From b965b25546b22478baef59660943cefad286b73c Mon Sep 17 00:00:00 2001 From: teutat3s Date: Fri, 21 Jul 2023 11:48:58 +0200 Subject: [PATCH 1/5] Fix links git.b12f.io -> git.pub.solar --- nextcloud/README.md | 2 +- terraform/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nextcloud/README.md b/nextcloud/README.md index 485c902..1a0f3a4 100644 --- a/nextcloud/README.md +++ b/nextcloud/README.md @@ -3,7 +3,7 @@ `nix flake --help` should give you some output, then we're good to go. ``` -git clone https://git.b12f.io/pub-solar/infra +git clone https://git.pub.solar/pub-solar/infra cd infra nix develop --command zsh ``` diff --git a/terraform/README.md b/terraform/README.md index ea82ea6..11fc323 100644 --- a/terraform/README.md +++ b/terraform/README.md @@ -3,7 +3,7 @@ `nix flake --help` should give you some output, then we're good to go. ``` -git clone https://git.b12f.io/pub-solar/infra +git clone https://git.pub.solar/pub-solar/infra cd infra nix develop --command zsh ``` From 873783ca771ee4340e9a489e9cf8d813979e4482 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Fri, 21 Jul 2023 11:49:31 +0200 Subject: [PATCH 2/5] flake: update devshell inputs, bump flake.lock --- flake.lock | 71 +++++++++++++++++++++++++++++++++++++++--------------- flake.nix | 3 +-- 2 files changed, 52 insertions(+), 22 deletions(-) diff --git a/flake.lock b/flake.lock index a220475..de4ab3f 100644 --- a/flake.lock +++ b/flake.lock @@ -2,19 +2,17 @@ "nodes": { "devshell": { "inputs": { - "flake-utils": [ - "flake-utils" - ], "nixpkgs": [ "nixpkgs" - ] + ], + "systems": "systems" }, "locked": { - "lastModified": 1667210711, - "narHash": "sha256-IoErjXZAkzYWHEpQqwu/DeRNJGFdR7X2OGbkhMqMrpw=", + "lastModified": 1683635384, + "narHash": "sha256-9goJTd05yOyD/McaMqZ4BUB8JW+mZMnZQJZ7VQ6C/Lw=", "owner": "numtide", "repo": "devshell", - "rev": "96a9dd12b8a447840cc246e17a47b81a4268bba7", + "rev": "5143ea68647c4cf5227e4ad2100db6671fc4c369", "type": "github" }, "original": { 
@@ -24,12 +22,15 @@ } }, "flake-utils": { + "inputs": { + "systems": "systems_2" + }, "locked": { - "lastModified": 1667395993, - "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "lastModified": 1681202837, + "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", "owner": "numtide", "repo": "flake-utils", - "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "rev": "cfacdce06f30d2b68473a46042957675eebb3401", "type": "github" }, "original": { @@ -40,11 +41,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1669542132, - "narHash": "sha256-DRlg++NJAwPh8io3ExBJdNW7Djs3plVI5jgYQ+iXAZQ=", + "lastModified": 1684935479, + "narHash": "sha256-6QMMsXMr2nhmOPHdti2j3KRHt+bai2zw+LJfdCl97Mk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "a115bb9bd56831941be3776c8a94005867f316a7", + "rev": "f91ee3065de91a3531329a674a45ddcb3467a650", "type": "github" }, "original": { @@ -56,11 +57,11 @@ }, "nixpkgs-2205": { "locked": { - "lastModified": 1672580127, - "narHash": "sha256-3lW3xZslREhJogoOkjeZtlBtvFMyxHku7I/9IVehhT8=", + "lastModified": 1682600000, + "narHash": "sha256-ha4BehR1dh8EnXSoE1m/wyyYVvHI9txjW4w5/oxsW5Y=", "owner": "nixos", "repo": "nixpkgs", - "rev": "0874168639713f547c05947c76124f78441ea46c", + "rev": "50fc86b75d2744e1ab3837ef74b53f103a9b55a0", "type": "github" }, "original": { 
@@ -79,6 +80,36 @@ "tritonshell-module": "tritonshell-module" } }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "tritonshell-module": { "inputs": { "devshell": [ @@ -92,11 +123,11 @@ ] }, "locked": { - "lastModified": 1669581047, - "narHash": "sha256-qs2VUUCCkWlc+5KvP/Vh2ToLKMkCjAws47bVT6rilG8=", + "lastModified": 1684242426, + "narHash": "sha256-kvFD6WP6I1fK9DMCPpuRDZxsAGKpzXMMd2G5MYP42kU=", "ref": "main", - "rev": "341aa68b667a8fb9b77f8af319b7439e82c78793", - "revCount": 53, + "rev": "d227038987158fa894872868f25bbf911c9cb8d1", + "revCount": 61, "type": "git", "url": "https://git.greenbaum.cloud/dev/tritonshell" }, diff --git a/flake.nix b/flake.nix index 51e33d1..c95ac88 100644 --- a/flake.nix +++ b/flake.nix @@ -8,7 +8,6 @@ flake-utils.url = "github:numtide/flake-utils"; devshell.url = "github:numtide/devshell"; - devshell.inputs.flake-utils.follows = "flake-utils"; devshell.inputs.nixpkgs.follows = "nixpkgs"; tritonshell-module.url = "git+https://git.greenbaum.cloud/dev/tritonshell?ref=main"; @@ -21,7 +20,7 @@ flake-utils.lib.simpleFlake { inherit self nixpkgs; name = "infra-project"; - preOverlays = [ devshell.overlay ]; + preOverlays = [ devshell.overlays.default ]; shell = { pkgs }: pkgs.devshell.mkShell { imports = [ tritonshell-module.devshellModules.x86_64-linux.tritonshell ]; 
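Review bot: Dropping `devshell.inputs.flake-utils.follows` leaves devshell and flake-utils each pulling their own `systems` input, which is presumably why flake.lock in this same patch gains two byte-identical nodes, `systems` and `systems_2`. If a single pinned copy is wanted, the usual pattern is a top-level `systems.url = "github:nix-systems/default";` plus `devshell.inputs.systems.follows = "systems";` and `flake-utils.inputs.systems.follows = "systems";` next to the existing `devshell.inputs.nixpkgs.follows` line; otherwise a short comment saying the duplicate is accepted would stop the next person from "fixing" it. The `inputs` attribute set this hunk edits starts and ends outside the hunk, so I cannot see whether such a top-level input already exists.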
From d91b216b4c7804b495ed456a594d6edcbcebe787 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Fri, 21 Jul 2023 11:50:44 +0200 Subject: [PATCH 3/5] mastodon: 4.1.2 -> 4.1.4, update docs with how to upgrade caddy and elasticsearch containers --- mastodon/README.md | 41 ++++++++++++++++++++++++++++++++++++- mastodon/docker-compose.yml | 33 ++++++++++++++--------------- 2 files changed, 57 insertions(+), 17 deletions(-) diff --git a/mastodon/README.md b/mastodon/README.md index 6c8bb07..cc2deb2 100644 --- a/mastodon/README.md +++ b/mastodon/README.md @@ -1,7 +1,7 @@ # pub.solar mastodon https://mastodon.pub.solar -### Upgrading +### Upgrading Mastodon This section assumes you edited `docker-compose.yml` and bumped the mastodon docker image version tag ``` 
@@ -53,6 +53,45 @@ docker rm \ blue-mastodon_sidekiq_($current_container_index - 1) ``` +### Upgrading Caddy +``` +mkdir -p certificates/acme-v02.api.letsencrypt.org-directory +docker cp --archive blue-mastodon_caddy_2:/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/files.pub.solar ./certificates/acme-v02.api.letsencrypt.org-directory/ +docker cp --archive blue-mastodon_caddy_2:/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mastodon.pub.solar ./certificates/acme-v02.api.letsencrypt.org-directory/ + +docker-compose --project-name blue-mastodon up \ + --scale caddy=2 \ + --no-recreate \ + --no-start + +docker cp --archive ./backups/certificates blue-mastodon_caddy_3:/data/caddy/certificates +docker start blue-mastodon_caddy_3 + +# Stop old caddy container +docker stop blue-mastodon_caddy_2 + +# Verify everything works fine, then remove the old caddy container +docker rm blue-mastodon_caddy_2 +``` + +### Upgrading Elasticsearch +Look for new releases on https://www.elastic.co/guide/en/elasticsearch/reference/7.17/es-release-notes.html +and edit the docker image tag accordingly. +``` +docker-compose --project-name blue-mastodon up \ + --scale elasticsearch=2 \ + --no-recreate \ + +# Stop old elasticsearch container +docker stop blue-mastodon_elasticsearch_2 + +docker exec -it blue-mastodon_web_15 bash +tootctl search deploy + +# Verify everything works fine, then remove the old caddy container +docker rm blue-mastodon_elasticsearch_2 +``` + Todos: - implement automatic backups, they are only done manually during upgrades at the moment - switch proxy from nginx-dehydrated to caddy - done diff --git a/mastodon/docker-compose.yml b/mastodon/docker-compose.yml index 12dc68c..24e3bb4 100644 --- a/mastodon/docker-compose.yml +++ b/mastodon/docker-compose.yml @@ -28,7 +28,7 @@ services: # - triton.cns.services=mastodon-proxy caddy: - image: caddy:2.5.1 + image: caddy:2.6.4 mem_limit: 256m restart: always environment: 
@@ -44,12 +44,16 @@ services: labels: - triton.cns.services=mastodon-proxy entrypoint: /bin/sh - command: >- - -c 'echo " + command: + - -c + - >- + echo " { email admins@pub.solar + servers { + protocols h1 h2 + } } - $$SITE_DOMAIN { @streaming { path /api/v1/streaming/* @@ -77,23 +81,21 @@ services: handle_errors { rewrite 500.html } - encode zstd gzip - header { Strict-Transport-Security "max-age=31536000" + # clickjacking protection + X-Frame-Options DENY } header /sw.js Cache-Control "public, max-age=0" header @cache_control Cache-Control "public, max-age=31536000, immutable" } - files.pub.solar { handle { rewrite * /s/jw24ad6l4a6zxsnd32cmf5hp5nsq/pub-solar-mastodon{uri}?download reverse_proxy { # backends / upstreams to https://link.tardigradeshare.io - # header manipulation # proxy to an HTTPS endpoint header_up Host {upstream_hostport} @@ -101,7 +103,6 @@ services: header_up Connection "" header_up Authorization "" # remove these header from the backends response - header_down -content-disposition header_down -Set-Cookie header_down -Access-Control-Allow-Origin header_down -Access-Control-Allow-Methods @@ -115,14 +116,14 @@ services: # add these header to the backends response # cache client side for 7 days header_down Cache-Control "public, max-age=604800" + header_down Access-Control-Allow-Origin "*" + header_down X-Content-Type-Options "nosniff" } } handle_errors { rewrite 500.html } - } - " | caddy run --adapter caddyfile --config -' - + }" | caddy run --adapter caddyfile --config - # using SmartOS native zone mastodon-redis, lx-brand redis crashes regularly, # upstream bug: https://github.com/redis/redis/issues/8861 @@ -135,7 +136,7 @@ services: # - triton.cns.services=mastodon-redis web: - image: tootsuite/mastodon:v4.1.2 + image: tootsuite/mastodon:v4.1.4 mem_limit: 1g restart: always env_file: .env.production 
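Review bot: The new `servers { protocols h1 h2 }` global option carries no comment explaining why it is there; as far as I recall, the caddy 2.6 image this series moves to enables HTTP/3 by default, so listing only `h1 h2` switches it off. If that is deliberate (for example because the container does not publish UDP 443 — nothing in this file shows either way), say so above the block, e.g. `# h3 deliberately disabled: <reason>`, so a later image bump does not silently keep or remove it by accident. The `command` scalar this block belongs to continues past the hunk.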
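Review bot: `encode zstd gzip` disappears from the `$$SITE_DOMAIN` site block with nothing in the commit message or the Caddyfile saying why, so a later reader cannot tell whether response compression was removed on purpose or lost while reflowing the `command` value into list form. A one-line comment where it used to sit, such as `# response compression intentionally off: <reason>`, would settle that; if it was not intended, the line should come back. The site block starts before this hunk.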
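Review bot: The added `header_down Access-Control-Allow-Origin "*"` on the files.pub.solar reverse proxy is only safe because that handler serves public content: the proxy blanks `Authorization` on the way up and strips `Set-Cookie` on the way back (both visible as context in the preceding hunks), so no credentialed response can be read cross-origin. That reasoning is not recorded anywhere, so put it beside the directive, e.g. `# wildcard CORS is acceptable here: public, unauthenticated downloads only`, so the assumption gets re-checked if the upstream or its auth ever changes. The `echo "…"` shell string this hunk closes starts well before it.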
@@ -148,7 +149,7 @@ services: - triton.cns.services=mastodon-web streaming: - image: tootsuite/mastodon:v4.1.2 + image: tootsuite/mastodon:v4.1.4 mem_limit: 1g restart: always env_file: .env.production @@ -161,7 +162,7 @@ services: - triton.cns.services=mastodon-streaming sidekiq: - image: tootsuite/mastodon:v4.1.2 + image: tootsuite/mastodon:v4.1.4 mem_limit: 1g restart: always env_file: .env.production @@ -171,7 +172,7 @@ services: - triton.cns.services=mastodon-sidekiq elasticsearch: - image: docker.elastic.co/elasticsearch/elasticsearch:7.17.9 + image: docker.elastic.co/elasticsearch/elasticsearch:7.17.11 mem_limit: 512m restart: always environment: From d78c5a88f9e7901c372ae6d6a238f1cc4208e06c Mon Sep 17 00:00:00 2001 From: teutat3s Date: Fri, 21 Jul 2023 11:51:28 +0200 Subject: [PATCH 4/5] Add backups to gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 73495bf..c179363 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,4 @@ *.plan result .env +backups From a6d3dbb76de42d36425404214eaf374bbf9ae0c5 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Fri, 21 Jul 2023 11:51:46 +0200 Subject: [PATCH 5/5] Init docs --- docs/deletion-request.md | 17 ++++++++++++++ docs/keycloak-reset-user-password.md | 33 ++++++++++++++++++++++++++++ docs/keycloak-update-realm.md | 19 ++++++++++++++++ 3 files changed, 69 insertions(+) create mode 100644 docs/deletion-request.md create mode 100644 docs/keycloak-reset-user-password.md create mode 100644 docs/keycloak-update-realm.md diff --git a/docs/deletion-request.md b/docs/deletion-request.md new file mode 100644 index 0000000..42e65b2 --- /dev/null +++ b/docs/deletion-request.md 
@@ -0,0 +1,17 @@
+# Process for handling a deletion request
+
+### Keycloak
+Required:
+- auth.pub.solar ops user credentials
+- SSH access to host flora-6
+```
+ssh barkeeper@flora-6.pub.solar
+
+sudo --user keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm pub.solar --user ops
+
+# Take note of user id in response from following command
+sudo --user keycloak kcadm.sh get --config /tmp/kcadm.config users --realm pub.solar --query email=
+
+# Use user id from previous command, for example
+sudo --user keycloak kcadm.sh delete --config /tmp/kcadm.config users/2ec6f173-3c10-4b82-9808-e2f2d393ff11 --realm pub.solar
+```
diff --git a/docs/keycloak-reset-user-password.md b/docs/keycloak-reset-user-password.md
new file mode 100644
index 0000000..b22bd01
--- /dev/null
+++ b/docs/keycloak-reset-user-password.md
@@ -0,0 +1,33 @@
+# Process for resetting keycloak user passwords
+
+### Keycloak
+Required:
+- auth.pub.solar ops user credentials
+- SSH access to host flora-6
+```
+ssh barkeeper@flora-6.pub.solar
+
+mkdir /tmp/keycloak-credential-reset
+
+sudo --user keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm pub.solar --user ops
+
+sudo --user keycloak kcadm.sh get --config /tmp/kcadm.config users --realm pub.solar | jq --raw-output '.[] | .id' > /tmp/keycloak-credential-reset/all-uuids
+
+for UUID in $(cat /tmp/keycloak-credential-reset/all-uuids); do
+ sudo --user keycloak kcadm.sh get --config /tmp/kcadm.config users/$UUID/credentials --realm pub.solar > /tmp/keycloak-credential-reset/$UUID
+done
+
+mkdir /tmp/keycloak-credential-reset/accounts-with-creds
+
+find /tmp/keycloak-credential-reset -type f -size +3c -exec mv '{}' /tmp/keycloak-credential-reset/accounts-with-creds/ \;
+
+rm -r /tmp/keycloak-credential-reset/accounts-with-creds/
+
+find /tmp/keycloak-credential-reset/ -type f -exec basename '{}' \; > /tmp/keycloak-credential-reset/accounts-without-credentials
+
+vim /tmp/keycloak-credential-reset/accounts-without-credentials
+
+for UUID in $(cat /tmp/keycloak-credential-reset/accounts-without-credentials); do
+ sudo --user keycloak kcadm.sh update --config /tmp/kcadm.config users/$UUID/reset-password --target-realm pub.solar --set type=password --set value=$(< /dev/urandom tr -dc A-Z-a-z-0-9 | head -c${1:-32};echo;) --set temporary=true --no-merge
+done
+```
diff --git a/docs/keycloak-update-realm.md b/docs/keycloak-update-realm.md
new file mode 100644
index 0000000..39f7af0
--- /dev/null
+++ b/docs/keycloak-update-realm.md
@@ -0,0 +1,19 @@
+# Process for updating a keycloak realm via CLI
+
+### Keycloak
+Required:
+- auth.pub.solar ops user credentials
+- SSH access to host flora-6
+```
+ssh barkeeper@flora-6.pub.solar
+
+sudo -u keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm master --user admin
+
+sudo -u keycloak kcadm.sh get --config /tmp/kcadm.config realms/pub.solar
+
+sudo -u keycloak kcadm.sh update --config /tmp/kcadm.config realms/pub.solar -s browserFlow='Webauthn Browser'
+
+sudo -u keycloak kcadm.sh get --config /tmp/kcadm.config realms/pub.solar
+```
+
+Source: https://keycloak.ch/keycloak-tutorials/tutorial-webauthn/