diff --git a/old_services/_monitoring/blackbox-targets.yml b/old_services/_monitoring/blackbox-targets.yml
new file mode 100644
index 0000000..1ba0b96
--- /dev/null
+++ b/old_services/_monitoring/blackbox-targets.yml
@@ -0,0 +1,50 @@
+- targets:
+ - amaglio.fr
+ - www.amaglio.fr
+ - collectif-arthadie.fr
+ - www.collectif-arthadie.fr
+ - copaines.jean-cloud.net
+ - www.copaines.jean-cloud.net
+ - cousinades.jean-cloud.net
+ - www.cousinades.jean-cloud.net
+ - feteducourt2020.jean-cloud.net
+ - www.feteducourt2020.jean-cloud.net
+ - feteducourt.jean-cloud.net
+ - www.feteducourt.jean-cloud.net
+ - git.jean-cloud.net
+ - www.git.jean-cloud.net
+ - gmx-webmail.jean-cloud.net
+ - www.gmx-webmail.jean-cloud.net
+ - inurbe.fr
+ - www.inurbe.fr
+ - jean-cloud.net
+ - www.jean-cloud.net
+ - lalis.fr
+ - leida.fr
+ - www.leida.fr
+ - metamorphosemagazine.fr
+ - nuage.jean-cloud.net
+ - www.nuage.jean-cloud.net
+ - oma-radio.fr
+ - www.oma-radio.fr
+ - paj.oma-radio.fr
+ - www.paj.oma-radio.fr
+ - grafana.jean-cloud.net
+ - www.grafana.jean-cloud.net
+ - radionimaitre.oma-radio.fr
+ - www.radionimaitre.oma-radio.fr
+ - registry.oma-radio.fr
+ - rpnow.jean-cloud.net
+ - www.rpnow.jean-cloud.net
+ - test.rpnow.jean-cloud.net
+ - www.test.rpnow.jean-cloud.net
+ - static.oma-radio.fr
+ - www.static.oma-radio.fr
+ - static.jean-cloud.net
+ - www.static.jean-cloud.net
+ - velov.jean-cloud.net
+ - www.velov.jean-cloud.net
+ - wiki-cgr.jean-cloud.net
+ - www.wiki-cgr.jean-cloud.net
+ - parsoid-wiki-cgr.jean-cloud.net
+ - www.parsoid-wiki-cgr.jean-cloud.net
diff --git a/old_services/_monitoring/create_monitoring_list.sh b/old_services/_monitoring/create_monitoring_list.sh
new file mode 100755
index 0000000..8094a8d
--- /dev/null
+++ b/old_services/_monitoring/create_monitoring_list.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+# Nginx configs
+nginx_dir=/data/proxy/sites-enabled/
+
+# The blackbox target file as it will be read by prometheus
+blackbox=/data/$(cat /etc/hostname)/public/blackbox-targets.yml
+
+
+echo '- targets:' > "$blackbox"
+
+for file in "$nginx_dir"/* ; do
+ echo '-------------------------'
+ file="$file"
+ if [ ! -f "$file" ] ; then continue ; fi
+ echo "$file"
+
+
+ service_name="$(basename "$file")"
+
+ # Getting just the domain names
+ domains="$(grep '^[[:blank:]]*[^#][[:blank:]]*server_name' "$file" | sed 's/ _ / /g' | sed 's/server_name//g' | sed 's/default_server//g' | sed -e 's/^[[:space:]]*//' | cut -d ';' -f 1)"
+ if [ -n "$domains" ] ; then
+
+ # removing duplicates
+ domains="$(echo $domains | awk '{for (i=1;i<=NF;i++) if (!a[$i]++) printf("%s%s",$i,FS)}{printf("\n")}')"
+ for domain in $domains ; do
+ echo " - $domain" >> "$blackbox"
+ done
+
+ fi
+done
+
+ls /etc/letsencrypt/live/*000* &> /dev/null
+if [ "$?" -eq 0 ] ; then
+ echo " ---------------------------------------------------------------------------------------------"
+ echo "Bad certs detected in letsencrypt dir. Nginx conf wont work…"
+ echo "rm -r /etc/letsencrypt/live/*000* /etc/letsencrypt/archive/*000* /etc/letsencrypt/renewal/*000*"
+ echo " ---------------------------------------------------------------------------------------------"
+fi
+
+
+docker exec -it proxy_reverse-proxy_1 nginx -t
+code="$?"
+if [ "$code" -ne 0 ] ; then
+ echo "Nginx test error, can’t reloat it"
+ exit 1
+fi
+
+docker exec -it proxy_reverse-proxy_1 nginx -s reload
+code="$?"
+if [ "$code" -ne 0 ] ; then
+ echo "Nginx reload error, GENERAL ALEEEEEEEEERT!!!!!"
+ exit 1
+fi
+echo "Done. No error detected."
diff --git a/old_services/_monitoring/docker-compose.yml b/old_services/_monitoring/docker-compose.yml
new file mode 100644
index 0000000..68f9d2e
--- /dev/null
+++ b/old_services/_monitoring/docker-compose.yml
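Review bot: Every token after `server_name` is written to the target file unvalidated, and the unquoted `$domains` in `echo $domains | awk …` and `for domain in $domains` is still subject to pathname expansion, so a wildcard name such as `*.example.org` (constructed example) or an nginx regex name (`~^…`) can expand against the working directory or land in the Prometheus target list as a bogus host. Disable globbing with `set -f` before the loop and skip anything that is not a plain hostname, e.g. `case "$domain" in ''|*[!A-Za-z0-9.-]*) continue ;; esac`. The list is also built by truncating `$blackbox` and then appending, so a reader can pick up a half-written file; writing to a temporary file in the same directory and `mv`-ing it into place avoids that. Separately, `docker exec -it` needs a TTY and will fail when the script runs from cron or a timer; plain `docker exec` is enough for `nginx -t` and `nginx -s reload`.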
@@ -0,0 +1,80 @@
+version: '3.7'
+services:
+ prometheus:
+ restart: unless-stopped
+ image: prom/prometheus
+ volumes:
+ - /docker/monitoring/prometheus.yml:/etc/prometheus/prometheus.yml
+ - /data/monitoring/blackbox-targets.yml:/etc/prometheus/blackbox-targets.yml
+ - type: bind
+ source: /data/monitoring/data
+ target: /prometheus
+ depends_on:
+ - cadvisor
+ networks:
+ default:
+ ipv4_address: 172.29.1.6
+
+ grafana:
+ restart: unless-stopped
+ image: grafana/grafana
+ volumes:
+ - /docker/monitoring/grafana.ini:/etc/grafana/grafana.ini
+ - /data/monitoring/grafana/data:/var/lib/grafana
+ networks:
+ default:
+ ipv4_address: 172.29.1.2
+
+ blackbox_exporter:
+ restart: unless-stopped
+ image: prom/blackbox-exporter
+ dns: 9.9.9.9
+ restart: always
+ volumes:
+ - /data/monitoring/blackbox-targets.yml:/config/blackbox-config.yml
+ networks:
+ default:
+ ipv4_address: 172.29.1.3
+
+ #icecast_exporter:
+ # image: markuslindenberg/icecast_exporter
+ # command: -icecast.scrape-uri http://listen.oma-radio.fr/status-json.xsl
+
+ cadvisor:
+ restart: unless-stopped
+ image: gcr.io/cadvisor/cadvisor:latest
+ container_name: cadvisor
+ ports:
+ - 8080:8080
+ volumes:
+ - /:/rootfs:ro
+ - /var/run:/var/run:rw
+ - /sys:/sys:ro
+ - /var/lib/docker/:/var/lib/docker:ro
+ depends_on:
+ - redis
+ networks:
+ default:
+ ipv4_address: 172.29.1.4
+ redis:
+ image: redis:latest
+ networks:
+ default:
+ ipv4_address: 172.29.1.5
+
+ node-exporter:
+ restart: unless-stopped
+ image: quay.io/prometheus/node-exporter:latest
+ volumes:
+ - /:/rootfs:ro
+ command:
+ - '--path.rootfs=/rootfs'
+ networks:
+ default:
+ ipv4_address: 172.29.1.7
+
+networks:
+ default:
+ ipam:
+ config:
+ - subnet: 172.29.1.0/24
diff --git a/old_services/_monitoring/grafana.ini b/old_services/_monitoring/grafana.ini
new file mode 100644
index 0000000..b427e33
--- /dev/null
+++ b/old_services/_monitoring/grafana.ini
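Review bot: The `cadvisor` service is published on every host interface by `ports: - 8080:8080` with no authentication in front of it, while it holds `/:/rootfs`, `/sys`, `/var/lib/docker` and a writable `/var/run` (which contains the Docker socket). If Prometheus scrapes it over the compose network at 172.29.1.4, as the fixed addresses suggest, the port mapping can be dropped or bound to loopback with `- '127.0.0.1:8080:8080'`, and the mount tightened to `- /var/run:/var/run:ro`; a read-only bind mount does not block API calls over the socket, so the container should still be treated as host-privileged. `blackbox_exporter` sets `restart` twice (`unless-stopped`, then `always`); duplicate mapping keys are invalid YAML and parsers either reject them or silently keep one, so one of the two lines should go. Every image is untagged or `:latest`, so pinning versions or digests would make it reproducible what runs with these host mounts.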
@@ -0,0 +1,13 @@
+[smtp]
+enabled = true
+
+host = mail.gandi.net:587
+user = nepasrepondre@jean-cloud.org
+# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
+password = ZMTX9B6VgsVvdbXSzC7Zp4ASj6DU6q22Zi7KnjXtGYHE7WmJBM3pkhW9Rcdx
+;skip_verify = false
+from_address = nepasrepondre@jean-cloud.org
+from_name = Grafana
+# EHLO identity in SMTP dialog (defaults to instance_name)
+;ehlo_identity = dashboard.example.com
+
diff --git a/old_services/_monitoring/grafana_dashboards/alerts_server_status.json b/old_services/_monitoring/grafana_dashboards/alerts_server_status.json
new file mode 100644
index 0000000..a4e400f
--- /dev/null
+++ b/old_services/_monitoring/grafana_dashboards/alerts_server_status.json
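Review bot: The `password =` line under `[smtp]` commits the mail account's credential in cleartext, so anyone with read access to the repository or its history can authenticate to `mail.gandi.net` as `nepasrepondre@jean-cloud.org`. Treat the value as exposed and rotate it at the provider; deleting the line in a later commit does not remove it from history. Keep the secret out of the file by using Grafana's expansion syntax, e.g. `password = $__file{/run/secrets/grafana_smtp_password}` (example path), or by omitting the key and setting `GF_SMTP_PASSWORD` in the container environment from a secret store.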
@@ -0,0 +1,326 @@ +{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "description": "Monitor and set alerts for all the pings to your servers using blackbox exporter and prometheus.", + "editable": true, + "gnetId": 5990, + "graphTooltip": 0, + "id": 3, + "iteration": 1629329153476, + "links": [], + "panels": [ + { + "alert": { + "alertRuleTags": {}, + "conditions": [ + { + "evaluator": { + "params": [ + 1 + ], + "type": "lt" + }, + "operator": { + "type": "and" + }, + "query": { + "params": [ + "A", + "5m", + "now" + ] + }, + "reducer": { + "params": [], + "type": "sum" + }, + "type": "query" + } + ], + "executionErrorState": "alerting", + "for": "0m", + "frequency": "60s", + "handler": 1, + "message": "Server does not respond to ping!", + "name": "Server Status alert", + "noDataState": "no_data", + "notifications": [] + }, + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "links": [] + }, + "overrides": [] + }, + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 24, + "x": 0, + "y": 0 + }, + "hiddenSeries": false, + "id": 9, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 0, + "links": [], + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.0.6", + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "probe_success{job=\"ping\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{instance}}", + "refId": "A" + } + ], + "thresholds": [ + { + "colorMode": 
"critical", + "fill": true, + "line": true, + "op": "lt", + "value": 1, + "visible": true + } + ], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Server Status", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "decimals": 0, + "format": "none", + "label": "OK", + "logBase": 1, + "max": "1", + "min": "0", + "show": true + }, + { + "decimals": null, + "format": "short", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "cacheTimeout": null, + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "text": "NOK" + }, + "1": { + "text": "OK" + } + }, + "type": "value" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "#d44a3a", + "value": null + }, + { + "color": "rgba(237, 129, 40, 0.89)", + "value": 1 + }, + { + "color": "#299c46", + "value": 1 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 5, + "w": 6, + "x": 0, + "y": 8 + }, + "id": 2, + "interval": null, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.0.6", + "repeat": "node", + "repeatDirection": "h", + "targets": [ + { + "expr": "probe_success{instance=~\"$node\"}", + "format": "time_series", + "instant": false, + "interval": "", + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "title": "$node", + "type": "stat" + } + ], + "schemaVersion": 30, + "style": "dark", + "tags": [ + 
"alerts", + "linux", + "windows" + ], + "templating": { + "list": [ + { + "allValue": null, + "current": { + "selected": false, + "text": "All", + "value": "$__all" + }, + "datasource": "Prometheus", + "definition": "", + "description": null, + "error": null, + "hide": 0, + "includeAll": true, + "label": "node", + "multi": true, + "name": "node", + "options": [], + "query": { + "query": "label_values(probe_success{job=\"ping\"}, instance) ", + "refId": "Prometheus-node-Variable-Query" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-24h", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Alerts - Server Status", + "uid": "pbHjqZzmk", + "version": 3 +} diff --git a/old_services/_monitoring/grafana_dashboards/blackbox_overview.json b/old_services/_monitoring/grafana_dashboards/blackbox_overview.json new file mode 100644 index 0000000..11850a6 --- /dev/null +++ b/old_services/_monitoring/grafana_dashboards/blackbox_overview.json 
@@ -0,0 +1,903 @@ +{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "Prometheus", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "description": "Fork of https://grafana.com/grafana/dashboards/5345 which uses 'instance' instead of 'target' label", + "editable": true, + "gnetId": 11175, + "graphTooltip": 0, + "id": 2, + "iteration": 1629329057681, + "links": [], + "panels": [ + { + "collapsed": false, + "datasource": null, + "fieldConfig": { + "defaults": {}, + "overrides": [] + }, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 15, + "panels": [], + "repeat": "targets", + "title": "$targets UP/DOWN Status", + "type": "row" + }, + { + "cacheTimeout": null, + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "text": "DOWN" + }, + "1": { + "text": "UP" + } + }, + "type": "value" + }, + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "#d44a3a", + "value": null + }, + { + "color": "rgba(237, 129, 40, 0.89)", + "value": 1 + }, + { + "color": "#299c46", + "value": 1 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 2, + "w": 24, + "x": 0, + "y": 1 + }, + "id": 2, + "interval": null, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.0.6", + "repeat": null, + "repeatDirection": "h", + "targets": [ + { + "expr": "probe_success{instance=~\"$targets\"}", + "format": "time_series", + "interval": "$interval", + "intervalFactor": 1, + 
"refId": "A" + } + ], + "title": "$targets", + "type": "stat" + }, + { + "cacheTimeout": null, + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "text": "NO" + }, + "1": { + "text": "YES" + } + }, + "type": "value" + }, + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "#d44a3a", + "value": null + }, + { + "color": "rgba(237, 129, 40, 0.89)", + "value": 0 + }, + { + "color": "#299c46", + "value": 1 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 2, + "w": 6, + "x": 0, + "y": 3 + }, + "id": 18, + "interval": null, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.0.6", + "repeatDirection": "h", + "targets": [ + { + "expr": "probe_http_ssl{instance=~\"$targets\"}", + "format": "time_series", + "interval": "$interval", + "intervalFactor": 1, + "refId": "A" + } + ], + "title": "SSL", + "type": "stat" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 6, + "w": 9, + "x": 6, + "y": 3 + }, + "hiddenSeries": false, + "id": 17, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.0.6", + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, 
+ "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "probe_duration_seconds{instance=~\"$targets\"}", + "format": "time_series", + "interval": "$interval", + "intervalFactor": 1, + "legendFormat": "seconds", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Probe Duration", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 6, + "w": 9, + "x": 15, + "y": 3 + }, + "hiddenSeries": false, + "id": 21, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.0.6", + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "probe_dns_lookup_time_seconds{instance=~\"$targets\"}", + "format": "time_series", + "interval": "$interval", + "intervalFactor": 1, + "legendFormat": "seconds", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "DNS Lookup", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + 
"buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "cacheTimeout": null, + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "decimals": 2, + "mappings": [ + { + "options": { + "0": { + "text": "NO" + }, + "1": { + "text": "YES" + } + }, + "type": "value" + }, + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "#d44a3a", + "value": null + }, + { + "color": "rgba(237, 129, 40, 0.89)", + "value": 0 + }, + { + "color": "#299c46", + "value": 1209600 + } + ] + }, + "unit": "dtdurations" + }, + "overrides": [] + }, + "gridPos": { + "h": 2, + "w": 6, + "x": 0, + "y": 5 + }, + "id": 19, + "interval": null, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.0.6", + "repeatDirection": "h", + "targets": [ + { + "expr": "probe_ssl_earliest_cert_expiry{instance=~\"$targets\"}-time()", + "format": "time_series", + "interval": "$interval", + "intervalFactor": 1, + "refId": "A" + } + ], + "title": "SSL Cert Expiry", + "type": "stat" + }, + { + "cacheTimeout": null, + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "decimals": 0, + "mappings": [ + { + "options": { + "0": { + "text": "NO" + }, + "1": { + "text": "YES" + } + }, + "type": "value" + }, + { + 
"options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "#299c46", + "value": null + }, + { + "color": "rgba(237, 129, 40, 0.89)", + "value": 200 + }, + { + "color": "#d44a3a", + "value": 299 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 2, + "w": 6, + "x": 0, + "y": 7 + }, + "id": 20, + "interval": null, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.0.6", + "repeatDirection": "h", + "targets": [ + { + "expr": "probe_http_status_code{instance=~\"$targets\"}", + "format": "time_series", + "interval": "$interval", + "intervalFactor": 1, + "refId": "A" + } + ], + "title": "HTTP Status Code", + "type": "stat" + }, + { + "cacheTimeout": null, + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "s" + }, + "overrides": [] + }, + "gridPos": { + "h": 2, + "w": 12, + "x": 0, + "y": 9 + }, + "id": 23, + "interval": null, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.0.6", + "targets": [ + { + "expr": "avg(probe_duration_seconds{instance=~\"$targets\"})", + "format": "time_series", + 
"interval": "$interval", + "intervalFactor": 1, + "refId": "A" + } + ], + "title": "Average Probe Duration", + "type": "stat" + }, + { + "cacheTimeout": null, + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "s" + }, + "overrides": [] + }, + "gridPos": { + "h": 2, + "w": 12, + "x": 12, + "y": 9 + }, + "id": 24, + "interval": null, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.0.6", + "targets": [ + { + "expr": "avg(probe_dns_lookup_time_seconds{instance=~\"$targets\"})", + "format": "time_series", + "interval": "$interval", + "intervalFactor": 1, + "refId": "A" + } + ], + "title": "Average DNS Lookup", + "type": "stat" + } + ], + "refresh": "1m", + "schemaVersion": 30, + "style": "dark", + "tags": [ + "blackbox", + "prometheus" + ], + "templating": { + "list": [ + { + "auto": true, + "auto_count": 10, + "auto_min": "10s", + "current": { + "selected": false, + "text": "auto", + "value": "$__auto_interval_interval" + }, + "description": null, + "error": null, + "hide": 0, + "label": "Interval", + "name": "interval", + "options": [ + { + "selected": true, + "text": "auto", + "value": "$__auto_interval_interval" + }, + { + "selected": false, + "text": "5s", + "value": "5s" + }, + { + "selected": false, + "text": "10s", + "value": "10s" + }, + { + "selected": false, + "text": "30s", + "value": "30s" + }, + { + "selected": false, + "text": "1m", + "value": "1m" + }, + { + 
"selected": false, + "text": "10m", + "value": "10m" + }, + { + "selected": false, + "text": "30m", + "value": "30m" + }, + { + "selected": false, + "text": "1h", + "value": "1h" + }, + { + "selected": false, + "text": "6h", + "value": "6h" + }, + { + "selected": false, + "text": "12h", + "value": "12h" + }, + { + "selected": false, + "text": "1d", + "value": "1d" + }, + { + "selected": false, + "text": "7d", + "value": "7d" + }, + { + "selected": false, + "text": "14d", + "value": "14d" + }, + { + "selected": false, + "text": "30d", + "value": "30d" + } + ], + "query": "5s,10s,30s,1m,10m,30m,1h,6h,12h,1d,7d,14d,30d", + "refresh": 2, + "skipUrlSync": false, + "type": "interval" + }, + { + "allValue": null, + "current": { + "selected": false, + "text": "All", + "value": "$__all" + }, + "datasource": "Prometheus", + "definition": "label_values(probe_success, instance)", + "description": null, + "error": null, + "hide": 0, + "includeAll": true, + "label": null, + "multi": true, + "name": "targets", + "options": [], + "query": { + "query": "label_values(probe_success, instance)", + "refId": "Prometheus-targets-Variable-Query" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-1h", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Blackbox Exporter Overview", + "uid": "xtkCtBkiz", + "version": 1 +} diff --git a/old_services/_monitoring/grafana_dashboards/cadvisor_node_exporter.json b/old_services/_monitoring/grafana_dashboards/cadvisor_node_exporter.json new file mode 100644 index 0000000..f1ec617 --- /dev/null +++ b/old_services/_monitoring/grafana_dashboards/cadvisor_node_exporter.json 
@@ -0,0 +1,2490 @@ +{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "description": "Dashboard with details of the container metrics and host OS metrics.", + "editable": true, + "gnetId": 10566, + "graphTooltip": 1, + "id": 6, + "iteration": 1629329112111, + "links": [], + "panels": [ + { + "cacheTimeout": null, + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "decimals": 0, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "s" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 0, + "y": 0 + }, + "id": 24, + "interval": null, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.0.6", + "targets": [ + { + "expr": "time() - node_boot_time_seconds{instance=~\"$node\"}", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "", + "refId": "A", + "step": 1800 + } + ], + "title": "Uptime", + "type": "stat" + }, + { + "cacheTimeout": null, + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + 
"unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 4, + "y": 0 + }, + "id": 31, + "interval": null, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.0.6", + "targets": [ + { + "expr": "count(rate(container_last_seen{id=~\"/docker/.*\",instance=~\"$node\"}[5m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "refId": "A", + "step": 1800 + } + ], + "title": "Containers", + "type": "stat" + }, + { + "cacheTimeout": null, + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "decimals": 1, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "max": 1, + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "rgba(50, 172, 45, 0.97)", + "value": null + }, + { + "color": "rgba(237, 129, 40, 0.89)", + "value": 0.75 + }, + { + "color": "rgba(245, 54, 54, 0.9)", + "value": 0.9 + } + ] + }, + "unit": "percentunit" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 8, + "y": 0 + }, + "id": 26, + "interval": null, + "links": [], + "maxDataPoints": 100, + "options": { + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": true, + "text": {} + }, + "pluginVersion": "8.0.6", + "targets": [ + { + "expr": "min((node_filesystem_size_bytes{fstype=~\"xfs|ext4\",instance=~\"$node\"} - node_filesystem_free_bytes{fstype=~\"xfs|ext4\",instance=~\"$node\"} )/ node_filesystem_size_bytes{fstype=~\"xfs|ext4\",instance=~\"$node\"})", + "format": "time_series", + "hide": false, + 
"intervalFactor": 2, + "legendFormat": "/", + "refId": "A", + "step": 1800 + } + ], + "title": "Disk space /", + "type": "gauge" + }, + { + "cacheTimeout": null, + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "decimals": 0, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "max": 100, + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "rgba(50, 172, 45, 0.97)", + "value": null + }, + { + "color": "rgba(237, 129, 40, 0.89)", + "value": 70 + }, + { + "color": "rgba(245, 54, 54, 0.9)", + "value": 90 + } + ] + }, + "unit": "percent" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 12, + "y": 0 + }, + "id": 25, + "interval": null, + "links": [], + "maxDataPoints": 100, + "options": { + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": true, + "text": {} + }, + "pluginVersion": "8.0.6", + "targets": [ + { + "expr": "((node_memory_MemTotal_bytes{instance=~\"$node\"} - node_memory_MemAvailable_bytes{instance=~\"$node\"}) / node_memory_MemTotal_bytes{instance=~\"$node\"}) * 100", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "refId": "A", + "step": 1800 + } + ], + "title": "Memory", + "type": "gauge" + }, + { + "cacheTimeout": null, + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "decimals": 0, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "max": 500000000, + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "rgba(50, 172, 45, 0.97)", + "value": null + }, + { + "color": "rgba(237, 129, 40, 0.89)", + "value": 400000000 + }, + { + "color": "rgba(245, 54, 54, 0.9)" + } + ] + }, + 
"unit": "decbytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 16, + "y": 0 + }, + "id": 30, + "interval": null, + "links": [], + "maxDataPoints": 100, + "options": { + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": true, + "text": {} + }, + "pluginVersion": "8.0.6", + "targets": [ + { + "expr": "(node_memory_SwapTotal_bytes{instance=~'$node'} - node_memory_SwapFree_bytes{instance=~'$node'})", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "", + "refId": "A", + "step": 1800 + } + ], + "title": "Swap", + "type": "gauge" + }, + { + "cacheTimeout": null, + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "rgb(69, 193, 31)", + "mode": "fixed" + }, + "decimals": 0, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "rgba(245, 54, 54, 0.9)", + "value": null + }, + { + "color": "rgba(237, 129, 40, 0.89)", + "value": 0.8 + }, + { + "color": "rgba(50, 172, 45, 0.97)", + "value": 0.9 + } + ] + }, + "unit": "percent" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 20, + "y": 0 + }, + "id": 27, + "interval": null, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "mean" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.0.6", + "targets": [ + { + "expr": "node_load1{instance=~\"$node\"} / count by(job, instance)(count by(job, instance, cpu)(node_cpu_seconds_total{instance=~\"$node\"}))", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "refId": "A", + "step": 1800 + }, + { + "expr": 
"sum(node_load1{instance=~\"$node\"}) by (instance) / count(node_cpu_seconds_total{mode=\"system\",instance=~\"$node\"}) by (instance) * 100", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Load1", + "refId": "B" + } + ], + "title": "Load1", + "type": "stat" + }, + { + "aliasColors": { + "SENT": "#BF1B00" + }, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "editable": true, + "error": false, + "fill": 1, + "fillGradient": 0, + "grid": {}, + "gridPos": { + "h": 6, + "w": 4, + "x": 0, + "y": 4 + }, + "hiddenSeries": false, + "id": 19, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.0.6", + "pointradius": 1, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(container_network_receive_bytes_total{id=\"/\",instance=~\"$node\"}[5m])) by (id)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "RECEIVED", + "refId": "A", + "step": 600 + }, + { + "expr": "- sum(rate(container_network_transmit_bytes_total{id=\"/\",instance=~\"$node\"}[5m ])) by (id)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "SENT", + "refId": "B", + "step": 600 + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Network Traffic", + "tooltip": { + "msResolution": true, + "shared": true, + "sort": 0, + "value_type": "cumulative" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": false, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": null, + "logBase": 1, + 
"max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": { + "{id=\"/\",instance=\"cadvisor:8080\",job=\"prometheus\"}": "#BA43A9" + }, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "editable": true, + "error": false, + "fill": 1, + "fillGradient": 0, + "grid": {}, + "gridPos": { + "h": 6, + "w": 4, + "x": 4, + "y": 4 + }, + "hiddenSeries": false, + "id": 5, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.0.6", + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": true, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(container_cpu_system_seconds_total[1m]))", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "a", + "refId": "B", + "step": 120 + }, + { + "expr": "sum(rate(container_cpu_system_seconds_total{name=~\".+\"}[1m]))", + "format": "time_series", + "hide": true, + "interval": "", + "intervalFactor": 2, + "legendFormat": "nur container", + "refId": "F", + "step": 10 + }, + { + "expr": "sum(rate(container_cpu_system_seconds_total{id=\"/\"}[1m]))", + "format": "time_series", + "hide": true, + "interval": "", + "intervalFactor": 2, + "legendFormat": "nur docker host", + "metric": "", + "refId": "A", + "step": 20 + }, + { + "expr": "sum(rate(process_cpu_seconds_total[$interval])) * 100", + "format": "time_series", + "hide": true, + "interval": "", + "intervalFactor": 2, + "legendFormat": "host", + "metric": "", + "refId": "C", + "step": 600 + }, + { + "expr": 
"sum(rate(container_cpu_system_seconds_total{name=~\".+\"}[1m])) + sum(rate(container_cpu_system_seconds_total{id=\"/\"}[1m])) + sum(rate(process_cpu_seconds_total[1m]))", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "", + "refId": "D", + "step": 120 + }, + { + "expr": "100 - (avg by (instance) (irate(node_cpu_seconds_total{instance=~\"$node\",mode=\"idle\"}[5m])) * 100)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "refId": "E" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "CPU Usage", + "tooltip": { + "msResolution": true, + "shared": true, + "sort": 0, + "value_type": "cumulative" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": false, + "values": [] + }, + "yaxes": [ + { + "format": "percent", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "alert": { + "alertRuleTags": {}, + "conditions": [ + { + "evaluator": { + "params": [ + 1.25 + ], + "type": "gt" + }, + "query": { + "params": [ + "A", + "5m", + "now" + ] + }, + "reducer": { + "params": [], + "type": "avg" + }, + "type": "query" + } + ], + "executionErrorState": "alerting", + "for": "0m", + "frequency": "60s", + "handler": 1, + "name": "Panel Title alert", + "noDataState": "keep_state", + "notifications": [ + { + "id": 1 + } + ] + }, + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "decimals": 0, + "editable": true, + "error": false, + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 6, + "w": 4, + "x": 8, + "y": 4 + }, + "hiddenSeries": false, + "id": 28, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": 
false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "connected", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.0.6", + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "node_load1{instance=~\"$node\"} / count by(job, instance)(count by(job, instance, cpu)(node_cpu_seconds_total{instance=~\"$node\"}))", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "refId": "A", + "step": 600 + }, + { + "expr": "sum(node_load1{instance=~\"$node\"}) by (instance) / count(node_cpu_seconds_total{mode=\"system\",instance=~\"$node\"}) by (instance) * 100", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "refId": "B" + } + ], + "thresholds": [ + { + "colorMode": "critical", + "fill": true, + "line": true, + "op": "gt", + "value": 1.25, + "visible": true + } + ], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Load 1", + "tooltip": { + "msResolution": false, + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": false, + "values": [] + }, + "yaxes": [ + { + "format": "percent", + "label": null, + "logBase": 1, + "max": "300", + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "alert": { + "conditions": [ + { + "evaluator": { + "params": [ + 250000000000 + ], + "type": "gt" + }, + "query": { + "params": [ + "A", + "5m", + "now" + ] + }, + "reducer": { + "params": [], + "type": "avg" + }, + "type": "query" + } + ], + "executionErrorState": "alerting", + "frequency": "60s", + "handler": 1, + "name": "Free/Used Disk Space alert", + "noDataState": 
"keep_state", + "notifications": [ + { + "id": 1 + } + ] + }, + "aliasColors": { + "Belegete Festplatte": "#BF1B00", + "Free Disk Space": "#7EB26D", + "Used Disk Space": "#7EB26D", + "{}": "#BF1B00" + }, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "editable": true, + "error": false, + "fill": 1, + "fillGradient": 0, + "grid": {}, + "gridPos": { + "h": 6, + "w": 4, + "x": 12, + "y": 4 + }, + "hiddenSeries": false, + "id": 13, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.0.6", + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "alias": "Used Disk Space", + "yaxis": 1 + } + ], + "spaceLength": 10, + "stack": true, + "steppedLine": false, + "targets": [ + { + "expr": "node_filesystem_size_bytes{fstype=\"ext4\",instance=~\"$node\"} - node_filesystem_free_bytes{fstype=\"ext4\",instance=~\"$node\"}", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Used Disk Space", + "refId": "A", + "step": 600 + } + ], + "thresholds": [ + { + "colorMode": "critical", + "fill": true, + "line": true, + "op": "gt", + "value": 250000000000, + "visible": true + } + ], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Used Disk Space /", + "tooltip": { + "msResolution": true, + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": false, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": "", + "logBase": 1, + "max": "295279001600", + "min": 0, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + 
} + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "alert": { + "conditions": [ + { + "evaluator": { + "params": [ + 214748364800 + ], + "type": "gt" + }, + "query": { + "params": [ + "A", + "5m", + "now" + ] + }, + "reducer": { + "params": [], + "type": "avg" + }, + "type": "query" + } + ], + "executionErrorState": "alerting", + "frequency": "60s", + "handler": 1, + "name": "Available Memory alert", + "noDataState": "keep_state", + "notifications": [ + { + "id": 1 + } + ] + }, + "aliasColors": { + "Available Memory": "#7EB26D", + "Unavailable Memory": "#7EB26D" + }, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "editable": true, + "error": false, + "fill": 1, + "fillGradient": 0, + "grid": {}, + "gridPos": { + "h": 6, + "w": 4, + "x": 16, + "y": 4 + }, + "hiddenSeries": false, + "id": 20, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.0.6", + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": true, + "steppedLine": false, + "targets": [ + { + "expr": "container_memory_rss{name=~\".+\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "{{__name__}}", + "refId": "D", + "step": 20 + }, + { + "expr": "sum(container_memory_rss{name=~\".+\"})", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "{{__name__}}", + "refId": "A", + "step": 20 + }, + { + "expr": "container_memory_usage_bytes{name=~\".+\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "{{name}}", + "refId": "B", + "step": 20 + }, + { + "expr": "container_memory_rss{id=\"/\"}", + "format": "time_series", + 
"hide": true, + "intervalFactor": 2, + "legendFormat": "{{__name__}}", + "refId": "C", + "step": 20 + }, + { + "expr": "sum(container_memory_rss)", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "{{__name__}}", + "refId": "E", + "step": 20 + }, + { + "expr": "node_memory_Buffers", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "node_memory_Dirty", + "refId": "N", + "step": 30 + }, + { + "expr": "node_memory_MemFree", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "{{__name__}}", + "refId": "F", + "step": 20 + }, + { + "expr": "node_memory_MemAvailable", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "Available Memory", + "refId": "H", + "step": 20 + }, + { + "expr": "node_memory_MemTotal_bytes{instance=~\"$node\"} - node_memory_MemAvailable_bytes{instance=~\"$node\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "Unavailable Memory", + "refId": "G", + "step": 600 + }, + { + "expr": "node_memory_Inactive", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "{{__name__}}", + "refId": "I", + "step": 30 + }, + { + "expr": "node_memory_KernelStack", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "{{__name__}}", + "refId": "J", + "step": 30 + }, + { + "expr": "node_memory_Active", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "{{__name__}}", + "refId": "K", + "step": 30 + }, + { + "expr": "node_memory_MemTotal - (node_memory_Active + node_memory_MemFree + node_memory_Inactive)", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "Unknown", + "refId": "L", + "step": 40 + }, + { + "expr": "node_memory_MemFree + node_memory_Inactive ", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "{{__name__}}", + "refId": "M", + 
"step": 30 + }, + { + "expr": "container_memory_rss{name=~\".+\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "{{__name__}}", + "refId": "O", + "step": 30 + }, + { + "expr": "node_memory_MemAvailable_bytes{instance=~\"$node\"}", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Available memory", + "refId": "P", + "step": 40 + }, + { + "expr": "node_memory_MemFree_bytes{instance=~\"$node\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Free memory", + "refId": "Q" + }, + { + "expr": "node_memory_MemTotal_bytes{instance=~\"$node\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Total memory", + "refId": "R" + }, + { + "expr": "node_memory_MemTotal_bytes{instance=~\"$node\"}-(node_memory_Buffers_bytes{instance=~\"$node\"}+node_memory_Cached_bytes{instance=~\"$node\"}+node_memory_MemFree_bytes{instance=~\"$node\"})", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Used memory", + "refId": "S" + } + ], + "thresholds": [ + { + "colorMode": "critical", + "fill": true, + "line": true, + "op": "gt", + "value": 214748364800, + "visible": true + } + ], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Available Memory", + "tooltip": { + "msResolution": true, + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": false, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": "", + "logBase": 1, + "max": "269509197824", + "min": 0, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": { + "IN on /sda": "#7EB26D", + "OUT on /sda": "#890F02" + }, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + 
"editable": true, + "error": false, + "fill": 1, + "fillGradient": 0, + "grid": {}, + "gridPos": { + "h": 6, + "w": 4, + "x": 20, + "y": 4 + }, + "hiddenSeries": false, + "id": 3, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.0.6", + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "-sum(rate(node_disk_read_bytes_total{instance=~\"$node\"}[5m])) by (device)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "OUT on /{{device}}", + "metric": "node_disk_bytes_read", + "refId": "A", + "step": 600 + }, + { + "expr": "sum(rate(node_disk_written_bytes_total{instance=~\"$node\"}[5m])) by (device)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "IN on /{{device}}", + "metric": "", + "refId": "B", + "step": 600 + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Disk I/O", + "tooltip": { + "msResolution": true, + "shared": true, + "sort": 0, + "value_type": "cumulative" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": false, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "editable": true, + "error": false, + "fill": 1, + "fillGradient": 0, 
+ "grid": {}, + "gridPos": { + "h": 7, + "w": 12, + "x": 0, + "y": 10 + }, + "hiddenSeries": false, + "id": 8, + "legend": { + "alignAsTable": true, + "avg": false, + "current": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 2, + "links": [], + "nullPointMode": "null as zero", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.0.6", + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "rate(container_network_receive_bytes_total{name!=\"\",instance=~\"$node\"}[5m])", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{name}}", + "refId": "A", + "step": 240 + }, + { + "expr": "sum(rate(container_network_transmit_bytes_total{instance=~\"$node\"}[5m])) by (name)", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "", + "refId": "B", + "step": 10 + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Received Network Traffic per Container", + "tooltip": { + "msResolution": true, + "shared": true, + "sort": 0, + "value_type": "cumulative" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "editable": true, + "error": false, + "fill": 1, + "fillGradient": 0, + "grid": {}, + "gridPos": { + "h": 7, + "w": 12, + "x": 12, + "y": 
10 + }, + "hiddenSeries": false, + "id": 9, + "legend": { + "alignAsTable": true, + "avg": false, + "current": false, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 2, + "links": [], + "nullPointMode": "null as zero", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.0.6", + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(container_network_transmit_bytes_total{name!=\"\",instance=~\"$node\"}[5m])) by (name)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{name}}", + "refId": "A", + "step": 240 + }, + { + "expr": "rate(container_network_transmit_bytes_total{id=\"/\"}[$interval])", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "", + "refId": "B", + "step": 10 + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Sent Network Traffic per Container", + "tooltip": { + "msResolution": true, + "shared": true, + "sort": 0, + "value_type": "cumulative" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": "", + "logBase": 10, + "max": 8, + "min": 0, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "editable": true, + "error": false, + "fill": 0, + "fillGradient": 0, + "grid": {}, + "gridPos": { + "h": 8, + "w": 24, + "x": 0, + "y": 17 + }, + "hiddenSeries": false, + "id": 1, + "legend": 
{ + "alignAsTable": true, + "avg": true, + "current": false, + "max": true, + "min": false, + "rightSide": true, + "show": true, + "sort": "avg", + "sortDesc": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.0.6", + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(container_cpu_usage_seconds_total{name=~\".+\",instance=~\"$node\"}[5m])) by (name) * 100", + "format": "time_series", + "hide": false, + "interval": "", + "intervalFactor": 2, + "legendFormat": "{{name}}", + "metric": "", + "refId": "F", + "step": 240 + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "CPU Usage per Container", + "tooltip": { + "msResolution": true, + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percent", + "label": "", + "logBase": 1, + "max": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "editable": true, + "error": false, + "fill": 3, + "fillGradient": 0, + "grid": {}, + "gridPos": { + "h": 7, + "w": 24, + "x": 0, + "y": 25 + }, + "hiddenSeries": false, + "id": 10, + "legend": { + "alignAsTable": true, + "avg": false, + "current": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 2, + "links": [], + 
"nullPointMode": "null as zero", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.0.6", + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": true, + "steppedLine": false, + "targets": [ + { + "expr": "sum(container_memory_rss{name!=\"\",instance=~\"$node\"}) by (name)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{name}}", + "refId": "A", + "step": 240 + }, + { + "expr": "container_memory_usage_bytes{name=~\".+\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "{{name}}", + "refId": "B", + "step": 240 + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "RSS Memory Usage per Container", + "tooltip": { + "msResolution": true, + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 7, + "w": 24, + "x": 0, + "y": 32 + }, + "hiddenSeries": false, + "id": 38, + "legend": { + "alignAsTable": true, + "avg": true, + "current": false, + "max": true, + "min": false, + "rightSide": true, + "show": true, + "sort": "avg", + "sortDesc": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.0.6", + "pointradius": 
5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "container_memory_usage_bytes{name!=\"\",instance=~\"$node\"}", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{name}}", + "refId": "A", + "target": "" + }, + { + "expr": "container_spec_memory_limit_bytes{name!=\"\",instance=~\"$node\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "Limit {{name}}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Used Memory per Container", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "decimals": 1, + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "decimals": 1, + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 7, + "w": 24, + "x": 0, + "y": 39 + }, + "hiddenSeries": false, + "id": 40, + "legend": { + "alignAsTable": true, + "avg": false, + "current": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.0.6", + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": 
"container_memory_usage_bytes{name!=\"\",instance=~\"$node\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "{{name}}", + "refId": "A", + "target": "" + }, + { + "expr": "container_spec_memory_limit_bytes{name!=\"\",instance=~\"$node\"}-container_memory_usage_bytes{name!=\"\",instance=~\"$node\"}", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{name}}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Available Memory per Container", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "decimals": 1, + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "decimals": 1, + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 7, + "w": 24, + "x": 0, + "y": 46 + }, + "hiddenSeries": false, + "id": 39, + "legend": { + "alignAsTable": true, + "avg": false, + "current": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.0.6", + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "container_memory_usage_bytes{name!=\"\",instance=~\"$node\"}", + "format": "time_series", + "hide": 
true, + "intervalFactor": 2, + "legendFormat": "Used {{name}}", + "refId": "A", + "target": "" + }, + { + "expr": "container_spec_memory_limit_bytes{name!=\"\",instance=~\"$node\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{name}}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Limit Memory per Container", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "decimals": 1, + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "decimals": 1, + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "columns": [], + "datasource": "Prometheus", + "fontSize": "100%", + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 53 + }, + "id": 42, + "links": [], + "pageSize": null, + "scroll": true, + "showHeader": true, + "sort": { + "col": 0, + "desc": true + }, + "styles": [ + { + "alias": "", + "align": "auto", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "__name__", + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Used memory", + "align": "auto", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "Value #A", + "thresholds": [], + "type": "number", + "unit": "bytes" + }, + { + "alias": "Available memory", + "align": "auto", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 
0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "Value #B", + "thresholds": [], + "type": "number", + "unit": "bytes" + }, + { + "alias": "Limit memory", + "align": "auto", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "Value #C", + "thresholds": [], + "type": "number", + "unit": "bytes" + }, + { + "alias": "", + "align": "auto", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "Time", + "thresholds": [], + "type": "hidden", + "unit": "short" + } + ], + "targets": [ + { + "expr": "max(container_memory_usage_bytes{name!=\"\",instance=~\"$node\"}) by (name)", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + }, + { + "expr": "max(container_memory_max_usage_bytes{name!=\"\",instance=~\"$node\"}-container_memory_usage_bytes{name!=\"\",instance=~\"$node\"})by (name)", + "format": "table", + "instant": true, + "intervalFactor": 1, + "refId": "B" + }, + { + "expr": "max(container_memory_max_usage_bytes{name!=\"\",instance=~\"$node\"}) by (name)", + "format": "table", + "instant": true, + "intervalFactor": 1, + "refId": "C" + } + ], + "timeFrom": null, + "timeShift": null, + "title": "Memory usage per container", + "transform": "table", + "type": "table-old" + } + ], + "refresh": "5m", + "schemaVersion": 30, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "description": null, + "error": null, + "hide": 2, + "label": "datacenter", + "name": "datacenter", + "query": "IAD*", + "skipUrlSync": false, + "type": "constant" + }, + { + "allValue": null, + 
"current": { + "isNone": true, + "selected": false, + "text": "None", + "value": "" + }, + "datasource": "Prometheus", + "definition": "", + "description": null, + "error": null, + "hide": 0, + "includeAll": false, + "label": null, + "multi": false, + "name": "environment", + "options": [], + "query": { + "query": "label_values(cadvisor_version_info, env)", + "refId": "Prometheus-environment-Variable-Query" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": { + "selected": false, + "text": "All", + "value": "$__all" + }, + "datasource": "Prometheus", + "definition": "", + "description": null, + "error": null, + "hide": 0, + "includeAll": true, + "label": "Job", + "multi": true, + "name": "job", + "options": [], + "query": { + "query": "label_values(cadvisor_version_info, job)", + "refId": "Prometheus-job-Variable-Query" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 1, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": { + "selected": false, + "text": "All", + "value": "$__all" + }, + "datasource": "Prometheus", + "definition": "", + "description": null, + "error": null, + "hide": 0, + "includeAll": true, + "label": "Node", + "multi": true, + "name": "node", + "options": [], + "query": { + "query": "label_values(cadvisor_version_info{env=~\"$environment\",job=~\"$job\"}, instance)", + "refId": "Prometheus-node-Variable-Query" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 1, + "tagValuesQuery": null, + "tagsQuery": null, + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-1h", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + 
"12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "browser", + "title": "Docker and OS metrics ( cadvisor, node_exporter )", + "uid": "Ss3q6hSZk", + "version": 6 +} diff --git a/old_services/_monitoring/installer.sh b/old_services/_monitoring/installer.sh new file mode 100755 index 0000000..91a95fc --- /dev/null +++ b/old_services/_monitoring/installer.sh @@ -0,0 +1,12 @@ +#!/bin/sh + +if [ "$1" = "uninstall" ] ; then + echo "" +else # Installation procedure below + mkdir -p /data/monitoring/grafana /data/monitoring/data + chown 472:472 /data/monitoring/grafana -R + chown nobody:nogroup -R /data/monitoring/data +fi + + + diff --git a/old_services/_monitoring/nginx_server.conf b/old_services/_monitoring/nginx_server.conf new file mode 100644 index 0000000..dfd750d --- /dev/null +++ b/old_services/_monitoring/nginx_server.conf @@ -0,0 +1,20 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate /etc/letsencrypt/live/monitoring/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/monitoring/privkey.pem; + + server_name grafana.jean-cloud.net www.grafana.jean-cloud.net; + + location / { + #if ($remote_addr != "193.33.56.94") { return 503; } + client_max_body_size 2G; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $http_host; + proxy_set_header X-NginX-Proxy true; + + proxy_pass http://172.29.1.2:3000/; + proxy_redirect off; + } +} diff --git a/old_services/_monitoring/prometheus.yml b/old_services/_monitoring/prometheus.yml new file mode 100644 index 0000000..4b25a97 --- /dev/null +++ b/old_services/_monitoring/prometheus.yml 
@@ -0,0 +1,97 @@ +# my global config +global: + scrape_interval: 60s + evaluation_interval: 60s + # scrape_timeout is set to the global default (10s). + + # Attach these labels to any time series or alerts when communicating with + # external systems (federation, remote storage, Alertmanager). + external_labels: + monitor: 'codelab-monitor' + +# Load rules once and periodically evaluate them according to the global 'evaluation_interval'. +rule_files: + # - "first.rules" + # - "second.rules" + +# A scrape configuration containing exactly one endpoint to scrape: +# Here it's Prometheus itself. +scrape_configs: + - job_name: 'prometheus' + static_configs: + - targets: ['localhost:9090'] + + - job_name: 'node-exporter' + metrics_path: /metrics + static_configs: + - targets: + - 'node-exporter:9100' + + #- job_name: 'docker-exporter' + # metrics_path: /docker + # basic_auth: + # username: zqNQF2oQDB2SvmkJzgW9HRpeR8RiVeiEBFShVrPrLWZR4KzYgZjasCWXuMc + # password: jznVqvRQVDSpCK2y22ZFSegXVUoErm7typxuhpC5DYdnvZ2yEsYD6JQ5o9orCFMi6tHMg6J2kmiLzuzy95nZmLApe6zEiYnQB7sUGEWXWuk9o + # file_sd_configs: + # - files: ['/etc/prometheus/nodes.yml'] + + #- job_name: 'docker-official' + # metrics_path: /docker-official + # basic_auth: + # username: zqNQF2oQDB2SvmkJzgW9HRpeR8RiVeiEBFShVrPrLWZR4KzYgZjasCWXuMc + # password: jznVqvRQVDSpCK2y22ZFSegXVUoErm7typxuhpC5DYdnvZ2yEsYD6JQ5o9orCFMi6tHMg6J2kmiLzuzy95nZmLApe6zEiYnQB7sUGEWXWuk9o + # file_sd_configs: + # - files: ['/etc/prometheus/nodes.yml'] + + - job_name: cadvisor + scrape_interval: 30s + static_configs: + - targets: + - cadvisor:8080 + + - job_name: 'ping' + metrics_path: /probe + params: + module: [http_2xx] + file_sd_configs: + - files: ['/etc/prometheus/blackbox-targets.yml'] + relabel_configs: + - source_labels: [__address__] + regex: (.*)(:80)? 
+ target_label: __param_target + - source_labels: [__param_target] + regex: (.*) + target_label: instance + replacement: ${1} + - source_labels: [] + regex: .* + target_label: __address__ + replacement: blackbox_exporter:9115 + + - job_name: 'ssh_ping' + metrics_path: /probe + params: + module: [ssh_banner] + static_configs: + - targets: + - vandamme.jean-cloud.net + - tetede.jean-cloud.net + - carcasse.jean-cloud.net + - nougaro.jean-cloud.net + relabel_configs: + # Ensure port is 2222, pass as URL parameter + - source_labels: [__address__] + regex: (.*?)(:.*)? + replacement: ${1}:2222 + target_label: __param_target + # Make instance label the target + - source_labels: [__param_target] + target_label: instance + # Actually talk to the blackbox exporter though + - target_label: __address__ + replacement: 127.0.0.1:9115 + + #- job_name: 'icecast' + # static_configs: + # - targets: ['icecast_exporter:9146'] + diff --git a/old_services/discordbot.oma-radio.fr/docker-compose.yml b/old_services/discordbot.oma-radio.fr/docker-compose.yml new file mode 100644 index 0000000..d688b10 --- /dev/null +++ b/old_services/discordbot.oma-radio.fr/docker-compose.yml @@ -0,0 +1,8 @@ +version: '3' +services: + bot: + image: registry.oma-radio.fr/discord-bot:3.0.0 + env_file: + - /data/discordbot.oma-radio.fr/environ + restart: unless-stopped + diff --git a/old_services/educbot.jean-cloud.net/docker-compose.yml b/old_services/educbot.jean-cloud.net/docker-compose.yml new file mode 100755 index 0000000..a7cb3c9 --- /dev/null +++ b/old_services/educbot.jean-cloud.net/docker-compose.yml @@ -0,0 +1,11 @@ +version: '3' +services: + bot: + image: jeancloud/educbot:1.0 + environment: + WS_PORT: 8080 + EXT_WS_PORT: 7878 + DISCORD_TOKEN: NjkxOTUzMDQzMDcxMzAzNzIy.Xnnhng.pYBFO2ogooVs2AyYz8Pk6AKhMoo + BOT_USERNAME: Educ-Bot + restart: unless-stopped + 
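Review bot: The two commented-out jobs (`docker-exporter`, `docker-official`) still carry a literal `basic_auth` username and password, so the credentials for those scrape targets land in version control even though the jobs are disabled. The same pattern repeats in later hunks of this commit: `DISCORD_TOKEN` in educbot's docker-compose.yml, `POSTGRES_PASSWORD` and `NEXTCLOUD_ADMIN_PASSWORD` in educloud's, `CREATE_HOOK_PASS` in git-cd's, and the `ICECAST_*_PASSWORD` values in radiodemo's docker-compose.yml and icecast.liq. These values should be treated as exposed and rotated, then loaded from outside the repository. For Prometheus that is `password_file: <PATH_TO_SECRET_FILE>` in place of `password:`, and for the compose files an `env_file:` entry, as the discordbot service in this commit already uses.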
diff --git a/old_services/educbot.jean-cloud.net/nginx_server.conf b/old_services/educbot.jean-cloud.net/nginx_server.conf
new file mode 100755
index 0000000..cc40cc5
--- /dev/null
+++ b/old_services/educbot.jean-cloud.net/nginx_server.conf
@@ -0,0 +1,33 @@
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+server{
+ listen 7878 ssl;
+ listen [::]:7878 ssl;
+ ssl_certificate /etc/letsencrypt/live/educbot.jean-cloud.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/educbot.jean-cloud.net/privkey.pem;
+
+ location / {
+ proxy_pass http://bot.educbotjean-cloudnet.docker:8080;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_read_timeout 120s;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_certificate /etc/letsencrypt/live/educbot.jean-cloud.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/educbot.jean-cloud.net/privkey.pem;
+ server_name educbot.jean-cloud.net www.educbot.jean-cloud.net;
+ root /data/educbot.jean-cloud.net/public;
+
+ location / {
+ index index.html;
+ try_files $uri $uri/ =404;
+ }
+}
diff --git a/old_services/educloud.jean-cloud.net/docker-compose.yml b/old_services/educloud.jean-cloud.net/docker-compose.yml
new file mode 100755
index 0000000..7c5dbbf
--- /dev/null
+++ b/old_services/educloud.jean-cloud.net/docker-compose.yml
@@ -0,0 +1,40 @@ +version: '3' +services: + db: + image: postgres:11-alpine + restart: unless-stopped + volumes: + - /data/educloud.jean-cloud.net/db:/var/lib/postgresql/data + environment: + - POSTGRES_USER=postgres + - POSTGRES_PASSWORD=toDEzbjoTLBCugi9MrDMq9hYAtVEPCLwcDeUJ6ofvqEWqmNEm7YvjNBHnKa + + nextcloud1: + image: nextcloud:20-fpm-alpine + restart: unless-stopped + volumes: + - /data/educloud.jean-cloud.net/app1:/var/www/html + environment: + - POSTGRES_HOST=db + - POSTGRES_DB=nextcloud1 + - POSTGRES_USER=postgres + - POSTGRES_PASSWORD=toDEzbjoTLBCugi9MrDMq9hYAtVEPCLwcDeUJ6ofvqEWqmNEm7YvjNBHnKa + - NEXTCLOUD_ADMIN_USER=admin + - NEXTCLOUD_ADMIN_PASSWORD=toDEzbjoTLBCugi9MrDMq9hYAtVEPCLwcDeUJ6ofvqEWqmNEm7YvjNBHnKa + depends_on: + - db + + nextcloud2: + image: nextcloud:20-fpm-alpine + restart: unless-stopped + volumes: + - /data/educloud.jean-cloud.net/app2:/var/www/html + environment: + - POSTGRES_HOST=db + - POSTGRES_DB=nextcloud2 + - POSTGRES_USER=postgres + - POSTGRES_PASSWORD=toDEzbjoTLBCugi9MrDMq9hYAtVEPCLwcDeUJ6ofvqEWqmNEm7YvjNBHnKa + - NEXTCLOUD_ADMIN_USER=admin + - NEXTCLOUD_ADMIN_PASSWORD=toDEzbjoTLBCugi9MrDMq9hYAtVEPCLwcDeUJ6ofvqEWqmNEm7YvjNBHnKa + depends_on: + - db diff --git a/old_services/educloud.jean-cloud.net/nginx_server.conf b/old_services/educloud.jean-cloud.net/nginx_server.conf new file mode 100755 index 0000000..6a85b7d --- /dev/null +++ b/old_services/educloud.jean-cloud.net/nginx_server.conf 
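Review bot: Both Nextcloud containers connect to the shared `db` service as the `postgres` superuser (`POSTGRES_USER=postgres` under `nextcloud1` and `nextcloud2`), so either instance can read or drop the other's database, and `NEXTCLOUD_ADMIN_PASSWORD` is the same string as the database password. A dedicated role per instance, for example `POSTGRES_USER=nextcloud1` owning only the `nextcloud1` database and created by an init script on `db`, would keep the two tenants separated. The web admin account should also get a password distinct from the database one, so that a leak of either does not hand over the other.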
@@ -0,0 +1,193 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate /etc/letsencrypt/live/educloud.jean-cloud.net/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/educloud.jean-cloud.net/privkey.pem; + server_name educloud.jean-cloud.net www.educloud.jean-cloud.net; + + root /data/educloud.jean-cloud.net/app1; + + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + add_header Referrer-Policy no-referrer; + add_header Strict-Transport-Security "max-age=15552000; includeSubDomains"; + add_header X-Frame-Options "SAMEORIGIN"; + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + location = /.well-known/carddav { + return 301 $scheme://$host/remote.php/dav; + } + location = /.well-known/caldav { + return 301 $scheme://$host/remote.php/dav; + } + + client_max_body_size 10G; + fastcgi_buffers 64 4K; + + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + # Uncomment if your server is build with the ngx_pagespeed module + # This module is currently not supported. 
+ #pagespeed off; + + location / { + rewrite ^ /index.php$request_uri; + } + + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { + deny all; + } + location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { + deny all; + } + + #location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) { + location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) { + fastcgi_split_path_info ^(.+\.php)(/.*)$; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME /var/www/html/$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + # fastcgi_param HTTPS on; + #Avoid sending the security headers twice + fastcgi_param modHeadersAvailable true; + fastcgi_param front_controller_active true; + fastcgi_pass nextcloud1.educloudjean-cloudnet.docker:9000; + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + } + + location ~ ^/(?:updater|ocs-provider)(?:$|/) { + try_files $uri/ =404; + index index.php; + } + + location ~ \.(?:css|js|woff2?|svg|gif)$ { + try_files $uri /index.php$request_uri; + add_header Cache-Control "public, max-age=15778463"; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + add_header Referrer-Policy no-referrer; + + # Optional: Don't log access to assets + access_log off; + } + + location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ { + try_files $uri /index.php$request_uri; + # Optional: Don't log access to other assets + access_log off; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate /etc/letsencrypt/live/educloud.jean-cloud.net/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/educloud.jean-cloud.net/privkey.pem; + server_name educloud2.jean-cloud.net www.educloud2.jean-cloud.net; + + root 
/data/educloud.jean-cloud.net/app2; + + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + add_header Referrer-Policy no-referrer; + add_header Strict-Transport-Security "max-age=15552000; includeSubDomains"; + add_header X-Frame-Options "SAMEORIGIN"; + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + location = /.well-known/carddav { + return 301 $scheme://$host/remote.php/dav; + } + location = /.well-known/caldav { + return 301 $scheme://$host/remote.php/dav; + } + + client_max_body_size 10G; + fastcgi_buffers 64 4K; + + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + # Uncomment if your server is build with the ngx_pagespeed module + # This module is currently not supported. 
+ #pagespeed off; + + location / { + rewrite ^ /index.php$request_uri; + } + + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { + deny all; + } + location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { + deny all; + } + + #location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) { + location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) { + fastcgi_split_path_info ^(.+\.php)(/.*)$; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME /var/www/html/$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + # fastcgi_param HTTPS on; + #Avoid sending the security headers twice + fastcgi_param modHeadersAvailable true; + fastcgi_param front_controller_active true; + fastcgi_pass nextcloud2.educloudjean-cloudnet.docker:9000; + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + } + + location ~ ^/(?:updater|ocs-provider)(?:$|/) { + try_files $uri/ =404; + index index.php; + } + + location ~ \.(?:css|js|woff2?|svg|gif)$ { + try_files $uri /index.php$request_uri; + add_header Cache-Control "public, max-age=15778463"; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + add_header Referrer-Policy no-referrer; + + # Optional: Don't log access to assets + access_log off; + } + + location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ { + try_files $uri /index.php$request_uri; + # Optional: Don't log access to other assets + access_log off; + } +} diff --git a/old_services/educloud.jean-cloud.net/readme.md b/old_services/educloud.jean-cloud.net/readme.md new file mode 100755 index 0000000..99d4a06 --- /dev/null +++ b/old_services/educloud.jean-cloud.net/readme.md 
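Review bot: In both server blocks the `location ~ \.(?:css|js|woff2?|svg|gif)$` block declares its own `add_header` lines, and nginx inherits `add_header` from the enclosing level only when the current level defines none, so responses from that location lose the server-level `Strict-Transport-Security` and `X-Frame-Options` headers. The block repeats six of the eight server-level headers. Adding `add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";` and `add_header X-Frame-Options "SAMEORIGIN";` there, or moving the whole set into one included snippet, keeps static responses consistent with the rest of the site.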
@@ -0,0 +1,18 @@ + +mdp admin +C’est cool de laisser un client qui possède toute l’instance choisir son mdp mais on va le mettre dans le dockerfile nous-même pour une instance partagée. + +dockerfile +c’est con de faire tourner un apache pour rien, on va configurer nginx pour qu’il travaille avec le conteneur fpm. +Les images de nextcloud sont toutes cassées… Il faut faire gaffe en les manipulant. (ça a l’air mieux avec la v16) + +Utiliser l’app theming pour customiser un peu tout ça… + + +## Procédure de mise à jour +- Sauvegarde des data + db +- Maintenance mode on +- save data & db (quicker) +- upgrade +- test +- Maintenance mode off or fix or rollback diff --git a/old_services/garradin.jean-cloud.net/docker-compose.yml b/old_services/garradin.jean-cloud.net/docker-compose.yml new file mode 100755 index 0000000..14c5f6d --- /dev/null +++ b/old_services/garradin.jean-cloud.net/docker-compose.yml @@ -0,0 +1,7 @@ +version: '3.5' + +services: + php: + image: php:7.2-fpm-alpine + volumes: + - /data/garradin.jean-cloud.net/garradin-0.9.8.1:/usr/src/app diff --git a/old_services/garradin.jean-cloud.net/nginx_server.conf b/old_services/garradin.jean-cloud.net/nginx_server.conf new file mode 100755 index 0000000..f661040 --- /dev/null +++ b/old_services/garradin.jean-cloud.net/nginx_server.conf 
@@ -0,0 +1,27 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate /etc/letsencrypt/live/garradin.jean-cloud.net/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/garradin.jean-cloud.net/privkey.pem; + server_name garradin.jean-cloud.net www.garradin.jean-cloud.net; + + root /data/garradin.jean-cloud.net/garradin-0.9.8.1/www; + + location / { + index index.php /_route.php; + try_files $uri $uri/ index.php /index.php$is_args$args; + } + location ~ \.php$ { + include fastcgi_params; + fastcgi_pass php.garradinjean-cloudnet.docker:9000; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME /usr/src/app/$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param HTTP_HOST $host; + fastcgi_param DOCUMENT_ROOT /usr/src/app/www; + } +} + + + diff --git a/old_services/git-cd.jean-cloud.net/docker-compose.yml b/old_services/git-cd.jean-cloud.net/docker-compose.yml new file mode 100755 index 0000000..bf942c4 --- /dev/null +++ b/old_services/git-cd.jean-cloud.net/docker-compose.yml @@ -0,0 +1,17 @@ +version: '3' +services: + app: + image: registry.jean-cloud.net/git-cd + environment: + MONGO_HOST: db + CREATE_HOOK_PASS: aZgL2Xee2x8hAx55dB8eBBKvDD6kcPnKAp5tBhV5vbv44cCyhMRd64nZPh2fHWgwvDCBZtvguNHG5tuCe9TiUiWZ2fdPtZYdKSSL6aZwhBjQm + volumes: + - /var/run/docker.sock:/var/run/docker.sock + - /data:/data # for docker-compose + depends_on: + - db + + db: + image: mongo:4.2 + volumes: + - /data/git-ca.jean-cloud.net/db:/data/db diff --git a/old_services/git-cd.jean-cloud.net/nginx_server.conf b/old_services/git-cd.jean-cloud.net/nginx_server.conf new file mode 100755 index 0000000..1747082 --- /dev/null +++ b/old_services/git-cd.jean-cloud.net/nginx_server.conf 
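Review bot: `fastcgi_param SCRIPT_FILENAME /usr/src/app/$fastcgi_script_name;` resolves scripts one directory above the web root: nginx serves from `.../garradin-0.9.8.1/www` and `DOCUMENT_ROOT` is `/usr/src/app/www`, yet a request for `/index.php` is handed to PHP-FPM as `/usr/src/app//index.php`. If the volume mapping in the accompanying docker-compose.yml is what it appears to be, PHP files outside `www` become directly requestable; `fastcgi_param SCRIPT_FILENAME /usr/src/app/www$fastcgi_script_name;` would align it with the root. The `location ~ \.php$` block also forwards any URI ending in `.php` without checking that the file exists, so `try_files $uri =404;` at the top of that block is worth adding.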
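Review bot: The `app` service mounts `/var/run/docker.sock` and the whole host `/data` tree, which gives that container control of the Docker daemon (effectively root on the host) and of every other service's data, while the accompanying nginx_server.conf proxies it on a public vhost. The hunk does not show what git-cd needs from the socket; if it only runs docker-compose for deployments, narrowing the bind mounts to the directories it deploys and placing a filtering socket proxy in front of the daemon would reduce the impact of a bug in the webhook handler. The same socket mount appears on `docker-exporter` in node_metrics/docker-compose.yml and on `system_api` in radiodemo's docker-compose.yml. Separately, the `db` volume path reads `git-ca.jean-cloud.net` where the service directory is `git-cd.jean-cloud.net`, which looks like a typo.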
@@ -0,0 +1,12 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_certificate /etc/letsencrypt/live/git-cd.jean-cloud.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/git-cd.jean-cloud.net/privkey.pem;
+ server_name git-cd.jean-cloud.net www.git-cd.jean-cloud.net;
+
+ location / {
+ proxy_pass http://app.git-cdjean-cloudnet.docker;
+ }
+}
+
diff --git a/old_services/latex.jean-cloud.net/Dockerfile b/old_services/latex.jean-cloud.net/Dockerfile
new file mode 100755
index 0000000..abe6452
--- /dev/null
+++ b/old_services/latex.jean-cloud.net/Dockerfile
@@ -0,0 +1,6 @@
+FROM sharelatex/sharelatex
+
+RUN apt update
+RUN apt install -y texlive-full
+
+COPY ./enable_glossary_latexmk /var/www/.latexmkrc
diff --git a/old_services/latex.jean-cloud.net/docker-compose.yml b/old_services/latex.jean-cloud.net/docker-compose.yml
new file mode 100755
index 0000000..ecd32ee
--- /dev/null
+++ b/old_services/latex.jean-cloud.net/docker-compose.yml
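Review bot: `FROM sharelatex/sharelatex` has no tag, so every rebuild may pull a different base image, and `RUN apt update` in its own layer can be served from cache while the following install runs against a stale package index. Pinning the base as `FROM sharelatex/sharelatex:<VERSION>` and combining the two steps as `RUN apt-get update && apt-get install -y texlive-full && rm -rf /var/lib/apt/lists/*` makes the build reproducible and keeps the index out of the image.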
@@ -0,0 +1,60 @@ +# To create users: +# cd /var/www/sharelatex +# grunt user:create-admin + +version: '3' +services: + latex_jean-cloud_net: + restart: unless-stopped + image: sharelatex/sharelatex + #image: jeancloud/sharelatex:full + #build: . + depends_on: + - mongo + - redis + privileged: true + networks: + - default + - ingress + volumes: + - /data/latex.jean-cloud.net/sharelatex:/var/lib/sharelatex + environment: + SHARELATEX_MONGO_URL: mongodb://mongo/sharelatex + SHARELATEX_REDIS_HOST: redis + SHARELATEX_APP_NAME: latex.jean-cloud.net + + ## Set for SSL via nginx-proxy + #VIRTUAL_HOST: 103.112.212.22 + + SHARELATEX_SITE_URL: https://latex.jean-cloud.net + SHARELATEX_NAV_TITLE: L'editeur latex de jean-cloud + # SHARELATEX_HEADER_IMAGE_URL: http://somewhere.com/mylogo.png + SHARELATEX_ADMIN_EMAIL: contact@jean-cloud.org + + SHARELATEX_LEFT_FOOTER: '[{"text": "Editeur latex en ligne ShareLaTeX 2016"},{"text": "Heberge par jean-cloud, CGU"} ]' + # SHARELATEX_RIGHT_FOOTER: '[{"text": "Hello I am on the Right"} ]' + + SHARELATEX_EMAIL_FROM_ADDRESS: "nepasrepondre@jean-cloud.org" + SHARELATEX_EMAIL_SMTP_HOST: "mail.gandi.net" + SHARELATEX_EMAIL_SMTP_PORT: "465" + SHARELATEX_EMAIL_SMTP_SECURE: "true" + SHARELATEX_EMAIL_SMTP_USER: "nepasrepondre@jean-cloud.org" + SHARELATEX_EMAIL_SMTP_PASS: "" + SHARELATEX_EMAIL_SMTP_TLS_REJECT_UNAUTH: "true" + SHARELATEX_EMAIL_SMTP_IGNORE_TLS: "false" + SHARELATEX_CUSTOM_EMAIL_FOOTER: '
Jean-Cloud
' + + mongo: + restart: unless-stopped + image: mongo + volumes: + - /data/latex.jean-cloud.net/mongo:/data/db + + redis: + restart: unless-stopped + image: redis + volumes: + - /data/latex.jean-cloud.net/redis:/data +networks: + ingress: + external: true diff --git a/old_services/latex.jean-cloud.net/enable_glossary_latexmk b/old_services/latex.jean-cloud.net/enable_glossary_latexmk new file mode 100755 index 0000000..16bc358 --- /dev/null +++ b/old_services/latex.jean-cloud.net/enable_glossary_latexmk @@ -0,0 +1,15 @@ +add_cus_dep('glo', 'gls', 0, 'run_makeglossaries'); +add_cus_dep('acn', 'acr', 0, 'run_makeglossaries'); + +sub run_makeglossaries { + if ( $silent ) { + system "makeglossaries -q '$_[0]'"; + } + else { + system "makeglossaries '$_[0]'"; + }; +} + +push @generated_exts, 'glo', 'gls', 'glg'; +push @generated_exts, 'acn', 'acr', 'alg'; +$clean_ext .= ' %R.ist %R.xdy'; diff --git a/old_services/latex.jean-cloud.net/nginx_server.conf b/old_services/latex.jean-cloud.net/nginx_server.conf new file mode 100755 index 0000000..0220580 --- /dev/null +++ b/old_services/latex.jean-cloud.net/nginx_server.conf @@ -0,0 +1,12 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate /etc/letsencrypt/live/latex.jean-cloud.net/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/latex.jean-cloud.net/privkey.pem; + server_name latex.jean-cloud.net www.latex.jean-cloud.net git.latex.jean-cloud.net www.git.latex.jean-cloud.net; + location / { + client_max_body_size 10M; + proxy_pass http://latex_jean-cloud_net; + } +} + diff --git a/old_services/latex.jean-cloud.net/todos b/old_services/latex.jean-cloud.net/todos new file mode 100755 index 0000000..6c6402a --- /dev/null +++ b/old_services/latex.jean-cloud.net/todos @@ -0,0 +1 @@ +Faire une image docker parce que là c’est le bordel… diff --git a/old_services/node_metrics/docker-compose.yml b/old_services/node_metrics/docker-compose.yml new file mode 100644 index 0000000..61fad53 
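Review bot: `privileged: true` on `latex_jean-cloud_net` gives the container that compiles user-supplied LaTeX all capabilities and access to host devices, and nothing in this file shows why it is needed. Dropping the line, or replacing it with the specific `cap_add:` entry if one turns out to be required, limits what a flaw in the compile path can reach. `sharelatex/sharelatex`, `mongo` and `redis` are also untagged, so a re-pull can silently move to a new major version; a pinned tag such as `image: mongo:<VERSION>` avoids that.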
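Review bot: `run_makeglossaries` builds a shell command by interpolating the document base name into a single-quoted string (`system "makeglossaries '$_[0]'"`), so a name containing a single quote ends the quoting and the remainder is interpreted by the shell; on a shared ShareLaTeX instance those names come from users. The list form of `system` bypasses the shell entirely: `system('makeglossaries', '-q', $_[0]);` in the `$silent` branch and `system('makeglossaries', $_[0]);` in the other.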
--- /dev/null
+++ b/old_services/node_metrics/docker-compose.yml
@@ -0,0 +1,39 @@
+version: '3'
+services:
+
+ # Port 9100
+ node-exporter:
+ image: quay.io/prometheus/node-exporter
+ volumes:
+ #- /:/host:ro,rslave # C’est vraiment un peu nul
+ - /proc:/host/proc:ro,rslave
+ - /sys:/host/sys:ro,rslave
+ - /dev:/host/dev:ro,rslave
+ #command: ["path.rootfs=/host"]
+ networks:
+ - ingress
+
+ # Port 8081
+ docker-exporter:
+ image: cdewitt/docker-stats-exporter
+ networks:
+ - ingress
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock # Pas besoin vu qu’on a le reste et que USE_PSEUDO_FILES est à True. BEN SI…………
+ - /sys/fs/cgroup:/rootfs/sys/fs/cgroup:ro
+ - /proc:/rootfs/proc:ro
+ environment:
+ PROC_DIRECTORY: /rootfs/proc
+ CGROUP_DIRECTORY: /rootfs/sys/fs/cgroup
+ USE_PSEUDO_FILES: "True"
+
+ docker-metrics-proxy:
+ image: nginx
+ volumes:
+ - /var/run/docker-metrics.sock:/var/run/docker-metrics.sock
+
+
+networks:
+ ingress:
+ external: true
+
diff --git a/old_services/node_metrics/nginx_server.conf b/old_services/node_metrics/nginx_server.conf
new file mode 100755
index 0000000..d09c40c
--- /dev/null
+++ b/old_services/node_metrics/nginx_server.conf
@@ -0,0 +1,29 @@
+server {
+ listen 443 ssl http2 default_server;
+ listen [::]:443 ssl http2 default_server;
+ ssl_certificate /etc/letsencrypt/live/node_metrics/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/node_metrics/privkey.pem;
+ server_name vandamme.jean-cloud.net www.vandamme.jean-cloud.net;
+
+ location /node {
+ proxy_pass http://node-exporter:9100/metrics;
+ auth_basic "Restricted area";
+ auth_basic_user_file /data/node_metrics/htpasswd;
+ }
+
+ location /docker {
+ proxy_pass http://docker-exporter:8081/metrics;
+ auth_basic "Restricted area";
+ auth_basic_user_file /data/node_metrics/htpasswd;
+ }
+
+ location /docker-official {
+ proxy_pass http://unix:/var/run/docker-metrics.sock:/metrics;
+ auth_basic "Restricted area";
+ auth_basic_user_file /data/node_metrics/htpasswd;
+ }
+
+ location / {
+ proxy_pass https://jean-cloud.net/404;
+ }
+}
diff --git a/old_services/nsslave.jean-cloud.net/docker-compose.yml b/old_services/nsslave.jean-cloud.net/docker-compose.yml
new file mode 100755
index 0000000..b6a7f9d
--- /dev/null
+++ b/old_services/nsslave.jean-cloud.net/docker-compose.yml
@@ -0,0 +1,9 @@
+version: '3'
+services:
+ dns:
+ image: resystit/bind9
+ ports:
+ - 53:53/tcp
+ - 53:53/udp
+ volumes:
+ - /data/nsslave.jean-cloud.org:/etc/bind
diff --git a/old_services/pybox.jean-cloud.net/docker-compose.yml b/old_services/pybox.jean-cloud.net/docker-compose.yml
new file mode 100644
index 0000000..fd41bbe
--- /dev/null
+++ b/old_services/pybox.jean-cloud.net/docker-compose.yml
@@ -0,0 +1,11 @@
+version: '3'
+services:
+ app:
+ image: jeancloud/pythonsandbox:latest
+ volumes:
+ - /data/pybox.jean-cloud.net/config:/app/config
+ - /data/pybox.jean-cloud.net/production_eleves:/app/python_app/modules
+ ports:
+ - "22045:22"
+ restart: "unless-stopped"
+
diff --git a/old_services/pybox.jean-cloud.net/nginx_server.conf b/old_services/pybox.jean-cloud.net/nginx_server.conf
new file mode 100755
index 0000000..659aec9
--- /dev/null
+++ b/old_services/pybox.jean-cloud.net/nginx_server.conf
@@ -0,0 +1,16 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_certificate /etc/letsencrypt/live/pybox.jean-cloud.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/pybox.jean-cloud.net/privkey.pem;
+ server_name pybox.jean-cloud.net www.pybox.jean-cloud.net;
+
+ location / {
+ proxy_pass http://app.pyboxjean-cloudnet.docker;
+ client_max_body_size 0;
+ proxy_connect_timeout 6000;
+ proxy_send_timeout 6000;
+ proxy_read_timeout 6000;
+ send_timeout 6000;
+ }
+}
diff --git a/old_services/radiodemo.oma-radio.fr.classic/.env b/old_services/radiodemo.oma-radio.fr.classic/.env
new file mode 100644
index 0000000..b127338
--- /dev/null
+++ b/old_services/radiodemo.oma-radio.fr.classic/.env
@@ -0,0 +1,25 @@
+NET=172.29.0
+TELECOM=.101
+MUX=.100
+ICECAST=.110
+WEBSERVER=.105
+SYSTEM_API=.107
+TZ=Europe/Paris
+OMA_DOCKER_VERSION=dev
+WEBSOCKET_PORT=2004
+WEBSOCKET_CLEAR_PORT=4004
+TELECOM_SERVER_PORT=3494
+MUX_SERVER_PORT=9004
+RADIO_NAME_SIMPLE=radiodemo
+OMA_CONFIG_NomRadio=radiodemo
+OMA_CONFIG_LogLevel=8
+RADIO_NAME_PRETTY="Radio Démo"
+RADIO_HOST=radiodemo.oma-radio.fr
+COMPOSE_NAME=radiodemooma-radiofr
+DOCKER_INSTANCES_PREFIX=radiodemooma-radiofr-
+DOCKER_INSTANCES_SUFIX=-1
+DATA_DIR=/data/radiodemo.oma-radio.fr
+SOUNDBASE_DIR=/data/radiodemo.oma-radio.fr/core/radioDemo
+USE_SSL=true
+PUBLIC_WEBSITE_UPSTREAM=https://static.oma-radio.fr/player-interface/1.5.0
+MANAGER_WEBSITE_UPSTREAM=https://static.oma-radio.fr/single-manager/1.1.1
diff --git a/old_services/radiodemo.oma-radio.fr.classic/docker-compose.yml b/old_services/radiodemo.oma-radio.fr.classic/docker-compose.yml
new file mode 100644
index 0000000..ec26da1
--- /dev/null
+++ b/old_services/radiodemo.oma-radio.fr.classic/docker-compose.yml
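Review bot: `client_max_body_size 0;` in the pybox `location /` disables the request-body limit, and the four timeouts are set to 6000 seconds, so a single client can stream an unbounded upload or hold a connection open for 100 minutes against the sandbox backend. If large uploads are not a requirement, an explicit bound such as `client_max_body_size 50m;` and timeouts closer to the `proxy_read_timeout 120s;` used for educbot would limit resource exhaustion. If they are required, a comment above the directives stating why would help the next reader.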
@@ -0,0 +1,233 @@ +version: '3' +services: + ambre_mux: + image: registry.oma-radio.fr/mux:$OMA_DOCKER_VERSION + env_file: .env + environment: + OMA_CONFIG_Client1Host: $NET$ICECAST + OMA_CONFIG_TelecommandeHost: $NET$TELECOM + volumes: + - $SOUNDBASE_DIR/pige:/app/pige + ports: + - $MUX_SERVER_PORT:9000 + restart: unless-stopped + networks: + default: + ipv4_address: $NET$MUX + deploy: + resources: + limits: + cpus: '0.50' + memory: 100M + + + saphir_telecom_server: + image: registry.oma-radio.fr/telecom-server:$OMA_DOCKER_VERSION + env_file: .env + ports: + - $TELECOM_SERVER_PORT:3490 + restart: unless-stopped + networks: + default: + ipv4_address: $NET$TELECOM + deploy: + resources: + limits: + cpus: '0.50' + memory: 100M + + anthracite_jukebox: + image: registry.oma-radio.fr/jukebox:$OMA_DOCKER_VERSION + env_file: .env + environment: + OMA_CONFIG_TelecommandeHost: $NET$TELECOM + OMA_CONFIG_Client1Host: $NET$MUX + volumes: + - $SOUNDBASE_DIR:/app/soundBase + - $DATA_DIR/secours-jingle.wavM:/app/secours/secours-jingle.wavM + restart: unless-stopped + networks: + default: + ipv4_address: $NET.102 + deploy: + resources: + limits: + cpus: '0.50' + memory: 100M + + azurite_jukebox_simulator: + image: registry.oma-radio.fr/jukebox-simulator:$OMA_DOCKER_VERSION + env_file: .env + environment: + OMA_CONFIG_TelecommandeHost: $NET$TELECOM + volumes: + - $SOUNDBASE_DIR:/app/soundBase + restart: unless-stopped + networks: + default: + ipv4_address: $NET.103 + deploy: + resources: + limits: + cpus: '0.50' + memory: 100M + + # aventurine_transcode: + # image: registry.oma-radio.fr/transcode:$OMA_DOCKER_VERSION + # env_file: .env + # restart: unless-stopped + + + agate_importer: + image: registry.oma-radio.fr/baseimport:$OMA_DOCKER_VERSION + env_file: .env + environment: + OMA_CONFIG_TelecommandeHost: $NET$TELECOM + volumes: + - $SOUNDBASE_DIR:/app/soundBase + restart: unless-stopped + networks: + default: + ipv4_address: $NET.104 + deploy: + resources: + limits: + cpus: 
'0.50' + memory: 500M + + amarante_webserver: + image: registry.oma-radio.fr/webserver:$OMA_DOCKER_VERSION + env_file: .env + environment: + OMA_CONFIG_TelecommandeHost: $NET$TELECOM + OMA_CONFIG_PigeTxtLoadFic: off + restart: unless-stopped + ports: + - $WEBSOCKET_CLEAR_PORT:9000 + volumes: + - $SOUNDBASE_DIR:/soundbase + networks: + default: + ipv4_address: $NET$WEBSERVER + deploy: + resources: + limits: + cpus: '0.50' + memory: 100M + + rubis_base_mg: + image: registry.oma-radio.fr/base-mg:$OMA_DOCKER_VERSION + env_file: .env + environment: + OMA_CONFIG_TelecommandeHost: $NET$TELECOM + restart: unless-stopped + volumes: + - $SOUNDBASE_DIR:/soundbase + networks: + default: + ipv4_address: $NET.106 + deploy: + resources: + limits: + cpus: '0.50' + memory: 100M + + + system_api: + image: registry.oma-radio.fr/system-api:dev + env_file: .env + environment: + OMA_CONFIG_TelecommandeHost: $NET$TELECOM + UID: 33 + SOUNDBASE_PATH: /soundbase + MOUNT: /api + CONFIG_PATH: /config + restart: unless-stopped + volumes: + - /tmp/uwsgi/$RADIO_HOST:/tmp/uwsgi + - /var/run/docker.sock:/var/run/docker.sock + - $SOUNDBASE_DIR:/soundbase + networks: + default: + ipv4_address: $NET.107 + deploy: + resources: + limits: + cpus: '0.50' + memory: 500M + + transcode: + image: registry.oma-radio.fr/liquidsoap:1.3.7 + env_file: .env + volumes: + - ./transcode.liq:/transcode.liq + command: /transcode.liq + restart: unless-stopped + networks: + default: + ipv4_address: $NET.108 + + #radioking: + # image: registry.oma-radio.fr/liquidsoap:1.3.7 + # env_file: .env + # volumes: + # - ./radioking.liq:/radioking.liq + # command: /radioking.liq + # restart: unless-stopped + # networks: + # default: + # ipv4_address: $NET.111 + + #ammolite_mp3_addon: + # image: registry.oma-radio.fr/mp3addon:$OMA_DOCKER_VERSION + # env_file: .env + # environment: + # OMA_CONFIG_TelecommandeHost: $NET.101 + # OMA_CONFIG_PigePrefix: /opt + # restart: unless-stopped + # volumes: + # - $SOUNDBASE_DIR:/app/soundbase + # 
networks: + # default: + # ipv4_address: $NET.109 + # deploy: + # resources: + # limits: + # cpus: '0.05' + + # doxy: + # image: qnib/doxy + # volumes: + # - /tmp/radiodemo.oma-radio.fr/doxy:/tmp/doxy + # - /data/radiodemo.oma-radio.fr/doxy.pattern:/etc/doxy.pattern + # - /var/run/docker.sock:/var/run/docker.sock + # environment: + # DOXY_PROXY_SOCKET: /tmp/doxy/doxy.sock + + icecast: + image: registry.oma-radio.fr/icecast:alpine-2.4.0 + restart: unless-stopped + environment: + # echo -n "source:pass" | base64 + ICECAST_SOURCE_PASSWORD: JsCabjWJUZXrrrKCaaRZma5wD4YKj5LQLXv6f + ICECAST_ADMIN_PASSWORD: STh5LrPMvp876KPoajCPEUpehE98JPqZ6sEixSnzJ42CR2MdyPMBYfzjGpbAzajNgw8jsuLh + ICECAST_RELAY_PASSWORD: r2LgmDocgyYh7DqhSsey8tM99wxdViTpLtyi9tcWHtokC73QnC6kQLRRb58VUy5FXYnStRsG + ICECAST_ADMIN_USERNAME: admin + ICECAST_ADMIN_EMAIL: contact@oma-radio.fr + ICECAST_LOCATION: Rhône-Alpes + TZ: Europe/Paris + healthcheck: + test: "wget http://localhost:8000/direct.ogg -O - -t 1 -T 3 -S --spider 2>&1 | grep '200 OK' && wget http://localhost:8000/direct.mp3 -O - -t 1 -T 3 -S --spider 2>&1 | grep '200 OK'" + interval: 5m0s + timeout: 10s + retries: 3 + start_period: 1m0s + networks: + default: + ipv4_address: $NET$ICECAST + +networks: + default: + ipam: + config: + - subnet: $NET.0/24 diff --git a/old_services/radiodemo.oma-radio.fr.classic/generate_nat.sh b/old_services/radiodemo.oma-radio.fr.classic/generate_nat.sh new file mode 100755 index 0000000..d692df8 --- /dev/null +++ b/old_services/radiodemo.oma-radio.fr.classic/generate_nat.sh 
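Review bot: `OMA_CONFIG_PigeTxtLoadFic: off` under `amarante_webserver` is an unquoted YAML 1.1 boolean, so depending on the Compose implementation it is either rejected as an invalid environment value or reaches the container as something other than the string `off`. Quoting it as `OMA_CONFIG_PigeTxtLoadFic: "off"` matches how node_metrics writes `USE_PSEUDO_FILES: "True"`. `system_api` is also pinned to `:dev` while the sibling mux, jukebox and webserver services use `$OMA_DOCKER_VERSION`; if that is not deliberate, `image: registry.oma-radio.fr/system-api:$OMA_DOCKER_VERSION` keeps the stack on one version.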
@@ -0,0 +1,20 @@ +function extract_ports_from_compose { + if [ "$#" -ne 1 ] ; then + echo "function extract_ports_from_dockerfile needs 1 parameter : docker-compose file" >&2 + exit 1 + fi + ports=false + while read line ; do + if [ "$line" = 'ports:' ] ; then + ports=true + elif "$ports" ; then + if [[ "$line" != -* ]] ; then + ports=false + else + echo $line | tr -d ' ' | tail -c +2 + fi + fi + done < docker-compose.yml +} + +extract_ports_from_compose docker-compose.yml | ../_deployer/template.sh .env diff --git a/old_services/radiodemo.oma-radio.fr.classic/icecast.liq b/old_services/radiodemo.oma-radio.fr.classic/icecast.liq new file mode 100644 index 0000000..d7c1077 --- /dev/null +++ b/old_services/radiodemo.oma-radio.fr.classic/icecast.liq @@ -0,0 +1,29 @@ +#!/usr/bin/liquidsoap + +# Mux +input1 = mksafe(input.harbor("direct.ogg",port=8000,password="JsCabjWJUZXrrrKCaaRZma5wD4YKj5LQLXv6f")) + +# Direct mp3 +output.icecast( + %mp3(bitrate=128, samplerate=22050, stereo=false), + mount="/direct.mp3", + host="icecast", port=8000, password="JsCabjWJUZXrrrKCaaRZma5wD4YKj5LQLXv6f", + input1) + +# Radioking +#output.icecast( +# %mp3(bitrate=128, samplerate=22050, stereo=false), +# mount="/test355", +# host="live.radioking.com", port=80, user="", password="", +# input) + +# Direct ogg +output.icecast( + %vorbis(samplerate=44100, channels=1, quality=0.2), + mount="/direct.ogg", + host="icecast", port=8000, password="JsCabjWJUZXrrrKCaaRZma5wD4YKj5LQLXv6f", + input1) + +# Pige +output.file(%vorbis(samplerate=44100, channels=1, quality=0.2), '/archives/%Y-%m-%d-%Y-%m-%d-%H_%M_%S.%s.ogg', input1, reopen_when={0s}, reopen_delay=60.0) + diff --git a/old_services/radiodemo.oma-radio.fr.classic/installer.sh b/old_services/radiodemo.oma-radio.fr.classic/installer.sh new file mode 100755 index 0000000..1390742 --- /dev/null +++ b/old_services/radiodemo.oma-radio.fr.classic/installer.sh 
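Review bot: The read loop ends with `done < docker-compose.yml`, so the file name passed as `$1` is checked for presence but never used; `done < "$1"` makes the function read the file it was given. The usage message names `extract_ports_from_dockerfile` rather than `extract_ports_from_compose`. Inside the loop, `read line` without `-r` and the unquoted `echo $line` let backslashes and glob characters in a ports entry be altered before they reach `template.sh`; `read -r line` and `printf '%s\n' "$line"` avoid that.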
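Review bot: The Icecast source password is written as a string literal in `input.harbor(...)` and in both `output.icecast(...)` calls, so it is now part of the repository history and should be treated as disclosed and rotated. The same literal appears in `transcode.liq`, in the commented block of `pige.liq` and in the `icecast` service of the compose file earlier in this diff; `radioking.liq` carries a third-party account password and `wordpress.inurbe.fr/docker-compose.yml` a database password. Liquidsoap can read the value from the environment instead, for example `password=getenv("ICECAST_SOURCE_PASSWORD")` on the 1.3.7 image used here (`environment.get` in Liquidsoap 2.x), with the value supplied from an untracked env file such as the `$DATA_DIR/.env` pattern used by the team.jean-cloud.net compose file.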
@@ -0,0 +1,17 @@ +#!/bin/bash + +. /bin/driglibash-base + + +if [ "$1" = "uninstall" ] ; then + echo "Uninstalling" + +else # Installation procedure below + echo "Installing" + if [ -L /data/soundbase.oma-radio.fr/data/radiodemo ] ; then + run ln -s /data/soundbase.oma-radio.fr/data/radiodemo /data/radiodemo.oma-radio.fr/soundbase + fi +fi + + + diff --git a/old_services/radiodemo.oma-radio.fr.classic/nginx_server.conf b/old_services/radiodemo.oma-radio.fr.classic/nginx_server.conf new file mode 100644 index 0000000..821fea9 --- /dev/null +++ b/old_services/radiodemo.oma-radio.fr.classic/nginx_server.conf 
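Review bot: The guard `[ -L /data/soundbase.oma-radio.fr/data/radiodemo ]` tests whether the link target is itself a symlink, not whether the link `/data/radiodemo.oma-radio.fr/soundbase` already exists, so a second run would presumably fail in `ln -s` or nest a link inside an existing directory. If the intent is an idempotent install, test the destination instead: `if [ ! -e /data/radiodemo.oma-radio.fr/soundbase ] ; then`. The `uninstall` branch only prints a message and leaves the link in place.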
@@ -0,0 +1,244 @@ +# Parameters: +# radio name +# file path +# ws port (local) +# wss port (open) +# upload service port +# ssl certs location + +# TODO +# /speedtest-down returns random data +# can use : openssl enc -aes-256-ctr -pass pass:"$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64)" -nosalt < /dev/zero > randomfile.bin +# /speedtest-up just eat everything it can + + +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + +server{ + listen $WEBSOCKET_PORT ssl; + listen [::]:$WEBSOCKET_PORT ssl; + ssl_certificate /etc/letsencrypt/live/$RADIO_HOST/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/$RADIO_HOST/privkey.pem; + + location / { + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $host; + proxy_pass http://localhost:$WEBSOCKET_CLEAR_PORT; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_read_timeout 120s; + } +} + +server { + listen 443 ssl; + listen [::]:443 ssl; + server_name $RADIO_HOST; + ssl_certificate /etc/letsencrypt/live/$RADIO_HOST/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/$RADIO_HOST/privkey.pem; + + root $SOUNDBASE_DIR/website; + index index.html; + add_header Access-Control-Allow-Origin https://radio.karnaval.fr; + + + location = /direct.ogg { + proxy_pass http://172.29.0.110:8000/direct.ogg; + # kill cache + add_header Last-Modified $date_gmt; + add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; + if_modified_since off; + expires off; + etag off; + } + location = /direct.mp3 { + proxy_pass http://172.29.0.110:8000/direct.mp3; + # kill cache + add_header Last-Modified $date_gmt; + add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; + if_modified_since off; + expires off; + etag off; + } + + location = /api { rewrite ^ /api/; } + location ~ /api/pigeindex(/.*) { + include uwsgi_params; 
+ uwsgi_param PATH_INFO "/pigeindex$1"; + uwsgi_param SCRIPT_NAME /api; + uwsgi_pass unix:/tmp/uwsgi/$RADIO_HOST/uwsgi-api.sock; + client_max_body_size 0; + uwsgi_connect_timeout 6000; + uwsgi_send_timeout 6000; + uwsgi_read_timeout 6000; + send_timeout 6000; + # kill cache + add_header Last-Modified $date_gmt; + add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; + add_header Access-Control-Allow-Origin https://radio.karnaval.fr; + if_modified_since off; + expires off; + etag off; + + } + location ~ /api(/.*) { + auth_basic "Entrez votre identifiant et mot de passe"; + auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd; + include uwsgi_params; + uwsgi_param PATH_INFO "$1"; + uwsgi_param SCRIPT_NAME /api; + uwsgi_pass unix:/tmp/uwsgi/$RADIO_HOST/uwsgi-api.sock; + client_max_body_size 0; + proxy_connect_timeout 6000; + proxy_send_timeout 60000; + proxy_read_timeout 6000; + send_timeout 6000; + # kill cache + add_header Last-Modified $date_gmt; + add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; + add_header Access-Control-Allow-Origin https://radio.karnaval.fr; + if_modified_since off; + expires off; + etag off; + } + + location /pige{ + alias $SOUNDBASE_DIR/pige; + try_files $uri $uri/ =404; + } + location /pigeMp3{ + alias $SOUNDBASE_DIR/pigeMp3; + try_files $uri $uri/ =404; + } + location /png { + alias $SOUNDBASE_DIR/png; + try_files $uri $uri/ =404; + } + location /webpL { + alias $SOUNDBASE_DIR/webpL; + try_files $uri $uri/ =404; + } + location /webpH { + alias $SOUNDBASE_DIR/webpH; + try_files $uri $uri/ =404; + } + location /ogg { + alias $SOUNDBASE_DIR/ogg; + try_files $uri $uri/ =404; + } + location /txt { + # kill cache + add_header Last-Modified $date_gmt; + add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; + add_header Access-Control-Allow-Origin https://radio.karnaval.fr; + if_modified_since off; + 
expires off; + etag off; + alias $SOUNDBASE_DIR/txt; + try_files $uri $uri/ =404; + } + location /wavM { + # kill cache + add_header Last-Modified $date_gmt; + add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; + if_modified_since off; + expires off; + etag off; + alias $SOUNDBASE_DIR/wavM; + try_files $uri $uri/ =404; + } + location /import { + # kill cache + add_header Last-Modified $date_gmt; + add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; + if_modified_since off; + expires off; + etag off; + alias $SOUNDBASE_DIR/import; + try_files $uri $uri/ =404; + } + location /export { + # kill cache + add_header Last-Modified $date_gmt; + add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; + if_modified_since off; + expires off; + etag off; + alias $SOUNDBASE_DIR/export; + try_files $uri $uri/ =404; + } + location /wav { + # kill cache + add_header Last-Modified $date_gmt; + add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; + if_modified_since off; + expires off; + etag off; + alias $SOUNDBASE_DIR/wav; + try_files $uri $uri/ =404; + } + location /fiches { + alias $SOUNDBASE_DIR/fiches; + try_files $uri $uri/ =404; + # kill cache + add_header Last-Modified $date_gmt; + add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; + add_header Access-Control-Allow-Origin https://radio.karnaval.fr; + if_modified_since off; + expires off; + etag off; + + } + location /prg { + # kill cache + add_header Last-Modified $date_gmt; + add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; + if_modified_since off; + expires off; + etag off; + alias $SOUNDBASE_DIR/prg; + try_files $uri $uri/ =404; + } + location /listes { + # kill cache + add_header Last-Modified $date_gmt; + add_header Cache-Control 
'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; + if_modified_since off; + expires off; + etag off; + alias $SOUNDBASE_DIR/listes; + try_files $uri $uri/ =404; + } + location /statique { + alias $SOUNDBASE_DIR/statique; + try_files $uri $uri/ =404; + # kill cache + add_header Last-Modified $date_gmt; + add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; + add_header Access-Control-Allow-Origin https://radio.karnaval.fr; + if_modified_since off; + expires off; + etag off; + } + + # Admin interface + location /manager { + auth_basic "Entrez votre identifiant et mot de passe"; + auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd; + try_files $uri $uri/ =404; + } + location = /favicon.ico { + return 301 /favicon.webp; + } + + # for js, css, html — dynamic site, players + location / { + try_files $uri $uri/ =404; + add_header Cache-Control 'public must-revalidate'; + add_header Access-Control-Allow-Origin https://radio.karnaval.fr; + } +} diff --git a/old_services/radiodemo.oma-radio.fr.classic/pige.liq b/old_services/radiodemo.oma-radio.fr.classic/pige.liq new file mode 100644 index 0000000..324b535 --- /dev/null +++ b/old_services/radiodemo.oma-radio.fr.classic/pige.liq @@ -0,0 +1,11 @@ +#!/usr/bin/liquidsoap + +input = mksafe(input.http("https://radiodemo.oma-radio.fr/direct.ogg")) +#blank = single("/secours.ogg") +#input = fallback(track_sensitive=false, [input, blank]) +#output.icecast( +# %mp3(bitrate=128, samplerate=22050, stereo=false), +# mount="/direct.mp3", +# host="icecast", port=8000, password="JsCabjWJUZXrrrKCaaRZma5wD4YKj5LQLXv6f", +# input) +output.file(%vorbis(samplerate=44100, channels=1, quality=0.5), '/archive/%Y-%m-%d/%Y-%m-%d-%H_%M_%S.mp3', input, reopen_when={0s}) diff --git a/old_services/radiodemo.oma-radio.fr.classic/radioking.liq b/old_services/radiodemo.oma-radio.fr.classic/radioking.liq new file mode 100644 index 0000000..2bd23f4 --- /dev/null 
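Review bot: `location ~ /api/pigeindex(/.*)` is served without `auth_basic`, yet it sets `client_max_body_size 0` and 6000-second uwsgi timeouts, so any client can occupy a uwsgi worker with an unbounded request body. The pattern is also unanchored and, being a regex location, takes precedence over the prefix locations wherever the string occurs in the URI; `location ~ ^/api/pigeindex(/.*)` and `location ~ ^/api(/.*)` restrict both blocks to the intended prefix. A bounded `client_max_body_size` on the public block would limit the exposure (whether the index endpoint accepts uploads is not visible here). In the authenticated `/api` block the `proxy_connect_timeout`, `proxy_send_timeout` and `proxy_read_timeout` lines have no effect on `uwsgi_pass`; the `uwsgi_*_timeout` directives used in the block above are the ones that apply.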
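Review bot: `output.file` encodes with `%vorbis(...)` but writes to `'/archive/%Y-%m-%d/%Y-%m-%d-%H_%M_%S.mp3'`, so the archive holds Ogg Vorbis data under an `.mp3` name, and anything that trusts the extension will misread it. Either name the files `.ogg` or switch the encoder to `%mp3(...)` as in the commented block.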
+++ b/old_services/radiodemo.oma-radio.fr.classic/radioking.liq @@ -0,0 +1,7 @@ +input = mksafe(input.http("http://172.29.0.110:8000/direct.mp3")) +output.icecast( + %mp3(bitrate=128, samplerate=22050, stereo=false), + mount="/test355", + host="live.radioking.com", port=80, user="test_test29", password="S9tx3VBhl", + input) + diff --git a/old_services/radiodemo.oma-radio.fr.classic/transcode.liq b/old_services/radiodemo.oma-radio.fr.classic/transcode.liq new file mode 100644 index 0000000..11befca --- /dev/null +++ b/old_services/radiodemo.oma-radio.fr.classic/transcode.liq @@ -0,0 +1,11 @@ +#!/usr/bin/liquidsoap + +input = mksafe(input.http("http://icecast:8000/direct.ogg")) +#blank = single("/secours.ogg") +#input = fallback(track_sensitive=false, [input, blank]) +output.icecast( + %mp3(bitrate=128, samplerate=22050, stereo=false), + mount="/direct.mp3", + host="icecast", port=8000, password="JsCabjWJUZXrrrKCaaRZma5wD4YKj5LQLXv6f", + input) + diff --git a/old_services/team.jean-cloud.net/.env b/old_services/team.jean-cloud.net/.env new file mode 100644 index 0000000..283fd8b --- /dev/null +++ b/old_services/team.jean-cloud.net/.env 
@@ -0,0 +1,33 @@ +DATA_DIR=/data/team.jean-cloud.net +subnet=172.29.18 + +# Domain of service +DOMAIN=team.jean-cloud.net + +# Container settings +## Timezone inside the containers. The value needs to be in the form 'Europe/Berlin'. +## A list of these tz database names can be looked up at Wikipedia +## https://en.wikipedia.org/wiki/List_of_tz_database_time_zones +TZ=Europe/Paris + +## Bleve index (inside the container) +MM_BLEVESETTINGS_INDEXDIR=/mattermost/bleve-indexes + +## Make Mattermost container readonly. This interferes with the regeneration of root.html inside the container. Only use +## it if you know what you're doing. +## See https://github.com/mattermost/docker/issues/18 +MATTERMOST_CONTAINER_READONLY=false + +## The app port is only relevant for using Mattermost without the nginx container as reverse proxy. This is not meant +## to be used with the internal HTTP server exposed but rather in case one wants to host several services on one host +## or for using it behind another existing reverse proxy. +APP_PORT=8065 + +## Configuration settings for Mattermost. Documentation on the variables and the settings itself can be found at +## https://docs.mattermost.com/administration/config-settings.html +## Keep in mind that variables set here will take precedence over the same setting in config.json. This includes +## the system console as well and settings set with env variables will be greyed out. + +## Example settings (any additional setting added here also needs to be introduced in the docker-compose.yml) +MM_SERVICESETTINGS_SITEURL=https://${DOMAIN} + diff --git a/old_services/team.jean-cloud.net/docker-compose.yml b/old_services/team.jean-cloud.net/docker-compose.yml new file mode 100755 index 0000000..66aa95b --- /dev/null +++ b/old_services/team.jean-cloud.net/docker-compose.yml 
@@ -0,0 +1,56 @@ +version: '3' +services: + db: + image: postgres:11-alpine + restart: unless-stopped + volumes: + - "$DATA_DIR/db:/var/lib/postgresql/data" + env_file: + - .env + - "$DATA_DIR/.env" + networks: + default: + ipv4_address: $subnet.101 + deploy: + resources: + limits: + cpus: '0.50' + memory: 100M + + mattermost: + ports: + - 8443:8443/udp + image: mattermost/mattermost-team-edition:7.10 + volumes: + - "$DATA_DIR/app:/var/www/html" + environment: + - $DATA_DIR/app/config:/mattermost/config:rw + - $DATA_DIR/app/data:/mattermost/data:rw + - $DATA_DIR/app/plugins:/mattermost/plugins:rw + - $DATA_DIR/app/client_plugins:/mattermost/client/plugins:rw + - $DATA_DIR/app/bleve-indexes:/mattermost/bleve-indexes:rw + env_file: + - .env + - "$DATA_DIR/.env" + tmpfs: + - /tmp + depends_on: + - db + security_opt: + - no-new-privileges:true + restart: unless-stopped + networks: + default: + ipv4_address: $subnet.100 + deploy: + resources: + limits: + cpus: '0.50' + memory: 1000M + + +networks: + default: + ipam: + config: + - subnet: $subnet.0/24 diff --git a/old_services/team.jean-cloud.net/maintenance.sh b/old_services/team.jean-cloud.net/maintenance.sh new file mode 100644 index 0000000..b496f1e --- /dev/null +++ b/old_services/team.jean-cloud.net/maintenance.sh @@ -0,0 +1 @@ +docker-compose exec -u www-data nextcloud php occ maintenance:mode --on diff --git a/old_services/team.jean-cloud.net/nginx_server.conf b/old_services/team.jean-cloud.net/nginx_server.conf new file mode 100755 index 0000000..1537fc5 --- /dev/null +++ b/old_services/team.jean-cloud.net/nginx_server.conf 
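Review bot: In the `mattermost` service the five `$DATA_DIR/app/...:/mattermost/...:rw` entries sit under `environment:` instead of `volumes:`, so they are not bind mounts, and config, data and plugins would live only in the container's writable layer. The only real mount is `$DATA_DIR/app:/var/www/html`, which looks left over from another service. Move the list under `volumes:`, as the `:rw` suffixes suggest was intended, and drop the `/var/www/html` line if nothing reads it. The port mapping is also better quoted, `- "8443:8443/udp"`, like the other string values in the file.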
@@ -0,0 +1,76 @@ +# inspiré de +# https://github.com/mattermost/docker/blob/main/nginx/conf.d/default.conf + +# proxy cache +proxy_cache_path /var/cache/mmcache levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off; + +server { + + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate /etc/letsencrypt/live/team.jean-cloud.net/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/team.jean-cloud.net/privkey.pem; + server_name team.jean-cloud.net; + + limit_req zone=defaultlimit burst=500 nodelay; + + ## security headers + # https://securityheaders.com/ + # https://scotthelme.co.uk/tag/security-headers/ + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header X-Content-Type-Options "nosniff" always; + add_header Referrer-Policy no-referrer; + add_header Strict-Transport-Security "max-age=63072000" always; + add_header Permissions-Policy "interest-cohort=()"; + + # disable Google bots from indexing this site + location = /robots.txt { + add_header Content-Type text/plain; + return 200 "User-agent: *\nDisallow: /\n"; + } + + location ~ /api/v[0-9]+/(users/)?websocket$ { + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + client_max_body_size 50M; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Frame-Options SAMEORIGIN; + proxy_set_header Early-Data $ssl_early_data; + proxy_buffers 256 16k; + proxy_buffer_size 16k; + client_body_timeout 60; + send_timeout 300; + lingering_timeout 5; + proxy_connect_timeout 90; + proxy_send_timeout 300; + proxy_read_timeout 90s; + proxy_http_version 1.1; + proxy_pass http://$subnet.100:8065; + } + + location / { + client_max_body_size 50M; + proxy_set_header Connection ""; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP 
$remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Frame-Options SAMEORIGIN; + proxy_set_header Early-Data $ssl_early_data; + proxy_buffers 256 16k; + proxy_buffer_size 16k; + proxy_read_timeout 600s; + proxy_cache mattermost_cache; + proxy_cache_revalidate on; + proxy_cache_min_uses 2; + proxy_cache_use_stale timeout; + proxy_cache_lock on; + proxy_http_version 1.1; + proxy_pass http://$subnet.100:8065; + } + +} diff --git a/old_services/team.jean-cloud.net/readme.md b/old_services/team.jean-cloud.net/readme.md new file mode 100755 index 0000000..99d4a06 --- /dev/null +++ b/old_services/team.jean-cloud.net/readme.md @@ -0,0 +1,18 @@ + +mdp admin +C’est cool de laisser un client qui possède toute l’instance choisir son mdp mais on va le mettre dans le dockerfile nous-même pour une instance partagée. + +dockerfile +c’est con de faire tourner un apache pour rien, on va configurer nginx pour qu’il travaille avec le conteneur fpm. +Les images de nextcloud sont toutes cassées… Il faut faire gaffe en les manipulant. (ça a l’air mieux avec la v16) + +Utiliser l’app theming pour customiser un peu tout ça… + + +## Procédure de mise à jour +- Sauvegarde des data + db +- Maintenance mode on +- save data & db (quicker) +- upgrade +- test +- Maintenance mode off or fix or rollback diff --git a/old_services/tracker.jean-cloud.net/docker-compose.yml b/old_services/tracker.jean-cloud.net/docker-compose.yml new file mode 100644 index 0000000..6baf2d3 --- /dev/null +++ b/old_services/tracker.jean-cloud.net/docker-compose.yml @@ -0,0 +1,7 @@ +version: '3' +services: + tracker: + image: lednerb/opentracker-docker + ports: + - 6969:1337/udp + - 6969:1337 diff --git a/old_services/wordpress.inurbe.fr/docker-compose.yml b/old_services/wordpress.inurbe.fr/docker-compose.yml new file mode 100644 index 0000000..49c68e5 --- /dev/null +++ b/old_services/wordpress.inurbe.fr/docker-compose.yml 
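Review bot: In `location = /robots.txt`, `add_header Content-Type text/plain;` adds a second `Content-Type` header next to the one nginx derives from `default_type`, and because the block declares its own `add_header` it no longer inherits the server-level security headers. `default_type text/plain;` in that location gives the intended type without either side effect. `proxy_set_header X-Frame-Options SAMEORIGIN;` in both proxy locations sends a response header to the upstream as a request header and can be removed; the server-level `add_header X-Frame-Options` is what reaches browsers.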
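Review bot: `image: lednerb/opentracker-docker` has no tag, so every pull resolves to whatever `latest` points at in a third-party repository. Pin a tag or, better, a digest (`image: lednerb/opentracker-docker@sha256:<digest-placeholder>`) so that a redeploy cannot silently change the binary listening on the published port 6969. Unlike the other services in this diff, this one has no `restart:` policy and no `deploy.resources.limits`.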
@@ -0,0 +1,50 @@ +version: '3.1' + +services: + + wp: + image: wordpress:5.4-apache + restart: unless-stopped + environment: + WORDPRESS_DB_HOST: db + WORDPRESS_DB_USER: wpdbuser + WORDPRESS_DB_PASSWORD: 7VPD3XEMzMjPrySpVwmfdmoYZG4rsxX556WzhQHjmzGdViiFPd9D9tjfXaHDCbdZzMPVvrNcW2wxdtfGFMfTwfiFPXjX6XSzxgMFKoXtEnTKaKjmJrKGn6QcNoo7 + WORDPRESS_DB_NAME: wpdb + #WORDPRESS_CONFIG_EXTRA: "define( 'WP_HOME', 'https://collectif-arthadie.fr/wordpress' ); define( 'WP_SITEURL', 'https://collectif-arthadie.fr/wordpress' );" + volumes: + - /data/inurbe.fr/wordpress:/var/www/html + - /data/inurbe.fr/static:/var/www/html/static + networks: + default: + ipv4_address: 172.16.15.100 + deploy: + resources: + limits: + cpus: '0.50' + memory: 100M + + db: + image: mariadb:10.4 + restart: unless-stopped + environment: + MYSQL_DATABASE: wpdb + MYSQL_USER: wpdbuser + MYSQL_PASSWORD: 7VPD3XEMzMjPrySpVwmfdmoYZG4rsxX556WzhQHjmzGdViiFPd9D9tjfXaHDCbdZzMPVvrNcW2wxdtfGFMfTwfiFPXjX6XSzxgMFKoXtEnTKaKjmJrKGn6QcNoo7 + MYSQL_RANDOM_ROOT_PASSWORD: 'yes' + volumes: + - /data/inurbe.fr/db:/var/lib/mysql + networks: + default: + ipv4_address: 172.16.15.101 + deploy: + resources: + limits: + cpus: '0.50' + memory: 100M + +networks: + default: + ipam: + config: + - subnet: 172.16.15.0/24 + diff --git a/old_services/wordpress.inurbe.fr/nginx_server.conf b/old_services/wordpress.inurbe.fr/nginx_server.conf new file mode 100755 index 0000000..8e4124f --- /dev/null +++ b/old_services/wordpress.inurbe.fr/nginx_server.conf 
@@ -0,0 +1,16 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate /etc/letsencrypt/live/inurbe.fr/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/inurbe.fr/privkey.pem; + server_name wordpress.inurbe.fr www.wordpress.inurbe.fr; + location / { + client_max_body_size 2G; + #proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto https; + proxy_pass http://172.16.15.100; + proxy_redirect off; + } +} + diff --git a/provisioning/inventory.ini b/provisioning/inventory.ini index fcc7755..05f71bc 100644 --- a/provisioning/inventory.ini +++ b/provisioning/inventory.ini @@ -10,3 +10,4 @@ montbonnot.jean-cloud.org max.jean-cloud.org tetede.jean-cloud.org raku.jean-cloud.org +#vandamme.jean-cloud.org diff --git a/provisioning/roles/deploy_all/files/bin/Makefile b/provisioning/roles/deploy_all/files/bin/Makefile new file mode 100644 index 0000000..dd4fc55 --- /dev/null +++ b/provisioning/roles/deploy_all/files/bin/Makefile @@ -0,0 +1,5 @@ + +all: deploy_as compose_logs + +deploy_as: deploy_as.c +compose_logs: compose_logs.c diff --git a/provisioning/roles/deploy_all/files/bin/compose_logs b/provisioning/roles/deploy_all/files/bin/compose_logs new file mode 100755 index 0000000..7935d47 Binary files /dev/null and b/provisioning/roles/deploy_all/files/bin/compose_logs differ diff --git a/provisioning/roles/deploy_all/files/bin/compose_logs.c b/provisioning/roles/deploy_all/files/bin/compose_logs.c new file mode 100644 index 0000000..3bc1728 --- /dev/null +++ b/provisioning/roles/deploy_all/files/bin/compose_logs.c 
@@ -0,0 +1,116 @@ +#include +#include +#include +#include +#include +#include + +#define VALID_CHARS "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_" +#define COMPOSE "/usr/local/bin/docker-compose" + +/* Just check only allowed chars are present */ +int validate (char *s) { + for (int i=0; i |list \n"); +} + +int is_line_in_file (char* l, char* filename) { + FILE * fp; + char * line = NULL; + size_t len = 0; + ssize_t read; + + fp = fopen(filename, "r"); + if (fp == NULL) { + return 1; + } + + while ((read = getline(&line, &len, fp)) != -1) { + if (line[len-1] == '\n') { + line[len-1] = '\0'; + } + printf("Retrieved line of length %zu:\n", read); + printf("len(l)=%zu\n", strlen(l)); + printf("mdr %d\n", '\n'); + for (int i=0; i +#include +#include +#include +#include +#include +#include + +/* Valid chars in service name */ +#define VALID_CHARS "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_" +#define DEPLOY_AS_SH "/usr/local/bin/deploy_user.sh" + +/* Translate username to uid/gid */ +struct passwd * getUid(char *name) { + struct passwd *p; + if ((p = getpwnam(name)) == NULL) { + printf("Error: User '%s' not found.\n", name); + exit(1); + } + return p; +} + + +/* Run deploy as user */ +int runServiceDeployment(char *service) { + /* Set uid and gid */ + struct passwd *p = getUid(service); + setgid(p->pw_gid); + setuid(p->pw_uid); + + + /* Check if executable exists */ + if ( access( DEPLOY_AS_SH, F_OK ) == -1 ) { + printf("No such file: %s\n", DEPLOY_AS_SH); + exit(1); + } + + /* Stat executable */ + struct stat sb; + if (stat(DEPLOY_AS_SH, &sb) != 0) { + printf("cant stat file: %s\n", DEPLOY_AS_SH); + exit(1); + } + + /* Test if file is executable */ + if ( ! (sb.st_mode & S_IXUSR )) { + printf("Not executable: %s\n", DEPLOY_AS_SH); + exit(1); + } + + /* Test if regular file */ + if (! 
S_ISREG(sb.st_mode)) { + printf("Not a regular file: %s\n", DEPLOY_AS_SH); + exit(1); + } + + /* Execute DEPLOY_AS_SH */ + if (execl("/bin/bash", "--noediting", "--noprofile", "--norc", "--", DEPLOY_AS_SH, service, (char *)NULL) == -1) { + printf("Error exec %s\n", DEPLOY_AS_SH); + printf("%s\n", strerror(errno)); + exit(1); + } + return 0; +} + + +/* Just check only allowed chars are present */ +int validate (char *s) { + for (int i=0; i\n",argv[0]); + exit(1); + } + + if (validate(argv[1]) != 0) { + printf("Bad service name\n"); + exit(1); + } + runServiceDeployment(argv[1]); + return 0; +} + + diff --git a/provisioning/roles/deploy_all/files/bin/deploy_service.sh b/provisioning/roles/deploy_all/files/bin/deploy_service.sh index c7c7791..feac873 100755 --- a/provisioning/roles/deploy_all/files/bin/deploy_service.sh +++ b/provisioning/roles/deploy_all/files/bin/deploy_service.sh @@ -29,7 +29,9 @@ if [ ! -d "$new_nginx_conf_path" ] ; then die "Can’t deploy service in degraded state. $new_nginx_conf_path dir is missing, please run deployall.sh first" fi -IFS=';' read uid username _ server < <(grep ";$service;" /docker/services.csv) +IFS=';' read id username _ server < <(grep ";$service;" /docker/services.csv) + +uid=$(($services_uid_start + $id)) docker_service="$(echo "$service" | tr '.' '_')" driglibash_section_prefix="[$service] " @@ -48,8 +50,13 @@ cd "/docker/$service" if "$deploy" ; then run mkdir -p "$DATA_DIR" "$HTTP_DIR" - # Try running podman as non-root first… + run chown $uid "$DATA_DIR" + run chmod 751 "$DATA_DIR" run chown $uid:www-data -R "$HTTP_DIR" + if [ -d "$SECRET_DIR" ] ; then + run chown $uid "$SECRET_DIR" -R + run chmod 751 "$SECRET_DIR" -R + fi else [ -d "$HTTP_DIR" ] && rm -r "$HTTP_DIR" fi 
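Review bot: In `runServiceDeployment` the results of `setgid(p->pw_gid)` and `setuid(p->pw_uid)` are ignored and supplementary groups are never reset, in a binary that `init.sh` installs with `chown root:root` and `chmod u+s`. If either call fails the deploy script runs with root's identity, and even on success `/bin/bash` starts with the caller's supplementary groups and full environment. Check both calls, call `initgroups` before them (needs `<grp.h>`), and clear the environment before `execl`, as sketched below. Separately, in `is_line_in_file` of `compose_logs.c`, `line[len-1]` indexes with the buffer capacity that `getline` stores in `len`; the line length is the returned `read`. The include names and parts of `validate` and `main` are not readable in this view.

```c
struct passwd *p = getUid(service);
/* Drop supplementary groups first, then gid, then uid; abort if any step fails. */
if (initgroups(p->pw_name, p->pw_gid) != 0 ||
    setgid(p->pw_gid) != 0 ||
    setuid(p->pw_uid) != 0) {
    printf("Error: cannot drop privileges: %s\n", strerror(errno));
    exit(1);
}
/* Do not hand the caller's environment to the shell. */
if (clearenv() != 0) {
    printf("Error: cannot clear environment\n");
    exit(1);
}
/* … unchanged: access/stat checks on DEPLOY_AS_SH and the execl call … */
```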
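Review bot: Nothing checks that the `grep` matched exactly one row before `uid=$(($services_uid_start + $id))`: if `$service` has no row in `/docker/services.csv`, `id` is empty, the arithmetic expansion fails and the later `chown $uid` lines run without a valid uid. Guard it right after the `read` with `[ -n "$id" ] || die "$service not found in /docker/services.csv"`. The pattern `";$service;"` is also a regular expression, so the dots in a service name match any character and commented-out rows match too; `grep -F ";$service;"` applied to the output of `grep -v '^#'` avoids both. Where `services_uid_start` is loaded is outside this hunk.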
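Review bot: `run chmod 751 "$SECRET_DIR" -R` applies one mode to directories and files alike, so every secret file becomes executable and every directory under the secrets tree is searchable by all local users. A symbolic mode distinguishes the two: `run chmod -R u=rwX,go= "$SECRET_DIR"` (relax `go=` only if another account is known to need access, which this hunk does not show). `$uid` should be quoted in the three `chown` calls. The enclosing `if "$deploy"` block starts before the hunk.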
@@ -158,12 +165,7 @@ if [ "$noreload" == false ] ; then fi section "Cleaning" -if [ -z "$(ls -A "$DATA_DIR")" ] ; then - run rmdir "$DATA_DIR" -fi -if [ -z "$(ls -A "$HTTP_DIR")" ] ; then - run rmdir "$HTTP_DIR" -fi +rmdir "$DATA_DIR" "$HTTP_DIR" 2>/dev/null || true clean exit "$returncode" diff --git a/provisioning/roles/deploy_all/files/bin/deploy_user.sh b/provisioning/roles/deploy_all/files/bin/deploy_user.sh index 1be510c..496bd3d 100755 --- a/provisioning/roles/deploy_all/files/bin/deploy_user.sh +++ b/provisioning/roles/deploy_all/files/bin/deploy_user.sh @@ -1,5 +1,4 @@ #!/bin/bash - set -euo pipefail if [ "$#" -ne 1 ] || [ -z "$1" ] ; then @@ -10,17 +9,25 @@ fi service="$1" user_file="/docker/$service/deploy_user.sh" -env_file="/docker/$service/.env" if [ ! -f "$user_file" ] ; then echo "No such file: $user_file" exit 1 fi -if [ -f "$env_file" ] ; then - set -a - source "$env_file" - set +a -fi +unset XDG_RUNTIME_DIR DBUS_SESSION_BUS_ADDRESS -"$user_file" +# Source env_files +env_files="/docker/$service/.env /data/secrets/$service/.env /data/$service/.env" +set -a +export HOME="/data/$service/" +for file in $env_files ; do + if [ -f "$file" ] ; then + . "$file" + fi +done +set +a + +# Source/exec the user deploy file +cd "/docker/$service" +. "$user_file" diff --git a/provisioning/roles/deploy_all/files/bin/deployall.sh b/provisioning/roles/deploy_all/files/bin/deployall.sh index 4a06b17..c8e2f66 100755 --- a/provisioning/roles/deploy_all/files/bin/deployall.sh +++ b/provisioning/roles/deploy_all/files/bin/deployall.sh 
@@ -57,18 +57,17 @@ run mkdir -p "$new_nginx_conf_path" section "Start docker" run systemctl start docker docker.socket -section "Deploy mandatory services" -deploy_service.sh deployer.jean-cloud.org noreload +#section "Deploy mandatory services" +#deploy_service.sh deployer.jean-cloud.org noreload # List of failed services failed="" -while read line ; do - read -r service target <<<$(echo "$line") +while IFS=';' read -r id username service target +do # Ignore _ and # prefixed services [ "${service::1}" == '_' ] && continue - [ "${service::1}" == '#' ] && continue echo -n "$service -> " [ ! -d "/docker/$service" ] && die "/docker/$service directory not found" @@ -78,11 +77,12 @@ while read line ; do echo "Deploying" deploy_service.sh "$service" "noreload" + if [ "$?" -ne 0 ] ; then failed="$failed $service" fi -done < <(grep -v '^[[:blank:]]*#' /docker/services.txt) +done < <(grep -v '^#' /docker/services.csv) restart_nginx.sh diff --git a/provisioning/roles/deploy_all/files/bin/gen_env.sh b/provisioning/roles/deploy_all/files/bin/gen_env.sh index 5e2f811..65c7f36 100755 --- a/provisioning/roles/deploy_all/files/bin/gen_env.sh +++ b/provisioning/roles/deploy_all/files/bin/gen_env.sh 
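Review bot: The new `while IFS=';' read -r id username service target` loop skips only rows whose service starts with `_`; a blank or short row in `/docker/services.csv` leaves `service` empty, `/docker/$service` then resolves to `/docker/`, which exists, and `deploy_service.sh ""` is called. Adding `[ -z "$service" ] && continue` after the `read` covers that; the loops with the same `done < <(grep -v '^#' /docker/services.csv)` in `gen_env.sh` and `init.sh` would benefit from the same guard. `grep -v '^#'` also no longer filters indented comments, which the previous `'^[[:blank:]]*#'` did. The loop closes in the following hunk.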
@@ -17,21 +17,26 @@ dns_certs_path='$dns_certs_path' http_certs_path='$http_certs_path' dummy_cert_path='$http_certs_path/dummy' servicefile=/docker/services.txt +services_uid_start=2000 EOF -for dir in /docker/* ; do - service="$(basename "$dir")" +while IFS=';' read -r id username service server +do + dir="/docker/$service" [ ! -d "$dir" ] && continue - line_in_file "HTTP_DIR='/srv/http/$service'" "/docker/$service/.env" - line_in_file "DATA_DIR='/data/$service'" "/docker/$service/.env" - line_in_file "SECRET_DIR='/data/secrets/$service'" "/docker/$service/.env" - line_in_file "DOCKER_DIR='/docker/$service'" "/docker/$service/.env" - line_in_file "JC_SERVICE='$service'" "/docker/$service/.env" - line_in_file "HOME='/docker/$service'" "/docker/$service/.env" + line_in_file "HTTP_DIR='/srv/http/$service'" "$dir/.env" + line_in_file "DATA_DIR='/data/$service'" "$dir/.env" + line_in_file "SECRET_DIR='/data/secrets/$service'" "$dir/.env" + line_in_file "DOCKER_DIR='$dir'" "$dir/.env" + line_in_file "JC_SERVICE='$service'" "$dir/.env" + #line_in_file "HOME='/data/$service'" "$dir/.env" + line_in_file "NET='172.29.$id'" "$dir/.env" + line_in_file "USER='$username'" "$dir/.env" + cert="$(findcert.sh "$service")" || true if [ -n "$cert" ] ; then - line_in_file "JC_CERT='$cert'" "/docker/$service/.env" + line_in_file "JC_CERT='$cert'" "$dir/.env" fi -done +done < <(grep -v '^#' /docker/services.csv) diff --git a/provisioning/roles/deploy_all/files/bin/git_update.sh b/provisioning/roles/deploy_all/files/bin/git_update.sh index d5d1152..01d4584 100755 --- a/provisioning/roles/deploy_all/files/bin/git_update.sh +++ b/provisioning/roles/deploy_all/files/bin/git_update.sh @@ -26,6 +26,10 @@ usage[K]="Remote host key file (known_hosts) for ssh connections" varia[K]=hostkeyfile hostkeyfile='' +usage[H]="Use real home dir" +varia[H]=use_home +use_home=false + . driglibash-args 
@@ -45,6 +49,12 @@ if [ -z "$repo" ] ; then die "$0: Empty repo given\n$summary" fi +if [ ! $use_home ] ; then + set -a + export HOME=/dev/null + set +a +fi + run mkdir -p "$dst" run cd "$dst" diff --git a/provisioning/roles/deploy_all/files/bin/init.sh b/provisioning/roles/deploy_all/files/bin/init.sh index 1678fe2..0749a9f 100755 --- a/provisioning/roles/deploy_all/files/bin/init.sh +++ b/provisioning/roles/deploy_all/files/bin/init.sh @@ -1,13 +1,21 @@ #!/bin/bash -while IFS=';' read -r uid username service server +set -euo pipefail + +. /etc/jeancloud.env + +while IFS=';' read -r id username service server do home="/data/$service" + uid="$(( $services_uid_start + $id ))" if [ -z "$(grep "^$username:" /etc/passwd)" ] ; then - useradd -m -U -r -d "$home" "$username" + useradd -M -U -u $uid -d "$home" "$username" fi - - # Do not touch the group, it can be set to something useful - chown "$username" "$home" - chmod 770 "$home" done < <(grep -v '^#' /docker/services.csv) + +apt install -y make + +cd /usr/local/bin +make +chown root:root deploy_as +chmod u+s deploy_as diff --git a/provisioning/roles/deploy_all/files/bin/rclone_ncloud_publiclink.sh b/provisioning/roles/deploy_all/files/bin/rclone_ncloud_publiclink.sh index 2991894..11bf8e8 100755 --- a/provisioning/roles/deploy_all/files/bin/rclone_ncloud_publiclink.sh +++ b/provisioning/roles/deploy_all/files/bin/rclone_ncloud_publiclink.sh 
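Review bot: `if [ ! $use_home ]` tests whether the string is empty, not whether it is `false`: both `false` and `true` are non-empty, so the block never runs and `HOME=/dev/null` is never exported. Compare the value instead, `if [ "$use_home" != true ] ; then` (assuming `driglibash-args` sets the variable to `true` when `-H` is given, which is not visible here). The `set -a`/`set +a` pair around an explicit `export` is redundant.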
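Review bot: After `chmod u+s deploy_as` the root-owned helper keeps whatever group and other permissions `make` produced, so by default every local account can run it. If only a deployment account needs it, set owner, group and mode explicitly, e.g. `chown root:<deploy-group-placeholder> deploy_as` and `chmod 4750 deploy_as`. The account check `grep "^$username:" /etc/passwd` treats the name as a regular expression; `getent passwd "$username" >/dev/null` is the usual test. `apt install -y make` does not pull in a C compiler, so `make` presumably relies on one being present already.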
@@ -1,31 +1,59 @@ #!/bin/bash - -. driglibash-base - set -euo pipefail -[ "$#" -ne 1 ] && die "Usage: $0 " -dest_dir="$1" -[ -z "$dest_dir" ] && die "Arg 'dest_directory' should not be empty." +# Read all +# NC_SHARE_LINK_URL.* +# NC_SHARE_LINK_PASSWORD.* +# NC_SHARE_LINK_DESTINATION.* +# With .* equals +while IFS='=' read key value ; do + # suffix of sharer link + name="${key#NC_SHARE_LINK_URL}" + echo "Rcloning $name..." -# Get content from nextcloud -webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')" -webdav_user="$(echo "$NC_SHARE_LINK" |sed 's#.*/s/##')" -webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")" + password_varname="NC_SHARE_LINK_PASSWORD$name" + destination_varname="NC_SHARE_LINK_DESTINATION$name" -rclone sync --config=/notfound --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: "$dest_dir" + # Empty by default + url="${!key}" + password="${!password_varname:-}" + destination="${!destination_varname:-}" -# Go to website -cd "$dest_dir" + # Ensure we have a link + if [ -z "$url" ] ; then + echo "env var NC_SHARE_LINK_URL$name is empty." + exit 1 + fi -# Rename .attachement dirs created by nextcloud -while read filename ; do - oldname="$(basename "$filename")" - newname="${oldname:1}" - path="$(dirname "$filename")" - # And rename their references in md files - find -type f -iname '*.md' -exec sed -i "s/$oldname/$newname/g" {} \; - mv "$path/$oldname" "$path/$newname" -done < <(find -type d -name '.attachments.*') + # Ensure we have a destination + if [ -z "$destination" ] ; then + echo "env var NC_SHARE_LINK_DESTINATION$name is empty." + exit 1 + elif [ ! 
-d "$destination" ] ; then + mkdir "$destination" + fi + # Get content from nextcloud + webdav_url="$(echo "$url" | sed 's#/s/.*#/public.php/webdav/#')" + webdav_user="$(echo "$url" |sed 's#.*/s/##')" + webdav_pass="$(rclone obscure "$password")" + + rclone sync --config=/notfound --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: "$destination" + + # Go to website + cd "$destination" + + # Rename .attachement dirs created by nextcloud + while read filename ; do + oldname="$(basename "$filename")" + newname="${oldname:1}" + path="$(dirname "$filename")" + # And rename their references in md files + find -type f -iname '*.md' -exec sed -i "s/$oldname/$newname/g" {} \; + mv "$path/$oldname" "$path/$newname" + done < <(find -type d -name '.attachments.*') + + cd - &>/dev/null + echo "Rcloning done!" +done < <(env | grep ^NC_SHARE_LINK_URL ) diff --git a/provisioning/roles/deploy_all/files/secrets.volume b/provisioning/roles/deploy_all/files/secrets.volume new file mode 100644 index 0000000..a0d9e46 Binary files /dev/null and b/provisioning/roles/deploy_all/files/secrets.volume differ diff --git a/provisioning/roles/deploy_all/tasks/main.yml b/provisioning/roles/deploy_all/tasks/main.yml index 50de626..2179a07 100644 --- a/provisioning/roles/deploy_all/tasks/main.yml +++ b/provisioning/roles/deploy_all/tasks/main.yml @@ -15,6 +15,7 @@ delete: true archive: false recursive: true + copy_links: true # This allows some bidouillage on the server - name: Add binaries @@ -32,6 +33,7 @@ delete: true archive: false recursive: true + copy_links: true # This allows some bidouillage on the server #- name: Add bind conf # ansible.posix.synchronize: diff --git a/readme.md b/readme.md index 04666e7..25fc675 100644 --- a/readme.md +++ b/readme.md @@ -1,5 +1,6 @@ # Services Jean-Cloud + ## Dossier installing Contient des scripts sh pour installer debian sur un disque dur. Qui ira ensuite se brancher dans un ordi :) 
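Review bot: The share password still travels through process arguments: `rclone obscure "$password"` and `--webdav-pass="$webdav_pass"` are both normally visible in the process list to other local accounts, and the obscured form is reversible. With this commit giving each service its own uid on a shared host, that exposure matters more; pass it through stdin and the environment instead, `webdav_pass="$(printf '%s' "$password" | rclone obscure -)"` followed by `RCLONE_WEBDAV_PASS="$webdav_pass" rclone sync …` without the `--webdav-pass` flag. Two smaller points in the new loop: `read key value` should be `read -r key value`, and `sed -i "s/$oldname/$newname/g"` uses a directory name that comes from the remote share as a regular expression and replacement, so its dots and any `&` in a name are not treated literally.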
@@ -13,6 +14,7 @@ Contient Les services à faire tourner. Chaque service qui tourne sur jean-cloud est composé : +- Un uid et username pour des questions de droits - `deploy.sh` d’un script d’installation - `docker-compose.yaml` d’un fichier docker-compose - `nginx_server.conf` d’un fichier de conf nginx diff --git a/services/_proxy/nginx.conf b/services/_proxy/nginx.conf index 35d138b..0b6725e 100755 --- a/services/_proxy/nginx.conf +++ b/services/_proxy/nginx.conf @@ -12,6 +12,7 @@ http { ## # Basic Settings ## + charset utf-8; sendfile on; tcp_nopush on; tcp_nodelay on; @@ -34,11 +35,10 @@ http { ## # Logging Settings ## - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log; - log_format compression '$remote_addr - $remote_user [$time_local] ' - '"$request" $status $body_bytes_sent ' + log_format main '$time_local $remote_addr $status $host $request $bytes_sent' '"$http_referer" "$http_user_agent" "$gzip_ratio"'; + access_log /var/log/nginx/access.log main; + error_log /var/log/nginx/error.log; ## # Gzip Settings diff --git a/services/amaglio.fr/docker-compose.yml b/services/amaglio.fr/docker-compose.yml deleted file mode 100755 index b912364..0000000 --- a/services/amaglio.fr/docker-compose.yml +++ /dev/null 
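Review bot: The new `log_format main` makes the access log hard to parse reliably: `$request` is written unquoted although it contains spaces, and the two quoted string pieces are concatenated with no separator, so `$bytes_sent` runs directly into the opening quote of `"$http_referer"`. `$remote_user` is also dropped, which removes the authenticated username from the log for password-protected sites such as the builder service that ships a `user.htpasswd`. Suggested first piece: `log_format main '$time_local $remote_addr $remote_user $status $host "$request" $bytes_sent '`, followed by the existing second line. The enclosing `http` block extends beyond the hunk.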
@@ -1,55 +0,0 @@ -version: '3' -services: - roundcube: - image: roundcube/roundcubemail:1.4.x-apache - restart: "unless-stopped" - depends_on: - - db - volumes: - - /data/amaglio.fr/app/plugins/enigma/home:/var/www/html/plugins/enigma/home - - /data/amaglio.fr/app/config/config.inc.php:/var/www/html/config/config.inc.php - - /data/amaglio.fr/app/enigma_pgp_homedir:/data/enigma_pgp_homedir - env_file: /data/amaglio.fr/env - environment: - ROUNDCUBEMAIL_DB_TYPE: pgsql - ROUNDCUBEMAIL_DB_HOST: db - ROUNDCUBEMAIL_DB_USER: postgres - ROUNDCUBEMAIL_DB_NAME: postgres - ROUNDCUBEMAIL_UPLOAD_MAX_FILESIZE: 25M - - # imap server - ROUNDCUBEMAIL_DEFAULT_HOST: ssl://mail20.lwspanel.com - ROUNDCUBEMAIL_DEFAULT_PORT: 993 - ROUNDCUBEMAIL_SMTP_SERVER: tls://mail20.lwspanel.com - ROUNDCUBEMAIL_SMTP_PORT: 587 - ROUNDCUBEMAIL_PLUGINS: archive,zipdownload,enigma,attachment_reminder - networks: - default: - ipv4_address: 172.29.5.100 - deploy: - resources: - limits: - cpus: '0.50' - memory: 100M - - db: - # https://hub.docker.com/_/postgres?tab=description - image: postgres:9.6-alpine - restart: "unless-stopped" - env_file: /data/amaglio.fr/env - volumes: - - /data/amaglio.fr/db:/var/lib/postgresql/data - networks: - default: - ipv4_address: 172.29.5.101 - deploy: - resources: - limits: - cpus: '0.50' - memory: 100M -networks: - default: - ipam: - config: - - subnet: 172.29.5.0/24 - diff --git a/services/amaglio.fr/nginx_server.conf b/services/amaglio.fr/nginx_server.conf deleted file mode 100755 index 33c705b..0000000 --- a/services/amaglio.fr/nginx_server.conf +++ /dev/null 
@@ -1,40 +0,0 @@ -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - ssl_certificate $JC_CERT/fullchain.pem; - ssl_certificate_key $JC_CERT/privkey.pem; - - server_name amaglio.fr www.amaglio.fr; -# root /data/amaglio.fr/app; -# - client_max_body_size 1024M; - charset utf-8; -# -# index index.php; -# -# location ~ ^/roundcube/(bin|SQL|config|temp|logs)/ { -# deny all; -# } -# -# location ~ /roundcube/\.(js|css|png|jpg|jpeg|gif|ico)$ { -# expires max; -# log_not_found off; -# } -# - location / { - proxy_pass http://172.29.5.100; - proxy_set_header Host $host; - - proxy_set_header X-Forwarded-For $remote_addr; - } -# -# location ~ \.php$ { -# fastcgi_split_path_info ^(.+\.php)(/.*)$; -# include fastcgi_params; -# fastcgi_param SCRIPT_FILENAME /var/www/html/$fastcgi_script_name; -# fastcgi_param PATH_INFO $fastcgi_path_info; -# fastcgi_pass amaglio.fr:9000; -# fastcgi_index index.php; -# } -} - diff --git a/services/benevoles31.karnaval.fr/docker-compose.yml b/services/benevoles31.karnaval.fr/docker-compose.yml index a0cc407..7a3325f 100755 --- a/services/benevoles31.karnaval.fr/docker-compose.yml +++ b/services/benevoles31.karnaval.fr/docker-compose.yml @@ -13,7 +13,7 @@ services: restart: unless-stopped networks: default: - ipv4_address: 172.16.17.100 + ipv4_address: $NET.100 #redis: # image: redis @@ -27,7 +27,7 @@ services: - $DATA_DIR/db:/var/lib/postgresql/data networks: default: - ipv4_address: 172.16.17.101 + ipv4_address: $NET.101 # app2: # image: jeancloud/site-benevole:dev-karna-debian # environment: @@ -41,7 +41,7 @@ services: # restart: unless-stopped # networks: # default: - # ipv4_address: 172.29.17.110 + # ipv4_address: $NET.110 # # db2: # image: postgres:9.6-alpine @@ -53,10 +53,10 @@ services: # - $DATA_DIR/db2:/var/lib/postgresql/data # networks: # default: - # ipv4_address: 172.29.17.111 + # ipv4_address: $NET.111 networks: default: ipam: config: - - subnet: 172.16.17.0/24 + - subnet: $NET.0/24 
diff --git a/services/builder.rimarima.fr/.env b/services/builder.rimarima.fr/.env new file mode 100644 index 0000000..df5e283 --- /dev/null +++ b/services/builder.rimarima.fr/.env @@ -0,0 +1 @@ +GIT_SOURCE_REPO=https://git.jean-cloud.net/adrian/rimarima diff --git a/services/builder.rimarima.fr/deploy.sh b/services/builder.rimarima.fr/deploy.sh new file mode 100755 index 0000000..e32f87e --- /dev/null +++ b/services/builder.rimarima.fr/deploy.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +chown $UID:www-data "$SECRET_DIR/user.htpasswd" +chmod 740 "$SECRET_DIR/user.htpasswd" diff --git a/services/builder.rimarima.fr/deploy_http.sh b/services/builder.rimarima.fr/deploy_http.sh deleted file mode 100755 index ccfa05c..0000000 --- a/services/builder.rimarima.fr/deploy_http.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash - -set -euo pipefail -set -a -. "$SECRET_DIR/.env" -set +a - -git_update.sh -d "$HTTP_DIR" -b main "https://git.jean-cloud.net/adrian/rimarima" - -rclone_ncloud_publiclink.sh "$HTTP_DIR/content" - -podman build . -f hugobuilder.dockerfile -t $JC_SERVICE/builder -podman run --rm -v $HTTP_DIR:/srv $JC_SERVICE/builder diff --git a/services/builder.rimarima.fr/deploy_user.sh b/services/builder.rimarima.fr/deploy_user.sh new file mode 120000 index 0000000..e723ae7 --- /dev/null +++ b/services/builder.rimarima.fr/deploy_user.sh @@ -0,0 +1 @@ +../hugo/deploy_user.sh \ No newline at end of file diff --git a/services/builder.rimarima.fr/server.sh b/services/builder.rimarima.fr/server.sh index 72a57db..53f29c8 100755 --- a/services/builder.rimarima.fr/server.sh +++ b/services/builder.rimarima.fr/server.sh @@ -3,14 +3,10 @@ echo "Content-type: text/html" echo "" +. .env + action="$(echo "$DOCUMENT_URI" | tr -d '/\;!&<>?#[]()"*')" -set -a -. .env -set +a - -"./deploy_http.sh" 2>&1 -ret="$?" -if [ "$ret" -ne 0 ] ; then - echo 'Error' -fi +echo '
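Review bot: `chown $UID:www-data "$SECRET_DIR/user.htpasswd"` uses bash's built-in `UID`, which is the numeric id of whoever runs deploy.sh, not the service account; if deploy.sh runs as root (not visible here) the file ends up owned by uid 0, which may or may not be intended. `chmod 740` also sets the owner execute bit on a credentials file; `chmod 640 "$SECRET_DIR/user.htpasswd"` gives the same owner-write and group-read access without it. The script has no `set -euo pipefail`, so an unset `SECRET_DIR` would turn the path into `/user.htpasswd`; adding that line, or `: "${SECRET_DIR:?}"`, makes the failure explicit.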
'
+deploy_as "$JC_SERVICE"
+echo '
' diff --git a/services/chahut.jean-cloud.net/docker-compose.yml b/services/chahut.jean-cloud.net/docker-compose.yml index bc7e303..b960be4 100644 --- a/services/chahut.jean-cloud.net/docker-compose.yml +++ b/services/chahut.jean-cloud.net/docker-compose.yml @@ -11,7 +11,7 @@ services: - /srv/http/$JC_SERVICE:/var/www/html/static networks: default: - ipv4_address: 172.29.18.100 + ipv4_address: $NET.100 deploy: resources: limits: @@ -26,16 +26,16 @@ services: - $DATA_DIR/db:/var/lib/mysql networks: default: - ipv4_address: 172.29.18.101 + ipv4_address: $NET.101 deploy: resources: limits: cpus: '0.50' - memory: 100M + memory: 300M networks: default: ipam: config: - - subnet: 172.29.18.0/24 + - subnet: $NET.0/24 diff --git a/services/chahut.jean-cloud.net/nginx_server.conf b/services/chahut.jean-cloud.net/nginx_server.conf index 2778731..a26e2c7 100755 --- a/services/chahut.jean-cloud.net/nginx_server.conf +++ b/services/chahut.jean-cloud.net/nginx_server.conf @@ -11,7 +11,7 @@ server { #proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-Proto https; - proxy_pass http://172.29.18.100; + proxy_pass http://$NET.100; proxy_redirect off; } } diff --git a/services/chiloe.eu/deploy_http.sh b/services/chiloe.eu/deploy_user.sh similarity index 80% rename from services/chiloe.eu/deploy_http.sh rename to services/chiloe.eu/deploy_user.sh index f465dc5..95cbff8 100755 --- a/services/chiloe.eu/deploy_http.sh +++ b/services/chiloe.eu/deploy_user.sh @@ -1,5 +1,3 @@ #!/bin/bash -set -euo pipefail -. "$SECRET_DIR/.env" rclone sync --config=/notfound --sftp-host sftp.jean-cloud.net --sftp-user chiloeRO --sftp-port 2929 --sftp-pass "$SFTP_PASS" :sftp:/public/ "$HTTP_DIR" diff --git a/services/coldcms.chahut.jean-cloud.net/docker-compose.yml b/services/coldcms.chahut.jean-cloud.net/docker-compose.yml index bf16a85..75b2e3a 100644 --- a/services/coldcms.chahut.jean-cloud.net/docker-compose.yml 
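Review bot: Whatever `deploy_as "$JC_SERVICE"` prints is now written straight into a `Content-type: text/html` response, and that output will include text from the git remote and the build tools, so it should be sent as `text/plain` or HTML-escaped before it reaches the browser. The previous version merged stderr with `2>&1` and printed `Error` on a non-zero exit; the new call does neither, so a failed deploy produces an empty-looking page (`deploy_as "$JC_SERVICE" 2>&1 || echo 'Error'` restores that). `action` is still computed from `DOCUMENT_URI` but not used in the visible lines, and `. .env` now runs without `set -a`, so the variables it defines are not exported to `deploy_as` unless `.env` exports them itself. Since this CGI is the web entry point to a setuid helper, the access control in front of it (not visible in this diff) deserves a check as part of the review.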
+++ b/services/coldcms.chahut.jean-cloud.net/docker-compose.yml @@ -17,7 +17,7 @@ services: restart: unless-stopped networks: default: - ipv4_address: 172.29.20.100 + ipv4_address: $NET.100 deploy: resources: limits: @@ -29,4 +29,4 @@ networks: default: ipam: config: - - subnet: 172.29.20.0/24 + - subnet: $NET.0/24 diff --git a/services/coldcms.chahut.jean-cloud.net/nginx_server.conf b/services/coldcms.chahut.jean-cloud.net/nginx_server.conf index 9f4b926..ddee107 100644 --- a/services/coldcms.chahut.jean-cloud.net/nginx_server.conf +++ b/services/coldcms.chahut.jean-cloud.net/nginx_server.conf @@ -27,7 +27,7 @@ server { location @uwsgi_backend { - uwsgi_pass 172.29.20.100:8000; + uwsgi_pass $NET.100:8000; include uwsgi_params; client_max_body_size 20m; } @@ -47,7 +47,7 @@ server { } location /admin/ { - uwsgi_pass 172.29.20.100:8000; + uwsgi_pass $NET.100:8000; include uwsgi_params; client_max_body_size 20m; } diff --git a/services/collectif-arthadie.fr/docker-compose.yml b/services/collectif-arthadie.fr/docker-compose.yml index cfcf1ad..2e66266 100644 --- a/services/collectif-arthadie.fr/docker-compose.yml +++ b/services/collectif-arthadie.fr/docker-compose.yml @@ -15,7 +15,7 @@ services: - /data/collectif-arthadie.fr/static:/var/www/html/static networks: default: - ipv4_address: 172.29.6.100 + ipv4_address: $NET.100 deploy: resources: limits: @@ -34,16 +34,16 @@ services: - /data/collectif-arthadie.fr/db:/var/lib/mysql networks: default: - ipv4_address: 172.29.6.101 + ipv4_address: $NET.101 deploy: resources: limits: cpus: '0.50' - memory: 100M + memory: 300M networks: default: ipam: config: - - subnet: 172.29.6.0/24 + - subnet: $NET.0/24 diff --git a/services/collectif-arthadie.fr/nginx_server.conf b/services/collectif-arthadie.fr/nginx_server.conf index 9b03cbd..7fa4114 100755 --- a/services/collectif-arthadie.fr/nginx_server.conf +++ b/services/collectif-arthadie.fr/nginx_server.conf 
@@ -9,7 +9,7 @@ server { #proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-Proto https; - proxy_pass http://172.29.6.100; + proxy_pass http://$NET.100; proxy_redirect off; } } diff --git a/services/compagnienouvelle.fr/docker-compose.yml b/services/compagnienouvelle.fr/docker-compose.yml index 3ee2d38..c599ae5 100644 --- a/services/compagnienouvelle.fr/docker-compose.yml +++ b/services/compagnienouvelle.fr/docker-compose.yml @@ -13,7 +13,7 @@ services: - $DATA_DIR/static:/var/www/html/static networks: default: - ipv4_address: 172.29.7.100 + ipv4_address: $NET.100 deploy: resources: limits: @@ -28,16 +28,16 @@ services: - $DATA_DIR/db:/var/lib/mysql networks: default: - ipv4_address: 172.29.7.101 + ipv4_address: $NET.101 deploy: resources: limits: cpus: '0.50' - memory: 100M + memory: 300M networks: default: ipam: config: - - subnet: 172.29.7.0/24 + - subnet: $NET.0/24 diff --git a/services/compagnienouvelle.fr/nginx_server.conf b/services/compagnienouvelle.fr/nginx_server.conf index a1d97ee..5aa70dd 100755 --- a/services/compagnienouvelle.fr/nginx_server.conf +++ b/services/compagnienouvelle.fr/nginx_server.conf @@ -11,7 +11,7 @@ server { #proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-Proto https; - proxy_pass http://172.29.7.100; + proxy_pass http://$NET.100; proxy_redirect off; } } diff --git a/services/copaines.jean-cloud.net/deploy.sh b/services/copaines.jean-cloud.net/deploy.sh new file mode 100755 index 0000000..819f1e1 --- /dev/null +++ b/services/copaines.jean-cloud.net/deploy.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +chmod 700 "$SECRET_DIR/sftp.sshprivkey" diff --git a/services/copaines.jean-cloud.net/deploy_http.sh b/services/copaines.jean-cloud.net/deploy_user.sh similarity index 95% rename from services/copaines.jean-cloud.net/deploy_http.sh rename to services/copaines.jean-cloud.net/deploy_user.sh index 163fc93..33f0bcd 100755 
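Review bot: `chmod 700 "$SECRET_DIR/sftp.sshprivkey"` in the new copaines deploy.sh sets execute permission on a private key; `chmod 600` is the conventional mode and is all `scp -i` needs. The script changes the mode but not the owner, so whether the account that runs deploy_user.sh can read the key depends on how the file was created; an explicit `chown` to that account would make the script self-contained.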
--- a/services/copaines.jean-cloud.net/deploy_http.sh +++ b/services/copaines.jean-cloud.net/deploy_user.sh @@ -1,3 +1,5 @@ #!/bin/bash +mkdir -p ~/.ssh echo '[sftp.jean-cloud.net]:2929 ssh-rsa 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' >> ~/.ssh/known_hosts +chmod 700 ~/.ssh/known_hosts scp -i "$SECRET_DIR/sftp.sshprivkey" -rP 2929 copaines@sftp.jean-cloud.net:public/* "$HTTP_DIR" diff --git a/services/cousinades.jean-cloud.net/docker-compose.yml b/services/cousinades.jean-cloud.net/docker-compose.yml index fea7e24..d939f66 100755 --- a/services/cousinades.jean-cloud.net/docker-compose.yml +++ b/services/cousinades.jean-cloud.net/docker-compose.yml @@ -7,7 +7,7 @@ services: restart: unless-stopped networks: default: - ipv4_address: 172.29.4.100 + ipv4_address: $NET.100 deploy: resources: limits: @@ -21,7 +21,7 @@ services: - /data/cousinades.jean-cloud.net/db:/var/lib/postgresql/data networks: default: - ipv4_address: 172.29.4.101 + ipv4_address: $NET.101 deploy: resources: limits: @@ -32,4 +32,4 @@ networks: default: ipam: config: - - subnet: 172.29.4.0/24 + - subnet: $NET.0/24 diff --git a/services/cousinades.jean-cloud.net/nginx_server.conf b/services/cousinades.jean-cloud.net/nginx_server.conf index 11fe749..b61d4ad 100755 --- a/services/cousinades.jean-cloud.net/nginx_server.conf +++ b/services/cousinades.jean-cloud.net/nginx_server.conf @@ -16,7 +16,7 @@ server { location ~ \.php$ { fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass 172.29.4.100:9000; + fastcgi_pass $NET.100:9000; fastcgi_index index.php; include fastcgi_params; fastcgi_param SCRIPT_FILENAME /usr/src/app/$fastcgi_script_name; diff --git a/services/dnscerts.jean-cloud.org/run_as.sh b/services/dnscerts.jean-cloud.org/run_as.sh index 65eb84a..95499da 100755 --- a/services/dnscerts.jean-cloud.org/run_as.sh +++ b/services/dnscerts.jean-cloud.org/run_as.sh 
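Review bot: `chmod 700 ~/.ssh/known_hosts` targets the file rather than the directory created on the line above; the usual pairing is `chmod 700 ~/.ssh` and `chmod 600 ~/.ssh/known_hosts`. The `echo … >> ~/.ssh/known_hosts` line appends the pinned host key on every deploy, so the file grows by one duplicate per run; store the entry in a variable and guard the append with `grep -qxF "$entry" ~/.ssh/known_hosts || echo "$entry" >> ~/.ssh/known_hosts`, or write the key to a dedicated file and pass it with `-o UserKnownHostsFile=…`. Pinning the key is the right approach; the script would also benefit from `set -euo pipefail` so a failed `scp` is reported.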
@@ -14,8 +14,8 @@ set +a # Test secret presence [ ! -f "$DATA_DIR/rfc2136.ini" ] && echo "$0 Missing file '$DATA_DIR/rfc2136.ini'" && exit 1 -export tmp="$(mktemp -d)" -mkdir -p "$tmp/{work,logs}" +export workdir="$(mktemp -d)" +mkdir -p "$workdir/{work,logs}" # If there is some args, populate a fake service file if [ "$#" -ge 1 ] && [ -n "$1" ] ; then @@ -25,6 +25,9 @@ if [ "$#" -ge 1 ] && [ -n "$1" ] ; then done fi +echo "Renew existing certs" +certbot renew --config-dir "$DATA_DIR/certs" --logs-dir "$workdir/logs" --dns-rfc2136 --dns-rfc2136-credentials "$DATA_DIR/rfc2136.ini" --work-dir "$workdir" + echo "For each service, read all possible domains" while read line ; do read -r service target < <(echo "$line") @@ -35,15 +38,18 @@ while read line ; do # remove dummy cert dummy_cert.sh "$service" remove || true - [ -d "$DATA_DIR/certs/live/$service" ] && echo "Already exists, thats a job for renew : $service" && continue + if [ -d "$DATA_DIR/certs/live/$service" ] ; then + #echo "Already exists, thats a job for renew : $service" + continue + fi # acme - "$here/acme-dns.sh" "$service" "$tmp" + "$here/acme-dns.sh" "$service" "$workdir" done < "$servicefile" echo "Push certs to other servers" -for srv in $(host -t TXT shlago.jean-cloud.org ns.jean-cloud.org | grep -Po 'descriptive text "\K[^"]+' | tr ',' ' ' | tr ' ' '\n') ; do +for srv in $(host -t TXT shlago.jean-cloud.org ns.jean-cloud.org | grep -Po 'descriptive text "\K[^"]+' | tr ',' ' ' | tr ' ' '\n') vandamme nougaro ; do server="$srv.jean-cloud.org" [ -n "$(grep "$server" /etc/hosts)" ] && continue echo "-- $server" diff --git a/services/etrevivant.net/.env b/services/etrevivant.net/.env index 817b5e9..a948b14 100644 --- a/services/etrevivant.net/.env +++ b/services/etrevivant.net/.env @@ -1,2 +1,2 @@ GIT_SOURCE_REPO="https://git.jean-cloud.net/adrian/etrevivant" -CLOUD_LOCAL_PATH=content +GIT_SOURCE_BRANCH=master 
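Review bot: `mkdir -p "$workdir/{work,logs}"` creates a single directory literally named `{work,logs}`, because brace expansion does not happen inside double quotes; the new `certbot renew` call then points `--logs-dir` at `$workdir/logs`, which this script never created. Write `mkdir -p "$workdir"/{work,logs}` or two plain `mkdir -p` calls. The `mktemp -d` directory receives certbot's logs and working state and is not removed in the visible lines; a `trap 'rm -rf "$workdir"' EXIT` right after it is created would clean it up. In the last hunk of this file, appending `vandamme nougaro` to a list otherwise read from a DNS TXT record means certificates are pushed to hosts named by two different sources; a comment saying why these two are hard-coded would help the next reader.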
diff --git a/services/etrevivant.net/deploy.sh b/services/etrevivant.net/deploy.sh new file mode 120000 index 0000000..e8adfae --- /dev/null +++ b/services/etrevivant.net/deploy.sh @@ -0,0 +1 @@ +../hugo/deploy.sh \ No newline at end of file diff --git a/services/etrevivant.net/deploy_http.sh b/services/etrevivant.net/deploy_http.sh deleted file mode 100755 index 275cb44..0000000 --- a/services/etrevivant.net/deploy_http.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash -set -euo pipefail -set -a -. "$SECRET_DIR/.env" -set +a - -git_update.sh -d "$HTTP_DIR" "$GIT_SOURCE_REPO" -hugo_rclone.sh "$HTTP_DIR" diff --git a/services/etrevivant.net/deploy_user.sh b/services/etrevivant.net/deploy_user.sh new file mode 120000 index 0000000..e723ae7 --- /dev/null +++ b/services/etrevivant.net/deploy_user.sh @@ -0,0 +1 @@ +../hugo/deploy_user.sh \ No newline at end of file diff --git a/services/etrevivant.net/nginx_server.conf b/services/etrevivant.net/nginx_server.conf deleted file mode 100755 index dba721b..0000000 --- a/services/etrevivant.net/nginx_server.conf +++ /dev/null 
@@ -1,22 +0,0 @@ -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - ssl_certificate $JC_CERT/fullchain.pem; - ssl_certificate_key $JC_CERT/privkey.pem; - server_name $JC_SERVICE www.$JC_SERVICE; - root $HTTP_DIR/public/; - - # Security headers - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self'; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self'; base-uri 'self'; form-action 'self';" always; - add_header X-Content-Type-Options "nosniff"; - add_header X-Frame-Options SAMEORIGIN always; - add_header X-XSS-Protection "1; mode=block" always; - add_header Referrer-Policy "strict-origin-when-cross-origin"; - add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';"; - - location / { - index index.html; - try_files $uri $uri/ =404; - } -} diff --git a/services/etrevivant.net/nginx_server.conf b/services/etrevivant.net/nginx_server.conf new file mode 120000 index 0000000..8b62669 --- /dev/null +++ b/services/etrevivant.net/nginx_server.conf @@ -0,0 +1 @@ +../hugo/nginx_server.conf \ No newline at end of file diff --git a/services/feministesucl34.communisteslibertaires.org/deploy_http.sh b/services/feministesucl34.communisteslibertaires.org/deploy_user.sh similarity index 100% rename from services/feministesucl34.communisteslibertaires.org/deploy_http.sh rename to services/feministesucl34.communisteslibertaires.org/deploy_user.sh diff --git a/services/feteducourt.jean-cloud.net/deploy_http.sh b/services/feteducourt.jean-cloud.net/deploy_user.sh similarity index 100% rename from services/feteducourt.jean-cloud.net/deploy_http.sh rename to services/feteducourt.jean-cloud.net/deploy_user.sh 
diff --git a/services/feteducourt2020.jean-cloud.net/deploy_http.sh b/services/feteducourt2020.jean-cloud.net/deploy_user.sh similarity index 100% rename from services/feteducourt2020.jean-cloud.net/deploy_http.sh rename to services/feteducourt2020.jean-cloud.net/deploy_user.sh diff --git a/services/git.jean-cloud.net/docker-compose.yml b/services/git.jean-cloud.net/docker-compose.yml index 1b7b615..aeca357 100755 --- a/services/git.jean-cloud.net/docker-compose.yml +++ b/services/git.jean-cloud.net/docker-compose.yml @@ -1,7 +1,7 @@ version: '3' services: gitea: - image: gitea/gitea:1.9.1 + image: gitea/gitea:1.21 depends_on: - db volumes: @@ -11,31 +11,23 @@ services: restart: unless-stopped networks: default: - ipv4_address: 172.29.10.100 - deploy: - resources: - limits: - cpus: '0.50' - memory: 100M - - + ipv4_address: $NET.100 db: - # https://hub.docker.com/_/postgres?tab=description - image: postgres:9.6-alpine + image: postgres:16-alpine volumes: - /data/git.jean-cloud.net/db:/var/lib/postgresql/data networks: default: - ipv4_address: 172.29.10.101 + ipv4_address: $NET.101 deploy: resources: limits: - cpus: '0.50' - memory: 100M + cpus: '1' + memory: 300M networks: default: ipam: config: - - subnet: 172.29.10.0/24 + - subnet: $NET.0/24 diff --git a/services/git.jean-cloud.net/nginx_server.conf b/services/git.jean-cloud.net/nginx_server.conf index adb9119..89a1592 100755 --- a/services/git.jean-cloud.net/nginx_server.conf +++ b/services/git.jean-cloud.net/nginx_server.conf @@ -3,10 +3,11 @@ server { listen [::]:443 ssl http2; ssl_certificate $JC_CERT/fullchain.pem; ssl_certificate_key $JC_CERT/privkey.pem; - server_name git.jean-cloud.net www.git.jean-cloud.net; + server_name $JC_SERVICE www.$JC_SERVICE; + limit_req zone=defaultlimit burst=20 nodelay; location / { client_max_body_size 5G; - proxy_pass http://172.29.10.100:3000; + proxy_pass http://$NET.100:3000; } } 
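Review bot: `image: postgres:16-alpine` is pointed at the same `/data/git.jean-cloud.net/db` volume that `postgres:9.6-alpine` was using, and PostgreSQL cannot open a data directory written by a different major version, so unless the data was already migrated out of band the `db` container will refuse to start until a dump/restore or `pg_upgrade` is done. Take a dump from the 9.6 container and a backup of the Gitea data volume before deploying, since the Gitea image also jumps from `1.9.1` to `1.21` and will migrate its schema on first start. The hunk also removes the `deploy.resources.limits` block from the `gitea` service, leaving it without CPU or memory caps while `db` keeps them; if that is deliberate, a short comment would record why.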
diff --git a/services/grapes.chahut.jean-cloud.net/.env b/services/grapes.chahut.jean-cloud.net/.env index 8820615..2438616 100644 --- a/services/grapes.chahut.jean-cloud.net/.env +++ b/services/grapes.chahut.jean-cloud.net/.env @@ -1,2 +1 @@ -JC_NET=172.29.19 GIT_SOURCE_REPO=https://git.jean-cloud.net/adrian/grapesjs diff --git a/services/grapes.chahut.jean-cloud.net/deploy_http.sh b/services/grapes.chahut.jean-cloud.net/deploy_user.sh similarity index 100% rename from services/grapes.chahut.jean-cloud.net/deploy_http.sh rename to services/grapes.chahut.jean-cloud.net/deploy_user.sh diff --git a/services/grapes.chahut.jean-cloud.net/docker-compose.yml b/services/grapes.chahut.jean-cloud.net/docker-compose.yml index cf13358..f1a3a1c 100755 --- a/services/grapes.chahut.jean-cloud.net/docker-compose.yml +++ b/services/grapes.chahut.jean-cloud.net/docker-compose.yml @@ -6,7 +6,7 @@ services: - "$DATA_DIR:/usr/lib/json-server" networks: default: - ipv4_address: $JC_NET.100 + ipv4_address: $NET.100 deploy: resources: limits: @@ -16,4 +16,4 @@ networks: default: ipam: config: - - subnet: $JC_NET.0/24 + - subnet: $NET.0/24 diff --git a/services/grapes.chahut.jean-cloud.net/nginx_server.conf b/services/grapes.chahut.jean-cloud.net/nginx_server.conf index bd6891d..193e24f 100755 --- a/services/grapes.chahut.jean-cloud.net/nginx_server.conf +++ b/services/grapes.chahut.jean-cloud.net/nginx_server.conf @@ -28,7 +28,7 @@ server { location /projects { proxy_set_header Host $http_host; proxy_set_header X-Forwarded-Proto https; - proxy_pass http://$JC_NET.100:3000; + proxy_pass http://$NET.100:3000; proxy_redirect off; } diff --git a/services/gypsylyonfestival.com/deploy_http.sh b/services/gypsylyonfestival.com/deploy_user.sh similarity index 100% rename from services/gypsylyonfestival.com/deploy_http.sh rename to services/gypsylyonfestival.com/deploy_user.sh 
diff --git a/services/gypsylyonfestival.com/nginx_server.conf b/services/gypsylyonfestival.com/nginx_server.conf index c555598..7a1ddd6 100755 --- a/services/gypsylyonfestival.com/nginx_server.conf +++ b/services/gypsylyonfestival.com/nginx_server.conf @@ -3,8 +3,7 @@ server { listen [::]:443 ssl http2; ssl_certificate $JC_CERT/fullchain.pem; ssl_certificate_key $JC_CERT/privkey.pem; - #server_name gypsylyonfestival.com www.gypsylyonfestival.com; - server_name gypsy.jean-cloud.net; + server_name $JC_SERVICE; root $HTTP_DIR; # Security headers diff --git a/services/hugo/deploy.sh b/services/hugo/deploy.sh new file mode 100755 index 0000000..1c23910 --- /dev/null +++ b/services/hugo/deploy.sh @@ -0,0 +1,2 @@ +#!/bin/bash +apt install -y hugo diff --git a/services/hugo/deploy_user.sh b/services/hugo/deploy_user.sh new file mode 100755 index 0000000..da545fd --- /dev/null +++ b/services/hugo/deploy_user.sh @@ -0,0 +1,13 @@ +#!/bin/bash +set -euo pipefail + +# Update git repo +git_update.sh -d "$HTTP_DIR" -b "${GIT_SOURCE_BRANCH:-main}" "$GIT_SOURCE_REPO" + +cd "$HTTP_DIR" + +# Get remote content files +rclone_ncloud_publiclink.sh + +# Build website +HUGO_CACHEDIR=/tmp/hugo_cache_$USER hugo diff --git a/services/hugo/nginx_server.conf b/services/hugo/nginx_server.conf new file mode 100755 index 0000000..85ce615 --- /dev/null +++ b/services/hugo/nginx_server.conf 
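Review bot: `HUGO_CACHEDIR=/tmp/hugo_cache_$USER hugo` in the new hugo/deploy_user.sh puts the build cache at a predictable name in a world-writable directory, so on a host where every service has its own account, another account can create that path first and influence what the build reads and writes. Keep the cache somewhere only the service account can write, for example `HUGO_CACHEDIR="$DATA_DIR/hugo_cache" hugo` if `DATA_DIR` is exported to this script, or create the directory with `mktemp -d`. The script also relies on `HTTP_DIR`, `GIT_SOURCE_REPO` and `USER` coming from the caller; with `set -u` an unset one aborts the run, which is the right failure mode.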
@@ -0,0 +1,24 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate $JC_CERT/fullchain.pem; + ssl_certificate_key $JC_CERT/privkey.pem; + server_name $JC_SERVICE www.$JC_SERVICE; + root $HTTP_DIR/public; + + # Security headers + # We can create a file with the base security headers and include it. + # Will it be possible to overload them then ? + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self'; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self'; base-uri 'self'; form-action 'self';" always; + add_header X-Content-Type-Options "nosniff"; + add_header X-Frame-Options SAMEORIGIN always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "strict-origin-when-cross-origin"; + add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';sync-xhr='https://mailer.jean-cloud.net';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';"; + + location / { + index index.html; + try_files $uri $uri/ =404; + } +} diff --git a/services/inurbe.fr/deploy_http.sh b/services/inurbe.fr/deploy_user.sh similarity index 100% rename from services/inurbe.fr/deploy_http.sh rename to services/inurbe.fr/deploy_user.sh diff --git a/services/jean-cloud.net/.env b/services/jean-cloud.net/.env new file mode 100644 index 0000000..7a87fd0 --- /dev/null +++ b/services/jean-cloud.net/.env @@ -0,0 +1 @@ +GIT_SOURCE_REPO=https://git.jean-cloud.net/adrian/jean-cloud_website diff --git a/services/jean-cloud.net/LINKS. DO NOT EDIT b/services/jean-cloud.net/LINKS. DO NOT EDIT new file mode 100644 index 0000000..e69de29 diff --git a/services/jean-cloud.net/deploy.sh b/services/jean-cloud.net/deploy.sh deleted file mode 100755 index 48f507e..0000000 
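Review bot: The `Permissions-Policy` value on the last `add_header` line is written in a Feature-Policy-like form (`geolocation='none';midi='none';…`), which is not that header's syntax; browsers expect a comma-separated list such as `geolocation=(), microphone=(), camera=(), payment=(), fullscreen=(self)` and are likely to ignore the header as written. `X-Content-Type-Options`, `Referrer-Policy` and `Permissions-Policy` are also the only three without `always`, so they are not sent on error responses such as the `=404` from `try_files`. Because this file is now the shared template that services such as etrevivant.net symlink to, fixing it here fixes every site that uses it.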
--- a/services/jean-cloud.net/deploy.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/bash
-
-docker run -u 33 --rm -e GIT_SOURCE_REPO='https://git.jean-cloud.net/adrian/jean-cloud_website' -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder
diff --git a/services/jean-cloud.net/deploy.sh b/services/jean-cloud.net/deploy.sh
new file mode 120000
index 0000000..7d8f3e3
--- /dev/null
+++ b/services/jean-cloud.net/deploy.sh
@@ -0,0 +1 @@
+../pelican/deploy.sh
\ No newline at end of file
diff --git a/services/jean-cloud.net/deploy_user.sh b/services/jean-cloud.net/deploy_user.sh
new file mode 120000
index 0000000..580c68d
--- /dev/null
+++ b/services/jean-cloud.net/deploy_user.sh
@@ -0,0 +1 @@
+../pelican/deploy_user.sh
\ No newline at end of file
diff --git a/services/jean-cloud.net/nginx_server.conf b/services/jean-cloud.net/nginx_server.conf
deleted file mode 100755
index bb0505b..0000000
--- a/services/jean-cloud.net/nginx_server.conf
+++ /dev/null
@@ -1,33 +0,0 @@ -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - ssl_certificate $JC_CERT/fullchain.pem; - ssl_certificate_key $JC_CERT/privkey.pem; - server_name jean-cloud.net www.jean-cloud.net jean-cloud.org www.jean-cloud.org; - root $HTTP_DIR/output; - - # Security headers - # We can create a file with the base security headers and include it. - # Will it be possible to overload them then ? - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self'; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self'; base-uri 'self'; form-action 'self';" always; - add_header X-Content-Type-Options "nosniff"; - add_header X-Frame-Options SAMEORIGIN always; - add_header X-XSS-Protection "1; mode=block" always; - add_header Referrer-Policy "strict-origin-when-cross-origin"; - add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';sync-xhr='https://mailer.jean-cloud.net';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';"; - - location / { - index index.html; - try_files $uri $uri/ =404; - } - - error_page 503 /503.html; - location = /503.html { - internal; - } - - location = /503 { - return 503; - } -} diff --git a/services/jean-cloud.net/nginx_server.conf b/services/jean-cloud.net/nginx_server.conf new file mode 120000 index 0000000..b3e6a38 --- /dev/null +++ b/services/jean-cloud.net/nginx_server.conf @@ -0,0 +1 @@ +../pelican/nginx_server.conf \ No newline at end of file diff --git a/services/jean-cloud.org/.env b/services/jean-cloud.org/.env new file mode 100644 index 0000000..0309c34 --- /dev/null +++ b/services/jean-cloud.org/.env @@ -0,0 +1 @@ +DESTINATION=jean-cloud.net 
diff --git a/services/jean-cloud.org/LINKS. DO NOT EDIT b/services/jean-cloud.org/LINKS. DO NOT EDIT new file mode 100644 index 0000000..e69de29 diff --git a/services/jean-cloud.org/nginx_server.conf b/services/jean-cloud.org/nginx_server.conf new file mode 120000 index 0000000..96e018f --- /dev/null +++ b/services/jean-cloud.org/nginx_server.conf @@ -0,0 +1 @@ +../redirection/nginx_server.conf \ No newline at end of file diff --git a/services/lexicographe.jean-cloud.net/.env b/services/lexicographe.jean-cloud.net/.env new file mode 100644 index 0000000..238207a --- /dev/null +++ b/services/lexicographe.jean-cloud.net/.env @@ -0,0 +1 @@ +GIT_SOURCE_REPO=https://git.jean-cloud.net/adrian/lexicographe diff --git a/services/lexicographe.jean-cloud.net/LINKS. DO NOT EDIT b/services/lexicographe.jean-cloud.net/LINKS. DO NOT EDIT new file mode 100644 index 0000000..e69de29 diff --git a/services/lexicographe.jean-cloud.net/deploy.sh b/services/lexicographe.jean-cloud.net/deploy.sh deleted file mode 100755 index 14c0cfd..0000000 --- a/services/lexicographe.jean-cloud.net/deploy.sh +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/bash -set -euo pipefail - -docker run -u 33 --rm --env-file "$SECRET_DIR/.env" -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder diff --git a/services/lexicographe.jean-cloud.net/deploy.sh b/services/lexicographe.jean-cloud.net/deploy.sh new file mode 120000 index 0000000..7d8f3e3 --- /dev/null +++ b/services/lexicographe.jean-cloud.net/deploy.sh @@ -0,0 +1 @@ +../pelican/deploy.sh \ No newline at end of file diff --git a/services/lexicographe.jean-cloud.net/deploy_user.sh b/services/lexicographe.jean-cloud.net/deploy_user.sh new file mode 120000 index 0000000..580c68d --- /dev/null +++ b/services/lexicographe.jean-cloud.net/deploy_user.sh @@ -0,0 +1 @@ +../pelican/deploy_user.sh \ No newline at end of file 
diff --git a/services/lexicographe.jean-cloud.net/docker-compose.yml b/services/lexicographe.jean-cloud.net/docker-compose.yml deleted file mode 100755 index d077323..0000000 --- a/services/lexicographe.jean-cloud.net/docker-compose.yml +++ /dev/null @@ -1,2 +0,0 @@ -version: '3' - diff --git a/services/lexicographe.jean-cloud.net/nginx_server.conf b/services/lexicographe.jean-cloud.net/nginx_server.conf deleted file mode 100755 index cd00e3c..0000000 --- a/services/lexicographe.jean-cloud.net/nginx_server.conf +++ /dev/null @@ -1,24 +0,0 @@ -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - ssl_certificate $JC_CERT/fullchain.pem; - ssl_certificate_key $JC_CERT/privkey.pem; - server_name lexicographe.jean-cloud.net; - root $HTTP_DIR/output; - - # Security headers - # We can create a file with the base security headers and include it. - # Will it be possible to overload them then ? - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self' https://unpkg.jean-cloud.net; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self' https://unpkg.jean-cloud.net; base-uri 'self'; form-action 'self' 'https://mailer.jean-cloud.net';" always; - add_header X-Content-Type-Options "nosniff"; - add_header X-Frame-Options SAMEORIGIN always; - add_header X-XSS-Protection "1; mode=block" always; - add_header Referrer-Policy "strict-origin-when-cross-origin"; - add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';sync-xhr='https://mailer.jean-cloud.net';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';"; - - location / { - index index.html; - try_files $uri $uri/ =404; - } -} 
diff --git a/services/lexicographe.jean-cloud.net/nginx_server.conf b/services/lexicographe.jean-cloud.net/nginx_server.conf new file mode 120000 index 0000000..b3e6a38 --- /dev/null +++ b/services/lexicographe.jean-cloud.net/nginx_server.conf @@ -0,0 +1 @@ +../pelican/nginx_server.conf \ No newline at end of file diff --git a/services/metamorphosemagazine.fr/deploy_http.sh b/services/metamorphosemagazine.fr/deploy_user.sh similarity index 100% rename from services/metamorphosemagazine.fr/deploy_http.sh rename to services/metamorphosemagazine.fr/deploy_user.sh diff --git a/services/mux.radiodemo.oma-radio.fr/.env b/services/mux.radiodemo.oma-radio.fr/.env index 9fd5e23..56d8688 100644 --- a/services/mux.radiodemo.oma-radio.fr/.env +++ b/services/mux.radiodemo.oma-radio.fr/.env @@ -2,8 +2,8 @@ ENDPOINT=10.29.0.1 WEBSERVER=.105 MUX=.100 TELECOM=.101 -NET=172.29.0 -WEBSOCKET_PORT=2004 +SWEBSOCKET_PORT=2004 +WEBSOCKET_PORT=2204 RADIO_HOST=mux.radiodemo.oma-radio.fr MUX_SERVER_PORT=9004 TELECOM_SERVER_PORT=3494 diff --git a/services/mux.radiodemo.oma-radio.fr/deploy_user.sh b/services/mux.radiodemo.oma-radio.fr/deploy_user.sh new file mode 100755 index 0000000..a178430 --- /dev/null +++ b/services/mux.radiodemo.oma-radio.fr/deploy_user.sh @@ -0,0 +1,10 @@ +#!/bin/bash + +if [ ! -e "$DATA_DIR/.env" ] ; then + cat > "$DATA_DIR/.env" <&1 | grep '200 OK' && wget http://localhost:8000/direct.mp3 -O - -t 1 -T 3 -S --spider 2>&1 | grep '200 OK'" - interval: 5m0s + interval: 1h0m0s timeout: 10s retries: 3 start_period: 1m0s diff --git a/services/mux.radiodemo.oma-radio.fr/liquidsoap.liq b/services/mux.radiodemo.oma-radio.fr/liquidsoap.liq index abdd4bf..fb68acd 100644 --- a/services/mux.radiodemo.oma-radio.fr/liquidsoap.liq +++ b/services/mux.radiodemo.oma-radio.fr/liquidsoap.liq 
@@ -49,13 +49,13 @@ end # Mux -input1 = mksafe(input.harbor("direct.ogg",port=8000,password="JsCabjWJUZXrrrKCaaRZma5wD4YKj5LQLXv6f")) +input1 = mksafe(input.harbor("direct.ogg",port=8000,password=getenv("LIQUIDSOAP_SOURCE_PASSWORD"))) # Direct mp3 output.icecast( %mp3(bitrate=128, samplerate=22050, stereo=false), mount="/direct.mp3", - host="icecast", port=8000, password="JsCabjWJUZXrrrKCaaRZma5wD4YKj5LQLXv6f", + host="icecast", port=8000, password=getenv("ICECAST_SOURCE_PASSWORD"), input1) # Radioking @@ -69,7 +69,7 @@ output.icecast( output.icecast( %vorbis(samplerate=44100, channels=1, quality=0.2), mount="/direct.ogg", - host="icecast", port=8000, password="JsCabjWJUZXrrrKCaaRZma5wD4YKj5LQLXv6f", + host="icecast", port=8000, password=getenv("ICECAST_SOURCE_PASSWORD"), input1) # Pige diff --git a/services/mux.radiodemo.oma-radio.fr/nginx_server.conf b/services/mux.radiodemo.oma-radio.fr/nginx_server.conf index b4b3a42..a882ae3 100644 --- a/services/mux.radiodemo.oma-radio.fr/nginx_server.conf +++ b/services/mux.radiodemo.oma-radio.fr/nginx_server.conf @@ -4,7 +4,7 @@ map $http_upgrade $connection_upgrade { } server{ - listen $WEBSOCKET_PORT ssl; + listen $SWEBSOCKET_PORT ssl; ssl_certificate $JC_CERT/fullchain.pem; ssl_certificate_key $JC_CERT/privkey.pem; @@ -28,11 +28,10 @@ server { location / { client_max_body_size 0; - proxy_pass http://$ENDPOINT; + proxy_pass http://$ENDPOINT/; proxy_set_header Host 'soundbase.radiodemo.oma-radio.fr'; - proxy_set_header X-Forwarded-Host $JC_SERVICE; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_redirect http://soundbase.radiodemo.oma-radio.fr https://$JC_SERVICE; + } @@ -45,7 +44,9 @@ server { proxy_pass http://$NET$ICECAST:8000/direct.mp3; } - # TODO open some stat route - - + location /logs/ { + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $DOCKER_DIR/server.sh; + fastcgi_pass unix:/var/run/fcgiwrap.socket; + } } 
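Review bot: The source password removed from `input.harbor` and from both `output.icecast` calls (this hunk and the `@@ -69,7` hunk) stays readable in the repository history, so moving it to the environment only helps once the harbor and Icecast credentials have been rotated to new values. The unset case also deserves a guard: depending on the Liquidsoap version, `getenv` yields an empty string for a missing variable, which would presumably leave the harbor input configured with an empty password. A comment above `# Mux` such as `# passwords are read from the environment; do not start with either one unset` would record that expectation.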
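Review bot: The new `location /logs/` hands every request under that prefix to fcgiwrap, which runs `$DOCKER_DIR/server.sh`, and nothing in the hunk restricts who may reach it. The enclosing `server` block starts outside this hunk, so an `auth_basic` or `allow`/`deny` may already exist at server level; if not, the location needs its own, for example `allow <ADMIN_NET>; deny all;` (placeholder network) or `auth_basic "logs"; auth_basic_user_file <HTPASSWD_PATH>;` (placeholder path). Because the script receives the query string and request headers through `fastcgi_params`, it should treat them as untrusted input.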
diff --git a/services/nc-backup.jean-cloud.net/docker-compose.yml b/services/nc-backup.jean-cloud.net/docker-compose.yml index 2c31dbe..cd372e2 100755 --- a/services/nc-backup.jean-cloud.net/docker-compose.yml +++ b/services/nc-backup.jean-cloud.net/docker-compose.yml @@ -7,7 +7,7 @@ services: restart: unless-stopped networks: default: - ipv4_address: 172.29.16.100 + ipv4_address: $NET.100 deploy: resources: limits: @@ -19,4 +19,4 @@ networks: default: ipam: config: - - subnet: 172.29.16.0/24 + - subnet: $NET.0/24 diff --git a/services/ns1.jean-cloud.org/helper_functions.sh b/services/ns1.jean-cloud.org/helper_functions.sh index 0b95b6a..7d1c03c 100644 --- a/services/ns1.jean-cloud.org/helper_functions.sh +++ b/services/ns1.jean-cloud.org/helper_functions.sh @@ -21,7 +21,7 @@ prepare () { fi # Sync the git repo - run sudo -u bind git_update.sh -N -b main -i "$DATA_DIR/gitkey" -d "$debian_bind_confdir" 'ssh://git@git.jean-cloud.net:22529/adrian/dnszones.git' + run sudo -u bind git_update.sh -N -b main -i "$SECRET_DIR/gitkey" -d "$debian_bind_confdir" 'ssh://git@git.jean-cloud.net:22529/adrian/dnszones.git' cd /etc/bind @@ -37,6 +37,7 @@ prepare () { restart () { echo 'Restart named' + rm /etc/bind/*.jnl || true systemctl restart named } @@ -126,8 +127,8 @@ create_primary_files () { serial="$(date '+%s')" sed -i "s/\(@ SOA [^(]*( \)[0-9]\+/\1$serial/" "$new_db_file" - # If no NS record in the db file - if [ -z "$(grep '[^;].*(IN)?.*NS' "$new_db_file")" ] ; then + # Add this dns server if not present + if [ -z "$(grep '[^;].*(IN)?.*NS.*$default_dns_name' "$new_db_file")" ] ; then echo "@ NS $default_dns_name" >> "$new_db_file" fi @@ -168,8 +169,8 @@ create_primary_files () { done echo 'Find every used domain and add them to bind db' - while read line ; do - read -r service target < <(echo "$line") + while IFS=';' read -r id username service target + do addbindline "$service" "$target" nginxfile="/docker/$service/nginx_server.conf" if [ -f "$nginxfile" ] ; then 
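Review bot: `rm /etc/bind/*.jnl || true` in `restart` throws away any dynamic-update changes that named has journaled but not yet written back to the zone files, and it prints an error on every run where no journal exists. If dropping them is intended because the zone files are regenerated on each deploy, say so in a comment such as `# zone files were just regenerated; stale journals would conflict with the new serial`, and use `rm -f /etc/bind/*.jnl` so the no-match case stays quiet.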
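Review bot: The rewritten test `grep '[^;].*(IN)?.*NS.*$default_dns_name'` can never find the server's own NS record: the pattern is single-quoted, so `$default_dns_name` reaches grep literally, and without `-E` the `(IN)?` group is matched as literal characters as well. The condition is therefore always true and `@ NS $default_dns_name` is appended whenever this branch runs, even when the record is already present. Something like `if ! grep -Eq "^[^;]*NS[[:space:]]+$default_dns_name" "$new_db_file" ; then` expands the variable and keeps commented lines out. `create_primary_files` starts and ends outside this hunk.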
@@ -177,7 +178,7 @@ create_primary_files () { addbindline "$name" "$target" done fi - done <"$servicefile" + done < <(grep -v '^#' /docker/services.csv) } create_secondary_files () { diff --git a/services/nuage.jean-cloud.net/maintenance.sh b/services/nuage.jean-cloud.net/maintenance.sh new file mode 100644 index 0000000..b496f1e --- /dev/null +++ b/services/nuage.jean-cloud.net/maintenance.sh @@ -0,0 +1 @@ +docker-compose exec -u www-data nextcloud php occ maintenance:mode --on diff --git a/services/nuage.jean-cloud.net/nginx_server.conf b/services/nuage.jean-cloud.net/nginx_server.conf new file mode 100755 index 0000000..8938387 --- /dev/null +++ b/services/nuage.jean-cloud.net/nginx_server.conf 
@@ -0,0 +1,219 @@ +# inspired from +# https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html?highlight=nginx +# 2021 05 25 + +server { + + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate $JC_CERT/fullchain.pem; + ssl_certificate_key $JC_CERT/privkey.pem; + server_name $JC_SERVICE www.$JC_SERVICE; + + root $DATA_DIR/app; + + limit_req zone=defaultlimit burst=500 nodelay; + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + + location = /.well-known/carddav { + return 301 $scheme://$host/remote.php/dav; + } + location = /.well-known/caldav { + return 301 $scheme://$host/remote.php/dav; + } + + + # set max upload size + client_max_body_size 10G; + fastcgi_buffers 64 4K; + + # Enable gzip but do not remove ETag headers + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + # Uncomment if your server is build with the ngx_pagespeed module + # This module is currently not supported. + #pagespeed off; + + + # Add headers to serve security related headers + # Before enabling Strict-Transport-Security headers please read into this + # topic first. + # add_header Strict-Transport-Security "max-age=15768000; + # includeSubDomains; preload;"; + # + # WARNING: Only add the preload option once you read about + # the consequences in https://hstspreload.org/. 
This option + # will add the domain to a hardcoded list that is shipped + # in all major browsers and getting removed from this list + # could take several months. + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + add_header Referrer-Policy no-referrer; + add_header Strict-Transport-Security "max-age=15552000; includeSubDomains"; + add_header X-Frame-Options "SAMEORIGIN"; + + # Remove X-Powered-By, which is an information leak + fastcgi_hide_header X-Powered-By; + + + # Specify how to handle directories -- specifying `/index.php$request_uri` + # here as the fallback means that Nginx always exhibits the desired behaviour + # when a client requests a path that corresponds to a directory that exists + # on the server. In particular, if that directory contains an index.php file, + # that file is correctly served; if it doesn't, then the request is passed to + # the front-end controller. This consistent behaviour means that we don't need + # to specify custom rules for certain paths (e.g. images and other assets, + # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus + # `try_files $uri $uri/ /index.php$request_uri` + # always provides the desired behaviour. 
+ index index.php index.html /index.php$request_uri; + + # Rule borrowed from `.htaccess` to handle Microsoft DAV clients + location = / { + if ( $http_user_agent ~ ^DavClnt ) { + return 302 /remote.php/webdav/$is_args$args; + } + } + + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { + return 404; + } + location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { + return 404; + } + + location ~ \.php(?:$|/) { + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + set $path_info $fastcgi_path_info; + + try_files $fastcgi_script_name =404; + + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME /var/www/html/$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + + # TODO is it needed? Is it buggy? + fastcgi_param HTTPS on; + fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice + fastcgi_param front_controller_active true; + fastcgi_pass $NET.100:9000; + + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + } + + + # Make sure it is BELOW the PHP block + location ~ \.(?:css|js|svg|gif)$ { + try_files $uri /index.php$request_uri; + expires 6M; # Cache-Control policy borrowed from `.htaccess` + access_log off; # Optional: Don't log access to assets + } + + location ~ \.woff2?$ { + try_files $uri /index.php$request_uri; + expires 7d; # Cache-Control policy borrowed from `.htaccess` + access_log off; # Optional: Don't log access to assets + } + + # Rule borrowed from `.htaccess` + location /remote { + return 301 /remote.php$request_uri; + } + + location / { + try_files $uri $uri/ /index.php$request_uri; + } +} + + +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + + +proxy_cache_path /var/www/cache levels=1:2 keys_zone=my-cache:8m max_size=1000m inactive=600m; +proxy_temp_path /var/www/cache/tmp; + +server { + listen 443 ssl; + large_client_header_buffers 32 64k; + root /usr/share/nginx/www; + index index.html index.htm; + ssl_certificate $JC_CERT/fullchain.pem; + 
ssl_certificate_key $JC_CERT/privkey.pem; + server_name calc.nuage.jean-cloud.net; + + location ~* (\.(css|png|gif|svg|ico|txt)|static/.*\.js(on)?|manifest\.(appcache|webapp|json)|browserconfig\.xml)$ { + root /data/proxy/nuage.jean-cloud.net/ethercalc/; + expires 24h; + add_header Cache-Control public; + } + + location ~* "(?:[.]|/_/[^/]+/)(?:html|csv|csv\.json)$" { + proxy_pass http://$NET.102:8000; + proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_read_timeout 31536000; + proxy_buffers 32 64k; + proxy_buffer_size 128k; + add_header Strict-Transport-Security max-age=31536000; + include /data/proxy/nuage.jean-cloud.net/nginx_cors.conf; + } + location / { + gzip on; + gzip_min_length 1000; + gzip_proxied any; + proxy_pass http://$NET.102:8000; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_read_timeout 31536000; + proxy_set_header Connection $connection_upgrade; + # prevents 502 bad gateway error + proxy_buffers 32 64k; + proxy_buffer_size 128k; + add_header Strict-Transport-Security max-age=31536000; + include /data/proxy/nuage.jean-cloud.net/nginx_cors.conf; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate $JC_CERT/fullchain.pem; + ssl_certificate_key $JC_CERT/privkey.pem; + server_name pad.nuage.jean-cloud.net; + + location / { + proxy_pass http://$NET.104:9001; + proxy_buffering off; # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf + proxy_set_header Host $host; + proxy_pass_header Server; + + # Note you might want to pass these headers etc too. 
+ #proxy_set_header X-Real-IP $remote_addr; # https://nginx.org/en/docs/http/ngx_http_proxy_module.html + #proxy_set_header X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP + proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used + proxy_http_version 1.1; # recommended with keepalive connections + + # WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + } +} diff --git a/services/nuage.jean-cloud.net/readme.md b/services/nuage.jean-cloud.net/readme.md new file mode 100755 index 0000000..15c78bd --- /dev/null +++ b/services/nuage.jean-cloud.net/readme.md @@ -0,0 +1,15 @@ + +dockerfile +c’est con de faire tourner un apache pour rien, on va configurer nginx pour qu’il travaille avec le conteneur fpm. +Les images de nextcloud sont toutes cassées… Il faut faire gaffe en les manipulant. (ça a l’air mieux avec la v16) + +Utiliser l’app theming pour customiser un peu tout ça… + + +## Procédure de mise à jour +- Sauvegarde des data + db +- Maintenance mode on +- save data & db (quicker) +- upgrade +- test +- Maintenance mode off or fix or rollback diff --git a/services/oma-radio.fr/docker-compose.yml b/services/oma-radio.fr/docker-compose.yml deleted file mode 100755 index 6bdf591..0000000 --- a/services/oma-radio.fr/docker-compose.yml +++ /dev/null @@ -1 +0,0 @@ -version: '3' diff --git a/services/oma-radio.fr/nginx_server.conf b/services/oma-radio.fr/nginx_server.conf index 5a7753b..371a482 100755 --- a/services/oma-radio.fr/nginx_server.conf +++ b/services/oma-radio.fr/nginx_server.conf @@ -3,8 +3,8 @@ server { listen [::]:443 ssl http2; ssl_certificate $JC_CERT/fullchain.pem; ssl_certificate_key $JC_CERT/privkey.pem; - server_name oma-radio.fr www.oma-radio.fr; - root /data/oma-radio.fr; + server_name $JC_SERVICE www.$JC_SERVICE; + root $DATA_DIR; location / { index index.html; 
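Review bot: None of the `add_header` lines in the first `server` block of services/nuage.jean-cloud.net/nginx_server.conf carries `always`, so nginx leaves `Strict-Transport-Security`, `X-Content-Type-Options` and `X-Frame-Options` off the 404 responses produced by the two deny locations and off any 5xx. Adding the flag, e.g. `add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;`, matches the static-site configs elsewhere in this diff. The `calc.` and `pad.` server blocks set no security headers beyond HSTS in two calc locations. The pad proxy also keeps `X-Forwarded-For` commented out, so Etherpad will log the proxy address rather than the client; if that is a privacy choice, a comment should say so.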
diff --git a/services/pa1.studios.oma-radio.fr/wg-pa1.sh b/services/pa1.studios.oma-radio.fr/wg-pa1.sh index 52b3f61..b3a9190 100755 --- a/services/pa1.studios.oma-radio.fr/wg-pa1.sh +++ b/services/pa1.studios.oma-radio.fr/wg-pa1.sh @@ -16,6 +16,10 @@ Address = 10.100.1.254/32 PublicKey = 14yKNmSfD2lrWU+d/RJBPNvh9pZ/nW4bK27F9nTgvk0= AllowedIPs = 10.100.1.253/32 +[Peer] # Nico +PublicKey = jsXBs8tZn1sWT73xx3DWEdGAWv6SjfQ2TAxX+8pL6mU= +AllowedIPs = 10.100.1.252/32 + [Peer] # Passerelle PublicKey = unY6v95qus8ttJvmSlxqa+J8lKj+CCiRItZ3pFwyjyM= AllowedIPs = 10.100.1.0/24,192.168.100.0/24 diff --git a/services/pelican/deploy.sh b/services/pelican/deploy.sh new file mode 100644 index 0000000..c1394bb --- /dev/null +++ b/services/pelican/deploy.sh @@ -0,0 +1,3 @@ +#!/bin/bash +set -euo pipefail +apt install -y virtualenv diff --git a/services/pelican/deploy_user.sh b/services/pelican/deploy_user.sh new file mode 100755 index 0000000..6466e45 --- /dev/null +++ b/services/pelican/deploy_user.sh @@ -0,0 +1,24 @@ +#!/bin/bash +set -euo pipefail + +# Update git repo +git_update.sh -d "$HTTP_DIR" "$GIT_SOURCE_REPO" + +cd "$HTTP_DIR" + +rclone_ncloud_publiclink.sh + +# Create and source venv +if [ ! -e venv ] ; then + virtualenv venv +fi +. venv/bin/activate + +# Install dependencies +pip3 install -r requirements.txt + +# Build website +make html + +# Old way of doing python stuff +#podman run -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican diff --git a/services/pelican/nginx_server.conf b/services/pelican/nginx_server.conf new file mode 100755 index 0000000..63034eb --- /dev/null +++ b/services/pelican/nginx_server.conf 
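Review bot: `pip3 install -r requirements.txt` in services/pelican/deploy_user.sh installs whatever the cloned site repository lists, unpinned as far as this script can tell. Package build steps and `make html` then run with the deploy user's rights on the host rather than inside the container the removed `deploy.sh` scripts used. Pinning the requirements with hashes and installing with `pip3 install --require-hashes -r requirements.txt` narrows what a changed or compromised dependency can bring in. The venv is created under `$HTTP_DIR`, which is safe only while the nginx root stays at the `output` subdirectory; a comment such as `# venv lives next to, not inside, the served output/ directory` would protect that.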
@@ -0,0 +1,24 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_certificate $JC_CERT/fullchain.pem;
+ ssl_certificate_key $JC_CERT/privkey.pem;
+ server_name $JC_SERVICE www.$JC_SERVICE;
+ root $HTTP_DIR/output;
+
+ # Security headers
+ # We can create a file with the base security headers and include it.
+ # Will it be possible to overload them then ?
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self'; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self'; base-uri 'self'; form-action 'self';" always;
+ add_header X-Content-Type-Options "nosniff";
+ add_header X-Frame-Options SAMEORIGIN always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin";
+ add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';sync-xhr='https://mailer.jean-cloud.net';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';";
+
+ location / {
+ index index.html;
+ try_files $uri $uri/ =404;
+ }
+}
diff --git a/services/quadrille-elsa.jean-cloud.net/LINKS. DO NOT EDIT b/services/quadrille-elsa.jean-cloud.net/LINKS. DO NOT EDIT
new file mode 100644
index 0000000..e69de29
diff --git a/services/quadrille-elsa.jean-cloud.net/deploy.sh b/services/quadrille-elsa.jean-cloud.net/deploy.sh
new file mode 120000
index 0000000..e8adfae
--- /dev/null
+++ b/services/quadrille-elsa.jean-cloud.net/deploy.sh
@@ -0,0 +1 @@
+../hugo/deploy.sh
\ No newline at end of file
diff --git a/services/quadrille-elsa.jean-cloud.net/deploy_http.sh b/services/quadrille-elsa.jean-cloud.net/deploy_http.sh
deleted file mode 100755
index d1297b6..0000000
--- a/services/quadrille-elsa.jean-cloud.net/deploy_http.sh
+++ /dev/null
@@ -1,16 +0,0 @@ -#!/bin/bash -set -euo pipefail - -#. "$DATA_DIR/.env" -#webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')" -#webdav_user="$(echo "$NC_SHARE_LINK" |sed 's#.*/s/##')" -#webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")" - -#wget -qO- "https://github.com/zhaohuabing/hugo-theme-cleanwhite/archive/refs/tags/2.0.0.tar.gz" | tar xvz -C "$HTTP_DIR" - -git_update.sh -b main -d "$HTTP_DIR" "$GIT_SOURCE_REPO" - -#rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: "$HTTP_DIR/$CLOUD_LOCAL_PATH" - -cd "$HTTP_DIR" -hugo diff --git a/services/quadrille-elsa.jean-cloud.net/deploy_user.sh b/services/quadrille-elsa.jean-cloud.net/deploy_user.sh new file mode 120000 index 0000000..e723ae7 --- /dev/null +++ b/services/quadrille-elsa.jean-cloud.net/deploy_user.sh @@ -0,0 +1 @@ +../hugo/deploy_user.sh \ No newline at end of file diff --git a/services/quadrille-elsa.jean-cloud.net/nginx_server.conf b/services/quadrille-elsa.jean-cloud.net/nginx_server.conf deleted file mode 100755 index 8167448..0000000 --- a/services/quadrille-elsa.jean-cloud.net/nginx_server.conf +++ /dev/null 
@@ -1,22 +0,0 @@ -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - ssl_certificate $JC_CERT/fullchain.pem; - ssl_certificate_key $JC_CERT/privkey.pem; - server_name $JC_SERVICE; - root $HTTP_DIR/public/; - - # Security headers -# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; -# add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self'; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self'; base-uri 'self'; form-action 'self';" always; -# add_header X-Content-Type-Options "nosniff"; -# add_header X-Frame-Options SAMEORIGIN always; -# add_header X-XSS-Protection "1; mode=block" always; -# add_header Referrer-Policy "strict-origin-when-cross-origin"; - add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';"; - - location / { - index index.html; - try_files $uri $uri/ =404; - } -} diff --git a/services/quadrille-elsa.jean-cloud.net/nginx_server.conf b/services/quadrille-elsa.jean-cloud.net/nginx_server.conf new file mode 120000 index 0000000..8b62669 --- /dev/null +++ b/services/quadrille-elsa.jean-cloud.net/nginx_server.conf @@ -0,0 +1 @@ +../hugo/nginx_server.conf \ No newline at end of file diff --git a/services/radiodemo.oma-radio.fr/deploy_http.sh b/services/radiodemo.oma-radio.fr/deploy_http.sh deleted file mode 100755 index 0cb10cc..0000000 --- a/services/radiodemo.oma-radio.fr/deploy_http.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/bash -set -euo pipefail - -git_update.sh -b main -d "$HTTP_DIR" -K "$DOCKER_DIR/.known_hosts" -i "$DATA_DIR/website" "$GIT_SOURCE_REPO" -hugo_rclone.sh "$HTTP_DIR" diff --git a/services/radiodemo.oma-radio.fr/deploy_user.sh b/services/radiodemo.oma-radio.fr/deploy_user.sh new file mode 120000 index 0000000..e723ae7 --- /dev/null 
+++ b/services/radiodemo.oma-radio.fr/deploy_user.sh @@ -0,0 +1 @@ +../hugo/deploy_user.sh \ No newline at end of file diff --git a/services/radiodemo.oma-radio.fr/nginx_server.conf b/services/radiodemo.oma-radio.fr/nginx_server.conf index 4af5081..032bdd5 100755 --- a/services/radiodemo.oma-radio.fr/nginx_server.conf +++ b/services/radiodemo.oma-radio.fr/nginx_server.conf @@ -19,4 +19,8 @@ server { index index.html; try_files $uri $uri/ =404; } + + location /manager { + return 301 $scheme://mux.$JC_SERVICE/manager; + } } diff --git a/services/redirection/nginx_server.conf b/services/redirection/nginx_server.conf new file mode 100755 index 0000000..67e9a54 --- /dev/null +++ b/services/redirection/nginx_server.conf @@ -0,0 +1,20 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate $JC_CERT/fullchain.pem; + ssl_certificate_key $JC_CERT/privkey.pem; + server_name $JC_SERVICE www.$JC_SERVICE; + + # Security headers + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self'; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self'; base-uri 'self'; form-action 'self';" always; + add_header X-Content-Type-Options "nosniff"; + add_header X-Frame-Options SAMEORIGIN always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "strict-origin-when-cross-origin"; + add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';sync-xhr='https://mailer.jean-cloud.net';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';"; + + location / { + return 301 $scheme://$DESTINATION$request_uri; + } +} diff --git a/services/rimarima.fr/.env b/services/rimarima.fr/.env index ea9d2d0..9aadbff 100644 --- a/services/rimarima.fr/.env +++ b/services/rimarima.fr/.env 
@@ -1,2 +1 @@ GIT_SOURCE_REPO="https://git.jean-cloud.net/adrian/rimarima" -CLOUD_LOCAL_PATH=content diff --git a/services/rimarima.fr/LINKS. DO NOT EDIT b/services/rimarima.fr/LINKS. DO NOT EDIT new file mode 100644 index 0000000..e69de29 diff --git a/services/rimarima.fr/deploy.sh b/services/rimarima.fr/deploy.sh new file mode 120000 index 0000000..e8adfae --- /dev/null +++ b/services/rimarima.fr/deploy.sh @@ -0,0 +1 @@ +../hugo/deploy.sh \ No newline at end of file diff --git a/services/rimarima.fr/deploy_http.sh b/services/rimarima.fr/deploy_http.sh deleted file mode 100755 index 97b0ccf..0000000 --- a/services/rimarima.fr/deploy_http.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash -set -euo pipefail -set -a -. "$SECRET_DIR/.env" -set +a - -git_update.sh -d "$HTTP_DIR" -b main "$GIT_SOURCE_REPO" -hugo_rclone.sh "$HTTP_DIR" diff --git a/services/rimarima.fr/deploy_user.sh b/services/rimarima.fr/deploy_user.sh new file mode 120000 index 0000000..e723ae7 --- /dev/null +++ b/services/rimarima.fr/deploy_user.sh @@ -0,0 +1 @@ +../hugo/deploy_user.sh \ No newline at end of file diff --git a/services/rimarima.fr/nginx_server.conf b/services/rimarima.fr/nginx_server.conf deleted file mode 100755 index dba721b..0000000 --- a/services/rimarima.fr/nginx_server.conf +++ /dev/null 
@@ -1,22 +0,0 @@ -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - ssl_certificate $JC_CERT/fullchain.pem; - ssl_certificate_key $JC_CERT/privkey.pem; - server_name $JC_SERVICE www.$JC_SERVICE; - root $HTTP_DIR/public/; - - # Security headers - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self'; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self'; base-uri 'self'; form-action 'self';" always; - add_header X-Content-Type-Options "nosniff"; - add_header X-Frame-Options SAMEORIGIN always; - add_header X-XSS-Protection "1; mode=block" always; - add_header Referrer-Policy "strict-origin-when-cross-origin"; - add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';"; - - location / { - index index.html; - try_files $uri $uri/ =404; - } -} diff --git a/services/rimarima.fr/nginx_server.conf b/services/rimarima.fr/nginx_server.conf new file mode 120000 index 0000000..8b62669 --- /dev/null +++ b/services/rimarima.fr/nginx_server.conf @@ -0,0 +1 @@ +../hugo/nginx_server.conf \ No newline at end of file diff --git a/services/rpnow.jean-cloud.net/docker-compose.yml b/services/rpnow.jean-cloud.net/docker-compose.yml index ae04434..a88c3e1 100755 --- a/services/rpnow.jean-cloud.net/docker-compose.yml +++ b/services/rpnow.jean-cloud.net/docker-compose.yml 
@@ -3,9 +3,32 @@ services: rpnow: image: jeancloud/rpnow:1.0 volumes: - - /data/rpnow.jean-cloud.org/:/var/local/rpnow + - $DATA_DIR:/var/local/rpnow + networks: + default: + ipv4_address: $NET.100 + deploy: + resources: + limits: + cpus: '0.50' + memory: 100M test_rpnow: image: jeancloud/rpnow:dev volumes: - /data/test.rpnow.jean-cloud.org/:/var/local/rpnow + networks: + default: + ipv4_address: $NET.101 + deploy: + resources: + limits: + cpus: '0.50' + memory: 100M + +networks: + default: + ipam: + config: + - subnet: $NET.0/24 + diff --git a/services/rpnow.jean-cloud.net/nginx_server.conf b/services/rpnow.jean-cloud.net/nginx_server.conf index 24c2399..7488527 100755 --- a/services/rpnow.jean-cloud.net/nginx_server.conf +++ b/services/rpnow.jean-cloud.net/nginx_server.conf @@ -3,7 +3,7 @@ server { listen [::]:443 ssl http2; ssl_certificate $JC_CERT/fullchain.pem; ssl_certificate_key $JC_CERT/privkey.pem; - server_name rpnow.jean-cloud.net www.rpnow.jean-cloud.net; + server_name $JC_SERVICE www.$JC_SERVICE; location / { client_max_body_size 2G; @@ -14,7 +14,7 @@ server { proxy_set_header Connection "upgrade"; proxy_read_timeout 86400; proxy_redirect off; - proxy_pass http://rpnow.rpnowjean-cloudnet.docker; + proxy_pass http://$NET.100; } } @@ -34,7 +34,7 @@ server { proxy_set_header Connection "upgrade"; proxy_read_timeout 86400; proxy_redirect off; - proxy_pass http://test_rpnow.rpnowjean-cloudnet.docker; + proxy_pass http://$NET.101; } } diff --git a/services/services.csv b/services/services.csv new file mode 100644 index 0000000..3d3384e --- /dev/null +++ b/services/services.csv 
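Review bot: The new `ipv4_address: $NET.100` / `$NET.101` and `subnet: $NET.0/24` values collapse to `.100` and `.0/24` when `NET` is not exported, because Compose replaces an unset variable with an empty string and only prints a warning. The required-variable form, `ipv4_address: ${NET:?NET must be set}.100`, makes the deploy stop with a clear message instead. The same applies to the velov, wiki-cgr and wordpress6 compose files in this commit. The `test_rpnow` volume also keeps the hard-coded `/data/test.rpnow.jean-cloud.org/` path while `rpnow` moved to `$DATA_DIR`, which looks like an oversight.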
@@ -0,0 +1,45 @@ +# This is not real CSV. Do not put separator in a field, even escaped +# UID ; username ; service name ; server name +1;sftp.jean-cloud.net;sftp.jean-cloud.net;raku.jean-cloud.org +2;benevoles31.karnaval.fr;benevoles31.karnaval.fr;max.jean-cloud.org +3;builder.rimarima.fr;builder.rimarima.fr;raku.jean-cloud.org +4;chahut.jean-cloud.net;chahut.jean-cloud.net;max.jean-cloud.org +5;chiloe.eu;chiloe.eu;shlago.jean-cloud.org +6;coldcms.chahut.jean-cloud.net;coldcms.chahut.jean-cloud.net;raku.jean-cloud.org +7;collectif-arthadie.fr;collectif-arthadie.fr;vandamme.jean-cloud.org +8;compagnienouvelle.fr;compagnienouvelle.fr;nougaro.jean-cloud.org +9;copaines.jean-cloud.net;copaines.jean-cloud.net;max.jean-cloud.org +11;deployer.jean-cloud.org;deployer.jean-cloud.org;shlago.jean-cloud.org +12;dnscerts.jean-cloud.org;dnscerts.jean-cloud.org;max.jean-cloud.org +13;etrevivant.net;etrevivant.net;shlago.jean-cloud.org +14;feministesucl34.communistesliber;feministesucl34.communisteslibertaires.org;none +15;feteducourt.jean-cloud.net;feteducourt.jean-cloud.net;shlago.jean-cloud.org +16;feteducourt2020.jean-cloud.net;feteducourt2020.jean-cloud.net;shlago.jean-cloud.org +17;git.jean-cloud.net;git.jean-cloud.net;vandamme.jean-cloud.org +18;grapes.chahut.jean-cloud.net;grapes.chahut.jean-cloud.net;max.jean-cloud.org +20;inurbe.fr;inurbe.fr;shlago.jean-cloud.org +21;jean-cloud.net;jean-cloud.net;shlago.jean-cloud.org +22;leida.fr;leida.fr;vandamme.jean-cloud.org +23;lexicographe.jean-cloud.net;lexicographe.jean-cloud.net;shlago.jean-cloud.org +24;metamorphosemagazine.fr;metamorphosemagazine.fr;shlago.jean-cloud.org +25;mux.radiodemo.oma-radio.fr;mux.radiodemo.oma-radio.fr;raku.jean-cloud.org +26;nc-backup.jean-cloud.net;nc-backup.jean-cloud.net;raku.jean-cloud.org +27;ns.jean-cloud.org;ns.jean-cloud.org;shlago.jean-cloud.org +28;ns1.jean-cloud.org;ns1.jean-cloud.org;tetede.jean-cloud.org +29;nuage.jean-cloud.net;nuage.jean-cloud.net;vandamme.jean-cloud.org 
+30;oma-radio.fr;oma-radio.fr;vandamme.jean-cloud.org +31;pa1.studios.oma-radio.fr;pa1.studios.oma-radio.fr;tetede.jean-cloud.org +32;paj.oma-radio.fr;paj.oma-radio.fr;nougaro.jean-cloud.org +33;quadrille-elsa.jean-cloud.net;quadrille-elsa.jean-cloud.net;shlago.jean-cloud.org +34;radiodemo.oma-radio.fr;radiodemo.oma-radio.fr;raku.jean-cloud.org +35;radionimaitre.oma-radio.fr;radionimaitre.oma-radio.fr;tetede.jean-cloud.org +36;raplacgr.jean-cloud.net;raplacgr.jean-cloud.net;tetede.jean-cloud.org +37;rimarima.fr;rimarima.fr;raku.jean-cloud.org +38;rpnow.jean-cloud.net;rpnow.jean-cloud.net;vandamme.jean-cloud.org +39;soundbase.radiodemo.oma-radio.fr;soundbase.radiodemo.oma-radio.fr;montbonnot.jean-cloud.org +40;static.jean-cloud.net;static.jean-cloud.net;vandamme.jean-cloud.org +41;velov.jean-cloud.net;velov.jean-cloud.net;shlago.jean-cloud.org +42;wiki-cgr.jean-cloud.net;wiki-cgr.jean-cloud.net;vandamme.jean-cloud.org +43;radio.karnaval.fr;radio.karnaval.fr;tetede.jean-cloud.org +44;wordpress.abc.jean-cloud.net;wordpress.abc.jean-cloud.net;max.jean-cloud.org +45;jean-cloud.org;jean-cloud.org;shlago.jean-cloud.org diff --git a/services/services.txt b/services/services.txt deleted file mode 100644 index 9c068f9..0000000 --- a/services/services.txt +++ /dev/null 
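Review bot: The header comment of services.csv does not say that UIDs are permanent, yet the list already skips 10 and 19 (19 is presumably gypsylyonfestival.com, which is in the removed services.txt and absent here). If these numbers end up owning files on the hosts, giving a retired UID to a new service would hand it whatever the old one left behind, so I would add `# UIDs are permanent: never renumber or reuse a retired UID`. Row 14 has a username cut to 32 characters (`feministesucl34.communistesliber`) while its service name is longer; a comment stating that usernames are truncated to 32 characters would explain the mismatch.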
@@ -1,42 +0,0 @@ -sftp.jean-cloud.net raku.jean-cloud.org -benevoles31.karnaval.fr max.jean-cloud.org -builder.rimarima.fr raku.jean-cloud.org -chahut.jean-cloud.net max.jean-cloud.org -chiloe.eu shlago.jean-cloud.org -coldcms.chahut.jean-cloud.net raku.jean-cloud.org -collectif-arthadie.fr vandamme.jean-cloud.org -compagnienouvelle.fr nougaro.jean-cloud.org -copaines.jean-cloud.net max.jean-cloud.org -deployer.jean-cloud.org shlago.jean-cloud.org -dnscerts.jean-cloud.org max.jean-cloud.org -etrevivant.net shlago.jean-cloud.org -feministesucl34.communisteslibertaires.org none -feteducourt.jean-cloud.net shlago.jean-cloud.org -feteducourt2020.jean-cloud.net shlago.jean-cloud.org -git.jean-cloud.net vandamme.jean-cloud.org -grapes.chahut.jean-cloud.net max.jean-cloud.org -gypsylyonfestival.com max.jean-cloud.org -inurbe.fr shlago.jean-cloud.org -jean-cloud.net shlago.jean-cloud.org -leida.fr vandamme.jean-cloud.org -lexicographe.jean-cloud.net shlago.jean-cloud.org -metamorphosemagazine.fr shlago.jean-cloud.org -mux.radiodemo.oma-radio.fr raku.jean-cloud.org -nc-backup.jean-cloud.net raku.jean-cloud.org -ns.jean-cloud.org shlago.jean-cloud.org -ns1.jean-cloud.org tetede.jean-cloud.org -nuage.jean-cloud.net vandamme.jean-cloud.org -oma-radio.fr vandamme.jean-cloud.org -pa1.studios.oma-radio.fr tetede.jean-cloud.org -paj.oma-radio.fr nougaro.jean-cloud.org -quadrille-elsa.jean-cloud.net shlago.jean-cloud.org -radiodemo.oma-radio.fr raku.jean-cloud.org -radionimaitre.oma-radio.fr tetede.jean-cloud.org -raplacgr.jean-cloud.net tetede.jean-cloud.org -rimarima.fr raku.jean-cloud.org -rpnow.jean-cloud.net vandamme.jean-cloud.org -soundbase.radiodemo.oma-radio.fr montbonnot.jean-cloud.org -static.jean-cloud.net vandamme.jean-cloud.org -velov.jean-cloud.net shlago.jean-cloud.org -wiki-cgr.jean-cloud.net vandamme.jean-cloud.org -radio.karnaval.fr tetede.jean-cloud.org 
diff --git a/services/sftp.jean-cloud.net/docker-compose.yml b/services/sftp.jean-cloud.net/docker-compose.yml index 0c01f9f..c8d4062 100644 --- a/services/sftp.jean-cloud.net/docker-compose.yml +++ b/services/sftp.jean-cloud.net/docker-compose.yml @@ -6,13 +6,12 @@ services: - $DATA_DIR/ssh_host_ed25519_key:/etc/ssh/ssh_host_ed25519_key:ro - $DATA_DIR/ssh_host_rsa_key:/etc/ssh/ssh_host_rsa_key:ro - $DATA_DIR/users.conf:/etc/sftp/users.conf:ro + - $DOCKER_DIR/init.sh:/etc/sftp.d/init.sh:ro - - $DATA_DIR/home/feministesucl34:/home/feministesucl34RO:ro - - $DATA_DIR/home/leida:/home/leida + - $DATA_DIR/home:/home + - $DATA_DIR/home/feministesucl34:/home/feministesucl34RO - $DATA_DIR/home/leida:/home/leidaRO - - $DATA_DIR/home/chiloe:/home/chiloe - $DATA_DIR/home/chiloe:/home/chiloeRO - - $DATA_DIR/home/collectifarthadie:/home/collectifarthadieRO:ro ports: - '2929:22' diff --git a/services/sftp.jean-cloud.net/init.sh b/services/sftp.jean-cloud.net/init.sh new file mode 100755 index 0000000..e668f07 --- /dev/null +++ b/services/sftp.jean-cloud.net/init.sh @@ -0,0 +1,2 @@ +#!/bin/bash +chmod o+x /home diff --git a/services/soundbase.radiodemo.oma-radio.fr/.env b/services/soundbase.radiodemo.oma-radio.fr/.env index 920997a..0605b79 100644 --- a/services/soundbase.radiodemo.oma-radio.fr/.env +++ b/services/soundbase.radiodemo.oma-radio.fr/.env 
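Review bot: The re-added mount `$DATA_DIR/home/feministesucl34:/home/feministesucl34RO` has lost its `:ro` flag and the `collectifarthadieRO:ro` line is removed, so no `…RO` path in this service is read-only at the mount level any more. Unless permissions inside the container enforce it, a write under `/home/feministesucl34RO` now changes the real home directory; keep `- $DATA_DIR/home/feministesucl34:/home/feministesucl34RO:ro` and consider adding `:ro` to the `leidaRO` and `chiloeRO` context lines as well. These targets now sit inside the new `$DATA_DIR/home:/home` bind mount, so Docker will likely create the `…RO` mount-point directories in the host's `$DATA_DIR/home`. The service definition starts above the hunk.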
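Review bot: init.sh carries no comment on why `/home` needs `o+x`, and since `/home` is now the bind-mounted `$DATA_DIR/home` (compose change in this commit) the chmod also alters the mode of that host directory on every container start. I would put the reason above the command, for example `# users must be able to traverse /home (bind mount of $DATA_DIR/home)`, worded to match the real intent. Adding `set -e` after the shebang would make a failing chmod visible to whatever runs the script.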
@@ -7,15 +7,18 @@ TZ=Europe/Paris OMA_DOCKER_VERSION=dev WEBSOCKET_PORT=2004 TELECOM_SERVER_PORT=3494 +OMA_CONFIG_TelecommandeHost=mux.radiodemo.oma-radio.fr +OMA_CONFIG_TelecommandePort=3494 MUX_SERVER_PORT=9004 RADIO_NAME_SIMPLE=radiodemo OMA_CONFIG_NomRadio=radiodemo OMA_CONFIG_LogLevel=8 RADIO_NAME_PRETTY="Radio Démo" COMPOSE_NAME=soundbaseradiodemooma-radiofr -DOCKER_INSTANCES_PREFIX=radiodemo-backoma-radiofr- +DOCKER_INSTANCES_PREFIX=soundbaseradiodemooma-radiofr- DOCKER_INSTANCES_SUFIX=-1 SOUNDBASE_DIR=/data/soundbase.radiodemo.oma-radio.fr/core/radioDemo USE_SSL=true MANAGER_WEBSITE_UPSTREAM=https://static.oma-radio.fr/single-manager/1.1.1 +PUBLIC_WEBSITE_UPSTREAM=https://static.oma-radio.fr/player-interface/1.1.1 RADIO_HOST=radiodemo.oma-radio.fr diff --git a/services/soundbase.radiodemo.oma-radio.fr/docker-compose.yml b/services/soundbase.radiodemo.oma-radio.fr/docker-compose.yml index 94425ff..8fdf6ae 100644 --- a/services/soundbase.radiodemo.oma-radio.fr/docker-compose.yml +++ b/services/soundbase.radiodemo.oma-radio.fr/docker-compose.yml @@ -6,7 +6,7 @@ services: environment: OMA_CONFIG_TelecommandeHost: $RADIO_HOST OMA_CONFIG_TelecommandePort: $TELECOM_SERVER_PORT - OMA_CONFIG_Client1Host: soundbase.radiodemo.osoundbase.radiodemo.oma-radio.fr + OMA_CONFIG_Client1Host: mux.radiodemo.oma-radio.fr OMA_CONFIG_Client1Port: $MUX_SERVER_PORT volumes: - $SOUNDBASE_DIR:/app/soundBase diff --git a/services/soundbase.radiodemo.oma-radio.fr/nginx_server.conf b/services/soundbase.radiodemo.oma-radio.fr/nginx_server.conf index 834e508..1a63054 100644 --- a/services/soundbase.radiodemo.oma-radio.fr/nginx_server.conf +++ b/services/soundbase.radiodemo.oma-radio.fr/nginx_server.conf 
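Review bot: The added `OMA_CONFIG_TelecommandeHost=mux.radiodemo.oma-radio.fr` disagrees with docker-compose.yml, whose `environment:` block (context lines of the next hunk) sets `OMA_CONFIG_TelecommandeHost: $RADIO_HOST`, that is `radiodemo.oma-radio.fr`. Which value the container sees depends on how this .env is consumed, which is not visible here; if the compose `environment:` entry wins, the new line is dead configuration. `OMA_CONFIG_TelecommandePort=3494` likewise duplicates `TELECOM_SERVER_PORT=3494`. Defining each value once, or adding a comment naming the authoritative variable, would stop the two drifting apart.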
@@ -22,46 +22,22 @@ server { root $SOUNDBASE_DIR/website; index index.html; - add_header Access-Control-Allow-Origin https://radio.karnaval.fr; - - - location = /api { rewrite ^ /api/; } - location ~ /api/pigeindex(/.*) { + location ~ /api(/.*) { + auth_basic "Entrez votre identifiant et mot de passe"; + auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd; include uwsgi_params; - uwsgi_param PATH_INFO "/pigeindex$1"; + uwsgi_param PATH_INFO "$1"; uwsgi_param SCRIPT_NAME /api; uwsgi_pass unix:/tmp/uwsgi/$JC_SERVICE/uwsgi-api.sock; client_max_body_size 0; - uwsgi_connect_timeout 6000; - uwsgi_send_timeout 6000; - uwsgi_read_timeout 6000; + proxy_connect_timeout 6000; + proxy_send_timeout 60000; + proxy_read_timeout 6000; send_timeout 6000; # kill cache add_header Last-Modified $date_gmt; add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; - - if_modified_since off; - expires off; - etag off; - - } - location ~ /api(/.*) { - auth_basic "Entrez votre identifiant et mot de passe"; - auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd; - include uwsgi_params; - uwsgi_param PATH_INFO "$1"; - uwsgi_param SCRIPT_NAME /api; - uwsgi_pass unix:/tmp/uwsgi/$JC_SERVICE/uwsgi-api.sock; - client_max_body_size 0; - proxy_connect_timeout 6000; - proxy_send_timeout 60000; - proxy_read_timeout 6000; - send_timeout 6000; - # kill cache - add_header Last-Modified $date_gmt; - add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; - add_header Access-Control-Allow-Origin https://radio.karnaval.fr; if_modified_since off; expires off; etag off; @@ -71,10 +47,6 @@ server { alias $SOUNDBASE_DIR/pige; try_files $uri $uri/ =404; } - location /pigeMp3{ - alias $SOUNDBASE_DIR/pigeMp3; - try_files $uri $uri/ =404; - } location /png { alias $SOUNDBASE_DIR/png; try_files $uri $uri/ =404; 
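Review bot: The surviving `/api` location uses `uwsgi_pass`, but its timeouts are set with `proxy_connect_timeout`, `proxy_send_timeout` and `proxy_read_timeout`, which only affect `proxy_pass`; with the `/api/pigeindex` block removed nothing sets the uwsgi timeouts any more, so long requests fall back to the defaults. Replace them with `uwsgi_connect_timeout 6000;`, `uwsgi_send_timeout 6000;` and `uwsgi_read_timeout 6000;`, as the removed block had. The regex `~ /api(/.*)` is also unanchored and matches `/api/` anywhere in the URI; `~ ^/api(/.*)` states the intent. The `server` block starts and ends outside this hunk.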
@@ -92,98 +64,52 @@ server { try_files $uri $uri/ =404; } location /txt { - # kill cache - add_header Last-Modified $date_gmt; - add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; - add_header Access-Control-Allow-Origin https://radio.karnaval.fr; - if_modified_since off; - expires off; - etag off; alias $SOUNDBASE_DIR/txt; try_files $uri $uri/ =404; } location /wavM { - # kill cache - add_header Last-Modified $date_gmt; - add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; - if_modified_since off; - expires off; - etag off; + auth_basic "Entrez votre identifiant et mot de passe"; + auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd; alias $SOUNDBASE_DIR/wavM; try_files $uri $uri/ =404; } location /import { - # kill cache - add_header Last-Modified $date_gmt; - add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; - if_modified_since off; - expires off; - etag off; + auth_basic "Entrez votre identifiant et mot de passe"; + auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd; alias $SOUNDBASE_DIR/import; try_files $uri $uri/ =404; } location /export { - # kill cache - add_header Last-Modified $date_gmt; - add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; - if_modified_since off; - expires off; - etag off; + auth_basic "Entrez votre identifiant et mot de passe"; + auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd; alias $SOUNDBASE_DIR/export; try_files $uri $uri/ =404; } location /wav { - # kill cache - add_header Last-Modified $date_gmt; - add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; - if_modified_since off; - expires off; - etag off; + auth_basic "Entrez votre identifiant et mot de passe"; + auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd; alias $SOUNDBASE_DIR/wav; try_files $uri $uri/ =404; } - location /fiches { 
- alias $SOUNDBASE_DIR/fiches; + location /fic { + alias $SOUNDBASE_DIR/fic; try_files $uri $uri/ =404; - # kill cache - add_header Last-Modified $date_gmt; - add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; - add_header Access-Control-Allow-Origin https://radio.karnaval.fr; - if_modified_since off; - expires off; - etag off; - } location /prg { - # kill cache - add_header Last-Modified $date_gmt; - add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; - if_modified_since off; - expires off; - etag off; + auth_basic "Entrez votre identifiant et mot de passe"; + auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd; alias $SOUNDBASE_DIR/prg; try_files $uri $uri/ =404; } - location /listes { - # kill cache - add_header Last-Modified $date_gmt; - add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; - if_modified_since off; - expires off; - etag off; - alias $SOUNDBASE_DIR/listes; + location /lst { + auth_basic "Entrez votre identifiant et mot de passe"; + auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd; + alias $SOUNDBASE_DIR/lst; try_files $uri $uri/ =404; } location /statique { alias $SOUNDBASE_DIR/statique; try_files $uri $uri/ =404; - # kill cache - add_header Last-Modified $date_gmt; - add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; - add_header Access-Control-Allow-Origin https://radio.karnaval.fr; - if_modified_since off; - expires off; - etag off; } # Admin interface diff --git a/services/velov.jean-cloud.net/deploy_http.sh b/services/velov.jean-cloud.net/deploy_user.sh similarity index 100% rename from services/velov.jean-cloud.net/deploy_http.sh rename to services/velov.jean-cloud.net/deploy_user.sh diff --git a/services/velov.jean-cloud.net/docker-compose.yml b/services/velov.jean-cloud.net/docker-compose.yml index b86ffc9..77a3f0f 100755 
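Review bot: The `auth_basic` pair added to `/wavM`, `/import`, `/export`, `/wav`, `/prg` and `/lst` protects prefixes, and none of the `location` prefixes in this file (nor their `alias` targets) ends in a slash, so each block also serves sibling directories whose names merely begin with the same letters. For the unauthenticated ones this matters: `location /pige` (context of the previous hunk) still matches `/pigeMp3/…` and maps it to `$SOUNDBASE_DIR/pigeMp3`, so removing the `/pigeMp3` block does not stop that directory being served if it still exists, and `location /fic` still reaches an old `fiches` directory. Writing them as `location /pige/ {` with `alias $SOUNDBASE_DIR/pige/;` confines each block to its own directory. The six identical `auth_basic` / `auth_basic_user_file` pairs could move into one included snippet so a later location cannot forget one.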
--- a/services/velov.jean-cloud.net/docker-compose.yml +++ b/services/velov.jean-cloud.net/docker-compose.yml @@ -7,7 +7,7 @@ services: restart: unless-stopped networks: default: - ipv4_address: 172.29.13.100 + ipv4_address: $NET.100 deploy: resources: limits: @@ -18,5 +18,5 @@ networks: default: ipam: config: - - subnet: 172.29.13.0/24 + - subnet: $NET.0/24 diff --git a/services/velov.jean-cloud.net/nginx_server.conf b/services/velov.jean-cloud.net/nginx_server.conf index a2024a1..28d01f8 100755 --- a/services/velov.jean-cloud.net/nginx_server.conf +++ b/services/velov.jean-cloud.net/nginx_server.conf @@ -14,7 +14,7 @@ server { location ~ \.php$ { fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass 172.29.13.100:9000; + fastcgi_pass $NET.100:9000; fastcgi_index index.php; include fastcgi_params; fastcgi_param SCRIPT_FILENAME /usr/src/app/$fastcgi_script_name; diff --git a/services/wiki-cgr.jean-cloud.net/docker-compose.yml b/services/wiki-cgr.jean-cloud.net/docker-compose.yml new file mode 100755 index 0000000..bc5839e --- /dev/null +++ b/services/wiki-cgr.jean-cloud.net/docker-compose.yml 
@@ -0,0 +1,55 @@ +# Check that before updating +# https://www.mediawiki.net/wiki/Extension:VisualEditor#Setting_up_VisualEditor +version: '3' +services: + mediawiki: + image: mediawiki:1.35 + restart: unless-stopped + volumes: + - $DATA_DIR/images:/var/www/html/images + - $DATA_DIR/extensions-1.32:/var/www/html/extensions + - $DATA_DIR/LocalSettings.php:/var/www/html/LocalSettings.php + - $DATA_DIR/mylogo.png:/var/www/html/resources/assets/mylogo.png + networks: + default: + ipv4_address: $NET.100 + deploy: + resources: + limits: + cpus: '0.50' + memory: 100M + + parsoid: + image: thenets/parsoid:0.9 + restart: unless-stopped + environment: + - PARSOID_DOMAIN_wiki_cgr=http://wiki-cgr.jean-cloud.net/api.php + networks: + default: + ipv4_address: $NET.101 + deploy: + resources: + limits: + cpus: '0.50' + memory: 100M + + + db: + image: mariadb:10.4 + volumes: + - $DATA_DIR/db:/var/lib/mysql + networks: + default: + ipv4_address: $NET.102 + deploy: + resources: + limits: + cpus: '0.50' + memory: 300M + +networks: + default: + ipam: + config: + - subnet: $NET.0/24 + diff --git a/services/wiki-cgr.jean-cloud.net/nginx_server.conf b/services/wiki-cgr.jean-cloud.net/nginx_server.conf new file mode 100755 index 0000000..b690e7c --- /dev/null +++ b/services/wiki-cgr.jean-cloud.net/nginx_server.conf 
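Review bot: `$DATA_DIR/LocalSettings.php` is bind-mounted read-write into the `mediawiki` container; that file normally holds the database password and the wiki's secret keys and the web process has no reason to modify it, so mount it read-only: `- $DATA_DIR/LocalSettings.php:/var/www/html/LocalSettings.php:ro`. `PARSOID_DOMAIN_wiki_cgr` points at `http://wiki-cgr.jean-cloud.net/api.php`, plain HTTP through the public name that the reverse proxy in this commit puts behind `auth_basic`; pointing Parsoid at the container address (`http://$NET.100/api.php`) would avoid both, assuming the wiki accepts that host. The comment URL uses `mediawiki.net`, whereas the MediaWiki documentation is hosted on `mediawiki.org`. The `db` service is the only one without `restart: unless-stopped`.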
@@ -0,0 +1,32 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate $JC_CERT/fullchain.pem; + ssl_certificate_key $JC_CERT/privkey.pem; + server_name $JC_SERVICE www.$JC_SERVICE; + location / { + auth_basic "Cette page est protégée par un mot de passe"; + auth_basic_user_file $DATA_DIR/pass.txt; + + client_max_body_size 2G; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $http_host; + proxy_pass http://$NET.100; + proxy_redirect off; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate $JC_CERT/fullchain.pem; + ssl_certificate_key $JC_CERT/privkey.pem; + server_name parsoid-wiki-cgr.jean-cloud.net www.parsoid-wiki-cgr.jean-cloud.net; + location / { + client_max_body_size 2G; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $http_host; + proxy_pass http://$NET.101:8000; + proxy_redirect off; + } +} diff --git a/services/wordpress.abc.jean-cloud.net/LINKS. DO NOT EDIT b/services/wordpress.abc.jean-cloud.net/LINKS. DO NOT EDIT new file mode 120000 index 0000000..90f441f --- /dev/null +++ b/services/wordpress.abc.jean-cloud.net/LINKS. DO NOT EDIT @@ -0,0 +1 @@ +../wordpress6/LINKS. DO NOT EDIT \ No newline at end of file diff --git a/services/wordpress.abc.jean-cloud.net/docker-compose.yml b/services/wordpress.abc.jean-cloud.net/docker-compose.yml new file mode 120000 index 0000000..92b63e9 --- /dev/null +++ b/services/wordpress.abc.jean-cloud.net/docker-compose.yml @@ -0,0 +1 @@ +../wordpress6/docker-compose.yml \ No newline at end of file diff --git a/services/wordpress.abc.jean-cloud.net/nginx_server.conf b/services/wordpress.abc.jean-cloud.net/nginx_server.conf new file mode 120000 index 0000000..482e9d5 --- /dev/null +++ b/services/wordpress.abc.jean-cloud.net/nginx_server.conf @@ -0,0 +1 @@ +../wordpress6/nginx_server.conf \ No newline at end of file 
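Review bot: The second `server` block publishes Parsoid at `parsoid-wiki-cgr.jean-cloud.net` with no `auth_basic` and no `allow`/`deny`, while the wiki in the first block is password-protected. Parsoid is a backend that fetches and renders wiki content, so unless something outside this file restricts it, it may offer an unauthenticated route to the same content. Add the same `auth_basic "…";` and `auth_basic_user_file $DATA_DIR/pass.txt;` pair, or drop the public vhost if only the `mediawiki` container needs to reach it. The block also hard-codes its `server_name` while reusing `$JC_CERT`, so the certificate has to cover the `parsoid-` name; a comment saying so would help.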
diff --git a/services/wordpress.feministesucl34.jean-cloud.net/docker-compose.yml b/services/wordpress.feministesucl34.jean-cloud.net/docker-compose.yml deleted file mode 100644 index 908fcb4..0000000 --- a/services/wordpress.feministesucl34.jean-cloud.net/docker-compose.yml +++ /dev/null @@ -1,49 +0,0 @@ -version: '3.1' - -services: - - wp: - image: wordpress:5.8-apache - restart: unless-stopped - env_file: $DATA_DIR/env - environment: - WORDPRESS_DB_HOST: db - WORDPRESS_DB_USER: wpdbuser - WORDPRESS_DB_NAME: wpdb - #WORDPRESS_CONFIG_EXTRA: "define( 'WP_HOME', 'https://feministesucl34.jean-cloud.net/wordpress' ); define( 'WP_SITEURL', 'https://feministesucl34.jean-cloud.net/wordpress' );" - volumes: - - $DATA_DIR/wordpress:/var/www/html - - $DATA_DIR/static:/var/www/html/static - networks: - default: - ipv4_address: 172.29.9.100 - deploy: - resources: - limits: - cpus: '0.50' - memory: 100M - db: - image: mariadb:10.4 - restart: unless-stopped - env_file: $DATA_DIR/env - environment: - MYSQL_DATABASE: wpdb - MYSQL_USER: wpdbuser - MYSQL_RANDOM_ROOT_PASSWORD: 'yes' - volumes: - - $DATA_DIR/db:/var/lib/mysql - networks: - default: - ipv4_address: 172.29.9.101 - deploy: - resources: - limits: - cpus: '0.50' - memory: 100M - -networks: - default: - ipam: - config: - - subnet: 172.29.9.0/24 - diff --git a/services/wordpress.feministesucl34.jean-cloud.net/nginx_server.conf b/services/wordpress.feministesucl34.jean-cloud.net/nginx_server.conf deleted file mode 100755 index 411a805..0000000 --- a/services/wordpress.feministesucl34.jean-cloud.net/nginx_server.conf +++ /dev/null 
@@ -1,32 +0,0 @@ -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - ssl_certificate $JC_CERTS/fullchain.pem; - ssl_certificate_key $JC_CERTS/privkey.pem; - server_name wordpress.feministesucl34.jean-cloud.net www.wordpress.feministesucl34.jean-cloud.net; - location / { - client_max_body_size 2G; - #proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto https; - proxy_pass http://172.29.9.100; - proxy_redirect off; - } -} - -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - ssl_certificate $JC_CERTS/fullchain.pem; - ssl_certificate_key $JC_CERTS/privkey.pem; - server_name feministesucl34.jean-cloud.net www.feministesucl34.jean-cloud.net; - - location = /wp-login.php { - return 301 https://wordpress.feministesucl34.jean-cloud.net/wp-login.php; - } - - location / { - root /data/feministesucl34.jean-cloud.net/static; - try_files $uri $uri/ =404; - } -} diff --git a/services/wordpress6/LINKS. DO NOT EDIT b/services/wordpress6/LINKS. DO NOT EDIT new file mode 100644 index 0000000..e69de29 diff --git a/services/wordpress6/docker-compose.yml b/services/wordpress6/docker-compose.yml new file mode 100644 index 0000000..67ad2c9 --- /dev/null +++ b/services/wordpress6/docker-compose.yml @@ -0,0 +1,43 @@ +version: '3' + +services: + + wp: + image: wordpress:6-apache + restart: unless-stopped + env_file: $DATA_DIR/wordpress.env + environment: + TZ: Europe/Paris + volumes: + - $DATA_DIR/wordpress:/var/www/html + networks: + default: + ipv4_address: $NET.100 + deploy: + resources: + limits: + cpus: '0.50' + memory: 100M + db: + image: mariadb:11 + restart: unless-stopped + env_file: $DATA_DIR/wordpress.env + environment: + TZ: Europe/Paris + volumes: + - $DATA_DIR/db:/var/lib/mysql + networks: + default: + ipv4_address: $NET.101 + deploy: + resources: + limits: + cpus: '0.50' + memory: 300M #init is very hugry + +networks: + default: + ipam: + config: + - subnet: $NET.0/24 + 
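Review bot: In services/wordpress6/docker-compose.yml both `wp` and `db` load the same `env_file: $DATA_DIR/wordpress.env`, so every variable in it, presumably including the MariaDB password settings, is exported into the WordPress container as well. Splitting it into one file per service (for example `wordpress.env` and `db.env`, names to be chosen) keeps database-admin credentials out of the PHP process environment. The tags `wordpress:6-apache` and `mariadb:11` float across minor releases; pinning a minor version, as `mediawiki:1.35` does elsewhere in this commit, makes deploys reproducible. The trailing comment has a typo, `hugry`.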
diff --git a/services/wordpress6/nginx_server.conf b/services/wordpress6/nginx_server.conf new file mode 100755 index 0000000..c34c4a1 --- /dev/null +++ b/services/wordpress6/nginx_server.conf @@ -0,0 +1,17 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate $JC_CERT/fullchain.pem; + ssl_certificate_key $JC_CERT/privkey.pem; + server_name $JC_SERVICE www.$JC_SERVICE; + location / { + auth_basic "Cette page est protégée par un mot de passe"; + auth_basic_user_file $DATA_DIR/pass.txt; + client_max_body_size 2G; + #proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto https; + proxy_pass http://$NET.100; + proxy_redirect off; + } +} diff --git a/sites-enabled.vandamme/collectif-arthadie.fr b/sites-enabled.vandamme/collectif-arthadie.fr new file mode 100644 index 0000000..87ef11b --- /dev/null +++ b/sites-enabled.vandamme/collectif-arthadie.fr @@ -0,0 +1,28 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate /etc/letsencrypt/live/collectif-arthadie.fr/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/collectif-arthadie.fr/privkey.pem; + server_name wordpress.collectif-arthadie.fr www.wordpress.collectif-arthadie.fr; + location / { + client_max_body_size 2G; + #proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto https; + proxy_pass http://wp.collectif-arthadiefr.docker; + proxy_redirect off; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate /etc/letsencrypt/live/collectif-arthadie.fr/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/collectif-arthadie.fr/privkey.pem; + server_name collectif-arthadie.fr www.collectif-arthadie.fr; + + location / { + root /data/collectif-arthadie.fr/static; + try_files $uri $uri/ =404; + } +} 
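Review bot: The wordpress6 vhost forwards no client address to WordPress: `X-Real-IP` is commented out and `X-Forwarded-For` is absent, so application logs and any login throttling see only the proxy's address. If that is a deliberate privacy choice, say so in a comment next to the disabled line; otherwise add `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`. `proxy_set_header Host $http_host;` passes the raw client header, and `$host` is the normalised value.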
diff --git a/sites-enabled.vandamme/cousinades.jean-cloud.net b/sites-enabled.vandamme/cousinades.jean-cloud.net new file mode 100644 index 0000000..cdf4522 --- /dev/null +++ b/sites-enabled.vandamme/cousinades.jean-cloud.net @@ -0,0 +1,25 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate /etc/letsencrypt/live/cousinades.jean-cloud.net/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/cousinades.jean-cloud.net/privkey.pem; + server_name cousinades.jean-cloud.net www.cousinades.jean-cloud.net; + + index index.php; + root /data/cousinades.jean-cloud.net/public; + + location / { + #auth_basic "Restricted"; + #auth_basic_user_file /data/cousinades.jean-cloud.net/private/passwords.txt; + try_files $uri $uri/ =404; + } + + location ~ \.php$ { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass app.cousinadesjean-cloudnet.docker:9000; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME /usr/src/app/$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + } +} diff --git a/sites-enabled.vandamme/git.jean-cloud.net b/sites-enabled.vandamme/git.jean-cloud.net new file mode 100644 index 0000000..be7bd77 --- /dev/null +++ b/sites-enabled.vandamme/git.jean-cloud.net @@ -0,0 +1,12 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate /etc/letsencrypt/live/git.jean-cloud.net/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/git.jean-cloud.net/privkey.pem; + server_name git.jean-cloud.net www.git.jean-cloud.net; + location / { + client_max_body_size 5G; + proxy_pass http://gitea.gitjean-cloudnet.docker:3000; + } +} + diff --git a/sites-enabled.vandamme/inurbe.fr b/sites-enabled.vandamme/inurbe.fr new file mode 100644 index 0000000..c34693d --- /dev/null +++ b/sites-enabled.vandamme/inurbe.fr 
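Review bot: The `location ~ \.php$` block in cousinades.jean-cloud.net hands every URI ending in `.php` to PHP-FPM without first checking that the script exists. The nuage.jean-cloud.net config added later in this commit shows the safer shape, with `try_files $fastcgi_script_name =404;` before `fastcgi_pass`; that check only works if the same files are visible under `root` on the proxy, which I cannot confirm from here. The velov vhost touched earlier in this commit has the same block in its context lines. The commented-out `auth_basic` lines should either be removed or carry a note on why they are disabled.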
@@ -0,0 +1,17 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate /etc/letsencrypt/live/inurbe.fr/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/inurbe.fr/privkey.pem; + server_name inurbe.fr www.inurbe.fr; + +location /.git { + deny all; + return 404; +} + + location / { + root /data/inurbe.fr; + try_files $uri $uri/ =404; + } +} diff --git a/sites-enabled.vandamme/leida.fr b/sites-enabled.vandamme/leida.fr new file mode 100644 index 0000000..1466b7e --- /dev/null +++ b/sites-enabled.vandamme/leida.fr @@ -0,0 +1,15 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate /etc/letsencrypt/live/leida.fr/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/leida.fr/privkey.pem; + server_name leida.fr www.leida.fr; + location / { + root /data/leida.fr/public; + index index.htm index.html; + try_files $uri $uri/ =404; + } + location ~ .php { + deny all; + } +} diff --git a/sites-enabled.vandamme/nuage.jean-cloud.net b/sites-enabled.vandamme/nuage.jean-cloud.net new file mode 100644 index 0000000..934d27b --- /dev/null +++ b/sites-enabled.vandamme/nuage.jean-cloud.net 
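Review bot: In `location /.git` the `deny all;` is never evaluated, because `return 404;` runs in the rewrite phase before access checks. The block still works, but it covers only `.git` while `root /data/inurbe.fr` looks like the top of a checkout, so other dotfiles there (`.gitignore`, `.env`, editor backups) are still served. A single `location ~ /\. { return 404; }` covers all of them; ACME challenges are answered by the port-80 `proxy` vhost in this commit and are unaffected. The oma-radio.fr vhost added later, whose `root` is `/data/oma-radio.fr`, has no such rule at all.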
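Review bot: In leida.fr, `location ~ .php` has an unescaped dot and no anchor, so it denies any URI containing a character followed by `php` (for example `/graphpaper.html`), and because `~` is case-sensitive a request for `/x.PHP` falls through to the static `location /`, which would return the file's source. `location ~* \.php(?:$|/) { deny all; }` matches what the block appears to intend.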
@@ -0,0 +1,220 @@ +# inspired from +# https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html?highlight=nginx +# 2021 05 25 + +server { + + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate /data/dnscerts.jean-cloud.org/certs/live/nuage.jean-cloud.net/fullchain.pem; + ssl_certificate_key /data/dnscerts.jean-cloud.org/certs/live/nuage.jean-cloud.net/privkey.pem; + server_name nuage.jean-cloud.net www.nuage.jean-cloud.net; + + root /data/nuage.jean-cloud.net/app; + + limit_req zone=defaultlimit burst=500 nodelay; + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + + location = /.well-known/carddav { + return 301 $scheme://$host/remote.php/dav; + } + location = /.well-known/caldav { + return 301 $scheme://$host/remote.php/dav; + } + + + # set max upload size + client_max_body_size 10G; + fastcgi_buffers 64 4K; + + # Enable gzip but do not remove ETag headers + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + # Uncomment if your server is build with the ngx_pagespeed module + # This module is currently not supported. + #pagespeed off; + + + # Add headers to serve security related headers + # Before enabling Strict-Transport-Security headers please read into this + # topic first. 
+ # add_header Strict-Transport-Security "max-age=15768000; + # includeSubDomains; preload;"; + # + # WARNING: Only add the preload option once you read about + # the consequences in https://hstspreload.org/. This option + # will add the domain to a hardcoded list that is shipped + # in all major browsers and getting removed from this list + # could take several months. + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + add_header Referrer-Policy no-referrer; + add_header Strict-Transport-Security "max-age=15552000; includeSubDomains"; + add_header X-Frame-Options "SAMEORIGIN"; + + # Remove X-Powered-By, which is an information leak + fastcgi_hide_header X-Powered-By; + + + # Specify how to handle directories -- specifying `/index.php$request_uri` + # here as the fallback means that Nginx always exhibits the desired behaviour + # when a client requests a path that corresponds to a directory that exists + # on the server. In particular, if that directory contains an index.php file, + # that file is correctly served; if it doesn't, then the request is passed to + # the front-end controller. This consistent behaviour means that we don't need + # to specify custom rules for certain paths (e.g. images and other assets, + # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus + # `try_files $uri $uri/ /index.php$request_uri` + # always provides the desired behaviour. 
+ index index.php index.html /index.php$request_uri; + + # Rule borrowed from `.htaccess` to handle Microsoft DAV clients + location = / { + if ( $http_user_agent ~ ^DavClnt ) { + return 302 /remote.php/webdav/$is_args$args; + } + } + + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { + return 404; + } + location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { + return 404; + } + + location ~ \.php(?:$|/) { + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + set $path_info $fastcgi_path_info; + + try_files $fastcgi_script_name =404; + + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME /var/www/html/$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + + # TODO is it needed? Is it buggy? + fastcgi_param HTTPS on; + fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice + fastcgi_param front_controller_active true; + #fastcgi_pass 172.16.11.100:9000; + fastcgi_pass nextcloud.nuagejean-cloudnet.docker:9000; + + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + } + + + # Make sure it is BELOW the PHP block + location ~ \.(?:css|js|svg|gif)$ { + try_files $uri /index.php$request_uri; + expires 6M; # Cache-Control policy borrowed from `.htaccess` + access_log off; # Optional: Don't log access to assets + } + + location ~ \.woff2?$ { + try_files $uri /index.php$request_uri; + expires 7d; # Cache-Control policy borrowed from `.htaccess` + access_log off; # Optional: Don't log access to assets + } + + # Rule borrowed from `.htaccess` + location /remote { + return 301 /remote.php$request_uri; + } + + location / { + try_files $uri $uri/ /index.php$request_uri; + } +} + + +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + + +proxy_cache_path /var/www/cache levels=1:2 keys_zone=my-cache:8m max_size=1000m inactive=600m; +proxy_temp_path /var/www/cache/tmp; + +server { + listen 443 ssl; + large_client_header_buffers 32 64k; + root /usr/share/nginx/www; + index index.html 
index.htm;
+ ssl_certificate /data/dnscerts.jean-cloud.org/certs/live/nuage.jean-cloud.net/fullchain.pem;
+ ssl_certificate_key /data/dnscerts.jean-cloud.org/certs/live/nuage.jean-cloud.net/privkey.pem;
+ server_name calc.nuage.jean-cloud.net;
+
+ location ~* (\.(css|png|gif|svg|ico|txt)|static/.*\.js(on)?|manifest\.(appcache|webapp|json)|browserconfig\.xml)$ {
+ root /data/proxy/nuage.jean-cloud.net/ethercalc/;
+ expires 24h;
+ add_header Cache-Control public;
+ }
+
+ location ~* "(?:[.]|/_/[^/]+/)(?:html|csv|csv\.json)$" {
+ proxy_pass http://ethercalc.nuagejean-cloudnet.docker:8000;
+ proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_read_timeout 31536000;
+ proxy_buffers 32 64k;
+ proxy_buffer_size 128k;
+ add_header Strict-Transport-Security max-age=31536000;
+ include /data/proxy/nuage.jean-cloud.net/nginx_cors.conf;
+ }
+ location / {
+ gzip on;
+ gzip_min_length 1000;
+ gzip_proxied any;
+ proxy_pass http://ethercalc.nuagejean-cloudnet.docker:8000;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_read_timeout 31536000;
+ proxy_set_header Connection $connection_upgrade;
+ # prevents 502 bad gateway error
+ proxy_buffers 32 64k;
+ proxy_buffer_size 128k;
+ add_header Strict-Transport-Security max-age=31536000;
+ include /data/proxy/nuage.jean-cloud.net/nginx_cors.conf;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_certificate /data/dnscerts.jean-cloud.org/certs/live/nuage.jean-cloud.net/fullchain.pem;
+ ssl_certificate_key /data/dnscerts.jean-cloud.org/certs/live/nuage.jean-cloud.net/privkey.pem;
+ server_name pad.nuage.jean-cloud.net;
+
+ location / {
+ proxy_pass http://etherpad.nuagejean-cloudnet.docker:9001;
+ proxy_buffering off; # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
+ proxy_set_header Host $host;
+ proxy_pass_header Server;
+
+ # Note you might
want to pass these headers etc too.
+ #proxy_set_header X-Real-IP $remote_addr; # https://nginx.org/en/docs/http/ngx_http_proxy_module.html
+ #proxy_set_header X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP
+ proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
+ proxy_http_version 1.1; # recommended with keepalive connections
+
+ # WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ }
+}
diff --git a/sites-enabled.vandamme/oma-radio.fr b/sites-enabled.vandamme/oma-radio.fr
new file mode 100644
index 0000000..694532b
--- /dev/null
+++ b/sites-enabled.vandamme/oma-radio.fr
@@ -0,0 +1,13 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_certificate /etc/letsencrypt/live/oma-radio.fr/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/oma-radio.fr/privkey.pem;
+ server_name oma-radio.fr www.oma-radio.fr;
+ root /data/oma-radio.fr;
+
+ location / {
+ index index.html;
+ try_files $uri $uri/ =404;
+ }
+}
diff --git a/sites-enabled.vandamme/proxy b/sites-enabled.vandamme/proxy
new file mode 100644
index 0000000..a9979c0
--- /dev/null
+++ b/sites-enabled.vandamme/proxy
@@ -0,0 +1,17 @@
+server{
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ location '/.well-known/acme-challenge' {
+ root /var/www/letsencrypt;
+ default_type "text/plain";
+ try_files $uri $uri/ =404;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+
+ location = /basic_status {
+ stub_status;
+ }
+}
diff --git a/sites-enabled.vandamme/rpnow.jean-cloud.net b/sites-enabled.vandamme/rpnow.jean-cloud.net
new file mode 100644
index 0000000..d8d0fc9
--- /dev/null
+++ b/sites-enabled.vandamme/rpnow.jean-cloud.net
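Review bot: In sites-enabled.vandamme/oma-radio.fr, `root /data/oma-radio.fr;` points at the top of the site's data directory and `location /` has no rule for dotfiles, so a `.git` directory or similar left there would be served as-is. The diff does not show how that directory is populated, so this may be harmless, but the guard is one line above `location /`: `location ~ /\.(?!well-known/) { return 404; }`. The block also sends no `Strict-Transport-Security` header, although the port-80 server added in this commit redirects every name to HTTPS.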
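Review bot: In sites-enabled.vandamme/proxy, `location = /basic_status { stub_status; }` sits in the port-80 `default_server` with no `allow`/`deny`, so the connection counters are readable over plain HTTP by anyone who can reach the host, under any host name. Limit it to the collector inside that location, for example `allow <MONITORING_ADDRESS>; deny all;` (placeholder: the diff does not show where the metrics are scraped from). Also note that `return 301 https://$host$request_uri;` builds the redirect target from the client-supplied Host header on a catch-all server, which is fine only as long as nothing in front of it caches these responses.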
@@ -0,0 +1,40 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_certificate /etc/letsencrypt/live/rpnow.jean-cloud.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/rpnow.jean-cloud.net/privkey.pem;
+ server_name rpnow.jean-cloud.net www.rpnow.jean-cloud.net;
+
+ location / {
+ client_max_body_size 2G;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $http_host;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_read_timeout 86400;
+ proxy_redirect off;
+ proxy_pass http://rpnow.rpnowjean-cloudnet.docker;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_certificate /etc/letsencrypt/live/rpnow.jean-cloud.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/rpnow.jean-cloud.net/privkey.pem;
+ server_name test.rpnow.jean-cloud.net www.test.rpnow.jean-cloud.net;
+
+ location / {
+ client_max_body_size 2G;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $http_host;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_read_timeout 86400;
+ proxy_redirect off;
+ proxy_pass http://test_rpnow.rpnowjean-cloudnet.docker;
+ }
+}
+
diff --git a/sites-enabled.vandamme/static.jean-cloud.net b/sites-enabled.vandamme/static.jean-cloud.net
new file mode 100644
index 0000000..a8d3a08
--- /dev/null
+++ b/sites-enabled.vandamme/static.jean-cloud.net
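Review bot: Both `location /` blocks in sites-enabled.vandamme/rpnow.jean-cloud.net forward `Host $http_host`, which is the client's header verbatim, and no 443 `default_server` is visible in this part of the diff, so a request carrying an unlisted name is handled by whichever 443 server nginx picks as default and that name reaches the backend unchanged. `proxy_set_header Host $host;` at least normalises the value, and a catch-all 443 server that refuses unknown names closes the rest of the gap; the same `$http_host` line is in both servers of wiki-cgr.jean-cloud.net. `client_max_body_size 2G;` also looks carried over from a file-hosting config: if this backend takes no large uploads, a much smaller limit reduces how much an unauthenticated client can make the proxy accept.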
@@ -0,0 +1,15 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_certificate /etc/letsencrypt/live/static.jean-cloud.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/static.jean-cloud.net/privkey.pem;
+ server_name static.oma-radio.fr www.static.oma-radio.fr static.jean-cloud.net www.static.jean-cloud.net;
+ root /data/static.jean-cloud.net/public/;
+
+ location / {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'GET';
+ index index.html;
+ try_files $uri $uri/ =404;
+ }
+}
diff --git a/sites-enabled.vandamme/wiki-cgr.jean-cloud.net b/sites-enabled.vandamme/wiki-cgr.jean-cloud.net
new file mode 100644
index 0000000..1ba64f2
--- /dev/null
+++ b/sites-enabled.vandamme/wiki-cgr.jean-cloud.net
@@ -0,0 +1,30 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_certificate /etc/letsencrypt/live/wiki-cgr.jean-cloud.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/wiki-cgr.jean-cloud.net/privkey.pem;
+ server_name wiki-cgr.jean-cloud.net www.wiki-cgr.jean-cloud.net;
+ location / {
+ client_max_body_size 2G;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $http_host;
+ proxy_pass http://mediawiki.wiki-cgrjean-cloudnet.docker;
+ proxy_redirect off;
+ }
+}
+
+# Is the parsoid mutualisable on all wikis ?
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_certificate /etc/letsencrypt/live/wiki-cgr.jean-cloud.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/wiki-cgr.jean-cloud.net/privkey.pem;
+ server_name parsoid-wiki-cgr.jean-cloud.net www.parsoid-wiki-cgr.jean-cloud.net;
+ location / {
+ client_max_body_size 2G;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $http_host;
+ proxy_pass http://parsoid.wiki-cgrjean-cloudnet.docker;
+ proxy_redirect off;
+ }
+}
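Review bot: The wildcard `add_header 'Access-Control-Allow-Origin' '*';` in `location /` of sites-enabled.vandamme/static.jean-cloud.net is appropriate only while everything under `/data/static.jean-cloud.net/public/` is public and served without cookies or other credentials, and nothing in the file records that assumption. I would add `# public assets only: wildcard CORS must never cover credentialed or per-user content` above the two `add_header` lines. Separately, the server answers for the `static.oma-radio.fr` names with the `static.jean-cloud.net` certificate lineage, which works only if that certificate lists them as SANs; the diff does not show whether it does.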
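Review bot: The second server in sites-enabled.vandamme/wiki-cgr.jean-cloud.net publishes the Parsoid backend at `parsoid-wiki-cgr.jean-cloud.net` with no `allow`/`deny` or authentication in `location /`, so the parsing service is reachable by anyone rather than only by the MediaWiki container. If MediaWiki is its only consumer, the two containers can talk over the Docker network and this server block can go; if it has to stay, restrict it with `allow <MEDIAWIKI_ADDRESS>; deny all;` (placeholder, the address is not in the diff). This matters most if the wiki restricts reading, because the service could then offer a second path to page content; whether that applies is not visible here.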