big standardisation update
parent
82c3f2bb2e
commit
813e4dd904
3
.gitignore
vendored
3
.gitignore
vendored
@ -1,2 +1,3 @@
|
|||||||
installing/secrets
|
|
||||||
installing/temporary_mount_point
|
installing/temporary_mount_point
|
||||||
|
installing/secrets
|
||||||
|
provisioning/roles/deploy_all/files/secrets
|
||||||
|
@ -4,9 +4,7 @@ tetede.jean-cloud.org
|
|||||||
raku.jean-cloud.org
|
raku.jean-cloud.org
|
||||||
|
|
||||||
[servers]
|
[servers]
|
||||||
#nougaro.jean-cloud.org
|
nougaro.jean-cloud.org
|
||||||
#carcasse.jean-cloud.org
|
|
||||||
#benevoles.karnaval.fr
|
|
||||||
montbonnot.jean-cloud.org
|
montbonnot.jean-cloud.org
|
||||||
#blatte.jean-cloud.org
|
#blatte.jean-cloud.org
|
||||||
max.jean-cloud.org
|
max.jean-cloud.org
|
||||||
|
@ -60,7 +60,7 @@ fi
|
|||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
if "$deploy" ; then
|
if "$deploy" ; then
|
||||||
[ -x deploy.sh ] && . deploy.sh
|
[ -x deploy.sh ] && ./deploy.sh
|
||||||
[ -x deploy_http.sh ] && sudo -u www-data bash -c "set -a ; . '$DOCKER_DIR/.env' ; set +a ; . ./deploy_http.sh"
|
[ -x deploy_http.sh ] && sudo -u www-data bash -c "set -a ; . '$DOCKER_DIR/.env' ; set +a ; . ./deploy_http.sh"
|
||||||
else
|
else
|
||||||
[ -x undeploy.sh ] && . undeploy.sh
|
[ -x undeploy.sh ] && . undeploy.sh
|
||||||
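Review bot: `undeploy.sh` on the last line of the hunk is still sourced (`. undeploy.sh`) while `deploy.sh` is now executed as its own process, so the two hooks run with different semantics: an `exit` or `set -e` inside undeploy.sh terminates or reconfigures the calling script instead of just the hook. For symmetry change it to `[ -x undeploy.sh ] && ./undeploy.sh`. Note also that `./deploy.sh`, unlike the `deploy_http.sh` invocation on the next line, is not given `$DOCKER_DIR/.env` explicitly; if the caller has not already exported those variables, deploy.sh now has to source the file itself. The enclosing `if "$deploy"` block continues outside the hunk.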
@ -133,10 +133,8 @@ if [ -f "/docker/$service/nginx_server.conf" ] ; then
|
|||||||
|
|
||||||
section "Template nginx conf with vars from '.env' file"
|
section "Template nginx conf with vars from '.env' file"
|
||||||
run template.sh "/docker/$service/.env" < "/docker/$service/nginx_server.conf" > "$new_nginx_conf_path/$service"
|
run template.sh "/docker/$service/.env" < "/docker/$service/nginx_server.conf" > "$new_nginx_conf_path/$service"
|
||||||
fi
|
|
||||||
|
|
||||||
section "Add dummy cert if needed"
|
fi
|
||||||
dummy_cert.sh "$service" add
|
|
||||||
|
|
||||||
section "Testing nginx conf"
|
section "Testing nginx conf"
|
||||||
run nginx -t -c /etc/nginx/new_nginx.conf
|
run nginx -t -c /etc/nginx/new_nginx.conf
|
||||||
|
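Review bot: Dropping `dummy_cert.sh "$service" add` here removes the fallback that kept `nginx -t` passing for services that have no certificate yet, and the same commit makes `JC_CERT` conditional (gen_env.sh only writes it when findcert.sh returns a path). A service whose `nginx_server.conf` references `$JC_CERT/fullchain.pem` but has no cert therefore templates to an invalid `ssl_certificate` directive, and the single `nginx -t -c /etc/nginx/new_nginx.conf` below fails for every service, not only that one; the same dependency applies to every nginx_server.conf hunk further down that replaces the letsencrypt path with `$JC_CERT`. Consider skipping the templating when the variable is absent, e.g. `grep -q '^JC_CERT=' "/docker/$service/.env" || { echo "no cert for $service, skipping" >&2; continue; }` before the `run template.sh` line (assuming this runs inside the per-service loop), or keep the dummy cert for that case. The enclosing `if [ -f "/docker/$service/nginx_server.conf" ]` block starts outside the hunk.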
@ -38,7 +38,7 @@ section "Delete new conf directory (to start from scratch)"
|
|||||||
run rm -rf "$new_nginx_conf_path"
|
run rm -rf "$new_nginx_conf_path"
|
||||||
|
|
||||||
section "Create new conf file (for tests purposes)"
|
section "Create new conf file (for tests purposes)"
|
||||||
sed "s#$nginx_conf_path#$new_nginx_conf_path#" "/docker/_proxy/nginx.conf" > "$proxy_dir/new_nginx.conf"
|
sed "s#$nginx_conf_path#$new_nginx_conf_path/#" "/docker/_proxy/nginx.conf" > "$proxy_dir/new_nginx.conf"
|
||||||
|
|
||||||
section "Create proxy dir"
|
section "Create proxy dir"
|
||||||
run mkdir -p "$proxy_dir" /docker /data
|
run mkdir -p "$proxy_dir" /docker /data
|
||||||
|
@ -25,8 +25,12 @@ for dir in /docker/* ; do
|
|||||||
|
|
||||||
line_in_file "HTTP_DIR='/srv/http/$service'" "/docker/$service/.env"
|
line_in_file "HTTP_DIR='/srv/http/$service'" "/docker/$service/.env"
|
||||||
line_in_file "DATA_DIR='/data/$service'" "/docker/$service/.env"
|
line_in_file "DATA_DIR='/data/$service'" "/docker/$service/.env"
|
||||||
|
line_in_file "SECRET_DIR='/data/secrets/$service'" "/docker/$service/.env"
|
||||||
line_in_file "DOCKER_DIR='/docker/$service'" "/docker/$service/.env"
|
line_in_file "DOCKER_DIR='/docker/$service'" "/docker/$service/.env"
|
||||||
line_in_file "JC_SERVICE='$service'" "/docker/$service/.env"
|
line_in_file "JC_SERVICE='$service'" "/docker/$service/.env"
|
||||||
line_in_file "JC_DNS_CERT='$dns_certs_path/$service'" "/docker/$service/.env"
|
cert="$(findcert.sh "$service")" || true
|
||||||
line_in_file "JC_HTTP_CERT='$http_certs_path/$service'" "/docker/$service/.env"
|
if [ -n "$cert" ] ; then
|
||||||
|
line_in_file "JC_CERT='$cert'" "/docker/$service/.env"
|
||||||
|
fi
|
||||||
|
|
||||||
done
|
done
|
||||||
|
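Review bot: When `findcert.sh` returns nothing, the `if [ -n "$cert" ]` guard skips `line_in_file` entirely, so a `JC_CERT=` line written by a previous run stays in `/docker/$service/.env` and keeps pointing at a certificate that may no longer exist; the `JC_DNS_CERT`/`JC_HTTP_CERT` lines this commit stops writing are likewise left behind in existing files. Add an else branch that drops the stale entry, e.g. `else sed -i '/^JC_CERT=/d' "/docker/$service/.env"`, plus a one-off removal of the two old keys, or give line_in_file a delete mode. `$cert` is also embedded inside single quotes without escaping, which is fine only as long as findcert.sh returns a plain path. The enclosing `for dir in /docker/*` loop starts outside the hunk.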
@ -15,7 +15,7 @@ if [ -v NC_SHARE_LINK ] ; then
|
|||||||
webdav_user="$(echo "$NC_SHARE_LINK" |sed 's#.*/s/##')"
|
webdav_user="$(echo "$NC_SHARE_LINK" |sed 's#.*/s/##')"
|
||||||
webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")"
|
webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")"
|
||||||
|
|
||||||
rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: "$dest_dir/$CLOUD_LOCAL_PATH"
|
rclone sync --config=/notfound --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: "$dest_dir/$CLOUD_LOCAL_PATH"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Go to website
|
# Go to website
|
||||||
|
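Review bot: The new `--config=/notfound` flag is unexplained and reads like a typo; comment it, e.g. `# --config=/notfound: run rclone without any user config file, every webdav parameter comes from the flags`. Independently of this change, the obscured password is still passed as `--webdav-pass=` on the command line, where any local user can read it from the process list; rclone accepts the same option from the `RCLONE_WEBDAV_PASS` environment variable, which keeps it out of argv. The enclosing `if [ -v NC_SHARE_LINK ]` block starts outside the hunk.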
@ -75,10 +75,8 @@ for file in "$nginx_conf_path"* ; do
|
|||||||
echo " ------------------------------------------"
|
echo " ------------------------------------------"
|
||||||
echo "$out"
|
echo "$out"
|
||||||
echo " ------------------------------------------"
|
echo " ------------------------------------------"
|
||||||
dummy_cert.sh "$service_name" add
|
|
||||||
else
|
else
|
||||||
echo "Unknown error : $result.\n$out"
|
echo "Unknown error : $result.\n$out"
|
||||||
dummy_cert.sh "$service_name" add
|
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
@ -1,5 +1,13 @@
|
|||||||
---
|
---
|
||||||
# tasks file for deploy_all
|
# tasks file for deploy_all
|
||||||
|
|
||||||
|
- name: "Check for secrets volume. Fail if not found"
|
||||||
|
include: "{{ item }}"
|
||||||
|
with_first_found:
|
||||||
|
- files:
|
||||||
|
- secrets/mounted
|
||||||
|
|
||||||
|
|
||||||
- name: sync services dirs
|
- name: sync services dirs
|
||||||
ansible.posix.synchronize:
|
ansible.posix.synchronize:
|
||||||
src: ../services/
|
src: ../services/
|
||||||
@ -17,6 +25,13 @@
|
|||||||
- name: Gen env vars
|
- name: Gen env vars
|
||||||
command: gen_env.sh
|
command: gen_env.sh
|
||||||
|
|
||||||
|
- name: sync secrets
|
||||||
|
ansible.posix.synchronize:
|
||||||
|
src: secrets/
|
||||||
|
dest: /data/secrets
|
||||||
|
delete: true
|
||||||
|
archive: false
|
||||||
|
recursive: true
|
||||||
|
|
||||||
#- name: Add bind conf
|
#- name: Add bind conf
|
||||||
# ansible.posix.synchronize:
|
# ansible.posix.synchronize:
|
||||||
|
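Review bot: The new `sync secrets` task copies secret files into `/data/secrets` with `archive: false` and no `perms`/`rsync_opts`, so the modes on the target are whatever rsync derives from the source files and the remote umask — with a usual umask that is world-readable. Pass `rsync_opts: ["--chmod=D0700,F0600"]` so nothing under `/data/secrets` is readable by other accounts. Because `delete: true` is set, running the role from a controller whose secrets volume is not mounted would empty the remote directory; the `Check for secrets volume` task in the first hunk is meant to guard that, but it uses the deprecated `include` on `secrets/mounted`, which would try to parse the marker file as a task list when it does exist. A `stat` on the marker delegated to localhost followed by `assert` expresses the check directly; the rewrite below assumes the marker lives under the role's `files/` directory, where `with_first_found` looks.
```yaml
- name: "Check for secrets volume. Fail if not found"
  ansible.builtin.stat:
    path: "{{ role_path }}/files/secrets/mounted"
  delegate_to: localhost
  run_once: true
  register: secrets_marker

- name: "Refuse to continue without the secrets volume"
  ansible.builtin.assert:
    that: secrets_marker.stat.exists
    fail_msg: "secrets volume is not mounted on the controller; refusing to sync (delete: true would empty /data/secrets)"

# … unchanged: sync services dirs, Gen env vars …

- name: sync secrets
  ansible.posix.synchronize:
    src: secrets/
    dest: /data/secrets
    delete: true
    archive: false
    recursive: true
    perms: true
    rsync_opts:
      - "--chmod=D0700,F0600"
```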
@ -3,7 +3,7 @@
|
|||||||
|
|
||||||
- name: Deploy specific services
|
- name: Deploy specific services
|
||||||
hosts: servers
|
hosts: servers
|
||||||
become: yes
|
become: no
|
||||||
gather_facts: no
|
gather_facts: no
|
||||||
roles:
|
roles:
|
||||||
- deploy_all
|
- deploy_all
|
||||||
|
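Review bot: Switching the play to `become: no` means every task of `deploy_all` — including the `synchronize` into `/data/secrets` with `delete: true` and the `gen_env.sh` command that edits `/docker/$service/.env` — now runs as the SSH login user, so that user must own or be able to write those top-level directories. If it cannot, the play fails; if it can, that unprivileged account holds write access to every service's secrets, which is worth stating explicitly. Record the intended ownership model next to the change, e.g. `become: no  # deploy_all runs as the deploy user, which owns /docker and /data/secrets`, or re-enable `become` only on the tasks that need it.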
@ -1,8 +1,8 @@
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_certificate /etc/letsencrypt/live/amaglio.fr/fullchain.pem;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/amaglio.fr/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
|
|
||||||
server_name amaglio.fr www.amaglio.fr;
|
server_name amaglio.fr www.amaglio.fr;
|
||||||
# root /data/amaglio.fr/app;
|
# root /data/amaglio.fr/app;
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_certificate /etc/letsencrypt/live/$JC_SERVICE/fullchain.pem;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/$JC_SERVICE/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
server_name $JC_SERVICE benevoles.karnaval.fr;
|
server_name $JC_SERVICE benevoles.karnaval.fr;
|
||||||
|
|
||||||
root $DATA_DIR/assets;
|
root $DATA_DIR/assets;
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_certificate /etc/letsencrypt/live/$JC_SERVICE/fullchain.pem;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/$JC_SERVICE/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
server_name wordpress.$JC_SERVICE www.wordpress.$JC_SERVICE;
|
server_name wordpress.$JC_SERVICE www.wordpress.$JC_SERVICE;
|
||||||
location / {
|
location / {
|
||||||
auth_basic "Mot de passe !";
|
auth_basic "Mot de passe !";
|
||||||
@ -19,8 +19,8 @@ server {
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_certificate /etc/letsencrypt/live/$JC_SERVICE/fullchain.pem;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/$JC_SERVICE/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
server_name $JC_SERVICE www.$JC_SERVICE;
|
server_name $JC_SERVICE www.$JC_SERVICE;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_certificate /etc/letsencrypt/live/collectif-arthadie.fr/fullchain.pem;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/collectif-arthadie.fr/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
server_name wordpress.collectif-arthadie.fr www.wordpress.collectif-arthadie.fr;
|
server_name wordpress.collectif-arthadie.fr www.wordpress.collectif-arthadie.fr;
|
||||||
location / {
|
location / {
|
||||||
client_max_body_size 2G;
|
client_max_body_size 2G;
|
||||||
@ -17,8 +17,8 @@ server {
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_certificate /etc/letsencrypt/live/collectif-arthadie.fr/fullchain.pem;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/collectif-arthadie.fr/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
server_name collectif-arthadie.fr www.collectif-arthadie.fr;
|
server_name collectif-arthadie.fr www.collectif-arthadie.fr;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_certificate /etc/letsencrypt/live/compagnienouvelle.fr/fullchain.pem;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/compagnienouvelle.fr/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
server_name wordpress.compagnienouvelle.fr www.wordpress.compagnienouvelle.fr;
|
server_name wordpress.compagnienouvelle.fr www.wordpress.compagnienouvelle.fr;
|
||||||
location / {
|
location / {
|
||||||
auth_basic "Mot de passe !";
|
auth_basic "Mot de passe !";
|
||||||
@ -19,8 +19,8 @@ server {
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_certificate /etc/letsencrypt/live/compagnienouvelle.fr/fullchain.pem;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/compagnienouvelle.fr/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
server_name compagnienouvelle.fr www.compagnienouvelle.fr;
|
server_name compagnienouvelle.fr www.compagnienouvelle.fr;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
|
@ -1,2 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
chmod +x server.sh
|
|
@ -4,8 +4,8 @@ server {
|
|||||||
listen 443;
|
listen 443;
|
||||||
listen [::]:443;
|
listen [::]:443;
|
||||||
server_name $JC_SERVICE;
|
server_name $JC_SERVICE;
|
||||||
ssl_certificate /etc/letsencrypt/live/deployer.jean-cloud.org/fullchain.pem;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/deployer.jean-cloud.org/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
location / {
|
location / {
|
||||||
limit_req zone=deployer_limit;
|
limit_req zone=deployer_limit;
|
||||||
include /etc/nginx/fastcgi_params;
|
include /etc/nginx/fastcgi_params;
|
||||||
|
@ -1,38 +1,26 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
|
# TODO js (dnssec is trusting google right now)
|
||||||
|
# fetch('https://dns.google/resolve?name=deployer.jean-cloud.org&cd=true&type=a').then(r => {r.json().then(j => {for (const i in j.Answer) {console.log(j.Answer[i].data)}})})
|
||||||
|
|
||||||
|
|
||||||
echo "Content-type: text/html"
|
echo "Content-type: text/html"
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
service="$(echo "$DOCUMENT_URI" | tr -d '/\;!&<>?#[]()"*')"
|
service="$(echo "$DOCUMENT_URI" | tr -d '/\;!&<>?#[]()"*')"
|
||||||
path="/docker/$service/deploy_http.sh"
|
deployer="/docker/$service/deploy_http.sh"
|
||||||
. /etc/jeancloud.env
|
. /etc/jeancloud.env
|
||||||
|
|
||||||
echo '<html><head><title>Rechargement d’un site web</title><meta charset="utf-8" /></head>'
|
if [ -z "$service" ] || [ ! -x "$deployer" ] ; then
|
||||||
echo '<body>'
|
echo "error"
|
||||||
echo "<h2>Rechargement d’un site web : $service</h2>"
|
else
|
||||||
echo "<h3> Résultat local</h3>"
|
set -a
|
||||||
if [ -x "$path" ] ; then
|
. "/docker/$service/.env"
|
||||||
echo "<pre>"
|
set +a
|
||||||
"$path"
|
"$deployer" 2>&1
|
||||||
ret="$?"
|
ret="$?"
|
||||||
echo "</pre>"
|
|
||||||
if [ "$ret" -ne 0 ] ; then
|
if [ "$ret" -ne 0 ] ; then
|
||||||
echo '<p style="color:red;">Une erreur a été détectée. Contactez Jean-Cloud.</p>'
|
echo 'Error'
|
||||||
else
|
else
|
||||||
while read ip ; do
|
|
||||||
echo curl http://deployer.jean-cloud.org/ --resolve "*:80:$ip"
|
|
||||||
if [ "$?" -eq 0 ] ; then
|
|
||||||
echo "$ip ok"
|
|
||||||
else
|
|
||||||
echo "$ip ERREUR"
|
|
||||||
fi
|
|
||||||
done < <(getent hosts deployer.jean-cloud.org | cut -d ' ' -f 1 | grep -v "$my_ip")
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo '<p>Les informations précédentes peuvent vous être utiles (erreurs dans un document, fichier absent…). Prenez le temps de les lire pour avoir un site dont toutes les pages fonctionnent !</p>'
|
|
||||||
else
|
|
||||||
echo "<p>Échec. Contactez Jean-Cloud</p>"
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo '</body>'
|
|
||||||
echo '</html>
|
|
||||||
|
|
||||||
|
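Review bot: The response body is now plain text (`error`, `Error` and the raw output of `"$deployer" 2>&1`) but the script still sends `Content-type: text/html`, so whatever the deploy script prints — including git messages that echo repository content back — is rendered as HTML by the browser; change the header to `echo "Content-type: text/plain; charset=utf-8"`. `$service` comes straight from `$DOCUMENT_URI` and is only cleaned with a deny-list of characters; an allow-list is easier to reason about, e.g. `[[ "$service" =~ ^[A-Za-z0-9.-]+$ ]] || service=` before the `-z` test (the `\;` inside the `tr` set is also ambiguous, since how tr treats an unknown backslash escape is implementation-defined). Every outcome is still returned as HTTP 200 with the same `error` text, so a caller cannot distinguish an unknown service from a failed deploy; printing `Status: 404` or `Status: 500` before the blank line would fix that.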
@ -29,22 +29,17 @@ echo "For each service, read all possible domains"
|
|||||||
while read line ; do
|
while read line ; do
|
||||||
read -r service target < <(echo "$line")
|
read -r service target < <(echo "$line")
|
||||||
|
|
||||||
# Auto letsencrypt
|
|
||||||
[ "$target" = vandamme.jean-cloud.org ] && continue
|
|
||||||
|
|
||||||
# TODO remove
|
# TODO remove
|
||||||
#( [ "$service" = collectif-arthadie.fr ] || [[ "$service" == *oma-radio.fr ]] ) && continue
|
[ "$service" = collectif-arthadie.fr ] && continue
|
||||||
|
|
||||||
# remove dummy cert
|
# remove dummy cert
|
||||||
dummy_cert.sh "$service" remove
|
dummy_cert.sh "$service" remove || true
|
||||||
|
|
||||||
[ -d "$DATA_DIR/certs/live/$service" ] && echo "Already exists, thats a job for renew : $service" && continue
|
[ -d "$DATA_DIR/certs/live/$service" ] && echo "Already exists, thats a job for renew : $service" && continue
|
||||||
|
|
||||||
# acme
|
# acme
|
||||||
"$here/acme-dns.sh" "$service" "$tmp"
|
"$here/acme-dns.sh" "$service" "$tmp"
|
||||||
|
|
||||||
# Replace dummy cert if letsencrypt failed
|
|
||||||
[ "$?" -ne 0 ] && dummy_cert.sh "$service" add
|
|
||||||
done < "$servicefile"
|
done < "$servicefile"
|
||||||
|
|
||||||
echo "Push certs to other servers"
|
echo "Push certs to other servers"
|
||||||
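Review bot: `"$here/acme-dns.sh" "$service" "$tmp"` has no status handling now that the `[ "$?" -ne 0 ] && dummy_cert.sh … add` line is gone: under `set -e` the first failing domain aborts the loop and the push below, otherwise the failure is silently lost and the service stays without a certificate. Keep a visible record, e.g. `"$here/acme-dns.sh" "$service" "$tmp" || echo "ERROR: acme failed for $service" >&2`. The `|| true` appended to the rsync in the next hunk has the same effect and additionally hides ssh host-key or authentication failures when pushing the private keys under `$DATA_DIR/certs` to a server name taken from a DNS TXT record; log the failure rather than discarding it. Separately, `while read line` should be `while read -r service target`, which makes the `read -r … < <(echo "$line")` line unnecessary. The loop header is outside the hunk.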
@ -52,5 +47,5 @@ for srv in $(host -t TXT shlago.jean-cloud.org ns.jean-cloud.org | grep -Po 'des
|
|||||||
server="$srv.jean-cloud.org"
|
server="$srv.jean-cloud.org"
|
||||||
[ -n "$(grep "$server" /etc/hosts)" ] && continue
|
[ -n "$(grep "$server" /etc/hosts)" ] && continue
|
||||||
echo "-- $server"
|
echo "-- $server"
|
||||||
rsync -avz -e "ssh -i '$DATA_DIR/certs.priv' -p 45985" "$DATA_DIR/certs" "certs@$server:$DATA_DIR/"
|
rsync -avz -e "ssh -i '$DATA_DIR/certs.priv' -p 45985" "$DATA_DIR/certs" "certs@$server:$DATA_DIR/" || true
|
||||||
done
|
done
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
set -a
|
set -a
|
||||||
. "$DATA_DIR/.env"
|
. "$SECRET_DIR/.env"
|
||||||
set +a
|
set +a
|
||||||
|
|
||||||
git_update.sh -d "$HTTP_DIR" "$GIT_SOURCE_REPO"
|
git_update.sh -d "$HTTP_DIR" "$GIT_SOURCE_REPO"
|
||||||
|
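Review bot: `set -a; . "$SECRET_DIR/.env"; set +a` exports every variable in the service's secrets file into the environment of `git_update.sh` and of everything it spawns (git, ssh, hooks), which is a wider audience than a credential needs; if only a few names are required, source the file without `set -a` and export those explicitly, e.g. `. "$SECRET_DIR/.env"; export GIT_SOURCE_REPO` (assuming that is where the value lives). The `docker run --env-file "$SECRET_DIR/.env"` change later in this commit has the same shape — the whole file becomes container environment, readable via `docker inspect` — so the same narrowing applies there. This script is also invoked through `sudo -u www-data` by the deployer, so `$SECRET_DIR/.env` has to be readable by www-data while staying unreadable by other accounts; a comment stating the expected mode and owner would help whoever provisions `/data/secrets`.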
@ -1,8 +1,8 @@
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_certificate /etc/letsencrypt/live/git.jean-cloud.net/fullchain.pem;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/git.jean-cloud.net/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
server_name git.jean-cloud.net www.git.jean-cloud.net;
|
server_name git.jean-cloud.net www.git.jean-cloud.net;
|
||||||
location / {
|
location / {
|
||||||
client_max_body_size 5G;
|
client_max_body_size 5G;
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_certificate /etc/letsencrypt/live/gmx-webmail.jean-cloud.net/fullchain.pem;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/gmx-webmail.jean-cloud.net/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
|
|
||||||
server_name gmx-webmail.jean-cloud.net www.gmx-webmail.jean-cloud.net;
|
server_name gmx-webmail.jean-cloud.net www.gmx-webmail.jean-cloud.net;
|
||||||
# root /data/gmx-webmail.jean-cloud.net/app;
|
# root /data/gmx-webmail.jean-cloud.net/app;
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_certificate /etc/letsencrypt/live/grapes.chahut.jean-cloud.net/fullchain.pem;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/grapes.chahut.jean-cloud.net/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
server_name grapes.chahut.jean-cloud.net;
|
server_name grapes.chahut.jean-cloud.net;
|
||||||
root $HTTP_DIR;
|
root $HTTP_DIR;
|
||||||
|
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_certificate /etc/letsencrypt/live/gypsylyonfestival.com/fullchain.pem;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/gypsylyonfestival.com/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
#server_name gypsylyonfestival.com www.gypsylyonfestival.com;
|
#server_name gypsylyonfestival.com www.gypsylyonfestival.com;
|
||||||
server_name gypsy.jean-cloud.net;
|
server_name gypsy.jean-cloud.net;
|
||||||
root /data/gypsylyonfestival.com/output;
|
root /data/gypsylyonfestival.com/output;
|
||||||
|
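--- a/services/inurbe.fr/.env
+++ b/services/inurbe.fr/.env
@@ -0,0 +1 @@
+GIT_SOURCE_REPO="https://git.jean-cloud.net/adrian/inurbe"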
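--- a/services/inurbe.fr/deploy_http.sh
+++ b/services/inurbe.fr/deploy_http.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+set -euo pipefail
+
+git_update.sh -d "$HTTP_DIR" "$GIT_SOURCE_REPO"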
@ -1 +0,0 @@
|
|||||||
version: '3.1'
|
|
@ -6,7 +6,7 @@ server {
|
|||||||
server_name $JC_SERVICE www.$JC_SERVICE;
|
server_name $JC_SERVICE www.$JC_SERVICE;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
root $DATA_DIR/public;
|
root $HTTP_DIR/public;
|
||||||
try_files $uri $uri/ =404;
|
try_files $uri $uri/ =404;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -1,2 +0,0 @@
|
|||||||
version: '3'
|
|
||||||
|
|
@ -1,8 +1,8 @@
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_certificate /etc/letsencrypt/live/karnaval.fr/fullchain.pem;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/karnaval.fr/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
server_name karnaval.fr www.karnaval.fr;
|
server_name karnaval.fr www.karnaval.fr;
|
||||||
root $HTTP_DIR/;
|
root $HTTP_DIR/;
|
||||||
|
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_certificate /etc/letsencrypt/live/leida.fr/fullchain.pem;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/leida.fr/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
server_name leida.fr www.leida.fr;
|
server_name leida.fr www.leida.fr;
|
||||||
location / {
|
location / {
|
||||||
root /data/leida.fr/public;
|
root /data/leida.fr/public;
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
docker run -u 33 --rm --env-file "$DATA_DIR/.env" -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder
|
docker run -u 33 --rm --env-file "$SECRET_DIR/.env" -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder
|
||||||
|
@ -5,14 +5,13 @@ map $http_upgrade $connection_upgrade {
|
|||||||
|
|
||||||
server{
|
server{
|
||||||
listen $WEBSOCKET_PORT ssl;
|
listen $WEBSOCKET_PORT ssl;
|
||||||
listen [::]:$WEBSOCKET_PORT ssl;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate $JC_DNS_CERT/fullchain.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
ssl_certificate_key $JC_DNS_CERT/privkey.pem;
|
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_pass http://172.29.0.105:9000;
|
proxy_pass http://$NET$WEBSERVER:9000;
|
||||||
proxy_http_version 1.1;
|
proxy_http_version 1.1;
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
proxy_set_header Connection "upgrade";
|
proxy_set_header Connection "upgrade";
|
||||||
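Review bot: The websocket `server{}` block loses its `listen [::]:$WEBSOCKET_PORT ssl;` line in this hunk (the IPv6 listen is replaced by the `ssl_certificate` line instead of being kept above it), while the 443 block in the next hunk still listens on both address families; unless IPv6 was deliberately dropped for the websocket port, restore `listen [::]:$WEBSOCKET_PORT ssl;` under the existing `listen` line. The new `proxy_pass http://$NET$WEBSERVER:9000;` concatenates two template variables with no separator, and neither is added to this service's `.env` in this commit, so confirm both are present in the environment `template.sh` receives — otherwise the directive templates to `http://:9000`. A comment such as `# NET and WEBSERVER are provided by <where they are set>` would document the dependency. The `server{` block continues outside the hunk.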
@ -24,8 +23,8 @@ server {
|
|||||||
listen 443 ssl;
|
listen 443 ssl;
|
||||||
listen [::]:443 ssl;
|
listen [::]:443 ssl;
|
||||||
server_name $JC_SERVICE;
|
server_name $JC_SERVICE;
|
||||||
ssl_certificate $JC_DNS_CERT/fullchain.pem;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate_key $JC_DNS_CERT/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
client_max_body_size 0;
|
client_max_body_size 0;
|
||||||
|
@ -28,7 +28,7 @@ primary_ips=""
|
|||||||
secondary_ips="37.65.119.74;"
|
secondary_ips="37.65.119.74;"
|
||||||
|
|
||||||
# NS name
|
# NS name
|
||||||
default_dns_name="shlago.jean-cloud.org."
|
default_dns_name="ns.jean-cloud.org."
|
||||||
|
|
||||||
CAA_RR='CAA 0 issue "letsencrypt.org;validationmethods=dns-01"'
|
CAA_RR='CAA 0 issue "letsencrypt.org;validationmethods=dns-01"'
|
||||||
|
|
||||||
|
@ -131,6 +131,12 @@ create_primary_files () {
|
|||||||
echo "@ NS $default_dns_name" >> "$new_db_file"
|
echo "@ NS $default_dns_name" >> "$new_db_file"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Add DS record
|
||||||
|
if [ -n "$(ls "$DATA_DIR/keys/K$domain"*.key)" ] ; then
|
||||||
|
echo ""
|
||||||
|
#dnssec-dsfromkey "$DATA_DIR/keys/K$domain"*.key | sed "s/${domain}./@/" >> "$new_db_file"
|
||||||
|
fi
|
||||||
|
|
||||||
# Populate named.conf.local
|
# Populate named.conf.local
|
||||||
cat >> "$debian_bind_confdir/named.conf.local" <<-EOF
|
cat >> "$debian_bind_confdir/named.conf.local" <<-EOF
|
||||||
zone "$domain" {
|
zone "$domain" {
|
||||||
|
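Review bot: The new `Add DS record` block is effectively dead: its only active statement is `echo ""`, which prints to stdout rather than to `"$new_db_file"`, and the `dnssec-dsfromkey` line that would produce the record is commented out, so a reader cannot tell whether the zone is meant to carry the record or not. Before finishing it, confirm where the record should go — DS records belong at the delegation point in the parent zone, so appending one to the zone's own db file is unlikely to be what named expects; if it is deferred on purpose, replace the block with a `# TODO` saying so. The existence test also parses `ls` output and prints an error to stderr when no key matches; a glob check such as `for key in "$DATA_DIR/keys/K$domain"+*.key; do [ -e "$key" ] || continue; …; done` avoids both. `create_primary_files` starts outside the hunk.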
@ -17,6 +17,6 @@ PublicKey = 14yKNmSfD2lrWU+d/RJBPNvh9pZ/nW4bK27F9nTgvk0=
|
|||||||
AllowedIPs = 10.100.1.253/32
|
AllowedIPs = 10.100.1.253/32
|
||||||
|
|
||||||
[Peer] # Passerelle
|
[Peer] # Passerelle
|
||||||
PublicKey = ZTKOW5DE8jPO8oMh5hAw/c1MQSlUaVxInMPz9Zdwzwo=
|
PublicKey = unY6v95qus8ttJvmSlxqa+J8lKj+CCiRItZ3pFwyjyM=
|
||||||
AllowedIPs = 10.100.1.0/24,192.168.100.0/24
|
AllowedIPs = 10.100.1.0/24,192.168.100.0/24
|
||||||
"
|
"
|
||||||
|
@ -1,2 +1,4 @@
|
|||||||
GIT_SOURCE_REPO="git@gitlab.com:omaradio/website.git"
|
GIT_SOURCE_REPO="git@gitlab.com:omaradio/website.git"
|
||||||
RADIO_HOST=mux.radiodemo.oma-radio.fr
|
RADIO_HOST=mux.radiodemo.oma-radio.fr
|
||||||
|
USE_SSL=true
|
||||||
|
WEBSOCKET_PORT=2004
|
||||||
|
@ -8,7 +8,7 @@ server {
|
|||||||
|
|
||||||
# Security headers
|
# Security headers
|
||||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||||
add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self'; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self'; base-uri 'self'; form-action 'self';" always;
|
#add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self' 'https://static.jean-cloud.net/player-interface/*' ; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self' 'https://static.jean-cloud.net/player-interface/*' 'https://cdn.jsdelivr.net/npm/*'; base-uri 'self'; form-action 'self';" always;
|
||||||
add_header X-Content-Type-Options "nosniff";
|
add_header X-Content-Type-Options "nosniff";
|
||||||
add_header X-Frame-Options SAMEORIGIN always;
|
add_header X-Frame-Options SAMEORIGIN always;
|
||||||
add_header X-XSS-Protection "1; mode=block" always;
|
add_header X-XSS-Protection "1; mode=block" always;
|
||||||
|
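Review bot: Commenting out the `add_header Content-Security-Policy` line removes the policy altogether rather than relaxing it, so this site now ships with no CSP while the surrounding headers show one was intended. The commented value would also not work once re-enabled: CSP source expressions are not quoted (quotes are only for keywords such as `'self'`) and a `*` inside a path is not valid source syntax, which is probably why it was disabled; a path prefix ending in `/` is the supported form. A working relaxed policy is one line: `add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; script-src 'self' https://static.jean-cloud.net/player-interface/; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self' https://static.jean-cloud.net/player-interface/ https://cdn.jsdelivr.net/npm/; base-uri 'self'; form-action 'self';" always;`. The `server {` block starts outside the hunk.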
@ -1,8 +1,8 @@
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_certificate /etc/letsencrypt/live/rpnow.jean-cloud.net/fullchain.pem;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/rpnow.jean-cloud.net/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
server_name rpnow.jean-cloud.net www.rpnow.jean-cloud.net;
|
server_name rpnow.jean-cloud.net www.rpnow.jean-cloud.net;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
@ -21,8 +21,8 @@ server {
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_certificate /etc/letsencrypt/live/rpnow.jean-cloud.net/fullchain.pem;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/rpnow.jean-cloud.net/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
server_name test.rpnow.jean-cloud.net www.test.rpnow.jean-cloud.net;
|
server_name test.rpnow.jean-cloud.net www.test.rpnow.jean-cloud.net;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
|
@ -1,4 +1,5 @@
|
|||||||
benevoles31.karnaval.fr max.jean-cloud.org
|
benevoles31.karnaval.fr max.jean-cloud.org
|
||||||
|
feministesucl34.communisteslibertaires.org none
|
||||||
chahut.jean-cloud.net max.jean-cloud.org
|
chahut.jean-cloud.net max.jean-cloud.org
|
||||||
collectif-arthadie.fr vandamme.jean-cloud.org
|
collectif-arthadie.fr vandamme.jean-cloud.org
|
||||||
compagnienouvelle.fr nougaro.jean-cloud.org
|
compagnienouvelle.fr nougaro.jean-cloud.org
|
||||||
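Review bot: The new entry `feministesucl34.communisteslibertaires.org none` introduces a target value `none` that nothing in this commit interprets: the certificate loop changed in this same commit now runs `acme-dns.sh` for every line of the services file (its `[ "$target" = … ] && continue` skip was removed), and the old `… tetede.jean-cloud.org` lines for this domain are dropped in the next hunk. Unless the consumers treat `none` specially somewhere outside this diff, the domain will be submitted for a certificate with no host to serve it. If `none` means "keep the name, no service or certificate", document that convention (in the script that reads this file if the file has no comment syntax) and make the cert loop honour it, e.g. `[ "$target" = none ] && continue`. The consumers of this file are outside the hunk.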
@ -6,8 +7,6 @@ copaines.jean-cloud.net max.jean-cloud.org
|
|||||||
cousinades.jean-cloud.net max.jean-cloud.org
|
cousinades.jean-cloud.net max.jean-cloud.org
|
||||||
deployer.jean-cloud.org shlago.jean-cloud.org
|
deployer.jean-cloud.org shlago.jean-cloud.org
|
||||||
etrevivant.net shlago.jean-cloud.org
|
etrevivant.net shlago.jean-cloud.org
|
||||||
feministesucl34.jean-cloud.net tetede.jean-cloud.org
|
|
||||||
feministesucl34.communisteslibertaires.org tetede.jean-cloud.org
|
|
||||||
feteducourt2020.jean-cloud.net shlago.jean-cloud.org
|
feteducourt2020.jean-cloud.net shlago.jean-cloud.org
|
||||||
feteducourt.jean-cloud.net shlago.jean-cloud.org
|
feteducourt.jean-cloud.net shlago.jean-cloud.org
|
||||||
git.jean-cloud.net vandamme.jean-cloud.org
|
git.jean-cloud.net vandamme.jean-cloud.org
|
||||||
@ -26,8 +25,9 @@ nuage.jean-cloud.net vandamme.jean-cloud.org
|
|||||||
pa1.studios.oma-radio.fr tetede.jean-cloud.org
|
pa1.studios.oma-radio.fr tetede.jean-cloud.org
|
||||||
paj.oma-radio.fr nougaro.jean-cloud.org
|
paj.oma-radio.fr nougaro.jean-cloud.org
|
||||||
quadrille-elsa.jean-cloud.net shlago.jean-cloud.org
|
quadrille-elsa.jean-cloud.net shlago.jean-cloud.org
|
||||||
|
chiloe.eu shlago.jean-cloud.org
|
||||||
soundbase.radiodemo.oma-radio.fr montbonnot.jean-cloud.org
|
soundbase.radiodemo.oma-radio.fr montbonnot.jean-cloud.org
|
||||||
radiodemo.oma-radio.fr shlago.jean-cloud.org
|
radiodemo.oma-radio.fr raku.jean-cloud.org
|
||||||
mux.radiodemo.oma-radio.fr raku.jean-cloud.org
|
mux.radiodemo.oma-radio.fr raku.jean-cloud.org
|
||||||
radionimaitre.oma-radio.fr tetede.jean-cloud.org
|
radionimaitre.oma-radio.fr tetede.jean-cloud.org
|
||||||
raplacgr.jean-cloud.net tetede.jean-cloud.org
|
raplacgr.jean-cloud.net tetede.jean-cloud.org
|
||||||
|