new step for jean-cloud kind

This commit is contained in:
Adrian Amaglio 2023-08-28 20:25:32 +02:00
parent 269e2a1720
commit 90dd3bad64
39 changed files with 516 additions and 257 deletions


@ -74,6 +74,9 @@ usage[I]="Interractive mode. Ask questions if needed."
varia[I]=interractive varia[I]=interractive
interractive=false interractive=false
usage[D]="Data Device. Will be encrypted."
varia[D]=data_device
data_device=
. driglibash-args . driglibash-args
@ -181,7 +184,7 @@ echo "$repos" >> "$mnt/etc/apt/sources.list"
run chroot "$mnt" <<EOF run chroot "$mnt" <<EOF
export DEBIAN_FRONTEND=noninteractive export DEBIAN_FRONTEND=noninteractive
apt-get update -q -y apt-get update -q -y
apt-get install -q -y $install apt-get install -q -y cryptsetup $install
EOF EOF
# TODO watershed ? # TODO watershed ?
@ -191,6 +194,11 @@ echo -e "$locale" > "$mnt/etc/locale.gen"
chroot_run locale-gen chroot_run locale-gen
if [ -n "$data_device" ] ; then
section "Mounting data dir"
cryptsetup create --type plain dmcrypt-jeancloud "$data_device"
fi
section "Configuring new system" section "Configuring new system"
uuid=$(blkid | grep "$root_device" | cut -d ' ' -f 2) uuid=$(blkid | grep "$root_device" | cut -d ' ' -f 2)
@ -201,10 +209,12 @@ line_in_file "proc /proc proc defaults" "$mnt/etc/fstab"
# Set hostname # Set hostname
run echo "$hostname" > "$mnt/etc/hostname" run echo "$hostname" > "$mnt/etc/hostname"
# Prenvent suspend on lid close
line_in_file HandleLidSwitch=ignore /etc/systemd/logind.conf
# Fix path and remove noisy beep # Fix path and remove noisy beep
run cat > "$mnt/root/.bashrc" <<EOF run cat > "$mnt/root/.bashrc" <<EOF
PATH=$PATH:/usr/bin:/bin:/sbin:/usr/sbin:/sbin PATH=$PATH:/usr/bin:/bin:/sbin:/usr/sbin:/sbin
/usr/bin/setterm -blength 0
EOF EOF
# Be sure this fucking beep is gone # Be sure this fucking beep is gone
echo 'set bell-style none' >> "$mnt/etc/inputrc" echo 'set bell-style none' >> "$mnt/etc/inputrc"
@ -253,7 +263,7 @@ if [ -n "$(ls -A $secret_dir)" ]; then
#die "Secret dir '$secret_dir' is not empty" #die "Secret dir '$secret_dir' is not empty"
yell "Secret dir is not empty. May erase key." yell "Secret dir is not empty. May erase key."
fi fi
run export HOSTNAME="$hostname" && ssh-keygen -b 4096 -f "$secret_dir/id_rsa" -P '' run export HOSTNAME="$hostname" && ssh-keygen -b 4096 -f "$secret_dir/id_rsa" -P '' -C "access@$hostname"
run mkdir -p "$mnt/root/.ssh/" run mkdir -p "$mnt/root/.ssh/"
cat "$secret_dir/id_rsa.pub" >> "$mnt/root/.ssh/authorized_keys" cat "$secret_dir/id_rsa.pub" >> "$mnt/root/.ssh/authorized_keys"
chroot_run systemctl enable ssh chroot_run systemctl enable ssh
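Review bot: The new `line_in_file HandleLidSwitch=ignore /etc/systemd/logind.conf` edits the installer host's logind.conf rather than the target system's; every other step around it writes under `$mnt`, so this should read `line_in_file HandleLidSwitch=ignore "$mnt/etc/systemd/logind.conf"`. In the `@ -191,6 +194,11 @@` hunk, `cryptsetup create --type plain dmcrypt-jeancloud "$data_device"` is the deprecated spelling of `cryptsetup open --type plain`, and plain mode has no header to detect a mistyped passphrase, so a typo at the prompt silently yields a mapping over garbage. The section is titled "Mounting data dir" but nothing visible formats or mounts `/dev/mapper/dmcrypt-jeancloud` or records it in the target's `/etc/crypttab`/`fstab`, so unless those steps live outside the hunk the device will not come back after reboot. Note also that `cryptsetup` is only added to the chroot's `apt-get install` list while the `cryptsetup create` runs on the host, which therefore needs the package already installed.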


@ -0,0 +1,156 @@
#!/bin/bash
. driglibash-base
. /etc/jeancloud.env
set -euo pipefail
noreload=false
deploy=true
if [ "$#" -ge 2 ] && [ "$2" = noreload ] ; then
noreload=true
elif [ "$#" -ge 3 ] && [ "$3" = undeploy ] ; then
deploy=false
else
die "Usage: $0 <service> [no]reload [un]deploy"
fi
if [ -d "/docker/$1" ] ; then
service="$1"
elif [ -d "$1" ] && [[ "$service" = /docker/* ]] ; then
service="$(basename "$1")"
else
die "/docker/$service not found"
fi
if [ ! -d "$new_nginx_conf_path" ] ; then
die "Cant deploy service in degraded state. $new_nginx_conf_path dir is missing, please run deployer.sh first"
fi
docker_service="$(echo "$service" | tr '.' '_')"
driglibash_section_prefix="[$service] "
cd "/docker/$service"
[ -f .env ] && . .env
###############################################################################
# Useful directories
###############################################################################
if "$deploy" ; then
mkdir -p "$DATA_DIR" "$HTTP_DIR"
# Try running podman as non-root first…
chown www-data:www-data -R "$HTTP_DIR"
else
[ -d "$HTTP_DIR" ] && rm -r "$HTTP_DIR"
fi
###############################################################################
# Run scripts
###############################################################################
if "$deploy" ; then
[ -x deploy.sh ] && ./deploy.sh
[ -x deploy_http.sh ] && sudo -u www-data ./deploy_http.sh
else
[ -x undeploy.sh ] && ./undeploy.sh
fi
###############################################################################
# Docker containers
###############################################################################
# If there is a docker-compose file and it has services in it
if [ -f "/docker/$service/docker-compose.yml" ] && [ -n "$(grep '^[^#]*services' "/docker/$service/docker-compose.yml")" ] ; then
section "-------------------- $service"
if $deploy ; then
section "Logging to registry"
# XXX Login to docker registry
section "Pulling images"
run docker-compose pull
section "Starting service"
run docker-compose up -d --remove-orphans
else
section "Removing containers"
docker-compose down --rmi all --remove-orphans
fi
fi
if ! "$deploy" ; then
section "Remove stray containers"
while read container ; do
echo "Removing $container"
run docker rm "$container"
done <<< "$(docker ps | grep "$docker_service" | cut -d ' ' -f 1)"
fi
###############################################################################
# wireguard interface
###############################################################################
# If there is a wireguard vpn script
for file in $( find "/docker/$service" -name "wg-*.sh") ; do
section "Managing wg interface $(basename "$file")"
if [ -x "$file" ] ; then
wgif="$(basename "$file")"
wgif="${wgif:3:-3}"
"$file" $wgif > "/etc/wireguard/$wgif.conf"
if "$deploy" ; then
systemctl enable "wg-quick@$wgif"
startwg.sh "$wgif"
else
if [ -z "$(ip a | grep "$wgif")" ] ; then
wg-quick down "$wgif"
fi
fi
fi
done
###############################################################################
# Nginx conf
###############################################################################
# If there is a nginx conf file
if [ -f "/docker/$service/nginx_server.conf" ] ; then
section "Copy nginx conf"
run cp "/docker/$service/nginx_server.conf" "$new_nginx_conf_path/$service"
section "Template nginx conf with vars from '.env' file"
run template.sh "/docker/$service/.env" < "/docker/$service/nginx_server.conf" > "$new_nginx_conf_path/$service"
fi
# Do we need dummy cert?
if [ ! -e "$certs_path/$service/fullchain.pem" ] ; then
section "Create cert dir"
run mkdir -p "$certs_path/$service"
section "Link dummy to cert"
run ln -s "$dummy_cert_path/fullchain.pem" "$certs_path/$service"
run ln -s "$dummy_cert_path/privkey.pem" "$certs_path/$service"
fi
section "Testing nginx conf"
run nginx -t -c /etc/nginx/new_nginx.conf
if [ "$noreload" == false ] ; then
restart_nginx.sh
fi
section "Cleaning"
if [ -z "$(ls -A "$DATA_DIR")" ] ; then
run rmdir "$DATA_DIR"
fi
if [ -z "$(ls -A "$HTTP_DIR")" ] ; then
run rmdir "$HTTP_DIR"
fi


@ -4,51 +4,29 @@ driglibash_run_retry=true
. driglibash-base . driglibash-base
set -euo pipefail set -euo pipefail
run gen_env.sh
############################################################################### ###############################################################################
# Variables # Variables
############################################################################### ###############################################################################
proxy_dir="/etc/nginx" export proxy_dir="/etc/nginx"
nginx_conf_path="$proxy_dir/sites-enabled" export nginx_conf_path="$proxy_dir/sites-enabled"
new_nginx_conf_path="$proxy_dir/new-sites-enabled" export new_nginx_conf_path="$proxy_dir/new-sites-enabled"
certs_path="/etc/letsencrypt/live" export certs_path="/etc/letsencrypt/live"
dummy_cert_path="$certs_path/dummy" export dummy_cert_path="$certs_path/dummy"
############################################################################### ###############################################################################
# Helpers # Helpers
############################################################################### ###############################################################################
# Returns the public IP4 address of a domain name
function ipof {
resolv.sh "$1"
}
function jcservice {
if [ "$#" -ne 2 ] ; then
echo "usage: $0 <action> <service>"
echo "action is start/stop/reload/restart"
echo "service is a jc service name"
exit 1
fi
action="$1"
service="$2"
if [ -f "/docker/$service/install.sh" ] ; then
section "Running install script"
. "/docker/$service/install.sh"
# Is $action a bash function?
if [ -n "$(LC_ALL=C type "$action" | head -n 1 | grep 'function')" ] ; then
"$action"
fi
unset -f start stop reload restart "$action"
fi
}
# Path to this directory # Path to this directory
here="$(where 'follow_links')" here="$(where 'follow_links')"
# Ip4 address # Ip4 address
my_ip="$(ipof "$(cat /etc/hostname)")" #my_ip="$(resolv.sh "$(cat /etc/hostname)")"
my_ip="$(curl -4 ifconfig.me 2>/dev/null)"
[ -z "$my_ip" ] && yell "Unable to find my IP" && exit 1 [ -z "$my_ip" ] && yell "Unable to find my IP" && exit 1
@ -57,7 +35,7 @@ my_ip="$(ipof "$(cat /etc/hostname)")"
############################################################################### ###############################################################################
driglibash_section_prefix="[Prepare nginx] " driglibash_section_prefix="[Prepare nginx] "
section "Delete new conf directory (to recover)" section "Delete new conf directory (to start from scratch)"
run rm -rf "$new_nginx_conf_path" run rm -rf "$new_nginx_conf_path"
section "Create new conf file (for tests purposes)" section "Create new conf file (for tests purposes)"
@ -85,121 +63,22 @@ run mkdir -p "$new_nginx_conf_path"
# Deploy services # Deploy services
############################################################################### ###############################################################################
section "Start docker"
run systemctl start docker docker.socket
section "Deploy mandatory services"
deploy_service.sh deployer.jean-cloud.org noreload
for dir in /docker/* ; do for dir in /docker/* ; do
service="$(basename "$dir")" service="$(basename "$dir")"
# Ignore _ prefixed directories # Ignore _ prefixed directories
[ "${service::1}" == '_' ] && continue [ "${service::1}" == '_' ] && continue
[ ! -d "$dir" ] && continue [ ! -d "$dir" ] && continue
[[ "$(resolv.sh $service)" != *$my_ip* ]] && continue
docker_service="$(echo "$service" | tr '.' '_')" deploy_service.sh "$service" "noreload"
driglibash_section_prefix="[$service] "
export DATA_DIR="/data/$service"
export HTTP_DIR="/srv/http/$service"
export JC_SERVICE="$service"
line_in_file "HTTP_DIR='$HTTP_DIR'" "/docker/$service/.env"
line_in_file "DATA_DIR='$DATA_DIR'" "/docker/$service/.env"
line_in_file "JC_SERVICE='$JC_SERVICE'" "/docker/$service/.env"
cd "/docker/$service"
# Is service meant to be on this server?
ip="$(ipof "$service")"
[ -z "$ip" ] && echo "No ip found for $service"
if [[ "$ip" != *"$my_ip"* ]] ; then
if [ -n "$(docker ps | grep "$docker_service")" ] ; then
section "--------------------"
section "Removing service"
docker-compose down --rmi all --remove-orphans
[ -d "$HTTP_DIR" ] && rm -r "$HTTP_DIR"
fi
jcservice stop "$service"
# TODO check for leftover wg interfaces
continue
fi
mkdir -p "$DATA_DIR" "$HTTP_DIR"
# If there is a docker-compose file and it has services in it
if [ -f "/docker/$service/docker-compose.yml" ] && [ -n "$(grep '^[^#]*services' "/docker/$service/docker-compose.yml")" ] ; then
section "-------------------- $service"
section "Logging to registry"
# XXX Login to docker registry
section "Pulling images"
run docker-compose pull
section "Starting service"
run docker-compose up -d --remove-orphans
fi
jcservice start "$service"
# If there is a wireguard vpn script
for file in "/docker/$service/"wg-*.sh ; do
section "Starting wg interface"
if [ -x "$file" ] ; then
wgif="$(basename "$file")"
wgif="${wgif:3:-3}"
"$file" $wgif > "/etc/wireguard/$wgif.conf"
systemctl enable "wg-quick@$wgif"
startwg.sh $wgif
fi
done
# If there is a nginx conf file
if [ -f "/docker/$service/nginx_server.conf" ] ; then
section "Copy nginx conf"
run cp "/docker/$service/nginx_server.conf" "$new_nginx_conf_path/$service"
section "Template nginx conf with vars from '.env' file"
run template.sh "/docker/$service/.env" < "/docker/$service/nginx_server.conf" > "$new_nginx_conf_path/$service"
fi
# Do we need dummy cert?
if [ ! -e "$certs_path/$service/fullchain.pem" ] ; then
section "Create cert dir"
run mkdir -p "$certs_path/$service"
section "Link dummy to cert"
run ln -s "$dummy_cert_path/fullchain.pem" "$certs_path/$service"
run ln -s "$dummy_cert_path/privkey.pem" "$certs_path/$service"
fi
section "Testing nginx conf"
run nginx -t -c /etc/nginx/new_nginx.conf
done done
############################################################################### restart_nginx.sh
# Nginx restart
###############################################################################
driglibash_section_prefix="[Restart nginx] "
section "Test if nginx conf is ok"
run nginx -t -c "$proxy_dir/new_nginx.conf"
section "Update nginx conf"
run rm -rf "$nginx_conf_path"
run mv "$new_nginx_conf_path" "$nginx_conf_path"
run cp "/docker/_proxy/nginx.conf" "$proxy_dir/nginx.conf"
section "Test nginx conf to be sure"
run nginx -t
if [ -z "$(cat /var/run/nginx.pid)" ] ; then
section "Start nginx"
run nginx
else
section "Reload nginx"
run nginx -s reload
fi
clean clean
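Review bot: `my_ip="$(curl -4 ifconfig.me 2>/dev/null)"` makes the deploy/skip decision for every service depend on an unauthenticated plain-HTTP answer from a third party: under `set -e` a curl failure exits before the `yell "Unable to find my IP"` guard runs, and an on-path or service-side manipulation of the reply changes which services this host deploys. gen_env.sh in this commit already derives `my_ip` via `resolv.sh` into `/etc/jeancloud.env`, so sourcing that file (as deploy_service.sh does) keeps a single definition; at minimum use `curl -fsS https://ifconfig.me` and keep the empty check. The filter `[[ "$(resolv.sh $service)" != *$my_ip* ]] && continue` is an unquoted substring match, so `1.2.3.4` also matches `11.2.3.45`; iterate the resolved addresses and compare whole tokens with `[[ "$ip" == "$my_ip" ]]`. The removed loop ran `docker-compose down` and removed `$HTTP_DIR` for services that no longer resolve to this host, whereas the new loop only `continue`s, so a moved service keeps running here unless it is undeployed elsewhere.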


@ -48,11 +48,11 @@ section(){
fi fi
repeat '=' "$left" repeat '=' "$left"
if [ "$right" -ge 1 ] ; then
echo -ne " $text " echo -ne " $text "
if [ "$right" -ge 1 ] ; then
repeat '=' "$right" repeat '=' "$right"
echo
fi fi
echo
if "$driglibash_step_by_step" ; then if "$driglibash_step_by_step" ; then
echo "Press enter to proceed" echo "Press enter to proceed"


@ -0,0 +1,28 @@
#!/bin/bash
set -euo pipefail
. driglibash-base
JC_ENV=/etc/jeancloud.env
certs_path=/etc/letsencrypt/live
proxy_dir=/etc/nginx
cat > "$JC_ENV" <<EOF
my_ip=$(resolv.sh "$(cat /etc/hostname)")
proxy_dir='$proxy_dir'
nginx_conf_path='$proxy_dir/sites-enabled'
new_nginx_conf_path='$proxy_dir/new-sites-enabled'
certs_path='$certs_path'
dummy_cert_path='$certs_path/dummy'
EOF
for dir in /docker/* ; do
service="$(basename "$dir")"
[ ! -d "$dir" ] && continue
line_in_file "HTTP_DIR='/srv/http/$service'" "/docker/$service/.env"
line_in_file "DATA_DIR='/data/$service'" "/docker/$service/.env"
line_in_file "DOCKER_DIR='/docker/$service'" "/docker/$service/.env"
line_in_file "JC_SERVICE='$service'" "/docker/$service/.env"
done
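Review bot: `my_ip=$(resolv.sh "$(cat /etc/hostname)")` inside the here-doc is not covered by `set -e`, so a failing or empty resolution still writes `my_ip=` into `/etc/jeancloud.env`, and consumers such as server.sh's `grep -v "$my_ip"` (which with an empty pattern drops every line) inherit the empty value; resolve first and check — `my_ip="$(resolv.sh "$(cat /etc/hostname)")"`, `[ -n "$my_ip" ] || die "Unable to resolve $(cat /etc/hostname)"` — then emit `my_ip='$my_ip'`. The value is also written unquoted while every other entry is single-quoted, so a multi-line or space-containing answer breaks the file for everyone who sources it. The loop writes `.env` files into every `/docker/*` directory, including the `_`-prefixed ones deployer.sh deliberately skips; the same `[ "${service::1}" == '_' ] && continue` keeps the two scripts in step.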


@ -0,0 +1,42 @@
#!/bin/bash
declare -A usage
declare -A varia
summary="$0 [options] <repo>"
usage[b]="Branch of git repo"
varia[b]=branch
branch=master
usage[d]="Destination of clone"
varia[d]=dst
dst='.'
usage[i]="privkey used to ssh pull"
varia[i]=privkey
privkey=''
. driglibash-args
# Some SSH options
ssh_opt='ssh'
if [ -n "$privkey" ] ; then
ssh_opt="$ssh_opt -i $privkey"
fi
repo="$1"
if [ -z "$repo" ] ; then
die "$0: Empty repo given\n$summary"
fi
cd "$dst"
if [ -d .git ] ; then
git reset --hard HEAD && git pull --depth 1 --ff-only --rebase --config core.sshCommand="$ssh_opt"
git submodule update --recursive --remote --recommend-shallow
else
git clone --single-branch --recurse-submodules --shallow-submodules --depth 1 --config core.sshCommand="$ssh_opt" "$repo" .
fi
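Review bot: `cd "$dst"` is unchecked and the script sets no `set -e`, so when the destination does not exist the clone or `git reset --hard HEAD` runs in whatever directory the caller happens to be in; use `cd "$dst" || die "$0: cannot cd to $dst"` and add `set -euo pipefail` as the sibling scripts do. `git pull --depth 1 --ff-only --rebase --config core.sshCommand=...` looks wrong: as far as I can tell `git pull`, unlike `git clone`, has no `--config` option, so the update path should be `git -c core.sshCommand="$ssh_opt" pull --depth 1 --ff-only`. `git submodule update --remote` checks out each submodule's remote branch tip instead of the commit recorded in the superproject, so a deploy is not pinned to the reviewed commit; drop `--remote` unless floating submodules are intended, and then say so in a comment. `ssh_opt="$ssh_opt -i $privkey"` is re-split by the shell when git executes `core.sshCommand`, so a key path containing spaces breaks; `printf -v ssh_opt '%s -i %q' "$ssh_opt" "$privkey"` keeps it intact.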


@ -0,0 +1,14 @@
#!/bin/bash
set -euo pipefail
. "$DOCKER_DIR/.env"
. "$DATA_DIR/.env"
webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')"
webdav_user="$(echo "$NC_SHARE_LINK" |sed 's#.*/s/##')"
webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")"
git_update.sh "$GIT_SOURCE_REPO"
rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" -- webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: "$CLOUD_LOCAL_PATH"
hugo
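Review bot: `-- webdav-pass="$webdav_pass"` on the rclone line is a typo for `--webdav-pass=...`: after `--` rclone treats `webdav-pass=...` as a positional argument, so the sync gets three positionals and no password (the etrevivant.net deploy_http.sh in this commit spells it correctly). Passing the obscured password on argv also exposes it to any local user via `ps`, and `rclone obscure` is reversible rather than encryption; `RCLONE_WEBDAV_PASS="$webdav_pass" rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-vendor=nextcloud :webdav: "$CLOUD_LOCAL_PATH"` keeps it out of the process list. `git_update.sh "$GIT_SOURCE_REPO"` and the relative `"$CLOUD_LOCAL_PATH"` both act on the caller's working directory, which deploy_service.sh sets to `/docker/$service`; if the site is meant to land in `$HTTP_DIR` as for the other services, pass `-d "$HTTP_DIR"` and `cd` there first.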


@ -0,0 +1,22 @@
#!/bin/bash
. driglibash-base
if [ "$#" -ne 2 ] ; then
echo "usage: $0 <action> <service>"
echo "action is start/stop/reload/restart"
echo "service is a jc service name"
exit 1
fi
action="$1"
service="$2"
if [ -f "/docker/$service/install.sh" ] ; then
section "Running install script"
. "/docker/$service/install.sh"
# Is $action a bash function?
if [ -n "$(LC_ALL=C type "$action" | head -n 1 | grep 'function')" ] ; then
(source "/docker/$service/.env" && "$action")
else
die "$0 no action $action found for service $service"
fi
fi
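Review bot: `$action` is only checked for being a shell function, never for being one of the four actions the usage text documents, so any function that `/docker/$service/install.sh` (or driglibash-base) defines can be invoked by name; add `case "$action" in start|stop|reload|restart) ;; *) die "usage: $0 <action> <service>" ;; esac` before the `-f` test. `$service` is interpolated into `/docker/$service/install.sh` unchecked, so a value containing `/` or `..` sources a file outside `/docker`; a `[[ "$service" != */* && "$service" != .* ]] || die "bad service name"` guard keeps the script inside its directory. The file is sourced (as root when run from deployment) before the script knows whether the action exists, so an unknown action still executes install.sh's top-level code; placing the `case` guard ahead of the `.` avoids that.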


@ -0,0 +1,24 @@
#!/bin/bash
. driglibash-base
. /etc/jeancloud.env
driglibash_section_prefix="[Restart nginx] "
section "Test if nginx conf is ok"
run nginx -t -c "$proxy_dir/new_nginx.conf"
section "Update nginx conf"
run rm -rf "$nginx_conf_path"
run cp -r "$new_nginx_conf_path" "$nginx_conf_path"
run cp "/docker/_proxy/nginx.conf" "$proxy_dir/nginx.conf"
section "Test nginx conf to be sure"
run nginx -t
if [ -z "$(cat /var/run/nginx.pid)" ] ; then
section "Start nginx"
run nginx
else
section "Reload nginx"
run nginx -s reload
fi
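Review bot: `run rm -rf "$nginx_conf_path"` followed by `run cp -r "$new_nginx_conf_path" "$nginx_conf_path"` has no guard that the staging directory exists, and this script, unlike its siblings, sets neither `set -euo pipefail` nor checks its sourced variables, so if the staging directory is missing (or `new_nginx_conf_path` is unset) the live `sites-enabled` is deleted and nothing replaces it. Add `set -euo pipefail`, `[ -d "$new_nginx_conf_path" ] || die "$new_nginx_conf_path missing, run deployer.sh first"` (the same check deploy_service.sh makes) and spell the deletion `run rm -rf -- "${nginx_conf_path:?}"`. Whether `run` aborts on a failing `nginx -t` is decided in driglibash-base, outside this hunk; if it does not, a broken staged config still reaches the `rm`.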


@ -1,6 +1,6 @@
$TTL 604800 $TTL 604800
@ IN SOA max.jean-cloud.org. contact.jean-cloud.org. ( @ IN SOA tetede.jean-cloud.org. contact.jean-cloud.org. (
2023062300 ; Serial 2023082700 ; Serial
7200 ; Refresh 7200 ; Refresh
7200 ; Retry 7200 ; Retry
2419200 ; Expire 2419200 ; Expire
@ -23,6 +23,8 @@ _dmarc 86400 IN TXT v=DMARC1; p=quarantine;
; web ; web
@ IN A 51.255.33.248 @ IN A 51.195.40.128
@ IN A 82.65.204.254 @ IN A 109.18.84.200
www IN A 51.195.40.128
www IN A 109.18.84.200


@ -1,13 +1,13 @@
$TTL 604800 $TTL 604800
@ IN SOA max.jean-cloud.org. contact.jean-cloud.org. ( @ IN SOA tetede.jean-cloud.org. contact.jean-cloud.org. (
2023061500 ; Serial 2023082700 ; Serial
7200 ; Refresh 7200 ; Refresh
7200 ; Retry 7200 ; Retry
2419200 ; Expire 2419200 ; Expire
7200 ) ; Negative Cache TTL 7200 ) ; Negative Cache TTL
; NS ; NS
@ IN NS max.jean-cloud.org. ;@ IN NS max.jean-cloud.org.
@ IN NS tetede.jean-cloud.org. @ IN NS tetede.jean-cloud.org.
@ IN NS ns1.he.net. @ IN NS ns1.he.net.
@ IN NS ns2.he.net. @ IN NS ns2.he.net.
@ -16,7 +16,7 @@ $TTL 604800
@ IN NS ns5.he.net. @ IN NS ns5.he.net.
@ IN A 51.255.33.248 @ IN A 51.255.33.248
@ IN A 82.65.204.254 @ IN A 109.18.84.200
@ 10800 IN MX 10 spool.mail.gandi.net. @ 10800 IN MX 10 spool.mail.gandi.net.
@ -26,7 +26,7 @@ $TTL 604800
; Resolving nameserver ; Resolving nameserver
ns2 IN A 51.255.33.248 ns2 IN A 51.255.33.248
ns1 IN A 82.65.204.254 ;ns1 IN A 82.65.204.254
;mail IN CNAME vandamme ;mail IN CNAME vandamme
webmail IN CNAME vandamme webmail IN CNAME vandamme
@ -49,8 +49,8 @@ tetede IN A 51.195.40.128
heart IN A 109.18.84.200 heart IN A 109.18.84.200
max IN A 82.65.204.254 ;max IN A 82.65.204.254
max IN AAAA 2a01:e0a:c9d:81d0:a2b3:ccff:fe85:af97 ;max IN AAAA 2a01:e0a:c9d:81d0:a2b3:ccff:fe85:af97
montbonnot IN A 188.114.97.2 montbonnot IN A 188.114.97.2
montbonnot IN A 188.114.96.2 montbonnot IN A 188.114.96.2
@ -129,17 +129,18 @@ tracker IN CNAME tetede.jean-cloud.org.
raplacgr IN CNAME tetede.jean-cloud.org. raplacgr IN CNAME tetede.jean-cloud.org.
walou IN CNAME dumbcluster.jean-cloud.org.
nc-backup IN CNAME blatte.jean-cloud.org. nc-backup IN CNAME blatte.jean-cloud.org.
gypsy IN CNAME tetede.jean-cloud.org. gypsy IN CNAME tetede.jean-cloud.org.
shlago.wireguard.jean-cloud.net IN CNAME tetede.jean-cloud.org. shlago.wireguard.jean-cloud.net IN CNAME tetede.jean-cloud.org.
lexicographe IN CNAME max.jean-cloud.org. lexicographe IN CNAME tetede.jean-cloud.org.
chahut IN CNAME max.jean-cloud.org. chahut IN CNAME max.jean-cloud.org.
www.chahut IN CNAME max.jean-cloud.org. www.chahut IN CNAME max.jean-cloud.org.
wordpress.chahut IN CNAME max.jean-cloud.org. wordpress.chahut IN CNAME max.jean-cloud.org.
www.wordpress.chahut IN CNAME max.jean-cloud.org. www.wordpress.chahut IN CNAME max.jean-cloud.org.
grapes.chahut IN CNAME max.jean-cloud.org.
louixel IN CNAME raku.jean-cloud.org.
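Review bot: The `max` address records are commented out (`;max IN A 82.65.204.254` and its AAAA) while `chahut`, `www.chahut`, `wordpress.chahut`, `www.wordpress.chahut` and the new `grapes.chahut` still CNAME to `max.jean-cloud.org.`, so unless `max` keeps an address record outside this hunk those names now resolve to nothing; either repoint them as `lexicographe` was or keep the A record. The added `louixel IN CNAME raku.jean-cloud.org.` relies on a `raku` record in this zone that is not visible in the hunk; in the companion zone below, `raku` is left with only an AAAA record, so if the same holds here `louixel` is reachable over IPv6 only.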


@ -1,6 +1,6 @@
$TTL 604800 $TTL 604800
@ IN SOA max.jean-cloud.org. contact.jean-cloud.org. ( @ IN SOA tetede.jean-cloud.org. contact.jean-cloud.org. (
2023061500 ; Serial 2023082700 ; Serial
604800 ; Refresh 604800 ; Refresh
86400 ; Retry 86400 ; Retry
2419200 ; Expire 2419200 ; Expire
@ -9,12 +9,12 @@ $TTL 604800
@ IN NS max @ IN NS max
@ IN NS tetede @ IN NS tetede
@ IN A 109.18.84.200
@ IN A 51.255.33.248 @ IN A 51.255.33.248
@ IN A 82.65.204.254
; NS ; NS
;ns1 IN CNAME vandamme ;ns1 IN CNAME vandamme
ns2 IN A 82.65.204.254 ;ns2 IN A 82.65.204.254
ns3 IN A 51.195.40.128 ns3 IN A 51.195.40.128
; Mails ; Mails
@ -46,8 +46,8 @@ tetede IN AAAA 2001:41d0:701:1100::31f
heart IN A 109.18.84.200 heart IN A 109.18.84.200
max IN A 82.65.204.254 max IN A 109.18.84.200
max IN AAAA 2a01:e0a:c9d:81d0:a2b3:ccff:fe85:af97 ;max IN AAAA 2a01:e0a:c9d:81d0:a2b3:ccff:fe85:af97
montbonnot IN A 188.114.97.2 montbonnot IN A 188.114.97.2
montbonnot IN A 188.114.96.2 montbonnot IN A 188.114.96.2
@ -55,3 +55,7 @@ montbonnot IN AAAA 2a06:98c1:3120::2
montbonnot IN AAAA 2a06:98c1:3121::2 montbonnot IN AAAA 2a06:98c1:3121::2
blatte IN A 10.98.1.2 blatte IN A 10.98.1.2
;raku IN A 37.65.25.194
raku IN AAAA 2a02:842a:39a:4d01:b283:feff:fe4c:5dee


@ -15,7 +15,7 @@ $TTL 604800
@ IN NS ns4.he.net. @ IN NS ns4.he.net.
@ IN NS ns5.he.net. @ IN NS ns5.he.net.
@ IN A 82.65.204.254 @ IN A 213.186.33.40
;@ IN AAAA 2001:41d0:701:1100::31f ;@ IN AAAA 2001:41d0:701:1100::31f
@ -23,6 +23,6 @@ $TTL 604800
ns1 IN A 51.255.33.248 ns1 IN A 51.255.33.248
ns2 IN A 172.104.154.21 ns2 IN A 172.104.154.21
benevoles IN CNAME max.jean-cloud.org. ;benevoles IN CNAME max.jean-cloud.org.
benevoles31 IN CNAME max.jean-cloud.org. ;benevoles31 IN CNAME max.jean-cloud.org.


@ -1,15 +0,0 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2023042100 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL (min before refresh)
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.he.net.
@ IN NS ns3.he.net.
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
@ IN A 51.255.33.248


@ -1,6 +1,6 @@
$TTL 604800 $TTL 604800
@ IN SOA max.jean-cloud.org. contact.jean-cloud.org. ( @ IN SOA tetede.jean-cloud.org. contact.jean-cloud.org. (
2023060100 ; Serial 2023082700 ; Serial
604800 ; Refresh 604800 ; Refresh
7200 ; Retry 7200 ; Retry
2419200 ; Expire 2419200 ; Expire
@ -8,7 +8,7 @@ $TTL 604800
; NS ; NS
@ IN NS max.jean-cloud.org. ;@ IN NS max.jean-cloud.org.
@ IN NS tetede.jean-cloud.org. @ IN NS tetede.jean-cloud.org.


@ -58,11 +58,6 @@ zone "inurbe.fr"{
type master; type master;
file "/etc/bind/db.inurbe.fr"; file "/etc/bind/db.inurbe.fr";
}; };
zone "lalis.fr"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.lalis.fr";
};
zone "leida.fr"{ zone "leida.fr"{
allow-update { none; }; # We are primary DNS allow-update { none; }; # We are primary DNS
type master; type master;


@ -8,11 +8,16 @@
archive: false archive: false
recursive: true recursive: true
- name: Add binaries - name: Add binaries
ansible.posix.synchronize: ansible.posix.synchronize:
src: "{{ role_path }}/files/bin/" src: "{{ role_path }}/files/bin/"
dest: "/usr/local/bin" dest: "/usr/local/bin"
- name: Gen env vars
command: gen_env.sh
- name: Add bind conf - name: Add bind conf
ansible.posix.synchronize: ansible.posix.synchronize:
src: "{{ role_path }}/files/bind/" src: "{{ role_path }}/files/bind/"


@ -29,7 +29,7 @@
- name: Install some softwares - name: Install some softwares
apt: apt:
name: ['bind9', 'certbot', 'curl', 'dnsutils', 'git', 'gnupg2', 'htop', 'netcat-openbsd', 'nginx', 'rsync', 'screen', 'sshfs', 'sudo', 'traceroute', 'vim', 'wget', 'zip'] name: ['bind9', 'certbot', 'curl', 'dnsutils', 'git', 'gnupg2', 'htop', 'hugo', 'netcat-openbsd', 'nginx', 'podman', 'rclone', 'rsync', 'screen', 'sshfs', 'sudo', 'traceroute', 'vim', 'wget', 'zip']
state: latest state: latest
# TODO disable certbot and certbot.timer services. We are using our own # TODO disable certbot and certbot.timer services. We are using our own
@ -40,6 +40,7 @@
state: directory state: directory
with_items: with_items:
- /docker - /docker
- /srv/http
- /data - /data
- /etc/letsencrypt - /etc/letsencrypt
@ -81,3 +82,12 @@
HISTTIMEFORMAT="%Y%m%d-%T " HISTTIMEFORMAT="%Y%m%d-%T "
export HISTSIZE HISTFILESIZE HISTTIMEFORMAT export HISTSIZE HISTFILESIZE HISTTIMEFORMAT
- name : Disable docker service
service:
name: "{{ item }}"
state: stopped
enabled: false
with_items:
- docker
- docker.socket
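Review bot: The new task stops and disables `docker` and `docker.socket`, yet deploy_service.sh in this commit still drives `docker-compose pull`/`up` and `docker ps` for any service with a `docker-compose.yml`, and the `section "Start docker"` step was removed from deployer.sh; unless something else starts the daemon, every compose-based service now fails at `run docker-compose pull`. If the intent is the podman migration that the added `podman` package suggests, deploy_service.sh needs the matching switch (or `podman-compose`) before docker is disabled here. `state: latest` on the package task also means every playbook run may upgrade nginx, bind9 and podman in place; `state: present` with deliberate upgrades keeps deployments reproducible.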


@ -18,13 +18,16 @@ Le script deployer.sh va pour chaque service
- Démarrer docker-compose si besoin - Démarrer docker-compose si besoin
- Copier le fichier nginx.conf dans sites-enabled si besoin (en remplaçant certaines variables) (en créant un faux certificat ssl si besoin) - Copier le fichier nginx.conf dans sites-enabled si besoin (en remplaçant certaines variables) (en créant un faux certificat ssl si besoin)
- Démarrer et activer une interface wg si un fichier `wg-*.conf` est présent. - Démarrer et activer une interface wg si un fichier `wg-*.conf` est présent.
- Exécuter le script install.sh du service sil existe - Exécuter le script deploy.sh du service sil existe
- Exécuter le script deploy_http.sh en tant que www-data sil existe. Ce script peut également être éxécuter par nginx pour mettre à jour le site web.
Le script letsencrypt.sh va renouveler tous les certificats dont le serveur a besoin (il va lire dans /etc/nginx/sites-enabled). Le script letsencrypt.sh va renouveler tous les certificats dont le serveur a besoin (il va lire dans /etc/nginx/sites-enabled).
## Variables ## Variables
Le script deployer.sh crée les variables Le script deployer.sh crée les variables
- DATA_DIR : là où sauvegarder des données - DATA_DIR : là où sauvegarder des données
- DOCKER_DIR : dossier contenant les fichiers de déploiement du service
- HTTP_DIR : là où mettre les fichiers web si ils sont statiques. Ce dossier peut être détruit à tout moment, il nest pas sauvegardé. - HTTP_DIR : là où mettre les fichiers web si ils sont statiques. Ce dossier peut être détruit à tout moment, il nest pas sauvegardé.
- JC_SERVICE : le nom du dossier service. Correspond souvent à ladresse du service. - JC_SERVICE : le nom du dossier service. Correspond souvent à ladresse du service.
Ces variables sont ajoutées au ficher .env du service. (écrasées si existantes donc). Ces variables sont ajoutées au ficher .env du service. (écrasées si existantes donc).


@ -0,0 +1,2 @@
#!/bin/bash
chmod +x server.sh


@ -1,12 +1,15 @@
limit_req_zone global zone=deployer_limit:100k rate=3r/m;
server { server {
listen 443; listen 443;
listen [::]:443; listen [::]:443;
server_name $SERVER_HOST; server_name $SERVER_HOST;
ssl_certificate /etc/letsencrypt/live/deployer.jean-cloud.org/fullchain.pem; ssl_certificate /etc/letsencrypt/live/deployer.jean-cloud.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/deployer.jean-cloud.org/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/deployer.jean-cloud.org/privkey.pem;
location /reload { location / {
fastcgi_param SCRIPT_FILENAME /var/www/html/test.sh; limit_req zone=deployer_limit;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME /docker/deployer.jean-cloud.org/server.sh;
fastcgi_pass unix:/var/run/fcgiwrap.socket; fastcgi_pass unix:/var/run/fcgiwrap.socket;
} }
} }
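Review bot: `location /` now hands every request on this vhost to `/docker/deployer.jean-cloud.org/server.sh` with only `limit_req` in front of it, so anyone who can reach the host can trigger a redeploy of any service (server.sh derives the service name from `$DOCUMENT_URI` and runs that service's `deploy_http.sh`); restrict it with `allow`/`deny` to the peer deployers server.sh itself contacts, or `auth_basic`, rather than relying on a 3 r/m rate limit. `limit_req zone=deployer_limit;` without `burst` answers anything above the rate with 503, which is acceptable for a webhook but worth a comment. The `listen 443;` lines (unchanged context) carry no `ssl` parameter, so `ssl_certificate` is inert and this vhost speaks plain HTTP on 443 unless `ssl` is enabled in a default server elsewhere; `listen 443 ssl http2;` as in the other server blocks of this commit would fix that.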


@ -0,0 +1,38 @@
#!/bin/bash
echo "Content-type: text/html"
echo ""
service="$(echo "$DOCUMENT_URI" | tr -d '/\;!&<>?#[]()"*')"
path="/docker/$service/deploy_http.sh"
. /etc/jeancloud.env
echo '<html><head><title>Rechargement dun site web</title><meta charset="utf-8" /></head>'
echo '<body>'
echo "<h2>Rechargement dun site web : $service</h2>"
echo "<h3> Résultat local</h3>"
if [ -x "$path" ] ; then
echo "<pre>"
"$path"
ret="$?"
echo "</pre>"
if [ "$ret" -ne 0 ] ; then
echo '<p style="color:red;">Une erreur a été détectée. Contactez Jean-Cloud.</p>'
else
while read ip ; do
echo curl http://deployer.jean-cloud.org/ --resolve "*:80:$ip"
if [ "$?" -eq 0 ] ; then
echo "$ip ok"
else
echo "$ip ERREUR"
fi
done < <(getent hosts deployer.jean-cloud.org | cut -d ' ' -f 1 | grep -v "$my_ip")
fi
echo '<p>Les informations précédentes peuvent vous être utiles (erreurs dans un document, fichier absent…). Prenez le temps de les lire pour avoir un site dont toutes les pages fonctionnent !</p>'
else
echo "<p>Échec. Contactez Jean-Cloud</p>"
fi
echo '</body>'
echo '</html>
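Review bot: `echo curl http://deployer.jean-cloud.org/ --resolve "*:80:$ip"` only prints the command, so the other deployers are never contacted and the `[ "$?" -eq 0 ]` test checks `echo`'s status, reporting every peer as `ok`; drop the leading `echo` (and use `curl -fsS --max-time 30` so a 5xx or hang counts as failure), noting the peers are addressed over `http://` port 80 while the vhost above listens on 443. The script runs whatever `/docker/$service/deploy_http.sh` an unauthenticated caller names: `tr -d '/\;!&<>?#[]()"*'` is a blacklist that still lets `.` and `..` through (`..` yields `/docker/../deploy_http.sh`), so an allowlist such as `[[ "$service" =~ ^[A-Za-z0-9][A-Za-z0-9.-]*$ ]] || exit 1` plus `[ -d "/docker/$service" ]` is the safer shape. `$service` is echoed into the HTML unescaped; with `<`, `>` and `"` stripped it is not injectable today, but escaping at the output rather than the input is the durable fix. `read ip` should be `read -r ip`, and `grep -v "$my_ip"` removes every line when `my_ip` is empty, which leaves the loop silently doing nothing. The final `echo '</html>` has no closing quote as rendered, which bash reports as an unexpected EOF.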


@ -1 +1,2 @@
GIT_SOURCE_REPO="https://git.jean-cloud.net/adrian/etrevivant" GIT_SOURCE_REPO="https://git.jean-cloud.net/adrian/etrevivant"
CLOUD_LOCAL_PATH=content


@ -0,0 +1,18 @@
#!/bin/bash
set -euo pipefail
. /docker/etrevivant.net/.env
. /data/etrevivant.net/.env
webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')"
webdav_user="$(echo "$NC_SHARE_LINK" |sed 's#.*/s/##')"
webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")"
cd "$HTTP_DIR"
if [ -d .git ] ; then
git reset --hard origin/master
git pull --depth 1 --rebase
else
git clone --single-branch --depth 1 "$GIT_SOURCE_REPO" .
fi
rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: content/
hugo
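Review bot: `--webdav-pass="$webdav_pass"` puts the (reversibly obscured) share password on the command line, where any local user can read it from `ps` while the sync runs; `RCLONE_WEBDAV_PASS="$webdav_pass" rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-vendor=nextcloud :webdav: content/` keeps it in the environment of that one process. Because this script runs as www-data (via `sudo -u www-data ./deploy_http.sh`) and can be triggered through server.sh, `/data/etrevivant.net/.env` with `NC_SHARE_PASSWORD` must be readable by www-data; confirm it is mode 0640 owned root:www-data rather than world-readable. This is the second copy of the clone/sync/hugo sequence (the other is the `$DOCKER_DIR`-based deploy_http.sh in this commit) and the commit also adds git_update.sh for exactly the clone-or-pull step; routing both through `git_update.sh -d "$HTTP_DIR" "$GIT_SOURCE_REPO"` leaves one place to fix.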


@ -1,25 +0,0 @@
#!/bin/bash
set -euo pipefail
start() {
. /docker/etrevivant.net/.env
. /data/etrevivant.net/.env
webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')"
webdav_user="$(echo "$NC_SHARE_LINK" |sed 's#.*/s/##')"
webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")"
sudo -u www-data bash <<EOF
set -euo pipefail
cd "$HTTP_DIR"
[ -d .git ] || git clone --single-branch --depth 1 "$GIT_SOURCE_REPO" . || (git checkout -- * && git pull --depth 1)
rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: content/
hugo
EOF
}
restart () {
start
}
stop () {
:
}


@ -0,0 +1,2 @@
JC_NET=172.29.19
GIT_SOURCE_REPO=https://git.jean-cloud.net/adrian/grapesjs


@ -0,0 +1,6 @@
#!/bin/bash
set -euo pipefail
mkdir -p "$HTTP_DIR"
chown www-data:www-data "$HTTP_DIR"
sudo -u www-data git_update.sh -d "$HTTP_DIR" "$GIT_SOURCE_REPO"


@ -0,0 +1,19 @@
version: '3'
services:
json_server:
image: jeancloud/json-server
volumes:
- "$DATA_DIR:/usr/lib/json-server"
networks:
default:
ipv4_address: $JC_NET.100
deploy:
resources:
limits:
cpus: '0.50'
memory: 100M
networks:
default:
ipam:
config:
- subnet: $JC_NET.0/24


@ -0,0 +1,35 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/grapes.chahut.jean-cloud.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/grapes.chahut.jean-cloud.net/privkey.pem;
server_name grapes.chahut.jean-cloud.net;
root $HTTP_DIR;
# Security headers
# We can create a file with the base security headers and include it.
# Will it be possible to overload them then ?
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
#add_header Content-Security-Policy "default-src 'self' https://cdnjs.cloudflare.com/ajax/libs/font-awesome/ ;frame-ancestors 'none'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://cdnjs.cloudflare.com/ajax/libs/font-awesome/ ; img-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com/ajax/libs/font-awesome/ ; base-uri 'self'; form-action 'self';" always;
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options SAMEORIGIN always;
add_header X-XSS-Protection "1; mode=block" always;
#add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';sync-xhr='https://mailer.jean-cloud.net';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';";
auth_basic "Mot de passe !";
auth_basic_user_file $DATA_DIR/pass.txt;
location / {
index index.html;
try_files $uri $uri/ =404;
}
location /projects {
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto https;
proxy_pass http://$JC_NET.100:3000;
proxy_redirect off;
}
}
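Review bot: `auth_basic_user_file $DATA_DIR/pass.txt` places the htpasswd file inside the same `$DATA_DIR` that this service's docker-compose.yml mounts into the json-server container (`"$DATA_DIR:/usr/lib/json-server"`), so the password hashes are readable by whatever runs in that container; keep the credentials outside the mounted tree (a sibling directory, or a file under `/etc/nginx`) readable by nginx but not by www-data. `proxy_pass http://$JC_NET.100:3000;` and `root $HTTP_DIR;` are substituted by template.sh from `.env`, while `$uri` and `$http_host` must survive that pass as nginx variables — worth confirming template.sh only replaces names present in `.env`. `X-XSS-Protection` is deprecated in current browsers; the commented-out `Content-Security-Policy` is the header that actually covers that case.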


@ -0,0 +1,3 @@
#!/bin/bash
podman run -i --rm -e GIT_SOURCE_REPO='https://git.jean-cloud.net/adrian/jean-cloud_website' -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder
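Review bot: The script drops the `set -euo pipefail` that the replaced version had and that the other builder script in this commit keeps, so an unset `HTTP_DIR` turns into a bind mount of `:/usr/local/app` instead of a clean error, and a failing `podman run` is not reported to whatever calls this. Add `set -euo pipefail` after the shebang and assert the variable up front with `: "${HTTP_DIR:?HTTP_DIR must be set}"`. The image `docker.io/jeancloud/pelican-rclone-builder` is also referenced without a tag or digest; pin it so builds are reproducible and a moved tag cannot change the build toolchain unnoticed.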


@ -1,14 +0,0 @@
#!/bin/bash
set -euo pipefail
start() {
podman run -i --rm -e GIT_SOURCE_REPO='https://git.jean-cloud.net/adrian/jean-cloud_website' -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder
}
restart () {
start
}
stop () {
:
}


@ -10,7 +10,7 @@ server {
# We can create a file with the base security headers and include it. # We can create a file with the base security headers and include it.
# Will it be possible to overload them then ? # Will it be possible to overload them then ?
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self' https://unpkg.jean-cloud.net; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self' https://unpkg.jean-cloud.net; base-uri 'self'; form-action 'self' 'https://mailer.jean-cloud.net';" always; add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self'; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self'; base-uri 'self'; form-action 'self';" always;
add_header X-Content-Type-Options "nosniff"; add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options SAMEORIGIN always; add_header X-Frame-Options SAMEORIGIN always;
add_header X-XSS-Protection "1; mode=block" always; add_header X-XSS-Protection "1; mode=block" always;
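Review bot: The old `form-action 'self' 'https://mailer.jean-cloud.net'` wrapped the origin in single quotes, which CSP parses as an unknown keyword and ignores, so browsers were already enforcing `form-action 'self'`; the new value is equivalent in practice, but if any form on this site posts to mailer.jean-cloud.net it was and remains blocked. If that is intended, nothing to do; otherwise add the origin unquoted, `form-action 'self' https://mailer.jean-cloud.net;`. The enclosing server block starts and ends outside the hunk.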


@ -0,0 +1,4 @@
#!/bin/bash
set -euo pipefail
podman run -i --rm --env-file "$DATA_DIR/.env" -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder
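Review bot: `docker.io/jeancloud/pelican-rclone-builder` is run without a tag or digest and, unlike the replaced script, without a preceding `podman pull`, so the build uses whatever image is cached locally until someone pulls by hand, and on a fresh host it takes whatever the tag points to that day. Pin the builder by digest, `docker.io/jeancloud/pelican-rclone-builder@sha256:<digest>`, or pass `--pull newer` on the run if the intent really is to track upstream. `--env-file "$DATA_DIR/.env"` also exports every variable in that file into the container environment, where `podman inspect` and any child process can read it; keep the file limited to what the builder actually needs.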


@ -1,16 +0,0 @@
#!/bin/bash
set -euo pipefail
start() {
mkdir -p "$DATA_DIR/git"
podman pull docker.io/jeancloud/pelican-rclone-builder
podman run -i --rm --env-file "$DATA_DIR/.env" -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder
}
restart () {
start
}
stop () {
:
}


@ -1,2 +1,2 @@
#!/bin/bash #!/bin/bash
grep -ho '172.29.[^.]' . -r | sort -u grep -ho '172.29.[^.]\+' . -r | sort -u
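Review bot: The pattern `'172.29.[^.]\+'` matches any character where the two dots are, and `[^.]\+` also captures whatever non-dot text follows the third octet (a `/24`, a `:`, a closing quote), so the deduplicated list can contain more than bare subnets. `grep -rhoE '172\.29\.[0-9]+' .` keeps the match to the third octet. The recursive grep also scans this script itself and any binary files under `.`; add `-I` or point it at the config files if that turns out to matter.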


@ -15,10 +15,8 @@ Address = 10.100.1.254/32
[Peer] # adrian [Peer] # adrian
PublicKey = 14yKNmSfD2lrWU+d/RJBPNvh9pZ/nW4bK27F9nTgvk0= PublicKey = 14yKNmSfD2lrWU+d/RJBPNvh9pZ/nW4bK27F9nTgvk0=
AllowedIPs = 10.100.1.253/32 AllowedIPs = 10.100.1.253/32
PersistentKeepalive = 25
[Peer] # Passerelle [Peer] # Passerelle
PublicKey = ZTKOW5DE8jPO8oMh5hAw/c1MQSlUaVxInMPz9Zdwzwo= PublicKey = ZTKOW5DE8jPO8oMh5hAw/c1MQSlUaVxInMPz9Zdwzwo=
AllowedIPs = 10.100.1.0/24,192.168.100.0/24 AllowedIPs = 10.100.1.0/24,192.168.100.0/24
PersistentKeepalive = 25
" "


@ -1 +0,0 @@
version: '3'


@ -28,6 +28,7 @@ server {
ssl_certificate_key /etc/letsencrypt/live/$RADIO_HOST/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/$RADIO_HOST/privkey.pem;
location / { location / {
client_max_body_size 0;
proxy_pass http://$ENDPOINT; proxy_pass http://$ENDPOINT;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $remote_addr;
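Review bot: `client_max_body_size 0;` removes the request-body limit for everything proxied under `location /`, so any client that can reach this vhost can push an arbitrarily large body through nginx to `$ENDPOINT`. If the purpose is to let stream sources send long-running uploads, say so in a comment next to the directive; otherwise set a concrete cap sized for the largest legitimate upload, e.g. `client_max_body_size <largest expected upload>;`. The location block continues past the end of the hunk.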


@ -24,10 +24,15 @@ PostDown = iptables -t nat -D PREROUTING -p tcp --dport $TELECOM_SERVER_PORT -j
# packet masquerading # packet masquerading
PreUp = iptables -t nat -A POSTROUTING -o $wgif -j MASQUERADE PreUp = iptables -t nat -A POSTROUTING -o $wgif -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o $wgif-j MASQUERADE PostDown = iptables -t nat -D POSTROUTING -o $wgif -j MASQUERADE
# remote settings for the private server # remote settings for the private server
[Peer] [Peer]
PublicKey = 1YIpMhZGrZRnZPlrTjtCfjvXXGk8j0Ug2AfcHEtN/hE= PublicKey = 1YIpMhZGrZRnZPlrTjtCfjvXXGk8j0Ug2AfcHEtN/hE=
AllowedIPs = 10.29.0.1/32,$NET.0/24 AllowedIPs = 10.29.0.1/32,$NET.0/24
# test separation PA
[Peer]
PublicKey = todo
AllowedlIPs = 10.29.0.2
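Review bot: The new `[Peer]` block spells the key `AllowedlIPs` (extra `l`) instead of `AllowedIPs`, and `PublicKey = todo` is not a valid base64 key; wg(8) reports an unrecognized line and a malformed key as errors when the config is applied, so adding this placeholder peer will most likely keep the whole interface from coming up rather than just leaving one peer unconfigured. Either comment the block out until a real key exists, or fix it as `PublicKey = <base64 key>` and `AllowedIPs = 10.29.0.2/32`. The heredoc that builds this config starts before the hunk.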
" "