Private servers configuration
Based on
Implementation of
The base server config is defined in the var property of the section.
Category
This is a literate devops file based on Howard Abrams's one... at some point I will expose the .org file instead of the rendered version 🤷. While it does configure the servers at codigoparallevar.com, don't take it too seriously 😉.
This file also doubles as a stress-test of mixing code and result blocks, which I had some trouble converting to DOM in the past, so be aware that there may be rendering problems in this file 😅.
Utils
Use C-c C-n C-s to create a remote region
(defun start-remote-command ()
  (interactive)
  (insert "\#+BEGIN_SRC shell :async :dir /ssh:root@personal_server: :noweb yes :results drawer")
  (indent-for-tab-command)
  (insert "\n#+END_SRC")
  (indent-for-tab-command)
  (insert "\n"))
(local-set-key (kbd "C-c o a s") 'start-remote-command)
: start-remote-command
Run this to test the connection
hostname -I
192.168.1.33 172.18.0.1 172.19.0.1 172.21.0.1 172.20.0.1 172.17.0.1 172.22.0.1 10.0.3.1
Install mosh
apt-get install -y mosh
mosh is already the newest version (1.3.2-2.1+b1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Update server packages
apt update
apt upgrade -y
Install docker
Instructions on
Install required packages
apt-get install -y \
apt-transport-https \
ca-certificates \
curl \
gnupg-agent \
software-properties-common
curl is already the newest version (7.64.0-4+deb10u1).
gnupg-agent is already the newest version (2.2.12-1+deb10u1).
software-properties-common is already the newest version (0.96.20.2-2).
apt-transport-https is already the newest version (1.8.2.1).
ca-certificates is already the newest version (20200601~deb10u1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Add Docker’s official GPG key
curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
OK
Add repository
add-apt-repository \
"deb [arch=amd64] https://download.docker.com/linux/debian \
$(lsb_release -cs) \
stable"
+ add-apt-repository 'deb [arch=amd64] https://download.docker.com/linux/debian buster stable'
Update APT and install Docker
apt-get update && apt-get install -y docker-ce docker-ce-cli containerd.io
containerd.io is already the newest version (1.2.13-2).
docker-ce-cli is already the newest version (5:19.03.12~3-0~debian-buster).
docker-ce is already the newest version (5:19.03.12~3-0~debian-buster).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Create docker network
docker network ls | grep internal || docker network create internal
+ docker network create internal
b04d6928f041216947f403ec9b13e0c0b95e01b2b17cc519712768e673c06d80
Router
Install one with letsencrypt
VERSION=4.1.1
# Starting with version 1.30 it fails with
# s6-rc: warning: unable to start service legacy-cont-init: command exited 1"
docker pull linuxserver/swag:$VERSION
docker rm -f ingress
docker run -d \
--name=ingress \
--cap-add=NET_ADMIN \
-e PUID=1000 \
-e PGID=1000 \
-e TZ=Europe/Madrid \
-e URL=codigoparallevar.com \
-e SUBDOMAINS=cloud,social,social,matrix,www,code,wallabag,wiki,pleromatest,api,grocy,sn,navidrome \
-e VALIDATION=http \
-e ONLY_SUBDOMAINS=false \
-e EXTRA_DOMAINS=birracoin.com,www.birracoin.com \
-e STAGING=false \
-e EMAIL='me@codigoparallevar.com' \
-p 443:443 \
-p 80:80 \
-v letsencrypt_config:/config \
-v /etc/nginx/sites-enabled:/config/nginx/site-confs/ \
-v /etc/nginx/sites-available:/etc/nginx/sites-available:ro \
-v /mnt/vols/misc/codigoparallevar:/var/lib/nginx/html:ro \
-v /mnt/vols/misc/wiki:/opt/wiki:ro \
-v /mnt/vols/misc/birracoin:/opt/birracoin:ro \
-v /mnt/vols/misc/beerol:/opt/beerol:ro \
-v /mnt/vols/misc/scrap-notes:/opt/scrap-notes:ro \
-v /dev/null:/etc/nginx/conf.d/stream.conf:ro \
--restart unless-stopped \
--network=internal \
--memory=190m \
linuxserver/swag:$VERSION
Digest: sha256:a3a5ef8804a045beae2647c4fedb576638512db2518607ac83cee6eb81d9c17c
Status: Downloaded newer image for linuxserver/swag:4.1.1
docker.io/linuxserver/swag:4.1.1
ingress
de12b0d57108ca7b3041bab6929481c7a3b91919dcdee3d32ca6ec72cf5e0118
Add base config
Base config (ARCHIVE)
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
Default
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
## Original: https://raw.githubusercontent.com/linuxserver/docker-letsencrypt/master/root/defaults/default
# redirect all traffic to https
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 301 https://\$host\$request_uri;
}
# main server block
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
# root /config/www;
# index index.html index.htm index.php;
server_name _;
# # enable subfolder method reverse proxy confs
# include /config/nginx/proxy-confs/*.subfolder.conf;
# all ssl related config moved to ssl.conf
include /config/nginx/ssl.conf;
# enable for ldap auth
#include /config/nginx/ldap.conf;
# enable for Authelia
#include /config/nginx/authelia-server.conf;
client_max_body_size 0;
# location / {
#   try_files \$uri \$uri/ /index.html /index.php?\$args =404;
# }
# The config is written through an unquoted heredoc, so nginx variables must be escaped (as $host above)
location /video {
    return 301 /files/\$request_uri;
}
# location ~ \.php$ {
# fastcgi_split_path_info ^(.+\.php)(/.+)$;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# include /etc/nginx/fastcgi_params;
# }
# sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
# notice this is within the same server block as the base
# don't forget to generate the .htpasswd file as described on docker hub
# location ^~ /cp {
# auth_basic "Restricted";
# auth_basic_user_file /config/nginx/.htpasswd;
# include /config/nginx/proxy.conf;
# proxy_pass http://192.168.1.50:5050/cp;
# }
}
# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;
mkdir /etc/nginx/conf.d
mkdir /etc/nginx/sites-enabled
cat > /etc/nginx/nginx.conf <<EOF
<<nginx-config>>
EOF
cat > /etc/nginx/sites-enabled/default.conf <<EOF
<<router-config>>
EOF
<<reload-router>>
+ mkdir /etc/nginx/conf.d
mkdir: cannot create directory ‘/etc/nginx/conf.d’: File exists
+ mkdir /etc/nginx/sites-enabled
mkdir: cannot create directory ‘/etc/nginx/sites-enabled’: File exists
+ cat
+ cat
+ docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
Error response from daemon: Container b5c5fd4fbfd389e45a84e44b86f479d3a4cb050c37461de4474ea50e8eca2dbe is not running
+ docker start ingress
ingress
Restart
docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`' # Reload configuration without restart
docker start ingress # Start it in case it stopped
+ docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
failed to resize tty, using default size
+ docker start ingress
ingress
[ ok ] Reloading nginx: nginx.
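The Default nginx.conf block above still lists TLSv1 and TLSv1.1 in ssl_protocols and leaves server_tokens off commented out. The script below is an added check, not part of the original file: it embeds a constructed, cut-down copy of those lines, reports protocol versions older than TLSv1.2, tells whether server_tokens is off, and prints a hardened copy. It assumes one directive per line; note that a server-level ssl_protocols (such as one pulled in from /config/nginx/ssl.conf) overrides the http-level one, so run it against whichever file is effective.

```shell
#!/bin/sh
# Added example: lint and harden the TLS-related directives of an nginx.conf
# shaped like the Default block above. Assumes one directive per line.

# Constructed, cut-down sample carrying the two lines of interest from the
# page's nginx.conf.
SAMPLE_CONF=$(cat <<'EOF'
http {
    # server_tokens off;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
}
EOF
)

# Print each protocol version older than TLSv1.2 found in an uncommented
# ssl_protocols directive; prints nothing when the config is clean.
weak_tls_protocols() {
    # $1: nginx config path
    sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\([^;]*\);.*/\1/p' "$1" \
        | tr ' ' '\n' \
        | grep -E '^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$' || true
}

# Succeed only when an uncommented "server_tokens off;" is present, i.e. the
# nginx version is no longer announced in the Server header and error pages.
server_tokens_off() {
    # $1: nginx config path
    grep -Eq '^[[:space:]]*server_tokens[[:space:]]+off[[:space:]]*;' "$1"
}

# Print a copy of the config restricted to TLSv1.2/1.3 with server_tokens off.
# The input file is left untouched; redirect the output where you want it.
harden_nginx_conf() {
    # $1: nginx config path
    sed -e 's/^\([[:space:]]*ssl_protocols\)[[:space:]][^;]*;/\1 TLSv1.2 TLSv1.3;/' \
        -e 's/^\([[:space:]]*\)#[[:space:]]*server_tokens[[:space:]]*off[[:space:]]*;/\1server_tokens off;/' \
        "$1"
}

# Run against the sample (use /etc/nginx/nginx.conf on the server instead).
CONF_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$CONF_FILE"
echo "Weak protocol versions: $(weak_tls_protocols "$CONF_FILE" | tr '\n' ' ')"
server_tokens_off "$CONF_FILE" || echo "server_tokens is not off"
echo "--- hardened copy ---"
harden_nginx_conf "$CONF_FILE"
```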
Nextcloud
Main note
Install nextcloud
Install docker
docker rm -f nextcloud
docker run --name=nextcloud -d \
-v /mnt/vols/nextcloud/vols/main:/var/www/html \
-v /mnt/vols/nextcloud/vols/apps:/var/www/html/custom_apps \
-v /mnt/vols/nextcloud/vols/config:/var/www/html/config \
-v /mnt/vols/nextcloud/vols/data:/var/www/html/data \
-e OVERWRITEHOST=cloud.codigoparallevar.com \
-e OVERWRITEPROTOCOL=https \
--restart=unless-stopped \
--network internal \
--memory=1G \
nextcloud:31.0.5
ea26c7a423a17cc8f866c9cc5b37aaad6594f6dd5056a790883c0de6341d5ad4
Add router config
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name cloud.codigoparallevar.com;
include /config/nginx/ssl.conf;
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this
# topic first.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
# set max upload size
client_max_body_size 100M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
location / {
include /config/nginx/proxy.conf;
proxy_pass http://nextcloud:80;
}
}
cat > /etc/nginx/sites-enabled/cloud.conf <<EOF
<<cloud-router-config>>
EOF
<<reload-router>>
+ cat
+ docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
Error response from daemon: Cannot link to a non running container: /hubzilla-server AS /ingress/hubzilla-server
+ docker start ingress
ingress
Prepare mail classifier
Check
# Sieve filter
# Declare the extensions used by this script.
#
require ["fileinto", "reject"];
# Test sieve
#
if header :contains "Subject" "Sieve Test" {
fileinto "Junk";
}
# enabled rulename "PayPal" from matchcase "\"servicio@paypal.es\" <servicio@paypal.es>" move "#imap/NewMail/archive/srv/PayPal"
# enabled rulename "Patreon" from matchcase "Patreon <bingo@patreon.com>" move "#imap/NewMail/archive/srv/Patreon"
# enabled rulename "FSF" from matchcase "<info@fsf.org>" move "#imap/NewMail/archive/coms/FSF"
# enabled rulename "EFF" from matchcase "<membership@eff.org>" move "#imap/NewMail/archive/coms/EFF"
# enabled rulename "DBD" from matchcase "<info@defectivebydesign.org>" move "#imap/NewMail/archive/coms/DBD"
# enabled rulename "Software clown" from matchcase "Itamar Turner-Trauring <itamar@codewithoutrules.com>" move "#imap/NewMail/archive/soft-clown"
# enabled rulename "EFF - action" from matchcase "<action@eff.org>" move "#imap/NewMail/archive/coms/EFF"
# enabled rulename "TheBatch" from matchcase "\"deeplearning.ai\" <thebatch@deeplearning.ai>" move "#imap/NewMail/archive/lists"
# enabled rulename "Dribble" header "Sender" matchcase "no-reply@n.dribbble.com" mark_as_read move "#imap/NewMail/archive/lists/design/dribble"
# enabled rulename "Stack Overflow list" from matchcase "\"Stack Overflow\" <do-not-reply@stackoverflow.email>" | from matchcase "Stack Overflow <do-not-reply@stackoverflow.email>" mark_as_read move "#imap/NewMail/archive/lists/StackOverflow"
# enabled rulename "DEGIRO" from matchcase "DEGIRO <clientes@degiro.es>" move "#imap/NewMail/archive/srv/banca/degiro"
# enabled rulename "Spam - Elitetorrent" from matchcase "\"elitetorrent1.com\" <info@elitetorrent1.com>" mark_as_spam
# enabled rulename "@163 spam" inreplyto matchcase "@163.com" | from matchcase "@163.com" mark_as_spam set_score 0
# enabled rulename "CGPGrey" from matchcase "Grey <Email@CGPGrey.com>" move "#imap/NewMail/archive/lists/grey"
# enabled rulename "Julia Evans" from matchcase "Julia Evans <julia@jvns.ca>" move "#imap/NewMail/archive/lists/julia evans"
# enabled rulename "EFFEctor" from matchcase "\"EFFector List\" <editor@eff.org>" move "#imap/NewMail/archive/coms/EFFector"
# enabled rulename "UseParagon" from matchcase "\"Brandon Foo\" <brandon@useparagon.com>" move "#imap/NewMail/archive/startups/pm-competitors"
# enabled rulename "SourceHut" from matchcase "sourcehut <outgoing@sr.ht>" move "#imap/NewMail/archive/srv/sourcehut"
# enabled rulename "ANDBanc" from matchcase "<andbank@bancononline.com>" move "#imap/NewMail/archive/srv/banca/andbank"
# enabled rulename "Amazon" from matchcase "\"Amazon.es\" <auto-confirm@amazon.es>" move "#imap/NewMail/archive/srv/Amazon"
# Mailing lists
#
elsif header :contains "List-Id" "~mil/sxmo-devel.lists.sr.ht" {
fileinto "archive/coms/sxmo";
}
# "Tails"
elsif header :contains "List-Id" "amnesia-news.boum.org" {
fileinto "archive/coms/tails";
}
# "PyVigo" (note: this rule wins over the later "Python Vigo" rule for the same List-Id, since the first matching elsif is the one that runs)
elsif header :contains "List-Id" "vigo.lists.es.python.org" {
fileinto "archive/coms";
}
# "BOE" header "List-Id"
elsif header :contains "List-Id" "9416fe6b76f2c3f985c1f8e0f.30885.list-id.mcsv.net" {
fileinto "archive/boe";
}
# "PyMad"
elsif header :contains "List-Id" "python-madrid-list.meetup.com" {
fileinto "archive/coms/python-madrid";
}
# "Brechadigital"
elsif header :contains "List-Id" "brechadigital.inventati.org" {
fileinto "archive/coms/brechadigital";
}
# "eu-gene"
elsif header :contains "List-Id" "eu-gene.we.lurk.org" {
fileinto "archive/coms/gen";
}
# "Trisquel"
elsif header :contains "List-Id" "trisquel-devel.listas.trisquel.info" {
fileinto "archive/coms/trisquel";
}
# "NCN"
elsif header :contains "List-Id" "noconname.listas.noconname.org" {
fileinto "archive/sec/no-con-name";
}
# "AptGetUpdate"
elsif header :contains "List-Id" "aptgetupdate.lists.riseup.net" {
fileinto "archive/coms/aptgetupdate";
}
# "SV"
elsif header :contains "List-Id" "sector-virus.googlegroups.com" {
fileinto "archive/sec/sv";
}
# "Una al dia"
elsif header :contains "List-Id" "dd62599a9195e52f2dca2ab9a.63065.list-id.mcsv.net" {
fileinto "#imap/NewMail/archive/una-al-dia";
}
# "GPUL"
elsif header :contains "List-Id" "asociacion.lists.gpul.org" {
fileinto "archive/coms/gpul";
}
# "Replicant"
elsif header :contains "List-Id" "replicant.osuosl.org" {
fileinto "archive/coms/replicant";
}
# "FreedomBox"
elsif header :contains "List-Id" "freedombox-discuss.alioth-lists.debian.net" {
fileinto "archive/coms/freedom-box";
}
# "FullDisclosure"
elsif header :contains "List-Id" "fulldisclosure.seclists.org" {
fileinto "archive/fd";
}
# "TWIML"
elsif anyof (header :contains "List-Id" "96b64078a550522835ec6034e.272005.list-id.mcsv.net",
address :contains "From" "@twimlai.com") {
fileinto "archive/lists/twiml";
}
# "Rooted"
elsif header :contains "List-Id" "rootedcon.listas.rooted.es" {
fileinto "archive/sec/rooted";
}
# "LaBrecha"
elsif header :contains "List-Id" "Participa-Brecha.googlegroups.com" {
fileinto "archive/coms/brechadigital/Participa-brecha";
}
# "Python Vigo"
elsif header :contains "List-Id" "vigo.lists.es.python.org" {
fileinto "archive/coms/pyvigo";
}
# "LibrePlanet"
elsif header :contains "List-Id" "libreplanet-discuss.libreplanet.org" {
fileinto "archive/coms/libreplanet";
}
# "ElBinario"
elsif header :contains "List-Id" "binario.listas.elbinario.net" {
fileinto "archive/coms/el-binario";
}
# "Crafting interpreters"
elsif header :contains "List-Id" "0952ca43ed2536d6717766b88.303821.list-id.mcsv.net" {
fileinto "archive/crafting-interpreters";
}
# "RxJs"
elsif header :contains "List-Id" "c22e7832272fe0663b822a283.114397.list-id.mcsv.net" {
fileinto "archive/lists/rxjs";
}
# "NMap"
elsif header :contains "List-Id" "announce.nmap.org" {
fileinto "archive/sec";
}
# "N8N"
elsif header :contains "List-Id" "2c8845820b0d9053a7bd0fa5f.44345.list-id.mcsv.net" {
fileinto "archive/startups/pm-competitors";
}
# "OrgMode"
elsif header :contains "List-Id" "emacs-orgmode.gnu.org" {
fileinto "archive/coms/orgmode";
}
# "Tech podcasts - Nacion lumpen"
elsif header :contains "List-Id" "nacion-lumpen.googlegroups.com" {
fileinto "archive/lists/podcasts/tech/nacion-lumpen";
}
# Keep the rest.
Test sieve rules
VERSION=2022-05-13
FNAME=$(mktemp --suffix='.sieve')
cat > "$FNAME" <<_EOF_
<<mail-sieve>>
_EOF_
docker run --rm \
-v "$FNAME":/var/lib/dovecot/sieve/default.sieve:ro \
--entrypoint=ash \
kenkeiras/mail-server:$VERSION -c "/usr/bin/sievec /var/lib/dovecot/sieve/default.sieve"
result=$?
rm "$FNAME"
if [ $result -eq 0 ];
then
echo "OK"
else
echo "[ERROR]"
fi
exit $result
OK
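sievec, as run above, catches syntax errors but not ordering problems: in an if/elsif chain the first match wins, so a later rule for the same List-Id never fires. The script below is an added check that is not part of the original file: it embeds a constructed, cut-down copy of the chain, lists every List-Id tested by more than one rule, and shows in chain order where each of those rules would file the mail. It assumes a single if/elsif chain with the header test and its fileinto on consecutive lines, as in the sieve above.

```shell
#!/bin/sh
# Added example: find sieve rules that can never fire because an earlier
# if/elsif rule already matches the same List-Id (first match wins).
# Assumed layout (as in the file above): one if/elsif chain, each rule being a
#   header :contains "List-Id" "<id>"   line followed by a   fileinto "<folder>";   line.

# Constructed, cut-down sample of the chain above; the real file is much longer.
SAMPLE_SIEVE=$(cat <<'EOF'
require ["fileinto", "reject"];
if header :contains "Subject" "Sieve Test" {
    fileinto "Junk";
}
elsif header :contains "List-Id" "vigo.lists.es.python.org" {
    fileinto "archive/coms";
}
elsif header :contains "List-Id" "amnesia-news.boum.org" {
    fileinto "archive/coms/tails";
}
elsif header :contains "List-Id" "vigo.lists.es.python.org" {
    fileinto "archive/coms/pyvigo";
}
EOF
)

# Print every List-Id that more than one rule tests for; only the first such
# rule ever runs, so the later ones are dead.
shadowed_list_ids() {
    # $1: path to a sieve script
    grep -o 'header :contains "List-Id" "[^"]*"' "$1" \
        | sed 's/.*"List-Id" "\([^"]*\)"/\1/' \
        | sort | uniq -d
}

# Print, in chain order, the folder each rule for the given List-Id files into.
# The first line is the folder that actually gets used.
rule_targets() {
    # $1: path to a sieve script, $2: List-Id to look up
    awk -v id="$2" '
        /header :contains "List-Id"/ { want = (index($0, "\"" id "\"") > 0) }
        want && /fileinto/ {
            match($0, "\"[^\"]*\"")
            print substr($0, RSTART + 1, RLENGTH - 2)
            want = 0
        }
    ' "$1"
}

# Run the checks on the sample (point them at /var/lib/dovecot/sieve/default.sieve
# on the server to check the real chain).
SIEVE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_SIEVE" > "$SIEVE_FILE"
for id in $(shadowed_list_ids "$SIEVE_FILE"); do
    echo "List-Id $id is matched by several rules; the first listed wins:"
    rule_targets "$SIEVE_FILE" "$id" | sed 's/^/    /'
done
```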
Configure mail
# See man 5 aliases for format
postmaster: kenkeiras
me: kenkeiras
xmpp: kenkeiras
www-data: kenkeiras
bluestash: kenkeiras
sergio: kenkeiras
sergio.martinez: kenkeiras
sergio.mportela: kenkeiras
nullhub: kenkeiras
admin: kenkeiras
hivemind: kenkeiras
tweetcodes: kenkeiras
oneliners: kenkeiras
Install mail
Category
VERSION=2022-05-13
docker pull -q kenkeiras/mail-server:$VERSION
docker rm -f mail
# Configure aliases
cat > /etc/postfix/aliases <<_EOF_
<<mail-aliases>>
_EOF_
# Configure sieve
cat > /var/lib/dovecot/sieve/default.sieve <<_EOF_
<<mail-sieve>>
_EOF_
docker run --name=mail -d \
-p 25:25 -p 465:465 \
-p 143:143 -p 993:993 \
-v /mnt/vols/mail/spool:/var/spool/postfix \
-v /mnt/vols/mail/var:/var/lib/postfix \
-v /mnt/vols/mail/certs:/extra/mail-certs \
-v /etc/dovecot/passdb:/etc/dovecot/passdb \
-v /etc/postfix/aliases:/etc/aliases \
-v /var/lib/dovecot/sieve/default.sieve:/var/lib/dovecot/sieve/default.sieve \
-v /mnt/vols/mail/mailboxes:/var/mail \
-e HOSTNAME='codigoparallevar.com' \
-e DOMAIN='codigoparallevar.com' \
-e POSSIBLE_DESTINATIONS='mail.codigoparallevar.com,mail.codigoparallevar.com,codigoparallevar.com,www.codigoparallevar.com' \
-e CERT_DIRECTORY='/extra/mail-certs' \
-e USERNAME='kenkeiras' \
--restart=unless-stopped \
--network internal \
--memory=190m \
kenkeiras/mail-server:$VERSION
docker.io/kenkeiras/mail-server:2022-05-13 mail 832b4a020f776d1e1baf1534afd6d2750b1bbe6bba4ce66dd0d91e2ebc1e8848
[ 2/3 ] Tasks
[ 100% ] Hubzilla
Setup MySQL (ARCHIVE)
Prepare config
#
# These groups are read by MariaDB server.
# Use it for options that only the server (but not clients) should see
#
# See the examples of server my.cnf files in /usr/share/mysql/
#
# this is read by the standalone daemon and embedded servers
[server]
# this is only for the mysqld standalone daemon
[mysqld]
#
# * Basic Settings
#
user = mysql
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
lc-messages-dir = /usr/share/mysql
skip-external-locking
# The Debian default is to listen only on localhost; this instance binds all
# interfaces because the Hubzilla container reaches it over the internal Docker
# network. The container publishes no ports, so the listener stays confined to
# that network.
bind-address = 0.0.0.0
#
# * Fine Tuning
#
key_buffer_size = 16M
max_allowed_packet = 16M
thread_stack = 192K
thread_cache_size = 8
# This replaces the startup script and checks MyISAM tables if needed
# the first time they are touched
myisam_recover_options = BACKUP
#max_connections = 100
#table_cache = 64
#thread_concurrency = 10
#
# * Query Cache Configuration
#
query_cache_limit = 1M
query_cache_size = 16M
#
# * Logging and Replication
#
# Both location gets rotated by the cronjob.
# Be aware that this log type is a performance killer.
# As of 5.1 you can enable the log at runtime!
#general_log_file = /var/log/mysql/mysql.log
#general_log = 1
#
# Error log - should be very few entries.
#
log_error = /var/log/mysql/error.log
#
# Enable the slow query log to see queries with especially long duration
#slow_query_log_file = /var/log/mysql/mariadb-slow.log
#long_query_time = 10
#log_slow_rate_limit = 1000
#log_slow_verbosity = query_plan
#log-queries-not-using-indexes
#
# The following can be used as easy to replay backup logs or for replication.
# note: if you are setting up a replication slave, see README.Debian about
# other settings you may need to change.
#server-id = 1
#log_bin = /var/log/mysql/mysql-bin.log
expire_logs_days = 10
max_binlog_size = 100M
#binlog_do_db = include_database_name
#binlog_ignore_db = exclude_database_name
#
# * InnoDB
#
# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
# Read the manual for more InnoDB related options. There are many!
#
# * Security Features
#
# Read the manual, too, if you want chroot!
# chroot = /var/lib/mysql/
#
# For generating SSL certificates you can use for example the GUI tool "tinyca".
#
# ssl-ca=/etc/mysql/cacert.pem
# ssl-cert=/etc/mysql/server-cert.pem
# ssl-key=/etc/mysql/server-key.pem
#
# Accept only connections using the latest and most secure TLS protocol version.
# ..when MariaDB is compiled with OpenSSL:
# ssl-cipher=TLSv1.2
# ..when MariaDB is compiled with YaSSL (default in Debian):
# ssl=on
#
# * Character sets
#
# MySQL/MariaDB default is Latin1, but in Debian we rather default to the full
# utf8 4-byte character set. See also client.cnf
#
character-set-server = utf8mb4
collation-server = utf8mb4_general_ci
#
# * Unix socket authentication plugin is built-in since 10.0.22-6
#
# Needed so the root database user can authenticate without a password but
# only when running as the unix root user.
#
# Also available for other users if required.
# See https://mariadb.com/kb/en/unix_socket-authentication-plugin/
# this is only for embedded server
[embedded]
# This group is only read by MariaDB servers, not by MySQL.
# If you use the same .cnf file for MySQL and MariaDB,
# you can put MariaDB-only options here
[mariadb]
# This group is only read by MariaDB-10.1 servers.
# If you use the same .cnf file for MariaDB of different versions,
# use this group for options that older servers don't understand
[mariadb-10.1]
mkdir -p /etc/mysql/
cat > /etc/mysql/micro.cnf <<EOF
<<server-config>>
EOF
Launch container
docker rm -f hubzilla-mysql
docker run -d --name=hubzilla-mysql \
-v /mnt/vols/hubzilla/mysql:/var/lib/mysql \
-v /etc/mysql/micro.cnf:/etc/mysql/mariadb.conf.d/50-server.cnf \
-e MYSQL_RANDOM_ROOT_PASSWORD="yes" \
--network internal \
mariadb:10
Error: No such container: hubzilla-mysql
cd5a9677a3be549fdf975a1ed75c47d468a3f4501280e05bab1991be7838aaff
Configure Hubzilla
docker rm -f hubzilla-server
docker run -d --name=hubzilla-server \
-v /mnt//vols/hubzilla/data:/data \
-e SERVERNAME=social.codigoparallevar.com \
--link=hubzilla-mysql:mysql \
--network=internal \
kenkeiras/hubzilla:testing
hubzilla-server
ebba1f6ecc996ec0f137e3c3a793c2e59bf49055ba134f8ad42668af141c5f19
Configure router
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name social.codigoparallevar.com;
include /config/nginx/ssl.conf;
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this
# topic first.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak. The backend is reached via
# proxy_pass, so proxy_hide_header is needed; fastcgi_hide_header only affects fastcgi_pass.
proxy_hide_header X-Powered-By;
# set max upload size
client_max_body_size 100M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
location / {
proxy_set_header X-Forwarded-Proto https;
include /config/nginx/proxy.conf;
proxy_pass http://hubzilla-server:80;
}
}
cat > /etc/nginx/sites-enabled/social.conf <<EOF
<<hubzilla-router-config>>
EOF
<<reload-router>>
+ docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
+ docker start ingress
ingress
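The header set above only helps if the router is the path clients actually take. As an added check (not part of the original notes or of any of the projects involved), `check_security_headers` reads raw HTTP response headers on stdin and confirms that each configured header is present with the configured value and that the backend's X-Powered-By did not get through. The two responses below are constructed samples; in live use, pipe `curl -sI` against the vhost into the function.

```shell
#!/bin/sh
# Added example (not part of the original notes): verify that a response that
# came through the ingress router carries the security headers configured
# above and does not leak the backend's X-Powered-By.
# Live use: curl -sI https://social.codigoparallevar.com | check_security_headers

# Headers the router adds with "always"; each must be present.
REQUIRED_HEADERS="referrer-policy x-content-type-options x-download-options \
x-frame-options x-permitted-cross-domain-policies x-robots-tag x-xss-protection"

# check_security_headers: reads raw response headers on stdin, reports every
# problem on stderr and returns 0 only when all checks pass.
check_security_headers() {
    # Drop CRs, lowercase everything, keep only "name: value" lines.
    hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]' | grep -E '^[a-z0-9-]+:')
    problems=""
    for h in $REQUIRED_HEADERS; do
        printf '%s\n' "$hdrs" | grep -q "^$h:" || problems="$problems missing:$h"
    done
    # Values must match the configured policy, not merely be present.
    printf '%s\n' "$hdrs" | grep -q '^x-content-type-options: *nosniff$' \
        || problems="$problems bad-value:x-content-type-options"
    printf '%s\n' "$hdrs" | grep -q '^x-frame-options: *sameorigin$' \
        || problems="$problems bad-value:x-frame-options"
    printf '%s\n' "$hdrs" | grep -q '^referrer-policy: *no-referrer$' \
        || problems="$problems bad-value:referrer-policy"
    # The upstream fingerprint must have been stripped by the router.
    printf '%s\n' "$hdrs" | grep -q '^x-powered-by:' \
        && problems="$problems leaked:x-powered-by"
    if [ -n "$problems" ]; then
        echo "security header check failed:$problems" >&2
        return 1
    fi
    return 0
}

# Constructed sample: what the router should return for a proxied page.
HARDENED_RESPONSE='HTTP/2 200
server: nginx
content-type: text/html; charset=utf-8
referrer-policy: no-referrer
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: none
x-xss-protection: 1; mode=block'

# Constructed sample: a PHP backend answering directly, bypassing the router.
BARE_BACKEND_RESPONSE='HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/8.2
Content-Type: text/html; charset=utf-8'

printf '%s\n' "$HARDENED_RESPONSE" | check_security_headers && echo "hardened response: OK"
printf '%s\n' "$BARE_BACKEND_RESPONSE" | check_security_headers || echo "bare backend response: FAIL"
```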
Test migration
Can login
Does send mails
Probably no longer needed (ARCHIVE)
Lock old instance
Migrate DNS
Generate certificate
Pleroma test
Network (ARCHIVE)
docker network create pleroma-test
52dde94ff2e18ed1e1c5a6f301fdada68445c7b2314a2cd08ad406036806f33a
DB
docker rm -f pleroma-test-postgres || true
docker run -d --name=pleroma-test-postgres \
-e POSTGRES_PASSWORD="CHANGE_THIS" \
-e POSTGRES_USER=pleroma \
-e POSTGRES_DB=pleroma \
-v /mnt/vols/hubzilla/pleroma-test/postgres:/var/lib/postgresql/data/ \
--network=internal \
--memory=190m \
--restart=unless-stopped \
postgres:9.6-alpine
pleroma-test-postgres
WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
7eef83b7972fafba427dcae5ad2e93c9ff11cd1eb6d59723b07b8372158b5136
Add citext extension
docker exec -i pleroma-test-postgres psql -U pleroma -c "CREATE EXTENSION IF NOT EXISTS citext;"
CREATE EXTENSION
Backend
Build
mkdir -p /mnt/vols/hubzilla/pleroma-test/code/ || true
git clone https://github.com/angristan/docker-pleroma /mnt/vols/hubzilla/pleroma-test/code/docker-pleroma
cd /mnt/vols/hubzilla/pleroma-test/code/docker-pleroma
docker build -t pleroma .
Run
docker rm -f pleroma-test-backend || true
docker run -d --name=pleroma-test-backend \
--link=pleroma-test-postgres:db \
-e DB_PASS="CHANGE_THIS" \
-e DOMAIN='pleromatest.codigoparallevar.com' \
-v /mnt/vols/hubzilla/pleroma-test/uploads:/pleroma/uploads/ \
--network=internal \
--memory=380m \
--restart=unless-stopped \
pleroma-test
Error: No such container: pleroma-test-backend
WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
e2c10538606f8f2ce930c5e4d36a921a2176c8941b5fce8b9f58959b0de1fb72
Configure router
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name pleromatest.codigoparallevar.com;
include /config/nginx/ssl.conf;
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this
# topic first.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak. The backend is reached via
# proxy_pass, so proxy_hide_header is needed; fastcgi_hide_header only affects fastcgi_pass.
proxy_hide_header X-Powered-By;
# set max upload size
client_max_body_size 100M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
location / {
include /config/nginx/proxy.conf;
proxy_pass http://pleroma-test-backend:4000;
}
}
cat > /etc/nginx/sites-enabled/pleroma-test.conf <<EOF
<<pleroma-test-router-config>>
EOF
<<reload-router>>
+ docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
cat: /var/run/nginx.pid: No such file or directory
sh: you need to specify whom to kill
+ docker start ingress
ingress
Frontend
GoToSocial
Url
On GH
On DockerHub
Installation docs
https://docs.gotosocial.org/en/latest/installation_guide/docker/
A lightweight ActivityPub server written in Go.
Install service
From
Configuration
version: "3.3"
services:
gotosocial:
image: superseriousbusiness/gotosocial:0.19.2
container_name: gotosocial
user: 1001:1001
networks:
- gotosocial
- internal
environment:
GTS_HOST: social.codigoparallevar.com
GTS_DB_TYPE: sqlite
GTS_DB_ADDRESS: /gotosocial/storage/sqlite.db
GTS_LETSENCRYPT_ENABLED: "false"
GTS_LETSENCRYPT_EMAIL_ADDRESS: ""
GTS_ACCOUNTS_REGISTRATION_OPEN: "false"
# For reverse proxy setups:
GTS_TRUSTED_PROXIES: "172.0.0.0/8"
# Increased for more cool emoji 🤷
GTS_MEDIA_EMOJI_LOCAL_MAX_SIZE: "100KiB"
# For better interoperability, at the cost of more storage
GTS_MEDIA_EMOJI_REMOTE_MAX_SIZE: "1000KiB"
# ports:
# - "443:8080"
## For letsencrypt:
#- "80:80"
## For reverse proxy setups:
# - "127.0.0.1:8080:8080"
volumes:
- /mnt/vols/hubzilla/gotosocial/storage:/gotosocial/storage
restart: "always"
networks:
gotosocial:
ipam:
driver: default
internal:
# name: internal
external: true
Upload configuration
cat > /mnt/vols/hubzilla/gotosocial/docker-compose.yaml <<EOF
<<gotosocial-docker-compose.yaml>>
EOF
date
Mon 22 Sep 2025 12:12:13 AM CEST
Start docker compose
docker-compose up -d
0.19.2: Pulling from superseriousbusiness/gotosocial
Digest: sha256:1aa074861fdb9913950ea9ee8923f342a1593b4c66dd9c3a1592140ac9164966
Status: Downloaded newer image for superseriousbusiness/gotosocial:0.19.2
Install reverse proxy
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name social.codigoparallevar.com;
include /config/nginx/ssl.conf;
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this
# topic first.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak. The backend is reached via
# proxy_pass, so proxy_hide_header is needed; fastcgi_hide_header only affects fastcgi_pass.
proxy_hide_header X-Powered-By;
# set max upload size
client_max_body_size 100M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
location / {
include /config/nginx/proxy.conf;
proxy_pass http://gotosocial:8080;
}
}
cat > /etc/nginx/sites-enabled/social.conf <<EOF
<<gotosocial-router-config>>
EOF
<<reload-router>>
ingress
Configure trusted proxy
See Reverse proxy with NGINX; fixing it is needed for proper rate limiting.
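GoToSocial only honours X-Forwarded-For from addresses listed in GTS_TRUSTED_PROXIES, so a list that does not cover the router makes every client look like the router for rate limiting, while one as wide as the 172.0.0.0/8 used above trusts far more than the internal network. The following helper is an added example, not part of the original notes or of GoToSocial; the address 172.19.0.3 is a constructed stand-in for the ingress container's address on the internal network.

```shell
#!/bin/sh
# Added example (not part of the original notes): check a GTS_TRUSTED_PROXIES
# entry against the address the ingress container actually connects from.
# Live use:
#   check_trusted_proxy 172.0.0.0/8 \
#     "$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' ingress)"

# ip4_to_int DOTTED -> prints the 32-bit integer value of an IPv4 address
ip4_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# cidr_contains CIDR ADDR -> returns 0 when ADDR falls inside CIDR.
# A bare address (no "/") is treated as a /32, as GoToSocial also accepts.
cidr_contains() {
    case $1 in */*) ;; *) set -- "$1/32" "$2" ;; esac
    net=${1%/*}
    bits=${1#*/}
    # Netmask as a 32-bit value (4294967295 = 0xFFFFFFFF)
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip4_to_int "$net") & mask )) -eq $(( $(ip4_to_int "$2") & mask )) ]
}

# cidr_is_too_broad CIDR -> returns 0 when the prefix is wider than a single
# Docker user-defined network (Docker carves /16 subnets out of 172.16.0.0/12
# by default). Anything wider also trusts addresses outside the internal network.
cidr_is_too_broad() {
    case $1 in */*) ;; *) return 1 ;; esac
    [ "${1#*/}" -lt 16 ]
}

# check_trusted_proxy CIDR INGRESS_ADDR
#   -> 0: covered by a suitably narrow range
#   -> 1: not covered (forwarded client addresses are ignored)
#   -> 2: covered, but the range is much wider than the network
check_trusted_proxy() {
    if ! cidr_contains "$1" "$2"; then
        echo "FAIL: $2 is not in $1; rate limits would key on the router's address"
        return 1
    fi
    if cidr_is_too_broad "$1"; then
        echo "WARN: $1 is wider than the internal network; use the subnet from" \
             "'docker network inspect internal -f {{range .IPAM.Config}}{{.Subnet}}{{end}}'"
        return 2
    fi
    echo "OK: $2 is covered by $1"
    return 0
}

# Constructed samples: the value used in the compose file above, a narrowed
# range, and a range that misses the router entirely.
check_trusted_proxy 172.0.0.0/8 172.19.0.3 || true
check_trusted_proxy 172.19.0.0/16 172.19.0.3 || true
check_trusted_proxy 172.19.0.0/16 172.20.0.3 || true
```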
Matrix
Synapse
Software
Launch container
docker rm -f matrix-server
docker run -d --name=matrix-server \
-v /mnt/vols/misc/matrix:/data \
-p 8448:8448 -p 8008:8008 \
--network=internal \
--memory=300m \
--restart unless-stopped \
matrixdotorg/synapse:v1.124.0
matrix-server 23c25aa9ca89c0782619c903e67109ec0e21aa216993f012a483a89cc413ee7a
Configure router
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name matrix.codigoparallevar.com;
include /config/nginx/ssl.conf;
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this
# topic first.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak. The backend is reached via
# proxy_pass, so proxy_hide_header is needed; fastcgi_hide_header only affects fastcgi_pass.
proxy_hide_header X-Powered-By;
# set max upload size
client_max_body_size 100M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
location / {
include /config/nginx/proxy.conf;
proxy_pass https://matrix-server:8448;
}
}
cat > /etc/nginx/sites-enabled/matrix.conf <<EOF
<<matrix-router-config>>
EOF
<<reload-router>>
ingress
Forgejo
Configure container
docker rm -f forge-server || true
docker run -d --name=forge-server \
-v /mnt/vols/misc/gitea:/data \
-p 2022:22 \
--network=internal \
--restart unless-stopped \
--memory=380m \
codeberg.org/forgejo/forgejo:12
forge-server 605bd8a4e13055bcc1f1b778cb52946036eea7af1693168b94bb42960659c103
Add action runner
docker rm -f gitea-server-action-runner || true
docker run -d --name=gitea-server-action-runner \
-e GITEA_INSTANCE_URL=https://code.codigoparallevar.com \
-e GITEA_RUNNER_REGISTRATION_TOKEN=GITEA-REGISTRATION-TOKEN-HERE \
-v /var/run/docker.sock:/var/run/docker.sock \
gitea/act_runner:nightly
Configure router
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name code.codigoparallevar.com;
include /config/nginx/ssl.conf;
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this
# topic first.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak. The backend is reached via
# proxy_pass, so proxy_hide_header is needed; fastcgi_hide_header only affects fastcgi_pass.
proxy_hide_header X-Powered-By;
# set max upload size
client_max_body_size 100M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
location / {
include /config/nginx/proxy.conf;
proxy_pass http://forge-server:3000;
}
}
cat > /etc/nginx/sites-enabled/forge.conf <<EOF
<<forge-router-config>>
EOF
<<reload-router>>
ingress
Grocy
A self-hosted ERP for groceries.
Configure container
docker rm -f grocy-server || true
docker run -d --name=grocy-server \
-e PUID=1000 \
-e PGID=1000 \
-e TZ=Europe/Madrid \
-v /mnt/vols/misc/grocy:/config \
--restart unless-stopped \
--memory=190m \
--network=internal \
lscr.io/linuxserver/grocy:latest
grocy-server 7dfe690da60afb834cdcf5d7da097da98afd0edf18b4bef5f863140daba01103
Configure router
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name grocy.codigoparallevar.com;
include /config/nginx/ssl.conf;
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this
# topic first.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak. The backend is reached via
# proxy_pass, so proxy_hide_header is needed; fastcgi_hide_header only affects fastcgi_pass.
proxy_hide_header X-Powered-By;
# set max upload size
client_max_body_size 100M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
location / {
include /config/nginx/proxy.conf;
proxy_pass http://grocy-server:80;
}
}
cat > /etc/nginx/sites-enabled/grocy.conf <<EOF
<<grocy-router-config>>
EOF
<<reload-router>>
ingress
TechTree
Configure database (ARCHIVE)
docker rm -f techtree-postgres || true
docker run -d --name=techtree-postgres \
-e POSTGRES_PASSWORD=CHANGE_THIS \
-v /mnt/vols/misc/techtree/postgres:/var/lib/postgresql/data/ \
--network=internal \
--memory=190m \
postgres:10
techtree-postgres
WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
39c9bed6f75969b116d60ca291a711e8ad5a1331ed2af3ae7466e8461a03a17f
Configure container
docker rm -f techtree-server
source ~/.techtree-credentials.sh
# Derive a SECRET_KEY_BASE: concatenate the salted crypt hashes of six fixed
# strings (the randomness comes from the per-hash salts) and drop the '/'
# characters and newlines so the result is a single plain token.
GENPASSWD() {
openssl passwd hex 1 2 3 4 5 6|tr -d '/\n'
}
docker run -d --name=techtree-server -m 500m \
--link=techtree-postgres:db \
-e DATABASE_URL=postgres://${TT_USERNAME}:${TT_PASSWORD}@db:5432/${TT_DB} \
-e SECRET_KEY_BASE="`GENPASSWD`" \
-e PORT=80 \
-e MIX_ENV=prod \
--network=internal \
--memory=190m \
kenkeiras/techtree:prod
clean_techtree_credentials
techtree-server
WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
332084157ece622a25088577813a1f986e610afab8c11369e25983c496fc7253
Configure router
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name techtree.spiral.systems;
include /config/nginx/ssl.conf;
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this
# topic first.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak. The backend is reached via
# proxy_pass, so proxy_hide_header is needed; fastcgi_hide_header only affects fastcgi_pass.
proxy_hide_header X-Powered-By;
# set max upload size
client_max_body_size 100M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
location / {
include /config/nginx/proxy.conf;
proxy_pass http://techtree-server:80;
}
}
cat > /etc/nginx/sites-enabled/techtree.conf <<EOF
<<techtree-router-config>>
EOF
<<reload-router>>
+ cat
+ docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
+ docker start ingress
ingress
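The same header block is pasted into each of the proxied vhosts on this page, which is exactly where copy-paste drift creeps in (HSTS left commented out, `always` dropped from one line, a fastcgi directive kept in a proxy_pass vhost). The following lint is an added example, not part of the original file: it checks a vhost file for the header set these configs rely on, that every `add_header` carries `always` (without it nginx omits the header on 4xx/5xx responses), that a `proxy_pass` vhost uses `proxy_hide_header` rather than `fastcgi_hide_header`, and that Strict-Transport-Security is actually enabled. The two sample vhosts it writes are constructed for the demo and only POSIX sh, grep and mktemp are needed.

```sh
#!/bin/sh
# Added example, not part of the original page: lint nginx vhost files for the
# hardening lines the router configs above rely on.

REQUIRED_HEADERS="Referrer-Policy X-Content-Type-Options X-Frame-Options X-Permitted-Cross-Domain-Policies"

# lint_vhost FILE -> one finding per line on stdout; returns 1 if any, 0 if clean
lint_vhost() {
    f=$1
    rc=0
    for h in $REQUIRED_HEADERS; do
        if ! grep -Eq "^[[:space:]]*add_header[[:space:]]+$h[[:space:]]" "$f"; then
            echo "$f: missing add_header $h"
            rc=1
        fi
    done
    # add_header without 'always' is only sent on 2xx/3xx responses
    if grep -E '^[[:space:]]*add_header' "$f" | grep -Eqv 'always[[:space:]]*;'; then
        echo "$f: add_header without 'always' (header dropped on error responses)"
        rc=1
    fi
    # fastcgi_hide_header does nothing for proxy_pass upstreams
    if grep -q 'proxy_pass' "$f" && grep -q 'fastcgi_hide_header' "$f" \
        && ! grep -q 'proxy_hide_header' "$f"; then
        echo "$f: fastcgi_hide_header has no effect on proxy_pass responses; use proxy_hide_header"
        rc=1
    fi
    # a commented-out HSTS line does not count
    if ! grep -Eq '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security' "$f"; then
        echo "$f: Strict-Transport-Security is not enabled"
        rc=1
    fi
    return $rc
}

# write_samples DIR: two constructed vhosts. weak.conf mirrors the blocks on
# this page (HSTS commented out, fastcgi_hide_header next to proxy_pass);
# hardened.conf is the corrected form.
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
server {
    listen 443 ssl http2;
    server_name techtree.example;
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    fastcgi_hide_header X-Powered-By;
    location / { proxy_pass http://techtree-server:80; }
}
EOF
    cat > "$1/hardened.conf" <<'EOF'
server {
    listen 443 ssl http2;
    server_name techtree.example;
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    proxy_hide_header X-Powered-By;
    location / { proxy_pass http://techtree-server:80; }
}
EOF
}

# Stand-alone demo on the two constructed samples. On the real host, loop over
# /etc/nginx/sites-enabled/*.conf instead.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in "$demo_dir/weak.conf" "$demo_dir/hardened.conf"; do
    if lint_vhost "$f"; then echo "$f: ok"; fi
done
rm -rf "$demo_dir"
```

Run it against the ingress container's sites-enabled directory after each `<<reload-router>>`; a non-zero exit from `lint_vhost` is a cheap gate before the HUP.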
Notes API
You are most probably reading these notes already. The API just provides the search function right now.
Configure container
docker pull kenkeiras/notes-api-server:latest
docker rm -f notes-api-server
docker run -d --name notes-api-server \
-e DB_PATH=/db.sqlite3 \
-v /mnt/vols/misc/codigoparallevar-api/db.sqlite3:/db.sqlite3:ro \
--network=internal \
kenkeiras/notes-api-server:latest
latest: Pulling from kenkeiras/notes-api-server
Digest: sha256:3ae36797c7da7bcc5dc2c16c49df877aa10a91d6db8aeffb2e54b4a0a3c53c9c
Status: Image is up to date for kenkeiras/notes-api-server:latest
docker.io/kenkeiras/notes-api-server:latest
00b9dd0068778aabc77856a7954c678f12b1a54bde721910ad37c23ad2c7ea9c
Configure router
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name api.codigoparallevar.com;
include /config/nginx/ssl.conf;
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this
# topic first.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak. This vhost proxies with
# proxy_pass, so proxy_hide_header is the directive that applies here;
# fastcgi_hide_header only affects responses coming through fastcgi_pass.
proxy_hide_header X-Powered-By;
# set max upload size
client_max_body_size 1M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
location / {
include /config/nginx/proxy.conf;
proxy_pass http://notes-api-server:3000;
}
}
cat > /etc/nginx/sites-enabled/notes-api.conf <<EOF
<<notes-api-router-config>>
EOF
<<reload-router>>
ingress
Wallabag
Configure container
docker rm -f wallabag-server
docker run -d --name wallabag-server \
-e SYMFONY__ENV__DOMAIN_NAME=https://wallabag.codigoparallevar.com \
-v /mnt/vols/misc/wallabag/data:/var/www/wallabag/data \
-v /mnt/vols/misc/wallabag/images:/var/www/wallabag/web/assets/images \
--network=internal \
wallabag/wallabag:2.6.12
wallabag-server
fd57df8ccd13e3bccb61666f30a9a42c9c4ce2c070b48d596d9318707131fb36
Configure router
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name wallabag.codigoparallevar.com;
include /config/nginx/ssl.conf;
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this
# topic first.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak. This vhost proxies with
# proxy_pass, so proxy_hide_header is the directive that applies here;
# fastcgi_hide_header only affects responses coming through fastcgi_pass.
proxy_hide_header X-Powered-By;
# set max upload size
client_max_body_size 100M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
location / {
include /config/nginx/proxy.conf;
proxy_pass http://wallabag-server:80;
}
}
cat > /etc/nginx/sites-enabled/wallabag.conf <<EOF
<<wallabag-router-config>>
EOF
<<reload-router>>
ingress
Wiki
Configure router
# main server block
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
root /opt/wiki;
# index index.html index.htm index.php;
server_name wiki.codigoparallevar.com;
# # enable subfolder method reverse proxy confs
# include /config/nginx/proxy-confs/*.subfolder.conf;
# all ssl related config moved to ssl.conf
include /config/nginx/ssl.conf;
# enable for ldap auth
#include /config/nginx/ldap.conf;
# enable for Authelia
#include /config/nginx/authelia-server.conf;
client_max_body_size 0;
# location / {
# try_files $uri $uri/ /index.html /index.php?$args =404;
# }
}
cat > /etc/nginx/sites-enabled/wiki.conf <<EOF
<<wiki-router-config>>
EOF
<<reload-router>>
+ cat
+ docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
failed to resize tty, using default size
+ docker start ingress
ingress
Scrap Notes
Configure router
# main server block
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
root /opt/scrap-notes;
# index index.html index.htm index.php;
server_name sn.codigoparallevar.com;
# # enable subfolder method reverse proxy confs
# include /config/nginx/proxy-confs/*.subfolder.conf;
# all ssl related config moved to ssl.conf
include /config/nginx/ssl.conf;
# enable for ldap auth
#include /config/nginx/ldap.conf;
# enable for Authelia
#include /config/nginx/authelia-server.conf;
client_max_body_size 0;
# location / {
# try_files $uri $uri/ /index.html /index.php?$args =404;
# }
}
cat > /etc/nginx/sites-enabled/scrap-notes.conf <<EOF
<<scrap-notes-router-config>>
EOF
<<reload-router>>
ingress
Deploy
cd ~/repos/org-web-editor && make && cd dist && rsync -HPaz . personal_server:/mnt/vols/misc/scrap-notes/
echo $?
make: Nothing to be done for 'all'.
sending incremental file list
0
BeeRol
Configure router (archived)
# main server block
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
root /opt/beerol;
# index index.html index.htm index.php;
server_name beerol.quest;
# # enable subfolder method reverse proxy confs
# include /config/nginx/proxy-confs/*.subfolder.conf;
# all ssl related config moved to ssl.conf
include /config/nginx/ssl.conf;
# enable for ldap auth
#include /config/nginx/ldap.conf;
# enable for Authelia
#include /config/nginx/authelia-server.conf;
client_max_body_size 0;
# location / {
# try_files $uri $uri/ /index.html /index.php?$args =404;
# }
}
cat > /etc/nginx/sites-enabled/beerol.conf <<EOF
<<beerol-router-config>>
EOF
<<reload-router>>
ingress
Birracoin
Configure router
# main server block
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
root /opt/birracoin;
# index index.html index.htm index.php;
server_name birracoin.com;
server_name www.birracoin.com;
# # enable subfolder method reverse proxy confs
# include /config/nginx/proxy-confs/*.subfolder.conf;
# all ssl related config moved to ssl.conf
include /config/nginx/ssl.conf;
# enable for ldap auth
#include /config/nginx/ldap.conf;
# enable for Authelia
#include /config/nginx/authelia-server.conf;
client_max_body_size 0;
# location / {
# try_files $uri $uri/ /index.html /index.php?$args =404;
# }
}
cat > /etc/nginx/sites-enabled/birracoin.conf <<EOF
<<birracoin-router-config>>
EOF
<<reload-router>>
+ cat
+ docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
+ docker start ingress
ingress
Prosody
Configure container
docker rm -f prosody-server
docker run -d --name prosody-server \
-v /mnt/vols/misc/prosody/data:/var/lib/prosody \
-v /mnt/vols/misc/prosody/etc:/etc/prosody \
-v /mnt/vols/misc/prosody/certs:/extra/certs \
-p 5222:5222 \
-p 5269:5269 \
-p 5280:5280 \
--network=internal \
--memory=190m \
prosody/prosody:0.11
+ docker rm -f prosody-server
prosody-server
+ docker run -d --name prosody-server -v /mnt/vols/misc/prosody/data:/var/lib/prosody -v /mnt/vols/misc/prosody/etc:/etc/prosody -v /mnt/vols/misc/prosody/certs:/extra/certs -p 5222:5222 -p 5269:5269 -p 5280:5280 --network=internal --memory=190m prosody/prosody:0.11
WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
9b5c70494e984865e6caa46796b22dd4a4e48ac3c6df267adaae582fb22eb00f
Navidrome
Container
docker rm -f navidrome
docker run -d \
--name navidrome \
--restart=unless-stopped \
--user 1001:1001 \
--network=internal \
-v /mnt/vols/misc/navidrome/music:/music:ro \
-v /mnt/vols/misc/navidrome/data:/data \
-p 4533:4533 \
-e ND_LOGLEVEL=info \
deluan/navidrome:latest
navidrome
208e2f8fa295ddf4408a80ea55843addc13e7645c07ff1ac2c361833737ff938
Configure router
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name navidrome.codigoparallevar.com;
include /config/nginx/ssl.conf;
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this
# topic first.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak. This vhost proxies with
# proxy_pass, so proxy_hide_header is the directive that applies here;
# fastcgi_hide_header only affects responses coming through fastcgi_pass.
proxy_hide_header X-Powered-By;
# set max upload size
client_max_body_size 100M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
location / {
include /config/nginx/proxy.conf;
proxy_pass http://navidrome:4533;
}
}
cat > /etc/nginx/sites-enabled/navidrome.conf <<EOF
<<navidrome-router-config>>
EOF
<<reload-router>>
Autoconfigure SSHFS
Grok
# main server block
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# index index.html index.htm index.php;
server_name grok.spiral.systems;
# # enable subfolder method reverse proxy confs
# include /config/nginx/proxy-confs/*.subfolder.conf;
# all ssl related config moved to ssl.conf
include /config/nginx/ssl.conf;
# enable for ldap auth
#include /config/nginx/ldap.conf;
# enable for Authelia
#include /config/nginx/authelia-server.conf;
client_max_body_size 0;
location / {
proxy_pass http://172.17.0.1:1234;
}
}
cat > /etc/nginx/sites-enabled/grok.conf <<EOF
<<grok-router-config>>
EOF
<<reload-router>>
+ cat
+ docker exec -it ingress sh -c 'kill -s HUP `cat /var/run/nginx.pid`'
cat: /var/run/nginx.pid: No such file or directory
sh: you need to specify whom to kill
+ docker start ingress
ingress
The HUP failed because the ingress container was not running at that moment (no nginx.pid to read); the `docker start ingress` that follows in reload-router brought it up, and a fresh start reads the new vhost file anyway.
Wireguard VPN
Fiddling with WireGuard to check how useful it can be for connecting to home machines from a remote location.
Installation
apt-get install -y wireguard
Reading package lists... Done
Building dependency tree
Reading state information... Done
wireguard is already the newest version (1.0.20210223-1~bpo10+1).
The following packages were automatically installed and are no longer required:
git-man liberror-perl
Use 'apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 33 not upgraded.
Setup
See
It's not automated, as it contains private keys ¯\_(ツ)_/¯
It's not supported: `ip link add wg0 type wireguard` failing with "Operation not supported" means this kernel has no WireGuard support (neither built in nor as a loadable module), which installing the userspace package cannot fix. Check with `modprobe wireguard` or `ls /sys/module/wireguard`; on a VPS or LXC guest the host kernel has to provide it.
# wg-quick up wg0
[#] ip link add wg0 type wireguard
RTNETLINK answers: Operation not supported
Unable to access interface: Protocol not supported
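The setup is left manual above because the config carries a private key. As an added example (not the page's own code), the script below shows how the interface config can still be generated from the org file without ever putting the key in it: the key lives in a 0600 file, the generated `wg0.conf` is written with the same mode, and the peer's `AllowedIPs` is restricted to its own address rather than `0.0.0.0/0`. It also includes the kernel check that would have predicted the error above. Addresses, port, hostnames and keys in the demo are placeholders; the demo key is random base64 standing in for `wg genkey`, so `wireguard-tools` is not needed to run it.

```sh
#!/bin/sh
# Added example, not part of the original page. Assembles a WireGuard config
# from arguments plus a private key file, never embedding the key in a script.
# All names, addresses and keys used below are placeholders.

# wg_kernel_ok: does this kernel provide WireGuard? A kernel without the
# module (or a container that cannot see it) is what produces
# "RTNETLINK answers: Operation not supported" on `ip link add ... type wireguard`.
wg_kernel_ok() {
    [ -d /sys/module/wireguard ] && return 0
    modprobe -n -q wireguard 2>/dev/null
}

# make_demo_key FILE: 32 random bytes, base64, written 0600. Stand-in for
# `wg genkey` so the demo runs without wireguard-tools; use `wg genkey` and
# `wg pubkey` for a real interface.
make_demo_key() {
    (umask 077; head -c 32 /dev/urandom | base64 > "$1")
}

# write_wg_conf OUT KEYFILE ADDRESS PORT PEER_PUBKEY PEER_ALLOWED_IPS [PEER_ENDPOINT]
# Refuses a private key readable by group/other, writes OUT with mode 0600
# (umask 077 applies to the redirection) and limits AllowedIPs to what is
# passed in, so the peer can only source traffic for its own addresses.
write_wg_conf() {
    out=$1 keyfile=$2 addr=$3 port=$4 peer_pub=$5 peer_allowed=$6 peer_endpoint=${7:-}
    if [ -n "$(find "$keyfile" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
        echo "refusing: $keyfile is readable by group or others" >&2
        return 1
    fi
    priv=$(cat "$keyfile") || return 1
    (
        umask 077
        {
            echo "[Interface]"
            echo "Address = $addr"
            echo "ListenPort = $port"
            echo "PrivateKey = $priv"
            echo ""
            echo "[Peer]"
            echo "PublicKey = $peer_pub"
            echo "AllowedIPs = $peer_allowed"
            if [ -n "$peer_endpoint" ]; then echo "Endpoint = $peer_endpoint"; fi
            echo "PersistentKeepalive = 25"
        } > "$out"
    )
}

# Demo with placeholder values in a temporary directory; the private key line
# is masked when printing.
demo=$(mktemp -d)
make_demo_key "$demo/privatekey"
write_wg_conf "$demo/wg0.conf" "$demo/privatekey" 10.8.0.1/24 51820 \
    "PLACEHOLDER_PEER_PUBLIC_KEY=" 10.8.0.2/32 home.example.net:51820
sed 's/^PrivateKey = .*/PrivateKey = (hidden)/' "$demo/wg0.conf"
rm -rf "$demo"
```

On a host where `wg_kernel_ok` succeeds, write the output to `/etc/wireguard/wg0.conf` (the function already gives it mode 0600) and bring it up with `wg-quick up wg0`; the key file itself can stay outside any synced or published directory.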
Docker Watchtower
Watchtower polls the registry for the image each running container was started from and, when the tag now resolves to a different image (a re-pushed `:latest`, for example), pulls it and recreates the container. Two caveats: it needs `/var/run/docker.sock`, which is equivalent to root on the host, and it trusts whatever the registry serves under that tag, so a compromised or hijacked upstream image gets deployed automatically. Pin the images that matter to a version (as `wallabag/wallabag:2.6.12` and `prosody/prosody:0.11` above already are) and consider watchtower's per-container enable label so only the intended containers are auto-updated.
docker rm -f watchtower || true
docker run -d --name=watchtower \
-v /var/run/docker.sock:/var/run/docker.sock \
--memory=190m \
containrrr/watchtower
Update certificates
docker exec -i ingress ls -lh /config/etc/letsencrypt/live/codigoparallevar.com/
total 12K
-rw-r--r-- 1 abc users  692 Oct 28 14:34 README
lrwxrwxrwx 1 abc users   44 Oct 28 14:34 cert.pem -> ../../archive/codigoparallevar.com/cert1.pem
lrwxrwxrwx 1 abc users   45 Oct 28 14:34 chain.pem -> ../../archive/codigoparallevar.com/chain1.pem
lrwxrwxrwx 1 abc users   49 Oct 28 14:34 fullchain.pem -> ../../archive/codigoparallevar.com/fullchain1.pem
-rw-r--r-- 1 abc users 3.6K Oct 28 14:34 priv-fullchain-bundle.pem
lrwxrwxrwx 1 abc users   47 Oct 28 14:34 privkey.pem -> ../../archive/codigoparallevar.com/privkey1.pem
-rw------- 1 abc users 3.1K Oct 28 14:34 privkey.pfx
set -eux
VER=1
# Mail certs
docker cp ingress:/config/etc/letsencrypt/archive/codigoparallevar.com/fullchain${VER}.pem /mnt/vols/mail/certs/fullchain.pem
docker cp ingress:/config/etc/letsencrypt/archive/codigoparallevar.com/privkey${VER}.pem /mnt/vols/mail/certs/privkey.pem
docker restart mail
# Prosody certs
docker cp ingress:/config/etc/letsencrypt/archive/codigoparallevar.com/fullchain${VER}.pem /mnt/vols/misc/prosody/certs/fullchain.pem
docker cp ingress:/config/etc/letsencrypt/archive/codigoparallevar.com/privkey${VER}.pem /mnt/vols/misc/prosody/certs/privkey.pem
sudo chown 101:0 -R /mnt/vols/misc/prosody/certs/
docker restart prosody-server
# Matrix certs
docker cp ingress:/config/etc/letsencrypt/archive/codigoparallevar.com/privkey${VER}.pem /mnt/vols/misc/matrix/privkey.pem
docker cp ingress:/config/etc/letsencrypt/archive/codigoparallevar.com/fullchain${VER}.pem /mnt/vols/misc/matrix/fullchain.pem
sudo chown 991:991 -R /mnt/vols/misc/matrix/
docker restart matrix-server
mail
prosody-server
matrix-server
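Two things in the script above are worth tightening: `VER=1` hard-codes the archive suffix, so after certbot's next renewal (which writes `fullchain2.pem` and repoints `live/`) the script silently re-installs the old pair, and the copied private key is handed to another uid without an explicit mode (note that the `ls -lh` output shows `priv-fullchain-bundle.pem`, which contains the key, as world-readable). The script below is an added example, not the page's own code: it follows the `live/` symlinks instead of the numbered archive files, sets modes before `chown`, returns a distinct status when nothing changed so the consumer is only restarted when needed, and can check that the installed chain and key belong together. It assumes the certbot tree is reachable as a local path (the ingress container's `/config` bind mount, or a directory filled with `docker cp` as above); the `LE_LIVE` path and uids in the usage comment are placeholders, and the test tree is constructed.

```sh
#!/bin/sh
# Added example, not part of the original page: install the current Let's
# Encrypt pair for one consumer container from a certbot tree.

# install_cert LIVE_DIR DEST_DIR OWNER
#   LIVE_DIR  .../letsencrypt/live/<domain>, holding the fullchain.pem / privkey.pem symlinks
#   DEST_DIR  directory the consumer container mounts (created if missing)
#   OWNER     uid:gid the consumer runs as, e.g. 101:0 (prosody) or 991:991 (synapse)
# Returns 0 when a file was (re)installed, 3 when both were already current, 1 on error.
install_cert() {
    live=$1 dest=$2 owner=$3
    changed=3
    [ -d "$dest" ] || mkdir -p "$dest" || return 1
    for name in fullchain.pem privkey.pem; do
        src=$live/$name
        [ -r "$src" ] || { echo "missing $src" >&2; return 1; }
        if [ -f "$dest/$name" ] && cmp -s "$src" "$dest/$name"; then
            continue
        fi
        tmp=$dest/.$name.tmp
        # cp -L dereferences live/<name> -> archive/<name>N.pem, so the newest
        # version is picked up after every renewal; umask 077 keeps the copy
        # private until the mode is set explicitly.
        (umask 077; cp -L "$src" "$tmp") || return 1
        if [ "$name" = fullchain.pem ]; then chmod 644 "$tmp"; fi
        # chown needs root; it is ignored in an unprivileged dry run.
        chown "$owner" "$tmp" 2>/dev/null || true
        mv -f "$tmp" "$dest/$name" || return 1
        changed=0
    done
    return $changed
}

# cert_matches_key CERT KEY: 0 when the public key in CERT is the one derived
# from KEY, which catches a fullchain/privkey mix-up before the service reloads.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Example use on this page's layout (run as root on the host). LE_LIVE is an
# assumed bind-mount path for the ingress container's certbot tree.
#   LE_LIVE=/mnt/vols/ingress/config/etc/letsencrypt/live/codigoparallevar.com
#   if install_cert "$LE_LIVE" /mnt/vols/misc/prosody/certs 101:0; then
#       cert_matches_key /mnt/vols/misc/prosody/certs/fullchain.pem \
#                        /mnt/vols/misc/prosody/certs/privkey.pem \
#           && docker restart prosody-server
#   fi
```

Because `install_cert` returns 3 when nothing changed, the block can run from cron after `certbot renew` without bouncing mail, prosody and matrix on every run; only a consumer whose files actually changed gets restarted.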