diff --git a/provisioning/playbook.yml b/provisioning/playbook.yml index c952c3d..5c5eb22 100755 --- a/provisioning/playbook.yml +++ b/provisioning/playbook.yml @@ -92,9 +92,3 @@ ##- deploy_all -- name: shlago - hosts: shlago - become: yes - gather_facts: no - roles: - - ordiportables diff --git a/provisioning/roles/deploy_all/files/bin/deploy_service.sh b/provisioning/roles/deploy_all/files/bin/deploy_service.sh index 4bc0e29..69a29da 100755 --- a/provisioning/roles/deploy_all/files/bin/deploy_service.sh +++ b/provisioning/roles/deploy_all/files/bin/deploy_service.sh @@ -17,7 +17,7 @@ fi if [ -d "/docker/$1" ] ; then service="$1" -elif [ -d "$1" ] && [[ "$service" = /docker/* ]] ; then +elif [ -d "$1" ] && [[ "$1" = /docker/* ]] ; then service="$(basename "$1")" else die "/docker/$service not found" @@ -30,9 +30,13 @@ fi docker_service="$(echo "$service" | tr '.' '_')" driglibash_section_prefix="[$service] " +section "---------- Start -------------" cd "/docker/$service" -[ -f .env ] && . .env + + +# Source and export env file +[ -f .env ] && set -a && . .env && set +a ############################################################################### @@ -54,7 +58,7 @@ fi if "$deploy" ; then [ -x deploy.sh ] && ./deploy.sh - [ -x deploy_http.sh ] && sudo -u www-data ./deploy_http.sh + [ -x deploy_http.sh ] && sudo -u www-data bash -c ". '$DOCKER_DIR/.env' && . ./deploy_http.sh" else [ -x undeploy.sh ] && ./undeploy.sh fi @@ -66,7 +70,6 @@ fi # If there is a docker-compose file and it has services in it if [ -f "/docker/$service/docker-compose.yml" ] && [ -n "$(grep '^[^#]*services' "/docker/$service/docker-compose.yml")" ] ; then - section "-------------------- $service" if $deploy ; then section "Logging to registry" # XXX Login to docker registry 
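Review bot: With the condition now testing `$1`, the `die` in the else branch of the same if-chain still prints `$service`, which is never assigned on that path, so the message comes out as `/docker/ not found`; `die "$1 is not a service directory"` would name the offending argument. That line is context here rather than part of the change, but the fix makes the mismatch visible.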
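Review bot: The new `sudo -u www-data bash -c ". '$DOCKER_DIR/.env' && . ./deploy_http.sh"` builds a shell command string from `$DOCKER_DIR`, so a path containing a single quote breaks out of the quoting, and it quietly requires `/docker/$service/.env` (the file this script exports with `set -a` in the hunk at `@@ -30`, presumably carrying the service secrets) to be readable by www-data. Passing the path as an argument avoids the string construction: `[ -x deploy_http.sh ] && sudo -u www-data bash -c '. "$1/.env" && . ./deploy_http.sh' _ "$DOCKER_DIR"`. If the re-sourcing exists only because sudo resets the environment, exporting just the variables deploy_http.sh needs (e.g. `sudo --preserve-env=HTTP_DIR,DATA_DIR,DOCKER_DIR,JC_SERVICE`, sudoers permitting) keeps the rest of .env out of the www-data process. A comment stating why the file is sourced twice would help either way.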
diff --git a/provisioning/roles/deploy_all/files/bin/deployer.sh b/provisioning/roles/deploy_all/files/bin/deployall.sh
similarity index 76%
rename from provisioning/roles/deploy_all/files/bin/deployer.sh
rename to provisioning/roles/deploy_all/files/bin/deployall.sh
index d2577ab..305d8f0 100755
--- a/provisioning/roles/deploy_all/files/bin/deployer.sh
+++ b/provisioning/roles/deploy_all/files/bin/deployall.sh
@@ -4,7 +4,8 @@ driglibash_run_retry=true
 . driglibash-base
 set -euo pipefail
-run gen_env.sh
+# Already done at upload time ?
+#run gen_env.sh
 ###############################################################################
 # Variables
@@ -24,11 +25,12 @@ export dummy_cert_path="$certs_path/dummy"
 # Path to this directory
 here="$(where 'follow_links')"
-# Ip4 address
-#my_ip="$(resolv.sh "$(cat /etc/hostname)")"
-my_ip="$(curl -4 ifconfig.me 2>/dev/null)"
-[ -z "$my_ip" ] && yell "Unable to find my IP" && exit 1
+###############################################################################
+# Test system requirements
+###############################################################################
+
+[ ! -f /data/mounted ] && die "/data is not mounted"
 ###############################################################################
 # Nginx preparation
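Review bot: Commenting out `run gen_env.sh` with `# Already done at upload time ?` leaves the next reader unsure whether the `.env` files this script and deploy_service.sh depend on are still generated. The tasks/main.yml hunk further down keeps `command: gen_env.sh` as a context line, so if that is the intended producer, say so: `# .env files are generated by the deploy_all role (tasks/main.yml) before this script runs` — and then delete the dead line rather than keeping it commented.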
@@ -63,21 +65,32 @@ run mkdir -p "$new_nginx_conf_path"
 # Deploy services
 ###############################################################################
+if [ -f "/data/unmounted" ] || [ ! -f "/data/mounted" ] ; then
+ die "Error: /data is not mounted."
+fi
+
 section "Start docker"
 run systemctl start docker docker.socket
 section "Deploy mandatory services"
 deploy_service.sh deployer.jean-cloud.org noreload
-for dir in /docker/* ; do
- service="$(basename "$dir")"
+while read line ; do
+ read -r service target <<<$(echo "$line")
+
 # Ignore _ prefixed directories
 [ "${service::1}" == '_' ] && continue
- [ ! -d "$dir" ] && continue
- [[ "$(resolv.sh $service)" != *$my_ip* ]] && continue
+
+ echo -n "$service -> "
+ [ ! -d "/docker/$service" ] && die "/docker/$service directory not found"
+
+ # Check if service target is localhost
+ [[ "$(getent hosts $target)" != "::1 "* ]] && echo 'Not here' && continue
+
+ echo "Deploying"
 deploy_service.sh "$service" "noreload"
-done
+done < /docker/services.txt
 restart_nginx.sh
diff --git a/provisioning/roles/deploy_all/files/bin/extract_domain_nginx_conf.sh b/provisioning/roles/deploy_all/files/bin/extract_domain_nginx_conf.sh
new file mode 100755
index 0000000..c902c7e
--- /dev/null
+++ b/provisioning/roles/deploy_all/files/bin/extract_domain_nginx_conf.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+. driglibash-base
+
+if [ "$#" -lt 1 ] ; then
+ die "Usage: $0 "
+fi
+
+file="$1"
+
+grep '^[[:blank:]]*[^#][[:blank:]]*server_name' "$file" | sed 's/ _ / /g' | sed 's/server_name//g' | sed 's/default_server//g' | sed -e 's/^[[:space:]]*//' -e 's/;$//' | sort -u
diff --git a/provisioning/roles/deploy_all/files/bin/gen_env.sh b/provisioning/roles/deploy_all/files/bin/gen_env.sh
index 24c4db2..e0f75a3 100755
--- a/provisioning/roles/deploy_all/files/bin/gen_env.sh
+++ b/provisioning/roles/deploy_all/files/bin/gen_env.sh
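Review bot: `deploy_service.sh "$service" "noreload"` inside the `while … done < /docker/services.txt` loop inherits the loop's stdin, so anything it or a child (docker, sudo) reads from stdin consumes the rest of the service list and the loop ends early; run it as `deploy_service.sh "$service" "noreload" </dev/null`. The two reads can be one `while read -r service target ; do` — the outer `read` has no `-r` so backslashes are mangled, and the unquoted `<<<$(echo "$line")` re-splits and re-globs the line. `$target` is also unquoted in `getent hosts $target`, and the `"::1 "*` test only passes when `::1` is the first line getent returns, which depends on resolver and /etc/hosts ordering rather than on the name actually being local — quoting the variable and matching any line of the output (`grep -qx '::1 .*'`-style, or iterating the lines) would be more robust. The `/data/mounted` check at the top of this hunk duplicates the one added at line 25 of the same file.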
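Review bot: The usage message `die "Usage: $0 "` ends right after `$0`, which reads as if a `<file>` placeholder was lost (possibly in rendering); worth confirming the committed file names the argument. A missing or unreadable `$file` currently surfaces only as a grep error rather than a `die`, so `[ -r "$file" ] || die "cannot read $file"` before the pipeline would give the caller a clear message. Style: the four sed stages could be a single `sed -E` invocation.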
@@ -9,7 +9,6 @@ certs_path=/etc/letsencrypt/live proxy_dir=/etc/nginx cat > "$JC_ENV" <&2 -} - -function die { - yell "$@" - exit 1 -} - -function say { - if "$verbose" ; then - yell "$@" - fi -} - -function resolv () { - if [ "$#" -ne 1 ] ; then - die "usage: $0 " - fi - name="$1" - say "Querying $name" - while read line ; do - if [[ "$line" = *"is an alias for "* ]] ; then - resolv "$(echo "$line" | cut -d ' ' -f 6)" - elif [[ "$line" = *" has address "* ]] ; then - echo "$line" | cut -d ' ' -f 4 - elif [[ "$line" = *" not found: "* ]] ; then - continue - elif [[ "$line" = *" has no A record" ]] ; then - continue - else - say "unmatched: $line" - fi - done <<< "$(host -W 2 -t A "$name" localhost)" -} - -########################### Options ########################################### - -verbose=false -if [ "$#" -gt 1 ] && [ "$1" = '-v' ] ; then - verbose=true - shift -fi - -########################### arguments ########################################## - -if [ "$#" -ne 1 ] ; then - die "Usage: $0 [options] - options : -v verbose" -fi - -########################### script ############################################ - -resolv "$1" diff --git a/provisioning/roles/deploy_all/files/bin/shutdownscreen.sh b/provisioning/roles/deploy_all/files/bin/shutdownscreen.sh new file mode 100644 index 0000000..ae1c630 --- /dev/null +++ b/provisioning/roles/deploy_all/files/bin/shutdownscreen.sh @@ -0,0 +1,2 @@ +#!/bin/bash +echo 0 > /sys/class/backlight/*/brightness diff --git a/provisioning/roles/deploy_all/files/bind/db.amaglio.fr b/provisioning/roles/deploy_all/files/bind/db.amaglio.fr deleted file mode 100644 index eedb24f..0000000 --- a/provisioning/roles/deploy_all/files/bind/db.amaglio.fr +++ /dev/null 
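Review bot: `echo 0 > /sys/class/backlight/*/brightness` uses a glob as a redirection target, which bash rejects as an ambiguous redirect as soon as more than one backlight device exists, and which a POSIX `sh` would not expand at all; `for b in /sys/class/backlight/*/brightness; do echo 0 > "$b"; done` handles both cases. The file is also added with mode 100644 while the sibling scripts in bin/ are 100755, so it cannot be executed directly.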
@@ -1,22 +0,0 @@ -$TTL 604800 -@ IN SOA ns1.jean-cloud.net. contact.dahus.net. ( - 2023041900 ; Serial - 604800 ; Refresh - 86400 ; Retry - 2419200 ; Expire - 7200 ) ; Negative Cache TTL (min before refresh) - -@ IN NS ns1.jean-cloud.net. -@ IN NS ns2.he.net. -@ IN NS ns3.he.net. -@ IN NS ns4.he.net. -@ IN NS ns5.he.net. -@ IN A 51.255.33.248 - -@ IN MX 10 mail.amaglio.fr. - -mail IN A 91.216.107.37 -imap IN CNAME mail.amaglio.fr. -pop IN CNAME mail.amaglio.fr. -smtp IN CNAME mail.amaglio.fr. - diff --git a/provisioning/roles/deploy_all/files/bind/db.collectif-arthadie.fr b/provisioning/roles/deploy_all/files/bind/db.collectif-arthadie.fr deleted file mode 100644 index ebb5877..0000000 --- a/provisioning/roles/deploy_all/files/bind/db.collectif-arthadie.fr +++ /dev/null @@ -1,30 +0,0 @@ -$TTL 604800 -@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. ( - 2020031104 ; Serial - 7200 ; Refresh - 7200 ; Retry - 2419200 ; Expire - 7200 ) ; Negative Cache TTL - -; NS -@ IN NS ns1.jean-cloud.net. -@ IN NS ns2.he.net. -@ IN NS ns3.he.net. -@ IN NS ns4.he.net. -@ IN NS ns5.he.net. - -@ IN A 51.255.33.248 - -@ 10800 IN MX 10 spool.mail.gandi.net. -@ 10800 IN MX 50 fb.mail.gandi.net. -@ 10800 IN TXT "v=spf1 include:_mailcust.gandi.net ?all" - -collectif-arthadie.fr. IN CAA 0 issue "letsencrypt.org" -collectif-arthadie.fr. IN CAA 0 issuewild ";" - -wordpress IN CNAME vandamme.jean-cloud.net. -www.wordpress IN CNAME vandamme.jean-cloud.net. -www IN CNAME vandamme.jean-cloud.net. - -www.wordpress.collectif-arthadie.fr IN CAA 0 issue "letsencrypt.org" -www.wordpress.collectif-arthadie.fr IN CAA 0 issuewild ";" diff --git a/provisioning/roles/deploy_all/files/bind/db.compagnienouvelle.fr b/provisioning/roles/deploy_all/files/bind/db.compagnienouvelle.fr deleted file mode 100644 index 1462ebf..0000000 --- a/provisioning/roles/deploy_all/files/bind/db.compagnienouvelle.fr +++ /dev/null 
@@ -1,16 +0,0 @@ -$TTL 604800 -@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. ( - 2023042100 ; Serial - 604800 ; Refresh - 86400 ; Retry - 2419200 ; Expire - 7200 ) ; Negative Cache TTL (min before refresh) - -@ IN NS ns1.jean-cloud.net. -@ IN NS ns2.he.net. -@ IN NS ns3.he.net. -@ IN NS ns4.he.net. -@ IN NS ns5.he.net. - -@ IN A 172.104.154.21 -@ IN AAAA 2a01:7e01::f03c:92ff:fecf:e815 diff --git a/provisioning/roles/deploy_all/files/bind/db.etrevivant.net b/provisioning/roles/deploy_all/files/bind/db.etrevivant.net deleted file mode 100644 index c991d10..0000000 --- a/provisioning/roles/deploy_all/files/bind/db.etrevivant.net +++ /dev/null @@ -1,30 +0,0 @@ -$TTL 604800 -@ IN SOA tetede.jean-cloud.org. contact.jean-cloud.org. ( - 2023082700 ; Serial - 7200 ; Refresh - 7200 ; Retry - 2419200 ; Expire - 7200 ) ; Negative Cache TTL - -; NS -@ IN NS max.jean-cloud.org. -@ IN NS tetede.jean-cloud.org. - - -; Mail config -@ 86400 IN MX 10 mail.etrevivant.net. -mail 21600 IN A 83.229.19.99 -imap 86400 IN CNAME mail.etrevivant.net. -pop 86400 IN CNAME mail.etrevivant.net. -smtp 86400 IN CNAME mail.etrevivant.net. -@ 86400 IN TXT v=spf1 mx:etrevivant.net a:mail.etrevivant.net a:mailphp.lws-hosting.com -all -dkim._domainkey 86400 IN TXT v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8C8Xh049AFp+LuKVCUlwahtRFxO85rrJ0dE0idCfNAsI5Nlobf02gik8jesZ04clvZ0lxaM+L8IU50AKVHeFva83Y7LVJdeaXk14fO3gwQ1r/asNhzvg++88bfhSaLKD5M4Eid13mBrpsV3gP/MeGIzsty0AMUUNpDwe0otnv3wIDAQAB -_dmarc 86400 IN TXT v=DMARC1; p=quarantine; - - -; web -@ IN A 51.195.40.128 -@ IN A 109.18.84.200 - -www IN A 51.195.40.128 -www IN A 109.18.84.200 diff --git a/provisioning/roles/deploy_all/files/bind/db.gypsylyonfestival.com b/provisioning/roles/deploy_all/files/bind/db.gypsylyonfestival.com deleted file mode 100644 index a7c86a2..0000000 --- a/provisioning/roles/deploy_all/files/bind/db.gypsylyonfestival.com +++ /dev/null 
@@ -1,30 +0,0 @@ -$TTL 604800 -@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. ( - 2023020400 ; Serial - 7200 ; Refresh - 7200 ; Retry - 2419200 ; Expire - 7200 ) ; Negative Cache TTL - -; NS -@ IN NS ns1.jean-cloud.net. -@ IN NS ns2.jean-cloud.net. -@ IN NS ns1.he.net. -@ IN NS ns2.he.net. -@ IN NS ns3.he.net. -@ IN NS ns4.he.net. -@ IN NS ns5.he.net. - -@ IN A 51.195.40.128 -@ IN AAAA 2001:41d0:701:1100::31f - - - -; Resolving nameserver -ns1 IN A 51.255.33.248 -ns2 IN A 172.104.154.21 - -tetede IN A 51.255.33.248 -tetede IN AAAA 2001:41d0:701:1100::31f - - diff --git a/provisioning/roles/deploy_all/files/bind/db.hid b/provisioning/roles/deploy_all/files/bind/db.hid deleted file mode 100644 index ae7cbf8..0000000 --- a/provisioning/roles/deploy_all/files/bind/db.hid +++ /dev/null @@ -1,19 +0,0 @@ -$TTL 604800 -@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. ( - 2023040300 ; Serial - 7200 ; Refresh - 7200 ; Retry - 2419200 ; Expire - 7200 ) ; Negative Cache TTL - -; NS -@ IN NS ns1.jean-cloud.net. -@ IN NS ns2.jean-cloud.net. - - -; Resolving nameserver -ns1 IN A 51.255.33.248 -ns2 IN A 172.104.154.21 - -radiodemo IN CNAME montbonnot.jean-cloud.net - diff --git a/provisioning/roles/deploy_all/files/bind/db.inurbe.fr b/provisioning/roles/deploy_all/files/bind/db.inurbe.fr deleted file mode 100644 index 35317e7..0000000 --- a/provisioning/roles/deploy_all/files/bind/db.inurbe.fr +++ /dev/null @@ -1,15 +0,0 @@ -$TTL 604800 -@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. ( - 2023042100 ; Serial - 604800 ; Refresh - 86400 ; Retry - 2419200 ; Expire - 7200 ) ; Negative Cache TTL (min before refresh) - -@ IN NS ns1.jean-cloud.net. -@ IN NS ns2.he.net. -@ IN NS ns3.he.net. -@ IN NS ns4.he.net. -@ IN NS ns5.he.net. - -@ IN A 51.255.33.248 diff --git a/provisioning/roles/deploy_all/files/bind/db.jean-cloud.net b/provisioning/roles/deploy_all/files/bind/db.jean-cloud.net deleted file mode 100644 index 29cbd4a..0000000 
--- a/provisioning/roles/deploy_all/files/bind/db.jean-cloud.net +++ /dev/null 
@@ -1,146 +0,0 @@ -$TTL 604800 -@ IN SOA tetede.jean-cloud.org. contact.jean-cloud.org. ( - 2023082700 ; Serial - 7200 ; Refresh - 7200 ; Retry - 2419200 ; Expire - 7200 ) ; Negative Cache TTL - -; NS -;@ IN NS max.jean-cloud.org. -@ IN NS tetede.jean-cloud.org. -@ IN NS ns1.he.net. -@ IN NS ns2.he.net. -@ IN NS ns3.he.net. -@ IN NS ns4.he.net. -@ IN NS ns5.he.net. - -@ IN A 51.255.33.248 -@ IN A 109.18.84.200 - - -@ 10800 IN MX 10 spool.mail.gandi.net. -@ 10800 IN MX 50 fb.mail.gandi.net. -@ 10800 IN TXT "v=spf1 include:_mailcust.gandi.net ?all" - - -; Resolving nameserver -ns2 IN A 51.255.33.248 -;ns1 IN A 82.65.204.254 - -;mail IN CNAME vandamme -webmail IN CNAME vandamme -vimbadmin IN CNAME vandamme - -www IN CNAME jean-cloud.org. - -; Naming nodes -vandamme IN A 51.255.33.248 - -local-adrian IN A 193.33.56.94 - -francois IN A 54.38.189.153 - -nougaro IN A 172.104.154.21 -nougaro IN AAAA 2a01:7e01::f03c:92ff:fecf:e815 - -tetede IN AAAA 2001:41d0:701:1100::31f -tetede IN A 51.195.40.128 - -heart IN A 109.18.84.200 - -;max IN A 82.65.204.254 -;max IN AAAA 2a01:e0a:c9d:81d0:a2b3:ccff:fe85:af97 - -montbonnot IN A 188.114.97.2 -montbonnot IN A 188.114.96.2 -montbonnot IN AAAA 2a06:98c1:3120::2 -montbonnot IN AAAA 2a06:98c1:3121::2 - - -; services - -nuage IN CNAME vandamme.jean-cloud.org. -www.nuage IN CNAME vandamme.jean-cloud.org. -calc.nuage IN CNAME vandamme.jean-cloud.org. -pad.nuage IN CNAME vandamme.jean-cloud.org. - -feteducourt IN CNAME vandamme.jean-cloud.org. -www.feteducourt IN CNAME vandamme.jean-cloud.org. -feteducourt2020 IN CNAME vandamme.jean-cloud.org. -www.feteducourt2020 IN CNAME vandamme.jean-cloud.org. - -git IN CNAME vandamme.jean-cloud.org. -www.git IN CNAME vandamme.jean-cloud.org. - -wiki-cgr IN CNAME vandamme.jean-cloud.org. -www.wiki-cgr IN CNAME vandamme.jean-cloud.org. -parsoid-wiki-cgr IN CNAME vandamme.jean-cloud.org. -www.parsoid-wiki-cgr IN CNAME vandamme.jean-cloud.org. - -cousinades IN CNAME vandamme.jean-cloud.org. 
-www.cousinades IN CNAME vandamme.jean-cloud.org. - -cousinadesi2 IN CNAME vandamme.jean-cloud.org. -www.cousinades2 IN CNAME vandamme.jean-cloud.org. - -velov IN CNAME vandamme.jean-cloud.org. -www.velov IN CNAME vandamme.jean-cloud.org. - -registry IN CNAME vandamme.jean-cloud.org. -www.registry IN CNAME vandamme.jean-cloud.org. - -inurbe IN CNAME vandamme.jean-cloud.org. -www.inurbe IN CNAME vandamme.jean-cloud.org. - -gmx-webmail IN CNAME vandamme.jean-cloud.org. -www.gmx-webmail IN CNAME vandamme.jean-cloud.org. - -rpnow IN CNAME vandamme.jean-cloud.org. -www.rpnow IN CNAME vandamme.jean-cloud.org. -test.rpnow IN CNAME vandamme.jean-cloud.org. -www.test.rpnow IN CNAME vandamme.jean-cloud.org. - -lalis IN CNAME vandamme.jean-cloud.org. -www.lalis IN CNAME vandamme.jean-cloud.org. - -metamorphose IN CNAME vandamme.jean-cloud.org. -www.metamorphose IN CNAME vandamme.jean-cloud.org. - -static IN CNAME vandamme.jean-cloud.org. -www.static IN CNAME vandamme.jean-cloud.org. - -;educloud IN CNAME tetede.jean-cloud.org. -;www.educloud IN CNAME tetede.jean-cloud.org. -;educloud2 IN CNAME tetede.jean-cloud.org. -;www.educloud2 IN CNAME tetede.jean-cloud.org. - -copaines IN CNAME tetede.jean-cloud.org. -www.copaines IN CNAME tetede.jean-cloud.org. -wordpress.copaines IN CNAME tetede.jean-cloud.org. -www.wordpress.copaines IN CNAME tetede.jean-cloud.org. - -feministesucl34 IN CNAME tetede.jean-cloud.org. -www.feministesucl34 IN CNAME tetede.jean-cloud.org. -wordpress.feministesucl34 IN CNAME tetede.jean-cloud.org. -www.wordpress.feministesucl34 IN CNAME tetede.jean-cloud.org. - -tracker IN CNAME tetede.jean-cloud.org. - -raplacgr IN CNAME tetede.jean-cloud.org. - -nc-backup IN CNAME blatte.jean-cloud.org. - -gypsy IN CNAME tetede.jean-cloud.org. - -shlago.wireguard.jean-cloud.net IN CNAME tetede.jean-cloud.org. - -lexicographe IN CNAME tetede.jean-cloud.org. - -chahut IN CNAME max.jean-cloud.org. -www.chahut IN CNAME max.jean-cloud.org. 
-wordpress.chahut IN CNAME max.jean-cloud.org. -www.wordpress.chahut IN CNAME max.jean-cloud.org. -grapes.chahut IN CNAME max.jean-cloud.org. - -louixel IN CNAME raku.jean-cloud.org. diff --git a/provisioning/roles/deploy_all/files/bind/db.jean-cloud.org b/provisioning/roles/deploy_all/files/bind/db.jean-cloud.org deleted file mode 100644 index fe5a744..0000000 --- a/provisioning/roles/deploy_all/files/bind/db.jean-cloud.org +++ /dev/null @@ -1,61 +0,0 @@ -$TTL 604800 -@ IN SOA tetede.jean-cloud.org. contact.jean-cloud.org. ( - 2023082700 ; Serial - 604800 ; Refresh - 86400 ; Retry - 2419200 ; Expire - 604800 ) ; Negative Cache TTL - -@ IN NS max -@ IN NS tetede - -@ IN A 109.18.84.200 -@ IN A 51.255.33.248 - -; NS -;ns1 IN CNAME vandamme -;ns2 IN A 82.65.204.254 -ns3 IN A 51.195.40.128 - -; Mails -@ 10800 IN MX 10 spool.mail.gandi.net. -@ 10800 IN MX 50 fb.mail.gandi.net. -@ 10800 IN TXT "v=spf1 include:_mailcust.gandi.net ?all" -_imap._tcp 10800 IN SRV 0 0 0 . -_imaps._tcp 10800 IN SRV 0 1 993 mail.gandi.net. -_pop3._tcp 10800 IN SRV 0 0 0 . -_pop3s._tcp 10800 IN SRV 10 1 995 mail.gandi.net. -_submission._tcp 10800 IN SRV 0 1 465 mail.gandi.net. - -gm1._domainkey 10800 IN CNAME gm1.gandimail.net. -gm2._domainkey 10800 IN CNAME gm2.gandimail.net. -gm3._domainkey 10800 IN CNAME gm3.gandimail.net. - -; Website classics -webmail 10800 IN CNAME webmail.gandi.net. -www 10800 IN CNAME jean-cloud.net. - -; Machines -vandamme IN A 51.255.33.248 - -nougaro IN A 172.104.154.21 -nougaro IN AAAA 2a01:7e01::f03c:92ff:fecf:e815 - -tetede IN A 51.195.40.128 -tetede IN AAAA 2001:41d0:701:1100::31f - -heart IN A 109.18.84.200 - -max IN A 109.18.84.200 -;max IN AAAA 2a01:e0a:c9d:81d0:a2b3:ccff:fe85:af97 - -montbonnot IN A 188.114.97.2 -montbonnot IN A 188.114.96.2 -montbonnot IN AAAA 2a06:98c1:3120::2 -montbonnot IN AAAA 2a06:98c1:3121::2 - -blatte IN A 10.98.1.2 - - -;raku IN A 37.65.25.194 -raku IN AAAA 2a02:842a:39a:4d01:b283:feff:fe4c:5dee 
diff --git a/provisioning/roles/deploy_all/files/bind/db.karnaval.fr b/provisioning/roles/deploy_all/files/bind/db.karnaval.fr deleted file mode 100644 index 4bab8d0..0000000 --- a/provisioning/roles/deploy_all/files/bind/db.karnaval.fr +++ /dev/null @@ -1,28 +0,0 @@ -$TTL 604800 -@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. ( - 2023060100 ; Serial - 7200 ; Refresh - 7200 ; Retry - 2419200 ; Expire - 7200 ) ; Negative Cache TTL - -; NS -@ IN NS ns1.jean-cloud.net. -@ IN NS ns2.jean-cloud.net. -@ IN NS ns1.he.net. -@ IN NS ns2.he.net. -@ IN NS ns3.he.net. -@ IN NS ns4.he.net. -@ IN NS ns5.he.net. - -@ IN A 213.186.33.40 -;@ IN AAAA 2001:41d0:701:1100::31f - - -; Resolving nameserver -ns1 IN A 51.255.33.248 -ns2 IN A 172.104.154.21 - -;benevoles IN CNAME max.jean-cloud.org. -;benevoles31 IN CNAME max.jean-cloud.org. - diff --git a/provisioning/roles/deploy_all/files/bind/db.leida.fr b/provisioning/roles/deploy_all/files/bind/db.leida.fr deleted file mode 100644 index 35317e7..0000000 --- a/provisioning/roles/deploy_all/files/bind/db.leida.fr +++ /dev/null @@ -1,15 +0,0 @@ -$TTL 604800 -@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. ( - 2023042100 ; Serial - 604800 ; Refresh - 86400 ; Retry - 2419200 ; Expire - 7200 ) ; Negative Cache TTL (min before refresh) - -@ IN NS ns1.jean-cloud.net. -@ IN NS ns2.he.net. -@ IN NS ns3.he.net. -@ IN NS ns4.he.net. -@ IN NS ns5.he.net. - -@ IN A 51.255.33.248 diff --git a/provisioning/roles/deploy_all/files/bind/db.metamorphosemagazine.fr b/provisioning/roles/deploy_all/files/bind/db.metamorphosemagazine.fr deleted file mode 100644 index 35317e7..0000000 --- a/provisioning/roles/deploy_all/files/bind/db.metamorphosemagazine.fr +++ /dev/null 
@@ -1,15 +0,0 @@ -$TTL 604800 -@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. ( - 2023042100 ; Serial - 604800 ; Refresh - 86400 ; Retry - 2419200 ; Expire - 7200 ) ; Negative Cache TTL (min before refresh) - -@ IN NS ns1.jean-cloud.net. -@ IN NS ns2.he.net. -@ IN NS ns3.he.net. -@ IN NS ns4.he.net. -@ IN NS ns5.he.net. - -@ IN A 51.255.33.248 diff --git a/provisioning/roles/deploy_all/files/bind/db.oma-radio.fr b/provisioning/roles/deploy_all/files/bind/db.oma-radio.fr deleted file mode 100644 index 205422d..0000000 --- a/provisioning/roles/deploy_all/files/bind/db.oma-radio.fr +++ /dev/null 
@@ -1,63 +0,0 @@ -$TTL 604800 -@ IN SOA tetede.jean-cloud.org. contact.jean-cloud.org. ( - 2023082700 ; Serial - 604800 ; Refresh - 7200 ; Retry - 2419200 ; Expire - 604800 ) ; Negative Cache TTL - -; NS - -;@ IN NS max.jean-cloud.org. -@ IN NS tetede.jean-cloud.org. - - -; MAIL - -@ IN MX 1 mx0.mail.ovh.net. -@ IN MX 5 mx1.mail.ovh.net. -@ IN MX 50 mx2.mail.ovh.net. -@ IN MX 100 mx3.mail.ovh.net. -@ IN MX 200 mx4.mail.ovh.net. -@ IN TXT "v=spf1 include:mx.ovh.com ~all" - -_autodiscover._tcp IN SRV 0 0 443 mailconfig.ovh.net. -_imaps._tcp IN SRV 0 0 993 ssl0.ovh.net. -_submission._tcp IN SRV 0 0 465 ssl0.ovh.net. - -; web -@ IN A 51.255.33.248 -www IN CNAME vandamme.jean-cloud.org. - -registry IN CNAME montbonnot.jean-cloud.org. - -radionimaitre IN CNAME tetede.jean-cloud.org. -www.radionimaitre IN CNAME tetede.jean-cloud.org. -paj IN CNAME nougaro.jean-cloud.org. -www.paj IN CNAME nougaro.jean-cloud.org. -radiodemo IN CNAME tetede.jean-cloud.org. -radiodemo-back IN CNAME montbonnot.jean-cloud.org. - - - -;autoconfig IN SRV mailconfig.ovh.net. -imap IN CNAME ssl0.ovh.net. -smtp IN CNAME ssl0.ovh.net. -mail IN CNAME ssl0.ovh.net. -pop3 IN CNAME ssl0.ovh.net. - -stream.paj._ports IN TXT 9002 -control.paj._ports IN TXT 9492 - -pa1.studios IN CNAME tetede.jean-cloud.org. -montpellier1.studios IN CNAME tetede.jean-cloud.org. - -npm IN CNAME vandamme.jean-cloud.org. -www.npm IN CNAME vandamme.jean-cloud.org. - -static IN CNAME vandamme.jean-cloud.org. -www.static IN CNAME vandamme.jean-cloud.org. - -discordbot IN CNAME vandamme.jean-cloud.org. -www.discordbot IN CNAME vandamme.jean-cloud.org. - diff --git a/provisioning/roles/deploy_all/files/bind/named.conf.local b/provisioning/roles/deploy_all/files/bind/named.conf.local deleted file mode 100644 index 0e21805..0000000 --- a/provisioning/roles/deploy_all/files/bind/named.conf.local +++ /dev/null 
@@ -1,76 +0,0 @@ -// -// Do any local configuration here -// - -// Consider adding the 1918 zones here, if they are not used in your -// organization -//include "/etc/bind/zones.rfc1918"; - - - -zone "oma-radio.fr"{ - allow-update { none; }; # We are primary DNS - type master; - file "/etc/bind/db.oma-radio.fr"; -}; -zone "jean-cloud.net"{ - allow-update { none; }; # We are primary DNS - type master; - file "/etc/bind/db.jean-cloud.net"; -}; -zone "jean-cloud.org"{ - allow-update { none; }; # We are primary DNS - type master; - file "/etc/bind/db.jean-cloud.org"; -}; -zone "karnaval.fr"{ - allow-update { none; }; # We are primary DNS - type master; - file "/etc/bind/db.karnaval.fr"; -}; -zone "amaglio.fr"{ - allow-update { none; }; # We are primary DNS - type master; - file "/etc/bind/db.amaglio.fr"; -}; -zone "collectif-arthadie.fr"{ - allow-update { none; }; # We are primary DNS - type master; - file "/etc/bind/db.collectif-arthadie.fr"; -}; -zone "gypsylyonfestival.com"{ - allow-update { none; }; # We are primary DNS - type master; - file "/etc/bind/db.gypsylyonfestival.com"; -}; -zone "hid"{ - allow-update { none; }; # We are primary DNS - type master; - file "/etc/bind/db.hid"; -}; -zone "compagnienouvelle.fr"{ - allow-update { none; }; # We are primary DNS - type master; - file "/etc/bind/db.compagnienouvelle.fr"; -}; -zone "inurbe.fr"{ - allow-update { none; }; # We are primary DNS - type master; - file "/etc/bind/db.inurbe.fr"; -}; -zone "leida.fr"{ - allow-update { none; }; # We are primary DNS - type master; - file "/etc/bind/db.leida.fr"; -}; -zone "metamorphosemagazine.fr"{ - allow-update { none; }; # We are primary DNS - type master; - file "/etc/bind/db.metamorphosemagazine.fr"; -}; -zone "etrevivant.net"{ - allow-update { none; }; # We are primary DNS - type master; - file "/etc/bind/db.etrevivant.net"; -}; - 
diff --git a/provisioning/roles/deploy_all/files/bind/named.conf.options b/provisioning/roles/deploy_all/files/bind/named.conf.options deleted file mode 100644 index 19db25e..0000000 --- a/provisioning/roles/deploy_all/files/bind/named.conf.options +++ /dev/null @@ -1,18 +0,0 @@ -options { - directory "/var/cache/bind"; - dnssec-validation auto; - - auth-nxdomain no; # conform to RFC1035 - listen-on { any; }; - listen-on-v6 { any; }; - allow-update { none; }; - allow-recursion { none; }; - allow-recursion-on { none; }; - recursion no; - notify yes; - allow-transfer { - none; - #216.218.133.2; 2001:470:600::2; //he.net - #172.104.154.21; 2a01:7e01::f03c:92ff:fecf:e815; // nougaro - }; -}; diff --git a/provisioning/roles/deploy_all/tasks/main.yml b/provisioning/roles/deploy_all/tasks/main.yml index 33911b6..3cf6a9c 100644 --- a/provisioning/roles/deploy_all/tasks/main.yml +++ b/provisioning/roles/deploy_all/tasks/main.yml @@ -18,19 +18,19 @@ command: gen_env.sh -- name: Add bind conf - ansible.posix.synchronize: - src: "{{ role_path }}/files/bind/" - dest: "/etc/bind/" - -- name: make sure bind9 is started - ansible.builtin.service: - name: bind9 - state: started -- name: Reload service bind9, in all cases - ansible.builtin.service: - name: bind9 - state: reloaded + #- name: Add bind conf + # ansible.posix.synchronize: + # src: "{{ role_path }}/files/bind/" + # dest: "/etc/bind/" + # + #- name: make sure bind9 is started + # ansible.builtin.service: + # name: bind9 + # state: started + #- name: Reload service bind9, in all cases + # ansible.builtin.service: + # name: bind9 + # state: reloaded #- name: Start the deployer # ansible.builtin.command: diff --git a/provisioning/roles/jean-cloud-common/tasks/main.yml b/provisioning/roles/jean-cloud-common/tasks/main.yml index b99751e..a5f5daf 100644 --- a/provisioning/roles/jean-cloud-common/tasks/main.yml +++ b/provisioning/roles/jean-cloud-common/tasks/main.yml 
@@ -14,6 +14,16 @@ - "172.0.0.1 {{inventory_hostname}}" - "::1 {{inventory_hostname}}" +- name: Set shlago IP + ansible.builtin.lineinfile: + path: /etc/hosts + line: "{{item}}" + with_items: + - "172.0.0.1 shlago.jean-cloud.org" + - "::1 shlago.jean-cloud.org" + when: inventory_hostname in groups["shlago"] + + - name: Show last changed password for security copy: dest: /etc/profile.d/user_last_passwd.sh diff --git a/provisioning/roles/ordiportables/.travis.yml b/provisioning/roles/ordiportables/.travis.yml deleted file mode 100644 index 36bbf62..0000000 --- a/provisioning/roles/ordiportables/.travis.yml +++ /dev/null @@ -1,29 +0,0 @@ ---- -language: python -python: "2.7" - -# Use the new container infrastructure -sudo: false - -# Install ansible -addons: - apt: - packages: - - python-pip - -install: - # Install ansible - - pip install ansible - - # Check ansible version - - ansible --version - - # Create ansible.cfg with correct roles_path - - printf '[defaults]\nroles_path=../' >ansible.cfg - -script: - # Basic role syntax check - - ansible-playbook tests/test.yml -i tests/inventory --syntax-check - -notifications: - webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file diff --git a/provisioning/roles/ordiportables/tasks/main.yml b/provisioning/roles/ordiportables/tasks/main.yml deleted file mode 100644 index 1022236..0000000 --- a/provisioning/roles/ordiportables/tasks/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# tasks file for ordiportables - -- name: Prevent suspend on lid close - ansible.builtin.lineinfile: - path: /etc/systemd/logind.conf - line: HandleLidSwitch=ignore diff --git a/readme.md b/readme.md index 94b99d4..04666e7 100644 --- a/readme.md +++ b/readme.md 
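Review bot: `172.0.0.1 shlago.jean-cloud.org` is not a loopback address — loopback is 127.0.0.0/8, and 172.0.0.1 is ordinary routable space (only 172.16.0.0/12 is private) — so the IPv4 entry points the name off-host and only the `::1` line makes it local; the `172.0.0.1 {{inventory_hostname}}` context line above carries the same value. Since deployall.sh now decides what to deploy from `getent hosts` returning a `::1` line first, this file effectively selects deployments, so I'd write `- "127.0.0.1 shlago.jean-cloud.org"` and keep the `::1` line where the resolver lists it first. The `when: inventory_hostname in groups["shlago"]` presumably fails with an undefined-key error on inventories that define no `shlago` group; `groups['shlago'] | default([])` avoids that.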
@@ -6,28 +6,38 @@ Contient des scripts sh pour installer debian sur un disque dur. Qui ira ensuite ## Dossier provisioning Contient - des rôles ansible pour configurer les serveurs -- un rôle ansible pour envoyer les services sur les serveurs +- un rôle ansible pour envoyer les services sur les serveurs (rsync bête) - des scripts maisons à envoyer sur les serveurs -- la conf DNS à envoyer sur les serveurs ## Dossier services Les services à faire tourner. -## scripts -Le script deployer.sh va pour chaque service -- Démarrer docker-compose si besoin -- Copier le fichier nginx.conf dans sites-enabled si besoin (en remplaçant certaines variables) (en créant un faux certificat ssl si besoin) -- Démarrer et activer une interface wg si un fichier `wg-*.conf` est présent. -- Exécuter le script deploy.sh du service s’il existe -- Exécuter le script deploy_http.sh en tant que www-data s’il existe. Ce script peut également être éxécuter par nginx pour mettre à jour le site web. +Chaque service qui tourne sur jean-cloud est composé : +- `deploy.sh` d’un script d’installation +- `docker-compose.yaml` d’un fichier docker-compose +- `nginx_server.conf` d’un fichier de conf nginx +- `deploy_http.sh` d’un script de déploiement web (qui est exécuté avec l’utilisateur www-data et peut être exécuté par le serveur web lui-même) +- `wg-*.sh` Script qui génère une config wireguard pour l’interface * + +Chaque élément est facultatif. + +Chaque élément est éxécuté, démarré ou installé dans l’ordre par `deploy_service.sh` + + + +## scripts +dans `provisioning/roles/deploy_all/files/bin` + +-`deployall.sh` va pour chaque service vérifier s’il doit tourner sur la machine actuelle et lance le `deploy_service.sh` si c’est le cas. +- `letsencrypt.sh` va renouveler tous les certificats dont nginx a besoin (il va lire dans /etc/nginx/sites-enabled). 
+- `git_update.sh` récupère une copie à jour d’un dépôt git (fait un clone ou pull en fonction des besoins) et s’assure de ne pas garder tout l’historique du dépôt. -Le script letsencrypt.sh va renouveler tous les certificats dont le serveur a besoin (il va lire dans /etc/nginx/sites-enabled). ## Variables -Le script deployer.sh crée les variables -- DATA_DIR : là où sauvegarder des données -- DOCKER_DIR : dossier contenant les fichiers de déploiement du service -- HTTP_DIR : là où mettre les fichiers web si ils sont statiques. Ce dossier peut être détruit à tout moment, il n’est pas sauvegardé. -- JC_SERVICE : le nom du dossier service. Correspond souvent à l’adresse du service. -Ces variables sont ajoutées au ficher .env du service. (écrasées si existantes donc). +Les scripts ont accès aux variables suivantes : +- `DATA_DIR` : là où sauvegarder des données. +- `DOCKER_DIR` : dossier contenant les fichiers de déploiement du service. +- `HTTP_DIR` : là où mettre les fichiers web si ils sont statiques. Ce dossier peut être détruit à tout moment, il n’est pas sauvegardé. +- `JC_SERVICE` : le nom du dossier service. Correspond souvent à l’adresse du service. +Ces variables sont ajoutées au ficher .env du service par le script `gen_env.sh`. diff --git a/services/cousinades2.jean-cloud.net/nginx_server.conf b/services/cousinades2.jean-cloud.net/nginx_server.conf index ffc5956..dd8441e 100755 --- a/services/cousinades2.jean-cloud.net/nginx_server.conf +++ b/services/cousinades2.jean-cloud.net/nginx_server.conf @@ -3,7 +3,7 @@ server { listen [::]:443 ssl http2; ssl_certificate /etc/letsencrypt/live/cousinades2.jean-cloud.net/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/cousinades2.jean-cloud.net/privkey.pem; - server_name cousinades2.jean-cloud.org www.cousinades2.jean-cloud.org; + server_name cousinades2.jean-cloud.net www.cousinades2.jean-cloud.net; index index.php; root /data/cousinades2.jean-cloud.net/public; 
diff --git a/services/deployer.jean-cloud.org/nginx_server.conf b/services/deployer.jean-cloud.org/nginx_server.conf index 680ed5a..3f0c4b5 100644 --- a/services/deployer.jean-cloud.org/nginx_server.conf +++ b/services/deployer.jean-cloud.org/nginx_server.conf @@ -3,7 +3,7 @@ limit_req_zone global zone=deployer_limit:100k rate=3r/m; server { listen 443; listen [::]:443; - server_name $SERVER_HOST; + server_name $JC_SERVICE; ssl_certificate /etc/letsencrypt/live/deployer.jean-cloud.org/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/deployer.jean-cloud.org/privkey.pem; location / { diff --git a/services/etrevivant.net/deploy_http.sh b/services/etrevivant.net/deploy_http.sh index 6be3832..e7e51da 100755 --- a/services/etrevivant.net/deploy_http.sh +++ b/services/etrevivant.net/deploy_http.sh @@ -1,18 +1,14 @@ #!/bin/bash set -euo pipefail -. /docker/etrevivant.net/.env -. /data/etrevivant.net/.env +. "$DATA_DIR/.env" webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')" webdav_user="$(echo "$NC_SHARE_LINK" |sed 's#.*/s/##')" webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")" +git_update.sh -d "$HTTP_DIR" "$GIT_SOURCE_REPO" + +rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: "$HTTP_DIR/$CLOUD_LOCAL_PATH" + cd "$HTTP_DIR" -if [ -d .git ] ; then - git reset --hard origin/master - git pull --depth 1 --rebase -else - git clone --single-branch --depth 1 "$GIT_SOURCE_REPO" . -fi -rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: content/ hugo diff --git a/services/grapes.chahut.jean-cloud.net/deploy.sh b/services/grapes.chahut.jean-cloud.net/deploy.sh deleted file mode 100755 index 6cd537c..0000000 --- a/services/grapes.chahut.jean-cloud.net/deploy.sh +++ /dev/null 
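Review bot: `rclone sync` deletes everything in the destination that is not on the remote, and `"$HTTP_DIR/$CLOUD_LOCAL_PATH"` is only guarded by `set -u`, so a `CLOUD_LOCAL_PATH` that is set but empty in .env makes it wipe the git checkout that `git_update.sh` just placed in `$HTTP_DIR`; `"$HTTP_DIR/${CLOUD_LOCAL_PATH:?}"` refuses the empty case. The script now sources only `$DATA_DIR/.env`, so `NC_SHARE_LINK`, `GIT_SOURCE_REPO`, `HTTP_DIR` and `CLOUD_LOCAL_PATH` must arrive from the caller's environment — presumably the `bash -c ". '$DOCKER_DIR/.env' && …"` wrapper in deploy_service.sh; a one-line comment naming that dependency would save the next reader a search. The obscured WebDAV password is still passed as `--webdav-pass=` on the command line, where it is visible in `ps` on a multi-user host; rclone reads the same option from `RCLONE_WEBDAV_PASS` in the environment, which keeps it off argv.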
@@ -1,6 +0,0 @@ -#!/bin/bash -set -euo pipefail - -mkdir -p "$HTTP_DIR" -chown www-data:www-data "$HTTP_DIR" -sudo -u www-data git_update.sh -d "$HTTP_DIR" "$GIT_SOURCE_REPO" diff --git a/services/grapes.chahut.jean-cloud.net/deploy_http.sh b/services/grapes.chahut.jean-cloud.net/deploy_http.sh new file mode 100755 index 0000000..93db870 --- /dev/null +++ b/services/grapes.chahut.jean-cloud.net/deploy_http.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +git_update.sh -d "$HTTP_DIR" "$GIT_SOURCE_REPO" diff --git a/services/jean-cloud.net/deploy.sh b/services/jean-cloud.net/deploy.sh index 42eb75f..48f507e 100755 --- a/services/jean-cloud.net/deploy.sh +++ b/services/jean-cloud.net/deploy.sh @@ -1,3 +1,3 @@ #!/bin/bash -podman run -i --rm -e GIT_SOURCE_REPO='https://git.jean-cloud.net/adrian/jean-cloud_website' -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder +docker run -u 33 --rm -e GIT_SOURCE_REPO='https://git.jean-cloud.net/adrian/jean-cloud_website' -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder diff --git a/services/static.jean-cloud.net/docker-compose.yml b/services/karnaval.fr/docker-compose.yml similarity index 92% rename from services/static.jean-cloud.net/docker-compose.yml rename to services/karnaval.fr/docker-compose.yml index 6bdf591..d077323 100755 --- a/services/static.jean-cloud.net/docker-compose.yml +++ b/services/karnaval.fr/docker-compose.yml @@ -1 +1,2 @@ version: '3' + diff --git a/services/karnaval.fr/nginx_server.conf b/services/karnaval.fr/nginx_server.conf new file mode 100755 index 0000000..3bd1d8f --- /dev/null +++ b/services/karnaval.fr/nginx_server.conf 
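Review bot: The new `grapes.chahut.jean-cloud.net/deploy_http.sh` has no `set -euo pipefail`, unlike the sibling `metamorphosemagazine.fr` and `velov.jean-cloud.net` scripts added in this commit. Without `-u`, an unset `HTTP_DIR` or `GIT_SOURCE_REPO` expands to an empty string and `git_update.sh` is handed empty arguments instead of the script failing early; add `set -euo pipefail` after the shebang. The deleted `deploy.sh` used to `mkdir -p` and `chown www-data:www-data` the target directory — unless `git_update.sh` creates `$HTTP_DIR` itself (not visible here), that setup now happens nowhere for this service.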
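Review bot: `-u 33` is a magic number; the intent is presumably to run the builder as the host's www-data uid so that what it writes into `$HTTP_DIR` stays owned by the web user the `deploy_http.sh` scripts run as — say so: `# -u 33: www-data on the host, so $HTTP_DIR output is owned by the web user`. Note that `-u` only governs the process inside the container; the bind mount is still set up by the root Docker daemon, which may be a privilege step up from the `podman run` this replaces if that was running rootless. This script, unlike its lexicographe sibling, also lacks `set -euo pipefail`, so an unset `HTTP_DIR` yields `-v ":/usr/local/app"` and fails inside docker rather than at the top of the script.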
@@ -0,0 +1,24 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_certificate /etc/letsencrypt/live/karnaval.fr/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/karnaval.fr/privkey.pem;
+ server_name karnaval.fr www.karnaval.fr;
+ root $HTTP_DIR/;
+
+ # Security headers
+ # We can create a file with the base security headers and include it.
+ # Will it be possible to overload them then ?
+ #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ #add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; img-src 'self'; font-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self';" always;
+ add_header X-Content-Type-Options "nosniff";
+ add_header X-Frame-Options SAMEORIGIN always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin";
+ add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';sync-xhr='https://mailer.karnaval.fr';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';";
+
+ location / {
+ index index.html;
+ try_files $uri $uri/ =404;
+ }
+}
diff --git a/services/lalis.fr/Dockerfile b/services/lalis.fr/Dockerfile
deleted file mode 100644
index dde64c4..0000000
--- a/services/lalis.fr/Dockerfile
+++ /dev/null
@@ -1,2 +0,0 @@
-FROM php:7.2-fpm-alpine
-RUN docker-php-ext-install mysqli
diff --git a/services/lalis.fr/docker-compose.yml b/services/lalis.fr/docker-compose.yml
deleted file mode 100755
index 3eefdb9..0000000
--- a/services/lalis.fr/docker-compose.yml
+++ /dev/null
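Review bot: The `Permissions-Policy` value is written in the old Feature-Policy grammar (`geolocation='none';midi='none';…`), which the structured-header parser browsers use for Permissions-Policy rejects, so the header is most likely ignored wholesale; the accepted form, keeping only features Permissions-Policy actually defines, is `add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), payment=(), fullscreen=(self)" always;`. `X-XSS-Protection "1; mode=block"` is deprecated and the legacy auditor it enables has itself been used for cross-site leaks; current guidance is `add_header X-XSS-Protection "0" always;` or dropping it and uncommenting the CSP. `root $HTTP_DIR/` together with the sibling `deploy_http.sh` scripts cloning straight into `$HTTP_DIR` puts `$HTTP_DIR/.git` under the web root; a `location ~ /\.git { deny all; }` block keeps the remote URL and object store from being fetched. Lastly, `X-Content-Type-Options` and `Referrer-Policy` lack `always` so they are omitted on 4xx/5xx responses, and HSTS stays commented out with no note on why.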
@@ -1,22 +0,0 @@ -version: '3' -services: - php: - image: php:7.2-fpm-alpine - build: . - volumes: - - /data/lalis.fr:/usr/src/app - restart: unless-stopped - networks: - default: - ipv4_address: 172.29.11.101 - deploy: - resources: - limits: - cpus: '0.50' - memory: 100M -networks: - default: - ipam: - config: - - subnet: 172.29.11.0/24 - diff --git a/services/lalis.fr/nginx_server.conf b/services/lalis.fr/nginx_server.conf deleted file mode 100755 index 4ef2c65..0000000 --- a/services/lalis.fr/nginx_server.conf +++ /dev/null @@ -1,24 +0,0 @@ -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - ssl_certificate /etc/letsencrypt/live/lalis.fr/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/lalis.fr/privkey.pem; - server_name lalis.fr lalis.jean-cloud.net www.lalis.jean-cloud.net; - root /data/lalis.fr; - - index index.php index.html; - - location / { - try_files $uri $uri/ =404; - } - - location ~ \.php$ { - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass 172.29.11.100:9000; - fastcgi_index index.php; - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME /usr/src/app/$fastcgi_script_name; - fastcgi_param PATH_INFO $fastcgi_path_info; - } -} - diff --git a/services/lexicographe.jean-cloud.net/deploy.sh b/services/lexicographe.jean-cloud.net/deploy.sh index 034fcab..56de35f 100755 --- a/services/lexicographe.jean-cloud.net/deploy.sh +++ b/services/lexicographe.jean-cloud.net/deploy.sh @@ -1,4 +1,4 @@ #!/bin/bash set -euo pipefail -podman run -i --rm --env-file "$DATA_DIR/.env" -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder +docker run -u 33 --rm --env-file "$DATA_DIR/.env" -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder diff --git a/services/list_ips.sh b/services/list_ips.sh index 52065ee..c024022 100755 --- a/services/list_ips.sh +++ b/services/list_ips.sh 
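Review bot: `--env-file "$DATA_DIR/.env"` hands Docker the same kind of .env file that other scripts source with bash (`etrevivant.net/deploy_http.sh` does `. "$DATA_DIR/.env"`), but `docker run --env-file` takes each line verbatim: quotes around values are kept literally and `$VAR` references or `export` prefixes are not interpreted. A `.env` written for bash, `KEY="some value"`, therefore reaches the container as `"some value"` with the quotes. Either document the constraint at the top of this script, `# NOTE: .env is consumed by docker --env-file: unquoted KEY=VALUE lines only, no expansion`, or source the file and pass the needed keys with `-e KEY`. If the file holds the builder's credentials, note that it now flows through the root Docker daemon rather than a podman process, so its mode and ownership deserve a check too.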
@@ -1,2 +1,4 @@ #!/bin/bash +# Ce script sert à lister les IPs du répertoire courant (donc des services docker) pour savoir quels réseaux sont encore disponibles. +# On part du principe que chaque service a un réseau /24 dédié grep -ho '172.29.[^.]\+' . -r | sort -u diff --git a/services/metamorphosemagazine.fr/.env b/services/metamorphosemagazine.fr/.env new file mode 100644 index 0000000..d4454f8 --- /dev/null +++ b/services/metamorphosemagazine.fr/.env @@ -0,0 +1 @@ +GIT_SOURCE_REPO=https://git.jean-cloud.net/adrian/metamorphose diff --git a/services/metamorphosemagazine.fr/deploy_http.sh b/services/metamorphosemagazine.fr/deploy_http.sh new file mode 100755 index 0000000..e0415ec --- /dev/null +++ b/services/metamorphosemagazine.fr/deploy_http.sh @@ -0,0 +1,4 @@ +#!/bin/bash +set -euo pipefail + +git_update.sh -d "$HTTP_DIR" "$GIT_SOURCE_REPO" diff --git a/services/metamorphosemagazine.fr/nginx_server.conf b/services/metamorphosemagazine.fr/nginx_server.conf index 0eb7515..36c5e1f 100755 --- a/services/metamorphosemagazine.fr/nginx_server.conf +++ b/services/metamorphosemagazine.fr/nginx_server.conf @@ -1,12 +1,12 @@ server { listen 443 ssl http2; listen [::]:443 ssl http2; - ssl_certificate /etc/letsencrypt/live/meta-morpho.se/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/meta-morpho.se/privkey.pem; + ssl_certificate /etc/letsencrypt/live/metamorphosemagazine.fr/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/metamorphosemagazine.fr/privkey.pem; server_name metamorphosemagazine.fr; location / { add_header Content-language fr; - root /data/meta-morpho.se/src; + root $HTTP_DIR/src; index index.html; try_files $uri $uri/ =404; } diff --git a/services/ns1.jean-cloud.org/deploy.sh b/services/ns1.jean-cloud.org/deploy.sh new file mode 100755 index 0000000..3f5959b --- /dev/null +++ b/services/ns1.jean-cloud.org/deploy.sh 
@@ -0,0 +1,125 @@
+#!/bin/bash
+
+. driglibash-base
+
+set -euo pipefail
+
+# Working variables
+debian_bind_workdir="/var/cache/bind"
+debian_bind_confdir="/etc/bind"
+keydir="$DATA_DIR/keys"
+
+# Install dependencies
+apt install -y bind9 &>/dev/null
+
+# Create Directories
+mkdir -p "$keydir"
+chown bind:bind "$keydir" -R
+chown bind:bind "$debian_bind_confdir" -R
+
+# Empty bind dir if it is not our git repo
+if [ ! -d "$debian_bind_confdir/.git" ] ; then
+ echo "lets delete $debian_bind_confdir"
+ rm -rf "$debian_bind_confdir/"{*,.*}
+fi
+
+# Sync the git repo
+sudo -u bind git_update.sh -b main -i "$DATA_DIR/gitkey" -d "$debian_bind_confdir" 'ssh://git@git.jean-cloud.net:22529/adrian/dnszones.git'
+cd /etc/bind
+sudo -u bind git status
+
+### Generate zones from service directory ###
+
+servicefile="/docker/services.txt"
+
+# Function that simulate a DNS resolve by reading bind zone file
+# Returns all the record line:
+# @ IN A X.X.X.X
+fakeresolve () {
+ if [ "$#" -ne 1 ] ; then
+ die "Usage: fakeresolve "
+ fi
+ name="$1"
+
+ zonefile="$debian_bind_confdir/db.jean-cloud.org"
+ shortname="$(echo "$name" | grep -Po '^.*(?=\.[^\.]+\.[^\.]+$)' || true)"
+
+ grep -v -e '^[[:space:]]*;' "$zonefile" |grep -oP "^[[:space:]]*$shortname\K[[:space:]]*IN[[:space:]]*A{1,4}[[:space:]]*[\S;]+" | sed 's/^/@/'
+
+}
+
+# Function that add DNS record in the right file
+addbindline () {
+ if [ "$#" -ne 2 ] ; then
+ die "Usage: addbindline "
+ fi
+
+ name="$1"
+ target="$2"
+
+ # extract the truc.com part
+ domain="$(echo "$name" | grep -o '[^\.]\+\.[^\.]\+$' || true)"
+ [ -z "$domain" ] && return 0
+
+ # extract the subdomain part (www)
+ shortname="$(echo "$name" | grep -Po '^.*(?=\.[^\.]+\.[^\.]+$)' || true)"
+
+ # bind DB file
+ bindfile="$debian_bind_confdir/db.$domain"
+
+ if [ -z "$shortname" ] ; then
+ # CNAME are forbiden for empty shortnames, so we must resolve the target IPs
+ while read line ; do
+ line_in_file "$line" "$bindfile"
+ done < <(fakeresolve "$target")
+ else
+ line_in_file "$shortname IN CNAME $target." "$bindfile"
+ fi
+
+ #XXX Add CAA records
+}
+
+
+autoconf_separator=";;; Autogeneration. Do not write under this line! ;;;"
+
+echo 'Prepare bind: Remove autogenerated part from bind conf files'
+sed -i -n "/$autoconf_separator/q;p" "$debian_bind_confdir"/*
+
+echo 'Put the separator back'
+for file in $( ls "$debian_bind_confdir"/db.* | grep -v '.signed$\|.jbk$\|.jnl$') ; do
+ echo "$autoconf_separator" >> "$file"
+done
+
+for file in "$debian_bind_confdir"/db.* ; do
+ domain="$(basename "$file" | sed 's/db.//')"
+
+ # TODO fill header too?
+
+ # If no NS record in the db file
+ if [ -z "$(grep '[^;].*IN.*NS' "$file")" ] ; then
+ echo -e "@ IN NS ns.jean-cloud.org\n" >> "$file"
+ fi
+
+ echo -n "
+zone '$domain' {
+ allow-update { none; };
+ type master;
+ file \"$file\";
+};" >> "$debian_bind_confdir/named.conf.local"
+done
+
+echo 'Find every used domain and add them to bind db'
+while read line ; do
+ read -r service target <<<$(echo "$line")
+ addbindline "$service" "$target"
+ nginxfile="/docker/$service/nginx_server.conf"
+ if [ -f "$nginxfile" ] ; then
+ for name in $(extract_domain_nginx_conf.sh "$nginxfile" | template.sh "/docker/$service/.env") ; do
+ addbindline "$name" "$target"
+ done
+ fi
+done <"$servicefile"
+
+
+echo 'Restart bind9'
+systemctl restart bind9
diff --git a/services/registry.jean-cloud.net/docker-compose.yml b/services/registry.jean-cloud.net/docker-compose.yml
deleted file mode 100755
index a9c9200..0000000
--- a/services/registry.jean-cloud.net/docker-compose.yml
+++ /dev/null
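Review bot: `rm -rf "$debian_bind_confdir/"{*,.*}` expands `.*` to `.` and `..`; GNU rm refuses those two and exits non-zero, so under `set -e` the script aborts right there on any host where /etc/bind is not yet a git checkout, and with an rm lacking that safeguard the pattern would reach `/etc`. `systemctl restart bind9` runs with no `named-checkconf -z` in between, so one malformed generated zone (a duplicate CNAME from services.txt, a typo) takes the resolver down instead of failing the deploy. The generated `zone '$domain'` block uses single quotes, which as far as I know named.conf's string grammar does not accept (the `file` directive just below correctly uses `\"`), and it sets `allow-update` but not `allow-transfer`, leaving the default, which in most BIND 9 releases is an unrestricted AXFR unless the global options limit it. `fakeresolve` and `addbindline` also share the globals `name`/`shortname` without `local`, and `$shortname` goes unescaped into a `grep -P` pattern, so a regex metacharacter in services.txt changes the match — acceptable for a trusted file, but worth a comment. The lines below address the first three points.
```shell
# Empty bind dir if it is not our git repo
if [ ! -d "$debian_bind_confdir/.git" ] ; then
    echo "lets delete $debian_bind_confdir"
    # ':?' aborts on an empty variable; -mindepth 1 empties the directory without ever naming '.' or '..'
    find "${debian_bind_confdir:?}" -mindepth 1 -delete
fi
# … unchanged: git sync, fakeresolve, addbindline, separator handling, NS default …
    echo -n "
zone \"$domain\" {
    allow-update { none; };
    allow-transfer { none; };   # or the secondaries' addresses, if any
    type master;
    file \"$file\";
};" >> "$debian_bind_confdir/named.conf.local"
# … unchanged: services.txt loop …

echo 'Check the generated configuration and zones before touching the running server'
named-checkconf -z
echo 'Restart bind9'
systemctl restart bind9
```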
@@ -1,27 +0,0 @@
-version: '3'
-services:
- registry:
- restart: 'unless-stopped'
- image: registry:2
- environment:
- REGISTRY_AUTH: htpasswd
- REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
- REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
- volumes:
- - /data/registry.jean-cloud.net/data:/var/lib/registry
- - /data/registry.jean-cloud.net/auth:/auth # htpasswd -Bbn admin password
- networks:
- default:
- ipv4_address: 172.29.12.100
- deploy:
- resources:
- limits:
- cpus: '0.50'
- memory: 100M
-
-networks:
- default:
- ipam:
- config:
- - subnet: 172.29.12.0/24
-
diff --git a/services/registry.jean-cloud.net/nginx_server.conf b/services/registry.jean-cloud.net/nginx_server.conf
deleted file mode 100755
index 0c8cb9d..0000000
--- a/services/registry.jean-cloud.net/nginx_server.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- ssl_certificate /etc/letsencrypt/live/registry.jean-cloud.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/registry.jean-cloud.net/privkey.pem;
- server_name registry.jean-cloud.net www.registry.jean-cloud.net;
-
- # disable any limits to avoid HTTP 413 for large image uploads
- client_max_body_size 0;
-
- location / {
- proxy_pass http://172.29.12.100:5000/;
- proxy_set_header Host $http_host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_read_timeout 900;
- }
-}
diff --git a/services/services.txt b/services/services.txt
new file mode 100644
index 0000000..297c9a7
--- /dev/null
+++ b/services/services.txt
@@ -0,0 +1,34 @@
+benevoles31.karnaval.fr max.jean-cloud.org
+chahut.jean-cloud.net max.jean-cloud.org
+collectif-arthadie.fr vandamme.jean-cloud.org
+compagnienouvelle.fr max.jean-cloud.org
+copaines.jean-cloud.net max.jean-cloud.org
+cousinades2.jean-cloud.net max.jean-cloud.org
+cousinades.jean-cloud.net max.jean-cloud.org
+etrevivant.net shlago.jean-cloud.org
+feministesucl34.jean-cloud.net tetede.jean-cloud.org
+feteducourt2020.jean-cloud.net tetede.jean-cloud.org
+feteducourt.jean-cloud.net tetede.jean-cloud.org
+grapes.chahut.jean-cloud.net max.jean-cloud.org
+gypsylyonfestival.com max.jean-cloud.org
+metamorphosemagazine.fr shlago.jean-cloud.org
+inurbe.fr max.jean-cloud.org
+jean-cloud.net shlago.jean-cloud.org
+lexicographe.jean-cloud.net shlago.jean-cloud.org
+nc-backup.jean-cloud.net raku.jean-cloud.org
+pa1.studios.oma-radio.fr tetede.jean-cloud.org
+raplacgr.jean-cloud.net tetede.jean-cloud.org
+velov.jean-cloud.net shlago.jean-cloud.org
+radionimaitre.oma-radio.fr tetede.jean-cloud.org
+paj.oma-radio.fr nougaro.jean-cloud.org
+radiodemo.oma-radio.fr tetede.jean-cloud.org
+radiodemo-back.oma-radio.fr montbonnot.jean-cloud.org
+pa1.studios.oma-radio.fr tetede.joun-cloud.org
+leida.fr shlago.jean-cloud.org
+deployer.jean-cloud.org shlago.jean-cloud.org
+ns1.jean-cloud.org raku.jean-cloud.org
+git.jean-cloud.net vandamme.jean-cloud.org
+nuage.jean-cloud.net vandamme.jean-cloud.org
+rpnow.jean-cloud.net vandamme.jean-cloud.org
+wiki-cgr.jean-cloud.net vandamme.jean-cloud.org
+_ssh vandamme.jean-cloud.org
diff --git a/services/static.jean-cloud.net/nginx_server.conf b/services/static.jean-cloud.net/nginx_server.conf
deleted file mode 100755
index a8d3a08..0000000
--- a/services/static.jean-cloud.net/nginx_server.conf
+++ /dev/null
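Review bot: `pa1.studios.oma-radio.fr` appears twice, once targeting `tetede.jean-cloud.org` and once `tetede.joun-cloud.org` — the second target looks like a typo of the first. `ns1.jean-cloud.org/deploy.sh` in this commit turns every line into a CNAME for the subdomain, so the duplicate produces two CNAME records for the same owner name, which BIND rejects at zone load; drop the second line. `_ssh vandamme.jean-cloud.org` has no dot in its name, so that script's `addbindline` returns early for it; if the entry exists for another consumer, that deserves a note in the services README, since this file has no comment syntax of its own.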
@@ -1,15 +0,0 @@ -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - ssl_certificate /etc/letsencrypt/live/static.jean-cloud.net/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/static.jean-cloud.net/privkey.pem; - server_name static.oma-radio.fr www.static.oma-radio.fr static.jean-cloud.net www.static.jean-cloud.net; - root /data/static.jean-cloud.net/public/; - - location / { - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET'; - index index.html; - try_files $uri $uri/ =404; - } -} diff --git a/services/velov.jean-cloud.net/.env b/services/velov.jean-cloud.net/.env new file mode 100644 index 0000000..356f9a9 --- /dev/null +++ b/services/velov.jean-cloud.net/.env @@ -0,0 +1 @@ +GIT_SOURCE_REPO=https://git.jean-cloud.net/adrian/velov diff --git a/services/velov.jean-cloud.net/deploy_http.sh b/services/velov.jean-cloud.net/deploy_http.sh new file mode 100755 index 0000000..edb9cbd --- /dev/null +++ b/services/velov.jean-cloud.net/deploy_http.sh @@ -0,0 +1,3 @@ +#!/bin/bash +set -euo pipefail +git_update.sh -d "$HTTP_DIR" "$GIT_SOURCE_REPO" diff --git a/services/velov.jean-cloud.net/nginx_server.conf b/services/velov.jean-cloud.net/nginx_server.conf index 06ce28d..341726e 100755 --- a/services/velov.jean-cloud.net/nginx_server.conf +++ b/services/velov.jean-cloud.net/nginx_server.conf @@ -4,7 +4,7 @@ server { ssl_certificate /etc/letsencrypt/live/velov.jean-cloud.net/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/velov.jean-cloud.net/privkey.pem; server_name velov.jean-cloud.net www.velov.jean-cloud.net; - root /data/velov.jean-cloud.net; + root $HTTP_DIR; index index.php;
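Review bot: `git_update.sh -d "$HTTP_DIR" "$GIT_SOURCE_REPO"` places the checkout, `.git` included, directly in `$HTTP_DIR`, and the velov nginx_server.conf changed in this same commit now serves `root $HTTP_DIR;` — so `/.git/config` (remote URL and any credentials embedded in it) and the object store become downloadable unless nginx denies them. Either clone into a subdirectory and point `root` at a `public/`-style child, or add `location ~ /\.git { deny all; }` to the nginx config; at minimum record the assumption here: `# NOTE: the checkout, .git included, becomes the nginx root — keep /.git denied in nginx_server.conf`. The same pattern applies to the other sites switched to `root $HTTP_DIR` in this commit.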