Compare commits
3 Commits
66e0e9a4da
...
19e0dc9c2f
Author | SHA1 | Date | |
---|---|---|---|
19e0dc9c2f | |||
|
38b20cf49d | ||
|
815965501b |
@ -88,6 +88,7 @@ install="$install linux-image-amd64 console-data grub2 locales vim openssh-serve
|
||||
debootstrap_done_marker="$mnt/etc/debootstrap_done"
|
||||
uefi_mountpoint=/boot/efi
|
||||
|
||||
dependancies="cryptsetup locales openssh-server wireguard-tools grub2"
|
||||
###############################################################################
|
||||
# Actual script
|
||||
###############################################################################
|
||||
@ -178,13 +179,12 @@ fi
|
||||
|
||||
mount_misc
|
||||
|
||||
|
||||
section "Installing selected software"
|
||||
echo "$repos" >> "$mnt/etc/apt/sources.list"
|
||||
run chroot "$mnt" <<EOF
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
apt-get update -q -y
|
||||
apt-get install -q -y cryptsetup $install
|
||||
apt-get install -q -y $install
|
||||
EOF
|
||||
# TODO watershed ?
|
||||
|
||||
|
@ -10,5 +10,4 @@ montbonnot.jean-cloud.org
|
||||
max.jean-cloud.org
|
||||
tetede.jean-cloud.org
|
||||
raku.jean-cloud.org
|
||||
vandamme.jean-cloud.org
|
||||
izzo.jean-cloud.org
|
||||
|
@ -22,7 +22,7 @@ if [ -d "/docker/$1" ] ; then
|
||||
elif [ -d "$1" ] && [[ "$1" = /docker/* ]] ; then
|
||||
service="$(basename "$1")"
|
||||
else
|
||||
die "/docker/$service not found"
|
||||
die "service $1 not found"
|
||||
fi
|
||||
|
||||
if [ ! -d "$new_nginx_conf_path" ] ; then
|
||||
@ -45,6 +45,8 @@ cd "/docker/$service"
|
||||
|
||||
# Source and export env file
|
||||
[ -f .env ] && set -a && . .env && set +a
|
||||
[ -f "$SECRET_DIR/.env" ] && set -a && . "$SECRET_DIR/.env" && set +a
|
||||
|
||||
|
||||
|
||||
###############################################################################
|
||||
@ -126,13 +128,11 @@ fi
|
||||
###############################################################################
|
||||
|
||||
# If there is a wireguard vpn script
|
||||
for file in $( find "/docker/$service" -name "wg-*.sh") ; do
|
||||
for file in $( find "/docker/$service" -name "wgns-*.sh") ; do
|
||||
section "Managing wg interface $(basename "$file")"
|
||||
if [ -x "$file" ] ; then
|
||||
wgnum="$(basename "$file")"
|
||||
wgnum="${wgnum:3:-3}"
|
||||
varname="WG_NAME_$wgnum"
|
||||
wgif="${!varname}"
|
||||
wgif="$(basename "$file")"
|
||||
wgif="${wgif:5:-3}"
|
||||
if [ -z "$wgif" ] ; then
|
||||
echo "No wireguard name for $file"
|
||||
returncode=1
|
||||
@ -140,13 +140,35 @@ for file in $( find "/docker/$service" -name "wg-*.sh") ; do
|
||||
fi
|
||||
"$file" $wgif > "/etc/wireguard/$wgif.conf"
|
||||
if "$deploy" ; then
|
||||
run systemctl enable "wg-quick@$wgif"
|
||||
run startwg.sh "$wgif"
|
||||
#run systemctl enable "wg-quick@$wgif"
|
||||
run managewg.sh start "$wgif"
|
||||
[ "$?" -ne 0 ] && echo "Erreur wireguard" && returncode=1
|
||||
else
|
||||
if [ -z "$(ip a | grep "$wgif")" ] ; then
|
||||
run wg-quick down "$wgif"
|
||||
fi
|
||||
run managewg.sh stop "$wgif"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
# If there is a wireguard vpn template
|
||||
for file in $( find "/docker/$service" -name "wg-*.sh") ; do
|
||||
section "Creating wg iface $(basename "$file")"
|
||||
if [ -x "$file" ] ; then
|
||||
wgif="$(basename "$file")"
|
||||
wgif="${wgif:3:-3}"
|
||||
if [ -z "$wgif" ] ; then
|
||||
echo "No wireguard name for $file"
|
||||
returncode=1
|
||||
continue
|
||||
fi
|
||||
#run template.sh "/docker/$service/.env" < "$file" > "/etc/wireguard/$wgif.conf"
|
||||
"$file" $wgif > "/etc/wireguard/$wgif.conf"
|
||||
|
||||
if "$deploy" ; then
|
||||
run systemctl enable "wg-quick@$wgif"
|
||||
run startwg.sh start "$wgif"
|
||||
[ "$?" -ne 0 ] && echo "Erreur wireguard" && returncode=1
|
||||
else
|
||||
run managewg.sh stop "$wgif"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
@ -33,6 +33,7 @@ do
|
||||
#line_in_file "HOME='/data/$service'" "$dir/.env"
|
||||
line_in_file "NET='172.29.$id'" "$dir/.env"
|
||||
line_in_file "USER='$username'" "$dir/.env"
|
||||
line_in_file "JC_ID='$id'" "$dir/.env"
|
||||
|
||||
cert="$(findcert.sh "$service")" || true
|
||||
if [ -n "$cert" ] ; then
|
||||
|
@ -10,6 +10,10 @@ usage[b]="Branch of git repo"
|
||||
varia[b]=branch
|
||||
branch=master
|
||||
|
||||
usage[t]="Tog of git repo"
|
||||
varia[t]=tag
|
||||
tag=
|
||||
|
||||
usage[d]="Destination of clone"
|
||||
varia[d]=dst
|
||||
dst='.'
|
||||
@ -58,10 +62,18 @@ fi
|
||||
run mkdir -p "$dst"
|
||||
run cd "$dst"
|
||||
|
||||
|
||||
if [ -d .git ] ; then
|
||||
run git fetch origin "$branch"
|
||||
run git checkout --force -B "$branch" "origin/$branch"
|
||||
run git reset --hard
|
||||
|
||||
# Compute git branch and tag
|
||||
tagref=
|
||||
if [ -n "$tag" ] ; then
|
||||
tagref="tags/$tag"
|
||||
fi
|
||||
|
||||
run git fetch origin "$branch" --tags
|
||||
run git checkout --force $tagref -B "$branch"
|
||||
run git reset --hard # TODO we can keep some files?
|
||||
# Preserve existing files in some cases
|
||||
if ! "$nonempty_target" ; then
|
||||
git clean -qffdx
|
||||
|
64
provisioning/roles/deploy_all/files/bin/managewg.sh
Executable file
64
provisioning/roles/deploy_all/files/bin/managewg.sh
Executable file
@ -0,0 +1,64 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
if [ "$#" -ne 2 ] ; then
|
||||
echo "Usage: $0 <start|stop|reload|restart> <wgif>"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
action="$1"
|
||||
wgif="$2"
|
||||
# Command to exec in netns
|
||||
run="ip netns exec $wgif"
|
||||
|
||||
start () {
|
||||
echo "Starting $wgif"
|
||||
|
||||
# Create netns if needed
|
||||
if ! ip netns | grep -q "$wgif" ; then
|
||||
ip netns add "$wgif"
|
||||
fi
|
||||
|
||||
# Create iface
|
||||
if ! ip link | grep -q "$wgif" ; then
|
||||
ip link add "$wgif" type wireguard
|
||||
ip link set "$wgif" netns "$wgif"
|
||||
fi
|
||||
|
||||
#$run wg-quick up "$wgif"
|
||||
$run wg setconf "$wgif" "/etc/wireguard/$wgif.conf"
|
||||
}
|
||||
|
||||
stop () {
|
||||
echo "Stoping $wgif"
|
||||
$run wg-quick down "$wgif" || true
|
||||
}
|
||||
|
||||
reload () {
|
||||
echo "Reloading $wgif"
|
||||
$run wg syncconf "$wgif" <(wg-quick strip "$wgif")
|
||||
}
|
||||
|
||||
case "$action" in
|
||||
start)
|
||||
if $run ip a | grep -q "$wgif" ; then
|
||||
reload
|
||||
else
|
||||
start
|
||||
fi
|
||||
;;
|
||||
stop)
|
||||
stop
|
||||
;;
|
||||
reload)
|
||||
reload
|
||||
;;
|
||||
restart)
|
||||
stop
|
||||
start
|
||||
;;
|
||||
*)
|
||||
echo "Invalid action $action"
|
||||
;;
|
||||
esac
|
@ -1,6 +1,5 @@
|
||||
#!/bin/bash
|
||||
set -euo pipefail
|
||||
|
||||
# Read all
|
||||
# NC_SHARE_LINK_URL.*
|
||||
# NC_SHARE_LINK_PASSWORD.*
|
||||
@ -50,7 +49,7 @@ while IFS='=' read key value ; do
|
||||
newname="${oldname:1}"
|
||||
path="$(dirname "$filename")"
|
||||
# And rename their references in md files
|
||||
find -type f -iname '*.md' -exec sed -i "s/$oldname/$newname/g" {} \;
|
||||
find "$path" -type f -iname '*.md' -exec sed -i "s/$oldname/$newname/g" {} \;
|
||||
mv "$path/$oldname" "$path/$newname"
|
||||
done < <(find -type d -name '.attachments.*')
|
||||
|
||||
|
@ -2,16 +2,48 @@
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
if [ "$#" -ne 1 ] ; then
|
||||
echo "Usage: $0 <wgif>"
|
||||
if [ "$#" -ne 2 ] ; then
|
||||
echo "Usage: $0 <start|stop|reload|restart> <wgif>"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
wgif="$1"
|
||||
action="$1"
|
||||
wgif="$2"
|
||||
|
||||
if [ -z "$(ip a | grep "$wgif")" ] ; then
|
||||
start () {
|
||||
echo "Starting $wgif"
|
||||
wg-quick up "$wgif"
|
||||
else
|
||||
wg syncconf "$wgif" <(wg-quick strip "$wgif")
|
||||
fi
|
||||
}
|
||||
|
||||
stop () {
|
||||
echo "Stoping $wgif"
|
||||
wg-quick down "$wgif" || true
|
||||
}
|
||||
|
||||
reload () {
|
||||
echo "Reloading $wgif"
|
||||
wg syncconf "$wgif" <(wg-quick strip $wgif)
|
||||
}
|
||||
|
||||
case "$action" in
|
||||
start)
|
||||
if ip a | grep -q "$wgif" ; then
|
||||
reload
|
||||
else
|
||||
start
|
||||
fi
|
||||
;;
|
||||
stop)
|
||||
stop
|
||||
;;
|
||||
reload)
|
||||
reload
|
||||
;;
|
||||
restart)
|
||||
stop
|
||||
start
|
||||
;;
|
||||
*)
|
||||
echo "Invalid action $action"
|
||||
;;
|
||||
esac
|
||||
|
18
provisioning/roles/deploy_all/files/bin/wg-genkey.sh
Normal file
18
provisioning/roles/deploy_all/files/bin/wg-genkey.sh
Normal file
@ -0,0 +1,18 @@
|
||||
#!/bin/bash
|
||||
|
||||
if [ "$#" -ne 1 ] ; then
|
||||
echo "Usage: $0 <filename>"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
keyfile="$1"
|
||||
|
||||
if [ ! -f "$keyfile" ] ; then
|
||||
touch "$keyfile"
|
||||
chmod 700 "$keyfile"
|
||||
if [ -n "$(lsof "$keyfile")" ] ; then
|
||||
echo "Error, key $keyfile is red"
|
||||
exit 1
|
||||
fi
|
||||
wg genkey > "$keyfile"
|
||||
fi
|
Binary file not shown.
@ -1,40 +0,0 @@
|
||||
version: '3'
|
||||
services:
|
||||
app:
|
||||
image: mirego/accent:v1.19.12
|
||||
depends_on:
|
||||
- db
|
||||
environment:
|
||||
- DATABASE_URL=postgres://postgres@db:5432/accent_development
|
||||
restart: "unless-stopped"
|
||||
networks:
|
||||
default:
|
||||
ipv4_address: $NET.100
|
||||
deploy:
|
||||
resources:
|
||||
limits:
|
||||
cpus: '1'
|
||||
memory: 200M
|
||||
|
||||
db:
|
||||
image: postgres:10.3
|
||||
environment:
|
||||
- POSTGRES_DB=accent_development
|
||||
volumes:
|
||||
- $DATA_DIR/db:/var/lib/postgresql/data
|
||||
restart: "unless-stopped"
|
||||
networks:
|
||||
default:
|
||||
ipv4_address: $NET.101
|
||||
deploy:
|
||||
resources:
|
||||
limits:
|
||||
cpus: '1'
|
||||
memory: 300M
|
||||
|
||||
|
||||
networks:
|
||||
default:
|
||||
ipam:
|
||||
config:
|
||||
- subnet: $NET.0/24
|
2
services/association-chahut.fr/.env
Normal file
2
services/association-chahut.fr/.env
Normal file
@ -0,0 +1,2 @@
|
||||
GIT_SOURCE_REPO="https://git.jean-cloud.net/adrian/association-chahut.fr.git"
|
||||
|
1
services/association-chahut.fr/deploy.sh
Symbolic link
1
services/association-chahut.fr/deploy.sh
Symbolic link
@ -0,0 +1 @@
|
||||
../hugo/deploy.sh
|
21
services/association-chahut.fr/deploy_user.sh
Executable file
21
services/association-chahut.fr/deploy_user.sh
Executable file
@ -0,0 +1,21 @@
|
||||
#!/bin/bash
|
||||
set -euo pipefail
|
||||
|
||||
# Update git repo
|
||||
git_update.sh -d "$HTTP_DIR" -b "${GIT_SOURCE_BRANCH:-main}" "$GIT_SOURCE_REPO"
|
||||
|
||||
cd "$HTTP_DIR"
|
||||
|
||||
# Get remote content files
|
||||
rclone_ncloud_publiclink.sh
|
||||
|
||||
# Invalid cache
|
||||
#rm -rf "/tmp/hugo_cache_$USER"
|
||||
|
||||
cd themes/blist
|
||||
npm install
|
||||
cd ../..
|
||||
npm install postcss-cli
|
||||
|
||||
# Build website
|
||||
HUGO_CACHEDIR="/tmp/hugo_cache_$USER" hugo
|
24
services/association-chahut.fr/nginx_server.conf
Executable file
24
services/association-chahut.fr/nginx_server.conf
Executable file
@ -0,0 +1,24 @@
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
ssl_certificate $JC_CERT/fullchain.pem;
|
||||
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||
server_name $JC_SERVICE www.$JC_SERVICE;
|
||||
root $HTTP_DIR/public;
|
||||
|
||||
# Security headers
|
||||
# We can create a file with the base security headers and include it.
|
||||
# Will it be possible to overload them then ?
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'unsafe-inline'; img-src *; font-src 'self'; object-src 'none'; style-src 'self'; base-uri 'self'; form-action 'self';" always;
|
||||
add_header X-Content-Type-Options "nosniff";
|
||||
add_header X-Frame-Options SAMEORIGIN always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin";
|
||||
add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';sync-xhr='https://mailer.jean-cloud.net';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';";
|
||||
|
||||
location / {
|
||||
index index.html;
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
}
|
@ -1 +0,0 @@
|
||||
#!/bin/bash
|
@ -13,7 +13,7 @@ echo -n "" > ~/.ssh/authorized_keys
|
||||
chmod 600 ~/.ssh/authorized_keys
|
||||
|
||||
# Foreach client
|
||||
for client in raku.jean-cloud.org vandamme.jean-cloud.org ; do
|
||||
for client in raku.jean-cloud.org izzo.jean-cloud.org ; do
|
||||
# Generate key
|
||||
clientkey="$(mktemp -d)"
|
||||
ssh-keygen -q -N '' -t rsa -C 'Borg client ssh key' -f "$clientkey/id_rsa" <<<y 2>&1 >/dev/null
|
||||
|
@ -5,6 +5,8 @@ services:
|
||||
environment:
|
||||
UID: 33
|
||||
MOUNT: /
|
||||
ports:
|
||||
- "2229:2229"
|
||||
volumes:
|
||||
- /tmp/uwsgi/$JC_SERVICE:/tmp/uwsgi
|
||||
- $DATA_DIR/app/assets:/usr/src/app/assets
|
||||
|
@ -1,41 +0,0 @@
|
||||
version: '3.1'
|
||||
|
||||
services:
|
||||
|
||||
wp:
|
||||
image: wordpress:5-apache
|
||||
restart: unless-stopped
|
||||
env_file: $DATA_DIR/wordpress.env
|
||||
volumes:
|
||||
- $DATA_DIR/wordpress:/var/www/html
|
||||
- /srv/http/$JC_SERVICE:/var/www/html/static
|
||||
networks:
|
||||
default:
|
||||
ipv4_address: $NET.100
|
||||
deploy:
|
||||
resources:
|
||||
limits:
|
||||
cpus: '0.50'
|
||||
memory: 100M
|
||||
|
||||
db:
|
||||
image: mariadb:10.11
|
||||
restart: unless-stopped
|
||||
env_file: $DATA_DIR/wordpress.env
|
||||
volumes:
|
||||
- $DATA_DIR/db:/var/lib/mysql
|
||||
networks:
|
||||
default:
|
||||
ipv4_address: $NET.101
|
||||
deploy:
|
||||
resources:
|
||||
limits:
|
||||
cpus: '0.50'
|
||||
memory: 300M
|
||||
|
||||
networks:
|
||||
default:
|
||||
ipam:
|
||||
config:
|
||||
- subnet: $NET.0/24
|
||||
|
@ -1,30 +0,0 @@
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
ssl_certificate $JC_CERT/fullchain.pem;
|
||||
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||
server_name wordpress.$JC_SERVICE www.wordpress.$JC_SERVICE;
|
||||
location / {
|
||||
auth_basic "Mot de passe !";
|
||||
auth_basic_user_file /data/$JC_SERVICE/pass.txt;
|
||||
client_max_body_size 2G;
|
||||
#proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_pass http://$NET.100;
|
||||
proxy_redirect off;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
ssl_certificate $JC_CERT/fullchain.pem;
|
||||
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||
server_name $JC_SERVICE www.$JC_SERVICE;
|
||||
|
||||
location / {
|
||||
root /srv/http/$JC_SERVICE;
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
}
|
@ -1,32 +0,0 @@
|
||||
version: '2'
|
||||
|
||||
services:
|
||||
|
||||
coldcms:
|
||||
image: coldcms/coldcms-backend:latest
|
||||
volumes:
|
||||
- $DATA_DIR/coldcms:/srv/build
|
||||
- $DATA_DIR/db:/var/db
|
||||
environment:
|
||||
- DJANGO_SETTINGS_MODULE=coldcms.settings
|
||||
- DB_URL=sqlite:////var/db/database.sqlite3
|
||||
- BUILD_DIR=/srv/build
|
||||
- STATIC_ROOT=/srv/build/static/
|
||||
- ALLOWED_HOSTS=$JC_SERVICE
|
||||
- SECRET_KEY=275bLEjLIsDg19HkIcjjwgdC41zcyTAc1y527VuX23khKUZGRCMybChydeBKFNJVjhD0KMrzIeLbMlS30IxPhfqLAcR2OK0LVxOu4G8dgx3p2pia4SUFm39tOznKZ0Kt9IdbX
|
||||
restart: unless-stopped
|
||||
networks:
|
||||
default:
|
||||
ipv4_address: $NET.100
|
||||
deploy:
|
||||
resources:
|
||||
limits:
|
||||
cpus: '0.50'
|
||||
memory: 500M
|
||||
|
||||
|
||||
networks:
|
||||
default:
|
||||
ipam:
|
||||
config:
|
||||
- subnet: $NET.0/24
|
@ -1,55 +0,0 @@
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
ssl_certificate $JC_CERT/fullchain.pem;
|
||||
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||
server_name $JC_SERVICE www.$JC_SERVICE;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=31536000";
|
||||
|
||||
gzip on;
|
||||
gzip_disable "msie6";
|
||||
gzip_types text/plain text/css application/json text/xml application/xml text/javascript application/x-javascript;
|
||||
gzip_min_length 1000;
|
||||
gzip_proxied no-cache no-store private expired auth;
|
||||
gzip_vary on;
|
||||
|
||||
root $HTTP_DIR;
|
||||
|
||||
location / {
|
||||
set $try_files_value '';
|
||||
if ($request_method = GET){
|
||||
set $try_files_value $uri/;
|
||||
}
|
||||
gzip_static on;
|
||||
try_files $try_files_value @uwsgi_backend;
|
||||
}
|
||||
|
||||
|
||||
location @uwsgi_backend {
|
||||
uwsgi_pass $NET.100:8000;
|
||||
include uwsgi_params;
|
||||
client_max_body_size 20m;
|
||||
}
|
||||
|
||||
location /media/ {
|
||||
gzip_static on;
|
||||
expires 100d;
|
||||
add_header Cache-Control public;
|
||||
access_log off;
|
||||
}
|
||||
|
||||
location /static/ {
|
||||
gzip_static on;
|
||||
expires 100d;
|
||||
add_header Cache-Control public;
|
||||
access_log off;
|
||||
}
|
||||
|
||||
location /admin/ {
|
||||
uwsgi_pass $NET.100:8000;
|
||||
include uwsgi_params;
|
||||
client_max_body_size 20m;
|
||||
}
|
||||
}
|
||||
|
@ -3,7 +3,7 @@ version: '3.1'
|
||||
services:
|
||||
|
||||
wp:
|
||||
image: wordpress:5.3-apache
|
||||
image: wordpress:6.5-apache
|
||||
restart: unless-stopped
|
||||
env_file: /data/collectif-arthadie.fr/env
|
||||
environment:
|
||||
@ -19,8 +19,8 @@ services:
|
||||
deploy:
|
||||
resources:
|
||||
limits:
|
||||
cpus: '0.50'
|
||||
memory: 100M
|
||||
cpus: '1'
|
||||
memory: 500M
|
||||
|
||||
db:
|
||||
image: mariadb:10.4
|
||||
|
24
services/collectif-karafon.fr/nginx_server.conf
Executable file
24
services/collectif-karafon.fr/nginx_server.conf
Executable file
@ -0,0 +1,24 @@
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
ssl_certificate $JC_CERT/fullchain.pem;
|
||||
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||
server_name $JC_SERVICE www.$JC_SERVICE;
|
||||
root $HTTP_DIR/collectifkarafon.wixsite.com/;
|
||||
|
||||
# Security headers
|
||||
# We can create a file with the base security headers and include it.
|
||||
# Will it be possible to overload them then ?
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
#add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self'; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self'; base-uri 'self'; form-action 'self';" always;
|
||||
add_header X-Content-Type-Options "nosniff";
|
||||
add_header X-Frame-Options SAMEORIGIN always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin";
|
||||
add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';sync-xhr='https://mailer.jean-cloud.net';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';";
|
||||
|
||||
location / {
|
||||
index monsite.html;
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
}
|
@ -1 +1 @@
|
||||
DATA_DIR=/data/compagnienouvelle.fr
|
||||
SFTP_USER=compagnienouvelle.frRO
|
||||
|
1
services/compagnienouvelle.fr/deploy.sh
Symbolic link
1
services/compagnienouvelle.fr/deploy.sh
Symbolic link
@ -0,0 +1 @@
|
||||
../sftp_jc/deploy.sh
|
1
services/compagnienouvelle.fr/deploy_user.sh
Symbolic link
1
services/compagnienouvelle.fr/deploy_user.sh
Symbolic link
@ -0,0 +1 @@
|
||||
../sftp_jc/deploy_user.sh
|
@ -1,43 +0,0 @@
|
||||
version: '3.1'
|
||||
|
||||
services:
|
||||
|
||||
wp:
|
||||
image: wordpress:5-apache
|
||||
restart: unless-stopped
|
||||
env_file: $DATA_DIR/wordpress.env
|
||||
environment:
|
||||
TZ: Europe/Paris
|
||||
volumes:
|
||||
- $DATA_DIR/wordpress:/var/www/html
|
||||
- $DATA_DIR/static:/var/www/html/static
|
||||
networks:
|
||||
default:
|
||||
ipv4_address: $NET.100
|
||||
deploy:
|
||||
resources:
|
||||
limits:
|
||||
cpus: '0.50'
|
||||
memory: 100M
|
||||
db:
|
||||
image: mariadb:10.7
|
||||
restart: unless-stopped
|
||||
environment:
|
||||
TZ: Europe/Paris
|
||||
volumes:
|
||||
- $DATA_DIR/db:/var/lib/mysql
|
||||
networks:
|
||||
default:
|
||||
ipv4_address: $NET.101
|
||||
deploy:
|
||||
resources:
|
||||
limits:
|
||||
cpus: '0.50'
|
||||
memory: 300M
|
||||
|
||||
networks:
|
||||
default:
|
||||
ipam:
|
||||
config:
|
||||
- subnet: $NET.0/24
|
||||
|
@ -1,30 +0,0 @@
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
ssl_certificate $JC_CERT/fullchain.pem;
|
||||
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||
server_name wordpress.compagnienouvelle.fr www.wordpress.compagnienouvelle.fr;
|
||||
location / {
|
||||
auth_basic "Mot de passe !";
|
||||
auth_basic_user_file /data/compagnienouvelle.fr/pass.txt;
|
||||
client_max_body_size 2G;
|
||||
#proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_pass http://$NET.100;
|
||||
proxy_redirect off;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
ssl_certificate $JC_CERT/fullchain.pem;
|
||||
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||
server_name compagnienouvelle.fr www.compagnienouvelle.fr;
|
||||
|
||||
location / {
|
||||
root /data/compagnienouvelle.fr/static;
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
}
|
1
services/compagnienouvelle.fr/nginx_server.conf
Symbolic link
1
services/compagnienouvelle.fr/nginx_server.conf
Symbolic link
@ -0,0 +1 @@
|
||||
../sftp_jc/nginx_server.conf
|
@ -1,58 +0,0 @@
|
||||
[class-ss-plugin.php:232] Received request to start generating a static archive
|
||||
[class-ss-archive-creation-job.php:61] Starting a job; no job is presently running
|
||||
[class-ss-archive-creation-job.php:62] Here's our task list: setup, fetch_urls, transfer_files_locally, wrapup
|
||||
[class-ss-archive-creation-job.php:76] Pushing first task to queue: setup
|
||||
[class-ss-archive-creation-job.php:105] Current task: setup
|
||||
[class-ss-archive-creation-job.php:120] Performing task: setup
|
||||
[class-ss-task.php:38] Status message: [setup] Mise en place
|
||||
[class-ss-setup-task.php:23] Creating archive directory: /var/www/html/wp-content/plugins/simply-static/static-files/simply-static-1-1603638186/
|
||||
[class-ss-setup-task.php:57] Adding origin URL to queue: https://wordpress.mysite.com/
|
||||
[class-ss-setup-task.php:68] Adding additional URL to queue: https://wordpress.mysite.com/wp-includes/js/wp-emoji-release.min.js
|
||||
[class-ss-setup-task.php:99] Adding files from directory: /var/www/html/wp-content/uploads/
|
||||
[class-ss-archive-creation-job.php:142] We've found our next task: fetch_urls
|
||||
[class-ss-archive-creation-job.php:105] Current task: fetch_urls
|
||||
[class-ss-archive-creation-job.php:120] Performing task: fetch_urls
|
||||
[class-ss-fetch-urls-task.php:37] Total pages: 2; Pages remaining: 2
|
||||
[class-ss-fetch-urls-task.php:40] URL: https://wordpress.mysite.com/
|
||||
[class-ss-fetch-urls-task.php:50] URL is not being excluded
|
||||
[class-ss-url-fetcher.php:85] Fetching URL and saving it to: /tmp/5f9593ab13a6a-QXn1T1.tmp
|
||||
[class-ss-url-fetcher.php:89] Filesize: 26432 bytes
|
||||
[class-ss-url-fetcher.php:104] http_status_code: 200 | content_type: text/html; charset=UTF-8
|
||||
[class-ss-url-fetcher.php:180] New filename for static page: index.html
|
||||
[class-ss-url-fetcher.php:120] Renaming temp file from /tmp/5f9593ab13a6a-QXn1T1.tmp to /var/www/html/wp-content/plugins/simply-static/static-files/simply-static-1-1603638186/index.html
|
||||
[class-ss-fetch-urls-task.php:99] Extracting URLs and replacing URLs in the static file
|
||||
[class-ss-fetch-urls-task.php:106] Adding 0 URLs to the queue
|
||||
[class-ss-fetch-urls-task.php:117] We're saving this URL; keeping the static file
|
||||
[class-ss-fetch-urls-task.php:40] URL: https://wordpress.mysite.com/wp-includes/js/wp-emoji-release.min.js
|
||||
[class-ss-fetch-urls-task.php:50] URL is not being excluded
|
||||
[class-ss-url-fetcher.php:85] Fetching URL and saving it to: /tmp/5f9593ab2d225-A0zDVK.tmp
|
||||
[class-ss-url-fetcher.php:89] Filesize: 14246 bytes
|
||||
[class-ss-url-fetcher.php:104] http_status_code: 200 | content_type: application/javascript
|
||||
[class-ss-url-fetcher.php:180] New filename for static page: wp-includes/js/wp-emoji-release.min.js
|
||||
[class-ss-url-fetcher.php:120] Renaming temp file from /tmp/5f9593ab2d225-A0zDVK.tmp to /var/www/html/wp-content/plugins/simply-static/static-files/simply-static-1-1603638186/wp-includes/js/wp-emoji-release.min.js
|
||||
[class-ss-fetch-urls-task.php:99] Extracting URLs and replacing URLs in the static file
|
||||
[class-ss-fetch-urls-task.php:106] Adding 0 URLs to the queue
|
||||
[class-ss-fetch-urls-task.php:117] We're saving this URL; keeping the static file
|
||||
[class-ss-task.php:38] Status message: [fetch_urls] 0 pages/fichiers sur 2 générés
|
||||
[class-ss-archive-creation-job.php:147] We're not done with the fetch_urls task yet
|
||||
[class-ss-archive-creation-job.php:105] Current task: fetch_urls
|
||||
[class-ss-archive-creation-job.php:120] Performing task: fetch_urls
|
||||
[class-ss-fetch-urls-task.php:37] Total pages: 2; Pages remaining: 0
|
||||
[class-ss-task.php:38] Status message: [fetch_urls] 2 pages/fichiers sur 2 générés
|
||||
[class-ss-archive-creation-job.php:142] We've found our next task: transfer_files_locally
|
||||
[class-ss-archive-creation-job.php:105] Current task: transfer_files_locally
|
||||
[class-ss-archive-creation-job.php:120] Performing task: transfer_files_locally
|
||||
[class-ss-transfer-files-locally-task.php:64] Total pages: 2; Pages remaining: 2
|
||||
[class-ss-archive-creation-job.php:147] We're not done with the transfer_files_locally task yet
|
||||
[class-ss-archive-creation-job.php:105] Current task: transfer_files_locally
|
||||
[class-ss-archive-creation-job.php:120] Performing task: transfer_files_locally
|
||||
[class-ss-transfer-files-locally-task.php:64] Total pages: 2; Pages remaining: 0
|
||||
[class-ss-task.php:38] Status message: [transfer_files_locally] 2 fichiers sur 2 copiés
|
||||
[class-ss-archive-creation-job.php:142] We've found our next task: wrapup
|
||||
[class-ss-archive-creation-job.php:105] Current task: wrapup
|
||||
[class-ss-archive-creation-job.php:120] Performing task: wrapup
|
||||
[class-ss-wrapup-task.php:13] Deleting temporary files
|
||||
[class-ss-task.php:38] Status message: [wrapup] Fin du processus
|
||||
[class-ss-archive-creation-job.php:138] This task is done and there are no more tasks, time to complete the job
|
||||
[class-ss-archive-creation-job.php:161] Completing the job
|
||||
[class-ss-archive-creation-job.php:271] Status message: [done] Effectué ! Fini en 00:00:01
|
@ -1,15 +1,11 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -euo pipefail
|
||||
set -u
|
||||
|
||||
. driglibash-base
|
||||
here="$(where)"
|
||||
|
||||
# For some variables
|
||||
. /etc/jeancloud.env
|
||||
set -a
|
||||
. "$here/.env"
|
||||
set +a
|
||||
|
||||
# Test secret presence
|
||||
[ ! -f "$DATA_DIR/rfc2136.ini" ] && echo "$0 Missing file '$DATA_DIR/rfc2136.ini'" && exit 1
|
||||
@ -17,24 +13,13 @@ set +a
|
||||
export workdir="$(mktemp -d)"
|
||||
mkdir -p "$workdir/{work,logs}"
|
||||
|
||||
# If there is some args, populate a fake service file
|
||||
if [ "$#" -ge 1 ] && [ -n "$1" ] ; then
|
||||
servicefile="$(mktemp)"
|
||||
for service in "$@" ; do
|
||||
echo "$service _" >> "$servicefile"
|
||||
done
|
||||
fi
|
||||
|
||||
echo "Renew existing certs"
|
||||
certbot renew --config-dir "$DATA_DIR/certs" --logs-dir "$workdir/logs" --dns-rfc2136 --dns-rfc2136-credentials "$DATA_DIR/rfc2136.ini" --work-dir "$workdir"
|
||||
certbot renew --config-dir "$DATA_DIR/certs" --logs-dir "$workdir/logs" --dns-rfc2136 --dns-rfc2136-credentials "$DATA_DIR/rfc2136.ini" --work-dir "$workdir" || true
|
||||
|
||||
echo "For each service, read all possible domains"
|
||||
while IFS=';' read -r id username service target ; do
|
||||
# TODO remove
|
||||
[ "$service" = collectif-arthadie.fr ] && continue
|
||||
|
||||
# remove dummy cert
|
||||
dummy_cert.sh "$service" remove || true
|
||||
if [ -z "$service" ] ; then continue ; fi
|
||||
|
||||
if [ -d "$DATA_DIR/certs/live/$service" ] ; then
|
||||
#echo "Already exists, thats a job for renew : $service"
|
||||
@ -42,12 +27,12 @@ while IFS=';' read -r id username service target ; do
|
||||
fi
|
||||
|
||||
# acme
|
||||
"$here/acme-dns.sh" "$service" "$workdir"
|
||||
"$DOCKER_DIR/acme-dns.sh" "$service" "$workdir"
|
||||
|
||||
done < <(grep -v '^#' "$servicefile")
|
||||
|
||||
echo "Push certs to other servers"
|
||||
for srv in $(host -t TXT shlago.jean-cloud.org ns.jean-cloud.org | grep -Po 'descriptive text "\K[^"]+' | tr ',' ' ' | tr ' ' '\n') vandamme nougaro ; do
|
||||
for srv in $(host -t TXT shlago.jean-cloud.org ns.jean-cloud.org | grep -Po 'descriptive text "\K[^"]+' | tr ',' ' ' | tr ' ' '\n') nougaro tetede montbonnot max raku izzo ; do
|
||||
server="$srv.jean-cloud.org"
|
||||
[ -n "$(grep "$server" /etc/hosts)" ] && continue
|
||||
echo "-- $server"
|
@ -1,8 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
. driglibash-base
|
||||
here="$(where)"
|
||||
|
||||
sudo -u certs bash -c "$here/run_as.sh $@"
|
@ -1 +0,0 @@
|
||||
#!/bin/bash
|
1
services/gaia.jean-cloud.net/.env
Normal file
1
services/gaia.jean-cloud.net/.env
Normal file
@ -0,0 +1 @@
|
||||
GIT_SOURCE_REPO=https://git.jean-cloud.net/adrian/gaia
|
5
services/gaia.jean-cloud.net/deploy_user.sh
Executable file
5
services/gaia.jean-cloud.net/deploy_user.sh
Executable file
@ -0,0 +1,5 @@
|
||||
#!/bin/bash
|
||||
set -euo pipefail
|
||||
|
||||
git_update.sh -d "$HTTP_DIR" -b "${GIT_SOURCE_BRANCH:-main}" "$GIT_SOURCE_REPO"
|
||||
|
13
services/gaia.jean-cloud.net/nginx_server.conf
Executable file
13
services/gaia.jean-cloud.net/nginx_server.conf
Executable file
@ -0,0 +1,13 @@
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
ssl_certificate $JC_CERT/fullchain.pem;
|
||||
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||
server_name $JC_SERVICE www.$JC_SERVICE;
|
||||
location / {
|
||||
add_header Content-language fr;
|
||||
root $HTTP_DIR/src;
|
||||
index index.html;
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
}
|
@ -1 +0,0 @@
|
||||
GIT_SOURCE_REPO=https://git.jean-cloud.net/adrian/grapesjs
|
@ -1,3 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
git_update.sh -d "$HTTP_DIR" "$GIT_SOURCE_REPO"
|
@ -1,35 +0,0 @@
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
ssl_certificate $JC_CERT/fullchain.pem;
|
||||
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||
server_name grapes.chahut.jean-cloud.net;
|
||||
root $HTTP_DIR;
|
||||
|
||||
# Security headers
|
||||
# We can create a file with the base security headers and include it.
|
||||
# Will it be possible to overload them then ?
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
#add_header Content-Security-Policy "default-src 'self' https://cdnjs.cloudflare.com/ajax/libs/font-awesome/ ;frame-ancestors 'none'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://cdnjs.cloudflare.com/ajax/libs/font-awesome/ ; img-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com/ajax/libs/font-awesome/ ; base-uri 'self'; form-action 'self';" always;
|
||||
add_header X-Content-Type-Options "nosniff";
|
||||
add_header X-Frame-Options SAMEORIGIN always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
#add_header Referrer-Policy "strict-origin-when-cross-origin";
|
||||
add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';sync-xhr='https://mailer.jean-cloud.net';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';";
|
||||
|
||||
auth_basic "Mot de passe !";
|
||||
auth_basic_user_file $DATA_DIR/pass.txt;
|
||||
|
||||
location / {
|
||||
index index.html;
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
|
||||
location /projects {
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_pass http://$NET.100:3000;
|
||||
proxy_redirect off;
|
||||
|
||||
}
|
||||
}
|
@ -1,8 +1,8 @@
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
ssl_certificate $http_certs_dir/inurbe.fr/fullchain.pem;
|
||||
ssl_certificate_key $http_certs_dir/inurbe.fr/privkey.pem;
|
||||
ssl_certificate $JC_CERT/fullchain.pem;
|
||||
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||
server_name $JC_SERVICE www.$JC_SERVICE;
|
||||
|
||||
location / {
|
||||
|
@ -1 +0,0 @@
|
||||
../pelican/backup_list.sh
|
32
services/lyon1.studios.oma-radio.fr/deploy.sh
Executable file
32
services/lyon1.studios.oma-radio.fr/deploy.sh
Executable file
@ -0,0 +1,32 @@
|
||||
#!/bin/bash
|
||||
|
||||
wgif=omaLyon1
|
||||
ip=10.100.100.254
|
||||
run="ip netns exec $wgif"
|
||||
|
||||
# Create netns if needed
|
||||
if ! ip netns | grep -q "$wgif" ; then
|
||||
ip netns add "$wgif"
|
||||
fi
|
||||
|
||||
# Create iface
|
||||
if ! $run ip link | grep -q "$wgif" ; then
|
||||
ip link add "$wgif" type wireguard
|
||||
ip link set "$wgif" netns "$wgif"
|
||||
fi
|
||||
|
||||
# Set ip
|
||||
if ! $run ip -4 -o a | grep -q "$ip" ; then
|
||||
$run ip a add "$ip" dev "$wgif"
|
||||
fi
|
||||
|
||||
# Set route
|
||||
if ! $run ip -4 -o r | grep -q "default dev $wgif" ; then
|
||||
$run ip r add default dev "$wgif"
|
||||
fi
|
||||
|
||||
# Up iface
|
||||
$run ip link set up dev "$wgif"
|
||||
|
||||
# Load config
|
||||
$run wg setconf "$wgif" "/etc/wireguard/$wgif.conf"
|
30
services/lyon1.studios.oma-radio.fr/wgns-omaLyon1.sh
Executable file
30
services/lyon1.studios.oma-radio.fr/wgns-omaLyon1.sh
Executable file
@ -0,0 +1,30 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
. .env
|
||||
|
||||
wgif="$1"
|
||||
|
||||
echo "
|
||||
[Interface]
|
||||
PrivateKey = $(cat $DATA_DIR/$wgif.wgprivatekey)
|
||||
ListenPort = $((51800+$JC_ID))
|
||||
#Address = 10.100.100.254/32
|
||||
|
||||
[Peer] # Adrian
|
||||
PublicKey = p4/km7Rtl5IgYGw8OPIyE0/f8UoRbcMJwkVJ0Zyv/C8=
|
||||
AllowedIPs = 10.100.100.253/32
|
||||
|
||||
[Peer] # Nico
|
||||
PublicKey = jsXBs8tZn1sWT73xx3DWEdGAWv6SjfQ2TAxX+8pL6mU=
|
||||
AllowedIPs = 10.100.100.252/32
|
||||
|
||||
[Peer] # Passerelle
|
||||
PublicKey = ZTKOW5DE8jPO8oMh5hAw/c1MQSlUaVxInMPz9Zdwzwo=
|
||||
AllowedIPs = 10.100.100.0/24,192.168.100.0/24
|
||||
|
||||
[Peer] # Debug
|
||||
PublicKey = K9IpoUbjyN+42y0YG3OIwAPRBZcd92GnKfbYEj3RZ18=
|
||||
AllowedIPs = 10.100.100.21/32
|
||||
"
|
@ -1 +1,3 @@
|
||||
GIT_SOURCE_REPO=https://git.jean-cloud.net/adrian/metamorphose
|
||||
GIT_SOURCE_BRANCH=master
|
||||
|
||||
|
@ -1,4 +1,5 @@
|
||||
#!/bin/bash
|
||||
set -euo pipefail
|
||||
|
||||
git_update.sh -d "$HTTP_DIR" "$GIT_SOURCE_REPO"
|
||||
git_update.sh -d "$HTTP_DIR" -b "${GIT_SOURCE_BRANCH:-main}" "$GIT_SOURCE_REPO"
|
||||
|
||||
|
@ -1 +0,0 @@
|
||||
version: '3'
|
13
services/mutubot.jean-cloud.net/deploy_user.sh.old
Normal file
13
services/mutubot.jean-cloud.net/deploy_user.sh.old
Normal file
@ -0,0 +1,13 @@
|
||||
#!/bin/bash
|
||||
|
||||
if [ ! -d venv ] ; then
|
||||
virtualenv venv
|
||||
fi
|
||||
|
||||
. venv/bin/activate
|
||||
|
||||
git_update.sh -b v1 -d $HTTP_DIR https://git.jean-cloud.net/adrian/mutubot.git
|
||||
|
||||
pip install -r requirements.txt
|
||||
|
||||
|
15
services/grapes.chahut.jean-cloud.net/docker-compose.yml → services/mutubot.jean-cloud.net/docker-compose.yml
Executable file → Normal file
15
services/grapes.chahut.jean-cloud.net/docker-compose.yml → services/mutubot.jean-cloud.net/docker-compose.yml
Executable file → Normal file
@ -1,9 +1,16 @@
|
||||
version: '3'
|
||||
|
||||
services:
|
||||
json_server:
|
||||
image: jeancloud/json-server
|
||||
|
||||
bot:
|
||||
image: jeancloud/mutubot:1
|
||||
restart: unless-stopped
|
||||
env_file:
|
||||
- $DATA_DIR/.env
|
||||
environment:
|
||||
TZ: Europe/Paris
|
||||
volumes:
|
||||
- "$DATA_DIR:/usr/lib/json-server"
|
||||
- $DATA_DIR/guilds.yml:/usr/src/app/guilds.yml
|
||||
networks:
|
||||
default:
|
||||
ipv4_address: $NET.100
|
||||
@ -12,8 +19,10 @@ services:
|
||||
limits:
|
||||
cpus: '0.50'
|
||||
memory: 100M
|
||||
|
||||
networks:
|
||||
default:
|
||||
ipam:
|
||||
config:
|
||||
- subnet: $NET.0/24
|
||||
|
@ -1 +0,0 @@
|
||||
#!/bin/bash
|
@ -8,6 +8,7 @@ services:
|
||||
environment:
|
||||
OMA_CONFIG_Client1Host: $NET.108
|
||||
OMA_CONFIG_TelecommandeHost: $NET$TELECOM
|
||||
OMA_CONFIG_Pige: on
|
||||
volumes:
|
||||
- $SOUNDBASE_DIR/pige:/app/pige
|
||||
ports:
|
||||
@ -73,6 +74,11 @@ services:
|
||||
networks:
|
||||
default:
|
||||
ipv4_address: $NET.108
|
||||
deploy:
|
||||
resources:
|
||||
limits:
|
||||
cpus: '0.50'
|
||||
memory: 300M
|
||||
|
||||
#radioking:
|
||||
# image: jeancloud/liquidsoap:1.3.7
|
||||
|
@ -42,14 +42,14 @@ end
|
||||
|
||||
# Exaustive integrity check
|
||||
def clean_and_check_all ()
|
||||
list.iter(clean_if_old, file.ls("/soundbase/pige/"))
|
||||
#list.iter(clean_if_old, file.ls("/soundbase/pige/"))
|
||||
list.iter(clean_and_check, file.ls("/soundbase/pige/"))
|
||||
end
|
||||
|
||||
|
||||
|
||||
# Mux
|
||||
input1 = mksafe(input.harbor("direct.ogg",port=8000,password=getenv("LIQUIDSOAP_SOURCE_PASSWORD")))
|
||||
input1 = mksafe(input.harbor("direct.ogg",port=8000,password=getenv("ICECAST_SOURCE_PASSWORD")))
|
||||
|
||||
# Direct mp3
|
||||
output.icecast(
|
||||
|
4
services/nginx_exporter/deploy.sh
Executable file
4
services/nginx_exporter/deploy.sh
Executable file
@ -0,0 +1,4 @@
|
||||
#!/bin/bash
|
||||
format="$(grep -oP "^[[:space:]]*log_format main '\K[^;]*(?=';$)" nginx.conf | sed 's/"/\\\\"/g')"
|
||||
echo "$format"
|
||||
sed -e "s/%HOST%/$(hostname)/g" -e "s/%FORMAT%/$format/g" exporter_config_template.yml > exporter_config.yml
|
25
services/nginx_exporter/docker-compose.yml
Normal file
25
services/nginx_exporter/docker-compose.yml
Normal file
@ -0,0 +1,25 @@
|
||||
version: '3'
|
||||
services:
|
||||
exporter:
|
||||
image: quay.io/martinhelmich/prometheus-nginxlog-exporter:v1
|
||||
volumes:
|
||||
- /var/log/nginx:/var/log/nginx
|
||||
- exporter_config.yml:/etc/exporter_config.yml
|
||||
command: ["/etc/exporter_config.yml"]
|
||||
restart: unless-stopped
|
||||
networks:
|
||||
default:
|
||||
ipv4_address: $NET.100
|
||||
deploy:
|
||||
resources:
|
||||
limits:
|
||||
cpus: '0.50'
|
||||
memory: 100M
|
||||
|
||||
|
||||
networks:
|
||||
default:
|
||||
ipam:
|
||||
config:
|
||||
- subnet: $NET.0/24
|
||||
|
17
services/nginx_exporter/exporter_config_template.yml
Normal file
17
services/nginx_exporter/exporter_config_template.yml
Normal file
@ -0,0 +1,17 @@
|
||||
listen:
|
||||
port: 4040
|
||||
address: "localhost"
|
||||
metrics_endpoint: "/metrics"
|
||||
|
||||
namespaces:
|
||||
- name: nginx
|
||||
format: "%FORMAT%"
|
||||
source:
|
||||
files:
|
||||
- /var/log/nginx/access.log
|
||||
metrics_override:
|
||||
- from: server_name
|
||||
labels:
|
||||
host: %HOST%
|
||||
environment: "production"
|
||||
histogram_buckets: [.001, .01, .1, .5, 1, 5, 10]
|
@ -9,7 +9,7 @@ set -a
|
||||
set +a
|
||||
|
||||
# Do not run if primary exists
|
||||
[ -d "$DATA_DIR/keys" ] && echo 'ns1 found on this host. Aborting.' && exit 0
|
||||
[ -d "$DATA_DIR/keys" ] && echo 'ns1 found on this host. Aborting.' && exit 1
|
||||
|
||||
export keydir=""
|
||||
runthis secondary
|
||||
|
@ -27,6 +27,8 @@ primary_ips=""
|
||||
# IP of secondary servers (for zone transfer)
|
||||
# master.retzo.net
|
||||
secondary_ips="159.69.124.127;2a01:4f8:c17:d8f2::1;"
|
||||
# tetede
|
||||
secondary_ips="${secondary_ips}51.195.40.128;"
|
||||
|
||||
# NS name
|
||||
default_dns_name="ns.jean-cloud.org."
|
||||
@ -39,8 +41,8 @@ runthis () {
|
||||
fi
|
||||
|
||||
prepare
|
||||
primary_ips="$primary_ips$(fakeresolve_ip_list tetede)"
|
||||
secondary_ips="$secondary_ips$(fakeresolve_ip_list shlago)"
|
||||
primary_ips="$primary_ips$(fakeresolve_ip_list izzo)"
|
||||
secondary_ips="$secondary_ips$(fakeresolve_ip_list ns)"
|
||||
|
||||
line_in_file "primary_ips=\"$primary_ips\"" "$DOCKER_DIR/.env"
|
||||
line_in_file "secondary_ips=\"$secondary_ips\"" "$DOCKER_DIR/.env"
|
||||
@ -55,6 +57,7 @@ runthis () {
|
||||
}
|
||||
|
||||
main () {
|
||||
aa-disable /etc/apparmor.d/usr.sbin.named
|
||||
runthis primary
|
||||
}
|
||||
|
||||
|
@ -21,11 +21,12 @@ prepare () {
|
||||
fi
|
||||
|
||||
echo 'Sync the git repo'
|
||||
run sudo -u bind git_update.sh -N -b main -i "$SECRET_DIR/gitkey" -d "$debian_bind_confdir" 'ssh://git@git.jean-cloud.net:22529/adrian/dnszones.git'
|
||||
run sudo -u bind git_update.sh -N -b main -i "$DATA_DIR/gitkey" -d "$debian_bind_confdir" 'ssh://git@git.jean-cloud.net:22529/adrian/dnszones.git'
|
||||
cd /etc/bind
|
||||
|
||||
|
||||
echo 'Prepare bind: Remove autogenerated part from bind conf files'
|
||||
rm /etc/bind/*.jnl &>/dev/null || true
|
||||
sed -i -n "/$autoconf_separator/q;p" "$debian_bind_confdir"/*
|
||||
|
||||
echo 'Put the separator back'
|
||||
@ -39,12 +40,12 @@ restart () {
|
||||
echo 'Check named conf'
|
||||
run named-checkconf "$debian_bind_confdir/named.conf"
|
||||
for db_file in $(list_db_files) ; do
|
||||
domain="${db_file:3}"
|
||||
domain="$(basename "$db_file")"
|
||||
domain="${domain:3}"
|
||||
run named-checkzone "$domain" "$db_file"
|
||||
done
|
||||
|
||||
echo 'Restart named'
|
||||
rm /etc/bind/*.jnl || true
|
||||
systemctl restart named
|
||||
}
|
||||
|
||||
@ -139,15 +140,14 @@ create_primary_files () {
|
||||
sed -i "s/\(@ SOA [^(]*( \)[0-9]\+/\1$serial/" "$new_db_file"
|
||||
|
||||
# Add this dns server if not present
|
||||
if [ -z "$(grep '[^;].*(IN)?.*NS.*$default_dns_name' "$new_db_file")" ] ; then
|
||||
echo "@ NS $default_dns_name" >> "$new_db_file"
|
||||
if ! grep -q '[^;].*(IN)?.*NS.*' "$new_db_file" ; then
|
||||
cat default_ns >> "$new_db_file"
|
||||
fi
|
||||
|
||||
# Add DS record
|
||||
if [ -n "$(ls "$DATA_DIR/keys/K$domain"*.key)" ] ; then
|
||||
echo ""
|
||||
#if [ -n "$(ls "$DATA_DIR/keys/K$domain"*.key)" ] ; then
|
||||
#dnssec-dsfromkey "$DATA_DIR/keys/K$domain"*.key | sed "s/${domain}./@/" >> "$new_db_file"
|
||||
fi
|
||||
#fi
|
||||
|
||||
# Populate named.conf.local
|
||||
cat >> "$debian_bind_confdir/named.conf.local" <<-EOF
|
||||
|
@ -87,6 +87,21 @@ services:
|
||||
cpus: '0.50'
|
||||
memory: 2000M
|
||||
|
||||
collabora:
|
||||
image: collabora/code
|
||||
environment:
|
||||
- "dictionaries=fr"
|
||||
- "server_name=office.nuage.jean-cloud.net"
|
||||
restart: unless-stopped
|
||||
networks:
|
||||
default:
|
||||
ipv4_address: $NET.106
|
||||
deploy:
|
||||
resources:
|
||||
limits:
|
||||
cpus: '1'
|
||||
memory: 2000M
|
||||
|
||||
networks:
|
||||
default:
|
||||
ipam:
|
||||
|
@ -24,7 +24,7 @@ server {
|
||||
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||
|
||||
|
||||
limit_req zone=defaultlimit burst=500 nodelay;
|
||||
#limit_req zone=defaultlimit burst=500 nodelay;
|
||||
|
||||
# Prevent nginx HTTP Server Detection
|
||||
server_tokens off;
|
||||
@ -76,8 +76,7 @@ server {
|
||||
# only for Nextcloud like below:
|
||||
include mime.types;
|
||||
types {
|
||||
text/javascript js mjs;
|
||||
application/wasm wasm;
|
||||
text/javascript mjs;
|
||||
}
|
||||
|
||||
# Specify how to handle directories -- specifying `/index.php$request_uri`
|
||||
@ -263,3 +262,29 @@ server {
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
ssl_certificate $JC_CERT/fullchain.pem;
|
||||
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||
server_name office.nuage.jean-cloud.net;
|
||||
|
||||
location / {
|
||||
proxy_pass https://$NET.106:9980;
|
||||
proxy_buffering off; # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
|
||||
proxy_set_header Host $host;
|
||||
proxy_pass_header Server;
|
||||
|
||||
# Note you might want to pass these headers etc too.
|
||||
#proxy_set_header X-Real-IP $remote_addr; # https://nginx.org/en/docs/http/ngx_http_proxy_module.html
|
||||
#proxy_set_header X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP
|
||||
proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
|
||||
proxy_http_version 1.1; # recommended with keepalive connections
|
||||
|
||||
# WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1 +0,0 @@
|
||||
#!/bin/bash
|
@ -1 +0,0 @@
|
||||
../hugo/deploy.sh
|
2
services/quadrille-elsa.jean-cloud.net/deploy.sh
Executable file
2
services/quadrille-elsa.jean-cloud.net/deploy.sh
Executable file
@ -0,0 +1,2 @@
|
||||
#!/bin/bash
|
||||
apt install -y hugo
|
@ -1 +0,0 @@
|
||||
../hugo/deploy_user.sh
|
16
services/quadrille-elsa.jean-cloud.net/deploy_user.sh
Executable file
16
services/quadrille-elsa.jean-cloud.net/deploy_user.sh
Executable file
@ -0,0 +1,16 @@
|
||||
#!/bin/bash
|
||||
set -euo pipefail
|
||||
|
||||
# Update git repo
|
||||
git_update.sh -d "$HTTP_DIR" -b "${GIT_SOURCE_BRANCH:-main}" "$GIT_SOURCE_REPO"
|
||||
|
||||
cd "$HTTP_DIR"
|
||||
|
||||
# Get remote content files
|
||||
rclone_ncloud_publiclink.sh
|
||||
|
||||
# Invalid cache
|
||||
#rm -rf "/tmp/hugo_cache_$USER"
|
||||
|
||||
# Build website
|
||||
HUGO_CACHEDIR="/tmp/hugo_cache_$USER" hugo
|
@ -1 +0,0 @@
|
||||
../hugo/nginx_server.conf
|
24
services/quadrille-elsa.jean-cloud.net/nginx_server.conf
Executable file
24
services/quadrille-elsa.jean-cloud.net/nginx_server.conf
Executable file
@ -0,0 +1,24 @@
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
ssl_certificate $JC_CERT/fullchain.pem;
|
||||
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||
server_name $JC_SERVICE www.$JC_SERVICE;
|
||||
root $HTTP_DIR/public;
|
||||
|
||||
# Security headers
|
||||
# We can create a file with the base security headers and include it.
|
||||
# Will it be possible to overload them then ?
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net/; img-src 'self'; font-src 'self' https://cdn.jsdelivr.net/; object-src 'none'; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net/; base-uri 'self'; form-action 'self';" always;
|
||||
add_header X-Content-Type-Options "nosniff";
|
||||
add_header X-Frame-Options SAMEORIGIN always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin";
|
||||
add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';sync-xhr='https://mailer.jean-cloud.net';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';";
|
||||
|
||||
location / {
|
||||
index index.html;
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
}
|
4
services/radiokipik.org/.env
Normal file
4
services/radiokipik.org/.env
Normal file
@ -0,0 +1,4 @@
|
||||
GIT_SOURCE_REPO="git@gitlab.com:omaradio/website.git"
|
||||
RADIO_HOST=mux.radiodemo.oma-radio.fr
|
||||
USE_SSL=true
|
||||
WEBSOCKET_PORT=2004
|
2
services/radiokipik.org/.known_hosts
Normal file
2
services/radiokipik.org/.known_hosts
Normal file
@ -0,0 +1,2 @@
|
||||
gitlab.com ssh-dss AAAAB3NzaC1kc3MAAACBAMPKInNPflcRle9F5Qt2j9aI0EZuWQzdXTbYvsl+ChaacqCOWRMiOmXHXqetFz6jD/6Fcqg20ZATxqSskQBaRn97O/mbH+GQk4d3zw9WAEURicE8rKJop3qGtdfFxLzrTuF/PAkKRDMmutT3hwZIOO8CFWOl1BiuUYTncJTeonrfAAAAFQCujauoy3Yy+ul72b/WsTECUPj9yQAAAIBIV2yyF7RZf7IYS8tsWcKP7Y5Bv9eFdbvbtsaxcFCHcmHIGoJQrIdPoueoOb5EUTYz0NgYKsKaZzDZkgFk28GsmLxKvhnPjaw0lJVSKRchEE5xVlamOlabiRMjQ7X/bAdejkBJe96AjZZL3UO4acpwfy3Tnnap0w6YCDeaxoyHpwAAAIAU+dyNaL3Hy15VIV32QwWMekvxeptUY/DW03LNcgZZDoin87TE9xuQhM0qF3pi2i2a2ExuslgdttmYWvrbEz8eW+RFgvT5pKwWpalKWetHvtN3oYZP37ZIO1Y3Hd5A4YVcpYp1ccRayveLlCRwxb4HdGXT2OmYU+lmvimIR8zQ6A==
|
||||
gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9
|
1
services/radiokipik.org/deploy_user.sh.bak
Symbolic link
1
services/radiokipik.org/deploy_user.sh.bak
Symbolic link
@ -0,0 +1 @@
|
||||
../hugo/deploy_user.sh
|
26
services/radiokipik.org/nginx_server.conf
Executable file
26
services/radiokipik.org/nginx_server.conf
Executable file
@ -0,0 +1,26 @@
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
ssl_certificate $JC_CERT/fullchain.pem;
|
||||
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||
server_name $JC_SERVICE www.$JC_SERVICE;
|
||||
root $HTTP_DIR/;
|
||||
|
||||
# Security headers
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
#add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self' 'https://static.jean-cloud.net/player-interface/*' ; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self' 'https://static.jean-cloud.net/player-interface/*' 'https://cdn.jsdelivr.net/npm/*'; base-uri 'self'; form-action 'self';" always;
|
||||
add_header X-Content-Type-Options "nosniff";
|
||||
add_header X-Frame-Options SAMEORIGIN always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin";
|
||||
add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';";
|
||||
|
||||
location / {
|
||||
index index.html;
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
|
||||
location /manager {
|
||||
return 301 $scheme://mux.$JC_SERVICE/manager;
|
||||
}
|
||||
}
|
@ -1,22 +1,19 @@
|
||||
# This is not real CSV. Do not put separator in a field, even escaped
|
||||
# ID ; username ; service name ; server name
|
||||
1;sftp.jean-cloud.net;sftp.jean-cloud.net;raku.jean-cloud.org
|
||||
2;benevoles31.karnaval.fr;benevoles31.karnaval.fr;max.jean-cloud.org
|
||||
#2;benevoles31.karnaval.fr;benevoles31.karnaval.fr;max.jean-cloud.org
|
||||
3;builder.rimarima.fr;builder.rimarima.fr;raku.jean-cloud.org
|
||||
4;chahut.jean-cloud.net;chahut.jean-cloud.net;max.jean-cloud.org
|
||||
5;chiloe.eu;chiloe.eu;shlago.jean-cloud.org
|
||||
#6;coldcms.chahut.jean-cloud.net;coldcms.chahut.jean-cloud.net;raku.jean-cloud.org
|
||||
7;collectif-arthadie.fr;collectif-arthadie.fr;vandamme.jean-cloud.org
|
||||
8;compagnienouvelle.fr;compagnienouvelle.fr;nougaro.jean-cloud.org
|
||||
9;copaines.jean-cloud.net;copaines.jean-cloud.net;max.jean-cloud.org
|
||||
7;collectif-arthadie.fr;collectif-arthadie.fr;izzo.jean-cloud.org
|
||||
8;compagnienouvelle.fr;compagnienouvelle.fr;shlago.jean-cloud.org
|
||||
9;copaines.jean-cloud.net;copaines.jean-cloud.net;shlago.jean-cloud.org
|
||||
11;deployer.jean-cloud.org;deployer.jean-cloud.org;shlago.jean-cloud.org
|
||||
12;dnscerts.jean-cloud.org;dnscerts.jean-cloud.org;max.jean-cloud.org
|
||||
12;dnscerts.jean-cloud.org;dnscerts.jean-cloud.org;montbonnot.jean-cloud.org
|
||||
13;etrevivant.net;etrevivant.net;shlago.jean-cloud.org
|
||||
14;feministesucl34.communistesliber;feministesucl34.communisteslibertaires.org;none
|
||||
15;feteducourt.jean-cloud.net;feteducourt.jean-cloud.net;shlago.jean-cloud.org
|
||||
16;feteducourt2020.jean-cloud.net;feteducourt2020.jean-cloud.net;shlago.jean-cloud.org
|
||||
17;git.jean-cloud.net;git.jean-cloud.net;izzo.jean-cloud.org
|
||||
#18;grapes.chahut.jean-cloud.net;grapes.chahut.jean-cloud.net;max.jean-cloud.org
|
||||
20;inurbe.fr;inurbe.fr;shlago.jean-cloud.org
|
||||
21;jean-cloud.net;jean-cloud.net;shlago.jean-cloud.org
|
||||
22;leida.fr;leida.fr;shlago.jean-cloud.org
|
||||
@ -24,8 +21,8 @@
|
||||
24;metamorphosemagazine.fr;metamorphosemagazine.fr;shlago.jean-cloud.org
|
||||
25;mux.radiodemo.oma-radio.fr;mux.radiodemo.oma-radio.fr;raku.jean-cloud.org
|
||||
26;nc-backup.jean-cloud.net;nc-backup.jean-cloud.net;raku.jean-cloud.org
|
||||
27;ns.jean-cloud.org;ns.jean-cloud.org;shlago.jean-cloud.org
|
||||
28;ns1.jean-cloud.org;ns1.jean-cloud.org;tetede.jean-cloud.org
|
||||
27;ns.jean-cloud.org;ns.jean-cloud.org;nowhere
|
||||
28;ns1.jean-cloud.org;ns1.jean-cloud.org;izzo.jean-cloud.org
|
||||
29;nuage.jean-cloud.net;nuage.jean-cloud.net;izzo.jean-cloud.org
|
||||
30;oma-radio.fr;oma-radio.fr;izzo.jean-cloud.org
|
||||
31;pa1.studios.oma-radio.fr;pa1.studios.oma-radio.fr;tetede.jean-cloud.org
|
||||
@ -33,7 +30,7 @@
|
||||
33;quadrille-elsa.jean-cloud.net;quadrille-elsa.jean-cloud.net;shlago.jean-cloud.org
|
||||
34;radiodemo.oma-radio.fr;radiodemo.oma-radio.fr;raku.jean-cloud.org
|
||||
35;radionimaitre.oma-radio.fr;radionimaitre.oma-radio.fr;tetede.jean-cloud.org
|
||||
36;raplacgr.jean-cloud.net;raplacgr.jean-cloud.net;tetede.jean-cloud.org
|
||||
36;raplacgr.jean-cloud.net;raplacgr.jean-cloud.net;izzo.jean-cloud.org
|
||||
37;rimarima.fr;rimarima.fr;raku.jean-cloud.org
|
||||
38;rpnow.jean-cloud.net;rpnow.jean-cloud.net;izzo.jean-cloud.org
|
||||
39;soundbase.radiodemo.oma-radio.fr;soundbase.radiodemo.oma-radio.fr;montbonnot.jean-cloud.org
|
||||
@ -41,7 +38,7 @@
|
||||
41;velov.jean-cloud.net;velov.jean-cloud.net;shlago.jean-cloud.org
|
||||
42;wiki-cgr.jean-cloud.net;wiki-cgr.jean-cloud.net;izzo.jean-cloud.org
|
||||
43;radio.karnaval.fr;radio.karnaval.fr;tetede.jean-cloud.org
|
||||
44;wordpress.abc.jean-cloud.net;wordpress.abc.jean-cloud.net;max.jean-cloud.org
|
||||
44;wordpress.abc.jean-cloud.net;wordpress.abc.jean-cloud.net;raku.jean-cloud.org
|
||||
45;jean-cloud.org;jean-cloud.org;shlago.jean-cloud.org
|
||||
46;soundbase.paj.oma-radio.fr;soundbase.paj.oma-radio.fr;montbonnot.jean-cloud.org
|
||||
47;backup-borg-server;backup-borg-server;montbonnot.jean-cloud.org
|
||||
@ -50,5 +47,11 @@
|
||||
50;monitoring.jean-cloud.net;monitoring.jean-cloud.net;montbonnot.jean-cloud.org
|
||||
51;benevoles32.karnaval.fr;benevoles32.karnaval.fr;izzo.jean-cloud.org
|
||||
52;nginx_exporter;nginx_exporter;shlago.jean-cloud.org
|
||||
53;benevoles.karnaval.fr;benevoles.karnaval.fr;izzo.jean-cloud.org
|
||||
54;accent.jean-cloud.net;accent.jean-cloud.net;raku.jean-cloud.org
|
||||
#54;accent.jean-cloud.net;accent.jean-cloud.net;raku.jean-cloud.org
|
||||
55;gaia.jean-cloud.net;gaia.jean-cloud.net;shlago.jean-cloud.org
|
||||
56;association-chahut.fr;association-chahut.fr;izzo.jean-cloud.org
|
||||
57;mutubot.jean-cloud.net;mutubot.jean-cloud.net;izzo.jean-cloud.org
|
||||
59;lyon1.studios.oma-radio.fr;lyon1.studios.oma-radio.fr;izzo.jean-cloud.org
|
||||
60;soundbase.radiokipik.org;soundbase.radiokipik.org;montbonnot.jean-cloud.org
|
||||
61;radiokipik.org;radiokipik.org;izzo.jean-cloud.org
|
||||
62;mux.radiokipik.org;mux.radiokipik.org;izzo.jean-cloud.org
|
||||
|
|
@ -11,6 +11,7 @@ services:
|
||||
- $DATA_DIR/home:/home
|
||||
- $DATA_DIR/home/leida/public:/home/leidaRO/public:ro
|
||||
- $DATA_DIR/home/chiloe/public:/home/chiloeRO/public:ro
|
||||
- $DATA_DIR/home/compagnienouvelle.fr/public:/home/compagnienouvelle.frRO/public:ro
|
||||
ports:
|
||||
- '2929:22'
|
||||
|
||||
|
@ -19,6 +19,6 @@ DOCKER_INSTANCES_PREFIX=soundbaseradiodemooma-radiofr-
|
||||
DOCKER_INSTANCES_SUFIX=-1
|
||||
SOUNDBASE_DIR=/data/soundbase.radiodemo.oma-radio.fr/core/radioDemo
|
||||
USE_SSL=true
|
||||
MANAGER_WEBSITE_UPSTREAM=https://static.oma-radio.fr/single-manager/1.1.1
|
||||
MANAGER_VERSION=3.0.0
|
||||
PUBLIC_WEBSITE_UPSTREAM=https://static.oma-radio.fr/player-interface/1.1.1
|
||||
RADIO_HOST=radiodemo.oma-radio.fr
|
||||
|
@ -1,3 +1,8 @@
|
||||
#!/bin/bash
|
||||
|
||||
git_update.sh -b dev -i "$DATA_DIR/radiodemo-deploy" -d "$DATA_DIR/core" git@gitlab.com:omaradio/core.git
|
||||
apt install -y nodejs npm
|
||||
#docker run --rm -i -v /srv/http/soundbase.radiodemo.oma-radio.fr:/app node:alpine sh <<EOF
|
||||
#cd /app
|
||||
#npm install --production omaradio-web-manager@~$MANAGER_VERSION
|
||||
#npm update
|
||||
#EOF
|
||||
|
@ -6,6 +6,9 @@ services:
|
||||
environment:
|
||||
OMA_CONFIG_Client1Host: mux.radiodemo.oma-radio.fr
|
||||
OMA_CONFIG_Client1Port: $MUX_SERVER_PORT
|
||||
OMA_CONFIG_Client2: off
|
||||
OMA_CONFIG_Client2Host: radionimaitre.oma-radio.fr
|
||||
OMA_CONFIG_Client2Port: 9003
|
||||
volumes:
|
||||
- $SOUNDBASE_DIR:/app/soundBase
|
||||
- $DATA_DIR/secours-jingle.wavM:/app/secours/secours-jingle.wavM
|
||||
@ -75,6 +78,7 @@ services:
|
||||
system_api:
|
||||
image: jeancloud/system-api:dev
|
||||
env_file: .env
|
||||
environment:
|
||||
UID: 33
|
||||
SOUNDBASE_PATH: /soundbase
|
||||
MOUNT: /api
|
||||
|
@ -114,6 +114,7 @@ server {
|
||||
|
||||
# Admin interface
|
||||
location /manager {
|
||||
alias $HTTP_DIR/manager/dist;
|
||||
auth_basic "Entrez votre identifiant et mot de passe";
|
||||
auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd;
|
||||
try_files $uri $uri/ =404;
|
||||
|
24
services/soundbase.radiokipik.org/.env
Normal file
24
services/soundbase.radiokipik.org/.env
Normal file
@ -0,0 +1,24 @@
|
||||
NET=10.29.0
|
||||
TELECOM=.101
|
||||
ICECAST=.110
|
||||
WEBSERVER=.105
|
||||
SYSTEM_API=.107
|
||||
TZ=Europe/Paris
|
||||
OMA_DOCKER_VERSION=dev
|
||||
WEBSOCKET_PORT=2004
|
||||
TELECOM_SERVER_PORT=3494
|
||||
OMA_CONFIG_TelecommandeHost=mux.radiodemo.oma-radio.fr
|
||||
OMA_CONFIG_TelecommandePort=3494
|
||||
MUX_SERVER_PORT=9004
|
||||
RADIO_NAME_SIMPLE=radiodemo
|
||||
OMA_CONFIG_NomRadio=radiodemo
|
||||
OMA_CONFIG_LogLevel=8
|
||||
RADIO_NAME_PRETTY="Radio Démo"
|
||||
COMPOSE_NAME=soundbaseradiodemooma-radiofr
|
||||
DOCKER_INSTANCES_PREFIX=soundbaseradiodemooma-radiofr-
|
||||
DOCKER_INSTANCES_SUFIX=-1
|
||||
SOUNDBASE_DIR=/data/soundbase.radiodemo.oma-radio.fr/core/radioDemo
|
||||
USE_SSL=true
|
||||
MANAGER_VERSION=3.0.0
|
||||
PUBLIC_WEBSITE_UPSTREAM=https://static.oma-radio.fr/player-interface/1.1.1
|
||||
RADIO_HOST=radiodemo.oma-radio.fr
|
8
services/soundbase.radiokipik.org/deploy.sh
Executable file
8
services/soundbase.radiokipik.org/deploy.sh
Executable file
@ -0,0 +1,8 @@
|
||||
#!/bin/bash
|
||||
|
||||
apt install -y nodejs npm
|
||||
#docker run --rm -i -v /srv/http/soundbase.radiodemo.oma-radio.fr:/app node:alpine sh <<EOF
|
||||
#cd /app
|
||||
#npm install --production omaradio-web-manager@~$MANAGER_VERSION
|
||||
#npm update
|
||||
#EOF
|
36
services/soundbase.radiokipik.org/deploy_user.sh
Executable file
36
services/soundbase.radiokipik.org/deploy_user.sh
Executable file
@ -0,0 +1,36 @@
|
||||
#!/bin/bash
|
||||
|
||||
#if [ -d "$DATA_DIR/core" ] ; then
|
||||
# git_update.sh -b dev -i "$DATA_DIR/gitlab-deploy.sshprivkey" -d "$DATA_DIR/core" git@gitlab.com:omaradio/core.git
|
||||
#fi
|
||||
|
||||
chmod 700 "$SECRET_DIR/gitlab-deploy.sshprivkey"
|
||||
mkdir -p "$HTTP_DIR/manager"
|
||||
git_update.sh -b 'v3' -i "$SECRET_DIR/gitlab-deploy.sshprivkey" -d "$HTTP_DIR/manager" git@gitlab.com:omaradio/single-manager.git
|
||||
cd "$HTTP_DIR/manager"
|
||||
npm install
|
||||
#npm audit fix
|
||||
npm run build
|
||||
|
||||
|
||||
#semver_prefix="3."
|
||||
## Get available versions
|
||||
#json="$(curl 'https://gitlab.com/api/v4/projects/omaradio%2Fsingle-manager/packages?order_by=version&sort=desc&package_name=manager&status=default' )"
|
||||
#
|
||||
## Get the latest one
|
||||
#latest="$(echo "$json" | grep -Po '"version":"\K'"$semver_prefix"'[^"]+"' | tr -d '"' | sort -g | tail -n 1)"
|
||||
#if [ -z "$latest" ] ; then
|
||||
# echo "Version is empty"
|
||||
# exit 1
|
||||
#fi
|
||||
#
|
||||
## Get associated link
|
||||
#link="$(echo "$json" | jq ".[] | select(.version? | match(\"$latest\")) | ._links.web_path" | sed -e 's/^"//' -e 's/"$//')"
|
||||
#if [ -z "$link" ] ; then
|
||||
# echo "Link is empty"
|
||||
# exit 1
|
||||
#fi
|
||||
#
|
||||
#cd "$HTTP_DIR"
|
||||
|
||||
#wget https://gitlab.com/omaradio/single-manager/-/package_files/117195410/download -O - | tar xz
|
130
services/soundbase.radiokipik.org/docker-compose.yml
Normal file
130
services/soundbase.radiokipik.org/docker-compose.yml
Normal file
@ -0,0 +1,130 @@
|
||||
version: '3'
|
||||
services:
|
||||
anthracite_jukebox:
|
||||
image: registry.gitlab.com/omaradio/core/oma-jukebox:$OMA_DOCKER_VERSION
|
||||
env_file: .env
|
||||
environment:
|
||||
OMA_CONFIG_Client1Host: mux.radiodemo.oma-radio.fr
|
||||
OMA_CONFIG_Client1Port: $MUX_SERVER_PORT
|
||||
OMA_CONFIG_Client2: off
|
||||
OMA_CONFIG_Client2Host: radionimaitre.oma-radio.fr
|
||||
OMA_CONFIG_Client2Port: 9003
|
||||
volumes:
|
||||
- $SOUNDBASE_DIR:/app/soundBase
|
||||
- $DATA_DIR/secours-jingle.wavM:/app/secours/secours-jingle.wavM
|
||||
restart: unless-stopped
|
||||
networks:
|
||||
default:
|
||||
ipv4_address: $NET.102
|
||||
deploy:
|
||||
resources:
|
||||
limits:
|
||||
cpus: '0.50'
|
||||
memory: 100M
|
||||
|
||||
azurite_jukebox_simulator:
|
||||
image: registry.gitlab.com/omaradio/core/oma-jukebox-simulator:$OMA_DOCKER_VERSION
|
||||
env_file: .env
|
||||
volumes:
|
||||
- $SOUNDBASE_DIR:/app/soundBase
|
||||
restart: unless-stopped
|
||||
networks:
|
||||
default:
|
||||
ipv4_address: $NET.103
|
||||
deploy:
|
||||
resources:
|
||||
limits:
|
||||
cpus: '0.50'
|
||||
memory: 100M
|
||||
|
||||
# aventurine_transcode:
|
||||
# image: jeancloud/transcode:$OMA_DOCKER_VERSION
|
||||
# env_file: .env
|
||||
# restart: unless-stopped
|
||||
|
||||
|
||||
agate_importer:
|
||||
image: registry.gitlab.com/omaradio/core/oma-baseimport:$OMA_DOCKER_VERSION
|
||||
env_file: .env
|
||||
volumes:
|
||||
- $SOUNDBASE_DIR:/app/soundBase
|
||||
restart: unless-stopped
|
||||
networks:
|
||||
default:
|
||||
ipv4_address: $NET.104
|
||||
deploy:
|
||||
resources:
|
||||
limits:
|
||||
cpus: '0.50'
|
||||
memory: 500M
|
||||
|
||||
|
||||
rubis_base_mg:
|
||||
image: registry.gitlab.com/omaradio/core/oma-base-mg:$OMA_DOCKER_VERSION
|
||||
env_file: .env
|
||||
restart: unless-stopped
|
||||
volumes:
|
||||
- $SOUNDBASE_DIR:/soundbase
|
||||
networks:
|
||||
default:
|
||||
ipv4_address: $NET.106
|
||||
deploy:
|
||||
resources:
|
||||
limits:
|
||||
cpus: '0.50'
|
||||
memory: 100M
|
||||
|
||||
|
||||
system_api:
|
||||
image: jeancloud/system-api:dev
|
||||
env_file: .env
|
||||
environment:
|
||||
UID: 33
|
||||
SOUNDBASE_PATH: /soundbase
|
||||
MOUNT: /api
|
||||
CONFIG_PATH: /config
|
||||
restart: unless-stopped
|
||||
volumes:
|
||||
- /tmp/uwsgi/$JC_SERVICE:/tmp/uwsgi
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
- $SOUNDBASE_DIR:/soundbase
|
||||
networks:
|
||||
default:
|
||||
ipv4_address: $NET.107
|
||||
deploy:
|
||||
resources:
|
||||
limits:
|
||||
cpus: '0.50'
|
||||
memory: 500M
|
||||
|
||||
|
||||
#ammolite_mp3_addon:
|
||||
# image: jeancloud/mp3addon:$OMA_DOCKER_VERSION
|
||||
# env_file: .env
|
||||
# environment:
|
||||
# OMA_CONFIG_PigePrefix: /opt
|
||||
# restart: unless-stopped
|
||||
# volumes:
|
||||
# - $SOUNDBASE_DIR:/app/soundbase
|
||||
# networks:
|
||||
# default:
|
||||
# ipv4_address: $NET.109
|
||||
# deploy:
|
||||
# resources:
|
||||
# limits:
|
||||
# cpus: '0.05'
|
||||
|
||||
# doxy:
|
||||
# image: qnib/doxy
|
||||
# volumes:
|
||||
# - /tmp/radiodemo.oma-radio.fr/doxy:/tmp/doxy
|
||||
# - /data/radiodemo.oma-radio.fr/doxy.pattern:/etc/doxy.pattern
|
||||
# - /var/run/docker.sock:/var/run/docker.sock
|
||||
# environment:
|
||||
# DOXY_PROXY_SOCKET: /tmp/doxy/doxy.sock
|
||||
|
||||
networks:
|
||||
default:
|
||||
ipam:
|
||||
config:
|
||||
- subnet: $NET.0/24
|
20
services/soundbase.radiokipik.org/generate_nat.sh
Executable file
20
services/soundbase.radiokipik.org/generate_nat.sh
Executable file
@ -0,0 +1,20 @@
|
||||
function extract_ports_from_compose {
|
||||
if [ "$#" -ne 1 ] ; then
|
||||
echo "function extract_ports_from_dockerfile needs 1 parameter : docker-compose file" >&2
|
||||
exit 1
|
||||
fi
|
||||
ports=false
|
||||
while read line ; do
|
||||
if [ "$line" = 'ports:' ] ; then
|
||||
ports=true
|
||||
elif "$ports" ; then
|
||||
if [[ "$line" != -* ]] ; then
|
||||
ports=false
|
||||
else
|
||||
echo $line | tr -d ' ' | tail -c +2
|
||||
fi
|
||||
fi
|
||||
done < docker-compose.yml
|
||||
}
|
||||
|
||||
extract_ports_from_compose docker-compose.yml | ../_deployer/template.sh .env
|
122
services/soundbase.radiokipik.org/nginx_server.conf
Normal file
122
services/soundbase.radiokipik.org/nginx_server.conf
Normal file
@ -0,0 +1,122 @@
|
||||
# Parameters:
|
||||
# radio name
|
||||
# file path
|
||||
# ws port (local)
|
||||
# wss port (open)
|
||||
# upload service port
|
||||
# ssl certs location
|
||||
|
||||
# TODO
|
||||
# /speedtest-down returns random data
|
||||
# can use : openssl enc -aes-256-ctr -pass pass:"$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64)" -nosalt < /dev/zero > randomfile.bin
|
||||
# /speedtest-up just eat everything it can
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name $JC_SERVICE;
|
||||
|
||||
root $SOUNDBASE_DIR/website;
|
||||
index index.html;
|
||||
|
||||
location ~ /api(/.*) {
|
||||
auth_basic "Entrez votre identifiant et mot de passe";
|
||||
auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd;
|
||||
include uwsgi_params;
|
||||
uwsgi_param PATH_INFO "$1";
|
||||
uwsgi_param SCRIPT_NAME /api;
|
||||
uwsgi_pass unix:/tmp/uwsgi/$JC_SERVICE/uwsgi-api.sock;
|
||||
client_max_body_size 0;
|
||||
proxy_connect_timeout 6000;
|
||||
proxy_send_timeout 60000;
|
||||
proxy_read_timeout 6000;
|
||||
send_timeout 6000;
|
||||
# kill cache
|
||||
add_header Last-Modified $date_gmt;
|
||||
add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
|
||||
if_modified_since off;
|
||||
expires off;
|
||||
etag off;
|
||||
}
|
||||
|
||||
location /pige{
|
||||
alias $SOUNDBASE_DIR/pige;
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
location /png {
|
||||
alias $SOUNDBASE_DIR/png;
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
location /webpL {
|
||||
alias $SOUNDBASE_DIR/webpL;
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
location /webpH {
|
||||
alias $SOUNDBASE_DIR/webpH;
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
location /ogg {
|
||||
alias $SOUNDBASE_DIR/ogg;
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
location /txt {
|
||||
alias $SOUNDBASE_DIR/txt;
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
location /wavM {
|
||||
auth_basic "Entrez votre identifiant et mot de passe";
|
||||
auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd;
|
||||
alias $SOUNDBASE_DIR/wavM;
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
location /import {
|
||||
auth_basic "Entrez votre identifiant et mot de passe";
|
||||
auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd;
|
||||
alias $SOUNDBASE_DIR/import;
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
location /export {
|
||||
auth_basic "Entrez votre identifiant et mot de passe";
|
||||
auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd;
|
||||
alias $SOUNDBASE_DIR/export;
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
location /wav {
|
||||
auth_basic "Entrez votre identifiant et mot de passe";
|
||||
auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd;
|
||||
alias $SOUNDBASE_DIR/wav;
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
location /fic {
|
||||
alias $SOUNDBASE_DIR/fic;
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
location /prg {
|
||||
auth_basic "Entrez votre identifiant et mot de passe";
|
||||
auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd;
|
||||
alias $SOUNDBASE_DIR/prg;
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
location /lst {
|
||||
auth_basic "Entrez votre identifiant et mot de passe";
|
||||
auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd;
|
||||
alias $SOUNDBASE_DIR/lst;
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
location /statique {
|
||||
alias $SOUNDBASE_DIR/statique;
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
|
||||
# Admin interface
|
||||
location /manager {
|
||||
alias $HTTP_DIR/manager/dist;
|
||||
auth_basic "Entrez votre identifiant et mot de passe";
|
||||
auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd;
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
}
|
20
services/soundbase.radiokipik.org/wg-radiokipik.sh
Executable file
20
services/soundbase.radiokipik.org/wg-radiokipik.sh
Executable file
@ -0,0 +1,20 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
. .env
|
||||
|
||||
[ -f "$DATA_DIR/soundbase.wgkey" ] || { echo 'No privatekey found' >&2 && exit 1 ; }
|
||||
|
||||
echo "
|
||||
[Interface]
|
||||
PrivateKey = $(cat "$DATA_DIR/soundbase.wgkey")
|
||||
Address = 10.29.60.1/32
|
||||
ListenPort = 55860
|
||||
|
||||
[Peer]
|
||||
PublicKey = 3ADrLVxzVqLHV530cT+paM+zNQBvm3KCW0voIN1wVBQ=
|
||||
AllowedIPs = 10.29.60.254/32
|
||||
Endpoint = mux.radiokipik.org:55825
|
||||
PersistentKeepalive = 30
|
||||
"
|
Loading…
Reference in New Issue
Block a user