UPD: various update related to docker storage driver change from btrfs to xfs

This commit is contained in:
KF 2024-04-04 12:39:43 +08:00
parent a687dce107
commit 9c762dff59
Signed by: xpk
GPG Key ID: CD4FF6793F09AB86
60 changed files with 861 additions and 46 deletions


@ -1 +1,8 @@
Collection of Dockerfiles Collection of Dockerfiles
## docker on macvlan
On Linux, docker macvlan driver can be used to simplify routing. To create a macvlan network:
```bash
docker network create -d macvlan --subnet=192.168.86.0/24 --ip-range=192.168.86.96/27 --gateway=192.168.86.1 -o parent=enp7s0f1 macvlan
```

2
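--- a/alpine/dante/build.sh
+++ b/alpine/dante/build.sh
@@ -0,0 +1,2 @@
+export DOCKER_BUILDKIT=1
+docker build --network host -t alpine/dante .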


@ -1,9 +1,10 @@
FROM alpine:3.16 FROM alpine:latest
ENV container docker ENV container docker
RUN apk update; apk upgrade; apk add php81-gd php81-session php81-json php81-fpm php81-mysqlnd php81-mysqli php81-mbstring php81-xml php81-redis php81-curl php81-gmp bash php81-pdo_mysql php81-zip php81-dom php81-xmlwriter php81-xmlreader php81-ctype php81-simplexml php81-intl php81-iconv redis supervisor php81-opcache php81-posix php81-fileinfo php81-pecl-imagick php81-bcmath php81-pcntl php81-cli RUN apk update; apk upgrade; apk add php82-gd php82-session php82-json php82-fpm php82-mysqlnd php82-mysqli php82-mbstring php82-xml php82-redis php82-curl php82-gmp bash php82-pdo_mysql php82-zip php82-dom php82-xmlwriter php82-xmlreader php82-ctype php82-simplexml php82-intl php82-iconv redis supervisor php82-opcache php82-posix php82-fileinfo php82-pecl-imagick php82-bcmath php82-pcntl php82-cli php82-sysvsem php82-exif php82-sodium php82-bz2
COPY supervisord.conf /etc/supervisord.conf COPY supervisord.conf /etc/supervisord.conf
COPY fpm-www.conf /etc/php81/php-fpm.d/www.conf COPY fpm-www.conf /etc/php82/php-fpm.d/www.conf
RUN sed -i -e 's/^disable_functions.*/disable_functions=exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,eval,base64_decode/g' -e 's/^expose_php.*/expose_php=off/g' -e 's/^memory_limit.*/memory_limit=512M/g' -e 's/^session.save_handler.*/session.save_handler=redis/g' /etc/php81/php.ini COPY nc-upgrade.sh /var/www/nc-upgrade.sh
RUN echo 'session.save_path = "tcp://192.168.86.212:6379"' >> /etc/php81/php.ini RUN sed -i -e 's/^disable_functions.*/disable_functions=exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,eval,base64_decode/g' -e 's/^expose_php.*/expose_php=off/g' -e 's/^memory_limit.*/memory_limit=512M/g' -e 's/^session.save_handler.*/session.save_handler=redis/g' /etc/php82/php.ini
RUN echo 'session.save_path = "tcp://192.168.86.212:6379"' >> /etc/php82/php.ini
EXPOSE 9000 EXPOSE 9000
CMD ["/usr/bin/supervisord", "-n"] CMD ["/usr/bin/supervisord", "-n"]
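Review bot: `FROM alpine:latest` replaces the pinned `alpine:3.16` while the package list is tied to `php82-*`, so the image now changes with every upstream release and stops building once `latest` no longer ships php82; pin the tag (and ideally the digest) of the release that carries these packages. The install line joins `apk update; apk upgrade; apk add …` with `;`, so a failed update or upgrade does not fail the build; `RUN apk add --no-cache <packages>` or an `&&` chain would surface the error. The same unpinned base and `;` chaining appear in the haproxy, nginx and redis Dockerfiles and, as `apt update; apt install`, in debian/nginx-cloudflared/Dockerfile further down. Separately, `eval` in `disable_functions` has no effect because it is a language construct rather than a function, so that entry should not be counted as a control.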


@ -1 +1,2 @@
docker build --pull --network macvlan -t alpine/fpmredis . export DOCKER_BUILDKIT=1
docker build --pull --network host -t alpine/fpmredis .


@ -0,0 +1,17 @@
#!/bin/bash
cp /etc/php81/php.ini /etc/php81/php.ini-orig
sed -i -e '/^disable_function/d' /etc/php81/php.ini
VERSION=$1
cd /var/www/nextcloud
cp nextcloud/config/config.php .
cp -ap nextcloud/data/ data/
apk add axel sudo
axel https://download.nextcloud.com/server/releases/nextcloud-$VERSION.zip
unzip -o -q nextcloud-$VERSION.zip
cp config.php nextcloud/config/
cp -ap data nextcloud/
chown -R xfs:xfs nextcloud
cd nextcloud
sudo -u xfs php81 occ upgrade
sudo -u xfs php81 occ maintenance:mode --off
cp /etc/php81/php.ini-orig /etc/php81/php.ini
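Review bot: This script edits `/etc/php81/php.ini` and runs `php81 occ …`, but the Dockerfile in this commit that copies an `nc-upgrade.sh` installs only `php82-*` packages; if this is that file, the `cp`, `sed` and `php81` calls all fail and the paths and binary need to become `php82`. There is no `set -e` and no `trap`, so a failed download or `occ upgrade` falls through to the following steps, and an interrupted run leaves `disable_functions` stripped from php.ini; `set -euo pipefail` plus `trap 'cp /etc/php82/php.ini-orig /etc/php82/php.ini' EXIT` would make the restore reliable. The release zip is unpacked without checking it against the checksum or signature that Nextcloud publishes next to the download, and `$VERSION` is used unquoted and unvalidated.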


@ -1,3 +1,2 @@
docker ps -a | grep nextcloud-fpm | awk '{print $1}' | xargs docker rm -f docker ps -a | grep nextcloud-fpm | awk '{print $1}' | xargs docker rm -f
#docker run --name fpmredis -v /var/www/nextcloud:/var/www/nextcloud:rw -v/var/run/mysqld/mysqld.sock:/var/run/mysqld/mysqld.sock:rw -it -d -m 4g --restart=always alpine_fpm_redis
./start.sh ./start.sh


@ -1,3 +1,3 @@
docker run --cpus=2 --name nextcloud-fpm -v /var/www/nextcloud:/var/www/nextcloud:rw \ docker run --cpus=4 --name nextcloud-fpm -v /var/www/nextcloud:/var/www/nextcloud:rw \
-v /var/run/mysqld/mysqld.sock:/var/run/mysqld/mysqld.sock:rw \ -v /var/run/mysqld/mysqld.sock:/var/run/mysqld/mysqld.sock:rw \
-it -d -m 4g --net macvlan --ip 192.168.86.210 --restart=always alpine/fpmredis -it -d -m 4g --net macvlan --ip 192.168.86.210 --restart=always alpine/fpmredis


@ -6,6 +6,7 @@ logfile=/var/log/supervisord.log ; (main log file;default $CWD/supervisord.log)
loglevel=error loglevel=error
logfile_maxbytes=10MB logfile_maxbytes=10MB
logfile_backups=7 logfile_backups=7
user=root
[rpcinterface:supervisor] [rpcinterface:supervisor]
supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
@ -19,6 +20,6 @@ stderr_logfile = /var/log/supervisord-redis.err
stdout_logfile = /var/log/supervisord-redis.log stdout_logfile = /var/log/supervisord-redis.log
[program:phpfpm] [program:phpfpm]
command=/usr/sbin/php-fpm81 -c /etc/php81/php-fpm.conf -F command=/usr/sbin/php-fpm82 -c /etc/php82/php-fpm.conf -F
stderr_logfile = /var/log/supervisord-fpm.err stderr_logfile = /var/log/supervisord-fpm.err
stdout_logfile = /var/log/supervisord-fpm.log stdout_logfile = /var/log/supervisord-fpm.log
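Review bot: The added `user=root` (apparently in the `[supervisord]` section, whose header is outside the hunk) makes root the default identity for every child, and the `[program:phpfpm]` section visible in the second hunk sets no `user=` of its own. php-fpm normally drops its workers to the pool user from www.conf, but the redis program, whose section starts outside the hunk, would keep running as root unless it has a `user=` line. I would add `user=redis` to that program section, or confirm it is already there, so that `user=root` does no more than silence supervisord's running-as-root warning.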


@ -0,0 +1,6 @@
FROM alpine:latest
ENV container docker
RUN apk update; apk upgrade; apk add haproxy
COPY haproxy.cfg /etc/haproxy/haproxy.cfg
EXPOSE 41080
CMD [ "/usr/sbin/haproxy", "-f", "/etc/haproxy/haproxy.cfg", "-db" ]

2
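--- a/alpine/haproxy/build.sh
+++ b/alpine/haproxy/build.sh
@@ -0,0 +1,2 @@
+export DOCKER_BUILDKIT=1
+docker build --network host -t alpine/haproxy .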


@ -0,0 +1,22 @@
global
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
defaults
mode tcp
timeout client 10s
timeout connect 5s
timeout server 10s
frontend socks-front
bind *:41080
default_backend socks-back
backend socks-back
server appgate 192.168.86.22:9080 check
server gw2 192.168.86.2:11080 check backup
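Review bot: `frontend socks-front` binds `*:41080` and forwards every connection to the SOCKS backends with no source restriction, so any host that can reach the container's macvlan address can use the proxies behind it. A line such as `tcp-request connection reject if !{ src 192.168.86.0/24 }` in the frontend (subnet taken from the README's macvlan example; narrow it to the intended clients) would limit that. `log 127.0.0.1 local2` points at a syslog listener that the accompanying Dockerfile does not install, and `defaults` has no `log global`, so connection records are probably not kept anywhere; `log stdout format raw local2` in `global` plus `log global` in `defaults` would put them in `docker logs`. The `daemon` keyword is overridden by `-db` in the image's CMD and can be dropped.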


@ -0,0 +1,4 @@
docker stop haproxy
docker rm haproxy
sleep 5
/my/container-config/alpine/haproxy/start-haproxy.sh


@ -0,0 +1,3 @@
# haproxy socks container
docker run --name haproxy \
--net macvlan --ip 192.168.86.208 -d --restart=always alpine/haproxy


@ -1,9 +0,0 @@
FROM alpine:latest
LABEL description="KeyDB"
LABEL maintainer="racken@one27.cf"
ENV container docker
RUN apk add bash tini redis
#RUN sed -i -e 's/^bind.*/bind 0.0.0.0/g' -e 's/^protected-mode.*/protected-mode no/g' -e 's/^timeout.*/timeout 60/g' -e 's/^\(logfile.*\)/## \1/g' /etc/redis.conf
RUN chown -R redis:redis /var/log/redis
USER redis
ENTRYPOINT ["/sbin/tini", "--", "/usr/bin/redis-server", "/etc/redis.conf"]


@ -0,0 +1,8 @@
FROM alpine:latest
ENV container docker
VOLUME /var/www
RUN apk update; apk upgrade; apk add nginx nginx-mod-http-dav-ext
RUN mkdir -p /run/nginx
COPY index.html /var/www/index.html
EXPOSE 80
CMD [ "/usr/sbin/nginx", "-c", "/etc/nginx/nginx.conf" ]
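Review bot: `VOLUME /var/www` is declared before `COPY index.html /var/www/index.html`; with the classic builder, changes made to a volume path after its declaration are discarded, so the page may not end up in the image. Move `VOLUME /var/www` below the `COPY`. `EXPOSE 80` also documents only one of the two ports the nginx.conf added in this commit listens on (80 and 443), and the CMD presumably depends on a config with `daemon off;` being mounted at run time, since the packaged default would let nginx fork and the container exit; `CMD ["/usr/sbin/nginx", "-g", "daemon off;"]` removes that dependency.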


@ -0,0 +1,6 @@
# Revision notes
20191206: since 1.17.6, /var/www/nextcloud needs to be mounted. not sure why it worked before... also created xpknet and assigned static IP to containers. nginx is on 192.168.188.2 and fpm on 192.168.188.10
20191206: changed to macvlan. nginx is on 192.168.86.3 and fpm on 192.168.86.4
# General notes
dav is needed for enpass


@ -0,0 +1,2 @@
export DOCKER_BUILDKIT=1
docker build --network host -t alpine/nginx-v .


@ -0,0 +1,5 @@
<p>
<br>
<center>
<a href=https://xpk.headdesk.me/mon>Go to observium</a>
</center>


@ -0,0 +1,254 @@
user nginx;
worker_processes 2;
daemon off;
load_module "modules/ngx_http_dav_ext_module.so";
error_log /var/log/nginx/error-local.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 2000;
}
http {
server_tokens off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
client_max_body_size 200M;
gzip on;
gzip_min_length 1100;
gzip_buffers 4 8k;
gzip_types text/plain;
# caching
proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=zone1:10m max_size=1G;
proxy_temp_path /tmp/nginx-proxy 1 2;
proxy_cache_key "$scheme$request_method$host$request_uri";
proxy_ignore_headers Expires Cache-Control;
proxy_cache_use_stale error timeout invalid_header http_502;
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_headers_hash_max_size 1024;
proxy_headers_hash_bucket_size 128;
log_format cached '$remote_addr '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" $upstream_cache_status';
# Useragent ACL: works but ubuntu online accounts does not provide any useragent
#map $http_user_agent $useragent_acl {
# default deny;
# ~(Desktop|Chrome|Nextcloud-iOS|Nextcloud-android|mirall|Mozilla/5\.0|git|ansible-httpget|Go-http-client) allow;
#}
# _ _ _ _
# _ __ | |__ _ __ | |__ __ _ _ __ __| | | ___ _ __
# | '_ \| '_ \| '_ \ _____| '_ \ / _` | '_ \ / _` | |/ _ \ '__|
# | |_) | | | | |_) |_____| | | | (_| | | | | (_| | | __/ |
# | .__/|_| |_| .__/ |_| |_|\__,_|_| |_|\__,_|_|\___|_|
# |_| |_|
#
upstream php-handler {
server 192.168.86.210:9000;
#server unix:/var/run/php/php7.2-fpm.sock;
}
server {
listen 80 default_server;
# root /var/www/null;
root /var/www/letsencrypt;
# for letsencrypt / acme-tiny
location /.well-known {
try_files $uri $uri/ =404;
}
location /.well-known/acme-challenge/ {
alias /var/www/letsencrypt/;
}
location / {
return 301 https://$host$request_uri;
}
# Useragent ACL
# if ($useragent_acl = deny) {
# return 403;
# }
# letsencrypt validation
#location /.well-known/acme-challenge/ {
# alias /var/www/letsencrypt/;
#}
#if ($http_x_forwarded_proto != "https") {
# return 301 https://$host$request_uri;
# }
}
server {
listen 443 ssl http2 default_server;
root /var/www;
# still need TLS1.2 for Lixil Jenkins git pull
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag "noindex, nofollow";
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
ssl_certificate /home/ssl/xpk.headdesk.me.crt;
ssl_certificate_key /home/ssl/xpk.headdesk.me.key;
# filter out PROPFIND in access log
set $logme 1;
if ($request_method = PROPFIND) {
set $logme 0;
}
access_log /var/log/nginx/access.log cached if=$logme;
# Useragent ACL
# if ($useragent_acl = deny) {
# return 403;
#}
#location / {
# proxy_pass http://192.168.86.10:8080/;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header HTTP_X_FORWARDED_PROTO https;
# proxy_set_header Host $host;
# proxy_cache_bypass $http_pragma $http_authorization;
# }
# letsencrypt validation
location /.well-known/acme-challenge/ {
alias /var/www/letsencrypt/;
}
fastcgi_hide_header X-Powered-By;
location = /.well-known/carddav {
return 301 $scheme://$host:$server_port/nextcloud/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host:$server_port/nextcloud/remote.php/dav;
}
location /nextcloud/ {
rewrite ^ /nextcloud/index.php;
}
location ~ ^\/nextcloud\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
deny all;
}
location ~ ^\/nextcloud\/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^\/nextcloud\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;
# Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
# Enable pretty urls
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ ^\/nextcloud\/(?:updater|oc[ms]-provider)(?:$|\/) {
try_files $uri/ =404;
index index.php;
}
location ~ ^\/nextcloud.*\.(?:css|js|woff2?|svg|gif|map)$ {
try_files $uri /nextcloud/index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag "noindex, nofollow";
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
}
location ~ ^\/nextcloud.*\.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
try_files $uri /nextcloud/index.php$request_uri;
}
location /git/ {
proxy_pass http://192.168.86.53:3000/;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header HTTP_X_FORWARDED_PROTO https;
proxy_set_header Host $host;
proxy_http_version 1.1;
# caching: do not enable, causes cross account caching!
# proxy_cache zone1;
# proxy_cache_valid 200 302 5m;
# proxy_cache_valid any 10m;
}
location /pad/ {
proxy_pass http://192.168.86.51:9001/;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header HTTP_X_FORWARDED_PROTO https;
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_cookie_path / "/pad; HTTPOnly; Secure";
proxy_cookie_flags express secure httponly;
}
location /jenkins/ {
proxy_pass http://192.168.86.55:8080/jenkins/;
proxy_redirect default;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header HTTP_X_FORWARDED_PROTO https;
proxy_set_header Host $host;
proxy_http_version 1.1;
}
location /mon/ {
proxy_pass http://192.168.86.57/;
proxy_buffering off;
proxy_redirect default;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header HTTP_X_FORWARDED_PROTO https;
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_cookie_path / "/mon; HTTPOnly; Secure";
proxy_cookie_flags express secure httponly;
}
location /enpass/ {
root /var/www;
auth_basic enpass;
auth_basic_user_file /var/www/enpass/.htpass;
dav_methods PUT DELETE MKCOL COPY MOVE;
dav_ext_methods PROPFIND OPTIONS;
dav_access user:rw group:rw all:r;
create_full_put_path on;
autoindex on;
}
}
}
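Review bot: In `location /enpass/` the `auth_basic_user_file` is `/var/www/enpass/.htpass`, which sits inside the directory this same block serves with `autoindex on` and opens to `PUT`, `DELETE` and `MOVE`; any authenticated DAV user can therefore read or replace the password file. Keep the file outside the served tree (for example under `/etc/nginx/`) or add `location ~ /\.ht { deny all; }` to the server block. A second point: the static-asset location that sets `Cache-Control` declares its own `add_header` lines, so the server-level `Strict-Transport-Security` and `X-Frame-Options` headers are not inherited for those responses and need repeating there. The same config is added again under debian/nginx-cloudflared/.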


@ -0,0 +1,4 @@
docker stop nginx
docker rm nginx
sleep 5
/my/container-config/alpine/nginx/start-nginx.sh


@ -0,0 +1,14 @@
# nginx container
docker run --name nginx -v /my/container-config/alpine/nginx/nginx.conf:/etc/nginx/nginx.conf:ro \
-m 2g -v /my/sites/ssl-cert:/home/ssl \
-v /var/www/nextcloud:/var/www/nextcloud:ro \
-v /var/www/enpass:/var/www/enpass:rw \
-v /var/www/letsencrypt:/var/www/letsencrypt:ro \
--net macvlan --ip 192.168.86.209 -d --restart=always alpine/nginx
# clearlinux/nginx
#docker run --name nginx -v /my/container-config/nginx/nginx.conf:/etc/nginx/nginx.conf:ro \
#-v /etc/letsencrypt:/etc/letsencrypt:ro -m 2g \
#-v /var/www/nextcloud:/var/www/nextcloud:ro \
#--net macvlan --ip 192.168.86.3 -d --restart=always clearlinux/nginx
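Review bot: `-v /my/sites/ssl-cert:/home/ssl` is the only bind mount in the active command without a mode, so the directory holding the TLS private key is mounted read-write into the container. nginx only reads the certificate and key, so append `:ro` as on the nginx.conf, nextcloud and letsencrypt mounts. The `/var/www/enpass` mount has to stay `rw` for WebDAV, which is one more reason to keep the basic-auth password file out of that directory.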


@ -2,5 +2,6 @@ FROM alpine:latest
ENV container docker ENV container docker
RUN apk update; apk upgrade; apk add nginx nginx-mod-http-dav-ext RUN apk update; apk upgrade; apk add nginx nginx-mod-http-dav-ext
RUN mkdir -p /run/nginx RUN mkdir -p /run/nginx
COPY index.html /var/www/index.html
EXPOSE 80 EXPOSE 80
CMD [ "/usr/sbin/nginx", "-c", "/etc/nginx/nginx.conf" ] CMD [ "/usr/sbin/nginx", "-c", "/etc/nginx/nginx.conf" ]

2
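--- a/alpine/nginx/build.sh
+++ b/alpine/nginx/build.sh
@@ -0,0 +1,2 @@
+export DOCKER_BUILDKIT=1
+docker build --network host -t alpine/nginx .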

5
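--- a/alpine/nginx/index.html
+++ b/alpine/nginx/index.html
@@ -0,0 +1,5 @@
+<p>
+<br>
+<center>
+<a href=https://xpk.headdesk.me/mon>Go to observium</a>
+</center>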


@ -60,28 +60,43 @@ http {
server { server {
listen 80 default_server; listen 80 default_server;
root /var/www/null; # root /var/www/null;
root /var/www/letsencrypt;
# for letsencrypt / acme-tiny
location /.well-known {
try_files $uri $uri/ =404;
}
location /.well-known/acme-challenge/ {
alias /var/www/letsencrypt/;
}
location / {
return 301 https://$host$request_uri;
}
# Useragent ACL # Useragent ACL
# if ($useragent_acl = deny) { # if ($useragent_acl = deny) {
# return 403; # return 403;
# } # }
# letsencrypt validation # letsencrypt validation
location /.well-known/acme-challenge/ { #location /.well-known/acme-challenge/ {
alias /var/www/letsencrypt/; # alias /var/www/letsencrypt/;
} #}
if ($http_x_forwarded_proto != "https") { #if ($http_x_forwarded_proto != "https") {
return 301 https://$host$request_uri; # return 301 https://$host$request_uri;
} # }
} }
server { server {
listen 443 ssl http2 default_server; listen 443 ssl http2 default_server;
root /var/www; root /var/www;
# still need TLS1.2 for Lixil Jenkins git pull
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384';
ssl_ecdh_curve secp521r1:secp384r1:prime256v1; ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_session_timeout 10m; ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:10m;
@ -90,7 +105,7 @@ http {
add_header X-Frame-Options SAMEORIGIN; add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block"; add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none; add_header X-Robots-Tag "noindex, nofollow";
add_header X-Download-Options noopen; add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none; add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer; add_header Referrer-Policy no-referrer;
@ -132,6 +147,7 @@ http {
location = /.well-known/caldav { location = /.well-known/caldav {
return 301 $scheme://$host:$server_port/nextcloud/remote.php/dav; return 301 $scheme://$host:$server_port/nextcloud/remote.php/dav;
} }
location /nextcloud/ { location /nextcloud/ {
rewrite ^ /nextcloud/index.php; rewrite ^ /nextcloud/index.php;
} }
@ -168,7 +184,7 @@ http {
add_header Cache-Control "public, max-age=15778463"; add_header Cache-Control "public, max-age=15778463";
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block"; add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none; add_header X-Robots-Tag "noindex, nofollow";
add_header X-Download-Options noopen; add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none; add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer; add_header Referrer-Policy no-referrer;
@ -213,6 +229,7 @@ http {
location /mon/ { location /mon/ {
proxy_pass http://192.168.86.57/; proxy_pass http://192.168.86.57/;
proxy_buffering off;
proxy_redirect default; proxy_redirect default;
proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
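Review bot: The new `ssl_ciphers` list drops every `ECDHE-RSA-*` suite and adds `AES256-GCM-SHA384:AES128-GCM-SHA256`, which use static RSA key exchange and give no forward secrecy. If the certificate configured elsewhere in this file is an RSA one (not visible in these hunks), the TLS 1.2 clients this commit deliberately keeps enabled can only negotiate those two suites; I would restore `ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256` and remove the two non-ECDHE entries. The `TLS_*` names at the front are TLS 1.3 suites, which as far as I know nginx does not take from `ssl_ciphers`, so they have no effect there. The same list is in the two full nginx.conf copies added by this commit.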


@ -1,7 +1,10 @@
FROM alpine:3.16 FROM alpine:latest
LABEL description="Redis for use with gitea" LABEL description="Redis for use with gitea"
LABEL maintainer="racken@one27.cf" LABEL maintainer="racken@one27.cf"
ENV container docker ENV container docker
RUN apk add bash tini redis RUN apk add bash tini redis
RUN sed -i -e 's/^bind.*/bind 0.0.0.0/g' -e 's/^protected-mode.*/protected-mode no/g' -e 's/^timeout.*/timeout 60/g' /etc/redis.conf #RUN addgroup -g 3000 ctnuser && adduser -u 3000 -G ctnuser -D ctnuser
RUN sed -i -e 's/^bind.*/bind 0.0.0.0/g' -e 's/^protected-mode.*/protected-mode no/g' -e 's/^timeout.*/timeout 60/g' -e 's/^\(logfile.*\)/## \1/g' /etc/redis.conf
RUN chown -R redis:redis /var/log/redis
USER redis
ENTRYPOINT ["/sbin/tini", "--", "/usr/bin/redis-server", "/etc/redis.conf"] ENTRYPOINT ["/sbin/tini", "--", "/usr/bin/redis-server", "/etc/redis.conf"]
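Review bot: The rewritten `sed` keeps `bind 0.0.0.0` and `protected-mode no` and sets no `requirepass`, so the server accepts unauthenticated commands from any host on the macvlan segment, and the fpm image in this commit stores PHP sessions in it (`session.save_path = "tcp://192.168.86.212:6379"`). Supply a password or ACL user through a redis.conf mounted at deploy time (not baked into the image) and pass it in the session save path, and filter port 6379 to the PHP container's address. The commented-out `addgroup`/`adduser` line can go, since `USER redis` relies on the account the package creates.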


@ -1,2 +1,2 @@
docker rm -f redis docker rm -f redis
docker run -d --name redis --network macvlan --ip 192.168.86.212 alpine/redis docker run -d --name redis --network macvlan --ip 192.168.86.212 --restart=always alpine/redis


@ -0,0 +1,16 @@
FROM amazonlinux
ENV container docker
RUN yum -q -y install unzip git screen jq wget python3-pip groff
RUN wget -q -O/tmp/awscli.zip "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"
RUN unzip -q /tmp/awscli.zip; ./aws/install
RUN wget -q -O/tmp/terraform125.zip https://releases.hashicorp.com/terraform/1.2.5/terraform_1.2.5_linux_amd64.zip
RUN unzip -qd /usr/local/bin /tmp/terraform125.zip
RUN pip3 install --user git-remote-codecommit
RUN mkdir -p /root/.terraform.d/plugin-cache
RUN echo 'plugin_cache_dir = "$HOME/.terraform.d/plugin-cache"' > ~/.terraformrc
RUN mkdir /root/terraform-root
RUN cd /root/terraform-root
COPY provider.tf /root/terraform-root/provider.tf
RUN cd /root/terraform-root; terraform init
ENV PS1 "deployer "
CMD ["/usr/bin/bash"]
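Review bot: The AWS CLI and Terraform archives are downloaded and installed as root with no integrity check, and `FROM amazonlinux` carries no tag, so neither the base nor the tools are reproducible or verified. For Terraform, fetch the matching `terraform_1.2.5_SHA256SUMS` and run `sha256sum -c --ignore-missing` against it before `unzip`; for the AWS CLI, verify the published `.sig` file with `gpg --verify`. `RUN cd /root/terraform-root` on its own has no effect on later instructions; replace it and the later `cd …; terraform init` with `WORKDIR /root/terraform-root` followed by `RUN terraform init`. The unverified AWS CLI download is repeated in the amzn2 awscli Dockerfile and in rocky/awscli2/Dockerfile below.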


@ -0,0 +1,17 @@
provider "aws" {
region = var.aws-region
}
terraform {
required_version = "~> 1.2.5"
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 3.75.2"
}
random = {
source = "hashicorp/random"
version = "3.3.2"
}
}
}


@ -4,6 +4,6 @@ LABEL description="awscli 2.0.9 on amzn2"
LABEL autobuild="jenkins @weekly" LABEL autobuild="jenkins @weekly"
ENV container docker ENV container docker
RUN /usr/bin/yum -y install unzip groff less jq RUN /usr/bin/yum -y install unzip groff less jq
RUN curl https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip -o /tmp/awscliv2.zip; cd /tmp; unzip awscliv2.zip; ./aws/install RUN curl https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip -o /tmp/awscliv2.zip; cd /tmp; unzip -qq awscliv2.zip; ./aws/install
ENV PS1 "awscli $ " ENV PS1 "awscli "
ENTRYPOINT ["/bin/bash"] ENTRYPOINT ["/bin/bash"]

11
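--- a/debian/nginx-cloudflared/Dockerfile
+++ b/debian/nginx-cloudflared/Dockerfile
@@ -0,0 +1,11 @@
+FROM debian:latest
+ENV container docker
+RUN apt update; apt install curl -y
+RUN mkdir -p --mode=0755 /usr/share/keyrings
+RUN curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
+RUN echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared bookworm main' | tee /etc/apt/sources.list.d/cloudflared.list
+RUN apt update; apt install nginx cloudflared -y
+#RUN mkdir -p /run/nginx
+#COPY index.html /var/www/index.html
+EXPOSE 80
+CMD [ "/usr/sbin/nginx", "-c", "/etc/nginx/nginx.conf" ]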
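Review bot: `FROM debian:latest` is combined with a hard-coded `bookworm` suite in cloudflared.list, so the repository stops matching the base as soon as `latest` moves to the next Debian release; use `FROM debian:bookworm` or a digest-pinned tag. The image installs cloudflared but the CMD starts only nginx, so the tunnel never runs unless something outside the Dockerfile launches it, and nginx is started without `-g 'daemon off;'`, relying on a mounted config to stay in the foreground. `RUN apt update; apt install …` should become `apt-get update && apt-get install -y --no-install-recommends … && rm -rf /var/lib/apt/lists/*` in one layer, so that a failed update fails the build.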

7
debian/nginx-cloudflared/README.md vendored Normal file

@ -0,0 +1,7 @@
# Revision notes
20240402: based on alpine/nginx, trying to add cloudflared but this may cause problem for local access
20191206: since 1.17.6, /var/www/nextcloud needs to be mounted. not sure why it worked before... also created xpknet and assigned static IP to containers. nginx is on 192.168.188.2 and fpm on 192.168.188.10
20191206: changed to macvlan. nginx is on 192.168.86.3 and fpm on 192.168.86.4
# General notes
dav is needed for enpass

2
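--- a/debian/nginx-cloudflared/build.sh
+++ b/debian/nginx-cloudflared/build.sh
@@ -0,0 +1,2 @@
+export DOCKER_BUILDKIT=1
+docker build --network host -t debian/nginx .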

5
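--- a/debian/nginx-cloudflared/index.html
+++ b/debian/nginx-cloudflared/index.html
@@ -0,0 +1,5 @@
+<p>
+<br>
+<center>
+<a href=https://xpk.headdesk.me/mon>Go to observium</a>
+</center>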

254
debian/nginx-cloudflared/nginx.conf vendored Normal file

@ -0,0 +1,254 @@
user nginx;
worker_processes 2;
daemon off;
load_module "modules/ngx_http_dav_ext_module.so";
error_log /var/log/nginx/error-local.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 2000;
}
http {
server_tokens off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
client_max_body_size 200M;
gzip on;
gzip_min_length 1100;
gzip_buffers 4 8k;
gzip_types text/plain;
# caching
proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=zone1:10m max_size=1G;
proxy_temp_path /tmp/nginx-proxy 1 2;
proxy_cache_key "$scheme$request_method$host$request_uri";
proxy_ignore_headers Expires Cache-Control;
proxy_cache_use_stale error timeout invalid_header http_502;
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_headers_hash_max_size 1024;
proxy_headers_hash_bucket_size 128;
log_format cached '$remote_addr '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" $upstream_cache_status';
# Useragent ACL: works but ubuntu online accounts does not provide any useragent
#map $http_user_agent $useragent_acl {
# default deny;
# ~(Desktop|Chrome|Nextcloud-iOS|Nextcloud-android|mirall|Mozilla/5\.0|git|ansible-httpget|Go-http-client) allow;
#}
# _ _ _ _
# _ __ | |__ _ __ | |__ __ _ _ __ __| | | ___ _ __
# | '_ \| '_ \| '_ \ _____| '_ \ / _` | '_ \ / _` | |/ _ \ '__|
# | |_) | | | | |_) |_____| | | | (_| | | | | (_| | | __/ |
# | .__/|_| |_| .__/ |_| |_|\__,_|_| |_|\__,_|_|\___|_|
# |_| |_|
#
upstream php-handler {
server 192.168.86.210:9000;
#server unix:/var/run/php/php7.2-fpm.sock;
}
server {
listen 80 default_server;
# root /var/www/null;
root /var/www/letsencrypt;
# for letsencrypt / acme-tiny
location /.well-known {
try_files $uri $uri/ =404;
}
location /.well-known/acme-challenge/ {
alias /var/www/letsencrypt/;
}
location / {
return 301 https://$host$request_uri;
}
# Useragent ACL
# if ($useragent_acl = deny) {
# return 403;
# }
# letsencrypt validation
#location /.well-known/acme-challenge/ {
# alias /var/www/letsencrypt/;
#}
#if ($http_x_forwarded_proto != "https") {
# return 301 https://$host$request_uri;
# }
}
server {
listen 443 ssl http2 default_server;
root /var/www;
# still need TLS1.2 for Lixil Jenkins git pull
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag "noindex, nofollow";
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
ssl_certificate /home/ssl/xpk.headdesk.me.crt;
ssl_certificate_key /home/ssl/xpk.headdesk.me.key;
# filter out PROPFIND in access log
set $logme 1;
if ($request_method = PROPFIND) {
set $logme 0;
}
access_log /var/log/nginx/access.log cached if=$logme;
# Useragent ACL
# if ($useragent_acl = deny) {
# return 403;
#}
#location / {
# proxy_pass http://192.168.86.10:8080/;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header HTTP_X_FORWARDED_PROTO https;
# proxy_set_header Host $host;
# proxy_cache_bypass $http_pragma $http_authorization;
# }
# letsencrypt validation
location /.well-known/acme-challenge/ {
alias /var/www/letsencrypt/;
}
fastcgi_hide_header X-Powered-By;
location = /.well-known/carddav {
return 301 $scheme://$host:$server_port/nextcloud/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host:$server_port/nextcloud/remote.php/dav;
}
location /nextcloud/ {
rewrite ^ /nextcloud/index.php;
}
location ~ ^\/nextcloud\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
deny all;
}
location ~ ^\/nextcloud\/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^\/nextcloud\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;
# Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
# Enable pretty urls
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ ^\/nextcloud\/(?:updater|oc[ms]-provider)(?:$|\/) {
try_files $uri/ =404;
index index.php;
}
location ~ ^\/nextcloud.*\.(?:css|js|woff2?|svg|gif|map)$ {
try_files $uri /nextcloud/index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag "noindex, nofollow";
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
}
location ~ ^\/nextcloud.*\.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
try_files $uri /nextcloud/index.php$request_uri;
}
location /git/ {
proxy_pass http://192.168.86.53:3000/;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header HTTP_X_FORWARDED_PROTO https;
proxy_set_header Host $host;
proxy_http_version 1.1;
# caching: do not enable, causes cross account caching!
# proxy_cache zone1;
# proxy_cache_valid 200 302 5m;
# proxy_cache_valid any 10m;
}
location /pad/ {
proxy_pass http://192.168.86.51:9001/;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header HTTP_X_FORWARDED_PROTO https;
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_cookie_path / "/pad; HTTPOnly; Secure";
proxy_cookie_flags express secure httponly;
}
location /jenkins/ {
proxy_pass http://192.168.86.55:8080/jenkins/;
proxy_redirect default;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header HTTP_X_FORWARDED_PROTO https;
proxy_set_header Host $host;
proxy_http_version 1.1;
}
location /mon/ {
proxy_pass http://192.168.86.57/;
proxy_buffering off;
proxy_redirect default;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header HTTP_X_FORWARDED_PROTO https;
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_cookie_path / "/mon; HTTPOnly; Secure";
proxy_cookie_flags express secure httponly;
}
location /enpass/ {
root /var/www;
auth_basic enpass;
auth_basic_user_file /var/www/enpass/.htpass;
dav_methods PUT DELETE MKCOL COPY MOVE;
dav_ext_methods PROPFIND OPTIONS;
dav_access user:rw group:rw all:r;
create_full_put_path on;
autoindex on;
}
}
}
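Review bot: This file is a copy of the Alpine config placed on a Debian base: `user nginx;` names an account that the Debian nginx package does not normally create (it runs as `www-data`), and `load_module "modules/ngx_http_dav_ext_module.so";` needs a dav-ext module package that the Dockerfile's `apt install nginx cloudflared` does not list. Either would stop nginx at startup, so both should be confirmed on the built image. The start script in this directory also mounts the alpine copy of nginx.conf rather than this one, so as committed this file appears to be unused.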

4
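--- a/debian/nginx-cloudflared/restart-nginx.sh
+++ b/debian/nginx-cloudflared/restart-nginx.sh
@@ -0,0 +1,4 @@
+docker stop nginx
+docker rm nginx
+sleep 5
+/my/container-config/alpine/nginx/start-nginx.sh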
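Review bot: This restart script stops and removes a container named `nginx` and then calls `/my/container-config/alpine/nginx/start-nginx.sh`, while the start script in this directory creates `nginxcf`; as written it restarts the Alpine container and never touches the Debian one. It should remove `nginxcf` (`docker rm -f nginxcf`) and call the start script that lives next to it, whose deployed path is not shown on the page.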

5
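--- a/debian/nginx-cloudflared/start-nginx.sh
+++ b/debian/nginx-cloudflared/start-nginx.sh
@@ -0,0 +1,5 @@
+# nginx container
+docker run --name nginxcf -v /my/container-config/alpine/nginx/nginx.conf:/etc/nginx/nginx.conf:ro \
+-m 2g -v /var/www/nextcloud:/var/www/nextcloud:ro \
+-v /var/www/enpass:/var/www/enpass:rw \
+--net macvlan --ip 192.168.86.210 -d --restart=always debian/nginx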
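Review bot: The `-v /var/www/enpass:/var/www/enpass:rw` mount makes the whole WebDAV tree writable from the container, and the nginx.conf shown earlier on this page sets `auth_basic_user_file /var/www/enpass/.htpass`, which is inside that same served, DAV-writable directory (assuming that is the config mounted here). The password file then sits behind the very endpoint it protects, where an authenticated client can read or replace it. I would keep it outside the document root and mount it separately read-only, e.g. `-v /path/on/host/enpass.htpass:/etc/nginx/enpass.htpass:ro` (both paths are placeholders), with `auth_basic_user_file` updated to match.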


@ -1,3 +1,2 @@
docker rm -f keydb docker rm -f keydb
# docker run -d --name redis --network macvlan --ip 192.168.86.212 --restart=always alpine/redis
docker run --name keydb -d --network macvlan --ip 192.168.86.212 --restart=always eqalpha/keydb keydb-server /etc/keydb/keydb.conf --server-threads 4 docker run --name keydb -d --network macvlan --ip 192.168.86.212 --restart=always eqalpha/keydb keydb-server /etc/keydb/keydb.conf --server-threads 4

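--- a/rocky/awscli2/Dockerfile
+++ b/rocky/awscli2/Dockerfile
@@ -0,0 +1,8 @@
+FROM rockylinux:9
+LABEL maintainer="racken@racker.tech"
+LABEL description="awscli2 on rocky9"
+ENV container docker
+RUN /usr/bin/dnf -y install unzip jq git wget curl bind-utils
+RUN curl https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip -o /tmp/awscliv2.zip; cd /tmp; unzip -qq awscliv2.zip; ./aws/install
+ENV PS1 "awscli "
+ENTRYPOINT ["/bin/bash"]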
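Review bot: The `RUN curl … -o /tmp/awscliv2.zip; cd /tmp; unzip -qq awscliv2.zip; ./aws/install` line runs the downloaded installer as root without any integrity check, and with `;` separators and no `-f` on curl a bad download is only caught indirectly by a later step. AWS publishes a detached PGP signature next to the zip (the same URL with `.sig` appended), so the build can fetch it and run `gpg --verify awscliv2.sig awscliv2.zip` against the AWS CLI public key before `./aws/install`. At minimum I would use `curl -fsSL`, chain the steps with `&&`, and end with `rm -rf /tmp/aws /tmp/awscliv2.zip` in the same layer. `ENV PS1 "awscli "` uses the legacy space-separated form; `ENV PS1="awscli "` is the current syntax.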


@ -1,18 +1,18 @@
FROM rockylinux/rockylinux FROM rockylinux:9
LABEL description="Observium 19.8.10000 on RockyLinux" LABEL description="Observium 19.8.10000 on RockyLinux"
LABEL maintainer="xpk@headdesk.me" LABEL maintainer="xpk@headdesk.me"
LABEL notes="Initial user/pass = observium/observium. Mount /opt/observium and /var/lib/mysql on persistent storage." LABEL notes="Initial user/pass = observium/observium. Mount /opt/observium and /var/lib/mysql on persistent storage."
LABEL exposed-port="80" LABEL exposed-port="80"
ENV container docker ENV container docker
RUN dnf -y install epel-release RUN dnf -y install epel-release
RUN dnf install -y https://rpms.remirepo.net/enterprise/remi-release-8.rpm #RUN dnf install -y https://rpms.remirepo.net/enterprise/remi-release-9.rpm
RUN dnf module enable php:remi-8.1 -y #RUN dnf module enable php:remi-8.1 -y
# RUN dnf -y install http://yum.opennms.org/repofiles/opennms-repo-stable-rhel7.noarch.rpm # RUN dnf -y install http://yum.opennms.org/repofiles/opennms-repo-stable-rhel7.noarch.rpm
#RUN dnf -y install wget httpd php php-opcache php-mysqlnd php-gd php-posix php-pear cronie net-snmp net-snmp-utils fping mariadb rrdtool ipmitool graphviz ImageMagick php-json python3-PyMySQL libsodium libsodium-devel php-devel make supervisor --nobest #RUN dnf -y install wget httpd php php-opcache php-mysqlnd php-gd php-posix php-pear cronie net-snmp net-snmp-utils fping mariadb rrdtool ipmitool graphviz ImageMagick php-json python3-PyMySQL libsodium libsodium-devel php-devel make supervisor --nobest
RUN dnf -y install wget httpd php php-opcache php-mysqlnd php-gd php-sodium php-posix php-pear cronie net-snmp net-snmp-utils fping mariadb rrdtool ipmitool graphviz ImageMagick php-json python3-PyMySQL libsodium php-devel supervisor --nobest RUN dnf -y install wget httpd php php-opcache php-mysqlnd php-gd php-sodium php-posix php-pear cronie net-snmp net-snmp-utils fping mariadb rrdtool ipmitool graphviz ImageMagick php-json python3-PyMySQL libsodium php-devel supervisor python-unversioned-command procps-ng iproute --nobest
#RUN mysql_install_db -u mysql #RUN mysql_install_db -u mysql
#RUN pecl install libsodium; echo "extension=sodium.so" > /etc/php.d/sodium.ini #RUN pecl install libsodium; echo "extension=sodium.so" > /etc/php.d/sodium.ini
RUN ln -s /usr/bin/python3 /usr/bin/python; mkdir -p /opt/observium /run/supervisor /run/php-fpm RUN mkdir -p /opt/observium /run/supervisor /run/php-fpm
WORKDIR /opt/observium WORKDIR /opt/observium
# RUN wget -qq -O- http://www.observium.org/observium-community-latest.tar.gz | tar zxf - --strip-components=1 # RUN wget -qq -O- http://www.observium.org/observium-community-latest.tar.gz | tar zxf - --strip-components=1
# for upgrade, see upgrade.md # for upgrade, see upgrade.md
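Review bot: The rewritten `dnf -y install … --nobest` line keeps `--nobest` although the remi release and `php:remi-8.1` module lines are now commented out. With that flag dnf may silently settle for an older build of a package instead of failing, and it is presumably no longer needed against the stock Rocky 9 and EPEL repositories. I would drop `--nobest` and end the step with `&& dnf clean all` so the repository metadata does not stay in the layer. The commented-out `#RUN` lines could be deleted rather than carried along, since the history keeps them. The Dockerfile continues past this hunk.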


@ -0,0 +1,29 @@
FROM rockylinux/rockylinux
LABEL description="Observium 19.8.10000 on RockyLinux"
LABEL maintainer="xpk@headdesk.me"
LABEL notes="Initial user/pass = observium/observium. Mount /opt/observium and /var/lib/mysql on persistent storage."
LABEL exposed-port="80"
ENV container docker
RUN dnf -y install epel-release
RUN dnf install -y https://rpms.remirepo.net/enterprise/remi-release-8.rpm
RUN dnf module enable php:remi-8.1 -y
# RUN dnf -y install http://yum.opennms.org/repofiles/opennms-repo-stable-rhel7.noarch.rpm
#RUN dnf -y install wget httpd php php-opcache php-mysqlnd php-gd php-posix php-pear cronie net-snmp net-snmp-utils fping mariadb rrdtool ipmitool graphviz ImageMagick php-json python3-PyMySQL libsodium libsodium-devel php-devel make supervisor --nobest
RUN dnf -y install wget httpd php php-opcache php-mysqlnd php-gd php-sodium php-posix php-pear cronie net-snmp net-snmp-utils fping mariadb rrdtool ipmitool graphviz ImageMagick php-json python3-PyMySQL libsodium php-devel supervisor --nobest
#RUN mysql_install_db -u mysql
#RUN pecl install libsodium; echo "extension=sodium.so" > /etc/php.d/sodium.ini
RUN alternatives --set python /usr/bin/python3 ; mkdir -p /opt/observium /run/supervisor /run/php-fpm
WORKDIR /opt/observium
# RUN wget -qq -O- http://www.observium.org/observium-community-latest.tar.gz | tar zxf - --strip-components=1
# for upgrade, see upgrade.md
COPY config.php /opt/observium/config.php
COPY observium.ini /etc/supervisord.d/observium.ini
COPY crontab /var/spool/cron/root
#RUN mkdir -p /opt/observium/rrd /opt/observium/logs; chown apache:apache /opt/observium/{rrd,logs}
RUN sed -i -e 's@/var/www/html@/opt/observium/html@g' -e 's/AllowOverride.*/AllowOverride All/g' /etc/httpd/conf/httpd.conf
#ADD initialise.sh /opt/observium/initialise.sh
#RUN chmod 755 /opt/observium/initialise.sh && /opt/observium/initialise.sh
# Add static route
# RUN ip route add 192.168.167.0/24 via 192.168.86.2
EXPOSE 80
CMD ["/usr/bin/supervisord", "-n"]
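Review bot: `FROM rockylinux/rockylinux` carries no tag while the rest of this file is tied to EL8 (`remi-release-8.rpm`, and apparently `alternatives --set python`), so the build depends on whatever `latest` resolves to on the day. If this file is kept as the Rocky 8 variant, pin it, e.g. `FROM rockylinux/rockylinux:8`. The `LABEL notes=` line also publishes the initial observium/observium login in the image metadata. A comment such as `# change the initial observium password after first login` next to it would help whoever deploys the image.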


@ -1 +1,3 @@
docker build -t rocky/observium --network macvlan . export DOCKER_BUILDKIT=1
docker build --network host -t rocky/observium .


@ -1,5 +1,5 @@
[program:httpd] [program:httpd]
command=/usr/sbin/apachectl -DFOREGROUND command=/usr/sbin/httpd -DFOREGROUND
autostart=true autostart=true
autorestart=true autorestart=true
killasgroup=true killasgroup=true


@ -0,0 +1,29 @@
[program:httpd]
command=/usr/sbin/apachectl -DFOREGROUND
autostart=true
autorestart=true
killasgroup=true
stopasgroup=true
[program:phpfpm]
command=/usr/sbin/php-fpm -c /etc/php-fpm.conf -F
autostart=true
autorestart=true
#[program:mysql]
#command=/usr/bin/pidproxy /run/mariadb/mariadb.pid /usr/bin/mysqld_safe --pid-file=/run/mariadb/mariadb.pid
#autostart=true
#autorestart=true
[program:crond]
command=/usr/sbin/crond -nsp
autostart=true
autorestart=true
[program:staticroute]
command=/sbin/ip r a 192.168.167.0/24 via 192.168.86.2
autostart=true
autorestart=false
startretries=1
startsecs = 0


@ -1,5 +1,5 @@
docker run -d --name observium --network macvlan --ip=192.168.86.57 \ docker run -d --name observium --network macvlan --ip=192.168.86.57 \
--cap-add NET_ADMIN --cpus=2 \ --cap-add NET_ADMIN --cpus=3 --memory=1500m \
-v /my/container-config/centos8/observium/app.data:/opt/observium \ -v /my/apps/observium:/opt/observium \
-e TZ=Asia/Hong_Kong \ -e TZ=Asia/Hong_Kong \
--restart=always rocky/observium --restart=always rocky/observium


@ -1,3 +1,3 @@
# attach to container # See official upgrade steps
cd /opt/observium https://docs.observium.org/updating/
wget -qq -O- http://www.observium.org/observium-community-latest.tar.gz | tar zxf - --strip-components=1


@ -0,0 +1,9 @@
FROM ubuntu:jammy
ENV container docker
RUN apt -y update; apt -y install git curl bash openssh-client jq zip screen vim
COPY ibm-gft-developers /root/ibm-gft-developers
RUN mkdir /root/.ssh; chmod 700 /root/.ssh; chmod 400 /root/ibm-gft-developers
COPY ssh-config /root/.ssh/config
RUN curl -L https://raw.githubusercontent.com/warrensbox/terraform-switcher/release/install.sh | bash
ENV PS1="mbk.deploy "
ENTRYPOINT ["/usr/bin/bash"]
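Review bot: `COPY ibm-gft-developers /root/ibm-gft-developers` bakes an SSH private key into an image layer, and the same commit adds that key file to the repository, so anyone with access to the image or the repo history holds the key. It should be treated as exposed: rotate it, remove the file from the repo, and list it in `.gitignore` and `.dockerignore`. Since the container is an interactive shell, the key can be supplied at run time instead, e.g. `docker run -v /path/on/host/key:/root/ibm-gft-developers:ro …` (host path is a placeholder), leaving only the `ssh-config` copy in the build. Separately, `curl -L … install.sh | bash` runs an unpinned script from a branch as root during the build; fetching a pinned release and checking its checksum before running it would close that gap.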


@ -0,0 +1,38 @@
-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----


@ -0,0 +1,3 @@
Host git-codecommit.*.amazonaws.com
User APKAQKBPW4BVIC6WEBIG
IdentityFile /root/ibm-gft-developers