17 changed files with 341 additions and 178 deletions
@@ -1,6 +1,8 @@
 gitea
 .env
 pmb-pf
 stump
 kavita
 venv
 zapp.db
 db/bu
@@ -19,15 +19,18 @@ Install? PROBABLY NOT, this runs entirely in alpine and would be nice to isolate
 ### Admin general:
-    usermod -aG docker finn
+- `usermod -aG docker finn`
 - edit `/etc/systemd/journald.conf`
 - set or append `SystemMaxUse=500M`
 ### Admin firewall:
-
+```
    ufw default deny incoming
    ufw default allow outgoing
    ufw allow "OpenSSH"
    ufw allow "WWW Full"
    ufw enable
 ```
 ### Admin dns:
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1.4
-FROM python:3.12-slim-bookworm AS builder
+FROM python:3-slim-bookworm AS builder
 # Second line optional/debug/qol
 RUN apt update && apt install -y \
@@ -1,28 +1,28 @@
-alembic==1.13.2
+alembic
-blinker==1.8.2
+blinker
-click==8.1.7
+click
-dnspython==2.6.1
+dnspython
-email_validator==2.2.0
+email_validator
-Flask==3.0.3
+Flask
-Flask-Login==0.6.3
+Flask-Login
-Flask-Mail==0.10.0
+Flask-Mail
-Flask-Migrate==4.0.7
+Flask-Migrate
-Flask-SQLAlchemy==3.1.1
+Flask-SQLAlchemy
-Flask-WTF==1.2.1
+Flask-WTF
-greenlet==3.0.3
+greenlet
-idna==3.7
+idna
-itsdangerous==2.2.0
+itsdangerous
-Jinja2==3.1.4
+Jinja2
-Mako==1.3.5
+Mako
-mariadb==1.1.10
+mariadb
-MarkupSafe==2.1.5
+MarkupSafe
-packaging==24.1
+packaging
-pillow==10.4.0
+pillow
-pydenticon==0.3.1
+pydenticon
-PyJWT==2.9.0
+PyJWT
-python-dotenv==1.0.1
+python-dotenv
-SQLAlchemy==2.0.31
+SQLAlchemy
-typing_extensions==4.12.2
+typing_extensions
-uWSGI==2.0.26
+uWSGI
-Werkzeug==3.0.3
+Werkzeug
-WTForms==3.1.2
+WTForms
@@ -0,0 +1,28 @@
 alembic==1.13.2
 blinker==1.8.2
 click==8.1.7
 dnspython==2.6.1
 email_validator==2.2.0
 Flask==3.0.3
 Flask-Login==0.6.3
 Flask-Mail==0.10.0
 Flask-Migrate==4.0.7
 Flask-SQLAlchemy==3.1.1
 Flask-WTF==1.2.1
 greenlet==3.0.3
 idna==3.7
 itsdangerous==2.2.0
 Jinja2==3.1.4
 Mako==1.3.5
 mariadb==1.1.10
 MarkupSafe==2.1.5
 packaging==24.1
 pillow==10.4.0
 pydenticon==0.3.1
 PyJWT==2.9.0
 python-dotenv==1.0.1
 SQLAlchemy==2.0.31
 typing_extensions==4.12.2
 uWSGI==2.0.28
 Werkzeug==3.0.3
 WTForms==3.1.2
@@ -31,7 +31,7 @@ services:
    #tty: true
    restart: always
    # Comment following line to use flask (1worker, dev), uncomment to use uwsgi (wsgi)
-    command: ["uwsgi", "--http", "0.0.0.0:8000", "--master", "-p", "4", "-w", "microblog:app"]
+    #command: ["uwsgi", "--http", "0.0.0.0:8000", "--master", "-p", "4", "--buffer-size", "16384", "--limit-as", "2048", "-w", "microblog:app"]
    container_name: backend
    environment:
      - MYSQL_USER=flasku
@@ -138,6 +138,34 @@ services:
    networks:
      - backnet
  stump:
    image: aaronleopold/stump
    #image: aaronleopold/stump:nightly
    container_name: stump
    # Replace my paths (prior to the colons) with your own
    volumes:
      - ./stump:/config
      #- /mnt/hub/rocky-remote/st/rockybookshare/:/rocky-remote
      #- /mnt/hub/rocky-remote/st/briebookshare/:/rocky-redundant
      #- /mnt/hub/brie-remote/st/bookshare:/brie-remote
      - /home/armbian/mnt/gouda/st/data/:/bookshare/gouda
      - /home/armbian/mnt/rocky/st/data/:/bookshare/rocky
    #ports:
    #  - 10801:10801
    environment:
      - PUID=1000
      - PGID=1000
      - STUMP_ENABLE_UPLOAD=true
      - ENABLE_KOREADER_SYNC=true
      - ENABLE_OPDS_PROGRESSION=true
      - STUMP_MAX_SCANNER_CONCURRENCY=2
      - STUMP_MAX_THUMBNAIL_CONCURRENCY=1
      - STUMP_VERBOSITY=1
    restart: unless-stopped
    networks:
      - frontnet
      - backnet
  sshtun:
    build:
      context: sshtun
@@ -0,0 +1,5 @@
 rclone ls :sftp: \
  --sftp-host=localhost \
  --sftp-port=11111 \
  --sftp-user=armbian \
  --sftp-key-file=/home/armbian/.ssh/armbian-brie-202604
@@ -0,0 +1,72 @@
 # Global options
 {
 	# Disable auto HTTPS since we're using existing certificates
 	auto_https off
 }
 # HTTP to HTTPS redirect
 :80 {
 	redir https://{host}{uri} permanent
 }
 # Main domain - oily.dad and www.oily.dad
 oily.dad, www.oily.dad {
 	# Root directory (not strictly needed for reverse proxy)
 	root * /var/www/html
 	# Use existing SSL certificates
 	tls /etc/letsencrypt/live/oily.dad/fullchain.pem /etc/letsencrypt/live/oily.dad/privkey.pem
 	# Onion-Location header
 	header Onion-Location http://oilydada7ckiseinkbeathsefwgkvjrce743xy7x7iiybkuxh4vheead.onion{path}
 	# Reverse proxy to backend
 	reverse_proxy http://backend:8000 {
 		# Preserve original host header
 		header_up Host {host}
 		header_up X-Real-IP {remote}
 		# X-Forwarded-For and X-Forwarded-Proto are set automatically by Caddy
 	}
 }
 # Subdomain for Gitea - gut.oily.dad
 gut.oily.dad {
 	# Use existing SSL certificates
 	tls /etc/letsencrypt/live/oily.dad/fullchain.pem /etc/letsencrypt/live/oily.dad/privkey.pem
 	# Reverse proxy to Gitea
 	reverse_proxy http://gitea:3000 {
 		# WebSocket support for Gitea
 		header_up Connection {>Connection}
 		header_up Upgrade {>Upgrade}
 		# Preserve original headers
 		header_up Host {host}
 		header_up X-Real-IP {remote}
 		# X-Forwarded-For and X-Forwarded-Proto are set automatically by Caddy
 	}
 }
 # Subdomain for Stump - stump.oily.dad
 stump.oily.dad {
 	# kavita supports gzip seems to work with stump
 	encode gzip
 	# Use existing SSL certificates
 	tls /etc/letsencrypt/live/oily.dad/fullchain.pem /etc/letsencrypt/live/oily.dad/privkey.pem
 	# Reverse proxy to Stump
 	reverse_proxy http://stump:10801 {
 	#reverse_proxy http://kavita:5000 {
 		# WebSocket support for Stump (if needed)
 		header_up Connection {>Connection}
 		header_up Upgrade {>Upgrade}
 		# Preserve original headers
 		header_up Host {host}
 		header_up X-Real-IP {remote}
 		# X-Forwarded-For and X-Forwarded-Proto are set automatically by Caddy
 	}
 }
@@ -0,0 +1,65 @@
 # Global options
 {
 	# Disable auto HTTPS since we're using existing certificates
 	auto_https off
 }
 # HTTP to HTTPS redirect
 :80 {
 	redir https://{host}{uri} permanent
 }
 # Main domain - oily.dad and www.oily.dad
 oily.dad, www.oily.dad {
 	# Root directory (not strictly needed for reverse proxy)
 	root * /var/www/html
 	# Use existing SSL certificates
 	tls /etc/letsencrypt/live/oily.dad/fullchain.pem /etc/letsencrypt/live/oily.dad/privkey.pem
 	# Onion-Location header
 	header Onion-Location http://oilydada7ckiseinkbeathsefwgkvjrce743xy7x7iiybkuxh4vheead.onion{path}
 	# Reverse proxy to backend
 	reverse_proxy http://backend:8000 {
 		# Preserve original host header
 		header_up Host {host}
 		header_up X-Real-IP {remote}
 		# X-Forwarded-For and X-Forwarded-Proto are set automatically by Caddy
 	}
 }
 # Subdomain for Gitea - gut.oily.dad
 gut.oily.dad {
 	# Root directory (not strictly needed for reverse proxy)
 	root * /var/www/html
 	# Use existing SSL certificates
 	tls /etc/letsencrypt/live/oily.dad/fullchain.pem /etc/letsencrypt/live/oily.dad/privkey.pem
 	# Reverse proxy to Gitea
 	reverse_proxy http://gitea:3000 {
 		# WebSocket support for Gitea
 		header_up Connection {>Connection}
 		header_up Upgrade {>Upgrade}
 		# Preserve original headers
 		header_up Host {host}
 		header_up X-Real-IP {remote}
 		# X-Forwarded-For and X-Forwarded-Proto are set automatically by Caddy
 	}
 }
 # Subdomain for Stump (comics/books) - book.oily.dad
 book.oily.dad {
 	# Root directory (not strictly needed for reverse proxy)
 	root * /var/www/html
 	# Use existing SSL certificates
 	tls /etc/letsencrypt/live/oily.dad/fullchain.pem /etc/letsencrypt/live/oily.dad/privkey.pem
 	# Reverse proxy to Stump
 	#reverse_proxy http://stump:10801 {
 	reverse_proxy http://kavita:5000
 }
@@ -0,0 +1,74 @@
 # Global options
 {
 	# Disable auto HTTPS since we're using existing certificates
 	auto_https off
 }
 # HTTP to HTTPS redirect
 :80 {
 	redir https://{host}{uri} permanent
 }
 # Main domain - oily.dad and www.oily.dad
 oily.dad, www.oily.dad {
 	# Root directory (not strictly needed for reverse proxy)
 	root * /var/www/html
 	# Use existing SSL certificates
 	tls /etc/letsencrypt/live/oily.dad/fullchain.pem /etc/letsencrypt/live/oily.dad/privkey.pem
 	# Onion-Location header
 	header Onion-Location http://oilydada7ckiseinkbeathsefwgkvjrce743xy7x7iiybkuxh4vheead.onion{path}
 	# Reverse proxy to backend
 	reverse_proxy http://backend:8000 {
 		# Preserve original host header
 		header_up Host {host}
 		header_up X-Real-IP {remote}
 		# X-Forwarded-For and X-Forwarded-Proto are set automatically by Caddy
 	}
 }
 # Subdomain for Gitea - gut.oily.dad
 gut.oily.dad {
 	# Root directory (not strictly needed for reverse proxy)
 	root * /var/www/html
 	# Use existing SSL certificates
 	tls /etc/letsencrypt/live/oily.dad/fullchain.pem /etc/letsencrypt/live/oily.dad/privkey.pem
 	# Reverse proxy to Gitea
 	reverse_proxy http://gitea:3000 {
 		# WebSocket support for Gitea
 		header_up Connection {>Connection}
 		header_up Upgrade {>Upgrade}
 		# Preserve original headers
 		header_up Host {host}
 		header_up X-Real-IP {remote}
 		# X-Forwarded-For and X-Forwarded-Proto are set automatically by Caddy
 	}
 }
 # Subdomain for Stump (comics/books) - book.oily.dad
 book.oily.dad {
 	# Root directory (not strictly needed for reverse proxy)
 	root * /var/www/html
 	# Use existing SSL certificates
 	tls /etc/letsencrypt/live/oily.dad/fullchain.pem /etc/letsencrypt/live/oily.dad/privkey.pem
 	# Reverse proxy to Stump
 	#reverse_proxy http://stump:10801 {
 	reverse_proxy http://kavita:5000 {
 		# WebSocket support for Stump (if needed)
 		header_up Connection {>Connection}
 		header_up Upgrade {>Upgrade}
 		# Preserve original headers
 		header_up Host {host}
 		header_up X-Real-IP {remote}
 		# X-Forwarded-For and X-Forwarded-Proto are set automatically by Caddy
 	}
 }
@@ -1,2 +1,10 @@
-FROM nginx:alpine
+FROM caddy:alpine
-COPY conf /etc/nginx/conf.d/default.conf
+
 # Copy Caddyfile configuration
 COPY Caddyfile /etc/caddy/Caddyfile
 # Create directory for www root
 RUN mkdir -p /var/www/html
 # Caddy runs as non-root user by default
 # Ports 80 and 443 are exposed by the base image
@@ -1,12 +0,0 @@
 server {
    listen       80;
    server_name  localhost;
    location / {
        proxy_pass   http://backend:8000;
    }
    location /gutty{
        proxy_pass   http://gitea:3000;
    }
 }
@@ -1,53 +0,0 @@
 #server {
 #    listen       80;
 #    server_name  localhost;
 #    location / {
 #        proxy_pass   http://backend:8000;
 #    }
 # always redirect to https
 server {
 	listen 80 default_server;
 	server_name _;
 	return 301 https://$host$request_uri;
 }
 server {
 	listen 443 ssl http2;
 	# use the certificates
 	ssl_certificate /etc/letsencrypt/live/oily.dad/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/oily.dad/privkey.pem;
 	server_name oily.dad www.oily.dad;
 	root /var/www/html;
 	index index.php index.html index.htm;
 	add_header Onion-Location http://oilydada7ckiseinkbeathsefwgkvjrce743xy7x7iiybkuxh4vheead.onion$request_uri;
 	location / {
 		proxy_pass http://backend:8000/;
 	}
 }
 server {
 	listen 443 ssl http2;
 	# use the certificates
 	ssl_certificate /etc/letsencrypt/live/oily.dad/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/oily.dad/privkey.pem;
 	server_name gut.oily.dad;
 	root /var/www/html;
 	index index.php index.html index.htm;
 	location / {
 		client_max_body_size 512M;
 	        #proxy_pass http://localhost:3000;
 	        proxy_set_header Connection $http_connection;
        	proxy_set_header Upgrade $http_upgrade;
 	        proxy_set_header Host $host;
 	        proxy_set_header X-Real-IP $remote_addr;
 	        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 	        proxy_set_header X-Forwarded-Proto $scheme;
 		proxy_pass http://gitea:3000/;
 	}
 }
@@ -1,17 +0,0 @@
 server {
    listen       80;
    server_name  localhost;
    location / {
        client_max_body_size 512M;
        #proxy_pass http://localhost:3000;
        proxy_pass http://gitea:3000;
        proxy_set_header Connection $http_connection;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
 } 
@@ -1,53 +0,0 @@
 #server {
 #    listen       80;
 #    server_name  localhost;
 #    location / {
 #        proxy_pass   http://backend:8000;
 #    }
 # always redirect to https
 server {
 	listen 80 default_server;
 	server_name _;
 	return 301 https://$host$request_uri;
 }
 server {
 	listen 443 ssl http2;
 	# use the certificates
 	ssl_certificate /etc/letsencrypt/live/oily.dad/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/oily.dad/privkey.pem;
 	server_name oily.dad www.oily.dad;
 	root /var/www/html;
 	index index.php index.html index.htm;
 	add_header Onion-Location http://oilydada7ckiseinkbeathsefwgkvjrce743xy7x7iiybkuxh4vheead.onion$request_uri;
 	location / {
 		proxy_pass http://backend:8000/;
 	}
 }
 server {
 	listen 443 ssl http2;
 	# use the certificates
 	ssl_certificate /etc/letsencrypt/live/oily.dad/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/oily.dad/privkey.pem;
 	server_name gut.oily.dad;
 	root /var/www/html;
 	index index.php index.html index.htm;
 	location / {
 		client_max_body_size 512M;
 	        #proxy_pass http://localhost:3000;
 	        proxy_set_header Connection $http_connection;
        	proxy_set_header Upgrade $http_upgrade;
 	        proxy_set_header Host $host;
 	        proxy_set_header X-Real-IP $remote_addr;
 	        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 	        proxy_set_header X-Forwarded-Proto $scheme;
 		proxy_pass http://gitea:3000/;
 	}
 }
@@ -1,15 +1,20 @@
-FROM debian:12-slim
+FROM debian:13-slim
-RUN apt update && apt install -y openssh-server socat
+RUN apt update
 RUN apt install -y \
 	openssh-server \
 	socat
-RUN adduser --disabled-password --gecos "" finn
+RUN adduser --disabled-password --gecos "" armbian
-RUN mkdir /home/finn/.ssh
+# ssh:
-
+RUN mkdir /home/armbian/.ssh
-# only one pubkey -- wildcard to conceal filename
+# only one pubkey -- wildcard just to conceal filename
-COPY ./oilykey/*.pub /home/finn/.ssh/authorized_keys
+COPY ./oilykey/*.pub /home/armbian/.ssh/authorized_keys
-
+COPY ./oilykey/* /home/armbian/.ssh/
-RUN mkdir /var/run/sshd
+RUN chown -R armbian:armbian /home/armbian/.ssh/
 RUN chmod 600 /home/armbian/.ssh/*
 #RUN mkdir /var/run/sshd
 RUN echo "PermitRootLogin no" >> /etc/ssh/sshd_config
 RUN echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
@@ -0,0 +1,8 @@
 rclone mount :sftp: /armbian/briemount \
  --sftp-host=localhost \
  --sftp-port=11111 \
  --sftp-user=armbian \
  --sftp-key-file=/home/armbian/.ssh/armbian-brie-202604 \
  --vfs-cache-mode off \
  --allow-other \
  --daemon