diff --git a/docker-madone/nginx/README.md b/docker-madone/nginx/README.md
new file mode 100644
index 0000000..1a08bd2
--- /dev/null
+++ b/docker-madone/nginx/README.md
@@ -0,0 +1 @@
+Mostly stolen from https://github.com/vtluug/docker-manifests/tree/master/sczi/nginx
diff --git a/docker-madone/nginx/launch.sh b/docker-madone/nginx/launch.sh
new file mode 100755
index 0000000..d1d739c
--- /dev/null
+++ b/docker-madone/nginx/launch.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+docker run \
+ --name nginx \
+ --detach \
+ --restart unless-stopped \
+ --env PUID=1000 \
+ --env PGID=1000 \
+ --env EMAIL=sysadmin@seaturtle.pw \
+ --env URL=seaturtle.pw \
+ --env ONLY_SUBDOMAINS=true \
+ --env SUBDOMAINS=madone \
+ --env VALIDATION=html \
+ --env TZ=US/Eastern \
+ --volume $PWD/config:/config:rw \
+ --volume $PWD/nginx.conf:/config/nginx/nginx.conf:ro \
+ --volume $PWD/site-confs:/config/nginx/site-confs:ro \
+ --publish 51.159.29.122:80:80 \
+ --publish 51.159.29.122:443:443 \
+ --publish [2001:bc8:6005:19:208:a2ff:fe0c:917c]:80:80 \
+ --publish [2001:bc8:6005:19:208:a2ff:fe0c:917c]:443:443 \
+ --network pew-net \
+ linuxserver/letsencrypt:latest
diff --git a/docker-madone/nginx/nginx.conf b/docker-madone/nginx/nginx.conf
new file mode 100644
index 0000000..4c3f0ca
--- /dev/null
+++ b/docker-madone/nginx/nginx.conf
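Review bot: The three `--volume` lines in docker-madone/nginx/launch.sh expand `$PWD` unquoted, so a checkout path containing whitespace is word-split and `docker run` either fails or binds the wrong host path; write `--volume "$PWD/config:/config:rw"` and quote the nginx.conf and site-confs mounts the same way. The same unquoted `$PWD` appears on both `--volume` lines of docker-madone/syncthing/launch.sh in this commit. A one-line header comment such as `# Expects ./config, ./nginx.conf and ./site-confs next to this script; pew-net must already exist` would also document the cwd dependency that the quoting makes explicit.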
@@ -0,0 +1,63 @@
+## Version 2018/04/07 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/nginx.conf
+
+user abc;
+worker_processes 4;
+pid /run/nginx.pid;
+include /etc/nginx/modules/*.conf;
+
+events {
+ worker_connections 768;
+ # multi_accept on;
+}
+
+http {
+
+ ##
+ # Basic Settings
+ ##
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ # server_tokens off;
+
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ client_max_body_size 0;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # Logging Settings
+ ##
+
+ access_log /config/log/nginx/access.log;
+ error_log /config/log/nginx/error.log;
+
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+ gzip_disable "msie6";
+
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+
+ ##
+ # Virtual Host Configs
+ ##
+ include /etc/nginx/conf.d/*.conf;
+ include /config/nginx/site-confs/default;
+ include /config/nginx/site-confs/*.enabled;
+}
+
+daemon off;
diff --git a/vps/services/web/site-confs/default b/docker-madone/nginx/site-confs/default
similarity index 52%
rename from vps/services/web/site-confs/default
rename to docker-madone/nginx/site-confs/default
index c09b734..f63f895 100644
--- a/vps/services/web/site-confs/default
+++ b/docker-madone/nginx/site-confs/default
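Review bot: `# server_tokens off;` is left commented out in the Basic Settings block, so the nginx version is still reported in the `Server` response header and on generated error pages; uncomment it as `server_tokens off;`. `client_max_body_size 0;` at http level removes the request-body limit for every server block that does not override it — the madone vhost in this commit sets 1M, but any future `*.enabled` file that forgets to will inherit unlimited, so a finite http-level default with per-location overrides is the safer shape. Both settings are carried over from the upstream linuxserver default named in the version header, so this is a deliberate choice to make rather than a regression.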
@@ -4,13 +4,26 @@ # This is the main file that will be pe present no matter what # Individual sites are specified in /config/nginx/sites/*.enabled -# Redirect HTTP traffic to HTTPS +# Redirect unknown HTTP traffic to https://seaturtle.pw server { listen 80 default_server; listen [::]:80 default_server; server_name _; + + return 301 https://seaturtle.pw; +} - return 301 https://$host$request_uri; +# Redirect unknown HTTPS traffic to https://seaturtle.pw +# If we don't have a cert for the site the client get an error but that's fine +server { + listen 443 default_server; + listen [::]:443 default_server; + server_name _; + + # ssl conf + include /config/nginx/ssl.conf; + + return 301 https://seaturtle.pw; } # Enabled sites are included in /config/nginx/nginx.conf diff --git a/docker-madone/nginx/site-confs/madone.seaturtle.pw b/docker-madone/nginx/site-confs/madone.seaturtle.pw new file mode 100644 index 0000000..bf11e82 --- /dev/null +++ b/docker-madone/nginx/site-confs/madone.seaturtle.pw 
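Review bot: The new catch-all HTTPS server declares `listen 443 default_server;` and `listen [::]:443 default_server;` without the `ssl` parameter while including ssl.conf; it only terminates TLS because another server block on the same address:port (the madone vhost's `listen 443 ssl`) appears to mark the shared socket as SSL, which is implicit and stops working the moment that vhost is disabled. Make it explicit with `listen 443 ssl default_server;` and `listen [::]:443 ssl default_server;`. Separately, the port-80 catch-all now answers every path, including `/.well-known/acme-challenge/`, with a redirect to a fixed host; launch.sh sets `VALIDATION=html`, so confirm the image serves challenges ahead of this redirect or certificate renewals may fail. The file's three header lines sit above this hunk.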
@@ -0,0 +1,51 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name madone.seaturtle.pw;
+
+ return 301 https://seaturtle.pw$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name madone.seaturtle.pw;
+
+ # ssl conf
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 1M;
+
+ # Proxy syncthing
+ location /syncthing/ {
+ auth_basic "not today buddy";
+ auth_basic_user_file /config/nginx/syncthing-htpasswd;
+ proxy_set_header X-Real_IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-proto $scheme;
+ proxy_pass http://syncthing:8384/;
+ }
+
+ # Proxy weechat
+ location /weechat {
+ proxy_pass http://172.17.0.1:9001;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_read_timeout 8h;
+ }
+
+ # Serve misc files
+ location /files {
+ alias /files-docker;
+ autoindex on;
+ }
+
+ # Serve syncthing files
+ location /sync {
+ auth_basic "nope definitely not today buddy";
+ auth_basic_user_file /config/nginx/sync-htpasswd;
+ alias /sync-docker;
+ autoindex on;
+ }
+}
diff --git a/docker-madone/syncthing/launch.sh b/docker-madone/syncthing/launch.sh
new file mode 100755
index 0000000..7dad8ad
--- /dev/null
+++ b/docker-madone/syncthing/launch.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# Assumes pew-net exists
+# Create mounted dirs (as non-root) before launching
+
+docker run \
+ --name syncthing \
+ --detach \
+ --restart unless-stopped \
+ --env PUID=1000 \
+ --env PGID=1000 \
+ --env TZ=Europe/London \
+ --env UMASK_SET=022 \
+ --volume $PWD/config:/config:rw \
+ --volume $PWD/sync:/sync-docker:rw \
+ --publish 22000:22000 \
+ --publish 21027:21027/udp \
+ --network pew-net \
+ linuxserver/syncthing:latest
diff --git a/space_scraper.py b/space_scraper.py
index 3fb5f1a..cb6d756 100755
--- a/space_scraper.py
+++ b/space_scraper.py
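Review bot: This vhost file is named `madone.seaturtle.pw`, but the nginx.conf added in the same commit only includes `/config/nginx/site-confs/default` and `/config/nginx/site-confs/*.enabled`, so unless something outside the commit renames or symlinks it the whole server block is never loaded and madone.seaturtle.pw falls through to the catch-all redirect (the deleted predecessor was `seaturtle.pw.enabled`). Rename it to `madone.seaturtle.pw.enabled` or add an explicit `include` line in nginx.conf. In the syncthing location, `proxy_set_header X-Real_IP $remote_addr;` uses an underscore where the conventional header (and the deleted config) is `X-Real-IP`, so the upstream receives an unrelated header name. The `alias /files-docker;` and `alias /sync-docker;` targets are also not mounted into the nginx container by docker-madone/nginx/launch.sh, so both locations will return 404 until matching `--volume` entries are added.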
@@ -1,3 +1,5 @@
+#!/usr/bin/env python3
+
 import json
 from selenium import webdriver
 from selenium.webdriver.common.by import By
diff --git a/vps/hosts.cfg b/vps/hosts.cfg
deleted file mode 100644
index 7e70c04..0000000
--- a/vps/hosts.cfg
+++ /dev/null
@@ -1,3 +0,0 @@
-[irc-etc]
-# User must be changed from root to admin user after initial run
-joe@madone.seaturtle.pw
diff --git a/vps/scaleway-setup.yml b/vps/scaleway-setup.yml
deleted file mode 100644
index 5e554ec..0000000
--- a/vps/scaleway-setup.yml
+++ /dev/null
@@ -1,104 +0,0 @@ ---- -- hosts: irc-etc - become: yes - handlers: - - name: Restart ssh - service: - name: ssh - state: restarted - - tasks: - - name: ping host - ping: - - - name: Allow passwordless sudo - lineinfile: - path: /etc/sudoers - state: present - regexp: '^%sudo' - line: '%sudo ALL=(ALL) NOPASSWD:ALL' - validate: 'visudo -cf %s' - - - name: Create admin user - user: - name: joe - groups: sudo - shell: /bin/bash - - - name: Create normal user - user: - name: pew - shell: /bin/bash - - - name: Add authorized ssh key from localhost - authorized_key: - user: "{{ item }}" - state: present - key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}" - with_items: - - joe - - pew - - - name: Disable password ssh - lineinfile: dest=/etc/ssh/sshd_config - regexp="^PasswordAuthentication" - line="PasswordAuthentication no" - state=present - notify: Restart ssh - - # May have to be done manually - - name: Disallow root SSH access - lineinfile: dest=/etc/ssh/sshd_config - regexp="^PermitRootLogin" - line="PermitRootLogin no" - state=present - notify: Restart ssh - - - name: Update apt and upgrade packages - apt: - update_cache: yes - upgrade: yes - - - name: Install packages - apt: - pkg: - - apt-transport-https - - ca-certificates - - curl - - git - - gnupg - - htop - - iodine - - mosh - - oidentd - - software-properties-common - - tmux - - weechat - - zsh - state: latest - - - name: Add Docker and Syncthing GPG key - apt_key: - url: https://download.docker.com/linux/ubuntu/gpg - - - name: Add Docker and Syncthing APT repository - apt_repository: - repo: deb [arch=amd64] https://download.docker.com/linux/debian {{ansible_lsb.codename}} stable - -- name: Update apt - apt: - update_cache: yes - - # May require a reboot - - name: Install Docker & Synthing - apt: - pkg: - - docker-ce - - docker-compose - state: latest - - - name: Add admin user to docker group - user: - name: joe - groups: docker - append: yes 
diff --git a/vps/services/web/docker-compose.yml b/vps/services/web/docker-compose.yml deleted file mode 100644 index 2fef0e6..0000000 --- a/vps/services/web/docker-compose.yml +++ /dev/null @@ -1,49 +0,0 @@ -version: '3' - -services: - letsencrypt: - restart: unless-stopped - image: linuxserver/letsencrypt - cap_add: - - NET_ADMIN - environment: - PUID: 1000 - PGID: 1000 - EMAIL: sysadmin@seaturtle.pw - # URL field must be working since nginx only starts if letsencrypt works - URL: seaturtle.pw - SUBDOMAINS: madone - EXTRA_DOMAINS: www.paul.walko.org,paul.walko.org - VALIDATION: html # TODO Switch to dns + gandi api once pr is merged - TZ: America/New_York - volumes: - # nginx persistent storage - - /home/joe/docker/nginx/config:/config - # RO settings - - ./htpasswd:/secrets/htpasswd # Create once deployed - - ./nginx.conf:/config/nginx/nginx.conf:ro - - ./ssl.conf:/config/nginx/ssl.conf:ro - - ./site-confs:/config/nginx/site-confs:ro - - ./jail.local:/config/jail2ban/jail.local:ro - # etc files - - /home/joe/docker/syncthing/sync:/sync:ro - ports: - - 10.21.2.155:80:80 - - 10.21.2.155:443:443 - - 2001:bc8:4728:8d0d::1:80:80 - - 2001:bc8:4728:8d0d::1:443:443 - - syncthing: - restart: unless-stopped - image: linuxserver/syncthing - environment: - PUID: 1000 - PGID: 1000 - TZ: America/Eastern - UMASK_SET: <022> - volumes: - - /home/joe/docker/syncthing/config:/config - - /home/joe/docker/syncthing/sync:/sync - ports: - - 22000:22000 - - 21027:21027/udp diff --git a/vps/services/web/jail.local b/vps/services/web/jail.local deleted file mode 100644 index 07ba140..0000000 --- a/vps/services/web/jail.local +++ /dev/null 
@@ -1,46 +0,0 @@ -# This is the custom version of the jail.conf for fail2ban -# Feel free to modify this and add additional filters -# Then you can drop the new filter conf files into the fail2ban-filters -# folder and restart the container - -[DEFAULT] - -# "bantime" is the number of seconds that a host is banned. -bantime = 600 - -# A host is banned if it has generated "maxretry" during the last "findtime" -# seconds. -findtime = 600 - -# "maxretry" is the number of failures before a host get banned. -maxretry = 5 - - -[ssh] - -enabled = false - - -[nginx-http-auth] - -enabled = true -filter = nginx-http-auth -port = http,https -logpath = /config/log/nginx/error.log - - -[nginx-badbots] - -enabled = true -port = http,https -filter = nginx-badbots -logpath = /config/log/nginx/access.log -maxretry = 2 - - -[nginx-botsearch] - -enabled = true -port = http,https -filter = nginx-botsearch -logpath = /config/log/nginx/access.log diff --git a/vps/services/web/nginx.conf b/vps/services/web/nginx.conf deleted file mode 100644 index a1e0fd4..0000000 --- a/vps/services/web/nginx.conf +++ /dev/null 
@@ -1,101 +0,0 @@ -## Version 2018/01/29 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/nginx.conf - -user abc; -worker_processes 4; -pid /run/nginx.pid; -include /etc/nginx/modules/*.conf; - -events { - worker_connections 768; - # multi_accept on; -} - -http { - - ## - # Basic Settings - ## - - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - # server_tokens off; - - # server_names_hash_bucket_size 64; - # server_name_in_redirect off; - - client_max_body_size 0; - - include /etc/nginx/mime.types; - default_type application/octet-stream; - - ## - # Logging Settings - ## - - access_log /config/log/nginx/access.log; - error_log /config/log/nginx/error.log; - - ## - # Gzip Settings - ## - - gzip on; - gzip_disable "msie6"; - - # gzip_vary on; - # gzip_proxied any; - # gzip_comp_level 6; - # gzip_buffers 16 8k; - # gzip_http_version 1.1; - # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; - - ## - # nginx-naxsi config - ## - # Uncomment it if you installed nginx-naxsi - ## - - #include /etc/nginx/naxsi_core.rules; - - ## - # nginx-passenger config - ## - # Uncomment it if you installed nginx-passenger - ## - - #passenger_root /usr; - #passenger_ruby /usr/bin/ruby; - - ## - # Virtual Host Configs - ## - include /etc/nginx/conf.d/*.conf; - include /config/nginx/site-confs/default; - include /config/nginx/site-confs/*.enabled; -} - - -#mail { -# # See sample authentication script at: -# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript -# -# # auth_http localhost/auth.php; -# # pop3_capabilities "TOP" "USER"; -# # imap_capabilities "IMAP4rev1" "UIDPLUS"; -# -# server { -# listen localhost:110; -# protocol pop3; -# proxy on; -# } -# -# server { -# listen localhost:143; -# protocol imap; -# proxy on; -# } -#} -daemon off; 
diff --git a/vps/services/web/site-confs/seaturtle.pw.enabled b/vps/services/web/site-confs/seaturtle.pw.enabled deleted file mode 100644 index 1c06561..0000000 --- a/vps/services/web/site-confs/seaturtle.pw.enabled +++ /dev/null @@ -1,43 +0,0 @@ -server { - listen 443 ssl; - listen [::]:443 ssl; - server_name seaturtle.pw paul.walko.org www.paul.walko.org; - - # ssl conf - include /config/nginx/ssl.conf; - - client_max_body_size 1M; - - # Main site - location / { - proxy_pass https://paulwalko.github.io; - } - - location /files { - alias /files; - autoindex on; - } - - location /sync { - auth_basic "Restricted Content"; - auth_basic_user_file /secrets/htpasswd; - alias /sync; - autoindex on; - } - - location /syncthing/ { - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass https://syncthing:8384/; - } - - location /weechat { - proxy_pass http://127.0.0.1:9001/weechat; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_read_timeout 604800; - proxy_set_header X-RealIP $remote_addr; - } -} diff --git a/vps/services/web/ssl.conf b/vps/services/web/ssl.conf deleted file mode 100644 index a7c5faf..0000000 --- a/vps/services/web/ssl.conf +++ /dev/null 
@@ -1,36 +0,0 @@ -## Version 2018/05/31 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/ssl.conf - -# session settings -ssl_session_timeout 1d; -ssl_session_cache shared:SSL:50m; -ssl_session_tickets off; - -# Diffie-Hellman parameter for DHE cipher suites -ssl_dhparam /config/nginx/dhparams.pem; - -# ssl certs -#ssl_certificate /config/keys/letsencrypt/fullchain.pem; -#ssl_certificate_key /config/keys/letsencrypt/privkey.pem; -ssl_certificate /etc/letsencrypt/live/seaturtle.pw/fullchain.pem; -ssl_certificate_key /etc/letsencrypt/live/seaturtle.pw/privkey.pem; - -# protocols -ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; -ssl_prefer_server_ciphers on; -ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA; - -# HSTS, remove # from the line below to enable HSTS -#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; - -# OCSP Stapling -ssl_stapling on; -ssl_stapling_verify on; - -# Optional additional headers -#add_header Content-Security-Policy "upgrade-insecure-requests"; -#add_header X-Frame-Options "SAMEORIGIN" always; -#add_header X-XSS-Protection "1; mode=block" always; -#add_header X-Content-Type-Options "nosniff" always; -#add_header X-UA-Compatible "IE=Edge" always; -#add_header Cache-Control "no-transform" always; -#add_header Referrer-Policy "same-origin" always; diff --git a/vps/weechat.service b/vps/weechat.service deleted file mode 100644 index 6fbc01a..0000000 --- a/vps/weechat.service +++ /dev/null 
@@ -1,13 +0,0 @@
-[Unit]
-Description=Weechat IRC Client (in tmux)
-After=network.target
-
-[Service]
-User=pew
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/usr/bin/tmux new-session -d -s irc /usr/bin/weechat
-ExecStop=/usr/bin/tmux kill-session -t irc
-
-[Install]
-WantedBy=multi-user.target