update

2023-10-16 10:47:35 +02:00 · 2023-10-16 10:47:35 +02:00 · 82c3f2bb2e
commit 82c3f2bb2e
parent a0e674c3e5
31 changed files with 241 additions and 229 deletions
--- a/provisioning/roles/deploy_all/files/bin/deploy_service.sh
+++ b/provisioning/roles/deploy_all/files/bin/deploy_service.sh
@ -60,10 +60,10 @@ fi
 ###############################################################################

 if "$deploy" ; then
-	[ -x deploy.sh ] && ./deploy.sh
-	[ -x deploy_http.sh ] && sudo -u www-data bash -c ". '$DOCKER_DIR/.env' && . ./deploy_http.sh"
+	[ -x deploy.sh ] && . deploy.sh
+	[ -x deploy_http.sh ] && sudo -u www-data bash -c "set -a ; . '$DOCKER_DIR/.env' ; set +a ; . ./deploy_http.sh"
 else
-	[ -x undeploy.sh ] && ./undeploy.sh
+	[ -x undeploy.sh ] && . undeploy.sh
 fi


--- a/provisioning/roles/deploy_all/files/bin/dummy_cert.sh
+++ b/provisioning/roles/deploy_all/files/bin/dummy_cert.sh
@ -15,7 +15,7 @@ action="$2"
 if [ ! -f "$dummy_cert_path/privkey.pem" ] ; then
    echo "Dummy cert generation"
    run mkdir -p "$dummy_cert_path"
-    run openssl req -x509 -newkey rsa:2048 -keyout /etc/letsencrypt/live/dummy/privkey.pem -out /etc/letsencrypt/live/dummy/fullchain.pem -days 365 -nodes -subj "/C=FR/ST=France/O=IT/CN=jean-cloud.net"
+    run openssl req -x509 -newkey rsa:2048 -keyout "$http_certs_path/dummy/privkey.pem" -out "$http_certs_path/dummy/fullchain.pem" -days 365 -nodes -subj "/C=FR/ST=France/O=IT/CN=jean-cloud.net"
 fi

 if [ "$action" = add ] ; then
--- a/provisioning/roles/deploy_all/files/bin/gen_env.sh
+++ b/provisioning/roles/deploy_all/files/bin/gen_env.sh
@ -5,15 +5,17 @@ set -euo pipefail

 JC_ENV=/etc/jeancloud.env

-certs_path=/etc/letsencrypt/live
+dns_certs_path=/data/dnscerts.jean-cloud.org/certs/live
+http_certs_path=/etc/letsencrypt/live
 proxy_dir=/etc/nginx

 cat > "$JC_ENV" <<EOF
 proxy_dir='$proxy_dir'
-nginx_conf_path='$proxy_dir/sites-enabled'
+nginx_conf_path='$proxy_dir/sites-enabled/'
 new_nginx_conf_path='$proxy_dir/new-sites-enabled'
-certs_path='$certs_path'
-dummy_cert_path='$certs_path/dummy'
+dns_certs_path='$dns_certs_path'
+http_certs_path='$http_certs_path'
+dummy_cert_path='$http_certs_path/dummy'
 servicefile=/docker/services.txt
 EOF
 	
@ -25,5 +27,6 @@ for dir in /docker/* ; do
 	line_in_file "DATA_DIR='/data/$service'" "/docker/$service/.env"
 	line_in_file "DOCKER_DIR='/docker/$service'" "/docker/$service/.env"
 	line_in_file "JC_SERVICE='$service'" "/docker/$service/.env"
-	line_in_file "JC_CERT='/data/dnscerts.jean-cloud.org/certs/live/$service'" "/docker/$service/.env"
+	line_in_file "JC_DNS_CERT='$dns_certs_path/$service'" "/docker/$service/.env"
+	line_in_file "JC_HTTP_CERT='$http_certs_path/$service'" "/docker/$service/.env"
 done
--- a/provisioning/roles/deploy_all/files/bin/git_update.sh
+++ b/provisioning/roles/deploy_all/files/bin/git_update.sh
@ -22,6 +22,10 @@ usage[N]="Clone to a Non-empty target. Existing files will be overwriten"
 varia[N]=nonempty_target
 nonempty_target=false

+usage[K]="Remote host key file (known_hosts) for ssh connections"
+varia[K]=hostkeyfile
+hostkeyfile=''
+

 . driglibash-args

@ -32,12 +36,17 @@ if [ -n "$privkey" ] ; then
 	ssh_opt="$ssh_opt -i $privkey"
 fi

+if [ -n "$hostkeyfile" ] ; then
+	ssh_opt="$ssh_opt -o 'UserKnownHostsFile $hostkeyfile'"
+fi
+
 repo="$1"
 if [ -z "$repo" ] ; then
 	die "$0: Empty repo given\n$summary"
 fi

-cd "$dst"
+run mkdir -p "$dst"
+run cd "$dst"

 if [ -d .git ] ; then
 	run git fetch origin "$branch"
--- a/provisioning/roles/deploy_all/files/bin/hugo_rclone.sh
+++ b/provisioning/roles/deploy_all/files/bin/hugo_rclone.sh
@ -1,14 +1,35 @@
 #!/bin/bash
+
+. driglibash-base
+
 set -euo pipefail

-. "$DOCKER_DIR/.env"
-. "$DATA_DIR/.env"
+[ "$#" -ne 1 ] && die "Usage: $0 <hugo_directory>"
+dest_dir="$1"
+[ -z "$dest_dir" ] && die "Arg 'hugo_directory' should not be empty."

-webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')"    
-webdav_user="$(echo "$NC_SHARE_LINK"  |sed 's#.*/s/##')"    
-webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")"    

-git_update.sh "$GIT_SOURCE_REPO"    
-rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" --      webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: "$CLOUD_LOCAL_PATH"
+# Get content from nextcloud
+if [ -v NC_SHARE_LINK ] ; then
+	webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')"
+	webdav_user="$(echo "$NC_SHARE_LINK"  |sed 's#.*/s/##')"
+	webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")"
+
+	rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: "$dest_dir/$CLOUD_LOCAL_PATH"
+fi
+
+# Go to website
+cd "$dest_dir"
+
+# Rename .attachement dirs created by nextcloud
+while read filename ; do    
+    oldname="$(basename "$filename")"    
+    newname="${oldname:1}"    
+    path="$(dirname "$filename")"    
+    # And rename their references in md files  
+    find -type f -iname '*.md' -exec sed -i "s/$oldname/$newname/g" {} \;    
+    mv "$path/$oldname" "$path/$newname"    
+done < <(find -type d -name '.attachments.*')
+
+# Build the website
 hugo
-
--- a/provisioning/roles/deploy_all/files/bin/letsencrypt.sh
+++ b/provisioning/roles/deploy_all/files/bin/letsencrypt.sh
@ -2,6 +2,10 @@
 # This script will run on new cert and on cron renew
 # there is one cert by service

+set -euo pipefail
+
+. /etc/jeancloud.env
+
 # TODO make it an ansible script
 # No

@ -18,11 +22,8 @@ acmeroot=/var/www/letsencrypt
 # Création du répertoire
 mkdir -p "$acmeroot"

-# With trailing slash or it will be a prefix selector
-#nginx_sites_dir="/etc/nginx/sites-enabled/"
-nginx_sites_dir="/etc/nginx/sites-enabled/"

-for file in "$nginx_sites_dir"* ; do
+for file in "$nginx_conf_path"* ; do
  if $verbose ; then
    echo '-------------------------'
    echo "$file"
@ -30,6 +31,11 @@ for file in "$nginx_sites_dir"* ; do

  service_name="$(basename "$file")"

+  if [ -d "$dns_certs_path/$service_name" ] ; then
+	  echo "$service_name is handled by dnscerts"
+	  continue
+  fi
+    
  # Getting just the domain names
  domains="$(extract_domain_nginx_conf.sh "$file")"
  if [ -n "$domains" ] ; then
--- a/services/dnscerts.jean-cloud.org/acme-dns.sh
+++ b/services/dnscerts.jean-cloud.org/acme-dns.sh
@ -1,11 +1,12 @@
 #!/bin/bash

-if [ "$#" -ne 1 ] ; then
-	echo "Usage: $0 <service_name>" >&2
+if [ "$#" -ne 2 ] ; then
+	echo "Usage: $0 <service_name> <workdir>" >&2
 	exit 1
 fi

 service="$1"
+workdir="$2"

 nginxfile="/docker/$service/nginx_server.conf"
 if [ -f "$nginxfile" ] ; then    
@ -13,5 +14,5 @@ if [ -f "$nginxfile" ] ; then
 	domains="$(echo "$nginxdomains" | tr ' ' '\n' | sort -u | resolvable.sh ns.jean-cloud.org | sed -z -e 's/\n$//' -e 's/\n/ -d /g' )"
 	[ -z "$domains" ] && exit 0
 	echo "--------------- -d $domains"
-	certbot certonly --config-dir "$DATA_DIR/certs" --work-dir "$tmp/work" --logs-dir "$tmp/logs" --agree-tos -m contact@jean-cloud.org -n --cert-name "$service" --dns-rfc2136 --dns-rfc2136-credentials "$DATA_DIR/rfc2136.ini" -d $domains
+	certbot certonly --config-dir "$DATA_DIR/certs" --work-dir "$workdir/work" --logs-dir "$workdir/logs" --agree-tos -m contact@jean-cloud.org -n --cert-name "$service" --dns-rfc2136 --dns-rfc2136-credentials "$DATA_DIR/rfc2136.ini" -d $domains
 fi
--- a/services/dnscerts.jean-cloud.org/run_as.sh
+++ b/services/dnscerts.jean-cloud.org/run_as.sh
@ -41,7 +41,7 @@ while read line ; do
 	[ -d "$DATA_DIR/certs/live/$service" ] && echo "Already exists, thats a job for renew : $service" && continue

 	# acme
-	"$here/acme-dns.sh" "$service"
+	"$here/acme-dns.sh" "$service" "$tmp"

 	# Replace dummy cert if letsencrypt failed
 	[ "$?" -ne 0 ] && dummy_cert.sh "$service" add
--- a/services/etrevivant.net/deploy_http.sh
+++ b/services/etrevivant.net/deploy_http.sh
@ -1,29 +1,8 @@
 #!/bin/bash
 set -euo pipefail
-
+set -a
 . "$DATA_DIR/.env"
-webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')"
-webdav_user="$(echo "$NC_SHARE_LINK"  |sed 's#.*/s/##')"
-webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")"
+set +a

-# Get website files
 git_update.sh -d "$HTTP_DIR" "$GIT_SOURCE_REPO"
-
-# Get content from nextcloud
-rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: "$HTTP_DIR/$CLOUD_LOCAL_PATH"
-
-# Go to website
-cd "$HTTP_DIR"
-
-# Rename .attachement dirs created by nextcloud
-while read filename ; do    
-    oldname="$(basename "$filename")"    
-    newname="${oldname:1}"    
-    path="$(dirname "$filename")"    
-    # And rename their references in md files  
-    find -type f -iname '*.md' -exec sed -i "s/$oldname/$newname/g" {} \;    
-    mv "$path/$oldname" "$path/$newname"    
-done < <(find -type d -name '.attachments.*')
-
-# Build the website
-hugo
+hugo_rclone.sh "$HTTP_DIR"
--- a/services/feministesucl34.jean-cloud.net/docker-compose.yml
+++ b/services/feministesucl34.jean-cloud.net/docker-compose.yml
@ -1,49 +0,0 @@
-version: '3.1'
-
-services:
-
-  wp:
-    image: wordpress:5.8-apache
-    restart: unless-stopped
-    env_file: /data/feministesucl34.jean-cloud.net/env
-    environment:
-      WORDPRESS_DB_HOST: db
-      WORDPRESS_DB_USER: wpdbuser
-      WORDPRESS_DB_NAME: wpdb
-      #WORDPRESS_CONFIG_EXTRA: "define( 'WP_HOME', 'https://feministesucl34.jean-cloud.net/wordpress' ); define( 'WP_SITEURL', 'https://feministesucl34.jean-cloud.net/wordpress' );"
-    volumes:
-      - /data/feministesucl34.jean-cloud.net/wordpress:/var/www/html
-      - /data/feministesucl34.jean-cloud.net/static:/var/www/html/static
-    networks:
-      default:
-        ipv4_address: 172.29.9.100
-    deploy:
-      resources:
-        limits:
-          cpus: '0.50'
-          memory: 100M
-  db:
-    image: mariadb:10.4
-    restart: unless-stopped
-    env_file: /data/feministesucl34.jean-cloud.net/env
-    environment:
-      MYSQL_DATABASE: wpdb
-      MYSQL_USER: wpdbuser
-      MYSQL_RANDOM_ROOT_PASSWORD: 'yes'
-    volumes:
-      - /data/feministesucl34.jean-cloud.net/db:/var/lib/mysql
-    networks:
-      default:
-        ipv4_address: 172.29.9.101
-    deploy:
-      resources:
-        limits:
-          cpus: '0.50'
-          memory: 100M
-
-networks:
-  default:
-    ipam:
-      config:
-        - subnet: 172.29.9.0/24
-
--- a/services/feministesucl34.jean-cloud.net/nginx_server.conf
+++ b/services/feministesucl34.jean-cloud.net/nginx_server.conf
@ -1,32 +0,0 @@
-server {
-  listen 443 ssl http2;
-  listen [::]:443 ssl http2;
-  ssl_certificate /etc/letsencrypt/live/feministesucl34.jean-cloud.net/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/feministesucl34.jean-cloud.net/privkey.pem;
-  server_name wordpress.feministesucl34.jean-cloud.net www.wordpress.feministesucl34.jean-cloud.net;
-  location  / {
-    client_max_body_size 2G;
-    #proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header Host $http_host;
-    proxy_set_header X-Forwarded-Proto https;
-    proxy_pass http://172.29.9.100;
-    proxy_redirect off;
-  }
-}
-
-server {
-  listen 443 ssl http2;
-  listen [::]:443 ssl http2;
-  ssl_certificate /etc/letsencrypt/live/feministesucl34.jean-cloud.net/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/feministesucl34.jean-cloud.net/privkey.pem;
-  server_name feministesucl34.jean-cloud.net www.feministesucl34.jean-cloud.net feministesucl34.communisteslibertaires.org;
-
-  location = /wp-login.php {
-    return 301 https://wordpress.feministesucl34.jean-cloud.net/wp-login.php;
-  }
-
-  location /  {
-    root /data/feministesucl34.jean-cloud.net/static;
-    try_files $uri $uri/ =404;
-  }
-}
--- a/services/feteducourt.jean-cloud.net/nginx_server.conf
+++ b/services/feteducourt.jean-cloud.net/nginx_server.conf
@ -5,7 +5,7 @@ server {
  ssl_certificate_key $JC_CERT/privkey.pem;
  server_name $JC_SERVICE www.$JC_SERVICE;
  location / {
-    root $HTTP_DIR;
+    root $HTTP_DIR/public;
    try_files $uri $uri/ =404;
  }
 }
--- a/services/feteducourt2020.jean-cloud.net/nginx_server.conf
+++ b/services/feteducourt2020.jean-cloud.net/nginx_server.conf
@ -5,7 +5,7 @@ server {
  ssl_certificate_key $JC_CERT/privkey.pem;
  server_name $JC_SERVICE www.$JC_SERVICE;
  location / {
-    root $HTTP_DIR;
+    root $HTTP_DIR/public;
    try_files $uri $uri/ =404;
  }
 }
--- a/services/inurbe.fr/nginx_server.conf
+++ b/services/inurbe.fr/nginx_server.conf
@ -1,12 +1,12 @@
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
-  ssl_certificate /etc/letsencrypt/live/inurbe.fr/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/inurbe.fr/privkey.pem;
-  server_name inurbe.fr www.inurbe.fr;
+  ssl_certificate $http_certs_dir/inurbe.fr/fullchain.pem;
+  ssl_certificate_key $http_certs_dir/inurbe.fr/privkey.pem;
+  server_name $JC_SERVICE www.$JC_SERVICE;

  location /  {
-    root /data/inurbe.fr;
+    root $DATA_DIR/public;
    try_files $uri $uri/ =404;
  }
 }
--- a/services/mux.radiodemo.oma-radio.fr/.env
+++ b/services/mux.radiodemo.oma-radio.fr/.env
@ -0,0 +1,12 @@
+ENDPOINT=10.29.0.1
+WEBSERVER=.105
+MUX=.100
+TELECOM=.101
+NET=172.29.0
+WEBSOCKET_PORT=2004
+RADIO_HOST=mux.radiodemo.oma-radio.fr
+MUX_SERVER_PORT=9004
+TELECOM_SERVER_PORT=3494
+SOUNDBASE_DIR=/data/mux.radiodemo.oma-radio.fr/core/radioDemo
+OMA_DOCKER_VERSION=dev
+ICECAST=.110
--- a/services/mux.radiodemo.oma-radio.fr/deploy.sh
+++ b/services/mux.radiodemo.oma-radio.fr/deploy.sh
@ -0,0 +1,4 @@
+#!/bin/bash
+mkdir -p "$DATA_DIR/pige"
+chown 10000:10000 "$DATA_DIR/pige" -R
+
--- a/services/mux.radiodemo.oma-radio.fr/docker-compose.yml
+++ b/services/mux.radiodemo.oma-radio.fr/docker-compose.yml
@ -1,7 +1,7 @@
 version: '3'
 services:
  ambre_mux:
-    image: registry.gitlab.com/omaradio/core/moa-mux:$OMA_DOCKER_VERSION
+    image: registry.gitlab.com/omaradio/core/oma-mux:$OMA_DOCKER_VERSION
    env_file: .env
    environment:
      OMA_CONFIG_Client1Host: $NET.108
--- a/services/mux.radiodemo.oma-radio.fr/liquidsoap.liq
+++ b/services/mux.radiodemo.oma-radio.fr/liquidsoap.liq
--- a/services/mux.radiodemo.oma-radio.fr/nginx_server.conf
+++ b/services/mux.radiodemo.oma-radio.fr/nginx_server.conf
@ -0,0 +1,52 @@
+map $http_upgrade $connection_upgrade {
+       default upgrade;
+       '' close;
+}
+
+server{
+	listen $WEBSOCKET_PORT ssl;
+	listen [::]:$WEBSOCKET_PORT ssl;
+	ssl_certificate     $JC_DNS_CERT/fullchain.pem;
+    ssl_certificate_key $JC_DNS_CERT/privkey.pem;
+
+	location / {
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header Host $host;
+            proxy_pass http://172.29.0.105:9000;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+	        proxy_read_timeout 120s;
+	}
+}
+
+server {
+	listen 443 ssl;
+	listen [::]:443 ssl;
+	server_name $JC_SERVICE;
+	ssl_certificate     $JC_DNS_CERT/fullchain.pem;
+    ssl_certificate_key $JC_DNS_CERT/privkey.pem;
+
+    location / {
+        client_max_body_size 0;
+        proxy_pass http://$ENDPOINT;
+        proxy_set_header Host 'soundbase.radiodemo.oma-radio.fr';
+		proxy_set_header X-Forwarded-Host $JC_SERVICE;
+		proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Forwarded-For $remote_addr;
+    }
+
+
+	location /direct.ogg {
+		client_max_body_size 0;
+		proxy_pass http://$NET$ICECAST:8000/direct.ogg;
+	}
+	location /direct.mp3 {
+		client_max_body_size 0;
+		proxy_pass http://$NET$ICECAST:8000/direct.mp3;
+	}
+
+	# TODO open some stat route
+
+	
+}
--- a/services/radiodemo-back.oma-radio.fr/radioking.liq
+++ b/services/radiodemo-back.oma-radio.fr/radioking.liq
--- a/services/mux.radiodemo.oma-radio.fr/wg-radiodemo.sh
+++ b/services/mux.radiodemo.oma-radio.fr/wg-radiodemo.sh
@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -euo pipefail
+
+. .env
+
+wgif="$1"
+
+echo "
+[Interface]
+PrivateKey = $(cat $DATA_DIR/privatekey)
+Address = 10.29.0.254/32
+ListenPort = 55820
+
+# packet forwarding
+PreUp = sysctl -w net.ipv4.ip_forward=1
+
+# port forwarding
+#PreUp = iptables -t nat -A PREROUTING -p tcp --dport $MUX_SERVER_PORT -j DNAT --to-destination $ENDPOINT:$MUX_SERVER_PORT
+#PreUp = iptables -t nat -A PREROUTING -p tcp --dport $TELECOM_SERVER_PORT -j DNAT --to-destination $ENDPOINT:$TELECOM_SERVER_PORT
+
+#PostDown = iptables -t nat -D PREROUTING -p tcp --dport $MUX_SERVER_PORT -j DNAT --to-destination $ENDPOINT:$MUX_SERVER_PORT
+#PostDown = iptables -t nat -D PREROUTING -p tcp --dport $TELECOM_SERVER_PORT -j DNAT --to-destination $ENDPOINT:$TELECOM_SERVER_PORT
+
+# packet masquerading
+#PreUp = iptables -t nat -A POSTROUTING -o $wgif -j MASQUERADE
+#PostDown = iptables -t nat -D POSTROUTING -o $wgif -j MASQUERADE
+
+# remote settings for the private server
+[Peer]
+PublicKey = 6/Mlxe9auEw/WQnC6QYNAYtSAo8jAEMhJ1wXaRNy4AE=
+AllowedIPs = 10.29.0.0/24
+"
--- a/services/ns1.jean-cloud.org/helper_functions.sh
+++ b/services/ns1.jean-cloud.org/helper_functions.sh
@ -89,14 +89,19 @@ addbindline () {
 	sed -i "s/\([[:space:]]*\)$token/\1$acme_dns\n\1$token/" "$debian_bind_confdir/named.conf.local"


-	if [ -z "$shortname" ] ; then
-		# CNAME are forbiden for empty shortnames, so we must resolve the target IPs
-		while read line ; do
-			line_in_file "$line" "$bindfile"
-		done < <(fakeresolve "$target")
-	else
-		line_in_file "$shortname CNAME $target." "$bindfile"
-	fi
+	# TODO check if name already existst with a different target
+	# Hard since we are resolving targets now…
+
+	# CNAME are forbiden for empty shortnames, so we must resolve the target IPs
+	# For performance reasons, we just put plain IP everywhere
+	# to put aliases in place of ip juste do the following if $shortname is empty:
+	#line_in_file "$shortname CNAME $target." "$bindfile"
+	while read line ; do
+		if [ -n "$shortname" ] ; then
+			line="$(echo "$line" | sed "s/@/$shortname/")"
+		fi
+		line_in_file "$line" "$bindfile"
+	done < <(fakeresolve "$target")
 }

 list_template_db_files () {
--- a/services/radiodemo.oma-radio.fr/.env
+++ b/services/radiodemo.oma-radio.fr/.env
@ -1,12 +1,2 @@
-ENDPOINT=10.29.0.1
-WEBSERVER=.105
-MUX=.100
-TELECOM=.101
-NET=172.29.0
-WEBSOCKET_PORT=2004
-RADIO_HOST=radiodemo.oma-radio.fr
-MUX_SERVER_PORT=9004
-TELECOM_SERVER_PORT=3494
-SOUNDBASE_DIR=/data/radiodemo.oma-radio.fr/soundbase
-OMA_DOCKER_VERSION=dev
-ICECAST=.110
+GIT_SOURCE_REPO="git@gitlab.com:omaradio/website.git"
+RADIO_HOST=mux.radiodemo.oma-radio.fr
--- a/services/radiodemo.oma-radio.fr/nginx_server.conf
+++ b/services/radiodemo.oma-radio.fr/nginx_server.conf
@ -1,38 +1,22 @@
-map $http_upgrade $connection_upgrade {
-       default upgrade;
-       '' close;
-}
-
-server{
-	listen $WEBSOCKET_PORT ssl;
-	listen [::]:$WEBSOCKET_PORT ssl;
-	ssl_certificate      /etc/letsencrypt/live/$RADIO_HOST/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/$RADIO_HOST/privkey.pem;
-
-	location / {
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header Host $host;
-            proxy_pass http://172.29.0.105:9000;
-            proxy_http_version 1.1;
-            proxy_set_header Upgrade $http_upgrade;
-            proxy_set_header Connection "upgrade";
-	        proxy_read_timeout 120s;
-	}
-}
-
 server {
-	listen 443 ssl;
-	listen [::]:443 ssl;
-	server_name $RADIO_HOST;
-	ssl_certificate     /etc/letsencrypt/live/$RADIO_HOST/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/$RADIO_HOST/privkey.pem;
-
-	location / {
-		client_max_body_size 0;
-		proxy_pass http://$ENDPOINT;
-		proxy_set_header Host            $host;
-    	proxy_set_header X-Forwarded-For $remote_addr;
-	}
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  ssl_certificate $JC_CERT/fullchain.pem;
+  ssl_certificate_key $JC_CERT/privkey.pem;
+  server_name $JC_SERVICE www.$JC_SERVICE;
+  root $HTTP_DIR/public/;

+  # Security headers
+  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+  add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self'; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self'; base-uri 'self'; form-action 'self';" always;
+  add_header X-Content-Type-Options "nosniff";
+  add_header X-Frame-Options SAMEORIGIN always;
+  add_header X-XSS-Protection "1; mode=block" always;
+  add_header Referrer-Policy "strict-origin-when-cross-origin";
+  add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';";

+  location / {
+          index index.html;
+          try_files $uri $uri/ =404;
+  }
 }
--- a/services/services.txt
+++ b/services/services.txt
@ -7,12 +7,13 @@ cousinades.jean-cloud.net max.jean-cloud.org
 deployer.jean-cloud.org shlago.jean-cloud.org
 etrevivant.net shlago.jean-cloud.org
 feministesucl34.jean-cloud.net tetede.jean-cloud.org
+feministesucl34.communisteslibertaires.org tetede.jean-cloud.org
 feteducourt2020.jean-cloud.net shlago.jean-cloud.org
 feteducourt.jean-cloud.net shlago.jean-cloud.org
 git.jean-cloud.net vandamme.jean-cloud.org
 grapes.chahut.jean-cloud.net max.jean-cloud.org
 gypsylyonfestival.com max.jean-cloud.org
-inurbe.fr max.jean-cloud.org
+inurbe.fr shlago.jean-cloud.org
 jean-cloud.net shlago.jean-cloud.org
 leida.fr vandamme.jean-cloud.org
 dnscerts.jean-cloud.org max.jean-cloud.org
@ -25,8 +26,9 @@ nuage.jean-cloud.net vandamme.jean-cloud.org
 pa1.studios.oma-radio.fr tetede.jean-cloud.org
 paj.oma-radio.fr nougaro.jean-cloud.org
 quadrille-elsa.jean-cloud.net shlago.jean-cloud.org
-radiodemo-back.oma-radio.fr montbonnot.jean-cloud.org
-radiodemo.oma-radio.fr tetede.jean-cloud.org
+soundbase.radiodemo.oma-radio.fr montbonnot.jean-cloud.org
+radiodemo.oma-radio.fr shlago.jean-cloud.org
+mux.radiodemo.oma-radio.fr raku.jean-cloud.org
 radionimaitre.oma-radio.fr tetede.jean-cloud.org
 raplacgr.jean-cloud.net tetede.jean-cloud.org
 rpnow.jean-cloud.net vandamme.jean-cloud.org
--- a/services/soundbase.radiodemo.oma-radio.fr/.env
+++ b/services/soundbase.radiodemo.oma-radio.fr/.env
@ -1,6 +1,5 @@
 NET=10.29.0
 TELECOM=.101
-MUX=.100
 ICECAST=.110
 WEBSERVER=.105
 SYSTEM_API=.107
@ -13,12 +12,10 @@ RADIO_NAME_SIMPLE=radiodemo
 OMA_CONFIG_NomRadio=radiodemo
 OMA_CONFIG_LogLevel=8
 RADIO_NAME_PRETTY="Radio Démo"
-COMPOSE_NAME=radiodemo-backoma-radiofr
+COMPOSE_NAME=soundbaseradiodemooma-radiofr
 DOCKER_INSTANCES_PREFIX=radiodemo-backoma-radiofr-
 DOCKER_INSTANCES_SUFIX=-1
-DATA_DIR=/home/data/radiodemo-back.oma-radio.fr
-SOUNDBASE_DIR=/home/data/radiodemo-back.oma-radio.fr/core/radioDemo
+SOUNDBASE_DIR=/data/soundbase.radiodemo.oma-radio.fr/core/radioDemo
 USE_SSL=true
-PUBLIC_WEBSITE_UPSTREAM=https://static.oma-radio.fr/player-interface/1.5.0
 MANAGER_WEBSITE_UPSTREAM=https://static.oma-radio.fr/single-manager/1.1.1
 RADIO_HOST=radiodemo.oma-radio.fr
--- a/services/soundbase.radiodemo.oma-radio.fr/deploy.sh
+++ b/services/soundbase.radiodemo.oma-radio.fr/deploy.sh
@ -0,0 +1,3 @@
+#!/bin/bash
+
+git_update.sh -b dev -i "$DATA_DIR/radiodemo-deploy" -d "$DATA_DIR/core" git@gitlab.com:omaradio/core.git
--- a/services/soundbase.radiodemo.oma-radio.fr/docker-compose.yml
+++ b/services/soundbase.radiodemo.oma-radio.fr/docker-compose.yml
@ -6,7 +6,7 @@ services:
    environment:
      OMA_CONFIG_TelecommandeHost: $RADIO_HOST
      OMA_CONFIG_TelecommandePort: $TELECOM_SERVER_PORT
-      OMA_CONFIG_Client1Host: $RADIO_HOST
+      OMA_CONFIG_Client1Host: soundbase.radiodemo.osoundbase.radiodemo.oma-radio.fr
      OMA_CONFIG_Client1Port: $MUX_SERVER_PORT
    volumes:
      - $SOUNDBASE_DIR:/app/soundBase
--- a/services/soundbase.radiodemo.oma-radio.fr/generate_nat.sh
+++ b/services/soundbase.radiodemo.oma-radio.fr/generate_nat.sh
--- a/services/soundbase.radiodemo.oma-radio.fr/nginx_server.conf
+++ b/services/soundbase.radiodemo.oma-radio.fr/nginx_server.conf
@ -25,24 +25,6 @@ server {
        add_header Access-Control-Allow-Origin https://radio.karnaval.fr;


-	location = /direct.ogg {
-		proxy_pass http://172.29.0.110:8000/direct.ogg;
-		# kill cache
-        add_header Last-Modified $date_gmt;
-        add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
-        if_modified_since off;
-        expires off;
-        etag off;
-	}
-	location = /direct.mp3 {
-		proxy_pass http://172.29.0.110:8000/direct.mp3;
-		# kill cache
-        add_header Last-Modified $date_gmt;
-        add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
-        if_modified_since off;
-        expires off;
-        etag off;
-	}

    location = /api { rewrite ^ /api/; }
    location ~ /api/pigeindex(/.*) {
@ -210,14 +192,4 @@ server {
        auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd; 
 		try_files $uri $uri/ =404;
    }
-	location = /favicon.ico {
-		return 301 /favicon.webp;
-    }
-
-	# for js, css, html — dynamic site, players
-	location  / {
-		try_files $uri $uri/ =404;
-		add_header Cache-Control 'public must-revalidate';
-        	add_header Access-Control-Allow-Origin https://radio.karnaval.fr;
-	}
 }
--- a/services/soundbase.radiodemo.oma-radio.fr/wg-radiodemo.sh
+++ b/services/soundbase.radiodemo.oma-radio.fr/wg-radiodemo.sh
@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -euo pipefail
+
+. .env
+
+[ -f "$DATA_DIR/radiodemo-soundbase.wgkey" ] || { echo 'No privatekey found' >&2 && exit 1 ; }
+
+echo "
+[Interface]
+PrivateKey = $(cat "$DATA_DIR/radiodemo-soundbase.wgkey")
+Address = 10.29.0.1/32
+ListenPort = 55820
+
+[Peer]
+PublicKey = iwIsUriF4CT/Jpu29VXlj43hT3bUjG67FeEgCTcQCVc=
+AllowedIPs = 10.29.0.254/32
+Endpoint = mux.radiodemo.oma-radio.fr:55820
+PersistentKeepalive = 30
+"