feat: vsftpd

gitea/compose.yaml

@@ -15,23 +15,18 @@ services:
   db:
     image: docker.io/postgres:15
     restart: unless-stopped
-    volumes:
-      - db:/var/lib/postgresql/data/
     environment:
       - POSTGRES_DB=$POSTGRES_DB
       - POSTGRES_USER=$POSTGRES_USER
       - POSTGRES_PASSWORD=$POSTGRES_PASSWORD
+    volumes:
+      - db:/var/lib/postgresql/data/
 
   gitea:
     image: docker.io/gitea/gitea:1.21-rootless
     restart: unless-stopped
     ports:
       - "$SSH_PORT:2222"
-    volumes:
-      - data:/var/lib/gitea/
-      - config:/etc/gitea/
-      - /etc/timezone:/etc/timezone:ro
-      - /etc/localtime:/etc/localtime:ro
     environment:
       - POSTGRES_HOST=db
       - GITEA__database__DB_TYPE=postgres
@@ -39,6 +34,11 @@ services:
       - GITEA__database__NAME=$POSTGRES_DB
       - GITEA__database__USER=$POSTGRES_USER
       - GITEA__database__PASSWD=$POSTGRES_PASSWORD
+    volumes:
+      - data:/var/lib/gitea/
+      - config:/etc/gitea/
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
     networks:
       - nginx
       - default

matrix/compose.yaml

@@ -16,13 +16,13 @@ services:
   db:
     image: docker.io/postgres:15
     restart: unless-stopped
-    volumes:
-      - db:/var/lib/postgresql/data/
     environment:
       - POSTGRES_DB
       - POSTGRES_USER
       - POSTGRES_PASSWORD
       - POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C
+    volumes:
+      - db:/var/lib/postgresql/data/
 
   redis:
     image: docker.io/redis:latest
@@ -41,9 +41,6 @@ services:
   synapse:
     image: docker.io/matrixdotorg/synapse:latest
     restart: unless-stopped
-    volumes:
-      - synapse_config:/config/
-      - synapse_data:/data/
     environment:
       - SYNAPSE_SERVER_NAME=$MATRIX_BASE_URL
       - SYNAPSE_CONFIG_DIR=/config
@@ -52,6 +49,9 @@ services:
       - GID=$PGID
       - COTURN_BASE_URL
       - AUTH_SECRET
+    volumes:
+      - synapse_config:/config/
+      - synapse_data:/data/
     networks:
       - nginx
       - default

nextcloud/compose.yaml

@@ -15,12 +15,12 @@ services:
   db:
     image: docker.io/postgres:15
     restart: unless-stopped
-    volumes:
-      - db:/var/lib/postgresql/data/
     environment:
       - POSTGRES_DB
       - POSTGRES_USER
       - POSTGRES_PASSWORD
+    volumes:
+      - db:/var/lib/postgresql/data/
 
   redis:
     image: docker.io/redis:latest
@@ -31,12 +31,6 @@ services:
   nextcloud:
     build: .
     restart: unless-stopped
-    volumes:
-      - nextcloud:/var/www/html/
-      - apps:/var/www/html/custom_apps/
-      - config:/var/www/html/config/
-      - data:/var/www/html/data/
-      - $MEDIA_PATH:/media/
     env_file:
       - .env
     environment:
@@ -44,6 +38,12 @@ services:
       - REDIS_HOST=redis
       - TRUSTED_PROXIES=nextcloud
       - OVERWRITEPROTOCOL=https
+    volumes:
+      - nextcloud:/var/www/html/
+      - apps:/var/www/html/custom_apps/
+      - config:/var/www/html/config/
+      - data:/var/www/html/data/
+      - $MEDIA_PATH:/media/
     networks:
       - nginx
       - default

searxng/compose.yaml

@@ -21,11 +21,12 @@ services:
   searxng:
     image: docker.io/searxng/searxng:latest
     restart: unless-stopped
-    volumes:
-      - ./config/:/etc/searxng/
     environment:
       - SEARXNG_SECRET
       - SEARXNG_REDIS_URL=redis://redis
+    volumes:
+      - ./config/limiter.toml:/etc/searxng/limiter.toml:ro
+      - ./config/settings.yml:/etc/searxng/settings.yml:ro
     networks:
       - default
       - nginx

searxng/config/settings.yml

@@ -11,7 +11,7 @@ general:
   # mailto:contact@example.com
   contact_url: false
   # record stats
-  enable_metrics: false
+  enable_metrics: true
 
 brand:
   new_issue_url: https://github.com/searxng/searxng/issues/new
@@ -19,6 +19,12 @@ brand:
   public_instances: https://searx.space
   wiki_url: https://github.com/searxng/searxng/wiki
   issue_url: https://github.com/searxng/searxng/issues
+  # custom:
+  #   maintainer: "Jon Doe"
+  #   # Custom entries in the footer: [title]: [link]
+  #   links:
+  #     Uptime: https://uptime.searxng.org/history/darmarit-org
+  #     About: "https://searxng.org"
 
 search:
   # Filter results. 0: None, 1: Moderate, 2: Strict
@@ -67,7 +73,7 @@ server:
   # public URL of the instance, to ensure correct inbound links. Is overwritten
   # by ${SEARXNG_URL}.
   base_url: false  # "http://example.com/location"
-  limiter: false  # rate limit the number of request on the instance, block some bots
+  limiter: true   # rate limit the number of request on the instance, block some bots
   public_instance: false  # enable features designed only for public instances
 
   # If your instance owns a /etc/searxng/settings.yml file, then set the following
@@ -90,7 +96,7 @@ server:
 redis:
   # URL to connect redis database. Is overwritten by ${SEARXNG_REDIS_URL}.
   # https://docs.searxng.org/admin/settings/settings_redis.html#settings-redis
-  url: false
+  url: redis://redis
 
 ui:
   # Custom static path - leave it blank if you didn't change
@@ -181,7 +187,7 @@ outgoing:
   #
   # Extra seconds to add in order to account for the time taken by the proxy
   #
-  #  extra_proxy_timeout: 10.0
+  #  extra_proxy_timeout: 10
   #
   # uncomment below section only if you have more than one network interface
   # which can be the source of outgoing search requests
@@ -348,6 +354,11 @@ engines:
     shortcut: arx
     timeout: 4.0
 
+  - name: ask
+    engine: ask
+    shortcut: ask
+    disabled: true
+
   # tmp suspended:  dh key too small
   # - name: base
   #   engine: base
@@ -1135,6 +1146,17 @@ engines:
   #   collection: 'reviews'  # name of the db collection
   #   key: 'name'  # key in the collection to search for
 
+  - name: mozhi
+    engine: mozhi
+    base_url:
+      - https://mozhi.aryak.me
+      - https://translate.bus-hit.me
+      - https://nyc1.mz.ggtyler.dev
+    # mozhi_engine: google - see https://mozhi.aryak.me for supported engines
+    timeout: 4.0
+    shortcut: mz
+    disabled: true
+
   - name: mwmbl
     engine: mwmbl
     # api_url: https://api.mwmbl.org
@@ -1321,6 +1343,31 @@ engines:
     url: https://thepiratebay.org/
     timeout: 3.0
 
+  - name: pixiv
+    shortcut: pv
+    engine: pixiv
+    disabled: true
+    inactive: true
+    pixiv_image_proxies:
+      - pximg.example.org
+      # A proxy is required to load the images. Hosting an image proxy server
+      # for Pixiv:
+      #    --> https://codeberg.org/VnPower/PixivFE/wiki/Hosting-an-image-proxy-server-for-Pixiv
+      # Proxies from public instances.  Ask the public instances owners if they
+      # agree to receive traffic from SearXNG!
+      #    --> https://codeberg.org/VnPower/PixivFE#instances
+      #    --> https://github.com/searxng/searxng/pull/3192#issuecomment-1941095047
+      # image proxy of https://pixiv.cat
+      # - https://i.pixiv.cat
+      # image proxy of https://www.pixiv.pics
+      # - https://pximg.cocomi.eu.org
+      # image proxy of https://pixivfe.exozy.me
+      # - https://pximg.exozy.me
+      # image proxy of https://pixivfe.ducks.party
+      # - https://pixiv.ducks.party
+      # image proxy of https://pixiv.perennialte.ch
+      # - https://pximg.perennialte.ch
+
   - name: podcastindex
     engine: podcastindex
     shortcut: podcast
@@ -1683,7 +1730,13 @@ engines:
   - name: unsplash
     engine: unsplash
     shortcut: us
+
+  - name: yandex music
+    engine: yandex_music
+    shortcut: ydm
     disabled: true
+    # https://yandex.com/support/music/access.html
+    inactive: true
 
   - name: yahoo
     engine: yahoo
@@ -2021,6 +2074,13 @@ engines:
     categories: videos
     disabled: true
 
+  - name: livespace
+    engine: livespace
+    shortcut: ls
+    categories: videos
+    disabled: true
+    timeout: 5.0
+
   - name: wordnik
     engine: wordnik
     shortcut: def

vsftpd/.env

@@ -0,0 +1,7 @@
+BASE_URL=ftp.
+EMAIL=
+
+FILES=./files/
+
+PUID=1000
+PGID=1000

vsftpd/Dockerfile

@@ -0,0 +1,10 @@
+FROM docker.io/debian:12-slim
+RUN apt-get update                                \
+    && apt-get install -y --no-install-recommends \
+        vsftpd                                    \
+    && rm -rf /var/lib/apt/lists/*
+COPY entrypoint.sh /usr/local/bin/
+COPY vsftpd.conf /etc/
+VOLUME /files/
+ENTRYPOINT ["entrypoint.sh"]
+CMD ["vsftpd"]

vsftpd/compose.yaml

@@ -0,0 +1,30 @@
+---
+services:
+  install_site:
+    build: install_site
+    environment:
+      - BASE_URL
+      - EMAIL
+    volumes:
+      - certs:/etc/letsencrypt/
+      - certbotroot:/var/www/certbot/
+      - /var/run/docker.sock:/var/run/docker.sock
+
+  vsftpd:
+    build: .
+    restart: unless-stopped
+    ports:
+      - "20:20"
+      - "21:21"
+      - "989:989"
+      - "990:990"
+    user: "$PUID:$PGID"
+    volumes:
+      - "$FILES:/files/"
+      - certs:/etc/letsencrypt/:ro
+
+volumes:
+  certs:
+    external: true
+  certbotroot:
+    external: true

vsftpd/entrypoint.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+sed -i "s \$BASE_URL $BASE_URL " /etc/vsftpd.conf
+exec "$@"

vsftpd/install_site

@@ -0,0 +1 @@
+../_nginx/install_site

vsftpd/vsftpd.conf

@@ -0,0 +1,155 @@
+# Example config file /etc/vsftpd.conf
+#
+# The default compiled in settings are fairly paranoid. This sample file
+# loosens things up a bit, to make the ftp daemon more usable.
+# Please see vsftpd.conf.5 for all compiled in defaults.
+#
+# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
+# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
+# capabilities.
+#
+#
+# Run standalone?  vsftpd can run either from an inetd or as a standalone
+# daemon started from an initscript.
+listen=YES
+#
+# This directive enables listening on IPv6 sockets. By default, listening
+# on the IPv6 "any" address (::) will accept connections from both IPv6
+# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
+# sockets. If you want that (perhaps because you want to listen on specific
+# addresses) then you must run two copies of vsftpd with two configuration
+# files.
+listen_ipv6=YES
+#
+# Allow anonymous FTP? (Disabled by default).
+anonymous_enable=NO
+#
+# Uncomment this to allow local users to log in.
+local_enable=YES
+#
+# Uncomment this to enable any form of FTP write command.
+#write_enable=YES
+#
+# Default umask for local users is 077. You may wish to change this to 022,
+# if your users expect that (022 is used by most other ftpd's)
+#local_umask=022
+#
+# Uncomment this to allow the anonymous FTP user to upload files. This only
+# has an effect if the above global write enable is activated. Also, you will
+# obviously need to create a directory writable by the FTP user.
+#anon_upload_enable=YES
+#
+# Uncomment this if you want the anonymous FTP user to be able to create
+# new directories.
+#anon_mkdir_write_enable=YES
+#
+# Activate directory messages - messages given to remote users when they
+# go into a certain directory.
+dirmessage_enable=YES
+#
+# If enabled, vsftpd will display directory listings with the time
+# in  your  local  time  zone.  The default is to display GMT. The
+# times returned by the MDTM FTP command are also affected by this
+# option.
+use_localtime=NO
+#
+# Activate logging of uploads/downloads.
+xferlog_enable=YES
+#
+# Make sure PORT transfer connections originate from port 20 (ftp-data).
+connect_from_port_20=YES
+#
+# If you want, you can arrange for uploaded anonymous files to be owned by
+# a different user. Note! Using "root" for uploaded files is not
+# recommended!
+#chown_uploads=YES
+#chown_username=whoever
+#
+# You may override where the log file goes if you like. The default is shown
+# below.
+#xferlog_file=/var/log/vsftpd.log
+#
+# If you want, you can have your log file in standard ftpd xferlog format.
+# Note that the default log file location is /var/log/xferlog in this case.
+#xferlog_std_format=YES
+#
+# You may change the default value for timing out an idle session.
+#idle_session_timeout=600
+#
+# You may change the default value for timing out a data connection.
+#data_connection_timeout=120
+#
+# It is recommended that you define on your system a unique user which the
+# ftp server can use as a totally isolated and unprivileged user.
+#nopriv_user=ftpsecure
+#
+# Enable this and the server will recognise asynchronous ABOR requests. Not
+# recommended for security (the code is non-trivial). Not enabling it,
+# however, may confuse older FTP clients.
+#async_abor_enable=YES
+#
+# By default the server will pretend to allow ASCII mode but in fact ignore
+# the request. Turn on the below options to have the server actually do ASCII
+# mangling on files when in ASCII mode.
+# Beware that on some FTP servers, ASCII support allows a denial of service
+# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
+# predicted this attack and has always been safe, reporting the size of the
+# raw file.
+# ASCII mangling is a horrible feature of the protocol.
+#ascii_upload_enable=YES
+#ascii_download_enable=YES
+#
+# You may fully customise the login banner string:
+#ftpd_banner=Welcome to blah FTP service.
+#
+# You may specify a file of disallowed anonymous e-mail addresses. Apparently
+# useful for combatting certain DoS attacks.
+#deny_email_enable=YES
+# (default follows)
+#banned_email_file=/etc/vsftpd.banned_emails
+#
+# You may restrict local users to their home directories.  See the FAQ for
+# the possible risks in this before using chroot_local_user or
+# chroot_list_enable below.
+#chroot_local_user=YES
+#
+# You may specify an explicit list of local users to chroot() to their home
+# directory. If chroot_local_user is YES, then this list becomes a list of
+# users to NOT chroot().
+# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
+# the user does not have write access to the top level directory within the
+# chroot)
+#chroot_local_user=YES
+#chroot_list_enable=YES
+# (default follows)
+#chroot_list_file=/etc/vsftpd.chroot_list
+#
+# You may activate the "-R" option to the builtin ls. This is disabled by
+# default to avoid remote users being able to cause excessive I/O on large
+# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
+# the presence of the "-R" option, so there is a strong case for enabling it.
+#ls_recurse_enable=YES
+#
+# Customization
+#
+# Some of vsftpd's settings don't fit the filesystem layout by
+# default.
+#
+# This option should be the name of a directory which is empty.  Also, the
+# directory should not be writable by the ftp user. This directory is used
+# as a secure chroot() jail at times vsftpd does not require filesystem
+# access.
+secure_chroot_dir=/var/run/vsftpd/empty
+#
+# This string is the name of the PAM service vsftpd will use.
+pam_service_name=vsftpd
+#
+# This option specifies the location of the RSA certificate to use for SSL
+# encrypted connections.
+rsa_cert_file=/etc/letsencrypt/live/$BASE_URL/fullchain.pem
+rsa_private_key_file=/etc/letsencrypt/live/$BASE_URL/privkey.pem
+ssl_enable=YES
+
+#
+# Uncomment this to indicate that vsftpd use a utf8 filesystem.
+utf8_filesystem=YES

woodpecker/compose.yaml

@@ -15,13 +15,13 @@ services:
   woodpecker-server:
     image: docker.io/woodpeckerci/woodpecker-server:v2.0.0
     restart: unless-stopped
-    volumes:
-      - server-data:/var/lib/woodpecker/
     env_file:
       - .env
     environment:
       - WOODPECKER_OPEN=true
       - WOODPECKER_HOST=https://$BASE_URL
+    volumes:
+      - server-data:/var/lib/woodpecker/
     networks:
       - nginx
       - default
@@ -30,12 +30,12 @@ services:
     image: docker.io/woodpeckerci/woodpecker-agent:v2.0.0
     restart: unless-stopped
     command: agent
-    volumes:
-      - agent-config:/etc/woodpecker/
-      - /var/run/docker.sock:/var/run/docker.sock
     environment:
       - WOODPECKER_SERVER=woodpecker-server:9000
       - WOODPECKER_AGENT_SECRET
+    volumes:
+      - agent-config:/etc/woodpecker/
+      - /var/run/docker.sock:/var/run/docker.sock
     depends_on:
       - woodpecker-server