big update

installing/debootstrap_ordis_portables.sh

@@ -88,6 +88,7 @@ install="$install linux-image-amd64 console-data grub2 locales vim openssh-serve
 debootstrap_done_marker="$mnt/etc/debootstrap_done"
 uefi_mountpoint=/boot/efi
 
+dependancies="cryptsetup locales openssh-server wireguard-tools grub2"
 ###############################################################################
 #                              Actual script
 ###############################################################################
@@ -178,13 +179,12 @@ fi
 
 mount_misc
 
-
 section "Installing selected software"
 echo "$repos" >> "$mnt/etc/apt/sources.list"
 run chroot "$mnt" <<EOF
   export DEBIAN_FRONTEND=noninteractive
   apt-get update  -q -y 
-  apt-get install -q -y cryptsetup $install
+  apt-get install -q -y $install
 EOF
 # TODO watershed ?
 

provisioning/inventory.ini

@@ -10,5 +10,4 @@ montbonnot.jean-cloud.org
 max.jean-cloud.org
 tetede.jean-cloud.org
 raku.jean-cloud.org
-vandamme.jean-cloud.org
 izzo.jean-cloud.org

provisioning/roles/deploy_all/files/bin/deploy_service.sh

@@ -22,7 +22,7 @@ if [ -d "/docker/$1" ] ; then
 elif [ -d "$1" ] && [[ "$1" = /docker/* ]] ; then
 	service="$(basename "$1")"
 else
-	die "/docker/$service not found"
+	die "service $1 not found"
 fi
 
 if [ ! -d "$new_nginx_conf_path" ] ; then
@@ -45,6 +45,8 @@ cd "/docker/$service"
 
 # Source and export env file
 [ -f .env ] && set -a && . .env && set +a
+[ -f "$SECRET_DIR/.env" ] && set -a && . "$SECRET_DIR/.env" && set +a
+
 
 
 ###############################################################################
@@ -126,13 +128,11 @@ fi
 ###############################################################################
 
 # If there is a wireguard vpn script
-for file in $( find "/docker/$service" -name "wg-*.sh") ; do
+for file in $( find "/docker/$service" -name "wgns-*.sh") ; do
 	section "Managing wg interface $(basename "$file")"
     if [ -x "$file" ] ; then
-        wgnum="$(basename "$file")"
+        wgif="$(basename "$file")"
-        wgnum="${wgnum:3:-3}"
+        wgif="${wgif:5:-3}"
-		varname="WG_NAME_$wgnum"
-		wgif="${!varname}"
 		if [ -z "$wgif" ] ; then
 			echo "No wireguard name for $file"
 			returncode=1
@@ -140,13 +140,35 @@ for file in $( find "/docker/$service" -name "wg-*.sh") ; do
 		fi
         "$file" $wgif > "/etc/wireguard/$wgif.conf"
 		if "$deploy" ; then
-        	run systemctl enable "wg-quick@$wgif"
+        	#run systemctl enable "wg-quick@$wgif"
-        	run startwg.sh "$wgif"
+        	run managewg.sh start "$wgif"
 			[ "$?" -ne 0 ] && echo "Erreur wireguard" && returncode=1
 		else
-			if [ -z "$(ip a | grep "$wgif")" ] ; then
+        	run managewg.sh stop "$wgif"
-				run wg-quick down "$wgif"
+		fi
-			fi
+    fi
+done
+
+# If there is a wireguard vpn template
+for file in $( find "/docker/$service" -name "wg-*.sh") ; do
+	section "Creating wg iface $(basename "$file")"
+    if [ -x "$file" ] ; then
+        wgif="$(basename "$file")"
+        wgif="${wgif:3:-3}"
+		if [ -z "$wgif" ] ; then
+			echo "No wireguard name for $file"
+			returncode=1
+			continue
+		fi
+		#run template.sh "/docker/$service/.env" < "$file" > "/etc/wireguard/$wgif.conf"
+        "$file" $wgif > "/etc/wireguard/$wgif.conf"
+
+		if "$deploy" ; then
+        	run systemctl enable "wg-quick@$wgif"
+        	run startwg.sh start "$wgif"
+			[ "$?" -ne 0 ] && echo "Erreur wireguard" && returncode=1
+		else
+        	run managewg.sh stop "$wgif"
 		fi
     fi
 done

provisioning/roles/deploy_all/files/bin/gen_env.sh

@@ -33,6 +33,7 @@ do
 	#line_in_file "HOME='/data/$service'" "$dir/.env"
 	line_in_file "NET='172.29.$id'" "$dir/.env"
 	line_in_file "USER='$username'" "$dir/.env"
+	line_in_file "JC_ID='$id'" "$dir/.env"
 
 	cert="$(findcert.sh "$service")" || true
 	if [ -n "$cert" ] ; then

provisioning/roles/deploy_all/files/bin/git_update.sh

@@ -10,6 +10,10 @@ usage[b]="Branch of git repo"
 varia[b]=branch
 branch=master
 
+usage[t]="Tog of git repo"
+varia[t]=tag
+tag=
+
 usage[d]="Destination of clone"
 varia[d]=dst
 dst='.'
@@ -58,10 +62,18 @@ fi
 run mkdir -p "$dst"
 run cd "$dst"
 
+
 if [ -d .git ] ; then
-	run git fetch origin "$branch"
+
-	run git checkout --force -B "$branch" "origin/$branch"
+	# Compute git branch and tag
-    run git reset --hard
+	tagref=
+    if [ -n "$tag" ] ; then
+        tagref="tags/$tag"
+    fi
+
+	run git fetch origin "$branch" --tags
+	run git checkout --force $tagref -B "$branch"
+    run git reset --hard # TODO we can keep some files?
 	# Preserve existing files in some cases
 	if ! "$nonempty_target" ; then
 		git clean -qffdx

provisioning/roles/deploy_all/files/bin/managewg.sh

@@ -0,0 +1,64 @@
+#!/bin/bash
+
+set -euo pipefail
+
+if [ "$#" -ne 2 ] ; then
+	echo "Usage: $0 <start|stop|reload|restart> <wgif>"
+	exit 1
+fi
+
+action="$1"
+wgif="$2"
+# Command to exec in netns
+run="ip netns exec $wgif"
+
+start () {
+	echo "Starting $wgif"
+
+	# Create netns if needed
+	if ! ip netns | grep -q "$wgif" ; then
+		ip netns add "$wgif"
+	fi
+	
+	# Create iface
+	if ! ip link | grep -q "$wgif" ; then
+		ip link add "$wgif" type wireguard
+		ip link set "$wgif" netns "$wgif"
+	fi
+
+	#$run wg-quick up "$wgif"
+	$run wg setconf "$wgif" "/etc/wireguard/$wgif.conf"
+}
+
+stop () {
+	echo "Stoping $wgif"
+	$run wg-quick down "$wgif" || true
+}
+
+reload () {
+	echo "Reloading $wgif"
+	$run wg syncconf "$wgif" <(wg-quick strip "$wgif")
+}
+
+case "$action" in
+	start)
+		if $run ip a | grep -q "$wgif" ; then
+			reload
+		else
+			start
+		fi
+		;;
+	stop)
+		stop
+		;;
+	reload)
+		reload
+		;;
+	restart)
+		stop
+		start
+		;;
+	*)
+		echo "Invalid action $action"
+		;;
+esac

provisioning/roles/deploy_all/files/bin/rclone_ncloud_publiclink.sh

@@ -1,6 +1,5 @@
 #!/bin/bash
 set -euo pipefail
-
 # Read all
 # NC_SHARE_LINK_URL.*
 # NC_SHARE_LINK_PASSWORD.*
@@ -50,7 +49,7 @@ while IFS='=' read key value ; do
 	    newname="${oldname:1}"    
 	    path="$(dirname "$filename")"    
 	    # And rename their references in md files  
-	    find -type f -iname '*.md' -exec sed -i "s/$oldname/$newname/g" {} \;    
+	    find "$path" -type f -iname '*.md' -exec sed -i "s/$oldname/$newname/g" {} \;    
 	    mv "$path/$oldname" "$path/$newname"    
 	done < <(find -type d -name '.attachments.*')
 

provisioning/roles/deploy_all/files/bin/startwg.sh

@@ -2,16 +2,48 @@
 
 set -euo pipefail
 
-if [ "$#" -ne 1 ] ; then
+if [ "$#" -ne 2 ] ; then
-	echo "Usage: $0 <wgif>"
+	echo "Usage: $0 <start|stop|reload|restart> <wgif>"
 	exit 1
 fi
 
-wgif="$1"
+action="$1"
+wgif="$2"
 
-if [ -z "$(ip a | grep "$wgif")" ] ; then
+start () {
+	echo "Starting $wgif"
 	wg-quick up "$wgif"
-else
+}
-	wg syncconf "$wgif" <(wg-quick strip "$wgif")
-fi
 
+stop () {
+	echo "Stoping $wgif"
+	wg-quick down "$wgif" || true
+}
+
+reload () {
+	echo "Reloading $wgif"
+	wg syncconf "$wgif" <(wg-quick strip $wgif)
+}
+
+case "$action" in
+	start)
+		if ip a | grep -q "$wgif" ; then
+			reload
+		else
+			start
+		fi
+		;;
+	stop)
+		stop
+		;;
+	reload)
+		reload
+		;;
+	restart)
+		stop
+		start
+		;;
+	*)
+		echo "Invalid action $action"
+		;;
+esac

provisioning/roles/deploy_all/files/bin/wg-genkey.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+if [ "$#" -ne 1 ] ; then
+	echo "Usage: $0 <filename>"
+	exit 1
+fi
+
+keyfile="$1"    
+
+if [ ! -f "$keyfile" ] ; then    
+    touch "$keyfile"    
+    chmod 700 "$keyfile"    
+    if [ -n "$(lsof "$keyfile")" ] ; then    
+        echo "Error, key $keyfile is red"    
+        exit 1    
+    fi    
+    wg genkey > "$keyfile"    
+fi    

services/accent.jean-cloud.net/docker-compose.yml

@@ -1,40 +0,0 @@
-version: '3'
-services:
-  app:
-    image: mirego/accent:v1.19.12
-    depends_on:
-      - db
-    environment:
-      - DATABASE_URL=postgres://postgres@db:5432/accent_development
-    restart: "unless-stopped"
-    networks:
-      default:
-        ipv4_address: $NET.100
-    deploy:
-      resources:
-        limits:
-          cpus: '1'
-          memory: 200M
-
-  db:
-    image: postgres:10.3
-    environment:
-      - POSTGRES_DB=accent_development
-    volumes:
-      - $DATA_DIR/db:/var/lib/postgresql/data
-    restart: "unless-stopped"
-    networks:
-      default:
-        ipv4_address: $NET.101
-    deploy:
-      resources:
-        limits:
-          cpus: '1'
-          memory: 300M
-
-
-networks:
-  default:
-    ipam:
-      config:
-        - subnet: $NET.0/24

services/association-chahut.fr/.env

@@ -0,0 +1,2 @@
+GIT_SOURCE_REPO="https://git.jean-cloud.net/adrian/association-chahut.fr.git"
+

services/association-chahut.fr/deploy.sh

@@ -0,0 +1 @@
+../hugo/deploy.sh

services/association-chahut.fr/deploy_user.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+set -euo pipefail
+
+# Update git repo
+git_update.sh -d "$HTTP_DIR" -b "${GIT_SOURCE_BRANCH:-main}" "$GIT_SOURCE_REPO"
+
+cd "$HTTP_DIR"
+
+# Get remote content files
+rclone_ncloud_publiclink.sh
+
+# Invalid cache
+#rm -rf "/tmp/hugo_cache_$USER"
+
+cd themes/blist
+npm install
+cd ../..
+npm install postcss-cli
+
+# Build website
+HUGO_CACHEDIR="/tmp/hugo_cache_$USER" hugo

services/association-chahut.fr/nginx_server.conf

@@ -0,0 +1,24 @@
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  ssl_certificate $JC_CERT/fullchain.pem;
+  ssl_certificate_key $JC_CERT/privkey.pem;
+  server_name $JC_SERVICE www.$JC_SERVICE;
+  root $HTTP_DIR/public;
+
+  # Security headers
+  # We can create a file with the base security headers and include it.
+  # Will it be possible to overload them then ?
+  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+  add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'unsafe-inline'; img-src *; font-src 'self'; object-src 'none'; style-src 'self'; base-uri 'self'; form-action 'self';" always;
+  add_header X-Content-Type-Options "nosniff";
+  add_header X-Frame-Options SAMEORIGIN always;
+  add_header X-XSS-Protection "1; mode=block" always;
+  add_header Referrer-Policy "strict-origin-when-cross-origin";
+  add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';sync-xhr='https://mailer.jean-cloud.net';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';";
+
+  location / {
+          index index.html;
+          try_files $uri $uri/ =404;
+  }
+}

services/backup-borg-client/backup_list.sh

@@ -1 +0,0 @@
-#!/bin/bash

services/backup-borg-server/deploy_user.sh

@@ -13,7 +13,7 @@ echo -n "" > ~/.ssh/authorized_keys
 chmod 600 ~/.ssh/authorized_keys
 
 # Foreach client
-for client in raku.jean-cloud.org vandamme.jean-cloud.org ; do
+for client in raku.jean-cloud.org izzo.jean-cloud.org ; do
 	# Generate key
 	clientkey="$(mktemp -d)"
 	ssh-keygen -q -N '' -t rsa -C 'Borg client ssh key' -f "$clientkey/id_rsa" <<<y 2>&1 >/dev/null

services/benevoles32.karnaval.fr/docker-compose.yml

@@ -5,6 +5,8 @@ services:
     environment:
       UID: 33
       MOUNT: /
+    ports:
+      - "2229:2229"
     volumes:
       - /tmp/uwsgi/$JC_SERVICE:/tmp/uwsgi
       - $DATA_DIR/app/assets:/usr/src/app/assets

services/chahut.jean-cloud.net/docker-compose.yml

@@ -1,41 +0,0 @@
-version: '3.1'
-
-services:
-
-  wp:
-    image: wordpress:5-apache
-    restart: unless-stopped
-    env_file: $DATA_DIR/wordpress.env
-    volumes:
-      - $DATA_DIR/wordpress:/var/www/html
-      - /srv/http/$JC_SERVICE:/var/www/html/static
-    networks:
-      default:
-        ipv4_address: $NET.100
-    deploy:
-      resources:
-        limits:
-          cpus: '0.50'
-          memory: 100M
-
-  db:
-    image: mariadb:10.11
-    restart: unless-stopped
-    env_file: $DATA_DIR/wordpress.env
-    volumes:
-      - $DATA_DIR/db:/var/lib/mysql
-    networks:
-      default:
-        ipv4_address: $NET.101
-    deploy:
-      resources:
-        limits:
-          cpus: '0.50'
-          memory: 300M
-
-networks:
-  default:
-    ipam:
-      config:
-        - subnet: $NET.0/24
-

services/chahut.jean-cloud.net/nginx_server.conf

@@ -1,30 +0,0 @@
-server {
-  listen 443 ssl http2;
-  listen [::]:443 ssl http2;
-  ssl_certificate $JC_CERT/fullchain.pem;
-  ssl_certificate_key $JC_CERT/privkey.pem;
-  server_name wordpress.$JC_SERVICE www.wordpress.$JC_SERVICE;
-  location  / {
-    auth_basic           "Mot de passe !";
-    auth_basic_user_file /data/$JC_SERVICE/pass.txt;
-    client_max_body_size 2G;
-    #proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header Host $http_host;
-    proxy_set_header X-Forwarded-Proto https;
-    proxy_pass http://$NET.100;
-    proxy_redirect off;
-  }
-}
-
-server {
-  listen 443 ssl http2;
-  listen [::]:443 ssl http2;
-  ssl_certificate $JC_CERT/fullchain.pem;
-  ssl_certificate_key $JC_CERT/privkey.pem;
-  server_name $JC_SERVICE www.$JC_SERVICE;
-
-  location /  {
-    root /srv/http/$JC_SERVICE;
-    try_files $uri $uri/ =404;
-  }
-}

services/coldcms.chahut.jean-cloud.net/docker-compose.yml

@@ -1,32 +0,0 @@
-version: '2'
-
-services:
-
-  coldcms:
-    image: coldcms/coldcms-backend:latest
-    volumes:
-      - $DATA_DIR/coldcms:/srv/build
-      - $DATA_DIR/db:/var/db
-    environment:
-      - DJANGO_SETTINGS_MODULE=coldcms.settings
-      - DB_URL=sqlite:////var/db/database.sqlite3
-      - BUILD_DIR=/srv/build
-      - STATIC_ROOT=/srv/build/static/
-      - ALLOWED_HOSTS=$JC_SERVICE
-      - SECRET_KEY=275bLEjLIsDg19HkIcjjwgdC41zcyTAc1y527VuX23khKUZGRCMybChydeBKFNJVjhD0KMrzIeLbMlS30IxPhfqLAcR2OK0LVxOu4G8dgx3p2pia4SUFm39tOznKZ0Kt9IdbX
-    restart: unless-stopped
-    networks:
-      default:
-        ipv4_address: $NET.100
-    deploy:
-      resources:
-        limits:
-          cpus: '0.50'
-          memory: 500M
-
-
-networks:
-  default:
-    ipam:
-      config:
-        - subnet: $NET.0/24

services/coldcms.chahut.jean-cloud.net/nginx_server.conf

@@ -1,55 +0,0 @@
-server {
-  listen 443 ssl http2;    
-  listen [::]:443 ssl http2;    
-  ssl_certificate $JC_CERT/fullchain.pem;    
-  ssl_certificate_key $JC_CERT/privkey.pem;    
-  server_name $JC_SERVICE www.$JC_SERVICE;    
-
-    add_header  Strict-Transport-Security "max-age=31536000";
-
-    gzip on;
-    gzip_disable    "msie6";
-    gzip_types      text/plain text/css application/json text/xml application/xml text/javascript application/x-javascript;
-    gzip_min_length 1000;
-    gzip_proxied    no-cache no-store private expired auth;
-    gzip_vary       on;
-
-    root $HTTP_DIR;
-
-    location / {
-        set $try_files_value '';
-        if ($request_method = GET){
-            set $try_files_value $uri/;
-        }
-        gzip_static on;
-        try_files $try_files_value @uwsgi_backend;
-    }
-
-
-    location @uwsgi_backend {
-        uwsgi_pass $NET.100:8000;
-        include uwsgi_params;
-        client_max_body_size 20m;
-    }
-
-    location /media/ {
-        gzip_static on;
-        expires 100d;
-        add_header Cache-Control public;
-        access_log off;
-    }
-
-    location /static/ {
-        gzip_static on;
-        expires 100d;
-        add_header Cache-Control public;
-        access_log off;
-    }
-
-    location /admin/ {
-        uwsgi_pass $NET.100:8000;
-        include uwsgi_params;
-        client_max_body_size 20m;
-    }
-}
-

services/collectif-arthadie.fr/docker-compose.yml

@@ -3,7 +3,7 @@ version: '3.1'
 services:
 
   wp:
-    image: wordpress:5.3-apache
+    image: wordpress:6.5-apache
     restart: unless-stopped
     env_file: /data/collectif-arthadie.fr/env
     environment:
@@ -19,8 +19,8 @@ services:
     deploy:
       resources:
         limits:
-          cpus: '0.50'
+          cpus: '1'
-          memory: 100M
+          memory: 500M
 
   db:
     image: mariadb:10.4

services/collectif-karafon.fr/nginx_server.conf

@@ -0,0 +1,24 @@
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  ssl_certificate $JC_CERT/fullchain.pem;
+  ssl_certificate_key $JC_CERT/privkey.pem;
+  server_name $JC_SERVICE www.$JC_SERVICE;
+  root $HTTP_DIR/collectifkarafon.wixsite.com/;
+
+  # Security headers
+  # We can create a file with the base security headers and include it.
+  # Will it be possible to overload them then ?
+  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+  #add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self'; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self'; base-uri 'self'; form-action 'self';" always;
+  add_header X-Content-Type-Options "nosniff";
+  add_header X-Frame-Options SAMEORIGIN always;
+  add_header X-XSS-Protection "1; mode=block" always;
+  add_header Referrer-Policy "strict-origin-when-cross-origin";
+  add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';sync-xhr='https://mailer.jean-cloud.net';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';";
+
+  location / {
+          index monsite.html;
+          try_files $uri $uri/ =404;
+  }
+}

services/compagnienouvelle.fr/.env

@@ -1 +1 @@
-DATA_DIR=/data/compagnienouvelle.fr
+SFTP_USER=compagnienouvelle.frRO

services/compagnienouvelle.fr/deploy.sh

@@ -0,0 +1 @@
+../sftp_jc/deploy.sh

services/compagnienouvelle.fr/deploy_user.sh

@@ -0,0 +1 @@
+../sftp_jc/deploy_user.sh

services/compagnienouvelle.fr/docker-compose.yml

@@ -1,43 +0,0 @@
-version: '3.1'
-
-services:
-
-  wp:
-    image: wordpress:5-apache
-    restart: unless-stopped
-    env_file: $DATA_DIR/wordpress.env
-    environment:
-      TZ: Europe/Paris
-    volumes:
-      - $DATA_DIR/wordpress:/var/www/html
-      - $DATA_DIR/static:/var/www/html/static
-    networks:
-      default:
-        ipv4_address: $NET.100
-    deploy:
-      resources:
-        limits:
-          cpus: '0.50'
-          memory: 100M
-  db:
-    image: mariadb:10.7
-    restart: unless-stopped
-    environment:
-      TZ: Europe/Paris
-    volumes:
-      - $DATA_DIR/db:/var/lib/mysql
-    networks:
-      default:
-        ipv4_address: $NET.101
-    deploy:
-      resources:
-        limits:
-          cpus: '0.50'
-          memory: 300M
-
-networks:
-  default:
-    ipam:
-      config:
-        - subnet: $NET.0/24
-

services/compagnienouvelle.fr/nginx_server.conf

@@ -1,30 +0,0 @@
-server {
-  listen 443 ssl http2;
-  listen [::]:443 ssl http2;
-  ssl_certificate $JC_CERT/fullchain.pem;
-  ssl_certificate_key $JC_CERT/privkey.pem;
-  server_name wordpress.compagnienouvelle.fr www.wordpress.compagnienouvelle.fr;
-  location  / {
-    auth_basic           "Mot de passe !";
-    auth_basic_user_file /data/compagnienouvelle.fr/pass.txt;
-    client_max_body_size 2G;
-    #proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header Host $http_host;
-    proxy_set_header X-Forwarded-Proto https;
-    proxy_pass http://$NET.100;
-    proxy_redirect off;
-  }
-}
-
-server {
-  listen 443 ssl http2;
-  listen [::]:443 ssl http2;
-  ssl_certificate $JC_CERT/fullchain.pem;
-  ssl_certificate_key $JC_CERT/privkey.pem;
-  server_name compagnienouvelle.fr www.compagnienouvelle.fr;
-
-  location /  {
-    root /data/compagnienouvelle.fr/static;
-    try_files $uri $uri/ =404;
-  }
-}

services/compagnienouvelle.fr/nginx_server.conf

@@ -0,0 +1 @@
+../sftp_jc/nginx_server.conf

services/compagnienouvelle.fr/tmp.log

@@ -1,58 +0,0 @@
-[class-ss-plugin.php:232] Received request to start generating a static archive
-[class-ss-archive-creation-job.php:61] Starting a job; no job is presently running
-[class-ss-archive-creation-job.php:62] Here's our task list: setup, fetch_urls, transfer_files_locally, wrapup
-[class-ss-archive-creation-job.php:76] Pushing first task to queue: setup
-[class-ss-archive-creation-job.php:105] Current task: setup
-[class-ss-archive-creation-job.php:120] Performing task: setup
-[class-ss-task.php:38] Status message: [setup] Mise en place
-[class-ss-setup-task.php:23] Creating archive directory: /var/www/html/wp-content/plugins/simply-static/static-files/simply-static-1-1603638186/
-[class-ss-setup-task.php:57] Adding origin URL to queue: https://wordpress.mysite.com/
-[class-ss-setup-task.php:68] Adding additional URL to queue: https://wordpress.mysite.com/wp-includes/js/wp-emoji-release.min.js
-[class-ss-setup-task.php:99] Adding files from directory: /var/www/html/wp-content/uploads/
-[class-ss-archive-creation-job.php:142] We've found our next task: fetch_urls
-[class-ss-archive-creation-job.php:105] Current task: fetch_urls
-[class-ss-archive-creation-job.php:120] Performing task: fetch_urls
-[class-ss-fetch-urls-task.php:37] Total pages: 2; Pages remaining: 2
-[class-ss-fetch-urls-task.php:40] URL: https://wordpress.mysite.com/
-[class-ss-fetch-urls-task.php:50] URL is not being excluded
-[class-ss-url-fetcher.php:85] Fetching URL and saving it to: /tmp/5f9593ab13a6a-QXn1T1.tmp
-[class-ss-url-fetcher.php:89] Filesize: 26432 bytes
-[class-ss-url-fetcher.php:104] http_status_code: 200 | content_type: text/html; charset=UTF-8
-[class-ss-url-fetcher.php:180] New filename for static page: index.html
-[class-ss-url-fetcher.php:120] Renaming temp file from /tmp/5f9593ab13a6a-QXn1T1.tmp to /var/www/html/wp-content/plugins/simply-static/static-files/simply-static-1-1603638186/index.html
-[class-ss-fetch-urls-task.php:99] Extracting URLs and replacing URLs in the static file
-[class-ss-fetch-urls-task.php:106] Adding 0 URLs to the queue
-[class-ss-fetch-urls-task.php:117] We're saving this URL; keeping the static file
-[class-ss-fetch-urls-task.php:40] URL: https://wordpress.mysite.com/wp-includes/js/wp-emoji-release.min.js
-[class-ss-fetch-urls-task.php:50] URL is not being excluded
-[class-ss-url-fetcher.php:85] Fetching URL and saving it to: /tmp/5f9593ab2d225-A0zDVK.tmp
-[class-ss-url-fetcher.php:89] Filesize: 14246 bytes
-[class-ss-url-fetcher.php:104] http_status_code: 200 | content_type: application/javascript
-[class-ss-url-fetcher.php:180] New filename for static page: wp-includes/js/wp-emoji-release.min.js
-[class-ss-url-fetcher.php:120] Renaming temp file from /tmp/5f9593ab2d225-A0zDVK.tmp to /var/www/html/wp-content/plugins/simply-static/static-files/simply-static-1-1603638186/wp-includes/js/wp-emoji-release.min.js
-[class-ss-fetch-urls-task.php:99] Extracting URLs and replacing URLs in the static file
-[class-ss-fetch-urls-task.php:106] Adding 0 URLs to the queue
-[class-ss-fetch-urls-task.php:117] We're saving this URL; keeping the static file
-[class-ss-task.php:38] Status message: [fetch_urls] 0 pages/fichiers sur 2 générés
-[class-ss-archive-creation-job.php:147] We're not done with the fetch_urls task yet
-[class-ss-archive-creation-job.php:105] Current task: fetch_urls
-[class-ss-archive-creation-job.php:120] Performing task: fetch_urls
-[class-ss-fetch-urls-task.php:37] Total pages: 2; Pages remaining: 0
-[class-ss-task.php:38] Status message: [fetch_urls] 2 pages/fichiers sur 2 générés
-[class-ss-archive-creation-job.php:142] We've found our next task: transfer_files_locally
-[class-ss-archive-creation-job.php:105] Current task: transfer_files_locally
-[class-ss-archive-creation-job.php:120] Performing task: transfer_files_locally
-[class-ss-transfer-files-locally-task.php:64] Total pages: 2; Pages remaining: 2
-[class-ss-archive-creation-job.php:147] We're not done with the transfer_files_locally task yet
-[class-ss-archive-creation-job.php:105] Current task: transfer_files_locally
-[class-ss-archive-creation-job.php:120] Performing task: transfer_files_locally
-[class-ss-transfer-files-locally-task.php:64] Total pages: 2; Pages remaining: 0
-[class-ss-task.php:38] Status message: [transfer_files_locally] 2 fichiers sur 2 copiés
-[class-ss-archive-creation-job.php:142] We've found our next task: wrapup
-[class-ss-archive-creation-job.php:105] Current task: wrapup
-[class-ss-archive-creation-job.php:120] Performing task: wrapup
-[class-ss-wrapup-task.php:13] Deleting temporary files
-[class-ss-task.php:38] Status message: [wrapup] Fin du processus
-[class-ss-archive-creation-job.php:138] This task is done and there are no more tasks, time to complete the job
-[class-ss-archive-creation-job.php:161] Completing the job
-[class-ss-archive-creation-job.php:271] Status message: [done] Effectué ! Fini en 00:00:01

services/dnscerts.jean-cloud.org/deploy_user.sh

@@ -1,15 +1,11 @@
 #!/bin/bash
 
-set -euo pipefail
+set -u
 
 . driglibash-base
-here="$(where)"
 
 # For some variables
 . /etc/jeancloud.env
-set -a
-. "$here/.env"
-set +a
 
 # Test secret presence
 [ ! -f "$DATA_DIR/rfc2136.ini" ] && echo "$0 Missing file '$DATA_DIR/rfc2136.ini'" && exit 1
@@ -17,24 +13,13 @@ set +a
 export workdir="$(mktemp -d)"
 mkdir -p "$workdir/{work,logs}"
 
-# If there is some args, populate a fake service file
-if [ "$#" -ge 1 ] && [ -n "$1" ] ; then
-	servicefile="$(mktemp)"
-	for service in "$@" ; do
-		echo "$service _" >> "$servicefile"
-	done
-fi
 
 echo "Renew existing certs"
-certbot renew --config-dir "$DATA_DIR/certs" --logs-dir "$workdir/logs" --dns-rfc2136 --dns-rfc2136-credentials "$DATA_DIR/rfc2136.ini" --work-dir "$workdir"
+certbot renew --config-dir "$DATA_DIR/certs" --logs-dir "$workdir/logs" --dns-rfc2136 --dns-rfc2136-credentials "$DATA_DIR/rfc2136.ini" --work-dir "$workdir" || true
 
 echo "For each service, read all possible domains"
 while IFS=';' read -r id username service target ; do
-	# TODO remove
+	if [ -z "$service" ] ; then continue ; fi
-	 [ "$service" = collectif-arthadie.fr ]  && continue
-
-	# remove dummy cert
-	dummy_cert.sh "$service" remove || true
 
 	if [ -d "$DATA_DIR/certs/live/$service" ] ; then
 		#echo "Already exists, thats a job for renew : $service"
@@ -42,12 +27,12 @@ while IFS=';' read -r id username service target ; do
 	fi
 
 	# acme
-	"$here/acme-dns.sh" "$service" "$workdir"
+	"$DOCKER_DIR/acme-dns.sh" "$service" "$workdir"
 
 done < <(grep -v '^#' "$servicefile")
 
 echo "Push certs to other servers"
-for srv in $(host -t TXT shlago.jean-cloud.org ns.jean-cloud.org | grep -Po 'descriptive text "\K[^"]+' | tr ',' ' ' | tr ' ' '\n') vandamme nougaro ; do
+for srv in $(host -t TXT shlago.jean-cloud.org ns.jean-cloud.org | grep -Po 'descriptive text "\K[^"]+' | tr ',' ' ' | tr ' ' '\n') nougaro tetede montbonnot max raku izzo ; do
 	server="$srv.jean-cloud.org"
 	[ -n "$(grep "$server" /etc/hosts)" ] && continue
 	echo "-- $server"

services/dnscerts.jean-cloud.org/run.sh

@@ -1,8 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-
-. driglibash-base
-here="$(where)"
-
-sudo -u certs bash -c "$here/run_as.sh $@"

services/etrevivant.net/backup_list.sh

@@ -1 +0,0 @@
-#!/bin/bash

services/gaia.jean-cloud.net/.env

@@ -0,0 +1 @@
+GIT_SOURCE_REPO=https://git.jean-cloud.net/adrian/gaia

services/gaia.jean-cloud.net/deploy_user.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+set -euo pipefail
+
+git_update.sh -d "$HTTP_DIR" -b "${GIT_SOURCE_BRANCH:-main}" "$GIT_SOURCE_REPO"
+

services/gaia.jean-cloud.net/nginx_server.conf

@@ -0,0 +1,13 @@
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  ssl_certificate $JC_CERT/fullchain.pem;
+  ssl_certificate_key $JC_CERT/privkey.pem;
+  server_name $JC_SERVICE www.$JC_SERVICE;
+  location / {
+          add_header Content-language fr;
+          root $HTTP_DIR/src;
+          index index.html;
+          try_files $uri $uri/ =404;
+  }
+}

services/grapes.chahut.jean-cloud.net/.env

@@ -1 +0,0 @@
-GIT_SOURCE_REPO=https://git.jean-cloud.net/adrian/grapesjs

services/grapes.chahut.jean-cloud.net/deploy_user.sh

@@ -1,3 +0,0 @@
-#!/bin/bash
-
-git_update.sh -d "$HTTP_DIR" "$GIT_SOURCE_REPO" 

services/grapes.chahut.jean-cloud.net/nginx_server.conf

@@ -1,35 +0,0 @@
-server {
-  listen 443 ssl http2;
-  listen [::]:443 ssl http2;
-  ssl_certificate $JC_CERT/fullchain.pem;
-  ssl_certificate_key $JC_CERT/privkey.pem;
-  server_name grapes.chahut.jean-cloud.net;
-  root $HTTP_DIR;
-
-  # Security headers
-  # We can create a file with the base security headers and include it.
-  # Will it be possible to overload them then ?
-  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-  #add_header Content-Security-Policy "default-src 'self' https://cdnjs.cloudflare.com/ajax/libs/font-awesome/ ;frame-ancestors 'none'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://cdnjs.cloudflare.com/ajax/libs/font-awesome/ ; img-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com/ajax/libs/font-awesome/ ; base-uri 'self'; form-action 'self';" always;
-  add_header X-Content-Type-Options "nosniff";
-  add_header X-Frame-Options SAMEORIGIN always;
-  add_header X-XSS-Protection "1; mode=block" always;
-  #add_header Referrer-Policy "strict-origin-when-cross-origin";
-  add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';sync-xhr='https://mailer.jean-cloud.net';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';";
-
-  auth_basic           "Mot de passe !";
-  auth_basic_user_file $DATA_DIR/pass.txt;
-
-  location / {
-    index index.html;
-    try_files $uri $uri/ =404;
-  }
-
-  location /projects {
-    proxy_set_header Host $http_host;
-    proxy_set_header X-Forwarded-Proto https;
-	proxy_pass http://$NET.100:3000;
-    proxy_redirect off;
-
-  }
-}

services/inurbe.fr/nginx_server.conf

@@ -1,8 +1,8 @@
 server {
   listen 443 ssl http2;
   listen [::]:443 ssl http2;
-  ssl_certificate $http_certs_dir/inurbe.fr/fullchain.pem;
+  ssl_certificate $JC_CERT/fullchain.pem;
-  ssl_certificate_key $http_certs_dir/inurbe.fr/privkey.pem;
+  ssl_certificate_key $JC_CERT/privkey.pem;
   server_name $JC_SERVICE www.$JC_SERVICE;
 
   location /  {

services/lexicographe.jean-cloud.net/backup_list.sh

@@ -1 +0,0 @@
-../pelican/backup_list.sh

services/lyon1.studios.oma-radio.fr/deploy.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+wgif=omaLyon1
+ip=10.100.100.254
+run="ip netns exec $wgif"
+
+# Create netns if needed
+if ! ip netns | grep -q "$wgif" ; then
+    ip netns add "$wgif"
+fi
+
+# Create iface
+if ! $run ip link | grep -q "$wgif" ; then
+    ip link add "$wgif" type wireguard
+    ip link set "$wgif" netns "$wgif"
+fi
+
+# Set ip
+if ! $run ip -4 -o a | grep -q "$ip" ; then
+	$run ip a add "$ip" dev "$wgif"
+fi
+
+# Set route
+if ! $run ip -4 -o r | grep -q "default dev $wgif" ; then
+	$run ip r add default dev "$wgif"
+fi
+
+# Up iface
+$run ip link set up dev "$wgif"
+
+# Load config
+$run wg setconf "$wgif" "/etc/wireguard/$wgif.conf"

services/lyon1.studios.oma-radio.fr/wgns-omaLyon1.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+set -euo pipefail
+
+. .env
+
+wgif="$1"
+
+echo "
+[Interface]
+PrivateKey = $(cat $DATA_DIR/$wgif.wgprivatekey)
+ListenPort = $((51800+$JC_ID))
+#Address = 10.100.100.254/32
+
+[Peer] # Adrian
+PublicKey = p4/km7Rtl5IgYGw8OPIyE0/f8UoRbcMJwkVJ0Zyv/C8=
+AllowedIPs = 10.100.100.253/32
+
+[Peer] # Nico
+PublicKey = jsXBs8tZn1sWT73xx3DWEdGAWv6SjfQ2TAxX+8pL6mU=
+AllowedIPs = 10.100.100.252/32
+
+[Peer] # Passerelle
+PublicKey = ZTKOW5DE8jPO8oMh5hAw/c1MQSlUaVxInMPz9Zdwzwo=
+AllowedIPs = 10.100.100.0/24,192.168.100.0/24
+
+[Peer] # Debug
+PublicKey = K9IpoUbjyN+42y0YG3OIwAPRBZcd92GnKfbYEj3RZ18=
+AllowedIPs = 10.100.100.21/32
+"

services/metamorphosemagazine.fr/.env

@@ -1 +1,3 @@
 GIT_SOURCE_REPO=https://git.jean-cloud.net/adrian/metamorphose
+GIT_SOURCE_BRANCH=master
+

services/metamorphosemagazine.fr/deploy_user.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
 set -euo pipefail
 
-git_update.sh -d "$HTTP_DIR" "$GIT_SOURCE_REPO"
+git_update.sh -d "$HTTP_DIR" -b "${GIT_SOURCE_BRANCH:-main}" "$GIT_SOURCE_REPO"
+

services/metamorphosemagazine.fr/docker-compose.yml

@@ -1 +0,0 @@
-version: '3'

services/mutubot.jean-cloud.net/deploy_user.sh.old

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+if [ ! -d venv ] ; then
+	virtualenv venv
+fi
+
+. venv/bin/activate
+
+git_update.sh -b v1 -d $HTTP_DIR https://git.jean-cloud.net/adrian/mutubot.git
+
+pip install -r requirements.txt
+
+

services/mutubot.jean-cloud.net/docker-compose.yml

@@ -1,9 +1,16 @@
 version: '3'
+
 services:
-  json_server:
+
-    image: jeancloud/json-server
+  bot:
+    image: jeancloud/mutubot:1
+    restart: unless-stopped
+    env_file:
+      - $DATA_DIR/.env
+    environment:
+      TZ: Europe/Paris
     volumes:
-      - "$DATA_DIR:/usr/lib/json-server"
+      - $DATA_DIR/guilds.yml:/usr/src/app/guilds.yml
     networks:
       default:
         ipv4_address: $NET.100
@@ -12,8 +19,10 @@ services:
         limits:
           cpus: '0.50'
           memory: 100M
+
 networks:
   default:
     ipam:
       config:
         - subnet: $NET.0/24
+

services/mux.radiodemo.oma-radio.fr/backup_list.sh

@@ -1 +0,0 @@
-#!/bin/bash

services/mux.radiodemo.oma-radio.fr/docker-compose.yml

@@ -8,6 +8,7 @@ services:
     environment:
       OMA_CONFIG_Client1Host: $NET.108
       OMA_CONFIG_TelecommandeHost: $NET$TELECOM
+      OMA_CONFIG_Pige: on
     volumes:
       - $SOUNDBASE_DIR/pige:/app/pige
     ports:
@@ -73,6 +74,11 @@ services:
     networks:
       default:
         ipv4_address: $NET.108
+    deploy:
+      resources:
+        limits:
+          cpus: '0.50'
+          memory: 300M
 
           #radioking:
           #  image: jeancloud/liquidsoap:1.3.7

services/mux.radiodemo.oma-radio.fr/liquidsoap.liq

@@ -42,14 +42,14 @@ end
 
 # Exaustive integrity check
 def clean_and_check_all ()
-	list.iter(clean_if_old, file.ls("/soundbase/pige/"))
+	#list.iter(clean_if_old, file.ls("/soundbase/pige/"))
 	list.iter(clean_and_check, file.ls("/soundbase/pige/"))
 end
 
 
 
 # Mux
-input1 = mksafe(input.harbor("direct.ogg",port=8000,password=getenv("LIQUIDSOAP_SOURCE_PASSWORD")))
+input1 = mksafe(input.harbor("direct.ogg",port=8000,password=getenv("ICECAST_SOURCE_PASSWORD")))
 
 # Direct mp3
 output.icecast(

services/nginx_exporter/deploy.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+format="$(grep -oP "^[[:space:]]*log_format main '\K[^;]*(?=';$)" nginx.conf | sed 's/"/\\\\"/g')"
+echo "$format"
+sed -e "s/%HOST%/$(hostname)/g" -e "s/%FORMAT%/$format/g" exporter_config_template.yml > exporter_config.yml

services/nginx_exporter/docker-compose.yml

@@ -0,0 +1,25 @@
+version: '3'
+services:
+  exporter:
+    image: quay.io/martinhelmich/prometheus-nginxlog-exporter:v1
+    volumes:
+      - /var/log/nginx:/var/log/nginx
+      - exporter_config.yml:/etc/exporter_config.yml
+    command: ["/etc/exporter_config.yml"]
+    restart: unless-stopped
+    networks:
+      default:
+        ipv4_address: $NET.100
+    deploy:
+      resources:
+        limits:
+          cpus: '0.50'
+          memory: 100M
+
+
+networks:
+  default:
+    ipam:
+      config:
+        - subnet: $NET.0/24
+

services/nginx_exporter/exporter_config_template.yml

@@ -0,0 +1,17 @@
+listen:
+  port: 4040
+  address: "localhost"
+  metrics_endpoint: "/metrics"
+
+namespaces:
+  - name: nginx
+    format: "%FORMAT%"
+    source:
+      files:
+        - /var/log/nginx/access.log
+     metrics_override:
+       - from: server_name
+    labels:
+      host: %HOST%
+      environment: "production"
+    histogram_buckets: [.001, .01, .1, .5, 1, 5, 10]

services/ns.jean-cloud.org/deploy.sh

@@ -9,7 +9,7 @@ set -a
 set +a
 
 # Do not run if primary exists
-[ -d "$DATA_DIR/keys" ] && echo 'ns1 found on this host. Aborting.' && exit 0
+[ -d "$DATA_DIR/keys" ] && echo 'ns1 found on this host. Aborting.' && exit 1
 
 export keydir=""
 runthis secondary

services/ns1.jean-cloud.org/deploy.sh

@@ -27,6 +27,8 @@ primary_ips=""
 # IP of secondary servers (for zone transfer)
 # master.retzo.net
 secondary_ips="159.69.124.127;2a01:4f8:c17:d8f2::1;"
+# tetede
+secondary_ips="${secondary_ips}51.195.40.128;"
 
 # NS name
 default_dns_name="ns.jean-cloud.org."
@@ -39,8 +41,8 @@ runthis () {
 	fi
 
 	prepare
-	primary_ips="$primary_ips$(fakeresolve_ip_list tetede)"
+	primary_ips="$primary_ips$(fakeresolve_ip_list izzo)"
-	secondary_ips="$secondary_ips$(fakeresolve_ip_list shlago)"
+	secondary_ips="$secondary_ips$(fakeresolve_ip_list ns)"
 
 	line_in_file "primary_ips=\"$primary_ips\"" "$DOCKER_DIR/.env"
 	line_in_file "secondary_ips=\"$secondary_ips\"" "$DOCKER_DIR/.env"
@@ -55,6 +57,7 @@ runthis () {
 }
 
 main () {
+	aa-disable /etc/apparmor.d/usr.sbin.named
 	runthis primary
 }
 

services/ns1.jean-cloud.org/helper_functions.sh

@@ -21,11 +21,12 @@ prepare () {
 	fi
 	
 	echo 'Sync the git repo'
-	run sudo -u bind git_update.sh -N -b main -i "$SECRET_DIR/gitkey" -d "$debian_bind_confdir" 'ssh://git@git.jean-cloud.net:22529/adrian/dnszones.git'
+	run sudo -u bind git_update.sh -N -b main -i "$DATA_DIR/gitkey" -d "$debian_bind_confdir" 'ssh://git@git.jean-cloud.net:22529/adrian/dnszones.git'
 	cd /etc/bind
 	
 	
 	echo 'Prepare bind: Remove autogenerated part from bind conf files'
+	rm /etc/bind/*.jnl &>/dev/null || true
 	sed -i -n "/$autoconf_separator/q;p" "$debian_bind_confdir"/*
 	
 	echo 'Put the separator back'
@@ -39,12 +40,12 @@ restart () {
 	echo 'Check named conf'
 	run named-checkconf "$debian_bind_confdir/named.conf"
 	for db_file in $(list_db_files) ; do
-		domain="${db_file:3}"
+		domain="$(basename "$db_file")"
+		domain="${domain:3}"
 		run named-checkzone "$domain" "$db_file"
 	done
 
 	echo 'Restart named'
-	rm /etc/bind/*.jnl || true
 	systemctl restart named
 }
 
@@ -139,15 +140,14 @@ create_primary_files () {
 		sed -i "s/\(@ SOA [^(]*( \)[0-9]\+/\1$serial/"  "$new_db_file"
 
 		# Add this dns server if not present
-		if [ -z "$(grep '[^;].*(IN)?.*NS.*$default_dns_name' "$new_db_file")" ] ; then
+		if ! grep -q '[^;].*(IN)?.*NS.*' "$new_db_file" ; then
-			echo "@ NS $default_dns_name" >> "$new_db_file"
+			cat default_ns >> "$new_db_file"
 		fi
 
 		# Add DS record
-		if [ -n "$(ls "$DATA_DIR/keys/K$domain"*.key)" ] ; then
+		#if [ -n "$(ls "$DATA_DIR/keys/K$domain"*.key)" ] ; then
-			echo ""
 			#dnssec-dsfromkey "$DATA_DIR/keys/K$domain"*.key | sed "s/${domain}./@/" >> "$new_db_file"
-		fi
+		#fi
 
 		# Populate named.conf.local
 		cat  >> "$debian_bind_confdir/named.conf.local" <<-EOF

services/nuage.jean-cloud.net/docker-compose.yml

@@ -87,6 +87,21 @@ services:
           cpus: '0.50'
           memory: 2000M
 
+  collabora:
+    image: collabora/code
+    environment:
+      - "dictionaries=fr"
+      - "server_name=office.nuage.jean-cloud.net"
+    restart: unless-stopped
+    networks:
+      default:
+        ipv4_address: $NET.106
+    deploy:
+      resources:
+        limits:
+          cpus: '1'
+          memory: 2000M
+
 networks:
   default:
     ipam:

services/nuage.jean-cloud.net/nginx_server.conf

@@ -24,7 +24,7 @@ server {
     ssl_certificate_key $JC_CERT/privkey.pem;
 
 
-    limit_req zone=defaultlimit burst=500 nodelay;
+    #limit_req zone=defaultlimit burst=500 nodelay;
 
     # Prevent nginx HTTP Server Detection
     server_tokens off;
@@ -76,8 +76,7 @@ server {
     # only for Nextcloud like below:
     include mime.types;
     types {
-        text/javascript js mjs;
+        text/javascript mjs;
-	application/wasm wasm;
     }
 
     # Specify how to handle directories -- specifying `/index.php$request_uri`
@@ -263,3 +262,29 @@ server {
         	proxy_set_header  Connection $connection_upgrade;
 	}
 }
+
+server {
+        listen 443 ssl http2;
+        listen [::]:443 ssl http2;
+        ssl_certificate $JC_CERT/fullchain.pem;
+        ssl_certificate_key $JC_CERT/privkey.pem;
+        server_name office.nuage.jean-cloud.net;
+
+	location / {
+		proxy_pass https://$NET.106:9980;
+        	proxy_buffering    off; # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
+        	proxy_set_header   Host $host;
+        	proxy_pass_header  Server;
+
+        	# Note you might want to pass these headers etc too.
+        	#proxy_set_header    X-Real-IP $remote_addr; # https://nginx.org/en/docs/http/ngx_http_proxy_module.html
+        	#proxy_set_header    X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP
+        	proxy_set_header    X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
+        	proxy_http_version  1.1; # recommended with keepalive connections
+
+        	# WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html
+        	proxy_set_header  Upgrade $http_upgrade;
+        	proxy_set_header  Connection $connection_upgrade;
+	}
+}
+

services/oma-radio.fr/backup_list.sh

@@ -1 +0,0 @@
-#!/bin/bash

services/quadrille-elsa.jean-cloud.net/deploy.sh

@@ -1 +0,0 @@
-../hugo/deploy.sh

services/quadrille-elsa.jean-cloud.net/deploy.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+apt install -y hugo

services/quadrille-elsa.jean-cloud.net/deploy_user.sh

@@ -1 +0,0 @@
-../hugo/deploy_user.sh

services/quadrille-elsa.jean-cloud.net/deploy_user.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+set -euo pipefail
+
+# Update git repo
+git_update.sh -d "$HTTP_DIR" -b "${GIT_SOURCE_BRANCH:-main}" "$GIT_SOURCE_REPO"
+
+cd "$HTTP_DIR"
+
+# Get remote content files
+rclone_ncloud_publiclink.sh
+
+# Invalid cache
+#rm -rf "/tmp/hugo_cache_$USER"
+
+# Build website
+HUGO_CACHEDIR="/tmp/hugo_cache_$USER" hugo

services/quadrille-elsa.jean-cloud.net/nginx_server.conf

@@ -1 +0,0 @@
-../hugo/nginx_server.conf

services/quadrille-elsa.jean-cloud.net/nginx_server.conf

@@ -0,0 +1,24 @@
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  ssl_certificate $JC_CERT/fullchain.pem;
+  ssl_certificate_key $JC_CERT/privkey.pem;
+  server_name $JC_SERVICE www.$JC_SERVICE;
+  root $HTTP_DIR/public;
+
+  # Security headers
+  # We can create a file with the base security headers and include it.
+  # Will it be possible to overload them then ?
+  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+  add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net/; img-src 'self'; font-src 'self' https://cdn.jsdelivr.net/; object-src 'none'; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net/; base-uri 'self'; form-action 'self';" always;
+  add_header X-Content-Type-Options "nosniff";
+  add_header X-Frame-Options SAMEORIGIN always;
+  add_header X-XSS-Protection "1; mode=block" always;
+  add_header Referrer-Policy "strict-origin-when-cross-origin";
+  add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';sync-xhr='https://mailer.jean-cloud.net';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';";
+
+  location / {
+          index index.html;
+          try_files $uri $uri/ =404;
+  }
+}

services/radiokipik.org/.env

@@ -0,0 +1,4 @@
+GIT_SOURCE_REPO="git@gitlab.com:omaradio/website.git"
+RADIO_HOST=mux.radiodemo.oma-radio.fr
+USE_SSL=true
+WEBSOCKET_PORT=2004

services/radiokipik.org/.known_hosts

@@ -0,0 +1,2 @@
+gitlab.com ssh-dss AAAAB3NzaC1kc3MAAACBAMPKInNPflcRle9F5Qt2j9aI0EZuWQzdXTbYvsl+ChaacqCOWRMiOmXHXqetFz6jD/6Fcqg20ZATxqSskQBaRn97O/mbH+GQk4d3zw9WAEURicE8rKJop3qGtdfFxLzrTuF/PAkKRDMmutT3hwZIOO8CFWOl1BiuUYTncJTeonrfAAAAFQCujauoy3Yy+ul72b/WsTECUPj9yQAAAIBIV2yyF7RZf7IYS8tsWcKP7Y5Bv9eFdbvbtsaxcFCHcmHIGoJQrIdPoueoOb5EUTYz0NgYKsKaZzDZkgFk28GsmLxKvhnPjaw0lJVSKRchEE5xVlamOlabiRMjQ7X/bAdejkBJe96AjZZL3UO4acpwfy3Tnnap0w6YCDeaxoyHpwAAAIAU+dyNaL3Hy15VIV32QwWMekvxeptUY/DW03LNcgZZDoin87TE9xuQhM0qF3pi2i2a2ExuslgdttmYWvrbEz8eW+RFgvT5pKwWpalKWetHvtN3oYZP37ZIO1Y3Hd5A4YVcpYp1ccRayveLlCRwxb4HdGXT2OmYU+lmvimIR8zQ6A==
+gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9

services/radiokipik.org/deploy_user.sh.bak

@@ -0,0 +1 @@
+../hugo/deploy_user.sh

services/radiokipik.org/nginx_server.conf

@@ -0,0 +1,26 @@
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  ssl_certificate $JC_CERT/fullchain.pem;
+  ssl_certificate_key $JC_CERT/privkey.pem;
+  server_name $JC_SERVICE www.$JC_SERVICE;
+  root $HTTP_DIR/;
+
+  # Security headers
+  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+  #add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self' 'https://static.jean-cloud.net/player-interface/*' ; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self' 'https://static.jean-cloud.net/player-interface/*' 'https://cdn.jsdelivr.net/npm/*'; base-uri 'self'; form-action 'self';" always;
+  add_header X-Content-Type-Options "nosniff";
+  add_header X-Frame-Options SAMEORIGIN always;
+  add_header X-XSS-Protection "1; mode=block" always;
+  add_header Referrer-Policy "strict-origin-when-cross-origin";
+  add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';";
+
+  location / {
+          index index.html;
+          try_files $uri $uri/ =404;
+  }
+
+  location /manager {
+	  return 301 $scheme://mux.$JC_SERVICE/manager;
+  }
+}

services/services.csv

@@ -1,22 +1,19 @@
 # This is not real CSV. Do not put separator in a field, even escaped
 # ID ; username ; service name ; server name
 1;sftp.jean-cloud.net;sftp.jean-cloud.net;raku.jean-cloud.org
-2;benevoles31.karnaval.fr;benevoles31.karnaval.fr;max.jean-cloud.org
+#2;benevoles31.karnaval.fr;benevoles31.karnaval.fr;max.jean-cloud.org
 3;builder.rimarima.fr;builder.rimarima.fr;raku.jean-cloud.org
-4;chahut.jean-cloud.net;chahut.jean-cloud.net;max.jean-cloud.org
 5;chiloe.eu;chiloe.eu;shlago.jean-cloud.org
-#6;coldcms.chahut.jean-cloud.net;coldcms.chahut.jean-cloud.net;raku.jean-cloud.org
+7;collectif-arthadie.fr;collectif-arthadie.fr;izzo.jean-cloud.org
-7;collectif-arthadie.fr;collectif-arthadie.fr;vandamme.jean-cloud.org
+8;compagnienouvelle.fr;compagnienouvelle.fr;shlago.jean-cloud.org
-8;compagnienouvelle.fr;compagnienouvelle.fr;nougaro.jean-cloud.org
+9;copaines.jean-cloud.net;copaines.jean-cloud.net;shlago.jean-cloud.org
-9;copaines.jean-cloud.net;copaines.jean-cloud.net;max.jean-cloud.org
 11;deployer.jean-cloud.org;deployer.jean-cloud.org;shlago.jean-cloud.org
-12;dnscerts.jean-cloud.org;dnscerts.jean-cloud.org;max.jean-cloud.org
+12;dnscerts.jean-cloud.org;dnscerts.jean-cloud.org;montbonnot.jean-cloud.org
 13;etrevivant.net;etrevivant.net;shlago.jean-cloud.org
 14;feministesucl34.communistesliber;feministesucl34.communisteslibertaires.org;none
 15;feteducourt.jean-cloud.net;feteducourt.jean-cloud.net;shlago.jean-cloud.org
 16;feteducourt2020.jean-cloud.net;feteducourt2020.jean-cloud.net;shlago.jean-cloud.org
 17;git.jean-cloud.net;git.jean-cloud.net;izzo.jean-cloud.org
-#18;grapes.chahut.jean-cloud.net;grapes.chahut.jean-cloud.net;max.jean-cloud.org
 20;inurbe.fr;inurbe.fr;shlago.jean-cloud.org
 21;jean-cloud.net;jean-cloud.net;shlago.jean-cloud.org
 22;leida.fr;leida.fr;shlago.jean-cloud.org
@@ -24,8 +21,8 @@
 24;metamorphosemagazine.fr;metamorphosemagazine.fr;shlago.jean-cloud.org
 25;mux.radiodemo.oma-radio.fr;mux.radiodemo.oma-radio.fr;raku.jean-cloud.org
 26;nc-backup.jean-cloud.net;nc-backup.jean-cloud.net;raku.jean-cloud.org
-27;ns.jean-cloud.org;ns.jean-cloud.org;shlago.jean-cloud.org
+27;ns.jean-cloud.org;ns.jean-cloud.org;nowhere
-28;ns1.jean-cloud.org;ns1.jean-cloud.org;tetede.jean-cloud.org
+28;ns1.jean-cloud.org;ns1.jean-cloud.org;izzo.jean-cloud.org
 29;nuage.jean-cloud.net;nuage.jean-cloud.net;izzo.jean-cloud.org
 30;oma-radio.fr;oma-radio.fr;izzo.jean-cloud.org
 31;pa1.studios.oma-radio.fr;pa1.studios.oma-radio.fr;tetede.jean-cloud.org
@@ -33,7 +30,7 @@
 33;quadrille-elsa.jean-cloud.net;quadrille-elsa.jean-cloud.net;shlago.jean-cloud.org
 34;radiodemo.oma-radio.fr;radiodemo.oma-radio.fr;raku.jean-cloud.org
 35;radionimaitre.oma-radio.fr;radionimaitre.oma-radio.fr;tetede.jean-cloud.org
-36;raplacgr.jean-cloud.net;raplacgr.jean-cloud.net;tetede.jean-cloud.org
+36;raplacgr.jean-cloud.net;raplacgr.jean-cloud.net;izzo.jean-cloud.org
 37;rimarima.fr;rimarima.fr;raku.jean-cloud.org
 38;rpnow.jean-cloud.net;rpnow.jean-cloud.net;izzo.jean-cloud.org
 39;soundbase.radiodemo.oma-radio.fr;soundbase.radiodemo.oma-radio.fr;montbonnot.jean-cloud.org
@@ -41,7 +38,7 @@
 41;velov.jean-cloud.net;velov.jean-cloud.net;shlago.jean-cloud.org
 42;wiki-cgr.jean-cloud.net;wiki-cgr.jean-cloud.net;izzo.jean-cloud.org
 43;radio.karnaval.fr;radio.karnaval.fr;tetede.jean-cloud.org
-44;wordpress.abc.jean-cloud.net;wordpress.abc.jean-cloud.net;max.jean-cloud.org
+44;wordpress.abc.jean-cloud.net;wordpress.abc.jean-cloud.net;raku.jean-cloud.org
 45;jean-cloud.org;jean-cloud.org;shlago.jean-cloud.org
 46;soundbase.paj.oma-radio.fr;soundbase.paj.oma-radio.fr;montbonnot.jean-cloud.org
 47;backup-borg-server;backup-borg-server;montbonnot.jean-cloud.org
@@ -50,5 +47,11 @@
 50;monitoring.jean-cloud.net;monitoring.jean-cloud.net;montbonnot.jean-cloud.org
 51;benevoles32.karnaval.fr;benevoles32.karnaval.fr;izzo.jean-cloud.org
 52;nginx_exporter;nginx_exporter;shlago.jean-cloud.org
-53;benevoles.karnaval.fr;benevoles.karnaval.fr;izzo.jean-cloud.org
+#54;accent.jean-cloud.net;accent.jean-cloud.net;raku.jean-cloud.org
-54;accent.jean-cloud.net;accent.jean-cloud.net;raku.jean-cloud.org
+55;gaia.jean-cloud.net;gaia.jean-cloud.net;shlago.jean-cloud.org
+56;association-chahut.fr;association-chahut.fr;izzo.jean-cloud.org
+57;mutubot.jean-cloud.net;mutubot.jean-cloud.net;izzo.jean-cloud.org
+59;lyon1.studios.oma-radio.fr;lyon1.studios.oma-radio.fr;izzo.jean-cloud.org
+60;soundbase.radiokipik.org;soundbase.radiokipik.org;montbonnot.jean-cloud.org
+61;radiokipik.org;radiokipik.org;izzo.jean-cloud.org
+62;mux.radiokipik.org;mux.radiokipik.org;izzo.jean-cloud.org

services/sftp.jean-cloud.net/docker-compose.yml

@@ -11,6 +11,7 @@ services:
         - $DATA_DIR/home:/home
         - $DATA_DIR/home/leida/public:/home/leidaRO/public:ro
         - $DATA_DIR/home/chiloe/public:/home/chiloeRO/public:ro
+        - $DATA_DIR/home/compagnienouvelle.fr/public:/home/compagnienouvelle.frRO/public:ro
       ports:
         - '2929:22'
 

services/soundbase.radiodemo.oma-radio.fr/.env

@@ -19,6 +19,6 @@ DOCKER_INSTANCES_PREFIX=soundbaseradiodemooma-radiofr-
 DOCKER_INSTANCES_SUFIX=-1
 SOUNDBASE_DIR=/data/soundbase.radiodemo.oma-radio.fr/core/radioDemo
 USE_SSL=true
-MANAGER_WEBSITE_UPSTREAM=https://static.oma-radio.fr/single-manager/1.1.1
+MANAGER_VERSION=3.0.0
 PUBLIC_WEBSITE_UPSTREAM=https://static.oma-radio.fr/player-interface/1.1.1
 RADIO_HOST=radiodemo.oma-radio.fr

services/soundbase.radiodemo.oma-radio.fr/deploy.sh

@@ -1,3 +1,8 @@
 #!/bin/bash
 
-git_update.sh -b dev -i "$DATA_DIR/radiodemo-deploy" -d "$DATA_DIR/core" git@gitlab.com:omaradio/core.git
+apt install -y nodejs npm
+#docker run --rm -i -v /srv/http/soundbase.radiodemo.oma-radio.fr:/app node:alpine sh <<EOF
+#cd /app
+#npm install --production omaradio-web-manager@~$MANAGER_VERSION
+#npm update
+#EOF

services/soundbase.radiodemo.oma-radio.fr/docker-compose.yml

@@ -6,6 +6,9 @@ services:
     environment:
       OMA_CONFIG_Client1Host: mux.radiodemo.oma-radio.fr
       OMA_CONFIG_Client1Port: $MUX_SERVER_PORT
+      OMA_CONFIG_Client2: off
+      OMA_CONFIG_Client2Host: radionimaitre.oma-radio.fr
+      OMA_CONFIG_Client2Port: 9003
     volumes:
       - $SOUNDBASE_DIR:/app/soundBase
       - $DATA_DIR/secours-jingle.wavM:/app/secours/secours-jingle.wavM
@@ -75,6 +78,7 @@ services:
   system_api:
     image: jeancloud/system-api:dev
     env_file: .env
+    environment:
       UID: 33
       SOUNDBASE_PATH: /soundbase
       MOUNT: /api

services/soundbase.radiodemo.oma-radio.fr/nginx_server.conf

@@ -114,6 +114,7 @@ server {
 
 	# Admin interface
 	location  /manager {
+		alias $HTTP_DIR/manager/dist;
         auth_basic "Entrez votre identifiant et mot de passe";
         auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd; 
 		try_files $uri $uri/ =404;

services/soundbase.radiokipik.org/.env

@@ -0,0 +1,24 @@
+NET=10.29.0
+TELECOM=.101
+ICECAST=.110
+WEBSERVER=.105
+SYSTEM_API=.107
+TZ=Europe/Paris
+OMA_DOCKER_VERSION=dev
+WEBSOCKET_PORT=2004
+TELECOM_SERVER_PORT=3494
+OMA_CONFIG_TelecommandeHost=mux.radiodemo.oma-radio.fr
+OMA_CONFIG_TelecommandePort=3494
+MUX_SERVER_PORT=9004
+RADIO_NAME_SIMPLE=radiodemo
+OMA_CONFIG_NomRadio=radiodemo
+OMA_CONFIG_LogLevel=8
+RADIO_NAME_PRETTY="Radio Démo"
+COMPOSE_NAME=soundbaseradiodemooma-radiofr
+DOCKER_INSTANCES_PREFIX=soundbaseradiodemooma-radiofr-
+DOCKER_INSTANCES_SUFIX=-1
+SOUNDBASE_DIR=/data/soundbase.radiodemo.oma-radio.fr/core/radioDemo
+USE_SSL=true
+MANAGER_VERSION=3.0.0
+PUBLIC_WEBSITE_UPSTREAM=https://static.oma-radio.fr/player-interface/1.1.1
+RADIO_HOST=radiodemo.oma-radio.fr

services/soundbase.radiokipik.org/deploy.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+apt install -y nodejs npm
+#docker run --rm -i -v /srv/http/soundbase.radiodemo.oma-radio.fr:/app node:alpine sh <<EOF
+#cd /app
+#npm install --production omaradio-web-manager@~$MANAGER_VERSION
+#npm update
+#EOF

services/soundbase.radiokipik.org/deploy_user.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+#if [ -d "$DATA_DIR/core" ] ; then
+#	git_update.sh -b dev -i "$DATA_DIR/gitlab-deploy.sshprivkey" -d "$DATA_DIR/core" git@gitlab.com:omaradio/core.git
+#fi
+
+chmod 700 "$SECRET_DIR/gitlab-deploy.sshprivkey"
+mkdir -p "$HTTP_DIR/manager"
+git_update.sh -b 'v3' -i "$SECRET_DIR/gitlab-deploy.sshprivkey" -d "$HTTP_DIR/manager" git@gitlab.com:omaradio/single-manager.git
+cd "$HTTP_DIR/manager"
+npm install
+#npm audit fix
+npm run build
+
+
+#semver_prefix="3."
+## Get available versions
+#json="$(curl 'https://gitlab.com/api/v4/projects/omaradio%2Fsingle-manager/packages?order_by=version&sort=desc&package_name=manager&status=default' )"
+#
+## Get the latest one
+#latest="$(echo "$json" | grep -Po '"version":"\K'"$semver_prefix"'[^"]+"' | tr -d '"' | sort -g | tail -n 1)"
+#if [ -z "$latest" ] ; then
+#	echo "Version is empty"
+#	exit 1
+#fi
+#
+## Get associated link
+#link="$(echo "$json" | jq ".[] | select(.version? | match(\"$latest\")) | ._links.web_path" | sed -e 's/^"//' -e 's/"$//')"
+#if [ -z "$link" ] ; then
+#	echo "Link is empty"
+#	exit 1
+#fi
+#
+#cd "$HTTP_DIR"
+
+#wget https://gitlab.com/omaradio/single-manager/-/package_files/117195410/download -O - | tar xz 

services/soundbase.radiokipik.org/docker-compose.yml

@@ -0,0 +1,130 @@
+version: '3'
+services:
+  anthracite_jukebox:
+    image: registry.gitlab.com/omaradio/core/oma-jukebox:$OMA_DOCKER_VERSION
+    env_file: .env
+    environment:
+      OMA_CONFIG_Client1Host: mux.radiodemo.oma-radio.fr
+      OMA_CONFIG_Client1Port: $MUX_SERVER_PORT
+      OMA_CONFIG_Client2: off
+      OMA_CONFIG_Client2Host: radionimaitre.oma-radio.fr
+      OMA_CONFIG_Client2Port: 9003
+    volumes:
+      - $SOUNDBASE_DIR:/app/soundBase
+      - $DATA_DIR/secours-jingle.wavM:/app/secours/secours-jingle.wavM
+    restart: unless-stopped
+    networks:
+      default:
+        ipv4_address: $NET.102
+    deploy:
+      resources:
+        limits:
+          cpus: '0.50'
+          memory: 100M
+
+  azurite_jukebox_simulator:
+    image: registry.gitlab.com/omaradio/core/oma-jukebox-simulator:$OMA_DOCKER_VERSION
+    env_file: .env
+    volumes:
+      - $SOUNDBASE_DIR:/app/soundBase
+    restart: unless-stopped
+    networks:
+      default:
+        ipv4_address: $NET.103
+    deploy:
+      resources:
+        limits:
+          cpus: '0.50'
+          memory: 100M
+
+    #  aventurine_transcode:
+    #    image: jeancloud/transcode:$OMA_DOCKER_VERSION
+    #    env_file: .env
+    #    restart: unless-stopped
+
+
+  agate_importer:
+    image: registry.gitlab.com/omaradio/core/oma-baseimport:$OMA_DOCKER_VERSION
+    env_file: .env
+    volumes:
+      - $SOUNDBASE_DIR:/app/soundBase
+    restart: unless-stopped
+    networks:
+      default:
+        ipv4_address: $NET.104
+    deploy:
+      resources:
+        limits:
+          cpus: '0.50'
+          memory: 500M
+
+
+  rubis_base_mg:
+    image: registry.gitlab.com/omaradio/core/oma-base-mg:$OMA_DOCKER_VERSION
+    env_file: .env
+    restart: unless-stopped
+    volumes:
+      - $SOUNDBASE_DIR:/soundbase
+    networks:
+      default:
+        ipv4_address: $NET.106
+    deploy:
+      resources:
+        limits:
+          cpus: '0.50'
+          memory: 100M
+
+
+  system_api:
+    image: jeancloud/system-api:dev
+    env_file: .env
+    environment:
+      UID: 33
+      SOUNDBASE_PATH: /soundbase
+      MOUNT: /api
+      CONFIG_PATH: /config
+    restart: unless-stopped
+    volumes:
+      - /tmp/uwsgi/$JC_SERVICE:/tmp/uwsgi
+      - /var/run/docker.sock:/var/run/docker.sock
+      - $SOUNDBASE_DIR:/soundbase
+    networks:
+      default:
+        ipv4_address: $NET.107
+    deploy:
+      resources:
+        limits:
+          cpus: '0.50'
+          memory: 500M
+
+
+          #ammolite_mp3_addon:
+          #  image: jeancloud/mp3addon:$OMA_DOCKER_VERSION
+          #  env_file: .env
+          #  environment:
+          #    OMA_CONFIG_PigePrefix: /opt
+          #  restart: unless-stopped
+          #  volumes:
+          #      - $SOUNDBASE_DIR:/app/soundbase
+          #  networks:
+          #    default:
+          #      ipv4_address: $NET.109
+          #  deploy:
+          #    resources:
+          #      limits:
+          #        cpus: '0.05'
+
+            #  doxy:
+            #    image: qnib/doxy
+            #    volumes:
+            #      - /tmp/radiodemo.oma-radio.fr/doxy:/tmp/doxy
+            #      - /data/radiodemo.oma-radio.fr/doxy.pattern:/etc/doxy.pattern
+            #      - /var/run/docker.sock:/var/run/docker.sock
+            #    environment:
+            #      DOXY_PROXY_SOCKET: /tmp/doxy/doxy.sock
+
+networks:
+  default:
+    ipam:
+      config:
+        - subnet: $NET.0/24

services/soundbase.radiokipik.org/generate_nat.sh

@@ -0,0 +1,20 @@
+function extract_ports_from_compose {
+	if [ "$#" -ne 1 ] ; then
+		echo "function extract_ports_from_dockerfile needs 1 parameter : docker-compose file" >&2
+		exit 1
+	fi
+    ports=false
+    while read line ; do
+    	if [ "$line" = 'ports:' ] ; then
+    		ports=true
+    	elif "$ports" ; then
+    		if [[ "$line" != -* ]] ; then
+    			ports=false
+    		else
+    			echo $line | tr -d ' ' | tail -c +2
+    		fi
+    	fi
+    done < docker-compose.yml
+}
+
+extract_ports_from_compose docker-compose.yml | ../_deployer/template.sh .env

services/soundbase.radiokipik.org/nginx_server.conf

@@ -0,0 +1,122 @@
+# Parameters:
+# radio name
+# file path
+# ws port (local)
+# wss port (open)
+# upload service port
+# ssl certs location
+
+# TODO
+# /speedtest-down returns random data
+# can use : openssl enc -aes-256-ctr -pass pass:"$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64)" -nosalt < /dev/zero > randomfile.bin
+# /speedtest-up just eat everything it can
+
+
+
+
+
+server {
+	listen 80;
+	listen [::]:80;
+	server_name $JC_SERVICE;
+
+	root $SOUNDBASE_DIR/website;
+	index index.html;
+
+    location ~ /api(/.*) {
+        auth_basic "Entrez votre identifiant et mot de passe";
+        auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd; 
+        include uwsgi_params;
+        uwsgi_param PATH_INFO "$1";
+        uwsgi_param SCRIPT_NAME /api;
+        uwsgi_pass unix:/tmp/uwsgi/$JC_SERVICE/uwsgi-api.sock;
+        client_max_body_size 0;
+        proxy_connect_timeout       6000;
+        proxy_send_timeout          60000;
+        proxy_read_timeout          6000;
+        send_timeout                6000;
+        # kill cache
+        add_header Last-Modified $date_gmt;
+        add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
+        if_modified_since off;
+        expires off;
+        etag off;
+    }
+
+	location /pige{
+		alias $SOUNDBASE_DIR/pige;
+		try_files $uri $uri/ =404;
+	}
+    location /png {
+        alias $SOUNDBASE_DIR/png;
+        try_files $uri $uri/ =404;
+    }
+    location /webpL {
+        alias $SOUNDBASE_DIR/webpL;
+        try_files $uri $uri/ =404;
+    }
+    location /webpH {
+        alias $SOUNDBASE_DIR/webpH;
+        try_files $uri $uri/ =404;
+    }
+    location /ogg {
+        alias $SOUNDBASE_DIR/ogg;
+        try_files $uri $uri/ =404;
+    }
+    location /txt {
+        alias $SOUNDBASE_DIR/txt;
+        try_files $uri $uri/ =404;
+    }
+    location /wavM {
+        auth_basic "Entrez votre identifiant et mot de passe";
+        auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd; 
+        alias $SOUNDBASE_DIR/wavM;
+        try_files $uri $uri/ =404;
+    }
+    location /import {
+        auth_basic "Entrez votre identifiant et mot de passe";
+        auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd; 
+        alias $SOUNDBASE_DIR/import;
+        try_files $uri $uri/ =404;
+    }
+    location /export {
+        auth_basic "Entrez votre identifiant et mot de passe";
+        auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd; 
+        alias $SOUNDBASE_DIR/export;
+        try_files $uri $uri/ =404;
+    }
+    location /wav {
+        auth_basic "Entrez votre identifiant et mot de passe";
+        auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd; 
+        alias $SOUNDBASE_DIR/wav;
+        try_files $uri $uri/ =404;
+    }
+    location /fic {
+        alias $SOUNDBASE_DIR/fic;
+        try_files $uri $uri/ =404;
+    }
+    location /prg {
+        auth_basic "Entrez votre identifiant et mot de passe";
+        auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd; 
+        alias $SOUNDBASE_DIR/prg;
+        try_files $uri $uri/ =404;
+    }
+    location /lst {
+        auth_basic "Entrez votre identifiant et mot de passe";
+        auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd; 
+        alias $SOUNDBASE_DIR/lst;
+        try_files $uri $uri/ =404;
+    }
+    location /statique {
+        alias $SOUNDBASE_DIR/statique;
+        try_files $uri $uri/ =404;
+    }
+
+	# Admin interface
+	location  /manager {
+		alias $HTTP_DIR/manager/dist;
+        auth_basic "Entrez votre identifiant et mot de passe";
+        auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd; 
+		try_files $uri $uri/ =404;
+    }
+}

services/soundbase.radiokipik.org/wg-radiokipik.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -euo pipefail
+
+. .env
+
+[ -f "$DATA_DIR/soundbase.wgkey" ] || { echo 'No privatekey found' >&2 && exit 1 ; }
+
+echo "
+[Interface]
+PrivateKey = $(cat "$DATA_DIR/soundbase.wgkey")
+Address = 10.29.60.1/32
+ListenPort = 55860
+
+[Peer]
+PublicKey = 3ADrLVxzVqLHV530cT+paM+zNQBvm3KCW0voIN1wVBQ=
+AllowedIPs = 10.29.60.254/32
+Endpoint = mux.radiokipik.org:55825
+PersistentKeepalive = 30
+"