fixes from live installation

README.md

     sudo cryptsetup --verify-passphrase luksFormat /dev/sdX1 -c aes -s 256 -h sha256
     sudo cryptsetup luksOpen /dev/sdX1 volumes
     sudo mkfs -t ext4 -m 1 -O dir_index,sparse_super /dev/mapper/volumes
-    #mount -t auto /dev/mapper/volumes /media/volumes
+    sudo mkdir -p /media/volumes
+    #sudo mount -t auto /dev/mapper/volumes /media/volumes
 
     sudo dd if=/dev/urandom of=/root/volumes_luks_pwd bs=1024 count=4
     sudo chmod 0400 /root/volumes_luks_pwd

compose_parse.py

+#!/usr/bin/env python
+
+import sys
+import yaml
+
+DOCKER_COMPOSE_TEMPLATE = 'docker-compose.yml.template'
+DOCKER_COMPOSE = 'docker-compose.yml'
+
+def get_compose():
+    with open(DOCKER_COMPOSE_TEMPLATE, 'r') as stream:
+        try:
+            return yaml.load(stream)
+        except yaml.YAMLError as exc:
+            print(exc)
+
+def get_dependencies(stream, submodules):
+    result = submodules
+    for service in stream['services']:
+        if service not in submodules:
+            continue
+        if 'depends_on' in stream['services'][service]:
+            result = result + stream['services'][service]['depends_on']
+    return result
+def process_compose(stream, submodules):
+    result = stream
+    services = {}
+    for service in stream['services']:
+        if service in submodules:
+            services[service] = stream['services'][service]
+
+    result['services'] = services
+
+    return result
+
+def main(args):
+    s = get_compose()
+    computed_submodules = get_dependencies(s, ['haproxy'])
+    r2 = process_compose(s, computed_submodules)
+    print r2
+
+if __name__ == '__main__':
+    main(sys.argv[1:])

dependencies.dot

+digraph containers {
+nextcloud -> db
+nextcloud -> openldap
+nextcloud -> haproxy
+haproxy -> nextcloud
+gogs -> db
+gogs -> openldap
+gogs -> haproxy
+haproxy -> gitea
+mail -> openldap
+sftp
+}

dhs_start_on_boot.sh

+#!/bin/bash
+
+# Create file at /etc/systemd/system/dhs.service:
+# [Unit]
+# Description=Start Docker home server
+
+# [Service]
+# ExecStart=/usr/local/bin/dhs_start_on_boot.sh
+
+# [Install]
+# WantedBy=default.target
+
+DHS_PATH=$HOME/docker_home_server
+cd ${DHS_PATH}
+
+# clean previous containers
+for i in $(docker ps -a | grep Exited | grep dhs | cut -f 1 -d " "); do
+    docker rm $i;
+done;
+
+# start dhs
+docker-compose --compatibility -p dhs up -d
+
+# start kerberos
+#docker start kerberos_vol
+
+# wait (specially for Nextcloud)
+sleep 300
+
+# add DNS to pihole
+${DHS_PATH}/add_dns_entries_noswarm.sh
+# add users
+${DHS_PATH}/add_users_noswarm.sh
+# update Nextcloud apps
+${DHS_PATH}/nextcloud_apps_after_update_noswarm.sh

docker-compose.yml

     environment:
       FTLCONF_dns_listeningMode: 'all'
     ports:
+      #- "2053:53/tcp"
+      #- "2053:53/udp"
       - "53:53/tcp"
       - "53:53/udp"
       # - "67:67/udp" # for DHCP

images/email/Dockerfile

-FROM debian:stretch
+FROM debian:buster
 
 ENV DEBIAN_FRONTEND=noninteractive
 

images/haproxy/Dockerfile

-FROM debian:stretch
+FROM debian:buster
 
 RUN apt-get update && apt-get install -y haproxy cron certbot
 

images/haproxy/haproxy.cfg

 global
     maxconn 4096
+    # https://stackoverflow.com/a/50480260
+    # https://serverfault.com/a/984667
+    hard-stop-after 600s
     #tune.ssl.default-dh-param 2048
 
 defaults
     #acl gitea-acl ssl_fc_sni ${GITEA_URL}
     acl nextcloud-acl ssl_fc_sni_reg ^${NEXTCLOUD_SERVER_NAME}\.
     acl gitea-acl ssl_fc_sni_reg ^${GITEA_SERVER_NAME}\.
-    acl blog1-acl ssl_fc_sni_reg ^${BLOG_1_SERVER_NAME}\.
+    #acl blog1-acl ssl_fc_sni_reg ^${BLOG_1_SERVER_NAME}\.
     acl hauk-acl ssl_fc_sni_reg ^${HAUK_SERVER_NAME}\.
 
     use_backend letsencrypt-backend if letsencrypt-acl
     use_backend nextcloud if nextcloud-acl
     use_backend gitea if gitea-acl
-    use_backend blog1 if blog1-acl
+    #use_backend blog1 if blog1-acl
     use_backend hauk if hauk-acl
 
     default_backend nextcloud
     #redirect http to https
     #redirect scheme https if !{ ssl_fc }
 
+    # https://www.haproxy.com/de/blog/haproxy-and-http-strict-transport-security-hsts-header-in-http-redirects/
+    # https://www.haproxy.com/blog/haproxy-and-http-strict-transport-security-hsts-header-in-http-redirects/
+    http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload;"
+
     server nextcloud nextcloud:443 maxconn 32 check ssl verify none
 
 backend gitea
 
     server gitea gitea:2443 maxconn 32 check ssl verify none
 
-backend blog1
-    # https://forum.ghost.org/t/cant-get-full-site-ssl/12478/6
-    # https://blog.woodenstake.se/starting-a-blog-again/
-    option forwardfor
-    http-request set-header X-Forwarded-Port %[dst_port]
-    http-request add-header X-Forwarded-Proto https if { ssl_fc }
-    server blog1 blog1:2368 maxconn 32
+#backend blog1
+#    # https://forum.ghost.org/t/cant-get-full-site-ssl/12478/6
+#    # https://blog.woodenstake.se/starting-a-blog-again/
+#    option forwardfor
+#    http-request set-header X-Forwarded-Port %[dst_port]
+#    http-request add-header X-Forwarded-Proto https if { ssl_fc }
+#    server blog1 blog1:2368 maxconn 32
 
 backend hauk
     server hauk hauk:80 maxconn 32
     use_backend nextcloud-insecure if is_nextcloud
     use_backend gitea-insecure if is_gitea
     use_backend hauk-insecure if is_hauk
-    default_backend pihole-insecure
+    #default_backend pihole-insecure
 
 backend nextcloud-insecure
+    http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload;"
     server nextcloud nextcloud:80 maxconn 32
 
 backend gitea-insecure
 backend hauk-insecure
     server hauk hauk:80 maxconn 32
 
-backend pihole-insecure
-    server pihole pihole:80 maxconn 32
+#backend pihole-insecure
+#    server pihole pihole:80 maxconn 32
 
 # LE Backend
 backend letsencrypt-backend

images/mariadb/Dockerfile

 # MariaDB Dockerfile
 
 # Pull base image.
-FROM debian:stretch
+FROM debian:buster
 
 ENV DEBIAN_FRONTEND=noninteractive
 

images/nextcloud/Dockerfile

 RUN \
     wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg && \
     apt-get update && \
-    apt-get install -y wget bzip2 vim rsync mariadb-client cron sudo php-imagick php7.4-gmp php7.4-intl && \
+    apt-get install -y wget bzip2 vim rsync mariadb-client cron sudo php7.4-imagick php7.4-gmp php7.4-intl && \
     apt-get clean
 
 # Change upload-limits and -sizes

images/nextcloud/Dockerfile.template

 RUN \
     wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg && \
     apt-get update && \
-    apt-get install -y wget bzip2 vim rsync mariadb-client cron sudo php-imagick php7.4-gmp php7.4-intl && \
+    apt-get install -y wget bzip2 vim rsync mariadb-client cron sudo php7.4-imagick php7.4-gmp php7.4-intl && \
     apt-get clean
 
 # Change upload-limits and -sizes

images/nextcloud/default

         fastcgi_param PATH_INFO $2;
         fastcgi_param HTTPS on;
         fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
+        fastcgi_param PHP_VALUE "memory_limit = 512M";
     }
 
     location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
         fastcgi_split_path_info ^(.+\.php)(/.+)$;
         fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
         fastcgi_index index.php;
+        fastcgi_param PHP_VALUE "memory_limit = 512M";
         include fastcgi_params;
     }
 

images/nextcloud/docker-entrypoint.sh

 cd /var/www/nextcloud
 # https://github.com/nextcloud/server/pull/18130#issuecomment-604518403
 sudo -u www-data rm -Rf /srv/nextcloud/data/admin
-sudo -u www-data php occ maintenance:install --database "mysql" --database-host ${DB_HOST} --database-name ${NEXTCLOUD_DB_NAME}  --database-user ${NEXTCLOUD_DB_USER} --database-pass ${NEXTCLOUD_DB_PWD} --admin-user "admin" --admin-pass ${NEXTCLOUD_ADMIN_PWD} --data-dir ${NEXTCLOUD_DATA_PATH}
+sudo -u www-data php occ maintenance:install --database "mysql" --database-host ${DB_HOST} --database-name ${NEXTCLOUD_DB_NAME}  --database-user ${NEXTCLOUD_DB_USER} --database-pass ${NEXTCLOUD_DB_PWD} --admin-user "admin" --admin-pass ${NEXTCLOUD_ADMIN_PWD} --data-dir ${NEXTCLOUD_DATA_PATH} | echo "maintenance:install gone!"
 check_result $? "Initializing Config"
 # Password salt and secret are used by Passman and must remain the same after
 # restarting of the instance, otherwise vaults would become inaccessible

images/nginx-php/Dockerfile

     sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'
 # update and install php
 RUN apt-get update && \
-    apt-get install -y php7.4 php7.4-fpm php-pear php7.4-common \
-    php7.4-mysql php7.4-cli php7.4-gd php7.4-curl php-apcu php7.4-opcache \
-    php7.4-mbstring php7.4-ldap php7.4-zip php7.4-intl && \
+    apt-get install -y --allow-unauthenticated \
+    php7.4 php7.4-fpm php-pear php7.4-common \
+    php7.4-mysql php7.4-cli php7.4-gd php7.4-curl php7.4-apcu php7.4-opcache \
+    php7.4-mbstring php7.4-ldap php7.4-zip php7.4-intl php7.4-imagick \
+    php7.4-bcmath php7.4-xml && \
     apt-get clean
 
 # overwrite the default-configuration with our own settings - enabling PHP

images/nginx-php/Dockerfile.template

     sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'
 # update and install php
 RUN apt-get update && \
-    apt-get install -y php7.4 php7.4-fpm php-pear php7.4-common \
-    php7.4-mysql php7.4-cli php7.4-gd php7.4-curl php-apcu php7.4-opcache \
-    php7.4-mbstring php7.4-ldap php7.4-zip php7.4-intl && \
+    apt-get install -y --allow-unauthenticated \
+    php7.4 php7.4-fpm php-pear php7.4-common \
+    php7.4-mysql php7.4-cli php7.4-gd php7.4-curl php7.4-apcu php7.4-opcache \
+    php7.4-mbstring php7.4-ldap php7.4-zip php7.4-intl php7.4-imagick \
+    php7.4-bcmath php7.4-xml && \
     apt-get clean
 
 # overwrite the default-configuration with our own settings - enabling PHP

images/nginx-php/default

 
 	# Only for nginx-naxsi used with nginx-naxsi-ui : process denied requests
 	#location /RequestDenied {
-	#	proxy_pass http://127.0.0.1:8080;    
+	#	proxy_pass http://127.0.0.1:8080;
 	#}
 
 	#error_page 404 /404.html;
 	#	fastcgi_split_path_info ^(.+\.php)(/.+)$;
 	#	# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
 	#
-	#	# With php7.0-cgi alone:
+	#	# With php7.4-cgi alone:
 	#	fastcgi_pass 127.0.0.1:9000;
-	#	# With php7.0-fpm:
-	#	fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
+	#	# With php7.4-fpm:
+	#	fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
 	#	fastcgi_index index.php;
 	#	include fastcgi_params;
 	#}
     location ~ \.php$ {
         try_files $uri =404;
         fastcgi_split_path_info ^(.+\.php)(/.+)$;
-        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
+        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
         fastcgi_index index.php;
+        fastcgi_param PHP_VALUE "memory_limit = 512M";
         include fastcgi_params;
     }
-                    
+
     # deny access to .htaccess files
     location ~ /\.ht {
         deny all;

images/openldap/Dockerfile

-FROM debian:stretch
+FROM debian:buster
 
 # Add openldap user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added
 RUN groupadd -r openldap && useradd -r -g openldap -u 999 openldap

images/sftp/Dockerfile

-FROM debian:stretch
+FROM debian:buster
 
 # Install dependencies
 RUN apt-get update \

set_arch.sh

 case ${ARCH} in
     #'rpi') IMAGE='resin/raspberrypi3-debian:latest' ;;
     'rpi')
-        IMAGE='arm32v7/debian:stretch'
+        IMAGE='arm32v7/debian:buster'
         ARCH_PREFIX='rpi'
         GO_ARCH='armv6l'
         ;;
     'arm64')
-        IMAGE='arm64v7/debian:stretch'
+        IMAGE='arm64v7/debian:buster'
         ARCH_PREFIX='arm64'
         GO_ARCH='arm64'
         ;;
     'amd64')
-        IMAGE='debian:stretch'
+        IMAGE='debian:buster'
         ARCH_PREFIX='amd64'
         GO_ARCH='amd64'
         ;;