dragonlock2/matthewtran.com
1
0
Fork 0
mirror of https://github.com/dragonlock2/matthewtran.com.git synced 2025-10-11 12:07:56 +00:00
Code Issues Packages Projects Releases Wiki Activity
55 Commits 1 Branch 0 Tags
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Matthew Tran 3fc2698db9 auto advertisement of time machine shares
2025-02-22 22:32:20 -08:00
minecraft
further secure containers
2025-02-19 22:17:31 -08:00
minecraft_bedrock
further secure containers
2025-02-19 22:17:31 -08:00
monerod
further secure containers
2025-02-19 22:17:31 -08:00
nas
add time machine support
2025-02-22 20:17:30 -08:00
p2pool
further secure containers
2025-02-19 22:17:31 -08:00
scripts
auto advertisement of time machine shares
2025-02-22 22:32:20 -08:00
terraria
further secure containers
2025-02-19 22:17:31 -08:00
website
further secure containers
2025-02-19 22:17:31 -08:00
.gitignore
add time machine support
2025-02-22 20:17:30 -08:00
compose.yml
(wip) nas container
2025-02-20 03:00:55 -08:00
LICENSE
Initial commit
2023-07-31 00:11:11 -07:00
README.md
auto advertisement of time machine shares
2025-02-22 22:32:20 -08:00

README.md

matthewtran.com

Services deployed on matthewtran.com.

  • website
  • gitea (git.matthewtran.com)
  • monerod
  • p2pool (xmrig -o matthewtran.com)
  • wireguard
  • minecraft
  • minecraft bedrock
  • terraria
  • nas (<server>/share on LAN)

setup

  1. Install Ubuntu Desktop 24.04.1 LTS with TPM-backed FDE. Server currently has a bug that makes TPM-backed FDE hard.
    • You may need to manually enable IPv6 on the network connection. Use Automatic not Automatic, DHCP only.
    • Add an SSH key if you need remote access, setup will disable password authentication.
    • Clone this repo and cd into it.
  2. Set up the server.
    • scripts/setup_server.py
  3. Set up the OpenWrt 24.10 router. Copy SSH keys first to make it easier. Use a strong root password.
    • scripts/setup_router.py <interface>
  4. Reboot the router and server.
  5. Configure, build, and start services.
    • Create website/sendgrid.key with a SendGrid API key.
    • Create terraria/password.txt if needed.
    • Create nas/mounts.json which contains a list of "<name>":"<directory>" for the SMB share.
    • Create nas/users.json which contains a list of "<user>":"<password>" for the SMB share.
    • scripts/setup_repo.py
    • Restore backups if needed. Make sure to set correct ownership. For example, chown -R 2000:2000 website/gitea.
    • docker compose build
    • docker compose up -d
  6. Optionally, add additional drives. This script formats the drive as LUKS/BTRFS with the key file stored in /opt/luks and auto-mounts on boot. Make sure to backup the key file elsewhere.
    • scripts/setup_drive.py <drive> <mount>
  7. Optionally, run scripts/setup_peer.py <name> for each WireGuard client.
  8. Optionally, add the following DNS entries at the registrar.
    hosts type data
    @, git, wg, www A <public IPv4>
    @, git, www AAAA <delegated prefix>::69
    wg AAAA <delegated prefix>::1

backup

Run scripts/backup.py and save the resultant data.zip somewhere. Also run the following commands for BTRFS maintenance. I should probably automate this.

btrfs device stats <mount>
btrfs scrub start -B <mount>

security

To protect against vulnerabilities, all services run as non-root users inside containers that are on separate networks by function and have all capabilities dropped. These non-root users have a UID that doesn't exist on the host and a GID that maps to their function. Hopefully, even in the event of a full container compromise and root escalation, there is little damage an attacker can do. The main security hole left is containers accessing the LAN and host, AppArmor might help with this.

Description
Stuff that's deployed on matthewtran.com
Readme Apache-2.0 5.3 MiB
Languages
Python 64.8%
HTML 13.8%
CSS 7.7%
Dockerfile 7.2%
Shell 4.1%
Other 2.4%