The Playground
Blueprint usage
take a deep breath, clear your mind, and open Spotify
Pre-requisite #0: A fresh start
Fill *-env for all (fml)
```bash
########################
# instance-env
export BACKUP_BUCKET='b2:the-bucket-name-goes-here' # Backblaze
export NOTIF_URL='https://ntfy.sh/the-topic-name-goes-here' # ntfy
export BASE_DOMAIN='knravish.me'
########################
# Some common stuff
export BUCKET_PATH="${BACKUP_BUCKET}/path/to/backup/in/object/storage"
export VOLUME_PATH="${HOME}/${USER}-data" # or wherever your service's data is
export PORT=<whatever> # your service's webserver
# PUID and PGID for running containers as non-root
PUID=$(id -u "$USER")
export PUID
PGID=$(id -g "$USER")
export PGID
########################
# Application specific stuff
# Just look it up bruh I can't be arsed
########################
# ok but WireGuard is a PITA
export UDP_PORT=<whatever>
export GUI_PORT=<whatever>
# the hash contains '$', so single-quote it (hence the shellcheck directive)
# shellcheck disable=SC2016
export PASSWORD_HASH=<whatever>
export WG_HOST="vpn.${BASE_DOMAIN}"
# hacky? $5 is only the interface name when the route has a "via" hop
WG_DEVICE=$(ip route get 8.8.8.8 2>&1 | awk '{ printf "%s",$5;}')
export WG_DEVICE
```
Then
- run file_transfers.ps1 (assuming Windows host for now)
- update DNS records as needed
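Before instance-setup consumes the *-env file, it is worth checking it. The following is an added example, not a script from this repo: it refuses placeholder or missing values, refuses PUID/PGID of 0, and finds the Internet-facing interface by the token after "dev" instead of by field position (the positional awk above breaks on a directly connected route, where the line reads "8.8.8.8 dev eth0 src ..."). Variable names come from the template; the function names and the "<whatever>" placeholder check are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not part of the repo): preflight checks for the *-env
# values before instance-setup consumes them.

# Interface name from one line of `ip route get <addr>` output. Taking the
# token after "dev" works both for "8.8.8.8 via 10.0.0.1 dev enp0s6 ..."
# and for the directly connected form "8.8.8.8 dev eth0 src ...".
detect_wan_iface_from() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Live version. Stderr is not merged into the parse, so an unreachable
# network yields an empty string instead of a word from the error message.
detect_wan_iface() {
    detect_wan_iface_from "$(ip -o route get "${1:-8.8.8.8}" 2>/dev/null)"
}

# Every named variable must be set, non-empty, and not the "<whatever>"
# placeholder left over from the template. Returns 1 if any fails.
require_env() {
    local rc=0 name val
    for name in "$@"; do
        eval "val=\${$name:-}"
        case "$val" in
            ''|'<whatever>') printf 'missing or placeholder: %s\n' "$name" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# Containers are started with PUID/PGID. Refuse 0 so that sourcing the
# template as root does not silently hand every service uid 0.
check_non_root_ids() {
    [ "${PUID:-0}" -ne 0 ] && [ "${PGID:-0}" -ne 0 ]
}

# Run everything; non-zero on the first problem so instance-setup can bail
# out before touching the host.
preflight() {
    require_env BACKUP_BUCKET NOTIF_URL BASE_DOMAIN BUCKET_PATH VOLUME_PATH PORT PUID PGID &&
        check_non_root_ids &&
        [ -n "$(detect_wan_iface)" ]
}
```

Source the env file, then call `preflight || exit 1` at the top of instance-setup; `detect_wan_iface` is a drop-in for the WG_DEVICE line.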
Pre-requisite #1: Ports in VPC/VCN firewall rules
- allow all ICMP traffic for pinging (already open?)
- list of active listeners
- legend: '*' is equivalent to 0.0.0.0 and [::]; %lo is loopback; enp0s6 is the name of the Internet-facing gateway interface of the host; Forwarded? is whether the port is open in the host's firewall (for a VPS: whether it is open in the virtual network security rules)
| Address | Port | Protocol | Desc. | Forwarded? |
|---|---|---|---|---|
| * | - | ICMP | All ICMP traffic | O |
| * | 22 | TCP | SSH | O |
| 127.0.0.53%lo | 53 | TCP, UDP | systemd-resolved (stub? vestigial?) | X |
| 10.0.0.3%enp0s6 | 68 | UDP | DHCP | X |
| * | 80 | TCP | Nginx (HTTP) | O |
| * | 443 | TCP | Nginx (HTTPS) | O |
| 127.0.0.1 | 2368 | TCP | Ghost blog | X |
| 127.0.0.1 | 3456 | TCP | Vikunja | X |
| 127.0.0.1 | 5006 | TCP | Actual Budget | X |
| 127.0.0.1 | 5100 | TCP | Password Pusher (pwpush) | X |
| 127.0.0.1 | 8080 | TCP | Shlink | X |
| 127.0.0.1 | 9001 | TCP | Spotify Manager (that's us!) | X |
| 127.0.0.1 | 8081 | TCP | Stirling-PDF | X |
| 127.0.0.1 | 9091 | TCP | Authelia | X |
| 127.0.0.1 | 8384 | TCP | Syncthing (web GUI) | X |
| * | 21027 | UDP | Syncthing (discovery broadcasting) | O |
| * | 22000 | TCP, UDP | Syncthing (sync protocol; UDP is for QUIC) | O |
| * | 25565 | TCP | Minecraft server - Java edition, 1.20.4 | O |
| * | 51820 | UDP | WireGuard (VPN tunnel) | O |
| 127.0.0.1 | 51821 | TCP | WireGuard (web GUI) | X |
| 127.0.0.1 | 5230 | TCP | Usememos | X |
| 127.0.0.1 | 3000 | TCP | Homepage | X |
| * | 30000 | TCP | Foundry VTT | X |
| 127.0.0.1 | 3001 | TCP | Gitea | X |
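The table is only useful if it matches what the host actually listens on. The following is an added example, not part of the repo: it reads `ss -Hltun` style output, keeps only wildcard-bound sockets, and prints the ones that are not in an allowlist built from the rows marked Forwarded? = O. The sample `ss` lines are constructed for this example, and the function names are this example's own. Note that Foundry VTT's wildcard bind on 30000 shows up as a finding: a socket bound to `*` is reachable the moment a firewall rule lets it through, whether or not anyone meant to forward it.

```bash
#!/usr/bin/env bash
# Added example (not part of the repo): audit wildcard listeners against
# the ports the table above intends to expose.

# Constructed sample in `ss -Hltun` column order:
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS='tcp   LISTEN 0 128        0.0.0.0:22     0.0.0.0:*
tcp   LISTEN 0 128           [::]:22        [::]:*
tcp   LISTEN 0 511      127.0.0.1:2368   0.0.0.0:*
tcp   LISTEN 0 511        0.0.0.0:80     0.0.0.0:*
tcp   LISTEN 0 4096             *:30000        *:*
udp   UNCONN 0 0     127.0.0.53%lo:53     0.0.0.0:*
udp   UNCONN 0 0   10.0.0.3%enp0s6:68     0.0.0.0:*
udp   UNCONN 0 0         0.0.0.0:51820  0.0.0.0:*'

# Ports the table marks Forwarded? = O.
ALLOWED='tcp/22 tcp/80 tcp/443 udp/21027 tcp/22000 udp/22000 tcp/25565 udp/51820'

# Wildcard-bound sockets from `ss` lines on stdin, as "proto/port", de-duplicated
# (v4 and v6 wildcard sockets on the same port collapse to one entry). Sockets on
# 127.0.0.1, a %lo address or the VCN-private address are left out: those are only
# reachable through nginx, WireGuard or the VCN.
public_listeners() {
    awk '{
        addr = $5; port = $5
        sub(/.*:/, "", port)       # text after the last ":" is the port
        sub(/:[^:]*$/, "", addr)   # everything before it is the address
        if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
            print $1 "/" port
    }' | LC_ALL=C sort -u
}

# Print wildcard listeners that are not in the allowlist given as arguments.
# Returns 0 when nothing unexpected is listening.
unexpected_listeners() {
    local allow=" $* " entry found=0
    for entry in $(public_listeners); do
        case "$allow" in
            *" $entry "*) ;;
            *) printf '%s\n' "$entry"; found=1 ;;
        esac
    done
    return "$found"
}

# Live check. With the host firewall opened as in Pre-requisite #2, every
# line printed here is reachable from wherever the VCN rules allow.
audit_live() {
    ss -Hltun | unexpected_listeners $ALLOWED
}
```

`printf '%s\n' "$SAMPLE_SS" | unexpected_listeners $ALLOWED` prints `tcp/30000`; `audit_live` is the same check against the running host and makes a reasonable cron job paired with the ntfy topic.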
Pre-requisite #2: Config the master script
- start with instance-setup - reevaluate sudo perms... have given too many things too many permissions :)
- ensure ufw is disabled
- (Oracle VPS only) open iptables to all (-I INPUT -j ACCEPT or something) - maybe use new pro token
- note that on the Oracle image the stock REJECT rules live in /etc/iptables/rules.v4 and are restored at boot by netfilter-persistent, so a one-off iptables -I is gone after a reboot; edit that file too. Once the host firewall is open, the VCN security list is the only packet filter, which is why everything in the table above that is not meant for the Internet binds to 127.0.0.1
- check email address too
Applications
Authelia
Actual
- PWA on mobile!
Ghost
- requires checks for ghost, cli, and node version updates
Minecraft
- version-locked 1.20.4
- backup of everything, including JAR file
Password Pusher
Shlink
- managed on shlink.io webapp
- API key for GUI management, else run command in container
Spotify Manager
- yippee!
- be conservative with dep. updates
Stirling-PDF
- guest creds are 'guest':'temppass3'
Wireguard/wg-easy
- access VPS services on its 10.0.0.3/24 address
Tooling and config
bash
- place new aliases in /etc/skel file as well
- only non-sensitive stuff goes in /etc/environment: it is world-readable and applied to every login, so no tokens or passwords there
- cp -prf for recursive copying that preserves mode, ownership and timestamps
nginx
- current practice - place configs in conf.d; to disable a site, rename it so the extension is not .conf (nginx.conf only includes conf.d/*.conf, so the file is simply not loaded)
- old practice - sites-enabled soft links to sites-available files as needed
- serving some temporary files to share from /var/www/tmpfiles
- the build with added modules is fked up, ignore
rclone
- config is for Backblaze B2, 10GB total
- always log!!! and notify!!!
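"Always log and notify" is easy to state and easy to get half right (notify on success only, or log only to cron's mail). The following is an added example, not the repo's backup script: one rclone sync whose output always goes to a per-run log file, whose exit code is always recorded, and which always posts to the ntfy topic with a different title and priority for success and failure. It assumes the instance-env variables BUCKET_PATH, VOLUME_PATH and NOTIF_URL are exported; LOG_DIR, BACKUP_RUN and the function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not the repo's backup script): rclone sync that always
# leaves a log and always notifies, on success and on failure.
set -u
LOG_DIR="${LOG_DIR:-$HOME/logs}"

# POST to ntfy. Title and priority travel as headers, the message as body.
# A failed notification is reported on stderr but never masks the backup's
# own exit status.
notify() {  # notify <title> <priority> <message>
    curl -fsS --max-time 15 -H "Title: $1" -H "Priority: $2" --data-raw "$3" "$NOTIF_URL" >/dev/null ||
        printf 'notify failed: %s\n' "$1" >&2
}

# One sync. rclone's own output goes to a per-run log (cron's mail is not a
# log), the exit code is appended, and rclone's last line becomes the
# notification text. Returns rclone's exit code.
backup_once() {  # backup_once <name> <source-dir> <remote-path>
    local name=$1 src=$2 dst=$3 log rc=0 last
    mkdir -p "$LOG_DIR"
    log="$LOG_DIR/backup-$name-$(date +%Y%m%d-%H%M%S).log"
    rclone sync "$src" "$dst" --log-file "$log" --log-level INFO --stats-one-line || rc=$?
    last=$(tail -n 1 "$log" 2>/dev/null || true)
    printf '%s backup %s finished rc=%s\n' "$(date +%Y-%m-%dT%H:%M:%S)" "$name" "$rc" >>"$log"
    if [ "$rc" -eq 0 ]; then
        notify "backup ok: $name" default "$last"
    else
        notify "backup FAILED: $name" high "rc=$rc $last"
    fi
    return "$rc"
}

# Cron entry point: BACKUP_RUN=1 ./backup.sh
if [ "${BACKUP_RUN:-0}" = 1 ]; then
    backup_once "$(basename "$VOLUME_PATH")" "$VOLUME_PATH" "$BUCKET_PATH"
fi
```

The script's own exit status is rclone's, so a cron wrapper or systemd timer still sees the failure even if ntfy is unreachable; the high-priority title is what makes a failed run stand out from the daily "ok" in the ntfy app.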
systemd
- WantedBy should be default.target for user services, multi-user.target for system services
cron
- cron doesn't get the same env as a normal login/shell, so give it a minimal set of vars
- set USER at the start of every user crontab
- set XDG_RUNTIME_DIR and DBUS_SESSION_BUS_ADDRESS for users that run systemd user services
- stagger cronjobs to avoid resource contention
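The four cron rules above, put together as an added example rather than the repo's actual crontab: a header that derives the missing env from the uid instead of hardcoding it per host, a deterministic per-job minute so jobs sharing an hour do not all start at :00, and a per-job log file. The job names, hours and script paths are placeholders for this example.

```bash
#!/usr/bin/env bash
# Added example (not the repo's crontab): render a user crontab whose jobs
# carry the minimal env cron lacks and are spread across the hour.

# Cron starts jobs with almost no environment: HOME, LOGNAME, SHELL and a
# minimal PATH, but not USER, and nothing that points at the user's systemd
# instance. Everything here is derived from the uid, so the same header
# works on every host.
cron_env_for() {  # cron_env_for <user> <uid>
    printf 'USER=%s\n' "$1"
    printf 'XDG_RUNTIME_DIR=/run/user/%s\n' "$2"
    printf 'DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/%s/bus\n' "$2"
    printf 'PATH=/usr/local/bin:/usr/bin:/bin\n'
}

# Deterministic minute (0..59) from the job name, so jobs scheduled for the
# same hour do not all start at :00 and fight for CPU and disk.
stagger_minute() {  # stagger_minute <job-name>
    local sum
    sum=$(printf '%s' "$1" | cksum | cut -d ' ' -f 1)
    echo $((sum % 60))
}

# One crontab line; stdout and stderr of every job land in a per-job log.
# $HOME is left unexpanded on purpose: cron sets it for the job's shell.
job_line() {  # job_line <job-name> <hour> <command...>
    local name=$1 hour=$2
    shift 2
    printf '%s %s * * * %s >>"$HOME/logs/%s.log" 2>&1\n' \
        "$(stagger_minute "$name")" "$hour" "$*" "$name"
}

# Full crontab for the calling user; pipe into `crontab -` to install.
# Script path and unit name below are hypothetical.
render_crontab() {
    cron_env_for "$(id -un)" "$(id -u)"
    job_line ghost-backup 3 "$HOME/bin/backup.sh"
    job_line syncthing-restart 4 systemctl --user restart syncthing
}
```

One caveat the env lines do not fix on their own: /run/user/UID and the user bus only exist while that user has a session or lingering enabled, so `systemctl --user` from cron fails once the last SSH session closes unless `loginctl enable-linger <user>` has been run.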