From 82c3f2bb2ee3836ffcad0dfb6297ded5e1aa0ee6 Mon Sep 17 00:00:00 2001 
From: Adrian Amaglio Date: Mon, 16 Oct 2023 10:47:35 +0200 Subject: [PATCH] update --- .../deploy_all/files/bin/deploy_service.sh | 6 +-- .../roles/deploy_all/files/bin/dummy_cert.sh | 2 +- .../roles/deploy_all/files/bin/gen_env.sh | 13 +++-- .../roles/deploy_all/files/bin/git_update.sh | 11 +++- .../roles/deploy_all/files/bin/hugo_rclone.sh | 37 ++++++++++--- .../roles/deploy_all/files/bin/letsencrypt.sh | 14 +++-- services/dnscerts.jean-cloud.org/acme-dns.sh | 7 +-- services/dnscerts.jean-cloud.org/run_as.sh | 2 +- services/etrevivant.net/deploy_http.sh | 27 ++-------- .../docker-compose.yml | 49 ----------------- .../nginx_server.conf | 32 ------------ .../nginx_server.conf | 2 +- .../nginx_server.conf | 2 +- services/inurbe.fr/nginx_server.conf | 8 +-- services/mux.radiodemo.oma-radio.fr/.env | 12 +++++ services/mux.radiodemo.oma-radio.fr/deploy.sh | 4 ++ .../docker-compose.yml | 2 +- .../liquidsoap.liq | 0 .../nginx_server.conf | 52 +++++++++++++++++++ .../radioking.liq | 0 .../wg-radiodemo.sh | 33 ++++++++++++ .../ns1.jean-cloud.org/helper_functions.sh | 21 +++++--- services/radiodemo.oma-radio.fr/.env | 14 +---- .../radiodemo.oma-radio.fr/nginx_server.conf | 52 +++++++------------ services/services.txt | 8 +-- .../.env | 7 +-- .../deploy.sh | 3 ++ .../docker-compose.yml | 2 +- .../generate_nat.sh | 0 .../nginx_server.conf | 28 ---------- .../wg-radiodemo.sh | 20 +++++++ 31 files changed, 241 insertions(+), 229 deletions(-) mode change 100644 => 100755 provisioning/roles/deploy_all/files/bin/hugo_rclone.sh delete mode 100644 services/feministesucl34.jean-cloud.net/docker-compose.yml delete mode 100755 services/feministesucl34.jean-cloud.net/nginx_server.conf create mode 100644 services/mux.radiodemo.oma-radio.fr/.env create mode 100755 services/mux.radiodemo.oma-radio.fr/deploy.sh rename services/{radiodemo.oma-radio.fr => mux.radiodemo.oma-radio.fr}/docker-compose.yml (97%) rename services/{radiodemo.oma-radio.fr => mux.radiodemo.oma-radio.fr}/liquidsoap.liq 
(100%) create mode 100644 services/mux.radiodemo.oma-radio.fr/nginx_server.conf rename services/{radiodemo-back.oma-radio.fr => mux.radiodemo.oma-radio.fr}/radioking.liq (100%) create mode 100755 services/mux.radiodemo.oma-radio.fr/wg-radiodemo.sh mode change 100644 => 100755 services/radiodemo.oma-radio.fr/nginx_server.conf rename services/{radiodemo-back.oma-radio.fr => soundbase.radiodemo.oma-radio.fr}/.env (67%) create mode 100755 services/soundbase.radiodemo.oma-radio.fr/deploy.sh rename services/{radiodemo-back.oma-radio.fr => soundbase.radiodemo.oma-radio.fr}/docker-compose.yml (97%) rename services/{radiodemo-back.oma-radio.fr => soundbase.radiodemo.oma-radio.fr}/generate_nat.sh (100%) rename services/{radiodemo-back.oma-radio.fr => soundbase.radiodemo.oma-radio.fr}/nginx_server.conf (87%) create mode 100755 services/soundbase.radiodemo.oma-radio.fr/wg-radiodemo.sh diff --git a/provisioning/roles/deploy_all/files/bin/deploy_service.sh b/provisioning/roles/deploy_all/files/bin/deploy_service.sh index f518bbc..337595b 100755 --- a/provisioning/roles/deploy_all/files/bin/deploy_service.sh +++ b/provisioning/roles/deploy_all/files/bin/deploy_service.sh @@ -60,10 +60,10 @@ fi ############################################################################### if "$deploy" ; then - [ -x deploy.sh ] && ./deploy.sh - [ -x deploy_http.sh ] && sudo -u www-data bash -c ". '$DOCKER_DIR/.env' && . ./deploy_http.sh" + [ -x deploy.sh ] && . deploy.sh + [ -x deploy_http.sh ] && sudo -u www-data bash -c "set -a ; . '$DOCKER_DIR/.env' ; set +a ; . ./deploy_http.sh" else - [ -x undeploy.sh ] && ./undeploy.sh + [ -x undeploy.sh ] && . undeploy.sh fi diff --git a/provisioning/roles/deploy_all/files/bin/dummy_cert.sh b/provisioning/roles/deploy_all/files/bin/dummy_cert.sh index 1fa9caa..541bd98 100755 --- a/provisioning/roles/deploy_all/files/bin/dummy_cert.sh +++ b/provisioning/roles/deploy_all/files/bin/dummy_cert.sh 
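Review bot: Replacing `./deploy.sh` with `. deploy.sh` runs each service's script inside deploy_service.sh's own shell, so an `exit`, a `set -e`/`set -u`, a `cd` or any variable assignment in a per-service deploy.sh now changes the deployer itself rather than a child process (the soundbase and mux deploy.sh files added in this commit have neither, but the first one that adds `set -e` or calls `exit` will abort the whole deploy run). A subshell keeps the isolation while still inheriting the deployer's variables: `[ -x deploy.sh ] && ( . ./deploy.sh )`, and the same for undeploy.sh; note that `[ -x ... ]` no longer gates anything meaningful once the file is sourced instead of executed. The `set -a ; . '$DOCKER_DIR/.env' ; set +a` line executes the .env file as shell code under www-data and exports every variable it defines to every child of deploy_http.sh, so .env files in this repo have to be treated as code. `$deploy` and `$DOCKER_DIR` are set outside the hunk.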
@@ -15,7 +15,7 @@ action="$2" if [ ! -f "$dummy_cert_path/privkey.pem" ] ; then echo "Dummy cert generation" run mkdir -p "$dummy_cert_path" - run openssl req -x509 -newkey rsa:2048 -keyout /etc/letsencrypt/live/dummy/privkey.pem -out /etc/letsencrypt/live/dummy/fullchain.pem -days 365 -nodes -subj "/C=FR/ST=France/O=IT/CN=jean-cloud.net" + run openssl req -x509 -newkey rsa:2048 -keyout "$http_certs_path/dummy/privkey.pem" -out "$http_certs_path/dummy/fullchain.pem" -days 365 -nodes -subj "/C=FR/ST=France/O=IT/CN=jean-cloud.net" fi if [ "$action" = add ] ; then diff --git a/provisioning/roles/deploy_all/files/bin/gen_env.sh b/provisioning/roles/deploy_all/files/bin/gen_env.sh index dcafd27..3d88fd7 100755 --- a/provisioning/roles/deploy_all/files/bin/gen_env.sh +++ b/provisioning/roles/deploy_all/files/bin/gen_env.sh 
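Review bot: The new openssl line writes the key pair under `$http_certs_path/dummy/` while the guard two lines above tests `$dummy_cert_path/privkey.pem` and the `mkdir -p` creates `$dummy_cert_path`; unless those two variables resolve to the same directory (both are defined outside the hunk), the key goes to a directory that may not exist and is regenerated on every run. Using one variable in all three places removes the coupling: `run openssl req -x509 -newkey rsa:2048 -keyout "$dummy_cert_path/privkey.pem" -out "$dummy_cert_path/fullchain.pem" -days 365 -nodes -subj "/C=FR/ST=France/O=IT/CN=jean-cloud.net"`. It is also worth confirming that this script sources /etc/jeancloud.env as letsencrypt.sh now does, because an unset `$http_certs_path` would silently put the dummy key in `/dummy/`.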
@@ -5,15 +5,17 @@ set -euo pipefail JC_ENV=/etc/jeancloud.env -certs_path=/etc/letsencrypt/live +dns_certs_path=/data/dnscerts.jean-cloud.org/certs/live +http_certs_path=/etc/letsencrypt/live proxy_dir=/etc/nginx cat > "$JC_ENV" <" +dest_dir="$1" +[ -z "$dest_dir" ] && die "Arg 'hugo_directory' should not be empty." -webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')" -webdav_user="$(echo "$NC_SHARE_LINK" |sed 's#.*/s/##')" -webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")" -git_update.sh "$GIT_SOURCE_REPO" -rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" -- webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: "$CLOUD_LOCAL_PATH" -hugo +# Get content from nextcloud +if [ -v NC_SHARE_LINK ] ; then + webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')" + webdav_user="$(echo "$NC_SHARE_LINK" |sed 's#.*/s/##')" + webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")" + rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: "$dest_dir/$CLOUD_LOCAL_PATH" +fi + +# Go to website +cd "$dest_dir" + +# Rename .attachement dirs created by nextcloud +while read filename ; do + oldname="$(basename "$filename")" + newname="${oldname:1}" + path="$(dirname "$filename")" + # And rename their references in md files + find -type f -iname '*.md' -exec sed -i "s/$oldname/$newname/g" {} \; + mv "$path/$oldname" "$path/$newname" +done < <(find -type d -name '.attachments.*') + +# Build the website +hugo diff --git a/provisioning/roles/deploy_all/files/bin/letsencrypt.sh b/provisioning/roles/deploy_all/files/bin/letsencrypt.sh index 8af02f9..41c7ed2 100755 --- a/provisioning/roles/deploy_all/files/bin/letsencrypt.sh +++ b/provisioning/roles/deploy_all/files/bin/letsencrypt.sh 
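Review bot: In the `.attachments.*` rename loop, `$oldname` and `$newname` are interpolated unescaped into `sed -i "s/$oldname/$newname/g"` and the loop reads with a bare `read filename`; these names come from the synced Nextcloud share, so a name containing `/`, `&` or a regex metacharacter breaks the substitution or rewrites unrelated text in every .md file (the leading `.` alone already matches any character). Reading with `while IFS= read -r filename` and escaping the pattern first, e.g. `pat="$(printf '%s' "$oldname" | sed 's/[][\.*^$/]/\\&/g')"`, makes the rewrite literal. Separately, the share password is passed to `rclone obscure` and `--webdav-pass` on the command line, where it is visible in the process list to every local user for the duration of the sync; rclone also reads backend options from the environment (`RCLONE_WEBDAV_PASS`), which avoids that, though confirm against the installed version. The start of this hunk, together with the gen_env.sh heredoc and the git_update.sh hunk listed in the diffstat, is garbled in this view, so the script's preamble (shebang, `set -u`, the `die` helper) could not be checked.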
@@ -2,6 +2,10 @@ # This script will run on new cert and on cron renew # there is one cert by service +set -euo pipefail + +. /etc/jeancloud.env + # TODO make it an ansible script # No @@ -18,17 +22,19 @@ acmeroot=/var/www/letsencrypt # Création du répertoire mkdir -p "$acmeroot" -# With trailing slash or it will be a prefix selector -#nginx_sites_dir="/etc/nginx/sites-enabled/" -nginx_sites_dir="/etc/nginx/sites-enabled/" -for file in "$nginx_sites_dir"* ; do +for file in "$nginx_conf_path"* ; do if $verbose ; then echo '-------------------------' echo "$file" fi service_name="$(basename "$file")" + + if [ -d "$dns_certs_path/$service_name" ] ; then + echo "$service_name is handled by dnscerts" + continue + fi # Getting just the domain names domains="$(extract_domain_nginx_conf.sh "$file")" diff --git a/services/dnscerts.jean-cloud.org/acme-dns.sh b/services/dnscerts.jean-cloud.org/acme-dns.sh index 1a3dae1..be40e37 100755 --- a/services/dnscerts.jean-cloud.org/acme-dns.sh +++ b/services/dnscerts.jean-cloud.org/acme-dns.sh @@ -1,11 +1,12 @@ #!/bin/bash -if [ "$#" -ne 1 ] ; then - echo "Usage: $0 " >&2 +if [ "$#" -ne 2 ] ; then + echo "Usage: $0 " >&2 exit 1 fi service="$1" +workdir="$2" nginxfile="/docker/$service/nginx_server.conf" if [ -f "$nginxfile" ] ; then 
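Review bot: The loop now globs `"$nginx_conf_path"*` after dropping the comment that warned the old variable needed a trailing slash; `$nginx_conf_path` comes from /etc/jeancloud.env, written by gen_env.sh whose heredoc is unreadable in this view, so if it is ever generated without the slash the glob silently becomes a prefix match in the parent directory and the loop iterates the wrong entries. Spelling the separator out removes the dependency: `for file in "${nginx_conf_path%/}"/* ; do`. With the newly added `set -euo pipefail`, a single failing `extract_domain_nginx_conf.sh` or certbot invocation now aborts the loop for every remaining service, which matters because the header says this runs on cron renewals; logging the failure and `continue`-ing per service would keep one broken vhost from blocking everyone's renewal. The certbot call itself is below the hunk.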
@@ -13,5 +14,5 @@ if [ -f "$nginxfile" ] ; then domains="$(echo "$nginxdomains" | tr ' ' '\n' | sort -u | resolvable.sh ns.jean-cloud.org | sed -z -e 's/\n$//' -e 's/\n/ -d /g' )" [ -z "$domains" ] && exit 0 echo "--------------- -d $domains" - certbot certonly --config-dir "$DATA_DIR/certs" --work-dir "$tmp/work" --logs-dir "$tmp/logs" --agree-tos -m contact@jean-cloud.org -n --cert-name "$service" --dns-rfc2136 --dns-rfc2136-credentials "$DATA_DIR/rfc2136.ini" -d $domains + certbot certonly --config-dir "$DATA_DIR/certs" --work-dir "$workdir/work" --logs-dir "$workdir/logs" --agree-tos -m contact@jean-cloud.org -n --cert-name "$service" --dns-rfc2136 --dns-rfc2136-credentials "$DATA_DIR/rfc2136.ini" -d $domains fi diff --git a/services/dnscerts.jean-cloud.org/run_as.sh b/services/dnscerts.jean-cloud.org/run_as.sh index d55b5aa..4670883 100755 --- a/services/dnscerts.jean-cloud.org/run_as.sh +++ b/services/dnscerts.jean-cloud.org/run_as.sh @@ -41,7 +41,7 @@ while read line ; do [ -d "$DATA_DIR/certs/live/$service" ] && echo "Already exists, thats a job for renew : $service" && continue # acme - "$here/acme-dns.sh" "$service" + "$here/acme-dns.sh" "$service" "$tmp" # Replace dummy cert if letsencrypt failed [ "$?" -ne 0 ] && dummy_cert.sh "$service" add diff --git a/services/etrevivant.net/deploy_http.sh b/services/etrevivant.net/deploy_http.sh index ff3fc0f..373d22c 100755 --- a/services/etrevivant.net/deploy_http.sh +++ b/services/etrevivant.net/deploy_http.sh 
@@ -1,29 +1,8 @@ #!/bin/bash set -euo pipefail - +set -a . "$DATA_DIR/.env" -webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')" -webdav_user="$(echo "$NC_SHARE_LINK" |sed 's#.*/s/##')" -webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")" +set +a -# Get website files git_update.sh -d "$HTTP_DIR" "$GIT_SOURCE_REPO" - -# Get content from nextcloud -rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: "$HTTP_DIR/$CLOUD_LOCAL_PATH" - -# Go to website -cd "$HTTP_DIR" - -# Rename .attachement dirs created by nextcloud -while read filename ; do - oldname="$(basename "$filename")" - newname="${oldname:1}" - path="$(dirname "$filename")" - # And rename their references in md files - find -type f -iname '*.md' -exec sed -i "s/$oldname/$newname/g" {} \; - mv "$path/$oldname" "$path/$newname" -done < <(find -type d -name '.attachments.*') - -# Build the website -hugo +hugo_rclone.sh "$HTTP_DIR" diff --git a/services/feministesucl34.jean-cloud.net/docker-compose.yml b/services/feministesucl34.jean-cloud.net/docker-compose.yml deleted file mode 100644 index caefc4b..0000000 --- a/services/feministesucl34.jean-cloud.net/docker-compose.yml +++ /dev/null 
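Review bot: `set -a` around `. "$DATA_DIR/.env"` exports every variable in that file, including `NC_SHARE_PASSWORD`, into the environment of every process this script spawns (git_update.sh and git, hugo_rclone.sh, rclone, hugo and anything they in turn run), although only hugo_rclone.sh reads the Nextcloud variables. Exporting just the ones it uses is as short and keeps the secret out of unrelated children: `. "$DATA_DIR/.env"` followed by `export NC_SHARE_LINK NC_SHARE_PASSWORD CLOUD_LOCAL_PATH`. This is the whole script and it runs as www-data via deploy_service.sh, which already sources `$DOCKER_DIR/.env` with `set -a`; if `$DATA_DIR/.env` is a different file that is fine, but it deserves a comment saying which variables are expected from which file.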
@@ -1,49 +0,0 @@
-version: '3.1'
-
-services:
-
- wp:
- image: wordpress:5.8-apache
- restart: unless-stopped
- env_file: /data/feministesucl34.jean-cloud.net/env
- environment:
- WORDPRESS_DB_HOST: db
- WORDPRESS_DB_USER: wpdbuser
- WORDPRESS_DB_NAME: wpdb
- #WORDPRESS_CONFIG_EXTRA: "define( 'WP_HOME', 'https://feministesucl34.jean-cloud.net/wordpress' ); define( 'WP_SITEURL', 'https://feministesucl34.jean-cloud.net/wordpress' );"
- volumes:
- - /data/feministesucl34.jean-cloud.net/wordpress:/var/www/html
- - /data/feministesucl34.jean-cloud.net/static:/var/www/html/static
- networks:
- default:
- ipv4_address: 172.29.9.100
- deploy:
- resources:
- limits:
- cpus: '0.50'
- memory: 100M
- db:
- image: mariadb:10.4
- restart: unless-stopped
- env_file: /data/feministesucl34.jean-cloud.net/env
- environment:
- MYSQL_DATABASE: wpdb
- MYSQL_USER: wpdbuser
- MYSQL_RANDOM_ROOT_PASSWORD: 'yes'
- volumes:
- - /data/feministesucl34.jean-cloud.net/db:/var/lib/mysql
- networks:
- default:
- ipv4_address: 172.29.9.101
- deploy:
- resources:
- limits:
- cpus: '0.50'
- memory: 100M
-
-networks:
- default:
- ipam:
- config:
- - subnet: 172.29.9.0/24
-
diff --git a/services/feministesucl34.jean-cloud.net/nginx_server.conf b/services/feministesucl34.jean-cloud.net/nginx_server.conf
deleted file mode 100755
index 1420e66..0000000
--- a/services/feministesucl34.jean-cloud.net/nginx_server.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- ssl_certificate /etc/letsencrypt/live/feministesucl34.jean-cloud.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/feministesucl34.jean-cloud.net/privkey.pem;
- server_name wordpress.feministesucl34.jean-cloud.net www.wordpress.feministesucl34.jean-cloud.net;
- location / {
- client_max_body_size 2G;
- #proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header Host $http_host;
- proxy_set_header X-Forwarded-Proto https;
- proxy_pass http://172.29.9.100;
- proxy_redirect off;
- }
-}
-
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- ssl_certificate /etc/letsencrypt/live/feministesucl34.jean-cloud.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/feministesucl34.jean-cloud.net/privkey.pem;
- server_name feministesucl34.jean-cloud.net www.feministesucl34.jean-cloud.net feministesucl34.communisteslibertaires.org;
-
- location = /wp-login.php {
- return 301 https://wordpress.feministesucl34.jean-cloud.net/wp-login.php;
- }
-
- location / {
- root /data/feministesucl34.jean-cloud.net/static;
- try_files $uri $uri/ =404;
- }
-}
diff --git a/services/feteducourt.jean-cloud.net/nginx_server.conf b/services/feteducourt.jean-cloud.net/nginx_server.conf
index ee1b173..2783014 100755
--- a/services/feteducourt.jean-cloud.net/nginx_server.conf
+++ b/services/feteducourt.jean-cloud.net/nginx_server.conf
@@ -5,7 +5,7 @@ server {
 ssl_certificate_key $JC_CERT/privkey.pem;
 server_name $JC_SERVICE www.$JC_SERVICE;
 location / {
- root $HTTP_DIR;
+ root $HTTP_DIR/public;
 try_files $uri $uri/ =404;
 }
 }
diff --git a/services/feteducourt2020.jean-cloud.net/nginx_server.conf b/services/feteducourt2020.jean-cloud.net/nginx_server.conf
index ee1b173..2783014 100755
--- a/services/feteducourt2020.jean-cloud.net/nginx_server.conf
+++ b/services/feteducourt2020.jean-cloud.net/nginx_server.conf
@@ -5,7 +5,7 @@ server { ssl_certificate_key $JC_CERT/privkey.pem; server_name $JC_SERVICE www.$JC_SERVICE; location / { - root $HTTP_DIR; + root $HTTP_DIR/public; try_files $uri $uri/ =404; } } diff --git a/services/inurbe.fr/nginx_server.conf b/services/inurbe.fr/nginx_server.conf index e4e65da..09418ef 100755 --- a/services/inurbe.fr/nginx_server.conf +++ b/services/inurbe.fr/nginx_server.conf @@ -1,12 +1,12 @@ server { listen 443 ssl http2; listen [::]:443 ssl http2; - ssl_certificate /etc/letsencrypt/live/inurbe.fr/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/inurbe.fr/privkey.pem; - server_name inurbe.fr www.inurbe.fr; + ssl_certificate $http_certs_dir/inurbe.fr/fullchain.pem; + ssl_certificate_key $http_certs_dir/inurbe.fr/privkey.pem; + server_name $JC_SERVICE www.$JC_SERVICE; location / { - root /data/inurbe.fr; + root $DATA_DIR/public; try_files $uri $uri/ =404; } } diff --git a/services/mux.radiodemo.oma-radio.fr/.env b/services/mux.radiodemo.oma-radio.fr/.env new file mode 100644 index 0000000..9fd5e23 --- /dev/null +++ b/services/mux.radiodemo.oma-radio.fr/.env @@ -0,0 +1,12 @@ +ENDPOINT=10.29.0.1 +WEBSERVER=.105 +MUX=.100 +TELECOM=.101 +NET=172.29.0 +WEBSOCKET_PORT=2004 +RADIO_HOST=mux.radiodemo.oma-radio.fr +MUX_SERVER_PORT=9004 +TELECOM_SERVER_PORT=3494 +SOUNDBASE_DIR=/data/mux.radiodemo.oma-radio.fr/core/radioDemo +OMA_DOCKER_VERSION=dev +ICECAST=.110 diff --git a/services/mux.radiodemo.oma-radio.fr/deploy.sh b/services/mux.radiodemo.oma-radio.fr/deploy.sh new file mode 100755 index 0000000..59caf4d --- /dev/null +++ b/services/mux.radiodemo.oma-radio.fr/deploy.sh @@ -0,0 +1,4 @@ +#!/bin/bash +mkdir -p "$DATA_DIR/pige" +chown 10000:10000 "$DATA_DIR/pige" -R + 
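Review bot: The new certificate lines reference `$http_certs_dir`, but the variable gen_env.sh writes in this same commit is `http_certs_path`, and every other vhost touched here (feteducourt, radiodemo) uses the per-service `$JC_CERT`; nothing visible defines `http_certs_dir`, so after substitution nginx would either see a literal `$http_certs_dir/...` path or an empty prefix and fail to load the certificate. Following the convention the sibling files already use removes the special case: `ssl_certificate $JC_CERT/fullchain.pem;` and `ssl_certificate_key $JC_CERT/privkey.pem;`. If the per-service variable is deliberately avoided for inurbe.fr, a one-line comment saying why would save the next reader a search.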
diff --git a/services/radiodemo.oma-radio.fr/docker-compose.yml b/services/mux.radiodemo.oma-radio.fr/docker-compose.yml
similarity index 97%
rename from services/radiodemo.oma-radio.fr/docker-compose.yml
rename to services/mux.radiodemo.oma-radio.fr/docker-compose.yml
index e1a4c7f..46fc3e3 100644
--- a/services/radiodemo.oma-radio.fr/docker-compose.yml
+++ b/services/mux.radiodemo.oma-radio.fr/docker-compose.yml
@@ -1,7 +1,7 @@
 version: '3'
 services:
 ambre_mux:
- image: registry.gitlab.com/omaradio/core/moa-mux:$OMA_DOCKER_VERSION
+ image: registry.gitlab.com/omaradio/core/oma-mux:$OMA_DOCKER_VERSION
 env_file: .env
 environment:
 OMA_CONFIG_Client1Host: $NET.108
diff --git a/services/radiodemo.oma-radio.fr/liquidsoap.liq b/services/mux.radiodemo.oma-radio.fr/liquidsoap.liq
similarity index 100%
rename from services/radiodemo.oma-radio.fr/liquidsoap.liq
rename to services/mux.radiodemo.oma-radio.fr/liquidsoap.liq
diff --git a/services/mux.radiodemo.oma-radio.fr/nginx_server.conf b/services/mux.radiodemo.oma-radio.fr/nginx_server.conf
new file mode 100644
index 0000000..a65c21a
--- /dev/null
+++ b/services/mux.radiodemo.oma-radio.fr/nginx_server.conf
@@ -0,0 +1,52 @@
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+server{
+ listen $WEBSOCKET_PORT ssl;
+ listen [::]:$WEBSOCKET_PORT ssl;
+ ssl_certificate $JC_DNS_CERT/fullchain.pem;
+ ssl_certificate_key $JC_DNS_CERT/privkey.pem;
+
+ location / {
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ proxy_pass http://172.29.0.105:9000;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_read_timeout 120s;
+ }
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name $JC_SERVICE;
+ ssl_certificate $JC_DNS_CERT/fullchain.pem;
+ ssl_certificate_key $JC_DNS_CERT/privkey.pem;
+
+ location / {
+ client_max_body_size 0;
+ proxy_pass http://$ENDPOINT;
+ proxy_set_header Host 'soundbase.radiodemo.oma-radio.fr';
+ proxy_set_header X-Forwarded-Host $JC_SERVICE;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ }
+
+
+ location /direct.ogg {
+ client_max_body_size 0;
+ proxy_pass http://$NET$ICECAST:8000/direct.ogg;
+ }
+ location /direct.mp3 {
+ client_max_body_size 0;
+ proxy_pass http://$NET$ICECAST:8000/direct.mp3;
+ }
+
+ # TODO open some stat route
+
+
+}
diff --git a/services/radiodemo-back.oma-radio.fr/radioking.liq b/services/mux.radiodemo.oma-radio.fr/radioking.liq
similarity index 100%
rename from services/radiodemo-back.oma-radio.fr/radioking.liq
rename to services/mux.radiodemo.oma-radio.fr/radioking.liq
diff --git a/services/mux.radiodemo.oma-radio.fr/wg-radiodemo.sh b/services/mux.radiodemo.oma-radio.fr/wg-radiodemo.sh
new file mode 100755
index 0000000..e3fa895
--- /dev/null
+++ b/services/mux.radiodemo.oma-radio.fr/wg-radiodemo.sh
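Review bot: The websocket server block defines the `$connection_upgrade` map at the top of the file and then sets `proxy_set_header Connection "upgrade";` unconditionally, so every request on `$WEBSOCKET_PORT` is forwarded as an upgrade attempt whether or not the client sent one; `proxy_set_header Connection $connection_upgrade;` is what the map exists for. The same block hard-codes `proxy_pass http://172.29.0.105:9000;` while the icecast locations below use `$NET$ICECAST`, and the .env added in this commit already carries `WEBSERVER=.105`, so `proxy_pass http://$NET$WEBSERVER:9000;` keeps one source of truth. That block also has no `server_name`, making it the default server for the port and answering any SNI name with the `$JC_DNS_CERT` certificate, and neither server block sends the HSTS and other security headers that radiodemo.oma-radio.fr gains in this same commit; both look like omissions rather than decisions and deserve either the headers or a comment.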
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -euo pipefail
+
+. .env
+
+wgif="$1"
+
+echo "
+[Interface]
+PrivateKey = $(cat $DATA_DIR/privatekey)
+Address = 10.29.0.254/32
+ListenPort = 55820
+
+# packet forwarding
+PreUp = sysctl -w net.ipv4.ip_forward=1
+
+# port forwarding
+#PreUp = iptables -t nat -A PREROUTING -p tcp --dport $MUX_SERVER_PORT -j DNAT --to-destination $ENDPOINT:$MUX_SERVER_PORT
+#PreUp = iptables -t nat -A PREROUTING -p tcp --dport $TELECOM_SERVER_PORT -j DNAT --to-destination $ENDPOINT:$TELECOM_SERVER_PORT
+
+#PostDown = iptables -t nat -D PREROUTING -p tcp --dport $MUX_SERVER_PORT -j DNAT --to-destination $ENDPOINT:$MUX_SERVER_PORT
+#PostDown = iptables -t nat -D PREROUTING -p tcp --dport $TELECOM_SERVER_PORT -j DNAT --to-destination $ENDPOINT:$TELECOM_SERVER_PORT
+
+# packet masquerading
+#PreUp = iptables -t nat -A POSTROUTING -o $wgif -j MASQUERADE
+#PostDown = iptables -t nat -D POSTROUTING -o $wgif -j MASQUERADE
+
+# remote settings for the private server
+[Peer]
+PublicKey = 6/Mlxe9auEw/WQnC6QYNAYtSAo8jAEMhJ1wXaRNy4AE=
+AllowedIPs = 10.29.0.0/24
+"
diff --git a/services/ns1.jean-cloud.org/helper_functions.sh b/services/ns1.jean-cloud.org/helper_functions.sh
index 057c317..1db7c1c 100644
--- a/services/ns1.jean-cloud.org/helper_functions.sh
+++ b/services/ns1.jean-cloud.org/helper_functions.sh
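Review bot: `PrivateKey = $(cat $DATA_DIR/privatekey)` neither quotes the path nor checks that the file exists, and because the substitution is an argument to `echo`, `set -e` does not fire when `cat` fails: a missing key silently emits an `[Interface]` section with an empty `PrivateKey`. The sibling soundbase/wg-radiodemo.sh in this commit already guards this, and mirroring it is two lines: `[ -f "$DATA_DIR/privatekey" ] || { echo 'No privatekey found' >&2 ; exit 1 ; }` before the `echo`, and `PrivateKey = $(cat "$DATA_DIR/privatekey")` inside it. Since the generated config carries the private key on stdout, whatever redirects it must create the file with a restrictive mode (`umask 077` before the call, or a path wg-quick reads as 0600); that consumer is not part of this diff. `. .env` and `wgif="$1"` are taken from the working directory and argv without validation, which is tolerable for a config generator but worth a comment stating the expected cwd.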
@@ -89,14 +89,19 @@ addbindline () { sed -i "s/\([[:space:]]*\)$token/\1$acme_dns\n\1$token/" "$debian_bind_confdir/named.conf.local" - if [ -z "$shortname" ] ; then - # CNAME are forbiden for empty shortnames, so we must resolve the target IPs - while read line ; do - line_in_file "$line" "$bindfile" - done < <(fakeresolve "$target") - else - line_in_file "$shortname CNAME $target." "$bindfile" - fi + # TODO check if name already existst with a different target + # Hard since we are resolving targets now… + + # CNAME are forbiden for empty shortnames, so we must resolve the target IPs + # For performance reasons, we just put plain IP everywhere + # to put aliases in place of ip juste do the following if $shortname is empty: + #line_in_file "$shortname CNAME $target." "$bindfile" + while read line ; do + if [ -n "$shortname" ] ; then + line="$(echo "$line" | sed "s/@/$shortname/")" + fi + line_in_file "$line" "$bindfile" + done < <(fakeresolve "$target") } list_template_db_files () { diff --git a/services/radiodemo.oma-radio.fr/.env b/services/radiodemo.oma-radio.fr/.env index a80964a..1ea1b79 100644 --- a/services/radiodemo.oma-radio.fr/.env +++ b/services/radiodemo.oma-radio.fr/.env @@ -1,12 +1,2 @@ -ENDPOINT=10.29.0.1 -WEBSERVER=.105 -MUX=.100 -TELECOM=.101 -NET=172.29.0 -WEBSOCKET_PORT=2004 -RADIO_HOST=radiodemo.oma-radio.fr -MUX_SERVER_PORT=9004 -TELECOM_SERVER_PORT=3494 -SOUNDBASE_DIR=/data/radiodemo.oma-radio.fr/soundbase -OMA_DOCKER_VERSION=dev -ICECAST=.110 +GIT_SOURCE_REPO="git@gitlab.com:omaradio/website.git" +RADIO_HOST=mux.radiodemo.oma-radio.fr diff --git a/services/radiodemo.oma-radio.fr/nginx_server.conf b/services/radiodemo.oma-radio.fr/nginx_server.conf old mode 100644 new mode 100755 index 1c302fd..dba721b --- a/services/radiodemo.oma-radio.fr/nginx_server.conf +++ b/services/radiodemo.oma-radio.fr/nginx_server.conf 
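Review bot: The `@`-to-shortname rewrite interpolates `$shortname` unescaped into `sed "s/@/$shortname/"`, so a label containing `/` or `&` corrupts the record or the sed expression instead of being written literally; bash's own substitution does the same job with no quoting hazard: `line="${line/@/$shortname}"`. Replacing the CNAME with resolved A/AAAA records, as the new comment explains, also means a record goes stale whenever the target host's address changes until the zone is regenerated, and the TODO above concedes that a name reused with a different target is no longer detected; a comment naming the job that regenerates zones would help whoever finds a stale entry. `fakeresolve` and `line_in_file` are defined outside the hunk, so the assumption that `fakeresolve` emits `@`-prefixed records could not be verified here.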
@@ -1,38 +1,22 @@ -map $http_upgrade $connection_upgrade { - default upgrade; - '' close; -} - -server{ - listen $WEBSOCKET_PORT ssl; - listen [::]:$WEBSOCKET_PORT ssl; - ssl_certificate /etc/letsencrypt/live/$RADIO_HOST/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/$RADIO_HOST/privkey.pem; - - location / { - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Host $host; - proxy_pass http://172.29.0.105:9000; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_read_timeout 120s; - } -} - server { - listen 443 ssl; - listen [::]:443 ssl; - server_name $RADIO_HOST; - ssl_certificate /etc/letsencrypt/live/$RADIO_HOST/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/$RADIO_HOST/privkey.pem; + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate $JC_CERT/fullchain.pem; + ssl_certificate_key $JC_CERT/privkey.pem; + server_name $JC_SERVICE www.$JC_SERVICE; + root $HTTP_DIR/public/; - location / { - client_max_body_size 0; - proxy_pass http://$ENDPOINT; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - } + # Security headers + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self'; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self'; base-uri 'self'; form-action 'self';" always; + add_header X-Content-Type-Options "nosniff"; + add_header X-Frame-Options SAMEORIGIN always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "strict-origin-when-cross-origin"; + add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';"; - + location / { + index index.html; + try_files $uri 
$uri/ =404; + } } diff --git a/services/services.txt b/services/services.txt index e5325ab..54d777c 100644 --- a/services/services.txt +++ b/services/services.txt @@ -7,12 +7,13 @@ cousinades.jean-cloud.net max.jean-cloud.org deployer.jean-cloud.org shlago.jean-cloud.org etrevivant.net shlago.jean-cloud.org feministesucl34.jean-cloud.net tetede.jean-cloud.org +feministesucl34.communisteslibertaires.org tetede.jean-cloud.org feteducourt2020.jean-cloud.net shlago.jean-cloud.org feteducourt.jean-cloud.net shlago.jean-cloud.org git.jean-cloud.net vandamme.jean-cloud.org grapes.chahut.jean-cloud.net max.jean-cloud.org gypsylyonfestival.com max.jean-cloud.org -inurbe.fr max.jean-cloud.org +inurbe.fr shlago.jean-cloud.org jean-cloud.net shlago.jean-cloud.org leida.fr vandamme.jean-cloud.org dnscerts.jean-cloud.org max.jean-cloud.org @@ -25,8 +26,9 @@ nuage.jean-cloud.net vandamme.jean-cloud.org pa1.studios.oma-radio.fr tetede.jean-cloud.org paj.oma-radio.fr nougaro.jean-cloud.org quadrille-elsa.jean-cloud.net shlago.jean-cloud.org -radiodemo-back.oma-radio.fr montbonnot.jean-cloud.org -radiodemo.oma-radio.fr tetede.jean-cloud.org +soundbase.radiodemo.oma-radio.fr montbonnot.jean-cloud.org +radiodemo.oma-radio.fr shlago.jean-cloud.org +mux.radiodemo.oma-radio.fr raku.jean-cloud.org radionimaitre.oma-radio.fr tetede.jean-cloud.org raplacgr.jean-cloud.net tetede.jean-cloud.org rpnow.jean-cloud.net vandamme.jean-cloud.org diff --git a/services/radiodemo-back.oma-radio.fr/.env b/services/soundbase.radiodemo.oma-radio.fr/.env similarity index 67% rename from services/radiodemo-back.oma-radio.fr/.env rename to services/soundbase.radiodemo.oma-radio.fr/.env index a5f59fe..920997a 100644 --- a/services/radiodemo-back.oma-radio.fr/.env +++ b/services/soundbase.radiodemo.oma-radio.fr/.env @@ -1,6 +1,5 @@ NET=10.29.0 TELECOM=.101 -MUX=.100 ICECAST=.110 WEBSERVER=.105 SYSTEM_API=.107 
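Review bot: The new `Permissions-Policy` header uses the old Feature-Policy grammar (`geolocation='none';...`), which the Permissions-Policy parser rejects, so browsers drop the whole header; the structured-field form is `add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), payment=(), fullscreen=(self)";` (`push`, `notifications`, `speaker`, `vibrate` and `midi` are not defined Permissions-Policy features and can go). `X-Frame-Options SAMEORIGIN` also contradicts the CSP's `frame-ancestors 'none'`; CSP-aware browsers apply the CSP value, so `DENY` would make the two agree. `X-XSS-Protection` is deprecated and `1; mode=block` has been abused for false-positive blocking, so `0` or dropping the header is the current advice. Because nginx `add_header` is not inherited into a `location` that sets its own `add_header`, the `location /` block below must stay free of `add_header` or every header above is lost for that location. `includeSubDomains` in HSTS now also binds mux. and soundbase.radiodemo.oma-radio.fr to HTTPS, which looks intended since both terminate TLS, but confirm.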
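Review bot: `feministesucl34.communisteslibertaires.org tetede.jean-cloud.org` is added as a deployable service, but the only vhost that served that name, `services/feministesucl34.jean-cloud.net/nginx_server.conf`, is deleted in this same commit and no `services/feministesucl34.communisteslibertaires.org/` directory is created, so the deployer (and letsencrypt.sh, which walks the nginx confs) has nothing to deploy for it. If the site is meant to live on under the new name, its nginx_server.conf and compose file need to reappear under the new directory; if not, the line should go. The same check applies to `mux.radiodemo.oma-radio.fr raku.jean-cloud.org`, whose nginx conf exists but whose .env points `SOUNDBASE_DIR` at `/data/mux.radiodemo.oma-radio.fr/core/radioDemo` while only the soundbase deploy.sh clones `core`.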
@@ -13,12 +12,10 @@ RADIO_NAME_SIMPLE=radiodemo OMA_CONFIG_NomRadio=radiodemo OMA_CONFIG_LogLevel=8 RADIO_NAME_PRETTY="Radio Démo" -COMPOSE_NAME=radiodemo-backoma-radiofr +COMPOSE_NAME=soundbaseradiodemooma-radiofr DOCKER_INSTANCES_PREFIX=radiodemo-backoma-radiofr- DOCKER_INSTANCES_SUFIX=-1 -DATA_DIR=/home/data/radiodemo-back.oma-radio.fr -SOUNDBASE_DIR=/home/data/radiodemo-back.oma-radio.fr/core/radioDemo +SOUNDBASE_DIR=/data/soundbase.radiodemo.oma-radio.fr/core/radioDemo USE_SSL=true -PUBLIC_WEBSITE_UPSTREAM=https://static.oma-radio.fr/player-interface/1.5.0 MANAGER_WEBSITE_UPSTREAM=https://static.oma-radio.fr/single-manager/1.1.1 RADIO_HOST=radiodemo.oma-radio.fr diff --git a/services/soundbase.radiodemo.oma-radio.fr/deploy.sh b/services/soundbase.radiodemo.oma-radio.fr/deploy.sh new file mode 100755 index 0000000..7668904 --- /dev/null +++ b/services/soundbase.radiodemo.oma-radio.fr/deploy.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +git_update.sh -b dev -i "$DATA_DIR/radiodemo-deploy" -d "$DATA_DIR/core" git@gitlab.com:omaradio/core.git diff --git a/services/radiodemo-back.oma-radio.fr/docker-compose.yml b/services/soundbase.radiodemo.oma-radio.fr/docker-compose.yml similarity index 97% rename from services/radiodemo-back.oma-radio.fr/docker-compose.yml rename to services/soundbase.radiodemo.oma-radio.fr/docker-compose.yml index 1029050..94425ff 100644 --- a/services/radiodemo-back.oma-radio.fr/docker-compose.yml +++ b/services/soundbase.radiodemo.oma-radio.fr/docker-compose.yml @@ -6,7 +6,7 @@ services: environment: OMA_CONFIG_TelecommandeHost: $RADIO_HOST OMA_CONFIG_TelecommandePort: $TELECOM_SERVER_PORT - OMA_CONFIG_Client1Host: $RADIO_HOST + OMA_CONFIG_Client1Host: soundbase.radiodemo.osoundbase.radiodemo.oma-radio.fr OMA_CONFIG_Client1Port: $MUX_SERVER_PORT volumes: - $SOUNDBASE_DIR:/app/soundBase 
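Review bot: `COMPOSE_NAME` is renamed to `soundbaseradiodemooma-radiofr` but `DOCKER_INSTANCES_PREFIX=radiodemo-backoma-radiofr-` on the next line still carries the old service name, so any script deriving container names from the prefix (generate_nat.sh is renamed in this commit but not shown) will look for containers the renamed project no longer creates. `RADIO_HOST=radiodemo.oma-radio.fr` is also kept while docker-compose.yml feeds it to `OMA_CONFIG_TelecommandeHost`, yet services.txt now places the mux/telecom stack at `mux.radiodemo.oma-radio.fr` and turns `radiodemo.oma-radio.fr` into a static Hugo site; confirm the telecommande really is reachable at the old name. Dropping `DATA_DIR` from the file is consistent with deploy_service.sh supplying it, but a comment noting that the file is only valid when sourced by the deployer would stop someone sourcing it by hand.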
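Review bot: `OMA_CONFIG_Client1Host: soundbase.radiodemo.osoundbase.radiodemo.oma-radio.fr` is not a valid hostname; it reads like a doubled paste of `soundbase.radiodemo.oma-radio.fr`, and since the mux compose file in this commit sets its own Client1Host to `$NET.108`, which host the soundbase should dial is not obvious from the diff. Whichever host is meant, it should be a .env variable like the neighbouring `$RADIO_HOST` and `$MUX_SERVER_PORT` rather than a literal, e.g. `OMA_CONFIG_Client1Host: $CLIENT1_HOST` with `CLIENT1_HOST=mux.radiodemo.oma-radio.fr` (or the soundbase name) in .env, so the value is reviewed in one place. The rest of the service definition lies outside the hunk.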
diff --git a/services/radiodemo-back.oma-radio.fr/generate_nat.sh b/services/soundbase.radiodemo.oma-radio.fr/generate_nat.sh similarity index 100% rename from services/radiodemo-back.oma-radio.fr/generate_nat.sh rename to services/soundbase.radiodemo.oma-radio.fr/generate_nat.sh diff --git a/services/radiodemo-back.oma-radio.fr/nginx_server.conf b/services/soundbase.radiodemo.oma-radio.fr/nginx_server.conf similarity index 87% rename from services/radiodemo-back.oma-radio.fr/nginx_server.conf rename to services/soundbase.radiodemo.oma-radio.fr/nginx_server.conf index 08f0e21..834e508 100644 --- a/services/radiodemo-back.oma-radio.fr/nginx_server.conf +++ b/services/soundbase.radiodemo.oma-radio.fr/nginx_server.conf @@ -25,24 +25,6 @@ server { add_header Access-Control-Allow-Origin https://radio.karnaval.fr; - location = /direct.ogg { - proxy_pass http://172.29.0.110:8000/direct.ogg; - # kill cache - add_header Last-Modified $date_gmt; - add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; - if_modified_since off; - expires off; - etag off; - } - location = /direct.mp3 { - proxy_pass http://172.29.0.110:8000/direct.mp3; - # kill cache - add_header Last-Modified $date_gmt; - add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; - if_modified_since off; - expires off; - etag off; - } location = /api { rewrite ^ /api/; } location ~ /api/pigeindex(/.*) { @@ -210,14 +192,4 @@ server { auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd; try_files $uri $uri/ =404; } - location = /favicon.ico { - return 301 /favicon.webp; - } - - # for js, css, html — dynamic site, players - location / { - try_files $uri $uri/ =404; - add_header Cache-Control 'public must-revalidate'; - add_header Access-Control-Allow-Origin https://radio.karnaval.fr; - } } 
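Review bot: Deleting the catch-all `location /` (second hunk) leaves requests that match none of the remaining `location` blocks to nginx's implicit default, which serves files from the server-level `root` (set above the hunk) with no `try_files` and without the cache and CORS headers the removed block set; if that root is `$SOUNDBASE_DIR` or a parent of it, files such as `users.htpasswd` (referenced by `auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd` just above) become directly downloadable. If only the API and the explicitly listed locations are meant to be reachable, say so with an explicit fallback: `location / { return 404; }`. Moving the icecast `/direct.*` proxies to the mux vhost is consistent with `ICECAST` now living in the mux .env, but the server-level `add_header Access-Control-Allow-Origin https://radio.karnaval.fr;` kept above for a radiodemo service looks like a leftover worth confirming.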
diff --git a/services/soundbase.radiodemo.oma-radio.fr/wg-radiodemo.sh b/services/soundbase.radiodemo.oma-radio.fr/wg-radiodemo.sh
new file mode 100755
index 0000000..a283bd3
--- /dev/null
+++ b/services/soundbase.radiodemo.oma-radio.fr/wg-radiodemo.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -euo pipefail
+
+. .env
+
+[ -f "$DATA_DIR/radiodemo-soundbase.wgkey" ] || { echo 'No privatekey found' >&2 && exit 1 ; }
+
+echo "
+[Interface]
+PrivateKey = $(cat "$DATA_DIR/radiodemo-soundbase.wgkey")
+Address = 10.29.0.1/32
+ListenPort = 55820
+
+[Peer]
+PublicKey = iwIsUriF4CT/Jpu29VXlj43hT3bUjG67FeEgCTcQCVc=
+AllowedIPs = 10.29.0.254/32
+Endpoint = mux.radiodemo.oma-radio.fr:55820
+PersistentKeepalive = 30
+"
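Review bot: `. .env` sources a file named `.env` with no path component, and bash's `.` searches `$PATH` for such a name before falling back to the working directory (unless `sourcepath` is off), so a `.env` dropped into any PATH directory would be sourced instead of the service's own; `. ./.env` (or `. "$(dirname "$0")/.env"`) pins it, and the mux copy of this script has the same line. The missing-key guard is welcome, but `echo 'No privatekey found' >&2 && exit 1` only exits when the echo succeeds; `;` in place of `&&` is the conventional form. As with the mux script, the generated config puts the private key on stdout, so the caller must write it with a 0600 mode; the peer public key and endpoint are hard-coded, which is fine for a pinned peer but deserves a comment naming the host the key belongs to.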