update

provisioning/group_vars/servers.yml

@@ -2,13 +2,6 @@
 #
 bootstrap_user: root
 
-# For jean-cloud docker services
-new_nginx_conf_path: '/data/proxy/new-sites-enabled'
-new_blackbox_hosts_path: '/data/prometheus/new-blackbox-targets.yml'
-blackbox_hosts_path: '/data/prometheus/blackbox-targets.yml'
-
-remote_docker_login_registry: registry.jean-cloud.net
-
 # sudo configuration
 # using geerlingguy security
 # https://galaxy.ansible.com/grog/sudo
@@ -21,31 +14,7 @@ remote_docker_login_registry: registry.jean-cloud.net
 #      commands: ALL
 #      nopasswd: yes
 
-# Security geerlingguy
-security_ssh_port: 45985
-# IMPORTANT following values should be quoted. You can lock yourself out.
-security_ssh_password_authentication: "no"
-security_ssh_permit_root_login: "yes"
-security_ssh_usedns: "no"
-security_ssh_permit_empty_password: "no"
-security_ssh_challenge_response_auth: "no"
-security_ssh_gss_api_authentication: "no"
-security_ssh_x11_forwarding: "no"
 
-# Auto upgrades
-security_autoupdate_enabled: true
-
-# f2b
-security_fail2ban_enabled: false
-
-#locales
-locales_default:
-  lang: en_US.UTF-8
-  lc_all: en_US.UTF-8
-
-
-# For unattended upgrade configuration
-unattended_upgrades_mail: contact@jean-cloud.org
 
 # For ssh security
 # https://galaxy.ansible.com/dev-sec/ssh-hardening
@@ -102,9 +71,6 @@ shelldetector_cron_hour: '4'
 shelldetector_cron_minute: '00'
 
 
-# Timezone
-# https://galaxy.ansible.com/oefenweb/timezone
-timezone_zone: Europe/Paris
 
 # NTP
 # https://galaxy.ansible.com/geerlingguy/ntp

provisioning/playbook.yml

@@ -28,7 +28,12 @@
     # Locales
     # TODO set locales date and currency
     #- alvistack.locales
-    - oefenweb.locales
+    - role: oefenweb.locales
+      vars:
+        locales_default:                              
+          lang: en_US.UTF-8                          
+          lc_all: en_US.UTF-8
+
 
     # Sys update. Playbook bien fait.
     - robertdebock.update
@@ -36,15 +41,23 @@
     # Manage sudoers
     #- GROG.sudo
 
-    # Unattended upgrades
-    #- jnv.unattended-upgrades
-    #- thorian93.unattended_upgrade
-    #- racqspace.unattended_upgrades
-
+    
     # ssh security
     # using geerlingguy security
     #- dev-sec.ssh-hardening
-    - geerlingguy.security
+    - role: geerlingguy.security
+      vars:
+        security_ssh_port: 45985
+        security_ssh_password_authentication: "no"    
+        security_ssh_permit_root_login: "yes"    
+        security_ssh_usedns: "no"    
+        security_ssh_permit_empty_password: "no"    
+        security_ssh_challenge_response_auth: "no"    
+        security_ssh_gss_api_authentication: "no"    
+        security_ssh_x11_forwarding: "no"
+        security_autoupdate_enabled: true
+        security_fail2ban_enabled: false
+
     
     # fail2ban
     #- oefenweb.fail2ban
@@ -62,13 +75,18 @@
         #- geerlingguy.clamav
 
     # docker
-    - geerlingguy.docker
+    - role: geerlingguy.docker
+      vars:
+        docker_service_enabled: false
 
     # timezone
-    - oefenweb.timezone
+    - role: oefenweb.timezone
+      vars:
+        timezone_zone: Europe/Paris
 
     # ntp
     #- geerlingguy.ntp
+    #TODO
 
     # docker metrics proxy
     #- docker-metrics-proxy

provisioning/roles/deploy_all/files/bin/deploy_service.sh

@@ -8,6 +8,7 @@ set -euo pipefail
 
 noreload=false
 deploy=true
+service=
 if [ "$#" -ge 2 ] && [ "$2" = noreload ] ; then
 	noreload=true
 elif [ "$#" -ge 3 ] && [ "$3" = undeploy ] ; then

provisioning/roles/deploy_all/files/bin/driglibash-base

@@ -10,6 +10,9 @@ driglibash_step_by_step=false
 # Set to watever you want to have a prefix
 driglibash_section_prefix=""
 
+# set to retry failed commands
+driglibash_run_retry=
+
 
 trap 'die "Received sigint"' INT
 
@@ -88,7 +91,7 @@ run() {
         if [ "$answer" = "y" ] || [ "$answer" = "Y" ] || [ -z "$answer" ] ; then
           continue
         elif [ "$answer" = "s" ] || [ "$answer" = "S" ] ; then
-          return "$code"
+          exit "$code"
         fi
       fi
       die "Aborting"

provisioning/roles/jean-cloud-common/tasks/main.yml

@@ -29,7 +29,7 @@
   ansible.builtin.user:
     name: certs
     shell: /bin/bash
-    home: /data/letsencrypt.jean-cloud.org
+    home: /data/dnscerts.jean-cloud.org
 
 - name: Set authorized key, removing all the authorized keys already set
   ansible.posix.authorized_key:
@@ -108,12 +108,3 @@
       HISTTIMEFORMAT="%Y%m%d-%T "
       export HISTSIZE HISTFILESIZE HISTTIMEFORMAT
 
-
-- name : Disable docker service
-  service:
-      name: "{{ item }}"
-      state: stopped
-      enabled: false
-  with_items:
-    - docker
-    - docker.socket

services/dnscerts.jean-cloud.org/acme-dns.sh

@@ -10,7 +10,7 @@ service="$1"
 nginxfile="/docker/$service/nginx_server.conf"
 if [ -f "$nginxfile" ] ; then    
 	nginxdomains="$(extract_domain_nginx_conf.sh "$nginxfile" | template.sh "/docker/$service/.env")"
-	domains="$(echo "$service $nginxdomains" | tr ' ' '\n' | sort -u | resolvable.sh ns.jean-cloud.org | sed -z -e 's/\n$//' -e 's/\n/ -d /g' )"
+	domains="$(echo "$nginxdomains" | tr ' ' '\n' | sort -u | resolvable.sh ns.jean-cloud.org | sed -z -e 's/\n$//' -e 's/\n/ -d /g' )"
 	[ -z "$domains" ] && exit 0
 	echo "--------------- -d $domains"
 	certbot certonly --config-dir "$DATA_DIR/certs" --work-dir "$tmp/work" --logs-dir "$tmp/logs" --agree-tos -m contact@jean-cloud.org -n --cert-name "$service" --dns-rfc2136 --dns-rfc2136-credentials "$DATA_DIR/rfc2136.ini" -d $domains

services/dnscerts.jean-cloud.org/run_bind.sh

@@ -7,7 +7,9 @@ here="$(where)"
 
 # For some variables
 . /etc/jeancloud.env
+set -a
 . "$here/.env"
+set +a
 
 # Test secret presence
 [ ! -f "$DATA_DIR/rfc2136.ini" ] && echo "$0 Missing file '$DATA_DIR/rfc2136.ini'" && exit 1
@@ -23,10 +25,13 @@ if [ "$#" -ge 1 ] && [ -n "$1" ] ; then
 	done
 fi
 
-# For each service, read all possible domains
+echo "For each service, read all possible domains"
 while read line ; do
 	read -r service target < <(echo "$line")
 
+	# TODO remove
+	( [ "$service" = collectif-arthadie.fr ] || [[ "$service" == *oma-radio.fr ]] ) && continue
+
 	# removo dummy cert
 	dummy_cert.sh "$service" remove
 
@@ -36,5 +41,12 @@ while read line ; do
 	"$here/acme-dns.sh" "$service"
 
 	# Replace dummy cert if letsencrypt failed
-	[ "$?" -ne 0 ] && dummy_cert.sh "$servic" remove
+	[ "$?" -ne 0 ] && dummy_cert.sh "$service" add
 done < "$servicefile"
+
+echo "Push certs to other servers"
+for srv in $(host -t TXT shlago.jean-cloud.org ns.jean-cloud.org | grep -Po 'descriptive text "\K[^"]+' | tr ',' ' ' | tr ' ' '\n') ; do
+	server="$srv.jean-cloud.org"
+	echo "-- $server"
+	rsync -avz -e "ssh -i '$DATA_DIR/certs.priv' -p 45985" "$DATA_DIR/certs" "certs@$server:$DATA_DIR/certs"
+done

services/ns.jean-cloud.org/deploy.sh

@@ -3,11 +3,13 @@
 set -euo pipefail
 
 cd ../ns1.jean-cloud.org
-. deploy.sh
+set -a
 . .env
+. deploy.sh
+set +a
 
 # Do not run if primary exists
 [ -d "$DATA_DIR/keys" ] && echo 'ns1 found on this host. Aborting.' && exit 0
 
 export keydir=""
-run secondary
+runthis secondary

services/ns1.jean-cloud.org/deploy.sh

@@ -21,24 +21,25 @@ server_zone_file="template.db.jean-cloud.org"
 keydir="$DATA_DIR/keys"
 
 # IP of primary servers
+# MUST end with ; if non-empty
 primary_ips=""
 
 # IP of secondary servers (for zone transfer)
-secondary_ips="37.65.119.74"
+secondary_ips="37.65.119.74;"
 
 # NS name
 default_dns_name="shlago.jean-cloud.org."
 
 CAA_RR='CAA 0 issue "letsencrypt.org;validationmethods=dns-01"'
 
-run () {
+runthis () {
 	if [ "$#" -ne 1 ] ; then
-		die "Usage: run <primary|secondary>"
+		die "Usage: runthis <primary|secondary>"
 	fi
 
 	prepare
-	primary_ips="$primary_ips;$(fakeresolve_ip_list raku)"
-	secondary_ips="$secondary_ips;$(fakeresolve_ip_list shlago)"
+	primary_ips="$primary_ips$(fakeresolve_ip_list raku)"
+	secondary_ips="$secondary_ips$(fakeresolve_ip_list shlago)"
 
 	line_in_file "primary_ips=\"$primary_ips\"" "$DOCKER_DIR/.env"
 	line_in_file "secondary_ips=\"$secondary_ips\"" "$DOCKER_DIR/.env"
@@ -53,7 +54,7 @@ run () {
 }
 
 main () {
-	run primary
+	runthis primary
 }
 
 # Do not execute main if script is sourced

services/ns1.jean-cloud.org/helper_functions.sh

@@ -1,5 +1,7 @@
 set -euo pipefail
 
+. driglibash-base
+
 fakeresolve_ip_list () {
 	if [ "$#" -ne 1 ] ; then
 		die "Usage: fakeresolve_ip_list <name>"
@@ -19,7 +21,7 @@ prepare () {
 	fi
 	
 	# Sync the git repo
-	sudo -u bind git_update.sh -N -b main -i "$DATA_DIR/gitkey" -d "$debian_bind_confdir" 'ssh://git@git.jean-cloud.net:22529/adrian/dnszones.git'
+	run sudo -u bind git_update.sh -N -b main -i "$DATA_DIR/gitkey" -d "$debian_bind_confdir" 'ssh://git@git.jean-cloud.net:22529/adrian/dnszones.git'
 	cd /etc/bind
 	
 	
@@ -106,7 +108,7 @@ create_primary_files () {
 	# Compact the default SOA
 	SOA="$(grep -o '^[^;]*' SOA | sed -z -e 's/[[:space:]]\{2,\}/ /g' -e 's/\n/\\n/')"
 	
-	cat "$debian_bind_confdir/template.named.conf" | template.sh "$DOCKER_DIR/.env" > "$debian_bind_confdir/named.conf"
+	line_in_file "include \"$DATA_DIR/letsencrypt.key\";" "$debian_bind_confdir/named.conf"
 	
 	for file in $(list_template_db_files) ; do
 		domain="$(basename "$file" | sed 's/template.db.//')"
@@ -170,7 +172,7 @@ create_primary_files () {
 create_secondary_files () {
 	primary_ips="$(echo "$primary_ips" | sed 's/^;//')"
 	for file in "$debian_bind_confdir"/template.db.* ; do
-		file="$(echo "$file" | sed 's/template.db.//')"
+		file="$(echo "$file" | sed -e 's/template.db.//' -e "s#$debian_bind_confdir#/var/lib/bind/#")"
 		domain="$(basename "$file")"
 	
 		echo -n "
@@ -180,5 +182,4 @@ zone \"$domain\" {
     file \"$file\";
 };" >> "$debian_bind_confdir/named.conf.local"
 	done
-
 }