diff --git a/provisioning/inventory.ini b/provisioning/inventory.ini index c77b9f6..7c36edf 100644 --- a/provisioning/inventory.ini +++ b/provisioning/inventory.ini @@ -1,8 +1,8 @@ [servers] -#vandamme.jean-cloud.net -#nougaro.jean-cloud.net -tetede.jean-cloud.net -#carcasse.jean-cloud.net +#vandamme.jean-cloud.org +#nougaro.jean-cloud.org +tetede.jean-cloud.org +#carcasse.jean-cloud.org #benevoles.karnaval.fr -montbonnot.jean-cloud.net -max.jean-cloud.net +#montbonnot.jean-cloud.org +max.jean-cloud.org diff --git a/provisioning/roles/deploy_all/files/bin/deployer.sh b/provisioning/roles/deploy_all/files/bin/deployer.sh index 590efaf..5a6b2a0 100755 --- a/provisioning/roles/deploy_all/files/bin/deployer.sh +++ b/provisioning/roles/deploy_all/files/bin/deployer.sh @@ -72,6 +72,9 @@ for dir in /docker/* ; do [ "${service::1}" == '_' ] && continue [ ! -d "$dir" ] && continue + export DATA_DIR="/data/$service" + mkdir -p "$DATA_DIR" + docker_service="$(echo "$service" | tr '.' '_')" driglibash_section_prefix="[$service] " cd "/docker/$service" diff --git a/provisioning/roles/deploy_all/files/bin/driglibash-base b/provisioning/roles/deploy_all/files/bin/driglibash-base index d588596..d9bb9ea 100755 --- a/provisioning/roles/deploy_all/files/bin/driglibash-base +++ b/provisioning/roles/deploy_all/files/bin/driglibash-base @@ -25,9 +25,8 @@ repeat() { # Output a "section title" to visually separate different script part # TODO local variables -# TODO fixed place left aligned section(){ - text="$driglibash_section_prefix$1" + text="\033[00;36m$driglibash_section_prefix\033[0m$1" if [ -n "$text" ] ; then len="${#text}" max_len="$(($(tput cols)-2))" @@ -35,8 +34,8 @@ section(){ right=5 left=5 else - left="$((($max_len - $len)/2))" - right="$left" + left=4 + right="$(($max_len - $len - left))" fi else left=80 @@ -50,7 +49,7 @@ section(){ repeat '=' "$left" if [ "$right" -ge 1 ] ; then - echo -n " $text " + echo -ne " $text " repeat '=' "$right" echo fi 
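Review bot: `mkdir -p "$DATA_DIR"` creates /data/<service> with whatever umask deployer.sh inherits, and the install.sh files added in this same commit read `$DATA_DIR/.env` (presumably credentials for the builder) from that directory, so the mode should be explicit: `mkdir -p -m 0750 "$DATA_DIR"`, or a `chmod` right after it, keeps the env file from being readable by other local accounts. The enclosing `for dir in /docker/*` loop and the assignment of `$service` are both outside the hunk, so I cannot confirm `$service` is always a plain basename; if it is, a one-line comment `# per-service persistent data, consumed by install.sh via $DATA_DIR` above the export would document the new contract between deployer.sh and the service scripts.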
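Review bot: The colour escapes are now part of `text`, so `len="${#text}"` counts the literal `\033[00;36m` and `\033[0m` characters (18 of them) that `echo -ne` later renders as zero-width, which makes the `right` rule computed in the second hunk 18 columns too short, and because `text` can no longer be empty the `[ -n "$text" ]` branch is now unconditional. Keep a plain copy for the measurements: `plain="$driglibash_section_prefix$1"`, `text="\033[00;36m$driglibash_section_prefix\033[0m$1"`, then `len="${#plain}"` and `if [ -n "$plain" ]`. The same `$len` feeds `right="$(($max_len - $len - left))"` in the second hunk and the `echo -ne " $text "` in the third, so fixing the measurement once covers all three; section() starts and ends outside each hunk.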
diff --git a/provisioning/roles/deploy_all/files/bind/db.jean-cloud.net b/provisioning/roles/deploy_all/files/bind/db.jean-cloud.net index 36b9038..02ab16d 100644 --- a/provisioning/roles/deploy_all/files/bind/db.jean-cloud.net +++ b/provisioning/roles/deploy_all/files/bind/db.jean-cloud.net @@ -1,22 +1,23 @@ $TTL 604800 -@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. ( - 2023042400 ; Serial +@ IN SOA max.jean-cloud.org. contact.jean-cloud.org. ( + 2023051101 ; Serial 7200 ; Refresh 7200 ; Retry 2419200 ; Expire 7200 ) ; Negative Cache TTL ; NS -@ IN NS ns1.jean-cloud.net. -@ IN NS ns2.jean-cloud.net. +@ IN NS max.jean-cloud.org. +@ IN NS tetede.jean-cloud.org. @ IN NS ns1.he.net. @ IN NS ns2.he.net. @ IN NS ns3.he.net. @ IN NS ns4.he.net. @ IN NS ns5.he.net. -@ IN A 51.255.33.248 -@ IN A 82.65.204.254 +@ IN A 51.255.33.248 +@ IN A 82.65.204.254 + @ 10800 IN MX 10 spool.mail.gandi.net. @ 10800 IN MX 50 fb.mail.gandi.net. @@ -24,14 +25,14 @@ $TTL 604800 ; Resolving nameserver -ns1 IN A 51.255.33.248 -ns2 IN A 172.104.154.21 +ns2 IN A 51.255.33.248 +ns1 IN A 82.65.204.254 ;mail IN CNAME vandamme webmail IN CNAME vandamme vimbadmin IN CNAME vandamme -www IN CNAME vandamme +www IN CNAME jean-cloud.org. ; Naming nodes vandamme IN A 51.255.33.248 @@ -46,9 +47,6 @@ nougaro IN AAAA 2a01:7e01::f03c:92ff:fecf:e815 tetede IN AAAA 2001:41d0:701:1100::31f tetede IN A 51.195.40.128 -carcasse IN A 109.18.84.200 -carcasse IN AAAA 2a02:8434:1633:df01:adf9:74c3:b444:262f - heart IN A 109.18.84.200 max IN A 82.65.204.254 
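Review bot: The `ns1`/`ns2` A records in the `@@ -24,14` hunk now map ns2 to 51.255.33.248 and ns1 to 82.65.204.254, the reverse of the previous assignment, and they disagree with the db.jean-cloud.org written by this commit, where ns2 is 82.65.204.254 and ns3 is 51.195.40.128. After the NS change in the first hunk nothing in this zone refers to ns1/ns2 any more, so if registrar glue or the he.net secondaries still name ns1.jean-cloud.net/ns2.jean-cloud.net it should be confirmed that the swapped addresses are intended; otherwise drop the two records, or keep them with a comment such as `; legacy glue names still registered upstream` so the next editor knows why they survive.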
@@ -60,88 +58,83 @@ montbonnot IN AAAA 2a06:98c1:3120::2 montbonnot IN AAAA 2a06:98c1:3121::2 -; Carcasse -dumbcluster IN A 109.18.84.200 -dumbcluster IN AAAA 2a02:8434:1633:df01:226:2dff:fe11:56af -; Tetede -dumbcluster IN A 51.195.40.128 -dumbcluster IN AAAA 2001:41d0:701:1100::31f - ; services -nuage IN CNAME vandamme -www.nuage IN CNAME vandamme -calc.nuage IN CNAME vandamme -pad.nuage IN CNAME vandamme +nuage IN CNAME vandamme.jean-cloud.org. +www.nuage IN CNAME vandamme.jean-cloud.org. +calc.nuage IN CNAME vandamme.jean-cloud.org. +pad.nuage IN CNAME vandamme.jean-cloud.org. -feteducourt IN CNAME vandamme -www.feteducourt IN CNAME vandamme -feteducourt2020 IN CNAME vandamme -www.feteducourt2020 IN CNAME vandamme +feteducourt IN CNAME vandamme.jean-cloud.org. +www.feteducourt IN CNAME vandamme.jean-cloud.org. +feteducourt2020 IN CNAME vandamme.jean-cloud.org. +www.feteducourt2020 IN CNAME vandamme.jean-cloud.org. -git IN CNAME vandamme -www.git IN CNAME vandamme +git IN CNAME vandamme.jean-cloud.org. +www.git IN CNAME vandamme.jean-cloud.org. -wiki-cgr IN CNAME vandamme -www.wiki-cgr IN CNAME vandamme -parsoid-wiki-cgr IN CNAME vandamme -www.parsoid-wiki-cgr IN CNAME vandamme +wiki-cgr IN CNAME vandamme.jean-cloud.org. +www.wiki-cgr IN CNAME vandamme.jean-cloud.org. +parsoid-wiki-cgr IN CNAME vandamme.jean-cloud.org. +www.parsoid-wiki-cgr IN CNAME vandamme.jean-cloud.org. -cousinades IN CNAME vandamme -www.cousinades IN CNAME vandamme +cousinades IN CNAME vandamme.jean-cloud.org. +www.cousinades IN CNAME vandamme.jean-cloud.org. -cousinadesi2 IN CNAME vandamme -www.cousinades2 IN CNAME vandamme +cousinadesi2 IN CNAME vandamme.jean-cloud.org. +www.cousinades2 IN CNAME vandamme.jean-cloud.org. -velov IN CNAME vandamme -www.velov IN CNAME vandamme +velov IN CNAME vandamme.jean-cloud.org. +www.velov IN CNAME vandamme.jean-cloud.org. -registry IN CNAME vandamme -www.registry IN CNAME vandamme +registry IN CNAME vandamme.jean-cloud.org. 
+www.registry IN CNAME vandamme.jean-cloud.org. -inurbe IN CNAME vandamme -www.inurbe IN CNAME vandamme +inurbe IN CNAME vandamme.jean-cloud.org. +www.inurbe IN CNAME vandamme.jean-cloud.org. -gmx-webmail IN CNAME vandamme -www.gmx-webmail IN CNAME vandamme +gmx-webmail IN CNAME vandamme.jean-cloud.org. +www.gmx-webmail IN CNAME vandamme.jean-cloud.org. -rpnow IN CNAME vandamme -www.rpnow IN CNAME vandamme -test.rpnow IN CNAME vandamme -www.test.rpnow IN CNAME vandamme +rpnow IN CNAME vandamme.jean-cloud.org. +www.rpnow IN CNAME vandamme.jean-cloud.org. +test.rpnow IN CNAME vandamme.jean-cloud.org. +www.test.rpnow IN CNAME vandamme.jean-cloud.org. -lalis IN CNAME vandamme -www.lalis IN CNAME vandamme +lalis IN CNAME vandamme.jean-cloud.org. +www.lalis IN CNAME vandamme.jean-cloud.org. -metamorphose IN CNAME vandamme -www.metamorphose IN CNAME vandamme +metamorphose IN CNAME vandamme.jean-cloud.org. +www.metamorphose IN CNAME vandamme.jean-cloud.org. -static IN CNAME vandamme -www.static IN CNAME vandamme +static IN CNAME vandamme.jean-cloud.org. +www.static IN CNAME vandamme.jean-cloud.org. -;educloud IN CNAME tetede -;www.educloud IN CNAME tetede -;educloud2 IN CNAME tetede -;www.educloud2 IN CNAME tetede +;educloud IN CNAME tetede.jean-cloud.org. +;www.educloud IN CNAME tetede.jean-cloud.org. +;educloud2 IN CNAME tetede.jean-cloud.org. +;www.educloud2 IN CNAME tetede.jean-cloud.org. -copaines IN CNAME tetede -www.copaines IN CNAME tetede -wordpress.copaines IN CNAME tetede -www.wordpress.copaines IN CNAME tetede +copaines IN CNAME tetede.jean-cloud.org. +www.copaines IN CNAME tetede.jean-cloud.org. +wordpress.copaines IN CNAME tetede.jean-cloud.org. +www.wordpress.copaines IN CNAME tetede.jean-cloud.org. -feministesucl34 IN CNAME tetede -www.feministesucl34 IN CNAME tetede -wordpress.feministesucl34 IN CNAME tetede -www.wordpress.feministesucl34 IN CNAME tetede +feministesucl34 IN CNAME tetede.jean-cloud.org. +www.feministesucl34 IN CNAME tetede.jean-cloud.org. 
+wordpress.feministesucl34 IN CNAME tetede.jean-cloud.org. +www.wordpress.feministesucl34 IN CNAME tetede.jean-cloud.org. -tracker IN CNAME tetede +tracker IN CNAME tetede.jean-cloud.org. -raplacgr IN CNAME tetede +raplacgr IN CNAME tetede.jean-cloud.org. -walou IN CNAME dumbcluster +walou IN CNAME dumbcluster.jean-cloud.org. -nc-backup IN CNAME tetede +nc-backup IN CNAME tetede.jean-cloud.org. -gypsy IN CNAME tetede +gypsy IN CNAME tetede.jean-cloud.org. -shlago.wireguard.jean-cloud.net IN CNAME teted +shlago.wireguard.jean-cloud.net IN CNAME tetede.jean-cloud.org. + +lexicographe IN CNAME max.jean-cloud.org. diff --git a/provisioning/roles/deploy_all/files/bind/db.jean-cloud.org b/provisioning/roles/deploy_all/files/bind/db.jean-cloud.org index 045c973..efd16ce 100644 --- a/provisioning/roles/deploy_all/files/bind/db.jean-cloud.org +++ b/provisioning/roles/deploy_all/files/bind/db.jean-cloud.org 
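Review bot: `walou IN CNAME dumbcluster.jean-cloud.org.` dangles: this hunk deletes the only `dumbcluster` A/AAAA records from db.jean-cloud.net, and the new db.jean-cloud.org in this commit defines no `dumbcluster` name either, so walou.jean-cloud.net will resolve to NXDOMAIN. Point it at the host that actually serves it, e.g. `walou IN CNAME tetede.jean-cloud.org.` if tetede is the surviving member of the deleted `; Tetede` block. Separately, `shlago.wireguard.jean-cloud.net IN CNAME tetede.jean-cloud.org.` keeps an owner name without a trailing dot, so BIND appends the origin and the record becomes `shlago.wireguard.jean-cloud.net.jean-cloud.net.`; the line should read `shlago.wireguard IN CNAME tetede.jean-cloud.org.` (the commit fixes the `teted` target but not the owner).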
@@ -1,20 +1,56 @@ $TTL 604800 -@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. ( - 2021060600 ; Serial +@ IN SOA max.jean-cloud.org. contact.jean-cloud.org. ( + 2023051100 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL -@ IN NS ns1.jean-cloud.net. -@ IN NS ns2.jean-cloud.net. - +@ IN NS max +@ IN NS tetede @ IN A 51.255.33.248 +@ IN A 82.65.204.254 +; NS +;ns1 IN CNAME vandamme +ns2 IN A 82.65.204.254 +ns3 IN A 51.195.40.128 + +; Mails @ 10800 IN MX 10 spool.mail.gandi.net. @ 10800 IN MX 50 fb.mail.gandi.net. @ 10800 IN TXT "v=spf1 include:_mailcust.gandi.net ?all" +_imap._tcp 10800 IN SRV 0 0 0 . +_imaps._tcp 10800 IN SRV 0 1 993 mail.gandi.net. +_pop3._tcp 10800 IN SRV 0 0 0 . +_pop3s._tcp 10800 IN SRV 10 1 995 mail.gandi.net. +_submission._tcp 10800 IN SRV 0 1 465 mail.gandi.net. -ns1 IN A 51.255.33.248 +gm1._domainkey 10800 IN CNAME gm1.gandimail.net. +gm2._domainkey 10800 IN CNAME gm2.gandimail.net. +gm3._domainkey 10800 IN CNAME gm3.gandimail.net. + +; Website classics +webmail 10800 IN CNAME webmail.gandi.net. +www 10800 IN CNAME jean-cloud.org. + +; Machines +vandamme IN A 51.255.33.248 + +nougaro IN A 172.104.154.21 +nougaro IN AAAA 2a01:7e01::f03c:92ff:fecf:e815 + +tetede IN A 51.195.40.128 +tetede IN AAAA 2001:41d0:701:1100::31f + +heart IN A 109.18.84.200 + +max IN A 82.65.204.254 +max IN AAAA 2a01:e0a:c9d:81d0:a2b3:ccff:fe85:af97 + +montbonnot IN A 188.114.97.2 +montbonnot IN A 188.114.96.2 +montbonnot IN AAAA 2a06:98c1:3120::2 +montbonnot IN AAAA 2a06:98c1:3121::2 diff --git a/provisioning/roles/jean-cloud-common/tasks/main.yml b/provisioning/roles/jean-cloud-common/tasks/main.yml index 53eef40..1d2bb20 100644 --- a/provisioning/roles/jean-cloud-common/tasks/main.yml +++ b/provisioning/roles/jean-cloud-common/tasks/main.yml 
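Review bot: The new `; Mails` block publishes Gandi DKIM selectors (`gm1._domainkey` to `gm3._domainkey`) but no `_dmarc` record, and the SPF TXT kept just above it ends in `?all`, so a receiver has no policy for mail that fails both checks and the DKIM records buy little. If Gandi is the only sender, adding `_dmarc 10800 IN TXT "v=DMARC1; p=quarantine; rua=mailto:<report-mailbox>"` (mailbox is a placeholder) and tightening SPF to `~all` or `-all` makes the setup enforceable. Also, `ns2`/`ns3` are added as A records while the zone's NS set names `max` and `tetede`; if ns2/ns3 are not delegated anywhere, a comment stating what still uses them would help, since the same names carry different addresses in db.jean-cloud.net.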
@@ -29,7 +29,7 @@ - name: Install some softwares apt: - name: ['bind9', 'certbot', 'dnsutils', 'git', 'gnupg2', 'htop', 'netcat-openbsd', 'nginx', 'rsync', 'screen', 'sshfs', 'vim', 'wget', 'zip'] + name: ['bind9', 'certbot', 'curl', 'dnsutils', 'git', 'gnupg2', 'htop', 'netcat-openbsd', 'nginx', 'rsync', 'screen', 'sshfs', 'traceroute', 'vim', 'wget', 'zip'] state: latest # TODO disable certbot and certbot.timer services. We are using our own diff --git a/services/jean-cloud.net/install.sh b/services/jean-cloud.net/install.sh new file mode 100644 index 0000000..bdcfef3 --- /dev/null +++ b/services/jean-cloud.net/install.sh @@ -0,0 +1,11 @@ +#!/bin/bash +set -euo pipefail + +start() { + podman pull docker.io/jeancloud/pelican-rclone-builder + podman run -i --rm --env-file "$DATA_DIR/.env" -v "$DATA_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder +} + +restart () { + start +} diff --git a/services/jean-cloud.net/nginx_server.conf b/services/jean-cloud.net/nginx_server.conf index 20ee80b..07fd9a5 100755 --- a/services/jean-cloud.net/nginx_server.conf +++ b/services/jean-cloud.net/nginx_server.conf @@ -4,7 +4,7 @@ server { ssl_certificate /etc/letsencrypt/live/jean-cloud.net/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/jean-cloud.net/privkey.pem; server_name jean-cloud.net www.jean-cloud.net jean-cloud.org www.jean-cloud.org; - root /data/jean-cloud.net/public; + root /data/jean-cloud.net/output; # Security headers # We can create a file with the base security headers and include it. diff --git a/services/lexicographe.jean-cloud.net/docker-compose.yml b/services/lexicographe.jean-cloud.net/docker-compose.yml new file mode 100755 index 0000000..d077323 --- /dev/null +++ b/services/lexicographe.jean-cloud.net/docker-compose.yml @@ -0,0 +1,2 @@ +version: '3' + diff --git a/services/lexicographe.jean-cloud.net/install.sh b/services/lexicographe.jean-cloud.net/install.sh new file mode 100755 index 0000000..93f6318 --- /dev/null 
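Review bot: `podman run … -v "$DATA_DIR:/usr/local/app"` bind-mounts the whole data directory read-write into the builder, so the `.env` already handed over via `--env-file` (and everything else under /data/jean-cloud.net) is writable by the image; the sibling services/lexicographe.jean-cloud.net/install.sh in this commit mounts only `$DATA_DIR/git`, and this script should likewise mount a subdirectory, e.g. `-v "$DATA_DIR/site:/usr/local/app"` with the nginx root changed to `/data/jean-cloud.net/site/output`. Both install scripts also `podman pull docker.io/jeancloud/pelican-rclone-builder` with no tag or digest, so each deploy runs whatever `latest` is at that moment; pinning a digest (`docker.io/jeancloud/pelican-rclone-builder@sha256:<digest>`, placeholder) makes the image that writes the served tree reproducible. `$DATA_DIR` is only set by deployer.sh and `set -u` aborts the script otherwise, which a comment `# DATA_DIR is exported by bin/deployer.sh` above start() would make explicit.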
+++ b/services/lexicographe.jean-cloud.net/install.sh @@ -0,0 +1,12 @@ +#!/bin/bash +set -euo pipefail + +start() { + mkdir -p "$DATA_DIR/git" + podman pull docker.io/jeancloud/pelican-rclone-builder + podman run -i --rm --env-file "$DATA_DIR/.env" -v "$DATA_DIR/git:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder +} + +restart () { + start +} diff --git a/services/lexicographe.jean-cloud.net/nginx_server.conf b/services/lexicographe.jean-cloud.net/nginx_server.conf new file mode 100755 index 0000000..be4da5b --- /dev/null +++ b/services/lexicographe.jean-cloud.net/nginx_server.conf 
@@ -0,0 +1,24 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate /etc/letsencrypt/live/lexicographe.jean-cloud.net/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/lexicographe.jean-cloud.net/privkey.pem; + server_name lexicographe.jean-cloud.net; + root /data/lexicographe.jean-cloud.net/git/output; + + # Security headers + # We can create a file with the base security headers and include it. + # Will it be possible to overload them then ? + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self' https://unpkg.jean-cloud.net; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self' https://unpkg.jean-cloud.net; base-uri 'self'; form-action 'self' 'https://mailer.jean-cloud.net';" always; + add_header X-Content-Type-Options "nosniff"; + add_header X-Frame-Options SAMEORIGIN always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "strict-origin-when-cross-origin"; + add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';sync-xhr='https://mailer.jean-cloud.net';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';"; + + location / { + index index.html; + try_files $uri $uri/ =404; + } +}
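Review bot: In the `Content-Security-Policy` line the form-action host is written as `'https://mailer.jean-cloud.net'`; CSP quotes only keywords, so browsers treat the quoted token as an unknown keyword and form-action collapses to `'self'`, blocking the very submissions the policy was meant to allow. It should be `form-action 'self' https://mailer.jean-cloud.net;`. The `Permissions-Policy` value uses `feature='none'` tokens, which is neither Feature-Policy (`feature 'none'`) nor Permissions-Policy structured-field syntax (`feature=()`), so the header will most likely be discarded as unparseable; it should read along the lines of `geolocation=(), camera=(), microphone=(), magnetometer=(), gyroscope=(), payment=(), sync-xhr=("https://mailer.jean-cloud.net"), fullscreen=(self)`, dropping `push`, `vibrate`, `notifications` and `speaker`, which are not defined features. Finally `X-Frame-Options SAMEORIGIN` contradicts `frame-ancestors 'none'`; current browsers let CSP win, but `DENY` keeps the two consistent for readers.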