vps/util/admin


#!/bin/bash
#
# curlcheck: https://playterm.org
# curlcheck: https://electribrary.electribers.com
# curlcheck: https://2wa.isvery.ninja
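# disk: dispatcher for disk-related subcommands.
# Usage:   disk space
# Outputs: whatever the selected subcommand prints.
# Note:    the arguments are executed as given ("$@"), so any command name
#          works here, not only the helper defined below.
disk(){
  # space: report usage of the root filesystem as
  # "<used> total used (<use%>) of <size>".
  space(){
    # df columns: Filesystem Size Used Avail Use% Mounted-on.
    # -P keeps every filesystem on one line so the field numbers stay stable.
    # The trailing figure is the Size column ($2); the Avail column ($4) would
    # make "used ... of ..." misleading.
    df -hP | awk '$6 == "/" { printf "%s total used (%s) of %s\n", $3, $5, $2 }'
    # Disabled: per-user usage of /home.
    #echo '-------'
    #ls /home | while read user; do du -hs /home/$user; done
  }
  "$@"
}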
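# health: print a status table (reachable / TLS verified / total time) for
# every URL listed in this script on a line of the form "# curlcheck: <url>"
# that starts in column 0.
# Outputs: a header plus one row per URL on stdout.
health(){
  local url
  echo "URL ONLINE SSL TIME"
  echo "- - - -"
  awk '/^# curlcheck: / {print $3}' "$0" | while IFS= read -r url; do
    [[ -n "$url" ]] || continue
    # Host part only, without the scheme; no newline, the awk row completes the line.
    printf '%s' "${url##*://}"
    # -o /dev/null: the response body is remote-controlled text and must not
    #   reach the parser below, where a matching line would fake a result.
    # Timeouts: one unresponsive host must not stall the whole report.
    # The verbose trace arrives on stderr, hence 2>&1.
    curl -v -o /dev/null --connect-timeout 10 --max-time 30 \
      -w 'Total: %{time_total}s\n' "$url" 2>&1 \
      | awk '
        BEGIN{
          err="\033[5m\033[36;5;94m❌\033[0m"
          ok="\033[1;36m♥\033[0m"
          c["SSL"]=err
          # Offline until a response status line is seen, so refused
          # connections and timeouts are not reported as online.
          c["ONL"]=err
          c["TIM"]="?"
        }
        /SSL certificate verify ok/ { c["SSL"]=ok }
        /^< HTTP\//                 { c["ONL"]=ok }
        /^Total: /                  { c["TIM"]=$2 }
        # Values go through %s so a "%" in them is never treated as a format.
        END { printf "\r\t\t\t\t%s %s %s\n", c["ONL"], c["SSL"], c["TIM"] }
      '
  done
}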
# init: make sure /etc/profile raises the open-file limit.
# Appends 'ulimit -n 65535 || true' unless some line of /etc/profile already
# mentions "ulimit" (any match counts, including a comment). Matching lines
# are echoed to stdout by grep.
init(){
  if ! grep ulimit /etc/profile; then
    # compensate alpine's low fd's
    echo 'ulimit -n 65535 || true' >> /etc/profile
  fi
}
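# proxy: firewall / port-forwarding helper.
# Usage:   proxy           show the current rule sets and the recorded port map
#          proxy install   rebuild the rules first, then show them
# The arguments are executed as given ("$@") after the screen is cleared.
# Files:   .ports is written to and read from the current directory.
proxy(){
  # install: flush the IPv4/IPv6 nat and filter rules, recreate the port
  # redirects and the per-port blocks below, then persist them via the
  # iptables/ip6tables init scripts.
  # NOTE(review): only per-port rules are added; default chain policies are
  # not set here - confirm they are configured elsewhere.
  install(){
    local ipv4_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
    local addr

    # Look up the public IPv4 address BEFORE flushing anything. It is used as
    # a -d match below; an empty or malformed value would make those rules
    # fail to install after the old rule set had already been removed.
    ip_external=$(curl -fsS --max-time 10 https://checkip.amazonaws.com)
    if [[ ! "$ip_external" =~ $ipv4_re ]]; then
      printf 'proxy install: no valid external IPv4 address (got "%s"); firewall left unchanged\n' \
        "$ip_external" >&2
      return 1
    fi
    # One "address/prefixlen" entry per line; may be empty on IPv4-only hosts.
    ipv6_external=$(ip addr | awk '/inet6.*scope global/ { print $2 }')

    echo -e "\n[forwarded ports]" > .ports
    iptables -t nat -F   # flush
    iptables -t nat -X   # flush
    iptables -F          # flush
    # A space is required before '#': "nat#" would be taken as the table name.
    ip6tables -F -t nat  # flush
    ip6tables -F         # flush
    ip6tables -X         # flush
    ip6tables -t nat -F
    ip6tables -t nat -X

    # proxies
    # proxyport <public port> <local port> <label>
    # Records the mapping in .ports, redirects IPv4 traffic for the public
    # port to the local port, and accepts the public port over IPv6.
    proxyport(){
      printf " %-5s => %-10s [%s]\n" "$1" "$2" "$3" >> .ports
      iptables -t nat -A PREROUTING -i eth0 -p tcp --dport "$1" -j REDIRECT --to-ports "$2"
      #ip6tables -t nat -A PREROUTING -i eth0 -p tcp --dport $1 -j REDIRECT --to-ports $2
      #iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport $1 -j REDIRECT --to-ports $2
      iptables -t nat -I OUTPUT -p tcp -d "$ip_external" --dport "$1" -j REDIRECT --to-ports "$2" # reverse ip
      #ip6tables -t nat -I OUTPUT -p tcp -d $ipv6_external --dport $1 -j REDIRECT --to-ports $2 # reverse ip
      ip6tables -A INPUT -p tcp --dport "$1" -j ACCEPT
      ip6tables -A OUTPUT -p tcp --dport "$1" -j ACCEPT
      #iptables -t nat -A POSTROUTING -p tcp --dport $2 -j MASQUERADE
    }
    proxyport 80 8080 nginx-proxy-manager
    #proxyport 81 8181 nginx-proxy-manager
    proxyport 443 4443 nginx-proxy-manager
    #proxyport 993 9993 stalwart-mail
    #proxyport 25 2225 stalwart-mail
    #proxyport 465 4465 stalwart-mail
    #proxyport 587 5587 nodered
    #proxyport 25 5587 nodered

    # block port 3000 (nginx-proxy-manager exposes it)
    iptables -A INPUT -p tcp -d "$ip_external" --dport 3000 -j REJECT
    # The IPv6 rule has to match the host's global IPv6 addresses: ip6tables
    # cannot take the IPv4 address as -d, and the --reject-with value must be
    # one ip6tables knows. Without a working rule here the port would stay
    # unfiltered over IPv6.
    while IFS= read -r addr; do
      [[ -n "$addr" ]] || continue
      ip6tables -A INPUT -p tcp -d "${addr%%/*}" --dport 3000 -j REJECT --reject-with icmp6-adm-prohibited
    done <<< "$ipv6_external"

    # block port 25
    #iptables -A INPUT -p tcp -d $ip_external --dport 25 -j REJECT

    # block irc 0.0.0.0:6667 port except for nodered docker
    iptables -A INPUT -i lo -p tcp --dport 6667 -j ACCEPT
    iptables -A INPUT -s 10.0.2.2 -p tcp --dport 6667 -j ACCEPT
    iptables -A INPUT -p tcp --dport 6667 -j REJECT
    ip6tables -A INPUT -i lo -j ACCEPT
    ip6tables -A INPUT -s fd00::/64 -p tcp --dport 6667 -j ACCEPT
    ip6tables -A INPUT -p tcp --dport 6667 -j REJECT

    # rate limiting per ip (disabled)
    #iptables --new-chain RATE-LIMIT
    #iptables --append RATE-LIMIT \
    # --match hashlimit \
    # --hashlimit-mode srcip \
    # --hashlimit-upto 50/sec \
    # --hashlimit-burst 20 \
    # --hashlimit-name conn_rate_limit \
    # --jump ACCEPT
    #iptables --append RATE-LIMIT --jump DROP

    # Persist the rule sets and load them at boot.
    rc-update add iptables
    rc-update add ip6tables
    /etc/init.d/iptables save
    /etc/init.d/ip6tables save
  }
  clear
  "$@"
  {
    iptables -t nat -L -n -v
    iptables -L
    ip6tables -L
  } | more
  cat .ports
}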
# logs: follow all nginx-proxy-manager *.log files, hide favicon requests and
# cut each line at the first "] [" (the closing bracket is kept).
# Runs until interrupted because tail is started with -f.
logs(){
  local log_dir=/home/2wa/nginx-proxy-manager/data/log
  tail -qf "$log_dir"/*.log \
    | grep -v favicon \
    | sed 's|\] \[.*|]|g'
}
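# backup: dump crontabs and the installed package list, zip them together
# with the service directories under /home/2wa, and copy the archive to the
# rclone remote "stack:backup/.". Start and stop are logged to /root/.cron.log.
# Returns: 1 without doing anything if /root cannot be entered.
#
# The archive contains secrets (/root/.ssh, /home/2wa/.ssh, *.key) and is not
# encrypted by this function.
# NOTE(review): confirm the rclone remote is access-restricted or encrypted.
backup(){
  # Every relative path below assumes /root; without this check a failed cd
  # would write the dumps and the archive into whatever directory was current.
  cd /root || {
    printf 'backup: cannot cd to /root; nothing was backed up\n' >&2
    return 1
  }
  # Newly created dumps and archives hold key material: owner-only permissions.
  local previous_umask
  previous_umask=$(umask)
  umask 077

  echo "$(date) ./admin backup [start]" >> /root/.cron.log
  BACKUP=backup-2wa.isvery.ninja.zip
  crontab -l > crontab.root.txt
  apk list -i > alpine.packages.txt
  su -c 'crontab -l' 2wa > crontab.2wa.txt
  # Lowest CPU and I/O priority; zip's progress output is collapsed onto one
  # line. "%s" keeps a "%" inside a file name from being read as a format.
  nice -n 19 /usr/bin/ionice -c2 -n7 zip -r "$BACKUP" \
    /root/admin /root/crontab.* /root/alpine*.txt /root/.ssh \
    /home/2wa/.ssh /home/2wa/.config /home/2wa/nginx-proxy-manager/{app.sh,data,*.key} \
    /home/2wa/weechat-redbean \
    /home/2wa/invoiceninja \
    /home/2wa/mailtrain \
    /home/2wa/stalwart-mail \
    /home/2wa/node-red \
    /home/2wa/ntfy \
    /home/2wa/portsleep* \
    /home/2wa/tcgi* \
    /home/2wa/stats \
    -x '*.log.*' -x '*.weecha*' -x 'postfix/*' \
    | awk '{ printf "\r%s", $0 } END { print "" }'
  ls -lah "$BACKUP"
  rclone copy "$BACKUP" stack:backup/. --progress
  echo "$(date) ./admin backup [stop]" >> /root/.cron.log
  umask "$previous_umask"
}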
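# Entry point: "./admin <function> [args...]".
# Without arguments, list the functions defined in this file. Otherwise the
# first argument must name a shell function; it is not run as an arbitrary
# command. The remaining arguments are handed to that function unchanged
# (disk and proxy execute them in turn).
if [[ $# -eq 0 ]]; then
  echo "Usage: "
  grep '(){' "$0"
elif declare -F -- "$1" > /dev/null; then
  "$@"
else
  printf '%s: unknown command: %s\n' "${0##*/}" "$1" >&2
  exit 2
fi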