docks and stacks

This commit is contained in:
MaddoScientisto 2026-04-18 10:57:58 +02:00
commit 2d14cb4e14
7 changed files with 275 additions and 9 deletions


@ -40,7 +40,39 @@ ssh -tt -i C:\Users\Maddo\.ssh\id_rsa -p 410 marco@83.149.164.4 "sudo tcsh -c 'c
- The remote login shell behaves as `tcsh`. - The remote login shell behaves as `tcsh`.
- POSIX shell constructs like `for ...; do ...; done` fail unless you explicitly run them through `sh -c`. - POSIX shell constructs like `for ...; do ...; done` fail unless you explicitly run them through `sh -c`.
- The server `sh` does not support `-l`, so use `sh -c`, not `sh -lc`. - The server `sh` does not support `-l`, so use `sh -c`, not `sh -lc`.
- `tcsh` treats redirection and pipelines differently from POSIX shells; commands like `find ... 2>/dev/null | head` can fail with `Ambiguous output redirect` unless the whole payload runs under `sh -c`.
- Prefer one remote command per SSH invocation when doing reconnaissance. Complex commands with pipes, grouped expressions, or escaped parentheses are much more likely to break under PowerShell-to-SSH-to-`tcsh` quoting.
- If PowerShell shows the continuation prompt `? >`, the command was malformed locally before SSH executed it. Cancel it and rerun a simpler command instead of trying to answer the prompt.
- If `sudo` reports that a terminal is required, reconnect with `-tt`. - If `sudo` reports that a terminal is required, reconnect with `-tt`.
- When running remote commands from PowerShell, quoting can break if the command contains both nested quotes and file paths with spaces.
- For read-only verification commands from PowerShell, prefer `ssh ... --% <remote command>` so the remote command is passed verbatim.
- For `promote-file.sh` calls that target paths with spaces, prefer a local PowerShell loop that passes the full remote command as a single SSH argument instead of building one long nested quoted command.
- If repeated SSH commands start cancelling or interleaving poorly in the same terminal, rerun them sequentially instead of in parallel.
## Mail Template Runtime Notes
- The server contains multiple `mailMessage` trees:
- Live web root: `/home/sites/regalamiunsorriso/www/mailMessage`
- Staging copy: `/home/marco/regalamiunsorriso/incoming/www/mailMessage`
- Older duplicate trees: `/home/sites/regalamiunsorriso/wwwLang/mailMessage` and `/home/sites/regalamiunsorriso/wwwOld/www/mailMessage`
- During the 2026-04-16 reconnaissance, representative checksums differed between `www/mailMessage` and `wwwLang/mailMessage`, so they are not interchangeable copies.
- The Java application configuration lives under `/home/sites/regalamiunsorriso/rus/WEB-INF`.
- `web.xml` defines the main application DB connection as `dbDriver=3`, `database=//localhost/pg`, `user=root`, `password=root`.
- `truckservice.properties` defines a second DB connection as `dbDriver=3`, `dbName=//localhost/truckservice`, `user=root`, `password=root`.
- In this codebase, `dbDriver=3` maps to MySQL Connector/J, not to a legacy non-MySQL driver.
- `dbcomuni.properties`, `rus.properties`, and `truckservice.properties` all set `USE_PARM_HT=true`, which means runtime values are expected to come from the application `Parm` store.
- In code, `DBAdapter.getDocBase()` resolves to `getParm("DOCBASE").getTesto()`, and mail-template lookups use `Parm` values such as `MAIL_REG`, `MAIL_NO_MORE`, `MAIL_NO_MORE_SCAD`, and `MAIL_MSG_PATH_MAILER`.
- In code, `Parm.findByCodice()` reads from `PARM` with `select A.* from PARM AS A where A.codice='...'`, so the live `PARM` table is the authoritative lookup point for these values.
- `pg_src/com/ablia/pg/Users.java` seeds defaults for `MAIL_MSG_RINNOVO` as `mailMessage/rinnovoMsg.html` and `MAIL_MSG_COUPON_OMAGGIO` as `mailMessage/couponOmaggioMsg.html` when the parameters are missing.
- Because of that indirection, changing files under a `mailMessage` directory is not sufficient proof that outbound mail content will change. The effective `DOCBASE` and mail-template parameter values must also be checked in the live `Parm` data.
- For mail-template reconnaissance, avoid recursing into `/mnt/da1/foto` via the `RUS` symlink unless the task explicitly concerns photo storage. It adds permission noise and did not help identify the email-template source.
- Read-only DB access notes from 2026-04-16:
- The host has PHP CLI at `/usr/local/bin/php` with both `mysqli` and `pdo_mysql` enabled.
- A piped PHP script over SSH is a reliable way to run read-only DB probes without creating files on the server.
- `mysqli('localhost', ...)` fails with `No such file or directory`, which indicates PHP tries a Unix socket path that is not present or not configured.
- `mysqli('127.0.0.1', ...)` fails with `Connection refused`, and `sockstat` showed no listener on port `3306` and no visible MySQL Unix socket under `/var/run`, `/tmp`, or `/usr/local/var`.
- No `mysql` or `mariadb` client binary was found in the shell path.
- Result: the app configuration clearly points at MySQL, but direct DB access from the current shell remains unresolved and must be revalidated before relying on live SQL queries.
## MCP Limitation ## MCP Limitation
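Review bot: the two bullets that record `user=root`, `password=root` for the `pg` and `truckservice` connections commit live database credentials into a notes file, and they will remain in git history even if a later edit removes them. The driver id, host and database name are enough to document the runtime config; replace the credential values with a pointer to the files they were read from (`rus/WEB-INF/web.xml`, `rus/WEB-INF/classes/truckservice.properties`), treat the password as burned and rotate it, which is also the opening to stop the webapp connecting as `root`. The hunk header shows the SSH target as `marco@83.149.164.4` on port `410`; that is fine for a private ops repo, but confirm this repository is private before the stacks below are pushed alongside it.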
@ -93,6 +125,13 @@ Run:
ssh -tt -i C:\Users\Maddo\.ssh\id_rsa -p 410 marco@83.149.164.4 "sudo tcsh -c '/home/marco/promote-file.sh <staged-path> <live-path> [metadata-source]'" ssh -tt -i C:\Users\Maddo\.ssh\id_rsa -p 410 marco@83.149.164.4 "sudo tcsh -c '/home/marco/promote-file.sh <staged-path> <live-path> [metadata-source]'"
``` ```
If the source or destination path contains spaces, prefer this PowerShell pattern so SSH receives the remote command as one argument:
```powershell
$remote = "sudo tcsh -c \"/home/marco/promote-file.sh '<staged-path>' '<live-path>' [metadata-source]\""
& ssh -tt -i 'C:\Users\Maddo\.ssh\id_rsa' -p 410 'marco@83.149.164.4' $remote
```
Behavior of `promote-file.sh`: Behavior of `promote-file.sh`:
- If the destination already exists, it copies the file and restores that destination file's original owner, group, and mode. - If the destination already exists, it copies the file and restores that destination file's original owner, group, and mode.
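Review bot: the new `$remote = "sudo tcsh -c \"...\""` pattern fixes a local PowerShell quoting problem, not a remote one: ssh joins its trailing arguments with spaces and hands the result to the login shell, so `tcsh` still parses the string and the inner single quotes are what actually protect the space in `'<staged-path>'`. Say that in the text, and add the two cases the pattern does not cover: a path containing `'` (the single-quoted form ends early) and the unquoted `[metadata-source]` placeholder, which needs the same `'...'` treatment if it ever holds a path with spaces. Because `promote-file.sh` runs under `sudo`, a quoting failure here is a wrong-file-promoted-as-root failure, not merely a syntax error, so the text should tell the reader to dry-run with `ls -l` on the same quoted paths first.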
@ -116,6 +155,7 @@ After staging or promotion, verify with:
- `ls -l` for owner, group, and visible mode - `ls -l` for owner, group, and visible mode
- `stat -f` for exact metadata - `stat -f` for exact metadata
- `cksum` to compare staged and live file contents - `cksum` to compare staged and live file contents
- From PowerShell, prefer `ssh ... --% ls -l ...`, `ssh ... --% stat -f ...`, and `ssh ... --% cksum ...` for verification commands that include quoted paths.
Run verification commands separately if a parallel terminal run becomes unreliable. Run verification commands separately if a parallel terminal run becomes unreliable.
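Review bot: the added `ssh ... --% ls -l ...` bullet should state what `--%` actually does: PowerShell stops parsing and passes the rest of the line to `ssh.exe` verbatim, so `$variables` are no longer expanded but `%ENVVAR%` references still are, and the remote side is still parsed by `tcsh`, so the `Ambiguous output redirect` caveat from the section above still applies to anything containing `2>/dev/null` or a pipe. `cksum` (CRC-32) is adequate for the stated purpose of spotting a truncated or wrong-version copy; if the step is ever meant to detect tampering rather than mistakes, compare SHA-256 instead (check whether `sha256` is available on the host, which the `stat -f` and `sockstat` usage suggests is FreeBSD).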

stacks/faceai.yml Normal file

@ -0,0 +1,58 @@
services:
faceai:
image: forgejo.maddoscientisto.net/maddo/faceai-client:latest
container_name: regalami-faceai
restart: unless-stopped
command: sh -c "mkdir -p /data/logs && npm run start >> /data/logs/backend.log 2>&1"
environment:
NODE_ENV: production
PORT: 3001
FACEAI_FRONTEND_URL: https://ai.regalamiunsorriso.it
FACEAI_PUBLIC_BASE_URL: https://ai.regalamiunsorriso.it
FACEAI_LEGACY_RETURN_URL: https://www.regalamiunsorriso.it/faceai_return.php
FACEAI_SHARED_SECRET: disagio-spaghetti-science-lol-boh
FACEAI_SESSION_COOKIE: rus_faceai_session
FACEAI_REDIS_URL: redis://redis:6379
FACEAI_QUEUE_NAME: faceai-searches
FACEAI_RUNTIME_ROOT: /data/runtime
FACEAI_UPLOAD_ROOT: /data/runtime/uploads
FACEAI_LOG_ROOT: /data/logs
FACEAI_PKL_ROOT: /data/pkl
FACEAI_ENABLE_LOCAL_LEGACY_STATIC: 0
volumes:
- /var/docker/faceai/runtime:/data/runtime
- /var/docker/faceai/logs:/data/logs
- /mnt/nas12/nas2/RUS:/data/pkl:ro
ports:
- "127.0.0.1:3001:3001"
depends_on:
- redis
processor:
image: forgejo.maddoscientisto.net/maddo/faceai-client:latest
container_name: regalami-faceai-processor
restart: unless-stopped
command: sh -c "mkdir -p /data/logs && npm run start:processor >> /data/logs/processor.log 2>&1"
environment:
NODE_ENV: production
FACEAI_REDIS_URL: redis://redis:6379
FACEAI_QUEUE_NAME: faceai-searches
FACEAI_RUNTIME_ROOT: /data/runtime
FACEAI_LOG_ROOT: /data/logs
FACEAI_PKL_ROOT: /data/pkl
FACEAI_MATCHER_BINARY: /opt/face-recognition/face_matcher
FACEAI_WORKER_CONCURRENCY: 2
FACEAI_WORKER_TIMEOUT_MS: 300000
volumes:
- /var/docker/faceai/runtime:/data/runtime
- /var/docker/faceai/logs:/data/logs
- /mnt/nas12/nas2/RUS:/data/pkl:ro
- /var/docker/faceai/bin/Face_Recognition_Unix:/opt/face-recognition:ro
depends_on:
- redis
redis:
image: redis:7-alpine
container_name: regalami-faceai-redis
restart: unless-stopped
command: redis-server --appendonly no
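Review bot: `FACEAI_SHARED_SECRET: disagio-spaghetti-science-lol-boh` puts the secret shared with `faceai_return.php` on the legacy site into a compose file in git; rotate it now (it is in history regardless of what happens to this file) and move it to a gitignored `.env` file or a `secrets:` entry, referenced as `FACEAI_SHARED_SECRET: ${FACEAI_SHARED_SECRET}`. Two smaller points on the same file: `redis://redis:6379` runs without `requirepass` and the `redis` service publishes no ports, so it is reachable only on this stack's default network, which is acceptable as long as no other project attaches to that network; and `command: sh -c "... >> /data/logs/backend.log 2>&1"` sends all output to a bind-mounted file, so `docker logs regalami-faceai` will be empty and rotation of `/var/docker/faceai/logs` has to be handled on the host.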

stacks/forgejo-runner.yml Normal file

@ -0,0 +1,27 @@
version: '3.8'
services:
forgejo-docker-in-docker:
image: docker:dind
container_name: 'forgejo-docker-in-docker'
privileged: true
command: ['dockerd', '-H', 'tcp://0.0.0.0:2375', '--tls=false']
restart: 'unless-stopped'
forgejo-runner:
image: 'data.forgejo.org/forgejo/runner:11'
links:
- forgejo-docker-in-docker
depends_on:
forgejo-docker-in-docker:
condition: service_started
container_name: 'forgejo-runner'
environment:
DOCKER_HOST: tcp://forgejo-docker-in-docker:2375
# User without root privileges, but with access to `./data`.
user: 1001:1001
volumes:
- /var/docker/forgejo-runner/data/:/data
restart: 'unless-stopped'
#command: '/bin/sh -c "while : ; do sleep 1 ; done ;"'
command: '/bin/sh -c "sleep 5; forgejo-runner daemon"'
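Review bot: `forgejo-docker-in-docker` runs `privileged: true` with `dockerd -H tcp://0.0.0.0:2375 --tls=false`, so every job the runner executes gets an unauthenticated Docker API that is root-equivalent on the host; the `user: 1001:1001` on the runner does not reduce that, because jobs talk to `DOCKER_HOST` directly. If this runner only builds the repos on this Forgejo instance that may be an accepted trade-off, but write it down next to the existing comment on `user:`, and give the stack its own `networks:` entry so no other compose project can reach port 2375 by attaching to the default network; at minimum drop `--tls=false` and let the `docker:dind` image generate certificates via `DOCKER_TLS_CERTDIR`. `links:` is a legacy feature that the `depends_on` block already covers, and `version: '3.8'` is ignored by current Compose, so both can go.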

stacks/forgejo.yml Normal file

@ -0,0 +1,20 @@
networks:
forgejo:
external: false
services:
server:
image: codeberg.org/forgejo/forgejo:14
container_name: forgejo
environment:
- USER_UID=1000
- USER_GID=1000
restart: always
networks:
- forgejo
volumes:
- /var/docker/forgejo:/data
- /etc/localtime:/etc/localtime:ro
ports:
- '3000:3000'
- '222:22'
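Review bot: `'3000:3000'` and `'222:22'` bind on all host interfaces, whereas `stacks/faceai.yml` in this same commit binds its service to `127.0.0.1:3001`. If a reverse proxy on the host terminates TLS for `forgejo.maddoscientisto.net`, bind the web port as `'127.0.0.1:3000:3000'` and leave only the SSH port public; otherwise add a comment stating that direct exposure of port 3000 is intended. The `networks: forgejo: external: false` block gives the server a per-project network, which is the right pattern and is what the runner stack in this commit lacks.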

stacks/php-nginx.yml Normal file

@ -0,0 +1,35 @@
name: php-nginx
services:
php-nginx:
cpu_shares: 90
command: []
container_name: php-nginx
deploy:
resources:
limits:
memory: 3776M
environment:
- HOME=/root
- PGID=1000
- PUID=1000
- TZ=UTC
- WEBHOME=/var/www/html
hostname: php-nginx
image: shinsenter/phpfpm-nginx:latest
labels:
icon: https://cdn.jsdelivr.net/gh/Cp0204/CasaOS-AppStore-Play@main/Apps/php-nginx/icon.png
ports:
- target: 80
published: "8002"
protocol: tcp
restart: unless-stopped
volumes:
- type: bind
source: /var/www/html
target: /var/www/html
bind:
create_host_path: true
devices: []
cap_add: []
network_mode: bridge
privileged: false
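Review bot: `published: "8002"` for `target: 80` collides with `stacks/web-blazor.yml` in this commit, which publishes `"8002:80"`; whichever stack starts second fails with a port-in-use error, so either one of them needs a different host port or this file is obsolete and should be dropped. `image: shinsenter/phpfpm-nginx:latest` is an unpinned tag for a container serving the host's `/var/www/html` bind mount (with `create_host_path: true`); pin a version or digest so a routine `pull` cannot silently change the PHP and nginx versions under that content. `HOME=/root` paired with `PUID=1000`/`PGID=1000`, the empty `command`/`devices`/`cap_add` lists and the CasaOS `icon` label read as app-store export boilerplate; if that is where this came from, note it in a comment so the odd settings are not cargo-culted into the other stacks.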

stacks/web-blazor.yml Normal file

@ -0,0 +1,13 @@
version: '3.8'
services:
maddoscientisto-web:
image: forgejo.maddoscientisto.net/maddo/maddoscientisto-web:latest
ports:
- "8002:80"
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "curl -fsS http://127.0.0.1/ || exit 1"]
interval: 30s
timeout: 5s
retries: 3
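Review bot: the `healthcheck` runs `curl` inside `maddoscientisto-web:latest`, so it depends on `curl` existing in that image; if it does not, the container is reported unhealthy forever and `restart: unless-stopped` does nothing about it, since Compose does not restart on an unhealthy status. Confirm the image ships `curl` or switch to a probe it is known to contain. `"8002:80"` binds on all interfaces and is the same host port `stacks/php-nginx.yml` publishes; see the note on that file. `version: '3.8'` is obsolete for current Compose.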


@ -1,6 +1,6 @@
# WWW Deployment Manifest # WWW Deployment Manifest
This document lists the files under `www/` in the current FaceAI feature-flag rollout that should be copied to the remote staging path: This document lists the files under `www/` in the current deployment set that should be copied to the remote staging path:
`/home/marco/regalamiunsorriso/incoming/www` `/home/marco/regalamiunsorriso/incoming/www`
@ -14,12 +14,14 @@ All files in this rollout are deployed from the current working tree.
## Updated Files ## Updated Files
- `www/_js/rus-ecom-240621.js` - `www/mailMessage/noMorePic.html`
- `www/faceai_config.php` - `www/mailMessage/noMorePic.txt`
- `www/faceai_handoff.php` - `www/mailMessage/noMorePicCc.html`
- `www/faceai_simulator_view.php` - `www/mailMessage/noMorePicScad.html`
- `www/fotoCR-en.jsp` - `www/mailMessage/noMorePicScad.txt`
- `www/fotoCR.jsp` - `www/mailMessage/perScadereMsg.html`
- `www/mailMessage/userMsg_itCC - Copy.html`
- `www/mailMessage/userMsg_itCC.html`
## Remote Copy Target ## Remote Copy Target
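Review bot: `www/mailMessage/userMsg_itCC - Copy.html` in the updated-files list is a Windows Explorer duplicate, and the manifest would deploy it into the live web root next to `userMsg_itCC.html`. Unless the application references that exact filename, drop it from the rollout (and from the working tree) and lower the total count; a stray template with a space in its name is also precisely the case the PowerShell-quoting notes elsewhere in this commit are working around.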
@ -27,7 +29,7 @@ All files in this rollout are deployed from the current working tree.
- Remote host: `marco@83.149.164.4:410` - Remote host: `marco@83.149.164.4:410`
- Remote staging path: `/home/marco/regalamiunsorriso/incoming/www` - Remote staging path: `/home/marco/regalamiunsorriso/incoming/www`
- Remote live path: `/home/sites/regalamiunsorriso/www` - Remote live path: `/home/sites/regalamiunsorriso/www`
- Total files in this manifest: `6` - Total files in this manifest: `8`
## Transfer Method ## Transfer Method
@ -44,4 +46,75 @@ All files in this rollout are deployed from the current working tree.
- The remote login shell behaves as `tcsh`, so POSIX shell loops fail unless run through `sh -c`. - The remote login shell behaves as `tcsh`, so POSIX shell loops fail unless run through `sh -c`.
- The server `sh` does not support `-l`, so use `sh -c`, not `sh -lc`. - The server `sh` does not support `-l`, so use `sh -c`, not `sh -lc`.
- Direct SSH plus tar works reliably on this host; MCP SSH was previously unreliable and is avoided. - Direct SSH plus tar works reliably on this host; MCP SSH was previously unreliable and is avoided.
- PowerShell quoting can break remote helper commands for paths with spaces; using `ssh ... --%` passes verification commands through cleanly.
- Direct remote use of `2>/dev/null`, pipelines, and escaped parentheses can still fail under `tcsh` with `Ambiguous output redirect`; for read-only investigation, prefer small single-purpose SSH commands or wrap the full payload in remote `sh -c`.
- If PowerShell shows the continuation prompt `? >`, the quoting failed locally before the command reached the server. Cancel it and rerun a simpler command.
## Mail Template Reconnaissance
Read-only investigation on `83.149.164.4` on 2026-04-16 found that mail content is not determined only by the files in `www/mailMessage`.
### Mail Template Directories Found On Server
- Live rollout target: `/home/sites/regalamiunsorriso/www/mailMessage`
- Staging copy: `/home/marco/regalamiunsorriso/incoming/www/mailMessage`
- Older duplicate tree: `/home/sites/regalamiunsorriso/wwwLang/mailMessage`
- Archived duplicate tree: `/home/sites/regalamiunsorriso/wwwOld/www/mailMessage`
Representative checksum comparisons confirmed that `www/mailMessage` and `wwwLang/mailMessage` currently differ:
- `noMorePic.html`: live `2188047161 3645`, `wwwLang` `2803737061 3775`
- `userMsg_itCC.html`: live `324589227 5628`, `wwwLang` `429470199 4921`
### Runtime Resolution Path
- The Java application lives under `/home/sites/regalamiunsorriso/rus/WEB-INF`.
- Local source code shows `DBAdapter.getDocBase()` returns `getParm("DOCBASE").getTesto()`.
- Local source code shows `Parm.findByCodice()` executes `select A.* from PARM AS A where A.codice='...'`.
- Local source code also shows the mail templates are located through `Parm` values such as `MAIL_REG`, `MAIL_NO_MORE`, `MAIL_NO_MORE_SCAD`, and `MAIL_MSG_PATH_MAILER`.
- Local `pg_src/com/ablia/pg/Users.java` seeds default values for `MAIL_MSG_RINNOVO` as `mailMessage/rinnovoMsg.html` and `MAIL_MSG_COUPON_OMAGGIO` as `mailMessage/couponOmaggioMsg.html`.
- On the live server, `/home/sites/regalamiunsorriso/rus/WEB-INF/classes/dbcomuni.properties`, `rus.properties`, and `truckservice.properties` all contain `USE_PARM_HT=true`, which indicates the application expects runtime values from the `Parm` store.
Implication:
Changing a file in `www/mailMessage` is not enough to guarantee a changed outbound message. The live `Parm` data determines at least:
- the effective `DOCBASE`
- which mail template filename is used for each message type
- the generic mailer template root via `MAIL_MSG_PATH_MAILER`
If reports say old messages are still being sent, the next thing to verify is the live `Parm` row values for `DOCBASE`, `MAIL_REG`, `MAIL_NO_MORE`, `MAIL_NO_MORE_SCAD`, `MAIL_MSG_PATH_MAILER`, and any related per-feature mail parameters.
### Useful Live App Configuration
- Main webapp DB connection from `rus/WEB-INF/web.xml`:
- `dbDriver=3`
- `database=//localhost/pg`
- `user=root`
- `password=root`
- Secondary app properties from `rus/WEB-INF/classes/truckservice.properties`:
- `dbDriver=3`
- `dbName=//localhost/truckservice`
- `user=root`
- `password=root`
- Local source code in `DriversJdbc.java` maps `dbDriver=3` to MySQL Connector/J (`jdbc:mysql`).
- Tomcat is running under `jsvc` and is listening on `*:8080` with AJP on `127.0.0.1:8009`.
### Read-Only DB Access Attempts
- The host has PHP CLI at `/usr/local/bin/php` with `mysqli`, `mysqlnd`, `PDO`, and `pdo_mysql` enabled.
- No `mysql` or `mariadb` client binary was found in the shell path.
- A read-only PHP probe over SSH is viable by piping a local script into remote PHP:
- This worked for plain PHP execution and is the safest known way to attempt SQL reads without creating files on the server.
- Live connection attempts behaved as follows:
- `mysqli('localhost', 'root', 'root', 'pg')` failed with `No such file or directory`.
- `mysqli('127.0.0.1', 'root', 'root', 'pg')` failed with `Connection refused`.
- `sockstat -4 -l` showed no listener on MySQL port `3306`.
- `sockstat -u -l` and targeted socket checks did not reveal a visible MySQL Unix socket under `/var/run`, `/tmp`, `/usr/local/var`, or `/var/db/mysql`.
- Current conclusion: the application configuration indicates MySQL, but direct SQL access from the current shell is not yet available. The webapp may rely on a non-obvious socket path, a jailed/internal service path, or a runtime environment not exposed to the `marco` shell.
### Recon Scope Notes
- The `RUS` entry under `/home/sites/regalamiunsorriso` is a symlink to `/mnt/da1/foto`.
- That tree appears to be photo/archive storage and produced permission noise during reconnaissance.
- It was not needed to identify the email-template resolution path and should be ignored for future mail-template investigations unless the task explicitly involves media storage.
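Review bot: the `sockstat -4 -l` check under "Read-Only DB Access Attempts" lists IPv4 listeners only, and `mysqli('127.0.0.1', ...)` tried IPv4 only, while Connector/J with `database=//localhost/pg` connects over TCP and may resolve `localhost` to `::1`; before concluding that no MySQL is reachable, re-run `sockstat -l` without `-4` (or with `-6`) and try `mysqli('::1', 'root', 'root', 'pg')`, and read `mysqli.default_socket`/`pdo_mysql.default_socket` from `php -i` so the `No such file or directory` failure can be tied to a concrete socket path. If those come back empty too, a process-level check for a running `mysqld` separates "not listening here" from "not running", which the "jailed/internal service path" guess in the current conclusion does not. The `user=root`/`password=root` bullets repeat the credentials already committed in the other notes file in this commit, and the same objection applies; the "Mail Template Reconnaissance" section is otherwise a near-duplicate of "Mail Template Runtime Notes" in that file, so keep one canonical write-up and link to it rather than maintaining two copies that will drift.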