further secure containers

This commit is contained in:
Matthew Tran 2025-02-19 22:17:31 -08:00
parent 36c4019c01
commit e7b4e8aa46
15 changed files with 129 additions and 94 deletions


@ -1,6 +1,6 @@
# matthewtran.com
Stuff that's deployed on [matthewtran.com](https://matthewtran.com). Currently running the following services.
Services deployed on [matthewtran.com](https://matthewtran.com).
- website
- gitea ([git.matthewtran.com](https://git.matthewtran.com))
@ -8,8 +8,8 @@ Stuff that's deployed on [matthewtran.com](https://matthewtran.com). Currently r
- p2pool (`xmrig -o matthewtran.com`)
- wireguard
- minecraft
- ~~minecraft bedrock~~
- ~~terraria~~
- minecraft bedrock
- terraria
## setup


@ -17,23 +17,30 @@ networks:
config:
- subnet: "172.22.0.0/16"
- subnet: "fd3a:138e:8fd0:0022::/64"
nas:
enable_ipv6: true
ipam:
config:
- subnet: "172.23.0.0/16"
- subnet: "fd3a:138e:8fd0:0023::/64"
services:
website:
restart: always
build: website/.
entrypoint: ["/bin/sh", "/home/ubuntu/entry.sh"]
entrypoint: ["/bin/sh", "/home/me/entry.sh"]
ports:
- "80:8080"
- "443:8443"
networks:
- web
volumes:
- ./website/certbot:/home/ubuntu/certbot
- ./website/certbot:/home/me/certbot
cap_drop:
- ALL
gitea:
restart: always
image: gitea/gitea:latest-rootless
user: "2000:2000"
ports:
- "2222:2222"
networks:
@ -48,7 +55,7 @@ services:
monerod:
restart: always
build: monerod/.
entrypoint: ["/bin/sh", "/home/ubuntu/entry.sh"]
entrypoint: ["/bin/sh", "/home/me/entry.sh"]
stdin_open: true
tty: true
ports:
@ -57,14 +64,14 @@ services:
networks:
- monero
volumes:
- ./monerod/.bitmonero:/home/ubuntu/.bitmonero
- ./monerod/.bitmonero:/home/me/.bitmonero
cap_drop:
- ALL
p2pool:
stop_grace_period: 1m # TODO reduce m_shutdownCountdown to reduce this
restart: always
build: p2pool/.
entrypoint: ["/bin/sh", "/home/ubuntu/entry.sh"]
entrypoint: ["/bin/sh", "/home/me/entry.sh"]
stdin_open: true
tty: true
ports:
@ -74,43 +81,43 @@ services:
networks:
- monero
volumes:
- ./p2pool/cache:/home/ubuntu/cache
- ./p2pool/cache:/home/me/cache
cap_drop:
- ALL
minecraft:
restart: always
build: minecraft/.
entrypoint: ["/bin/sh", "/home/ubuntu/entry.sh"]
entrypoint: ["/bin/sh", "/home/me/entry.sh"]
ports:
- "25565:25565"
networks:
- game
volumes:
- ./minecraft/worlds:/home/ubuntu/worlds
- ./minecraft/worlds:/home/me/worlds
cap_drop:
- ALL
minecraft_bedrock:
restart: always
build: minecraft_bedrock/.
entrypoint: ["/bin/sh", "/home/me/entry.sh"]
ports:
- "19132:19132/udp"
- "19133:19133/udp"
networks:
- game
volumes:
- ./minecraft_bedrock/worlds:/home/me/worlds
cap_drop:
- ALL
terraria:
restart: always
build: terraria/.
entrypoint: ["/bin/sh", "/home/me/entry.sh"]
ports:
- "7777:7777"
networks:
- game
volumes:
- ./terraria/worlds:/home/me/worlds
cap_drop:
- ALL
# minecraft_bedrock:
# restart: always
# build: minecraft_bedrock/.
# entrypoint: ["/bin/sh", "/home/ubuntu/entry.sh"]
# ports:
# - "19132:19132/udp"
# - "19133:19133/udp"
# networks:
# - game
# volumes:
# - ./minecraft_bedrock/worlds:/home/ubuntu/worlds
# cap_drop:
# - ALL
# terraria:
# restart: always
# build: terraria/.
# entrypoint: ["/bin/sh", "/home/ubuntu/entry.sh"]
# ports:
# - "7777:7777"
# networks:
# - game
# volumes:
# - ./terraria/worlds:/home/ubuntu/worlds
# cap_drop:
# - ALL
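Review bot: Every service in this file drops all capabilities (`cap_drop: - ALL`) but none sets `security_opt: ["no-new-privileges:true"]`, so a setuid binary inside an image can still change uid at exec; adding that option next to each `cap_drop` is the cheap complement to what the commit already does. The new `nas` network with its `172.23.0.0/16` / `fd3a:138e:8fd0:0023::/64` subnets is defined here but no service in the visible hunks joins it — if it is attached in a part of the file outside this diff that is fine, otherwise it is dead configuration. The `user: "2000:2000"` added to gitea appears to mirror the `web` gid created elsewhere in this commit; a comment recording that coupling, e.g. `user: "2000:2000"  # 2000 == host group "web" created by setup.py`, would spare the next reader a search.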


@ -1,2 +1 @@
world/
world.*/
worlds/


@ -3,8 +3,9 @@ FROM ubuntu:24.04
RUN apt-get update && apt-get -y upgrade
RUN apt-get install -y wget openjdk-21-jre
USER ubuntu
WORKDIR /home/ubuntu
RUN groupadd -g 2002 me && useradd -u 2002 -g 2002 -m me
USER me
WORKDIR /home/me
# from https://github.com/itzg/rcon-cli
RUN wget -O rcon-cli.tar.gz https://github.com/itzg/rcon-cli/releases/download/1.6.9/rcon-cli_1.6.9_linux_amd64.tar.gz
@ -13,7 +14,7 @@ RUN tar xvf rcon-cli.tar.gz && rm rcon-cli.tar.gz
# from https://www.minecraft.net/en-us/download/server (currently 1.21.4)
RUN wget https://piston-data.mojang.com/v1/objects/4707d00eb834b446575d89a61a11b5d548d8c001/server.jar
COPY --chown=ubuntu:ubuntu eula.txt ./
COPY --chown=ubuntu:ubuntu entry.sh ./
COPY --chown=ubuntu:ubuntu server.properties ./
COPY --chown=ubuntu:ubuntu ops.json ./
COPY --chown=me:me eula.txt ./
COPY --chown=me:me entry.sh ./
COPY --chown=me:me server.properties ./
COPY --chown=me:me ops.json ./
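Review bot: `server.jar` and `rcon-cli.tar.gz` are fetched with `wget` and used with no checksum verification, so the build trusts whatever the remote serves at build time; the 40-hex segment in the piston-data URL appears to be the object's SHA-1 and could be pinned with `RUN echo '4707d00eb834b446575d89a61a11b5d548d8c001  server.jar' | sha1sum -c`, and the rcon-cli release checksum could be pinned the same way. The same unverified-download pattern is present in the minecraft_bedrock, monerod, p2pool and terraria Dockerfiles in this commit. The new `RUN groupadd -g 2002 me && useradd -u 2002 -g 2002 -m me` hard-codes a gid that setup.py's `addgroup --gid 2002 game` also hard-codes; an `ARG GID=2002` at the top of each Dockerfile would make the coupling explicit and overridable without editing the file. The apt layers still run as root before `USER me`, which is fine, but `apt-get install -y --no-install-recommends` would shrink what ships in the JRE image.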


@ -3,13 +3,14 @@ FROM ubuntu:24.04
RUN apt-get update && apt-get -y upgrade
RUN apt-get install -y wget unzip curl tmux
USER ubuntu
WORKDIR /home/ubuntu
RUN groupadd -g 2002 me && useradd -u 2002 -g 2002 -m me
USER me
WORKDIR /home/me
# from https://www.minecraft.net/en-us/download/server/bedrock (currently 1.21.31.04)
RUN wget -O server.zip --user-agent "Mozilla/5.0" https://www.minecraft.net/bedrockdedicatedserver/bin-linux/bedrock-server-1.21.31.04.zip
# from https://www.minecraft.net/en-us/download/server/bedrock (currently 1.21.61.01)
RUN wget -O server.zip --user-agent "Mozilla/5.0" https://www.minecraft.net/bedrockdedicatedserver/bin-linux/bedrock-server-1.21.61.01.zip
RUN unzip server.zip && rm server.zip
COPY --chown=ubuntu:ubuntu entry.sh ./
COPY --chown=ubuntu:ubuntu server.properties ./
COPY --chown=ubuntu:ubuntu permissions.json ./
COPY --chown=me:me entry.sh ./
COPY --chown=me:me server.properties ./
COPY --chown=me:me permissions.json ./


@ -3,11 +3,12 @@ FROM ubuntu:24.04
RUN apt-get update && apt-get -y upgrade
RUN apt-get install -y wget bzip2
USER ubuntu
WORKDIR /home/ubuntu
RUN groupadd -g 2001 me && useradd -u 2001 -g 2001 -m me
USER me
WORKDIR /home/me
RUN wget https://downloads.getmonero.org/cli/monero-linux-x64-v0.18.3.4.tar.bz2 -O monerod.tar.bz2
RUN tar xvf monerod.tar.bz2 && rm monerod.tar.bz2
RUN mv monero-x86_64-linux-gnu-v0.18.3.4 monero
COPY --chown=ubuntu:ubuntu entry.sh ./
COPY --chown=me:me entry.sh ./


@ -3,12 +3,13 @@ FROM ubuntu:24.04
RUN apt-get update && apt-get -y upgrade
RUN apt-get install -y wget
USER ubuntu
WORKDIR /home/ubuntu
RUN groupadd -g 2001 me && useradd -u 2001 -g 2001 -m me
USER me
WORKDIR /home/me
# currently v4.3
RUN wget https://github.com/SChernykh/p2pool/releases/download/v4.3/p2pool-v4.3-linux-x64.tar.gz -O p2pool.tar.gz
RUN tar xvf p2pool.tar.gz && rm p2pool.tar.gz
RUN mv p2pool-v4.3-linux-x64/p2pool ./p2pool
COPY --chown=ubuntu:ubuntu entry.sh ./
COPY --chown=me:me entry.sh ./


@ -9,6 +9,5 @@ if __name__ == "__main__":
"terraria/worlds",
"terraria/password.txt",
"website/gitea",
"website/certbot",
"website/sendgrid.key",
], check=True)


@ -1,5 +1,7 @@
#!/usr/bin/sudo /usr/bin/python3
import os
import shutil
import subprocess
import sys
from pathlib import Path
@ -27,7 +29,8 @@ if __name__ == "__main__":
run(f"cryptsetup luksOpen --key-file={key} /dev/{drive} {drive}_luks")
run(f"mkfs.btrfs /dev/mapper/{drive}_luks")
run(f"mount /dev/mapper/{drive}_luks {mount}")
mount.chmod(0o777)
shutil.chown(mount, os.getlogin(), "nas")
mount.chmod(0o770)
# TODO modify /etc/crypttab instead once Ubuntu fixed
with open("/opt/luks.sh", "a") as f:
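Review bot: `os.getlogin()` in the new `shutil.chown(mount, os.getlogin(), "nas")` looks up the login name of the controlling terminal and raises OSError when there is none (cron, a non-interactive ssh command), and under the `#!/usr/bin/sudo` shebang it names the invoking user only by that indirection; `os.environ.get("SUDO_USER") or os.getlogin()` prefers the user sudo actually recorded and falls back to the terminal lookup only when needed. The same call is used for the new `adduser` lines in setup.py in this commit. Chown before `mount.chmod(0o770)` is the right order; a one-line comment on why the previous `0o777` was dropped, e.g. `# group "nas" only; no world access to the mount`, would record the intent. The enclosing `if __name__ == "__main__":` block starts outside the hunk.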


@ -1,18 +1,27 @@
#!/usr/bin/env python3
import shutil
from pathlib import Path
if __name__ == "__main__":
# create folders with same UID/GID as user so containers have access
PATHS = [
# create folders in group "web" so containers have access
PATHS = {
"web": [
"website/certbot",
"website/gitea/config",
"website/gitea/data",
],
"monero": [
"monerod/.bitmonero",
"p2pool/cache",
],
"game": [
"minecraft/worlds",
"minecraft_bedrock/worlds",
"terraria/worlds",
]
for p in PATHS:
}
for group in PATHS:
for p in PATHS[group]:
Path(p).mkdir(parents=True, exist_ok=True)
shutil.chown(p, group=group)
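Review bot: `shutil.chown(p, group=group)` only changes the group of a directory that `mkdir` created with the umask-derived mode (typically 0755), so if the containers running as members of that group need to write into these paths they still lack permission unless the umask happens to grant group write; following the chown with `Path(p).chmod(0o2770)` (setgid so files created inside stay in the group) makes the stated intent effective. With `exist_ok=True` a pre-existing directory is re-grouped too, which looks intended. The leading comment `# create folders in group "web" so containers have access` is now stale because the dict maps three groups; `# create folders owned by the matching container group so containers have access` would match the code.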


@ -24,6 +24,17 @@ if __name__ == "__main__":
if not file.exists():
with file.open("w") as f:
f.write("PasswordAuthentication no\n")
try:
run("addgroup --gid 2000 web")
run("addgroup --gid 2001 monero")
run("addgroup --gid 2002 game")
run("addgroup --gid 2003 nas")
run(f"adduser {os.getlogin()} web")
run(f"adduser {os.getlogin()} monero")
run(f"adduser {os.getlogin()} game")
run(f"adduser {os.getlogin()} nas")
except:
pass
# install docker and configure
run("snap install docker")
@ -61,6 +72,7 @@ if __name__ == "__main__":
f.writelines(s + "\n" for s in [
"#!/bin/sh",
"iptables -N DOCKER-USER || true",
"iptables -I DOCKER-USER -d 10.0.0.0/8 -j DROP", # xfinity gateway
"iptables -I DOCKER-USER -p tcp --dport 22 -j DROP", # SSH
"ip6tables -N DOCKER-USER || true",
"ip6tables -I DOCKER-USER -p tcp --dport 22 -j DROP", # SSH
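Review bot: The new `try:` wraps all eight `addgroup`/`adduser` calls under a bare `except: pass`, so when the first `addgroup` fails on a re-run because the group already exists, the remaining groups are not created and the user is never added to any of them; the bare except also swallows KeyboardInterrupt. Scoping the handler per command and narrowing it keeps the script idempotent — assuming `run` wraps `subprocess.run(..., check=True)` as the sibling scripts in this repo do, the failure type is `subprocess.CalledProcessError`. The enclosing `if __name__ == "__main__":` block starts outside the hunk.
```python
    # … unchanged: sshd_config handling above …
    for cmd in ["addgroup --gid 2000 web", "addgroup --gid 2001 monero",
                "addgroup --gid 2002 game", "addgroup --gid 2003 nas"]:
        try:
            run(cmd)
        except subprocess.CalledProcessError:
            pass  # group already exists on re-run; confirm run() raises this
    for group in ["web", "monero", "game", "nas"]:
        run(f"adduser {os.getlogin()} {group}")
    # … unchanged: docker install and configuration …
```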


@ -3,18 +3,19 @@ FROM ubuntu:24.04
RUN apt-get update && apt-get -y upgrade
RUN apt-get install -y wget unzip
USER ubuntu
WORKDIR /home/ubuntu
RUN groupadd -g 2002 me && useradd -u 2002 -g 2002 -m me
USER me
WORKDIR /home/me
# from https://terraria.fandom.com/wiki/Server (currently 1.4.4.9)
RUN wget https://terraria.org/api/download/pc-dedicated-server/terraria-server-1449.zip
RUN unzip terraria-server-1449.zip && rm terraria-server-1449.zip
RUN mv 1449/ server/
COPY --chown=ubuntu:ubuntu entry.sh ./
COPY --chown=me:me entry.sh ./
WORKDIR /home/ubuntu/server/Linux
WORKDIR /home/me/server/Linux
RUN chmod +x TerrariaServer.bin.x86_64
COPY --chown=ubuntu:ubuntu password.default ./password.txt
COPY --chown=ubuntu:ubuntu config.txt password.tx[t] ./
COPY --chown=me:me password.default ./password.txt
COPY --chown=me:me config.txt password.tx[t] ./
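Review bot: `COPY --chown=me:me config.txt password.tx[t] ./` bakes the server password into an image layer whenever `password.txt` is present at build time, so anyone who can pull or inspect the image recovers it; the same applies to `COPY --chown=me:me sendgrid.ke[y] ip_update.py ./` in the website Dockerfile in this commit. Supplying these at runtime — a bind mount or Compose `secrets:` — keeps them out of the layers and lets the optional-copy glob trick go. The `--chown=me:me` change itself is consistent with the new `useradd -u 2002 -g 2002 -m me` above and looks correct.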


@ -1,6 +1,6 @@
world=/home/ubuntu/worlds/legendary.wld
world=/home/me/worlds/legendary.wld
autocreate=3
seed=getfixedboi
worldname=legendary
difficulty=2
worldpath=/home/ubuntu/worlds
worldpath=/home/me/worlds


@ -8,11 +8,12 @@ RUN apt-get update && apt-get -y upgrade
RUN apt-get install -y nginx certbot python3-pip
RUN pip3 install sendgrid --break-system-packages
USER ubuntu
WORKDIR /home/ubuntu
RUN groupadd -g 2000 me && useradd -u 2000 -g 2000 -m me
USER me
WORKDIR /home/me
RUN mkdir nginx certbot
# TODO make the website code not terrible ;-;
COPY --chown=ubuntu:ubuntu html ./html
COPY --chown=ubuntu:ubuntu sendgrid.ke[y] ip_update.py ./
COPY --chown=ubuntu:ubuntu server.conf entry.sh ./
COPY --chown=me:me html ./html
COPY --chown=me:me sendgrid.ke[y] ip_update.py ./
COPY --chown=me:me server.conf entry.sh ./


@ -1,6 +1,6 @@
# adapted from /etc/nginx/nginx.conf
worker_processes auto;
pid /home/ubuntu/nginx/site.pid;
pid /home/me/nginx/site.pid;
error_log /dev/stderr;
events {
@ -15,18 +15,18 @@ http {
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_certificate /home/ubuntu/certbot/live/matthewtran.com/fullchain.pem;
ssl_certificate_key /home/ubuntu/certbot/live/matthewtran.com/privkey.pem;
ssl_certificate /home/me/certbot/live/matthewtran.com/fullchain.pem;
ssl_certificate_key /home/me/certbot/live/matthewtran.com/privkey.pem;
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /dev/stdout;
client_body_temp_path /home/ubuntu/nginx/body;
proxy_temp_path /home/ubuntu/nginx/proxy;
fastcgi_temp_path /home/ubuntu/nginx/fastcgi;
uwsgi_temp_path /home/ubuntu/nginx/uwsgi;
scgi_temp_path /home/ubuntu/nginx/scgi;
client_body_temp_path /home/me/nginx/body;
proxy_temp_path /home/me/nginx/proxy;
fastcgi_temp_path /home/me/nginx/fastcgi;
uwsgi_temp_path /home/me/nginx/uwsgi;
scgi_temp_path /home/me/nginx/scgi;
# SSL redirect
server {
@ -50,7 +50,7 @@ http {
listen [::]:8443 ssl;
server_name matthewtran.com www.matthewtran.com;
root /home/ubuntu/html;
root /home/me/html;
index index.html;
location / {
try_files $uri $uri/ =404;