pouloulou…

2023-09-13 10:46:02 +02:00 · 2023-09-13 10:46:02 +02:00 · 13a9891e71
commit 13a9891e71
parent f7ed1c51eb
25 changed files with 354 additions and 273 deletions
--- a/installing/debootstrap_ordis_portables.sh
+++ b/installing/debootstrap_ordis_portables.sh
@ -195,8 +195,14 @@ chroot_run locale-gen
 if [ -n "$data_device" ] ; then
-	section "Mounting data dir"
+	section "Mounting and encrypting data dir"
-	cryptsetup create --type plain dmcrypt-jeancloud "$data_device"	
+	run cryptsetup create --type plain dmcrypt-jeancloud "$data_device"	
 	run mkfs.ext4 dmcrypt-jeancloud
 	uuid="$(blkid | grep dmcrypt-jeancloud | grep -o 'UUID="[^"]\+"')"
 	if [ -z "$uuid" ] ; then
 		die "Error, unexpected empty uuid"
 	fi
 	line_in_file "$uuid	/data	ext4	rw,nofail	0	1" "$mnt/etc/fstab"
 fi
@ -210,15 +216,20 @@ line_in_file "proc /proc proc defaults" "$mnt/etc/fstab"
 run echo "$hostname" > "$mnt/etc/hostname"
 # Prenvent suspend on lid close
-line_in_file HandleLidSwitch=ignore /etc/systemd/logind.conf
+line_in_file HandleLidSwitch=ignore "$mnt/etc/systemd/logind.conf"
-# Fix path and remove noisy beep
+# Inform futur scripts that /data is not mounted
 touch "$mnt/data/mounted"
 # Fix path
 run cat > "$mnt/root/.bashrc" <<EOF
 PATH=$PATH:/usr/bin:/bin:/sbin:/usr/sbin:/sbin
 setterm -powerdown 0
 EOF
 # Be sure this fucking beep is gone
 echo 'set bell-style none' >> "$mnt/etc/inputrc"
-# TODO find a third method to kill this doomed beep
+# TODO find a second method to kill this doomed beep
 line_in_file '@reboot root shutdownscreen.sh' "$mnt/etc/crontab"
 # boot crypted
--- a/installing/notes
+++ b/installing/notes
@ -2,3 +2,6 @@ blatte :
 DO NOT REBOOT IT. it sometimes fails…
 -i 'firmware-amd-graphics firmware-realtek'
 raku :
 + ajouter nonfree dans les sources
 -i firmware-atheros
--- a/provisioning/inventory.ini
+++ b/provisioning/inventory.ini
@ -1,9 +1,14 @@
 [shlago]
 max.jean-cloud.org
 tetede.jean-cloud.org
 raku.jean-cloud.org
 [servers]
 #vandamme.jean-cloud.org
 #nougaro.jean-cloud.org
 #tetede.jean-cloud.org
 #carcasse.jean-cloud.org
 #benevoles.karnaval.fr
 #montbonnot.jean-cloud.org
 max.jean-cloud.org
 #blatte.jean-cloud.org
 max.jean-cloud.org
 tetede.jean-cloud.org
 raku.jean-cloud.org
--- a/provisioning/roles/deploy_all/files/bin/deploy_service.sh
+++ b/provisioning/roles/deploy_all/files/bin/deploy_service.sh
@ -131,15 +131,8 @@ if [ -f "/docker/$service/nginx_server.conf" ] ; then
    run template.sh "/docker/$service/.env" < "/docker/$service/nginx_server.conf" > "$new_nginx_conf_path/$service"
 fi
-# Do we need dummy cert?
+section "Add dummy cert if needed"
-if [ ! -e "$certs_path/$service/fullchain.pem" ] ; then
+dummy_cert.sh "$service" add
    section "Create cert dir"
    run mkdir -p "$certs_path/$service"
    section "Link dummy to cert"
    run ln -s "$dummy_cert_path/fullchain.pem" "$certs_path/$service"
    run ln -s "$dummy_cert_path/privkey.pem" "$certs_path/$service"
 fi
 section "Testing nginx conf"
 run nginx -t -c /etc/nginx/new_nginx.conf
--- a/provisioning/roles/deploy_all/files/bin/deployall.sh
+++ b/provisioning/roles/deploy_all/files/bin/deployall.sh
@ -11,12 +11,9 @@ set -euo pipefail
 #                       Variables
 ###############################################################################
-export proxy_dir="/etc/nginx"
+set -a
-export nginx_conf_path="$proxy_dir/sites-enabled"
+. /etc/jeancloud.env
-export new_nginx_conf_path="$proxy_dir/new-sites-enabled"
+set +a
 export certs_path="/etc/letsencrypt/live"
 export dummy_cert_path="$certs_path/dummy"
 ###############################################################################
 #                       Helpers
@ -50,14 +47,6 @@ run chown root:root /data
 run chmod 755 /docker
 run chmod 755 /data
 section "Check dummy cert exists "
 #TODO check if expired
 if [ ! -f "$dummy_cert_path/privkey.pem" ] ; then
    echo "Dummy cert generation"
    run mkdir -p "$dummy_cert_path"
    run openssl req -x509 -newkey rsa:2048 -keyout /etc/letsencrypt/live/dummy/privkey.pem -out /etc/letsencrypt/live/dummy/fullchain.pem -days 365 -nodes -subj "/C=FR/ST=France/O=IT/CN=jean-cloud.net"
 fi
 section "Create new conf directory"
 run mkdir -p "$new_nginx_conf_path"
--- a/provisioning/roles/deploy_all/files/bin/driglibash-base
+++ b/provisioning/roles/deploy_all/files/bin/driglibash-base
@ -150,8 +150,8 @@ clean() {
 # tells where your executable is (absolute path). Follow simlinks if any argument provided
 where() {
-  if [ -z "$1" ] ; then
+  if [ "$#" -lt 1 ] || [ -z "$1" ] ; then
-    echo "$( cd -P "$( dirname "$1" )" && pwd )"
+    echo "$( cd -P "$( dirname "$0" )" && pwd )"
  else
    SOURCE="$0"
    while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
--- a/provisioning/roles/deploy_all/files/bin/dummy_cert.sh
+++ b/provisioning/roles/deploy_all/files/bin/dummy_cert.sh
@ -0,0 +1,38 @@
 #!/bin/bash
 . driglibash-base
 . /etc/jeancloud.env
 if [ "$#" -ne 2 ] || [ -z "$1" ] || [ -z "$2" ] ; then
 	die "Usage: $0 <service-name> <action>"
 fi
 service="$1"
 action="$2"
 # Create dummy cert if needed
 #TODO check if expired
 if [ ! -f "$dummy_cert_path/privkey.pem" ] ; then
    echo "Dummy cert generation"
    run mkdir -p "$dummy_cert_path"
    run openssl req -x509 -newkey rsa:2048 -keyout /etc/letsencrypt/live/dummy/privkey.pem -out /etc/letsencrypt/live/dummy/fullchain.pem -days 365 -nodes -subj "/C=FR/ST=France/O=IT/CN=jean-cloud.net"
 fi
 if [ "$action" = add ] ; then
 	# Link letsencrypt dir to dummy cert dir if there is no cert
 	if [ ! -e "$certs_path/$service/fullchain.pem" ] ; then
 	    section "Create cert dir"
 	    run mkdir -p "$certs_path/$service"
 	    section "Link dummy to cert"
 	    run ln -s "$dummy_cert_path/fullchain.pem" "$certs_path/$service"
 	    run ln -s "$dummy_cert_path/privkey.pem" "$certs_path/$service"
 	fi
 elif [ "$action" = remove ] ; then
 	# UNlink letsencrypt dir to dummy cert dir IF it is the dummy cert
    if [ "$(readlink "$certs_path/$service_name/fullchain.pem")" = "$dummy_cert_path/fullchain.pem" ] ; then
        rm -r "$certs_path/$service_name"
    fi
 else
 	die "$0: Unknown action '$action'"
 fi
--- a/provisioning/roles/deploy_all/files/bin/git_update.sh
+++ b/provisioning/roles/deploy_all/files/bin/git_update.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 declare -A usage
 declare -A varia
@ -17,6 +18,10 @@ usage[i]="privkey used to ssh pull"
 varia[i]=privkey
 privkey=''
 usage[N]="Clone to a Non-empty target. Existing files will be overwriten"
 varia[N]=nonempty_target
 nonempty_target=false
 . driglibash-args
@ -35,16 +40,32 @@ fi
 cd "$dst"
 if [ -d .git ] ; then
-	git fetch origin "$branch"
+	run git fetch origin "$branch"
-	git checkout --force -B "$branch" "origin/$branch"
+	run git checkout --force -B "$branch" "origin/$branch"
-    git reset --hard
+    run git reset --hard
-	git clean -qffdx
+	# Preserve existing files in some cases
-	git submodule update --init --recursive --force --recommend-shallow
+	if ! "$nonempty_target" ; then
-	git submodule foreach git fetch
+		git clean -qffdx
-	git submodule foreach git checkout --force -B "$branch" "origin/$branch"
+	fi
-	git submodule foreach git reset --hard
+	run git submodule update --init --recursive --force --recommend-shallow
-	git submodule foreach git clean -fdx
+	run git submodule foreach git fetch
 	run git submodule foreach git checkout --force HEAD
 	run git submodule foreach git reset --hard
 	run git submodule foreach git clean -fdx
 else
-    git clone -b "$branch" --single-branch --recurse-submodules --shallow-submodules --depth 1 --config core.sshCommand="$ssh_opt" "$repo" .
+	clone_dst='.'
 	# To override an existing dir, we need to clone elsewhere first
 	if "$nonempty_target" ; then
 		clone_dst="$(mktemp -d)"
 	fi
    run git clone -b "$branch" --single-branch --recurse-submodules --shallow-submodules --depth 1 --config core.sshCommand="$ssh_opt" "$repo" "$clone_dst"
 	# To override an existing dir, we then move everything to that dir
 	if "$nonempty_target" ; then
 		run mv "$clone_dst/"{*,.*} .
 		run rmdir "$clone_dst"
 	fi
 fi
--- a/provisioning/roles/deploy_all/files/bin/letsencrypt.sh
+++ b/provisioning/roles/deploy_all/files/bin/letsencrypt.sh
@ -34,9 +34,7 @@ for file in "$nginx_sites_dir"* ; do
  domains="$(extract_domain_nginx_conf.sh "$file")"
  if [ -n "$domains" ] ; then
    # If using dummy cert, disabling it
-    if [ "$(readlink "/etc/letsencrypt/live/$service_name/fullchain.pem")" = "/etc/letsencrypt/live/dummy/fullchain.pem" ] ; then
+	dummy_cert.sh "$service_name" remove
        rm -r "/etc/letsencrypt/live/$service_name"
    fi
    echo "$domains"
    # adding -d before every domain
@ -71,8 +69,10 @@ for file in "$nginx_sites_dir"* ; do
      echo "     ------------------------------------------"
      echo "$out"
      echo "     ------------------------------------------"
 	  dummy_cert.sh "$service_name" add
    else
        echo "Unknown error : $result.\n$out"
 	    dummy_cert.sh "$service_name" add
    fi
  fi
 done
--- a/services/cousinades2.jean-cloud.net/Dockerfile
+++ b/services/cousinades2.jean-cloud.net/Dockerfile
@ -1,6 +0,0 @@
 FROM php:7.2-fpm-alpine
 #RUN apt-get update && apt-get install -y libpq-dev && docker-php-ext-install pdo pdo_pgsql
 RUN set -ex \
  && apk --no-cache add \
  postgresql-dev
 RUN docker-php-ext-install pdo_pgsql
--- a/services/cousinades2.jean-cloud.net/docker-compose.yml
+++ b/services/cousinades2.jean-cloud.net/docker-compose.yml
@ -1,35 +0,0 @@
 version: '3'
 services:
  app:
    build: .
    volumes:
      - /data/cousinades2.jean-cloud.net/public:/usr/src/app
    restart: unless-stopped
    networks:
      default:
        ipv4_address: 172.29.8.101
    deploy:
      resources:
        limits:
          cpus: '0.50'
          memory: 100M
  db:
    image: postgres:9.6-alpine
    volumes:
      - /data/cousinades2.jean-cloud.net/db:/var/lib/postgresql/data
    networks:
      default:
        ipv4_address: 172.29.8.101
    deploy:
      resources:
        limits:
          cpus: '0.50'
          memory: 100M
 networks:
  default:
    ipam:
      config:
        - subnet: 172.29.8.0/24
--- a/services/cousinades2.jean-cloud.net/nginx_server.conf
+++ b/services/cousinades2.jean-cloud.net/nginx_server.conf
@ -1,25 +0,0 @@
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  ssl_certificate /etc/letsencrypt/live/cousinades2.jean-cloud.net/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/cousinades2.jean-cloud.net/privkey.pem;
  server_name cousinades2.jean-cloud.net www.cousinades2.jean-cloud.net;
  index index.php;
  root /data/cousinades2.jean-cloud.net/public;
  location / {
    #auth_basic "Restricted";
    #auth_basic_user_file /data/cousinades2.jean-cloud.net/private/passwords.txt;
    try_files $uri $uri/ =404;
  }
  location ~ \.php$ {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass 172.29.8.100:9000;
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME /usr/src/app/$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
  }
 }
--- a/services/feteducourt.jean-cloud.net/deploy_http.sh
+++ b/services/feteducourt.jean-cloud.net/deploy_http.sh
@ -0,0 +1,4 @@
 #!/bin/bash
 set -euo pipefail
 git_update.sh -d "$HTTP_DIR" -b 2021 "https://git.jean-cloud.net/adrian/feteducourt-static.git"
--- a/services/feteducourt.jean-cloud.net/nginx_server.conf
+++ b/services/feteducourt.jean-cloud.net/nginx_server.conf
@ -1,20 +1,11 @@
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
-  ssl_certificate /etc/letsencrypt/live/feteducourt.jean-cloud.net/fullchain.pem;
+  ssl_certificate /etc/letsencrypt/live/$JC_SERVICE/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/feteducourt.jean-cloud.net/privkey.pem;
+  ssl_certificate_key /etc/letsencrypt/live/$JC_SERVICE/privkey.pem;
-  server_name feteducourt.jean-cloud.net www.feteducourt.jean-cloud.net;
+  server_name $JC_SERVICE www.$JC_SERVICE;
  #location /static {
  #  alias /data/feteducourt.jean-cloud.net/app/static;
  #  try_files $uri $uri/ =404;
  #}
  #location / {
  #  proxy_pass http://app.feteducourtjean-cloudnet.docker;
  #  proxy_set_header Host $host;
  #}
  location / {
-    root /data/feteducourt.jean-cloud.net/static;
+    root $HTTP_DIR;
    try_files $uri $uri/ =404;
  }
 }
--- a/services/feteducourt2020.jean-cloud.net/deploy_http.sh
+++ b/services/feteducourt2020.jean-cloud.net/deploy_http.sh
@ -0,0 +1,4 @@
 #!/bin/bash
 set -euo pipefail
 git_update.sh -d "$HTTP_DIR" -b 2020 "https://git.jean-cloud.net/adrian/feteducourt-static.git"
--- a/services/feteducourt2020.jean-cloud.net/nginx_server.conf
+++ b/services/feteducourt2020.jean-cloud.net/nginx_server.conf
@ -1,22 +1,11 @@
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
-  ssl_certificate /etc/letsencrypt/live/feteducourt2020.jean-cloud.net/fullchain.pem;
+  ssl_certificate /etc/letsencrypt/live/$JC_SERVICE/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/feteducourt2020.jean-cloud.net/privkey.pem;
+  ssl_certificate_key /etc/letsencrypt/live/$JC_SERVICE/privkey.pem;
-  server_name feteducourt2020.jean-cloud.net www.feteducourt2020.jean-cloud.net;
+  server_name $JC_SERVICE www.$JC_SERVICE;
  #location /static {
  #  alias /data/feteducourt2020.jean-cloud.net/app/static;
  #  try_files $uri $uri/ =404;
  #}
  #location / {
  #  proxy_pass http://app.feteducourt2020jean-cloudnet.docker;
  #  proxy_set_header Host $host;
  #}
  location / {
-    root /data/feteducourt2020.jean-cloud.net/static;
+    root $HTTP_DIR;
    try_files $uri $uri/ =404;
  }
 }
--- a/services/metamorphosemagazine.fr/nginx_server.conf
+++ b/services/metamorphosemagazine.fr/nginx_server.conf
@ -3,7 +3,7 @@ server {
  listen [::]:443 ssl http2;
  ssl_certificate /etc/letsencrypt/live/metamorphosemagazine.fr/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/metamorphosemagazine.fr/privkey.pem;
-  server_name metamorphosemagazine.fr;
+  server_name $JC_SERVICE www.$JC_SERVICE;
  location / {
          add_header Content-language fr;
          root $HTTP_DIR/src;
--- a/services/ns.jean-cloud.org/deploy.sh
+++ b/services/ns.jean-cloud.org/deploy.sh
@ -0,0 +1,13 @@
 #!/bin/bash
 set -euo pipefail
 cd ../ns1.jean-cloud.org
 . deploy.sh
 . .env
 # Do not run if primary exists
 [ -d "$DATA_DIR/keys" ] && echo 'ns1 found on this host. Aborting.' && exit 0
 export keydir=""
 run secondary
--- a/services/ns1.jean-cloud.org/deploy.sh
+++ b/services/ns1.jean-cloud.org/deploy.sh
@ -1,125 +1,56 @@
 #!/bin/bash
 . driglibash-base
 . "$(where)/helper_functions.sh"
 set -euo pipefail
 # Working variables
 debian_bind_workdir="/var/cache/bind"
 debian_bind_confdir="/etc/bind"
 keydir="$DATA_DIR/keys"
 # Install dependencies
 apt install -y bind9 &>/dev/null
 # Create Directories
 mkdir -p "$keydir"
 chown bind:bind "$keydir" -R
 chown bind:bind "$debian_bind_confdir" -R
 # Empty bind dir if it is not our git repo
 if [ ! -d "$debian_bind_confdir/.git" ] ; then
 	echo "lets delete $debian_bind_confdir"
 	rm -rf "$debian_bind_confdir/"{*,.*}
 fi
 # Sync the git repo
 sudo -u bind git_update.sh -b main -i "$DATA_DIR/gitkey" -d "$debian_bind_confdir" 'ssh://git@git.jean-cloud.net:22529/adrian/dnszones.git'
 cd /etc/bind
 sudo -u bind git status
 ### Generate zones from service directory ###
 servicefile="/docker/services.txt"
 # Function that simulate a DNS resolve by reading bind zone file
 # Returns all the record line:
 # @ IN A X.X.X.X
 fakeresolve () {
 	if [ "$#" -ne 1 ] ; then
 		die "Usage: fakeresolve <name>"
 	fi
 	name="$1"
 	zonefile="$debian_bind_confdir/db.jean-cloud.org"
 	shortname="$(echo "$name" | grep -Po '^.*(?=\.[^\.]+\.[^\.]+$)' || true)"
 	grep -v -e  '^[[:space:]]*;' "$zonefile"  |grep -oP "^[[:space:]]*$shortname\K[[:space:]]*IN[[:space:]]*A{1,4}[[:space:]]*[\S;]+" | sed 's/^/@/'
 }
 # Function that add DNS record in the right file
 addbindline () {
 	if [ "$#" -ne 2 ] ; then
 		die "Usage: addbindline <name> <target_cname>"
 	fi
 	name="$1"
 	target="$2"
 	# extract the truc.com part
 	domain="$(echo "$name" | grep -o '[^\.]\+\.[^\.]\+$' || true)"	
 	[ -z "$domain" ] && return 0
 	# extract the subdomain part (www)
 	shortname="$(echo "$name" | grep -Po '^.*(?=\.[^\.]+\.[^\.]+$)' || true)"
 	# bind DB file
 	bindfile="$debian_bind_confdir/db.$domain"
 	if [ -z "$shortname" ] ; then
 		# CNAME are forbiden for empty shortnames, so we must resolve the target IPs
 		while read line ; do
 			line_in_file "$line" "$bindfile"
 		done < <(fakeresolve "$target")
 	else
 		line_in_file "$shortname IN CNAME $target." "$bindfile"
 	fi
 	#XXX Add CAA records
 }
 autoconf_separator=";;; Autogeneration. Do not write under this line! ;;;"
 echo 'Prepare bind: Remove autogenerated part from bind conf files'
 sed -i -n "/$autoconf_separator/q;p" "$debian_bind_confdir"/*
-echo 'Put the separator back'
+# File that contain "service target" lines
-for file in $( ls "$debian_bind_confdir"/db.* | grep -v '.signed$\|.jbk$\|.jnl$') ; do
+# With service a symbolic dns name and target an existing server hostname
-	echo "$autoconf_separator" >> "$file"
+servicefile="/docker/services.txt"
 done
-for file in "$debian_bind_confdir"/db.* ; do
+# The bind file containing server declarations
-	domain="$(basename "$file" | sed 's/db.//')"
+server_zone_file="template.db.jean-cloud.org"
-	# TODO fill header too?
+# Where you want your DNS keys stored
 keydir="$DATA_DIR/keys"
-	# If no NS record in the db file
+# IP of primary servers
-	if [ -z "$(grep '[^;].*IN.*NS' "$file")" ] ; then
+primary_ips=""
-		echo -e "@ IN NS ns.jean-cloud.org\n" >> "$file"
+
 # IP of secondary servers (for zone transfer)
 secondary_ips="37.65.119.74"
 # NS name
 default_dns_name="shlago.jean-cloud.org."
 run () {
 	if [ "$#" -ne 1 ] ; then
 		die "Usage: run <primary|secondary>"
 	fi
-	echo -n "
+	prepare
-zone '$domain' {
+	primary_ips="$primary_ips;$(fakeresolve_ip_list raku)"
-    allow-update { none; };
+	secondary_ips="$secondary_ips;$(fakeresolve_ip_list shlago)"
    type master;
    file \"$file\";
 };" >> "$debian_bind_confdir/named.conf.local"
 done
-echo 'Find every used domain and add them to bind db'
+	if [ "$1" = "primary" ] ; then
-while read line ; do
+		create_primary_files
-	read -r service target <<<$(echo "$line")
+	else
-	addbindline "$service" "$target"
+		create_secondary_files
 	nginxfile="/docker/$service/nginx_server.conf"
 	if [ -f "$nginxfile" ] ; then
 		for name in $(extract_domain_nginx_conf.sh "$nginxfile" | template.sh "/docker/$service/.env") ; do
 			addbindline "$name" "$target"
 		done
 	fi
 done <"$servicefile"
 	restart
 }
-echo 'Restart bind9'
+main () {
-systemctl restart bind9
+	run primary
 }
 # Do not execute main if script is sourced
 ! (return 0 2>/dev/null) && main "$@" || true # return 0 whatever happends
--- a/services/ns1.jean-cloud.org/helper_functions.sh
+++ b/services/ns1.jean-cloud.org/helper_functions.sh
@ -0,0 +1,162 @@
 set -euo pipefail
 fakeresolve_ip_list () {
 	if [ "$#" -ne 1 ] ; then
 		die "Usage: fakeresolve_ip_list <name>"
 	fi
 	grep -oP "^$1[[:space:]]+IN[[:space:]]+A{1,4}[[:space:]]+\K[^;\s]+" "$debian_bind_confdir/$server_zone_file" | tr '\n' ';'
 }
 prepare () {
 	# Install dependencies
 	apt install -y bind9 &>/dev/null
 	# Create Directories
 	if [ -n "$keydir" ] ; then
 		mkdir -p "$keydir"
 		chown bind:bind "$keydir" -R
 		chown bind:bind "$debian_bind_confdir" -R
 	fi
 	# Sync the git repo
 	sudo -u bind git_update.sh -N -b main -i "$DATA_DIR/gitkey" -d "$debian_bind_confdir" 'ssh://git@git.jean-cloud.net:22529/adrian/dnszones.git'
 	cd /etc/bind
 	echo 'Prepare bind: Remove autogenerated part from bind conf files'
 	sed -i -n "/$autoconf_separator/q;p" "$debian_bind_confdir"/*
 	echo 'Put the separator back'
 	for file in $( ls "$debian_bind_confdir"/template.db.* | grep -v '.signed$\|.jbk$\|.jnl$') ; do
 		echo "$autoconf_separator" >> "$file"
 	done
 }
 restart () {
 	echo 'Restart bind9'
 	systemctl restart bind9
 }
 # Function that simulate a DNS resolve by reading bind zone file
 # Returns all the record line:
 # @ IN A X.X.X.X
 fakeresolve () {
 	if [ "$#" -ne 1 ] ; then
 		die "Usage: fakeresolve <name>"
 	fi
 	name="$1"
 	zonefile="$debian_bind_confdir/$server_zone_file"
 	# Split full name if there are dots
 	shortname="$name"
 	if [ -n "$(echo "$name" | grep -o '\.')" ] ; then
 		shortname="$(echo "$name" | grep -Po '^.*(?=\.[^\.]+\.[^\.]+$)' || true)"
 	fi
 	grep -v -e  '^[[:space:]]*;' "$zonefile"  |grep -oP "^[[:space:]]*$shortname\K[[:space:]]*IN[[:space:]]*A{1,4}[[:space:]]*[\S;]+" | sed 's/^/@/'
 }
 # Function that add DNS record in the right file
 addbindline () {
 	if [ "$#" -ne 2 ] ; then
 		die "Usage: addbindline <name> <target_cname>"
 	fi
 	name="$1"
 	target="$2"
 	# extract the truc.com part
 	domain="$(echo "$name" | grep -o '[^\.]\+\.[^\.]\+$' || true)"	
 	[ -z "$domain" ] && return 0
 	# extract the subdomain part (www)
 	shortname="$(echo "$name" | grep -Po '^.*(?=\.[^\.]+\.[^\.]+$)' || true)"
 	# bind DB file
 	bindfile="$debian_bind_confdir/db.$domain"
 	# Only append if db file exists
 	[ ! -f "$bindfile" ] && return 0
 	if [ -z "$shortname" ] ; then
 		# CNAME are forbiden for empty shortnames, so we must resolve the target IPs
 		while read line ; do
 			line_in_file "$line" "$bindfile"
 		done < <(fakeresolve "$target")
 	else
 		line_in_file "$shortname IN CNAME $target." "$bindfile"
 	fi
 	#XXX Add CAA records
 }
 list_template_db_files () {
 	ls "$debian_bind_confdir"/template.db.*
 }
 create_primary_files () {
 	# Compact the default SOA
 	SOA="$(grep -o '^[^;]*' SOA | sed -z -e 's/[[:space:]]\{2,\}/ /g' -e 's/\n/\\n/')"
 	for file in $(list_template_db_files) ; do
 		domain="$(basename "$file" | sed 's/template.db.//')"
 		new_db_file="$(echo "$file" | sed 's/template.db./db./')"
 		# Set the default SOA if needed
 		sed "s/^;JC_AUTOSOA$/$SOA/" "$file" > "$new_db_file"
 		# If no NS record in the db file
 		if [ -z "$(grep '[^;].*IN.*NS' "$new_db_file")" ] ; then
 			echo "@ IN NS $default_dns_name" >> "$new_db_file"
 		fi
 		cat  >> "$debian_bind_confdir/named.conf.local" <<EOF
 zone "$domain" {
 	# https://kb.isc.org/docs/aa-00723
 	#allow-update { !{!{$secondary_ips};any;}; key update-key; };
 	allow-transfer { $secondary_ips };
 	also-notify { $secondary_ips };
 	notify yes;
    type master;
    file "$new_db_file";
 	dnssec-policy default;
 	inline-signing yes;
 	key-directory "$DATA_DIR/keys";
 };
 EOF
 	done
 	echo 'Find every used domain and add them to bind db'
 	while read line ; do
 		read -r service target < <(echo "$line")
 		addbindline "$service" "$target"
 		nginxfile="/docker/$service/nginx_server.conf"
 		if [ -f "$nginxfile" ] ; then
 			for name in $(extract_domain_nginx_conf.sh "$nginxfile" | template.sh "/docker/$service/.env") ; do
 				addbindline "$name" "$target"
 			done
 		fi
 	done <"$servicefile"
 }
 create_secondary_files () {
 	primary_ips="$(echo "$primary_ips" | sed 's/^;//')"
 	for file in "$debian_bind_confdir"/template.db.* ; do
 		file="$(echo "$file" | sed 's/template.db.//')"
 		domain="$(basename "$file")"
 		echo -n "
 zone \"$domain\" {
 	masters { $primary_ips };
    type slave;
    file \"$file\";
 };" >> "$debian_bind_confdir/named.conf.local"
 	done
 }
--- a/services/radiodemo-back.oma-radio.fr/.env
+++ b/services/radiodemo-back.oma-radio.fr/.env
@ -13,7 +13,6 @@ RADIO_NAME_SIMPLE=radiodemo
 OMA_CONFIG_NomRadio=radiodemo
 OMA_CONFIG_LogLevel=8
 RADIO_NAME_PRETTY="Radio Démo"
 RADIO_HOST=radiodemo.oma-radio.fr
 COMPOSE_NAME=radiodemo-backoma-radiofr
 DOCKER_INSTANCES_PREFIX=radiodemo-backoma-radiofr-
 DOCKER_INSTANCES_SUFIX=-1
--- a/services/radiodemo-back.oma-radio.fr/docker-compose.yml
+++ b/services/radiodemo-back.oma-radio.fr/docker-compose.yml
@ -142,7 +142,7 @@ services:
      CONFIG_PATH: /config
    restart: unless-stopped
    volumes:
-      - /tmp/uwsgi/$RADIO_HOST:/tmp/uwsgi
+      - /tmp/uwsgi/$JC_SERVICE:/tmp/uwsgi
      - /var/run/docker.sock:/var/run/docker.sock
      - $SOUNDBASE_DIR:/soundbase
    networks:
--- a/services/radiodemo-back.oma-radio.fr/nginx_server.conf
+++ b/services/radiodemo-back.oma-radio.fr/nginx_server.conf
@ -18,7 +18,7 @@
 server {
 	listen 80;
 	listen [::]:80;
-	server_name $RADIO_HOST;
+	server_name $JC_SERVICE;
 	root $SOUNDBASE_DIR/website;
 	index index.html;
@ -49,7 +49,7 @@ server {
        include uwsgi_params;
        uwsgi_param PATH_INFO "/pigeindex$1";
        uwsgi_param SCRIPT_NAME /api;
-        uwsgi_pass unix:/tmp/uwsgi/$RADIO_HOST/uwsgi-api.sock;
+        uwsgi_pass unix:/tmp/uwsgi/$JC_SERVICE/uwsgi-api.sock;
        client_max_body_size 0;
        uwsgi_connect_timeout       6000;
        uwsgi_send_timeout          6000;
@ -70,7 +70,7 @@ server {
            include uwsgi_params;
            uwsgi_param PATH_INFO "$1";
            uwsgi_param SCRIPT_NAME /api;
-            uwsgi_pass unix:/tmp/uwsgi/$RADIO_HOST/uwsgi-api.sock;
+            uwsgi_pass unix:/tmp/uwsgi/$JC_SERVICE/uwsgi-api.sock;
            client_max_body_size 0;
            proxy_connect_timeout       6000;
            proxy_send_timeout          60000;
--- a/services/radiodemo.oma-radio.fr/wg-radiodemo.sh
+++ b/services/radiodemo.oma-radio.fr/wg-radiodemo.sh
@ -30,9 +30,4 @@ PostDown = iptables -t nat -D POSTROUTING -o $wgif -j MASQUERADE
 [Peer]
 PublicKey = 1YIpMhZGrZRnZPlrTjtCfjvXXGk8j0Ug2AfcHEtN/hE=
 AllowedIPs = 10.29.0.1/32,$NET.0/24
 # test separation PA
 [Peer]
 PublicKey = todo
 AllowedlIPs = 10.29.0.2
 "
--- a/services/services.txt
+++ b/services/services.txt
@ -1,34 +1,33 @@
 benevoles31.karnaval.fr max.jean-cloud.org
 chahut.jean-cloud.net max.jean-cloud.org
 collectif-arthadie.fr vandamme.jean-cloud.org
-compagnienouvelle.fr max.jean-cloud.org
+compagnienouvelle.fr nougaro.jean-cloud.org
 copaines.jean-cloud.net max.jean-cloud.org
 cousinades2.jean-cloud.net max.jean-cloud.org
 cousinades.jean-cloud.net max.jean-cloud.org
 deployer.jean-cloud.org shlago.jean-cloud.org
 etrevivant.net shlago.jean-cloud.org
 feministesucl34.jean-cloud.net tetede.jean-cloud.org
-feteducourt2020.jean-cloud.net tetede.jean-cloud.org
+feteducourt2020.jean-cloud.net shlago.jean-cloud.org
-feteducourt.jean-cloud.net tetede.jean-cloud.org
+feteducourt.jean-cloud.net shlago.jean-cloud.org
 git.jean-cloud.net vandamme.jean-cloud.org
 grapes.chahut.jean-cloud.net max.jean-cloud.org
 gypsylyonfestival.com max.jean-cloud.org
 metamorphosemagazine.fr shlago.jean-cloud.org
 inurbe.fr max.jean-cloud.org
 jean-cloud.net shlago.jean-cloud.org
 leida.fr vandamme.jean-cloud.org
 lexicographe.jean-cloud.net shlago.jean-cloud.org
 metamorphosemagazine.fr shlago.jean-cloud.org
 nc-backup.jean-cloud.net raku.jean-cloud.org
 pa1.studios.oma-radio.fr tetede.jean-cloud.org
 raplacgr.jean-cloud.net tetede.jean-cloud.org
 velov.jean-cloud.net shlago.jean-cloud.org
 radionimaitre.oma-radio.fr tetede.jean-cloud.org
 paj.oma-radio.fr nougaro.jean-cloud.org
 radiodemo.oma-radio.fr tetede.jean-cloud.org
 radiodemo-back.oma-radio.fr montbonnot.jean-cloud.org
 pa1.studios.oma-radio.fr tetede.joun-cloud.org
 leida.fr shlago.jean-cloud.org
 deployer.jean-cloud.org shlago.jean-cloud.org
 ns1.jean-cloud.org raku.jean-cloud.org
-git.jean-cloud.net vandamme.jean-cloud.org
+ns.jean-cloud.org shlago.jean-cloud.org
 nuage.jean-cloud.net vandamme.jean-cloud.org
 pa1.studios.oma-radio.fr tetede.jean-cloud.org
 paj.oma-radio.fr nougaro.jean-cloud.org
 radiodemo-back.oma-radio.fr montbonnot.jean-cloud.org
 radiodemo.oma-radio.fr tetede.jean-cloud.org
 radionimaitre.oma-radio.fr tetede.jean-cloud.org
 raplacgr.jean-cloud.net tetede.jean-cloud.org
 rpnow.jean-cloud.net vandamme.jean-cloud.org
 wiki-cgr.jean-cloud.net vandamme.jean-cloud.org
 _ssh vandamme.jean-cloud.org
 velov.jean-cloud.net shlago.jean-cloud.org
 wiki-cgr.jean-cloud.net vandamme.jean-cloud.org