Adrian Amaglio 2023-07-06 17:37:16 +02:00
parent 48a27ddf71
commit 9bda639aa3
18 changed files with 193 additions and 17 deletions


@ -76,7 +76,6 @@ debootstrap_done_marker="$mnt/etc/debootstrap_done"
# Actual script
###############################################################################
. driglibash-base
chroot_run(){
chroot "$mnt" $@
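Review bot: `chroot "$mnt" $@` passes the arguments unquoted, so any argument containing whitespace or glob characters is re-split and expanded before chroot sees it; the line should read `chroot "$mnt" "$@"`. Whether this line is context or changed in this hunk is not recoverable from the rendered page, and the body of chroot_run continues past the hunk.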


@ -1,8 +1,9 @@
[servers]
#vandamme.jean-cloud.org
#nougaro.jean-cloud.org
tetede.jean-cloud.org
#tetede.jean-cloud.org
#carcasse.jean-cloud.org
#benevoles.karnaval.fr
#montbonnot.jean-cloud.org
max.jean-cloud.org
#blatte.jean-cloud.org


@ -20,7 +20,6 @@
#NTP is important for curl and apt
# - ericsysmin.system.ntp
- jean-cloud-common
# Users
@ -89,6 +88,7 @@
# graylog Nope, too heavy…
# TODO lininfile for prometheus
# 127.0.1.1 docker-host
- jean-cloud-common
##- deploy_all


@ -0,0 +1,28 @@
$TTL 604800
@ IN SOA max.jean-cloud.org. contact.jean-cloud.org. (
2023062300 ; Serial
7200 ; Refresh
7200 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL
; NS
@ IN NS max.jean-cloud.org.
@ IN NS tetede.jean-cloud.org.
; Mail config
@ 86400 IN MX 10 mail.etrevivant.net.
mail 21600 IN A 83.229.19.99
imap 86400 IN CNAME mail.etrevivant.net.
pop 86400 IN CNAME mail.etrevivant.net.
smtp 86400 IN CNAME mail.etrevivant.net.
@ 86400 IN TXT v=spf1 mx:etrevivant.net a:mail.etrevivant.net a:mailphp.lws-hosting.com -all
dkim._domainkey 86400 IN TXT v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8C8Xh049AFp+LuKVCUlwahtRFxO85rrJ0dE0idCfNAsI5Nlobf02gik8jesZ04clvZ0lxaM+L8IU50AKVHeFva83Y7LVJdeaXk14fO3gwQ1r/asNhzvg++88bfhSaLKD5M4Eid13mBrpsV3gP/MeGIzsty0AMUUNpDwe0otnv3wIDAQAB
_dmarc 86400 IN TXT v=DMARC1; p=quarantine;
; web
@ IN A 51.255.33.248
@ IN A 82.65.204.254
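Review bot: The SPF, DKIM and DMARC TXT values are unquoted, which does not survive BIND zone-file parsing: `;` starts a comment, so the DKIM record loads as just `v=DKIM1` and the DMARC record as `v=DMARC1`, and the space-separated SPF tokens load as separate strings that receivers concatenate without spaces. Each value should be one quoted string, e.g. `_dmarc 86400 IN TXT "v=DMARC1; p=quarantine;"`, with the DKIM key split into quoted chunks under 255 characters if the loader complains. If the quotes were only stripped by the page rendering this can be ignored, but the named.conf hunk in the same commit shows its quoted paths intact, so the loss looks real.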


@ -1,6 +1,6 @@
$TTL 604800
@ IN SOA max.jean-cloud.org. contact.jean-cloud.org. (
2023051101 ; Serial
2023061500 ; Serial
7200 ; Refresh
7200 ; Retry
2419200 ; Expire
@ -131,10 +131,15 @@ raplacgr IN CNAME tetede.jean-cloud.org.
walou IN CNAME dumbcluster.jean-cloud.org.
nc-backup IN CNAME tetede.jean-cloud.org.
nc-backup IN CNAME blatte.jean-cloud.org.
gypsy IN CNAME tetede.jean-cloud.org.
shlago.wireguard.jean-cloud.net IN CNAME tetede.jean-cloud.org.
lexicographe IN CNAME max.jean-cloud.org.
chahut IN CNAME max.jean-cloud.org.
www.chahut IN CNAME max.jean-cloud.org.
wordpress.chahut IN CNAME max.jean-cloud.org.
www.wordpress.chahut IN CNAME max.jean-cloud.org.
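Review bot: `nc-backup` appears with two CNAME targets, tetede and blatte, and if both are on the new side the zone will fail to load, since a name holding a CNAME may carry no other record, a second CNAME included. The rendered page does not mark which of the two lines is removed; if this is a replacement, only the blatte line should remain, and if both hosts must answer, the name needs to be an A/AAAA record set instead of CNAMEs.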


@ -1,6 +1,6 @@
$TTL 604800
@ IN SOA max.jean-cloud.org. contact.jean-cloud.org. (
2023051100 ; Serial
2023061500 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
@ -54,3 +54,4 @@ montbonnot IN A 188.114.96.2
montbonnot IN AAAA 2a06:98c1:3120::2
montbonnot IN AAAA 2a06:98c1:3121::2
blatte IN A 10.98.1.2
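Review bot: `blatte IN A 10.98.1.2` publishes an RFC 1918 address in what looks like an Internet-facing zone (the same hunk carries public A/AAAA records for montbonnot), which leaks internal addressing and is unresolvable for outside clients. If blatte is only reachable over the internal network, a split-horizon view or an internal-only zone is the usual place for it. Presumably this is the one added line of the hunk, but the rendered page does not mark it.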


@ -15,8 +15,8 @@ $TTL 604800
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
@ IN A 51.195.40.128
@ IN AAAA 2001:41d0:701:1100::31f
@ IN A 82.65.204.254
;@ IN AAAA 2001:41d0:701:1100::31f
; Resolving nameserver


@ -73,6 +73,9 @@ zone "metamorphosemagazine.fr"{
type master;
file "/etc/bind/db.metamorphosemagazine.fr";
};
zone "etrevivant.net"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.etrevivant.net";
};
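Review bot: The new `etrevivant.net` zone restricts dynamic updates but, like the neighbouring metamorphosemagazine.fr zone, says nothing about zone transfers; unless the global options block (outside this hunk) sets `allow-transfer`, the BIND default on older versions lets anyone who can reach port 53 AXFR the whole zone. Since the zone file names tetede as the secondary, `allow-transfer { <TETEDE_IP>; };` (placeholder address) next to `allow-update` would limit transfers to it. The enclosing named.conf continues outside the hunk.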


@ -29,7 +29,7 @@
- name: Install some softwares
apt:
name: ['bind9', 'certbot', 'curl', 'dnsutils', 'git', 'gnupg2', 'htop', 'netcat-openbsd', 'nginx', 'rsync', 'screen', 'sshfs', 'traceroute', 'vim', 'wget', 'zip']
name: ['bind9', 'certbot', 'curl', 'dnsutils', 'git', 'gnupg2', 'htop', 'netcat-openbsd', 'nginx', 'rsync', 'screen', 'sshfs', 'sudo', 'traceroute', 'vim', 'wget', 'zip']
state: latest
# TODO disable certbot and certbot.timer services. We are using our own
@ -54,9 +54,30 @@
ansible.builtin.lineinfile:
path: /etc/crontab
line: '26 03 * * * root letsencrypt.sh'
- name: Docker config
ansible.builtin.copy:
dest: /etc/docker/daemon.json
content: |
{
"log-driver": "json-file",
"log-opts": {
"max-size": "10m",
"max-file": "3"
}
}
#TODO add this to /etc/docker/daemon.json
#{
# "iptables": false
#}
- name: Bash history
ansible.builtin.copy:
dest: /etc/profile.d/history.sh
mode : 755
content: |
HISTSIZE=
HISTFILESIZE=10000
HISTTIMEFORMAT="%Y%m%d-%T "
export HISTSIZE HISTFILESIZE HISTTIMEFORMAT
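Review bot: `mode : 755` on the Bash history task is an unquoted YAML integer, which Ansible takes as decimal 755, i.e. octal 1363, so /etc/profile.d/history.sh is installed world-writable (with the sticky bit) instead of 0755; because every login shell sources that file, any local user could then plant commands that run under the next administrator's login. It should be `mode: '0755'` (quoted, leading zero), the form Ansible's own copy-module documentation asks for. Separately, `HISTSIZE=` exported empty is, as far as I can tell, treated by bash as no limit on the in-memory list; if that is the intent, a comment saying so would save the next reader a lookup.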


@ -15,8 +15,8 @@ services:
default:
ipv4_address: 172.16.17.100
redis:
image: redis
#redis:
# image: redis
db:
image: postgres:9.6-alpine
env_file: $DATA_DIR/postgres.env


@ -0,0 +1,41 @@
version: '3.1'
services:
wp:
image: wordpress:5-apache
restart: unless-stopped
env_file: $DATA_DIR/wordpress.env
volumes:
- $DATA_DIR/wordpress:/var/www/html
- /srv/http/$JC_SERVICE:/var/www/html/static
networks:
default:
ipv4_address: 172.29.18.100
deploy:
resources:
limits:
cpus: '0.50'
memory: 100M
db:
image: mariadb:10.11
restart: unless-stopped
env_file: $DATA_DIR/wordpress.env
volumes:
- $DATA_DIR/db:/var/lib/mysql
networks:
default:
ipv4_address: 172.29.18.101
deploy:
resources:
limits:
cpus: '0.50'
memory: 100M
networks:
default:
ipam:
config:
- subnet: 172.29.18.0/24
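Review bot: The `wp` service declares no `depends_on`, so on a cold start WordPress can come up before MariaDB has initialised and fail its first connection attempts; adding `depends_on:` followed by `  - db` under `wp` at least orders the start. Also, the `deploy.resources.limits` blocks are honoured by the classic docker-compose only in `--compatibility` mode (Compose v2 applies them by default, as far as I know), so the 100M memory caps may be silently ignored depending on the tooling in use; a comment stating which runtime is expected would help.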


@ -0,0 +1,30 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/$JC_SERVICE/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$JC_SERVICE/privkey.pem;
server_name wordpress.$JC_SERVICE www.wordpress.$JC_SERVICE;
location / {
auth_basic "Mot de passe !";
auth_basic_user_file /data/$JC_SERVICE/pass.txt;
client_max_body_size 2G;
#proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto https;
proxy_pass http://172.29.18.100;
proxy_redirect off;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/$JC_SERVICE/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$JC_SERVICE/privkey.pem;
server_name $JC_SERVICE www.$JC_SERVICE;
location / {
root /srv/http/$JC_SERVICE;
try_files $uri $uri/ =404;
}
}
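Review bot: The proxied block leaves `X-Real-IP` commented out and sets no `X-Forwarded-For`, so WordPress and its logs see every request as coming from the proxy address, which blinds login rate-limiting and any per-IP plugin; `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` should be set, with the upstream configured to trust only this proxy. This vhost also carries none of the HSTS/CSP/nosniff headers the commit adds to the other new nginx file, so the two new vhosts are inconsistent; at least `Strict-Transport-Security` is worth carrying over here.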


@ -0,0 +1 @@
GIT_SOURCE_REPO="https://git.jean-cloud.net/adrian/etrevivant"


@ -0,0 +1,25 @@
#!/bin/bash
set -euo pipefail
start() {
. /docker/etrevivant.net/.env
. /data/etrevivant.net/.env
webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')"
webdav_user="$(echo "$NC_SHARE_LINK" |sed 's#.*/s/##')"
webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")"
sudo -u www-data bash <<EOF
set -euo pipefail
cd "$HTTP_DIR"
[ -d .git ] || git clone --single-branch --depth 1 "$GIT_SOURCE_REPO" . || (git checkout -- * && git pull --depth 1)
rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: content/
hugo
EOF
}
restart () {
start
}
stop () {
:
}
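Review bot: The `[ -d .git ] || git clone … || (git checkout -- * && git pull --depth 1)` chain never updates an existing checkout: when .git exists the test succeeds and nothing else in the chain runs, and when the clone succeeds the pull branch is skipped too, so the pull only ever runs after a failed clone. The intent reads as "clone if absent, else pull", which needs an explicit if/else (below, also replacing the unquoted `*` glob with `.`). Separately, `--webdav-pass=` on the rclone command line puts the (reversibly obscured) share password in the process list for the duration of the sync; rclone reads the same option from `RCLONE_WEBDAV_PASS` in the environment, which avoids that.
```shell
sudo -u www-data bash <<EOF
set -euo pipefail
cd "$HTTP_DIR"
if [ -d .git ]; then
    git checkout -- . && git pull --depth 1
else
    git clone --single-branch --depth 1 "$GIT_SOURCE_REPO" .
fi
# … unchanged: rclone sync and hugo …
EOF
```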


@ -0,0 +1,22 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/$JC_SERVICE/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$JC_SERVICE/privkey.pem;
server_name $JC_SERVICE www.$JC_SERVICE;
root $HTTP_DIR/public/;
# Security headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self'; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self'; base-uri 'self'; form-action 'self';" always;
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options SAMEORIGIN always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';";
location / {
index index.html;
try_files $uri $uri/ =404;
}
}
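Review bot: The `Permissions-Policy` value uses the old Feature-Policy syntax (`feature='none'` joined by `;`); Permissions-Policy is a structured dictionary such as `geolocation=(), camera=(), microphone=()`, so as written browsers will not parse the header and the policy is silently lost. The other headers are inconsistent with each other too: `X-Frame-Options SAMEORIGIN` contradicts the CSP's `frame-ancestors 'none'` and should be `DENY`, and `X-Content-Type-Options` and `Referrer-Policy` lack `always`, so they are omitted on error responses. `X-XSS-Protection` is deprecated and can simply be dropped.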


@ -2,7 +2,6 @@
set -euo pipefail
start() {
podman pull docker.io/jeancloud/pelican-rclone-builder
podman run -i --rm -e GIT_SOURCE_REPO='https://git.jean-cloud.net/adrian/jean-cloud_website' -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder
}
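Review bot: `podman pull docker.io/jeancloud/pelican-rclone-builder` and the matching `podman run` reference the image by name only, so every start fetches whatever the mutable `latest` tag currently points at, and the site build runs with no integrity check on what was pulled. Pinning both lines to a digest (`docker.io/jeancloud/pelican-rclone-builder@sha256:<DIGEST>`, placeholder), or at least to a version tag, makes the build reproducible. Which of this hunk's lines is the removed one is not recoverable from the rendered page.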


@ -15,7 +15,7 @@ OMA_CONFIG_LogLevel=8
RADIO_NAME_PRETTY="Radio Démo"
RADIO_HOST=radiodemo.oma-radio.fr
COMPOSE_NAME=radiodemo-backoma-radiofr
DOCKER_INSTANCES_PREFIX=radiodemo-backoma-radiofr
DOCKER_INSTANCES_PREFIX=radiodemo-backoma-radiofr-
DOCKER_INSTANCES_SUFIX=-1
DATA_DIR=/home/data/radiodemo-back.oma-radio.fr
SOUNDBASE_DIR=/home/data/radiodemo-back.oma-radio.fr/core/radioDemo


@ -13,7 +13,7 @@ Address = 10.29.0.1/32
ListenPort = 55820
[Peer]
PublicKey = uXAXi3rthdRY2zkSgHpl3EqxQnxdw3aiAwNX6HhFHgI=
PublicKey = iwIsUriF4CT/Jpu29VXlj43hT3bUjG67FeEgCTcQCVc=
AllowedIPs = 10.29.0.254/32
Endpoint = radiodemo.oma-radio.fr:55820
PersistentKeepalive = 30