From 007243c99e22b4029d9a146d2528aad4dc7820d1 Mon Sep 17 00:00:00 2001 From: Matthew Tran Date: Sun, 4 May 2025 04:34:20 -0700 Subject: [PATCH] wip6 --- .gitignore | 8 ++++---- README.md | 2 +- {scripts => config}/provision.py | 34 +++++++++++++++++++++----------- config/server.default | 3 +++ {scripts => config}/update.py | 13 +++++++++--- gitea/Dockerfile | 7 +++++++ minecraft_bedrock/Dockerfile | 2 +- monerod/entry.sh | 2 +- p2pool/entry.sh | 3 +-- terraria/config.default | 4 ++-- website/.dockerignore | 2 -- website/Dockerfile | 13 ++++++------ website/entry.sh | 17 ++++++++-------- website/{ip_update.py => ip.py} | 0 website/server.conf | 32 ++++++++++++------------------ 15 files changed, 80 insertions(+), 62 deletions(-) rename {scripts => config}/provision.py (91%) rename {scripts => config}/update.py (87%) create mode 100644 gitea/Dockerfile delete mode 100644 website/.dockerignore rename website/{ip_update.py => ip.py} (100%) diff --git a/.gitignore b/.gitignore index 1b3aa67..0171851 100644 --- a/.gitignore +++ b/.gitignore @@ -7,6 +7,9 @@ config/server.json config/*.bu config/*.ign +# website +website/sendgrid.key + # minecraft minecraft/server.properties @@ -20,10 +23,7 @@ terraria/*.txt -# website -website/gitea -website/certbot -website/sendgrid.key + # nas nas/*.json diff --git a/README.md b/README.md index b5135e2..9f0883e 100644 --- a/README.md +++ b/README.md 
@@ -15,7 +15,7 @@ Services deployed on [matthewtran.com](https://matthewtran.com). ## setup 1. Designate one computer as the configuration server. Create `config/server.json` which contains the configuration for the server to be provisioned. Reference `config/server.default` for fields. Run the following. - - `scripts/provision.py` + - `config/provision.py` 2. Create a [Fedora CoreOS](https://fedoraproject.org/coreos/download?stream=stable) installation media and boot it on the server to be provisioned. Run the following on it and reboot. - `sudo coreos-installer install /dev/ --ignition-url http:///server.ign --insecure-ignition` diff --git a/scripts/provision.py b/config/provision.py similarity index 91% rename from scripts/provision.py rename to config/provision.py index 816567e..4450eef 100755 --- a/scripts/provision.py +++ b/config/provision.py @@ -16,6 +16,11 @@ UIDS = { } PORTS = { + "web": [ + "80:80", # website + "443:443", + "2222:2222", # gitea + ], "monero": [ "18080:18080", # monerod "18081:18081", @@ -202,13 +207,20 @@ def copy_source(): "user": { "name": "core" }, "group": { "name": "core" }, }) - for f in Path(i).glob("*"): - but["storage"]["files"].append({ - "path": str(Path(SOURCE_DIR) / f), - "contents": { "inline": open(f, "r").read() }, - "user": { "name": "core" }, - "group": { "name": "core" }, - }) + for f in Path(i).glob("**/*"): + if f.is_dir(): + but["storage"]["directories"].append({ + "path": str(Path(SOURCE_DIR) / f), + "user": { "name": "core" }, + "group": { "name": "core" }, + }) + else: + but["storage"]["files"].append({ + "path": str(Path(SOURCE_DIR) / f), + "contents": { "inline": open(f, "rb").read() }, + "user": { "name": "core" }, + "group": { "name": "core" }, + }) def build_images(): but["storage"]["directories"].append({ "path": "/etc/containers/systemd/users" }) 
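Review bot: In the new `else` branch of copy_source the file is read with `open(f, "rb").read()`, so `contents.inline` now holds bytes where the replaced code stored a str, and the handle is never closed; if `but` is later dumped to JSON/YAML for butane (not visible here) bytes will not serialize. If the copied files are text, `"contents": { "inline": f.read_text() },` keeps the old representation and closes the file; a genuinely binary file would need a base64 data `source` instead of `inline`. Separately, `glob("**/*")` now recurses into the image directories, so anything generated there — including `website/sendgrid.key`, which update.py writes — is inlined into the Ignition config that the README serves over plain HTTP with `--insecure-ignition`; consider skipping secret files in this loop and delivering them at runtime. copy_source begins before this hunk, so the set of directories iterated as `i` is not visible.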
@@ -255,7 +267,7 @@ def run_containers(): f"ContainerName={img}", f"Image={img}.build", f"Pod={user}.pod", - f"Volume={str(Path(cfg["core"]["data_dir"]) / img)}:/root/data:z", + f"Volume={str(Path(cfg["core"]["data_dir"]) / img)}:/data:z", "[Install]", "WantedBy=default.target", ])} @@ -287,10 +299,10 @@ if __name__ == "__main__": run_containers() - # TODO add rest of containers - # add core to nas group + # TODO add nas + # TODO restrict access to source code... + # add core to all groups => owned by users only access by them too # TODO script to backup => restore backup if desired - # TODO reduce disk logging? # TODO generate ISO, else nginx if --insecure diff --git a/config/server.default b/config/server.default index 4131750..8159ce7 100644 --- a/config/server.default +++ b/config/server.default @@ -16,6 +16,9 @@ "wipe": false } ], + "website": { + "sendgrid_key": "" + }, "minecraft": { "world": "main" }, diff --git a/scripts/update.py b/config/update.py similarity index 87% rename from scripts/update.py rename to config/update.py index 8fed18d..4c9c628 100755 --- a/scripts/update.py +++ b/config/update.py @@ -3,11 +3,14 @@ import json import shutil import subprocess -from pathlib import Path SOURCE_DIR = "/var/source" IMAGES = { + "web": [ + "website", + "gitea", + ], "monero": [ "monerod", "p2pool", @@ -20,10 +23,14 @@ IMAGES = { } def generate(cfg): + # website + with open("website/sendgrid.key", "w") as f: + f.write(cfg["website"]["sendgrid_key"]) + # minecraft shutil.copy("minecraft/server.default", "minecraft/server.properties") with open("minecraft/server.properties", "a") as f: - f.write(f"level-name=data/{cfg["minecraft"]["world"]}\n") + f.write(f"level-name=/data/{cfg["minecraft"]["world"]}\n") # minecraft_bedrock shutil.copy("minecraft_bedrock/server.default", "minecraft_bedrock/server.properties") 
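Review bot: `open("website/sendgrid.key", "w")` in generate() creates the key file with the process umask, typically mode 0644, so the API key becomes readable by every local account on the configuration server. Create it with restrictive permissions from the start, e.g. `fd = os.open("website/sendgrid.key", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` and `with open(fd, "w") as f:` (adding `import os` at the top if it is not already there), or call `os.chmod(..., 0o600)` immediately after writing. The same consideration applies to the existing `terraria/password.txt` write further down, which this commit does not touch.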
@@ -33,7 +40,7 @@ def generate(cfg): # terraria shutil.copy("terraria/config.default", "terraria/config.txt") with open("terraria/config.txt", "a") as f: - f.write(f"world=/root/data/worlds/{cfg["terraria"]["world"]}.wld\n") + f.write(f"world=/data/worlds/{cfg["terraria"]["world"]}.wld\n") f.write(f"autocreate={cfg["terraria"]["autogen"]["size"]}\n") # 1=small, 2=medium, 3=large f.write(f"difficulty={cfg["terraria"]["autogen"]["difficulty"]}\n") # 0=normal, 1=expert, 2=master, 3=journey with open("terraria/password.txt", "w") as f: diff --git a/gitea/Dockerfile b/gitea/Dockerfile new file mode 100644 index 0000000..bc0bb43 --- /dev/null +++ b/gitea/Dockerfile @@ -0,0 +1,7 @@ +FROM docker.io/gitea/gitea:1.23.7 + +# After boot, recommended to modify the following in gitea/conf/app.ini +# SSH_LISTEN_PORT=2222 +# DISABLE_REGISTRATION=true +# ENABLE_OPENID_SIGNIN=false +# ENABLE_OPENID_SIGNUP=false diff --git a/minecraft_bedrock/Dockerfile b/minecraft_bedrock/Dockerfile index e302776..4d280b1 100644 --- a/minecraft_bedrock/Dockerfile +++ b/minecraft_bedrock/Dockerfile @@ -13,5 +13,5 @@ COPY entry.sh ./ COPY permissions.json ./ COPY server.properties ./ -RUN ln -s /root/data /root/worlds +RUN ln -s /data /root/worlds CMD ["/bin/bash", "/root/entry.sh"] diff --git a/monerod/entry.sh b/monerod/entry.sh index 65d27a1..99b6bbe 100644 --- a/monerod/entry.sh +++ b/monerod/entry.sh @@ -3,7 +3,7 @@ # check bitmonero.log for log monero/monerod \ --prune-blockchain \ - --data-dir /root/data \ + --data-dir /data \ --rpc-bind-port 18089 \ --rpc-restricted-bind-ip 0.0.0.0 \ --rpc-restricted-bind-port 18081 \ diff --git a/p2pool/entry.sh b/p2pool/entry.sh index ad956fb..0068b76 100644 --- a/p2pool/entry.sh +++ b/p2pool/entry.sh @@ -1,7 +1,6 @@ #!/bin/sh -mkdir -p data -cd data +cd /data exec ~/p2pool \ --mini \ --host 127.0.0.1 \ diff --git a/terraria/config.default b/terraria/config.default index 53461a3..15ac03d 100644 --- a/terraria/config.default +++ b/terraria/config.default 
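Review bot: The new gitea/Dockerfile leaves the hardening as a comment to apply by hand "after boot", which means registration is open and the built-in SSH server listens on its default port from first boot until someone edits app.ini; meanwhile provision.py maps `2222:2222`, so the comment's `SSH_LISTEN_PORT=2222` is required for the mapping to reach gitea at all. The gitea image reads `GITEA__<section>__<KEY>` environment variables into app.ini, so these settings can be baked into the image: `ENV GITEA__server__SSH_LISTEN_PORT=2222`, `ENV GITEA__service__DISABLE_REGISTRATION=true`, and the same form for the two `[openid]` keys. That removes the window and makes the Dockerfile self-describing instead of relying on a post-boot checklist.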
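Review bot: `cd /data` replaces `mkdir -p data; cd data`, but the script has no `set -e`, so if /data is missing or the volume is not mounted the `cd` fails and `exec ~/p2pool` still runs in the original working directory, silently writing its state outside the persistent volume. Guard the change of directory: `cd /data || exit 1`. The rest of the exec line continues outside this hunk.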
@@ -3,10 +3,10 @@ worldname=poopy # server options motd=poopy -worldpath=/root/data/worlds +worldpath=/data/worlds secure=1 # tmodloader options -modpath=/root/data/mods +modpath=/data/mods # generated options diff --git a/website/.dockerignore b/website/.dockerignore deleted file mode 100644 index f55a997..0000000 --- a/website/.dockerignore +++ /dev/null @@ -1,2 +0,0 @@ -gitea -certbot diff --git a/website/Dockerfile b/website/Dockerfile index c0a2350..c31a568 100644 --- a/website/Dockerfile +++ b/website/Dockerfile @@ -8,12 +8,11 @@ RUN apt-get update && apt-get -y upgrade RUN apt-get install -y nginx certbot python3-pip RUN pip3 install sendgrid --break-system-packages -RUN groupadd -g 2000 me && useradd -u 2000 -g 2000 -m me -USER me -WORKDIR /home/me -RUN mkdir nginx certbot +WORKDIR /root # TODO make the website code not terrible ;-; -COPY --chown=me:me html ./html -COPY --chown=me:me sendgrid.ke[y] ip_update.py ./ -COPY --chown=me:me server.conf entry.sh ./ +COPY html /var/www/html +COPY sendgrid.key ip.py ./ +COPY server.conf entry.sh ./ + +CMD ["/bin/bash", "/root/entry.sh"] diff --git a/website/entry.sh b/website/entry.sh index 0adbcb7..834267e 100644 --- a/website/entry.sh +++ b/website/entry.sh @@ -2,10 +2,9 @@ # get certs if needed certbot certonly --standalone \ - --http-01-port 8080 \ - --config-dir ~/certbot \ - --work-dir ~/certbot/work \ - --logs-dir ~/certbot/logs \ + --config-dir /data \ + --work-dir /data/work \ + --logs-dir /data/logs \ --non-interactive --agree-tos -m matthewlamtran@berkeley.edu \ -d matthewtran.com \ -d www.matthewtran.com \ 
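Review bot: Dropping the `groupadd`/`useradd`/`USER me` lines means nginx, certbot and ip.py now all run as uid 0 inside the container, and the visible part of server.conf has no `user` directive, so worker processes fall back to whatever nginx was built with. If the only motivation is binding 80/443, an alternative that keeps the privilege drop is to keep listening on 8080/8443 as the unprivileged user and publish `80:8080`/`443:8443` in provision.py's PORTS; otherwise consider at least `user www-data;` in server.conf so only the nginx master runs as root. The switch from `sendgrid.ke[y]` to `COPY sendgrid.key ip.py ./` also bakes the SendGrid key into an image layer; mounting it at runtime (a podman secret or a bind-mounted file) keeps it out of the image and out of the source tree that provision.py inlines.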
@@ -14,16 +13,16 @@ certbot certonly --standalone \ # background process to renew certs and check ip changes update() { certbot renew --quiet \ - --config-dir ~/certbot \ - --work-dir ~/certbot/work \ - --logs-dir ~/certbot/logs + --config-dir /data \ + --work-dir /data/work \ + --logs-dir /data/logs sleep 86400 } update & -./ip_update.py & +./ip.py & # run server nginx -c ~/server.conf -trap 'echo "stopping website..."' TERM +trap 'echo "stopping website..."' SIGTERM SIGINT tail -f /dev/null & wait $! diff --git a/website/ip_update.py b/website/ip.py similarity index 100% rename from website/ip_update.py rename to website/ip.py diff --git a/website/server.conf b/website/server.conf index 1b0a292..0c280b7 100644 --- a/website/server.conf +++ b/website/server.conf @@ -1,6 +1,5 @@ # adapted from /etc/nginx/nginx.conf worker_processes auto; -pid /home/me/nginx/site.pid; error_log /dev/stderr; events { 
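Review bot: The `update` function, whose body is fully visible in this hunk, runs `certbot renew` once, sleeps 86400 seconds and then returns — there is no loop — so renewal only ever happens at container start and certificates will lapse on a long-running container despite the comment calling it a background renewer. Wrap the body: `while true; do certbot renew --quiet --config-dir /data --work-dir /data/work --logs-dir /data/logs; sleep 86400; done`. On the changed `trap` line it would also be worth sending `nginx -s quit` before the echo so in-flight requests finish when the unit is stopped.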
@@ -15,42 +14,37 @@ http { ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; - ssl_certificate /home/me/certbot/live/matthewtran.com/fullchain.pem; - ssl_certificate_key /home/me/certbot/live/matthewtran.com/privkey.pem; + ssl_certificate /data/live/matthewtran.com/fullchain.pem; + ssl_certificate_key /data/live/matthewtran.com/privkey.pem; include /etc/nginx/mime.types; default_type application/octet-stream; - access_log /dev/stdout; - client_body_temp_path /home/me/nginx/body; - proxy_temp_path /home/me/nginx/proxy; - fastcgi_temp_path /home/me/nginx/fastcgi; - uwsgi_temp_path /home/me/nginx/uwsgi; - scgi_temp_path /home/me/nginx/scgi; + access_log /dev/stdout; # SSL redirect server { - listen 8080 default_server; - listen [::]:8080 default_server; + listen 80 default_server; + listen [::]:80 default_server; server_name _; return 301 https://$host$request_uri; } # default server { - listen 8443 ssl default_server; - listen [::]:8443 ssl default_server; + listen 443 ssl default_server; + listen [::]:443 ssl default_server; server_name _; return 404; } # website server { - listen 8443 ssl; - listen [::]:8443 ssl; + listen 443 ssl; + listen [::]:443 ssl; server_name matthewtran.com www.matthewtran.com; - root /home/me/html; + root /var/www/html; index index.html; location / { try_files $uri $uri/ =404; @@ -59,13 +53,13 @@ http { # gitea server { - listen 8443 ssl; - listen [::]:8443 ssl; + listen 443 ssl; + listen [::]:443 ssl; server_name git.matthewtran.com; location / { client_max_body_size 512M; - proxy_pass http://gitea:3000; + proxy_pass http://127.0.0.1:3000; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
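Review bot: The `listen 443 ssl` server blocks rewritten in this hunk and in the gitea hunk below send no `Strict-Transport-Security` header, so after the port-80 `return 301` clients still begin every later visit over plain HTTP. Add `add_header Strict-Transport-Security "max-age=31536000" always;` once in the `http` block (or in each TLS server) now that the site is on the standard ports. In the gitea `location /`, if no `proxy_set_header X-Forwarded-Proto $scheme;` follows outside the hunk, gitea will not know the request arrived over TLS; the location block continues past the last line shown.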