here we go again

.github/renovate.json

@@ -0,0 +1,6 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended"
+  ]
+}

.github/workflows/release.yml

@@ -0,0 +1,60 @@
+name: build-and-release
+on:
+  push:
+    branches:
+      - unstable
+      - main
+    tags:
+      - v*
+  pull_request:
+    branches:
+    - main
+    - unstable
+permissions:
+  contents: read
+jobs:
+  release:
+    # description: "Builds all the Notifiarr client binaries and packages for a release."
+    if: startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/unstable' || github.ref == 'refs/heads/main'
+    outputs:
+      version: ${{ steps.release.outputs.version }}
+    name: Make Release Assets
+    runs-on: ubuntu-latest
+    env:
+      GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          # we need the whole thing so we can count commits.
+          fetch-depth: '0'
+      - name: make-release
+        id: release
+        run: |
+          sudo apt install -y fakeroot zip debsigs gnupg jq 
+          sudo gem install --no-document fpm
+          echo "${GPG_SIGNING_KEY}" | gpg --import -
+          bash build.sh
+          mkdir release
+          mv *.deb release
+      - name: upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: release
+          path: release
+
+  deploy-nonpublic-packagecloud:
+    if: startsWith(github.ref, 'refs/tags/v')
+    needs: release
+    name: Deploy Nonpublic PackageCloud
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download release files
+        uses: actions/download-artifact@v4
+        with:
+          name: release
+      - uses: golift/upload-packagecloud@v1.1
+        with:
+          userrepo: golift/nonpublic
+          apitoken: ${{ secrets.PACKAGECLOUD_TOKEN }}
+          packages: .
+          debdists: ubuntu/focal

.gitignore

@@ -0,0 +1 @@
+*.deb

README.md

@@ -1,2 +1,34 @@
-# forest
-Tunnel Forest Package
+# Notifiarr Forest
+
+This is where you'll find the scripts and github action that create the forest package(s) for Notifiarr.
+
+There's nothing very useful in this repo for the public. 
+The forest is simply a web of proxies running [Mulery](https://github.com/golift/mulery).
+
+## System Package
+
+GitHub Actions runs the [build.sh](build.sh) script which turns the [root/](root/) folder into a deb package and uploads it to package cloud.
+
+- The package installs a few dependencies such as `docker-compose`.
+- Also installed is a user named `abc` with an [authorized_keys ssh](root/home/abc/.ssh/authorized_keys)
+    file and a [sudoers](root/etc/sudoers.d/workers) entry that allows the website to restart things.
+- Telegraf is also [partially configured](root/etc/telegraf/telegraf.d/notifiarr.conf) during package installation.
+  You need to install an output plugin.
+
+## Use
+
+Then run the included install script. Like this:
+```bash
+curl -sL https://raw.githubusercontent.com/Notifiarr/forest/main/install.sh | sudo bash
+```
+
+In addition to installing the [notifiarr-forest](https://packagecloud.io/app/golift/nonpublic/search?q=notifiarr-forest)
+package, the [install.sh](install.sh) script installs and configures:
+
+- [Notifiarr Client](https://github.com/Notifiarr/notifiarr)
+
+
+# License
+
+- This software is Copyright 2024 Notifiarr, LLC.
+- Read the [license](LICENSE) if you intend to make copies.

after-install.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+# This is the postinst deb package script. It runs after the package contents are installed.
+
+set -e
+
+if [ -d /etc/dockwatch ]; then
+  chown -R abc:root /etc/dockwatch
+fi

before-install.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+# This is the preinst deb package script. It runs before the package is installed.
+
+set -e
+
+# Make a user and group for this app, but only if it does not already exist.
+groupadd --force --non-unique --gid 1003 abc
+id abc >/dev/null 2>&1 || \
+  useradd --non-unique --create-home --uid 1003 --gid 1003 --groups users,docker abc

before-remove.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# This is the prerm deb package script. It runs before the package is removed.
+
+if [ "$1" = "upgrade" ] || [ "$1" = "1" ] ; then
+  exit 0
+fi
+
+cd /etc/mulery && docker-compose down

build.sh

@@ -0,0 +1,58 @@
+# GitHub Actions runs this script to build a deb package.
+# You can run this locally, you just need to gem install fpm.
+# See the release.yml workflow file for a command to do that.
+
+##
+DESC="Official Forest for Notifiarr.com"
+LICENSE="GPLv2"
+MAINT="David Newhall II <captain at golift dot io>"
+SOURCE_URL="https://github.com/Notifiarr/forest"
+VENDOR="Go Lift <code@golift.io>"
+#
+DATE="$(date -u +%Y-%m-%dT%H:%M:00Z)"
+VERSION=$(git describe --abbrev=0 --tags $(git rev-list --tags --max-count=1) 2>/dev/null | tr -d v)
+[ "$VERSION" != "" ] || VERSION=development
+# This produces a 0 in some environments (like Homebrew), but it's only used for packages.
+ITERATION=$(git rev-list --count --all || echo 0)
+COMMIT="$(git rev-parse --short HEAD || echo 0)"
+GIT_BRANCH="$(git rev-parse --abbrev-ref HEAD || echo unknown)"
+BRANCH="${GIT_BRANCH:-${GITHUB_REF_NAME}}"
+#
+SIGNING_KEY=B93DD66EF98E54E2EAE025BA0166AD34ABC5A57C
+PACKAGE_NAME="notifiarr-forest"
+##
+
+read -r -d '' DEPENDS <<- DEPENDS
+    --depends docker-compose
+    --depends software-properties-common
+    --depends sudo
+    --depends cron
+    --depends telegraf
+DEPENDS
+
+read -r -d '' PACKAGE_ARGS <<- PACKAGE_ARGS
+    --after-install after-install.sh
+    --before-install before-install.sh
+    --before-remove before-remove.sh
+    --deb-no-default-config-files
+    --description='${DESC}'
+    --iteration ${ITERATION}
+    --license ${LICENSE}
+    --maintainer='${MAINT}'
+    --name ${PACKAGE_NAME}
+    --url ${SOURCE_URL}
+    --vendor='${VENDOR}'
+PACKAGE_ARGS
+
+mkdir -p root/var/log/mulery root/etc/mulery/keys
+
+rm -f ${PACKAGE_NAME}_${VERSION}-${ITERATION}_amd64.deb
+echo fpm -s dir -t deb ${PACKAGE_ARGS} ${DEPENDS} -a amd64 -v ${VERSION} -C root/
+eval fpm -s dir -t deb ${PACKAGE_ARGS} ${DEPENDS} -a amd64 -v ${VERSION} -C root/
+echo
+ls -l
+
+# Sign the package if the signing key is in the gpg keychain.
+if gpg --list-keys 2>/dev/null | grep -q "${SIGNING_KEY}" ; then
+    debsigs --default-key="${SIGNING_KEY}" --sign=origin ${PACKAGE_NAME}_${VERSION}-${ITERATION}_amd64.deb
+fi

install.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# This is the entry point for setting up a worker. Download and run this script on a fresh Ubuntu 22.04 server.
+# Make sure the new server has access to the NFS /share (see below). It's safe to run this more than once; in case you forgot.
+
+read -p "Notifiarr.com API Key:" APIKEY
+echo "DN_API_KEY=$APIKEY" | sudo tee /etc/default/notifiarr > /dev/null
+
+curl -s https://golift.io/repo.sh | sudo bash -s - notifiarr
+
+echo "Adding Nonpublic Golift APT repo"
+curl -sL https://packagecloud.io/golift/nonpublic/gpgkey | gpg --dearmor > /tmp/golift-nonpublic-keyring.gpg && \
+    sudo mv -f /tmp/golift-nonpublic-keyring.gpg /usr/share/keyrings/golift-nonpublic-keyring.gpg
+echo "deb [signed-by=/usr/share/keyrings/golift-nonpublic-keyring.gpg] https://packagecloud.io/golift/nonpublic/ubuntu focal main" | \
+    sudo tee /etc/apt/sources.list.d/golift-nonpublic.list
+
+sudo apt update
+sudo apt install -y notifiarr-forest
+
+echo "Copying mulery.conf and running docker-compose up -d in /etc/mulery"
+
+scp safrica.notifiarr.com:/etc/mulery/mulery.conf /tmp && \
+    sed -i'' "s/safrica/$(hostname -s)/g" /tmp/mulery.conf && \
+    sudo cp /tmp/mulery.conf /etc/mulery/mulery.conf && \
+    cd /etc/mulery && \
+    sudo docker-compose up -d 

root/etc/cron.daily/apt-upgrade

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+# Keep everything up to date!
+# This crontab is part of the notifiarr-forest package.
+
+DEBIAN_FRONTEND=noninteractive
+LOGDIR="/var/log/apt-output"
+
+mkdir -p "${LOGDIR}"
+
+/usr/bin/apt update > "${LOGDIR}/update.log" 2>&1
+/usr/bin/apt upgrade -y > "${LOGDIR}/upgrade.log" 2>&1

root/etc/mulery/docker-compose.tml

@@ -0,0 +1,24 @@
+---
+services:
+  mulery:
+    image: ghcr.io/golift/mulery:main
+    container_name: mulery
+    volumes:
+      - /etc/mulery:/etc/mulery
+      - /var/log/mulery:/var/log/mulery
+    ports:
+      - 443:443
+    restart: unless-stopped
+  dockwatch:
+    container_name: dockwatch
+    image: ghcr.io/notifiarr/dockwatch:develop
+    ports:
+      - 9999:80/tcp
+    environment:
+      - PUID=1003
+      - PGID=121
+      - TZ=America/New_York
+    restart: unless-stopped
+    volumes:
+      - /etc/dockwatch/:/config
+      - /var/run/docker.sock:/var/run/docker.sock

root/etc/sudoers.d/abc

@@ -0,0 +1,8 @@
+# The manager container has access to run commands listed here.
+# Use DEBIAN_FRONTEND=noninteractive sudo -E for apt upgades.
+abc ALL=(root) NOPASSWD: /usr/bin/systemctl restart docker
+abc ALL=(root) NOPASSWD: /usr/bin/systemctl start docker
+abc ALL=(root) NOPASSWD: /usr/sbin/reboot
+abc ALL=(root) NOPASSWD: /usr/bin/apt update
+abc ALL=(root) NOPASSWD: /usr/bin/apt upgrade -y
+abc ALL=(root) NOPASSWD: /usr/bin/apt install -y notifiarr-forest

root/etc/telegraf/telegraf.d/notifiarr.conf

@@ -0,0 +1,47 @@
+# Custom telegraf config for Notifiarr worker server.
+[global_tags]
+
+[agent]
+    interval = "10s"
+    round_interval = true
+    metric_batch_size = 1000
+    metric_buffer_limit = 10000
+    collection_jitter = "0s"
+    flush_interval = "10s"
+    flush_jitter = "0s"
+    precision = "0s"
+    omit_hostname = false
+
+[[inputs.cpu]]
+    totalcpu = true
+
+[[inputs.disk]]
+    ignore_fs = ["tmpfs", "devtmpfs", "devfs", "iso9660", "overlay", "aufs", "squashfs"]
+
+[[inputs.diskio]]
+
+[[inputs.kernel]]
+
+[[inputs.mem]]
+
+[[inputs.processes]]
+
+[[inputs.swap]]
+
+[[inputs.system]]
+
+[[inputs.conntrack]]
+    dirs = ["/proc/sys/net/netfilter"]
+
+[[inputs.interrupts]]
+
+[[inputs.linux_sysctl_fs]]
+
+[[inputs.net]]
+
+[[inputs.netstat]]
+
+[[inputs.nstat]]
+    proc_net_netstat = "/proc/net/netstat"
+    proc_net_snmp = "/proc/net/snmp"
+    proc_net_snmp6 = "/proc/net/snmp6"

root/home/abc/.ssh/authorized_keys

@@ -0,0 +1,2 @@
+# This authorized ssh key gives the notifiarr manager access to the server.
+ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAHW33s2kemAEYm1yqZ+FCEfis7q2Wyz4EzLSdiwKenZ7wqgzM7Q7yjMWY/vZEA22y6dKFol45TUYMXkoJvuIerKwwGjVPx6fdfWlIhMriCLgVfuOX0M6bN2rDeERrR28UyOPJ7LmG/Cd3hp5ws8qPweLqONUZZ7EAxxkh423qAt0P8Gkg== ABC2