and again and again

2024-04-18 16:22:32 +02:00 · 2024-04-18 16:22:32 +02:00 · 38b20cf49d
commit 38b20cf49d
parent 815965501b
31 changed files with 90 additions and 141 deletions
--- a/installing/debootstrap_ordis_portables.sh
+++ b/installing/debootstrap_ordis_portables.sh
@ -88,6 +88,7 @@ install="$install linux-image-amd64 console-data grub2 locales vim openssh-serve
 debootstrap_done_marker="$mnt/etc/debootstrap_done"
 uefi_mountpoint=/boot/efi

+dependancies="cryptsetup locales openssh-server wireguard-tools grub2"
 ###############################################################################
 #                              Actual script
 ###############################################################################
@ -178,13 +179,12 @@ fi

 mount_misc

-
 section "Installing selected software"
 echo "$repos" >> "$mnt/etc/apt/sources.list"
 run chroot "$mnt" <<EOF
  export DEBIAN_FRONTEND=noninteractive
  apt-get update  -q -y 
-  apt-get install -q -y cryptsetup $install
+  apt-get install -q -y $install
 EOF
 # TODO watershed ?

--- a/provisioning/inventory.ini
+++ b/provisioning/inventory.ini
@ -10,5 +10,4 @@ montbonnot.jean-cloud.org
 max.jean-cloud.org
 tetede.jean-cloud.org
 raku.jean-cloud.org
-vandamme.jean-cloud.org
 izzo.jean-cloud.org
--- a/provisioning/roles/deploy_all/files/bin/rclone_ncloud_publiclink.sh
+++ b/provisioning/roles/deploy_all/files/bin/rclone_ncloud_publiclink.sh
@ -1,6 +1,5 @@
 #!/bin/bash
 set -euo pipefail
-
 # Read all
 # NC_SHARE_LINK_URL.*
 # NC_SHARE_LINK_PASSWORD.*
--- a/provisioning/roles/deploy_all/files/secrets.volume
+++ b/provisioning/roles/deploy_all/files/secrets.volume
--- a/services/accent.jean-cloud.net/docker-compose.yml
+++ b/services/accent.jean-cloud.net/docker-compose.yml
@ -1,40 +0,0 @@
-version: '3'
-services:
-  app:
-    image: mirego/accent:v1.19.12
-    depends_on:
-      - db
-    environment:
-      - DATABASE_URL=postgres://postgres@db:5432/accent_development
-    restart: "unless-stopped"
-    networks:
-      default:
-        ipv4_address: $NET.100
-    deploy:
-      resources:
-        limits:
-          cpus: '1'
-          memory: 200M
-
-  db:
-    image: postgres:10.3
-    environment:
-      - POSTGRES_DB=accent_development
-    volumes:
-      - $DATA_DIR/db:/var/lib/postgresql/data
-    restart: "unless-stopped"
-    networks:
-      default:
-        ipv4_address: $NET.101
-    deploy:
-      resources:
-        limits:
-          cpus: '1'
-          memory: 300M
-
-
-networks:
-  default:
-    ipam:
-      config:
-        - subnet: $NET.0/24
--- a/services/backup-borg-client/backup_list.sh
+++ b/services/backup-borg-client/backup_list.sh
@ -1 +0,0 @@
-#!/bin/bash
--- a/services/backup-borg-server/deploy_user.sh
+++ b/services/backup-borg-server/deploy_user.sh
@ -13,7 +13,7 @@ echo -n "" > ~/.ssh/authorized_keys
 chmod 600 ~/.ssh/authorized_keys

 # Foreach client
-for client in raku.jean-cloud.org vandamme.jean-cloud.org ; do
+for client in raku.jean-cloud.org izzo.jean-cloud.org ; do
 	# Generate key
 	clientkey="$(mktemp -d)"
 	ssh-keygen -q -N '' -t rsa -C 'Borg client ssh key' -f "$clientkey/id_rsa" <<<y 2>&1 >/dev/null
--- a/services/benevoles32.karnaval.fr/docker-compose.yml
+++ b/services/benevoles32.karnaval.fr/docker-compose.yml
@ -5,6 +5,8 @@ services:
    environment:
      UID: 33
      MOUNT: /
+    ports:
+      - "2229:2229"
    volumes:
      - /tmp/uwsgi/$JC_SERVICE:/tmp/uwsgi
      - $DATA_DIR/app/assets:/usr/src/app/assets
--- a/services/dnscerts.jean-cloud.org/run.sh
+++ b/services/dnscerts.jean-cloud.org/run.sh
@ -1,8 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-
-. driglibash-base
-here="$(where)"
-
-sudo -u certs bash -c "$here/run_as.sh $@"
--- a/services/dnscerts.jean-cloud.org/run_as.sh
+++ b/services/dnscerts.jean-cloud.org/run_as.sh
@ -1,55 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-
-. driglibash-base
-here="$(where)"
-
-# For some variables
-. /etc/jeancloud.env
-set -a
-. "$here/.env"
-set +a
-
-# Test secret presence
-[ ! -f "$DATA_DIR/rfc2136.ini" ] && echo "$0 Missing file '$DATA_DIR/rfc2136.ini'" && exit 1
-
-export workdir="$(mktemp -d)"
-mkdir -p "$workdir/{work,logs}"
-
-# If there is some args, populate a fake service file
-if [ "$#" -ge 1 ] && [ -n "$1" ] ; then
-	servicefile="$(mktemp)"
-	for service in "$@" ; do
-		echo "$service _" >> "$servicefile"
-	done
-fi
-
-echo "Renew existing certs"
-certbot renew --config-dir "$DATA_DIR/certs" --logs-dir "$workdir/logs" --dns-rfc2136 --dns-rfc2136-credentials "$DATA_DIR/rfc2136.ini" --work-dir "$workdir"
-
-echo "For each service, read all possible domains"
-while IFS=';' read -r id username service target ; do
-	# TODO remove
-	 [ "$service" = collectif-arthadie.fr ]  && continue
-
-	# remove dummy cert
-	dummy_cert.sh "$service" remove || true
-
-	if [ -d "$DATA_DIR/certs/live/$service" ] ; then
-		#echo "Already exists, thats a job for renew : $service"
-		continue
-	fi
-
-	# acme
-	"$here/acme-dns.sh" "$service" "$workdir"
-
-done < <(grep -v '^#' "$servicefile")
-
-echo "Push certs to other servers"
-for srv in $(host -t TXT shlago.jean-cloud.org ns.jean-cloud.org | grep -Po 'descriptive text "\K[^"]+' | tr ',' ' ' | tr ' ' '\n') vandamme nougaro ; do
-	server="$srv.jean-cloud.org"
-	[ -n "$(grep "$server" /etc/hosts)" ] && continue
-	echo "-- $server"
-	rsync -avz -e "ssh -i '$DATA_DIR/certs.priv' -p 45985" "$DATA_DIR/certs" "certs@$server:$DATA_DIR/" || true
-done
--- a/services/etrevivant.net/backup_list.sh
+++ b/services/etrevivant.net/backup_list.sh
@ -1 +0,0 @@
-#!/bin/bash
--- a/services/inurbe.fr/nginx_server.conf
+++ b/services/inurbe.fr/nginx_server.conf
@ -1,8 +1,8 @@
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
-  ssl_certificate $http_certs_dir/inurbe.fr/fullchain.pem;
-  ssl_certificate_key $http_certs_dir/inurbe.fr/privkey.pem;
+  ssl_certificate $JC_CERT/fullchain.pem;
+  ssl_certificate_key $JC_CERT/privkey.pem;
  server_name $JC_SERVICE www.$JC_SERVICE;

  location /  {
--- a/services/lexicographe.jean-cloud.net/backup_list.sh
+++ b/services/lexicographe.jean-cloud.net/backup_list.sh
@ -1 +0,0 @@
-../pelican/backup_list.sh
--- a/services/metamorphosemagazine.fr/.env
+++ b/services/metamorphosemagazine.fr/.env
@ -1 +1,3 @@
 GIT_SOURCE_REPO=https://git.jean-cloud.net/adrian/metamorphose
+GIT_SOURCE_BRANCH=master
+
--- a/services/metamorphosemagazine.fr/deploy_user.sh
+++ b/services/metamorphosemagazine.fr/deploy_user.sh
@ -1,4 +1,5 @@
 #!/bin/bash
 set -euo pipefail

-git_update.sh -d "$HTTP_DIR" "$GIT_SOURCE_REPO"
+git_update.sh -d "$HTTP_DIR" -b "${GIT_SOURCE_BRANCH:-main}" "$GIT_SOURCE_REPO"
+
--- a/services/metamorphosemagazine.fr/docker-compose.yml
+++ b/services/metamorphosemagazine.fr/docker-compose.yml
@ -1 +0,0 @@
-version: '3'
--- a/services/mux.radiodemo.oma-radio.fr/backup_list.sh
+++ b/services/mux.radiodemo.oma-radio.fr/backup_list.sh
@ -1 +0,0 @@
-#!/bin/bash
--- a/services/mux.radiodemo.oma-radio.fr/docker-compose.yml
+++ b/services/mux.radiodemo.oma-radio.fr/docker-compose.yml
@ -73,6 +73,11 @@ services:
    networks:
      default:
        ipv4_address: $NET.108
+    deploy:
+      resources:
+        limits:
+          cpus: '0.50'
+          memory: 300M

          #radioking:
          #  image: jeancloud/liquidsoap:1.3.7
--- a/services/mux.radiodemo.oma-radio.fr/liquidsoap.liq
+++ b/services/mux.radiodemo.oma-radio.fr/liquidsoap.liq
@ -49,7 +49,7 @@ end


 # Mux
-input1 = mksafe(input.harbor("direct.ogg",port=8000,password=getenv("LIQUIDSOAP_SOURCE_PASSWORD")))
+input1 = mksafe(input.harbor("direct.ogg",port=8000,password=getenv("ICECAST_SOURCE_PASSWORD")))

 # Direct mp3
 output.icecast(
--- a/services/ns.jean-cloud.org/deploy.sh
+++ b/services/ns.jean-cloud.org/deploy.sh
@ -9,7 +9,7 @@ set -a
 set +a

 # Do not run if primary exists
-[ -d "$DATA_DIR/keys" ] && echo 'ns1 found on this host. Aborting.' && exit 0
+[ -d "$DATA_DIR/keys" ] && echo 'ns1 found on this host. Aborting.' && exit 1

 export keydir=""
 runthis secondary
--- a/services/ns1.jean-cloud.org/deploy.sh
+++ b/services/ns1.jean-cloud.org/deploy.sh
@ -55,6 +55,7 @@ runthis () {
 }

 main () {
+	aa-disable /etc/apparmor.d/usr.sbin.named
 	runthis primary
 }

--- a/services/ns1.jean-cloud.org/helper_functions.sh
+++ b/services/ns1.jean-cloud.org/helper_functions.sh
@ -21,7 +21,7 @@ prepare () {
 	fi
 	
 	echo 'Sync the git repo'
-	run sudo -u bind git_update.sh -N -b main -i "$SECRET_DIR/gitkey" -d "$debian_bind_confdir" 'ssh://git@git.jean-cloud.net:22529/adrian/dnszones.git'
+	run sudo -u bind git_update.sh -N -b main -i "$DATA_DIR/gitkey" -d "$debian_bind_confdir" 'ssh://git@git.jean-cloud.net:22529/adrian/dnszones.git'
 	cd /etc/bind
 	
 	
@ -37,14 +37,15 @@ prepare () {

 restart () {
 	echo 'Check named conf'
-	run named-checkconf "$debian_bind_confdir/named.conf"
+	runS named-checkconf "$debian_bind_confdir/named.conf"
 	for db_file in $(list_db_files) ; do
-		domain="${db_file:3}"
+		domain="$(basename "$db_file")"
+		domain="${domain:3}"
 		run named-checkzone "$domain" "$db_file"
 	done

 	echo 'Restart named'
-	rm /etc/bind/*.jnl || true
+	rm /etc/bind/*.jnl &>/dev/null || true
 	systemctl restart named
 }

@ -139,15 +140,14 @@ create_primary_files () {
 		sed -i "s/\(@ SOA [^(]*( \)[0-9]\+/\1$serial/"  "$new_db_file"

 		# Add this dns server if not present
-		if [ -z "$(grep '[^;].*(IN)?.*NS.*$default_dns_name' "$new_db_file")" ] ; then
-			echo "@ NS $default_dns_name" >> "$new_db_file"
+		if ! grep -q '[^;].*(IN)?.*NS.*' "$new_db_file" ; then
+			cat default_ns >> "$new_db_file"
 		fi

 		# Add DS record
-		if [ -n "$(ls "$DATA_DIR/keys/K$domain"*.key)" ] ; then
-			echo ""
+		#if [ -n "$(ls "$DATA_DIR/keys/K$domain"*.key)" ] ; then
 			#dnssec-dsfromkey "$DATA_DIR/keys/K$domain"*.key | sed "s/${domain}./@/" >> "$new_db_file"
-		fi
+		#fi

 		# Populate named.conf.local
 		cat  >> "$debian_bind_confdir/named.conf.local" <<-EOF
--- a/services/nuage.jean-cloud.net/docker-compose.yml
+++ b/services/nuage.jean-cloud.net/docker-compose.yml
@ -87,6 +87,21 @@ services:
          cpus: '0.50'
          memory: 2000M

+  collabora:
+    image: collabora/code
+    environment:
+      - "dictionaries=fr"
+      - "server_name=office.nuage.jean-cloud.net"
+    restart: unless-stopped
+    networks:
+      default:
+        ipv4_address: $NET.106
+    deploy:
+      resources:
+        limits:
+          cpus: '1'
+          memory: 2000M
+
 networks:
  default:
    ipam:
--- a/services/nuage.jean-cloud.net/nginx_server.conf
+++ b/services/nuage.jean-cloud.net/nginx_server.conf
@ -263,3 +263,29 @@ server {
        	proxy_set_header  Connection $connection_upgrade;
 	}
 }
+
+server {
+        listen 443 ssl http2;
+        listen [::]:443 ssl http2;
+        ssl_certificate $JC_CERT/fullchain.pem;
+        ssl_certificate_key $JC_CERT/privkey.pem;
+        server_name office.nuage.jean-cloud.net;
+
+	location / {
+		proxy_pass http://$NET.106:9980;
+        	proxy_buffering    off; # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
+        	proxy_set_header   Host $host;
+        	proxy_pass_header  Server;
+
+        	# Note you might want to pass these headers etc too.
+        	#proxy_set_header    X-Real-IP $remote_addr; # https://nginx.org/en/docs/http/ngx_http_proxy_module.html
+        	#proxy_set_header    X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP
+        	proxy_set_header    X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
+        	proxy_http_version  1.1; # recommended with keepalive connections
+
+        	# WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html
+        	proxy_set_header  Upgrade $http_upgrade;
+        	proxy_set_header  Connection $connection_upgrade;
+	}
+}
+
--- a/services/oma-radio.fr/backup_list.sh
+++ b/services/oma-radio.fr/backup_list.sh
@ -1 +0,0 @@
-#!/bin/bash
--- a/services/services.csv
+++ b/services/services.csv
@ -1,16 +1,16 @@
 # This is not real CSV. Do not put separator in a field, even escaped
 # ID ; username ; service name ; server name
 1;sftp.jean-cloud.net;sftp.jean-cloud.net;raku.jean-cloud.org
-2;benevoles31.karnaval.fr;benevoles31.karnaval.fr;max.jean-cloud.org
+#2;benevoles31.karnaval.fr;benevoles31.karnaval.fr;max.jean-cloud.org
 3;builder.rimarima.fr;builder.rimarima.fr;raku.jean-cloud.org
-4;chahut.jean-cloud.net;chahut.jean-cloud.net;max.jean-cloud.org
+#4;chahut.jean-cloud.net;chahut.jean-cloud.net;max.jean-cloud.org
 5;chiloe.eu;chiloe.eu;shlago.jean-cloud.org
 #6;coldcms.chahut.jean-cloud.net;coldcms.chahut.jean-cloud.net;raku.jean-cloud.org
-7;collectif-arthadie.fr;collectif-arthadie.fr;vandamme.jean-cloud.org
-8;compagnienouvelle.fr;compagnienouvelle.fr;nougaro.jean-cloud.org
-9;copaines.jean-cloud.net;copaines.jean-cloud.net;max.jean-cloud.org
+7;collectif-arthadie.fr;collectif-arthadie.fr;izzo.jean-cloud.org
+8;compagnienouvelle.fr;compagnienouvelle.fr;shlago.jean-cloud.org
+9;copaines.jean-cloud.net;copaines.jean-cloud.net;shlago.jean-cloud.org
 11;deployer.jean-cloud.org;deployer.jean-cloud.org;shlago.jean-cloud.org
-12;dnscerts.jean-cloud.org;dnscerts.jean-cloud.org;max.jean-cloud.org
+12;dnscerts.jean-cloud.org;dnscerts.jean-cloud.org;montbonnot.jean-cloud.org
 13;etrevivant.net;etrevivant.net;shlago.jean-cloud.org
 14;feministesucl34.communistesliber;feministesucl34.communisteslibertaires.org;none
 15;feteducourt.jean-cloud.net;feteducourt.jean-cloud.net;shlago.jean-cloud.org
@ -25,7 +25,7 @@
 25;mux.radiodemo.oma-radio.fr;mux.radiodemo.oma-radio.fr;raku.jean-cloud.org
 26;nc-backup.jean-cloud.net;nc-backup.jean-cloud.net;raku.jean-cloud.org
 27;ns.jean-cloud.org;ns.jean-cloud.org;shlago.jean-cloud.org
-28;ns1.jean-cloud.org;ns1.jean-cloud.org;tetede.jean-cloud.org
+28;ns1.jean-cloud.org;ns1.jean-cloud.org;izzo.jean-cloud.org
 29;nuage.jean-cloud.net;nuage.jean-cloud.net;izzo.jean-cloud.org
 30;oma-radio.fr;oma-radio.fr;izzo.jean-cloud.org
 31;pa1.studios.oma-radio.fr;pa1.studios.oma-radio.fr;tetede.jean-cloud.org
@ -33,7 +33,7 @@
 33;quadrille-elsa.jean-cloud.net;quadrille-elsa.jean-cloud.net;shlago.jean-cloud.org
 34;radiodemo.oma-radio.fr;radiodemo.oma-radio.fr;raku.jean-cloud.org
 35;radionimaitre.oma-radio.fr;radionimaitre.oma-radio.fr;tetede.jean-cloud.org
-36;raplacgr.jean-cloud.net;raplacgr.jean-cloud.net;tetede.jean-cloud.org
+36;raplacgr.jean-cloud.net;raplacgr.jean-cloud.net;izzo.jean-cloud.org
 37;rimarima.fr;rimarima.fr;raku.jean-cloud.org
 38;rpnow.jean-cloud.net;rpnow.jean-cloud.net;izzo.jean-cloud.org
 39;soundbase.radiodemo.oma-radio.fr;soundbase.radiodemo.oma-radio.fr;montbonnot.jean-cloud.org
@ -41,7 +41,7 @@
 41;velov.jean-cloud.net;velov.jean-cloud.net;shlago.jean-cloud.org
 42;wiki-cgr.jean-cloud.net;wiki-cgr.jean-cloud.net;izzo.jean-cloud.org
 43;radio.karnaval.fr;radio.karnaval.fr;tetede.jean-cloud.org
-44;wordpress.abc.jean-cloud.net;wordpress.abc.jean-cloud.net;max.jean-cloud.org
+44;wordpress.abc.jean-cloud.net;wordpress.abc.jean-cloud.net;raku.jean-cloud.org
 45;jean-cloud.org;jean-cloud.org;shlago.jean-cloud.org
 46;soundbase.paj.oma-radio.fr;soundbase.paj.oma-radio.fr;montbonnot.jean-cloud.org
 47;backup-borg-server;backup-borg-server;montbonnot.jean-cloud.org
@ -50,5 +50,6 @@
 50;monitoring.jean-cloud.net;monitoring.jean-cloud.net;montbonnot.jean-cloud.org
 51;benevoles32.karnaval.fr;benevoles32.karnaval.fr;izzo.jean-cloud.org
 52;nginx_exporter;nginx_exporter;shlago.jean-cloud.org
-53;benevoles.karnaval.fr;benevoles.karnaval.fr;izzo.jean-cloud.org
-54;accent.jean-cloud.net;accent.jean-cloud.net;raku.jean-cloud.org
+#54;accent.jean-cloud.net;accent.jean-cloud.net;raku.jean-cloud.org
+55;gaia.jean-cloud.net;gaia.jean-cloud.net;shlago.jean-cloud.org
+56;association-chahut.fr;association-chahut.fr;izzo.jean-cloud.org
--- a/services/sftp.jean-cloud.net/docker-compose.yml
+++ b/services/sftp.jean-cloud.net/docker-compose.yml
@ -11,6 +11,7 @@ services:
        - $DATA_DIR/home:/home
        - $DATA_DIR/home/leida/public:/home/leidaRO/public:ro
        - $DATA_DIR/home/chiloe/public:/home/chiloeRO/public:ro
+        - $DATA_DIR/home/compagnienouvelle.fr/public:/home/compagnienouvelle.frRO/public:ro
      ports:
        - '2929:22'

--- a/services/soundbase.radiodemo.oma-radio.fr/.env
+++ b/services/soundbase.radiodemo.oma-radio.fr/.env
@ -19,6 +19,6 @@ DOCKER_INSTANCES_PREFIX=soundbaseradiodemooma-radiofr-
 DOCKER_INSTANCES_SUFIX=-1
 SOUNDBASE_DIR=/data/soundbase.radiodemo.oma-radio.fr/core/radioDemo
 USE_SSL=true
-MANAGER_WEBSITE_UPSTREAM=https://static.oma-radio.fr/single-manager/1.1.1
+MANAGER_VERSION=3.0.0
 PUBLIC_WEBSITE_UPSTREAM=https://static.oma-radio.fr/player-interface/1.1.1
 RADIO_HOST=radiodemo.oma-radio.fr
--- a/services/soundbase.radiodemo.oma-radio.fr/deploy.sh
+++ b/services/soundbase.radiodemo.oma-radio.fr/deploy.sh
@ -1,3 +1,7 @@
 #!/bin/bash

-git_update.sh -b dev -i "$DATA_DIR/radiodemo-deploy" -d "$DATA_DIR/core" git@gitlab.com:omaradio/core.git
+docker run --rm -i -v /srv/http/soundbase.radiodemo.oma-radio.fr:/app node:alpine sh <<EOF
+cd /app
+npm install --production omaradio-web-manager@~$MANAGER_VERSION
+npm update
+EOF
--- a/services/soundbase.radiodemo.oma-radio.fr/docker-compose.yml
+++ b/services/soundbase.radiodemo.oma-radio.fr/docker-compose.yml
@ -75,6 +75,7 @@ services:
  system_api:
    image: jeancloud/system-api:dev
    env_file: .env
+    environment:
      UID: 33
      SOUNDBASE_PATH: /soundbase
      MOUNT: /api
--- a/services/soundbase.radiodemo.oma-radio.fr/nginx_server.conf
+++ b/services/soundbase.radiodemo.oma-radio.fr/nginx_server.conf
@ -114,6 +114,7 @@ server {

 	# Admin interface
 	location  /manager {
+		alias $HTTP_DIR/node_modules/omaradio-web-manager/;
        auth_basic "Entrez votre identifiant et mot de passe";
        auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd; 
 		try_files $uri $uri/ =404;