nginx-delay
This commit is contained in:
parent
e6592598c7
commit
4fff75b1ec
@ -1,5 +1,26 @@
|
|||||||
version: "3.7"
|
version: "3.7"
|
||||||
services:
|
services:
|
||||||
|
# EncFS for /onion and /everyone
|
||||||
|
sf-encfs:
|
||||||
|
build: encfs
|
||||||
|
image: sf-encfs
|
||||||
|
restart: ${SF_RESTART:-on-failure}
|
||||||
|
cap_add:
|
||||||
|
- SYS_ADMIN
|
||||||
|
security_opt:
|
||||||
|
- apparmor:unconfined
|
||||||
|
environment:
|
||||||
|
- SF_SEED
|
||||||
|
- SF_DEBUG
|
||||||
|
command: ["/mount.sh", "server"]
|
||||||
|
network_mode: none
|
||||||
|
devices:
|
||||||
|
- "/dev/fuse:/dev/fuse"
|
||||||
|
volumes:
|
||||||
|
- "${SF_BASEDIR:-.}/config/etc/seed:/config/etc/seed"
|
||||||
|
- "${SF_BASEDIR:-.}/data/sf:/encfs/raw"
|
||||||
|
- "${SF_SHMDIR:-/dev/shm/sf}/encfs-sec/sf:/encfs/sec:shared"
|
||||||
|
|
||||||
dns-doh:
|
dns-doh:
|
||||||
image: crazymax/cloudflared
|
image: crazymax/cloudflared
|
||||||
restart: ${SF_RESTART:-on-failure}
|
restart: ${SF_RESTART:-on-failure}
|
||||||
@ -117,7 +138,7 @@ services:
|
|||||||
- SF_SEED
|
- SF_SEED
|
||||||
volumes:
|
volumes:
|
||||||
- "${SF_SHMDIR:-/dev/shm/sf}/run/gsnc:/sf/run/gsnc"
|
- "${SF_SHMDIR:-/dev/shm/sf}/run/gsnc:/sf/run/gsnc"
|
||||||
- "${SF_BASEDIR:-.}/config/etc/seed:/config/seed"
|
- "${SF_BASEDIR:-.}/config/etc/seed:/config/etc/seed"
|
||||||
entrypoint: ["/sf-gsnc.sh", "172.20.0.110"]
|
entrypoint: ["/sf-gsnc.sh", "172.20.0.110"]
|
||||||
|
|
||||||
segfault:
|
segfault:
|
||||||
@ -151,36 +172,16 @@ services:
|
|||||||
volumes:
|
volumes:
|
||||||
- "${SF_BASEDIR:-.}/config/etc/ssh:/config/etc/ssh"
|
- "${SF_BASEDIR:-.}/config/etc/ssh:/config/etc/ssh"
|
||||||
- "${SF_BASEDIR:-.}/config/db:/config/db"
|
- "${SF_BASEDIR:-.}/config/db:/config/db"
|
||||||
- "${SF_BASEDIR:-.}/config/etc/seed:/config/seed"
|
- "${SF_BASEDIR:-.}/config/etc/seed:/config/etc/seed"
|
||||||
- "${SF_BASEDIR:-.}/config/etc/info:/config/etc/info:ro"
|
- "${SF_BASEDIR:-.}/config/etc/info:/config/etc/info:ro"
|
||||||
- "${SF_SHMDIR:-/dev/shm/sf}/encfs-sec/sf:/sec:slave"
|
- "${SF_SHMDIR:-/dev/shm/sf}/encfs-sec/sf:/sec:slave"
|
||||||
- "/var/run/docker.sock:/var/run/docker.sock"
|
- "/var/run/docker.sock:/var/run/docker.sock"
|
||||||
|
|
||||||
# EncFS for /onion and /everyone
|
|
||||||
sf-encfs:
|
|
||||||
build: encfs
|
|
||||||
image: sf-encfs
|
|
||||||
restart: ${SF_RESTART:-on-failure}
|
|
||||||
cap_add:
|
|
||||||
- SYS_ADMIN
|
|
||||||
security_opt:
|
|
||||||
- apparmor:unconfined
|
|
||||||
environment:
|
|
||||||
- SF_SEED
|
|
||||||
- SF_DEBUG
|
|
||||||
command: ["/mount.sh", "server"]
|
|
||||||
network_mode: none
|
|
||||||
devices:
|
|
||||||
- "/dev/fuse:/dev/fuse"
|
|
||||||
volumes:
|
|
||||||
- "${SF_BASEDIR:-.}/config/etc/seed:/config/seed"
|
|
||||||
- "${SF_BASEDIR:-.}/data/sf:/encfs/raw"
|
|
||||||
- "${SF_SHMDIR:-/dev/shm/sf}/encfs-sec/sf:/encfs/sec:shared"
|
|
||||||
|
|
||||||
nginx:
|
nginx:
|
||||||
image: nginx
|
image: nginx
|
||||||
restart: ${SF_RESTART:-on-failure}
|
restart: ${SF_RESTART:-on-failure}
|
||||||
depends_on:
|
depends_on:
|
||||||
|
- dnsmasq # FIXME: This delays nginx until SHMDIR/encfs-sec/sf/onion-www is available
|
||||||
- sf-encfs
|
- sf-encfs
|
||||||
dns: 255.255.255.255
|
dns: 255.255.255.255
|
||||||
networks:
|
networks:
|
||||||
|
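Review bot: `depends_on` on the nginx entry only orders container start, so the FIXME at `- dnsmasq` stands: nothing in this file makes nginx wait until sf-encfs has actually mounted `/encfs/sec`. A healthcheck on sf-encfs that tests for the `IS-ENCRYPTED.txt` marker its mount.sh writes after a verified mount, paired with the long-form `depends_on` condition, would state the dependency directly instead of borrowing dnsmasq's start-up time; whether the Compose in use honours `condition: service_healthy` under `version: "3.7"` needs confirming, since the v3 schema dropped it and only the Compose Specification restored it. The sketch below keeps the dnsmasq entry in case it is needed for DNS rather than only as a delay.
```yaml
  sf-encfs:
    # … unchanged: build, image, restart, cap_add, security_opt, environment, command, network_mode, devices, volumes …
    healthcheck:
      # mount.sh touches this marker only after it has confirmed the EncFS mount
      test: ["CMD", "test", "-e", "/encfs/sec/IS-ENCRYPTED.txt"]
      interval: 2s
      retries: 30

  nginx:
    # … unchanged: image, restart …
    depends_on:
      dnsmasq:
        condition: service_started
      sf-encfs:
        condition: service_healthy
```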
@ -22,10 +22,10 @@ _term()
|
|||||||
create_load_seed()
|
create_load_seed()
|
||||||
{
|
{
|
||||||
[[ -n $SF_SEED ]] && return
|
[[ -n $SF_SEED ]] && return
|
||||||
[[ ! -f "/config/seed/seed.txt" ]] && {
|
[[ ! -f "/config/etc/seed/seed.txt" ]] && {
|
||||||
head -c 1024 /dev/urandom | tr -dc '[:alpha:]' | head -c 32 >/config/seed/seed.txt || { echo >&2 "Can't create \${SF_BASEDIR}/config/etc/seed/seed.txt"; exit 255; }
|
head -c 1024 /dev/urandom | tr -dc '[:alpha:]' | head -c 32 >/config/etc/seed/seed.txt || { echo >&2 "Can't create \${SF_BASEDIR}/config/etc/seed/seed.txt"; exit 255; }
|
||||||
}
|
}
|
||||||
SF_SEED="$(cat /config/seed/seed.txt)"
|
SF_SEED="$(cat /config/etc/seed/seed.txt)"
|
||||||
[[ -z $SF_SEED ]] && { echo -e >&2 "mount.sh: Failed to generated SF_SEED="; exit 254; }
|
[[ -z $SF_SEED ]] && { echo -e >&2 "mount.sh: Failed to generated SF_SEED="; exit 254; }
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -39,6 +39,10 @@ sf_server_init()
|
|||||||
ENCFS_SERVER_PASS=$(echo -n "EncFS-SERVER-PASS-${SF_SEED}" | sha512sum | base64 | tr -dc '[:alpha:]' | head -c 24)
|
ENCFS_SERVER_PASS=$(echo -n "EncFS-SERVER-PASS-${SF_SEED}" | sha512sum | base64 | tr -dc '[:alpha:]' | head -c 24)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# The server needs to be initialized differently. All instances are started
|
||||||
|
# from docker compose. Some are started before EncFS can mount the directory.
|
||||||
|
# NgingX is a good example. Thus Nginx needs to check unti IS-ENCRYPTED.TXT
|
||||||
|
# appears and exit otherwise.
|
||||||
sf_server()
|
sf_server()
|
||||||
{
|
{
|
||||||
sf_server_init
|
sf_server_init
|
||||||
@ -46,7 +50,14 @@ sf_server()
|
|||||||
echo "THIS-IS-NOT-ENCRYPTED *** DO NOT USE *** " >/encfs/sec/IS-NOT-ENCRYPTED.txt
|
echo "THIS-IS-NOT-ENCRYPTED *** DO NOT USE *** " >/encfs/sec/IS-NOT-ENCRYPTED.txt
|
||||||
encfs --standard -o nonempty -o allow_other -f --extpass="echo \"${ENCFS_SERVER_PASS}\"" "/encfs/raw" "/encfs/sec" -- -o noexec,noatime &
|
encfs --standard -o nonempty -o allow_other -f --extpass="echo \"${ENCFS_SERVER_PASS}\"" "/encfs/raw" "/encfs/sec" -- -o noexec,noatime &
|
||||||
cpid=$!
|
cpid=$!
|
||||||
wait $cpid # SIGTERM will wake us
|
|
||||||
|
# Give it 5 seconds and check if it is encrypted.
|
||||||
|
sleep 5
|
||||||
|
[[ ! -e /encfs/sec/IS-NOT-ENCRYPTED.txt ]] && {
|
||||||
|
# We are encrypted!
|
||||||
|
touch /encfs/sec/IS-ENCRYPTED.txt
|
||||||
|
wait $cpid # SIGTERM will wake us
|
||||||
|
}
|
||||||
# SIGTERM or wrong SF_SEED
|
# SIGTERM or wrong SF_SEED
|
||||||
echo -e "${CR}[$cpid] EncFS EXITED with $?..."
|
echo -e "${CR}[$cpid] EncFS EXITED with $?..."
|
||||||
|
|
||||||
|
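Review bot: After the new `sleep 5` check in sf_server the failure path leaves the background encfs running and reports a stale status: when `/encfs/sec/IS-NOT-ENCRYPTED.txt` is still visible the block is skipped, so `$?` in the following `echo` is the result of that `[[ ]]` test rather than of encfs, and nothing signals `$cpid` — a mount that merely took longer than five seconds is reported as failed while the daemon keeps running. Polling for the marker with a bounded loop, terminating `$cpid` when the deadline passes, and capturing `wait`'s return before printing it would close both gaps; the rewritten lines are sketched below. The new header comment also reads `NgingX` and `unti`. sf_server continues past the end of this hunk.
```shell
    cpid=$!
    # Poll for the marker instead of a fixed 5s sleep: the mount may be slower on a
    # loaded host, and a daemon that never mounts must not outlive the error message.
    n=0
    while [[ -e /encfs/sec/IS-NOT-ENCRYPTED.txt ]] && [[ $n -lt 50 ]]; do
        sleep 0.1
        n=$((n + 1))
    done
    if [[ ! -e /encfs/sec/IS-NOT-ENCRYPTED.txt ]]; then
        # We are encrypted!
        touch /encfs/sec/IS-ENCRYPTED.txt
        wait $cpid # SIGTERM will wake us
        rc=$?
    else
        kill $cpid 2>/dev/null
        wait $cpid
        rc=$?
    fi
    # SIGTERM or wrong SF_SEED
    echo -e "${CR}[$cpid] EncFS EXITED with $rc..."
```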
@ -3,15 +3,15 @@
|
|||||||
create_load_seed()
|
create_load_seed()
|
||||||
{
|
{
|
||||||
[[ -n $SF_SEED ]] && return
|
[[ -n $SF_SEED ]] && return
|
||||||
[[ ! -f "/config/seed/seed.txt" ]] && {
|
[[ ! -f "/config/etc/seed/seed.txt" ]] && {
|
||||||
head -c 1024 /dev/urandom | tr -dc '[:alpha:]' | head -c 32 >/config/seed/seed.txt || { echo >&2 "Can't create \${SF_BASEDIR}/config/etc/seed/seed.txt"; exit 255; }
|
head -c 1024 /dev/urandom | tr -dc '[:alpha:]' | head -c 32 >/config/etc/seed/seed.txt || { echo >&2 "Can't create \${SF_BASEDIR}/config/etc/seed/seed.txt"; exit 255; }
|
||||||
}
|
}
|
||||||
SF_SEED="$(cat /config/seed/seed.txt)"
|
SF_SEED="$(cat /config/etc/seed/seed.txt)"
|
||||||
[[ -z $SF_SEED ]] && { echo >&2 "Failed to generated SF_SEED="; exit 254; }
|
[[ -z $SF_SEED ]] && { echo >&2 "Failed to generated SF_SEED="; exit 254; }
|
||||||
}
|
}
|
||||||
|
|
||||||
[[ ! -d /sf/run/gsnc ]] && { echo >&2 "Forgot -v \${SF_SHMDIR:-/dev/shm/sf}/run/gsnc:/sf/run/gsnc?"; sleep 5; exit 253; }
|
[[ ! -d /sf/run/gsnc ]] && { echo >&2 "Forgot -v \${SF_SHMDIR:-/dev/shm/sf}/run/gsnc:/sf/run/gsnc?"; sleep 5; exit 253; }
|
||||||
[[ ! -d /config/seed ]] && { echo >&2 "Forgot -v config/etc/seed:/config/seed?"; sleep 5; exit 252; }
|
[[ ! -d /config/etc/seed ]] && { echo >&2 "Forgot -v config/etc/seed:/config/etc/seed?"; sleep 5; exit 252; }
|
||||||
|
|
||||||
create_load_seed
|
create_load_seed
|
||||||
|
|
||||||
|
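Review bot: `create_load_seed` writes the master seed with a plain `>` redirect, so `/config/etc/seed/seed.txt` is created under whatever umask the caller has; since SF_SEED is the value service passwords are derived from (mount.sh hashes it into `ENCFS_SERVER_PASS`), the file should be created owner-only, e.g. `(umask 077; head -c 1024 /dev/urandom | tr -dc '[:alpha:]' | head -c 32 >/config/etc/seed/seed.txt) || { ... }`. The same function body is copied into mount.sh (hunk @ -22) and the host script (hunk @ -25), which is how the host copy came to test `/config/etc/seed/seed.txt` while still writing `/config/seed/seed.txt` before this commit; sourcing one shared definition would stop the three from drifting again. Note also that the `||` after the pipeline reacts only to the final `head` failing, so an unreadable `/dev/urandom` is caught only by the empty-seed check that follows.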
@ -6,7 +6,7 @@ CR="\e[1;31m" # red
|
|||||||
CN="\e[0m" # none
|
CN="\e[0m" # none
|
||||||
|
|
||||||
|
|
||||||
ERREXIT()
|
SLEEPEXIT()
|
||||||
{
|
{
|
||||||
local s
|
local s
|
||||||
local code
|
local code
|
||||||
@ -25,10 +25,10 @@ create_load_seed()
|
|||||||
{
|
{
|
||||||
[[ -n $SF_SEED ]] && return
|
[[ -n $SF_SEED ]] && return
|
||||||
[[ ! -f "/config/etc/seed/seed.txt" ]] && {
|
[[ ! -f "/config/etc/seed/seed.txt" ]] && {
|
||||||
head -c 1024 /dev/urandom | tr -dc '[:alpha:]' | head -c 32 >/config/seed/seed.txt || { echo >&2 "Can't create \${SF_BASEDIR}/config/etc/seed/seed.txt"; exit 255; }
|
head -c 1024 /dev/urandom | tr -dc '[:alpha:]' | head -c 32 >/config/etc/seed/seed.txt || { echo >&2 "Can't create \${SF_BASEDIR}/config/etc/seed/seed.txt"; exit 255; }
|
||||||
}
|
}
|
||||||
SF_SEED="$(cat /config/etc/seed/seed.txt)"
|
SF_SEED="$(cat /config/etc/seed/seed.txt)"
|
||||||
[[ -z $SF_SEED ]] && ERREXIT 254 "Failed to generated SF_SEED="
|
[[ -z $SF_SEED ]] && SLEEPEXIT 254 5 "Failed to generated SF_SEED="
|
||||||
}
|
}
|
||||||
|
|
||||||
setup_sshd()
|
setup_sshd()
|
||||||
@ -54,7 +54,7 @@ setup_sshd()
|
|||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
[[ -d /config/db ]] || ERREXIT 255 5 "${CR}Not found: /config/db${CN}. Try -v \${SF_BASEDIR}/config:/config,ro -v \${SF_BASEDIR}/config/db:/config/db"
|
[[ -d /config/db ]] || SLEEPEXIT 255 5 "${CR}Not found: /config/db${CN}. Try -v \${SF_BASEDIR}/config:/config,ro -v \${SF_BASEDIR}/config/db:/config/db"
|
||||||
|
|
||||||
create_load_seed
|
create_load_seed
|
||||||
|
|
||||||
@ -63,15 +63,15 @@ setup_sshd
|
|||||||
# This is the entry point for SF-HOST (e.g. host/Dockerfile)
|
# This is the entry point for SF-HOST (e.g. host/Dockerfile)
|
||||||
# Fix ownership if mounted from within vbox
|
# Fix ownership if mounted from within vbox
|
||||||
[[ -e /config/etc/ssh/ssh_host_rsa_key ]] || {
|
[[ -e /config/etc/ssh/ssh_host_rsa_key ]] || {
|
||||||
[[ ! -d "/config/etc/ssh" ]] && { mkdir -p "/config/etc/ssh" || ERREXIT 255 5; }
|
[[ ! -d "/config/etc/ssh" ]] && { mkdir -p "/config/etc/ssh" || SLEEPEXIT 255 5; }
|
||||||
|
|
||||||
ssh-keygen -A -f "/config" 2>&1 # Always return 0, even on failure.
|
ssh-keygen -A -f "/config" 2>&1 # Always return 0, even on failure.
|
||||||
[[ ! -f "/config/etc/ssh/ssh_host_rsa_key" ]] && ERREXIT 255 5
|
[[ ! -f "/config/etc/ssh/ssh_host_rsa_key" ]] && SLEEPEXIT 255 5
|
||||||
}
|
}
|
||||||
|
|
||||||
[[ -e /config/etc/ssh/id_ed25519 ]] || {
|
[[ -e /config/etc/ssh/id_ed25519 ]] || {
|
||||||
ssh-keygen -q -t ed25519 -C "" -N "" -f /config/etc/ssh/id_ed25519 2>&1
|
ssh-keygen -q -t ed25519 -C "" -N "" -f /config/etc/ssh/id_ed25519 2>&1
|
||||||
[[ ! -f "/config/etc/ssh/id_ed25519" ]] && ERREXIT 255 5
|
[[ ! -f "/config/etc/ssh/id_ed25519" ]] && SLEEPEXIT 255 5
|
||||||
}
|
}
|
||||||
|
|
||||||
chmod 644 /config/etc/ssh/id_ed25519
|
chmod 644 /config/etc/ssh/id_ed25519
|
||||||
|
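Review bot: The `chmod 644 /config/etc/ssh/id_ed25519` that closes the last hunk leaves an SSH private key world-readable inside `/config/etc/ssh`. Presumably this is deliberate so that a non-root process in the container can read it; if so, a comment stating that intent would keep a later maintainer from tightening it, e.g. `# intentionally 644: read by the unprivileged <process> (fill in) — see <its config>`, and if not, `600` is the usual mode for a private key. The message in `SLEEPEXIT 254 5 "Failed to generated SF_SEED="` also reads `generated` where `generate` is meant.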
@ -247,6 +247,7 @@ if [[ "$(exec_errnull docker container inspect "encfs-${LID}" -f '{{.State.Statu
|
|||||||
--cpu-shares=256 \
|
--cpu-shares=256 \
|
||||||
--blkio-weight=10 \
|
--blkio-weight=10 \
|
||||||
--oom-score-adj=500 \
|
--oom-score-adj=500 \
|
||||||
|
--rm \
|
||||||
--name "encfs-${LID}" \
|
--name "encfs-${LID}" \
|
||||||
--cap-add SYS_ADMIN \
|
--cap-add SYS_ADMIN \
|
||||||
--device /dev/fuse \
|
--device /dev/fuse \
|
||||||
|
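Review bot: With `--rm` added, an `encfs-${LID}` container that exits (a wrong seed, for instance) is deleted together with its log output, so `docker logs` can no longer show why the mount failed; keeping the container when `SF_DEBUG` is set, or routing its output through `--log-driver`/`--log-opt`, would preserve that evidence. The `docker container inspect "encfs-${LID}" -f '{{.State.Status…` test on the hunk header line presumably treats "not found" and "exited" alike, since after this change a failed container is no longer listed at all; that is worth confirming. The enclosing `if` starts outside this hunk.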
@ -112,7 +112,7 @@ init_config_run()
|
|||||||
[[ ! -d "${SF_BASEDIR}/config/etc/tc" ]] && SUDO_SF "cp -r \"${SFI_SRCDIR}/config/etc/tc\" \"${SF_BASEDIR}/config/etc\""
|
[[ ! -d "${SF_BASEDIR}/config/etc/tc" ]] && SUDO_SF "cp -r \"${SFI_SRCDIR}/config/etc/tc\" \"${SF_BASEDIR}/config/etc\""
|
||||||
|
|
||||||
# Copy info directory
|
# Copy info directory
|
||||||
[[ ! -d "${SF_BASEDIR}/config/etc/info" ]] && SUDO_SF "cp -r \"${SFI_SRCDIR}/config/etc/info\" \"${SF_BASEDIR}/config/info\""
|
[[ ! -d "${SF_BASEDIR}/config/etc/info" ]] && SUDO_SF "cp -r \"${SFI_SRCDIR}/config/etc/info\" \"${SF_BASEDIR}/config/etc\""
|
||||||
|
|
||||||
# Create Master-SEED
|
# Create Master-SEED
|
||||||
if [[ -z $SF_SEED ]]; then
|
if [[ -z $SF_SEED ]]; then
|
||||||
|
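Review bot: The new destination `"${SF_BASEDIR}/config/etc"` on the info line relies on that directory already existing: if it does not, `cp -r` fails, and the `-d .../config/etc/info` guard stays false and repeats the attempt on every run. The `tc` line two rows above has the same dependency, so presumably `config/etc` is created earlier in init_config_run; either a `mkdir -p "${SF_BASEDIR}/config/etc"` before these copies or the explicit destination `\"${SF_BASEDIR}/config/etc/info\"` would make the step independent of ordering. init_config_run starts and ends outside this hunk.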