From 792c7245b6c12ba3ab49bc154e95c5edf981538d Mon Sep 17 00:00:00 2001
From: Mario Alegre
Date: Fri, 5 Jun 2020 14:33:21 -0500
Subject: [PATCH] changes to mailsrv
---
TODO.md | 15 ++++
install.sh | 4 -
src/debian/assets/bash.bashrc | 3 +-
src/mailsrv/Containerfile | 13 +++-
src/mailsrv/assets/bin/mkvirt | 28 ++++---
.../assets/dovecot/conf.d/10-auth.conf | 2 +-
.../assets/dovecot/conf.d/10-master.conf | 2 +-
src/mailsrv/assets/mkvirtual.service | 12 +++
src/mailsrv/assets/postfix/main.cf | 2 +-
src/mailsrv/assets/postfix/master.cf | 14 +---
src/minecraft_bedrock/Containerfile | 77 +++++++++++++++++++
src/minecraft_bedrock/docs/resources.md | 1 +
src/nextcloud/Systemdfile | 2 +
src/nextcloud/docs/Deploy.md | 29 +------
14 files changed, 143 insertions(+), 61 deletions(-)
create mode 100644 TODO.md
create mode 100644 src/mailsrv/assets/mkvirtual.service
create mode 100644 src/minecraft_bedrock/Containerfile
create mode 100644 src/minecraft_bedrock/docs/resources.md
diff --git a/TODO.md b/TODO.md
new file mode 100644
index 0000000..8e64adc
--- /dev/null
+++ b/TODO.md
@@ -0,0 +1,15 @@
+# To Do
+
+- set up bash autocompletion for `pdm-` scripts
+ - https://stackoverflow.com/questions/11173447/how-can-i-set-up-autocompletion-for-git-commands
+ - https://askubuntu.com/questions/68175/how-to-create-script-with-auto-complete
+ - https://www.gnu.org/software/bash/manual/bash.html#Programmable-Completion
+ - https://debian-administration.org/article/316/An_introduction_to_bash_completion_part_1
+ - https://github.com/scop/bash-completion/blob/master/README.md
+- make container mounts point to /srv/vol
+- build script: separate params and build file
+ - allow overriding of install args
+ - `-o` flag? pass comma-separated list of overrides?
+ - also interactive?
+- allow arbitrary flags for launch & build?
+- make install script set kernel params for rootless?
diff --git a/install.sh b/install.sh
index 6b8d29c..dca393d 100755
--- a/install.sh
+++ b/install.sh
@@ -1,9 +1,5 @@
 #!/bin/bash
-# Variables
-myusr=containers
-myuid=60000
-
 # Main
 set -e
diff --git a/src/debian/assets/bash.bashrc b/src/debian/assets/bash.bashrc
index ceaa0f3..4ca3e5d 100644
--- a/src/debian/assets/bash.bashrc
+++ b/src/debian/assets/bash.bashrc
@@ -81,5 +81,6 @@ if [ -x /usr/lib/command-not-found -o -x /usr/share/command-not-found/command-no
 }
 fi
+alias ls='ls --color=auto'
 alias dir='ls -lFAh'
-alias rsyn='rsync -vaSH'
+alias rsy='rsync -vaSH'
diff --git a/src/mailsrv/Containerfile b/src/mailsrv/Containerfile
index 0396bad..27f34e9 100644
--- a/src/mailsrv/Containerfile
+++ b/src/mailsrv/Containerfile
@@ -35,6 +35,16 @@ RUN addgroup --gid ${FILESUID:?} vmail && \
 # copy our custom scripts
 COPY assets/bin /usr/local/bin
+###
+### mkvirtual
+###
+
+# copy mkvirtual service
+COPY assets/mkvirtual.service /etc/systemd/system/
+
+# enable service
+RUN systemctl enable mkvirtual.service
+
 ###
 ### Postfix
 ###
@@ -42,9 +52,6 @@ COPY assets/bin /usr/local/bin
 # copy postfix config
 COPY assets/postfix /etc/postfix
-# copy service override config
-COPY assets/override-postfix.service /etc/systemd/system/postfix.service.d/override.conf
-
 ###
 ### Dovecot
 ###
diff --git a/src/mailsrv/assets/bin/mkvirt b/src/mailsrv/assets/bin/mkvirt
index ae7b96e..607f1ef 100755
--- a/src/mailsrv/assets/bin/mkvirt
+++ b/src/mailsrv/assets/bin/mkvirt
@@ -1,25 +1,31 @@
 #!/bin/sh
+# fail immediately if any command fails
 set -e
-# copy users passwd-file to /etc/dovecot and set appropriate permissions
+### Users ###
+
+# copy users db to dovecot config
 cp /vol/db/users /etc/dovecot/users
 chown dovecot:dovecot /etc/dovecot/users
+# copy users db to postfix config, but without passwords
+cat /vol/db/users | cut -d':' -f1 | perl -pe 's/(.*)/\1 ./' > /etc/postfix/users
+postmap /etc/postfix/users
+
+### Aliases ###
+
 # make self-referential users list
 # this is needed for the reject_sender_login_mismatch restriction to work,
 # otherwise users cannot send emails as their own address
-cd /vol/db/aliases.d
+mkdir -p /vol/db/aliases_out.d
+cd /vol/db/aliases_out.d
 echo "# This file is autogenerated by mkvirt. Don't edit it manually." > self.list
 cat /vol/db/users | cut -d':' -f1 | perl -pe 's/(.*)/\1\@brbytes.org \1\n\1\@mail.brbytes.org \1/' >> self.list
+# copy aliases to postifx config
 cd /etc/postfix
-
-# do users
-cat /vol/db/users | cut -d':' -f1 | perl -pe 's/(.*)/\1 ./' > users
-postmap users
-
-# do aliases
-cat /vol/db/aliases.d/*.list > aliases
-postmap aliases
-
+cat /vol/db/aliases_out.d/*.list > aliases_out
+postmap aliases_out
+cat /vol/db/aliases_in.d/*.list > aliases_in
+postmap aliases_in
diff --git a/src/mailsrv/assets/dovecot/conf.d/10-auth.conf b/src/mailsrv/assets/dovecot/conf.d/10-auth.conf
index 2d91916..8ce5cbc 100644
--- a/src/mailsrv/assets/dovecot/conf.d/10-auth.conf
+++ b/src/mailsrv/assets/dovecot/conf.d/10-auth.conf
@@ -121,7 +121,7 @@ passdb {
 driver = passwd-file
 # username_format: Set to '%u' to look up full usernames. If you want to enable
 # user@domain logins but have only user in the file, set to %n instead.
-args = username_format=%n /vol/db/users
+args = username_format=%n /etc/dovecot/users
 }
 userdb {
diff --git a/src/mailsrv/assets/dovecot/conf.d/10-master.conf b/src/mailsrv/assets/dovecot/conf.d/10-master.conf
index 5c1d952..fe5165c 100644
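Review bot: `cp /vol/db/users /etc/dovecot/users` followed only by `chown dovecot:dovecot` leaves the copy with whatever mode `cp` derives from the mounted source and the umask, and this file is the passwd-file passdb that holds every user's password hash, so it is likely readable by every account in the container; the removed comment promised "appropriate permissions" but neither version actually sets them. Add `chmod 640 /etc/dovecot/users` directly after the chown — with the 10-master.conf hunk the auth process now runs as the default internal user, which the chown already covers, so owner access is enough. Separately, `mkdir -p /vol/db/aliases_out.d` is created before use but `/vol/db/aliases_in.d` is not, so on a fresh volume the script aborts at `cat /vol/db/aliases_in.d/*.list` after `aliases_out` has already been rebuilt, leaving Postfix with maps from two different runs; create both directories up front or validate all inputs before writing anything. Note too that under `/bin/sh` `set -e` only sees the last stage of a pipeline, so a failing `cut` or `perl` stage in the `/etc/postfix/users` pipeline would still be turned into an (empty) map by `postmap`.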
--- a/src/mailsrv/assets/dovecot/conf.d/10-master.conf
+++ b/src/mailsrv/assets/dovecot/conf.d/10-master.conf
@@ -109,7 +109,7 @@ service auth {
 }
 # Auth process is run as this user.
- user = vmail
+ #user = $default_internal_user
 }
 service auth-worker {
diff --git a/src/mailsrv/assets/mkvirtual.service b/src/mailsrv/assets/mkvirtual.service
new file mode 100644
index 0000000..3cafeed
--- /dev/null
+++ b/src/mailsrv/assets/mkvirtual.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Mail server virtual users startup script
+After=network-online.target local-fs.target
+Before=postfix.service dovecot.service
+
+[Service]
+Type=oneshot
+#RemainAfterExit=yes
+ExecStart="/usr/local/bin/mkvirt"
+
+[Install]
+WantedBy=multi-user.target
diff --git a/src/mailsrv/assets/postfix/main.cf b/src/mailsrv/assets/postfix/main.cf
index 6dd6d05..9e1d182 100644
--- a/src/mailsrv/assets/postfix/main.cf
+++ b/src/mailsrv/assets/postfix/main.cf
@@ -28,7 +28,7 @@ mydestination = $myhostname, $mydomain, localhost.localdomain, localhost
 # get list of valid users from here instead of /etc/passwd
 local_recipient_maps = hash:/etc/postfix/users
 # get list of user aliases from this file
-virtual_alias_maps = hash:/etc/postfix/aliases
+virtual_alias_maps = hash:/etc/postfix/aliases_in
 # Address tag delimiter. If an email is sent to ${user}${delimiter}*,
 # the email is sent to ${user} if that address is not already explicitly defined.
 recipient_delimiter = -
diff --git a/src/mailsrv/assets/postfix/master.cf b/src/mailsrv/assets/postfix/master.cf
index 4c84df1..9f516ed 100644
--- a/src/mailsrv/assets/postfix/master.cf
+++ b/src/mailsrv/assets/postfix/master.cf
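Review bot: `Before=postfix.service dovecot.service` in the new mkvirtual.service only orders the units; it does not make Postfix or Dovecot depend on this one, so if `mkvirt` fails (or the unit is masked) both daemons still start, Postfix with stale or missing `hash:` maps and Dovecot with a stale or absent `/etc/dovecot/users`. Since the Containerfile hunk in this commit drops the `postfix.service.d/override.conf` drop-in, the dependency is best expressed here: add `RequiredBy=postfix.service dovecot.service` to the `[Install]` section so that `systemctl enable` creates a hard dependency, and uncomment `RemainAfterExit=yes` so the oneshot stays active as a dependency target after it has run. `After=network-online.target` without a matching `Wants=` does not actually wait for the network, and nothing in `mkvirt` appears to need it, so it can probably be dropped.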
@@ -16,19 +16,9 @@ submission inet n - y - - smtpd
 -o smtpd_sasl_security_options=noanonymous
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
- -o smtpd_sender_login_maps=hash:/etc/postfix/aliases
+ -o smtpd_sender_login_maps=hash:/etc/postfix/aliases_out
 -o smtpd_sender_restrictions=reject_sender_login_mismatch
-#smtps inet n - y - - smtpd
-# -o syslog_name=postfix/smtps
-# -o smtpd_tls_wrappermode=yes
-# -o smtpd_sasl_auth_enable=yes
-# -o smtpd_reject_unlisted_recipient=no
-# -o smtpd_client_restrictions=$mua_client_restrictions
-# -o smtpd_helo_restrictions=$mua_helo_restrictions
-# -o smtpd_sender_restrictions=$mua_sender_restrictions
-# -o smtpd_recipient_restrictions=
-# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-# -o milter_macro_daemon_name=ORIGINATING
+
 # Local services
 # ==========================================================================
 pickup unix n - y 60 1 pickup
diff --git a/src/minecraft_bedrock/Containerfile b/src/minecraft_bedrock/Containerfile
new file mode 100644
index 0000000..fbed82f
--- /dev/null
+++ b/src/minecraft_bedrock/Containerfile
@@ -0,0 +1,77 @@
+###
+### Build Variables
+###
+FROM localhost/debian:latest
+
+# deploy options
+# -p (port) and -v (volume) both go host:container
+LABEL deployopts="\
+-p 19132:19132/udp \
+-p 19133:19133/udp \
+-v /srv/vol/minecraft_bedrock/backup:/vol/backup"
+
+# Build variables
+# uid that the files owner user should have
+ARG FILESUID=5000
+
+###
+### General Setup
+###
+
+# install packages we want
+RUN apt update -y && apt install -y libcurl4
+
+# create minecraft server user with file owner UID
+RUN addgroup --gid $FILESUID mcadmin && \
+ adduser mcadmin --ingroup mcadmin --uid $FILESUID --disabled-password --gecos "Minecraft Server Admin" --shell /usr/sbin/nologin && \
+ rm /home/mcadmin/.bashrc
+
+###
+### Minecraft
+###
+
+# download Minecraft Bedrock dedicated server
+RUN url=$(wget -q https://www.minecraft.net/en-us/download/server/bedrock/ -O - | grep -Eo 'https://[^ ]+bin-linux/bedrock-server-[^ ]+\.zip' | head -n 1) && \
+ wget $url && \
+ unzip $(basename $url) && \
+ rm $(basename $url)
+
+###
+### Gitea
+###
+
+# dowload gitea
+RUN wget https://dl.gitea.io/gitea/${giteav}/gitea-${giteav}-linux-amd64 && \
+ mv gitea /usr/local/bin/gitea && \
+ chmod +x /usr/local/bin/gitea
+
+# make directories gitea needs
+RUN mkdir -p /var/lib/gitea/ && \
+ cd /var/lib/gitea/ && \
+ mkdir custom data log && \
+ chown -R gitea:gitea /var/lib/gitea/ && \
+ chmod -R 750 /var/lib/gitea/
+
+# copy gitea config template
+COPY assets/app.ini.esh /etc/gitea/
+# template config file
+RUN cd /etc/gitea/ && \
+ esh app.ini.esh > app.ini && \
+ rm app.ini.esh && \
+ chmod -R +r /etc/gitea/
+
+COPY assets/gitea.service /etc/systemd/system/
+
+###
+### Crontab
+###
+COPY assets/crontab /root/
+RUN crontab -u gitea /root/crontab
+
+###
+### Bugfix
+###
+
+# execute command to workaround bug in cron
+COPY bugfix/cronfix /root/
+RUN chmod +x /root/cronfix && /root/cronfix
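Review bot: The `Gitea`, `Crontab` and `Bugfix` sections after the Minecraft download look like leftovers from another image: they reference `${giteav}`, a `gitea` user, `esh`, `assets/app.ini.esh`, `assets/gitea.service`, `assets/crontab` and `bugfix/cronfix`, none of which this Containerfile declares, creates or installs, so the build cannot get past `RUN wget https://dl.gitea.io/gitea/${giteav}/...`; drop those sections or move them to the image they belong to. In the Minecraft section the server archive is scraped from the download page at build time and unzipped as root into the build's current directory with no pinned version and no integrity check, so the image contents are not reproducible and a changed or tampered download is accepted silently; pin the version through an `ARG`, verify the archive with `sha256sum -c` against a recorded hash before `unzip`, and set a `WORKDIR` owned by `mcadmin` so the server files do not land in `/`. `RUN apt update -y && apt install -y libcurl4` also installs neither `wget` nor `unzip`, so unless the `localhost/debian` base already provides them the download step fails too — worth confirming against that base image.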
diff --git a/src/minecraft_bedrock/docs/resources.md b/src/minecraft_bedrock/docs/resources.md
new file mode 100644
index 0000000..2012e1a
--- /dev/null
+++ b/src/minecraft_bedrock/docs/resources.md
@@ -0,0 +1 @@
+helper scripts & systemd units inspired by TapeWerm's MCscripts repo, available at https://github.com/TapeWerm/MCscripts
diff --git a/src/nextcloud/Systemdfile b/src/nextcloud/Systemdfile
index e062ce6..3794956 100644
--- a/src/nextcloud/Systemdfile
+++ b/src/nextcloud/Systemdfile
@@ -21,6 +21,8 @@ nc-occ db:convert-filecache-bigint
 nc-occ app:install calendar
 nc-occ app:install contacts
 nc-occ app:install notes
+nc-occ app:install bookmarks
+nc-occ app:install mail
 # disable apps we don't want
 nc-occ app:disable comments federation files_trashbin files_versions firstrunwizard recommendations support survey_client systemtags
diff --git a/src/nextcloud/docs/Deploy.md b/src/nextcloud/docs/Deploy.md
index 153df2b..ca81f62 100644
--- a/src/nextcloud/docs/Deploy.md
+++ b/src/nextcloud/docs/Deploy.md
@@ -8,40 +8,15 @@ Firstly, the `overcommit_memory` system setting being set to zero may cause Redi
 ```
 sysctl vm.overcommit_memory=1
 ```
-The setting can be made persistent through reboots by adding the line
-```
-vm.overcommit_memory = 1
-```
-to the bottom of your `/etc/sysctl.conf` file.
-
 Additionally, Redis has fairly serious latency issues with THP (Transparent Huge Pages) enabled, so it is best to disable it. Disable them by running:
 ```
 echo never > /sys/kernel/mm/transparent_hugepage/enabled
 ```
-This configuration is also not persistent through reboots. Redis recommends adding the command as a line to your `/etc/rc.local` file, but `rc.local` is deprecated, so we will instead create a systemd unit to disable THP at startup. Create a file `/etc/systemd/system/redis-disable-thp.service`, with the following contents:
-```
-[Unit]
-Description=Disable Transparent Huge Pages (THP) for Redis
-DefaultDependencies=no
-After=sysinit.target local-fs.target
-Before=lxd.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/bin/sh -c 'echo never | tee /sys/kernel/mm/transparent_hugepage/enabled > /dev/null'
-
-[Install]
-WantedBy=basic.target
-```
-Then enable the service by running:
-```
-systemctl enable redis-disable-thp
-```
+You can make these settings persistent accross reboots by adding them to the container start script in `/etc/containers/startup.sh`.
 ## Configure HAproxy
- Add the following directives to your HAproxy configuration:
+Add the following directives to your HAproxy configuration:
 ```
 frontend www
 bind :80