5 天之前 · 32d533b6cc
--- a/README.md
+++ b/README.md
@@ -55,7 +55,8 @@ If you want, you can also add this config snippet to all your nodes and add your
    sudo cryptsetup --verify-passphrase luksFormat /dev/sdX1 -c aes -s 256 -h sha256
    sudo cryptsetup luksOpen /dev/sdX1 volumes
    sudo mkfs -t ext4 -m 1 -O dir_index,sparse_super /dev/mapper/volumes
    #mount -t auto /dev/mapper/volumes /media/volumes
    sudo mkdir -p /media/volumes
    #sudo mount -t auto /dev/mapper/volumes /media/volumes

    sudo dd if=/dev/urandom of=/root/volumes_luks_pwd bs=1024 count=4
    sudo chmod 0400 /root/volumes_luks_pwd
--- a/compose_parse.py
+++ b/compose_parse.py
@@ -0,0 +1,42 @@
 #!/usr/bin/env python

 import sys
 import yaml

 DOCKER_COMPOSE_TEMPLATE = 'docker-compose.yml.template'
 DOCKER_COMPOSE = 'docker-compose.yml'

 def get_compose():
    with open(DOCKER_COMPOSE_TEMPLATE, 'r') as stream:
        try:
            return yaml.load(stream)
        except yaml.YAMLError as exc:
            print(exc)

 def get_dependencies(stream, submodules):
    result = submodules
    for service in stream['services']:
        if service not in submodules:
            continue
        if 'depends_on' in stream['services'][service]:
            result = result + stream['services'][service]['depends_on']
    return result
 def process_compose(stream, submodules):
    result = stream
    services = {}
    for service in stream['services']:
        if service in submodules:
            services[service] = stream['services'][service]

    result['services'] = services

    return result

 def main(args):
    s = get_compose()
    computed_submodules = get_dependencies(s, ['haproxy'])
    r2 = process_compose(s, computed_submodules)
    print r2

 if __name__ == '__main__':
    main(sys.argv[1:])
--- a/dependencies.dot
+++ b/dependencies.dot
@@ -0,0 +1,12 @@
 digraph containers {
 nextcloud -> db
 nextcloud -> openldap
 nextcloud -> haproxy
 haproxy -> nextcloud
 gogs -> db
 gogs -> openldap
 gogs -> haproxy
 haproxy -> gitea
 mail -> openldap
 sftp
 }
--- a/dependencies.png
+++ b/dependencies.png
--- a/dhs_start_on_boot.sh
+++ b/dhs_start_on_boot.sh
@@ -0,0 +1,35 @@
 #!/bin/bash

 # Create file at /etc/systemd/system/dhs.service:
 # [Unit]
 # Description=Start Docker home server

 # [Service]
 # ExecStart=/usr/local/bin/dhs_start_on_boot.sh

 # [Install]
 # WantedBy=default.target

 DHS_PATH=$HOME/docker_home_server
 cd ${DHS_PATH}

 # clean previous containers
 for i in $(docker ps -a | grep Exited | grep dhs | cut -f 1 -d " "); do
    docker rm $i;
 done;

 # start dhs
 docker-compose --compatibility -p dhs up -d

 # start kerberos
 #docker start kerberos_vol

 # wait (specially for Nextcloud)
 sleep 300

 # add DNS to pihole
 ${DHS_PATH}/add_dns_entries_noswarm.sh
 # add users
 ${DHS_PATH}/add_users_noswarm.sh
 # update Nextcloud apps
 ${DHS_PATH}/nextcloud_apps_after_update_noswarm.sh
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -156,6 +156,8 @@ services:
    environment:
      FTLCONF_dns_listeningMode: 'all'
    ports:
      #- "2053:53/tcp"
      #- "2053:53/udp"
      - "53:53/tcp"
      - "53:53/udp"
      # - "67:67/udp" # for DHCP
--- a/images/email/Dockerfile
+++ b/images/email/Dockerfile
@@ -1,4 +1,4 @@
 FROM debian:stretch
 FROM debian:buster

 ENV DEBIAN_FRONTEND=noninteractive

--- a/images/haproxy/Dockerfile
+++ b/images/haproxy/Dockerfile
@@ -1,4 +1,4 @@
 FROM debian:stretch
 FROM debian:buster

 RUN apt-get update && apt-get install -y haproxy cron certbot

--- a/images/haproxy/haproxy.cfg
+++ b/images/haproxy/haproxy.cfg
@@ -1,5 +1,8 @@
 global
    maxconn 4096
    # https://stackoverflow.com/a/50480260
    # https://serverfault.com/a/984667
    hard-stop-after 600s
    #tune.ssl.default-dh-param 2048

 defaults
@@ -22,13 +25,13 @@ frontend https-in
    #acl gitea-acl ssl_fc_sni ${GITEA_URL}
    acl nextcloud-acl ssl_fc_sni_reg ^${NEXTCLOUD_SERVER_NAME}\.
    acl gitea-acl ssl_fc_sni_reg ^${GITEA_SERVER_NAME}\.
    acl blog1-acl ssl_fc_sni_reg ^${BLOG_1_SERVER_NAME}\.
    #acl blog1-acl ssl_fc_sni_reg ^${BLOG_1_SERVER_NAME}\.
    acl hauk-acl ssl_fc_sni_reg ^${HAUK_SERVER_NAME}\.

    use_backend letsencrypt-backend if letsencrypt-acl
    use_backend nextcloud if nextcloud-acl
    use_backend gitea if gitea-acl
    use_backend blog1 if blog1-acl
    #use_backend blog1 if blog1-acl
    use_backend hauk if hauk-acl

    default_backend nextcloud
@@ -41,6 +44,10 @@ backend nextcloud
    #redirect http to https
    #redirect scheme https if !{ ssl_fc }

    # https://www.haproxy.com/de/blog/haproxy-and-http-strict-transport-security-hsts-header-in-http-redirects/
    # https://www.haproxy.com/blog/haproxy-and-http-strict-transport-security-hsts-header-in-http-redirects/
    http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload;"

    server nextcloud nextcloud:443 maxconn 32 check ssl verify none

 backend gitea
@@ -49,13 +56,13 @@ backend gitea

    server gitea gitea:2443 maxconn 32 check ssl verify none

 backend blog1
    # https://forum.ghost.org/t/cant-get-full-site-ssl/12478/6
    # https://blog.woodenstake.se/starting-a-blog-again/
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    server blog1 blog1:2368 maxconn 32
 #backend blog1
 #    # https://forum.ghost.org/t/cant-get-full-site-ssl/12478/6
 #    # https://blog.woodenstake.se/starting-a-blog-again/
 #    option forwardfor
 #    http-request set-header X-Forwarded-Port %[dst_port]
 #    http-request add-header X-Forwarded-Proto https if { ssl_fc }
 #    server blog1 blog1:2368 maxconn 32

 backend hauk
    server hauk hauk:80 maxconn 32
@@ -73,9 +80,10 @@ frontend http-in
    use_backend nextcloud-insecure if is_nextcloud
    use_backend gitea-insecure if is_gitea
    use_backend hauk-insecure if is_hauk
    default_backend pihole-insecure
    #default_backend pihole-insecure

 backend nextcloud-insecure
    http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload;"
    server nextcloud nextcloud:80 maxconn 32

 backend gitea-insecure
@@ -84,8 +92,8 @@ backend gitea-insecure
 backend hauk-insecure
    server hauk hauk:80 maxconn 32

 backend pihole-insecure
    server pihole pihole:80 maxconn 32
 #backend pihole-insecure
 #    server pihole pihole:80 maxconn 32

 # LE Backend
 backend letsencrypt-backend
--- a/images/mariadb/Dockerfile
+++ b/images/mariadb/Dockerfile
@@ -2,7 +2,7 @@
 # MariaDB Dockerfile

 # Pull base image.
 FROM debian:stretch
 FROM debian:buster

 ENV DEBIAN_FRONTEND=noninteractive

--- a/images/nextcloud/Dockerfile
+++ b/images/nextcloud/Dockerfile
@@ -10,7 +10,7 @@ ARG NEXTCLOUD_BACKUP_PATH
 RUN \
    wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg && \
    apt-get update && \
    apt-get install -y wget bzip2 vim rsync mariadb-client cron sudo php-imagick php7.4-gmp php7.4-intl && \
    apt-get install -y wget bzip2 vim rsync mariadb-client cron sudo php7.4-imagick php7.4-gmp php7.4-intl && \
    apt-get clean

 # Change upload-limits and -sizes
--- a/images/nextcloud/Dockerfile.template
+++ b/images/nextcloud/Dockerfile.template
@@ -10,7 +10,7 @@ ARG NEXTCLOUD_BACKUP_PATH
 RUN \
    wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg && \
    apt-get update && \
    apt-get install -y wget bzip2 vim rsync mariadb-client cron sudo php-imagick php7.4-gmp php7.4-intl && \
    apt-get install -y wget bzip2 vim rsync mariadb-client cron sudo php7.4-imagick php7.4-gmp php7.4-intl && \
    apt-get clean

 # Change upload-limits and -sizes
--- a/images/nextcloud/default
+++ b/images/nextcloud/default
@@ -58,6 +58,7 @@ server {
        fastcgi_param PATH_INFO $2;
        fastcgi_param HTTPS on;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_param PHP_VALUE "memory_limit = 512M";
    }

    location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
@@ -71,6 +72,7 @@ server {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param PHP_VALUE "memory_limit = 512M";
        include fastcgi_params;
    }

--- a/images/nextcloud/docker-entrypoint.sh
+++ b/images/nextcloud/docker-entrypoint.sh
@@ -117,7 +117,7 @@ echo "Configuring Nextcloud"
 cd /var/www/nextcloud
 # https://github.com/nextcloud/server/pull/18130#issuecomment-604518403
 sudo -u www-data rm -Rf /srv/nextcloud/data/admin
 sudo -u www-data php occ maintenance:install --database "mysql" --database-host ${DB_HOST} --database-name ${NEXTCLOUD_DB_NAME}  --database-user ${NEXTCLOUD_DB_USER} --database-pass ${NEXTCLOUD_DB_PWD} --admin-user "admin" --admin-pass ${NEXTCLOUD_ADMIN_PWD} --data-dir ${NEXTCLOUD_DATA_PATH}
 sudo -u www-data php occ maintenance:install --database "mysql" --database-host ${DB_HOST} --database-name ${NEXTCLOUD_DB_NAME}  --database-user ${NEXTCLOUD_DB_USER} --database-pass ${NEXTCLOUD_DB_PWD} --admin-user "admin" --admin-pass ${NEXTCLOUD_ADMIN_PWD} --data-dir ${NEXTCLOUD_DATA_PATH} | echo "maintenance:install gone!"
 check_result $? "Initializing Config"
 # Password salt and secret are used by Passman and must remain the same after
 # restarting of the instance, otherwise vaults would become inaccessible
--- a/images/nginx-php/Dockerfile
+++ b/images/nginx-php/Dockerfile
@@ -7,9 +7,11 @@ RUN apt-get update && \
    sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'
 # update and install php
 RUN apt-get update && \
    apt-get install -y php7.4 php7.4-fpm php-pear php7.4-common \
    php7.4-mysql php7.4-cli php7.4-gd php7.4-curl php-apcu php7.4-opcache \
    php7.4-mbstring php7.4-ldap php7.4-zip php7.4-intl && \
    apt-get install -y --allow-unauthenticated \
    php7.4 php7.4-fpm php-pear php7.4-common \
    php7.4-mysql php7.4-cli php7.4-gd php7.4-curl php7.4-apcu php7.4-opcache \
    php7.4-mbstring php7.4-ldap php7.4-zip php7.4-intl php7.4-imagick \
    php7.4-bcmath php7.4-xml && \
    apt-get clean

 # overwrite the default-configuration with our own settings - enabling PHP
--- a/images/nginx-php/Dockerfile.template
+++ b/images/nginx-php/Dockerfile.template
@@ -7,9 +7,11 @@ RUN apt-get update && \
    sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'
 # update and install php
 RUN apt-get update && \
    apt-get install -y php7.4 php7.4-fpm php-pear php7.4-common \
    php7.4-mysql php7.4-cli php7.4-gd php7.4-curl php-apcu php7.4-opcache \
    php7.4-mbstring php7.4-ldap php7.4-zip php7.4-intl && \
    apt-get install -y --allow-unauthenticated \
    php7.4 php7.4-fpm php-pear php7.4-common \
    php7.4-mysql php7.4-cli php7.4-gd php7.4-curl php7.4-apcu php7.4-opcache \
    php7.4-mbstring php7.4-ldap php7.4-zip php7.4-intl php7.4-imagick \
    php7.4-bcmath php7.4-xml && \
    apt-get clean

 # overwrite the default-configuration with our own settings - enabling PHP
--- a/images/nginx-php/default
+++ b/images/nginx-php/default
@@ -45,7 +45,7 @@ server {

 	# Only for nginx-naxsi used with nginx-naxsi-ui : process denied requests
 	#location /RequestDenied {
 	#	proxy_pass http://127.0.0.1:8080;    
 	#	proxy_pass http://127.0.0.1:8080;
 	#}

 	#error_page 404 /404.html;
@@ -63,10 +63,10 @@ server {
 	#	fastcgi_split_path_info ^(.+\.php)(/.+)$;
 	#	# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
 	#
 	#	# With php7.0-cgi alone:
 	#	# With php7.4-cgi alone:
 	#	fastcgi_pass 127.0.0.1:9000;
 	#	# With php7.0-fpm:
 	#	fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
 	#	# With php7.4-fpm:
 	#	fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
 	#	fastcgi_index index.php;
 	#	include fastcgi_params;
 	#}
@@ -83,11 +83,12 @@ server {
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param PHP_VALUE "memory_limit = 512M";
        include fastcgi_params;
    }
                    

    # deny access to .htaccess files
    location ~ /\.ht {
        deny all;
--- a/images/openldap/Dockerfile
+++ b/images/openldap/Dockerfile
@@ -1,4 +1,4 @@
 FROM debian:stretch
 FROM debian:buster

 # Add openldap user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added
 RUN groupadd -r openldap && useradd -r -g openldap -u 999 openldap
--- a/images/sftp/Dockerfile
+++ b/images/sftp/Dockerfile
@@ -1,4 +1,4 @@
 FROM debian:stretch
 FROM debian:buster

 # Install dependencies
 RUN apt-get update \
--- a/set_arch.sh
+++ b/set_arch.sh
@@ -9,17 +9,17 @@ fi
 case ${ARCH} in
    #'rpi') IMAGE='resin/raspberrypi3-debian:latest' ;;
    'rpi')
        IMAGE='arm32v7/debian:stretch'
        IMAGE='arm32v7/debian:buster'
        ARCH_PREFIX='rpi'
        GO_ARCH='armv6l'
        ;;
    'arm64')
        IMAGE='arm64v7/debian:stretch'
        IMAGE='arm64v7/debian:buster'
        ARCH_PREFIX='arm64'
        GO_ARCH='arm64'
        ;;
    'amd64')
        IMAGE='debian:stretch'
        IMAGE='debian:buster'
        ARCH_PREFIX='amd64'
        GO_ARCH='amd64'
        ;;