initial commit

Adrian Amaglio 2023-04-24 12:11:09 +02:00
commit ca56c39651
117 changed files with 4494 additions and 0 deletions

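--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
+installing/secrets
+installing/temporary_mount_point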


@ -0,0 +1,231 @@
#!/bin/bash
# Ce script est une base quil faut sûrement améliorer.
# Il sert à installer un debian dordi portable JC pour le cluster SHLAGO
# Le but est dinstaller juste ce quil faut pour le le serveur tourne, le reste est laissé à ansible.
# Il génère une clé SSH qui permettra daccéder à la machine. Cest peut-être con, il faudrait plutôt le remplir de nos ssh publiques.
# https://github.com/adrianamaglio/driglibash
declare -A usage
declare -A varia
driglibash_run_retry=true
version="alpha nightly 0.0.1 pre-release unstable"
summary="$0 [options]"
usage[m]="Path of the temporar mount point"
varia[m]=mnt
mnt="temporary_mount_point"
usage[a]="The architecture of installed system as supported by debootstrap"
varia[a]=arch
arch="amd64"
usage[r]="The release of installed system as supported by debootstrap"
varia[r]=release
release="bullseye"
usage[s]="Source repository of installed system"
varia[s]=repo
#repo=
repo="http://ftp.fr.debian.org/debian"
#repo="http://localhost:3142/ftp.fr.debian.org/debian"
usage[n]="The hostname"
varia[n]=hostname
hostname=""
usage[b]="The device where grub will be installed"
varia[b]=boot_device
boot_device=
usage[R]="The device where the system will be installed"
varia[R]=boot_device
boot_device=
usage[l]="System locale"
varia[l]=locale
locale="en_US.UTF-8 UTF-8\nfr_FR.UTF-8 UTF-8"
. driglibash-args
secret_dir=secrets
secret_dir="$(realpath -m "$secret_dir/$hostname")"
install="vim openssh-server git nginx"
###############################################################################
# Actual script
###############################################################################
. driglibash-base
chroot_run(){
run echo "$@" | chroot "$mnt"
if [ "$?" -ne 0 ] ; then
die "Error, chroot command [$@] exited with code '$?'"
fi
}
wait_for_user(){
section "Time for a pause"
run echo "Press 'Enter' to continue"
read
}
mount_misc(){
run mkdir -p "$mnt"/{proc,dev,sys}
run mount -t proc none "$mnt/proc"
clean "umount '$mnt/proc'"
# To access physical devices
run mount -o bind /dev "$mnt/dev"
clean "umount '$mnt/dev'"
run mount -o bind /dev/pts "$mnt/dev/pts"
clean "umount '$mnt/dev/pts'"
run mount -o bind /sys "$mnt/sys"
clean "umount '$mnt/sys'"
# mount /dev/pts ? apt install complain about its absence
}
if [ -z "$hostname" ] ; then
die "Hostname arg needed"
fi
root_or_die
section "Testing for existing secrets"
if ! [ -d "$secret_dir" ] ; then
run mkdir -p "$secret_dir"
run chown -R root:root "$secret_dir"
run chmod 700 "$secret_dir"
fi
section "debootstraping"
# Debootstrap may fail when the target is an existing system
#if [ -n "$(ls -A $mnt)" ]; then
# die "Root dir '$mnt' is not empty. Wont debootstrap it."
#fi
run debootstrap --verbose --arch "$arch" "$release" "$mnt" "$repo"
section "Mounting additionnal items"
mount_misc
section "Installing selected software"
#XXX use chroot_run
chroot "$mnt" <<EOF
export DEBIAN_FRONTEND=noninteractive
apt-get update -q -y
apt-get install -q -y linux-image-amd64 console-data grub2 locales $install
EOF
# TODO watershed ?
section "Configuring new system"
uuid=$(blkid | grep "$root_device" | cut -d ' ' -f 2)
line_in_file "$uuid / ext4 errors=remount-ro 0 1" "$mnt/etc/fstab"
line_in_file "proc /proc proc defaults" "$mnt/etc/fstab"
# TODO set noauto to /boot if needed
# Set hostname
run echo "$hostname" > "$mnt/etc/hostname"
# Fix path and remove noisy beep
run cat > "$mnt/root/.bashrc" <<EOF
PATH=$PATH:/usr/bin:/bin:/sbin:/usr/sbin:/sbin
/usr/bin/setterm -blength 0
xset b off
EOF
# Be sure this fucking beep is gone
echo 'set bell-style none' >> "$mnt/etc/inputrc"
# TODO find a third method to kill this doomed beep
# boot crypted
#section "Installing cryptsetup in initramfs"
#run echo 'CRYPTSETUP=y' >> /etc/cryptsetup-initramfs/conf-hook
#run cp key "$mnt/root/"
#run echo 'FILES="/root/key"' >> /etc/initramfs-tools/initramfs.conf
#run update-initramfs -ut
#echo "$mnt/etc/initramfs-tools/conf.d/cryptsetup" <<EOF
## This will setup non-us keyboards in early userspace,
## necessary for punching in passphrases.
#KEYMAP=y
#
## force busybox and cryptsetup on initramfs
#BUSYBOX=y
#CRYPTSETUP=y
#
## and for systems using plymouth instead, use the new option
#FRAMEBUFFER=y
#EOF
#echo 'export CRYPTSETUP=y' >> "$mnt/etc/environment"
#echo 'export FILES="./key"' >> "$mnt/etc/initramfs-tools/initramfs.conf"
#chroot_run 'update-initramfs -ut'
section "Set up networking"
# Disable the unpredictable naming (since we are not on the future host)
run ln -s /dev/null "$mnt/etc/udev/rules.d/80-net-setup-link.rules"
run cat >> "$mnt/etc/network/interfaces" <<EOF
auto enp1s0
allow-hotplug enp1s0
iface enp1s0 inet dhcp
iface enp1s0 inet6 dhcp
auto enp2s0
allow-hotplug enp2s0
iface enp2s0 inet dhcp
iface enp2s0 inet6 dhcp
auto eth0
allow-hotplug eth0
iface eth0 inet dhcp
iface eth0 inet6 dhcp
auto eth1
allow-hotplug eth1
iface eth1 inet dhcp
iface eth1 inet6 dhcp
EOF
# TODO add dyndn service
section "Creating root SSH key to connect"
if [ -n "$(ls -A $secret_dir)" ]; then
#die "Secret dir '$secret_dir' is not empty"
yell "Secret dir is not empty. Wont save ssh key."
else
run export HOSTNAME="$hostname" && ssh-keygen -b 4096 -f "$secret_dir/id_rsa" -P ''
run mkdir -p "$mnt/root/.ssh/"
cat "$secret_dir/id_rsa.pub" >> "$mnt/root/.ssh/authorized_keys"
fi
section "Generating locales"
chroot_run echo -e "$locale" > "/etc/locale.gen"
chroot_run locale-gen
section "Installing grub"
# Disable predictable name (again)
run sed -i 's/GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"/g' "$mnt/etc/default/grub"
chroot_run update-grub
chroot_run grub-install "$boot_device"
if [ "$arg_test" != "false" ] ; then
section "Testing installed system"
run qemu-system-x86_64 -m 1024M "$boot_device"
fi
echo "To test the system with qemu type:"
echo "qemu-system-x86_64 -m 1024M '$boot_device'"
clean
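Review bot: Option `-R` is a copy of `-b`: `varia[R]=boot_device` / `boot_device=` means `root_device`, read at `uuid=$(blkid | grep "$root_device" | cut -d ' ' -f 2)`, is never assigned, `grep ""` matches every blkid line, and the fstab root entry gets whatever the first line yields (while `-R` silently overwrites the grub device). Change the two lines to `varia[R]=root_device` and `root_device=` and guard it next to the hostname check, `[ -n "$root_device" ] || die "Root device arg needed"`. Separately, in `chroot_run echo -e "$locale" > "/etc/locale.gen"` the redirection is performed by the host shell, so the host's own /etc/locale.gen is overwritten and the chroot's is left untouched; write to `"$mnt/etc/locale.gen"` directly with `run`, or pass the whole command string to `chroot_run`. `$arg_test` at the qemu check is never assigned in this file, so the test branch always runs.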

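--- a/provisioning/TODO
+++ b/provisioning/TODO
@@ -0,0 +1,3 @@
+add to /etc/sysctl.conf :
+fs.file-max = 4096
+net.ipv4.ip_forward = 1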


@ -0,0 +1,113 @@
# Default registry
#
bootstrap_user: root
# For jean-cloud docker services
new_nginx_conf_path: '/data/proxy/new-sites-enabled'
new_blackbox_hosts_path: '/data/prometheus/new-blackbox-targets.yml'
blackbox_hosts_path: '/data/prometheus/blackbox-targets.yml'
remote_docker_login_registry: registry.jean-cloud.net
# sudo configuration
# using geerlingguy security
# https://galaxy.ansible.com/grog/sudo
#sudo_default_sudoers: yes
#sudo_list:
# - name: tits
# sudo:
# hosts: ALL
# as: ALL:ALL
# commands: ALL
# nopasswd: yes
# Security geerlingguy
security_ssh_port: 45985
# IMPORTANT following values should be quoted. You can lock yourself out.
security_ssh_password_authentication: "no"
security_ssh_permit_root_login: "yes"
security_ssh_usedns: "no"
security_ssh_permit_empty_password: "no"
security_ssh_challenge_response_auth: "no"
security_ssh_gss_api_authentication: "no"
security_ssh_x11_forwarding: "no"
# Auto upgrades
security_autoupdate_enabled: true
# f2b
security_fail2ban_enabled: false
#locales
locales_default:
lang: en_US.UTF-8
lc_all: en_US.UTF-8
# For unattended upgrade configuration
unattended_upgrades_mail: contact@jean-cloud.org
# For ssh security
# https://galaxy.ansible.com/dev-sec/ssh-hardening
#network_ipv6_enable: true
#ssh_server_ports: ['45985']
#ssh_permit_root_login: no # TODO uncommenting that makes it bug
# Fail2ban
# https://galaxy.ansible.com/oefenweb/fail2ban
#fail2ban_filterd_path: ./fail2ban/etc/fail2ban/filter.d/
#fail2ban_actiond_path: ./fail2ban/etc/fail2ban/action.d/
#fail2ban_jaild_path: ./fail2ban/etc/fail2ban/jail.d/
#fail2ban_services:
# # In older versions of Fail2Ban this is called ssh
# - name: sshd
# port: 45985
# maxretry: 3
# bantime: -1
# # - name: wplogin
# # port: http,https
# # filter: wplogin
# # logpath: /var/lib/docker/containers/*/*-json.log
# # banaction: docker-action
# # maxretry: 5
# # findtime: 120
# # bantime: 86400
#
# https://galaxy.ansible.com/robertdebock/fail2ban
# For Firewall
# https://galaxy.ansible.com/geerlingguy/firewall
firewall_state: started
firewall_enabled_at_boot: true
firewall_log_dropped_packets: true
firewall_allowed_tcp_ports:
- "45985"
- "22529"
- "80"
- "443"
- "53"
- "5000"
firewall_allowed_udp_ports:
- "53"
# For rootkit protection
# https://galaxy.ansible.com/mablanco/antirootkits
antirootkits_mail_from: contact@jean-cloud.org
antirootkits_mail_to: contact@jean-cloud.org
antirootkits_log_expire: 90
# TODO wtf is /home/docker ?
shelldetector_scan_directory: /home/docker # Il va trouver trop de merde non ?
shelldetector_cron_hour: '4'
shelldetector_cron_minute: '00'
# Timezone
# https://galaxy.ansible.com/oefenweb/timezone
timezone_zone: Europe/Paris
# NTP
# https://galaxy.ansible.com/geerlingguy/ntp
ntp_timezone: Europe/Paris
ntp_daemon: ntp
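Review bot: `security_ssh_permit_root_login: "yes"` is broader than the setup needs — the installer in this commit only places a root key in authorized_keys and `security_ssh_password_authentication: "no"` is already set — so sshd's key-only value expresses the intent and still holds if password authentication is later re-enabled: `security_ssh_permit_root_login: "prohibit-password"`. `firewall_allowed_tcp_ports` opens `"22529"` and `"5000"` without a comment saying what listens there, and since the firewall role is commented out in playbook.yml in this commit the whole list is currently inert; a note to that effect would help the next reader. With `security_fail2ban_enabled: false`, SSH on 45985 accepts unlimited authentication attempts — acceptable for key-only access, but worth a comment recording the decision.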

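--- a/provisioning/install.sh
+++ b/provisioning/install.sh
@@ -0,0 +1 @@
+ansible-galaxy install -r requirements.yml --force-with-deps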


@ -0,0 +1,8 @@
[servers]
#vandamme.jean-cloud.net
#nougaro.jean-cloud.net
tetede.jean-cloud.net
#carcasse.jean-cloud.net
#benevoles.karnaval.fr
montbonnot.jean-cloud.net
max.jean-cloud.net

provisioning/playbook.yml Executable file

@ -0,0 +1,100 @@
- name: server
hosts: servers
become: yes
gather_facts: no
roles:
# Ansible prerequisites
- schuerg.prerequisites
- name: server
hosts: servers
become: yes
#gather_facts: no
roles:
# Ansible prerequisites
#- robertdebock.bootstrap
# EPEL for centos
#- geerlingguy.repo-epel
#NTP is important for curl and apt
# - ericsysmin.system.ntp
- jean-cloud-common
# Users
#- sysadmins
# Locales
# TODO set locales date and currency
#- alvistack.locales
- oefenweb.locales
# Sys update. Playbook bien fait.
- robertdebock.update
# Manage sudoers
#- GROG.sudo
# Unattended upgrades
#- jnv.unattended-upgrades
#- thorian93.unattended_upgrade
#- racqspace.unattended_upgrades
# ssh security
# using geerlingguy security
#- dev-sec.ssh-hardening
- geerlingguy.security
# fail2ban
#- oefenweb.fail2ban
#- robertdebock.fail2ban
# firewall conf
# TODO it destroy the DOCKER rules…
#- geerlingguy.firewall
# Rootkit protection
#- mablanco.antirootkits
# antivirus
#- geerlingguy.clamav
# docker
- geerlingguy.docker
# timezone
- oefenweb.timezone
# ntp
#- geerlingguy.ntp
# docker metrics proxy
#- docker-metrics-proxy
# logrotate
# - ontic/logrotate
# apparmor ?
# - manala.apparmor
# autofs
# - cmprescott.autofs_ng
# smart TODO
#- stuvusit/smartd
# graylog Nope, too heavy…
# TODO lininfile for prometheus
# 127.0.1.1 docker-host
##- deploy_all
- name: shlago
hosts: shlago
become: yes
gather_facts: no
roles:
- ordiportables
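Review bot: The first two plays are both `- name: server`, so `--list-tasks`, `--start-at-task` and the run output cannot distinguish the prerequisites pass from the main pass; name the first for what it does, e.g. `- name: server prerequisites`. With `#- geerlingguy.firewall` disabled (the TODO about Docker's iptables rules), none of the `firewall_*` variables in this commit's group vars take effect and ports published by docker are reachable without host filtering; a comment next to the disabled role stating that the host firewall is currently unmanaged would stop a reader from assuming the allow-list is enforced.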

provisioning/readme.md Normal file

@ -0,0 +1,28 @@
# Provisioning
## Installer les dépendances pour les playbooks
Il faut avoir installé ansible-playbook et ansible-galaxy. Puis faire ./install.sh
-> Ce fichier contient trop de trucs, il faudrait le mettre à jour…
## Configurer un serveur
Vérifier que le serveur est bien décommenté dans `inventory.ini`
```
ansible-playbook -i inventory.ini playbook.yml
```
## Déployer des services sur un serveur
Envoyer les fichiers de conf sur le serveur.
```
ansible-playbook -i inventory.ini services.yml
```
Déployer les services : (ssh sur le serveur)
```
/docker/_deployer/main.sh
```
## Déployer des services (ancienne méthode)
Cette méthode ne fonctionne pas avec le nouveau script de déploiement.
```
ansible-playbook -i inventory.ini services_vandamme.yml
```

provisioning/requirements.yml Executable file

@ -0,0 +1,48 @@
# Bootstrap
- src: robertdebock.bootstrap
# Locales
- src: robertdebock.locale
# System update
- src: robertdebock.update
# Manage users
- src: GROG.user
# Manage sudoers
- src: GROG.sudo
# Manage authorized-keys
- src: GROG.authorized-key
# Unattended upgrades
- src: jnv.unattended-upgrades
# ssh security
- src: dev-sec.ssh-hardening
# fail2ban
- src: oefenweb.fail2ban
# firewall conf
# TODO it destroy the DOCKER rules…
#- src: geerlingguy.firewall
# Rootkit protection
- src: mablanco.antirootkits
# antivirus
- src: geerlingguy.clamav
# docker
- src: geerlingguy.docker
# timezone
- src: oefenweb.timezone
# hostname
- src: oefenweb.hostname
# ntp
- src: geerlingguy.ntp
# logrotate
# - src: ontic/logrotate
# apparmor ?
# - src: manala.apparmor
# autofs
# - src: cmprescott.autofs_ng
# smart TODO
#- src: stuvusit/smartd
# graylog Nope, too heavy…
# TODO lininfile for prometheus
# 127.0.1.1 docker-host
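Review bot: None of the roles carry a `version:` pin, and install.sh fetches them with `--force-with-deps`, so every run pulls whatever Galaxy currently serves for each role; these roles run with `become: yes` on every server, so a changed or compromised upstream release lands directly as root. Pin each entry, e.g. `- src: geerlingguy.security` followed by `  version: "<PINNED_TAG>"` (placeholder), and bump deliberately. The list is also out of step with playbook.yml in this commit: `schuerg.prerequisites`, `oefenweb.locales` and `geerlingguy.security` are used there but absent here, so `./install.sh` does not install them, while `robertdebock.locale`, `GROG.user` and `GROG.authorized-key` are installed but not referenced.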


@ -0,0 +1,155 @@
#!/bin/bash
driglibash_run_retry=true
. driglibash-base
set -euo pipefail
###############################################################################
# Variables
###############################################################################
proxy_dir="/etc/nginx"
nginx_conf_path="$proxy_dir/sites-enabled"
new_nginx_conf_path="$proxy_dir/new-sites-enabled"
certs_path="/etc/letsencrypt/live"
dummy_cert_path="$certs_path/dummy"
###############################################################################
# Helpers
###############################################################################
# Returns the public IP4 address of a domain name
function ipof {
resolv.sh "$1"
}
# Path to this directory
here="$(where 'follow_links')"
# Ip4 address
my_ip="$(ipof "$(cat /etc/hostname)")"
[ -z "$my_ip" ] && yell "Unable to find my IP" && exit 1
###############################################################################
# Nginx preparation
###############################################################################
driglibash_section_prefix="[Prepare nginx] "
section "Delete new conf directory (to recover)"
run rm -rf "$new_nginx_conf_path"
section "Create new conf file (for tests purposes)"
sed "s#$nginx_conf_path#$new_nginx_conf_path#" "/docker/_proxy/nginx.conf" > "$proxy_dir/new_nginx.conf"
section "Create proxy dir"
run mkdir -p "$proxy_dir" /docker /data
run chown root:root /docker
run chown root:root /data
run chmod 755 /docker
run chmod 755 /data
section "Check dummy cert exists "
#TODO check if expired
if [ ! -f "$dummy_cert_path/privkey.pem" ] ; then
echo "Dummy cert generation"
run mkdir -p "$dummy_cert_path"
run openssl req -x509 -newkey rsa:2048 -keyout /etc/letsencrypt/live/dummy/privkey.pem -out /etc/letsencrypt/live/dummy/fullchain.pem -days 365 -nodes -subj "/C=FR/ST=France/O=IT/CN=jean-cloud.net"
fi
section "Create new conf directory"
run mkdir -p "$new_nginx_conf_path"
###############################################################################
# Deploy services
###############################################################################
for dir in /docker/* ; do
service="$(basename "$dir")"
# Ignore _ prefixed directories
[ "${service::1}" == '_' ] && continue
docker_service="$(echo "$service" | tr '.' '_')"
driglibash_section_prefix="[$service] "
cd "/docker/$service"
# Is service meant to be on this server?
ip="$(ipof "$service")"
[ -z "$ip" ] && yell "No IP found for $service" && continue
if [ "$ip" != "$my_ip" ] ; then
if [ -n "$(docker ps | grep "$docker_service")" ] ; then
section "--------------------"
section "Removing service"
docker-compose down --rmi all --remove-orphans
fi
continue
fi
# If there is a docker-compose file and it has services in it
if [ -f "/docker/$service/docker-compose.yml" ] && [ -n "$(grep '^[^#]*services' "/docker/$service/docker-compose.yml")" ] ; then
section "-------------------- $service"
section "Logging to registry"
# XXX Login to docker registry
section "Pulling images"
run docker-compose pull
section "Starting service"
run docker-compose up -d --remove-orphans
fi
# If there is a nginx conf file
if [ -f "/docker/$service/nginx_server.conf" ] ; then
section "Copy nginx conf"
run cp "/docker/$service/nginx_server.conf" "$new_nginx_conf_path/$service"
if [ -f "/docker/$service/.env" ] ; then
section "Template nginx conf with vars from '.env' file"
run template.sh "/docker/$service/.env" < "/docker/$service/nginx_server.conf" > "$new_nginx_conf_path/$service"
fi
fi
# Do we need dummy cert?
if [ ! -e "$certs_path/$service/fullchain.pem" ] ; then
section "Create cert dir"
run mkdir -p "$certs_path/$service"
section "Link dummy to cert"
run ln -s "$dummy_cert_path/fullchain.pem" "$certs_path/$service"
run ln -s "$dummy_cert_path/privkey.pem" "$certs_path/$service"
fi
section "Testing nginx conf"
run nginx -t -c /etc/nginx/new_nginx.conf
done
###############################################################################
# Nginx restart
###############################################################################
driglibash_section_prefix="[Restart nginx] "
section "Test if nginx conf is ok"
run nginx -t -c "$proxy_dir/new_nginx.conf"
section "Update nginx conf"
run rm -rf "$nginx_conf_path"
run mv "$new_nginx_conf_path" "$nginx_conf_path"
run cp "/docker/_proxy/nginx.conf" "$proxy_dir/nginx.conf"
section "Test nginx conf to be sure"
run nginx -t
if [ -z "$(cat /var/run/nginx.pid)" ] ; then
section "Start nginx"
run nginx
else
section "Reload nginx"
run nginx -s reload
fi
clean
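Review bot: `run rm -rf "$nginx_conf_path"` followed by `run mv "$new_nginx_conf_path" "$nginx_conf_path"` leaves nginx with no site configuration if the `mv` fails, and `run` then blocks on its interactive prompt with the old configuration already gone; swapping keeps a fallback: `run mv "$nginx_conf_path" "$nginx_conf_path.prev"`, `run mv "$new_nginx_conf_path" "$nginx_conf_path"`, `run rm -rf "$nginx_conf_path.prev"`. The running-service test `[ -n "$(docker ps | grep "$docker_service")" ]` is a substring match over the whole `docker ps` output, so a service `foo` counts as running whenever `foo_bar` is; `[ -n "$(docker-compose ps -q)" ]`, issued from the service directory the loop has already entered, asks compose about this project only. The in-loop `run nginx -t -c /etc/nginx/new_nginx.conf` hard-codes the path that the restart section spells `"$proxy_dir/new_nginx.conf"`; use the variable in both places.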


@ -0,0 +1,90 @@
#!/bin/bash
###############################################################################
# https://github.com/adrianamaglio/driglibash-arg
###############################################################################
# Usage :
#
# version="alpha nightly 0.0.1 pre-release unstable"
# summary="$0 [options] <device>"
#
# usage[t]="Start qemu after the installation"
# varia[t]=tst
# tst=false
#
# usage[i]="Install the provided package. Not implemented"
# varia[i]=install
# declare -a install
#
# usage[k]="Keep the temporar mountpoints"
# varia[k]=keep
# keep=false
#
# usage[e]="bash command file to execute in the chroot. - to read from stdin"
# varia[e]=execute
# declare -a execute
. driglibash-base
#TODO keep order usage options
# Print usage and exit in error
usage() {
yell "Version: $version"
yell "Usage: $summary"
yell "Parameters:"
yell " -h print this help, version and exit."
for key in "${!usage[@]}" ; do
if [ "$(driglibash_arg_type "$key")" == "single_value" ] ; then
name="${varia[$key]}"
default=" (default : ${!name})"
else
default=
fi
yell " -$key ${usage[$key]}$default"
done
exit 0
}
# Guess the variable type
# Boolean, list or string
driglibash_arg_type() {
if [ $# -ne 1 ] ; then
die "Bad driglibash_arg_type usage";
fi
name="${varia[$1]}"
if [ "$name" == "" ] ; then die "Variable name is empty for key $1" ; fi
if [ "${!name}" == "false" ] ; then
echo "boolean"
elif [ -n "$( declare -p "$name" 2>/dev/null | grep 'declare \-a')" ] ; then
echo "array"
else
echo "single_value"
fi
}
# Generate getopts string #
getopts_string=":h"
for key in ${!usage[@]} ; do
needs_parameter=
if [ "$(driglibash_arg_type "$key")" != "boolean" ] ; then needs_parameter=":" ; fi
getopts_string="$getopts_string$key$needs_parameter"
done
# Loop throught options #
while getopts "$getopts_string" opt; do
case $opt in
h) usage;;
:) die "Option -$OPTARG requires an argument.";;
\?) die "Invalid option: -$OPTARG";;
*)
name="${varia[$opt]}"
if [ "${!name}" == "false" ] ; then eval $name=true
elif [ -n "$( declare -p "$name" 2>/dev/null | grep 'declare \-a')" ] ; then safe="${!name} $OPTARG" ; eval $name=\$safe
else eval $name=\$OPTARG
fi;;
esac
done ; shift $((OPTIND-1))
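Review bot: `driglibash_arg_type` is only ever invoked inside `$(...)`, so its `die` calls exit the subshell, not the script: a key with no `varia` entry yields an empty type, `usage` falls into the `default=` branch, the getopts string builder sets `needs_parameter=":"` for it, and the script carries on with the misconfiguration unreported. Validate up front instead, before the getopts string is built: `for key in "${!usage[@]}" ; do [ -n "${varia[$key]}" ] || die "varia[$key] is not set" ; done`. The array branch `safe="${!name} $OPTARG" ; eval $name=\$safe` also assigns one space-joined string to element 0 of a `declare -a` variable, so repeating `-e a -e b` does not produce two elements and a value containing spaces cannot be recovered; `eval "$name+=(\"\$OPTARG\")"` appends a real element. `usage()` exits 0 while its comment says "exit in error" — pick one and make the comment match.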


@ -0,0 +1,179 @@
###############################################################################
# Driglibash pack 1
# Usual helper functions for bash scripts
# https://github.com/adrianamaglio/driglibash
###############################################################################
# Set to true to make a pause at each step
driglibash_step_by_step=false
# Set to watever you want to have a prefix
driglibash_section_prefix=""
trap 'die "Received sigint"' INT
# Output on standard error output
yell() {
echo >&2 -e "$@"
}
# Output first parameter, second parameter times
repeat() {
printf "$1"'%.s' $(eval "echo {1.."$(($2))"}")
}
# Output a "section title" to visually separate different script part
# TODO local variables
# TODO fixed place left aligned
section(){
text="$driglibash_section_prefix$1"
if [ -n "$text" ] ; then
len="${#text}"
max_len="$(($(tput cols)-2))"
if [ "$len" -ge "$max_len" ] ; then
right=5
left=5
else
left="$((($max_len - $len)/2))"
right="$left"
fi
else
left=80
right=0
fi
# If the character number was rounded down
if [ "$(($left + $right + $len +1 ))" -eq "$max_len" ] ; then
left="$(($left+ 1))"
fi
repeat '=' "$left"
if [ "$right" -ge 1 ] ; then
echo -n " $text "
repeat '=' "$right"
echo
fi
if "$driglibash_step_by_step" ; then
echo "Press enter to proceed"
read
fi
}
alias step=section
# Print an error, clean and exit
die() {
yell "$@"
clean
exit 1
}
# Exit on error if not root
root_or_die() {
if [ "$UID" -ne 0 ] ; then
die "You need to be root"
fi
}
# Execute a command and die if it returns with error #
run() {
while true ; do
"$@"
code=$?
if [ "$code" -ne 0 ] ; then
yell "command [$*] failed with exit code '$code'"
if [ -n "$driglibash_run_retry" ] ; then
echo "Retry ? Retry (y), skip the command (s) or exit script(n) [Y/s/n] ?"
read answer
if [ "$answer" = "y" ] || [ "$answer" = "Y" ] || [ -z "$answer" ] ; then
continue
elif [ "$answer" = "s" ] || [ "$answer" = "S" ] ; then
return "$code"
fi
fi
die "Aborting"
else
break
fi
done
}
# Execute a commad in background and return its pid
start(){
"$@" &
pid=$!
clean pre "kill $pid"
return $pid
}
# Clean exit #
# Record command lines passed as argument and execute them all when called without args #
# One argument = One command #
# TODO append or prepend according to arg
declare -a driglibash_clean_actions
clean() {
if [ "$#" -eq 0 ] ; then
echo "Cleaning"
for action in "${driglibash_clean_actions[@]}" ; do
echo "driglibash_clean> $action"
$action
done
elif [ "$#" -eq 1 ] ; then
driglibash_clean_actions+=("$1")
elif [ "$#" -eq 2 ] ; then
case "$1" in
"pre")
declare -a tmp
tmp=("${driglibash_clean_actions[@]}")
driglibash_clean_actions=("$2")
driglibash_clean_actions+=("${tmp[@]}")
;;
"post")
driglibash_clean_actions+=("$2")
;;
"del")
for i in "${!driglibash_clean_actions[@]}" ; do
if [ "$2" = "${driglibash_clean_actions[$i]}" ] ; then
unset driglibash_clean_actions[$i]
break
fi
done
;;
*)
die "driglibash_clean: action '$1' not supported"
esac
else
die "driglibash_clean : Bad clean usage, receveid more than two args"
fi
}
# tells where your executable is (absolute path). Follow simlinks if any argument provided
where() {
if [ -z "$1" ] ; then
echo "$( cd -P "$( dirname "$1" )" && pwd )"
else
SOURCE="$0"
while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
SOURCE="$(readlink "$SOURCE")"
[[ $SOURCE != /* ]] && SOURCE="$DIR/$SOURCE" # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
done
DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
echo $DIR
fi
}
# Add the line $1 in file $2 if not present
line_in_file() {
if [ "$#" -ne 2 ] ; then die "Bad usage of 'line_in_file'. Got '$#' parameters : '$@'" ; fi
if [ -z "$1" ] ; then die "Line arg is emtpy in 'line_in_file'" ; fi
line="$1"
if [ -z "$2" ] ; then die "File arg is emtpy in 'line_in_file'" ; fi
file="$2"
if [ ! -f "$file" ] ; then run touch "$file" ; fi
grep -q -x -F "$line" "$file" || echo "$line" >> "$file"
}
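Review bot: `clean` runs each recorded action with bare word splitting (`$action`), but callers record them as shell fragments with embedded quoting — the installer's `clean "umount '$mnt/proc'"` becomes `umount` plus the literal argument `'temporary_mount_point/proc'`, quotes included, so the unmount fails and the bind mounts stay behind after the script ends; either execute the recorded text as shell, `eval "$action"`, or state in the comment above `clean` that an action is a plain argv with no quoting and fix the callers. In `where`, the no-argument branch uses `dirname "$1"` with `$1` empty, which resolves to the current directory rather than the script's location; it should read `dirname "$0"` like the symlink-following branch. `start` uses `return $pid`, but return values are truncated to 0–255, so the pid cannot be recovered that way and `$?` reads as failure; store it in a variable (`driglibash_last_pid="$pid"`) instead — capturing with `$(...)` would not work either, since the background child keeps stdout open.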


@ -0,0 +1,105 @@
#!/bin/bash
# This script will run on new cert and on cron renew
# there is one cert by service
# TODO make it an ansible script
# No
# Les arguments du pauvre
if [ "$#" -eq 1 ] && [ "$1" = '-v' ] ; then
verbose=true
else
verbose=false
fi
# Variable
acmeroot=/var/www/letsencrypt
# Création du répertoire
mkdir -p "$acmeroot"
# With trailing slash or it will be a prefix selector
#nginx_sites_dir="/etc/nginx/sites-enabled/"
nginx_sites_dir="/etc/nginx/sites-enabled/"
for file in "$nginx_sites_dir"* ; do
if $verbose ; then
echo '-------------------------'
echo "$file"
fi
service_name="$(basename "$file")"
# Getting just the domain names
domains="$(grep '^[[:blank:]]*[^#][[:blank:]]*server_name' "$file" | sed 's/ _ / /g' | sed 's/server_name//g' | sed 's/default_server//g' | sed -e 's/^[[:space:]]*//' | cut -d ';' -f 1)"
if [ -n "$domains" ] ; then
# If using dummy cert, disabling it
if [ "$(readlink "/etc/letsencrypt/live/$service_name/fullchain.pem")" = "/etc/letsencrypt/live/dummy/fullchain.pem" ] ; then
rm -r "/etc/letsencrypt/live/$service_name"
fi
# removing duplicates
domains="$(echo $domains | awk '{for (i=1;i<=NF;i++) if (!a[$i]++) printf("%s%s",$i,FS)}{printf("\n")}')"
echo "$domains"
# adding -d before every domain
domains="-d $(echo $domains | sed 's/ / -d /g')"
# Run certbot
command="certbot certonly -n --expand --agree-tos --webroot -w "$acmeroot" --email contact@jean-cloud.org --cert-name "$(basename $file)" $domains"
if $verbose ; then
echo $command
fi
out="$($command 2>&1)"
result="$?"
if [ "$result" -eq 0 ] && [[ "$out" = *"Certificate not yet due for renewal; no action taken."* ]]; then
echo "Cert still valid"
elif [ "$result" -eq 0 ] ; then
echo "Cert renewed or obtained"
#new_cert="$(echo "$out" | grep -oE '/etc/letsencrypt/live/.*/fullchain.pem')"
#echo "'$new_cert'"
#new_cert_dir="$(dirname "$out")"
#echo "'$new_cert_dir'"
#if [ -d "$new_cert_dir" ] ; then
# echo "New cert dir : '$new_cert_dir'"
# echo "cp '$new_cert_dir/*' '/data/proxy/certs/'"
#else
# echo "Error parsiong dir name"
#fi
elif [ "$result" -eq 1 ] ; then
echo "Cert failed"
echo " ------------------------------------------"
echo "$out"
echo " ------------------------------------------"
else
echo "Unknown error : $result.\n$out"
fi
fi
done
ls /etc/letsencrypt/live/*000* &> /dev/null
if [ "$?" -eq 0 ] ; then
echo " ---------------------------------------------------------------------------------------------"
echo "Bad certs detected in letsencrypt dir. Nginx conf wont work…"
echo "rm -r /etc/letsencrypt/live/*000* /etc/letsencrypt/archive/*000* /etc/letsencrypt/renewal/*000*"
echo " ---------------------------------------------------------------------------------------------"
fi
nginx -t
code="$?"
if [ "$code" -ne 0 ] ; then
echo "Nginx test error, cant reloat it"
exit 1
fi
nginx -s reload
code="$?"
if [ "$code" -ne 0 ] ; then
echo "Nginx reload error, GENERAL ALEEEEEEEEERT!!!!!"
exit 1
fi
echo "Done. No error detected."
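Review bot: A failed renewal (`echo "Cert failed"` branch) does not change the script's outcome: the loop carries on, nginx is reloaded, and the run ends with `echo "Done. No error detected."` and exit status 0, so a cron caller never learns that a domain is still on the dummy or an expired certificate. Keep a flag, e.g. `failed=1` in the `-eq 1` and `else` branches, and finish with `[ -z "${failed:-}" ] || { echo "Some certificates failed" >&2 ; exit 1 ; }`. The `else` branch's `echo "Unknown error : $result.\n$out"` prints a literal `\n`; use `printf '%s\n%s\n' "Unknown error : $result." "$out"`. The domain list is assembled from `server_name` tokens and passed unquoted in `$domains`, so every whitespace-separated token in those directives becomes a certbot argument; checking each token looks like a hostname before the call keeps an odd directive from turning into an option.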


@ -0,0 +1,2 @@
#!/bin/sh
docker inspect -f $'{{.Name}}\t{{.GraphDriver.Data.MergedDir}}' $(docker ps -aq)
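Review bot: `$'{{.Name}}\t{{.GraphDriver.Data.MergedDir}}'` is ANSI-C quoting, a bash/ksh extension that `#!/bin/sh` does not guarantee — a POSIX sh leaves the `$` and `\t` literal and the format string breaks; change the shebang to `#!/bin/bash` or put a literal tab in the string. `$(docker ps -aq)` is also unquoted and, with no containers present, leaves `docker inspect` without an argument and an error; `ids=$(docker ps -aq); [ -n "$ids" ] || exit 0` keeps the output empty instead.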


@ -0,0 +1,61 @@
#!/bin/bash
set -euo pipefail
########################### Helpers ###########################################
function yell {
echo "$@" >&2
}
function die {
yell "$@"
exit 1
}
function say {
if "$verbose" ; then
yell "$@"
fi
}
########################### Options ###########################################
verbose=false
if [ "$1" = '-v' ] ; then
verbose=true
shift
fi
########################### arguments ##########################################
if [ "$#" -ne 1 ] ; then
die "Usage: $0 [options] <domain_name>
options : -v verbose"
fi
name="$1"
########################### script ############################################
while true ; do
if "$verbose" ; then
say "Querying $name"
fi
while read line ; do
if [[ "$line" = *"is an alias for "* ]] ; then
name="$(echo "$line" | cut -d ' ' -f 6)"
break
elif [[ "$line" = *" has address "* ]] ; then
echo "$line" | cut -d ' ' -f 4
exit 0
elif [[ "$line" = *" not found: "* ]] ; then
exit 0
elif [[ "$line" = *" has no A record" ]] ; then
exit 0
else
say "unmatched: $line"
fi
done <<< "$(host -W 2 -t A "$name" localhost)"
done
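Review bot: With `set -u` in force, `[ "$1" = '-v' ]` aborts with an unbound-variable error when the script is called without arguments, so the usage text in the `die` below is never reached; test `"${1:-}"` instead. The outer `while true` also has no exit when none of the patterns match — when `host` only prints a timeout or error message every line falls into `say "unmatched: …"`, the inner loop ends, and the same query is re-issued forever; a CNAME chain that cycles loops the same way. Record whether `name` changed during the pass and bound the hops, e.g. `hops=$((hops+1)) ; [ "$hops" -le 10 ] || exit 0`, leaving the loop with empty output the way the `not found` branch does so the deployer's `ipof` caller keeps its current behaviour.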


@ -0,0 +1,8 @@
#!/bin/bash
if [ "$#" -ne 1 ] ; then
echo "Usage: $0 <env_file>" >&2
echo "This script read env_file variables and replace theire occurences in stdin" >&2
exit 1
fi
bash -c 'set -a && . '"$1"' && envsubst "$(cat '"$1"' | grep -o ^.*= | sed "s/=//" | sed "s/^/$/")"'
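Review bot: `. '"$1"'` sources the service's `.env` file, so anything written in it is executed as shell by the caller (the deployer runs this as root) rather than read as KEY=VALUE data, and `$1` is spliced unquoted into the `bash -c` string, so a path with spaces or shell metacharacters is re-parsed as code. Reading the file line by line, checking that each key is a valid identifier and exporting the pair avoids both, and the envsubst variable list can be built in the same loop. The loop below does not strip quotes around values, which sourcing would have done for `KEY="value"` lines — check the existing `.env` files before switching.
```shell
# … unchanged: argument check …
# Read KEY=VALUE pairs instead of sourcing the file, so nothing in it is executed.
vars=""
while IFS= read -r line || [ -n "$line" ]; do
  case "$line" in
    ''|'#'*) continue ;;
  esac
  key="${line%%=*}"
  value="${line#*=}"
  if ! [[ "$key" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] ; then
    echo "Skipping malformed line in $1: $line" >&2
    continue
  fi
  export "$key=$value"
  vars="$vars \$$key"
done < "$1"
envsubst "$vars"
```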


@ -0,0 +1,22 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.dahus.net. (
2023041900 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL (min before refresh)
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.he.net.
@ IN NS ns3.he.net.
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
@ IN A 51.255.33.248
@ IN MX 10 mail.amaglio.fr.
mail IN A 91.216.107.37
imap IN CNAME mail.amaglio.fr.
pop IN CNAME mail.amaglio.fr.
smtp IN CNAME mail.amaglio.fr.
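Review bot: The zone publishes `@ IN MX 10 mail.amaglio.fr.` but no SPF TXT record appears in the hunk (and no `_dmarc` entry), so receivers have no policy to reject mail forged from this domain. If the domain sends mail, add an SPF record naming the permitted senders; if it never sends, `@ IN TXT "v=spf1 -all"` says so explicitly. A CAA record as in the other zones of this commit (`IN CAA 0 issue "letsencrypt.org"`) would also limit which CAs may issue for it.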


@ -0,0 +1,30 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2020031104 ; Serial
7200 ; Refresh
7200 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL
; NS
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.he.net.
@ IN NS ns3.he.net.
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
@ IN A 51.255.33.248
@ 10800 IN MX 10 spool.mail.gandi.net.
@ 10800 IN MX 50 fb.mail.gandi.net.
@ 10800 IN TXT "v=spf1 include:_mailcust.gandi.net ?all"
collectif-arthadie.fr. IN CAA 0 issue "letsencrypt.org"
collectif-arthadie.fr. IN CAA 0 issuewild ";"
wordpress IN CNAME vandamme.jean-cloud.net.
www.wordpress IN CNAME vandamme.jean-cloud.net.
www IN CNAME vandamme.jean-cloud.net.
www.wordpress.collectif-arthadie.fr IN CAA 0 issue "letsencrypt.org"
www.wordpress.collectif-arthadie.fr IN CAA 0 issuewild ";"
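Review bot: `"v=spf1 include:_mailcust.gandi.net ?all"` ends in `?all` (neutral), which tells receivers to treat mail from any other source as if no SPF record existed, so the policy gives no protection against spoofing. Once the Gandi include is confirmed to cover every legitimate sender, `~all` (softfail) or `-all` is the usual choice. The same `?all` appears in the last zone file of this commit.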


@ -0,0 +1,16 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2023042100 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL (min before refresh)
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.he.net.
@ IN NS ns3.he.net.
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
@ IN A 172.104.154.21
@ IN AAAA 2a01:7e01::f03c:92ff:fecf:e815


@ -0,0 +1,30 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2023020400 ; Serial
7200 ; Refresh
7200 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL
; NS
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.jean-cloud.net.
@ IN NS ns1.he.net.
@ IN NS ns2.he.net.
@ IN NS ns3.he.net.
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
@ IN A 51.195.40.128
@ IN AAAA 2001:41d0:701:1100::31f
; Resolving nameserver
ns1 IN A 51.255.33.248
ns2 IN A 172.104.154.21
tetede IN A 51.255.33.248
tetede IN AAAA 2001:41d0:701:1100::31f


@ -0,0 +1,19 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2023040300 ; Serial
7200 ; Refresh
7200 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL
; NS
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.jean-cloud.net.
; Resolving nameserver
ns1 IN A 51.255.33.248
ns2 IN A 172.104.154.21
radiodemo IN CNAME montbonnot.jean-cloud.net
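Review bot: `radiodemo IN CNAME montbonnot.jean-cloud.net` has no trailing dot, so the zone origin is appended and the record points at `montbonnot.jean-cloud.net.<this zone>` instead of the intended host; it should read `radiodemo IN CNAME montbonnot.jean-cloud.net.`. The other zones in this commit terminate external targets with a dot (`vandamme.jean-cloud.net.`), so this is the one relative target.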


@ -0,0 +1,15 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2023042100 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL (min before refresh)
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.he.net.
@ IN NS ns3.he.net.
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
@ IN A 51.255.33.248


@ -0,0 +1,146 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2023042400 ; Serial
7200 ; Refresh
7200 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL
; NS
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.jean-cloud.net.
@ IN NS ns1.he.net.
@ IN NS ns2.he.net.
@ IN NS ns3.he.net.
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
@ IN A 51.255.33.248
@ 10800 IN MX 10 spool.mail.gandi.net.
@ 10800 IN MX 50 fb.mail.gandi.net.
@ 10800 IN TXT "v=spf1 include:_mailcust.gandi.net ?all"
; Resolving nameserver
ns1 IN A 51.255.33.248
ns2 IN A 172.104.154.21
;mail IN CNAME vandamme
webmail IN CNAME vandamme
vimbadmin IN CNAME vandamme
www IN CNAME vandamme
; Naming nodes
vandamme IN A 51.255.33.248
local-adrian IN A 193.33.56.94
francois IN A 54.38.189.153
nougaro IN A 172.104.154.21
nougaro IN AAAA 2a01:7e01::f03c:92ff:fecf:e815
tetede IN AAAA 2001:41d0:701:1100::31f
tetede IN A 51.195.40.128
carcasse IN A 109.18.84.200
carcasse IN AAAA 2a02:8434:1633:df01:adf9:74c3:b444:262f
heart IN A 109.18.84.200
max IN A 82.65.204.254
max IN AAAA 2a01:e0a:c9d:81d0:a2b3:ccff:fe85:af97
montbonnot IN A 188.114.97.2
montbonnot IN A 188.114.96.2
montbonnot IN AAAA 2a06:98c1:3120::2
montbonnot IN AAAA 2a06:98c1:3121::2
; Carcasse
dumbcluster IN A 109.18.84.200
dumbcluster IN AAAA 2a02:8434:1633:df01:226:2dff:fe11:56af
; Tetede
dumbcluster IN A 51.195.40.128
dumbcluster IN AAAA 2001:41d0:701:1100::31f
; services
nuage IN CNAME vandamme
www.nuage IN CNAME vandamme
calc.nuage IN CNAME vandamme
pad.nuage IN CNAME vandamme
feteducourt IN CNAME vandamme
www.feteducourt IN CNAME vandamme
feteducourt2020 IN CNAME vandamme
www.feteducourt2020 IN CNAME vandamme
git IN CNAME vandamme
www.git IN CNAME vandamme
wiki-cgr IN CNAME vandamme
www.wiki-cgr IN CNAME vandamme
parsoid-wiki-cgr IN CNAME vandamme
www.parsoid-wiki-cgr IN CNAME vandamme
cousinades IN CNAME vandamme
www.cousinades IN CNAME vandamme
cousinadesi2 IN CNAME vandamme
www.cousinades2 IN CNAME vandamme
velov IN CNAME vandamme
www.velov IN CNAME vandamme
registry IN CNAME vandamme
www.registry IN CNAME vandamme
inurbe IN CNAME vandamme
www.inurbe IN CNAME vandamme
gmx-webmail IN CNAME vandamme
www.gmx-webmail IN CNAME vandamme
rpnow IN CNAME vandamme
www.rpnow IN CNAME vandamme
test.rpnow IN CNAME vandamme
www.test.rpnow IN CNAME vandamme
lalis IN CNAME vandamme
www.lalis IN CNAME vandamme
metamorphose IN CNAME vandamme
www.metamorphose IN CNAME vandamme
static IN CNAME vandamme
www.static IN CNAME vandamme
;educloud IN CNAME tetede
;www.educloud IN CNAME tetede
;educloud2 IN CNAME tetede
;www.educloud2 IN CNAME tetede
copaines IN CNAME tetede
www.copaines IN CNAME tetede
wordpress.copaines IN CNAME tetede
www.wordpress.copaines IN CNAME tetede
feministesucl34 IN CNAME tetede
www.feministesucl34 IN CNAME tetede
wordpress.feministesucl34 IN CNAME tetede
www.wordpress.feministesucl34 IN CNAME tetede
tracker IN CNAME tetede
raplacgr IN CNAME tetede
walou IN CNAME dumbcluster
nc-backup IN CNAME tetede
gypsy IN CNAME tetede
shlago.wireguard.jean-cloud.net IN CNAME teted
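Review bot: The last record, `shlago.wireguard.jean-cloud.net IN CNAME teted`, is broken twice: the owner has no trailing dot, so it is relative to the origin, and `teted` looks like a typo for `tetede`; it should read `shlago.wireguard IN CNAME tetede` (or the fully qualified, dot-terminated forms on both sides). `cousinadesi2 IN CNAME vandamme` next to `www.cousinades2` looks like a typo as well. The SPF record `v=spf1 include:_mailcust.gandi.net ?all` ends in a neutral qualifier, so receivers treat mail forged from this domain no differently from legitimate mail; `~all` or `-all` is the usual choice once the sending hosts are known. A second copy of this zone appears later in the commit with serial 2023042100 and `gigi` in place of `heart`, so one of the two copies is stale.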


@ -0,0 +1,20 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2021060600 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.jean-cloud.net.
@ IN A 51.255.33.248
@ 10800 IN MX 10 spool.mail.gandi.net.
@ 10800 IN MX 50 fb.mail.gandi.net.
@ 10800 IN TXT "v=spf1 include:_mailcust.gandi.net ?all"
ns1 IN A 51.255.33.248
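Review bot: The SOA's negative-cache TTL is `604800` (seven days), whereas most other zones in this commit use 7200; with a week-long negative TTL, a name that is added after a resolver has cached its NXDOMAIN stays unreachable from that resolver for up to a week, which makes rollouts and certificate issuance for new names hard to debug. Lowering it to `7200 ) ; Negative Cache TTL` matches the other zones. The serial `2021060600` is also two years behind the rest, which may just mean the file is unchanged, but it is worth confirming this is the live version. The later duplicate copy of this zone has the same values.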


@ -0,0 +1,27 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2023020700 ; Serial
7200 ; Refresh
7200 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL
; NS
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.jean-cloud.net.
@ IN NS ns1.he.net.
@ IN NS ns2.he.net.
@ IN NS ns3.he.net.
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
@ IN A 51.178.80.171
; Resolving nameserver
ns1 IN A 51.255.33.248
ns2 IN A 172.104.154.21
benevoles IN A 51.178.80.171
benevoles31 IN A 51.178.80.171


@ -0,0 +1,15 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2023042100 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL (min before refresh)
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.he.net.
@ IN NS ns3.he.net.
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
@ IN A 51.255.33.248


@ -0,0 +1,15 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2023042100 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL (min before refresh)
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.he.net.
@ IN NS ns3.he.net.
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
@ IN A 51.255.33.248


@ -0,0 +1,15 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2023042100 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL (min before refresh)
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.he.net.
@ IN NS ns3.he.net.
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
@ IN A 51.255.33.248


@ -0,0 +1,58 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2023042200 ; Serial
604800 ; Refresh
7200 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
@ IN NS ns1.jean-cloud.net.
@ IN NS ns5.he.net.
@ IN NS ns4.he.net.
@ IN NS ns3.he.net.
@ IN NS ns2.he.net.
@ IN A 51.255.33.248
@ IN MX 1 mx1.mail.ovh.net.
@ IN MX 5 mx2.mail.ovh.net.
@ IN MX 10 mx3.mail.ovh.net.
www IN CNAME vandamme.jean-cloud.net.
www.registry IN CNAME nougaro.jean-cloud.net.
registry IN CNAME nougaro.jean-cloud.net.
services IN CNAME nougaro.jean-cloud.net.
radionimaitre IN CNAME tetede.jean-cloud.net.
www.radionimaitre IN CNAME tetede.jean-cloud.net.
paj IN CNAME nougaro.jean-cloud.net.
www.paj IN CNAME nougaro.jean-cloud.net.
radiodemo IN CNAME tetede.jean-cloud.net.
radiodemo-back IN CNAME montbonnot.jean-cloud.net.
_autodiscover._tcp IN SRV 0 0 443 mailconfig.ovh.net.
_imaps._tcp IN SRV 0 0 993 ssl0.ovh.net.
_submission._tcp IN SRV 0 0 465 ssl0.ovh.net.
;autoconfig IN SRV mailconfig.ovh.net.
imap IN CNAME ssl0.ovh.net.
smtp IN CNAME ssl0.ovh.net.
mail IN CNAME ssl0.ovh.net.
pop3 IN CNAME ssl0.ovh.net.
stream.paj.ports IN TXT 9002
control.paj.ports IN TXT 9492
pa1.studios IN CNAME carcasse.jean-cloud.net.
montpellier1.studios IN CNAME tetede.jean-cloud.net.
npm IN CNAME vandamme.jean-cloud.net.
www.npm IN CNAME vandamme.jean-cloud.net.
static IN CNAME vandamme.jean-cloud.net.
www.static IN CNAME vandamme.jean-cloud.net.
discordbot IN CNAME vandamme.jean-cloud.net.
www.discordbot IN CNAME vandamme.jean-cloud.net.
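Review bot: The zone publishes three MX records for `mx*.mail.ovh.net.` but no SPF TXT record and no `_dmarc` entry, so unless those are published elsewhere, receiving servers have no policy to reject mail forged from this domain; the gandi-hosted zones in the same commit at least carry an SPF record. A minimal policy would be `@ IN TXT "v=spf1 include:<OVH-SPF-INCLUDE-PLACEHOLDER> -all"` (the include name must come from the mail provider's documentation) plus a `_dmarc` TXT record. The amaglio.fr zone later in this commit (MX `mail.amaglio.fr.`) has the same gap, and the duplicate copy of this zone near the end of the commit needs the same records.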


@ -0,0 +1,78 @@
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "oma-radio.fr"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.oma-radio.fr";
};
zone "jean-cloud.net"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.jean-cloud.net";
};
zone "jean-cloud.org"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.jean-cloud.org";
};
zone "karnaval.fr"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.karnaval.fr";
};
zone "amaglio.fr"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.amaglio.fr";
};
zone "collectif-arthadie.fr"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.collectif-arthadie.fr";
};
zone "gypsylyonfestival.com"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.gypsylyonfestival.com";
};
zone "hid"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.hid";
};
zone "compagnienouvelle.fr"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.compagnienouvelle.fr";
};
zone "inurbe.fr"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.inurbe.fr";
};
zone "lalis.fr"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.lalis.fr";
};
zone "leida.fr"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.leida.fr";
};
zone "metamorphosemagazine.fr"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.metamorphosemagazine.fr";
};


@ -0,0 +1,18 @@
options {
directory "/var/cache/bind";
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on { any; };
listen-on-v6 { any; };
allow-update { none; };
allow-recursion { none; };
allow-recursion-on { none; };
recursion no;
notify yes;
allow-transfer {
none;
#216.218.133.2; 2001:470:600::2; //he.net
#172.104.154.21; 2a01:7e01::f03c:92ff:fecf:e815; // nougaro
};
};
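Review bot: `allow-transfer { none; };` refuses AXFR to every host, while the zone files in this commit list ns2–ns5.he.net and ns2.jean-cloud.net as NS and `notify yes` will send them NOTIFYs they cannot follow with a transfer, so those secondaries serve whatever they last fetched, or nothing, unless transfers are permitted by some other path. The intended peers are already present as commented-out entries; un-commenting `216.218.133.2; 2001:470:600::2;` and `172.104.154.21; 2a01:7e01::f03c:92ff:fecf:e815;` inside the `allow-transfer` block restores transfers while still denying them to everyone else. Since none of the zones in named.conf.local set a per-zone `allow-transfer`, this global value is the one that applies.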


@ -0,0 +1,33 @@
---
# tasks file for deploy_all
- name: sync services dirs
ansible.posix.synchronize:
src: ../services/
dest: /docker/
delete: true
archive: false
recursive: true
- name: Add binaries
ansible.posix.synchronize:
src: "{{ role_path }}/files/bin/"
dest: "/usr/local/bin"
- name: Add bind conf
ansible.posix.synchronize:
src: "{{ role_path }}/files/bind/"
dest: "/etc/bind/"
- name: make sure bind9 is started
ansible.builtin.service:
name: bind9
state: started
- name: Reload service bind9, in all cases
ansible.builtin.service:
name: bind9
state: reloaded
#- name: Start the deployer
# ansible.builtin.command:
# command: /docker/_deployer/main.sh
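Review bot: `Reload service bind9, in all cases` reloads bind without validating the freshly synced configuration, so a syntax error in a zone file is only discovered from the bind log after the reload. Adding `- name: Validate bind configuration` / `  ansible.builtin.command: named-checkconf -z` between the sync and the reload fails the play before the running server is touched. The reload is also unconditional; having the sync tasks `notify` a handler that reloads bind9 keeps it to runs that actually changed something. `delete: true` on the first synchronize removes anything under /docker/ that is not in ../services/, so per-host files kept there (deploy.sh reads `/docker/$service/.env`) would be deleted unless they are part of the synced tree — worth confirming.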


@ -0,0 +1,155 @@
#!/bin/bash
driglibash_run_retry=true
. driglibash-base
set -euo pipefail
###############################################################################
# Variables
###############################################################################
proxy_dir="/etc/nginx"
nginx_conf_path="$proxy_dir/sites-enabled"
new_nginx_conf_path="$proxy_dir/new-sites-enabled"
certs_path="/etc/letsencrypt/live"
dummy_cert_path="$certs_path/dummy"
###############################################################################
# Helpers
###############################################################################
# Returns the public IP4 address of a domain name
function ipof {
resolv.sh "$1"
}
# Path to this directory
here="$(where 'follow_links')"
# Ip4 address
my_ip="$(ipof "$(cat /etc/hostname)")"
[ -z "$my_ip" ] && yell "Unable to find my IP" && exit 1
###############################################################################
# Nginx preparation
###############################################################################
driglibash_section_prefix="[Prepare nginx] "
section "Delete new conf directory (to recover)"
run rm -rf "$new_nginx_conf_path"
section "Create new conf file (for tests purposes)"
sed "s#$nginx_conf_path#$new_nginx_conf_path#" "/docker/_proxy/nginx.conf" > "$proxy_dir/new_nginx.conf"
section "Create proxy dir"
run mkdir -p "$proxy_dir" /docker /data
run chown root:root /docker
run chown root:root /data
run chmod 755 /docker
run chmod 755 /data
section "Check dummy cert exists "
#TODO check if expired
if [ ! -f "$dummy_cert_path/privkey.pem" ] ; then
echo "Dummy cert generation"
run mkdir -p "$dummy_cert_path"
run openssl req -x509 -newkey rsa:2048 -keyout /etc/letsencrypt/live/dummy/privkey.pem -out /etc/letsencrypt/live/dummy/fullchain.pem -days 365 -nodes -subj "/C=FR/ST=France/O=IT/CN=jean-cloud.net"
fi
section "Create new conf directory"
run mkdir -p "$new_nginx_conf_path"
###############################################################################
# Deploy services
###############################################################################
for dir in /docker/* ; do
service="$(basename "$dir")"
# Ignore _ prefixed directories
[ "${service::1}" == '_' ] && continue
docker_service="$(echo "$service" | tr '.' '_')"
driglibash_section_prefix="[$service] "
cd "/docker/$service"
# Is service meant to be on this server?
ip="$(ipof "$service")"
[ -z "$ip" ] && yell "No IP found for $service" && continue
if [ "$ip" != "$my_ip" ] ; then
if [ -n "$(docker ps | grep "$docker_service")" ] ; then
section "--------------------"
section "Removing service"
docker-compose down --rmi all --remove-orphans
fi
continue
fi
# If there is a docker-compose file and it has services in it
if [ -f "/docker/$service/docker-compose.yml" ] && [ -n "$(grep '^[^#]*services' "/docker/$service/docker-compose.yml")" ] ; then
section "-------------------- $service"
section "Logging to registry"
# XXX Login to docker registry
section "Pulling images"
run docker-compose pull
section "Starting service"
run docker-compose up -d --remove-orphans
fi
# If there is a nginx conf file
if [ -f "/docker/$service/nginx_server.conf" ] ; then
section "Copy nginx conf"
run cp "/docker/$service/nginx_server.conf" "$new_nginx_conf_path/$service"
if [ -f "/docker/$service/.env" ] ; then
section "Template nginx conf with vars from '.env' file"
run template.sh "/docker/$service/.env" < "/docker/$service/nginx_server.conf" > "$new_nginx_conf_path/$service"
fi
fi
# Do we need dummy cert?
if [ ! -e "$certs_path/$service/fullchain.pem" ] ; then
section "Create cert dir"
run mkdir -p "$certs_path/$service"
section "Link dummy to cert"
run ln -s "$dummy_cert_path/fullchain.pem" "$certs_path/$service"
run ln -s "$dummy_cert_path/privkey.pem" "$certs_path/$service"
fi
section "Testing nginx conf"
run nginx -t -c /etc/nginx/new_nginx.conf
done
###############################################################################
# Nginx restart
###############################################################################
driglibash_section_prefix="[Restart nginx] "
section "Test if nginx conf is ok"
run nginx -t -c "$proxy_dir/new_nginx.conf"
section "Update nginx conf"
run rm -rf "$nginx_conf_path"
run mv "$new_nginx_conf_path" "$nginx_conf_path"
run cp "/docker/_proxy/nginx.conf" "$proxy_dir/nginx.conf"
section "Test nginx conf to be sure"
run nginx -t
if [ -z "$(cat /var/run/nginx.pid)" ] ; then
section "Start nginx"
run nginx
else
section "Reload nginx"
run nginx -s reload
fi
clean
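Review bot: `set -euo pipefail`, placed right after sourcing driglibash-base, defeats the retry prompt that `driglibash_run_retry=true` asks for: with errexit active, the `"$@"` inside `run` aborts the script before `code=$?` is reached, so a failing `docker-compose pull` or `nginx -t` exits immediately instead of offering retry/skip. Either drop `set -e` and rely on `run`, or drop the retry flag so the behaviour is at least intentional. The per-service test `run nginx -t -c /etc/nginx/new_nginx.conf` hard-codes the path that the rest of the script derives from `$proxy_dir` (`run nginx -t -c "$proxy_dir/new_nginx.conf"` is used later); the two should agree. The swap `run rm -rf "$nginx_conf_path"` followed by `run mv` leaves a window with no site configuration on disk if the mv fails; moving the old directory to a backup name first and then renaming the new one keeps a valid configuration present throughout.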


@ -0,0 +1,90 @@
#!/bin/bash
###############################################################################
# https://github.com/adrianamaglio/driglibash-arg
###############################################################################
# Usage :
#
# version="alpha nightly 0.0.1 pre-release unstable"
# summary="$0 [options] <device>"
#
# usage[t]="Start qemu after the installation"
# varia[t]=tst
# tst=false
#
# usage[i]="Install the provided package. Not implemented"
# varia[i]=install
# declare -a install
#
# usage[k]="Keep the temporar mountpoints"
# varia[k]=keep
# keep=false
#
# usage[e]="bash command file to execute in the chroot. - to read from stdin"
# varia[e]=execute
# declare -a execute
. driglibash-base
#TODO keep order usage options
# Print usage and exit in error
usage() {
yell "Version: $version"
yell "Usage: $summary"
yell "Parameters:"
yell " -h print this help, version and exit."
for key in "${!usage[@]}" ; do
if [ "$(driglibash_arg_type "$key")" == "single_value" ] ; then
name="${varia[$key]}"
default=" (default : ${!name})"
else
default=
fi
yell " -$key ${usage[$key]}$default"
done
exit 0
}
# Guess the variable type
# Boolean, list or string
driglibash_arg_type() {
if [ $# -ne 1 ] ; then
die "Bad driglibash_arg_type usage";
fi
name="${varia[$1]}"
if [ "$name" == "" ] ; then die "Variable name is empty for key $1" ; fi
if [ "${!name}" == "false" ] ; then
echo "boolean"
elif [ -n "$( declare -p "$name" 2>/dev/null | grep 'declare \-a')" ] ; then
echo "array"
else
echo "single_value"
fi
}
# Generate getopts string #
getopts_string=":h"
for key in ${!usage[@]} ; do
needs_parameter=
if [ "$(driglibash_arg_type "$key")" != "boolean" ] ; then needs_parameter=":" ; fi
getopts_string="$getopts_string$key$needs_parameter"
done
# Loop throught options #
while getopts "$getopts_string" opt; do
case $opt in
h) usage;;
:) die "Option -$OPTARG requires an argument.";;
\?) die "Invalid option: -$OPTARG";;
*)
name="${varia[$opt]}"
if [ "${!name}" == "false" ] ; then eval $name=true
elif [ -n "$( declare -p "$name" 2>/dev/null | grep 'declare \-a')" ] ; then safe="${!name} $OPTARG" ; eval $name=\$safe
else eval $name=\$OPTARG
fi;;
esac
done ; shift $((OPTIND-1))
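Review bot: The array branch of the option loop, `safe="${!name} $OPTARG" ; eval $name=\$safe`, does not append to the array the header comment tells callers to `declare -a`: `${!name}` expands only element 0 and the assignment writes a single whitespace-joined string back into element 0, so values containing spaces cannot be told apart and `"${install[@]}"` never has more than one element. `eval "$name+=(\"\$OPTARG\")"` appends a real element. `usage()` is commented as "Print usage and exit in error" but ends with `exit 0`; one of the two should change. `for key in ${!usage[@]}` in the getopts-string loop is unquoted while the same loop inside `usage()` quotes it; harmless for single-letter keys, but worth making consistent.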


@ -0,0 +1,179 @@
###############################################################################
# Driglibash pack 1
# Usual helper functions for bash scripts
# https://github.com/adrianamaglio/driglibash
###############################################################################
# Set to true to make a pause at each step
driglibash_step_by_step=false
# Set to watever you want to have a prefix
driglibash_section_prefix=""
trap 'die "Received sigint"' INT
# Output on standard error output
yell() {
echo >&2 -e "$@"
}
# Output first parameter, second parameter times
repeat() {
printf "$1"'%.s' $(eval "echo {1.."$(($2))"}")
}
# Output a "section title" to visually separate different script part
# TODO local variables
# TODO fixed place left aligned
section(){
text="$driglibash_section_prefix$1"
if [ -n "$text" ] ; then
len="${#text}"
max_len="$(($(tput cols)-2))"
if [ "$len" -ge "$max_len" ] ; then
right=5
left=5
else
left="$((($max_len - $len)/2))"
right="$left"
fi
else
left=80
right=0
fi
# If the character number was rounded down
if [ "$(($left + $right + $len +1 ))" -eq "$max_len" ] ; then
left="$(($left+ 1))"
fi
repeat '=' "$left"
if [ "$right" -ge 1 ] ; then
echo -n " $text "
repeat '=' "$right"
echo
fi
if "$driglibash_step_by_step" ; then
echo "Press enter to proceed"
read
fi
}
alias step=section
# Print an error, clean and exit
die() {
yell "$@"
clean
exit 1
}
# Exit on error if not root
root_or_die() {
if [ "$UID" -ne 0 ] ; then
die "You need to be root"
fi
}
# Execute a command and die if it returns with error #
run() {
while true ; do
"$@"
code=$?
if [ "$code" -ne 0 ] ; then
yell "command [$*] failed with exit code '$code'"
if [ -n "$driglibash_run_retry" ] ; then
echo "Retry ? Retry (y), skip the command (s) or exit script(n) [Y/s/n] ?"
read answer
if [ "$answer" = "y" ] || [ "$answer" = "Y" ] || [ -z "$answer" ] ; then
continue
elif [ "$answer" = "s" ] || [ "$answer" = "S" ] ; then
return "$code"
fi
fi
die "Aborting"
else
break
fi
done
}
# Execute a commad in background and return its pid
start(){
"$@" &
pid=$!
clean pre "kill $pid"
return $pid
}
# Clean exit #
# Record command lines passed as argument and execute them all when called without args #
# One argument = One command #
# TODO append or prepend according to arg
declare -a driglibash_clean_actions
clean() {
if [ "$#" -eq 0 ] ; then
echo "Cleaning"
for action in "${driglibash_clean_actions[@]}" ; do
echo "driglibash_clean> $action"
$action
done
elif [ "$#" -eq 1 ] ; then
driglibash_clean_actions+=("$1")
elif [ "$#" -eq 2 ] ; then
case "$1" in
"pre")
declare -a tmp
tmp=("${driglibash_clean_actions[@]}")
driglibash_clean_actions=("$2")
driglibash_clean_actions+=("${tmp[@]}")
;;
"post")
driglibash_clean_actions+=("$2")
;;
"del")
for i in "${!driglibash_clean_actions[@]}" ; do
if [ "$2" = "${driglibash_clean_actions[$i]}" ] ; then
unset driglibash_clean_actions[$i]
break
fi
done
;;
*)
die "driglibash_clean: action '$1' not supported"
esac
else
die "driglibash_clean : Bad clean usage, receveid more than two args"
fi
}
# tells where your executable is (absolute path). Follow simlinks if any argument provided
where() {
if [ -z "$1" ] ; then
echo "$( cd -P "$( dirname "$1" )" && pwd )"
else
SOURCE="$0"
while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
SOURCE="$(readlink "$SOURCE")"
[[ $SOURCE != /* ]] && SOURCE="$DIR/$SOURCE" # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
done
DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
echo $DIR
fi
}
# Add the line $1 in file $2 if not present
line_in_file() {
if [ "$#" -ne 2 ] ; then die "Bad usage of 'line_in_file'. Got '$#' parameters : '$@'" ; fi
if [ -z "$1" ] ; then die "Line arg is emtpy in 'line_in_file'" ; fi
line="$1"
if [ -z "$2" ] ; then die "File arg is emtpy in 'line_in_file'" ; fi
file="$2"
if [ ! -f "$file" ] ; then run touch "$file" ; fi
grep -q -x -F "$line" "$file" || echo "$line" >> "$file"
}
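Review bot: `run` loops forever when the script is not attached to a terminal: if `read answer` hits EOF (stdin closed or redirected from /dev/null, as under cron or an Ansible task) it returns non-zero with an empty `answer`, the `-z "$answer"` branch treats that as "yes", and the failing command is retried without end. Guarding the prompt with `if [ -t 0 ] && [ -n "$driglibash_run_retry" ] ; then` (or `read -r answer || die "Aborting"`) makes a non-interactive failure abort, as the comment above the function promises. `where()` tests `-z "$1"` and then calls `dirname "$1"` on that same empty value, so the no-argument branch prints the current directory rather than the script's; it should use `"$0"` like the other branch. `start()` hands the child's pid back through `return $pid`, which is truncated to 8 bits; `echo "$pid"` and capture it with command substitution instead.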


@ -0,0 +1,105 @@
#!/bin/bash
# This script will run on new cert and on cron renew
# there is one cert by service
# TODO make it an ansible script
# No
# Les arguments du pauvre
if [ "$#" -eq 1 ] && [ "$1" = '-v' ] ; then
verbose=true
else
verbose=false
fi
# Variable
acmeroot=/var/www/letsencrypt
# Création du répertoire
mkdir -p "$acmeroot"
# With trailing slash or it will be a prefix selector
#nginx_sites_dir="/etc/nginx/sites-enabled/"
nginx_sites_dir="/etc/nginx/sites-enabled/"
for file in "$nginx_sites_dir"* ; do
if $verbose ; then
echo '-------------------------'
echo "$file"
fi
service_name="$(basename "$file")"
# Getting just the domain names
domains="$(grep '^[[:blank:]]*[^#][[:blank:]]*server_name' "$file" | sed 's/ _ / /g' | sed 's/server_name//g' | sed 's/default_server//g' | sed -e 's/^[[:space:]]*//' | cut -d ';' -f 1)"
if [ -n "$domains" ] ; then
# If using dummy cert, disabling it
if [ "$(readlink "/etc/letsencrypt/live/$service_name/fullchain.pem")" = "/etc/letsencrypt/live/dummy/fullchain.pem" ] ; then
rm -r "/etc/letsencrypt/live/$service_name"
fi
# removing duplicates
domains="$(echo $domains | awk '{for (i=1;i<=NF;i++) if (!a[$i]++) printf("%s%s",$i,FS)}{printf("\n")}')"
echo "$domains"
# adding -d before every domain
domains="-d $(echo $domains | sed 's/ / -d /g')"
# Run certbot
command="certbot certonly -n --expand --agree-tos --webroot -w "$acmeroot" --email contact@jean-cloud.org --cert-name "$(basename $file)" $domains"
if $verbose ; then
echo $command
fi
out="$($command 2>&1)"
result="$?"
if [ "$result" -eq 0 ] && [[ "$out" = *"Certificate not yet due for renewal; no action taken."* ]]; then
echo "Cert still valid"
elif [ "$result" -eq 0 ] ; then
echo "Cert renewed or obtained"
#new_cert="$(echo "$out" | grep -oE '/etc/letsencrypt/live/.*/fullchain.pem')"
#echo "'$new_cert'"
#new_cert_dir="$(dirname "$out")"
#echo "'$new_cert_dir'"
#if [ -d "$new_cert_dir" ] ; then
# echo "New cert dir : '$new_cert_dir'"
# echo "cp '$new_cert_dir/*' '/data/proxy/certs/'"
#else
# echo "Error parsiong dir name"
#fi
elif [ "$result" -eq 1 ] ; then
echo "Cert failed"
echo " ------------------------------------------"
echo "$out"
echo " ------------------------------------------"
else
echo "Unknown error : $result.\n$out"
fi
fi
done
ls /etc/letsencrypt/live/*000* &> /dev/null
if [ "$?" -eq 0 ] ; then
echo " ---------------------------------------------------------------------------------------------"
echo "Bad certs detected in letsencrypt dir. Nginx conf wont work…"
echo "rm -r /etc/letsencrypt/live/*000* /etc/letsencrypt/archive/*000* /etc/letsencrypt/renewal/*000*"
echo " ---------------------------------------------------------------------------------------------"
fi
nginx -t
code="$?"
if [ "$code" -ne 0 ] ; then
echo "Nginx test error, cant reloat it"
exit 1
fi
nginx -s reload
code="$?"
if [ "$code" -ne 0 ] ; then
echo "Nginx reload error, GENERAL ALEEEEEEEEERT!!!!!"
exit 1
fi
echo "Done. No error detected."
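Review bot: The `server_name` extraction strips the catch-all `_` only when it is surrounded by spaces (`s/ _ / /g`), so a line written `server_name _;` or `server_name example.org _;` keeps `_` as a domain and hands certbot `-d _`, which fails that site's renewal; appending `| tr ' ' '\n' | grep -vx '_'` after the `cut` removes it in either position (the later unquoted `echo $domains` already joins the lines again). `echo "Unknown error : $result.\n$out"` prints a literal `\n` because bash's echo does not interpret escapes without `-e`; `printf '%s\n' "Unknown error : $result." "$out"` is the portable form. `$command` is expanded unquoted, so the certbot argument list built from the nginx configuration is word-split and globbed; acceptable for operator-written configs, but a bash array (`cmd=(certbot … "${domain_args[@]}")`) avoids surprises.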


@ -0,0 +1,2 @@
#!/bin/sh
docker inspect -f $'{{.Name}}\t{{.GraphDriver.Data.MergedDir}}' $(docker ps -aq)
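Review bot: The shebang is `#!/bin/sh` but the format string uses bash's ANSI-C quoting `$'…\t…'`; under a strictly POSIX /bin/sh such as dash, `$'` is not special, so the output would presumably carry a literal `$` and a literal `\t` rather than a tab. Change the first line to `#!/bin/bash`, or write the tab as a literal character inside ordinary single quotes. With no containers present, `$(docker ps -aq)` expands to nothing and `docker inspect` is called without arguments, which is an error; `docker ps -aq | xargs -r docker inspect -f '…'` skips the call cleanly.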


@ -0,0 +1,61 @@
#!/bin/bash
set -euo pipefail
########################### Helpers ###########################################
function yell {
echo "$@" >&2
}
function die {
yell "$@"
exit 1
}
function say {
if "$verbose" ; then
yell "$@"
fi
}
########################### Options ###########################################
verbose=false
if [ "$1" = '-v' ] ; then
verbose=true
shift
fi
########################### arguments ##########################################
if [ "$#" -ne 1 ] ; then
die "Usage: $0 [options] <domain_name>
options : -v verbose"
fi
name="$1"
########################### script ############################################
while true ; do
if "$verbose" ; then
say "Querying $name"
fi
while read line ; do
if [[ "$line" = *"is an alias for "* ]] ; then
name="$(echo "$line" | cut -d ' ' -f 6)"
break
elif [[ "$line" = *" has address "* ]] ; then
echo "$line" | cut -d ' ' -f 4
exit 0
elif [[ "$line" = *" not found: "* ]] ; then
exit 0
elif [[ "$line" = *" has no A record" ]] ; then
exit 0
else
say "unmatched: $line"
fi
done <<< "$(host -W 2 -t A "$name" localhost)"
done
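Review bot: `[ "$1" = '-v' ]` runs under `set -u`, so calling the script with no arguments aborts with an "unbound variable" error before the usage text in `die "Usage: …"` is reached; `[ "${1:-}" = '-v' ]` keeps the check and lets the usage path work. The outer `while true` only terminates on a matched line, so any other `host` output — a timeout (`-W 2`), a connection refused from a stopped local bind, or a CNAME loop — makes the script re-query the same name forever; since deploy.sh calls this for every service, a DNS outage then hangs the deployment instead of failing it. A hop counter at the top of the loop, `[ "$((hops+=1))" -gt 10 ] && die "Too many CNAME hops for $name"`, plus treating an entirely unmatched reply as a failure, bounds it. The inner `if "$verbose"` around `say "Querying $name"` is redundant since `say` already checks `$verbose`.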


@ -0,0 +1,8 @@
#!/bin/bash
if [ "$#" -ne 1 ] ; then
echo "Usage: $0 <env_file>" >&2
echo "This script read env_file variables and replace theire occurences in stdin" >&2
exit 1
fi
bash -c 'set -a && . '"$1"' && envsubst "$(cat '"$1"' | grep -o ^.*= | sed "s/=//" | sed "s/^/$/")"'
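Review bot: `$1` is spliced into the text of the `bash -c` command twice without quoting, so a path containing a space, `;` or `$(…)` is parsed as shell code rather than as a file name; the caller (deploy.sh) builds the path from directory names under /docker, so the exposure is small today, but passing the path as a positional argument removes it: `bash -c 'set -a && . "$1" && envsubst "$(grep -o "^[^=]*=" "$1" | sed "s/=//; s/^/\$/")"' _ "$1"`. The variable-name extraction `grep -o ^.*=` is greedy, so a value that itself contains `=` (a base64 string, a URL query) yields a bogus name and that variable is never substituted; `^[^=]*=` stops at the first `=`. Since `. file` executes the env file as shell, anything written there runs with the deployer's privileges; the usage text could state that the file must be trusted.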


@ -0,0 +1,22 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.dahus.net. (
2023041900 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL (min before refresh)
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.he.net.
@ IN NS ns3.he.net.
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
@ IN A 51.255.33.248
@ IN MX 10 mail.amaglio.fr.
mail IN A 91.216.107.37
imap IN CNAME mail.amaglio.fr.
pop IN CNAME mail.amaglio.fr.
smtp IN CNAME mail.amaglio.fr.


@ -0,0 +1,30 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2020031104 ; Serial
7200 ; Refresh
7200 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL
; NS
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.he.net.
@ IN NS ns3.he.net.
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
@ IN A 51.255.33.248
@ 10800 IN MX 10 spool.mail.gandi.net.
@ 10800 IN MX 50 fb.mail.gandi.net.
@ 10800 IN TXT "v=spf1 include:_mailcust.gandi.net ?all"
collectif-arthadie.fr. IN CAA 0 issue "letsencrypt.org"
collectif-arthadie.fr. IN CAA 0 issuewild ";"
wordpress IN CNAME vandamme.jean-cloud.net.
www.wordpress IN CNAME vandamme.jean-cloud.net.
www IN CNAME vandamme.jean-cloud.net.
www.wordpress.collectif-arthadie.fr IN CAA 0 issue "letsencrypt.org"
www.wordpress.collectif-arthadie.fr IN CAA 0 issuewild ";"
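Review bot: The last two CAA records use the owner `www.wordpress.collectif-arthadie.fr` without a trailing dot, so they are relative to the origin and land at `www.wordpress.collectif-arthadie.fr.collectif-arthadie.fr`, a name nothing looks up; the apex records a few lines up use the correct absolute form `collectif-arthadie.fr.`. Simply adding the dot is not the fix either: `www.wordpress` is a CNAME in this zone, and BIND refuses a zone that puts CAA (or any other data) at a CNAME owner — the wrong name is presumably the only reason the zone loads at all. Since CAA lookup climbs from the queried name to its parents, the apex `issue "letsencrypt.org"` / `issuewild ";"` pair already covers `www.wordpress`, so the two relative lines can be removed.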


@ -0,0 +1,16 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2023042100 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL (min before refresh)
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.he.net.
@ IN NS ns3.he.net.
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
@ IN A 172.104.154.21
@ IN AAAA 2a01:7e01::f03c:92ff:fecf:e815


@ -0,0 +1,30 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2023020400 ; Serial
7200 ; Refresh
7200 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL
; NS
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.jean-cloud.net.
@ IN NS ns1.he.net.
@ IN NS ns2.he.net.
@ IN NS ns3.he.net.
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
@ IN A 51.195.40.128
@ IN AAAA 2001:41d0:701:1100::31f
; Resolving nameserver
ns1 IN A 51.255.33.248
ns2 IN A 172.104.154.21
tetede IN A 51.255.33.248
tetede IN AAAA 2001:41d0:701:1100::31f


@ -0,0 +1,19 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2023040300 ; Serial
7200 ; Refresh
7200 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL
; NS
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.jean-cloud.net.
; Resolving nameserver
ns1 IN A 51.255.33.248
ns2 IN A 172.104.154.21
radiodemo IN CNAME montbonnot.jean-cloud.net


@ -0,0 +1,15 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2023042100 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL (min before refresh)
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.he.net.
@ IN NS ns3.he.net.
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
@ IN A 51.255.33.248


@ -0,0 +1,148 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2023042100 ; Serial
7200 ; Refresh
7200 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL
; NS
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.jean-cloud.net.
@ IN NS ns1.he.net.
@ IN NS ns2.he.net.
@ IN NS ns3.he.net.
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
@ IN A 51.255.33.248
@ 10800 IN MX 10 spool.mail.gandi.net.
@ 10800 IN MX 50 fb.mail.gandi.net.
@ 10800 IN TXT "v=spf1 include:_mailcust.gandi.net ?all"
; Resolving nameserver
ns1 IN A 51.255.33.248
ns2 IN A 172.104.154.21
;mail IN CNAME vandamme
webmail IN CNAME vandamme
vimbadmin IN CNAME vandamme
www IN CNAME vandamme
; Naming nodes
vandamme IN A 51.255.33.248
local-adrian IN A 193.33.56.94
francois IN A 54.38.189.153
nougaro IN A 172.104.154.21
nougaro IN AAAA 2a01:7e01::f03c:92ff:fecf:e815
tetede IN AAAA 2001:41d0:701:1100::31f
tetede IN A 51.195.40.128
carcasse IN A 109.18.84.200
carcasse IN AAAA 2a02:8434:1633:df01:adf9:74c3:b444:262f
gigi IN A 51.77.156.235
gigi IN AAAA 2001:41d0:305:2100::10e1
max IN A 82.65.204.254
max IN AAAA 2a01:e0a:c9d:81d0:a2b3:ccff:fe85:af97
montbonnot IN A 188.114.97.2
montbonnot IN A 188.114.96.2
montbonnot IN AAAA 2a06:98c1:3120::2
montbonnot IN AAAA 2a06:98c1:3121::2
; Carcasse
dumbcluster IN A 109.18.84.200
dumbcluster IN AAAA 2a02:8434:1633:df01:226:2dff:fe11:56af
; Tetede
dumbcluster IN A 51.195.40.128
dumbcluster IN AAAA 2001:41d0:701:1100::31f
; services
team IN CNAME tetede
nuage IN CNAME vandamme
www.nuage IN CNAME vandamme
calc.nuage IN CNAME vandamme
pad.nuage IN CNAME vandamme
feteducourt IN CNAME vandamme
www.feteducourt IN CNAME vandamme
feteducourt2020 IN CNAME vandamme
www.feteducourt2020 IN CNAME vandamme
git IN CNAME vandamme
www.git IN CNAME vandamme
wiki-cgr IN CNAME vandamme
www.wiki-cgr IN CNAME vandamme
parsoid-wiki-cgr IN CNAME vandamme
www.parsoid-wiki-cgr IN CNAME vandamme
cousinades IN CNAME vandamme
www.cousinades IN CNAME vandamme
cousinadesi2 IN CNAME vandamme
www.cousinades2 IN CNAME vandamme
velov IN CNAME vandamme
www.velov IN CNAME vandamme
registry IN CNAME vandamme
www.registry IN CNAME vandamme
inurbe IN CNAME vandamme
www.inurbe IN CNAME vandamme
gmx-webmail IN CNAME vandamme
www.gmx-webmail IN CNAME vandamme
rpnow IN CNAME vandamme
www.rpnow IN CNAME vandamme
test.rpnow IN CNAME vandamme
www.test.rpnow IN CNAME vandamme
lalis IN CNAME vandamme
www.lalis IN CNAME vandamme
metamorphose IN CNAME vandamme
www.metamorphose IN CNAME vandamme
static IN CNAME vandamme
www.static IN CNAME vandamme
;educloud IN CNAME tetede
;www.educloud IN CNAME tetede
;educloud2 IN CNAME tetede
;www.educloud2 IN CNAME tetede
copaines IN CNAME tetede
www.copaines IN CNAME tetede
wordpress.copaines IN CNAME tetede
www.wordpress.copaines IN CNAME tetede
feministesucl34 IN CNAME tetede
www.feministesucl34 IN CNAME tetede
wordpress.feministesucl34 IN CNAME tetede
www.wordpress.feministesucl34 IN CNAME tetede
tracker IN CNAME tetede
raplacgr IN CNAME tetede
walou IN CNAME dumbcluster
nc-backup IN CNAME tetede
gypsy IN CNAME tetede
shlago.wireguard.jean-cloud.net IN CNAME teted


@ -0,0 +1,20 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2021060600 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.jean-cloud.net.
@ IN A 51.255.33.248
@ 10800 IN MX 10 spool.mail.gandi.net.
@ 10800 IN MX 50 fb.mail.gandi.net.
@ 10800 IN TXT "v=spf1 include:_mailcust.gandi.net ?all"
ns1 IN A 51.255.33.248


@ -0,0 +1,27 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2023020700 ; Serial
7200 ; Refresh
7200 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL
; NS
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.jean-cloud.net.
@ IN NS ns1.he.net.
@ IN NS ns2.he.net.
@ IN NS ns3.he.net.
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
@ IN A 51.178.80.171
; Resolving nameserver
ns1 IN A 51.255.33.248
ns2 IN A 172.104.154.21
benevoles IN A 51.178.80.171
benevoles31 IN A 51.178.80.171


@ -0,0 +1,15 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2023042100 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL (min before refresh)
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.he.net.
@ IN NS ns3.he.net.
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
@ IN A 51.255.33.248


@ -0,0 +1,15 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2023042100 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL (min before refresh)
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.he.net.
@ IN NS ns3.he.net.
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
@ IN A 51.255.33.248


@ -0,0 +1,15 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2023042100 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
7200 ) ; Negative Cache TTL (min before refresh)
@ IN NS ns1.jean-cloud.net.
@ IN NS ns2.he.net.
@ IN NS ns3.he.net.
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
@ IN A 51.255.33.248


@ -0,0 +1,58 @@
$TTL 604800
@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
2023042200 ; Serial
604800 ; Refresh
7200 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
@ IN NS ns1.jean-cloud.net.
@ IN NS ns5.he.net.
@ IN NS ns4.he.net.
@ IN NS ns3.he.net.
@ IN NS ns2.he.net.
@ IN A 51.255.33.248
@ IN MX 1 mx1.mail.ovh.net.
@ IN MX 5 mx2.mail.ovh.net.
@ IN MX 10 mx3.mail.ovh.net.
www IN CNAME vandamme.jean-cloud.net.
www.registry IN CNAME nougaro.jean-cloud.net.
registry IN CNAME nougaro.jean-cloud.net.
services IN CNAME nougaro.jean-cloud.net.
radionimaitre IN CNAME tetede.jean-cloud.net.
www.radionimaitre IN CNAME tetede.jean-cloud.net.
paj IN CNAME nougaro.jean-cloud.net.
www.paj IN CNAME nougaro.jean-cloud.net.
radiodemo IN CNAME tetede.jean-cloud.net.
radiodemo-back IN CNAME montbonnot.jean-cloud.net.
_autodiscover._tcp IN SRV 0 0 443 mailconfig.ovh.net.
_imaps._tcp IN SRV 0 0 993 ssl0.ovh.net.
_submission._tcp IN SRV 0 0 465 ssl0.ovh.net.
;autoconfig IN SRV mailconfig.ovh.net.
imap IN CNAME ssl0.ovh.net.
smtp IN CNAME ssl0.ovh.net.
mail IN CNAME ssl0.ovh.net.
pop3 IN CNAME ssl0.ovh.net.
stream.paj.ports IN TXT 9002
control.paj.ports IN TXT 9492
pa1.studios IN CNAME carcasse.jean-cloud.net.
montpellier1.studios IN CNAME tetede.jean-cloud.net.
npm IN CNAME vandamme.jean-cloud.net.
www.npm IN CNAME vandamme.jean-cloud.net.
static IN CNAME vandamme.jean-cloud.net.
www.static IN CNAME vandamme.jean-cloud.net.
discordbot IN CNAME vandamme.jean-cloud.net.
www.discordbot IN CNAME vandamme.jean-cloud.net.
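Review bot: The zone delegates mail to OVH (`@ IN MX 1 mx1.mail.ovh.net.` and siblings) but publishes no SPF or DMARC, so mail forged as `@oma-radio.fr` fails no check at the receiver. Add an SPF TXT with the `include:` OVH documents for its hosted-mail offer and `-all`, and a `_dmarc` TXT starting at `p=quarantine` once reports look clean. `stream.paj.ports IN TXT 9002` and `control.paj.ports IN TXT 9492` expose internal service ports to anyone who queries the zone; if only the deployment tooling consumes them, keep them in the inventory rather than in public DNS.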


@ -0,0 +1,78 @@
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "oma-radio.fr"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.oma-radio.fr";
};
zone "jean-cloud.net"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.jean-cloud.net";
};
zone "jean-cloud.org"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.jean-cloud.org";
};
zone "karnaval.fr"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.karnaval.fr";
};
zone "amaglio.fr"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.amaglio.fr";
};
zone "collectif-arthadie.fr"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.collectif-arthadie.fr";
};
zone "gypsylyonfestival.com"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.gypsylyonfestival.com";
};
zone "hid"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.hid";
};
zone "compagnienouvelle.fr"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.compagnienouvelle.fr";
};
zone "inurbe.fr"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.inurbe.fr";
};
zone "lalis.fr"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.lalis.fr";
};
zone "leida.fr"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.leida.fr";
};
zone "metamorphosemagazine.fr"{
allow-update { none; }; # We are primary DNS
type master;
file "/etc/bind/db.metamorphosemagazine.fr";
};


@ -0,0 +1,18 @@
options {
directory "/var/cache/bind";
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on { any; };
listen-on-v6 { any; };
allow-update { none; };
allow-recursion { none; };
allow-recursion-on { none; };
recursion no;
notify yes;
allow-transfer {
none;
#216.218.133.2; 2001:470:600::2; //he.net
#172.104.154.21; 2a01:7e01::f03c:92ff:fecf:e815; // nougaro
};
};
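Review bot: `allow-transfer { none; };` blocks every zone transfer, yet the zone files in this commit list `ns2.jean-cloud.net.` and `ns2`–`ns5.he.net.` as secondaries, so those servers can never load or refresh the zones and will answer SERVFAIL or stale data once their copies expire. Re-enable transfers for exactly those hosts, preferably keyed: `allow-transfer { key he-net; key nougaro; };` with matching `key`/`server` statements, or at minimum the IP list that is currently commented out inside the block. `dnssec-validation auto` has no effect on an authoritative-only server (`recursion no`) and can go; adding `version "none";` stops the server from advertising its BIND version to `CH TXT version.bind` queries.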


@ -0,0 +1,60 @@
---
# tasks file for jean-cloud-common
- name: Set hostname
ansible.builtin.hostname:
name: "{{inventory_hostname}}"
when: inventory_hostname is defined
- name: Set hostname IP
ansible.builtin.lineinfile:
path: /etc/hosts
line: "{{item}}"
with_items:
- "172.0.0.1 {{inventory_hostname}}"
- "::1 {{inventory_hostname}}"
- name: Show last changed password for security
copy:
dest: /etc/profile.d/user_last_passwd.sh
owner: root
group: root
mode: '0644'
content: |
#!/bin/bash
RED='\033[0;31m'
NC='\033[0m' # No Color
echo -e "Password last changed on $RED$(passwd -S $USER | cut -d ' ' -f 3)$NC"
- name: Install some softwares
apt:
name: ['bind9', 'certbot', 'dnsutils', 'git', 'gnupg2', 'htop', 'netcat-openbsd', 'nginx', 'rsync', 'sshfs', 'vim', 'zip']
state: latest
- name: create needed dirs
ansible.builtin.file:
path: "{{item}}"
state: directory
with_items:
- /docker
- /data
- /etc/letsencrypt
- name: Install docker-compose bash autocompletion
get_url:
url: https://raw.githubusercontent.com/docker/compose/1.29.2/contrib/completion/bash/docker-compose
dest: /etc/bash_completion.d/docker-compose
mode: '0705'
owner: 'root'
- name: Add letsencrypt crontab
ansible.builtin.lineinfile:
path: /etc/crontab
line: '26 03 * * * root letsencrypt.sh'
#TODO add this to /etc/docker/daemon.json
#{
# "iptables": false
#}
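Review bot: The `/etc/hosts` entry `172.0.0.1 {{inventory_hostname}}` is a typo for loopback: 172.0.0.1 is a routable public address, so anything resolving the host's own name through /etc/hosts (sudo, local services, `hostname -i`) is pointed at somebody else's machine. Change it to `127.0.0.1 {{inventory_hostname}}`; the `::1` line next to it is already right. The `get_url` that installs the docker-compose completion script runs as root with no `checksum:`, so a changed upstream file would be installed silently; add `checksum: sha256:<digest>`. Two smaller points: `mode: '0705'` on that file is odd (world-executable, not group-readable) and `0644` is enough for a sourced script, and `state: latest` upgrades all listed packages on every run rather than just ensuring they are present.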


@ -0,0 +1,29 @@
---
language: python
python: "2.7"
# Use the new container infrastructure
sudo: false
# Install ansible
addons:
apt:
packages:
- python-pip
install:
# Install ansible
- pip install ansible
# Check ansible version
- ansible --version
# Create ansible.cfg with correct roles_path
- printf '[defaults]\nroles_path=../' >ansible.cfg
script:
# Basic role syntax check
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/
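Review bot: The job runs an unpinned `pip install ansible` on `python: "2.7"`, for which no supported Ansible release exists any more, so the syntax check either fails or exercises a different Ansible than the one deploying these playbooks. Pin both, e.g. `python: "3.9"` and `pip install 'ansible-core==2.14.*'`, so a green build says something about production. This looks like the stock Galaxy role template; if the role is not published to Galaxy, the `notifications: webhooks:` entry can be dropped.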


@ -0,0 +1,7 @@
---
# tasks file for ordiportables
- name: Prevent suspend on lid close
ansible.builtin.lineinfile:
path: /etc/systemd/logind.conf
line: HandleLidSwitch=ignore
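Review bot: `lineinfile` with only `line:` appends `HandleLidSwitch=ignore` at the end of `logind.conf`, leaving the shipped `#HandleLidSwitch=suspend` and any later uncommented value in place, so the file can carry two active settings. Add `regexp: '^#?HandleLidSwitch='` so the existing line is replaced instead, and a `notify: restart systemd-logind` with a matching handler, since logind only reads the file when it starts.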

11
provisioning/services.yml Executable file

@ -0,0 +1,11 @@
# TODO ansible secrets
# Oma-Radio host
- name: Deploy specific services
hosts: servers
become: yes
gather_facts: no
roles:
- deploy_all


@ -0,0 +1,64 @@
# TODO ansible secrets
# Oma-Radio host
- name: Deploy specific services
hosts: nougaro.jean-cloud.net
become: no
roles:
#- role: docker-network-setup
# The proxy docker stack must be the first to be deployed
- role: prepare-nginx
- role: deploy
service_name: proxy
state: started
monitored: false
- role: deploy
service_name: nsslave.jean-cloud.net
state: started
monitored: false
- role: deploy
service_name: registry.oma-radio.fr
state: started
- role: deploy
service_name: wordpress.inurbe.fr
state: started
- role: deploy
service_name: compagnienouvelle.fr
state: started
- role: deploy
service_name: icecast.oma-radio.fr
state: started
monitored: false
remote_docker_login_user: oma
remote_docker_login_pass: KkK8Aavmm4cN6nBM
remote_docker_login_registry: http://registry.oma-radio.fr
- role: deploy
service_name: soundbase.oma-radio.fr
state: started
monitored: false
- role: deploy
service_name: paj.oma-radio.fr
state: started
monitored: false
remote_docker_login_user: oma
remote_docker_login_pass: KkK8Aavmm4cN6nBM
remote_docker_login_registry: http://registry.oma-radio.fr
#- role: deploy
# service_name: radionimaitre.oma-radio.fr
# state: started
# monitored: false
# remote_docker_login_user: oma
# remote_docker_login_pass: KkK8Aavmm4cN6nBM
# remote_docker_login_registry: http://registry.oma-radio.fr
- role: restart-nginx
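Review bot: Registry credentials are committed in clear text on the `remote_docker_login_pass:` lines (the same value three times), and the `# TODO ansible secrets` header shows this was known. Treat the password as compromised now that it is in git history: rotate it, then reference it from an `ansible-vault` encrypted variable (`remote_docker_login_pass: "{{ vault_oma_registry_pass }}"`) or a group_vars file that is never committed. `remote_docker_login_registry: http://registry.oma-radio.fr` also sends the login in plaintext; the registry has a TLS vhost elsewhere in this commit, so use `https://`. `become: no` here while `services.yml` uses `become: yes` looks inconsistent; if the deploy role needs root on nougaro it should say so.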


@ -0,0 +1,132 @@
# The host have:
# - /data -> every data
# - /docker -> deployed docker-compose files
- name: Deploy specific services
hosts: vandamme.jean-cloud.net
become: yes
roles:
#- role: docker-network-setup
# The proxy docker stack must be the first to be deployed
- role: prepare-nginx
- role: deploy
service_name: proxy
state: started
monitored: false
- role: deploy
service_name: meta-morpho.se
state: started
- role: deploy
service_name: mailer.jean-cloud.net
state: started
remote_docker_login_user: jean-cloud
remote_docker_login_pass: KaJefxXiNr327EfG4suYD2PM4tYF5Jy8AhMYntfdjVhX
monitored: false
- role: deploy
service_name: static.jean-cloud.net
state: started
- role: deploy
service_name: ssh
state: started
monitored: false
#- role: deploy
# service_name: myrrdel.jean-cloud.net
# state: started
- role: deploy
service_name: collectif-arthadie.fr
state: started
#- role: deploy
# service_name: karna.jean-cloud.net
# state: started
- role: deploy
service_name: oma-radio.fr
state: started
- role: deploy
service_name: rpnow.jean-cloud.net
state: started
- role: deploy
service_name: ns.jean-cloud.org
state: started
monitored: false
- role: deploy
service_name: gmx-webmail.jean-cloud.net
state: started
- role: deploy
service_name: registry.jean-cloud.net
state: started
- role: deploy
service_name: inurbe.fr
state: started
- role: deploy
service_name: feteducourt.jean-cloud.net
state: started
remote_docker_login_user: jean-cloud
remote_docker_login_pass: KaJefxXiNr327EfG4suYD2PM4tYF5Jy8AhMYntfdjVhX
- role: deploy
service_name: feteducourt2020.jean-cloud.net
state: started
remote_docker_login_user: jean-cloud
remote_docker_login_pass: KaJefxXiNr327EfG4suYD2PM4tYF5Jy8AhMYntfdjVhX
- role: deploy
service_name: leida.fr
state: started
- role: deploy
service_name: lalis.fr
state: started
- role: deploy
service_name: amaglio.fr
state: started
- role: deploy
service_name: velov.jean-cloud.net
state: started
- role: deploy
service_name: cousinades.jean-cloud.net
state: started
monitored: false # web cant pass basic auth yet
- role: deploy
service_name: cousinades2.jean-cloud.net
state: started
monitored: false # web cant pass basic auth yet
- role: deploy
service_name: nuage.jean-cloud.net
state: started
- role: deploy
service_name: git.jean-cloud.net
state: started
- role: deploy
service_name: wiki-cgr.jean-cloud.net
state: started
- role: deploy
service_name: jean-cloud.net
state: started
- role: restart-nginx
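Review bot: The same registry password appears three times in clear text on the `remote_docker_login_pass:` lines; it is now in git history and should be rotated, then referenced from an `ansible-vault` variable rather than typed into the play. Repeating `remote_docker_login_user`/`_pass` per role invocation invites drift: set them once under `vars:` on the play (or in `group_vars/vandamme.jean-cloud.net`) and let each `deploy` role inherit them. The header already says `# TODO ansible secrets`; this is the place to do it before the repository is shared further.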

87
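--- a/services/_proxy/nginx.conf
+++ b/services/_proxy/nginx.conf
@@ -0,0 +1,87 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+events {
+worker_connections 768;
+# multi_accept on;
+}
+http {
+##
+# Basic Settings
+##
+sendfile on;
+tcp_nopush on;
+tcp_nodelay on;
+keepalive_timeout 65;
+types_hash_max_size 2048;
+# server_tokens off;
+server_names_hash_bucket_size 128;
+# server_name_in_redirect off;
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+##
+# SSL Settings
+##
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+ssl_prefer_server_ciphers on;
+##
+# Logging Settings
+##
+access_log /var/log/nginx/access.log;
+error_log /var/log/nginx/error.log;
+log_format compression '$remote_addr - $remote_user [$time_local] '
+'"$request" $status $body_bytes_sent '
+'"$http_referer" "$http_user_agent" "$gzip_ratio"';
+##
+# Gzip Settings
+##
+gzip on;
+gzip_disable "msie6";
+# gzip_vary on;
+# gzip_proxied any;
+# gzip_comp_level 6;
+# gzip_buffers 16 8k;
+# gzip_http_version 1.1;
+# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+# Maintenance
+#error_page 503 https://jean-cloud.net/503;
+# limit requests
+limit_req_status 429;
+limit_req_zone $binary_remote_addr zone=defaultlimit:10m rate=30r/s;
+limit_req zone=defaultlimit burst=100 nodelay;
+limit_conn_zone $request_uri zone=defaultconumber:10m;
+limit_conn defaultconumber 20;
+##
+# Virtual Host Configs
+##
+include /etc/nginx/conf.d/*.conf;
+include /etc/nginx/sites-enabled/*;
+server{
+listen 80 default_server;
+listen [::]:80 default_server;
+location '/.well-known/acme-challenge' {
+root /var/www/letsencrypt;
+default_type "text/plain";
+try_files $uri $uri/ =404;
+}
+location / {
+return 301 https://$host$request_uri;
+}
+}
+}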
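Review bot: `limit_conn_zone $request_uri zone=defaultconumber:10m;` with `limit_conn defaultconumber 20;` caps concurrent connections per URL across all clients rather than per client, so twenty slow connections to one path (the front page, say) lock every other visitor out of it with a 503. Key the zone on the client instead: `limit_conn_zone $binary_remote_addr zone=defaultconumber:10m;`. `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` keeps the deprecated versions on; set `ssl_protocols TLSv1.2 TLSv1.3;` here, because several vhosts in this commit (amaglio.fr, cousinades, the WordPress proxies) inherit this default and per-vhost overrides may not be honoured for version negotiation. `# server_tokens off;` is commented out, so the nginx version is printed on every error page; uncomment it. There is no `default_server` on 443, so a request for a name no vhost claims is answered by the first 443 server block with that site's certificate; a catch-all `listen 443 ssl default_server;` block returning `444` with a self-signed certificate avoids leaking one site under another's name.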

13
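--- a/services/_proxy/readme
+++ b/services/_proxy/readme
@@ -0,0 +1,13 @@
+resolver
+Les adresse dns créées par docker à la volée lorsquun conteneur démarre ne sont pas forcemment toutes disponibles au lancement de nginx.
+Or nginx neffectue par défaut quune résolution dadresse : au démarrage du service.
+Pour avoir une résolution dynamique, il faut avoir une variable dans le nom de domaine et spécifier un résolveur:
+```
+set $empty '';
+resolver 127.0.0.11 valid=30m;
+fastcgi_pass files_jean-cloud_org$empty:9000;
+```
+CETTE SOLUTION EST COÙTEUSE LORS DES REQUÊTES
+Nous choisirons de conserver la configuration statique des noms et de tester quils soient tous accessibles avant chaque redémarrage via la commande `nginx -t`
+UPDATE 2022 : on utilise des IP, comme ça pas de surprises :p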


@ -0,0 +1,15 @@
version: '3'
services:
sshd:
image: atmoz/sftp
volumes:
- /data/ssh/ssh_host_ed25519_key:/etc/ssh/ssh_host_ed25519_key
- /data/ssh/ssh_host_rsa_key:/etc/ssh/ssh_host_rsa_key
- /data/leida.fr:/home/leida/sftp
- /data/lalis.fr:/home/lalis/sftp
- /data/oma-radio.fr:/home/oma/sftp
- /data/collectif-arthadie.fr/wordpress:/home/collectifarthadie/sftp
- /data/ssh/users.conf:/etc/sftp/users.conf:ro
ports:
- '2222:22'
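Review bot: The SSH host private keys are bind-mounted read-write (`/data/ssh/ssh_host_ed25519_key:/etc/ssh/ssh_host_ed25519_key` and the RSA one), while `users.conf`, which carries the account list and password hashes, is correctly `:ro`; mount the keys `:ro` too so a compromised sshd cannot replace them. `image: atmoz/sftp` with no tag pulls whatever `latest` is at deploy time; pin a tag or digest so an upstream change is not pulled silently. There is no `restart:` policy, unlike the other services in this commit, so the SFTP endpoint stays down after a host reboot until someone redeploys. Whether mapping `collectifarthadie`'s home onto the live WordPress document root (which lets that SFTP user drop PHP the wp container will execute) is intended cannot be judged from here, but it deserves a comment on the line.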


@ -0,0 +1,55 @@
version: '3'
services:
roundcube:
image: roundcube/roundcubemail:1.4.x-apache
restart: "unless-stopped"
depends_on:
- db
volumes:
- /data/amaglio.fr/app/plugins/enigma/home:/var/www/html/plugins/enigma/home
- /data/amaglio.fr/app/config/config.inc.php:/var/www/html/config/config.inc.php
- /data/amaglio.fr/app/enigma_pgp_homedir:/data/enigma_pgp_homedir
env_file: /data/amaglio.fr/env
environment:
ROUNDCUBEMAIL_DB_TYPE: pgsql
ROUNDCUBEMAIL_DB_HOST: db
ROUNDCUBEMAIL_DB_USER: postgres
ROUNDCUBEMAIL_DB_NAME: postgres
ROUNDCUBEMAIL_UPLOAD_MAX_FILESIZE: 25M
# imap server
ROUNDCUBEMAIL_DEFAULT_HOST: ssl://mail20.lwspanel.com
ROUNDCUBEMAIL_DEFAULT_PORT: 993
ROUNDCUBEMAIL_SMTP_SERVER: tls://mail20.lwspanel.com
ROUNDCUBEMAIL_SMTP_PORT: 587
ROUNDCUBEMAIL_PLUGINS: archive,zipdownload,enigma,attachment_reminder
networks:
default:
ipv4_address: 172.29.5.100
deploy:
resources:
limits:
cpus: '0.50'
memory: 100M
db:
# https://hub.docker.com/_/postgres?tab=description
image: postgres:9.6-alpine
restart: "unless-stopped"
env_file: /data/amaglio.fr/env
volumes:
- /data/amaglio.fr/db:/var/lib/postgresql/data
networks:
default:
ipv4_address: 172.29.5.101
deploy:
resources:
limits:
cpus: '0.50'
memory: 100M
networks:
default:
ipam:
config:
- subnet: 172.29.5.0/24
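Review bot: Roundcube connects as `ROUNDCUBEMAIL_DB_USER: postgres`, the database superuser, so any SQL injection or bug in the webmail gets full control of the database cluster; create a dedicated role and database for the application and put that name here. Both `postgres:9.6-alpine` (end of life November 2021) and `roundcube/roundcubemail:1.4.x-apache` (the 1.4 branch is no longer maintained) receive no security fixes; upgrading is the larger piece of work but should be scheduled. The shared `env_file: /data/amaglio.fr/env` is presumably where `POSTGRES_PASSWORD` lives, which also means the roundcube container sees every other variable in that file; splitting it per service keeps the blast radius smaller.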


@ -0,0 +1,40 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/amaglio.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/amaglio.fr/privkey.pem;
server_name amaglio.fr www.amaglio.fr;
# root /data/amaglio.fr/app;
#
client_max_body_size 1024M;
charset utf-8;
#
# index index.php;
#
# location ~ ^/roundcube/(bin|SQL|config|temp|logs)/ {
# deny all;
# }
#
# location ~ /roundcube/\.(js|css|png|jpg|jpeg|gif|ico)$ {
# expires max;
# log_not_found off;
# }
#
location / {
proxy_pass http://172.29.5.100;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
}
#
# location ~ \.php$ {
# fastcgi_split_path_info ^(.+\.php)(/.*)$;
# include fastcgi_params;
# fastcgi_param SCRIPT_FILENAME /var/www/html/$fastcgi_script_name;
# fastcgi_param PATH_INFO $fastcgi_path_info;
# fastcgi_pass amaglio.fr:9000;
# fastcgi_index index.php;
# }
}
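Review bot: The proxy block forwards `Host` and `X-Forwarded-For` but not the scheme, so Roundcube behind this TLS terminator cannot tell the request was HTTPS; add `proxy_set_header X-Forwarded-Proto https;` as the WordPress vhosts in this commit do, otherwise generated URLs and the `Secure` cookie flag may come out wrong. `X-Forwarded-For $remote_addr` discards any chain the request arrived with, which is fine for a first hop, but `X-Real-IP $remote_addr` is what most PHP applications and fail2ban filters read. The server block sets no `ssl_protocols`, so it inherits the `TLSv1 TLSv1.1 TLSv1.2` default from the global nginx.conf.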


@ -0,0 +1,2 @@
DATA_DIR=/data/benevoles.karnaval.fr
JC_HOST=benevoles.karnaval.fr


@ -0,0 +1,60 @@
version: '3'
services:
app:
image: jeancloud/site-benevole:dev-karna
environment:
UID: 33
MOUNT: /
volumes:
- /tmp/uwsgi/$JC_HOST:/tmp/uwsgi
- $DATA_DIR/assets:/usr/src/app/assets
- $DATA_DIR/media:/usr/src/app/media
- $DATA_DIR/local_settings.py:/usr/src/app/site_benevole/local_settings.py
restart: unless-stopped
networks:
default:
ipv4_address: 172.29.17.100
db:
image: postgres:9.6-alpine
env_file: $DATA_DIR/postgres.env
environment:
POSTGRES_USER: benevoles
POSTGRES_DB: benevoles
volumes:
- $DATA_DIR/db:/var/lib/postgresql/data
networks:
default:
ipv4_address: 172.29.17.101
app2:
image: jeancloud/site-benevole:dev-karna-debian
environment:
UID: 33
MOUNT: /
volumes:
- /tmp/uwsgi/app2/$JC_HOST:/tmp/uwsgi
- $DATA_DIR/app2/assets:/usr/src/app/assets
- $DATA_DIR/app2/media:/usr/src/app/media
- $DATA_DIR/app2/local_settings.py:/usr/src/app/site_benevole/local_settings.py
restart: unless-stopped
networks:
default:
ipv4_address: 172.29.17.110
db2:
image: postgres:9.6-alpine
env_file: $DATA_DIR/postgres.env
environment:
POSTGRES_USER: benevoles
POSTGRES_DB: benevoles
volumes:
- $DATA_DIR/db2:/var/lib/postgresql/data
networks:
default:
ipv4_address: 172.29.17.111
networks:
default:
ipam:
config:
- subnet: 172.29.17.0/24
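Review bot: Both database services run `postgres:9.6-alpine`, which stopped receiving fixes in November 2021, and neither has a `restart:` policy, so after a reboot the two apps come back without their databases. The uWSGI sockets are exchanged through host `/tmp/uwsgi/…`, a world-writable location; any local user on the host who can reach the socket can speak the uwsgi protocol to the application directly, bypassing nginx and its TLS and any auth, so put the directory under `/run/uwsgi` (or `$DATA_DIR/run`) with restrictive ownership. `db` and `db2` share `$DATA_DIR/postgres.env`, so they share a password; probably deliberate for a staging copy, but worth a comment. Pinning `postgres:15-alpine` and adding `restart: unless-stopped` is a two-line change per service.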


@ -0,0 +1,110 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/$JC_HOST/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$JC_HOST/privkey.pem;
server_name $JC_HOST benevoles31.karnaval.fr;
root /data/benevoles.karnaval.fr/assets;
gzip on;
gzip_static on;
gzip_types application/javascript image/* text/css application/font-woff application/font-woff2;
gunzip on;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_buffer_size 4k;
client_max_body_size 4M;
location / {
include uwsgi_params;
uwsgi_pass unix:/tmp/uwsgi/benevoles.karnaval.fr/uwsgi.sock;
}
location = /favicon.ico {
root /data/benevoles.karnaval.fr/assets/;
}
location = /favicon-admin.ico {
root /data/benevoles.karnaval.fr/assets/;
}
location /assets/ {
alias /data/benevoles.karnaval.fr/assets/;
access_log off;
sendfile on;
tcp_nopush on;
sendfile_max_chunk 1m;
keepalive_timeout 65;
location ~* \.(jpg|jpeg|png|gif|ico|woff|woff2)$ {
access_log off;
expires 5d;
}
}
location /media/ {
alias /data/benevoles.karnaval.fr/media/;
access_log off;
sendfile on;
tcp_nopush on;
sendfile_max_chunk 1m;
keepalive_timeout 65;
}
}
server {
listen 444 ssl http2;
listen [::]:444 ssl http2;
ssl_certificate /etc/letsencrypt/live/$JC_HOST/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$JC_HOST/privkey.pem;
server_name $JC_HOST;
root /data/benevoles.karnaval.fr/app2/assets;
gzip on;
gzip_static on;
gzip_types application/javascript image/* text/css application/font-woff application/font-woff2;
gunzip on;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_buffer_size 4k;
client_max_body_size 4M;
location / {
include uwsgi_params;
uwsgi_pass unix:/tmp/uwsgi/app2/benevoles.karnaval.fr/app2/uwsgi.sock;
}
location = /favicon.ico {
root /data/benevoles.karnaval.fr/app2/assets/;
}
location = /favicon-admin.ico {
root /data/benevoles.karnaval.fr/app2/assets/;
}
location /assets/ {
alias /data/benevoles.karnaval.fr/app2/assets/;
access_log off;
sendfile on;
tcp_nopush on;
sendfile_max_chunk 1m;
keepalive_timeout 65;
location ~* \.(jpg|jpeg|png|gif|ico|woff|woff2)$ {
access_log off;
expires 5d;
}
}
location /media/ {
alias /data/benevoles.karnaval.fr/app2/media/;
access_log off;
sendfile on;
tcp_nopush on;
sendfile_max_chunk 1m;
keepalive_timeout 65;
}
}
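Review bot: The second server block's `uwsgi_pass unix:/tmp/uwsgi/app2/benevoles.karnaval.fr/app2/uwsgi.sock` does not line up with the compose file, which mounts host `/tmp/uwsgi/app2/$JC_HOST` at `/tmp/uwsgi` inside `app2`; unless the application writes into a nested `app2/` subdirectory of that mount, the socket will be at `/tmp/uwsgi/app2/benevoles.karnaval.fr/uwsgi.sock` and nginx will answer 502. `location /media/` serves the application's upload directory straight from disk with no content-type hardening, so if users can upload, an `.html` or `.svg` file runs script in the site's origin; `add_header X-Content-Type-Options nosniff;` and, for non-image uploads, `add_header Content-Disposition attachment;` limit that. The port-444 server reuses the same certificate and name, which is fine, but reachability only by those who know the port is not an access control.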


@ -0,0 +1,49 @@
version: '3.1'
services:
wp:
image: wordpress:5.3-apache
restart: unless-stopped
env_file: /data/collectif-arthadie.fr/env
environment:
WORDPRESS_DB_HOST: db
WORDPRESS_DB_USER: wpdbuser
WORDPRESS_DB_NAME: wpdb
volumes:
- /data/collectif-arthadie.fr/wordpress:/var/www/html
- /data/collectif-arthadie.fr/static:/var/www/html/static
networks:
default:
ipv4_address: 172.29.6.100
deploy:
resources:
limits:
cpus: '0.50'
memory: 100M
db:
image: mariadb:10.4
restart: unless-stopped
env_file: /data/collectif-arthadie.fr/env
environment:
MYSQL_DATABASE: wpdb
MYSQL_USER: wpdbuser
MYSQL_RANDOM_ROOT_PASSWORD: 'yes'
volumes:
- /data/collectif-arthadie.fr/db:/var/lib/mysql
networks:
default:
ipv4_address: 172.29.6.101
deploy:
resources:
limits:
cpus: '0.50'
memory: 100M
networks:
default:
ipam:
config:
- subnet: 172.29.6.0/24
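Review bot: `image: wordpress:5.3-apache` pins the container to a 2019 core release that no longer receives security backports, and because `/var/www/html` is a bind mount, the core actually running is whatever was last written to the volume, which the image tag cannot tell you. Pin to a maintained line (`wordpress:6-apache`) and let core auto-updates run inside the volume, or treat the mounted directory as the source of truth and update it explicitly, but document which. `mariadb:10.4` was still supported when this was committed but is the oldest MariaDB line in the repository; aligning services on one version simplifies upgrades.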


@ -0,0 +1,28 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/collectif-arthadie.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/collectif-arthadie.fr/privkey.pem;
server_name wordpress.collectif-arthadie.fr www.wordpress.collectif-arthadie.fr;
location / {
client_max_body_size 2G;
#proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto https;
proxy_pass http://172.29.6.100;
proxy_redirect off;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/collectif-arthadie.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/collectif-arthadie.fr/privkey.pem;
server_name collectif-arthadie.fr www.collectif-arthadie.fr;
location / {
root /data/collectif-arthadie.fr/static;
try_files $uri $uri/ =404;
}
}
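Review bot: The `wordpress.collectif-arthadie.fr` vhost proxies the full WordPress backend, including `wp-login.php` and `xmlrpc.php`, with no `auth_basic` and with the client-address header commented out (`#proxy_set_header X-Real-IP $remote_addr;`), so WordPress sees every visitor as the docker gateway address and no per-IP brute-force protection can work on either side. Uncomment that line (or add `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`) and consider the `auth_basic` gate the compagnienouvelle.fr vhost uses, since the public site is the static export and the backend is only for editors. The static vhost has no `/wp-login.php` redirect like feministesucl34's; harmless, since it 404s, but inconsistent.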


@ -0,0 +1 @@
DATA_DIR=/data/compagnienouvelle.fr


@ -0,0 +1,43 @@
version: '3.1'
services:
wp:
image: wordpress:5-apache
restart: unless-stopped
env_file: $DATA_DIR/wordpress.env
environment:
TZ: Europe/Paris
volumes:
- $DATA_DIR/wordpress:/var/www/html
- $DATA_DIR/static:/var/www/html/static
networks:
default:
ipv4_address: 172.29.7.100
deploy:
resources:
limits:
cpus: '0.50'
memory: 100M
db:
image: mariadb:10.7
restart: unless-stopped
environment:
TZ: Europe/Paris
volumes:
- $DATA_DIR/db:/var/lib/mysql
networks:
default:
ipv4_address: 172.29.7.101
deploy:
resources:
limits:
cpus: '0.50'
memory: 100M
networks:
default:
ipam:
config:
- subnet: 172.29.7.0/24
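Review bot: The `db` service has no `env_file` and no `MYSQL_*`/`MARIADB_*` variables, and the official `mariadb` image refuses to initialise a data directory without a root-password setting (`MARIADB_ROOT_PASSWORD`, `_RANDOM_ROOT_PASSWORD` or `_ALLOW_EMPTY_ROOT_PASSWORD`), so this presumably works only because `$DATA_DIR/db` already exists; a fresh deploy or a restore onto a new host will fail. Add `env_file: $DATA_DIR/wordpress.env` (or a dedicated `db.env`) plus `MYSQL_RANDOM_ROOT_PASSWORD: 'yes'` and the `MYSQL_DATABASE`/`MYSQL_USER` pair, as the collectif-arthadie.fr compose file does. The `wp` service likewise shows no `WORDPRESS_DB_*` variables, so everything including `WORDPRESS_DB_HOST` must live in `wordpress.env`; a one-line comment saying so saves the next person a failed start.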


@ -0,0 +1,30 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/compagnienouvelle.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/compagnienouvelle.fr/privkey.pem;
server_name wordpress.compagnienouvelle.fr www.wordpress.compagnienouvelle.fr;
location / {
auth_basic "Mot de passe !";
auth_basic_user_file /data/compagnienouvelle.fr/pass.txt;
client_max_body_size 2G;
#proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto https;
proxy_pass http://172.29.7.100;
proxy_redirect off;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/compagnienouvelle.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/compagnienouvelle.fr/privkey.pem;
server_name compagnienouvelle.fr www.compagnienouvelle.fr;
location / {
root /data/compagnienouvelle.fr/static;
try_files $uri $uri/ =404;
}
}


@ -0,0 +1,58 @@
[class-ss-plugin.php:232] Received request to start generating a static archive
[class-ss-archive-creation-job.php:61] Starting a job; no job is presently running
[class-ss-archive-creation-job.php:62] Here's our task list: setup, fetch_urls, transfer_files_locally, wrapup
[class-ss-archive-creation-job.php:76] Pushing first task to queue: setup
[class-ss-archive-creation-job.php:105] Current task: setup
[class-ss-archive-creation-job.php:120] Performing task: setup
[class-ss-task.php:38] Status message: [setup] Mise en place
[class-ss-setup-task.php:23] Creating archive directory: /var/www/html/wp-content/plugins/simply-static/static-files/simply-static-1-1603638186/
[class-ss-setup-task.php:57] Adding origin URL to queue: https://wordpress.mysite.com/
[class-ss-setup-task.php:68] Adding additional URL to queue: https://wordpress.mysite.com/wp-includes/js/wp-emoji-release.min.js
[class-ss-setup-task.php:99] Adding files from directory: /var/www/html/wp-content/uploads/
[class-ss-archive-creation-job.php:142] We've found our next task: fetch_urls
[class-ss-archive-creation-job.php:105] Current task: fetch_urls
[class-ss-archive-creation-job.php:120] Performing task: fetch_urls
[class-ss-fetch-urls-task.php:37] Total pages: 2; Pages remaining: 2
[class-ss-fetch-urls-task.php:40] URL: https://wordpress.mysite.com/
[class-ss-fetch-urls-task.php:50] URL is not being excluded
[class-ss-url-fetcher.php:85] Fetching URL and saving it to: /tmp/5f9593ab13a6a-QXn1T1.tmp
[class-ss-url-fetcher.php:89] Filesize: 26432 bytes
[class-ss-url-fetcher.php:104] http_status_code: 200 | content_type: text/html; charset=UTF-8
[class-ss-url-fetcher.php:180] New filename for static page: index.html
[class-ss-url-fetcher.php:120] Renaming temp file from /tmp/5f9593ab13a6a-QXn1T1.tmp to /var/www/html/wp-content/plugins/simply-static/static-files/simply-static-1-1603638186/index.html
[class-ss-fetch-urls-task.php:99] Extracting URLs and replacing URLs in the static file
[class-ss-fetch-urls-task.php:106] Adding 0 URLs to the queue
[class-ss-fetch-urls-task.php:117] We're saving this URL; keeping the static file
[class-ss-fetch-urls-task.php:40] URL: https://wordpress.mysite.com/wp-includes/js/wp-emoji-release.min.js
[class-ss-fetch-urls-task.php:50] URL is not being excluded
[class-ss-url-fetcher.php:85] Fetching URL and saving it to: /tmp/5f9593ab2d225-A0zDVK.tmp
[class-ss-url-fetcher.php:89] Filesize: 14246 bytes
[class-ss-url-fetcher.php:104] http_status_code: 200 | content_type: application/javascript
[class-ss-url-fetcher.php:180] New filename for static page: wp-includes/js/wp-emoji-release.min.js
[class-ss-url-fetcher.php:120] Renaming temp file from /tmp/5f9593ab2d225-A0zDVK.tmp to /var/www/html/wp-content/plugins/simply-static/static-files/simply-static-1-1603638186/wp-includes/js/wp-emoji-release.min.js
[class-ss-fetch-urls-task.php:99] Extracting URLs and replacing URLs in the static file
[class-ss-fetch-urls-task.php:106] Adding 0 URLs to the queue
[class-ss-fetch-urls-task.php:117] We're saving this URL; keeping the static file
[class-ss-task.php:38] Status message: [fetch_urls] 0 pages/fichiers sur 2 générés
[class-ss-archive-creation-job.php:147] We're not done with the fetch_urls task yet
[class-ss-archive-creation-job.php:105] Current task: fetch_urls
[class-ss-archive-creation-job.php:120] Performing task: fetch_urls
[class-ss-fetch-urls-task.php:37] Total pages: 2; Pages remaining: 0
[class-ss-task.php:38] Status message: [fetch_urls] 2 pages/fichiers sur 2 générés
[class-ss-archive-creation-job.php:142] We've found our next task: transfer_files_locally
[class-ss-archive-creation-job.php:105] Current task: transfer_files_locally
[class-ss-archive-creation-job.php:120] Performing task: transfer_files_locally
[class-ss-transfer-files-locally-task.php:64] Total pages: 2; Pages remaining: 2
[class-ss-archive-creation-job.php:147] We're not done with the transfer_files_locally task yet
[class-ss-archive-creation-job.php:105] Current task: transfer_files_locally
[class-ss-archive-creation-job.php:120] Performing task: transfer_files_locally
[class-ss-transfer-files-locally-task.php:64] Total pages: 2; Pages remaining: 0
[class-ss-task.php:38] Status message: [transfer_files_locally] 2 fichiers sur 2 copiés
[class-ss-archive-creation-job.php:142] We've found our next task: wrapup
[class-ss-archive-creation-job.php:105] Current task: wrapup
[class-ss-archive-creation-job.php:120] Performing task: wrapup
[class-ss-wrapup-task.php:13] Deleting temporary files
[class-ss-task.php:38] Status message: [wrapup] Fin du processus
[class-ss-archive-creation-job.php:138] This task is done and there are no more tasks, time to complete the job
[class-ss-archive-creation-job.php:161] Completing the job
[class-ss-archive-creation-job.php:271] Status message: [done] Effectué ! Fini en 00:00:01


@ -0,0 +1,2 @@
version: '3.1'


@ -0,0 +1,30 @@
#server {
# listen 443 ssl http2;
# listen [::]:443 ssl http2;
# ssl_certificate /etc/letsencrypt/live/copaines.jean-cloud.net/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/copaines.jean-cloud.net/privkey.pem;
# server_name wordpress.copaines.jean-cloud.net www.wordpress.copaines.jean-cloud.net;
# location / {
# auth_basic "Mot de passe !";
# auth_basic_user_file /data/copaines.jean-cloud.net/pass.txt;
# client_max_body_size 2G;
# #proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header Host $http_host;
# proxy_set_header X-Forwarded-Proto https;
# proxy_pass http://wp.copainesjean-cloudnet.docker;
# proxy_redirect off;
# }
#}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/copaines.jean-cloud.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/copaines.jean-cloud.net/privkey.pem;
server_name copaines.jean-cloud.net www.copaines.jean-cloud.net;
location / {
root /data/copaines.jean-cloud.net/static;
try_files $uri $uri/ =404;
}
}
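Review bot: The commented-out `wordpress.copaines.jean-cloud.net` block is dead configuration still pointing at a docker DNS name (`wp.copainesjean-cloudnet.docker`) that the proxy readme says is no longer used, while the zone file earlier in this commit still publishes `wordpress.copaines` and `www.wordpress.copaines` CNAMEs; requests for those names therefore land on whichever 443 server block nginx treats as default and are answered with another site's certificate. Either remove the block and the DNS records together, or keep a minimal server for those names that returns `444`. Git history keeps the old block if it is ever needed again.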


@ -0,0 +1,6 @@
FROM php:7.2-fpm-alpine
#RUN apt-get update && apt-get install -y libpq-dev && docker-php-ext-install pdo pdo_pgsql
RUN set -ex \
&& apk --no-cache add \
postgresql-dev
RUN docker-php-ext-install pdo_pgsql
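Review bot: `FROM php:7.2-fpm-alpine` is a PHP branch that reached end of life in November 2020, and as an untagged minor it resolves to whatever the last 7.2 build was, so the app inherits every unpatched interpreter bug and rebuilds are not reproducible. Move to a supported line (`php:8.2-fpm-alpine`) after checking the application, and pin the full tag. The two `RUN` layers can be merged into `RUN apk add --no-cache postgresql-dev && docker-php-ext-install pdo_pgsql`; `postgresql-dev` is only needed at build time, so a `--virtual` build dependency that keeps `libpq` installed would also shrink the image.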


@ -0,0 +1,35 @@
version: '3'
services:
app:
build: .
volumes:
- /data/cousinades.jean-cloud.net/public:/usr/src/app
restart: unless-stopped
networks:
default:
ipv4_address: 172.29.4.100
deploy:
resources:
limits:
cpus: '0.50'
memory: 100M
db:
image: postgres:9.6-alpine
volumes:
- /data/cousinades.jean-cloud.net/db:/var/lib/postgresql/data
networks:
default:
ipv4_address: 172.29.4.101
deploy:
resources:
limits:
cpus: '0.50'
memory: 100M
networks:
default:
ipam:
config:
- subnet: 172.29.4.0/24
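Review bot: The `db` service sets no `POSTGRES_PASSWORD` and no `env_file`, which the official `postgres` image has refused to start without since 2020 unless `POSTGRES_HOST_AUTH_METHOD=trust` is given; as with compagnienouvelle.fr this presumably only works because `/data/cousinades.jean-cloud.net/db` is already initialised. Add an `env_file` with the credentials so a fresh deploy works, and `restart: unless-stopped` on `db` to match `app`. `postgres:9.6-alpine` is end of life (November 2021). The PHP app's database credentials must live somewhere under `/data/cousinades.jean-cloud.net/public`, which is also the nginx `root` for this site; make sure that file sits outside `public` or is blocked in the vhost.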


@ -0,0 +1,25 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/cousinades.jean-cloud.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cousinades.jean-cloud.net/privkey.pem;
server_name cousinades.jean-cloud.net www.cousinades.jean-cloud.net;
index index.php;
root /data/cousinades.jean-cloud.net/public;
location / {
#auth_basic "Restricted";
#auth_basic_user_file /data/cousinades.jean-cloud.net/private/passwords.txt;
try_files $uri $uri/ =404;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass 172.29.4.100:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /usr/src/app/$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
}
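Review bot: `location ~ \.php$` hands every `*.php` URI to PHP-FPM without checking that the file exists; for `/uploads/image.jpg/x.php` nginx sends `SCRIPT_FILENAME=/usr/src/app/uploads/image.jpg/x.php`, and PHP-FPM's default `cgi.fix_pathinfo=1` walks that back to the existing `image.jpg` as the script, with only the pool's `security.limit_extensions` default standing between an upload and execution. Add `try_files $uri =404;` as the first line of that location so only real scripts reach FPM. The `#auth_basic` lines are commented out while the playbook marks this service `monitored: false # web cant pass basic auth yet`, so either the gate is missing or that comment is stale; worth aligning.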


@ -0,0 +1,6 @@
FROM php:7.2-fpm-alpine
#RUN apt-get update && apt-get install -y libpq-dev && docker-php-ext-install pdo pdo_pgsql
RUN set -ex \
&& apk --no-cache add \
postgresql-dev
RUN docker-php-ext-install pdo_pgsql


@ -0,0 +1,35 @@
version: '3'
services:
app:
build: .
volumes:
- /data/cousinades2.jean-cloud.net/public:/usr/src/app
restart: unless-stopped
networks:
default:
ipv4_address: 172.29.8.101
deploy:
resources:
limits:
cpus: '0.50'
memory: 100M
db:
image: postgres:9.6-alpine
volumes:
- /data/cousinades2.jean-cloud.net/db:/var/lib/postgresql/data
networks:
default:
ipv4_address: 172.29.8.101
deploy:
resources:
limits:
cpus: '0.50'
memory: 100M
networks:
default:
ipam:
config:
- subnet: 172.29.8.0/24
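Review bot: `app` and `db` are both given `ipv4_address: 172.29.8.101`, so the second container to start fails with an address-in-use error from the network driver, and the nginx vhost for this service passes PHP to `172.29.8.100:9000`, an address nothing in this file owns. Change the `app` line to `ipv4_address: 172.29.8.100` to match the vhost and the convention every other service here uses (`.100` for the app, `.101` for the database). The remarks on cousinades.jean-cloud.net apply here too: no `POSTGRES_PASSWORD` or `env_file` on `db`, no `restart:` on `db`, and `postgres:9.6-alpine` is end of life.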


@ -0,0 +1,25 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/cousinades2.jean-cloud.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cousinades2.jean-cloud.net/privkey.pem;
server_name cousinades2.jean-cloud.org www.cousinades2.jean-cloud.org;
index index.php;
root /data/cousinades2.jean-cloud.net/public;
location / {
#auth_basic "Restricted";
#auth_basic_user_file /data/cousinades2.jean-cloud.net/private/passwords.txt;
try_files $uri $uri/ =404;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass 172.29.8.100:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /usr/src/app/$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
}
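Review bot: `server_name cousinades2.jean-cloud.org www.cousinades2.jean-cloud.org;` does not match the certificate two lines above, which is issued for `cousinades2.jean-cloud.net`, so clients reaching this vhost by name get a certificate-mismatch error unless that certificate's SANs also cover the `.org` names, which cannot be checked here. Given the `root` and certificate paths and the `cousinades2.jean-cloud.net` entry in the playbook, `.org` is most likely a typo for `.net`. As in the sibling vhost, `location ~ \.php$` should begin with `try_files $uri =404;` so only existing scripts reach PHP-FPM.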


@ -0,0 +1,49 @@
version: '3.1'
services:
wp:
image: wordpress:5.8-apache
restart: unless-stopped
env_file: /data/feministesucl34.jean-cloud.net/env
environment:
WORDPRESS_DB_HOST: db
WORDPRESS_DB_USER: wpdbuser
WORDPRESS_DB_NAME: wpdb
#WORDPRESS_CONFIG_EXTRA: "define( 'WP_HOME', 'https://feministesucl34.jean-cloud.net/wordpress' ); define( 'WP_SITEURL', 'https://feministesucl34.jean-cloud.net/wordpress' );"
volumes:
- /data/feministesucl34.jean-cloud.net/wordpress:/var/www/html
- /data/feministesucl34.jean-cloud.net/static:/var/www/html/static
networks:
default:
ipv4_address: 172.29.9.100
deploy:
resources:
limits:
cpus: '0.50'
memory: 100M
db:
image: mariadb:10.4
restart: unless-stopped
env_file: /data/feministesucl34.jean-cloud.net/env
environment:
MYSQL_DATABASE: wpdb
MYSQL_USER: wpdbuser
MYSQL_RANDOM_ROOT_PASSWORD: 'yes'
volumes:
- /data/feministesucl34.jean-cloud.net/db:/var/lib/mysql
networks:
default:
ipv4_address: 172.29.9.101
deploy:
resources:
limits:
cpus: '0.50'
memory: 100M
networks:
default:
ipam:
config:
- subnet: 172.29.9.0/24
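Review bot: `image: wordpress:5.8-apache` pins a WordPress release from 2021 that has several later security fixes; because `/var/www/html` is a persisted volume, the site stays on whatever core version was first extracted unless auto-updates run inside the container, so a current major tag such as `image: wordpress:6-apache` plus a redeploy is the safer baseline. `mariadb:10.4` is likewise near the end of its support window. Credentials are correctly kept out of the repository via `env_file`, but the same file is handed to both `wp` and `db`, so each container also sees the other's variables; splitting it limits what a compromise of either container reveals.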


@ -0,0 +1,32 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/feministesucl34.jean-cloud.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/feministesucl34.jean-cloud.net/privkey.pem;
server_name wordpress.feministesucl34.jean-cloud.net www.wordpress.feministesucl34.jean-cloud.net;
location / {
client_max_body_size 2G;
#proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto https;
proxy_pass http://172.29.9.100;
proxy_redirect off;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/feministesucl34.jean-cloud.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/feministesucl34.jean-cloud.net/privkey.pem;
server_name feministesucl34.jean-cloud.net www.feministesucl34.jean-cloud.net feministesucl34.communisteslibertaires.org;
location = /wp-login.php {
return 301 https://wordpress.feministesucl34.jean-cloud.net/wp-login.php;
}
location / {
root /data/feministesucl34.jean-cloud.net/static;
try_files $uri $uri/ =404;
}
}
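Review bot: The first `server` block exposes the WordPress admin host `wordpress.feministesucl34.jean-cloud.net` to the whole internet with no access control, and with `#proxy_set_header X-Real-IP $remote_addr;` commented out WordPress sees every login attempt as coming from nginx's own address, so any per-IP lockout it applies is ineffective. Since the public site is served statically from the second block and only `/wp-login.php` is redirected here, this host is effectively an admin interface and would benefit from `auth_basic` or an `allow`/`deny` list, plus `proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` so the application can see the client (WordPress then needs to be configured to trust that header from this proxy). The certificate is issued for `feministesucl34.jean-cloud.net`; the `wordpress.` subdomain and `feministesucl34.communisteslibertaires.org` in the two `server_name` lines must be SANs on it or the handshake fails for those names.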


@ -0,0 +1 @@
version: '3'


@ -0,0 +1,20 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/feteducourt.jean-cloud.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/feteducourt.jean-cloud.net/privkey.pem;
server_name feteducourt.jean-cloud.net www.feteducourt.jean-cloud.net;
#location /static {
# alias /data/feteducourt.jean-cloud.net/app/static;
# try_files $uri $uri/ =404;
#}
#location / {
# proxy_pass http://app.feteducourtjean-cloudnet.docker;
# proxy_set_header Host $host;
#}
location / {
root /data/feteducourt.jean-cloud.net/static;
try_files $uri $uri/ =404;
}
}


@ -0,0 +1,9 @@
version: '3'
#services:
# app:
# image: registry.jean-cloud.net/feteducourt:2020
# environment:
# SECRET_KEY: azerty
# volumes:
# - /data/feteducourt2020.jean-cloud.net/db.sqlite3:/usr/src/app/db.sqlite3
# - /data/feteducourt2020.jean-cloud.net/app/static:/usr/src/app/static
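Review bot: `SECRET_KEY: azerty` commits a hard-coded, trivially guessable application secret into the repository; although the whole `services:` block is commented out, it is one uncomment away from being live and stays in git history either way. If the service is ever re-enabled, load the key from an `env_file` under `/data/feteducourt2020.jean-cloud.net/` as the feministesucl34 compose file does, and use a freshly generated value, since a known secret lets whatever the framework signs with it (sessions, tokens) be forged. The `.gitignore` in this commit already excludes `installing/secrets`, so a similar exclusion for service secrets would fit the existing convention.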


@ -0,0 +1,22 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/feteducourt2020.jean-cloud.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/feteducourt2020.jean-cloud.net/privkey.pem;
server_name feteducourt2020.jean-cloud.net www.feteducourt2020.jean-cloud.net;
#location /static {
# alias /data/feteducourt2020.jean-cloud.net/app/static;
# try_files $uri $uri/ =404;
#}
#location / {
# proxy_pass http://app.feteducourt2020jean-cloudnet.docker;
# proxy_set_header Host $host;
#}
location / {
root /data/feteducourt2020.jean-cloud.net/static;
try_files $uri $uri/ =404;
}
}

View File

@ -0,0 +1,41 @@
version: '3'
services:
gitea:
image: gitea/gitea:1.9.1
depends_on:
- db
volumes:
- /data/git.jean-cloud.net/web:/data
ports:
- "22529:22"
restart: unless-stopped
networks:
default:
ipv4_address: 172.29.10.100
deploy:
resources:
limits:
cpus: '0.50'
memory: 100M
db:
# https://hub.docker.com/_/postgres?tab=description
image: postgres:9.6-alpine
volumes:
- /data/git.jean-cloud.net/db:/var/lib/postgresql/data
networks:
default:
ipv4_address: 172.29.10.101
deploy:
resources:
limits:
cpus: '0.50'
memory: 100M
networks:
default:
ipam:
config:
- subnet: 172.29.10.0/24
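Review bot: `image: gitea/gitea:1.9.1` pins a 2019 release; the Gitea project has published many security fixes since then, and with `ports: "22529:22"` this is an internet-facing service running a stale build. Move to a current tag on the 1.x line and keep it tracked, reading the migration notes first since the jump spans many minor versions. `db` has no `restart:` policy, unlike `gitea`, so after a host reboot the web service comes up against a database that does not, and `postgres:9.6-alpine` is past end of life. No `POSTGRES_PASSWORD` or `env_file` is declared either, so confirm how the database authenticates — presumably the cluster under `/data/git.jean-cloud.net/db` already exists — rather than relying on a default.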


@ -0,0 +1,12 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/git.jean-cloud.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/git.jean-cloud.net/privkey.pem;
server_name git.jean-cloud.net www.git.jean-cloud.net;
location / {
client_max_body_size 5G;
proxy_pass http://172.29.10.100:3000;
}
}
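Review bot: The `proxy_pass http://172.29.10.100:3000;` location forwards nothing about the original request, so Gitea sees every connection as coming from nginx — its IP-based login throttling and audit logs are blinded — and it cannot tell the request arrived over HTTPS. Add `proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto https;` to the location, and on the Gitea side make sure the reverse-proxy trust settings accept these headers from this nginx only. `client_max_body_size 5G` is presumably meant for large pushes over HTTPS, but it is also the per-request upload cap any anonymous client gets.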


@ -0,0 +1,18 @@
version: '3'
services:
roundcube:
image: roundcube/roundcubemail:1.4.2-apache
restart: "unless-stopped"
depends_on:
- db
volumes:
- /data/gmx-webmail.jean-cloud.net/app/plugins/:/var/www/html/plugins/
- /data/gmx-webmail.jean-cloud.net/app/config/config.inc.php:/var/www/html/config/config.inc.php
- /data/gmx-webmail.jean-cloud.net/app/enigma_pgp_homedir:/data/enigma_pgp_homedir
db:
# https://hub.docker.com/_/postgres?tab=description
image: postgres:9.6-alpine
restart: "unless-stopped"
volumes:
- /data/gmx-webmail.jean-cloud.net/db:/var/lib/postgresql/data
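Review bot: `roundcube/roundcubemail:1.4.2-apache` is an early-2020 webmail release; the 1.4 line received a long series of XSS and other security fixes after it, and a webmail client is among the most exposed things to run on a stale version. Pin a currently maintained tag and test the mounted `config.inc.php` and `plugins/` volumes against it, since plugin compatibility may have changed. `db` declares no `POSTGRES_PASSWORD`/`env_file` and uses `postgres:9.6-alpine`, which is past end of life; confirm where the credentials come from.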


@ -0,0 +1,39 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/gmx-webmail.jean-cloud.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/gmx-webmail.jean-cloud.net/privkey.pem;
server_name gmx-webmail.jean-cloud.net www.gmx-webmail.jean-cloud.net;
# root /data/gmx-webmail.jean-cloud.net/app;
#
client_max_body_size 1024M;
charset utf-8;
# index index.php;
#
# location ~ ^/roundcube/(bin|SQL|config|temp|logs)/ {
# deny all;
# }
#
# location ~ /roundcube/\.(js|css|png|jpg|jpeg|gif|ico)$ {
# expires max;
# log_not_found off;
# }
location / {
proxy_pass http://roundcube.gmx-webmailjean-cloudnet.docker;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
}
# location ~ \.php$ {
# fastcgi_split_path_info ^(.+\.php)(/.*)$;
# include fastcgi_params;
# fastcgi_param SCRIPT_FILENAME /var/www/html/$fastcgi_script_name;
# fastcgi_param PATH_INFO $fastcgi_path_info;
# fastcgi_pass gmx-webmail_jean-cloud_net:9000;
# fastcgi_index index.php;
# }
}
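Review bot: The `proxy_pass` location sets `Host` and `X-Forwarded-For` but not `X-Forwarded-Proto`, so the Roundcube container sees plain HTTP; unless Roundcube is configured to assume HTTPS, session cookies may be issued without the `Secure` flag and generated links may be `http://`. Add `proxy_set_header X-Forwarded-Proto https;` next to the other two. `client_max_body_size 1024M` is also a very large cap for a webmail: the real attachment limit is enforced by PHP inside the container, but nginx will still accept and buffer a gigabyte per request from any client, so a value close to the intended attachment size limits that exposure.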


@ -0,0 +1,25 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/gypsylyonfestival.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/gypsylyonfestival.com/privkey.pem;
#server_name gypsylyonfestival.com www.gypsylyonfestival.com;
server_name gypsy.jean-cloud.net;
root /data/gypsylyonfestival.com/output;
# Security headers
# We can create a file with the base security headers and include it.
# Will it be possible to overload them then ?
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
#add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self' https://unpkg.jean-cloud.net; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self'; base-uri 'self'; form-action 'self' always;
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options SAMEORIGIN always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin";
#add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';sync-xhr='https://mailer.jean-cloud.net';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';";
location / {
index index.html;
try_files $uri $uri/ =404;
}
}
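Review bot: The `Content-Security-Policy` line is commented out and, as written, would not parse: the double-quoted value opened after the header name is never closed, so `always` lands inside the value and the closing `"` is missing. The working form is `add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; script-src 'self' https://unpkg.jean-cloud.net; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self'; base-uri 'self'; form-action 'self'" always;` — verify it against the site's actual asset origins before enabling. `X-Content-Type-Options` and `Referrer-Policy` lack `always`, unlike the other headers, so they are dropped on error responses. The certificate is issued for `gypsylyonfestival.com` while the only active `server_name` is `gypsy.jean-cloud.net`, which is a name mismatch unless that certificate carries the `jean-cloud.net` name as a SAN.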


@ -0,0 +1 @@
version: '3.1'


@ -0,0 +1,12 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/inurbe.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/inurbe.fr/privkey.pem;
server_name inurbe.fr www.inurbe.fr;
location / {
root /data/inurbe.fr;
try_files $uri $uri/ =404;
}
}


@ -0,0 +1,2 @@
version: '3'


@ -0,0 +1,33 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/jean-cloud.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/jean-cloud.net/privkey.pem;
server_name jean-cloud.net www.jean-cloud.net jean-cloud.org www.jean-cloud.org;
root /data/jean-cloud.net/public;
# Security headers
# We can create a file with the base security headers and include it.
# Will it be possible to overload them then ?
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self' https://unpkg.jean-cloud.net; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self' https://unpkg.jean-cloud.net; base-uri 'self'; form-action 'self' 'https://mailer.jean-cloud.net';" always;
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options SAMEORIGIN always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';sync-xhr='https://mailer.jean-cloud.net';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';";
location / {
index index.html;
try_files $uri $uri/ =404;
}
error_page 503 /503.html;
location = /503.html {
internal;
}
location = /503 {
return 503;
}
}
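Review bot: In the `Content-Security-Policy` header, `form-action 'self' 'https://mailer.jean-cloud.net'` wraps a host in single quotes, which CSP reserves for keywords; browsers discard the unrecognised source expression, so a form posted to the mailer is blocked by `form-action`. The fix is to drop the quotes: `form-action 'self' https://mailer.jean-cloud.net;`. The `Permissions-Policy` value uses the old Feature-Policy `'none'` spelling with `=` signs, which is not the structured-header syntax browsers accept, so the header is likely ignored entirely; a valid equivalent is `add_header Permissions-Policy 'geolocation=(), midi=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), payment=(), fullscreen=(self), sync-xhr=(self "https://mailer.jean-cloud.net")' always;`. `X-Content-Type-Options` and `Referrer-Policy` also lack `always`, so they are not sent on the 503 page served below.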


@ -0,0 +1,2 @@
FROM php:7.2-fpm-alpine
RUN docker-php-ext-install mysqli
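Review bot: `FROM php:7.2-fpm-alpine` builds on a PHP branch that stopped receiving security fixes at the end of 2020, so the `mysqli` extension installed below runs on an interpreter with publicly known, unfixed issues. A supported branch, `FROM php:8.2-fpm-alpine`, is the fix; the `docker-php-ext-install mysqli` step is unchanged, but the application code under `/data/lalis.fr` needs to be checked for PHP 8 compatibility first.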


@ -0,0 +1,22 @@
version: '3'
services:
php:
image: php:7.2-fpm-alpine
build: .
volumes:
- /data/lalis.fr:/usr/src/app
restart: unless-stopped
networks:
default:
ipv4_address: 172.29.11.101
deploy:
resources:
limits:
cpus: '0.50'
memory: 100M
networks:
default:
ipam:
config:
- subnet: 172.29.11.0/24
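Review bot: The `php` service sets both `image: php:7.2-fpm-alpine` and `build: .`, so compose tags the locally built image (with `mysqli` added) under the official upstream name; on the next build the Dockerfile's `FROM php:7.2-fpm-alpine` then resolves to the previous local build instead of the registry image, and upstream updates are never pulled. Name the built image something local, e.g. `image: lalis-php:7.2`, or drop the `image:` line. The service is also placed at `ipv4_address: 172.29.11.101`, while the lalis nginx vhost in this commit passes FastCGI to `172.29.11.100:9000`; unless another container holds `.100`, PHP requests cannot reach this service, so one of the two addresses looks wrong.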


@ -0,0 +1,24 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/lalis.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/lalis.fr/privkey.pem;
server_name lalis.fr lalis.jean-cloud.net www.lalis.jean-cloud.net;
root /data/lalis.fr;
index index.php index.html;
location / {
try_files $uri $uri/ =404;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass 172.29.11.100:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /usr/src/app/$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
}
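Review bot: `root /data/lalis.fr;` serves the whole project directory, and `location /` with `try_files $uri $uri/ =404` will hand out any non-PHP file in it, so a `.git` directory, `.env` or similar config next to the PHP sources would be downloadable; add `location ~ /\. { deny all; }` (exempting `/.well-known/acme-challenge/` first if certbot's webroot challenge uses this vhost) ahead of the PHP location. The `location ~ \.php$` block also passes any `.php`-suffixed URI to FastCGI without checking the file exists, which with a writable upload directory can let `/upload/x.jpg/y.php` execute the upload depending on the pool's `cgi.fix_pathinfo` and `security.limit_extensions`; since nginx sees the same tree, `try_files $uri =404;` as the first line of that block closes it. Whether this site accepts uploads at all cannot be seen from here. `fastcgi_pass 172.29.11.100:9000` does not match the `.101` address the lalis compose file assigns to the PHP container.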
