From 2d14cb4e141b4797b06159d7088ed3b1b3d6e314 Mon Sep 17 00:00:00 2001 From: MaddoScientisto Date: Sat, 18 Apr 2026 10:57:58 +0200 Subject: [PATCH] docks and stacks --- ...lamiunsorriso-83-149-164-4.instructions.md | 40 ++++++++ stacks/faceai.yml | 58 ++++++++++++ stacks/forgejo-runner.yml | 27 ++++++ stacks/forgejo.yml | 20 ++++ stacks/php-nginx.yml | 35 +++++++ stacks/web-blazor.yml | 13 +++ sync/www-deploy-manifest.md | 91 +++++++++++++++++-- 7 files changed, 275 insertions(+), 9 deletions(-) create mode 100644 stacks/faceai.yml create mode 100644 stacks/forgejo-runner.yml create mode 100644 stacks/forgejo.yml create mode 100644 stacks/php-nginx.yml create mode 100644 stacks/web-blazor.yml diff --git a/.github/instructions/regalamiunsorriso-83-149-164-4.instructions.md b/.github/instructions/regalamiunsorriso-83-149-164-4.instructions.md index 0d5a6c5f..73899d1f 100644 --- a/.github/instructions/regalamiunsorriso-83-149-164-4.instructions.md +++ b/.github/instructions/regalamiunsorriso-83-149-164-4.instructions.md 
@@ -40,7 +40,39 @@ ssh -tt -i C:\Users\Maddo\.ssh\id_rsa -p 410 marco@83.149.164.4 "sudo tcsh -c 'c - The remote login shell behaves as `tcsh`. - POSIX shell constructs like `for ...; do ...; done` fail unless you explicitly run them through `sh -c`. - The server `sh` does not support `-l`, so use `sh -c`, not `sh -lc`. +- `tcsh` treats redirection and pipelines differently from POSIX shells; commands like `find ... 2>/dev/null | head` can fail with `Ambiguous output redirect` unless the whole payload runs under `sh -c`. +- Prefer one remote command per SSH invocation when doing reconnaissance. Complex commands with pipes, grouped expressions, or escaped parentheses are much more likely to break under PowerShell-to-SSH-to-`tcsh` quoting. +- If PowerShell shows the continuation prompt `? >`, the command was malformed locally before SSH executed it. Cancel it and rerun a simpler command instead of trying to answer the prompt. - If `sudo` reports that a terminal is required, reconnect with `-tt`. +- When running remote commands from PowerShell, quoting can break if the command contains both nested quotes and file paths with spaces. +- For read-only verification commands from PowerShell, prefer `ssh ... --% ` so the remote command is passed verbatim. +- For `promote-file.sh` calls that target paths with spaces, prefer a local PowerShell loop that passes the full remote command as a single SSH argument instead of building one long nested quoted command. +- If repeated SSH commands start cancelling or interleaving poorly in the same terminal, rerun them sequentially instead of in parallel. 
+ +## Mail Template Runtime Notes + +- The server contains multiple `mailMessage` trees: + - Live web root: `/home/sites/regalamiunsorriso/www/mailMessage` + - Staging copy: `/home/marco/regalamiunsorriso/incoming/www/mailMessage` + - Older duplicate trees: `/home/sites/regalamiunsorriso/wwwLang/mailMessage` and `/home/sites/regalamiunsorriso/wwwOld/www/mailMessage` +- During the 2026-04-16 reconnaissance, representative checksums differed between `www/mailMessage` and `wwwLang/mailMessage`, so they are not interchangeable copies. +- The Java application configuration lives under `/home/sites/regalamiunsorriso/rus/WEB-INF`. +- `web.xml` defines the main application DB connection as `dbDriver=3`, `database=//localhost/pg`, `user=root`, `password=root`. +- `truckservice.properties` defines a second DB connection as `dbDriver=3`, `dbName=//localhost/truckservice`, `user=root`, `password=root`. +- In this codebase, `dbDriver=3` maps to MySQL Connector/J, not to a legacy non-MySQL driver. +- `dbcomuni.properties`, `rus.properties`, and `truckservice.properties` all set `USE_PARM_HT=true`, which means runtime values are expected to come from the application `Parm` store. +- In code, `DBAdapter.getDocBase()` resolves to `getParm("DOCBASE").getTesto()`, and mail-template lookups use `Parm` values such as `MAIL_REG`, `MAIL_NO_MORE`, `MAIL_NO_MORE_SCAD`, and `MAIL_MSG_PATH_MAILER`. +- In code, `Parm.findByCodice()` reads from `PARM` with `select A.* from PARM AS A where A.codice='...'`, so the live `PARM` table is the authoritative lookup point for these values. +- `pg_src/com/ablia/pg/Users.java` seeds defaults for `MAIL_MSG_RINNOVO` as `mailMessage/rinnovoMsg.html` and `MAIL_MSG_COUPON_OMAGGIO` as `mailMessage/couponOmaggioMsg.html` when the parameters are missing. +- Because of that indirection, changing files under a `mailMessage` directory is not sufficient proof that outbound mail content will change. 
The effective `DOCBASE` and mail-template parameter values must also be checked in the live `Parm` data. +- For mail-template reconnaissance, avoid recursing into `/mnt/da1/foto` via the `RUS` symlink unless the task explicitly concerns photo storage. It adds permission noise and did not help identify the email-template source. +- Read-only DB access notes from 2026-04-16: + - The host has PHP CLI at `/usr/local/bin/php` with both `mysqli` and `pdo_mysql` enabled. + - A piped PHP script over SSH is a reliable way to run read-only DB probes without creating files on the server. + - `mysqli('localhost', ...)` fails with `No such file or directory`, which indicates PHP tries a Unix socket path that is not present or not configured. + - `mysqli('127.0.0.1', ...)` fails with `Connection refused`, and `sockstat` showed no listener on port `3306` and no visible MySQL Unix socket under `/var/run`, `/tmp`, or `/usr/local/var`. + - No `mysql` or `mariadb` client binary was found in the shell path. + - Result: the app configuration clearly points at MySQL, but direct DB access from the current shell remains unresolved and must be revalidated before relying on live SQL queries. ## MCP Limitation @@ -93,6 +125,13 @@ Run: ssh -tt -i C:\Users\Maddo\.ssh\id_rsa -p 410 marco@83.149.164.4 "sudo tcsh -c '/home/marco/promote-file.sh [metadata-source]'" ``` +If the source or destination path contains spaces, prefer this PowerShell pattern so SSH receives the remote command as one argument: + +```powershell +$remote = "sudo tcsh -c \"/home/marco/promote-file.sh '' '' [metadata-source]\"" +& ssh -tt -i 'C:\Users\Maddo\.ssh\id_rsa' -p 410 'marco@83.149.164.4' $remote +``` + Behavior of `promote-file.sh`: - If the destination already exists, it copies the file and restores that destination file's original owner, group, and mode. 
@@ -116,6 +155,7 @@ After staging or promotion, verify with: - `ls -l` for owner, group, and visible mode - `stat -f` for exact metadata - `cksum` to compare staged and live file contents +- From PowerShell, prefer `ssh ... --% ls -l ...`, `ssh ... --% stat -f ...`, and `ssh ... --% cksum ...` for verification commands that include quoted paths. Run verification commands separately if a parallel terminal run becomes unreliable. diff --git a/stacks/faceai.yml b/stacks/faceai.yml new file mode 100644 index 00000000..9d232667 --- /dev/null +++ b/stacks/faceai.yml 
@@ -0,0 +1,58 @@ +services: + faceai: + image: forgejo.maddoscientisto.net/maddo/faceai-client:latest + container_name: regalami-faceai + restart: unless-stopped + command: sh -c "mkdir -p /data/logs && npm run start >> /data/logs/backend.log 2>&1" + environment: + NODE_ENV: production + PORT: 3001 + FACEAI_FRONTEND_URL: https://ai.regalamiunsorriso.it + FACEAI_PUBLIC_BASE_URL: https://ai.regalamiunsorriso.it + FACEAI_LEGACY_RETURN_URL: https://www.regalamiunsorriso.it/faceai_return.php + FACEAI_SHARED_SECRET: disagio-spaghetti-science-lol-boh + FACEAI_SESSION_COOKIE: rus_faceai_session + FACEAI_REDIS_URL: redis://redis:6379 + FACEAI_QUEUE_NAME: faceai-searches + FACEAI_RUNTIME_ROOT: /data/runtime + FACEAI_UPLOAD_ROOT: /data/runtime/uploads + FACEAI_LOG_ROOT: /data/logs + FACEAI_PKL_ROOT: /data/pkl + FACEAI_ENABLE_LOCAL_LEGACY_STATIC: 0 + volumes: + - /var/docker/faceai/runtime:/data/runtime + - /var/docker/faceai/logs:/data/logs + - /mnt/nas12/nas2/RUS:/data/pkl:ro + ports: + - "127.0.0.1:3001:3001" + depends_on: + - redis + + processor: + image: forgejo.maddoscientisto.net/maddo/faceai-client:latest + container_name: regalami-faceai-processor + restart: unless-stopped + command: sh -c "mkdir -p /data/logs && npm run start:processor >> /data/logs/processor.log 2>&1" + environment: + NODE_ENV: production + FACEAI_REDIS_URL: redis://redis:6379 + FACEAI_QUEUE_NAME: faceai-searches + FACEAI_RUNTIME_ROOT: /data/runtime + FACEAI_LOG_ROOT: /data/logs + FACEAI_PKL_ROOT: /data/pkl + FACEAI_MATCHER_BINARY: /opt/face-recognition/face_matcher + FACEAI_WORKER_CONCURRENCY: 2 + FACEAI_WORKER_TIMEOUT_MS: 300000 + volumes: + - /var/docker/faceai/runtime:/data/runtime + - /var/docker/faceai/logs:/data/logs + - /mnt/nas12/nas2/RUS:/data/pkl:ro + - /var/docker/faceai/bin/Face_Recognition_Unix:/opt/face-recognition:ro + depends_on: + - redis + + redis: + image: redis:7-alpine + container_name: regalami-faceai-redis + restart: unless-stopped + command: redis-server --appendonly no \ No 
newline at end of file diff --git a/stacks/forgejo-runner.yml b/stacks/forgejo-runner.yml new file mode 100644 index 00000000..cc96c873 --- /dev/null +++ b/stacks/forgejo-runner.yml @@ -0,0 +1,27 @@ +version: '3.8' + +services: + forgejo-docker-in-docker: + image: docker:dind + container_name: 'forgejo-docker-in-docker' + privileged: true + command: ['dockerd', '-H', 'tcp://0.0.0.0:2375', '--tls=false'] + restart: 'unless-stopped' + + forgejo-runner: + image: 'data.forgejo.org/forgejo/runner:11' + links: + - forgejo-docker-in-docker + depends_on: + forgejo-docker-in-docker: + condition: service_started + container_name: 'forgejo-runner' + environment: + DOCKER_HOST: tcp://forgejo-docker-in-docker:2375 + # User without root privileges, but with access to `./data`. + user: 1001:1001 + volumes: + - /var/docker/forgejo-runner/data/:/data + restart: 'unless-stopped' + #command: '/bin/sh -c "while : ; do sleep 1 ; done ;"' + command: '/bin/sh -c "sleep 5; forgejo-runner daemon"' \ No newline at end of file diff --git a/stacks/forgejo.yml b/stacks/forgejo.yml new file mode 100644 index 00000000..94fb78a0 --- /dev/null +++ b/stacks/forgejo.yml @@ -0,0 +1,20 @@ +networks: + forgejo: + external: false + +services: + server: + image: codeberg.org/forgejo/forgejo:14 + container_name: forgejo + environment: + - USER_UID=1000 + - USER_GID=1000 + restart: always + networks: + - forgejo + volumes: + - /var/docker/forgejo:/data + - /etc/localtime:/etc/localtime:ro + ports: + - '3000:3000' + - '222:22' \ No newline at end of file diff --git a/stacks/php-nginx.yml b/stacks/php-nginx.yml new file mode 100644 index 00000000..76852630 --- /dev/null +++ b/stacks/php-nginx.yml 
@@ -0,0 +1,35 @@ +name: php-nginx +services: + php-nginx: + cpu_shares: 90 + command: [] + container_name: php-nginx + deploy: + resources: + limits: + memory: 3776M + environment: + - HOME=/root + - PGID=1000 + - PUID=1000 + - TZ=UTC + - WEBHOME=/var/www/html + hostname: php-nginx + image: shinsenter/phpfpm-nginx:latest + labels: + icon: https://cdn.jsdelivr.net/gh/Cp0204/CasaOS-AppStore-Play@main/Apps/php-nginx/icon.png + ports: + - target: 80 + published: "8002" + protocol: tcp + restart: unless-stopped + volumes: + - type: bind + source: /var/www/html + target: /var/www/html + bind: + create_host_path: true + devices: [] + cap_add: [] + network_mode: bridge + privileged: false diff --git a/stacks/web-blazor.yml b/stacks/web-blazor.yml new file mode 100644 index 00000000..6d8f3525 --- /dev/null +++ b/stacks/web-blazor.yml @@ -0,0 +1,13 @@ +version: '3.8' + +services: + maddoscientisto-web: + image: forgejo.maddoscientisto.net/maddo/maddoscientisto-web:latest + ports: + - "8002:80" + restart: unless-stopped + healthcheck: + test: ["CMD-SHELL", "curl -fsS http://127.0.0.1/ || exit 1"] + interval: 30s + timeout: 5s + retries: 3 \ No newline at end of file diff --git a/sync/www-deploy-manifest.md b/sync/www-deploy-manifest.md index 696c5505..0e19933b 100644 --- a/sync/www-deploy-manifest.md +++ b/sync/www-deploy-manifest.md @@ -1,6 +1,6 @@ # WWW Deployment Manifest -This document lists the files under `www/` in the current FaceAI feature-flag rollout that should be copied to the remote staging path: +This document lists the files under `www/` in the current deployment set that should be copied to the remote staging path: `/home/marco/regalamiunsorriso/incoming/www` 
@@ -14,12 +14,14 @@ All files in this rollout are deployed from the current working tree. ## Updated Files -- `www/_js/rus-ecom-240621.js` -- `www/faceai_config.php` -- `www/faceai_handoff.php` -- `www/faceai_simulator_view.php` -- `www/fotoCR-en.jsp` -- `www/fotoCR.jsp` +- `www/mailMessage/noMorePic.html` +- `www/mailMessage/noMorePic.txt` +- `www/mailMessage/noMorePicCc.html` +- `www/mailMessage/noMorePicScad.html` +- `www/mailMessage/noMorePicScad.txt` +- `www/mailMessage/perScadereMsg.html` +- `www/mailMessage/userMsg_itCC - Copy.html` +- `www/mailMessage/userMsg_itCC.html` ## Remote Copy Target @@ -27,7 +29,7 @@ All files in this rollout are deployed from the current working tree. - Remote host: `marco@83.149.164.4:410` - Remote staging path: `/home/marco/regalamiunsorriso/incoming/www` - Remote live path: `/home/sites/regalamiunsorriso/www` -- Total files in this manifest: `6` +- Total files in this manifest: `8` ## Transfer Method 
@@ -44,4 +46,75 @@ All files in this rollout are deployed from the current working tree. - The remote login shell behaves as `tcsh`, so POSIX shell loops fail unless run through `sh -c`. - The server `sh` does not support `-l`, so use `sh -c`, not `sh -lc`. -- Direct SSH plus tar works reliably on this host; MCP SSH was previously unreliable and is avoided. \ No newline at end of file +- Direct SSH plus tar works reliably on this host; MCP SSH was previously unreliable and is avoided. +- PowerShell quoting can break remote helper commands for paths with spaces; using `ssh ... --%` passes verification commands through cleanly. +- Direct remote use of `2>/dev/null`, pipelines, and escaped parentheses can still fail under `tcsh` with `Ambiguous output redirect`; for read-only investigation, prefer small single-purpose SSH commands or wrap the full payload in remote `sh -c`. +- If PowerShell shows the continuation prompt `? >`, the quoting failed locally before the command reached the server. Cancel it and rerun a simpler command. + +## Mail Template Reconnaissance + +Read-only investigation on `83.149.164.4` on 2026-04-16 found that mail content is not determined only by the files in `www/mailMessage`. + +### Mail Template Directories Found On Server + +- Live rollout target: `/home/sites/regalamiunsorriso/www/mailMessage` +- Staging copy: `/home/marco/regalamiunsorriso/incoming/www/mailMessage` +- Older duplicate tree: `/home/sites/regalamiunsorriso/wwwLang/mailMessage` +- Archived duplicate tree: `/home/sites/regalamiunsorriso/wwwOld/www/mailMessage` + +Representative checksum comparisons confirmed that `www/mailMessage` and `wwwLang/mailMessage` currently differ: + +- `noMorePic.html`: live `2188047161 3645`, `wwwLang` `2803737061 3775` +- `userMsg_itCC.html`: live `324589227 5628`, `wwwLang` `429470199 4921` + +### Runtime Resolution Path + +- The Java application lives under `/home/sites/regalamiunsorriso/rus/WEB-INF`. 
+- Local source code shows `DBAdapter.getDocBase()` returns `getParm("DOCBASE").getTesto()`. +- Local source code shows `Parm.findByCodice()` executes `select A.* from PARM AS A where A.codice='...'`. +- Local source code also shows the mail templates are located through `Parm` values such as `MAIL_REG`, `MAIL_NO_MORE`, `MAIL_NO_MORE_SCAD`, and `MAIL_MSG_PATH_MAILER`. +- Local `pg_src/com/ablia/pg/Users.java` seeds default values for `MAIL_MSG_RINNOVO` as `mailMessage/rinnovoMsg.html` and `MAIL_MSG_COUPON_OMAGGIO` as `mailMessage/couponOmaggioMsg.html`. +- On the live server, `/home/sites/regalamiunsorriso/rus/WEB-INF/classes/dbcomuni.properties`, `rus.properties`, and `truckservice.properties` all contain `USE_PARM_HT=true`, which indicates the application expects runtime values from the `Parm` store. + +Implication: +Changing a file in `www/mailMessage` is not enough to guarantee a changed outbound message. The live `Parm` data determines at least: + +- the effective `DOCBASE` +- which mail template filename is used for each message type +- the generic mailer template root via `MAIL_MSG_PATH_MAILER` + +If reports say old messages are still being sent, the next thing to verify is the live `Parm` row values for `DOCBASE`, `MAIL_REG`, `MAIL_NO_MORE`, `MAIL_NO_MORE_SCAD`, `MAIL_MSG_PATH_MAILER`, and any related per-feature mail parameters. + +### Useful Live App Configuration + +- Main webapp DB connection from `rus/WEB-INF/web.xml`: + - `dbDriver=3` + - `database=//localhost/pg` + - `user=root` + - `password=root` +- Secondary app properties from `rus/WEB-INF/classes/truckservice.properties`: + - `dbDriver=3` + - `dbName=//localhost/truckservice` + - `user=root` + - `password=root` +- Local source code in `DriversJdbc.java` maps `dbDriver=3` to MySQL Connector/J (`jdbc:mysql`). +- Tomcat is running under `jsvc` and is listening on `*:8080` with AJP on `127.0.0.1:8009`. 
+ +### Read-Only DB Access Attempts + +- The host has PHP CLI at `/usr/local/bin/php` with `mysqli`, `mysqlnd`, `PDO`, and `pdo_mysql` enabled. +- No `mysql` or `mariadb` client binary was found in the shell path. +- A read-only PHP probe over SSH is viable by piping a local script into remote PHP: + - This worked for plain PHP execution and is the safest known way to attempt SQL reads without creating files on the server. +- Live connection attempts behaved as follows: + - `mysqli('localhost', 'root', 'root', 'pg')` failed with `No such file or directory`. + - `mysqli('127.0.0.1', 'root', 'root', 'pg')` failed with `Connection refused`. +- `sockstat -4 -l` showed no listener on MySQL port `3306`. +- `sockstat -u -l` and targeted socket checks did not reveal a visible MySQL Unix socket under `/var/run`, `/tmp`, `/usr/local/var`, or `/var/db/mysql`. +- Current conclusion: the application configuration indicates MySQL, but direct SQL access from the current shell is not yet available. The webapp may rely on a non-obvious socket path, a jailed/internal service path, or a runtime environment not exposed to the `marco` shell. + +### Recon Scope Notes + +- The `RUS` entry under `/home/sites/regalamiunsorriso` is a symlink to `/mnt/da1/foto`. +- That tree appears to be photo/archive storage and produced permission noise during reconnaissance. +- It was not needed to identify the email-template resolution path and should be ignored for future mail-template investigations unless the task explicitly involves media storage. \ No newline at end of file
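Review bot: The `.github/instructions/...instructions.md` hunk at `@@ -40,7 +40,39 @@` commits live database credentials (`user=root`, `password=root` for both the `web.xml` connection and the `truckservice.properties` connection) into a file that is tracked in git. The surrounding bullets already tell the reader exactly which files on the server hold the values, so the credentials themselves add nothing; replace them with a placeholder such as `user=<redacted>` / `password=<redacted>` and treat the real values as exposed from the moment this commit was pushed. A smaller point in the same hunk: the bullet recommending `ssh ... --%` should say that `--%` stops PowerShell parsing for the rest of the line, so nothing after it is expanded (no `$variables`, no `"..."` processing); that is what makes it safe for verbatim paths, but it also means it cannot be combined with the `$remote` variable pattern introduced later in the file.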
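Review bot: In the instructions hunk at `@@ -93,6 +125,13 @@`, the added PowerShell pattern `$remote = "sudo tcsh -c \"/home/marco/promote-file.sh '' '' [metadata-source]\""` passes two empty single-quoted arguments with no explanation of what they stand for, so a reader who copies the snippet as written runs `promote-file.sh` with empty paths. Name the placeholders (for example `'<staged-source>' '<live-destination>'`) the way `[metadata-source]` is already named. Also worth stating which PowerShell this was verified on: how a literal `\"` inside the string is handed to `ssh.exe` differs between Windows PowerShell 5.1 and PowerShell 7.3 and later (which changed native argument passing under `$PSNativeCommandArgumentPassing`), so the pattern may need re-checking on the other one.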
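Review bot: In the `stacks/faceai.yml` hunk, `FACEAI_SHARED_SECRET: disagio-spaghetti-science-lol-boh` is a production shared secret committed in plaintext, and the same image and secret are the trust boundary between the web app and the `faceai` service. Move it out of the tracked file (an untracked env file referenced via `env_file:`, or a Compose secret), keep only a placeholder in the committed stack, and rotate the value now, since it is already in history. Two smaller points: `command: sh -c "mkdir -p /data/logs && npm run start >> /data/logs/backend.log 2>&1"` (and the processor equivalent) redirects all stdout/stderr to a file on the bind mount, so `docker logs` shows nothing for these containers and the restart loop under `restart: unless-stopped` becomes hard to see; letting the Docker log driver capture output is simpler. And `depends_on: - redis` only orders startup, it does not wait for Redis to accept connections, so the app and processor must tolerate a briefly unavailable `redis://redis:6379`.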
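Review bot: In the `stacks/forgejo-runner.yml` hunk, `command: ['dockerd', '-H', 'tcp://0.0.0.0:2375', '--tls=false']` on a `privileged: true` dind container exposes an unauthenticated Docker API to everything on that container's network, and because the file defines no network of its own, that is the project's default network; any job the runner executes, and any other container placed on that network, can use `tcp://forgejo-docker-in-docker:2375` to obtain root-equivalent control of the host. The comment `# User without root privileges, but with access to ./data.` on `user: 1001:1001` is therefore misleading: with `DOCKER_HOST` pointing at an open daemon the runner is effectively root regardless of its UID. At minimum put dind and the runner on a dedicated network marked `internal: true` so nothing else can reach port 2375, and consider the `docker:dind` image's built-in TLS mode (`DOCKER_TLS_CERTDIR`) instead of `--tls=false`. Minor: `links:` is a legacy feature already covered by `depends_on`, `version: '3.8'` is ignored with a warning by current Compose, and the commented-out `#command: '/bin/sh -c "while : ; do sleep 1 ; done ;"'` debugging line should not ship.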
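Review bot: In the `stacks/forgejo.yml` hunk, `- '3000:3000'` and `- '222:22'` publish the web UI and the SSH service on every host interface, while `stacks/faceai.yml` in the same patch deliberately binds `"127.0.0.1:3001:3001"`. If Forgejo sits behind a reverse proxy, bind port 3000 to `127.0.0.1:` in the same way; for port 222, state whether external Git-over-SSH is intended and make sure the host firewall rules match, since the compose file alone gives no indication.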
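Review bot: In the `stacks/php-nginx.yml` hunk, `image: shinsenter/phpfpm-nginx:latest` is an unpinned tag for a container that serves `/var/www/html` from a host bind mount, so every `pull` can silently change the PHP and nginx versions under the site; pin to a specific tag or digest as the other stacks do at least by major version. The file also carries CasaOS exporter defaults that say nothing about intent (`cpu_shares: 90`, `command: []`, `devices: []`, `cap_add: []`, the `icon:` label pointing at the CasaOS app store) and `bind: create_host_path: true`, which will create an empty `/var/www/html` on a fresh host rather than failing loudly; trimming these makes the file reviewable and makes a missing web root an error instead of an empty site.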
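Review bot: In the `stacks/web-blazor.yml` hunk, `- "8002:80"` publishes the same host port that `stacks/php-nginx.yml` publishes (`published: "8002"`), so the two stacks cannot run on one host at the same time and the second one to start will fail to bind. If they are intended for different hosts, say so at the top of each file; otherwise change one of the ports. Also confirm that `curl` exists in `forgejo.maddoscientisto.net/maddo/maddoscientisto-web:latest`, because `test: ["CMD-SHELL", "curl -fsS http://127.0.0.1/ || exit 1"]` marks the container unhealthy after three failures if the binary is absent, which is easy to mistake for an application fault. `version: '3.8'` is obsolete in current Compose, as in `forgejo-runner.yml`.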
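Review bot: In the `sync/www-deploy-manifest.md` hunk at `@@ -14,12 +14,14 @@`, the entry `www/mailMessage/userMsg_itCC - Copy.html` looks like a stray editor duplicate of `www/mailMessage/userMsg_itCC.html` rather than a deliberate deliverable; the hunk's own "Mail Template Reconnaissance" section shows the live `mailMessage` directory sits under the web root `/home/sites/regalamiunsorriso/www`, so a copied file promoted there is served just like the originals. Either drop it from the manifest (and adjust the `Total files in this manifest` count from `8` to `7` in the following hunk) or note why it must ship.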
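Review bot: In the `sync/www-deploy-manifest.md` hunk at `@@ -44,4 +46,75 @@`, the "Useful Live App Configuration" and "Read-Only DB Access Attempts" subsections repeat the `user=root` / `password=root` credentials and the probe calls `mysqli('localhost', 'root', 'root', 'pg')` and `mysqli('127.0.0.1', 'root', 'root', 'pg')` verbatim, which puts the same secrets into a second tracked file; redact them here as well and keep only the file paths where the live values can be read. The section is also a near-verbatim copy of the notes added to `.github/instructions/regalamiunsorriso-83-149-164-4.instructions.md` in this same patch (directory list, checksum findings, `Parm` resolution chain, socket checks), so the two will drift; keep the reconnaissance in one place and reference it from the other. Minor formatting: `Implication:` followed by a line break and then a sentence renders as two separate paragraphs in Markdown, so either make it a heading like the neighbouring `###` lines or join it to the sentence.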