new step for jean-cloud kind
This commit is contained in:
parent
269e2a1720
commit
90dd3bad64
@ -74,6 +74,9 @@ usage[I]="Interractive mode. Ask questions if needed."
|
||||
varia[I]=interractive
|
||||
interractive=false
|
||||
|
||||
usage[D]="Data Device. Will be encrypted."
|
||||
varia[D]=data_device
|
||||
data_device=
|
||||
|
||||
. driglibash-args
|
||||
|
||||
@ -181,7 +184,7 @@ echo "$repos" >> "$mnt/etc/apt/sources.list"
|
||||
run chroot "$mnt" <<EOF
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
apt-get update -q -y
|
||||
apt-get install -q -y $install
|
||||
apt-get install -q -y cryptsetup $install
|
||||
EOF
|
||||
# TODO watershed ?
|
||||
|
||||
@ -191,6 +194,11 @@ echo -e "$locale" > "$mnt/etc/locale.gen"
|
||||
chroot_run locale-gen
|
||||
|
||||
|
||||
if [ -n "$data_device" ] ; then
|
||||
section "Mounting data dir"
|
||||
cryptsetup create --type plain dmcrypt-jeancloud "$data_device"
|
||||
fi
|
||||
|
||||
|
||||
section "Configuring new system"
|
||||
uuid=$(blkid | grep "$root_device" | cut -d ' ' -f 2)
|
||||
@ -201,10 +209,12 @@ line_in_file "proc /proc proc defaults" "$mnt/etc/fstab"
|
||||
# Set hostname
|
||||
run echo "$hostname" > "$mnt/etc/hostname"
|
||||
|
||||
# Prenvent suspend on lid close
|
||||
line_in_file HandleLidSwitch=ignore /etc/systemd/logind.conf
|
||||
|
||||
# Fix path and remove noisy beep
|
||||
run cat > "$mnt/root/.bashrc" <<EOF
|
||||
PATH=$PATH:/usr/bin:/bin:/sbin:/usr/sbin:/sbin
|
||||
/usr/bin/setterm -blength 0
|
||||
EOF
|
||||
# Be sure this fucking beep is gone
|
||||
echo 'set bell-style none' >> "$mnt/etc/inputrc"
|
||||
@ -253,7 +263,7 @@ if [ -n "$(ls -A $secret_dir)" ]; then
|
||||
#die "Secret dir '$secret_dir' is not empty"
|
||||
yell "Secret dir is not empty. May erase key."
|
||||
fi
|
||||
run export HOSTNAME="$hostname" && ssh-keygen -b 4096 -f "$secret_dir/id_rsa" -P ''
|
||||
run export HOSTNAME="$hostname" && ssh-keygen -b 4096 -f "$secret_dir/id_rsa" -P '' -C "access@$hostname"
|
||||
run mkdir -p "$mnt/root/.ssh/"
|
||||
cat "$secret_dir/id_rsa.pub" >> "$mnt/root/.ssh/authorized_keys"
|
||||
chroot_run systemctl enable ssh
|
||||
|
156
provisioning/roles/deploy_all/files/bin/deploy_service.sh
Executable file
156
provisioning/roles/deploy_all/files/bin/deploy_service.sh
Executable file
@ -0,0 +1,156 @@
|
||||
#!/bin/bash
|
||||
. driglibash-base
|
||||
. /etc/jeancloud.env
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
noreload=false
|
||||
deploy=true
|
||||
if [ "$#" -ge 2 ] && [ "$2" = noreload ] ; then
|
||||
noreload=true
|
||||
elif [ "$#" -ge 3 ] && [ "$3" = undeploy ] ; then
|
||||
deploy=false
|
||||
else
|
||||
die "Usage: $0 <service> [no]reload [un]deploy"
|
||||
fi
|
||||
|
||||
|
||||
if [ -d "/docker/$1" ] ; then
|
||||
service="$1"
|
||||
elif [ -d "$1" ] && [[ "$service" = /docker/* ]] ; then
|
||||
service="$(basename "$1")"
|
||||
else
|
||||
die "/docker/$service not found"
|
||||
fi
|
||||
|
||||
if [ ! -d "$new_nginx_conf_path" ] ; then
|
||||
die "Can’t deploy service in degraded state. $new_nginx_conf_path dir is missing, please run deployer.sh first"
|
||||
fi
|
||||
|
||||
|
||||
docker_service="$(echo "$service" | tr '.' '_')"
|
||||
driglibash_section_prefix="[$service] "
|
||||
|
||||
cd "/docker/$service"
|
||||
[ -f .env ] && . .env
|
||||
|
||||
|
||||
###############################################################################
|
||||
# Useful directories
|
||||
###############################################################################
|
||||
|
||||
if "$deploy" ; then
|
||||
mkdir -p "$DATA_DIR" "$HTTP_DIR"
|
||||
# Try running podman as non-root first…
|
||||
chown www-data:www-data -R "$HTTP_DIR"
|
||||
else
|
||||
[ -d "$HTTP_DIR" ] && rm -r "$HTTP_DIR"
|
||||
fi
|
||||
|
||||
|
||||
###############################################################################
|
||||
# Run scripts
|
||||
###############################################################################
|
||||
|
||||
if "$deploy" ; then
|
||||
[ -x deploy.sh ] && ./deploy.sh
|
||||
[ -x deploy_http.sh ] && sudo -u www-data ./deploy_http.sh
|
||||
else
|
||||
[ -x undeploy.sh ] && ./undeploy.sh
|
||||
fi
|
||||
|
||||
|
||||
###############################################################################
|
||||
# Docker containers
|
||||
###############################################################################
|
||||
|
||||
# If there is a docker-compose file and it has services in it
|
||||
if [ -f "/docker/$service/docker-compose.yml" ] && [ -n "$(grep '^[^#]*services' "/docker/$service/docker-compose.yml")" ] ; then
|
||||
section "-------------------- $service"
|
||||
if $deploy ; then
|
||||
section "Logging to registry"
|
||||
# XXX Login to docker registry
|
||||
|
||||
section "Pulling images"
|
||||
run docker-compose pull
|
||||
|
||||
section "Starting service"
|
||||
run docker-compose up -d --remove-orphans
|
||||
else
|
||||
section "Removing containers"
|
||||
docker-compose down --rmi all --remove-orphans
|
||||
fi
|
||||
fi
|
||||
|
||||
if ! "$deploy" ; then
|
||||
section "Remove stray containers"
|
||||
while read container ; do
|
||||
echo "Removing $container"
|
||||
run docker rm "$container"
|
||||
done <<< "$(docker ps | grep "$docker_service" | cut -d ' ' -f 1)"
|
||||
fi
|
||||
|
||||
|
||||
|
||||
###############################################################################
|
||||
# wireguard interface
|
||||
###############################################################################
|
||||
|
||||
# If there is a wireguard vpn script
|
||||
for file in $( find "/docker/$service" -name "wg-*.sh") ; do
|
||||
section "Managing wg interface $(basename "$file")"
|
||||
if [ -x "$file" ] ; then
|
||||
wgif="$(basename "$file")"
|
||||
wgif="${wgif:3:-3}"
|
||||
"$file" $wgif > "/etc/wireguard/$wgif.conf"
|
||||
if "$deploy" ; then
|
||||
systemctl enable "wg-quick@$wgif"
|
||||
startwg.sh "$wgif"
|
||||
else
|
||||
if [ -z "$(ip a | grep "$wgif")" ] ; then
|
||||
wg-quick down "$wgif"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
|
||||
###############################################################################
|
||||
# Nginx conf
|
||||
###############################################################################
|
||||
|
||||
# If there is a nginx conf file
|
||||
if [ -f "/docker/$service/nginx_server.conf" ] ; then
|
||||
section "Copy nginx conf"
|
||||
run cp "/docker/$service/nginx_server.conf" "$new_nginx_conf_path/$service"
|
||||
|
||||
section "Template nginx conf with vars from '.env' file"
|
||||
run template.sh "/docker/$service/.env" < "/docker/$service/nginx_server.conf" > "$new_nginx_conf_path/$service"
|
||||
fi
|
||||
|
||||
# Do we need dummy cert?
|
||||
if [ ! -e "$certs_path/$service/fullchain.pem" ] ; then
|
||||
section "Create cert dir"
|
||||
run mkdir -p "$certs_path/$service"
|
||||
|
||||
section "Link dummy to cert"
|
||||
run ln -s "$dummy_cert_path/fullchain.pem" "$certs_path/$service"
|
||||
run ln -s "$dummy_cert_path/privkey.pem" "$certs_path/$service"
|
||||
fi
|
||||
|
||||
section "Testing nginx conf"
|
||||
run nginx -t -c /etc/nginx/new_nginx.conf
|
||||
|
||||
if [ "$noreload" == false ] ; then
|
||||
restart_nginx.sh
|
||||
fi
|
||||
|
||||
section "Cleaning"
|
||||
if [ -z "$(ls -A "$DATA_DIR")" ] ; then
|
||||
run rmdir "$DATA_DIR"
|
||||
fi
|
||||
if [ -z "$(ls -A "$HTTP_DIR")" ] ; then
|
||||
run rmdir "$HTTP_DIR"
|
||||
fi
|
||||
|
||||
|
@ -4,51 +4,29 @@ driglibash_run_retry=true
|
||||
. driglibash-base
|
||||
set -euo pipefail
|
||||
|
||||
run gen_env.sh
|
||||
|
||||
###############################################################################
|
||||
# Variables
|
||||
###############################################################################
|
||||
|
||||
proxy_dir="/etc/nginx"
|
||||
nginx_conf_path="$proxy_dir/sites-enabled"
|
||||
new_nginx_conf_path="$proxy_dir/new-sites-enabled"
|
||||
export proxy_dir="/etc/nginx"
|
||||
export nginx_conf_path="$proxy_dir/sites-enabled"
|
||||
export new_nginx_conf_path="$proxy_dir/new-sites-enabled"
|
||||
|
||||
certs_path="/etc/letsencrypt/live"
|
||||
dummy_cert_path="$certs_path/dummy"
|
||||
export certs_path="/etc/letsencrypt/live"
|
||||
export dummy_cert_path="$certs_path/dummy"
|
||||
|
||||
###############################################################################
|
||||
# Helpers
|
||||
###############################################################################
|
||||
|
||||
# Returns the public IP4 address of a domain name
|
||||
function ipof {
|
||||
resolv.sh "$1"
|
||||
}
|
||||
|
||||
function jcservice {
|
||||
if [ "$#" -ne 2 ] ; then
|
||||
echo "usage: $0 <action> <service>"
|
||||
echo "action is start/stop/reload/restart"
|
||||
echo "service is a jc service name"
|
||||
exit 1
|
||||
fi
|
||||
action="$1"
|
||||
service="$2"
|
||||
if [ -f "/docker/$service/install.sh" ] ; then
|
||||
section "Running install script"
|
||||
. "/docker/$service/install.sh"
|
||||
# Is $action a bash function?
|
||||
if [ -n "$(LC_ALL=C type "$action" | head -n 1 | grep 'function')" ] ; then
|
||||
"$action"
|
||||
fi
|
||||
unset -f start stop reload restart "$action"
|
||||
fi
|
||||
}
|
||||
|
||||
# Path to this directory
|
||||
here="$(where 'follow_links')"
|
||||
|
||||
# Ip4 address
|
||||
my_ip="$(ipof "$(cat /etc/hostname)")"
|
||||
#my_ip="$(resolv.sh "$(cat /etc/hostname)")"
|
||||
my_ip="$(curl -4 ifconfig.me 2>/dev/null)"
|
||||
[ -z "$my_ip" ] && yell "Unable to find my IP" && exit 1
|
||||
|
||||
|
||||
@ -57,7 +35,7 @@ my_ip="$(ipof "$(cat /etc/hostname)")"
|
||||
###############################################################################
|
||||
|
||||
driglibash_section_prefix="[Prepare nginx] "
|
||||
section "Delete new conf directory (to recover)"
|
||||
section "Delete new conf directory (to start from scratch)"
|
||||
run rm -rf "$new_nginx_conf_path"
|
||||
|
||||
section "Create new conf file (for tests purposes)"
|
||||
@ -85,121 +63,22 @@ run mkdir -p "$new_nginx_conf_path"
|
||||
# Deploy services
|
||||
###############################################################################
|
||||
|
||||
section "Start docker"
|
||||
run systemctl start docker docker.socket
|
||||
|
||||
section "Deploy mandatory services"
|
||||
deploy_service.sh deployer.jean-cloud.org noreload
|
||||
|
||||
for dir in /docker/* ; do
|
||||
service="$(basename "$dir")"
|
||||
# Ignore _ prefixed directories
|
||||
[ "${service::1}" == '_' ] && continue
|
||||
[ ! -d "$dir" ] && continue
|
||||
|
||||
docker_service="$(echo "$service" | tr '.' '_')"
|
||||
driglibash_section_prefix="[$service] "
|
||||
export DATA_DIR="/data/$service"
|
||||
export HTTP_DIR="/srv/http/$service"
|
||||
export JC_SERVICE="$service"
|
||||
line_in_file "HTTP_DIR='$HTTP_DIR'" "/docker/$service/.env"
|
||||
line_in_file "DATA_DIR='$DATA_DIR'" "/docker/$service/.env"
|
||||
line_in_file "JC_SERVICE='$JC_SERVICE'" "/docker/$service/.env"
|
||||
|
||||
cd "/docker/$service"
|
||||
|
||||
# Is service meant to be on this server?
|
||||
ip="$(ipof "$service")"
|
||||
[ -z "$ip" ] && echo "No ip found for $service"
|
||||
|
||||
if [[ "$ip" != *"$my_ip"* ]] ; then
|
||||
if [ -n "$(docker ps | grep "$docker_service")" ] ; then
|
||||
section "--------------------"
|
||||
section "Removing service"
|
||||
docker-compose down --rmi all --remove-orphans
|
||||
[ -d "$HTTP_DIR" ] && rm -r "$HTTP_DIR"
|
||||
fi
|
||||
|
||||
jcservice stop "$service"
|
||||
|
||||
# TODO check for leftover wg interfaces
|
||||
continue
|
||||
fi
|
||||
|
||||
mkdir -p "$DATA_DIR" "$HTTP_DIR"
|
||||
|
||||
|
||||
# If there is a docker-compose file and it has services in it
|
||||
if [ -f "/docker/$service/docker-compose.yml" ] && [ -n "$(grep '^[^#]*services' "/docker/$service/docker-compose.yml")" ] ; then
|
||||
section "-------------------- $service"
|
||||
|
||||
section "Logging to registry"
|
||||
# XXX Login to docker registry
|
||||
|
||||
section "Pulling images"
|
||||
run docker-compose pull
|
||||
|
||||
section "Starting service"
|
||||
run docker-compose up -d --remove-orphans
|
||||
fi
|
||||
|
||||
jcservice start "$service"
|
||||
|
||||
|
||||
# If there is a wireguard vpn script
|
||||
for file in "/docker/$service/"wg-*.sh ; do
|
||||
section "Starting wg interface"
|
||||
if [ -x "$file" ] ; then
|
||||
wgif="$(basename "$file")"
|
||||
wgif="${wgif:3:-3}"
|
||||
"$file" $wgif > "/etc/wireguard/$wgif.conf"
|
||||
systemctl enable "wg-quick@$wgif"
|
||||
startwg.sh $wgif
|
||||
fi
|
||||
done
|
||||
|
||||
|
||||
# If there is a nginx conf file
|
||||
if [ -f "/docker/$service/nginx_server.conf" ] ; then
|
||||
section "Copy nginx conf"
|
||||
run cp "/docker/$service/nginx_server.conf" "$new_nginx_conf_path/$service"
|
||||
|
||||
section "Template nginx conf with vars from '.env' file"
|
||||
run template.sh "/docker/$service/.env" < "/docker/$service/nginx_server.conf" > "$new_nginx_conf_path/$service"
|
||||
fi
|
||||
|
||||
# Do we need dummy cert?
|
||||
if [ ! -e "$certs_path/$service/fullchain.pem" ] ; then
|
||||
section "Create cert dir"
|
||||
run mkdir -p "$certs_path/$service"
|
||||
|
||||
section "Link dummy to cert"
|
||||
run ln -s "$dummy_cert_path/fullchain.pem" "$certs_path/$service"
|
||||
run ln -s "$dummy_cert_path/privkey.pem" "$certs_path/$service"
|
||||
fi
|
||||
|
||||
section "Testing nginx conf"
|
||||
run nginx -t -c /etc/nginx/new_nginx.conf
|
||||
[[ "$(resolv.sh $service)" != *$my_ip* ]] && continue
|
||||
deploy_service.sh "$service" "noreload"
|
||||
|
||||
done
|
||||
|
||||
###############################################################################
|
||||
# Nginx restart
|
||||
###############################################################################
|
||||
|
||||
driglibash_section_prefix="[Restart nginx] "
|
||||
|
||||
section "Test if nginx conf is ok"
|
||||
run nginx -t -c "$proxy_dir/new_nginx.conf"
|
||||
|
||||
section "Update nginx conf"
|
||||
run rm -rf "$nginx_conf_path"
|
||||
run mv "$new_nginx_conf_path" "$nginx_conf_path"
|
||||
run cp "/docker/_proxy/nginx.conf" "$proxy_dir/nginx.conf"
|
||||
|
||||
section "Test nginx conf to be sure"
|
||||
run nginx -t
|
||||
|
||||
if [ -z "$(cat /var/run/nginx.pid)" ] ; then
|
||||
section "Start nginx"
|
||||
run nginx
|
||||
else
|
||||
section "Reload nginx"
|
||||
run nginx -s reload
|
||||
fi
|
||||
restart_nginx.sh
|
||||
|
||||
clean
|
||||
|
@ -48,11 +48,11 @@ section(){
|
||||
fi
|
||||
|
||||
repeat '=' "$left"
|
||||
if [ "$right" -ge 1 ] ; then
|
||||
echo -ne " $text "
|
||||
if [ "$right" -ge 1 ] ; then
|
||||
repeat '=' "$right"
|
||||
echo
|
||||
fi
|
||||
echo
|
||||
|
||||
if "$driglibash_step_by_step" ; then
|
||||
echo "Press enter to proceed"
|
||||
|
28
provisioning/roles/deploy_all/files/bin/gen_env.sh
Executable file
28
provisioning/roles/deploy_all/files/bin/gen_env.sh
Executable file
@ -0,0 +1,28 @@
|
||||
#!/bin/bash
|
||||
set -euo pipefail
|
||||
|
||||
. driglibash-base
|
||||
|
||||
JC_ENV=/etc/jeancloud.env
|
||||
|
||||
certs_path=/etc/letsencrypt/live
|
||||
proxy_dir=/etc/nginx
|
||||
|
||||
cat > "$JC_ENV" <<EOF
|
||||
my_ip=$(resolv.sh "$(cat /etc/hostname)")
|
||||
proxy_dir='$proxy_dir'
|
||||
nginx_conf_path='$proxy_dir/sites-enabled'
|
||||
new_nginx_conf_path='$proxy_dir/new-sites-enabled'
|
||||
certs_path='$certs_path'
|
||||
dummy_cert_path='$certs_path/dummy'
|
||||
EOF
|
||||
|
||||
for dir in /docker/* ; do
|
||||
service="$(basename "$dir")"
|
||||
[ ! -d "$dir" ] && continue
|
||||
|
||||
line_in_file "HTTP_DIR='/srv/http/$service'" "/docker/$service/.env"
|
||||
line_in_file "DATA_DIR='/data/$service'" "/docker/$service/.env"
|
||||
line_in_file "DOCKER_DIR='/docker/$service'" "/docker/$service/.env"
|
||||
line_in_file "JC_SERVICE='$service'" "/docker/$service/.env"
|
||||
done
|
42
provisioning/roles/deploy_all/files/bin/git_update.sh
Executable file
42
provisioning/roles/deploy_all/files/bin/git_update.sh
Executable file
@ -0,0 +1,42 @@
|
||||
#!/bin/bash
|
||||
|
||||
declare -A usage
|
||||
declare -A varia
|
||||
|
||||
summary="$0 [options] <repo>"
|
||||
|
||||
usage[b]="Branch of git repo"
|
||||
varia[b]=branch
|
||||
branch=master
|
||||
|
||||
usage[d]="Destination of clone"
|
||||
varia[d]=dst
|
||||
dst='.'
|
||||
|
||||
usage[i]="privkey used to ssh pull"
|
||||
varia[i]=privkey
|
||||
privkey=''
|
||||
|
||||
|
||||
. driglibash-args
|
||||
|
||||
# Some SSH options
|
||||
ssh_opt='ssh'
|
||||
if [ -n "$privkey" ] ; then
|
||||
ssh_opt="$ssh_opt -i $privkey"
|
||||
fi
|
||||
|
||||
repo="$1"
|
||||
if [ -z "$repo" ] ; then
|
||||
die "$0: Empty repo given\n$summary"
|
||||
fi
|
||||
|
||||
cd "$dst"
|
||||
|
||||
if [ -d .git ] ; then
|
||||
git reset --hard HEAD && git pull --depth 1 --ff-only --rebase --config core.sshCommand="$ssh_opt"
|
||||
git submodule update --recursive --remote --recommend-shallow
|
||||
else
|
||||
git clone --single-branch --recurse-submodules --shallow-submodules --depth 1 --config core.sshCommand="$ssh_opt" "$repo" .
|
||||
fi
|
||||
|
14
provisioning/roles/deploy_all/files/bin/hugo_rclone.sh
Normal file
14
provisioning/roles/deploy_all/files/bin/hugo_rclone.sh
Normal file
@ -0,0 +1,14 @@
|
||||
#!/bin/bash
|
||||
set -euo pipefail
|
||||
|
||||
. "$DOCKER_DIR/.env"
|
||||
. "$DATA_DIR/.env"
|
||||
|
||||
webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')"
|
||||
webdav_user="$(echo "$NC_SHARE_LINK" |sed 's#.*/s/##')"
|
||||
webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")"
|
||||
|
||||
git_update.sh "$GIT_SOURCE_REPO"
|
||||
rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" -- webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: "$CLOUD_LOCAL_PATH"
|
||||
hugo
|
||||
|
22
provisioning/roles/deploy_all/files/bin/jcservice.sh
Executable file
22
provisioning/roles/deploy_all/files/bin/jcservice.sh
Executable file
@ -0,0 +1,22 @@
|
||||
#!/bin/bash
|
||||
|
||||
. driglibash-base
|
||||
|
||||
if [ "$#" -ne 2 ] ; then
|
||||
echo "usage: $0 <action> <service>"
|
||||
echo "action is start/stop/reload/restart"
|
||||
echo "service is a jc service name"
|
||||
exit 1
|
||||
fi
|
||||
action="$1"
|
||||
service="$2"
|
||||
if [ -f "/docker/$service/install.sh" ] ; then
|
||||
section "Running install script"
|
||||
. "/docker/$service/install.sh"
|
||||
# Is $action a bash function?
|
||||
if [ -n "$(LC_ALL=C type "$action" | head -n 1 | grep 'function')" ] ; then
|
||||
(source "/docker/$service/.env" && "$action")
|
||||
else
|
||||
die "$0 no action $action found for service $service"
|
||||
fi
|
||||
fi
|
24
provisioning/roles/deploy_all/files/bin/restart_nginx.sh
Executable file
24
provisioning/roles/deploy_all/files/bin/restart_nginx.sh
Executable file
@ -0,0 +1,24 @@
|
||||
#!/bin/bash
|
||||
. driglibash-base
|
||||
. /etc/jeancloud.env
|
||||
|
||||
driglibash_section_prefix="[Restart nginx] "
|
||||
|
||||
section "Test if nginx conf is ok"
|
||||
run nginx -t -c "$proxy_dir/new_nginx.conf"
|
||||
|
||||
section "Update nginx conf"
|
||||
run rm -rf "$nginx_conf_path"
|
||||
run cp -r "$new_nginx_conf_path" "$nginx_conf_path"
|
||||
run cp "/docker/_proxy/nginx.conf" "$proxy_dir/nginx.conf"
|
||||
|
||||
section "Test nginx conf to be sure"
|
||||
run nginx -t
|
||||
|
||||
if [ -z "$(cat /var/run/nginx.pid)" ] ; then
|
||||
section "Start nginx"
|
||||
run nginx
|
||||
else
|
||||
section "Reload nginx"
|
||||
run nginx -s reload
|
||||
fi
|
@ -1,6 +1,6 @@
|
||||
$TTL 604800
|
||||
@ IN SOA max.jean-cloud.org. contact.jean-cloud.org. (
|
||||
2023062300 ; Serial
|
||||
@ IN SOA tetede.jean-cloud.org. contact.jean-cloud.org. (
|
||||
2023082700 ; Serial
|
||||
7200 ; Refresh
|
||||
7200 ; Retry
|
||||
2419200 ; Expire
|
||||
@ -23,6 +23,8 @@ _dmarc 86400 IN TXT v=DMARC1; p=quarantine;
|
||||
|
||||
|
||||
; web
|
||||
@ IN A 51.255.33.248
|
||||
@ IN A 82.65.204.254
|
||||
@ IN A 51.195.40.128
|
||||
@ IN A 109.18.84.200
|
||||
|
||||
www IN A 51.195.40.128
|
||||
www IN A 109.18.84.200
|
||||
|
@ -1,13 +1,13 @@
|
||||
$TTL 604800
|
||||
@ IN SOA max.jean-cloud.org. contact.jean-cloud.org. (
|
||||
2023061500 ; Serial
|
||||
@ IN SOA tetede.jean-cloud.org. contact.jean-cloud.org. (
|
||||
2023082700 ; Serial
|
||||
7200 ; Refresh
|
||||
7200 ; Retry
|
||||
2419200 ; Expire
|
||||
7200 ) ; Negative Cache TTL
|
||||
|
||||
; NS
|
||||
@ IN NS max.jean-cloud.org.
|
||||
;@ IN NS max.jean-cloud.org.
|
||||
@ IN NS tetede.jean-cloud.org.
|
||||
@ IN NS ns1.he.net.
|
||||
@ IN NS ns2.he.net.
|
||||
@ -16,7 +16,7 @@ $TTL 604800
|
||||
@ IN NS ns5.he.net.
|
||||
|
||||
@ IN A 51.255.33.248
|
||||
@ IN A 82.65.204.254
|
||||
@ IN A 109.18.84.200
|
||||
|
||||
|
||||
@ 10800 IN MX 10 spool.mail.gandi.net.
|
||||
@ -26,7 +26,7 @@ $TTL 604800
|
||||
|
||||
; Resolving nameserver
|
||||
ns2 IN A 51.255.33.248
|
||||
ns1 IN A 82.65.204.254
|
||||
;ns1 IN A 82.65.204.254
|
||||
|
||||
;mail IN CNAME vandamme
|
||||
webmail IN CNAME vandamme
|
||||
@ -49,8 +49,8 @@ tetede IN A 51.195.40.128
|
||||
|
||||
heart IN A 109.18.84.200
|
||||
|
||||
max IN A 82.65.204.254
|
||||
max IN AAAA 2a01:e0a:c9d:81d0:a2b3:ccff:fe85:af97
|
||||
;max IN A 82.65.204.254
|
||||
;max IN AAAA 2a01:e0a:c9d:81d0:a2b3:ccff:fe85:af97
|
||||
|
||||
montbonnot IN A 188.114.97.2
|
||||
montbonnot IN A 188.114.96.2
|
||||
@ -129,17 +129,18 @@ tracker IN CNAME tetede.jean-cloud.org.
|
||||
|
||||
raplacgr IN CNAME tetede.jean-cloud.org.
|
||||
|
||||
walou IN CNAME dumbcluster.jean-cloud.org.
|
||||
|
||||
nc-backup IN CNAME blatte.jean-cloud.org.
|
||||
|
||||
gypsy IN CNAME tetede.jean-cloud.org.
|
||||
|
||||
shlago.wireguard.jean-cloud.net IN CNAME tetede.jean-cloud.org.
|
||||
|
||||
lexicographe IN CNAME max.jean-cloud.org.
|
||||
lexicographe IN CNAME tetede.jean-cloud.org.
|
||||
|
||||
chahut IN CNAME max.jean-cloud.org.
|
||||
www.chahut IN CNAME max.jean-cloud.org.
|
||||
wordpress.chahut IN CNAME max.jean-cloud.org.
|
||||
www.wordpress.chahut IN CNAME max.jean-cloud.org.
|
||||
grapes.chahut IN CNAME max.jean-cloud.org.
|
||||
|
||||
louixel IN CNAME raku.jean-cloud.org.
|
||||
|
@ -1,6 +1,6 @@
|
||||
$TTL 604800
|
||||
@ IN SOA max.jean-cloud.org. contact.jean-cloud.org. (
|
||||
2023061500 ; Serial
|
||||
@ IN SOA tetede.jean-cloud.org. contact.jean-cloud.org. (
|
||||
2023082700 ; Serial
|
||||
604800 ; Refresh
|
||||
86400 ; Retry
|
||||
2419200 ; Expire
|
||||
@ -9,12 +9,12 @@ $TTL 604800
|
||||
@ IN NS max
|
||||
@ IN NS tetede
|
||||
|
||||
@ IN A 109.18.84.200
|
||||
@ IN A 51.255.33.248
|
||||
@ IN A 82.65.204.254
|
||||
|
||||
; NS
|
||||
;ns1 IN CNAME vandamme
|
||||
ns2 IN A 82.65.204.254
|
||||
;ns2 IN A 82.65.204.254
|
||||
ns3 IN A 51.195.40.128
|
||||
|
||||
; Mails
|
||||
@ -46,8 +46,8 @@ tetede IN AAAA 2001:41d0:701:1100::31f
|
||||
|
||||
heart IN A 109.18.84.200
|
||||
|
||||
max IN A 82.65.204.254
|
||||
max IN AAAA 2a01:e0a:c9d:81d0:a2b3:ccff:fe85:af97
|
||||
max IN A 109.18.84.200
|
||||
;max IN AAAA 2a01:e0a:c9d:81d0:a2b3:ccff:fe85:af97
|
||||
|
||||
montbonnot IN A 188.114.97.2
|
||||
montbonnot IN A 188.114.96.2
|
||||
@ -55,3 +55,7 @@ montbonnot IN AAAA 2a06:98c1:3120::2
|
||||
montbonnot IN AAAA 2a06:98c1:3121::2
|
||||
|
||||
blatte IN A 10.98.1.2
|
||||
|
||||
|
||||
;raku IN A 37.65.25.194
|
||||
raku IN AAAA 2a02:842a:39a:4d01:b283:feff:fe4c:5dee
|
||||
|
@ -15,7 +15,7 @@ $TTL 604800
|
||||
@ IN NS ns4.he.net.
|
||||
@ IN NS ns5.he.net.
|
||||
|
||||
@ IN A 82.65.204.254
|
||||
@ IN A 213.186.33.40
|
||||
;@ IN AAAA 2001:41d0:701:1100::31f
|
||||
|
||||
|
||||
@ -23,6 +23,6 @@ $TTL 604800
|
||||
ns1 IN A 51.255.33.248
|
||||
ns2 IN A 172.104.154.21
|
||||
|
||||
benevoles IN CNAME max.jean-cloud.org.
|
||||
benevoles31 IN CNAME max.jean-cloud.org.
|
||||
;benevoles IN CNAME max.jean-cloud.org.
|
||||
;benevoles31 IN CNAME max.jean-cloud.org.
|
||||
|
||||
|
@ -1,15 +0,0 @@
|
||||
$TTL 604800
|
||||
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
|
||||
2023042100 ; Serial
|
||||
604800 ; Refresh
|
||||
86400 ; Retry
|
||||
2419200 ; Expire
|
||||
7200 ) ; Negative Cache TTL (min before refresh)
|
||||
|
||||
@ IN NS ns1.jean-cloud.net.
|
||||
@ IN NS ns2.he.net.
|
||||
@ IN NS ns3.he.net.
|
||||
@ IN NS ns4.he.net.
|
||||
@ IN NS ns5.he.net.
|
||||
|
||||
@ IN A 51.255.33.248
|
@ -1,6 +1,6 @@
|
||||
$TTL 604800
|
||||
@ IN SOA max.jean-cloud.org. contact.jean-cloud.org. (
|
||||
2023060100 ; Serial
|
||||
@ IN SOA tetede.jean-cloud.org. contact.jean-cloud.org. (
|
||||
2023082700 ; Serial
|
||||
604800 ; Refresh
|
||||
7200 ; Retry
|
||||
2419200 ; Expire
|
||||
@ -8,7 +8,7 @@ $TTL 604800
|
||||
|
||||
; NS
|
||||
|
||||
@ IN NS max.jean-cloud.org.
|
||||
;@ IN NS max.jean-cloud.org.
|
||||
@ IN NS tetede.jean-cloud.org.
|
||||
|
||||
|
||||
|
@ -58,11 +58,6 @@ zone "inurbe.fr"{
|
||||
type master;
|
||||
file "/etc/bind/db.inurbe.fr";
|
||||
};
|
||||
zone "lalis.fr"{
|
||||
allow-update { none; }; # We are primary DNS
|
||||
type master;
|
||||
file "/etc/bind/db.lalis.fr";
|
||||
};
|
||||
zone "leida.fr"{
|
||||
allow-update { none; }; # We are primary DNS
|
||||
type master;
|
||||
|
@ -8,11 +8,16 @@
|
||||
archive: false
|
||||
recursive: true
|
||||
|
||||
|
||||
- name: Add binaries
|
||||
ansible.posix.synchronize:
|
||||
src: "{{ role_path }}/files/bin/"
|
||||
dest: "/usr/local/bin"
|
||||
|
||||
- name: Gen env vars
|
||||
command: gen_env.sh
|
||||
|
||||
|
||||
- name: Add bind conf
|
||||
ansible.posix.synchronize:
|
||||
src: "{{ role_path }}/files/bind/"
|
||||
|
@ -29,7 +29,7 @@
|
||||
|
||||
- name: Install some softwares
|
||||
apt:
|
||||
name: ['bind9', 'certbot', 'curl', 'dnsutils', 'git', 'gnupg2', 'htop', 'netcat-openbsd', 'nginx', 'rsync', 'screen', 'sshfs', 'sudo', 'traceroute', 'vim', 'wget', 'zip']
|
||||
name: ['bind9', 'certbot', 'curl', 'dnsutils', 'git', 'gnupg2', 'htop', 'hugo', 'netcat-openbsd', 'nginx', 'podman', 'rclone', 'rsync', 'screen', 'sshfs', 'sudo', 'traceroute', 'vim', 'wget', 'zip']
|
||||
state: latest
|
||||
|
||||
# TODO disable certbot and certbot.timer services. We are using our own
|
||||
@ -40,6 +40,7 @@
|
||||
state: directory
|
||||
with_items:
|
||||
- /docker
|
||||
- /srv/http
|
||||
- /data
|
||||
- /etc/letsencrypt
|
||||
|
||||
@ -81,3 +82,12 @@
|
||||
HISTTIMEFORMAT="%Y%m%d-%T "
|
||||
export HISTSIZE HISTFILESIZE HISTTIMEFORMAT
|
||||
|
||||
|
||||
- name : Disable docker service
|
||||
service:
|
||||
name: "{{ item }}"
|
||||
state: stopped
|
||||
enabled: false
|
||||
with_items:
|
||||
- docker
|
||||
- docker.socket
|
||||
|
@ -18,13 +18,16 @@ Le script deployer.sh va pour chaque service
|
||||
- Démarrer docker-compose si besoin
|
||||
- Copier le fichier nginx.conf dans sites-enabled si besoin (en remplaçant certaines variables) (en créant un faux certificat ssl si besoin)
|
||||
- Démarrer et activer une interface wg si un fichier `wg-*.conf` est présent.
|
||||
- Exécuter le script install.sh du service s’il existe
|
||||
- Exécuter le script deploy.sh du service s’il existe
|
||||
- Exécuter le script deploy_http.sh en tant que www-data s’il existe. Ce script peut également être éxécuter par nginx pour mettre à jour le site web.
|
||||
|
||||
Le script letsencrypt.sh va renouveler tous les certificats dont le serveur a besoin (il va lire dans /etc/nginx/sites-enabled).
|
||||
|
||||
## Variables
|
||||
Le script deployer.sh crée les variables
|
||||
- DATA_DIR : là où sauvegarder des données
|
||||
- DOCKER_DIR : dossier contenant les fichiers de déploiement du service
|
||||
- HTTP_DIR : là où mettre les fichiers web si ils sont statiques. Ce dossier peut être détruit à tout moment, il n’est pas sauvegardé.
|
||||
- JC_SERVICE : le nom du dossier service. Correspond souvent à l’adresse du service.
|
||||
Ces variables sont ajoutées au ficher .env du service. (écrasées si existantes donc).
|
||||
|
||||
|
2
services/deployer.jean-cloud.org/deploy.sh
Normal file
2
services/deployer.jean-cloud.org/deploy.sh
Normal file
@ -0,0 +1,2 @@
|
||||
#!/bin/bash
|
||||
chmod +x server.sh
|
@ -1,12 +1,15 @@
|
||||
limit_req_zone global zone=deployer_limit:100k rate=3r/m;
|
||||
|
||||
server {
|
||||
listen 443;
|
||||
listen [::]:443;
|
||||
server_name $SERVER_HOST;
|
||||
ssl_certificate /etc/letsencrypt/live/deployer.jean-cloud.org/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/deployer.jean-cloud.org/privkey.pem;
|
||||
location /reload {
|
||||
fastcgi_param SCRIPT_FILENAME /var/www/html/test.sh;
|
||||
location / {
|
||||
limit_req zone=deployer_limit;
|
||||
include /etc/nginx/fastcgi_params;
|
||||
fastcgi_param SCRIPT_FILENAME /docker/deployer.jean-cloud.org/server.sh;
|
||||
fastcgi_pass unix:/var/run/fcgiwrap.socket;
|
||||
}
|
||||
}
|
||||
|
38
services/deployer.jean-cloud.org/server.sh
Executable file
38
services/deployer.jean-cloud.org/server.sh
Executable file
@ -0,0 +1,38 @@
|
||||
#!/bin/bash
|
||||
echo "Content-type: text/html"
|
||||
echo ""
|
||||
|
||||
service="$(echo "$DOCUMENT_URI" | tr -d '/\;!&<>?#[]()"*')"
|
||||
path="/docker/$service/deploy_http.sh"
|
||||
. /etc/jeancloud.env
|
||||
|
||||
echo '<html><head><title>Rechargement d’un site web</title><meta charset="utf-8" /></head>'
|
||||
echo '<body>'
|
||||
echo "<h2>Rechargement d’un site web : $service</h2>"
|
||||
echo "<h3> Résultat local</h3>"
|
||||
if [ -x "$path" ] ; then
|
||||
echo "<pre>"
|
||||
"$path"
|
||||
ret="$?"
|
||||
echo "</pre>"
|
||||
if [ "$ret" -ne 0 ] ; then
|
||||
echo '<p style="color:red;">Une erreur a été détectée. Contactez Jean-Cloud.</p>'
|
||||
else
|
||||
while read ip ; do
|
||||
echo curl http://deployer.jean-cloud.org/ --resolve "*:80:$ip"
|
||||
if [ "$?" -eq 0 ] ; then
|
||||
echo "$ip ok"
|
||||
else
|
||||
echo "$ip ERREUR"
|
||||
fi
|
||||
done < <(getent hosts deployer.jean-cloud.org | cut -d ' ' -f 1 | grep -v "$my_ip")
|
||||
fi
|
||||
|
||||
echo '<p>Les informations précédentes peuvent vous être utiles (erreurs dans un document, fichier absent…). Prenez le temps de les lire pour avoir un site dont toutes les pages fonctionnent !</p>'
|
||||
else
|
||||
echo "<p>Échec. Contactez Jean-Cloud</p>"
|
||||
fi
|
||||
|
||||
echo '</body>'
|
||||
echo '</html>
|
||||
|
@ -1 +1,2 @@
|
||||
GIT_SOURCE_REPO="https://git.jean-cloud.net/adrian/etrevivant"
|
||||
CLOUD_LOCAL_PATH=content
|
||||
|
18
services/etrevivant.net/deploy_http.sh
Executable file
18
services/etrevivant.net/deploy_http.sh
Executable file
@ -0,0 +1,18 @@
|
||||
#!/bin/bash
|
||||
set -euo pipefail
|
||||
|
||||
. /docker/etrevivant.net/.env
|
||||
. /data/etrevivant.net/.env
|
||||
webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')"
|
||||
webdav_user="$(echo "$NC_SHARE_LINK" |sed 's#.*/s/##')"
|
||||
webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")"
|
||||
|
||||
cd "$HTTP_DIR"
|
||||
if [ -d .git ] ; then
|
||||
git reset --hard origin/master
|
||||
git pull --depth 1 --rebase
|
||||
else
|
||||
git clone --single-branch --depth 1 "$GIT_SOURCE_REPO" .
|
||||
fi
|
||||
rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: content/
|
||||
hugo
|
@ -1,25 +0,0 @@
|
||||
#!/bin/bash
|
||||
set -euo pipefail
|
||||
|
||||
start() {
|
||||
. /docker/etrevivant.net/.env
|
||||
. /data/etrevivant.net/.env
|
||||
webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')"
|
||||
webdav_user="$(echo "$NC_SHARE_LINK" |sed 's#.*/s/##')"
|
||||
webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")"
|
||||
sudo -u www-data bash <<EOF
|
||||
set -euo pipefail
|
||||
cd "$HTTP_DIR"
|
||||
[ -d .git ] || git clone --single-branch --depth 1 "$GIT_SOURCE_REPO" . || (git checkout -- * && git pull --depth 1)
|
||||
rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: content/
|
||||
hugo
|
||||
EOF
|
||||
}
|
||||
|
||||
restart () {
|
||||
start
|
||||
}
|
||||
|
||||
stop () {
|
||||
:
|
||||
}
|
2
services/grapes.chahut.jean-cloud.net/.env
Normal file
2
services/grapes.chahut.jean-cloud.net/.env
Normal file
@ -0,0 +1,2 @@
|
||||
JC_NET=172.29.19
|
||||
GIT_SOURCE_REPO=https://git.jean-cloud.net/adrian/grapesjs
|
6
services/grapes.chahut.jean-cloud.net/deploy.sh
Executable file
6
services/grapes.chahut.jean-cloud.net/deploy.sh
Executable file
@ -0,0 +1,6 @@
|
||||
#!/bin/bash
|
||||
set -euo pipefail
|
||||
|
||||
mkdir -p "$HTTP_DIR"
|
||||
chown www-data:www-data "$HTTP_DIR"
|
||||
sudo -u www-data git_update.sh -d "$HTTP_DIR" "$GIT_SOURCE_REPO"
|
19
services/grapes.chahut.jean-cloud.net/docker-compose.yml
Executable file
19
services/grapes.chahut.jean-cloud.net/docker-compose.yml
Executable file
@ -0,0 +1,19 @@
|
||||
version: '3'
|
||||
services:
|
||||
json_server:
|
||||
image: jeancloud/json-server
|
||||
volumes:
|
||||
- "$DATA_DIR:/usr/lib/json-server"
|
||||
networks:
|
||||
default:
|
||||
ipv4_address: $JC_NET.100
|
||||
deploy:
|
||||
resources:
|
||||
limits:
|
||||
cpus: '0.50'
|
||||
memory: 100M
|
||||
networks:
|
||||
default:
|
||||
ipam:
|
||||
config:
|
||||
- subnet: $JC_NET.0/24
|
35
services/grapes.chahut.jean-cloud.net/nginx_server.conf
Executable file
35
services/grapes.chahut.jean-cloud.net/nginx_server.conf
Executable file
@ -0,0 +1,35 @@
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
ssl_certificate /etc/letsencrypt/live/grapes.chahut.jean-cloud.net/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/grapes.chahut.jean-cloud.net/privkey.pem;
|
||||
server_name grapes.chahut.jean-cloud.net;
|
||||
root $HTTP_DIR;
|
||||
|
||||
# Security headers
|
||||
# We can create a file with the base security headers and include it.
|
||||
# Will it be possible to overload them then ?
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
#add_header Content-Security-Policy "default-src 'self' https://cdnjs.cloudflare.com/ajax/libs/font-awesome/ ;frame-ancestors 'none'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://cdnjs.cloudflare.com/ajax/libs/font-awesome/ ; img-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com/ajax/libs/font-awesome/ ; base-uri 'self'; form-action 'self';" always;
|
||||
add_header X-Content-Type-Options "nosniff";
|
||||
add_header X-Frame-Options SAMEORIGIN always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
#add_header Referrer-Policy "strict-origin-when-cross-origin";
|
||||
add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';sync-xhr='https://mailer.jean-cloud.net';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';";
|
||||
|
||||
auth_basic "Mot de passe !";
|
||||
auth_basic_user_file $DATA_DIR/pass.txt;
|
||||
|
||||
location / {
|
||||
index index.html;
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
|
||||
location /projects {
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_pass http://$JC_NET.100:3000;
|
||||
proxy_redirect off;
|
||||
|
||||
}
|
||||
}
|
3
services/jean-cloud.net/deploy.sh
Executable file
3
services/jean-cloud.net/deploy.sh
Executable file
@ -0,0 +1,3 @@
|
||||
#!/bin/bash
|
||||
|
||||
podman run -i --rm -e GIT_SOURCE_REPO='https://git.jean-cloud.net/adrian/jean-cloud_website' -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder
|
@ -1,14 +0,0 @@
|
||||
#!/bin/bash
|
||||
set -euo pipefail
|
||||
|
||||
start() {
|
||||
podman run -i --rm -e GIT_SOURCE_REPO='https://git.jean-cloud.net/adrian/jean-cloud_website' -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder
|
||||
}
|
||||
|
||||
restart () {
|
||||
start
|
||||
}
|
||||
|
||||
stop () {
|
||||
:
|
||||
}
|
@ -10,7 +10,7 @@ server {
|
||||
# We can create a file with the base security headers and include it.
|
||||
# Will it be possible to overload them then ?
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self' https://unpkg.jean-cloud.net; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self' https://unpkg.jean-cloud.net; base-uri 'self'; form-action 'self' 'https://mailer.jean-cloud.net';" always;
|
||||
add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self'; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self'; base-uri 'self'; form-action 'self';" always;
|
||||
add_header X-Content-Type-Options "nosniff";
|
||||
add_header X-Frame-Options SAMEORIGIN always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
|
4
services/lexicographe.jean-cloud.net/deploy.sh
Executable file
4
services/lexicographe.jean-cloud.net/deploy.sh
Executable file
@ -0,0 +1,4 @@
|
||||
#!/bin/bash
|
||||
set -euo pipefail
|
||||
|
||||
podman run -i --rm --env-file "$DATA_DIR/.env" -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder
|
@ -1,16 +0,0 @@
|
||||
#!/bin/bash
|
||||
set -euo pipefail
|
||||
|
||||
start() {
|
||||
mkdir -p "$DATA_DIR/git"
|
||||
podman pull docker.io/jeancloud/pelican-rclone-builder
|
||||
podman run -i --rm --env-file "$DATA_DIR/.env" -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder
|
||||
}
|
||||
|
||||
restart () {
|
||||
start
|
||||
}
|
||||
|
||||
stop () {
|
||||
:
|
||||
}
|
@ -1,2 +1,2 @@
|
||||
#!/bin/bash
|
||||
grep -ho '172.29.[^.]' . -r | sort -u
|
||||
grep -ho '172.29.[^.]\+' . -r | sort -u
|
||||
|
@ -15,10 +15,8 @@ Address = 10.100.1.254/32
|
||||
[Peer] # adrian
|
||||
PublicKey = 14yKNmSfD2lrWU+d/RJBPNvh9pZ/nW4bK27F9nTgvk0=
|
||||
AllowedIPs = 10.100.1.253/32
|
||||
PersistentKeepalive = 25
|
||||
|
||||
[Peer] # Passerelle
|
||||
PublicKey = ZTKOW5DE8jPO8oMh5hAw/c1MQSlUaVxInMPz9Zdwzwo=
|
||||
AllowedIPs = 10.100.1.0/24,192.168.100.0/24
|
||||
PersistentKeepalive = 25
|
||||
"
|
||||
|
@ -1 +0,0 @@
|
||||
version: '3'
|
@ -28,6 +28,7 @@ server {
|
||||
ssl_certificate_key /etc/letsencrypt/live/$RADIO_HOST/privkey.pem;
|
||||
|
||||
location / {
|
||||
client_max_body_size 0;
|
||||
proxy_pass http://$ENDPOINT;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
|
@ -30,4 +30,9 @@ PostDown = iptables -t nat -D POSTROUTING -o $wgif-j MASQUERADE
|
||||
[Peer]
|
||||
PublicKey = 1YIpMhZGrZRnZPlrTjtCfjvXXGk8j0Ug2AfcHEtN/hE=
|
||||
AllowedIPs = 10.29.0.1/32,$NET.0/24
|
||||
|
||||
# test separation PA
|
||||
[Peer]
|
||||
PublicKey = todo
|
||||
AllowedlIPs = 10.29.0.2
|
||||
"
|
||||
|
Loading…
Reference in New Issue
Block a user