[orbis] Weekly backup 2026-06-09 — 52 files changed, 2700 insertions(+)

DO Server Backup
2026-06-09 03:53:55 +00:00
parent 5b1f83b1ea
commit 34e2485b9a
52 changed files with 2700 additions and 0 deletions
+48
@@ -0,0 +1,48 @@
# DO Server Infrastructure
DigitalOcean server at 165.22.1.228 (CyberPanel / OpenLiteSpeed).
## Directory Structure
- `cron/` — Root crontab (CyberPanel + JARVIS entries)
- `systemd/` — Custom systemd service units
- `agent/` — JARVIS agent config template
## Deploy workflow
1. Edit code in site repos (myronblair/*)
2. `git push origin main`
3. On server: `cd /home/<site>/public_html && git pull origin main`
## JARVIS agent install
```bash
cp agent/config.json /opt/jarvis-agent/config.json
systemctl enable jarvis-agent
systemctl start jarvis-agent
```
## Cloudflare Rocket Loader — IMPORTANT
JARVIS (and all sites) sit behind Cloudflare with **Rocket Loader enabled**.
Rocket Loader does two things that break JavaScript login forms:
1. Changes `<script>` tag `type` to a fake value, deferring execution.
2. Injects `if (!window.__cfRLUnblockHandlers) return false;` into **every**
`onclick=`, `onkeydown=`, and other inline HTML event attributes,
blocking them until Rocket Loader finishes loading.
### Rules for any page with JavaScript that must run immediately:
- Add `data-cfasync="false"` to ALL `<script>` tags.
- **Never use inline event handler attributes** (`onclick=`, `onkeydown=`, etc.)
on HTML elements — Rocket Loader will block them.
- Attach all event listeners via `addEventListener()` in JavaScript.
- Use `XMLHttpRequest` instead of `fetch()` for auth calls (more compatible).
- Put scripts **after** their target DOM elements (end of body), not in `<head>`,
so the elements exist when the script runs without needing DOMContentLoaded.
### Current login implementation (jarvis repo: public_html/login.html)
Standalone `/login.html` page handles all auth. `index.html` redirects to
`/login.html` if no `jarvis_token` in sessionStorage.
- Script is at end of body, after elements, with `data-cfasync="false"`
- All handlers attached via `addEventListener` — no inline attributes
- Uses XHR (not fetch) to POST to `/api/auth`
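Review bot: In "Current login implementation" the only gate described is `index.html` redirecting to `/login.html` when `jarvis_token` is missing from sessionStorage, which is a client-side check; the README should state that every `/api` endpoint validates the token server-side, or that work needs adding. The origin address 165.22.1.228 is also written next to the statement that all sites sit behind Cloudflare, so either drop the address or note that the origin firewall only accepts Cloudflare ranges. The rule "Use `XMLHttpRequest` instead of `fetch()`" gives "more compatible" as its only reason; name the concrete failure it avoids.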
+8
@@ -0,0 +1,8 @@
{
"server_url": "https://165.22.1.228",
"host_header": "jarvis.orbishosting.com",
"registration_key": "REPLACE_WITH_AGENT_REGISTRATION_KEY",
"agent_type": "linux",
"heartbeat_interval": 10,
"metrics_interval": 30
}
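Review bot: `server_url` is a bare IP while `host_header` carries the real name, so a certificate issued for jarvis.orbishosting.com will normally not match the URL the agent connects to; document how the agent verifies the certificate (check it against the `host_header` name, or pin it) so this template does not end up deployed with verification turned off. The `REPLACE_WITH_AGENT_REGISTRATION_KEY` placeholder is the right call; the deployed copy at /opt/jarvis-agent/config.json should be root-owned with mode 0600 since it holds the key.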
+26
@@ -0,0 +1,26 @@
0 * * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/plogical/findBWUsage.py >/dev/null 2>&1
0 * * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/postfixSenderPolicy/client.py hourlyCleanup >/dev/null 2>&1
0 0 1 * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/postfixSenderPolicy/client.py monthlyCleanup >/dev/null 2>&1
0 2 * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/plogical/upgradeCritical.py >/dev/null 2>&1
0 0 * * 4 /usr/local/CyberCP/bin/python /usr/local/CyberCP/plogical/renew.py >/dev/null 2>&1
7 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
0 0 * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/IncBackups/IncScheduler.py Daily
0 0 * * 0 /usr/local/CyberCP/bin/python /usr/local/CyberCP/IncBackups/IncScheduler.py Weekly
*/30 * * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/IncBackups/IncScheduler.py '30 Minutes'
0 * * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/IncBackups/IncScheduler.py '1 Hour'
0 */6 * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/IncBackups/IncScheduler.py '6 Hours'
0 */12 * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/IncBackups/IncScheduler.py '12 Hours'
0 1 * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/IncBackups/IncScheduler.py '1 Day'
0 0 */3 * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/IncBackups/IncScheduler.py '3 Days'
0 0 * * 0 /usr/local/CyberCP/bin/python /usr/local/CyberCP/IncBackups/IncScheduler.py '1 Week'
*/3 * * * * if ! find /home/*/public_html/ -maxdepth 2 -type f -newer /usr/local/lsws/cgid -name '.htaccess' -exec false {} +; then systemctl restart lsws; fi
09,39 * * * * /usr/local/CyberCP/bin/cleansessions >/dev/null 2>&1
* * * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/manage.py run_scheduled_scans >/usr/local/lscp/logs/scheduled_scans.log 2>&1
*/5 * * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/plogical/pdnsHealthCheck.py >/dev/null 2>&1
*/3 * * * * /usr/local/lsws/lsphp85/bin/lsphp /home/jarvis.orbishosting.com/api/endpoints/facts_collector.php >> /home/jarvis.orbishosting.com/logs/cron.log 2>&1
*/5 * * * * /usr/local/lsws/lsphp85/bin/lsphp /home/jarvis.orbishosting.com/api/endpoints/stats_cache.php >> /home/jarvis.orbishosting.com/logs/cron.log 2>&1
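Review bot: The last two entries run `facts_collector.php` and `stats_cache.php` from /home/jarvis.orbishosting.com/api/endpoints/ in what the README describes as the root crontab, so any account that can write to that site directory gets its code executed as root every 3 to 5 minutes; move them to the site user's crontab, or make the scripts and their parent directories root-owned and not writable by the site user. Separately, the `run_scheduled_scans` line redirects with `>` every minute, so scheduled_scans.log only ever holds the last run; use `>>` with rotation if the history matters.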
+75
@@ -0,0 +1,75 @@
# FusionPBX Custom Configs (134.209.72.226)
## Yealink T48S Provisioning — Critical Fixes
### Problem: BLF buttons never applied from provisioning
Root cause: nginx rewrite for `{mac}.boot` stripped the `file=` param, so FusionPBX
served the full 122KB config as a boot file. Yealink ignores DSS keys in .boot files —
they only apply from .cfg files.
### Fix 1: nginx rewrite (in /etc/nginx/sites-enabled/fusionpbx)
OLD: rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.boot)$" /app/provision/index.php?mac=$1;
NEW: rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.boot)$" /app/provision/index.php?mac=$1&file=%7b%24mac%7d.boot;
### Fix 2: {$mac}.boot template
Created: /var/www/fusionpbx/resources/templates/provision/yealink/t48s/{$mac}.boot
Content: boot file with includes pointing to y000000000065.cfg and {$mac}.cfg
Phone flow: {mac}.boot (164 bytes) → y000000000065.cfg → {mac}.cfg (full config applied)
### Fix 3: y000000000065.cfg template changes
- features.auto_linekeys.enable = 0 (prevents phone overriding BLF keys)
### Fix 4: All y000000000000.boot templates
- overwrite_mode = 1 (forces re-provision on every reboot, default was 0)
### Fix 5: External sofia profile
- manage-presence = passive (not true — BLF SUBSCRIBEs delegate to internal profile)
- Fix: UPDATE v_sip_profile_settings SET value='passive' WHERE profile=external AND name='manage-presence'
- Then delete /var/cache/fusionpbx/FusionPBX.configuration.sofia.conf and reload sofia
## Device Profile "yealink" (UUID 2c68fe07-b29a-4429-a3c2-7ce9010c69ff)
| Key | Type | Value | Label | Notes |
|-----|------|-------|-------|-------|
| 1 | 16 (BLF) | 1000 | Myron 1000 | |
| 2 | 16 (BLF) | 1001 | Tommy 1001 | |
| 3 | 16 (BLF) | 1002 | Myron Vanguard | |
| 4 | 12 | 1003 | PC Slingshot | |
| 5 | 12 | 1004 | Epic Travel | |
| 6 | 12 | 1005 | Toms Java | |
| 7 | 13 (Speed Dial) | *5901 | Park 5901 | Press during call=park, idle=retrieve |
| 8 | 13 (Speed Dial) | *5902 | Park 5902 | |
| 9 | 13 (Speed Dial) | *5903 | Park 5903 | |
| 11 | 16 (BLF) | *724 | Page All | |
Park buttons use Speed Dial (type=13) not BLF — BLF for park requires mod_presence
which is not installed. Speed Dial works: press during call parks it, press idle retrieves.
## BLF Type Reference (Yealink T48S firmware 66.86.x, FusionPBX)
- type=16 = BLF (requires pickup_value field in template)
- type=13 = Speed Dial
- type=12 = (user-defined)
- type=1 = Line
## Provisioning URL
- Server: https://fusion.orbishosting.com/app/provision/
- Auth: provision-master / Joker1974!!! (Digest)
- After factory reset: must re-enter manually via Menu > Settings > Advanced > Auto Provision
- Firmware 66.86.0.15: requires power cycle after "Update Now" to register
## fail2ban Whitelist (/etc/fail2ban/jail.local)
- 107.178.2.130 (office)
- 97.154.109.245 (home WAN)
## Phones
- Ext 1000 (Myron): MAC 805ec0350477, firmware 66.86.0.15, IP 10.48.200.2
- Ext 1001 (Tommy): MAC 805e0c150c4f, firmware 66.86.0.160, IP 10.48.200.43
## IVR Audio
- /var/lib/freeswitch/recordings/134.209.72.226/ivr_menu.wav
- American male voice (Festival TTS), 27s, 8kHz 16-bit mono PCM
## mod_presence
- NOT installed — FreeSWITCH built from source at /usr/src/freeswitch-1.11/
- Basic extension BLF works via manage-presence=true on internal sofia profile
- Park slot BLF would require mod_presence — workaround: Speed Dial buttons
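Review bot: The `Auth:` line under "Provisioning URL" commits the provisioning Digest username and password in clear text; remove it from the file, rotate the credential (it remains in history after this commit), and point to where the secret is stored instead. In Fix 5 the SQL has `profile=external` without quotes, which is parsed as a column reference rather than a string; it should read `profile='external'`.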
+10
@@ -0,0 +1,10 @@
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 107.178.2.130 97.154.109.245
[ssh]
enabled = true
port = 22
protocol = ssh
filter = sshd
logpath = /var/log/auth.log
action = iptables-allports[name=sshd, protocol=all]
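Review bot: `protocol = ssh` in the `[ssh]` jail is not a transport protocol; fail2ban expects tcp, udp, icmp or all there, and it only goes unnoticed because the action overrides it with `protocol=all`. Set `protocol = tcp` and state `maxretry`, `findtime` and `bantime` explicitly rather than relying on defaults. `ignoreip` also exempts the address the README labels "home WAN"; if that address is not static the exemption will eventually apply to someone else, so add a comment with a review date or drop it.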
@@ -0,0 +1,9 @@
# In /etc/nginx/sites-enabled/fusionpbx
# Critical fix: pass file= param so FusionPBX returns a boot file (not full config)
# Phone ignores DSS/BLF keys when received in a .boot file — must come from .cfg
# CORRECT:
rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.boot)$" /app/provision/index.php?mac=$1&file=%7b%24mac%7d.boot;
# WRONG (original — serves full 122KB config as .boot, phone ignores linekeys):
# rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.boot)$" /app/provision/index.php?mac=$1;
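Review bot: The `file=` value `%7b%24mac%7d.boot` is the URL-encoded literal `{$mac}.boot`, a template name and not the captured MAC, and the comment does not say so; add that so nobody later "corrects" it to `$1.boot`. The pattern also begins with `^.*`, which accepts any path prefix before `/provision/`, and the second capture group is unused; anchoring to the prefix the phones actually request and writing `\.boot$` without the group would be tighter.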
@@ -0,0 +1,7 @@
#!version:1.0.0.1
## The header above must appear as-is in the first line
include:config "y000000000065.cfg"
include:config "{$mac}.cfg"
overwrite_mode = 1
@@ -0,0 +1,7 @@
#!version:1.0.0.1
## The header above must appear as-is in the first line
include:config "y000000000065.cfg"
include:config "{$mac}.cfg"
overwrite_mode = 1
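Review bot: This file is line-for-line identical to the previous boot template, so the two will drift the first time one is edited; keep a single source and generate or symlink the other, or add a comment in each naming its counterpart.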
+19
@@ -0,0 +1,19 @@
[Unit]
Description=The DigitalOcean Monitoring Agent
After=network-online.target
Wants=network-online.target
[Service]
User=do-agent
ExecStart=/opt/digitalocean/bin/do-agent --syslog
Restart=always
OOMScoreAdjust=-900
SyslogIdentifier=DigitalOceanAgent
PrivateTmp=yes
ProtectSystem=full
ProtectHome=yes
NoNewPrivileges=yes
[Install]
WantedBy=multi-user.target
+19
@@ -0,0 +1,19 @@
[Unit]
Description=The DigitalOcean Droplet Agent
After=network-online.target
Wants=network-online.target
[Service]
User=root
Environment=TERM=xterm-256color
ExecStart=/opt/digitalocean/bin/droplet-agent
Restart=always
RestartSec=10
TimeoutStopSec=90
KillMode=process
OOMScoreAdjust=-900
SyslogIdentifier=DropletAgent
[Install]
WantedBy=multi-user.target
+14
@@ -0,0 +1,14 @@
[Unit]
Description=FastAPI SSH Web Terminal Server
After=network.target
[Service]
Type=simple
WorkingDirectory=/usr/local/CyberCP
ExecStart=/usr/local/CyberCP/bin/python3 -m uvicorn fastapi_ssh_server:app --host 0.0.0.0 --port 8888 --ssl-keyfile=/usr/local/lscp/conf/key.pem --ssl-certfile=/usr/local/lscp/conf/cert.pem
Restart=on-failure
User=root
Group=root
[Install]
WantedBy=multi-user.target
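Review bot: `ExecStart` binds the SSH web terminal to `--host 0.0.0.0 --port 8888` and the unit runs it as `User=root` with no sandboxing directives, so a root-capable terminal listens on every interface; bind it to 127.0.0.1 behind the panel's reverse proxy or restrict port 8888 at the firewall to known admin addresses, and record which of the two is in place. If this is the stock CyberPanel unit, say so in a comment, since in a backup repo it otherwise reads as a local choice.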
+14
@@ -0,0 +1,14 @@
[Unit]
Description=JARVIS Agent
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
ExecStart=/usr/bin/python3 /usr/local/bin/jarvis-agent.py
Restart=always
RestartSec=30
User=root
[Install]
WantedBy=multi-user.target
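Review bot: `User=root` with no hardening is a lot of privilege for a Python agent that talks to a remote server; the do-agent unit in this same commit shows the pattern to copy (a dedicated `User=`, `NoNewPrivileges=yes`, `ProtectSystem=full`, `ProtectHome=yes`, `PrivateTmp=yes`). If the agent needs root for specific metrics, list them in a comment and grant only those. The README install steps copy `config.json` and enable the service but never install this unit or /usr/local/bin/jarvis-agent.py, so the documented procedure is incomplete for a clean host.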