new step for jean-cloud kind
This commit is contained in:
parent
269e2a1720
commit
90dd3bad64
@ -74,6 +74,9 @@ usage[I]="Interractive mode. Ask questions if needed."
|
|||||||
varia[I]=interractive
|
varia[I]=interractive
|
||||||
interractive=false
|
interractive=false
|
||||||
|
|
||||||
|
usage[D]="Data Device. Will be encrypted."
|
||||||
|
varia[D]=data_device
|
||||||
|
data_device=
|
||||||
|
|
||||||
. driglibash-args
|
. driglibash-args
|
||||||
|
|
||||||
@ -181,7 +184,7 @@ echo "$repos" >> "$mnt/etc/apt/sources.list"
|
|||||||
run chroot "$mnt" <<EOF
|
run chroot "$mnt" <<EOF
|
||||||
export DEBIAN_FRONTEND=noninteractive
|
export DEBIAN_FRONTEND=noninteractive
|
||||||
apt-get update -q -y
|
apt-get update -q -y
|
||||||
apt-get install -q -y $install
|
apt-get install -q -y cryptsetup $install
|
||||||
EOF
|
EOF
|
||||||
# TODO watershed ?
|
# TODO watershed ?
|
||||||
|
|
||||||
@ -191,6 +194,11 @@ echo -e "$locale" > "$mnt/etc/locale.gen"
|
|||||||
chroot_run locale-gen
|
chroot_run locale-gen
|
||||||
|
|
||||||
|
|
||||||
|
if [ -n "$data_device" ] ; then
|
||||||
|
section "Mounting data dir"
|
||||||
|
cryptsetup create --type plain dmcrypt-jeancloud "$data_device"
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
section "Configuring new system"
|
section "Configuring new system"
|
||||||
uuid=$(blkid | grep "$root_device" | cut -d ' ' -f 2)
|
uuid=$(blkid | grep "$root_device" | cut -d ' ' -f 2)
|
||||||
@ -201,10 +209,12 @@ line_in_file "proc /proc proc defaults" "$mnt/etc/fstab"
|
|||||||
# Set hostname
|
# Set hostname
|
||||||
run echo "$hostname" > "$mnt/etc/hostname"
|
run echo "$hostname" > "$mnt/etc/hostname"
|
||||||
|
|
||||||
|
# Prenvent suspend on lid close
|
||||||
|
line_in_file HandleLidSwitch=ignore /etc/systemd/logind.conf
|
||||||
|
|
||||||
# Fix path and remove noisy beep
|
# Fix path and remove noisy beep
|
||||||
run cat > "$mnt/root/.bashrc" <<EOF
|
run cat > "$mnt/root/.bashrc" <<EOF
|
||||||
PATH=$PATH:/usr/bin:/bin:/sbin:/usr/sbin:/sbin
|
PATH=$PATH:/usr/bin:/bin:/sbin:/usr/sbin:/sbin
|
||||||
/usr/bin/setterm -blength 0
|
|
||||||
EOF
|
EOF
|
||||||
# Be sure this fucking beep is gone
|
# Be sure this fucking beep is gone
|
||||||
echo 'set bell-style none' >> "$mnt/etc/inputrc"
|
echo 'set bell-style none' >> "$mnt/etc/inputrc"
|
||||||
@ -253,7 +263,7 @@ if [ -n "$(ls -A $secret_dir)" ]; then
|
|||||||
#die "Secret dir '$secret_dir' is not empty"
|
#die "Secret dir '$secret_dir' is not empty"
|
||||||
yell "Secret dir is not empty. May erase key."
|
yell "Secret dir is not empty. May erase key."
|
||||||
fi
|
fi
|
||||||
run export HOSTNAME="$hostname" && ssh-keygen -b 4096 -f "$secret_dir/id_rsa" -P ''
|
run export HOSTNAME="$hostname" && ssh-keygen -b 4096 -f "$secret_dir/id_rsa" -P '' -C "access@$hostname"
|
||||||
run mkdir -p "$mnt/root/.ssh/"
|
run mkdir -p "$mnt/root/.ssh/"
|
||||||
cat "$secret_dir/id_rsa.pub" >> "$mnt/root/.ssh/authorized_keys"
|
cat "$secret_dir/id_rsa.pub" >> "$mnt/root/.ssh/authorized_keys"
|
||||||
chroot_run systemctl enable ssh
|
chroot_run systemctl enable ssh
|
||||||
|
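Review bot: `line_in_file HandleLidSwitch=ignore /etc/systemd/logind.conf` edits the installer host's own logind.conf, while every neighbouring write in this hunk targets the new system under `$mnt` (`$mnt/etc/hostname`, `$mnt/root/.bashrc`, `$mnt/etc/inputrc`); it should read `line_in_file HandleLidSwitch=ignore "$mnt/etc/systemd/logind.conf"`. The new `cryptsetup create --type plain dmcrypt-jeancloud "$data_device"` block also deserves a second look: plain mode with no `--key-file` prompts for a passphrase, which cannot succeed when `interractive` defaults to false, and the resulting mapping is neither formatted nor mounted despite the "Mounting data dir" title, so the data device is opened but never used. The enclosing script's header and the code between these hunks are outside what is shown here.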
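--- /dev/null
+++ b/provisioning/roles/deploy_all/files/bin/deploy_service.sh
@@ -0,0 +1,156 @@
+#!/bin/bash
+. driglibash-base
+. /etc/jeancloud.env
+
+set -euo pipefail
+
+noreload=false
+deploy=true
+if [ "$#" -ge 2 ] && [ "$2" = noreload ] ; then
+noreload=true
+elif [ "$#" -ge 3 ] && [ "$3" = undeploy ] ; then
+deploy=false
+else
+die "Usage: $0 <service> [no]reload [un]deploy"
+fi
+
+
+if [ -d "/docker/$1" ] ; then
+service="$1"
+elif [ -d "$1" ] && [[ "$service" = /docker/* ]] ; then
+service="$(basename "$1")"
+else
+die "/docker/$service not found"
+fi
+
+if [ ! -d "$new_nginx_conf_path" ] ; then
+die "Can’t deploy service in degraded state. $new_nginx_conf_path dir is missing, please run deployer.sh first"
+fi
+
+
+docker_service="$(echo "$service" | tr '.' '_')"
+driglibash_section_prefix="[$service] "
+
+cd "/docker/$service"
+[ -f .env ] && . .env
+
+
+###############################################################################
+# Useful directories
+###############################################################################
+
+if "$deploy" ; then
+mkdir -p "$DATA_DIR" "$HTTP_DIR"
+# Try running podman as non-root first…
+chown www-data:www-data -R "$HTTP_DIR"
+else
+[ -d "$HTTP_DIR" ] && rm -r "$HTTP_DIR"
+fi
+
+
+###############################################################################
+# Run scripts
+###############################################################################
+
+if "$deploy" ; then
+[ -x deploy.sh ] && ./deploy.sh
+[ -x deploy_http.sh ] && sudo -u www-data ./deploy_http.sh
+else
+[ -x undeploy.sh ] && ./undeploy.sh
+fi
+
+
+###############################################################################
+# Docker containers
+###############################################################################
+
+# If there is a docker-compose file and it has services in it
+if [ -f "/docker/$service/docker-compose.yml" ] && [ -n "$(grep '^[^#]*services' "/docker/$service/docker-compose.yml")" ] ; then
+section "-------------------- $service"
+if $deploy ; then
+section "Logging to registry"
+# XXX Login to docker registry
+
+section "Pulling images"
+run docker-compose pull
+
+section "Starting service"
+run docker-compose up -d --remove-orphans
+else
+section "Removing containers"
+docker-compose down --rmi all --remove-orphans
+fi
+fi
+
+if ! "$deploy" ; then
+section "Remove stray containers"
+while read container ; do
+echo "Removing $container"
+run docker rm "$container"
+done <<< "$(docker ps | grep "$docker_service" | cut -d ' ' -f 1)"
+fi
+
+
+
+###############################################################################
+# wireguard interface
+###############################################################################
+
+# If there is a wireguard vpn script
+for file in $( find "/docker/$service" -name "wg-*.sh") ; do
+section "Managing wg interface $(basename "$file")"
+if [ -x "$file" ] ; then
+wgif="$(basename "$file")"
+wgif="${wgif:3:-3}"
+"$file" $wgif > "/etc/wireguard/$wgif.conf"
+if "$deploy" ; then
+systemctl enable "wg-quick@$wgif"
+startwg.sh "$wgif"
+else
+if [ -z "$(ip a | grep "$wgif")" ] ; then
+wg-quick down "$wgif"
+fi
+fi
+fi
+done
+
+
+###############################################################################
+# Nginx conf
+###############################################################################
+
+# If there is a nginx conf file
+if [ -f "/docker/$service/nginx_server.conf" ] ; then
+section "Copy nginx conf"
+run cp "/docker/$service/nginx_server.conf" "$new_nginx_conf_path/$service"
+
+section "Template nginx conf with vars from '.env' file"
+run template.sh "/docker/$service/.env" < "/docker/$service/nginx_server.conf" > "$new_nginx_conf_path/$service"
+fi
+
+# Do we need dummy cert?
+if [ ! -e "$certs_path/$service/fullchain.pem" ] ; then
+section "Create cert dir"
+run mkdir -p "$certs_path/$service"
+
+section "Link dummy to cert"
+run ln -s "$dummy_cert_path/fullchain.pem" "$certs_path/$service"
+run ln -s "$dummy_cert_path/privkey.pem" "$certs_path/$service"
+fi
+
+section "Testing nginx conf"
+run nginx -t -c /etc/nginx/new_nginx.conf
+
+if [ "$noreload" == false ] ; then
+restart_nginx.sh
+fi
+
+section "Cleaning"
+if [ -z "$(ls -A "$DATA_DIR")" ] ; then
+run rmdir "$DATA_DIR"
+fi
+if [ -z "$(ls -A "$HTTP_DIR")" ] ; then
+run rmdir "$HTTP_DIR"
+fi
+
+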
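Review bot: `$service` is read before it is ever assigned in `elif [ -d "$1" ] && [[ "$service" = /docker/* ]]` and in `die "/docker/$service not found"`, so under `set -u` a caller passing a path (or a missing service) gets an "unbound variable" abort instead of the intended branch; both should use `$1`: `elif [ -d "$1" ] && [[ "$1" = /docker/* ]] ; then` and `die "/docker/$1 not found"`. The wireguard undeploy branch is inverted as well: `if [ -z "$(ip a | grep "$wgif")" ]` runs `wg-quick down` only when the interface is absent, so a live interface stays up; it should test `-n`, and a `systemctl disable "wg-quick@$wgif"` would mirror the enable on the deploy side. `for file in $( find … )` word-splits paths; the quoted glob `"/docker/$service/"wg-*.sh` that deployer.sh used before this commit is the safer form.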
@ -4,51 +4,29 @@ driglibash_run_retry=true
|
|||||||
. driglibash-base
|
. driglibash-base
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
|
run gen_env.sh
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# Variables
|
# Variables
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
proxy_dir="/etc/nginx"
|
export proxy_dir="/etc/nginx"
|
||||||
nginx_conf_path="$proxy_dir/sites-enabled"
|
export nginx_conf_path="$proxy_dir/sites-enabled"
|
||||||
new_nginx_conf_path="$proxy_dir/new-sites-enabled"
|
export new_nginx_conf_path="$proxy_dir/new-sites-enabled"
|
||||||
|
|
||||||
certs_path="/etc/letsencrypt/live"
|
export certs_path="/etc/letsencrypt/live"
|
||||||
dummy_cert_path="$certs_path/dummy"
|
export dummy_cert_path="$certs_path/dummy"
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# Helpers
|
# Helpers
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
# Returns the public IP4 address of a domain name
|
|
||||||
function ipof {
|
|
||||||
resolv.sh "$1"
|
|
||||||
}
|
|
||||||
|
|
||||||
function jcservice {
|
|
||||||
if [ "$#" -ne 2 ] ; then
|
|
||||||
echo "usage: $0 <action> <service>"
|
|
||||||
echo "action is start/stop/reload/restart"
|
|
||||||
echo "service is a jc service name"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
action="$1"
|
|
||||||
service="$2"
|
|
||||||
if [ -f "/docker/$service/install.sh" ] ; then
|
|
||||||
section "Running install script"
|
|
||||||
. "/docker/$service/install.sh"
|
|
||||||
# Is $action a bash function?
|
|
||||||
if [ -n "$(LC_ALL=C type "$action" | head -n 1 | grep 'function')" ] ; then
|
|
||||||
"$action"
|
|
||||||
fi
|
|
||||||
unset -f start stop reload restart "$action"
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
# Path to this directory
|
# Path to this directory
|
||||||
here="$(where 'follow_links')"
|
here="$(where 'follow_links')"
|
||||||
|
|
||||||
# Ip4 address
|
# Ip4 address
|
||||||
my_ip="$(ipof "$(cat /etc/hostname)")"
|
#my_ip="$(resolv.sh "$(cat /etc/hostname)")"
|
||||||
|
my_ip="$(curl -4 ifconfig.me 2>/dev/null)"
|
||||||
[ -z "$my_ip" ] && yell "Unable to find my IP" && exit 1
|
[ -z "$my_ip" ] && yell "Unable to find my IP" && exit 1
|
||||||
|
|
||||||
|
|
||||||
@ -57,7 +35,7 @@ my_ip="$(ipof "$(cat /etc/hostname)")"
|
|||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
driglibash_section_prefix="[Prepare nginx] "
|
driglibash_section_prefix="[Prepare nginx] "
|
||||||
section "Delete new conf directory (to recover)"
|
section "Delete new conf directory (to start from scratch)"
|
||||||
run rm -rf "$new_nginx_conf_path"
|
run rm -rf "$new_nginx_conf_path"
|
||||||
|
|
||||||
section "Create new conf file (for tests purposes)"
|
section "Create new conf file (for tests purposes)"
|
||||||
@ -85,121 +63,22 @@ run mkdir -p "$new_nginx_conf_path"
|
|||||||
# Deploy services
|
# Deploy services
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
|
section "Start docker"
|
||||||
|
run systemctl start docker docker.socket
|
||||||
|
|
||||||
|
section "Deploy mandatory services"
|
||||||
|
deploy_service.sh deployer.jean-cloud.org noreload
|
||||||
|
|
||||||
for dir in /docker/* ; do
|
for dir in /docker/* ; do
|
||||||
service="$(basename "$dir")"
|
service="$(basename "$dir")"
|
||||||
# Ignore _ prefixed directories
|
# Ignore _ prefixed directories
|
||||||
[ "${service::1}" == '_' ] && continue
|
[ "${service::1}" == '_' ] && continue
|
||||||
[ ! -d "$dir" ] && continue
|
[ ! -d "$dir" ] && continue
|
||||||
|
[[ "$(resolv.sh $service)" != *$my_ip* ]] && continue
|
||||||
docker_service="$(echo "$service" | tr '.' '_')"
|
deploy_service.sh "$service" "noreload"
|
||||||
driglibash_section_prefix="[$service] "
|
|
||||||
export DATA_DIR="/data/$service"
|
|
||||||
export HTTP_DIR="/srv/http/$service"
|
|
||||||
export JC_SERVICE="$service"
|
|
||||||
line_in_file "HTTP_DIR='$HTTP_DIR'" "/docker/$service/.env"
|
|
||||||
line_in_file "DATA_DIR='$DATA_DIR'" "/docker/$service/.env"
|
|
||||||
line_in_file "JC_SERVICE='$JC_SERVICE'" "/docker/$service/.env"
|
|
||||||
|
|
||||||
cd "/docker/$service"
|
|
||||||
|
|
||||||
# Is service meant to be on this server?
|
|
||||||
ip="$(ipof "$service")"
|
|
||||||
[ -z "$ip" ] && echo "No ip found for $service"
|
|
||||||
|
|
||||||
if [[ "$ip" != *"$my_ip"* ]] ; then
|
|
||||||
if [ -n "$(docker ps | grep "$docker_service")" ] ; then
|
|
||||||
section "--------------------"
|
|
||||||
section "Removing service"
|
|
||||||
docker-compose down --rmi all --remove-orphans
|
|
||||||
[ -d "$HTTP_DIR" ] && rm -r "$HTTP_DIR"
|
|
||||||
fi
|
|
||||||
|
|
||||||
jcservice stop "$service"
|
|
||||||
|
|
||||||
# TODO check for leftover wg interfaces
|
|
||||||
continue
|
|
||||||
fi
|
|
||||||
|
|
||||||
mkdir -p "$DATA_DIR" "$HTTP_DIR"
|
|
||||||
|
|
||||||
|
|
||||||
# If there is a docker-compose file and it has services in it
|
|
||||||
if [ -f "/docker/$service/docker-compose.yml" ] && [ -n "$(grep '^[^#]*services' "/docker/$service/docker-compose.yml")" ] ; then
|
|
||||||
section "-------------------- $service"
|
|
||||||
|
|
||||||
section "Logging to registry"
|
|
||||||
# XXX Login to docker registry
|
|
||||||
|
|
||||||
section "Pulling images"
|
|
||||||
run docker-compose pull
|
|
||||||
|
|
||||||
section "Starting service"
|
|
||||||
run docker-compose up -d --remove-orphans
|
|
||||||
fi
|
|
||||||
|
|
||||||
jcservice start "$service"
|
|
||||||
|
|
||||||
|
|
||||||
# If there is a wireguard vpn script
|
|
||||||
for file in "/docker/$service/"wg-*.sh ; do
|
|
||||||
section "Starting wg interface"
|
|
||||||
if [ -x "$file" ] ; then
|
|
||||||
wgif="$(basename "$file")"
|
|
||||||
wgif="${wgif:3:-3}"
|
|
||||||
"$file" $wgif > "/etc/wireguard/$wgif.conf"
|
|
||||||
systemctl enable "wg-quick@$wgif"
|
|
||||||
startwg.sh $wgif
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
|
|
||||||
# If there is a nginx conf file
|
|
||||||
if [ -f "/docker/$service/nginx_server.conf" ] ; then
|
|
||||||
section "Copy nginx conf"
|
|
||||||
run cp "/docker/$service/nginx_server.conf" "$new_nginx_conf_path/$service"
|
|
||||||
|
|
||||||
section "Template nginx conf with vars from '.env' file"
|
|
||||||
run template.sh "/docker/$service/.env" < "/docker/$service/nginx_server.conf" > "$new_nginx_conf_path/$service"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Do we need dummy cert?
|
|
||||||
if [ ! -e "$certs_path/$service/fullchain.pem" ] ; then
|
|
||||||
section "Create cert dir"
|
|
||||||
run mkdir -p "$certs_path/$service"
|
|
||||||
|
|
||||||
section "Link dummy to cert"
|
|
||||||
run ln -s "$dummy_cert_path/fullchain.pem" "$certs_path/$service"
|
|
||||||
run ln -s "$dummy_cert_path/privkey.pem" "$certs_path/$service"
|
|
||||||
fi
|
|
||||||
|
|
||||||
section "Testing nginx conf"
|
|
||||||
run nginx -t -c /etc/nginx/new_nginx.conf
|
|
||||||
|
|
||||||
done
|
done
|
||||||
|
|
||||||
###############################################################################
|
restart_nginx.sh
|
||||||
# Nginx restart
|
|
||||||
###############################################################################
|
|
||||||
|
|
||||||
driglibash_section_prefix="[Restart nginx] "
|
|
||||||
|
|
||||||
section "Test if nginx conf is ok"
|
|
||||||
run nginx -t -c "$proxy_dir/new_nginx.conf"
|
|
||||||
|
|
||||||
section "Update nginx conf"
|
|
||||||
run rm -rf "$nginx_conf_path"
|
|
||||||
run mv "$new_nginx_conf_path" "$nginx_conf_path"
|
|
||||||
run cp "/docker/_proxy/nginx.conf" "$proxy_dir/nginx.conf"
|
|
||||||
|
|
||||||
section "Test nginx conf to be sure"
|
|
||||||
run nginx -t
|
|
||||||
|
|
||||||
if [ -z "$(cat /var/run/nginx.pid)" ] ; then
|
|
||||||
section "Start nginx"
|
|
||||||
run nginx
|
|
||||||
else
|
|
||||||
section "Reload nginx"
|
|
||||||
run nginx -s reload
|
|
||||||
fi
|
|
||||||
|
|
||||||
clean
|
clean
|
||||||
|
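Review bot: `my_ip="$(curl -4 ifconfig.me 2>/dev/null)"` now fetches the address that decides which services this host runs (`[[ "$(resolv.sh $service)" != *$my_ip* ]] && continue`) from a third party over plain HTTP, so an on-path tamperer or a transient error body can make the deployer skip or undeploy services; use at least `curl -4 -fsS https://ifconfig.me` so a failure yields an empty value that the existing `[ -z "$my_ip" ]` check catches, or reuse the DNS-derived `my_ip` that gen_env.sh already writes to /etc/jeancloud.env (this script does not appear to source that file). The comparison should quote both expansions, `[[ "$(resolv.sh "$service")" != *"$my_ip"* ]] && continue`, since an unquoted `$my_ip` inside the pattern is interpreted as a glob and the unquoted `$service` word-splits. Note that `*$my_ip*` is a substring test, so (as a constructed example) 10.0.0.1 also matches 10.0.0.10; an exact-token match would be safer.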
@ -48,11 +48,11 @@ section(){
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
repeat '=' "$left"
|
repeat '=' "$left"
|
||||||
if [ "$right" -ge 1 ] ; then
|
|
||||||
echo -ne " $text "
|
echo -ne " $text "
|
||||||
|
if [ "$right" -ge 1 ] ; then
|
||||||
repeat '=' "$right"
|
repeat '=' "$right"
|
||||||
echo
|
|
||||||
fi
|
fi
|
||||||
|
echo
|
||||||
|
|
||||||
if "$driglibash_step_by_step" ; then
|
if "$driglibash_step_by_step" ; then
|
||||||
echo "Press enter to proceed"
|
echo "Press enter to proceed"
|
||||||
|
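Review bot: moving `echo -ne " $text "` out of the `$right -ge 1` branch means every section title now goes through echo's escape processing, so a `$text` containing backslashes (a path or a templated message) is altered on output; `printf ' %s ' "$text"` prints it verbatim and avoids the non-portable `-e`. The `section()` function begins above this hunk.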
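--- /dev/null
+++ b/provisioning/roles/deploy_all/files/bin/gen_env.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+set -euo pipefail
+
+. driglibash-base
+
+JC_ENV=/etc/jeancloud.env
+
+certs_path=/etc/letsencrypt/live
+proxy_dir=/etc/nginx
+
+cat > "$JC_ENV" <<EOF
+my_ip=$(resolv.sh "$(cat /etc/hostname)")
+proxy_dir='$proxy_dir'
+nginx_conf_path='$proxy_dir/sites-enabled'
+new_nginx_conf_path='$proxy_dir/new-sites-enabled'
+certs_path='$certs_path'
+dummy_cert_path='$certs_path/dummy'
+EOF
+
+for dir in /docker/* ; do
+service="$(basename "$dir")"
+[ ! -d "$dir" ] && continue
+
+line_in_file "HTTP_DIR='/srv/http/$service'" "/docker/$service/.env"
+line_in_file "DATA_DIR='/data/$service'" "/docker/$service/.env"
+line_in_file "DOCKER_DIR='/docker/$service'" "/docker/$service/.env"
+line_in_file "JC_SERVICE='$service'" "/docker/$service/.env"
+done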
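Review bot: `my_ip=$(resolv.sh "$(cat /etc/hostname)")` drops whatever resolv.sh prints, unquoted, into /etc/jeancloud.env, a file that deploy_service.sh and restart_nginx.sh later `source`, so DNS output that is not a single bare address (an empty answer, several records, an error string) becomes either a broken assignment or shell code executed as root. Capture and validate it before writing: `my_ip="$(resolv.sh "$(cat /etc/hostname)")"`, `[[ "$my_ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || die "unexpected address for this host: '$my_ip'"`, and `my_ip='$my_ip'` inside the heredoc like the other variables. The `for dir in /docker/*` loop also writes an `.env` into `/docker/_proxy`, which deployer.sh deliberately skips via its `_`-prefix check; the same `[ "${service::1}" == '_' ] && continue` would keep the two in step.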
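--- /dev/null
+++ b/provisioning/roles/deploy_all/files/bin/git_update.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+declare -A usage
+declare -A varia
+
+summary="$0 [options] <repo>"
+
+usage[b]="Branch of git repo"
+varia[b]=branch
+branch=master
+
+usage[d]="Destination of clone"
+varia[d]=dst
+dst='.'
+
+usage[i]="privkey used to ssh pull"
+varia[i]=privkey
+privkey=''
+
+
+. driglibash-args
+
+# Some SSH options
+ssh_opt='ssh'
+if [ -n "$privkey" ] ; then
+ssh_opt="$ssh_opt -i $privkey"
+fi
+
+repo="$1"
+if [ -z "$repo" ] ; then
+die "$0: Empty repo given\n$summary"
+fi
+
+cd "$dst"
+
+if [ -d .git ] ; then
+git reset --hard HEAD && git pull --depth 1 --ff-only --rebase --config core.sshCommand="$ssh_opt"
+git submodule update --recursive --remote --recommend-shallow
+else
+git clone --single-branch --recurse-submodules --shallow-submodules --depth 1 --config core.sshCommand="$ssh_opt" "$repo" .
+fi
+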
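Review bot: the `-b` option is parsed (`usage[b]`, `varia[b]=branch`, `branch=master`) but `$branch` is never handed to git, so the clone always takes the remote's default branch; add `--branch "$branch"` to the `git clone --single-branch …` line. On the update path `git pull … --config core.sshCommand="$ssh_opt"` uses an option that belongs to `git clone`; the per-invocation form is `git -c core.sshCommand="$ssh_opt" pull --depth 1 --ff-only --rebase`. The script also lacks the `set -euo pipefail` its siblings carry, so a failing `cd "$dst"` continues and the clone lands in the caller's working directory, and `ssh_opt="$ssh_opt -i $privkey"` is later re-split by the shell that runs core.sshCommand, so a key path containing spaces breaks.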
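--- /dev/null
+++ b/provisioning/roles/deploy_all/files/bin/hugo_rclone.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+set -euo pipefail
+
+. "$DOCKER_DIR/.env"
+. "$DATA_DIR/.env"
+
+webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')"
+webdav_user="$(echo "$NC_SHARE_LINK" |sed 's#.*/s/##')"
+webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")"
+
+git_update.sh "$GIT_SOURCE_REPO"
+rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" -- webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: "$CLOUD_LOCAL_PATH"
+hugo
+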
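Review bot: `-- webdav-pass="$webdav_pass"` has a space after the dashes, so `--` terminates option parsing and `webdav-pass=…` is taken as a positional source path instead of the password flag; the sync then runs without credentials and with a bogus source. Since the value is a secret, prefer the environment over argv, where it is visible to every local user through `ps`: `RCLONE_WEBDAV_PASS="$webdav_pass" rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-vendor=nextcloud :webdav: "$CLOUD_LOCAL_PATH"`. The file is committed as "Normal file" while its siblings in bin/ are executable, which looks unintended.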
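--- /dev/null
+++ b/provisioning/roles/deploy_all/files/bin/jcservice.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+. driglibash-base
+
+if [ "$#" -ne 2 ] ; then
+echo "usage: $0 <action> <service>"
+echo "action is start/stop/reload/restart"
+echo "service is a jc service name"
+exit 1
+fi
+action="$1"
+service="$2"
+if [ -f "/docker/$service/install.sh" ] ; then
+section "Running install script"
+. "/docker/$service/install.sh"
+# Is $action a bash function?
+if [ -n "$(LC_ALL=C type "$action" | head -n 1 | grep 'function')" ] ; then
+(source "/docker/$service/.env" && "$action")
+else
+die "$0 no action $action found for service $service"
+fi
+fi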
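Review bot: `action` is documented as start/stop/reload/restart but never checked, so any function name that is defined after `. "/docker/$service/install.sh"` — including helpers sourced from driglibash-base such as `die` or `section` — passes the `type … | grep 'function'` test and is executed as root; validate it before sourcing anything: `case "$action" in start|stop|reload|restart) ;; *) die "$0: unknown action '$action'" ;; esac`. When no install.sh exists the script exits 0 without doing or reporting anything, which hides a mistyped `$service`; a `yell` or `die` in an `else` branch of the outer `if` would make that visible. `[ "$#" -ne 2 ]` also accepts an empty `$2`, so `"/docker//install.sh"` is probed rather than an error being raised.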
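--- /dev/null
+++ b/provisioning/roles/deploy_all/files/bin/restart_nginx.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+. driglibash-base
+. /etc/jeancloud.env
+
+driglibash_section_prefix="[Restart nginx] "
+
+section "Test if nginx conf is ok"
+run nginx -t -c "$proxy_dir/new_nginx.conf"
+
+section "Update nginx conf"
+run rm -rf "$nginx_conf_path"
+run cp -r "$new_nginx_conf_path" "$nginx_conf_path"
+run cp "/docker/_proxy/nginx.conf" "$proxy_dir/nginx.conf"
+
+section "Test nginx conf to be sure"
+run nginx -t
+
+if [ -z "$(cat /var/run/nginx.pid)" ] ; then
+section "Start nginx"
+run nginx
+else
+section "Reload nginx"
+run nginx -s reload
+fi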
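Review bot: `run rm -rf "$nginx_conf_path"` relies on a variable sourced from /etc/jeancloud.env, and this script has no strict mode, so if that file is missing or the key is renamed the variable is empty, `rm -rf ""` silently does nothing and the following `cp -r` fails with a confusing message; add `set -euo pipefail` after the shebang like the sibling scripts and guard the destructive step with `run rm -rf "${nginx_conf_path:?}"`. deploy_service.sh tests `-c /etc/nginx/new_nginx.conf` while this script tests `-c "$proxy_dir/new_nginx.conf"`; using the variable in both keeps the two from drifting apart.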
@ -1,6 +1,6 @@
|
|||||||
$TTL 604800
|
$TTL 604800
|
||||||
@ IN SOA max.jean-cloud.org. contact.jean-cloud.org. (
|
@ IN SOA tetede.jean-cloud.org. contact.jean-cloud.org. (
|
||||||
2023062300 ; Serial
|
2023082700 ; Serial
|
||||||
7200 ; Refresh
|
7200 ; Refresh
|
||||||
7200 ; Retry
|
7200 ; Retry
|
||||||
2419200 ; Expire
|
2419200 ; Expire
|
||||||
@ -23,6 +23,8 @@ _dmarc 86400 IN TXT v=DMARC1; p=quarantine;
|
|||||||
|
|
||||||
|
|
||||||
; web
|
; web
|
||||||
@ IN A 51.255.33.248
|
@ IN A 51.195.40.128
|
||||||
@ IN A 82.65.204.254
|
@ IN A 109.18.84.200
|
||||||
|
|
||||||
|
www IN A 51.195.40.128
|
||||||
|
www IN A 109.18.84.200
|
||||||
|
@ -1,13 +1,13 @@
|
|||||||
$TTL 604800
|
$TTL 604800
|
||||||
@ IN SOA max.jean-cloud.org. contact.jean-cloud.org. (
|
@ IN SOA tetede.jean-cloud.org. contact.jean-cloud.org. (
|
||||||
2023061500 ; Serial
|
2023082700 ; Serial
|
||||||
7200 ; Refresh
|
7200 ; Refresh
|
||||||
7200 ; Retry
|
7200 ; Retry
|
||||||
2419200 ; Expire
|
2419200 ; Expire
|
||||||
7200 ) ; Negative Cache TTL
|
7200 ) ; Negative Cache TTL
|
||||||
|
|
||||||
; NS
|
; NS
|
||||||
@ IN NS max.jean-cloud.org.
|
;@ IN NS max.jean-cloud.org.
|
||||||
@ IN NS tetede.jean-cloud.org.
|
@ IN NS tetede.jean-cloud.org.
|
||||||
@ IN NS ns1.he.net.
|
@ IN NS ns1.he.net.
|
||||||
@ IN NS ns2.he.net.
|
@ IN NS ns2.he.net.
|
||||||
@ -16,7 +16,7 @@ $TTL 604800
|
|||||||
@ IN NS ns5.he.net.
|
@ IN NS ns5.he.net.
|
||||||
|
|
||||||
@ IN A 51.255.33.248
|
@ IN A 51.255.33.248
|
||||||
@ IN A 82.65.204.254
|
@ IN A 109.18.84.200
|
||||||
|
|
||||||
|
|
||||||
@ 10800 IN MX 10 spool.mail.gandi.net.
|
@ 10800 IN MX 10 spool.mail.gandi.net.
|
||||||
@ -26,7 +26,7 @@ $TTL 604800
|
|||||||
|
|
||||||
; Resolving nameserver
|
; Resolving nameserver
|
||||||
ns2 IN A 51.255.33.248
|
ns2 IN A 51.255.33.248
|
||||||
ns1 IN A 82.65.204.254
|
;ns1 IN A 82.65.204.254
|
||||||
|
|
||||||
;mail IN CNAME vandamme
|
;mail IN CNAME vandamme
|
||||||
webmail IN CNAME vandamme
|
webmail IN CNAME vandamme
|
||||||
@ -49,8 +49,8 @@ tetede IN A 51.195.40.128
|
|||||||
|
|
||||||
heart IN A 109.18.84.200
|
heart IN A 109.18.84.200
|
||||||
|
|
||||||
max IN A 82.65.204.254
|
;max IN A 82.65.204.254
|
||||||
max IN AAAA 2a01:e0a:c9d:81d0:a2b3:ccff:fe85:af97
|
;max IN AAAA 2a01:e0a:c9d:81d0:a2b3:ccff:fe85:af97
|
||||||
|
|
||||||
montbonnot IN A 188.114.97.2
|
montbonnot IN A 188.114.97.2
|
||||||
montbonnot IN A 188.114.96.2
|
montbonnot IN A 188.114.96.2
|
||||||
@ -129,17 +129,18 @@ tracker IN CNAME tetede.jean-cloud.org.
|
|||||||
|
|
||||||
raplacgr IN CNAME tetede.jean-cloud.org.
|
raplacgr IN CNAME tetede.jean-cloud.org.
|
||||||
|
|
||||||
walou IN CNAME dumbcluster.jean-cloud.org.
|
|
||||||
|
|
||||||
nc-backup IN CNAME blatte.jean-cloud.org.
|
nc-backup IN CNAME blatte.jean-cloud.org.
|
||||||
|
|
||||||
gypsy IN CNAME tetede.jean-cloud.org.
|
gypsy IN CNAME tetede.jean-cloud.org.
|
||||||
|
|
||||||
shlago.wireguard.jean-cloud.net IN CNAME tetede.jean-cloud.org.
|
shlago.wireguard.jean-cloud.net IN CNAME tetede.jean-cloud.org.
|
||||||
|
|
||||||
lexicographe IN CNAME max.jean-cloud.org.
|
lexicographe IN CNAME tetede.jean-cloud.org.
|
||||||
|
|
||||||
chahut IN CNAME max.jean-cloud.org.
|
chahut IN CNAME max.jean-cloud.org.
|
||||||
www.chahut IN CNAME max.jean-cloud.org.
|
www.chahut IN CNAME max.jean-cloud.org.
|
||||||
wordpress.chahut IN CNAME max.jean-cloud.org.
|
wordpress.chahut IN CNAME max.jean-cloud.org.
|
||||||
www.wordpress.chahut IN CNAME max.jean-cloud.org.
|
www.wordpress.chahut IN CNAME max.jean-cloud.org.
|
||||||
|
grapes.chahut IN CNAME max.jean-cloud.org.
|
||||||
|
|
||||||
|
louixel IN CNAME raku.jean-cloud.org.
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
$TTL 604800
|
$TTL 604800
|
||||||
@ IN SOA max.jean-cloud.org. contact.jean-cloud.org. (
|
@ IN SOA tetede.jean-cloud.org. contact.jean-cloud.org. (
|
||||||
2023061500 ; Serial
|
2023082700 ; Serial
|
||||||
604800 ; Refresh
|
604800 ; Refresh
|
||||||
86400 ; Retry
|
86400 ; Retry
|
||||||
2419200 ; Expire
|
2419200 ; Expire
|
||||||
@ -9,12 +9,12 @@ $TTL 604800
|
|||||||
@ IN NS max
|
@ IN NS max
|
||||||
@ IN NS tetede
|
@ IN NS tetede
|
||||||
|
|
||||||
|
@ IN A 109.18.84.200
|
||||||
@ IN A 51.255.33.248
|
@ IN A 51.255.33.248
|
||||||
@ IN A 82.65.204.254
|
|
||||||
|
|
||||||
; NS
|
; NS
|
||||||
;ns1 IN CNAME vandamme
|
;ns1 IN CNAME vandamme
|
||||||
ns2 IN A 82.65.204.254
|
;ns2 IN A 82.65.204.254
|
||||||
ns3 IN A 51.195.40.128
|
ns3 IN A 51.195.40.128
|
||||||
|
|
||||||
; Mails
|
; Mails
|
||||||
@ -46,8 +46,8 @@ tetede IN AAAA 2001:41d0:701:1100::31f
|
|||||||
|
|
||||||
heart IN A 109.18.84.200
|
heart IN A 109.18.84.200
|
||||||
|
|
||||||
max IN A 82.65.204.254
|
max IN A 109.18.84.200
|
||||||
max IN AAAA 2a01:e0a:c9d:81d0:a2b3:ccff:fe85:af97
|
;max IN AAAA 2a01:e0a:c9d:81d0:a2b3:ccff:fe85:af97
|
||||||
|
|
||||||
montbonnot IN A 188.114.97.2
|
montbonnot IN A 188.114.97.2
|
||||||
montbonnot IN A 188.114.96.2
|
montbonnot IN A 188.114.96.2
|
||||||
@ -55,3 +55,7 @@ montbonnot IN AAAA 2a06:98c1:3120::2
|
|||||||
montbonnot IN AAAA 2a06:98c1:3121::2
|
montbonnot IN AAAA 2a06:98c1:3121::2
|
||||||
|
|
||||||
blatte IN A 10.98.1.2
|
blatte IN A 10.98.1.2
|
||||||
|
|
||||||
|
|
||||||
|
;raku IN A 37.65.25.194
|
||||||
|
raku IN AAAA 2a02:842a:39a:4d01:b283:feff:fe4c:5dee
|
||||||
|
@ -15,7 +15,7 @@ $TTL 604800
|
|||||||
@ IN NS ns4.he.net.
|
@ IN NS ns4.he.net.
|
||||||
@ IN NS ns5.he.net.
|
@ IN NS ns5.he.net.
|
||||||
|
|
||||||
@ IN A 82.65.204.254
|
@ IN A 213.186.33.40
|
||||||
;@ IN AAAA 2001:41d0:701:1100::31f
|
;@ IN AAAA 2001:41d0:701:1100::31f
|
||||||
|
|
||||||
|
|
||||||
@ -23,6 +23,6 @@ $TTL 604800
|
|||||||
ns1 IN A 51.255.33.248
|
ns1 IN A 51.255.33.248
|
||||||
ns2 IN A 172.104.154.21
|
ns2 IN A 172.104.154.21
|
||||||
|
|
||||||
benevoles IN CNAME max.jean-cloud.org.
|
;benevoles IN CNAME max.jean-cloud.org.
|
||||||
benevoles31 IN CNAME max.jean-cloud.org.
|
;benevoles31 IN CNAME max.jean-cloud.org.
|
||||||
|
|
||||||
|
@ -1,15 +0,0 @@
|
|||||||
$TTL 604800
|
|
||||||
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
|
|
||||||
2023042100 ; Serial
|
|
||||||
604800 ; Refresh
|
|
||||||
86400 ; Retry
|
|
||||||
2419200 ; Expire
|
|
||||||
7200 ) ; Negative Cache TTL (min before refresh)
|
|
||||||
|
|
||||||
@ IN NS ns1.jean-cloud.net.
|
|
||||||
@ IN NS ns2.he.net.
|
|
||||||
@ IN NS ns3.he.net.
|
|
||||||
@ IN NS ns4.he.net.
|
|
||||||
@ IN NS ns5.he.net.
|
|
||||||
|
|
||||||
@ IN A 51.255.33.248
|
|
@ -1,6 +1,6 @@
|
|||||||
$TTL 604800
|
$TTL 604800
|
||||||
@ IN SOA max.jean-cloud.org. contact.jean-cloud.org. (
|
@ IN SOA tetede.jean-cloud.org. contact.jean-cloud.org. (
|
||||||
2023060100 ; Serial
|
2023082700 ; Serial
|
||||||
604800 ; Refresh
|
604800 ; Refresh
|
||||||
7200 ; Retry
|
7200 ; Retry
|
||||||
2419200 ; Expire
|
2419200 ; Expire
|
||||||
@ -8,7 +8,7 @@ $TTL 604800
|
|||||||
|
|
||||||
; NS
|
; NS
|
||||||
|
|
||||||
@ IN NS max.jean-cloud.org.
|
;@ IN NS max.jean-cloud.org.
|
||||||
@ IN NS tetede.jean-cloud.org.
|
@ IN NS tetede.jean-cloud.org.
|
||||||
|
|
||||||
|
|
||||||
|
@ -58,11 +58,6 @@ zone "inurbe.fr"{
|
|||||||
type master;
|
type master;
|
||||||
file "/etc/bind/db.inurbe.fr";
|
file "/etc/bind/db.inurbe.fr";
|
||||||
};
|
};
|
||||||
zone "lalis.fr"{
|
|
||||||
allow-update { none; }; # We are primary DNS
|
|
||||||
type master;
|
|
||||||
file "/etc/bind/db.lalis.fr";
|
|
||||||
};
|
|
||||||
zone "leida.fr"{
|
zone "leida.fr"{
|
||||||
allow-update { none; }; # We are primary DNS
|
allow-update { none; }; # We are primary DNS
|
||||||
type master;
|
type master;
|
||||||
|
@ -8,11 +8,16 @@
|
|||||||
archive: false
|
archive: false
|
||||||
recursive: true
|
recursive: true
|
||||||
|
|
||||||
|
|
||||||
- name: Add binaries
|
- name: Add binaries
|
||||||
ansible.posix.synchronize:
|
ansible.posix.synchronize:
|
||||||
src: "{{ role_path }}/files/bin/"
|
src: "{{ role_path }}/files/bin/"
|
||||||
dest: "/usr/local/bin"
|
dest: "/usr/local/bin"
|
||||||
|
|
||||||
|
- name: Gen env vars
|
||||||
|
command: gen_env.sh
|
||||||
|
|
||||||
|
|
||||||
- name: Add bind conf
|
- name: Add bind conf
|
||||||
ansible.posix.synchronize:
|
ansible.posix.synchronize:
|
||||||
src: "{{ role_path }}/files/bind/"
|
src: "{{ role_path }}/files/bind/"
|
||||||
|
@ -29,7 +29,7 @@
|
|||||||
|
|
||||||
- name: Install some softwares
|
- name: Install some softwares
|
||||||
apt:
|
apt:
|
||||||
name: ['bind9', 'certbot', 'curl', 'dnsutils', 'git', 'gnupg2', 'htop', 'netcat-openbsd', 'nginx', 'rsync', 'screen', 'sshfs', 'sudo', 'traceroute', 'vim', 'wget', 'zip']
|
name: ['bind9', 'certbot', 'curl', 'dnsutils', 'git', 'gnupg2', 'htop', 'hugo', 'netcat-openbsd', 'nginx', 'podman', 'rclone', 'rsync', 'screen', 'sshfs', 'sudo', 'traceroute', 'vim', 'wget', 'zip']
|
||||||
state: latest
|
state: latest
|
||||||
|
|
||||||
# TODO disable certbot and certbot.timer services. We are using our own
|
# TODO disable certbot and certbot.timer services. We are using our own
|
||||||
@ -40,6 +40,7 @@
|
|||||||
state: directory
|
state: directory
|
||||||
with_items:
|
with_items:
|
||||||
- /docker
|
- /docker
|
||||||
|
- /srv/http
|
||||||
- /data
|
- /data
|
||||||
- /etc/letsencrypt
|
- /etc/letsencrypt
|
||||||
|
|
||||||
@ -81,3 +82,12 @@
|
|||||||
HISTTIMEFORMAT="%Y%m%d-%T "
|
HISTTIMEFORMAT="%Y%m%d-%T "
|
||||||
export HISTSIZE HISTFILESIZE HISTTIMEFORMAT
|
export HISTSIZE HISTFILESIZE HISTTIMEFORMAT
|
||||||
|
|
||||||
|
|
||||||
|
- name : Disable docker service
|
||||||
|
service:
|
||||||
|
name: "{{ item }}"
|
||||||
|
state: stopped
|
||||||
|
enabled: false
|
||||||
|
with_items:
|
||||||
|
- docker
|
||||||
|
- docker.socket
|
||||||
|
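Review bot: `command: gen_env.sh` runs on every play and always reports changed, because the `command` module has no idempotence information of its own; if the script is what produces /etc/jeancloud.env (the file the new server.sh sources), add `args: creates: /etc/jeancloud.env`, otherwise at least `changed_when: false`. Writing it as `command: /usr/local/bin/gen_env.sh` also removes the dependency on the remote PATH, since the task just above synchronises the binaries into /usr/local/bin. In the last hunk, `Disable docker service` will fail on a host where no docker unit exists — the apt list in this file installs podman, not docker — unless the task gets a `failed_when`/`ignore_errors` guard or a `when` tied to docker actually being installed.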
@ -18,13 +18,16 @@ Le script deployer.sh va pour chaque service
|
|||||||
- Démarrer docker-compose si besoin
|
- Démarrer docker-compose si besoin
|
||||||
- Copier le fichier nginx.conf dans sites-enabled si besoin (en remplaçant certaines variables) (en créant un faux certificat ssl si besoin)
|
- Copier le fichier nginx.conf dans sites-enabled si besoin (en remplaçant certaines variables) (en créant un faux certificat ssl si besoin)
|
||||||
- Démarrer et activer une interface wg si un fichier `wg-*.conf` est présent.
|
- Démarrer et activer une interface wg si un fichier `wg-*.conf` est présent.
|
||||||
- Exécuter le script install.sh du service s’il existe
|
- Exécuter le script deploy.sh du service s’il existe
|
||||||
|
- Exécuter le script deploy_http.sh en tant que www-data s’il existe. Ce script peut également être éxécuter par nginx pour mettre à jour le site web.
|
||||||
|
|
||||||
Le script letsencrypt.sh va renouveler tous les certificats dont le serveur a besoin (il va lire dans /etc/nginx/sites-enabled).
|
Le script letsencrypt.sh va renouveler tous les certificats dont le serveur a besoin (il va lire dans /etc/nginx/sites-enabled).
|
||||||
|
|
||||||
## Variables
|
## Variables
|
||||||
Le script deployer.sh crée les variables
|
Le script deployer.sh crée les variables
|
||||||
- DATA_DIR : là où sauvegarder des données
|
- DATA_DIR : là où sauvegarder des données
|
||||||
|
- DOCKER_DIR : dossier contenant les fichiers de déploiement du service
|
||||||
- HTTP_DIR : là où mettre les fichiers web si ils sont statiques. Ce dossier peut être détruit à tout moment, il n’est pas sauvegardé.
|
- HTTP_DIR : là où mettre les fichiers web si ils sont statiques. Ce dossier peut être détruit à tout moment, il n’est pas sauvegardé.
|
||||||
- JC_SERVICE : le nom du dossier service. Correspond souvent à l’adresse du service.
|
- JC_SERVICE : le nom du dossier service. Correspond souvent à l’adresse du service.
|
||||||
Ces variables sont ajoutées au ficher .env du service. (écrasées si existantes donc).
|
Ces variables sont ajoutées au ficher .env du service. (écrasées si existantes donc).
|
||||||
|
|
||||||
|
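--- /dev/null
+++ b/services/deployer.jean-cloud.org/deploy.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+chmod +x server.sh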
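Review bot: `chmod +x server.sh` uses a relative path, so it only works if the deployer has already changed into the service directory before running deploy.sh; the nginx.conf in this commit points fcgiwrap at /docker/deployer.jean-cloud.org/server.sh, so `chmod +x -- /docker/deployer.jean-cloud.org/server.sh` (or `"$DOCKER_DIR/server.sh"`, the variable the README documents) does not depend on the cwd. The other new deploy scripts in this commit open with `set -euo pipefail`; this one does not.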
@ -1,12 +1,15 @@
|
|||||||
|
limit_req_zone global zone=deployer_limit:100k rate=3r/m;
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 443;
|
listen 443;
|
||||||
listen [::]:443;
|
listen [::]:443;
|
||||||
server_name $SERVER_HOST;
|
server_name $SERVER_HOST;
|
||||||
ssl_certificate /etc/letsencrypt/live/deployer.jean-cloud.org/fullchain.pem;
|
ssl_certificate /etc/letsencrypt/live/deployer.jean-cloud.org/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/deployer.jean-cloud.org/privkey.pem;
|
ssl_certificate_key /etc/letsencrypt/live/deployer.jean-cloud.org/privkey.pem;
|
||||||
location /reload {
|
location / {
|
||||||
fastcgi_param SCRIPT_FILENAME /var/www/html/test.sh;
|
limit_req zone=deployer_limit;
|
||||||
|
include /etc/nginx/fastcgi_params;
|
||||||
|
fastcgi_param SCRIPT_FILENAME /docker/deployer.jean-cloud.org/server.sh;
|
||||||
fastcgi_pass unix:/var/run/fcgiwrap.socket;
|
fastcgi_pass unix:/var/run/fcgiwrap.socket;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
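Review bot: `listen 443;` and `listen [::]:443;` carry no `ssl` parameter although `ssl_certificate`/`ssl_certificate_key` are set, so unless another server block on the same address:port enables it, nginx speaks plain HTTP on 443 and the certificate is never used; the grapes nginx_server.conf in this commit uses `listen 443 ssl http2;`, which is what is wanted here too. `limit_req_zone global zone=deployer_limit:100k rate=3r/m;` keys on the literal string `global`, so the 3 req/min budget is shared by all clients rather than applied per client — reasonable as a brake on a deploy endpoint, but it deserves a comment, or `$binary_remote_addr` if per-client limiting was intended. Since `location /` now hands every URI to server.sh, adding `limit_req_status 429;` would make rejected calls distinguishable from script failures.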
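--- /dev/null
+++ b/services/deployer.jean-cloud.org/server.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+echo "Content-type: text/html"
+echo ""
+
+service="$(echo "$DOCUMENT_URI" | tr -d '/\;!&<>?#[]()"*')"
+path="/docker/$service/deploy_http.sh"
+. /etc/jeancloud.env
+
+echo '<html><head><title>Rechargement d’un site web</title><meta charset="utf-8" /></head>'
+echo '<body>'
+echo "<h2>Rechargement d’un site web : $service</h2>"
+echo "<h3> Résultat local</h3>"
+if [ -x "$path" ] ; then
+echo "<pre>"
+"$path"
+ret="$?"
+echo "</pre>"
+if [ "$ret" -ne 0 ] ; then
+echo '<p style="color:red;">Une erreur a été détectée. Contactez Jean-Cloud.</p>'
+else
+while read ip ; do
+echo curl http://deployer.jean-cloud.org/ --resolve "*:80:$ip"
+if [ "$?" -eq 0 ] ; then
+echo "$ip ok"
+else
+echo "$ip ERREUR"
+fi
+done < <(getent hosts deployer.jean-cloud.org | cut -d ' ' -f 1 | grep -v "$my_ip")
+fi
+
+echo '<p>Les informations précédentes peuvent vous être utiles (erreurs dans un document, fichier absent…). Prenez le temps de les lire pour avoir un site dont toutes les pages fonctionnent !</p>'
+else
+echo "<p>Échec. Contactez Jean-Cloud</p>"
+fi
+
+echo '</body>'
+echo '</html>
+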
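Review bot: `service` is derived from `$DOCUMENT_URI` with a `tr -d` blocklist that does not remove `.`, so `service` can be `.` or `..` and `path` then resolves to /docker/deploy_http.sh or /deploy_http.sh instead of a service directory (an empty URI gives /docker//deploy_http.sh); an allowlist before the `-x` test is the clearer contract, e.g. `[[ "$service" =~ ^[A-Za-z0-9][A-Za-z0-9.-]*$ && "$service" != *..* ]] || { echo "<p>Service invalide</p></body></html>"; exit 0; }`. `echo curl http://deployer.jean-cloud.org/ --resolve "*:80:$ip"` prints the command instead of running it, so the `"$?"` test below it always sees echo's status and the per-host `ok`/`ERREUR` lines say nothing about the remote reload; drop the leading `echo` and use `while read -r ip`. `$my_ip` is only defined if /etc/jeancloud.env sets it, which the script should state in a comment next to the `.` line. The final `echo '</html>` has no closing quote as rendered; if the file really ends that way bash reports an unterminated string after the body has already been emitted.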
@ -1 +1,2 @@
|
|||||||
GIT_SOURCE_REPO="https://git.jean-cloud.net/adrian/etrevivant"
|
GIT_SOURCE_REPO="https://git.jean-cloud.net/adrian/etrevivant"
|
||||||
|
CLOUD_LOCAL_PATH=content
|
||||||
|
18
services/etrevivant.net/deploy_http.sh
Executable file
18
services/etrevivant.net/deploy_http.sh
Executable file
@ -0,0 +1,18 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
. /docker/etrevivant.net/.env
|
||||||
|
. /data/etrevivant.net/.env
|
||||||
|
webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')"
|
||||||
|
webdav_user="$(echo "$NC_SHARE_LINK" |sed 's#.*/s/##')"
|
||||||
|
webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")"
|
||||||
|
|
||||||
|
cd "$HTTP_DIR"
|
||||||
|
if [ -d .git ] ; then
|
||||||
|
git reset --hard origin/master
|
||||||
|
git pull --depth 1 --rebase
|
||||||
|
else
|
||||||
|
git clone --single-branch --depth 1 "$GIT_SOURCE_REPO" .
|
||||||
|
fi
|
||||||
|
rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: content/
|
||||||
|
hugo
|
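Review bot: `--webdav-user="$webdav_user" --webdav-pass="$webdav_pass"` puts the share credentials on the rclone command line, where any local user can read them from the process list for the duration of the sync, and `rclone obscure` only obfuscates the value, it does not protect it; rclone reads backend options from the environment, so `RCLONE_WEBDAV_URL="$webdav_url" RCLONE_WEBDAV_USER="$webdav_user" RCLONE_WEBDAV_PASS="$webdav_pass" rclone sync --webdav-vendor=nextcloud :webdav: content/` keeps them out of argv. `. /docker/etrevivant.net/.env` and `. /data/etrevivant.net/.env` hard-code the service name although the README hunk in this commit says deployer.sh provides DOCKER_DIR and DATA_DIR; sourcing `"$DOCKER_DIR/.env"` and `"$DATA_DIR/.env"` would keep the script reusable across services. `git reset --hard origin/master` discards any local change in $HTTP_DIR, which looks intended given the README calls HTTP_DIR disposable — a one-line comment saying so would stop a future reader from "fixing" it.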
@ -1,25 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
set -euo pipefail
|
|
||||||
|
|
||||||
start() {
|
|
||||||
. /docker/etrevivant.net/.env
|
|
||||||
. /data/etrevivant.net/.env
|
|
||||||
webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')"
|
|
||||||
webdav_user="$(echo "$NC_SHARE_LINK" |sed 's#.*/s/##')"
|
|
||||||
webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")"
|
|
||||||
sudo -u www-data bash <<EOF
|
|
||||||
set -euo pipefail
|
|
||||||
cd "$HTTP_DIR"
|
|
||||||
[ -d .git ] || git clone --single-branch --depth 1 "$GIT_SOURCE_REPO" . || (git checkout -- * && git pull --depth 1)
|
|
||||||
rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: content/
|
|
||||||
hugo
|
|
||||||
EOF
|
|
||||||
}
|
|
||||||
|
|
||||||
restart () {
|
|
||||||
start
|
|
||||||
}
|
|
||||||
|
|
||||||
stop () {
|
|
||||||
:
|
|
||||||
}
|
|
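--- /dev/null
+++ b/services/grapes.chahut.jean-cloud.net/.env
@@ -0,0 +1,2 @@
+JC_NET=172.29.19
+GIT_SOURCE_REPO=https://git.jean-cloud.net/adrian/grapesjs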
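--- /dev/null
+++ b/services/grapes.chahut.jean-cloud.net/deploy.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+set -euo pipefail
+
+mkdir -p "$HTTP_DIR"
+chown www-data:www-data "$HTTP_DIR"
+sudo -u www-data git_update.sh -d "$HTTP_DIR" "$GIT_SOURCE_REPO"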
19
services/grapes.chahut.jean-cloud.net/docker-compose.yml
Executable file
19
services/grapes.chahut.jean-cloud.net/docker-compose.yml
Executable file
@ -0,0 +1,19 @@
|
|||||||
|
version: '3'
|
||||||
|
services:
|
||||||
|
json_server:
|
||||||
|
image: jeancloud/json-server
|
||||||
|
volumes:
|
||||||
|
- "$DATA_DIR:/usr/lib/json-server"
|
||||||
|
networks:
|
||||||
|
default:
|
||||||
|
ipv4_address: $JC_NET.100
|
||||||
|
deploy:
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpus: '0.50'
|
||||||
|
memory: 100M
|
||||||
|
networks:
|
||||||
|
default:
|
||||||
|
ipam:
|
||||||
|
config:
|
||||||
|
- subnet: $JC_NET.0/24
|
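--- /dev/null
+++ b/services/grapes.chahut.jean-cloud.net/nginx_server.conf
@@ -0,0 +1,35 @@
+server {
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+ssl_certificate /etc/letsencrypt/live/grapes.chahut.jean-cloud.net/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/grapes.chahut.jean-cloud.net/privkey.pem;
+server_name grapes.chahut.jean-cloud.net;
+root $HTTP_DIR;
+
+# Security headers
+# We can create a file with the base security headers and include it.
+# Will it be possible to overload them then ?
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+#add_header Content-Security-Policy "default-src 'self' https://cdnjs.cloudflare.com/ajax/libs/font-awesome/ ;frame-ancestors 'none'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://cdnjs.cloudflare.com/ajax/libs/font-awesome/ ; img-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com/ajax/libs/font-awesome/ ; base-uri 'self'; form-action 'self';" always;
+add_header X-Content-Type-Options "nosniff";
+add_header X-Frame-Options SAMEORIGIN always;
+add_header X-XSS-Protection "1; mode=block" always;
+#add_header Referrer-Policy "strict-origin-when-cross-origin";
+add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';sync-xhr='https://mailer.jean-cloud.net';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';";
+
+auth_basic "Mot de passe !";
+auth_basic_user_file $DATA_DIR/pass.txt;
+
+location / {
+index index.html;
+try_files $uri $uri/ =404;
+}
+
+location /projects {
+proxy_set_header Host $http_host;
+proxy_set_header X-Forwarded-Proto https;
+proxy_pass http://$JC_NET.100:3000;
+proxy_redirect off;
+
+}
+}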
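Review bot: The `Permissions-Policy` value is written in the older Feature-Policy grammar (`geolocation='none';midi='none';…`), whereas Permissions-Policy uses structured-field syntax such as `geolocation=(), camera=(), microphone=(), sync-xhr=("https://mailer.jean-cloud.net")`; as written, browsers discard the header, so none of those restrictions take effect. With the CSP line commented out and `X-XSS-Protection` obsolete, the effective protections in this block are HSTS, nosniff and X-Frame-Options — worth stating in the `# Security headers` comment — and any `add_header` added later inside a `location` would suppress all of these inherited headers, which answers the "overload" question in the comment. `proxy_pass http://$JC_NET.100:3000;` relies on the server-level `auth_basic` as the only authentication in front of the json-server container, presumably by design; a one-line comment saying so would make that dependency explicit.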
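--- /dev/null
+++ b/services/jean-cloud.net/deploy.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+podman run -i --rm -e GIT_SOURCE_REPO='https://git.jean-cloud.net/adrian/jean-cloud_website' -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder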
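Review bot: `docker.io/jeancloud/pelican-rclone-builder` is referenced without a tag or digest, and `podman run` does not refresh an image that is already present locally, so this script keeps building with whichever version was pulled first; add `--pull=always` (or a preceding `podman pull`) and, for supply-chain hygiene, pin the image by digest. Unlike the sibling `services/lexicographe.jean-cloud.net/deploy.sh` in this commit, this script has no `set -euo pipefail`; with a single command the exit status still propagates, but the two scripts should follow the same template.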
@ -1,14 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
set -euo pipefail
|
|
||||||
|
|
||||||
start() {
|
|
||||||
podman run -i --rm -e GIT_SOURCE_REPO='https://git.jean-cloud.net/adrian/jean-cloud_website' -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder
|
|
||||||
}
|
|
||||||
|
|
||||||
restart () {
|
|
||||||
start
|
|
||||||
}
|
|
||||||
|
|
||||||
stop () {
|
|
||||||
:
|
|
||||||
}
|
|
@ -10,7 +10,7 @@ server {
|
|||||||
# We can create a file with the base security headers and include it.
|
# We can create a file with the base security headers and include it.
|
||||||
# Will it be possible to overload them then ?
|
# Will it be possible to overload them then ?
|
||||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||||
add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self' https://unpkg.jean-cloud.net; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self' https://unpkg.jean-cloud.net; base-uri 'self'; form-action 'self' 'https://mailer.jean-cloud.net';" always;
|
add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self'; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self'; base-uri 'self'; form-action 'self';" always;
|
||||||
add_header X-Content-Type-Options "nosniff";
|
add_header X-Content-Type-Options "nosniff";
|
||||||
add_header X-Frame-Options SAMEORIGIN always;
|
add_header X-Frame-Options SAMEORIGIN always;
|
||||||
add_header X-XSS-Protection "1; mode=block" always;
|
add_header X-XSS-Protection "1; mode=block" always;
|
||||||
|
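--- /dev/null
+++ b/services/lexicographe.jean-cloud.net/deploy.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+set -euo pipefail
+
+podman run -i --rm --env-file "$DATA_DIR/.env" -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder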
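Review bot: The deleted install.sh ran `mkdir -p "$DATA_DIR/git"` and `podman pull docker.io/jeancloud/pelican-rclone-builder` before the build, and the new deploy.sh drops both, so the image is never updated once it is cached and the git directory is no longer guaranteed to exist if the builder still relies on it. Re-add the `podman pull` (or `--pull=always` on the run) and the `mkdir -p`, or leave a comment saying why they are no longer needed. The image is also unpinned (no tag or digest), as in services/jean-cloud.net/deploy.sh.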
@ -1,16 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
set -euo pipefail
|
|
||||||
|
|
||||||
start() {
|
|
||||||
mkdir -p "$DATA_DIR/git"
|
|
||||||
podman pull docker.io/jeancloud/pelican-rclone-builder
|
|
||||||
podman run -i --rm --env-file "$DATA_DIR/.env" -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder
|
|
||||||
}
|
|
||||||
|
|
||||||
restart () {
|
|
||||||
start
|
|
||||||
}
|
|
||||||
|
|
||||||
stop () {
|
|
||||||
:
|
|
||||||
}
|
|
@ -1,2 +1,2 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
grep -ho '172.29.[^.]' . -r | sort -u
|
grep -ho '172.29.[^.]\+' . -r | sort -u
|
||||||
|
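Review bot: The dots in `'172.29.[^.]\+'` are unescaped and match any character, so the pattern also accepts strings like `172x29y…`; `grep -rho '172\.29\.[^.]\+' . | sort -u` is tighter and puts the search directory after the options. A short comment above it — presumably it lists the `JC_NET` prefixes used by the service .env files, judging by the grapes .env in this commit setting `JC_NET=172.29.19` — would explain what the one-liner is for.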
@ -15,10 +15,8 @@ Address = 10.100.1.254/32
|
|||||||
[Peer] # adrian
|
[Peer] # adrian
|
||||||
PublicKey = 14yKNmSfD2lrWU+d/RJBPNvh9pZ/nW4bK27F9nTgvk0=
|
PublicKey = 14yKNmSfD2lrWU+d/RJBPNvh9pZ/nW4bK27F9nTgvk0=
|
||||||
AllowedIPs = 10.100.1.253/32
|
AllowedIPs = 10.100.1.253/32
|
||||||
PersistentKeepalive = 25
|
|
||||||
|
|
||||||
[Peer] # Passerelle
|
[Peer] # Passerelle
|
||||||
PublicKey = ZTKOW5DE8jPO8oMh5hAw/c1MQSlUaVxInMPz9Zdwzwo=
|
PublicKey = ZTKOW5DE8jPO8oMh5hAw/c1MQSlUaVxInMPz9Zdwzwo=
|
||||||
AllowedIPs = 10.100.1.0/24,192.168.100.0/24
|
AllowedIPs = 10.100.1.0/24,192.168.100.0/24
|
||||||
PersistentKeepalive = 25
|
|
||||||
"
|
"
|
||||||
|
@ -1 +0,0 @@
|
|||||||
version: '3'
|
|
@ -28,6 +28,7 @@ server {
|
|||||||
ssl_certificate_key /etc/letsencrypt/live/$RADIO_HOST/privkey.pem;
|
ssl_certificate_key /etc/letsencrypt/live/$RADIO_HOST/privkey.pem;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
|
client_max_body_size 0;
|
||||||
proxy_pass http://$ENDPOINT;
|
proxy_pass http://$ENDPOINT;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
proxy_set_header X-Forwarded-For $remote_addr;
|
||||||
|
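Review bot: `client_max_body_size 0;` removes the request-body limit for everything proxied through `location /`, so any client can stream an arbitrarily large body to the upstream; if large uploads are the goal, an explicit ceiling such as `client_max_body_size 512m;` keeps the protection while allowing them. The enclosing `server {` block begins before this hunk; if only one upload path needs the exception, a dedicated `location` for it would scope the change instead of applying it to the whole proxy.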
@ -24,10 +24,15 @@ PostDown = iptables -t nat -D PREROUTING -p tcp --dport $TELECOM_SERVER_PORT -j
|
|||||||
|
|
||||||
# packet masquerading
|
# packet masquerading
|
||||||
PreUp = iptables -t nat -A POSTROUTING -o $wgif -j MASQUERADE
|
PreUp = iptables -t nat -A POSTROUTING -o $wgif -j MASQUERADE
|
||||||
PostDown = iptables -t nat -D POSTROUTING -o $wgif-j MASQUERADE
|
PostDown = iptables -t nat -D POSTROUTING -o $wgif -j MASQUERADE
|
||||||
|
|
||||||
# remote settings for the private server
|
# remote settings for the private server
|
||||||
[Peer]
|
[Peer]
|
||||||
PublicKey = 1YIpMhZGrZRnZPlrTjtCfjvXXGk8j0Ug2AfcHEtN/hE=
|
PublicKey = 1YIpMhZGrZRnZPlrTjtCfjvXXGk8j0Ug2AfcHEtN/hE=
|
||||||
AllowedIPs = 10.29.0.1/32,$NET.0/24
|
AllowedIPs = 10.29.0.1/32,$NET.0/24
|
||||||
|
|
||||||
|
# test separation PA
|
||||||
|
[Peer]
|
||||||
|
PublicKey = todo
|
||||||
|
AllowedlIPs = 10.29.0.2
|
||||||
"
|
"
|
||||||
|
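Review bot: `AllowedlIPs = 10.29.0.2` is misspelled (extra `l`) and `PublicKey = todo` is not a valid base64 key, so once this template is rendered `wg-quick`/`wg setconf` rejects the whole configuration and the interface does not come up — the placeholder peer breaks the existing peer as well, not just the test. Either comment the `# test separation PA` block out until a real key exists or write it as `AllowedIPs = 10.29.0.2/32` with the actual `PublicKey`. The `$wgif-j` → `$wgif -j` fix in the PostDown line is correct; note the block sits inside a quoted string whose closing `"` is the last hunk line, so the file continues outside the hunk.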