update
		
							parent
							
								
									a0e674c3e5
								
							
						
					
					
						commit
						82c3f2bb2e
					
				@ -60,10 +60,10 @@ fi
 | 
				
			|||||||
###############################################################################
 | 
					###############################################################################
 | 
				
			||||||
 | 
					
 | 
				
			||||||
if "$deploy" ; then
 | 
					if "$deploy" ; then
 | 
				
			||||||
	[ -x deploy.sh ] && ./deploy.sh
 | 
						[ -x deploy.sh ] && . deploy.sh
 | 
				
			||||||
	[ -x deploy_http.sh ] && sudo -u www-data bash -c ". '$DOCKER_DIR/.env' && . ./deploy_http.sh"
 | 
						[ -x deploy_http.sh ] && sudo -u www-data bash -c "set -a ; . '$DOCKER_DIR/.env' ; set +a ; . ./deploy_http.sh"
 | 
				
			||||||
else
 | 
					else
 | 
				
			||||||
	[ -x undeploy.sh ] && ./undeploy.sh
 | 
						[ -x undeploy.sh ] && . undeploy.sh
 | 
				
			||||||
fi
 | 
					fi
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
				
			|||||||
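Review bot: `. deploy.sh` and `. undeploy.sh` contain no slash, so bash looks the name up in `PATH` before the current directory, while the `[ -x deploy.sh ]` guard tests the local file. Write `[ -x deploy.sh ] && . ./deploy.sh` and `[ -x undeploy.sh ] && . ./undeploy.sh` so the file that is tested is the file that runs. Sourcing also means each service script now executes inside this shell: an `exit` in it ends the whole run and its variables persist for later services, so a comment such as `# sourced on purpose: deploy.sh needs the variables loaded from .env` would record why. On the `sudo -u www-data bash -c` line, `$DOCKER_DIR` is pasted between single quotes into a command string, which breaks if a service directory name ever contains a quote. The rest of the script lies outside the hunk.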
@ -15,7 +15,7 @@ action="$2"
 | 
				
			|||||||
if [ ! -f "$dummy_cert_path/privkey.pem" ] ; then
 | 
					if [ ! -f "$dummy_cert_path/privkey.pem" ] ; then
 | 
				
			||||||
    echo "Dummy cert generation"
 | 
					    echo "Dummy cert generation"
 | 
				
			||||||
    run mkdir -p "$dummy_cert_path"
 | 
					    run mkdir -p "$dummy_cert_path"
 | 
				
			||||||
    run openssl req -x509 -newkey rsa:2048 -keyout /etc/letsencrypt/live/dummy/privkey.pem -out /etc/letsencrypt/live/dummy/fullchain.pem -days 365 -nodes -subj "/C=FR/ST=France/O=IT/CN=jean-cloud.net"
 | 
					    run openssl req -x509 -newkey rsa:2048 -keyout "$http_certs_path/dummy/privkey.pem" -out "$http_certs_path/dummy/fullchain.pem" -days 365 -nodes -subj "/C=FR/ST=France/O=IT/CN=jean-cloud.net"
 | 
				
			||||||
fi
 | 
					fi
 | 
				
			||||||
 | 
					
 | 
				
			||||||
if [ "$action" = add ] ; then
 | 
					if [ "$action" = add ] ; then
 | 
				
			||||||
 | 
				
			|||||||
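Review bot: The `openssl req` line writes to `"$http_certs_path/dummy/..."` while the guard and the `mkdir -p` two lines above use `$dummy_cert_path`, so the three lines agree only as long as the env file keeps defining one from the other. Using the same variable throughout removes that coupling: `-keyout "$dummy_cert_path/privkey.pem" -out "$dummy_cert_path/fullchain.pem"`. Because `-nodes` leaves the key unencrypted, it is also worth confirming the umask in effect here (not visible in the hunk) so that `privkey.pem` is not created world-readable.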
@ -5,15 +5,17 @@ set -euo pipefail
 | 
				
			|||||||
 | 
					
 | 
				
			||||||
JC_ENV=/etc/jeancloud.env
 | 
					JC_ENV=/etc/jeancloud.env
 | 
				
			||||||
 | 
					
 | 
				
			||||||
certs_path=/etc/letsencrypt/live
 | 
					dns_certs_path=/data/dnscerts.jean-cloud.org/certs/live
 | 
				
			||||||
 | 
					http_certs_path=/etc/letsencrypt/live
 | 
				
			||||||
proxy_dir=/etc/nginx
 | 
					proxy_dir=/etc/nginx
 | 
				
			||||||
 | 
					
 | 
				
			||||||
cat > "$JC_ENV" <<EOF
 | 
					cat > "$JC_ENV" <<EOF
 | 
				
			||||||
proxy_dir='$proxy_dir'
 | 
					proxy_dir='$proxy_dir'
 | 
				
			||||||
nginx_conf_path='$proxy_dir/sites-enabled'
 | 
					nginx_conf_path='$proxy_dir/sites-enabled/'
 | 
				
			||||||
new_nginx_conf_path='$proxy_dir/new-sites-enabled'
 | 
					new_nginx_conf_path='$proxy_dir/new-sites-enabled'
 | 
				
			||||||
certs_path='$certs_path'
 | 
					dns_certs_path='$dns_certs_path'
 | 
				
			||||||
dummy_cert_path='$certs_path/dummy'
 | 
					http_certs_path='$http_certs_path'
 | 
				
			||||||
 | 
					dummy_cert_path='$http_certs_path/dummy'
 | 
				
			||||||
servicefile=/docker/services.txt
 | 
					servicefile=/docker/services.txt
 | 
				
			||||||
EOF
 | 
					EOF
 | 
				
			||||||
	
 | 
						
 | 
				
			||||||
@ -25,5 +27,6 @@ for dir in /docker/* ; do
 | 
				
			|||||||
	line_in_file "DATA_DIR='/data/$service'" "/docker/$service/.env"
 | 
						line_in_file "DATA_DIR='/data/$service'" "/docker/$service/.env"
 | 
				
			||||||
	line_in_file "DOCKER_DIR='/docker/$service'" "/docker/$service/.env"
 | 
						line_in_file "DOCKER_DIR='/docker/$service'" "/docker/$service/.env"
 | 
				
			||||||
	line_in_file "JC_SERVICE='$service'" "/docker/$service/.env"
 | 
						line_in_file "JC_SERVICE='$service'" "/docker/$service/.env"
 | 
				
			||||||
	line_in_file "JC_CERT='/data/dnscerts.jean-cloud.org/certs/live/$service'" "/docker/$service/.env"
 | 
						line_in_file "JC_DNS_CERT='$dns_certs_path/$service'" "/docker/$service/.env"
 | 
				
			||||||
 | 
						line_in_file "JC_HTTP_CERT='$http_certs_path/$service'" "/docker/$service/.env"
 | 
				
			||||||
done
 | 
					done
 | 
				
			||||||
 | 
				
			|||||||
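Review bot: `JC_CERT` is no longer written to the per-service `.env` (it becomes `JC_DNS_CERT`, with `JC_HTTP_CERT` added), but the nginx templates shown further down this page still read `ssl_certificate_key $JC_CERT/privkey.pem;` on their new side. For a service whose `.env` is created after this commit the prefix would presumably expand to nothing and nginx would be pointed at `/privkey.pem`; existing `.env` files may only keep working because the old line was never removed, which depends on how `line_in_file` behaves (not visible here). Either update those templates in the same commit or keep a transitional `line_in_file "JC_CERT='$dns_certs_path/$service'" "/docker/$service/.env"`. The same applies to `certs_path`, which disappears from `/etc/jeancloud.env` in the hunk above: any script that still reads it under `set -u` will abort.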
@ -22,6 +22,10 @@ usage[N]="Clone to a Non-empty target. Existing files will be overwriten"
 | 
				
			|||||||
varia[N]=nonempty_target
 | 
					varia[N]=nonempty_target
 | 
				
			||||||
nonempty_target=false
 | 
					nonempty_target=false
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					usage[K]="Remote host key file (known_hosts) for ssh connections"
 | 
				
			||||||
 | 
					varia[K]=hostkeyfile
 | 
				
			||||||
 | 
					hostkeyfile=''
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					
 | 
				
			||||||
. driglibash-args
 | 
					. driglibash-args
 | 
				
			||||||
 | 
					
 | 
				
			||||||
@ -32,12 +36,17 @@ if [ -n "$privkey" ] ; then
 | 
				
			|||||||
	ssh_opt="$ssh_opt -i $privkey"
 | 
						ssh_opt="$ssh_opt -i $privkey"
 | 
				
			||||||
fi
 | 
					fi
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					if [ -n "$hostkeyfile" ] ; then
 | 
				
			||||||
 | 
						ssh_opt="$ssh_opt -o 'UserKnownHostsFile $hostkeyfile'"
 | 
				
			||||||
 | 
					fi
 | 
				
			||||||
 | 
					
 | 
				
			||||||
repo="$1"
 | 
					repo="$1"
 | 
				
			||||||
if [ -z "$repo" ] ; then
 | 
					if [ -z "$repo" ] ; then
 | 
				
			||||||
	die "$0: Empty repo given\n$summary"
 | 
						die "$0: Empty repo given\n$summary"
 | 
				
			||||||
fi
 | 
					fi
 | 
				
			||||||
 | 
					
 | 
				
			||||||
cd "$dst"
 | 
					run mkdir -p "$dst"
 | 
				
			||||||
 | 
					run cd "$dst"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
if [ -d .git ] ; then
 | 
					if [ -d .git ] ; then
 | 
				
			||||||
	run git fetch origin "$branch"
 | 
						run git fetch origin "$branch"
 | 
				
			||||||
 | 
				
			|||||||
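Review bot: In `ssh_opt="$ssh_opt -o 'UserKnownHostsFile $hostkeyfile'"` the single quotes are literal characters inside the string, so the option is only parsed correctly if `$ssh_opt` is later handed to something that re-parses it as shell text; how `ssh_opt` is consumed is outside the hunk. A path containing a quote or a space breaks it either way, as does the existing `-i $privkey`. Since `-K` exists to pin the remote host key, I would fail early on a bad path with `[ -f "$hostkeyfile" ] || die "$0: host key file not found: $hostkeyfile"`. Separately, `run cd "$dst"` only changes directory if `run` executes its arguments in the current shell, which should be confirmed against driglibash.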
							
								
								
									
										31
									
								
								provisioning/roles/deploy_all/files/bin/hugo_rclone.sh
									
									
									
									
									
										
										
										Normal file → Executable file
									
								
							
							
						
						
									
										31
									
								
								provisioning/roles/deploy_all/files/bin/hugo_rclone.sh
									
									
									
									
									
										
										
										Normal file → Executable file
									
								
							@ -1,14 +1,35 @@
 | 
				
			|||||||
#!/bin/bash
 | 
					#!/bin/bash
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					. driglibash-base
 | 
				
			||||||
 | 
					
 | 
				
			||||||
set -euo pipefail
 | 
					set -euo pipefail
 | 
				
			||||||
 | 
					
 | 
				
			||||||
. "$DOCKER_DIR/.env"
 | 
					[ "$#" -ne 1 ] && die "Usage: $0 <hugo_directory>"
 | 
				
			||||||
. "$DATA_DIR/.env"
 | 
					dest_dir="$1"
 | 
				
			||||||
 | 
					[ -z "$dest_dir" ] && die "Arg 'hugo_directory' should not be empty."
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					# Get content from nextcloud
 | 
				
			||||||
 | 
					if [ -v NC_SHARE_LINK ] ; then
 | 
				
			||||||
	webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')"
 | 
						webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')"
 | 
				
			||||||
	webdav_user="$(echo "$NC_SHARE_LINK"  |sed 's#.*/s/##')"
 | 
						webdav_user="$(echo "$NC_SHARE_LINK"  |sed 's#.*/s/##')"
 | 
				
			||||||
	webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")"
 | 
						webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
git_update.sh "$GIT_SOURCE_REPO"    
 | 
						rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: "$dest_dir/$CLOUD_LOCAL_PATH"
 | 
				
			||||||
rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" --      webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: "$CLOUD_LOCAL_PATH"
 | 
					fi
 | 
				
			||||||
hugo    
 | 
					 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					# Go to website
 | 
				
			||||||
 | 
					cd "$dest_dir"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					# Rename .attachement dirs created by nextcloud
 | 
				
			||||||
 | 
					while read filename ; do    
 | 
				
			||||||
 | 
					    oldname="$(basename "$filename")"    
 | 
				
			||||||
 | 
					    newname="${oldname:1}"    
 | 
				
			||||||
 | 
					    path="$(dirname "$filename")"    
 | 
				
			||||||
 | 
					    # And rename their references in md files  
 | 
				
			||||||
 | 
					    find -type f -iname '*.md' -exec sed -i "s/$oldname/$newname/g" {} \;    
 | 
				
			||||||
 | 
					    mv "$path/$oldname" "$path/$newname"    
 | 
				
			||||||
 | 
					done < <(find -type d -name '.attachments.*')
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					# Build the website
 | 
				
			||||||
 | 
					hugo
 | 
				
			||||||
 | 
				
			|||||||
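Review bot: In the rename loop, `sed -i "s/$oldname/$newname/g"` builds a sed program from directory names that were just synced from the Nextcloud share, so anyone who can write to the share controls part of that program. The dots in `.attachments.<id>` are also regex wildcards, so the pattern matches more text than intended. Check the name before using it and escape the dots: `[[ "$oldname" =~ ^\.attachments\.[A-Za-z0-9_-]+$ ]] || continue` followed by `sed -i "s/${oldname//./\\.}/$newname/g"`, and read names with `while IFS= read -r filename`. The rclone call passes `--webdav-pass` on the command line, where it is visible in the process list; `rclone obscure` is not encryption, so exporting `RCLONE_WEBDAV_PASS` instead keeps it out of argv.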
@ -2,6 +2,10 @@
 | 
				
			|||||||
# This script will run on new cert and on cron renew
 | 
					# This script will run on new cert and on cron renew
 | 
				
			||||||
# there is one cert by service
 | 
					# there is one cert by service
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					set -euo pipefail
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					. /etc/jeancloud.env
 | 
				
			||||||
 | 
					
 | 
				
			||||||
# TODO make it an ansible script
 | 
					# TODO make it an ansible script
 | 
				
			||||||
# No
 | 
					# No
 | 
				
			||||||
 | 
					
 | 
				
			||||||
@ -18,11 +22,8 @@ acmeroot=/var/www/letsencrypt
 | 
				
			|||||||
# Création du répertoire
 | 
					# Création du répertoire
 | 
				
			||||||
mkdir -p "$acmeroot"
 | 
					mkdir -p "$acmeroot"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
# With trailing slash or it will be a prefix selector
 | 
					 | 
				
			||||||
#nginx_sites_dir="/etc/nginx/sites-enabled/"
 | 
					 | 
				
			||||||
nginx_sites_dir="/etc/nginx/sites-enabled/"
 | 
					 | 
				
			||||||
 | 
					
 | 
				
			||||||
for file in "$nginx_sites_dir"* ; do
 | 
					for file in "$nginx_conf_path"* ; do
 | 
				
			||||||
  if $verbose ; then
 | 
					  if $verbose ; then
 | 
				
			||||||
    echo '-------------------------'
 | 
					    echo '-------------------------'
 | 
				
			||||||
    echo "$file"
 | 
					    echo "$file"
 | 
				
			||||||
@ -30,6 +31,11 @@ for file in "$nginx_sites_dir"* ; do
 | 
				
			|||||||
 | 
					
 | 
				
			||||||
  service_name="$(basename "$file")"
 | 
					  service_name="$(basename "$file")"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					  if [ -d "$dns_certs_path/$service_name" ] ; then
 | 
				
			||||||
 | 
						  echo "$service_name is handled by dnscerts"
 | 
				
			||||||
 | 
						  continue
 | 
				
			||||||
 | 
					  fi
 | 
				
			||||||
 | 
					    
 | 
				
			||||||
  # Getting just the domain names
 | 
					  # Getting just the domain names
 | 
				
			||||||
  domains="$(extract_domain_nginx_conf.sh "$file")"
 | 
					  domains="$(extract_domain_nginx_conf.sh "$file")"
 | 
				
			||||||
  if [ -n "$domains" ] ; then
 | 
					  if [ -n "$domains" ] ; then
 | 
				
			||||||
 | 
				
			|||||||
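Review bot: The loop `for file in "$nginx_conf_path"*` only iterates the directory when the variable ends in a slash, and the comment that said so ("With trailing slash or it will be a prefix selector") is deleted here while the value moves to `/etc/jeancloud.env`. Without the slash the glob would match any sibling path that starts with `sites-enabled`. Make the loop independent of how the value is written: `for file in "${nginx_conf_path%/}"/* ; do`. With `set -euo pipefail` now active, `if $verbose` also needs `verbose` to be defined before this point, which is outside the hunks shown.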
@ -1,11 +1,12 @@
 | 
				
			|||||||
#!/bin/bash
 | 
					#!/bin/bash
 | 
				
			||||||
 | 
					
 | 
				
			||||||
if [ "$#" -ne 1 ] ; then
 | 
					if [ "$#" -ne 2 ] ; then
 | 
				
			||||||
	echo "Usage: $0 <service_name>" >&2
 | 
						echo "Usage: $0 <service_name> <workdir>" >&2
 | 
				
			||||||
	exit 1
 | 
						exit 1
 | 
				
			||||||
fi
 | 
					fi
 | 
				
			||||||
 | 
					
 | 
				
			||||||
service="$1"
 | 
					service="$1"
 | 
				
			||||||
 | 
					workdir="$2"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
nginxfile="/docker/$service/nginx_server.conf"
 | 
					nginxfile="/docker/$service/nginx_server.conf"
 | 
				
			||||||
if [ -f "$nginxfile" ] ; then    
 | 
					if [ -f "$nginxfile" ] ; then    
 | 
				
			||||||
@ -13,5 +14,5 @@ if [ -f "$nginxfile" ] ; then
 | 
				
			|||||||
	domains="$(echo "$nginxdomains" | tr ' ' '\n' | sort -u | resolvable.sh ns.jean-cloud.org | sed -z -e 's/\n$//' -e 's/\n/ -d /g' )"
 | 
						domains="$(echo "$nginxdomains" | tr ' ' '\n' | sort -u | resolvable.sh ns.jean-cloud.org | sed -z -e 's/\n$//' -e 's/\n/ -d /g' )"
 | 
				
			||||||
	[ -z "$domains" ] && exit 0
 | 
						[ -z "$domains" ] && exit 0
 | 
				
			||||||
	echo "--------------- -d $domains"
 | 
						echo "--------------- -d $domains"
 | 
				
			||||||
	certbot certonly --config-dir "$DATA_DIR/certs" --work-dir "$tmp/work" --logs-dir "$tmp/logs" --agree-tos -m contact@jean-cloud.org -n --cert-name "$service" --dns-rfc2136 --dns-rfc2136-credentials "$DATA_DIR/rfc2136.ini" -d $domains
 | 
						certbot certonly --config-dir "$DATA_DIR/certs" --work-dir "$workdir/work" --logs-dir "$workdir/logs" --agree-tos -m contact@jean-cloud.org -n --cert-name "$service" --dns-rfc2136 --dns-rfc2136-credentials "$DATA_DIR/rfc2136.ini" -d $domains
 | 
				
			||||||
fi
 | 
					fi
 | 
				
			||||||
 | 
				
			|||||||
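Review bot: The new `workdir` argument is only counted, not checked, so an empty or mistyped value makes certbot use `/work` and `/logs` as its work and log directories. The caller shown below passes `"$tmp"`, whose definition is not visible, which makes that case plausible. Add a guard after the assignment: `[ -d "$workdir" ] || { echo "$0: workdir is not a directory: $workdir" >&2; exit 1; }`. This script has no `set -u`, so an unset `DATA_DIR` would likewise turn `--config-dir` into `/certs`.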
@ -41,7 +41,7 @@ while read line ; do
 | 
				
			|||||||
	[ -d "$DATA_DIR/certs/live/$service" ] && echo "Already exists, thats a job for renew : $service" && continue
 | 
						[ -d "$DATA_DIR/certs/live/$service" ] && echo "Already exists, thats a job for renew : $service" && continue
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	# acme
 | 
						# acme
 | 
				
			||||||
	"$here/acme-dns.sh" "$service"
 | 
						"$here/acme-dns.sh" "$service" "$tmp"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	# Replace dummy cert if letsencrypt failed
 | 
						# Replace dummy cert if letsencrypt failed
 | 
				
			||||||
	[ "$?" -ne 0 ] && dummy_cert.sh "$service" add
 | 
						[ "$?" -ne 0 ] && dummy_cert.sh "$service" add
 | 
				
			||||||
 | 
				
			|||||||
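Review bot: The fallback `[ "$?" -ne 0 ] && dummy_cert.sh "$service" add` is separated from the `acme-dns.sh` call it tests, and if this script runs under `set -e` (not visible in the hunk) a failing `acme-dns.sh` exits the loop before the check is reached, so the dummy certificate is never installed. Tie the two together: `"$here/acme-dns.sh" "$service" "$tmp" || dummy_cert.sh "$service" add`. The enclosing `while read line` loop starts and ends outside the hunk.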
@ -1,29 +1,8 @@
 | 
				
			|||||||
#!/bin/bash
 | 
					#!/bin/bash
 | 
				
			||||||
set -euo pipefail
 | 
					set -euo pipefail
 | 
				
			||||||
 | 
					set -a
 | 
				
			||||||
. "$DATA_DIR/.env"
 | 
					. "$DATA_DIR/.env"
 | 
				
			||||||
webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')"
 | 
					set +a
 | 
				
			||||||
webdav_user="$(echo "$NC_SHARE_LINK"  |sed 's#.*/s/##')"
 | 
					 | 
				
			||||||
webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")"
 | 
					 | 
				
			||||||
 | 
					
 | 
				
			||||||
# Get website files
 | 
					 | 
				
			||||||
git_update.sh -d "$HTTP_DIR" "$GIT_SOURCE_REPO"
 | 
					git_update.sh -d "$HTTP_DIR" "$GIT_SOURCE_REPO"
 | 
				
			||||||
 | 
					hugo_rclone.sh "$HTTP_DIR"
 | 
				
			||||||
# Get content from nextcloud
 | 
					 | 
				
			||||||
rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: "$HTTP_DIR/$CLOUD_LOCAL_PATH"
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
# Go to website
 | 
					 | 
				
			||||||
cd "$HTTP_DIR"
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
# Rename .attachement dirs created by nextcloud
 | 
					 | 
				
			||||||
while read filename ; do    
 | 
					 | 
				
			||||||
    oldname="$(basename "$filename")"    
 | 
					 | 
				
			||||||
    newname="${oldname:1}"    
 | 
					 | 
				
			||||||
    path="$(dirname "$filename")"    
 | 
					 | 
				
			||||||
    # And rename their references in md files  
 | 
					 | 
				
			||||||
    find -type f -iname '*.md' -exec sed -i "s/$oldname/$newname/g" {} \;    
 | 
					 | 
				
			||||||
    mv "$path/$oldname" "$path/$newname"    
 | 
					 | 
				
			||||||
done < <(find -type d -name '.attachments.*')
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
# Build the website
 | 
					 | 
				
			||||||
hugo
 | 
					 | 
				
			||||||
 | 
				
			|||||||
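Review bot: `set -a` around `. "$DATA_DIR/.env"` exports every variable in that file, including `NC_SHARE_PASSWORD`, to `git_update.sh`, `hugo_rclone.sh` and everything they start (git, ssh, hugo). Only `hugo_rclone.sh` needs the share credentials, so I would source the file without `set -a` and export just the names the children read, or at least add a comment such as `# set -a: hugo_rclone.sh reads NC_SHARE_LINK, NC_SHARE_PASSWORD and CLOUD_LOCAL_PATH from the environment`. The file is also executed as shell code by the deploying user, so its ownership and mode should not allow the service itself to rewrite it.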
@ -1,49 +0,0 @@
 | 
				
			|||||||
version: '3.1'
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
services:
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
  wp:
 | 
					 | 
				
			||||||
    image: wordpress:5.8-apache
 | 
					 | 
				
			||||||
    restart: unless-stopped
 | 
					 | 
				
			||||||
    env_file: /data/feministesucl34.jean-cloud.net/env
 | 
					 | 
				
			||||||
    environment:
 | 
					 | 
				
			||||||
      WORDPRESS_DB_HOST: db
 | 
					 | 
				
			||||||
      WORDPRESS_DB_USER: wpdbuser
 | 
					 | 
				
			||||||
      WORDPRESS_DB_NAME: wpdb
 | 
					 | 
				
			||||||
      #WORDPRESS_CONFIG_EXTRA: "define( 'WP_HOME', 'https://feministesucl34.jean-cloud.net/wordpress' ); define( 'WP_SITEURL', 'https://feministesucl34.jean-cloud.net/wordpress' );"
 | 
					 | 
				
			||||||
    volumes:
 | 
					 | 
				
			||||||
      - /data/feministesucl34.jean-cloud.net/wordpress:/var/www/html
 | 
					 | 
				
			||||||
      - /data/feministesucl34.jean-cloud.net/static:/var/www/html/static
 | 
					 | 
				
			||||||
    networks:
 | 
					 | 
				
			||||||
      default:
 | 
					 | 
				
			||||||
        ipv4_address: 172.29.9.100
 | 
					 | 
				
			||||||
    deploy:
 | 
					 | 
				
			||||||
      resources:
 | 
					 | 
				
			||||||
        limits:
 | 
					 | 
				
			||||||
          cpus: '0.50'
 | 
					 | 
				
			||||||
          memory: 100M
 | 
					 | 
				
			||||||
  db:
 | 
					 | 
				
			||||||
    image: mariadb:10.4
 | 
					 | 
				
			||||||
    restart: unless-stopped
 | 
					 | 
				
			||||||
    env_file: /data/feministesucl34.jean-cloud.net/env
 | 
					 | 
				
			||||||
    environment:
 | 
					 | 
				
			||||||
      MYSQL_DATABASE: wpdb
 | 
					 | 
				
			||||||
      MYSQL_USER: wpdbuser
 | 
					 | 
				
			||||||
      MYSQL_RANDOM_ROOT_PASSWORD: 'yes'
 | 
					 | 
				
			||||||
    volumes:
 | 
					 | 
				
			||||||
      - /data/feministesucl34.jean-cloud.net/db:/var/lib/mysql
 | 
					 | 
				
			||||||
    networks:
 | 
					 | 
				
			||||||
      default:
 | 
					 | 
				
			||||||
        ipv4_address: 172.29.9.101
 | 
					 | 
				
			||||||
    deploy:
 | 
					 | 
				
			||||||
      resources:
 | 
					 | 
				
			||||||
        limits:
 | 
					 | 
				
			||||||
          cpus: '0.50'
 | 
					 | 
				
			||||||
          memory: 100M
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
networks:
 | 
					 | 
				
			||||||
  default:
 | 
					 | 
				
			||||||
    ipam:
 | 
					 | 
				
			||||||
      config:
 | 
					 | 
				
			||||||
        - subnet: 172.29.9.0/24
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
@ -1,32 +0,0 @@
 | 
				
			|||||||
server {
 | 
					 | 
				
			||||||
  listen 443 ssl http2;
 | 
					 | 
				
			||||||
  listen [::]:443 ssl http2;
 | 
					 | 
				
			||||||
  ssl_certificate /etc/letsencrypt/live/feministesucl34.jean-cloud.net/fullchain.pem;
 | 
					 | 
				
			||||||
  ssl_certificate_key /etc/letsencrypt/live/feministesucl34.jean-cloud.net/privkey.pem;
 | 
					 | 
				
			||||||
  server_name wordpress.feministesucl34.jean-cloud.net www.wordpress.feministesucl34.jean-cloud.net;
 | 
					 | 
				
			||||||
  location  / {
 | 
					 | 
				
			||||||
    client_max_body_size 2G;
 | 
					 | 
				
			||||||
    #proxy_set_header X-Real-IP $remote_addr;
 | 
					 | 
				
			||||||
    proxy_set_header Host $http_host;
 | 
					 | 
				
			||||||
    proxy_set_header X-Forwarded-Proto https;
 | 
					 | 
				
			||||||
    proxy_pass http://172.29.9.100;
 | 
					 | 
				
			||||||
    proxy_redirect off;
 | 
					 | 
				
			||||||
  }
 | 
					 | 
				
			||||||
}
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
server {
 | 
					 | 
				
			||||||
  listen 443 ssl http2;
 | 
					 | 
				
			||||||
  listen [::]:443 ssl http2;
 | 
					 | 
				
			||||||
  ssl_certificate /etc/letsencrypt/live/feministesucl34.jean-cloud.net/fullchain.pem;
 | 
					 | 
				
			||||||
  ssl_certificate_key /etc/letsencrypt/live/feministesucl34.jean-cloud.net/privkey.pem;
 | 
					 | 
				
			||||||
  server_name feministesucl34.jean-cloud.net www.feministesucl34.jean-cloud.net feministesucl34.communisteslibertaires.org;
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
  location = /wp-login.php {
 | 
					 | 
				
			||||||
    return 301 https://wordpress.feministesucl34.jean-cloud.net/wp-login.php;
 | 
					 | 
				
			||||||
  }
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
  location /  {
 | 
					 | 
				
			||||||
    root /data/feministesucl34.jean-cloud.net/static;
 | 
					 | 
				
			||||||
    try_files $uri $uri/ =404;
 | 
					 | 
				
			||||||
  }
 | 
					 | 
				
			||||||
}
 | 
					 | 
				
			||||||
@ -5,7 +5,7 @@ server {
 | 
				
			|||||||
  ssl_certificate_key $JC_CERT/privkey.pem;
 | 
					  ssl_certificate_key $JC_CERT/privkey.pem;
 | 
				
			||||||
  server_name $JC_SERVICE www.$JC_SERVICE;
 | 
					  server_name $JC_SERVICE www.$JC_SERVICE;
 | 
				
			||||||
  location / {
 | 
					  location / {
 | 
				
			||||||
    root $HTTP_DIR;
 | 
					    root $HTTP_DIR/public;
 | 
				
			||||||
    try_files $uri $uri/ =404;
 | 
					    try_files $uri $uri/ =404;
 | 
				
			||||||
  }
 | 
					  }
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
				
			|||||||
@ -5,7 +5,7 @@ server {
 | 
				
			|||||||
  ssl_certificate_key $JC_CERT/privkey.pem;
 | 
					  ssl_certificate_key $JC_CERT/privkey.pem;
 | 
				
			||||||
  server_name $JC_SERVICE www.$JC_SERVICE;
 | 
					  server_name $JC_SERVICE www.$JC_SERVICE;
 | 
				
			||||||
  location / {
 | 
					  location / {
 | 
				
			||||||
    root $HTTP_DIR;
 | 
					    root $HTTP_DIR/public;
 | 
				
			||||||
    try_files $uri $uri/ =404;
 | 
					    try_files $uri $uri/ =404;
 | 
				
			||||||
  }
 | 
					  }
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
				
			|||||||
@ -1,12 +1,12 @@
 | 
				
			|||||||
server {
 | 
					server {
 | 
				
			||||||
  listen 443 ssl http2;
 | 
					  listen 443 ssl http2;
 | 
				
			||||||
  listen [::]:443 ssl http2;
 | 
					  listen [::]:443 ssl http2;
 | 
				
			||||||
  ssl_certificate /etc/letsencrypt/live/inurbe.fr/fullchain.pem;
 | 
					  ssl_certificate $http_certs_dir/inurbe.fr/fullchain.pem;
 | 
				
			||||||
  ssl_certificate_key /etc/letsencrypt/live/inurbe.fr/privkey.pem;
 | 
					  ssl_certificate_key $http_certs_dir/inurbe.fr/privkey.pem;
 | 
				
			||||||
  server_name inurbe.fr www.inurbe.fr;
 | 
					  server_name $JC_SERVICE www.$JC_SERVICE;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
  location /  {
 | 
					  location /  {
 | 
				
			||||||
    root /data/inurbe.fr;
 | 
					    root $DATA_DIR/public;
 | 
				
			||||||
    try_files $uri $uri/ =404;
 | 
					    try_files $uri $uri/ =404;
 | 
				
			||||||
  }
 | 
					  }
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
				
			|||||||
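Review bot: The certificate paths use `$http_certs_dir`, but the variable written to `/etc/jeancloud.env` in this commit is `http_certs_path`, and the per-service one is `JC_HTTP_CERT`. If the template step substitutes unknown names with an empty string (the templating is not visible here), nginx would be given `/inurbe.fr/fullchain.pem`. The domain is still hard-coded in the path although `server_name` now uses `$JC_SERVICE`. Using the per-service variable fixes both: `ssl_certificate $JC_HTTP_CERT/fullchain.pem;` and `ssl_certificate_key $JC_HTTP_CERT/privkey.pem;`.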
							
								
								
									
										12
									
								
								services/mux.radiodemo.oma-radio.fr/.env
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										12
									
								
								services/mux.radiodemo.oma-radio.fr/.env
									
									
									
									
									
										Normal file
									
								
							@ -0,0 +1,12 @@
 | 
				
			|||||||
 | 
					ENDPOINT=10.29.0.1
 | 
				
			||||||
 | 
					WEBSERVER=.105
 | 
				
			||||||
 | 
					MUX=.100
 | 
				
			||||||
 | 
					TELECOM=.101
 | 
				
			||||||
 | 
					NET=172.29.0
 | 
				
			||||||
 | 
					WEBSOCKET_PORT=2004
 | 
				
			||||||
 | 
					RADIO_HOST=mux.radiodemo.oma-radio.fr
 | 
				
			||||||
 | 
					MUX_SERVER_PORT=9004
 | 
				
			||||||
 | 
					TELECOM_SERVER_PORT=3494
 | 
				
			||||||
 | 
					SOUNDBASE_DIR=/data/mux.radiodemo.oma-radio.fr/core/radioDemo
 | 
				
			||||||
 | 
					OMA_DOCKER_VERSION=dev
 | 
				
			||||||
 | 
					ICECAST=.110
 | 
				
			||||||
							
								
								
									
										4
									
								
								services/mux.radiodemo.oma-radio.fr/deploy.sh
									
									
									
									
									
										Executable file
									
								
							
							
						
						
									
										4
									
								
								services/mux.radiodemo.oma-radio.fr/deploy.sh
									
									
									
									
									
										Executable file
									
								
							@ -0,0 +1,4 @@
 | 
				
			|||||||
 | 
					#!/bin/bash
 | 
				
			||||||
 | 
					mkdir -p "$DATA_DIR/pige"
 | 
				
			||||||
 | 
					chown 10000:10000 "$DATA_DIR/pige" -R
 | 
				
			||||||
 | 
					
 | 
				
			||||||
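Review bot: Both commands depend on `DATA_DIR` being set, and nothing in the file checks it; if it is empty the script creates `/pige` and recursively changes its ownership. Since the deploy script in this commit now sources this file rather than executing it, protection depends on whatever options the caller has active. Make the file safe on its own with `mkdir -p "${DATA_DIR:?}/pige"` and `chown -R 10000:10000 "${DATA_DIR:?}/pige"`, putting `-R` before the operands so it does not rely on GNU option reordering. A comment naming what uid/gid 10000 is (presumably the container user) would help the next reader.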
@ -1,7 +1,7 @@
 | 
				
			|||||||
version: '3'
 | 
					version: '3'
 | 
				
			||||||
services:
 | 
					services:
 | 
				
			||||||
  ambre_mux:
 | 
					  ambre_mux:
 | 
				
			||||||
    image: registry.gitlab.com/omaradio/core/moa-mux:$OMA_DOCKER_VERSION
 | 
					    image: registry.gitlab.com/omaradio/core/oma-mux:$OMA_DOCKER_VERSION
 | 
				
			||||||
    env_file: .env
 | 
					    env_file: .env
 | 
				
			||||||
    environment:
 | 
					    environment:
 | 
				
			||||||
      OMA_CONFIG_Client1Host: $NET.108
 | 
					      OMA_CONFIG_Client1Host: $NET.108
 | 
				
			||||||
							
								
								
									
										52
									
								
								services/mux.radiodemo.oma-radio.fr/nginx_server.conf
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										52
									
								
								services/mux.radiodemo.oma-radio.fr/nginx_server.conf
									
									
									
									
									
										Normal file
									
								
							@ -0,0 +1,52 @@
 | 
				
			|||||||
 | 
					map $http_upgrade $connection_upgrade {
 | 
				
			||||||
 | 
					       default upgrade;
 | 
				
			||||||
 | 
					       '' close;
 | 
				
			||||||
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					server{
 | 
				
			||||||
 | 
						listen $WEBSOCKET_PORT ssl;
 | 
				
			||||||
 | 
						listen [::]:$WEBSOCKET_PORT ssl;
 | 
				
			||||||
 | 
						ssl_certificate     $JC_DNS_CERT/fullchain.pem;
 | 
				
			||||||
 | 
					    ssl_certificate_key $JC_DNS_CERT/privkey.pem;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
						location / {
 | 
				
			||||||
 | 
					            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 | 
				
			||||||
 | 
					            proxy_set_header Host $host;
 | 
				
			||||||
 | 
					            proxy_pass http://172.29.0.105:9000;
 | 
				
			||||||
 | 
					            proxy_http_version 1.1;
 | 
				
			||||||
 | 
					            proxy_set_header Upgrade $http_upgrade;
 | 
				
			||||||
 | 
					            proxy_set_header Connection "upgrade";
 | 
				
			||||||
 | 
						        proxy_read_timeout 120s;
 | 
				
			||||||
 | 
						}
 | 
				
			||||||
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					server {
 | 
				
			||||||
 | 
						listen 443 ssl;
 | 
				
			||||||
 | 
						listen [::]:443 ssl;
 | 
				
			||||||
 | 
						server_name $JC_SERVICE;
 | 
				
			||||||
 | 
						ssl_certificate     $JC_DNS_CERT/fullchain.pem;
 | 
				
			||||||
 | 
					    ssl_certificate_key $JC_DNS_CERT/privkey.pem;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    location / {
 | 
				
			||||||
 | 
					        client_max_body_size 0;
 | 
				
			||||||
 | 
					        proxy_pass http://$ENDPOINT;
 | 
				
			||||||
 | 
					        proxy_set_header Host 'soundbase.radiodemo.oma-radio.fr';
 | 
				
			||||||
 | 
							proxy_set_header X-Forwarded-Host $JC_SERVICE;
 | 
				
			||||||
 | 
							proxy_set_header X-Forwarded-Proto https;
 | 
				
			||||||
 | 
					        proxy_set_header X-Forwarded-For $remote_addr;
 | 
				
			||||||
 | 
					    }
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
						location /direct.ogg {
 | 
				
			||||||
 | 
							client_max_body_size 0;
 | 
				
			||||||
 | 
							proxy_pass http://$NET$ICECAST:8000/direct.ogg;
 | 
				
			||||||
 | 
						}
 | 
				
			||||||
 | 
						location /direct.mp3 {
 | 
				
			||||||
 | 
							client_max_body_size 0;
 | 
				
			||||||
 | 
							proxy_pass http://$NET$ICECAST:8000/direct.mp3;
 | 
				
			||||||
 | 
						}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
						# TODO open some stat route
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
						
 | 
				
			||||||
 | 
					}
 | 
				
			||||||
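Review bot: The `map $http_upgrade $connection_upgrade` block at the top is never used: the WebSocket location sends `proxy_set_header Connection "upgrade";` unconditionally, so ordinary requests on that port are forwarded with an upgrade header too. Use the mapped value, `proxy_set_header Connection $connection_upgrade;`, or drop the map. That server block also has no `server_name`, and its upstream `http://172.29.0.105:9000` is hard-coded although `.env` defines `NET` and `WEBSERVER`. `client_max_body_size 0;` on `location /` removes the request-size limit for everything proxied to `$ENDPOINT`; if only uploads need it, scope it to the upload path. The file mixes template variables (`$JC_SERVICE`, `$ENDPOINT`) with nginx runtime variables (`$host`, `$remote_addr`), so the substitution step must leave the latter untouched.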
							
								
								
									
										33
									
								
								services/mux.radiodemo.oma-radio.fr/wg-radiodemo.sh
									
									
									
									
									
										Executable file
									
								
							
							
						
						
									
										33
									
								
								services/mux.radiodemo.oma-radio.fr/wg-radiodemo.sh
									
									
									
									
									
										Executable file
									
								
							@ -0,0 +1,33 @@
 | 
				
			|||||||
 | 
					#!/bin/bash
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					set -euo pipefail
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					. .env
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					wgif="$1"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					echo "
 | 
				
			||||||
 | 
					[Interface]
 | 
				
			||||||
 | 
					PrivateKey = $(cat $DATA_DIR/privatekey)
 | 
				
			||||||
 | 
					Address = 10.29.0.254/32
 | 
				
			||||||
 | 
					ListenPort = 55820
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					# packet forwarding
 | 
				
			||||||
 | 
					PreUp = sysctl -w net.ipv4.ip_forward=1
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					# port forwarding
 | 
				
			||||||
 | 
					#PreUp = iptables -t nat -A PREROUTING -p tcp --dport $MUX_SERVER_PORT -j DNAT --to-destination $ENDPOINT:$MUX_SERVER_PORT
 | 
				
			||||||
 | 
					#PreUp = iptables -t nat -A PREROUTING -p tcp --dport $TELECOM_SERVER_PORT -j DNAT --to-destination $ENDPOINT:$TELECOM_SERVER_PORT
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					#PostDown = iptables -t nat -D PREROUTING -p tcp --dport $MUX_SERVER_PORT -j DNAT --to-destination $ENDPOINT:$MUX_SERVER_PORT
 | 
				
			||||||
 | 
					#PostDown = iptables -t nat -D PREROUTING -p tcp --dport $TELECOM_SERVER_PORT -j DNAT --to-destination $ENDPOINT:$TELECOM_SERVER_PORT
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					# packet masquerading
 | 
				
			||||||
 | 
					#PreUp = iptables -t nat -A POSTROUTING -o $wgif -j MASQUERADE
 | 
				
			||||||
 | 
					#PostDown = iptables -t nat -D POSTROUTING -o $wgif -j MASQUERADE
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					# remote settings for the private server
 | 
				
			||||||
 | 
					[Peer]
 | 
				
			||||||
 | 
					PublicKey = 6/Mlxe9auEw/WQnC6QYNAYtSAo8jAEMhJ1wXaRNy4AE=
 | 
				
			||||||
 | 
					AllowedIPs = 10.29.0.0/24
 | 
				
			||||||
 | 
					"
 | 
				
			||||||
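Review bot: The private key is read with `$(cat $DATA_DIR/privatekey)` inside the argument of `echo`, where `set -e` does not see a failing `cat`, so a missing or unreadable key file produces a config with an empty `PrivateKey` and exit status 0. Read it first so the failure is fatal, and quote the path: `privatekey="$(cat "$DATA_DIR/privatekey")"`, then `PrivateKey = $privatekey`. The whole config, key included, goes to stdout, so whoever redirects it decides the file mode; a header comment saying the output must be written under `umask 077` would make that explicit. `. .env` has no slash and is therefore looked up in `PATH` before the current directory; `. ./.env` avoids that.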
@ -89,14 +89,19 @@ addbindline () {
 | 
				
			|||||||
	sed -i "s/\([[:space:]]*\)$token/\1$acme_dns\n\1$token/" "$debian_bind_confdir/named.conf.local"
 | 
						sed -i "s/\([[:space:]]*\)$token/\1$acme_dns\n\1$token/" "$debian_bind_confdir/named.conf.local"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	if [ -z "$shortname" ] ; then
 | 
						# TODO check if name already existst with a different target
 | 
				
			||||||
 | 
						# Hard since we are resolving targets now…
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	# CNAME are forbiden for empty shortnames, so we must resolve the target IPs
 | 
						# CNAME are forbiden for empty shortnames, so we must resolve the target IPs
 | 
				
			||||||
 | 
						# For performance reasons, we just put plain IP everywhere
 | 
				
			||||||
 | 
						# to put aliases in place of ip juste do the following if $shortname is empty:
 | 
				
			||||||
 | 
						#line_in_file "$shortname CNAME $target." "$bindfile"
 | 
				
			||||||
	while read line ; do
 | 
						while read line ; do
 | 
				
			||||||
 | 
							if [ -n "$shortname" ] ; then
 | 
				
			||||||
 | 
								line="$(echo "$line" | sed "s/@/$shortname/")"
 | 
				
			||||||
 | 
							fi
 | 
				
			||||||
		line_in_file "$line" "$bindfile"
 | 
							line_in_file "$line" "$bindfile"
 | 
				
			||||||
	done < <(fakeresolve "$target")
 | 
						done < <(fakeresolve "$target")
 | 
				
			||||||
	else
 | 
					 | 
				
			||||||
		line_in_file "$shortname CNAME $target." "$bindfile"
 | 
					 | 
				
			||||||
	fi
 | 
					 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
list_template_db_files () {
 | 
					list_template_db_files () {
 | 
				
			||||||
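Review bot: The new `while read line` loop in addbindline reads the resolver output without `-r` and pastes `$shortname` into a sed expression, so a backslash in a resolved line, or a `/` or `\` in the name, changes what ends up in the zone file. `while IFS= read -r line ; do` together with `line="${line/@/$shortname}"` keeps both values out of sed's parsing and saves a process per line. The added comment `to put aliases in place of ip juste do the following if $shortname is empty` also reads inverted against the line above it, which says CNAME is forbidden for empty shortnames; `# to use an alias instead of IPs when $shortname is not empty:` would match. addbindline starts before this hunk.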
 | 
				
			|||||||
@ -1,12 +1,2 @@
 | 
				
			|||||||
ENDPOINT=10.29.0.1
 | 
					GIT_SOURCE_REPO="git@gitlab.com:omaradio/website.git"
 | 
				
			||||||
WEBSERVER=.105
 | 
					RADIO_HOST=mux.radiodemo.oma-radio.fr
 | 
				
			||||||
MUX=.100
 | 
					 | 
				
			||||||
TELECOM=.101
 | 
					 | 
				
			||||||
NET=172.29.0
 | 
					 | 
				
			||||||
WEBSOCKET_PORT=2004
 | 
					 | 
				
			||||||
RADIO_HOST=radiodemo.oma-radio.fr
 | 
					 | 
				
			||||||
MUX_SERVER_PORT=9004
 | 
					 | 
				
			||||||
TELECOM_SERVER_PORT=3494
 | 
					 | 
				
			||||||
SOUNDBASE_DIR=/data/radiodemo.oma-radio.fr/soundbase
 | 
					 | 
				
			||||||
OMA_DOCKER_VERSION=dev
 | 
					 | 
				
			||||||
ICECAST=.110
 | 
					 | 
				
			||||||
 | 
				
			|||||||
							
								
								
									
										50
									
								
								services/radiodemo.oma-radio.fr/nginx_server.conf
									
									
									
									
									
										
										
										Normal file → Executable file
									
								
							
							
						
						
									
										50
									
								
								services/radiodemo.oma-radio.fr/nginx_server.conf
									
									
									
									
									
										
										
										Normal file → Executable file
									
								
							@ -1,38 +1,22 @@
 | 
				
			|||||||
map $http_upgrade $connection_upgrade {
 | 
					 | 
				
			||||||
       default upgrade;
 | 
					 | 
				
			||||||
       '' close;
 | 
					 | 
				
			||||||
}
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
server {
 | 
					server {
 | 
				
			||||||
	listen $WEBSOCKET_PORT ssl;
 | 
					  listen 443 ssl http2;
 | 
				
			||||||
	listen [::]:$WEBSOCKET_PORT ssl;
 | 
					  listen [::]:443 ssl http2;
 | 
				
			||||||
	ssl_certificate      /etc/letsencrypt/live/$RADIO_HOST/fullchain.pem;
 | 
					  ssl_certificate $JC_CERT/fullchain.pem;
 | 
				
			||||||
    ssl_certificate_key /etc/letsencrypt/live/$RADIO_HOST/privkey.pem;
 | 
					  ssl_certificate_key $JC_CERT/privkey.pem;
 | 
				
			||||||
 | 
					  server_name $JC_SERVICE www.$JC_SERVICE;
 | 
				
			||||||
 | 
					  root $HTTP_DIR/public/;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					  # Security headers
 | 
				
			||||||
 | 
					  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 | 
				
			||||||
 | 
					  add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self'; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self'; base-uri 'self'; form-action 'self';" always;
 | 
				
			||||||
 | 
					  add_header X-Content-Type-Options "nosniff";
 | 
				
			||||||
 | 
					  add_header X-Frame-Options SAMEORIGIN always;
 | 
				
			||||||
 | 
					  add_header X-XSS-Protection "1; mode=block" always;
 | 
				
			||||||
 | 
					  add_header Referrer-Policy "strict-origin-when-cross-origin";
 | 
				
			||||||
 | 
					  add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';";
 | 
				
			||||||
 | 
					
 | 
				
			||||||
  location / {
 | 
					  location / {
 | 
				
			||||||
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 | 
					          index index.html;
 | 
				
			||||||
            proxy_set_header Host $host;
 | 
					          try_files $uri $uri/ =404;
 | 
				
			||||||
            proxy_pass http://172.29.0.105:9000;
 | 
					 | 
				
			||||||
            proxy_http_version 1.1;
 | 
					 | 
				
			||||||
            proxy_set_header Upgrade $http_upgrade;
 | 
					 | 
				
			||||||
            proxy_set_header Connection "upgrade";
 | 
					 | 
				
			||||||
	        proxy_read_timeout 120s;
 | 
					 | 
				
			||||||
  }
 | 
					  }
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					 | 
				
			||||||
server {
 | 
					 | 
				
			||||||
	listen 443 ssl;
 | 
					 | 
				
			||||||
	listen [::]:443 ssl;
 | 
					 | 
				
			||||||
	server_name $RADIO_HOST;
 | 
					 | 
				
			||||||
	ssl_certificate     /etc/letsencrypt/live/$RADIO_HOST/fullchain.pem;
 | 
					 | 
				
			||||||
    ssl_certificate_key /etc/letsencrypt/live/$RADIO_HOST/privkey.pem;
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
	location / {
 | 
					 | 
				
			||||||
		client_max_body_size 0;
 | 
					 | 
				
			||||||
		proxy_pass http://$ENDPOINT;
 | 
					 | 
				
			||||||
		proxy_set_header Host            $host;
 | 
					 | 
				
			||||||
    	proxy_set_header X-Forwarded-For $remote_addr;
 | 
					 | 
				
			||||||
	}
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
	
 | 
					 | 
				
			||||||
}
 | 
					 | 
				
			||||||
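Review bot: The `Permissions-Policy` value on the new `add_header` line is written as `name='none';` pairs, which is not that header's syntax, so browsers are expected to discard it and none of the listed features end up restricted. The header takes a comma-separated list of `feature=(allowlist)` entries, for example `add_header Permissions-Policy "geolocation=(), midi=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), fullscreen=(self), payment=()" always;`. In the same block `X-Frame-Options SAMEORIGIN` disagrees with `frame-ancestors 'none'` in the CSP, where `DENY` would state the same policy in both, and `always` is missing on the `X-Content-Type-Options`, `Referrer-Policy` and `Permissions-Policy` lines, so those are not sent on error responses.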
 | 
				
			|||||||
@ -7,12 +7,13 @@ cousinades.jean-cloud.net max.jean-cloud.org
 | 
				
			|||||||
deployer.jean-cloud.org shlago.jean-cloud.org
 | 
					deployer.jean-cloud.org shlago.jean-cloud.org
 | 
				
			||||||
etrevivant.net shlago.jean-cloud.org
 | 
					etrevivant.net shlago.jean-cloud.org
 | 
				
			||||||
feministesucl34.jean-cloud.net tetede.jean-cloud.org
 | 
					feministesucl34.jean-cloud.net tetede.jean-cloud.org
 | 
				
			||||||
 | 
					feministesucl34.communisteslibertaires.org tetede.jean-cloud.org
 | 
				
			||||||
feteducourt2020.jean-cloud.net shlago.jean-cloud.org
 | 
					feteducourt2020.jean-cloud.net shlago.jean-cloud.org
 | 
				
			||||||
feteducourt.jean-cloud.net shlago.jean-cloud.org
 | 
					feteducourt.jean-cloud.net shlago.jean-cloud.org
 | 
				
			||||||
git.jean-cloud.net vandamme.jean-cloud.org
 | 
					git.jean-cloud.net vandamme.jean-cloud.org
 | 
				
			||||||
grapes.chahut.jean-cloud.net max.jean-cloud.org
 | 
					grapes.chahut.jean-cloud.net max.jean-cloud.org
 | 
				
			||||||
gypsylyonfestival.com max.jean-cloud.org
 | 
					gypsylyonfestival.com max.jean-cloud.org
 | 
				
			||||||
inurbe.fr max.jean-cloud.org
 | 
					inurbe.fr shlago.jean-cloud.org
 | 
				
			||||||
jean-cloud.net shlago.jean-cloud.org
 | 
					jean-cloud.net shlago.jean-cloud.org
 | 
				
			||||||
leida.fr vandamme.jean-cloud.org
 | 
					leida.fr vandamme.jean-cloud.org
 | 
				
			||||||
dnscerts.jean-cloud.org max.jean-cloud.org
 | 
					dnscerts.jean-cloud.org max.jean-cloud.org
 | 
				
			||||||
@ -25,8 +26,9 @@ nuage.jean-cloud.net vandamme.jean-cloud.org
 | 
				
			|||||||
pa1.studios.oma-radio.fr tetede.jean-cloud.org
 | 
					pa1.studios.oma-radio.fr tetede.jean-cloud.org
 | 
				
			||||||
paj.oma-radio.fr nougaro.jean-cloud.org
 | 
					paj.oma-radio.fr nougaro.jean-cloud.org
 | 
				
			||||||
quadrille-elsa.jean-cloud.net shlago.jean-cloud.org
 | 
					quadrille-elsa.jean-cloud.net shlago.jean-cloud.org
 | 
				
			||||||
radiodemo-back.oma-radio.fr montbonnot.jean-cloud.org
 | 
					soundbase.radiodemo.oma-radio.fr montbonnot.jean-cloud.org
 | 
				
			||||||
radiodemo.oma-radio.fr tetede.jean-cloud.org
 | 
					radiodemo.oma-radio.fr shlago.jean-cloud.org
 | 
				
			||||||
 | 
					mux.radiodemo.oma-radio.fr raku.jean-cloud.org
 | 
				
			||||||
radionimaitre.oma-radio.fr tetede.jean-cloud.org
 | 
					radionimaitre.oma-radio.fr tetede.jean-cloud.org
 | 
				
			||||||
raplacgr.jean-cloud.net tetede.jean-cloud.org
 | 
					raplacgr.jean-cloud.net tetede.jean-cloud.org
 | 
				
			||||||
rpnow.jean-cloud.net vandamme.jean-cloud.org
 | 
					rpnow.jean-cloud.net vandamme.jean-cloud.org
 | 
				
			||||||
 | 
				
			|||||||
@ -1,6 +1,5 @@
 | 
				
			|||||||
NET=10.29.0
 | 
					NET=10.29.0
 | 
				
			||||||
TELECOM=.101
 | 
					TELECOM=.101
 | 
				
			||||||
MUX=.100
 | 
					 | 
				
			||||||
ICECAST=.110
 | 
					ICECAST=.110
 | 
				
			||||||
WEBSERVER=.105
 | 
					WEBSERVER=.105
 | 
				
			||||||
SYSTEM_API=.107
 | 
					SYSTEM_API=.107
 | 
				
			||||||
@ -13,12 +12,10 @@ RADIO_NAME_SIMPLE=radiodemo
 | 
				
			|||||||
OMA_CONFIG_NomRadio=radiodemo
 | 
					OMA_CONFIG_NomRadio=radiodemo
 | 
				
			||||||
OMA_CONFIG_LogLevel=8
 | 
					OMA_CONFIG_LogLevel=8
 | 
				
			||||||
RADIO_NAME_PRETTY="Radio Démo"
 | 
					RADIO_NAME_PRETTY="Radio Démo"
 | 
				
			||||||
COMPOSE_NAME=radiodemo-backoma-radiofr
 | 
					COMPOSE_NAME=soundbaseradiodemooma-radiofr
 | 
				
			||||||
DOCKER_INSTANCES_PREFIX=radiodemo-backoma-radiofr-
 | 
					DOCKER_INSTANCES_PREFIX=radiodemo-backoma-radiofr-
 | 
				
			||||||
DOCKER_INSTANCES_SUFIX=-1
 | 
					DOCKER_INSTANCES_SUFIX=-1
 | 
				
			||||||
DATA_DIR=/home/data/radiodemo-back.oma-radio.fr
 | 
					SOUNDBASE_DIR=/data/soundbase.radiodemo.oma-radio.fr/core/radioDemo
 | 
				
			||||||
SOUNDBASE_DIR=/home/data/radiodemo-back.oma-radio.fr/core/radioDemo
 | 
					 | 
				
			||||||
USE_SSL=true
 | 
					USE_SSL=true
 | 
				
			||||||
PUBLIC_WEBSITE_UPSTREAM=https://static.oma-radio.fr/player-interface/1.5.0
 | 
					 | 
				
			||||||
MANAGER_WEBSITE_UPSTREAM=https://static.oma-radio.fr/single-manager/1.1.1
 | 
					MANAGER_WEBSITE_UPSTREAM=https://static.oma-radio.fr/single-manager/1.1.1
 | 
				
			||||||
RADIO_HOST=radiodemo.oma-radio.fr
 | 
					RADIO_HOST=radiodemo.oma-radio.fr
 | 
				
			||||||
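Review bot: `COMPOSE_NAME` is renamed to `soundbaseradiodemooma-radiofr`, but `DOCKER_INSTANCES_PREFIX` on the next line still carries `radiodemo-backoma-radiofr-`. If the prefix is meant to follow the compose project name (the consumer is not visible here), anything that resolves containers through it will look for names that no longer exist, and `DOCKER_INSTANCES_PREFIX=soundbaseradiodemooma-radiofr-` would match. The same hunk drops the `DATA_DIR=` line while `deploy.sh` and `wg-radiodemo.sh` on this page still expand `$DATA_DIR`, so it is worth confirming that the deployer exports it. The file name of this section is not shown on the page.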
							
								
								
									
										3
									
								
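--- a/services/soundbase.radiodemo.oma-radio.fr/deploy.sh
+++ b/services/soundbase.radiodemo.oma-radio.fr/deploy.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+git_update.sh -b dev -i "$DATA_DIR/radiodemo-deploy" -d "$DATA_DIR/core" git@gitlab.com:omaradio/core.git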
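Review bot: `$DATA_DIR` is expanded twice in the `git_update.sh` call with nothing in this script establishing that it is set, so an empty value turns the `-i` path into `/radiodemo-deploy` and the `-d` target into `/core`. A guard as the first command, `: "${DATA_DIR:?DATA_DIR must be set}"`, makes the script stop instead of working on the filesystem root. The `-i` argument looks like a deploy key (inferred from its name only), and a comment such as `# deploy key: must be readable by the deploying user only` would record that expectation.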
@ -6,7 +6,7 @@ services:
 | 
				
			|||||||
    environment:
 | 
					    environment:
 | 
				
			||||||
      OMA_CONFIG_TelecommandeHost: $RADIO_HOST
 | 
					      OMA_CONFIG_TelecommandeHost: $RADIO_HOST
 | 
				
			||||||
      OMA_CONFIG_TelecommandePort: $TELECOM_SERVER_PORT
 | 
					      OMA_CONFIG_TelecommandePort: $TELECOM_SERVER_PORT
 | 
				
			||||||
      OMA_CONFIG_Client1Host: $RADIO_HOST
 | 
					      OMA_CONFIG_Client1Host: soundbase.radiodemo.osoundbase.radiodemo.oma-radio.fr
 | 
				
			||||||
      OMA_CONFIG_Client1Port: $MUX_SERVER_PORT
 | 
					      OMA_CONFIG_Client1Port: $MUX_SERVER_PORT
 | 
				
			||||||
    volumes:
 | 
					    volumes:
 | 
				
			||||||
      - $SOUNDBASE_DIR:/app/soundBase
 | 
					      - $SOUNDBASE_DIR:/app/soundBase
 | 
				
			||||||
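Review bot: The new value `soundbase.radiodemo.osoundbase.radiodemo.oma-radio.fr` for `OMA_CONFIG_Client1Host` looks like a paste that landed inside itself, and it is not one of the host names in the DNS list on this page, so the client would probably fail to resolve it. If the soundbase host is what was meant, the corrected line is `OMA_CONFIG_Client1Host: soundbase.radiodemo.oma-radio.fr`. Taking it from a variable in `.env`, as the neighbouring `$RADIO_HOST` entries do, would keep the name in one place. The service definition starts before this hunk.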
@ -25,24 +25,6 @@ server {
 | 
				
			|||||||
        add_header Access-Control-Allow-Origin https://radio.karnaval.fr;
 | 
					        add_header Access-Control-Allow-Origin https://radio.karnaval.fr;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	location = /direct.ogg {
 | 
					 | 
				
			||||||
		proxy_pass http://172.29.0.110:8000/direct.ogg;
 | 
					 | 
				
			||||||
		# kill cache
 | 
					 | 
				
			||||||
        add_header Last-Modified $date_gmt;
 | 
					 | 
				
			||||||
        add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
 | 
					 | 
				
			||||||
        if_modified_since off;
 | 
					 | 
				
			||||||
        expires off;
 | 
					 | 
				
			||||||
        etag off;
 | 
					 | 
				
			||||||
	}
 | 
					 | 
				
			||||||
	location = /direct.mp3 {
 | 
					 | 
				
			||||||
		proxy_pass http://172.29.0.110:8000/direct.mp3;
 | 
					 | 
				
			||||||
		# kill cache
 | 
					 | 
				
			||||||
        add_header Last-Modified $date_gmt;
 | 
					 | 
				
			||||||
        add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
 | 
					 | 
				
			||||||
        if_modified_since off;
 | 
					 | 
				
			||||||
        expires off;
 | 
					 | 
				
			||||||
        etag off;
 | 
					 | 
				
			||||||
	}
 | 
					 | 
				
			||||||
 | 
					
 | 
				
			||||||
    location = /api { rewrite ^ /api/; }
 | 
					    location = /api { rewrite ^ /api/; }
 | 
				
			||||||
    location ~ /api/pigeindex(/.*) {
 | 
					    location ~ /api/pigeindex(/.*) {
 | 
				
			||||||
@ -210,14 +192,4 @@ server {
 | 
				
			|||||||
        auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd; 
 | 
					        auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd; 
 | 
				
			||||||
		try_files $uri $uri/ =404;
 | 
							try_files $uri $uri/ =404;
 | 
				
			||||||
    }
 | 
					    }
 | 
				
			||||||
	location = /favicon.ico {
 | 
					 | 
				
			||||||
		return 301 /favicon.webp;
 | 
					 | 
				
			||||||
    }
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
	# for js, css, html — dynamic site, players
 | 
					 | 
				
			||||||
	location  / {
 | 
					 | 
				
			||||||
		try_files $uri $uri/ =404;
 | 
					 | 
				
			||||||
		add_header Cache-Control 'public must-revalidate';
 | 
					 | 
				
			||||||
        	add_header Access-Control-Allow-Origin https://radio.karnaval.fr;
 | 
					 | 
				
			||||||
	}
 | 
					 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
							
								
								
									
										20
									
								
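--- a/services/soundbase.radiodemo.oma-radio.fr/wg-radiodemo.sh
+++ b/services/soundbase.radiodemo.oma-radio.fr/wg-radiodemo.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -euo pipefail
+
+. .env
+
+[ -f "$DATA_DIR/radiodemo-soundbase.wgkey" ] || { echo 'No privatekey found' >&2 && exit 1 ; }
+
+echo "
+[Interface]
+PrivateKey = $(cat "$DATA_DIR/radiodemo-soundbase.wgkey")
+Address = 10.29.0.1/32
+ListenPort = 55820
+
+[Peer]
+PublicKey = iwIsUriF4CT/Jpu29VXlj43hT3bUjG67FeEgCTcQCVc=
+AllowedIPs = 10.29.0.254/32
+Endpoint = mux.radiodemo.oma-radio.fr:55820
+PersistentKeepalive = 30
+"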
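Review bot: The `$(cat "$DATA_DIR/radiodemo-soundbase.wgkey")` inside the `echo "…"` argument is not covered by `set -e`, because the status of a command substitution in an argument is discarded, so a key file that exists but cannot be read passes the `-f` test and yields a config with an empty `PrivateKey`. Reading it first with `privatekey="$(cat "$DATA_DIR/radiodemo-soundbase.wgkey")"` and printing `PrivateKey = $privatekey` lets the failure abort the script. Since stdout then carries the private key, a header comment such as `# prints a WireGuard config including the private key; redirect to a 0600 file, never to a log` would tell callers how to handle it. The other config generator at the top of this page has the same pattern, with `$DATA_DIR` unquoted and no existence check at all.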