Compare commits
4 Commits
8e04aa4f13
...
0a971ebdac
Author | SHA1 | Date | |
---|---|---|---|
|
0a971ebdac | ||
|
813e4dd904 | ||
|
82c3f2bb2e | ||
|
a0e674c3e5 |
3
.gitignore
vendored
3
.gitignore
vendored
@ -1,2 +1,3 @@
|
|||||||
installing/secrets
|
|
||||||
installing/temporary_mount_point
|
installing/temporary_mount_point
|
||||||
|
installing/secrets
|
||||||
|
provisioning/roles/deploy_all/files/secrets
|
||||||
|
@ -4,9 +4,7 @@ tetede.jean-cloud.org
|
|||||||
raku.jean-cloud.org
|
raku.jean-cloud.org
|
||||||
|
|
||||||
[servers]
|
[servers]
|
||||||
#nougaro.jean-cloud.org
|
nougaro.jean-cloud.org
|
||||||
#carcasse.jean-cloud.org
|
|
||||||
#benevoles.karnaval.fr
|
|
||||||
montbonnot.jean-cloud.org
|
montbonnot.jean-cloud.org
|
||||||
#blatte.jean-cloud.org
|
#blatte.jean-cloud.org
|
||||||
max.jean-cloud.org
|
max.jean-cloud.org
|
||||||
|
@ -61,9 +61,9 @@ fi
|
|||||||
|
|
||||||
if "$deploy" ; then
|
if "$deploy" ; then
|
||||||
[ -x deploy.sh ] && ./deploy.sh
|
[ -x deploy.sh ] && ./deploy.sh
|
||||||
[ -x deploy_http.sh ] && sudo -u www-data bash -c ". '$DOCKER_DIR/.env' && . ./deploy_http.sh"
|
[ -x deploy_http.sh ] && sudo -u www-data bash -c "set -a ; . '$DOCKER_DIR/.env' ; set +a ; . ./deploy_http.sh"
|
||||||
else
|
else
|
||||||
[ -x undeploy.sh ] && ./undeploy.sh
|
[ -x undeploy.sh ] && . undeploy.sh
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
@ -133,10 +133,8 @@ if [ -f "/docker/$service/nginx_server.conf" ] ; then
|
|||||||
|
|
||||||
section "Template nginx conf with vars from '.env' file"
|
section "Template nginx conf with vars from '.env' file"
|
||||||
run template.sh "/docker/$service/.env" < "/docker/$service/nginx_server.conf" > "$new_nginx_conf_path/$service"
|
run template.sh "/docker/$service/.env" < "/docker/$service/nginx_server.conf" > "$new_nginx_conf_path/$service"
|
||||||
fi
|
|
||||||
|
|
||||||
section "Add dummy cert if needed"
|
fi
|
||||||
dummy_cert.sh "$service" add
|
|
||||||
|
|
||||||
section "Testing nginx conf"
|
section "Testing nginx conf"
|
||||||
run nginx -t -c /etc/nginx/new_nginx.conf
|
run nginx -t -c /etc/nginx/new_nginx.conf
|
||||||
|
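Review bot: `[ -x undeploy.sh ] && . undeploy.sh` now sources the service's script into the deploy shell instead of executing it, so an `exit`, a `cd` or a `set -e` inside that script ends or alters the whole deploy run. Bash also looks up a bare name given to `.` in `PATH` before the current directory. If sourcing is intended, write `. ./undeploy.sh`; otherwise keep `./undeploy.sh`. In the `deploy_http.sh` line of the same hunk, replacing `&&` with `;` means the script is still sourced as `www-data` when `. '$DOCKER_DIR/.env'` fails, so I would keep the short-circuit: `set -a && . '$DOCKER_DIR/.env' && set +a && . ./deploy_http.sh`. The surrounding script starts and ends outside the hunk.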
@ -38,7 +38,7 @@ section "Delete new conf directory (to start from scratch)"
|
|||||||
run rm -rf "$new_nginx_conf_path"
|
run rm -rf "$new_nginx_conf_path"
|
||||||
|
|
||||||
section "Create new conf file (for tests purposes)"
|
section "Create new conf file (for tests purposes)"
|
||||||
sed "s#$nginx_conf_path#$new_nginx_conf_path#" "/docker/_proxy/nginx.conf" > "$proxy_dir/new_nginx.conf"
|
sed "s#$nginx_conf_path#$new_nginx_conf_path/#" "/docker/_proxy/nginx.conf" > "$proxy_dir/new_nginx.conf"
|
||||||
|
|
||||||
section "Create proxy dir"
|
section "Create proxy dir"
|
||||||
run mkdir -p "$proxy_dir" /docker /data
|
run mkdir -p "$proxy_dir" /docker /data
|
||||||
|
@ -15,7 +15,7 @@ action="$2"
|
|||||||
if [ ! -f "$dummy_cert_path/privkey.pem" ] ; then
|
if [ ! -f "$dummy_cert_path/privkey.pem" ] ; then
|
||||||
echo "Dummy cert generation"
|
echo "Dummy cert generation"
|
||||||
run mkdir -p "$dummy_cert_path"
|
run mkdir -p "$dummy_cert_path"
|
||||||
run openssl req -x509 -newkey rsa:2048 -keyout /etc/letsencrypt/live/dummy/privkey.pem -out /etc/letsencrypt/live/dummy/fullchain.pem -days 365 -nodes -subj "/C=FR/ST=France/O=IT/CN=jean-cloud.net"
|
run openssl req -x509 -newkey rsa:2048 -keyout "$http_certs_path/dummy/privkey.pem" -out "$http_certs_path/dummy/fullchain.pem" -days 365 -nodes -subj "/C=FR/ST=France/O=IT/CN=jean-cloud.net"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$action" = add ] ; then
|
if [ "$action" = add ] ; then
|
||||||
|
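Review bot: The existence test and `mkdir -p` use `$dummy_cert_path`, while the new `-keyout`/`-out` arguments spell the same directory as `"$http_certs_path/dummy"`. The two agree only as long as `gen_env.sh` keeps defining one from the other. Writing `-keyout "$dummy_cert_path/privkey.pem" -out "$dummy_cert_path/fullchain.pem"` keeps the check, the directory and the generated key tied to one variable. The script starts and ends outside the hunk.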
@ -5,15 +5,17 @@ set -euo pipefail
|
|||||||
|
|
||||||
JC_ENV=/etc/jeancloud.env
|
JC_ENV=/etc/jeancloud.env
|
||||||
|
|
||||||
certs_path=/etc/letsencrypt/live
|
dns_certs_path=/data/dnscerts.jean-cloud.org/certs/live
|
||||||
|
http_certs_path=/etc/letsencrypt/live
|
||||||
proxy_dir=/etc/nginx
|
proxy_dir=/etc/nginx
|
||||||
|
|
||||||
cat > "$JC_ENV" <<EOF
|
cat > "$JC_ENV" <<EOF
|
||||||
proxy_dir='$proxy_dir'
|
proxy_dir='$proxy_dir'
|
||||||
nginx_conf_path='$proxy_dir/sites-enabled'
|
nginx_conf_path='$proxy_dir/sites-enabled/'
|
||||||
new_nginx_conf_path='$proxy_dir/new-sites-enabled'
|
new_nginx_conf_path='$proxy_dir/new-sites-enabled'
|
||||||
certs_path='$certs_path'
|
dns_certs_path='$dns_certs_path'
|
||||||
dummy_cert_path='$certs_path/dummy'
|
http_certs_path='$http_certs_path'
|
||||||
|
dummy_cert_path='$http_certs_path/dummy'
|
||||||
servicefile=/docker/services.txt
|
servicefile=/docker/services.txt
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
@ -23,7 +25,12 @@ for dir in /docker/* ; do
|
|||||||
|
|
||||||
line_in_file "HTTP_DIR='/srv/http/$service'" "/docker/$service/.env"
|
line_in_file "HTTP_DIR='/srv/http/$service'" "/docker/$service/.env"
|
||||||
line_in_file "DATA_DIR='/data/$service'" "/docker/$service/.env"
|
line_in_file "DATA_DIR='/data/$service'" "/docker/$service/.env"
|
||||||
|
line_in_file "SECRET_DIR='/data/secrets/$service'" "/docker/$service/.env"
|
||||||
line_in_file "DOCKER_DIR='/docker/$service'" "/docker/$service/.env"
|
line_in_file "DOCKER_DIR='/docker/$service'" "/docker/$service/.env"
|
||||||
line_in_file "JC_SERVICE='$service'" "/docker/$service/.env"
|
line_in_file "JC_SERVICE='$service'" "/docker/$service/.env"
|
||||||
line_in_file "JC_CERT='/data/dnscerts.jean-cloud.org/certs/live/$service'" "/docker/$service/.env"
|
cert="$(findcert.sh "$service")" || true
|
||||||
|
if [ -n "$cert" ] ; then
|
||||||
|
line_in_file "JC_CERT='$cert'" "/docker/$service/.env"
|
||||||
|
fi
|
||||||
|
|
||||||
done
|
done
|
||||||
|
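Review bot: `JC_CERT` is now written only when `findcert.sh` prints a path, and `|| true` hides why it did not. A service without a certificate therefore gets an `.env` with no `JC_CERT`, or keeps the `JC_CERT='/data/dnscerts.jean-cloud.org/certs/live/$service'` line from an earlier run if `line_in_file` only appends (not visible here). Every `nginx_server.conf` this compare converts to `ssl_certificate $JC_CERT/fullchain.pem;` would then render with an empty or stale path, and the dummy-certificate step is removed from the reload script in the same compare. I would fall back explicitly with `line_in_file "JC_CERT='${cert:-$http_certs_path/dummy}'" "/docker/$service/.env"`, provided the dummy certificate has been generated, and print a warning to stderr when `cert` is empty. The `for dir in /docker/*` loop starts outside the hunk.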
@ -22,6 +22,10 @@ usage[N]="Clone to a Non-empty target. Existing files will be overwriten"
|
|||||||
varia[N]=nonempty_target
|
varia[N]=nonempty_target
|
||||||
nonempty_target=false
|
nonempty_target=false
|
||||||
|
|
||||||
|
usage[K]="Remote host key file (known_hosts) for ssh connections"
|
||||||
|
varia[K]=hostkeyfile
|
||||||
|
hostkeyfile=''
|
||||||
|
|
||||||
|
|
||||||
. driglibash-args
|
. driglibash-args
|
||||||
|
|
||||||
@ -32,12 +36,17 @@ if [ -n "$privkey" ] ; then
|
|||||||
ssh_opt="$ssh_opt -i $privkey"
|
ssh_opt="$ssh_opt -i $privkey"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ -n "$hostkeyfile" ] ; then
|
||||||
|
ssh_opt="$ssh_opt -o 'UserKnownHostsFile $hostkeyfile'"
|
||||||
|
fi
|
||||||
|
|
||||||
repo="$1"
|
repo="$1"
|
||||||
if [ -z "$repo" ] ; then
|
if [ -z "$repo" ] ; then
|
||||||
die "$0: Empty repo given\n$summary"
|
die "$0: Empty repo given\n$summary"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
cd "$dst"
|
run mkdir -p "$dst"
|
||||||
|
run cd "$dst"
|
||||||
|
|
||||||
if [ -d .git ] ; then
|
if [ -d .git ] ; then
|
||||||
run git fetch origin "$branch"
|
run git fetch origin "$branch"
|
||||||
|
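Review bot: The single quotes in `ssh_opt="$ssh_opt -o 'UserKnownHostsFile $hostkeyfile'"` are literal characters in the string. They group the option only if `ssh_opt` is later re-parsed by a shell, for example through `GIT_SSH_COMMAND`; expanded unquoted, ssh would receive `'UserKnownHostsFile` as the option. The use of `ssh_opt` is outside these hunks, so please confirm; `-o UserKnownHostsFile=$hostkeyfile` avoids the inner quotes for paths without spaces. Since `-K` exists to pin the host key, I would also add `-o StrictHostKeyChecking=yes` so that a host missing from the file is refused rather than left to the default policy. `run cd "$dst"` changes directory for the rest of the script only if `run` executes its arguments in the current shell, which is defined outside this file.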
37
provisioning/roles/deploy_all/files/bin/hugo_rclone.sh
Normal file → Executable file
37
provisioning/roles/deploy_all/files/bin/hugo_rclone.sh
Normal file → Executable file
@ -1,14 +1,35 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
|
. driglibash-base
|
||||||
|
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
. "$DOCKER_DIR/.env"
|
[ "$#" -ne 1 ] && die "Usage: $0 <hugo_directory>"
|
||||||
. "$DATA_DIR/.env"
|
dest_dir="$1"
|
||||||
|
[ -z "$dest_dir" ] && die "Arg 'hugo_directory' should not be empty."
|
||||||
|
|
||||||
webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')"
|
|
||||||
webdav_user="$(echo "$NC_SHARE_LINK" |sed 's#.*/s/##')"
|
|
||||||
webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")"
|
|
||||||
|
|
||||||
git_update.sh "$GIT_SOURCE_REPO"
|
# Get content from nextcloud
|
||||||
rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" -- webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: "$CLOUD_LOCAL_PATH"
|
if [ -v NC_SHARE_LINK ] ; then
|
||||||
|
webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')"
|
||||||
|
webdav_user="$(echo "$NC_SHARE_LINK" |sed 's#.*/s/##')"
|
||||||
|
webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")"
|
||||||
|
|
||||||
|
rclone sync --config=/notfound --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: "$dest_dir/$CLOUD_LOCAL_PATH"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Go to website
|
||||||
|
cd "$dest_dir"
|
||||||
|
|
||||||
|
# Rename .attachement dirs created by nextcloud
|
||||||
|
while read filename ; do
|
||||||
|
oldname="$(basename "$filename")"
|
||||||
|
newname="${oldname:1}"
|
||||||
|
path="$(dirname "$filename")"
|
||||||
|
# And rename their references in md files
|
||||||
|
find -type f -iname '*.md' -exec sed -i "s/$oldname/$newname/g" {} \;
|
||||||
|
mv "$path/$oldname" "$path/$newname"
|
||||||
|
done < <(find -type d -name '.attachments.*')
|
||||||
|
|
||||||
|
# Build the website
|
||||||
hugo
|
hugo
|
||||||
|
|
||||||
|
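Review bot: The share password still goes on the command line twice, in `rclone obscure "$NC_SHARE_PASSWORD"` and in `--webdav-pass="$webdav_pass"`, where local users can read it from the process list, and obscuring is reversible. rclone accepts the value through stdin and the environment instead: `webdav_pass="$(printf '%s' "$NC_SHARE_PASSWORD" | rclone obscure -)"` and `RCLONE_WEBDAV_PASS="$webdav_pass" rclone sync …`. Separately, `sed -i "s/$oldname/$newname/g"` uses a directory name that came from the share as a regular expression, so the dots in `.attachments.<id>` match any character; escape the name before use and read names with `while IFS= read -r filename`. `[ -v NC_SHARE_LINK ]` guards only one of the three variables the block reads under `set -u`.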
@ -2,6 +2,10 @@
|
|||||||
# This script will run on new cert and on cron renew
|
# This script will run on new cert and on cron renew
|
||||||
# there is one cert by service
|
# there is one cert by service
|
||||||
|
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
. /etc/jeancloud.env
|
||||||
|
|
||||||
# TODO make it an ansible script
|
# TODO make it an ansible script
|
||||||
# No
|
# No
|
||||||
|
|
||||||
@ -18,11 +22,8 @@ acmeroot=/var/www/letsencrypt
|
|||||||
# Création du répertoire
|
# Création du répertoire
|
||||||
mkdir -p "$acmeroot"
|
mkdir -p "$acmeroot"
|
||||||
|
|
||||||
# With trailing slash or it will be a prefix selector
|
|
||||||
#nginx_sites_dir="/etc/nginx/sites-enabled/"
|
|
||||||
nginx_sites_dir="/etc/nginx/sites-enabled/"
|
|
||||||
|
|
||||||
for file in "$nginx_sites_dir"* ; do
|
for file in "$nginx_conf_path"* ; do
|
||||||
if $verbose ; then
|
if $verbose ; then
|
||||||
echo '-------------------------'
|
echo '-------------------------'
|
||||||
echo "$file"
|
echo "$file"
|
||||||
@ -30,6 +31,11 @@ for file in "$nginx_sites_dir"* ; do
|
|||||||
|
|
||||||
service_name="$(basename "$file")"
|
service_name="$(basename "$file")"
|
||||||
|
|
||||||
|
if [ -d "$dns_certs_path/$service_name" ] ; then
|
||||||
|
echo "$service_name is handled by dnscerts"
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
|
||||||
# Getting just the domain names
|
# Getting just the domain names
|
||||||
domains="$(extract_domain_nginx_conf.sh "$file")"
|
domains="$(extract_domain_nginx_conf.sh "$file")"
|
||||||
if [ -n "$domains" ] ; then
|
if [ -n "$domains" ] ; then
|
||||||
@ -69,10 +75,8 @@ for file in "$nginx_sites_dir"* ; do
|
|||||||
echo " ------------------------------------------"
|
echo " ------------------------------------------"
|
||||||
echo "$out"
|
echo "$out"
|
||||||
echo " ------------------------------------------"
|
echo " ------------------------------------------"
|
||||||
dummy_cert.sh "$service_name" add
|
|
||||||
else
|
else
|
||||||
echo "Unknown error : $result.\n$out"
|
echo "Unknown error : $result.\n$out"
|
||||||
dummy_cert.sh "$service_name" add
|
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
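Review bot: Adding `set -euo pipefail` at the top changes how the rest of this script fails. The loop further down still branches on `$result` and prints `Unknown error : $result`, which only works if the certbot call captures its status in a form `set -e` tolerates, e.g. `out="$(…)" && result=0 || result=$?`. That line is outside the hunks, so please check it. With `-u`, `$verbose` and every name read from `/etc/jeancloud.env` must be set, so a host whose env file predates `dns_certs_path` aborts at the new `[ -d "$dns_certs_path/$service_name" ]` test. A guard right after the `.` line, `: "${dns_certs_path:?run gen_env.sh first}"`, makes that failure explicit.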
@ -1,5 +1,13 @@
|
|||||||
---
|
---
|
||||||
# tasks file for deploy_all
|
# tasks file for deploy_all
|
||||||
|
|
||||||
|
- name: "Check for secrets volume. Fail if not found"
|
||||||
|
include: "{{ item }}"
|
||||||
|
with_first_found:
|
||||||
|
- files:
|
||||||
|
- secrets/mounted
|
||||||
|
|
||||||
|
|
||||||
- name: sync services dirs
|
- name: sync services dirs
|
||||||
ansible.posix.synchronize:
|
ansible.posix.synchronize:
|
||||||
src: ../services/
|
src: ../services/
|
||||||
@ -17,6 +25,13 @@
|
|||||||
- name: Gen env vars
|
- name: Gen env vars
|
||||||
command: gen_env.sh
|
command: gen_env.sh
|
||||||
|
|
||||||
|
- name: sync secrets
|
||||||
|
ansible.posix.synchronize:
|
||||||
|
src: secrets/
|
||||||
|
dest: /data/secrets
|
||||||
|
delete: true
|
||||||
|
archive: false
|
||||||
|
recursive: true
|
||||||
|
|
||||||
#- name: Add bind conf
|
#- name: Add bind conf
|
||||||
# ansible.posix.synchronize:
|
# ansible.posix.synchronize:
|
||||||
|
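Review bot: The `sync secrets` task copies with `archive: false`, so ownership and modes are not carried over and the files under `/data/secrets` get whatever the remote side defaults to; nothing in the hunk sets them afterwards. I would follow it with an `ansible.builtin.file` task that sets owner, group and a restrictive mode per service directory. The `deploy_http.sh` scripts read `$SECRET_DIR/.env` as `www-data`, so that user needs read access to its own directory and nothing else. The guard task works only because `include:` fails when `secrets/mounted` is missing; `include` is deprecated and, when the marker exists, parses it as a task file. Because `delete: true` would empty `/data/secrets` from an unmounted source, the guard deserves an explicit `stat` plus `assert`, sketched below on the assumption that the marker lives in the role's `files/secrets`.
```yaml
- name: "Check for secrets volume. Fail if not found"
  ansible.builtin.stat:
    path: "{{ role_path }}/files/secrets/mounted"
  delegate_to: localhost
  register: secrets_marker

- name: Stop when the secrets volume is not mounted
  ansible.builtin.assert:
    that: secrets_marker.stat.exists
    fail_msg: "secrets/mounted not found: mount the secrets volume first"

# … unchanged: sync services dirs, Gen env vars, sync secrets …
```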
@ -94,6 +94,7 @@
|
|||||||
}
|
}
|
||||||
|
|
||||||
#TODO add this to /etc/docker/daemon.json
|
#TODO add this to /etc/docker/daemon.json
|
||||||
|
# TODO no it breaks containers acces to internet
|
||||||
#{
|
#{
|
||||||
# "iptables": false
|
# "iptables": false
|
||||||
#}
|
#}
|
||||||
|
@ -3,7 +3,7 @@
|
|||||||
|
|
||||||
- name: Deploy specific services
|
- name: Deploy specific services
|
||||||
hosts: servers
|
hosts: servers
|
||||||
become: yes
|
become: no
|
||||||
gather_facts: no
|
gather_facts: no
|
||||||
roles:
|
roles:
|
||||||
- deploy_all
|
- deploy_all
|
||||||
|
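Review bot: With `become: no`, every task of `deploy_all` runs as the connecting user. The role syncs into `/data/secrets` and runs `gen_env.sh`, which writes `/etc/jeancloud.env`, so the play now presumably depends on logging in as root over ssh. If that is intended, say so next to the line, e.g. `become: no  # inventory connects as root`. Otherwise keep `become: yes` and switch it off only on the tasks that need it.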
@ -1,8 +1,8 @@
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_certificate /etc/letsencrypt/live/amaglio.fr/fullchain.pem;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/amaglio.fr/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
|
|
||||||
server_name amaglio.fr www.amaglio.fr;
|
server_name amaglio.fr www.amaglio.fr;
|
||||||
# root /data/amaglio.fr/app;
|
# root /data/amaglio.fr/app;
|
||||||
|
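--- a/services/ariege1.studios.oma-radio.fr/wg-ariege1.sh
+++ b/services/ariege1.studios.oma-radio.fr/wg-ariege1.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -euo pipefail
+
+. .env
+filename="$(basename "$0")"
+ifname="${filename:3:-3}"
+
+echo "
+[Interface]
+PrivateKey = $(cat $DATA_DIR/privatekey)
+ListenPort = 51822
+Address = 10.100.2.254/32
+
+[Peer] # adrian
+PublicKey = 34DD9W9Pr2EpVK4IvU3tVY6fsIvGqDisUYr5Xtk62FI=
+AllowedIPs = 10.100.2.253/32
+
+[Peer] # Passerelle
+PublicKey = SM40+PyJSNk+Rmsa7Ym4+PwBgkRlRCsqEC7s7wfo/QE=
+AllowedIPs = 10.100.2.0/24,192.168.100.0/24
+"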
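Review bot: The script prints the WireGuard private key to stdout as part of the generated config, so the caller has to write the output to a file readable by root only and must never log it. Nothing in the file says so; a header comment such as `# Prints a wg config including the private key: redirect to a 0600 file, never to a log` would help. `$(cat $DATA_DIR/privatekey)` is unquoted, and `. .env` depends on the caller's working directory. `$(cat "$DATA_DIR/privatekey")` and, if the env file sits next to the script, `. "$(dirname "$0")/.env"` are more robust. `ifname` is computed but not used in the lines shown.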
@ -1,8 +1,8 @@
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_certificate /etc/letsencrypt/live/$JC_SERVICE/fullchain.pem;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/$JC_SERVICE/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
server_name $JC_SERVICE benevoles.karnaval.fr;
|
server_name $JC_SERVICE benevoles.karnaval.fr;
|
||||||
|
|
||||||
root $DATA_DIR/assets;
|
root $DATA_DIR/assets;
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_certificate /etc/letsencrypt/live/$JC_SERVICE/fullchain.pem;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/$JC_SERVICE/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
server_name wordpress.$JC_SERVICE www.wordpress.$JC_SERVICE;
|
server_name wordpress.$JC_SERVICE www.wordpress.$JC_SERVICE;
|
||||||
location / {
|
location / {
|
||||||
auth_basic "Mot de passe !";
|
auth_basic "Mot de passe !";
|
||||||
@ -19,8 +19,8 @@ server {
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_certificate /etc/letsencrypt/live/$JC_SERVICE/fullchain.pem;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/$JC_SERVICE/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
server_name $JC_SERVICE www.$JC_SERVICE;
|
server_name $JC_SERVICE www.$JC_SERVICE;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
|
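--- a/services/chiloe.eu/deploy_http.sh
+++ b/services/chiloe.eu/deploy_http.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+set -euo pipefail
+. "$SECRET_DIR/.env"
+
+rclone sync --config=/notfound --sftp-host sftp.jean-cloud.net --sftp-user chiloeRO --sftp-port 2929 --sftp-pass "$SFTP_PASS" :sftp:/public/ "$HTTP_DIR"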
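Review bot: `rclone sync` is given no `--sftp-known-hosts-file`, and without it rclone's sftp backend does not validate the server's host key, so the password login is made to whichever host answers on `sftp.jean-cloud.net:2929`. Pin the key with `--sftp-known-hosts-file <path to a known_hosts file shipped with the role>`. `--sftp-pass "$SFTP_PASS"` also puts the secret in the process list; `RCLONE_SFTP_PASS="$SFTP_PASS" rclone sync …` passes it through the environment instead, and in both forms rclone expects the value in `rclone obscure` form. The same two points apply to `services/feministesucl34.communisteslibertaires.org/deploy_http.sh`.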
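--- a/services/chiloe.eu/nginx_server.conf
+++ b/services/chiloe.eu/nginx_server.conf
@@ -0,0 +1,22 @@
+server {
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+ssl_certificate $JC_CERT/fullchain.pem;
+ssl_certificate_key $JC_CERT/privkey.pem;
+server_name $JC_SERVICE www.$JC_SERVICE;
+root $HTTP_DIR;
+
+# Security headers
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self'; img-src 'self'; font-src 'self' fonts.gstatic.com; object-src 'none'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; base-uri 'self'; form-action 'self';" always;
+add_header X-Content-Type-Options "nosniff";
+add_header X-Frame-Options SAMEORIGIN always;
+add_header X-XSS-Protection "1; mode=block" always;
+add_header Referrer-Policy "strict-origin-when-cross-origin";
+add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';";
+
+location / {
+index index.html;
+try_files $uri $uri/ =404;
+}
+}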
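Review bot: The `Permissions-Policy` value is written in the old Feature-Policy style (`geolocation='none';midi='none';…`), which is not valid syntax for this header, so browsers are expected to ignore it. The current form is a comma-separated list of allowlists, e.g. `geolocation=(), camera=(), microphone=(), payment=(), fullscreen=(self)`. `X-Frame-Options SAMEORIGIN` disagrees with `frame-ancestors 'none'` in the CSP of the same response; `DENY` would match the CSP. `X-Content-Type-Options`, `Referrer-Policy` and `Permissions-Policy` lack the `always` flag the other headers carry, so nginx omits them on error responses such as the `=404` from `try_files`.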
@ -1,8 +1,8 @@
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_certificate /etc/letsencrypt/live/collectif-arthadie.fr/fullchain.pem;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/collectif-arthadie.fr/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
server_name wordpress.collectif-arthadie.fr www.wordpress.collectif-arthadie.fr;
|
server_name wordpress.collectif-arthadie.fr www.wordpress.collectif-arthadie.fr;
|
||||||
location / {
|
location / {
|
||||||
client_max_body_size 2G;
|
client_max_body_size 2G;
|
||||||
@ -17,8 +17,8 @@ server {
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_certificate /etc/letsencrypt/live/collectif-arthadie.fr/fullchain.pem;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/collectif-arthadie.fr/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
server_name collectif-arthadie.fr www.collectif-arthadie.fr;
|
server_name collectif-arthadie.fr www.collectif-arthadie.fr;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_certificate /etc/letsencrypt/live/compagnienouvelle.fr/fullchain.pem;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/compagnienouvelle.fr/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
server_name wordpress.compagnienouvelle.fr www.wordpress.compagnienouvelle.fr;
|
server_name wordpress.compagnienouvelle.fr www.wordpress.compagnienouvelle.fr;
|
||||||
location / {
|
location / {
|
||||||
auth_basic "Mot de passe !";
|
auth_basic "Mot de passe !";
|
||||||
@ -19,8 +19,8 @@ server {
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_certificate /etc/letsencrypt/live/compagnienouvelle.fr/fullchain.pem;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/compagnienouvelle.fr/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
server_name compagnienouvelle.fr www.compagnienouvelle.fr;
|
server_name compagnienouvelle.fr www.compagnienouvelle.fr;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
|
@ -1,2 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
chmod +x server.sh
|
|
@ -4,8 +4,8 @@ server {
|
|||||||
listen 443;
|
listen 443;
|
||||||
listen [::]:443;
|
listen [::]:443;
|
||||||
server_name $JC_SERVICE;
|
server_name $JC_SERVICE;
|
||||||
ssl_certificate /etc/letsencrypt/live/deployer.jean-cloud.org/fullchain.pem;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/deployer.jean-cloud.org/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
location / {
|
location / {
|
||||||
limit_req zone=deployer_limit;
|
limit_req zone=deployer_limit;
|
||||||
include /etc/nginx/fastcgi_params;
|
include /etc/nginx/fastcgi_params;
|
||||||
|
@ -1,38 +1,26 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
|
# TODO js (dnssec is trusting google right now)
|
||||||
|
# fetch('https://dns.google/resolve?name=deployer.jean-cloud.org&cd=true&type=a').then(r => {r.json().then(j => {for (const i in j.Answer) {console.log(j.Answer[i].data)}})})
|
||||||
|
|
||||||
|
|
||||||
echo "Content-type: text/html"
|
echo "Content-type: text/html"
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
service="$(echo "$DOCUMENT_URI" | tr -d '/\;!&<>?#[]()"*')"
|
service="$(echo "$DOCUMENT_URI" | tr -d '/\;!&<>?#[]()"*')"
|
||||||
path="/docker/$service/deploy_http.sh"
|
deployer="/docker/$service/deploy_http.sh"
|
||||||
. /etc/jeancloud.env
|
. /etc/jeancloud.env
|
||||||
|
|
||||||
echo '<html><head><title>Rechargement d’un site web</title><meta charset="utf-8" /></head>'
|
if [ -z "$service" ] || [ ! -x "$deployer" ] ; then
|
||||||
echo '<body>'
|
echo "error"
|
||||||
echo "<h2>Rechargement d’un site web : $service</h2>"
|
|
||||||
echo "<h3> Résultat local</h3>"
|
|
||||||
if [ -x "$path" ] ; then
|
|
||||||
echo "<pre>"
|
|
||||||
"$path"
|
|
||||||
ret="$?"
|
|
||||||
echo "</pre>"
|
|
||||||
if [ "$ret" -ne 0 ] ; then
|
|
||||||
echo '<p style="color:red;">Une erreur a été détectée. Contactez Jean-Cloud.</p>'
|
|
||||||
else
|
|
||||||
while read ip ; do
|
|
||||||
echo curl http://deployer.jean-cloud.org/ --resolve "*:80:$ip"
|
|
||||||
if [ "$?" -eq 0 ] ; then
|
|
||||||
echo "$ip ok"
|
|
||||||
else
|
|
||||||
echo "$ip ERREUR"
|
|
||||||
fi
|
|
||||||
done < <(getent hosts deployer.jean-cloud.org | cut -d ' ' -f 1 | grep -v "$my_ip")
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo '<p>Les informations précédentes peuvent vous être utiles (erreurs dans un document, fichier absent…). Prenez le temps de les lire pour avoir un site dont toutes les pages fonctionnent !</p>'
|
|
||||||
else
|
else
|
||||||
echo "<p>Échec. Contactez Jean-Cloud</p>"
|
set -a
|
||||||
|
. "/docker/$service/.env"
|
||||||
|
set +a
|
||||||
|
"$deployer" 2>&1
|
||||||
|
ret="$?"
|
||||||
|
if [ "$ret" -ne 0 ] ; then
|
||||||
|
echo 'Error'
|
||||||
|
else
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo '</body>'
|
|
||||||
echo '</html>
|
|
||||||
|
|
||||||
|
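Review bot: As rendered, the new script ends with `else` immediately followed by `fi`, with only one `fi` for the two `if` statements. Bash rejects an empty `else` branch, so the CGI would fail to parse and never run a deploy. Drop the empty `else` and close both blocks, one `fi` for the `$ret` test and one for the `-x "$deployer"` test. `service` is still derived from `DOCUMENT_URI` by deleting a list of characters, and this version additionally sources `/docker/$service/.env` under `set -a`. An allow-list check before any path is built is safer than the deny-list: `[[ "$service" =~ ^[a-z0-9][a-z0-9.-]*$ ]] || { echo "error"; exit 0; }`. `"$deployer" 2>&1` returns raw tool output, stderr included, under `Content-type: text/html`; `text/plain` and a generic failure message, with the details kept in a server-side log, would avoid handing it to the requester.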
@ -1,11 +1,12 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
if [ "$#" -ne 1 ] ; then
|
if [ "$#" -ne 2 ] ; then
|
||||||
echo "Usage: $0 <service_name>" >&2
|
echo "Usage: $0 <service_name> <workdir>" >&2
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
service="$1"
|
service="$1"
|
||||||
|
workdir="$2"
|
||||||
|
|
||||||
nginxfile="/docker/$service/nginx_server.conf"
|
nginxfile="/docker/$service/nginx_server.conf"
|
||||||
if [ -f "$nginxfile" ] ; then
|
if [ -f "$nginxfile" ] ; then
|
||||||
@ -13,5 +14,5 @@ if [ -f "$nginxfile" ] ; then
|
|||||||
domains="$(echo "$nginxdomains" | tr ' ' '\n' | sort -u | resolvable.sh ns.jean-cloud.org | sed -z -e 's/\n$//' -e 's/\n/ -d /g' )"
|
domains="$(echo "$nginxdomains" | tr ' ' '\n' | sort -u | resolvable.sh ns.jean-cloud.org | sed -z -e 's/\n$//' -e 's/\n/ -d /g' )"
|
||||||
[ -z "$domains" ] && exit 0
|
[ -z "$domains" ] && exit 0
|
||||||
echo "--------------- -d $domains"
|
echo "--------------- -d $domains"
|
||||||
certbot certonly --config-dir "$DATA_DIR/certs" --work-dir "$tmp/work" --logs-dir "$tmp/logs" --agree-tos -m contact@jean-cloud.org -n --cert-name "$service" --dns-rfc2136 --dns-rfc2136-credentials "$DATA_DIR/rfc2136.ini" -d $domains
|
certbot certonly --config-dir "$DATA_DIR/certs" --work-dir "$workdir/work" --logs-dir "$workdir/logs" --agree-tos -m contact@jean-cloud.org -n --cert-name "$service" --dns-rfc2136 --dns-rfc2136-credentials "$DATA_DIR/rfc2136.ini" -d $domains
|
||||||
fi
|
fi
|
||||||
|
@ -29,22 +29,17 @@ echo "For each service, read all possible domains"
|
|||||||
while read line ; do
|
while read line ; do
|
||||||
read -r service target < <(echo "$line")
|
read -r service target < <(echo "$line")
|
||||||
|
|
||||||
# Auto letsencrypt
|
|
||||||
[ "$target" = vandamme.jean-cloud.org ] && continue
|
|
||||||
|
|
||||||
# TODO remove
|
# TODO remove
|
||||||
#( [ "$service" = collectif-arthadie.fr ] || [[ "$service" == *oma-radio.fr ]] ) && continue
|
[ "$service" = collectif-arthadie.fr ] && continue
|
||||||
|
|
||||||
# remove dummy cert
|
# remove dummy cert
|
||||||
dummy_cert.sh "$service" remove
|
dummy_cert.sh "$service" remove || true
|
||||||
|
|
||||||
[ -d "$DATA_DIR/certs/live/$service" ] && echo "Already exists, thats a job for renew : $service" && continue
|
[ -d "$DATA_DIR/certs/live/$service" ] && echo "Already exists, thats a job for renew : $service" && continue
|
||||||
|
|
||||||
# acme
|
# acme
|
||||||
"$here/acme-dns.sh" "$service"
|
"$here/acme-dns.sh" "$service" "$tmp"
|
||||||
|
|
||||||
# Replace dummy cert if letsencrypt failed
|
|
||||||
[ "$?" -ne 0 ] && dummy_cert.sh "$service" add
|
|
||||||
done < "$servicefile"
|
done < "$servicefile"
|
||||||
|
|
||||||
echo "Push certs to other servers"
|
echo "Push certs to other servers"
|
||||||
@ -52,5 +47,5 @@ for srv in $(host -t TXT shlago.jean-cloud.org ns.jean-cloud.org | grep -Po 'des
|
|||||||
server="$srv.jean-cloud.org"
|
server="$srv.jean-cloud.org"
|
||||||
[ -n "$(grep "$server" /etc/hosts)" ] && continue
|
[ -n "$(grep "$server" /etc/hosts)" ] && continue
|
||||||
echo "-- $server"
|
echo "-- $server"
|
||||||
rsync -avz -e "ssh -i '$DATA_DIR/certs.priv' -p 45985" "$DATA_DIR/certs" "certs@$server:$DATA_DIR/"
|
rsync -avz -e "ssh -i '$DATA_DIR/certs.priv' -p 45985" "$DATA_DIR/certs" "certs@$server:$DATA_DIR/" || true
|
||||||
done
|
done
|
||||||
|
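Review bot: After this change, no failure in the loop is reported any more. The `[ "$?" -ne 0 ] && dummy_cert.sh "$service" add` fallback is gone, and `dummy_cert.sh "$service" remove || true` and `rsync … || true` discard their status without a message. A failed push leaves the other servers on the previous certificates until they expire, so I would at least log it: `rsync … || echo "cert push to $server failed" >&2`. If the script runs under `set -e` (its header is outside the hunks), a non-zero exit from `"$here/acme-dns.sh" "$service" "$tmp"` now stops the loop at the first failing service. Appending `|| echo "acme failed for $service" >&2` keeps the remaining services going.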
@ -1,29 +1,8 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
set -a
|
||||||
|
. "$SECRET_DIR/.env"
|
||||||
|
set +a
|
||||||
|
|
||||||
. "$DATA_DIR/.env"
|
|
||||||
webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')"
|
|
||||||
webdav_user="$(echo "$NC_SHARE_LINK" |sed 's#.*/s/##')"
|
|
||||||
webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")"
|
|
||||||
|
|
||||||
# Get website files
|
|
||||||
git_update.sh -d "$HTTP_DIR" "$GIT_SOURCE_REPO"
|
git_update.sh -d "$HTTP_DIR" "$GIT_SOURCE_REPO"
|
||||||
|
hugo_rclone.sh "$HTTP_DIR"
|
||||||
# Get content from nextcloud
|
|
||||||
rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: "$HTTP_DIR/$CLOUD_LOCAL_PATH"
|
|
||||||
|
|
||||||
# Go to website
|
|
||||||
cd "$HTTP_DIR"
|
|
||||||
|
|
||||||
# Rename .attachement dirs created by nextcloud
|
|
||||||
while read filename ; do
|
|
||||||
oldname="$(basename "$filename")"
|
|
||||||
newname="${oldname:1}"
|
|
||||||
path="$(dirname "$filename")"
|
|
||||||
# And rename their references in md files
|
|
||||||
find -type f -iname '*.md' -exec sed -i "s/$oldname/$newname/g" {} \;
|
|
||||||
mv "$path/$oldname" "$path/$newname"
|
|
||||||
done < <(find -type d -name '.attachments.*')
|
|
||||||
|
|
||||||
# Build the website
|
|
||||||
hugo
|
|
||||||
|
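Review bot: `set -a` around `. "$SECRET_DIR/.env"` exports every value in the secrets file to all later children, including `git_update.sh` and, through `hugo_rclone.sh`, the `hugo` build, although only the rclone step needs the Nextcloud credentials. Sourcing the file without `set -a` and exporting just the names `hugo_rclone.sh` reads, e.g. `export NC_SHARE_LINK NC_SHARE_PASSWORD`, keeps the rest out of the environment of tools that fetch and build third-party content. Moving the source line below the `git_update.sh` call narrows it further.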
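--- a/services/feministesucl34.communisteslibertaires.org/deploy_http.sh
+++ b/services/feministesucl34.communisteslibertaires.org/deploy_http.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+set -euo pipefail
+. "$SECRET_DIR/.env"
+
+rclone sync --config=/notfound --sftp-host sftp.jean-cloud.net --sftp-user feministesucl34 --sftp-port 2929 --sftp-pass "$SFTP_PASS" :sftp:/public/ "$HTTP_DIR"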
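--- a/services/feministesucl34.communisteslibertaires.org/nginx_server.conf
+++ b/services/feministesucl34.communisteslibertaires.org/nginx_server.conf
@@ -0,0 +1,16 @@
+server {
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+ssl_certificate $JC_CERT/fullchain.pem;
+ssl_certificate_key $JC_CERT/privkey.pem;
+server_name $JC_SERVICE;
+
+location = /wp-login.php {
+return 301 https://wordpress.feministesucl34.jean-cloud.net/wp-login.php;
+}
+
+location / {
+root $HTTP_DIR;
+try_files $uri $uri/ =404;
+}
+}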
@ -5,7 +5,7 @@ server {
|
|||||||
ssl_certificate_key $JC_CERT/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
server_name $JC_SERVICE www.$JC_SERVICE;
|
server_name $JC_SERVICE www.$JC_SERVICE;
|
||||||
location / {
|
location / {
|
||||||
root $HTTP_DIR;
|
root $HTTP_DIR/public;
|
||||||
try_files $uri $uri/ =404;
|
try_files $uri $uri/ =404;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -5,7 +5,7 @@ server {
|
|||||||
ssl_certificate_key $JC_CERT/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
server_name $JC_SERVICE www.$JC_SERVICE;
|
server_name $JC_SERVICE www.$JC_SERVICE;
|
||||||
location / {
|
location / {
|
||||||
root $HTTP_DIR;
|
root $HTTP_DIR/public;
|
||||||
try_files $uri $uri/ =404;
|
try_files $uri $uri/ =404;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_certificate /etc/letsencrypt/live/git.jean-cloud.net/fullchain.pem;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/git.jean-cloud.net/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
server_name git.jean-cloud.net www.git.jean-cloud.net;
|
server_name git.jean-cloud.net www.git.jean-cloud.net;
|
||||||
location / {
|
location / {
|
||||||
client_max_body_size 5G;
|
client_max_body_size 5G;
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_certificate /etc/letsencrypt/live/gmx-webmail.jean-cloud.net/fullchain.pem;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/gmx-webmail.jean-cloud.net/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
|
|
||||||
server_name gmx-webmail.jean-cloud.net www.gmx-webmail.jean-cloud.net;
|
server_name gmx-webmail.jean-cloud.net www.gmx-webmail.jean-cloud.net;
|
||||||
# root /data/gmx-webmail.jean-cloud.net/app;
|
# root /data/gmx-webmail.jean-cloud.net/app;
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_certificate /etc/letsencrypt/live/grapes.chahut.jean-cloud.net/fullchain.pem;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/grapes.chahut.jean-cloud.net/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
server_name grapes.chahut.jean-cloud.net;
|
server_name grapes.chahut.jean-cloud.net;
|
||||||
root $HTTP_DIR;
|
root $HTTP_DIR;
|
||||||
|
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_certificate /etc/letsencrypt/live/gypsylyonfestival.com/fullchain.pem;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/gypsylyonfestival.com/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
#server_name gypsylyonfestival.com www.gypsylyonfestival.com;
|
#server_name gypsylyonfestival.com www.gypsylyonfestival.com;
|
||||||
server_name gypsy.jean-cloud.net;
|
server_name gypsy.jean-cloud.net;
|
||||||
root /data/gypsylyonfestival.com/output;
|
root /data/gypsylyonfestival.com/output;
|
||||||
|
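--- a/services/inurbe.fr/.env
+++ b/services/inurbe.fr/.env
@@ -0,0 +1 @@
+GIT_SOURCE_REPO="https://git.jean-cloud.net/adrian/inurbe"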
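--- a/services/inurbe.fr/deploy_http.sh
+++ b/services/inurbe.fr/deploy_http.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+set -euo pipefail
+
+git_update.sh -d "$HTTP_DIR" "$GIT_SOURCE_REPO"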
@ -1 +0,0 @@
|
|||||||
version: '3.1'
|
|
@ -1,12 +1,12 @@
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_certificate /etc/letsencrypt/live/inurbe.fr/fullchain.pem;
|
ssl_certificate $http_certs_dir/inurbe.fr/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/inurbe.fr/privkey.pem;
|
ssl_certificate_key $http_certs_dir/inurbe.fr/privkey.pem;
|
||||||
server_name inurbe.fr www.inurbe.fr;
|
server_name $JC_SERVICE www.$JC_SERVICE;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
root /data/inurbe.fr;
|
root $HTTP_DIR/public;
|
||||||
try_files $uri $uri/ =404;
|
try_files $uri $uri/ =404;
|
||||||
}
|
}
|
||||||
}
|
}
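Review bot: The two certificate lines use `$http_certs_dir/inurbe.fr/...` where the other server blocks in this commit use `$JC_CERT/...`, and the `$http_` prefix is the namespace nginx uses for request-header variables. If the templating step does not define `http_certs_dir` (not visible here), the placeholder would reach nginx unsubstituted and be read as a request header value rather than a filesystem path. I would align it with the sibling files: `ssl_certificate $JC_CERT/fullchain.pem;` and `ssl_certificate_key $JC_CERT/privkey.pem;`.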
|
||||||
|
@ -1,2 +0,0 @@
|
|||||||
version: '3'
|
|
||||||
|
|
@ -1,8 +1,8 @@
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_certificate /etc/letsencrypt/live/karnaval.fr/fullchain.pem;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/karnaval.fr/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
server_name karnaval.fr www.karnaval.fr;
|
server_name karnaval.fr www.karnaval.fr;
|
||||||
root $HTTP_DIR/;
|
root $HTTP_DIR/;
|
||||||
|
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_certificate /etc/letsencrypt/live/leida.fr/fullchain.pem;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/leida.fr/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
server_name leida.fr www.leida.fr;
|
server_name leida.fr www.leida.fr;
|
||||||
location / {
|
location / {
|
||||||
root /data/leida.fr/public;
|
root /data/leida.fr/public;
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
docker run -u 33 --rm --env-file "$DATA_DIR/.env" -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder
|
docker run -u 33 --rm --env-file "$SECRET_DIR/.env" -v "$HTTP_DIR:/usr/local/app" docker.io/jeancloud/pelican-rclone-builder
|
||||||
|
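--- a/services/mux.radiodemo.oma-radio.fr/.env
+++ b/services/mux.radiodemo.oma-radio.fr/.env
@@ -0,0 +1,12 @@
+ENDPOINT=10.29.0.1
+WEBSERVER=.105
+MUX=.100
+TELECOM=.101
+NET=172.29.0
+WEBSOCKET_PORT=2004
+RADIO_HOST=mux.radiodemo.oma-radio.fr
+MUX_SERVER_PORT=9004
+TELECOM_SERVER_PORT=3494
+SOUNDBASE_DIR=/data/mux.radiodemo.oma-radio.fr/core/radioDemo
+OMA_DOCKER_VERSION=dev
+ICECAST=.110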
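--- a/services/mux.radiodemo.oma-radio.fr/deploy.sh
+++ b/services/mux.radiodemo.oma-radio.fr/deploy.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+mkdir -p "$DATA_DIR/pige"
+chown 10000:10000 "$DATA_DIR/pige" -R
+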
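Review bot: Nothing stops this script when `DATA_DIR` is unset or empty, so `mkdir -p` and the recursive `chown` would then act on `/pige` at the filesystem root. The other new scripts in this commit start with `set -euo pipefail`; adding it after the shebang, or writing the path as `"${DATA_DIR:?}/pige"`, turns that case into an explicit failure. Writing the call as `chown -R 10000:10000 -- "${DATA_DIR:?}/pige"` also puts the option before the operand, which not every `chown` accepts in the current order.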
@ -1,7 +1,7 @@
|
|||||||
version: '3'
|
version: '3'
|
||||||
services:
|
services:
|
||||||
ambre_mux:
|
ambre_mux:
|
||||||
image: jeancloud/mux:$OMA_DOCKER_VERSION
|
image: registry.gitlab.com/omaradio/core/oma-mux:$OMA_DOCKER_VERSION
|
||||||
env_file: .env
|
env_file: .env
|
||||||
environment:
|
environment:
|
||||||
OMA_CONFIG_Client1Host: $NET.108
|
OMA_CONFIG_Client1Host: $NET.108
|
||||||
@ -22,7 +22,7 @@ services:
|
|||||||
|
|
||||||
|
|
||||||
saphir_telecom_server:
|
saphir_telecom_server:
|
||||||
image: jeancloud/telecom-server:$OMA_DOCKER_VERSION
|
image: registry.gitlab.com/omaradio/core/oma-telecom-server:$OMA_DOCKER_VERSION
|
||||||
env_file: .env
|
env_file: .env
|
||||||
ports:
|
ports:
|
||||||
- $TELECOM_SERVER_PORT:3490
|
- $TELECOM_SERVER_PORT:3490
|
||||||
@ -37,7 +37,7 @@ services:
|
|||||||
memory: 100M
|
memory: 100M
|
||||||
|
|
||||||
amarante_webserver:
|
amarante_webserver:
|
||||||
image: jeancloud/webserver:$OMA_DOCKER_VERSION
|
image: registry.gitlab.com/omaradio/core/oma-webserver:$OMA_DOCKER_VERSION
|
||||||
env_file: .env
|
env_file: .env
|
||||||
environment:
|
environment:
|
||||||
OMA_CONFIG_TelecommandeHost: $NET$TELECOM
|
OMA_CONFIG_TelecommandeHost: $NET$TELECOM
|
||||||
@ -58,7 +58,7 @@ services:
|
|||||||
image: savonet/liquidsoap:v2.1.4
|
image: savonet/liquidsoap:v2.1.4
|
||||||
env_file: .env
|
env_file: .env
|
||||||
volumes:
|
volumes:
|
||||||
- ./icecast.liq:/transcode.liq
|
- ./liquidsoap.liq:/transcode.liq
|
||||||
- $SOUNDBASE_DIR:/soundbase
|
- $SOUNDBASE_DIR:/soundbase
|
||||||
command: /transcode.liq
|
command: /transcode.liq
|
||||||
restart: unless-stopped
|
restart: unless-stopped
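Review bot: The three images moved to `registry.gitlab.com/omaradio/core/...` are still selected by `$OMA_DOCKER_VERSION`, which the `.env` added for this service sets to `dev`, a tag that can be re-pushed at any time, while the liquidsoap image in the same file is pinned to `v2.1.4`. Pinning a release tag or a digest, for example `image: registry.gitlab.com/omaradio/core/oma-mux@sha256:<digest-placeholder>`, would make each deploy run content that was actually reviewed. The same applies to the `oma-telecom-server` and `oma-webserver` lines.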
|
79
services/mux.radiodemo.oma-radio.fr/liquidsoap.liq
Normal file
79
services/mux.radiodemo.oma-radio.fr/liquidsoap.liq
Normal file
@ -0,0 +1,79 @@
|
|||||||
|
#!/usr/bin/liquidsoap
|
||||||
|
|
||||||
|
# Extract timestamp from pige path
|
||||||
|
def ts_from_filepath (filepath)
|
||||||
|
splitpath = string.split(separator='/', filepath)
|
||||||
|
# Keep only filename
|
||||||
|
filename = list.nth(splitpath,list.length(splitpath)-1)
|
||||||
|
int_of_string(list.hd(string.split(separator='\\.', filename)))
|
||||||
|
end
|
||||||
|
|
||||||
|
# Remove pige from now-1month
|
||||||
|
def clean_single_old_pige(ts)
|
||||||
|
# ts of one month sooner
|
||||||
|
ts = ts - 2678400
|
||||||
|
filepath = "/soundbase/pige/#{ts}.ogg"
|
||||||
|
if file.exists("#{filepath}") then
|
||||||
|
process.run("rm #{filepath}")
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
# Remove a pige file if it is too old
|
||||||
|
def clean_if_old(filename)
|
||||||
|
filepath = "/soundbase/pige/#{filename}"
|
||||||
|
if ( ts_from_filepath (filename) < int_of_float(time()) - 2678400 ) then
|
||||||
|
process.run("rm #{filepath}")
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
# Check that the timestamp starts exactly on a minute
|
||||||
|
def integrity_check(ts)
|
||||||
|
if ts mod 60 != 0 then
|
||||||
|
log.important("#{ts} is to fix")
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
# Routine integrity check for each files
|
||||||
|
def clean_and_check (filepath)
|
||||||
|
ts = ts_from_filepath (filepath)
|
||||||
|
integrity_check (ts)
|
||||||
|
clean_single_old_pige (ts)
|
||||||
|
end
|
||||||
|
|
||||||
|
# Exaustive integrity check
|
||||||
|
def clean_and_check_all ()
|
||||||
|
list.iter(clean_if_old, file.ls("/soundbase/pige/"))
|
||||||
|
list.iter(clean_and_check, file.ls("/soundbase/pige/"))
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# Mux
|
||||||
|
input1 = mksafe(input.harbor("direct.ogg",port=8000,password="JsCabjWJUZXrrrKCaaRZma5wD4YKj5LQLXv6f"))
|
||||||
|
|
||||||
|
# Direct mp3
|
||||||
|
output.icecast(
|
||||||
|
%mp3(bitrate=128, samplerate=22050, stereo=false),
|
||||||
|
mount="/direct.mp3",
|
||||||
|
host="icecast", port=8000, password="JsCabjWJUZXrrrKCaaRZma5wD4YKj5LQLXv6f",
|
||||||
|
input1)
|
||||||
|
|
||||||
|
# Radioking
|
||||||
|
#output.icecast(
|
||||||
|
# %mp3(bitrate=128, samplerate=22050, stereo=false),
|
||||||
|
# mount="/test355",
|
||||||
|
# host="live.radioking.com", port=80, user="", password="",
|
||||||
|
# input)
|
||||||
|
|
||||||
|
# Direct ogg
|
||||||
|
output.icecast(
|
||||||
|
%vorbis(samplerate=44100, channels=1, quality=0.2),
|
||||||
|
mount="/direct.ogg",
|
||||||
|
host="icecast", port=8000, password="JsCabjWJUZXrrrKCaaRZma5wD4YKj5LQLXv6f",
|
||||||
|
input1)
|
||||||
|
|
||||||
|
# Pige
|
||||||
|
output.file(%vorbis(samplerate=44100, channels=1, quality=0.2), {"/soundbase/pige/#{int_of_float(time())}.ogg"}, input1, reopen_when={0s}, reopen_delay=1.0, on_close=clean_and_check)
|
||||||
|
|
||||||
|
# Integrity checks
|
||||||
|
clean_and_check_all()
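Review bot: The harbor and Icecast source password is committed as a string literal in three places (`input.harbor` and both `output.icecast` calls), and the same literal is in the file this commit deletes, so it should be treated as disclosed and rotated. The compose service already loads `.env`, so the script could read the value at start-up instead, e.g. `password=environment.get("ICECAST_SOURCE_PASSWORD")` (the variable name is a placeholder; check that the function exists in the pinned Liquidsoap version), with the value kept out of the repository. Separately, `clean_single_old_pige` and `clean_if_old` delete through `process.run("rm #{filepath}")`, which hands a name returned by `file.ls` to a shell; `file.remove(filepath)` avoids the shell. `clean_if_old` should also skip names that are not `<integer>.ogg` before `ts_from_filepath` calls `int_of_string` on them.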
|
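--- a/services/mux.radiodemo.oma-radio.fr/nginx_server.conf
+++ b/services/mux.radiodemo.oma-radio.fr/nginx_server.conf
@@ -0,0 +1,51 @@
+map $http_upgrade $connection_upgrade {
+default upgrade;
+'' close;
+}
+
+server{
+listen $WEBSOCKET_PORT ssl;
+ssl_certificate $JC_CERT/fullchain.pem;
+ssl_certificate_key $JC_CERT/privkey.pem;
+
+location / {
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header Host $host;
+proxy_pass http://$NET$WEBSERVER:9000;
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "upgrade";
+proxy_read_timeout 120s;
+}
+}
+
+server {
+listen 443 ssl;
+listen [::]:443 ssl;
+server_name $JC_SERVICE;
+ssl_certificate $JC_CERT/fullchain.pem;
+ssl_certificate_key $JC_CERT/privkey.pem;
+
+location / {
+client_max_body_size 0;
+proxy_pass http://$ENDPOINT;
+proxy_set_header Host 'soundbase.radiodemo.oma-radio.fr';
+proxy_set_header X-Forwarded-Host $JC_SERVICE;
+proxy_set_header X-Forwarded-Proto https;
+proxy_set_header X-Forwarded-For $remote_addr;
+}
+
+
+location /direct.ogg {
+client_max_body_size 0;
+proxy_pass http://$NET$ICECAST:8000/direct.ogg;
+}
+location /direct.mp3 {
+client_max_body_size 0;
+proxy_pass http://$NET$ICECAST:8000/direct.mp3;
+}
+
+# TODO open some stat route
+
+
+}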
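Review bot: The `map $http_upgrade $connection_upgrade` block at the top is never used, because the WebSocket location sends a fixed `Connection "upgrade"` header on every request; `proxy_set_header Connection $connection_upgrade;` is what the map exists for. The WebSocket server block also has no `listen [::]:$WEBSOCKET_PORT ssl;` and no `server_name`, although the block this commit removes from the radiodemo configuration did listen on IPv6. `client_max_body_size 0` on `/` removes the request-size limit for everything proxied to `$ENDPOINT`; if large uploads are only expected on specific routes, a finite limit on the rest would bound what an unauthenticated client can push through the proxy.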
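--- a/services/mux.radiodemo.oma-radio.fr/wg-radiodemo.sh
+++ b/services/mux.radiodemo.oma-radio.fr/wg-radiodemo.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -euo pipefail
+
+. .env
+
+wgif="$1"
+
+echo "
+[Interface]
+PrivateKey = $(cat $DATA_DIR/privatekey)
+Address = 10.29.0.254/32
+ListenPort = 55820
+
+# packet forwarding
+PreUp = sysctl -w net.ipv4.ip_forward=1
+
+# port forwarding
+#PreUp = iptables -t nat -A PREROUTING -p tcp --dport $MUX_SERVER_PORT -j DNAT --to-destination $ENDPOINT:$MUX_SERVER_PORT
+#PreUp = iptables -t nat -A PREROUTING -p tcp --dport $TELECOM_SERVER_PORT -j DNAT --to-destination $ENDPOINT:$TELECOM_SERVER_PORT
+
+#PostDown = iptables -t nat -D PREROUTING -p tcp --dport $MUX_SERVER_PORT -j DNAT --to-destination $ENDPOINT:$MUX_SERVER_PORT
+#PostDown = iptables -t nat -D PREROUTING -p tcp --dport $TELECOM_SERVER_PORT -j DNAT --to-destination $ENDPOINT:$TELECOM_SERVER_PORT
+
+# packet masquerading
+#PreUp = iptables -t nat -A POSTROUTING -o $wgif -j MASQUERADE
+#PostDown = iptables -t nat -D POSTROUTING -o $wgif -j MASQUERADE
+
+# remote settings for the private server
+[Peer]
+PublicKey = 6/Mlxe9auEw/WQnC6QYNAYtSAo8jAEMhJ1wXaRNy4AE=
+AllowedIPs = 10.29.0.0/24
+"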
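Review bot: `PrivateKey = $(cat $DATA_DIR/privatekey)` is unquoted and unchecked: a failing `cat` inside the `echo` argument does not trip `set -e`, so a missing key file yields a config with an empty `PrivateKey` and exit status 0. The soundbase counterpart added in this commit guards against this; the same pattern here would be `[ -f "$DATA_DIR/privatekey" ] || { echo 'No privatekey found' >&2 ; exit 1 ; }` followed by `$(cat "$DATA_DIR/privatekey")`. The output contains the private key, so whatever file receives it should be created under a restrictive umask, for example `umask 077` before the redirect.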
@ -28,7 +28,7 @@ primary_ips=""
|
|||||||
secondary_ips="37.65.119.74;"
|
secondary_ips="37.65.119.74;"
|
||||||
|
|
||||||
# NS name
|
# NS name
|
||||||
default_dns_name="shlago.jean-cloud.org."
|
default_dns_name="ns.jean-cloud.org."
|
||||||
|
|
||||||
CAA_RR='CAA 0 issue "letsencrypt.org;validationmethods=dns-01"'
|
CAA_RR='CAA 0 issue "letsencrypt.org;validationmethods=dns-01"'
|
||||||
|
|
||||||
|
@ -89,14 +89,19 @@ addbindline () {
|
|||||||
sed -i "s/\([[:space:]]*\)$token/\1$acme_dns\n\1$token/" "$debian_bind_confdir/named.conf.local"
|
sed -i "s/\([[:space:]]*\)$token/\1$acme_dns\n\1$token/" "$debian_bind_confdir/named.conf.local"
|
||||||
|
|
||||||
|
|
||||||
if [ -z "$shortname" ] ; then
|
# TODO check if name already existst with a different target
|
||||||
|
# Hard since we are resolving targets now…
|
||||||
|
|
||||||
# CNAME are forbiden for empty shortnames, so we must resolve the target IPs
|
# CNAME are forbiden for empty shortnames, so we must resolve the target IPs
|
||||||
|
# For performance reasons, we just put plain IP everywhere
|
||||||
|
# to put aliases in place of ip juste do the following if $shortname is empty:
|
||||||
|
#line_in_file "$shortname CNAME $target." "$bindfile"
|
||||||
while read line ; do
|
while read line ; do
|
||||||
|
if [ -n "$shortname" ] ; then
|
||||||
|
line="$(echo "$line" | sed "s/@/$shortname/")"
|
||||||
|
fi
|
||||||
line_in_file "$line" "$bindfile"
|
line_in_file "$line" "$bindfile"
|
||||||
done < <(fakeresolve "$target")
|
done < <(fakeresolve "$target")
|
||||||
else
|
|
||||||
line_in_file "$shortname CNAME $target." "$bindfile"
|
|
||||||
fi
|
|
||||||
}
|
}
|
||||||
|
|
||||||
list_template_db_files () {
|
list_template_db_files () {
|
||||||
@ -126,6 +131,12 @@ create_primary_files () {
|
|||||||
echo "@ NS $default_dns_name" >> "$new_db_file"
|
echo "@ NS $default_dns_name" >> "$new_db_file"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Add DS record
|
||||||
|
if [ -n "$(ls "$DATA_DIR/keys/K$domain"*.key)" ] ; then
|
||||||
|
echo ""
|
||||||
|
#dnssec-dsfromkey "$DATA_DIR/keys/K$domain"*.key | sed "s/${domain}./@/" >> "$new_db_file"
|
||||||
|
fi
|
||||||
|
|
||||||
# Populate named.conf.local
|
# Populate named.conf.local
|
||||||
cat >> "$debian_bind_confdir/named.conf.local" <<-EOF
|
cat >> "$debian_bind_confdir/named.conf.local" <<-EOF
|
||||||
zone "$domain" {
|
zone "$domain" {
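Review bot: In `addbindline`, the new `sed "s/@/$shortname/"` splices `$shortname` into a sed program, so a `/` in the name breaks the expression and other sed metacharacters change the result; bash can do the same substitution without sed, `line=${line/@/$shortname}`. The `while read line` around it is unchanged context, but `while IFS= read -r line` would keep backslashes and leading whitespace intact. In `create_primary_files`, the DS-record test `[ -n "$(ls "$DATA_DIR/keys/K$domain"*.key)" ]` parses `ls` and prints an error when no key matches, while the branch body only emits an empty line because the `dnssec-dsfromkey` call is commented out; `compgen -G "$DATA_DIR/keys/K$domain*.key" >/dev/null` tests the glob quietly. `addbindline` starts above its hunk, and `create_primary_files` starts and ends outside its hunk.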
|
||||||
|
@ -17,6 +17,6 @@ PublicKey = 14yKNmSfD2lrWU+d/RJBPNvh9pZ/nW4bK27F9nTgvk0=
|
|||||||
AllowedIPs = 10.100.1.253/32
|
AllowedIPs = 10.100.1.253/32
|
||||||
|
|
||||||
[Peer] # Passerelle
|
[Peer] # Passerelle
|
||||||
PublicKey = ZTKOW5DE8jPO8oMh5hAw/c1MQSlUaVxInMPz9Zdwzwo=
|
PublicKey = unY6v95qus8ttJvmSlxqa+J8lKj+CCiRItZ3pFwyjyM=
|
||||||
AllowedIPs = 10.100.1.0/24,192.168.100.0/24
|
AllowedIPs = 10.100.1.0/24,192.168.100.0/24
|
||||||
"
|
"
|
||||||
|
@ -1,12 +1,4 @@
|
|||||||
ENDPOINT=10.29.0.1
|
GIT_SOURCE_REPO="git@gitlab.com:omaradio/website.git"
|
||||||
WEBSERVER=.105
|
RADIO_HOST=mux.radiodemo.oma-radio.fr
|
||||||
MUX=.100
|
USE_SSL=true
|
||||||
TELECOM=.101
|
|
||||||
NET=172.29.0
|
|
||||||
WEBSOCKET_PORT=2004
|
WEBSOCKET_PORT=2004
|
||||||
RADIO_HOST=radiodemo.oma-radio.fr
|
|
||||||
MUX_SERVER_PORT=9004
|
|
||||||
TELECOM_SERVER_PORT=3494
|
|
||||||
SOUNDBASE_DIR=/data/radiodemo.oma-radio.fr/soundbase
|
|
||||||
OMA_DOCKER_VERSION=dev
|
|
||||||
ICECAST=.110
|
|
||||||
|
2
services/radiodemo.oma-radio.fr/.known_hosts
Normal file
2
services/radiodemo.oma-radio.fr/.known_hosts
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
gitlab.com ssh-dss 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
|
||||||
|
gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9
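Review bot: The pinned entries are an `ssh-dss` key and an `ssh-rsa` key only; OpenSSH has disabled DSA host keys by default since 7.0, so the first line has no effect on current clients, and there is no Ed25519 or ECDSA entry. Replacing the `ssh-dss` line with the Ed25519 host key that GitLab publishes, after checking its fingerprint against GitLab's documentation, keeps the pin while moving off the older algorithms. A `#` comment recording where and when the keys were verified would help whoever has to refresh them.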
|
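--- a/services/radiodemo.oma-radio.fr/deploy_http.sh
+++ b/services/radiodemo.oma-radio.fr/deploy_http.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+set -euo pipefail
+
+git_update.sh -b main -d "$HTTP_DIR" -K "$DOCKER_DIR/.known_hosts" -i "$DATA_DIR/website" "$GIT_SOURCE_REPO"
+hugo_rclone.sh "$HTTP_DIR"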
@ -1,46 +0,0 @@
|
|||||||
#!/usr/bin/liquidsoap
|
|
||||||
|
|
||||||
def clean_and_check (filename)
|
|
||||||
ts = string.split(separator='/', filename)
|
|
||||||
ts = int_of_string(list.hd(string.split(separator='\.', list.nth(ts, list.length(ts)-1))))
|
|
||||||
integrity_check (ts)
|
|
||||||
clean_old_pige (ts)
|
|
||||||
end
|
|
||||||
|
|
||||||
def clean_and_check (filename)
|
|
||||||
|
|
||||||
end
|
|
||||||
|
|
||||||
def integrity_check(filename)
|
|
||||||
if ts mod 60 != 0 then
|
|
||||||
log.important("#{filename} is to fix")
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
# Mux
|
|
||||||
input1 = mksafe(input.harbor("direct.ogg",port=8000,password="JsCabjWJUZXrrrKCaaRZma5wD4YKj5LQLXv6f"))
|
|
||||||
|
|
||||||
# Direct mp3
|
|
||||||
output.icecast(
|
|
||||||
%mp3(bitrate=128, samplerate=22050, stereo=false),
|
|
||||||
mount="/direct.mp3",
|
|
||||||
host="icecast", port=8000, password="JsCabjWJUZXrrrKCaaRZma5wD4YKj5LQLXv6f",
|
|
||||||
input1)
|
|
||||||
|
|
||||||
# Radioking
|
|
||||||
#output.icecast(
|
|
||||||
# %mp3(bitrate=128, samplerate=22050, stereo=false),
|
|
||||||
# mount="/test355",
|
|
||||||
# host="live.radioking.com", port=80, user="", password="",
|
|
||||||
# input)
|
|
||||||
|
|
||||||
# Direct ogg
|
|
||||||
output.icecast(
|
|
||||||
%vorbis(samplerate=44100, channels=1, quality=0.2),
|
|
||||||
mount="/direct.ogg",
|
|
||||||
host="icecast", port=8000, password="JsCabjWJUZXrrrKCaaRZma5wD4YKj5LQLXv6f",
|
|
||||||
input1)
|
|
||||||
|
|
||||||
# Pige
|
|
||||||
output.file(%vorbis(samplerate=44100, channels=1, quality=0.2), {"/soundbase/pige/#{int_of_float(time())}.ogg"}, input1, reopen_when={0s}, reopen_delay=1.0, on_close=clean_and_check)
|
|
||||||
|
|
50
services/radiodemo.oma-radio.fr/nginx_server.conf
Normal file → Executable file
50
services/radiodemo.oma-radio.fr/nginx_server.conf
Normal file → Executable file
@ -1,38 +1,22 @@
|
|||||||
map $http_upgrade $connection_upgrade {
|
|
||||||
default upgrade;
|
|
||||||
'' close;
|
|
||||||
}
|
|
||||||
|
|
||||||
server{
|
|
||||||
listen $WEBSOCKET_PORT ssl;
|
|
||||||
listen [::]:$WEBSOCKET_PORT ssl;
|
|
||||||
ssl_certificate /etc/letsencrypt/live/$RADIO_HOST/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/$RADIO_HOST/privkey.pem;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_pass http://172.29.0.105:9000;
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "upgrade";
|
|
||||||
proxy_read_timeout 120s;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 443 ssl;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl;
|
listen [::]:443 ssl http2;
|
||||||
server_name $RADIO_HOST;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate /etc/letsencrypt/live/$RADIO_HOST/fullchain.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/$RADIO_HOST/privkey.pem;
|
server_name $JC_SERVICE www.$JC_SERVICE;
|
||||||
|
root $HTTP_DIR/public/;
|
||||||
|
|
||||||
|
# Security headers
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||||
|
#add_header Content-Security-Policy "default-src 'none';frame-ancestors 'none'; script-src 'self' 'https://static.jean-cloud.net/player-interface/*' ; img-src 'self'; font-src 'self'; object-src 'none'; style-src 'self' 'https://static.jean-cloud.net/player-interface/*' 'https://cdn.jsdelivr.net/npm/*'; base-uri 'self'; form-action 'self';" always;
|
||||||
|
add_header X-Content-Type-Options "nosniff";
|
||||||
|
add_header X-Frame-Options SAMEORIGIN always;
|
||||||
|
add_header X-XSS-Protection "1; mode=block" always;
|
||||||
|
add_header Referrer-Policy "strict-origin-when-cross-origin";
|
||||||
|
add_header Permissions-Policy "geolocation='none';midi='none';notifications='none';push='none';microphone='none';camera='none';magnetometer='none';gyroscope='none';speaker='self';vibrate='none';fullscreen='self';payment='none';";
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
client_max_body_size 0;
|
index index.html;
|
||||||
proxy_pass http://$ENDPOINT;
|
try_files $uri $uri/ =404;
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
}
|
}
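Review bot: The `Permissions-Policy` value uses the `name='none';` form, which is not valid syntax for this header, so browsers will discard it and no feature is actually restricted. The header takes a comma-separated list with allowlists in parentheses, e.g. `add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=(), fullscreen=(self)" always;`. `X-Content-Type-Options`, `Referrer-Policy` and this header also lack `always`, so they are not sent on error responses such as the `=404` from `try_files`. The Content-Security-Policy line is commented out, and its quoted URL sources would need to be unquoted before it is enabled.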
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_certificate /etc/letsencrypt/live/rpnow.jean-cloud.net/fullchain.pem;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/rpnow.jean-cloud.net/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
server_name rpnow.jean-cloud.net www.rpnow.jean-cloud.net;
|
server_name rpnow.jean-cloud.net www.rpnow.jean-cloud.net;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
@ -21,8 +21,8 @@ server {
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_certificate /etc/letsencrypt/live/rpnow.jean-cloud.net/fullchain.pem;
|
ssl_certificate $JC_CERT/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/rpnow.jean-cloud.net/privkey.pem;
|
ssl_certificate_key $JC_CERT/privkey.pem;
|
||||||
server_name test.rpnow.jean-cloud.net www.test.rpnow.jean-cloud.net;
|
server_name test.rpnow.jean-cloud.net www.test.rpnow.jean-cloud.net;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
|
@ -1,4 +1,5 @@
|
|||||||
benevoles31.karnaval.fr max.jean-cloud.org
|
benevoles31.karnaval.fr max.jean-cloud.org
|
||||||
|
feministesucl34.communisteslibertaires.org none
|
||||||
chahut.jean-cloud.net max.jean-cloud.org
|
chahut.jean-cloud.net max.jean-cloud.org
|
||||||
collectif-arthadie.fr vandamme.jean-cloud.org
|
collectif-arthadie.fr vandamme.jean-cloud.org
|
||||||
compagnienouvelle.fr nougaro.jean-cloud.org
|
compagnienouvelle.fr nougaro.jean-cloud.org
|
||||||
@ -6,13 +7,12 @@ copaines.jean-cloud.net max.jean-cloud.org
|
|||||||
cousinades.jean-cloud.net max.jean-cloud.org
|
cousinades.jean-cloud.net max.jean-cloud.org
|
||||||
deployer.jean-cloud.org shlago.jean-cloud.org
|
deployer.jean-cloud.org shlago.jean-cloud.org
|
||||||
etrevivant.net shlago.jean-cloud.org
|
etrevivant.net shlago.jean-cloud.org
|
||||||
feministesucl34.jean-cloud.net tetede.jean-cloud.org
|
|
||||||
feteducourt2020.jean-cloud.net shlago.jean-cloud.org
|
feteducourt2020.jean-cloud.net shlago.jean-cloud.org
|
||||||
feteducourt.jean-cloud.net shlago.jean-cloud.org
|
feteducourt.jean-cloud.net shlago.jean-cloud.org
|
||||||
git.jean-cloud.net vandamme.jean-cloud.org
|
git.jean-cloud.net vandamme.jean-cloud.org
|
||||||
grapes.chahut.jean-cloud.net max.jean-cloud.org
|
grapes.chahut.jean-cloud.net max.jean-cloud.org
|
||||||
gypsylyonfestival.com max.jean-cloud.org
|
gypsylyonfestival.com max.jean-cloud.org
|
||||||
inurbe.fr max.jean-cloud.org
|
inurbe.fr shlago.jean-cloud.org
|
||||||
jean-cloud.net shlago.jean-cloud.org
|
jean-cloud.net shlago.jean-cloud.org
|
||||||
leida.fr vandamme.jean-cloud.org
|
leida.fr vandamme.jean-cloud.org
|
||||||
dnscerts.jean-cloud.org max.jean-cloud.org
|
dnscerts.jean-cloud.org max.jean-cloud.org
|
||||||
@ -25,8 +25,10 @@ nuage.jean-cloud.net vandamme.jean-cloud.org
|
|||||||
pa1.studios.oma-radio.fr tetede.jean-cloud.org
|
pa1.studios.oma-radio.fr tetede.jean-cloud.org
|
||||||
paj.oma-radio.fr nougaro.jean-cloud.org
|
paj.oma-radio.fr nougaro.jean-cloud.org
|
||||||
quadrille-elsa.jean-cloud.net shlago.jean-cloud.org
|
quadrille-elsa.jean-cloud.net shlago.jean-cloud.org
|
||||||
radiodemo-back.oma-radio.fr montbonnot.jean-cloud.org
|
chiloe.eu shlago.jean-cloud.org
|
||||||
radiodemo.oma-radio.fr tetede.jean-cloud.org
|
soundbase.radiodemo.oma-radio.fr montbonnot.jean-cloud.org
|
||||||
|
radiodemo.oma-radio.fr raku.jean-cloud.org
|
||||||
|
mux.radiodemo.oma-radio.fr raku.jean-cloud.org
|
||||||
radionimaitre.oma-radio.fr tetede.jean-cloud.org
|
radionimaitre.oma-radio.fr tetede.jean-cloud.org
|
||||||
raplacgr.jean-cloud.net tetede.jean-cloud.org
|
raplacgr.jean-cloud.net tetede.jean-cloud.org
|
||||||
rpnow.jean-cloud.net vandamme.jean-cloud.org
|
rpnow.jean-cloud.net vandamme.jean-cloud.org
|
||||||
|
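--- a/services/sftp.jean-cloud.net/deploy.sh
+++ b/services/sftp.jean-cloud.net/deploy.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+cd "$DATA_DIR"
+
+[ ! -f users.conf ] && touch users.conf
+
+# Create key if not exists
+if [ ! -f ssh_host_ed25519_key ] ; then
+ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N ''
+ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key -N ''
+fi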
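Review bot: `cd "$DATA_DIR"` is not checked and the script has no `set -e`, so if the directory is missing or the variable is unset, `users.conf` and both host private keys are created in whatever directory the deployer was started from. `cd "${DATA_DIR:?}" || exit 1`, or `set -euo pipefail` as in the other new scripts, closes that. The key block only tests `ssh_host_ed25519_key` before generating both keys; testing each file separately avoids `ssh-keygen` stopping to ask about overwriting an existing `ssh_host_rsa_key`.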
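--- a/services/sftp.jean-cloud.net/docker-compose.yml
+++ b/services/sftp.jean-cloud.net/docker-compose.yml
@@ -0,0 +1,18 @@
+version: '3'
+services:
+sshd:
+image: docker.io/atmoz/sftp:alpine
+volumes:
+- $DATA_DIR/ssh_host_ed25519_key:/etc/ssh/ssh_host_ed25519_key:ro
+- $DATA_DIR/ssh_host_rsa_key:/etc/ssh/ssh_host_rsa_key:ro
+- $DATA_DIR/users.conf:/etc/sftp/users.conf:ro
+
+- $DATA_DIR/home/feministesucl34:/home/feministesucl34RO:ro
+- $DATA_DIR/home/leida:/home/leida
+- $DATA_DIR/home/leida:/home/leidaRO
+- $DATA_DIR/home/chiloe:/home/chiloe
+- $DATA_DIR/home/chiloe:/home/chiloeRO
+- $DATA_DIR/home/collectifarthadie:/home/collectifarthadieRO:ro
+ports:
+- '2929:22'
+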
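Review bot: The `leidaRO` and `chiloeRO` mounts have no `:ro` suffix, so they expose `$DATA_DIR/home/leida` and `$DATA_DIR/home/chiloe` read-write, unlike `feministesucl34RO` and `collectifarthadieRO`. If the `RO` accounts are meant to be read-only, the lines should read `- $DATA_DIR/home/leida:/home/leidaRO:ro` and `- $DATA_DIR/home/chiloe:/home/chiloeRO:ro`. The image reference `docker.io/atmoz/sftp:alpine` is also a moving tag; pinning a digest would make redeploys reproducible.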
@ -1,6 +1,5 @@
|
|||||||
NET=10.29.0
|
NET=10.29.0
|
||||||
TELECOM=.101
|
TELECOM=.101
|
||||||
MUX=.100
|
|
||||||
ICECAST=.110
|
ICECAST=.110
|
||||||
WEBSERVER=.105
|
WEBSERVER=.105
|
||||||
SYSTEM_API=.107
|
SYSTEM_API=.107
|
||||||
@ -13,12 +12,10 @@ RADIO_NAME_SIMPLE=radiodemo
|
|||||||
OMA_CONFIG_NomRadio=radiodemo
|
OMA_CONFIG_NomRadio=radiodemo
|
||||||
OMA_CONFIG_LogLevel=8
|
OMA_CONFIG_LogLevel=8
|
||||||
RADIO_NAME_PRETTY="Radio Démo"
|
RADIO_NAME_PRETTY="Radio Démo"
|
||||||
COMPOSE_NAME=radiodemo-backoma-radiofr
|
COMPOSE_NAME=soundbaseradiodemooma-radiofr
|
||||||
DOCKER_INSTANCES_PREFIX=radiodemo-backoma-radiofr-
|
DOCKER_INSTANCES_PREFIX=radiodemo-backoma-radiofr-
|
||||||
DOCKER_INSTANCES_SUFIX=-1
|
DOCKER_INSTANCES_SUFIX=-1
|
||||||
DATA_DIR=/home/data/radiodemo-back.oma-radio.fr
|
SOUNDBASE_DIR=/data/soundbase.radiodemo.oma-radio.fr/core/radioDemo
|
||||||
SOUNDBASE_DIR=/home/data/radiodemo-back.oma-radio.fr/core/radioDemo
|
|
||||||
USE_SSL=true
|
USE_SSL=true
|
||||||
PUBLIC_WEBSITE_UPSTREAM=https://static.oma-radio.fr/player-interface/1.5.0
|
|
||||||
MANAGER_WEBSITE_UPSTREAM=https://static.oma-radio.fr/single-manager/1.1.1
|
MANAGER_WEBSITE_UPSTREAM=https://static.oma-radio.fr/single-manager/1.1.1
|
||||||
RADIO_HOST=radiodemo.oma-radio.fr
|
RADIO_HOST=radiodemo.oma-radio.fr
|
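--- a/services/soundbase.radiodemo.oma-radio.fr/deploy.sh
+++ b/services/soundbase.radiodemo.oma-radio.fr/deploy.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+git_update.sh -b dev -i "$DATA_DIR/radiodemo-deploy" -d "$DATA_DIR/core" git@gitlab.com:omaradio/core.git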
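Review bot: This SSH clone passes an identity file with `-i` but no `-K` known-hosts file, whereas the radiodemo `deploy_http.sh` in this commit passes `-K "$DOCKER_DIR/.known_hosts"`; unless `git_update.sh` pins the host key some other way (not visible here), the GitLab host key is not checked against a committed value. The script also lacks `set -euo pipefail`, so an unset `DATA_DIR` turns the paths into `/radiodemo-deploy` and `/core`. Suggested: add `set -euo pipefail` after the shebang and pass `-K "$DOCKER_DIR/.known_hosts"` with a `.known_hosts` file committed for this service.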
@ -1,12 +1,12 @@
|
|||||||
version: '3'
|
version: '3'
|
||||||
services:
|
services:
|
||||||
anthracite_jukebox:
|
anthracite_jukebox:
|
||||||
image: jeancloud/jukebox:$OMA_DOCKER_VERSION
|
image: registry.gitlab.com/omaradio/core/oma-jukebox:$OMA_DOCKER_VERSION
|
||||||
env_file: .env
|
env_file: .env
|
||||||
environment:
|
environment:
|
||||||
OMA_CONFIG_TelecommandeHost: $RADIO_HOST
|
OMA_CONFIG_TelecommandeHost: $RADIO_HOST
|
||||||
OMA_CONFIG_TelecommandePort: $TELECOM_SERVER_PORT
|
OMA_CONFIG_TelecommandePort: $TELECOM_SERVER_PORT
|
||||||
OMA_CONFIG_Client1Host: $RADIO_HOST
|
OMA_CONFIG_Client1Host: soundbase.radiodemo.osoundbase.radiodemo.oma-radio.fr
|
||||||
OMA_CONFIG_Client1Port: $MUX_SERVER_PORT
|
OMA_CONFIG_Client1Port: $MUX_SERVER_PORT
|
||||||
volumes:
|
volumes:
|
||||||
- $SOUNDBASE_DIR:/app/soundBase
|
- $SOUNDBASE_DIR:/app/soundBase
|
||||||
@ -22,7 +22,7 @@ services:
|
|||||||
memory: 100M
|
memory: 100M
|
||||||
|
|
||||||
azurite_jukebox_simulator:
|
azurite_jukebox_simulator:
|
||||||
image: jeancloud/jukebox-simulator:$OMA_DOCKER_VERSION
|
image: registry.gitlab.com/omaradio/core/oma-jukebox-simulator:$OMA_DOCKER_VERSION
|
||||||
env_file: .env
|
env_file: .env
|
||||||
environment:
|
environment:
|
||||||
OMA_CONFIG_TelecommandeHost: $RADIO_HOST
|
OMA_CONFIG_TelecommandeHost: $RADIO_HOST
|
||||||
@ -45,7 +45,7 @@ services:
|
|||||||
|
|
||||||
|
|
||||||
agate_importer:
|
agate_importer:
|
||||||
image: jeancloud/baseimport:$OMA_DOCKER_VERSION
|
image: registry.gitlab.com/omaradio/core/oma-baseimport:$OMA_DOCKER_VERSION
|
||||||
env_file: .env
|
env_file: .env
|
||||||
environment:
|
environment:
|
||||||
OMA_CONFIG_TelecommandeHost: $RADIO_HOST
|
OMA_CONFIG_TelecommandeHost: $RADIO_HOST
|
||||||
@ -63,7 +63,7 @@ services:
|
|||||||
|
|
||||||
|
|
||||||
rubis_base_mg:
|
rubis_base_mg:
|
||||||
image: jeancloud/base-mg:$OMA_DOCKER_VERSION
|
image: registry.gitlab.com/omaradio/core/oma-base-mg:$OMA_DOCKER_VERSION
|
||||||
env_file: .env
|
env_file: .env
|
||||||
environment:
|
environment:
|
||||||
OMA_CONFIG_TelecommandeHost: $RADIO_HOST
|
OMA_CONFIG_TelecommandeHost: $RADIO_HOST
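Review bot: The new value of `OMA_CONFIG_Client1Host` in `anthracite_jukebox`, `soundbase.radiodemo.osoundbase.radiodemo.oma-radio.fr`, looks like a paste error: the hostname is repeated inside itself and is unlikely to resolve. `Client1Port` is `$MUX_SERVER_PORT` and the `.env` added for the mux service names `mux.radiodemo.oma-radio.fr` as its `RADIO_HOST`, so the intended target is probably the mux host. Please confirm and set it explicitly, e.g. `OMA_CONFIG_Client1Host: mux.radiodemo.oma-radio.fr`.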
|
@ -25,24 +25,6 @@ server {
|
|||||||
add_header Access-Control-Allow-Origin https://radio.karnaval.fr;
|
add_header Access-Control-Allow-Origin https://radio.karnaval.fr;
|
||||||
|
|
||||||
|
|
||||||
location = /direct.ogg {
|
|
||||||
proxy_pass http://172.29.0.110:8000/direct.ogg;
|
|
||||||
# kill cache
|
|
||||||
add_header Last-Modified $date_gmt;
|
|
||||||
add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
|
|
||||||
if_modified_since off;
|
|
||||||
expires off;
|
|
||||||
etag off;
|
|
||||||
}
|
|
||||||
location = /direct.mp3 {
|
|
||||||
proxy_pass http://172.29.0.110:8000/direct.mp3;
|
|
||||||
# kill cache
|
|
||||||
add_header Last-Modified $date_gmt;
|
|
||||||
add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
|
|
||||||
if_modified_since off;
|
|
||||||
expires off;
|
|
||||||
etag off;
|
|
||||||
}
|
|
||||||
|
|
||||||
location = /api { rewrite ^ /api/; }
|
location = /api { rewrite ^ /api/; }
|
||||||
location ~ /api/pigeindex(/.*) {
|
location ~ /api/pigeindex(/.*) {
|
||||||
@ -210,14 +192,4 @@ server {
|
|||||||
auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd;
|
auth_basic_user_file $SOUNDBASE_DIR/users.htpasswd;
|
||||||
try_files $uri $uri/ =404;
|
try_files $uri $uri/ =404;
|
||||||
}
|
}
|
||||||
location = /favicon.ico {
|
|
||||||
return 301 /favicon.webp;
|
|
||||||
}
|
|
||||||
|
|
||||||
# for js, css, html — dynamic site, players
|
|
||||||
location / {
|
|
||||||
try_files $uri $uri/ =404;
|
|
||||||
add_header Cache-Control 'public must-revalidate';
|
|
||||||
add_header Access-Control-Allow-Origin https://radio.karnaval.fr;
|
|
||||||
}
|
|
||||||
}
|
}
|
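--- a/services/soundbase.radiodemo.oma-radio.fr/wg-radiodemo.sh
+++ b/services/soundbase.radiodemo.oma-radio.fr/wg-radiodemo.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -euo pipefail
+
+. .env
+
+[ -f "$DATA_DIR/radiodemo-soundbase.wgkey" ] || { echo 'No privatekey found' >&2 && exit 1 ; }
+
+echo "
+[Interface]
+PrivateKey = $(cat "$DATA_DIR/radiodemo-soundbase.wgkey")
+Address = 10.29.0.1/32
+ListenPort = 55820
+
+[Peer]
+PublicKey = iwIsUriF4CT/Jpu29VXlj43hT3bUjG67FeEgCTcQCVc=
+AllowedIPs = 10.29.0.254/32
+Endpoint = mux.radiodemo.oma-radio.fr:55820
+PersistentKeepalive = 30
+"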
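Review bot: The generated config carries the private key on stdout (`PrivateKey = $(cat "$DATA_DIR/radiodemo-soundbase.wgkey")`), so whatever captures this output holds the secret, and nothing in the script says so or constrains where it goes. I would add a header comment such as `# Prints a WireGuard config containing the private key; redirect only to a root-owned 0600 file, never to a log`. If the consumer is wg-quick, the key can stay out of the text entirely with `PostUp = wg set %i private-key <key file path>` in place of the `PrivateKey` line. Separately, `. .env` is resolved against the caller's working directory, so the script sources whichever `.env` is there; presumably the deploy wrapper changes into the service directory first, which is worth confirming.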
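--- a/services/static.jean-cloud.net/nginx_server.conf
+++ b/services/static.jean-cloud.net/nginx_server.conf
@@ -0,0 +1,15 @@
+server {
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+ssl_certificate $JC_CERT/fullchain.pem;
+ssl_certificate_key $JC_CERT/privkey.pem;
+server_name static.oma-radio.fr www.static.oma-radio.fr $JC_SERVICE www.$JC_SERVICE;
+root $HTTP_DIR/public/;
+
+location / {
+add_header 'Access-Control-Allow-Origin' '*';
+add_header 'Access-Control-Allow-Methods' 'GET';
+index index.html;
+try_files $uri $uri/ =404;
+}
+}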
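Review bot: The certificate lines here use `$JC_CERT` (`ssl_certificate $JC_CERT/fullchain.pem;`), while the feministesucl34 nginx conf changed later in this commit uses `$JC_CERTS`. Unless the templating step defines both names, one of the two files is left with an unexpanded or empty path and presumably fails the nginx config test, so pick one spelling and use it in both. On `location /`, `Access-Control-Allow-Origin '*'` is reasonable only while everything under `$HTTP_DIR/public/` is public and served without credentials. A comment would record that assumption: `# wildcard CORS: public static assets only, nothing authenticated is served from this root`.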
@ -5,15 +5,15 @@ services:
|
|||||||
wp:
|
wp:
|
||||||
image: wordpress:5.8-apache
|
image: wordpress:5.8-apache
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
env_file: /data/feministesucl34.jean-cloud.net/env
|
env_file: $DATA_DIR/env
|
||||||
environment:
|
environment:
|
||||||
WORDPRESS_DB_HOST: db
|
WORDPRESS_DB_HOST: db
|
||||||
WORDPRESS_DB_USER: wpdbuser
|
WORDPRESS_DB_USER: wpdbuser
|
||||||
WORDPRESS_DB_NAME: wpdb
|
WORDPRESS_DB_NAME: wpdb
|
||||||
#WORDPRESS_CONFIG_EXTRA: "define( 'WP_HOME', 'https://feministesucl34.jean-cloud.net/wordpress' ); define( 'WP_SITEURL', 'https://feministesucl34.jean-cloud.net/wordpress' );"
|
#WORDPRESS_CONFIG_EXTRA: "define( 'WP_HOME', 'https://feministesucl34.jean-cloud.net/wordpress' ); define( 'WP_SITEURL', 'https://feministesucl34.jean-cloud.net/wordpress' );"
|
||||||
volumes:
|
volumes:
|
||||||
- /data/feministesucl34.jean-cloud.net/wordpress:/var/www/html
|
- $DATA_DIR/wordpress:/var/www/html
|
||||||
- /data/feministesucl34.jean-cloud.net/static:/var/www/html/static
|
- $DATA_DIR/static:/var/www/html/static
|
||||||
networks:
|
networks:
|
||||||
default:
|
default:
|
||||||
ipv4_address: 172.29.9.100
|
ipv4_address: 172.29.9.100
|
||||||
@ -25,13 +25,13 @@ services:
|
|||||||
db:
|
db:
|
||||||
image: mariadb:10.4
|
image: mariadb:10.4
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
env_file: /data/feministesucl34.jean-cloud.net/env
|
env_file: $DATA_DIR/env
|
||||||
environment:
|
environment:
|
||||||
MYSQL_DATABASE: wpdb
|
MYSQL_DATABASE: wpdb
|
||||||
MYSQL_USER: wpdbuser
|
MYSQL_USER: wpdbuser
|
||||||
MYSQL_RANDOM_ROOT_PASSWORD: 'yes'
|
MYSQL_RANDOM_ROOT_PASSWORD: 'yes'
|
||||||
volumes:
|
volumes:
|
||||||
- /data/feministesucl34.jean-cloud.net/db:/var/lib/mysql
|
- $DATA_DIR/db:/var/lib/mysql
|
||||||
networks:
|
networks:
|
||||||
default:
|
default:
|
||||||
ipv4_address: 172.29.9.101
|
ipv4_address: 172.29.9.101
|
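Review bot: `env_file: $DATA_DIR/env` and the volume sources in both hunks (`wp` and `db`) now depend on `DATA_DIR` being set when Compose interpolates the file. With the plain `$DATA_DIR` form an unset variable becomes an empty string with only a warning, so the paths would resolve to `/env`, `/wordpress`, `/static` and `/db` on the host instead of the service's data directory. The required-variable form makes that failure explicit, e.g. `- ${DATA_DIR:?DATA_DIR must be set}/db:/var/lib/mysql`, and likewise for `env_file` and the other two volumes. The service definitions continue outside the lines shown.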
@ -1,8 +1,8 @@
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_certificate /etc/letsencrypt/live/feministesucl34.jean-cloud.net/fullchain.pem;
|
ssl_certificate $JC_CERTS/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/feministesucl34.jean-cloud.net/privkey.pem;
|
ssl_certificate_key $JC_CERTS/privkey.pem;
|
||||||
server_name wordpress.feministesucl34.jean-cloud.net www.wordpress.feministesucl34.jean-cloud.net;
|
server_name wordpress.feministesucl34.jean-cloud.net www.wordpress.feministesucl34.jean-cloud.net;
|
||||||
location / {
|
location / {
|
||||||
client_max_body_size 2G;
|
client_max_body_size 2G;
|
||||||
@ -17,9 +17,9 @@ server {
|
|||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
ssl_certificate /etc/letsencrypt/live/feministesucl34.jean-cloud.net/fullchain.pem;
|
ssl_certificate $JC_CERTS/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/feministesucl34.jean-cloud.net/privkey.pem;
|
ssl_certificate_key $JC_CERTS/privkey.pem;
|
||||||
server_name feministesucl34.jean-cloud.net www.feministesucl34.jean-cloud.net feministesucl34.communisteslibertaires.org;
|
server_name feministesucl34.jean-cloud.net www.feministesucl34.jean-cloud.net;
|
||||||
|
|
||||||
location = /wp-login.php {
|
location = /wp-login.php {
|
||||||
return 301 https://wordpress.feministesucl34.jean-cloud.net/wp-login.php;
|
return 301 https://wordpress.feministesucl34.jean-cloud.net/wp-login.php;
|