initial commit (end)

This commit is contained in:
Adrian Amaglio 2023-04-24 12:30:17 +02:00
parent ca56c39651
commit 0a0fa0b9f1
33 changed files with 426 additions and 1128 deletions


@ -0,0 +1 @@
/data/borg/repos


@ -0,0 +1,19 @@
Ansible :
- Manage ssh (public) keys
- create a borg-specific .ssh conf folder in /data/borg/.ssh
- run borg with BORG_RSH="/bin/ssh -F configfile"
- create borg users everywhere
- set up cron job
- update the /data/borg/config/borg-conf.env with new hosts ?
Docker :
- something, probably.
DONE
manage multiple backup hosts (stop overwriting the conf', dumbie)
- could be done neatly with a yml conf file
- maybe also check around ~/.ssh/ssh_config if it could be done ?
Quickfix : use the same passphrase for a repo on each of its locations (hosts)


@ -0,0 +1,186 @@
#!/bin/bash
# borg-backup.sh
# Script to run regularly to backup a Jean-Cloud machine
#
# This will create a separate borg repo for every item in the BORG_REPOS variable
# And in each location specified in the BORG_HOSTS variable
# Use the file borg-conf.env to set these.
#
# If it finds an item in the BORG_REPOS that isn't yet a borg repository on one
# of the BORG_HOSTS, it will init a new repo there.
#
# Dependencies:
# packages: borg > 1.4
# scripts: /usr[/local]/bin/driglibash-base
# files: /data/borg/config/borg-conf.env
# /data/borg/config/.borgexclude
# Cheatsheet:
# ${#array[@]} number of elements in array
# ${array[@]} each element in array (separate words)
# ${array[i]} i-th element in array
if test -s /usr/local/bin/driglibash-base -a -r /usr/local/bin/driglibash-base ; then
. /usr/local/bin/driglibash-base
elif test -s /usr/bin/driglibash-base -a -r /usr/bin/driglibash-base ; then
. /usr/bin/driglibash-base
else
die "Could'nt source driglibash. See https://github.com/adrian-amaglio/driglibash/"
fi
BORG_ENV="/data/borg/config/borg-conf.env";
test -s "$BORG_ENV" && test -r "$BORG_ENV" || die "Couldn't find \"$BORG_ENV\" configuration file!"
. "$BORG_ENV"
mkdir -p "$BORG_BASE_DIR" "$BORG_CACHE_DIR" "$BORG_CONFIG_DIR" "$BORG_TMPDIR" "$BORG_SECURITY_DIR" "$BORG_SECURITY_DIR/passphrases" "$BORG_SECURITY_DIR/repokeys"
function init_repo() {
# args :
# $1 : host (local path or ssh where the borg repo is stored)
# $2 : path (local dir(s) to be saved in the repo)
# $3 : name of the repo on (remote) host
# $4 : unique alias to identiy the host
test "$verbosity" -gt 0 && echo "init_repo( $1 \\ $2 \\ $3)"
mkdir -p "$BORG_SECURITY_DIR/passphrases/$4/"
mkdir -p "$BORG_SECURITY_DIR/repokeys/$4/"
#create passphrase
LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 128 > "$BORG_SECURITY_DIR/passphrases/$4/$3"
export BORG_PASSPHRASE=$(cat "$BORG_SECURITY_DIR/passphrases/$4/$3")
#init repo
test "$verbosity" -gt 1 && echo "borg init ${verbosity:+"--progress"} --make-parent-dirs -e repokey "$1/$3""
test "$verbosity" -gt 3 && read -p " Continue ?"
run borg init ${verbosity:+"--progress"} --make-parent-dirs -e repokey "$1/$3"
#create first entry
test "$verbosity" -gt 1 && echo "borg create ${verbosity:+"--progress"} ${BORG_EXCLUDE_FILE:+"--exclude-from $BORG_EXCLUDE_FILE"} "$1/$3"::"init-$(date +%Y-%m-%d_%H-%M-%S)" "$2""
test "$verbosity" -gt 3 && read -p " Continue ?"
run borg create ${verbosity:+"--progress"} ${BORG_EXCLUDE_FILE:+--exclude-from "$BORG_EXCLUDE_FILE"} "$1/$3"::"init-$(date +%Y-%m-%d_%H-%M-%S)" "$2"
#export repokey in case of repo catastrophic loss
test "$verbosity" -gt 1 && echo "borg key export "$1/$3" "$BORG_SECURITY_DIR/repokeys/$3""
test "$verbosity" -gt 3 && read -p " Continue ?"
run borg key export "$1/$3" "$BORG_SECURITY_DIR/repokeys/$4/$3"
#TODO These keys should be backuped somewhere
}
for alias in "${!host_mode[@]}" ; do
# Begin parameter validation
test -n "${host_repo_dir["$alias"]}" && test -d "${host_repo_dir[$alias]}" || pathchk -p -P "${host_repo_dir["$alias"]}" 2>/dev/null && mkdir -p "${host_repo_dir[$alias]}" || die "Config error! Host $alias : "${host_repo_dir["$alias"]}" isn't a valid repo dir."
if test "${host_mode[$alias]}" = "local" ; then
host="${host_repo_dir[$alias]}"
elif test "${host_mode[$alias]}" = "ssh" ; then
test -n "${host_user["$alias"]}" && echo "${host_user["$alias"]}" | grep -q -E "^[a-z_][a-z0-9_-]*$" || die "Config error! Host $alias : ${host_user["$alias"]} isn't a valid username."
test -z ${host_host["$alias"]} && die "Config error! Host $alias : you must provide a host in ssh mode!"
check_host=false
# IPv4 regexp
echo ${host_host["$alias"]} | grep -q -E "^([0-2]?[0-9]{1,2}\.){3}[0-2]?[0-9]{1,2}$" && check_host=true
# IPv6 regexp
echo ${host_host["$alias"]} | grep -q -E "^(((([a-f]|[0-9]){1,4})|:):){6}([a-f]|[0-9]){1,4}$" && check_host=true
# URL regexp
echo ${host_host["$alias"]} | grep -q -E "^[0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*\.[a-z]{2,5}$" && check_host=true
test "$check_host" = true || die "Config error! Host $alias : ${host_host["$alias"]} isn't a valid host (expected IPv4, IPv6 or URL)."
test -n "${host_port["$alias"]}" && test "${host_port["$alias"]}" -gt 2>/dev/null 0 && test "${host_port["$alias"]}" -le 65536 || die "Config error! Host $alias : "${host_port["$alias"]}" isn't a valid port."
# End parameter validation
# Parameter expansion lvl: I was not ready for this.
host="ssh://${host_user["$alias"]:+${host_user["$alias"]}@}\
${host_host["$alias"]:+${host_host["$alias"]}}\
${host_port["$alias"]:+:${host_port["$alias"]}}\
${host_repo_dir["$alias"]:+${host_repo_dir["$alias"]}}"
# super-secret-back-door
elif test "${host_mode[$alias]}" = "iknowwhatimdoing" ; then
host="${host_host["$alias"]}"
else
die "Config error! Host $alias : unrecognized mode ${host_mode[$alias]}"
fi
test "$verbosity" -gt 0 && section "$alias: $host"
for repo in "${local_repos[@]}" ; do
test "$verbosity" -gt 0 && section "$repo"
# we use a python-like name for the repo:
reponame=$(echo "$repo" | tr "/" ".")
#Check that the repo exists (we could be backuping a new service)
check_repo_exists=false;
if test "${host_mode[$alias]}" = "ssh" ; then
export BORG_PASSPHRASE=$(cat "$BORG_SECURITY_DIR/passphrases/$alias/$reponame") && borg list "$host/$reponame" > /dev/null && check_repo_exists=true || "Could'nt open repo $reponame at host $host. Creating it."
fi
test "${host_mode[$alias]}" = "local" && test -d "$host/$reponame" && test -s "$host/$reponame/README" && grep -q "This is a Borg Backup repository." "$host/$reponame/README" && check_repo_exists=true
#TODO: this doesn't check if a distant repo exists
if $check_repo_exists = true ; then
#it's okay, repo exists, start the normal backup
test -s "$BORG_SECURITY_DIR/passphrases/$alias/$reponame" && export BORG_PASSPHRASE=$(cat "$BORG_SECURITY_DIR/passphrases/$alias/$reponame") || die "Couldn't get passphrase for repo $alias/$repo from file: $BORG_SECURITY_DIR/passphrases/$alias/$reponame"
test $verbosity -gt 1 && echo "borg create ${verbosity:+"--progress"} ${BORG_EXCLUDE_FILE:+--exclude-from "$BORG_EXCLUDE_FILE"} --compression obfuscate,115,auto,zstd,20 "$host/$reponame"::"$reponame-$(date +%Y-%m-%d_%H-%M-%S)" "$repo""
test $verbosity -gt 3 && read -p " Continue ?"
run borg create ${verbosity:+"--progress"} ${BORG_EXCLUDE_FILE:+--exclude-from "$BORG_EXCLUDE_FILE"} --compression obfuscate,115,auto,zstd,20 "$host/$reponame"::"$reponame-$(date +%Y-%m-%d_%H-%M-%S)" "$repo"
#TODO Check that zstd lvl 20 compression is not too cpu-intensive, could be reduced (or use lz4) (see borg help benchmark)
# Global retention parameters
hourly=${BORG_KEEP_HOURLY[all]:+"--keep-hourly=${BORG_KEEP_HOURLY[all]} "}
daily=${BORG_KEEP_DAILY[all]:+"--keep-daily=${BORG_KEEP_DAILY[all]} "}
weekly=${BORG_KEEP_WEEKLY[all]:+"--keep-weekly=${BORG_KEEP_WEEKLY[all]} "}
monthly=${BORG_KEEP_MONTHLY[all]:+"--keep-monthly=${BORG_KEEP_MONTHLY[all]} "}
yearly=${BORG_KEEP_YEARLY[all]:+"--keep-yearly=${BORG_KEEP_YEARLY[all]} "}
test $verbosity -gt 2 && echo "Global retention policy : $hourly $daily $weekly $monthly $yearly"
# Per-host retention parameters
test -n "${BORG_KEEP_HOURLY["$alias"]}" && hourly="--keep-hourly=${BORG_KEEP_HOURLY["$alias"]}"
test -n "${BORG_KEEP_DAILY["$alias"]}" && daily="--keep-daily=${BORG_KEEP_DAILY["$alias"]}"
test -n "${BORG_KEEP_WEEKLY["$alias"]}" && weekly="--keep-weekly=${BORG_KEEP_WEEKLY["$alias"]}"
test -n "${BORG_KEEP_MONTHLY["$alias"]}" && monthly="--keep-monthly=${BORG_KEEP_MONTHLY["$alias"]}"
test -n "${BORG_KEEP_YEARLY["$alias"]}" && yearly="--keep-yearly=${BORG_KEEP_YEARLY["$alias"]}"
test $verbosity -gt 2 && echo "$alias retention policy : $hourly $daily $weekly $monthly $yearly"
test $verbosity -gt 1 && echo "borg prune ${verbosity:+"--progress"} --list --glob-archives \"$reponame*\" $hourly $daily $weekly $monthly $yearly \"$host/$reponame\""
test $verbosity -gt 3 && read -p " Continue ?"
run borg prune ${verbosity:+"--progress"} --list --glob-archives \"$reponame*\" $hourly $daily $weekly $monthly $yearly "$host/$reponame"
else
#If repo doesn't exist, create it
init_repo "$host" "$repo" "$reponame" "$alias"
fi
done
done
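Review bot: At `borg list "$host/$reponame" > /dev/null && check_repo_exists=true || "Could'nt open repo ..."` a failed `borg list` (unreachable host, locked repo, missing or wrong passphrase) is indistinguishable from "repo does not exist", so the else branch calls `init_repo`, whose first step `LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 128 > "$BORG_SECURITY_DIR/passphrases/$4/$3"` overwrites the existing passphrase file with a fresh random value before `borg init` then fails on the already-initialised repository — a transient SSH error destroys the only local copy of that repo's passphrase. The string after `||` is also executed as a command rather than printed, so that branch only produces a "command not found". I would make `init_repo` refuse to clobber — `test -e "$BORG_SECURITY_DIR/passphrases/$4/$3" && die "Refusing to overwrite existing passphrase for $4/$3"` before the passphrase is generated — and run the script under `umask 077` so the passphrase files and the exported repokeys are not readable by other users under the default umask. Separately, `--glob-archives \"$reponame*\"` on the prune line passes literal double-quote characters to borg, so the pattern cannot match the `$reponame-<date>` archives created above and retention is never applied; it should be `--glob-archives "$reponame*"` (the backslash-quotes on the echo line are display-only). The `if $check_repo_exists = true` test only works because `true`/`false` ignore their arguments; `if [[ "$check_repo_exists" == true ]]` says what is meant.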


@ -0,0 +1,59 @@
verbosity=3
# Borg Configuration
BORG_BASE_DIR=/data/borg
BORG_CACHE_DIR=$BORG_BASE_DIR/cache
BORG_CONFIG_DIR=$BORG_BASE_DIR/config
BORG_TMPDIR=$BORG_BASE_DIR/tmp
BORG_SECURITY_DIR=$BORG_BASE_DIR/security
# Jean-Cloud configuration:
# Where are backups saved
BORG_HOSTS=(\
/data/borg/repos \
ssh://root@tetede.jean-cloud.net:45985/data/borg/repos \
#ssh://borg@tetede.jean-cloud.net:4646/data/borg/repos \
)
# Local backuped dirs
local_repos=($(ls -d /data/*)) #NO TRAILING SLASHES PLEASE
# Hosts configuration
# # Sample host configuration
# host_mode[alias]=local|ssh
# host_repo_dir[alias]=/path/to/repo
# # Params below this line are specific to ssh hosts
# host_host[alias]=borg.example.org|123.456.789 # TODO There are regexps to chek for valid IPv4 and IPv6, but not URL yet.
# host_port[alias]=22
# host_user[alias]=borg-distant-user
declare -A host_mode host_repo_dir host_host host_port host_user host_repo_dir
# host: tetede
host_mode[tetede]=ssh
host_host[tetede]=tetede.jean-cloud.net
host_port[tetede]=45985
host_user[tetede]=root
host_repo_dir[tetede]=/data/borg/repos
# host : localhost
host_mode[localhost]=local
host_repo_dir[localhost]=/data/borg/repos
declare -A BORG_KEEP_HOURLY BORG_KEEP_DAILY BORG_KEEP_WEEKLY BORG_KEEP_MONTHLY BORG_KEEP_YEARLY
# Global retention configuration (comment a line to deactivate it, do not set it to 0)
#BORG_KEEP_HOURLY[all]=1
BORG_KEEP_DAILY[all]=4
BORG_KEEP_WEEKLY[all]=2
BORG_KEEP_MONTHLY[all]=2
#BORG_KEEP_YEARLY[all]=1
# Per-host retention configuration (comment a line to deactivate it, do not set it to 0)
#BORG_KEEP_HOURLY[alias]=1
#BORG_KEEP_DAILY[alias]=4
#BORG_KEEP_WEEKLY[alias]=2
#BORG_KEEP_MONTHLY[alias]=2
BORG_KEEP_YEARLY[localhost]=1
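Review bot: `host_user[tetede]=root` (and the `ssh://root@tetede.jean-cloud.net:45985/...` entry in `BORG_HOSTS`) gives every client that runs this backup an unrestricted root login on the backup host, so a single compromised client can read, alter or delete every repository there, including other machines'; the commented-out `borg@tetede.jean-cloud.net:4646` line suggests a dedicated user was intended, and I would pin that user's key in `authorized_keys` to `command="borg serve --restrict-to-path /data/borg/repos/<client> --append-only",restrict` so each client can only append to its own repositories. `local_repos=($(ls -d /data/*))` parses `ls` output (breaks on paths with whitespace) and, with `BORG_BASE_DIR=/data/borg`, includes the borg base directory itself, so the local repos, cache and passphrase directory are backed up into a repository under `/data/borg/repos` on the same host — a recursively growing archive unless the exclude file, whose `BORG_EXCLUDE_FILE` variable is not set anywhere in this file, removes it; `local_repos=(/data/*)` plus an explicit exclusion of `/data/borg` addresses both. The `BORG_HOSTS` array is not referenced by the accompanying script, which iterates `host_mode`, so it is a stale second source of truth that should be dropped rather than left to drift. Because this file is sourced as shell, presumably by a privileged cron job, it must be root-owned and not writable by anyone else, otherwise it is a code-execution path into the backup account.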


@ -1,6 +1,6 @@
- name: server
hosts: servers
become: yes
become: no
gather_facts: no
roles:
# Ansible prerequisites
@ -8,7 +8,7 @@
- name: server
hosts: servers
become: yes
#become: yes
#gather_facts: no
roles:
# Ansible prerequisites


@ -1,155 +0,0 @@
#!/bin/bash
driglibash_run_retry=true
. driglibash-base
set -euo pipefail
###############################################################################
# Variables
###############################################################################
proxy_dir="/etc/nginx"
nginx_conf_path="$proxy_dir/sites-enabled"
new_nginx_conf_path="$proxy_dir/new-sites-enabled"
certs_path="/etc/letsencrypt/live"
dummy_cert_path="$certs_path/dummy"
###############################################################################
# Helpers
###############################################################################
# Returns the public IP4 address of a domain name
function ipof {
resolv.sh "$1"
}
# Path to this directory
here="$(where 'follow_links')"
# Ip4 address
my_ip="$(ipof "$(cat /etc/hostname)")"
[ -z "$my_ip" ] && yell "Unable to find my IP" && exit 1
###############################################################################
# Nginx preparation
###############################################################################
driglibash_section_prefix="[Prepare nginx] "
section "Delete new conf directory (to recover)"
run rm -rf "$new_nginx_conf_path"
section "Create new conf file (for tests purposes)"
sed "s#$nginx_conf_path#$new_nginx_conf_path#" "/docker/_proxy/nginx.conf" > "$proxy_dir/new_nginx.conf"
section "Create proxy dir"
run mkdir -p "$proxy_dir" /docker /data
run chown root:root /docker
run chown root:root /data
run chmod 755 /docker
run chmod 755 /data
section "Check dummy cert exists "
#TODO check if expired
if [ ! -f "$dummy_cert_path/privkey.pem" ] ; then
echo "Dummy cert generation"
run mkdir -p "$dummy_cert_path"
run openssl req -x509 -newkey rsa:2048 -keyout /etc/letsencrypt/live/dummy/privkey.pem -out /etc/letsencrypt/live/dummy/fullchain.pem -days 365 -nodes -subj "/C=FR/ST=France/O=IT/CN=jean-cloud.net"
fi
section "Create new conf directory"
run mkdir -p "$new_nginx_conf_path"
###############################################################################
# Deploy services
###############################################################################
for dir in /docker/* ; do
service="$(basename "$dir")"
# Ignore _ prefixed directories
[ "${service::1}" == '_' ] && continue
docker_service="$(echo "$service" | tr '.' '_')"
driglibash_section_prefix="[$service] "
cd "/docker/$service"
# Is service meant to be on this server?
ip="$(ipof "$service")"
[ -z "$ip" ] && yell "No IP found for $service" && continue
if [ "$ip" != "$my_ip" ] ; then
if [ -n "$(docker ps | grep "$docker_service")" ] ; then
section "--------------------"
section "Removing service"
docker-compose down --rmi all --remove-orphans
fi
continue
fi
# If there is a docker-compose file and it has services in it
if [ -f "/docker/$service/docker-compose.yml" ] && [ -n "$(grep '^[^#]*services' "/docker/$service/docker-compose.yml")" ] ; then
section "-------------------- $service"
section "Logging to registry"
# XXX Login to docker registry
section "Pulling images"
run docker-compose pull
section "Starting service"
run docker-compose up -d --remove-orphans
fi
# If there is a nginx conf file
if [ -f "/docker/$service/nginx_server.conf" ] ; then
section "Copy nginx conf"
run cp "/docker/$service/nginx_server.conf" "$new_nginx_conf_path/$service"
if [ -f "/docker/$service/.env" ] ; then
section "Template nginx conf with vars from '.env' file"
run template.sh "/docker/$service/.env" < "/docker/$service/nginx_server.conf" > "$new_nginx_conf_path/$service"
fi
fi
# Do we need dummy cert?
if [ ! -e "$certs_path/$service/fullchain.pem" ] ; then
section "Create cert dir"
run mkdir -p "$certs_path/$service"
section "Link dummy to cert"
run ln -s "$dummy_cert_path/fullchain.pem" "$certs_path/$service"
run ln -s "$dummy_cert_path/privkey.pem" "$certs_path/$service"
fi
section "Testing nginx conf"
run nginx -t -c /etc/nginx/new_nginx.conf
done
###############################################################################
# Nginx restart
###############################################################################
driglibash_section_prefix="[Restart nginx] "
section "Test if nginx conf is ok"
run nginx -t -c "$proxy_dir/new_nginx.conf"
section "Update nginx conf"
run rm -rf "$nginx_conf_path"
run mv "$new_nginx_conf_path" "$nginx_conf_path"
run cp "/docker/_proxy/nginx.conf" "$proxy_dir/nginx.conf"
section "Test nginx conf to be sure"
run nginx -t
if [ -z "$(cat /var/run/nginx.pid)" ] ; then
section "Start nginx"
run nginx
else
section "Reload nginx"
run nginx -s reload
fi
clean


@ -1,90 +0,0 @@
#!/bin/bash
###############################################################################
# https://github.com/adrianamaglio/driglibash-arg
###############################################################################
# Usage :
#
# version="alpha nightly 0.0.1 pre-release unstable"
# summary="$0 [options] <device>"
#
# usage[t]="Start qemu after the installation"
# varia[t]=tst
# tst=false
#
# usage[i]="Install the provided package. Not implemented"
# varia[i]=install
# declare -a install
#
# usage[k]="Keep the temporar mountpoints"
# varia[k]=keep
# keep=false
#
# usage[e]="bash command file to execute in the chroot. - to read from stdin"
# varia[e]=execute
# declare -a execute
. driglibash-base
#TODO keep order usage options
# Print usage and exit in error
usage() {
yell "Version: $version"
yell "Usage: $summary"
yell "Parameters:"
yell " -h print this help, version and exit."
for key in "${!usage[@]}" ; do
if [ "$(driglibash_arg_type "$key")" == "single_value" ] ; then
name="${varia[$key]}"
default=" (default : ${!name})"
else
default=
fi
yell " -$key ${usage[$key]}$default"
done
exit 0
}
# Guess the variable type
# Boolean, list or string
driglibash_arg_type() {
if [ $# -ne 1 ] ; then
die "Bad driglibash_arg_type usage";
fi
name="${varia[$1]}"
if [ "$name" == "" ] ; then die "Variable name is empty for key $1" ; fi
if [ "${!name}" == "false" ] ; then
echo "boolean"
elif [ -n "$( declare -p "$name" 2>/dev/null | grep 'declare \-a')" ] ; then
echo "array"
else
echo "single_value"
fi
}
# Generate getopts string #
getopts_string=":h"
for key in ${!usage[@]} ; do
needs_parameter=
if [ "$(driglibash_arg_type "$key")" != "boolean" ] ; then needs_parameter=":" ; fi
getopts_string="$getopts_string$key$needs_parameter"
done
# Loop throught options #
while getopts "$getopts_string" opt; do
case $opt in
h) usage;;
:) die "Option -$OPTARG requires an argument.";;
\?) die "Invalid option: -$OPTARG";;
*)
name="${varia[$opt]}"
if [ "${!name}" == "false" ] ; then eval $name=true
elif [ -n "$( declare -p "$name" 2>/dev/null | grep 'declare \-a')" ] ; then safe="${!name} $OPTARG" ; eval $name=\$safe
else eval $name=\$OPTARG
fi;;
esac
done ; shift $((OPTIND-1))


@ -1,179 +0,0 @@
###############################################################################
# Driglibash pack 1
# Usual helper functions for bash scripts
# https://github.com/adrianamaglio/driglibash
###############################################################################
# Set to true to make a pause at each step
driglibash_step_by_step=false
# Set to watever you want to have a prefix
driglibash_section_prefix=""
trap 'die "Received sigint"' INT
# Output on standard error output
yell() {
echo >&2 -e "$@"
}
# Output first parameter, second parameter times
repeat() {
printf "$1"'%.s' $(eval "echo {1.."$(($2))"}")
}
# Output a "section title" to visually separate different script part
# TODO local variables
# TODO fixed place left aligned
section(){
text="$driglibash_section_prefix$1"
if [ -n "$text" ] ; then
len="${#text}"
max_len="$(($(tput cols)-2))"
if [ "$len" -ge "$max_len" ] ; then
right=5
left=5
else
left="$((($max_len - $len)/2))"
right="$left"
fi
else
left=80
right=0
fi
# If the character number was rounded down
if [ "$(($left + $right + $len +1 ))" -eq "$max_len" ] ; then
left="$(($left+ 1))"
fi
repeat '=' "$left"
if [ "$right" -ge 1 ] ; then
echo -n " $text "
repeat '=' "$right"
echo
fi
if "$driglibash_step_by_step" ; then
echo "Press enter to proceed"
read
fi
}
alias step=section
# Print an error, clean and exit
die() {
yell "$@"
clean
exit 1
}
# Exit on error if not root
root_or_die() {
if [ "$UID" -ne 0 ] ; then
die "You need to be root"
fi
}
# Execute a command and die if it returns with error #
run() {
while true ; do
"$@"
code=$?
if [ "$code" -ne 0 ] ; then
yell "command [$*] failed with exit code '$code'"
if [ -n "$driglibash_run_retry" ] ; then
echo "Retry ? Retry (y), skip the command (s) or exit script(n) [Y/s/n] ?"
read answer
if [ "$answer" = "y" ] || [ "$answer" = "Y" ] || [ -z "$answer" ] ; then
continue
elif [ "$answer" = "s" ] || [ "$answer" = "S" ] ; then
return "$code"
fi
fi
die "Aborting"
else
break
fi
done
}
# Execute a commad in background and return its pid
start(){
"$@" &
pid=$!
clean pre "kill $pid"
return $pid
}
# Clean exit #
# Record command lines passed as argument and execute them all when called without args #
# One argument = One command #
# TODO append or prepend according to arg
declare -a driglibash_clean_actions
clean() {
if [ "$#" -eq 0 ] ; then
echo "Cleaning"
for action in "${driglibash_clean_actions[@]}" ; do
echo "driglibash_clean> $action"
$action
done
elif [ "$#" -eq 1 ] ; then
driglibash_clean_actions+=("$1")
elif [ "$#" -eq 2 ] ; then
case "$1" in
"pre")
declare -a tmp
tmp=("${driglibash_clean_actions[@]}")
driglibash_clean_actions=("$2")
driglibash_clean_actions+=("${tmp[@]}")
;;
"post")
driglibash_clean_actions+=("$2")
;;
"del")
for i in "${!driglibash_clean_actions[@]}" ; do
if [ "$2" = "${driglibash_clean_actions[$i]}" ] ; then
unset driglibash_clean_actions[$i]
break
fi
done
;;
*)
die "driglibash_clean: action '$1' not supported"
esac
else
die "driglibash_clean : Bad clean usage, receveid more than two args"
fi
}
# tells where your executable is (absolute path). Follow simlinks if any argument provided
where() {
if [ -z "$1" ] ; then
echo "$( cd -P "$( dirname "$1" )" && pwd )"
else
SOURCE="$0"
while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
SOURCE="$(readlink "$SOURCE")"
[[ $SOURCE != /* ]] && SOURCE="$DIR/$SOURCE" # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
done
DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
echo $DIR
fi
}
# Add the line $1 in file $2 if not present
line_in_file() {
if [ "$#" -ne 2 ] ; then die "Bad usage of 'line_in_file'. Got '$#' parameters : '$@'" ; fi
if [ -z "$1" ] ; then die "Line arg is emtpy in 'line_in_file'" ; fi
line="$1"
if [ -z "$2" ] ; then die "File arg is emtpy in 'line_in_file'" ; fi
file="$2"
if [ ! -f "$file" ] ; then run touch "$file" ; fi
grep -q -x -F "$line" "$file" || echo "$line" >> "$file"
}


@ -1,105 +0,0 @@
#!/bin/bash
# This script will run on new cert and on cron renew
# there is one cert by service
# TODO make it an ansible script
# No
# Les arguments du pauvre
if [ "$#" -eq 1 ] && [ "$1" = '-v' ] ; then
verbose=true
else
verbose=false
fi
# Variable
acmeroot=/var/www/letsencrypt
# Création du répertoire
mkdir -p "$acmeroot"
# With trailing slash or it will be a prefix selector
#nginx_sites_dir="/etc/nginx/sites-enabled/"
nginx_sites_dir="/etc/nginx/sites-enabled/"
for file in "$nginx_sites_dir"* ; do
if $verbose ; then
echo '-------------------------'
echo "$file"
fi
service_name="$(basename "$file")"
# Getting just the domain names
domains="$(grep '^[[:blank:]]*[^#][[:blank:]]*server_name' "$file" | sed 's/ _ / /g' | sed 's/server_name//g' | sed 's/default_server//g' | sed -e 's/^[[:space:]]*//' | cut -d ';' -f 1)"
if [ -n "$domains" ] ; then
# If using dummy cert, disabling it
if [ "$(readlink "/etc/letsencrypt/live/$service_name/fullchain.pem")" = "/etc/letsencrypt/live/dummy/fullchain.pem" ] ; then
rm -r "/etc/letsencrypt/live/$service_name"
fi
# removing duplicates
domains="$(echo $domains | awk '{for (i=1;i<=NF;i++) if (!a[$i]++) printf("%s%s",$i,FS)}{printf("\n")}')"
echo "$domains"
# adding -d before every domain
domains="-d $(echo $domains | sed 's/ / -d /g')"
# Run certbot
command="certbot certonly -n --expand --agree-tos --webroot -w "$acmeroot" --email contact@jean-cloud.org --cert-name "$(basename $file)" $domains"
if $verbose ; then
echo $command
fi
out="$($command 2>&1)"
result="$?"
if [ "$result" -eq 0 ] && [[ "$out" = *"Certificate not yet due for renewal; no action taken."* ]]; then
echo "Cert still valid"
elif [ "$result" -eq 0 ] ; then
echo "Cert renewed or obtained"
#new_cert="$(echo "$out" | grep -oE '/etc/letsencrypt/live/.*/fullchain.pem')"
#echo "'$new_cert'"
#new_cert_dir="$(dirname "$out")"
#echo "'$new_cert_dir'"
#if [ -d "$new_cert_dir" ] ; then
# echo "New cert dir : '$new_cert_dir'"
# echo "cp '$new_cert_dir/*' '/data/proxy/certs/'"
#else
# echo "Error parsiong dir name"
#fi
elif [ "$result" -eq 1 ] ; then
echo "Cert failed"
echo " ------------------------------------------"
echo "$out"
echo " ------------------------------------------"
else
echo "Unknown error : $result.\n$out"
fi
fi
done
ls /etc/letsencrypt/live/*000* &> /dev/null
if [ "$?" -eq 0 ] ; then
echo " ---------------------------------------------------------------------------------------------"
echo "Bad certs detected in letsencrypt dir. Nginx conf wont work…"
echo "rm -r /etc/letsencrypt/live/*000* /etc/letsencrypt/archive/*000* /etc/letsencrypt/renewal/*000*"
echo " ---------------------------------------------------------------------------------------------"
fi
nginx -t
code="$?"
if [ "$code" -ne 0 ] ; then
echo "Nginx test error, cant reloat it"
exit 1
fi
nginx -s reload
code="$?"
if [ "$code" -ne 0 ] ; then
echo "Nginx reload error, GENERAL ALEEEEEEEEERT!!!!!"
exit 1
fi
echo "Done. No error detected."


@ -1,2 +0,0 @@
#!/bin/sh
docker inspect -f $'{{.Name}}\t{{.GraphDriver.Data.MergedDir}}' $(docker ps -aq)


@ -1,61 +0,0 @@
#!/bin/bash
set -euo pipefail
########################### Helpers ###########################################
function yell {
echo "$@" >&2
}
function die {
yell "$@"
exit 1
}
function say {
if "$verbose" ; then
yell "$@"
fi
}
########################### Options ###########################################
verbose=false
if [ "$1" = '-v' ] ; then
verbose=true
shift
fi
########################### arguments ##########################################
if [ "$#" -ne 1 ] ; then
die "Usage: $0 [options] <domain_name>
options : -v verbose"
fi
name="$1"
########################### script ############################################
while true ; do
if "$verbose" ; then
say "Querying $name"
fi
while read line ; do
if [[ "$line" = *"is an alias for "* ]] ; then
name="$(echo "$line" | cut -d ' ' -f 6)"
break
elif [[ "$line" = *" has address "* ]] ; then
echo "$line" | cut -d ' ' -f 4
exit 0
elif [[ "$line" = *" not found: "* ]] ; then
exit 0
elif [[ "$line" = *" has no A record" ]] ; then
exit 0
else
say "unmatched: $line"
fi
done <<< "$(host -W 2 -t A "$name" localhost)"
done


@ -1,8 +0,0 @@
#!/bin/bash
if [ "$#" -ne 1 ] ; then
echo "Usage: $0 <env_file>" >&2
echo "This script read env_file variables and replace theire occurences in stdin" >&2
exit 1
fi
bash -c 'set -a && . '"$1"' && envsubst "$(cat '"$1"' | grep -o ^.*= | sed "s/=//" | sed "s/^/$/")"'


@ -1,22 +0,0 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.dahus.net. (
2023041900 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL (min before refresh)
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.he.net.
@ IN NS ns3.he.net.
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
@ IN A 51.255.33.248
@ IN MX 10 mail.amaglio.fr.
mail IN A 91.216.107.37
imap IN CNAME mail.amaglio.fr.
pop IN CNAME mail.amaglio.fr.
smtp IN CNAME mail.amaglio.fr.


@ -1,30 +0,0 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2020031104 ; Serial
7200 ; Refresh
7200 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL
; NS
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.he.net.
@ IN NS ns3.he.net.
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
@ IN A 51.255.33.248
@ 10800 IN MX 10 spool.mail.gandi.net.
@ 10800 IN MX 50 fb.mail.gandi.net.
@ 10800 IN TXT "v=spf1 include:_mailcust.gandi.net ?all"
collectif-arthadie.fr. IN CAA 0 issue "letsencrypt.org"
collectif-arthadie.fr. IN CAA 0 issuewild ";"
wordpress IN CNAME vandamme.jean-cloud.net.
www.wordpress IN CNAME vandamme.jean-cloud.net.
www IN CNAME vandamme.jean-cloud.net.
www.wordpress.collectif-arthadie.fr IN CAA 0 issue "letsencrypt.org"
www.wordpress.collectif-arthadie.fr IN CAA 0 issuewild ";"


@ -1,16 +0,0 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2023042100 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL (min before refresh)
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.he.net.
@ IN NS ns3.he.net.
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
@ IN A 172.104.154.21
@ IN AAAA 2a01:7e01::f03c:92ff:fecf:e815


@ -1,30 +0,0 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2023020400 ; Serial
7200 ; Refresh
7200 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL
; NS
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.jean-cloud.net.
@ IN NS ns1.he.net.
@ IN NS ns2.he.net.
@ IN NS ns3.he.net.
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
@ IN A 51.195.40.128
@ IN AAAA 2001:41d0:701:1100::31f
; Resolving nameserver
ns1 IN A 51.255.33.248
ns2 IN A 172.104.154.21
tetede IN A 51.255.33.248
tetede IN AAAA 2001:41d0:701:1100::31f


@ -1,19 +0,0 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2023040300 ; Serial
7200 ; Refresh
7200 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL
; NS
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.jean-cloud.net.
; Resolving nameserver
ns1 IN A 51.255.33.248
ns2 IN A 172.104.154.21
radiodemo IN CNAME montbonnot.jean-cloud.net


@ -1,15 +0,0 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2023042100 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL (min before refresh)
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.he.net.
@ IN NS ns3.he.net.
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
@ IN A 51.255.33.248


@ -1,148 +0,0 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2023042100 ; Serial
7200 ; Refresh
7200 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL
; NS
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.jean-cloud.net.
@ IN NS ns1.he.net.
@ IN NS ns2.he.net.
@ IN NS ns3.he.net.
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
@ IN A 51.255.33.248
@ 10800 IN MX 10 spool.mail.gandi.net.
@ 10800 IN MX 50 fb.mail.gandi.net.
@ 10800 IN TXT "v=spf1 include:_mailcust.gandi.net ?all"
; Resolving nameserver
ns1 IN A 51.255.33.248
ns2 IN A 172.104.154.21
;mail IN CNAME vandamme
webmail IN CNAME vandamme
vimbadmin IN CNAME vandamme
www IN CNAME vandamme
; Naming nodes
vandamme IN A 51.255.33.248
local-adrian IN A 193.33.56.94
francois IN A 54.38.189.153
nougaro IN A 172.104.154.21
nougaro IN AAAA 2a01:7e01::f03c:92ff:fecf:e815
tetede IN AAAA 2001:41d0:701:1100::31f
tetede IN A 51.195.40.128
carcasse IN A 109.18.84.200
carcasse IN AAAA 2a02:8434:1633:df01:adf9:74c3:b444:262f
gigi IN A 51.77.156.235
gigi IN AAAA 2001:41d0:305:2100::10e1
max IN A 82.65.204.254
max IN AAAA 2a01:e0a:c9d:81d0:a2b3:ccff:fe85:af97
montbonnot IN A 188.114.97.2
montbonnot IN A 188.114.96.2
montbonnot IN AAAA 2a06:98c1:3120::2
montbonnot IN AAAA 2a06:98c1:3121::2
; Carcasse
dumbcluster IN A 109.18.84.200
dumbcluster IN AAAA 2a02:8434:1633:df01:226:2dff:fe11:56af
; Tetede
dumbcluster IN A 51.195.40.128
dumbcluster IN AAAA 2001:41d0:701:1100::31f
; services
team IN CNAME tetede
nuage IN CNAME vandamme
www.nuage IN CNAME vandamme
calc.nuage IN CNAME vandamme
pad.nuage IN CNAME vandamme
feteducourt IN CNAME vandamme
www.feteducourt IN CNAME vandamme
feteducourt2020 IN CNAME vandamme
www.feteducourt2020 IN CNAME vandamme
git IN CNAME vandamme
www.git IN CNAME vandamme
wiki-cgr IN CNAME vandamme
www.wiki-cgr IN CNAME vandamme
parsoid-wiki-cgr IN CNAME vandamme
www.parsoid-wiki-cgr IN CNAME vandamme
cousinades IN CNAME vandamme
www.cousinades IN CNAME vandamme
cousinadesi2 IN CNAME vandamme
www.cousinades2 IN CNAME vandamme
velov IN CNAME vandamme
www.velov IN CNAME vandamme
registry IN CNAME vandamme
www.registry IN CNAME vandamme
inurbe IN CNAME vandamme
www.inurbe IN CNAME vandamme
gmx-webmail IN CNAME vandamme
www.gmx-webmail IN CNAME vandamme
rpnow IN CNAME vandamme
www.rpnow IN CNAME vandamme
test.rpnow IN CNAME vandamme
www.test.rpnow IN CNAME vandamme
lalis IN CNAME vandamme
www.lalis IN CNAME vandamme
metamorphose IN CNAME vandamme
www.metamorphose IN CNAME vandamme
static IN CNAME vandamme
www.static IN CNAME vandamme
;educloud IN CNAME tetede
;www.educloud IN CNAME tetede
;educloud2 IN CNAME tetede
;www.educloud2 IN CNAME tetede
copaines IN CNAME tetede
www.copaines IN CNAME tetede
wordpress.copaines IN CNAME tetede
www.wordpress.copaines IN CNAME tetede
feministesucl34 IN CNAME tetede
www.feministesucl34 IN CNAME tetede
wordpress.feministesucl34 IN CNAME tetede
www.wordpress.feministesucl34 IN CNAME tetede
tracker IN CNAME tetede
raplacgr IN CNAME tetede
walou IN CNAME dumbcluster
nc-backup IN CNAME tetede
gypsy IN CNAME tetede
shlago.wireguard.jean-cloud.net IN CNAME teted


@ -1,20 +0,0 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2021060600 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.jean-cloud.net.
@ IN A 51.255.33.248
@ 10800 IN MX 10 spool.mail.gandi.net.
@ 10800 IN MX 50 fb.mail.gandi.net.
@ 10800 IN TXT "v=spf1 include:_mailcust.gandi.net ?all"
ns1 IN A 51.255.33.248


@ -1,27 +0,0 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2023020700 ; Serial
7200 ; Refresh
7200 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL
; NS
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.jean-cloud.net.
@ IN NS ns1.he.net.
@ IN NS ns2.he.net.
@ IN NS ns3.he.net.
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
@ IN A 51.178.80.171
; Resolving nameserver
ns1 IN A 51.255.33.248
ns2 IN A 172.104.154.21
benevoles IN A 51.178.80.171
benevoles31 IN A 51.178.80.171


@ -1,15 +0,0 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2023042100 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL (min before refresh)
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.he.net.
@ IN NS ns3.he.net.
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
@ IN A 51.255.33.248


@ -1,15 +0,0 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2023042100 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL (min before refresh)
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.he.net.
@ IN NS ns3.he.net.
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
@ IN A 51.255.33.248


@ -1,15 +0,0 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2023042100 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL (min before refresh)
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.he.net.
@ IN NS ns3.he.net.
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
@ IN A 51.255.33.248


@ -1,58 +0,0 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2023042200 ; Serial
604800 ; Refresh
7200 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
@ IN NS ns1.jean-cloud.net.
@ IN NS ns5.he.net.
@ IN NS ns4.he.net.
@ IN NS ns3.he.net.
@ IN NS ns2.he.net.
@ IN A 51.255.33.248
@ IN MX 1 mx1.mail.ovh.net.
@ IN MX 5 mx2.mail.ovh.net.
@ IN MX 10 mx3.mail.ovh.net.
www IN CNAME vandamme.jean-cloud.net.
www.registry IN CNAME nougaro.jean-cloud.net.
registry IN CNAME nougaro.jean-cloud.net.
services IN CNAME nougaro.jean-cloud.net.
radionimaitre IN CNAME tetede.jean-cloud.net.
www.radionimaitre IN CNAME tetede.jean-cloud.net.
paj IN CNAME nougaro.jean-cloud.net.
www.paj IN CNAME nougaro.jean-cloud.net.
radiodemo IN CNAME tetede.jean-cloud.net.
radiodemo-back IN CNAME montbonnot.jean-cloud.net.
_autodiscover._tcp IN SRV 0 0 443 mailconfig.ovh.net.
_imaps._tcp IN SRV 0 0 993 ssl0.ovh.net.
_submission._tcp IN SRV 0 0 465 ssl0.ovh.net.
;autoconfig IN SRV mailconfig.ovh.net.
imap IN CNAME ssl0.ovh.net.
smtp IN CNAME ssl0.ovh.net.
mail IN CNAME ssl0.ovh.net.
pop3 IN CNAME ssl0.ovh.net.
stream.paj.ports IN TXT 9002
control.paj.ports IN TXT 9492
pa1.studios IN CNAME carcasse.jean-cloud.net.
montpellier1.studios IN CNAME tetede.jean-cloud.net.
npm IN CNAME vandamme.jean-cloud.net.
www.npm IN CNAME vandamme.jean-cloud.net.
static IN CNAME vandamme.jean-cloud.net.
www.static IN CNAME vandamme.jean-cloud.net.
discordbot IN CNAME vandamme.jean-cloud.net.
www.discordbot IN CNAME vandamme.jean-cloud.net.


@ -1,78 +0,0 @@
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "oma-radio.fr"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.oma-radio.fr";
};
zone "jean-cloud.net"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.jean-cloud.net";
};
zone "jean-cloud.org"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.jean-cloud.org";
};
zone "karnaval.fr"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.karnaval.fr";
};
zone "amaglio.fr"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.amaglio.fr";
};
zone "collectif-arthadie.fr"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.collectif-arthadie.fr";
};
zone "gypsylyonfestival.com"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.gypsylyonfestival.com";
};
zone "hid"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.hid";
};
zone "compagnienouvelle.fr"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.compagnienouvelle.fr";
};
zone "inurbe.fr"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.inurbe.fr";
};
zone "lalis.fr"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.lalis.fr";
};
zone "leida.fr"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.leida.fr";
};
zone "metamorphosemagazine.fr"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.metamorphosemagazine.fr";
};


@ -1,18 +0,0 @@
options {
directory "/var/cache/bind";
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on { any; };
listen-on-v6 { any; };
allow-update { none; };
allow-recursion { none; };
allow-recursion-on { none; };
recursion no;
notify yes;
allow-transfer {
none;
#216.218.133.2; 2001:470:600::2; //he.net
#172.104.154.21; 2a01:7e01::f03c:92ff:fecf:e815; // nougaro
};
};


@ -0,0 +1,29 @@
---
language: python
python: "2.7"
# Use the new container infrastructure
sudo: false
# Install ansible
addons:
apt:
packages:
- python-pip
install:
# Install ansible
- pip install ansible
# Check ansible version
- ansible --version
# Create ansible.cfg with correct roles_path
- printf '[defaults]\nroles_path=../' >ansible.cfg
script:
# Basic role syntax check
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/


@ -0,0 +1,38 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).


@ -0,0 +1,38 @@
-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----
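Review bot: A private SSH key does not belong in the repository: once committed it is readable by everyone with access to the repo and stays in the history after any later deletion. Treat this key as exposed — generate a replacement pair, install the new public key wherever this one is authorized, retire this one, and rewrite history to drop the file rather than removing it in a follow-up commit. The role only needs the matching public key (the next hunk), so the private half should stay on the Ansible controller or in an `ansible-vault`-encrypted file placed by a task with `no_log: true`; a `.gitignore` entry for the key file and a pre-commit secret scanner would catch the next one before it lands.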


@ -0,0 +1 @@
ssh-rsa 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 adrian@amaglio.fr


@ -0,0 +1,38 @@
---
# tasks file for sysadmin
bloc:
- name: add user
user:
name: "{{ item.username }}"
uid: "{{ item.uid }}" # Why ask for a specific UID?
home: "{{ item.home }}"
group: "{{ item.username }}"
groups: "{{ item.groups }}"
state: present
- name: create ssh dir
file:
path: "{{ item.home }}/.ssh"
owner: "{{item.username}}"
mode: '0700'
state: directory
- name: add git ssh server in authorized_keys
ansible.builtin.known_hosts:
path: "{{item.home}}/.ssh/known_hosts"
name: "[git.jean-cloud.net]:22529"
key: "[git.jean-cloud.net]:22529,[51.255.33.248]:22529 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBD5wYpMhqZ1DDgVKyX5tutlM8BHu2evhVsi2/5mpuqVYZU8LjI9oTVs6rxIV7FlgtHlPDpad5pTIk//bJxFGdA="
# key: "{{ lookup('ansible.builtin.file', 'files/git_key.pub') }}"
state: present
- name: Set authorized key
ansible.posix.authorized_key:
user: "{{ item.username }}"
state: present
key: "{{ item.public_ssh_key }}"
with_items: "{{sysadmin}}"
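Review bot: The tasks file cannot run as written: the top-level `bloc:` key (the keyword is `block`) turns the document into a mapping instead of a task list, and Ansible does not allow `with_items` on a block anyway, so the loop has to sit on each task. The loop data does not match either: `sysadmin` in vars/main.yml is a mapping, so iterating it yields the keys `ad`/`pn` as plain strings and `item.username` is undefined, and the tasks read `item.public_ssh_key` and `item.uid` while the vars define `ssh_public_key` and no `uid`. `groups` is also forwarded verbatim, so a space-separated value such as `sudo sysadmins` reaches the user module as one group name, where it expects a list or a comma-separated string. The rewrite below loops with `loop: "{{ sysadmin | dict2items }}"` and reads every field from `item.value`; the known_hosts task keeps its pinned key and only gains the same loop and `item.value.home`, and its name `add git ssh server in authorized_keys` should say known_hosts, since that is the file it writes.
```yaml
---
# tasks file for sysadmin
- name: add user
  user:
    name: "{{ item.value.username }}"
    home: "{{ item.value.home }}"
    group: "{{ item.value.username }}"
    groups: "{{ item.value.groups }}"   # list or comma-separated string in vars
    state: present
  loop: "{{ sysadmin | dict2items }}"

- name: create ssh dir
  file:
    path: "{{ item.value.home }}/.ssh"
    owner: "{{ item.value.username }}"
    mode: '0700'
    state: directory
  loop: "{{ sysadmin | dict2items }}"

# … unchanged: known_hosts pinning of git.jean-cloud.net, with path "{{ item.value.home }}/.ssh/known_hosts" and the same loop …

- name: Set authorized key
  ansible.posix.authorized_key:
    user: "{{ item.value.username }}"
    state: present
    key: "{{ item.value.ssh_public_key }}"
  loop: "{{ sysadmin | dict2items }}"
```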


@ -0,0 +1,15 @@
---
# vars file for sysadmin-adrian
sysadmin:
ad:
username: ad
full_name: Adrian Amaglio
home: /home/ad
groups: sudo sysdamins
ssh_public_key: ???
pn:
username: pn
full_name: Pieds-Nus
home: /home/pn
groups: sudo sysadmins
ssh_public_key: "ssh-rsa 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 pieds-nus@jean-cloud"
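Review bot: `ssh_public_key: ???` on the `ad` entry is a literal three-character string, not something Ansible treats as unset, so an authorized_key task consuming it would try to install `???` as a key and fail on every host; fill in the real key or read it from a file, e.g. `ssh_public_key: "{{ lookup('ansible.builtin.file', '<path-to-ad-public-key>') }}"`. `groups: sudo sysdamins` both misspells the group the `pn` entry spells `sysadmins` and, as one space-separated scalar, would be handed to the user module as a single group name; `groups: [sudo, sysadmins]` for both entries avoids both problems. The header comment reads `# vars file for sysadmin-adrian` while the tasks file in this commit calls the role `sysadmin`, so `# vars file for sysadmin` would be consistent.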