leftovers

2024-02-22 01:44:24 +01:00 · 2024-02-22 01:44:24 +01:00 · 66e0e9a4da
commit 66e0e9a4da
parent d75f851959
18 changed files with 331 additions and 0 deletions
--- a/services/accent.jean-cloud.net/docker-compose.yml
+++ b/services/accent.jean-cloud.net/docker-compose.yml
@ -0,0 +1,40 @@
+version: '3'
+services:
+  app:
+    image: mirego/accent:v1.19.12
+    depends_on:
+      - db
+    environment:
+      - DATABASE_URL=postgres://postgres@db:5432/accent_development
+    restart: "unless-stopped"
+    networks:
+      default:
+        ipv4_address: $NET.100
+    deploy:
+      resources:
+        limits:
+          cpus: '1'
+          memory: 200M
+
+  db:
+    image: postgres:10.3
+    environment:
+      - POSTGRES_DB=accent_development
+    volumes:
+      - $DATA_DIR/db:/var/lib/postgresql/data
+    restart: "unless-stopped"
+    networks:
+      default:
+        ipv4_address: $NET.101
+    deploy:
+      resources:
+        limits:
+          cpus: '1'
+          memory: 300M
+
+
+networks:
+  default:
+    ipam:
+      config:
+        - subnet: $NET.0/24
--- a/services/backup-borg-client/backup_list.sh
+++ b/services/backup-borg-client/backup_list.sh
@ -0,0 +1 @@
+#!/bin/bash
--- a/services/backup-borg-client/deploy.sh
+++ b/services/backup-borg-client/deploy.sh
@ -0,0 +1,26 @@
+#!/bin/bash
+
+set -euo pipefail
+
+pubkeyfile="/root/.ssh/authorized_keys"
+separator="# backup-borg-begin DO NOT EDIT UNDER THIS LINE"
+mkdir -p "$DATA_DIR/pubkeys" "$DATA_DIR/.ssh"
+
+# Create ssh key if not found
+if [ ! -e "$DATA_DIR/.ssh/borg-client" ] ; then
+    ssh-keygen -f "$DATA_DIR/.ssh/borg-client" -C "SSH key for backup trigger" -P ''
+fi
+
+# Remove separator and automated lines if found
+if [ -n "$(grep "$separator" "$pubkeyfile")" ] ; then
+	sed -i "/$separator/,//d" "$pubkeyfile"
+fi
+
+# Place separator back
+echo "$separator" >> "$pubkeyfile"
+
+# Foreach borg server key
+while read serverkey ; do
+	# Add authorized_keys line
+	echo "command=\"$DOCKER_DIR/script-sauvegarde.sh $serverkey\" $(cat "$DATA_DIR/pubkeys/$serverkey")" >> "$pubkeyfile"
+done < <(ls "$DATA_DIR/pubkeys")
--- a/services/backup-borg-client/script-sauvegarde.sh
+++ b/services/backup-borg-client/script-sauvegarde.sh
@ -0,0 +1,49 @@
+#!/bin/bash
+
+. "$( cd -P "$( dirname "$0" )" && pwd )/.env"
+
+server="$1"
+failed=""
+
+while IFS=';' read -r id username service target ; do
+	if [ ! -d "/data/$service" ] ; then
+		continue
+	fi
+
+	echo "   =   =   =====   =   =====   $service   =====   =   =====   =   =" 
+
+	# Create passfile if not exists
+	mkdir -p "$DATA_DIR/passphrase"
+	passfile="$DATA_DIR/passphrase/$service"
+	if [ ! -e "$passfile" ] ; then
+		LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 257 > "$passfile"
+	fi
+	
+	# Borg variables
+	export BORG_REPO="backup-borg-server@127.0.0.1:/data/backup-borg-server/backups/$(hostname)/$service"
+	export BORG_PASSPHRASE="$(cat "$passfile")"
+	RSH='ssh -o StrictHostKeyChecking=no -p 12345'
+	
+	# Get specific backup files
+	cd "/data/$service"
+	BACKUP_LIST="$(ls -A)"
+	if [ -x "/docker/$service/backup_list.sh" ] ; then
+		BACKUP_LIST="$(/docker/$service/backup_list.sh)"
+	fi
+	if [ -z "$BACKUP_LIST" ] ; then
+		continue
+	fi
+	echo "--------------> $BACKUP_LIST"
+	
+	borg init   --rsh "$RSH" --encryption repokey || true
+	borg create --rsh "$RSH" --list --filter=AMCE --stats --show-rc "::$(date +%Y%m%d%H%M)" $BACKUP_LIST
+	if [ "$?" -ne 0 ] ; then
+		failed="$failed $service"
+	fi
+
+done < <(grep -v '^#' /docker/services.csv)        
+
+if [ -n "$failed" ] ; then
+	echo "FAILED"
+	echo "$failed"
+fi
--- a/services/backup-borg-server/deploy_user.sh
+++ b/services/backup-borg-server/deploy_user.sh
@ -0,0 +1,39 @@
+#!/bin/bash
+
+sshkey=~/.ssh/borg-server
+backup_dir="$DATA_DIR/backups"
+
+mkdir -p ~/.ssh "$backup_dir"
+
+if [ ! -e "$sshkey" ] ; then
+	ssh-keygen -q -C 'Borg server ssh key' -N '' -t rsa  -f "$sshkey" <<<y 2>&1 >/dev/null
+fi
+
+echo -n "" > ~/.ssh/authorized_keys
+chmod 600 ~/.ssh/authorized_keys
+
+# Foreach client
+for client in raku.jean-cloud.org vandamme.jean-cloud.org ; do
+	# Generate key
+	clientkey="$(mktemp -d)"
+	ssh-keygen -q -N '' -t rsa -C 'Borg client ssh key' -f "$clientkey/id_rsa" <<<y 2>&1 >/dev/null
+	cat > ~/.ssh/authorized_keys <<EOF
+command="borg serve --append-only --restrict-to-path '$backup_dir/$client'",restrict $(cat "$clientkey/id_rsa.pub")
+EOF
+	
+	# Create needed directory
+	mkdir -p "$backup_dir/$client"
+
+	# Trigger the backup
+	eval $(ssh-agent) > /dev/null
+	ssh-add "$clientkey/id_rsa"
+	ssh -A -R localhost:12345:127.0.0.1:45985 "root@$client" -p 45985 -i "$sshkey"
+
+	# Clean
+	kill "${SSH_AGENT_PID}"
+	rm -r "$clientkey" ~/.ssh/authorized_keys
+done
+
+
+
+
--- a/services/chiloe.eu/.env
+++ b/services/chiloe.eu/.env
@ -0,0 +1 @@
+SFTP_USER="chiloeRO"
--- a/services/chiloe.eu/LINKS.
+++ b/services/chiloe.eu/LINKS.
--- a/services/chiloe.eu/deploy.sh
+++ b/services/chiloe.eu/deploy.sh
@ -0,0 +1 @@
+../sftp_jc/deploy.sh
--- a/services/copaines.jean-cloud.net/.env
+++ b/services/copaines.jean-cloud.net/.env
@ -0,0 +1 @@
+SFTP_USER="copaines"
--- a/services/copaines.jean-cloud.net/LINKS.
+++ b/services/copaines.jean-cloud.net/LINKS.
--- a/services/mux.radiodemo.oma-radio.fr/backup_list.sh
+++ b/services/mux.radiodemo.oma-radio.fr/backup_list.sh
@ -0,0 +1 @@
+#!/bin/bash
--- a/services/mux.radiodemo.oma-radio.fr/server.sh
+++ b/services/mux.radiodemo.oma-radio.fr/server.sh
@ -0,0 +1,42 @@
+#!/bin/bash
+
+echo "Content-type: text/html"
+echo ""
+
+. .env
+
+
+instance=''
+since=''
+until=''
+
+action="$(echo "$QUERY_STRING" | tr -d '/\;!<>?#[]()"*.' | sed 's/&/\n/g')"
+
+while IFS='=' read key value ; do
+	case "$key" in
+		instance)
+			instance="$value"
+			;;
+		since)
+			since="$value"
+			;;
+		until)
+			until="$value"
+			;;
+		list)
+			docker-compose ps -a --format json
+			;;
+		*)
+			exit 1
+	esac
+done < <(echo "$action")
+
+[ -z "$instance" ] && exit 2
+[ -z "$since" ] && exit 3
+[ -z "$until" ] && exit 4
+
+echo docker-compose logs --since "$since" --until "$until" "$instance"
+if [ "$?" -ne 0 ] ; then
+	echo failed
+fi
+
--- a/services/raplacgr.jean-cloud.net/docker-compose.yml
+++ b/services/raplacgr.jean-cloud.net/docker-compose.yml
@ -0,0 +1,47 @@
+version: '3'
+services:
+  web:
+    image: jeancloud/rapla
+    environment:
+      MYSQL_DATABASE: rapla_db
+      MYSQL_USER: rapla_db_user
+      MYSQL_PASSWORD: aPxqhmqUvqNBVXEoIt9cSZTXgmtqzFdgbTHeUMNeT2iL9ch8rN0z0iIGIc2rpMQZfdk87OZ45k3mf99tbT
+      MYSQL_HOST: db
+    volumes:
+      - /docker/raplacgr.jean-cloud.net/server.xml:/usr/local/tomcat/conf/server.xml
+    depends_on:
+      - db
+    restart: unless-stopped
+    networks:
+      default:
+        ipv4_address: $NET.100
+    deploy:
+      resources:
+        limits:
+          cpus: '0.50'
+          memory: 300M
+
+  db:
+    image: mysql:5.7
+    environment:
+      MYSQL_DATABASE: rapla_db
+      MYSQL_USER: rapla_db_user
+      MYSQL_PASSWORD: aPxqhmqUvqNBVXEoIt9cSZTXgmtqzFdgbTHeUMNeT2iL9ch8rN0z0iIGIc2rpMQZfdk87OZ45k3mf99tbT
+      MYSQL_RANDOM_ROOT_PASSWORD: yes
+    volumes:
+      - /data/raplacgr.jean-cloud.net/db:/var/lib/mysql
+    restart: unless-stopped
+    networks:
+      default:
+        ipv4_address: $NET.101
+    deploy:
+      resources:
+        limits:
+          cpus: '0.50'
+          memory: 300M
+
+networks:
+  default:
+    ipam:
+      config:
+        - subnet: $NET.0/24
--- a/services/raplacgr.jean-cloud.net/nginx_server.conf
+++ b/services/raplacgr.jean-cloud.net/nginx_server.conf
@ -0,0 +1,13 @@
+server {
+	listen 443 ssl;
+	listen [::]:443 ssl;
+	server_name raplacgr.jean-cloud.net;
+	ssl_certificate     $JC_CERT/fullchain.pem;
+    ssl_certificate_key $JC_CERT/privkey.pem;
+
+	location / {
+		proxy_pass http://$NET.100:8080/;
+        proxy_set_header Host raplacgr.jean-cloud.net;
+        proxy_set_header X-Forwarded-Proto https;
+	}
+}
--- a/services/raplacgr.jean-cloud.net/server.xml
+++ b/services/raplacgr.jean-cloud.net/server.xml
@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Server port="8005" shutdown="SHUTDOWN">
+  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
+  <!-- Security listener. Documentation at /docs/config/listeners.html
+  <Listener className="org.apache.catalina.security.SecurityListener" />
+  -->
+  <!-- APR library loader. Documentation at /docs/apr.html -->
+  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
+  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
+  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
+  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
+  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
+
+  <GlobalNamingResources>
+    <Resource name="UserDatabase" auth="Container"
+              type="org.apache.catalina.UserDatabase"
+              description="User database that can be updated and saved"
+              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
+              pathname="conf/tomcat-users.xml" />
+  </GlobalNamingResources>
+
+  <Service name="Catalina">
+
+        <Connector port="8080" protocol="HTTP/1.1"
+               connectionTimeout="20000"
+	    redirectPort="8443"
+	    proxyName="raplacgr.jean-cloud.net"
+               proxyPort="443"/>
+        <Engine name="Catalina" defaultHost="localhost">
+
+
+      <Realm className="org.apache.catalina.realm.LockOutRealm">
+        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
+               resourceName="UserDatabase"/>
+      </Realm>
+
+      <Host name="localhost"  appBase="webapps"
+            unpackWARs="true" autoDeploy="true">
+
+
+        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
+               prefix="localhost_access_log" suffix=".txt"
+               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
+
+      </Host>
+    </Engine>
+  </Service>
+</Server>
--- a/services/sftp_jc/deploy.sh
+++ b/services/sftp_jc/deploy.sh
@ -0,0 +1,3 @@
+#!/bin/bash
+
+chmod 700 "$SECRET_DIR/sftp.sshprivkey"
--- a/services/sftp_jc/deploy_user.sh
+++ b/services/sftp_jc/deploy_user.sh
@ -0,0 +1,7 @@
+#!/bin/bash
+
+mkdir -p ~/.ssh
+echo '[sftp.jean-cloud.net]:2929 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5WLG4HbhHMWZySQkCOfMyJ8HAojyJJ66prhn/WSh1T6vyi/oWuodhN5fzIenEpKrmIzXLLfFa8Q9YuEYmcwNGp0FrTnATDYLABL530DBsCQzA5S+fLecY0iLHEkluuJCcX2+cNpu7ytzgbEzHFDRDkd6RgI1cBL5smCnbxfrJSvfLR0VvihQJNZKPYEFHxt9euGkHhKilwbXa4VEtfY8GfMK18dGlM+K2nRu4G+ckoNzx9K2RdwAqUyj1WFLrS+FYY8EbHlffWf4WES32tSeyd6z3rF0jFoN83ojZ0nPfcch10tWklfRc2RcoItde9p0bR/Cgz2SI1nZT9EcBhrpqGkucLsx/xvcxXd/puQDe9svBq1vgWRuub7e6Q40v8Lhl5dTGJutKLWbCg9udonaUIR/LudSnSgEGrDoz/Yjx8Iytj9+tLj9C+rRASfUnHnTRjsVKJG3Ofx+YHhWs0gLJcV06EvM+PBgZOCnegcPrssi0OE+I5HtDixTkaBNQPHXfKcGqlSEPRmqEuwsvdcv7vOfWJn1ufmKpoaLXWPrX+U4gZYSMHrhieqdcieT8wSu/YJa8gBM5qkK1WMOYxwYzLU5q9H4g9sJfFqk14cvQk47Tb+nTLlFoYZvunATBAxQuNuMo8+scu0BuIqinB5SjO6bwF3nJUCigs8BTmo95Pw==' > ~/.ssh/known_hosts
+chmod 700 ~/.ssh/known_hosts
+
+rclone sync --config=/notfound --sftp-host sftp.jean-cloud.net --sftp-user "$SFTP_USER" --sftp-port 2929 --sftp-key-file "$SECRET_DIR/sftp.sshprivkey" --sftp-known-hosts-file ~/.ssh/known_hosts :sftp:/public/ "$HTTP_DIR"
--- a/services/sftp_jc/nginx_server.conf
+++ b/services/sftp_jc/nginx_server.conf
@ -0,0 +1,12 @@
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  ssl_certificate $JC_CERT/fullchain.pem;
+  ssl_certificate_key $JC_CERT/privkey.pem;
+  server_name $JC_SERVICE www.$JC_SERVICE;
+
+  location /  {
+    root $HTTP_DIR;
+    try_files $uri $uri/ =404;
+  }
+}