commit 84bb7e33c88fe1ea2d13e15749ba5eefd27b6d79 Author: Mathieu Strypsteen Date: Wed Nov 22 21:12:36 2023 +0100 Initial commit
diff --git a/container-config/act-runner/config.yaml b/container-config/act-runner/config.yaml
new file mode 100644
index 0000000..8ff9397
--- /dev/null
+++ b/container-config/act-runner/config.yaml
@@ -0,0 +1,3 @@
+container:
+ docker_host: '-'
+ options: --oom-score-adj=200
diff --git a/container-config/nginx/mime.types b/container-config/nginx/mime.types
new file mode 100644
index 0000000..745f5ac
--- /dev/null
+++ b/container-config/nginx/mime.types
@@ -0,0 +1,5 @@
+types {
+ application/javascript js;
+ text/css css;
+ text/html html;
+}
diff --git a/container-config/nginx/nginx.conf b/container-config/nginx/nginx.conf
new file mode 100644
index 0000000..021d675
--- /dev/null
+++ b/container-config/nginx/nginx.conf
@@ -0,0 +1,38 @@
+pid /tmp/nginx.pid;
+
+http {
+ resolver 172.16.0.1;
+ types_hash_max_size 4096;
+ ssl_certificate /etc/certificates/fullchain.pem;
+ ssl_certificate_key /etc/certificates/privkey.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ charset utf-8;
+ http2 on;
+ gzip on;
+ include mime.types;
+ sendfile on;
+ tcp_nodelay on;
+ tcp_nopush on;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ client_max_body_size 100M;
+ proxy_read_timeout 600;
+ proxy_send_timeout 600;
+ include sites/*;
+ server {
+ listen 80;
+ listen [::]:80;
+ return 301 https://$host$request_uri;
+ }
+ server {
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+ location / {
+ return 404;
+ }
+ }
+}
+events {
+ worker_connections 1024;
+}
diff --git a/container-config/nginx/sites/kelder.zeus.ugent.be.conf b/container-config/nginx/sites/kelder.zeus.ugent.be.conf
new file mode 100644
index 0000000..0ceb9a8
--- /dev/null
+++ b/container-config/nginx/sites/kelder.zeus.ugent.be.conf
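Review bot: The catch-all `listen 443 ssl default_server` block at the end of the `http` section in nginx.conf still completes the TLS handshake with the shared certificate before answering 404, so requests for unknown hostnames are served the certificate and its names. If the deployed nginx supports it (1.19.4 or later), `ssl_reject_handshake on;` inside that server block refuses the handshake instead. The `http` block also sets no `server_tokens off;`, so the nginx version is advertised in the `Server` header and on error pages.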
@@ -0,0 +1,62 @@
+server {
+ listen 443 ssl;
+ # kelder.zeus.ugent.be irc.zeus.ugent.be zeusgw.ugent.be endymion.ugent.be
+ # all point to here
+ server_name kelder.zeus.ugent.be zeusgw.ugent.be;
+
+ #############
+ # LOCATIONS #
+ #############
+
+ rewrite ^/$ https://zeus.ugent.be/ permanent;
+
+ # This uses https://github.com/vvidic/mjpeg-proxy to proxy MJPG cameras so only one stream
+ # per camera is opened
+ location ~ ^/camera/(.*)$ {
+ proxy_pass http://systemd-mjpeg-proxy.:8080/$1$is_args$args;
+ }
+
+ location /webcam/cgi/ptdc.cgi {
+ add_header 'Access-Control-Allow-Origin' '*';
+ try_files /tmp/freeze_camera @cammie_movement;
+ }
+
+ location @cammie_movement {
+ # Cammie movement commands
+ proxy_pass http://10.0.0.7/cgi/ptdc.cgi$is_args$args;
+ expires off;
+ }
+
+ # Slotmachien
+ location /lockbot {
+ proxy_pass http://10.0.1.5/;
+ }
+
+ location /fingerprint {
+ proxy_pass http://10.0.1.15/;
+ }
+
+ location /messages {
+ proxy_pass http://10.0.0.11:5000/messages;
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Headers' 'X-Username';
+ }
+
+ location /kelderapi/ {
+ proxy_pass http://10.0.0.8:5000/kelderapi/;
+ }
+
+ location /socket.io/ {
+ proxy_redirect off;
+ proxy_pass_request_headers on;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_pass http://10.0.0.11:5000/socket.io/;
+ }
+}
+
diff --git a/setup-tolkien.sh b/setup-tolkien.sh
new file mode 100644
index 0000000..f3f9f47
--- /dev/null
+++ b/setup-tolkien.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+set -e
+cp -R tolkien/* /
diff --git a/tolkien/etc/containers/containers.conf b/tolkien/etc/containers/containers.conf
new file mode 100644
index 0000000..32fccf2
--- /dev/null
+++ b/tolkien/etc/containers/containers.conf
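Review bot: The `/lockbot`, `/fingerprint` and `/webcam/cgi/ptdc.cgi` locations in kelder.zeus.ugent.be.conf forward public requests to devices on 10.0.x.x with no `allow`/`deny`, `auth_basic` or `auth_request` in front of them, so access control rests entirely on the backends, which this diff does not show. If these are meant for trusted clients only, state it at the proxy, e.g. `allow <trusted-range>; deny all;` (placeholder range), or add a comment naming where authentication happens. In `location /socket.io/`, `proxy_set_header Host` is given twice (`$http_host`, then `$host`); keep one of them. The server block also listens only on `443 ssl` while the default server in nginx.conf binds `[::]:443` too, so IPv6 clients would presumably land on the 404 catch-all; `listen [::]:443 ssl;` would match.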
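Review bot: `cp -R tolkien/* /` in setup-tolkien.sh resolves `tolkien/` against the caller's working directory and writes into `/` with modes derived from the checkout and the current umask, which matters for the unit files that end up under `/etc/containers/systemd`. Anchoring the script with `cd "$(dirname "$0")"` before the copy would remove the dependency on where it is invoked. A header comment stating that it must run as root and overwrites files under `/etc` and `/var` would make the effect explicit.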
@@ -0,0 +1,2 @@
+[network]
+default_subnet_pools = [{base = "172.16.0.0/24", size = 24}]
diff --git a/tolkien/etc/containers/systemd/mjpeg-proxy.container b/tolkien/etc/containers/systemd/mjpeg-proxy.container
new file mode 100644
index 0000000..8739146
--- /dev/null
+++ b/tolkien/etc/containers/systemd/mjpeg-proxy.container
@@ -0,0 +1,7 @@
+[Container]
+Image=git.zeus.gent/sysadmin/mjpeg-proxy
+Network=nginx.network
+UserNS=auto
+AutoUpdate=registry
+[Install]
+WantedBy=multi-user.target
diff --git a/tolkien/etc/containers/systemd/nginx.container b/tolkien/etc/containers/systemd/nginx.container
new file mode 100644
index 0000000..f21c02a
--- /dev/null
+++ b/tolkien/etc/containers/systemd/nginx.container
@@ -0,0 +1,14 @@
+[Container]
+Image=cgr.dev/chainguard/nginx:latest-dev
+UserNS=auto
+Network=nginx.network
+Volume=/var/lib/configs/container-config/nginx:/etc/nginx:z,ro
+Volume=/etc/certificates/private:/etc/certificates:z,ro
+PublishPort=80:80
+PublishPort=[::]:80:80
+PublishPort=443:443
+PublishPort=[::]:443:443
+Sysctl=net.ipv4.ip_unprivileged_port_start=80
+AutoUpdate=registry
+[Install]
+WantedBy=multi-user.target
diff --git a/tolkien/etc/containers/systemd/nginx.network b/tolkien/etc/containers/systemd/nginx.network
new file mode 100644
index 0000000..75d15e6
--- /dev/null
+++ b/tolkien/etc/containers/systemd/nginx.network
@@ -0,0 +1,3 @@
+[Network]
+IPv6=true
+Options=isolate=true
diff --git a/tolkien/etc/containers/systemd/users/1500/act-runner.container b/tolkien/etc/containers/systemd/users/1500/act-runner.container
new file mode 100644
index 0000000..1a2b56e
--- /dev/null
+++ b/tolkien/etc/containers/systemd/users/1500/act-runner.container
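Review bot: `Image=git.zeus.gent/sysadmin/mjpeg-proxy` in mjpeg-proxy.container carries no tag or digest and is combined with `AutoUpdate=registry`, so whatever is pushed to that repository is pulled and started on the host without review. The same pattern appears in nginx.container (`latest-dev`), act-runner.container and podman-container.container. Pinning each image to a digest, `Image=<repo>@sha256:<digest>` (placeholder), and bumping it through commits would keep the deployed set traceable to this repository. If unattended updates are intended, a comment saying which registries are trusted for them would document the decision.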
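Review bot: `Image=cgr.dev/chainguard/nginx:latest-dev` in nginx.container selects the development variant, which ships a shell and a package manager on top of the minimal runtime image. For a proxy that publishes ports 80 and 443, the non-dev tag leaves less tooling available inside the container if nginx is compromised. If the `-dev` variant is required, a comment above the `Image=` line saying why would help.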
@@ -0,0 +1,17 @@
+[Unit]
+Requires=podman-container.service
+After=podman-container.service
+[Container]
+Image=docker.io/gitea/act_runner
+LogDriver=none
+Volume=podman.volume:/run/podman:z
+Volume=/var/lib/configs/container-config/act-runner:/etc/act-runner:O
+Volume=act-runner.volume:/data:U,Z
+Environment=CONFIG_FILE=/etc/act-runner/config.yaml
+Environment=GITEA_INSTANCE_URL=https://git.zeus.gent
+Environment=GITEA_RUNNER_NAME=home
+Environment=GITEA_RUNNER_LABELS=debian-12:docker://node:bookworm
+Secret=GITEA_RUNNER_REGISTRATION_TOKEN,type=env
+AutoUpdate=registry
+[Install]
+WantedBy=default.target
diff --git a/tolkien/etc/containers/systemd/users/1500/act-runner.volume b/tolkien/etc/containers/systemd/users/1500/act-runner.volume
new file mode 100644
index 0000000..e69de29
diff --git a/tolkien/etc/containers/systemd/users/1500/podman-container.container b/tolkien/etc/containers/systemd/users/1500/podman-container.container
new file mode 100644
index 0000000..48f0945
--- /dev/null
+++ b/tolkien/etc/containers/systemd/users/1500/podman-container.container
@@ -0,0 +1,11 @@
+[Container]
+Image=quay.io/containers/podman
+Unmask=/proc/*
+SecurityLabelDisable=true
+User=1000
+AddDevice=/dev/net/tun
+Exec=podman system service -t0 unix:///run/podman/podman.sock
+Volume=podman.volume:/run/podman:U,z
+AutoUpdate=registry
+[Install]
+WantedBy=default.target
diff --git a/tolkien/etc/containers/systemd/users/1500/podman.volume b/tolkien/etc/containers/systemd/users/1500/podman.volume
new file mode 100644
index 0000000..e69de29
diff --git a/tolkien/var/lib/systemd/linger/act-runner b/tolkien/var/lib/systemd/linger/act-runner
new file mode 100644
index 0000000..e69de29
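Review bot: `LogDriver=none` in act-runner.container discards the runner's output, so the host keeps no record of which jobs ran or failed for a container that executes repository-supplied CI code and has the podman socket mounted at `/run/podman`. Unless logs are collected elsewhere, which is not visible here, dropping the line or using `LogDriver=journald` keeps that trail for later investigation. If logging is disabled on purpose, a comment above the line should say why.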
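Review bot: `Unmask=/proc/*`, `SecurityLabelDisable=true` and `AddDevice=/dev/net/tun` in podman-container.container each relax the container's isolation, and the unit gives no reason for any of them. They look like the usual requirements for running podman inside a container, but that is inferred from the `Exec=` line only. A comment above each, e.g. `# needed for nested rootless podman: inner containers mount their own /proc`, would let a later reader tell required relaxations from leftovers. `podman.volume` is also mounted by act-runner.container, so anything there that can reach `/run/podman/podman.sock` controls this service; that trust relationship deserves a comment too.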