migration: apoc

servers/apoc/README.md

@@ -0,0 +1 @@
+server configuration for `apoc`.

servers/apoc/docker-compose.d/README.md

@@ -0,0 +1 @@
+This folder houses all docker-compose files

servers/apoc/docker-compose.d/custom/nginx/Dockerfile

@@ -0,0 +1,13 @@
+FROM nginx:alpine
+
+RUN apk add \
+    certbot \
+    certbot-nginx
+
+COPY content /usr/share/nginx/html
+COPY conf.d/ /etc/nginx/conf.d/
+COPY nginx.conf /etc/nginx/nginx.conf
+
+COPY entrypoint.sh /entrypoint
+ENTRYPOINT [ "sh", "/entrypoint" ]
+CMD [ "nginx", "-g", "daemon off;" ]

servers/apoc/docker-compose.d/custom/nginx/conf.d/default.conf

@@ -0,0 +1,17 @@
+server {
+    listen 80;
+    server_name apoc.ixvd.net;
+
+    # SSL is managed by certbot, no need for a ssl listen; it will be generated automagically!
+
+    # default html page
+    location / {
+        root /usr/share/nginx/html;
+        index index.html index.htm;
+    }
+
+    error_page   500 502 503 504  /50x.html;
+    location = /50x.html {
+        root /usr/share/nginx/html;
+    }
+}

servers/apoc/docker-compose.d/custom/nginx/conf.d/git.conf

@@ -0,0 +1,15 @@
+server {
+    listen 80;
+    server_name git.ixvd.net;
+
+    location / {
+        proxy_pass http://git:3000;
+        proxy_set_header Connection $http_connection;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        client_max_body_size 0;
+    }
+}

servers/apoc/docker-compose.d/custom/nginx/conf.d/keycloak.conf

@@ -0,0 +1,20 @@
+server {
+    listen 80;
+    server_name my.ixvd.net;
+
+    set_real_ip_from 0.0.0.0/0;
+    real_ip_header X-Real-IP;
+    real_ip_recursive on;
+
+    location / {
+        proxy_pass http://keycloak;
+
+        proxy_redirect off;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Port 443;
+    }
+
+};

servers/apoc/docker-compose.d/custom/nginx/conf.d/rainloop.conf

@@ -0,0 +1,8 @@
+server {
+    listen 80;
+    server_name mail.ixvd.net;
+
+    location / {
+        proxy_pass http://rainloop:8888$request_uri;
+    }
+}

servers/apoc/docker-compose.d/custom/nginx/content/index.html

@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <title>Welcome to nginx!</title>
+    <style>
+        html {
+            color-scheme: light dark;
+        }
+
+        body {
+            width: 35em;
+            margin: 0 auto;
+            font-family: Tahoma, Verdana, Arial, sans-serif;
+        }
+    </style>
+</head>
+
+<body>
+    <h1>Welcome to apoc!</h1>
+</body>
+
+</html>

servers/apoc/docker-compose.d/custom/nginx/entrypoint.sh

@@ -0,0 +1,28 @@
+#!/bin/sh
+
+trap exit TERM
+
+if [ -n "${CERTBOT_DOMAINS}" ]; then
+    echo "registering..."
+    if ! certbot show_account; then
+        certbot register -n \
+            --agree-tos \
+            -m "${CERTBOT_EMAIL}"
+    fi
+
+    for d in $(echo "${CERTBOT_DOMAINS}" | sed 's/,/ /g'); do
+        echo "requesting for $d..."
+        certbot --nginx -n --keep -d "$d"
+    done
+
+    while :; do
+        echo "renewing domains..."
+        certbot --nginx --keep -n renew
+        sleep 12h &
+        wait $!
+    done &
+else
+    echo "skipping certbot due to no domains!"
+fi &
+
+exec "$@"

servers/apoc/docker-compose.d/custom/nginx/nginx.conf

@@ -0,0 +1,35 @@
+
+user  nginx;
+worker_processes  auto;
+
+error_log  /var/log/nginx/error.log notice;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    # docker resolver and quad9;
+    resolver 127.0.0.11 9.9.9.9 ipv6=off;
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    #gzip  on;
+
+    include /etc/nginx/conf.d/*.conf;
+}

servers/apoc/docker-compose.d/docker-compose.dms.yml

@@ -0,0 +1,34 @@
+version: '2.2'
+
+services:
+  mailserver:
+    image: ghcr.io/docker-mailserver/docker-mailserver:latest
+    container_name: mailserver
+    # Provide the FQDN of your mail server here (Your DNS MX record should point to this value)
+    hostname: mail.ixvd.net
+    env_file: ../../env/mailserver.env
+    # More information about the mail-server ports:
+    # https://docker-mailserver.github.io/docker-mailserver/latest/config/security/understanding-the-ports/
+    # To avoid conflicts with yaml base-60 float, DO NOT remove the quotation marks.
+    ports:
+      - "25:25"    # SMTP  (explicit TLS => STARTTLS)
+      - "143:143"  # IMAP4 (explicit TLS => STARTTLS)
+      - "465:465"  # ESMTP (implicit TLS)
+      - "587:587"  # ESMTP (explicit TLS => STARTTLS)
+      - "993:993"  # IMAP4 (implicit TLS)
+    volumes:
+      - /srv/mailserver/data:/var/mail/
+      - /srv/mailserver/config:/tmp/docker-mailserver/
+      - /srv/mailserver/other/state:/var/mail-state/
+      - /srv/mailserver/other/log/:/var/log/mail/
+      - /etc/localtime:/etc/localtime:ro
+      - /srv/certbot/data/live/mail.ixvd.net:/etc/letsencrypt/live/mail.ixvd.net
+    restart: always
+    stop_grace_period: 1m
+    # Uncomment if using `ENABLE_FAIL2BAN=1`:
+    # cap_add:
+    #   - NET_ADMIN
+    healthcheck:
+      test: "ss --listening --tcp | grep -P 'LISTEN.+:smtp' || exit 1"
+      timeout: 3s
+      retries: 0

servers/apoc/docker-compose.d/docker-compose.git.yml

@@ -0,0 +1,19 @@
+version: '2.2'
+services:
+  git:
+    image: codeberg.org/forgejo/forgejo:1.20
+    container_name: git # IMPORTANT FOR SSH
+    restart: always
+    privileged: true
+    environment:
+      USER_UID: 1000
+      USER_GID: 1002
+    volumes:
+      - /srv/gitea/data:/data/git
+      - /srv/gitea/config:/data/gitea
+      - /srv/gitea/other/ssh:/data/ssh
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    networks:
+      - proxy
+      - internal

servers/apoc/docker-compose.d/docker-compose.keycloak.yml

@@ -0,0 +1,36 @@
+version: '2.2'
+
+services:
+  keycloak:
+    build: custom/keycloak
+    command: start --optimized
+    env_file:
+      - /etc/ixvd/secrets/env/keycloak.env
+    depends_on:
+      - kcdb
+    environment:
+      KC_HOSTNAME: my.ixvd.net
+      KC_PROXY: edge
+      KC_HTTP_ENABLED: "true"
+      KC_HTTP_PORT: "80"
+      KC_DB: postgres
+      KC_DB_URL: jdbc:postgresql://kcdb:5432/keycloak
+      KC_DB_USERNAME: keycloak
+      KC_DB_PASSWORD: keycloak
+    networks:
+      - proxy
+      - keycloak
+
+  kcdb:
+    image: postgres:16
+    environment:
+      POSTGRES_USER: keycloak
+      POSTGRES_PASSWORD: keycloak
+      POSTGRES_DB: keycloak
+    volumes:
+      - /srv/keycloak/other/database:/var/lib/postgresql/data
+    networks:
+      - keycloak
+
+networks:
+  keycloak:

servers/apoc/docker-compose.d/docker-compose.rainloop.yml

@@ -0,0 +1,19 @@
+version: '2.2'
+
+services:
+  rainloop:
+    image: hardware/rainloop
+    container_name: rainloop
+    depends_on:
+      - mailserver
+    volumes:
+      - /srv/rainloop/data:/rainloop/data
+    networks:
+      - proxy
+      - internal
+
+networks:
+  proxy:
+    external: true
+  internal:
+    external: true

servers/apoc/docker-compose.d/docker-compose.yml

@@ -0,0 +1,26 @@
+# I'm very comfortable in this version, therefore it's the standard
+version: '2.2'
+
+services:
+  # default nginx setup
+  nginx:
+    build: custom/nginx
+    environment:
+      CERTBOT_EMAIL: "webmaster@ixvd.net"
+      CERTBOT_DOMAINS: "apoc.ixvd.net,mail.ixvd.net,git.ixvd.net,my.ixvd.net"
+    volumes:
+      - /srv/certbot/data:/etc/letsencrypt
+      - /srv/certbot/other/www:/var/www/certbot
+    ports:
+      - 80:80
+      - 443:443
+    networks:
+      - proxy
+
+# Here the default networks are defined
+networks:
+  proxy:
+    external: true
+  internal:
+    external: true
+  

servers/apoc/setup.d/00-setup-git.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+if ! getent passwd git &>/dev/null; then
+    echo "creating git user..."
+    useradd -m git
+    usermod git -aG docker
+fi

servers/apoc/setup.d/10-apply-skel.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+echo "applying skel..."
+cp -r skel/. /
+
+echo "ensuring /home/git/docker-shell a+x..."
+chmod a+x /home/git/docker-shell

servers/apoc/skel/etc/ssh/sshd_config.d/git.conf

@@ -0,0 +1,3 @@
+Match User git
+  AuthorizedKeysCommandUser git
+  AuthorizedKeysCommand /usr/bin/docker exec -i git /usr/local/bin/gitea keys -c /data/gitea/conf/app.ini -e git -u %u -t %t -k %k 

servers/apoc/skel/home/git/docker-shell

@@ -0,0 +1,2 @@
+#!/bin/sh
+/usr/bin/docker exec -i --env SSH_ORIGINAL_COMMAND="$SSH_ORIGINAL_COMMAND" gitea sh "$@"