.github/workflows/deploy.yml

@@ -1,15 +1,11 @@
 name: deploy
-concurrency: fogtype.com
 on:
   push:
-    branches:
-      - main
+    branches: [main]
 jobs:
   main:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
       - run: install -m 700 -d ~/.ssh
-      - run: install -m 600 <(echo '${{ secrets.DEPLOY_KEY }}') ~/.ssh/id_ed25519
-      - run: install -m 600 <(echo '${{ secrets.KNOWN_HOSTS }}') ~/.ssh/known_hosts
-      - run: make deploy
+      - run: install -m 600 <(echo '${{ secrets.DEPLOY_KEY }}') ~/.ssh/deploy_key
+      - run: ssh -i ~/.ssh/deploy_key -o 'StrictHostKeyChecking no' kou029w@fogtype.com 'sh -c "cd ~/fogtype.com && git pull --rebase && docker compose up --detach --remove-orphans"'

.gitignore

@@ -1,3 +0,0 @@
-.deploy_key
-.deploy_key.pub
-.known_hosts

Makefile

@@ -1,39 +0,0 @@
-REMOTE_USER := nebel
-REMOTE_HOST := fogtype.com
-
-.PHONY: help
-help:
-	@cat README.md
-
-.PHONY: deploy
-deploy:
-	ssh $(REMOTE_USER)@$(REMOTE_HOST) <$@
-
-.PHONY: install
-install: .deploy_key .known_hosts
-	ssh-copy-id -i .deploy_key.pub $(REMOTE_USER)@$(REMOTE_HOST)
-	scp install $(REMOTE_USER)@$(REMOTE_HOST):install
-	ssh -t $(REMOTE_USER)@$(REMOTE_HOST) '\
-		ssh-keygen -t ed25519; \
-		cat ~/.ssh/id_ed25519.pub; \
-		./install; \
-		rm install; \
-	'
-
-.deploy_key:
-	ssh-keygen -t ed25519 -C deploy_key -f $@
-
-.known_hosts:
-	ssh-keyscan -t ed25519 -H $(REMOTE_HOST) >$@
-
-.PHONY: keyrings
-keyrings: \
-	etc/apt/keyrings/docker-archive-keyring.gpg \
-	etc/apt/keyrings/tailscale-archive-keyring.gpg \
-
-etc/apt/keyrings/docker-archive-keyring.gpg:
-	curl -sSf --tlsv1.3 https://download.docker.com/linux/ubuntu/gpg \
-		| gpg --dearmor >$@
-
-etc/apt/keyrings/tailscale-archive-keyring.gpg:
-	curl -sSf --tlsv1.3 -o $@ https://pkgs.tailscale.com/stable/ubuntu/noble.noarmor.gpg

README.md

@@ -1,19 +1,23 @@
 # Fogtype
 
-## Runner Registration
+## 前提
 
-```
-$ make install
+- Docker Compose
+- systemd
+- systemd-journald
+
+Git リポジトリを取得し、設定ファイルを配置
+
+```bash
+ssh kou029w@fogtype.com
+git clone git@github.com:kou029w/fogtype.com.git
+cd fogtype.com
+sudo install -m 644 {,/}etc/docker/daemon.json
+sudo systemctl restart docker
 ```
 
-secrets.DEPLOY_KEY
-: SSH identity file
-
-secrets.KNOWN_HOSTS
-: SSH known_hosts file
-
-## Deploy
+## 構築
 
-```
-$ make deploy
+```sh
+docker compose up -d
 ```

compose.yml

@@ -1,7 +1,7 @@
-name: fogtype
+name: keiunet
 services:
   https:
-    image: caddy:2.8.4-alpine@sha256:221bcf3be161b0d856bdb7bea76b42386d732d19348f79692404829532d83f4a
+    image: caddy:2.6.4-alpine@sha256:eefd3d61e9ee8f35e046f614982d9a970006e3943c6e5f09957a4048f4c80d35
     restart: unless-stopped
     ports:
       - "80:80"
@@ -15,8 +15,25 @@ services:
       - caddy_config:/config
     networks:
       - fogtype
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+  dns:
+    image: coredns/coredns:1.10.1@sha256:a0ead06651cf580044aeb0a0feba63591858fb2e43ade8c9dea45a6a89ae7e5e
+    restart: unless-stopped
+    expose: ["443"]
+    ports:
+      - "53:53/udp"
+      - "53:53/tcp"
+      - "853:853"
+      - "127.0.0.1:9153:9153"
+    volumes:
+      - ./etc/coredns:/etc/coredns
+      - caddy_data:/var/lib/caddy/data
+    command: "-conf /etc/coredns/Corefile"
+    networks:
+      - fogtype
   gts:
-    image: superseriousbusiness/gotosocial:0.16.0@sha256:54c0e2833f426b810861d8bc7b5633ca8119f2fa234a4ddaeb422519c04fca97
+    image: superseriousbusiness/gotosocial:0.8.1@sha256:074c70e3af44289af590dc663015c43b9c789d476d9e00c3565678f179e82e04
     restart: unless-stopped
     expose: ["8080"]
     environment:
@@ -31,38 +48,51 @@ services:
     command: "--config-path /etc/gotosocial/config.yaml"
     networks:
       - fogtype
-  maddy:
-    image: foxcpp/maddy:0.7.1@sha256:6ab538e2f28baf2324f7cb418c7f9476fd9c7e9fa9b14bc3aecf51a9f6962064
+  vikunja-api:
+    image: vikunja/api:0.20.4@sha256:0f8e00f99120ac677de0764b054e4402f7046077004ff5e26f9146adfaf8b0af
     restart: unless-stopped
-    ports:
-      - "25:25"
-      - "465:465"
-      - "993:993"
     environment:
-      MADDY_HOSTNAME: fogtype.com
-      MADDY_DOMAIN: fogtype.com
+      VIKUNJA_SERVICE_FRONTENDURL: https://task.fogtype.com/
+      VIKUNJA_SERVICE_ENABLEREGISTRATION: "false"
+      VIKUNJA_DATABASE_TYPE: sqlite
+      VIKUNJA_DATABASE_PATH: files/vikunja.db
     volumes:
-      - ./etc/maddy:/etc/maddy
-      - caddy_data:/var/lib/caddy/data:ro
-      - maddy_data:/data
-  headscale:
-    image: headscale/headscale:0.22.3@sha256:aadf29a875bb2ffdf6579869e5759935f7a64b9fd19fcea9d5385c5d7220dc7b
-    restart: unless-stopped
-    ports:
-      - "3478:3478/udp"
-      - "127.0.0.1:9200:9200"
-    volumes:
-      - ./etc/headscale:/etc/headscale
-      - headscale_data:/var/lib/headscale
+      - "vikunja_data:/app/vikunja/files"
     networks:
       - fogtype
-    command: headscale serve
+  vikunja-frontend:
+    image: vikunja/frontend:0.20.5@sha256:5aad76d28c5dd8f5f5f4e6d5ba3459138676d37e5f79747f53ce64a52ba78b56
+    restart: unless-stopped
+    networks:
+      - fogtype
+  mox:
+    image: r.xmox.nl/mox:v0.0.3-go1.20.3-alpine3.17.3@sha256:12f8a485d8a19cb31625da84d685897acf49568241d350fc6a0dc5e68dbc3cab
+    restart: on-failure
+    network_mode: host
+    environment:
+      MOX_DOCKER: "yes"
+    volumes:
+      - caddy_data:/var/lib/caddy/data:ro
+      - mox_data:/mox/data
+      - mox_config:/mox/config
+      - type: bind
+        source: ./etc/mox/config/mox.conf
+        target: /mox/config/mox.conf
+      - type: bind
+        source: ./etc/mox/config/domains.conf
+        target: /mox/config/domains.conf
+    healthcheck:
+      test: "netstat -nlt | grep ':25 '"
+      interval: "1s"
+      timeout: "1s"
+      retries: 10
 volumes:
   caddy_data:
   caddy_config:
   gotosocial_data:
-  maddy_data:
-  headscale_data:
+  vikunja_data:
+  mox_data:
+  mox_config:
 networks:
   fogtype:
     ipam:

deploy

@@ -1,9 +0,0 @@
-#!/bin/sh
-set -eu
-
-cd "${HOME}/${REMOTE_HOST:-fogtype.com}"
-
-git pull --rebase
-docker compose up --detach --remove-orphans
-
-cd -

etc/apt/apt.conf.d/99-tailscale

@@ -1 +0,0 @@
-Unattended-Upgrade::Allowed-Origins:: "Tailscale:*";

etc/apt/sources.list.d/docker.sources

@@ -1,5 +0,0 @@
-Types: deb
-URIs: https://download.docker.com/linux/ubuntu
-Suites: noble
-Components: stable
-Signed-By: /usr/share/keyrings/docker-archive-keyring.gpg

etc/apt/sources.list.d/tailscale.sources

@@ -1,5 +0,0 @@
-Types: deb
-URIs: https://pkgs.tailscale.com/stable/ubuntu
-Suites: noble
-Components: main
-Signed-By: /usr/share/keyrings/tailscale-archive-keyring.gpg

etc/caddy/Caddyfile

@@ -1,30 +1,30 @@
+keiu.net, www.keiu.net {
+	redir https://fogtype.com{uri} 308
+}
+read.keiu.net {
+	redir https://rad.fogtype.com{uri} 308
+}
 fogtype.com {
-	header /.well-known/nostr.json access-control-allow-origin *
-	@exists file
-	handle @exists {
+	handle /.well-known/nostr.json {
+		header access-control-allow-origin *
 		file_server
 	}
+	reverse_proxy /.well-known/mta-sts.txt host.docker.internal:8081
 	reverse_proxy http://gts:8080
 }
 www.fogtype.com {
 	redir https://fogtype.com{uri} 308
 }
-net.fogtype.com {
-	reverse_proxy headscale:8080
-}
-mta-sts.fogtype.com {
-	handle /.well-known/mta-sts.txt {
-		file_server
+dns.fogtype.com {
+	reverse_proxy /dns-query https://dns {
+		transport http {
+			tls_server_name dns.fogtype.com
+		}
 	}
-	redir / /.well-known/mta-sts.txt
 }
-openpgpkey.fogtype.com {
-	header access-control-allow-origin *
-	handle /.well-known/openpgpkey/* {
-		file_server
-	}
-	redir / /.well-known/openpgpkey/fogtype.com/hu/k5iarqu189w6rpg6immh6a3sdiyse3kp
-}
-git.fogtype.com {
-	reverse_proxy http://rho.fogtype.com:3000
+task.fogtype.com {
+	reverse_proxy /.well-known/* vikunja-api:3456
+	reverse_proxy /api/* vikunja-api:3456
+	reverse_proxy /dav/* vikunja-api:3456
+	reverse_proxy vikunja-frontend:80
 }

etc/coredns/Corefile

@@ -0,0 +1,12 @@
+https://. tls://. . {
+	tls /var/lib/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/dns.fogtype.com/dns.fogtype.com.crt /var/lib/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/dns.fogtype.com/dns.fogtype.com.key
+	reload
+	prometheus 0.0.0.0:9153
+	cache 10
+	hosts {
+		fallthrough
+	}
+	forward . tls://1.1.1.1 tls://1.0.0.1 {
+		tls_servername tls.cloudflare-dns.com
+	}
+}

etc/docker/daemon.json

@@ -1,3 +1,4 @@
 {
+  "live-restore": true,
   "log-driver": "journald"
 }

etc/headscale/config.yaml

@@ -1,18 +0,0 @@
-server_url: https://net.fogtype.com
-listen_addr: 0.0.0.0:8080
-metrics_listen_addr: 0.0.0.0:9200
-db_type: sqlite3
-db_path: /var/lib/headscale/db.sqlite
-private_key_path: /var/lib/headscale/private.key
-noise:
-  private_key_path: /var/lib/headscale/noise_private.key
-ip_prefixes:
-  - fd7a:115c:a1e0::/48
-  - 100.64.0.0/10
-derp:
-  server:
-    enabled: true
-    region_id: 999
-    region_code: "headscale"
-    region_name: "Headscale Embedded DERP"
-    stun_listen_addr: "0.0.0.0:3478"

etc/maddy/aliases

@@ -1 +0,0 @@
-postmaster@fogtype.com: nebel@fogtype.com

etc/mox/config/domains.conf

@@ -0,0 +1,45 @@
+Domains:
+	fogtype.com:
+		LocalpartCatchallSeparator: +
+		DKIM:
+			Selectors:
+				2023a:
+					Expiration: 72h
+					PrivateKeyFile: dkim/2023a._domainkey.fogtype.com.key.pkcs8.pem
+				2023b:
+					Expiration: 72h
+					PrivateKeyFile: dkim/2023b._domainkey.fogtype.com.key.pkcs8.pem
+			Sign:
+				- 2023a
+		DMARC:
+			Localpart: dmarc-reports
+			Account: nebel
+			Mailbox: DMARC
+		MTASTS:
+			PolicyID: 20230420T000000
+			Mode: enforce
+			MaxAge: 24h
+		TLSRPT:
+			Localpart: tls-reports
+			Account: nebel
+			Mailbox: TLSRPT
+Accounts:
+	nebel:
+		Domain: fogtype.com
+		Destinations:
+			nebel: nil
+		SubjectPass:
+			Period: 12h
+		RejectsMailbox: Rejects
+		AutomaticJunkFlags:
+			Enabled: true
+			JunkMailboxRegexp: ^(junk|spam)
+			NeutralMailboxRegexp: ^(inbox|neutral|postmaster|dmarc|tlsrpt|rejects)
+		JunkFilter:
+			Threshold: 0.95
+			Params:
+				Onegrams: true
+				MaxPower: 0.01
+				TopWords: 10
+				IgnoreWords: 0.1
+				RareWords: 2

etc/mox/config/mox.conf

@@ -0,0 +1,39 @@
+DataDir: ../data
+LogLevel: info
+User: 1000
+Hostname: fogtype.com
+CheckUpdates: true
+AdminPasswordFile: adminpasswd
+Listeners:
+	internal:
+		IPs:
+			- 127.0.0.1
+		AccountHTTP:
+			Enabled: true
+			Port: 8080
+		AdminHTTP:
+			Enabled: true
+			Port: 8080
+		MetricsHTTP:
+			Enabled: true
+		MTASTSHTTPS:
+			Enabled: true
+			Port: 8081
+			NonTLS: true
+	public:
+		IPs:
+			- ::
+		TLS:
+			KeyCerts:
+				-
+					CertFile: /var/lib/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/fogtype.com/fogtype.com.crt
+					KeyFile: /var/lib/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/fogtype.com/fogtype.com.key
+		SMTP:
+			Enabled: true
+		Submissions:
+			Enabled: true
+		IMAPS:
+			Enabled: true
+Postmaster:
+	Account: nebel
+	Mailbox: Postmaster

install

@@ -1,32 +0,0 @@
-#!/bin/sh
-set -eu
-
-REPO=${REPO:-git@github.com:kou029w/fogtype.com.git}
-REMOTE_HOST=${REMOTE_HOST:-fogtype.com}
-PACKAGES="docker-ce docker-compose-plugin tailscale"
-
-eval "$(
-  apt-config shell APT_CONF_DIR Dir::Etc::parts/d
-  apt-config shell APT_SOURCES_DIR Dir::Etc::sourceparts/d
-)"
-
-sudo apt-get update -qq
-DEBIAN_FRONTEND=noninteractive sudo apt-get install -y -qq git rsync
-
-git clone "${REPO}" "${HOME}/${REMOTE_HOST}" ||
-  git -C "${HOME}/${REMOTE_HOST}" pull --rebase
-
-cd "${HOME}/${REMOTE_HOST}"
-
-sudo rsync -r etc/apt/keyrings/ /usr/share/keyrings/
-sudo rsync -r etc/apt/apt.conf.d/ "${APT_CONF_DIR}"
-sudo rsync -r etc/apt/sources.list.d/ "${APT_SOURCES_DIR}"
-sudo rsync -r etc/docker/ /etc/docker/
-
-cd -
-
-sudo apt-get update -qq
-# shellcheck disable=SC2086
-DEBIAN_FRONTEND=noninteractive sudo apt-get install -y -qq ${PACKAGES}
-
-sudo gpasswd -a "$(whoami)" docker

renovate.json

@@ -1,9 +1,10 @@
 {
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    "config:best-practices",
+    "config:base",
     ":automergeAll",
     ":automergeBranch",
-    ":skipStatusChecks"
+    ":skipStatusChecks",
+    "docker:enableMajor",
+    "docker:pinDigests"
   ]
 }

srv/.well-known/atproto-did

@@ -1 +0,0 @@
-did:plc:q2jocvzp6nzybaodbajtkqy4

srv/.well-known/mta-sts.txt

@@ -1,4 +0,0 @@
-version: STSv1
-mode: enforce
-max_age: 86400
-mx: fogtype.com

srv/.well-known/openpgpkey/fogtype.com/policy

@@ -1 +0,0 @@
-# Policy flags for domain fogtype.com