Block AI bots

README.md

@@ -2,4 +2,5 @@
 
 How I put my very own personal servers online, for free.
 
-Details at [the blog post](http://ralsina.me/weblog/posts/the-cheapest-server.html)
+* The reverse proxy setup is in `reverse_proxy/`
+* The ansible playbooks to setup the actual server are in `provision-pinky`

nginx.conf

@@ -1,50 +0,0 @@
-server {
-  listen 8080;
-  listen [::]:8080;
-
-  server_name home.ralsina.me;
-
-  location / {
-      proxy_pass http://pinky.ralsina.github.beta.tailscale.net:8080;
-      proxy_set_header X-Forwarded-Host $http_host;
-  }
-  error_page 500 502 503 504 /custom_50x.html;
-  location = /custom_50x.html {
-      root /usr/share/nginx/html;
-      internal;
-  }
-}
-
-server {
-  listen 8080;
-  listen [::]:8080;
-
-  server_name git.ralsina.me;
-
-  location / {
-      proxy_pass http://pinky.ralsina.github.beta.tailscale.net:3000;
-      proxy_set_header X-Forwarded-Host $http_host;
-  }
-  error_page 403 404 500 502 503 504 /custom_50x.html;
-  location = /custom_50x.html {
-      root /usr/share/nginx/html;
-      internal;
-  }
-}
-
-server {
-  listen 8080;
-  listen [::]:8080;
-
-  server_name faas.ralsina.me;
-
-  location / {
-      proxy_pass http://pinky.ralsina.github.beta.tailscale.net:8082;
-      proxy_set_header X-Forwarded-Host $http_host;
-  }
-  error_page 403 404 500 502 503 504 /custom_50x.html;
-  location = /custom_50x.html {
-      root /usr/share/nginx/html;
-      internal;
-  }
-}

ralsina.me.txt

@@ -0,0 +1,59 @@
+;;
+;; Domain:     ralsina.me.
+;; Exported:   2024-08-20 14:42:21
+;;
+;; This file is intended for use for informational and archival
+;; purposes ONLY and MUST be edited before use on a production
+;; DNS server.  In particular, you must:
+;;   -- update the SOA record with the correct authoritative name server
+;;   -- update the SOA record with the contact e-mail address information
+;;   -- update the NS record(s) with the authoritative name servers for this domain.
+;;
+;; For further information, please consult the BIND documentation
+;; located on the following website:
+;;
+;; http://www.isc.org/
+;;
+;; And RFC 1035:
+;;
+;; http://www.ietf.org/rfc/rfc1035.txt
+;;
+;; Please note that we do NOT offer technical support for any use
+;; of this zone data, the BIND name server, or any other third-party
+;; DNS software.
+;;
+;; Use at your own risk.
+;; SOA Record
+ralsina.me	3600	IN	SOA	princess.ns.cloudflare.com. dns.cloudflare.com. 2047583154 10000 2400 604800 3600
+
+;; NS Records
+ralsina.me.	86400	IN	NS	princess.ns.cloudflare.com.
+ralsina.me.	86400	IN	NS	tim.ns.cloudflare.com.
+
+;; A Records
+direct.ralsina.me.	1	IN	A	192.241.197.159 ; Points to DigitalOcean VPS for nikola and others
+
+;; CAA Records
+ralsina.me.	1	IN	CAA	0 issuewild "pki.goog; cansignhttpexchanges=yes"
+ralsina.me.	1	IN	CAA	0 issuewild "letsencrypt.org"
+ralsina.me.	1	IN	CAA	0 issuewild "digicert.com; cansignhttpexchanges=yes"
+ralsina.me.	1	IN	CAA	0 issuewild "comodoca.com"
+ralsina.me.	1	IN	CAA	0 issue "pki.goog; cansignhttpexchanges=yes"
+ralsina.me.	1	IN	CAA	0 issue "letsencrypt.org"
+ralsina.me.	1	IN	CAA	0 issue "digicert.com; cansignhttpexchanges=yes"
+ralsina.me.	1	IN	CAA	0 issue "comodoca.com"
+
+;; CNAME Records
+_acme-challenge.ralsina.me.	1	IN	CNAME	ralsina.me.ydzmj.flydns.net.
+*.ralsina.me.	1	IN	CNAME	white-wave-7409.fly.dev.
+ralsina.me.	1	IN	CNAME	white-wave-7409.fly.dev.
+
+;; MX Records
+ralsina.me.	1	IN	MX	75 route2.mx.cloudflare.net.
+ralsina.me.	1	IN	MX	27 route3.mx.cloudflare.net.
+ralsina.me.	1	IN	MX	1 route1.mx.cloudflare.net.
+
+;; TXT Records
+_dmarc.ralsina.me.	1	IN	TXT	"v=DMARC1; p=none; rua=mailto:ralsina@netmanagers.com.ar,mailto:roberto.alsina@gmail.com,mailto:roberto@ralsina.me"
+ralsina.me.	1	IN	TXT	"v=spf1 include:_spf.mx.cloudflare.net ~all"
+ralsina.me.	1	IN	TXT	"google-site-verification=GLjctZfTmZSRp8wt7vx4ko-KaGlqT5hxfUTliYpX9V8"

reverse_proxy/Dockerfile

@@ -1,13 +1,13 @@
-FROM alpine:latest as builder
+FROM alpine:latest AS builder
 WORKDIR /app
 COPY . ./
 # This is where one could build the application code as well.
 
 
-FROM alpine:latest as tailscale
+FROM alpine:latest AS tailscale
 WORKDIR /app
 COPY . ./
-ENV TSFILE=tailscale_1.24.2_amd64.tgz
+ENV TSFILE=tailscale_1.86.2_amd64.tgz
 RUN wget https://pkgs.tailscale.com/stable/${TSFILE} && tar xzf ${TSFILE} --strip-components=1
 COPY . ./
 

reverse_proxy/README.md

@@ -0,0 +1,17 @@
+# Reverse Proxy setup
+
+How I put my very own personal servers online, for free.
+
+This sets up a reverse proxy using nginx on a VM in fly.io using
+tailscale to access the internal servers.
+
+Details at [the blog post](http://ralsina.me/weblog/posts/the-cheapest-server.html)
+
+When adding a new hostname, remember to create a cert for it using
+`flyctl certs create hostname`
+
+Every 90 days the tailscale auth key will expire and you need to set a new one as
+a secret.
+
+* Create the new one at https://login.tailscale.com/admin/settings/keys (MAKE IT REUSABLE)
+* Configure it using flyctl secrets set TAILSCALE_AUTHKEY={{PASTEKEYHERE}}

reverse_proxy/fly.toml

@@ -1,40 +1,39 @@
-# fly.toml file generated for white-wave-7409 on 2022-05-02T16:24:11-03:00
+# fly.toml app configuration file generated for white-wave-7409 on 2023-05-16T12:52:57-03:00
+#
+# See https://fly.io/docs/reference/configuration/ for information about how to use this file.
+#
 
 app = "white-wave-7409"
-
+primary_region = "mia"
 kill_signal = "SIGINT"
-kill_timeout = 5
+kill_timeout = "5s"
-processes = []
+
+[experimental]
+  auto_rollback = true
 
 [deploy]
   strategy = "rolling"
 
-[env]
-
-[experimental]
-  allowed_public_ports = [8080]
-  auto_rollback = true
-
 [[services]]
-  internal_port = 8080
   protocol = "tcp"
+  internal_port = 8080
+  min_machines_running = 0
 
+  [[services.ports]]
+    port = 80
+    handlers = ["http"]
+    force_https = true
+
+  [[services.ports]]
+    port = 443
+    handlers = ["tls", "http"]
   [services.concurrency]
+    type = "connections"
     hard_limit = 25
     soft_limit = 20
-    type = "connections"
-
-  [[services.ports]]
-    force_https = true
-    handlers = ["http"]
-    port = 80
-
-  [[services.ports]]
-    handlers = ["tls", "http"]
-    port = "443"
 
   [[services.tcp_checks]]
-    grace_period = "1s"
     interval = "15s"
-    restart_limit = 0
     timeout = "2s"
+    grace_period = "1s"
+    restart_limit = 0

reverse_proxy/nginx.conf

@@ -0,0 +1,214 @@
+map $upstream_http_access_control_allow_origin $allow_origin {
+    '' "*";
+}
+
+
+server {
+    listen 8080;
+    listen [::]:8080;
+
+    server_name faaso-prod.ralsina.me;
+
+    add_header 'Access-Control-Allow-Origin' $allow_origin;
+    add_header 'Access-Control-Allow-Headers' '*';
+    add_header 'Access-Control-Allow-Credentials' 'true';
+    add_header 'Allow' 'POST, GET, OPTIONS';
+
+    if ($request_method = 'OPTIONS' ) {
+        return 200;
+    }
+
+    location / {
+        proxy_pass http://rocky.tail20c16.ts.net:8888;
+        proxy_set_header X-Forwarded-Host $http_host;
+    }
+}
+
+server {
+    listen 8080;
+    listen [::]:8080;
+
+    server_name grafito-demo.ralsina.me;
+
+    add_header 'Access-Control-Allow-Origin' $allow_origin;
+    add_header 'Access-Control-Allow-Headers' '*';
+    add_header 'Access-Control-Allow-Credentials' 'true';
+    add_header 'Allow' 'POST, GET, OPTIONS';
+
+    if ($request_method = 'OPTIONS' ) {
+        return 200;
+    }
+
+    location / {
+        proxy_pass http://rocky.tail20c16.ts.net:1112;
+        proxy_set_header X-Forwarded-Host $http_host;
+    }
+}
+
+server {
+    listen 8080;
+    listen [::]:8080;
+
+    server_name code.ralsina.me;
+
+    location / {
+        proxy_pass http://mindy.tail20c16.ts.net:8088;
+        proxy_set_header X-Forwarded-Host $http_host;
+        proxy_set_header Host $host;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection upgrade;
+        proxy_set_header Accept-Encoding gzip;
+    }
+    error_page 500 502 503 504 /custom_50x.html;
+    location = /custom_50x.html {
+        root /usr/share/nginx/html;
+        internal;
+    }
+}
+server {
+    listen 8080;
+    listen [::]:8080;
+
+    server_name home.ralsina.me;
+    server_name ralsina.me;
+    server_name faaso.ralsina.me;
+    server_name nicolino.ralsina.me;
+    server_name crycco.ralsina.me;
+    server_name nombres.ralsina.me;
+    server_name grafito.ralsina.me;
+    server_name tocry.ralsina.me;
+    server_name kv.ralsina.me;
+
+    if ($http_user_agent ~* "(AdsBot-Google|Amazonbot|anthropic-ai|Applebot|Applebot-Extended|AwarioRssBot|AwarioSmartBot|Bytespider|CCBot|ChatGPT-User|ClaudeBot|Claude-Web|cohere-ai|DataForSeoBot|Diffbot|FacebookBot|FriendlyCrawler|Google-Extended|GoogleOther|GPTBot|img2dataset|ImagesiftBot|magpie-crawler|Meltwater|omgili|omgilibot|peer39_crawler|peer39_crawler/1.0|PerplexityBot|PiplBot|scoop.it|Seekr|YouBot)") {
+        return 307 https://ash-speed.hetzner.com/10GB.bin;
+    }
+
+    location / {
+        proxy_pass http://rocky.tail20c16.ts.net:8080;
+        proxy_set_header X-Forwarded-Host $http_host;
+        proxy_set_header Host $host;
+    }
+    error_page 500 502 503 504 /custom_50x.html;
+    location = /custom_50x.html {
+        root /usr/share/nginx/html;
+        internal;
+    }
+}
+
+server {
+    listen 8080;
+    listen [::]:8080;
+
+    server_name links.ralsina.me;
+
+    location / {
+        proxy_pass http://rocky.tail20c16.ts.net:8086;
+        proxy_set_header X-Forwarded-Host $http_host;
+        proxy_set_header Host $host;
+    }
+    error_page 500 502 503 504 /custom_50x.html;
+    location = /custom_50x.html {
+        root /usr/share/nginx/html;
+        internal;
+    }
+}
+
+server {
+    listen 8080;
+    listen [::]:8080;
+
+    server_name git.ralsina.me;
+
+    location / {
+        proxy_pass http://rocky.tail20c16.ts.net:3000;
+        proxy_set_header X-Forwarded-Host $http_host;
+        proxy_set_header Host $host;
+    }
+    error_page 403 404 500 502 503 504 /custom_50x.html;
+    location = /custom_50x.html {
+        root /usr/share/nginx/html;
+        internal;
+    }
+}
+
+server {
+    listen 8080;
+    listen [::]:8080;
+
+    server_name gotify.ralsina.me;
+
+    add_header 'Access-Control-Allow-Origin' '*';
+    add_header 'Access-Control-Allow-Headers' '*';
+    add_header 'Access-Control-Allow-Credentials' 'true';
+    add_header 'Allow' 'POST, GET, OPTIONS';
+
+    if ($request_method = 'OPTIONS' ) {
+        return 200;
+    }
+
+    location / {
+        proxy_pass http://rocky.tail20c16.ts.net:7777;
+        proxy_set_header X-Forwarded-Host $http_host;
+        proxy_set_header Host $host;
+    }
+
+    location /stream {
+        proxy_pass http://rocky.tail20c16.ts.net:7777;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+    }
+
+    error_page 403 404 500 502 503 504 /custom_50x.html;
+    location = /custom_50x.html {
+        root /usr/share/nginx/html;
+        internal;
+    }
+}
+
+server {
+    listen 8080;
+    listen [::]:8080;
+
+    server_name faas.ralsina.me;
+
+    add_header 'Access-Control-Allow-Origin' '*';
+    add_header 'Access-Control-Allow-Headers' '*';
+    add_header 'Access-Control-Allow-Credentials' 'true';
+    add_header 'Allow' 'POST, GET, OPTIONS';
+
+    if ($request_method = 'OPTIONS' ) {
+        return 200;
+    }
+
+    location / {
+        proxy_pass http://rocky.tail20c16.ts.net:8082;
+        proxy_set_header X-Forwarded-Host $http_host;
+    }
+}
+
+server {
+    listen 8080;
+    listen [::]:8080;
+
+    server_name snips.ralsina.me;
+
+    location / {
+        proxy_pass http://rocky.tail20c16.ts.net:8091	;
+        proxy_set_header X-Forwarded-Host $http_host;
+
+        # WebSocket support
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+    }
+}
+
+server {
+    listen 8080;
+    listen [::]:8080;
+
+    server_name covers.ralsina.me;
+    return 301 https://ralsina.me/stories/covers/;
+}

rocky/README.md

@@ -0,0 +1,17 @@
+# Rocky server setup
+
+* Download latest debian image for the server
+* Burn SD, put `before.txt` in `config/`
+* Copy all this to `/root`
+* Fix ts key (see below)
+
+Boot server, reboot.
+
+* Run setup.sh
+
+
+Every 90 days the tailscale auth key will expire and you need to set a new one as
+a secret.
+
+* Create the new one at https://login.tailscale.com/admin/settings/keys (MAKE IT REUSABLE)
+* Put it in the setup.sh in the server

rocky/before.txt

@@ -0,0 +1,68 @@
+# ==============================
+# Radxa First Boot Configuration
+# ==============================
+
+# Allow config to continue even when some commands fail
+no_fail
+log "Running before.txt as first boot configuration"
+
+# Update generic hostname
+# Command:
+#   update_generic_hostname <generic hostname>
+update_generic_hostname rocky
+
+# Create default accounts
+# Commands:
+#   add_user <user name> <password>
+#   user_append_group <user name> <group>
+#
+add_user ralsina ralsina
+user_append_group ralsina sudo
+user_append_group ralsina audio
+user_append_group ralsina video
+user_append_group ralsina plugdev
+user_append_group ralsina render
+user_append_group ralsina gpio
+user_append_group ralsina i2c
+user_append_group ralsina spidev
+user_append_group ralsina pwm
+
+
+# Resize root partition at the filesystem level
+#
+resize_root
+
+# Disable services
+# Command:
+#   disable_service <systemd unit name>
+#
+disable_service smbd
+disable_service nmbd
+# Disable systemd-networkd due to systemd-networkd-wait-online blocking network.target
+# We use NetworkManger, so systemd-networkd can be safely disabled
+disable_service systemd-networkd
+
+# Generate unique hardware fingerprint
+#
+regenerate_ssh_hostkey
+
+# Configure locale
+# Command:
+#   update_locale <locale>
+#
+update_locale en_US.UTF-8
+
+# Connect to Wi-Fi
+# Command:
+#   connect_wi-fi <network name> [password]
+#
+connect_wi-fi Telecentro-4ad3 QMZHHDN2MZYV
+
+enable_service ssh
+enable_service ssh.socket
+
+# Remove first-boot package
+# Command:
+#   remove_packages <package names>
+#
+remove_packages rsetup-config-first-boot

rocky/local

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+mount UUID=721a0aaa-28cd-46b8-98ba-485bc719d680 /data
+systemctl start docker
+

rocky/local.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=Startup
+After=network.target local-fs.target
+
+[Service]
+Type=oneshot
+ExecStart=/etc/rc.local
+StandardOutput=journal
+StandardError=journal
+User=root

rocky/setup.sh

@@ -0,0 +1,63 @@
+#!/bin/bash
+set -e
+apt update
+apt upgrade
+
+apt install foot-terminfo btrfs-progs ca-certificates curl rsync
+
+mkdir ~/.ssh -p
+chmod 700 ~/.ssh
+echo 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvwFdqrGf0V44l/akfJP1oLMG5Ou9XCrEBUYXn22nPd/0osoXxfbiyFhgLJ6ZVV8fXxH4qhPhniDvUR7oLemjZqpNO3eizyzXoZ1GBqB7OBSM+99HHqYZkWDVM4RHh3U4GAqh/MPty9ALp82MlJwCH4JolV+ejFmm/dzO1A8gx12X5KbEjhCG0bRXGfQx0Xkhfdy5X1NGXsRa2Qq6y9WuoxeSTq6kQQHqlSnGHkvumEVjHLD57KTpO72nPXZ2NxZRHeCuhBXCv7FzCguzT9NEt8L7z+kX6E31Rav5dsxA3CKoDcCHqKYIE66qQ7ad8WNKzwYoG67l7MiCtlIdO7jUGw== ralsina@mont' > ~/.ssh/authorized_keys
+chmod 00 ~/.ssh/authorized_keys
+
+
+for pkg in docker.io docker-doc docker-compose podman-docker containerd runc; do sudo apt-get remove $pkg; done
+
+curl -fsSL https://get.docker.com -o get-docker.sh
+sudo sh ./get-docker.sh --dry-run
+
+systemctl disable docker || true
+
+hostname rocky
+echo rocky > /etc/hostname
+
+curl -fsSL https://tailscale.com/install.sh | sh && sudo tailscale up --auth-key=enter-tailscale-deploy-key-here
+
+tailscale up
+
+# Docker Engine for Linux installation script.
+
+# Add Docker's official GPG key:
+sudo install -m 0755 -d /etc/apt/keyrings
+sudo curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
+sudo chmod a+r /etc/apt/keyrings/docker.asc
+# # Add the repository to Apt sources:
+echo \
+  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
+    $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
+      sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+      sudo apt-get update
+
+sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+systemctl disable docker
+systemctl stop docker
+
+mkdir /data
+mount UUID=721a0aaa-28cd-46b8-98ba-485bc719d680 /data
+docker network create faaso-net
+pushd /data/stacks
+for a in */
+do
+	cd $a
+	docker compose up -d
+	cd ..
+done
+popd
+
+
+cp local.service /etc/systemd/system/local.service
+cp local /etc/rc.local
+chmod +x /etc/rc.local
+systemctl daemon-reload
+
+reboot