syncing servers

Jamie Albert
2025-12-07 17:31:31 +00:00
parent f6e60b144d
commit 9c3274881e
54 changed files with 5048 additions and 2 deletions

22
.gitignore vendored

@@ -3,5 +3,23 @@ cradle/home/.config/aerc/accounts.conf
cradle/home/.mbsyncrc
storage/harpocrates/*
storage/*
servers/*
in_progress/things_to_do
servers/hephaestus/docker/data
servers/hephaestus/docker/letsencrypt
servers/hestia/.ssh/*
servers/hestia/storage/*
servers/hestia/.config
servers/hestia/.local
servers/hestia/.ssh
servers/hestia/.terminfo
servers/hestia/dao/servers
servers/hestia/dao/storage
servers/hestia/dao/docker/data
servers/hestia/dao/docker/letsencrypt
servers/pan/.local
servers/pan/.ssh
servers/pan/.terminfo
servers/pan/.X.d
servers/pan/rtl8761bu
servers/pan/Tidal-Connect-Armv7
in_progress/things_to_do
servers/pan/.cifs.cred


@@ -0,0 +1,44 @@
#!/bin/bash
# Set variables
backup=$(date +%Y%m%d%H%M)
RETENTION_DAYS=5
log_message() {
echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1"
}
log_message "Starting backup process..."
# Stop Docker
log_message "Stopping Docker services..."
cd /home/oc/dao/docker
docker compose down
## Baikal backup
log_message "Backing up Baikal database..."
cd /home/oc/dao/docker/data/baikal/Specific/db
[[ -f ./db.sqlite ]] && echo .dump | sqlite3 db.sqlite | gzip > "dumps/${backup}_baikal.sql.gz" && log_message "Baikal dumped"
# tar docker folder
log_message "Creating Docker tarball..."
cd /home/oc/dao
tar -cf "/tmp/${backup}_docker.tar.gz" docker/
# rclone upload
log_message "Uploading to remote storage..."
cd /tmp
rclone copy "${backup}_docker.tar.gz" vault:/system/backups/docker/
rm -f ${backup}_docker.tar.gz
# Clean up old backups (keep last 5 days)
log_message "Cleaning up old backups..."
rclone delete vault:/system/backups/docker/ --min-age ${RETENTION_DAYS}d
# Start Docker
log_message "Starting Docker services..."
cd /home/oc/dao/docker
docker compose up -d
log_message "Backup process completed."
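Review bot: The tarball of `docker/` is written to `/tmp/${backup}_docker.tar.gz` under the default umask, and that tree holds the Vaultwarden data and the `letsencrypt` store mounted by the compose files, so the archive may be readable by other local users while the upload runs. No step is checked: a failed `cd` lets the next command run in whatever directory the script was already in, and a failed `rclone copy` is still followed by `rclone delete ... --min-age`, so a run of failed uploads can age out every good backup. `tar -cf` also writes an uncompressed archive under a `.tar.gz` name. The fence shows only the changed lines: strict mode, an owner-only work directory, and a trap that brings the stack back up on every exit path now that errors stop the script.

```shell
set -euo pipefail
umask 077  # archive and dump are created owner-only

workdir=$(mktemp -d)
# restart the stack and drop the work directory on every exit path
trap 'rm -rf -- "${workdir:?}"; cd /home/oc/dao/docker && docker compose up -d' EXIT

# … unchanged: log_message, docker compose down, Baikal dump …

tar -czf "${workdir}/${backup}_docker.tar.gz" -C /home/oc/dao docker/
rclone copy "${workdir}/${backup}_docker.tar.gz" vault:/system/backups/docker/
# reached only when the upload succeeded
rclone delete vault:/system/backups/docker/ --min-age "${RETENTION_DAYS}d"
```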


@@ -0,0 +1,62 @@
#!/bin/bash
# System Cleanup Script
# Run this script via cron to maintain system cleanliness
# Set variables
LOG_FILE="/var/log/system-cleanup.log"
DATE=$(date '+%Y-%m-%d %H:%M:%S')
# Function to log messages to both console and file
log_message() {
echo "[$DATE] $1" | tee -a "$LOG_FILE"
}
log_message "Starting system cleanup..."
# Docker System Cleanup
log_message "Cleaning up Docker system..."
docker system prune -a -f --volumes | while read -r line; do
log_message "Docker: $line"
done
# Clean up old Docker images not used in last 30 days
log_message "Removing unused Docker images older than 30 days..."
docker image prune -a -f --filter "until=720h" | while read -r line; do
log_message "Docker images: $line"
done
# System Package Cleanup
log_message "Cleaning up apt packages..."
apt-get autoremove -y | while read -r line; do
log_message "APT autoremove: $line"
done
apt-get autoclean -y | while read -r line; do
log_message "APT autoclean: $line"
done
# Clean up old logs (keep last 7 days)
log_message "Cleaning up old system logs..."
find /var/log -name "*.log" -type f -mtime +7 -delete 2>/dev/null
find /var/log -name "*.log.*" -type f -mtime +7 -delete 2>/dev/null
# Clean up journal logs (keep last 7 days)
log_message "Cleaning up journal logs..."
journalctl --vacuum-time=7d | while read -r line; do
log_message "Journal cleanup: $line"
done
# Clean up temporary files
log_message "Cleaning up temporary files..."
find /tmp -type f -atime +7 -delete 2>/dev/null
find /var/tmp -type f -atime +7 -delete 2>/dev/null
# Show disk usage after cleanup
log_message "Disk usage after cleanup:"
df -h | while read -r line; do
log_message "Disk: $line"
done
log_message "System cleanup completed."
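Review bot: `docker system prune -a -f --volumes` runs unattended from cron, and the backup script in this commit takes the whole stack down with `docker compose down` while it archives; if the two overlap, every image and, depending on the Docker version, named volumes such as `vaultwarden-rclone-data` count as unused and are removed. I would drop `--volumes` here (`docker system prune -a -f`) and prune volumes by hand. The two `find /var/log ... -mtime +7 -delete` lines cut log retention to one week outside logrotate, which limits what is left for later incident review; a longer window configured in logrotate would be safer. `DATE` is evaluated once at start, so every log line carries the same timestamp; calling `date` inside `log_message` fixes that.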


@@ -0,0 +1,76 @@
# ---
# Baikal
# ---
BAIKAL_ADMIN_TOKEN="TTQH95LKDM9VQVZS"
BAIKAL_EMAIL="mail@do-bbs.com"
BAIKAL_HOST="dav.do-bbs.com"
BAIKAL_HC="https://hc-ping.com/d15fee2e-17ad-42bb-a573-591f45d3532b"
# ---
# Calibre Web
# ---
CALIBRE_WEB_HOST="cwa.do-bbs.com"
CALIBRE_WEB_D_HOST="cwabd.do-bbs.com"
CALIBRE_WEB_HC="https://hc-ping.com/313b09fb-f4c6-4fe8-b3d8-47929974c247"
HARD_API="eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJIYXJkY292ZXIiLCJ2ZXJzaW9uIjoiOCIsImp0aSI6ImEwZmZkNDk1LWM1ODMtNGEwMS1iYjBkLWYyNTNlMTEwMjU5ZSIsImFwcGxpY2F0aW9uSWQiOjIsInN1YiI6IjUxMDU5IiwiYXVkIjoiMSIsImlkIjoiNTEwNTkiLCJsb2dnZWRJbiI6dHJ1ZSwiaWF0IjoxNzYwOTIzOTM3LCJleHAiOjE3OTI0NTk5MzcsImh0dHBzOi8vaGFzdXJhLmlvL2p3dC9jbGFpbXMiOnsieC1oYXN1cmEtYWxsb3dlZC1yb2xlcyI6WyJ1c2VyIl0sIngtaGFzdXJhLWRlZmF1bHQtcm9sZSI6InVzZXIiLCJ4LWhhc3VyYS1yb2xlIjoidXNlciIsIlgtaGFzdXJhLXVzZXItaWQiOiI1MTA1OSJ9LCJ1c2VyIjp7ImlkIjo1MTA1OX19.26e1ZMA8p3ovr9d1wLJuZpXb72sTUXIjkEuoCrwPO90"
AA_KEY="5uWJKXVXJSpJhCvTo22XfVLVeMYEY#"
# ---
# Immich
# ---
IMMICH_HOST_DOMAIN=photos.do-bbs.com
UPLOAD_LOCATION=/mnt/athena/photos
DB_DATA_LOCATION=./data/immich/postgres
IMMICH_VERSION=release
DB_PASSWORD=poss8asdfhoNisdg97SDd!
DB_USERNAME=postgres
DB_DATABASE_NAME=immich
IMMICH_HC=https://hc-ping.com/583d761e-8899-4b15-be2c-d0a11f6c3f6a
# ---
# Traefik
# ---
TRAEFIK_WEBMASTER="webmaster@flatmail.me"
# ---
# Obsidian
# ---
OBSIDIAN_DB_HOST="obsidiandb.do-bbs.com"
OBSIDIAN_DB_HC="https://hc-ping.com/abbaa192-dadc-4241-b1a5-b2e4dbb50735"
OBSIDIAN_DB_USER=GelatoMadness
OBSIDIAN_DB_PASS=kangaroo-proof-breeze-tent-medal-oblige-require-good1
# ---
# Vaultwarden
# ---
VAULT_ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$OStJdThqUWRMbHUxSkVzM1pQbzAvMGk1bGxmK2wyRUJJM0t4K2xyNlI1TT0$KuXsTTUW0GJqOoaGWxP8W2u5AthQ5gmdjC/VzS5tDQI'
VAULT_HOST="vault.do-bbs.com"
# ---
# Gitea
# ---
DATA_PATH=/data
GITEA_VOLUME_LOCATION=./data/gitea
GITEA_HOSTNAME=gitea.do-bbs.com
GITEA_URL=https://gitea.do-bbs.com
GITEA_POSTGRES_IMAGE_TAG=postgres:latest
GITEA_IMAGE_TAG=gitea/gitea:latest
GITEA_DB_NAME=giteadb
GITEA_DB_USER=giteadbuser
GITEA_DB_PASSWORD=Dls8dnaPSmsgoA!
GITEA_ADMIN_USERNAME=giteaadmin
GITEA_ADMIN_PASSWORD=M8ajdl!lsmd3
GITEA_ADMIN_EMAIL=root@do-bbs.com
GITEA_SHELL_SSH_PORT=748
# Backup Variables
BACKUP_INIT_SLEEP=30m
BACKUP_INTERVAL=24h
POSTGRES_BACKUP_PRUNE_DAYS=7
DATA_BACKUP_PRUNE_DAYS=7
POSTGRES_BACKUPS_PATH=/srv/gitea-postgres/backups
DATA_BACKUPS_PATH=/srv/gitea-application-data/backups
POSTGRES_BACKUP_NAME=gitea-postgres-backup
DATA_BACKUP_NAME=gitea-application-data-backup
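Review bot: This file puts live credentials into the repository history in plaintext: `BAIKAL_ADMIN_TOKEN` (used as the SMTP password), the `HARD_API` JWT, `AA_KEY`, `DB_PASSWORD`, `OBSIDIAN_DB_PASS`, `GITEA_DB_PASSWORD` and `GITEA_ADMIN_PASSWORD`. Anything pushed should be treated as disclosed, so each value needs rotating at its service; deleting the file in a follow-up commit does not remove it from history. The `.gitignore` hunk in this commit ignores the `.ssh` directories and `.cifs.cred` but has no entry for this file; I would add one and commit a `.env.example` with placeholders such as `DB_PASSWORD=<set-locally>` instead. The `*_HC` ping URLs are secrets too, since anyone holding one can send pings for that check.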


@@ -0,0 +1,320 @@
services:
traefik:
image: traefik:v3.2
container_name: traefik
command:
- "--api.insecure=true"
- "--api.dashboard=true"
- "--api.debug=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
- "--certificatesresolvers.letsencrypt.acme.tlschallenge=true"
- "--certificatesresolvers.letsencrypt.acme.email=webmaster@do-bbs.com"
- "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
- "--accesslog.filepath=/data/access.log"
- "--accesslog.format=json"
- --providers.file.filename=/dynamic.yml
- --providers.file.watch=true
ports:
- "80:80"
- "443:443"
- "8080:8080"
networks:
- external
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./letsencrypt:/letsencrypt
- ./data/traefik:/data
- ./dynamic.yml:/dynamic.yml:ro
- ./data/calibre/htpasswd.list:/htpasswd.list
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
- "traefik.http.routers.traefik-dashboard.service=api@internal"
- "traefik.http.routers.traefik-dashboard.tls=true"
restart: unless-stopped
dav:
image: ckulka/baikal:nginx
container_name: baikal
environment:
MSMTPRC: |
defaults
auth on
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
account default
host smtp.protonmail.ch
port 587
from mail@do-bbs.com
user mail@do-bbs.com
password ${BAIKAL_ADMIN_TOKEN}
networks:
- external
volumes:
- ./data/baikal/Specific:/var/www/baikal/Specific
- ./data/baikal/config:/var/www/baikal/config
- ./data/baikal/50-add-sharing-plugin.sh:/docker-entrypoint.d/50-add-sharing-plugin.sh
labels:
- "traefik.enable=true"
- "traefik.http.routers.baikal.entrypoints=websecure"
- "traefik.http.routers.baikal.rule=Host(`dav.do-bbs.com`)"
- "traefik.http.routers.baikal.tls=true"
- "traefik.http.routers.baikal.tls.certresolver=letsencrypt"
- "traefik.http.services.baikal.loadbalancer.server.port=80"
healthcheck:
test: ["CMD", "curl", "-f", "https://hc-ping.com/d15fee2e-17ad-42bb-a573-591f45d3532b"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: unless-stopped
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
environment:
- SIGNUPS_ALLOWED=false
- INVITES_ALLOWED=false
# - ADMIN_TOKEN=${VAULT_ADMIN_TOKEN}
- ADMIN_TOKEN=IFdsg.ORGOTARON123nsl
- DOMAIN=https://vault.do-bbs.com
- LOG_LEVEL=warn
- LOG_FILE=/data/vaultwarden.log
- TZ=Europe/London
networks:
- external
volumes:
- ./data/vaultwarden:/data
labels:
- traefik.enable=true
- traefik.http.middlewares.redirect-https.redirectScheme.scheme=https
- traefik.http.middlewares.redirect-https.redirectScheme.permanent=true
- traefik.http.routers.vaultwarden-https.rule=Host(`vault.do-bbs.com`)
- traefik.http.routers.vaultwarden-https.entrypoints=websecure
- traefik.http.routers.vaultwarden-https.tls=true
- traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt
- traefik.http.routers.vaultwarden-https.service=vaultwarden
- traefik.http.routers.vaultwarden-http.rule=Host(`vault.do-bbs.com`)
- traefik.http.routers.vaultwarden-http.entrypoints=web
- traefik.http.routers.vaultwarden-http.middlewares=redirect-https
- traefik.http.routers.vaultwarden-http.service=vaultwarden
- traefik.http.services.vaultwarden.loadbalancer.server.port=80
healthcheck:
test: ["CMD", "curl", "-f", "https://hc-ping.com/8d7c299a-9594-4f5b-bc1f-9d916ef530e6"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: unless-stopped
vaultwarden_backup:
image: ttionya/vaultwarden-backup:latest
container_name: vaultwarden-backup
restart: always
environment:
RCLONE_REMOTE_DIR: '/system/backups/vaultwarden/'
PING_URL_WHEN_SUCCESS: 'https://hc-ping.com/c03ac1a9-076a-415b-a378-bca245118672'
labels:
- traefik.enable=false
volumes:
- ./data/vaultwarden:/bitwarden/data/
- vaultwarden-rclone-data:/config/
immich_server:
container_name: immich_server
image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
volumes:
- ${UPLOAD_LOCATION}:/data
- /etc/localtime:/etc/localtime:ro
env_file:
.env
environment:
- REDIS_HOSTNAME=immich_redis
- DB_HOSTNAME=immich_database
networks:
- external
- internal
labels:
- "traefik.enable=true"
- "traefik.docker.network=external"
- "traefik.http.routers.immich.rule=Host(`photos.do-bbs.com`)"
- "traefik.http.routers.immich.entrypoints=websecure"
- "traefik.http.services.immich.loadbalancer.server.port=2283"
- "traefik.http.routers.immich.tls=true"
- "traefik.http.routers.immich.tls.certresolver=letsencrypt"
depends_on:
- immich_redis
- immich_database
healthcheck:
test: ["CMD", "curl", "-f", "https://hc-ping.com/583d761e-8899-4b15-be2c-d0a11f6c3f6a"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: always
immich_machine_learning:
container_name: immich-machine-learning
image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
volumes:
- model-cache:/cache
env_file:
- .env
networks:
- internal
restart: always
immich_redis:
container_name: immich_redis
image: docker.io/valkey/valkey:8-bookworm@sha256:fea8b3e67b15729d4bb70589eb03367bab9ad1ee89c876f54327fc7c6e618571
healthcheck:
test: redis-cli ping || exit 1
networks:
- internal
restart: always
immich_database:
container_name: immich_postgres
image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:41eacbe83eca995561fe43814fd4891e16e39632806253848efaf04d3c8a8b84
environment:
POSTGRES_PASSWORD: ${DB_PASSWORD}
POSTGRES_USER: ${DB_USERNAME}
POSTGRES_DB: ${DB_DATABASE_NAME}
POSTGRES_INITDB_ARGS: '--data-checksums'
volumes:
- ${DB_DATA_LOCATION}:/var/lib/postgresql/data
shm_size: 128mb
networks:
- internal
restart: always
obsidian_db:
image: couchdb:latest
container_name: couchdb-ols
env_file:
.env
labels:
- "traefik.enable=true"
- "traefik.docker.network=traefik"
- "traefik.http.routers.couchdb.rule=Host(`couchdb.do-bbs.com`)"
- "traefik.http.routers.couchdb.entrypoints=websecure"
- "traefik.http.services.couchdb.loadbalancer.server.port=5984"
- "traefik.http.routers.couchdb.tls=true"
- "traefik.http.routers.couchdb.tls.certresolver=letsencrypt"
- "traefik.http.routers.couchdb.middlewares=obsidiancors"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolallowmethods=GET,PUT,POST,HEAD,DELETE"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolallowheaders=accept,authorization,content-type,origin,referer"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolalloworiginlist=app://obsidian.md,capacitor://localhost,http://localhost"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolmaxage=3600"
- "traefik.http.middlewares.obsidiancors.headers.addvaryheader=true"
- "traefik.http.middlewares.obsidiancors.headers.accessControlAllowCredentials=true"
environment:
- COUCHDB_USER=${COUCHDB_USER}
- COUCHDB_PASSWORD=${COUCHDB_PASSWORD}
volumes:
- ./data/couchdb/couchdb-data:/opt/couchdb/data
- ./data/couchdb/couchdb-etc:/opt/couchdb/etc/local.d
networks:
- external
healthcheck:
test: ["CMD", "curl", "-f", "https://hc-ping.com/abbaa192-dadc-4241-b1a5-b2e4dbb50735"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: always
calibre_web:
image: crocodilestick/calibre-web-automated:dev
container_name: calibre-web-automated
env_file:
- .env
environment:
- PUID=33
- PGID=33
- TZ=UTC
- HARDCOVER_TOKEN=${HARD_API}
- NETWORK_SHARE_MODE=true
- CWA_PORT_OVERRIDE=8083
- DOCKER_MODS=lscr.io/linuxserver/mods:universal-calibre-v8.7.0
volumes:
- ./data/calibre-web/data:/config
- ./data/calibre-web/meta:/calibre-library
- /mnt/athena/books/library:/calibre-library/athena
- ./data/calibre-web/ingest:/cwa-book-ingest
- ./data/calibre-web/plugins:/config/.config/calibre/plugins
labels:
- "traefik.enable=true"
- "traefik.docker.network=external"
- "traefik.http.routers.cwa.rule=Host(`cwa.do-bbs.com`)"
- "traefik.http.routers.cwa.entrypoints=websecure"
- "traefik.http.services.cwa.loadbalancer.server.port=8083"
- "traefik.http.routers.cwa.tls=true"
- "traefik.http.routers.cwa.tls.certresolver=letsencrypt"
networks:
- external
healthcheck:
test: ["CMD", "curl", "-f", "https://hc-ping.com/313b09fb-f4c6-4fe8-b3d8-47929974c247"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: unless-stopped
calibre_web_downloader:
image: ghcr.io/calibrain/calibre-web-automated-book-downloader:latest
container_name: calibre-web-automated-book-downloader
env_file:
.env
environment:
FLASK_PORT: 8084
FLASK_DEBUG: false
LOG_LEVEL: info
BOOK_LANGUAGE: en
USE_BOOK_TITLE: true
TZ: UTC
APP_ENV: prod
UID: 33
GID: 33
CWA_DB_PATH: /auth/app.db
INGEST_DIR: /cwa-book-ingest
MAX_CONCURRENT_DOWNLOADS: 3
DOWNLOAD_PROGRESS_UPDATE_INTERVAL: 5
AA_DONATOR_KEY: ${AA_KEY}
USE_CF_BYPASS: false
labels:
- "traefik.enable=true"
- "traefik.docker.network=external"
- "traefik.http.routers.cwabd.rule=Host(`cwabd.do-bbs.com`)"
- "traefik.http.routers.cwabd.entrypoints=websecure"
- "traefik.http.services.cwabd.loadbalancer.server.port=8084"
- "traefik.http.routers.cwabd.tls=true"
- "traefik.http.routers.cwabd.tls.certresolver=letsencrypt"
volumes:
- ./data/calibre-web/ingest:/cwa-book-ingest
- ./data/calibre-web/data/app.db:/auth/app.db:ro
networks:
- external
- internal
restart: unless-stopped
flaresolverr:
image: ghcr.io/flaresolverr/flaresolverr:latest
networks:
- internal
volumes:
model-cache:
vaultwarden-rclone-data:
external: true
name: vaultwarden-rclone-data
networks:
external:
name: external
internal:
name: internal
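Review bot: The `vaultwarden` service sets `ADMIN_TOKEN` to a literal plaintext value while the line above it, which reads the Argon2 hash from `${VAULT_ADMIN_TOKEN}`, is commented out, so the admin-panel secret for the password manager is now in the repository; that token should be rotated and the service switched back to `- ADMIN_TOKEN=${VAULT_ADMIN_TOKEN}`. Separately, the `traefik` service runs with `--api.insecure=true` and publishes `8080:8080`, which serves the dashboard and API without authentication on every host interface; the standalone Traefik file later in this commit repeats both lines. Removing the flag and the port mapping, and giving the `traefik-dashboard` router a `rule` plus an auth middleware, keeps the dashboard behind TLS and a login. `obsidian_db` also interpolates `${COUCHDB_USER}` and `${COUCHDB_PASSWORD}`, which the `.env` in this commit does not define (it has `OBSIDIAN_DB_USER` and `OBSIDIAN_DB_PASS`).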


@@ -0,0 +1,38 @@
services:
dav:
image: ckulka/baikal:nginx
container_name: baikal
env_file:
- path: .env
environment:
MSMTPRC: |
defaults
auth on
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
account default
host smtp.protonmail.ch
port 587
from ${BAIKAL_EMAIL}
user ${BAIKAL_EMAIL}
password ${BAIKAL_ADMIN_TOKEN}
networks:
- external
volumes:
- ./data/baikal/Specific:/var/www/baikal/Specific
- ./data/baikal/config:/var/www/baikal/config
- ./data/baikal/50-add-sharing-plugin.sh:/docker-entrypoint.d/50-add-sharing-plugin.sh
labels:
- "traefik.enable=true"
- "traefik.http.routers.baikal.entrypoints=websecure"
- "traefik.http.routers.baikal.rule=Host(`${BAIKAL_HOST}`)"
- "traefik.http.routers.baikal.tls=true"
- "traefik.http.routers.baikal.tls.certresolver=letsencrypt"
- "traefik.http.services.baikal.loadbalancer.server.port=80"
healthcheck:
test: ["CMD", "curl", "-f", "${BAIKAL_HC}"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: unless-stopped
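Review bot: `env_file: .env` hands this container every variable in the shared `.env`, including the Gitea admin password and the database passwords of unrelated services, although Baikal only uses the values that are already interpolated into `MSMTPRC`, the router rule and the healthcheck. Compose reads the project `.env` for `${...}` interpolation by default, so the `env_file` entry can probably be dropped here without changing the rendered config. The same entry appears in the Calibre, Immich, CouchDB, Traefik and Vaultwarden files and on `gitea_postgres`; a per-service env file or explicit `environment:` keys would keep each container to the secrets it needs.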


@@ -0,0 +1,78 @@
services:
calibre_web:
image: crocodilestick/calibre-web-automated:dev
container_name: calibre-web-automated
env_file:
- path: .env
environment:
- PUID=33
- PGID=33
- TZ=UTC
- HARDCOVER_TOKEN=${HARD_API}
- NETWORK_SHARE_MODE=true
- CWA_PORT_OVERRIDE=8083
- DOCKER_MODS=lscr.io/linuxserver/mods:universal-calibre-v8.7.0
volumes:
- ./data/calibre-web/data:/config
- ./data/calibre-web/meta:/calibre-library
- /mnt/athena/books/library:/calibre-library/athena
- ./data/calibre-web/ingest:/cwa-book-ingest
- ./data/calibre-web/plugins:/config/.config/calibre/plugins
labels:
- "traefik.enable=true"
- "traefik.docker.network=external"
- "traefik.http.routers.cwa.rule=Host(`${CALIBRE_WEB_HOST}`)"
- "traefik.http.routers.cwa.entrypoints=websecure"
- "traefik.http.services.cwa.loadbalancer.server.port=8083"
- "traefik.http.routers.cwa.tls=true"
- "traefik.http.routers.cwa.tls.certresolver=letsencrypt"
networks:
- external
healthcheck:
test: ["CMD", "curl", "-f", "${CALIBRE_WEB_HC}"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: unless-stopped
calibre_web_downloader:
image: ghcr.io/calibrain/calibre-web-automated-book-downloader:latest
container_name: calibre-web-automated-book-downloader
env_file:
- path: .env
environment:
FLASK_PORT: 8084
FLASK_DEBUG: false
LOG_LEVEL: info
BOOK_LANGUAGE: en
USE_BOOK_TITLE: true
TZ: UTC
APP_ENV: prod
UID: 33
GID: 33
CWA_DB_PATH: /auth/app.db
INGEST_DIR: /cwa-book-ingest
MAX_CONCURRENT_DOWNLOADS: 3
DOWNLOAD_PROGRESS_UPDATE_INTERVAL: 5
AA_DONATOR_KEY: ${AA_KEY}
USE_CF_BYPASS: false
labels:
- "traefik.enable=true"
- "traefik.docker.network=external"
- "traefik.http.routers.cwabd.rule=Host(`${CALIBRE_WEB_D_HOST}`)"
- "traefik.http.routers.cwabd.entrypoints=websecure"
- "traefik.http.services.cwabd.loadbalancer.server.port=8084"
- "traefik.http.routers.cwabd.tls=true"
- "traefik.http.routers.cwabd.tls.certresolver=letsencrypt"
volumes:
- ./data/calibre-web/ingest:/cwa-book-ingest
- ./data/calibre-web/data/app.db:/auth/app.db:ro
networks:
- external
restart: unless-stopped
flaresolverr:
image: ghcr.io/flaresolverr/flaresolverr:latest
networks:
- external
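Review bot: `flaresolverr` is attached to `external`, the network Traefik and every published service share, whereas the combined compose file in this commit keeps it on `internal`; as far as I know its HTTP API has no authentication, so every container on `external` can reach it. With `USE_CF_BYPASS: false` the downloader presumably does not call it at all, in which case the service could be removed; otherwise put both it and `calibre_web_downloader` on `internal` as the combined file does. Both Calibre images and FlareSolverr are pulled by floating tags (`:dev`, `:latest`), unlike the digest-pinned Immich images.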


@@ -0,0 +1,20 @@
include:
- traefik.yml
- baikal.yml
- vaultwarden.yml
- immich.yml
- obsidian_db.yml
- calibre_web.yml
- gitea.yml
networks:
external:
name: external
internal:
name: internal
volumes:
model-cache:
vaultwarden-rclone-data:
external: true
name: vaultwarden-rclone-data


@@ -0,0 +1,4 @@
http:
serversTransports:
ignorecert:
insecureSkipVerify: true
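Review bot: The `ignorecert` transport sets `insecureSkipVerify: true`, so any service that refers to it gets no certificate validation on the hop from Traefik to the backend. None of the compose files shown here reference `ignorecert`, so it may be unused and could simply be deleted. If a backend with a private certificate does need it, `rootCAs` with that CA file (and `serverName` where the name differs) keeps verification on.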


@@ -0,0 +1,109 @@
services:
gitea_postgres:
image: ${GITEA_POSTGRES_IMAGE_TAG}
container_name: gitea_postgres
volumes:
- ${GITEA_VOLUME_LOCATION}/postgres:/var/lib/postgresql
env_file:
- .env
environment:
POSTGRES_DB: ${GITEA_DB_NAME}
POSTGRES_USER: ${GITEA_DB_USER}
POSTGRES_PASSWORD: ${GITEA_DB_PASSWORD}
networks:
- internal
healthcheck:
test: [ "CMD", "pg_isready", "-q", "-d", "${GITEA_DB_NAME}", "-U", "${GITEA_DB_USER}" ]
interval: 10s
timeout: 5s
retries: 3
start_period: 60s
restart: unless-stopped
gitea:
image: ${GITEA_IMAGE_TAG}
container_name: gitea
volumes:
- ${GITEA_VOLUME_LOCATION}/data:/${DATA_PATH}
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
environment:
GITEA_DATABASE_HOST: postgres
GITEA_DATABASE_NAME: ${GITEA_DB_NAME}
GITEA_DATABASE_USERNAME: ${GITEA_DB_USER}
GITEA_DATABASE_PASSWORD: ${GITEA_DB_PASSWORD}
GITEA_ADMIN_USER: ${GITEA_ADMIN_USERNAME}
GITEA_ADMIN_PASSWORD: ${GITEA_ADMIN_PASSWORD}
GITEA_ADMIN_EMAIL: ${GITEA_ADMIN_EMAIL}
GITEA_RUN_MODE: prod
GITEA_DOMAIN: ${GITEA_HOSTNAME}
GITEA_SSH_DOMAIN: ${GITEA_HOSTNAME}
GITEA_ROOT_URL: ${GITEA_URL}
GITEA_HTTP_PORT: 3000
GITEA_SSH_PORT: ${GITEA_SHELL_SSH_PORT}
GITEA_SSH_LISTEN_PORT: 22
networks:
- external
- internal
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:3000/"]
interval: 10s
timeout: 5s
retries: 3
start_period: 90s
labels:
- "traefik.enable=true"
- "traefik.http.routers.gitea.rule=Host(`${GITEA_HOSTNAME}`)"
- "traefik.http.routers.gitea.service=gitea"
- "traefik.http.routers.gitea.entrypoints=websecure"
- "traefik.http.services.gitea.loadbalancer.server.port=3000"
- "traefik.http.routers.gitea.tls=true"
- "traefik.http.routers.gitea.tls.certresolver=letsencrypt"
- "traefik.http.services.gitea.loadbalancer.passhostheader=true"
- "traefik.http.middlewares.gitea.compress=true"
- "traefik.http.routers.gitea.middlewares=gitea"
- "traefik.tcp.routers.gitea-ssh.rule=HostSNI(`*`)"
- "traefik.tcp.routers.gitea-ssh.service=gitea-ssh"
- "traefik.tcp.routers.gitea-ssh.entrypoints=ssh"
- "traefik.tcp.services.gitea-ssh.loadbalancer.server.port=22"
- "traefik.docker.network=external"
restart: unless-stopped
depends_on:
gitea_postgres:
condition: service_healthy
gitea_backups:
image: ${GITEA_POSTGRES_IMAGE_TAG}
container_name: gitea_backups
command: >-
sh -c 'sleep $BACKUP_INIT_SLEEP &&
while true; do
pg_dump -h postgres -p 5432 -d $GITEA_DB_NAME -U $GITEA_DB_USER | gzip > $POSTGRES_BACKUPS_PATH/$POSTGRES_BACKUP_NAME-$(date "+%Y-%m-%d_%H-%M").gz &&
tar -zcpf $DATA_BACKUPS_PATH/$DATA_BACKUP_NAME-$(date "+%Y-%m-%d_%H-%M").tar.gz $DATA_PATH &&
find $POSTGRES_BACKUPS_PATH -type f -mtime +$POSTGRES_BACKUP_PRUNE_DAYS | xargs rm -f &&
find $DATA_BACKUPS_PATH -type f -mtime +$DATA_BACKUP_PRUNE_DAYS | xargs rm -f;
sleep $BACKUP_INTERVAL; done'
volumes:
- ${GITEA_VOLUME_LOCATION}/postgres_backup:/var/lib/postgresql/data
- ${GITEA_VOLUME_LOCATION}/data:${DATA_PATH}
- ${GITEA_VOLUME_LOCATION}/data_backup:${DATA_BACKUPS_PATH}
- ${GITEA_VOLUME_LOCATION}/database_backup:${POSTGRES_BACKUPS_PATH}
environment:
GITEA_DB_NAME: ${GITEA_DB_NAME}
GITEA_DB_USER: ${GITEA_DB_USER}
PGPASSWORD: ${GITEA_DB_PASSWORD}
BACKUP_INIT_SLEEP: ${BACKUP_INIT_SLEEP}
BACKUP_INTERVAL: ${BACKUP_INTERVAL}
POSTGRES_BACKUP_PRUNE_DAYS: ${POSTGRES_BACKUP_PRUNE_DAYS}
DATA_BACKUP_PRUNE_DAYS: ${DATA_BACKUP_PRUNE_DAYS}
POSTGRES_BACKUPS_PATH: ${POSTGRES_BACKUPS_PATH}
DATA_BACKUPS_PATH: ${DATA_BACKUPS_PATH}
DATA_PATH: ${DATA_PATH}
POSTGRES_BACKUP_NAME: ${POSTGRES_BACKUP_NAME}
DATA_BACKUP_NAME: ${DATA_BACKUP_NAME}
networks:
- internal
restart: unless-stopped
depends_on:
gitea_postgres:
condition: service_healthy
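Review bot: `pg_dump -h postgres` and `GITEA_DATABASE_HOST: postgres` point at a host name that no service in this file defines; the database service and its container are both named `gitea_postgres`. Because the dump is piped into `gzip`, the `&&` only sees gzip's exit status, so a failed dump still leaves a `.gz` file and the loop goes on to the `find ... -mtime` pruning, which over time would leave only empty archives. Writing the dump directly, `pg_dump -h gitea_postgres -p 5432 -d $GITEA_DB_NAME -U $GITEA_DB_USER -Fc -f <backup-file>`, lets pg_dump's own status gate the rest of the chain. The `GITEA_DATABASE_*` and `GITEA_ADMIN_*` names also look like the Bitnami image's variables, while the `gitea/gitea` image set in `.env` reads `GITEA__section__KEY`; please confirm the instance does not come up unconfigured with its install page reachable.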


@@ -0,0 +1,68 @@
services:
immich_server:
container_name: immich_server
image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
volumes:
- ${UPLOAD_LOCATION}:/data
- /etc/localtime:/etc/localtime:ro
env_file:
- path: .env
environment:
- REDIS_HOSTNAME=immich_redis
- DB_HOSTNAME=immich_database
networks:
- external
- internal
labels:
- "traefik.enable=true"
- "traefik.docker.network=external"
- "traefik.http.routers.immich.rule=Host(`${IMMICH_HOST_DOMAIN}`)"
- "traefik.http.routers.immich.entrypoints=websecure"
- "traefik.http.services.immich.loadbalancer.server.port=2283"
- "traefik.http.routers.immich.tls=true"
- "traefik.http.routers.immich.tls.certresolver=letsencrypt"
depends_on:
- immich_redis
- immich_database
healthcheck:
test: ["CMD", "curl", "-f", "${IMMICH_HC}"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: always
immich_machine_learning:
container_name: immich-machine-learning
image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
volumes:
- model-cache:/cache
env_file:
- .env
networks:
- internal
restart: always
immich_redis:
container_name: immich_redis
image: docker.io/valkey/valkey:8-bookworm@sha256:fea8b3e67b15729d4bb70589eb03367bab9ad1ee89c876f54327fc7c6e618571
healthcheck:
test: redis-cli ping || exit 1
networks:
- internal
restart: always
immich_database:
container_name: immich_postgres
image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:41eacbe83eca995561fe43814fd4891e16e39632806253848efaf04d3c8a8b84
environment:
POSTGRES_PASSWORD: ${DB_PASSWORD}
POSTGRES_USER: ${DB_USERNAME}
POSTGRES_DB: ${DB_DATABASE_NAME}
POSTGRES_INITDB_ARGS: '--data-checksums'
volumes:
- ${DB_DATA_LOCATION}:/var/lib/postgresql/data
shm_size: 128mb
networks:
- internal
restart: always
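Review bot: The `immich_server` healthcheck requests the hc-ping URL instead of the service, so Docker reports the container healthy whenever outbound HTTPS works and unhealthy when the monitoring site is unreachable, regardless of whether Immich answers on port 2283. It also replaces whatever healthcheck the image itself defines. I would probe the local port in `healthcheck` (for example `["CMD", "curl", "-f", "http://localhost:2283/<health-path>"]`, path to be confirmed against the Immich docs) and send the heartbeat from a separate cron job or sidecar. The Baikal, Calibre, CouchDB and Vaultwarden files use the same pattern, and the Vaultwarden one hard-codes its ping URL instead of reading it from `.env`.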


@@ -0,0 +1,36 @@
services:
obsidian_db:
image: couchdb:latest
container_name: obsidian_db
env_file:
- path: .env
labels:
- "traefik.enable=true"
- "traefik.docker.network=traefik"
- "traefik.http.routers.couchdb.rule=Host(`${OBSIDIAN_DB_HOST}`)"
- "traefik.http.routers.couchdb.entrypoints=websecure"
- "traefik.http.services.couchdb.loadbalancer.server.port=5984"
- "traefik.http.routers.couchdb.tls=true"
- "traefik.http.routers.couchdb.tls.certresolver=letsencrypt"
- "traefik.http.routers.couchdb.middlewares=obsidiancors"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolallowmethods=GET,PUT,POST,HEAD,DELETE"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolallowheaders=accept,authorization,content-type,origin,referer"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolalloworiginlist=app://obsidian.md,capacitor://localhost,http://localhost"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolmaxage=3600"
- "traefik.http.middlewares.obsidiancors.headers.addvaryheader=true"
- "traefik.http.middlewares.obsidiancors.headers.accessControlAllowCredentials=true"
environment:
- COUCHDB_USER=${OBSIDIAN_DB_USER}
- COUCHDB_PASSWORD=${OBSIDIAN_DB_PASS}
volumes:
- ./data/couchdb/couchdb-data:/opt/couchdb/data
- ./data/couchdb/couchdb-etc:/opt/couchdb/etc/local.d
networks:
- external
healthcheck:
test: ["CMD", "curl", "-f", "${OBSIDIAN_DB_HC}"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: always
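Review bot: `traefik.docker.network=traefik` names a network that none of the files shown here define; the service joins `external`, and the other routers use `traefik.docker.network=external`. The label should read `"traefik.docker.network=external"` so Traefik picks the container address on the shared network. `COUCHDB_USER` and `COUCHDB_PASSWORD` create the server admin, and this router publishes port 5984 with only that account in front of it, so a dedicated non-admin database user for the sync client would reduce what a leaked password exposes. `couchdb:latest` is also unpinned.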


@@ -0,0 +1,42 @@
services:
traefik:
image: traefik:latest
container_name: traefik
env_file:
- path: .env
command:
- "--api.insecure=true"
- "--api.dashboard=true"
- "--api.debug=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
# Add SSH entrypoint
- "--entrypoints.ssh.address=:748"
- "--certificatesresolvers.letsencrypt.acme.tlschallenge=true"
- "--certificatesresolvers.letsencrypt.acme.email=${TRAEFIK_WEBMASTER}"
- "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
- "--accesslog.filepath=/data/access.log"
- "--accesslog.format=json"
- --providers.file.filename=/dynamic.yml
- --providers.file.watch=true
ports:
- "80:80"
- "443:443"
- "748:748" # Add SSH port mapping
- "8080:8080"
networks:
- external
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./letsencrypt:/letsencrypt
- ./data/traefik:/data
- ./dynamic.yml:/dynamic.yml:ro
- ./data/calibre/htpasswd.list:/htpasswd.list
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
- "traefik.http.routers.traefik-dashboard.service=api@internal"
- "traefik.http.routers.traefik-dashboard.tls=true"
restart: unless-stopped
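Review bot: Mounting `/var/run/docker.sock` with `:ro` only protects the socket file; requests sent through it are not restricted, so a compromise of this internet-facing proxy would reach the full Docker API. A filtering socket proxy that allows only the read endpoints Traefik's Docker provider needs, on a network no other service joins, narrows that. The image is `traefik:latest` here while the combined compose file pins `traefik:v3.2`; keeping a pinned tag (or a digest, as the Immich images do) avoids unreviewed upgrades of the edge proxy.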


@@ -0,0 +1,52 @@
services:
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
env_file:
- path: .env
environment:
- SIGNUPS_ALLOWED=false
- INVITES_ALLOWED=false
# - ADMIN_TOKEN=${VAULT_ADMIN_TOKEN}
- DOMAIN=https://${VAULT_HOST}
- LOG_LEVEL=warn
- LOG_FILE=/data/vaultwarden.log
- TZ=Europe/London
networks:
- external
volumes:
- ./data/vaultwarden:/data
labels:
- traefik.enable=true
- traefik.http.middlewares.redirect-https.redirectScheme.scheme=https
- traefik.http.middlewares.redirect-https.redirectScheme.permanent=true
- traefik.http.routers.vaultwarden-https.rule=Host(`${VAULT_HOST}`)
- traefik.http.routers.vaultwarden-https.entrypoints=websecure
- traefik.http.routers.vaultwarden-https.tls=true
- traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt
- traefik.http.routers.vaultwarden-https.service=vaultwarden
- traefik.http.routers.vaultwarden-http.rule=Host(`${VAULT_HOST}`)
- traefik.http.routers.vaultwarden-http.entrypoints=web
- traefik.http.routers.vaultwarden-http.middlewares=redirect-https
- traefik.http.routers.vaultwarden-http.service=vaultwarden
- traefik.http.services.vaultwarden.loadbalancer.server.port=80
healthcheck:
test: ["CMD", "curl", "-f", "https://hc-ping.com/8d7c299a-9594-4f5b-bc1f-9d916ef530e6"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: unless-stopped
vaultwarden_backup:
image: ttionya/vaultwarden-backup:latest
container_name: vaultwarden-backup
restart: always
environment:
RCLONE_REMOTE_DIR: '/system/backups/vaultwarden/'
PING_URL_WHEN_SUCCESS: 'https://hc-ping.com/c03ac1a9-076a-415b-a378-bca245118672'
labels:
- traefik.enable=false
volumes:
- ./data/vaultwarden:/bitwarden/data/
- vaultwarden-rclone-data:/config/
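Review bot: The cert resolver label is set on a router named `vaultwarden` (`traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt`), but the routers this file defines are `vaultwarden-https` and `vaultwarden-http`, so the HTTPS router for the password manager appears to have no resolver and may be served with Traefik's default certificate. The label should be `traefik.http.routers.vaultwarden-https.tls.certresolver=letsencrypt`. `vaultwarden_backup` mounts the vault data and the rclone credentials volume into a third-party image pulled as `:latest`; pinning it by digest, as the Immich images are, limits what an upstream tag change can reach.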

252
servers/hephaestus/homelab Normal file

@@ -0,0 +1,252 @@
# Vaultwarden
server {
server_name vault.do-bbs.com;
location / {
proxy_pass http://10.10.10.2:443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# WebSocket support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Timeouts
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/vault.do-bbs.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/vault.do-bbs.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# Immich
server {
server_name photos.do-bbs.com;
location / {
proxy_pass http://10.10.10.2:443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Large file uploads
client_max_body_size 50000M;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/photos.do-bbs.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/photos.do-bbs.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# Gitea
server {
server_name gitea.do-bbs.com;
location / {
proxy_pass http://10.10.10.2:443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/gitea.do-bbs.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/gitea.do-bbs.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# Baikal
server {
server_name dav.do-bbs.com;
location / {
proxy_pass http://10.10.10.2:443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Ssl on;
# WebDAV specific headers
proxy_set_header Destination $http_destination;
proxy_pass_header Authorization;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/dav.do-bbs.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/dav.do-bbs.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# Obsidian/CouchDB
server {
server_name obsidiandb.do-bbs.com;
location / {
proxy_pass http://10.10.10.2:443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/obsidiandb.do-bbs.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/obsidiandb.do-bbs.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# Calibre Web
server {
server_name cwa.do-bbs.com;
location / {
proxy_pass http://10.10.10.2:443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/cwa.do-bbs.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/cwa.do-bbs.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
server_name cwabd.do-bbs.com;
location / {
proxy_pass http://10.10.10.2:443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/cwabd.do-bbs.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/cwabd.do-bbs.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = vault.do-bbs.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name vault.do-bbs.com;
return 404; # managed by Certbot
}
server {
if ($host = photos.do-bbs.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name photos.do-bbs.com;
return 404; # managed by Certbot
}
server {
if ($host = gitea.do-bbs.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name gitea.do-bbs.com;
return 404; # managed by Certbot
}
server {
if ($host = dav.do-bbs.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name dav.do-bbs.com;
return 404; # managed by Certbot
}
server {
if ($host = obsidiandb.do-bbs.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name obsidiandb.do-bbs.com;
return 404; # managed by Certbot
}
server {
if ($host = cwa.do-bbs.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name cwa.do-bbs.com;
return 404; # managed by Certbot
}
server {
if ($host = cwabd.do-bbs.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name cwabd.do-bbs.com;
return 404; # managed by Certbot
}
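Review bot: Every `proxy_pass` in this file sends `http://` to `10.10.10.2:443`, so after nginx terminates TLS the request, including Vaultwarden and WebDAV credentials, crosses to the backend without TLS of its own. If that address is only reachable over an encrypted tunnel this may be intended, but the file does not say so; add a comment at the top such as `# upstream 10.10.10.2 is reached over <tunnel>; plaintext on this hop is deliberate`, or switch to `proxy_pass https://10.10.10.2:443;` with `proxy_ssl_verify on;` and a trusted CA. The vaultwarden router in the compose files of this commit sets `tls=true` on the same port, which a plain-HTTP upstream request would presumably not match. The Immich block's `client_max_body_size 50000M;` accepts request bodies of roughly 50 GB from any client; confirm that limit is really needed.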

2000
servers/hestia/.bash_history Normal file

File diff suppressed because it is too large Load Diff
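Review bot: `servers/hestia/.bash_history` is being added to the repository with 2000 lines, and shell history routinely holds passwords, tokens and internal hostnames typed on the command line. The content is suppressed on this page, so nothing specific can be confirmed, but the file should be removed from the commit and from history, and any credential found in it rotated. Add per-user state files such as `.bash_history` and `.lesshst` to `.gitignore` so they are not synced with the server configuration.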


@@ -0,0 +1,7 @@
# ~/.bash_logout: executed by bash(1) when login shell exits.
# when leaving the console clear the screen to increase privacy
if [ "$SHLVL" = 1 ]; then
[ -x /usr/bin/clear_console ] && /usr/bin/clear_console -q
fi

114
servers/hestia/.bashrc Normal file

@@ -0,0 +1,114 @@
# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples
# If not running interactively, don't do anything
case $- in
*i*) ;;
*) return;;
esac
# don't put duplicate lines or lines starting with space in the history.
# See bash(1) for more options
HISTCONTROL=ignoreboth
# append to the history file, don't overwrite it
shopt -s histappend
# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
HISTSIZE=1000
HISTFILESIZE=2000
# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize
# If set, the pattern "**" used in a pathname expansion context will
# match all files and zero or more directories and subdirectories.
#shopt -s globstar
# make less more friendly for non-text input files, see lesspipe(1)
#[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
debian_chroot=$(cat /etc/debian_chroot)
fi
# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
xterm-color|*-256color) color_prompt=yes;;
esac
# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
#force_color_prompt=yes
if [ -n "$force_color_prompt" ]; then
if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
# We have color support; assume it's compliant with Ecma-48
# (ISO/IEC-6429). (Lack of such support is extremely rare, and such
# a case would tend to support setf rather than setaf.)
color_prompt=yes
else
color_prompt=
fi
fi
color_prompt=yes
if [ "$color_prompt" = yes ]; then
PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt
# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
;;
*)
;;
esac
# enable color support of ls and also add handy aliases
if [ -x /usr/bin/dircolors ]; then
test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
alias ls='ls --color=auto'
#alias dir='dir --color=auto'
#alias vdir='vdir --color=auto'
#alias grep='grep --color=auto'
#alias fgrep='fgrep --color=auto'
#alias egrep='egrep --color=auto'
fi
# colored GCC warnings and errors
#export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'
# some more ls aliases
alias ll='ls -l'
#alias la='ls -A'
#alias l='ls -CF'
# Alias definitions.
# You may want to put all your additions into a separate file like
# ~/.bash_aliases, instead of adding them here directly.
# See /usr/share/doc/bash-doc/examples in the bash-doc package.
if [ -f ~/.bash_aliases ]; then
. ~/.bash_aliases
fi
# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then
. /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
fi
. /usr/local/bin/prompt.sh
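Review bot: The last line sources `/usr/local/bin/prompt.sh` unconditionally, whereas every other sourced file in this `.bashrc` is guarded by a `[ -f … ]` test, so a host without that script prints an error on each interactive shell. Guard it the same way: `[ -r /usr/local/bin/prompt.sh ] && . /usr/local/bin/prompt.sh`. Because the script runs in every interactive shell of this user, it should be owned by root and not group- or world-writable. The unconditional `color_prompt=yes` above the `PS1` block also makes the preceding `force_color_prompt`/`tput` detection dead code; remove either that block or the override.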

3
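--- a/servers/hestia/.boot.sh
+++ b/servers/hestia/.boot.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+NETDEV=$(ip -o route get 8.8.8.8 | cut -f 5 -d " ")
+sudo ethtool -K "${NETDEV}" rx-udp-gro-forwarding on rx-gro-list off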
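Review bot: `NETDEV` is taken as the fifth space-separated field of `ip -o route get 8.8.8.8` and nothing checks that the lookup succeeded, so on a host with no default route, or with a differently shaped route line, `ethtool -K` runs with an empty or wrong device name. Select the token after `dev` and stop when it is empty, e.g. `NETDEV=$(ip -o route get 8.8.8.8 | awk '{for(i=1;i<NF;i++) if($i=="dev"){print $(i+1);exit}}')` followed by `[ -n "$NETDEV" ] || { echo "no default route" >&2; exit 1; }`. A header comment saying why `rx-udp-gro-forwarding` is switched on and `rx-gro-list` off would help the next reader.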

1
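--- a/servers/hestia/.lesshst
+++ b/servers/hestia/.lesshst
@@ -0,0 +1 @@
+.less-history-file: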

27
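--- a/servers/hestia/.profile
+++ b/servers/hestia/.profile
@@ -0,0 +1,27 @@
+# ~/.profile: executed by the command interpreter for login shells.
+# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
+# exists.
+# see /usr/share/doc/bash/examples/startup-files for examples.
+# the files are located in the bash-doc package.
+# the default umask is set in /etc/profile; for setting the umask
+# for ssh logins, install and configure the libpam-umask package.
+#umask 022
+# if running bash
+if [ -n "$BASH_VERSION" ]; then
+# include .bashrc if it exists
+if [ -f "$HOME/.bashrc" ]; then
+. "$HOME/.bashrc"
+fi
+fi
+# set PATH so it includes user's private bin if it exists
+if [ -d "$HOME/bin" ] ; then
+PATH="$HOME/bin:$PATH"
+fi
+# set PATH so it includes user's private bin if it exists
+if [ -d "$HOME/.local/bin" ] ; then
+PATH="$HOME/.local/bin:$PATH"
+fi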


@@ -0,0 +1,2 @@
# Generated by /usr/bin/select-editor
SELECTED_EDITOR="/bin/nano"


@@ -0,0 +1,4 @@
# HSTS 1.0 Known Hosts database for GNU Wget.
# Edit at your own risk.
# <hostname> <port> <incl. subdomains> <created> <max-age>
raw.githubusercontent.com 0 0 1763946027 31536000


@@ -0,0 +1,76 @@
# ---
# Baikal
# ---
BAIKAL_ADMIN_TOKEN="TTQH95LKDM9VQVZS"
BAIKAL_EMAIL="mail@do-bbs.com"
BAIKAL_HOST="dav.do-bbs.com"
BAIKAL_HC="https://hc-ping.com/d15fee2e-17ad-42bb-a573-591f45d3532b"
# ---
# Calibre Web
# ---
CALIBRE_WEB_HOST="cwa.do-bbs.com"
CALIBRE_WEB_D_HOST="cwabd.do-bbs.com"
CALIBRE_WEB_HC="https://hc-ping.com/313b09fb-f4c6-4fe8-b3d8-47929974c247"
HARD_API="eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJIYXJkY292ZXIiLCJ2ZXJzaW9uIjoiOCIsImp0aSI6ImEwZmZkNDk1LWM1ODMtNGEwMS1iYjBkLWYyNTNlMTEwMjU5ZSIsImFwcGxpY2F0aW9uSWQiOjIsInN1YiI6IjUxMDU5IiwiYXVkIjoiMSIsImlkIjoiNTEwNTkiLCJsb2dnZWRJbiI6dHJ1ZSwiaWF0IjoxNzYwOTIzOTM3LCJleHAiOjE3OTI0NTk5MzcsImh0dHBzOi8vaGFzdXJhLmlvL2p3dC9jbGFpbXMiOnsieC1oYXN1cmEtYWxsb3dlZC1yb2xlcyI6WyJ1c2VyIl0sIngtaGFzdXJhLWRlZmF1bHQtcm9sZSI6InVzZXIiLCJ4LWhhc3VyYS1yb2xlIjoidXNlciIsIlgtaGFzdXJhLXVzZXItaWQiOiI1MTA1OSJ9LCJ1c2VyIjp7ImlkIjo1MTA1OX19.26e1ZMA8p3ovr9d1wLJuZpXb72sTUXIjkEuoCrwPO90"
AA_KEY="5uWJKXVXJSpJhCvTo22XfVLVeMYEY#"
# ---
# Immich
# ---
IMMICH_HOST_DOMAIN=photos.do-bbs.com
UPLOAD_LOCATION=./data/immich/photos
DB_DATA_LOCATION=./data/immich/postgres
IMMICH_VERSION=release
DB_PASSWORD=poss8asdfhoNisdg97SDd!
DB_USERNAME=postgres
DB_DATABASE_NAME=immich
IMMICH_HC=https://hc-ping.com/583d761e-8899-4b15-be2c-d0a11f6c3f6a
# ---
# Traefik
# ---
TRAEFIK_WEBMASTER="webmaster@flatmail.me"
# ---
# Obsidian
# ---
OBSIDIAN_DB_HOST="obsidiandb.do-bbs.com"
OBSIDIAN_DB_HC="https://hc-ping.com/abbaa192-dadc-4241-b1a5-b2e4dbb50735"
OBSIDIAN_DB_USER=GelatoMadness
OBSIDIAN_DB_PASS=kangaroo-proof-breeze-tent-medal-oblige-require-good1
# ---
# Vaultwarden
# ---
VAULT_ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$OStJdThqUWRMbHUxSkVzM1pQbzAvMGk1bGxmK2wyRUJJM0t4K2xyNlI1TT0$KuXsTTUW0GJqOoaGWxP8W2u5AthQ5gmdjC/VzS5tDQI'
VAULT_HOST="vault.do-bbs.com"
# ---
# Gitea
# ---
DATA_PATH=/data
GITEA_VOLUME_LOCATION=./data/gitea
GITEA_HOSTNAME=gitea.do-bbs.com
GITEA_URL=https://gitea.do-bbs.com
GITEA_POSTGRES_IMAGE_TAG=postgres:latest
GITEA_IMAGE_TAG=gitea/gitea:latest
GITEA_DB_NAME=giteadb
GITEA_DB_USER=giteadbuser
GITEA_DB_PASSWORD=Dls8dnaPSmsgoA!
GITEA_ADMIN_USERNAME=giteaadmin
GITEA_ADMIN_PASSWORD=M8ajdl!lsmd3
GITEA_ADMIN_EMAIL=root@do-bbs.com
GITEA_SHELL_SSH_PORT=748
# Backup Variables
BACKUP_INIT_SLEEP=30m
BACKUP_INTERVAL=24h
POSTGRES_BACKUP_PRUNE_DAYS=7
DATA_BACKUP_PRUNE_DAYS=7
POSTGRES_BACKUPS_PATH=/srv/gitea-postgres/backups
DATA_BACKUPS_PATH=/srv/gitea-application-data/backups
POSTGRES_BACKUP_NAME=gitea-postgres-backup
DATA_BACKUP_NAME=gitea-application-data-backup
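Review bot: This file commits live secrets in clear text: the Baikal/SMTP token, `HARD_API` (a JWT), `AA_KEY`, the Immich, CouchDB and Gitea database passwords, the Gitea admin password and the healthcheck ping URLs. Once pushed they have to be treated as disclosed, so rotate each of them and remove the file from the repository history rather than only deleting it in a later commit. Keep a `.env.example` with placeholder values in the repo (for example `GITEA_ADMIN_PASSWORD=<set-me>`), add the real `.env` to `.gitignore`, and consider Docker secrets or a secrets store for the database and admin credentials. `GITEA_POSTGRES_IMAGE_TAG=postgres:latest` and `GITEA_IMAGE_TAG=gitea/gitea:latest` also let a database major-version change arrive unannounced; pin them to a version.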


@@ -0,0 +1,320 @@
services:
traefik:
image: traefik:v3.2
container_name: traefik
command:
- "--api.insecure=true"
- "--api.dashboard=true"
- "--api.debug=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
- "--certificatesresolvers.letsencrypt.acme.tlschallenge=true"
- "--certificatesresolvers.letsencrypt.acme.email=webmaster@do-bbs.com"
- "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
- "--accesslog.filepath=/data/access.log"
- "--accesslog.format=json"
- --providers.file.filename=/dynamic.yml
- --providers.file.watch=true
ports:
- "80:80"
- "443:443"
- "8080:8080"
networks:
- external
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./letsencrypt:/letsencrypt
- ./data/traefik:/data
- ./dynamic.yml:/dynamic.yml:ro
- ./data/calibre/htpasswd.list:/htpasswd.list
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
- "traefik.http.routers.traefik-dashboard.service=api@internal"
- "traefik.http.routers.traefik-dashboard.tls=true"
restart: unless-stopped
dav:
image: ckulka/baikal:nginx
container_name: baikal
environment:
MSMTPRC: |
defaults
auth on
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
account default
host smtp.protonmail.ch
port 587
from mail@do-bbs.com
user mail@do-bbs.com
password ${BAIKAL_ADMIN_TOKEN}
networks:
- external
volumes:
- ./data/baikal/Specific:/var/www/baikal/Specific
- ./data/baikal/config:/var/www/baikal/config
- ./data/baikal/50-add-sharing-plugin.sh:/docker-entrypoint.d/50-add-sharing-plugin.sh
labels:
- "traefik.enable=true"
- "traefik.http.routers.baikal.entrypoints=websecure"
- "traefik.http.routers.baikal.rule=Host(`dav.do-bbs.com`)"
- "traefik.http.routers.baikal.tls=true"
- "traefik.http.routers.baikal.tls.certresolver=letsencrypt"
- "traefik.http.services.baikal.loadbalancer.server.port=80"
healthcheck:
test: ["CMD", "curl", "-f", "https://hc-ping.com/d15fee2e-17ad-42bb-a573-591f45d3532b"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: unless-stopped
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
environment:
- SIGNUPS_ALLOWED=false
- INVITES_ALLOWED=false
# - ADMIN_TOKEN=${VAULT_ADMIN_TOKEN}
- ADMIN_TOKEN=IFdsg.ORGOTARON123nsl
- DOMAIN=https://vault.do-bbs.com
- LOG_LEVEL=warn
- LOG_FILE=/data/vaultwarden.log
- TZ=Europe/London
networks:
- external
volumes:
- ./data/vaultwarden:/data
labels:
- traefik.enable=true
- traefik.http.middlewares.redirect-https.redirectScheme.scheme=https
- traefik.http.middlewares.redirect-https.redirectScheme.permanent=true
- traefik.http.routers.vaultwarden-https.rule=Host(`vault.do-bbs.com`)
- traefik.http.routers.vaultwarden-https.entrypoints=websecure
- traefik.http.routers.vaultwarden-https.tls=true
- traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt
- traefik.http.routers.vaultwarden-https.service=vaultwarden
- traefik.http.routers.vaultwarden-http.rule=Host(`vault.do-bbs.com`)
- traefik.http.routers.vaultwarden-http.entrypoints=web
- traefik.http.routers.vaultwarden-http.middlewares=redirect-https
- traefik.http.routers.vaultwarden-http.service=vaultwarden
- traefik.http.services.vaultwarden.loadbalancer.server.port=80
healthcheck:
test: ["CMD", "curl", "-f", "https://hc-ping.com/8d7c299a-9594-4f5b-bc1f-9d916ef530e6"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: unless-stopped
vaultwarden_backup:
image: ttionya/vaultwarden-backup:latest
container_name: vaultwarden-backup
restart: always
environment:
RCLONE_REMOTE_DIR: '/system/backups/vaultwarden/'
PING_URL_WHEN_SUCCESS: 'https://hc-ping.com/c03ac1a9-076a-415b-a378-bca245118672'
labels:
- traefik.enable=false
volumes:
- ./data/vaultwarden:/bitwarden/data/
- vaultwarden-rclone-data:/config/
immich_server:
container_name: immich_server
image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
volumes:
- ${UPLOAD_LOCATION}:/data
- /etc/localtime:/etc/localtime:ro
env_file:
.env
environment:
- REDIS_HOSTNAME=immich_redis
- DB_HOSTNAME=immich_database
networks:
- external
- internal
labels:
- "traefik.enable=true"
- "traefik.docker.network=external"
- "traefik.http.routers.immich.rule=Host(`photos.do-bbs.com`)"
- "traefik.http.routers.immich.entrypoints=websecure"
- "traefik.http.services.immich.loadbalancer.server.port=2283"
- "traefik.http.routers.immich.tls=true"
- "traefik.http.routers.immich.tls.certresolver=letsencrypt"
depends_on:
- immich_redis
- immich_database
healthcheck:
test: ["CMD", "curl", "-f", "https://hc-ping.com/583d761e-8899-4b15-be2c-d0a11f6c3f6a"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: always
immich_machine_learning:
container_name: immich-machine-learning
image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
volumes:
- model-cache:/cache
env_file:
- .env
networks:
- internal
restart: always
immich_redis:
container_name: immich_redis
image: docker.io/valkey/valkey:8-bookworm@sha256:fea8b3e67b15729d4bb70589eb03367bab9ad1ee89c876f54327fc7c6e618571
healthcheck:
test: redis-cli ping || exit 1
networks:
- internal
restart: always
immich_database:
container_name: immich_postgres
image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:41eacbe83eca995561fe43814fd4891e16e39632806253848efaf04d3c8a8b84
environment:
POSTGRES_PASSWORD: ${DB_PASSWORD}
POSTGRES_USER: ${DB_USERNAME}
POSTGRES_DB: ${DB_DATABASE_NAME}
POSTGRES_INITDB_ARGS: '--data-checksums'
volumes:
- ${DB_DATA_LOCATION}:/var/lib/postgresql/data
shm_size: 128mb
networks:
- internal
restart: always
obsidian_db:
image: couchdb:latest
container_name: couchdb-ols
env_file:
.env
labels:
- "traefik.enable=true"
- "traefik.docker.network=traefik"
- "traefik.http.routers.couchdb.rule=Host(`couchdb.do-bbs.com`)"
- "traefik.http.routers.couchdb.entrypoints=websecure"
- "traefik.http.services.couchdb.loadbalancer.server.port=5984"
- "traefik.http.routers.couchdb.tls=true"
- "traefik.http.routers.couchdb.tls.certresolver=letsencrypt"
- "traefik.http.routers.couchdb.middlewares=obsidiancors"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolallowmethods=GET,PUT,POST,HEAD,DELETE"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolallowheaders=accept,authorization,content-type,origin,referer"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolalloworiginlist=app://obsidian.md,capacitor://localhost,http://localhost"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolmaxage=3600"
- "traefik.http.middlewares.obsidiancors.headers.addvaryheader=true"
- "traefik.http.middlewares.obsidiancors.headers.accessControlAllowCredentials=true"
environment:
- COUCHDB_USER=${COUCHDB_USER}
- COUCHDB_PASSWORD=${COUCHDB_PASSWORD}
volumes:
- ./data/couchdb/couchdb-data:/opt/couchdb/data
- ./data/couchdb/couchdb-etc:/opt/couchdb/etc/local.d
networks:
- external
healthcheck:
test: ["CMD", "curl", "-f", "https://hc-ping.com/abbaa192-dadc-4241-b1a5-b2e4dbb50735"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: always
calibre_web:
image: crocodilestick/calibre-web-automated:dev
container_name: calibre-web-automated
env_file:
- .env
environment:
- PUID=33
- PGID=33
- TZ=UTC
- HARDCOVER_TOKEN=${HARD_API}
- NETWORK_SHARE_MODE=true
- CWA_PORT_OVERRIDE=8083
- DOCKER_MODS=lscr.io/linuxserver/mods:universal-calibre-v8.7.0
volumes:
- ./data/calibre-web/data:/config
- ./data/calibre-web/meta:/calibre-library
- /mnt/athena/books/library:/calibre-library/athena
- ./data/calibre-web/ingest:/cwa-book-ingest
- ./data/calibre-web/plugins:/config/.config/calibre/plugins
labels:
- "traefik.enable=true"
- "traefik.docker.network=external"
- "traefik.http.routers.cwa.rule=Host(`cwa.do-bbs.com`)"
- "traefik.http.routers.cwa.entrypoints=websecure"
- "traefik.http.services.cwa.loadbalancer.server.port=8083"
- "traefik.http.routers.cwa.tls=true"
- "traefik.http.routers.cwa.tls.certresolver=letsencrypt"
networks:
- external
healthcheck:
test: ["CMD", "curl", "-f", "https://hc-ping.com/313b09fb-f4c6-4fe8-b3d8-47929974c247"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: unless-stopped
calibre_web_downloader:
image: ghcr.io/calibrain/calibre-web-automated-book-downloader:latest
container_name: calibre-web-automated-book-downloader
env_file:
.env
environment:
FLASK_PORT: 8084
FLASK_DEBUG: false
LOG_LEVEL: info
BOOK_LANGUAGE: en
USE_BOOK_TITLE: true
TZ: UTC
APP_ENV: prod
UID: 33
GID: 33
CWA_DB_PATH: /auth/app.db
INGEST_DIR: /cwa-book-ingest
MAX_CONCURRENT_DOWNLOADS: 3
DOWNLOAD_PROGRESS_UPDATE_INTERVAL: 5
AA_DONATOR_KEY: ${AA_KEY}
USE_CF_BYPASS: false
labels:
- "traefik.enable=true"
- "traefik.docker.network=external"
- "traefik.http.routers.cwabd.rule=Host(`cwabd.do-bbs.com`)"
- "traefik.http.routers.cwabd.entrypoints=websecure"
- "traefik.http.services.cwabd.loadbalancer.server.port=8084"
- "traefik.http.routers.cwabd.tls=true"
- "traefik.http.routers.cwabd.tls.certresolver=letsencrypt"
volumes:
- ./data/calibre-web/ingest:/cwa-book-ingest
- ./data/calibre-web/data/app.db:/auth/app.db:ro
networks:
- external
- internal
restart: unless-stopped
flaresolverr:
image: ghcr.io/flaresolverr/flaresolverr:latest
networks:
- internal
volumes:
model-cache:
vaultwarden-rclone-data:
external: true
name: vaultwarden-rclone-data
networks:
external:
name: external
internal:
name: internal
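Review bot: The traefik service starts with `--api.insecure=true` and publishes `8080:8080`, which serves the Traefik API and dashboard without authentication on every host interface, and `--api.debug=true` adds debug endpoints on top. Drop `--api.insecure=true`, `--api.debug=true` and the `"8080:8080"` mapping, and give the existing `traefik-dashboard` router a `Host(...)` rule plus an authentication middleware if the dashboard is needed. The vaultwarden service also sets `ADMIN_TOKEN=` to a plaintext value in this file while the `${VAULT_ADMIN_TOKEN}` line is commented out; restore `- ADMIN_TOKEN=${VAULT_ADMIN_TOKEN}` and rotate the token that was committed. In obsidian_db, `traefik.docker.network=traefik` names a network this file does not define, and `${COUCHDB_USER}`/`${COUCHDB_PASSWORD}` do not match the `OBSIDIAN_DB_*` names that the `.env` in this commit provides.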


@@ -0,0 +1,45 @@
services:
dav:
image: ckulka/baikal:nginx
container_name: baikal
env_file:
- path: .env
environment:
MSMTPRC: |
defaults
auth on
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
account default
host smtp.protonmail.ch
port 587
from ${BAIKAL_EMAIL}
user ${BAIKAL_EMAIL}
password ${BAIKAL_ADMIN_TOKEN}
HTTPS: "on"
SERVER_PORT: "443"
networks:
- external
volumes:
- ./data/baikal/Specific:/var/www/baikal/Specific
- ./data/baikal/config:/var/www/baikal/config
- ./data/baikal/50-add-sharing-plugin.sh:/docker-entrypoint.d/50-add-sharing-plugin.sh
security_opt:
- no-new-privileges:true
labels:
- "traefik.enable=true"
- "traefik.http.routers.baikal-http.entrypoints=web"
- "traefik.http.routers.baikal-http.rule=Host(`${BAIKAL_HOST}`)"
- "traefik.http.routers.baikal-http.service=baikal"
- "traefik.http.routers.baikal-https.entrypoints=websecure"
- "traefik.http.routers.baikal-https.rule=Host(`${BAIKAL_HOST}`)"
- "traefik.http.services.baikal.loadbalancer.server.port=80"
- "traefik.http.middlewares.baikal-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
- "traefik.http.routers.baikal-https.middlewares=baikal-headers"
healthcheck:
test: ["CMD", "curl", "-f", "${BAIKAL_HC}"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: unless-stopped
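Review bot: The `healthcheck` runs `curl -f "${BAIKAL_HC}"`, an outbound ping to hc-ping.com, so the container's health status reports whether the internet is reachable rather than whether Baikal answers, and it fails outright if the image ships no `curl`. Probe the service itself, for example `test: ["CMD", "curl", "-fsS", "http://localhost/"]` (path to be confirmed against the image), and send the heartbeat from a separate job. The same pattern is used for the vaultwarden, calibre_web, immich_server and obsidian_db services in this commit. The `baikal-http` router also serves the app on the `web` entrypoint with no redirect middleware, unlike the vaultwarden file; if plain HTTP is not wanted, attach a `redirectScheme` middleware or remove that router.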


@@ -0,0 +1,83 @@
services:
calibre_web:
image: crocodilestick/calibre-web-automated:dev
container_name: calibre-web-automated
env_file:
- path: .env
environment:
- PUID=33
- PGID=33
- TZ=UTC
- HARDCOVER_TOKEN=${HARD_API}
- NETWORK_SHARE_MODE=true
- CWA_PORT_OVERRIDE=8083
- DOCKER_MODS=lscr.io/linuxserver/mods:universal-calibre-v8.7.0
volumes:
- ./data/calibre-web/data:/config
- ./data/calibre-web/meta:/calibre-library
- /mnt/athena/books/library:/calibre-library/athena
- ./data/calibre-web/ingest:/cwa-book-ingest
- ./data/calibre-web/plugins:/config/.config/calibre/plugins
labels:
- "traefik.enable=true"
- "traefik.docker.network=external"
- "traefik.http.routers.cwa.rule=Host(`${CALIBRE_WEB_HOST}`)" # Fixed missing (
- "traefik.http.routers.cwa.entrypoints=websecure"
- "traefik.http.services.cwa.loadbalancer.server.port=8083"
networks:
- external
security_opt:
- no-new-privileges:true
healthcheck:
test: ["CMD", "curl", "-f", "${CALIBRE_WEB_HC}"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: unless-stopped
calibre_web_downloader:
image: ghcr.io/calibrain/calibre-web-automated-book-downloader:latest
container_name: calibre-web-automated-book-downloader
env_file:
- path: .env
environment:
FLASK_PORT: 8084
FLASK_DEBUG: false
LOG_LEVEL: info
BOOK_LANGUAGE: en
USE_BOOK_TITLE: true
TZ: UTC
APP_ENV: prod
UID: 33
GID: 33
CWA_DB_PATH: /auth/app.db
INGEST_DIR: /cwa-book-ingest
MAX_CONCURRENT_DOWNLOADS: 3
DOWNLOAD_PROGRESS_UPDATE_INTERVAL: 5
AA_DONATOR_KEY: ${AA_KEY}
USE_CF_BYPASS: false
labels:
- "traefik.enable=true"
- "traefik.docker.network=external"
- "traefik.http.routers.cwabd.rule=Host(`${CALIBRE_WEB_D_HOST}`)" # Fixed missing (
- "traefik.http.routers.cwabd.entrypoints=websecure"
- "traefik.http.services.cwabd.loadbalancer.server.port=8084"
# Removed tls and certresolver lines
volumes:
- ./data/calibre-web/ingest:/cwa-book-ingest
- ./data/calibre-web/data/app.db:/auth/app.db:ro
networks:
- external
security_opt:
- no-new-privileges:true
restart: unless-stopped
flaresolverr:
image: ghcr.io/flaresolverr/flaresolverr:latest
container_name: flaresolverr
networks:
- external
security_opt:
- no-new-privileges:true
restart: unless-stopped
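Review bot: All three images here float on mutable tags, `crocodilestick/calibre-web-automated:dev`, `calibre-web-automated-book-downloader:latest` and `flaresolverr:latest`, so a `docker compose pull` can replace running code with an unreviewed build; `dev` presumably tracks a development branch. Pin each image to a released version or a digest, the way `immich_redis` is pinned with `@sha256:` elsewhere in this commit. `flaresolverr` has also moved from the `internal` network in the combined compose file to `external`, the network Traefik routes on; unless something outside needs it, keep it on `internal` and join `calibre_web_downloader` to `internal` as before. The trailing `# Fixed missing (` and `# Removed tls and certresolver lines` comments describe the edit rather than the configuration and belong in the commit message.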


@@ -0,0 +1,20 @@
include:
- traefik.yml
- baikal.yml
- vaultwarden.yml
- immich.yml
- obsidian_db.yml
- calibre_web.yml
- gitea.yml
networks:
external:
name: external
internal:
name: internal
volumes:
model-cache:
vaultwarden-rclone-data:
external: true
name: vaultwarden-rclone-data


@@ -0,0 +1,4 @@
http:
serversTransports:
ignorecert:
insecureSkipVerify: true
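Review bot: The `ignorecert` serversTransport sets `insecureSkipVerify: true`, which turns off backend certificate verification for any service that references it. None of the service labels visible in this commit reference `ignorecert`, so it appears to be unused; remove it, or if a backend with a self-signed certificate needs it, trust that certificate through `rootCAs` instead and add a comment naming the backend.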


@@ -0,0 +1,114 @@
services:
gitea_postgres:
image: ${GITEA_POSTGRES_IMAGE_TAG}
container_name: gitea_postgres
volumes:
- ${GITEA_VOLUME_LOCATION}/postgres:/var/lib/postgresql
env_file:
- .env
environment:
POSTGRES_DB: ${GITEA_DB_NAME}
POSTGRES_USER: ${GITEA_DB_USER}
POSTGRES_PASSWORD: ${GITEA_DB_PASSWORD}
networks:
- internal
security_opt:
- no-new-privileges:true
healthcheck:
test: [ "CMD", "pg_isready", "-q", "-d", "${GITEA_DB_NAME}", "-U", "${GITEA_DB_USER}" ]
interval: 10s
timeout: 5s
retries: 3
start_period: 60s
restart: unless-stopped
gitea:
image: ${GITEA_IMAGE_TAG}
container_name: gitea
volumes:
- ${GITEA_VOLUME_LOCATION}/data:/${DATA_PATH}
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
environment:
GITEA_DATABASE_HOST: postgres
GITEA_DATABASE_NAME: ${GITEA_DB_NAME}
GITEA_DATABASE_USERNAME: ${GITEA_DB_USER}
GITEA_DATABASE_PASSWORD: ${GITEA_DB_PASSWORD}
GITEA_ADMIN_USER: ${GITEA_ADMIN_USERNAME}
GITEA_ADMIN_PASSWORD: ${GITEA_ADMIN_PASSWORD}
GITEA_ADMIN_EMAIL: ${GITEA_ADMIN_EMAIL}
GITEA_RUN_MODE: prod
GITEA_DOMAIN: ${GITEA_HOSTNAME}
GITEA_SSH_DOMAIN: ${GITEA_HOSTNAME}
GITEA_ROOT_URL: ${GITEA_URL}
GITEA_HTTP_PORT: 3000
GITEA_SSH_PORT: ${GITEA_SHELL_SSH_PORT}
GITEA_SSH_LISTEN_PORT: 22
networks:
- external
- internal
ports:
- "127.0.0.1:2222:22"
security_opt:
- no-new-privileges:true
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:3000/"]
interval: 10s
timeout: 5s
retries: 3
start_period: 90s
labels:
- "traefik.enable=true"
- "traefik.http.routers.gitea.rule=Host(`${GITEA_HOSTNAME}`)"
- "traefik.http.routers.gitea.service=gitea"
- "traefik.http.routers.gitea.entrypoints=websecure"
- "traefik.http.services.gitea.loadbalancer.server.port=3000"
- "traefik.http.services.gitea.loadbalancer.passhostheader=true"
- "traefik.http.middlewares.gitea.compress=true"
- "traefik.http.routers.gitea.middlewares=gitea"
- "traefik.docker.network=external"
- "traefik.tcp.routers.gitea-ssh.rule=HostSNI(`*`)"
- "traefik.tcp.routers.gitea-ssh.service=gitea-ssh"
- "traefik.tcp.routers.gitea-ssh.entrypoints=ssh"
- "traefik.tcp.services.gitea-ssh.loadbalancer.server.port=22"
depends_on:
gitea_postgres:
condition: service_healthy
gitea_backups:
image: ${GITEA_POSTGRES_IMAGE_TAG}
container_name: gitea_backups
command: >-
sh -c 'sleep $BACKUP_INIT_SLEEP &&
while true; do
pg_dump -h postgres -p 5432 -d $GITEA_DB_NAME -U $GITEA_DB_USER | gzip > $POSTGRES_BACKUPS_PATH/$POSTGRES_BACKUP_NAME-$(date "+%Y-%m-%d_%H-%M").gz &&
tar -zcpf $DATA_BACKUPS_PATH/$DATA_BACKUP_NAME-$(date "+%Y-%m-%d_%H-%M").tar.gz $DATA_PATH &&
find $POSTGRES_BACKUPS_PATH -type f -mtime +$POSTGRES_BACKUP_PRUNE_DAYS | xargs rm -f &&
find $DATA_BACKUPS_PATH -type f -mtime +$DATA_BACKUP_PRUNE_DAYS | xargs rm -f;
sleep $BACKUP_INTERVAL; done'
volumes:
- ${GITEA_VOLUME_LOCATION}/postgres_backup:/var/lib/postgresql/data
- ${GITEA_VOLUME_LOCATION}/data:${DATA_PATH}
- ${GITEA_VOLUME_LOCATION}/data_backup:${DATA_BACKUPS_PATH}
- ${GITEA_VOLUME_LOCATION}/database_backup:${POSTGRES_BACKUPS_PATH}
environment:
GITEA_DB_NAME: ${GITEA_DB_NAME}
GITEA_DB_USER: ${GITEA_DB_USER}
PGPASSWORD: ${GITEA_DB_PASSWORD}
BACKUP_INIT_SLEEP: ${BACKUP_INIT_SLEEP}
BACKUP_INTERVAL: ${BACKUP_INTERVAL}
POSTGRES_BACKUP_PRUNE_DAYS: ${POSTGRES_BACKUP_PRUNE_DAYS}
DATA_BACKUP_PRUNE_DAYS: ${DATA_BACKUP_PRUNE_DAYS}
POSTGRES_BACKUPS_PATH: ${POSTGRES_BACKUPS_PATH}
DATA_BACKUPS_PATH: ${DATA_BACKUPS_PATH}
DATA_PATH: ${DATA_PATH}
POSTGRES_BACKUP_NAME: ${POSTGRES_BACKUP_NAME}
DATA_BACKUP_NAME: ${DATA_BACKUP_NAME}
networks:
- internal
security_opt:
- no-new-privileges:true
restart: unless-stopped
depends_on:
gitea_postgres:
condition: service_healthy
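Review bot: `GITEA_DATABASE_HOST: postgres` in the gitea service and `pg_dump -h postgres` in gitea_backups point at a host named `postgres`, but the database service and its `container_name` are `gitea_postgres` and no network alias is declared, so the name will presumably not resolve on the `internal` network. Use `gitea_postgres` in both places. The variable style `GITEA_DATABASE_HOST`/`GITEA_ADMIN_USER` should also be checked against the image selected by `GITEA_IMAGE_TAG`, since the upstream `gitea/gitea` image reads settings as `GITEA__section__KEY` and may ignore these. In the backup loop, `pg_dump … | gzip` reports only gzip's exit status, so a failed dump still leaves an archive and pruning proceeds; dump to a temporary file and move it into place only on success, and replace `find … | xargs rm -f` with `find … -delete`.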


@@ -0,0 +1,74 @@
services:
immich_server:
container_name: immich_server
image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
volumes:
- ${UPLOAD_LOCATION}:/data
- /etc/localtime:/etc/localtime:ro
env_file:
- path: .env
environment:
- REDIS_HOSTNAME=immich_redis
- DB_HOSTNAME=immich_database
networks:
- external
- internal
security_opt:
- no-new-privileges:true
labels:
- "traefik.enable=true"
- "traefik.docker.network=external"
- "traefik.http.routers.immich.rule=Host(`${IMMICH_HOST_DOMAIN}`)"
- "traefik.http.routers.immich.entrypoints=websecure"
- "traefik.http.services.immich.loadbalancer.server.port=2283"
depends_on:
- immich_redis
- immich_database
healthcheck:
test: ["CMD", "curl", "-f", "${IMMICH_HC}"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: always
immich_machine_learning:
container_name: immich-machine-learning
image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
volumes:
- model-cache:/cache
env_file:
- .env
networks:
- internal
security_opt:
- no-new-privileges:true
restart: always
immich_redis:
container_name: immich_redis
image: docker.io/valkey/valkey:8-bookworm@sha256:fea8b3e67b15729d4bb70589eb03367bab9ad1ee89c876f54327fc7c6e618571
healthcheck:
test: redis-cli ping || exit 1
networks:
- internal
security_opt:
- no-new-privileges:true
restart: always
immich_database:
container_name: immich_postgres
image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:41eacbe83eca995561fe43814fd4891e16e39632806253848efaf04d3c8a8b84
environment:
POSTGRES_PASSWORD: ${DB_PASSWORD}
POSTGRES_USER: ${DB_USERNAME}
POSTGRES_DB: ${DB_DATABASE_NAME}
POSTGRES_INITDB_ARGS: '--data-checksums'
volumes:
- ${DB_DATA_LOCATION}:/var/lib/postgresql/data
shm_size: 128mb
networks:
- internal
security_opt:
- no-new-privileges:true
restart: always
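Review bot: `env_file: .env` loads the whole shared `.env` into `immich_server` and `immich_machine_learning`, so both containers receive every other service's secrets (Gitea admin password, CouchDB credentials, API tokens) in their environment. Pass only what each service needs through `environment:` with `${VAR}` interpolation, as `immich_database` already does, or split the file per service. The same applies to the vaultwarden, baikal, calibre_web, obsidian_db and gitea_postgres services in this commit.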


@@ -0,0 +1,36 @@
services:
obsidian_db:
image: couchdb:latest
container_name: obsidian_db
env_file:
- path: .env
labels:
- "traefik.enable=true"
- "traefik.docker.network=external"
- "traefik.http.routers.couchdb.rule=Host(`${OBSIDIAN_DB_HOST}`)"
- "traefik.http.routers.couchdb.entrypoints=websecure"
- "traefik.http.services.couchdb.loadbalancer.server.port=5984"
- "traefik.http.routers.couchdb.middlewares=obsidiancors"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolallowmethods=GET,PUT,POST,HEAD,DELETE"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolallowheaders=accept,authorization,content-type,origin,referer"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolalloworiginlist=app://obsidian.md,capacitor://localhost,http://localhost"
- "traefik.http.middlewares.obsidiancors.headers.accesscontrolmaxage=3600"
- "traefik.http.middlewares.obsidiancors.headers.addvaryheader=true"
- "traefik.http.middlewares.obsidiancors.headers.accessControlAllowCredentials=true"
environment:
- COUCHDB_USER=${OBSIDIAN_DB_USER}
- COUCHDB_PASSWORD=${OBSIDIAN_DB_PASS}
volumes:
- ./data/couchdb/couchdb-data:/opt/couchdb/data
- ./data/couchdb/couchdb-etc:/opt/couchdb/etc/local.d
networks:
- external
security_opt:
- no-new-privileges:true
healthcheck:
test: ["CMD", "curl", "-f", "${OBSIDIAN_DB_HC}"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: always
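Review bot: The `couchdb` router publishes the whole CouchDB HTTP API on port 5984, admin endpoints included, on `websecure`, which the Traefik file in this commit binds to `0.0.0.0:443`; the only barrier is the single `COUCHDB_USER`/`COUCHDB_PASSWORD` admin account. If clients only ever sync over the WireGuard link that file's comment mentions, an allow-list middleware on this router, e.g. `traefik.http.middlewares.couchdb-allow.ipallowlist.sourcerange=<WG_SUBNET_CIDR>` (middleware name is an example), would keep it off the open internet; otherwise a dedicated non-admin database user for sync is worth setting up. `couchdb:latest` should also be pinned to a version so a pull cannot move the database to a new major release unnoticed.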


@@ -0,0 +1,25 @@
# traefik.yml on home server
services:
traefik:
image: traefik:latest
container_name: traefik
command:
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
- "--entrypoints.ssh.address=:748" # ADD THIS LINE
- "--certificatesresolvers.letsencrypt.acme.tlschallenge=true"
- "--certificatesresolvers.letsencrypt.acme.email=${TRAEFIK_WEBMASTER}"
- "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
ports:
- "0.0.0.0:80:80" # Listen on ALL interfaces (including wg0)
- "0.0.0.0:443:443" # Listen on ALL interfaces
- "127.0.0.1:8080:8080" # Dashboard stays local only
- "0.0.0.0:748:748" # Explicit binding
networks:
- external
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./letsencrypt:/letsencrypt
restart: unless-stopped
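Review bot: The `:ro` on `/var/run/docker.sock:/var/run/docker.sock:ro` only protects the socket file, not the Docker API behind it, so a compromise of this internet-facing container still gives full control of the Docker daemon. Unlike the immich, couchdb and vaultwarden services, this one has no `security_opt: - no-new-privileges:true`, and it runs `traefik:latest`. I would add the `security_opt` entry, pin the image to a version, and place a filtering socket proxy that allows only the read endpoints the Docker provider needs between Traefik and the daemon. The trailing `# ADD THIS LINE` on the `ssh` entrypoint looks like a leftover instruction and can go.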


@@ -0,0 +1,51 @@
services:
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
env_file:
- path: .env
environment:
- SIGNUPS_ALLOWED=false
- INVITES_ALLOWED=false
- DOMAIN=https://${VAULT_HOST}
- LOG_LEVEL=warn
- LOG_FILE=/data/vaultwarden.log
- TZ=Europe/London
networks:
- external
volumes:
- ./data/vaultwarden:/data
security_opt:
- no-new-privileges:true
labels:
- traefik.enable=true
- traefik.http.middlewares.redirect-https.redirectScheme.scheme=https
- traefik.http.middlewares.redirect-https.redirectScheme.permanent=true
- traefik.http.routers.vaultwarden-https.rule=Host(`${VAULT_HOST}`)
- traefik.http.routers.vaultwarden-https.entrypoints=websecure
- traefik.http.routers.vaultwarden-https.service=vaultwarden
- traefik.http.routers.vaultwarden-http.rule=Host(`${VAULT_HOST}`)
- traefik.http.routers.vaultwarden-http.entrypoints=web
- traefik.http.routers.vaultwarden-http.middlewares=redirect-https
- traefik.http.routers.vaultwarden-http.service=vaultwarden
- traefik.http.services.vaultwarden.loadbalancer.server.port=80
healthcheck:
test: ["CMD", "curl", "-f", "https://hc-ping.com/8d7c299a-9594-4f5b-bc1f-9d916ef530e6"]
interval: 3600s
timeout: 10s
retries: 5
start_period: 30s
restart: unless-stopped
vaultwarden_backup:
image: ttionya/vaultwarden-backup:latest
container_name: vaultwarden-backup
restart: always
environment:
RCLONE_REMOTE_DIR: '/system/backups/vaultwarden/'
PING_URL_WHEN_SUCCESS: 'https://hc-ping.com/c03ac1a9-076a-415b-a378-bca245118672'
labels:
- traefik.enable=false
volumes:
- ./data/vaultwarden:/bitwarden/data/
- vaultwarden-rclone-data:/config/
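Review bot: The two `hc-ping.com` URLs are committed in clear (the `healthcheck.test` of `vaultwarden` and `PING_URL_WHEN_SUCCESS` of `vaultwarden_backup`), whereas the immich and couchdb files take theirs from `.env` (`${IMMICH_HC}`, `${OBSIDIAN_DB_HC}`). Anyone who can read the repository can post success pings to those checks and mask a failed backup, so they should move to `.env` the same way and the committed ones be rotated. The healthcheck also only proves the container can reach the monitoring service, not that Vaultwarden answers; if the image ships its own health check (I believe it does, confirm), this `healthcheck:` block overrides it. `vaultwarden_backup` additionally has no `security_opt` and uses a `latest` tag, and `vaultwarden-rclone-data` is not declared in the visible part of the file.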


@@ -0,0 +1,2 @@
#!/bin/bash
echo 0 >> /sys/class/backlight/intel_backlight/brightness


@@ -0,0 +1,203 @@
#!/usr/bin/env bash
set -euo pipefail
# shellcheck disable=1091
. /usr/local/share/dao/config/dao.conf
readonly LOG_PREFIX="[dao_am.service]"
readonly MAX_RETRIES=90
readonly RETRY_DELAY=2
# Configuration
declare -A RCLONE_MOUNTS=(
["koofr"]="${DAO_STORAGE_DIR}/koofr:false"
["koofr_vault"]="${DAO_STORAGE_DIR}/vault:true"
)
declare -A SSHFS_MOUNTS=(
["hephaestus"]="/home/oc/dao:/home/jamie/dao/servers/hephaestus"
["pan_lms"]="/home/tc:/home/jamie/dao/servers/pan"
)
# Options
readonly BASE_RCLONE_OPTS=(
--vfs-cache-mode writes
--cache-dir /tmp/rclone-cache
--dir-cache-time 5m
--poll-interval 1m
--timeout 1h
--low-level-retries 10
--retries 3
--vfs-cache-max-size 10G
--vfs-cache-max-age 24h
--buffer-size 256M
--transfers 8
--checkers 8
--allow-non-empty
--allow-other
--umask 000
)
readonly CRYPT_RCLONE_OPTS=(
--buffer-size 256M
--transfers 8
--vfs-read-ahead 256M
--vfs-read-chunk-size 128M
--vfs-read-chunk-size-limit 2G
)
readonly SSHFS_OPTS=(
-o allow_other
-o reconnect
-o ServerAliveInterval=30
-o ServerAliveCountMax=3
)
# Track mount attempts and failures
declare -A RCLONE_ATTEMPTS
declare -A SSHFS_ATTEMPTS
log() {
echo "${LOG_PREFIX} $*" >&2
}
is_mounted() {
local mount_point="$1"
grep -q " ${mount_point} " /proc/mounts
}
mount_rclone() {
local remote="$1" mount_point="$2" is_crypt="$3"
if is_mounted "$mount_point"; then
log "rclone $remote already mounted at $mount_point"
return 0
fi
local opts=("${BASE_RCLONE_OPTS[@]}")
[[ "$is_crypt" == "true" ]] && opts+=("${CRYPT_RCLONE_OPTS[@]}")
log "Mounting rclone: $remote -> $mount_point (attempt $((RCLONE_ATTEMPTS[$remote] + 1)))"
/usr/bin/rclone mount "$remote:" "$mount_point" "${opts[@]}" &
# Give it a moment to attempt the mount
sleep 2
if is_mounted "$mount_point"; then
log "Successfully mounted rclone: $remote"
return 0
else
log "Failed to mount rclone: $remote"
return 1
fi
}
mount_sshfs() {
local remote="$1" mount_point="$2"
if is_mounted "$mount_point"; then
log "sshfs $remote already mounted at $mount_point"
return 0
fi
log "Mounting sshfs: $remote -> $mount_point (attempt $((SSHFS_ATTEMPTS[$remote] + 1)))"
if /usr/bin/sshfs "$remote" "$mount_point" "${SSHFS_OPTS[@]}" 2>/dev/null; then
log "Successfully mounted sshfs: $remote"
return 0
else
log "Failed to mount sshfs: $remote"
return 1
fi
}
ensure_mounts() {
local failed_rclone=()
local failed_sshfs=()
# First pass: attempt all mounts
log "First pass: attempting all mounts"
# Handle rclone mounts
for remote in "${!RCLONE_MOUNTS[@]}"; do
IFS=':' read -r mount_point is_crypt <<<"${RCLONE_MOUNTS[$remote]}"
RCLONE_ATTEMPTS[$remote]=0
if ! mount_rclone "$remote" "$mount_point" "$is_crypt"; then
failed_rclone+=("$remote")
fi
done
# Handle sshfs mounts
for remote in "${!SSHFS_MOUNTS[@]}"; do
IFS=':' read -r remote_path mount_point <<<"${SSHFS_MOUNTS[$remote]}"
SSHFS_ATTEMPTS[$remote]=0
if ! mount_sshfs "${remote}:${remote_path}" "$mount_point"; then
failed_sshfs+=("$remote")
fi
done
# Retry failed mounts
while [[ ${#failed_rclone[@]} -gt 0 || ${#failed_sshfs[@]} -gt 0 ]]; do
log "Retrying failed mounts in ${RETRY_DELAY} seconds..."
sleep "$RETRY_DELAY"
# Clear failed arrays for this round
local current_failed_rclone=()
local current_failed_sshfs=()
# Retry rclone mounts
for remote in "${failed_rclone[@]}"; do
IFS=':' read -r mount_point is_crypt <<<"${RCLONE_MOUNTS[$remote]}"
RCLONE_ATTEMPTS[$remote]=$((RCLONE_ATTEMPTS[$remote] + 1))
if [[ ${RCLONE_ATTEMPTS[$remote]} -ge $MAX_RETRIES ]]; then
log "rclone $remote: reached max retries ($MAX_RETRIES), giving up"
continue
fi
if mount_rclone "$remote" "$mount_point" "$is_crypt"; then
log "rclone $remote: mount successful on retry"
else
current_failed_rclone+=("$remote")
fi
done
# Retry sshfs mounts
for remote in "${failed_sshfs[@]}"; do
IFS=':' read -r remote_path mount_point <<<"${SSHFS_MOUNTS[$remote]}"
SSHFS_ATTEMPTS[$remote]=$((SSHFS_ATTEMPTS[$remote] + 1))
if [[ ${SSHFS_ATTEMPTS[$remote]} -ge $MAX_RETRIES ]]; then
log "sshfs $remote: reached max retries ($MAX_RETRIES), giving up"
continue
fi
if mount_sshfs "${remote}:${remote_path}" "$mount_point"; then
log "sshfs $remote: mount successful on retry"
else
current_failed_sshfs+=("$remote")
fi
done
# Update failed arrays for next iteration
failed_rclone=("${current_failed_rclone[@]}")
failed_sshfs=("${current_failed_sshfs[@]}")
# If both arrays are empty, we're done
if [[ ${#failed_rclone[@]} -eq 0 && ${#failed_sshfs[@]} -eq 0 ]]; then
log "All mounts successful"
break
fi
done
}
main() {
log "Starting mount daemon"
ensure_mounts
log "Mount operations completed, sleeping"
while true; do
sleep 3600 # Sleep for an hour, then check again if needed
done
}
main "$@"
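Review bot: `BASE_RCLONE_OPTS` mounts every remote, including the crypt remote `koofr_vault`, with `--allow-other --umask 000`, so decrypted vault content is readable and writable by every local user through the mount; the write cache additionally sits at the fixed path `/tmp/rclone-cache`, which another local user can create first. I would use `--umask 077` (dropping `--allow-other` unless another account really needs the mount) and a cache directory under the service user's home, e.g. `--cache-dir "${HOME}/.cache/rclone"`. Separately, under `set -u` the line `failed_rclone=("${current_failed_rclone[@]}")` aborts on bash older than 4.4 when the array is empty, and "All mounts successful" is logged even when a mount was dropped after `MAX_RETRIES`.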


@@ -0,0 +1,19 @@
#!/bin/bash
# Check if WireGuard tunnel is up, restart if down
PING=/bin/ping
SERVICE=/usr/bin/systemctl
tries=0
while [[ $tries -lt 3 ]]
do
if $PING -c 1 10.10.10.1 &> /dev/null
then
exit 0
fi
tries=$((tries+1))
sleep 2
done
# Failed 3 times, restart
$SERVICE restart wg-quick@wg0
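Review bot: The restart of `wg-quick@wg0` leaves no trace, so a tunnel that flaps repeatedly is invisible afterwards. A line such as `logger -t wg-check "10.10.10.1 unreachable after 3 pings, restarting wg-quick@wg0"` just before the restart would put each event in the system log.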

40
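--- a/servers/hestia/sh/cron.sh
+++ b/servers/hestia/sh/cron.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+set -e
+# Validate number of arguments
+if [ "$#" -ne 3 ]; then
+echo "Usage: $0 <job-name> <command> <frequency>"
+exit 1
+fi
+JOB_NAME=$1
+COMMAND=$2
+FREQUENCY=$3
+LOG_DIR="$HOME/.logs"
+LOG_FILE="$LOG_DIR/$JOB_NAME.log"
+# Ensure crontab for current user
+if ! crontab -l &>/dev/null; then
+echo "# Empty crontab created on $(date)" > /tmp/crontab$$
+crontab /tmp/crontab$$
+rm -f /tmp/crontab$$
+echo "Crontab created"
+fi
+# Ensure log directory exists
+mkdir -p "$LOG_DIR"
+# Build entry
+ENTRY="$FREQUENCY CRON=1 $COMMAND >> $LOG_FILE 2>&1 # $JOB_NAME"
+# Check if there's an existing job with the same name
+if crontab -l 2>/dev/null | grep -q "# $JOB_NAME$"; then
+# Job exists, update it
+(crontab -l 2>/dev/null | grep -v "# $JOB_NAME$"; echo "$ENTRY") | crontab -
+echo "Updated cron job: $JOB_NAME"
+else
+# No job found, adding it
+(crontab -l 2>/dev/null; echo $ENTRY) | crontab -
+echo "Added new cron job: $JOB_NAME"
+fi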
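Review bot: In the add branch, `echo $ENTRY` is unquoted, so the `*` fields of a schedule such as `*/5 * * * *` are glob-expanded against the current directory before the line reaches `crontab -`; the update branch already quotes it. It should read `(crontab -l 2>/dev/null; echo "$ENTRY") | crontab -`. The bootstrap step also writes to the predictable path `/tmp/crontab$$`; `mktemp` or piping straight into `crontab -` avoids that. `$JOB_NAME` is used unescaped as a grep pattern and as a file name, so it is worth restricting it to `[A-Za-z0-9_-]`.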

46
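--- a/servers/hestia/sh/update.sh
+++ b/servers/hestia/sh/update.sh
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+CUSTOM_LOCK="/tmp/update_script.lock"
+if [ -n "$CRON" ] && ! sudo -n true 2>/dev/null; then
+echo "This script requires passwordless sudo to run while in cron context."
+exit 1
+fi
+cleanup() {
+flock -u "$LOCK_FD"
+exec {LOCK_FD}>&-
+sudo rm -f "$CUSTOM_LOCK"
+}
+wait_for_locks() {
+local LOCK
+for LOCK in /var/lib/dpkg/lock-frontend /var/lib/apt/lists/lock /var/cache/apt/archives/lock; do
+while sudo fuser $LOCK >/dev/null 2>&1; do
+sleep 1
+done
+done
+}
+sudo touch "$CUSTOM_LOCK"
+sudo chmod 666 "$CUSTOM_LOCK"
+exec {LOCK_FD}>"$CUSTOM_LOCK" || exit 1
+flock "$LOCK_FD" || exit 1
+trap cleanup EXIT INT TERM
+wait_for_locks
+echo "Updating system..."
+sudo apt-get -qq update -u -y --allow-releaseinfo-change
+sudo apt-get -qq --fix-broken install
+sudo dpkg --configure -a
+sudo apt-get -qq full-upgrade -y
+sudo apt-get -qq clean -y
+sudo apt-get -qq --purge autoremove -y
+sudo apt-get -qq autoclean -y
+# sudo python3 -m pip install --upgrade pip > /dev/null 2>&1
+echo "System update complete"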
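Review bot: `sudo touch` followed by `sudo chmod 666` on the fixed path `/tmp/update_script.lock` performs root operations on a name any local user can create first; where the kernel's symlink protection is not enabled a link planted there would be followed, and even where it is, any user can hold the lock and stall updates. Keeping the lock somewhere only the invoking user can write, e.g. `CUSTOM_LOCK="$HOME/.update_script.lock"`, removes the need for `sudo touch`, `chmod 666` and `sudo rm`. `--allow-releaseinfo-change` on an unattended run also accepts a repository changing its Release metadata without anyone seeing it; I would leave that flag for interactive runs.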

BIN
servers/pan/.alsaequal.bin Normal file

Binary file not shown.

Binary file not shown.

Binary file not shown.


@@ -0,0 +1,6 @@
RESET="66 66 66 66 66 66 66 66 66 66"
Bass_Vibrant="66 69 69 68 66 66 69 66 74 68"
Tamed_Bass_Depth="63 68 66 69 66 66 71 66 74 69"
Sleep="58 63 61 64 66 66 71 66 74 69"
TREBLE="66 66 66 66 66 66 66 71 76 76"
BASS="76 76 71 66 66 66 66 66 66 66"

39
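--- a/servers/pan/.ash_history
+++ b/servers/pan/.ash_history
@@ -0,0 +1,39 @@
+wget -O - https://raw.githubusercontent.com/lovehifi/tidalconnect-picore/main/install.sh | sh
+tce-remove ipv6-netfilter-5.15.35-pcpCore-v71.tcz
+tce-ab
+q
+nano /etc/passwd
+tce-load -wi nano
+nano /etc/passwd
+#exit
+exit
+sudo cp -r .terminfo /root/
+nano /etc/passwd
+sudo !!
+sudo nano /etc/passwd
+filetool.sh -b
+sudo filetool.sh -b
+pcp bu
+cd Tidal-Connect-Armv7/
+mv -f ../tidal_connect bin/
+mv -f ../speaker_controller bin/
+mv ../i* id_certificate/
+mv -f id_certificate/ifi-pa-devs-get bin/
+mv ../IfiAudio_* id_certificate/
+nano tidal.sh
+cd ../
+nano .boot.sh
+chmod +x .boot.sh
+nano .boot.sh
+nano .boot.sh
+ifconfig
+sudo pcp bu
+./.boot.sh
+nano .boot.sh
+tce-load openssl
+tce-load -wi openssl
+tce-ab
+./.boot.sh
+nano .boot.sh
+./.boot.sh
+sudo pcp bu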
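Review bot: Shell history is being tracked: this file and `servers/pan/.bash_history` later in the commit record interactive sessions, including internal addresses and mount options, and will pick up anything typed on a command line in future syncs. The `.gitignore` change in this commit already excludes `servers/pan/.ssh` and `servers/pan/.cifs.cred`; I would add `servers/pan/.ash_history` and `servers/pan/.bash_history` next to them and remove both files from the index. The first entry also shows the Tidal Connect installer being piped from a branch head into `sh`; if that step must be repeatable, a checked-in script that fetches a fixed commit and verifies a checksum is the reviewable form.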

50
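--- a/servers/pan/.ashrc
+++ b/servers/pan/.ashrc
@@ -0,0 +1,50 @@
+# ~/.ashrc: Executed by SHells.
+#
+. /etc/init.d/tc-functions
+if [ -n "$DISPLAY" ]
+then
+`which editor >/dev/null` && EDITOR=editor || EDITOR=vi
+else
+EDITOR=vi
+fi
+export EDITOR
+PS1='\[\033[01;32m\]\u@\h:\[\033[00m\]\[\033[01;34m\]\w\$\[\033[00m\] '
+export PS1
+TCEDEV="/dev/$(readlink /etc/sysconfig/tcedir | cut -d '/' -f3)"
+TCEMNT="/mnt/$(readlink /etc/sysconfig/tcedir | cut -d '/' -f3)"
+BOOTDEV=${TCEDEV%%?}1
+BOOTMNT=${TCEMNT%%?}1
+# Alias definitions.
+#
+alias df='df -h'
+alias du='du -h'
+alias ls='ls -p'
+alias ll='ls -l'
+alias la='ls -la'
+# Avoid errors... use -f to skip confirmation.
+alias cp='cp -i'
+alias mv='mv -i'
+alias rm='rm -i'
+# Change directory to
+alias ce="cd $TCEMNT/tce"
+alias ceo="cd $TCEMNT/tce/optional"
+alias c1="cd $BOOTMNT"
+alias c2="cd $TCEMNT"
+# Mount partition
+alias m1="mount $BOOTMNT"
+alias m2="mount $TCEMNT"
+# Unmount partition
+alias u1="umount $BOOTMNT"
+alias u2="umount $TCEMNT"
+# Edit config files
+alias vicfg="vi $BOOTMNT/config.txt"
+alias vicmd="vi $BOOTMNT/cmdline.txt"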

119
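--- a/servers/pan/.bash_history
+++ b/servers/pan/.bash_history
@@ -0,0 +1,119 @@
+./.boot.sh
+sudo ./.boot.sh
+nano Tidal-Connect-Armv7/tidal.sh
+sudo ./.boot.sh
+nano .bashrc
+pcp bu
+exit
+sudo ./.boot.sh
+nano Tidal-Connect-Armv7/tidal.sh
+sudo ./.boot.sh
+sudo ./.boot.sh
+nano Tidal-Connect-Armv7/tidal.sh
+sudo ./.boot.sh
+cd Tidal-Connect-Armv7/
+bin/tidal_connect
+sudo bin/tidal_connect
+sudo pkill tidal_connect
+sudo pkill tidal.sh
+sudo pkill tidal.sh
+sudo bin/tidal_connect
+sudo ./tidal.sh
+sudo ./tidal.sh start
+nano ./tidal.sh
+sudo ./tidal.sh start
+cd ../
+sudo su
+nano Tidal-Connect-Armv7/tidal.sh
+qq
+exit
+bluetoothctl
+nano .boot.sh
+git clone https://github.com/novaws/rtl8761bu
+cd rtl8761bu/
+ll
+mv rtl8761bu/rtl8761b_mp_chip_bt40_fw_asic_rom_patch_new.dat /lib/firmware/rtl_bt/rtl8761bu_fw.bin
+sudo mv rtl8761bu/rtl8761b_mp_chip_bt40_fw_asic_rom_patch_new.dat /lib/firmware/rtl_bt/rtl8761bu_fw.bin
+sudo su
+cd ../
+git clone https://github.com/novaws/rtl8761bu
+rm -rf rtl8761bu/
+git clone https://github.com/novaws/rtl8761bu
+cd rtl8761bu/
+sudo su
+exit
+nano .boot.sh
+nano .boot.sh
+fieltool.sh -b
+sudo filetool.sh -b
+pcp bu
+sudo pcp bu
+sudo su
+exit
+sudo su
+exit
+ll
+nano .boot.sh
+sudo modprobe -r btusb
+sudo modprobe btusb
+hciconfig hci0 up && /usr/local/lib/bluetooth/bluetoothd &
+lsusb
+sudo su
+cd /mnt
+ls
+sudo mount -t cifs //192.168.0.231/music /mnt/music -o guest,vers=3.0,uid=1000,gid=1000,iocharset=utf8,file_mode=0775,dir_mode=0775
+mkdir music
+sudo mkdir music
+sudo su
+sudo mount -t cifs //192.168.0.231/music /mnt/music -o guest,vers=3.0,uid=1000,gid=1000,iocharset=utf8,file_mode=0775,dir_mode=0775
+cd music/
+ls
+rm -f test_music
+sudo rm -f test_music
+ls
+ls -la
+touch /mnt/music/test_from_pi && ls /mnt/music/test_from_pi && rm /mnt/music/test_from_pi
+ls -la
+sudo touch hi && ls && sudo rm hi
+cd ../
+sudo umount music/
+sudo mount -t cifs //192.168.0.231/music /mnt/music -o guest,vers=3.0,uid=1000,gid=1000,file_mode=0666,dir_mode=0777,iocharset=utf8
+touch /mnt/music/client_test && ls /mnt/music/client_test && rm /mnt/music/client_test
+sudo umount music
+ll
+cd music/
+ll
+touch test
+ll
+ll
+ll
+ll
+ll
+ls -la
+cat test
+ls -la
+mkdir pan/{playlist,music}
+ll
+mkdir -p pan/{playlist,music}
+cd
+nano .alsaequal.presets
+nano .alsaequal.presets
+nano .alsaequal.presets
+nano .alsaequal.presets
+cd /mnt/music/
+ll
+cd pan/
+ll
+mkdir -p information/{artwork,album_reviews,artist_photos,biographies,lyrics}
+cd /var/log
+ll
+tail -f slimserver/server.log
+pcp -h
+pcp ll
+cat /var/www/index.html
+sudo su -
+mkdir -p /mnt/music/pan/playlist/PlayLogSongLogs
+sudo su-
+sudo su
+tail -f /var/log/pcp_squeezelite.log
+sudo tail -f /var/log/pcp_squeezelite.log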

2
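--- a/servers/pan/.bashrc
+++ b/servers/pan/.bashrc
@@ -0,0 +1,2 @@
+sudo cp -rf /home/tc/.terminfo /root/
+source /usr/local/etc/bashrc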

11
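--- a/servers/pan/.boot.sh
+++ b/servers/pan/.boot.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+sudo modprobe -r btusb
+sudo modprobe btusb
+hciconfig hci0 up && /usr/local/lib/bluetooth/bluetoothd &
+sudo pkill tidal.sh
+sudo pkill tidal_connect
+rm -f /tmp/tisoc-controller
+sudo /usr/local/etc/init.d/avahi start
+sudo /home/tc/Tidal-Connect-Armv7/tidal.sh start &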

36
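--- a/servers/pan/.profile
+++ b/servers/pan/.profile
@@ -0,0 +1,36 @@
+# ~/.profile: Executed by Bourne-compatible login SHells.
+#
+# Path to personal scripts and executables (~/.local/bin).
+[ -d "$HOME/.local/bin" ] || mkdir -p "$HOME/.local/bin"
+export PATH=$HOME/.local/bin:$PATH
+ONDEMAND=/etc/sysconfig/tcedir/ondemand
+[ -d "$ONDEMAND" ] && export PATH=$PATH:"$ONDEMAND"
+# Environment variables and prompt for Ash SHell
+# or Bash. Default is a classic prompt.
+#
+PS1='\u@\h:\w\$ '
+PAGER='less -EM'
+MANPAGER='less -isR'
+EDITOR=vi
+export PS1 PAGER FILEMGR EDITOR MANPAGER
+export BACKUP=1
+[ "`id -un`" = "`cat /etc/sysconfig/tcuser`" ] && echo "$BACKUP" | sudo tee /etc/sysconfig/backup >/dev/null 2>&1
+export FLWM_TITLEBAR_COLOR="58:7D:AA"
+if [ -f "$HOME/.ashrc" ]; then
+export ENV="$HOME/.ashrc"
+. "$HOME/.ashrc"
+fi
+TERMTYPE=`/usr/bin/tty`
+[ ${TERMTYPE:5:3} == "tty" ] && (
+[ ! -f /etc/sysconfig/Xserver ] ||
+[ -f /etc/sysconfig/text ] ||
+[ -e /tmp/.X11-unix/X0 ] ||
+startx
+)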

45
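--- a/servers/pan/asound.conf
+++ b/servers/pan/asound.conf
@@ -0,0 +1,45 @@
+# Optimized ALSA config for piCorePlayer - Syntax-fixed plug for format/resampling quality
+pcm.!default {
+type plug
+slave.pcm "equal" # Routes to EQ chain (equal -> plugequal -> plugdefault -> hw:0,0)
+ttable.0.0 1
+ttable.1.1 1
+rate 44100 # Default; auto-resamples sources (up to 192kHz) with dither for stable bass/highs
+}
+ctl.!default {
+type hw
+card 0
+}
+# Intermediate plug PCM for EQ compatibility/resampling (explicit format in slave)
+pcm.plugdefault {
+type plug
+slave {
+pcm "hw:0,0" # Direct to bcm2835 headphone jack (3.5mm)
+rate 44100
+format S16_LE # Native Pi format only here; dither reduces artifacts on conversion
+}
+}
+# ALSA 10-band Equalizer (your working LADSPA - unchanged)
+ctl.equal {
+type equal;
+controls "/home/tc/.alsaequal.bin"
+library "/usr/local/lib/ladspa/caps.so"
+}
+pcm.plugequal {
+type equal;
+slave.pcm "plugdefault";
+controls "/home/tc/.alsaequal.bin"
+library "/usr/local/lib/ladspa/caps.so"
+}
+pcm.equal {
+type plug;
+slave.pcm plugequal;
+ttable.0.0 1
+ttable.1.1 1
+}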


@@ -0,0 +1,68 @@
# default - Generated by piCorePlayer
pcm.!default {
type hw
slave.pcm "hw:0,0"
}
pcm.pcpinput {
type plug
card 0
device 0
}
#---ALSA EQ Below--------
pcm.sound_device {
type hw
slave.pcm {
type hw
card
device 0
}
}
ctl.equal {
type equal;
controls "/home/tc/.alsaequal.bin"
library "/usr/local/lib/ladspa/caps.so"
}
pcm.plugequal {
type equal;
slave.pcm "sound_device";
controls "/home/tc/.alsaequal.bin"
library "/usr/local/lib/ladspa/caps.so"
}
pcm.equal {
type plug;
slave.pcm plugequal;
}
#Bluetooth bt_W-King - Generated by pCP
pcm.bt_W-King {
type plug
slave.pcm {
type bluealsa
service "org.bluealsa"
device F4:4E:FC:1A:52:ED
profile "a2dp"
}
}
ctl.equal_bt_W-King {
type equal;
controls "/home/tc/.alsaequal.bin.bt_W-King"
library "/usr/local/lib/ladspa/caps.so"
}
pcm.plugequal_bt_W-King {
type equal;
slave.pcm "bt_W-King";
controls "/home/tc/.alsaequal.bin.bt_W-King"
library "/usr/local/lib/ladspa/caps.so"
}
pcm.equal_bt_W-King {
type plug;
slave.pcm plugequal_bt_W-King;
}

102
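--- a/servers/pan/pcp-powerbutton.sh
+++ b/servers/pan/pcp-powerbutton.sh
@@ -0,0 +1,102 @@
+#!/bin/sh
+#
+# piCorePlayer Power Button Script - Used to shutdown pCP with a GPIO input.
+#
+# Defaults are for the Audiophonics power button
+DEBUG=0
+IN_LOW=0
+PIN_IN=17
+PIN_OUT=22
+PUPDOWN="off"
+PATH=/bin:/usr/bin:/usr/local/bin
+usage() {
+echo " usage: $0 [-i] [-o] [--low] [--help] [--debug]"
+echo " -i GPIO input pin to shutdown pCP"
+echo " -o GPIO output pin for successful pCP boot"
+echo " --low Input is active low (and set pull up resistor)"
+echo " --high Input is active high (and set pull down resistor)"
+echo " --debug Script run as normal, but will not shutdown pCP"
+echo " --help script usage"
+echo ""
+echo " Note: pin numbers are in BCM notation"
+echo ""
+exit 1
+}
+validate_pin(){
+VAL=$(echo $1 | grep -o '[[:digit:]]*')
+if [ "$VAL" != "" ]; then
+if [ $VAL -le 31 ]; then
+return 0
+fi
+fi
+return 1
+}
+which pinctrl > /dev/null
+if [ $? -ne 0 ]; then
+if [ -f /etc/sysconfig/tcedir/optional/raspi-utils.tcz ]; then
+tce-load -i raspi-utils.tcz
+else
+echo "Raspi-utils required for this command"
+echo "Install using: pcp-load -w raspi-utils.tcz"
+exit 1
+fi
+fi
+O=$(getopt -al help,low,high,debug -- i:o:h "$@") || exit 1
+eval set -- "$O"
+[ "$1" = "--" ] && echo "No command line settings, Using defaults"; echo ""
+while true; do
+case "$1" in
+-i) PIN_IN=$2; shift;;
+-o) PIN_OUT=$2; shift;;
+--debug) DEBUG=1;;
+--low) IN_LOW=1; PUPDOWN="pu";;
+--high) IN_LOW=0; PUPDOWN="pd";;
+--help) usage;;
+--) shift; break;;
+-*) usage;;
+*) break;;
+esac
+shift
+done
+echo "piCorePlayer Power button shutdown script starting..."
+validate_pin $PIN_IN
+if [ $? -ne 0 ]; then
+echo "Error in Input Pin Assignment"
+exit 1
+fi
+validate_pin $PIN_OUT
+if [ $? -ne 0 ]; then
+echo "Error in Output Pin Assignment"
+exit 1
+fi
+echo "Asserting pins : "
+echo -n "ShutDown : GPIO${PIN_IN}=in, "
+[ ${IN_LOW} -eq 1 ] && echo "Low" || echo "High"
+echo "BootOK : GPIO${PIN_OUT}=out, High"
+sudo pinctrl set $PIN_IN ip $PUPDOWN
+sudo pinctrl set $PIN_OUT op dh
+[ $IN_LOW -eq 0 ] && IN_CHK="hi" || IN_CHK="lo"
+while [ 1 ]; do
+if [ "$(sudo /usr/local/bin/pinctrl get ${PIN_IN} | awk -F' ' '{print $5}')" = "$IN_CHK" ]; do
+echo "piCorePlayer shutting down."
+[ $DEBUG -eq 0 ] && exitcheck.sh shutdown
+break
+fi
+/bin/sleep 1
+done
+exit 0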
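Review bot: The polling loop opens its `if` with `do` instead of `then` (`... = "$IN_CHK" ]; do`), which is a syntax error: the pins are configured and then the shell stops when it parses the `while`, so the button never triggers a shutdown. The line should end `= "$IN_CHK" ]; then`. If this file is a copy of the stock piCorePlayer script, it is worth diffing it against the original to see whether the sync introduced the change.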

33
servers/pan/powerscript.sh Executable file
View File

@@ -0,0 +1,33 @@
#!/bin/sh
#========================================================================================
# Basic gpio script
#----------------------------------------------------------------------------------------
# squeezelite -S /home/tc/powerscript.sh
#
# squeezelite sets $1 to:
# 0: off
# 1: on
# 2: initialising
#----------------------------------------------------------------------------------------
# Version: 0.01 2016-03-03 GE
# Original.
# type tty at prompt to determine dev
#TERMINAL=/dev/console # boot console
TERMINAL=/dev/pts/0 # ssh window
case $1 in
2)
echo "$1: Initialising..." >$TERMINAL
;;
1)
echo "$1: turn on" >$TERMINAL
;;
0)
echo "$1: turn off" >$TERMINAL
;;
esac