new step for jean-cloud kind

This commit is contained in:
Adrian Amaglio 2023-08-28 20:25:32 +02:00
parent 269e2a1720
commit 90dd3bad64
39 changed files with 516 additions and 257 deletions

View File

@ -74,6 +74,9 @@ usage[I]="Interractive mode. Ask questions if needed."
varia[I]=interractive
interractive=false
usage[D]="Data Device. Will be encrypted."
varia[D]=data_device
data_device=
. driglibash-args
@ -181,7 +184,7 @@ echo "$repos" >> "$mnt/etc/apt/sources.list"
run chroot "$mnt" <<EOF
export DEBIAN_FRONTEND=noninteractive
apt-get update -q -y
apt-get install -q -y $install
apt-get install -q -y cryptsetup $install
EOF
# TODO watershed ?
@ -191,6 +194,11 @@ echo -e "$locale" > "$mnt/etc/locale.gen"
chroot_run locale-gen
if [ -n "$data_device" ] ; then
section "Mounting data dir"
cryptsetup create --type plain dmcrypt-jeancloud "$data_device"
fi
section "Configuring new system"
uuid=$(blkid | grep "$root_device" | cut -d ' ' -f 2)
@ -201,10 +209,12 @@ line_in_file "proc /proc proc defaults" "$mnt/etc/fstab"
# Set hostname
run echo "$hostname" > "$mnt/etc/hostname"
# Prenvent suspend on lid close
line_in_file HandleLidSwitch=ignore /etc/systemd/logind.conf
# Fix path and remove noisy beep
run cat > "$mnt/root/.bashrc" <<EOF
PATH=$PATH:/usr/bin:/bin:/sbin:/usr/sbin:/sbin
/usr/bin/setterm -blength 0
EOF
# Be sure this fucking beep is gone
echo 'set bell-style none' >> "$mnt/etc/inputrc"
@ -253,7 +263,7 @@ if [ -n "$(ls -A $secret_dir)" ]; then
#die "Secret dir '$secret_dir' is not empty"
yell "Secret dir is not empty. May erase key."
fi
run export HOSTNAME="$hostname" && ssh-keygen -b 4096 -f "$secret_dir/id_rsa" -P ''
run export HOSTNAME="$hostname" && ssh-keygen -b 4096 -f "$secret_dir/id_rsa" -P '' -C "access@$hostname"
run mkdir -p "$mnt/root/.ssh/"
cat "$secret_dir/id_rsa.pub" >> "$mnt/root/.ssh/authorized_keys"
chroot_run systemctl enable ssh

View File

@ -0,0 +1,156 @@
#!/bin/bash
. driglibash-base
. /etc/jeancloud.env
set -euo pipefail
noreload=false
deploy=true
if [ "$#" -ge 2 ] && [ "$2" = noreload ] ; then
noreload=true
elif [ "$#" -ge 3 ] && [ "$3" = undeploy ] ; then
deploy=false
else
die "Usage: $0 <service> [no]reload [un]deploy"
fi
if [ -d "/docker/$1" ] ; then
service="$1"
elif [ -d "$1" ] && [[ "$service" = /docker/* ]] ; then
service="$(basename "$1")"
else
die "/docker/$service not found"
fi
if [ ! -d "$new_nginx_conf_path" ] ; then
die "Cant deploy service in degraded state. $new_nginx_conf_path dir is missing, please run deployer.sh first"
fi
docker_service="$(echo "$service" | tr '.' '_')"
driglibash_section_prefix="[$service] "
cd "/docker/$service"
[ -f .env ] && . .env
###############################################################################
# Useful directories
###############################################################################
if "$deploy" ; then
mkdir -p "$DATA_DIR" "$HTTP_DIR"
# Try running podman as non-root first…
chown www-data:www-data -R "$HTTP_DIR"
else
[ -d "$HTTP_DIR" ] && rm -r "$HTTP_DIR"
fi
###############################################################################
# Run scripts
###############################################################################
if "$deploy" ; then
[ -x deploy.sh ] && ./deploy.sh
[ -x deploy_http.sh ] && sudo -u www-data ./deploy_http.sh
else
[ -x undeploy.sh ] && ./undeploy.sh
fi
###############################################################################
# Docker containers
###############################################################################
# If there is a docker-compose file and it has services in it
if [ -f "/docker/$service/docker-compose.yml" ] && [ -n "$(grep '^[^#]*services' "/docker/$service/docker-compose.yml")" ] ; then
section "-------------------- $service"
if $deploy ; then
section "Logging to registry"
# XXX Login to docker registry
section "Pulling images"
run docker-compose pull
section "Starting service"
run docker-compose up -d --remove-orphans
else
section "Removing containers"
docker-compose down --rmi all --remove-orphans
fi
fi
if ! "$deploy" ; then
section "Remove stray containers"
while read container ; do
echo "Removing $container"
run docker rm "$container"
done <<< "$(docker ps | grep "$docker_service" | cut -d ' ' -f 1)"
fi
###############################################################################
# wireguard interface
###############################################################################
# If there is a wireguard vpn script
for file in $( find "/docker/$service" -name "wg-*.sh") ; do
section "Managing wg interface $(basename "$file")"
if [ -x "$file" ] ; then
wgif="$(basename "$file")"
wgif="${wgif:3:-3}"
"$file" $wgif > "/etc/wireguard/$wgif.conf"
if "$deploy" ; then
systemctl enable "wg-quick@$wgif"
startwg.sh "$wgif"
else
if [ -z "$(ip a | grep "$wgif")" ] ; then
wg-quick down "$wgif"
fi
fi
fi
done
###############################################################################
# Nginx conf
###############################################################################
# If there is a nginx conf file
if [ -f "/docker/$service/nginx_server.conf" ] ; then
section "Copy nginx conf"
run cp "/docker/$service/nginx_server.conf" "$new_nginx_conf_path/$service"
section "Template nginx conf with vars from '.env' file"
run template.sh "/docker/$service/.env" < "/docker/$service/nginx_server.conf" > "$new_nginx_conf_path/$service"
fi
# Do we need dummy cert?
if [ ! -e "$certs_path/$service/fullchain.pem" ] ; then
section "Create cert dir"
run mkdir -p "$certs_path/$service"
section "Link dummy to cert"
run ln -s "$dummy_cert_path/fullchain.pem" "$certs_path/$service"
run ln -s "$dummy_cert_path/privkey.pem" "$certs_path/$service"
fi
section "Testing nginx conf"
run nginx -t -c /etc/nginx/new_nginx.conf
if [ "$noreload" == false ] ; then
restart_nginx.sh
fi
section "Cleaning"
if [ -z "$(ls -A "$DATA_DIR")" ] ; then
run rmdir "$DATA_DIR"
fi
if [ -z "$(ls -A "$HTTP_DIR")" ] ; then
run rmdir "$HTTP_DIR"
fi

View File

@ -4,51 +4,29 @@ driglibash_run_retry=true
. driglibash-base
set -euo pipefail
run gen_env.sh
###############################################################################
# Variables
###############################################################################
proxy_dir="/etc/nginx"
nginx_conf_path="$proxy_dir/sites-enabled"
new_nginx_conf_path="$proxy_dir/new-sites-enabled"
export proxy_dir="/etc/nginx"
export nginx_conf_path="$proxy_dir/sites-enabled"
export new_nginx_conf_path="$proxy_dir/new-sites-enabled"
certs_path="/etc/letsencrypt/live"
dummy_cert_path="$certs_path/dummy"
export certs_path="/etc/letsencrypt/live"
export dummy_cert_path="$certs_path/dummy"
###############################################################################
# Helpers
###############################################################################
# Returns the public IP4 address of a domain name
function ipof {
resolv.sh "$1"
}
function jcservice {
if [ "$#" -ne 2 ] ; then
echo "usage: $0 <action> <service>"
echo "action is start/stop/reload/restart"
echo "service is a jc service name"
exit 1
fi
action="$1"
service="$2"
if [ -f "/docker/$service/install.sh" ] ; then
section "Running install script"
. "/docker/$service/install.sh"
# Is $action a bash function?
if [ -n "$(LC_ALL=C type "$action" | head -n 1 | grep 'function')" ] ; then
"$action"
fi
unset -f start stop reload restart "$action"
fi
}
# Path to this directory
here="$(where 'follow_links')"
# Ip4 address
my_ip="$(ipof "$(cat /etc/hostname)")"
#my_ip="$(resolv.sh "$(cat /etc/hostname)")"
my_ip="$(curl -4 ifconfig.me 2>/dev/null)"
[ -z "$my_ip" ] && yell "Unable to find my IP" && exit 1
@ -57,7 +35,7 @@ my_ip="$(ipof "$(cat /etc/hostname)")"
###############################################################################
driglibash_section_prefix="[Prepare nginx] "
section "Delete new conf directory (to recover)"
section "Delete new conf directory (to start from scratch)"
run rm -rf "$new_nginx_conf_path"
section "Create new conf file (for tests purposes)"
@ -85,121 +63,22 @@ run mkdir -p "$new_nginx_conf_path"
# Deploy services
###############################################################################
section "Start docker"
run systemctl start docker docker.socket
section "Deploy mandatory services"
deploy_service.sh deployer.jean-cloud.org noreload
for dir in /docker/* ; do
service="$(basename "$dir")"
# Ignore _ prefixed directories
[ "${service::1}" == '_' ] && continue
[ ! -d "$dir" ] && continue
docker_service="$(echo "$service" | tr '.' '_')"
driglibash_section_prefix="[$service] "
export DATA_DIR="/data/$service"
export HTTP_DIR="/srv/http/$service"
export JC_SERVICE="$service"
line_in_file "HTTP_DIR='$HTTP_DIR'" "/docker/$service/.env"
line_in_file "DATA_DIR='$DATA_DIR'" "/docker/$service/.env"
line_in_file "JC_SERVICE='$JC_SERVICE'" "/docker/$service/.env"
cd "/docker/$service"
# Is service meant to be on this server?
ip="$(ipof "$service")"
[ -z "$ip" ] && echo "No ip found for $service"
if [[ "$ip" != *"$my_ip"* ]] ; then
if [ -n "$(docker ps | grep "$docker_service")" ] ; then
section "--------------------"
section "Removing service"
docker-compose down --rmi all --remove-orphans
[ -d "$HTTP_DIR" ] && rm -r "$HTTP_DIR"
fi
jcservice stop "$service"
# TODO check for leftover wg interfaces
continue
fi
mkdir -p "$DATA_DIR" "$HTTP_DIR"
# If there is a docker-compose file and it has services in it
if [ -f "/docker/$service/docker-compose.yml" ] && [ -n "$(grep '^[^#]*services' "/docker/$service/docker-compose.yml")" ] ; then
section "-------------------- $service"
section "Logging to registry"
# XXX Login to docker registry
section "Pulling images"
run docker-compose pull
section "Starting service"
run docker-compose up -d --remove-orphans
fi
jcservice start "$service"
# If there is a wireguard vpn script
for file in "/docker/$service/"wg-*.sh ; do
section "Starting wg interface"
if [ -x "$file" ] ; then
wgif="$(basename "$file")"
wgif="${wgif:3:-3}"
"$file" $wgif > "/etc/wireguard/$wgif.conf"
systemctl enable "wg-quick@$wgif"
startwg.sh $wgif
fi
done
# If there is a nginx conf file
if [ -f "/docker/$service/nginx_server.conf" ] ; then
section "Copy nginx conf"
run cp "/docker/$service/nginx_server.conf" "$new_nginx_conf_path/$service"
section "Template nginx conf with vars from '.env' file"
run template.sh "/docker/$service/.env" < "/docker/$service/nginx_server.conf" > "$new_nginx_conf_path/$service"
fi
# Do we need dummy cert?
if [ ! -e "$certs_path/$service/fullchain.pem" ] ; then
section "Create cert dir"
run mkdir -p "$certs_path/$service"
section "Link dummy to cert"
run ln -s "$dummy_cert_path/fullchain.pem" "$certs_path/$service"
run ln -s "$dummy_cert_path/privkey.pem" "$certs_path/$service"
fi
section "Testing nginx conf"
run nginx -t -c /etc/nginx/new_nginx.conf
[[ "$(resolv.sh $service)" != *$my_ip* ]] && continue
deploy_service.sh "$service" "noreload"
done
###############################################################################
# Nginx restart
###############################################################################
driglibash_section_prefix="[Restart nginx] "
section "Test if nginx conf is ok"
run nginx -t -c "$proxy_dir/new_nginx.conf"
section "Update nginx conf"
run rm -rf "$nginx_conf_path"
run mv "$new_nginx_conf_path" "$nginx_conf_path"
run cp "/docker/_proxy/nginx.conf" "$proxy_dir/nginx.conf"
section "Test nginx conf to be sure"
run nginx -t
if [ -z "$(cat /var/run/nginx.pid)" ] ; then
section "Start nginx"
run nginx
else
section "Reload nginx"
run nginx -s reload
fi
restart_nginx.sh
clean

View File

@ -48,11 +48,11 @@ section(){
fi
repeat '=' "$left"
if [ "$right" -ge 1 ] ; then
echo -ne " $text "
if [ "$right" -ge 1 ] ; then
repeat '=' "$right"
echo
fi
echo
if "$driglibash_step_by_step" ; then
echo "Press enter to proceed"

View File

@ -0,0 +1,28 @@
#!/bin/bash
set -euo pipefail
. driglibash-base
JC_ENV=/etc/jeancloud.env
certs_path=/etc/letsencrypt/live
proxy_dir=/etc/nginx
cat > "$JC_ENV" <<EOF
my_ip=$(resolv.sh "$(cat /etc/hostname)")
proxy_dir='$proxy_dir'
nginx_conf_path='$proxy_dir/sites-enabled'
new_nginx_conf_path='$proxy_dir/new-sites-enabled'
certs_path='$certs_path'
dummy_cert_path='$certs_path/dummy'
EOF
for dir in /docker/* ; do
service="$(basename "$dir")"
[ ! -d "$dir" ] && continue
line_in_file "HTTP_DIR='/srv/http/$service'" "/docker/$service/.env"
line_in_file "DATA_DIR='/data/$service'" "/docker/$service/.env"
line_in_file "DOCKER_DIR='/docker/$service'" "/docker/$service/.env"
line_in_file "JC_SERVICE='$service'" "/docker/$service/.env"
done

View File

@ -0,0 +1,42 @@
#!/bin/bash
declare -A usage
declare -A varia
summary="$0 [options] <repo>"
usage[b]="Branch of git repo"
varia[b]=branch
branch=master
usage[d]="Destination of clone"
varia[d]=dst
dst='.'
usage[i]="privkey used to ssh pull"
varia[i]=privkey
privkey=''
. driglibash-args
# Some SSH options
ssh_opt='ssh'
if [ -n "$privkey" ] ; then
ssh_opt="$ssh_opt -i $privkey"
fi
repo="$1"
if [ -z "$repo" ] ; then
die "$0: Empty repo given\n$summary"
fi
cd "$dst"
if [ -d .git ] ; then
git reset --hard HEAD && git pull --depth 1 --ff-only --rebase --config core.sshCommand="$ssh_opt"
git submodule update --recursive --remote --recommend-shallow
else
git clone --single-branch --recurse-submodules --shallow-submodules --depth 1 --config core.sshCommand="$ssh_opt" "$repo" .
fi

View File

@ -0,0 +1,14 @@
#!/bin/bash
set -euo pipefail
. "$DOCKER_DIR/.env"
. "$DATA_DIR/.env"
webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')"
webdav_user="$(echo "$NC_SHARE_LINK" |sed 's#.*/s/##')"
webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")"
git_update.sh "$GIT_SOURCE_REPO"
rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" -- webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: "$CLOUD_LOCAL_PATH"
hugo

View File

@ -0,0 +1,22 @@
#!/bin/bash
. driglibash-base
if [ "$#" -ne 2 ] ; then
echo "usage: $0 <action> <service>"
echo "action is start/stop/reload/restart"
echo "service is a jc service name"
exit 1
fi
action="$1"
service="$2"
if [ -f "/docker/$service/install.sh" ] ; then
section "Running install script"
. "/docker/$service/install.sh"
# Is $action a bash function?
if [ -n "$(LC_ALL=C type "$action" | head -n 1 | grep 'function')" ] ; then
(source "/docker/$service/.env" && "$action")
else
die "$0 no action $action found for service $service"
fi
fi

View File

@ -0,0 +1,24 @@
#!/bin/bash
. driglibash-base
. /etc/jeancloud.env
driglibash_section_prefix="[Restart nginx] "
section "Test if nginx conf is ok"
run nginx -t -c "$proxy_dir/new_nginx.conf"
section "Update nginx conf"
run rm -rf "$nginx_conf_path"
run cp -r "$new_nginx_conf_path" "$nginx_conf_path"
run cp "/docker/_proxy/nginx.conf" "$proxy_dir/nginx.conf"
section "Test nginx conf to be sure"
run nginx -t
if [ -z "$(cat /var/run/nginx.pid)" ] ; then
section "Start nginx"
run nginx
else
section "Reload nginx"
run nginx -s reload
fi

View File

@ -1,6 +1,6 @@
$TTL 604800
@ IN SOA max.jean-cloud.org. contact.jean-cloud.org. (
2023062300 ; Serial
@ IN SOA tetede.jean-cloud.org. contact.jean-cloud.org. (
2023082700 ; Serial
7200 ; Refresh
7200 ; Retry
2419200 ; Expire
@ -23,6 +23,8 @@ _dmarc 86400 IN TXT v=DMARC1; p=quarantine;
; web
@ IN A 51.255.33.248
@ IN A 82.65.204.254
@ IN A 51.195.40.128
@ IN A 109.18.84.200
www IN A 51.195.40.128
www IN A 109.18.84.200

View File

@ -1,13 +1,13 @@
$TTL 604800
@ IN SOA max.jean-cloud.org. contact.jean-cloud.org. (
2023061500 ; Serial
@ IN SOA tetede.jean-cloud.org. contact.jean-cloud.org. (
2023082700 ; Serial
7200 ; Refresh
7200 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL
; NS
@ IN NS max.jean-cloud.org.
;@ IN NS max.jean-cloud.org.
@ IN NS tetede.jean-cloud.org.
@ IN NS ns1.he.net.
@ IN NS ns2.he.net.
@ -16,7 +16,7 @@ $TTL 604800
@ IN NS ns5.he.net.
@ IN A 51.255.33.248
@ IN A 82.65.204.254
@ IN A 109.18.84.200
@ 10800 IN MX 10 spool.mail.gandi.net.
@ -26,7 +26,7 @@ $TTL 604800
; Resolving nameserver
ns2 IN A 51.255.33.248
ns1 IN A 82.65.204.254
;ns1 IN A 82.65.204.254
;mail IN CNAME vandamme
webmail IN CNAME vandamme
@ -49,8 +49,8 @@ tetede IN A 51.195.40.128
heart IN A 109.18.84.200
max IN A 82.65.204.254
max IN AAAA 2a01:e0a:c9d:81d0:a2b3:ccff:fe85:af97
;max IN A 82.65.204.254
;max IN AAAA 2a01:e0a:c9d:81d0:a2b3:ccff:fe85:af97
montbonnot IN A 188.114.97.2
montbonnot IN A 188.114.96.2
@ -129,17 +129,18 @@ tracker IN CNAME tetede.jean-cloud.org.
raplacgr IN CNAME tetede.jean-cloud.org.
walou IN CNAME dumbcluster.jean-cloud.org.
nc-backup IN CNAME blatte.jean-cloud.org.
gypsy IN CNAME tetede.jean-cloud.org.
shlago.wireguard.jean-cloud.net IN CNAME tetede.jean-cloud.org.
lexicographe IN CNAME max.jean-cloud.org.
lexicographe IN CNAME tetede.jean-cloud.org.
chahut IN CNAME max.jean-cloud.org.
www.chahut IN CNAME max.jean-cloud.org.
wordpress.chahut IN CNAME max.jean-cloud.org.
www.wordpress.chahut IN CNAME max.jean-cloud.org.
grapes.chahut IN CNAME max.jean-cloud.org.
louixel IN CNAME raku.jean-cloud.org.

View File

@ -1,6 +1,6 @@
$TTL 604800
@ IN SOA max.jean-cloud.org. contact.jean-cloud.org. (
2023061500 ; Serial
@ IN SOA tetede.jean-cloud.org. contact.jean-cloud.org. (
2023082700 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
@ -9,12 +9,12 @@ $TTL 604800
@ IN NS max
@ IN NS tetede
@ IN A 109.18.84.200
@ IN A 51.255.33.248
@ IN A 82.65.204.254
; NS
;ns1 IN CNAME vandamme
ns2 IN A 82.65.204.254
;ns2 IN A 82.65.204.254
ns3 IN A 51.195.40.128
; Mails
@ -46,8 +46,8 @@ tetede IN AAAA 2001:41d0:701:1100::31f
heart IN A 109.18.84.200
max IN A 82.65.204.254
max IN AAAA 2a01:e0a:c9d:81d0:a2b3:ccff:fe85:af97
max IN A 109.18.84.200
;max IN AAAA 2a01:e0a:c9d:81d0:a2b3:ccff:fe85:af97
montbonnot IN A 188.114.97.2
montbonnot IN A 188.114.96.2
@ -55,3 +55,7 @@ montbonnot IN AAAA 2a06:98c1:3120::2
montbonnot IN AAAA 2a06:98c1:3121::2
blatte IN A 10.98.1.2
;raku IN A 37.65.25.194
raku IN AAAA 2a02:842a:39a:4d01:b283:feff:fe4c:5dee

View File

@ -15,7 +15,7 @@ $TTL 604800
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
@ IN A 82.65.204.254
@ IN A 213.186.33.40
;@ IN AAAA 2001:41d0:701:1100::31f
@ -23,6 +23,6 @@ $TTL 604800
ns1 IN A 51.255.33.248
ns2 IN A 172.104.154.21
benevoles IN CNAME max.jean-cloud.org.
benevoles31 IN CNAME max.jean-cloud.org.
;benevoles IN CNAME max.jean-cloud.org.
;benevoles31 IN CNAME max.jean-cloud.org.

View File

@ -1,15 +0,0 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2023042100 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL (min before refresh)
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.he.net.
@ IN NS ns3.he.net.
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
@ IN A 51.255.33.248

View File

@ -1,6 +1,6 @@
$TTL 604800
@ IN SOA max.jean-cloud.org. contact.jean-cloud.org. (
2023060100 ; Serial
@ IN SOA tetede.jean-cloud.org. contact.jean-cloud.org. (
2023082700 ; Serial
604800 ; Refresh
7200 ; Retry
2419200 ; Expire
@ -8,7 +8,7 @@ $TTL 604800
; NS
@ IN NS max.jean-cloud.org.
;@ IN NS max.jean-cloud.org.
@ IN NS tetede.jean-cloud.org.

View File

@ -58,11 +58,6 @@ zone "inurbe.fr"{
type master;
file "/etc/bind/db.inurbe.fr";
};
zone "lalis.fr"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.lalis.fr";
};
zone "leida.fr"{
allow-update { none; }; # We are primary DNS
type master;

View File

@ -8,11 +8,16 @@
archive: false
recursive: true
- name: Add binaries
ansible.posix.synchronize:
src: "{{ role_path }}/files/bin/"
dest: "/usr/local/bin"
- name: Gen env vars
command: gen_env.sh
- name: Add bind conf
ansible.posix.synchronize:
src: "{{ role_path }}/files/bind/"

View File

@ -29,7 +29,7 @@
- name: Install some softwares
apt:
name: ['bind9', 'certbot', 'curl', 'dnsutils', 'git', 'gnupg2', 'htop', 'netcat-openbsd', 'nginx', 'rsync', 'screen', 'sshfs', 'sudo', 'traceroute', 'vim', 'wget', 'zip']
name: ['bind9', 'certbot', 'curl', 'dnsutils', 'git', 'gnupg2', 'htop', 'hugo', 'netcat-openbsd', 'nginx', 'podman', 'rclone', 'rsync', 'screen', 'sshfs', 'sudo', 'traceroute', 'vim', 'wget', 'zip']
state: latest
# TODO disable certbot and certbot.timer services. We are using our own
@ -40,6 +40,7 @@
state: directory
with_items:
- /docker
- /srv/http
- /data
- /etc/letsencrypt
@ -81,3 +82,12 @@
HISTTIMEFORMAT="%Y%m%d-%T "
export HISTSIZE HISTFILESIZE HISTTIMEFORMAT
- name : Disable docker service
service:
name: "{{ item }}"
state: stopped
enabled: false
with_items:
- docker
- docker.socket

View File

@ -18,13 +18,16 @@ Le script deployer.sh va pour chaque service
- Démarrer docker-compose si besoin
- Copier le fichier nginx.conf dans sites-enabled si besoin (en remplaçant certaines variables) (en créant un faux certificat ssl si besoin)
- Démarrer et activer une interface wg si un fichier `wg-*.conf` est présent.
- Exécuter le script install.sh du service sil existe
- Exécuter le script deploy.sh du service sil existe
- Exécuter le script deploy_http.sh en tant que www-data sil existe. Ce script peut également être éxécuter par nginx pour mettre à jour le site web.
Le script letsencrypt.sh va renouveler tous les certificats dont le serveur a besoin (il va lire dans /etc/nginx/sites-enabled).
## Variables
Le script deployer.sh crée les variables
- DATA_DIR : là où sauvegarder des données
- DOCKER_DIR : dossier contenant les fichiers de déploiement du service
- HTTP_DIR : là où mettre les fichiers web si ils sont statiques. Ce dossier peut être détruit à tout moment, il nest pas sauvegardé.
- JC_SERVICE : le nom du dossier service. Correspond souvent à ladresse du service.
Ces variables sont ajoutées au ficher .env du service. (écrasées si existantes donc).

View File

@ -0,0 +1,2 @@
#!/bin/bash
chmod +x server.sh

View File

@ -1,12 +1,15 @@
limit_req_zone global zone=deployer_limit:100k rate=3r/m;
server {
listen 443;
listen [::]:443;
server_name $SERVER_HOST;
ssl_certificate /etc/letsencrypt/live/deployer.jean-cloud.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/deployer.jean-cloud.org/privkey.pem;
location /reload {
fastcgi_param SCRIPT_FILENAME /var/www/html/test.sh;
location / {
limit_req zone=deployer_limit;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME /docker/deployer.jean-cloud.org/server.sh;
fastcgi_pass unix:/var/run/fcgiwrap.socket;
}
}

View File

@ -0,0 +1,38 @@
#!/bin/bash
echo "Content-type: text/html"
echo ""
service="$(echo "$DOCUMENT_URI" | tr -d '/\;!&<>?#[]()"*')"
path="/docker/$service/deploy_http.sh"
. /etc/jeancloud.env
echo '<html><head><title>Rechargement dun site web</title><meta charset="utf-8" /></head>'
echo '<body>'
echo "<h2>Rechargement dun site web : $service</h2>"
echo "<h3> Résultat local</h3>"
if [ -x "$path" ] ; then
echo "<pre>"
"$path"
ret="$?"
echo "</pre>"
if [ "$ret" -ne 0 ] ; then
echo '<p style="color:red;">Une erreur a été détectée. Contactez Jean-Cloud.</p>'
else
while read ip ; do
echo curl http://deployer.jean-cloud.org/ --resolve "*:80:$ip"
if [ "$?" -eq 0 ] ; then
echo "$ip ok"
else
echo "$ip ERREUR"
fi
done < <(getent hosts deployer.jean-cloud.org | cut -d ' ' -f 1 | grep -v "$my_ip")
fi
echo '<p>Les informations précédentes peuvent vous être utiles (erreurs dans un document, fichier absent…). Prenez le temps de les lire pour avoir un site dont toutes les pages fonctionnent !</p>'
else
echo "<p>Échec. Contactez Jean-Cloud</p>"
fi
echo '</body>'
echo '</html>

View File

@ -1 +1,2 @@
GIT_SOURCE_REPO="https://git.jean-cloud.net/adrian/etrevivant"
CLOUD_LOCAL_PATH=content

View File

@ -0,0 +1,18 @@
#!/bin/bash
set -euo pipefail
. /docker/etrevivant.net/.env
. /data/etrevivant.net/.env
webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')"
webdav_user="$(echo "$NC_SHARE_LINK" |sed 's#.*/s/##')"
webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")"
cd "$HTTP_DIR"
if [ -d .git ] ; then
git reset --hard origin/master
git pull --depth 1 --rebase
else
git clone --single-branch --depth 1 "$GIT_SOURCE_REPO" .
fi
rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: content/
hugo

View File

@ -1,25 +0,0 @@
#!/bin/bash
set -euo pipefail
start() {
. /docker/etrevivant.net/.env
. /data/etrevivant.net/.env
webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')"
webdav_user="$(echo "$NC_SHARE_LINK" |sed 's#.*/s/##')"
webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")"
sudo -u www-data bash <<EOF
set -euo pipefail
cd "$HTTP_DIR"
[ -d .git ] || git clone --single-branch --depth 1 "$GIT_SOURCE_REPO" . || (git checkout -- * && git pull --depth 1)
rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: content/
hugo
EOF
}
restart () {
start
}
stop () {
:
}

View File

@ -0,0 +1,2 @@
JC_NET=172.29.19
GIT_SOURCE_REPO=https://git.jean-cloud.net/adrian/grapesjs

View File

@ -0,0 +1,6 @@
#!/bin/bash
set -euo pipefail
mkdir -p "$HTTP_DIR"
chown www-data:www-data "$HTTP_DIR"
sudo -u www-data git_update.sh -d "$HTTP_DIR" "$GIT_SOURCE_REPO"

View File

@ -0,0 +1,19 @@
version: '3'
services:
json_server:
image: jeancloud/json-server
volumes:
- "$DATA_DIR:/usr/lib/json-server"
networks:
default:
ipv4_address: $JC_NET.100
deploy:
resources:
limits:
cpus: '0.50'
memory: 100M
networks:
default:
ipam:
config:
- subnet: $JC_NET.0/24

View File

@ -0,0 +1,35 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/grapes.chahut.jean-cloud.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/grapes.chahut.jean-cloud.net/privkey.pem;
server_name grapes.chahut.jean-cloud.net;
root $HTTP_DIR;
# Security headers
# We can create a file with the base security headers and include it.
# Will it be possible to overload them then ?
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
#add_header Content-Security-Policy "default-src 'self' https://cdnjs.cloudflare.com/ajax/libs/font-awesome/ ;frame-ancestors 'none'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://cdnjs.cloudflare.com/ajax/libs/font-awesome/ ; img-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com/ajax/libs/font-awesome/ ; base-uri 'self'; form-action 'self';" always;
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options SAMEORIGIN always;
add_header X-XSS-Protection "1; mode=block" always;
#add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';sync-xhr='https://mailer.jean-cloud.net';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';";
auth_basic "Mot de passe !";
auth_basic_user_file $DATA_DIR/pass.txt;
location / {
index index.html;
try_files $uri $uri/ =404;
}
location /projects {
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto https;
proxy_pass http://$JC_NET.100:3000;
proxy_redirect off;
}
}

View File

@ -0,0 +1,3 @@
#!/bin/bash
podman run -i --rm -e GIT_SOURCE_REPO='https://git.jean-cloud.net/adrian/jean-cloud_website' -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder

View File

@ -1,14 +0,0 @@
#!/bin/bash
set -euo pipefail
start() {
podman run -i --rm -e GIT_SOURCE_REPO='https://git.jean-cloud.net/adrian/jean-cloud_website' -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder
}
restart () {
start
}
stop () {
:
}

View File

@ -10,7 +10,7 @@ server {
# We can create a file with the base security headers and include it.
# Will it be possible to overload them then ?
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self' https://unpkg.jean-cloud.net; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self' https://unpkg.jean-cloud.net; base-uri 'self'; form-action 'self' 'https://mailer.jean-cloud.net';" always;
add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self'; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self'; base-uri 'self'; form-action 'self';" always;
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options SAMEORIGIN always;
add_header X-XSS-Protection "1; mode=block" always;

View File

@ -0,0 +1,4 @@
#!/bin/bash
set -euo pipefail
podman run -i --rm --env-file "$DATA_DIR/.env" -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder

View File

@ -1,16 +0,0 @@
#!/bin/bash
set -euo pipefail
start() {
mkdir -p "$DATA_DIR/git"
podman pull docker.io/jeancloud/pelican-rclone-builder
podman run -i --rm --env-file "$DATA_DIR/.env" -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder
}
restart () {
start
}
stop () {
:
}

View File

@ -1,2 +1,2 @@
#!/bin/bash
grep -ho '172.29.[^.]' . -r | sort -u
grep -ho '172.29.[^.]\+' . -r | sort -u

View File

@ -15,10 +15,8 @@ Address = 10.100.1.254/32
[Peer] # adrian
PublicKey = 14yKNmSfD2lrWU+d/RJBPNvh9pZ/nW4bK27F9nTgvk0=
AllowedIPs = 10.100.1.253/32
PersistentKeepalive = 25
[Peer] # Passerelle
PublicKey = ZTKOW5DE8jPO8oMh5hAw/c1MQSlUaVxInMPz9Zdwzwo=
AllowedIPs = 10.100.1.0/24,192.168.100.0/24
PersistentKeepalive = 25
"

View File

@ -1 +0,0 @@
version: '3'

View File

@ -28,6 +28,7 @@ server {
ssl_certificate_key /etc/letsencrypt/live/$RADIO_HOST/privkey.pem;
location / {
client_max_body_size 0;
proxy_pass http://$ENDPOINT;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;

View File

@ -30,4 +30,9 @@ PostDown = iptables -t nat -D POSTROUTING -o $wgif-j MASQUERADE
[Peer]
PublicKey = 1YIpMhZGrZRnZPlrTjtCfjvXXGk8j0Ug2AfcHEtN/hE=
AllowedIPs = 10.29.0.1/32,$NET.0/24
# test separation PA
[Peer]
PublicKey = todo
AllowedlIPs = 10.29.0.2
"