Many web updates

2025-04-26 07:08:53 +02:00 · 2023-08-18 01:17:38 +02:00 · 2023-08-18 01:17:38 +02:00 · b9e6f7d6e2
commit b9e6f7d6e2
parent d139b218b9
11 changed files with 427 additions and 62 deletions
--- a/Server/Repo.Update.sh
+++ b/Server/Repo.Update.sh
@ -18,7 +18,9 @@ mkcd ./Root
 		cpfile "etc/systemd/system/$f.service"
 	done
 	CpItem etc/nginx/nginx.conf
 	CpSufx "etc/nginx/sites-available/*." conf old
 	CpItem etc/tor/torrc
 	CpSufx "Server/Scripts/Backup/*." sh cfg
 	CpItem Server/Scripts/OneShot.AfterBoot.sh
--- a/Server/Root/Server/Scripts/Backup/CloudBackup.sh
+++ b/Server/Root/Server/Scripts/Backup/CloudBackup.sh
@ -23,23 +23,27 @@ BackPathCrypt() {
 	ccencryptNow "./${Folder}${Ext}" "${Key}"
 }
 ServerBackupLimited(){
 	cd ./Server-Backup-Limited
-BackPathCrypt "Invidious-User" "${BackupKey_Git_Invidious}" ".7z"
+	#BackPathCrypt "Invidious-User" "${BackupKey_Git_Invidious}" ".7z"
 	#BackPathCrypt "wallabag-data" "${BackupKey_Git_wallabag}"
-BackPathCrypt "FreshRSS-data" "${BackupKey_Git_FreshRSS}"
+	BackPathCrypt FreshRSS "${BackupKey_Git_FreshRSS}"
 	#BackPathCrypt "FreshRSS-data" "${BackupKey_Git_FreshRSS}"
 	#BackPathCrypt "shiori-data" "${BackupKey_Git_Shiori}"
 	# "${BackupKey_Git_aria2}" ".7z"
 	GitPush
 	cd ..
 }
 ArticlesBackupPrivate(){
 	cd ./Articles-Backup-Private
 	EchoExec rm -rf ./shiori-data
 	EchoExec cp -rp "../shiori-data/Latest.d" "./shiori-data"
 	GitPush
 	cd ..
 }
-exit
+SpaccBbsBackup(){
 	cd ./SpaccBBS-Backup-phpBB-2023
 	EchoExec rm -rf ./SpaccBBS || true
 	EchoExec cp -rp ../SpaccBBS/Latest.d ./SpaccBBS
@ -52,7 +56,9 @@ for File in \
 	done
 	GitPush
 	cd ..
 }
 SpaccBbsBackup(){
 	McServer="SpaccCraft"
 	McEdition="Beta-1.7.3"
 	McGit="spacccraft-b1.7.3-backup4"
@ -66,7 +72,12 @@ then
 		cp -r "./${McEdition}/Latest.d" "${DestPath}/${McEdition}"
 		GitPullPushPath "${DestPath}"
 	fi
 }
 ServerBackupLimited
 ArticlesBackupPrivate
 SpaccBbsBackup
 SpaccCraftBackup
 GitPullPushPath "/Cloud/Repos/Personal-Game-Saves"
 #GitPullPushPath "/media/Disk/Configs"
--- a/Server/Root/Server/Scripts/Backup/ServerDataBackup.sh
+++ b/Server/Root/Server/Scripts/Backup/ServerDataBackup.sh
@ -23,9 +23,10 @@ SimpleBackup(){
 }
 #SimpleBackup "wallabag-data"
-SimpleBackup "FreshRSS-data"
+#SimpleBackup "FreshRSS-data"
 SimpleBackup FreshRSS www
-SimpleBackup "shiori-data" "Shiori"
+SimpleBackup shiori-data Shiori
 rm -v ./shiori-data/Latest.d/archive/* || true
 SimpleBackup SpaccBBS www
--- a/Server/Root/etc/nginx/nginx.conf
+++ b/Server/Root/etc/nginx/nginx.conf
@ -0,0 +1,92 @@
 user www-data;
 worker_processes auto;
 pid /run/nginx.pid;
 include /etc/nginx/modules-enabled/*.conf;
 events {
 	worker_connections 768;
 	# multi_accept on;
 }
 http {
 	upstream php {
 		server unix:/var/run/php/php7.4-fpm.sock;
 	}
 	##
 	# Basic Settings
 	##
 	sendfile on;
 	tcp_nopush on;
 	types_hash_max_size 2048;
 	# server_tokens off;
 	server_names_hash_bucket_size 128;
 	map_hash_bucket_size 128;
 	# server_name_in_redirect off;
 	include /etc/nginx/mime.types;
 	default_type application/octet-stream;
 	##
 	# SSL Settings
 	##
 	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
 	ssl_prefer_server_ciphers on;
 	##
 	# Logging Settings
 	##
 	access_log /var/log/nginx/access.log;
 	error_log /var/log/nginx/error.log;
 	##
 	# Gzip Settings
 	##
 	gzip on;
 	# gzip_vary on;
 	# gzip_proxied any;
 	# gzip_comp_level 6;
 	# gzip_buffers 16 8k;
 	# gzip_http_version 1.1;
 	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
 	##
 	# Virtual Host Configs
 	##
 	include /etc/nginx/conf.d/*.conf;
 	include /etc/nginx/sites-enabled/*;
 	client_max_body_size 8M;
 	more_clear_headers  "Server";
 	more_clear_headers  "server";
 }
 #mail {
 #	# See sample authentication script at:
 #	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
 #
 #	# auth_http localhost/auth.php;
 #	# pop3_capabilities "TOP" "USER";
 #	# imap_capabilities "IMAP4rev1" "UIDPLUS";
 #
 #	server {
 #		listen     localhost:110;
 #		protocol   pop3;
 #		proxy      on;
 #	}
 #
 #	server {
 #		listen     localhost:143;
 #		protocol   imap;
 #		proxy      on;
 #	}
 #}
--- a/Server/Root/etc/nginx/sites-available/SpaccBBS.conf
+++ b/Server/Root/etc/nginx/sites-available/SpaccBBS.conf
@ -1,11 +1,12 @@
-upstream php {
+map $http_host $SpaccBbsMap {
-	server unix:/var/run/php/php7.4-fpm.sock;
+	'bbs.spacc.eu.org' '1';
 	'bbs.spaccsoj3trhzowrrblzb5m6hgkwu6syghnmhett7gvxbrz5zhsrs4ad.onion' '2';
 }
 server {
 	listen 80;
 	listen 443 ssl;
-	server_name bbs.spacc.eu.org;
+	server_name bbs.spacc.eu.org bbs.spaccsoj3trhzowrrblzb5m6hgkwu6syghnmhett7gvxbrz5zhsrs4ad.onion;
 	ssl_certificate /etc/letsencrypt/live/bbs.spacc.eu.org/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/bbs.spacc.eu.org/privkey.pem;
 	ssl_prefer_server_ciphers on;
@ -72,4 +73,30 @@ server {
 		deny all;
 		internal;
 	}
 	location /wap {
 		rewrite ^ $scheme://$host/?style=4 redirect;
 	}
 	location /lite {
 		rewrite ^ $scheme://$host/wap redirect;
 	}
 	#if ($SpaccBbsMap = '1') {
 	#	location /wwwroot {
 	#		rewrite ^(.*) $scheme://hlb0.octt.eu.org/$request_uri redirect;
 	#	}
 	#}
 	#if ($SpaccBbsMap = '2') {
 	#	location /wwwroot {
 	#		rewrite ^(.*) $scheme://octt.spaccsoj3trhzowrrblzb5m6hgkwu6syghnmhett7gvxbrz5zhsrs4ad.onion/$request_uri redirect;
 	#	}
 	#}
 	location /wwwroot {
 		if ($SpaccBbsMap = '1') {
 			rewrite ^(.*) $scheme://hlb0.octt.eu.org/$request_uri redirect;
 		}
 		if ($SpaccBbsMap = '2') {
 			rewrite ^(.*) $scheme://octt.spaccsoj3trhzowrrblzb5m6hgkwu6syghnmhett7gvxbrz5zhsrs4ad.onion/$request_uri redirect;
 		}
 	}
 }
--- a/Server/Root/etc/nginx/sites-available/articles.conf
+++ b/Server/Root/etc/nginx/sites-available/articles.conf
@ -1,6 +1,7 @@
 server {
 	listen 80;
 	listen 443 ssl;
-	server_name articles.octt.eu.org;
+	server_name articles.octt.eu.org articles.spaccsoj3trhzowrrblzb5m6hgkwu6syghnmhett7gvxbrz5zhsrs4ad.onion;
 	ssl_certificate /etc/letsencrypt/live/articles.octt.eu.org/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/articles.octt.eu.org/privkey.pem;
 	ssl_prefer_server_ciphers on;
@ -16,8 +17,9 @@ server {
 }
 server {
 	listen 80;
 	listen 443 ssl;
-	server_name ShioriFeed.octt.eu.org;
+	server_name ShioriFeed.octt.eu.org ShioriFeed.spaccsoj3trhzowrrblzb5m6hgkwu6syghnmhett7gvxbrz5zhsrs4ad.onion;
 	ssl_certificate /etc/letsencrypt/live/shiorifeed.octt.eu.org/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/shiorifeed.octt.eu.org/privkey.pem;
 	ssl_prefer_server_ciphers on;
--- a/Server/Root/etc/nginx/sites-available/feeds.conf
+++ b/Server/Root/etc/nginx/sites-available/feeds.conf
@ -1,17 +1,48 @@
 server {
 	listen 80;
 	listen 443 ssl;
-	server_name feeds.octt.eu.org;
+	server_name feeds.octt.eu.org feeds.spaccsoj3trhzowrrblzb5m6hgkwu6syghnmhett7gvxbrz5zhsrs4ad.onion;
 	ssl_certificate /etc/letsencrypt/live/feeds.octt.eu.org/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/feeds.octt.eu.org/privkey.pem;
 	ssl_prefer_server_ciphers on;
 	#location / {
 	#	proxy_http_version 1.1;
 	#	proxy_pass http://localhost:8017;
 	#	proxy_set_header X-Real-IP $remote_addr;
 	#	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 	#	proxy_set_header X-Forwarded-Proto $scheme;
 	#	proxy_set_header Upgrade $http_upgrade;
 	#	proxy_set_header Connection "upgrade";
 	#	sub_filter '</body>' '<script> function ForceUpdateFeeds(){ var Count = 0; Array.from(document.querySelectorAll(atob("KltpZF49ImZfIl0uaXRlbS5mZWVk"))).forEach(function(El){ Count++; fetch(location.origin + "/i/?c=feed&a=actualize&id=" + El.id.split("_")[1]); }); setTimeout(function(){ location.reload(); }, Count * 4000); }; </script></body>';
 	#	sub_filter '<a id="actualize"' '<a class="btn" href="#" title="Force update feeds" onclick="javascript:ForceUpdateFeeds();">Force update feeds</a><a id="actualize"';
 	#	sub_filter_once on;
 	#}
 	root /Server/www/FreshRSS/p;
 	index index.php index.html index.htm;
 	# nginx log files
 	access_log /var/log/nginx/FreshRSS.access.log;
 	error_log /var/log/nginx/FreshRSS.error.log;
 	# php files handling
 	# this regex is mandatory because of the API
 	location ~ ^.+?\.php(/.*)?$ {
 		fastcgi_pass php;
 		fastcgi_split_path_info ^(.+\.php)(/.*)$;
 		# By default, the variable PATH_INFO is not set under PHP-FPM
 		# But FreshRSS API greader.php need it. If you have a “Bad Request” error, double check this var!
 		# NOTE: the separate $path_info variable is required. For more details, see:
 		# https://trac.nginx.org/nginx/ticket/321
 		set $path_info $fastcgi_path_info;
 		fastcgi_param PATH_INFO $path_info;
 		include fastcgi_params;
 		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 	}
 	location / {
-		proxy_http_version 1.1;
+		try_files $uri $uri/ index.php;
 		proxy_pass http://localhost:8017;
 		proxy_set_header X-Real-IP $remote_addr;
 		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 		proxy_set_header X-Forwarded-Proto $scheme;
 		proxy_set_header Upgrade $http_upgrade;
 		proxy_set_header Connection "upgrade";
 		sub_filter '</body>' '<script> function ForceUpdateFeeds(){ var Count = 0; Array.from(document.querySelectorAll(atob("KltpZF49ImZfIl0uaXRlbS5mZWVk"))).forEach(function(El){ Count++; fetch(location.origin + "/i/?c=feed&a=actualize&id=" + El.id.split("_")[1]); }); setTimeout(function(){ location.reload(); }, Count * 4000); }; </script></body>';
 		sub_filter '<a id="actualize"' '<a class="btn" href="#" title="Force update feeds" onclick="javascript:ForceUpdateFeeds();">Force update feeds</a><a id="actualize"';
 		sub_filter_once on;
--- a/Server/Root/etc/nginx/sites-available/root.conf
+++ b/Server/Root/etc/nginx/sites-available/root.conf
@ -33,6 +33,7 @@ server {
 	ssl_prefer_server_ciphers on;
 	error_page 403 = /404.html;
 	error_page 404 = /404.html;
 	location / {
 		root /Server/www/root;
 		if ($request_uri ~ ^([^.\?]*[^/])$) {
@ -45,6 +46,7 @@ server {
 		#error_page 404 = /404.html;
 		#rewrite  ^/(\?.*)?$ index.html$1 permanent;
 	}
 	location /Drive/ {
 		root /Server/www;
 		autoindex on;
@ -65,6 +67,7 @@ server {
 		sub_filter '<h1>Index of /Drive/' '<h1>Index of <a href="/Drive/">/Drive</a>/';
 		sub_filter_once off;
 	}
 	location /Drive/Telegram/ {
 		rewrite ^/Drive/Telegram/(.*)$ /$1 break;
 		proxy_http_version 1.1;
@ -81,4 +84,8 @@ server {
 		sub_filter '<source src="/' '<source src="/Drive/Telegram/';
 		sub_filter_once off;
 	}
 	location /wwwroot/ {
 		rewrite ^/wwwroot/(.*)$ /$1 permanent;
 	}
 }
--- a/Server/Root/etc/systemd/system/diycron.service
+++ b/Server/Root/etc/systemd/system/diycron.service
@ -6,8 +6,8 @@ StartLimitIntervalSec=0
 Type=simple
 Restart=always
 RestartSec=10
-CPUQuota=90%
+#CPUQuota=90%
-MemoryMax=400M
+#MemoryMax=400M
 User=root
 ExecStart=sh -c "cat /var/log/diycron.log >> /var/log/diycron.log.old; sh /etc/diycron > /var/log/diycron.log"
 [Install]
--- a/Server/Root/etc/tor/torrc
+++ b/Server/Root/etc/tor/torrc
@ -0,0 +1,192 @@
 ## Configuration file for a typical Tor user
 ## Last updated 9 October 2013 for Tor 0.2.5.2-alpha.
 ## (may or may not work for much older or much newer versions of Tor.)
 ##
 ## Lines that begin with "## " try to explain what's going on. Lines
 ## that begin with just "#" are disabled commands: you can enable them
 ## by removing the "#" symbol.
 ##
 ## See 'man tor', or https://www.torproject.org/docs/tor-manual.html,
 ## for more options you can use in this file.
 ##
 ## Tor will look for this file in various places based on your platform:
 ## https://www.torproject.org/docs/faq#torrc
 ## Tor opens a socks proxy on port 9050 by default -- even if you don't
 ## configure one below. Set "SocksPort 0" if you plan to run Tor only
 ## as a relay, and not make any local application connections yourself.
 #SocksPort 9050 # Default: Bind to localhost:9050 for local connections.
 #SocksPort 192.168.0.1:9100 # Bind to this address:port too.
 ## Entry policies to allow/deny SOCKS requests based on IP address.
 ## First entry that matches wins. If no SocksPolicy is set, we accept
 ## all (and only) requests that reach a SocksPort. Untrusted users who
 ## can access your SocksPort may be able to learn about the connections
 ## you make.
 #SocksPolicy accept 192.168.0.0/16
 #SocksPolicy reject *
 ## Logs go to stdout at level "notice" unless redirected by something
 ## else, like one of the below lines. You can have as many Log lines as
 ## you want.
 ##
 ## We advise using "notice" in most cases, since anything more verbose
 ## may provide sensitive information to an attacker who obtains the logs.
 ##
 ## Send all messages of level 'notice' or higher to /var/log/tor/notices.log
 #Log notice file /var/log/tor/notices.log
 ## Send every possible message to /var/log/tor/debug.log
 #Log debug file /var/log/tor/debug.log
 ## Use the system log instead of Tor's logfiles
 #Log notice syslog
 ## To send all messages to stderr:
 #Log debug stderr
 ## Uncomment this to start the process in the background... or use
 ## --runasdaemon 1 on the command line. This is ignored on Windows;
 ## see the FAQ entry if you want Tor to run as an NT service.
 #RunAsDaemon 1
 ## The directory for keeping all the keys/etc. By default, we store
 ## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
 #DataDirectory /var/lib/tor
 ## The port on which Tor will listen for local connections from Tor
 ## controller applications, as documented in control-spec.txt.
 #ControlPort 9051
 ## If you enable the controlport, be sure to enable one of these
 ## authentication methods, to prevent attackers from accessing it.
 #HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C
 #CookieAuthentication 1
 ############### This section is just for location-hidden services ###
 ## Once you have configured a hidden service, you can look at the
 ## contents of the file ".../hidden_service/hostname" for the address
 ## to tell people.
 ##
 ## HiddenServicePort x y:z says to redirect requests on port x to the
 ## address y:z.
 HiddenServiceDir /var/lib/tor/HiddenServices/spaccsoj3trhzowrrblzb5m6hgkwu6syghnmhett7gvxbrz5zhsrs4ad/
 HiddenServicePort 80 127.0.0.1:80
 #HiddenServiceDir /var/lib/tor/other_hidden_service/
 #HiddenServicePort 80 127.0.0.1:80
 #HiddenServicePort 22 127.0.0.1:22
 ################ This section is just for relays #####################
 #
 ## See https://www.torproject.org/docs/tor-doc-relay for details.
 ## Required: what port to advertise for incoming Tor connections.
 #ORPort 9001
 ## If you want to listen on a port other than the one advertised in
 ## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as
 ## follows.  You'll need to do ipchains or other port forwarding
 ## yourself to make this work.
 #ORPort 443 NoListen
 #ORPort 127.0.0.1:9090 NoAdvertise
 ## The IP address or full DNS name for incoming connections to your
 ## relay. Leave commented out and Tor will guess.
 #Address noname.example.com
 ## If you have multiple network interfaces, you can specify one for
 ## outgoing traffic to use.
 # OutboundBindAddress 10.0.0.5
 ## A handle for your relay, so people don't have to refer to it by key.
 #Nickname ididnteditheconfig
 ## Define these to limit how much relayed traffic you will allow. Your
 ## own traffic is still unthrottled. Note that RelayBandwidthRate must
 ## be at least 20 KB.
 ## Note that units for these config options are bytes per second, not bits
 ## per second, and that prefixes are binary prefixes, i.e. 2^10, 2^20, etc.
 #RelayBandwidthRate 100 KB  # Throttle traffic to 100KB/s (800Kbps)
 #RelayBandwidthBurst 200 KB # But allow bursts up to 200KB/s (1600Kbps)
 ## Use these to restrict the maximum traffic per day, week, or month.
 ## Note that this threshold applies separately to sent and received bytes,
 ## not to their sum: setting "4 GB" may allow up to 8 GB total before
 ## hibernating.
 ##
 ## Set a maximum of 4 gigabytes each way per period.
 #AccountingMax 4 GB
 ## Each period starts daily at midnight (AccountingMax is per day)
 #AccountingStart day 00:00
 ## Each period starts on the 3rd of the month at 15:00 (AccountingMax
 ## is per month)
 #AccountingStart month 3 15:00
 ## Administrative contact information for this relay or bridge. This line
 ## can be used to contact you if your relay or bridge is misconfigured or
 ## something else goes wrong. Note that we archive and publish all
 ## descriptors containing these lines and that Google indexes them, so
 ## spammers might also collect them. You may want to obscure the fact that
 ## it's an email address and/or generate a new address for this purpose.
 #ContactInfo Random Person <nobody AT example dot com>
 ## You might also include your PGP or GPG fingerprint if you have one:
 #ContactInfo 0xFFFFFFFF Random Person <nobody AT example dot com>
 ## Uncomment this to mirror directory information for others. Please do
 ## if you have enough bandwidth.
 #DirPort 9030 # what port to advertise for directory connections
 ## If you want to listen on a port other than the one advertised in
 ## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as
 ## follows.  below too. You'll need to do ipchains or other port
 ## forwarding yourself to make this work.
 #DirPort 80 NoListen
 #DirPort 127.0.0.1:9091 NoAdvertise
 ## Uncomment to return an arbitrary blob of html on your DirPort. Now you
 ## can explain what Tor is if anybody wonders why your IP address is
 ## contacting them. See contrib/tor-exit-notice.html in Tor's source
 ## distribution for a sample.
 #DirPortFrontPage /etc/tor/tor-exit-notice.html
 ## Uncomment this if you run more than one Tor relay, and add the identity
 ## key fingerprint of each Tor relay you control, even if they're on
 ## different networks. You declare it here so Tor clients can avoid
 ## using more than one of your relays in a single circuit. See
 ## https://www.torproject.org/docs/faq#MultipleRelays
 ## However, you should never include a bridge's fingerprint here, as it would
 ## break its concealability and potentionally reveal its IP/TCP address.
 #MyFamily $keyid,$keyid,...
 ## A comma-separated list of exit policies. They're considered first
 ## to last, and the first match wins. If you want to _replace_
 ## the default exit policy, end this with either a reject *:* or an
 ## accept *:*. Otherwise, you're _augmenting_ (prepending to) the
 ## default exit policy. Leave commented to just use the default, which is
 ## described in the man page or at
 ## https://www.torproject.org/documentation.html
 ##
 ## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses
 ## for issues you might encounter if you use the default exit policy.
 ##
 ## If certain IPs and ports are blocked externally, e.g. by your firewall,
 ## you should update your exit policy to reflect this -- otherwise Tor
 ## users will be told that those destinations are down.
 ##
 ## For security, by default Tor rejects connections to private (local)
 ## networks, including to your public IP address. See the man page entry
 ## for ExitPolicyRejectPrivate if you want to allow "exit enclaving".
 ##
 #ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more
 #ExitPolicy accept *:119 # accept nntp as well as default exit policy
 #ExitPolicy reject *:* # no exits allowed
 ## Bridge relays (or "bridges") are Tor relays that aren't listed in the
 ## main directory. Since there is no complete public list of them, even an
 ## ISP that filters connections to all the known Tor relays probably
 ## won't be able to block all the bridges. Also, websites won't treat you
 ## differently because they won't know you're running Tor. If you can
 ## be a real relay, please do; but if not, be a bridge!
 #BridgeRelay 1
 ## By default, Tor will advertise your bridge to users through various
 ## mechanisms like https://bridges.torproject.org/. If you want to run
 ## a private bridge, for example because you'll give out your bridge
 ## address manually to your friends, uncomment this line:
 #PublishServerDescriptor 0