From ca56c39651ee6ce185fde7a7faefa1a2fc0ae0d8 Mon Sep 17 00:00:00 2001 
From: Adrian Amaglio Date: Mon, 24 Apr 2023 12:11:09 +0200 Subject: [PATCH] initial commit --- .gitignore | 2 + installing/debootstrap_ordis_portables.sh | 231 ++++++++++++++++++ provisioning/TODO | 3 + provisioning/group_vars/servers.yml | 113 +++++++++ provisioning/install.sh | 1 + provisioning/inventory.ini | 8 + provisioning/playbook.yml | 100 ++++++++ provisioning/readme.md | 28 +++ provisioning/requirements.yml | 48 ++++ .../roles/deploy_all/files/bin/deployer.sh | 155 ++++++++++++ .../deploy_all/files/bin/driglibash-args | 90 +++++++ .../deploy_all/files/bin/driglibash-base | 179 ++++++++++++++ .../roles/deploy_all/files/bin/letsencrypt.sh | 105 ++++++++ .../files/bin/list_overlay_mounts.sh | 2 + .../roles/deploy_all/files/bin/resolv.sh | 61 +++++ .../roles/deploy_all/files/bin/template.sh | 8 + .../roles/deploy_all/files/bind/db.amaglio.fr | 22 ++ .../files/bind/db.collectif-arthadie.fr | 30 +++ .../files/bind/db.compagnienouvelle.fr | 16 ++ .../files/bind/db.gypsylyonfestival.com | 30 +++ .../roles/deploy_all/files/bind/db.hid | 19 ++ .../roles/deploy_all/files/bind/db.inurbe.fr | 15 ++ .../deploy_all/files/bind/db.jean-cloud.net | 146 +++++++++++ .../deploy_all/files/bind/db.jean-cloud.org | 20 ++ .../deploy_all/files/bind/db.karnaval.fr | 27 ++ .../roles/deploy_all/files/bind/db.lalis.fr | 15 ++ .../roles/deploy_all/files/bind/db.leida.fr | 15 ++ .../files/bind/db.metamorphosemagazine.fr | 15 ++ .../deploy_all/files/bind/db.oma-radio.fr | 58 +++++ .../deploy_all/files/bind/named.conf.local | 78 ++++++ .../deploy_all/files/bind/named.conf.options | 18 ++ provisioning/roles/deploy_all/tasks/main.yml | 33 +++ .../jean-cloud-common/files/bin/deployer.sh | 155 ++++++++++++ .../files/bin/driglibash-args | 90 +++++++ .../files/bin/driglibash-base | 179 ++++++++++++++ .../files/bin/letsencrypt.sh | 105 ++++++++ .../files/bin/list_overlay_mounts.sh | 2 + .../jean-cloud-common/files/bin/resolv.sh | 61 +++++ .../jean-cloud-common/files/bin/template.sh | 8 + 
.../files/bind/db.amaglio.fr | 22 ++ .../files/bind/db.collectif-arthadie.fr | 30 +++ .../files/bind/db.compagnienouvelle.fr | 16 ++ .../files/bind/db.gypsylyonfestival.com | 30 +++ .../roles/jean-cloud-common/files/bind/db.hid | 19 ++ .../jean-cloud-common/files/bind/db.inurbe.fr | 15 ++ .../files/bind/db.jean-cloud.net | 148 +++++++++++ .../files/bind/db.jean-cloud.org | 20 ++ .../files/bind/db.karnaval.fr | 27 ++ .../jean-cloud-common/files/bind/db.lalis.fr | 15 ++ .../jean-cloud-common/files/bind/db.leida.fr | 15 ++ .../files/bind/db.metamorphosemagazine.fr | 15 ++ .../files/bind/db.oma-radio.fr | 58 +++++ .../files/bind/named.conf.local | 78 ++++++ .../files/bind/named.conf.options | 18 ++ .../roles/jean-cloud-common/tasks/main.yml | 60 +++++ provisioning/roles/ordiportables/.travis.yml | 29 +++ .../roles/ordiportables/tasks/main.yml | 7 + provisioning/services.yml | 11 + provisioning/services_nougaro.yml | 64 +++++ provisioning/services_vandamme.yml | 132 ++++++++++ services/_proxy/nginx.conf | 87 +++++++ services/_proxy/readme | 13 + services/_ssh/docker-compose.yml | 15 ++ services/amaglio.fr/docker-compose.yml | 55 +++++ services/amaglio.fr/nginx_server.conf | 40 +++ services/benevoles.karnaval.fr/.env | 2 + .../benevoles.karnaval.fr/docker-compose.yml | 60 +++++ .../benevoles.karnaval.fr/nginx_server.conf | 110 +++++++++ .../collectif-arthadie.fr/docker-compose.yml | 49 ++++ .../collectif-arthadie.fr/nginx_server.conf | 28 +++ services/compagnienouvelle.fr/.env | 1 + .../compagnienouvelle.fr/docker-compose.yml | 43 ++++ .../compagnienouvelle.fr/nginx_server.conf | 30 +++ services/compagnienouvelle.fr/tmp.log | 58 +++++ .../docker-compose.yml | 2 + .../copaines.jean-cloud.net/nginx_server.conf | 30 +++ services/cousinades.jean-cloud.net/Dockerfile | 6 + .../docker-compose.yml | 35 +++ .../nginx_server.conf | 25 ++ .../cousinades2.jean-cloud.net/Dockerfile | 6 + .../docker-compose.yml | 35 +++ .../nginx_server.conf | 25 ++ .../docker-compose.yml | 49 ++++ 
.../nginx_server.conf | 32 +++ .../docker-compose.yml | 1 + .../nginx_server.conf | 20 ++ .../docker-compose.yml | 9 + .../nginx_server.conf | 22 ++ .../git.jean-cloud.net/docker-compose.yml | 41 ++++ services/git.jean-cloud.net/nginx_server.conf | 12 + .../docker-compose.yml | 18 ++ .../nginx_server.conf | 39 +++ .../gypsylyonfestival.com/nginx_server.conf | 25 ++ services/inurbe.fr/docker-compose.yml | 1 + services/inurbe.fr/nginx_server.conf | 12 + services/jean-cloud.net/docker-compose.yml | 2 + services/jean-cloud.net/nginx_server.conf | 33 +++ services/lalis.fr/Dockerfile | 2 + services/lalis.fr/docker-compose.yml | 22 ++ services/lalis.fr/nginx_server.conf | 24 ++ services/leida.fr/docker-compose.yml | 1 + services/leida.fr/nginx_server.conf | 15 ++ .../docker-compose.yml | 1 + .../metamorphosemagazine.fr/nginx_server.conf | 13 + .../docker-compose.yml | 22 ++ services/oma-radio.fr/docker-compose.yml | 1 + services/oma-radio.fr/nginx_server.conf | 13 + .../docker-compose.yml | 27 ++ .../registry.jean-cloud.net/nginx_server.conf | 18 ++ .../rpnow.jean-cloud.net/docker-compose.yml | 11 + .../rpnow.jean-cloud.net/nginx_server.conf | 40 +++ .../soundbase.oma-radio.fr/docker-compose.yml | 1 + services/soundbase.oma-radio.fr/installer.sh | 29 +++ .../static.jean-cloud.net/docker-compose.yml | 1 + .../static.jean-cloud.net/nginx_server.conf | 15 ++ .../velov.jean-cloud.net/docker-compose.yml | 22 ++ .../velov.jean-cloud.net/nginx_server.conf | 25 ++ 117 files changed, 4494 insertions(+) create mode 100644 .gitignore create mode 100755 installing/debootstrap_ordis_portables.sh create mode 100644 provisioning/TODO create mode 100755 provisioning/group_vars/servers.yml create mode 100755 provisioning/install.sh create mode 100644 provisioning/inventory.ini create mode 100755 provisioning/playbook.yml create mode 100644 provisioning/readme.md create mode 100755 provisioning/requirements.yml create mode 100755 provisioning/roles/deploy_all/files/bin/deployer.sh create 
mode 100755 provisioning/roles/deploy_all/files/bin/driglibash-args create mode 100755 provisioning/roles/deploy_all/files/bin/driglibash-base create mode 100755 provisioning/roles/deploy_all/files/bin/letsencrypt.sh create mode 100644 provisioning/roles/deploy_all/files/bin/list_overlay_mounts.sh create mode 100755 provisioning/roles/deploy_all/files/bin/resolv.sh create mode 100755 provisioning/roles/deploy_all/files/bin/template.sh create mode 100644 provisioning/roles/deploy_all/files/bind/db.amaglio.fr create mode 100644 provisioning/roles/deploy_all/files/bind/db.collectif-arthadie.fr create mode 100644 provisioning/roles/deploy_all/files/bind/db.compagnienouvelle.fr create mode 100644 provisioning/roles/deploy_all/files/bind/db.gypsylyonfestival.com create mode 100644 provisioning/roles/deploy_all/files/bind/db.hid create mode 100644 provisioning/roles/deploy_all/files/bind/db.inurbe.fr create mode 100644 provisioning/roles/deploy_all/files/bind/db.jean-cloud.net create mode 100644 provisioning/roles/deploy_all/files/bind/db.jean-cloud.org create mode 100644 provisioning/roles/deploy_all/files/bind/db.karnaval.fr create mode 100644 provisioning/roles/deploy_all/files/bind/db.lalis.fr create mode 100644 provisioning/roles/deploy_all/files/bind/db.leida.fr create mode 100644 provisioning/roles/deploy_all/files/bind/db.metamorphosemagazine.fr create mode 100644 provisioning/roles/deploy_all/files/bind/db.oma-radio.fr create mode 100644 provisioning/roles/deploy_all/files/bind/named.conf.local create mode 100644 provisioning/roles/deploy_all/files/bind/named.conf.options create mode 100644 provisioning/roles/deploy_all/tasks/main.yml create mode 100755 provisioning/roles/jean-cloud-common/files/bin/deployer.sh create mode 100755 provisioning/roles/jean-cloud-common/files/bin/driglibash-args create mode 100755 provisioning/roles/jean-cloud-common/files/bin/driglibash-base create mode 100755 provisioning/roles/jean-cloud-common/files/bin/letsencrypt.sh create mode 
100644 provisioning/roles/jean-cloud-common/files/bin/list_overlay_mounts.sh create mode 100755 provisioning/roles/jean-cloud-common/files/bin/resolv.sh create mode 100755 provisioning/roles/jean-cloud-common/files/bin/template.sh create mode 100644 provisioning/roles/jean-cloud-common/files/bind/db.amaglio.fr create mode 100644 provisioning/roles/jean-cloud-common/files/bind/db.collectif-arthadie.fr create mode 100644 provisioning/roles/jean-cloud-common/files/bind/db.compagnienouvelle.fr create mode 100644 provisioning/roles/jean-cloud-common/files/bind/db.gypsylyonfestival.com create mode 100644 provisioning/roles/jean-cloud-common/files/bind/db.hid create mode 100644 provisioning/roles/jean-cloud-common/files/bind/db.inurbe.fr create mode 100644 provisioning/roles/jean-cloud-common/files/bind/db.jean-cloud.net create mode 100644 provisioning/roles/jean-cloud-common/files/bind/db.jean-cloud.org create mode 100644 provisioning/roles/jean-cloud-common/files/bind/db.karnaval.fr create mode 100644 provisioning/roles/jean-cloud-common/files/bind/db.lalis.fr create mode 100644 provisioning/roles/jean-cloud-common/files/bind/db.leida.fr create mode 100644 provisioning/roles/jean-cloud-common/files/bind/db.metamorphosemagazine.fr create mode 100644 provisioning/roles/jean-cloud-common/files/bind/db.oma-radio.fr create mode 100644 provisioning/roles/jean-cloud-common/files/bind/named.conf.local create mode 100644 provisioning/roles/jean-cloud-common/files/bind/named.conf.options create mode 100644 provisioning/roles/jean-cloud-common/tasks/main.yml create mode 100644 provisioning/roles/ordiportables/.travis.yml create mode 100644 provisioning/roles/ordiportables/tasks/main.yml create mode 100755 provisioning/services.yml create mode 100755 provisioning/services_nougaro.yml create mode 100755 provisioning/services_vandamme.yml create mode 100755 services/_proxy/nginx.conf create mode 100755 services/_proxy/readme create mode 100644 services/_ssh/docker-compose.yml create 
mode 100755 services/amaglio.fr/docker-compose.yml create mode 100755 services/amaglio.fr/nginx_server.conf create mode 100644 services/benevoles.karnaval.fr/.env create mode 100755 services/benevoles.karnaval.fr/docker-compose.yml create mode 100755 services/benevoles.karnaval.fr/nginx_server.conf create mode 100644 services/collectif-arthadie.fr/docker-compose.yml create mode 100755 services/collectif-arthadie.fr/nginx_server.conf create mode 100644 services/compagnienouvelle.fr/.env create mode 100644 services/compagnienouvelle.fr/docker-compose.yml create mode 100755 services/compagnienouvelle.fr/nginx_server.conf create mode 100644 services/compagnienouvelle.fr/tmp.log create mode 100644 services/copaines.jean-cloud.net/docker-compose.yml create mode 100755 services/copaines.jean-cloud.net/nginx_server.conf create mode 100755 services/cousinades.jean-cloud.net/Dockerfile create mode 100755 services/cousinades.jean-cloud.net/docker-compose.yml create mode 100755 services/cousinades.jean-cloud.net/nginx_server.conf create mode 100755 services/cousinades2.jean-cloud.net/Dockerfile create mode 100755 services/cousinades2.jean-cloud.net/docker-compose.yml create mode 100755 services/cousinades2.jean-cloud.net/nginx_server.conf create mode 100644 services/feministesucl34.jean-cloud.net/docker-compose.yml create mode 100755 services/feministesucl34.jean-cloud.net/nginx_server.conf create mode 100755 services/feteducourt.jean-cloud.net/docker-compose.yml create mode 100755 services/feteducourt.jean-cloud.net/nginx_server.conf create mode 100755 services/feteducourt2020.jean-cloud.net/docker-compose.yml create mode 100755 services/feteducourt2020.jean-cloud.net/nginx_server.conf create mode 100755 services/git.jean-cloud.net/docker-compose.yml create mode 100755 services/git.jean-cloud.net/nginx_server.conf create mode 100755 services/gmx-webmail.jean-cloud.net/docker-compose.yml create mode 100755 services/gmx-webmail.jean-cloud.net/nginx_server.conf create mode 
100755 services/gypsylyonfestival.com/nginx_server.conf create mode 100644 services/inurbe.fr/docker-compose.yml create mode 100755 services/inurbe.fr/nginx_server.conf create mode 100755 services/jean-cloud.net/docker-compose.yml create mode 100755 services/jean-cloud.net/nginx_server.conf create mode 100644 services/lalis.fr/Dockerfile create mode 100755 services/lalis.fr/docker-compose.yml create mode 100755 services/lalis.fr/nginx_server.conf create mode 100755 services/leida.fr/docker-compose.yml create mode 100755 services/leida.fr/nginx_server.conf create mode 100644 services/metamorphosemagazine.fr/docker-compose.yml create mode 100755 services/metamorphosemagazine.fr/nginx_server.conf create mode 100755 services/nc-backup.jean-cloud.net/docker-compose.yml create mode 100755 services/oma-radio.fr/docker-compose.yml create mode 100755 services/oma-radio.fr/nginx_server.conf create mode 100755 services/registry.jean-cloud.net/docker-compose.yml create mode 100755 services/registry.jean-cloud.net/nginx_server.conf create mode 100755 services/rpnow.jean-cloud.net/docker-compose.yml create mode 100755 services/rpnow.jean-cloud.net/nginx_server.conf create mode 100644 services/soundbase.oma-radio.fr/docker-compose.yml create mode 100755 services/soundbase.oma-radio.fr/installer.sh create mode 100755 services/static.jean-cloud.net/docker-compose.yml create mode 100755 services/static.jean-cloud.net/nginx_server.conf create mode 100755 services/velov.jean-cloud.net/docker-compose.yml create mode 100755 services/velov.jean-cloud.net/nginx_server.conf diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..e1fb98a --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +installing/secrets +installing/temporary_mount_point diff --git a/installing/debootstrap_ordis_portables.sh b/installing/debootstrap_ordis_portables.sh new file mode 100755 index 0000000..3403028 --- /dev/null +++ b/installing/debootstrap_ordis_portables.sh 
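Review bot: The ignore list covers `installing/secrets` but not the per-service `.env` files, and the diffstat of this same patch shows `services/benevoles.karnaval.fr/.env` and `services/compagnienouvelle.fr/.env` being committed. deployer.sh reads those files to template the nginx configs, so they are live runtime configuration; if they ever carry a credential it lands in the repository history for good. I would add `services/*/.env` here and commit a `.env.example` per service instead, so the deploy script still has a documented shape to work from.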
@@ -0,0 +1,231 @@ +#!/bin/bash + +# Ce script est une base qu’il faut sûrement améliorer. +# Il sert à installer un debian d’ordi portable JC pour le cluster SHLAGO +# Le but est d’installer juste ce qu’il faut pour le le serveur tourne, le reste est laissé à ansible. +# Il génère une clé SSH qui permettra d’accéder à la machine. C’est peut-être con, il faudrait plutôt le remplir de nos ssh publiques. + +# https://github.com/adrianamaglio/driglibash +declare -A usage +declare -A varia +driglibash_run_retry=true +version="alpha nightly 0.0.1 pre-release unstable" +summary="$0 [options]" + +usage[m]="Path of the temporar mount point" +varia[m]=mnt +mnt="temporary_mount_point" + +usage[a]="The architecture of installed system as supported by debootstrap" +varia[a]=arch +arch="amd64" + +usage[r]="The release of installed system as supported by debootstrap" +varia[r]=release +release="bullseye" + +usage[s]="Source repository of installed system" +varia[s]=repo +#repo= +repo="http://ftp.fr.debian.org/debian" +#repo="http://localhost:3142/ftp.fr.debian.org/debian" + +usage[n]="The hostname" +varia[n]=hostname +hostname="" + +usage[b]="The device where grub will be installed" +varia[b]=boot_device +boot_device= + +usage[R]="The device where the system will be installed" +varia[R]=boot_device +boot_device= + +usage[l]="System locale" +varia[l]=locale +locale="en_US.UTF-8 UTF-8\nfr_FR.UTF-8 UTF-8" + + +. driglibash-args + + +secret_dir=secrets +secret_dir="$(realpath -m "$secret_dir/$hostname")" +install="vim openssh-server git nginx" + + + +############################################################################### +# Actual script +############################################################################### + +. driglibash-base + +chroot_run(){ + run echo "$@" | chroot "$mnt" + if [ "$?" 
-ne 0 ] ; then + die "Error, chroot command [$@] exited with code '$?'" + fi +} + +wait_for_user(){ + section "Time for a pause" + run echo "Press 'Enter' to continue" + read +} + +mount_misc(){ + run mkdir -p "$mnt"/{proc,dev,sys} + run mount -t proc none "$mnt/proc" + clean "umount '$mnt/proc'" + # To access physical devices + run mount -o bind /dev "$mnt/dev" + clean "umount '$mnt/dev'" + run mount -o bind /dev/pts "$mnt/dev/pts" + clean "umount '$mnt/dev/pts'" + run mount -o bind /sys "$mnt/sys" + clean "umount '$mnt/sys'" + # mount /dev/pts ? apt install complain about its absence +} + +if [ -z "$hostname" ] ; then + die "Hostname arg needed" +fi + +root_or_die + + +section "Testing for existing secrets" +if ! [ -d "$secret_dir" ] ; then + run mkdir -p "$secret_dir" + run chown -R root:root "$secret_dir" + run chmod 700 "$secret_dir" +fi + + +section "debootstraping" +# Debootstrap may fail when the target is an existing system +#if [ -n "$(ls -A $mnt)" ]; then +# die "Root dir '$mnt' is not empty. Won’t debootstrap it." 
+#fi +run debootstrap --verbose --arch "$arch" "$release" "$mnt" "$repo" + + +section "Mounting additionnal items" +mount_misc + + +section "Installing selected software" +#XXX use chroot_run +chroot "$mnt" < "$mnt/etc/hostname" + +# Fix path and remove noisy beep +run cat > "$mnt/root/.bashrc" <> "$mnt/etc/inputrc" +# TODO find a third method to kill this doomed beep + + +# boot crypted +#section "Installing cryptsetup in initramfs" +#run echo 'CRYPTSETUP=y' >> /etc/cryptsetup-initramfs/conf-hook +#run cp key "$mnt/root/" +#run echo 'FILES="/root/key"' >> /etc/initramfs-tools/initramfs.conf +#run update-initramfs -ut +#echo "$mnt/etc/initramfs-tools/conf.d/cryptsetup" <> "$mnt/etc/environment" +#echo 'export FILES="./key"' >> "$mnt/etc/initramfs-tools/initramfs.conf" +#chroot_run 'update-initramfs -ut' + + +section "Set up networking" +# Disable the unpredictable naming (since we are not on the future host) +run ln -s /dev/null "$mnt/etc/udev/rules.d/80-net-setup-link.rules" +run cat >> "$mnt/etc/network/interfaces" <> "$mnt/root/.ssh/authorized_keys" +fi + + +section "Generating locales" +chroot_run echo -e "$locale" > "/etc/locale.gen" +chroot_run locale-gen + + +section "Installing grub" +# Disable predictable name (again) +run sed -i 's/GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"/g' "$mnt/etc/default/grub" +chroot_run update-grub +chroot_run grub-install "$boot_device" + + + +if [ "$arg_test" != "false" ] ; then + section "Testing installed system" + run qemu-system-x86_64 -m 1024M "$boot_device" +fi + +echo "To test the system with qemu type:" +echo "qemu-system-x86_64 -m 1024M '$boot_device'" + +clean diff --git a/provisioning/TODO b/provisioning/TODO new file mode 100644 index 0000000..dddbc53 --- /dev/null +++ b/provisioning/TODO @@ -0,0 +1,3 @@ +add to /etc/sysctl.conf : +fs.file-max = 4096 +net.ipv4.ip_forward = 1 
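Review bot: `chroot_run echo -e "$locale" > "/etc/locale.gen"` in the "Generating locales" section is redirected by the host shell, so the locale list overwrites the host's `/etc/locale.gen` and the chroot's file is left untouched when `chroot_run locale-gen` runs next; write through the mount point instead, `printf '%b\n' "$locale" > "$mnt/etc/locale.gen"`. Two smaller defects in the same hunk: `usage[R]`/`varia[R]=boot_device` maps the root-device option onto the same variable as `-b`, so whichever option comes last silently wins, and `die "... exited with code '$?'"` in `chroot_run` reports the status of the `[` test rather than of chroot (save it first with `local rc=$?`). Both `. driglibash-args` and `. driglibash-base` are sourced by bare name, which bash resolves through `$PATH` in a script that requires root (`root_or_die`); sourcing them by an explicit path would close that hijack window. The heredoc bodies of this hunk (hostname, bashrc, interfaces, authorized_keys) appear to have been lost in extraction, so I have reviewed only the lines that survived.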
diff --git a/provisioning/group_vars/servers.yml b/provisioning/group_vars/servers.yml
new file mode 100755
index 0000000..8ba7965
--- /dev/null
+++ b/provisioning/group_vars/servers.yml
@@ -0,0 +1,113 @@ +# Default registry +# +bootstrap_user: root + +# For jean-cloud docker services +new_nginx_conf_path: '/data/proxy/new-sites-enabled' +new_blackbox_hosts_path: '/data/prometheus/new-blackbox-targets.yml' +blackbox_hosts_path: '/data/prometheus/blackbox-targets.yml' + +remote_docker_login_registry: registry.jean-cloud.net + +# sudo configuration +# using geerlingguy security +# https://galaxy.ansible.com/grog/sudo +#sudo_default_sudoers: yes +#sudo_list: +# - name: tits +# sudo: +# hosts: ALL +# as: ALL:ALL +# commands: ALL +# nopasswd: yes + +# Security geerlingguy +security_ssh_port: 45985 +# IMPORTANT following values should be quoted. You can lock yourself out. +security_ssh_password_authentication: "no" +security_ssh_permit_root_login: "yes" +security_ssh_usedns: "no" +security_ssh_permit_empty_password: "no" +security_ssh_challenge_response_auth: "no" +security_ssh_gss_api_authentication: "no" +security_ssh_x11_forwarding: "no" + +# Auto upgrades +security_autoupdate_enabled: true + +# f2b +security_fail2ban_enabled: false + +#locales +locales_default: + lang: en_US.UTF-8 + lc_all: en_US.UTF-8 + + +# For unattended upgrade configuration +unattended_upgrades_mail: contact@jean-cloud.org + +# For ssh security +# https://galaxy.ansible.com/dev-sec/ssh-hardening +#network_ipv6_enable: true +#ssh_server_ports: ['45985'] +#ssh_permit_root_login: no # TODO uncommenting that makes it bug + +# Fail2ban +# https://galaxy.ansible.com/oefenweb/fail2ban +#fail2ban_filterd_path: ./fail2ban/etc/fail2ban/filter.d/ +#fail2ban_actiond_path: ./fail2ban/etc/fail2ban/action.d/ +#fail2ban_jaild_path: ./fail2ban/etc/fail2ban/jail.d/ +#fail2ban_services: +# # In older versions of Fail2Ban this is called ssh +# - name: sshd +# port: 45985 +# maxretry: 3 +# bantime: -1 +# # - name: wplogin +# # port: http,https +# # filter: wplogin +# # logpath: /var/lib/docker/containers/*/*-json.log +# # banaction: docker-action +# # maxretry: 5 +# # findtime: 120 +# # bantime: 
86400 +# +# https://galaxy.ansible.com/robertdebock/fail2ban + + +# For Firewall +# https://galaxy.ansible.com/geerlingguy/firewall +firewall_state: started +firewall_enabled_at_boot: true +firewall_log_dropped_packets: true +firewall_allowed_tcp_ports: + - "45985" + - "22529" + - "80" + - "443" + - "53" + - "5000" +firewall_allowed_udp_ports: + - "53" + +# For rootkit protection +# https://galaxy.ansible.com/mablanco/antirootkits +antirootkits_mail_from: contact@jean-cloud.org +antirootkits_mail_to: contact@jean-cloud.org +antirootkits_log_expire: 90 +# TODO wtf is /home/docker ? +shelldetector_scan_directory: /home/docker # Il va trouver trop de merde non ? +shelldetector_cron_hour: '4' +shelldetector_cron_minute: '00' + + +# Timezone +# https://galaxy.ansible.com/oefenweb/timezone +timezone_zone: Europe/Paris + +# NTP +# https://galaxy.ansible.com/geerlingguy/ntp +ntp_timezone: Europe/Paris +ntp_daemon: ntp + diff --git a/provisioning/install.sh b/provisioning/install.sh new file mode 100755 index 0000000..9a1a161 --- /dev/null +++ b/provisioning/install.sh @@ -0,0 +1 @@ +ansible-galaxy install -r requirements.yml --force-with-deps diff --git a/provisioning/inventory.ini b/provisioning/inventory.ini new file mode 100644 index 0000000..c77b9f6 --- /dev/null +++ b/provisioning/inventory.ini @@ -0,0 +1,8 @@ +[servers] +#vandamme.jean-cloud.net +#nougaro.jean-cloud.net +tetede.jean-cloud.net +#carcasse.jean-cloud.net +#benevoles.karnaval.fr +montbonnot.jean-cloud.net +max.jean-cloud.net diff --git a/provisioning/playbook.yml b/provisioning/playbook.yml new file mode 100755 index 0000000..6f4daa7 --- /dev/null +++ b/provisioning/playbook.yml 
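Review bot: `security_ssh_permit_root_login: "yes"` reopens what `security_ssh_password_authentication: "no"` closes: root is key-only today, but the moment password auth is re-enabled (the file itself warns these values are easy to get wrong) root becomes password-reachable on hosts that also set `security_fail2ban_enabled: false`. Set it to `"prohibit-password"`, or to `"no"` with a sudo-capable account instead of `bootstrap_user: root`, so the intended key-only root access is explicit in the config rather than a side effect of another setting. The `firewall_allowed_tcp_ports` list, which opens `5000` (presumably the registry listener behind registry.jean-cloud.net), is only consulted if geerlingguy.firewall is in the play, and playbook.yml in this patch has it commented out as breaking Docker's rules, so these entries currently document intent without enforcing anything; a one-line comment saying so would avoid a false sense of coverage. Moving sshd to 45985 is obscurity, not a control, and should not be counted as one in the absence of fail2ban.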
@@ -0,0 +1,100 @@
+- name: server
+ hosts: servers
+ become: yes
+ gather_facts: no
+ roles:
+ # Ansible prerequisites
+ - schuerg.prerequisites
+
+- name: server
+ hosts: servers
+ become: yes
+ #gather_facts: no
+ roles:
+ # Ansible prerequisites
+ #- robertdebock.bootstrap
+
+ # EPEL for centos
+ #- geerlingguy.repo-epel
+
+ #NTP is important for curl and apt
+ # - ericsysmin.system.ntp
+
+ - jean-cloud-common
+
+
+ # Users
+ #- sysadmins
+
+ # Locales
+ # TODO set locales date and currency
+ #- alvistack.locales
+ - oefenweb.locales
+
+ # Sys update. Playbook bien fait.
+ - robertdebock.update
+
+ # Manage sudoers
+ #- GROG.sudo
+
+ # Unattended upgrades
+ #- jnv.unattended-upgrades
+ #- thorian93.unattended_upgrade
+ #- racqspace.unattended_upgrades
+
+ # ssh security
+ # using geerlingguy security
+ #- dev-sec.ssh-hardening
+ - geerlingguy.security
+
+ # fail2ban
+ #- oefenweb.fail2ban
+ #- robertdebock.fail2ban
+
+ # firewall conf
+ # TODO it destroy the DOCKER rules…
+ #- geerlingguy.firewall
+
+ # Rootkit protection
+ #- mablanco.antirootkits
+
+
+ # antivirus
+ #- geerlingguy.clamav
+
+ # docker
+ - geerlingguy.docker
+
+ # timezone
+ - oefenweb.timezone
+
+ # ntp
+ #- geerlingguy.ntp
+
+ # docker metrics proxy
+ #- docker-metrics-proxy
+
+ # logrotate
+ # - ontic/logrotate
+
+ # apparmor ?
+ # - manala.apparmor
+
+ # autofs
+ # - cmprescott.autofs_ng
+
+ # smart TODO
+ #- stuvusit/smartd
+
+ # graylog Nope, too heavy…
+ # TODO lininfile for prometheus
+ # 127.0.1.1 docker-host
+
+ ##- deploy_all
+
+- name: shlago
+ hosts: shlago
+ become: yes
+ gather_facts: no
+ roles:
+ - ordiportables
diff --git a/provisioning/readme.md b/provisioning/readme.md
new file mode 100644
index 0000000..2220fb1
--- /dev/null
+++ b/provisioning/readme.md
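Review bot: With `#- geerlingguy.firewall` disabled ("it destroy the DOCKER rules") and `#- oefenweb.fail2ban` / `#- mablanco.antirootkits` also commented out, the only host-level hardening this play applies is the sshd configuration from geerlingguy.security; every port a compose file publishes is reachable from the Internet and the allow-lists in group_vars/servers.yml are never applied. If the conflict is Docker rewriting the filter chains, the usual resolution is to keep a host firewall but place the rules in the `DOCKER-USER` chain, or to bind published ports to `127.0.0.1` and let the nginx proxy front them; whichever is chosen, record it next to the role with a comment such as `# firewall role disabled on purpose: ingress is restricted via DOCKER-USER / 127.0.0.1 binds` rather than leaving a TODO. Separately, the last play targets `hosts: shlago`, a group that inventory.ini in this patch does not define, so it matches no hosts unless another inventory supplies it.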
@@ -0,0 +1,28 @@
+# Provisioning
+
+## Installer les dépendances pour les playbooks
+Il faut avoir installé ansible-playbook et ansible-galaxy. Puis faire ./install.sh
+-> Ce fichier contient trop de trucs, il faudrait le mettre à jour…
+
+## Configurer un serveur
+Vérifier que le serveur est bien décommenté dans `inventory.ini`
+```
+ansible-playbook -i inventory.ini playbook.yml
+```
+
+## Déployer des services sur un serveur
+Envoyer les fichiers de conf sur le serveur.
+```
+ansible-playbook -i inventory.ini services.yml
+```
+Déployer les services : (ssh sur le serveur)
+```
+/docker/_deployer/main.sh
+```
+
+## Déployer des services (ancienne méthode)
+Cette méthode ne fonctionne pas avec le nouveau script de déploiement.
+```
+ansible-playbook -i inventory.ini services_vandamme.yml
+```
+
diff --git a/provisioning/requirements.yml b/provisioning/requirements.yml
new file mode 100755
index 0000000..5c6c4d7
--- /dev/null
+++ b/provisioning/requirements.yml
@@ -0,0 +1,48 @@
+# Bootstrap
+- src: robertdebock.bootstrap
+# Locales
+- src: robertdebock.locale
+# System update
+- src: robertdebock.update
+
+# Manage users
+- src: GROG.user
+# Manage sudoers
+- src: GROG.sudo
+# Manage authorized-keys
+- src: GROG.authorized-key
+# Unattended upgrades
+- src: jnv.unattended-upgrades
+# ssh security
+- src: dev-sec.ssh-hardening
+
+# fail2ban
+- src: oefenweb.fail2ban
+# firewall conf
+# TODO it destroy the DOCKER rules…
+#- src: geerlingguy.firewall
+# Rootkit protection
+- src: mablanco.antirootkits
+# antivirus
+- src: geerlingguy.clamav
+# docker
+- src: geerlingguy.docker
+
+# timezone
+- src: oefenweb.timezone
+# hostname
+- src: oefenweb.hostname
+# ntp
+- src: geerlingguy.ntp
+
+# logrotate
+# - src: ontic/logrotate
+# apparmor ?
+# - src: manala.apparmor
+# autofs
+# - src: cmprescott.autofs_ng
+# smart TODO
+#- src: stuvusit/smartd
+# graylog Nope, too heavy…
+# TODO lininfile for prometheus
+# 127.0.1.1 docker-host
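Review bot: None of the Galaxy roles in requirements.yml carries a `version:`, and install.sh runs `ansible-galaxy install -r requirements.yml --force-with-deps`, so every provisioning run fetches whatever each role maintainer last published and overwrites the local copy with it; those roles then execute as root on every server (`become: yes`), which makes this an unpinned, unsigned supply chain at the highest privilege. Pin each entry to a tag, e.g. `- src: geerlingguy.docker` followed by `  version: "<tag>"`, and drop `--force-with-deps` so that upgrading a role is a deliberate, reviewable commit. The list is also out of sync with playbook.yml: the play uses `schuerg.prerequisites`, `oefenweb.locales` and `geerlingguy.security`, none of which is listed, while `robertdebock.locale`, `dev-sec.ssh-hardening`, the `GROG.*` roles and `jnv.unattended-upgrades` are installed but unused (the readme already concedes the file "contient trop de trucs").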
diff --git a/provisioning/roles/deploy_all/files/bin/deployer.sh b/provisioning/roles/deploy_all/files/bin/deployer.sh
new file mode 100755
index 0000000..5d58577
--- /dev/null
+++ b/provisioning/roles/deploy_all/files/bin/deployer.sh
@@ -0,0 +1,155 @@ +#!/bin/bash + +driglibash_run_retry=true +. driglibash-base +set -euo pipefail + +############################################################################### +# Variables +############################################################################### + +proxy_dir="/etc/nginx" +nginx_conf_path="$proxy_dir/sites-enabled" +new_nginx_conf_path="$proxy_dir/new-sites-enabled" + +certs_path="/etc/letsencrypt/live" +dummy_cert_path="$certs_path/dummy" + +############################################################################### +# Helpers +############################################################################### + +# Returns the public IP4 address of a domain name +function ipof { + resolv.sh "$1" +} + +# Path to this directory +here="$(where 'follow_links')" + +# Ip4 address +my_ip="$(ipof "$(cat /etc/hostname)")" +[ -z "$my_ip" ] && yell "Unable to find my IP" && exit 1 + + +############################################################################### +# Nginx preparation +############################################################################### + +driglibash_section_prefix="[Prepare nginx] " +section "Delete new conf directory (to recover)" +run rm -rf "$new_nginx_conf_path" + +section "Create new conf file (for tests purposes)" +sed "s#$nginx_conf_path#$new_nginx_conf_path#" "/docker/_proxy/nginx.conf" > "$proxy_dir/new_nginx.conf" + +section "Create proxy dir" +run mkdir -p "$proxy_dir" /docker /data +run chown root:root /docker +run chown root:root /data +run chmod 755 /docker +run chmod 755 /data + +section "Check dummy cert exists " +#TODO check if expired +if [ ! 
-f "$dummy_cert_path/privkey.pem" ] ; then + echo "Dummy cert generation" + run mkdir -p "$dummy_cert_path" + run openssl req -x509 -newkey rsa:2048 -keyout /etc/letsencrypt/live/dummy/privkey.pem -out /etc/letsencrypt/live/dummy/fullchain.pem -days 365 -nodes -subj "/C=FR/ST=France/O=IT/CN=jean-cloud.net" +fi + +section "Create new conf directory" +run mkdir -p "$new_nginx_conf_path" + +############################################################################### +# Deploy services +############################################################################### + +for dir in /docker/* ; do + service="$(basename "$dir")" + + # Ignore _ prefixed directories + [ "${service::1}" == '_' ] && continue + + docker_service="$(echo "$service" | tr '.' '_')" + driglibash_section_prefix="[$service] " + cd "/docker/$service" + + # Is service meant to be on this server? + ip="$(ipof "$service")" + [ -z "$ip" ] && yell "No IP found for $service" && continue + + if [ "$ip" != "$my_ip" ] ; then + if [ -n "$(docker ps | grep "$docker_service")" ] ; then + section "--------------------" + section "Removing service" + docker-compose down --rmi all --remove-orphans + fi + continue + fi + + # If there is a docker-compose file and it has services in it + if [ -f "/docker/$service/docker-compose.yml" ] && [ -n "$(grep '^[^#]*services' "/docker/$service/docker-compose.yml")" ] ; then + section "-------------------- $service" + section "Logging to registry" + # XXX Login to docker registry + + section "Pulling images" + run docker-compose pull + + section "Starting service" + run docker-compose up -d --remove-orphans + fi + + # If there is a nginx conf file + if [ -f "/docker/$service/nginx_server.conf" ] ; then + section "Copy nginx conf" + run cp "/docker/$service/nginx_server.conf" "$new_nginx_conf_path/$service" + + if [ -f "/docker/$service/.env" ] ; then + section "Template nginx conf with vars from '.env' file" + run template.sh "/docker/$service/.env" < 
"/docker/$service/nginx_server.conf" > "$new_nginx_conf_path/$service" + fi + fi + + # Do we need dummy cert? + if [ ! -e "$certs_path/$service/fullchain.pem" ] ; then + section "Create cert dir" + run mkdir -p "$certs_path/$service" + + section "Link dummy to cert" + run ln -s "$dummy_cert_path/fullchain.pem" "$certs_path/$service" + run ln -s "$dummy_cert_path/privkey.pem" "$certs_path/$service" + fi + + section "Testing nginx conf" + run nginx -t -c /etc/nginx/new_nginx.conf + +done + +############################################################################### +# Nginx restart +############################################################################### + +driglibash_section_prefix="[Restart nginx] " + +section "Test if nginx conf is ok" +run nginx -t -c "$proxy_dir/new_nginx.conf" + +section "Update nginx conf" +run rm -rf "$nginx_conf_path" +run mv "$new_nginx_conf_path" "$nginx_conf_path" +run cp "/docker/_proxy/nginx.conf" "$proxy_dir/nginx.conf" + +section "Test nginx conf to be sure" +run nginx -t + +if [ -z "$(cat /var/run/nginx.pid)" ] ; then + section "Start nginx" + run nginx +else + section "Reload nginx" + run nginx -s reload +fi + +clean diff --git a/provisioning/roles/deploy_all/files/bin/driglibash-args b/provisioning/roles/deploy_all/files/bin/driglibash-args new file mode 100755 index 0000000..1cfec48 --- /dev/null +++ b/provisioning/roles/deploy_all/files/bin/driglibash-args 
@@ -0,0 +1,90 @@ +#!/bin/bash + +############################################################################### +# https://github.com/adrianamaglio/driglibash-arg +############################################################################### + + +# Usage : +# +# version="alpha nightly 0.0.1 pre-release unstable" +# summary="$0 [options] " +# +# usage[t]="Start qemu after the installation" +# varia[t]=tst +# tst=false +# +# usage[i]="Install the provided package. Not implemented" +# varia[i]=install +# declare -a install +# +# usage[k]="Keep the temporar mountpoints" +# varia[k]=keep +# keep=false +# +# usage[e]="bash command file to execute in the chroot. - to read from stdin" +# varia[e]=execute +# declare -a execute + +. driglibash-base + +#TODO keep order usage options +# Print usage and exit in error +usage() { + yell "Version: $version" + yell "Usage: $summary" + yell "Parameters:" + yell " -h print this help, version and exit." + for key in "${!usage[@]}" ; do + if [ "$(driglibash_arg_type "$key")" == "single_value" ] ; then + name="${varia[$key]}" + default=" (default : ${!name})" + else + default= + fi + yell " -$key ${usage[$key]}$default" + done + exit 0 +} + +# Guess the variable type +# Boolean, list or string +driglibash_arg_type() { + if [ $# -ne 1 ] ; then + die "Bad driglibash_arg_type usage"; + fi + + name="${varia[$1]}" + if [ "$name" == "" ] ; then die "Variable name is empty for key $1" ; fi + if [ "${!name}" == "false" ] ; then + echo "boolean" + elif [ -n "$( declare -p "$name" 2>/dev/null | grep 'declare \-a')" ] ; then + echo "array" + else + echo "single_value" + fi +} + +# Generate getopts string # +getopts_string=":h" +for key in ${!usage[@]} ; do + needs_parameter= + if [ "$(driglibash_arg_type "$key")" != "boolean" ] ; then needs_parameter=":" ; fi + getopts_string="$getopts_string$key$needs_parameter" +done + +# Loop throught options # +while getopts "$getopts_string" opt; do + case $opt in + h) usage;; + :) die "Option -$OPTARG 
requires an argument.";; + \?) die "Invalid option: -$OPTARG";; + *) + name="${varia[$opt]}" + if [ "${!name}" == "false" ] ; then eval $name=true + elif [ -n "$( declare -p "$name" 2>/dev/null | grep 'declare \-a')" ] ; then safe="${!name} $OPTARG" ; eval $name=\$safe + else eval $name=\$OPTARG + fi;; + esac +done ; shift $((OPTIND-1)) + diff --git a/provisioning/roles/deploy_all/files/bin/driglibash-base b/provisioning/roles/deploy_all/files/bin/driglibash-base new file mode 100755 index 0000000..d588596 --- /dev/null +++ b/provisioning/roles/deploy_all/files/bin/driglibash-base 
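Review bot: The array branch of the `*)` case, `safe="${!name} $OPTARG" ; eval $name=\$safe`, stores a space-joined string in element 0 of the declared array instead of appending an element, so `-i a -i b` leaves `${install[0]}` equal to `a b` and a value containing whitespace can no longer be recovered; append with `eval "$name+=(\"\$OPTARG\")"` so each occurrence becomes one element. The two scalar branches can drop `eval` altogether with `printf -v "$name" '%s' "$OPTARG"` and `printf -v "$name" true`, which never re-parses the variable name as shell code. `$opt` only reaches that branch when it is a key of `usage`, so the `eval` is not reachable with caller-chosen names, but `${!usage[@]}` in the `for key` loop should still be quoted. The comment above `usage()` says "exit in error" while the body does `exit 0`; one of the two should change. The same file is added again, byte-identical, as `provisioning/roles/jean-cloud-common/files/bin/driglibash-args`.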
@@ -0,0 +1,179 @@ +############################################################################### +# Driglibash pack 1 +# Usual helper functions for bash scripts +# https://github.com/adrianamaglio/driglibash +############################################################################### + +# Set to true to make a pause at each step +driglibash_step_by_step=false + +# Set to watever you want to have a prefix +driglibash_section_prefix="" + + +trap 'die "Received sigint"' INT + +# Output on standard error output +yell() { + echo >&2 -e "$@" +} + +# Output first parameter, second parameter times +repeat() { + printf "$1"'%.s' $(eval "echo {1.."$(($2))"}") +} + +# Output a "section title" to visually separate different script part +# TODO local variables +# TODO fixed place left aligned +section(){ + text="$driglibash_section_prefix$1" + if [ -n "$text" ] ; then + len="${#text}" + max_len="$(($(tput cols)-2))" + if [ "$len" -ge "$max_len" ] ; then + right=5 + left=5 + else + left="$((($max_len - $len)/2))" + right="$left" + fi + else + left=80 + right=0 + fi + + # If the character number was rounded down + if [ "$(($left + $right + $len +1 ))" -eq "$max_len" ] ; then + left="$(($left+ 1))" + fi + + repeat '=' "$left" + if [ "$right" -ge 1 ] ; then + echo -n " $text " + repeat '=' "$right" + echo + fi + + if "$driglibash_step_by_step" ; then + echo "Press enter to proceed" + read + fi +} +alias step=section + +# Print an error, clean and exit +die() { + yell "$@" + clean + exit 1 +} + +# Exit on error if not root +root_or_die() { + if [ "$UID" -ne 0 ] ; then + die "You need to be root" + fi +} + +# Execute a command and die if it returns with error # +run() { + while true ; do + "$@" + code=$? + if [ "$code" -ne 0 ] ; then + yell "command [$*] failed with exit code '$code'" + if [ -n "$driglibash_run_retry" ] ; then + echo "Retry ? Retry (y), skip the command (s) or exit script(n) [Y/s/n] ?" 
+ read answer + if [ "$answer" = "y" ] || [ "$answer" = "Y" ] || [ -z "$answer" ] ; then + continue + elif [ "$answer" = "s" ] || [ "$answer" = "S" ] ; then + return "$code" + fi + fi + die "Aborting" + else + break + fi + done +} + + +# Execute a commad in background and return its pid +start(){ + "$@" & + pid=$! + clean pre "kill $pid" + return $pid +} + +# Clean exit # +# Record command lines passed as argument and execute them all when called without args # +# One argument = One command # +# TODO append or prepend according to arg +declare -a driglibash_clean_actions +clean() { + if [ "$#" -eq 0 ] ; then + echo "Cleaning" + for action in "${driglibash_clean_actions[@]}" ; do + echo "driglibash_clean> $action" + $action + done + elif [ "$#" -eq 1 ] ; then + driglibash_clean_actions+=("$1") + elif [ "$#" -eq 2 ] ; then + case "$1" in + "pre") + declare -a tmp + tmp=("${driglibash_clean_actions[@]}") + driglibash_clean_actions=("$2") + driglibash_clean_actions+=("${tmp[@]}") + ;; + "post") + driglibash_clean_actions+=("$2") + ;; + "del") + for i in "${!driglibash_clean_actions[@]}" ; do + if [ "$2" = "${driglibash_clean_actions[$i]}" ] ; then + unset driglibash_clean_actions[$i] + break + fi + done + ;; + *) + die "driglibash_clean: action '$1' not supported" + esac + else + die "driglibash_clean : Bad clean usage, receveid more than two args" + fi +} + +# tells where your executable is (absolute path). 
Follow simlinks if any argument provided +where() { + if [ -z "$1" ] ; then + echo "$( cd -P "$( dirname "$1" )" && pwd )" + else + SOURCE="$0" + while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink + DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )" + SOURCE="$(readlink "$SOURCE")" + [[ $SOURCE != /* ]] && SOURCE="$DIR/$SOURCE" # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located + done + DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )" + + echo $DIR + fi +} + +# Add the line $1 in file $2 if not present +line_in_file() { + if [ "$#" -ne 2 ] ; then die "Bad usage of 'line_in_file'. Got '$#' parameters : '$@'" ; fi + if [ -z "$1" ] ; then die "Line arg is emtpy in 'line_in_file'" ; fi + line="$1" + if [ -z "$2" ] ; then die "File arg is emtpy in 'line_in_file'" ; fi + file="$2" + if [ ! -f "$file" ] ; then run touch "$file" ; fi + + grep -q -x -F "$line" "$file" || echo "$line" >> "$file" +} diff --git a/provisioning/roles/deploy_all/files/bin/letsencrypt.sh b/provisioning/roles/deploy_all/files/bin/letsencrypt.sh new file mode 100755 index 0000000..9d90bd5 --- /dev/null +++ b/provisioning/roles/deploy_all/files/bin/letsencrypt.sh 
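Review bot: `run()` treats an empty answer as "retry" (`[ -z "$answer" ]` → `continue`), so when stdin is not a terminal `read answer` hits EOF, `$answer` stays empty and a failing command is re-executed in an unbounded loop; `deployer.sh` sets `driglibash_run_retry=true`, so a deploy started from cron or a CI job would spin instead of aborting. A one-line guard such as `read answer || die "Aborting (no tty)"` keeps the interactive behaviour and ends the non-interactive case. In `where()`, the no-argument branch calls `dirname "$1"` right after `[ -z "$1" ]` has established that `$1` is empty, so it returns the current directory rather than the script's; it should read `dirname "$0"`. `start()` ends with `return $pid`, but a return status is truncated to 0–255, so callers cannot get the pid back; `echo "$pid"` and `$(start …)` at the call site would work. The same file is duplicated under `provisioning/roles/jean-cloud-common/files/bin/driglibash-base`.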
@@ -0,0 +1,105 @@ +#!/bin/bash +# This script will run on new cert and on cron renew +# there is one cert by service + +# TODO make it an ansible script +# No + +# Les arguments du pauvre +if [ "$#" -eq 1 ] && [ "$1" = '-v' ] ; then + verbose=true +else + verbose=false +fi + +# Variable +acmeroot=/var/www/letsencrypt + +# Création du répertoire +mkdir -p "$acmeroot" + +# With trailing slash or it will be a prefix selector +#nginx_sites_dir="/etc/nginx/sites-enabled/" +nginx_sites_dir="/etc/nginx/sites-enabled/" + +for file in "$nginx_sites_dir"* ; do + if $verbose ; then + echo '-------------------------' + echo "$file" + fi + + service_name="$(basename "$file")" + + # Getting just the domain names + domains="$(grep '^[[:blank:]]*[^#][[:blank:]]*server_name' "$file" | sed 's/ _ / /g' | sed 's/server_name//g' | sed 's/default_server//g' | sed -e 's/^[[:space:]]*//' | cut -d ';' -f 1)" + if [ -n "$domains" ] ; then + # If using dummy cert, disabling it + if [ "$(readlink "/etc/letsencrypt/live/$service_name/fullchain.pem")" = "/etc/letsencrypt/live/dummy/fullchain.pem" ] ; then + rm -r "/etc/letsencrypt/live/$service_name" + fi + + # removing duplicates + domains="$(echo $domains | awk '{for (i=1;i<=NF;i++) if (!a[$i]++) printf("%s%s",$i,FS)}{printf("\n")}')" + echo "$domains" + + # adding -d before every domain + domains="-d $(echo $domains | sed 's/ / -d /g')" + + # Run certbot + command="certbot certonly -n --expand --agree-tos --webroot -w "$acmeroot" --email contact@jean-cloud.org --cert-name "$(basename $file)" $domains" + if $verbose ; then + echo $command + fi + out="$($command 2>&1)" + result="$?" 
+ + if [ "$result" -eq 0 ] && [[ "$out" = *"Certificate not yet due for renewal; no action taken."* ]]; then + echo "Cert still valid" + elif [ "$result" -eq 0 ] ; then + echo "Cert renewed or obtained" + #new_cert="$(echo "$out" | grep -oE '/etc/letsencrypt/live/.*/fullchain.pem')" + #echo "'$new_cert'" + #new_cert_dir="$(dirname "$out")" + #echo "'$new_cert_dir'" + + #if [ -d "$new_cert_dir" ] ; then + # echo "New cert dir : '$new_cert_dir'" + # echo "cp '$new_cert_dir/*' '/data/proxy/certs/'" + #else + # echo "Error parsiong dir name" + #fi + + elif [ "$result" -eq 1 ] ; then + echo "Cert failed" + echo " ------------------------------------------" + echo "$out" + echo " ------------------------------------------" + else + echo "Unknown error : $result.\n$out" + fi + fi +done + +ls /etc/letsencrypt/live/*000* &> /dev/null +if [ "$?" -eq 0 ] ; then + echo " ---------------------------------------------------------------------------------------------" + echo "Bad certs detected in letsencrypt dir. Nginx conf wont work…" + echo "rm -r /etc/letsencrypt/live/*000* /etc/letsencrypt/archive/*000* /etc/letsencrypt/renewal/*000*" + echo " ---------------------------------------------------------------------------------------------" +fi + + +nginx -t +code="$?" +if [ "$code" -ne 0 ] ; then + echo "Nginx test error, can’t reloat it" + exit 1 +fi + +nginx -s reload +code="$?" +if [ "$code" -ne 0 ] ; then + echo "Nginx reload error, GENERAL ALEEEEEEEEERT!!!!!" + exit 1 +fi +echo "Done. No error detected." diff --git a/provisioning/roles/deploy_all/files/bin/list_overlay_mounts.sh b/provisioning/roles/deploy_all/files/bin/list_overlay_mounts.sh new file mode 100644 index 0000000..36d5fd6 --- /dev/null +++ b/provisioning/roles/deploy_all/files/bin/list_overlay_mounts.sh @@ -0,0 +1,2 @@ +#!/bin/sh +docker inspect -f $'{{.Name}}\t{{.GraphDriver.Data.MergedDir}}' $(docker ps -aq) 
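Review bot: The certbot invocation is assembled as a string (`command="certbot … -w "$acmeroot" … $domains"`) and then expanded unquoted in `$($command 2>&1)`, so every name taken from `server_name` is word-split and glob-expanded — a wildcard entry such as `*.example.org` can match files in the current directory — and the embedded `"$acmeroot"` quotes are lost, so a path containing a space breaks the call. The unquoted `echo $domains` feeding the awk dedup has the same glob exposure. Build the command as an array and turn off pathname expansion for the script, as below. Separately, `echo "Unknown error : $result.\n$out"` prints a literal `\n` because `echo` is used without `-e`; `printf 'Unknown error : %s.\n%s\n' "$result" "$out"` is the portable form.
```shell
set -f                                    # server_name may hold '*' wildcards; never glob-expand them
# … unchanged: option parsing, acmeroot, sites loop, domain extraction and dedup …
cmd=(certbot certonly -n --expand --agree-tos --webroot -w "$acmeroot"
     --email contact@jean-cloud.org --cert-name "$service_name")
for d in $domains ; do cmd+=(-d "$d") ; done   # one array element per domain
if $verbose ; then echo "${cmd[*]}" ; fi
out="$("${cmd[@]}" 2>&1)"
result="$?"
# … unchanged: result handling …
```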
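Review bot: The shebang is `#!/bin/sh` but the format argument uses `$'…'` ANSI-C quoting, a bash/ksh extension that dash, the usual `/bin/sh` on Debian, does not implement, so the `\t` is passed through literally instead of becoming a tab. Either change the first line to `#!/bin/bash` or use a shell-neutral format such as `-f '{{.Name}}{{"\t"}}{{.GraphDriver.Data.MergedDir}}'`. With no containers present `$(docker ps -aq)` expands to nothing and `docker inspect` is invoked without arguments and fails; `ids="$(docker ps -aq)"; [ -n "$ids" ] || exit 0` before the call avoids the spurious error.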
diff --git a/provisioning/roles/deploy_all/files/bin/resolv.sh b/provisioning/roles/deploy_all/files/bin/resolv.sh new file mode 100755 index 0000000..562e126 --- /dev/null +++ b/provisioning/roles/deploy_all/files/bin/resolv.sh @@ -0,0 +1,61 @@ +#!/bin/bash + +set -euo pipefail + +########################### Helpers ########################################### + +function yell { + echo "$@" >&2 +} + +function die { + yell "$@" + exit 1 +} + +function say { + if "$verbose" ; then + yell "$@" + fi +} + +########################### Options ########################################### + +verbose=false +if [ "$1" = '-v' ] ; then + verbose=true + shift +fi + +########################### arguments ########################################## + +if [ "$#" -ne 1 ] ; then + die "Usage: $0 [options] + options : -v verbose" +fi + +name="$1" + +########################### script ############################################ + +while true ; do + if "$verbose" ; then + say "Querying $name" + fi + while read line ; do + if [[ "$line" = *"is an alias for "* ]] ; then + name="$(echo "$line" | cut -d ' ' -f 6)" + break + elif [[ "$line" = *" has address "* ]] ; then + echo "$line" | cut -d ' ' -f 4 + exit 0 + elif [[ "$line" = *" not found: "* ]] ; then + exit 0 + elif [[ "$line" = *" has no A record" ]] ; then + exit 0 + else + say "unmatched: $line" + fi + done <<< "$(host -W 2 -t A "$name" localhost)" +done + diff --git a/provisioning/roles/deploy_all/files/bin/template.sh b/provisioning/roles/deploy_all/files/bin/template.sh new file mode 100755 index 0000000..4071401 --- /dev/null +++ b/provisioning/roles/deploy_all/files/bin/template.sh @@ -0,0 +1,8 @@ +#!/bin/bash +if [ "$#" -ne 1 ] ; then + echo "Usage: $0 " >&2 + echo "This script read env_file variables and replace theire occurences in stdin" >&2 + exit 1 +fi + +bash -c 'set -a && . '"$1"' && envsubst "$(cat '"$1"' | grep -o ^.*= | sed "s/=//" | sed "s/^/$/")"' 
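Review bot: With `set -u` in force, `[ "$1" = '-v' ]` aborts with an "unbound variable" error when the script is run without arguments, so the usage text just below it is never reached; write `[ "${1:-}" = '-v' ]`. The outer `while true` has no exit for output that matches none of the patterns (a resolver timeout prints a `;; connection timed out` line, for instance), so a flaky local resolver would make `deployer.sh`, which calls this once per service, hang; bound the number of passes or `die` after an unmatched one. `read line` should be `read -r line` so backslashes in the answer are not interpreted.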
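Review bot: The env-file path `$1` is spliced into the `bash -c` program text three times (`'"$1"'`), so a path containing a space, a quote or `$` breaks the quoting and is re-parsed as shell code by the inner bash; pass it as a positional parameter instead: `bash -c 'set -a && . "$1" && envsubst "$(grep -o "^[^=]*=" "$1" | sed "s/=\$//; s/^/\$/")"' _ "$1"`. The `^[^=]*=` pattern also stops at the first `=`, whereas the current `^.*=` swallows everything up to the last one and produces a wrong variable name for lines like `A=b=c`. The file is still sourced, so whatever it contains runs with the caller's privileges; that is inherent to the design and worth stating in the header comment.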
diff --git a/provisioning/roles/deploy_all/files/bind/db.amaglio.fr b/provisioning/roles/deploy_all/files/bind/db.amaglio.fr new file mode 100644 index 0000000..eedb24f --- /dev/null +++ b/provisioning/roles/deploy_all/files/bind/db.amaglio.fr @@ -0,0 +1,22 @@ +$TTL 604800 +@ IN SOA ns1.jean-cloud.net. contact.dahus.net. ( + 2023041900 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 7200 ) ; Negative Cache TTL (min before refresh) + +@ IN NS ns1.jean-cloud.net. +@ IN NS ns2.he.net. +@ IN NS ns3.he.net. +@ IN NS ns4.he.net. +@ IN NS ns5.he.net. +@ IN A 51.255.33.248 + +@ IN MX 10 mail.amaglio.fr. + +mail IN A 91.216.107.37 +imap IN CNAME mail.amaglio.fr. +pop IN CNAME mail.amaglio.fr. +smtp IN CNAME mail.amaglio.fr. + diff --git a/provisioning/roles/deploy_all/files/bind/db.collectif-arthadie.fr b/provisioning/roles/deploy_all/files/bind/db.collectif-arthadie.fr new file mode 100644 index 0000000..ebb5877 --- /dev/null +++ b/provisioning/roles/deploy_all/files/bind/db.collectif-arthadie.fr @@ -0,0 +1,30 @@ +$TTL 604800 +@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. ( + 2020031104 ; Serial + 7200 ; Refresh + 7200 ; Retry + 2419200 ; Expire + 7200 ) ; Negative Cache TTL + +; NS +@ IN NS ns1.jean-cloud.net. +@ IN NS ns2.he.net. +@ IN NS ns3.he.net. +@ IN NS ns4.he.net. +@ IN NS ns5.he.net. + +@ IN A 51.255.33.248 + +@ 10800 IN MX 10 spool.mail.gandi.net. +@ 10800 IN MX 50 fb.mail.gandi.net. +@ 10800 IN TXT "v=spf1 include:_mailcust.gandi.net ?all" + +collectif-arthadie.fr. IN CAA 0 issue "letsencrypt.org" +collectif-arthadie.fr. IN CAA 0 issuewild ";" + +wordpress IN CNAME vandamme.jean-cloud.net. +www.wordpress IN CNAME vandamme.jean-cloud.net. +www IN CNAME vandamme.jean-cloud.net. + +www.wordpress.collectif-arthadie.fr IN CAA 0 issue "letsencrypt.org" +www.wordpress.collectif-arthadie.fr IN CAA 0 issuewild ";" 
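Review bot: The last two CAA records use the owner name `www.wordpress.collectif-arthadie.fr` without a trailing dot, so BIND appends `$ORIGIN` and the records land on `www.wordpress.collectif-arthadie.fr.collectif-arthadie.fr`, leaving the real `www.wordpress` name governed only by the apex CAA; write the owner relative (`www.wordpress IN CAA 0 issue "letsencrypt.org"`) or absolute with the dot. `db.jean-cloud.net` has the same relative-owner problem on its `shlago.wireguard.jean-cloud.net` line. Since the apex CAA already restricts issuance to letsencrypt.org for every name below it, the extra records are redundant unless a different policy is intended for that host.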
diff --git a/provisioning/roles/deploy_all/files/bind/db.compagnienouvelle.fr b/provisioning/roles/deploy_all/files/bind/db.compagnienouvelle.fr new file mode 100644 index 0000000..1462ebf --- /dev/null +++ b/provisioning/roles/deploy_all/files/bind/db.compagnienouvelle.fr @@ -0,0 +1,16 @@ +$TTL 604800 +@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. ( + 2023042100 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 7200 ) ; Negative Cache TTL (min before refresh) + +@ IN NS ns1.jean-cloud.net. +@ IN NS ns2.he.net. +@ IN NS ns3.he.net. +@ IN NS ns4.he.net. +@ IN NS ns5.he.net. + +@ IN A 172.104.154.21 +@ IN AAAA 2a01:7e01::f03c:92ff:fecf:e815 diff --git a/provisioning/roles/deploy_all/files/bind/db.gypsylyonfestival.com b/provisioning/roles/deploy_all/files/bind/db.gypsylyonfestival.com new file mode 100644 index 0000000..a7c86a2 --- /dev/null +++ b/provisioning/roles/deploy_all/files/bind/db.gypsylyonfestival.com @@ -0,0 +1,30 @@ +$TTL 604800 +@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. ( + 2023020400 ; Serial + 7200 ; Refresh + 7200 ; Retry + 2419200 ; Expire + 7200 ) ; Negative Cache TTL + +; NS +@ IN NS ns1.jean-cloud.net. +@ IN NS ns2.jean-cloud.net. +@ IN NS ns1.he.net. +@ IN NS ns2.he.net. +@ IN NS ns3.he.net. +@ IN NS ns4.he.net. +@ IN NS ns5.he.net. + +@ IN A 51.195.40.128 +@ IN AAAA 2001:41d0:701:1100::31f + + + +; Resolving nameserver +ns1 IN A 51.255.33.248 +ns2 IN A 172.104.154.21 + +tetede IN A 51.255.33.248 +tetede IN AAAA 2001:41d0:701:1100::31f + + diff --git a/provisioning/roles/deploy_all/files/bind/db.hid b/provisioning/roles/deploy_all/files/bind/db.hid new file mode 100644 index 0000000..ae7cbf8 --- /dev/null +++ b/provisioning/roles/deploy_all/files/bind/db.hid 
@@ -0,0 +1,19 @@ +$TTL 604800 +@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. ( + 2023040300 ; Serial + 7200 ; Refresh + 7200 ; Retry + 2419200 ; Expire + 7200 ) ; Negative Cache TTL + +; NS +@ IN NS ns1.jean-cloud.net. +@ IN NS ns2.jean-cloud.net. + + +; Resolving nameserver +ns1 IN A 51.255.33.248 +ns2 IN A 172.104.154.21 + +radiodemo IN CNAME montbonnot.jean-cloud.net + diff --git a/provisioning/roles/deploy_all/files/bind/db.inurbe.fr b/provisioning/roles/deploy_all/files/bind/db.inurbe.fr new file mode 100644 index 0000000..35317e7 --- /dev/null +++ b/provisioning/roles/deploy_all/files/bind/db.inurbe.fr @@ -0,0 +1,15 @@ +$TTL 604800 +@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. ( + 2023042100 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 7200 ) ; Negative Cache TTL (min before refresh) + +@ IN NS ns1.jean-cloud.net. +@ IN NS ns2.he.net. +@ IN NS ns3.he.net. +@ IN NS ns4.he.net. +@ IN NS ns5.he.net. + +@ IN A 51.255.33.248 diff --git a/provisioning/roles/deploy_all/files/bind/db.jean-cloud.net b/provisioning/roles/deploy_all/files/bind/db.jean-cloud.net new file mode 100644 index 0000000..13032db --- /dev/null +++ b/provisioning/roles/deploy_all/files/bind/db.jean-cloud.net 
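Review bot: `radiodemo IN CNAME montbonnot.jean-cloud.net` lacks the trailing dot on the target, so it is read relative to the zone and points at `montbonnot.jean-cloud.net.hid`, which does not exist; it must be `montbonnot.jean-cloud.net.`. The final line of `db.jean-cloud.net` (`… IN CNAME teted`) has the same unterminated target and, judging by the other records in that zone, `teted` looks like a truncated `tetede`; as written it points at a nonexistent `teted.jean-cloud.net`. `hid` appears to be a private top-level name, so this zone only answers for clients that query this server directly; that is fine if intended, but a one-line comment at the top of the file would make it explicit.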
@@ -0,0 +1,146 @@ +$TTL 604800 +@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. ( + 2023042400 ; Serial + 7200 ; Refresh + 7200 ; Retry + 2419200 ; Expire + 7200 ) ; Negative Cache TTL + +; NS +@ IN NS ns1.jean-cloud.net. +@ IN NS ns2.jean-cloud.net. +@ IN NS ns1.he.net. +@ IN NS ns2.he.net. +@ IN NS ns3.he.net. +@ IN NS ns4.he.net. +@ IN NS ns5.he.net. + +@ IN A 51.255.33.248 + +@ 10800 IN MX 10 spool.mail.gandi.net. +@ 10800 IN MX 50 fb.mail.gandi.net. +@ 10800 IN TXT "v=spf1 include:_mailcust.gandi.net ?all" + + +; Resolving nameserver +ns1 IN A 51.255.33.248 +ns2 IN A 172.104.154.21 + +;mail IN CNAME vandamme +webmail IN CNAME vandamme +vimbadmin IN CNAME vandamme + +www IN CNAME vandamme + +; Naming nodes +vandamme IN A 51.255.33.248 + +local-adrian IN A 193.33.56.94 + +francois IN A 54.38.189.153 + +nougaro IN A 172.104.154.21 +nougaro IN AAAA 2a01:7e01::f03c:92ff:fecf:e815 + +tetede IN AAAA 2001:41d0:701:1100::31f +tetede IN A 51.195.40.128 + +carcasse IN A 109.18.84.200 +carcasse IN AAAA 2a02:8434:1633:df01:adf9:74c3:b444:262f + +heart IN A 109.18.84.200 + +max IN A 82.65.204.254 +max IN AAAA 2a01:e0a:c9d:81d0:a2b3:ccff:fe85:af97 + +montbonnot IN A 188.114.97.2 +montbonnot IN A 188.114.96.2 +montbonnot IN AAAA 2a06:98c1:3120::2 +montbonnot IN AAAA 2a06:98c1:3121::2 + + +; Carcasse +dumbcluster IN A 109.18.84.200 +dumbcluster IN AAAA 2a02:8434:1633:df01:226:2dff:fe11:56af +; Tetede +dumbcluster IN A 51.195.40.128 +dumbcluster IN AAAA 2001:41d0:701:1100::31f + +; services + +nuage IN CNAME vandamme +www.nuage IN CNAME vandamme +calc.nuage IN CNAME vandamme +pad.nuage IN CNAME vandamme + +feteducourt IN CNAME vandamme +www.feteducourt IN CNAME vandamme +feteducourt2020 IN CNAME vandamme +www.feteducourt2020 IN CNAME vandamme + +git IN CNAME vandamme +www.git IN CNAME vandamme + +wiki-cgr IN CNAME vandamme +www.wiki-cgr IN CNAME vandamme +parsoid-wiki-cgr IN CNAME vandamme +www.parsoid-wiki-cgr IN CNAME vandamme + +cousinades IN CNAME vandamme 
+www.cousinades IN CNAME vandamme + +cousinadesi2 IN CNAME vandamme +www.cousinades2 IN CNAME vandamme + +velov IN CNAME vandamme +www.velov IN CNAME vandamme + +registry IN CNAME vandamme +www.registry IN CNAME vandamme + +inurbe IN CNAME vandamme +www.inurbe IN CNAME vandamme + +gmx-webmail IN CNAME vandamme +www.gmx-webmail IN CNAME vandamme + +rpnow IN CNAME vandamme +www.rpnow IN CNAME vandamme +test.rpnow IN CNAME vandamme +www.test.rpnow IN CNAME vandamme + +lalis IN CNAME vandamme +www.lalis IN CNAME vandamme + +metamorphose IN CNAME vandamme +www.metamorphose IN CNAME vandamme + +static IN CNAME vandamme +www.static IN CNAME vandamme + +;educloud IN CNAME tetede +;www.educloud IN CNAME tetede +;educloud2 IN CNAME tetede +;www.educloud2 IN CNAME tetede + +copaines IN CNAME tetede +www.copaines IN CNAME tetede +wordpress.copaines IN CNAME tetede +www.wordpress.copaines IN CNAME tetede + +feministesucl34 IN CNAME tetede +www.feministesucl34 IN CNAME tetede +wordpress.feministesucl34 IN CNAME tetede +www.wordpress.feministesucl34 IN CNAME tetede + +tracker IN CNAME tetede + +raplacgr IN CNAME tetede + +walou IN CNAME dumbcluster + +nc-backup IN CNAME tetede + +gypsy IN CNAME tetede + +shlago.wireguard.jean-cloud.net IN CNAME teted diff --git a/provisioning/roles/deploy_all/files/bind/db.jean-cloud.org b/provisioning/roles/deploy_all/files/bind/db.jean-cloud.org new file mode 100644 index 0000000..045c973 --- /dev/null +++ b/provisioning/roles/deploy_all/files/bind/db.jean-cloud.org @@ -0,0 +1,20 @@ +$TTL 604800 +@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. ( + 2021060600 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 604800 ) ; Negative Cache TTL + +@ IN NS ns1.jean-cloud.net. +@ IN NS ns2.jean-cloud.net. + + +@ IN A 51.255.33.248 + +@ 10800 IN MX 10 spool.mail.gandi.net. +@ 10800 IN MX 50 fb.mail.gandi.net. +@ 10800 IN TXT "v=spf1 include:_mailcust.gandi.net ?all" + +ns1 IN A 51.255.33.248 + 
diff --git a/provisioning/roles/deploy_all/files/bind/db.karnaval.fr b/provisioning/roles/deploy_all/files/bind/db.karnaval.fr new file mode 100644 index 0000000..a620992 --- /dev/null +++ b/provisioning/roles/deploy_all/files/bind/db.karnaval.fr @@ -0,0 +1,27 @@ +$TTL 604800 +@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. ( + 2023020700 ; Serial + 7200 ; Refresh + 7200 ; Retry + 2419200 ; Expire + 7200 ) ; Negative Cache TTL + +; NS +@ IN NS ns1.jean-cloud.net. +@ IN NS ns2.jean-cloud.net. +@ IN NS ns1.he.net. +@ IN NS ns2.he.net. +@ IN NS ns3.he.net. +@ IN NS ns4.he.net. +@ IN NS ns5.he.net. + +@ IN A 51.178.80.171 + + +; Resolving nameserver +ns1 IN A 51.255.33.248 +ns2 IN A 172.104.154.21 + +benevoles IN A 51.178.80.171 +benevoles31 IN A 51.178.80.171 + diff --git a/provisioning/roles/deploy_all/files/bind/db.lalis.fr b/provisioning/roles/deploy_all/files/bind/db.lalis.fr new file mode 100644 index 0000000..35317e7 --- /dev/null +++ b/provisioning/roles/deploy_all/files/bind/db.lalis.fr @@ -0,0 +1,15 @@ +$TTL 604800 +@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. ( + 2023042100 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 7200 ) ; Negative Cache TTL (min before refresh) + +@ IN NS ns1.jean-cloud.net. +@ IN NS ns2.he.net. +@ IN NS ns3.he.net. +@ IN NS ns4.he.net. +@ IN NS ns5.he.net. + +@ IN A 51.255.33.248 diff --git a/provisioning/roles/deploy_all/files/bind/db.leida.fr b/provisioning/roles/deploy_all/files/bind/db.leida.fr new file mode 100644 index 0000000..35317e7 --- /dev/null +++ b/provisioning/roles/deploy_all/files/bind/db.leida.fr @@ -0,0 +1,15 @@ +$TTL 604800 +@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. ( + 2023042100 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 7200 ) ; Negative Cache TTL (min before refresh) + +@ IN NS ns1.jean-cloud.net. +@ IN NS ns2.he.net. +@ IN NS ns3.he.net. +@ IN NS ns4.he.net. +@ IN NS ns5.he.net. + +@ IN A 51.255.33.248 
diff --git a/provisioning/roles/deploy_all/files/bind/db.metamorphosemagazine.fr b/provisioning/roles/deploy_all/files/bind/db.metamorphosemagazine.fr new file mode 100644 index 0000000..35317e7 --- /dev/null +++ b/provisioning/roles/deploy_all/files/bind/db.metamorphosemagazine.fr @@ -0,0 +1,15 @@ +$TTL 604800 +@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. ( + 2023042100 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 7200 ) ; Negative Cache TTL (min before refresh) + +@ IN NS ns1.jean-cloud.net. +@ IN NS ns2.he.net. +@ IN NS ns3.he.net. +@ IN NS ns4.he.net. +@ IN NS ns5.he.net. + +@ IN A 51.255.33.248 diff --git a/provisioning/roles/deploy_all/files/bind/db.oma-radio.fr b/provisioning/roles/deploy_all/files/bind/db.oma-radio.fr new file mode 100644 index 0000000..ada3e54 --- /dev/null +++ b/provisioning/roles/deploy_all/files/bind/db.oma-radio.fr 
@@ -0,0 +1,58 @@ +$TTL 604800 +@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. ( + 2023042200 ; Serial + 604800 ; Refresh + 7200 ; Retry + 2419200 ; Expire + 604800 ) ; Negative Cache TTL + +@ IN NS ns1.jean-cloud.net. +@ IN NS ns5.he.net. +@ IN NS ns4.he.net. +@ IN NS ns3.he.net. +@ IN NS ns2.he.net. + +@ IN A 51.255.33.248 + +@ IN MX 1 mx1.mail.ovh.net. +@ IN MX 5 mx2.mail.ovh.net. +@ IN MX 10 mx3.mail.ovh.net. + +www IN CNAME vandamme.jean-cloud.net. + +www.registry IN CNAME nougaro.jean-cloud.net. +registry IN CNAME nougaro.jean-cloud.net. +services IN CNAME nougaro.jean-cloud.net. + +radionimaitre IN CNAME tetede.jean-cloud.net. +www.radionimaitre IN CNAME tetede.jean-cloud.net. +paj IN CNAME nougaro.jean-cloud.net. +www.paj IN CNAME nougaro.jean-cloud.net. +radiodemo IN CNAME tetede.jean-cloud.net. +radiodemo-back IN CNAME montbonnot.jean-cloud.net. + + +_autodiscover._tcp IN SRV 0 0 443 mailconfig.ovh.net. +_imaps._tcp IN SRV 0 0 993 ssl0.ovh.net. +_submission._tcp IN SRV 0 0 465 ssl0.ovh.net. +;autoconfig IN SRV mailconfig.ovh.net. +imap IN CNAME ssl0.ovh.net. +smtp IN CNAME ssl0.ovh.net. +mail IN CNAME ssl0.ovh.net. +pop3 IN CNAME ssl0.ovh.net. + +stream.paj.ports IN TXT 9002 +control.paj.ports IN TXT 9492 + +pa1.studios IN CNAME carcasse.jean-cloud.net. +montpellier1.studios IN CNAME tetede.jean-cloud.net. + +npm IN CNAME vandamme.jean-cloud.net. +www.npm IN CNAME vandamme.jean-cloud.net. + +static IN CNAME vandamme.jean-cloud.net. +www.static IN CNAME vandamme.jean-cloud.net. + +discordbot IN CNAME vandamme.jean-cloud.net. +www.discordbot IN CNAME vandamme.jean-cloud.net. + diff --git a/provisioning/roles/deploy_all/files/bind/named.conf.local b/provisioning/roles/deploy_all/files/bind/named.conf.local new file mode 100644 index 0000000..b4bcb9d --- /dev/null +++ b/provisioning/roles/deploy_all/files/bind/named.conf.local 
@@ -0,0 +1,78 @@ +// +// Do any local configuration here +// + +// Consider adding the 1918 zones here, if they are not used in your +// organization +//include "/etc/bind/zones.rfc1918"; + + + +zone "oma-radio.fr"{ + allow-update { none; }; # We are primary DNS + type master; + file "/etc/bind/db.oma-radio.fr"; +}; +zone "jean-cloud.net"{ + allow-update { none; }; # We are primary DNS + type master; + file "/etc/bind/db.jean-cloud.net"; +}; +zone "jean-cloud.org"{ + allow-update { none; }; # We are primary DNS + type master; + file "/etc/bind/db.jean-cloud.org"; +}; +zone "karnaval.fr"{ + allow-update { none; }; # We are primary DNS + type master; + file "/etc/bind/db.karnaval.fr"; +}; +zone "amaglio.fr"{ + allow-update { none; }; # We are primary DNS + type master; + file "/etc/bind/db.amaglio.fr"; +}; +zone "collectif-arthadie.fr"{ + allow-update { none; }; # We are primary DNS + type master; + file "/etc/bind/db.collectif-arthadie.fr"; +}; +zone "gypsylyonfestival.com"{ + allow-update { none; }; # We are primary DNS + type master; + file "/etc/bind/db.gypsylyonfestival.com"; +}; +zone "hid"{ + allow-update { none; }; # We are primary DNS + type master; + file "/etc/bind/db.hid"; +}; +zone "compagnienouvelle.fr"{ + allow-update { none; }; # We are primary DNS + type master; + file "/etc/bind/db.compagnienouvelle.fr"; +}; +zone "inurbe.fr"{ + allow-update { none; }; # We are primary DNS + type master; + file "/etc/bind/db.inurbe.fr"; +}; +zone "lalis.fr"{ + allow-update { none; }; # We are primary DNS + type master; + file "/etc/bind/db.lalis.fr"; +}; +zone "leida.fr"{ + allow-update { none; }; # We are primary DNS + type master; + file "/etc/bind/db.leida.fr"; +}; +zone "metamorphosemagazine.fr"{ + allow-update { none; }; # We are primary DNS + type master; + file "/etc/bind/db.metamorphosemagazine.fr"; +}; + + + 
diff --git a/provisioning/roles/deploy_all/files/bind/named.conf.options b/provisioning/roles/deploy_all/files/bind/named.conf.options new file mode 100644 index 0000000..19db25e --- /dev/null +++ b/provisioning/roles/deploy_all/files/bind/named.conf.options @@ -0,0 +1,18 @@ +options { + directory "/var/cache/bind"; + dnssec-validation auto; + + auth-nxdomain no; # conform to RFC1035 + listen-on { any; }; + listen-on-v6 { any; }; + allow-update { none; }; + allow-recursion { none; }; + allow-recursion-on { none; }; + recursion no; + notify yes; + allow-transfer { + none; + #216.218.133.2; 2001:470:600::2; //he.net + #172.104.154.21; 2a01:7e01::f03c:92ff:fecf:e815; // nougaro + }; +}; diff --git a/provisioning/roles/deploy_all/tasks/main.yml b/provisioning/roles/deploy_all/tasks/main.yml new file mode 100644 index 0000000..a72b27d --- /dev/null +++ b/provisioning/roles/deploy_all/tasks/main.yml @@ -0,0 +1,33 @@ +--- +# tasks file for deploy_all +- name: sync services dirs + ansible.posix.synchronize: + src: ../services/ + dest: /docker/ + delete: true + archive: false + recursive: true + +- name: Add binaries + ansible.posix.synchronize: + src: "{{ role_path }}/files/bin/" + dest: "/usr/local/bin" + +- name: Add bind conf + ansible.posix.synchronize: + src: "{{ role_path }}/files/bind/" + dest: "/etc/bind/" + +- name: make sure bind9 is started + ansible.builtin.service: + name: bind9 + state: started +- name: Reload service bind9, in all cases + ansible.builtin.service: + name: bind9 + state: reloaded + + #- name: Start the deployer + # ansible.builtin.command: + # command: /docker/_deployer/main.sh + diff --git a/provisioning/roles/jean-cloud-common/files/bin/deployer.sh b/provisioning/roles/jean-cloud-common/files/bin/deployer.sh new file mode 100755 index 0000000..5d58577 --- /dev/null +++ b/provisioning/roles/jean-cloud-common/files/bin/deployer.sh 
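Review bot: `allow-transfer { none; }` together with `notify yes` means the servers named as NS in the zones (`ns2.jean-cloud.net`/nougaro and the he.net hosts) receive NOTIFYs but are refused AXFR, so they will serve stale or no data unless the zones reach them some other way; the commented-out `216.218.133.2; 2001:470:600::2;` and nougaro addresses suggest transfers were meant to be enabled, and if so they should be listed in an explicit ACL (`acl secondaries { … };` referenced from `allow-transfer`) rather than opened with `any`. If he.net is fed through a separate mechanism, a comment saying so would stop the next reader from re-enabling transfers here. `recursion no` with `allow-recursion { none; }` and `listen-on { any; }` is the right shape for an Internet-facing authoritative server.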
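Review bot: The first task syncs `../services/` to `/docker/` with `delete: true`, so anything under `/docker/` that is not in the source tree — host-only `.env` files, bind-mounted data, or state written by `deployer.sh` — is removed on every run; if services keep host-only data there, exclude it with `rsync_opts: ['--exclude=…']` or drop `delete`. `archive: false` also stops rsync from preserving file modes, so scripts in the services tree arrive without their execute bit unless `perms: true` is added. The "Add binaries" task pushes the bin scripts into `/usr/local/bin` with no ownership or permission constraint; since `deployer.sh` sources them by bare name (`. driglibash-base`, resolved through PATH), a follow-up `ansible.builtin.file` task asserting root ownership and mode `0755` on that directory would keep them from being shadowed or edited by a non-root account.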
@@ -0,0 +1,155 @@ +#!/bin/bash + +driglibash_run_retry=true +. driglibash-base +set -euo pipefail + +############################################################################### +# Variables +############################################################################### + +proxy_dir="/etc/nginx" +nginx_conf_path="$proxy_dir/sites-enabled" +new_nginx_conf_path="$proxy_dir/new-sites-enabled" + +certs_path="/etc/letsencrypt/live" +dummy_cert_path="$certs_path/dummy" + +############################################################################### +# Helpers +############################################################################### + +# Returns the public IP4 address of a domain name +function ipof { + resolv.sh "$1" +} + +# Path to this directory +here="$(where 'follow_links')" + +# Ip4 address +my_ip="$(ipof "$(cat /etc/hostname)")" +[ -z "$my_ip" ] && yell "Unable to find my IP" && exit 1 + + +############################################################################### +# Nginx preparation +############################################################################### + +driglibash_section_prefix="[Prepare nginx] " +section "Delete new conf directory (to recover)" +run rm -rf "$new_nginx_conf_path" + +section "Create new conf file (for tests purposes)" +sed "s#$nginx_conf_path#$new_nginx_conf_path#" "/docker/_proxy/nginx.conf" > "$proxy_dir/new_nginx.conf" + +section "Create proxy dir" +run mkdir -p "$proxy_dir" /docker /data +run chown root:root /docker +run chown root:root /data +run chmod 755 /docker +run chmod 755 /data + +section "Check dummy cert exists " +#TODO check if expired +if [ ! 
-f "$dummy_cert_path/privkey.pem" ] ; then + echo "Dummy cert generation" + run mkdir -p "$dummy_cert_path" + run openssl req -x509 -newkey rsa:2048 -keyout /etc/letsencrypt/live/dummy/privkey.pem -out /etc/letsencrypt/live/dummy/fullchain.pem -days 365 -nodes -subj "/C=FR/ST=France/O=IT/CN=jean-cloud.net" +fi + +section "Create new conf directory" +run mkdir -p "$new_nginx_conf_path" + +############################################################################### +# Deploy services +############################################################################### + +for dir in /docker/* ; do + service="$(basename "$dir")" + + # Ignore _ prefixed directories + [ "${service::1}" == '_' ] && continue + + docker_service="$(echo "$service" | tr '.' '_')" + driglibash_section_prefix="[$service] " + cd "/docker/$service" + + # Is service meant to be on this server? + ip="$(ipof "$service")" + [ -z "$ip" ] && yell "No IP found for $service" && continue + + if [ "$ip" != "$my_ip" ] ; then + if [ -n "$(docker ps | grep "$docker_service")" ] ; then + section "--------------------" + section "Removing service" + docker-compose down --rmi all --remove-orphans + fi + continue + fi + + # If there is a docker-compose file and it has services in it + if [ -f "/docker/$service/docker-compose.yml" ] && [ -n "$(grep '^[^#]*services' "/docker/$service/docker-compose.yml")" ] ; then + section "-------------------- $service" + section "Logging to registry" + # XXX Login to docker registry + + section "Pulling images" + run docker-compose pull + + section "Starting service" + run docker-compose up -d --remove-orphans + fi + + # If there is a nginx conf file + if [ -f "/docker/$service/nginx_server.conf" ] ; then + section "Copy nginx conf" + run cp "/docker/$service/nginx_server.conf" "$new_nginx_conf_path/$service" + + if [ -f "/docker/$service/.env" ] ; then + section "Template nginx conf with vars from '.env' file" + run template.sh "/docker/$service/.env" < 
"/docker/$service/nginx_server.conf" > "$new_nginx_conf_path/$service" + fi + fi + + # Do we need dummy cert? + if [ ! -e "$certs_path/$service/fullchain.pem" ] ; then + section "Create cert dir" + run mkdir -p "$certs_path/$service" + + section "Link dummy to cert" + run ln -s "$dummy_cert_path/fullchain.pem" "$certs_path/$service" + run ln -s "$dummy_cert_path/privkey.pem" "$certs_path/$service" + fi + + section "Testing nginx conf" + run nginx -t -c /etc/nginx/new_nginx.conf + +done + +############################################################################### +# Nginx restart +############################################################################### + +driglibash_section_prefix="[Restart nginx] " + +section "Test if nginx conf is ok" +run nginx -t -c "$proxy_dir/new_nginx.conf" + +section "Update nginx conf" +run rm -rf "$nginx_conf_path" +run mv "$new_nginx_conf_path" "$nginx_conf_path" +run cp "/docker/_proxy/nginx.conf" "$proxy_dir/nginx.conf" + +section "Test nginx conf to be sure" +run nginx -t + +if [ -z "$(cat /var/run/nginx.pid)" ] ; then + section "Start nginx" + run nginx +else + section "Reload nginx" + run nginx -s reload +fi + +clean diff --git a/provisioning/roles/jean-cloud-common/files/bin/driglibash-args b/provisioning/roles/jean-cloud-common/files/bin/driglibash-args new file mode 100755 index 0000000..1cfec48 --- /dev/null +++ b/provisioning/roles/jean-cloud-common/files/bin/driglibash-args 
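Review bot: The teardown gate `[ -n "$(docker ps | grep "$docker_service")" ]` is a substring match over the whole `docker ps` table, so a service named `app` also sees `app_db` (or any image name containing it) as running, and the branch then calls `docker-compose down --rmi all --remove-orphans` outside `run`, so under `set -e` a failure there aborts the whole deploy loop mid-way; `run docker-compose down …` gated on `[ -n "$(docker-compose ps -q)" ]` in the service directory is the precise form and matches the other compose calls. Whether a service is kept or torn down with `--rmi all` depends entirely on what `resolv.sh` returns for `$service`, so a wrong answer from the local resolver silently removes a service and its images; a comment stating that contract, plus a dry-run flag that only prints the decision, would make the script safer to operate. `cd "/docker/$service"` runs before the ownership check, so a plain file under `/docker` that is not `_`-prefixed kills the script via `set -e`; add `[ -d "$dir" ] || continue` at the top of the loop. `here` is assigned from `where 'follow_links'` but never used, and the dummy-cert generation writes to the literal `/etc/letsencrypt/live/dummy/` instead of `$dummy_cert_path`. The earlier copy of this file under `provisioning/roles/deploy_all/files/bin/deployer.sh` is identical and needs the same changes.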
@@ -0,0 +1,90 @@ +#!/bin/bash + +############################################################################### +# https://github.com/adrianamaglio/driglibash-arg +############################################################################### + + +# Usage : +# +# version="alpha nightly 0.0.1 pre-release unstable" +# summary="$0 [options] " +# +# usage[t]="Start qemu after the installation" +# varia[t]=tst +# tst=false +# +# usage[i]="Install the provided package. Not implemented" +# varia[i]=install +# declare -a install +# +# usage[k]="Keep the temporar mountpoints" +# varia[k]=keep +# keep=false +# +# usage[e]="bash command file to execute in the chroot. - to read from stdin" +# varia[e]=execute +# declare -a execute + +. driglibash-base + +#TODO keep order usage options +# Print usage and exit in error +usage() { + yell "Version: $version" + yell "Usage: $summary" + yell "Parameters:" + yell " -h print this help, version and exit." + for key in "${!usage[@]}" ; do + if [ "$(driglibash_arg_type "$key")" == "single_value" ] ; then + name="${varia[$key]}" + default=" (default : ${!name})" + else + default= + fi + yell " -$key ${usage[$key]}$default" + done + exit 0 +} + +# Guess the variable type +# Boolean, list or string +driglibash_arg_type() { + if [ $# -ne 1 ] ; then + die "Bad driglibash_arg_type usage"; + fi + + name="${varia[$1]}" + if [ "$name" == "" ] ; then die "Variable name is empty for key $1" ; fi + if [ "${!name}" == "false" ] ; then + echo "boolean" + elif [ -n "$( declare -p "$name" 2>/dev/null | grep 'declare \-a')" ] ; then + echo "array" + else + echo "single_value" + fi +} + +# Generate getopts string # +getopts_string=":h" +for key in ${!usage[@]} ; do + needs_parameter= + if [ "$(driglibash_arg_type "$key")" != "boolean" ] ; then needs_parameter=":" ; fi + getopts_string="$getopts_string$key$needs_parameter" +done + +# Loop throught options # +while getopts "$getopts_string" opt; do + case $opt in + h) usage;; + :) die "Option -$OPTARG 
requires an argument.";; + \?) die "Invalid option: -$OPTARG";; + *) + name="${varia[$opt]}" + if [ "${!name}" == "false" ] ; then eval $name=true + elif [ -n "$( declare -p "$name" 2>/dev/null | grep 'declare \-a')" ] ; then safe="${!name} $OPTARG" ; eval $name=\$safe + else eval $name=\$OPTARG + fi;; + esac +done ; shift $((OPTIND-1)) + diff --git a/provisioning/roles/jean-cloud-common/files/bin/driglibash-base b/provisioning/roles/jean-cloud-common/files/bin/driglibash-base new file mode 100755 index 0000000..d588596 --- /dev/null +++ b/provisioning/roles/jean-cloud-common/files/bin/driglibash-base 
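Review bot: The array branch of the `*)` case never builds an array: `safe="${!name} $OPTARG" ; eval $name=\$safe` reads element 0 and writes the space-joined string back into element 0, so `-i a -i b` is indistinguishable from `-i 'a b'` and the `declare -a install` in the usage example buys nothing; append an element instead with `eval "$name+=(\"\$OPTARG\")"`. The usage block should also state that `usage` and `varia` must be declared associative (`declare -A usage varia`) before the `usage[t]=…` assignments, because with a plain indexed array bash evaluates `t` arithmetically and every key collapses onto index 0 — the calling scripts are not in this hunk, so they may already do this. The `eval`s are bounded by the author-controlled `varia` names and the `\$OPTARG` indirection keeps option values out of the evaluated text, which is the right shape and should be kept when fixing the append.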
@@ -0,0 +1,179 @@ +############################################################################### +# Driglibash pack 1 +# Usual helper functions for bash scripts +# https://github.com/adrianamaglio/driglibash +############################################################################### + +# Set to true to make a pause at each step +driglibash_step_by_step=false + +# Set to watever you want to have a prefix +driglibash_section_prefix="" + + +trap 'die "Received sigint"' INT + +# Output on standard error output +yell() { + echo >&2 -e "$@" +} + +# Output first parameter, second parameter times +repeat() { + printf "$1"'%.s' $(eval "echo {1.."$(($2))"}") +} + +# Output a "section title" to visually separate different script part +# TODO local variables +# TODO fixed place left aligned +section(){ + text="$driglibash_section_prefix$1" + if [ -n "$text" ] ; then + len="${#text}" + max_len="$(($(tput cols)-2))" + if [ "$len" -ge "$max_len" ] ; then + right=5 + left=5 + else + left="$((($max_len - $len)/2))" + right="$left" + fi + else + left=80 + right=0 + fi + + # If the character number was rounded down + if [ "$(($left + $right + $len +1 ))" -eq "$max_len" ] ; then + left="$(($left+ 1))" + fi + + repeat '=' "$left" + if [ "$right" -ge 1 ] ; then + echo -n " $text " + repeat '=' "$right" + echo + fi + + if "$driglibash_step_by_step" ; then + echo "Press enter to proceed" + read + fi +} +alias step=section + +# Print an error, clean and exit +die() { + yell "$@" + clean + exit 1 +} + +# Exit on error if not root +root_or_die() { + if [ "$UID" -ne 0 ] ; then + die "You need to be root" + fi +} + +# Execute a command and die if it returns with error # +run() { + while true ; do + "$@" + code=$? + if [ "$code" -ne 0 ] ; then + yell "command [$*] failed with exit code '$code'" + if [ -n "$driglibash_run_retry" ] ; then + echo "Retry ? Retry (y), skip the command (s) or exit script(n) [Y/s/n] ?" 
+ read answer + if [ "$answer" = "y" ] || [ "$answer" = "Y" ] || [ -z "$answer" ] ; then + continue + elif [ "$answer" = "s" ] || [ "$answer" = "S" ] ; then + return "$code" + fi + fi + die "Aborting" + else + break + fi + done +} + + +# Execute a commad in background and return its pid +start(){ + "$@" & + pid=$! + clean pre "kill $pid" + return $pid +} + +# Clean exit # +# Record command lines passed as argument and execute them all when called without args # +# One argument = One command # +# TODO append or prepend according to arg +declare -a driglibash_clean_actions +clean() { + if [ "$#" -eq 0 ] ; then + echo "Cleaning" + for action in "${driglibash_clean_actions[@]}" ; do + echo "driglibash_clean> $action" + $action + done + elif [ "$#" -eq 1 ] ; then + driglibash_clean_actions+=("$1") + elif [ "$#" -eq 2 ] ; then + case "$1" in + "pre") + declare -a tmp + tmp=("${driglibash_clean_actions[@]}") + driglibash_clean_actions=("$2") + driglibash_clean_actions+=("${tmp[@]}") + ;; + "post") + driglibash_clean_actions+=("$2") + ;; + "del") + for i in "${!driglibash_clean_actions[@]}" ; do + if [ "$2" = "${driglibash_clean_actions[$i]}" ] ; then + unset driglibash_clean_actions[$i] + break + fi + done + ;; + *) + die "driglibash_clean: action '$1' not supported" + esac + else + die "driglibash_clean : Bad clean usage, receveid more than two args" + fi +} + +# tells where your executable is (absolute path). 
Follow simlinks if any argument provided +where() { + if [ -z "$1" ] ; then + echo "$( cd -P "$( dirname "$1" )" && pwd )" + else + SOURCE="$0" + while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink + DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )" + SOURCE="$(readlink "$SOURCE")" + [[ $SOURCE != /* ]] && SOURCE="$DIR/$SOURCE" # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located + done + DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )" + + echo $DIR + fi +} + +# Add the line $1 in file $2 if not present +line_in_file() { + if [ "$#" -ne 2 ] ; then die "Bad usage of 'line_in_file'. Got '$#' parameters : '$@'" ; fi + if [ -z "$1" ] ; then die "Line arg is emtpy in 'line_in_file'" ; fi + line="$1" + if [ -z "$2" ] ; then die "File arg is emtpy in 'line_in_file'" ; fi + file="$2" + if [ ! -f "$file" ] ; then run touch "$file" ; fi + + grep -q -x -F "$line" "$file" || echo "$line" >> "$file" +} diff --git a/provisioning/roles/jean-cloud-common/files/bin/letsencrypt.sh b/provisioning/roles/jean-cloud-common/files/bin/letsencrypt.sh new file mode 100755 index 0000000..9d90bd5 --- /dev/null +++ b/provisioning/roles/jean-cloud-common/files/bin/letsencrypt.sh 
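Review bot: `start()` cannot hand the pid back through `return $pid`: bash exit statuses are 0–255, so the caller's `$?` receives `pid % 256` and only the `clean pre "kill $pid"` registration survives intact; print it instead (`echo "$pid"`) and let callers capture it with `$(start …)`. `where()` has its branches inverted relative to the comment: with no argument `[ -z "$1" ]` is true and it runs `dirname "$1"` on an empty string, which yields the current directory rather than the script's, while the symlink-following branch correctly starts from `$0`; the no-argument branch should read `echo "$( cd -P "$( dirname "$0" )" && pwd )"`. `clean()` executes each recorded action as an unquoted `$action`, so it is word-split and glob-expanded — fine for `kill 1234`, but an action whose arguments contain spaces or `*` will break, which deserves a comment on `driglibash_clean_actions` so callers know the contract.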
@@ -0,0 +1,105 @@
+#!/bin/bash
+# This script will run on new cert and on cron renew
+# there is one cert by service
+
+# TODO make it an ansible script
+# No
+
+# Les arguments du pauvre
+if [ "$#" -eq 1 ] && [ "$1" = '-v' ] ; then
+ verbose=true
+else
+ verbose=false
+fi
+
+# Variable
+acmeroot=/var/www/letsencrypt
+
+# Création du répertoire
+mkdir -p "$acmeroot"
+
+# With trailing slash or it will be a prefix selector
+#nginx_sites_dir="/etc/nginx/sites-enabled/"
+nginx_sites_dir="/etc/nginx/sites-enabled/"
+
+for file in "$nginx_sites_dir"* ; do
+ if $verbose ; then
+ echo '-------------------------'
+ echo "$file"
+ fi
+
+ service_name="$(basename "$file")"
+
+ # Getting just the domain names
+ domains="$(grep '^[[:blank:]]*[^#][[:blank:]]*server_name' "$file" | sed 's/ _ / /g' | sed 's/server_name//g' | sed 's/default_server//g' | sed -e 's/^[[:space:]]*//' | cut -d ';' -f 1)"
+ if [ -n "$domains" ] ; then
+ # If using dummy cert, disabling it
+ if [ "$(readlink "/etc/letsencrypt/live/$service_name/fullchain.pem")" = "/etc/letsencrypt/live/dummy/fullchain.pem" ] ; then
+ rm -r "/etc/letsencrypt/live/$service_name"
+ fi
+
+ # removing duplicates
+ domains="$(echo $domains | awk '{for (i=1;i<=NF;i++) if (!a[$i]++) printf("%s%s",$i,FS)}{printf("\n")}')"
+ echo "$domains"
+
+ # adding -d before every domain
+ domains="-d $(echo $domains | sed 's/ / -d /g')"
+
+ # Run certbot
+ command="certbot certonly -n --expand --agree-tos --webroot -w "$acmeroot" --email contact@jean-cloud.org --cert-name "$(basename $file)" $domains"
+ if $verbose ; then
+ echo $command
+ fi
+ out="$($command 2>&1)"
+ result="$?"
+
+ if [ "$result" -eq 0 ] && [[ "$out" = *"Certificate not yet due for renewal; no action taken."* ]]; then
+ echo "Cert still valid"
+ elif [ "$result" -eq 0 ] ; then
+ echo "Cert renewed or obtained"
+ #new_cert="$(echo "$out" | grep -oE '/etc/letsencrypt/live/.*/fullchain.pem')"
+ #echo "'$new_cert'"
+ #new_cert_dir="$(dirname "$out")"
+ #echo "'$new_cert_dir'"
+
+ #if [ -d "$new_cert_dir" ] ; then
+ # echo "New cert dir : '$new_cert_dir'"
+ # echo "cp '$new_cert_dir/*' '/data/proxy/certs/'"
+ #else
+ # echo "Error parsiong dir name"
+ #fi
+
+ elif [ "$result" -eq 1 ] ; then
+ echo "Cert failed"
+ echo " ------------------------------------------"
+ echo "$out"
+ echo " ------------------------------------------"
+ else
+ echo "Unknown error : $result.\n$out"
+ fi
+ fi
+done
+
+ls /etc/letsencrypt/live/*000* &> /dev/null
+if [ "$?" -eq 0 ] ; then
+ echo " ---------------------------------------------------------------------------------------------"
+ echo "Bad certs detected in letsencrypt dir. Nginx conf wont work…"
+ echo "rm -r /etc/letsencrypt/live/*000* /etc/letsencrypt/archive/*000* /etc/letsencrypt/renewal/*000*"
+ echo " ---------------------------------------------------------------------------------------------"
+fi
+
+
+nginx -t
+code="$?"
+if [ "$code" -ne 0 ] ; then
+ echo "Nginx test error, can’t reloat it"
+ exit 1
+fi
+
+nginx -s reload
+code="$?"
+if [ "$code" -ne 0 ] ; then
+ echo "Nginx reload error, GENERAL ALEEEEEEEEERT!!!!!"
+ exit 1
+fi
+echo "Done. No error detected."
diff --git a/provisioning/roles/jean-cloud-common/files/bin/list_overlay_mounts.sh b/provisioning/roles/jean-cloud-common/files/bin/list_overlay_mounts.sh
new file mode 100644
index 0000000..36d5fd6
--- /dev/null
+++ b/provisioning/roles/jean-cloud-common/files/bin/list_overlay_mounts.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+docker inspect -f $'{{.Name}}\t{{.GraphDriver.Data.MergedDir}}' $(docker ps -aq)
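Review bot: The certbot call at the end of the loop is assembled as a string (`command="certbot … -w "$acmeroot" … --cert-name "$(basename $file)" $domains"`) and run through unquoted `$command`, so the inner double quotes close the outer string instead of protecting those values, and every argument — including the `server_name` text scraped from the vhost files — is re-split on whitespace and glob-expanded before certbot sees it. Building the command as an array fixes both and lets the verbose branch print it unambiguously; the rewrite below replaces the "adding -d" and "Run certbot" steps. Two smaller things: `echo "Unknown error : $result.\n$out"` prints a literal `\n` (use `printf '%s\n' …`), and `rm -r "/etc/letsencrypt/live/$service_name"` removes the dummy link before certbot has succeeded, so a failed issuance leaves that vhost with no certificate at all and makes the trailing `nginx -t` fail for every site until deployer.sh re-links the dummy — deferring the removal until `result` is 0 would be safer.
```shell
# … unchanged: domain extraction and duplicate removal …
# Build argv as an array: one element per domain, nothing is re-split or globbed.
read -r -a domain_list <<< "$domains"
cmd=(certbot certonly -n --expand --agree-tos --webroot -w "$acmeroot"
     --email contact@jean-cloud.org --cert-name "$service_name")
for d in "${domain_list[@]}" ; do cmd+=(-d "$d") ; done
if $verbose ; then printf '%q ' "${cmd[@]}" ; echo ; fi
out="$("${cmd[@]}" 2>&1)"
result="$?"
# … unchanged: result handling …
```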
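Review bot: `$'{{.Name}}\t…'` is bash ANSI-C quoting, but the shebang is `#!/bin/sh`; under an `sh` that lacks that syntax (dash on Debian, which the rest of this commit targets) the `$` stays literal and `\t` is not translated, so `docker inspect` receives the template `${{.Name}}\t{{…}}` and either errors or prints garbage. Either switch the shebang to `#!/bin/bash` or put the tab inside the Go template so the script stays POSIX: `docker inspect -f '{{.Name}}{{"\t"}}{{.GraphDriver.Data.MergedDir}}' $(docker ps -aq)`. The unquoted `$(docker ps -aq)` is fine for ids, but with no containers `docker inspect` gets no argument and exits with a usage error, which a caller may not expect.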
diff --git a/provisioning/roles/jean-cloud-common/files/bin/resolv.sh b/provisioning/roles/jean-cloud-common/files/bin/resolv.sh
new file mode 100755
index 0000000..562e126
--- /dev/null
+++ b/provisioning/roles/jean-cloud-common/files/bin/resolv.sh
@@ -0,0 +1,61 @@
+#!/bin/bash
+
+set -euo pipefail
+
+########################### Helpers ###########################################
+
+function yell {
+ echo "$@" >&2
+}
+
+function die {
+ yell "$@"
+ exit 1
+}
+
+function say {
+ if "$verbose" ; then
+ yell "$@"
+ fi
+}
+
+########################### Options ###########################################
+
+verbose=false
+if [ "$1" = '-v' ] ; then
+ verbose=true
+ shift
+fi
+
+########################### arguments ##########################################
+
+if [ "$#" -ne 1 ] ; then
+ die "Usage: $0 [options]
+ options : -v verbose"
+fi
+
+name="$1"
+
+########################### script ############################################
+
+while true ; do
+ if "$verbose" ; then
+ say "Querying $name"
+ fi
+ while read line ; do
+ if [[ "$line" = *"is an alias for "* ]] ; then
+ name="$(echo "$line" | cut -d ' ' -f 6)"
+ break
+ elif [[ "$line" = *" has address "* ]] ; then
+ echo "$line" | cut -d ' ' -f 4
+ exit 0
+ elif [[ "$line" = *" not found: "* ]] ; then
+ exit 0
+ elif [[ "$line" = *" has no A record" ]] ; then
+ exit 0
+ else
+ say "unmatched: $line"
+ fi
+ done <<< "$(host -W 2 -t A "$name" localhost)"
+done
+
diff --git a/provisioning/roles/jean-cloud-common/files/bin/template.sh b/provisioning/roles/jean-cloud-common/files/bin/template.sh
new file mode 100755
index 0000000..4071401
--- /dev/null
+++ b/provisioning/roles/jean-cloud-common/files/bin/template.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+if [ "$#" -ne 1 ] ; then
+ echo "Usage: $0 " >&2
+ echo "This script read env_file variables and replace theire occurences in stdin" >&2
+ exit 1
+fi
+
+bash -c 'set -a && . '"$1"' && envsubst "$(cat '"$1"' | grep -o ^.*= | sed "s/=//" | sed "s/^/$/")"'
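Review bot: The outer `while true` has no exit path when `host` prints nothing the inner loop recognises — a timeout ("no servers could be reached"), a REFUSED answer, or SERVFAIL all fall into the `unmatched:` branch and the script re-queries the same name forever; since it asks `localhost`, whose BIND in this commit has `recursion no`, any name outside the locally authoritative zones will hit exactly that. CNAME chasing likewise has no hop limit, so a CNAME loop in a zone spins indefinitely. Separately, `set -u` makes the option test `[ "$1" = '-v' ]` abort with "unbound variable" when the script is run with no arguments, before the usage message is reached; use `[ "${1:-}" = '-v' ]`. The rewrite below bounds both loops and treats an unrecognised answer as a hard failure.
```shell
hops=0
while true ; do
  # Bound CNAME chasing so a CNAME loop cannot spin forever
  hops=$((hops + 1))
  [ "$hops" -gt 10 ] && die "Too many CNAME hops resolving $name"
  say "Querying $name"
  next=
  while read line ; do
    if [[ "$line" = *"is an alias for "* ]] ; then
      next="$(echo "$line" | cut -d ' ' -f 6)"
      break
    # … unchanged: "has address" / "not found" / "has no A record" branches …
    else
      say "unmatched: $line"
    fi
  done <<< "$(host -W 2 -t A "$name" localhost)"
  # No alias and no terminal answer (timeout, REFUSED, SERVFAIL…): do not retry forever
  [ -n "$next" ] || die "Unable to resolve $name"
  name="$next"
done
```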
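Review bot: `$1` is spliced unquoted into the `bash -c` command string twice, so an env-file path containing whitespace or shell metacharacters is re-parsed as shell code rather than used as a path; pass it as a positional parameter instead: `bash -c 'set -a && . "$1" && envsubst "$(grep -o "^[^=]*=" "$1" | sed "s/=$//; s/^/$/")"' _ "$1"`. That also fixes the variable list: `grep -o ^.*=` is greedy, so a line `KEY=a=b` yields `$KEYa=` and the real variable is never substituted. Sourcing the file executes anything in it, which is evidently intended here (deployer.sh feeds it each service's `.env`), but it means those files must be root-owned and not writable by the service containers — worth stating in the usage text so the contract survives the next maintainer.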
diff --git a/provisioning/roles/jean-cloud-common/files/bind/db.amaglio.fr b/provisioning/roles/jean-cloud-common/files/bind/db.amaglio.fr
new file mode 100644
index 0000000..eedb24f
--- /dev/null
+++ b/provisioning/roles/jean-cloud-common/files/bind/db.amaglio.fr
@@ -0,0 +1,22 @@
+$TTL 604800
+@ IN SOA ns1.jean-cloud.net. contact.dahus.net. (
+ 2023041900 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 7200 ) ; Negative Cache TTL (min before refresh)
+
+@ IN NS ns1.jean-cloud.net.
+@ IN NS ns2.he.net.
+@ IN NS ns3.he.net.
+@ IN NS ns4.he.net.
+@ IN NS ns5.he.net.
+@ IN A 51.255.33.248
+
+@ IN MX 10 mail.amaglio.fr.
+
+mail IN A 91.216.107.37
+imap IN CNAME mail.amaglio.fr.
+pop IN CNAME mail.amaglio.fr.
+smtp IN CNAME mail.amaglio.fr.
+
diff --git a/provisioning/roles/jean-cloud-common/files/bind/db.collectif-arthadie.fr b/provisioning/roles/jean-cloud-common/files/bind/db.collectif-arthadie.fr
new file mode 100644
index 0000000..ebb5877
--- /dev/null
+++ b/provisioning/roles/jean-cloud-common/files/bind/db.collectif-arthadie.fr
@@ -0,0 +1,30 @@
+$TTL 604800
+@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
+ 2020031104 ; Serial
+ 7200 ; Refresh
+ 7200 ; Retry
+ 2419200 ; Expire
+ 7200 ) ; Negative Cache TTL
+
+; NS
+@ IN NS ns1.jean-cloud.net.
+@ IN NS ns2.he.net.
+@ IN NS ns3.he.net.
+@ IN NS ns4.he.net.
+@ IN NS ns5.he.net.
+
+@ IN A 51.255.33.248
+
+@ 10800 IN MX 10 spool.mail.gandi.net.
+@ 10800 IN MX 50 fb.mail.gandi.net.
+@ 10800 IN TXT "v=spf1 include:_mailcust.gandi.net ?all"
+
+collectif-arthadie.fr. IN CAA 0 issue "letsencrypt.org"
+collectif-arthadie.fr. IN CAA 0 issuewild ";"
+
+wordpress IN CNAME vandamme.jean-cloud.net.
+www.wordpress IN CNAME vandamme.jean-cloud.net.
+www IN CNAME vandamme.jean-cloud.net.
+
+www.wordpress.collectif-arthadie.fr IN CAA 0 issue "letsencrypt.org"
+www.wordpress.collectif-arthadie.fr IN CAA 0 issuewild ";"
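Review bot: The zone publishes an MX for `mail.amaglio.fr` but no SPF `TXT` (and no DMARC), so any host can send as `@amaglio.fr` with nothing for receivers to check; the sibling zones in this commit at least carry a `v=spf1 include:…` record, so something like `@ IN TXT "v=spf1 mx -all"` would be consistent — what the 91.216.107.37 mailer actually needs is not visible from the zone, so confirm before tightening to `-all`. The SOA RNAME `contact.dahus.net.` differs from every other zone's `contact.jean-cloud.org.`; if that is not deliberate it is the mailbox that will receive DNS operational notices for this domain. `ns2`–`ns5.he.net` are listed as NS while `named.conf.options` in the same commit sets `allow-transfer { none; }`; I raise that on the options file.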
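Review bot: The two trailing CAA records use an owner name without a terminating dot, `www.wordpress.collectif-arthadie.fr IN CAA …`, so BIND appends the origin and actually publishes them at `www.wordpress.collectif-arthadie.fr.collectif-arthadie.fr.`; the apex records a few lines up do have the dot. Because CAA is evaluated by climbing to the parent, the apex `issue "letsencrypt.org"` still covers the host, so the fix is either to delete the two lines or to write them `www.wordpress IN CAA 0 issue "letsencrypt.org"` / `www.wordpress IN CAA 0 issuewild ";"`. The SPF record ends in `?all` (neutral), which asks receivers to apply no policy at all; `~all` or `-all` is what makes the `include:_mailcust.gandi.net` authorisation meaningful — only if Gandi is the sole sender, which the zone suggests but cannot prove.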
diff --git a/provisioning/roles/jean-cloud-common/files/bind/db.compagnienouvelle.fr b/provisioning/roles/jean-cloud-common/files/bind/db.compagnienouvelle.fr
new file mode 100644
index 0000000..1462ebf
--- /dev/null
+++ b/provisioning/roles/jean-cloud-common/files/bind/db.compagnienouvelle.fr
@@ -0,0 +1,16 @@
+$TTL 604800
+@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
+ 2023042100 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 7200 ) ; Negative Cache TTL (min before refresh)
+
+@ IN NS ns1.jean-cloud.net.
+@ IN NS ns2.he.net.
+@ IN NS ns3.he.net.
+@ IN NS ns4.he.net.
+@ IN NS ns5.he.net.
+
+@ IN A 172.104.154.21
+@ IN AAAA 2a01:7e01::f03c:92ff:fecf:e815
diff --git a/provisioning/roles/jean-cloud-common/files/bind/db.gypsylyonfestival.com b/provisioning/roles/jean-cloud-common/files/bind/db.gypsylyonfestival.com
new file mode 100644
index 0000000..a7c86a2
--- /dev/null
+++ b/provisioning/roles/jean-cloud-common/files/bind/db.gypsylyonfestival.com
@@ -0,0 +1,30 @@
+$TTL 604800
+@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
+ 2023020400 ; Serial
+ 7200 ; Refresh
+ 7200 ; Retry
+ 2419200 ; Expire
+ 7200 ) ; Negative Cache TTL
+
+; NS
+@ IN NS ns1.jean-cloud.net.
+@ IN NS ns2.jean-cloud.net.
+@ IN NS ns1.he.net.
+@ IN NS ns2.he.net.
+@ IN NS ns3.he.net.
+@ IN NS ns4.he.net.
+@ IN NS ns5.he.net.
+
+@ IN A 51.195.40.128
+@ IN AAAA 2001:41d0:701:1100::31f
+
+
+
+; Resolving nameserver
+ns1 IN A 51.255.33.248
+ns2 IN A 172.104.154.21
+
+tetede IN A 51.255.33.248
+tetede IN AAAA 2001:41d0:701:1100::31f
+
+
diff --git a/provisioning/roles/jean-cloud-common/files/bind/db.hid b/provisioning/roles/jean-cloud-common/files/bind/db.hid
new file mode 100644
index 0000000..ae7cbf8
--- /dev/null
+++ b/provisioning/roles/jean-cloud-common/files/bind/db.hid
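Review bot: `tetede IN A 51.255.33.248` disagrees with `db.jean-cloud.net` in this same commit, where `tetede` is `51.195.40.128` (the apex of this zone) and `51.255.33.248` is `vandamme`; the AAAA on the next line matches jean-cloud.net's `tetede`, which makes the A look like a copy error rather than a deliberate split. If it is an error, IPv4 clients of `tetede.gypsylyonfestival.com` land on the wrong host and its proxy, and get whatever vhost and certificate that host serves by default. Either `tetede IN A 51.195.40.128` or, simpler and harder to desynchronise, `tetede IN CNAME tetede.jean-cloud.net.`.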
@@ -0,0 +1,19 @@
+$TTL 604800
+@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
+ 2023040300 ; Serial
+ 7200 ; Refresh
+ 7200 ; Retry
+ 2419200 ; Expire
+ 7200 ) ; Negative Cache TTL
+
+; NS
+@ IN NS ns1.jean-cloud.net.
+@ IN NS ns2.jean-cloud.net.
+
+
+; Resolving nameserver
+ns1 IN A 51.255.33.248
+ns2 IN A 172.104.154.21
+
+radiodemo IN CNAME montbonnot.jean-cloud.net
+
diff --git a/provisioning/roles/jean-cloud-common/files/bind/db.inurbe.fr b/provisioning/roles/jean-cloud-common/files/bind/db.inurbe.fr
new file mode 100644
index 0000000..35317e7
--- /dev/null
+++ b/provisioning/roles/jean-cloud-common/files/bind/db.inurbe.fr
@@ -0,0 +1,15 @@
+$TTL 604800
+@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
+ 2023042100 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 7200 ) ; Negative Cache TTL (min before refresh)
+
+@ IN NS ns1.jean-cloud.net.
+@ IN NS ns2.he.net.
+@ IN NS ns3.he.net.
+@ IN NS ns4.he.net.
+@ IN NS ns5.he.net.
+
+@ IN A 51.255.33.248
diff --git a/provisioning/roles/jean-cloud-common/files/bind/db.jean-cloud.net b/provisioning/roles/jean-cloud-common/files/bind/db.jean-cloud.net
new file mode 100644
index 0000000..270ace7
--- /dev/null
+++ b/provisioning/roles/jean-cloud-common/files/bind/db.jean-cloud.net
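Review bot: `radiodemo IN CNAME montbonnot.jean-cloud.net` lacks the terminating dot, so the target is taken relative to the origin and the record points at `montbonnot.jean-cloud.net.hid.`, which does not exist; every other cross-zone CNAME in this commit ends in a dot, so this is the only broken one: `radiodemo IN CNAME montbonnot.jean-cloud.net.`. Note also that `hid` is not a delegated TLD, so these records are reachable only from resolvers explicitly pointed at ns1/ns2 for that name; a one-line comment at the top of the file saying which resolvers are expected to use it would save the next reader a detour.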
@@ -0,0 +1,148 @@
+$TTL 604800
+@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
+ 2023042100 ; Serial
+ 7200 ; Refresh
+ 7200 ; Retry
+ 2419200 ; Expire
+ 7200 ) ; Negative Cache TTL
+
+; NS
+@ IN NS ns1.jean-cloud.net.
+@ IN NS ns2.jean-cloud.net.
+@ IN NS ns1.he.net.
+@ IN NS ns2.he.net.
+@ IN NS ns3.he.net.
+@ IN NS ns4.he.net.
+@ IN NS ns5.he.net.
+
+@ IN A 51.255.33.248
+
+@ 10800 IN MX 10 spool.mail.gandi.net.
+@ 10800 IN MX 50 fb.mail.gandi.net.
+@ 10800 IN TXT "v=spf1 include:_mailcust.gandi.net ?all"
+
+
+; Resolving nameserver
+ns1 IN A 51.255.33.248
+ns2 IN A 172.104.154.21
+
+;mail IN CNAME vandamme
+webmail IN CNAME vandamme
+vimbadmin IN CNAME vandamme
+
+www IN CNAME vandamme
+
+; Naming nodes
+vandamme IN A 51.255.33.248
+
+local-adrian IN A 193.33.56.94
+
+francois IN A 54.38.189.153
+
+nougaro IN A 172.104.154.21
+nougaro IN AAAA 2a01:7e01::f03c:92ff:fecf:e815
+
+tetede IN AAAA 2001:41d0:701:1100::31f
+tetede IN A 51.195.40.128
+
+carcasse IN A 109.18.84.200
+carcasse IN AAAA 2a02:8434:1633:df01:adf9:74c3:b444:262f
+
+gigi IN A 51.77.156.235
+gigi IN AAAA 2001:41d0:305:2100::10e1
+
+max IN A 82.65.204.254
+max IN AAAA 2a01:e0a:c9d:81d0:a2b3:ccff:fe85:af97
+
+montbonnot IN A 188.114.97.2
+montbonnot IN A 188.114.96.2
+montbonnot IN AAAA 2a06:98c1:3120::2
+montbonnot IN AAAA 2a06:98c1:3121::2
+
+
+; Carcasse
+dumbcluster IN A 109.18.84.200
+dumbcluster IN AAAA 2a02:8434:1633:df01:226:2dff:fe11:56af
+; Tetede
+dumbcluster IN A 51.195.40.128
+dumbcluster IN AAAA 2001:41d0:701:1100::31f
+
+; services
+team IN CNAME tetede
+
+nuage IN CNAME vandamme
+www.nuage IN CNAME vandamme
+calc.nuage IN CNAME vandamme
+pad.nuage IN CNAME vandamme
+
+feteducourt IN CNAME vandamme
+www.feteducourt IN CNAME vandamme
+feteducourt2020 IN CNAME vandamme
+www.feteducourt2020 IN CNAME vandamme
+
+git IN CNAME vandamme
+www.git IN CNAME vandamme
+
+wiki-cgr IN CNAME vandamme
+www.wiki-cgr IN CNAME vandamme
+parsoid-wiki-cgr IN CNAME vandamme
+www.parsoid-wiki-cgr IN 
CNAME vandamme
+
+cousinades IN CNAME vandamme
+www.cousinades IN CNAME vandamme
+
+cousinadesi2 IN CNAME vandamme
+www.cousinades2 IN CNAME vandamme
+
+velov IN CNAME vandamme
+www.velov IN CNAME vandamme
+
+registry IN CNAME vandamme
+www.registry IN CNAME vandamme
+
+inurbe IN CNAME vandamme
+www.inurbe IN CNAME vandamme
+
+gmx-webmail IN CNAME vandamme
+www.gmx-webmail IN CNAME vandamme
+
+rpnow IN CNAME vandamme
+www.rpnow IN CNAME vandamme
+test.rpnow IN CNAME vandamme
+www.test.rpnow IN CNAME vandamme
+
+lalis IN CNAME vandamme
+www.lalis IN CNAME vandamme
+
+metamorphose IN CNAME vandamme
+www.metamorphose IN CNAME vandamme
+
+static IN CNAME vandamme
+www.static IN CNAME vandamme
+
+;educloud IN CNAME tetede
+;www.educloud IN CNAME tetede
+;educloud2 IN CNAME tetede
+;www.educloud2 IN CNAME tetede
+
+copaines IN CNAME tetede
+www.copaines IN CNAME tetede
+wordpress.copaines IN CNAME tetede
+www.wordpress.copaines IN CNAME tetede
+
+feministesucl34 IN CNAME tetede
+www.feministesucl34 IN CNAME tetede
+wordpress.feministesucl34 IN CNAME tetede
+www.wordpress.feministesucl34 IN CNAME tetede
+
+tracker IN CNAME tetede
+
+raplacgr IN CNAME tetede
+
+walou IN CNAME dumbcluster
+
+nc-backup IN CNAME tetede
+
+gypsy IN CNAME tetede
+
+shlago.wireguard.jean-cloud.net IN CNAME teted
diff --git a/provisioning/roles/jean-cloud-common/files/bind/db.jean-cloud.org b/provisioning/roles/jean-cloud-common/files/bind/db.jean-cloud.org
new file mode 100644
index 0000000..045c973
--- /dev/null
+++ b/provisioning/roles/jean-cloud-common/files/bind/db.jean-cloud.org
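Review bot: The last record, `shlago.wireguard.jean-cloud.net IN CNAME teted`, is wrong twice: the owner has no terminating dot, so it is published as `shlago.wireguard.jean-cloud.net.jean-cloud.net.`, and the target `teted` is a typo for `tetede` that resolves to a non-existent `teted.jean-cloud.net.`; write it `shlago.wireguard IN CNAME tetede`. `cousinadesi2 IN CNAME vandamme` next to `www.cousinades2` looks like the same kind of slip and leaves `cousinades2` unresolvable. `local-adrian IN A 193.33.56.94` publishes what its name suggests is a personal endpoint in a public zone that a wildcard-free enumeration of this file now reveals; if it is needed only for the wireguard/VPN use this file hints at, a private zone such as the `hid` one in this commit would be a better home. This hunk started on the previous line.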
@@ -0,0 +1,20 @@
+$TTL 604800
+@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
+ 2021060600 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+
+@ IN NS ns1.jean-cloud.net.
+@ IN NS ns2.jean-cloud.net.
+
+
+@ IN A 51.255.33.248
+
+@ 10800 IN MX 10 spool.mail.gandi.net.
+@ 10800 IN MX 50 fb.mail.gandi.net.
+@ 10800 IN TXT "v=spf1 include:_mailcust.gandi.net ?all"
+
+ns1 IN A 51.255.33.248
+
diff --git a/provisioning/roles/jean-cloud-common/files/bind/db.karnaval.fr b/provisioning/roles/jean-cloud-common/files/bind/db.karnaval.fr
new file mode 100644
index 0000000..a620992
--- /dev/null
+++ b/provisioning/roles/jean-cloud-common/files/bind/db.karnaval.fr
@@ -0,0 +1,27 @@
+$TTL 604800
+@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
+ 2023020700 ; Serial
+ 7200 ; Refresh
+ 7200 ; Retry
+ 2419200 ; Expire
+ 7200 ) ; Negative Cache TTL
+
+; NS
+@ IN NS ns1.jean-cloud.net.
+@ IN NS ns2.jean-cloud.net.
+@ IN NS ns1.he.net.
+@ IN NS ns2.he.net.
+@ IN NS ns3.he.net.
+@ IN NS ns4.he.net.
+@ IN NS ns5.he.net.
+
+@ IN A 51.178.80.171
+
+
+; Resolving nameserver
+ns1 IN A 51.255.33.248
+ns2 IN A 172.104.154.21
+
+benevoles IN A 51.178.80.171
+benevoles31 IN A 51.178.80.171
+
diff --git a/provisioning/roles/jean-cloud-common/files/bind/db.lalis.fr b/provisioning/roles/jean-cloud-common/files/bind/db.lalis.fr
new file mode 100644
index 0000000..35317e7
--- /dev/null
+++ b/provisioning/roles/jean-cloud-common/files/bind/db.lalis.fr
@@ -0,0 +1,15 @@
+$TTL 604800
+@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
+ 2023042100 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 7200 ) ; Negative Cache TTL (min before refresh)
+
+@ IN NS ns1.jean-cloud.net.
+@ IN NS ns2.he.net.
+@ IN NS ns3.he.net.
+@ IN NS ns4.he.net.
+@ IN NS ns5.he.net.
+
+@ IN A 51.255.33.248
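Review bot: The SOA's negative-cache TTL is `604800` (one week) where every other zone in this commit uses `7200`, so a name added to this zone after a resolver has cached its NXDOMAIN stays unreachable from that resolver for up to a week; `7200 ) ; Negative Cache TTL` matches the siblings. The `ns1 IN A 51.255.33.248` line is harmless but unnecessary (ns1 lives in jean-cloud.net), and there is no matching `ns2` line; either drop it or add both for symmetry. This zone is also the RNAME domain (`contact.jean-cloud.org.`) for all the other zones and is served only by ns1/ns2, without the he.net secondaries the others list — if both jean-cloud.net servers are down the contact mailbox for every zone is unresolvable, which may be acceptable but is worth a comment.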
diff --git a/provisioning/roles/jean-cloud-common/files/bind/db.leida.fr b/provisioning/roles/jean-cloud-common/files/bind/db.leida.fr
new file mode 100644
index 0000000..35317e7
--- /dev/null
+++ b/provisioning/roles/jean-cloud-common/files/bind/db.leida.fr
@@ -0,0 +1,15 @@
+$TTL 604800
+@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
+ 2023042100 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 7200 ) ; Negative Cache TTL (min before refresh)
+
+@ IN NS ns1.jean-cloud.net.
+@ IN NS ns2.he.net.
+@ IN NS ns3.he.net.
+@ IN NS ns4.he.net.
+@ IN NS ns5.he.net.
+
+@ IN A 51.255.33.248
diff --git a/provisioning/roles/jean-cloud-common/files/bind/db.metamorphosemagazine.fr b/provisioning/roles/jean-cloud-common/files/bind/db.metamorphosemagazine.fr
new file mode 100644
index 0000000..35317e7
--- /dev/null
+++ b/provisioning/roles/jean-cloud-common/files/bind/db.metamorphosemagazine.fr
@@ -0,0 +1,15 @@
+$TTL 604800
+@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
+ 2023042100 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 7200 ) ; Negative Cache TTL (min before refresh)
+
+@ IN NS ns1.jean-cloud.net.
+@ IN NS ns2.he.net.
+@ IN NS ns3.he.net.
+@ IN NS ns4.he.net.
+@ IN NS ns5.he.net.
+
+@ IN A 51.255.33.248
diff --git a/provisioning/roles/jean-cloud-common/files/bind/db.oma-radio.fr b/provisioning/roles/jean-cloud-common/files/bind/db.oma-radio.fr
new file mode 100644
index 0000000..ada3e54
--- /dev/null
+++ b/provisioning/roles/jean-cloud-common/files/bind/db.oma-radio.fr
@@ -0,0 +1,58 @@
+$TTL 604800
+@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. (
+ 2023042200 ; Serial
+ 604800 ; Refresh
+ 7200 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+
+@ IN NS ns1.jean-cloud.net.
+@ IN NS ns5.he.net.
+@ IN NS ns4.he.net.
+@ IN NS ns3.he.net.
+@ IN NS ns2.he.net.
+
+@ IN A 51.255.33.248
+
+@ IN MX 1 mx1.mail.ovh.net.
+@ IN MX 5 mx2.mail.ovh.net.
+@ IN MX 10 mx3.mail.ovh.net.
+
+www IN CNAME vandamme.jean-cloud.net.
+
+www.registry IN CNAME nougaro.jean-cloud.net.
+registry IN CNAME nougaro.jean-cloud.net.
+services IN CNAME nougaro.jean-cloud.net.
+
+radionimaitre IN CNAME tetede.jean-cloud.net.
+www.radionimaitre IN CNAME tetede.jean-cloud.net.
+paj IN CNAME nougaro.jean-cloud.net.
+www.paj IN CNAME nougaro.jean-cloud.net.
+radiodemo IN CNAME tetede.jean-cloud.net.
+radiodemo-back IN CNAME montbonnot.jean-cloud.net.
+
+
+_autodiscover._tcp IN SRV 0 0 443 mailconfig.ovh.net.
+_imaps._tcp IN SRV 0 0 993 ssl0.ovh.net.
+_submission._tcp IN SRV 0 0 465 ssl0.ovh.net.
+;autoconfig IN SRV mailconfig.ovh.net.
+imap IN CNAME ssl0.ovh.net.
+smtp IN CNAME ssl0.ovh.net.
+mail IN CNAME ssl0.ovh.net.
+pop3 IN CNAME ssl0.ovh.net.
+
+stream.paj.ports IN TXT 9002
+control.paj.ports IN TXT 9492
+
+pa1.studios IN CNAME carcasse.jean-cloud.net.
+montpellier1.studios IN CNAME tetede.jean-cloud.net.
+
+npm IN CNAME vandamme.jean-cloud.net.
+www.npm IN CNAME vandamme.jean-cloud.net.
+
+static IN CNAME vandamme.jean-cloud.net.
+www.static IN CNAME vandamme.jean-cloud.net.
+
+discordbot IN CNAME vandamme.jean-cloud.net.
+www.discordbot IN CNAME vandamme.jean-cloud.net.
+
diff --git a/provisioning/roles/jean-cloud-common/files/bind/named.conf.local b/provisioning/roles/jean-cloud-common/files/bind/named.conf.local
new file mode 100644
index 0000000..b4bcb9d
--- /dev/null
+++ b/provisioning/roles/jean-cloud-common/files/bind/named.conf.local
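Review bot: The zone routes inbound mail to OVH (three MX plus the `_imaps`/`_submission`/`_autodiscover` SRV records) but publishes no SPF `TXT` and no `_dmarc` record, so mail claiming to be from `@oma-radio.fr` cannot be distinguished from spoofed mail by any receiver; add the SPF value OVH documents for its hosted mail (I will not guess it here) at `@ IN TXT "v=spf1 … -all"` and a `_dmarc IN TXT "v=DMARC1; p=…"` once it is verified. `registry.oma-radio.fr` is a CNAME to `nougaro`, and `services_nougaro.yml` in this commit logs into it over `http://`; I raise that there. The negative-cache TTL `604800` is a week, against `7200` in most sibling zones, and the NS records are listed in reverse order (ns5 … ns2), which is harmless but odd.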
@@ -0,0 +1,78 @@
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+
+
+
+zone "oma-radio.fr"{
+ allow-update { none; }; # We are primary DNS
+ type master;
+ file "/etc/bind/db.oma-radio.fr";
+};
+zone "jean-cloud.net"{
+ allow-update { none; }; # We are primary DNS
+ type master;
+ file "/etc/bind/db.jean-cloud.net";
+};
+zone "jean-cloud.org"{
+ allow-update { none; }; # We are primary DNS
+ type master;
+ file "/etc/bind/db.jean-cloud.org";
+};
+zone "karnaval.fr"{
+ allow-update { none; }; # We are primary DNS
+ type master;
+ file "/etc/bind/db.karnaval.fr";
+};
+zone "amaglio.fr"{
+ allow-update { none; }; # We are primary DNS
+ type master;
+ file "/etc/bind/db.amaglio.fr";
+};
+zone "collectif-arthadie.fr"{
+ allow-update { none; }; # We are primary DNS
+ type master;
+ file "/etc/bind/db.collectif-arthadie.fr";
+};
+zone "gypsylyonfestival.com"{
+ allow-update { none; }; # We are primary DNS
+ type master;
+ file "/etc/bind/db.gypsylyonfestival.com";
+};
+zone "hid"{
+ allow-update { none; }; # We are primary DNS
+ type master;
+ file "/etc/bind/db.hid";
+};
+zone "compagnienouvelle.fr"{
+ allow-update { none; }; # We are primary DNS
+ type master;
+ file "/etc/bind/db.compagnienouvelle.fr";
+};
+zone "inurbe.fr"{
+ allow-update { none; }; # We are primary DNS
+ type master;
+ file "/etc/bind/db.inurbe.fr";
+};
+zone "lalis.fr"{
+ allow-update { none; }; # We are primary DNS
+ type master;
+ file "/etc/bind/db.lalis.fr";
+};
+zone "leida.fr"{
+ allow-update { none; }; # We are primary DNS
+ type master;
+ file "/etc/bind/db.leida.fr";
+};
+zone "metamorphosemagazine.fr"{
+ allow-update { none; }; # We are primary DNS
+ type master;
+ file "/etc/bind/db.metamorphosemagazine.fr";
+};
+
+
+
diff --git a/provisioning/roles/jean-cloud-common/files/bind/named.conf.options b/provisioning/roles/jean-cloud-common/files/bind/named.conf.options
new file mode 100644
index 0000000..19db25e
--- /dev/null
+++ b/provisioning/roles/jean-cloud-common/files/bind/named.conf.options
@@ -0,0 +1,18 @@
+options {
+ directory "/var/cache/bind";
+ dnssec-validation auto;
+
+ auth-nxdomain no; # conform to RFC1035
+ listen-on { any; };
+ listen-on-v6 { any; };
+ allow-update { none; };
+ allow-recursion { none; };
+ allow-recursion-on { none; };
+ recursion no;
+ notify yes;
+ allow-transfer {
+ none;
+ #216.218.133.2; 2001:470:600::2; //he.net
+ #172.104.154.21; 2a01:7e01::f03c:92ff:fecf:e815; // nougaro
+ };
+};
diff --git a/provisioning/roles/jean-cloud-common/tasks/main.yml b/provisioning/roles/jean-cloud-common/tasks/main.yml
new file mode 100644
index 0000000..8f08f4b
--- /dev/null
+++ b/provisioning/roles/jean-cloud-common/tasks/main.yml
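Review bot: `allow-transfer { none; }` blocks AXFR from every host, yet every zone in this commit delegates to `ns2.jean-cloud.net` and/or `ns1`–`ns5.he.net` and `notify yes` will tell them a new serial exists; a secondary that cannot transfer either serves a stale copy or, if it never loaded the zone, answers SERVFAIL, so resolvers that pick it see a lame delegation. Unless the secondaries are fed by some other channel (the `nsslave.jean-cloud.net` service deployed on nougaro in this commit may be one — I cannot tell from here), the two commented addresses should be re-enabled, `216.218.133.2; 2001:470:600::2;` for he.net and `172.104.154.21; 2a01:7e01::f03c:92ff:fecf:e815;` for nougaro, ideally gated by a TSIG `key` rather than IP alone. The rest of the file is sound for an authoritative-only server: `recursion no` with both `allow-recursion` lists empty closes the open-resolver hole, and `dnssec-validation auto` is simply a no-op without recursion.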
@@ -0,0 +1,60 @@ +--- +# tasks file for jean-cloud-common + +- name: Set hostname + ansible.builtin.hostname: + name: "{{inventory_hostname}}" + when: inventory_hostname is defined + +- name: Set hostname IP + ansible.builtin.lineinfile: + path: /etc/hosts + line: "{{item}}" + with_items: + - "172.0.0.1 {{inventory_hostname}}" + - "::1 {{inventory_hostname}}" + +- name: Show last changed password for security + copy: + dest: /etc/profile.d/user_last_passwd.sh + owner: root + group: root + mode: '0644' + content: | + #!/bin/bash + RED='\033[0;31m' + NC='\033[0m' # No Color + echo -e "Password last changed on $RED$(passwd -S $USER | cut -d ' ' -f 3)$NC" + + +- name: Install some softwares + apt: + name: ['bind9', 'certbot', 'dnsutils', 'git', 'gnupg2', 'htop', 'netcat-openbsd', 'nginx', 'rsync', 'sshfs', 'vim', 'zip'] + state: latest + +- name: create needed dirs + ansible.builtin.file: + path: "{{item}}" + state: directory + with_items: + - /docker + - /data + - /etc/letsencrypt + +- name: Install docker-compose bash autocompletion + get_url: + url: https://raw.githubusercontent.com/docker/compose/1.29.2/contrib/completion/bash/docker-compose + dest: /etc/bash_completion.d/docker-compose + mode: '0705' + owner: 'root' + +- name: Add letsencrypt crontab + ansible.builtin.lineinfile: + path: /etc/crontab + line: '26 03 * * * root letsencrypt.sh' + +#TODO add this to /etc/docker/daemon.json +#{ +# "iptables": false +#} + diff --git a/provisioning/roles/ordiportables/.travis.yml b/provisioning/roles/ordiportables/.travis.yml new file mode 100644 index 0000000..36bbf62 --- /dev/null +++ b/provisioning/roles/ordiportables/.travis.yml 
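Review bot: The "Set hostname IP" task writes `172.0.0.1 {{inventory_hostname}}` to `/etc/hosts`; that is not a loopback address (and 172.0.0.0/8 is not even RFC 1918 space — only 172.16/12 is), so anything that binds or connects by hostname will be steered at a routable address owned by a third party, and the `::1` line beside it makes the intent clear: `- "127.0.0.1 {{inventory_hostname}}"`. The docker-compose completion is fetched from `raw.githubusercontent.com` with no `checksum:` and installed into `/etc/bash_completion.d` with mode `0705`, where root's shell will source it; pin `checksum: sha256:<digest of the 1.29.2 file>` and use `mode: '0644'`, or ship the file with the role. The cron line `26 03 * * * root letsencrypt.sh` relies on cron's minimal PATH finding the script; the install location is not in this hunk, so use the absolute path once it is known.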
@@ -0,0 +1,29 @@ +--- +language: python +python: "2.7" + +# Use the new container infrastructure +sudo: false + +# Install ansible +addons: + apt: + packages: + - python-pip + +install: + # Install ansible + - pip install ansible + + # Check ansible version + - ansible --version + + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + +script: + # Basic role syntax check + - ansible-playbook tests/test.yml -i tests/inventory --syntax-check + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file diff --git a/provisioning/roles/ordiportables/tasks/main.yml b/provisioning/roles/ordiportables/tasks/main.yml new file mode 100644 index 0000000..1022236 --- /dev/null +++ b/provisioning/roles/ordiportables/tasks/main.yml @@ -0,0 +1,7 @@ +--- +# tasks file for ordiportables + +- name: Prevent suspend on lid close + ansible.builtin.lineinfile: + path: /etc/systemd/logind.conf + line: HandleLidSwitch=ignore diff --git a/provisioning/services.yml b/provisioning/services.yml new file mode 100755 index 0000000..12202b5 --- /dev/null +++ b/provisioning/services.yml @@ -0,0 +1,11 @@ +# TODO ansible secrets +# Oma-Radio host + +- name: Deploy specific services + hosts: servers + become: yes + gather_facts: no + roles: + - deploy_all + + diff --git a/provisioning/services_nougaro.yml b/provisioning/services_nougaro.yml new file mode 100755 index 0000000..88d342b --- /dev/null +++ b/provisioning/services_nougaro.yml 
@@ -0,0 +1,64 @@ +# TODO ansible secrets +# Oma-Radio host + +- name: Deploy specific services + hosts: nougaro.jean-cloud.net + become: no + roles: + #- role: docker-network-setup + + # The proxy docker stack must be the first to be deployed + - role: prepare-nginx + + - role: deploy + service_name: proxy + state: started + monitored: false + + - role: deploy + service_name: nsslave.jean-cloud.net + state: started + monitored: false + + - role: deploy + service_name: registry.oma-radio.fr + state: started + + - role: deploy + service_name: wordpress.inurbe.fr + state: started + + - role: deploy + service_name: compagnienouvelle.fr + state: started + + - role: deploy + service_name: icecast.oma-radio.fr + state: started + monitored: false + remote_docker_login_user: oma + remote_docker_login_pass: KkK8Aavmm4cN6nBM + remote_docker_login_registry: http://registry.oma-radio.fr + + - role: deploy + service_name: soundbase.oma-radio.fr + state: started + monitored: false + + - role: deploy + service_name: paj.oma-radio.fr + state: started + monitored: false + remote_docker_login_user: oma + remote_docker_login_pass: KkK8Aavmm4cN6nBM + remote_docker_login_registry: http://registry.oma-radio.fr + + #- role: deploy + # service_name: radionimaitre.oma-radio.fr + # state: started + # monitored: false + # remote_docker_login_user: oma + # remote_docker_login_pass: KkK8Aavmm4cN6nBM + # remote_docker_login_registry: http://registry.oma-radio.fr + + - role: restart-nginx diff --git a/provisioning/services_vandamme.yml b/provisioning/services_vandamme.yml new file mode 100755 index 0000000..5182fb6 --- /dev/null +++ b/provisioning/services_vandamme.yml 
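Review bot: `remote_docker_login_pass: KkK8Aavmm4cN6nBM` is a registry credential committed in clear text (twice in this file, and the jean-cloud one appears three times in services_vandamme.yml); once in git history it has to be treated as compromised and rotated, and the replacement belongs in an ansible-vault-encrypted variable or an external lookup rather than the playbook, as the `# TODO ansible secrets` comment already hints. `remote_docker_login_registry: http://registry.oma-radio.fr` additionally sends that login over plain HTTP; the registry should be addressed as `https://registry.oma-radio.fr`, since the proxy in this commit already terminates TLS for the other services. Whether the `deploy` role passes the password to `docker login` on the command line is not visible here; if it does, the secret also lands in shell history and process listings.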
@@ -0,0 +1,132 @@ +# The host have: +# - /data -> every data +# - /docker -> deployed docker-compose files + +- name: Deploy specific services + hosts: vandamme.jean-cloud.net + become: yes + roles: + #- role: docker-network-setup + + # The proxy docker stack must be the first to be deployed + - role: prepare-nginx + + - role: deploy + service_name: proxy + state: started + monitored: false + + - role: deploy + service_name: meta-morpho.se + state: started + + - role: deploy + service_name: mailer.jean-cloud.net + state: started + remote_docker_login_user: jean-cloud + remote_docker_login_pass: KaJefxXiNr327EfG4suYD2PM4tYF5Jy8AhMYntfdjVhX + monitored: false + + - role: deploy + service_name: static.jean-cloud.net + state: started + + + - role: deploy + service_name: ssh + state: started + monitored: false + + #- role: deploy + # service_name: myrrdel.jean-cloud.net + # state: started + + - role: deploy + service_name: collectif-arthadie.fr + state: started + + #- role: deploy + # service_name: karna.jean-cloud.net + # state: started + + - role: deploy + service_name: oma-radio.fr + state: started + + - role: deploy + service_name: rpnow.jean-cloud.net + state: started + + - role: deploy + service_name: ns.jean-cloud.org + state: started + monitored: false + + - role: deploy + service_name: gmx-webmail.jean-cloud.net + state: started + + - role: deploy + service_name: registry.jean-cloud.net + state: started + + - role: deploy + service_name: inurbe.fr + state: started + + - role: deploy + service_name: feteducourt.jean-cloud.net + state: started + remote_docker_login_user: jean-cloud + remote_docker_login_pass: KaJefxXiNr327EfG4suYD2PM4tYF5Jy8AhMYntfdjVhX + + - role: deploy + service_name: feteducourt2020.jean-cloud.net + state: started + remote_docker_login_user: jean-cloud + remote_docker_login_pass: KaJefxXiNr327EfG4suYD2PM4tYF5Jy8AhMYntfdjVhX + + - role: deploy + service_name: leida.fr + state: started + + - role: deploy + service_name: lalis.fr + state: 
started + + - role: deploy + service_name: amaglio.fr + state: started + + - role: deploy + service_name: velov.jean-cloud.net + state: started + + - role: deploy + service_name: cousinades.jean-cloud.net + state: started + monitored: false # web cant pass basic auth yet + + - role: deploy + service_name: cousinades2.jean-cloud.net + state: started + monitored: false # web cant pass basic auth yet + + + - role: deploy + service_name: nuage.jean-cloud.net + state: started + + - role: deploy + service_name: git.jean-cloud.net + state: started + + - role: deploy + service_name: wiki-cgr.jean-cloud.net + state: started + + - role: deploy + service_name: jean-cloud.net + state: started + + - role: restart-nginx diff --git a/services/_proxy/nginx.conf b/services/_proxy/nginx.conf new file mode 100755 index 0000000..49affb5 --- /dev/null +++ b/services/_proxy/nginx.conf 
@@ -0,0 +1,87 @@ +user www-data; +worker_processes auto; +pid /run/nginx.pid; +include /etc/nginx/modules-enabled/*.conf; + +events { + worker_connections 768; + # multi_accept on; +} + +http { + + ## + # Basic Settings + ## + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + # server_tokens off; + + server_names_hash_bucket_size 128; + # server_name_in_redirect off; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + ## + # SSL Settings + ## + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE + ssl_prefer_server_ciphers on; + + ## + # Logging Settings + ## + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + log_format compression '$remote_addr - $remote_user [$time_local] ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" "$gzip_ratio"'; + + ## + # Gzip Settings + ## + + gzip on; + gzip_disable "msie6"; + + # gzip_vary on; + # gzip_proxied any; + # gzip_comp_level 6; + # gzip_buffers 16 8k; + # gzip_http_version 1.1; + # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; + + # Maintenance + #error_page 503 https://jean-cloud.net/503; + + # limit requests + limit_req_status 429; + limit_req_zone $binary_remote_addr zone=defaultlimit:10m rate=30r/s; + limit_req zone=defaultlimit burst=100 nodelay; + limit_conn_zone $request_uri zone=defaultconumber:10m; + limit_conn defaultconumber 20; + + ## + # Virtual Host Configs + ## + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; +server{ + listen 80 default_server; + listen [::]:80 default_server; + location '/.well-known/acme-challenge' { + root /var/www/letsencrypt; + default_type "text/plain"; + try_files $uri $uri/ =404; + } + + location / { + return 301 https://$host$request_uri; + } +} + +} 
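Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in the http block leaves TLS 1.0 and 1.1 enabled for every vhost that does not override it, which is most of the per-service configs in this commit (only benevoles.karnaval.fr sets its own); change it to `ssl_protocols TLSv1.2 TLSv1.3;` so the global default matches the strictest site. `limit_conn_zone $request_uri zone=defaultconumber:10m;` keys the 20-connection cap on the URI rather than the client, so twenty concurrent visitors of one popular page are enough for everyone else to receive errors on it; the usual key is `$binary_remote_addr`. `# server_tokens off;` is still commented out, so the nginx version is advertised in response headers and error pages.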
diff --git a/services/_proxy/readme b/services/_proxy/readme new file mode 100755 index 0000000..ce6a810 --- /dev/null +++ b/services/_proxy/readme @@ -0,0 +1,13 @@ +resolver +Les adresse dns créées par docker à la volée lorsqu’un conteneur démarre ne sont pas forcemment toutes disponibles au lancement de nginx. +Or nginx n’effectue par défaut qu’une résolution d’adresse : au démarrage du service. +Pour avoir une résolution dynamique, il faut avoir une variable dans le nom de domaine et spécifier un résolveur: +``` +set $empty ''; +resolver 127.0.0.11 valid=30m; +fastcgi_pass files_jean-cloud_org$empty:9000; +``` +CETTE SOLUTION EST COÙTEUSE LORS DES REQUÊTES +Nous choisirons de conserver la configuration statique des noms et de tester qu’ils soient tous accessibles avant chaque redémarrage via la commande `nginx -t` + +UPDATE 2022 : on utilise des IP, comme ça pas de surprises :p diff --git a/services/_ssh/docker-compose.yml b/services/_ssh/docker-compose.yml new file mode 100644 index 0000000..e014065 --- /dev/null +++ b/services/_ssh/docker-compose.yml @@ -0,0 +1,15 @@ +version: '3' +services: + sshd: + image: atmoz/sftp + volumes: + - /data/ssh/ssh_host_ed25519_key:/etc/ssh/ssh_host_ed25519_key + - /data/ssh/ssh_host_rsa_key:/etc/ssh/ssh_host_rsa_key + - /data/leida.fr:/home/leida/sftp + - /data/lalis.fr:/home/lalis/sftp + - /data/oma-radio.fr:/home/oma/sftp + - /data/collectif-arthadie.fr/wordpress:/home/collectifarthadie/sftp + - /data/ssh/users.conf:/etc/sftp/users.conf:ro + ports: + - '2222:22' + diff --git a/services/amaglio.fr/docker-compose.yml b/services/amaglio.fr/docker-compose.yml new file mode 100755 index 0000000..b912364 --- /dev/null +++ b/services/amaglio.fr/docker-compose.yml 
@@ -0,0 +1,55 @@ +version: '3' +services: + roundcube: + image: roundcube/roundcubemail:1.4.x-apache + restart: "unless-stopped" + depends_on: + - db + volumes: + - /data/amaglio.fr/app/plugins/enigma/home:/var/www/html/plugins/enigma/home + - /data/amaglio.fr/app/config/config.inc.php:/var/www/html/config/config.inc.php + - /data/amaglio.fr/app/enigma_pgp_homedir:/data/enigma_pgp_homedir + env_file: /data/amaglio.fr/env + environment: + ROUNDCUBEMAIL_DB_TYPE: pgsql + ROUNDCUBEMAIL_DB_HOST: db + ROUNDCUBEMAIL_DB_USER: postgres + ROUNDCUBEMAIL_DB_NAME: postgres + ROUNDCUBEMAIL_UPLOAD_MAX_FILESIZE: 25M + + # imap server + ROUNDCUBEMAIL_DEFAULT_HOST: ssl://mail20.lwspanel.com + ROUNDCUBEMAIL_DEFAULT_PORT: 993 + ROUNDCUBEMAIL_SMTP_SERVER: tls://mail20.lwspanel.com + ROUNDCUBEMAIL_SMTP_PORT: 587 + ROUNDCUBEMAIL_PLUGINS: archive,zipdownload,enigma,attachment_reminder + networks: + default: + ipv4_address: 172.29.5.100 + deploy: + resources: + limits: + cpus: '0.50' + memory: 100M + + db: + # https://hub.docker.com/_/postgres?tab=description + image: postgres:9.6-alpine + restart: "unless-stopped" + env_file: /data/amaglio.fr/env + volumes: + - /data/amaglio.fr/db:/var/lib/postgresql/data + networks: + default: + ipv4_address: 172.29.5.101 + deploy: + resources: + limits: + cpus: '0.50' + memory: 100M +networks: + default: + ipam: + config: + - subnet: 172.29.5.0/24 + diff --git a/services/amaglio.fr/nginx_server.conf b/services/amaglio.fr/nginx_server.conf new file mode 100755 index 0000000..c57a55c --- /dev/null +++ b/services/amaglio.fr/nginx_server.conf 
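Review bot: roundcube is given `ROUNDCUBEMAIL_DB_USER: postgres`, the cluster superuser, so a compromise of the webmail application yields full control of the database container; create a dedicated role and point `ROUNDCUBEMAIL_DB_USER` / `ROUNDCUBEMAIL_DB_NAME` at it. `postgres:9.6-alpine` has been end-of-life since November 2021 and no longer receives security fixes. The `deploy.resources.limits` blocks are, as far as I recall, ignored by docker-compose v1 unless it runs with `--compatibility`, so the CPU and memory caps may not actually be enforced — worth confirming with `docker inspect` on the running containers.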
@@ -0,0 +1,40 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate /etc/letsencrypt/live/amaglio.fr/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/amaglio.fr/privkey.pem; + + server_name amaglio.fr www.amaglio.fr; +# root /data/amaglio.fr/app; +# + client_max_body_size 1024M; + charset utf-8; +# +# index index.php; +# +# location ~ ^/roundcube/(bin|SQL|config|temp|logs)/ { +# deny all; +# } +# +# location ~ /roundcube/\.(js|css|png|jpg|jpeg|gif|ico)$ { +# expires max; +# log_not_found off; +# } +# + location / { + proxy_pass http://172.29.5.100; + proxy_set_header Host $host; + + proxy_set_header X-Forwarded-For $remote_addr; + } +# +# location ~ \.php$ { +# fastcgi_split_path_info ^(.+\.php)(/.*)$; +# include fastcgi_params; +# fastcgi_param SCRIPT_FILENAME /var/www/html/$fastcgi_script_name; +# fastcgi_param PATH_INFO $fastcgi_path_info; +# fastcgi_pass amaglio.fr:9000; +# fastcgi_index index.php; +# } +} + diff --git a/services/benevoles.karnaval.fr/.env b/services/benevoles.karnaval.fr/.env new file mode 100644 index 0000000..b9712b8 --- /dev/null +++ b/services/benevoles.karnaval.fr/.env @@ -0,0 +1,2 @@ +DATA_DIR=/data/benevoles.karnaval.fr +JC_HOST=benevoles.karnaval.fr diff --git a/services/benevoles.karnaval.fr/docker-compose.yml b/services/benevoles.karnaval.fr/docker-compose.yml new file mode 100755 index 0000000..1a8b3c6 --- /dev/null +++ b/services/benevoles.karnaval.fr/docker-compose.yml 
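Review bot: `client_max_body_size 1024M;` lets 1 GiB request bodies reach roundcube, which the compose file caps at `ROUNDCUBEMAIL_UPLOAD_MAX_FILESIZE: 25M`; lower it to something close to that limit so oversized uploads are rejected at the edge instead of being buffered by nginx first. The proxy block forwards `Host` and `X-Forwarded-For` but not the scheme; unless roundcube is told elsewhere that it sits behind HTTPS, add `proxy_set_header X-Forwarded-Proto https;` as the other vhosts in this commit do. The large commented-out fastcgi block is dead configuration and could be dropped.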
@@ -0,0 +1,60 @@ +version: '3' +services: + app: + image: jeancloud/site-benevole:dev-karna + environment: + UID: 33 + MOUNT: / + volumes: + - /tmp/uwsgi/$JC_HOST:/tmp/uwsgi + - $DATA_DIR/assets:/usr/src/app/assets + - $DATA_DIR/media:/usr/src/app/media + - $DATA_DIR/local_settings.py:/usr/src/app/site_benevole/local_settings.py + restart: unless-stopped + networks: + default: + ipv4_address: 172.29.17.100 + + db: + image: postgres:9.6-alpine + env_file: $DATA_DIR/postgres.env + environment: + POSTGRES_USER: benevoles + POSTGRES_DB: benevoles + volumes: + - $DATA_DIR/db:/var/lib/postgresql/data + networks: + default: + ipv4_address: 172.29.17.101 + app2: + image: jeancloud/site-benevole:dev-karna-debian + environment: + UID: 33 + MOUNT: / + volumes: + - /tmp/uwsgi/app2/$JC_HOST:/tmp/uwsgi + - $DATA_DIR/app2/assets:/usr/src/app/assets + - $DATA_DIR/app2/media:/usr/src/app/media + - $DATA_DIR/app2/local_settings.py:/usr/src/app/site_benevole/local_settings.py + restart: unless-stopped + networks: + default: + ipv4_address: 172.29.17.110 + + db2: + image: postgres:9.6-alpine + env_file: $DATA_DIR/postgres.env + environment: + POSTGRES_USER: benevoles + POSTGRES_DB: benevoles + volumes: + - $DATA_DIR/db2:/var/lib/postgresql/data + networks: + default: + ipv4_address: 172.29.17.111 + +networks: + default: + ipam: + config: + - subnet: 172.29.17.0/24 diff --git a/services/benevoles.karnaval.fr/nginx_server.conf b/services/benevoles.karnaval.fr/nginx_server.conf new file mode 100755 index 0000000..5fb8762 --- /dev/null +++ b/services/benevoles.karnaval.fr/nginx_server.conf 
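Review bot: `db` and `db2` carry no `restart:` policy while `app` and `app2` have `restart: unless-stopped`, so after a host reboot the applications come back up without their databases; add `restart: unless-stopped` to both database services. `postgres:9.6-alpine` is also past end-of-life (November 2021) and should move to a supported major version.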
@@ -0,0 +1,110 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate /etc/letsencrypt/live/$JC_HOST/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/$JC_HOST/privkey.pem; + server_name $JC_HOST benevoles31.karnaval.fr; + + root /data/benevoles.karnaval.fr/assets; + + gzip on; + gzip_static on; + gzip_types application/javascript image/* text/css application/font-woff application/font-woff2; + gunzip on; + + ssl_session_tickets off; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_buffer_size 4k; + client_max_body_size 4M; + + location / { + include uwsgi_params; + uwsgi_pass unix:/tmp/uwsgi/benevoles.karnaval.fr/uwsgi.sock; + } + + location = /favicon.ico { + root /data/benevoles.karnaval.fr/assets/; + } + location = /favicon-admin.ico { + root /data/benevoles.karnaval.fr/assets/; + } + + location /assets/ { + alias /data/benevoles.karnaval.fr/assets/; + access_log off; + sendfile on; + tcp_nopush on; + sendfile_max_chunk 1m; + keepalive_timeout 65; + location ~* \.(jpg|jpeg|png|gif|ico|woff|woff2)$ { + access_log off; + expires 5d; + } + } + + location /media/ { + alias /data/benevoles.karnaval.fr/media/; + access_log off; + sendfile on; + tcp_nopush on; + sendfile_max_chunk 1m; + keepalive_timeout 65; + } + + +} +server { + listen 444 ssl http2; + listen [::]:444 ssl http2; + ssl_certificate /etc/letsencrypt/live/$JC_HOST/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/$JC_HOST/privkey.pem; + server_name $JC_HOST; + + root /data/benevoles.karnaval.fr/app2/assets; + + gzip on; + gzip_static on; + gzip_types application/javascript image/* text/css application/font-woff application/font-woff2; + gunzip on; + + ssl_session_tickets off; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_buffer_size 4k; + client_max_body_size 4M; + + location / { + include uwsgi_params; + uwsgi_pass unix:/tmp/uwsgi/app2/benevoles.karnaval.fr/app2/uwsgi.sock; + } + + location = /favicon.ico { + root /data/benevoles.karnaval.fr/app2/assets/; + } + location = 
/favicon-admin.ico { + root /data/benevoles.karnaval.fr/app2/assets/; + } + + location /assets/ { + alias /data/benevoles.karnaval.fr/app2/assets/; + access_log off; + sendfile on; + tcp_nopush on; + sendfile_max_chunk 1m; + keepalive_timeout 65; + location ~* \.(jpg|jpeg|png|gif|ico|woff|woff2)$ { + access_log off; + expires 5d; + } + } + + location /media/ { + alias /data/benevoles.karnaval.fr/app2/media/; + access_log off; + sendfile on; + tcp_nopush on; + sendfile_max_chunk 1m; + keepalive_timeout 65; + } + + +} diff --git a/services/collectif-arthadie.fr/docker-compose.yml b/services/collectif-arthadie.fr/docker-compose.yml new file mode 100644 index 0000000..cfcf1ad --- /dev/null +++ b/services/collectif-arthadie.fr/docker-compose.yml @@ -0,0 +1,49 @@ +version: '3.1' + +services: + + wp: + image: wordpress:5.3-apache + restart: unless-stopped + env_file: /data/collectif-arthadie.fr/env + environment: + WORDPRESS_DB_HOST: db + WORDPRESS_DB_USER: wpdbuser + WORDPRESS_DB_NAME: wpdb + volumes: + - /data/collectif-arthadie.fr/wordpress:/var/www/html + - /data/collectif-arthadie.fr/static:/var/www/html/static + networks: + default: + ipv4_address: 172.29.6.100 + deploy: + resources: + limits: + cpus: '0.50' + memory: 100M + + db: + image: mariadb:10.4 + restart: unless-stopped + env_file: /data/collectif-arthadie.fr/env + environment: + MYSQL_DATABASE: wpdb + MYSQL_USER: wpdbuser + MYSQL_RANDOM_ROOT_PASSWORD: 'yes' + volumes: + - /data/collectif-arthadie.fr/db:/var/lib/mysql + networks: + default: + ipv4_address: 172.29.6.101 + deploy: + resources: + limits: + cpus: '0.50' + memory: 100M + +networks: + default: + ipam: + config: + - subnet: 172.29.6.0/24 + diff --git a/services/collectif-arthadie.fr/nginx_server.conf b/services/collectif-arthadie.fr/nginx_server.conf new file mode 100755 index 0000000..1c47de4 --- /dev/null +++ b/services/collectif-arthadie.fr/nginx_server.conf 
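Review bot: The app2 vhost's `uwsgi_pass unix:/tmp/uwsgi/app2/benevoles.karnaval.fr/app2/uwsgi.sock;` has one more `app2` path segment than the compose mount `/tmp/uwsgi/app2/$JC_HOST:/tmp/uwsgi` produces: if the container writes `/tmp/uwsgi/uwsgi.sock`, as the first vhost's path suggests, the socket is at `/tmp/uwsgi/app2/benevoles.karnaval.fr/uwsgi.sock` and port 444 answers 502. `$JC_HOST` in `server_name` and `ssl_certificate` is not expanded by nginx itself, so this file presumably passes through the template step before deployment — confirm, since nginx would otherwise refuse the config. The two server blocks are near-duplicates; the shared TLS, gzip and asset directives could be factored into an included snippet so they cannot drift apart.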
@@ -0,0 +1,28 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate /etc/letsencrypt/live/collectif-arthadie.fr/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/collectif-arthadie.fr/privkey.pem; + server_name wordpress.collectif-arthadie.fr www.wordpress.collectif-arthadie.fr; + location / { + client_max_body_size 2G; + #proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto https; + proxy_pass http://172.29.6.100; + proxy_redirect off; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate /etc/letsencrypt/live/collectif-arthadie.fr/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/collectif-arthadie.fr/privkey.pem; + server_name collectif-arthadie.fr www.collectif-arthadie.fr; + + location / { + root /data/collectif-arthadie.fr/static; + try_files $uri $uri/ =404; + } +} diff --git a/services/compagnienouvelle.fr/.env b/services/compagnienouvelle.fr/.env new file mode 100644 index 0000000..10a3998 --- /dev/null +++ b/services/compagnienouvelle.fr/.env @@ -0,0 +1 @@ +DATA_DIR=/data/compagnienouvelle.fr diff --git a/services/compagnienouvelle.fr/docker-compose.yml b/services/compagnienouvelle.fr/docker-compose.yml new file mode 100644 index 0000000..3ee2d38 --- /dev/null +++ b/services/compagnienouvelle.fr/docker-compose.yml 
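Review bot: The `wordpress.collectif-arthadie.fr` vhost proxies WordPress with `#proxy_set_header X-Real-IP` commented out and no `X-Forwarded-For`, so the application only ever sees the proxy's own address and cannot tell clients apart for login throttling or audit logs; add `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` next to the existing `Host` header. Unlike compagnienouvelle.fr, this admin vhost has no `auth_basic` gate, so wp-login.php and xmlrpc.php are exposed with only WordPress's own protections — worth an explicit decision. The certificate is loaded from `live/collectif-arthadie.fr/`, so it must also cover the `wordpress.` names listed in `server_name`.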
@@ -0,0 +1,43 @@ +version: '3.1' + +services: + + wp: + image: wordpress:5-apache + restart: unless-stopped + env_file: $DATA_DIR/wordpress.env + environment: + TZ: Europe/Paris + volumes: + - $DATA_DIR/wordpress:/var/www/html + - $DATA_DIR/static:/var/www/html/static + networks: + default: + ipv4_address: 172.29.7.100 + deploy: + resources: + limits: + cpus: '0.50' + memory: 100M + db: + image: mariadb:10.7 + restart: unless-stopped + environment: + TZ: Europe/Paris + volumes: + - $DATA_DIR/db:/var/lib/mysql + networks: + default: + ipv4_address: 172.29.7.101 + deploy: + resources: + limits: + cpus: '0.50' + memory: 100M + +networks: + default: + ipam: + config: + - subnet: 172.29.7.0/24 + diff --git a/services/compagnienouvelle.fr/nginx_server.conf b/services/compagnienouvelle.fr/nginx_server.conf new file mode 100755 index 0000000..89071b9 --- /dev/null +++ b/services/compagnienouvelle.fr/nginx_server.conf @@ -0,0 +1,30 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate /etc/letsencrypt/live/compagnienouvelle.fr/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/compagnienouvelle.fr/privkey.pem; + server_name wordpress.compagnienouvelle.fr www.wordpress.compagnienouvelle.fr; + location / { + auth_basic "Mot de passe !"; + auth_basic_user_file /data/compagnienouvelle.fr/pass.txt; + client_max_body_size 2G; + #proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto https; + proxy_pass http://172.29.7.100; + proxy_redirect off; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate /etc/letsencrypt/live/compagnienouvelle.fr/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/compagnienouvelle.fr/privkey.pem; + server_name compagnienouvelle.fr www.compagnienouvelle.fr; + + location / { + root /data/compagnienouvelle.fr/static; + try_files $uri $uri/ =404; + } +} 
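Review bot: The `db` service sets neither an `env_file` nor any `MYSQL_*` variable, so the mariadb image has no root password policy (`MYSQL_ROOT_PASSWORD` / `MYSQL_RANDOM_ROOT_PASSWORD`) and no `MYSQL_DATABASE` / `MYSQL_USER` matching whatever `wordpress.env` gives the `wp` service; the sibling collectif-arthadie.fr compose file shows the expected shape (`env_file`, `MYSQL_DATABASE`, `MYSQL_USER`, `MYSQL_RANDOM_ROOT_PASSWORD: 'yes'`). As written the container either refuses to initialise or, if `$DATA_DIR/db` is already populated, runs with whatever credentials happen to be in there — either way it should be made explicit.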
diff --git a/services/compagnienouvelle.fr/tmp.log b/services/compagnienouvelle.fr/tmp.log new file mode 100644 index 0000000..69589d1 --- /dev/null +++ b/services/compagnienouvelle.fr/tmp.log 
@@ -0,0 +1,58 @@ +[class-ss-plugin.php:232] Received request to start generating a static archive +[class-ss-archive-creation-job.php:61] Starting a job; no job is presently running +[class-ss-archive-creation-job.php:62] Here's our task list: setup, fetch_urls, transfer_files_locally, wrapup +[class-ss-archive-creation-job.php:76] Pushing first task to queue: setup +[class-ss-archive-creation-job.php:105] Current task: setup +[class-ss-archive-creation-job.php:120] Performing task: setup +[class-ss-task.php:38] Status message: [setup] Mise en place +[class-ss-setup-task.php:23] Creating archive directory: /var/www/html/wp-content/plugins/simply-static/static-files/simply-static-1-1603638186/ +[class-ss-setup-task.php:57] Adding origin URL to queue: https://wordpress.mysite.com/ +[class-ss-setup-task.php:68] Adding additional URL to queue: https://wordpress.mysite.com/wp-includes/js/wp-emoji-release.min.js +[class-ss-setup-task.php:99] Adding files from directory: /var/www/html/wp-content/uploads/ +[class-ss-archive-creation-job.php:142] We've found our next task: fetch_urls +[class-ss-archive-creation-job.php:105] Current task: fetch_urls +[class-ss-archive-creation-job.php:120] Performing task: fetch_urls +[class-ss-fetch-urls-task.php:37] Total pages: 2; Pages remaining: 2 +[class-ss-fetch-urls-task.php:40] URL: https://wordpress.mysite.com/ +[class-ss-fetch-urls-task.php:50] URL is not being excluded +[class-ss-url-fetcher.php:85] Fetching URL and saving it to: /tmp/5f9593ab13a6a-QXn1T1.tmp +[class-ss-url-fetcher.php:89] Filesize: 26432 bytes +[class-ss-url-fetcher.php:104] http_status_code: 200 | content_type: text/html; charset=UTF-8 +[class-ss-url-fetcher.php:180] New filename for static page: index.html +[class-ss-url-fetcher.php:120] Renaming temp file from /tmp/5f9593ab13a6a-QXn1T1.tmp to /var/www/html/wp-content/plugins/simply-static/static-files/simply-static-1-1603638186/index.html +[class-ss-fetch-urls-task.php:99] Extracting URLs and replacing URLs 
in the static file +[class-ss-fetch-urls-task.php:106] Adding 0 URLs to the queue +[class-ss-fetch-urls-task.php:117] We're saving this URL; keeping the static file +[class-ss-fetch-urls-task.php:40] URL: https://wordpress.mysite.com/wp-includes/js/wp-emoji-release.min.js +[class-ss-fetch-urls-task.php:50] URL is not being excluded +[class-ss-url-fetcher.php:85] Fetching URL and saving it to: /tmp/5f9593ab2d225-A0zDVK.tmp +[class-ss-url-fetcher.php:89] Filesize: 14246 bytes +[class-ss-url-fetcher.php:104] http_status_code: 200 | content_type: application/javascript +[class-ss-url-fetcher.php:180] New filename for static page: wp-includes/js/wp-emoji-release.min.js +[class-ss-url-fetcher.php:120] Renaming temp file from /tmp/5f9593ab2d225-A0zDVK.tmp to /var/www/html/wp-content/plugins/simply-static/static-files/simply-static-1-1603638186/wp-includes/js/wp-emoji-release.min.js +[class-ss-fetch-urls-task.php:99] Extracting URLs and replacing URLs in the static file +[class-ss-fetch-urls-task.php:106] Adding 0 URLs to the queue +[class-ss-fetch-urls-task.php:117] We're saving this URL; keeping the static file +[class-ss-task.php:38] Status message: [fetch_urls] 0 pages/fichiers sur 2 générés +[class-ss-archive-creation-job.php:147] We're not done with the fetch_urls task yet +[class-ss-archive-creation-job.php:105] Current task: fetch_urls +[class-ss-archive-creation-job.php:120] Performing task: fetch_urls +[class-ss-fetch-urls-task.php:37] Total pages: 2; Pages remaining: 0 +[class-ss-task.php:38] Status message: [fetch_urls] 2 pages/fichiers sur 2 générés +[class-ss-archive-creation-job.php:142] We've found our next task: transfer_files_locally +[class-ss-archive-creation-job.php:105] Current task: transfer_files_locally +[class-ss-archive-creation-job.php:120] Performing task: transfer_files_locally +[class-ss-transfer-files-locally-task.php:64] Total pages: 2; Pages remaining: 2 +[class-ss-archive-creation-job.php:147] We're not done with the 
transfer_files_locally task yet +[class-ss-archive-creation-job.php:105] Current task: transfer_files_locally +[class-ss-archive-creation-job.php:120] Performing task: transfer_files_locally +[class-ss-transfer-files-locally-task.php:64] Total pages: 2; Pages remaining: 0 +[class-ss-task.php:38] Status message: [transfer_files_locally] 2 fichiers sur 2 copiés +[class-ss-archive-creation-job.php:142] We've found our next task: wrapup +[class-ss-archive-creation-job.php:105] Current task: wrapup +[class-ss-archive-creation-job.php:120] Performing task: wrapup +[class-ss-wrapup-task.php:13] Deleting temporary files +[class-ss-task.php:38] Status message: [wrapup] Fin du processus +[class-ss-archive-creation-job.php:138] This task is done and there are no more tasks, time to complete the job +[class-ss-archive-creation-job.php:161] Completing the job +[class-ss-archive-creation-job.php:271] Status message: [done] Effectué ! Fini en 00:00:01 diff --git a/services/copaines.jean-cloud.net/docker-compose.yml b/services/copaines.jean-cloud.net/docker-compose.yml new file mode 100644 index 0000000..6433ad5 --- /dev/null +++ b/services/copaines.jean-cloud.net/docker-compose.yml @@ -0,0 +1,2 @@ +version: '3.1' + diff --git a/services/copaines.jean-cloud.net/nginx_server.conf b/services/copaines.jean-cloud.net/nginx_server.conf new file mode 100755 index 0000000..d96d7fe --- /dev/null +++ b/services/copaines.jean-cloud.net/nginx_server.conf 
@@ -0,0 +1,30 @@ +#server { +# listen 443 ssl http2; +# listen [::]:443 ssl http2; +# ssl_certificate /etc/letsencrypt/live/copaines.jean-cloud.net/fullchain.pem; +# ssl_certificate_key /etc/letsencrypt/live/copaines.jean-cloud.net/privkey.pem; +# server_name wordpress.copaines.jean-cloud.net www.wordpress.copaines.jean-cloud.net; +# location / { +# auth_basic "Mot de passe !"; +# auth_basic_user_file /data/copaines.jean-cloud.net/pass.txt; +# client_max_body_size 2G; +# #proxy_set_header X-Real-IP $remote_addr; +# proxy_set_header Host $http_host; +# proxy_set_header X-Forwarded-Proto https; +# proxy_pass http://wp.copainesjean-cloudnet.docker; +# proxy_redirect off; +# } +#} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate /etc/letsencrypt/live/copaines.jean-cloud.net/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/copaines.jean-cloud.net/privkey.pem; + server_name copaines.jean-cloud.net www.copaines.jean-cloud.net; + + location / { + root /data/copaines.jean-cloud.net/static; + try_files $uri $uri/ =404; + } +} diff --git a/services/cousinades.jean-cloud.net/Dockerfile b/services/cousinades.jean-cloud.net/Dockerfile new file mode 100755 index 0000000..de80780 --- /dev/null +++ b/services/cousinades.jean-cloud.net/Dockerfile @@ -0,0 +1,6 @@ +FROM php:7.2-fpm-alpine +#RUN apt-get update && apt-get install -y libpq-dev && docker-php-ext-install pdo pdo_pgsql +RUN set -ex \ + && apk --no-cache add \ + postgresql-dev +RUN docker-php-ext-install pdo_pgsql diff --git a/services/cousinades.jean-cloud.net/docker-compose.yml b/services/cousinades.jean-cloud.net/docker-compose.yml new file mode 100755 index 0000000..fea7e24 --- /dev/null +++ b/services/cousinades.jean-cloud.net/docker-compose.yml 
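Review bot: `FROM php:7.2-fpm-alpine` pins a PHP branch that stopped receiving security fixes in November 2020 (cousinades2.jean-cloud.net/Dockerfile uses the same base); move to a supported php-fpm tag. Nothing visible in the Dockerfile depends on 7.2-specific behaviour, so the `apk add postgresql-dev` and `docker-php-ext-install pdo_pgsql` steps should carry over unchanged.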
@@ -0,0 +1,35 @@ +version: '3' +services: + app: + build: . + volumes: + - /data/cousinades.jean-cloud.net/public:/usr/src/app + restart: unless-stopped + networks: + default: + ipv4_address: 172.29.4.100 + deploy: + resources: + limits: + cpus: '0.50' + memory: 100M + + + db: + image: postgres:9.6-alpine + volumes: + - /data/cousinades.jean-cloud.net/db:/var/lib/postgresql/data + networks: + default: + ipv4_address: 172.29.4.101 + deploy: + resources: + limits: + cpus: '0.50' + memory: 100M + +networks: + default: + ipam: + config: + - subnet: 172.29.4.0/24 diff --git a/services/cousinades.jean-cloud.net/nginx_server.conf b/services/cousinades.jean-cloud.net/nginx_server.conf new file mode 100755 index 0000000..3f25723 --- /dev/null +++ b/services/cousinades.jean-cloud.net/nginx_server.conf @@ -0,0 +1,25 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate /etc/letsencrypt/live/cousinades.jean-cloud.net/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/cousinades.jean-cloud.net/privkey.pem; + server_name cousinades.jean-cloud.net www.cousinades.jean-cloud.net; + + index index.php; + root /data/cousinades.jean-cloud.net/public; + + location / { + #auth_basic "Restricted"; + #auth_basic_user_file /data/cousinades.jean-cloud.net/private/passwords.txt; + try_files $uri $uri/ =404; + } + + location ~ \.php$ { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass 172.29.4.100:9000; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME /usr/src/app/$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + } +} diff --git a/services/cousinades2.jean-cloud.net/Dockerfile b/services/cousinades2.jean-cloud.net/Dockerfile new file mode 100755 index 0000000..de80780 --- /dev/null +++ b/services/cousinades2.jean-cloud.net/Dockerfile 
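Review bot: The `db` service has no `POSTGRES_PASSWORD` (neither `environment` nor `env_file`), which the official postgres image refuses to initialise without unless `POSTGRES_HOST_AUTH_METHOD=trust` is set — and `trust` would let any container on the 172.29.4.0/24 network log in as superuser; give it an `env_file` kept outside the repo, as amaglio.fr/docker-compose.yml does. The same gap exists in cousinades2.jean-cloud.net/docker-compose.yml. `db` also lacks a `restart:` policy while `app` has `restart: unless-stopped`, so the stack does not survive a reboot intact.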
@@ -0,0 +1,6 @@ +FROM php:7.2-fpm-alpine +#RUN apt-get update && apt-get install -y libpq-dev && docker-php-ext-install pdo pdo_pgsql +RUN set -ex \ + && apk --no-cache add \ + postgresql-dev +RUN docker-php-ext-install pdo_pgsql diff --git a/services/cousinades2.jean-cloud.net/docker-compose.yml b/services/cousinades2.jean-cloud.net/docker-compose.yml new file mode 100755 index 0000000..b268cc7 --- /dev/null +++ b/services/cousinades2.jean-cloud.net/docker-compose.yml @@ -0,0 +1,35 @@ +version: '3' +services: + app: + build: . + volumes: + - /data/cousinades2.jean-cloud.net/public:/usr/src/app + restart: unless-stopped + networks: + default: + ipv4_address: 172.29.8.101 + deploy: + resources: + limits: + cpus: '0.50' + memory: 100M + + db: + image: postgres:9.6-alpine + volumes: + - /data/cousinades2.jean-cloud.net/db:/var/lib/postgresql/data + networks: + default: + ipv4_address: 172.29.8.101 + deploy: + resources: + limits: + cpus: '0.50' + memory: 100M + +networks: + default: + ipam: + config: + - subnet: 172.29.8.0/24 + diff --git a/services/cousinades2.jean-cloud.net/nginx_server.conf b/services/cousinades2.jean-cloud.net/nginx_server.conf new file mode 100755 index 0000000..ffc5956 --- /dev/null +++ b/services/cousinades2.jean-cloud.net/nginx_server.conf 
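Review bot: `app` and `db` are both given `ipv4_address: 172.29.8.101`, so the second container to start cannot attach to the network, and the vhost in cousinades2.jean-cloud.net/nginx_server.conf expects PHP-FPM at `172.29.8.100:9000`; change the app entry to `ipv4_address: 172.29.8.100`. The sibling cousinades.jean-cloud.net compose file uses the .100 (app) / .101 (db) pair in that order.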
@@ -0,0 +1,25 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate /etc/letsencrypt/live/cousinades2.jean-cloud.net/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/cousinades2.jean-cloud.net/privkey.pem; + server_name cousinades2.jean-cloud.org www.cousinades2.jean-cloud.org; + + index index.php; + root /data/cousinades2.jean-cloud.net/public; + + location / { + #auth_basic "Restricted"; + #auth_basic_user_file /data/cousinades2.jean-cloud.net/private/passwords.txt; + try_files $uri $uri/ =404; + } + + location ~ \.php$ { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass 172.29.8.100:9000; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME /usr/src/app/$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + } +} diff --git a/services/feministesucl34.jean-cloud.net/docker-compose.yml b/services/feministesucl34.jean-cloud.net/docker-compose.yml new file mode 100644 index 0000000..caefc4b --- /dev/null +++ b/services/feministesucl34.jean-cloud.net/docker-compose.yml 
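Review bot: `server_name cousinades2.jean-cloud.org www.cousinades2.jean-cloud.org;` names a .org host while the certificate path, the data directory and the playbook entry are all `cousinades2.jean-cloud.net`; unless the .org names are deliberate, this looks like a typo that leaves the vhost unreachable under the expected name and would present a mismatched certificate under the .org one. Likely fix: `server_name cousinades2.jean-cloud.net www.cousinades2.jean-cloud.net;`.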
@@ -0,0 +1,49 @@ +version: '3.1' + +services: + + wp: + image: wordpress:5.8-apache + restart: unless-stopped + env_file: /data/feministesucl34.jean-cloud.net/env + environment: + WORDPRESS_DB_HOST: db + WORDPRESS_DB_USER: wpdbuser + WORDPRESS_DB_NAME: wpdb + #WORDPRESS_CONFIG_EXTRA: "define( 'WP_HOME', 'https://feministesucl34.jean-cloud.net/wordpress' ); define( 'WP_SITEURL', 'https://feministesucl34.jean-cloud.net/wordpress' );" + volumes: + - /data/feministesucl34.jean-cloud.net/wordpress:/var/www/html + - /data/feministesucl34.jean-cloud.net/static:/var/www/html/static + networks: + default: + ipv4_address: 172.29.9.100 + deploy: + resources: + limits: + cpus: '0.50' + memory: 100M + db: + image: mariadb:10.4 + restart: unless-stopped + env_file: /data/feministesucl34.jean-cloud.net/env + environment: + MYSQL_DATABASE: wpdb + MYSQL_USER: wpdbuser + MYSQL_RANDOM_ROOT_PASSWORD: 'yes' + volumes: + - /data/feministesucl34.jean-cloud.net/db:/var/lib/mysql + networks: + default: + ipv4_address: 172.29.9.101 + deploy: + resources: + limits: + cpus: '0.50' + memory: 100M + +networks: + default: + ipam: + config: + - subnet: 172.29.9.0/24 + diff --git a/services/feministesucl34.jean-cloud.net/nginx_server.conf b/services/feministesucl34.jean-cloud.net/nginx_server.conf new file mode 100755 index 0000000..1420e66 --- /dev/null +++ b/services/feministesucl34.jean-cloud.net/nginx_server.conf 
@@ -0,0 +1,32 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_certificate /etc/letsencrypt/live/feministesucl34.jean-cloud.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/feministesucl34.jean-cloud.net/privkey.pem;
+ server_name wordpress.feministesucl34.jean-cloud.net www.wordpress.feministesucl34.jean-cloud.net;
+ location / {
+ client_max_body_size 2G;
+ #proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_pass http://172.29.9.100;
+ proxy_redirect off;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_certificate /etc/letsencrypt/live/feministesucl34.jean-cloud.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/feministesucl34.jean-cloud.net/privkey.pem;
+ server_name feministesucl34.jean-cloud.net www.feministesucl34.jean-cloud.net feministesucl34.communisteslibertaires.org;
+
+ location = /wp-login.php {
+ return 301 https://wordpress.feministesucl34.jean-cloud.net/wp-login.php;
+ }
+
+ location / {
+ root /data/feministesucl34.jean-cloud.net/static;
+ try_files $uri $uri/ =404;
+ }
+}
diff --git a/services/feteducourt.jean-cloud.net/docker-compose.yml b/services/feteducourt.jean-cloud.net/docker-compose.yml
new file mode 100755
index 0000000..6bdf591
--- /dev/null
+++ b/services/feteducourt.jean-cloud.net/docker-compose.yml
@@ -0,0 +1 @@
+version: '3'
diff --git a/services/feteducourt.jean-cloud.net/nginx_server.conf b/services/feteducourt.jean-cloud.net/nginx_server.conf
new file mode 100755
index 0000000..98959b8
--- /dev/null
+++ b/services/feteducourt.jean-cloud.net/nginx_server.conf
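Review bot: The WordPress proxy block (`proxy_pass http://172.29.9.100;`) forwards only `Host` and `X-Forwarded-Proto`; with `#proxy_set_header X-Real-IP $remote_addr;` commented out and no `X-Forwarded-For`, the upstream only ever sees nginx's own address, so WordPress login logs, comment moderation and any fail2ban or rate-limit rule keyed on the client IP will attribute all traffic to the proxy. Re-enable the `X-Real-IP` line and add `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`, as the registry.jean-cloud.net server later in this diff already does. A short comment such as `# client IP is forwarded for WP logging / fail2ban` would record why the headers matter.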
@@ -0,0 +1,20 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_certificate /etc/letsencrypt/live/feteducourt.jean-cloud.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/feteducourt.jean-cloud.net/privkey.pem;
+ server_name feteducourt.jean-cloud.net www.feteducourt.jean-cloud.net;
+ #location /static {
+ # alias /data/feteducourt.jean-cloud.net/app/static;
+ # try_files $uri $uri/ =404;
+ #}
+ #location / {
+ # proxy_pass http://app.feteducourtjean-cloudnet.docker;
+ # proxy_set_header Host $host;
+ #}
+ location / {
+ root /data/feteducourt.jean-cloud.net/static;
+ try_files $uri $uri/ =404;
+ }
+}
+
diff --git a/services/feteducourt2020.jean-cloud.net/docker-compose.yml b/services/feteducourt2020.jean-cloud.net/docker-compose.yml
new file mode 100755
index 0000000..cd6121d
--- /dev/null
+++ b/services/feteducourt2020.jean-cloud.net/docker-compose.yml
@@ -0,0 +1,9 @@
+version: '3'
+#services:
+# app:
+# image: registry.jean-cloud.net/feteducourt:2020
+# environment:
+# SECRET_KEY: azerty
+# volumes:
+# - /data/feteducourt2020.jean-cloud.net/db.sqlite3:/usr/src/app/db.sqlite3
+# - /data/feteducourt2020.jean-cloud.net/app/static:/usr/src/app/static
diff --git a/services/feteducourt2020.jean-cloud.net/nginx_server.conf b/services/feteducourt2020.jean-cloud.net/nginx_server.conf
new file mode 100755
index 0000000..94c0eb3
--- /dev/null
+++ b/services/feteducourt2020.jean-cloud.net/nginx_server.conf
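Review bot: `# SECRET_KEY: azerty` in services/feteducourt2020.jean-cloud.net/docker-compose.yml keeps a weak application secret in version control; even commented out, it records a value that may have been used in a past deployment and is exactly the line that gets uncommented when the service is revived. Move the value to an `env_file` outside the repository, as the feministesucl34 compose file earlier in this diff does, and replace the line with `# SECRET_KEY: provided via env_file, never committed here`. If the app was never run with this value, say so in the comment, otherwise treat it as rotated.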
@@ -0,0 +1,22 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_certificate /etc/letsencrypt/live/feteducourt2020.jean-cloud.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/feteducourt2020.jean-cloud.net/privkey.pem;
+ server_name feteducourt2020.jean-cloud.net www.feteducourt2020.jean-cloud.net;
+
+ #location /static {
+ # alias /data/feteducourt2020.jean-cloud.net/app/static;
+ # try_files $uri $uri/ =404;
+ #}
+ #location / {
+ # proxy_pass http://app.feteducourt2020jean-cloudnet.docker;
+ # proxy_set_header Host $host;
+ #}
+
+ location / {
+ root /data/feteducourt2020.jean-cloud.net/static;
+ try_files $uri $uri/ =404;
+ }
+}
+
diff --git a/services/git.jean-cloud.net/docker-compose.yml b/services/git.jean-cloud.net/docker-compose.yml
new file mode 100755
index 0000000..1b7b615
--- /dev/null
+++ b/services/git.jean-cloud.net/docker-compose.yml
@@ -0,0 +1,41 @@
+version: '3'
+services:
+ gitea:
+ image: gitea/gitea:1.9.1
+ depends_on:
+ - db
+ volumes:
+ - /data/git.jean-cloud.net/web:/data
+ ports:
+ - "22529:22"
+ restart: unless-stopped
+ networks:
+ default:
+ ipv4_address: 172.29.10.100
+ deploy:
+ resources:
+ limits:
+ cpus: '0.50'
+ memory: 100M
+
+
+ db:
+ # https://hub.docker.com/_/postgres?tab=description
+ image: postgres:9.6-alpine
+ volumes:
+ - /data/git.jean-cloud.net/db:/var/lib/postgresql/data
+ networks:
+ default:
+ ipv4_address: 172.29.10.101
+ deploy:
+ resources:
+ limits:
+ cpus: '0.50'
+ memory: 100M
+
+networks:
+ default:
+ ipam:
+ config:
+ - subnet: 172.29.10.0/24
+
diff --git a/services/git.jean-cloud.net/nginx_server.conf b/services/git.jean-cloud.net/nginx_server.conf
new file mode 100755
index 0000000..0108d1c
--- /dev/null
+++ b/services/git.jean-cloud.net/nginx_server.conf
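Review bot: `- "22529:22"` in services/git.jean-cloud.net/docker-compose.yml publishes Gitea's SSH port on every host interface, and Docker's own forwarding rules typically bypass host-level INPUT firewall rules, so this is reachable wherever the host is; if it should only be reachable on one address, bind it explicitly, e.g. `- "<host_ip>:22529:22"`. The `db` service has no `restart:` policy while `gitea` has `restart: unless-stopped`, so after a reboot Gitea comes back without its database; add `restart: unless-stopped` to `db` for consistency with the other compose files in this diff. `gitea/gitea:1.9.1` is a fixed pin with no note on how it is bumped for security releases; a one-line comment stating the update policy would help the next maintainer.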
@@ -0,0 +1,12 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_certificate /etc/letsencrypt/live/git.jean-cloud.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/git.jean-cloud.net/privkey.pem;
+ server_name git.jean-cloud.net www.git.jean-cloud.net;
+ location / {
+ client_max_body_size 5G;
+ proxy_pass http://172.29.10.100:3000;
+ }
+}
+
diff --git a/services/gmx-webmail.jean-cloud.net/docker-compose.yml b/services/gmx-webmail.jean-cloud.net/docker-compose.yml
new file mode 100755
index 0000000..60500a2
--- /dev/null
+++ b/services/gmx-webmail.jean-cloud.net/docker-compose.yml
@@ -0,0 +1,18 @@
+version: '3'
+services:
+ roundcube:
+ image: roundcube/roundcubemail:1.4.2-apache
+ restart: "unless-stopped"
+ depends_on:
+ - db
+ volumes:
+ - /data/gmx-webmail.jean-cloud.net/app/plugins/:/var/www/html/plugins/
+ - /data/gmx-webmail.jean-cloud.net/app/config/config.inc.php:/var/www/html/config/config.inc.php
+ - /data/gmx-webmail.jean-cloud.net/app/enigma_pgp_homedir:/data/enigma_pgp_homedir
+
+ db:
+ # https://hub.docker.com/_/postgres?tab=description
+ image: postgres:9.6-alpine
+ restart: "unless-stopped"
+ volumes:
+ - /data/gmx-webmail.jean-cloud.net/db:/var/lib/postgresql/data
diff --git a/services/gmx-webmail.jean-cloud.net/nginx_server.conf b/services/gmx-webmail.jean-cloud.net/nginx_server.conf
new file mode 100755
index 0000000..3b61858
--- /dev/null
+++ b/services/gmx-webmail.jean-cloud.net/nginx_server.conf
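Review bot: The `location /` block proxies to `http://172.29.10.100:3000` without setting `Host`, `X-Forwarded-For` or `X-Forwarded-Proto`, whereas the registry.jean-cloud.net server later in this diff sets all three; with nginx's default, Gitea receives `Host: 172.29.10.100:3000` and sees the proxy as the client, which affects generated clone URLs and any IP-based login throttling it applies. Add `proxy_set_header Host $http_host;`, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $scheme;` inside the location, so the two reverse-proxy configs in this diff agree.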
@@ -0,0 +1,39 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_certificate /etc/letsencrypt/live/gmx-webmail.jean-cloud.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/gmx-webmail.jean-cloud.net/privkey.pem;
+
+ server_name gmx-webmail.jean-cloud.net www.gmx-webmail.jean-cloud.net;
+# root /data/gmx-webmail.jean-cloud.net/app;
+#
+ client_max_body_size 1024M;
+ charset utf-8;
+
+# index index.php;
+#
+# location ~ ^/roundcube/(bin|SQL|config|temp|logs)/ {
+# deny all;
+# }
+#
+# location ~ /roundcube/\.(js|css|png|jpg|jpeg|gif|ico)$ {
+# expires max;
+# log_not_found off;
+# }
+
+ location / {
+ proxy_pass http://roundcube.gmx-webmailjean-cloudnet.docker;
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Forwarded-For $remote_addr;
+ }
+
+# location ~ \.php$ {
+# fastcgi_split_path_info ^(.+\.php)(/.*)$;
+# include fastcgi_params;
+# fastcgi_param SCRIPT_FILENAME /var/www/html/$fastcgi_script_name;
+# fastcgi_param PATH_INFO $fastcgi_path_info;
+# fastcgi_pass gmx-webmail_jean-cloud_net:9000;
+# fastcgi_index index.php;
+# }
+}
diff --git a/services/gypsylyonfestival.com/nginx_server.conf b/services/gypsylyonfestival.com/nginx_server.conf
new file mode 100755
index 0000000..766c8ff
--- /dev/null
+++ b/services/gypsylyonfestival.com/nginx_server.conf
@@ -0,0 +1,25 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_certificate /etc/letsencrypt/live/gypsylyonfestival.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/gypsylyonfestival.com/privkey.pem;
+ #server_name gypsylyonfestival.com www.gypsylyonfestival.com;
+ server_name gypsy.jean-cloud.net;
+ root /data/gypsylyonfestival.com/output;
+
+ # Security headers
+ # We can create a file with the base security headers and include it.
+ # Will it be possible to overload them then ?
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ #add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self' https://unpkg.jean-cloud.net; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self'; base-uri 'self'; form-action 'self' always;
+ add_header X-Content-Type-Options "nosniff";
+ add_header X-Frame-Options SAMEORIGIN always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin";
+ #add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';sync-xhr='https://mailer.jean-cloud.net';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';";
+
+ location / {
+ index index.html;
+ try_files $uri $uri/ =404;
+ }
+}
diff --git a/services/inurbe.fr/docker-compose.yml b/services/inurbe.fr/docker-compose.yml
new file mode 100644
index 0000000..292963e
--- /dev/null
+++ b/services/inurbe.fr/docker-compose.yml
@@ -0,0 +1 @@
+version: '3.1'
diff --git a/services/inurbe.fr/nginx_server.conf b/services/inurbe.fr/nginx_server.conf
new file mode 100755
index 0000000..e4e65da
--- /dev/null
+++ b/services/inurbe.fr/nginx_server.conf
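Review bot: `add_header X-Content-Type-Options "nosniff";` and `add_header Referrer-Policy "strict-origin-when-cross-origin";` lack the `always` flag that the neighbouring HSTS, X-Frame-Options and X-XSS-Protection lines carry, so nginx omits them on error responses (without `always`, add_header applies only to 2xx/3xx status codes), including the 404 that `try_files $uri $uri/ =404;` produces; append `always` to both so every response carries the same set. The jean-cloud.net server later in this diff has the same inconsistency. On the question in `# Will it be possible to overload them then ?`: an `add_header` inside a `location` replaces, rather than extends, the headers inherited from the `server` level, so a shared include would have to be re-included in any location that adds its own header — the static.jean-cloud.net server in this diff, whose `location /` adds CORS headers, is the case to watch.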
@@ -0,0 +1,12 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_certificate /etc/letsencrypt/live/inurbe.fr/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/inurbe.fr/privkey.pem;
+ server_name inurbe.fr www.inurbe.fr;
+
+ location / {
+ root /data/inurbe.fr;
+ try_files $uri $uri/ =404;
+ }
+}
diff --git a/services/jean-cloud.net/docker-compose.yml b/services/jean-cloud.net/docker-compose.yml
new file mode 100755
index 0000000..d077323
--- /dev/null
+++ b/services/jean-cloud.net/docker-compose.yml
@@ -0,0 +1,2 @@
+version: '3'
+
diff --git a/services/jean-cloud.net/nginx_server.conf b/services/jean-cloud.net/nginx_server.conf
new file mode 100755
index 0000000..20ee80b
--- /dev/null
+++ b/services/jean-cloud.net/nginx_server.conf
@@ -0,0 +1,33 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_certificate /etc/letsencrypt/live/jean-cloud.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/jean-cloud.net/privkey.pem;
+ server_name jean-cloud.net www.jean-cloud.net jean-cloud.org www.jean-cloud.org;
+ root /data/jean-cloud.net/public;
+
+ # Security headers
+ # We can create a file with the base security headers and include it.
+ # Will it be possible to overload them then ?
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self' https://unpkg.jean-cloud.net; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self' https://unpkg.jean-cloud.net; base-uri 'self'; form-action 'self' 'https://mailer.jean-cloud.net';" always;
+ add_header X-Content-Type-Options "nosniff";
+ add_header X-Frame-Options SAMEORIGIN always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin";
+ add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';sync-xhr='https://mailer.jean-cloud.net';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';";
+
+ location / {
+ index index.html;
+ try_files $uri $uri/ =404;
+ }
+
+ error_page 503 /503.html;
+ location = /503.html {
+ internal;
+ }
+
+ location = /503 {
+ return 503;
+ }
+}
diff --git a/services/lalis.fr/Dockerfile b/services/lalis.fr/Dockerfile
new file mode 100644
index 0000000..dde64c4
--- /dev/null
+++ b/services/lalis.fr/Dockerfile
@@ -0,0 +1,2 @@
+FROM php:7.2-fpm-alpine
+RUN docker-php-ext-install mysqli
diff --git a/services/lalis.fr/docker-compose.yml b/services/lalis.fr/docker-compose.yml
new file mode 100755
index 0000000..3eefdb9
--- /dev/null
+++ b/services/lalis.fr/docker-compose.yml
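Review bot: In the `Content-Security-Policy` header, `form-action 'self' 'https://mailer.jean-cloud.net'` puts a host source in single quotes; in CSP, quotes are reserved for keywords such as `'self'` and `'none'`, so browsers discard the unrecognised token and form posts to mailer.jean-cloud.net are blocked rather than allowed — write it as `form-action 'self' https://mailer.jean-cloud.net;`. The `Permissions-Policy` value uses the older Feature-Policy shape (`geolocation='none';midi='none';...`); Permissions-Policy expects structured-field syntax such as `geolocation=(), midi=(), sync-xhr=("https://mailer.jean-cloud.net")`, so as written the header is likely ignored by current browsers and the intended restrictions are not applied. The `X-Content-Type-Options` and `Referrer-Policy` lines also lack `always`, as noted on the gypsylyonfestival.com server earlier in this diff.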
@@ -0,0 +1,22 @@
+version: '3'
+services:
+ php:
+ image: php:7.2-fpm-alpine
+ build: .
+ volumes:
+ - /data/lalis.fr:/usr/src/app
+ restart: unless-stopped
+ networks:
+ default:
+ ipv4_address: 172.29.11.101
+ deploy:
+ resources:
+ limits:
+ cpus: '0.50'
+ memory: 100M
+networks:
+ default:
+ ipam:
+ config:
+ - subnet: 172.29.11.0/24
+
diff --git a/services/lalis.fr/nginx_server.conf b/services/lalis.fr/nginx_server.conf
new file mode 100755
index 0000000..4ef2c65
--- /dev/null
+++ b/services/lalis.fr/nginx_server.conf
@@ -0,0 +1,24 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_certificate /etc/letsencrypt/live/lalis.fr/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/lalis.fr/privkey.pem;
+ server_name lalis.fr lalis.jean-cloud.net www.lalis.jean-cloud.net;
+ root /data/lalis.fr;
+
+ index index.php index.html;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+
+ location ~ \.php$ {
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass 172.29.11.100:9000;
+ fastcgi_index index.php;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /usr/src/app/$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ }
+}
+
diff --git a/services/leida.fr/docker-compose.yml b/services/leida.fr/docker-compose.yml
new file mode 100755
index 0000000..6bdf591
--- /dev/null
+++ b/services/leida.fr/docker-compose.yml
@@ -0,0 +1 @@
+version: '3'
diff --git a/services/leida.fr/nginx_server.conf b/services/leida.fr/nginx_server.conf
new file mode 100755
index 0000000..1466b7e
--- /dev/null
+++ b/services/leida.fr/nginx_server.conf
@@ -0,0 +1,15 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_certificate /etc/letsencrypt/live/leida.fr/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/leida.fr/privkey.pem;
+ server_name leida.fr www.leida.fr;
+ location / {
+ root /data/leida.fr/public;
+ index index.htm index.html;
+ try_files $uri $uri/ =404;
+ }
+ location ~ .php {
+ deny all;
+ }
+}
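Review bot: `fastcgi_pass 172.29.11.100:9000;` in services/lalis.fr/nginx_server.conf does not match the address the compose file in the same commit assigns to the `php` service, `ipv4_address: 172.29.11.101`, so PHP requests will fail — or, if another container is ever placed at .100 on the 172.29.11.0/24 subnet, be handed to the wrong backend. Change one side so they agree, e.g. `fastcgi_pass 172.29.11.101:9000;`, and consider a comment next to the compose `ipv4_address` noting that nginx_server.conf depends on it.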
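Review bot: `location ~ .php {` in services/leida.fr/nginx_server.conf has an unescaped dot, so the pattern matches any character before `php` (e.g. `/xphp`) rather than a `.php` extension; since the block is `deny all;` the effect is only an over-broad deny, but the intended form is `location ~ \.php$ {`, matching the other PHP locations in this diff.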
diff --git a/services/metamorphosemagazine.fr/docker-compose.yml b/services/metamorphosemagazine.fr/docker-compose.yml
new file mode 100644
index 0000000..6bdf591
--- /dev/null
+++ b/services/metamorphosemagazine.fr/docker-compose.yml
@@ -0,0 +1 @@
+version: '3'
diff --git a/services/metamorphosemagazine.fr/nginx_server.conf b/services/metamorphosemagazine.fr/nginx_server.conf
new file mode 100755
index 0000000..0eb7515
--- /dev/null
+++ b/services/metamorphosemagazine.fr/nginx_server.conf
@@ -0,0 +1,13 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_certificate /etc/letsencrypt/live/meta-morpho.se/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/meta-morpho.se/privkey.pem;
+ server_name metamorphosemagazine.fr;
+ location / {
+ add_header Content-language fr;
+ root /data/meta-morpho.se/src;
+ index index.html;
+ try_files $uri $uri/ =404;
+ }
+}
diff --git a/services/nc-backup.jean-cloud.net/docker-compose.yml b/services/nc-backup.jean-cloud.net/docker-compose.yml
new file mode 100755
index 0000000..2c31dbe
--- /dev/null
+++ b/services/nc-backup.jean-cloud.net/docker-compose.yml
@@ -0,0 +1,22 @@
+version: '3'
+services:
+ app:
+ image: jeancloud/backup-to-nextcloud
+ volumes:
+ - /data/nc-backup.jean-cloud.net/db:/usr/local/app/db
+ restart: unless-stopped
+ networks:
+ default:
+ ipv4_address: 172.29.16.100
+ deploy:
+ resources:
+ limits:
+ cpus: '0.50'
+ memory: 100M
+
+
+networks:
+ default:
+ ipam:
+ config:
+ - subnet: 172.29.16.0/24
diff --git a/services/oma-radio.fr/docker-compose.yml b/services/oma-radio.fr/docker-compose.yml
new file mode 100755
index 0000000..6bdf591
--- /dev/null
+++ b/services/oma-radio.fr/docker-compose.yml
@@ -0,0 +1 @@
+version: '3'
diff --git a/services/oma-radio.fr/nginx_server.conf b/services/oma-radio.fr/nginx_server.conf
new file mode 100755
index 0000000..694532b
--- /dev/null
+++ b/services/oma-radio.fr/nginx_server.conf
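Review bot: `image: jeancloud/backup-to-nextcloud` in services/nc-backup.jean-cloud.net/docker-compose.yml carries no tag, so every pull or recreate resolves to whatever `latest` is at that moment; for a job that presumably holds Nextcloud credentials and reads `/data/nc-backup.jean-cloud.net/db`, an unreviewed image change is a supply-chain exposure and also makes an incident hard to reproduce. Pin it as the other services in this diff do (`registry:2`, `jeancloud/rpnow:1.0`), ideally by digest: `image: jeancloud/backup-to-nextcloud@sha256:<digest-placeholder>`, with a comment stating how the pin is refreshed.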
@@ -0,0 +1,13 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_certificate /etc/letsencrypt/live/oma-radio.fr/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/oma-radio.fr/privkey.pem;
+ server_name oma-radio.fr www.oma-radio.fr;
+ root /data/oma-radio.fr;
+
+ location / {
+ index index.html;
+ try_files $uri $uri/ =404;
+ }
+}
diff --git a/services/registry.jean-cloud.net/docker-compose.yml b/services/registry.jean-cloud.net/docker-compose.yml
new file mode 100755
index 0000000..a9c9200
--- /dev/null
+++ b/services/registry.jean-cloud.net/docker-compose.yml
@@ -0,0 +1,27 @@
+version: '3'
+services:
+ registry:
+ restart: 'unless-stopped'
+ image: registry:2
+ environment:
+ REGISTRY_AUTH: htpasswd
+ REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
+ REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
+ volumes:
+ - /data/registry.jean-cloud.net/data:/var/lib/registry
+ - /data/registry.jean-cloud.net/auth:/auth # htpasswd -Bbn admin password
+ networks:
+ default:
+ ipv4_address: 172.29.12.100
+ deploy:
+ resources:
+ limits:
+ cpus: '0.50'
+ memory: 100M
+
+networks:
+ default:
+ ipam:
+ config:
+ - subnet: 172.29.12.0/24
+
diff --git a/services/registry.jean-cloud.net/nginx_server.conf b/services/registry.jean-cloud.net/nginx_server.conf
new file mode 100755
index 0000000..0c8cb9d
--- /dev/null
+++ b/services/registry.jean-cloud.net/nginx_server.conf
@@ -0,0 +1,18 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_certificate /etc/letsencrypt/live/registry.jean-cloud.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/registry.jean-cloud.net/privkey.pem;
+ server_name registry.jean-cloud.net www.registry.jean-cloud.net;
+
+ # disable any limits to avoid HTTP 413 for large image uploads
+ client_max_body_size 0;
+
+ location / {
+ proxy_pass http://172.29.12.100:5000/;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_read_timeout 900;
+ }
+}
diff --git a/services/rpnow.jean-cloud.net/docker-compose.yml b/services/rpnow.jean-cloud.net/docker-compose.yml
new file mode 100755
index 0000000..ae04434
--- /dev/null
+++ b/services/rpnow.jean-cloud.net/docker-compose.yml
@@ -0,0 +1,11 @@
+version: '3'
+services:
+ rpnow:
+ image: jeancloud/rpnow:1.0
+ volumes:
+ - /data/rpnow.jean-cloud.org/:/var/local/rpnow
+
+ test_rpnow:
+ image: jeancloud/rpnow:dev
+ volumes:
+ - /data/test.rpnow.jean-cloud.org/:/var/local/rpnow
diff --git a/services/rpnow.jean-cloud.net/nginx_server.conf b/services/rpnow.jean-cloud.net/nginx_server.conf
new file mode 100755
index 0000000..d8d0fc9
--- /dev/null
+++ b/services/rpnow.jean-cloud.net/nginx_server.conf
@@ -0,0 +1,40 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_certificate /etc/letsencrypt/live/rpnow.jean-cloud.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/rpnow.jean-cloud.net/privkey.pem;
+ server_name rpnow.jean-cloud.net www.rpnow.jean-cloud.net;
+
+ location / {
+ client_max_body_size 2G;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $http_host;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_read_timeout 86400;
+ proxy_redirect off;
+ proxy_pass http://rpnow.rpnowjean-cloudnet.docker;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_certificate /etc/letsencrypt/live/rpnow.jean-cloud.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/rpnow.jean-cloud.net/privkey.pem;
+ server_name test.rpnow.jean-cloud.net www.test.rpnow.jean-cloud.net;
+
+ location / {
+ client_max_body_size 2G;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $http_host;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_read_timeout 86400;
+ proxy_redirect off;
+ proxy_pass http://test_rpnow.rpnowjean-cloudnet.docker;
+ }
+}
+
diff --git a/services/soundbase.oma-radio.fr/docker-compose.yml b/services/soundbase.oma-radio.fr/docker-compose.yml
new file mode 100644
index 0000000..6bdf591
--- /dev/null
+++ b/services/soundbase.oma-radio.fr/docker-compose.yml
@@ -0,0 +1 @@
+version: '3'
diff --git a/services/soundbase.oma-radio.fr/installer.sh b/services/soundbase.oma-radio.fr/installer.sh
new file mode 100755
index 0000000..754f2a3
--- /dev/null
+++ b/services/soundbase.oma-radio.fr/installer.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+. /bin/driglibash-base
+
+fstab_content='storage@195.154.226.199:/data /data/soundbase.oma-radio.fr/data/ fuse.sshfs defaults,_netdev,allow_other,default_permissions,reconnect,IdentityFile=/data/soundbase.oma-radio.fr/Niilos 0'
+
+if [ "$1" = "uninstall" ] ; then
+ echo "Uninstalling mountpoint"
+ umount /data/soundbase.oma-radio.fr/data
+ run sed -i "s#$fstab_content##" /etc/fstab
+ run sed -i '/195.154.226.199/d' ~/.ssh/known_hosts
+
+else # Installation procedure below
+ echo "Installing mountpoint"
+ run mkdir -p /data/soundbase.oma-radio.fr/data/
+ run line_in_file "$fstab_content" /etc/fstab
+ grep 'storage@195.154.226.199:/data' /etc/fstab
+ if [ "$?" -ne 0 ] ; then
+ run mount /data/soundbase.oma-radio.fr/data
+ fi
+
+ grep 195.154.226.199 ~/.ssh/known_hosts &> /dev/null
+ if [ "$?" -ne 0 ] ; then
+ run ssh-keyscan 195.154.226.199 >> ~/.ssh/known_hosts 2> /dev/null
+ fi
+fi
+
+
+
diff --git a/services/static.jean-cloud.net/docker-compose.yml b/services/static.jean-cloud.net/docker-compose.yml
new file mode 100755
index 0000000..6bdf591
--- /dev/null
+++ b/services/static.jean-cloud.net/docker-compose.yml
@@ -0,0 +1 @@
+version: '3'
diff --git a/services/static.jean-cloud.net/nginx_server.conf b/services/static.jean-cloud.net/nginx_server.conf
new file mode 100755
index 0000000..a8d3a08
--- /dev/null
+++ b/services/static.jean-cloud.net/nginx_server.conf
@@ -0,0 +1,15 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_certificate /etc/letsencrypt/live/static.jean-cloud.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/static.jean-cloud.net/privkey.pem;
+ server_name static.oma-radio.fr www.static.oma-radio.fr static.jean-cloud.net www.static.jean-cloud.net;
+ root /data/static.jean-cloud.net/public/;
+
+ location / {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'GET';
+ index index.html;
+ try_files $uri $uri/ =404;
+ }
+}
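Review bot: `run ssh-keyscan 195.154.226.199 >> ~/.ssh/known_hosts` accepts whatever host key the storage server presents at install time, so the identity behind the sshfs mount is never checked against a known-good value and a first-contact interception would be trusted from then on; since the address is already hard-coded, commit the expected public key instead and add it with the helper the script already uses for fstab, `run line_in_file "195.154.226.199 <key-type> <pinned-host-key>" ~/.ssh/known_hosts`. The mount guard also looks inverted: `line_in_file` has just added the entry, so `grep 'storage@195.154.226.199:/data' /etc/fstab` succeeds and the `-ne 0` test means `run mount` never executes on a fresh install — checking whether the path is already mounted (e.g. `mountpoint -q /data/soundbase.oma-radio.fr/data`) is probably what was meant. In the uninstall branch, `sed -i "s#$fstab_content##"` leaves an empty line in /etc/fstab and interpolates the entry as a regex; a line-delete keyed on the quoted address, like the known_hosts `sed` just below it, would remove the whole entry, and `umount` is the one command there not wrapped in `run`.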
diff --git a/services/velov.jean-cloud.net/docker-compose.yml b/services/velov.jean-cloud.net/docker-compose.yml
new file mode 100755
index 0000000..661b2d8
--- /dev/null
+++ b/services/velov.jean-cloud.net/docker-compose.yml
@@ -0,0 +1,22 @@
+version: '3'
+services:
+ app:
+ image: php:7.2-fpm-alpine
+ volumes:
+ - /data/velov.jean-cloud.net:/usr/src/app
+ restart: unless-stopped
+ networks:
+ default:
+ ipv4_address: 172.29.13.100
+ deploy:
+ resources:
+ limits:
+ cpus: '0.50'
+ memory: 100M
+
+networks:
+ default:
+ ipam:
+ config:
+ - subnet: 172.29.13.0/24
+
diff --git a/services/velov.jean-cloud.net/nginx_server.conf b/services/velov.jean-cloud.net/nginx_server.conf
new file mode 100755
index 0000000..06ce28d
--- /dev/null
+++ b/services/velov.jean-cloud.net/nginx_server.conf
@@ -0,0 +1,25 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_certificate /etc/letsencrypt/live/velov.jean-cloud.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/velov.jean-cloud.net/privkey.pem;
+ server_name velov.jean-cloud.net www.velov.jean-cloud.net;
+ root /data/velov.jean-cloud.net;
+
+ index index.php;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+
+ location ~ \.php$ {
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass 172.29.13.100:9000;
+ fastcgi_index index.php;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /usr/src/app/$fastcgi_script_name;
+ #fastcgi_param SCRIPT_FILENAME /usr/src/app/index.php;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ }
+}
+
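Review bot: `image: php:7.2-fpm-alpine` in services/velov.jean-cloud.net/docker-compose.yml pins a PHP branch that reached end of life in November 2020 and no longer receives security fixes; the lalis.fr Dockerfile and compose file earlier in this diff use the same base. Record the situation next to the pin, e.g. `# php 7.2 is EOL; upgrade blocked on app compatibility check`, or move to a supported `php:8.x-fpm-alpine` tag. In the nginx `location ~ \.php$` block, `SCRIPT_FILENAME` is derived from the request path with no `try_files $uri =404;` guard, which is the PATH_INFO pitfall from nginx's own documentation: if the app ever serves user-supplied files, a request whose path ends in a PHP-looking suffix can reach PHP-FPM and be executed when `cgi.fix_pathinfo` is at its default. Since the compose file mounts `/data/velov.jean-cloud.net` (nginx's `root`) at `/usr/src/app`, adding `try_files $uri =404;` as the first line of that location is valid here and closes the gap.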