From 979adc3b1395a9ec1fed8fa4603e1670eefbcc64 Mon Sep 17 00:00:00 2001 From: finn Date: Fri, 9 Aug 2024 18:47:22 -0700 Subject: [PATCH 1/3] initial working ssh entry --- .gitignore | 7 +++--- compose.yaml | 25 +++++++++++++----- proxy/conf | 60 ++++++++------------------------------------ sshtun/Dockerfile | 18 +++++++++++++ sshtun/entrypoint.sh | 8 ++++++ 5 files changed, 59 insertions(+), 59 deletions(-) create mode 100644 sshtun/Dockerfile create mode 100755 sshtun/entrypoint.sh diff --git a/.gitignore b/.gitignore index 541eeaa..5afb6e5 100644 --- a/.gitignore +++ b/.gitignore @@ -1,7 +1,8 @@ -gitea/ +gitea .env -pmb-pf/ +pmb-pf venv zapp.db db/bu -tor/hidden_service/ +tor/hidden_service +sshtun/oilykey diff --git a/compose.yaml b/compose.yaml index bff8591..fd2ce88 100644 --- a/compose.yaml +++ b/compose.yaml @@ -31,7 +31,7 @@ services: #tty: true restart: always # Comment following line to use flask (1worker, dev), uncomment to use uwsgi (wsgi) - command: ["uwsgi", "--http", "0.0.0.0:8000", "--master", "-p", "4", "-w", "microblog:app"] + #command: ["uwsgi", "--http", "0.0.0.0:8000", "--master", "-p", "4", "-w", "microblog:app"] container_name: backend environment: - MYSQL_USER=flasku @@ -96,12 +96,12 @@ services: proxy: build: proxy restart: always - volumes: - - /home/finn/d/cert/var/lib/letsencrypt:/var/lib/letsencrypt:ro - - /home/finn/d/cert/etc/letsencrypt:/etc/letsencrypt:ro + #volumes: + # - /home/finn/d/cert/var/lib/letsencrypt:/var/lib/letsencrypt:ro + # - /home/finn/d/cert/etc/letsencrypt:/etc/letsencrypt:ro ports: - - 80:80 - - 443:443 + - "80:80" + - "443:443" depends_on: - backend networks: @@ -135,6 +135,19 @@ services: networks: - backnet + sshtun: + build: + context: sshtun + dockerfile: Dockerfile + restart: always + ports: + - "22222:22" + expose: + - "11111" + - "11112" + networks: + - frontnet + volumes: db-data: pmb-root: diff --git a/proxy/conf b/proxy/conf index 80f6015..04abcd7 100755 --- a/proxy/conf +++ b/proxy/conf 
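Review bot: In the new `sshtun` service, `expose: "11111"` advertises a port that other containers on `frontnet` cannot reach: 11111 is bound inside the container by sshd's remote forward (per the `-R 11111:...` note in `sshtun/entrypoint.sh`), and with sshd's default `GatewayPorts no` a remote forward listens on the loopback address only, which is presumably why the entrypoint adds a socat relay on 11112. Either drop `"11111"` from `expose` or add a comment such as `# 11111 is loopback-only inside the container (sshd remote forward); peers use 11112 (socat relay)` so the next reader does not try to connect to it. `"22222:22"` publishes sshd on every host interface with Docker's default binding, and published ports are inserted into iptables ahead of host firewall rules, so the sshd configuration in `sshtun/Dockerfile` is the effective access control here. The same service block is added to `compose.yaml.local` and `compose.yaml.prod` in PATCH 2/3 and needs the same change.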
@@ -1,52 +1,12 @@ -#server { -# listen 80; -# server_name localhost; -# location / { -# proxy_pass http://backend:8000; -# } - - -# always redirect to https server { - listen 80 default_server; - server_name _; - return 301 https://$host$request_uri; + listen 80; + server_name localhost; + location / { + proxy_pass http://backend:8000; + } + location /gutty{ + proxy_pass http://gitea:3000; + } + + } - -server { - listen 443 ssl http2; - # use the certificates - ssl_certificate /etc/letsencrypt/live/oily.dad/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/oily.dad/privkey.pem; - server_name oily.dad www.oily.dad; - root /var/www/html; - index index.php index.html index.htm; - - - location / { - proxy_pass http://backend:8000/; - } -} - -server { - listen 443 ssl http2; - # use the certificates - ssl_certificate /etc/letsencrypt/live/oily.dad/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/oily.dad/privkey.pem; - server_name gut.oily.dad; - root /var/www/html; - index index.php index.html index.htm; - - location / { - client_max_body_size 512M; - #proxy_pass http://localhost:3000; - proxy_set_header Connection $http_connection; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass http://gitea:3000/; - } -} - diff --git a/sshtun/Dockerfile b/sshtun/Dockerfile new file mode 100644 index 0000000..602bacd --- /dev/null +++ b/sshtun/Dockerfile 
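Review bot: The new `location /gutty{` block proxies to gitea without the `proxy_set_header` lines (`Host`, `X-Forwarded-For`, `X-Forwarded-Proto`, `Upgrade`/`Connection`) that the removed `gut.oily.dad` vhost set, and because `proxy_pass http://gitea:3000;` carries no URI part, gitea receives the path with the `/gutty` prefix intact; unless gitea's `ROOT_URL` is configured for that sub-path (not visible here), generated links and redirects will be wrong. If this block is a local stand-in for the prod vhost it should at least carry `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-Proto $scheme;`, and `location /gutty{` is clearer as `location /gutty/ {` with `proxy_pass http://gitea:3000/;` so the prefix is stripped. The `proxy_pass http://backend:8000;` line has the same prefix behaviour but is harmless for `location /`.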
@@ -0,0 +1,18 @@ +FROM debian:12-slim + +RUN apt update && apt install -y openssh-server socat + +RUN adduser --disabled-password --gecos "" finn + +RUN mkdir /home/finn/.ssh + +# only one pubkey -- wildcard to conceal filename +COPY ./oilykey/*.pub /home/finn/.ssh/authorized_keys + +RUN mkdir /var/run/sshd +RUN echo "PermitRootLogin no" >> /etc/ssh/sshd_config +RUN echo "PasswordAuthentication no" >> /etc/ssh/sshd_config + +COPY ./entrypoint.sh / + +ENTRYPOINT ["/entrypoint.sh"] diff --git a/sshtun/entrypoint.sh b/sshtun/entrypoint.sh new file mode 100755 index 0000000..55ebd77 --- /dev/null +++ b/sshtun/entrypoint.sh @@ -0,0 +1,8 @@ +#!/bin/bash +# Container goal: +# autossh -N -R 11111:localhost:11434 -i sshtun/oilykey/ -p 22222 +# forwards rem_c_port:(operator_pc:op_pc_port) ...some args... rem_host_p rem_host_url + +nohup socat TCP-LISTEN:11112,fork TCP:localhost:11111 & +/usr/sbin/sshd -D + From 8f8c0c140169188298c99fafd3effc6da8b5c12c Mon Sep 17 00:00:00 2001 From: finn Date: Fri, 9 Aug 2024 18:58:40 -0700 Subject: [PATCH 2/3] fix composes --- compose.yaml.local | 17 +++++++++++++++-- compose.yaml.prod | 17 +++++++++++++++-- 2 files changed, 30 insertions(+), 4 deletions(-) diff --git a/compose.yaml.local b/compose.yaml.local index 4b1bd31..fd2ce88 100644 --- a/compose.yaml.local +++ b/compose.yaml.local @@ -100,8 +100,8 @@ services: # - /home/finn/d/cert/var/lib/letsencrypt:/var/lib/letsencrypt:ro # - /home/finn/d/cert/etc/letsencrypt:/etc/letsencrypt:ro ports: - - 80:80 - - 443:443 + - "80:80" + - "443:443" depends_on: - backend networks: @@ -135,6 +135,19 @@ services: networks: - backnet + sshtun: + build: + context: sshtun + dockerfile: Dockerfile + restart: always + ports: + - "22222:22" + expose: + - "11111" + - "11112" + networks: + - frontnet + volumes: db-data: pmb-root: diff --git a/compose.yaml.prod b/compose.yaml.prod index bff8591..9eec933 100644 --- a/compose.yaml.prod +++ b/compose.yaml.prod 
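Review bot: The two `RUN echo ... >> /etc/ssh/sshd_config` lines only take effect if nothing earlier in the file sets the same keyword: sshd uses the first value it reads for a keyword, and Debian's stock `sshd_config` starts with `Include /etc/ssh/sshd_config.d/*.conf`, so an included or uncommented `PermitRootLogin`/`PasswordAuthentication` directive would silently win over the appended ones. A drop-in is robust to that ordering, e.g. `RUN printf 'PermitRootLogin no\nPasswordAuthentication no\n' > /etc/ssh/sshd_config.d/10-sshtun.conf`. Since the account exists only to hold one reverse forward, the same drop-in is the place for `AllowUsers finn`, `AllowTcpForwarding remote` and `PermitListen 11111`, which bound what a leaked key could do through the sshd that `compose.yaml` publishes on port 22222. The `.gitignore` entry and the `-i sshtun/oilykey/` note in `entrypoint.sh` suggest the private half of the key pair sits in the build context next to the `.pub` that `COPY` picks up; a `sshtun/.dockerignore` with `oilykey/*` and `!oilykey/*.pub` keeps it out of the context sent to the daemon. The `# only one pubkey` comment is load-bearing: with more than one `.pub` the `COPY` to a non-directory destination fails the build, which is worth stating in the comment.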
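Review bot: `/usr/sbin/sshd -D` is started as a child of the bash entrypoint instead of with `exec`, so bash stays PID 1, ignores the SIGTERM that `docker stop` sends, and the container is killed after the grace period rather than sshd shutting down cleanly; `exec /usr/sbin/sshd -D` fixes that with no other change. The backgrounded socat relay is unsupervised: if it exits, sshd keeps the container alive so `restart: always` never fires and peers on 11112 get connection refused with nothing in the logs; at minimum use `socat TCP-LISTEN:11112,fork,reuseaddr TCP:localhost:11111 &` so a restart is not blocked by lingering sockets, and log its exit status. `nohup` does nothing useful here since the script has no controlling terminal. The header comment would be clearer if it stated the data path in one line, e.g. `# frontnet peer -> :11112 (socat) -> 127.0.0.1:11111 (sshd -R forward) -> operator host`.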
@@ -100,8 +100,8 @@ services: - /home/finn/d/cert/var/lib/letsencrypt:/var/lib/letsencrypt:ro - /home/finn/d/cert/etc/letsencrypt:/etc/letsencrypt:ro ports: - - 80:80 - - 443:443 + - "80:80" + - "443:443" depends_on: - backend networks: @@ -135,6 +135,19 @@ services: networks: - backnet + sshtun: + build: + context: sshtun + dockerfile: Dockerfile + restart: always + ports: + - "22222:22" + expose: + - "11111" + - "11112" + networks: + - frontnet + volumes: db-data: pmb-root: From 60280917c659c5bf283100f5f327bfbe15da5071 Mon Sep 17 00:00:00 2001 From: finn Date: Sat, 10 Aug 2024 02:08:35 +0000 Subject: [PATCH 3/3] set default to prod --- compose.yaml | 8 +++---- proxy/conf | 60 +++++++++++++++++++++++++++++++++++++++++++--------- 2 files changed, 54 insertions(+), 14 deletions(-) diff --git a/compose.yaml b/compose.yaml index fd2ce88..9eec933 100644 --- a/compose.yaml +++ b/compose.yaml @@ -31,7 +31,7 @@ services: #tty: true restart: always # Comment following line to use flask (1worker, dev), uncomment to use uwsgi (wsgi) - #command: ["uwsgi", "--http", "0.0.0.0:8000", "--master", "-p", "4", "-w", "microblog:app"] + command: ["uwsgi", "--http", "0.0.0.0:8000", "--master", "-p", "4", "-w", "microblog:app"] container_name: backend environment: - MYSQL_USER=flasku @@ -96,9 +96,9 @@ services: proxy: build: proxy restart: always - #volumes: - # - /home/finn/d/cert/var/lib/letsencrypt:/var/lib/letsencrypt:ro - # - /home/finn/d/cert/etc/letsencrypt:/etc/letsencrypt:ro + volumes: + - /home/finn/d/cert/var/lib/letsencrypt:/var/lib/letsencrypt:ro + - /home/finn/d/cert/etc/letsencrypt:/etc/letsencrypt:ro ports: - "80:80" - "443:443" diff --git a/proxy/conf b/proxy/conf index 04abcd7..80f6015 100755 --- a/proxy/conf +++ b/proxy/conf 
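Review bot: Toggling dev and prod by editing the tracked `compose.yaml` is fragile: the new blob `9eec933` is byte-identical to `compose.yaml.prod` from PATCH 2/3, just as PATCH 1/3 had left it identical to `compose.yaml.local` (`fd2ce88`), and the intermediate commit had the TLS certificate volumes commented out, which is what a prod deploy in between would have picked up. Keeping `compose.yaml` as the prod file and expressing the local differences as an override (`docker compose -f compose.yaml -f compose.override.yaml`) means dev toggles never touch the prod file. A comment at the top of `compose.yaml` such as `# Production configuration; local development uses compose.yaml.local` would at least make the intent visible; the file header is outside these hunks.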
@@ -1,12 +1,52 @@ +#server { +# listen 80; +# server_name localhost; +# location / { +# proxy_pass http://backend:8000; +# } + + +# always redirect to https server { - listen 80; - server_name localhost; - location / { - proxy_pass http://backend:8000; - } - location /gutty{ - proxy_pass http://gitea:3000; - } - - + listen 80 default_server; + server_name _; + return 301 https://$host$request_uri; } + +server { + listen 443 ssl http2; + # use the certificates + ssl_certificate /etc/letsencrypt/live/oily.dad/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/oily.dad/privkey.pem; + server_name oily.dad www.oily.dad; + root /var/www/html; + index index.php index.html index.htm; + + + location / { + proxy_pass http://backend:8000/; + } +} + +server { + listen 443 ssl http2; + # use the certificates + ssl_certificate /etc/letsencrypt/live/oily.dad/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/oily.dad/privkey.pem; + server_name gut.oily.dad; + root /var/www/html; + index index.php index.html index.htm; + + location / { + client_max_body_size 512M; + #proxy_pass http://localhost:3000; + proxy_set_header Connection $http_connection; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://gitea:3000/; + } +} +
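Review bot: The restored `oily.dad` vhost proxies to `backend:8000` with no `proxy_set_header`, so the uwsgi backend sees the proxy container's address as the client and `http` as the scheme, while the `gut.oily.dad` vhost in the same hunk already sets the right headers. Add to the backend `location /`: `proxy_set_header Host $host;`, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`, `proxy_set_header X-Forwarded-Proto $scheme;` (plus `X-Real-IP` if the app logs it). Neither 443 vhost pins `ssl_protocols`, so the accepted TLS versions depend on the nginx build's default; `ssl_protocols TLSv1.2 TLSv1.3;` and an `add_header Strict-Transport-Security` line in both would make that explicit. The `root`/`index` directives in both vhosts are dead since every request is proxied, and the duplicated `ssl_certificate*` lines could move to the `http` level, which is outside this file.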