Compare commits


4 Commits

Author SHA1 Message Date
c116021b29 checkpoint build fixes for pmb and be 2026-03-19 16:03:12 -07:00
d813c3c70e update proxy 2026-03-19 15:02:05 -07:00
854b7a2338 update db helper 2026-03-19 14:52:24 -07:00
901e5b29b6 add nc to network 2026-03-19 14:46:30 -07:00
20 changed files with 191 additions and 353 deletions

2
.gitignore vendored

@@ -1,8 +1,6 @@
gitea gitea
.env .env
pmb-pf pmb-pf
stump
kavita
venv venv
zapp.db zapp.db
db/bu db/bu


@@ -19,18 +19,15 @@ Install? PROBABLY NOT, this runs entirely in alpine and would be nice to isolate
### Admin general: ### Admin general:
- `usermod -aG docker finn` usermod -aG docker finn
- edit `/etc/systemd/journald.conf`
- set or append `SystemMaxUse=500M`
### Admin firewall: ### Admin firewall:
```
ufw default deny incoming ufw default deny incoming
ufw default allow outgoing ufw default allow outgoing
ufw allow "OpenSSH" ufw allow "OpenSSH"
ufw allow "WWW Full" ufw allow "WWW Full"
ufw enable ufw enable
```
### Admin dns: ### Admin dns:


@@ -1,9 +1,9 @@
# syntax=docker/dockerfile:1.4 # syntax=docker/dockerfile:1.4
FROM python:3-slim-bookworm AS builder FROM python:3.12-slim-bookworm AS builder
# Second line optional/debug/qol # Second line optional/debug/qol
RUN apt update && apt install -y \ RUN apt update && apt install -y \
libmariadb-dev gcc \ libmariadb-dev gcc python3-setuptools \
mariadb-client mariadb-client
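Review bot: The install step on the new side still runs `apt update && apt install -y` with no `--no-install-recommends` and no cleanup of `/var/lib/apt/lists` in the same layer, so the builder layer keeps the full package index plus recommended packages. Pinning the base to `python:3.12-slim-bookworm` instead of the floating `python:3` tag is an improvement; the same care applied to the install would be `RUN apt-get update && apt-get install -y --no-install-recommends \` with the package list unchanged and `&& rm -rf /var/lib/apt/lists/*` closing the command. The hunk header covers nine lines but only six are rendered here, so the tail of this RUN is not visible in this view.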


@@ -1,28 +1,28 @@
alembic alembic==1.13.2
blinker blinker==1.8.2
click click==8.1.7
dnspython dnspython==2.6.1
email_validator email_validator==2.2.0
Flask Flask==3.0.3
Flask-Login Flask-Login==0.6.3
Flask-Mail Flask-Mail==0.10.0
Flask-Migrate Flask-Migrate==4.0.7
Flask-SQLAlchemy Flask-SQLAlchemy==3.1.1
Flask-WTF Flask-WTF==1.2.1
greenlet greenlet==3.0.3
idna idna==3.7
itsdangerous itsdangerous==2.2.0
Jinja2 Jinja2==3.1.4
Mako Mako==1.3.5
mariadb mariadb==1.1.10
MarkupSafe MarkupSafe==2.1.5
packaging packaging==24.1
pillow pillow==10.4.0
pydenticon pydenticon==0.3.1
PyJWT PyJWT==2.9.0
python-dotenv python-dotenv==1.0.1
SQLAlchemy SQLAlchemy==2.0.31
typing_extensions typing_extensions==4.12.2
uWSGI uWSGI==2.0.26
Werkzeug Werkzeug==3.0.3
WTForms WTForms==3.1.2
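Review bot: The new pin `uWSGI==2.0.26` is older than the `uWSGI==2.0.28` in the pinned requirements file this compare deletes (the `@@ -1,28 +0,0 @@` section below), so the net effect is a uWSGI downgrade rather than a straight move of the pins; every other line matches between the two files. If the downgrade is unintended, the line should read `uWSGI==2.0.28`. Exact pins are a good step; adding `--hash=sha256:<digest>` entries per line (pip hash-checking mode) would further tie installs to the reviewed artifacts rather than to version numbers alone.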


@@ -1,28 +0,0 @@
alembic==1.13.2
blinker==1.8.2
click==8.1.7
dnspython==2.6.1
email_validator==2.2.0
Flask==3.0.3
Flask-Login==0.6.3
Flask-Mail==0.10.0
Flask-Migrate==4.0.7
Flask-SQLAlchemy==3.1.1
Flask-WTF==1.2.1
greenlet==3.0.3
idna==3.7
itsdangerous==2.2.0
Jinja2==3.1.4
Mako==1.3.5
mariadb==1.1.10
MarkupSafe==2.1.5
packaging==24.1
pillow==10.4.0
pydenticon==0.3.1
PyJWT==2.9.0
python-dotenv==1.0.1
SQLAlchemy==2.0.31
typing_extensions==4.12.2
uWSGI==2.0.28
Werkzeug==3.0.3
WTForms==3.1.2


@@ -31,7 +31,7 @@ services:
#tty: true #tty: true
restart: always restart: always
# Comment following line to use flask (1worker, dev), uncomment to use uwsgi (wsgi) # Comment following line to use flask (1worker, dev), uncomment to use uwsgi (wsgi)
#command: ["uwsgi", "--http", "0.0.0.0:8000", "--master", "-p", "4", "--buffer-size", "16384", "--limit-as", "2048", "-w", "microblog:app"] #command: ["uwsgi", "--http", "0.0.0.0:8000", "--master", "-p", "4", "-w", "microblog:app"]
container_name: backend container_name: backend
environment: environment:
- MYSQL_USER=flasku - MYSQL_USER=flasku
@@ -99,9 +99,9 @@ services:
proxy: proxy:
build: proxy build: proxy
restart: always restart: always
volumes: #volumes:
- /home/finn/d/cert/var/lib/letsencrypt:/var/lib/letsencrypt:ro # - /home/finn/d/cert/var/lib/letsencrypt:/var/lib/letsencrypt:ro
- /home/finn/d/cert/etc/letsencrypt:/etc/letsencrypt:ro # - /home/finn/d/cert/etc/letsencrypt:/etc/letsencrypt:ro
ports: ports:
- "80:80" - "80:80"
- "443:443" - "443:443"
@@ -121,11 +121,11 @@ services:
- frontnet - frontnet
pmb: pmb:
#build: build:
# args: args:
# GPG_PP: $BUILD_GPG_PP GPG_PP: $BUILD_GPG_PP
# context: pmb-pf context: pmb-pf
# dockerfile: Dockerfile dockerfile: Dockerfile
image: site_pmb:latest image: site_pmb:latest
expose: expose:
- "25" - "25"
@@ -138,34 +138,6 @@ services:
networks: networks:
- backnet - backnet
stump:
image: aaronleopold/stump
#image: aaronleopold/stump:nightly
container_name: stump
# Replace my paths (prior to the colons) with your own
volumes:
- ./stump:/config
#- /mnt/hub/rocky-remote/st/rockybookshare/:/rocky-remote
#- /mnt/hub/rocky-remote/st/briebookshare/:/rocky-redundant
#- /mnt/hub/brie-remote/st/bookshare:/brie-remote
- /home/armbian/mnt/gouda/st/data/:/bookshare/gouda
- /home/armbian/mnt/rocky/st/data/:/bookshare/rocky
#ports:
# - 10801:10801
environment:
- PUID=1000
- PGID=1000
- STUMP_ENABLE_UPLOAD=true
- ENABLE_KOREADER_SYNC=true
- ENABLE_OPDS_PROGRESSION=true
- STUMP_MAX_SCANNER_CONCURRENCY=2
- STUMP_MAX_THUMBNAIL_CONCURRENCY=1
- STUMP_VERBOSITY=1
restart: unless-stopped
networks:
- frontnet
- backnet
sshtun: sshtun:
build: build:
context: sshtun context: sshtun
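Review bot: The `pmb` service now passes `GPG_PP: $BUILD_GPG_PP` as a build `args:` entry (the `@@ -121,11 +121,11 @@` hunk); a build argument is recorded in the image's layer history (`docker history` shows the ARG value on every RUN line that consumes it), so a GPG passphrase supplied this way is readable by anyone who can pull or inspect `site_pmb:latest`. A BuildKit secret keeps it out of the image: declare it under `build: secrets:` with a top-level `secrets:` entry in compose and read it in the Dockerfile via `RUN --mount=type=secret,id=gpg_pp ...` — the `pmb-pf` Dockerfile is not in this compare, so I cannot see how the arg is consumed. Separately, commenting out both letsencrypt `volumes:` on `proxy` while still publishing `"443:443"` leaves that port published with no certificate material mounted; whether anything listens on 443 depends on which nginx config the proxy image installs. The `stump` service removal looks intentional given the matching `.gitignore` cleanup.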


@@ -81,7 +81,7 @@ services:
- GITEA__server__LANDING_PAGE=explore - GITEA__server__LANDING_PAGE=explore
- GITEA__ui__REACTIONS="+1, -1, fu, heart, laugh, confused, hooray, eyes, gun, boom, poop, kiss, rocket, bomb, chart_with_downwards_trend, eggplant" - GITEA__ui__REACTIONS="+1, -1, fu, heart, laugh, confused, hooray, eyes, gun, boom, poop, kiss, rocket, bomb, chart_with_downwards_trend, eggplant"
# To disable new users after setup: # To disable new users after setup:
- GITEA__service__DISABLE_REGISTRATION=false - GITEA__service__DISABLE_REGISTRATION=true
networks: networks:
- backnet - backnet
- frontnet - frontnet


@@ -1,12 +1,15 @@
-- create databases -- create databases
CREATE DATABASE IF NOT EXISTS `gitea`; CREATE DATABASE IF NOT EXISTS `gitea`;
CREATE DATABASE IF NOT EXISTS `flask`; CREATE DATABASE IF NOT EXISTS `flask`;
CREATE DATABASE IF NOT EXISTS `nextcloud`;
-- create root user and grant rights -- create root user and grant rights
CREATE USER 'gitea'@'gitea.backnet' IDENTIFIED BY 'giteap'; CREATE USER IF NOT EXISTS 'gitea'@'gitea.backnet' IDENTIFIED BY 'giteap';
CREATE USER 'flasku'@'backend.backnet' IDENTIFIED BY 'flaskp'; CREATE USER IF NOT EXISTS 'flasku'@'backend.backnet' IDENTIFIED BY 'flaskp';
CREATE USER IF NOT EXISTS 'nextcloud'@'nextcloud.backnet' IDENTIFIED BY 'nextcloudp';
--CREATE USER 'gitea'@'localhost' IDENTIFIED BY 'gitea'; --CREATE USER 'gitea'@'localhost' IDENTIFIED BY 'gitea';
--GRANT ALL ON `gitea` TO 'gitea'@'localhost'; --GRANT ALL ON `gitea` TO 'gitea'@'localhost';
GRANT ALL ON gitea.* TO 'gitea'@'gitea.backnet'; GRANT ALL ON gitea.* TO 'gitea'@'gitea.backnet';
GRANT ALL ON flask.* TO 'flasku'@'backend.backnet'; GRANT ALL ON flask.* TO 'flasku'@'backend.backnet';
GRANT ALL ON nextcloud.* TO 'nextcloud'@'nextcloud.backnet';
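Review bot: The new `CREATE USER IF NOT EXISTS 'nextcloud'@'nextcloud.backnet' IDENTIFIED BY 'nextcloudp'` (and the same change on the `gitea` and `flasku` lines) makes the script re-runnable, but `IF NOT EXISTS` also means a later password edit in this file is silently ignored for a user that already exists; if rotation through this file is expected, a following `ALTER USER 'nextcloud'@'nextcloud.backnet' IDENTIFIED BY '...';` is the statement that actually applies it. The same literal `nextcloudp` appears in the `dotenv` section below as `DOTENV_MYSQL_NEXTCLOUD_PASSWORD`, so the two files must be edited together; a comment here naming that coupling, e.g. `-- password must match DOTENV_MYSQL_NEXTCLOUD_PASSWORD in dotenv`, would help. The comment `-- create root user and grant rights` no longer describes what follows, which creates per-service users rather than root. Scoping each user to its own database with `GRANT ALL ON nextcloud.*` is the right shape.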

4
dotenv

@@ -31,4 +31,8 @@ FLASK_ADMIN_EMAIL="git@aaa"
FLASK_JWT_PHRASE="jwtphrase" FLASK_JWT_PHRASE="jwtphrase"
FLASK_REAL_HOSTNAME="localhost" FLASK_REAL_HOSTNAME="localhost"
# Nextcloud:
DOTENV_MYSQL_NEXTCLOUD_PASSWORD="nextcloudp"
DOTENV_NEXTCLOUD_ADMIN_PASSWORD="adminp"
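Review bot: `DOTENV_NEXTCLOUD_ADMIN_PASSWORD="adminp"` ships a literal admin credential for the new Nextcloud service in a tracked file; this file appears to be the template for the git-ignored `.env` (the `.gitignore` section lists `.env`), but nothing in the hunk marks the value as a placeholder. A comment above the two new keys such as `# placeholders -- set real values in .env before first start` would make the intent clear. If the value feeds the official nextcloud image's admin-password variable, it is presumably applied only at first install, so it has to be correct before the container is first initialised — not visible from this compare.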


@@ -1,5 +0,0 @@
rclone ls :sftp: \
--sftp-host=localhost \
--sftp-port=11111 \
--sftp-user=armbian \
--sftp-key-file=/home/armbian/.ssh/armbian-brie-202604


@@ -1,72 +0,0 @@
# Global options
{
# Disable auto HTTPS since we're using existing certificates
auto_https off
}
# HTTP to HTTPS redirect
:80 {
redir https://{host}{uri} permanent
}
# Main domain - oily.dad and www.oily.dad
oily.dad, www.oily.dad {
# Root directory (not strictly needed for reverse proxy)
root * /var/www/html
# Use existing SSL certificates
tls /etc/letsencrypt/live/oily.dad/fullchain.pem /etc/letsencrypt/live/oily.dad/privkey.pem
# Onion-Location header
header Onion-Location http://oilydada7ckiseinkbeathsefwgkvjrce743xy7x7iiybkuxh4vheead.onion{path}
# Reverse proxy to backend
reverse_proxy http://backend:8000 {
# Preserve original host header
header_up Host {host}
header_up X-Real-IP {remote}
# X-Forwarded-For and X-Forwarded-Proto are set automatically by Caddy
}
}
# Subdomain for Gitea - gut.oily.dad
gut.oily.dad {
# Use existing SSL certificates
tls /etc/letsencrypt/live/oily.dad/fullchain.pem /etc/letsencrypt/live/oily.dad/privkey.pem
# Reverse proxy to Gitea
reverse_proxy http://gitea:3000 {
# WebSocket support for Gitea
header_up Connection {>Connection}
header_up Upgrade {>Upgrade}
# Preserve original headers
header_up Host {host}
header_up X-Real-IP {remote}
# X-Forwarded-For and X-Forwarded-Proto are set automatically by Caddy
}
}
# Subdomain for Stump - stump.oily.dad
stump.oily.dad {
# kavita supports gzip seems to work with stump
encode gzip
# Use existing SSL certificates
tls /etc/letsencrypt/live/oily.dad/fullchain.pem /etc/letsencrypt/live/oily.dad/privkey.pem
# Reverse proxy to Stump
reverse_proxy http://stump:10801 {
#reverse_proxy http://kavita:5000 {
# WebSocket support for Stump (if needed)
header_up Connection {>Connection}
header_up Upgrade {>Upgrade}
# Preserve original headers
header_up Host {host}
header_up X-Real-IP {remote}
# X-Forwarded-For and X-Forwarded-Proto are set automatically by Caddy
}
}


@@ -1,65 +0,0 @@
# Global options
{
# Disable auto HTTPS since we're using existing certificates
auto_https off
}
# HTTP to HTTPS redirect
:80 {
redir https://{host}{uri} permanent
}
# Main domain - oily.dad and www.oily.dad
oily.dad, www.oily.dad {
# Root directory (not strictly needed for reverse proxy)
root * /var/www/html
# Use existing SSL certificates
tls /etc/letsencrypt/live/oily.dad/fullchain.pem /etc/letsencrypt/live/oily.dad/privkey.pem
# Onion-Location header
header Onion-Location http://oilydada7ckiseinkbeathsefwgkvjrce743xy7x7iiybkuxh4vheead.onion{path}
# Reverse proxy to backend
reverse_proxy http://backend:8000 {
# Preserve original host header
header_up Host {host}
header_up X-Real-IP {remote}
# X-Forwarded-For and X-Forwarded-Proto are set automatically by Caddy
}
}
# Subdomain for Gitea - gut.oily.dad
gut.oily.dad {
# Root directory (not strictly needed for reverse proxy)
root * /var/www/html
# Use existing SSL certificates
tls /etc/letsencrypt/live/oily.dad/fullchain.pem /etc/letsencrypt/live/oily.dad/privkey.pem
# Reverse proxy to Gitea
reverse_proxy http://gitea:3000 {
# WebSocket support for Gitea
header_up Connection {>Connection}
header_up Upgrade {>Upgrade}
# Preserve original headers
header_up Host {host}
header_up X-Real-IP {remote}
# X-Forwarded-For and X-Forwarded-Proto are set automatically by Caddy
}
}
# Subdomain for Stump (comics/books) - book.oily.dad
book.oily.dad {
# Root directory (not strictly needed for reverse proxy)
root * /var/www/html
# Use existing SSL certificates
tls /etc/letsencrypt/live/oily.dad/fullchain.pem /etc/letsencrypt/live/oily.dad/privkey.pem
# Reverse proxy to Stump
#reverse_proxy http://stump:10801 {
reverse_proxy http://kavita:5000
}


@@ -1,74 +0,0 @@
# Global options
{
# Disable auto HTTPS since we're using existing certificates
auto_https off
}
# HTTP to HTTPS redirect
:80 {
redir https://{host}{uri} permanent
}
# Main domain - oily.dad and www.oily.dad
oily.dad, www.oily.dad {
# Root directory (not strictly needed for reverse proxy)
root * /var/www/html
# Use existing SSL certificates
tls /etc/letsencrypt/live/oily.dad/fullchain.pem /etc/letsencrypt/live/oily.dad/privkey.pem
# Onion-Location header
header Onion-Location http://oilydada7ckiseinkbeathsefwgkvjrce743xy7x7iiybkuxh4vheead.onion{path}
# Reverse proxy to backend
reverse_proxy http://backend:8000 {
# Preserve original host header
header_up Host {host}
header_up X-Real-IP {remote}
# X-Forwarded-For and X-Forwarded-Proto are set automatically by Caddy
}
}
# Subdomain for Gitea - gut.oily.dad
gut.oily.dad {
# Root directory (not strictly needed for reverse proxy)
root * /var/www/html
# Use existing SSL certificates
tls /etc/letsencrypt/live/oily.dad/fullchain.pem /etc/letsencrypt/live/oily.dad/privkey.pem
# Reverse proxy to Gitea
reverse_proxy http://gitea:3000 {
# WebSocket support for Gitea
header_up Connection {>Connection}
header_up Upgrade {>Upgrade}
# Preserve original headers
header_up Host {host}
header_up X-Real-IP {remote}
# X-Forwarded-For and X-Forwarded-Proto are set automatically by Caddy
}
}
# Subdomain for Stump (comics/books) - book.oily.dad
book.oily.dad {
# Root directory (not strictly needed for reverse proxy)
root * /var/www/html
# Use existing SSL certificates
tls /etc/letsencrypt/live/oily.dad/fullchain.pem /etc/letsencrypt/live/oily.dad/privkey.pem
# Reverse proxy to Stump
#reverse_proxy http://stump:10801 {
reverse_proxy http://kavita:5000 {
# WebSocket support for Stump (if needed)
header_up Connection {>Connection}
header_up Upgrade {>Upgrade}
# Preserve original headers
header_up Host {host}
header_up X-Real-IP {remote}
# X-Forwarded-For and X-Forwarded-Proto are set automatically by Caddy
}
}


@@ -1,10 +1,2 @@
FROM caddy:alpine FROM nginx:alpine
COPY conf /etc/nginx/conf.d/default.conf
# Copy Caddyfile configuration
COPY Caddyfile /etc/caddy/Caddyfile
# Create directory for www root
RUN mkdir -p /var/www/html
# Caddy runs as non-root user by default
# Ports 80 and 443 are exposed by the base image
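Review bot: The new image copies only `conf` into `/etc/nginx/conf.d/default.conf`, and that file (the `proxy/conf` section below) listens on port 80 alone, so the TLS termination, the HTTP-to-HTTPS redirect and the `Onion-Location` header the deleted Caddyfiles provided no longer exist in the built proxy; the `proxy/sslconf` added in this compare carries those pieces but is referenced by no `COPY`. If plain HTTP is a temporary step while the certificate mounts are commented out in compose, a comment saying so here would help; otherwise `COPY sslconf /etc/nginx/conf.d/default.conf` is the line that restores TLS. `nginx:alpine` is also a floating tag; the backend Dockerfile in this compare moved to a pinned `3.12` base and the same applies here.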

20
proxy/baseconf Executable file

@@ -0,0 +1,20 @@
server {
listen 80;
server_name localhost;
location / {
proxy_pass http://backend:8000;
}
location /gutty{
proxy_pass http://gitea:3000;
}
location /nextcloud{
client_max_body_size 512M;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://nextcloud/;
}
}
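Review bot: The `/` and `/gutty` locations set no `proxy_set_header` lines, so unlike the `/nextcloud` block, `backend` and `gitea` receive nginx's default upstream `Host` (the `proxy_pass` hostname) and no `X-Real-IP`/`X-Forwarded-For`; the upstream apps then log and rate-limit on the proxy container's address rather than the client's. Moving the four `proxy_set_header` lines to `server` scope applies them to every location without duplication; the identical `proxy/conf` in this compare has the same gap. `location /gutty{` is a prefix match, so it also covers paths like `/guttyanything`, and Gitea served under a sub-path presumably needs its root URL configured to include `/gutty` — not visible here. The file is also committed as `Executable file`; a config file has no reason to carry the execute bit.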

20
proxy/conf Executable file

@@ -0,0 +1,20 @@
server {
listen 80;
server_name localhost;
location / {
proxy_pass http://backend:8000;
}
location /gutty{
proxy_pass http://gitea:3000;
}
location /nextcloud{
client_max_body_size 512M;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://nextcloud/;
}
}
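Review bot: This file is byte-for-byte identical to `proxy/baseconf` in the same compare, while `proxy/Dockerfile` copies only `conf`, so two copies of the same server block now exist with nothing stating which is live or why the other is kept. Keeping a single file, or a first-line comment in each such as `# live config, installed by proxy/Dockerfile; baseconf is the untouched template`, would stop the two from drifting apart. Like `baseconf` it is committed with the execute bit set.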

17
proxy/giteaconf Normal file

@@ -0,0 +1,17 @@
server {
listen 80;
server_name localhost;
location / {
client_max_body_size 512M;
#proxy_pass http://localhost:3000;
proxy_pass http://gitea:3000;
proxy_set_header Connection $http_connection;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
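Review bot: The block forwards `Connection $http_connection` and `Upgrade $http_upgrade` for WebSocket support but never sets `proxy_http_version 1.1;`; nginx speaks HTTP/1.0 to upstreams by default and a protocol upgrade cannot be negotiated over 1.0, so the two headers have no effect as written. Adding `proxy_http_version 1.1;` beside them fixes it; the `gut.oily.dad` server in `proxy/sslconf` carries the same pair of headers and the same omission. `proxy/Dockerfile` in this compare copies only `conf`, so this file appears unused unless something outside the compare installs it.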

72
proxy/sslconf Executable file

@@ -0,0 +1,72 @@
#server {
# listen 80;
# server_name localhost;
# location / {
# proxy_pass http://backend:8000;
# }
# always redirect to https
server {
listen 80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
# use the certificates
ssl_certificate /etc/letsencrypt/live/oily.dad/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/oily.dad/privkey.pem;
server_name oily.dad www.oily.dad;
root /var/www/html;
index index.php index.html index.htm;
add_header Onion-Location http://oilydada7ckiseinkbeathsefwgkvjrce743xy7x7iiybkuxh4vheead.onion$request_uri;
location / {
proxy_pass http://backend:8000/;
}
}
server {
listen 443 ssl http2;
# use the certificates
ssl_certificate /etc/letsencrypt/live/oily.dad/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/oily.dad/privkey.pem;
server_name gut.oily.dad;
root /var/www/html;
index index.php index.html index.htm;
location / {
client_max_body_size 512M;
#proxy_pass http://localhost:3000;
proxy_set_header Connection $http_connection;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://gitea:3000/;
}
}
server {
listen 443 ssl http2;
# use the certificates
ssl_certificate /etc/letsencrypt/live/oily.dad/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/oily.dad/privkey.pem;
server_name nextcloud.oily.dad;
root /var/www/html;
index index.php index.html index.htm;
location / {
client_max_body_size 512M;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://nextcloud/;
}
}
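Review bot: The `oily.dad` server's `location /` proxies to `backend:8000` with no `proxy_set_header` lines, so the headers the deleted Caddyfile set for the same route (`Host`, `X-Real-IP`, and Caddy's automatic `X-Forwarded-For`/`X-Forwarded-Proto`) are gone on the new side; the backend sees the upstream hostname as `Host` and `http` as its scheme, which affects any absolute URLs or secure-cookie decisions it makes. The four `proxy_set_header` lines already used in the `nextcloud.oily.dad` block belong in this location too. The three TLS servers set no `ssl_protocols`, `ssl_ciphers` or HSTS header and so rely on the nginx build's defaults; `ssl_protocols TLSv1.2 TLSv1.3;` and `add_header Strict-Transport-Security "max-age=31536000" always;` at `server` scope are the usual additions. The dead `#server { ... }` block at the top and the `root`/`index` lines on servers that only proxy can be dropped.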


@@ -1,20 +1,15 @@
FROM debian:13-slim FROM debian:12-slim
RUN apt update RUN apt update && apt install -y openssh-server socat
RUN apt install -y \
openssh-server \
socat
RUN adduser --disabled-password --gecos "" armbian RUN adduser --disabled-password --gecos "" finn
# ssh: RUN mkdir /home/finn/.ssh
RUN mkdir /home/armbian/.ssh
# only one pubkey -- wildcard just to conceal filename # only one pubkey -- wildcard to conceal filename
COPY ./oilykey/*.pub /home/armbian/.ssh/authorized_keys COPY ./oilykey/*.pub /home/finn/.ssh/authorized_keys
COPY ./oilykey/* /home/armbian/.ssh/
RUN chown -R armbian:armbian /home/armbian/.ssh/ RUN mkdir /var/run/sshd
RUN chmod 600 /home/armbian/.ssh/*
#RUN mkdir /var/run/sshd
RUN echo "PermitRootLogin no" >> /etc/ssh/sshd_config RUN echo "PermitRootLogin no" >> /etc/ssh/sshd_config
RUN echo "PasswordAuthentication no" >> /etc/ssh/sshd_config RUN echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
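Review bot: The new side copies `authorized_keys` into `/home/finn/.ssh/` but drops the `chown -R` and `chmod 600` lines the old side had, so the directory and key file stay owned by root with whatever mode the `.pub` file carried in the build context; sshd's `StrictModes` (on by default) rejects the file if it or the directory is group- or world-writable, which would lock the `finn` account out of key authentication. Re-adding `RUN chown -R finn:finn /home/finn/.ssh && chmod 700 /home/finn/.ssh && chmod 600 /home/finn/.ssh/authorized_keys` after the COPY keeps the old guarantees. Removing `COPY ./oilykey/* /home/armbian/.ssh/` is right, but that line put every file in `oilykey/` — private keys included, if the directory held any — into earlier layers of this image, so any such key should be treated as exposed and rotated. The move from `debian:13-slim` to `debian:12-slim` is not explained by the commit messages; a comment stating the reason would help. The file continues past this hunk (no `CMD`/`ENTRYPOINT` is visible here).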


@@ -1,8 +0,0 @@
rclone mount :sftp: /armbian/briemount \
--sftp-host=localhost \
--sftp-port=11111 \
--sftp-user=armbian \
--sftp-key-file=/home/armbian/.ssh/armbian-brie-202604 \
--vfs-cache-mode off \
--allow-other \
--daemon