[orbis] Weekly backup 2026-06-09 — 52 files changed, 2700 insertions(+)
@@ -0,0 +1,48 @@
|
||||
# DO Server Infrastructure
|
||||
|
||||
DigitalOcean server at 165.22.1.228 (CyberPanel / OpenLiteSpeed).
|
||||
|
||||
## Directory Structure
|
||||
- `cron/` — Root crontab (CyberPanel + JARVIS entries)
|
||||
- `systemd/` — Custom systemd service units
|
||||
- `agent/` — JARVIS agent config template
|
||||
|
||||
## Deploy workflow
|
||||
1. Edit code in site repos (myronblair/*)
|
||||
2. `git push origin main`
|
||||
3. On server: `cd /home/<site>/public_html && git pull origin main`
|
||||
|
||||
## JARVIS agent install
|
||||
```bash
|
||||
cp agent/config.json /opt/jarvis-agent/config.json
|
||||
systemctl enable jarvis-agent
|
||||
systemctl start jarvis-agent
|
||||
```
|
||||
|
||||
## Cloudflare Rocket Loader — IMPORTANT
|
||||
|
||||
JARVIS (and all sites) sit behind Cloudflare with **Rocket Loader enabled**.
|
||||
Rocket Loader does two things that break JavaScript login forms:
|
||||
|
||||
1. Changes `<script>` tag `type` to a fake value, deferring execution.
|
||||
2. Injects `if (!window.__cfRLUnblockHandlers) return false;` into **every**
|
||||
`onclick=`, `onkeydown=`, and other inline HTML event attributes,
|
||||
blocking them until Rocket Loader finishes loading.
|
||||
|
||||
### Rules for any page with JavaScript that must run immediately:
|
||||
|
||||
- Add `data-cfasync="false"` to ALL `<script>` tags.
|
||||
- **Never use inline event handler attributes** (`onclick=`, `onkeydown=`, etc.)
|
||||
on HTML elements — Rocket Loader will block them.
|
||||
- Attach all event listeners via `addEventListener()` in JavaScript.
|
||||
- Use `XMLHttpRequest` instead of `fetch()` for auth calls (more compatible).
|
||||
- Put scripts **after** their target DOM elements (end of body), not in `<head>`,
|
||||
so the elements exist when the script runs without needing DOMContentLoaded.
|
||||
|
||||
### Current login implementation (jarvis repo: public_html/login.html)
|
||||
|
||||
Standalone `/login.html` page handles all auth. `index.html` redirects to
|
||||
`/login.html` if no `jarvis_token` in sessionStorage.
|
||||
- Script is at end of body, after elements, with `data-cfasync="false"`
|
||||
- All handlers attached via `addEventListener` — no inline attributes
|
||||
- Uses XHR (not fetch) to POST to `/api/auth`
|
||||
@@ -0,0 +1,8 @@
|
||||
{
|
||||
"server_url": "https://165.22.1.228",
|
||||
"host_header": "jarvis.orbishosting.com",
|
||||
"registration_key": "REPLACE_WITH_AGENT_REGISTRATION_KEY",
|
||||
"agent_type": "linux",
|
||||
"heartbeat_interval": 10,
|
||||
"metrics_interval": 30
|
||||
}
|
||||
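Review bot: `server_url` is the bare address `https://165.22.1.228` while `host_header` carries the real name, so certificate verification can only succeed if the agent validates the certificate against `jarvis.orbishosting.com` rather than the IP. The agent code is not part of this section, so confirm it does not turn verification off to make this pair work; otherwise the `registration_key` travels over a channel whose peer is not authenticated. Keeping `REPLACE_WITH_AGENT_REGISTRATION_KEY` as a placeholder in the template is right. The filled-in copy at `/opt/jarvis-agent/config.json` should be readable only by the account the agent runs as.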
@@ -0,0 +1,26 @@
|
||||
|
||||
0 * * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/plogical/findBWUsage.py >/dev/null 2>&1
|
||||
0 * * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/postfixSenderPolicy/client.py hourlyCleanup >/dev/null 2>&1
|
||||
0 0 1 * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/postfixSenderPolicy/client.py monthlyCleanup >/dev/null 2>&1
|
||||
0 2 * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/plogical/upgradeCritical.py >/dev/null 2>&1
|
||||
0 0 * * 4 /usr/local/CyberCP/bin/python /usr/local/CyberCP/plogical/renew.py >/dev/null 2>&1
|
||||
7 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
|
||||
0 0 * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/IncBackups/IncScheduler.py Daily
|
||||
0 0 * * 0 /usr/local/CyberCP/bin/python /usr/local/CyberCP/IncBackups/IncScheduler.py Weekly
|
||||
|
||||
*/30 * * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/IncBackups/IncScheduler.py '30 Minutes'
|
||||
0 * * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/IncBackups/IncScheduler.py '1 Hour'
|
||||
0 */6 * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/IncBackups/IncScheduler.py '6 Hours'
|
||||
0 */12 * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/IncBackups/IncScheduler.py '12 Hours'
|
||||
0 1 * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/IncBackups/IncScheduler.py '1 Day'
|
||||
0 0 */3 * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/IncBackups/IncScheduler.py '3 Days'
|
||||
0 0 * * 0 /usr/local/CyberCP/bin/python /usr/local/CyberCP/IncBackups/IncScheduler.py '1 Week'
|
||||
|
||||
*/3 * * * * if ! find /home/*/public_html/ -maxdepth 2 -type f -newer /usr/local/lsws/cgid -name '.htaccess' -exec false {} +; then systemctl restart lsws; fi
|
||||
09,39 * * * * /usr/local/CyberCP/bin/cleansessions >/dev/null 2>&1
|
||||
|
||||
* * * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/manage.py run_scheduled_scans >/usr/local/lscp/logs/scheduled_scans.log 2>&1
|
||||
|
||||
*/5 * * * * /usr/local/CyberCP/bin/python /usr/local/CyberCP/plogical/pdnsHealthCheck.py >/dev/null 2>&1
|
||||
*/3 * * * * /usr/local/lsws/lsphp85/bin/lsphp /home/jarvis.orbishosting.com/api/endpoints/facts_collector.php >> /home/jarvis.orbishosting.com/logs/cron.log 2>&1
|
||||
*/5 * * * * /usr/local/lsws/lsphp85/bin/lsphp /home/jarvis.orbishosting.com/api/endpoints/stats_cache.php >> /home/jarvis.orbishosting.com/logs/cron.log 2>&1
|
||||
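Review bot: The last two entries run `lsphp` against scripts under `/home/jarvis.orbishosting.com/api/endpoints/` from what the README calls the root crontab. If that tree is writable by the site account (ownership is not visible here), anyone who can modify those files gets code executed as root every few minutes; moving the two lines into the site user's own crontab removes that path. Separately, the `run_scheduled_scans` entry redirects with `>` once a minute, which truncates `scheduled_scans.log` on every run and keeps at most one minute of history; `>>` with log rotation would preserve it.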
@@ -0,0 +1,75 @@
|
||||
# FusionPBX Custom Configs (134.209.72.226)
|
||||
|
||||
## Yealink T48S Provisioning — Critical Fixes
|
||||
|
||||
### Problem: BLF buttons never applied from provisioning
|
||||
Root cause: nginx rewrite for `{mac}.boot` stripped the `file=` param, so FusionPBX
|
||||
served the full 122KB config as a boot file. Yealink ignores DSS keys in .boot files —
|
||||
they only apply from .cfg files.
|
||||
|
||||
### Fix 1: nginx rewrite (in /etc/nginx/sites-enabled/fusionpbx)
|
||||
OLD: rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.boot)$" /app/provision/index.php?mac=$1;
|
||||
NEW: rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.boot)$" /app/provision/index.php?mac=$1&file=%7b%24mac%7d.boot;
|
||||
|
||||
### Fix 2: {$mac}.boot template
|
||||
Created: /var/www/fusionpbx/resources/templates/provision/yealink/t48s/{$mac}.boot
|
||||
Content: boot file with includes pointing to y000000000065.cfg and {$mac}.cfg
|
||||
Phone flow: {mac}.boot (164 bytes) → y000000000065.cfg → {mac}.cfg (full config applied)
|
||||
|
||||
### Fix 3: y000000000065.cfg template changes
|
||||
- features.auto_linekeys.enable = 0 (prevents phone overriding BLF keys)
|
||||
|
||||
### Fix 4: All y000000000000.boot templates
|
||||
- overwrite_mode = 1 (forces re-provision on every reboot, default was 0)
|
||||
|
||||
### Fix 5: External sofia profile
|
||||
- manage-presence = passive (not true — BLF SUBSCRIBEs delegate to internal profile)
|
||||
- Fix: UPDATE v_sip_profile_settings SET value='passive' WHERE profile=external AND name='manage-presence'
|
||||
- Then delete /var/cache/fusionpbx/FusionPBX.configuration.sofia.conf and reload sofia
|
||||
|
||||
## Device Profile "yealink" (UUID 2c68fe07-b29a-4429-a3c2-7ce9010c69ff)
|
||||
|
||||
| Key | Type | Value | Label | Notes |
|
||||
|-----|------|-------|-------|-------|
|
||||
| 1 | 16 (BLF) | 1000 | Myron 1000 | |
|
||||
| 2 | 16 (BLF) | 1001 | Tommy 1001 | |
|
||||
| 3 | 16 (BLF) | 1002 | Myron Vanguard | |
|
||||
| 4 | 12 | 1003 | PC Slingshot | |
|
||||
| 5 | 12 | 1004 | Epic Travel | |
|
||||
| 6 | 12 | 1005 | Toms Java | |
|
||||
| 7 | 13 (Speed Dial) | *5901 | Park 5901 | Press during call=park, idle=retrieve |
|
||||
| 8 | 13 (Speed Dial) | *5902 | Park 5902 | |
|
||||
| 9 | 13 (Speed Dial) | *5903 | Park 5903 | |
|
||||
| 11 | 16 (BLF) | *724 | Page All | |
|
||||
|
||||
Park buttons use Speed Dial (type=13) not BLF — BLF for park requires mod_presence
|
||||
which is not installed. Speed Dial works: press during call parks it, press idle retrieves.
|
||||
|
||||
## BLF Type Reference (Yealink T48S firmware 66.86.x, FusionPBX)
|
||||
- type=16 = BLF (requires pickup_value field in template)
|
||||
- type=13 = Speed Dial
|
||||
- type=12 = (user-defined)
|
||||
- type=1 = Line
|
||||
|
||||
## Provisioning URL
|
||||
- Server: https://fusion.orbishosting.com/app/provision/
|
||||
- Auth: provision-master / Joker1974!!! (Digest)
|
||||
- After factory reset: must re-enter manually via Menu > Settings > Advanced > Auto Provision
|
||||
- Firmware 66.86.0.15: requires power cycle after "Update Now" to register
|
||||
|
||||
## fail2ban Whitelist (/etc/fail2ban/jail.local)
|
||||
- 107.178.2.130 (office)
|
||||
- 97.154.109.245 (home WAN)
|
||||
|
||||
## Phones
|
||||
- Ext 1000 (Myron): MAC 805ec0350477, firmware 66.86.0.15, IP 10.48.200.2
|
||||
- Ext 1001 (Tommy): MAC 805e0c150c4f, firmware 66.86.0.160, IP 10.48.200.43
|
||||
|
||||
## IVR Audio
|
||||
- /var/lib/freeswitch/recordings/134.209.72.226/ivr_menu.wav
|
||||
- American male voice (Festival TTS), 27s, 8kHz 16-bit mono PCM
|
||||
|
||||
## mod_presence
|
||||
- NOT installed — FreeSWITCH built from source at /usr/src/freeswitch-1.11/
|
||||
- Basic extension BLF works via manage-presence=true on internal sofia profile
|
||||
- Park slot BLF would require mod_presence — workaround: Speed Dial buttons
|
||||
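Review bot: The `Auth:` line under "Provisioning URL" commits the Digest username and password for the provisioning endpoint in clear text, and this repository is mirrored. Provisioning files typically carry SIP account credentials, so the password should be rotated and the line reduced to a pointer such as `- Auth: Digest, credentials kept in the password manager`. Deleting the line in a later commit does not remove it from history, so rotation is the step that matters. The phone MAC addresses under "Phones" identify the per-device config files and are better kept out of the same document.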
@@ -0,0 +1,10 @@
|
||||
[DEFAULT]
|
||||
ignoreip = 127.0.0.1/8 ::1 107.178.2.130 97.154.109.245
|
||||
|
||||
[ssh]
|
||||
enabled = true
|
||||
port = 22
|
||||
protocol = ssh
|
||||
filter = sshd
|
||||
logpath = /var/log/auth.log
|
||||
action = iptables-allports[name=sshd, protocol=all]
|
||||
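Review bot: `ignoreip` sits in `[DEFAULT]`, so the two whitelisted addresses are exempt from every jail, not only `[ssh]`. The README labels `97.154.109.245` as a home WAN address; if that is a dynamic allocation, the exemption passes to whoever holds the address next, so it is worth scoping the exemption to the jail that needs it and reviewing it when the address changes. `protocol = ssh` is not a protocol name iptables accepts, and it has no effect here only because the action line overrides it with `protocol=all`; `protocol = tcp` would be less surprising.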
@@ -0,0 +1,9 @@
|
||||
# In /etc/nginx/sites-enabled/fusionpbx
|
||||
# Critical fix: pass file= param so FusionPBX returns a boot file (not full config)
|
||||
# Phone ignores DSS/BLF keys when received in a .boot file — must come from .cfg
|
||||
|
||||
# CORRECT:
|
||||
rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.boot)$" /app/provision/index.php?mac=$1&file=%7b%24mac%7d.boot;
|
||||
|
||||
# WRONG (original — serves full 122KB config as .boot, phone ignores linekeys):
|
||||
# rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.boot)$" /app/provision/index.php?mac=$1;
|
||||
@@ -0,0 +1,7 @@
|
||||
#!version:1.0.0.1
|
||||
## The header above must appear as-is in the first line
|
||||
|
||||
include:config "y000000000065.cfg"
|
||||
include:config "{$mac}.cfg"
|
||||
|
||||
overwrite_mode = 1
|
||||
@@ -0,0 +1,7 @@
|
||||
#!version:1.0.0.1
|
||||
## The header above must appear as-is in the first line
|
||||
|
||||
include:config "y000000000065.cfg"
|
||||
include:config "{$mac}.cfg"
|
||||
|
||||
overwrite_mode = 1
|
||||
@@ -0,0 +1,19 @@
|
||||
[Unit]
|
||||
Description=The DigitalOcean Monitoring Agent
|
||||
After=network-online.target
|
||||
Wants=network-online.target
|
||||
|
||||
[Service]
|
||||
User=do-agent
|
||||
ExecStart=/opt/digitalocean/bin/do-agent --syslog
|
||||
Restart=always
|
||||
|
||||
OOMScoreAdjust=-900
|
||||
SyslogIdentifier=DigitalOceanAgent
|
||||
PrivateTmp=yes
|
||||
ProtectSystem=full
|
||||
ProtectHome=yes
|
||||
NoNewPrivileges=yes
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@@ -0,0 +1,19 @@
|
||||
[Unit]
|
||||
Description=The DigitalOcean Droplet Agent
|
||||
After=network-online.target
|
||||
Wants=network-online.target
|
||||
|
||||
[Service]
|
||||
User=root
|
||||
Environment=TERM=xterm-256color
|
||||
ExecStart=/opt/digitalocean/bin/droplet-agent
|
||||
Restart=always
|
||||
RestartSec=10
|
||||
TimeoutStopSec=90
|
||||
KillMode=process
|
||||
|
||||
OOMScoreAdjust=-900
|
||||
SyslogIdentifier=DropletAgent
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@@ -0,0 +1,14 @@
|
||||
[Unit]
|
||||
Description=FastAPI SSH Web Terminal Server
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
WorkingDirectory=/usr/local/CyberCP
|
||||
ExecStart=/usr/local/CyberCP/bin/python3 -m uvicorn fastapi_ssh_server:app --host 0.0.0.0 --port 8888 --ssl-keyfile=/usr/local/lscp/conf/key.pem --ssl-certfile=/usr/local/lscp/conf/cert.pem
|
||||
Restart=on-failure
|
||||
User=root
|
||||
Group=root
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
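Review bot: This unit starts a web SSH terminal as `User=root` listening on `--host 0.0.0.0 --port 8888`, with none of the sandboxing directives the do-agent unit in this commit uses. Nothing in the commit shows a firewall rule limiting port 8888, so confirm it is reachable only from the administrative addresses, or bind to `127.0.0.1` if a reverse proxy fronts it. If the file is shipped by CyberPanel and only backed up here, a top comment such as `# vendor unit from CyberPanel; harden via a drop-in override` would tell the next reader where changes belong.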
@@ -0,0 +1,14 @@
|
||||
[Unit]
|
||||
Description=JARVIS Agent
|
||||
After=network-online.target
|
||||
Wants=network-online.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
ExecStart=/usr/bin/python3 /usr/local/bin/jarvis-agent.py
|
||||
Restart=always
|
||||
RestartSec=30
|
||||
User=root
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
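Review bot: `User=root` with no sandboxing gives the JARVIS agent full control of the host, although the config template in this commit only suggests heartbeat and metrics reporting to a remote server. If the agent does not need root (the script itself is not shown), run it under a dedicated account and add the restrictions the do-agent unit in this commit already uses. `ProtectHome=yes` hides `/home`, so leave that line out if the agent reads site directories. The account name below is a placeholder, and that account must be able to read `/opt/jarvis-agent/config.json`.

```ini
[Service]
# … unchanged: Type, ExecStart, Restart, RestartSec …
# placeholder account name; create a dedicated unprivileged user
User=<jarvis-agent-user>
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=full
ProtectHome=yes
```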