fjeaj

2023-11-22 07:26:10 +00:00 · 2023-11-22 07:26:10 +00:00 · 6581fc1187
commit 6581fc1187
16 changed files with 452 additions and 0 deletions
--- a/maj.sh
+++ b/maj.sh
@ -0,0 +1,31 @@
+#!/bin/bash
+
+
+services=(nginx-rp nginx-www vw)
+
+
+if [[ ! $(echo "${services[*]} all" | grep -P "\b$1\b" ) ]]; then
+	echo "Wrong argument."
+	exit 1
+fi
+
+
+rel_path="$(dirname "$0")"
+
+
+case "$1" in
+	vw|all)
+		sudo "$rel_path/vw/backup.sh" || exit 1
+		;;
+esac
+
+
+if [[ "$1" != "all" ]]; then
+	docker-compose -f "$rel_path/$1/docker-compose.yaml" pull
+	docker-compose -f "$rel_path/$1/docker-compose.yaml" up -d
+else
+	for service in "${services[@]}"; do
+		docker-compose -f "$rel_path/$service/docker-compose.yaml" pull
+		docker-compose -f "$rel_path/$service/docker-compose.yaml" up -d
+	done
+fi
--- a/nc/docker-compose.yaml
+++ b/nc/docker-compose.yaml
@ -0,0 +1,18 @@
+services:
+  nextcloud:
+    image: nextcloud/all-in-one:latest
+    restart: always
+    container_name: nextcloud-aio-mastercontainer # This line is not allowed to be changed as otherwise AIO will not work correctly
+    environment: # Is needed when using any of the options below
+      - APACHE_PORT=11000 # Is needed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+      - APACHE_IP_BINDING=127.0.0.1 # Should be set when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else) that is running on the same host. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+      - NEXTCLOUD_DATADIR=/mnt/ncdata # Allows to set the host directory for Nextcloud's datadir. ⚠️⚠️⚠️ Warning: do not set or adjust this value after the initial Nextcloud installation is done! See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir
+    ports:
+      - 8080:8080
+    volumes:
+      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed as otherwise the built-in backup solution will not work
+      - /var/run/docker.sock:/var/run/docker.sock:ro # May be changed on macOS, Windows or docker rootless. See the applicable documentation. If adjusting, don't forget to also set 'WATCHTOWER_DOCKER_SOCKET_PATH'!
+    
+volumes:
+  nextcloud_aio_mastercontainer:
+    name: nextcloud_aio_mastercontainer # This line is not allowed to be changed as otherwise the built-in backup solution will not work
--- a/nftables.conf
+++ b/nftables.conf
@ -0,0 +1,35 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+	chain input {
+		type filter hook input priority 0; policy drop;
+
+		iif lo accept
+		ct state established,related accept
+		ct state invalid drop
+
+		# Allow ICMP ping
+		icmp type echo-request limit rate 1/second accept
+		icmpv6 type echo-request limit rate 1/second accept
+				
+		# SSH
+		tcp dport 995 limit rate 10/minute accept
+
+		# HTTP
+		tcp dport { http, https } limit rate 5/second accept
+		# udp dport 443 limit rate 5/second accept
+	}
+
+	chain forward {
+		type filter hook forward priority 0; policy accept;
+
+		iif eth0 drop
+		oif eth0 drop
+	}
+	
+	chain output {
+		type filter hook output priority 0; policy accept;
+	}
+}
--- a/nginx-rp/docker-compose.yaml
+++ b/nginx-rp/docker-compose.yaml
@ -0,0 +1,9 @@
+services:  
+  nginx-rp:
+    image: nginx:latest
+    restart: always
+    container_name: nginx-rp
+    network_mode: host
+    volumes:
+      - ./nginx.conf:/etc/nginx/nginx.conf
+      - /etc/letsencrypt/archive/viyurz.fr:/etc/letsencrypt/archive/viyurz.fr
--- a/nginx-rp/nginx.conf
+++ b/nginx-rp/nginx.conf
@ -0,0 +1,182 @@
+worker_processes auto;
+worker_cpu_affinity auto;
+worker_rlimit_nofile 2048;
+
+
+events {
+	worker_connections 1024;
+}
+
+http {
+	charset utf-8;
+	
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+
+	gzip off;
+	
+	# Hide NGINX version in error messages.
+	server_tokens off;
+	
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	# Logging
+	log_not_found on;
+	# access_log /var/log/nginx/access.log;
+	# error_log /var/log/nginx/error.log warn;
+
+	keepalive_timeout 65;
+	
+	ssl_certificate /etc/letsencrypt/archive/viyurz.fr/fullchain1.pem;
+	ssl_certificate_key /etc/letsencrypt/archive/viyurz.fr/privkey1.pem;
+	ssl_trusted_certificate /etc/letsencrypt/archive/viyurz.fr/chain1.pem;
+
+	# modern configuration
+	ssl_protocols TLSv1.3;
+
+	# intermediate configuration
+	# ssl_protocols TLSv1.2 TLSv1.3;
+	# ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+	# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+	# ssl_dhparam /path/to/dhparam;
+
+    ssl_prefer_server_ciphers off;
+
+	ssl_session_timeout 1d;
+	ssl_session_cache shared:MozSSL:10m;
+	ssl_session_tickets off;
+
+	# HSTS (ngx_http_headers_module is required)
+    add_header Strict-Transport-Security "max-age=31536000" always;
+	
+	add_header X-Robots-Tag "noindex, nofollow" always;
+	add_header Set-Cookie "Path=/; HttpOnly; Secure";
+
+	# OCSP stapling
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+	resolver 1.1.1.1;
+	
+	proxy_set_header Host $host;
+	proxy_set_header X-Real-IP $remote_addr;
+	proxy_set_header X-Forwarded-Port $server_port;
+	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	proxy_set_header X-Forwarded-Proto $scheme;
+	proxy_set_header X-Forwarded-Scheme $scheme;
+	proxy_set_header Accept-Encoding "";
+
+	# Websocket
+	proxy_http_version 1.1;
+	proxy_set_header Upgrade $http_upgrade;
+	proxy_set_header Connection $connection_upgrade;
+
+	# The `upstream` directives ensure that you have a http/1.1 connection
+	# This enables the keepalive option and better performance
+	#
+	# Define the server IP and ports here.
+	upstream vaultwarden-default {
+		zone vaultwarden-default 64k;
+		server 127.0.0.1:8081;
+		keepalive 2;
+	}
+
+	# Needed to support websocket connections
+	# See: https://nginx.org/en/docs/http/websocket.html
+	# Instead of "close" as stated in the above link we send an empty value.
+	# Else all keepalive connections will not work.
+	map $http_upgrade $connection_upgrade {
+		default upgrade;
+		''      "";
+	}
+
+	# Redirect HTTP to HTTPS
+	server {
+		listen 80 default_server;
+		listen [::]:80 default_server;
+
+		http2 on;
+        
+		server_name _;
+		
+	    return 308 https://$host$request_uri;
+	}
+
+	server {
+		listen 443 ssl default_server;
+		listen [::]:443 ssl default_server;
+
+		http2 on;
+
+		server_name _;
+		server_name_in_redirect off;
+		
+		return 404;
+	}
+
+	server {
+		listen 443 ssl;
+		listen [::]:443 ssl;
+
+		http2 on;
+
+		# http3 on;
+		# quic_retry on;
+		# add_header Alt-Svc 'h3=":$server_port"; ma=86400';
+		# listen 443 quic reuseport;
+		# listen [::]:443 quic reuseport;
+
+		server_name nc.viyurz.fr;
+
+		location / {
+			proxy_pass http://127.0.0.1:11000;
+
+			add_header Set-Cookie "Path=/; HttpOnly; Secure";
+
+			client_body_buffer_size 512k;
+			proxy_read_timeout 86400s;
+			client_max_body_size 0;
+		}
+	}
+
+	server {
+		listen 443 ssl;
+	    listen [::]:443 ssl;	
+		
+		http2 on;
+
+		server_name vw.viyurz.fr;
+
+		location / {
+			proxy_pass http://vaultwarden-default;
+
+	    	client_max_body_size 525M;
+		}
+	}
+
+	server {
+		listen 443 ssl;
+		listen [::]:443 ssl;
+
+		http2 on;
+
+		server_name www.viyurz.fr;
+
+		location / {
+			proxy_pass http://localhost:8082;
+		}
+	}
+
+	server {
+		listen 443 ssl;
+		listen [::]:443 ssl;
+
+		http2 on;
+
+		server_name viyurz.fr;
+
+		return 308 https://www.viyurz.fr$request_uri;
+	}
+}
--- a/nginx-www/docker-compose.yaml
+++ b/nginx-www/docker-compose.yaml
@ -0,0 +1,10 @@
+services:  
+  nginx-www:
+    image: nginx:latest
+    restart: always
+    container_name: nginx-www
+    ports:
+      - 8082:80
+    volumes:
+      - ./nginx.conf:/etc/nginx/nginx.conf
+      - ./index:/mnt/index
--- a/nginx-www/index/ark.png
+++ b/nginx-www/index/ark.png
--- a/nginx-www/index/favicon.ico
+++ b/nginx-www/index/favicon.ico
--- a/nginx-www/index/index.css
+++ b/nginx-www/index/index.css
@ -0,0 +1,74 @@
+body {
+	font-weight: bold;
+	font-family: Arial;
+	text-align: center;
+	background-image: url("wallpaper.jpg");
+	background-position: -150px;
+	background-repeat: no-repeat;
+	background-size: cover;
+	min-height: 100vh;
+	margin: 0;
+}
+
+main {
+	display: flex;
+	flex-direction: column;
+	justify-content: center;
+	align-items: center;
+	min-height: 100vh;
+}
+
+a {
+	background: rgba(255, 255, 255, 0.5);
+	border: 2px solid white;
+	border-radius: 8px;
+	padding: 10px;
+	margin: 1.5vh;
+	width: 25vh;
+	height: 25vh;
+	display: flex;
+	flex-direction: column;
+	justify-content: space-between;
+	align-items: center;
+	transition: all .25s ease-in-out;
+	text-decoration: none;
+	color: black;
+}
+
+a:hover {
+	transform: scale(1.1);
+}
+
+img {
+	max-height: 20vh;
+	max-width: 20vh;
+}
+
+h5 {
+	position: absolute;
+	bottom: 10px;
+	right: 10px;
+	color: rgba(255, 255, 255, 0.5);
+	margin: 0;
+}
+
+@media only screen and (orientation: landscape) {
+	body {
+		background-position: center;
+	}
+	
+	main {
+		flex-direction: row;
+	}
+	
+	a {
+		margin: 1.5vw;
+		min-width: 15vw;
+		min-height: 15vw;
+	}
+
+	img {
+		max-height: 13vw;
+		max-width: 13vw;
+	}
+}
--- a/nginx-www/index/index.html
+++ b/nginx-www/index/index.html
@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html lang="fr">
+	<head>
+		<meta charset="UTF-8" />
+		<meta name="viewport" content="width=device-width, initial-scale=1.0" />
+		<link rel="stylesheet" href="index.css" />
+		<title>Accueil - Viyurz.fr</title>
+	</head>
+	<body>
+		<main>
+			<a href="https://nc.viyurz.fr">
+				<img src="nextcloud.png" />
+				Nextcloud
+			</a>
+			<a href="https://vw.viyurz.fr">
+				<img src="vaultwarden.png" />
+				Vaultwarden
+			</a>
+			<!--
+			<a href='steam://connect/viyurz.fr:27015'>
+				<img src="ark.png" />
+				ARK: Survival Evolved
+			</a>
+			-->
+			<h5>...Azril...is the moon falling...?</h5>
+		</main>
+	</body>
+</html>
--- a/nginx-www/index/nextcloud.png
+++ b/nginx-www/index/nextcloud.png
--- a/nginx-www/index/vaultwarden.png
+++ b/nginx-www/index/vaultwarden.png
--- a/nginx-www/index/wallpaper.jpg
+++ b/nginx-www/index/wallpaper.jpg
--- a/nginx-www/nginx.conf
+++ b/nginx-www/nginx.conf
@ -0,0 +1,35 @@
+worker_processes auto;
+worker_cpu_affinity auto;
+worker_rlimit_nofile 2048;
+
+
+events {
+	worker_connections 1024;
+}
+
+http {
+	charset utf-8;
+	
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+
+	gzip off;
+	
+	# Hide NGINX version in error messages.
+	server_tokens off;
+	
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	server {
+		listen 80 default_server;
+		listen [::]:80 default_server;
+
+		http2 on;
+        
+		server_name _;
+		
+	    root /mnt/index;
+	}
+}
--- a/vw/backup.sh
+++ b/vw/backup.sh
@ -0,0 +1,17 @@
+#!/bin/bash
+
+if [[ $UID -ne 0 ]]; then
+	echo "Must be run as root."
+	exit 1
+fi
+
+backup_date="$(date '+%Y%m%d-%Hh%Mm')"
+vw_data='/mnt/vwdata'
+bak_folder="/mnt/backups/vwbackup"
+
+mkdir -p "$bak_folder"
+
+# Backup directement vers la storage box marche pas
+sqlite3 "$vw_data/db.sqlite3" ".backup '$vw_data/db-$backup_date.sqlite3'" && echo "Vaultwarden backup created successfully!"
+
+mv "$vw_data/db-$backup_date.sqlite3" "$bak_folder" && echo "Successfully moved backup to $bak_folder!"
--- a/vw/docker-compose.yaml
+++ b/vw/docker-compose.yaml
@ -0,0 +1,13 @@
+services:  
+  vaultwarden:
+    image: vaultwarden/server:latest
+    container_name: vaultwarden
+    restart: always
+    environment:
+      - DOMAIN=https://vw.viyurz.fr  # Your domain; vaultwarden needs to know it's https to work properly with attachments
+      - SIGNUPS_ALLOWED=false
+      - INVITATIONS_ALLOWED=false
+    ports:
+      - 8081:80
+    volumes:
+      - /mnt/vwdata:/data