switch to upstream docker -- hopefully fixes ipv6 source address issues

Jacob Lifshay 2024-07-14 03:27:19 -07:00
parent a8f3a2fad8
commit 92bb25d2f0
Signed by: programmerjake
SSH key fingerprint: SHA256:B1iRVvUJkvd7upMIiMqn6OyxvD2SgJkAH3ZnUOj6z+c
5 changed files with 28 additions and 42 deletions


@ -28,6 +28,8 @@ services:
links: links:
- forgejo - forgejo
- mail - mail
networks:
- net_with_ipv6
labels: labels:
- "com.centurylinklabs.watchtower.enable=true" - "com.centurylinklabs.watchtower.enable=true"
forgejo: forgejo:
@ -48,6 +50,8 @@ services:
- "127.0.0.1:2222:22" - "127.0.0.1:2222:22"
links: links:
- mail:mail.${BASE_DOMAIN_NAME} - mail:mail.${BASE_DOMAIN_NAME}
networks:
- net_with_ipv6
labels: labels:
- "com.centurylinklabs.watchtower.enable=true" - "com.centurylinklabs.watchtower.enable=true"
mail: mail:
@ -68,5 +72,12 @@ services:
- /etc/letsencrypt:/etc/letsencrypt:ro - /etc/letsencrypt:/etc/letsencrypt:ro
- /etc/ssl/certs:/etc/ssl/certs:ro - /etc/ssl/certs:/etc/ssl/certs:ro
- /usr/local/share/ca-certificates:/usr/local/share/ca-certificates:ro - /usr/local/share/ca-certificates:/usr/local/share/ca-certificates:ro
networks:
- net_with_ipv6
# labels: # labels:
# - "com.centurylinklabs.watchtower.enable=true" # - "com.centurylinklabs.watchtower.enable=true"
networks:
net_with_ipv6:
attachable: true
enable_ipv6: true
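Review bot: `net_with_ipv6` (last hunk) sets `enable_ipv6: true` but declares no `ipam` block, so its v4 and v6 subnets come from whatever the daemon's default address pools are, and this same commit removes the explicit `default-address-pools` from daemon.json, so the network now depends on docker-ce's built-in defaults that the repo no longer controls. If the container source address needs to be predictable (firewall rules, the `ip6tables` NAT setup, or the source-address problem the commit title mentions), pin it with an `ipam.config` subnet here instead of relying on those defaults. `attachable: true` also lets any other compose project or a manual `docker network connect` join this network; if nothing outside `-p server` needs that, dropping it keeps the network private to this project. A one-line comment such as `# no ipam subnet: ranges come from the daemon's default address pools` would make the dependency visible to the next reader.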


@ -123,13 +123,22 @@ if [[ "$(id -u)" != 0 ]]; then
fatal "must be ran as root" fatal "must be ran as root"
fi fi
apt-get remove -y -q docker.io docker-doc docker-compose podman-docker containerd runc
mkdir -p /var/lib/stalwart-mail mkdir -p /var/lib/stalwart-mail
apt-get update -y -q apt-get update -y -q
apt-get install jq gettext-base diffutils -y -q apt-get install ca-certificates curl jq gettext-base diffutils -y -q
# force using overlay2 driver so btrfs snapshots will snapshot the entire system and not miss all the docker stuff # force using overlay2 driver so btrfs snapshots will snapshot the entire system and not miss all the docker stuff
mkdir -p /etc/docker mkdir -p /etc/docker
write_config --src templates/etc/docker/daemon.json --dest /etc/docker/daemon.json write_config --src templates/etc/docker/daemon.json --dest /etc/docker/daemon.json
apt-get install certbot docker-compose docker.io sudo openssl crudini git ssl-cert curl -y -q write_config --src templates/etc/apt/sources.list.d/docker.list \
--dest /etc/apt/sources.list.d/docker.list \
--var dpkg_arch="$(dpkg --print-architecture)" \
--var VERSION_CODENAME="$(. /etc/os-release && echo "$VERSION_CODENAME")"
curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
chmod a+r /etc/apt/keyrings/docker.asc
apt-get update -y -q
apt-get install certbot docker-ce docker-ce-cli containerd.io docker-compose-plugin sudo openssl crudini git ssl-cert -y -q
if ((${#test_ca_list[@]})); then if ((${#test_ca_list[@]})); then
install -m 644 "${test_ca_list[0]}" /usr/local/share/ca-certificates/test-root.crt install -m 644 "${test_ca_list[0]}" /usr/local/share/ca-certificates/test-root.crt
install -m 644 "${test_ca_list[1]}" /usr/local/share/ca-certificates/test-root2.crt install -m 644 "${test_ca_list[1]}" /usr/local/share/ca-certificates/test-root2.crt
@ -207,7 +216,7 @@ for _ in {0..30}; do
done done
echo "server up" echo "server up"
certbot_args=(certonly -n --email "postmaster@$BASE_DOMAIN_NAME" "--server=$ACME_SERVER_URL" --cert-name server --agree-tos --webroot --webroot-path /var/www) certbot_args=(certonly -n --email "postmaster@$BASE_DOMAIN_NAME" "--server=$ACME_SERVER_URL" --cert-name server --agree-tos --webroot --webroot-path /var/www)
certbot_args+=(--disable-hook-validation --post-hook "cd '$wd' && docker-compose -p server restart") certbot_args+=(--disable-hook-validation --post-hook "cd '$wd' && docker compose -p server restart")
for subdomain in "${subdomains[@]}"; do for subdomain in "${subdomains[@]}"; do
if [[ -n "$subdomain" ]]; then if [[ -n "$subdomain" ]]; then
subdomain+=. subdomain+=.
@ -218,7 +227,7 @@ done
retry_if_failed certbot "${certbot_args[@]}" retry_if_failed certbot "${certbot_args[@]}"
trap EXIT trap EXIT
docker stop "$nginx_container" docker stop "$nginx_container"
DOCKER_BUILDKIT=1 docker-compose -p server up -d DOCKER_BUILDKIT=1 docker compose -p server up -d
sleep 10 sleep 10
if [[ -n "$mail_passwd_hash" ]]; then if [[ -n "$mail_passwd_hash" ]]; then
forgejo_smtp_passwd="$(crudini --get /etc/forgejo/app.ini mailer PASSWD)" forgejo_smtp_passwd="$(crudini --get /etc/forgejo/app.ini mailer PASSWD)"
@ -227,7 +236,7 @@ if [[ -n "$mail_passwd_hash" ]]; then
curl -u "admin:$mail_passwd" "https://mail.$BASE_DOMAIN_NAME/api/dkim" --data-binary '{"id":null,"algorithm":"Rsa","domain":"'"$BASE_DOMAIN_NAME"'","selector":null}' > /dev/null curl -u "admin:$mail_passwd" "https://mail.$BASE_DOMAIN_NAME/api/dkim" --data-binary '{"id":null,"algorithm":"Rsa","domain":"'"$BASE_DOMAIN_NAME"'","selector":null}' > /dev/null
stalwart-cli account create -d 'Admin Account' -i true -a "postmaster@$BASE_DOMAIN_NAME" 'admin' "$mail_passwd" stalwart-cli account create -d 'Admin Account' -i true -a "postmaster@$BASE_DOMAIN_NAME" 'admin' "$mail_passwd"
stalwart-cli account create -d 'Forgejo Server' -i false -a "forgejo@$BASE_DOMAIN_NAME" 'forgejo' "$forgejo_smtp_passwd" stalwart-cli account create -d 'Forgejo Server' -i false -a "forgejo@$BASE_DOMAIN_NAME" 'forgejo' "$forgejo_smtp_passwd"
add_postmaster=(docker-compose -p server exec -T -u git forgejo forgejo admin user create --admin --username postmaster --password "$mail_passwd" --email "postmaster@$BASE_DOMAIN_NAME") add_postmaster=(docker compose -p server exec -T -u git forgejo forgejo admin user create --admin --username postmaster --password "$mail_passwd" --email "postmaster@$BASE_DOMAIN_NAME")
retry_if_failed -q "${add_postmaster[@]}" retry_if_failed -q "${add_postmaster[@]}"
forum_smtp_passwd="$(sed 's/^ *DISCOURSE_SMTP_PASSWORD: "*\([^"]*\)"$/\1/p; d' < /var/discourse/containers/app.yml)" forum_smtp_passwd="$(sed 's/^ *DISCOURSE_SMTP_PASSWORD: "*\([^"]*\)"$/\1/p; d' < /var/discourse/containers/app.yml)"
[[ -n "$forum_smtp_passwd" ]] || fatal "can't parse smtp password out of /var/discourse/containers/app.yml" [[ -n "$forum_smtp_passwd" ]] || fatal "can't parse smtp password out of /var/discourse/containers/app.yml"
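Review bot: The apt trust root for the new docker-ce source is fetched at install time with `curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc` (first hunk) and never checked, so the `signed-by=` key apt will trust for every future docker-ce upgrade is whatever that one download returned; an intercepted TLS session or a bad CDN response at install time turns into a persistent package-signing trust. Prefer vendoring the key next to the other templates and installing it the way the test CAs are installed a few lines below, `install -m 644 templates/etc/apt/keyrings/docker.asc /etc/apt/keyrings/docker.asc`, so the trust root is reviewed in version control and no network trust is needed; failing that, verify the download against a pinned fingerprint before the second `apt-get update`, e.g. `gpg --show-keys --with-colons /etc/apt/keyrings/docker.asc | grep -q '^fpr:.*:<EXPECTED_DOCKER_KEY_FINGERPRINT>:$' || fatal "unexpected docker apt key"` (adds a gnupg dependency to the L52 install line). `/etc/apt/keyrings` is not created in the visible lines, though the hunk's line counts suggest the rendering dropped a couple of lines, so this may already be handled; if not, `install -m 0755 -d /etc/apt/keyrings` before the curl avoids a failed download on releases that do not ship that directory. `fatal`, `write_config` and the enclosing script start outside the hunk.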


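--- /dev/null
+++ b/templates/etc/apt/sources.list.d/docker.list
@@ -0,0 +1 @@
+deb [arch=$dpkg_arch signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $VERSION_CODENAME stable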


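--- a/templates/etc/docker/daemon.json
+++ b/templates/etc/docker/daemon.json
@@ -2,41 +2,6 @@
 "storage-driver": "overlay2",
 "ipv6": true,
 "fixed-cidr-v6": "fd57:d7e4:f221::/64",
-"experimental": true,
 "ip6tables": true,
-"userland-proxy": false,
-"default-address-pools": [
-{
-"base": "172.17.0.0/16",
-"size": 16
-},
-{
-"base": "172.18.0.0/16",
-"size": 16
-},
-{
-"base": "172.19.0.0/16",
-"size": 16
-},
-{
-"base": "172.20.0.0/14",
-"size": 16
-},
-{
-"base": "172.24.0.0/14",
-"size": 16
-},
-{
-"base": "172.28.0.0/14",
-"size": 16
-},
-{
-"base": "fd57:d7e4:f221:1::/64",
-"size": 64
-},
-{
-"base": "fd57:d7e4:f221:2::/64",
-"size": 64
-}
-]
+"userland-proxy": true
 }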
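Review bot: `"userland-proxy"` flips from `false` to `true` and `"experimental"` plus the whole `default-address-pools` list are dropped, but nothing records why; daemon.json cannot carry comments, so the rationale belongs in the install script next to the existing overlay2 comment, e.g. `# daemon.json: userland-proxy=true, no explicit address pools -- needed for correct IPv6 source addresses with upstream docker-ce (commit 92bb25d2f0)`, adjusted to the actual reason. With the v6 pools gone, user-defined networks that enable IPv6 take their subnet from docker-ce's built-in defaults rather than the removed `fd57:d7e4:f221:1::/64`-style ranges, which is presumably intended but worth a line in that same comment. Enabling the userland proxy also changes how published ports such as `127.0.0.1:2222:22` are bound (a `docker-proxy` listener per mapping in addition to the ip(6)tables rules), so confirm the loopback-only bindings still behave as before.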


@ -1,5 +1,5 @@
mail_passwd="$mail_passwd" mail_passwd="$mail_passwd"
function stalwart-cli() function stalwart-cli()
{ {
(cd "$wd" && CREDENTIALS="admin:$mail_passwd" exec docker-compose -p server exec -T -e CREDENTIALS mail stalwart-cli -u "http://localhost" "$@") (cd "$wd" && CREDENTIALS="admin:$mail_passwd" exec docker compose -p server exec -T -e CREDENTIALS mail stalwart-cli -u "http://localhost" "$@")
} }