From 972244dac6f1bdf862c776158120125ba0301e74 Mon Sep 17 00:00:00 2001 
From: Paul Walko Date: Sun, 25 Aug 2019 14:17:20 -0400 Subject: [PATCH] add ansible, docker configs --- ansible/README.md | 13 ++ ansible/files/20auto-upgrades | 2 + ansible/files/50unattended-upgrades | 146 +++++++++++++ ansible/files/chrony.conf | 32 +++ ansible/files/exports | 1 + ansible/files/logind.conf | 37 ++++ ansible/files/sshd_config | 122 +++++++++++ ansible/handlers.yml | 18 ++ ansible/hosts.cfg | 8 + ansible/main.yml | 196 ++++++++++++++++++ ansible/templates/local.conf.j2 | 1 + docker-cabinet/syncthing/launch.sh | 16 ++ docker-fogcutter/airsonic/launch.sh | 15 ++ docker-fogcutter/minecraft/launch.sh | 12 ++ docker-fogcutter/nginx/README.md | 1 + docker-fogcutter/nginx/jail.local | 46 ++++ docker-fogcutter/nginx/launch.sh | 23 ++ docker-fogcutter/nginx/nginx.conf | 61 ++++++ docker-fogcutter/nginx/site-confs/default | 29 +++ .../site-confs/donskoy.seaturtle.pw.enabled | 50 +++++ .../nginx/site-confs/seaturtle.pw.enabled | 35 ++++ docker-fogcutter/nginx/ssl.conf | 36 ++++ docker-fogcutter/plex/launch.sh | 15 ++ docker-fogcutter/ut04/launch.sh | 10 + 24 files changed, 925 insertions(+) create mode 100644 ansible/README.md create mode 100644 ansible/files/20auto-upgrades create mode 100644 ansible/files/50unattended-upgrades create mode 100644 ansible/files/chrony.conf create mode 100644 ansible/files/exports create mode 100644 ansible/files/logind.conf create mode 100644 ansible/files/sshd_config create mode 100644 ansible/handlers.yml create mode 100644 ansible/hosts.cfg create mode 100644 ansible/main.yml create mode 100644 ansible/templates/local.conf.j2 create mode 100755 docker-cabinet/syncthing/launch.sh create mode 100755 docker-fogcutter/airsonic/launch.sh create mode 100755 docker-fogcutter/minecraft/launch.sh create mode 100644 docker-fogcutter/nginx/README.md create mode 100644 docker-fogcutter/nginx/jail.local create mode 100755 docker-fogcutter/nginx/launch.sh create mode 100644 docker-fogcutter/nginx/nginx.conf create mode 100644 
docker-fogcutter/nginx/site-confs/default
create mode 100644 docker-fogcutter/nginx/site-confs/donskoy.seaturtle.pw.enabled
create mode 100644 docker-fogcutter/nginx/site-confs/seaturtle.pw.enabled
create mode 100644 docker-fogcutter/nginx/ssl.conf
create mode 100755 docker-fogcutter/plex/launch.sh
create mode 100755 docker-fogcutter/ut04/launch.sh
diff --git a/ansible/README.md b/ansible/README.md
new file mode 100644
index 0000000..91b539d
--- /dev/null
+++ b/ansible/README.md
@@ -0,0 +1,13 @@
+Assumes:
+
+- OS (Debian) has been installed and IPs have been configured in hosts.cfg
+
+- Host is already trusted via ssh and can be ssh'd into using keys
+
+- Passwordless sudo is enabled for the user ansible uses
+
+- Secure boot is disabled (wireguard is an unsigned module)
+
+- Wireguard is configured on 10.200.0.0/24; See https://wiki.debian.org/Wireguard
+
+- ZFS is configured with a volume at /bigdata for sharing
diff --git a/ansible/files/20auto-upgrades b/ansible/files/20auto-upgrades
new file mode 100644
index 0000000..8d6d7c8
--- /dev/null
+++ b/ansible/files/20auto-upgrades
@@ -0,0 +1,2 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
diff --git a/ansible/files/50unattended-upgrades b/ansible/files/50unattended-upgrades
new file mode 100644
index 0000000..54fc785
--- /dev/null
+++ b/ansible/files/50unattended-upgrades
@@ -0,0 +1,146 @@ +// Unattended-Upgrade::Origins-Pattern controls which packages are +// upgraded. +// +// Lines below have the format format is "keyword=value,...". A +// package will be upgraded only if the values in its metadata match +// all the supplied keywords in a line. (In other words, omitted +// keywords are wild cards.) The keywords originate from the Release +// file, but several aliases are accepted. The accepted keywords are: +// a,archive,suite (eg, "stable") +// c,component (eg, "main", "contrib", "non-free") +// l,label (eg, "Debian", "Debian-Security") +// o,origin (eg, "Debian", "Unofficial Multimedia Packages") +// n,codename (eg, "jessie", "jessie-updates") +// site (eg, "http.debian.net") +// The available values on the system are printed by the command +// "apt-cache policy", and can be debugged by running +// "unattended-upgrades -d" and looking at the log file. +// +// Within lines unattended-upgrades allows 2 macros whose values are +// derived from /etc/debian_version: +// ${distro_id} Installed origin. +// ${distro_codename} Installed codename (eg, "buster") +Unattended-Upgrade::Origins-Pattern { + // Codename based matching: + // This will follow the migration of a release through different + // archives (e.g. from testing to stable and later oldstable). + // Software will be the latest available for the named release, + // but the Debian release itself will not be automatically upgraded. +// "origin=Debian,codename=${distro_codename}-updates"; +// "origin=Debian,codename=${distro_codename}-proposed-updates"; +// "origin=Debian,codename=${distro_codename},label=Debian"; + "origin=Debian,codename=${distro_codename},label=Debian-Security"; + + // Archive or Suite based matching: + // Note that this will silently match a different release after + // migration to the specified archive (e.g. testing becomes the + // new stable). 
+// "o=Debian,a=stable"; +// "o=Debian,a=stable-updates"; +// "o=Debian,a=proposed-updates"; +// "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports"; +}; + +// Python regular expressions, matching packages to exclude from upgrading +Unattended-Upgrade::Package-Blacklist { + // The following matches all packages starting with linux- +// "linux-"; + + // Use $ to explicitely define the end of a package name. Without + // the $, "libc6" would match all of them. +// "libc6$"; +// "libc6-dev$"; +// "libc6-i686$"; + + // Special characters need escaping +// "libstdc\+\+6$"; + + // The following matches packages like xen-system-amd64, xen-utils-4.1, + // xenstore-utils and libxenstore3.0 +// "(lib)?xen(store)?"; + + // For more information about Python regular expressions, see + // https://docs.python.org/3/howto/regex.html +}; + +// This option allows you to control if on a unclean dpkg exit +// unattended-upgrades will automatically run +// dpkg --force-confold --configure -a +// The default is true, to ensure updates keep getting installed +//Unattended-Upgrade::AutoFixInterruptedDpkg "true"; + +// Split the upgrade into the smallest possible chunks so that +// they can be interrupted with SIGTERM. This makes the upgrade +// a bit slower but it has the benefit that shutdown while a upgrade +// is running is possible (with a small delay) +//Unattended-Upgrade::MinimalSteps "true"; + +// Install all updates when the machine is shutting down +// instead of doing it in the background while the machine is running. +// This will (obviously) make shutdown slower. +// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s. +// This allows more time for unattended-upgrades to shut down gracefully +// or even install a few packages in InstallOnShutdown mode, but is still a +// big step back from the 30 minutes allowed for InstallOnShutdown previously. 
+// Users enabling InstallOnShutdown mode are advised to increase +// InhibitDelayMaxSec even further, possibly to 30 minutes. +//Unattended-Upgrade::InstallOnShutdown "false"; + +// Send email to this address for problems or packages upgrades +// If empty or unset then no email is sent, make sure that you +// have a working mail setup on your system. A package that provides +// 'mailx' must be installed. E.g. "user@example.com" +//Unattended-Upgrade::Mail ""; + +// Set this value to "true" to get emails only on errors. Default +// is to always send a mail if Unattended-Upgrade::Mail is set +//Unattended-Upgrade::MailOnlyOnError "false"; + +// Remove unused automatically installed kernel-related packages +// (kernel images, kernel headers and kernel version locked tools). +//Unattended-Upgrade::Remove-Unused-Kernel-Packages "true"; + +// Do automatic removal of newly unused dependencies after the upgrade +//Unattended-Upgrade::Remove-New-Unused-Dependencies "true"; + +// Do automatic removal of unused packages after the upgrade +// (equivalent to apt-get autoremove) +//Unattended-Upgrade::Remove-Unused-Dependencies "false"; + +// Automatically reboot *WITHOUT CONFIRMATION* if +// the file /var/run/reboot-required is found after the upgrade +//Unattended-Upgrade::Automatic-Reboot "false"; + +// Automatically reboot even if there are users currently logged in +// when Unattended-Upgrade::Automatic-Reboot is set to true +//Unattended-Upgrade::Automatic-Reboot-WithUsers "true"; + +// If automatic reboot is enabled and needed, reboot at the specific +// time instead of immediately +// Default: "now" +//Unattended-Upgrade::Automatic-Reboot-Time "02:00"; + +// Use apt bandwidth limit feature, this example limits the download +// speed to 70kb/sec +//Acquire::http::Dl-Limit "70"; + +// Enable logging to syslog. Default is False +// Unattended-Upgrade::SyslogEnable "false"; + +// Specify syslog facility. 
Default is daemon +// Unattended-Upgrade::SyslogFacility "daemon"; + +// Download and install upgrades only on AC power +// (i.e. skip or gracefully stop updates on battery) +// Unattended-Upgrade::OnlyOnACPower "true"; + +// Download and install upgrades only on non-metered connection +// (i.e. skip or gracefully stop updates on a metered connection) +// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true"; + +// Verbose logging +// Unattended-Upgrade::Verbose "false"; + +// Print debugging information both in unattended-upgrades and +// in unattended-upgrade-shutdown +// Unattended-Upgrade::Debug "false"; diff --git a/ansible/files/chrony.conf b/ansible/files/chrony.conf new file mode 100644 index 0000000..c95b259 --- /dev/null +++ b/ansible/files/chrony.conf @@ -0,0 +1,32 @@ +# Welcome to the chrony configuration file. See chrony.conf(5) for more +# information about usuable directives. +server ntp-1.vt.edu iburst +server ntp-2.vt.edu iburst +server ntp-3.vt.edu iburst +server ntp-4.vt.edu iburst +pool 2.debian.pool.ntp.org iburst + +# This directive specify the location of the file containing ID/key pairs for +# NTP authentication. +keyfile /etc/chrony/chrony.keys + +# This directive specify the file into which chronyd will store the rate +# information. +driftfile /var/lib/chrony/chrony.drift + +# Uncomment the following line to turn logging on. +#log tracking measurements statistics + +# Log files location. +logdir /var/log/chrony + +# Stop bad estimates upsetting machine clock. +maxupdateskew 100.0 + +# This directive enables kernel synchronisation (every 11 minutes) of the +# real-time clock. Note that it can’t be used along with the 'rtcfile' directive. +rtcsync + +# Step the system clock instead of slewing it if the adjustment is larger than +# one second, but only in the first three clock updates. +makestep 1 3 diff --git a/ansible/files/exports b/ansible/files/exports new file mode 100644 index 0000000..5ddf02a --- /dev/null 
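Review bot: Automatic reboot is left at its commented default (`//Unattended-Upgrade::Automatic-Reboot "false";`), so kernel and libc updates from the only enabled origin, `Debian-Security`, are installed but do not take effect until someone reboots by hand; the sysctl task comment in main.yml says changes take effect at a reboot "determined by unattended-upgrades", which this file does not arrange. If unattended reboots are the intent, set `Unattended-Upgrade::Automatic-Reboot "true";` and `Unattended-Upgrade::Automatic-Reboot-Time "02:00";`. `Unattended-Upgrade::Mail` is also unset, so a failed upgrade run is only visible in /var/log/unattended-upgrades; either set a mail address or at least enable `Unattended-Upgrade::SyslogEnable "true";` so failures land in the journal. The `// TODO Change defaults` comment on the copy task in main.yml suggests these were known gaps.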
+++ b/ansible/files/exports
@@ -0,0 +1 @@
+/bigdata 10.42.0.0/24(ro,all_squash,no_subtree_check) 10.200.0.0/24(rw,no_subtree_check,no_root_squash)
diff --git a/ansible/files/logind.conf b/ansible/files/logind.conf
new file mode 100644
index 0000000..16e43ba
--- /dev/null
+++ b/ansible/files/logind.conf
@@ -0,0 +1,37 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+#
+# Entries in this file show the compile time defaults.
+# You can change settings by editing this file.
+# Defaults can be restored by simply deleting this file.
+#
+# See logind.conf(5) for details.
+
+[Login]
+#NAutoVTs=6
+#ReserveVT=6
+#KillUserProcesses=no
+#KillOnlyUsers=
+#KillExcludeUsers=root
+#InhibitDelayMaxSec=5
+HandlePowerKey=ignore
+HandleSuspendKey=ignore
+HandleHibernateKey=ignore
+#HandleLidSwitch=suspend
+#HandleLidSwitchExternalPower=suspend
+#HandleLidSwitchDocked=ignore
+#PowerKeyIgnoreInhibited=no
+#SuspendKeyIgnoreInhibited=no
+#HibernateKeyIgnoreInhibited=no
+#LidSwitchIgnoreInhibited=yes
+#HoldoffTimeoutSec=30s
+#IdleAction=ignore
+#IdleActionSec=30min
+#RuntimeDirectorySize=10%
+#RemoveIPC=yes
+#InhibitorsMax=8192
+#SessionsMax=8192
diff --git a/ansible/files/sshd_config b/ansible/files/sshd_config
new file mode 100644
index 0000000..2b335b7
--- /dev/null
+++ b/ansible/files/sshd_config
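Review bot: The 10.200.0.0/24 export combines `rw` with `no_root_squash`, so root on any WireGuard peer is root on /bigdata, and since no `sec=` option is given the default AUTH_SYS applies and every uid a peer presents is trusted as-is. Unless something genuinely needs to create root-owned files over NFS, drop the option so the default root_squash applies: `/bigdata 10.42.0.0/24(ro,all_squash,no_subtree_check) 10.200.0.0/24(rw,no_subtree_check)`. The compute-side mount in main.yml uses `nodev,nosuid`, which protects the client, but does nothing to limit what a compromised peer can do to the server's data.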
@@ -0,0 +1,122 @@ +# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +Port 22 +Port 2222 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key + +# Ciphers and keying +#RekeyLimit default none + +# Logging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +PermitRootLogin prohibit-password +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#PubkeyAuthentication yes + +# Expect .ssh/authorized_keys2 to be disregarded by default in future. +#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! 
+PasswordAuthentication no +#PermitEmptyPasswords no + +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) +ChallengeResponseAuthentication no + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes +#GSSAPIStrictAcceptorCheck yes +#GSSAPIKeyExchange no + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +X11Forwarding yes +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +PrintMotd no +#PrintLastLog yes +#TCPKeepAlive yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS no +#PidFile /var/run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# no default banner path +#Banner none + +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* + +# override default of no subsystems +Subsystem sftp /usr/lib/openssh/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server diff --git a/ansible/handlers.yml b/ansible/handlers.yml new file mode 100644 index 0000000..706c406 --- /dev/null +++ b/ansible/handlers.yml 
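Review bot: `X11Forwarding yes` is set explicitly on hosts the playbook treats as headless servers (router, NFS, Docker compute); it is not needed there and gives a compromised client session an extra channel into the server, so set `X11Forwarding no`. The authentication side is sound: `PasswordAuthentication no`, `ChallengeResponseAuthentication no` and `PermitRootLogin prohibit-password` together leave key-only login. Since the file is installed by main.yml and sshd is restarted by a handler, consider also an `AllowUsers` line naming the ansible/admin account so a stray authorized_keys entry for another local user does not become a login path.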
@@ -0,0 +1,18 @@
+---
+- name: Restart systemd-logind service
+ service:
+ name: systemd-logind
+ state: restarted
+
+- name: Restart chrony service
+ service:
+ name: chrony
+ state: restarted
+
+- name: Restart sshd service
+ service:
+ name: sshd
+ state: restarted
+
+- name: Re-export exportfs
+ command: exportfs -arv
diff --git a/ansible/hosts.cfg b/ansible/hosts.cfg
new file mode 100644
index 0000000..72737eb
--- /dev/null
+++ b/ansible/hosts.cfg
@@ -0,0 +1,8 @@
+[router]
+corsa
+
+[nfs]
+bigdummy interface=enp2s0
+
+[compute]
+fogcutter interface=eno1
diff --git a/ansible/main.yml b/ansible/main.yml
new file mode 100644
index 0000000..ee1ca49
--- /dev/null
+++ b/ansible/main.yml
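Review bot: `corsa` in `[router]` carries no `interface=` host var, but the common play in main.yml targets `compute,nfs,router` and renders `templates/local.conf.j2`, which references `{{ interface }}`; that task will fail on corsa with an undefined-variable error. Either add the variable here (`corsa interface=<nic>`) or make the template independent of a per-host value, e.g. `net.ipv6.conf.all.use_tempaddr=2` plus `net.ipv6.conf.default.use_tempaddr=2`. The other two hosts set the variable, so only the router breaks.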
@@ -0,0 +1,196 @@ +# All hosts are debian 10 +--- +# Common +- hosts: compute,nfs,router + become: yes + handlers: + - import_tasks: handlers.yml + tasks: + # Core + - name: Install common packages + apt: + name: + - apt-listchanges + - chrony + - curl + - git + - htop + - iperf3 + - mosh + - nmap + - tmux + - unattended-upgrades + - vim + force_apt_get: yes + update_cache: yes + + # TODO Change defaults + - name: Configure unattended-upgrades + copy: + src: files/50unattended-upgrades + dest: /etc/apt/apt.conf.d/50unattended-upgrades + owner: root + group: root + mode: '0644' + + - name: Enable unattended-upgrades + copy: + src: files/20auto-upgrades + dest: /etc/apt/apt.conf.d/20auto-upgrades + owner: root + group: root + mode: '0644' + + - name: Disable power and reset buttons + copy: + src: files/logind.conf + dest: /etc/systemd/logind.conf + owner: root + group: root + mode: '0644' + notify: Restart systemd-logind service + + - name: Set chrony ntp servers + copy: + src: files/chrony.conf + dest: /etc/chrony/chrony.conf + owner: root + group: root + mode: '0644' + notify: Restart chrony service + + # Core networking + - name: Configure sshd_config to listen on 2222/22 and disable password auth + copy: + src: files/sshd_config + dest: /etc/ssh/sshd_config + owner: root + group: root + mode: '0644' + notify: Restart sshd service + + ## Changes will take effect during next reboot + ## (determined by unattended-upgrades) + - name: Configure sysctl with IPv6 privacy extensions + template: + src: templates/local.conf.j2 + dest: /etc/sysctl.d/local.conf + owner: root + group: root + mode: '0644' + +### Router +##- hosts: router +## become: yes +## tasks: +## - name: Install frrouting and related router packages +## - name: Configure bgp, etc??? 
+ +# Media networking (Wireguard VPN, NFS) +- hosts: compute,nfs + become: yes + handlers: + - import_tasks: handlers.yml + tasks: + - name: Add unstable repository + shell: | + echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list + printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable + args: + creates: /etc/apt/sources.list.d/unstable.list + + - name: Install media networking packages + apt: + name: + - nfs-common + - wireguard + force_apt_get: yes + update_cache: yes + + # Manually do wireguard config https://wiki.debian.org/Wireguard + +# NFS core config +# ASSUMES /bigdata IS CONFIGURED (make sure dir is 755) +- hosts: nfs + become: yes + handlers: + - import_tasks: handlers.yml + tasks: + - name: Install NFS server package + apt: + name: nfs-kernel-server + force_apt_get: yes + update_cache: yes + + - name: Export /bigdata + copy: + src: files/exports + dest: /etc/exports + owner: root + group: root + mode: '0644' + notify: Re-export exportfs + +# Compute core config +- hosts: compute + become: yes + tasks: + - name: Install Docker + compute packages + apt: + name: + - apt-transport-https + - ca-certificates + - curl + - gnupg2 + - software-properties-common + - sshfs + force_apt_get: yes + update_cache: yes + + - name: Mount bigdummy /bigdata via NFS + mount: + src: 10.200.0.202:/bigdata + path: /bigdata + fstype: nfs + opts: soft,nodev,nosuid + state: mounted + + - name: Create /media-vtluug directory + file: + path: /media-vtluug + state: directory + mode: '0755' + + # Might require running manually mounting + - name: Mount vtluug /media via sshfs + mount: + src: pew-media@dirtycow.vtluug.org:/nfs/cistern/share/media + path: /media-vtluug + fstype: fuse.sshfs + opts: allow_other,ro,_netdev,IdentityFile=/home/paul/.ssh/id_rsa + state: mounted + + - name: Add Docker GPG key + apt_key: + url: https://download.docker.com/linux/debian/gpg + + - name: Add Docker APT 
repository
+ apt_repository:
+ repo: deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable
+
+ - name: Install Docker CE
+ apt:
+ name:
+ - docker-ce
+ - docker-ce-cli
+ - containerd.io
+ force_apt_get: yes
+ update_cache: yes
+
+ - name: Add paul to docker group
+ user:
+ name: paul
+ groups: docker
+ append: yes
+
+ # Clone docker-manifests repo to start services
diff --git a/ansible/templates/local.conf.j2 b/ansible/templates/local.conf.j2
new file mode 100644
index 0000000..72b57c9
--- /dev/null
+++ b/ansible/templates/local.conf.j2
@@ -0,0 +1 @@
+net.ipv6.conf.{{ interface }}.use_tempaddr=2
diff --git a/docker-cabinet/syncthing/launch.sh b/docker-cabinet/syncthing/launch.sh
new file mode 100755
index 0000000..7f443e4
--- /dev/null
+++ b/docker-cabinet/syncthing/launch.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+docker run \
+ --name syncthing \
+ --detach \
+ --restart unless-stopped \
+ --env PUID=1000 \
+ --env PGID=1000 \
+ --env TZ=Europe/London \
+ --env UMASK_SET=022 \
+ --volume $HOME/.config/syncthing:/config:rw \
+ --volume $HOME/sync:/sync-docker:rw \
+ --publish 8384:8384 \
+ --publish 22000:22000 \
+ --publish 21027:21027/udp \
+ linuxserver/syncthing:latest
diff --git a/docker-fogcutter/airsonic/launch.sh b/docker-fogcutter/airsonic/launch.sh
new file mode 100755
index 0000000..dd7df9d
--- /dev/null
+++ b/docker-fogcutter/airsonic/launch.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+docker run \
+ --name airsonic \
+ --detach \
+ --restart unless-stopped \
+ --env PUID=1000 \
+ --env PGID=1000 \
+ --env TZ=US/Easter \
+ --volume $PWD/config:/config \
+ --volume /bigdata/media/music:/media/music:ro \
+ --volume /bigdata/media/playlists:/media/playlists \
+ --volume /bigdata/media/podcasts:/media/podcasts:ro \
+ --publish 10.42.0.203:4040:4040 \
+ linuxserver/airsonic:latest
diff --git a/docker-fogcutter/minecraft/launch.sh b/docker-fogcutter/minecraft/launch.sh
new file mode 100755
index 0000000..342553e
--- /dev/null
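Review bot: The Docker signing key is imported with `apt_key: url: https://download.docker.com/linux/debian/gpg` and no `id:`, so whatever that download returns is trusted for every later `apt` run on the compute host; add `id:` with the key fingerprint Docker publishes in its install documentation so a substituted key fails the task instead of being installed. The sshd_config copy task hands the file straight to the restart handler, and with `PasswordAuthentication no` a typo locks you out of the box, so add `validate: /usr/sbin/sshd -t -f %s` to that copy. The unstable repository written by the shell task is pinned at priority 90 while 50unattended-upgrades only matches `Debian-Security` for the stable codename, so `wireguard` and anything else pulled from unstable will never be auto-updated; if buster-backports carries the package, the commented backports pattern in that file is the safer route. Adding `paul` to the `docker` group is root-equivalent on fogcutter, which may be intended but deserves a comment. Note the main.yml play begins before this hunk.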
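Review bot: `--publish 8384:8384` binds the Syncthing web GUI to every interface on cabinet, unlike the fogcutter scripts in this commit, which pin their ports to 10.42.0.203; the GUI has no credentials until one is configured in its settings, so at minimum bind it to loopback or the LAN address, `--publish 127.0.0.1:8384:8384`. The `$HOME` volume arguments are unquoted; harmless for an ordinary home directory, but `"$HOME/.config/syncthing:/config:rw"` costs nothing and matches the other two paths.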
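Review bot: `--env TZ=US/Easter` is not a valid zoneinfo name (the nginx script in the same commit uses `US/Eastern`), so the container's clock falls back to whatever the image defaults to and Airsonic's scheduled scans and log timestamps will be off; change it to `--env TZ=US/Eastern`. The playlists volume is the only one mounted read-write while music and podcasts are `:ro`, which looks deliberate for saving playlists but is worth a one-line comment so it is not "fixed" later.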
+++ b/docker-fogcutter/minecraft/launch.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+docker run \
+ --name minecraft \
+ --detach \
+ --restart unless-stopped \
+ --env EULA=TRUE \
+ --env MAX_MEMORY=8G \
+ --volume $PWD/data:/data \
+ --publish 10.42.0.203:25565:25565 \
+ --publish [2601:5c0:c100:6e65:96c6:91ff:feab:69e3]:25565:25565 \
+ itzg/minecraft-server:latest
diff --git a/docker-fogcutter/nginx/README.md b/docker-fogcutter/nginx/README.md
new file mode 100644
index 0000000..1a08bd2
--- /dev/null
+++ b/docker-fogcutter/nginx/README.md
@@ -0,0 +1 @@
+Mostly stolen from https://github.com/vtluug/docker-manifests/tree/master/sczi/nginx
diff --git a/docker-fogcutter/nginx/jail.local b/docker-fogcutter/nginx/jail.local
new file mode 100644
index 0000000..07ba140
--- /dev/null
+++ b/docker-fogcutter/nginx/jail.local
@@ -0,0 +1,46 @@
+# This is the custom version of the jail.conf for fail2ban
+# Feel free to modify this and add additional filters
+# Then you can drop the new filter conf files into the fail2ban-filters
+# folder and restart the container
+
+[DEFAULT]
+
+# "bantime" is the number of seconds that a host is banned.
+bantime = 600
+
+# A host is banned if it has generated "maxretry" during the last "findtime"
+# seconds.
+findtime = 600
+
+# "maxretry" is the number of failures before a host get banned.
+maxretry = 5
+
+
+[ssh]
+
+enabled = false
+
+
+[nginx-http-auth]
+
+enabled = true
+filter = nginx-http-auth
+port = http,https
+logpath = /config/log/nginx/error.log
+
+
+[nginx-badbots]
+
+enabled = true
+port = http,https
+filter = nginx-badbots
+logpath = /config/log/nginx/access.log
+maxretry = 2
+
+
+[nginx-botsearch]
+
+enabled = true
+port = http,https
+filter = nginx-botsearch
+logpath = /config/log/nginx/access.log
diff --git a/docker-fogcutter/nginx/launch.sh b/docker-fogcutter/nginx/launch.sh
new file mode 100755
index 0000000..83b9a4f
--- /dev/null
+++ b/docker-fogcutter/nginx/launch.sh
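Review bot: The global IPv6 address `2601:5c0:c100:6e65:96c6:91ff:feab:69e3` is hard-coded here and repeated in nginx/launch.sh; it looks like an autoconfigured address on a residential prefix, so when the prefix changes both `--publish` lines fail and the containers do not start. Read it once from the environment or a shared file instead of duplicating the literal, e.g. `--publish "[${HOST_IPV6}]:25565:25565"`. `MAX_MEMORY=8G` sizes the JVM heap but nothing bounds the container itself; a `--memory` limit would keep a runaway server from starving nginx and the NFS client on the same host.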
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+docker run \
+ --name nginx \
+ --detach \
+ --restart unless-stopped \
+ --env PUID=1000 \
+ --env PGID=1000 \
+ --env EMAIL=sysadmin@seaturtle.pw \
+ --env URL=seaturtle.pw \
+ --env SUBDOMAINS=birman,donskoy,fogcutter,madone,manx,sphynx,www \
+ --env VALIDATION=html \
+ --env TZ=US/Eastern \
+ --volume $PWD/config:/config:rw \
+ --volume $PWD/nginx.conf:/config/nginx/nginx.conf:ro \
+ --volume $PWD/ssl.conf:/config/nginx/ssl.conf:ro \
+ --volume $PWD/site-confs:/config/nginx/site-confs:ro \
+ --volume $PWD/jail.local:/config/jail2ban/jail.local:ro \
+ --publish 10.42.0.203:80:80 \
+ --publish 10.42.0.203:443:443 \
+ --publish [2601:5c0:c100:6e65:96c6:91ff:feab:69e3]:80:80 \
+ --publish [2601:5c0:c100:6e65:96c6:91ff:feab:69e3]:443:443 \
+ linuxserver/letsencrypt:latest
diff --git a/docker-fogcutter/nginx/nginx.conf b/docker-fogcutter/nginx/nginx.conf
new file mode 100644
index 0000000..e25439c
--- /dev/null
+++ b/docker-fogcutter/nginx/nginx.conf
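Review bot: `--volume $PWD/jail.local:/config/jail2ban/jail.local:ro` mounts the jail file under a directory the image does not read; as far as the image's documentation goes its fail2ban configuration lives in `/config/fail2ban/` (the jail.local header itself talks about the fail2ban-filters folder), so the nginx jails added in this commit are never loaded and the image's stock jail.local runs instead. Change the target to `/config/fail2ban/jail.local`. Even with the right path, fail2ban inside the container can only insert firewall rules if the container has `--cap-add=NET_ADMIN`, which this run line does not pass, so bans would be logged but not enforced. `VALIDATION=html` with seven `SUBDOMAINS` means every one of them must resolve to this host on port 80 at issuance time or the certificate request fails for all of them; `dns` validation or `ONLY_SUBDOMAINS` is worth considering for the names not served here.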
@@ -0,0 +1,61 @@
+## Version 2018/01/29 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/nginx.conf
+
+user abc;
+worker_processes 4;
+pid /run/nginx.pid;
+include /etc/nginx/modules/*.conf;
+
+events {
+ worker_connections 768;
+ # multi_accept on;
+}
+
+http {
+
+ ##
+ # Basic Settings
+ ##
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ # server_tokens off;
+
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ client_max_body_size 0;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # Logging Settings
+ ##
+
+ access_log /config/log/nginx/access.log;
+ error_log /config/log/nginx/error.log;
+
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+ gzip_disable "msie6";
+
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+
+ ##
+ # Virtual Host Configs
+ ##
+ include /etc/nginx/conf.d/*.conf;
+ include /config/nginx/site-confs/default;
+ include /config/nginx/site-confs/*.enabled;
+}
diff --git a/docker-fogcutter/nginx/site-confs/default b/docker-fogcutter/nginx/site-confs/default
new file mode 100644
index 0000000..f63f895
--- /dev/null
+++ b/docker-fogcutter/nginx/site-confs/default
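Review bot: `# server_tokens off;` is left commented, so every response header and error page reports the exact nginx version; enable `server_tokens off;`. `client_max_body_size 0;` removes the request-body limit at the http level, and while both enabled sites override it to 1M, the two default_server blocks in site-confs/default do not, so the catch-all accepts unbounded bodies before redirecting; set a modest global limit here and raise it per location where needed. Since this file also enables `gzip on;` for everything, be aware that the Bitwarden proxy in donskoy.seaturtle.pw.enabled serves secrets over compressed TLS responses; restricting `gzip_types` to static text types would avoid compressing authenticated API responses.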
@@ -0,0 +1,29 @@
+## Based on version below; but heavily modified for LUUG
+## Version 2018/09/12 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/default
+
+# This is the main file that will be pe present no matter what
+# Individual sites are specified in /config/nginx/sites/*.enabled
+
+# Redirect unknown HTTP traffic to https://seaturtle.pw
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ server_name _;
+
+ return 301 https://seaturtle.pw;
+}
+
+# Redirect unknown HTTPS traffic to https://seaturtle.pw
+# If we don't have a cert for the site the client get an error but that's fine
+server {
+ listen 443 default_server;
+ listen [::]:443 default_server;
+ server_name _;
+
+ # ssl conf
+ include /config/nginx/ssl.conf;
+
+ return 301 https://seaturtle.pw;
+}
+
+# Enabled sites are included in /config/nginx/nginx.conf
diff --git a/docker-fogcutter/nginx/site-confs/donskoy.seaturtle.pw.enabled b/docker-fogcutter/nginx/site-confs/donskoy.seaturtle.pw.enabled
new file mode 100644
index 0000000..cb61952
--- /dev/null
+++ b/docker-fogcutter/nginx/site-confs/donskoy.seaturtle.pw.enabled
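Review bot: The catch-all 443 server uses `listen 443 default_server;` without the `ssl` parameter and so depends on nginx merging the ssl flag from the sibling `listen 443 ssl` blocks onto the shared socket; that appears to work but is implicit and easy to break when a site file is disabled, so write `listen 443 ssl default_server;` and `listen [::]:443 ssl default_server;`. The redirect deliberately drops `$request_uri`, which is the right choice for unknown hosts since it avoids reflecting an attacker-chosen path; a comment saying so would keep it from being "fixed" to match the per-site redirects.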
@@ -0,0 +1,50 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name donskoy.seaturtle.pw;
+
+ return 301 https://donskoy.seaturtle.pw$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name www.seaturtle.pw;
+
+ # ssl conf
+ include /config/nginx/ssl.conf;
+
+ return 301 https://seaturtle.pw$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name donskoy.seaturtle.pw;
+
+ # ssl conf
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 1M;
+
+ # Main site
+ location / {
+ proxy_pass http://bitwardenrs:80;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ # Notifications
+ location /notifications/hub {
+ proxy_pass http://bitwardenrs:3012;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+
+ # Notification negotiation?
+ location /notifications/hub/negotiate {
+ proxy_pass http://bitwardenrs:80;
+ }
+}
diff --git a/docker-fogcutter/nginx/site-confs/seaturtle.pw.enabled b/docker-fogcutter/nginx/site-confs/seaturtle.pw.enabled
new file mode 100644
index 0000000..e1f7388
--- /dev/null
+++ b/docker-fogcutter/nginx/site-confs/seaturtle.pw.enabled
@@ -0,0 +1,35 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name seaturtle.pw www.seaturtle.pw;
+
+ return 301 https://seaturtle.pw$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name www.seaturtle.pw;
+
+ # ssl conf
+ include /config/nginx/ssl.conf;
+
+ return 301 https://seaturtle.pw$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name seaturtle.pw;
+
+ # ssl conf
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 1M;
+
+ # Main site
+ location / {
+ proxy_pass https://paulwalko.github.io;
+ }
+}
+
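Review bot: The `/notifications/hub` location sets the `Upgrade` and `Connection` headers but not `proxy_http_version 1.1;`, and nginx proxies with HTTP/1.0 by default, so the WebSocket handshake to `bitwardenrs:3012` cannot complete; add `proxy_http_version 1.1;` to that location, and forward `X-Real-IP`/`X-Forwarded-For` there as the `/` location does so the backend sees the real client address for its login rate limiting. The `www.seaturtle.pw` server block in this file duplicates the one in seaturtle.pw.enabled; nginx warns about the conflicting server name and ignores one of them, so it should be removed here. For a password-manager origin the commented HSTS header in ssl.conf is the one place it is clearly worth turning on, and `client_max_body_size 1M` will reject attachment uploads larger than that, which may or may not be intended.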
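Review bot: `proxy_pass https://paulwalko.github.io;` opens an upstream TLS connection that nginx does not verify by default (`proxy_ssl_verify` is off), so anyone who can interpose between fogcutter and GitHub can serve arbitrary content under seaturtle.pw; add `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate` pointing at the container's CA bundle, and `proxy_ssl_server_name on;` so the upstream receives SNI. Leaving `Host` at its default of `$proxy_host` is correct here, since GitHub Pages selects the site by that header.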
diff --git a/docker-fogcutter/nginx/ssl.conf b/docker-fogcutter/nginx/ssl.conf
new file mode 100644
index 0000000..d2c6d9e
--- /dev/null
+++ b/docker-fogcutter/nginx/ssl.conf
@@ -0,0 +1,36 @@
+## Version 2018/05/31 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/ssl.conf
+
+# session settings
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+
+# Diffie-Hellman parameter for DHE cipher suites
+ssl_dhparam /config/nginx/dhparams.pem;
+
+# ssl certs
+#ssl_certificate /config/keys/letsencrypt/fullchain.pem;
+#ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
+ssl_certificate /etc/letsencrypt/live/vtluug.org/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/vtluug.org/privkey.pem;
+
+# protocols
+ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers on;
+ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
+
+# HSTS, remove # from the line below to enable HSTS
+#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+
+# OCSP Stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+
+# Optional additional headers
+#add_header Content-Security-Policy "upgrade-insecure-requests";
+#add_header X-Frame-Options "SAMEORIGIN" always;
+#add_header X-XSS-Protection "1; mode=block" always;
+#add_header X-Content-Type-Options "nosniff" always;
+#add_header X-UA-Compatible "IE=Edge" always;
+#add_header Cache-Control "no-transform" always;
+#add_header Referrer-Policy "same-origin" always;
diff --git a/docker-fogcutter/plex/launch.sh b/docker-fogcutter/plex/launch.sh
new file mode 100755
index 0000000..ad3f2a1
--- /dev/null
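Review bot: The certificate paths point at `/etc/letsencrypt/live/vtluug.org/`, but the container in nginx/launch.sh requests a certificate for `seaturtle.pw` (`URL=seaturtle.pw`), so nginx either fails to start for lack of that file or, if a vtluug.org certificate happens to exist in the volume, serves the wrong certificate for every seaturtle.pw site; this looks carried over from the vtluug config the README credits. The commented `/config/keys/letsencrypt/fullchain.pem` and `privkey.pem` lines are the image's links to the requested certificate and are the ones to use. `ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;` still admits TLS 1.1, which no client this site needs to support requires; reduce it to `ssl_protocols TLSv1.2 TLSv1.3;`. `ssl_stapling_verify on;` without `ssl_trusted_certificate` leaves nginx unable to verify the stapled OCSP response, so either add that directive or drop the verify.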
+++ b/docker-fogcutter/plex/launch.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+docker run \
+ --name plex \
+ --detach \
+ --restart unless-stopped \
+ --env PUID=1000 \
+ --env PGID=1000 \
+ --env VERSION=docker \
+ --volume $PWD/config:/config:rw \
+ --volume /bigdata/media/movies:/media/movies:ro \
+ --volume /bigdata/media/music:/media/music:ro \
+ --volume /media-vtluug:/media/media-vtluug:ro \
+ --net host \
+ linuxserver/plex:latest
diff --git a/docker-fogcutter/ut04/launch.sh b/docker-fogcutter/ut04/launch.sh
new file mode 100755
index 0000000..659e1a9
--- /dev/null
+++ b/docker-fogcutter/ut04/launch.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+docker run -d \
+ --name ut2004 \
+ -p 10.42.0.203:5000:80 \
+ -p 10.42.0.203:7777:7777 \
+ -p 10.42.0.203:7778:7778 \
+ -e "CONFIG_1=[Engine.AccessControl];AdminPassword=password123;[UWeb.WebServer];bEnabled=True" \
+ -e "UT2004_CMD=CTF-FACECLASSIC?game=XGame.xCTFGame" \
+ reflectivecode/ut2004
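Review bot: `--net host` puts Plex in the host's network namespace, so it bypasses the per-address `--publish` discipline every other fogcutter script uses and listens on all host interfaces, including the global IPv6 address and the WireGuard side. If LAN-only access is intended, publish `10.42.0.203:32400:32400` plus the discovery ports Plex needs instead; if host networking is genuinely required for DLNA/GDM discovery, a one-line comment saying so would stop the next reader from "fixing" it.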
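Review bot: `AdminPassword=password123` is a credential committed to the repository, and `[UWeb.WebServer];bEnabled=True` exposes the game's admin web interface on `10.42.0.203:5000`, so anyone on the 10.42.0.0/24 segment can administer the server with a guessable password. Move the value out of the script, e.g. `-e "CONFIG_1=[Engine.AccessControl];AdminPassword=${UT_ADMIN_PASSWORD};[UWeb.WebServer];bEnabled=True"` with `UT_ADMIN_PASSWORD` supplied from an untracked env file, rotate the password, and leave the web server disabled unless it is actually used. The ports are bound to the LAN address like the other scripts, so the exposure is not public, but the value remains in git history regardless.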