adding some leftovers

big standardisation update
update
2023-10-31 17:00:18 +01:00 · 2023-10-31 16:42:06 +01:00 · 2023-10-16 10:47:35 +02:00 · 2023-10-02 23:45:09 +02:00
70 changed files with 552 additions and 300 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,3 @@
-installing/secrets
 installing/temporary_mount_point
+installing/secrets
+provisioning/roles/deploy_all/files/secrets
--- a/provisioning/inventory.ini
+++ b/provisioning/inventory.ini
@ -4,9 +4,7 @@ tetede.jean-cloud.org
 raku.jean-cloud.org

 [servers]
-#nougaro.jean-cloud.org
-#carcasse.jean-cloud.org
-#benevoles.karnaval.fr
+nougaro.jean-cloud.org
 montbonnot.jean-cloud.org
 #blatte.jean-cloud.org
 max.jean-cloud.org
--- a/provisioning/roles/deploy_all/files/bin/deploy_service.sh
+++ b/provisioning/roles/deploy_all/files/bin/deploy_service.sh
@ -61,9 +61,9 @@ fi

 if "$deploy" ; then
 	[ -x deploy.sh ] && ./deploy.sh
-	[ -x deploy_http.sh ] && sudo -u www-data bash -c ". '$DOCKER_DIR/.env' && . ./deploy_http.sh"
+	[ -x deploy_http.sh ] && sudo -u www-data bash -c "set -a ; . '$DOCKER_DIR/.env' ; set +a ; . ./deploy_http.sh"
 else
-	[ -x undeploy.sh ] && ./undeploy.sh
+	[ -x undeploy.sh ] && . undeploy.sh
 fi


@ -133,10 +133,8 @@ if [ -f "/docker/$service/nginx_server.conf" ] ; then

    section "Template nginx conf with vars from '.env' file"
    run template.sh "/docker/$service/.env" < "/docker/$service/nginx_server.conf" > "$new_nginx_conf_path/$service"
-fi

-section "Add dummy cert if needed"
-dummy_cert.sh "$service" add
+fi

 section "Testing nginx conf"
 run nginx -t -c /etc/nginx/new_nginx.conf
--- a/provisioning/roles/deploy_all/files/bin/deployall.sh
+++ b/provisioning/roles/deploy_all/files/bin/deployall.sh
@ -38,7 +38,7 @@ section "Delete new conf directory (to start from scratch)"
 run rm -rf "$new_nginx_conf_path"

 section "Create new conf file (for tests purposes)"
-sed "s#$nginx_conf_path#$new_nginx_conf_path#" "/docker/_proxy/nginx.conf" > "$proxy_dir/new_nginx.conf"
+sed "s#$nginx_conf_path#$new_nginx_conf_path/#" "/docker/_proxy/nginx.conf" > "$proxy_dir/new_nginx.conf"

 section "Create proxy dir"
 run mkdir -p "$proxy_dir" /docker /data
--- a/provisioning/roles/deploy_all/files/bin/dummy_cert.sh
+++ b/provisioning/roles/deploy_all/files/bin/dummy_cert.sh
@ -15,7 +15,7 @@ action="$2"
 if [ ! -f "$dummy_cert_path/privkey.pem" ] ; then
    echo "Dummy cert generation"
    run mkdir -p "$dummy_cert_path"
-    run openssl req -x509 -newkey rsa:2048 -keyout /etc/letsencrypt/live/dummy/privkey.pem -out /etc/letsencrypt/live/dummy/fullchain.pem -days 365 -nodes -subj "/C=FR/ST=France/O=IT/CN=jean-cloud.net"
+    run openssl req -x509 -newkey rsa:2048 -keyout "$http_certs_path/dummy/privkey.pem" -out "$http_certs_path/dummy/fullchain.pem" -days 365 -nodes -subj "/C=FR/ST=France/O=IT/CN=jean-cloud.net"
 fi

 if [ "$action" = add ] ; then
--- a/provisioning/roles/deploy_all/files/bin/gen_env.sh
+++ b/provisioning/roles/deploy_all/files/bin/gen_env.sh
@ -5,15 +5,17 @@ set -euo pipefail

 JC_ENV=/etc/jeancloud.env

-certs_path=/etc/letsencrypt/live
+dns_certs_path=/data/dnscerts.jean-cloud.org/certs/live
+http_certs_path=/etc/letsencrypt/live
 proxy_dir=/etc/nginx

 cat > "$JC_ENV" <<EOF
 proxy_dir='$proxy_dir'
-nginx_conf_path='$proxy_dir/sites-enabled'
+nginx_conf_path='$proxy_dir/sites-enabled/'
 new_nginx_conf_path='$proxy_dir/new-sites-enabled'
-certs_path='$certs_path'
-dummy_cert_path='$certs_path/dummy'
+dns_certs_path='$dns_certs_path'
+http_certs_path='$http_certs_path'
+dummy_cert_path='$http_certs_path/dummy'
 servicefile=/docker/services.txt
 EOF
 	
@ -23,7 +25,12 @@ for dir in /docker/* ; do

 	line_in_file "HTTP_DIR='/srv/http/$service'" "/docker/$service/.env"
 	line_in_file "DATA_DIR='/data/$service'" "/docker/$service/.env"
+	line_in_file "SECRET_DIR='/data/secrets/$service'" "/docker/$service/.env"
 	line_in_file "DOCKER_DIR='/docker/$service'" "/docker/$service/.env"
 	line_in_file "JC_SERVICE='$service'" "/docker/$service/.env"
-	line_in_file "JC_CERT='/data/dnscerts.jean-cloud.org/certs/live/$service'" "/docker/$service/.env"
+	cert="$(findcert.sh "$service")" || true
+	if [ -n "$cert" ] ; then
+		line_in_file "JC_CERT='$cert'" "/docker/$service/.env"
+	fi
+		
 done
--- a/provisioning/roles/deploy_all/files/bin/git_update.sh
+++ b/provisioning/roles/deploy_all/files/bin/git_update.sh
@ -22,6 +22,10 @@ usage[N]="Clone to a Non-empty target. Existing files will be overwriten"
 varia[N]=nonempty_target
 nonempty_target=false

+usage[K]="Remote host key file (known_hosts) for ssh connections"
+varia[K]=hostkeyfile
+hostkeyfile=''
+

 . driglibash-args

@ -32,12 +36,17 @@ if [ -n "$privkey" ] ; then
 	ssh_opt="$ssh_opt -i $privkey"
 fi

+if [ -n "$hostkeyfile" ] ; then
+	ssh_opt="$ssh_opt -o 'UserKnownHostsFile $hostkeyfile'"
+fi
+
 repo="$1"
 if [ -z "$repo" ] ; then
 	die "$0: Empty repo given\n$summary"
 fi

-cd "$dst"
+run mkdir -p "$dst"
+run cd "$dst"

 if [ -d .git ] ; then
 	run git fetch origin "$branch"
--- a/provisioning/roles/deploy_all/files/bin/hugo_rclone.sh
+++ b/provisioning/roles/deploy_all/files/bin/hugo_rclone.sh
@ -1,14 +1,35 @@
 #!/bin/bash
+
+. driglibash-base
+
 set -euo pipefail

-. "$DOCKER_DIR/.env"
-. "$DATA_DIR/.env"
+[ "$#" -ne 1 ] && die "Usage: $0 <hugo_directory>"
+dest_dir="$1"
+[ -z "$dest_dir" ] && die "Arg 'hugo_directory' should not be empty."

+
+# Get content from nextcloud
+if [ -v NC_SHARE_LINK ] ; then
 	webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')"
 	webdav_user="$(echo "$NC_SHARE_LINK"  |sed 's#.*/s/##')"
 	webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")"

-git_update.sh "$GIT_SOURCE_REPO"    
-rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" --      webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: "$CLOUD_LOCAL_PATH"
-hugo    
+	rclone sync --config=/notfound --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: "$dest_dir/$CLOUD_LOCAL_PATH"
+fi

+# Go to website
+cd "$dest_dir"
+
+# Rename .attachement dirs created by nextcloud
+while read filename ; do    
+    oldname="$(basename "$filename")"    
+    newname="${oldname:1}"    
+    path="$(dirname "$filename")"    
+    # And rename their references in md files  
+    find -type f -iname '*.md' -exec sed -i "s/$oldname/$newname/g" {} \;    
+    mv "$path/$oldname" "$path/$newname"    
+done < <(find -type d -name '.attachments.*')
+
+# Build the website
+hugo
--- a/provisioning/roles/deploy_all/files/bin/letsencrypt.sh
+++ b/provisioning/roles/deploy_all/files/bin/letsencrypt.sh
@ -2,6 +2,10 @@
 # This script will run on new cert and on cron renew
 # there is one cert by service

+set -euo pipefail
+
+. /etc/jeancloud.env
+
 # TODO make it an ansible script
 # No

@ -18,11 +22,8 @@ acmeroot=/var/www/letsencrypt
 # Création du répertoire
 mkdir -p "$acmeroot"

-# With trailing slash or it will be a prefix selector
-#nginx_sites_dir="/etc/nginx/sites-enabled/"
-nginx_sites_dir="/etc/nginx/sites-enabled/"

-for file in "$nginx_sites_dir"* ; do
+for file in "$nginx_conf_path"* ; do
  if $verbose ; then
    echo '-------------------------'
    echo "$file"
@ -30,6 +31,11 @@ for file in "$nginx_sites_dir"* ; do

  service_name="$(basename "$file")"

+  if [ -d "$dns_certs_path/$service_name" ] ; then
+	  echo "$service_name is handled by dnscerts"
+	  continue
+  fi
+    
  # Getting just the domain names
  domains="$(extract_domain_nginx_conf.sh "$file")"
  if [ -n "$domains" ] ; then
@ -69,10 +75,8 @@ for file in "$nginx_sites_dir"* ; do
      echo "     ------------------------------------------"
      echo "$out"
      echo "     ------------------------------------------"
-	  dummy_cert.sh "$service_name" add
    else
        echo "Unknown error : $result.\n$out"
-	    dummy_cert.sh "$service_name" add
    fi
  fi
 done
--- a/provisioning/roles/deploy_all/tasks/main.yml
+++ b/provisioning/roles/deploy_all/tasks/main.yml
@ -1,5 +1,13 @@
 ---
 # tasks file for deploy_all
+
+- name: "Check for secrets volume. Fail if not found"
+  include: "{{ item }}"
+  with_first_found:
+    - files:
+      - secrets/mounted
+
+
 - name: sync services dirs
  ansible.posix.synchronize:
    src: ../services/
@ -17,6 +25,13 @@
 - name: Gen env vars
  command: gen_env.sh

+- name: sync secrets
+  ansible.posix.synchronize:
+    src: secrets/
+    dest: /data/secrets
+    delete: true
+    archive: false
+    recursive: true

    #- name: Add bind conf
    #  ansible.posix.synchronize:
--- a/provisioning/roles/jean-cloud-common/tasks/main.yml
+++ b/provisioning/roles/jean-cloud-common/tasks/main.yml
@ -94,6 +94,7 @@
         }

 #TODO add this to /etc/docker/daemon.json
+# TODO no it breaks containers acces to internet
 #{
 #        "iptables": false
 #}
--- a/provisioning/services.yml
+++ b/provisioning/services.yml
@ -3,7 +3,7 @@

 - name: Deploy specific services
  hosts: servers
-  become: yes
+  become: no
  gather_facts: no
  roles:
    - deploy_all
--- a/services/amaglio.fr/nginx_server.conf
+++ b/services/amaglio.fr/nginx_server.conf
@ -1,8 +1,8 @@
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
-  ssl_certificate /etc/letsencrypt/live/amaglio.fr/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/amaglio.fr/privkey.pem;
+  ssl_certificate $JC_CERT/fullchain.pem;
+  ssl_certificate_key $JC_CERT/privkey.pem;

  server_name amaglio.fr www.amaglio.fr;
 #  root /data/amaglio.fr/app;
--- a/services/ariege1.studios.oma-radio.fr/wg-ariege1.sh
+++ b/services/ariege1.studios.oma-radio.fr/wg-ariege1.sh
@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -euo pipefail
+
+. .env
+filename="$(basename "$0")"
+ifname="${filename:3:-3}"
+
+echo "
+[Interface]
+PrivateKey = $(cat $DATA_DIR/privatekey)
+ListenPort = 51822
+Address = 10.100.2.254/32
+
+[Peer] # adrian
+PublicKey = 34DD9W9Pr2EpVK4IvU3tVY6fsIvGqDisUYr5Xtk62FI=
+AllowedIPs = 10.100.2.253/32
+
+[Peer] # Passerelle
+PublicKey = SM40+PyJSNk+Rmsa7Ym4+PwBgkRlRCsqEC7s7wfo/QE=
+AllowedIPs = 10.100.2.0/24,192.168.100.0/24
+"
--- a/services/benevoles31.karnaval.fr/nginx_server.conf
+++ b/services/benevoles31.karnaval.fr/nginx_server.conf
@ -1,8 +1,8 @@
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
-  ssl_certificate /etc/letsencrypt/live/$JC_SERVICE/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/$JC_SERVICE/privkey.pem;
+  ssl_certificate $JC_CERT/fullchain.pem;
+  ssl_certificate_key $JC_CERT/privkey.pem;
  server_name $JC_SERVICE benevoles.karnaval.fr;

  root $DATA_DIR/assets;
--- a/services/chahut.jean-cloud.net/nginx_server.conf
+++ b/services/chahut.jean-cloud.net/nginx_server.conf
@ -1,8 +1,8 @@
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
-  ssl_certificate /etc/letsencrypt/live/$JC_SERVICE/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/$JC_SERVICE/privkey.pem;
+  ssl_certificate $JC_CERT/fullchain.pem;
+  ssl_certificate_key $JC_CERT/privkey.pem;
  server_name wordpress.$JC_SERVICE www.wordpress.$JC_SERVICE;
  location  / {
    auth_basic           "Mot de passe !";
@ -19,8 +19,8 @@ server {
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
-  ssl_certificate /etc/letsencrypt/live/$JC_SERVICE/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/$JC_SERVICE/privkey.pem;
+  ssl_certificate $JC_CERT/fullchain.pem;
+  ssl_certificate_key $JC_CERT/privkey.pem;
  server_name $JC_SERVICE www.$JC_SERVICE;

  location /  {
--- a/services/chiloe.eu/deploy_http.sh
+++ b/services/chiloe.eu/deploy_http.sh
@ -0,0 +1,5 @@
+#!/bin/bash
+set -euo pipefail
+. "$SECRET_DIR/.env"
+
+rclone sync --config=/notfound --sftp-host sftp.jean-cloud.net --sftp-user chiloeRO --sftp-port 2929 --sftp-pass "$SFTP_PASS" :sftp:/public/ "$HTTP_DIR"
--- a/services/chiloe.eu/nginx_server.conf
+++ b/services/chiloe.eu/nginx_server.conf
@ -0,0 +1,22 @@
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  ssl_certificate $JC_CERT/fullchain.pem;
+  ssl_certificate_key $JC_CERT/privkey.pem;
+  server_name $JC_SERVICE www.$JC_SERVICE;
+  root $HTTP_DIR;
+
+  # Security headers
+  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+  add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self'; img-src 'self'; font-src 'self' fonts.gstatic.com; object-src 'none'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; base-uri 'self'; form-action 'self';" always;
+  add_header X-Content-Type-Options "nosniff";
+  add_header X-Frame-Options SAMEORIGIN always;
+  add_header X-XSS-Protection "1; mode=block" always;
+  add_header Referrer-Policy "strict-origin-when-cross-origin";
+  add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';";
+
+  location / {
+          index index.html;
+          try_files $uri $uri/ =404;
+  }
+}
--- a/services/collectif-arthadie.fr/nginx_server.conf
+++ b/services/collectif-arthadie.fr/nginx_server.conf
@ -1,8 +1,8 @@
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
-  ssl_certificate /etc/letsencrypt/live/collectif-arthadie.fr/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/collectif-arthadie.fr/privkey.pem;
+  ssl_certificate $JC_CERT/fullchain.pem;
+  ssl_certificate_key $JC_CERT/privkey.pem;
  server_name wordpress.collectif-arthadie.fr www.wordpress.collectif-arthadie.fr;
  location  / {
    client_max_body_size 2G;
@ -17,8 +17,8 @@ server {
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
-  ssl_certificate /etc/letsencrypt/live/collectif-arthadie.fr/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/collectif-arthadie.fr/privkey.pem;
+  ssl_certificate $JC_CERT/fullchain.pem;
+  ssl_certificate_key $JC_CERT/privkey.pem;
  server_name collectif-arthadie.fr www.collectif-arthadie.fr;

  location /  {
--- a/services/compagnienouvelle.fr/nginx_server.conf
+++ b/services/compagnienouvelle.fr/nginx_server.conf
@ -1,8 +1,8 @@
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
-  ssl_certificate /etc/letsencrypt/live/compagnienouvelle.fr/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/compagnienouvelle.fr/privkey.pem;
+  ssl_certificate $JC_CERT/fullchain.pem;
+  ssl_certificate_key $JC_CERT/privkey.pem;
  server_name wordpress.compagnienouvelle.fr www.wordpress.compagnienouvelle.fr;
  location  / {
    auth_basic           "Mot de passe !";
@ -19,8 +19,8 @@ server {
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
-  ssl_certificate /etc/letsencrypt/live/compagnienouvelle.fr/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/compagnienouvelle.fr/privkey.pem;
+  ssl_certificate $JC_CERT/fullchain.pem;
+  ssl_certificate_key $JC_CERT/privkey.pem;
  server_name compagnienouvelle.fr www.compagnienouvelle.fr;

  location /  {
--- a/services/deployer.jean-cloud.org/deploy.sh
+++ b/services/deployer.jean-cloud.org/deploy.sh
@ -1,2 +0,0 @@
-#!/bin/bash
-chmod +x server.sh
--- a/services/deployer.jean-cloud.org/nginx_server.conf
+++ b/services/deployer.jean-cloud.org/nginx_server.conf
@ -4,8 +4,8 @@ server {
        listen 443;    
        listen [::]:443;    
 		server_name $JC_SERVICE;
-        ssl_certificate /etc/letsencrypt/live/deployer.jean-cloud.org/fullchain.pem;
-        ssl_certificate_key /etc/letsencrypt/live/deployer.jean-cloud.org/privkey.pem;           
+        ssl_certificate $JC_CERT/fullchain.pem;
+        ssl_certificate_key $JC_CERT/privkey.pem;           
        location / {
 				limit_req zone=deployer_limit;
 			    include /etc/nginx/fastcgi_params;
--- a/services/deployer.jean-cloud.org/server.sh
+++ b/services/deployer.jean-cloud.org/server.sh
@ -1,38 +1,26 @@
 #!/bin/bash
+
+# TODO js (dnssec is trusting google right now)
+# fetch('https://dns.google/resolve?name=deployer.jean-cloud.org&cd=true&type=a').then(r => {r.json().then(j => {for (const i in j.Answer) {console.log(j.Answer[i].data)}})})
+
+
 echo "Content-type: text/html"
 echo ""

 service="$(echo "$DOCUMENT_URI" | tr -d '/\;!&<>?#[]()"*')"
-path="/docker/$service/deploy_http.sh"
+deployer="/docker/$service/deploy_http.sh"
 . /etc/jeancloud.env

-echo '<html><head><title>Rechargement d’un site web</title><meta charset="utf-8" /></head>'
-echo '<body>'
-echo "<h2>Rechargement d’un site web : $service</h2>"
-echo "<h3> Résultat local</h3>"
-if [ -x "$path" ] ; then
-	echo "<pre>"
-	"$path"
+if [ -z "$service" ] || [ ! -x "$deployer" ] ; then
+	echo "error"
+else
+	set -a
+	. "/docker/$service/.env"
+	set +a
+	"$deployer" 2>&1
 	ret="$?"
-	echo "</pre>"
 	if [ "$ret" -ne 0 ] ; then
-		echo '<p style="color:red;">Une erreur a été détectée. Contactez Jean-Cloud.</p>'
+		echo 'Error'
 	else
-		while read ip ; do
-			echo curl http://deployer.jean-cloud.org/ --resolve "*:80:$ip"
-			if [ "$?" -eq 0 ] ; then
-				echo "$ip ok"
-			else
-				echo "$ip ERREUR"
-			fi
-		done < <(getent hosts deployer.jean-cloud.org | cut -d ' ' -f 1 | grep -v "$my_ip")
 fi

-	echo '<p>Les informations précédentes peuvent vous être utiles (erreurs dans un document, fichier absent…). Prenez le temps de les lire pour avoir un site dont toutes les pages fonctionnent !</p>'
-else
-	echo "<p>Échec. Contactez Jean-Cloud</p>"
-fi
-
-echo '</body>'
-echo '</html>
-
--- a/services/dnscerts.jean-cloud.org/acme-dns.sh
+++ b/services/dnscerts.jean-cloud.org/acme-dns.sh
@ -1,11 +1,12 @@
 #!/bin/bash

-if [ "$#" -ne 1 ] ; then
-	echo "Usage: $0 <service_name>" >&2
+if [ "$#" -ne 2 ] ; then
+	echo "Usage: $0 <service_name> <workdir>" >&2
 	exit 1
 fi

 service="$1"
+workdir="$2"

 nginxfile="/docker/$service/nginx_server.conf"
 if [ -f "$nginxfile" ] ; then    
@ -13,5 +14,5 @@ if [ -f "$nginxfile" ] ; then
 	domains="$(echo "$nginxdomains" | tr ' ' '\n' | sort -u | resolvable.sh ns.jean-cloud.org | sed -z -e 's/\n$//' -e 's/\n/ -d /g' )"
 	[ -z "$domains" ] && exit 0
 	echo "--------------- -d $domains"
-	certbot certonly --config-dir "$DATA_DIR/certs" --work-dir "$tmp/work" --logs-dir "$tmp/logs" --agree-tos -m contact@jean-cloud.org -n --cert-name "$service" --dns-rfc2136 --dns-rfc2136-credentials "$DATA_DIR/rfc2136.ini" -d $domains
+	certbot certonly --config-dir "$DATA_DIR/certs" --work-dir "$workdir/work" --logs-dir "$workdir/logs" --agree-tos -m contact@jean-cloud.org -n --cert-name "$service" --dns-rfc2136 --dns-rfc2136-credentials "$DATA_DIR/rfc2136.ini" -d $domains
 fi
--- a/services/dnscerts.jean-cloud.org/run_as.sh
+++ b/services/dnscerts.jean-cloud.org/run_as.sh
@ -29,22 +29,17 @@ echo "For each service, read all possible domains"
 while read line ; do
 	read -r service target < <(echo "$line")

-	# Auto letsencrypt
-	[ "$target" = vandamme.jean-cloud.org ] && continue
-
 	# TODO remove
-	#( [ "$service" = collectif-arthadie.fr ] || [[ "$service" == *oma-radio.fr ]] ) && continue
+	 [ "$service" = collectif-arthadie.fr ]  && continue

 	# remove dummy cert
-	dummy_cert.sh "$service" remove
+	dummy_cert.sh "$service" remove || true

 	[ -d "$DATA_DIR/certs/live/$service" ] && echo "Already exists, thats a job for renew : $service" && continue

 	# acme
-	"$here/acme-dns.sh" "$service"
+	"$here/acme-dns.sh" "$service" "$tmp"

-	# Replace dummy cert if letsencrypt failed
-	[ "$?" -ne 0 ] && dummy_cert.sh "$service" add
 done < "$servicefile"

 echo "Push certs to other servers"
@ -52,5 +47,5 @@ for srv in $(host -t TXT shlago.jean-cloud.org ns.jean-cloud.org | grep -Po 'des
 	server="$srv.jean-cloud.org"
 	[ -n "$(grep "$server" /etc/hosts)" ] && continue
 	echo "-- $server"
-	rsync -avz -e "ssh -i '$DATA_DIR/certs.priv' -p 45985" "$DATA_DIR/certs" "certs@$server:$DATA_DIR/"
+	rsync -avz -e "ssh -i '$DATA_DIR/certs.priv' -p 45985" "$DATA_DIR/certs" "certs@$server:$DATA_DIR/" || true
 done
--- a/services/etrevivant.net/deploy_http.sh
+++ b/services/etrevivant.net/deploy_http.sh
@ -1,29 +1,8 @@
 #!/bin/bash
 set -euo pipefail
+set -a
+. "$SECRET_DIR/.env"
+set +a

-. "$DATA_DIR/.env"
-webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')"
-webdav_user="$(echo "$NC_SHARE_LINK"  |sed 's#.*/s/##')"
-webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")"
-
-# Get website files
 git_update.sh -d "$HTTP_DIR" "$GIT_SOURCE_REPO"
-
-# Get content from nextcloud
-rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: "$HTTP_DIR/$CLOUD_LOCAL_PATH"
-
-# Go to website
-cd "$HTTP_DIR"
-
-# Rename .attachement dirs created by nextcloud
-while read filename ; do    
-    oldname="$(basename "$filename")"    
-    newname="${oldname:1}"    
-    path="$(dirname "$filename")"    
-    # And rename their references in md files  
-    find -type f -iname '*.md' -exec sed -i "s/$oldname/$newname/g" {} \;    
-    mv "$path/$oldname" "$path/$newname"    
-done < <(find -type d -name '.attachments.*')
-
-# Build the website
-hugo
+hugo_rclone.sh "$HTTP_DIR"
--- a/services/feministesucl34.communisteslibertaires.org/deploy_http.sh
+++ b/services/feministesucl34.communisteslibertaires.org/deploy_http.sh
@ -0,0 +1,5 @@
+#!/bin/bash
+set -euo pipefail
+. "$SECRET_DIR/.env"
+
+rclone sync --config=/notfound --sftp-host sftp.jean-cloud.net --sftp-user feministesucl34 --sftp-port 2929 --sftp-pass "$SFTP_PASS" :sftp:/public/ "$HTTP_DIR"
--- a/services/feministesucl34.communisteslibertaires.org/nginx_server.conf
+++ b/services/feministesucl34.communisteslibertaires.org/nginx_server.conf
@ -0,0 +1,16 @@
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  ssl_certificate $JC_CERT/fullchain.pem;
+  ssl_certificate_key $JC_CERT/privkey.pem;
+  server_name $JC_SERVICE;
+
+  location = /wp-login.php {
+    return 301 https://wordpress.feministesucl34.jean-cloud.net/wp-login.php;
+  }
+
+  location /  {
+    root $HTTP_DIR;
+    try_files $uri $uri/ =404;
+  }
+}
--- a/services/feteducourt.jean-cloud.net/nginx_server.conf
+++ b/services/feteducourt.jean-cloud.net/nginx_server.conf
@ -5,7 +5,7 @@ server {
  ssl_certificate_key $JC_CERT/privkey.pem;
  server_name $JC_SERVICE www.$JC_SERVICE;
  location / {
-    root $HTTP_DIR;
+    root $HTTP_DIR/public;
    try_files $uri $uri/ =404;
  }
 }
--- a/services/feteducourt2020.jean-cloud.net/nginx_server.conf
+++ b/services/feteducourt2020.jean-cloud.net/nginx_server.conf
@ -5,7 +5,7 @@ server {
  ssl_certificate_key $JC_CERT/privkey.pem;
  server_name $JC_SERVICE www.$JC_SERVICE;
  location / {
-    root $HTTP_DIR;
+    root $HTTP_DIR/public;
    try_files $uri $uri/ =404;
  }
 }
--- a/services/git.jean-cloud.net/nginx_server.conf
+++ b/services/git.jean-cloud.net/nginx_server.conf
@ -1,8 +1,8 @@
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
-  ssl_certificate /etc/letsencrypt/live/git.jean-cloud.net/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/git.jean-cloud.net/privkey.pem;
+  ssl_certificate $JC_CERT/fullchain.pem;
+  ssl_certificate_key $JC_CERT/privkey.pem;
  server_name git.jean-cloud.net www.git.jean-cloud.net;
  location / {
    client_max_body_size 5G;
--- a/services/gmx-webmail.jean-cloud.net/nginx_server.conf
+++ b/services/gmx-webmail.jean-cloud.net/nginx_server.conf
@ -1,8 +1,8 @@
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
-  ssl_certificate /etc/letsencrypt/live/gmx-webmail.jean-cloud.net/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/gmx-webmail.jean-cloud.net/privkey.pem;
+  ssl_certificate $JC_CERT/fullchain.pem;
+  ssl_certificate_key $JC_CERT/privkey.pem;

  server_name gmx-webmail.jean-cloud.net www.gmx-webmail.jean-cloud.net;
 #  root /data/gmx-webmail.jean-cloud.net/app;
--- a/services/grapes.chahut.jean-cloud.net/nginx_server.conf
+++ b/services/grapes.chahut.jean-cloud.net/nginx_server.conf
@ -1,8 +1,8 @@
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
-  ssl_certificate /etc/letsencrypt/live/grapes.chahut.jean-cloud.net/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/grapes.chahut.jean-cloud.net/privkey.pem;
+  ssl_certificate $JC_CERT/fullchain.pem;
+  ssl_certificate_key $JC_CERT/privkey.pem;
  server_name grapes.chahut.jean-cloud.net;
  root $HTTP_DIR;

--- a/services/gypsylyonfestival.com/nginx_server.conf
+++ b/services/gypsylyonfestival.com/nginx_server.conf
@ -1,8 +1,8 @@
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
-  ssl_certificate /etc/letsencrypt/live/gypsylyonfestival.com/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/gypsylyonfestival.com/privkey.pem;
+  ssl_certificate $JC_CERT/fullchain.pem;
+  ssl_certificate_key $JC_CERT/privkey.pem;
  #server_name gypsylyonfestival.com www.gypsylyonfestival.com;
  server_name gypsy.jean-cloud.net;
  root /data/gypsylyonfestival.com/output;
--- a/services/inurbe.fr/.env
+++ b/services/inurbe.fr/.env
@ -0,0 +1 @@
+GIT_SOURCE_REPO="https://git.jean-cloud.net/adrian/inurbe"
--- a/services/inurbe.fr/deploy_http.sh
+++ b/services/inurbe.fr/deploy_http.sh
@ -0,0 +1,4 @@
+#!/bin/bash
+set -euo pipefail
+
+git_update.sh -d "$HTTP_DIR" "$GIT_SOURCE_REPO"
--- a/services/inurbe.fr/docker-compose.yml
+++ b/services/inurbe.fr/docker-compose.yml
@ -1 +0,0 @@
-version: '3.1'
--- a/services/inurbe.fr/nginx_server.conf
+++ b/services/inurbe.fr/nginx_server.conf
@ -1,12 +1,12 @@
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
-  ssl_certificate /etc/letsencrypt/live/inurbe.fr/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/inurbe.fr/privkey.pem;
-  server_name inurbe.fr www.inurbe.fr;
+  ssl_certificate $http_certs_dir/inurbe.fr/fullchain.pem;
+  ssl_certificate_key $http_certs_dir/inurbe.fr/privkey.pem;
+  server_name $JC_SERVICE www.$JC_SERVICE;

  location /  {
-    root /data/inurbe.fr;
+    root $HTTP_DIR/public;
    try_files $uri $uri/ =404;
  }
 }
--- a/services/jean-cloud.net/docker-compose.yml
+++ b/services/jean-cloud.net/docker-compose.yml
@ -1,2 +0,0 @@
-version: '3'
-
--- a/services/karnaval.fr/nginx_server.conf
+++ b/services/karnaval.fr/nginx_server.conf
@ -1,8 +1,8 @@
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
-  ssl_certificate /etc/letsencrypt/live/karnaval.fr/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/karnaval.fr/privkey.pem;
+  ssl_certificate $JC_CERT/fullchain.pem;
+  ssl_certificate_key $JC_CERT/privkey.pem;
  server_name karnaval.fr www.karnaval.fr;
  root $HTTP_DIR/;

--- a/services/leida.fr/nginx_server.conf
+++ b/services/leida.fr/nginx_server.conf
@ -1,8 +1,8 @@
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
-  ssl_certificate /etc/letsencrypt/live/leida.fr/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/leida.fr/privkey.pem;
+  ssl_certificate $JC_CERT/fullchain.pem;
+  ssl_certificate_key $JC_CERT/privkey.pem;
  server_name leida.fr www.leida.fr;
  location / {
          root /data/leida.fr/public;
--- a/services/lexicographe.jean-cloud.net/deploy.sh
+++ b/services/lexicographe.jean-cloud.net/deploy.sh
@ -1,4 +1,4 @@
 #!/bin/bash
 set -euo pipefail

-docker run -u 33 --rm --env-file "$DATA_DIR/.env" -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder
+docker run -u 33 --rm --env-file "$SECRET_DIR/.env" -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder
--- a/services/mux.radiodemo.oma-radio.fr/.env
+++ b/services/mux.radiodemo.oma-radio.fr/.env
@ -0,0 +1,12 @@
+ENDPOINT=10.29.0.1
+WEBSERVER=.105
+MUX=.100
+TELECOM=.101
+NET=172.29.0
+WEBSOCKET_PORT=2004
+RADIO_HOST=mux.radiodemo.oma-radio.fr
+MUX_SERVER_PORT=9004
+TELECOM_SERVER_PORT=3494
+SOUNDBASE_DIR=/data/mux.radiodemo.oma-radio.fr/core/radioDemo
+OMA_DOCKER_VERSION=dev
+ICECAST=.110
--- a/services/mux.radiodemo.oma-radio.fr/deploy.sh
+++ b/services/mux.radiodemo.oma-radio.fr/deploy.sh
@ -0,0 +1,4 @@
+#!/bin/bash
+mkdir -p "$DATA_DIR/pige"
+chown 10000:10000 "$DATA_DIR/pige" -R
+
--- a/services/mux.radiodemo.oma-radio.fr/docker-compose.yml
+++ b/services/mux.radiodemo.oma-radio.fr/docker-compose.yml
@ -1,7 +1,7 @@
 version: '3'
 services:
  ambre_mux:
-    image: jeancloud/mux:$OMA_DOCKER_VERSION
+    image: registry.gitlab.com/omaradio/core/oma-mux:$OMA_DOCKER_VERSION
    env_file: .env
    environment:
      OMA_CONFIG_Client1Host: $NET.108
@ -22,7 +22,7 @@ services:


  saphir_telecom_server:
-    image: jeancloud/telecom-server:$OMA_DOCKER_VERSION
+    image: registry.gitlab.com/omaradio/core/oma-telecom-server:$OMA_DOCKER_VERSION
    env_file: .env
    ports:
      - $TELECOM_SERVER_PORT:3490
@ -37,7 +37,7 @@ services:
          memory: 100M

  amarante_webserver:
-    image: jeancloud/webserver:$OMA_DOCKER_VERSION
+    image: registry.gitlab.com/omaradio/core/oma-webserver:$OMA_DOCKER_VERSION
    env_file: .env
    environment:
      OMA_CONFIG_TelecommandeHost: $NET$TELECOM
@ -58,7 +58,7 @@ services:
    image: savonet/liquidsoap:v2.1.4
    env_file: .env
    volumes:
-      - ./icecast.liq:/transcode.liq
+      - ./liquidsoap.liq:/transcode.liq
      - $SOUNDBASE_DIR:/soundbase
    command: /transcode.liq
    restart: unless-stopped
--- a/services/mux.radiodemo.oma-radio.fr/liquidsoap.liq
+++ b/services/mux.radiodemo.oma-radio.fr/liquidsoap.liq
@ -0,0 +1,79 @@
+#!/usr/bin/liquidsoap
+
+# Extract timestamp from pige path
+def ts_from_filepath (filepath)
+	splitpath = string.split(separator='/', filepath)
+	# Keep only filename
+	filename = list.nth(splitpath,list.length(splitpath)-1)
+	int_of_string(list.hd(string.split(separator='\\.', filename)))
+end
+
+# Remove pige from now-1month
+def  clean_single_old_pige(ts)
+	# ts of one month sooner
+	ts = ts - 2678400
+	filepath = "/soundbase/pige/#{ts}.ogg"
+	if file.exists("#{filepath}") then
+		process.run("rm #{filepath}")
+	end
+end
+
+# Remove a pige file if it is too old
+def clean_if_old(filename)
+	filepath = "/soundbase/pige/#{filename}"
+	if ( ts_from_filepath (filename) < int_of_float(time()) - 2678400 ) then
+		process.run("rm #{filepath}")
+	end
+end
+
+# Check that the timestamp starts exactly on a minute
+def integrity_check(ts)
+	if ts mod 60 != 0 then
+		log.important("#{ts} is to fix")
+	end
+end
+
+# Routine integrity check for each files
+def clean_and_check (filepath)
+	ts = ts_from_filepath (filepath)
+	integrity_check (ts)
+	clean_single_old_pige (ts)
+end
+
+# Exaustive integrity check
+def clean_and_check_all ()
+	list.iter(clean_if_old, file.ls("/soundbase/pige/"))
+	list.iter(clean_and_check, file.ls("/soundbase/pige/"))
+end
+
+
+
+# Mux
+input1 = mksafe(input.harbor("direct.ogg",port=8000,password="JsCabjWJUZXrrrKCaaRZma5wD4YKj5LQLXv6f"))
+
+# Direct mp3
+output.icecast(
+  %mp3(bitrate=128, samplerate=22050, stereo=false),
+  mount="/direct.mp3",
+  host="icecast", port=8000, password="JsCabjWJUZXrrrKCaaRZma5wD4YKj5LQLXv6f",
+  input1)
+
+# Radioking
+#output.icecast(    
+#  %mp3(bitrate=128, samplerate=22050, stereo=false),    
+#  mount="/test355",
+#  host="live.radioking.com", port=80, user="", password="",
+#  input)
+
+# Direct ogg
+output.icecast(
+  %vorbis(samplerate=44100, channels=1, quality=0.2),
+  mount="/direct.ogg",
+  host="icecast", port=8000, password="JsCabjWJUZXrrrKCaaRZma5wD4YKj5LQLXv6f",
+  input1)
+
+# Pige
+output.file(%vorbis(samplerate=44100, channels=1, quality=0.2), {"/soundbase/pige/#{int_of_float(time())}.ogg"}, input1, reopen_when={0s}, reopen_delay=1.0, on_close=clean_and_check)
+
+# Integrity checks
+clean_and_check_all()
--- a/services/mux.radiodemo.oma-radio.fr/nginx_server.conf
+++ b/services/mux.radiodemo.oma-radio.fr/nginx_server.conf
@ -0,0 +1,51 @@
+map $http_upgrade $connection_upgrade {
+       default upgrade;
+       '' close;
+}
+
+server{
+	listen $WEBSOCKET_PORT ssl;
+	ssl_certificate     $JC_CERT/fullchain.pem;
+    ssl_certificate_key $JC_CERT/privkey.pem;
+
+	location / {
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header Host $host;
+            proxy_pass http://$NET$WEBSERVER:9000;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+	        proxy_read_timeout 120s;
+	}
+}
+
+server {
+	listen 443 ssl;
+	listen [::]:443 ssl;
+	server_name $JC_SERVICE;
+	ssl_certificate     $JC_CERT/fullchain.pem;
+    ssl_certificate_key $JC_CERT/privkey.pem;
+
+    location / {
+        client_max_body_size 0;
+        proxy_pass http://$ENDPOINT;
+        proxy_set_header Host 'soundbase.radiodemo.oma-radio.fr';
+		proxy_set_header X-Forwarded-Host $JC_SERVICE;
+		proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Forwarded-For $remote_addr;
+    }
+
+
+	location /direct.ogg {
+		client_max_body_size 0;
+		proxy_pass http://$NET$ICECAST:8000/direct.ogg;
+	}
+	location /direct.mp3 {
+		client_max_body_size 0;
+		proxy_pass http://$NET$ICECAST:8000/direct.mp3;
+	}
+
+	# TODO open some stat route
+
+	
+}
--- a/services/radiodemo-back.oma-radio.fr/radioking.liq
+++ b/services/radiodemo-back.oma-radio.fr/radioking.liq
--- a/services/mux.radiodemo.oma-radio.fr/wg-radiodemo.sh
+++ b/services/mux.radiodemo.oma-radio.fr/wg-radiodemo.sh
@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -euo pipefail
+
+. .env
+
+wgif="$1"
+
+echo "
+[Interface]
+PrivateKey = $(cat $DATA_DIR/privatekey)
+Address = 10.29.0.254/32
+ListenPort = 55820
+
+# packet forwarding
+PreUp = sysctl -w net.ipv4.ip_forward=1
+
+# port forwarding
+#PreUp = iptables -t nat -A PREROUTING -p tcp --dport $MUX_SERVER_PORT -j DNAT --to-destination $ENDPOINT:$MUX_SERVER_PORT
+#PreUp = iptables -t nat -A PREROUTING -p tcp --dport $TELECOM_SERVER_PORT -j DNAT --to-destination $ENDPOINT:$TELECOM_SERVER_PORT
+
+#PostDown = iptables -t nat -D PREROUTING -p tcp --dport $MUX_SERVER_PORT -j DNAT --to-destination $ENDPOINT:$MUX_SERVER_PORT
+#PostDown = iptables -t nat -D PREROUTING -p tcp --dport $TELECOM_SERVER_PORT -j DNAT --to-destination $ENDPOINT:$TELECOM_SERVER_PORT
+
+# packet masquerading
+#PreUp = iptables -t nat -A POSTROUTING -o $wgif -j MASQUERADE
+#PostDown = iptables -t nat -D POSTROUTING -o $wgif -j MASQUERADE
+
+# remote settings for the private server
+[Peer]
+PublicKey = 6/Mlxe9auEw/WQnC6QYNAYtSAo8jAEMhJ1wXaRNy4AE=
+AllowedIPs = 10.29.0.0/24
+"
--- a/services/ns1.jean-cloud.org/deploy.sh
+++ b/services/ns1.jean-cloud.org/deploy.sh
@ -28,7 +28,7 @@ primary_ips=""
 secondary_ips="37.65.119.74;"

 # NS name
-default_dns_name="shlago.jean-cloud.org."
+default_dns_name="ns.jean-cloud.org."

 CAA_RR='CAA 0 issue "letsencrypt.org;validationmethods=dns-01"'

--- a/services/ns1.jean-cloud.org/helper_functions.sh
+++ b/services/ns1.jean-cloud.org/helper_functions.sh
@ -89,14 +89,19 @@ addbindline () {
 	sed -i "s/\([[:space:]]*\)$token/\1$acme_dns\n\1$token/" "$debian_bind_confdir/named.conf.local"


-	if [ -z "$shortname" ] ; then
+	# TODO check if name already existst with a different target
+	# Hard since we are resolving targets now…
+
 	# CNAME are forbiden for empty shortnames, so we must resolve the target IPs
+	# For performance reasons, we just put plain IP everywhere
+	# to put aliases in place of ip juste do the following if $shortname is empty:
+	#line_in_file "$shortname CNAME $target." "$bindfile"
 	while read line ; do
+		if [ -n "$shortname" ] ; then
+			line="$(echo "$line" | sed "s/@/$shortname/")"
+		fi
 		line_in_file "$line" "$bindfile"
 	done < <(fakeresolve "$target")
-	else
-		line_in_file "$shortname CNAME $target." "$bindfile"
-	fi
 }

 list_template_db_files () {
@ -126,6 +131,12 @@ create_primary_files () {
 			echo "@ NS $default_dns_name" >> "$new_db_file"
 		fi

+		# Add DS record
+		if [ -n "$(ls "$DATA_DIR/keys/K$domain"*.key)" ] ; then
+			echo ""
+			#dnssec-dsfromkey "$DATA_DIR/keys/K$domain"*.key | sed "s/${domain}./@/" >> "$new_db_file"
+		fi
+
 		# Populate named.conf.local
 		cat  >> "$debian_bind_confdir/named.conf.local" <<-EOF
 			zone "$domain" {
--- a/services/pa1.studios.oma-radio.fr/wg-pa1.sh
+++ b/services/pa1.studios.oma-radio.fr/wg-pa1.sh
@ -17,6 +17,6 @@ PublicKey = 14yKNmSfD2lrWU+d/RJBPNvh9pZ/nW4bK27F9nTgvk0=
 AllowedIPs = 10.100.1.253/32

 [Peer] # Passerelle
-PublicKey = ZTKOW5DE8jPO8oMh5hAw/c1MQSlUaVxInMPz9Zdwzwo=
+PublicKey = unY6v95qus8ttJvmSlxqa+J8lKj+CCiRItZ3pFwyjyM=
 AllowedIPs = 10.100.1.0/24,192.168.100.0/24
 "
--- a/services/radiodemo.oma-radio.fr/.env
+++ b/services/radiodemo.oma-radio.fr/.env
@ -1,12 +1,4 @@
-ENDPOINT=10.29.0.1
-WEBSERVER=.105
-MUX=.100
-TELECOM=.101
-NET=172.29.0
+GIT_SOURCE_REPO="git@gitlab.com:omaradio/website.git"
+RADIO_HOST=mux.radiodemo.oma-radio.fr
+USE_SSL=true
 WEBSOCKET_PORT=2004
-RADIO_HOST=radiodemo.oma-radio.fr
-MUX_SERVER_PORT=9004
-TELECOM_SERVER_PORT=3494
-SOUNDBASE_DIR=/data/radiodemo.oma-radio.fr/soundbase
-OMA_DOCKER_VERSION=dev
-ICECAST=.110
--- a/services/radiodemo.oma-radio.fr/.known_hosts
+++ b/services/radiodemo.oma-radio.fr/.known_hosts
@ -0,0 +1,2 @@
+gitlab.com ssh-dss AAAAB3NzaC1kc3MAAACBAMPKInNPflcRle9F5Qt2j9aI0EZuWQzdXTbYvsl+ChaacqCOWRMiOmXHXqetFz6jD/6Fcqg20ZATxqSskQBaRn97O/mbH+GQk4d3zw9WAEURicE8rKJop3qGtdfFxLzrTuF/PAkKRDMmutT3hwZIOO8CFWOl1BiuUYTncJTeonrfAAAAFQCujauoy3Yy+ul72b/WsTECUPj9yQAAAIBIV2yyF7RZf7IYS8tsWcKP7Y5Bv9eFdbvbtsaxcFCHcmHIGoJQrIdPoueoOb5EUTYz0NgYKsKaZzDZkgFk28GsmLxKvhnPjaw0lJVSKRchEE5xVlamOlabiRMjQ7X/bAdejkBJe96AjZZL3UO4acpwfy3Tnnap0w6YCDeaxoyHpwAAAIAU+dyNaL3Hy15VIV32QwWMekvxeptUY/DW03LNcgZZDoin87TE9xuQhM0qF3pi2i2a2ExuslgdttmYWvrbEz8eW+RFgvT5pKwWpalKWetHvtN3oYZP37ZIO1Y3Hd5A4YVcpYp1ccRayveLlCRwxb4HdGXT2OmYU+lmvimIR8zQ6A==
+gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9
--- a/services/radiodemo.oma-radio.fr/deploy_http.sh
+++ b/services/radiodemo.oma-radio.fr/deploy_http.sh
@ -0,0 +1,5 @@
+#!/bin/bash
+set -euo pipefail
+
+git_update.sh -b main -d "$HTTP_DIR" -K "$DOCKER_DIR/.known_hosts" -i "$DATA_DIR/website" "$GIT_SOURCE_REPO"
+hugo_rclone.sh "$HTTP_DIR"
--- a/services/radiodemo.oma-radio.fr/icecast.liq
+++ b/services/radiodemo.oma-radio.fr/icecast.liq
@ -1,46 +0,0 @@
-#!/usr/bin/liquidsoap
-
-def clean_and_check (filename)
-	ts = string.split(separator='/', filename)
-	ts = int_of_string(list.hd(string.split(separator='\.', list.nth(ts, list.length(ts)-1))))
-	integrity_check (ts)
-	clean_old_pige (ts)
-end
-
-def clean_and_check (filename)
-
-end
-
-def integrity_check(filename)
-	if ts mod 60 != 0 then
-		log.important("#{filename} is to fix")
-	end
-end
-
-# Mux
-input1 = mksafe(input.harbor("direct.ogg",port=8000,password="JsCabjWJUZXrrrKCaaRZma5wD4YKj5LQLXv6f"))
-
-# Direct mp3
-output.icecast(
-  %mp3(bitrate=128, samplerate=22050, stereo=false),
-  mount="/direct.mp3",
-  host="icecast", port=8000, password="JsCabjWJUZXrrrKCaaRZma5wD4YKj5LQLXv6f",
-  input1)
-
-# Radioking
-#output.icecast(    
-#  %mp3(bitrate=128, samplerate=22050, stereo=false),    
-#  mount="/test355",
-#  host="live.radioking.com", port=80, user="", password="",
-#  input)
-
-# Direct ogg
-output.icecast(
-  %vorbis(samplerate=44100, channels=1, quality=0.2),
-  mount="/direct.ogg",
-  host="icecast", port=8000, password="JsCabjWJUZXrrrKCaaRZma5wD4YKj5LQLXv6f",
-  input1)
-
-# Pige
-output.file(%vorbis(samplerate=44100, channels=1, quality=0.2), {"/soundbase/pige/#{int_of_float(time())}.ogg"}, input1, reopen_when={0s}, reopen_delay=1.0, on_close=clean_and_check)
-
--- a/services/radiodemo.oma-radio.fr/nginx_server.conf
+++ b/services/radiodemo.oma-radio.fr/nginx_server.conf
@ -1,38 +1,22 @@
-map $http_upgrade $connection_upgrade {
-       default upgrade;
-       '' close;
-}
-
 server {
-	listen $WEBSOCKET_PORT ssl;
-	listen [::]:$WEBSOCKET_PORT ssl;
-	ssl_certificate      /etc/letsencrypt/live/$RADIO_HOST/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/$RADIO_HOST/privkey.pem;
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  ssl_certificate $JC_CERT/fullchain.pem;
+  ssl_certificate_key $JC_CERT/privkey.pem;
+  server_name $JC_SERVICE www.$JC_SERVICE;
+  root $HTTP_DIR/public/;
+
+  # Security headers
+  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+  #add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self' 'https://static.jean-cloud.net/player-interface/*' ; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self' 'https://static.jean-cloud.net/player-interface/*' 'https://cdn.jsdelivr.net/npm/*'; base-uri 'self'; form-action 'self';" always;
+  add_header X-Content-Type-Options "nosniff";
+  add_header X-Frame-Options SAMEORIGIN always;
+  add_header X-XSS-Protection "1; mode=block" always;
+  add_header Referrer-Policy "strict-origin-when-cross-origin";
+  add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';";

  location / {
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header Host $host;
-            proxy_pass http://172.29.0.105:9000;
-            proxy_http_version 1.1;
-            proxy_set_header Upgrade $http_upgrade;
-            proxy_set_header Connection "upgrade";
-	        proxy_read_timeout 120s;
+          index index.html;
+          try_files $uri $uri/ =404;
  }
 }
-
-server {
-	listen 443 ssl;
-	listen [::]:443 ssl;
-	server_name $RADIO_HOST;
-	ssl_certificate     /etc/letsencrypt/live/$RADIO_HOST/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/$RADIO_HOST/privkey.pem;
-
-	location / {
-		client_max_body_size 0;
-		proxy_pass http://$ENDPOINT;
-		proxy_set_header Host            $host;
-    	proxy_set_header X-Forwarded-For $remote_addr;
-	}
-
-	
-}
--- a/services/rpnow.jean-cloud.net/nginx_server.conf
+++ b/services/rpnow.jean-cloud.net/nginx_server.conf
@ -1,8 +1,8 @@
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
-  ssl_certificate /etc/letsencrypt/live/rpnow.jean-cloud.net/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/rpnow.jean-cloud.net/privkey.pem;
+  ssl_certificate $JC_CERT/fullchain.pem;
+  ssl_certificate_key $JC_CERT/privkey.pem;
  server_name rpnow.jean-cloud.net www.rpnow.jean-cloud.net;

  location / {
@ -21,8 +21,8 @@ server {
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
-  ssl_certificate /etc/letsencrypt/live/rpnow.jean-cloud.net/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/rpnow.jean-cloud.net/privkey.pem;
+  ssl_certificate $JC_CERT/fullchain.pem;
+  ssl_certificate_key $JC_CERT/privkey.pem;
  server_name test.rpnow.jean-cloud.net www.test.rpnow.jean-cloud.net;

  location / {
--- a/services/services.txt
+++ b/services/services.txt
@ -1,4 +1,5 @@
 benevoles31.karnaval.fr max.jean-cloud.org
+feministesucl34.communisteslibertaires.org none
 chahut.jean-cloud.net max.jean-cloud.org
 collectif-arthadie.fr vandamme.jean-cloud.org
 compagnienouvelle.fr nougaro.jean-cloud.org
@ -6,13 +7,12 @@ copaines.jean-cloud.net max.jean-cloud.org
 cousinades.jean-cloud.net max.jean-cloud.org
 deployer.jean-cloud.org shlago.jean-cloud.org
 etrevivant.net shlago.jean-cloud.org
-feministesucl34.jean-cloud.net tetede.jean-cloud.org
 feteducourt2020.jean-cloud.net shlago.jean-cloud.org
 feteducourt.jean-cloud.net shlago.jean-cloud.org
 git.jean-cloud.net vandamme.jean-cloud.org
 grapes.chahut.jean-cloud.net max.jean-cloud.org
 gypsylyonfestival.com max.jean-cloud.org
-inurbe.fr max.jean-cloud.org
+inurbe.fr shlago.jean-cloud.org
 jean-cloud.net shlago.jean-cloud.org
 leida.fr vandamme.jean-cloud.org
 dnscerts.jean-cloud.org max.jean-cloud.org
@ -25,8 +25,10 @@ nuage.jean-cloud.net vandamme.jean-cloud.org
 pa1.studios.oma-radio.fr tetede.jean-cloud.org
 paj.oma-radio.fr nougaro.jean-cloud.org
 quadrille-elsa.jean-cloud.net shlago.jean-cloud.org
-radiodemo-back.oma-radio.fr montbonnot.jean-cloud.org
-radiodemo.oma-radio.fr tetede.jean-cloud.org
+chiloe.eu shlago.jean-cloud.org
+soundbase.radiodemo.oma-radio.fr montbonnot.jean-cloud.org
+radiodemo.oma-radio.fr raku.jean-cloud.org
+mux.radiodemo.oma-radio.fr raku.jean-cloud.org
 radionimaitre.oma-radio.fr tetede.jean-cloud.org
 raplacgr.jean-cloud.net tetede.jean-cloud.org
 rpnow.jean-cloud.net vandamme.jean-cloud.org
--- a/services/sftp.jean-cloud.net/deploy.sh
+++ b/services/sftp.jean-cloud.net/deploy.sh
@ -0,0 +1,11 @@
+#!/bin/bash
+
+cd "$DATA_DIR"
+
+[ ! -f users.conf ] && touch users.conf
+
+# Create key if not exists
+if [ ! -f ssh_host_ed25519_key ] ; then
+	ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N ''
+	ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key -N ''
+fi
--- a/services/sftp.jean-cloud.net/docker-compose.yml
+++ b/services/sftp.jean-cloud.net/docker-compose.yml
@ -0,0 +1,18 @@
+version: '3'
+services:
+    sshd:
+      image: docker.io/atmoz/sftp:alpine
+      volumes:
+        - $DATA_DIR/ssh_host_ed25519_key:/etc/ssh/ssh_host_ed25519_key:ro
+        - $DATA_DIR/ssh_host_rsa_key:/etc/ssh/ssh_host_rsa_key:ro
+        - $DATA_DIR/users.conf:/etc/sftp/users.conf:ro
+
+        - $DATA_DIR/home/feministesucl34:/home/feministesucl34RO:ro
+        - $DATA_DIR/home/leida:/home/leida
+        - $DATA_DIR/home/leida:/home/leidaRO
+        - $DATA_DIR/home/chiloe:/home/chiloe
+        - $DATA_DIR/home/chiloe:/home/chiloeRO
+        - $DATA_DIR/home/collectifarthadie:/home/collectifarthadieRO:ro
+      ports:
+        - '2929:22'
+
--- a/services/soundbase.radiodemo.oma-radio.fr/.env
+++ b/services/soundbase.radiodemo.oma-radio.fr/.env
@ -1,6 +1,5 @@
 NET=10.29.0
 TELECOM=.101
-MUX=.100
 ICECAST=.110
 WEBSERVER=.105
 SYSTEM_API=.107
@ -13,12 +12,10 @@ RADIO_NAME_SIMPLE=radiodemo
 OMA_CONFIG_NomRadio=radiodemo
 OMA_CONFIG_LogLevel=8
 RADIO_NAME_PRETTY="Radio Démo"
-COMPOSE_NAME=radiodemo-backoma-radiofr
+COMPOSE_NAME=soundbaseradiodemooma-radiofr
 DOCKER_INSTANCES_PREFIX=radiodemo-backoma-radiofr-
 DOCKER_INSTANCES_SUFIX=-1
-DATA_DIR=/home/data/radiodemo-back.oma-radio.fr
-SOUNDBASE_DIR=/home/data/radiodemo-back.oma-radio.fr/core/radioDemo
+SOUNDBASE_DIR=/data/soundbase.radiodemo.oma-radio.fr/core/radioDemo
 USE_SSL=true
-PUBLIC_WEBSITE_UPSTREAM=https://static.oma-radio.fr/player-interface/1.5.0
 MANAGER_WEBSITE_UPSTREAM=https://static.oma-radio.fr/single-manager/1.1.1
 RADIO_HOST=radiodemo.oma-radio.fr
--- a/services/soundbase.radiodemo.oma-radio.fr/deploy.sh
+++ b/services/soundbase.radiodemo.oma-radio.fr/deploy.sh
@ -0,0 +1,3 @@
+#!/bin/bash
+
+git_update.sh -b dev -i "$DATA_DIR/radiodemo-deploy" -d "$DATA_DIR/core" git@gitlab.com:omaradio/core.git
--- a/services/soundbase.radiodemo.oma-radio.fr/docker-compose.yml
+++ b/services/soundbase.radiodemo.oma-radio.fr/docker-compose.yml
@ -1,12 +1,12 @@
 version: '3'
 services:
  anthracite_jukebox:
-    image: jeancloud/jukebox:$OMA_DOCKER_VERSION
+    image: registry.gitlab.com/omaradio/core/oma-jukebox:$OMA_DOCKER_VERSION
    env_file: .env
    environment:
      OMA_CONFIG_TelecommandeHost: $RADIO_HOST
      OMA_CONFIG_TelecommandePort: $TELECOM_SERVER_PORT
-      OMA_CONFIG_Client1Host: $RADIO_HOST
+      OMA_CONFIG_Client1Host: soundbase.radiodemo.osoundbase.radiodemo.oma-radio.fr
      OMA_CONFIG_Client1Port: $MUX_SERVER_PORT
    volumes:
      - $SOUNDBASE_DIR:/app/soundBase
@ -22,7 +22,7 @@ services:
          memory: 100M

  azurite_jukebox_simulator:
-    image: jeancloud/jukebox-simulator:$OMA_DOCKER_VERSION
+    image: registry.gitlab.com/omaradio/core/oma-jukebox-simulator:$OMA_DOCKER_VERSION
    env_file: .env
    environment:
      OMA_CONFIG_TelecommandeHost: $RADIO_HOST
@ -45,7 +45,7 @@ services:


  agate_importer:
-    image: jeancloud/baseimport:$OMA_DOCKER_VERSION
+    image: registry.gitlab.com/omaradio/core/oma-baseimport:$OMA_DOCKER_VERSION
    env_file: .env
    environment:
      OMA_CONFIG_TelecommandeHost: $RADIO_HOST
@ -63,7 +63,7 @@ services:


  rubis_base_mg:
-    image: jeancloud/base-mg:$OMA_DOCKER_VERSION
+    image: registry.gitlab.com/omaradio/core/oma-base-mg:$OMA_DOCKER_VERSION
    env_file: .env
    environment:
      OMA_CONFIG_TelecommandeHost: $RADIO_HOST
--- a/services/soundbase.radiodemo.oma-radio.fr/generate_nat.sh
+++ b/services/soundbase.radiodemo.oma-radio.fr/generate_nat.sh
--- a/services/soundbase.radiodemo.oma-radio.fr/nginx_server.conf
+++ b/services/soundbase.radiodemo.oma-radio.fr/nginx_server.conf
@ -25,24 +25,6 @@ server {
        add_header Access-Control-Allow-Origin https://radio.karnaval.fr;


-	location = /direct.ogg {
-		proxy_pass http://172.29.0.110:8000/direct.ogg;
-		# kill cache
-        add_header Last-Modified $date_gmt;
-        add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
-        if_modified_since off;
-        expires off;
-        etag off;
-	}
-	location = /direct.mp3 {
-		proxy_pass http://172.29.0.110:8000/direct.mp3;
-		# kill cache
-        add_header Last-Modified $date_gmt;
-        add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
-        if_modified_since off;
-        expires off;
-        etag off;
-	}

    location = /api { rewrite ^ /api/; }
    location ~ /api/pigeindex(/.*) {
@ -210,14 +192,4 @@ server {
        auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd; 
 		try_files $uri $uri/ =404;
    }
-	location = /favicon.ico {
-		return 301 /favicon.webp;
-    }
-
-	# for js, css, html — dynamic site, players
-	location  / {
-		try_files $uri $uri/ =404;
-		add_header Cache-Control 'public must-revalidate';
-        	add_header Access-Control-Allow-Origin https://radio.karnaval.fr;
-	}
 }
--- a/services/soundbase.radiodemo.oma-radio.fr/wg-radiodemo.sh
+++ b/services/soundbase.radiodemo.oma-radio.fr/wg-radiodemo.sh
@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -euo pipefail
+
+. .env
+
+[ -f "$DATA_DIR/radiodemo-soundbase.wgkey" ] || { echo 'No privatekey found' >&2 && exit 1 ; }
+
+echo "
+[Interface]
+PrivateKey = $(cat "$DATA_DIR/radiodemo-soundbase.wgkey")
+Address = 10.29.0.1/32
+ListenPort = 55820
+
+[Peer]
+PublicKey = iwIsUriF4CT/Jpu29VXlj43hT3bUjG67FeEgCTcQCVc=
+AllowedIPs = 10.29.0.254/32
+Endpoint = mux.radiodemo.oma-radio.fr:55820
+PersistentKeepalive = 30
+"
--- a/services/static.jean-cloud.net/nginx_server.conf
+++ b/services/static.jean-cloud.net/nginx_server.conf
@ -0,0 +1,15 @@
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  ssl_certificate $JC_CERT/fullchain.pem;
+  ssl_certificate_key $JC_CERT/privkey.pem;
+  server_name static.oma-radio.fr www.static.oma-radio.fr $JC_SERVICE www.$JC_SERVICE;
+  root $HTTP_DIR/public/;
+
+  location / {
+    add_header 'Access-Control-Allow-Origin' '*';
+    add_header 'Access-Control-Allow-Methods' 'GET';
+    index index.html;
+    try_files $uri $uri/ =404;
+  }
+}
--- a/services/wordpress.feministesucl34.jean-cloud.net/docker-compose.yml
+++ b/services/wordpress.feministesucl34.jean-cloud.net/docker-compose.yml
@ -5,15 +5,15 @@ services:
  wp:
    image: wordpress:5.8-apache
    restart: unless-stopped
-    env_file: /data/feministesucl34.jean-cloud.net/env
+    env_file: $DATA_DIR/env
    environment:
      WORDPRESS_DB_HOST: db
      WORDPRESS_DB_USER: wpdbuser
      WORDPRESS_DB_NAME: wpdb
      #WORDPRESS_CONFIG_EXTRA: "define( 'WP_HOME', 'https://feministesucl34.jean-cloud.net/wordpress' ); define( 'WP_SITEURL', 'https://feministesucl34.jean-cloud.net/wordpress' );"
    volumes:
-      - /data/feministesucl34.jean-cloud.net/wordpress:/var/www/html
-      - /data/feministesucl34.jean-cloud.net/static:/var/www/html/static
+      - $DATA_DIR/wordpress:/var/www/html
+      - $DATA_DIR/static:/var/www/html/static
    networks:
      default:
        ipv4_address: 172.29.9.100
@ -25,13 +25,13 @@ services:
  db:
    image: mariadb:10.4
    restart: unless-stopped
-    env_file: /data/feministesucl34.jean-cloud.net/env
+    env_file: $DATA_DIR/env
    environment:
      MYSQL_DATABASE: wpdb
      MYSQL_USER: wpdbuser
      MYSQL_RANDOM_ROOT_PASSWORD: 'yes'
    volumes:
-      - /data/feministesucl34.jean-cloud.net/db:/var/lib/mysql
+      - $DATA_DIR/db:/var/lib/mysql
    networks:
      default:
        ipv4_address: 172.29.9.101
--- a/services/wordpress.feministesucl34.jean-cloud.net/nginx_server.conf
+++ b/services/wordpress.feministesucl34.jean-cloud.net/nginx_server.conf
@ -1,8 +1,8 @@
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
-  ssl_certificate /etc/letsencrypt/live/feministesucl34.jean-cloud.net/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/feministesucl34.jean-cloud.net/privkey.pem;
+  ssl_certificate $JC_CERTS/fullchain.pem;
+  ssl_certificate_key $JC_CERTS/privkey.pem;
  server_name wordpress.feministesucl34.jean-cloud.net www.wordpress.feministesucl34.jean-cloud.net;
  location  / {
    client_max_body_size 2G;
@ -17,9 +17,9 @@ server {
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
-  ssl_certificate /etc/letsencrypt/live/feministesucl34.jean-cloud.net/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/feministesucl34.jean-cloud.net/privkey.pem;
-  server_name feministesucl34.jean-cloud.net www.feministesucl34.jean-cloud.net feministesucl34.communisteslibertaires.org;
+  ssl_certificate $JC_CERTS/fullchain.pem;
+  ssl_certificate_key $JC_CERTS/privkey.pem;
+  server_name feministesucl34.jean-cloud.net www.feministesucl34.jean-cloud.net;

  location = /wp-login.php {
    return 301 https://wordpress.feministesucl34.jean-cloud.net/wp-login.php;
Author	SHA1	Message	Date
Adrian Amaglio	0a971ebdac	adding some leftovers	2023-10-31 17:00:18 +01:00
Adrian Amaglio	813e4dd904	big standardisation update	2023-10-31 16:42:06 +01:00
Adrian Amaglio	82c3f2bb2e	update	2023-10-16 10:47:35 +02:00
Adrian Amaglio	a0e674c3e5	update	2023-10-02 23:45:09 +02:00
				`@ -0,0 +1 @@`
				`GIT_SOURCE_REPO="https://git.jean-cloud.net/adrian/inurbe"`