pleins de super mises à jour :)

2023-05-11 10:57:45 +02:00 · 2023-05-11 10:57:45 +02:00 · d9cef67dd4
commit d9cef67dd4
parent da3341bb2e
11 changed files with 172 additions and 92 deletions
--- a/provisioning/inventory.ini
+++ b/provisioning/inventory.ini
@ -1,8 +1,8 @@
 [servers]
-#vandamme.jean-cloud.net
-#nougaro.jean-cloud.net
-tetede.jean-cloud.net
-#carcasse.jean-cloud.net
+#vandamme.jean-cloud.org
+#nougaro.jean-cloud.org
+tetede.jean-cloud.org
+#carcasse.jean-cloud.org
 #benevoles.karnaval.fr
-montbonnot.jean-cloud.net
-max.jean-cloud.net
+#montbonnot.jean-cloud.org
+max.jean-cloud.org
--- a/provisioning/roles/deploy_all/files/bin/deployer.sh
+++ b/provisioning/roles/deploy_all/files/bin/deployer.sh
@ -72,6 +72,9 @@ for dir in /docker/* ; do
    [ "${service::1}" == '_' ] && continue
    [ ! -d "$dir" ] && continue

+	export DATA_DIR="/data/$service"
+	mkdir -p "$DATA_DIR"
+
    docker_service="$(echo "$service" | tr '.' '_')"
    driglibash_section_prefix="[$service] "
    cd "/docker/$service"
--- a/provisioning/roles/deploy_all/files/bin/driglibash-base
+++ b/provisioning/roles/deploy_all/files/bin/driglibash-base
@ -25,9 +25,8 @@ repeat() {

 # Output a "section title" to visually separate different script part
 # TODO local variables
-# TODO fixed place left aligned
 section(){
-  text="$driglibash_section_prefix$1"
+  text="\033[00;36m$driglibash_section_prefix\033[0m$1"
  if [ -n "$text" ] ; then
    len="${#text}"
    max_len="$(($(tput cols)-2))"
@ -35,8 +34,8 @@ section(){
      right=5
      left=5
    else
-      left="$((($max_len - $len)/2))"
-      right="$left"
+	  left=4
+      right="$(($max_len - $len - left))"
    fi
  else
    left=80
@ -50,7 +49,7 @@ section(){

  repeat '=' "$left"
  if [ "$right" -ge 1 ] ; then
-    echo -n " $text "
+    echo -ne " $text "
    repeat '=' "$right"
    echo
  fi
--- a/provisioning/roles/deploy_all/files/bind/db.jean-cloud.net
+++ b/provisioning/roles/deploy_all/files/bind/db.jean-cloud.net
@ -1,22 +1,23 @@
 $TTL    604800
-@       IN      SOA     ns1.jean-cloud.net. contact.jean-cloud.org. (
-                    2023042400          ; Serial
+@       IN      SOA     max.jean-cloud.org. contact.jean-cloud.org. (
+                    2023051101          ; Serial
                          7200          ; Refresh
                          7200          ; Retry
                        2419200         ; Expire
                         7200 ) ; Negative Cache TTL

 ; NS
-@                       IN      NS      ns1.jean-cloud.net.
-@                       IN      NS      ns2.jean-cloud.net.
+@                       IN      NS      max.jean-cloud.org.
+@                       IN      NS      tetede.jean-cloud.org.
@                       IN      NS      ns1.he.net.
@                       IN      NS      ns2.he.net.
@                       IN      NS      ns3.he.net.
@                       IN      NS      ns4.he.net.
@                       IN      NS      ns5.he.net.

-@                       IN      A       51.255.33.248
-@                       IN      A       82.65.204.254
+@						IN		A		51.255.33.248
+@						IN		A		82.65.204.254
+

@ 10800 IN MX 10 spool.mail.gandi.net.
@ 10800 IN MX 50 fb.mail.gandi.net.
@ -24,14 +25,14 @@ $TTL    604800


 ; Resolving nameserver
-ns1                             IN      A       51.255.33.248
-ns2                             IN      A       172.104.154.21
+ns2                       IN      A       51.255.33.248
+ns1                       IN      A       82.65.204.254

 ;mail                                   IN      CNAME   vandamme
 webmail                         IN      CNAME   vandamme
 vimbadmin                       IN      CNAME   vandamme

-www                             IN      CNAME   vandamme
+www                             IN      CNAME   jean-cloud.org.

 ; Naming nodes
 vandamme                        IN      A       51.255.33.248
@ -46,9 +47,6 @@ nougaro				IN	AAAA	2a01:7e01::f03c:92ff:fecf:e815
 tetede                          IN      AAAA    2001:41d0:701:1100::31f
 tetede                          IN      A       51.195.40.128

-carcasse                        IN      A       109.18.84.200
-carcasse                        IN      AAAA    2a02:8434:1633:df01:adf9:74c3:b444:262f
-
 heart							IN		A		109.18.84.200

 max                             IN      A       82.65.204.254
@ -60,88 +58,83 @@ montbonnot                      IN      AAAA    2a06:98c1:3120::2
 montbonnot                      IN      AAAA    2a06:98c1:3121::2


-; Carcasse
-dumbcluster                     IN      A       109.18.84.200
-dumbcluster                     IN      AAAA    2a02:8434:1633:df01:226:2dff:fe11:56af
-; Tetede
-dumbcluster                     IN      A       51.195.40.128
-dumbcluster                     IN      AAAA    2001:41d0:701:1100::31f
-
 ; services

-nuage                           IN      CNAME   vandamme
-www.nuage                       IN      CNAME   vandamme
-calc.nuage                      IN      CNAME   vandamme
-pad.nuage                       IN      CNAME   vandamme
+nuage                           IN      CNAME   vandamme.jean-cloud.org.
+www.nuage                       IN      CNAME   vandamme.jean-cloud.org.
+calc.nuage                      IN      CNAME   vandamme.jean-cloud.org.
+pad.nuage                       IN      CNAME   vandamme.jean-cloud.org.

-feteducourt                     IN      CNAME   vandamme
-www.feteducourt                 IN      CNAME   vandamme
-feteducourt2020                 IN      CNAME   vandamme
-www.feteducourt2020             IN      CNAME   vandamme
+feteducourt                     IN      CNAME   vandamme.jean-cloud.org.
+www.feteducourt                 IN      CNAME   vandamme.jean-cloud.org.
+feteducourt2020                 IN      CNAME   vandamme.jean-cloud.org.
+www.feteducourt2020             IN      CNAME   vandamme.jean-cloud.org.

-git                             IN      CNAME   vandamme
-www.git                         IN      CNAME   vandamme
+git                             IN      CNAME   vandamme.jean-cloud.org.
+www.git                         IN      CNAME   vandamme.jean-cloud.org.

-wiki-cgr                        IN      CNAME vandamme
-www.wiki-cgr                    IN      CNAME vandamme
-parsoid-wiki-cgr                IN      CNAME vandamme
-www.parsoid-wiki-cgr            IN      CNAME vandamme
+wiki-cgr                        IN      CNAME vandamme.jean-cloud.org.
+www.wiki-cgr                    IN      CNAME vandamme.jean-cloud.org.
+parsoid-wiki-cgr                IN      CNAME vandamme.jean-cloud.org.
+www.parsoid-wiki-cgr            IN      CNAME vandamme.jean-cloud.org.

-cousinades                      IN      CNAME vandamme
-www.cousinades                  IN      CNAME vandamme
+cousinades                      IN      CNAME vandamme.jean-cloud.org.
+www.cousinades                  IN      CNAME vandamme.jean-cloud.org.

-cousinadesi2                    IN      CNAME vandamme
-www.cousinades2                 IN      CNAME vandamme
+cousinadesi2                    IN      CNAME vandamme.jean-cloud.org.
+www.cousinades2                 IN      CNAME vandamme.jean-cloud.org.

-velov                           IN      CNAME vandamme
-www.velov                       IN      CNAME vandamme
+velov                           IN      CNAME vandamme.jean-cloud.org.
+www.velov                       IN      CNAME vandamme.jean-cloud.org.

-registry                        IN      CNAME vandamme
-www.registry                    IN      CNAME vandamme
+registry                        IN      CNAME vandamme.jean-cloud.org.
+www.registry                    IN      CNAME vandamme.jean-cloud.org.

-inurbe                          IN      CNAME vandamme
-www.inurbe                      IN      CNAME vandamme
+inurbe                          IN      CNAME vandamme.jean-cloud.org.
+www.inurbe                      IN      CNAME vandamme.jean-cloud.org.

-gmx-webmail                     IN      CNAME   vandamme
-www.gmx-webmail                 IN      CNAME   vandamme
+gmx-webmail                     IN      CNAME   vandamme.jean-cloud.org.
+www.gmx-webmail                 IN      CNAME   vandamme.jean-cloud.org.

-rpnow                           IN      CNAME   vandamme
-www.rpnow                       IN      CNAME   vandamme
-test.rpnow                      IN      CNAME   vandamme
-www.test.rpnow                  IN      CNAME   vandamme
+rpnow                           IN      CNAME   vandamme.jean-cloud.org.
+www.rpnow                       IN      CNAME   vandamme.jean-cloud.org.
+test.rpnow                      IN      CNAME   vandamme.jean-cloud.org.
+www.test.rpnow                  IN      CNAME   vandamme.jean-cloud.org.

-lalis                           IN      CNAME   vandamme
-www.lalis                       IN      CNAME   vandamme
+lalis                           IN      CNAME   vandamme.jean-cloud.org.
+www.lalis                       IN      CNAME   vandamme.jean-cloud.org.

-metamorphose                    IN      CNAME   vandamme
-www.metamorphose                IN      CNAME   vandamme
+metamorphose                    IN      CNAME   vandamme.jean-cloud.org.
+www.metamorphose                IN      CNAME   vandamme.jean-cloud.org.

-static                          IN      CNAME   vandamme
-www.static                      IN      CNAME   vandamme
+static                          IN      CNAME   vandamme.jean-cloud.org.
+www.static                      IN      CNAME   vandamme.jean-cloud.org.

-;educloud                       IN      CNAME   tetede
-;www.educloud                   IN      CNAME   tetede
-;educloud2                      IN      CNAME   tetede
-;www.educloud2                  IN      CNAME   tetede
+;educloud                       IN      CNAME   tetede.jean-cloud.org.
+;www.educloud                   IN      CNAME   tetede.jean-cloud.org.
+;educloud2                      IN      CNAME   tetede.jean-cloud.org.
+;www.educloud2                  IN      CNAME   tetede.jean-cloud.org.

-copaines                        IN      CNAME   tetede
-www.copaines                    IN      CNAME   tetede
-wordpress.copaines              IN      CNAME   tetede
-www.wordpress.copaines          IN      CNAME   tetede
+copaines                        IN      CNAME   tetede.jean-cloud.org.
+www.copaines                    IN      CNAME   tetede.jean-cloud.org.
+wordpress.copaines              IN      CNAME   tetede.jean-cloud.org.
+www.wordpress.copaines          IN      CNAME   tetede.jean-cloud.org.

-feministesucl34                 IN      CNAME   tetede
-www.feministesucl34                     IN      CNAME   tetede
-wordpress.feministesucl34               IN      CNAME   tetede
-www.wordpress.feministesucl34           IN      CNAME   tetede
+feministesucl34                 IN      CNAME   tetede.jean-cloud.org.
+www.feministesucl34                     IN      CNAME   tetede.jean-cloud.org.
+wordpress.feministesucl34               IN      CNAME   tetede.jean-cloud.org.
+www.wordpress.feministesucl34           IN      CNAME   tetede.jean-cloud.org.

-tracker                         IN      CNAME   tetede
+tracker                         IN      CNAME   tetede.jean-cloud.org.

-raplacgr                        IN      CNAME   tetede
+raplacgr                        IN      CNAME   tetede.jean-cloud.org.

-walou                           IN      CNAME   dumbcluster
+walou                           IN      CNAME   dumbcluster.jean-cloud.org.

-nc-backup                       IN      CNAME   tetede
+nc-backup                       IN      CNAME   tetede.jean-cloud.org.

-gypsy                           IN      CNAME   tetede
+gypsy                           IN      CNAME   tetede.jean-cloud.org.

-shlago.wireguard.jean-cloud.net IN      CNAME   teted
+shlago.wireguard.jean-cloud.net IN      CNAME   tetede.jean-cloud.org.
+
+lexicographe					IN		CNAME	max.jean-cloud.org.
--- a/provisioning/roles/deploy_all/files/bind/db.jean-cloud.org
+++ b/provisioning/roles/deploy_all/files/bind/db.jean-cloud.org
@ -1,20 +1,56 @@
 $TTL    604800
-@       IN      SOA     ns1.jean-cloud.net. contact.jean-cloud.org. (
-                     2021060600         ; Serial
+@       IN      SOA     max.jean-cloud.org. contact.jean-cloud.org. (
+                     2023051100         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL

-@                       IN      NS      ns1.jean-cloud.net.
-@                       IN      NS      ns2.jean-cloud.net.
-
+@                       IN      NS      max
+@                       IN      NS      tetede

@                       IN      A       51.255.33.248
+@                       IN      A       82.65.204.254

+; NS
+;ns1                     IN      CNAME   vandamme
+ns2                     IN      A   82.65.204.254
+ns3                     IN      A   51.195.40.128
+
+; Mails
@ 10800 IN MX 10 spool.mail.gandi.net.
@ 10800 IN MX 50 fb.mail.gandi.net.
@ 10800 IN TXT "v=spf1 include:_mailcust.gandi.net ?all"
+_imap._tcp 10800 IN SRV 0 0 0 .
+_imaps._tcp 10800 IN SRV 0 1 993 mail.gandi.net.
+_pop3._tcp 10800 IN SRV 0 0 0 .
+_pop3s._tcp 10800 IN SRV 10 1 995 mail.gandi.net.
+_submission._tcp 10800 IN SRV 0 1 465 mail.gandi.net.

-ns1                     IN      A       51.255.33.248
+gm1._domainkey 10800 IN CNAME gm1.gandimail.net.
+gm2._domainkey 10800 IN CNAME gm2.gandimail.net.
+gm3._domainkey 10800 IN CNAME gm3.gandimail.net.
+
+; Website classics
+webmail 10800 IN CNAME webmail.gandi.net.
+www 10800 IN CNAME jean-cloud.org.
+
+; Machines
+vandamme                        IN      A       51.255.33.248
+
+nougaro                         IN      A       172.104.154.21
+nougaro                         IN      AAAA    2a01:7e01::f03c:92ff:fecf:e815
+
+tetede                          IN      A       51.195.40.128
+tetede                          IN      AAAA    2001:41d0:701:1100::31f
+
+heart                           IN      A       109.18.84.200
+
+max                             IN      A       82.65.204.254
+max                             IN      AAAA    2a01:e0a:c9d:81d0:a2b3:ccff:fe85:af97
+
+montbonnot                      IN      A       188.114.97.2
+montbonnot                      IN      A       188.114.96.2
+montbonnot                      IN      AAAA    2a06:98c1:3120::2
+montbonnot                      IN      AAAA    2a06:98c1:3121::2

--- a/provisioning/roles/jean-cloud-common/tasks/main.yml
+++ b/provisioning/roles/jean-cloud-common/tasks/main.yml
@ -29,7 +29,7 @@

 - name: Install some softwares
  apt:
-      name: ['bind9', 'certbot', 'dnsutils', 'git', 'gnupg2', 'htop', 'netcat-openbsd', 'nginx', 'rsync', 'screen', 'sshfs', 'vim', 'wget', 'zip']
+      name: ['bind9', 'certbot', 'curl', 'dnsutils', 'git', 'gnupg2', 'htop', 'netcat-openbsd', 'nginx', 'rsync', 'screen', 'sshfs', 'traceroute', 'vim', 'wget', 'zip']
      state: latest

 # TODO disable certbot and certbot.timer services. We are using our own
--- a/services/jean-cloud.net/install.sh
+++ b/services/jean-cloud.net/install.sh
@ -0,0 +1,11 @@
+#!/bin/bash
+set -euo pipefail
+
+start() {
+	podman pull docker.io/jeancloud/pelican-rclone-builder
+	podman run -i --rm --env-file "$DATA_DIR/.env" -v "$DATA_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder
+}
+
+restart () {
+	start
+}
--- a/services/jean-cloud.net/nginx_server.conf
+++ b/services/jean-cloud.net/nginx_server.conf
@ -4,7 +4,7 @@ server {
  ssl_certificate /etc/letsencrypt/live/jean-cloud.net/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/jean-cloud.net/privkey.pem;
  server_name jean-cloud.net www.jean-cloud.net jean-cloud.org www.jean-cloud.org;
-  root /data/jean-cloud.net/public;
+  root /data/jean-cloud.net/output;

  # Security headers
  # We can create a file with the base security headers and include it.
--- a/services/lexicographe.jean-cloud.net/docker-compose.yml
+++ b/services/lexicographe.jean-cloud.net/docker-compose.yml
@ -0,0 +1,2 @@
+version: '3'
+
--- a/services/lexicographe.jean-cloud.net/install.sh
+++ b/services/lexicographe.jean-cloud.net/install.sh
@ -0,0 +1,12 @@
+#!/bin/bash
+set -euo pipefail
+
+start() {
+	mkdir -p "$DATA_DIR/git"
+	podman pull docker.io/jeancloud/pelican-rclone-builder
+	podman run -i --rm --env-file "$DATA_DIR/.env" -v "$DATA_DIR/git:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder
+}
+
+restart () {
+	start
+}
--- a/services/lexicographe.jean-cloud.net/nginx_server.conf
+++ b/services/lexicographe.jean-cloud.net/nginx_server.conf
@ -0,0 +1,24 @@
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  ssl_certificate /etc/letsencrypt/live/lexicographe.jean-cloud.net/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/lexicographe.jean-cloud.net/privkey.pem;
+  server_name lexicographe.jean-cloud.net;
+  root /data/lexicographe.jean-cloud.net/git/output;
+
+  # Security headers
+  # We can create a file with the base security headers and include it.
+  # Will it be possible to overload them then ?
+  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+  add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self' https://unpkg.jean-cloud.net; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self' https://unpkg.jean-cloud.net; base-uri 'self'; form-action 'self' 'https://mailer.jean-cloud.net';" always;
+  add_header X-Content-Type-Options "nosniff";
+  add_header X-Frame-Options SAMEORIGIN always;
+  add_header X-XSS-Protection "1; mode=block" always;
+  add_header Referrer-Policy "strict-origin-when-cross-origin";
+  add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';sync-xhr='https://mailer.jean-cloud.net';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';";
+
+  location / {
+          index index.html;
+          try_files $uri $uri/ =404;
+  }
+}