
2 Commits

Author SHA1 Message Date
Adrian Amaglio
66e0e9a4da leftovers 2024-02-22 01:44:24 +01:00
Adrian Amaglio
d75f851959 update 2024-02-22 01:43:01 +01:00
89 changed files with 1208 additions and 4551 deletions


@ -1,50 +0,0 @@
- targets:
- amaglio.fr
- www.amaglio.fr
- collectif-arthadie.fr
- www.collectif-arthadie.fr
- copaines.jean-cloud.net
- www.copaines.jean-cloud.net
- cousinades.jean-cloud.net
- www.cousinades.jean-cloud.net
- feteducourt2020.jean-cloud.net
- www.feteducourt2020.jean-cloud.net
- feteducourt.jean-cloud.net
- www.feteducourt.jean-cloud.net
- git.jean-cloud.net
- www.git.jean-cloud.net
- gmx-webmail.jean-cloud.net
- www.gmx-webmail.jean-cloud.net
- inurbe.fr
- www.inurbe.fr
- jean-cloud.net
- www.jean-cloud.net
- lalis.fr
- leida.fr
- www.leida.fr
- metamorphosemagazine.fr
- nuage.jean-cloud.net
- www.nuage.jean-cloud.net
- oma-radio.fr
- www.oma-radio.fr
- paj.oma-radio.fr
- www.paj.oma-radio.fr
- grafana.jean-cloud.net
- www.grafana.jean-cloud.net
- radionimaitre.oma-radio.fr
- www.radionimaitre.oma-radio.fr
- registry.oma-radio.fr
- rpnow.jean-cloud.net
- www.rpnow.jean-cloud.net
- test.rpnow.jean-cloud.net
- www.test.rpnow.jean-cloud.net
- static.oma-radio.fr
- www.static.oma-radio.fr
- static.jean-cloud.net
- www.static.jean-cloud.net
- velov.jean-cloud.net
- www.velov.jean-cloud.net
- wiki-cgr.jean-cloud.net
- www.wiki-cgr.jean-cloud.net
- parsoid-wiki-cgr.jean-cloud.net
- www.parsoid-wiki-cgr.jean-cloud.net


@ -1,56 +0,0 @@
#!/bin/bash
# Nginx configs
nginx_dir=/data/proxy/sites-enabled/
# The blackbox target file as it will be read by prometheus
blackbox=/data/$(cat /etc/hostname)/public/blackbox-targets.yml
echo '- targets:' > "$blackbox"
for file in "$nginx_dir"/* ; do
echo '-------------------------'
file="$file"
if [ ! -f "$file" ] ; then continue ; fi
echo "$file"
service_name="$(basename "$file")"
# Getting just the domain names
domains="$(grep '^[[:blank:]]*[^#][[:blank:]]*server_name' "$file" | sed 's/ _ / /g' | sed 's/server_name//g' | sed 's/default_server//g' | sed -e 's/^[[:space:]]*//' | cut -d ';' -f 1)"
if [ -n "$domains" ] ; then
# removing duplicates
domains="$(echo $domains | awk '{for (i=1;i<=NF;i++) if (!a[$i]++) printf("%s%s",$i,FS)}{printf("\n")}')"
for domain in $domains ; do
echo " - $domain" >> "$blackbox"
done
fi
done
ls /etc/letsencrypt/live/*000* &> /dev/null
if [ "$?" -eq 0 ] ; then
echo " ---------------------------------------------------------------------------------------------"
echo "Bad certs detected in letsencrypt dir. Nginx conf wont work…"
echo "rm -r /etc/letsencrypt/live/*000* /etc/letsencrypt/archive/*000* /etc/letsencrypt/renewal/*000*"
echo " ---------------------------------------------------------------------------------------------"
fi
docker exec -it proxy_reverse-proxy_1 nginx -t
code="$?"
if [ "$code" -ne 0 ] ; then
echo "Nginx test error, cant reloat it"
exit 1
fi
docker exec -it proxy_reverse-proxy_1 nginx -s reload
code="$?"
if [ "$code" -ne 0 ] ; then
echo "Nginx reload error, GENERAL ALEEEEEEEEERT!!!!!"
exit 1
fi
echo "Done. No error detected."


@ -1,80 +0,0 @@
version: '3.7'
services:
prometheus:
restart: unless-stopped
image: prom/prometheus
volumes:
- /docker/monitoring/prometheus.yml:/etc/prometheus/prometheus.yml
- /data/monitoring/blackbox-targets.yml:/etc/prometheus/blackbox-targets.yml
- type: bind
source: /data/monitoring/data
target: /prometheus
depends_on:
- cadvisor
networks:
default:
ipv4_address: 172.29.1.6
grafana:
restart: unless-stopped
image: grafana/grafana
volumes:
- /docker/monitoring/grafana.ini:/etc/grafana/grafana.ini
- /data/monitoring/grafana/data:/var/lib/grafana
networks:
default:
ipv4_address: 172.29.1.2
blackbox_exporter:
restart: unless-stopped
image: prom/blackbox-exporter
dns: 9.9.9.9
restart: always
volumes:
- /data/monitoring/blackbox-targets.yml:/config/blackbox-config.yml
networks:
default:
ipv4_address: 172.29.1.3
#icecast_exporter:
# image: markuslindenberg/icecast_exporter
# command: -icecast.scrape-uri http://listen.oma-radio.fr/status-json.xsl
cadvisor:
restart: unless-stopped
image: gcr.io/cadvisor/cadvisor:latest
container_name: cadvisor
ports:
- 8080:8080
volumes:
- /:/rootfs:ro
- /var/run:/var/run:rw
- /sys:/sys:ro
- /var/lib/docker/:/var/lib/docker:ro
depends_on:
- redis
networks:
default:
ipv4_address: 172.29.1.4
redis:
image: redis:latest
networks:
default:
ipv4_address: 172.29.1.5
node-exporter:
restart: unless-stopped
image: quay.io/prometheus/node-exporter:latest
volumes:
- /:/rootfs:ro
command:
- '--path.rootfs=/rootfs'
networks:
default:
ipv4_address: 172.29.1.7
networks:
default:
ipam:
config:
- subnet: 172.29.1.0/24


@ -1,13 +0,0 @@
[smtp]
enabled = true
host = mail.gandi.net:587
user = nepasrepondre@jean-cloud.org
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
password = ZMTX9B6VgsVvdbXSzC7Zp4ASj6DU6q22Zi7KnjXtGYHE7WmJBM3pkhW9Rcdx
;skip_verify = false
from_address = nepasrepondre@jean-cloud.org
from_name = Grafana
# EHLO identity in SMTP dialog (defaults to instance_name)
;ehlo_identity = dashboard.example.com


@ -1,326 +0,0 @@
{
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": "-- Grafana --",
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"type": "dashboard"
}
]
},
"description": "Monitor and set alerts for all the pings to your servers using blackbox exporter and prometheus.",
"editable": true,
"gnetId": 5990,
"graphTooltip": 0,
"id": 3,
"iteration": 1629329153476,
"links": [],
"panels": [
{
"alert": {
"alertRuleTags": {},
"conditions": [
{
"evaluator": {
"params": [
1
],
"type": "lt"
},
"operator": {
"type": "and"
},
"query": {
"params": [
"A",
"5m",
"now"
]
},
"reducer": {
"params": [],
"type": "sum"
},
"type": "query"
}
],
"executionErrorState": "alerting",
"for": "0m",
"frequency": "60s",
"handler": 1,
"message": "Server does not respond to ping!",
"name": "Server Status alert",
"noDataState": "no_data",
"notifications": []
},
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "Prometheus",
"fieldConfig": {
"defaults": {
"links": []
},
"overrides": []
},
"fill": 1,
"fillGradient": 0,
"gridPos": {
"h": 8,
"w": 24,
"x": 0,
"y": 0
},
"hiddenSeries": false,
"id": 9,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 0,
"links": [],
"nullPointMode": "null",
"options": {
"alertThreshold": true
},
"percentage": false,
"pluginVersion": "8.0.6",
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "probe_success{job=\"ping\"}",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "{{instance}}",
"refId": "A"
}
],
"thresholds": [
{
"colorMode": "critical",
"fill": true,
"line": true,
"op": "lt",
"value": 1,
"visible": true
}
],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Server Status",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"decimals": 0,
"format": "none",
"label": "OK",
"logBase": 1,
"max": "1",
"min": "0",
"show": true
},
{
"decimals": null,
"format": "short",
"label": "",
"logBase": 1,
"max": null,
"min": null,
"show": false
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"cacheTimeout": null,
"datasource": "Prometheus",
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"mappings": [
{
"options": {
"0": {
"text": "NOK"
},
"1": {
"text": "OK"
}
},
"type": "value"
}
],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "#d44a3a",
"value": null
},
{
"color": "rgba(237, 129, 40, 0.89)",
"value": 1
},
{
"color": "#299c46",
"value": 1
}
]
},
"unit": "none"
},
"overrides": []
},
"gridPos": {
"h": 5,
"w": 6,
"x": 0,
"y": 8
},
"id": 2,
"interval": null,
"links": [],
"maxDataPoints": 100,
"options": {
"colorMode": "background",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "horizontal",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"text": {},
"textMode": "auto"
},
"pluginVersion": "8.0.6",
"repeat": "node",
"repeatDirection": "h",
"targets": [
{
"expr": "probe_success{instance=~\"$node\"}",
"format": "time_series",
"instant": false,
"interval": "",
"intervalFactor": 1,
"legendFormat": "",
"refId": "A"
}
],
"title": "$node",
"type": "stat"
}
],
"schemaVersion": 30,
"style": "dark",
"tags": [
"alerts",
"linux",
"windows"
],
"templating": {
"list": [
{
"allValue": null,
"current": {
"selected": false,
"text": "All",
"value": "$__all"
},
"datasource": "Prometheus",
"definition": "",
"description": null,
"error": null,
"hide": 0,
"includeAll": true,
"label": "node",
"multi": true,
"name": "node",
"options": [],
"query": {
"query": "label_values(probe_success{job=\"ping\"}, instance) ",
"refId": "Prometheus-node-Variable-Query"
},
"refresh": 1,
"regex": "",
"skipUrlSync": false,
"sort": 0,
"tagValuesQuery": "",
"tagsQuery": "",
"type": "query",
"useTags": false
}
]
},
"time": {
"from": "now-24h",
"to": "now"
},
"timepicker": {
"refresh_intervals": [
"5s",
"10s",
"30s",
"1m",
"5m",
"15m",
"30m",
"1h",
"2h",
"1d"
],
"time_options": [
"5m",
"15m",
"1h",
"6h",
"12h",
"24h",
"2d",
"7d",
"30d"
]
},
"timezone": "",
"title": "Alerts - Server Status",
"uid": "pbHjqZzmk",
"version": 3
}


@ -1,903 +0,0 @@
{
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": "Prometheus",
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"type": "dashboard"
}
]
},
"description": "Fork of https://grafana.com/grafana/dashboards/5345 which uses 'instance' instead of 'target' label",
"editable": true,
"gnetId": 11175,
"graphTooltip": 0,
"id": 2,
"iteration": 1629329057681,
"links": [],
"panels": [
{
"collapsed": false,
"datasource": null,
"fieldConfig": {
"defaults": {},
"overrides": []
},
"gridPos": {
"h": 1,
"w": 24,
"x": 0,
"y": 0
},
"id": 15,
"panels": [],
"repeat": "targets",
"title": "$targets UP/DOWN Status",
"type": "row"
},
{
"cacheTimeout": null,
"datasource": "Prometheus",
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"mappings": [
{
"options": {
"0": {
"text": "DOWN"
},
"1": {
"text": "UP"
}
},
"type": "value"
},
{
"options": {
"match": "null",
"result": {
"text": "N/A"
}
},
"type": "special"
}
],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "#d44a3a",
"value": null
},
{
"color": "rgba(237, 129, 40, 0.89)",
"value": 1
},
{
"color": "#299c46",
"value": 1
}
]
},
"unit": "none"
},
"overrides": []
},
"gridPos": {
"h": 2,
"w": 24,
"x": 0,
"y": 1
},
"id": 2,
"interval": null,
"links": [],
"maxDataPoints": 100,
"options": {
"colorMode": "background",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "horizontal",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"text": {},
"textMode": "auto"
},
"pluginVersion": "8.0.6",
"repeat": null,
"repeatDirection": "h",
"targets": [
{
"expr": "probe_success{instance=~\"$targets\"}",
"format": "time_series",
"interval": "$interval",
"intervalFactor": 1,
"refId": "A"
}
],
"title": "$targets",
"type": "stat"
},
{
"cacheTimeout": null,
"datasource": "Prometheus",
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"mappings": [
{
"options": {
"0": {
"text": "NO"
},
"1": {
"text": "YES"
}
},
"type": "value"
},
{
"options": {
"match": "null",
"result": {
"text": "N/A"
}
},
"type": "special"
}
],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "#d44a3a",
"value": null
},
{
"color": "rgba(237, 129, 40, 0.89)",
"value": 0
},
{
"color": "#299c46",
"value": 1
}
]
},
"unit": "none"
},
"overrides": []
},
"gridPos": {
"h": 2,
"w": 6,
"x": 0,
"y": 3
},
"id": 18,
"interval": null,
"links": [],
"maxDataPoints": 100,
"options": {
"colorMode": "background",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "horizontal",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"text": {},
"textMode": "auto"
},
"pluginVersion": "8.0.6",
"repeatDirection": "h",
"targets": [
{
"expr": "probe_http_ssl{instance=~\"$targets\"}",
"format": "time_series",
"interval": "$interval",
"intervalFactor": 1,
"refId": "A"
}
],
"title": "SSL",
"type": "stat"
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "Prometheus",
"fill": 1,
"fillGradient": 0,
"gridPos": {
"h": 6,
"w": 9,
"x": 6,
"y": 3
},
"hiddenSeries": false,
"id": 17,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"options": {
"alertThreshold": true
},
"percentage": false,
"pluginVersion": "8.0.6",
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "probe_duration_seconds{instance=~\"$targets\"}",
"format": "time_series",
"interval": "$interval",
"intervalFactor": 1,
"legendFormat": "seconds",
"refId": "A"
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Probe Duration",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "s",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "Prometheus",
"fill": 1,
"fillGradient": 0,
"gridPos": {
"h": 6,
"w": 9,
"x": 15,
"y": 3
},
"hiddenSeries": false,
"id": 21,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"options": {
"alertThreshold": true
},
"percentage": false,
"pluginVersion": "8.0.6",
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "probe_dns_lookup_time_seconds{instance=~\"$targets\"}",
"format": "time_series",
"interval": "$interval",
"intervalFactor": 1,
"legendFormat": "seconds",
"refId": "A"
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "DNS Lookup",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "s",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
},
{
"cacheTimeout": null,
"datasource": "Prometheus",
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"decimals": 2,
"mappings": [
{
"options": {
"0": {
"text": "NO"
},
"1": {
"text": "YES"
}
},
"type": "value"
},
{
"options": {
"match": "null",
"result": {
"text": "N/A"
}
},
"type": "special"
}
],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "#d44a3a",
"value": null
},
{
"color": "rgba(237, 129, 40, 0.89)",
"value": 0
},
{
"color": "#299c46",
"value": 1209600
}
]
},
"unit": "dtdurations"
},
"overrides": []
},
"gridPos": {
"h": 2,
"w": 6,
"x": 0,
"y": 5
},
"id": 19,
"interval": null,
"links": [],
"maxDataPoints": 100,
"options": {
"colorMode": "background",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "horizontal",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"text": {},
"textMode": "auto"
},
"pluginVersion": "8.0.6",
"repeatDirection": "h",
"targets": [
{
"expr": "probe_ssl_earliest_cert_expiry{instance=~\"$targets\"}-time()",
"format": "time_series",
"interval": "$interval",
"intervalFactor": 1,
"refId": "A"
}
],
"title": "SSL Cert Expiry",
"type": "stat"
},
{
"cacheTimeout": null,
"datasource": "Prometheus",
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"decimals": 0,
"mappings": [
{
"options": {
"0": {
"text": "NO"
},
"1": {
"text": "YES"
}
},
"type": "value"
},
{
"options": {
"match": "null",
"result": {
"text": "N/A"
}
},
"type": "special"
}
],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "#299c46",
"value": null
},
{
"color": "rgba(237, 129, 40, 0.89)",
"value": 200
},
{
"color": "#d44a3a",
"value": 299
}
]
},
"unit": "none"
},
"overrides": []
},
"gridPos": {
"h": 2,
"w": 6,
"x": 0,
"y": 7
},
"id": 20,
"interval": null,
"links": [],
"maxDataPoints": 100,
"options": {
"colorMode": "none",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "horizontal",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"text": {},
"textMode": "auto"
},
"pluginVersion": "8.0.6",
"repeatDirection": "h",
"targets": [
{
"expr": "probe_http_status_code{instance=~\"$targets\"}",
"format": "time_series",
"interval": "$interval",
"intervalFactor": 1,
"refId": "A"
}
],
"title": "HTTP Status Code",
"type": "stat"
},
{
"cacheTimeout": null,
"datasource": "Prometheus",
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"mappings": [
{
"options": {
"match": "null",
"result": {
"text": "N/A"
}
},
"type": "special"
}
],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
},
{
"color": "red",
"value": 80
}
]
},
"unit": "s"
},
"overrides": []
},
"gridPos": {
"h": 2,
"w": 12,
"x": 0,
"y": 9
},
"id": 23,
"interval": null,
"links": [],
"maxDataPoints": 100,
"options": {
"colorMode": "none",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "horizontal",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"text": {},
"textMode": "auto"
},
"pluginVersion": "8.0.6",
"targets": [
{
"expr": "avg(probe_duration_seconds{instance=~\"$targets\"})",
"format": "time_series",
"interval": "$interval",
"intervalFactor": 1,
"refId": "A"
}
],
"title": "Average Probe Duration",
"type": "stat"
},
{
"cacheTimeout": null,
"datasource": "Prometheus",
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"mappings": [
{
"options": {
"match": "null",
"result": {
"text": "N/A"
}
},
"type": "special"
}
],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
},
{
"color": "red",
"value": 80
}
]
},
"unit": "s"
},
"overrides": []
},
"gridPos": {
"h": 2,
"w": 12,
"x": 12,
"y": 9
},
"id": 24,
"interval": null,
"links": [],
"maxDataPoints": 100,
"options": {
"colorMode": "none",
"graphMode": "none",
"justifyMode": "auto",
"orientation": "horizontal",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"text": {},
"textMode": "auto"
},
"pluginVersion": "8.0.6",
"targets": [
{
"expr": "avg(probe_dns_lookup_time_seconds{instance=~\"$targets\"})",
"format": "time_series",
"interval": "$interval",
"intervalFactor": 1,
"refId": "A"
}
],
"title": "Average DNS Lookup",
"type": "stat"
}
],
"refresh": "1m",
"schemaVersion": 30,
"style": "dark",
"tags": [
"blackbox",
"prometheus"
],
"templating": {
"list": [
{
"auto": true,
"auto_count": 10,
"auto_min": "10s",
"current": {
"selected": false,
"text": "auto",
"value": "$__auto_interval_interval"
},
"description": null,
"error": null,
"hide": 0,
"label": "Interval",
"name": "interval",
"options": [
{
"selected": true,
"text": "auto",
"value": "$__auto_interval_interval"
},
{
"selected": false,
"text": "5s",
"value": "5s"
},
{
"selected": false,
"text": "10s",
"value": "10s"
},
{
"selected": false,
"text": "30s",
"value": "30s"
},
{
"selected": false,
"text": "1m",
"value": "1m"
},
{
"selected": false,
"text": "10m",
"value": "10m"
},
{
"selected": false,
"text": "30m",
"value": "30m"
},
{
"selected": false,
"text": "1h",
"value": "1h"
},
{
"selected": false,
"text": "6h",
"value": "6h"
},
{
"selected": false,
"text": "12h",
"value": "12h"
},
{
"selected": false,
"text": "1d",
"value": "1d"
},
{
"selected": false,
"text": "7d",
"value": "7d"
},
{
"selected": false,
"text": "14d",
"value": "14d"
},
{
"selected": false,
"text": "30d",
"value": "30d"
}
],
"query": "5s,10s,30s,1m,10m,30m,1h,6h,12h,1d,7d,14d,30d",
"refresh": 2,
"skipUrlSync": false,
"type": "interval"
},
{
"allValue": null,
"current": {
"selected": false,
"text": "All",
"value": "$__all"
},
"datasource": "Prometheus",
"definition": "label_values(probe_success, instance)",
"description": null,
"error": null,
"hide": 0,
"includeAll": true,
"label": null,
"multi": true,
"name": "targets",
"options": [],
"query": {
"query": "label_values(probe_success, instance)",
"refId": "Prometheus-targets-Variable-Query"
},
"refresh": 1,
"regex": "",
"skipUrlSync": false,
"sort": 0,
"tagValuesQuery": "",
"tagsQuery": "",
"type": "query",
"useTags": false
}
]
},
"time": {
"from": "now-1h",
"to": "now"
},
"timepicker": {
"refresh_intervals": [
"5s",
"10s",
"30s",
"1m",
"5m",
"15m",
"30m",
"1h",
"2h",
"1d"
],
"time_options": [
"5m",
"15m",
"1h",
"6h",
"12h",
"24h",
"2d",
"7d",
"30d"
]
},
"timezone": "",
"title": "Blackbox Exporter Overview",
"uid": "xtkCtBkiz",
"version": 1
}


@ -1,12 +0,0 @@
#!/bin/sh
if [ "$1" = "uninstall" ] ; then
echo ""
else # Installation procedure below
mkdir -p /data/monitoring/grafana /data/monitoring/data
chown 472:472 /data/monitoring/grafana -R
chown nobody:nogroup -R /data/monitoring/data
fi


@ -1,20 +0,0 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/monitoring/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/monitoring/privkey.pem;
server_name grafana.jean-cloud.net www.grafana.jean-cloud.net;
location / {
#if ($remote_addr != "193.33.56.94") { return 503; }
client_max_body_size 2G;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://172.29.1.2:3000/;
proxy_redirect off;
}
}


@ -1,97 +0,0 @@
# my global config
global:
scrape_interval: 60s
evaluation_interval: 60s
# scrape_timeout is set to the global default (10s).
# Attach these labels to any time series or alerts when communicating with
# external systems (federation, remote storage, Alertmanager).
external_labels:
monitor: 'codelab-monitor'
# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
rule_files:
# - "first.rules"
# - "second.rules"
# A scrape configuration containing exactly one endpoint to scrape:
# Here it's Prometheus itself.
scrape_configs:
- job_name: 'prometheus'
static_configs:
- targets: ['localhost:9090']
- job_name: 'node-exporter'
metrics_path: /metrics
static_configs:
- targets:
- 'node-exporter:9100'
#- job_name: 'docker-exporter'
# metrics_path: /docker
# basic_auth:
# username: zqNQF2oQDB2SvmkJzgW9HRpeR8RiVeiEBFShVrPrLWZR4KzYgZjasCWXuMc
# password: jznVqvRQVDSpCK2y22ZFSegXVUoErm7typxuhpC5DYdnvZ2yEsYD6JQ5o9orCFMi6tHMg6J2kmiLzuzy95nZmLApe6zEiYnQB7sUGEWXWuk9o
# file_sd_configs:
# - files: ['/etc/prometheus/nodes.yml']
#- job_name: 'docker-official'
# metrics_path: /docker-official
# basic_auth:
# username: zqNQF2oQDB2SvmkJzgW9HRpeR8RiVeiEBFShVrPrLWZR4KzYgZjasCWXuMc
# password: jznVqvRQVDSpCK2y22ZFSegXVUoErm7typxuhpC5DYdnvZ2yEsYD6JQ5o9orCFMi6tHMg6J2kmiLzuzy95nZmLApe6zEiYnQB7sUGEWXWuk9o
# file_sd_configs:
# - files: ['/etc/prometheus/nodes.yml']
- job_name: cadvisor
scrape_interval: 30s
static_configs:
- targets:
- cadvisor:8080
- job_name: 'ping'
metrics_path: /probe
params:
module: [http_2xx]
file_sd_configs:
- files: ['/etc/prometheus/blackbox-targets.yml']
relabel_configs:
- source_labels: [__address__]
regex: (.*)(:80)?
target_label: __param_target
- source_labels: [__param_target]
regex: (.*)
target_label: instance
replacement: ${1}
- source_labels: []
regex: .*
target_label: __address__
replacement: blackbox_exporter:9115
- job_name: 'ssh_ping'
metrics_path: /probe
params:
module: [ssh_banner]
static_configs:
- targets:
- vandamme.jean-cloud.net
- tetede.jean-cloud.net
- carcasse.jean-cloud.net
- nougaro.jean-cloud.net
relabel_configs:
# Ensure port is 2222, pass as URL parameter
- source_labels: [__address__]
regex: (.*?)(:.*)?
replacement: ${1}:2222
target_label: __param_target
# Make instance label the target
- source_labels: [__param_target]
target_label: instance
# Actually talk to the blackbox exporter though
- target_label: __address__
replacement: 127.0.0.1:9115
#- job_name: 'icecast'
# static_configs:
# - targets: ['icecast_exporter:9146']


@ -10,4 +10,5 @@ montbonnot.jean-cloud.org
max.jean-cloud.org
tetede.jean-cloud.org
raku.jean-cloud.org
#vandamme.jean-cloud.org
vandamme.jean-cloud.org
izzo.jean-cloud.org


@ -30,8 +30,11 @@ if [ ! -d "$new_nginx_conf_path" ] ; then
fi
IFS=';' read id username _ server < <(grep ";$service;" /docker/services.csv)
if [ -z "$id" ] ; then
die "Service $service not found in list"
fi
uid=$(($services_uid_start + $id))
uid="$(($services_uid_start + $id))"
docker_service="$(echo "$service" | tr '.' '_')"
driglibash_section_prefix="[$service] "
@ -126,8 +129,15 @@ fi
for file in $( find "/docker/$service" -name "wg-*.sh") ; do
section "Managing wg interface $(basename "$file")"
if [ -x "$file" ] ; then
wgif="$(basename "$file")"
wgif="${wgif:3:-3}"
wgnum="$(basename "$file")"
wgnum="${wgnum:3:-3}"
varname="WG_NAME_$wgnum"
wgif="${!varname}"
if [ -z "$wgif" ] ; then
echo "No wireguard name for $file"
returncode=1
continue
fi
"$file" $wgif > "/etc/wireguard/$wgif.conf"
if "$deploy" ; then
run systemctl enable "wg-quick@$wgif"
@ -164,6 +174,7 @@ if [ "$noreload" == false ] ; then
run restart_nginx.sh
fi
section "Cleaning"
rmdir "$DATA_DIR" "$HTTP_DIR" 2>/dev/null || true
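Review bot: In the WireGuard hunk, the name read through `${!varname}` is used as a path component of `/etc/wireguard/$wgif.conf` and as the `wg-quick@` unit instance without any check, and `$wgif` is still passed unquoted to the script. A value containing `/` or whitespace would write outside the intended file or split into several arguments, so I would validate it right after the lookup, e.g. `[[ "$wgif" =~ ^[A-Za-z0-9_-]{1,15}$ ]] || { echo "Bad wireguard name for $file"; returncode=1; continue; }`, and call `"$file" "$wgif"`. If the script runs under `set -u` (not visible here), `${!varname:-}` keeps an unset `WG_NAME_*` on the friendly error path instead of aborting. In the first hunk, `grep ";$service;"` treats the dots of the service name as regex wildcards; `grep -F` would match it literally. The enclosing `for` loop and `if` continue outside the hunk.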


@ -57,18 +57,12 @@ run mkdir -p "$new_nginx_conf_path"
section "Start docker"
run systemctl start docker docker.socket
#section "Deploy mandatory services"
#deploy_service.sh deployer.jean-cloud.org noreload
# List of failed services
failed=""
while IFS=';' read -r id username service target
do
# Ignore _ and # prefixed services
[ "${service::1}" == '_' ] && continue
echo -n "$service -> "
[ ! -d "/docker/$service" ] && die "/docker/$service directory not found"


@ -16,7 +16,7 @@ new_nginx_conf_path='$proxy_dir/new-sites-enabled'
dns_certs_path='$dns_certs_path'
http_certs_path='$http_certs_path'
dummy_cert_path='$http_certs_path/dummy'
servicefile=/docker/services.txt
servicefile=/docker/services.csv
services_uid_start=2000
EOF


@ -13,7 +13,7 @@ do
fi
done < <(grep -v '^#' /docker/services.csv)
apt install -y make
apt install -y make gcc
cd /usr/local/bin
make


@ -2,7 +2,7 @@
# This script will run on new cert and on cron renew
# there is one cert by service
set -euo pipefail
set -u
. /etc/jeancloud.env
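Review bot: Replacing `set -euo pipefail` with `set -u` (assuming the second line is the new one, as the page prints old before new) means a failing command in this certificate hook no longer stops the script, so a later step can run against a half-installed certificate and the hook still exits 0. If one command is expected to fail, I would keep strict mode and exempt just that command, e.g. `some_command || true` with a comment saying why, rather than dropping `-e` and `pipefail` for the whole file. The rest of the script is outside the hunk, so which command motivated the change is not visible here.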


@ -35,8 +35,8 @@ http {
##
# Logging Settings
##
log_format main '$time_local $remote_addr $status $host $request $bytes_sent'
'"$http_referer" "$http_user_agent" "$gzip_ratio"';
log_format main '$remote_addr ($remote_user) [$time_local] $server_name "$request" $request_length $request_time -> $status $bytes_sent --- "$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log;
@ -72,6 +72,7 @@ http {
server{
listen 80 default_server;
listen [::]:80 default_server;
server_tokens off;
location '/.well-known/acme-challenge' {
root /var/www/letsencrypt;
default_type "text/plain";
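Review bot: `server_tokens off;` is added inside the port-80 `default_server` block only, so every other `server` block (including the 443 vhosts) keeps advertising the nginx version unless it is set elsewhere; placing `server_tokens off;` once in the `http {` block covers all of them. Separately, the new `log_format main` logs `$server_name` where the old one logged `$host`: on a catch-all server that records the configured name rather than the Host the client actually sent, which makes host-header probing harder to see in the access log. Adding `$host` next to `$server_name` in the format keeps both. The `server{` block continues past the end of the hunk.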


@ -0,0 +1,40 @@
version: '3'
services:
app:
image: mirego/accent:v1.19.12
depends_on:
- db
environment:
- DATABASE_URL=postgres://postgres@db:5432/accent_development
restart: "unless-stopped"
networks:
default:
ipv4_address: $NET.100
deploy:
resources:
limits:
cpus: '1'
memory: 200M
db:
image: postgres:10.3
environment:
- POSTGRES_DB=accent_development
volumes:
- $DATA_DIR/db:/var/lib/postgresql/data
restart: "unless-stopped"
networks:
default:
ipv4_address: $NET.101
deploy:
resources:
limits:
cpus: '1'
memory: 300M
networks:
default:
ipam:
config:
- subnet: $NET.0/24
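Review bot: The `db` service sets no `POSTGRES_PASSWORD` and `DATABASE_URL` connects as `postgres` with no password, which with the `postgres:10.3` image means the superuser is reachable without authentication by anything that can route to `$NET.101:5432`. I would set a password from a file kept out of the repository (`env_file:` on `db`, and the same secret in the app's `DATABASE_URL`). `postgres:10.3` is also a release line that no longer receives upstream security fixes, so a move to a supported major version is worth planning alongside.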


@ -0,0 +1 @@
#!/bin/bash


@ -0,0 +1,26 @@
#!/bin/bash
set -euo pipefail
pubkeyfile="/root/.ssh/authorized_keys"
separator="# backup-borg-begin DO NOT EDIT UNDER THIS LINE"
mkdir -p "$DATA_DIR/pubkeys" "$DATA_DIR/.ssh"
# Create ssh key if not found
if [ ! -e "$DATA_DIR/.ssh/borg-client" ] ; then
ssh-keygen -f "$DATA_DIR/.ssh/borg-client" -C "SSH key for backup trigger" -P ''
fi
# Remove separator and automated lines if found
if [ -n "$(grep "$separator" "$pubkeyfile")" ] ; then
sed -i "/$separator/,//d" "$pubkeyfile"
fi
# Place separator back
echo "$separator" >> "$pubkeyfile"
# Foreach borg server key
while read serverkey ; do
# Add authorized_keys line
echo "command=\"$DOCKER_DIR/script-sauvegarde.sh $serverkey\" $(cat "$DATA_DIR/pubkeys/$serverkey")" >> "$pubkeyfile"
done < <(ls "$DATA_DIR/pubkeys")
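Review bot: The line appended to root's `authorized_keys` carries only `command="…"`, so the key keeps PTY, X11 and unrestricted forwarding rights, and both `$serverkey` (a file name taken from `ls`) and the key file's content are written verbatim. A file name with a space or quote, or a key file holding more than one line, would change the options or add an extra unrestricted root key. I would prefix the entry with `restrict` plus only the forwarding the backup flow needs (e.g. `restrict,port-forwarding,agent-forwarding,command="…"`), reject names outside `[A-Za-z0-9._-]`, and check each file with `ssh-keygen -l -f` before appending it. The loop should also be `while IFS= read -r` over a glob rather than over `ls` output.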


@ -0,0 +1,49 @@
#!/bin/bash
. "$( cd -P "$( dirname "$0" )" && pwd )/.env"
server="$1"
failed=""
while IFS=';' read -r id username service target ; do
if [ ! -d "/data/$service" ] ; then
continue
fi
echo " = = ===== = ===== $service ===== = ===== = ="
# Create passfile if not exists
mkdir -p "$DATA_DIR/passphrase"
passfile="$DATA_DIR/passphrase/$service"
if [ ! -e "$passfile" ] ; then
LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 257 > "$passfile"
fi
# Borg variables
export BORG_REPO="backup-borg-server@127.0.0.1:/data/backup-borg-server/backups/$(hostname)/$service"
export BORG_PASSPHRASE="$(cat "$passfile")"
RSH='ssh -o StrictHostKeyChecking=no -p 12345'
# Get specific backup files
cd "/data/$service"
BACKUP_LIST="$(ls -A)"
if [ -x "/docker/$service/backup_list.sh" ] ; then
BACKUP_LIST="$(/docker/$service/backup_list.sh)"
fi
if [ -z "$BACKUP_LIST" ] ; then
continue
fi
echo "--------------> $BACKUP_LIST"
borg init --rsh "$RSH" --encryption repokey || true
borg create --rsh "$RSH" --list --filter=AMCE --stats --show-rc "::$(date +%Y%m%d%H%M)" $BACKUP_LIST
if [ "$?" -ne 0 ] ; then
failed="$failed $service"
fi
done < <(grep -v '^#' /docker/services.csv)
if [ -n "$failed" ] ; then
echo "FAILED"
echo "$failed"
fi
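Review bot: `RSH='ssh -o StrictHostKeyChecking=no -p 12345'` turns off host-key verification for the connection to `127.0.0.1:12345`, so whatever process is listening on that local port is accepted as the backup server. Pinning the server's key in a dedicated known_hosts file, for example `RSH="ssh -o UserKnownHostsFile=$DATA_DIR/.ssh/known_hosts -o HostKeyAlias=backup-borg-server -o StrictHostKeyChecking=yes -p 12345"`, keeps the tunnel usable without that gap. The passphrase file is created through a plain redirect, so its mode depends on the caller's umask; a `umask 077` before the `mkdir -p "$DATA_DIR/passphrase"` would keep it private. `borg init … || true` also hides real initialisation failures, and the unquoted `$BACKUP_LIST` splits names containing spaces.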


@ -0,0 +1,39 @@
#!/bin/bash
sshkey=~/.ssh/borg-server
backup_dir="$DATA_DIR/backups"
mkdir -p ~/.ssh "$backup_dir"
if [ ! -e "$sshkey" ] ; then
ssh-keygen -q -C 'Borg server ssh key' -N '' -t rsa -f "$sshkey" <<<y 2>&1 >/dev/null
fi
echo -n "" > ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
# Foreach client
for client in raku.jean-cloud.org vandamme.jean-cloud.org ; do
# Generate key
clientkey="$(mktemp -d)"
ssh-keygen -q -N '' -t rsa -C 'Borg client ssh key' -f "$clientkey/id_rsa" <<<y 2>&1 >/dev/null
cat > ~/.ssh/authorized_keys <<EOF
command="borg serve --append-only --restrict-to-path '$backup_dir/$client'",restrict $(cat "$clientkey/id_rsa.pub")
EOF
# Create needed directory
mkdir -p "$backup_dir/$client"
# Trigger the backup
eval $(ssh-agent) > /dev/null
ssh-add "$clientkey/id_rsa"
ssh -A -R localhost:12345:127.0.0.1:45985 "root@$client" -p 45985 -i "$sshkey"
# Clean
kill "${SSH_AGENT_PID}"
rm -r "$clientkey" ~/.ssh/authorized_keys
done
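Review bot: Nothing cleans up if the `ssh` step fails or the script is interrupted: the temporary directory holding the client's private key, the `authorized_keys` entry and the `ssh-agent` process are removed only by the last two lines of the loop body. A trap set right after `mktemp -d`, e.g. `trap 'kill "$SSH_AGENT_PID" 2>/dev/null; rm -rf -- "$clientkey" ~/.ssh/authorized_keys' EXIT`, covers every exit path. The agent forwarded with `-A` to `root@$client` is usable by root on that host for as long as the session lasts, so it should keep holding only this throw-away key; `ssh-add -t <seconds>` would bound its lifetime further. `$DATA_DIR` is used without a guard, and an empty value would make `backup_dir` resolve to `/backups`.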


@ -0,0 +1,44 @@
version: '3'
services:
app:
image: jeancloud/site-benevole:debian-develop
environment:
UID: 33
MOUNT: /
volumes:
- /tmp/uwsgi/$JC_SERVICE:/tmp/uwsgi
- $DATA_DIR/app/assets:/usr/src/app/assets
- $DATA_DIR/app/media:/usr/src/app/media
- $DATA_DIR/app/local_settings.py:/usr/src/app/site_benevole/local_settings.py
- $DATA_DIR/app/plugins.toml:/usr/src/app/site_benevole/plugins.toml
- $DATA_DIR/app/.plugins.sqlite3:/usr/src/app/site_benevole/.plugins.sqlite3
restart: unless-stopped
networks:
default:
ipv4_address: $NET.100
redis:
image: redis
networks:
default:
ipv4_address: $NET.102
db:
image: postgres:16.1-alpine
env_file: $DATA_DIR/postgres.env
environment:
POSTGRES_USER: benevoles
POSTGRES_DB: benevoles
volumes:
- $DATA_DIR/db:/var/lib/postgresql/data
networks:
default:
ipv4_address: $NET.101
networks:
default:
ipam:
config:
- subnet: $NET.0/24
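Review bot: The uwsgi socket directory is bind-mounted from `/tmp/uwsgi/$JC_SERVICE`, a predictable path under the host's world-writable `/tmp`; any local account can create that directory first and then owns the place where nginx expects `uwsgi.sock`. A root-owned location such as `/run/uwsgi/$JC_SERVICE`, created by the deploy script with the mode the app user needs, avoids that (the nginx `uwsgi_pass` path would change with it). `redis` has no tag and `jeancloud/site-benevole:debian-develop` is a moving tag, so the deployed code can change without a commit; pinning a version or digest makes the deployment reproducible.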


@ -0,0 +1,55 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate $JC_CERT/fullchain.pem;
ssl_certificate_key $JC_CERT/privkey.pem;
server_name $JC_SERVICE benevoles.karnaval.fr;
root $DATA_DIR/app/assets;
gzip on;
gzip_static on;
gzip_types application/javascript image/* text/css application/font-woff application/font-woff2;
gunzip on;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_buffer_size 4k;
client_max_body_size 4M;
location / {
include uwsgi_params;
uwsgi_pass unix:/tmp/uwsgi/$JC_SERVICE/uwsgi.sock;
}
location = /favicon.ico {
root $DATA_DIR/assets/;
}
location = /favicon-admin.ico {
root $DATA_DIR/assets/;
}
location /assets/ {
alias $DATA_DIR/app/assets/;
access_log off;
sendfile on;
tcp_nopush on;
sendfile_max_chunk 1m;
keepalive_timeout 65;
location ~* \.(jpg|jpeg|png|gif|ico|woff|woff2)$ {
access_log off;
expires 5d;
}
}
location /media/ {
alias $DATA_DIR/app/media/;
access_log off;
sendfile on;
tcp_nopush on;
sendfile_max_chunk 1m;
keepalive_timeout 65;
}
}
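Review bot: `location /media/` serves files straight from `$DATA_DIR/app/media/` on the application's own origin without `X-Content-Type-Options`; if that directory holds user uploads (it is the app's `media` volume, so presumably it does), add `add_header X-Content-Type-Options "nosniff" always;` inside that location. The two favicon locations use `root $DATA_DIR/assets/;` while every other path in the file is under `$DATA_DIR/app/assets`, which looks like a typo. nginx only treats a lone `*` as a wildcard in `gzip_types`, so the `image/*` entry never matches and can be dropped.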

1
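--- a/services/chiloe.eu/.env
+++ b/services/chiloe.eu/.env
@@ -0,0 +1 @@
+SFTP_USER="chiloeRO"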


@ -0,0 +1 @@
../sftp_jc/deploy.sh


@ -1,3 +0,0 @@
#!/bin/bash
rclone sync --config=/notfound --sftp-host sftp.jean-cloud.net --sftp-user chiloeRO --sftp-port 2929 --sftp-pass "$SFTP_PASS" :sftp:/public/ "$HTTP_DIR"


@ -0,0 +1 @@
../sftp_jc/deploy_user.sh


@ -0,0 +1 @@
SFTP_USER="copaines"


@ -1,3 +0,0 @@
#!/bin/bash
chmod 700 "$SECRET_DIR/sftp.sshprivkey"


@ -0,0 +1 @@
../sftp_jc/deploy.sh


@ -1,5 +0,0 @@
#!/bin/bash
mkdir -p ~/.ssh
echo '[sftp.jean-cloud.net]:2929 ssh-rsa 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' >> ~/.ssh/known_hosts
chmod 700 ~/.ssh/known_hosts
scp -i "$SECRET_DIR/sftp.sshprivkey" -rP 2929 copaines@sftp.jean-cloud.net:public/* "$HTTP_DIR"


@ -0,0 +1 @@
../sftp_jc/deploy_user.sh


@ -1,30 +0,0 @@
#server {
# listen 443 ssl http2;
# listen [::]:443 ssl http2;
# ssl_certificate $JC_CERT/fullchain.pem;
# ssl_certificate_key $JC_CERT/privkey.pem;
# server_name wordpress.copaines.jean-cloud.net www.wordpress.copaines.jean-cloud.net;
# location / {
# auth_basic "Mot de passe !";
# auth_basic_user_file /data/copaines.jean-cloud.net/pass.txt;
# client_max_body_size 2G;
# #proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header Host $http_host;
# proxy_set_header X-Forwarded-Proto https;
# proxy_pass http://wp.copainesjean-cloudnet.docker;
# proxy_redirect off;
# }
#}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate $JC_CERT/fullchain.pem;
ssl_certificate_key $JC_CERT/privkey.pem;
server_name copaines.jean-cloud.net www.copaines.jean-cloud.net;
location / {
root $HTTP_DIR;
try_files $uri $uri/ =404;
}
}


@ -0,0 +1 @@
../sftp_jc/nginx_server.conf


@ -29,9 +29,7 @@ echo "Renew existing certs"
certbot renew --config-dir "$DATA_DIR/certs" --logs-dir "$workdir/logs" --dns-rfc2136 --dns-rfc2136-credentials "$DATA_DIR/rfc2136.ini" --work-dir "$workdir"
echo "For each service, read all possible domains"
while read line ; do
read -r service target < <(echo "$line")
while IFS=';' read -r id username service target ; do
# TODO remove
[ "$service" = collectif-arthadie.fr ] && continue
@ -46,7 +44,7 @@ while read line ; do
# acme
"$here/acme-dns.sh" "$service" "$workdir"
done < "$servicefile"
done < <(grep -v '^#' "$servicefile")
echo "Push certs to other servers"
for srv in $(host -t TXT shlago.jean-cloud.org ns.jean-cloud.org | grep -Po 'descriptive text "\K[^"]+' | tr ',' ' ' | tr ' ' '\n') vandamme nougaro ; do
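Review bot: `grep -v '^#'` on the new `done` line drops only lines that begin with `#`, so an empty line or an indented comment in `$servicefile` still reaches `read` and `acme-dns.sh` gets called with an empty `$service`; `done < <(grep -Ev '^[[:space:]]*(#|$)' "$servicefile")` covers both cases. `id` and `username` are read but not used in the visible part of the loop, so a one-line comment naming the columns (`# id;username;service;target`) would document the new file format. The loop body continues outside the hunks.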


@ -0,0 +1 @@
#!/bin/bash


@ -0,0 +1 @@
SFTP_USER="feministesucl34"


@ -0,0 +1 @@
../sftp_jc/deploy.sh


@ -1,5 +0,0 @@
#!/bin/bash
set -euo pipefail
. "$SECRET_DIR/.env"
rclone sync --config=/notfound --sftp-host sftp.jean-cloud.net --sftp-user feministesucl34 --sftp-port 2929 --sftp-pass "$SFTP_PASS" :sftp:/public/ "$HTTP_DIR"


@ -0,0 +1 @@
../sftp_jc/deploy_user.sh


@ -1,16 +0,0 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate $JC_CERT/fullchain.pem;
ssl_certificate_key $JC_CERT/privkey.pem;
server_name $JC_SERVICE;
location = /wp-login.php {
return 301 https://wordpress.feministesucl34.jean-cloud.net/wp-login.php;
}
location / {
root $HTTP_DIR;
try_files $uri $uri/ =404;
}
}


@ -0,0 +1 @@
../sftp_jc/nginx_server.conf


@ -16,6 +16,7 @@ services:
image: postgres:16-alpine
volumes:
- /data/git.jean-cloud.net/db:/var/lib/postgresql/data
restart: unless-stopped
networks:
default:
ipv4_address: $NET.101


@ -4,7 +4,6 @@ server {
ssl_certificate $JC_CERT/fullchain.pem;
ssl_certificate_key $JC_CERT/privkey.pem;
server_name $JC_SERVICE www.$JC_SERVICE;
limit_req zone=defaultlimit burst=20 nodelay;
location / {
client_max_body_size 5G;
proxy_pass http://$NET.100:3000;


@ -9,5 +9,8 @@ cd "$HTTP_DIR"
# Get remote content files
rclone_ncloud_publiclink.sh
# Invalid cache
#rm -rf "/tmp/hugo_cache_$USER"
# Build website
HUGO_CACHEDIR=/tmp/hugo_cache_$USER hugo
HUGO_CACHEDIR="/tmp/hugo_cache_$USER" hugo
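Review bot: `HUGO_CACHEDIR="/tmp/hugo_cache_$USER"` is a predictable name under world-writable `/tmp`, so on a host with other local users the directory can be created in advance by someone else and the build would then read cache content it does not own. A per-user location avoids that, e.g. `HUGO_CACHEDIR="${XDG_CACHE_HOME:-$HOME/.cache}/hugo" hugo`. The new comment `# Invalid cache` probably means `# Invalidate cache`.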

1
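--- a/services/leida.fr/.env
+++ b/services/leida.fr/.env
@@ -0,0 +1 @@
+SFTP_USER=leidaRO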


1
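--- a/services/leida.fr/deploy.sh
+++ b/services/leida.fr/deploy.sh
@@ -0,0 +1 @@
+../sftp_jc/deploy.sh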


@ -0,0 +1 @@
../sftp_jc/deploy_user.sh


@ -1 +0,0 @@
version: '3'


@ -1,15 +0,0 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate $JC_CERT/fullchain.pem;
ssl_certificate_key $JC_CERT/privkey.pem;
server_name leida.fr www.leida.fr;
location / {
root /data/leida.fr/public;
index index.htm index.html;
try_files $uri $uri/ =404;
}
location ~ .php {
deny all;
}
}


@ -0,0 +1 @@
../sftp_jc/nginx_server.conf


@ -0,0 +1 @@
../pelican/backup_list.sh


@ -10,3 +10,4 @@ TELECOM_SERVER_PORT=3494
SOUNDBASE_DIR=/data/mux.radiodemo.oma-radio.fr/core/radioDemo
OMA_DOCKER_VERSION=dev
ICECAST=.110
WG_NAME_radiodemo=radiodemo


@ -0,0 +1 @@
#!/bin/bash


@ -2,7 +2,9 @@ version: '3'
services:
ambre_mux:
image: registry.gitlab.com/omaradio/core/oma-mux:$OMA_DOCKER_VERSION
env_file: .env
env_file:
- .env
- $DATA_DIR/.env
environment:
OMA_CONFIG_Client1Host: $NET.108
OMA_CONFIG_TelecommandeHost: $NET$TELECOM
@ -10,6 +12,8 @@ services:
- $SOUNDBASE_DIR/pige:/app/pige
ports:
- $MUX_SERVER_PORT:9000
depends_on:
- transcode
restart: unless-stopped
networks:
default:
@ -58,7 +62,9 @@ services:
transcode:
image: savonet/liquidsoap:v2.1.4
env_file: .env
env_file:
- .env
- $DATA_DIR/.env
volumes:
- ./liquidsoap.liq:/transcode.liq
- $SOUNDBASE_DIR:/soundbase


@ -0,0 +1,42 @@
#!/bin/bash
echo "Content-type: text/html"
echo ""
. .env
instance=''
since=''
until=''
action="$(echo "$QUERY_STRING" | tr -d '/\;!<>?#[]()"*.' | sed 's/&/\n/g')"
while IFS='=' read key value ; do
case "$key" in
instance)
instance="$value"
;;
since)
since="$value"
;;
until)
until="$value"
;;
list)
docker-compose ps -a --format json
;;
*)
exit 1
esac
done < <(echo "$action")
[ -z "$instance" ] && exit 2
[ -z "$since" ] && exit 3
[ -z "$until" ] && exit 4
echo docker-compose logs --since "$since" --until "$until" "$instance"
if [ "$?" -ne 0 ] ; then
echo failed
fi
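Review bot: The `tr -d` denylist applied to `$QUERY_STRING` is the only validation of `instance`, `since` and `until`, and it leaves a leading `-` in place, so once the command at the end is really executed a request value can be parsed by docker-compose as an option; each value should be checked against an allowlist pattern instead. As written, that line only `echo`es the command, so the `$?` test after it checks `echo` and `failed` is never printed, which looks like a debugging leftover. `read key value` should be `read -r`, and since request values are echoed back the response is safer as `Content-type: text/plain`. The `list` action returns the container list to anyone who can reach the CGI, so access control has to be enforced by the web server in front of it.

```shell
# … unchanged: headers, .env, QUERY_STRING parsing loop …
name_re='^[A-Za-z0-9][A-Za-z0-9_-]*$'
time_re='^[0-9][0-9A-Za-z:-]*$'
[[ "$instance" =~ $name_re ]] || exit 2
[[ "$since" =~ $time_re ]] || exit 3
[[ "$until" =~ $time_re ]] || exit 4
if ! docker-compose logs --since "$since" --until "$until" "$instance" ; then
  echo failed
fi
```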


@ -25,7 +25,8 @@ keydir="$DATA_DIR/keys"
primary_ips=""
# IP of secondary servers (for zone transfer)
secondary_ips="37.65.119.74;"
# master.retzo.net
secondary_ips="159.69.124.127;2a01:4f8:c17:d8f2::1;"
# NS name
default_dns_name="ns.jean-cloud.org."


@ -20,7 +20,7 @@ prepare () {
chown bind:bind "$debian_bind_confdir" -R
fi
# Sync the git repo
echo 'Sync the git repo'
run sudo -u bind git_update.sh -N -b main -i "$SECRET_DIR/gitkey" -d "$debian_bind_confdir" 'ssh://git@git.jean-cloud.net:22529/adrian/dnszones.git'
cd /etc/bind
@ -36,6 +36,13 @@ prepare () {
}
restart () {
echo 'Check named conf'
run named-checkconf "$debian_bind_confdir/named.conf"
for db_file in $(list_db_files) ; do
domain="${db_file:3}"
run named-checkzone "$domain" "$db_file"
done
echo 'Restart named'
rm /etc/bind/*.jnl || true
systemctl restart named
@ -109,6 +116,10 @@ list_template_db_files () {
ls "$debian_bind_confdir"/template.db.*
}
list_db_files () {
ls "$debian_bind_confdir"/db.* | grep -v -e '.jbk$' -e '.signed$' -e '.signed.jnl'
}
create_primary_files () {
# Compact the default SOA


@ -0,0 +1,2 @@
DATA_DIR=/tmp/mock_data
NET=172.29.1


@ -0,0 +1,94 @@
version: '3'
services:
db:
image: postgres:15-alpine
restart: unless-stopped
volumes:
- $DATA_DIR/db:/var/lib/postgresql/data
networks:
default:
ipv4_address: $NET.101
nextcloud:
image: nextcloud:28-fpm-alpine
volumes:
- $DATA_DIR/app:/var/www/html
depends_on:
- db
restart: unless-stopped
networks:
default:
ipv4_address: $NET.100
etherpad:
image: etherpad/etherpad
environment:
- DB_TYPE=postgres
- DB_HOST=db_etherpad
- DB_PORT=5432
- DB_NAME=etherpad
- DB_USER=etherpad
- DB_PASS=toDEzbjoTLBCugi9MrDMtVEPCLwcDeUJ6ofvqEWqmNEm7YvjNBHnKVa
restart: unless-stopped
networks:
default:
ipv4_address: $NET.104
deploy:
resources:
limits:
cpus: '0.50'
memory: 1000M
db_etherpad:
image: postgres:11-alpine
restart: unless-stopped
volumes:
- $DATA_DIR/db_etherpad:/var/lib/postgresql/data
environment:
- POSTGRES_USER=etherpad
- POSTGRES_DB=etherpad
- POSTGRES_PASSWORD=toDEzbjoTLBCugi9MrDMtVEPCLwcDeUJ6ofvqEWqmNEm7YvjNBHnKVa
networks:
default:
ipv4_address: $NET.105
deploy:
resources:
limits:
cpus: '0.50'
memory: 1000M
ethercalc:
image: audreyt/ethercalc
environment:
REDIS_PORT_6379_TCP_ADDR: redis
REDIS_PORT_6379_TCP_PORT: 6379
restart: unless-stopped
networks:
default:
ipv4_address: $NET.102
deploy:
resources:
limits:
cpus: '0.50'
memory: 1000M
redis:
image: redis:latest
volumes:
- /var/lib/redis:/data
command: redis-server --appendonly yes
restart: unless-stopped
networks:
default:
ipv4_address: $NET.103
deploy:
resources:
limits:
cpus: '0.50'
memory: 2000M
networks:
default:
ipam:
config:
- subnet: $NET.0/24
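Review bot: `DB_PASS` for `etherpad` and `POSTGRES_PASSWORD` for `db_etherpad` are written in clear text in this compose file, so the database password is now part of the repository history; move both to a file kept outside the repo (e.g. `env_file: $DATA_DIR/etherpad.env`, the way the site-benevole compose file uses `$DATA_DIR/postgres.env`) and rotate the value. `etherpad/etherpad`, `audreyt/ethercalc` and `redis:latest` are unpinned, and `postgres:11-alpine` is a major version that no longer receives upstream fixes, so each of them should move to a pinned, supported tag.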


@ -1,143 +1,189 @@
# inspired from
# https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html?highlight=nginx
# 2021 05 25
# https://docs.nextcloud.com/server/28/admin_manual/installation/nginx.html#nextcloud-in-the-webroot-of-nginx
# 2024 02 11
# Set the `immutable` cache control options only for assets with a cache busting `v` argument
map $arg_v $asset_immutable {
"" "";
default ", immutable";
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate $JC_CERT/fullchain.pem;
ssl_certificate_key $JC_CERT/privkey.pem;
server_name $JC_SERVICE www.$JC_SERVICE;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name $JC_SERVICE www.$JC_SERVICE;
root $DATA_DIR/app;
limit_req zone=defaultlimit burst=500 nodelay;
# Path to the root of your installation
root $DATA_DIR/app;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
# Use Mozilla's guidelines for SSL/TLS settings
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
ssl_certificate $JC_CERT/fullchain.pem;
ssl_certificate_key $JC_CERT/privkey.pem;
limit_req zone=defaultlimit burst=500 nodelay;
# Prevent nginx HTTP Server Detection
server_tokens off;
# HSTS settings
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
# set max upload size and increase upload timeout:
client_max_body_size 10G;
client_body_timeout 300s;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Pagespeed is not supported by Nextcloud, so if your server is built
# with the `ngx_pagespeed` module, uncomment this line to disable it.
#pagespeed off;
# The settings allows you to optimize the HTTP2 bandwidth.
# See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
# for tuning hints
client_body_buffer_size 512k;
# HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
# Set .mjs and .wasm MIME types
# Either include it in the default mime.types list
# and include that list explicitly or add the file extension
# only for Nextcloud like below:
include mime.types;
types {
text/javascript js mjs;
application/wasm wasm;
}
# Specify how to handle directories -- specifying `/index.php$request_uri`
# here as the fallback means that Nginx always exhibits the desired behaviour
# when a client requests a path that corresponds to a directory that exists
# on the server. In particular, if that directory contains an index.php file,
# that file is correctly served; if it doesn't, then the request is passed to
# the front-end controller. This consistent behaviour means that we don't need
# to specify custom rules for certain paths (e.g. images and other assets,
# `/updater`, `/ocs-provider`), and thus
# `try_files $uri $uri/ /index.php$request_uri`
# always provides the desired behaviour.
index index.php index.html /index.php$request_uri;
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
location = / {
if ( $http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/$is_args$args;
}
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
# Make a regex exception for `/.well-known` so that clients can still
# access it despite the existence of the regex rule
# `location ~ /(\.|autotest|...)` which would otherwise handle requests
# for `/.well-known`.
location ^~ /.well-known {
# The rules in this block are an adaptation of the rules
# in `.htaccess` that concern `/.well-known`.
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
# set max upload size
client_max_body_size 10G;
fastcgi_buffers 64 4K;
location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
location /.well-known/pki-validation { try_files $uri $uri/ =404; }
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Let Nextcloud's API for `/.well-known` URIs handle all other
# requests by passing them to the front-end controller.
return 301 /index.php$request_uri;
}
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
# Rules borrowed from `.htaccess` to hide certain paths from clients
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
# Ensure this block, which passes PHP files to the PHP process, is above the blocks
# which handle static assets (as seen below). If this block is not declared first,
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
# to the URI, resulting in a HTTP 500 error response.
location ~ \.php(?:$|/) {
# Required for legacy support
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this
# topic first.
# add_header Strict-Transport-Security "max-age=15768000;
# includeSubDomains; preload;";
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
add_header X-Frame-Options "SAMEORIGIN";
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /var/www/html/$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;
# Specify how to handle directories -- specifying `/index.php$request_uri`
# here as the fallback means that Nginx always exhibits the desired behaviour
# when a client requests a path that corresponds to a directory that exists
# on the server. In particular, if that directory contains an index.php file,
# that file is correctly served; if it doesn't, then the request is passed to
# the front-end controller. This consistent behaviour means that we don't need
# to specify custom rules for certain paths (e.g. images and other assets,
# `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
# `try_files $uri $uri/ /index.php$request_uri`
# always provides the desired behaviour.
index index.php index.html /index.php$request_uri;
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls
fastcgi_pass $NET.100:9000;
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
location = / {
if ( $http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/$is_args$args;
}
}
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
return 404;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
return 404;
}
fastcgi_max_temp_file_size 0;
}
location ~ \.php(?:$|/) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
# Serve static files
location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
try_files $uri /index.php$request_uri;
# HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Cache-Control "public, max-age=15778463$asset_immutable";
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-XSS-Protection "1; mode=block" always;
access_log off; # Optional: Don't log access to assets
}
try_files $fastcgi_script_name =404;
location ~ \.woff2?$ {
try_files $uri /index.php$request_uri;
expires 7d; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /var/www/html/$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
# Rule borrowed from `.htaccess`
location /remote {
return 301 /remote.php$request_uri;
}
# TODO is it needed? Is it buggy?
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
fastcgi_param front_controller_active true;
fastcgi_pass $NET.100:9000;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
# Make sure it is BELOW the PHP block
location ~ \.(?:css|js|svg|gif)$ {
try_files $uri /index.php$request_uri;
expires 6M; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
location ~ \.woff2?$ {
try_files $uri /index.php$request_uri;
expires 7d; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
# Rule borrowed from `.htaccess`
location /remote {
return 301 /remote.php$request_uri;
}
location / {
try_files $uri $uri/ /index.php$request_uri;
}
location / {
try_files $uri $uri/ /index.php$request_uri;
}
}
@ -174,7 +220,7 @@ server {
proxy_buffers 32 64k;
proxy_buffer_size 128k;
add_header Strict-Transport-Security max-age=31536000;
include /data/proxy/nuage.jean-cloud.net/nginx_cors.conf;
#include /data/proxy/nuage.jean-cloud.net/nginx_cors.conf;
}
location / {
gzip on;
@ -189,7 +235,7 @@ server {
proxy_buffers 32 64k;
proxy_buffer_size 128k;
add_header Strict-Transport-Security max-age=31536000;
include /data/proxy/nuage.jean-cloud.net/nginx_cors.conf;
#include /data/proxy/nuage.jean-cloud.net/nginx_cors.conf;
}
}
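Review bot: The rewritten main `server` block appears to drop HSTS: the old header list had an active `add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";`, while the new text taken from the Nextcloud 28 template only carries the commented-out `preload` variant. Unless the header is set elsewhere, keep it without `preload`: `add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;`. Because `add_header` directives are not inherited once a location declares its own, the static-assets location would need the same line. The section is rendered without `+`/`-` markers, so the side of each line is inferred from the template order.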


@ -0,0 +1,185 @@
#
#
upstream php-handler {
server 127.0.0.1:9000;
#server unix:/run/php/php8.2-fpm.sock;
}
# Set the `immutable` cache control options only for assets with a cache busting `v` argument
map $arg_v $asset_immutable {
"" "";
default ", immutable";
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name cloud.example.com;
# Path to the root of your installation
root /var/www/nextcloud;
# Use Mozilla's guidelines for SSL/TLS settings
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
ssl_certificate /etc/ssl/nginx/cloud.example.com.crt;
ssl_certificate_key /etc/ssl/nginx/cloud.example.com.key;
# Prevent nginx HTTP Server Detection
server_tokens off;
# HSTS settings
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
# set max upload size and increase upload timeout:
client_max_body_size 512M;
client_body_timeout 300s;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Pagespeed is not supported by Nextcloud, so if your server is built
# with the `ngx_pagespeed` module, uncomment this line to disable it.
#pagespeed off;
# The settings allows you to optimize the HTTP2 bandwidth.
# See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
# for tuning hints
client_body_buffer_size 512k;
# HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
# Set .mjs and .wasm MIME types
# Either include it in the default mime.types list
# and include that list explicitly or add the file extension
# only for Nextcloud like below:
include mime.types;
types {
text/javascript js mjs;
application/wasm wasm;
}
# Specify how to handle directories -- specifying `/index.php$request_uri`
# here as the fallback means that Nginx always exhibits the desired behaviour
# when a client requests a path that corresponds to a directory that exists
# on the server. In particular, if that directory contains an index.php file,
# that file is correctly served; if it doesn't, then the request is passed to
# the front-end controller. This consistent behaviour means that we don't need
# to specify custom rules for certain paths (e.g. images and other assets,
# `/updater`, `/ocs-provider`), and thus
# `try_files $uri $uri/ /index.php$request_uri`
# always provides the desired behaviour.
index index.php index.html /index.php$request_uri;
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
location = / {
if ( $http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/$is_args$args;
}
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Make a regex exception for `/.well-known` so that clients can still
# access it despite the existence of the regex rule
# `location ~ /(\.|autotest|...)` which would otherwise handle requests
# for `/.well-known`.
location ^~ /.well-known {
# The rules in this block are an adaptation of the rules
# in `.htaccess` that concern `/.well-known`.
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
location /.well-known/pki-validation { try_files $uri $uri/ =404; }
# Let Nextcloud's API for `/.well-known` URIs handle all other
# requests by passing them to the front-end controller.
return 301 /index.php$request_uri;
}
# Rules borrowed from `.htaccess` to hide certain paths from clients
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
# Ensure this block, which passes PHP files to the PHP process, is above the blocks
# which handle static assets (as seen below). If this block is not declared first,
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
# to the URI, resulting in a HTTP 500 error response.
location ~ \.php(?:$|/) {
# Required for legacy support
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
fastcgi_max_temp_file_size 0;
}
# Serve static files
location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
try_files $uri /index.php$request_uri;
# HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Cache-Control "public, max-age=15778463$asset_immutable";
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-XSS-Protection "1; mode=block" always;
access_log off; # Optional: Don't log access to assets
}
location ~ \.woff2?$ {
try_files $uri /index.php$request_uri;
expires 7d; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
# Rule borrowed from `.htaccess`
location /remote {
return 301 /remote.php$request_uri;
}
location / {
try_files $uri $uri/ /index.php$request_uri;
}
}


@ -6,11 +6,11 @@ server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /data/dnscerts.jean-cloud.org/certs/live/nuage.jean-cloud.net/fullchain.pem;
ssl_certificate_key /data/dnscerts.jean-cloud.org/certs/live/nuage.jean-cloud.net/privkey.pem;
server_name nuage.jean-cloud.net www.nuage.jean-cloud.net;
ssl_certificate $JC_CERT/fullchain.pem;
ssl_certificate_key $JC_CERT/privkey.pem;
server_name $JC_SERVICE www.$JC_SERVICE;
root /data/nuage.jean-cloud.net/app;
root $DATA_DIR/app;
limit_req zone=defaultlimit burst=500 nodelay;
@ -110,8 +110,7 @@ server {
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
fastcgi_param front_controller_active true;
#fastcgi_pass 172.16.11.100:9000;
fastcgi_pass nextcloud.nuagejean-cloudnet.docker:9000;
fastcgi_pass $NET.100:9000;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
@ -156,8 +155,8 @@ server {
large_client_header_buffers 32 64k;
root /usr/share/nginx/www;
index index.html index.htm;
ssl_certificate /data/dnscerts.jean-cloud.org/certs/live/nuage.jean-cloud.net/fullchain.pem;
ssl_certificate_key /data/dnscerts.jean-cloud.org/certs/live/nuage.jean-cloud.net/privkey.pem;
ssl_certificate $JC_CERT/fullchain.pem;
ssl_certificate_key $JC_CERT/privkey.pem;
server_name calc.nuage.jean-cloud.net;
location ~* (\.(css|png|gif|svg|ico|txt)|static/.*\.js(on)?|manifest\.(appcache|webapp|json)|browserconfig\.xml)$ {
@ -167,7 +166,7 @@ server {
}
location ~* "(?:[.]|/_/[^/]+/)(?:html|csv|csv\.json)$" {
proxy_pass http://ethercalc.nuagejean-cloudnet.docker:8000;
proxy_pass http://$NET.102:8000;
proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
@ -175,13 +174,13 @@ server {
proxy_buffers 32 64k;
proxy_buffer_size 128k;
add_header Strict-Transport-Security max-age=31536000;
include /data/proxy/nuage.jean-cloud.net/nginx_cors.conf;
#include /data/proxy/nuage.jean-cloud.net/nginx_cors.conf;
}
location / {
gzip on;
gzip_min_length 1000;
gzip_proxied any;
proxy_pass http://ethercalc.nuagejean-cloudnet.docker:8000;
proxy_pass http://$NET.102:8000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_read_timeout 31536000;
@ -190,19 +189,19 @@ server {
proxy_buffers 32 64k;
proxy_buffer_size 128k;
add_header Strict-Transport-Security max-age=31536000;
include /data/proxy/nuage.jean-cloud.net/nginx_cors.conf;
#include /data/proxy/nuage.jean-cloud.net/nginx_cors.conf;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /data/dnscerts.jean-cloud.org/certs/live/nuage.jean-cloud.net/fullchain.pem;
ssl_certificate_key /data/dnscerts.jean-cloud.org/certs/live/nuage.jean-cloud.net/privkey.pem;
ssl_certificate $JC_CERT/fullchain.pem;
ssl_certificate_key $JC_CERT/privkey.pem;
server_name pad.nuage.jean-cloud.net;
location / {
proxy_pass http://etherpad.nuagejean-cloudnet.docker:9001;
proxy_pass http://$NET.104:9001;
proxy_buffering off; # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
proxy_set_header Host $host;
proxy_pass_header Server;


@ -0,0 +1,195 @@
upstream php-handler {
server 127.0.0.1:9000;
#server unix:/run/php/php8.2-fpm.sock;
}
# Set the `immutable` cache control options only for assets with a cache busting `v` argument
map $arg_v $asset_immutable {
"" "";
default ", immutable";
}
server {
listen 80;
listen [::]:80;
server_name cloud.example.com;
# Prevent nginx HTTP Server Detection
server_tokens off;
# Enforce HTTPS
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name cloud.example.com;
# Path to the root of your installation
root /var/www/nextcloud;
# Use Mozilla's guidelines for SSL/TLS settings
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
ssl_certificate /etc/ssl/nginx/cloud.example.com.crt;
ssl_certificate_key /etc/ssl/nginx/cloud.example.com.key;
# Prevent nginx HTTP Server Detection
server_tokens off;
# HSTS settings
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
# set max upload size and increase upload timeout:
client_max_body_size 512M;
client_body_timeout 300s;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Pagespeed is not supported by Nextcloud, so if your server is built
# with the `ngx_pagespeed` module, uncomment this line to disable it.
#pagespeed off;
# The settings allows you to optimize the HTTP2 bandwidth.
# See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
# for tuning hints
client_body_buffer_size 512k;
# HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
# Set .mjs and .wasm MIME types
# Either include it in the default mime.types list
# and include that list explicitly or add the file extension
# only for Nextcloud like below:
include mime.types;
types {
text/javascript js mjs;
application/wasm wasm;
}
# Specify how to handle directories -- specifying `/index.php$request_uri`
# here as the fallback means that Nginx always exhibits the desired behaviour
# when a client requests a path that corresponds to a directory that exists
# on the server. In particular, if that directory contains an index.php file,
# that file is correctly served; if it doesn't, then the request is passed to
# the front-end controller. This consistent behaviour means that we don't need
# to specify custom rules for certain paths (e.g. images and other assets,
# `/updater`, `/ocs-provider`), and thus
# `try_files $uri $uri/ /index.php$request_uri`
# always provides the desired behaviour.
index index.php index.html /index.php$request_uri;
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
location = / {
if ( $http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/$is_args$args;
}
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Make a regex exception for `/.well-known` so that clients can still
# access it despite the existence of the regex rule
# `location ~ /(\.|autotest|...)` which would otherwise handle requests
# for `/.well-known`.
location ^~ /.well-known {
# The rules in this block are an adaptation of the rules
# in `.htaccess` that concern `/.well-known`.
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
location /.well-known/pki-validation { try_files $uri $uri/ =404; }
# Let Nextcloud's API for `/.well-known` URIs handle all other
# requests by passing them to the front-end controller.
return 301 /index.php$request_uri;
}
# Rules borrowed from `.htaccess` to hide certain paths from clients
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
# Ensure this block, which passes PHP files to the PHP process, is above the blocks
# which handle static assets (as seen below). If this block is not declared first,
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
# to the URI, resulting in a HTTP 500 error response.
location ~ \.php(?:$|/) {
# Required for legacy support
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
fastcgi_max_temp_file_size 0;
}
# Serve static files
location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
try_files $uri /index.php$request_uri;
# HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Cache-Control "public, max-age=15778463$asset_immutable";
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-XSS-Protection "1; mode=block" always;
access_log off; # Optional: Don't log access to assets
}
location ~ \.woff2?$ {
try_files $uri /index.php$request_uri;
expires 7d; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
# Rule borrowed from `.htaccess`
location /remote {
return 301 /remote.php$request_uri;
}
location / {
try_files $uri $uri/ /index.php$request_uri;
}
}
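Review bot: The HTTPS server block sends no `Strict-Transport-Security` header, since its only occurrence is the commented-out sample line with `preload`, whereas the nuage.jean-cloud.net blocks touched earlier in this commit set `add_header Strict-Transport-Security max-age=31536000;`. Enabling it without preload, e.g. `add_header Strict-Transport-Security "max-age=31536000" always;`, keeps the earlier behaviour. Because the static-asset location declares its own `add_header` lines, the header has to be repeated there as well. The file also still carries the sample values `cloud.example.com` and `/etc/ssl/nginx/cloud.example.com.crt`, where the other vhosts in this commit use `$JC_SERVICE` and `$JC_CERT`; if it is meant to be deployed rather than kept as a reference, those need substituting.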


@ -0,0 +1 @@
#!/bin/bash


@ -23,4 +23,8 @@ AllowedIPs = 10.100.1.252/32
[Peer] # Passerelle
PublicKey = unY6v95qus8ttJvmSlxqa+J8lKj+CCiRItZ3pFwyjyM=
AllowedIPs = 10.100.1.0/24,192.168.100.0/24
[Peer] # debug
PublicKey = K9IpoUbjyN+42y0YG3OIwAPRBZcd92GnKfbYEj3RZ18=
AllowedIPs = 10.100.1.21/32
"
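Review bot: The new `[Peer] # debug` entry is a standing credential on the VPN, and nothing in the hunk records who holds the key or when it is supposed to be removed. A comment above the peer such as `# debug: <owner>, remove after <date>` (placeholders) would let the next audit of this peer list decide whether the entry is still needed. The `/32` in `AllowedIPs` keeps the peer to a single address, which is the right scope. The quoted string that contains these lines starts outside the hunk.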


@ -0,0 +1,47 @@
version: '3'
services:
web:
image: jeancloud/rapla
environment:
MYSQL_DATABASE: rapla_db
MYSQL_USER: rapla_db_user
MYSQL_PASSWORD: aPxqhmqUvqNBVXEoIt9cSZTXgmtqzFdgbTHeUMNeT2iL9ch8rN0z0iIGIc2rpMQZfdk87OZ45k3mf99tbT
MYSQL_HOST: db
volumes:
- /docker/raplacgr.jean-cloud.net/server.xml:/usr/local/tomcat/conf/server.xml
depends_on:
- db
restart: unless-stopped
networks:
default:
ipv4_address: $NET.100
deploy:
resources:
limits:
cpus: '0.50'
memory: 300M
db:
image: mysql:5.7
environment:
MYSQL_DATABASE: rapla_db
MYSQL_USER: rapla_db_user
MYSQL_PASSWORD: aPxqhmqUvqNBVXEoIt9cSZTXgmtqzFdgbTHeUMNeT2iL9ch8rN0z0iIGIc2rpMQZfdk87OZ45k3mf99tbT
MYSQL_RANDOM_ROOT_PASSWORD: yes
volumes:
- /data/raplacgr.jean-cloud.net/db:/var/lib/mysql
restart: unless-stopped
networks:
default:
ipv4_address: $NET.101
deploy:
resources:
limits:
cpus: '0.50'
memory: 300M
networks:
default:
ipam:
config:
- subnet: $NET.0/24
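Review bot: `MYSQL_PASSWORD` is written in clear text in both the `web` and `db` services, so the database credential is now part of the repository history. Other compose files in this commit load their settings with `env_file: .env`; doing the same here, with `MYSQL_PASSWORD` defined in a file kept outside git, and rotating the value that was committed, would keep the secret out of the repository. Separately, `mysql:5.7` has reached upstream end of life and no longer receives security fixes, so a supported tag is worth choosing for a new deployment.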


@ -0,0 +1,13 @@
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name raplacgr.jean-cloud.net;
ssl_certificate $JC_CERT/fullchain.pem;
ssl_certificate_key $JC_CERT/privkey.pem;
location / {
proxy_pass http://$NET.100:8080/;
proxy_set_header Host raplacgr.jean-cloud.net;
proxy_set_header X-Forwarded-Proto https;
}
}
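Review bot: The `location /` block forwards `Host` and `X-Forwarded-Proto` but not the client address, so the backend only ever sees the proxy's IP. The Tomcat `server.xml` added for this service in the same commit logs `%h` in its AccessLogValve, which will then record the proxy for every request and leave the access log of little use when investigating abuse. Adding `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` fixes the nginx side. Tomcat additionally needs a RemoteIpValve, or a `%{X-Forwarded-For}i` field in the log pattern, to make use of them.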


@ -0,0 +1,48 @@
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.startup.VersionLoggerListener" />
<!-- Security listener. Documentation at /docs/config/listeners.html
<Listener className="org.apache.catalina.security.SecurityListener" />
-->
<!-- APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<GlobalNamingResources>
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
proxyName="raplacgr.jean-cloud.net"
proxyPort="443"/>
<Engine name="Catalina" defaultHost="localhost">
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log" suffix=".txt"
pattern="%h %l %u %t &quot;%r&quot; %s %b" />
</Host>
</Engine>
</Service>
</Server>
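Review bot: The `<Connector port="8080">` sets `proxyName` and `proxyPort="443"` but not `scheme="https"` or `secure="true"`, so the application still sees every request as plain HTTP. Redirects may then be built with `http://` and session cookies may be issued without the Secure flag. Adding `scheme="https" secure="true"` to the connector matches the TLS termination done by nginx. `redirectPort="8443"` refers to a connector this file does not define. `autoDeploy="true"` is better set to `false` on a production host, since it deploys whatever appears under `webapps`.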


@ -13,18 +13,18 @@ services:
cpus: '0.50'
memory: 100M
test_rpnow:
image: jeancloud/rpnow:dev
volumes:
- /data/test.rpnow.jean-cloud.org/:/var/local/rpnow
networks:
default:
ipv4_address: $NET.101
deploy:
resources:
limits:
cpus: '0.50'
memory: 100M
# test_rpnow:
# image: jeancloud/rpnow:dev
# volumes:
# - /data/test.rpnow.jean-cloud.org/:/var/local/rpnow
# networks:
# default:
# ipv4_address: $NET.101
# deploy:
# resources:
# limits:
# cpus: '0.50'
# memory: 100M
networks:
default:


@ -18,23 +18,23 @@ server {
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate $JC_CERT/fullchain.pem;
ssl_certificate_key $JC_CERT/privkey.pem;
server_name test.rpnow.jean-cloud.net www.test.rpnow.jean-cloud.net;
location / {
client_max_body_size 2G;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 86400;
proxy_redirect off;
proxy_pass http://$NET.101;
}
}
#server {
# listen 443 ssl http2;
# listen [::]:443 ssl http2;
# ssl_certificate $JC_CERT/fullchain.pem;
# ssl_certificate_key $JC_CERT/privkey.pem;
# server_name test.rpnow.jean-cloud.net www.test.rpnow.jean-cloud.net;
#
# location / {
# client_max_body_size 2G;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header Host $http_host;
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "upgrade";
# proxy_read_timeout 86400;
# proxy_redirect off;
# proxy_pass http://$NET.101;
# }
#}


@ -1,11 +1,11 @@
# This is not real CSV. Do not put separator in a field, even escaped
# UID ; username ; service name ; server name
# ID ; username ; service name ; server name
1;sftp.jean-cloud.net;sftp.jean-cloud.net;raku.jean-cloud.org
2;benevoles31.karnaval.fr;benevoles31.karnaval.fr;max.jean-cloud.org
3;builder.rimarima.fr;builder.rimarima.fr;raku.jean-cloud.org
4;chahut.jean-cloud.net;chahut.jean-cloud.net;max.jean-cloud.org
5;chiloe.eu;chiloe.eu;shlago.jean-cloud.org
6;coldcms.chahut.jean-cloud.net;coldcms.chahut.jean-cloud.net;raku.jean-cloud.org
#6;coldcms.chahut.jean-cloud.net;coldcms.chahut.jean-cloud.net;raku.jean-cloud.org
7;collectif-arthadie.fr;collectif-arthadie.fr;vandamme.jean-cloud.org
8;compagnienouvelle.fr;compagnienouvelle.fr;nougaro.jean-cloud.org
9;copaines.jean-cloud.net;copaines.jean-cloud.net;max.jean-cloud.org
@ -15,19 +15,19 @@
14;feministesucl34.communistesliber;feministesucl34.communisteslibertaires.org;none
15;feteducourt.jean-cloud.net;feteducourt.jean-cloud.net;shlago.jean-cloud.org
16;feteducourt2020.jean-cloud.net;feteducourt2020.jean-cloud.net;shlago.jean-cloud.org
17;git.jean-cloud.net;git.jean-cloud.net;vandamme.jean-cloud.org
18;grapes.chahut.jean-cloud.net;grapes.chahut.jean-cloud.net;max.jean-cloud.org
17;git.jean-cloud.net;git.jean-cloud.net;izzo.jean-cloud.org
#18;grapes.chahut.jean-cloud.net;grapes.chahut.jean-cloud.net;max.jean-cloud.org
20;inurbe.fr;inurbe.fr;shlago.jean-cloud.org
21;jean-cloud.net;jean-cloud.net;shlago.jean-cloud.org
22;leida.fr;leida.fr;vandamme.jean-cloud.org
22;leida.fr;leida.fr;shlago.jean-cloud.org
23;lexicographe.jean-cloud.net;lexicographe.jean-cloud.net;shlago.jean-cloud.org
24;metamorphosemagazine.fr;metamorphosemagazine.fr;shlago.jean-cloud.org
25;mux.radiodemo.oma-radio.fr;mux.radiodemo.oma-radio.fr;raku.jean-cloud.org
26;nc-backup.jean-cloud.net;nc-backup.jean-cloud.net;raku.jean-cloud.org
27;ns.jean-cloud.org;ns.jean-cloud.org;shlago.jean-cloud.org
28;ns1.jean-cloud.org;ns1.jean-cloud.org;tetede.jean-cloud.org
29;nuage.jean-cloud.net;nuage.jean-cloud.net;vandamme.jean-cloud.org
30;oma-radio.fr;oma-radio.fr;vandamme.jean-cloud.org
29;nuage.jean-cloud.net;nuage.jean-cloud.net;izzo.jean-cloud.org
30;oma-radio.fr;oma-radio.fr;izzo.jean-cloud.org
31;pa1.studios.oma-radio.fr;pa1.studios.oma-radio.fr;tetede.jean-cloud.org
32;paj.oma-radio.fr;paj.oma-radio.fr;nougaro.jean-cloud.org
33;quadrille-elsa.jean-cloud.net;quadrille-elsa.jean-cloud.net;shlago.jean-cloud.org
@ -35,11 +35,20 @@
35;radionimaitre.oma-radio.fr;radionimaitre.oma-radio.fr;tetede.jean-cloud.org
36;raplacgr.jean-cloud.net;raplacgr.jean-cloud.net;tetede.jean-cloud.org
37;rimarima.fr;rimarima.fr;raku.jean-cloud.org
38;rpnow.jean-cloud.net;rpnow.jean-cloud.net;vandamme.jean-cloud.org
38;rpnow.jean-cloud.net;rpnow.jean-cloud.net;izzo.jean-cloud.org
39;soundbase.radiodemo.oma-radio.fr;soundbase.radiodemo.oma-radio.fr;montbonnot.jean-cloud.org
40;static.jean-cloud.net;static.jean-cloud.net;vandamme.jean-cloud.org
40;static.jean-cloud.net;static.jean-cloud.net;izzo.jean-cloud.org
41;velov.jean-cloud.net;velov.jean-cloud.net;shlago.jean-cloud.org
42;wiki-cgr.jean-cloud.net;wiki-cgr.jean-cloud.net;vandamme.jean-cloud.org
42;wiki-cgr.jean-cloud.net;wiki-cgr.jean-cloud.net;izzo.jean-cloud.org
43;radio.karnaval.fr;radio.karnaval.fr;tetede.jean-cloud.org
44;wordpress.abc.jean-cloud.net;wordpress.abc.jean-cloud.net;max.jean-cloud.org
45;jean-cloud.org;jean-cloud.org;shlago.jean-cloud.org
46;soundbase.paj.oma-radio.fr;soundbase.paj.oma-radio.fr;montbonnot.jean-cloud.org
47;backup-borg-server;backup-borg-server;montbonnot.jean-cloud.org
48;backup-borg-client;backup-borg-client;raku.jean-cloud.org
49;soundbase.radionimaitre.oma;soundbase.radionimaitre.oma-radio.fr;montbonnot.jean-cloud.org
50;monitoring.jean-cloud.net;monitoring.jean-cloud.net;montbonnot.jean-cloud.org
51;benevoles32.karnaval.fr;benevoles32.karnaval.fr;izzo.jean-cloud.org
52;nginx_exporter;nginx_exporter;shlago.jean-cloud.org
53;benevoles.karnaval.fr;benevoles.karnaval.fr;izzo.jean-cloud.org
54;accent.jean-cloud.net;accent.jean-cloud.net;raku.jean-cloud.org

1 # This is not real CSV. Do not put separator in a field, even escaped
2 # UID ; username ; service name ; server name # ID ; username ; service name ; server name
3 1;sftp.jean-cloud.net;sftp.jean-cloud.net;raku.jean-cloud.org
4 2;benevoles31.karnaval.fr;benevoles31.karnaval.fr;max.jean-cloud.org
5 3;builder.rimarima.fr;builder.rimarima.fr;raku.jean-cloud.org
6 4;chahut.jean-cloud.net;chahut.jean-cloud.net;max.jean-cloud.org
7 5;chiloe.eu;chiloe.eu;shlago.jean-cloud.org
8 6;coldcms.chahut.jean-cloud.net;coldcms.chahut.jean-cloud.net;raku.jean-cloud.org #6;coldcms.chahut.jean-cloud.net;coldcms.chahut.jean-cloud.net;raku.jean-cloud.org
9 7;collectif-arthadie.fr;collectif-arthadie.fr;vandamme.jean-cloud.org
10 8;compagnienouvelle.fr;compagnienouvelle.fr;nougaro.jean-cloud.org
11 9;copaines.jean-cloud.net;copaines.jean-cloud.net;max.jean-cloud.org
15 14;feministesucl34.communistesliber;feministesucl34.communisteslibertaires.org;none
16 15;feteducourt.jean-cloud.net;feteducourt.jean-cloud.net;shlago.jean-cloud.org
17 16;feteducourt2020.jean-cloud.net;feteducourt2020.jean-cloud.net;shlago.jean-cloud.org
18 17;git.jean-cloud.net;git.jean-cloud.net;vandamme.jean-cloud.org 17;git.jean-cloud.net;git.jean-cloud.net;izzo.jean-cloud.org
19 18;grapes.chahut.jean-cloud.net;grapes.chahut.jean-cloud.net;max.jean-cloud.org #18;grapes.chahut.jean-cloud.net;grapes.chahut.jean-cloud.net;max.jean-cloud.org
20 20;inurbe.fr;inurbe.fr;shlago.jean-cloud.org
21 21;jean-cloud.net;jean-cloud.net;shlago.jean-cloud.org
22 22;leida.fr;leida.fr;vandamme.jean-cloud.org 22;leida.fr;leida.fr;shlago.jean-cloud.org
23 23;lexicographe.jean-cloud.net;lexicographe.jean-cloud.net;shlago.jean-cloud.org
24 24;metamorphosemagazine.fr;metamorphosemagazine.fr;shlago.jean-cloud.org
25 25;mux.radiodemo.oma-radio.fr;mux.radiodemo.oma-radio.fr;raku.jean-cloud.org
26 26;nc-backup.jean-cloud.net;nc-backup.jean-cloud.net;raku.jean-cloud.org
27 27;ns.jean-cloud.org;ns.jean-cloud.org;shlago.jean-cloud.org
28 28;ns1.jean-cloud.org;ns1.jean-cloud.org;tetede.jean-cloud.org
29 29;nuage.jean-cloud.net;nuage.jean-cloud.net;vandamme.jean-cloud.org 29;nuage.jean-cloud.net;nuage.jean-cloud.net;izzo.jean-cloud.org
30 30;oma-radio.fr;oma-radio.fr;vandamme.jean-cloud.org 30;oma-radio.fr;oma-radio.fr;izzo.jean-cloud.org
31 31;pa1.studios.oma-radio.fr;pa1.studios.oma-radio.fr;tetede.jean-cloud.org
32 32;paj.oma-radio.fr;paj.oma-radio.fr;nougaro.jean-cloud.org
33 33;quadrille-elsa.jean-cloud.net;quadrille-elsa.jean-cloud.net;shlago.jean-cloud.org
35 35;radionimaitre.oma-radio.fr;radionimaitre.oma-radio.fr;tetede.jean-cloud.org
36 36;raplacgr.jean-cloud.net;raplacgr.jean-cloud.net;tetede.jean-cloud.org
37 37;rimarima.fr;rimarima.fr;raku.jean-cloud.org
38 38;rpnow.jean-cloud.net;rpnow.jean-cloud.net;vandamme.jean-cloud.org 38;rpnow.jean-cloud.net;rpnow.jean-cloud.net;izzo.jean-cloud.org
39 39;soundbase.radiodemo.oma-radio.fr;soundbase.radiodemo.oma-radio.fr;montbonnot.jean-cloud.org
40 40;static.jean-cloud.net;static.jean-cloud.net;vandamme.jean-cloud.org 40;static.jean-cloud.net;static.jean-cloud.net;izzo.jean-cloud.org
41 41;velov.jean-cloud.net;velov.jean-cloud.net;shlago.jean-cloud.org
42 42;wiki-cgr.jean-cloud.net;wiki-cgr.jean-cloud.net;vandamme.jean-cloud.org 42;wiki-cgr.jean-cloud.net;wiki-cgr.jean-cloud.net;izzo.jean-cloud.org
43 43;radio.karnaval.fr;radio.karnaval.fr;tetede.jean-cloud.org
44 44;wordpress.abc.jean-cloud.net;wordpress.abc.jean-cloud.net;max.jean-cloud.org
45 45;jean-cloud.org;jean-cloud.org;shlago.jean-cloud.org
46 46;soundbase.paj.oma-radio.fr;soundbase.paj.oma-radio.fr;montbonnot.jean-cloud.org
47 47;backup-borg-server;backup-borg-server;montbonnot.jean-cloud.org
48 48;backup-borg-client;backup-borg-client;raku.jean-cloud.org
49 49;soundbase.radionimaitre.oma;soundbase.radionimaitre.oma-radio.fr;montbonnot.jean-cloud.org
50 50;monitoring.jean-cloud.net;monitoring.jean-cloud.net;montbonnot.jean-cloud.org
51 51;benevoles32.karnaval.fr;benevoles32.karnaval.fr;izzo.jean-cloud.org
52 52;nginx_exporter;nginx_exporter;shlago.jean-cloud.org
53 53;benevoles.karnaval.fr;benevoles.karnaval.fr;izzo.jean-cloud.org
54 54;accent.jean-cloud.net;accent.jean-cloud.net;raku.jean-cloud.org


@ -9,9 +9,8 @@ services:
- $DOCKER_DIR/init.sh:/etc/sftp.d/init.sh:ro
- $DATA_DIR/home:/home
- $DATA_DIR/home/feministesucl34:/home/feministesucl34RO
- $DATA_DIR/home/leida:/home/leidaRO
- $DATA_DIR/home/chiloe:/home/chiloeRO
- $DATA_DIR/home/leida/public:/home/leidaRO/public:ro
- $DATA_DIR/home/chiloe/public:/home/chiloeRO/public:ro
ports:
- '2929:22'
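Review bot: The `leidaRO` and `chiloeRO` mounts are now limited to `public` and marked `:ro`, but `$DATA_DIR/home/feministesucl34:/home/feministesucl34RO` may still expose that whole home directory read-write under a name ending in `RO`. The rendering does not show which lines were dropped, so this applies only if that line is kept on the new side. If the account uses the same layout, the matching form would be `- $DATA_DIR/home/feministesucl34/public:/home/feministesucl34RO/public:ro`. The `volumes:` list starts outside the hunk.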

3
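--- a/services/sftp_jc/deploy.sh
+++ b/services/sftp_jc/deploy.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+chmod 700 "$SECRET_DIR/sftp.sshprivkey"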
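Review bot: `chmod 700` gives the private key an execute bit it does not need; `600` is the conventional mode for an SSH key file. The script also has no `set -u`, so an unset `SECRET_DIR` makes the command target `/sftp.sshprivkey`. `chmod 600 "${SECRET_DIR:?}/sftp.sshprivkey"` covers both.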


@ -0,0 +1,7 @@
#!/bin/bash
mkdir -p ~/.ssh
echo '[sftp.jean-cloud.net]:2929 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5WLG4HbhHMWZySQkCOfMyJ8HAojyJJ66prhn/WSh1T6vyi/oWuodhN5fzIenEpKrmIzXLLfFa8Q9YuEYmcwNGp0FrTnATDYLABL530DBsCQzA5S+fLecY0iLHEkluuJCcX2+cNpu7ytzgbEzHFDRDkd6RgI1cBL5smCnbxfrJSvfLR0VvihQJNZKPYEFHxt9euGkHhKilwbXa4VEtfY8GfMK18dGlM+K2nRu4G+ckoNzx9K2RdwAqUyj1WFLrS+FYY8EbHlffWf4WES32tSeyd6z3rF0jFoN83ojZ0nPfcch10tWklfRc2RcoItde9p0bR/Cgz2SI1nZT9EcBhrpqGkucLsx/xvcxXd/puQDe9svBq1vgWRuub7e6Q40v8Lhl5dTGJutKLWbCg9udonaUIR/LudSnSgEGrDoz/Yjx8Iytj9+tLj9C+rRASfUnHnTRjsVKJG3Ofx+YHhWs0gLJcV06EvM+PBgZOCnegcPrssi0OE+I5HtDixTkaBNQPHXfKcGqlSEPRmqEuwsvdcv7vOfWJn1ufmKpoaLXWPrX+U4gZYSMHrhieqdcieT8wSu/YJa8gBM5qkK1WMOYxwYzLU5q9H4g9sJfFqk14cvQk47Tb+nTLlFoYZvunATBAxQuNuMo8+scu0BuIqinB5SjO6bwF3nJUCigs8BTmo95Pw==' > ~/.ssh/known_hosts
chmod 700 ~/.ssh/known_hosts
rclone sync --config=/notfound --sftp-host sftp.jean-cloud.net --sftp-user "$SFTP_USER" --sftp-port 2929 --sftp-key-file "$SECRET_DIR/sftp.sshprivkey" --sftp-known-hosts-file ~/.ssh/known_hosts :sftp:/public/ "$HTTP_DIR"
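Review bot: The `echo … > ~/.ssh/known_hosts` line overwrites the account's whole known_hosts file on every run, discarding any other host keys stored there, and the following `chmod 700` sets an execute bit on a data file. Pinning the server's host key is the right idea. Writing it to a file of its own keeps the pin without touching the user's file, for example `kh=$(mktemp)` followed by `--sftp-known-hosts-file "$kh"`. Adding `set -euo pipefail` near the top would stop the script before `rclone sync` if writing the key fails or `SFTP_USER`, `SECRET_DIR` or `HTTP_DIR` is unset.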


@ -0,0 +1,12 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate $JC_CERT/fullchain.pem;
ssl_certificate_key $JC_CERT/privkey.pem;
server_name $JC_SERVICE www.$JC_SERVICE;
location / {
root $HTTP_DIR;
try_files $uri $uri/ =404;
}
}
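Review bot: `root $HTTP_DIR` is served with a bare `try_files`, so any dot-file that the sync from the SFTP `public/` directory brings along (a `.git` directory, an editor backup, a `.env`) becomes downloadable. The inurbe.fr vhost removed in this commit had an explicit `location /.git { deny all; return 404; }`. A general rule inside this server block, such as `location ~ /\.(?!well-known) { return 404; }`, would keep that protection for every site generated from what appears to be a shared template.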


@ -4,8 +4,6 @@ services:
image: registry.gitlab.com/omaradio/core/oma-jukebox:$OMA_DOCKER_VERSION
env_file: .env
environment:
OMA_CONFIG_TelecommandeHost: $RADIO_HOST
OMA_CONFIG_TelecommandePort: $TELECOM_SERVER_PORT
OMA_CONFIG_Client1Host: mux.radiodemo.oma-radio.fr
OMA_CONFIG_Client1Port: $MUX_SERVER_PORT
volumes:
@ -24,8 +22,6 @@ services:
azurite_jukebox_simulator:
image: registry.gitlab.com/omaradio/core/oma-jukebox-simulator:$OMA_DOCKER_VERSION
env_file: .env
environment:
OMA_CONFIG_TelecommandeHost: $RADIO_HOST
volumes:
- $SOUNDBASE_DIR:/app/soundBase
restart: unless-stopped
@ -47,8 +43,6 @@ services:
agate_importer:
image: registry.gitlab.com/omaradio/core/oma-baseimport:$OMA_DOCKER_VERSION
env_file: .env
environment:
OMA_CONFIG_TelecommandeHost: $RADIO_HOST
volumes:
- $SOUNDBASE_DIR:/app/soundBase
restart: unless-stopped
@ -65,8 +59,6 @@ services:
rubis_base_mg:
image: registry.gitlab.com/omaradio/core/oma-base-mg:$OMA_DOCKER_VERSION
env_file: .env
environment:
OMA_CONFIG_TelecommandeHost: $RADIO_HOST
restart: unless-stopped
volumes:
- $SOUNDBASE_DIR:/soundbase
@ -83,8 +75,6 @@ services:
system_api:
image: jeancloud/system-api:dev
env_file: .env
environment:
OMA_CONFIG_TelecommandeHost: $RADIO_HOST
UID: 33
SOUNDBASE_PATH: /soundbase
MOUNT: /api
@ -108,7 +98,6 @@ services:
# image: jeancloud/mp3addon:$OMA_DOCKER_VERSION
# env_file: .env
# environment:
# OMA_CONFIG_TelecommandeHost: $NET.101
# OMA_CONFIG_PigePrefix: /opt
# restart: unless-stopped
# volumes:
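Review bot: The `system_api` hunk (`-83,8 +75,6`) drops two lines, and if they are `environment:` and `OMA_CONFIG_TelecommandeHost` as in the sibling services, then `UID: 33`, `SOUNDBASE_PATH` and `MOUNT` are left indented under `env_file: .env` with no parent key. That is not valid YAML and would stop the stack from loading. In that service only the `OMA_CONFIG_TelecommandeHost: $RADIO_HOST` line should go, with `environment:` kept. The rendered page does not mark which lines were removed, so this needs checking against the file; `docker compose config` will confirm whether it parses.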


@ -4,7 +4,7 @@ server {
ssl_certificate $JC_CERT/fullchain.pem;
ssl_certificate_key $JC_CERT/privkey.pem;
server_name static.oma-radio.fr www.static.oma-radio.fr $JC_SERVICE www.$JC_SERVICE;
root $HTTP_DIR/public/;
root $DATA_DIR/public/;
location / {
add_header 'Access-Control-Allow-Origin' '*';


@ -1,28 +0,0 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/collectif-arthadie.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/collectif-arthadie.fr/privkey.pem;
server_name wordpress.collectif-arthadie.fr www.wordpress.collectif-arthadie.fr;
location / {
client_max_body_size 2G;
#proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto https;
proxy_pass http://wp.collectif-arthadiefr.docker;
proxy_redirect off;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/collectif-arthadie.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/collectif-arthadie.fr/privkey.pem;
server_name collectif-arthadie.fr www.collectif-arthadie.fr;
location / {
root /data/collectif-arthadie.fr/static;
try_files $uri $uri/ =404;
}
}


@ -1,25 +0,0 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/cousinades.jean-cloud.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cousinades.jean-cloud.net/privkey.pem;
server_name cousinades.jean-cloud.net www.cousinades.jean-cloud.net;
index index.php;
root /data/cousinades.jean-cloud.net/public;
location / {
#auth_basic "Restricted";
#auth_basic_user_file /data/cousinades.jean-cloud.net/private/passwords.txt;
try_files $uri $uri/ =404;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass app.cousinadesjean-cloudnet.docker:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /usr/src/app/$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
}


@ -1,12 +0,0 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/git.jean-cloud.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/git.jean-cloud.net/privkey.pem;
server_name git.jean-cloud.net www.git.jean-cloud.net;
location / {
client_max_body_size 5G;
proxy_pass http://gitea.gitjean-cloudnet.docker:3000;
}
}


@ -1,17 +0,0 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/inurbe.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/inurbe.fr/privkey.pem;
server_name inurbe.fr www.inurbe.fr;
location /.git {
deny all;
return 404;
}
location / {
root /data/inurbe.fr;
try_files $uri $uri/ =404;
}
}


@ -1,15 +0,0 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/leida.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/leida.fr/privkey.pem;
server_name leida.fr www.leida.fr;
location / {
root /data/leida.fr/public;
index index.htm index.html;
try_files $uri $uri/ =404;
}
location ~ .php {
deny all;
}
}


@ -1,13 +0,0 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/oma-radio.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/oma-radio.fr/privkey.pem;
server_name oma-radio.fr www.oma-radio.fr;
root /data/oma-radio.fr;
location / {
index index.html;
try_files $uri $uri/ =404;
}
}


@ -1,17 +0,0 @@
server{
listen 80 default_server;
listen [::]:80 default_server;
location '/.well-known/acme-challenge' {
root /var/www/letsencrypt;
default_type "text/plain";
try_files $uri $uri/ =404;
}
location / {
return 301 https://$host$request_uri;
}
location = /basic_status {
stub_status;
}
}


@ -1,40 +0,0 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/rpnow.jean-cloud.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/rpnow.jean-cloud.net/privkey.pem;
server_name rpnow.jean-cloud.net www.rpnow.jean-cloud.net;
location / {
client_max_body_size 2G;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 86400;
proxy_redirect off;
proxy_pass http://rpnow.rpnowjean-cloudnet.docker;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/rpnow.jean-cloud.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/rpnow.jean-cloud.net/privkey.pem;
server_name test.rpnow.jean-cloud.net www.test.rpnow.jean-cloud.net;
location / {
client_max_body_size 2G;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 86400;
proxy_redirect off;
proxy_pass http://test_rpnow.rpnowjean-cloudnet.docker;
}
}


@ -1,15 +0,0 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/static.jean-cloud.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/static.jean-cloud.net/privkey.pem;
server_name static.oma-radio.fr www.static.oma-radio.fr static.jean-cloud.net www.static.jean-cloud.net;
root /data/static.jean-cloud.net/public/;
location / {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET';
index index.html;
try_files $uri $uri/ =404;
}
}


@ -1,30 +0,0 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/wiki-cgr.jean-cloud.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/wiki-cgr.jean-cloud.net/privkey.pem;
server_name wiki-cgr.jean-cloud.net www.wiki-cgr.jean-cloud.net;
location / {
client_max_body_size 2G;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://mediawiki.wiki-cgrjean-cloudnet.docker;
proxy_redirect off;
}
}
# Is the parsoid mutualisable on all wikis ?
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/wiki-cgr.jean-cloud.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/wiki-cgr.jean-cloud.net/privkey.pem;
server_name parsoid-wiki-cgr.jean-cloud.net www.parsoid-wiki-cgr.jean-cloud.net;
location / {
client_max_body_size 2G;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://parsoid.wiki-cgrjean-cloudnet.docker;
proxy_redirect off;
}
}