diff --git a/.gitignore b/.gitignore
index 541eeaa..5afb6e5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,8 @@
-gitea/
+gitea
 .env
-pmb-pf/
+pmb-pf
 venv
 zapp.db
 db/bu
-tor/hidden_service/
+tor/hidden_service
+sshtun/oilykey
diff --git a/compose.yaml b/compose.yaml
index bff8591..fd2ce88 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -31,7 +31,7 @@ services:
 #tty: true
 restart: always
 # Comment following line to use flask (1worker, dev), uncomment to use uwsgi (wsgi)
- command: ["uwsgi", "--http", "0.0.0.0:8000", "--master", "-p", "4", "-w", "microblog:app"]
+ #command: ["uwsgi", "--http", "0.0.0.0:8000", "--master", "-p", "4", "-w", "microblog:app"]
 container_name: backend
 environment:
 - MYSQL_USER=flasku
@@ -96,12 +96,12 @@ services:
 proxy:
 build: proxy
 restart: always
- volumes:
- - /home/finn/d/cert/var/lib/letsencrypt:/var/lib/letsencrypt:ro
- - /home/finn/d/cert/etc/letsencrypt:/etc/letsencrypt:ro
+ #volumes:
+ # - /home/finn/d/cert/var/lib/letsencrypt:/var/lib/letsencrypt:ro
+ # - /home/finn/d/cert/etc/letsencrypt:/etc/letsencrypt:ro
 ports:
- - 80:80
- - 443:443
+ - "80:80"
+ - "443:443"
 depends_on:
 - backend
 networks:
@@ -135,6 +135,19 @@ services:
 networks:
 - backnet
 
+ sshtun:
+ build:
+ context: sshtun
+ dockerfile: Dockerfile
+ restart: always
+ ports:
+ - "22222:22"
+ expose:
+ - "11111"
+ - "11112"
+ networks:
+ - frontnet
+
 volumes:
 db-data:
 pmb-root:
diff --git a/proxy/conf b/proxy/conf
index 80f6015..04abcd7 100755
--- a/proxy/conf
+++ b/proxy/conf
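Review bot: The proxy service still publishes `- "443:443"` even though this commit comments out the letsencrypt volumes and, in the proxy/conf hunk of the same commit, removes both `listen 443 ssl` servers, so host port 443 is now mapped to a container with nothing listening on it. Either drop the `- "443:443"` line or keep a TLS server; as committed, the site and the gitea proxy are reachable only over plain HTTP on 80 with no redirect, so session cookies and gitea credentials cross the network unencrypted anywhere this runs beyond localhost. If this is a deliberate local-only configuration, a one-line comment above `ports:` such as `# TLS disabled: local/dev only, see proxy/conf` would keep the next reader from assuming 443 is served.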
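Review bot: The `expose` list names `"11111"`, but per the comment in sshtun/entrypoint.sh the reverse forward is opened with `-R 11111:...` and no bind address, which with sshd's default `GatewayPorts no` binds that port on the container's loopback only, so 11111 is not reachable from other containers and only the socat-bridged `"11112"` is; the `"11111"` entry is misleading and can be dropped, or a comment should say that 11112 is the port other services talk to. `"22222:22"` binds the sshd on every host interface; if the operator side connects from a known address, `"HOST_IP_PLACEHOLDER:22222:22"` (placeholder) or a host firewall rule keeps it from being world-reachable. Putting sshtun on `frontnet` also makes the forwarded port reachable by every service on that network, not only the intended consumer, which is worth naming in a comment on the `networks:` entry.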
@@ -1,52 +1,12 @@
-#server {
-# listen 80;
-# server_name localhost;
-# location / {
-# proxy_pass http://backend:8000;
-# }
-
-
-# always redirect to https
 server {
- listen 80 default_server;
- server_name _;
- return 301 https://$host$request_uri;
+ listen 80;
+ server_name localhost;
+ location / {
+ proxy_pass http://backend:8000;
+ }
+ location /gutty{
+ proxy_pass http://gitea:3000;
+ }
+
+
 }
-
-server {
- listen 443 ssl http2;
- # use the certificates
- ssl_certificate /etc/letsencrypt/live/oily.dad/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/oily.dad/privkey.pem;
- server_name oily.dad www.oily.dad;
- root /var/www/html;
- index index.php index.html index.htm;
-
-
- location / {
- proxy_pass http://backend:8000/;
- }
-}
-
-server {
- listen 443 ssl http2;
- # use the certificates
- ssl_certificate /etc/letsencrypt/live/oily.dad/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/oily.dad/privkey.pem;
- server_name gut.oily.dad;
- root /var/www/html;
- index index.php index.html index.htm;
-
- location / {
- client_max_body_size 512M;
- #proxy_pass http://localhost:3000;
- proxy_set_header Connection $http_connection;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_pass http://gitea:3000/;
- }
-}
-
diff --git a/sshtun/Dockerfile b/sshtun/Dockerfile
new file mode 100644
index 0000000..602bacd
--- /dev/null
+++ b/sshtun/Dockerfile
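Review bot: The new `location /gutty{` block sends requests to `proxy_pass http://gitea:3000;` with no URI part, so the `/gutty` prefix is passed through to gitea; unless gitea's ROOT_URL is configured for that sub-path (not visible here) those requests 404, whereas the removed block's `proxy_pass http://gitea:3000/;` stripped the prefix, and whichever is intended should be stated in a comment. The block also drops every `proxy_set_header` the old gitea server carried (`Host`, `X-Real-IP`, `X-Forwarded-For`, `X-Forwarded-Proto`, `Upgrade`/`Connection`) plus `client_max_body_size 512M`, so gitea now records the proxy's address as the client in its logs and rate limiting, builds links with the wrong host, and pushes larger than nginx's 1M default body limit are rejected. Restoring the headers and the body limit in the new location, and writing `location /gutty {` with the conventional space before the brace, keeps the behavior the old 443 server had.

```nginx
    location /gutty {
        client_max_body_size 512M;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        # keep or strip the /gutty prefix to match gitea's ROOT_URL
        proxy_pass http://gitea:3000;
    }
```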
@@ -0,0 +1,18 @@
+FROM debian:12-slim
+
+RUN apt update && apt install -y openssh-server socat
+
+RUN adduser --disabled-password --gecos "" finn
+
+RUN mkdir /home/finn/.ssh
+
+# only one pubkey -- wildcard to conceal filename
+COPY ./oilykey/*.pub /home/finn/.ssh/authorized_keys
+
+RUN mkdir /var/run/sshd
+RUN echo "PermitRootLogin no" >> /etc/ssh/sshd_config
+RUN echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
+
+COPY ./entrypoint.sh /
+
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/sshtun/entrypoint.sh b/sshtun/entrypoint.sh
new file mode 100755
index 0000000..55ebd77
--- /dev/null
+++ b/sshtun/entrypoint.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# Container goal:
+# autossh -N -R 11111:localhost:11434 -i sshtun/oilykey/ -p 22222
+# forwards rem_c_port:(operator_pc:op_pc_port) ...some args... rem_host_p rem_host_url
+
+nohup socat TCP-LISTEN:11112,fork TCP:localhost:11111 &
+/usr/sbin/sshd -D
+
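Review bot: The two `RUN echo ... >> /etc/ssh/sshd_config` lines append to the end of the file, but sshd uses the first value it obtains for each keyword and Debian's stock config begins with `Include /etc/ssh/sshd_config.d/*.conf`, so any earlier directive or drop-in silently takes precedence over these appended lines. A drop-in such as `RUN printf 'PermitRootLogin no\nPasswordAuthentication no\n' > /etc/ssh/sshd_config.d/00-tunnel.conf` puts the settings where they are read first. Since the container exists to terminate one reverse tunnel for one user, the same drop-in is the place for `AllowUsers finn`, `AllowTcpForwarding remote` and `PermitListen 11111`, which limit an accepted key to exactly the forward described in entrypoint.sh. Host keys are presumably generated by the openssh-server package at `docker build` time and baked into the image, so every container started from it (and anyone holding the image) shares the same private host keys; generating them at first start in the entrypoint (`ssh-keygen -A` when absent, backed by a volume for /etc/ssh) avoids that.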
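Review bot: `/usr/sbin/sshd -D` on the last line runs as a child of the bash entrypoint rather than replacing it, so the SIGTERM from `docker stop` reaches bash, which does not forward it to a foreground child, and the container is killed after the stop timeout instead of shutting sshd down cleanly; change it to `exec /usr/sbin/sshd -D`. The backgrounded `nohup socat TCP-LISTEN:11112,fork TCP:localhost:11111 &` is unsupervised: if socat exits, sshd keeps the container alive with port 11112 dead and `restart: always` never fires, so either make socat the foreground process with sshd in the background or wrap both in a `wait -n` loop that exits when either dies. The comment on line three also points `-i` at the directory `sshtun/oilykey/` rather than a private key file, which will not work if copied verbatim.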