diff --git a/ansible/README.md b/ansible/README.md index 3eb7abf..2abdccd 100644 --- a/ansible/README.md +++ b/ansible/README.md @@ -1,4 +1,9 @@ -Usage: `ansible-playbook main.yml -i hosts.cfg --extra-vars "gandi_api_key=GANDI_API_KEY" --limit=cabinet` +Usage: + +``` +export GANDI_API_KEY=mykey +ansible-playbook main.yml -i hosts.cfg --extra-vars "gandi_api_key=$GANDI_API_KEY" --limit=cabinet +``` All additional variables: - `gandi_api_key`: gandi api key for dynamic dns @@ -10,19 +15,19 @@ Assumes: - OS (Debian) has been installed and IPs have been configured in hosts.cfg - Host is already trusted via ssh and can be ssh'd into using keys - Passwordless sudo is enabled for the user ansible uses - - Root and user pw is something memorable - ZFS server: - - ZFS is configured with a volume at /bigdata for sharing + - ZFS is configured with a volume at /bigdata - Media server: - - Create /media-vtluug folder + - Create /media-vtluug folder ??? TODO!! - Remote: - - joe/pew users have been created + - users have already been created - Laptop/etc: - Manually configure ssh and tor - TODO: - fix for network-online.target debian 10 bug + - add samba stuff for fogcutter diff --git a/ansible/files/fogcutter/sshtunnel.service b/ansible/files/fogcutter/sshtunnel.service index 8c09990..dced462 100644 --- a/ansible/files/fogcutter/sshtunnel.service +++ b/ansible/files/fogcutter/sshtunnel.service @@ -11,11 +11,11 @@ ExecStart=/usr/bin/ssh -Nn \ -o ServerAliveCountMax=3 \ -o ExitOnForwardFailure=yes \ -i /home/paul/.ssh/id_rsa_fast \ - -R 7000:127.0.0.1:8080 \ - -R 7001:127.0.0.1:8443 \ + -R 7000:127.0.0.1:80 \ + -R 7001:127.0.0.1:443 \ -R 7002:127.0.0.1:2222 \ -R 7003:127.0.0.1:25565 \ - -R 7004:127.0.0.1:8448 \ + -R 7004:127.0.0.1:8000 \ pew@polyvalent.seaturtle.pw Restart=always RestartSec=30 diff --git a/ansible/files/polyvalent/haproxy.cfg b/ansible/files/polyvalent/haproxy.cfg index acaed0f..54feed1 100644 --- a/ansible/files/polyvalent/haproxy.cfg +++ b/ansible/files/polyvalent/haproxy.cfg @@ -35,8 +35,8 @@ listen proxy25565 bind :::25565 server proxy7003 127.0.0.1:7003 -# matrix federation -listen proxy8448 +# tunnelvr +listen proxy8000 mode tcp - bind :::8448 + bind :::8000 server proxy7004 127.0.0.1:7004 diff --git a/ansible/files/smb.conf b/ansible/files/smb.conf new file mode 100644 index 0000000..5c1d791 --- /dev/null +++ b/ansible/files/smb.conf @@ -0,0 +1,234 @@ +# +# Sample configuration file for the Samba suite for Debian GNU/Linux. +# +# +# This is the main Samba configuration file. You should read the +# smb.conf(5) manual page in order to understand the options listed +# here. Samba has a huge number of configurable options most of which +# are not shown in this example +# +# Some options that are often worth tuning have been included as +# commented-out examples in this file. +# - When such options are commented with ";", the proposed setting +# differs from the default Samba behaviour +# - When commented with "#", the proposed setting is the default +# behaviour of Samba but the option is considered important +# enough to be mentioned here +# +# NOTE: Whenever you modify this file you should run the command +# "testparm" to check that you have not made any basic syntactic +# errors. + +#======================= Global Settings ======================= + +[global] + +## Browsing/Identification ### + +# Change this to the workgroup/NT-domain name your Samba server will part of + workgroup = PEWWG + +#### Networking #### + +# The specific set of interfaces / networks to bind to +# This can be either the interface name or an IP address/netmask; +# interface names are normally preferred +; interfaces = 127.0.0.0/8 eth0 +interfaces = 2601:5c0:c280:8e30::/64 10.42.0.0/24 eno1 + +# Only bind to the named interfaces and/or networks; you must use the +# 'interfaces' option above to use this. +# It is recommended that you enable this feature if your Samba machine is +# not protected by a firewall or is a firewall itself. However, this +# option cannot handle dynamic or non-broadcast interfaces correctly. +; bind interfaces only = yes + + + +#### Debugging/Accounting #### + +# This tells Samba to use a separate log file for each machine +# that connects + log file = /var/log/samba/log.%m + +# Cap the size of the individual log files (in KiB). + max log size = 1000 + +# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}. +# Append syslog@1 if you want important messages to be sent to syslog too. + logging = file + +# Do something sensible when Samba crashes: mail the admin a backtrace + panic action = /usr/share/samba/panic-action %d + + +####### Authentication ####### + +# Server role. Defines in which mode Samba will operate. Possible +# values are "standalone server", "member server", "classic primary +# domain controller", "classic backup domain controller", "active +# directory domain controller". +# +# Most people will want "standalone server" or "member server". +# Running as "active directory domain controller" will require first +# running "samba-tool domain provision" to wipe databases and create a +# new domain. + server role = standalone server + + obey pam restrictions = yes + +# This boolean parameter controls whether Samba attempts to sync the Unix +# password with the SMB password when the encrypted SMB password in the +# passdb is changed. + unix password sync = yes + +# For Unix password sync to work on a Debian GNU/Linux system, the following +# parameters must be set (thanks to Ian Kahan < for +# sending the correct chat script for the passwd program in Debian Sarge). + passwd program = /usr/bin/passwd %u + passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . + +# This boolean controls whether PAM will be used for password changes +# when requested by an SMB client instead of the program listed in +# 'passwd program'. The default is 'no'. + pam password change = yes + +# This option controls how unsuccessful authentication attempts are mapped +# to anonymous connections + map to guest = bad user + +########## Domains ########### + +# +# The following settings only takes effect if 'server role = classic +# primary domain controller', 'server role = classic backup domain controller' +# or 'domain logons' is set +# + +# It specifies the location of the user's +# profile directory from the client point of view) The following +# required a [profiles] share to be setup on the samba server (see +# below) +; logon path = \\%N\profiles\%U +# Another common choice is storing the profile in the user's home directory +# (this is Samba's default) +# logon path = \\%N\%U\profile + +# The following setting only takes effect if 'domain logons' is set +# It specifies the location of a user's home directory (from the client +# point of view) +; logon drive = H: +# logon home = \\%N\%U + +# The following setting only takes effect if 'domain logons' is set +# It specifies the script to run during logon. The script must be stored +# in the [netlogon] share +# NOTE: Must be store in 'DOS' file format convention +; logon script = logon.cmd + +# This allows Unix users to be created on the domain controller via the SAMR +# RPC pipe. The example command creates a user account with a disabled Unix +# password; please adapt to your needs +; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u + +# This allows machine accounts to be created on the domain controller via the +# SAMR RPC pipe. +# The following assumes a "machines" group exists on the system +; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u + +# This allows Unix groups to be created on the domain controller via the SAMR +# RPC pipe. +; add group script = /usr/sbin/addgroup --force-badname %g + +############ Misc ############ + +# Using the following line enables you to customise your configuration +# on a per machine basis. The %m gets replaced with the netbios name +# of the machine that is connecting +; include = /home/samba/etc/smb.conf.%m + +# Some defaults for winbind (make sure you're not using the ranges +# for something else.) +; idmap config * : backend = tdb +; idmap config * : range = 3000-7999 +; idmap config YOURDOMAINHERE : backend = tdb +; idmap config YOURDOMAINHERE : range = 100000-999999 +; template shell = /bin/bash + +# Setup usershare options to enable non-root users to share folders +# with the net usershare command. + +# Maximum number of usershare. 0 means that usershare is disabled. +# usershare max shares = 100 + +# Allow users who've been granted usershare privileges to create +# public shares, not just authenticated ones + usershare allow guests = yes + +#======================= Share Definitions ======================= + +[pew-photos] + comment = pew photos + browseable = yes + path = /bigdata/archive/photos + guest ok = no + read only = no + create mask = 0700 + directory mask = 0700 + valid users = paul + +[incoming-photos] + comment = incoming pew photos + browseable = yes + path = /bigdata/tmp/incoming-photos + guest ok = no + read only = no + create mask = 0700 + directory mask = 0700 + valid users = paul + +# Un-comment the following and create the netlogon directory for Domain Logons +# (you need to configure Samba to act as a domain controller too.) +;[netlogon] +; comment = Network Logon Service +; path = /home/samba/netlogon +; guest ok = yes +; read only = yes + +# Un-comment the following and create the profiles directory to store +# users profiles (see the "logon path" option above) +# (you need to configure Samba to act as a domain controller too.) +# The path below should be writable by all users so that their +# profile directory may be created the first time they log on +;[profiles] +; comment = Users profiles +; path = /home/samba/profiles +; guest ok = no +; browseable = no +; create mask = 0600 +; directory mask = 0700 + +;[printers] +; comment = All Printers +; browseable = no +; path = /var/spool/samba +; printable = yes +; guest ok = no +; read only = yes +; create mask = 0700 + +# Windows clients look for this share name as a source of downloadable +# printer drivers +;[print$] +; comment = Printer Drivers +; path = /var/lib/samba/printers +; browseable = yes +; read only = yes +; guest ok = no +# Uncomment to allow remote administration of Windows print drivers. +# You may need to replace 'lpadmin' with the name of the group your +# admin users are members of. +# Please note that you also need to set appropriate Unix permissions +# to the drivers directory for these users to have write rights in it +; write list = root, @lpadmin + diff --git a/ansible/handlers.yml b/ansible/handlers.yml index a041d27..b82fb2e 100644 --- a/ansible/handlers.yml +++ b/ansible/handlers.yml @@ -55,3 +55,13 @@ daemon_reload: yes enabled: yes state: started + +- name: Restart smbd + service: + name: smbd + state: restarted + +- name: Restart dnsmasq + service: + name: dnsmasq + state: restarted diff --git a/ansible/hosts.cfg b/ansible/hosts.cfg index 2c34fdc..5f97e08 100644 --- a/ansible/hosts.cfg +++ b/ansible/hosts.cfg @@ -1,17 +1,14 @@ [all:vars] ansible_python_interpreter=/usr/bin/python3 -[compute] -fogcutter hostname=fogcutter.seaturtle.pw interface=eno1 +[homelab] +fogcutter hostname=fogcutter.seaturtle.pw interface=eno1 admin=joe [daily] -cabinet hostname=cabinet.seaturtle.pw interface=enp9s0 - -[nfs] -bigdummy hostname=bigdummy.seaturtle.pw interface=enp2s0 +cabinet hostname=cabinet.seaturtle.pw interface=enp9s0 admin=paul [irc] -joe@madone.seaturtle.pw hostname=madone.seaturtle.pw interface=enp1s0 +joe@madone.seaturtle.pw hostname=madone.seaturtle.pw interface=enp1s0 admin=joe -[proxy] -polyvalent hostname=polyvalent.seaturtle.pw interface=eth0 +[cloudlab] +joe@polyvalent hostname=polyvalent.seaturtle.pw interface=eth0 admin=joe diff --git a/ansible/main.yml b/ansible/main.yml index dfa78c0..96af6ab 100644 --- a/ansible/main.yml +++ b/ansible/main.yml @@ -1,7 +1,7 @@ # All hosts are debian 10 or 11 --- # Common -- hosts: daily,compute,nfs,proxy,irc +- hosts: daily,homelab,irc become: yes handlers: - import_tasks: handlers.yml @@ -15,6 +15,7 @@ apt: name: - apt-listchanges + - beets - chrony - curl - dma @@ -38,6 +39,11 @@ force_apt_get: yes update_cache: yes + - name: Install rclone + apt: + deb: https://downloads.rclone.org/rclone-current-linux-amd64.deb + force_apt_get: yes + - name: Disable MOTDs file: path: /etc/update-motd.d/10-uname @@ -111,7 +117,7 @@ owner: root group: mail mode: '0640' - when: dma_auth is defined + when: dma_auth is defined and dma_auth != '' ## Changes will take effect during next reboot, does not effect static IPs - name: Configure sysctl with IPv6 privacy extensions @@ -144,7 +150,7 @@ msg: Manually get tor hostname # Common dynamic settings -- hosts: compute,daily,proxy +- hosts: daily,homelab become: yes handlers: - import_tasks: handlers.yml @@ -156,7 +162,7 @@ owner: root group: root mode: '0755' - when: gandi_api_key is defined + when: gandi_api_key is defined and gandi_api_key != '' - name: Add Dynamic DNS cronjob cron: @@ -166,11 +172,9 @@ user: root when: gandi_api_key is defined -# docker -- hosts: irc,compute +# Docker +- hosts: homelab,irc become: yes - handlers: - - import_tasks: handlers.yml tasks: - name: Add Docker GPG key apt_key: @@ -189,19 +193,42 @@ force_apt_get: yes update_cache: yes -# Custom repo config -- hosts: compute + - name: Add admin to docker group + user: + name: "{{ admin }}" + groups: docker + append: yes + +# Compute config +- hosts: homelab become: yes handlers: - import_tasks: handlers.yml tasks: - - name: Install compute packages + - name: Install samba, zfs stuff apt: name: - - sshfs + - zfs-auto-snapshot + - zfs-zed force_apt_get: yes update_cache: yes + - name: Configure zfs-zed + copy: + src: files/zed.rc + dest: /etc/zfs/zed.d/zed.rc + owner: root + group: root + mode: '0644' + notify: Restart zfs-zed + + - name: Install weekly bigdata scrub cron job + cron: + name: 'Weekly zfs pool status check' + special_time: weekly + job: '/usr/sbin/zpool status | mail -s "ZFS STATUS" paulsw.pw+alerts@gmail.com' + user: root + - name: Mount vtluug /media via sshfs mount: src: pew-media@dirtycow.vtluug.org:/nfs/cistern/share/media @@ -210,18 +237,31 @@ opts: reconnect,allow_other,ro,_netdev,IdentityFile=/home/paul/.ssh/id_rsa_fast state: mounted + - name: Install rclone + apt: + deb: https://downloads.rclone.org/rclone-current-linux-amd64.deb + force_apt_get: yes + + - debug: + msg: Manually configure rclone remote drive + + - name: Backup data cronjob - Monday + cron: + name: 'Backup data' + minute: '0' + hour: '0' + day: '*' + month: '*' + weekday: '1' + user: paul + job: "/home/paul/scripts-private/{{ inventory_hostname }}/backup.sh" + # IRC config - hosts: irc become: yes handlers: - import_tasks: handlers.yml tasks: - - name: Add joe to docker group - user: - name: joe - groups: docker - append: yes - - name: Install weechat systemd service copy: src: files/weechat.service @@ -230,6 +270,3 @@ group: root mode: '0644' notify: Enable weechat service - - - debug: - msg: Clone docker repo to start services diff --git a/ansible/templates/dnsmasq.conf.j2 b/ansible/templates/dnsmasq.conf.j2 new file mode 100644 index 0000000..3c0b256 --- /dev/null +++ b/ansible/templates/dnsmasq.conf.j2 @@ -0,0 +1,681 @@ +# Configuration file for dnsmasq. +# +# Format is one option per line, legal options are the same +# as the long options legal on the command line. See +# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details. + +# Listen on this specific port instead of the standard DNS port +# (53). Setting this to zero completely disables DNS function, +# leaving only DHCP and/or TFTP. +#port=5353 + +# The following two options make you a better netizen, since they +# tell dnsmasq to filter out queries which the public DNS cannot +# answer, and which load the servers (especially the root servers) +# unnecessarily. If you have a dial-on-demand link they also stop +# these requests from bringing up the link unnecessarily. + +# Never forward plain names (without a dot or domain part) +domain-needed +# Never forward addresses in the non-routed address spaces. +bogus-priv + +# Uncomment these to enable DNSSEC validation and caching: +# (Requires dnsmasq to be built with DNSSEC option.) +#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf +#dnssec + +# Replies which are not DNSSEC signed may be legitimate, because the domain +# is unsigned, or may be forgeries. Setting this option tells dnsmasq to +# check that an unsigned reply is OK, by finding a secure proof that a DS +# record somewhere between the root and the domain does not exist. +# The cost of setting this is that even queries in unsigned domains will need +# one or more extra DNS queries to verify. +#dnssec-check-unsigned + +# Uncomment this to filter useless windows-originated DNS requests +# which can trigger dial-on-demand links needlessly. +# Note that (amongst other things) this blocks all SRV requests, +# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk. +# This option only affects forwarding, SRV records originating for +# dnsmasq (via srv-host= lines) are not suppressed by it. +#filterwin2k + +# Change this line if you want dns to get its upstream servers from +# somewhere other that /etc/resolv.conf +#resolv-file= + +# By default, dnsmasq will send queries to any of the upstream +# servers it knows about and tries to favour servers to are known +# to be up. Uncommenting this forces dnsmasq to try each query +# with each server strictly in the order they appear in +# /etc/resolv.conf +#strict-order + +# If you don't want dnsmasq to read /etc/resolv.conf or any other +# file, getting its servers from this file instead (see below), then +# uncomment this. +no-resolv + +# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv +# files for changes and re-read them then uncomment this. +#no-poll + +# Add other name servers here, with domain specs if they are for +# non-public domains. +#server=/localnet/192.168.0.1 +server=2001:1608:10:25::9249:d69b +server=84.200.70.40 + +# Example of routing PTR queries to nameservers: this will send all +# address->name queries for 192.168.3/24 to nameserver 10.1.2.3 +#server=/3.168.192.in-addr.arpa/10.1.2.3 + +# Add local-only domains here, queries in these domains are answered +# from /etc/hosts or DHCP only. +#local=/localnet/ + +# Add domains which you want to force to an IP address here. +# The example below send any host in double-click.net to a local +# web-server. +#address=/double-click.net/127.0.0.1 + +# --address (and --server) work with IPv6 addresses too. +#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83 + +# Add the IPs of all queries to yahoo.com, google.com, and their +# subdomains to the vpn and search ipsets: +#ipset=/yahoo.com/google.com/vpn,search + +# You can control how dnsmasq talks to a server: this forces +# queries to 10.1.2.3 to be routed via eth1 +# server=10.1.2.3@eth1 + +# and this sets the source (ie local) address used to talk to +# 10.1.2.3 to 192.168.1.1 port 55 (there must be an interface with that +# IP on the machine, obviously). +# server=10.1.2.3@192.168.1.1#55 + +# If you want dnsmasq to change uid and gid to something other +# than the default, edit the following lines. +#user= +#group= + +# If you want dnsmasq to listen for DHCP and DNS requests only on +# specified interfaces (and the loopback) give the name of the +# interface (eg eth0) here. +# Repeat the line for more than one interface. +interface={{ interface }} +# Or you can specify which interface _not_ to listen on +#except-interface= +# Or which to listen on by address (remember to include 127.0.0.1 if +# you use this.) +#listen-address= +# If you want dnsmasq to provide only DNS service on an interface, +# configure it as shown above, and then use the following line to +# disable DHCP and TFTP on it. +#no-dhcp-interface= + +# On systems which support it, dnsmasq binds the wildcard address, +# even when it is listening on only some interfaces. It then discards +# requests that it shouldn't reply to. This has the advantage of +# working even when interfaces come and go and change address. If you +# want dnsmasq to really bind only the interfaces it is listening on, +# uncomment this option. About the only time you may need this is when +# running another nameserver on the same machine. +#bind-interfaces + +# If you don't want dnsmasq to read /etc/hosts, uncomment the +# following line. +#no-hosts +# or if you want it to read another file, as well as /etc/hosts, use +# this. +#addn-hosts=/etc/banner_add_hosts + +# Set this (and domain: see below) if you want to have a domain +# automatically added to simple names in a hosts-file. +#expand-hosts + +# Set the domain for dnsmasq. this is optional, but if it is set, it +# does the following things. +# 1) Allows DHCP hosts to have fully qualified domain names, as long +# as the domain part matches this setting. +# 2) Sets the "domain" DHCP option thereby potentially setting the +# domain of all systems configured by DHCP +# 3) Provides the domain part for "expand-hosts" +#domain=thekelleys.org.uk + +# Set a different domain for a particular subnet +#domain=wireless.thekelleys.org.uk,192.168.2.0/24 + +# Same idea, but range rather then subnet +#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200 + +# Uncomment this to enable the integrated DHCP server, you need +# to supply the range of addresses available for lease and optionally +# a lease time. If you have more than one network, you will need to +# repeat this for each network on which you want to supply DHCP +# service. +#dhcp-range=192.168.0.50,192.168.0.150,12h + +# This is an example of a DHCP range where the netmask is given. This +# is needed for networks we reach the dnsmasq DHCP server via a relay +# agent. If you don't know what a DHCP relay agent is, you probably +# don't need to worry about this. +#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h + +# This is an example of a DHCP range which sets a tag, so that +# some DHCP options may be set only for this network. +#dhcp-range=set:red,192.168.0.50,192.168.0.150 + +# Use this DHCP range only when the tag "green" is set. +#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h + +# Specify a subnet which can't be used for dynamic address allocation, +# is available for hosts with matching --dhcp-host lines. Note that +# dhcp-host declarations will be ignored unless there is a dhcp-range +# of some type for the subnet in question. +# In this case the netmask is implied (it comes from the network +# configuration on the machine running dnsmasq) it is possible to give +# an explicit netmask instead. +#dhcp-range=192.168.0.0,static + +# Enable DHCPv6. Note that the prefix-length does not need to be specified +# and defaults to 64 if missing/ +#dhcp-range=1234::2, 1234::500, 64, 12h + +# Do Router Advertisements, BUT NOT DHCP for this subnet. +#dhcp-range=1234::, ra-only + +# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and +# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack +# hosts. Use the DHCPv4 lease to derive the name, network segment and +# MAC address and assume that the host will also have an +# IPv6 address calculated using the SLAAC algorithm. +#dhcp-range=1234::, ra-names + +# Do Router Advertisements, BUT NOT DHCP for this subnet. +# Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.) +#dhcp-range=1234::, ra-only, 48h + +# Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA +# so that clients can use SLAAC addresses as well as DHCP ones. +#dhcp-range=1234::2, 1234::500, slaac + +# Do Router Advertisements and stateless DHCP for this subnet. Clients will +# not get addresses from DHCP, but they will get other configuration information. +# They will use SLAAC for addresses. +#dhcp-range=1234::, ra-stateless + +# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses +# from DHCPv4 leases. +#dhcp-range=1234::, ra-stateless, ra-names + +# Do router advertisements for all subnets where we're doing DHCPv6 +# Unless overridden by ra-stateless, ra-names, et al, the router +# advertisements will have the M and O bits set, so that the clients +# get addresses and configuration from DHCPv6, and the A bit reset, so the +# clients don't use SLAAC addresses. +#enable-ra + +# Supply parameters for specified hosts using DHCP. There are lots +# of valid alternatives, so we will give examples of each. Note that +# IP addresses DO NOT have to be in the range given above, they just +# need to be on the same network. The order of the parameters in these +# do not matter, it's permissible to give name, address and MAC in any +# order. + +# Always allocate the host with Ethernet address 11:22:33:44:55:66 +# The IP address 192.168.0.60 +#dhcp-host=11:22:33:44:55:66,192.168.0.60 + +# Always set the name of the host with hardware address +# 11:22:33:44:55:66 to be "fred" +#dhcp-host=11:22:33:44:55:66,fred + +# Always give the host with Ethernet address 11:22:33:44:55:66 +# the name fred and IP address 192.168.0.60 and lease time 45 minutes +#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m + +# Give a host with Ethernet address 11:22:33:44:55:66 or +# 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume +# that these two Ethernet interfaces will never be in use at the same +# time, and give the IP address to the second, even if it is already +# in use by the first. Useful for laptops with wired and wireless +# addresses. +#dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60 + +# Give the machine which says its name is "bert" IP address +# 192.168.0.70 and an infinite lease +#dhcp-host=bert,192.168.0.70,infinite + +# Always give the host with client identifier 01:02:02:04 +# the IP address 192.168.0.60 +#dhcp-host=id:01:02:02:04,192.168.0.60 + +# Always give the InfiniBand interface with hardware address +# 80:00:00:48:fe:80:00:00:00:00:00:00:f4:52:14:03:00:28:05:81 the +# ip address 192.168.0.61. The client id is derived from the prefix +# ff:00:00:00:00:00:02:00:00:02:c9:00 and the last 8 pairs of +# hex digits of the hardware address. +#dhcp-host=id:ff:00:00:00:00:00:02:00:00:02:c9:00:f4:52:14:03:00:28:05:81,192.168.0.61 + +# Always give the host with client identifier "marjorie" +# the IP address 192.168.0.60 +#dhcp-host=id:marjorie,192.168.0.60 + +# Enable the address given for "judge" in /etc/hosts +# to be given to a machine presenting the name "judge" when +# it asks for a DHCP lease. +#dhcp-host=judge + +# Never offer DHCP service to a machine whose Ethernet +# address is 11:22:33:44:55:66 +#dhcp-host=11:22:33:44:55:66,ignore + +# Ignore any client-id presented by the machine with Ethernet +# address 11:22:33:44:55:66. This is useful to prevent a machine +# being treated differently when running under different OS's or +# between PXE boot and OS boot. +#dhcp-host=11:22:33:44:55:66,id:* + +# Send extra options which are tagged as "red" to +# the machine with Ethernet address 11:22:33:44:55:66 +#dhcp-host=11:22:33:44:55:66,set:red + +# Send extra options which are tagged as "red" to +# any machine with Ethernet address starting 11:22:33: +#dhcp-host=11:22:33:*:*:*,set:red + +# Give a fixed IPv6 address and name to client with +# DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2 +# Note the MAC addresses CANNOT be used to identify DHCPv6 clients. +# Note also that the [] around the IPv6 address are obligatory. +#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5] + +# Ignore any clients which are not specified in dhcp-host lines +# or /etc/ethers. Equivalent to ISC "deny unknown-clients". +# This relies on the special "known" tag which is set when +# a host is matched. +#dhcp-ignore=tag:!known + +# Send extra options which are tagged as "red" to any machine whose +# DHCP vendorclass string includes the substring "Linux" +#dhcp-vendorclass=set:red,Linux + +# Send extra options which are tagged as "red" to any machine one +# of whose DHCP userclass strings includes the substring "accounts" +#dhcp-userclass=set:red,accounts + +# Send extra options which are tagged as "red" to any machine whose +# MAC address matches the pattern. +#dhcp-mac=set:red,00:60:8C:*:*:* + +# If this line is uncommented, dnsmasq will read /etc/ethers and act +# on the ethernet-address/IP pairs found there just as if they had +# been given as --dhcp-host options. Useful if you keep +# MAC-address/host mappings there for other purposes. +#read-ethers + +# Send options to hosts which ask for a DHCP lease. +# See RFC 2132 for details of available options. +# Common options can be given to dnsmasq by name: +# run "dnsmasq --help dhcp" to get a list. +# Note that all the common settings, such as netmask and +# broadcast address, DNS server and default route, are given +# sane defaults by dnsmasq. You very likely will not need +# any dhcp-options. If you use Windows clients and Samba, there +# are some options which are recommended, they are detailed at the +# end of this section. + +# Override the default route supplied by dnsmasq, which assumes the +# router is the same machine as the one running dnsmasq. +#dhcp-option=3,1.2.3.4 + +# Do the same thing, but using the option name +#dhcp-option=option:router,1.2.3.4 + +# Override the default route supplied by dnsmasq and send no default +# route at all. Note that this only works for the options sent by +# default (1, 3, 6, 12, 28) the same line will send a zero-length option +# for all other option numbers. +#dhcp-option=3 + +# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5 +#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5 + +# Send DHCPv6 option. Note [] around IPv6 addresses. +#dhcp-option=option6:dns-server,[1234::77],[1234::88] + +# Send DHCPv6 option for namservers as the machine running +# dnsmasq and another. +#dhcp-option=option6:dns-server,[::],[1234::88] + +# Ask client to poll for option changes every six hours. (RFC4242) +#dhcp-option=option6:information-refresh-time,6h + +# Set option 58 client renewal time (T1). Defaults to half of the +# lease time if not specified. (RFC2132) +#dhcp-option=option:T1,1m + +# Set option 59 rebinding time (T2). Defaults to 7/8 of the +# lease time if not specified. (RFC2132) +#dhcp-option=option:T2,2m + +# Set the NTP time server address to be the same machine as +# is running dnsmasq +#dhcp-option=42,0.0.0.0 + +# Set the NIS domain name to "welly" +#dhcp-option=40,welly + +# Set the default time-to-live to 50 +#dhcp-option=23,50 + +# Set the "all subnets are local" flag +#dhcp-option=27,1 + +# Send the etherboot magic flag and then etherboot options (a string). +#dhcp-option=128,e4:45:74:68:00:00 +#dhcp-option=129,NIC=eepro100 + +# Specify an option which will only be sent to the "red" network +# (see dhcp-range for the declaration of the "red" network) +# Note that the tag: part must precede the option: part. +#dhcp-option = tag:red, option:ntp-server, 192.168.1.1 + +# The following DHCP options set up dnsmasq in the same way as is specified +# for the ISC dhcpcd in +# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt +# adapted for a typical dnsmasq installation where the host running +# dnsmasq is also the host running samba. +# you may want to uncomment some or all of them if you use +# Windows clients and Samba. +#dhcp-option=19,0 # option ip-forwarding off +#dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s) +#dhcp-option=45,0.0.0.0 # netbios datagram distribution server +#dhcp-option=46,8 # netbios node type + +# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave. +#dhcp-option=252,"\n" + +# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client +# probably doesn't support this...... +#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com + +# Send RFC-3442 classless static routes (note the netmask encoding) +#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8 + +# Send vendor-class specific options encapsulated in DHCP option 43. +# The meaning of the options is defined by the vendor-class so +# options are sent only when the client supplied vendor class +# matches the class given here. (A substring match is OK, so "MSFT" +# matches "MSFT" and "MSFT 5.0"). This example sets the +# mtftp address to 0.0.0.0 for PXEClients. +#dhcp-option=vendor:PXEClient,1,0.0.0.0 + +# Send microsoft-specific option to tell windows to release the DHCP lease +# when it shuts down. Note the "i" flag, to tell dnsmasq to send the +# value as a four-byte integer - that's what microsoft wants. See +# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true +#dhcp-option=vendor:MSFT,2,1i + +# Send the Encapsulated-vendor-class ID needed by some configurations of +# Etherboot to allow is to recognise the DHCP server. +#dhcp-option=vendor:Etherboot,60,"Etherboot" + +# Send options to PXELinux. Note that we need to send the options even +# though they don't appear in the parameter request list, so we need +# to use dhcp-option-force here. +# See http://syslinux.zytor.com/pxe.php#special for details. +# Magic number - needed before anything else is recognised +#dhcp-option-force=208,f1:00:74:7e +# Configuration file name +#dhcp-option-force=209,configs/common +# Path prefix +#dhcp-option-force=210,/tftpboot/pxelinux/files/ +# Reboot time. (Note 'i' to send 32-bit value) +#dhcp-option-force=211,30i + +# Set the boot filename for netboot/PXE. You will only need +# this if you want to boot machines over the network and you will need +# a TFTP server; either dnsmasq's built-in TFTP server or an +# external one. (See below for how to enable the TFTP server.) +#dhcp-boot=pxelinux.0 + +# The same as above, but use custom tftp-server instead machine running dnsmasq +#dhcp-boot=pxelinux,server.name,192.168.1.100 + +# Boot for iPXE. The idea is to send two different +# filenames, the first loads iPXE, and the second tells iPXE what to +# load. The dhcp-match sets the ipxe tag for requests from iPXE. +#dhcp-boot=undionly.kpxe +#dhcp-match=set:ipxe,175 # iPXE sends a 175 option. +#dhcp-boot=tag:ipxe,http://boot.ipxe.org/demo/boot.php + +# Encapsulated options for iPXE. All the options are +# encapsulated within option 175 +#dhcp-option=encap:175, 1, 5b # priority code +#dhcp-option=encap:175, 176, 1b # no-proxydhcp +#dhcp-option=encap:175, 177, string # bus-id +#dhcp-option=encap:175, 189, 1b # BIOS drive code +#dhcp-option=encap:175, 190, user # iSCSI username +#dhcp-option=encap:175, 191, pass # iSCSI password + +# Test for the architecture of a netboot client. PXE clients are +# supposed to send their architecture as option 93. (See RFC 4578) +#dhcp-match=peecees, option:client-arch, 0 #x86-32 +#dhcp-match=itanics, option:client-arch, 2 #IA64 +#dhcp-match=hammers, option:client-arch, 6 #x86-64 +#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64 + +# Do real PXE, rather than just booting a single file, this is an +# alternative to dhcp-boot. +#pxe-prompt="What system shall I netboot?" +# or with timeout before first available action is taken: +#pxe-prompt="Press F8 for menu.", 60 + +# Available boot services. for PXE. +#pxe-service=x86PC, "Boot from local disk" + +# Loads /pxelinux.0 from dnsmasq TFTP server. +#pxe-service=x86PC, "Install Linux", pxelinux + +# Loads /pxelinux.0 from TFTP server at 1.2.3.4. +# Beware this fails on old PXE ROMS. +#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4 + +# Use bootserver on network, found my multicast or broadcast. +#pxe-service=x86PC, "Install windows from RIS server", 1 + +# Use bootserver at a known IP address. +#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4 + +# If you have multicast-FTP available, +# information for that can be passed in a similar way using options 1 +# to 5. See page 19 of +# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf + + +# Enable dnsmasq's built-in TFTP server +#enable-tftp + +# Set the root directory for files available via FTP. +#tftp-root=/var/ftpd + +# Do not abort if the tftp-root is unavailable +#tftp-no-fail + +# Make the TFTP server more secure: with this set, only files owned by +# the user dnsmasq is running as will be send over the net. +#tftp-secure + +# This option stops dnsmasq from negotiating a larger blocksize for TFTP +# transfers. It will slow things down, but may rescue some broken TFTP +# clients. +#tftp-no-blocksize + +# Set the boot file name only when the "red" tag is set. +#dhcp-boot=tag:red,pxelinux.red-net + +# An example of dhcp-boot with an external TFTP server: the name and IP +# address of the server are given after the filename. +# Can fail with old PXE ROMS. Overridden by --pxe-service. +#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3 + +# If there are multiple external tftp servers having a same name +# (using /etc/hosts) then that name can be specified as the +# tftp_servername (the third option to dhcp-boot) and in that +# case dnsmasq resolves this name and returns the resultant IP +# addresses in round robin fashion. This facility can be used to +# load balance the tftp load among a set of servers. +#dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name + +# Set the limit on DHCP leases, the default is 150 +#dhcp-lease-max=150 + +# The DHCP server needs somewhere on disk to keep its lease database. +# This defaults to a sane location, but if you want to change it, use +# the line below. +#dhcp-leasefile=/var/lib/misc/dnsmasq.leases + +# Set the DHCP server to authoritative mode. In this mode it will barge in +# and take over the lease for any client which broadcasts on the network, +# whether it has a record of the lease or not. This avoids long timeouts +# when a machine wakes up on a new network. DO NOT enable this if there's +# the slightest chance that you might end up accidentally configuring a DHCP +# server for your campus/company accidentally. The ISC server uses +# the same option, and this URL provides more information: +# http://www.isc.org/files/auth.html +#dhcp-authoritative + +# Set the DHCP server to enable DHCPv4 Rapid Commit Option per RFC 4039. +# In this mode it will respond to a DHCPDISCOVER message including a Rapid Commit +# option with a DHCPACK including a Rapid Commit option and fully committed address +# and configuration information. This must only be enabled if either the server is +# the only server for the subnet, or multiple servers are present and they each +# commit a binding for all clients. +#dhcp-rapid-commit + +# Run an executable when a DHCP lease is created or destroyed. +# The arguments sent to the script are "add" or "del", +# then the MAC address, the IP address and finally the hostname +# if there is one. +#dhcp-script=/bin/echo + +# Set the cachesize here. +#cache-size=150 + +# If you want to disable negative caching, uncomment this. +#no-negcache + +# Normally responses which come from /etc/hosts and the DHCP lease +# file have Time-To-Live set as zero, which conventionally means +# do not cache further. If you are happy to trade lower load on the +# server for potentially stale date, you can set a time-to-live (in +# seconds) here. +#local-ttl= + +# If you want dnsmasq to detect attempts by Verisign to send queries +# to unregistered .com and .net hosts to its sitefinder service and +# have dnsmasq instead return the correct NXDOMAIN response, uncomment +# this line. You can add similar lines to do the same for other +# registries which have implemented wildcard A records. +#bogus-nxdomain=64.94.110.11 + +# If you want to fix up DNS results from upstream servers, use the +# alias option. This only works for IPv4. +# This alias makes a result of 1.2.3.4 appear as 5.6.7.8 +#alias=1.2.3.4,5.6.7.8 +# and this maps 1.2.3.x to 5.6.7.x +#alias=1.2.3.0,5.6.7.0,255.255.255.0 +# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40 +#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0 + +# Change these lines if you want dnsmasq to serve MX records. + +# Return an MX record named "maildomain.com" with target +# servermachine.com and preference 50 +#mx-host=maildomain.com,servermachine.com,50 + +# Set the default target for MX records created using the localmx option. +#mx-target=servermachine.com + +# Return an MX record pointing to the mx-target for all local +# machines. +#localmx + +# Return an MX record pointing to itself for all local machines. +#selfmx + +# Change the following lines if you want dnsmasq to serve SRV +# records. These are useful if you want to serve ldap requests for +# Active Directory and other windows-originated DNS requests. +# See RFC 2782. +# You may add multiple srv-host lines. +# The fields are ,,,, +# If the domain part if missing from the name (so that is just has the +# service and protocol sections) then the domain given by the domain= +# config option is used. (Note that expand-hosts does not need to be +# set for this to work.) + +# A SRV record sending LDAP for the example.com domain to +# ldapserver.example.com port 389 +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389 + +# A SRV record sending LDAP for the example.com domain to +# ldapserver.example.com port 389 (using domain=) +#domain=example.com +#srv-host=_ldap._tcp,ldapserver.example.com,389 + +# Two SRV records for LDAP, each with different priorities +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1 +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2 + +# A SRV record indicating that there is no LDAP server for the domain +# example.com +#srv-host=_ldap._tcp.example.com + +# The following line shows how to make dnsmasq serve an arbitrary PTR +# record. This is useful for DNS-SD. (Note that the +# domain-name expansion done for SRV records _does_not +# occur for PTR records.) +#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services" + +# Change the following lines to enable dnsmasq to serve TXT records. +# These are used for things like SPF and zeroconf. (Note that the +# domain-name expansion done for SRV records _does_not +# occur for TXT records.) + +#Example SPF. +#txt-record=example.com,"v=spf1 a -all" + +#Example zeroconf +#txt-record=_http._tcp.example.com,name=value,paper=A4 + +# Provide an alias for a "local" DNS name. Note that this _only_ works +# for targets which are names from DHCP or /etc/hosts. Give host +# "bert" another name, bertrand +#cname=bertand,bert + +# For debugging purposes, log each DNS query as it passes through +# dnsmasq. +#log-queries + +# Log lots of extra information about DHCP transactions. +#log-dhcp + +# Include another lot of configuration options. +#conf-file=/etc/dnsmasq.more.conf +#conf-dir=/etc/dnsmasq.d + +# Include all the files in a directory except those ending in .bak +#conf-dir=/etc/dnsmasq.d,.bak + +# Include all files in a directory which end in .conf +#conf-dir=/etc/dnsmasq.d/,*.conf + +# If a DHCP client claims that its name is "wpad", ignore that. +# This fixes a security hole. see CERT Vulnerability VU#598349 +#dhcp-name-match=set:wpad-ignore,wpad +#dhcp-ignore-names=tag:wpad-ignore diff --git a/ansible/templates/gandi-ddns.sh.j2 b/ansible/templates/gandi-ddns.sh.j2 index 2ee288a..5eced39 100644 --- a/ansible/templates/gandi-ddns.sh.j2 +++ b/ansible/templates/gandi-ddns.sh.j2 @@ -3,7 +3,7 @@ APIKEY={{ gandi_api_key }} NAME=$(hostname --short) -IPV6=$(ip -6 addr | grep mngtmpaddr | head -n 1 | awk '/inet6 / {gsub(/\/.*/,"",$2); print $2}') +IPV6=$(ip -6 addr | grep global | grep -v temporary | head -n 1 | awk '/inet6 / {gsub(/\/.*/,"",$2); print $2}') curl \ --header "Authorization: Apikey $APIKEY" \ diff --git a/fogcutter/docker/airsonic.sh b/fogcutter/docker/airsonic.sh deleted file mode 100755 index cd8e72f..0000000 --- a/fogcutter/docker/airsonic.sh +++ /dev/null @@ -1,33 +0,0 @@ -#!/bin/bash - -set -e - -up () { - docker network create pew-net || true - - # Exposed on port 4040 in pew-net - docker run \ - --detach \ - --name airsonic \ - --restart unless-stopped \ - --env PUID=1000 \ - --env PGID=1000 \ - --env TZ=US/Eastern \ - --volume /bigdata/k8s-config/airsonic/config:/config:rw \ - --volume /bigdata/media/music:/media/music:ro \ - --volume /bigdata/media/playlists:/media/playlists:ro \ - --volume /bigdata/media/podcasts:/media/podcasts:ro \ - --network pew-net \ - ghcr.io/linuxserver/airsonic:v10.6.2-ls83 -} - -down () { - docker stop airsonic || true - docker rm airsonic || true -} - -logs () { - docker logs --follow airsonic -} - -$@ diff --git a/fogcutter/docker/firefly.sh b/fogcutter/docker/firefly.sh index c2dec9c..c63fee0 100755 --- a/fogcutter/docker/firefly.sh +++ b/fogcutter/docker/firefly.sh @@ -25,13 +25,14 @@ up () { --env APP_URL=https://ff.seaturtle.pw \ --volume /bigdata/k8s-config/firefly/data:/var/www/html/storage/upload:rw \ --network pew-net \ - docker.io/jc5x/firefly-iii:version-5.4.6 + docker.io/fireflyiii/core:latest # Exposed on port 3306 in pew-net docker run \ --detach \ --name firefly-mariadb \ --restart unless-stopped \ + --label com.centurylinklabs.watchtower.enable=false \ --env MYSQL_RANDOM_ROOT_PASSWORD=notnullvalue \ --env MYSQL_PASSWORD=firefly \ --env MYSQL_DATABASE=firefly \ diff --git a/fogcutter/docker/geoserver.sh b/fogcutter/docker/geoserver.sh new file mode 100755 index 0000000..f3587c1 --- /dev/null +++ b/fogcutter/docker/geoserver.sh @@ -0,0 +1,48 @@ +#!/bin/bash + +set -e + +up () { + docker network create pew-net || true + + # Exposed on port 8080 in pew-net + docker run \ + --detach \ + --name geoserver \ + --restart unless-stopped \ + --volume /bigdata/gis/geoserver/config/geoserver-web.xml:/usr/local/geoserver/WEB-INF/web.xml:ro \ + --volume /bigdata/gis/geoserver/extensions:/var/local/geoserver-exts:ro \ + --volume /bigdata/gis/geoserver/data:/var/local/geoserver:rw \ + --volume /bigdata/gis/store:/gis/store:ro \ + --publish 8181:8080 \ + --network pew-net \ + docker.io/oscarfonts/geoserver:2.20.2 + #--volume /bigdata/k8s-config/geoserver/config/tomcat-web.xml:/usr/local/tomcat/conf/web.xml:ro \ + + # Exposed on port 5432 in pew-net + docker run \ + --detach \ + --name geoserver-postgis \ + --env POSTGRES_PASSWORD=postgres \ + --restart unless-stopped \ + --volume /bigdata/gis/geoserver/postgis:/var/lib/postgresql/data:rw \ + --network pew-net \ + docker.io/postgis/postgis:14-3.2-alpine +} + +down () { + docker stop geoserver || true + docker rm geoserver || true + docker stop geoserver-postgis || true + docker rm geoserver-postgis || true +} + +logs () { + docker logs --follow geoserver +} + +logsp () { + docker logs --follow geoserver-postgis +} + +$@ diff --git a/fogcutter/docker/gitea.sh b/fogcutter/docker/gitea.sh index e74333e..076b5d6 100755 --- a/fogcutter/docker/gitea.sh +++ b/fogcutter/docker/gitea.sh @@ -24,7 +24,7 @@ up () { --volume /etc/timezone:/etc/timezone:ro \ --publish 2222:2222 \ --network pew-net \ - docker.io/gitea/gitea:1.12.5 + docker.io/gitea/gitea:latest } down () { diff --git a/fogcutter/docker/jellyfin.sh b/fogcutter/docker/jellyfin.sh index bfca3a6..9407e63 100755 --- a/fogcutter/docker/jellyfin.sh +++ b/fogcutter/docker/jellyfin.sh @@ -18,7 +18,7 @@ up () { --volume /bigdata/media/movies:/media/movies:ro \ --volume /bigdata/media/music:/media/music:ro \ --network pew-net \ - ghcr.io/linuxserver/jellyfin:10.7.0-1-ls100 + ghcr.io/linuxserver/jellyfin:latest } down () { diff --git a/fogcutter/docker/minecraft.sh b/fogcutter/docker/minecraft.sh index b9b5c90..6c56b3e 100755 --- a/fogcutter/docker/minecraft.sh +++ b/fogcutter/docker/minecraft.sh @@ -9,8 +9,8 @@ up () { --restart unless-stopped \ --env EULA=TRUE \ --env MAX_MEMORY=8G \ - --env VERSION=1.15.2 \ - --volume /bigdata/k8s-config/minecraft/data:/data:rw \ + --env VERSION=1.18.1 \ + --volume /bigdata/k8s-config/minecraft/1.18-data:/data:rw \ --publish 127.0.0.1:25565:25565 \ docker.io/itzg/minecraft-server:latest } diff --git a/fogcutter/docker/nextcloud/nextcloud-cron.service b/fogcutter/docker/nextcloud/nextcloud-cron.service deleted file mode 100644 index f57db9d..0000000 --- a/fogcutter/docker/nextcloud/nextcloud-cron.service +++ /dev/null @@ -1,9 +0,0 @@ -[Unit] -Description=Nextcloud cron and scan for any new ebooks - -[Service] -Type=simple -ExecStart=/usr/bin/docker exec nextcloud /bin/bash -c "if ! command -v sudo &> /dev/null; then apt-get update && apt-get install -y sudo; fi; sudo -u www-data php -f /var/www/html/cron.php && sudo -u www-data /var/www/html/occ files:scan --path='/pew/files/ebooks'" - -[Install] -WantedBy=default.target diff --git a/fogcutter/docker/nextcloud/nextcloud-cron.timer b/fogcutter/docker/nextcloud/nextcloud-cron.timer deleted file mode 100644 index fcdc6ff..0000000 --- a/fogcutter/docker/nextcloud/nextcloud-cron.timer +++ /dev/null @@ -1,9 +0,0 @@ -[Unit] -Description=Run nextcloud-cron service every 10 minutes and on boot - -[Timer] -OnBootSec=10min -OnUnitActiveSec=10min - -[Install] -WantedBy=timers.target diff --git a/fogcutter/docker/nextcloud/nextcloud.sh b/fogcutter/docker/nextcloud/nextcloud.sh deleted file mode 100755 index 5ffec50..0000000 --- a/fogcutter/docker/nextcloud/nextcloud.sh +++ /dev/null @@ -1,78 +0,0 @@ -#!/bin/bash - -set -e - -# to scan new files: k exec --stdin --tty nextcloud-POD -npew -- /bin/bash -c "/var/www/html/occ files:scan --path='/USER/files'" - -up () { - loginctl enable-linger $USER - docker network create pew-net || true - - # Exposed on port 80 in pew-net - # Must edit /var/www/html/config/config.php file after initial setup to change settings - docker run \ - --detach \ - --name nextcloud \ - --restart unless-stopped \ - --env OVERWRITEHOST=nc.seaturtle.pw \ - --env OVERWRITEPROTOCOL=https \ - --env MYSQL_DATABASE=nextcloud \ - --env MYSQL_USER=nextcloud \ - --env MYSQL_PASSWORD=nextcloud \ - --env MYSQL_HOST=nextcloud-mariadb \ - --env REDIS_HOST=nextcloud-redis \ - --env REDIS_HOST_PASSWORD=nextcloud \ - --volume /bigdata/k8s-config/nextcloud/data:/var/www/html:rw \ - --network pew-net \ - docker.io/nextcloud:20.0.1-apache - - # Exposed on port 3306 in pew-net - docker run \ - --detach \ - --name nextcloud-mariadb \ - --restart unless-stopped \ - --env MYSQL_RANDOM_ROOT_PASSWORD=notnullvalue \ - --env MYSQL_PASSWORD=nextcloud \ - --env MYSQL_DATABASE=nextcloud \ - --env MYSQL_USER=nextcloud \ - --volume /bigdata/k8s-config/nextcloud/mariadb:/var/lib/mysql:rw \ - --network pew-net \ - docker.io/mariadb:10.5.6 - - # Exposed on port 6379 in pew-net - docker run \ - --detach \ - --name nextcloud-redis \ - --restart unless-stopped \ - --network pew-net \ - docker.io/redis:6.0.9 --requirepass nextcloud - - # Setup nextcloud cron and continuous scanning for new files - cp nextcloud-cron.service nextcloud-cron.timer $HOME/.config/systemd/user/ - systemctl start --user nextcloud-cron.timer || systemctl restart --user nextcloud-cron.timer - systemctl enable --user nextcloud-cron.timer - -} - -down () { - docker stop nextcloud || true - docker rm nextcloud || true - docker stop nextcloud-mariadb || true - docker rm nextcloud-mariadb || true - docker stop nextcloud-redis || true - docker rm nextcloud-redis || true -} - -logs () { - docker logs -f nextcloud -} - -logsm () { - docker logs -f nextcloud-mariadb -} - -logsr () { - docker logs -f nextcloud-redis -} - -$@ diff --git a/fogcutter/docker/nfs.sh b/fogcutter/docker/nfs.sh new file mode 100755 index 0000000..9378707 --- /dev/null +++ b/fogcutter/docker/nfs.sh @@ -0,0 +1,25 @@ +#!/bin/bash + +set -e + +up () { + # Poll interval: 1800s (30 mins) + docker run \ + --detach \ + --name nfs \ + --volume /bigdata/tmp/echarlie-photos:/bigdata/tmp/echarlie-photos:rw \ + --volume /bigdata/k8s-config/nfs/exports.txt:/etc/exports.txt \ + --volume /var/run/docker.sock:/var/run/docker.sock:rw \ + erichough/nfs-server:latest +} + +down () { + docker stop nfs || true + docker rm nfs || true +} + +logs () { + docker logs --follow nfs +} + +$@ diff --git a/fogcutter/docker/nginx.sh b/fogcutter/docker/nginx.sh index 05cd031..c633f3c 100755 --- a/fogcutter/docker/nginx.sh +++ b/fogcutter/docker/nginx.sh @@ -17,16 +17,17 @@ up () { --env URL=seaturtle.pw \ --env VALIDATION=http \ --env EMAIL=paulsw.pw@gmail.com \ - --env SUBDOMAINS=airsonic,cave,ff,git,jf,nc,plex \ + --env SUBDOMAINS=cave,ff,git,jf,nc,plex \ + --env EXTRA_DOMAINS=paul.walko.org,tile.bigcavemaps.com \ --volume /bigdata/k8s-config/nginx/nginx.conf:/config/nginx/nginx.conf:ro \ --volume /bigdata/files:/files:ro \ --volume /bigdata/k8s-config/nginx/config:/config:rw \ --volume /bigdata/k8s-config/nginx/ssl.conf:/config/nginx/ssl.conf:ro \ --volume /bigdata/k8s-config/nginx/site-confs:/config/nginx/site-confs:ro \ - --publish 127.0.0.1:80:80 \ + --publish 80:80 \ --publish 443:443 \ --network pew-net \ - ghcr.io/linuxserver/swag:1.15.0-ls57 + ghcr.io/linuxserver/swag:latest } down () { diff --git a/fogcutter/docker/paperless.sh b/fogcutter/docker/paperless.sh new file mode 100755 index 0000000..0d45094 --- /dev/null +++ b/fogcutter/docker/paperless.sh @@ -0,0 +1,93 @@ +#!/bin/bash + +set -e + +up () { + docker network create pew-net || true + + # Exposed on port 8000 in pew-net + docker run \ + --detach \ + --name paperless \ + --restart unless-stopped \ + --env USERMAP_UID=1000 \ + --env USERMAP_GID=1000 \ + --env PAPERLESS_REDIS=redis://paperless-redis:6379 \ + --env PAPERLESS_DBHOST=paperless-psql \ + --env PAPERLESS_TIKA_ENABLED=1 \ + --env PAPERLESS_TIKA_GOTENBERG_EDPOINT=http://paperless-gotenberg:3000 \ + --env PAPERLESS_TIKA_ENDPOINT=http://paperless-tika:9998 \ + --volume /bigdata/k8s-config/paperless/paperless/data:/usr/src/paperless/data:rw \ + --volume /bigdata/k8s-config/paperless/paperless/media:/usr/src/paperless/media:rw \ + --volume /bigdata/k8s-config/paperless/paperless/export:/usr/src/paperless/export:rw \ + --volume /bigdata/k8s-config/paperless/paperless/consume:/usr/src/paperless/consume:rw \ + --network pew-net \ + docker.io/jonaswinkler/paperless-ng:latest + + docker run \ + --detach \ + --name paperless-gotenberg \ + --restart unless-stopped \ + --env DISABLE_GOOGLE_CHROME=1 \ + --network pew-net \ + docker.io/thecodingmachine/gotenberg:latest + + docker run \ + --detach \ + --name paperless-psql \ + --env POSTGRES_DB=paperless \ + --env POSTGRES_USER=paperless \ + --env POSTGRES_PASSWORD=paperless \ + --volume /bigdata/k8s-config/paperless/postgres:/var/lib/postgresql/data:rw \ + --network pew-net \ + docker.io/postgres:13 + + docker run \ + --detach \ + --name paperless-redis \ + --restart unless-stopped \ + --network pew-net \ + docker.io/redis:6.0 + + docker run \ + --detach \ + --name paperless-tika \ + --restart unless-stopped \ + --network pew-net \ + docker.io/apache/tika:latest +} + +down () { + docker stop paperless || true + docker rm paperless || true + docker stop paperless-gotenberg || true + docker rm paperless-gotenberg || true + docker stop paperless-psql || true + docker rm paperless-psql || true + docker stop paperless-redis || true + docker rm paperless-redis || true + docker stop paperless-tika || true + docker rm paperless-tika || true +} + +logs () { + docker logs --follow paperless +} + +logsg () { + docker logs --follow paperless-gotenberg +} + +logsp () { + docker logs --follow paperless-psql +} + +logsr () { + docker logs --follow paperless-redis +} + +logst () { + docker logs --follow paperless-tika +} + +$@ diff --git a/fogcutter/docker/plex.sh b/fogcutter/docker/plex.sh index ba5c09c..63bab91 100755 --- a/fogcutter/docker/plex.sh +++ b/fogcutter/docker/plex.sh @@ -18,7 +18,7 @@ up () { --volume /bigdata/media/music:/media/music:ro \ --volume /media-vtluug:/media/media-vtluug:ro \ --network pew-net \ - ghcr.io/linuxserver/plex:1.20.3.3483-211702a9f-ls122 + ghcr.io/linuxserver/plex:latest } down () { diff --git a/fogcutter/docker/tunnelvr-fileserver.sh b/fogcutter/docker/tunnelvr-fileserver.sh new file mode 100755 index 0000000..06e0b7f --- /dev/null +++ b/fogcutter/docker/tunnelvr-fileserver.sh @@ -0,0 +1,52 @@ +#!/bin/bash + +set -e + +##### Update as follows ##### +#/etc/apache2/conf.d # cat dav_svn.conf +#LoadModule dav_svn_module /usr/lib/apache2/mod_dav_svn.so +#LoadModule authz_svn_module /usr/lib/apache2/mod_authz_svn.so +# +# +# DAV svn +# SVNParentPath /home/svn +# SVNListParentPath On +# Allow from All +# Satisfy Any +## AuthType Basic +## AuthName "Subversion Repository" +## AuthUserFile /etc/subversion/passwd +# AuthzSVNAccessFile /etc/subversion/subversion-access-control +## Require valid-user +# + + +# See https://github.com/elleFlorio/svn-docker for adding users + +up () { + docker network create pew-net || true + + # Exposed on port 80 in pew-net + docker run \ + --detach \ + --name tunnelvr-fileserver \ + --restart unless-stopped \ + --volume /bigdata/archive/vpicc-private/tunnelvr:/home/svn:rw \ + --volume svn_config:/etc/subversion \ + --volume svnadmin_config:/opt/svnadmin/data \ + --publish 10.42.0.203:8081:80 \ + --publish 10.42.0.203:3690:3690 \ + --network pew-net \ + elleflorio/svn-server:latest +} + +down () { + docker stop tunnelvr-fileserver || true + docker rm tunnelvr-fileserver || true +} + +logs () { + docker logs --follow tunnelvr-fileserver +} + +$@ diff --git a/fogcutter/docker/tunnelvr.sh b/fogcutter/docker/tunnelvr.sh new file mode 100755 index 0000000..ed35837 --- /dev/null +++ b/fogcutter/docker/tunnelvr.sh @@ -0,0 +1,25 @@ +#!/bin/bash + +set -e + +up () { + # Exposed on port 8000 + docker run \ + --detach \ + --name tunnelvr \ + --restart unless-stopped \ + --volume /bigdata/k8s-config/tunnelvr/caddywebserver:/home/caver/.local/share/godot/app_userdata/tunnelvr_v0.7/caddywebserver:ro \ + --publish 127.0.0.1:8000:8000 \ + ghcr.io/paulwalko/tunnelvr-server:testv8 +} + +down () { + docker stop tunnelvr || true + docker rm tunnelvr || true +} + +logs () { + docker logs --follow tunnelvr +} + +$@ diff --git a/fogcutter/docker/unifi.sh b/fogcutter/docker/unifi.sh new file mode 100755 index 0000000..dea5d3e --- /dev/null +++ b/fogcutter/docker/unifi.sh @@ -0,0 +1,29 @@ +#!/bin/bash + +set -e + +up () { + docker run \ + --detach \ + --name unifi \ + --restart unless-stopped \ + --env PUID=1000 \ + --env GUID=1000 \ + --volume /bigdata/k8s-config/unifi/config:/config:rw \ + --publish 3478:3478/udp \ + --publish 10001:10001/udp \ + --publish 8080:8080/tcp \ + --publish 8443:8443/tcp \ + ghcr.io/linuxserver/unifi-controller:6.5.54-ls134 +} + +down () { + docker stop unifi || true + docker rm unifi || true +} + +logs () { + docker logs --follow unifi +} + +$@ diff --git a/fogcutter/docker/watchtower.sh b/fogcutter/docker/watchtower.sh new file mode 100755 index 0000000..f67b36f --- /dev/null +++ b/fogcutter/docker/watchtower.sh @@ -0,0 +1,23 @@ +#!/bin/bash + +set -e + +up () { + # Poll interval: 1800s (30 mins) + docker run \ + --detach \ + --name watchtower \ + --volume /var/run/docker.sock:/var/run/docker.sock:rw \ + ghcr.io/containrrr/watchtower:amd64-1.3.0 --interval 1800 +} + +down () { + docker stop watchtower || true + docker rm watchtower || true +} + +logs () { + docker logs --follow watchtower +} + +$@ diff --git a/madone/docker/nginx/default b/madone/docker/nginx/default index b9f8852..55ba074 100644 --- a/madone/docker/nginx/default +++ b/madone/docker/nginx/default @@ -1,6 +1,8 @@ ## Based on version below; heavily modified for me ## Version 2018/09/12 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/default + +### madone ### # Redirect HTTPS to HTTP server { listen 80; @@ -33,3 +35,43 @@ server { proxy_read_timeout 8h; } } + +### uptime ### +# Redirect HTTPS to HTTP +server { + listen 80; + listen [::]:80; + server_name uptime.seaturtle.pw; + + return 301 https://uptime.seaturtle.pw$request_uri; +} + +# Reference: https://gist.github.com/CodeCrafter912/4305d5a1873e2a220e7da848b87be937 +server { + listen 443 ssl; + listen [::]:443 ssl; + server_name uptime.seaturtle.pw; + + set $monitorId zx0Y5uROBD; + + # ssl conf + include /config/nginx/ssl.conf; + + client_max_body_size 1M; + + location / { + proxy_set_header Host "stats.uptimerobot.com"; + proxy_set_header Accept-Encoding ""; + proxy_pass_request_headers on; + proxy_pass https://stats.uptimerobot.com/; + proxy_ssl_server_name on; + + rewrite ^\/([0-9]+) /$monitorId/$1 break; + rewrite ^\/$ /$monitorId break; + + sub_filter_once off; + sub_filter_types text/html; + sub_filter "stats.uptimerobot.com" "$host"; + sub_filter "https://stats.uptimerobot.com/$monitorId" "https://$host"; + } +} diff --git a/madone/docker/nginx/launch.sh b/madone/docker/nginx/launch.sh index ae35965..c1ce458 100755 --- a/madone/docker/nginx/launch.sh +++ b/madone/docker/nginx/launch.sh @@ -1,6 +1,9 @@ #!/bin/bash -docker run \ +set -e + +up () { + docker run \ --name nginx \ --detach \ --restart unless-stopped \ @@ -9,7 +12,7 @@ docker run \ --env EMAIL=sysadmin@seaturtle.pw \ --env URL=seaturtle.pw \ --env ONLY_SUBDOMAINS=true \ - --env SUBDOMAINS=madone \ + --env SUBDOMAINS=madone,uptime \ --env VALIDATION=html \ --env TZ=US/Eastern \ --volume $PWD/nginx-config:/config:rw \ @@ -20,3 +23,16 @@ docker run \ --publish [2001:bc8:6005:19:208:a2ff:fe0c:917c]:80:80 \ --publish [2001:bc8:6005:19:208:a2ff:fe0c:917c]:443:443 \ linuxserver/letsencrypt:1.3.0-ls110 +} + +down () { + docker stop nginx || true + docker rm nginx || true +} + +logs () { + docker logs -f nginx +} + + +$@