new step for jean-cloud kind

2023-08-28 20:25:32 +02:00 · 2023-08-28 20:25:32 +02:00 · 90dd3bad64
commit 90dd3bad64
parent 269e2a1720
39 changed files with 516 additions and 257 deletions
--- a/installing/debootstrap_ordis_portables.sh
+++ b/installing/debootstrap_ordis_portables.sh
@ -74,6 +74,9 @@ usage[I]="Interractive mode. Ask questions if needed."
 varia[I]=interractive
 interractive=false
 usage[D]="Data Device. Will be encrypted."
 varia[D]=data_device
 data_device=
 . driglibash-args
@ -181,7 +184,7 @@ echo "$repos" >> "$mnt/etc/apt/sources.list"
 run chroot "$mnt" <<EOF
  export DEBIAN_FRONTEND=noninteractive
  apt-get update  -q -y 
-  apt-get install -q -y $install
+  apt-get install -q -y cryptsetup $install
 EOF
 # TODO watershed ?
@ -191,6 +194,11 @@ echo -e "$locale" > "$mnt/etc/locale.gen"
 chroot_run locale-gen
 if [ -n "$data_device" ] ; then
 	section "Mounting data dir"
 	cryptsetup create --type plain dmcrypt-jeancloud "$data_device"	
 fi
 section "Configuring new system"
 uuid=$(blkid | grep "$root_device" | cut -d ' ' -f 2)
@ -201,10 +209,12 @@ line_in_file "proc /proc proc defaults" "$mnt/etc/fstab"
 # Set hostname
 run echo "$hostname" > "$mnt/etc/hostname"
 # Prenvent suspend on lid close
 line_in_file HandleLidSwitch=ignore /etc/systemd/logind.conf
 # Fix path and remove noisy beep
 run cat > "$mnt/root/.bashrc" <<EOF
 PATH=$PATH:/usr/bin:/bin:/sbin:/usr/sbin:/sbin
 /usr/bin/setterm -blength 0
 EOF
 # Be sure this fucking beep is gone
 echo 'set bell-style none' >> "$mnt/etc/inputrc"
@ -253,7 +263,7 @@ if [ -n "$(ls -A $secret_dir)" ]; then
  #die "Secret dir '$secret_dir' is not empty"
  yell "Secret dir is not empty. May erase key."
 fi
-run export HOSTNAME="$hostname" && ssh-keygen -b 4096 -f "$secret_dir/id_rsa" -P ''
+run export HOSTNAME="$hostname" && ssh-keygen -b 4096 -f "$secret_dir/id_rsa" -P '' -C "access@$hostname"
 run mkdir -p "$mnt/root/.ssh/"
 cat "$secret_dir/id_rsa.pub" >> "$mnt/root/.ssh/authorized_keys"
 chroot_run systemctl enable ssh
--- a/provisioning/roles/deploy_all/files/bin/deploy_service.sh
+++ b/provisioning/roles/deploy_all/files/bin/deploy_service.sh
@ -0,0 +1,156 @@
 #!/bin/bash
 . driglibash-base
 . /etc/jeancloud.env
 set -euo pipefail
 noreload=false
 deploy=true
 if [ "$#" -ge 2 ] && [ "$2" = noreload ] ; then
 	noreload=true
 elif [ "$#" -ge 3 ] && [ "$3" = undeploy ] ; then
 	deploy=false
 else
 	die "Usage: $0 <service> [no]reload [un]deploy"
 fi
 if [ -d "/docker/$1" ] ; then
 	service="$1"
 elif [ -d "$1" ] && [[ "$service" = /docker/* ]] ; then
 	service="$(basename "$1")"
 else
 	die "/docker/$service not found"
 fi
 if [ ! -d "$new_nginx_conf_path" ] ; then
 	die "Can’t deploy service in degraded state. $new_nginx_conf_path dir is missing, please run deployer.sh first"
 fi
 docker_service="$(echo "$service" | tr '.' '_')"
 driglibash_section_prefix="[$service] "
 cd "/docker/$service"
 [ -f .env ] && . .env
 ###############################################################################
 #							Useful directories
 ###############################################################################
 if "$deploy" ; then
 	mkdir -p "$DATA_DIR" "$HTTP_DIR"
 	# Try running podman as non-root first…
 	chown www-data:www-data -R "$HTTP_DIR"
 else
    [ -d "$HTTP_DIR" ] && rm -r "$HTTP_DIR"
 fi
 ###############################################################################
 #							Run scripts
 ###############################################################################
 if "$deploy" ; then
 	[ -x deploy.sh ] && ./deploy.sh
 	[ -x deploy_http.sh ] && sudo -u www-data ./deploy_http.sh
 else
 	[ -x undeploy.sh ] && ./undeploy.sh
 fi
 ###############################################################################
 #							Docker containers
 ###############################################################################
 # If there is a docker-compose file and it has services in it
 if [ -f "/docker/$service/docker-compose.yml" ] && [ -n "$(grep  '^[^#]*services' "/docker/$service/docker-compose.yml")" ] ; then
    section "-------------------- $service"
 	if $deploy ; then
    	section "Logging to registry"
    	# XXX Login to docker registry
    	section "Pulling images"
    	run docker-compose pull
    	section "Starting service"
    	run docker-compose up -d --remove-orphans
 	else
 		section "Removing containers"
    	docker-compose down --rmi all --remove-orphans
 	fi
 fi
 if ! "$deploy" ; then
 	section "Remove stray containers"
 	while read container ; do
 		echo "Removing $container"
 		run docker rm "$container"
 	done <<< "$(docker ps | grep "$docker_service" | cut -d ' ' -f 1)"
 fi
 ###############################################################################
 #							wireguard interface
 ###############################################################################
 # If there is a wireguard vpn script
 for file in $( find "/docker/$service" -name "wg-*.sh") ; do
 	section "Managing wg interface $(basename "$file")"
    if [ -x "$file" ] ; then
        wgif="$(basename "$file")"
        wgif="${wgif:3:-3}"
        "$file" $wgif > "/etc/wireguard/$wgif.conf"
 		if "$deploy" ; then
        	systemctl enable "wg-quick@$wgif"
        	startwg.sh "$wgif"
 		else
 			if [ -z "$(ip a | grep "$wgif")" ] ; then
 				wg-quick down "$wgif"
 			fi
 		fi
    fi
 done
 ###############################################################################
 #							Nginx conf
 ###############################################################################
 # If there is a nginx conf file
 if [ -f "/docker/$service/nginx_server.conf" ] ; then
    section "Copy nginx conf"
    run cp "/docker/$service/nginx_server.conf" "$new_nginx_conf_path/$service"
    section "Template nginx conf with vars from '.env' file"
    run template.sh "/docker/$service/.env" < "/docker/$service/nginx_server.conf" > "$new_nginx_conf_path/$service"
 fi
 # Do we need dummy cert?
 if [ ! -e "$certs_path/$service/fullchain.pem" ] ; then
    section "Create cert dir"
    run mkdir -p "$certs_path/$service"
    section "Link dummy to cert"
    run ln -s "$dummy_cert_path/fullchain.pem" "$certs_path/$service"
    run ln -s "$dummy_cert_path/privkey.pem" "$certs_path/$service"
 fi
 section "Testing nginx conf"
 run nginx -t -c /etc/nginx/new_nginx.conf
 if [ "$noreload" == false ] ; then
 	restart_nginx.sh
 fi
 section "Cleaning"
 if [ -z "$(ls -A "$DATA_DIR")" ] ; then
 	run rmdir "$DATA_DIR"
 fi
 if [ -z "$(ls -A "$HTTP_DIR")" ] ; then
 	run rmdir "$HTTP_DIR"
 fi
--- a/provisioning/roles/deploy_all/files/bin/deployer.sh
+++ b/provisioning/roles/deploy_all/files/bin/deployer.sh
@ -4,51 +4,29 @@ driglibash_run_retry=true
 . driglibash-base
 set -euo pipefail
 run gen_env.sh
 ###############################################################################
 #                       Variables
 ###############################################################################
-proxy_dir="/etc/nginx"
+export proxy_dir="/etc/nginx"
-nginx_conf_path="$proxy_dir/sites-enabled"
+export nginx_conf_path="$proxy_dir/sites-enabled"
-new_nginx_conf_path="$proxy_dir/new-sites-enabled"
+export new_nginx_conf_path="$proxy_dir/new-sites-enabled"
-certs_path="/etc/letsencrypt/live"
+export certs_path="/etc/letsencrypt/live"
-dummy_cert_path="$certs_path/dummy"
+export dummy_cert_path="$certs_path/dummy"
 ###############################################################################
 #                       Helpers
 ###############################################################################
 # Returns the public IP4 address of a domain name
 function ipof {
 	resolv.sh "$1"
 }
 function jcservice {
 	if [ "$#" -ne 2 ] ; then
 		echo "usage: $0 <action> <service>"
 		echo "action is start/stop/reload/restart"
 		echo "service is a jc service name"
 		exit 1
 	fi
 	action="$1"
 	service="$2"
 	if [ -f "/docker/$service/install.sh" ] ; then
 	    section "Running install script"
 		. "/docker/$service/install.sh"
 		# Is $action a bash function?
 		if [ -n "$(LC_ALL=C type "$action" | head -n 1 | grep 'function')" ] ; then
 			"$action"
 		fi
 		unset -f start stop reload restart "$action"
 	fi
 }
 # Path to this directory
 here="$(where 'follow_links')"
 # Ip4 address
-my_ip="$(ipof "$(cat /etc/hostname)")"
+#my_ip="$(resolv.sh "$(cat /etc/hostname)")"
 my_ip="$(curl -4 ifconfig.me 2>/dev/null)"
 [ -z "$my_ip" ] && yell "Unable to find my IP" && exit 1
@ -57,7 +35,7 @@ my_ip="$(ipof "$(cat /etc/hostname)")"
 ###############################################################################
 driglibash_section_prefix="[Prepare nginx] "
-section "Delete new conf directory (to recover)"
+section "Delete new conf directory (to start from scratch)"
 run rm -rf "$new_nginx_conf_path"
 section "Create new conf file (for tests purposes)"
@ -85,121 +63,22 @@ run mkdir -p "$new_nginx_conf_path"
 #                       Deploy services
 ###############################################################################
 section "Start docker"
 run systemctl start docker docker.socket
 section "Deploy mandatory services"
 deploy_service.sh deployer.jean-cloud.org noreload
 for dir in /docker/* ; do
    service="$(basename "$dir")"
    # Ignore _ prefixed directories
    [ "${service::1}" == '_' ] && continue
    [ ! -d "$dir" ] && continue
-
+	[[ "$(resolv.sh $service)" != *$my_ip* ]] && continue
-    docker_service="$(echo "$service" | tr '.' '_')"
+    deploy_service.sh "$service" "noreload"
    driglibash_section_prefix="[$service] "
 	export DATA_DIR="/data/$service"
 	export HTTP_DIR="/srv/http/$service"
 	export JC_SERVICE="$service"
 	line_in_file "HTTP_DIR='$HTTP_DIR'" "/docker/$service/.env"
 	line_in_file "DATA_DIR='$DATA_DIR'" "/docker/$service/.env"
 	line_in_file "JC_SERVICE='$JC_SERVICE'" "/docker/$service/.env"
    cd "/docker/$service"
    # Is service meant to be on this server?
    ip="$(ipof "$service")"
 	[ -z "$ip" ] && echo "No ip found for $service"
    if [[ "$ip" != *"$my_ip"* ]] ; then
        if [ -n "$(docker ps | grep "$docker_service")" ] ; then
    	    section "--------------------"
            section "Removing service"
            docker-compose down --rmi all --remove-orphans
 			[ -d "$HTTP_DIR" ] && rm -r "$HTTP_DIR"
        fi
 		jcservice stop "$service"
 		# TODO check for leftover wg interfaces
        continue
    fi
 	mkdir -p "$DATA_DIR" "$HTTP_DIR"
    # If there is a docker-compose file and it has services in it
    if [ -f "/docker/$service/docker-compose.yml" ] && [ -n "$(grep  '^[^#]*services' "/docker/$service/docker-compose.yml")" ] ; then
    	section "-------------------- $service"
        section "Logging to registry"
        # XXX Login to docker registry
        section "Pulling images"
        run docker-compose pull
        section "Starting service"
        run docker-compose up -d --remove-orphans
    fi
 	jcservice start "$service"
 	# If there is a wireguard vpn script
 	for file in "/docker/$service/"wg-*.sh ; do
        section "Starting wg interface"
 		if [ -x "$file" ] ; then
 			wgif="$(basename "$file")"
 			wgif="${wgif:3:-3}"
 			"$file" $wgif > "/etc/wireguard/$wgif.conf"
 			systemctl enable "wg-quick@$wgif"
 			startwg.sh $wgif
 		fi
 	done
    # If there is a nginx conf file
    if [ -f "/docker/$service/nginx_server.conf" ] ; then
        section "Copy nginx conf"
        run cp "/docker/$service/nginx_server.conf" "$new_nginx_conf_path/$service"
        section "Template nginx conf with vars from '.env' file"
 		run template.sh "/docker/$service/.env" < "/docker/$service/nginx_server.conf" > "$new_nginx_conf_path/$service"
    fi
    # Do we need dummy cert?
    if [ ! -e "$certs_path/$service/fullchain.pem" ] ; then
        section "Create cert dir"
        run mkdir -p "$certs_path/$service"
        section "Link dummy to cert"
        run ln -s "$dummy_cert_path/fullchain.pem" "$certs_path/$service"
        run ln -s "$dummy_cert_path/privkey.pem" "$certs_path/$service"
    fi
    section "Testing nginx conf"
    run nginx -t -c /etc/nginx/new_nginx.conf
 done
-###############################################################################
+restart_nginx.sh
 #                       Nginx restart
 ###############################################################################
 driglibash_section_prefix="[Restart nginx] "
 section "Test if nginx conf is ok"
 run nginx -t -c "$proxy_dir/new_nginx.conf"
 section "Update nginx conf"
 run rm -rf "$nginx_conf_path"
 run mv "$new_nginx_conf_path" "$nginx_conf_path"
 run cp "/docker/_proxy/nginx.conf" "$proxy_dir/nginx.conf"
 section "Test nginx conf to be sure"
 run nginx -t
 if [ -z "$(cat /var/run/nginx.pid)" ] ; then
    section "Start nginx"
    run nginx
 else
    section "Reload nginx"
    run nginx -s reload
 fi
 clean
--- a/provisioning/roles/deploy_all/files/bin/driglibash-base
+++ b/provisioning/roles/deploy_all/files/bin/driglibash-base
@ -48,11 +48,11 @@ section(){
  fi
  repeat '=' "$left"
  echo -ne " $text "
  if [ "$right" -ge 1 ] ; then
    echo -ne " $text "
    repeat '=' "$right"
    echo
  fi
  echo
  if "$driglibash_step_by_step" ; then
    echo "Press enter to proceed"
--- a/provisioning/roles/deploy_all/files/bin/gen_env.sh
+++ b/provisioning/roles/deploy_all/files/bin/gen_env.sh
@ -0,0 +1,28 @@
 #!/bin/bash
 set -euo pipefail
 . driglibash-base
 JC_ENV=/etc/jeancloud.env
 certs_path=/etc/letsencrypt/live
 proxy_dir=/etc/nginx
 cat > "$JC_ENV" <<EOF
 my_ip=$(resolv.sh "$(cat /etc/hostname)")
 proxy_dir='$proxy_dir'
 nginx_conf_path='$proxy_dir/sites-enabled'
 new_nginx_conf_path='$proxy_dir/new-sites-enabled'
 certs_path='$certs_path'
 dummy_cert_path='$certs_path/dummy'
 EOF
 for dir in /docker/* ; do
 	service="$(basename "$dir")"
    [ ! -d "$dir" ] && continue    
 	line_in_file "HTTP_DIR='/srv/http/$service'" "/docker/$service/.env"
 	line_in_file "DATA_DIR='/data/$service'" "/docker/$service/.env"
 	line_in_file "DOCKER_DIR='/docker/$service'" "/docker/$service/.env"
 	line_in_file "JC_SERVICE='$service'" "/docker/$service/.env"
 done
--- a/provisioning/roles/deploy_all/files/bin/git_update.sh
+++ b/provisioning/roles/deploy_all/files/bin/git_update.sh
@ -0,0 +1,42 @@
 #!/bin/bash
 declare -A usage
 declare -A varia
 summary="$0 [options] <repo>"
 usage[b]="Branch of git repo"
 varia[b]=branch
 branch=master
 usage[d]="Destination of clone"
 varia[d]=dst
 dst='.'
 usage[i]="privkey used to ssh pull"
 varia[i]=privkey
 privkey=''
 . driglibash-args
 # Some SSH options
 ssh_opt='ssh'
 if [ -n "$privkey" ] ; then
 	ssh_opt="$ssh_opt -i $privkey"
 fi
 repo="$1"
 if [ -z "$repo" ] ; then
 	die "$0: Empty repo given\n$summary"
 fi
 cd "$dst"
 if [ -d .git ] ; then
    git reset --hard HEAD && git pull --depth 1 --ff-only --rebase --config core.sshCommand="$ssh_opt"
    git submodule update --recursive --remote --recommend-shallow
 else
    git clone --single-branch --recurse-submodules --shallow-submodules --depth 1 --config core.sshCommand="$ssh_opt" "$repo" .
 fi
--- a/provisioning/roles/deploy_all/files/bin/hugo_rclone.sh
+++ b/provisioning/roles/deploy_all/files/bin/hugo_rclone.sh
@ -0,0 +1,14 @@
 #!/bin/bash
 set -euo pipefail
 . "$DOCKER_DIR/.env"
 . "$DATA_DIR/.env"
 webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')"    
 webdav_user="$(echo "$NC_SHARE_LINK"  |sed 's#.*/s/##')"    
 webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")"    
 git_update.sh "$GIT_SOURCE_REPO"    
 rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" --      webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: "$CLOUD_LOCAL_PATH"
 hugo    
--- a/provisioning/roles/deploy_all/files/bin/jcservice.sh
+++ b/provisioning/roles/deploy_all/files/bin/jcservice.sh
@ -0,0 +1,22 @@
 #!/bin/bash
 . driglibash-base
 if [ "$#" -ne 2 ] ; then
    echo "usage: $0 <action> <service>"
    echo "action is start/stop/reload/restart"
    echo "service is a jc service name"
    exit 1
 fi
 action="$1"
 service="$2"
 if [ -f "/docker/$service/install.sh" ] ; then
    section "Running install script"
    . "/docker/$service/install.sh"
    # Is $action a bash function?
    if [ -n "$(LC_ALL=C type "$action" | head -n 1 | grep 'function')" ] ; then
        (source "/docker/$service/.env" && "$action")
 	else
 		die "$0 no action $action found for service $service"
    fi
 fi
--- a/provisioning/roles/deploy_all/files/bin/restart_nginx.sh
+++ b/provisioning/roles/deploy_all/files/bin/restart_nginx.sh
@ -0,0 +1,24 @@
 #!/bin/bash
 . driglibash-base
 . /etc/jeancloud.env
 driglibash_section_prefix="[Restart nginx] "
 section "Test if nginx conf is ok"
 run nginx -t -c "$proxy_dir/new_nginx.conf"
 section "Update nginx conf"
 run rm -rf "$nginx_conf_path"
 run cp -r "$new_nginx_conf_path" "$nginx_conf_path"
 run cp "/docker/_proxy/nginx.conf" "$proxy_dir/nginx.conf"
 section "Test nginx conf to be sure"
 run nginx -t
 if [ -z "$(cat /var/run/nginx.pid)" ] ; then
    section "Start nginx"
    run nginx
 else
    section "Reload nginx"
    run nginx -s reload
 fi
--- a/provisioning/roles/deploy_all/files/bind/db.etrevivant.net
+++ b/provisioning/roles/deploy_all/files/bind/db.etrevivant.net
@ -1,6 +1,6 @@
 $TTL    604800
-@       IN      SOA     max.jean-cloud.org. contact.jean-cloud.org. (
+@       IN      SOA     tetede.jean-cloud.org. contact.jean-cloud.org. (
-                    2023062300          ; Serial
+                    2023082700          ; Serial
                          7200          ; Refresh
                          7200          ; Retry
                        2419200         ; Expire
@ -23,6 +23,8 @@ _dmarc 86400 IN TXT v=DMARC1; p=quarantine;
 ; web
-@						IN		A		51.255.33.248
+@						IN		A		51.195.40.128
-@						IN		A		82.65.204.254
+@						IN		A		109.18.84.200
 www						IN		A		51.195.40.128
 www						IN		A		109.18.84.200
--- a/provisioning/roles/deploy_all/files/bind/db.jean-cloud.net
+++ b/provisioning/roles/deploy_all/files/bind/db.jean-cloud.net
@ -1,13 +1,13 @@
 $TTL    604800
-@       IN      SOA     max.jean-cloud.org. contact.jean-cloud.org. (
+@       IN      SOA     tetede.jean-cloud.org. contact.jean-cloud.org. (
-                    2023061500          ; Serial
+                    2023082700          ; Serial
                          7200          ; Refresh
                          7200          ; Retry
                        2419200         ; Expire
                         7200 ) ; Negative Cache TTL
 ; NS
-@                       IN      NS      max.jean-cloud.org.
+;@                       IN      NS      max.jean-cloud.org.
@                       IN      NS      tetede.jean-cloud.org.
@                       IN      NS      ns1.he.net.
@                       IN      NS      ns2.he.net.
@ -16,7 +16,7 @@ $TTL    604800
@                       IN      NS      ns5.he.net.
@						IN		A		51.255.33.248
-@						IN		A		82.65.204.254
+@						IN		A		109.18.84.200
@ 10800 IN MX 10 spool.mail.gandi.net.
@ -26,7 +26,7 @@ $TTL    604800
 ; Resolving nameserver
 ns2                       IN      A       51.255.33.248
-ns1                       IN      A       82.65.204.254
+;ns1                       IN      A       82.65.204.254
 ;mail                                   IN      CNAME   vandamme
 webmail                         IN      CNAME   vandamme
@ -49,8 +49,8 @@ tetede                          IN      A       51.195.40.128
 heart							IN		A		109.18.84.200
-max                             IN      A       82.65.204.254
+;max                             IN      A       82.65.204.254
-max                             IN      AAAA    2a01:e0a:c9d:81d0:a2b3:ccff:fe85:af97
+;max                             IN      AAAA    2a01:e0a:c9d:81d0:a2b3:ccff:fe85:af97
 montbonnot                      IN      A       188.114.97.2
 montbonnot                      IN      A       188.114.96.2
@ -129,17 +129,18 @@ tracker                         IN      CNAME   tetede.jean-cloud.org.
 raplacgr                        IN      CNAME   tetede.jean-cloud.org.
 walou                           IN      CNAME   dumbcluster.jean-cloud.org.
 nc-backup                       IN      CNAME   blatte.jean-cloud.org.
 gypsy                           IN      CNAME   tetede.jean-cloud.org.
 shlago.wireguard.jean-cloud.net IN      CNAME   tetede.jean-cloud.org.
-lexicographe					IN		CNAME	max.jean-cloud.org.
+lexicographe					IN		CNAME	tetede.jean-cloud.org.
 chahut							IN		CNAME	max.jean-cloud.org.
 www.chahut						IN		CNAME	max.jean-cloud.org.
 wordpress.chahut				IN		CNAME	max.jean-cloud.org.
 www.wordpress.chahut			IN		CNAME	max.jean-cloud.org.
 grapes.chahut					IN		CNAME	max.jean-cloud.org.
 louixel							IN		CNAME	raku.jean-cloud.org.
--- a/provisioning/roles/deploy_all/files/bind/db.jean-cloud.org
+++ b/provisioning/roles/deploy_all/files/bind/db.jean-cloud.org
@ -1,6 +1,6 @@
 $TTL    604800
-@       IN      SOA     max.jean-cloud.org. contact.jean-cloud.org. (
+@       IN      SOA     tetede.jean-cloud.org. contact.jean-cloud.org. (
-                     2023061500         ; Serial
+                     2023082700         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
@ -9,12 +9,12 @@ $TTL    604800
@                       IN      NS      max
@                       IN      NS      tetede
@                       IN      A       109.18.84.200
@                       IN      A       51.255.33.248
@                       IN      A       82.65.204.254
 ; NS
 ;ns1                     IN      CNAME   vandamme
-ns2                     IN      A   82.65.204.254
+;ns2                     IN      A   82.65.204.254
 ns3                     IN      A   51.195.40.128
 ; Mails
@ -46,8 +46,8 @@ tetede                          IN      AAAA    2001:41d0:701:1100::31f
 heart                           IN      A       109.18.84.200
-max                             IN      A       82.65.204.254
+max                             IN      A       109.18.84.200
-max                             IN      AAAA    2a01:e0a:c9d:81d0:a2b3:ccff:fe85:af97
+;max                             IN      AAAA    2a01:e0a:c9d:81d0:a2b3:ccff:fe85:af97
 montbonnot                      IN      A       188.114.97.2
 montbonnot                      IN      A       188.114.96.2
@ -55,3 +55,7 @@ montbonnot                      IN      AAAA    2a06:98c1:3120::2
 montbonnot                      IN      AAAA    2a06:98c1:3121::2
 blatte							IN		A		10.98.1.2
 ;raku							IN		A		37.65.25.194
 raku							IN		AAAA	2a02:842a:39a:4d01:b283:feff:fe4c:5dee
--- a/provisioning/roles/deploy_all/files/bind/db.karnaval.fr
+++ b/provisioning/roles/deploy_all/files/bind/db.karnaval.fr
@ -15,7 +15,7 @@ $TTL    604800
@                       IN      NS      ns4.he.net.
@                       IN      NS      ns5.he.net.
-@                       IN      A       82.65.204.254
+@                       IN      A       213.186.33.40
 ;@						IN		AAAA	2001:41d0:701:1100::31f
@ -23,6 +23,6 @@ $TTL    604800
 ns1                             IN      A       51.255.33.248
 ns2                             IN      A       172.104.154.21
-benevoles                       IN      CNAME		max.jean-cloud.org.
+;benevoles                       IN      CNAME		max.jean-cloud.org.
-benevoles31                     IN      CNAME       max.jean-cloud.org.
+;benevoles31                     IN      CNAME       max.jean-cloud.org.
--- a/provisioning/roles/deploy_all/files/bind/db.lalis.fr
+++ b/provisioning/roles/deploy_all/files/bind/db.lalis.fr
@ -1,15 +0,0 @@
 $TTL    604800
@       IN      SOA     ns1.jean-cloud.net. contact.jean-cloud.org. (
                     2023042100         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                           7200 )       ; Negative Cache TTL (min before refresh)
@                       IN      NS      ns1.jean-cloud.net.
@                       IN      NS      ns2.he.net.
@                       IN      NS      ns3.he.net.
@                       IN      NS      ns4.he.net.
@                       IN      NS      ns5.he.net.
@			IN	A	51.255.33.248
--- a/provisioning/roles/deploy_all/files/bind/db.oma-radio.fr
+++ b/provisioning/roles/deploy_all/files/bind/db.oma-radio.fr
@ -1,6 +1,6 @@
 $TTL    604800
-@       IN      SOA     max.jean-cloud.org. contact.jean-cloud.org. (
+@       IN      SOA     tetede.jean-cloud.org. contact.jean-cloud.org. (
-                     2023060100         ; Serial
+                     2023082700         ; Serial
                         604800         ; Refresh
                           7200         ; Retry
                        2419200         ; Expire
@ -8,7 +8,7 @@ $TTL    604800
 ; NS
-@                       IN      NS      max.jean-cloud.org.
+;@                       IN      NS      max.jean-cloud.org.
@                       IN      NS      tetede.jean-cloud.org.
--- a/provisioning/roles/deploy_all/files/bind/named.conf.local
+++ b/provisioning/roles/deploy_all/files/bind/named.conf.local
@ -58,11 +58,6 @@ zone "inurbe.fr"{
    type master;
    file "/etc/bind/db.inurbe.fr";
 };
 zone "lalis.fr"{
    allow-update { none; }; # We are primary DNS
    type master;
    file "/etc/bind/db.lalis.fr";
 };
 zone "leida.fr"{
    allow-update { none; }; # We are primary DNS
    type master;
--- a/provisioning/roles/deploy_all/tasks/main.yml
+++ b/provisioning/roles/deploy_all/tasks/main.yml
@ -8,11 +8,16 @@
    archive: false
    recursive: true
 - name: Add binaries
  ansible.posix.synchronize:
    src: "{{ role_path }}/files/bin/"
    dest: "/usr/local/bin"
 - name: Gen env vars
  command: gen_env.sh
 - name: Add bind conf
  ansible.posix.synchronize:
    src: "{{ role_path }}/files/bind/"
--- a/provisioning/roles/jean-cloud-common/tasks/main.yml
+++ b/provisioning/roles/jean-cloud-common/tasks/main.yml
@ -29,7 +29,7 @@
 - name: Install some softwares
  apt:
-      name: ['bind9', 'certbot', 'curl', 'dnsutils', 'git', 'gnupg2', 'htop', 'netcat-openbsd', 'nginx', 'rsync', 'screen', 'sshfs', 'sudo', 'traceroute', 'vim', 'wget', 'zip']
+      name: ['bind9', 'certbot', 'curl', 'dnsutils', 'git', 'gnupg2', 'htop', 'hugo', 'netcat-openbsd', 'nginx', 'podman', 'rclone', 'rsync', 'screen', 'sshfs', 'sudo', 'traceroute', 'vim', 'wget', 'zip']
      state: latest
 # TODO disable certbot and certbot.timer services. We are using our own
@ -40,6 +40,7 @@
    state: directory
  with_items:
    - /docker
    - /srv/http
    - /data
    - /etc/letsencrypt
@ -81,3 +82,12 @@
      HISTTIMEFORMAT="%Y%m%d-%T "
      export HISTSIZE HISTFILESIZE HISTTIMEFORMAT
 - name : Disable docker service
  service:
      name: "{{ item }}"
      state: stopped
      enabled: false
  with_items:
    - docker
    - docker.socket
--- a/readme.md
+++ b/readme.md
@ -18,13 +18,16 @@ Le script deployer.sh va pour chaque service
 - Démarrer docker-compose si besoin
 - Copier le fichier nginx.conf dans sites-enabled si besoin (en remplaçant certaines variables) (en créant un faux certificat ssl si besoin)
 - Démarrer et activer une interface wg si un fichier `wg-*.conf` est présent.
- Exécuter le script install.sh du service s’il existe
+- Exécuter le script deploy.sh du service s’il existe
 - Exécuter le script deploy_http.sh en tant que www-data s’il existe. Ce script peut également être éxécuter par nginx pour mettre à jour le site web.
 Le script letsencrypt.sh va renouveler tous les certificats dont le serveur a besoin (il va lire dans /etc/nginx/sites-enabled).
 ## Variables
 Le script deployer.sh crée les variables
 - DATA_DIR : là où sauvegarder des données
 - DOCKER_DIR : dossier contenant les fichiers de déploiement du service
 - HTTP_DIR : là où mettre les fichiers web si ils sont statiques. Ce dossier peut être détruit à tout moment, il n’est pas sauvegardé.
 - JC_SERVICE : le nom du dossier service. Correspond souvent à l’adresse du service.
 Ces variables sont ajoutées au ficher .env du service. (écrasées si existantes donc).
--- a/services/deployer.jean-cloud.org/deploy.sh
+++ b/services/deployer.jean-cloud.org/deploy.sh
@ -0,0 +1,2 @@
 #!/bin/bash
 chmod +x server.sh
--- a/services/deployer.jean-cloud.org/nginx_server.conf
+++ b/services/deployer.jean-cloud.org/nginx_server.conf
@ -1,12 +1,15 @@
 limit_req_zone global zone=deployer_limit:100k rate=3r/m;
 server {    
        listen 443;    
        listen [::]:443;    
 		server_name $SERVER_HOST;
        ssl_certificate /etc/letsencrypt/live/deployer.jean-cloud.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/deployer.jean-cloud.org/privkey.pem;           
-        location /reload {
+        location / {
-                fastcgi_param SCRIPT_FILENAME /var/www/html/test.sh;
+				limit_req zone=deployer_limit;
 			    include /etc/nginx/fastcgi_params;
                fastcgi_param SCRIPT_FILENAME /docker/deployer.jean-cloud.org/server.sh;
                fastcgi_pass unix:/var/run/fcgiwrap.socket;
        }
 }
--- a/services/deployer.jean-cloud.org/server.sh
+++ b/services/deployer.jean-cloud.org/server.sh
@ -0,0 +1,38 @@
 #!/bin/bash
 echo "Content-type: text/html"
 echo ""
 service="$(echo "$DOCUMENT_URI" | tr -d '/\;!&<>?#[]()"*')"
 path="/docker/$service/deploy_http.sh"
 . /etc/jeancloud.env
 echo '<html><head><title>Rechargement d’un site web</title><meta charset="utf-8" /></head>'
 echo '<body>'
 echo "<h2>Rechargement d’un site web : $service</h2>"
 echo "<h3> Résultat local</h3>"
 if [ -x "$path" ] ; then
 	echo "<pre>"
 	"$path"
 	ret="$?"
 	echo "</pre>"
 	if [ "$ret" -ne 0 ] ; then
 		echo '<p style="color:red;">Une erreur a été détectée. Contactez Jean-Cloud.</p>'
 	else
 		while read ip ; do
 			echo curl http://deployer.jean-cloud.org/ --resolve "*:80:$ip"
 			if [ "$?" -eq 0 ] ; then
 				echo "$ip ok"
 			else
 				echo "$ip ERREUR"
 			fi
 		done < <(getent hosts deployer.jean-cloud.org | cut -d ' ' -f 1 | grep -v "$my_ip")
 	fi
 	echo '<p>Les informations précédentes peuvent vous être utiles (erreurs dans un document, fichier absent…). Prenez le temps de les lire pour avoir un site dont toutes les pages fonctionnent !</p>'
 else
 	echo "<p>Échec. Contactez Jean-Cloud</p>"
 fi
 echo '</body>'
 echo '</html>
--- a/services/etrevivant.net/.env
+++ b/services/etrevivant.net/.env
@ -1 +1,2 @@
 GIT_SOURCE_REPO="https://git.jean-cloud.net/adrian/etrevivant"
 CLOUD_LOCAL_PATH=content
--- a/services/etrevivant.net/deploy_http.sh
+++ b/services/etrevivant.net/deploy_http.sh
@ -0,0 +1,18 @@
 #!/bin/bash
 set -euo pipefail
 . /docker/etrevivant.net/.env
 . /data/etrevivant.net/.env
 webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')"
 webdav_user="$(echo "$NC_SHARE_LINK"  |sed 's#.*/s/##')"
 webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")"
 cd "$HTTP_DIR"
 if [ -d .git ] ; then
 	git reset --hard origin/master
 	git pull --depth 1 --rebase
 else
 	git clone --single-branch --depth 1 "$GIT_SOURCE_REPO" .
 fi
 rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: content/
 hugo
--- a/services/etrevivant.net/install.sh
+++ b/services/etrevivant.net/install.sh
@ -1,25 +0,0 @@
 #!/bin/bash
 set -euo pipefail
 start() {
 	. /docker/etrevivant.net/.env
 	. /data/etrevivant.net/.env
 	webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')"
 	webdav_user="$(echo "$NC_SHARE_LINK"  |sed 's#.*/s/##')"
 	webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")"
 	sudo -u www-data bash <<EOF
 		set -euo pipefail
 		cd "$HTTP_DIR"
 		[ -d .git ] || git clone --single-branch --depth 1 "$GIT_SOURCE_REPO" . || (git checkout -- * && git pull --depth 1)
 		rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: content/
 		hugo
 EOF
 }
 restart () {
 	start
 }
 stop () {
 	:
 }
--- a/services/grapes.chahut.jean-cloud.net/.env
+++ b/services/grapes.chahut.jean-cloud.net/.env
@ -0,0 +1,2 @@
 JC_NET=172.29.19
 GIT_SOURCE_REPO=https://git.jean-cloud.net/adrian/grapesjs
--- a/services/grapes.chahut.jean-cloud.net/deploy.sh
+++ b/services/grapes.chahut.jean-cloud.net/deploy.sh
@ -0,0 +1,6 @@
 #!/bin/bash
 set -euo pipefail
 mkdir -p "$HTTP_DIR"
 chown www-data:www-data "$HTTP_DIR"
 sudo -u www-data git_update.sh -d "$HTTP_DIR" "$GIT_SOURCE_REPO" 
--- a/services/grapes.chahut.jean-cloud.net/docker-compose.yml
+++ b/services/grapes.chahut.jean-cloud.net/docker-compose.yml
@ -0,0 +1,19 @@
 version: '3'
 services:
  json_server:
    image: jeancloud/json-server
    volumes:
      - "$DATA_DIR:/usr/lib/json-server"
    networks:
      default:
        ipv4_address: $JC_NET.100
    deploy:
      resources:
        limits:
          cpus: '0.50'
          memory: 100M
 networks:
  default:
    ipam:
      config:
        - subnet: $JC_NET.0/24
--- a/services/grapes.chahut.jean-cloud.net/nginx_server.conf
+++ b/services/grapes.chahut.jean-cloud.net/nginx_server.conf
@ -0,0 +1,35 @@
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  ssl_certificate /etc/letsencrypt/live/grapes.chahut.jean-cloud.net/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/grapes.chahut.jean-cloud.net/privkey.pem;
  server_name grapes.chahut.jean-cloud.net;
  root $HTTP_DIR;
  # Security headers
  # We can create a file with the base security headers and include it.
  # Will it be possible to overload them then ?
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
  #add_header Content-Security-Policy "default-src 'self' https://cdnjs.cloudflare.com/ajax/libs/font-awesome/ ;frame-ancestors 'none'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://cdnjs.cloudflare.com/ajax/libs/font-awesome/ ; img-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com/ajax/libs/font-awesome/ ; base-uri 'self'; form-action 'self';" always;
  add_header X-Content-Type-Options "nosniff";
  add_header X-Frame-Options SAMEORIGIN always;
  add_header X-XSS-Protection "1; mode=block" always;
  #add_header Referrer-Policy "strict-origin-when-cross-origin";
  add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';sync-xhr='https://mailer.jean-cloud.net';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';";
  auth_basic           "Mot de passe !";
  auth_basic_user_file $DATA_DIR/pass.txt;
  location / {
    index index.html;
    try_files $uri $uri/ =404;
  }
  location /projects {
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Proto https;
 	proxy_pass http://$JC_NET.100:3000;
    proxy_redirect off;
  }
 }
--- a/services/jean-cloud.net/deploy.sh
+++ b/services/jean-cloud.net/deploy.sh
@ -0,0 +1,3 @@
 #!/bin/bash
 podman run -i --rm -e GIT_SOURCE_REPO='https://git.jean-cloud.net/adrian/jean-cloud_website' -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder
--- a/services/jean-cloud.net/install.sh
+++ b/services/jean-cloud.net/install.sh
@ -1,14 +0,0 @@
 #!/bin/bash
 set -euo pipefail
 start() {
 	podman run -i --rm -e GIT_SOURCE_REPO='https://git.jean-cloud.net/adrian/jean-cloud_website' -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder
 }
 restart () {
 	start
 }
 stop () {
 	:
 }
--- a/services/jean-cloud.net/nginx_server.conf
+++ b/services/jean-cloud.net/nginx_server.conf
@ -10,7 +10,7 @@ server {
  # We can create a file with the base security headers and include it.
  # Will it be possible to overload them then ?
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-  add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self' https://unpkg.jean-cloud.net; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self' https://unpkg.jean-cloud.net; base-uri 'self'; form-action 'self' 'https://mailer.jean-cloud.net';" always;
+  add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self'; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self'; base-uri 'self'; form-action 'self';" always;
  add_header X-Content-Type-Options "nosniff";
  add_header X-Frame-Options SAMEORIGIN always;
  add_header X-XSS-Protection "1; mode=block" always;
--- a/services/lexicographe.jean-cloud.net/deploy.sh
+++ b/services/lexicographe.jean-cloud.net/deploy.sh
@ -0,0 +1,4 @@
 #!/bin/bash
 set -euo pipefail
 podman run -i --rm --env-file "$DATA_DIR/.env" -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder
--- a/services/lexicographe.jean-cloud.net/install.sh
+++ b/services/lexicographe.jean-cloud.net/install.sh
@ -1,16 +0,0 @@
 #!/bin/bash
 set -euo pipefail
 start() {
 	mkdir -p "$DATA_DIR/git"
 	podman pull docker.io/jeancloud/pelican-rclone-builder
 	podman run -i --rm --env-file "$DATA_DIR/.env" -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder
 }
 restart () {
 	start
 }
 stop () {
 	:
 }
--- a/services/list_ips.sh
+++ b/services/list_ips.sh
@ -1,2 +1,2 @@
 #!/bin/bash
-grep -ho '172.29.[^.]' . -r | sort -u
+grep -ho '172.29.[^.]\+' . -r | sort -u
--- a/services/pa1.studios.oma-radio.fr/wg-pa1.sh
+++ b/services/pa1.studios.oma-radio.fr/wg-pa1.sh
@ -15,10 +15,8 @@ Address = 10.100.1.254/32
 [Peer] # adrian
 PublicKey = 14yKNmSfD2lrWU+d/RJBPNvh9pZ/nW4bK27F9nTgvk0=
 AllowedIPs = 10.100.1.253/32
 PersistentKeepalive = 25
 [Peer] # Passerelle
 PublicKey = ZTKOW5DE8jPO8oMh5hAw/c1MQSlUaVxInMPz9Zdwzwo=
 AllowedIPs = 10.100.1.0/24,192.168.100.0/24
 PersistentKeepalive = 25
 "
--- a/services/radiodemo.oma-radio.fr/docker-compose.yml
+++ b/services/radiodemo.oma-radio.fr/docker-compose.yml
@ -1 +0,0 @@
 version: '3'
--- a/services/radiodemo.oma-radio.fr/nginx_server.conf
+++ b/services/radiodemo.oma-radio.fr/nginx_server.conf
@ -28,6 +28,7 @@ server {
    ssl_certificate_key /etc/letsencrypt/live/$RADIO_HOST/privkey.pem;
 	location / {
 		client_max_body_size 0;
 		proxy_pass http://$ENDPOINT;
 		proxy_set_header Host            $host;
    	proxy_set_header X-Forwarded-For $remote_addr;
--- a/services/radiodemo.oma-radio.fr/wg-radiodemo.sh
+++ b/services/radiodemo.oma-radio.fr/wg-radiodemo.sh
@ -24,10 +24,15 @@ PostDown = iptables -t nat -D PREROUTING -p tcp --dport $TELECOM_SERVER_PORT -j
 # packet masquerading
 PreUp = iptables -t nat -A POSTROUTING -o $wgif -j MASQUERADE
-PostDown = iptables -t nat -D POSTROUTING -o $wgif-j MASQUERADE
+PostDown = iptables -t nat -D POSTROUTING -o $wgif -j MASQUERADE
 # remote settings for the private server
 [Peer]
 PublicKey = 1YIpMhZGrZRnZPlrTjtCfjvXXGk8j0Ug2AfcHEtN/hE=
 AllowedIPs = 10.29.0.1/32,$NET.0/24
 # test separation PA
 [Peer]
 PublicKey = todo
 AllowedlIPs = 10.29.0.2
 "
`@ -1 +1,2 @@`
	`GIT_SOURCE_REPO="https://git.jean-cloud.net/adrian/etrevivant"`	`GIT_SOURCE_REPO="https://git.jean-cloud.net/adrian/etrevivant"`
		`CLOUD_LOCAL_PATH=content`
		`@ -0,0 +1,2 @@`
							`JC_NET=172.29.19`
							`GIT_SOURCE_REPO=https://git.jean-cloud.net/adrian/grapesjs`
		`@ -0,0 +1,3 @@`
							`#!/bin/bash`

							`podman run -i --rm -e GIT_SOURCE_REPO='https://git.jean-cloud.net/adrian/jean-cloud_website' -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder`
`@ -1,2 +1,2 @@`
	`#!/bin/bash`	`#!/bin/bash`
	`grep -ho '172.29.[^.]' . -r \| sort -u`	`grep -ho '172.29.[^.]\+' . -r \| sort -u`