further secure containers

Matthew Tran 2025-02-19 22:17:31 -08:00
parent 36c4019c01
commit e7b4e8aa46
15 changed files with 129 additions and 94 deletions


@ -1,6 +1,6 @@
# matthewtran.com # matthewtran.com
Stuff that's deployed on [matthewtran.com](https://matthewtran.com). Currently running the following services. Services deployed on [matthewtran.com](https://matthewtran.com).
- website - website
- gitea ([git.matthewtran.com](https://git.matthewtran.com)) - gitea ([git.matthewtran.com](https://git.matthewtran.com))
@ -8,8 +8,8 @@ Stuff that's deployed on [matthewtran.com](https://matthewtran.com). Currently r
- p2pool (`xmrig -o matthewtran.com`) - p2pool (`xmrig -o matthewtran.com`)
- wireguard - wireguard
- minecraft - minecraft
- ~~minecraft bedrock~~ - minecraft bedrock
- ~~terraria~~ - terraria
## setup ## setup


@ -17,23 +17,30 @@ networks:
config: config:
- subnet: "172.22.0.0/16" - subnet: "172.22.0.0/16"
- subnet: "fd3a:138e:8fd0:0022::/64" - subnet: "fd3a:138e:8fd0:0022::/64"
nas:
enable_ipv6: true
ipam:
config:
- subnet: "172.23.0.0/16"
- subnet: "fd3a:138e:8fd0:0023::/64"
services: services:
website: website:
restart: always restart: always
build: website/. build: website/.
entrypoint: ["/bin/sh", "/home/ubuntu/entry.sh"] entrypoint: ["/bin/sh", "/home/me/entry.sh"]
ports: ports:
- "80:8080" - "80:8080"
- "443:8443" - "443:8443"
networks: networks:
- web - web
volumes: volumes:
- ./website/certbot:/home/ubuntu/certbot - ./website/certbot:/home/me/certbot
cap_drop: cap_drop:
- ALL - ALL
gitea: gitea:
restart: always restart: always
image: gitea/gitea:latest-rootless image: gitea/gitea:latest-rootless
user: "2000:2000"
ports: ports:
- "2222:2222" - "2222:2222"
networks: networks:
@ -48,7 +55,7 @@ services:
monerod: monerod:
restart: always restart: always
build: monerod/. build: monerod/.
entrypoint: ["/bin/sh", "/home/ubuntu/entry.sh"] entrypoint: ["/bin/sh", "/home/me/entry.sh"]
stdin_open: true stdin_open: true
tty: true tty: true
ports: ports:
@ -57,14 +64,14 @@ services:
networks: networks:
- monero - monero
volumes: volumes:
- ./monerod/.bitmonero:/home/ubuntu/.bitmonero - ./monerod/.bitmonero:/home/me/.bitmonero
cap_drop: cap_drop:
- ALL - ALL
p2pool: p2pool:
stop_grace_period: 1m # TODO reduce m_shutdownCountdown to reduce this stop_grace_period: 1m # TODO reduce m_shutdownCountdown to reduce this
restart: always restart: always
build: p2pool/. build: p2pool/.
entrypoint: ["/bin/sh", "/home/ubuntu/entry.sh"] entrypoint: ["/bin/sh", "/home/me/entry.sh"]
stdin_open: true stdin_open: true
tty: true tty: true
ports: ports:
@ -74,43 +81,43 @@ services:
networks: networks:
- monero - monero
volumes: volumes:
- ./p2pool/cache:/home/ubuntu/cache - ./p2pool/cache:/home/me/cache
cap_drop: cap_drop:
- ALL - ALL
minecraft: minecraft:
restart: always restart: always
build: minecraft/. build: minecraft/.
entrypoint: ["/bin/sh", "/home/ubuntu/entry.sh"] entrypoint: ["/bin/sh", "/home/me/entry.sh"]
ports: ports:
- "25565:25565" - "25565:25565"
networks: networks:
- game - game
volumes: volumes:
- ./minecraft/worlds:/home/ubuntu/worlds - ./minecraft/worlds:/home/me/worlds
cap_drop:
- ALL
minecraft_bedrock:
restart: always
build: minecraft_bedrock/.
entrypoint: ["/bin/sh", "/home/me/entry.sh"]
ports:
- "19132:19132/udp"
- "19133:19133/udp"
networks:
- game
volumes:
- ./minecraft_bedrock/worlds:/home/me/worlds
cap_drop:
- ALL
terraria:
restart: always
build: terraria/.
entrypoint: ["/bin/sh", "/home/me/entry.sh"]
ports:
- "7777:7777"
networks:
- game
volumes:
- ./terraria/worlds:/home/me/worlds
cap_drop: cap_drop:
- ALL - ALL
# minecraft_bedrock:
# restart: always
# build: minecraft_bedrock/.
# entrypoint: ["/bin/sh", "/home/ubuntu/entry.sh"]
# ports:
# - "19132:19132/udp"
# - "19133:19133/udp"
# networks:
# - game
# volumes:
# - ./minecraft_bedrock/worlds:/home/ubuntu/worlds
# cap_drop:
# - ALL
# terraria:
# restart: always
# build: terraria/.
# entrypoint: ["/bin/sh", "/home/ubuntu/entry.sh"]
# ports:
# - "7777:7777"
# networks:
# - game
# volumes:
# - ./terraria/worlds:/home/ubuntu/worlds
# cap_drop:
# - ALL
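Review bot: The new `user: "2000:2000"` on gitea gives it exactly the identity the website Dockerfile creates for its `me` user (2000:2000), so the two internet-facing services are a single principal to the kernel and to every host path in group `web`; the certbot directory holding the TLS private key is bind-mounted only into website, but nothing except the mount list now separates the two. If distinct identities are intended, give gitea its own UID and share only the GID, e.g. `user: "2010:2000"`, with the host directories group-writable. `cap_drop: ALL` does not stop a setuid binary in the ubuntu base image from switching uid inside the container; adding `security_opt: ["no-new-privileges:true"]` to each service closes that path. gitea's own `cap_drop` and `security_opt` keys fall outside the visible hunk, so I cannot confirm they are set.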


@ -1,2 +1 @@
world/ worlds/
world.*/


@ -3,8 +3,9 @@ FROM ubuntu:24.04
RUN apt-get update && apt-get -y upgrade RUN apt-get update && apt-get -y upgrade
RUN apt-get install -y wget openjdk-21-jre RUN apt-get install -y wget openjdk-21-jre
USER ubuntu RUN groupadd -g 2002 me && useradd -u 2002 -g 2002 -m me
WORKDIR /home/ubuntu USER me
WORKDIR /home/me
# from https://github.com/itzg/rcon-cli # from https://github.com/itzg/rcon-cli
RUN wget -O rcon-cli.tar.gz https://github.com/itzg/rcon-cli/releases/download/1.6.9/rcon-cli_1.6.9_linux_amd64.tar.gz RUN wget -O rcon-cli.tar.gz https://github.com/itzg/rcon-cli/releases/download/1.6.9/rcon-cli_1.6.9_linux_amd64.tar.gz
@ -13,7 +14,7 @@ RUN tar xvf rcon-cli.tar.gz && rm rcon-cli.tar.gz
# from https://www.minecraft.net/en-us/download/server (currently 1.21.4) # from https://www.minecraft.net/en-us/download/server (currently 1.21.4)
RUN wget https://piston-data.mojang.com/v1/objects/4707d00eb834b446575d89a61a11b5d548d8c001/server.jar RUN wget https://piston-data.mojang.com/v1/objects/4707d00eb834b446575d89a61a11b5d548d8c001/server.jar
COPY --chown=ubuntu:ubuntu eula.txt ./ COPY --chown=me:me eula.txt ./
COPY --chown=ubuntu:ubuntu entry.sh ./ COPY --chown=me:me entry.sh ./
COPY --chown=ubuntu:ubuntu server.properties ./ COPY --chown=me:me server.properties ./
COPY --chown=ubuntu:ubuntu ops.json ./ COPY --chown=me:me ops.json ./
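Review bot: The server.jar and rcon-cli downloads have no integrity check beyond the URL, and whatever arrives runs as `me` with the worlds volume mounted. The 40-hex object id in the piston-data path is, in Mojang's download scheme, the file's SHA-1, so the fetch can be pinned with `RUN echo "4707d00eb834b446575d89a61a11b5d548d8c001  server.jar" | sha1sum -c -` right after the wget; the rcon-cli release presumably ships a checksums file next to the tarball, which can be checked the same way. The new `useradd -u 2002` line itself is fine, though it makes this container share a UID with the terraria and bedrock images, which looks deliberate for the shared `game` group and is worth a comment saying so.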


@ -3,13 +3,14 @@ FROM ubuntu:24.04
RUN apt-get update && apt-get -y upgrade RUN apt-get update && apt-get -y upgrade
RUN apt-get install -y wget unzip curl tmux RUN apt-get install -y wget unzip curl tmux
USER ubuntu RUN groupadd -g 2002 me && useradd -u 2002 -g 2002 -m me
WORKDIR /home/ubuntu USER me
WORKDIR /home/me
# from https://www.minecraft.net/en-us/download/server/bedrock (currently 1.21.31.04) # from https://www.minecraft.net/en-us/download/server/bedrock (currently 1.21.61.01)
RUN wget -O server.zip --user-agent "Mozilla/5.0" https://www.minecraft.net/bedrockdedicatedserver/bin-linux/bedrock-server-1.21.31.04.zip RUN wget -O server.zip --user-agent "Mozilla/5.0" https://www.minecraft.net/bedrockdedicatedserver/bin-linux/bedrock-server-1.21.61.01.zip
RUN unzip server.zip && rm server.zip RUN unzip server.zip && rm server.zip
COPY --chown=ubuntu:ubuntu entry.sh ./ COPY --chown=me:me entry.sh ./
COPY --chown=ubuntu:ubuntu server.properties ./ COPY --chown=me:me server.properties ./
COPY --chown=ubuntu:ubuntu permissions.json ./ COPY --chown=me:me permissions.json ./
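Review bot: The version bump on the wget line swaps the binary that listens on 19132/udp without any integrity check, and as far as I know the bedrock download page publishes no checksums, so record the digest from a fetch you trust and pin it: `RUN echo "<sha256 recorded on a trusted fetch>  server.zip" | sha256sum -c -` before the unzip. That turns a silent upstream substitution into a build failure rather than a running server. The spoofed `--user-agent` suggests the endpoint is not meant for automated fetches, so expect the URL to break without notice and keep the version in the comment and the pinned digest updated together.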


@ -3,11 +3,12 @@ FROM ubuntu:24.04
RUN apt-get update && apt-get -y upgrade RUN apt-get update && apt-get -y upgrade
RUN apt-get install -y wget bzip2 RUN apt-get install -y wget bzip2
USER ubuntu RUN groupadd -g 2001 me && useradd -u 2001 -g 2001 -m me
WORKDIR /home/ubuntu USER me
WORKDIR /home/me
RUN wget https://downloads.getmonero.org/cli/monero-linux-x64-v0.18.3.4.tar.bz2 -O monerod.tar.bz2 RUN wget https://downloads.getmonero.org/cli/monero-linux-x64-v0.18.3.4.tar.bz2 -O monerod.tar.bz2
RUN tar xvf monerod.tar.bz2 && rm monerod.tar.bz2 RUN tar xvf monerod.tar.bz2 && rm monerod.tar.bz2
RUN mv monero-x86_64-linux-gnu-v0.18.3.4 monero RUN mv monero-x86_64-linux-gnu-v0.18.3.4 monero
COPY --chown=ubuntu:ubuntu entry.sh ./ COPY --chown=me:me entry.sh ./
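Review bot: monerod is fetched over HTTPS with no hash or signature verification and then runs with the `.bitmonero` volume mounted and whatever ports the compose file publishes for it, so a substituted tarball is a full compromise of the monero network segment. Monero publishes a signed hashes file for each release; verify its signature out of band once, then pin the digest here: `RUN echo "<sha256 from the signed hashes file>  monerod.tar.bz2" | sha256sum -c -` between the wget and the tar. The `useradd -u 2001` line gives this image the same UID as p2pool, which looks intentional for the shared `monero` group but means the two containers are indistinguishable at the kernel level.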


@ -3,12 +3,13 @@ FROM ubuntu:24.04
RUN apt-get update && apt-get -y upgrade RUN apt-get update && apt-get -y upgrade
RUN apt-get install -y wget RUN apt-get install -y wget
USER ubuntu RUN groupadd -g 2001 me && useradd -u 2001 -g 2001 -m me
WORKDIR /home/ubuntu USER me
WORKDIR /home/me
# currently v4.3 # currently v4.3
RUN wget https://github.com/SChernykh/p2pool/releases/download/v4.3/p2pool-v4.3-linux-x64.tar.gz -O p2pool.tar.gz RUN wget https://github.com/SChernykh/p2pool/releases/download/v4.3/p2pool-v4.3-linux-x64.tar.gz -O p2pool.tar.gz
RUN tar xvf p2pool.tar.gz && rm p2pool.tar.gz RUN tar xvf p2pool.tar.gz && rm p2pool.tar.gz
RUN mv p2pool-v4.3-linux-x64/p2pool ./p2pool RUN mv p2pool-v4.3-linux-x64/p2pool ./p2pool
COPY --chown=ubuntu:ubuntu entry.sh ./ COPY --chown=me:me entry.sh ./


@ -9,6 +9,5 @@ if __name__ == "__main__":
"terraria/worlds", "terraria/worlds",
"terraria/password.txt", "terraria/password.txt",
"website/gitea", "website/gitea",
"website/certbot",
"website/sendgrid.key", "website/sendgrid.key",
], check=True) ], check=True)


@ -1,5 +1,7 @@
#!/usr/bin/sudo /usr/bin/python3 #!/usr/bin/sudo /usr/bin/python3
import os
import shutil
import subprocess import subprocess
import sys import sys
from pathlib import Path from pathlib import Path
@ -27,7 +29,8 @@ if __name__ == "__main__":
run(f"cryptsetup luksOpen --key-file={key} /dev/{drive} {drive}_luks") run(f"cryptsetup luksOpen --key-file={key} /dev/{drive} {drive}_luks")
run(f"mkfs.btrfs /dev/mapper/{drive}_luks") run(f"mkfs.btrfs /dev/mapper/{drive}_luks")
run(f"mount /dev/mapper/{drive}_luks {mount}") run(f"mount /dev/mapper/{drive}_luks {mount}")
mount.chmod(0o777) shutil.chown(mount, os.getlogin(), "nas")
mount.chmod(0o770)
# TODO modify /etc/crypttab instead once Ubuntu fixed # TODO modify /etc/crypttab instead once Ubuntu fixed
with open("/opt/luks.sh", "a") as f: with open("/opt/luks.sh", "a") as f:
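Review bot: `mount.chmod(0o770)` with group `nas` does not make files created inside the mount belong to `nas`; a file a user creates there gets that user's primary group, so other `nas` members lose access unless the directory is setgid, which `mount.chmod(0o2770)` provides. `os.getlogin()` under the `#!/usr/bin/sudo` shebang reports the terminal's login user and raises OSError when there is no controlling terminal (cron, a non-tty ssh session); `os.environ.get("SUDO_USER", os.getlogin())` is the more robust choice here and in setup. The enclosing `if __name__ == "__main__":` block starts before and continues after this hunk.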


@ -1,18 +1,27 @@
#!/usr/bin/env python3 #!/usr/bin/env python3
import shutil
from pathlib import Path from pathlib import Path
if __name__ == "__main__": if __name__ == "__main__":
# create folders with same UID/GID as user so containers have access # create folders in group "web" so containers have access
PATHS = [ PATHS = {
"website/certbot", "web": [
"website/gitea/config", "website/certbot",
"website/gitea/data", "website/gitea/config",
"monerod/.bitmonero", "website/gitea/data",
"p2pool/cache", ],
"minecraft/worlds", "monero": [
"minecraft_bedrock/worlds", "monerod/.bitmonero",
"terraria/worlds", "p2pool/cache",
] ],
for p in PATHS: "game": [
Path(p).mkdir(parents=True, exist_ok=True) "minecraft/worlds",
"minecraft_bedrock/worlds",
"terraria/worlds",
]
}
for group in PATHS:
for p in PATHS[group]:
Path(p).mkdir(parents=True, exist_ok=True)
shutil.chown(p, group=group)
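Review bot: `shutil.chown(p, group=group)` sets the group but leaves the mode at whatever `mkdir` produced from the umask, and the containers write to these paths as UIDs 2000–2002 that do not own the directory; unless the host umask is Ubuntu's user-private-group 002, the group gets `r-x` only and gitea, monerod and the game servers cannot write their data. Set the mode explicitly and make it setgid so host-created files stay in the group: `Path(p).chmod(0o2770)` after the chown. `shutil.chown` to a group also fails unless the invoking user is already a member, which setup only grants for new login sessions, so a comment on that line is warranted: `# requires membership in web/monero/game (re-login after running setup)`.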


@ -24,6 +24,17 @@ if __name__ == "__main__":
if not file.exists(): if not file.exists():
with file.open("w") as f: with file.open("w") as f:
f.write("PasswordAuthentication no\n") f.write("PasswordAuthentication no\n")
try:
run("addgroup --gid 2000 web")
run("addgroup --gid 2001 monero")
run("addgroup --gid 2002 game")
run("addgroup --gid 2003 nas")
run(f"adduser {os.getlogin()} web")
run(f"adduser {os.getlogin()} monero")
run(f"adduser {os.getlogin()} game")
run(f"adduser {os.getlogin()} nas")
except:
pass
# install docker and configure # install docker and configure
run("snap install docker") run("snap install docker")
@ -61,6 +72,7 @@ if __name__ == "__main__":
f.writelines(s + "\n" for s in [ f.writelines(s + "\n" for s in [
"#!/bin/sh", "#!/bin/sh",
"iptables -N DOCKER-USER || true", "iptables -N DOCKER-USER || true",
"iptables -I DOCKER-USER -d 10.0.0.0/8 -j DROP", # xfinity gateway
"iptables -I DOCKER-USER -p tcp --dport 22 -j DROP", # SSH "iptables -I DOCKER-USER -p tcp --dport 22 -j DROP", # SSH
"ip6tables -N DOCKER-USER || true", "ip6tables -N DOCKER-USER || true",
"ip6tables -I DOCKER-USER -p tcp --dport 22 -j DROP", # SSH "ip6tables -I DOCKER-USER -p tcp --dport 22 -j DROP", # SSH


@ -3,18 +3,19 @@ FROM ubuntu:24.04
RUN apt-get update && apt-get -y upgrade RUN apt-get update && apt-get -y upgrade
RUN apt-get install -y wget unzip RUN apt-get install -y wget unzip
USER ubuntu RUN groupadd -g 2002 me && useradd -u 2002 -g 2002 -m me
WORKDIR /home/ubuntu USER me
WORKDIR /home/me
# from https://terraria.fandom.com/wiki/Server (currently 1.4.4.9) # from https://terraria.fandom.com/wiki/Server (currently 1.4.4.9)
RUN wget https://terraria.org/api/download/pc-dedicated-server/terraria-server-1449.zip RUN wget https://terraria.org/api/download/pc-dedicated-server/terraria-server-1449.zip
RUN unzip terraria-server-1449.zip && rm terraria-server-1449.zip RUN unzip terraria-server-1449.zip && rm terraria-server-1449.zip
RUN mv 1449/ server/ RUN mv 1449/ server/
COPY --chown=ubuntu:ubuntu entry.sh ./ COPY --chown=me:me entry.sh ./
WORKDIR /home/ubuntu/server/Linux WORKDIR /home/me/server/Linux
RUN chmod +x TerrariaServer.bin.x86_64 RUN chmod +x TerrariaServer.bin.x86_64
COPY --chown=ubuntu:ubuntu password.default ./password.txt COPY --chown=me:me password.default ./password.txt
COPY --chown=ubuntu:ubuntu config.txt password.tx[t] ./ COPY --chown=me:me config.txt password.tx[t] ./
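Review bot: `COPY --chown=me:me config.txt password.tx[t] ./` bakes the real server password into an image layer whenever `terraria/password.txt` exists at build time, so anyone who can read the image (docker save, the build cache, a registry push) gets it. Keep only `password.default` in the image and supply the real one at runtime: drop the optional glob from the COPY and bind-mount it in the compose file as `./terraria/password.txt:/home/me/server/Linux/password.txt:ro`. As with the other images, the server zip is fetched without a digest check; a pinned `sha256sum -c` after the wget would turn an upstream substitution into a build failure.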


@ -1,6 +1,6 @@
world=/home/ubuntu/worlds/legendary.wld world=/home/me/worlds/legendary.wld
autocreate=3 autocreate=3
seed=getfixedboi seed=getfixedboi
worldname=legendary worldname=legendary
difficulty=2 difficulty=2
worldpath=/home/ubuntu/worlds worldpath=/home/me/worlds


@ -8,11 +8,12 @@ RUN apt-get update && apt-get -y upgrade
RUN apt-get install -y nginx certbot python3-pip RUN apt-get install -y nginx certbot python3-pip
RUN pip3 install sendgrid --break-system-packages RUN pip3 install sendgrid --break-system-packages
USER ubuntu RUN groupadd -g 2000 me && useradd -u 2000 -g 2000 -m me
WORKDIR /home/ubuntu USER me
WORKDIR /home/me
RUN mkdir nginx certbot RUN mkdir nginx certbot
# TODO make the website code not terrible ;-; # TODO make the website code not terrible ;-;
COPY --chown=ubuntu:ubuntu html ./html COPY --chown=me:me html ./html
COPY --chown=ubuntu:ubuntu sendgrid.ke[y] ip_update.py ./ COPY --chown=me:me sendgrid.ke[y] ip_update.py ./
COPY --chown=ubuntu:ubuntu server.conf entry.sh ./ COPY --chown=me:me server.conf entry.sh ./
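Review bot: `COPY --chown=me:me sendgrid.ke[y] ip_update.py ./` writes the SendGrid API key into an image layer when the file exists at build time, so it persists in the build cache and in every copy of the image; bind-mount it at runtime instead (`./website/sendgrid.key:/home/me/sendgrid.key:ro` in the compose file) and remove it from the COPY. `pip3 install sendgrid --break-system-packages` is unpinned and runs as root before `USER me`, so pin it (`pip3 install 'sendgrid==<version>' --break-system-packages`) to keep builds reproducible and reviewable. The path rename and `useradd -u 2000` are fine; note that UID 2000 is also what the compose file now assigns to gitea, so the two containers share an identity.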


@ -1,6 +1,6 @@
# adapted from /etc/nginx/nginx.conf # adapted from /etc/nginx/nginx.conf
worker_processes auto; worker_processes auto;
pid /home/ubuntu/nginx/site.pid; pid /home/me/nginx/site.pid;
error_log /dev/stderr; error_log /dev/stderr;
events { events {
@ -15,18 +15,18 @@ http {
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_certificate /home/ubuntu/certbot/live/matthewtran.com/fullchain.pem; ssl_certificate /home/me/certbot/live/matthewtran.com/fullchain.pem;
ssl_certificate_key /home/ubuntu/certbot/live/matthewtran.com/privkey.pem; ssl_certificate_key /home/me/certbot/live/matthewtran.com/privkey.pem;
include /etc/nginx/mime.types; include /etc/nginx/mime.types;
default_type application/octet-stream; default_type application/octet-stream;
access_log /dev/stdout; access_log /dev/stdout;
client_body_temp_path /home/ubuntu/nginx/body; client_body_temp_path /home/me/nginx/body;
proxy_temp_path /home/ubuntu/nginx/proxy; proxy_temp_path /home/me/nginx/proxy;
fastcgi_temp_path /home/ubuntu/nginx/fastcgi; fastcgi_temp_path /home/me/nginx/fastcgi;
uwsgi_temp_path /home/ubuntu/nginx/uwsgi; uwsgi_temp_path /home/me/nginx/uwsgi;
scgi_temp_path /home/ubuntu/nginx/scgi; scgi_temp_path /home/me/nginx/scgi;
# SSL redirect # SSL redirect
server { server {
@ -50,7 +50,7 @@ http {
listen [::]:8443 ssl; listen [::]:8443 ssl;
server_name matthewtran.com www.matthewtran.com; server_name matthewtran.com www.matthewtran.com;
root /home/ubuntu/html; root /home/me/html;
index index.html; index index.html;
location / { location / {
try_files $uri $uri/ =404; try_files $uri $uri/ =404;