

66 Commits

Author SHA1 Message Date
c3798505a4 Fix duplicity install 2023-02-05 14:29:56 +01:00
62ebf39b21 Make sure containers from registry are pulled 2022-07-24 18:44:11 +02:00
81edda50bb Careful with nextcloud and gitlab versions 2022-07-24 18:44:11 +02:00
279eb606dd Another ignore fix after bullseye update 2022-01-29 23:33:57 +01:00
2dc7834068 Remove gitlab ssh config for github mirroring 2022-01-29 22:22:31 +01:00
f69aebb7e7 Fix ignores after update 2022-01-18 00:14:24 +01:00
fcb7534701 More logcheck ignores after bullseye update 2022-01-17 20:48:22 +01:00
fbcc0358fc Update logcheck ignore after bullseye update 2022-01-15 10:46:27 +01:00
7a1313d7f7 Use python3 for ansible 2022-01-15 10:46:19 +01:00
025eb9e413 Don't include sshd_config.d after bullseye update 2022-01-15 10:32:35 +01:00
dffc7745fd Upgrade to debian 11 bullseye 2022-01-14 21:34:48 +01:00
c1a7a55efa Lock mariadb version due to non-back compatible change 2021-08-08 10:14:32 +02:00
bb61cf57b0 Fix issue with bash interpreting numbers as octals 2020-11-15 21:51:24 +01:00
19ab178b75 Add TUD runner 2020-04-22 11:50:46 +01:00
646df1cd45 Run B2 backup only once per month 2020-04-10 13:29:40 +02:00
1bc2f20768 Add pi.wojciechkozlowski.eu config 2020-04-06 18:58:21 +01:00
1072118e50 Delete some more rkhunter config 2019-12-30 18:11:07 +00:00
d08a9594a6 Reduce time to keep B2 backups 2019-12-25 22:15:32 +01:00
e3b4209ea5 Update logcheck ignores 2019-12-25 17:24:06 +01:00
83a71c6c46 Update logcheck ignores 2019-12-24 18:25:55 +01:00
24141cdcb9 Fix test for using colours in stdout 2019-12-16 08:31:21 +01:00
1d22614029 Add a gitignore 2019-12-15 11:27:24 +00:00
2bdfa851ab Update certbot cron job for new certificates 2019-12-15 12:13:38 +01:00
64ac70f1d6 Regenerate certificates without wiki 2019-12-15 10:58:56 +00:00
ff2ce6dad9 Remove wiki 2019-12-15 10:18:10 +01:00
099b244f9e Fix check to see if backup directory exists 2019-12-15 09:18:12 +01:00
1123c1bd8c Nicer script formatting 2019-12-14 23:15:20 +01:00
0a6f06c5ac Remove rkhunter and chkrootkit configs 2019-12-14 23:04:40 +01:00
f1ee132038 Wrap up B2 setup 2019-12-14 23:04:28 +01:00
c353f45612 GPG passphrase must be an environment variable 2019-12-14 22:03:12 +00:00
494822a0bf Make B2 script executable 2019-12-14 16:57:53 +01:00
92970a673f Add a backblaze backup script 2019-12-14 16:51:01 +01:00
2c3c38f106 Update loki playbook 2019-12-14 14:12:35 +01:00
1c8bc92000 Reformatted external USB 2019-12-14 14:11:09 +01:00
2e9f03aec1 Change backup directory to external USB 2019-12-14 13:30:04 +01:00
bdb0412836 Actual TTY fix - don't run docker interactively 2019-12-14 13:15:15 +01:00
7b71fe70cc Handle non TTY in registry-cleaner script 2019-12-14 13:13:28 +01:00
8f02e4c9aa Update registry cleaner 2019-12-14 13:02:50 +01:00
43484bbb4b Fix fstrim logcheck regex 2019-12-02 08:13:39 +01:00
d911382099 Another small fix to user name regex 2019-11-30 21:56:28 +01:00
7a9128258a Fix user name regex for logcheck 2019-11-30 14:53:40 +01:00
5259e5a3ec Allow choice of container engine in Makefile 2019-11-30 12:42:10 +01:00
7dc1dd792f Update logcheck ignores 2019-11-30 12:41:37 +01:00
c9e55a5563 Split docker server setup from machine setup 2019-11-29 09:18:55 +01:00
52d7fa1897 Rename main to machine in prep for split 2019-11-29 09:13:24 +01:00
30c3da234c Remove rkhunter and chkrootkit in favour of unattended-upgrades 2019-11-29 09:12:27 +01:00
500ccfbaed Use template instead of copy for fstrim 2019-11-29 09:10:44 +01:00
30e8d9d31c Set X-Frame-Options for nextcloud 2019-11-14 23:01:14 +08:00
4f74256555 Fix missing semicolon 2019-11-14 22:50:26 +08:00
f1594392e1 Fix nginx security issue https://nextcloud.com/blog/urgent-security-issue-in-nginx-php-fpm/ 2019-11-14 22:44:53 +08:00
e0bae63e76 loki config updates 2019-11-14 22:44:35 +08:00
a91be740fa Use systemctl in update script 2019-11-13 11:02:59 +08:00
af5e494ac6 Add an ignore to logcheck 2019-11-03 00:30:54 +01:00
b6bec6030e Update to buster and mount exfat USB 2019-11-03 00:30:54 +01:00
e9926f7a02 Use systemctl instead of service 2019-11-02 23:26:36 +00:00
44829e391e Update rkhunter config 2019-07-30 09:12:16 +01:00
f9ded87409 Refactor and restore function to backup script 2019-07-29 21:46:22 +01:00
fa7af91461 Add some helper scripts 2019-07-29 00:17:02 +01:00
c141ec1eb7 Add new html build 2019-07-28 18:52:37 +02:00
0caeafb3be Update static website container 2019-07-28 14:34:37 +02:00
6af4c22abd Remove shadowsocks 2019-07-28 11:02:11 +02:00
396f95b8f8 More 7.0 to 7.3 updates 2019-07-28 10:33:29 +02:00
e888412917 Use PHP 7.3 on Buster 2019-07-28 10:22:32 +02:00
0d446d3330 Update comment to inform about TLS issue in Docker 19.03+ 2019-07-28 10:22:06 +02:00
6a33868e3c Update permissions to cron.d script for certbot 2019-07-27 23:53:30 +02:00
80e919a794 Fix makefile 2019-04-19 13:08:34 +02:00
48 changed files with 924 additions and 1827 deletions

1
.gitignore vendored Normal file

@ -0,0 +1 @@
*.cred


@ -19,16 +19,16 @@ after_script:
tags:
- docker
html:
extends: .builds
script:
- make html
proxy:
extends: .builds
script:
- make proxy
wiki:
extends: .builds
script:
- make wiki
nextcloud:
extends: .builds
script:

3
.gitmodules vendored

@ -1,3 +0,0 @@
[submodule "html/html-wojciechkozlowski.eu"]
path = html/html-wojciechkozlowski.eu
url = https://github.com/Wojtek242/html-wojciechkozlowski.eu.git

113
Makefile

@ -12,11 +12,18 @@ uninstall:
rm /lib/systemd/system/loki-server.service
systemctl daemon-reload
#------------------------------------------------------------------------------
# The container engine to use. Default to docker, but on Fedora must now use
# podman.
# ------------------------------------------------------------------------------
ENGINE = docker
# -----------------------------------------------------------------------------
# The container registry to use.
# -----------------------------------------------------------------------------
DOCKER_REGISTRY = registry.wojciechkozlowski.eu/wojtek/loki
REGISTRY = registry.wojciechkozlowski.eu/wojtek/loki
# -----------------------------------------------------------------------------
# Default target.
@ -24,117 +31,93 @@ DOCKER_REGISTRY = registry.wojciechkozlowski.eu/wojtek/loki
default: all
# -----------------------------------------------------------------------------
# html
# -----------------------------------------------------------------------------
HTML = $(REGISTRY)/html
html-clean:
$(ENGINE) rmi $(HTML) || /bin/true
html-build:
$(ENGINE) build -f html/Dockerfile -t $(HTML) ./html
html-push:
$(ENGINE) push $(HTML)
html-pull:
$(ENGINE) pull $(HTML)
html: html-clean html-build html-push
# -----------------------------------------------------------------------------
# proxy
# -----------------------------------------------------------------------------
PROXY = $(DOCKER_REGISTRY)/proxy
PROXY = $(REGISTRY)/proxy
proxy-clean:
docker rmi $(PROXY) || /bin/true
$(ENGINE) rmi $(PROXY) || /bin/true
proxy-build:
docker build -f proxy/Dockerfile -t $(PROXY) ./proxy
$(ENGINE) build -f proxy/Dockerfile -t $(PROXY) ./proxy
proxy-push:
docker push $(PROXY)
$(ENGINE) push $(PROXY)
proxy-pull:
docker pull $(PROXY)
$(ENGINE) pull $(PROXY)
proxy: proxy-clean proxy-build proxy-push
# -----------------------------------------------------------------------------
# wiki
# -----------------------------------------------------------------------------
WIKI = $(DOCKER_REGISTRY)/wiki
wiki-clean:
docker rmi $(WIKI) || /bin/true
wiki-build:
docker build -f dokuwiki/Dockerfile -t $(WIKI) ./dokuwiki
wiki-push:
docker push $(WIKI)
wiki-pull:
docker pull $(WIKI)
wiki: wiki-clean wiki-build wiki-push
# -----------------------------------------------------------------------------
# nextcloud
# -----------------------------------------------------------------------------
NEXTCLOUD = $(DOCKER_REGISTRY)/nextcloud
NEXTCLOUD = $(REGISTRY)/nextcloud
nextcloud-clean:
docker rmi $(NEXTCLOUD) || /bin/true
$(ENGINE) rmi $(NEXTCLOUD) || /bin/true
nextcloud-build:
docker build -f nextcloud/Dockerfile -t $(NEXTCLOUD) ./nextcloud
$(ENGINE) build -f nextcloud/Dockerfile -t $(NEXTCLOUD) ./nextcloud
nextcloud-push:
docker push $(NEXTCLOUD)
$(ENGINE) push $(NEXTCLOUD)
nextcloud-pull:
docker pull $(NEXTCLOUD)
$(ENGINE) pull $(NEXTCLOUD)
nextcloud: nextcloud-clean nextcloud-build nextcloud-push
#------------------------------------------------------------------------------
# Shadowsocks
#------------------------------------------------------------------------------
SHADOWSOCKS = $(DOCKER_REGISTRY)/shadowsocks
shadowsocks-clean:
docker rmi $(SHADOWSOCKS) || /bin/true
shadowsocks-build:
docker build -f shadowsocks/Dockerfile -t $(SHADOWSOCKS) ./shadowsocks
shadowsocks-push:
docker push $(SHADOWSOCKS)
shadowsocks-pull:
docker pull $(SHADOWSOCKS)
shadowsocks: shadowsocks-clean shadowsocks-build shadowsocks-push
# -----------------------------------------------------------------------------
# Collect targets.
# -----------------------------------------------------------------------------
clean-all:
docker container prune -f
docker image prune -a -f
$(ENGINE) container prune -f
$(ENGINE) image prune -a -f
clean-builds: \
html-clean \
proxy-clean \
wiki-clean \
nextcloud-clean \
shadowsocks-clean
nextcloud-clean
build-all: \
html-build \
proxy-build \
wiki-build \
nextcloud-build \
shadowsocks-build
nextcloud-build
push-all: \
html-push \
proxy-push \
wiki-push \
nextcloud-push \
shadowsocks-push
nextcloud-push
pull-all: \
html-pull \
proxy-pull \
wiki-pull \
nextcloud-pull \
shadowsocks-pull
nextcloud-pull
# -----------------------------------------------------------------------------
# Clean - build - push
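Review bot: `ENGINE = docker` near the top of the first hunk can be overridden on the make command line (`make ENGINE=podman`) but not from the environment, so the Fedora/podman case described in the comment has to be repeated on every invocation; `ENGINE ?= docker` would honour an exported `ENGINE` as well, and the same applies to `REGISTRY = registry.wojciechkozlowski.eu/wojtek/loki`. The `$(ENGINE)` substitution itself looks consistent across the html, proxy, nextcloud and collect targets in this section. The `clean-all` target still prunes every container and image on the host, not only Loki's; a comment such as `# Removes ALL stopped containers and unused images on this host, not just Loki's` above it would make that side effect explicit.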


@ -43,8 +43,14 @@ To provision the server
ansible-playbook --vault-id @prompt ssh.yml
3. Run the remaining setup
3. Set up the bare metal machine
::
ansible-playbook --vault-id @prompt main.yml
ansible-playbook --vault-id @prompt machine.yml
4. Install and start the dockerised ``loki`` server
::
ansible-playbook --vault-id @prompt loki.yml

10
ansible/b2.cred.j2 Normal file

@ -0,0 +1,10 @@
#!/bin/sh
# Backblaze B2 configuration variables
B2_ACCOUNT="{{ b2_key_id }}"
B2_KEY="{{ b2_app_key }}"
B2_BUCKET="loki-backup"
# GPG key (last 8 characters)
GPG_KEY="{{ gpg_key_id }}"
GPG_PASSPHRASE="{{ gpg_passphrase }}"
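Review bot: The file is a sourced POSIX shell fragment (`#!/bin/sh` on the first line) but the Jinja values are dropped inside double quotes without shell escaping, so an application key or passphrase containing `"`, `$`, or a backslash would be mangled or expanded by the shell when the script is sourced. Rendering each value through Ansible's `quote` filter avoids that, e.g. `B2_KEY={{ b2_app_key | quote }}` and `GPG_PASSPHRASE={{ gpg_passphrase | quote }}` (the filter adds its own single quotes). A header comment such as `# Rendered by ansible; contains live credentials - must not be committed or world-readable` would also document why the file is matched by the `*.cred` ignore rule added in this same change.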


@ -0,0 +1,2 @@
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";


@ -0,0 +1,164 @@
// Unattended-Upgrade::Origins-Pattern controls which packages are
// upgraded.
//
// Lines below have the format "keyword=value,...". A
// package will be upgraded only if the values in its metadata match
// all the supplied keywords in a line. (In other words, omitted
// keywords are wild cards.) The keywords originate from the Release
// file, but several aliases are accepted. The accepted keywords are:
// a,archive,suite (eg, "stable")
// c,component (eg, "main", "contrib", "non-free")
// l,label (eg, "Debian", "Debian-Security")
// o,origin (eg, "Debian", "Unofficial Multimedia Packages")
// n,codename (eg, "jessie", "jessie-updates")
// site (eg, "http.debian.net")
// The available values on the system are printed by the command
// "apt-cache policy", and can be debugged by running
// "unattended-upgrades -d" and looking at the log file.
//
// Within lines unattended-upgrades allows 2 macros whose values are
// derived from /etc/debian_version:
// ${distro_id} Installed origin.
// ${distro_codename} Installed codename (eg, "buster")
Unattended-Upgrade::Origins-Pattern {
// Codename based matching:
// This will follow the migration of a release through different
// archives (e.g. from testing to stable and later oldstable).
// Software will be the latest available for the named release,
// but the Debian release itself will not be automatically upgraded.
// "origin=Debian,codename=${distro_codename}-updates";
// "origin=Debian,codename=${distro_codename}-proposed-updates";
"origin=Debian,codename=${distro_codename},label=Debian";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
// Archive or Suite based matching:
// Note that this will silently match a different release after
// migration to the specified archive (e.g. testing becomes the
// new stable).
// "o=Debian,a=stable";
// "o=Debian,a=stable-updates";
// "o=Debian,a=proposed-updates";
// "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
};
// Python regular expressions, matching packages to exclude from upgrading
Unattended-Upgrade::Package-Blacklist {
// The following matches all packages starting with linux-
// "linux-";
// Use $ to explicitely define the end of a package name. Without
// the $, "libc6" would match all of them.
// "libc6$";
// "libc6-dev$";
// "libc6-i686$";
// Special characters need escaping
// "libstdc\+\+6$";
// The following matches packages like xen-system-amd64, xen-utils-4.1,
// xenstore-utils and libxenstore3.0
// "(lib)?xen(store)?";
// For more information about Python regular expressions, see
// https://docs.python.org/3/howto/regex.html
};
// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
// dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "true";
// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGTERM. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";
// Install all updates when the machine is shutting down
// instead of doing it in the background while the machine is running.
// This will (obviously) make shutdown slower.
// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
// This allows more time for unattended-upgrades to shut down gracefully
// or even install a few packages in InstallOnShutdown mode, but is still a
// big step back from the 30 minutes allowed for InstallOnShutdown previously.
// Users enabling InstallOnShutdown mode are advised to increase
// InhibitDelayMaxSec even further, possibly to 30 minutes.
//Unattended-Upgrade::InstallOnShutdown "false";
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
Unattended-Upgrade::Mail "root";
// Set this value to one of:
// "always", "only-on-error" or "on-change"
// If this is not set, then any legacy MailOnlyOnError (boolean) value
// is used to chose between "only-on-error" and "on-change"
//Unattended-Upgrade::MailReport "on-change";
// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
//Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
// Do automatic removal of newly unused dependencies after the upgrade
//Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
// Do automatic removal of unused packages after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";
// Automatically reboot *WITHOUT CONFIRMATION* if
// the file /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "false";
// Automatically reboot even if there are users currently logged in
// when Unattended-Upgrade::Automatic-Reboot is set to true
//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
// Default: "now"
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";
// Enable logging to syslog. Default is False
// Unattended-Upgrade::SyslogEnable "false";
// Specify syslog facility. Default is daemon
// Unattended-Upgrade::SyslogFacility "daemon";
// Download and install upgrades only on AC power
// (i.e. skip or gracefully stop updates on battery)
// Unattended-Upgrade::OnlyOnACPower "true";
// Download and install upgrades only on non-metered connection
// (i.e. skip or gracefully stop updates on a metered connection)
// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
// Verbose logging
// Unattended-Upgrade::Verbose "false";
// Print debugging information both in unattended-upgrades and
// in unattended-upgrade-shutdown
// Unattended-Upgrade::Debug "false";
// Allow package downgrade if Pin-Priority exceeds 1000
// Unattended-Upgrade::Allow-downgrade "false";
// When APT fails to mark a package to be upgraded or installed try adjusting
// candidates of related packages to help APT's resolver in finding a solution
// where the package can be upgraded or installed.
// This is a workaround until APT's resolver is fixed to always find a
// solution if it exists. (See Debian bug #711128.)
// The fallback is enabled by default, except on Debian's sid release because
// uninstallable packages are frequent there.
// Disabling the fallback speeds up unattended-upgrades when there are
// uninstallable packages at the expense of rarely keeping back packages which
// could be upgraded or installed.
// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";


@ -1,3 +0,0 @@
RUN_DAILY="true"
RUN_DAILY_OPTS="-q"
DIFF_MODE="true"


@ -1,34 +0,0 @@
# Defaults for rkhunter automatic tasks
# sourced by /etc/cron.*/rkhunter and /etc/apt/apt.conf.d/90rkhunter
#
# This is a POSIX shell fragment
#
# Set this to yes to enable rkhunter daily runs
# (default: false)
CRON_DAILY_RUN="yes"
# Set this to yes to enable rkhunter weekly database updates
# (default: false)
CRON_DB_UPDATE=""
# Set this to yes to enable reports of weekly database updates
# (default: false)
DB_UPDATE_EMAIL="false"
# Set this to the email address where reports and run output should be sent
# (default: root)
REPORT_EMAIL="root"
# Set this to yes to enable automatic database updates
# (default: false)
APT_AUTOGEN="false"
# Nicenesses range from -20 (most favorable scheduling) to 19 (least favorable)
# (default: 0)
NICE="0"
# Should daily check be run when running on battery
# powermgmt-base is required to detect if running on battery or on AC power
# (default: false)
RUN_CHECK_ON_BATTERY="false"


@ -1,6 +1,50 @@
^[[:alpha:]]{3} [ :[:digit:]]{11} {{ hostname }} docker-compose\[[0-9]+\]:
^[[:alpha:]]{3} [ :[:digit:]]{11} {{ hostname }} systemd\[[0-9]+\]: Listening on GnuPG network certificate management daemon.
^[[:alpha:]]{3} [ :[:digit:]]{11} {{ hostname }} systemd\[[0-9]+\]: Listening on GnuPG cryptographic agent
^[[:alpha:]]{3} [ :[:digit:]]{11} {{ hostname }} systemd\[[0-9]+\]: Closed GnuPG network certificate management daemon.
^[[:alpha:]]{3} [ :[:digit:]]{11} {{ hostname }} systemd\[[0-9]+\]: Closed GnuPG cryptographic agent
^[[:alpha:]]{3} [ :[:digit:]]{11} {{ hostname }} auditd\[[0-9]+\]: Audit daemon rotating log files
^[ :[:alnum:]]{15} {{ hostname }} docker-compose\[[0-9]+\]:
^[ :[:alnum:]]{15} {{ hostname }} kernel: \[[ .[:digit:]]+\] perf: interrupt took too long \([[:digit:]]+ > [[:digit:]]+\), lowering kernel.perf_event_max_sample_rate to [[:digit:]]+
^[ :[:alnum:]]{15} {{ hostname }} kernel: \[[ .[:digit:]]+\] Process accounting resumed
^[ :[:alnum:]]{15} {{ hostname }} rsyslogd: \[origin software=\"rsyslogd\" swVersion=\"[.[:digit:]]+\" x-pid=\"[[:digit:]]+\" x-info=\"https://www.rsyslog.com\"\] rsyslogd was HUPed
^[ :[:alnum:]]{15} {{ hostname }} systemd\[[0-9]+\]: apt-daily.service: Succeeded.
^[ :[:alnum:]]{15} {{ hostname }} systemd\[[0-9]+\]: apt-daily-upgrade.service: Succeeded.
^[ :[:alnum:]]{15} {{ hostname }} systemd\[[0-9]+\]: systemd-tmpfiles-clean.service: Succeeded.
^[ :[:alnum:]]{15} {{ hostname }} systemd\[[0-9]+\]: Listening on GnuPG network certificate management daemon.
^[ :[:alnum:]]{15} {{ hostname }} systemd\[[0-9]+\]: Listening on GnuPG cryptographic agent
^[ :[:alnum:]]{15} {{ hostname }} systemd\[[0-9]+\]: Closed GnuPG network certificate management daemon.
^[ :[:alnum:]]{15} {{ hostname }} systemd\[[0-9]+\]: Closed GnuPG cryptographic agent
^[ :[:alnum:]]{15} {{ hostname }} systemd\[[0-9]+\]: run-docker-runtime\\x2drunc-moby
^[ :[:alnum:]]{15} {{ hostname }} systemd\[[0-9]+\]: Starting Daily man-db regeneration...
^[ :[:alnum:]]{15} {{ hostname }} systemd\[[0-9]+\]: fstrim.service: Succeeded.
^[ :[:alnum:]]{15} {{ hostname }} systemd\[[0-9]+\]: man-db.service: Succeeded.
^[ :[:alnum:]]{15} {{ hostname }} systemd\[[0-9]+\]: Started Daily man-db regeneration.
^[ :[:alnum:]]{15} {{ hostname }} systemd\[[0-9]+\]: logrotate.service: Succeeded.
^[ :[:alnum:]]{15} {{ hostname }} systemd\[[0-9]+\]: packagekit.service: Main process exited, code=killed, status=15/TERM
^[ :[:alnum:]]{15} {{ hostname }} systemd\[[0-9]+\]: packagekit.service: Succeeded.
^[ :[:alnum:]]{15} {{ hostname }} systemd\[[0-9]+\]: acct.service: Succeeded.
^[ :[:alnum:]]{15} {{ hostname }} systemd\[[0-9]+\]: Starting LSB: process and login accounting...
^[ :[:alnum:]]{15} {{ hostname }} systemd\[[0-9]+\]: Started LSB: process and login accounting.
^[ :[:alnum:]]{15} {{ hostname }} systemd\[[0-9]+\]: Stopping LSB: process and login accounting...
^[ :[:alnum:]]{15} {{ hostname }} systemd\[[0-9]+\]: Stopped LSB: process and login accounting.
^[ :[:alnum:]]{15} {{ hostname }} systemd\[[0-9]+\]: Finished system activity accounting tool.
^[ :[:alnum:]]{15} {{ hostname }} systemd\[[0-9]+\]: Finished Generate a daily summary of process accounting.
^[ :[:alnum:]]{15} {{ hostname }} systemd\[[0-9]+\]: Finished Cleanup of Temporary Directories.
^[ :[:alnum:]]{15} {{ hostname }} systemd\[[0-9]+\]: Finished Kernel process accounting.
^[ :[:alnum:]]{15} {{ hostname }} systemd\[[0-9]+\]: apt-daily.service: Consumed [[:digit:]]+.[[:digit:]]+s CPU time.
^[ :[:alnum:]]{15} {{ hostname }} systemd\[[0-9]+\]: apt-daily-upgrade.service: Consumed [[:digit:]]+.[[:digit:]]+s CPU time.
^[ :[:alnum:]]{15} {{ hostname }} accton\[[0-9]+\]: Turning on process accounting, file set to '/var/log/account/pacct'.
^[ :[:alnum:]]{15} {{ hostname }} accton\[[0-9]+\]: Turning off process accounting.
^[ :[:alnum:]]{15} {{ hostname }} accton\[[0-9]+\]: Done..
^[ :[:alnum:]]{15} {{ hostname }} auditd\[[0-9]+\]: Audit daemon rotating log files
^[ :[:alnum:]]{15} {{ hostname }} dbus-daemon\[[0-9]+\]: \[system\] Activating via systemd: service name='org.freedesktop.PackageKit' unit='packagekit.service' requested by '[:.[:digit:]]+' \(uid=0 pid=[[:digit:]]+ comm=\"/usr/bin/gdbus call --system --dest org.freedeskto\"\)
^[ :[:alnum:]]{15} {{ hostname }} dbus-daemon\[[0-9]+\]: \[system\] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkit.service' requested by '[:.[:digit:]]+' \(uid=0 pid=[[:digit:]]+ comm=\"/usr/lib/packagekit/packagekitd \"\)
^[ :[:alnum:]]{15} {{ hostname }} dbus-daemon\[[0-9]+\]: \[system\] Successfully activated service 'org.freedesktop.PackageKit'
^[ :[:alnum:]]{15} {{ hostname }} dbus-daemon\[[0-9]+\]: \[system\] Successfully activated service 'org.freedesktop.PolicyKit1'
^[ :[:alnum:]]{15} {{ hostname }} fstrim\[[0-9]+\]: /: [.[:digit:]]+ [KMG]iB \([[:digit:]]+ bytes\) trimmed on /dev/md[[:digit:]]
^[ :[:alnum:]]{15} {{ hostname }} PackageKit: daemon start
^[ :[:alnum:]]{15} {{ hostname }} PackageKit: daemon quit
^[ :[:alnum:]]{15} {{ hostname }} polkitd\[[0-9]+\]: started daemon version [.[:digit:]]+ using authority implementation `local' version `[.[:digit:]]+'
^[ :[:alnum:]]{15} {{ hostname }} runuser: pam_unix\(runuser:session\): session opened for user nobody by \(uid=0\)
^[ :[:alnum:]]{15} {{ hostname }} runuser: pam_unix\(runuser:session\): session closed for user nobody
^[ :[:alnum:]]{15} {{ hostname }} sshd\[[0-9]+\]: Invalid user [._'[:alnum:]-]+ from [.[:digit:]]+ port [[:digit:]]+
^[ :[:alnum:]]{15} {{ hostname }} sshd\[[0-9]+\]: Received disconnect from [.[:digit:]]+ port [:[:digit:]]+ Bye Bye \[preauth\]
^[ :[:alnum:]]{15} {{ hostname }} sshd\[[0-9]+\]: Disconnected from invalid user [._'[:alnum:]-]+ [.[:digit:]]+ port [[:digit:]]+ \[preauth\]
^[ :[:alnum:]]{15} {{ hostname }} sshd\[[0-9]+\]: Connection closed by [.[:digit:]]+ port [[:digit:]]+ \[preauth\]
^[ :[:alnum:]]{15} {{ hostname }} sshd\[[0-9]+\]: Connection reset by [.[:digit:]]+ port [[:digit:]]+ \[preauth\]
^[ :[:alnum:]]{15} {{ hostname }} sshd\[[0-9]+\]: Did not receive identification string from [.[:digit:]]+ port [[:digit:]]+
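Review bot: The two `Consumed [[:digit:]]+.[[:digit:]]+s CPU time.` patterns for apt-daily and apt-daily-upgrade leave the decimal point unescaped, so `.` matches any character; `Consumed [[:digit:]]+\.[[:digit:]]+s CPU time\.` is the intended form, and the trailing `.` in `accton ... Done..` has the same issue. Separately, the new sshd ignores (`Invalid user`, `Received disconnect`, `Connection closed by`, `Did not receive identification string`) suppress exactly the lines that reveal password-guessing against the host, so logcheck reports will no longer show that activity at all. If the intent is to cut noise rather than hide it, consider keeping at least `Invalid user` out of the ignore list or relying on a rate-based tool to summarise those events, and note the decision in a comment such as `# sshd pre-auth noise below is intentionally suppressed; brute-force visibility comes from <TOOL-PLACEHOLDER>`.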


@ -18,7 +18,7 @@ table inet filter {
ip protocol icmp icmp type { echo-request, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
# activate the following line to accept common local services
tcp dport { 80, 443, {{ ssh_port }}, {{ gitlab_ssh_port }}, {{ shadowsocks_port }} } ct state new accept
tcp dport { 80, 443, {{ ssh_port }}, {{ gitlab_ssh_port }} } ct state new accept
# count and drop any other traffic
counter drop



@ -1,4 +1,4 @@
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
@ -95,8 +95,6 @@ X11Forwarding no
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0


@ -0,0 +1,9 @@
[Unit]
Description=Backup Loki server
[Service]
WorkingDirectory={{ loki_dir }}
Type=oneshot
ExecStartPre={{ loki_dir }}/registry-cleaner.sh
ExecStart={{ loki_dir }}/backup.sh -b
ExecStartPost={{ loki_dir }}/b2-backup.sh
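Review bot: With `Type=oneshot`, a non-zero exit from `ExecStartPre={{ loki_dir }}/registry-cleaner.sh` aborts the unit before `backup.sh -b` runs, so a transient registry-cleanup failure silently skips the weekly backup and the B2 upload. If the cleaner is best-effort, prefix it with `-` (`ExecStartPre=-{{ loki_dir }}/registry-cleaner.sh`) so only the backup steps are fatal; if it must succeed, a comment saying so would help the next reader. The unit has no `User=`, so all three scripts presumably run as root; that may be required for the docker socket, but worth stating in a comment since the scripts read the credential files installed alongside them.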


@ -0,0 +1,10 @@
[Unit]
Description=Back up Loki once a week
[Timer]
OnCalendar=weekly
AccuracySec=1h
Persistent=true
[Install]
WantedBy=timers.target


@ -3,7 +3,7 @@ Description=Dockerised web server
After=docker.service
[Service]
WorkingDirectory=/root/Loki
WorkingDirectory={{ loki_dir }}
Environment="COMPOSE_HTTP_TIMEOUT=300"
ExecStart=/usr/bin/docker-compose up
ExecStop=/usr/bin/docker-compose down

2
ansible/gitlab.cred.j2 Normal file

@ -0,0 +1,2 @@
{{ gitlab_username }}
{{ gitlab_access_token }}


@ -9,4 +9,7 @@
# appropriate entries to /etc/hosts.
[server]
loki
loki
[server:vars]
ansible_python_interpreter=/usr/bin/python3

130
ansible/loki.yml Normal file

@ -0,0 +1,130 @@
---
- hosts: server
vars_files:
- secrets.yml
vars:
- debian_release: bullseye
tasks:
# -------------------------------------------------------------------------
# Docker CE.
# -------------------------------------------------------------------------
- name: Install packages to enable HTTPS repository
apt:
name:
- apt-transport-https
- ca-certificates
- curl
- gnupg2
- software-properties-common
- name: Add Docker GPG key
apt_key:
id: 0EBFCD88
url: https://download.docker.com/linux/debian/gpg
state: present
- name: Add Docker repository
apt_repository:
repo: deb [arch=amd64] https://download.docker.com/linux/debian "{{ debian_release }}" stable
state: present
register: docker_repo
- name: Update apt cache
apt:
update_cache: yes
force_apt_get: yes
when: docker_repo is changed
- name: Install docker-ce and docker-compose
apt:
name:
- docker-ce
- docker-compose
# -------------------------------------------------------------------------
# Loki server.
# -------------------------------------------------------------------------
- name: Install git
apt:
name: git
- name: Clone Loki repo
git:
repo: https://github.com/Wojtek242/loki.git
dest: "{{ loki_dir }}"
update: no
register: loki_git
- name: Build containers locally
command: make build-all
args:
chdir: "{{ loki_dir }}"
when: loki_git is changed
- name: Add hosts file
template:
src: ./etc/hosts.j2
dest: /etc/hosts
mode: 0644
# -------------------------------------------------------------------------
# Loki server service.
# -------------------------------------------------------------------------
- name: Install Loki server
template:
src: ./etc/systemd/system/loki-server.service.j2
dest: /etc/systemd/system/loki-server.service
mode: 0644
- name: Enable and start Loki server
service:
name: loki-server
state: started
enabled: yes
# -------------------------------------------------------------------------
# Loki backup service.
# -------------------------------------------------------------------------
- name: Install duplicity
apt:
name:
- duplicity
- python3-b2sdk
- name: Create GitLab credentials file
template:
src: ./gitlab.cred.j2
dest: "{{ loki_dir }}/gitlab.cred"
mode: 0644
- name: Create B2 credentials file
template:
src: ./b2.cred.j2
dest: "{{ loki_dir }}/b2.cred"
mode: 0644
- name: Install Loki backup service
template:
src: ./etc/systemd/system/loki-backup.service.j2
dest: /etc/systemd/system/loki-backup.service
mode: 0644
- name: Install Loki backup timer
template:
src: ./etc/systemd/system/loki-backup.timer.j2
dest: /etc/systemd/system/loki-backup.timer
mode: 0644
- name: Enable and start Loki backup
service:
name: loki-backup.timer
state: started
enabled: yes
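Review bot: The "Create GitLab credentials file" and "Create B2 credentials file" tasks install `gitlab.cred` and `b2.cred` with `mode: 0644`, which makes the GitLab access token, B2 application key and GPG passphrase readable by every local account on the host; `mode: 0600` (and an explicit `owner: root` / `group: root`) is the appropriate setting for both. The "Add Docker GPG key" task identifies the key by the 8-character short id `0EBFCD88`, which is easy to collide; `apt_key` accepts the full 40-character fingerprint, so `id: <FULL-FINGERPRINT-PLACEHOLDER>` would pin the key unambiguously. The `apt_repository` line pins `arch=amd64`, so this play cannot be reused on the Raspberry Pi host mentioned in the commit list without parameterising the architecture.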


@ -4,10 +4,6 @@
vars_files:
- secrets.yml
vars:
- debian_release: stretch
- loki_dir: /srv/loki
tasks:
# -------------------------------------------------------------------------
@ -22,35 +18,43 @@
force_apt_get: yes
register: apt_update
# Once ansible 2.7 is available will be able to just use reboot module.
- block:
- name: Reboot
shell: "sleep 1 && reboot"
async: 1
poll: 0
- name: Wait for host to come back up
wait_for_connection:
connect_timeout: 20
sleep: 5
delay: 5
timeout: 300
- name: Reboot the machine
reboot:
when: apt_update is changed
# -------------------------------------------------------------------------
# Ensure unattended upgrades is installed.
# -------------------------------------------------------------------------
- name: Install unattended-upgrades
apt:
name: unattended-upgrades
- name: Configure unattended-upgrades
template:
src: ./etc/apt/apt.conf.d/50unattended-upgrades.j2
dest: /etc/apt/apt.conf.d/50unattended-upgrades
mode: 0644
- name: Enable unattended-upgrades
template:
src: ./etc/apt/apt.conf.d/20auto-upgrades.j2
dest: /etc/apt/apt.conf.d/20auto-upgrades
mode: 0644
# -------------------------------------------------------------------------
# Loki uses SSDs so use fstrim on a timer.
# -------------------------------------------------------------------------
- name: Copy fstrim service file
copy:
src: ./etc/systemd/system/fstrim.service
template:
src: ./etc/systemd/system/fstrim.service.j2
dest: /etc/systemd/system/fstrim.service
mode: 0644
- name: Copy fstrim timer file
copy:
src: ./etc/systemd/system/fstrim.timer
template:
src: ./etc/systemd/system/fstrim.timer.j2
dest: /etc/systemd/system/fstrim.timer
mode: 0644
@ -60,18 +64,31 @@
state: started
enabled: yes
# -------------------------------------------------------------------------
# Set up the USB flash drive.
# -------------------------------------------------------------------------
- name: Create USB mount directory
file:
path: /media/usb0
state: directory
- name: Ensure USB drive is auto-mounted
lineinfile:
line: "LABEL=Muninn /media/usb0 ext4 defaults 0 0"
dest: "/etc/fstab"
# -------------------------------------------------------------------------
# Apparmor.
# -------------------------------------------------------------------------
- name: Install apparmor, utilities, and profiles
apt:
name: "{{ item }}"
with_items:
- apparmor
- apparmor-utils
- apparmor-profiles
- apparmor-profiles-extra
name:
- apparmor
- apparmor-utils
- apparmor-profiles
- apparmor-profiles-extra
register: apparmor
- name: Ensure /etc/default/grub.d exists
@ -87,22 +104,12 @@
mode: 0644
register: apparmor_cfg
# Once ansible 2.7 is available will be able to just use reboot module.
- block:
- name: Update grub
command: update-grub
- name: Reboot
shell: "sleep 1 && reboot"
async: 1
poll: 0
- name: Wait for host to come back up
wait_for_connection:
connect_timeout: 20
sleep: 5
delay: 5
timeout: 300
- name: Reboot the machine
reboot:
when:
apparmor is changed or
@ -139,11 +146,10 @@
- name: Install postfix
apt:
name: "{{ item }}"
with_items:
- postfix
- ca-certificates
- libsasl2-modules
name:
- postfix
- ca-certificates
- libsasl2-modules
register: postfix
- name: Configure credentials
@ -232,10 +238,9 @@
- name: Install logcheck and logrotate
apt:
name: "{{ item }}"
with_items:
- logcheck
- logrotate
name:
- logcheck
- logrotate
- name: Configure logcheck
template:
@ -308,35 +313,6 @@
auditd is changed or
auditd_cfg is changed
# -------------------------------------------------------------------------
# Chkrootkit and Rkhunter.
# -------------------------------------------------------------------------
- name: Install rkhunter and chkrootkit
apt:
name: "{{ item }}"
with_items:
- rkhunter
- chkrootkit
- name: Configure rkhunter
template:
src: ./etc/rkhunter.conf.j2
dest: /etc/rkhunter.conf
mode: 0644
- name: Configure rkhunter
template:
src: ./etc/default/rkhunter.j2
dest: /etc/default/rkhunter
mode: 0644
- name: Configure chkrootkit
template:
src: ./etc/chkrootkit.conf.j2
dest: /etc/chkrootkit.conf
mode: 0644
# -------------------------------------------------------------------------
# Install sudo and user to group.
# -------------------------------------------------------------------------
@ -351,104 +327,6 @@
groups: sudo
append: yes
# -------------------------------------------------------------------------
# Docker CE.
# -------------------------------------------------------------------------
- name: Install packages to enable HTTPS repository
apt:
name: "{{ item }}"
with_items:
- apt-transport-https
- ca-certificates
- curl
- gnupg2
- software-properties-common
- name: Add Docker GPG key
apt_key:
id: 0EBFCD88
url: https://download.docker.com/linux/debian/gpg
state: present
- name: Add Docker repository
apt_repository:
repo: deb [arch=amd64] https://download.docker.com/linux/debian "{{ debian_release }}" stable
state: present
register: docker_repo
- name: Update apt cache
apt:
update_cache: yes
force_apt_get: yes
when: docker_repo is changed
- name: Install docker-ce and docker-compose
apt:
name: "{{ item }}"
with_items:
- docker-ce
- docker-compose
# -------------------------------------------------------------------------
# Loki server.
# -------------------------------------------------------------------------
- name: Install git
apt:
name: git
- name: Clone Loki repo
git:
repo: https://github.com/Wojtek242/loki.git
dest: "{{ loki_dir }}"
register: loki_git
- block:
- name: Install Loki service
command: cp "{{ loki_dir }}"/loki-server.service /lib/systemd/system/
- name: Update service file
lineinfile:
path: /lib/systemd/system/loki-server.service
regexp: '^WorkingDirectory='
line: 'WorkingDirectory={{ loki_dir }}'
- name: Reload systemd daemon
systemd:
daemon_reload: yes
- block:
- name: Update
command: ./update.sh
args:
chdir: "{{ loki_dir }}"
rescue:
- debug:
msg: "Failed to pull containers from registry - will build locally"
- name: Build locally
command: make build-all
args:
chdir: "{{ loki_dir }}"
when: loki_git is changed
# Hosts file must be added after the first update as otherwise the initial
# container pull will always fail
- name: Add hosts file
template:
src: ./etc/hosts.j2
dest: /etc/hosts
mode: 0644
- name: Ensure service is started
service:
name: loki-server
state: started
enabled: yes
# -------------------------------------------------------------------------
# Set MotD.
# -------------------------------------------------------------------------
@ -468,16 +346,3 @@
src: ./root.bashrc
dest: /root/.bashrc
mode: 0644
# -------------------------------------------------------------------------
# Update rkhunter and chkrootkit databases.
# -------------------------------------------------------------------------
- name: Update rkhunter database
command: rkhunter --propupd
- name: Run chkrootkit
command: /etc/cron.daily/chkrootkit
- name: Update chkrootkit logs
command: cp -a /var/log/chkrootkit/log.today /var/log/chkrootkit/log.expected


@ -12,5 +12,5 @@
ansible_port: "{{ default_ssh_port }}"
tasks:
- name: Install python2
raw: apt-get -y install python
- name: Install python
raw: apt-get -y install python3 python3-pip python3-setuptools
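Review bot: The new `raw: apt-get -y install python3 python3-pip python3-setuptools` task runs without refreshing the package index first, so on a freshly provisioned host whose index is empty or stale it can fail or install outdated packages; `raw: apt-get update && apt-get -y install python3 python3-pip python3-setuptools` avoids that. `raw` also reports `changed` on every run, so a guard such as `raw: test -e /usr/bin/python3 || (apt-get update && apt-get -y install python3 python3-pip python3-setuptools)` keeps the bootstrap play idempotent. The enclosing play starts above this hunk.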


@ -20,9 +20,6 @@ default_ssh_port:
# GitLab
gitlab_ssh_port:
# Shadowsocks
shadowsocks_port:
# Postfix
postfix_smtp_server:
postfix_smtp_port:
@ -36,3 +33,14 @@ fail2ban_sender:
# For /etc/hosts
domains:
# Loki setup
loki_dir:
gitlab_username:
gitlab_access_token:
# Backblaze setup
b2_key_id:
b2_app_key:
gpg_key_id:
gpg_passphrase:
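Review bot: `gitlab_access_token`, `b2_app_key` and `gpg_passphrase` (and arguably `b2_key_id`) are credentials, yet they are added to the same plain vars file as port numbers and hostnames. If this file is the template that gets filled in on the controller, the filled-in copy should live in an `ansible-vault`-encrypted file (for example a separate `vault.yml` referenced as `gpg_passphrase: "{{ vault_gpg_passphrase }}"`) so the secrets are never on disk or in git in clear text. A comment above the block, `# Secrets - keep the real values in an ansible-vault encrypted file`, would keep that from being forgotten by the next person who fills it in.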

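--- /dev/null
+++ b/b2-backup.sh
@@ -0,0 +1,82 @@
+#!/bin/bash
+set -ue
+CYAN='\033[01;36m'
+NC='\033[00m'
+if [ ! -t 1 ]; then
+CYAN=''
+NC=''
+fi
+SCRIPT=$(readlink -f $0)
+DIRNAME=$(dirname $SCRIPT)
+# -----------------------------------------------------------------------------
+# Run only if it's the first week of the month.
+# -----------------------------------------------------------------------------
+day_of_month=`date '+%d' | bc`
+if (( $day_of_month > 7 ))
+then
+echo -e "${CYAN}[${SCRIPT}] No B2 backup this week ${NC}"
+exit 0
+fi
+echo -e "${CYAN}[${SCRIPT}] Perform B2 backup ${NC}"
+# -----------------------------------------------------------------------------
+# Import all account and GPG variables.
+# -----------------------------------------------------------------------------
+source ./b2.cred
+export PASSPHRASE=${GPG_PASSPHRASE}
+# -----------------------------------------------------------------------------
+# Local directory to backup.
+# -----------------------------------------------------------------------------
+LOCAL_DIR="/media/usb0/backup"
+# -----------------------------------------------------------------------------
+# Remove files older than 15 days.
+# -----------------------------------------------------------------------------
+echo -e "${CYAN}[${SCRIPT}] Remove files older than 32 days ${NC}"
+duplicity remove-older-than 32D --force \
+--encrypt-sign-key $GPG_KEY \
+b2://${B2_ACCOUNT}:${B2_KEY}@${B2_BUCKET}
+# -----------------------------------------------------------------------------
+# Perform a full backup.
+# -----------------------------------------------------------------------------
+echo -e "${CYAN}[${SCRIPT}] Perform a full backup ${NC}"
+duplicity full \
+--encrypt-sign-key $GPG_KEY \
+${LOCAL_DIR} b2://${B2_ACCOUNT}:${B2_KEY}@${B2_BUCKET}
+# -----------------------------------------------------------------------------
+# Clean up failures.
+# -----------------------------------------------------------------------------
+echo -e "${CYAN}[${SCRIPT}] Clean up failures ${NC}"
+duplicity cleanup --force \
+--encrypt-sign-key $GPG_KEY \
+b2://${B2_ACCOUNT}:${B2_KEY}@${B2_BUCKET}
+# -----------------------------------------------------------------------------
+# Show collection status.
+# -----------------------------------------------------------------------------
+echo -e "${CYAN}[${SCRIPT}] Show collection status ${NC}"
+duplicity collection-status \
+--encrypt-sign-key $GPG_KEY \
+b2://${B2_ACCOUNT}:${B2_KEY}@${B2_BUCKET}
+# -----------------------------------------------------------------------------
+# Unset the GPG passphrase.
+# -----------------------------------------------------------------------------
+unset PASSPHRASE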
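Review bot: The B2 application key is embedded in the `b2://${B2_ACCOUNT}:${B2_KEY}@${B2_BUCKET}` argument of all four duplicity invocations, so for the duration of each run it is readable by every local user through `ps`/`/proc/*/cmdline`, and it would be echoed by any `xtrace` or cron mail; duplicity takes the backend password from the `FTP_PASSWORD` environment variable when it is omitted from the URL, so `export FTP_PASSWORD=${B2_KEY}` plus `b2://${B2_ACCOUNT}@${B2_BUCKET}` keeps it out of argv (confirm the b2 backend honours it on the installed duplicity version). Separately, `source ./b2.cred` is resolved against the caller's cwd although `DIRNAME` is computed and never used; under cron the cwd is not the script directory and `set -ue` will abort before any backup runs, so use `source "${DIRNAME}/b2.cred"`. The comment `Remove files older than 15 days` also disagrees with the `32D` actually passed on the following lines.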

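--- /dev/null
+++ b/backup.sh
@@ -0,0 +1,188 @@
+#!/bin/bash
+set -e
+RED='\033[01;31m'
+GREEN='\033[01;32m'
+YELLOW='\033[01;33m'
+CYAN='\033[01;36m'
+NC='\033[00m'
+if [ ! -t 1 ]; then
+RED=''
+GREEN=''
+YELLOW=''
+CYAN=''
+NC=''
+fi
+SCRIPT=$(readlink -f $0)
+DIRNAME=$(dirname $SCRIPT)
+BACKUP_DIR="/media/usb0/backup"
+# -----------------------------------------------------------------------------
+# Get the list of volumes.
+# -----------------------------------------------------------------------------
+function get_volumes {
+# Find the line where "services:" start
+services_line=$(grep -n services docker-compose.yml | \
+awk '{split($0, a, ":"); print a[1]}')
+# The volumes are listed between "volumes:" and "services:"
+volume_list=$(head -n $services_line docker-compose.yml | \
+awk '/volumes:/,/services:/')
+# Split into array
+IFS=':'; volumes=($volume_list); unset IFS;
+# Trim whitespace
+for ((i = 0; i < ${#volumes[@]}; i++)); do
+volumes[$i]=$(echo -e "${volumes[$i]}" | tr -d '[:space:]')
+done
+# Verify that the first entry is "volumes" and the last "services"
+if [ ${volumes[0]} != "volumes" ] || [ "${volumes[-1]}" != "services" ]
+then
+echo -e "${RED}Unexpected input${NC}" >&2
+exit 1
+fi
+# Remove first and last entry - they will be "volumes" and " services"
+let len=${#volumes[@]}-2
+volumes=("${volumes[@]:1:$len}")
+echo ${volumes[*]}
+}
+# -----------------------------------------------------------------------------
+# Start the server.
+# -----------------------------------------------------------------------------
+function server_start {
+echo -e "${CYAN}[${SCRIPT}] Restart loki-server ${NC}"
+systemctl start loki-server
+}
+# -----------------------------------------------------------------------------
+# Stop the server.
+# -----------------------------------------------------------------------------
+function server_stop {
+echo -e "${CYAN}[${SCRIPT}] Stop loki-server ${NC}"
+systemctl stop loki-server
+}
+# -----------------------------------------------------------------------------
+# Back up volumes.
+# -----------------------------------------------------------------------------
+function backup {
+volumes=$1
+# Remove old backup directory
+if [ -d ${BACKUP_DIR} ]; then
+rm -f ${BACKUP_DIR}/*.tar
+rmdir ${BACKUP_DIR}
+fi
+# Make sure directory exists
+mkdir ${BACKUP_DIR}
+for vol in "${volumes[@]}"
+do
+echo -e "${CYAN}[${SCRIPT}] Back up ${YELLOW}${vol}${CYAN} volume${NC}"
+set -o xtrace
+docker run --rm \
+-v loki_${vol}:/opt/${vol} \
+-v ${BACKUP_DIR}:/opt/backup \
+debian:stable-slim \
+bash -c "cd /opt/${vol} && tar cf /opt/backup/${vol}.tar ."
+set +o xtrace
+done
+}
+# -----------------------------------------------------------------------------
+# Restore volumes.
+# -----------------------------------------------------------------------------
+function restore {
+volumes=$1
+for vol in "${volumes[@]}"
+do
+echo -e "${CYAN}[${SCRIPT}] Restore ${YELLOW}${vol}${CYAN} volume${NC}"
+set -o xtrace
+docker run --rm \
+-v loki_${vol}:/opt/${vol} \
+-v ${BACKUP_DIR}:/opt/backup \
+debian:stable-slim \
+bash -c "cd /opt/${vol} && tar xf /opt/backup/${vol}.tar"
+set +o xtrace
+done
+}
+# -----------------------------------------------------------------------------
+# Main.
+# -----------------------------------------------------------------------------
+while getopts "br" option
+do
+case ${option} in
+b )
+echo -e "${CYAN}[${SCRIPT}] Extract list of volumes ${NC}"
+volumes=($(get_volumes))
+echo -e "${YELLOW}Volumes${NC}:"
+for vol in "${volumes[@]}"
+do
+echo -e " - ${YELLOW}${vol} ${NC}"
+done
+server_stop
+backup ${volumes}
+server_start
+exit 0
+;;
+r )
+echo -e "${CYAN}[${SCRIPT}] Extract list of volumes ${NC}"
+volumes=($(get_volumes))
+echo -e "${YELLOW}Volumes${NC}:"
+for vol in "${volumes[@]}"
+do
+echo -e " - ${YELLOW}${vol} ${NC}"
+done
+server_stop
+restore ${volumes}
+server_start
+exit 0
+;;
+\? )
+echo -e "${GREEN} Usage: backup.sh [-b|-r]${NC}"
+exit 1
+;;
+esac
+done
+# If we get here then no options were triggered
+echo -e "${GREEN} Usage: backup.sh [-b|-r]${NC}"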
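Review bot: `backup ${volumes}` and `restore ${volumes}` in the `b`/`r` cases expand to only the first array element, and `volumes=$1` inside each function then merely overwrites index 0 of the global `volumes` array; the remaining volumes are still processed only because neither function declares the variable `local`, which is fragile and breaks silently the moment someone adds `local`. Pass the list explicitly: `backup "${volumes[@]}"` at the call sites and `local volumes=("$@")` as the first line of `backup` and `restore`. The helper containers also run an untagged `debian:stable-slim` as root with the data volume mounted read-write even in the backup direction; pinning the tag (or digest) and mounting `-v loki_${vol}:/opt/${vol}:ro` for backups is a cheap least-privilege gain. Note that `set -e` is used without `-u`, so an empty `${vol}` would make `tar cf /opt/backup/${vol}.tar` write to `/opt/backup/.tar` rather than fail.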


@ -1,7 +1,6 @@
version: '2'
volumes:
wiki:
nextcloud:
nextcloud_db:
gitlab_config:
@ -10,7 +9,8 @@ volumes:
letsencrypt:
runner_0_etc:
runner_0_home:
shadowsocks:
runner_tud_etc:
runner_tud_home:
services:
@ -20,30 +20,19 @@ services:
html:
container_name: html
image: nginx
volumes:
- ./html/html-wojciechkozlowski.eu/:/usr/share/nginx/html/
restart: always
# ---------------------------------------------------------------------------
# DokuWiki installation available at wiki.wojciechkozlowski.eu
# ---------------------------------------------------------------------------
wiki:
container_name: wiki
build: dokuwiki
image: registry.wojciechkozlowski.eu/wojtek/loki/wiki
volumes:
- wiki:/var/dokuwiki-storage
image: registry.wojciechkozlowski.eu/wojtek/loki/html
restart: always
# ---------------------------------------------------------------------------
# NextCloud installation available at cloud.wojciechkozlowski.eu
#
# Note about version lock:
# https://dba.stackexchange.com/questions/256427/unable-to-create-tables-with-row-format-compressed
# ---------------------------------------------------------------------------
nextcloud-db:
container_name: nextcloud-db
image: mariadb
image: mariadb:10.5
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
volumes:
- nextcloud_db:/var/lib/mysql
@ -56,7 +45,6 @@ services:
nextcloud-app:
container_name: nextcloud-app
build: nextcloud
image: registry.wojciechkozlowski.eu/wojtek/loki/nextcloud
links:
- nextcloud-db
@ -81,7 +69,7 @@ services:
gitlab:
container_name: gitlab
image: gitlab/gitlab-ce
image: gitlab/gitlab-ce:15.2.0-ce.0
environment:
GITLAB_OMNIBUS_CONFIG: |
external_url 'https://gitlab.wojciechkozlowski.eu'
@ -97,12 +85,17 @@ services:
- gitlab_config:/etc/gitlab
- gitlab_logs:/var/log/gitlab
- gitlab_data:/var/opt/gitlab
- ./gitlab/ssh_config:/etc/ssh/ssh_config
restart: always
# See https://docs.gitlab.com/ee/ci/docker/using_docker_build.html for how to
# register the runner for running docker-in-docker builds. Note the need to
# set docker-privileged.
# register the runner for running docker-in-docker builds.
#
# Note the need to set docker-privileged.
#
# https://gitlab.com/gitlab-org/gitlab-runner/issues/4501
# Since docker 19.03 also need to set the following in config.toml:
# [[runners]]
# environment = ["DOCKER_TLS_CERTDIR="]
runner-0:
container_name: runner-0
image: gitlab/gitlab-runner
@ -112,6 +105,14 @@ services:
- /var/run/docker.sock:/var/run/docker.sock
restart: always
runner-tud:
container_name: runner-tud
image: gitlab/gitlab-runner
volumes:
- runner_tud_etc:/etc/gitlab-runner
- runner_tud_home:/home/gitlab-runner
- /var/run/docker.sock:/var/run/docker.sock
restart: always
# ---------------------------------------------------------------------------
# Reverse proxy served by Nginx.
@ -119,14 +120,12 @@ services:
proxy:
container_name: proxy
build: proxy
image: registry.wojciechkozlowski.eu/wojtek/loki/proxy
ports:
- 80:80
- 443:443
links:
- html
- wiki
- nextcloud
- gitlab
volumes:
@ -134,17 +133,3 @@ services:
- ./proxy/nginx-conf.d:/etc/nginx/conf.d:ro
- letsencrypt:/etc/letsencrypt
restart: always
# ---------------------------------------------------------------------------
# Shadowsocks server.
# ---------------------------------------------------------------------------
shadowsocks:
container_name: shadowsocks
build: shadowsocks
image: registry.wojciechkozlowski.eu/wojtek/loki/shadowsocks
ports:
- 7698:7698
volumes:
- shadowsocks:/var/shadowsocks
restart: always
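Review bot: The new `runner-tud` service bind-mounts `/var/run/docker.sock` just like `runner-0`, which hands any CI job that lands on it root-equivalent control of the host; if that runner accepts jobs from a project not fully under your control, it belongs on an isolated host or VM, or on an executor that does not need the host socket. In the same file `gitlab/gitlab-ce` is now pinned to `15.2.0-ce.0` while `image: gitlab/gitlab-runner` stays floating, so an automatic `pull` (see `update.sh`) will eventually fetch a runner incompatible with the pinned server — pin it to the matching release tag. The added comment about `DOCKER_TLS_CERTDIR=""` is also worth expanding: it disables TLS between the job container and docker-in-docker, e.g. `# Disables TLS to dind; acceptable only because both ends share the job's private network`.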


@ -1,52 +0,0 @@
FROM debian:stable-slim
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update && apt-get -y upgrade
ENV HTML_PATH /usr/share/nginx/html
ENV DOKU_VOL /var/dokuwiki-storage
RUN apt-get -y install \
wget \
php7.0-fpm \
php7.0-xml \
nginx \
supervisor
RUN sed -i -e "s|cgi.fix_pathinfo=1|cgi.fix_pathinfo=0|g" /etc/php/7.0/fpm/php.ini && \
mkdir /run/php
RUN rm -rf /etc/nginx/sites-enabled/* && \
rm -rf /etc/nginx/conf.d
RUN rm -rf $HTML_PATH && \
mkdir $HTML_PATH && \
mkdir $DOKU_VOL && \
mkdir $DOKU_VOL/data && \
cd $HTML_PATH && \
wget https://download.dokuwiki.org/src/dokuwiki/dokuwiki-stable.tgz && \
tar xf dokuwiki-stable.tgz --strip 1 && \
rm dokuwiki-stable.tgz && \
chown -R www-data:www-data ./ && \
mv $HTML_PATH/data/pages $DOKU_VOL/data/pages && \
ln -s $DOKU_VOL/data/pages $HTML_PATH/data/pages && \
mv $HTML_PATH/data/meta $DOKU_VOL/data/meta && \
ln -s $DOKU_VOL/data/meta $HTML_PATH/data/meta && \
mv $HTML_PATH/data/media $DOKU_VOL/data/media && \
ln -s $DOKU_VOL/data/media $HTML_PATH/data/media && \
mv $HTML_PATH/data/media_attic $DOKU_VOL/data/media_attic && \
ln -s $DOKU_VOL/data/media_attic $HTML_PATH/data/media_attic && \
mv $HTML_PATH/data/media_meta $DOKU_VOL/data/media_meta && \
ln -s $DOKU_VOL/data/media_meta $HTML_PATH/data/media_meta && \
mv $HTML_PATH/data/attic $DOKU_VOL/data/attic && \
ln -s $DOKU_VOL/data/attic $HTML_PATH/data/attic && \
mv $HTML_PATH/conf $DOKU_VOL/conf && \
ln -s $DOKU_VOL/conf $HTML_PATH/conf
COPY nginx-conf.d /etc/nginx/conf.d
COPY supervisord.conf /etc/supervisord.conf
EXPOSE 80
VOLUME ["$DOKU_VOL"]
CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]


@ -1,31 +0,0 @@
server {
listen 80;
server_name wiki.wojciechkozlowski.eu;
root /usr/share/nginx/html;
index index.php index.html index.htm;
location / {
index doku.php;
try_files $uri $uri/ @dokuwiki;
}
location @dokuwiki {
rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
rewrite ^/(.*) /doku.php?id=$1 last;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
location ~ /(data|conf|bin|inc)/ {
deny all;
}
}


@ -1,23 +0,0 @@
[supervisord]
nodaemon=true
[supervisorctl]
serverurl=unix:///var/run/supervisor.sock
[unix_http_server]
file=/var/run/supervisor.sock
[rpcinterface:supervisor]
supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
[program:php]
command=/usr/sbin/php-fpm7.0 --nodaemonize
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
redirect_stderr=true
[program:nginx]
command=/usr/sbin/nginx -g "daemon off;"
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
redirect_stderr=true


@ -1,60 +0,0 @@
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
Host github.com
StrictHostKeyChecking no
IdentityFile /etc/gitlab/github-rsa
Host *
# ForwardAgent no
# ForwardX11 no
# ForwardX11Trusted yes
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_ecdsa
# IdentityFile ~/.ssh/id_ed25519
# Port 22
# Protocol 2
# Cipher 3des
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials no

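--- /dev/null
+++ b/html/Dockerfile
@@ -0,0 +1,24 @@
+FROM nginx
+# Update
+ENV DEBIAN_FRONTEND noninteractive
+RUN apt-get update && apt-get -y upgrade
+RUN \
+# Install pre-requisites
+apt-get -y install wget git && \
+wget https://github.com/gohugoio/hugo/releases/download/v0.56.0/hugo_extended_0.56.0_Linux-64bit.deb && \
+dpkg -i hugo_extended_0.56.0_Linux-64bit.deb && \
+rm hugo_extended_0.56.0_Linux-64bit.deb && \
+# Fetch the website code, build and deploy
+git clone --recursive https://gitlab.wojciechkozlowski.eu/wojtek/wojciechkozlowski.eu.git && \
+cd wojciechkozlowski.eu && \
+hugo && \
+cp -r public/* /usr/share/nginx/html && \
+# Clean up
+cd .. && \
+rm -rf wojciechkozlowski.eu && \
+apt-get -y purge hugo git wget && \
+apt-get -y autoremove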
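Review bot: The hugo `.deb` fetched with `wget` from the GitHub release URL is installed with `dpkg -i` as root without any integrity check, so the image build trusts whatever that download returns; verify it against the checksum file published with the same release before installing, e.g. `echo "<sha256 from the v0.56.0 checksums file>  hugo_extended_0.56.0_Linux-64bit.deb" | sha256sum -c -` between the `wget` and the `dpkg -i` lines. `FROM nginx` is also untagged, so rebuilding the same Dockerfile yields different images over time — pin a tag, ideally a digest. Finally, `ENV DEBIAN_FRONTEND noninteractive` is baked into the runtime environment of the nginx image; setting it inline on the `RUN` lines keeps it build-only, and a multi-stage build (hugo in a builder stage, `COPY --from=builder` into a clean nginx stage) would remove the need for the purge/autoremove dance entirely.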

@ -1 +0,0 @@
Subproject commit 5cc100c9f65b002bbc43ffe7f75a6ea7ee246423


@ -1,4 +1,4 @@
FROM nextcloud:fpm
FROM nextcloud:24-fpm
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update && apt-get -y upgrade


@ -44,6 +44,7 @@ http {
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Frame-Options "SAMEORIGIN";
add_header Referrer-Policy no-referrer;
root /var/www/html;
@ -84,7 +85,7 @@ http {
#pagespeed off;
location / {
rewrite ^ /index.php$request_uri;
rewrite ^ /index.php;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
@ -96,12 +97,14 @@ http {
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
#Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
# Enable pretty urls
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;


@ -15,6 +15,8 @@ RUN mkdir /etc/nginx/cert && openssl dhparam -out /etc/nginx/cert/dhparam.pem 20
COPY certbot.cron /etc/cron.d/certbot
COPY supervisord.conf /etc/supervisord.conf
RUN chmod go-wx /etc/cron.d/certbot
VOLUME ["/etc/letsencrypt"]
CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]


@ -8,4 +8,4 @@
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root perl -e 'sleep int(rand(3600))' && certbot -q renew
0 */12 * * * root perl -e 'sleep int(rand(3600))' && certbot -q renew --webroot-path /var/www/html
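Review bot: `certbot -q renew --webroot-path /var/www/html` replaces the files under `/etc/letsencrypt/live/`, but nginx (which in this image presumably runs under supervisord) keeps the certificate it loaded at start-up until it is reloaded, so a successful renewal does not take effect until the proxy container restarts — unless a reload is triggered somewhere not visible in this hunk. Add a deploy hook so the renewed certificate is picked up in the same run: `0 */12 * * * root perl -e 'sleep int(rand(3600))' && certbot -q renew --webroot-path /var/www/html --deploy-hook 'nginx -s reload'`.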


@ -16,6 +16,10 @@ server {
listen 443 ssl;
server_name cloud.wojciechkozlowski.eu;
ssl_certificate /etc/letsencrypt/live/cloud.wojciechkozlowski.eu/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cloud.wojciechkozlowski.eu/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/cloud.wojciechkozlowski.eu/chain.pem;
client_max_body_size 10G; # 0=unlimited - set max upload size
location / {


@ -16,6 +16,10 @@ server {
listen 443 ssl;
server_name gitlab.wojciechkozlowski.eu;
ssl_certificate /etc/letsencrypt/live/gitlab.wojciechkozlowski.eu/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/gitlab.wojciechkozlowski.eu/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/gitlab.wojciechkozlowski.eu/chain.pem;
client_max_body_size 10G; # 0=unlimited - set max upload size
location / {


@ -1,6 +1,6 @@
server {
listen 80;
server_name wiki.wojciechkozlowski.eu;
server_name pi.wojciechkozlowski.eu;
location ^~ /.well-known {
allow all;
@ -14,13 +14,17 @@ server {
server {
listen 443 ssl;
server_name wiki.wojciechkozlowski.eu;
server_name pi.wojciechkozlowski.eu;
ssl_certificate /etc/letsencrypt/live/pi.wojciechkozlowski.eu/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/pi.wojciechkozlowski.eu/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/pi.wojciechkozlowski.eu/chain.pem;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass http://wiki;
proxy_pass http://192.168.2.210:3000;
}
error_page 500 502 503 504 /50x.html;
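Review bot: The new `proxy_pass http://192.168.2.210:3000;` forwards requests that arrived on `listen 443 ssl` to the upstream over plain HTTP without telling it the original scheme: only `X-Real-IP`, `X-Forwarded-For` and `Host` are set, so the backend cannot distinguish HTTPS from HTTP and may emit `http://` redirects or cookies without the `Secure` flag. Add `proxy_set_header X-Forwarded-Proto $scheme;` next to the existing `proxy_set_header X-Forwarded-For $remote_addr;`. Hard-coding a private LAN address in this config also ties the public repository to the network layout; an `upstream` block or a variable would make that dependency explicit and easier to change.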


@ -16,6 +16,10 @@ server {
listen 443 ssl;
server_name registry.wojciechkozlowski.eu;
ssl_certificate /etc/letsencrypt/live/registry.wojciechkozlowski.eu/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/registry.wojciechkozlowski.eu/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/registry.wojciechkozlowski.eu/chain.pem;
client_max_body_size 10G; # 0=unlimited - set max upload size
location / {


@ -14,7 +14,33 @@ server {
server {
listen 443 ssl;
server_name wojciechkozlowski.eu www.wojciechkozlowski.eu;
server_name wojciechkozlowski.eu;
ssl_certificate /etc/letsencrypt/live/wojciechkozlowski.eu/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/wojciechkozlowski.eu/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/wojciechkozlowski.eu/chain.pem;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass http://html;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
server {
listen 443 ssl;
server_name www.wojciechkozlowski.eu;
ssl_certificate /etc/letsencrypt/live/www.wojciechkozlowski.eu/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.wojciechkozlowski.eu/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/www.wojciechkozlowski.eu/chain.pem;
location / {
proxy_set_header X-Real-IP $remote_addr;


@ -25,26 +25,18 @@ http {
#gzip on;
ssl_certificate /etc/letsencrypt/live/wojciechkozlowski.eu/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/wojciechkozlowski.eu/privkey.pem;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 60m;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DHE+AES128:!ADH:!AECDH:!MD5;
ssl_dhparam /etc/nginx/cert/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/wojciechkozlowski.eu/chain.pem;
resolver 208.67.222.222 208.67.220.220;
add_header Strict-Transport-Security "max-age=31536000" always;
include /etc/nginx/conf.d/*.conf;
}
}
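Review bot: If `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` is among the lines that survive this hunk — the rendering has lost the +/- markers, so I cannot tell which of the `ssl_*` lines are removed and which remain — TLS 1.0 and 1.1 should be dropped: both are deprecated (RFC 8996) and nothing behind this proxy plausibly needs them, so `ssl_protocols TLSv1.2 TLSv1.3;` is the usual setting (TLS 1.3 subject to the nginx/OpenSSL shipped in the image). The `resolver 208.67.222.222 208.67.220.220;` line likewise deserves a comment noting that OCSP-stapling lookups go to a third-party resolver over unauthenticated DNS. If these lines are instead being removed here, a note saying where the TLS policy now lives would help the next reader.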

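--- /dev/null
+++ b/registry-cleaner.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+set -e
+CYAN='\033[01;36m'
+NC='\033[00m'
+if [ ! -t 1 ]; then
+CYAN=''
+NC=''
+fi
+SCRIPT=$(readlink -f $0)
+DIRNAME=$(dirname $SCRIPT)
+# -----------------------------------------------------------------------------
+# Soft delete untagged images.
+# -----------------------------------------------------------------------------
+echo -e "${CYAN}[${SCRIPT}] Soft delete untagged images ${NC}"
+install="pip3 install gitlab-registry-cleanup"
+cleanup="gitlab-registry-cleanup -g https://gitlab.wojciechkozlowski.eu -r https://registry.wojciechkozlowski.eu -c /gitlab.cred"
+docker run --rm --volumes-from gitlab \
+-v ${DIRNAME}/gitlab.cred:/gitlab.cred \
+python bash -c "${install} && ${cleanup}"
+# -----------------------------------------------------------------------------
+# Garbage collect and hard delete untagged images.
+# -----------------------------------------------------------------------------
+echo -e "${CYAN}[${SCRIPT}] Garbage collect untagged images ${NC}"
+docker exec gitlab bash -c "gitlab-ctl registry-garbage-collect"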
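Review bot: The cleanup container runs `pip3 install gitlab-registry-cleanup` unpinned from PyPI on every invocation, inside a container started with `--volumes-from gitlab` (all of GitLab's config, data and secrets) and with the API credentials mounted at `/gitlab.cred`; a compromised or replaced release of that package, or of the untagged `python` image, would get full read/write access to the whole GitLab installation. Pin the package to a known version with `pip3 install --require-hashes -r requirements.txt` (or at least `gitlab-registry-cleanup==<version>`), pin the `python` tag, mount the credential file `:ro`, and narrow `--volumes-from gitlab` to the registry storage path the tool actually needs. Note also that `set -e` will not catch a missing `${DIRNAME}/gitlab.cred`, because `docker run -v` silently creates an empty directory in place of a non-existent host path.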


@ -1,15 +0,0 @@
FROM debian:stable-slim
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update && apt-get -y upgrade
RUN apt-get -y install shadowsocks
ENV SS_VOL /var/shadowsocks
RUN mkdir $SS_VOL
ADD config.json $SS_VOL
EXPOSE 7698
VOLUME ["$SS_VOL"]
CMD ["sh", "-c", "/usr/bin/ssserver -c $SS_VOL/config.json"]


@ -1,18 +0,0 @@
{
"server":"0.0.0.0",
"server_ipv6":"[::]",
"server_port":7698,
"local_address":"127.0.0.1",
"local_port":1080,
"password":"z",
"timeout":120,
"method":"aes-256-cfb",
"protocol":"$auth_sha1_v4_compatible",
"protocol_param":"",
"obfs":"http_simple_compatible",
"obfs_param":"",
"redirect":"",
"dns_ipv6":false,
"fast_open":false,
"workers":1
}


@ -23,7 +23,7 @@ docker-compose -f $DIRNAME/docker-compose.yml pull
echo -e "${CYAN}[${SCRIPT}] Stop the containers${NC}"
service loki-server stop
systemctl stop loki-server
# -----------------------------------------------------------------------------
# Start the containers.
@ -31,7 +31,7 @@ service loki-server stop
echo -e "${CYAN}[${SCRIPT}] Start the containers${NC}"
service loki-server start
systemctl start loki-server
# -----------------------------------------------------------------------------
# Remove untagged images.