immich: try add dns to reach pc for ML tasks

.sops.yaml

@@ -7,3 +7,7 @@
     age:
       - age1ua9qahphsqf2x8ew2n4umapp23a66t0eccccc0d5etp82n8tsqgsfc8qjk  # me
       - age1nw388umnlxfj3cg9lqjyltghfx6w709nam8s2x826c3nxla9famq3uya73  # server
+  - path_regex: '(^|[\\/]).*\.sops\.conf$'
+    age:
+      - age1ua9qahphsqf2x8ew2n4umapp23a66t0eccccc0d5etp82n8tsqgsfc8qjk  # me
+      - age1nw388umnlxfj3cg9lqjyltghfx6w709nam8s2x826c3nxla9famq3uya73  # server

hosts/home-morefine/docker/caddy/Caddyfile

@@ -38,7 +38,7 @@ drone.catmedved.com {
 }
 
 # F
-files.catmedved.com {
+filebrowser.catmedved.com {
     reverse_proxy http://filebrowser:80
     tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
 }
@@ -103,6 +103,12 @@ photo.catmedved.com {
     tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
 }
 
+# R
+recepies.catmedved.com {
+    reverse_proxy http://mealie:9000
+    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
+}
+
 # S
 speedtest-minipc.catmedved.com {
     reverse_proxy http://speedtest-tracker:80

hosts/home-morefine/docker/filebrowser/docker-compose.yaml

@@ -7,8 +7,9 @@
     dns:
       - 192.168.1.131 # pi-hole
     volumes:
-      - '/:/srv'
+      - '/home/vk:/srv'
-      - '/srv/rundata/filebrowser/database/filebrowser.db:/database.db'
+      - '/srv/rundata/filebrowser/database/filebrowser.db:/database/database.db'
+      - '/srv/rundata/filebrowser/config:/config'
     #    - '/path/.filebrowser.json:/.filebrowser.json'
     #user: $(id -u vk):$(id -g vk)
     # ports:

hosts/home-morefine/docker/immich/docker-compose.yml

@@ -25,6 +25,7 @@ services:
       - .env
     environment:
       DB_PASSWORD_FILE: /run/secrets/DB_PASSWORD
+      REDIS_HOSTNAME: immich_redis
     ports:
       - '10.8.0.3:2283:2283'
     depends_on:
@@ -33,12 +34,14 @@ services:
     restart: always
     secrets:
       - DB_PASSWORD
-    #healthcheck:
+    healthcheck:
-    #  disable: false
+      disable: false
 
   immich-machine-learning:
     networks:
       - immich_internal
+    dns:
+      - 192.168.1.131 # pi-hole
     container_name: immich_machine_learning
     # For hardware acceleration, add one of -[armnn, cuda, openvino] to the image tag.
     # Example tag: ${IMMICH_VERSION:-release}-cuda
@@ -51,14 +54,14 @@ services:
     env_file:
       - .env
     restart: always
-    #healthcheck:
+    healthcheck:
-    #  disable: false
+      disable: false
 
   redis:
+    container_name: immich_redis
+    image: docker.io/valkey/valkey:9@sha256:546304417feac0874c3dd576e0952c6bb8f06bb4093ea0c9ca303c73cf458f63
     networks:
       - immich_internal
-    container_name: immich_redis
-    image: docker.io/redis:6.2-alpine@sha256:148bb5411c184abd288d9aaed139c98123eeb8824c5d3fce03cf721db58066d8
     healthcheck:
       test: redis-cli ping || exit 1
     restart: always
@@ -70,17 +73,19 @@ services:
       POSTGRES_USER: ${DB_USERNAME}
       POSTGRES_DB: ${DB_DATABASE_NAME}
       POSTGRES_INITDB_ARGS: '--data-checksums'
-    #healthcheck:
+    healthcheck:
-    #  test: [ "CMD-SHELL", "pg_isready -U ${DB_USERNAME} -d ${DB_DATABASE_NAME}" ]
+      test: ["CMD-SHELL", "pg_isready -U ${DB_USERNAME} -d ${DB_DATABASE_NAME} -h 127.0.0.1 || exit 1"]
-    #  interval: 30s
+      interval: 30s
-    #  timeout: 10s
+      timeout: 5s
-    #  retries: 3
+      retries: 5
-    image: ghcr.io/immich-app/postgres:14-vectorchord0.3.0-pgvectors0.2.0
+      start_period: 40s
+    image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357191b76a916ae5eb93464d65c07511da41e3bf7a8416db519b40b1c23
     networks:
       - immich_internal
     restart: always
     secrets:
       - DB_PASSWORD
+    shm_size: 256mb
     volumes:
       # Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file
       - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
@@ -93,4 +98,4 @@ networks:
 
 secrets:
   DB_PASSWORD:
-    file: /run/secrets/immich/DB_PASSWORD
+    file: /run/secrets/immich/DB_PASSWORD

hosts/home-morefine/docker/mealie/.env

@@ -0,0 +1,11 @@
+# apps user
+PUID=995
+PGID=995
+TZ=Europe/Minsk
+BASE_URL=https://recepies.catmedved.com
+ALLOW_SIGNUP=true
+
+SMTP_HOST=smtp.fastmail.com
+SMTP_PORT=587
+SMTP_FROM_NAME=Mealie
+SMTP_AUTH_STRATEGY=TLS

hosts/home-morefine/docker/mealie/docker-compose.yaml

@@ -0,0 +1,43 @@
+services:
+  mealie:
+    image: ghcr.io/mealie-recipes/mealie:v3.10.2
+    container_name: mealie
+    restart: unless-stopped
+    #    ports:
+    #        - "9000:9000"
+    networks:
+      - caddy_internal
+    dns:
+      - 192.168.1.131 # pi-hole
+    deploy:
+      resources:
+        limits:
+          memory: 2000M #
+    volumes:
+      - /srv/rundata/mealie/mealie_data:/app/data/
+    env_file:
+      - .env
+    environment:
+      SMTP_FROM_EMAIL_FILE: /run/secrets/SMTP_FROM_EMAIL
+      SMTP_USER_FILE: /run/secrets/SMTP_USER
+      SMTP_PASSWORD_FILE: /run/secrets/SMTP_PASSWORD
+      OPENAI_API_KEY_FILE: /run/secrets/OPENAI_API_KEY
+    secrets:
+      - SMTP_FROM_EMAIL
+      - SMTP_USER
+      - SMTP_PASSWORD
+      - OPENAI_API_KEY
+
+networks:
+  caddy_internal:
+    external: true
+
+secrets:
+  SMTP_FROM_EMAIL:
+    file: /run/secrets/mealie/SMTP_FROM_EMAIL
+  SMTP_USER:
+    file: /run/secrets/mealie/SMTP_USER
+  SMTP_PASSWORD:
+    file: /run/secrets/mealie/SMTP_PASSWORD
+  OPENAI_API_KEY:
+    file: /run/secrets/mealie/OPENAI_API_KEY

hosts/home-morefine/docker/mealie/secrets.sops.yaml

@@ -0,0 +1,28 @@
+OPENAI_API_KEY: ENC[AES256_GCM,data:je5aR2mmV+e87AcWwpr8AsdaubDSTZWcNmLbWSkKowz6shl6VFBY6F30HDq8ZpVmTZgxFYoXqolzp/NOOdfCpgK4feduMMB5/dV2y66SA7K4nI/iQrFhY9ynDTMCRkIJ+7YPIpH8NX0V5xM72OaB6ax2VYmfQXbBGt74FCqe4bNgy2QOZBhVEMPADi67oGsv0+bfUNtTMepvZqgSZEI5TD9A7gI=,iv:xiAU+uttRIYJ2VbRadRlDFa6Dh84GWmK6YY0N2lz/EU=,tag:us+Gqd8VIYFusIf0RpBJpQ==,type:str]
+SMTP_FROM_EMAIL: ENC[AES256_GCM,data:zAR1DkpDHKGUSbtr2SsdpM3te0g=,iv:8c+Oh041FRq3Pxol2V5y1NswDsaFu3jWra/av2nzcLo=,tag:JMKyrG0Pd/1avZUoz4EC0w==,type:str]
+SMTP_USER: ENC[AES256_GCM,data:Eu54STOpUBEhDsgOYg3HNDpf,iv:vuvqnZ0aZNbRbhaGEV97QmTcKfUGvgjuxU++KvZvtOk=,tag:XJf98vJ7hgRkFT16VhV50Q==,type:str]
+SMTP_PASSWORD: ENC[AES256_GCM,data:ojuqLrn21mGEsBwREJnHcw==,iv:f9hQi6rbLGMvlMF/eUHqnDh9i/vnF9PtWzI61PsuNK8=,tag:lzgJXXpxIY9YkbJLSZLv4w==,type:str]
+sops:
+    age:
+        - recipient: age1ua9qahphsqf2x8ew2n4umapp23a66t0eccccc0d5etp82n8tsqgsfc8qjk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzaWZCK2tCVEo5UnFZMUQy
+            VWRVN3ZaNzlsUGZnVjJ4Q0FoTE00VkFVYkdZClBTajFBYVhJZUlYdEdQRWFTY3Iy
+            Y1B4NmFUYkZJSmN6TzdlV25aMG1kYVEKLS0tIDRVRGJyRVBTYno2dG9nUzdTQTNw
+            bGl1YTE0NHl2dXhIbE1KQlptcWZKTlUKKiIh02s3ADYEf5QOtcVllU1jPga2R359
+            /IkK7PTWtrGh0334ChjPi8vsArDr661eSgMJQBT8cas+Z8LqbDmmJg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1nw388umnlxfj3cg9lqjyltghfx6w709nam8s2x826c3nxla9famq3uya73
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIeFN3T0xzblJ1SXZLaUZl
+            Myt2cFpCdUdZZm13SjFNWlprSVBvaDdOMEVZCkRROHBOalRXMHpxNUh5QWtXK0VR
+            cWV5aldRaWt6Z3JLSjVvWnJTQlZMeFUKLS0tIHh3anRTYitVTGhvR0dXYkp6QWs5
+            eTM3eEhrYkJSc3IxVGJlSzJmOUd6bncK8q0pHj60nXdWdqUV10dv02nkTtGHyLpb
+            WyzjLLLE+fqxZFASi+e5sM7cbCdYf/pronruobSszy1uEVDftIRy5Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-02-13T14:46:23Z"
+    mac: ENC[AES256_GCM,data:a+jLfsDyuB98ORFFOYF8Zn+yo+PmyUvtsBpUrDEs35L2883D+EvD1vwk/FlsGU7IRk5TgTZS921X+hdVTjXPwfjbE1IBnCzaXzgbrfGZXWbhXiDKfh6/yys9xJfJJKEAARNBNVPDv5ilrO7tf/5awmnb72xaWvdViv8pLsXJBZo=,iv:DNEDTBC4xNXADasU7WzQ5Mu9uF0+bofw5uMj07fruV8=,tag:WaAnknCd5pJcO2dzawh18g==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0

hosts/home-morefine/docker/postgres/docker-compose.yml

@@ -0,0 +1,31 @@
+services:
+  postgres:
+    image: postgres:18
+    container_name: postgres
+    restart: unless-stopped
+    environment:
+#      POSTGRES_PASSWORD_FILE: /run/secrets/POSTGRES_PASSWORD
+      POSTGRES_INITDB_ARGS: "--data-checksums --locale=C --encoding=UTF8 --auth-host=scram-sha-256"
+      POSTGRES_HOST_AUTH_METHOD: "scram-sha-256"
+      TZ: Europe/Minsk
+    networks:
+      - postgres
+    ports:
+      - "127.0.0.1:5432:5432"
+    volumes:
+      - /srv/postgres18:/var/lib/postgresql
+#    secrets:
+#      - POSTGRES_PASSWORD
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U postgres"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+
+#secrets:
+#  POSTGRES_PASSWORD:
+#    file: ./POSTGRES_PASSWORD
+
+networks:
+  postgres:
+    name: postgres

hosts/lab-by-02/docker/beszel/docker-compose.yaml

@@ -0,0 +1,25 @@
+services:
+  beszel-agent:
+    image: henrygd/beszel-agent
+    container_name: beszel-agent
+    restart: unless-stopped
+    network_mode: host
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./beszel_agent_data:/var/lib/beszel-agent
+      # monitor other disks / partitions by mounting a folder in /extra-filesystems
+      # - /mnt/disk/.beszel:/extra-filesystems/sda1:ro
+    environment:
+      LISTEN: 45876
+      HUB_URL: https://beszel.catmedved.com
+      KEY_FILE: /run/secrets/AGENT_KEY
+      TOKEN_FILE: /run/secrets/AGENT_TOKEN
+    secrets:
+      - KEY_FILE
+      - TOKEN_FILE
+
+secrets:
+  KEY_FILE:
+    file: /run/secrets/beszel/AGENT_KEY
+  TOKEN_FILE:
+    file: /run/secrets/beszel/AGENT_TOKEN

hosts/lab-by-02/docker/beszel/secrets.sops.yaml

@@ -0,0 +1,26 @@
+AGENT_KEY: ENC[AES256_GCM,data:21+ujbBL/qZU/D7DhykaAgL1tg5puAa3Unh+saeO8sC2ozgAEIhgw/ctd0Bcq86F3yzhMyiP7MEJuVPOzxcODWehFnYpxhzLqqBIBWb/1QY=,iv:GIvs2L/3OuIzyzAIkwasZ+IyIQOmFe6GJeJ68VBH8XM=,tag:CZUrhBbTffPcSt+W0pbOLA==,type:str]
+AGENT_TOKEN: ENC[AES256_GCM,data:K1QCpuyCT29VjdX0iBgLvsxu4jhAScCyNfka4EmYjxC9T2cR,iv:Cmo3rRUN3XNL3bFDuwaGeW0tlBCS61lG5XmCooNFXL0=,tag:k4doY+ymr3NasJg15hvvIg==,type:str]
+sops:
+    age:
+        - recipient: age1ua9qahphsqf2x8ew2n4umapp23a66t0eccccc0d5etp82n8tsqgsfc8qjk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvdEg3MlBQc0orTmFKZmh0
+            OTg4bXpNQzFJWmJwaUNmVk9uNVNobmgwZ0JvCnErN2U0R1dFWmRCRjc2ZGZkTDcr
+            dy9FYUNzTUwyQUpXSm9kclJKYW55QjgKLS0tIEZKQTBCcndIMnVQQXN2ZDFqNWZN
+            Zkc3bm1taDd1b2d1VWcrVmxUTDJFcEUKXpe1NE1zZ+qKyCXDDXgEi6uVZ5WATOnT
+            ZjSP3bzPJBRPqz3zxAcrgwOKLNKJlk6IiCVCTkorzfQMv4iCuUsLQA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1nw388umnlxfj3cg9lqjyltghfx6w709nam8s2x826c3nxla9famq3uya73
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwdnpPa1YrZGNwUk5ReUlH
+            NjFuMk1QV1ZPM0d1TkFmRXFSVGtidEk2SEZRCklTdVhIL1dRRm9mdjg4SGZjenVo
+            dmxYZ2ZEaW1FeDQvNWFSOHJucjNHdmcKLS0tIDhvclZIMDlwajFqbW9DTHUwZHJJ
+            U1cyQzc3TlhybW43cS96QWxzYjlPcUkKB28IAAO5PpUlef8JnD8JvWxvdoToWOgA
+            LV3lhShJr+/CcT9o5Sxt9ijY5FNUDA/H8nVlECgoTfE0B9mmCiXL7g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-02-13T15:18:29Z"
+    mac: ENC[AES256_GCM,data:rYkCfNnsM6AWXnv/8dFGqCWf5wRVM6YS9ZnUjWuzRnlhuHnwMxPFxEoLeo445/dVkflBlnMeVKtkMZlM9byd3aWK4mcIiqxeZ+MTAjMt2jzqqj7Kf/j2BoCAazpJSkqqFCfCpp0IXPtWQPZTEz7Ki4ozZUeHa73+nZoqjNPDSC8=,iv:yn4atWog6/yYw1ZYlTK7eZdyUTv0d1D66B/9/QL0joo=,tag:fe50DGtkRM2HiZno8IIVSg==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0

hosts/lab-by-02/docker/caddy/Caddyfile

@@ -0,0 +1,34 @@
+{
+    email ulakar@fastmail.com
+    admin off
+}
+
+# B
+beszel.catmedved.com {
+    reverse_proxy http://10.8.0.3:8090
+}
+
+# G
+gameyfin.catmedved.com {
+    reverse_proxy http://10.8.0.3:8080
+}
+
+# M
+media.kladovka52.com {
+    reverse_proxy http://10.8.0.4:8096
+}
+
+music.catmedved.com {
+    reverse_proxy http://10.8.0.3:4533
+}
+
+# P
+photo.catmedved.com {
+    reverse_proxy http://10.8.0.3:2283
+}
+
+# V
+vpnwg.ulakar.com {
+    reverse_proxy localhost:51821
+}
+}

hosts/lab-by-02/docker/caddy/docker-compose.yml

@@ -0,0 +1,26 @@
+services:
+  caddy:
+    image: caddy:latest
+    container_name: caddy
+    restart: unless-stopped
+    #    networks:
+    #      - caddy
+    network_mode: "container:wgeasy"
+    #    ports:
+    #      - "80:80"
+    #      - "443:443"
+    volumes:
+      - ./Caddyfile:/etc/caddy/Caddyfile
+      - caddy_data:/data
+      - caddy_config:/config
+    environment:
+      - TZ=Europe/Minsk
+
+#networks:
+#  caddy:
+#    name: caddy
+#    external: false
+
+volumes:
+  caddy_data:
+  caddy_config:

hosts/lab-by-02/docker/wgeasy/docker-compose.yml

@@ -0,0 +1,45 @@
+services:
+  wg-easy:
+    environment:
+      #  Optional:
+      #  - PORT=80
+      #  - HOST="vpnwg.ulakar.com"
+      - INSECURE=false
+
+    image: ghcr.io/wg-easy/wg-easy:15
+    container_name: wgeasy
+    networks:
+      #      caddy:
+      wg:
+        ipv4_address: 10.42.42.42
+        ipv6_address: fdcc:ad94:bacf:61a3::2a
+    volumes:
+      - ./data:/etc/wireguard
+      - /lib/modules:/lib/modules:ro
+    ports:
+      - "51820:51820/udp"
+      - "80:80"
+      - "443:443"
+    #  - "51821:51821/tcp"
+    restart: unless-stopped
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    sysctls:
+      - net.ipv4.ip_forward=1
+      - net.ipv4.conf.all.src_valid_mark=1
+      - net.ipv6.conf.all.disable_ipv6=0
+      - net.ipv6.conf.all.forwarding=1
+      - net.ipv6.conf.default.forwarding=1
+
+networks:
+  #  caddy:
+  #    external: true
+  wg:
+    driver: bridge
+    enable_ipv6: true
+    ipam:
+      driver: default
+      config:
+        - subnet: 10.42.42.0/24
+        - subnet: fdcc:ad94:bacf:61a3::/64

hosts/lab-by-02/docker/wgeasy/readme.md

@@ -0,0 +1,9 @@
+regular config path: `/etc/wireguard/wg0.conf`
+
+wgeasy adds row to match json with wg0 conf:
+
+`# Client: Name (Id)`
+
+Example:
+
+`# Client: Jalezze (4073b49a-ad08-4324-b4d0-bfe04d743fd3)`

hosts/lab-by-02/initial_setup.sh

@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+
+### ==== CONFIG ====
+NEW_USER="vk"
+NEW_USER_SSH_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCrWDR47Kc44jCeM+DK+2J1MZgPm6FlHc7LTkN0loeWea0EMCu3rtzSRV6OUIMsbh6038m77kNmsoP7XjfYOdHLTEdYZ87Y4kd6O0VUSW0ldDCtrmFZBy7rI7YAnAh1Hup0Q4DaimDHx2UWrrXxUxKcuPw2eJtbN7/yhq9nrdTkr1kP213geHIcs91d+g9UrGSU2eMS8wGm67VSEgIQSiOoGiY422JzDR57x3EmH3M4bDw0kQFAwguBM7LtBG0oX/Znd4EjAZNnkqaGGqdaxxld3sqzs8EjXIgkEfvwp7qX9tW5qyyA2j3syg/qj89FaLW/CRmIKqxIZnYaweL4e2MhvHWE8CaMws5N801YuTdyvyQZSUHgNCe5MR9f6FihgPBX9M0qDAHlZ0oUKq6ScIUqz+JpWL/NTcOLYMCnBoL+JDIyzkwBzlJpreq4MmC7bjL6hjw5K0ykA9S8Kk4Cuarfw9OwSk5LiL/bVy2CDBtBBIzFg9Hd0TanSERjRQrhh7s= vk@jalezze'
+HOSTNAME_FQDN="lab-by-02.ulakar.com"
+### ===================================
+
+if [[ "$(id -u)" -ne 0 ]]; then
+  echo "Run this script under root user" >&2
+  exit 1
+fi
+
+echo "== Update System =="
+apt-get update -y
+apt-get upgrade -y
+
+if [[ -n "$HOSTNAME_FQDN" ]]; then
+  echo "== Set hostname: $HOSTNAME_FQDN =="
+  hostnamectl set-hostname "$HOSTNAME_FQDN"
+fi
+
+echo "== Create user $NEW_USER =="
+if id "$NEW_USER" >/dev/null 2>&1; then
+  echo "User $NEW_USER already exists. Skip."
+else
+  adduser --disabled-password --gecos "" "$NEW_USER"
+fi
+
+echo "== Add $NEW_USER into sudo =="
+usermod -aG sudo "$NEW_USER"
+
+# allow sudo commands without password
+echo "$NEW_USER ALL=(ALL) NOPASSWD:ALL" | sudo tee "/etc/sudoers.d/$NEW_USER"
+sudo chmod 440 "/etc/sudoers.d/$NEW_USER"
+
+echo "== Setup SSH-key for $NEW_USER =="
+USER_HOME=$(getent passwd "$NEW_USER" | cut -d: -f6)
+mkdir -p "$USER_HOME/.ssh"
+chmod 700 "$USER_HOME/.ssh"
+
+AUTH_KEYS="$USER_HOME/.ssh/authorized_keys"
+touch "$AUTH_KEYS"
+grep -qxF "$NEW_USER_SSH_KEY" "$AUTH_KEYS" || echo "$NEW_USER_SSH_KEY" >> "$AUTH_KEYS"
+chmod 600 "$AUTH_KEYS"
+chown -R "$NEW_USER:$NEW_USER" "$USER_HOME/.ssh"
+
+echo "== Setup SSH =="
+
+cat >/etc/ssh/sshd_config.d/100-security.conf <<EOF
+PermitRootLogin no
+PasswordAuthentication no
+EOF
+
+echo "== Reload SSH daemon =="
+
+if systemctl reload ssh 2>/dev/null; then
+    echo "SSH reloaded via ssh.service"
+elif systemctl reload sshd 2>/dev/null; then
+    echo "SSH reloaded via sshd.service"
+else
+    echo "Warning: could not reload SSH daemon"
+fi
+
+echo "== Install base utilities =="
+apt-get install -y \
+  net-tools \
+  htop \
+  curl \
+  wget \
+  git \
+  vim \
+  gnupg \
+  ca-certificates \
+  lsb-release
+
+echo "== Finished. Check SSH for $NEW_USER =="

hosts/lab-by-02/install_base_utilities.sh

@@ -0,0 +1,13 @@
+echo "== Install base utilities =="
+apt-get install -y \
+  net-tools \
+  htop \
+  curl \
+  wget \
+  git \
+  vim \
+  gnupg \
+  ca-certificates \
+  lsb-release
+
+echo "== Finished install base utilities =="

hosts/lab-by-02/setup_docker.sh

@@ -0,0 +1,8 @@
+echo "== Docker: install from get.docker.com =="
+curl -fsSL https://get.docker.com | sh
+
+echo "== Docker: add $NEW_USER into docker group =="
+usermod -aG docker "$NEW_USER"
+systemctl enable --now docker
+
+echo "== Finished docker installation =="

hosts/lab-by-02/setup_fail2ban.sh

@@ -0,0 +1,4 @@
+echo "== Fail2ban =="
+apt-get install -y fail2ban
+systemctl enable --now fail2ban
+echo "== Fail2ban enabled =="

hosts/lab-by-02/setup_ufw.sh

@@ -0,0 +1,12 @@
+echo "== UFW =="
+apt-get install -y ufw
+
+ufw default deny incoming
+ufw default allow outgoing
+ufw allow 22/tcp
+ufw allow 80/tcp
+ufw allow 443/tcp
+# enable with interactive = off
+echo "y" | ufw enable
+
+echo "== UFW enabled =="