Update Forgejo to rootless image

Signed-off-by: Bensuperpc <bensuperpc@gmail.com>

Makefile

@@ -11,17 +11,18 @@
 #//                                                          //
 #//////////////////////////////////////////////////////////////
 
-ADMIN_SERVICES := openssh 
-#uptime-kuma yacht
+ADMIN_SERVICES := openssh uptime-kuma
 #BLOG_SERVICES := wordpress
 #7DAYS_TO_DIE_SERVICES := 7daystodie_server 7daystodie_backup
 #MINECRAFT_SERVICES := minecraft_server minecraft_backup
 #SATISFACTORY_SERVICES := satisfactory_server satisfactory_backup
-#GIT_SERVICES := forgejo
+GIT_SERVICES := forgejo
 # forgejo-runner
 # gitea gitea-runner
 #IA_SERVICES := open-webui
-#SHARING_SERVICES := psitransfer picoshare privatebin projectsend jellyfin dufs syncthing
+SHARING_SERVICES := privatebin
+# jellyfin
+# psitransfer picoshare projectsend dufs syncthing
 TORRENTS_SERVICES := qbittorrent
 # transmission
 UTILS_SERVICES := it-tools omni-tools cyberchef

README.md

@@ -23,7 +23,6 @@ If you have any **questions** or **suggestions**, feel free to open an issue or
 - [x] it-tools and omni-tools (Tools for IT)
 - [x] Open-WebUI (Local chatGPT)
 - [x] Privatebin (Pastebin)
-- [x] Yacht (Web interface for managing docker containers)
 - [X] [Satisfactory](https://github.com/bensuperpc/docker-satisfactory)
 - [x] [7 days to die](https://github.com/bensuperpc/docker-7daystodie)
 - [x] [minecraft](https://github.com/bensuperpc/docker-minecraft-server)
@@ -114,11 +113,9 @@ And then, caddy will generate the certificate for you and renew it automatically
 | [it-tools.bensuperpc.org](https://it-tools.bensuperpc.org)         | Sub  | Tools for IT                                                 |
 | [omni-tools.bensuperpc.org](https://omni-tools.bensuperpc.org)     | Sub  | Tools for IT                                                 |
 | [privatebin.bensuperpc.org](https://privatebin.bensuperpc.org)     | Sub  | Pastebin                                                     |
-| [yacht.bensuperpc.org](https://yacht.bensuperpc.org)               | Sub  | Web interface for managing docker containers                 |
 | [projectsend.bensuperpc.org](https://projectsend.bensuperpc.org)   | Sub  | ProjectSend for file sharing                                 |
 | [picoshare.bensuperpc.org](https://picoshare.bensuperpc.org)       | Sub  | Picoshare for file sharing                                   |
 | [dufs.bensuperpc.org](https://dufs.bensuperpc.org)                 | Sub  | Dufs for file sharing                                        |
-| [public.bensuperpc.org](https://public.bensuperpc.org)             | Sub  | Caddy for file sharing                                       |
 | [memos.bensuperpc.org](https://memos.bensuperpc.org)               | Sub  | Caddy for file sharing                                       |
 | [stirlingpdf.bensuperpc.org](https://stirlingpdf.bensuperpc.org)   | Sub  | Stirling PDF tools                                           |
 
@@ -191,12 +188,6 @@ For [psitransfer.env](infrastructure/services/psitransfer/env/psitransfer.env) f
 PSITRANSFER_ADMIN_PASS=n9jLVNT9QUotTJTT91JqH4GyBTg9pvEn
 ```
 
-For [yacht.env](infrastructure/services/yacht/env/yacht.env) file, you need to change the secret key.
-
-```sh
-SECRET_KEY=UZvg9nbcGIJlPEB3uI39TAEWyFOz9nm8
-```
-
 For [projectsend_db.env](infrastructure/services/projectsend/env/projectsend_db.env) file, you need to change the password(s) and user for the database.
 
 ```sh
@@ -296,6 +287,14 @@ You can change the homepage config in these files:
 
 ### Forgejo
 
+Once the installation is complete, you need to set the installation lock:
+
+```sh
+FORGEJO__security__INSTALL_LOCK=true
+```
+
+### Forgejo Runner
+
 ```sh
 docker exec -it forgejo_runner /bin/bash
 ```
@@ -380,7 +379,6 @@ ssh -p 2222 admin@bensuperpc.org
 - [Privatebin](https://github.com/PrivateBin/PrivateBin)
 - [ghost](https://ghost.org)
 - [Homepage Tuto](https://belginux.com/installer-homepage-avec-docker/)
-- [Yacht](https://yacht.sh/)
 - [ProjectSend](https://www.projectsend.org/)
 - [Picoshare](https://github.com/mtlynch/picoshare)
 - [Dufs](https://github.com/sigoden/dufs)

infrastructure/docker-compose.yml

@@ -41,8 +41,6 @@ include:
   - services/transmission/docker-compose.transmission.yml
 # Uptime-kuma
   - services/uptime-kuma/docker-compose.uptime-kuma.yml
-# Yacht
-  - services/yacht/docker-compose.yacht.yml
 # open-webui
   - services/open-webui/docker-compose.open-webui.yml
 # Minecraft

infrastructure/services/caddy/config/website/main.caddy

@@ -16,12 +16,12 @@ www.{$MAIN_DOMAIN} {
 	redir https://www.{host}{uri} permanent
 }
 
-public.{$MAIN_DOMAIN} {
-	root * /public_data
-	file_server browse
-
-	header / {
-		Cache-Control "no-store"
-		import header_common
-	}
-}
+#public.{$MAIN_DOMAIN} {
+#	root * /public_data
+#	file_server browse
+#
+#	header / {
+#		Cache-Control "no-store"
+#		import header_common
+#	}
+#}

infrastructure/services/caddy/config/website/yacht.caddy

@@ -1,3 +0,0 @@
-yacht.{$MAIN_DOMAIN} {
-	reverse_proxy yacht:8000
-}

infrastructure/services/forgejo/docker-compose.forgejo.yml

@@ -1,7 +1,7 @@
 services:
   # forgejo
   forgejo:
-    image: codeberg.org/forgejo/forgejo:11-rootless
+    image: codeberg.org/forgejo/forgejo:12-rootless
     container_name: forgejo
     profiles:
       - forgejo
@@ -10,7 +10,7 @@ services:
       - database_forgejo
       - caddy
     ports:
-      - "22:22"
+      - "22:2222"
     env_file:
       - ./env/forgejo.env
     volumes:
@@ -20,6 +20,7 @@ services:
       - /etc/localtime:/etc/localtime:ro
     networks:
       - infra-network
+    user: ${PUID:-1000}:${PGID:-1000} 
     security_opt:
       - no-new-privileges:true
   

infrastructure/services/forgejo/env/forgejo.env

@@ -5,12 +5,12 @@ FORGEJO__database__HOST=database_forgejo:3306
 FORGEJO__database__NAME=forgejo
 FORGEJO__database__USER=bensuperpc
 FORGEJO__database__PASSWD=K7s5yoHknnEd7vsZoxb8I3dK9mjToF1j
-FORGEJO__APP_NAME=The Homelab Git
+FORGEJO__APP_NAME=Bensuperpc's Forgejo
 FORGEJO__APP_SLOGAN=Personal Code, Mirrors, and More
 FORGEJO__server__DOMAIN=git.bensuperpc.org
 FORGEJO__server__SSH_DOMAIN=git.bensuperpc.org
 FORGEJO__server__HTTP_PORT=3000
-FORGEJO__server__SSH_LISTEN_PORT=22
+FORGEJO__server__SSH_LISTEN_PORT=2222
 FORGEJO__server__SSH_PORT=22
 FORGEJO__server__ROOT_URL=https://git.bensuperpc.org
 FORGEJO__security__SECRET_KEY=ykcZt23an1E4lFHWvrCKdAyt16WAiK9c

infrastructure/services/homepage/config/services.yaml

@@ -64,12 +64,12 @@
         description: Dufs
         ping: dufs.bensuperpc.org
         container: dufs
-    - caddy:
-        icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/caddy.png
-        href: https://public.bensuperpc.org/
-        description: File browser
-        ping: public.bensuperpc.org
-        container: caddy
+#    - caddy:
+#        icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/caddy.png
+#        href: https://public.bensuperpc.org/
+#        description: File browser
+#        ping: public.bensuperpc.org
+#        container: caddy
 
 - Utils:
     - it-tools:
@@ -142,10 +142,4 @@
         description: Uptime Kuma
         ping: uptimekuma.bensuperpc.org
         container: uptime-kuma
-    - yacht:
-#        icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/yacht.png
-        href: https://yacht.bensuperpc.org/
-        description: Yacht
-        ping: yacht.bensuperpc.org
-        container: yacht
 

infrastructure/services/privatebin/config/conf.php

@@ -39,16 +39,29 @@ defaultformatter = "plaintext"
 ; (optional) set a syntax highlighting theme, as found in css/prettify/
 ; syntaxhighlightingtheme = "sons-of-obsidian"
 
-; size limit per paste or comment in bytes, defaults to 10 Mebibytes
-sizelimit = 10485760
+; size limit per document or comment in bytes, defaults to 10 Megabytes
+sizelimit = 10000000
 
-; template to include, default is "bootstrap" (tpl/bootstrap.php), also
-; available are "page" (tpl/page.php), the classic ZeroBin style and several
-; bootstrap variants: "bootstrap-dark", "bootstrap-compact", "bootstrap-page",
-; which can be combined with "-dark" and "-compact" for "bootstrap-dark-page"
-; and finally "bootstrap-compact-page" - previews at:
+; by default PrivateBin use "bootstrap5" template (tpl/bootstrap5.php).
+; Optionally you can enable the template selection menu, which uses
+; a session cookie to store the choice until the browser is closed.
+templateselection = false
+
+; List of available for selection templates when "templateselection" option is enabled
+availabletemplates[] = "bootstrap5"
+availabletemplates[] = "bootstrap"
+availabletemplates[] = "bootstrap-page"
+availabletemplates[] = "bootstrap-dark"
+availabletemplates[] = "bootstrap-dark-page"
+availabletemplates[] = "bootstrap-compact"
+availabletemplates[] = "bootstrap-compact-page"
+
+; set the template your installs defaults to, defaults to "bootstrap5" (tpl/bootstrap5.php), also
+; bootstrap template (tpl/bootstrap.php) and it's variants: "bootstrap-dark", "bootstrap-compact", "bootstrap-page",
+; which can be combined with "-dark" and "-compact" for "bootstrap-dark-page",
+; "bootstrap-compact-page" - previews at:
 ; https://privatebin.info/screenshots.html
-template = "bootstrap-dark"
+; template = "bootstrap5"
 
 ; (optional) info text to display
 ; use single, instead of double quotes for HTML attributes
@@ -66,17 +79,22 @@ languageselection = false
 ; if this is set and language selection is disabled, this will be the only language
 ; languagedefault = "en"
 
-; (optional) URL shortener address to offer after a new paste is created.
+; (optional) URL shortener address to offer after a new document is created.
 ; It is suggested to only use this with self-hosted shorteners as this will leak
-; the pastes encryption key.
+; the documents encryption key.
 ; urlshortener = "https://shortener.example.com/api?link="
 
-; (optional) Let users create a QR code for sharing the paste URL with one click.
-; It works both when a new paste is created and when you view a paste.
+; (optional) Whether to shorten the URL by default when a new document is created.
+; If set to true, the "Shorten URL" functionality will be automatically called.
+; This only works if the "urlshortener" option is set.
+; shortenbydefault = false
+
+; (optional) Let users create a QR code for sharing the document URL with one click.
+; It works both when a new document is created and when you view a document.
 ; qrcode = true
 
-; (optional) Let users send an email sharing the paste URL with one click.
-; It works both when a new paste is created and when you view a paste.
+; (optional) Let users send an email sharing the document URL with one click.
+; It works both when a new document is created and when you view a document.
 ; email = true
 
 ; (optional) IP based icons are a weak mechanism to detect if a comment was from
@@ -84,7 +102,7 @@ languageselection = false
 ; used to get the IP of a comment poster if the server salt is leaked and a
 ; SHA512 HMAC rainbow table is generated for all (relevant) IPs.
 ; Can be set to one these values:
-; "none" / "identicon" (default) / "jdenticon" / "vizhash".
+; "none" / "identicon" / "jdenticon" (default) / "vizhash".
 ; icon = "none"
 
 ; Content Security Policy headers allow a website to restrict what sources are
@@ -93,24 +111,21 @@ languageselection = false
 ; scripts or run your site behind certain DDoS-protection services.
 ; Check the documentation at https://content-security-policy.com/
 ; Notes:
-; - If you use any bootstrap theme, you can remove the allow-popups from the
-;   sandbox restrictions.
-; - If you use the bootstrap5 theme, you must change default-src to 'self' to
-;   enable display of the svg icons
 ; - By default this disallows to load images from third-party servers, e.g. when
-;   they are embedded in pastes. If you wish to allow that, you can adjust the
+;   they are embedded in documents. If you wish to allow that, you can adjust the
 ;   policy here. See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-it-load-embedded-images
 ;   for details.
-; - The 'unsafe-eval' is used in two cases; to check if the browser supports
-;   async functions and display an error if not and for Chrome to enable
-;   webassembly support (used for zlib compression). You can remove it if Chrome
-;   doesn't need to be supported and old browsers don't need to be warned.
-; cspheader = "default-src 'none'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval'; style-src 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads"
-
-; stay compatible with PrivateBin Alpha 0.19, less secure
-; if enabled will use base64.js version 1.7 instead of 2.1.9 and sha1 instead of
-; sha256 in HMAC for the deletion token
-; zerobincompatibility = false
+; - The 'wasm-unsafe-eval' is used to enable webassembly support (used for zlib
+;   compression). You can remove it if compression doesn't need to be supported.
+; - The 'unsafe-inline' style-src is used by Chrome when displaying PDF previews
+;   and can be omitted if attachment upload is disabled (which is the default).
+;   See https://issues.chromium.org/issues/343754409
+; - To allow displaying PDF previews in Firefox or Chrome, sandboxing must also
+;   get turned off. The following CSP allows PDF previews:
+; cspheader = "default-src 'none'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-ancestors 'none'; frame-src blob:; img-src 'self' data: blob:; media-src blob:; object-src blob:"
+;
+; The recommended and default used CSP is:
+; cspheader = "default-src 'none'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'wasm-unsafe-eval'; style-src 'self'; font-src 'self'; frame-ancestors 'none'; frame-src blob:; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-modals allow-downloads"
 
 ; Enable or disable the warning message when the site is served over an insecure
 ; connection (insecure HTTP instead of HTTPS), defaults to true.
@@ -119,7 +134,7 @@ languageselection = false
 ; See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-it-show-me-an-error-about-an-insecure-connection for more information.
 ; httpwarning = true
 
-; Pick compression algorithm or disable it. Only applies to pastes/comments
+; Pick compression algorithm or disable it. Only applies to documents & comments
 ; created after changing the setting.
 ; Can be set to one these values: "none" / "zlib" (default).
 ; compression = "zlib"
@@ -160,9 +175,9 @@ limit = 10
 ; exempted = "1.2.3.4,10.10.10/24"
 
 ; (optional) If you want only some source IP addresses (v4 or v6) or subnets
-; (CIDR) to be allowed to create pastes, set these here. Invalid IPs will be
+; (CIDR) to be allowed to create documents, set these here. Invalid IPs will be
 ; ignored. If multiple values are to be exempted, the list needs to be comma
-; separated. Leave unset to allow anyone to create pastes.
+; separated. Leave unset to allow anyone to create documents.
 ; creators = "1.2.3.4,10.10.10/24"
 
 ; (optional) if your website runs behind a reverse proxy or load balancer,
@@ -170,12 +185,12 @@ limit = 10
 ; header = "X_FORWARDED_FOR"
 
 [purge]
-; minimum time limit between two purgings of expired pastes, it is only
-; triggered when pastes are created
-; Set this to 0 to run a purge every time a paste is created.
+; minimum time limit between two purgings of expired documents, it is only
+; checked when documents get created
+; Set this to 0 to run a purge every time a document is created.
 limit = 300
 
-; maximum amount of expired pastes to delete in one purge
+; maximum amount of expired documents to delete in one purge
 ; Set this to 0 to disable purging. Set it higher, if you are running a large
 ; site
 batchsize = 10
@@ -259,7 +274,7 @@ dir = PATH "data"
 ;version = "latest"
 ;bucket = "my-bucket"
 
-[yourls]
+;[yourls]
 ; When using YOURLS as a "urlshortener" config item:
 ; - By default, "urlshortener" will point to the YOURLS API URL, with or without
 ;   credentials, and will be visible in public on the PrivateBin web page.
@@ -280,4 +295,4 @@ dir = PATH "data"
 ; Subresource integrity (SRI) hashes used in template files. Uncomment and set
 ; these for all js files used. See:
 ; https://github.com/PrivateBin/PrivateBin/wiki/FAQ#user-content-how-to-make-privatebin-work-when-i-have-changed-some-javascript-files
-;privatebin.js = sha512-[…]
+;js/privatebin.js = "sha512-[…]"

infrastructure/services/yacht/docker-compose.yacht.yml

@@ -1,23 +0,0 @@
-services:
-  # yacht
-  yacht:
-    image: selfhostedpro/yacht:latest
-    container_name: yacht
-    profiles:
-      - yacht
-    restart: on-failure:5
-    depends_on:
-      - caddy
-    env_file:
-      - ./env/yacht.env
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-      - yacht_config:/config
-    networks:
-      - infra-network
-    security_opt:
-      - no-new-privileges:true
-
-volumes:
-  yacht_config:
-    name: yacht_config

infrastructure/services/yacht/env/yacht.env

@@ -1,3 +0,0 @@
-ADMIN_EMAIL=bensuperpc@gmail.com
-SECRET_KEY=UZvg9nbcGIJlPEB3uI39TAEWyFOz9nm8
-#DATABASE_URL=postgresql://user:password@postgresserver/db

tools/docker_volumes_export.sh

@@ -37,7 +37,6 @@ volumes=(
     stirlingpdf_config
     uptimekuma_data
 #    private_data
-    yacht_config
     transmission_watch
     privatebin_data
     psitransfer_data