This commit is contained in:
Adrian Amaglio 2023-10-16 10:47:35 +02:00
parent a0e674c3e5
commit 82c3f2bb2e
31 changed files with 241 additions and 229 deletions

View File

@ -60,10 +60,10 @@ fi
############################################################################### ###############################################################################
if "$deploy" ; then if "$deploy" ; then
[ -x deploy.sh ] && ./deploy.sh [ -x deploy.sh ] && . deploy.sh
[ -x deploy_http.sh ] && sudo -u www-data bash -c ". '$DOCKER_DIR/.env' && . ./deploy_http.sh" [ -x deploy_http.sh ] && sudo -u www-data bash -c "set -a ; . '$DOCKER_DIR/.env' ; set +a ; . ./deploy_http.sh"
else else
[ -x undeploy.sh ] && ./undeploy.sh [ -x undeploy.sh ] && . undeploy.sh
fi fi

View File

@ -15,7 +15,7 @@ action="$2"
if [ ! -f "$dummy_cert_path/privkey.pem" ] ; then if [ ! -f "$dummy_cert_path/privkey.pem" ] ; then
echo "Dummy cert generation" echo "Dummy cert generation"
run mkdir -p "$dummy_cert_path" run mkdir -p "$dummy_cert_path"
run openssl req -x509 -newkey rsa:2048 -keyout /etc/letsencrypt/live/dummy/privkey.pem -out /etc/letsencrypt/live/dummy/fullchain.pem -days 365 -nodes -subj "/C=FR/ST=France/O=IT/CN=jean-cloud.net" run openssl req -x509 -newkey rsa:2048 -keyout "$http_certs_path/dummy/privkey.pem" -out "$http_certs_path/dummy/fullchain.pem" -days 365 -nodes -subj "/C=FR/ST=France/O=IT/CN=jean-cloud.net"
fi fi
if [ "$action" = add ] ; then if [ "$action" = add ] ; then

View File

@ -5,15 +5,17 @@ set -euo pipefail
JC_ENV=/etc/jeancloud.env JC_ENV=/etc/jeancloud.env
certs_path=/etc/letsencrypt/live dns_certs_path=/data/dnscerts.jean-cloud.org/certs/live
http_certs_path=/etc/letsencrypt/live
proxy_dir=/etc/nginx proxy_dir=/etc/nginx
cat > "$JC_ENV" <<EOF cat > "$JC_ENV" <<EOF
proxy_dir='$proxy_dir' proxy_dir='$proxy_dir'
nginx_conf_path='$proxy_dir/sites-enabled' nginx_conf_path='$proxy_dir/sites-enabled/'
new_nginx_conf_path='$proxy_dir/new-sites-enabled' new_nginx_conf_path='$proxy_dir/new-sites-enabled'
certs_path='$certs_path' dns_certs_path='$dns_certs_path'
dummy_cert_path='$certs_path/dummy' http_certs_path='$http_certs_path'
dummy_cert_path='$http_certs_path/dummy'
servicefile=/docker/services.txt servicefile=/docker/services.txt
EOF EOF
@ -25,5 +27,6 @@ for dir in /docker/* ; do
line_in_file "DATA_DIR='/data/$service'" "/docker/$service/.env" line_in_file "DATA_DIR='/data/$service'" "/docker/$service/.env"
line_in_file "DOCKER_DIR='/docker/$service'" "/docker/$service/.env" line_in_file "DOCKER_DIR='/docker/$service'" "/docker/$service/.env"
line_in_file "JC_SERVICE='$service'" "/docker/$service/.env" line_in_file "JC_SERVICE='$service'" "/docker/$service/.env"
line_in_file "JC_CERT='/data/dnscerts.jean-cloud.org/certs/live/$service'" "/docker/$service/.env" line_in_file "JC_DNS_CERT='$dns_certs_path/$service'" "/docker/$service/.env"
line_in_file "JC_HTTP_CERT='$http_certs_path/$service'" "/docker/$service/.env"
done done

View File

@ -22,6 +22,10 @@ usage[N]="Clone to a Non-empty target. Existing files will be overwriten"
varia[N]=nonempty_target varia[N]=nonempty_target
nonempty_target=false nonempty_target=false
usage[K]="Remote host key file (known_hosts) for ssh connections"
varia[K]=hostkeyfile
hostkeyfile=''
. driglibash-args . driglibash-args
@ -32,12 +36,17 @@ if [ -n "$privkey" ] ; then
ssh_opt="$ssh_opt -i $privkey" ssh_opt="$ssh_opt -i $privkey"
fi fi
if [ -n "$hostkeyfile" ] ; then
ssh_opt="$ssh_opt -o 'UserKnownHostsFile $hostkeyfile'"
fi
repo="$1" repo="$1"
if [ -z "$repo" ] ; then if [ -z "$repo" ] ; then
die "$0: Empty repo given\n$summary" die "$0: Empty repo given\n$summary"
fi fi
cd "$dst" run mkdir -p "$dst"
run cd "$dst"
if [ -d .git ] ; then if [ -d .git ] ; then
run git fetch origin "$branch" run git fetch origin "$branch"

31
provisioning/roles/deploy_all/files/bin/hugo_rclone.sh Normal file → Executable file
View File

@ -1,14 +1,35 @@
#!/bin/bash #!/bin/bash
. driglibash-base
set -euo pipefail set -euo pipefail
. "$DOCKER_DIR/.env" [ "$#" -ne 1 ] && die "Usage: $0 <hugo_directory>"
. "$DATA_DIR/.env" dest_dir="$1"
[ -z "$dest_dir" ] && die "Arg 'hugo_directory' should not be empty."
# Get content from nextcloud
if [ -v NC_SHARE_LINK ] ; then
webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')" webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')"
webdav_user="$(echo "$NC_SHARE_LINK" |sed 's#.*/s/##')" webdav_user="$(echo "$NC_SHARE_LINK" |sed 's#.*/s/##')"
webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")" webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")"
git_update.sh "$GIT_SOURCE_REPO" rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: "$dest_dir/$CLOUD_LOCAL_PATH"
rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" -- webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: "$CLOUD_LOCAL_PATH" fi
hugo
# Go to website
cd "$dest_dir"
# Rename .attachement dirs created by nextcloud
while read filename ; do
oldname="$(basename "$filename")"
newname="${oldname:1}"
path="$(dirname "$filename")"
# And rename their references in md files
find -type f -iname '*.md' -exec sed -i "s/$oldname/$newname/g" {} \;
mv "$path/$oldname" "$path/$newname"
done < <(find -type d -name '.attachments.*')
# Build the website
hugo

View File

@ -2,6 +2,10 @@
# This script will run on new cert and on cron renew # This script will run on new cert and on cron renew
# there is one cert by service # there is one cert by service
set -euo pipefail
. /etc/jeancloud.env
# TODO make it an ansible script # TODO make it an ansible script
# No # No
@ -18,11 +22,8 @@ acmeroot=/var/www/letsencrypt
# Création du répertoire # Création du répertoire
mkdir -p "$acmeroot" mkdir -p "$acmeroot"
# With trailing slash or it will be a prefix selector
#nginx_sites_dir="/etc/nginx/sites-enabled/"
nginx_sites_dir="/etc/nginx/sites-enabled/"
for file in "$nginx_sites_dir"* ; do for file in "$nginx_conf_path"* ; do
if $verbose ; then if $verbose ; then
echo '-------------------------' echo '-------------------------'
echo "$file" echo "$file"
@ -30,6 +31,11 @@ for file in "$nginx_sites_dir"* ; do
service_name="$(basename "$file")" service_name="$(basename "$file")"
if [ -d "$dns_certs_path/$service_name" ] ; then
echo "$service_name is handled by dnscerts"
continue
fi
# Getting just the domain names # Getting just the domain names
domains="$(extract_domain_nginx_conf.sh "$file")" domains="$(extract_domain_nginx_conf.sh "$file")"
if [ -n "$domains" ] ; then if [ -n "$domains" ] ; then

View File

@ -1,11 +1,12 @@
#!/bin/bash #!/bin/bash
if [ "$#" -ne 1 ] ; then if [ "$#" -ne 2 ] ; then
echo "Usage: $0 <service_name>" >&2 echo "Usage: $0 <service_name> <workdir>" >&2
exit 1 exit 1
fi fi
service="$1" service="$1"
workdir="$2"
nginxfile="/docker/$service/nginx_server.conf" nginxfile="/docker/$service/nginx_server.conf"
if [ -f "$nginxfile" ] ; then if [ -f "$nginxfile" ] ; then
@ -13,5 +14,5 @@ if [ -f "$nginxfile" ] ; then
domains="$(echo "$nginxdomains" | tr ' ' '\n' | sort -u | resolvable.sh ns.jean-cloud.org | sed -z -e 's/\n$//' -e 's/\n/ -d /g' )" domains="$(echo "$nginxdomains" | tr ' ' '\n' | sort -u | resolvable.sh ns.jean-cloud.org | sed -z -e 's/\n$//' -e 's/\n/ -d /g' )"
[ -z "$domains" ] && exit 0 [ -z "$domains" ] && exit 0
echo "--------------- -d $domains" echo "--------------- -d $domains"
certbot certonly --config-dir "$DATA_DIR/certs" --work-dir "$tmp/work" --logs-dir "$tmp/logs" --agree-tos -m contact@jean-cloud.org -n --cert-name "$service" --dns-rfc2136 --dns-rfc2136-credentials "$DATA_DIR/rfc2136.ini" -d $domains certbot certonly --config-dir "$DATA_DIR/certs" --work-dir "$workdir/work" --logs-dir "$workdir/logs" --agree-tos -m contact@jean-cloud.org -n --cert-name "$service" --dns-rfc2136 --dns-rfc2136-credentials "$DATA_DIR/rfc2136.ini" -d $domains
fi fi

View File

@ -41,7 +41,7 @@ while read line ; do
[ -d "$DATA_DIR/certs/live/$service" ] && echo "Already exists, thats a job for renew : $service" && continue [ -d "$DATA_DIR/certs/live/$service" ] && echo "Already exists, thats a job for renew : $service" && continue
# acme # acme
"$here/acme-dns.sh" "$service" "$here/acme-dns.sh" "$service" "$tmp"
# Replace dummy cert if letsencrypt failed # Replace dummy cert if letsencrypt failed
[ "$?" -ne 0 ] && dummy_cert.sh "$service" add [ "$?" -ne 0 ] && dummy_cert.sh "$service" add

View File

@ -1,29 +1,8 @@
#!/bin/bash #!/bin/bash
set -euo pipefail set -euo pipefail
set -a
. "$DATA_DIR/.env" . "$DATA_DIR/.env"
webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')" set +a
webdav_user="$(echo "$NC_SHARE_LINK" |sed 's#.*/s/##')"
webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")"
# Get website files
git_update.sh -d "$HTTP_DIR" "$GIT_SOURCE_REPO" git_update.sh -d "$HTTP_DIR" "$GIT_SOURCE_REPO"
hugo_rclone.sh "$HTTP_DIR"
# Get content from nextcloud
rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: "$HTTP_DIR/$CLOUD_LOCAL_PATH"
# Go to website
cd "$HTTP_DIR"
# Rename .attachement dirs created by nextcloud
while read filename ; do
oldname="$(basename "$filename")"
newname="${oldname:1}"
path="$(dirname "$filename")"
# And rename their references in md files
find -type f -iname '*.md' -exec sed -i "s/$oldname/$newname/g" {} \;
mv "$path/$oldname" "$path/$newname"
done < <(find -type d -name '.attachments.*')
# Build the website
hugo

View File

@ -1,49 +0,0 @@
version: '3.1'
services:
wp:
image: wordpress:5.8-apache
restart: unless-stopped
env_file: /data/feministesucl34.jean-cloud.net/env
environment:
WORDPRESS_DB_HOST: db
WORDPRESS_DB_USER: wpdbuser
WORDPRESS_DB_NAME: wpdb
#WORDPRESS_CONFIG_EXTRA: "define( 'WP_HOME', 'https://feministesucl34.jean-cloud.net/wordpress' ); define( 'WP_SITEURL', 'https://feministesucl34.jean-cloud.net/wordpress' );"
volumes:
- /data/feministesucl34.jean-cloud.net/wordpress:/var/www/html
- /data/feministesucl34.jean-cloud.net/static:/var/www/html/static
networks:
default:
ipv4_address: 172.29.9.100
deploy:
resources:
limits:
cpus: '0.50'
memory: 100M
db:
image: mariadb:10.4
restart: unless-stopped
env_file: /data/feministesucl34.jean-cloud.net/env
environment:
MYSQL_DATABASE: wpdb
MYSQL_USER: wpdbuser
MYSQL_RANDOM_ROOT_PASSWORD: 'yes'
volumes:
- /data/feministesucl34.jean-cloud.net/db:/var/lib/mysql
networks:
default:
ipv4_address: 172.29.9.101
deploy:
resources:
limits:
cpus: '0.50'
memory: 100M
networks:
default:
ipam:
config:
- subnet: 172.29.9.0/24

View File

@ -1,32 +0,0 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/feministesucl34.jean-cloud.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/feministesucl34.jean-cloud.net/privkey.pem;
server_name wordpress.feministesucl34.jean-cloud.net www.wordpress.feministesucl34.jean-cloud.net;
location / {
client_max_body_size 2G;
#proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto https;
proxy_pass http://172.29.9.100;
proxy_redirect off;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/feministesucl34.jean-cloud.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/feministesucl34.jean-cloud.net/privkey.pem;
server_name feministesucl34.jean-cloud.net www.feministesucl34.jean-cloud.net feministesucl34.communisteslibertaires.org;
location = /wp-login.php {
return 301 https://wordpress.feministesucl34.jean-cloud.net/wp-login.php;
}
location / {
root /data/feministesucl34.jean-cloud.net/static;
try_files $uri $uri/ =404;
}
}

View File

@ -5,7 +5,7 @@ server {
ssl_certificate_key $JC_CERT/privkey.pem; ssl_certificate_key $JC_CERT/privkey.pem;
server_name $JC_SERVICE www.$JC_SERVICE; server_name $JC_SERVICE www.$JC_SERVICE;
location / { location / {
root $HTTP_DIR; root $HTTP_DIR/public;
try_files $uri $uri/ =404; try_files $uri $uri/ =404;
} }
} }

View File

@ -5,7 +5,7 @@ server {
ssl_certificate_key $JC_CERT/privkey.pem; ssl_certificate_key $JC_CERT/privkey.pem;
server_name $JC_SERVICE www.$JC_SERVICE; server_name $JC_SERVICE www.$JC_SERVICE;
location / { location / {
root $HTTP_DIR; root $HTTP_DIR/public;
try_files $uri $uri/ =404; try_files $uri $uri/ =404;
} }
} }

View File

@ -1,12 +1,12 @@
server { server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/inurbe.fr/fullchain.pem; ssl_certificate $http_certs_dir/inurbe.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/inurbe.fr/privkey.pem; ssl_certificate_key $http_certs_dir/inurbe.fr/privkey.pem;
server_name inurbe.fr www.inurbe.fr; server_name $JC_SERVICE www.$JC_SERVICE;
location / { location / {
root /data/inurbe.fr; root $DATA_DIR/public;
try_files $uri $uri/ =404; try_files $uri $uri/ =404;
} }
} }

View File

@ -0,0 +1,12 @@
ENDPOINT=10.29.0.1
WEBSERVER=.105
MUX=.100
TELECOM=.101
NET=172.29.0
WEBSOCKET_PORT=2004
RADIO_HOST=mux.radiodemo.oma-radio.fr
MUX_SERVER_PORT=9004
TELECOM_SERVER_PORT=3494
SOUNDBASE_DIR=/data/mux.radiodemo.oma-radio.fr/core/radioDemo
OMA_DOCKER_VERSION=dev
ICECAST=.110

View File

@ -0,0 +1,4 @@
#!/bin/bash
mkdir -p "$DATA_DIR/pige"
chown 10000:10000 "$DATA_DIR/pige" -R

View File

@ -1,7 +1,7 @@
version: '3' version: '3'
services: services:
ambre_mux: ambre_mux:
image: registry.gitlab.com/omaradio/core/moa-mux:$OMA_DOCKER_VERSION image: registry.gitlab.com/omaradio/core/oma-mux:$OMA_DOCKER_VERSION
env_file: .env env_file: .env
environment: environment:
OMA_CONFIG_Client1Host: $NET.108 OMA_CONFIG_Client1Host: $NET.108

View File

@ -0,0 +1,52 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server{
listen $WEBSOCKET_PORT ssl;
listen [::]:$WEBSOCKET_PORT ssl;
ssl_certificate $JC_DNS_CERT/fullchain.pem;
ssl_certificate_key $JC_DNS_CERT/privkey.pem;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_pass http://172.29.0.105:9000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 120s;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name $JC_SERVICE;
ssl_certificate $JC_DNS_CERT/fullchain.pem;
ssl_certificate_key $JC_DNS_CERT/privkey.pem;
location / {
client_max_body_size 0;
proxy_pass http://$ENDPOINT;
proxy_set_header Host 'soundbase.radiodemo.oma-radio.fr';
proxy_set_header X-Forwarded-Host $JC_SERVICE;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $remote_addr;
}
location /direct.ogg {
client_max_body_size 0;
proxy_pass http://$NET$ICECAST:8000/direct.ogg;
}
location /direct.mp3 {
client_max_body_size 0;
proxy_pass http://$NET$ICECAST:8000/direct.mp3;
}
# TODO open some stat route
}

View File

@ -0,0 +1,33 @@
#!/bin/bash
set -euo pipefail
. .env
wgif="$1"
echo "
[Interface]
PrivateKey = $(cat $DATA_DIR/privatekey)
Address = 10.29.0.254/32
ListenPort = 55820
# packet forwarding
PreUp = sysctl -w net.ipv4.ip_forward=1
# port forwarding
#PreUp = iptables -t nat -A PREROUTING -p tcp --dport $MUX_SERVER_PORT -j DNAT --to-destination $ENDPOINT:$MUX_SERVER_PORT
#PreUp = iptables -t nat -A PREROUTING -p tcp --dport $TELECOM_SERVER_PORT -j DNAT --to-destination $ENDPOINT:$TELECOM_SERVER_PORT
#PostDown = iptables -t nat -D PREROUTING -p tcp --dport $MUX_SERVER_PORT -j DNAT --to-destination $ENDPOINT:$MUX_SERVER_PORT
#PostDown = iptables -t nat -D PREROUTING -p tcp --dport $TELECOM_SERVER_PORT -j DNAT --to-destination $ENDPOINT:$TELECOM_SERVER_PORT
# packet masquerading
#PreUp = iptables -t nat -A POSTROUTING -o $wgif -j MASQUERADE
#PostDown = iptables -t nat -D POSTROUTING -o $wgif -j MASQUERADE
# remote settings for the private server
[Peer]
PublicKey = 6/Mlxe9auEw/WQnC6QYNAYtSAo8jAEMhJ1wXaRNy4AE=
AllowedIPs = 10.29.0.0/24
"

View File

@ -89,14 +89,19 @@ addbindline () {
sed -i "s/\([[:space:]]*\)$token/\1$acme_dns\n\1$token/" "$debian_bind_confdir/named.conf.local" sed -i "s/\([[:space:]]*\)$token/\1$acme_dns\n\1$token/" "$debian_bind_confdir/named.conf.local"
if [ -z "$shortname" ] ; then # TODO check if name already existst with a different target
# Hard since we are resolving targets now…
# CNAME are forbiden for empty shortnames, so we must resolve the target IPs # CNAME are forbiden for empty shortnames, so we must resolve the target IPs
# For performance reasons, we just put plain IP everywhere
# to put aliases in place of ip juste do the following if $shortname is empty:
#line_in_file "$shortname CNAME $target." "$bindfile"
while read line ; do while read line ; do
if [ -n "$shortname" ] ; then
line="$(echo "$line" | sed "s/@/$shortname/")"
fi
line_in_file "$line" "$bindfile" line_in_file "$line" "$bindfile"
done < <(fakeresolve "$target") done < <(fakeresolve "$target")
else
line_in_file "$shortname CNAME $target." "$bindfile"
fi
} }
list_template_db_files () { list_template_db_files () {

View File

@ -1,12 +1,2 @@
ENDPOINT=10.29.0.1 GIT_SOURCE_REPO="git@gitlab.com:omaradio/website.git"
WEBSERVER=.105 RADIO_HOST=mux.radiodemo.oma-radio.fr
MUX=.100
TELECOM=.101
NET=172.29.0
WEBSOCKET_PORT=2004
RADIO_HOST=radiodemo.oma-radio.fr
MUX_SERVER_PORT=9004
TELECOM_SERVER_PORT=3494
SOUNDBASE_DIR=/data/radiodemo.oma-radio.fr/soundbase
OMA_DOCKER_VERSION=dev
ICECAST=.110

50
services/radiodemo.oma-radio.fr/nginx_server.conf Normal file → Executable file
View File

@ -1,38 +1,22 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server { server {
listen $WEBSOCKET_PORT ssl; listen 443 ssl http2;
listen [::]:$WEBSOCKET_PORT ssl; listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/$RADIO_HOST/fullchain.pem; ssl_certificate $JC_CERT/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$RADIO_HOST/privkey.pem; ssl_certificate_key $JC_CERT/privkey.pem;
server_name $JC_SERVICE www.$JC_SERVICE;
root $HTTP_DIR/public/;
# Security headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self'; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self'; base-uri 'self'; form-action 'self';" always;
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options SAMEORIGIN always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';";
location / { location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; index index.html;
proxy_set_header Host $host; try_files $uri $uri/ =404;
proxy_pass http://172.29.0.105:9000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 120s;
} }
} }
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name $RADIO_HOST;
ssl_certificate /etc/letsencrypt/live/$RADIO_HOST/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$RADIO_HOST/privkey.pem;
location / {
client_max_body_size 0;
proxy_pass http://$ENDPOINT;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
}
}

View File

@ -7,12 +7,13 @@ cousinades.jean-cloud.net max.jean-cloud.org
deployer.jean-cloud.org shlago.jean-cloud.org deployer.jean-cloud.org shlago.jean-cloud.org
etrevivant.net shlago.jean-cloud.org etrevivant.net shlago.jean-cloud.org
feministesucl34.jean-cloud.net tetede.jean-cloud.org feministesucl34.jean-cloud.net tetede.jean-cloud.org
feministesucl34.communisteslibertaires.org tetede.jean-cloud.org
feteducourt2020.jean-cloud.net shlago.jean-cloud.org feteducourt2020.jean-cloud.net shlago.jean-cloud.org
feteducourt.jean-cloud.net shlago.jean-cloud.org feteducourt.jean-cloud.net shlago.jean-cloud.org
git.jean-cloud.net vandamme.jean-cloud.org git.jean-cloud.net vandamme.jean-cloud.org
grapes.chahut.jean-cloud.net max.jean-cloud.org grapes.chahut.jean-cloud.net max.jean-cloud.org
gypsylyonfestival.com max.jean-cloud.org gypsylyonfestival.com max.jean-cloud.org
inurbe.fr max.jean-cloud.org inurbe.fr shlago.jean-cloud.org
jean-cloud.net shlago.jean-cloud.org jean-cloud.net shlago.jean-cloud.org
leida.fr vandamme.jean-cloud.org leida.fr vandamme.jean-cloud.org
dnscerts.jean-cloud.org max.jean-cloud.org dnscerts.jean-cloud.org max.jean-cloud.org
@ -25,8 +26,9 @@ nuage.jean-cloud.net vandamme.jean-cloud.org
pa1.studios.oma-radio.fr tetede.jean-cloud.org pa1.studios.oma-radio.fr tetede.jean-cloud.org
paj.oma-radio.fr nougaro.jean-cloud.org paj.oma-radio.fr nougaro.jean-cloud.org
quadrille-elsa.jean-cloud.net shlago.jean-cloud.org quadrille-elsa.jean-cloud.net shlago.jean-cloud.org
radiodemo-back.oma-radio.fr montbonnot.jean-cloud.org soundbase.radiodemo.oma-radio.fr montbonnot.jean-cloud.org
radiodemo.oma-radio.fr tetede.jean-cloud.org radiodemo.oma-radio.fr shlago.jean-cloud.org
mux.radiodemo.oma-radio.fr raku.jean-cloud.org
radionimaitre.oma-radio.fr tetede.jean-cloud.org radionimaitre.oma-radio.fr tetede.jean-cloud.org
raplacgr.jean-cloud.net tetede.jean-cloud.org raplacgr.jean-cloud.net tetede.jean-cloud.org
rpnow.jean-cloud.net vandamme.jean-cloud.org rpnow.jean-cloud.net vandamme.jean-cloud.org

View File

@ -1,6 +1,5 @@
NET=10.29.0 NET=10.29.0
TELECOM=.101 TELECOM=.101
MUX=.100
ICECAST=.110 ICECAST=.110
WEBSERVER=.105 WEBSERVER=.105
SYSTEM_API=.107 SYSTEM_API=.107
@ -13,12 +12,10 @@ RADIO_NAME_SIMPLE=radiodemo
OMA_CONFIG_NomRadio=radiodemo OMA_CONFIG_NomRadio=radiodemo
OMA_CONFIG_LogLevel=8 OMA_CONFIG_LogLevel=8
RADIO_NAME_PRETTY="Radio Démo" RADIO_NAME_PRETTY="Radio Démo"
COMPOSE_NAME=radiodemo-backoma-radiofr COMPOSE_NAME=soundbaseradiodemooma-radiofr
DOCKER_INSTANCES_PREFIX=radiodemo-backoma-radiofr- DOCKER_INSTANCES_PREFIX=radiodemo-backoma-radiofr-
DOCKER_INSTANCES_SUFIX=-1 DOCKER_INSTANCES_SUFIX=-1
DATA_DIR=/home/data/radiodemo-back.oma-radio.fr SOUNDBASE_DIR=/data/soundbase.radiodemo.oma-radio.fr/core/radioDemo
SOUNDBASE_DIR=/home/data/radiodemo-back.oma-radio.fr/core/radioDemo
USE_SSL=true USE_SSL=true
PUBLIC_WEBSITE_UPSTREAM=https://static.oma-radio.fr/player-interface/1.5.0
MANAGER_WEBSITE_UPSTREAM=https://static.oma-radio.fr/single-manager/1.1.1 MANAGER_WEBSITE_UPSTREAM=https://static.oma-radio.fr/single-manager/1.1.1
RADIO_HOST=radiodemo.oma-radio.fr RADIO_HOST=radiodemo.oma-radio.fr

View File

@ -0,0 +1,3 @@
#!/bin/bash
git_update.sh -b dev -i "$DATA_DIR/radiodemo-deploy" -d "$DATA_DIR/core" git@gitlab.com:omaradio/core.git

View File

@ -6,7 +6,7 @@ services:
environment: environment:
OMA_CONFIG_TelecommandeHost: $RADIO_HOST OMA_CONFIG_TelecommandeHost: $RADIO_HOST
OMA_CONFIG_TelecommandePort: $TELECOM_SERVER_PORT OMA_CONFIG_TelecommandePort: $TELECOM_SERVER_PORT
OMA_CONFIG_Client1Host: $RADIO_HOST OMA_CONFIG_Client1Host: soundbase.radiodemo.osoundbase.radiodemo.oma-radio.fr
OMA_CONFIG_Client1Port: $MUX_SERVER_PORT OMA_CONFIG_Client1Port: $MUX_SERVER_PORT
volumes: volumes:
- $SOUNDBASE_DIR:/app/soundBase - $SOUNDBASE_DIR:/app/soundBase

View File

@ -25,24 +25,6 @@ server {
add_header Access-Control-Allow-Origin https://radio.karnaval.fr; add_header Access-Control-Allow-Origin https://radio.karnaval.fr;
location = /direct.ogg {
proxy_pass http://172.29.0.110:8000/direct.ogg;
# kill cache
add_header Last-Modified $date_gmt;
add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
if_modified_since off;
expires off;
etag off;
}
location = /direct.mp3 {
proxy_pass http://172.29.0.110:8000/direct.mp3;
# kill cache
add_header Last-Modified $date_gmt;
add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
if_modified_since off;
expires off;
etag off;
}
location = /api { rewrite ^ /api/; } location = /api { rewrite ^ /api/; }
location ~ /api/pigeindex(/.*) { location ~ /api/pigeindex(/.*) {
@ -210,14 +192,4 @@ server {
auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd; auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd;
try_files $uri $uri/ =404; try_files $uri $uri/ =404;
} }
location = /favicon.ico {
return 301 /favicon.webp;
}
# for js, css, html — dynamic site, players
location / {
try_files $uri $uri/ =404;
add_header Cache-Control 'public must-revalidate';
add_header Access-Control-Allow-Origin https://radio.karnaval.fr;
}
} }

View File

@ -0,0 +1,20 @@
#!/bin/bash
set -euo pipefail
. .env
[ -f "$DATA_DIR/radiodemo-soundbase.wgkey" ] || { echo 'No privatekey found' >&2 && exit 1 ; }
echo "
[Interface]
PrivateKey = $(cat "$DATA_DIR/radiodemo-soundbase.wgkey")
Address = 10.29.0.1/32
ListenPort = 55820
[Peer]
PublicKey = iwIsUriF4CT/Jpu29VXlj43hT3bUjG67FeEgCTcQCVc=
AllowedIPs = 10.29.0.254/32
Endpoint = mux.radiodemo.oma-radio.fr:55820
PersistentKeepalive = 30
"