diff --git a/provisioning/group_vars/borg-client/.borgexclude b/provisioning/group_vars/borg-client/.borgexclude
new file mode 100644
index 0000000..4eae80c
--- /dev/null
+++ b/provisioning/group_vars/borg-client/.borgexclude
@@ -0,0 +1 @@
+/data/borg/repos
diff --git a/provisioning/group_vars/borg-client/TODO.txt b/provisioning/group_vars/borg-client/TODO.txt
new file mode 100644
index 0000000..a4e735b
--- /dev/null
+++ b/provisioning/group_vars/borg-client/TODO.txt
@@ -0,0 +1,19 @@
+
+Ansible :
+ - Manage ssh (public) keys
+ - create a borg-specific .ssh conf folder in /data/borg/.ssh
+ - run borg with BORG_RSH="/bin/ssh -F configfile"
+ - create borg users everywhere
+ - set up cron job
+ - update the /data/borg/config/borg-conf.env with new hosts ?
+
+Docker :
+ - something, probably.
+
+DONE
+manage multiple backup hosts (stop overwriting the conf', dumbie)
+ - could be done neatly with a yml conf file
+ - maybe also check around ~/.ssh/ssh_config if it could be done ?
+
+Quickfix : use the same passphrase for a repo on each of its locations (hosts)
+
diff --git a/provisioning/group_vars/borg-client/borg-backup.sh b/provisioning/group_vars/borg-client/borg-backup.sh
new file mode 100755
index 0000000..9efd34f
--- /dev/null
+++ b/provisioning/group_vars/borg-client/borg-backup.sh
@@ -0,0 +1,186 @@ +#!/bin/bash + +# borg-backup.sh +# Script to run regularly to backup a Jean-Cloud machine +# +# This will create a separate borg repo for every item in the BORG_REPOS variable +# And in each location specified in the BORG_HOSTS variable +# Use the file borg-conf.env to set these. +# +# If it finds an item in the BORG_REPOS that isn't yet a borg repository on one +# of the BORG_HOSTS, it will init a new repo there. +# +# Dependencies: +# packages: borg > 1.4 +# scripts: /usr[/local]/bin/driglibash-base +# files: /data/borg/config/borg-conf.env +# /data/borg/config/.borgexclude + +# Cheatsheet: +# ${#array[@]} number of elements in array +# ${array[@]} each element in array (separate words) +# ${array[i]} i-th element in array + + +if test -s /usr/local/bin/driglibash-base -a -r /usr/local/bin/driglibash-base ; then + . /usr/local/bin/driglibash-base +elif test -s /usr/bin/driglibash-base -a -r /usr/bin/driglibash-base ; then + . /usr/bin/driglibash-base +else + die "Could'nt source driglibash. See https://github.com/adrian-amaglio/driglibash/" +fi + +BORG_ENV="/data/borg/config/borg-conf.env"; + +test -s "$BORG_ENV" && test -r "$BORG_ENV" || die "Couldn't find \"$BORG_ENV\" configuration file!" +. 
"$BORG_ENV" + +mkdir -p "$BORG_BASE_DIR" "$BORG_CACHE_DIR" "$BORG_CONFIG_DIR" "$BORG_TMPDIR" "$BORG_SECURITY_DIR" "$BORG_SECURITY_DIR/passphrases" "$BORG_SECURITY_DIR/repokeys" + +function init_repo() { + # args : + # $1 : host (local path or ssh where the borg repo is stored) + # $2 : path (local dir(s) to be saved in the repo) + # $3 : name of the repo on (remote) host + # $4 : unique alias to identiy the host + + test "$verbosity" -gt 0 && echo "init_repo( $1 \\ $2 \\ $3)" + + mkdir -p "$BORG_SECURITY_DIR/passphrases/$4/" + mkdir -p "$BORG_SECURITY_DIR/repokeys/$4/" + + #create passphrase + LC_ALL=C tr -dc A-Za-z0-9 "$BORG_SECURITY_DIR/passphrases/$4/$3" + + export BORG_PASSPHRASE=$(cat "$BORG_SECURITY_DIR/passphrases/$4/$3") + + #init repo + + test "$verbosity" -gt 1 && echo "borg init ${verbosity:+"--progress"} --make-parent-dirs -e repokey "$1/$3"" + test "$verbosity" -gt 3 && read -p " Continue ?" + + run borg init ${verbosity:+"--progress"} --make-parent-dirs -e repokey "$1/$3" + + #create first entry + + test "$verbosity" -gt 1 && echo "borg create ${verbosity:+"--progress"} ${BORG_EXCLUDE_FILE:+"--exclude-from $BORG_EXCLUDE_FILE"} "$1/$3"::"init-$(date +%Y-%m-%d_%H-%M-%S)" "$2"" + test "$verbosity" -gt 3 && read -p " Continue ?" + + run borg create ${verbosity:+"--progress"} ${BORG_EXCLUDE_FILE:+--exclude-from "$BORG_EXCLUDE_FILE"} "$1/$3"::"init-$(date +%Y-%m-%d_%H-%M-%S)" "$2" + + #export repokey in case of repo catastrophic loss + + test "$verbosity" -gt 1 && echo "borg key export "$1/$3" "$BORG_SECURITY_DIR/repokeys/$3"" + test "$verbosity" -gt 3 && read -p " Continue ?" 
+ + run borg key export "$1/$3" "$BORG_SECURITY_DIR/repokeys/$4/$3" +#TODO These keys should be backuped somewhere + +} + + +for alias in "${!host_mode[@]}" ; do + + # Begin parameter validation + + test -n "${host_repo_dir["$alias"]}" && test -d "${host_repo_dir[$alias]}" || pathchk -p -P "${host_repo_dir["$alias"]}" 2>/dev/null && mkdir -p "${host_repo_dir[$alias]}" || die "Config error! Host $alias : "${host_repo_dir["$alias"]}" isn't a valid repo dir." + + if test "${host_mode[$alias]}" = "local" ; then + + host="${host_repo_dir[$alias]}" + + elif test "${host_mode[$alias]}" = "ssh" ; then + + test -n "${host_user["$alias"]}" && echo "${host_user["$alias"]}" | grep -q -E "^[a-z_][a-z0-9_-]*$" || die "Config error! Host $alias : ${host_user["$alias"]} isn't a valid username." + + test -z ${host_host["$alias"]} && die "Config error! Host $alias : you must provide a host in ssh mode!" + check_host=false + # IPv4 regexp + echo ${host_host["$alias"]} | grep -q -E "^([0-2]?[0-9]{1,2}\.){3}[0-2]?[0-9]{1,2}$" && check_host=true + # IPv6 regexp + echo ${host_host["$alias"]} | grep -q -E "^(((([a-f]|[0-9]){1,4})|:):){6}([a-f]|[0-9]){1,4}$" && check_host=true + # URL regexp + echo ${host_host["$alias"]} | grep -q -E "^[0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*\.[a-z]{2,5}$" && check_host=true + + test "$check_host" = true || die "Config error! Host $alias : ${host_host["$alias"]} isn't a valid host (expected IPv4, IPv6 or URL)." + + test -n "${host_port["$alias"]}" && test "${host_port["$alias"]}" -gt 2>/dev/null 0 && test "${host_port["$alias"]}" -le 65536 || die "Config error! Host $alias : "${host_port["$alias"]}" isn't a valid port." + + # End parameter validation + + # Parameter expansion lvl: I was not ready for this. 
+host="ssh://${host_user["$alias"]:+${host_user["$alias"]}@}\ +${host_host["$alias"]:+${host_host["$alias"]}}\ +${host_port["$alias"]:+:${host_port["$alias"]}}\ +${host_repo_dir["$alias"]:+${host_repo_dir["$alias"]}}" + + # super-secret-back-door + elif test "${host_mode[$alias]}" = "iknowwhatimdoing" ; then + host="${host_host["$alias"]}" + + else + + die "Config error! Host $alias : unrecognized mode ${host_mode[$alias]}" + + fi + + test "$verbosity" -gt 0 && section "$alias: $host" + + for repo in "${local_repos[@]}" ; do + + test "$verbosity" -gt 0 && section "$repo" + + # we use a python-like name for the repo: + reponame=$(echo "$repo" | tr "/" ".") + + #Check that the repo exists (we could be backuping a new service) + + check_repo_exists=false; + + if test "${host_mode[$alias]}" = "ssh" ; then + export BORG_PASSPHRASE=$(cat "$BORG_SECURITY_DIR/passphrases/$alias/$reponame") && borg list "$host/$reponame" > /dev/null && check_repo_exists=true || "Could'nt open repo $reponame at host $host. Creating it." + fi + + test "${host_mode[$alias]}" = "local" && test -d "$host/$reponame" && test -s "$host/$reponame/README" && grep -q "This is a Borg Backup repository." "$host/$reponame/README" && check_repo_exists=true +#TODO: this doesn't check if a distant repo exists + + if $check_repo_exists = true ; then + + #it's okay, repo exists, start the normal backup + test -s "$BORG_SECURITY_DIR/passphrases/$alias/$reponame" && export BORG_PASSPHRASE=$(cat "$BORG_SECURITY_DIR/passphrases/$alias/$reponame") || die "Couldn't get passphrase for repo $alias/$repo from file: $BORG_SECURITY_DIR/passphrases/$alias/$reponame" + + test $verbosity -gt 1 && echo "borg create ${verbosity:+"--progress"} ${BORG_EXCLUDE_FILE:+--exclude-from "$BORG_EXCLUDE_FILE"} --compression obfuscate,115,auto,zstd,20 "$host/$reponame"::"$reponame-$(date +%Y-%m-%d_%H-%M-%S)" "$repo"" + test $verbosity -gt 3 && read -p " Continue ?" 
+ + run borg create ${verbosity:+"--progress"} ${BORG_EXCLUDE_FILE:+--exclude-from "$BORG_EXCLUDE_FILE"} --compression obfuscate,115,auto,zstd,20 "$host/$reponame"::"$reponame-$(date +%Y-%m-%d_%H-%M-%S)" "$repo" +#TODO Check that zstd lvl 20 compression is not too cpu-intensive, could be reduced (or use lz4) (see borg help benchmark) + + # Global retention parameters + hourly=${BORG_KEEP_HOURLY[all]:+"--keep-hourly=${BORG_KEEP_HOURLY[all]} "} + daily=${BORG_KEEP_DAILY[all]:+"--keep-daily=${BORG_KEEP_DAILY[all]} "} + weekly=${BORG_KEEP_WEEKLY[all]:+"--keep-weekly=${BORG_KEEP_WEEKLY[all]} "} + monthly=${BORG_KEEP_MONTHLY[all]:+"--keep-monthly=${BORG_KEEP_MONTHLY[all]} "} + yearly=${BORG_KEEP_YEARLY[all]:+"--keep-yearly=${BORG_KEEP_YEARLY[all]} "} + test $verbosity -gt 2 && echo "Global retention policy : $hourly $daily $weekly $monthly $yearly" + + # Per-host retention parameters + test -n "${BORG_KEEP_HOURLY["$alias"]}" && hourly="--keep-hourly=${BORG_KEEP_HOURLY["$alias"]}" + test -n "${BORG_KEEP_DAILY["$alias"]}" && daily="--keep-daily=${BORG_KEEP_DAILY["$alias"]}" + test -n "${BORG_KEEP_WEEKLY["$alias"]}" && weekly="--keep-weekly=${BORG_KEEP_WEEKLY["$alias"]}" + test -n "${BORG_KEEP_MONTHLY["$alias"]}" && monthly="--keep-monthly=${BORG_KEEP_MONTHLY["$alias"]}" + test -n "${BORG_KEEP_YEARLY["$alias"]}" && yearly="--keep-yearly=${BORG_KEEP_YEARLY["$alias"]}" + test $verbosity -gt 2 && echo "$alias retention policy : $hourly $daily $weekly $monthly $yearly" + + test $verbosity -gt 1 && echo "borg prune ${verbosity:+"--progress"} --list --glob-archives \"$reponame*\" $hourly $daily $weekly $monthly $yearly \"$host/$reponame\"" + test $verbosity -gt 3 && read -p " Continue ?" + + run borg prune ${verbosity:+"--progress"} --list --glob-archives \"$reponame*\" $hourly $daily $weekly $monthly $yearly "$host/$reponame" + + else + + #If repo doesn't exist, create it + init_repo "$host" "$repo" "$reponame" "$alias" + + fi + done +done 
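Review bot: `run borg prune ${verbosity:+"--progress"} --list --glob-archives \"$reponame*\" …` in the per-repo loop hands the backslash-escaped quotes to borg literally (outside double quotes `\"` is a plain `"` character), so the archive pattern begins with a quote, matches no archive named `$reponame-<date>`, and the retention policy built from BORG_KEEP_* is never applied; write `--glob-archives "$reponame*"`. The sourcing fallback `else die "Could'nt source driglibash…"` calls `die`, which is only defined by the file that just failed to load, so with no `set -e` the script reports "command not found" and carries on without `run`/`section` (use `echo … >&2; exit 1` there); likewise in the ssh branch `… || "Could'nt open repo $reponame at host $host. Creating it."` is missing its `echo`, and `if $check_repo_exists = true` only works because `true`/`false` ignore their arguments — write `if [ "$check_repo_exists" = true ]`. In init_repo, `LC_ALL=C tr -dc A-Za-z0-9 "$BORG_SECURITY_DIR/passphrases/$4/$3"` as rendered has neither an input source nor an output redirection (a `</dev/urandom … >` fragment may have been lost in rendering), and whichever form is intended, the passphrase file and the `borg key export` output are created under the caller's default umask, so add `umask 077` at the top of init_repo — the passphrase is the only thing protecting the exported repokey. The header comment says repositories come from BORG_REPOS and BORG_HOSTS, but the loops read `host_mode`, `host_repo_dir`, `host_host`, `host_port`, `host_user` and `local_repos`; update the header to name the variables actually consumed from borg-conf.env. Also, the `mkdir -p "${host_repo_dir[$alias]}"` in the validation chain runs on the local machine even for `ssh` hosts, where host_repo_dir is a remote path, so either restrict it to `local` mode or document that it is intentional.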
diff --git a/provisioning/group_vars/borg-client/borg-conf.env b/provisioning/group_vars/borg-client/borg-conf.env
new file mode 100644
index 0000000..27d5c21
--- /dev/null
+++ b/provisioning/group_vars/borg-client/borg-conf.env
@@ -0,0 +1,59 @@ +verbosity=3 + + # Borg Configuration +BORG_BASE_DIR=/data/borg +BORG_CACHE_DIR=$BORG_BASE_DIR/cache +BORG_CONFIG_DIR=$BORG_BASE_DIR/config +BORG_TMPDIR=$BORG_BASE_DIR/tmp +BORG_SECURITY_DIR=$BORG_BASE_DIR/security + + # Jean-Cloud configuration: + # Where are backups saved +BORG_HOSTS=(\ +/data/borg/repos \ +ssh://root@tetede.jean-cloud.net:45985/data/borg/repos \ +#ssh://borg@tetede.jean-cloud.net:4646/data/borg/repos \ +) + + + # Local backuped dirs +local_repos=($(ls -d /data/*)) #NO TRAILING SLASHES PLEASE + + # Hosts configuration + +# # Sample host configuration +# host_mode[alias]=local|ssh +# host_repo_dir[alias]=/path/to/repo +# # Params below this line are specific to ssh hosts +# host_host[alias]=borg.example.org|123.456.789 # TODO There are regexps to chek for valid IPv4 and IPv6, but not URL yet. +# host_port[alias]=22 +# host_user[alias]=borg-distant-user + +declare -A host_mode host_repo_dir host_host host_port host_user host_repo_dir + + # host: tetede +host_mode[tetede]=ssh +host_host[tetede]=tetede.jean-cloud.net +host_port[tetede]=45985 +host_user[tetede]=root +host_repo_dir[tetede]=/data/borg/repos + + # host : localhost +host_mode[localhost]=local +host_repo_dir[localhost]=/data/borg/repos + +declare -A BORG_KEEP_HOURLY BORG_KEEP_DAILY BORG_KEEP_WEEKLY BORG_KEEP_MONTHLY BORG_KEEP_YEARLY + + # Global retention configuration (comment a line to deactivate it, do not set it to 0) +#BORG_KEEP_HOURLY[all]=1 +BORG_KEEP_DAILY[all]=4 +BORG_KEEP_WEEKLY[all]=2 +BORG_KEEP_MONTHLY[all]=2 +#BORG_KEEP_YEARLY[all]=1 + + # Per-host retention configuration (comment a line to deactivate it, do not set it to 0) +#BORG_KEEP_HOURLY[alias]=1 +#BORG_KEEP_DAILY[alias]=4 +#BORG_KEEP_WEEKLY[alias]=2 +#BORG_KEEP_MONTHLY[alias]=2 +BORG_KEEP_YEARLY[localhost]=1 diff --git a/provisioning/playbook.yml b/provisioning/playbook.yml index 6f4daa7..cb2a8be 100755 --- a/provisioning/playbook.yml +++ b/provisioning/playbook.yml 
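Review bot: `BORG_EXCLUDE_FILE` is never set in this file, yet borg-backup.sh only adds `--exclude-from` when it is, so the `.borgexclude` added by this commit (which excludes `/data/borg/repos`) is never applied; with `local_repos` covering `/data/*`, the `/data/borg` backup then archives the local repositories under `/data/borg/repos` into themselves, along with `cache`, `tmp` and the `security` dir holding the passphrases and exported repokeys. Set `BORG_EXCLUDE_FILE=$BORG_CONFIG_DIR/.borgexclude` (the path the script header documents) and extend that file to the other `/data/borg` subdirectories that should not be archived. `local_repos=($(ls -d /data/*))` parses ls output and word-splits it; the glob `local_repos=(/data/*)` yields the same entries without either problem. `BORG_HOSTS` is declared here but, as far as the visible script shows, nothing reads it — borg-backup.sh iterates the `host_*` maps — so it is dead configuration that can mislead a maintainer (drop it or mark it unused), and `host_repo_dir` appears twice in the `declare -A` line. Because this file is sourced with `.` and only checked for `-s`/`-r`, anything able to write it executes as whoever runs the backup; keep it root-owned and not group/world-writable.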
@@ -1,6 +1,6 @@ - name: server hosts: servers - become: yes + become: no gather_facts: no roles: # Ansible prerequisites @@ -8,7 +8,7 @@ - name: server hosts: servers - become: yes + #become: yes #gather_facts: no roles: # Ansible prerequisites diff --git a/provisioning/roles/jean-cloud-common/files/bin/deployer.sh b/provisioning/roles/jean-cloud-common/files/bin/deployer.sh deleted file mode 100755 index 5d58577..0000000 --- a/provisioning/roles/jean-cloud-common/files/bin/deployer.sh +++ /dev/null 
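Review bot: The first hunk sets `become: no` explicitly while the second only comments `become: yes` out, so the two `server` plays now disable privilege escalation in different ways (explicit value vs. inherited default); use one form in both, e.g. `become: no`. Both plays carry the same `- name: server` / `hosts: servers` header, which reads as a duplicated play — if that is intended, a comment saying why would help the next reader. If any of the roles still need root (the `# Ansible prerequisites` role, for instance, if it installs packages), they will now depend on the connecting user already being root; confirm this against the inventory before merging.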
@@ -1,155 +0,0 @@ -#!/bin/bash - -driglibash_run_retry=true -. driglibash-base -set -euo pipefail - -############################################################################### -# Variables -############################################################################### - -proxy_dir="/etc/nginx" -nginx_conf_path="$proxy_dir/sites-enabled" -new_nginx_conf_path="$proxy_dir/new-sites-enabled" - -certs_path="/etc/letsencrypt/live" -dummy_cert_path="$certs_path/dummy" - -############################################################################### -# Helpers -############################################################################### - -# Returns the public IP4 address of a domain name -function ipof { - resolv.sh "$1" -} - -# Path to this directory -here="$(where 'follow_links')" - -# Ip4 address -my_ip="$(ipof "$(cat /etc/hostname)")" -[ -z "$my_ip" ] && yell "Unable to find my IP" && exit 1 - - -############################################################################### -# Nginx preparation -############################################################################### - -driglibash_section_prefix="[Prepare nginx] " -section "Delete new conf directory (to recover)" -run rm -rf "$new_nginx_conf_path" - -section "Create new conf file (for tests purposes)" -sed "s#$nginx_conf_path#$new_nginx_conf_path#" "/docker/_proxy/nginx.conf" > "$proxy_dir/new_nginx.conf" - -section "Create proxy dir" -run mkdir -p "$proxy_dir" /docker /data -run chown root:root /docker -run chown root:root /data -run chmod 755 /docker -run chmod 755 /data - -section "Check dummy cert exists " -#TODO check if expired -if [ ! 
-f "$dummy_cert_path/privkey.pem" ] ; then - echo "Dummy cert generation" - run mkdir -p "$dummy_cert_path" - run openssl req -x509 -newkey rsa:2048 -keyout /etc/letsencrypt/live/dummy/privkey.pem -out /etc/letsencrypt/live/dummy/fullchain.pem -days 365 -nodes -subj "/C=FR/ST=France/O=IT/CN=jean-cloud.net" -fi - -section "Create new conf directory" -run mkdir -p "$new_nginx_conf_path" - -############################################################################### -# Deploy services -############################################################################### - -for dir in /docker/* ; do - service="$(basename "$dir")" - - # Ignore _ prefixed directories - [ "${service::1}" == '_' ] && continue - - docker_service="$(echo "$service" | tr '.' '_')" - driglibash_section_prefix="[$service] " - cd "/docker/$service" - - # Is service meant to be on this server? - ip="$(ipof "$service")" - [ -z "$ip" ] && yell "No IP found for $service" && continue - - if [ "$ip" != "$my_ip" ] ; then - if [ -n "$(docker ps | grep "$docker_service")" ] ; then - section "--------------------" - section "Removing service" - docker-compose down --rmi all --remove-orphans - fi - continue - fi - - # If there is a docker-compose file and it has services in it - if [ -f "/docker/$service/docker-compose.yml" ] && [ -n "$(grep '^[^#]*services' "/docker/$service/docker-compose.yml")" ] ; then - section "-------------------- $service" - section "Logging to registry" - # XXX Login to docker registry - - section "Pulling images" - run docker-compose pull - - section "Starting service" - run docker-compose up -d --remove-orphans - fi - - # If there is a nginx conf file - if [ -f "/docker/$service/nginx_server.conf" ] ; then - section "Copy nginx conf" - run cp "/docker/$service/nginx_server.conf" "$new_nginx_conf_path/$service" - - if [ -f "/docker/$service/.env" ] ; then - section "Template nginx conf with vars from '.env' file" - run template.sh "/docker/$service/.env" < 
"/docker/$service/nginx_server.conf" > "$new_nginx_conf_path/$service" - fi - fi - - # Do we need dummy cert? - if [ ! -e "$certs_path/$service/fullchain.pem" ] ; then - section "Create cert dir" - run mkdir -p "$certs_path/$service" - - section "Link dummy to cert" - run ln -s "$dummy_cert_path/fullchain.pem" "$certs_path/$service" - run ln -s "$dummy_cert_path/privkey.pem" "$certs_path/$service" - fi - - section "Testing nginx conf" - run nginx -t -c /etc/nginx/new_nginx.conf - -done - -############################################################################### -# Nginx restart -############################################################################### - -driglibash_section_prefix="[Restart nginx] " - -section "Test if nginx conf is ok" -run nginx -t -c "$proxy_dir/new_nginx.conf" - -section "Update nginx conf" -run rm -rf "$nginx_conf_path" -run mv "$new_nginx_conf_path" "$nginx_conf_path" -run cp "/docker/_proxy/nginx.conf" "$proxy_dir/nginx.conf" - -section "Test nginx conf to be sure" -run nginx -t - -if [ -z "$(cat /var/run/nginx.pid)" ] ; then - section "Start nginx" - run nginx -else - section "Reload nginx" - run nginx -s reload -fi - -clean diff --git a/provisioning/roles/jean-cloud-common/files/bin/driglibash-args b/provisioning/roles/jean-cloud-common/files/bin/driglibash-args deleted file mode 100755 index 1cfec48..0000000 --- a/provisioning/roles/jean-cloud-common/files/bin/driglibash-args +++ /dev/null 
@@ -1,90 +0,0 @@ -#!/bin/bash - -############################################################################### -# https://github.com/adrianamaglio/driglibash-arg -############################################################################### - - -# Usage : -# -# version="alpha nightly 0.0.1 pre-release unstable" -# summary="$0 [options] " -# -# usage[t]="Start qemu after the installation" -# varia[t]=tst -# tst=false -# -# usage[i]="Install the provided package. Not implemented" -# varia[i]=install -# declare -a install -# -# usage[k]="Keep the temporar mountpoints" -# varia[k]=keep -# keep=false -# -# usage[e]="bash command file to execute in the chroot. - to read from stdin" -# varia[e]=execute -# declare -a execute - -. driglibash-base - -#TODO keep order usage options -# Print usage and exit in error -usage() { - yell "Version: $version" - yell "Usage: $summary" - yell "Parameters:" - yell " -h print this help, version and exit." - for key in "${!usage[@]}" ; do - if [ "$(driglibash_arg_type "$key")" == "single_value" ] ; then - name="${varia[$key]}" - default=" (default : ${!name})" - else - default= - fi - yell " -$key ${usage[$key]}$default" - done - exit 0 -} - -# Guess the variable type -# Boolean, list or string -driglibash_arg_type() { - if [ $# -ne 1 ] ; then - die "Bad driglibash_arg_type usage"; - fi - - name="${varia[$1]}" - if [ "$name" == "" ] ; then die "Variable name is empty for key $1" ; fi - if [ "${!name}" == "false" ] ; then - echo "boolean" - elif [ -n "$( declare -p "$name" 2>/dev/null | grep 'declare \-a')" ] ; then - echo "array" - else - echo "single_value" - fi -} - -# Generate getopts string # -getopts_string=":h" -for key in ${!usage[@]} ; do - needs_parameter= - if [ "$(driglibash_arg_type "$key")" != "boolean" ] ; then needs_parameter=":" ; fi - getopts_string="$getopts_string$key$needs_parameter" -done - -# Loop throught options # -while getopts "$getopts_string" opt; do - case $opt in - h) usage;; - :) die "Option -$OPTARG 
requires an argument.";; - \?) die "Invalid option: -$OPTARG";; - *) - name="${varia[$opt]}" - if [ "${!name}" == "false" ] ; then eval $name=true - elif [ -n "$( declare -p "$name" 2>/dev/null | grep 'declare \-a')" ] ; then safe="${!name} $OPTARG" ; eval $name=\$safe - else eval $name=\$OPTARG - fi;; - esac -done ; shift $((OPTIND-1)) - diff --git a/provisioning/roles/jean-cloud-common/files/bin/driglibash-base b/provisioning/roles/jean-cloud-common/files/bin/driglibash-base deleted file mode 100755 index d588596..0000000 --- a/provisioning/roles/jean-cloud-common/files/bin/driglibash-base +++ /dev/null 
@@ -1,179 +0,0 @@ -############################################################################### -# Driglibash pack 1 -# Usual helper functions for bash scripts -# https://github.com/adrianamaglio/driglibash -############################################################################### - -# Set to true to make a pause at each step -driglibash_step_by_step=false - -# Set to watever you want to have a prefix -driglibash_section_prefix="" - - -trap 'die "Received sigint"' INT - -# Output on standard error output -yell() { - echo >&2 -e "$@" -} - -# Output first parameter, second parameter times -repeat() { - printf "$1"'%.s' $(eval "echo {1.."$(($2))"}") -} - -# Output a "section title" to visually separate different script part -# TODO local variables -# TODO fixed place left aligned -section(){ - text="$driglibash_section_prefix$1" - if [ -n "$text" ] ; then - len="${#text}" - max_len="$(($(tput cols)-2))" - if [ "$len" -ge "$max_len" ] ; then - right=5 - left=5 - else - left="$((($max_len - $len)/2))" - right="$left" - fi - else - left=80 - right=0 - fi - - # If the character number was rounded down - if [ "$(($left + $right + $len +1 ))" -eq "$max_len" ] ; then - left="$(($left+ 1))" - fi - - repeat '=' "$left" - if [ "$right" -ge 1 ] ; then - echo -n " $text " - repeat '=' "$right" - echo - fi - - if "$driglibash_step_by_step" ; then - echo "Press enter to proceed" - read - fi -} -alias step=section - -# Print an error, clean and exit -die() { - yell "$@" - clean - exit 1 -} - -# Exit on error if not root -root_or_die() { - if [ "$UID" -ne 0 ] ; then - die "You need to be root" - fi -} - -# Execute a command and die if it returns with error # -run() { - while true ; do - "$@" - code=$? - if [ "$code" -ne 0 ] ; then - yell "command [$*] failed with exit code '$code'" - if [ -n "$driglibash_run_retry" ] ; then - echo "Retry ? Retry (y), skip the command (s) or exit script(n) [Y/s/n] ?" 
- read answer - if [ "$answer" = "y" ] || [ "$answer" = "Y" ] || [ -z "$answer" ] ; then - continue - elif [ "$answer" = "s" ] || [ "$answer" = "S" ] ; then - return "$code" - fi - fi - die "Aborting" - else - break - fi - done -} - - -# Execute a commad in background and return its pid -start(){ - "$@" & - pid=$! - clean pre "kill $pid" - return $pid -} - -# Clean exit # -# Record command lines passed as argument and execute them all when called without args # -# One argument = One command # -# TODO append or prepend according to arg -declare -a driglibash_clean_actions -clean() { - if [ "$#" -eq 0 ] ; then - echo "Cleaning" - for action in "${driglibash_clean_actions[@]}" ; do - echo "driglibash_clean> $action" - $action - done - elif [ "$#" -eq 1 ] ; then - driglibash_clean_actions+=("$1") - elif [ "$#" -eq 2 ] ; then - case "$1" in - "pre") - declare -a tmp - tmp=("${driglibash_clean_actions[@]}") - driglibash_clean_actions=("$2") - driglibash_clean_actions+=("${tmp[@]}") - ;; - "post") - driglibash_clean_actions+=("$2") - ;; - "del") - for i in "${!driglibash_clean_actions[@]}" ; do - if [ "$2" = "${driglibash_clean_actions[$i]}" ] ; then - unset driglibash_clean_actions[$i] - break - fi - done - ;; - *) - die "driglibash_clean: action '$1' not supported" - esac - else - die "driglibash_clean : Bad clean usage, receveid more than two args" - fi -} - -# tells where your executable is (absolute path). 
Follow simlinks if any argument provided -where() { - if [ -z "$1" ] ; then - echo "$( cd -P "$( dirname "$1" )" && pwd )" - else - SOURCE="$0" - while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink - DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )" - SOURCE="$(readlink "$SOURCE")" - [[ $SOURCE != /* ]] && SOURCE="$DIR/$SOURCE" # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located - done - DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )" - - echo $DIR - fi -} - -# Add the line $1 in file $2 if not present -line_in_file() { - if [ "$#" -ne 2 ] ; then die "Bad usage of 'line_in_file'. Got '$#' parameters : '$@'" ; fi - if [ -z "$1" ] ; then die "Line arg is emtpy in 'line_in_file'" ; fi - line="$1" - if [ -z "$2" ] ; then die "File arg is emtpy in 'line_in_file'" ; fi - file="$2" - if [ ! -f "$file" ] ; then run touch "$file" ; fi - - grep -q -x -F "$line" "$file" || echo "$line" >> "$file" -} diff --git a/provisioning/roles/jean-cloud-common/files/bin/letsencrypt.sh b/provisioning/roles/jean-cloud-common/files/bin/letsencrypt.sh deleted file mode 100755 index 9d90bd5..0000000 --- a/provisioning/roles/jean-cloud-common/files/bin/letsencrypt.sh +++ /dev/null 
@@ -1,105 +0,0 @@ -#!/bin/bash -# This script will run on new cert and on cron renew -# there is one cert by service - -# TODO make it an ansible script -# No - -# Les arguments du pauvre -if [ "$#" -eq 1 ] && [ "$1" = '-v' ] ; then - verbose=true -else - verbose=false -fi - -# Variable -acmeroot=/var/www/letsencrypt - -# Création du répertoire -mkdir -p "$acmeroot" - -# With trailing slash or it will be a prefix selector -#nginx_sites_dir="/etc/nginx/sites-enabled/" -nginx_sites_dir="/etc/nginx/sites-enabled/" - -for file in "$nginx_sites_dir"* ; do - if $verbose ; then - echo '-------------------------' - echo "$file" - fi - - service_name="$(basename "$file")" - - # Getting just the domain names - domains="$(grep '^[[:blank:]]*[^#][[:blank:]]*server_name' "$file" | sed 's/ _ / /g' | sed 's/server_name//g' | sed 's/default_server//g' | sed -e 's/^[[:space:]]*//' | cut -d ';' -f 1)" - if [ -n "$domains" ] ; then - # If using dummy cert, disabling it - if [ "$(readlink "/etc/letsencrypt/live/$service_name/fullchain.pem")" = "/etc/letsencrypt/live/dummy/fullchain.pem" ] ; then - rm -r "/etc/letsencrypt/live/$service_name" - fi - - # removing duplicates - domains="$(echo $domains | awk '{for (i=1;i<=NF;i++) if (!a[$i]++) printf("%s%s",$i,FS)}{printf("\n")}')" - echo "$domains" - - # adding -d before every domain - domains="-d $(echo $domains | sed 's/ / -d /g')" - - # Run certbot - command="certbot certonly -n --expand --agree-tos --webroot -w "$acmeroot" --email contact@jean-cloud.org --cert-name "$(basename $file)" $domains" - if $verbose ; then - echo $command - fi - out="$($command 2>&1)" - result="$?" 
- - if [ "$result" -eq 0 ] && [[ "$out" = *"Certificate not yet due for renewal; no action taken."* ]]; then - echo "Cert still valid" - elif [ "$result" -eq 0 ] ; then - echo "Cert renewed or obtained" - #new_cert="$(echo "$out" | grep -oE '/etc/letsencrypt/live/.*/fullchain.pem')" - #echo "'$new_cert'" - #new_cert_dir="$(dirname "$out")" - #echo "'$new_cert_dir'" - - #if [ -d "$new_cert_dir" ] ; then - # echo "New cert dir : '$new_cert_dir'" - # echo "cp '$new_cert_dir/*' '/data/proxy/certs/'" - #else - # echo "Error parsiong dir name" - #fi - - elif [ "$result" -eq 1 ] ; then - echo "Cert failed" - echo " ------------------------------------------" - echo "$out" - echo " ------------------------------------------" - else - echo "Unknown error : $result.\n$out" - fi - fi -done - -ls /etc/letsencrypt/live/*000* &> /dev/null -if [ "$?" -eq 0 ] ; then - echo " ---------------------------------------------------------------------------------------------" - echo "Bad certs detected in letsencrypt dir. Nginx conf wont work…" - echo "rm -r /etc/letsencrypt/live/*000* /etc/letsencrypt/archive/*000* /etc/letsencrypt/renewal/*000*" - echo " ---------------------------------------------------------------------------------------------" -fi - - -nginx -t -code="$?" -if [ "$code" -ne 0 ] ; then - echo "Nginx test error, can’t reloat it" - exit 1 -fi - -nginx -s reload -code="$?" -if [ "$code" -ne 0 ] ; then - echo "Nginx reload error, GENERAL ALEEEEEEEEERT!!!!!" - exit 1 -fi -echo "Done. No error detected." diff --git a/provisioning/roles/jean-cloud-common/files/bin/list_overlay_mounts.sh b/provisioning/roles/jean-cloud-common/files/bin/list_overlay_mounts.sh deleted file mode 100644 index 36d5fd6..0000000 --- a/provisioning/roles/jean-cloud-common/files/bin/list_overlay_mounts.sh +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/sh -docker inspect -f $'{{.Name}}\t{{.GraphDriver.Data.MergedDir}}' $(docker ps -aq) 
diff --git a/provisioning/roles/jean-cloud-common/files/bin/resolv.sh b/provisioning/roles/jean-cloud-common/files/bin/resolv.sh deleted file mode 100755 index 562e126..0000000 --- a/provisioning/roles/jean-cloud-common/files/bin/resolv.sh +++ /dev/null @@ -1,61 +0,0 @@ -#!/bin/bash - -set -euo pipefail - -########################### Helpers ########################################### - -function yell { - echo "$@" >&2 -} - -function die { - yell "$@" - exit 1 -} - -function say { - if "$verbose" ; then - yell "$@" - fi -} - -########################### Options ########################################### - -verbose=false -if [ "$1" = '-v' ] ; then - verbose=true - shift -fi - -########################### arguments ########################################## - -if [ "$#" -ne 1 ] ; then - die "Usage: $0 [options] - options : -v verbose" -fi - -name="$1" - -########################### script ############################################ - -while true ; do - if "$verbose" ; then - say "Querying $name" - fi - while read line ; do - if [[ "$line" = *"is an alias for "* ]] ; then - name="$(echo "$line" | cut -d ' ' -f 6)" - break - elif [[ "$line" = *" has address "* ]] ; then - echo "$line" | cut -d ' ' -f 4 - exit 0 - elif [[ "$line" = *" not found: "* ]] ; then - exit 0 - elif [[ "$line" = *" has no A record" ]] ; then - exit 0 - else - say "unmatched: $line" - fi - done <<< "$(host -W 2 -t A "$name" localhost)" -done - diff --git a/provisioning/roles/jean-cloud-common/files/bin/template.sh b/provisioning/roles/jean-cloud-common/files/bin/template.sh deleted file mode 100755 index 4071401..0000000 --- a/provisioning/roles/jean-cloud-common/files/bin/template.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash -if [ "$#" -ne 1 ] ; then - echo "Usage: $0 " >&2 - echo "This script read env_file variables and replace theire occurences in stdin" >&2 - exit 1 -fi - -bash -c 'set -a && . '"$1"' && envsubst "$(cat '"$1"' | grep -o ^.*= | sed "s/=//" | sed "s/^/$/")"' 
diff --git a/provisioning/roles/jean-cloud-common/files/bind/db.amaglio.fr b/provisioning/roles/jean-cloud-common/files/bind/db.amaglio.fr deleted file mode 100644 index eedb24f..0000000 --- a/provisioning/roles/jean-cloud-common/files/bind/db.amaglio.fr +++ /dev/null @@ -1,22 +0,0 @@ -$TTL 604800 -@ IN SOA ns1.jean-cloud.net. contact.dahus.net. ( - 2023041900 ; Serial - 604800 ; Refresh - 86400 ; Retry - 2419200 ; Expire - 7200 ) ; Negative Cache TTL (min before refresh) - -@ IN NS ns1.jean-cloud.net. -@ IN NS ns2.he.net. -@ IN NS ns3.he.net. -@ IN NS ns4.he.net. -@ IN NS ns5.he.net. -@ IN A 51.255.33.248 - -@ IN MX 10 mail.amaglio.fr. - -mail IN A 91.216.107.37 -imap IN CNAME mail.amaglio.fr. -pop IN CNAME mail.amaglio.fr. -smtp IN CNAME mail.amaglio.fr. - diff --git a/provisioning/roles/jean-cloud-common/files/bind/db.collectif-arthadie.fr b/provisioning/roles/jean-cloud-common/files/bind/db.collectif-arthadie.fr deleted file mode 100644 index ebb5877..0000000 --- a/provisioning/roles/jean-cloud-common/files/bind/db.collectif-arthadie.fr +++ /dev/null @@ -1,30 +0,0 @@ -$TTL 604800 -@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. ( - 2020031104 ; Serial - 7200 ; Refresh - 7200 ; Retry - 2419200 ; Expire - 7200 ) ; Negative Cache TTL - -; NS -@ IN NS ns1.jean-cloud.net. -@ IN NS ns2.he.net. -@ IN NS ns3.he.net. -@ IN NS ns4.he.net. -@ IN NS ns5.he.net. - -@ IN A 51.255.33.248 - -@ 10800 IN MX 10 spool.mail.gandi.net. -@ 10800 IN MX 50 fb.mail.gandi.net. -@ 10800 IN TXT "v=spf1 include:_mailcust.gandi.net ?all" - -collectif-arthadie.fr. IN CAA 0 issue "letsencrypt.org" -collectif-arthadie.fr. IN CAA 0 issuewild ";" - -wordpress IN CNAME vandamme.jean-cloud.net. -www.wordpress IN CNAME vandamme.jean-cloud.net. -www IN CNAME vandamme.jean-cloud.net. - -www.wordpress.collectif-arthadie.fr IN CAA 0 issue "letsencrypt.org" -www.wordpress.collectif-arthadie.fr IN CAA 0 issuewild ";" 
diff --git a/provisioning/roles/jean-cloud-common/files/bind/db.compagnienouvelle.fr b/provisioning/roles/jean-cloud-common/files/bind/db.compagnienouvelle.fr deleted file mode 100644 index 1462ebf..0000000 --- a/provisioning/roles/jean-cloud-common/files/bind/db.compagnienouvelle.fr +++ /dev/null @@ -1,16 +0,0 @@ -$TTL 604800 -@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. ( - 2023042100 ; Serial - 604800 ; Refresh - 86400 ; Retry - 2419200 ; Expire - 7200 ) ; Negative Cache TTL (min before refresh) - -@ IN NS ns1.jean-cloud.net. -@ IN NS ns2.he.net. -@ IN NS ns3.he.net. -@ IN NS ns4.he.net. -@ IN NS ns5.he.net. - -@ IN A 172.104.154.21 -@ IN AAAA 2a01:7e01::f03c:92ff:fecf:e815 diff --git a/provisioning/roles/jean-cloud-common/files/bind/db.gypsylyonfestival.com b/provisioning/roles/jean-cloud-common/files/bind/db.gypsylyonfestival.com deleted file mode 100644 index a7c86a2..0000000 --- a/provisioning/roles/jean-cloud-common/files/bind/db.gypsylyonfestival.com +++ /dev/null @@ -1,30 +0,0 @@ -$TTL 604800 -@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. ( - 2023020400 ; Serial - 7200 ; Refresh - 7200 ; Retry - 2419200 ; Expire - 7200 ) ; Negative Cache TTL - -; NS -@ IN NS ns1.jean-cloud.net. -@ IN NS ns2.jean-cloud.net. -@ IN NS ns1.he.net. -@ IN NS ns2.he.net. -@ IN NS ns3.he.net. -@ IN NS ns4.he.net. -@ IN NS ns5.he.net. - -@ IN A 51.195.40.128 -@ IN AAAA 2001:41d0:701:1100::31f - - - -; Resolving nameserver -ns1 IN A 51.255.33.248 -ns2 IN A 172.104.154.21 - -tetede IN A 51.255.33.248 -tetede IN AAAA 2001:41d0:701:1100::31f - - diff --git a/provisioning/roles/jean-cloud-common/files/bind/db.hid b/provisioning/roles/jean-cloud-common/files/bind/db.hid deleted file mode 100644 index ae7cbf8..0000000 --- a/provisioning/roles/jean-cloud-common/files/bind/db.hid +++ /dev/null 
@@ -1,19 +0,0 @@ -$TTL 604800 -@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. ( - 2023040300 ; Serial - 7200 ; Refresh - 7200 ; Retry - 2419200 ; Expire - 7200 ) ; Negative Cache TTL - -; NS -@ IN NS ns1.jean-cloud.net. -@ IN NS ns2.jean-cloud.net. - - -; Resolving nameserver -ns1 IN A 51.255.33.248 -ns2 IN A 172.104.154.21 - -radiodemo IN CNAME montbonnot.jean-cloud.net - diff --git a/provisioning/roles/jean-cloud-common/files/bind/db.inurbe.fr b/provisioning/roles/jean-cloud-common/files/bind/db.inurbe.fr deleted file mode 100644 index 35317e7..0000000 --- a/provisioning/roles/jean-cloud-common/files/bind/db.inurbe.fr +++ /dev/null @@ -1,15 +0,0 @@ -$TTL 604800 -@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. ( - 2023042100 ; Serial - 604800 ; Refresh - 86400 ; Retry - 2419200 ; Expire - 7200 ) ; Negative Cache TTL (min before refresh) - -@ IN NS ns1.jean-cloud.net. -@ IN NS ns2.he.net. -@ IN NS ns3.he.net. -@ IN NS ns4.he.net. -@ IN NS ns5.he.net. - -@ IN A 51.255.33.248 diff --git a/provisioning/roles/jean-cloud-common/files/bind/db.jean-cloud.net b/provisioning/roles/jean-cloud-common/files/bind/db.jean-cloud.net deleted file mode 100644 index 270ace7..0000000 --- a/provisioning/roles/jean-cloud-common/files/bind/db.jean-cloud.net +++ /dev/null 
@@ -1,148 +0,0 @@ -$TTL 604800 -@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. ( - 2023042100 ; Serial - 7200 ; Refresh - 7200 ; Retry - 2419200 ; Expire - 7200 ) ; Negative Cache TTL - -; NS -@ IN NS ns1.jean-cloud.net. -@ IN NS ns2.jean-cloud.net. -@ IN NS ns1.he.net. -@ IN NS ns2.he.net. -@ IN NS ns3.he.net. -@ IN NS ns4.he.net. -@ IN NS ns5.he.net. - -@ IN A 51.255.33.248 - -@ 10800 IN MX 10 spool.mail.gandi.net. -@ 10800 IN MX 50 fb.mail.gandi.net. -@ 10800 IN TXT "v=spf1 include:_mailcust.gandi.net ?all" - - -; Resolving nameserver -ns1 IN A 51.255.33.248 -ns2 IN A 172.104.154.21 - -;mail IN CNAME vandamme -webmail IN CNAME vandamme -vimbadmin IN CNAME vandamme - -www IN CNAME vandamme - -; Naming nodes -vandamme IN A 51.255.33.248 - -local-adrian IN A 193.33.56.94 - -francois IN A 54.38.189.153 - -nougaro IN A 172.104.154.21 -nougaro IN AAAA 2a01:7e01::f03c:92ff:fecf:e815 - -tetede IN AAAA 2001:41d0:701:1100::31f -tetede IN A 51.195.40.128 - -carcasse IN A 109.18.84.200 -carcasse IN AAAA 2a02:8434:1633:df01:adf9:74c3:b444:262f - -gigi IN A 51.77.156.235 -gigi IN AAAA 2001:41d0:305:2100::10e1 - -max IN A 82.65.204.254 -max IN AAAA 2a01:e0a:c9d:81d0:a2b3:ccff:fe85:af97 - -montbonnot IN A 188.114.97.2 -montbonnot IN A 188.114.96.2 -montbonnot IN AAAA 2a06:98c1:3120::2 -montbonnot IN AAAA 2a06:98c1:3121::2 - - -; Carcasse -dumbcluster IN A 109.18.84.200 -dumbcluster IN AAAA 2a02:8434:1633:df01:226:2dff:fe11:56af -; Tetede -dumbcluster IN A 51.195.40.128 -dumbcluster IN AAAA 2001:41d0:701:1100::31f - -; services -team IN CNAME tetede - -nuage IN CNAME vandamme -www.nuage IN CNAME vandamme -calc.nuage IN CNAME vandamme -pad.nuage IN CNAME vandamme - -feteducourt IN CNAME vandamme -www.feteducourt IN CNAME vandamme -feteducourt2020 IN CNAME vandamme -www.feteducourt2020 IN CNAME vandamme - -git IN CNAME vandamme -www.git IN CNAME vandamme - -wiki-cgr IN CNAME vandamme -www.wiki-cgr IN CNAME vandamme -parsoid-wiki-cgr IN CNAME vandamme -www.parsoid-wiki-cgr IN 
CNAME vandamme - -cousinades IN CNAME vandamme -www.cousinades IN CNAME vandamme - -cousinadesi2 IN CNAME vandamme -www.cousinades2 IN CNAME vandamme - -velov IN CNAME vandamme -www.velov IN CNAME vandamme - -registry IN CNAME vandamme -www.registry IN CNAME vandamme - -inurbe IN CNAME vandamme -www.inurbe IN CNAME vandamme - -gmx-webmail IN CNAME vandamme -www.gmx-webmail IN CNAME vandamme - -rpnow IN CNAME vandamme -www.rpnow IN CNAME vandamme -test.rpnow IN CNAME vandamme -www.test.rpnow IN CNAME vandamme - -lalis IN CNAME vandamme -www.lalis IN CNAME vandamme - -metamorphose IN CNAME vandamme -www.metamorphose IN CNAME vandamme - -static IN CNAME vandamme -www.static IN CNAME vandamme - -;educloud IN CNAME tetede -;www.educloud IN CNAME tetede -;educloud2 IN CNAME tetede -;www.educloud2 IN CNAME tetede - -copaines IN CNAME tetede -www.copaines IN CNAME tetede -wordpress.copaines IN CNAME tetede -www.wordpress.copaines IN CNAME tetede - -feministesucl34 IN CNAME tetede -www.feministesucl34 IN CNAME tetede -wordpress.feministesucl34 IN CNAME tetede -www.wordpress.feministesucl34 IN CNAME tetede - -tracker IN CNAME tetede - -raplacgr IN CNAME tetede - -walou IN CNAME dumbcluster - -nc-backup IN CNAME tetede - -gypsy IN CNAME tetede - -shlago.wireguard.jean-cloud.net IN CNAME teted diff --git a/provisioning/roles/jean-cloud-common/files/bind/db.jean-cloud.org b/provisioning/roles/jean-cloud-common/files/bind/db.jean-cloud.org deleted file mode 100644 index 045c973..0000000 --- a/provisioning/roles/jean-cloud-common/files/bind/db.jean-cloud.org +++ /dev/null 
@@ -1,20 +0,0 @@ -$TTL 604800 -@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. ( - 2021060600 ; Serial - 604800 ; Refresh - 86400 ; Retry - 2419200 ; Expire - 604800 ) ; Negative Cache TTL - -@ IN NS ns1.jean-cloud.net. -@ IN NS ns2.jean-cloud.net. - - -@ IN A 51.255.33.248 - -@ 10800 IN MX 10 spool.mail.gandi.net. -@ 10800 IN MX 50 fb.mail.gandi.net. -@ 10800 IN TXT "v=spf1 include:_mailcust.gandi.net ?all" - -ns1 IN A 51.255.33.248 - diff --git a/provisioning/roles/jean-cloud-common/files/bind/db.karnaval.fr b/provisioning/roles/jean-cloud-common/files/bind/db.karnaval.fr deleted file mode 100644 index a620992..0000000 --- a/provisioning/roles/jean-cloud-common/files/bind/db.karnaval.fr +++ /dev/null @@ -1,27 +0,0 @@ -$TTL 604800 -@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. ( - 2023020700 ; Serial - 7200 ; Refresh - 7200 ; Retry - 2419200 ; Expire - 7200 ) ; Negative Cache TTL - -; NS -@ IN NS ns1.jean-cloud.net. -@ IN NS ns2.jean-cloud.net. -@ IN NS ns1.he.net. -@ IN NS ns2.he.net. -@ IN NS ns3.he.net. -@ IN NS ns4.he.net. -@ IN NS ns5.he.net. - -@ IN A 51.178.80.171 - - -; Resolving nameserver -ns1 IN A 51.255.33.248 -ns2 IN A 172.104.154.21 - -benevoles IN A 51.178.80.171 -benevoles31 IN A 51.178.80.171 - diff --git a/provisioning/roles/jean-cloud-common/files/bind/db.lalis.fr b/provisioning/roles/jean-cloud-common/files/bind/db.lalis.fr deleted file mode 100644 index 35317e7..0000000 --- a/provisioning/roles/jean-cloud-common/files/bind/db.lalis.fr +++ /dev/null @@ -1,15 +0,0 @@ -$TTL 604800 -@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. ( - 2023042100 ; Serial - 604800 ; Refresh - 86400 ; Retry - 2419200 ; Expire - 7200 ) ; Negative Cache TTL (min before refresh) - -@ IN NS ns1.jean-cloud.net. -@ IN NS ns2.he.net. -@ IN NS ns3.he.net. -@ IN NS ns4.he.net. -@ IN NS ns5.he.net. - -@ IN A 51.255.33.248 
diff --git a/provisioning/roles/jean-cloud-common/files/bind/db.leida.fr b/provisioning/roles/jean-cloud-common/files/bind/db.leida.fr deleted file mode 100644 index 35317e7..0000000 --- a/provisioning/roles/jean-cloud-common/files/bind/db.leida.fr +++ /dev/null @@ -1,15 +0,0 @@ -$TTL 604800 -@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. ( - 2023042100 ; Serial - 604800 ; Refresh - 86400 ; Retry - 2419200 ; Expire - 7200 ) ; Negative Cache TTL (min before refresh) - -@ IN NS ns1.jean-cloud.net. -@ IN NS ns2.he.net. -@ IN NS ns3.he.net. -@ IN NS ns4.he.net. -@ IN NS ns5.he.net. - -@ IN A 51.255.33.248 diff --git a/provisioning/roles/jean-cloud-common/files/bind/db.metamorphosemagazine.fr b/provisioning/roles/jean-cloud-common/files/bind/db.metamorphosemagazine.fr deleted file mode 100644 index 35317e7..0000000 --- a/provisioning/roles/jean-cloud-common/files/bind/db.metamorphosemagazine.fr +++ /dev/null @@ -1,15 +0,0 @@ -$TTL 604800 -@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. ( - 2023042100 ; Serial - 604800 ; Refresh - 86400 ; Retry - 2419200 ; Expire - 7200 ) ; Negative Cache TTL (min before refresh) - -@ IN NS ns1.jean-cloud.net. -@ IN NS ns2.he.net. -@ IN NS ns3.he.net. -@ IN NS ns4.he.net. -@ IN NS ns5.he.net. - -@ IN A 51.255.33.248 diff --git a/provisioning/roles/jean-cloud-common/files/bind/db.oma-radio.fr b/provisioning/roles/jean-cloud-common/files/bind/db.oma-radio.fr deleted file mode 100644 index ada3e54..0000000 --- a/provisioning/roles/jean-cloud-common/files/bind/db.oma-radio.fr +++ /dev/null 
@@ -1,58 +0,0 @@ -$TTL 604800 -@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. ( - 2023042200 ; Serial - 604800 ; Refresh - 7200 ; Retry - 2419200 ; Expire - 604800 ) ; Negative Cache TTL - -@ IN NS ns1.jean-cloud.net. -@ IN NS ns5.he.net. -@ IN NS ns4.he.net. -@ IN NS ns3.he.net. -@ IN NS ns2.he.net. - -@ IN A 51.255.33.248 - -@ IN MX 1 mx1.mail.ovh.net. -@ IN MX 5 mx2.mail.ovh.net. -@ IN MX 10 mx3.mail.ovh.net. - -www IN CNAME vandamme.jean-cloud.net. - -www.registry IN CNAME nougaro.jean-cloud.net. -registry IN CNAME nougaro.jean-cloud.net. -services IN CNAME nougaro.jean-cloud.net. - -radionimaitre IN CNAME tetede.jean-cloud.net. -www.radionimaitre IN CNAME tetede.jean-cloud.net. -paj IN CNAME nougaro.jean-cloud.net. -www.paj IN CNAME nougaro.jean-cloud.net. -radiodemo IN CNAME tetede.jean-cloud.net. -radiodemo-back IN CNAME montbonnot.jean-cloud.net. - - -_autodiscover._tcp IN SRV 0 0 443 mailconfig.ovh.net. -_imaps._tcp IN SRV 0 0 993 ssl0.ovh.net. -_submission._tcp IN SRV 0 0 465 ssl0.ovh.net. -;autoconfig IN SRV mailconfig.ovh.net. -imap IN CNAME ssl0.ovh.net. -smtp IN CNAME ssl0.ovh.net. -mail IN CNAME ssl0.ovh.net. -pop3 IN CNAME ssl0.ovh.net. - -stream.paj.ports IN TXT 9002 -control.paj.ports IN TXT 9492 - -pa1.studios IN CNAME carcasse.jean-cloud.net. -montpellier1.studios IN CNAME tetede.jean-cloud.net. - -npm IN CNAME vandamme.jean-cloud.net. -www.npm IN CNAME vandamme.jean-cloud.net. - -static IN CNAME vandamme.jean-cloud.net. -www.static IN CNAME vandamme.jean-cloud.net. - -discordbot IN CNAME vandamme.jean-cloud.net. -www.discordbot IN CNAME vandamme.jean-cloud.net. - diff --git a/provisioning/roles/jean-cloud-common/files/bind/named.conf.local b/provisioning/roles/jean-cloud-common/files/bind/named.conf.local deleted file mode 100644 index b4bcb9d..0000000 --- a/provisioning/roles/jean-cloud-common/files/bind/named.conf.local +++ /dev/null 
@@ -1,78 +0,0 @@ -// -// Do any local configuration here -// - -// Consider adding the 1918 zones here, if they are not used in your -// organization -//include "/etc/bind/zones.rfc1918"; - - - -zone "oma-radio.fr"{ - allow-update { none; }; # We are primary DNS - type master; - file "/etc/bind/db.oma-radio.fr"; -}; -zone "jean-cloud.net"{ - allow-update { none; }; # We are primary DNS - type master; - file "/etc/bind/db.jean-cloud.net"; -}; -zone "jean-cloud.org"{ - allow-update { none; }; # We are primary DNS - type master; - file "/etc/bind/db.jean-cloud.org"; -}; -zone "karnaval.fr"{ - allow-update { none; }; # We are primary DNS - type master; - file "/etc/bind/db.karnaval.fr"; -}; -zone "amaglio.fr"{ - allow-update { none; }; # We are primary DNS - type master; - file "/etc/bind/db.amaglio.fr"; -}; -zone "collectif-arthadie.fr"{ - allow-update { none; }; # We are primary DNS - type master; - file "/etc/bind/db.collectif-arthadie.fr"; -}; -zone "gypsylyonfestival.com"{ - allow-update { none; }; # We are primary DNS - type master; - file "/etc/bind/db.gypsylyonfestival.com"; -}; -zone "hid"{ - allow-update { none; }; # We are primary DNS - type master; - file "/etc/bind/db.hid"; -}; -zone "compagnienouvelle.fr"{ - allow-update { none; }; # We are primary DNS - type master; - file "/etc/bind/db.compagnienouvelle.fr"; -}; -zone "inurbe.fr"{ - allow-update { none; }; # We are primary DNS - type master; - file "/etc/bind/db.inurbe.fr"; -}; -zone "lalis.fr"{ - allow-update { none; }; # We are primary DNS - type master; - file "/etc/bind/db.lalis.fr"; -}; -zone "leida.fr"{ - allow-update { none; }; # We are primary DNS - type master; - file "/etc/bind/db.leida.fr"; -}; -zone "metamorphosemagazine.fr"{ - allow-update { none; }; # We are primary DNS - type master; - file "/etc/bind/db.metamorphosemagazine.fr"; -}; - - - 
diff --git a/provisioning/roles/jean-cloud-common/files/bind/named.conf.options b/provisioning/roles/jean-cloud-common/files/bind/named.conf.options
deleted file mode 100644
index 19db25e..0000000
--- a/provisioning/roles/jean-cloud-common/files/bind/named.conf.options
+++ /dev/null
@@ -1,18 +0,0 @@
-options {
- directory "/var/cache/bind";
- dnssec-validation auto;
-
- auth-nxdomain no; # conform to RFC1035
- listen-on { any; };
- listen-on-v6 { any; };
- allow-update { none; };
- allow-recursion { none; };
- allow-recursion-on { none; };
- recursion no;
- notify yes;
- allow-transfer {
- none;
- #216.218.133.2; 2001:470:600::2; //he.net
- #172.104.154.21; 2a01:7e01::f03c:92ff:fecf:e815; // nougaro
- };
-};
diff --git a/provisioning/roles/sysadmins/.travis.yml b/provisioning/roles/sysadmins/.travis.yml
new file mode 100644
index 0000000..36bbf62
--- /dev/null
+++ b/provisioning/roles/sysadmins/.travis.yml
@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+ apt:
+ packages:
+ - python-pip
+
+install:
+ # Install ansible
+ - pip install ansible
+
+ # Check ansible version
+ - ansible --version
+
+ # Create ansible.cfg with correct roles_path
+ - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+ # Basic role syntax check
+ - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+ webhooks: https://galaxy.ansible.com/api/v1/notifications/
\ No newline at end of file
diff --git a/provisioning/roles/sysadmins/README.md b/provisioning/roles/sysadmins/README.md
new file mode 100644
index 0000000..225dd44
--- /dev/null
+++ b/provisioning/roles/sysadmins/README.md
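Review bot: The `install:` step `- pip install ansible` is unpinned, so this CI job runs against whatever Ansible release PyPI serves that day and the `--syntax-check` verdict can change with no commit to this role; pin it, e.g. `- pip install 'ansible==X.Y.Z'` with the version the role is actually tested against. `python: "2.7"` is end-of-life and recent Ansible releases no longer run on it, so if the Travis job is kept at all it should move to a supported Python 3 and pin that too. `notifications.webhooks` posts build results to Galaxy, which is harmless but worth confirming is intended for a private infrastructure repository.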
@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+ - hosts: servers
+ roles:
+ - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).
diff --git a/provisioning/roles/sysadmins/files/git_key b/provisioning/roles/sysadmins/files/git_key
new file mode 100644
index 0000000..dfc3c03
--- /dev/null
+++ b/provisioning/roles/sysadmins/files/git_key
@@ -0,0 +1,38 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn +NhAAAAAwEAAQAAAYEA32dBmidg3toPfxHT04AOVDB7LLbyfcQS2Jn/8XNL4K0ptfgXCwYn +L7CvWi8CmVgnWfnor4rCtCPxg8xr0NS6biuV6fFkNfg4zini8RDms+SjG39cCeQ5ZiqYWK +7spP+SK9OHs+w1+6sRRbmkSWxRIXpjDK6xqoPOQWDLJqFSd9xQFaO1CR9tR4BrS6i4UftB +ompDqeae5wkBjTLs42wv60pRFwrMyo4616RWidDchHF3ykNHT2A1rgmQfqgLsOYsgo45Bp +6ejsv7Q71oTdq7yh9rYHznlZug7COEqumuAWctgLawk4YKrmXppBhwrmAZgpvn461Fkb2r +nDvjwn4SoZbQPPOuVBn94/uZ7eh64uij8lESNWs0hIByDvESOD8Bs1oETZdQERy4uV1vCx +I23KYeBBG1rsPFAh0U+DDZuhJjR1KRfo96yJXIMSAx+2Nc/kgfaB1Q1h+b4mjC3koXqE1s +K5XtoEuXzr9ojWRAEp+0D9GvBQmbZs4WIjdw2+wNAAAFiGHhtNdh4bTXAAAAB3NzaC1yc2 +EAAAGBAN9nQZonYN7aD38R09OADlQweyy28n3EEtiZ//FzS+CtKbX4FwsGJy+wr1ovAplY +J1n56K+KwrQj8YPMa9DUum4rlenxZDX4OM4p4vEQ5rPkoxt/XAnkOWYqmFiu7KT/kivTh7 +PsNfurEUW5pElsUSF6YwyusaqDzkFgyyahUnfcUBWjtQkfbUeAa0uouFH7QaJqQ6nmnucJ +AY0y7ONsL+tKURcKzMqOOtekVonQ3IRxd8pDR09gNa4JkH6oC7DmLIKOOQaeno7L+0O9aE +3au8ofa2B855WboOwjhKrprgFnLYC2sJOGCq5l6aQYcK5gGYKb5+OtRZG9q5w748J+EqGW +0DzzrlQZ/eP7me3oeuLoo/JREjVrNISAcg7xEjg/AbNaBE2XUBEcuLldbwsSNtymHgQRta +7DxQIdFPgw2boSY0dSkX6PesiVyDEgMftjXP5IH2gdUNYfm+Jowt5KF6hNbCuV7aBLl86/ +aI1kQBKftA/RrwUJm2bOFiI3cNvsDQAAAAMBAAEAAAGBANmSJE/PXgZrdIAaiqQGqO3RMY +TAv7VASeJtSNiLozAzNNYlwbtYyL0nY/9+nRdexSRZwQWFLE5oWwQzCCWfp9k31Y67Kw9s +qVYPcRe5kBVO7JMRHD/95vDbNvfXlFy1ElRgdF8EAycQ2YeAXsGrHfBu0xw83obkSvFdJT +yADGLzS4Nnph42XyUtqlFLBgfBnZBh0XgcRFFZcgtjt1VdveV2wTahrATxM9lkEWuy37CV +GUcA8ugZGO5gHjtbydcEsi6pqpqM3dzqUgYvP1B5/3EiFe8fDpmxYJ6sviT9ml7JVZcQur +z+UwV3+ADosNqX9375a8BKycPKjbWsaw06kF+NyHq9+5ULEZnWDd/FNYxmUKOEICJm83Ym +r27EtRBUbjWa8iRgkjA4x6cXRhtMuuHRowseSLlOfWVU6wgJsA6tupGUoZl1JgcIy4tCGT +nl6Bk+Lh13HrADUPDpEV+0qbwFESGdyYhPpwqCuoNpXcd6ax6iPJeRePVMgLlT3H+2AQAA +AMEA5/IohVYLNizy1qEDImqx5ZW9gwXveoheHPzj6L84OGMIepmS8HV3B/o8PfANL5qF0D +4PPEURyvrStqWa9/PktaBlsAfJky38U1XW+xtHQ9wOJ9dkusyadXpLnyjuHhJMogCkdgJ1 +/N/8XI3X7YTCBc8Mm4+r40px809mWnsZJFLzKCuTo4Qit7BVtWlp4gwOh+sBkTbhZ71WQB 
+YkUFV7qBMB9MKYLVkRkTmjAyv0nzw9lGyMfiOCavCsmmbTVW8hAAAAwQDzVGv26H6ANM4g +K5T9PqUe0ShZRYmRZV/bg3jhO61LhZ9cmNvMAh+K43uhCpypX1RXfWVWKC4d4pRILov1Wu +Y3fltPbNomfIsvXa9mroxDuBC/Fc1NAHhogiOvtmCiud1eBGACoOL34tTp+iohC7/HxLds +hAJ5SvoU7xcH5kx8zBNrbMfRBcKdMv1F25tyFhKIa4gphXKikwasFJsEtaZX/2KvNKj2n2 +59wvTQzc93ws0UgUJdzxPFRJJTqOElREEAAADBAOsJN0LgbC1D49+tC6MZyma6qg4zBUKY +/kyZSdRdooROtuoRxnIL88l8GkbaAA/ozPhKEMO8tOLiaLVrmrZv7YHGeUYHiZZYXJX1ea ++m4QjSTGyj+rAfoIzNshXUQ42CIa+diMPCml7V4/iXkxm2KHlBWqsnS1P9bjP+s7FluKC6 +2xaYrWy6DYluKECnS2FI2tUSSIky+iD2bUNAeBCeCflYX19kuqGQ0166egRmPXRZckzdz9 +oJ3ABVQr4eKyNEzQAAAA5pbHlhQGFzdXMteDUzcwECAw== +-----END OPENSSH PRIVATE KEY----- diff --git a/provisioning/roles/sysadmins/files/git_key.pub b/provisioning/roles/sysadmins/files/git_key.pub new file mode 100644 index 0000000..0028895 --- /dev/null +++ b/provisioning/roles/sysadmins/files/git_key.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDfZ0GaJ2De2g9/EdPTgA5UMHsstvJ9xBLYmf/xc0vgrSm1+BcLBicvsK9aLwKZWCdZ+eivisK0I/GDzGvQ1LpuK5Xp8WQ1+DjOKeLxEOaz5KMbf1wJ5DlmKphYruyk/5Ir04ez7DX7qxFFuaRJbFEhemMMrrGqg85BYMsmoVJ33FAVo7UJH21HgGtLqLhR+0GiakOp5p7nCQGNMuzjbC/rSlEXCszKjjrXpFaJ0NyEcXfKQ0dPYDWuCZB+qAuw5iyCjjkGnp6Oy/tDvWhN2rvKH2tgfOeVm6DsI4Sq6a4BZy2AtrCThgquZemkGHCuYBmCm+fjrUWRvaucO+PCfhKhltA8865UGf3j+5nt6Hri6KPyURI1azSEgHIO8RI4PwGzWgRNl1ARHLi5XW8LEjbcph4EEbWuw8UCHRT4MNm6EmNHUpF+j3rIlcgxIDH7Y1z+SB9oHVDWH5viaMLeSheoTWwrle2gS5fOv2iNZEASn7QP0a8FCZtmzhYiN3Db7A0= adrian@amaglio.fr diff --git a/provisioning/roles/sysadmins/tasks/main.yml b/provisioning/roles/sysadmins/tasks/main.yml new file mode 100644 index 0000000..7d68ec8 --- /dev/null +++ b/provisioning/roles/sysadmins/tasks/main.yml 
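Review bot: `files/git_key` is an OpenSSH private key committed in plaintext — the header bytes `b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQ` decode to cipher `none` / kdf `none`, so there is no passphrase protecting it — and its public half matches the `git_key.pub` added alongside it, meaning anyone with read access to this repository or any clone of it now holds a usable credential. Nothing in the visible `tasks/main.yml` consumes it (only a commented-out lookup of `git_key.pub`), so it appears to be unused as well as exposed. Treat the pair as compromised: delete both files, remove the public key from every `authorized_keys` it was installed in (the git server at `git.jean-cloud.net` is the obvious candidate), and generate a fresh pair; rewriting git history afterwards does not undo the exposure. If the role genuinely needs to deploy a private key, keep it out of `files/` — store it encrypted with `ansible-vault` or deliver it out-of-band — and install it with `mode: '0600'`.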
@@ -0,0 +1,38 @@
+---
+# tasks file for sysadmin
+bloc:
+
+- name: add user
+ user:
+ name: "{{ item.username }}"
+ uid: "{{ item.uid }}" # Why ask for a specific UID?
+ home: "{{ item.home }}"
+ group: "{{ item.username }}"
+ groups: "{{ item.groups }}"
+ state: present
+
+
+- name: create ssh dir
+ file:
+ path: "{{ item.home }}/.ssh"
+ owner: "{{item.username}}"
+ mode: '0700'
+ state: directory
+
+- name: add git ssh server in authorized_keys
+ ansible.builtin.known_hosts:
+ path: "{{item.home}}/.ssh/known_hosts"
+ name: "[git.jean-cloud.net]:22529"
+ key: "[git.jean-cloud.net]:22529,[51.255.33.248]:22529 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBD5wYpMhqZ1DDgVKyX5tutlM8BHu2evhVsi2/5mpuqVYZU8LjI9oTVs6rxIV7FlgtHlPDpad5pTIk//bJxFGdA="
+# key: "{{ lookup('ansible.builtin.file', 'files/git_key.pub') }}"
+ state: present
+
+
+- name: Set authorized key
+ ansible.posix.authorized_key:
+ user: "{{ item.username }}"
+ state: present
+ key: "{{ item.public_ssh_key }}"
+
+with_items: "{{sysadmin}}"
+
diff --git a/provisioning/roles/sysadmins/vars/main.yml b/provisioning/roles/sysadmins/vars/main.yml
new file mode 100644
index 0000000..f53d2df
--- /dev/null
+++ b/provisioning/roles/sysadmins/vars/main.yml
@@ -0,0 +1,15 @@
+---
+# vars file for sysadmin-adrian
+sysadmin:
+ ad:
+ username: ad
+ full_name: Adrian Amaglio
+ home: /home/ad
+ groups: sudo sysdamins
+ ssh_public_key: ???
+ pn:
+ username: pn
+ full_name: Pieds-Nus
+ home: /home/pn
+ groups: sudo sysadmins
+ ssh_public_key: "ssh-rsa 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 pieds-nus@jean-cloud"
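Review bot: `bloc:` at the top of `tasks/main.yml` is not an Ansible keyword (`block:` is), and even as a block the trailing `with_items: "{{sysadmin}}"` is invalid because loops are not permitted on blocks, so this task file will not load; put `loop: "{{ sysadmin | dict2items | map(attribute='value') | list }}"` on each of the four tasks (or move them into a file driven by `include_tasks` with that loop) — the `dict2items` is needed because `sysadmin` is a mapping keyed by username, not a list, so a bare `with_items` would hand each task the whole dict as `item`. The last task reads `item.public_ssh_key` while `vars/main.yml` defines `ssh_public_key`, and `item.uid` is not defined there at all, so `add user` and `Set authorized key` would still fail once the loop is fixed; rename to `key: "{{ item.ssh_public_key }}"` and either drop `uid:` or make it `uid: "{{ item.uid | default(omit) }}"`. The `known_hosts` task is the right idea — it pins the git server's host key so first-use prompts and MITM on the first clone are avoided — but its name says "authorized_keys", which it is not; call it `pin git.jean-cloud.net host key in known_hosts` and delete the commented-out `git_key.pub` lookup, since a user public key never belongs in `known_hosts`.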
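Review bot: `ssh_public_key: ???` for `ad` is a placeholder rather than a key, and `groups: sudo sysdamins` both misspells the group and separates the two names with a space, whereas the `user` module splits `groups` on commas — so Ansible would try to add the account to a single group literally named `sudo sysdamins` (and `sudo sysadmins` for `pn`); since these are sudo-capable accounts, write `groups: [sudo, sysadmins]` and supply a real key before this role is ever applied. `tasks/main.yml` also reads `item.uid`, which neither entry defines, so the schema of these entries and the task file need to agree before either works. `vars/main.yml` is also one of the highest-precedence variable sources, so the set of sysadmins baked in here cannot be overridden from inventory or `group_vars`; if it is meant to differ per host group, move it to `defaults/main.yml` or inventory-level `group_vars` instead.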