOUT_WITH_TIMER=true
#- LOGOUT_WITH_TIMER=
#
# LOGOUT_IN : The number of days
# example : LOGOUT_IN=1
#- LOGOUT_IN=
#
# LOGOUT_ON_HOURS : The number of hours
# example : LOGOUT_ON_HOURS=9
#- LOGOUT_ON_HOURS=
#
# LOGOUT_ON_MINUTES : The number of minutes
# example : LOGOUT_ON_MINUTES=55
#- LOGOUT_ON_MINUTES=
#-------------------------------------------------------------------
# Hide password login form
# - PASSWORD_LOGIN_ENABLED=true
#-------------------------------------------------------------------
#- CAS_ENABLED=true
#- CAS_BASE_URL=https://cas.example.com/cas
#- CAS_LOGIN_URL=https://cas.example.com/login
#- CAS_VALIDATE_URL=https://cas.example.com/cas/p3/serviceValidate
#---------------------------------------------------------------------
#- SAML_ENABLED=true
#- SAML_PROVIDER=
#- SAML_ENTRYPOINT=
#- SAML_ISSUER=
#- SAML_CERT=
#- SAML_IDPSLO_REDIRECTURL=
#- SAML_PRIVATE_KEYFILE=
#- SAML_PUBLIC_CERTFILE=
#- SAML_IDENTIFIER_FORMAT=
#- SAML_LOCAL_PROFILE_MATCH_ATTRIBUTE=
#- SAML_ATTRIBUTES=
#---------------------------------------------------------------------
# Wait spinner to use
# - WAIT_SPINNER=Bounce
#---------------------------------------------------------------------
depends_on:
- wekandb
volumes:
- /etc/localtime:/etc/localtime:ro
- wekan-files:/data:rw
#---------------------------------------------------------------------------------
# ==== OPTIONAL: SHARE DATABASE TO OFFICE LAN AND REMOTE VPN ====
# When using Wekan both at office LAN and remote VPN:
# 1) Have above Wekan docker container config with LAN IP address
# 2) Copy all of above wekan container config below, look above of this part above and all config below it,
# before above depends_on: part:
#
# wekan:
# #-------------------------------------------------------------------------------------
# # ==== MONGODB AND METEOR VERSION ====
# # a) For Wekan Meteor 1.8.x version at meteor-1.8 branch, .....
#
#
# and change name to different name like wekan2 or wekanvpn, and change ROOT_URL to server VPN IP
# address.
# 3) This way both Wekan containers can use same MongoDB database
# and see the same Wekan boards.
# 4) You could also add 3rd Wekan container for 3rd network etc.
# EXAMPLE:
# wekan2:
# ....COPY CONFIG FROM ABOVE TO HERE...
# environment:
# - ROOT_URL='http://10.10.10.10'
# ...COPY CONFIG FROM ABOVE TO HERE...
#---------------------------------------------------------------------------------
# OPTIONAL NGINX CONFIG FOR REVERSE PROXY
# nginx:
# image: nginx
# container_name: nginx
# restart: always
# networks:
# - wekan-tier
# depends_on:
# - wekan
# ports:
# - 80:80
# - 443:443
# volumes:
# - ./nginx/ssl:/etc/nginx/ssl/:ro
# - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
## Alternative volume config:
## volumes:
## - ./nginx/nginx.conf:/etc/nginx/conf.d/default.conf:ro
## - ./nginx/ssl/ssl.conf:/etc/nginx/conf.d/ssl/ssl.conf:ro
## - ./nginx/ssl/testvm-ehu.crt:/etc/nginx/conf.d/ssl/certs/mycert.crt:ro
## - ./nginx/ssl/testvm-ehu.key:/etc/nginx/conf.d/ssl/certs/mykey.key:ro
## - ./nginx/ssl/pphrase:/etc/nginx/conf.d/ssl/pphrase:ro
volumes:
wekan-files:
driver: local
wekan-db:
driver: local
wekan-db-dump:
driver: local
networks:
wekan-tier:
driver: bridge
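Review bot: `- MAIL_URL=smtp://<mail_url>:25/?ignoreTLS=true&tls={rejectUnauthorized:false}` still contains the `<mail_url>` placeholder and disables both TLS and certificate checking for outgoing mail, so notification mail (presumably including the forgot-password flow referenced at the top of the file) would leave the host in clear text; the template's own note a few lines above says special characters in MAIL_URL must be URL-encoded, and the braces and colon here are not. Fill in the real relay, drop `ignoreTLS=true` and `rejectUnauthorized:false` unless the relay genuinely has no TLS, and URL-encode whatever options remain. `- ROOT_URL=http://localhost` is also still the template default while `- 5003:8080` publishes the app on all interfaces; the comment above the port mapping says to remove it when nginx is the entry point, and the comment above ROOT_URL says to set the real URL, otherwise links in those emails point at localhost.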