diff --git a/.gitignore b/.gitignore index e1fb98a..e7e7931 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ -installing/secrets installing/temporary_mount_point +installing/secrets +provisioning/roles/deploy_all/files/secrets diff --git a/provisioning/inventory.ini b/provisioning/inventory.ini index 62804fc..fcc7755 100644 --- a/provisioning/inventory.ini +++ b/provisioning/inventory.ini @@ -4,9 +4,7 @@ tetede.jean-cloud.org raku.jean-cloud.org [servers] -#nougaro.jean-cloud.org -#carcasse.jean-cloud.org -#benevoles.karnaval.fr +nougaro.jean-cloud.org montbonnot.jean-cloud.org #blatte.jean-cloud.org max.jean-cloud.org diff --git a/provisioning/roles/deploy_all/files/bin/deploy_service.sh b/provisioning/roles/deploy_all/files/bin/deploy_service.sh index 337595b..8beccc7 100755 --- a/provisioning/roles/deploy_all/files/bin/deploy_service.sh +++ b/provisioning/roles/deploy_all/files/bin/deploy_service.sh @@ -60,7 +60,7 @@ fi ############################################################################### if "$deploy" ; then - [ -x deploy.sh ] && . deploy.sh + [ -x deploy.sh ] && ./deploy.sh [ -x deploy_http.sh ] && sudo -u www-data bash -c "set -a ; . '$DOCKER_DIR/.env' ; set +a ; . ./deploy_http.sh" else [ -x undeploy.sh ] && . undeploy.sh @@ -133,10 +133,8 @@ if [ -f "/docker/$service/nginx_server.conf" ] ; then section "Template nginx conf with vars from '.env' file" run template.sh "/docker/$service/.env" < "/docker/$service/nginx_server.conf" > "$new_nginx_conf_path/$service" -fi -section "Add dummy cert if needed" -dummy_cert.sh "$service" add +fi section "Testing nginx conf" run nginx -t -c /etc/nginx/new_nginx.conf diff --git a/provisioning/roles/deploy_all/files/bin/deployall.sh b/provisioning/roles/deploy_all/files/bin/deployall.sh index 1ecabde..b91b394 100755 --- a/provisioning/roles/deploy_all/files/bin/deployall.sh +++ b/provisioning/roles/deploy_all/files/bin/deployall.sh @@ -38,7 +38,7 @@ section "Delete new conf directory (to start from scratch)" run rm -rf "$new_nginx_conf_path" section "Create new conf file (for tests purposes)" -sed "s#$nginx_conf_path#$new_nginx_conf_path#" "/docker/_proxy/nginx.conf" > "$proxy_dir/new_nginx.conf" +sed "s#$nginx_conf_path#$new_nginx_conf_path/#" "/docker/_proxy/nginx.conf" > "$proxy_dir/new_nginx.conf" section "Create proxy dir" run mkdir -p "$proxy_dir" /docker /data diff --git a/provisioning/roles/deploy_all/files/bin/gen_env.sh b/provisioning/roles/deploy_all/files/bin/gen_env.sh index 3d88fd7..f5b48f3 100755 --- a/provisioning/roles/deploy_all/files/bin/gen_env.sh +++ b/provisioning/roles/deploy_all/files/bin/gen_env.sh @@ -25,8 +25,12 @@ for dir in /docker/* ; do line_in_file "HTTP_DIR='/srv/http/$service'" "/docker/$service/.env" line_in_file "DATA_DIR='/data/$service'" "/docker/$service/.env" + line_in_file "SECRET_DIR='/data/secrets/$service'" "/docker/$service/.env" line_in_file "DOCKER_DIR='/docker/$service'" "/docker/$service/.env" line_in_file "JC_SERVICE='$service'" "/docker/$service/.env" - line_in_file "JC_DNS_CERT='$dns_certs_path/$service'" "/docker/$service/.env" - line_in_file "JC_HTTP_CERT='$http_certs_path/$service'" "/docker/$service/.env" + cert="$(findcert.sh "$service")" || true + if [ -n "$cert" ] ; then + line_in_file "JC_CERT='$cert'" "/docker/$service/.env" + fi + done diff --git a/provisioning/roles/deploy_all/files/bin/hugo_rclone.sh b/provisioning/roles/deploy_all/files/bin/hugo_rclone.sh index d628183..83bea86 100755 --- a/provisioning/roles/deploy_all/files/bin/hugo_rclone.sh +++ b/provisioning/roles/deploy_all/files/bin/hugo_rclone.sh @@ -15,7 +15,7 @@ if [ -v NC_SHARE_LINK ] ; then webdav_user="$(echo "$NC_SHARE_LINK" |sed 's#.*/s/##')" webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")" - rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: "$dest_dir/$CLOUD_LOCAL_PATH" + rclone sync --config=/notfound --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: "$dest_dir/$CLOUD_LOCAL_PATH" fi # Go to website diff --git a/provisioning/roles/deploy_all/files/bin/letsencrypt.sh b/provisioning/roles/deploy_all/files/bin/letsencrypt.sh index 41c7ed2..2d085e4 100755 --- a/provisioning/roles/deploy_all/files/bin/letsencrypt.sh +++ b/provisioning/roles/deploy_all/files/bin/letsencrypt.sh @@ -75,10 +75,8 @@ for file in "$nginx_conf_path"* ; do echo " ------------------------------------------" echo "$out" echo " ------------------------------------------" - dummy_cert.sh "$service_name" add else echo "Unknown error : $result.\n$out" - dummy_cert.sh "$service_name" add fi fi done diff --git a/provisioning/roles/deploy_all/tasks/main.yml b/provisioning/roles/deploy_all/tasks/main.yml index 3cf6a9c..50de626 100644 --- a/provisioning/roles/deploy_all/tasks/main.yml +++ b/provisioning/roles/deploy_all/tasks/main.yml @@ -1,5 +1,13 @@ --- # tasks file for deploy_all + +- name: "Check for secrets volume. Fail if not found" + include: "{{ item }}" + with_first_found: + - files: + - secrets/mounted + + - name: sync services dirs ansible.posix.synchronize: src: ../services/ @@ -17,6 +25,13 @@ - name: Gen env vars command: gen_env.sh +- name: sync secrets + ansible.posix.synchronize: + src: secrets/ + dest: /data/secrets + delete: true + archive: false + recursive: true #- name: Add bind conf # ansible.posix.synchronize: diff --git a/provisioning/services.yml b/provisioning/services.yml index 12202b5..07aaae8 100755 --- a/provisioning/services.yml +++ b/provisioning/services.yml @@ -3,7 +3,7 @@ - name: Deploy specific services hosts: servers - become: yes + become: no gather_facts: no roles: - deploy_all diff --git a/services/amaglio.fr/nginx_server.conf b/services/amaglio.fr/nginx_server.conf index c57a55c..33c705b 100755 --- a/services/amaglio.fr/nginx_server.conf +++ b/services/amaglio.fr/nginx_server.conf @@ -1,8 +1,8 @@ server { listen 443 ssl http2; listen [::]:443 ssl http2; - ssl_certificate /etc/letsencrypt/live/amaglio.fr/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/amaglio.fr/privkey.pem; + ssl_certificate $JC_CERT/fullchain.pem; + ssl_certificate_key $JC_CERT/privkey.pem; server_name amaglio.fr www.amaglio.fr; # root /data/amaglio.fr/app; diff --git a/services/benevoles31.karnaval.fr/nginx_server.conf b/services/benevoles31.karnaval.fr/nginx_server.conf index 3742ec2..9d6d7fe 100755 --- a/services/benevoles31.karnaval.fr/nginx_server.conf +++ b/services/benevoles31.karnaval.fr/nginx_server.conf @@ -1,8 +1,8 @@ server { listen 443 ssl http2; listen [::]:443 ssl http2; - ssl_certificate /etc/letsencrypt/live/$JC_SERVICE/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/$JC_SERVICE/privkey.pem; + ssl_certificate $JC_CERT/fullchain.pem; + ssl_certificate_key $JC_CERT/privkey.pem; server_name $JC_SERVICE benevoles.karnaval.fr; root $DATA_DIR/assets; diff --git a/services/chahut.jean-cloud.net/nginx_server.conf b/services/chahut.jean-cloud.net/nginx_server.conf index 7440082..2778731 100755 --- a/services/chahut.jean-cloud.net/nginx_server.conf +++ b/services/chahut.jean-cloud.net/nginx_server.conf @@ -1,8 +1,8 @@ server { listen 443 ssl http2; listen [::]:443 ssl http2; - ssl_certificate /etc/letsencrypt/live/$JC_SERVICE/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/$JC_SERVICE/privkey.pem; + ssl_certificate $JC_CERT/fullchain.pem; + ssl_certificate_key $JC_CERT/privkey.pem; server_name wordpress.$JC_SERVICE www.wordpress.$JC_SERVICE; location / { auth_basic "Mot de passe !"; @@ -19,8 +19,8 @@ server { server { listen 443 ssl http2; listen [::]:443 ssl http2; - ssl_certificate /etc/letsencrypt/live/$JC_SERVICE/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/$JC_SERVICE/privkey.pem; + ssl_certificate $JC_CERT/fullchain.pem; + ssl_certificate_key $JC_CERT/privkey.pem; server_name $JC_SERVICE www.$JC_SERVICE; location / { diff --git a/services/collectif-arthadie.fr/nginx_server.conf b/services/collectif-arthadie.fr/nginx_server.conf index 1c47de4..9b03cbd 100755 --- a/services/collectif-arthadie.fr/nginx_server.conf +++ b/services/collectif-arthadie.fr/nginx_server.conf @@ -1,8 +1,8 @@ server { listen 443 ssl http2; listen [::]:443 ssl http2; - ssl_certificate /etc/letsencrypt/live/collectif-arthadie.fr/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/collectif-arthadie.fr/privkey.pem; + ssl_certificate $JC_CERT/fullchain.pem; + ssl_certificate_key $JC_CERT/privkey.pem; server_name wordpress.collectif-arthadie.fr www.wordpress.collectif-arthadie.fr; location / { client_max_body_size 2G; @@ -17,8 +17,8 @@ server { server { listen 443 ssl http2; listen [::]:443 ssl http2; - ssl_certificate /etc/letsencrypt/live/collectif-arthadie.fr/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/collectif-arthadie.fr/privkey.pem; + ssl_certificate $JC_CERT/fullchain.pem; + ssl_certificate_key $JC_CERT/privkey.pem; server_name collectif-arthadie.fr www.collectif-arthadie.fr; location / { diff --git a/services/compagnienouvelle.fr/nginx_server.conf b/services/compagnienouvelle.fr/nginx_server.conf index 89071b9..a1d97ee 100755 --- a/services/compagnienouvelle.fr/nginx_server.conf +++ b/services/compagnienouvelle.fr/nginx_server.conf @@ -1,8 +1,8 @@ server { listen 443 ssl http2; listen [::]:443 ssl http2; - ssl_certificate /etc/letsencrypt/live/compagnienouvelle.fr/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/compagnienouvelle.fr/privkey.pem; + ssl_certificate $JC_CERT/fullchain.pem; + ssl_certificate_key $JC_CERT/privkey.pem; server_name wordpress.compagnienouvelle.fr www.wordpress.compagnienouvelle.fr; location / { auth_basic "Mot de passe !"; @@ -19,8 +19,8 @@ server { server { listen 443 ssl http2; listen [::]:443 ssl http2; - ssl_certificate /etc/letsencrypt/live/compagnienouvelle.fr/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/compagnienouvelle.fr/privkey.pem; + ssl_certificate $JC_CERT/fullchain.pem; + ssl_certificate_key $JC_CERT/privkey.pem; server_name compagnienouvelle.fr www.compagnienouvelle.fr; location / { diff --git a/services/deployer.jean-cloud.org/deploy.sh b/services/deployer.jean-cloud.org/deploy.sh deleted file mode 100644 index b910ecb..0000000 --- a/services/deployer.jean-cloud.org/deploy.sh +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/bash -chmod +x server.sh diff --git a/services/deployer.jean-cloud.org/nginx_server.conf b/services/deployer.jean-cloud.org/nginx_server.conf index 3f0c4b5..cc2a7e0 100644 --- a/services/deployer.jean-cloud.org/nginx_server.conf +++ b/services/deployer.jean-cloud.org/nginx_server.conf @@ -4,8 +4,8 @@ server { listen 443; listen [::]:443; server_name $JC_SERVICE; - ssl_certificate /etc/letsencrypt/live/deployer.jean-cloud.org/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/deployer.jean-cloud.org/privkey.pem; + ssl_certificate $JC_CERT/fullchain.pem; + ssl_certificate_key $JC_CERT/privkey.pem; location / { limit_req zone=deployer_limit; include /etc/nginx/fastcgi_params; diff --git a/services/deployer.jean-cloud.org/server.sh b/services/deployer.jean-cloud.org/server.sh index fb45b81..dafa05f 100755 --- a/services/deployer.jean-cloud.org/server.sh +++ b/services/deployer.jean-cloud.org/server.sh @@ -1,38 +1,26 @@ #!/bin/bash + +# TODO js (dnssec is trusting google right now) +# fetch('https://dns.google/resolve?name=deployer.jean-cloud.org&cd=true&type=a').then(r => {r.json().then(j => {for (const i in j.Answer) {console.log(j.Answer[i].data)}})}) + + echo "Content-type: text/html" echo "" service="$(echo "$DOCUMENT_URI" | tr -d '/\;!&<>?#[]()"*')" -path="/docker/$service/deploy_http.sh" +deployer="/docker/$service/deploy_http.sh" . /etc/jeancloud.env -echo 'Rechargement d’un site web' -echo '' -echo "

Rechargement d’un site web : $service

" -echo "

Résultat local

" -if [ -x "$path" ] ; then - echo "
"
-	"$path"
-	ret="$?"
-	echo "
" - if [ "$ret" -ne 0 ] ; then - echo '

Une erreur a été détectée. Contactez Jean-Cloud.

' - else - while read ip ; do - echo curl http://deployer.jean-cloud.org/ --resolve "*:80:$ip" - if [ "$?" -eq 0 ] ; then - echo "$ip ok" - else - echo "$ip ERREUR" - fi - done < <(getent hosts deployer.jean-cloud.org | cut -d ' ' -f 1 | grep -v "$my_ip") - fi - - echo '

Les informations précédentes peuvent vous être utiles (erreurs dans un document, fichier absent…). Prenez le temps de les lire pour avoir un site dont toutes les pages fonctionnent !

' +if [ -z "$service" ] || [ ! -x "$deployer" ] ; then + echo "error" else - echo "

Échec. Contactez Jean-Cloud

" + set -a + . "/docker/$service/.env" + set +a + "$deployer" 2>&1 + ret="$?" + if [ "$ret" -ne 0 ] ; then + echo 'Error' + else fi -echo '' -echo ' - diff --git a/services/dnscerts.jean-cloud.org/run_as.sh b/services/dnscerts.jean-cloud.org/run_as.sh index 4670883..65eb84a 100755 --- a/services/dnscerts.jean-cloud.org/run_as.sh +++ b/services/dnscerts.jean-cloud.org/run_as.sh @@ -29,22 +29,17 @@ echo "For each service, read all possible domains" while read line ; do read -r service target < <(echo "$line") - # Auto letsencrypt - [ "$target" = vandamme.jean-cloud.org ] && continue - # TODO remove - #( [ "$service" = collectif-arthadie.fr ] || [[ "$service" == *oma-radio.fr ]] ) && continue + [ "$service" = collectif-arthadie.fr ] && continue # remove dummy cert - dummy_cert.sh "$service" remove + dummy_cert.sh "$service" remove || true [ -d "$DATA_DIR/certs/live/$service" ] && echo "Already exists, thats a job for renew : $service" && continue # acme "$here/acme-dns.sh" "$service" "$tmp" - # Replace dummy cert if letsencrypt failed - [ "$?" -ne 0 ] && dummy_cert.sh "$service" add done < "$servicefile" echo "Push certs to other servers" @@ -52,5 +47,5 @@ for srv in $(host -t TXT shlago.jean-cloud.org ns.jean-cloud.org | grep -Po 'des server="$srv.jean-cloud.org" [ -n "$(grep "$server" /etc/hosts)" ] && continue echo "-- $server" - rsync -avz -e "ssh -i '$DATA_DIR/certs.priv' -p 45985" "$DATA_DIR/certs" "certs@$server:$DATA_DIR/" + rsync -avz -e "ssh -i '$DATA_DIR/certs.priv' -p 45985" "$DATA_DIR/certs" "certs@$server:$DATA_DIR/" || true done diff --git a/services/etrevivant.net/deploy_http.sh b/services/etrevivant.net/deploy_http.sh index 373d22c..275cb44 100755 --- a/services/etrevivant.net/deploy_http.sh +++ b/services/etrevivant.net/deploy_http.sh @@ -1,7 +1,7 @@ #!/bin/bash set -euo pipefail set -a -. "$DATA_DIR/.env" +. "$SECRET_DIR/.env" set +a git_update.sh -d "$HTTP_DIR" "$GIT_SOURCE_REPO" diff --git a/services/git.jean-cloud.net/nginx_server.conf b/services/git.jean-cloud.net/nginx_server.conf index 0108d1c..adb9119 100755 --- a/services/git.jean-cloud.net/nginx_server.conf +++ b/services/git.jean-cloud.net/nginx_server.conf @@ -1,8 +1,8 @@ server { listen 443 ssl http2; listen [::]:443 ssl http2; - ssl_certificate /etc/letsencrypt/live/git.jean-cloud.net/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/git.jean-cloud.net/privkey.pem; + ssl_certificate $JC_CERT/fullchain.pem; + ssl_certificate_key $JC_CERT/privkey.pem; server_name git.jean-cloud.net www.git.jean-cloud.net; location / { client_max_body_size 5G; diff --git a/services/gmx-webmail.jean-cloud.net/nginx_server.conf b/services/gmx-webmail.jean-cloud.net/nginx_server.conf index 3b61858..5dae9a7 100755 --- a/services/gmx-webmail.jean-cloud.net/nginx_server.conf +++ b/services/gmx-webmail.jean-cloud.net/nginx_server.conf @@ -1,8 +1,8 @@ server { listen 443 ssl http2; listen [::]:443 ssl http2; - ssl_certificate /etc/letsencrypt/live/gmx-webmail.jean-cloud.net/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/gmx-webmail.jean-cloud.net/privkey.pem; + ssl_certificate $JC_CERT/fullchain.pem; + ssl_certificate_key $JC_CERT/privkey.pem; server_name gmx-webmail.jean-cloud.net www.gmx-webmail.jean-cloud.net; # root /data/gmx-webmail.jean-cloud.net/app; diff --git a/services/grapes.chahut.jean-cloud.net/nginx_server.conf b/services/grapes.chahut.jean-cloud.net/nginx_server.conf index 0e4f334..bd6891d 100755 --- a/services/grapes.chahut.jean-cloud.net/nginx_server.conf +++ b/services/grapes.chahut.jean-cloud.net/nginx_server.conf @@ -1,8 +1,8 @@ server { listen 443 ssl http2; listen [::]:443 ssl http2; - ssl_certificate /etc/letsencrypt/live/grapes.chahut.jean-cloud.net/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/grapes.chahut.jean-cloud.net/privkey.pem; + ssl_certificate $JC_CERT/fullchain.pem; + ssl_certificate_key $JC_CERT/privkey.pem; server_name grapes.chahut.jean-cloud.net; root $HTTP_DIR; diff --git a/services/gypsylyonfestival.com/nginx_server.conf b/services/gypsylyonfestival.com/nginx_server.conf index 766c8ff..8235edc 100755 --- a/services/gypsylyonfestival.com/nginx_server.conf +++ b/services/gypsylyonfestival.com/nginx_server.conf @@ -1,8 +1,8 @@ server { listen 443 ssl http2; listen [::]:443 ssl http2; - ssl_certificate /etc/letsencrypt/live/gypsylyonfestival.com/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/gypsylyonfestival.com/privkey.pem; + ssl_certificate $JC_CERT/fullchain.pem; + ssl_certificate_key $JC_CERT/privkey.pem; #server_name gypsylyonfestival.com www.gypsylyonfestival.com; server_name gypsy.jean-cloud.net; root /data/gypsylyonfestival.com/output; diff --git a/services/inurbe.fr/.env b/services/inurbe.fr/.env new file mode 100644 index 0000000..28bdf28 --- /dev/null +++ b/services/inurbe.fr/.env @@ -0,0 +1 @@ +GIT_SOURCE_REPO="https://git.jean-cloud.net/adrian/inurbe" diff --git a/services/inurbe.fr/deploy_http.sh b/services/inurbe.fr/deploy_http.sh new file mode 100755 index 0000000..e0415ec --- /dev/null +++ b/services/inurbe.fr/deploy_http.sh @@ -0,0 +1,4 @@ +#!/bin/bash +set -euo pipefail + +git_update.sh -d "$HTTP_DIR" "$GIT_SOURCE_REPO" diff --git a/services/inurbe.fr/docker-compose.yml b/services/inurbe.fr/docker-compose.yml deleted file mode 100644 index 292963e..0000000 --- a/services/inurbe.fr/docker-compose.yml +++ /dev/null @@ -1 +0,0 @@ -version: '3.1' diff --git a/services/inurbe.fr/nginx_server.conf b/services/inurbe.fr/nginx_server.conf index 09418ef..498cd97 100755 --- a/services/inurbe.fr/nginx_server.conf +++ b/services/inurbe.fr/nginx_server.conf @@ -6,7 +6,7 @@ server { server_name $JC_SERVICE www.$JC_SERVICE; location / { - root $DATA_DIR/public; + root $HTTP_DIR/public; try_files $uri $uri/ =404; } } diff --git a/services/jean-cloud.net/docker-compose.yml b/services/jean-cloud.net/docker-compose.yml deleted file mode 100755 index d077323..0000000 --- a/services/jean-cloud.net/docker-compose.yml +++ /dev/null @@ -1,2 +0,0 @@ -version: '3' - diff --git a/services/karnaval.fr/nginx_server.conf b/services/karnaval.fr/nginx_server.conf index 3bd1d8f..eef5f33 100755 --- a/services/karnaval.fr/nginx_server.conf +++ b/services/karnaval.fr/nginx_server.conf @@ -1,8 +1,8 @@ server { listen 443 ssl http2; listen [::]:443 ssl http2; - ssl_certificate /etc/letsencrypt/live/karnaval.fr/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/karnaval.fr/privkey.pem; + ssl_certificate $JC_CERT/fullchain.pem; + ssl_certificate_key $JC_CERT/privkey.pem; server_name karnaval.fr www.karnaval.fr; root $HTTP_DIR/; diff --git a/services/leida.fr/nginx_server.conf b/services/leida.fr/nginx_server.conf index 1466b7e..c493a81 100755 --- a/services/leida.fr/nginx_server.conf +++ b/services/leida.fr/nginx_server.conf @@ -1,8 +1,8 @@ server { listen 443 ssl http2; listen [::]:443 ssl http2; - ssl_certificate /etc/letsencrypt/live/leida.fr/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/leida.fr/privkey.pem; + ssl_certificate $JC_CERT/fullchain.pem; + ssl_certificate_key $JC_CERT/privkey.pem; server_name leida.fr www.leida.fr; location / { root /data/leida.fr/public; diff --git a/services/lexicographe.jean-cloud.net/deploy.sh b/services/lexicographe.jean-cloud.net/deploy.sh index 56de35f..14c0cfd 100755 --- a/services/lexicographe.jean-cloud.net/deploy.sh +++ b/services/lexicographe.jean-cloud.net/deploy.sh @@ -1,4 +1,4 @@ #!/bin/bash set -euo pipefail -docker run -u 33 --rm --env-file "$DATA_DIR/.env" -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder +docker run -u 33 --rm --env-file "$SECRET_DIR/.env" -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder diff --git a/services/mux.radiodemo.oma-radio.fr/nginx_server.conf b/services/mux.radiodemo.oma-radio.fr/nginx_server.conf index a65c21a..b4b3a42 100644 --- a/services/mux.radiodemo.oma-radio.fr/nginx_server.conf +++ b/services/mux.radiodemo.oma-radio.fr/nginx_server.conf @@ -5,14 +5,13 @@ map $http_upgrade $connection_upgrade { server{ listen $WEBSOCKET_PORT ssl; - listen [::]:$WEBSOCKET_PORT ssl; - ssl_certificate $JC_DNS_CERT/fullchain.pem; - ssl_certificate_key $JC_DNS_CERT/privkey.pem; + ssl_certificate $JC_CERT/fullchain.pem; + ssl_certificate_key $JC_CERT/privkey.pem; location / { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $host; - proxy_pass http://172.29.0.105:9000; + proxy_pass http://$NET$WEBSERVER:9000; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; @@ -24,8 +23,8 @@ server { listen 443 ssl; listen [::]:443 ssl; server_name $JC_SERVICE; - ssl_certificate $JC_DNS_CERT/fullchain.pem; - ssl_certificate_key $JC_DNS_CERT/privkey.pem; + ssl_certificate $JC_CERT/fullchain.pem; + ssl_certificate_key $JC_CERT/privkey.pem; location / { client_max_body_size 0; diff --git a/services/ns1.jean-cloud.org/deploy.sh b/services/ns1.jean-cloud.org/deploy.sh index ad2fd0d..7fd4aad 100755 --- a/services/ns1.jean-cloud.org/deploy.sh +++ b/services/ns1.jean-cloud.org/deploy.sh @@ -28,7 +28,7 @@ primary_ips="" secondary_ips="37.65.119.74;" # NS name -default_dns_name="shlago.jean-cloud.org." +default_dns_name="ns.jean-cloud.org." CAA_RR='CAA 0 issue "letsencrypt.org;validationmethods=dns-01"' diff --git a/services/ns1.jean-cloud.org/helper_functions.sh b/services/ns1.jean-cloud.org/helper_functions.sh index 1db7c1c..0b95b6a 100644 --- a/services/ns1.jean-cloud.org/helper_functions.sh +++ b/services/ns1.jean-cloud.org/helper_functions.sh @@ -131,6 +131,12 @@ create_primary_files () { echo "@ NS $default_dns_name" >> "$new_db_file" fi + # Add DS record + if [ -n "$(ls "$DATA_DIR/keys/K$domain"*.key)" ] ; then + echo "" + #dnssec-dsfromkey "$DATA_DIR/keys/K$domain"*.key | sed "s/${domain}./@/" >> "$new_db_file" + fi + # Populate named.conf.local cat >> "$debian_bind_confdir/named.conf.local" <<-EOF zone "$domain" { diff --git a/services/pa1.studios.oma-radio.fr/wg-pa1.sh b/services/pa1.studios.oma-radio.fr/wg-pa1.sh index f5aafc5..52b3f61 100755 --- a/services/pa1.studios.oma-radio.fr/wg-pa1.sh +++ b/services/pa1.studios.oma-radio.fr/wg-pa1.sh @@ -17,6 +17,6 @@ PublicKey = 14yKNmSfD2lrWU+d/RJBPNvh9pZ/nW4bK27F9nTgvk0= AllowedIPs = 10.100.1.253/32 [Peer] # Passerelle -PublicKey = ZTKOW5DE8jPO8oMh5hAw/c1MQSlUaVxInMPz9Zdwzwo= +PublicKey = unY6v95qus8ttJvmSlxqa+J8lKj+CCiRItZ3pFwyjyM= AllowedIPs = 10.100.1.0/24,192.168.100.0/24 " diff --git a/services/radiodemo.oma-radio.fr/.env b/services/radiodemo.oma-radio.fr/.env index 1ea1b79..6e58864 100644 --- a/services/radiodemo.oma-radio.fr/.env +++ b/services/radiodemo.oma-radio.fr/.env @@ -1,2 +1,4 @@ GIT_SOURCE_REPO="git@gitlab.com:omaradio/website.git" RADIO_HOST=mux.radiodemo.oma-radio.fr +USE_SSL=true +WEBSOCKET_PORT=2004 diff --git a/services/radiodemo.oma-radio.fr/nginx_server.conf b/services/radiodemo.oma-radio.fr/nginx_server.conf index dba721b..4af5081 100755 --- a/services/radiodemo.oma-radio.fr/nginx_server.conf +++ b/services/radiodemo.oma-radio.fr/nginx_server.conf @@ -8,7 +8,7 @@ server { # Security headers add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self'; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self'; base-uri 'self'; form-action 'self';" always; + #add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self' 'https://static.jean-cloud.net/player-interface/*' ; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self' 'https://static.jean-cloud.net/player-interface/*' 'https://cdn.jsdelivr.net/npm/*'; base-uri 'self'; form-action 'self';" always; add_header X-Content-Type-Options "nosniff"; add_header X-Frame-Options SAMEORIGIN always; add_header X-XSS-Protection "1; mode=block" always; diff --git a/services/rpnow.jean-cloud.net/nginx_server.conf b/services/rpnow.jean-cloud.net/nginx_server.conf index d8d0fc9..24c2399 100755 --- a/services/rpnow.jean-cloud.net/nginx_server.conf +++ b/services/rpnow.jean-cloud.net/nginx_server.conf @@ -1,8 +1,8 @@ server { listen 443 ssl http2; listen [::]:443 ssl http2; - ssl_certificate /etc/letsencrypt/live/rpnow.jean-cloud.net/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/rpnow.jean-cloud.net/privkey.pem; + ssl_certificate $JC_CERT/fullchain.pem; + ssl_certificate_key $JC_CERT/privkey.pem; server_name rpnow.jean-cloud.net www.rpnow.jean-cloud.net; location / { @@ -21,8 +21,8 @@ server { server { listen 443 ssl http2; listen [::]:443 ssl http2; - ssl_certificate /etc/letsencrypt/live/rpnow.jean-cloud.net/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/rpnow.jean-cloud.net/privkey.pem; + ssl_certificate $JC_CERT/fullchain.pem; + ssl_certificate_key $JC_CERT/privkey.pem; server_name test.rpnow.jean-cloud.net www.test.rpnow.jean-cloud.net; location / { diff --git a/services/services.txt b/services/services.txt index 54d777c..e6a9d69 100644 --- a/services/services.txt +++ b/services/services.txt @@ -1,4 +1,5 @@ benevoles31.karnaval.fr max.jean-cloud.org +feministesucl34.communisteslibertaires.org none chahut.jean-cloud.net max.jean-cloud.org collectif-arthadie.fr vandamme.jean-cloud.org compagnienouvelle.fr nougaro.jean-cloud.org @@ -6,8 +7,6 @@ copaines.jean-cloud.net max.jean-cloud.org cousinades.jean-cloud.net max.jean-cloud.org deployer.jean-cloud.org shlago.jean-cloud.org etrevivant.net shlago.jean-cloud.org -feministesucl34.jean-cloud.net tetede.jean-cloud.org -feministesucl34.communisteslibertaires.org tetede.jean-cloud.org feteducourt2020.jean-cloud.net shlago.jean-cloud.org feteducourt.jean-cloud.net shlago.jean-cloud.org git.jean-cloud.net vandamme.jean-cloud.org @@ -26,8 +25,9 @@ nuage.jean-cloud.net vandamme.jean-cloud.org pa1.studios.oma-radio.fr tetede.jean-cloud.org paj.oma-radio.fr nougaro.jean-cloud.org quadrille-elsa.jean-cloud.net shlago.jean-cloud.org +chiloe.eu shlago.jean-cloud.org soundbase.radiodemo.oma-radio.fr montbonnot.jean-cloud.org -radiodemo.oma-radio.fr shlago.jean-cloud.org +radiodemo.oma-radio.fr raku.jean-cloud.org mux.radiodemo.oma-radio.fr raku.jean-cloud.org radionimaitre.oma-radio.fr tetede.jean-cloud.org raplacgr.jean-cloud.net tetede.jean-cloud.org