From 9bda639aa3f8965bf73351d52b11ac628a8d6451 Mon Sep 17 00:00:00 2001 From: Adrian Amaglio Date: Thu, 6 Jul 2023 17:37:16 +0200 Subject: [PATCH] update --- installing/debootstrap_ordis_portables.sh | 1 - provisioning/inventory.ini | 3 +- provisioning/playbook.yml | 2 +- .../deploy_all/files/bind/db.etrevivant.net | 28 +++++++++++++ .../deploy_all/files/bind/db.jean-cloud.net | 9 +++- .../deploy_all/files/bind/db.jean-cloud.org | 3 +- .../deploy_all/files/bind/db.karnaval.fr | 4 +- .../deploy_all/files/bind/named.conf.local | 7 +++- .../roles/jean-cloud-common/tasks/main.yml | 25 ++++++++++- .../docker-compose.yml | 4 +- .../chahut.jean-cloud.net/docker-compose.yml | 41 +++++++++++++++++++ .../chahut.jean-cloud.net/nginx_server.conf | 30 ++++++++++++++ services/etrevivant.net/.env | 1 + services/etrevivant.net/install.sh | 25 +++++++++++ services/etrevivant.net/nginx_server.conf | 22 ++++++++++ services/jean-cloud.net/install.sh | 1 - services/radiodemo-back.oma-radio.fr/.env | 2 +- .../wg-radiodemo.sh | 2 +- 18 files changed, 193 insertions(+), 17 deletions(-) create mode 100644 provisioning/roles/deploy_all/files/bind/db.etrevivant.net create mode 100644 services/chahut.jean-cloud.net/docker-compose.yml create mode 100755 services/chahut.jean-cloud.net/nginx_server.conf create mode 100644 services/etrevivant.net/.env create mode 100755 services/etrevivant.net/install.sh create mode 100755 services/etrevivant.net/nginx_server.conf diff --git a/installing/debootstrap_ordis_portables.sh b/installing/debootstrap_ordis_portables.sh index 22badb7..2accc9c 100755 --- a/installing/debootstrap_ordis_portables.sh +++ b/installing/debootstrap_ordis_portables.sh @@ -76,7 +76,6 @@ debootstrap_done_marker="$mnt/etc/debootstrap_done" # Actual script ############################################################################### -. driglibash-base chroot_run(){ chroot "$mnt" $@ diff --git a/provisioning/inventory.ini b/provisioning/inventory.ini index 7c36edf..7de6cf1 100644 
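Review bot: With `. driglibash-base` gone, any helper or variable the script took from that library is now undefined, and only chroot_run is visible here — the rest of the script, including chroot_run's body, lies outside the hunk, so please confirm nothing further down still relies on it. While touching this spot, the function passes its arguments unquoted: `chroot "$mnt" "$@"` keeps arguments containing spaces or glob characters intact, whereas `$@` splits and expands them.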
--- a/provisioning/inventory.ini +++ b/provisioning/inventory.ini @@ -1,8 +1,9 @@ [servers] #vandamme.jean-cloud.org #nougaro.jean-cloud.org -tetede.jean-cloud.org +#tetede.jean-cloud.org #carcasse.jean-cloud.org #benevoles.karnaval.fr #montbonnot.jean-cloud.org max.jean-cloud.org +#blatte.jean-cloud.org diff --git a/provisioning/playbook.yml b/provisioning/playbook.yml index cb2a8be..c952c3d 100755 --- a/provisioning/playbook.yml +++ b/provisioning/playbook.yml @@ -20,7 +20,6 @@ #NTP is important for curl and apt # - ericsysmin.system.ntp - - jean-cloud-common # Users @@ -89,6 +88,7 @@ # graylog Nope, too heavy… # TODO lininfile for prometheus # 127.0.1.1 docker-host + - jean-cloud-common ##- deploy_all diff --git a/provisioning/roles/deploy_all/files/bind/db.etrevivant.net b/provisioning/roles/deploy_all/files/bind/db.etrevivant.net new file mode 100644 index 0000000..b33a5cb --- /dev/null +++ b/provisioning/roles/deploy_all/files/bind/db.etrevivant.net @@ -0,0 +1,28 @@ +$TTL 604800 +@ IN SOA max.jean-cloud.org. contact.jean-cloud.org. ( + 2023062300 ; Serial + 7200 ; Refresh + 7200 ; Retry + 2419200 ; Expire + 7200 ) ; Negative Cache TTL + +; NS +@ IN NS max.jean-cloud.org. +@ IN NS tetede.jean-cloud.org. + + +; Mail config +@ 86400 IN MX 10 mail.etrevivant.net. +mail 21600 IN A 83.229.19.99 +imap 86400 IN CNAME mail.etrevivant.net. +pop 86400 IN CNAME mail.etrevivant.net. +smtp 86400 IN CNAME mail.etrevivant.net. +@ 86400 IN TXT v=spf1 mx:etrevivant.net a:mail.etrevivant.net a:mailphp.lws-hosting.com -all +dkim._domainkey 86400 IN TXT v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8C8Xh049AFp+LuKVCUlwahtRFxO85rrJ0dE0idCfNAsI5Nlobf02gik8jesZ04clvZ0lxaM+L8IU50AKVHeFva83Y7LVJdeaXk14fO3gwQ1r/asNhzvg++88bfhSaLKD5M4Eid13mBrpsV3gP/MeGIzsty0AMUUNpDwe0otnv3wIDAQAB +_dmarc 86400 IN TXT v=DMARC1; p=quarantine; + + +; web +@ IN A 51.255.33.248 +@ IN A 82.65.204.254 + 
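Review bot: Moving `- jean-cloud-common` from the top of the role list (hunk at -20) to after the prometheus TODO (hunk at -88) changes what runs before it: the `# Users` section and everything in between now executes before the common role has installed its packages. The same commit adds `sudo` to that role's apt list, so if any of the earlier roles write sudoers entries or otherwise expect sudo, bind9 or nginx to be present, a fresh host would fail until a second run — this is an inference from the visible context, since the intervening roles are outside the hunk. If the intent is that the common role must come last, a short comment above the new line stating why would spare the next reader the question.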
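Review bot: The three TXT records are written without quotes, and in master-file syntax `;` starts a comment, so the DKIM and DMARC lines are loaded as just `v=DKIM1` and `v=DMARC1` — the key and the policy are silently dropped — while the SPF line becomes five separate character-strings that verifiers concatenate without spaces, yielding an invalid record. Each value should be one quoted string: `@ 86400 IN TXT "v=spf1 mx:etrevivant.net a:mail.etrevivant.net a:mailphp.lws-hosting.com -all"`, `_dmarc 86400 IN TXT "v=DMARC1; p=quarantine;"`, and the dkim._domainkey record with its whole `v=DKIM1; k=rsa; p=…` value inside one pair of double quotes (it is under 255 characters, so a single string suffices). A syntax checker will not catch this because each truncated record is still well-formed; querying the three names with `dig TXT` after the zone is loaded is the quickest confirmation. The zone also lists tetede.jean-cloud.org. as a second NS while this commit comments that host out of inventory.ini, so it is worth confirming it still serves the zone.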
diff --git a/provisioning/roles/deploy_all/files/bind/db.jean-cloud.net b/provisioning/roles/deploy_all/files/bind/db.jean-cloud.net index 02ab16d..81407b9 100644 --- a/provisioning/roles/deploy_all/files/bind/db.jean-cloud.net +++ b/provisioning/roles/deploy_all/files/bind/db.jean-cloud.net @@ -1,6 +1,6 @@ $TTL 604800 @ IN SOA max.jean-cloud.org. contact.jean-cloud.org. ( - 2023051101 ; Serial + 2023061500 ; Serial 7200 ; Refresh 7200 ; Retry 2419200 ; Expire @@ -131,10 +131,15 @@ raplacgr IN CNAME tetede.jean-cloud.org. walou IN CNAME dumbcluster.jean-cloud.org. -nc-backup IN CNAME tetede.jean-cloud.org. +nc-backup IN CNAME blatte.jean-cloud.org. gypsy IN CNAME tetede.jean-cloud.org. shlago.wireguard.jean-cloud.net IN CNAME tetede.jean-cloud.org. lexicographe IN CNAME max.jean-cloud.org. + +chahut IN CNAME max.jean-cloud.org. +www.chahut IN CNAME max.jean-cloud.org. +wordpress.chahut IN CNAME max.jean-cloud.org. +www.wordpress.chahut IN CNAME max.jean-cloud.org. diff --git a/provisioning/roles/deploy_all/files/bind/db.jean-cloud.org b/provisioning/roles/deploy_all/files/bind/db.jean-cloud.org index 2752757..96848ba 100644 --- a/provisioning/roles/deploy_all/files/bind/db.jean-cloud.org +++ b/provisioning/roles/deploy_all/files/bind/db.jean-cloud.org @@ -1,6 +1,6 @@ $TTL 604800 @ IN SOA max.jean-cloud.org. contact.jean-cloud.org. ( - 2023051100 ; Serial + 2023061500 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire @@ -54,3 +54,4 @@ montbonnot IN A 188.114.96.2 montbonnot IN AAAA 2a06:98c1:3120::2 montbonnot IN AAAA 2a06:98c1:3121::2 +blatte IN A 10.98.1.2 diff --git a/provisioning/roles/deploy_all/files/bind/db.karnaval.fr b/provisioning/roles/deploy_all/files/bind/db.karnaval.fr index 09fc8c0..75a6cf9 100644 --- a/provisioning/roles/deploy_all/files/bind/db.karnaval.fr +++ b/provisioning/roles/deploy_all/files/bind/db.karnaval.fr 
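Review bot: `blatte IN A 10.98.1.2` publishes an RFC 1918 address in a public zone, and the companion hunk in db.jean-cloud.net repoints `nc-backup` at blatte, so that name now resolves for everyone but is reachable only from inside whatever private network 10.98.1.0/24 belongs to — presumably the WireGuard side, given the existing `shlago.wireguard` entry, but that is an inference. If that is intended, a trailing comment such as `; private/VPN address, not reachable from the Internet` on the new line saves the next reader a puzzled dig; if backups are expected to reach nc-backup from outside, this record needs the public address instead.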
@@ -15,8 +15,8 @@ $TTL 604800 @ IN NS ns4.he.net. @ IN NS ns5.he.net. -@ IN A 51.195.40.128 -@ IN AAAA 2001:41d0:701:1100::31f +@ IN A 82.65.204.254 +;@ IN AAAA 2001:41d0:701:1100::31f ; Resolving nameserver diff --git a/provisioning/roles/deploy_all/files/bind/named.conf.local b/provisioning/roles/deploy_all/files/bind/named.conf.local index b4bcb9d..70453a8 100644 --- a/provisioning/roles/deploy_all/files/bind/named.conf.local +++ b/provisioning/roles/deploy_all/files/bind/named.conf.local @@ -73,6 +73,9 @@ zone "metamorphosemagazine.fr"{ type master; file "/etc/bind/db.metamorphosemagazine.fr"; }; - - +zone "etrevivant.net"{ + allow-update { none; }; # We are primary DNS + type master; + file "/etc/bind/db.etrevivant.net"; +}; diff --git a/provisioning/roles/jean-cloud-common/tasks/main.yml b/provisioning/roles/jean-cloud-common/tasks/main.yml index 1d2bb20..5b92dc9 100644 --- a/provisioning/roles/jean-cloud-common/tasks/main.yml +++ b/provisioning/roles/jean-cloud-common/tasks/main.yml @@ -29,7 +29,7 @@ - name: Install some softwares apt: - name: ['bind9', 'certbot', 'curl', 'dnsutils', 'git', 'gnupg2', 'htop', 'netcat-openbsd', 'nginx', 'rsync', 'screen', 'sshfs', 'traceroute', 'vim', 'wget', 'zip'] + name: ['bind9', 'certbot', 'curl', 'dnsutils', 'git', 'gnupg2', 'htop', 'netcat-openbsd', 'nginx', 'rsync', 'screen', 'sshfs', 'sudo', 'traceroute', 'vim', 'wget', 'zip'] state: latest # TODO disable certbot and certbot.timer services. We are using our own 
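Review bot: The SOA serial of this zone is not incremented anywhere in the commit (the diffstat lists only the four lines of this hunk for db.karnaval.fr), so the secondaries named in the NS records just above, ns4.he.net and ns5.he.net, will keep serving 51.195.40.128 until the serial changes. The other two zone files touched here do bump their serials; this one needs the same treatment, for example a value of the form 2023070600 (a constructed example following the YYYYMMDDnn convention the sibling zones use). Commenting out the AAAA record is fine, but note the apex now has no IPv6 address at all.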
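Review bot: `allow-update { none; };` is already the default for a `type master` zone, so the explicit line is harmless but inconsistent with the neighbouring zones (the metamorphosemagazine.fr block just above has no such statement); either drop it or add it to the others so the file reads uniformly. The new zone file names tetede.jean-cloud.org. as a second NS, which means that host must be permitted to transfer the zone; no allow-transfer or also-notify appears in this block, so presumably that is configured globally — worth confirming, since otherwise the secondary never loads the zone.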
@@ -54,9 +54,30 @@ ansible.builtin.lineinfile: path: /etc/crontab line: '26 03 * * * root letsencrypt.sh' - + +- name: Docker config + ansible.builtin.copy: + dest: /etc/docker/daemon.json + content: | + { + "log-driver": "json-file", + "log-opts": { + "max-size": "10m", + "max-file": "3" + } + } #TODO add this to /etc/docker/daemon.json #{ # "iptables": false #} + +- name: Bash history + ansible.builtin.copy: + dest: /etc/profile.d/history.sh + mode : 755 + content: | + HISTSIZE= + HISTFILESIZE=10000 + HISTTIMEFORMAT="%Y%m%d-%T " + export HISTSIZE HISTFILESIZE HISTTIMEFORMAT diff --git a/services/benevoles31.karnaval.fr/docker-compose.yml b/services/benevoles31.karnaval.fr/docker-compose.yml index dbb357a..a0cc407 100755 --- a/services/benevoles31.karnaval.fr/docker-compose.yml +++ b/services/benevoles31.karnaval.fr/docker-compose.yml @@ -15,8 +15,8 @@ services: default: ipv4_address: 172.16.17.100 - redis: - image: redis + #redis: + # image: redis db: image: postgres:9.6-alpine env_file: $DATA_DIR/postgres.env diff --git a/services/chahut.jean-cloud.net/docker-compose.yml b/services/chahut.jean-cloud.net/docker-compose.yml new file mode 100644 index 0000000..bc7e303 --- /dev/null +++ b/services/chahut.jean-cloud.net/docker-compose.yml @@ -0,0 +1,41 @@ +version: '3.1' + +services: + + wp: + image: wordpress:5-apache + restart: unless-stopped + env_file: $DATA_DIR/wordpress.env + volumes: + - $DATA_DIR/wordpress:/var/www/html + - /srv/http/$JC_SERVICE:/var/www/html/static + networks: + default: + ipv4_address: 172.29.18.100 + deploy: + resources: + limits: + cpus: '0.50' + memory: 100M + + db: + image: mariadb:10.11 + restart: unless-stopped + env_file: $DATA_DIR/wordpress.env + volumes: + - $DATA_DIR/db:/var/lib/mysql + networks: + default: + ipv4_address: 172.29.18.101 + deploy: + resources: + limits: + cpus: '0.50' + memory: 100M + +networks: + default: + ipam: + config: + - subnet: 172.29.18.0/24 + 
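Review bot: `mode : 755` in the Bash history task is an unquoted YAML integer, which Ansible interprets as decimal 755 (octal 01363), so /etc/profile.d/history.sh is created with the sticky bit set, owner `-wx`, group `rw-` and world `-wx` — a world-writable file that every login shell, including root's, sources. Files in profile.d are sourced rather than executed, so `mode: '0644'` (quoted, with the leading zero) is both correct and sufficient. The Docker config task writes /etc/docker/daemon.json but no `notify` appears in the hunk, so unless a handler restarts dockerd elsewhere the logging limits take effect only after the next manual restart; the TODO about `iptables: false` left beneath it now describes an addition to this same task's content rather than a separate edit.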
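Review bot: Both `wp` and `db` load the same `$DATA_DIR/wordpress.env`, so whatever that file holds for MariaDB (presumably the root password alongside the WordPress database credentials) is also injected into the web container's environment, where a compromised WordPress install can read it; splitting the file so the web service receives only the `WORDPRESS_DB_*` values it needs would limit that exposure. The `deploy.resources.limits` blocks are honoured by Compose v2 and Swarm but ignored by the legacy docker-compose v1 without `--compatibility`, and a 100M memory cap for `mariadb:10.11` is likely to be hit under ordinary load — worth checking that the container is not being OOM-killed. `wordpress:5-apache` pins a major line that WordPress superseded with 6.x in 2022; if the older line is required for a plugin, a comment saying so would help.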
diff --git a/services/chahut.jean-cloud.net/nginx_server.conf b/services/chahut.jean-cloud.net/nginx_server.conf new file mode 100755 index 0000000..7440082 --- /dev/null +++ b/services/chahut.jean-cloud.net/nginx_server.conf @@ -0,0 +1,30 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate /etc/letsencrypt/live/$JC_SERVICE/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/$JC_SERVICE/privkey.pem; + server_name wordpress.$JC_SERVICE www.wordpress.$JC_SERVICE; + location / { + auth_basic "Mot de passe !"; + auth_basic_user_file /data/$JC_SERVICE/pass.txt; + client_max_body_size 2G; + #proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto https; + proxy_pass http://172.29.18.100; + proxy_redirect off; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate /etc/letsencrypt/live/$JC_SERVICE/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/$JC_SERVICE/privkey.pem; + server_name $JC_SERVICE www.$JC_SERVICE; + + location / { + root /srv/http/$JC_SERVICE; + try_files $uri $uri/ =404; + } +} diff --git a/services/etrevivant.net/.env b/services/etrevivant.net/.env new file mode 100644 index 0000000..7d98583 --- /dev/null +++ b/services/etrevivant.net/.env @@ -0,0 +1 @@ +GIT_SOURCE_REPO="https://git.jean-cloud.net/adrian/etrevivant" diff --git a/services/etrevivant.net/install.sh b/services/etrevivant.net/install.sh new file mode 100755 index 0000000..9c41c3a --- /dev/null +++ b/services/etrevivant.net/install.sh @@ -0,0 +1,25 @@ +#!/bin/bash +set -euo pipefail + +start() { + . /docker/etrevivant.net/.env + . /data/etrevivant.net/.env + webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')" + webdav_user="$(echo "$NC_SHARE_LINK" |sed 's#.*/s/##')" + webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")" + sudo -u www-data bash <
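Review bot: The proxied WordPress vhost forwards neither the client address nor X-Forwarded-For (the `X-Real-IP` line is commented out), so the upstream only ever sees the Docker network gateway address and login-throttling or logging inside WordPress can no longer distinguish clients. Adding `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` next to the Host header restores that. The `wordpress.$JC_SERVICE` and `www.wordpress.$JC_SERVICE` names are served with the certificate issued for `$JC_SERVICE`, so that certificate must carry them as subjectAltNames — presumably handled by the letsencrypt.sh cron seen in the provisioning role, but confirm before the vhost goes live.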