wip6

.gitignore

@@ -7,6 +7,9 @@ config/server.json
 config/*.bu
 config/*.ign
 
+# website
+website/sendgrid.key
+
 # minecraft
 minecraft/server.properties
 
@@ -20,10 +23,7 @@ terraria/*.txt
 
 
 
-# website
+
-website/gitea
-website/certbot
-website/sendgrid.key
 
 # nas
 nas/*.json

README.md

@@ -15,7 +15,7 @@ Services deployed on [matthewtran.com](https://matthewtran.com).
 ## setup
 
 1. Designate one computer as the configuration server. Create `config/server.json` which contains the configuration for the server to be provisioned. Reference `config/server.default` for fields. Run the following.
-    - `scripts/provision.py`
+    - `config/provision.py`
 2. Create a [Fedora CoreOS](https://fedoraproject.org/coreos/download?stream=stable) installation media and boot it on the server to be provisioned. Run the following on it and reboot.
     - `sudo coreos-installer install /dev/<boot drive> --ignition-url http://<config server ip>/server.ign --insecure-ignition`
 

config/provision.py

@@ -16,6 +16,11 @@ UIDS = {
 }
 
 PORTS = {
+    "web": [
+        "80:80", # website
+        "443:443",
+        "2222:2222", # gitea
+    ],
     "monero": [
         "18080:18080", # monerod
         "18081:18081",
@@ -202,13 +207,20 @@ def copy_source():
             "user": { "name": "core" },
             "group": { "name": "core" },
         })
-        for f in Path(i).glob("*"):
+        for f in Path(i).glob("**/*"):
-            but["storage"]["files"].append({
+            if f.is_dir():
-                "path": str(Path(SOURCE_DIR) / f),
+                but["storage"]["directories"].append({
-                "contents": { "inline": open(f, "r").read() },
+                    "path": str(Path(SOURCE_DIR) / f),
-                "user": { "name": "core" },
+                    "user": { "name": "core" },
-                "group": { "name": "core" },
+                    "group": { "name": "core" },
-            })
+                })
+            else:
+                but["storage"]["files"].append({
+                    "path": str(Path(SOURCE_DIR) / f),
+                    "contents": { "inline": open(f, "rb").read() },
+                    "user": { "name": "core" },
+                    "group": { "name": "core" },
+                })
 
 def build_images():
     but["storage"]["directories"].append({ "path": "/etc/containers/systemd/users" })
@@ -255,7 +267,7 @@ def run_containers():
                     f"ContainerName={img}",
                     f"Image={img}.build",
                     f"Pod={user}.pod",
-                    f"Volume={str(Path(cfg["core"]["data_dir"]) / img)}:/root/data:z",
+                    f"Volume={str(Path(cfg["core"]["data_dir"]) / img)}:/data:z",
                     "[Install]",
                     "WantedBy=default.target",
                 ])}
@@ -287,10 +299,10 @@ if __name__ == "__main__":
     run_containers()
 
 
-    # TODO add rest of containers
+    # TODO add nas
-        # add core to nas group
+    # TODO restrict access to source code...
+        # add core to all groups => owned by users only access by them too
     # TODO script to backup => restore backup if desired
-    # TODO reduce disk logging?
 
 
     # TODO generate ISO, else nginx if --insecure

config/server.default

@@ -16,6 +16,9 @@
             "wipe": false
         }
     ],
+    "website": {
+        "sendgrid_key": "<SendGrid API key from https://app.sendgrid.com/settings/api_keys>"
+    },
     "minecraft": {
         "world": "main"
     },

config/update.py

@@ -3,11 +3,14 @@
 import json
 import shutil
 import subprocess
-from pathlib import Path
 
 SOURCE_DIR = "/var/source"
 
 IMAGES = {
+    "web": [
+        "website",
+        "gitea",
+    ],
     "monero": [
         "monerod",
         "p2pool",
@@ -20,10 +23,14 @@ IMAGES = {
 }
 
 def generate(cfg):
+    # website
+    with open("website/sendgrid.key", "w") as f:
+        f.write(cfg["website"]["sendgrid_key"])
+
     # minecraft
     shutil.copy("minecraft/server.default", "minecraft/server.properties")
     with open("minecraft/server.properties", "a") as f:
-        f.write(f"level-name=data/{cfg["minecraft"]["world"]}\n")
+        f.write(f"level-name=/data/{cfg["minecraft"]["world"]}\n")
 
     # minecraft_bedrock
     shutil.copy("minecraft_bedrock/server.default", "minecraft_bedrock/server.properties")
@@ -33,7 +40,7 @@ def generate(cfg):
     # terraria
     shutil.copy("terraria/config.default", "terraria/config.txt")
     with open("terraria/config.txt", "a") as f:
-        f.write(f"world=/root/data/worlds/{cfg["terraria"]["world"]}.wld\n")
+        f.write(f"world=/data/worlds/{cfg["terraria"]["world"]}.wld\n")
         f.write(f"autocreate={cfg["terraria"]["autogen"]["size"]}\n") # 1=small, 2=medium, 3=large
         f.write(f"difficulty={cfg["terraria"]["autogen"]["difficulty"]}\n") # 0=normal, 1=expert, 2=master, 3=journey
     with open("terraria/password.txt", "w") as f:

gitea/Dockerfile

@@ -0,0 +1,7 @@
+FROM docker.io/gitea/gitea:1.23.7
+
+# After boot, recommended to modify the following in gitea/conf/app.ini
+# SSH_LISTEN_PORT=2222
+# DISABLE_REGISTRATION=true
+# ENABLE_OPENID_SIGNIN=false
+# ENABLE_OPENID_SIGNUP=false

minecraft_bedrock/Dockerfile

@@ -13,5 +13,5 @@ COPY entry.sh ./
 COPY permissions.json ./
 COPY server.properties ./
 
-RUN ln -s /root/data /root/worlds
+RUN ln -s /data /root/worlds
 CMD ["/bin/bash", "/root/entry.sh"]

monerod/entry.sh

@@ -3,7 +3,7 @@
 # check bitmonero.log for log
 monero/monerod \
     --prune-blockchain \
-    --data-dir /root/data \
+    --data-dir /data \
     --rpc-bind-port 18089 \
     --rpc-restricted-bind-ip 0.0.0.0 \
     --rpc-restricted-bind-port 18081 \

p2pool/entry.sh

@@ -1,7 +1,6 @@
 #!/bin/sh
 
-mkdir -p data
+cd /data
-cd data
 exec ~/p2pool \
     --mini \
     --host 127.0.0.1 \

terraria/config.default

@@ -3,10 +3,10 @@ worldname=poopy
 
 # server options
 motd=poopy
-worldpath=/root/data/worlds
+worldpath=/data/worlds
 secure=1
 
 # tmodloader options
-modpath=/root/data/mods
+modpath=/data/mods
 
 # generated options

website/.dockerignore

@@ -1,2 +0,0 @@
-gitea
-certbot

website/Dockerfile

@@ -8,12 +8,11 @@ RUN apt-get update && apt-get -y upgrade
 RUN apt-get install -y nginx certbot python3-pip
 RUN pip3 install sendgrid --break-system-packages
 
-RUN groupadd -g 2000 me && useradd -u 2000 -g 2000 -m me
+WORKDIR /root
-USER me
-WORKDIR /home/me
-RUN mkdir nginx certbot
 
 # TODO make the website code not terrible ;-;
-COPY --chown=me:me html ./html
+COPY html /var/www/html
-COPY --chown=me:me sendgrid.ke[y] ip_update.py ./
+COPY sendgrid.key ip.py ./
-COPY --chown=me:me server.conf entry.sh ./
+COPY server.conf entry.sh ./
+
+CMD ["/bin/bash", "/root/entry.sh"]

website/entry.sh

@@ -2,10 +2,9 @@
 
 # get certs if needed
 certbot certonly --standalone \
-    --http-01-port 8080 \
+    --config-dir /data \
-    --config-dir ~/certbot \
+    --work-dir /data/work \
-    --work-dir ~/certbot/work \
+    --logs-dir /data/logs \
-    --logs-dir ~/certbot/logs \
     --non-interactive --agree-tos -m matthewlamtran@berkeley.edu \
     -d matthewtran.com \
     -d www.matthewtran.com \
@@ -14,16 +13,16 @@ certbot certonly --standalone \
 # background process to renew certs and check ip changes
 update() {
     certbot renew --quiet \
-        --config-dir ~/certbot \
+        --config-dir /data \
-        --work-dir ~/certbot/work \
+        --work-dir /data/work \
-        --logs-dir ~/certbot/logs
+        --logs-dir /data/logs
     sleep 86400
 }
 update &
-./ip_update.py &
+./ip.py &
 
 # run server
 nginx -c ~/server.conf
-trap 'echo "stopping website..."' TERM
+trap 'echo "stopping website..."' SIGTERM SIGINT
 tail -f /dev/null &
 wait $!

website/server.conf

@@ -1,6 +1,5 @@
 # adapted from /etc/nginx/nginx.conf
 worker_processes auto;
-pid /home/me/nginx/site.pid;
 error_log /dev/stderr;
 
 events {
@@ -15,42 +14,37 @@ http {
 
     ssl_protocols TLSv1.2 TLSv1.3;
     ssl_prefer_server_ciphers on;
-    ssl_certificate     /home/me/certbot/live/matthewtran.com/fullchain.pem;
+    ssl_certificate     /data/live/matthewtran.com/fullchain.pem;
-    ssl_certificate_key /home/me/certbot/live/matthewtran.com/privkey.pem;
+    ssl_certificate_key /data/live/matthewtran.com/privkey.pem;
 
     include /etc/nginx/mime.types;
     default_type application/octet-stream;
 
-    access_log            /dev/stdout;
+    access_log /dev/stdout;
-    client_body_temp_path /home/me/nginx/body;
-    proxy_temp_path       /home/me/nginx/proxy;
-    fastcgi_temp_path     /home/me/nginx/fastcgi;
-    uwsgi_temp_path       /home/me/nginx/uwsgi;
-    scgi_temp_path        /home/me/nginx/scgi;
 
     # SSL redirect
     server {
-        listen 8080 default_server;
+        listen 80 default_server;
-        listen [::]:8080 default_server;
+        listen [::]:80 default_server;
         server_name _;
         return 301 https://$host$request_uri;
     }
 
     # default
     server {
-        listen 8443 ssl default_server;
+        listen 443 ssl default_server;
-        listen [::]:8443 ssl default_server;
+        listen [::]:443 ssl default_server;
         server_name _;
         return 404;
     }
 
     # website
     server {
-        listen 8443 ssl;
+        listen 443 ssl;
-        listen [::]:8443 ssl;
+        listen [::]:443 ssl;
         server_name matthewtran.com www.matthewtran.com;
 
-        root /home/me/html;
+        root /var/www/html;
         index index.html;
         location / {
             try_files $uri $uri/ =404;
@@ -59,13 +53,13 @@ http {
 
     # gitea
     server {
-        listen 8443 ssl;
+        listen 443 ssl;
-        listen [::]:8443 ssl;
+        listen [::]:443 ssl;
         server_name git.matthewtran.com;
 
         location / {
             client_max_body_size 512M;
-            proxy_pass http://gitea:3000;
+            proxy_pass http://127.0.0.1:3000;
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;