finn/site
2
1
Fork 1
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

initial re-commit to wipe commit histoy due to public repo

Browse Source
This commit is contained in:
finn 2024-07-06 21:10:44 +00:00
commit a20ba3505a
17 changed files with 465 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
gitea/*

9
LICENSE Normal file
View File

@ -0,0 +1,9 @@
MIT License
Copyright (c) 2024 finn
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

66
README.md Normal file
View File

@ -0,0 +1,66 @@
# Site Setup
### Sec:
* This repo is public. Mind cred slip-ups.
* Please note changes to /etc/sshd/sshd_conf made by lll script. If different method is used, audit manually.
* Note app Dockerfile debug console, found at /console. Werkzeug/flask is WILDLY insecure if left in dev/dbg.
* Avoid docker socks stuff.
### Install:
apt install unattended-upgrades docker.io docker-compose ufw ssh
apt install vim git tmux htop
Install? PROBABLY NOT, this runs entirely in alpine and would be nice to isolate:
apt install python3-flask python3-full pip
pip install mysql-connector-python
### Admin general:
usermod -aG docker finn
### Admin firewall:
ufw default deny incoming
ufw default allow outgoing
ufw allow "OpenSSH"
ufw allow "WWW Full"
ufw enable
### Admin dns:
set up domainUpdate script\
set up cron job for script
### Filesystem:
docker dir (d)
certbot dns
tmp for awesome compose or compose sandboxing
site (main dc) TRACKED HERE
db - holds init script
proxy - important conf
backend - app
gitea - managed primarily by gitea
other - ref and non-sensitive files for dns
### Timeline:
set up certbot dns\
see tar of cert dir with script
### Notes:
This repo is minimally-sensitive. Falling outside the repo dir structure are reference awesome-compose files used as baseline -- nginx-flask-mysql -- and certs, containing letsencrypt script. Script may be backed up into repo carefully, sanitizing any tkens.
TODO: gitea subdomain will require wildcard cert -- therefore "*.oily.dad" AND "oily.dad" DONE
### Changing gitea subdomain:
Find in proxy/conf.\
Find in gitea conf.\
Rebuild images.

23
backend/Dockerfile Executable file
View File

@ -0,0 +1,23 @@
# syntax=docker/dockerfile:1.4
FROM python:3-alpine AS builder
WORKDIR /code
COPY requirements.txt /code
RUN target=/root/.cache/pip \
pip3 install -r requirements.txt
COPY . .
ENV FLASK_APP app.py
# This might be scary to leave on
#ENV FLASK_ENV development
ENV FLASK_RUN_PORT 8000
ENV FLASK_RUN_HOST 0.0.0.0
RUN flask --version
EXPOSE 8000
CMD ["flask", "run"]

59
backend/app.py Executable file
View File

@ -0,0 +1,59 @@
import os
from datetime import datetime
from flask import Flask
import mysql.connector
class DBManager:
def __init__(self, database='flask', host="db", user="flasku", password="flaskp"):
envuser = os.getenv("MYSQL_USER")
envpass = os.getenv("MYSQL_PASSWORD")
#printf("DEBUG:" + envuser + envpass)
self.connection = mysql.connector.connect(
user=envuser,
#user=user,
password=envpass,
#password=password,
host=host, # name of the mysql service as set in the docker compose file
database=database
#auth_plugin='mysql_native_password'
)
self.cursor = self.connection.cursor()
def populate_db(self):
self.cursor.execute('DROP TABLE IF EXISTS blog')
self.cursor.execute('CREATE TABLE blog (id INT AUTO_INCREMENT PRIMARY KEY, title VARCHAR(255))')
self.cursor.executemany('INSERT INTO blog (id, title) VALUES (%s, %s);', [(i, 'Database entry #%d'% i) for i in range (1,5)])
self.connection.commit()
def query_titles(self):
self.cursor.execute('SELECT title FROM blog')
rec = []
for c in self.cursor:
rec.append(c[0])
return rec
server = Flask(__name__)
conn = None
@server.route('/')
def listBlog():
global conn
if not conn:
conn = DBManager()
conn.populate_db()
rec = conn.query_titles()
response = ''
for c in rec:
response = response + '<div> Log: ' + c + '</div>'
dt = datetime.now()
dtFormatted = dt.strftime("%Y-%m-%d %H:%M")
response = response + '<div>Delta: ' + dtFormatted + '</div>'
return response
if __name__ == '__main__':
server.run()

3
backend/requirements.txt Executable file
View File

@ -0,0 +1,3 @@
Flask==3.0.3
Werkzeug==3.0.3
mysql-connector-python

2
backend/requirements.txt.orig Executable file
View File

@ -0,0 +1,2 @@
Flask==2.0.1
mysql-connector==2.2.9

95
compose.yaml Normal file
View File

@ -0,0 +1,95 @@
services:
db:
image: mariadb:10-focal
#command: '--default-authentication-plugin=mysql_native_password'
restart: always
healthcheck:
test: ['CMD-SHELL', 'mysqladmin ping -h 127.0.0.1 --password="rootpass" --silent']
interval: 3s
retries: 5
start_period: 30s
volumes:
- db-data:/var/lib/mysql
- "./db/init:/docker-entrypoint-initdb.d/"
networks:
- backnet
environment:
#- MYSQL_DATABASE=gitea
#- MYSQL_USER=gitea
#- MYSQL_PASSWORD=gitea
- MYSQL_ROOT_PASSWORD=rootpass
expose:
- 3306
- 33060
backend:
build:
context: backend
target: builder
restart: always
environment:
- MYSQL_USER=flasku
- MYSQL_PASSWORD=flaskp
#ports:
# - 8000:8000
expose:
- 8000
networks:
- backnet
- frontnet
depends_on:
db:
condition: service_healthy
gutsub:
image: gitea/gitea:latest
container_name: gitea
restart: always
environment:
- USER_UID=1000
- USER_GID=1000
- GITEA__database__DB_TYPE=mysql
- GITEA__database__HOST=db:3306
- GITEA__database__NAME=gitea
- GITEA__database__USER=gitea
- GITEA__database__PASSWD=giteap
- GITEA__repository__DEFAULT_BRANCH=master
#- GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION_API=true
# To disable new users after setup:
#- GITEA__service__DISABLE_REGISTRATION=false
networks:
- backnet
- frontnet
volumes:
- ./gitea:/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
#ports:
# - "3000:3000"
# - "222:22"
depends_on:
db:
condition: service_healthy
proxy:
build: proxy
restart: always
volumes:
- /home/finn/d/cert/var/lib/letsencrypt:/var/lib/letsencrypt
- /home/finn/d/cert/etc/letsencrypt:/etc/letsencrypt
ports:
- 80:80
- 443:443
depends_on:
- backend
networks:
- frontnet
volumes:
db-data:
networks:
backnet:
frontnet:

12
db/init/01-databases.sql Normal file
View File

@ -0,0 +1,12 @@
-- create databases
CREATE DATABASE IF NOT EXISTS `gitea`;
CREATE DATABASE IF NOT EXISTS `flask`;
-- create root user and grant rights
CREATE USER 'gitea' IDENTIFIED BY 'giteap';
CREATE USER 'flasku' IDENTIFIED BY 'flaskp';
--CREATE USER 'gitea'@'localhost' IDENTIFIED BY 'gitea';
--GRANT ALL ON `gitea` TO 'gitea'@'localhost';
GRANT ALL ON gitea.* TO 'gitea';
GRANT ALL ON flask.* TO 'flasku';

79
nfmREADME.md Normal file
View File

@ -0,0 +1,79 @@
## Compose sample application
### Python/Flask with Nginx proxy and MySQL database
Project structure:
```
.
├── compose.yaml
├── flask
│   ├── Dockerfile
│   ├── requirements.txt
│   └── server.py
└── nginx
   └── nginx.conf
```
[_compose.yaml_](compose.yaml)
```
services:
backend:
build:
context: backend
target: builder
...
db:
# We use a mariadb image which supports both amd64 & arm64 architecture
image: mariadb:10-focal
# If you really want to use MySQL, uncomment the following line
#image: mysql:8
...
proxy:
build: proxy
...
```
The compose file defines an application with three services `proxy`, `backend` and `db`.
When deploying the application, docker compose maps port 80 of the proxy service container to port 80 of the host as specified in the file.
Make sure port 80 on the host is not already being in use.
> **_INFO_**
> For compatibility purpose between `AMD64` and `ARM64` architecture, we use a MariaDB as database instead of MySQL.
> You still can use the MySQL image by uncommenting the following line in the Compose file
> `#image: mysql:8`
## Deploy with docker compose
```
$ docker compose up -d
Creating network "nginx-flask-mysql_default" with the default driver
Pulling db (mysql:8.0.19)...
5.7: Pulling from library/mysql
...
...
WARNING: Image for service proxy was built because it did not already exist. To rebuild this image you must use `docker-compose build` or `docker-compose up --build`.
Creating nginx-flask-mysql_db_1 ... done
Creating nginx-flask-mysql_backend_1 ... done
Creating nginx-flask-mysql_proxy_1 ... done
```
## Expected result
Listing containers should show three containers running and the port mapping as below:
```
$ docker compose ps
NAME COMMAND SERVICE STATUS PORTS
nginx-flask-mysql-backend-1 "flask run" backend running 0.0.0.0:8000->8000/tcp
nginx-flask-mysql-db-1 "docker-entrypoint.s…" db running (healthy) 3306/tcp, 33060/tcp
nginx-flask-mysql-proxy-1 "nginx -g 'daemon of…" proxy running 0.0.0.0:80->80/tcp
```
After the application starts, navigate to `http://localhost:80` in your web browser or run:
```
$ curl localhost:80
<div>Blog post #1</div><div>Blog post #2</div><div>Blog post #3</div><div>Blog post #4</div>
```
Stop and remove the containers
```
$ docker compose down
```

13
other/cbd.sh Executable file
View File

@ -0,0 +1,13 @@
#!/bin/bash
# Need to try next with arg --user 1000:1000 Nope, fails internall even with extra args
# For me, use certbot@hod
docker run -it --rm --name certbot \
-v "/home/finn/d/cert/etc/letsencrypt:/etc/letsencrypt" \
-v "/home/finn/d/cert/var/lib/letsencrypt:/var/lib/letsencrypt" \
certbot/dns-linode certonly \
--dns-linode \
--dns-linode-credentials /etc/letsencrypt/ddnscred.txt \
-d "oily.dad" \
-d "*.oily.dad"

4
other/ddnscred.txt.sterile Normal file
View File

@ -0,0 +1,4 @@
# Base ddns token
dns_linode_key = 1234
dns_linode_version = 4

24
other/haphazard_reboot.sh Executable file
View File

@ -0,0 +1,24 @@
#!/bin/bash
# Random Reboot after minimum uptime script
# Flat 1 in $CHANCE chance of reboot -- crontab freq matters.
# Expected per hour run
# 1000000 is one day
# chance 192 is average 8 day
MIN_UT=4000000
CHANCE=192
UPTIMEVAL=$(uptime | cut -f 2 -d ' ' | sed "s/://g")
echo "Flat uptime:$UPTIMEVAL"
#UPTIMEVAL=220000
if [[ $UPTIMEVAL -gt $MIN_UT ]] ; then
echo "gt success, now random"
if [[ $(( $RANDOM % 48 )) == 0 ]] ; then
echo "random success"
reboot
fi
fi

13
other/renew.sh Executable file
View File

@ -0,0 +1,13 @@
#!/bin/bash
# Need to try next with arg --user 1000:1000 Nope, fails internall even with extra args
# For me, use certbot@hod
# RENEW SCRIPT
docker run -it --rm --name certbot \
-v "/home/finn/d/cert/etc/letsencrypt:/etc/letsencrypt" \
-v "/home/finn/d/cert/var/lib/letsencrypt:/var/lib/letsencrypt" \
certbot/dns-linode renew \
--dns-linode \
--dns-linode-credentials /etc/letsencrypt/ddnscred.txt \
--dry-run

2
proxy/Dockerfile Executable file
View File

@ -0,0 +1,2 @@
FROM nginx:alpine
COPY conf /etc/nginx/conf.d/default.conf

52
proxy/conf Executable file
View File

@ -0,0 +1,52 @@
#server {
# listen 80;
# server_name localhost;
# location / {
# proxy_pass http://backend:8000;
# }
# always redirect to https
server {
listen 80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
# use the certificates
ssl_certificate /etc/letsencrypt/live/oily.dad/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/oily.dad/privkey.pem;
server_name oily.dad www.oily.dad;
root /var/www/html;
index index.php index.html index.htm;
location / {
proxy_pass http://backend:8000/;
}
}
server {
listen 443 ssl http2;
# use the certificates
ssl_certificate /etc/letsencrypt/live/oily.dad/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/oily.dad/privkey.pem;
server_name gut.oily.dad;
root /var/www/html;
index index.php index.html index.htm;
location / {
client_max_body_size 512M;
#proxy_pass http://localhost:3000;
proxy_set_header Connection $http_connection;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://gitea:3000/;
}
}

8
proxy/oldconf Executable file
View File

@ -0,0 +1,8 @@
server {
listen 80;
server_name localhost;
location / {
proxy_pass http://backend:8000;
}
}