From 4ed726b9b1ce934cc57ce932cc7c5f3c8bbbae19 Mon Sep 17 00:00:00 2001
From: "Lockszmith (runtipi@kateryna)"
Date: Fri, 13 Dec 2024 10:19:56 -0500
Subject: [PATCH 1/3] added `runtipictl shell`
---
 _bin/runtipictl | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/_bin/runtipictl b/_bin/runtipictl
index 102d0ef..6c871ab 100755
--- a/_bin/runtipictl
+++ b/_bin/runtipictl
@@ -6,6 +6,12 @@ jlmkr () {
 JAIL_UID=${JAIL_UID:-${UID}}
+jlmkr-shell() {
+ if jlmkr exec runtipi true; then
+ jlmkr shell --uid "${JAIL_UID}" runtipi
+ fi
+}
+
 jlmkr-exec () {
 local set_x=" set -x; pwd; id; "
 [ -z "$QUIET" ] || set_x=""
@@ -83,6 +89,9 @@ case "${1}" in
 _ERROR_MSG="ERROR: failed to invoke a command inside the runtipi jail and can't start the jail." \
 runtipi-cli start --env-file user-config/.env.local --no-permissions
 ;;
+ shell)
+ jlmkr-shell
+ ;;
 exec)
 jlmkr-exec "${@:2}"
 ;;
@@ -124,6 +133,7 @@ case "${1}" in
 "" "" "" \
 "misc." "" ""\
 "" "exec" "execute within the shell, START_DIR env applies" \
+ "" "shell" "enter an insteractive shell" \
 "" "" "" \
 "" "setup" "setup runtipictl in user's .local/bin dir"
From df961389c86461855477b1b18529a9569d21bb58 Mon Sep 17 00:00:00 2001
From: "Lockszmith (runtipi@kateryna)"
Date: Fri, 13 Dec 2024 10:20:09 -0500
Subject: [PATCH 2/3] added checkver.sh draft
---
 _bin/checkver.sh | 49 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100755 _bin/checkver.sh
diff --git a/_bin/checkver.sh b/_bin/checkver.sh
new file mode 100755
index 0000000..ebcfe5e
--- /dev/null
+++ b/_bin/checkver.sh
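Review bot: `jlmkr-shell` returns silently with status 0 when the `jlmkr exec runtipi true` probe fails, so `runtipictl shell` against a stopped jail prints nothing and exits as if it had succeeded, whereas `jlmkr-exec` in the same file reports that case via `_ERROR_MSG` and falls back to `runtipi-cli start`. Add an else branch, e.g. `else` / `echo "ERROR: cannot reach the runtipi jail" >&2; return 1` / `fi`, or route the failure through the same fallback `jlmkr-exec` uses so the two subcommands behave alike. A minor style point: the new definition is written `jlmkr-shell() {` while its neighbour is `jlmkr-exec () {`; match one form.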
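Review bot: The new help-table entry has a typo in user-facing text, `"enter an insteractive shell"`; change the line to `"" "shell" "enter an interactive shell" \`. The help table this line belongs to starts and ends outside the hunk.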
@@ -0,0 +1,49 @@
+#! /usr/bin/env bash
+SCRIPT_DIR=${SCRIPT_DIR:-"$( cd -- "$( dirname -- "$0" )" &> /dev/null && pwd )"}
+
+# Function to compare semantic versions
+compare_major_version() {
+ local major_version1=$(echo $1 | cut -d. -f1)
+ local major_version2=$(echo $2 | cut -d. -f1)
+
+ if [[ "$major_version1" == "$major_version2" ]]; then
+ return 0
+ else
+ return 1
+ fi
+}
+
+# Get Current Version of Runtipi
+runtipi_path=${RUNTIPI_DIR:-"$(cd -- "${SCRIPT_DIR}/../.." &> /dev/null && pwd )"}
+[ -r "$runtipi_path/VERSION" ] || runtipi_path=${RUNTIPI_DIR:-"$(cd -- "${SCRIPT_DIR}/../../_" &> /dev/null && pwd )"}
+current_version=$(cat "$runtipi_path/VERSION")
+
+# Get the latest release information from GitHub API
+latest_release=$(curl -sL \
+ -H "Accept: application/vnd.github+json" \
+ -H "X-GitHub-Api-Version: 2022-11-28" \
+ https://api.github.com/repos/runtipi/runtipi/releases/latest)
+
+# Extract the tag name from the release information
+tag_name=$(echo "$latest_release" | grep -o '"tag_name": "[^"]*' | cut -d'"' -f4)
+
+printf 'current: %-10s online: %-10s\n' "$current_version" "$tag_name" >&2
+# Compare major version numbers
+compare_major_version "$tag_name" "$current_version"
+# major_version_match=$?
+#
+# # Check if major versions are the same and if the latest release is newer than the current version
+# if [[ $major_version_match -eq 0 ]] && [[ "$tag_name" > "$current_version" ]]; then
+# echo "A new release is available: $tag_name"
+# cd $runtipi_path
+# echo "Backing up current version"
+# if [ ! -d "$runtipi_path/backups" ]; then
+# mkdir -p $runtipi_path/backups
+# fi
+# tar -czvf runtipi-backup-$current_version.tar.gz --exclude=media --exclude=backups *
+# mv runtipi-backup-$current_version.tar.gz $runtipi_path/backups
+# echo "Starting update"
+# echo $runtipi_path/runtipi-cli update latest
+# else
+# echo "No new release found or major version mismatch"
+# fi
From 303a03518a8e9e3fe90676b640904e1fdbfa741a Mon Sep 17 00:00:00 2001
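Review bot: The GitHub API result is never checked, so on a network error, a non-2xx reply (rate limiting is common for unauthenticated calls) or a change in the JSON spacing the `grep -o '"tag_name": "[^"]*'` pattern depends on, `tag_name` is empty and the script still prints an empty "online" version and lets `compare_major_version` answer as if the major versions differed; use `curl -fsSL` and guard the extraction with `[ -n "$tag_name" ] || { echo "ERROR: could not determine latest release" >&2; exit 2; }`. In `compare_major_version`, `$1` and `$2` are passed to `echo` unquoted, which subjects them to word splitting and globbing; `echo "$1"`, or simply `local major_version1=${1%%.*}`, avoids both and the subshell. GitHub release tags usually carry a `v` prefix while the contents of `VERSION` cannot be seen here, so confirm the two strings are in the same form before comparing their first dot-separated field. If the commented-out update draft is revived, note that `[[ "$tag_name" > "$current_version" ]]` is a string comparison that orders `v1.10.0` before `v1.9.0` (use `sort -V`), and that `cd $runtipi_path`, `mkdir -p $runtipi_path/backups` and the `tar ... *` line need their expansions quoted.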
From: "Lockszmith (runtipi@kateryna)"
Date: Fri, 13 Dec 2024 10:24:05 -0500
Subject: [PATCH 3/3] dynamic traefik configuration improvements
turned out that --providers.file.directory cli switch didn't override the file settings, and so, remapping the /etc/traefik dirs was a better approach.
---
 .gitignore | 4 +-
 _traefik.dynamic/dynamic/kasm-workspaces.yml | 42 -------------------
 _traefik.dynamic/dynamic/kateryna_apps.yml | 29 -------------
 _traefik/dynamic/http.yml | 4 ++
 .../dynamic/mw.fwd-auth-sysmgr.yml | 0
 _traefik/dynamic/mw.lan-only.yml | 8 ++++
 .../dynamic/mw.secureHeaders.yml | 15 -------
 .../ha.yml => _traefik/dynamic/rt.ha.yml | 0
 _traefik/dynamic/tls.yml | 9 ++++
 {_traefik.dynamic => _traefik}/traefik.yml | 18 +++++---
 tipi-compose.yml | 25 +++++++++--
 11 files changed, 57 insertions(+), 97 deletions(-)
 delete mode 100644 _traefik.dynamic/dynamic/kasm-workspaces.yml
 delete mode 100644 _traefik.dynamic/dynamic/kateryna_apps.yml
 create mode 100644 _traefik/dynamic/http.yml
 rename _traefik.dynamic/dynamic/fwd-auth-sysmgr.yml => _traefik/dynamic/mw.fwd-auth-sysmgr.yml (100%)
 create mode 100644 _traefik/dynamic/mw.lan-only.yml
 rename _traefik.dynamic/dynamic/dynamic.yml => _traefik/dynamic/mw.secureHeaders.yml (63%)
 rename _traefik.dynamic/dynamic/ha.yml => _traefik/dynamic/rt.ha.yml (100%)
 create mode 100644 _traefik/dynamic/tls.yml
 rename {_traefik.dynamic => _traefik}/traefik.yml (57%)
diff --git a/.gitignore b/.gitignore
index 03e9ceb..c4cc9af 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,5 @@
 .env.local
-_traefik.dynamic/tls
-_traefik.dynamic/shared/acme.json
+_traefik/tls
+_traefik/shared
 **/app.env
 ddns-updater/config.json
diff --git a/_traefik.dynamic/dynamic/kasm-workspaces.yml b/_traefik.dynamic/dynamic/kasm-workspaces.yml
deleted file mode 100644
index 3d478bb..0000000
--- a/_traefik.dynamic/dynamic/kasm-workspaces.yml
+++ /dev/null
@@ -1,42 +0,0 @@ -# http routing section -http: - routers: - # Define a connection between requests and services - "to-kasm-main": - rule: "Host(`k.szk.li`)" - entrypoints: - - websecure - # # If the rule matches, applies the middleware - middlewares: - - authentik_sysmgr - # - test-user - # If the rule matches, forward to the whoami service (declared below) - service: kasm-main - tls: - certresolver: myresolver - - # Define a connection between requests and services - "to-kasm-setup": - rule: "Host(`ksetup.szk.li`)" - entrypoints: - - websecure - # # If the rule matches, applies the middleware - middlewares: - - authentik_sysmgr - # - test-user - # If the rule matches, forward to the whoami service (declared below) - service: kasm-setup - tls: - certresolver: myresolver - - - services: - # Define how to reach an existing service on our infrastructure - kasm-main: - loadBalancer: - servers: - - url: "https://kasm-workspaces:8744" - kasm-setup: - loadBalancer: - servers: - - url: "https://kasm-workspaces:8743" diff --git a/_traefik.dynamic/dynamic/kateryna_apps.yml b/_traefik.dynamic/dynamic/kateryna_apps.yml deleted file mode 100644 index aaf1d10..0000000 --- a/_traefik.dynamic/dynamic/kateryna_apps.yml +++ /dev/null @@ -1,29 +0,0 @@ -# http routing section -http: - routers: - to-kateryna: - rule: "Host(`kateryna.szk.li`) - || Host(`kateryna.lksz.me`) - || Host(`m.lksz.me`) - || Host(`auth.lksz.me`) - || Host(`sync.lksz.me`) - || Host(`radarr.lksz.me`) - || Host(`sonarr.lksz.me`) - || Host(`prowlarr.lksz.me`) - || Host(`req.lksz.me`) - || Host(`jd.lksz.me`) - || Host(`nzb.lksz.me`) - || Host(`stats.player.lksz.me`) - " - entrypoints: - - websecure - service: kateryna-traefik - tls: - certresolver: myresolver - - services: - # Define how to reach an existing service on our infrastructure - kateryna-traefik: - loadBalancer: - servers: - - url: https://kateryna.lksz.me 
diff --git a/_traefik/dynamic/http.yml b/_traefik/dynamic/http.yml new file mode 100644 index 0000000..ef2bee2 --- /dev/null +++ b/_traefik/dynamic/http.yml @@ -0,0 +1,4 @@ +http: + serversTransports: + insecuretransport: + insecureSkipVerify: true diff --git a/_traefik.dynamic/dynamic/fwd-auth-sysmgr.yml b/_traefik/dynamic/mw.fwd-auth-sysmgr.yml similarity index 100% rename from _traefik.dynamic/dynamic/fwd-auth-sysmgr.yml rename to _traefik/dynamic/mw.fwd-auth-sysmgr.yml diff --git a/_traefik/dynamic/mw.lan-only.yml b/_traefik/dynamic/mw.lan-only.yml new file mode 100644 index 0000000..0cab8f0 --- /dev/null +++ b/_traefik/dynamic/mw.lan-only.yml @@ -0,0 +1,8 @@ +# Accepts request from defined IP +http: + middlewares: + lan-only: + ipWhiteList: + sourceRange: + - "127.0.0.1/32" + - "192.168.0.0/16" \ No newline at end of file diff --git a/_traefik.dynamic/dynamic/dynamic.yml b/_traefik/dynamic/mw.secureHeaders.yml similarity index 63% rename from _traefik.dynamic/dynamic/dynamic.yml rename to _traefik/dynamic/mw.secureHeaders.yml index 18769aa..3ca24bc 100644 --- a/_traefik.dynamic/dynamic/dynamic.yml +++ b/_traefik/dynamic/mw.secureHeaders.yml @@ -1,8 +1,4 @@ http: - serversTransports: - insecuretransport: - insecureSkipVerify: true - middlewares: secureHeaders: headers: @@ -18,14 +14,3 @@ http: permissionsPolicy: "camera=(), microphone=(), geolocation=()" customResponseHeaders: X-Robots-Tag: "noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex" - -tls: - stores: - default: - defaultCertificate: - certFile: /etc/traefik/tls/cert.pem - keyFile: /etc/traefik/tls/key.pem - certificates: - - certFile: /etc/traefik/tls/cert.pem - keyFile: /etc/traefik/tls/key.pem - diff --git a/_traefik.dynamic/dynamic/ha.yml b/_traefik/dynamic/rt.ha.yml similarity index 100% rename from _traefik.dynamic/dynamic/ha.yml rename to _traefik/dynamic/rt.ha.yml diff --git a/_traefik/dynamic/tls.yml b/_traefik/dynamic/tls.yml new file mode 100644 index 0000000..39b4586 
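Review bot: `insecureSkipVerify: true` on the `insecuretransport` serversTransport disables upstream certificate verification for every service that references it, and the new standalone file gives no hint of who is meant to; since the block only moved here from dynamic.yml this is not new behaviour, but it is the place a reader will look. A short header would fix that, e.g. `# Opt-in transport for backends that only present self-signed certificates; services must reference it explicitly via serversTransport — it is not the default.` If any router uses it for a backend that does have a trusted certificate, that one should be switched back to the default transport.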
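Review bot: `lan-only` matches `sourceRange` against the client address Traefik itself observes, and with Traefik attached only to the compose networks that address can be a Docker gateway/NAT address rather than the LAN client, in which case the middleware allows or denies everyone at once; confirm the address seen in Traefik's access log before attaching this to a router. If the observed address is a proxy hop, an `ipStrategy` (depth) is needed, and that only works together with the `forwardedHeaders.trustedIPs` list already present in traefik.yml. `ipWhiteList` is the Traefik v2 name; v3 renamed the middleware to `ipAllowList`, so check which major version the image is before relying on this file being loaded. The file also ends without a trailing newline (`\ No newline at end of file`).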
--- /dev/null +++ b/_traefik/dynamic/tls.yml @@ -0,0 +1,9 @@ +tls: + stores: + default: + defaultCertificate: + certFile: /etc/traefik/tls/cert.pem + keyFile: /etc/traefik/tls/key.pem + certificates: + - certFile: /etc/traefik/tls/cert.pem + keyFile: /etc/traefik/tls/key.pem diff --git a/_traefik.dynamic/traefik.yml b/_traefik/traefik.yml similarity index 57% rename from _traefik.dynamic/traefik.yml rename to _traefik/traefik.yml index 7c8216f..a1af91f 100644 --- a/_traefik.dynamic/traefik.yml +++ b/_traefik/traefik.yml @@ -4,7 +4,7 @@ api: providers: docker: - endpoint: 'unix:///var/run/docker.sock' + endpoint: "unix:///var/run/docker.sock" watch: true exposedByDefault: false file: @@ -31,12 +31,18 @@ entryPoints: - "172.16.0.0/12" certificatesResolvers: - httpresolver: + myresolver: acme: -# email: acme@thisprops.com + email: acme@thisprops.com storage: /shared/acme.json - httpChallenge: - entryPoint: web + # httpChallenge: + # entryPoint: web + #logging: true + dnsChallenge: + provider: cloudflare + resolvers: + - 1.1.1.1:53 # - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers[0]=1.1.1.1:53 + - 8.8.8.8:53 # - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers[1]=8.8.8.8:53 log: - level: ERROR + level: INFO diff --git a/tipi-compose.yml b/tipi-compose.yml index c25c122..b9b6d50 100644 --- a/tipi-compose.yml +++ b/tipi-compose.yml 
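Review bot: The `myresolver` block now hardcodes `email: acme@thisprops.com` and the resolvers `1.1.1.1:53` / `8.8.8.8:53`, while tipi-compose.yml still passes `--certificatesresolvers.myresolver.acme.email=${ACME_EMAIL}` and `...dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53`; the commit message itself says the CLI switch did not override the file, so one of the two definitions is dead and the two currently disagree. Keep a single source of truth — either drop the `--certificatesresolvers.*` and `--log.level` flags from the compose command (the same point applies to the tipi-compose.yml hunk below) or remove those values from traefik.yml — and verify which e-mail actually reaches the ACME account afterwards. As far as I know Traefik's static configuration file does not expand `${VAR}` placeholders, so the e-mail cannot simply be templated here; confirm before choosing the file as the source. Once settled, the inline comments after the two resolver entries that restate the CLI form, and the stray `#logging: true` line under `acme:`, should go.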
@@ -4,16 +4,35 @@ services: - 8080:8080 command: - '--providers.docker' - - '--providers.file.directory=/srv/runtipi/user-config/_traefik.dynamic' + - '--providers.file.directory=/etc/traefik/dynamic' - '--certificatesresolvers.myresolver.acme.email=${ACME_EMAIL}' - '--certificatesresolvers.myresolver.acme.storage=/shared/acme.json' - '--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare' + - "--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53" + - '--log.level=INFO' environment: - CF_API_EMAIL: "${ACME_EMAIL}" - CF_DNS_API_TOKEN: "${CF_DNS_API_TOKEN}" + CF_API_EMAIL: "${ACME_EMAIL:?}" + CF_DNS_API_TOKEN: "${CF_DNS_API_TOKEN:?}" networks: - tipi_main_network - tipi_internal_network + volumes: + - type: bind + source: ./traefik/shared + target: /shared + read_only: false + - type: bind + source: ./traefik + target: /etc/traefik + read_only: false + - type: bind + source: ./user-config/_traefik/dynamic/ + target: /etc/traefik/dynamic/ + read_only: true + - type: bind + source: ./user-config/_traefik/traefik.yml + target: /etc/traefik/traefik.yml + read_only: true networks: tipi_internal_network:
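Review bot: `./traefik` is bound to `/etc/traefik` with `read_only: false`, yet the only path Traefik writes to is `/shared/acme.json`, which has its own writable bind; the static config and the TLS key under `/etc/traefik/tls` do not need to be writable by the proxy, so `read_only: true` on that mount is the least-privilege choice (confirm nothing else under `./traefik` is written at runtime). The new `--certificatesresolvers.myresolver.acme.dnschallenge.resolvers` entry is double-quoted while the neighbouring command entries use single quotes; use one style. The `${ACME_EMAIL:?}` / `${CF_DNS_API_TOKEN:?}` change is the right call, since it fails the stack early instead of starting Traefik with an empty Cloudflare token.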