adrian/jean-cloud-services
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Compare commits

base: adrian:f7ed1c51ebe7c0b8b8c65e9e7e77d61fb2689c01
Branches Tags
adrian:master
adrian:v2024
...
compare: adrian:01c3e5374d1cbcdb9e2a851d39b408a219a239b2
Branches Tags
adrian:v2024
adrian:master

2 Commits
f7ed1c51eb ... 01c3e5374d

Author SHA1 Message Date
Adrian Amaglio
01c3e5374d certs and stuff 2023-09-15 10:57:47 +02:00
Adrian Amaglio
13a9891e71 pouloulou… 2023-09-13 10:46:02 +02:00
39 changed files with 510 additions and 485 deletions
Show Stats Expand all files Collapse all files

21
installing/debootstrap_ordis_portables.sh
View File

@ -195,8 +195,14 @@ chroot_run locale-gen
if [ -n "$data_device" ] ; then
section "Mounting data dir"
cryptsetup create --type plain dmcrypt-jeancloud "$data_device"
section "Mounting and encrypting data dir"
run cryptsetup create --type plain dmcrypt-jeancloud "$data_device"
run mkfs.ext4 dmcrypt-jeancloud
uuid="$(blkid | grep dmcrypt-jeancloud | grep -o 'UUID="[^"]\+"')"
if [ -z "$uuid" ] ; then
die "Error, unexpected empty uuid"
fi
line_in_file "$uuid /data ext4 rw,nofail 0 1" "$mnt/etc/fstab"
fi
@ -210,15 +216,20 @@ line_in_file "proc /proc proc defaults" "$mnt/etc/fstab"
run echo "$hostname" > "$mnt/etc/hostname"
# Prenvent suspend on lid close
line_in_file HandleLidSwitch=ignore /etc/systemd/logind.conf
line_in_file HandleLidSwitch=ignore "$mnt/etc/systemd/logind.conf"
# Fix path and remove noisy beep
# Inform futur scripts that /data is not mounted
touch "$mnt/data/mounted"
# Fix path
run cat > "$mnt/root/.bashrc" <<EOF
PATH=$PATH:/usr/bin:/bin:/sbin:/usr/sbin:/sbin
setterm -powerdown 0
EOF
# Be sure this fucking beep is gone
echo 'set bell-style none' >> "$mnt/etc/inputrc"
# TODO find a third method to kill this doomed beep
# TODO find a second method to kill this doomed beep
line_in_file '@reboot root shutdownscreen.sh' "$mnt/etc/crontab"
# boot crypted

3
installing/notes
View File

@ -2,3 +2,6 @@ blatte :
DO NOT REBOOT IT. it sometimes fails…
-i 'firmware-amd-graphics firmware-realtek'
raku :
+ ajouter nonfree dans les sources
-i firmware-atheros

11
provisioning/inventory.ini
View File

@ -1,9 +1,14 @@
[shlago]
max.jean-cloud.org
tetede.jean-cloud.org
raku.jean-cloud.org
[servers]
#vandamme.jean-cloud.org
#nougaro.jean-cloud.org
#tetede.jean-cloud.org
#carcasse.jean-cloud.org
#benevoles.karnaval.fr
#montbonnot.jean-cloud.org
max.jean-cloud.org
#blatte.jean-cloud.org
max.jean-cloud.org
tetede.jean-cloud.org
raku.jean-cloud.org

13
provisioning/roles/deploy_all/files/bin/deploy_service.sh
View File

@ -4,6 +4,8 @@
set -euo pipefail
[ ! -f /data/mounted ] && die "/data is not mounted"
noreload=false
deploy=true
if [ "$#" -ge 2 ] && [ "$2" = noreload ] ; then
@ -131,15 +133,8 @@ if [ -f "/docker/$service/nginx_server.conf" ] ; then
run template.sh "/docker/$service/.env" < "/docker/$service/nginx_server.conf" > "$new_nginx_conf_path/$service"
fi
# Do we need dummy cert?
if [ ! -e "$certs_path/$service/fullchain.pem" ] ; then
section "Create cert dir"
run mkdir -p "$certs_path/$service"
section "Link dummy to cert"
run ln -s "$dummy_cert_path/fullchain.pem" "$certs_path/$service"
run ln -s "$dummy_cert_path/privkey.pem" "$certs_path/$service"
fi
section "Add dummy cert if needed"
dummy_cert.sh "$service" add
section "Testing nginx conf"
run nginx -t -c /etc/nginx/new_nginx.conf

17
provisioning/roles/deploy_all/files/bin/deployall.sh
View File

@ -11,12 +11,9 @@ set -euo pipefail
# Variables
###############################################################################
export proxy_dir="/etc/nginx"
export nginx_conf_path="$proxy_dir/sites-enabled"
export new_nginx_conf_path="$proxy_dir/new-sites-enabled"
export certs_path="/etc/letsencrypt/live"
export dummy_cert_path="$certs_path/dummy"
set -a
. /etc/jeancloud.env
set +a
###############################################################################
# Helpers
@ -50,14 +47,6 @@ run chown root:root /data
run chmod 755 /docker
run chmod 755 /data
section "Check dummy cert exists "
#TODO check if expired
if [ ! -f "$dummy_cert_path/privkey.pem" ] ; then
echo "Dummy cert generation"
run mkdir -p "$dummy_cert_path"
run openssl req -x509 -newkey rsa:2048 -keyout /etc/letsencrypt/live/dummy/privkey.pem -out /etc/letsencrypt/live/dummy/fullchain.pem -days 365 -nodes -subj "/C=FR/ST=France/O=IT/CN=jean-cloud.net"
fi
section "Create new conf directory"
run mkdir -p "$new_nginx_conf_path"

4
provisioning/roles/deploy_all/files/bin/driglibash-base
View File

@ -150,8 +150,8 @@ clean() {
# tells where your executable is (absolute path). Follow simlinks if any argument provided
where() {
if [ -z "$1" ] ; then
echo "$( cd -P "$( dirname "$1" )" && pwd )"
if [ "$#" -lt 1 ] || [ -z "$1" ] ; then
echo "$( cd -P "$( dirname "$0" )" && pwd )"
else
SOURCE="$0"
while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink

38
provisioning/roles/deploy_all/files/bin/dummy_cert.sh Executable file
View File

@ -0,0 +1,38 @@
#!/bin/bash
. driglibash-base
. /etc/jeancloud.env
if [ "$#" -ne 2 ] || [ -z "$1" ] || [ -z "$2" ] ; then
die "Usage: $0 <service-name> <action>"
fi
service="$1"
action="$2"
# Create dummy cert if needed
#TODO check if expired
if [ ! -f "$dummy_cert_path/privkey.pem" ] ; then
echo "Dummy cert generation"
run mkdir -p "$dummy_cert_path"
run openssl req -x509 -newkey rsa:2048 -keyout /etc/letsencrypt/live/dummy/privkey.pem -out /etc/letsencrypt/live/dummy/fullchain.pem -days 365 -nodes -subj "/C=FR/ST=France/O=IT/CN=jean-cloud.net"
fi
if [ "$action" = add ] ; then
# Link letsencrypt dir to dummy cert dir if there is no cert
if [ ! -e "$certs_path/$service/fullchain.pem" ] ; then
section "Create cert dir"
run mkdir -p "$certs_path/$service"
section "Link dummy to cert"
run ln -s "$dummy_cert_path/fullchain.pem" "$certs_path/$service"
run ln -s "$dummy_cert_path/privkey.pem" "$certs_path/$service"
fi
elif [ "$action" = remove ] ; then
# UNlink letsencrypt dir to dummy cert dir IF it is the dummy cert
if [ "$(readlink "$certs_path/$service_name/fullchain.pem")" = "$dummy_cert_path/fullchain.pem" ] ; then
rm -r "$certs_path/$service_name"
fi
else
die "$0: Unknown action '$action'"
fi

1
provisioning/roles/deploy_all/files/bin/gen_env.sh
View File

@ -14,6 +14,7 @@ nginx_conf_path='$proxy_dir/sites-enabled'
new_nginx_conf_path='$proxy_dir/new-sites-enabled'
certs_path='$certs_path'
dummy_cert_path='$certs_path/dummy'
servicefile=/docker/services.txt
EOF
for dir in /docker/* ; do

41
provisioning/roles/deploy_all/files/bin/git_update.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash
declare -A usage
declare -A varia
@ -17,6 +18,10 @@ usage[i]="privkey used to ssh pull"
varia[i]=privkey
privkey=''
usage[N]="Clone to a Non-empty target. Existing files will be overwriten"
varia[N]=nonempty_target
nonempty_target=false
. driglibash-args
@ -35,16 +40,32 @@ fi
cd "$dst"
if [ -d .git ] ; then
git fetch origin "$branch"
git checkout --force -B "$branch" "origin/$branch"
git reset --hard
git clean -qffdx
git submodule update --init --recursive --force --recommend-shallow
git submodule foreach git fetch
git submodule foreach git checkout --force -B "$branch" "origin/$branch"
git submodule foreach git reset --hard
git submodule foreach git clean -fdx
run git fetch origin "$branch"
run git checkout --force -B "$branch" "origin/$branch"
run git reset --hard
# Preserve existing files in some cases
if ! "$nonempty_target" ; then
git clean -qffdx
fi
run git submodule update --init --recursive --force --recommend-shallow
run git submodule foreach git fetch
run git submodule foreach git checkout --force HEAD
run git submodule foreach git reset --hard
run git submodule foreach git clean -fdx
else
git clone -b "$branch" --single-branch --recurse-submodules --shallow-submodules --depth 1 --config core.sshCommand="$ssh_opt" "$repo" .
clone_dst='.'
# To override an existing dir, we need to clone elsewhere first
if "$nonempty_target" ; then
clone_dst="$(mktemp -d)"
fi
run git clone -b "$branch" --single-branch --recurse-submodules --shallow-submodules --depth 1 --config core.sshCommand="$ssh_opt" "$repo" "$clone_dst"
# To override an existing dir, we then move everything to that dir
if "$nonempty_target" ; then
run mv "$clone_dst/"{*,.*} .
run rmdir "$clone_dst"
fi
fi

6
provisioning/roles/deploy_all/files/bin/letsencrypt.sh
View File

@ -34,9 +34,7 @@ for file in "$nginx_sites_dir"* ; do
domains="$(extract_domain_nginx_conf.sh "$file")"
if [ -n "$domains" ] ; then
# If using dummy cert, disabling it
if [ "$(readlink "/etc/letsencrypt/live/$service_name/fullchain.pem")" = "/etc/letsencrypt/live/dummy/fullchain.pem" ] ; then
rm -r "/etc/letsencrypt/live/$service_name"
fi
dummy_cert.sh "$service_name" remove
echo "$domains"
# adding -d before every domain
@ -71,8 +69,10 @@ for file in "$nginx_sites_dir"* ; do
echo " ------------------------------------------"
echo "$out"
echo " ------------------------------------------"
dummy_cert.sh "$service_name" add
else
echo "Unknown error : $result.\n$out"
dummy_cert.sh "$service_name" add
fi
fi
done

14
provisioning/roles/deploy_all/files/bin/resolvable.sh Executable file
View File

@ -0,0 +1,14 @@
#/bin/bash
# Read domains form stdin and echo the ones resolved successfully
server=""
if [ "$#" -ge 1 ] && [ -n "$1" ] ; then
server="$1"
fi
while read domain; do
host "$domain" $server &>/dev/null
[ "$?" -eq 0 ] && echo "$domain"
done
exit 0

1
provisioning/roles/deploy_all/files/bin/template.sh
View File

@ -7,5 +7,6 @@ fi
if [ -f "$1" ] ; then
bash -c 'set -a && . '"$1"' && envsubst "$(cat '"$1"' | grep -o ^.*= | sed "s/=//" | sed "s/^/$/")"'
else
echo "No env file found, no modifications made." >&2
cat /dev/stdin
fi

1
provisioning/roles/jean-cloud-common/files/certs.priv.pub Normal file
View File

@ -0,0 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDYnqsFJpr2wF3WD9QO81SIZJ1Ah7qRM+F3mOgGItYD1qjO4/0Hx8HCzebZkega3wP6Pn5ML/CANXzGnniib5khzjuecF2RU1yNqO40BmuuJ1T0AtdHLuLc6RXmpBmE2NFmSxTEAMN1/kWXoo2gwiBTFOqSnIElfRoHCxwAZFZN/wuEnZKuMV4xw8NWkkrmruSBdkOMHvZshtdzxkvi61FI/7MOWFdmiFy2YypmPUEx3h3ujykQcgVpZ7RYz8seh5v7j5P2N/xYJYEatMN7che31d6u1Nazd0kfV/9jAQNXxsKgSZdnxJpoKDjXe6DLLwQ3gybOT70ehzdG77SK/bi6KnVYrH5E/2lehHOGgKpdskt0pEJ8d0rM5hIgnyCX+S6S7H8c8Uca+UVc+/g59qW1XRyYmr/o4zljmkZA4Zx0IEk3MQYCFkT9JZQTjrgSCI01ggHxwOoQhpiJVnoUZNa3j3DMTi86A3H4XD5ByIK8k7t5MFzk6sDWYDi25CVa/HM= root@raku.jean-cloud.org

16
provisioning/roles/jean-cloud-common/tasks/main.yml
View File

@ -24,6 +24,21 @@
when: inventory_hostname in groups["shlago"]
# Account for deploying SSL certs
- name: Add certs user
ansible.builtin.user:
name: certs
shell: /bin/bash
home: /data/letsencrypt.jean-cloud.org
- name: Set authorized key, removing all the authorized keys already set
ansible.posix.authorized_key:
user: certs
key: "{{ lookup('file', 'certs.pub') }}"
state: present
exclusive: true
#
- name: Show last changed password for security
copy:
dest: /etc/profile.d/user_last_passwd.sh
@ -77,6 +92,7 @@
"max-file": "3"
}
}
#TODO add this to /etc/docker/daemon.json
#{
# "iptables": false

64
provisioning/services_nougaro.yml
View File

@ -1,64 +0,0 @@
# TODO ansible secrets
# Oma-Radio host
- name: Deploy specific services
hosts: nougaro.jean-cloud.net
become: no
roles:
#- role: docker-network-setup
# The proxy docker stack must be the first to be deployed
- role: prepare-nginx
- role: deploy
service_name: proxy
state: started
monitored: false
- role: deploy
service_name: nsslave.jean-cloud.net
state: started
monitored: false
- role: deploy
service_name: registry.oma-radio.fr
state: started
- role: deploy
service_name: wordpress.inurbe.fr
state: started
- role: deploy
service_name: compagnienouvelle.fr
state: started
- role: deploy
service_name: icecast.oma-radio.fr
state: started
monitored: false
remote_docker_login_user: oma
remote_docker_login_pass: KkK8Aavmm4cN6nBM
remote_docker_login_registry: http://registry.oma-radio.fr
- role: deploy
service_name: soundbase.oma-radio.fr
state: started
monitored: false
- role: deploy
service_name: paj.oma-radio.fr
state: started
monitored: false
remote_docker_login_user: oma
remote_docker_login_pass: KkK8Aavmm4cN6nBM
remote_docker_login_registry: http://registry.oma-radio.fr
#- role: deploy
# service_name: radionimaitre.oma-radio.fr
# state: started
# monitored: false
# remote_docker_login_user: oma
# remote_docker_login_pass: KkK8Aavmm4cN6nBM
# remote_docker_login_registry: http://registry.oma-radio.fr
- role: restart-nginx

132
provisioning/services_vandamme.yml
View File

@ -1,132 +0,0 @@
# The host have:
# - /data -> every data
# - /docker -> deployed docker-compose files
- name: Deploy specific services
hosts: vandamme.jean-cloud.net
become: yes
roles:
#- role: docker-network-setup
# The proxy docker stack must be the first to be deployed
- role: prepare-nginx
- role: deploy
service_name: proxy
state: started
monitored: false
- role: deploy
service_name: meta-morpho.se
state: started
- role: deploy
service_name: mailer.jean-cloud.net
state: started
remote_docker_login_user: jean-cloud
remote_docker_login_pass: KaJefxXiNr327EfG4suYD2PM4tYF5Jy8AhMYntfdjVhX
monitored: false
- role: deploy
service_name: static.jean-cloud.net
state: started
- role: deploy
service_name: ssh
state: started
monitored: false
#- role: deploy
# service_name: myrrdel.jean-cloud.net
# state: started
- role: deploy
service_name: collectif-arthadie.fr
state: started
#- role: deploy
# service_name: karna.jean-cloud.net
# state: started
- role: deploy
service_name: oma-radio.fr
state: started
- role: deploy
service_name: rpnow.jean-cloud.net
state: started
- role: deploy
service_name: ns.jean-cloud.org
state: started
monitored: false
- role: deploy
service_name: gmx-webmail.jean-cloud.net
state: started
- role: deploy
service_name: registry.jean-cloud.net
state: started
- role: deploy
service_name: inurbe.fr
state: started
- role: deploy
service_name: feteducourt.jean-cloud.net
state: started
remote_docker_login_user: jean-cloud
remote_docker_login_pass: KaJefxXiNr327EfG4suYD2PM4tYF5Jy8AhMYntfdjVhX
- role: deploy
service_name: feteducourt2020.jean-cloud.net
state: started
remote_docker_login_user: jean-cloud
remote_docker_login_pass: KaJefxXiNr327EfG4suYD2PM4tYF5Jy8AhMYntfdjVhX
- role: deploy
service_name: leida.fr
state: started
- role: deploy
service_name: lalis.fr
state: started
- role: deploy
service_name: amaglio.fr
state: started
- role: deploy
service_name: velov.jean-cloud.net
state: started
- role: deploy
service_name: cousinades.jean-cloud.net
state: started
monitored: false # web cant pass basic auth yet
- role: deploy
service_name: cousinades2.jean-cloud.net
state: started
monitored: false # web cant pass basic auth yet
- role: deploy
service_name: nuage.jean-cloud.net
state: started
- role: deploy
service_name: git.jean-cloud.net
state: started
- role: deploy
service_name: wiki-cgr.jean-cloud.net
state: started
- role: deploy
service_name: jean-cloud.net
state: started
- role: restart-nginx

15
services/_ssh/docker-compose.yml
View File

@ -1,15 +0,0 @@
version: '3'
services:
sshd:
image: atmoz/sftp
volumes:
- /data/ssh/ssh_host_ed25519_key:/etc/ssh/ssh_host_ed25519_key
- /data/ssh/ssh_host_rsa_key:/etc/ssh/ssh_host_rsa_key
- /data/leida.fr:/home/leida/sftp
- /data/lalis.fr:/home/lalis/sftp
- /data/oma-radio.fr:/home/oma/sftp
- /data/collectif-arthadie.fr/wordpress:/home/collectifarthadie/sftp
- /data/ssh/users.conf:/etc/sftp/users.conf:ro
ports:
- '2222:22'

6
services/cousinades2.jean-cloud.net/Dockerfile
View File

@ -1,6 +0,0 @@
FROM php:7.2-fpm-alpine
#RUN apt-get update && apt-get install -y libpq-dev && docker-php-ext-install pdo pdo_pgsql
RUN set -ex \
&& apk --no-cache add \
postgresql-dev
RUN docker-php-ext-install pdo_pgsql

35
services/cousinades2.jean-cloud.net/docker-compose.yml
View File

@ -1,35 +0,0 @@
version: '3'
services:
app:
build: .
volumes:
- /data/cousinades2.jean-cloud.net/public:/usr/src/app
restart: unless-stopped
networks:
default:
ipv4_address: 172.29.8.101
deploy:
resources:
limits:
cpus: '0.50'
memory: 100M
db:
image: postgres:9.6-alpine
volumes:
- /data/cousinades2.jean-cloud.net/db:/var/lib/postgresql/data
networks:
default:
ipv4_address: 172.29.8.101
deploy:
resources:
limits:
cpus: '0.50'
memory: 100M
networks:
default:
ipam:
config:
- subnet: 172.29.8.0/24

25
services/cousinades2.jean-cloud.net/nginx_server.conf
View File

@ -1,25 +0,0 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/cousinades2.jean-cloud.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cousinades2.jean-cloud.net/privkey.pem;
server_name cousinades2.jean-cloud.net www.cousinades2.jean-cloud.net;
index index.php;
root /data/cousinades2.jean-cloud.net/public;
location / {
#auth_basic "Restricted";
#auth_basic_user_file /data/cousinades2.jean-cloud.net/private/passwords.txt;
try_files $uri $uri/ =404;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass 172.29.8.100:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /usr/src/app/$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
}

4
services/feteducourt.jean-cloud.net/deploy_http.sh Executable file
View File

@ -0,0 +1,4 @@
#!/bin/bash
set -euo pipefail
git_update.sh -d "$HTTP_DIR" -b 2021 "https://git.jean-cloud.net/adrian/feteducourt-static.git"

17
services/feteducourt.jean-cloud.net/nginx_server.conf
View File

@ -1,20 +1,11 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/feteducourt.jean-cloud.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/feteducourt.jean-cloud.net/privkey.pem;
server_name feteducourt.jean-cloud.net www.feteducourt.jean-cloud.net;
#location /static {
# alias /data/feteducourt.jean-cloud.net/app/static;
# try_files $uri $uri/ =404;
#}
#location / {
# proxy_pass http://app.feteducourtjean-cloudnet.docker;
# proxy_set_header Host $host;
#}
ssl_certificate /etc/letsencrypt/live/$JC_SERVICE/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$JC_SERVICE/privkey.pem;
server_name $JC_SERVICE www.$JC_SERVICE;
location / {
root /data/feteducourt.jean-cloud.net/static;
root $HTTP_DIR;
try_files $uri $uri/ =404;
}
}

4
services/feteducourt2020.jean-cloud.net/deploy_http.sh Executable file
View File

@ -0,0 +1,4 @@
#!/bin/bash
set -euo pipefail
git_update.sh -d "$HTTP_DIR" -b 2020 "https://git.jean-cloud.net/adrian/feteducourt-static.git"

19
services/feteducourt2020.jean-cloud.net/nginx_server.conf
View File

@ -1,22 +1,11 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/feteducourt2020.jean-cloud.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/feteducourt2020.jean-cloud.net/privkey.pem;
server_name feteducourt2020.jean-cloud.net www.feteducourt2020.jean-cloud.net;
#location /static {
# alias /data/feteducourt2020.jean-cloud.net/app/static;
# try_files $uri $uri/ =404;
#}
#location / {
# proxy_pass http://app.feteducourt2020jean-cloudnet.docker;
# proxy_set_header Host $host;
#}
ssl_certificate /etc/letsencrypt/live/$JC_SERVICE/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$JC_SERVICE/privkey.pem;
server_name $JC_SERVICE www.$JC_SERVICE;
location / {
root /data/feteducourt2020.jean-cloud.net/static;
root $HTTP_DIR;
try_files $uri $uri/ =404;
}
}

17
services/letsencrypt.jean-cloud.org/acme-dns.sh Executable file
View File

@ -0,0 +1,17 @@
#!/bin/bash
if [ "$#" -ne 1 ] ; then
echo "Usage: $0 <service_name>" >&2
exit 1
fi
service="$1"
nginxfile="/docker/$service/nginx_server.conf"
if [ -f "$nginxfile" ] ; then
nginxdomains="$(extract_domain_nginx_conf.sh "$nginxfile" | template.sh "/docker/$service/.env")"
domains="$(echo "$service $nginxdomains" | tr ' ' '\n' | sort -u | resolvable.sh ns.jean-cloud.org | sed -z -e 's/\n$//' -e 's/\n/ -d /g' )"
[ -z "$domains" ] && exit 0
echo "--------------- -d $domains"
certbot certonly --config-dir "$DATA_DIR/certs" --work-dir "$tmp/work" --logs-dir "$tmp/logs" --agree-tos -m contact@jean-cloud.org -n --cert-name "$service" --dns-rfc2136 --dns-rfc2136-credentials "$DATA_DIR/rfc2136.ini" -d $domains
fi

8
services/letsencrypt.jean-cloud.org/deploy.sh Executable file
View File

@ -0,0 +1,8 @@
#!/bin/bash
set -euo pipefail
# For some variables
. /etc/jeancloud.env
apt install -y python3-certbot-dns-rfc2136

20
services/letsencrypt.jean-cloud.org/deploy_bind.sh Executable file
View File

@ -0,0 +1,20 @@
#!/bin/bash
set -euo pipefail
. /etc/jeancloud.env
[ ! -f "$DATA_DIR/rfc2136.ini" ] && echo "$0 Missing files" && exit 1
while read line ; do
read -r service target < <(echo "$line")
echo "---- $service $target ----"
nginxfile="/docker/$service/nginx_server.conf"
if [ -f "$nginxfile" ] ; then
nginxdomains="$(extract_domain_nginx_conf.sh "$nginxfile" | template.sh "/docker/$service/.env")"
domains="$(echo "$service $nginxdomains" | tr ' ' '\n' | sort -u | sed -z 's/\n/ -d /')"
echo "$domains"
certbot certonly -m contact@jean-cloud.org -n --cert-name "$service" --dns-rfc2136 --dns-rfc2136-credentials "$DATA_DIR/rfc2136.ini" -d $domains
fi
done < "$servicefile"

8
services/letsencrypt.jean-cloud.org/run.sh Executable file
View File

@ -0,0 +1,8 @@
#!/bin/bash
set -euo pipefail
. driglibash-base
here="$(where)"
sudo -u bind bash -c "$here/run_bind.sh $@"

40
services/letsencrypt.jean-cloud.org/run_bind.sh Executable file
View File

@ -0,0 +1,40 @@
#!/bin/bash
set -euo pipefail
. driglibash-base
here="$(where)"
# For some variables
. /etc/jeancloud.env
. "$here/.env"
# Test secret presence
[ ! -f "$DATA_DIR/rfc2136.ini" ] && echo "$0 Missing file '$DATA_DIR/rfc2136.ini'" && exit 1
export tmp="$(mktemp -d)"
mkdir -p "$tmp/{work,logs}"
# If there is some args, populate a fake service file
if [ "$#" -ge 1 ] && [ -n "$1" ] ; then
servicefile="$(mktemp)"
for service in "$@" ; do
echo "$service _" >> "$servicefile"
done
fi
# For each service, read all possible domains
while read line ; do
read -r service target < <(echo "$line")
# removo dummy cert
dummy_cert.sh "$service" remove
[ -d "$DATA_DIR/certs/live/$service" ] && echo "Already exists, thats a job for renew : $service" && continue
# acme
"$here/acme-dns.sh" "$service"
# Replace dummy cert if letsencrypt failed
[ "$?" -ne 0 ] && dummy_cert.sh "$servic" remove
done < "$servicefile"

2
services/metamorphosemagazine.fr/nginx_server.conf
View File

@ -3,7 +3,7 @@ server {
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/metamorphosemagazine.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/metamorphosemagazine.fr/privkey.pem;
server_name metamorphosemagazine.fr;
server_name $JC_SERVICE www.$JC_SERVICE;
location / {
add_header Content-language fr;
root $HTTP_DIR/src;

13
services/ns.jean-cloud.org/deploy.sh Executable file
View File

@ -0,0 +1,13 @@
#!/bin/bash
set -euo pipefail
cd ../ns1.jean-cloud.org
. deploy.sh
. .env
# Do not run if primary exists
[ -d "$DATA_DIR/keys" ] && echo 'ns1 found on this host. Aborting.' && exit 0
export keydir=""
run secondary

145
services/ns1.jean-cloud.org/deploy.sh
View File

@ -1,125 +1,60 @@
#!/bin/bash
. driglibash-base
. "$(where)/helper_functions.sh"
set -euo pipefail
# Working variables
debian_bind_workdir="/var/cache/bind"
debian_bind_confdir="/etc/bind"
keydir="$DATA_DIR/keys"
# Install dependencies
apt install -y bind9 &>/dev/null
# Create Directories
mkdir -p "$keydir"
chown bind:bind "$keydir" -R
chown bind:bind "$debian_bind_confdir" -R
# Empty bind dir if it is not our git repo
if [ ! -d "$debian_bind_confdir/.git" ] ; then
echo "lets delete $debian_bind_confdir"
rm -rf "$debian_bind_confdir/"{*,.*}
fi
# Sync the git repo
sudo -u bind git_update.sh -b main -i "$DATA_DIR/gitkey" -d "$debian_bind_confdir" 'ssh://git@git.jean-cloud.net:22529/adrian/dnszones.git'
cd /etc/bind
sudo -u bind git status
### Generate zones from service directory ###
servicefile="/docker/services.txt"
# Function that simulate a DNS resolve by reading bind zone file
# Returns all the record line:
# @ IN A X.X.X.X
fakeresolve () {
if [ "$#" -ne 1 ] ; then
die "Usage: fakeresolve <name>"
fi
name="$1"
zonefile="$debian_bind_confdir/db.jean-cloud.org"
shortname="$(echo "$name" | grep -Po '^.*(?=\.[^\.]+\.[^\.]+$)' || true)"
grep -v -e '^[[:space:]]*;' "$zonefile" |grep -oP "^[[:space:]]*$shortname\K[[:space:]]*IN[[:space:]]*A{1,4}[[:space:]]*[\S;]+" | sed 's/^/@/'
}
# Function that add DNS record in the right file
addbindline () {
if [ "$#" -ne 2 ] ; then
die "Usage: addbindline <name> <target_cname>"
fi
name="$1"
target="$2"
# extract the truc.com part
domain="$(echo "$name" | grep -o '[^\.]\+\.[^\.]\+$' || true)"
[ -z "$domain" ] && return 0
# extract the subdomain part (www)
shortname="$(echo "$name" | grep -Po '^.*(?=\.[^\.]+\.[^\.]+$)' || true)"
# bind DB file
bindfile="$debian_bind_confdir/db.$domain"
if [ -z "$shortname" ] ; then
# CNAME are forbiden for empty shortnames, so we must resolve the target IPs
while read line ; do
line_in_file "$line" "$bindfile"
done < <(fakeresolve "$target")
else
line_in_file "$shortname IN CNAME $target." "$bindfile"
fi
#XXX Add CAA records
}
autoconf_separator=";;; Autogeneration. Do not write under this line! ;;;"
echo 'Prepare bind: Remove autogenerated part from bind conf files'
sed -i -n "/$autoconf_separator/q;p" "$debian_bind_confdir"/*
echo 'Put the separator back'
for file in $( ls "$debian_bind_confdir"/db.* | grep -v '.signed$\|.jbk$\|.jnl$') ; do
echo "$autoconf_separator" >> "$file"
done
# File that contain "service target" lines
# With service a symbolic dns name and target an existing server hostname
servicefile="/docker/services.txt"
for file in "$debian_bind_confdir"/db.* ; do
domain="$(basename "$file" | sed 's/db.//')"
# The bind file containing server declarations
server_zone_file="template.db.jean-cloud.org"
# TODO fill header too?
# Where you want your DNS keys stored
keydir="$DATA_DIR/keys"
# If no NS record in the db file
if [ -z "$(grep '[^;].*IN.*NS' "$file")" ] ; then
echo -e "@ IN NS ns.jean-cloud.org\n" >> "$file"
# IP of primary servers
primary_ips=""
# IP of secondary servers (for zone transfer)
secondary_ips="37.65.119.74"
# NS name
default_dns_name="shlago.jean-cloud.org."
CAA_RR='CAA 0 issue "letsencrypt.org;validationmethods=dns-01"'
run () {
if [ "$#" -ne 1 ] ; then
die "Usage: run <primary|secondary>"
fi
echo -n "
zone '$domain' {
allow-update { none; };
type master;
file \"$file\";
};" >> "$debian_bind_confdir/named.conf.local"
done
prepare
primary_ips="$primary_ips;$(fakeresolve_ip_list raku)"
secondary_ips="$secondary_ips;$(fakeresolve_ip_list shlago)"
echo 'Find every used domain and add them to bind db'
while read line ; do
read -r service target <<<$(echo "$line")
addbindline "$service" "$target"
nginxfile="/docker/$service/nginx_server.conf"
if [ -f "$nginxfile" ] ; then
for name in $(extract_domain_nginx_conf.sh "$nginxfile" | template.sh "/docker/$service/.env") ; do
addbindline "$name" "$target"
done
line_in_file "primary_ips=\"$primary_ips\"" "$DOCKER_DIR/.env"
line_in_file "secondary_ips=\"$secondary_ips\"" "$DOCKER_DIR/.env"
if [ "$1" = "primary" ] ; then
create_primary_files
else
create_secondary_files
fi
done <"$servicefile"
restart
}
echo 'Restart bind9'
systemctl restart bind9
main () {
run primary
}
# Do not execute main if script is sourced
! (return 0 2>/dev/null) && main "$@" || true # return 0 whatever happends

184
services/ns1.jean-cloud.org/helper_functions.sh Normal file
View File

@ -0,0 +1,184 @@
set -euo pipefail
fakeresolve_ip_list () {
if [ "$#" -ne 1 ] ; then
die "Usage: fakeresolve_ip_list <name>"
fi
grep -oP "^$1[[:space:]]+IN[[:space:]]+A{1,4}[[:space:]]+\K[^;\s]+" "$debian_bind_confdir/$server_zone_file" | tr '\n' ';'
}
prepare () {
# Install dependencies
apt install -y bind9 &>/dev/null
# Create Directories
if [ -n "$keydir" ] ; then
mkdir -p "$keydir"
chown bind:bind "$keydir" -R
chown bind:bind "$debian_bind_confdir" -R
fi
# Sync the git repo
sudo -u bind git_update.sh -N -b main -i "$DATA_DIR/gitkey" -d "$debian_bind_confdir" 'ssh://git@git.jean-cloud.net:22529/adrian/dnszones.git'
cd /etc/bind
echo 'Prepare bind: Remove autogenerated part from bind conf files'
sed -i -n "/$autoconf_separator/q;p" "$debian_bind_confdir"/*
echo 'Put the separator back'
for file in $( ls "$debian_bind_confdir"/template.db.* | grep -v '.signed$\|.jbk$\|.jnl$') ; do
echo "$autoconf_separator" >> "$file"
done
}
restart () {
echo 'Restart named'
systemctl restart named
}
# Function that simulate a DNS resolve by reading bind zone file
# Returns all the record line:
# @ IN A X.X.X.X
fakeresolve () {
if [ "$#" -ne 1 ] ; then
die "Usage: fakeresolve <name>"
fi
name="$1"
zonefile="$debian_bind_confdir/$server_zone_file"
# Split full name if there are dots
shortname="$name"
if [ -n "$(echo "$name" | grep -o '\.')" ] ; then
shortname="$(echo "$name" | grep -Po '^.*(?=\.[^\.]+\.[^\.]+$)' || true)"
fi
grep -v -e '^[[:space:]]*;' "$zonefile" |grep -oP "^[[:space:]]*$shortname\K[[:space:]]*IN[[:space:]]*A{1,4}[[:space:]]*[\S;]+" | sed 's/^/@/'
}
# Function that add DNS record in the right file
addbindline () {
if [ "$#" -ne 2 ] ; then
die "Usage: addbindline <name> <target_cname>"
fi
name="$1"
target="$2"
# extract the truc.com part
domain="$(echo "$name" | grep -o '[^\.]\+\.[^\.]\+$' || true)"
[ -z "$domain" ] && return 0
# extract the subdomain part (www)
shortname="$(echo "$name" | grep -Po '^.*(?=\.[^\.]+\.[^\.]+$)' || true)"
# bind DB file
bindfile="$debian_bind_confdir/db.$domain"
# Only append if db file exists
[ ! -f "$bindfile" ] && return 0
# BTW allow ACME DNS update
token="#JC-ACME $domain"
acme_dns="grant letsencrypt.key. name _acme-challenge.$name. TXT;"
sed -i "s/\([[:space:]]*\)$token/\1$acme_dns\n\1$token/" "$debian_bind_confdir/named.conf.local"
if [ -z "$shortname" ] ; then
# CNAME are forbiden for empty shortnames, so we must resolve the target IPs
while read line ; do
line_in_file "$line" "$bindfile"
done < <(fakeresolve "$target")
else
line_in_file "$shortname IN CNAME $target." "$bindfile"
fi
}
list_template_db_files () {
ls "$debian_bind_confdir"/template.db.*
}
create_primary_files () {
# Compact the default SOA
SOA="$(grep -o '^[^;]*' SOA | sed -z -e 's/[[:space:]]\{2,\}/ /g' -e 's/\n/\\n/')"
cat "$debian_bind_confdir/template.named.conf" | template.sh "$DOCKER_DIR/.env" > "$debian_bind_confdir/named.conf"
for file in $(list_template_db_files) ; do
domain="$(basename "$file" | sed 's/template.db.//')"
new_db_file="$(echo "$file" | sed 's/template.db./db./')"
# Set the default SOA if needed
sed "s/^;JC_AUTOSOA$/$SOA/" "$file" > "$new_db_file"
# Set serial
serial="$(date '+%s')"
sed -i "s/\(@ IN SOA [^(]*( \)[0-9]\+/\1$serial/" "$new_db_file"
# If no NS record in the db file
if [ -z "$(grep '[^;].*IN.*NS' "$new_db_file")" ] ; then
echo "@ IN NS $default_dns_name" >> "$new_db_file"
fi
# Populate named.conf.local
cat >> "$debian_bind_confdir/named.conf.local" <<-EOF
zone "$domain" {
# Zone file
type master;
file "$new_db_file";
# Secondary conf
# https://kb.isc.org/docs/aa-00723
#allow-update { !{!{$secondary_ips};any;}; key update-key; };
allow-transfer { $secondary_ips };
also-notify { $secondary_ips };
notify yes;
# DNSSEC
dnssec-policy default;
inline-signing yes;
key-directory "$DATA_DIR/keys";
# ACME autorizations
update-policy {
#JC-ACME $domain
};
};
EOF
done
echo 'Find every used domain and add them to bind db'
while read line ; do
read -r service target < <(echo "$line")
addbindline "$service" "$target"
nginxfile="/docker/$service/nginx_server.conf"
if [ -f "$nginxfile" ] ; then
for name in $(extract_domain_nginx_conf.sh "$nginxfile" | template.sh "/docker/$service/.env") ; do
addbindline "$name" "$target"
done
fi
done <"$servicefile"
}
create_secondary_files () {
primary_ips="$(echo "$primary_ips" | sed 's/^;//')"
for file in "$debian_bind_confdir"/template.db.* ; do
file="$(echo "$file" | sed 's/template.db.//')"
domain="$(basename "$file")"
echo -n "
zone \"$domain\" {
masters { $primary_ips };
type slave;
file \"$file\";
};" >> "$debian_bind_confdir/named.conf.local"
done
}

1
services/radiodemo-back.oma-radio.fr/.env
View File

@ -13,7 +13,6 @@ RADIO_NAME_SIMPLE=radiodemo
OMA_CONFIG_NomRadio=radiodemo
OMA_CONFIG_LogLevel=8
RADIO_NAME_PRETTY="Radio Démo"
RADIO_HOST=radiodemo.oma-radio.fr
COMPOSE_NAME=radiodemo-backoma-radiofr
DOCKER_INSTANCES_PREFIX=radiodemo-backoma-radiofr-
DOCKER_INSTANCES_SUFIX=-1

2
services/radiodemo-back.oma-radio.fr/docker-compose.yml
View File

@ -142,7 +142,7 @@ services:
CONFIG_PATH: /config
restart: unless-stopped
volumes:
- /tmp/uwsgi/$RADIO_HOST:/tmp/uwsgi
- /tmp/uwsgi/$JC_SERVICE:/tmp/uwsgi
- /var/run/docker.sock:/var/run/docker.sock
- $SOUNDBASE_DIR:/soundbase
networks:

6
services/radiodemo-back.oma-radio.fr/nginx_server.conf
View File

@ -18,7 +18,7 @@
server {
listen 80;
listen [::]:80;
server_name $RADIO_HOST;
server_name $JC_SERVICE;
root $SOUNDBASE_DIR/website;
index index.html;
@ -49,7 +49,7 @@ server {
include uwsgi_params;
uwsgi_param PATH_INFO "/pigeindex$1";
uwsgi_param SCRIPT_NAME /api;
uwsgi_pass unix:/tmp/uwsgi/$RADIO_HOST/uwsgi-api.sock;
uwsgi_pass unix:/tmp/uwsgi/$JC_SERVICE/uwsgi-api.sock;
client_max_body_size 0;
uwsgi_connect_timeout 6000;
uwsgi_send_timeout 6000;
@ -70,7 +70,7 @@ server {
include uwsgi_params;
uwsgi_param PATH_INFO "$1";
uwsgi_param SCRIPT_NAME /api;
uwsgi_pass unix:/tmp/uwsgi/$RADIO_HOST/uwsgi-api.sock;
uwsgi_pass unix:/tmp/uwsgi/$JC_SERVICE/uwsgi-api.sock;
client_max_body_size 0;
proxy_connect_timeout 6000;
proxy_send_timeout 60000;

5
services/radiodemo.oma-radio.fr/wg-radiodemo.sh
View File

@ -30,9 +30,4 @@ PostDown = iptables -t nat -D POSTROUTING -o $wgif -j MASQUERADE
[Peer]
PublicKey = 1YIpMhZGrZRnZPlrTjtCfjvXXGk8j0Ug2AfcHEtN/hE=
AllowedIPs = 10.29.0.1/32,$NET.0/24
# test separation PA
[Peer]
PublicKey = todo
AllowedlIPs = 10.29.0.2
"

34
services/services.txt
View File

@ -1,34 +1,34 @@
benevoles31.karnaval.fr max.jean-cloud.org
chahut.jean-cloud.net max.jean-cloud.org
collectif-arthadie.fr vandamme.jean-cloud.org
compagnienouvelle.fr max.jean-cloud.org
compagnienouvelle.fr nougaro.jean-cloud.org
copaines.jean-cloud.net max.jean-cloud.org
cousinades2.jean-cloud.net max.jean-cloud.org
cousinades.jean-cloud.net max.jean-cloud.org
deployer.jean-cloud.org shlago.jean-cloud.org
etrevivant.net shlago.jean-cloud.org
feministesucl34.jean-cloud.net tetede.jean-cloud.org
feteducourt2020.jean-cloud.net tetede.jean-cloud.org
feteducourt.jean-cloud.net tetede.jean-cloud.org
feteducourt2020.jean-cloud.net shlago.jean-cloud.org
feteducourt.jean-cloud.net shlago.jean-cloud.org
git.jean-cloud.net vandamme.jean-cloud.org
grapes.chahut.jean-cloud.net max.jean-cloud.org
gypsylyonfestival.com max.jean-cloud.org
metamorphosemagazine.fr shlago.jean-cloud.org
inurbe.fr max.jean-cloud.org
jean-cloud.net shlago.jean-cloud.org
leida.fr vandamme.jean-cloud.org
letsencrypt.jean-cloud.org max.jean-cloud.org
lexicographe.jean-cloud.net shlago.jean-cloud.org
metamorphosemagazine.fr shlago.jean-cloud.org
nc-backup.jean-cloud.net raku.jean-cloud.org
pa1.studios.oma-radio.fr tetede.jean-cloud.org
raplacgr.jean-cloud.net tetede.jean-cloud.org
velov.jean-cloud.net shlago.jean-cloud.org
radionimaitre.oma-radio.fr tetede.jean-cloud.org
paj.oma-radio.fr nougaro.jean-cloud.org
radiodemo.oma-radio.fr tetede.jean-cloud.org
radiodemo-back.oma-radio.fr montbonnot.jean-cloud.org
pa1.studios.oma-radio.fr tetede.joun-cloud.org
leida.fr shlago.jean-cloud.org
deployer.jean-cloud.org shlago.jean-cloud.org
ns1.jean-cloud.org raku.jean-cloud.org
git.jean-cloud.net vandamme.jean-cloud.org
ns.jean-cloud.org shlago.jean-cloud.org
nuage.jean-cloud.net vandamme.jean-cloud.org
pa1.studios.oma-radio.fr tetede.jean-cloud.org
paj.oma-radio.fr nougaro.jean-cloud.org
radiodemo-back.oma-radio.fr montbonnot.jean-cloud.org
radiodemo.oma-radio.fr tetede.jean-cloud.org
radionimaitre.oma-radio.fr tetede.jean-cloud.org
raplacgr.jean-cloud.net tetede.jean-cloud.org
rpnow.jean-cloud.net vandamme.jean-cloud.org
sftp.jean-cloud.net max.jean-cloud.org
velov.jean-cloud.net shlago.jean-cloud.org
wiki-cgr.jean-cloud.net vandamme.jean-cloud.org
_ssh vandamme.jean-cloud.org

2
services/velov.jean-cloud.net/docker-compose.yml
View File

@ -3,7 +3,7 @@ services:
app:
image: php:7.2-fpm-alpine
volumes:
- /data/velov.jean-cloud.net:/usr/src/app
- $HTTP_DIR:/usr/src/app
restart: unless-stopped
networks:
default: