update
This commit is contained in:
parent
01c3e5374d
commit
88e8e2fc76
@ -2,13 +2,6 @@
|
||||
#
|
||||
bootstrap_user: root
|
||||
|
||||
# For jean-cloud docker services
|
||||
new_nginx_conf_path: '/data/proxy/new-sites-enabled'
|
||||
new_blackbox_hosts_path: '/data/prometheus/new-blackbox-targets.yml'
|
||||
blackbox_hosts_path: '/data/prometheus/blackbox-targets.yml'
|
||||
|
||||
remote_docker_login_registry: registry.jean-cloud.net
|
||||
|
||||
# sudo configuration
|
||||
# using geerlingguy security
|
||||
# https://galaxy.ansible.com/grog/sudo
|
||||
@ -21,31 +14,7 @@ remote_docker_login_registry: registry.jean-cloud.net
|
||||
# commands: ALL
|
||||
# nopasswd: yes
|
||||
|
||||
# Security geerlingguy
|
||||
security_ssh_port: 45985
|
||||
# IMPORTANT following values should be quoted. You can lock yourself out.
|
||||
security_ssh_password_authentication: "no"
|
||||
security_ssh_permit_root_login: "yes"
|
||||
security_ssh_usedns: "no"
|
||||
security_ssh_permit_empty_password: "no"
|
||||
security_ssh_challenge_response_auth: "no"
|
||||
security_ssh_gss_api_authentication: "no"
|
||||
security_ssh_x11_forwarding: "no"
|
||||
|
||||
# Auto upgrades
|
||||
security_autoupdate_enabled: true
|
||||
|
||||
# f2b
|
||||
security_fail2ban_enabled: false
|
||||
|
||||
#locales
|
||||
locales_default:
|
||||
lang: en_US.UTF-8
|
||||
lc_all: en_US.UTF-8
|
||||
|
||||
|
||||
# For unattended upgrade configuration
|
||||
unattended_upgrades_mail: contact@jean-cloud.org
|
||||
|
||||
# For ssh security
|
||||
# https://galaxy.ansible.com/dev-sec/ssh-hardening
|
||||
@ -102,9 +71,6 @@ shelldetector_cron_hour: '4'
|
||||
shelldetector_cron_minute: '00'
|
||||
|
||||
|
||||
# Timezone
|
||||
# https://galaxy.ansible.com/oefenweb/timezone
|
||||
timezone_zone: Europe/Paris
|
||||
|
||||
# NTP
|
||||
# https://galaxy.ansible.com/geerlingguy/ntp
|
||||
|
@ -28,7 +28,12 @@
|
||||
# Locales
|
||||
# TODO set locales date and currency
|
||||
#- alvistack.locales
|
||||
- oefenweb.locales
|
||||
- role: oefenweb.locales
|
||||
vars:
|
||||
locales_default:
|
||||
lang: en_US.UTF-8
|
||||
lc_all: en_US.UTF-8
|
||||
|
||||
|
||||
# Sys update. Playbook bien fait.
|
||||
- robertdebock.update
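Review bot: Supplying `locales_default` as `vars:` on the `- role: oefenweb.locales` entry (and, in the following hunks, the `security_*`, `docker_service_enabled` and `timezone_zone` values on their roles) gives these values role-parameter precedence, which in Ansible sits above `group_vars` and `host_vars`, so a single host can no longer override the SSH port, timezone or root-login policy from inventory. The values were previously in the group_vars file this commit trims, where per-host overrides still worked. If that loss is intended, a comment on the first `vars:` such as `# role params: not overridable from inventory` would save the next maintainer the surprise; otherwise keep them in group_vars and drop the inline `vars:`. The play header lies outside these hunks, so I cannot see whether other variable sources are in use.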
|
||||
@ -36,15 +41,23 @@
|
||||
# Manage sudoers
|
||||
#- GROG.sudo
|
||||
|
||||
# Unattended upgrades
|
||||
#- jnv.unattended-upgrades
|
||||
#- thorian93.unattended_upgrade
|
||||
#- racqspace.unattended_upgrades
|
||||
|
||||
# ssh security
|
||||
# using geerlingguy security
|
||||
#- dev-sec.ssh-hardening
|
||||
- geerlingguy.security
|
||||
- role: geerlingguy.security
|
||||
vars:
|
||||
security_ssh_port: 45985
|
||||
security_ssh_password_authentication: "no"
|
||||
security_ssh_permit_root_login: "yes"
|
||||
security_ssh_usedns: "no"
|
||||
security_ssh_permit_empty_password: "no"
|
||||
security_ssh_challenge_response_auth: "no"
|
||||
security_ssh_gss_api_authentication: "no"
|
||||
security_ssh_x11_forwarding: "no"
|
||||
security_autoupdate_enabled: true
|
||||
security_fail2ban_enabled: false
|
||||
|
||||
|
||||
# fail2ban
|
||||
#- oefenweb.fail2ban
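Review bot: `security_ssh_permit_root_login: "yes"` still allows interactive root login over SSH; with `security_ssh_password_authentication: "no"` this is key-only today, but the sshd value `prohibit-password` states that explicitly and keeps root password logins closed even if password authentication is later re-enabled. If the role passes the variable through to `PermitRootLogin` unchanged (I believe it does, but confirm against the role's template), `security_ssh_permit_root_login: "prohibit-password"` is a drop-in change. The warning that was removed from group_vars should also travel with these values, e.g. `# IMPORTANT: keep these quoted - unquoted yes/no become YAML booleans. You can lock yourself out.`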
|
||||
@ -62,13 +75,18 @@
|
||||
#- geerlingguy.clamav
|
||||
|
||||
# docker
|
||||
- geerlingguy.docker
|
||||
- role: geerlingguy.docker
|
||||
vars:
|
||||
docker_service_enabled: false
|
||||
|
||||
# timezone
|
||||
- oefenweb.timezone
|
||||
- role: oefenweb.timezone
|
||||
vars:
|
||||
timezone_zone: Europe/Paris
|
||||
|
||||
# ntp
|
||||
#- geerlingguy.ntp
|
||||
#TODO
|
||||
|
||||
# docker metrics proxy
|
||||
#- docker-metrics-proxy
|
||||
|
@ -8,6 +8,7 @@ set -euo pipefail
|
||||
|
||||
noreload=false
|
||||
deploy=true
|
||||
service=
|
||||
if [ "$#" -ge 2 ] && [ "$2" = noreload ] ; then
|
||||
noreload=true
|
||||
elif [ "$#" -ge 3 ] && [ "$3" = undeploy ] ; then
|
||||
|
@ -10,6 +10,9 @@ driglibash_step_by_step=false
|
||||
# Set to watever you want to have a prefix
|
||||
driglibash_section_prefix=""
|
||||
|
||||
# set to retry failed commands
|
||||
driglibash_run_retry=
|
||||
|
||||
|
||||
trap 'die "Received sigint"' INT
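Review bot: `driglibash_run_retry=` is introduced with only `# set to retry failed commands`, which does not say what value switches it on (a count, or any non-empty string) or which function honours it; document that at the assignment, e.g. `# non-empty: run() re-executes a failed command before prompting (see run())`, adjusted to whatever `run()` actually checks, since that function is not in this hunk. The comment two lines up has a typo: `# Set to whatever you want as a prefix`.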
|
||||
|
||||
@ -88,7 +91,7 @@ run() {
|
||||
if [ "$answer" = "y" ] || [ "$answer" = "Y" ] || [ -z "$answer" ] ; then
|
||||
continue
|
||||
elif [ "$answer" = "s" ] || [ "$answer" = "S" ] ; then
|
||||
return "$code"
|
||||
exit "$code"
|
||||
fi
|
||||
fi
|
||||
die "Aborting"
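Review bot: If `exit "$code"` is the new side (the `+`/`-` markers are lost on this page, so I infer it from print order), answering `s` at the prompt now terminates the whole script that loaded this library rather than returning `$code` to the caller of `run`, because the library is brought in with `.` (see the `. driglibash-base` hunk in this commit). That may be the intended meaning of `s`, but a caller that wrapped `run` to handle a failed command can no longer do so, so the choice deserves a comment above the `elif`, e.g. `# "s" aborts the entire calling script, not just this command`. `run()` starts before this hunk.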
|
||||
|
@ -29,7 +29,7 @@
|
||||
ansible.builtin.user:
|
||||
name: certs
|
||||
shell: /bin/bash
|
||||
home: /data/letsencrypt.jean-cloud.org
|
||||
home: /data/dnscerts.jean-cloud.org
|
||||
|
||||
- name: Set authorized key, removing all the authorized keys already set
|
||||
ansible.posix.authorized_key:
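Review bot: Changing `home:` of the existing `certs` user to `/data/dnscerts.jean-cloud.org` does not relocate the old home; `ansible.builtin.user` only moves it when `move_home: true` is set, so `/data/letsencrypt.jean-cloud.org` (with its `.ssh/authorized_keys`) stays on disk while sshd now looks for keys under the new path, which exists only once the following `authorized_key` task creates it. Either add `move_home: true` or a task that removes the old directory. Since this account only receives `rsync` pushes in this commit, giving its key a forced command via `key_options:` on the `authorized_key` task (for example a restricted `rrsync` wrapper) rather than a full `shell: /bin/bash` would limit what a leaked `certs.priv` can do.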
|
||||
@ -108,12 +108,3 @@
|
||||
HISTTIMEFORMAT="%Y%m%d-%T "
|
||||
export HISTSIZE HISTFILESIZE HISTTIMEFORMAT
|
||||
|
||||
|
||||
- name : Disable docker service
|
||||
service:
|
||||
name: "{{ item }}"
|
||||
state: stopped
|
||||
enabled: false
|
||||
with_items:
|
||||
- docker
|
||||
- docker.socket
|
||||
|
@ -10,7 +10,7 @@ service="$1"
|
||||
nginxfile="/docker/$service/nginx_server.conf"
|
||||
if [ -f "$nginxfile" ] ; then
|
||||
nginxdomains="$(extract_domain_nginx_conf.sh "$nginxfile" | template.sh "/docker/$service/.env")"
|
||||
domains="$(echo "$service $nginxdomains" | tr ' ' '\n' | sort -u | resolvable.sh ns.jean-cloud.org | sed -z -e 's/\n$//' -e 's/\n/ -d /g' )"
|
||||
domains="$(echo "$nginxdomains" | tr ' ' '\n' | sort -u | resolvable.sh ns.jean-cloud.org | sed -z -e 's/\n$//' -e 's/\n/ -d /g' )"
|
||||
[ -z "$domains" ] && exit 0
|
||||
echo "--------------- -d $domains"
|
||||
certbot certonly --config-dir "$DATA_DIR/certs" --work-dir "$tmp/work" --logs-dir "$tmp/logs" --agree-tos -m contact@jean-cloud.org -n --cert-name "$service" --dns-rfc2136 --dns-rfc2136-credentials "$DATA_DIR/rfc2136.ini" -d $domains
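Review bot: Dropping `$service` from the `domains=` pipeline means a service whose `nginx_server.conf` yields no resolvable name now reaches `[ -z "$domains" ] && exit 0` and silently issues nothing, and `--cert-name "$service"` no longer guarantees the service's own hostname is covered by the certificate. If that is intended, say so on the assignment, e.g. `# only names declared in the nginx conf are requested; the service name itself is not`. The `echo "--------------- -d $domains"` line reads as leftover debugging output. The enclosing `if [ -f "$nginxfile" ]` closes outside this hunk.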
|
@ -7,7 +7,9 @@ here="$(where)"
|
||||
|
||||
# For some variables
|
||||
. /etc/jeancloud.env
|
||||
set -a
|
||||
. "$here/.env"
|
||||
set +a
|
||||
|
||||
# Test secret presence
|
||||
[ ! -f "$DATA_DIR/rfc2136.ini" ] && echo "$0 Missing file '$DATA_DIR/rfc2136.ini'" && exit 1
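Review bot: `set -a` before `. "$here/.env"` exports every variable in that file into the environment of every process this script later starts (certbot, rsync, ssh, the `host` lookup), so any secret kept in `.env` is inherited by those children and by anything they spawn, and is visible through `/proc/<pid>/environ` to whoever can inspect them. If only a few values are needed downstream, export them by name after sourcing, e.g. `export DATA_DIR`, and drop the `set -a`/`set +a` pair. The same pattern is added in the secondary-deploy hunk (`cd ../ns1.jean-cloud.org`). The missing-file message on the last line goes to stdout; `>&2` would keep it out of captured output.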
|
||||
@ -23,10 +25,13 @@ if [ "$#" -ge 1 ] && [ -n "$1" ] ; then
|
||||
done
|
||||
fi
|
||||
|
||||
# For each service, read all possible domains
|
||||
echo "For each service, read all possible domains"
|
||||
while read line ; do
|
||||
read -r service target < <(echo "$line")
|
||||
|
||||
# TODO remove
|
||||
( [ "$service" = collectif-arthadie.fr ] || [[ "$service" == *oma-radio.fr ]] ) && continue
|
||||
|
||||
# removo dummy cert
|
||||
dummy_cert.sh "$service" remove
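Review bot: `while read line` without `-r` lets backslashes in the services file be interpreted, and the `read -r service target < <(echo "$line")` re-parse can be folded into the loop header as `while read -r service target ; do`, which also removes the process substitution. The hard-coded skip of `collectif-arthadie.fr` and `*oma-radio.fr` under `# TODO remove` is live production logic with no stated reason; at minimum the comment should record why those services are excluded. The loop's `done` is outside this hunk.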
|
||||
|
||||
@ -36,5 +41,12 @@ while read line ; do
|
||||
"$here/acme-dns.sh" "$service"
|
||||
|
||||
# Replace dummy cert if letsencrypt failed
|
||||
[ "$?" -ne 0 ] && dummy_cert.sh "$servic" remove
|
||||
[ "$?" -ne 0 ] && dummy_cert.sh "$service" add
|
||||
done < "$servicefile"
|
||||
|
||||
echo "Push certs to other servers"
|
||||
for srv in $(host -t TXT shlago.jean-cloud.org ns.jean-cloud.org | grep -Po 'descriptive text "\K[^"]+' | tr ',' ' ' | tr ' ' '\n') ; do
|
||||
server="$srv.jean-cloud.org"
|
||||
echo "-- $server"
|
||||
rsync -avz -e "ssh -i '$DATA_DIR/certs.priv' -p 45985" "$DATA_DIR/certs" "certs@$server:$DATA_DIR/certs"
|
||||
done
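Review bot: The fallback `[ "$?" -ne 0 ] && dummy_cert.sh "$service" add` only runs if this script is not under `set -e`; its header is outside the hunk, but if it uses `set -euo pipefail` like the sibling scripts in this commit, a failing `"$here/acme-dns.sh"` aborts the loop before `$?` is tested and the dummy certificate is never restored. `if ! "$here/acme-dns.sh" "$service" ; then dummy_cert.sh "$service" add ; fi` behaves correctly under both settings. The push loop takes its target list from a TXT record resolved via `ns.jean-cloud.org` and then rsyncs private certificate material to `certs@$server`, so the list is only as trustworthy as the ssh host-key check; make sure `known_hosts` is pre-populated for every push target (or pass `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=<pinned-file>`) rather than relying on first-use acceptance.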
|
@ -3,11 +3,13 @@
|
||||
set -euo pipefail
|
||||
|
||||
cd ../ns1.jean-cloud.org
|
||||
. deploy.sh
|
||||
set -a
|
||||
. .env
|
||||
. deploy.sh
|
||||
set +a
|
||||
|
||||
# Do not run if primary exists
|
||||
[ -d "$DATA_DIR/keys" ] && echo 'ns1 found on this host. Aborting.' && exit 0
|
||||
|
||||
export keydir=""
|
||||
run secondary
|
||||
runthis secondary
|
||||
|
@ -21,24 +21,25 @@ server_zone_file="template.db.jean-cloud.org"
|
||||
keydir="$DATA_DIR/keys"
|
||||
|
||||
# IP of primary servers
|
||||
# MUST end with ; if non-empty
|
||||
primary_ips=""
|
||||
|
||||
# IP of secondary servers (for zone transfer)
|
||||
secondary_ips="37.65.119.74"
|
||||
secondary_ips="37.65.119.74;"
|
||||
|
||||
# NS name
|
||||
default_dns_name="shlago.jean-cloud.org."
|
||||
|
||||
CAA_RR='CAA 0 issue "letsencrypt.org;validationmethods=dns-01"'
|
||||
|
||||
run () {
|
||||
runthis () {
|
||||
if [ "$#" -ne 1 ] ; then
|
||||
die "Usage: run <primary|secondary>"
|
||||
die "Usage: runthis <primary|secondary>"
|
||||
fi
|
||||
|
||||
prepare
|
||||
primary_ips="$primary_ips;$(fakeresolve_ip_list raku)"
|
||||
secondary_ips="$secondary_ips;$(fakeresolve_ip_list shlago)"
|
||||
primary_ips="$primary_ips$(fakeresolve_ip_list raku)"
|
||||
secondary_ips="$secondary_ips$(fakeresolve_ip_list shlago)"
|
||||
|
||||
line_in_file "primary_ips=\"$primary_ips\"" "$DOCKER_DIR/.env"
|
||||
line_in_file "secondary_ips=\"$secondary_ips\"" "$DOCKER_DIR/.env"
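Review bot: The `# MUST end with ; if non-empty` convention now depends on `fakeresolve_ip_list` also returning a `;`-terminated list, because `primary_ips="$primary_ips$(fakeresolve_ip_list raku)"` no longer inserts a separator; if the helper emits bare addresses the joined value loses its trailing `;`, and whatever renders it into the bind configuration would see a malformed list (the helper's output format is outside this hunk). A comment on the assignment, e.g. `# fakeresolve_ip_list must emit 'ip;ip;' so the trailing ; invariant holds`, or a guard like `case "$secondary_ips" in ''|*\;) ;; *) die "secondary_ips must end with ;" ;; esac` would make the contract checkable. The `run` to `runthis` rename presumably avoids clashing with `run` from `driglibash-base`, which this commit sources in the library script; a one-line comment on `runthis ()` saying so would stop someone renaming it back.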
|
||||
@ -53,7 +54,7 @@ run () {
|
||||
}
|
||||
|
||||
main () {
|
||||
run primary
|
||||
runthis primary
|
||||
}
|
||||
|
||||
# Do not execute main if script is sourced
|
||||
|
@ -1,5 +1,7 @@
|
||||
set -euo pipefail
|
||||
|
||||
. driglibash-base
|
||||
|
||||
fakeresolve_ip_list () {
|
||||
if [ "$#" -ne 1 ] ; then
|
||||
die "Usage: fakeresolve_ip_list <name>"
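Review bot: `. driglibash-base` with a bare filename makes the shell search `$PATH` for the file, so whichever directory first provides a `driglibash-base` is what gets sourced into a script that later runs `sudo -u bind ...` and writes under `/etc/bind`; a writable or user-influenced `PATH` entry ahead of the intended one becomes code execution at that privilege. Source it by absolute path, e.g. `. /<install-dir>/driglibash-base`, or at least resolve and check it once with `lib="$(command -v driglibash-base)" && [ -O "$lib" ] || die "driglibash-base not found"` before sourcing. `fakeresolve_ip_list` continues past the end of this hunk.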
|
||||
@ -19,7 +21,7 @@ prepare () {
|
||||
fi
|
||||
|
||||
# Sync the git repo
|
||||
sudo -u bind git_update.sh -N -b main -i "$DATA_DIR/gitkey" -d "$debian_bind_confdir" 'ssh://git@git.jean-cloud.net:22529/adrian/dnszones.git'
|
||||
run sudo -u bind git_update.sh -N -b main -i "$DATA_DIR/gitkey" -d "$debian_bind_confdir" 'ssh://git@git.jean-cloud.net:22529/adrian/dnszones.git'
|
||||
cd /etc/bind
|
||||
|
||||
|
||||
@ -106,7 +108,7 @@ create_primary_files () {
|
||||
# Compact the default SOA
|
||||
SOA="$(grep -o '^[^;]*' SOA | sed -z -e 's/[[:space:]]\{2,\}/ /g' -e 's/\n/\\n/')"
|
||||
|
||||
cat "$debian_bind_confdir/template.named.conf" | template.sh "$DOCKER_DIR/.env" > "$debian_bind_confdir/named.conf"
|
||||
line_in_file "include \"$DATA_DIR/letsencrypt.key\";" "$debian_bind_confdir/named.conf"
|
||||
|
||||
for file in $(list_template_db_files) ; do
|
||||
domain="$(basename "$file" | sed 's/template.db.//')"
|
||||
@ -170,7 +172,7 @@ create_primary_files () {
|
||||
create_secondary_files () {
|
||||
primary_ips="$(echo "$primary_ips" | sed 's/^;//')"
|
||||
for file in "$debian_bind_confdir"/template.db.* ; do
|
||||
file="$(echo "$file" | sed 's/template.db.//')"
|
||||
file="$(echo "$file" | sed -e 's/template.db.//' -e "s#$debian_bind_confdir#/var/lib/bind/#")"
|
||||
domain="$(basename "$file")"
|
||||
|
||||
echo -n "
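Review bot: The new `sed -e "s#$debian_bind_confdir#/var/lib/bind/#"` on the `file=` line produces a double slash (`/var/lib/bind//<domain>`) whenever `$debian_bind_confdir` has no trailing slash, and both `template.db.` and the directory string are treated as regexes; parameter expansion avoids all of that: `file="/var/lib/bind/${file##*/template.db.}"`. The `for file in "$debian_bind_confdir"/template.db.*` loop iterates the literal pattern when nothing matches (no `nullglob` in sight), which would append a bogus zone to `named.conf.local`; `[ -e "$file" ] || continue` as the first body line guards it. The `sed 's/^;//'` on `primary_ips` strips a leading `;`, which the trailing-`;` convention introduced in the deploy.sh hunk no longer produces, so it looks stale though harmless. `create_secondary_files` continues past this hunk.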
|
||||
@ -180,5 +182,4 @@ zone \"$domain\" {
|
||||
file \"$file\";
|
||||
};" >> "$debian_bind_confdir/named.conf.local"
|
||||
done
|
||||
|
||||
}
|
||||
|