certs and stuff

installing/debootstrap_ordis_portables.sh

@@ -195,8 +195,14 @@ chroot_run locale-gen
 
 
 if [ -n "$data_device" ] ; then
-	section "Mounting data dir"
+	section "Mounting and encrypting data dir"
-	cryptsetup create --type plain dmcrypt-jeancloud "$data_device"	
+	run cryptsetup create --type plain dmcrypt-jeancloud "$data_device"	
+	run mkfs.ext4 dmcrypt-jeancloud
+	uuid="$(blkid | grep dmcrypt-jeancloud | grep -o 'UUID="[^"]\+"')"
+	if [ -z "$uuid" ] ; then
+		die "Error, unexpected empty uuid"
+	fi
+	line_in_file "$uuid	/data	ext4	rw,nofail	0	1" "$mnt/etc/fstab"
 fi
 
 
@@ -210,15 +216,20 @@ line_in_file "proc /proc proc defaults" "$mnt/etc/fstab"
 run echo "$hostname" > "$mnt/etc/hostname"
 
 # Prenvent suspend on lid close
-line_in_file HandleLidSwitch=ignore /etc/systemd/logind.conf
+line_in_file HandleLidSwitch=ignore "$mnt/etc/systemd/logind.conf"
 
-# Fix path and remove noisy beep
+# Inform futur scripts that /data is not mounted
+touch "$mnt/data/mounted"
+
+# Fix path
 run cat > "$mnt/root/.bashrc" <<EOF
 PATH=$PATH:/usr/bin:/bin:/sbin:/usr/sbin:/sbin
+setterm -powerdown 0
 EOF
 # Be sure this fucking beep is gone
 echo 'set bell-style none' >> "$mnt/etc/inputrc"
-# TODO find a third method to kill this doomed beep
+# TODO find a second method to kill this doomed beep
+line_in_file '@reboot root shutdownscreen.sh' "$mnt/etc/crontab"
 
 
 # boot crypted

installing/notes

@@ -2,3 +2,6 @@ blatte :
 DO NOT REBOOT IT. it sometimes fails…
 -i 'firmware-amd-graphics firmware-realtek'
 
+raku :
++ ajouter nonfree dans les sources
+-i firmware-atheros

provisioning/inventory.ini

@@ -1,9 +1,14 @@
+[shlago]
+max.jean-cloud.org
+tetede.jean-cloud.org
+raku.jean-cloud.org
+
 [servers]
-#vandamme.jean-cloud.org
 #nougaro.jean-cloud.org
-#tetede.jean-cloud.org
 #carcasse.jean-cloud.org
 #benevoles.karnaval.fr
 #montbonnot.jean-cloud.org
-max.jean-cloud.org
 #blatte.jean-cloud.org
+max.jean-cloud.org
+tetede.jean-cloud.org
+raku.jean-cloud.org

provisioning/roles/deploy_all/files/bin/deploy_service.sh

@@ -4,6 +4,8 @@
 
 set -euo pipefail
 
+[ ! -f /data/mounted ] && die "/data is not mounted"
+
 noreload=false
 deploy=true
 if [ "$#" -ge 2 ] && [ "$2" = noreload ] ; then
@@ -131,15 +133,8 @@ if [ -f "/docker/$service/nginx_server.conf" ] ; then
     run template.sh "/docker/$service/.env" < "/docker/$service/nginx_server.conf" > "$new_nginx_conf_path/$service"
 fi
 
-# Do we need dummy cert?
+section "Add dummy cert if needed"
-if [ ! -e "$certs_path/$service/fullchain.pem" ] ; then
+dummy_cert.sh "$service" add
-    section "Create cert dir"
-    run mkdir -p "$certs_path/$service"
-
-    section "Link dummy to cert"
-    run ln -s "$dummy_cert_path/fullchain.pem" "$certs_path/$service"
-    run ln -s "$dummy_cert_path/privkey.pem" "$certs_path/$service"
-fi
 
 section "Testing nginx conf"
 run nginx -t -c /etc/nginx/new_nginx.conf

provisioning/roles/deploy_all/files/bin/deployall.sh

@@ -11,12 +11,9 @@ set -euo pipefail
 #                       Variables
 ###############################################################################
 
-export proxy_dir="/etc/nginx"
+set -a
-export nginx_conf_path="$proxy_dir/sites-enabled"
+. /etc/jeancloud.env
-export new_nginx_conf_path="$proxy_dir/new-sites-enabled"
+set +a
-
-export certs_path="/etc/letsencrypt/live"
-export dummy_cert_path="$certs_path/dummy"
 
 ###############################################################################
 #                       Helpers
@@ -50,14 +47,6 @@ run chown root:root /data
 run chmod 755 /docker
 run chmod 755 /data
 
-section "Check dummy cert exists "
-#TODO check if expired
-if [ ! -f "$dummy_cert_path/privkey.pem" ] ; then
-    echo "Dummy cert generation"
-    run mkdir -p "$dummy_cert_path"
-    run openssl req -x509 -newkey rsa:2048 -keyout /etc/letsencrypt/live/dummy/privkey.pem -out /etc/letsencrypt/live/dummy/fullchain.pem -days 365 -nodes -subj "/C=FR/ST=France/O=IT/CN=jean-cloud.net"
-fi
-
 section "Create new conf directory"
 run mkdir -p "$new_nginx_conf_path"
 

provisioning/roles/deploy_all/files/bin/driglibash-base

@@ -150,8 +150,8 @@ clean() {
 
 # tells where your executable is (absolute path). Follow simlinks if any argument provided
 where() {
-  if [ -z "$1" ] ; then
+  if [ "$#" -lt 1 ] || [ -z "$1" ] ; then
-    echo "$( cd -P "$( dirname "$1" )" && pwd )"
+    echo "$( cd -P "$( dirname "$0" )" && pwd )"
   else
     SOURCE="$0"
     while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink

provisioning/roles/deploy_all/files/bin/dummy_cert.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+
+. driglibash-base
+. /etc/jeancloud.env
+
+if [ "$#" -ne 2 ] || [ -z "$1" ] || [ -z "$2" ] ; then
+	die "Usage: $0 <service-name> <action>"
+fi
+
+service="$1"
+action="$2"
+
+# Create dummy cert if needed
+#TODO check if expired
+if [ ! -f "$dummy_cert_path/privkey.pem" ] ; then
+    echo "Dummy cert generation"
+    run mkdir -p "$dummy_cert_path"
+    run openssl req -x509 -newkey rsa:2048 -keyout /etc/letsencrypt/live/dummy/privkey.pem -out /etc/letsencrypt/live/dummy/fullchain.pem -days 365 -nodes -subj "/C=FR/ST=France/O=IT/CN=jean-cloud.net"
+fi
+
+if [ "$action" = add ] ; then
+	# Link letsencrypt dir to dummy cert dir if there is no cert
+	if [ ! -e "$certs_path/$service/fullchain.pem" ] ; then
+	    section "Create cert dir"
+	    run mkdir -p "$certs_path/$service"
+	
+	    section "Link dummy to cert"
+	    run ln -s "$dummy_cert_path/fullchain.pem" "$certs_path/$service"
+	    run ln -s "$dummy_cert_path/privkey.pem" "$certs_path/$service"
+	fi
+elif [ "$action" = remove ] ; then
+	# UNlink letsencrypt dir to dummy cert dir IF it is the dummy cert
+    if [ "$(readlink "$certs_path/$service_name/fullchain.pem")" = "$dummy_cert_path/fullchain.pem" ] ; then
+        rm -r "$certs_path/$service_name"
+    fi
+else
+	die "$0: Unknown action '$action'"
+fi

provisioning/roles/deploy_all/files/bin/gen_env.sh

@@ -14,6 +14,7 @@ nginx_conf_path='$proxy_dir/sites-enabled'
 new_nginx_conf_path='$proxy_dir/new-sites-enabled'
 certs_path='$certs_path'
 dummy_cert_path='$certs_path/dummy'
+servicefile=/docker/services.txt
 EOF
 	
 for dir in /docker/* ; do

provisioning/roles/deploy_all/files/bin/git_update.sh

@@ -1,5 +1,6 @@
 #!/bin/bash
 
+
 declare -A usage
 declare -A varia
 
@@ -17,6 +18,10 @@ usage[i]="privkey used to ssh pull"
 varia[i]=privkey
 privkey=''
 
+usage[N]="Clone to a Non-empty target. Existing files will be overwriten"
+varia[N]=nonempty_target
+nonempty_target=false
+
 
 . driglibash-args
 
@@ -35,16 +40,32 @@ fi
 cd "$dst"
 
 if [ -d .git ] ; then
-	git fetch origin "$branch"
+	run git fetch origin "$branch"
-	git checkout --force -B "$branch" "origin/$branch"
+	run git checkout --force -B "$branch" "origin/$branch"
-    git reset --hard
+    run git reset --hard
-	git clean -qffdx
+	# Preserve existing files in some cases
-	git submodule update --init --recursive --force --recommend-shallow
+	if ! "$nonempty_target" ; then
-	git submodule foreach git fetch
+		git clean -qffdx
-	git submodule foreach git checkout --force -B "$branch" "origin/$branch"
+	fi
-	git submodule foreach git reset --hard
+	run git submodule update --init --recursive --force --recommend-shallow
-	git submodule foreach git clean -fdx
+	run git submodule foreach git fetch
+	run git submodule foreach git checkout --force HEAD
+	run git submodule foreach git reset --hard
+	run git submodule foreach git clean -fdx
 else
-    git clone -b "$branch" --single-branch --recurse-submodules --shallow-submodules --depth 1 --config core.sshCommand="$ssh_opt" "$repo" .
+	clone_dst='.'
+
+	# To override an existing dir, we need to clone elsewhere first
+	if "$nonempty_target" ; then
+		clone_dst="$(mktemp -d)"
+	fi
+
+    run git clone -b "$branch" --single-branch --recurse-submodules --shallow-submodules --depth 1 --config core.sshCommand="$ssh_opt" "$repo" "$clone_dst"
+
+	# To override an existing dir, we then move everything to that dir
+	if "$nonempty_target" ; then
+		run mv "$clone_dst/"{*,.*} .
+		run rmdir "$clone_dst"
+	fi
 fi
 

provisioning/roles/deploy_all/files/bin/letsencrypt.sh

@@ -34,9 +34,7 @@ for file in "$nginx_sites_dir"* ; do
   domains="$(extract_domain_nginx_conf.sh "$file")"
   if [ -n "$domains" ] ; then
     # If using dummy cert, disabling it
-    if [ "$(readlink "/etc/letsencrypt/live/$service_name/fullchain.pem")" = "/etc/letsencrypt/live/dummy/fullchain.pem" ] ; then
+	dummy_cert.sh "$service_name" remove
-        rm -r "/etc/letsencrypt/live/$service_name"
-    fi
 
     echo "$domains"
     # adding -d before every domain
@@ -71,8 +69,10 @@ for file in "$nginx_sites_dir"* ; do
       echo "     ------------------------------------------"
       echo "$out"
       echo "     ------------------------------------------"
+	  dummy_cert.sh "$service_name" add
     else
         echo "Unknown error : $result.\n$out"
+	    dummy_cert.sh "$service_name" add
     fi
   fi
 done

provisioning/roles/deploy_all/files/bin/resolvable.sh

@@ -0,0 +1,14 @@
+#/bin/bash
+
+# Read domains form stdin and echo the ones resolved successfully
+
+server=""
+if [ "$#" -ge 1 ] && [ -n "$1" ] ; then
+	server="$1"
+fi	
+
+while read domain; do
+	host "$domain" $server &>/dev/null
+	[ "$?" -eq 0 ] && echo "$domain"
+done
+exit 0

provisioning/roles/deploy_all/files/bin/template.sh

@@ -7,5 +7,6 @@ fi
 if [ -f "$1" ] ; then
 	bash -c 'set -a && . '"$1"' &&  envsubst "$(cat '"$1"' | grep -o ^.*= | sed "s/=//" | sed "s/^/$/")"'
 else
+	echo "No env file found, no modifications made." >&2
 	cat /dev/stdin
 fi

provisioning/roles/jean-cloud-common/files/certs.priv.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDYnqsFJpr2wF3WD9QO81SIZJ1Ah7qRM+F3mOgGItYD1qjO4/0Hx8HCzebZkega3wP6Pn5ML/CANXzGnniib5khzjuecF2RU1yNqO40BmuuJ1T0AtdHLuLc6RXmpBmE2NFmSxTEAMN1/kWXoo2gwiBTFOqSnIElfRoHCxwAZFZN/wuEnZKuMV4xw8NWkkrmruSBdkOMHvZshtdzxkvi61FI/7MOWFdmiFy2YypmPUEx3h3ujykQcgVpZ7RYz8seh5v7j5P2N/xYJYEatMN7che31d6u1Nazd0kfV/9jAQNXxsKgSZdnxJpoKDjXe6DLLwQ3gybOT70ehzdG77SK/bi6KnVYrH5E/2lehHOGgKpdskt0pEJ8d0rM5hIgnyCX+S6S7H8c8Uca+UVc+/g59qW1XRyYmr/o4zljmkZA4Zx0IEk3MQYCFkT9JZQTjrgSCI01ggHxwOoQhpiJVnoUZNa3j3DMTi86A3H4XD5ByIK8k7t5MFzk6sDWYDi25CVa/HM= root@raku.jean-cloud.org

provisioning/roles/jean-cloud-common/tasks/main.yml

@@ -24,6 +24,21 @@
   when: inventory_hostname in groups["shlago"]
 
 
+# Account for deploying SSL certs
+- name: Add certs user
+  ansible.builtin.user:
+    name: certs
+    shell: /bin/bash
+    home: /data/letsencrypt.jean-cloud.org
+
+- name: Set authorized key, removing all the authorized keys already set
+  ansible.posix.authorized_key:
+    user: certs
+    key: "{{ lookup('file', 'certs.pub') }}"
+    state: present
+    exclusive: true
+
+#
 - name: Show last changed password for security
   copy:
       dest: /etc/profile.d/user_last_passwd.sh
@@ -77,6 +92,7 @@
              "max-file": "3"    
              }
          }
+
 #TODO add this to /etc/docker/daemon.json
 #{
 #        "iptables": false

provisioning/services_nougaro.yml

@@ -1,64 +0,0 @@
-# TODO ansible secrets
-# Oma-Radio host
-
-- name: Deploy specific services
-  hosts: nougaro.jean-cloud.net
-  become: no
-  roles:
-    #- role: docker-network-setup
-
-    # The proxy docker stack must be the first to be deployed
-    - role: prepare-nginx
-
-    - role: deploy
-      service_name: proxy
-      state: started
-      monitored: false
-
-    - role: deploy
-      service_name: nsslave.jean-cloud.net
-      state: started
-      monitored: false
-      
-    - role: deploy
-      service_name: registry.oma-radio.fr
-      state: started
-
-    - role: deploy
-      service_name: wordpress.inurbe.fr
-      state: started
-
-    - role: deploy
-      service_name: compagnienouvelle.fr
-      state: started
-
-    - role: deploy
-      service_name: icecast.oma-radio.fr
-      state: started
-      monitored: false
-      remote_docker_login_user: oma
-      remote_docker_login_pass: KkK8Aavmm4cN6nBM
-      remote_docker_login_registry: http://registry.oma-radio.fr
-
-    - role: deploy
-      service_name: soundbase.oma-radio.fr
-      state: started
-      monitored: false
-
-    - role: deploy
-      service_name: paj.oma-radio.fr
-      state: started
-      monitored: false
-      remote_docker_login_user: oma
-      remote_docker_login_pass: KkK8Aavmm4cN6nBM
-      remote_docker_login_registry: http://registry.oma-radio.fr
-
-        #- role: deploy
-        #  service_name: radionimaitre.oma-radio.fr
-        #  state: started
-        #  monitored: false
-        #  remote_docker_login_user: oma
-        #  remote_docker_login_pass: KkK8Aavmm4cN6nBM
-        #  remote_docker_login_registry: http://registry.oma-radio.fr
-
-    - role: restart-nginx

provisioning/services_vandamme.yml

@@ -1,132 +0,0 @@
-# The host have:
-# - /data -> every data
-# - /docker -> deployed docker-compose files
-
-- name: Deploy specific services
-  hosts: vandamme.jean-cloud.net
-  become: yes
-  roles:
-    #- role: docker-network-setup
-
-    # The proxy docker stack must be the first to be deployed
-    - role: prepare-nginx
-
-    - role: deploy
-      service_name: proxy
-      state: started
-      monitored: false
-
-    - role: deploy
-      service_name: meta-morpho.se
-      state: started
-
-    - role: deploy
-      service_name: mailer.jean-cloud.net
-      state: started
-      remote_docker_login_user: jean-cloud
-      remote_docker_login_pass: KaJefxXiNr327EfG4suYD2PM4tYF5Jy8AhMYntfdjVhX
-      monitored: false
-
-    - role: deploy
-      service_name: static.jean-cloud.net
-      state: started
-
-
-    - role: deploy
-      service_name: ssh
-      state: started
-      monitored: false
-
-      #- role: deploy
-      #  service_name: myrrdel.jean-cloud.net
-      #  state: started
-
-    - role: deploy
-      service_name: collectif-arthadie.fr
-      state: started
-
-      #- role: deploy
-      #  service_name: karna.jean-cloud.net
-      #  state: started
-
-    - role: deploy
-      service_name: oma-radio.fr
-      state: started
-
-    - role: deploy
-      service_name: rpnow.jean-cloud.net
-      state: started
-
-    - role: deploy
-      service_name: ns.jean-cloud.org
-      state: started
-      monitored: false
-
-    - role: deploy
-      service_name: gmx-webmail.jean-cloud.net
-      state: started
-
-    - role: deploy
-      service_name: registry.jean-cloud.net
-      state: started
-
-    - role: deploy
-      service_name: inurbe.fr
-      state: started
-
-    - role: deploy
-      service_name: feteducourt.jean-cloud.net
-      state: started
-      remote_docker_login_user: jean-cloud
-      remote_docker_login_pass: KaJefxXiNr327EfG4suYD2PM4tYF5Jy8AhMYntfdjVhX
-
-    - role: deploy
-      service_name: feteducourt2020.jean-cloud.net
-      state: started
-      remote_docker_login_user: jean-cloud
-      remote_docker_login_pass: KaJefxXiNr327EfG4suYD2PM4tYF5Jy8AhMYntfdjVhX
-
-    - role: deploy
-      service_name: leida.fr
-      state: started
-
-    - role: deploy
-      service_name: lalis.fr
-      state: started
-
-    - role: deploy
-      service_name: amaglio.fr
-      state: started
-
-    - role: deploy
-      service_name: velov.jean-cloud.net
-      state: started
-
-    - role: deploy
-      service_name: cousinades.jean-cloud.net
-      state: started
-      monitored: false # web cant pass basic auth yet
-
-    - role: deploy
-      service_name: cousinades2.jean-cloud.net
-      state: started
-      monitored: false # web cant pass basic auth yet
-
-
-    - role: deploy
-      service_name: nuage.jean-cloud.net
-      state: started
-
-    - role: deploy
-      service_name: git.jean-cloud.net
-      state: started
-
-    - role: deploy
-      service_name: wiki-cgr.jean-cloud.net
-      state: started
-    
-    - role: deploy
-      service_name: jean-cloud.net
-      state: started
-
-    - role: restart-nginx

services/_ssh/docker-compose.yml

@@ -1,15 +0,0 @@
-version: '3'
-services:
-    sshd:
-        image: atmoz/sftp
-        volumes:
-            - /data/ssh/ssh_host_ed25519_key:/etc/ssh/ssh_host_ed25519_key
-            - /data/ssh/ssh_host_rsa_key:/etc/ssh/ssh_host_rsa_key
-            - /data/leida.fr:/home/leida/sftp
-            - /data/lalis.fr:/home/lalis/sftp
-            - /data/oma-radio.fr:/home/oma/sftp
-            - /data/collectif-arthadie.fr/wordpress:/home/collectifarthadie/sftp
-            - /data/ssh/users.conf:/etc/sftp/users.conf:ro
-        ports:
-            - '2222:22'
-

services/cousinades2.jean-cloud.net/Dockerfile

@@ -1,6 +0,0 @@
-FROM php:7.2-fpm-alpine
-#RUN apt-get update && apt-get install -y libpq-dev && docker-php-ext-install pdo pdo_pgsql
-RUN set -ex \
-  && apk --no-cache add \
-  postgresql-dev
-RUN docker-php-ext-install pdo_pgsql

services/cousinades2.jean-cloud.net/docker-compose.yml

@@ -1,35 +0,0 @@
-version: '3'
-services:
-  app:
-    build: .
-    volumes:
-      - /data/cousinades2.jean-cloud.net/public:/usr/src/app
-    restart: unless-stopped
-    networks:
-      default:
-        ipv4_address: 172.29.8.101
-    deploy:
-      resources:
-        limits:
-          cpus: '0.50'
-          memory: 100M
-
-  db:
-    image: postgres:9.6-alpine
-    volumes:
-      - /data/cousinades2.jean-cloud.net/db:/var/lib/postgresql/data
-    networks:
-      default:
-        ipv4_address: 172.29.8.101
-    deploy:
-      resources:
-        limits:
-          cpus: '0.50'
-          memory: 100M
-
-networks:
-  default:
-    ipam:
-      config:
-        - subnet: 172.29.8.0/24
-

services/cousinades2.jean-cloud.net/nginx_server.conf

@@ -1,25 +0,0 @@
-server {
-  listen 443 ssl http2;
-  listen [::]:443 ssl http2;
-  ssl_certificate /etc/letsencrypt/live/cousinades2.jean-cloud.net/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/cousinades2.jean-cloud.net/privkey.pem;
-  server_name cousinades2.jean-cloud.net www.cousinades2.jean-cloud.net;
-
-  index index.php;
-  root /data/cousinades2.jean-cloud.net/public;
-
-  location / {
-    #auth_basic "Restricted";
-    #auth_basic_user_file /data/cousinades2.jean-cloud.net/private/passwords.txt;
-    try_files $uri $uri/ =404;
-  }
-
-  location ~ \.php$ {
-    fastcgi_split_path_info ^(.+\.php)(/.+)$;
-    fastcgi_pass 172.29.8.100:9000;
-    fastcgi_index index.php;
-    include fastcgi_params;
-    fastcgi_param SCRIPT_FILENAME /usr/src/app/$fastcgi_script_name;
-    fastcgi_param PATH_INFO $fastcgi_path_info;
-  }
-}

services/feteducourt.jean-cloud.net/deploy_http.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+set -euo pipefail
+
+git_update.sh -d "$HTTP_DIR" -b 2021 "https://git.jean-cloud.net/adrian/feteducourt-static.git"

services/feteducourt.jean-cloud.net/nginx_server.conf

@@ -1,20 +1,11 @@
 server {
   listen 443 ssl http2;
   listen [::]:443 ssl http2;
-  ssl_certificate /etc/letsencrypt/live/feteducourt.jean-cloud.net/fullchain.pem;
+  ssl_certificate /etc/letsencrypt/live/$JC_SERVICE/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/feteducourt.jean-cloud.net/privkey.pem;
+  ssl_certificate_key /etc/letsencrypt/live/$JC_SERVICE/privkey.pem;
-  server_name feteducourt.jean-cloud.net www.feteducourt.jean-cloud.net;
+  server_name $JC_SERVICE www.$JC_SERVICE;
-  #location /static {
-  #  alias /data/feteducourt.jean-cloud.net/app/static;
-  #  try_files $uri $uri/ =404;
-  #}
-  #location / {
-  #  proxy_pass http://app.feteducourtjean-cloudnet.docker;
-  #  proxy_set_header Host $host;
-  #}
   location / {
-    root /data/feteducourt.jean-cloud.net/static;
+    root $HTTP_DIR;
     try_files $uri $uri/ =404;
   }
 }
-

services/feteducourt2020.jean-cloud.net/deploy_http.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+set -euo pipefail
+
+git_update.sh -d "$HTTP_DIR" -b 2020 "https://git.jean-cloud.net/adrian/feteducourt-static.git"

services/feteducourt2020.jean-cloud.net/nginx_server.conf

@@ -1,22 +1,11 @@
 server {
   listen 443 ssl http2;
   listen [::]:443 ssl http2;
-  ssl_certificate /etc/letsencrypt/live/feteducourt2020.jean-cloud.net/fullchain.pem;
+  ssl_certificate /etc/letsencrypt/live/$JC_SERVICE/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/feteducourt2020.jean-cloud.net/privkey.pem;
+  ssl_certificate_key /etc/letsencrypt/live/$JC_SERVICE/privkey.pem;
-  server_name feteducourt2020.jean-cloud.net www.feteducourt2020.jean-cloud.net;
+  server_name $JC_SERVICE www.$JC_SERVICE;
-
-  #location /static {
-  #  alias /data/feteducourt2020.jean-cloud.net/app/static;
-  #  try_files $uri $uri/ =404;
-  #}
-  #location / {
-  #  proxy_pass http://app.feteducourt2020jean-cloudnet.docker;
-  #  proxy_set_header Host $host;
-  #}
-
   location / {
-    root /data/feteducourt2020.jean-cloud.net/static;
+    root $HTTP_DIR;
     try_files $uri $uri/ =404;
   }
 }
-

services/letsencrypt.jean-cloud.org/acme-dns.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+if [ "$#" -ne 1 ] ; then
+	echo "Usage: $0 <service_name>" >&2
+	exit 1
+fi
+
+service="$1"
+
+nginxfile="/docker/$service/nginx_server.conf"
+if [ -f "$nginxfile" ] ; then    
+	nginxdomains="$(extract_domain_nginx_conf.sh "$nginxfile" | template.sh "/docker/$service/.env")"
+	domains="$(echo "$service $nginxdomains" | tr ' ' '\n' | sort -u | resolvable.sh ns.jean-cloud.org | sed -z -e 's/\n$//' -e 's/\n/ -d /g' )"
+	[ -z "$domains" ] && exit 0
+	echo "--------------- -d $domains"
+	certbot certonly --config-dir "$DATA_DIR/certs" --work-dir "$tmp/work" --logs-dir "$tmp/logs" --agree-tos -m contact@jean-cloud.org -n --cert-name "$service" --dns-rfc2136 --dns-rfc2136-credentials "$DATA_DIR/rfc2136.ini" -d $domains
+fi

services/letsencrypt.jean-cloud.org/deploy.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# For some variables
+. /etc/jeancloud.env
+
+apt install -y python3-certbot-dns-rfc2136

services/letsencrypt.jean-cloud.org/deploy_bind.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -euo pipefail
+
+. /etc/jeancloud.env
+
+[ ! -f "$DATA_DIR/rfc2136.ini" ] && echo "$0 Missing files" && exit 1
+
+while read line ; do
+	read -r service target < <(echo "$line")
+	echo "---- $service $target ----"
+	nginxfile="/docker/$service/nginx_server.conf"
+	if [ -f "$nginxfile" ] ; then    
+		nginxdomains="$(extract_domain_nginx_conf.sh "$nginxfile" | template.sh "/docker/$service/.env")"
+		domains="$(echo "$service $nginxdomains" | tr ' ' '\n' | sort -u | sed -z 's/\n/ -d /')"
+		echo "$domains"
+		certbot certonly -m contact@jean-cloud.org -n --cert-name "$service" --dns-rfc2136 --dns-rfc2136-credentials "$DATA_DIR/rfc2136.ini" -d $domains
+    fi
+
+done < "$servicefile"

services/letsencrypt.jean-cloud.org/run.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+set -euo pipefail
+
+. driglibash-base
+here="$(where)"
+
+sudo -u bind bash -c "$here/run_bind.sh $@"

services/letsencrypt.jean-cloud.org/run_bind.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+
+set -euo pipefail
+
+. driglibash-base
+here="$(where)"
+
+# For some variables
+. /etc/jeancloud.env
+. "$here/.env"
+
+# Test secret presence
+[ ! -f "$DATA_DIR/rfc2136.ini" ] && echo "$0 Missing file '$DATA_DIR/rfc2136.ini'" && exit 1
+
+export tmp="$(mktemp -d)"
+mkdir -p "$tmp/{work,logs}"
+
+# If there is some args, populate a fake service file
+if [ "$#" -ge 1 ] && [ -n "$1" ] ; then
+	servicefile="$(mktemp)"
+	for service in "$@" ; do
+		echo "$service _" >> "$servicefile"
+	done
+fi
+
+# For each service, read all possible domains
+while read line ; do
+	read -r service target < <(echo "$line")
+
+	# removo dummy cert
+	dummy_cert.sh "$service" remove
+
+	[ -d "$DATA_DIR/certs/live/$service" ] && echo "Already exists, thats a job for renew : $service" && continue
+
+	# acme
+	"$here/acme-dns.sh" "$service"
+
+	# Replace dummy cert if letsencrypt failed
+	[ "$?" -ne 0 ] && dummy_cert.sh "$servic" remove
+done < "$servicefile"

services/metamorphosemagazine.fr/nginx_server.conf

@@ -3,7 +3,7 @@ server {
   listen [::]:443 ssl http2;
   ssl_certificate /etc/letsencrypt/live/metamorphosemagazine.fr/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/metamorphosemagazine.fr/privkey.pem;
-  server_name metamorphosemagazine.fr;
+  server_name $JC_SERVICE www.$JC_SERVICE;
   location / {
           add_header Content-language fr;
           root $HTTP_DIR/src;

services/ns.jean-cloud.org/deploy.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -euo pipefail
+
+cd ../ns1.jean-cloud.org
+. deploy.sh
+. .env
+
+# Do not run if primary exists
+[ -d "$DATA_DIR/keys" ] && echo 'ns1 found on this host. Aborting.' && exit 0
+
+export keydir=""
+run secondary

services/ns1.jean-cloud.org/deploy.sh

@@ -1,125 +1,60 @@
 #!/bin/bash
 
 . driglibash-base
+. "$(where)/helper_functions.sh"
 
 set -euo pipefail
 
 # Working variables
-debian_bind_workdir="/var/cache/bind"
 debian_bind_confdir="/etc/bind"
-keydir="$DATA_DIR/keys"
-
-# Install dependencies
-apt install -y bind9 &>/dev/null
-
-# Create Directories
-mkdir -p "$keydir"
-chown bind:bind "$keydir" -R
-chown bind:bind "$debian_bind_confdir" -R
-
-# Empty bind dir if it is not our git repo
-if [ ! -d "$debian_bind_confdir/.git" ] ; then
-	echo "lets delete $debian_bind_confdir"
-	rm -rf "$debian_bind_confdir/"{*,.*}
-fi
-
-# Sync the git repo
-sudo -u bind git_update.sh -b main -i "$DATA_DIR/gitkey" -d "$debian_bind_confdir" 'ssh://git@git.jean-cloud.net:22529/adrian/dnszones.git'
-cd /etc/bind
-sudo -u bind git status
-
-### Generate zones from service directory ###
-
-servicefile="/docker/services.txt"
-
-# Function that simulate a DNS resolve by reading bind zone file
-# Returns all the record line:
-# @ IN A X.X.X.X
-fakeresolve () {
-	if [ "$#" -ne 1 ] ; then
-		die "Usage: fakeresolve <name>"
-	fi
-	name="$1"
-	
-	zonefile="$debian_bind_confdir/db.jean-cloud.org"
-	shortname="$(echo "$name" | grep -Po '^.*(?=\.[^\.]+\.[^\.]+$)' || true)"
-
-	grep -v -e  '^[[:space:]]*;' "$zonefile"  |grep -oP "^[[:space:]]*$shortname\K[[:space:]]*IN[[:space:]]*A{1,4}[[:space:]]*[\S;]+" | sed 's/^/@/'
-
-}
-
-# Function that add DNS record in the right file
-addbindline () {
-	if [ "$#" -ne 2 ] ; then
-		die "Usage: addbindline <name> <target_cname>"
-	fi
-
-	name="$1"
-	target="$2"
-
-	# extract the truc.com part
-	domain="$(echo "$name" | grep -o '[^\.]\+\.[^\.]\+$' || true)"	
-	[ -z "$domain" ] && return 0
-
-	# extract the subdomain part (www)
-	shortname="$(echo "$name" | grep -Po '^.*(?=\.[^\.]+\.[^\.]+$)' || true)"
-
-	# bind DB file
-	bindfile="$debian_bind_confdir/db.$domain"
-
-	if [ -z "$shortname" ] ; then
-		# CNAME are forbiden for empty shortnames, so we must resolve the target IPs
-		while read line ; do
-			line_in_file "$line" "$bindfile"
-		done < <(fakeresolve "$target")
-	else
-		line_in_file "$shortname IN CNAME $target." "$bindfile"
-	fi
-
-	#XXX Add CAA records
-}
-
-
 autoconf_separator=";;; Autogeneration. Do not write under this line! ;;;"
 
-echo 'Prepare bind: Remove autogenerated part from bind conf files'
-sed -i -n "/$autoconf_separator/q;p" "$debian_bind_confdir"/*
 
-echo 'Put the separator back'
+# File that contain "service target" lines
-for file in $( ls "$debian_bind_confdir"/db.* | grep -v '.signed$\|.jbk$\|.jnl$') ; do
+# With service a symbolic dns name and target an existing server hostname
-	echo "$autoconf_separator" >> "$file"
+servicefile="/docker/services.txt"
-done
 
-for file in "$debian_bind_confdir"/db.* ; do
+# The bind file containing server declarations
-	domain="$(basename "$file" | sed 's/db.//')"
+server_zone_file="template.db.jean-cloud.org"
 
-	# TODO fill header too?
+# Where you want your DNS keys stored
+keydir="$DATA_DIR/keys"
 
-	# If no NS record in the db file
+# IP of primary servers
-	if [ -z "$(grep '[^;].*IN.*NS' "$file")" ] ; then
+primary_ips=""
-		echo -e "@ IN NS ns.jean-cloud.org\n" >> "$file"
+
+# IP of secondary servers (for zone transfer)
+secondary_ips="37.65.119.74"
+
+# NS name
+default_dns_name="shlago.jean-cloud.org."
+
+CAA_RR='CAA 0 issue "letsencrypt.org;validationmethods=dns-01"'
+
+run () {
+	if [ "$#" -ne 1 ] ; then
+		die "Usage: run <primary|secondary>"
 	fi
 
-	echo -n "
+	prepare
-zone '$domain' {
+	primary_ips="$primary_ips;$(fakeresolve_ip_list raku)"
-    allow-update { none; };
+	secondary_ips="$secondary_ips;$(fakeresolve_ip_list shlago)"
-    type master;
-    file \"$file\";
-};" >> "$debian_bind_confdir/named.conf.local"
-done
 
-echo 'Find every used domain and add them to bind db'
+	line_in_file "primary_ips=\"$primary_ips\"" "$DOCKER_DIR/.env"
-while read line ; do
+	line_in_file "secondary_ips=\"$secondary_ips\"" "$DOCKER_DIR/.env"
-	read -r service target <<<$(echo "$line")
+
-	addbindline "$service" "$target"
+	if [ "$1" = "primary" ] ; then
-	nginxfile="/docker/$service/nginx_server.conf"
+		create_primary_files
-	if [ -f "$nginxfile" ] ; then
+	else
-		for name in $(extract_domain_nginx_conf.sh "$nginxfile" | template.sh "/docker/$service/.env") ; do
+		create_secondary_files
-			addbindline "$name" "$target"
-		done
 	fi
-done <"$servicefile"
 
+	restart
+}
 
-echo 'Restart bind9'
+main () {
-systemctl restart bind9
+	run primary
+}
+
+# Do not execute main if script is sourced
+! (return 0 2>/dev/null) && main "$@" || true # return 0 whatever happends

services/ns1.jean-cloud.org/helper_functions.sh

@@ -0,0 +1,184 @@
+set -euo pipefail
+
+fakeresolve_ip_list () {
+	if [ "$#" -ne 1 ] ; then
+		die "Usage: fakeresolve_ip_list <name>"
+	fi
+	grep -oP "^$1[[:space:]]+IN[[:space:]]+A{1,4}[[:space:]]+\K[^;\s]+" "$debian_bind_confdir/$server_zone_file" | tr '\n' ';'
+}
+
+prepare () {
+	# Install dependencies
+	apt install -y bind9 &>/dev/null
+	
+	# Create Directories
+	if [ -n "$keydir" ] ; then
+		mkdir -p "$keydir"
+		chown bind:bind "$keydir" -R
+		chown bind:bind "$debian_bind_confdir" -R
+	fi
+	
+	# Sync the git repo
+	sudo -u bind git_update.sh -N -b main -i "$DATA_DIR/gitkey" -d "$debian_bind_confdir" 'ssh://git@git.jean-cloud.net:22529/adrian/dnszones.git'
+	cd /etc/bind
+	
+	
+	echo 'Prepare bind: Remove autogenerated part from bind conf files'
+	sed -i -n "/$autoconf_separator/q;p" "$debian_bind_confdir"/*
+	
+	echo 'Put the separator back'
+	for file in $( ls "$debian_bind_confdir"/template.db.* | grep -v '.signed$\|.jbk$\|.jnl$') ; do
+		echo "$autoconf_separator" >> "$file"
+	done
+
+}
+
+restart () {
+	echo 'Restart named'
+	systemctl restart named
+}
+
+# Function that simulate a DNS resolve by reading bind zone file
+# Returns all the record line:
+# @ IN A X.X.X.X
+fakeresolve () {
+	if [ "$#" -ne 1 ] ; then
+		die "Usage: fakeresolve <name>"
+	fi
+	name="$1"
+	
+	zonefile="$debian_bind_confdir/$server_zone_file"
+
+	# Split full name if there are dots
+	shortname="$name"
+	if [ -n "$(echo "$name" | grep -o '\.')" ] ; then
+		shortname="$(echo "$name" | grep -Po '^.*(?=\.[^\.]+\.[^\.]+$)' || true)"
+	fi
+
+	grep -v -e  '^[[:space:]]*;' "$zonefile"  |grep -oP "^[[:space:]]*$shortname\K[[:space:]]*IN[[:space:]]*A{1,4}[[:space:]]*[\S;]+" | sed 's/^/@/'
+
+}
+
+# Function that add DNS record in the right file
+addbindline () {
+	if [ "$#" -ne 2 ] ; then
+		die "Usage: addbindline <name> <target_cname>"
+	fi
+
+	name="$1"
+	target="$2"
+
+	# extract the truc.com part
+	domain="$(echo "$name" | grep -o '[^\.]\+\.[^\.]\+$' || true)"	
+	[ -z "$domain" ] && return 0
+
+	# extract the subdomain part (www)
+	shortname="$(echo "$name" | grep -Po '^.*(?=\.[^\.]+\.[^\.]+$)' || true)"
+
+	# bind DB file
+	bindfile="$debian_bind_confdir/db.$domain"
+
+	# Only append if db file exists
+	[ ! -f "$bindfile" ] && return 0
+
+	# BTW allow ACME DNS update
+	token="#JC-ACME $domain"
+	acme_dns="grant letsencrypt.key. name _acme-challenge.$name. TXT;"
+	sed -i "s/\([[:space:]]*\)$token/\1$acme_dns\n\1$token/" "$debian_bind_confdir/named.conf.local"
+
+
+	if [ -z "$shortname" ] ; then
+		# CNAME are forbiden for empty shortnames, so we must resolve the target IPs
+		while read line ; do
+			line_in_file "$line" "$bindfile"
+		done < <(fakeresolve "$target")
+	else
+		line_in_file "$shortname IN CNAME $target." "$bindfile"
+	fi
+}
+
+list_template_db_files () {
+	ls "$debian_bind_confdir"/template.db.*
+}
+
+
+create_primary_files () {
+	# Compact the default SOA
+	SOA="$(grep -o '^[^;]*' SOA | sed -z -e 's/[[:space:]]\{2,\}/ /g' -e 's/\n/\\n/')"
+	
+	cat "$debian_bind_confdir/template.named.conf" | template.sh "$DOCKER_DIR/.env" > "$debian_bind_confdir/named.conf"
+	
+	for file in $(list_template_db_files) ; do
+		domain="$(basename "$file" | sed 's/template.db.//')"
+		new_db_file="$(echo "$file" | sed 's/template.db./db./')"
+
+		# Set the default SOA if needed
+		sed "s/^;JC_AUTOSOA$/$SOA/" "$file" > "$new_db_file"
+
+		# Set serial
+		serial="$(date '+%s')"
+		sed -i "s/\(@ IN SOA [^(]*( \)[0-9]\+/\1$serial/"  "$new_db_file"
+
+		# If no NS record in the db file
+		if [ -z "$(grep '[^;].*IN.*NS' "$new_db_file")" ] ; then
+			echo "@ IN NS $default_dns_name" >> "$new_db_file"
+		fi
+
+		# Populate named.conf.local
+		cat  >> "$debian_bind_confdir/named.conf.local" <<-EOF
+			zone "$domain" {
+				# Zone file
+			    type master;
+			    file "$new_db_file";
+
+				# Secondary conf
+			    # https://kb.isc.org/docs/aa-00723
+			    #allow-update { !{!{$secondary_ips};any;}; key update-key; };
+			    allow-transfer { $secondary_ips };
+			    also-notify { $secondary_ips };
+			    notify yes;
+
+				# DNSSEC
+			    dnssec-policy default;
+			    inline-signing yes;
+			    key-directory "$DATA_DIR/keys";
+
+				# ACME autorizations
+		        update-policy {    
+		    	    #JC-ACME $domain  
+		    	};    
+
+			};
+		EOF
+
+	
+	done
+	
+	echo 'Find every used domain and add them to bind db'
+	while read line ; do
+		read -r service target < <(echo "$line")
+		addbindline "$service" "$target"
+		nginxfile="/docker/$service/nginx_server.conf"
+		if [ -f "$nginxfile" ] ; then
+			for name in $(extract_domain_nginx_conf.sh "$nginxfile" | template.sh "/docker/$service/.env") ; do
+				addbindline "$name" "$target"
+			done
+		fi
+	done <"$servicefile"
+}
+
+create_secondary_files () {
+	primary_ips="$(echo "$primary_ips" | sed 's/^;//')"
+	for file in "$debian_bind_confdir"/template.db.* ; do
+		file="$(echo "$file" | sed 's/template.db.//')"
+		domain="$(basename "$file")"
+	
+		echo -n "
+zone \"$domain\" {
+	masters { $primary_ips };
+    type slave;
+    file \"$file\";
+};" >> "$debian_bind_confdir/named.conf.local"
+	done
+
+}

services/radiodemo-back.oma-radio.fr/.env

@@ -13,7 +13,6 @@ RADIO_NAME_SIMPLE=radiodemo
 OMA_CONFIG_NomRadio=radiodemo
 OMA_CONFIG_LogLevel=8
 RADIO_NAME_PRETTY="Radio Démo"
-RADIO_HOST=radiodemo.oma-radio.fr
 COMPOSE_NAME=radiodemo-backoma-radiofr
 DOCKER_INSTANCES_PREFIX=radiodemo-backoma-radiofr-
 DOCKER_INSTANCES_SUFIX=-1

services/radiodemo-back.oma-radio.fr/docker-compose.yml

@@ -142,7 +142,7 @@ services:
       CONFIG_PATH: /config
     restart: unless-stopped
     volumes:
-      - /tmp/uwsgi/$RADIO_HOST:/tmp/uwsgi
+      - /tmp/uwsgi/$JC_SERVICE:/tmp/uwsgi
       - /var/run/docker.sock:/var/run/docker.sock
       - $SOUNDBASE_DIR:/soundbase
     networks:

services/radiodemo-back.oma-radio.fr/nginx_server.conf

@@ -18,7 +18,7 @@
 server {
 	listen 80;
 	listen [::]:80;
-	server_name $RADIO_HOST;
+	server_name $JC_SERVICE;
 
 	root $SOUNDBASE_DIR/website;
 	index index.html;
@@ -49,7 +49,7 @@ server {
         include uwsgi_params;
         uwsgi_param PATH_INFO "/pigeindex$1";
         uwsgi_param SCRIPT_NAME /api;
-        uwsgi_pass unix:/tmp/uwsgi/$RADIO_HOST/uwsgi-api.sock;
+        uwsgi_pass unix:/tmp/uwsgi/$JC_SERVICE/uwsgi-api.sock;
         client_max_body_size 0;
         uwsgi_connect_timeout       6000;
         uwsgi_send_timeout          6000;
@@ -70,7 +70,7 @@ server {
             include uwsgi_params;
             uwsgi_param PATH_INFO "$1";
             uwsgi_param SCRIPT_NAME /api;
-            uwsgi_pass unix:/tmp/uwsgi/$RADIO_HOST/uwsgi-api.sock;
+            uwsgi_pass unix:/tmp/uwsgi/$JC_SERVICE/uwsgi-api.sock;
             client_max_body_size 0;
             proxy_connect_timeout       6000;
             proxy_send_timeout          60000;

services/radiodemo.oma-radio.fr/wg-radiodemo.sh

@@ -30,9 +30,4 @@ PostDown = iptables -t nat -D POSTROUTING -o $wgif -j MASQUERADE
 [Peer]
 PublicKey = 1YIpMhZGrZRnZPlrTjtCfjvXXGk8j0Ug2AfcHEtN/hE=
 AllowedIPs = 10.29.0.1/32,$NET.0/24
-
-# test separation PA
-[Peer]
-PublicKey = todo
-AllowedlIPs = 10.29.0.2
 "

services/services.txt

@@ -1,34 +1,34 @@
 benevoles31.karnaval.fr max.jean-cloud.org
 chahut.jean-cloud.net max.jean-cloud.org
 collectif-arthadie.fr vandamme.jean-cloud.org
-compagnienouvelle.fr max.jean-cloud.org
+compagnienouvelle.fr nougaro.jean-cloud.org
 copaines.jean-cloud.net max.jean-cloud.org
-cousinades2.jean-cloud.net max.jean-cloud.org
 cousinades.jean-cloud.net max.jean-cloud.org
+deployer.jean-cloud.org shlago.jean-cloud.org
 etrevivant.net shlago.jean-cloud.org
 feministesucl34.jean-cloud.net tetede.jean-cloud.org
-feteducourt2020.jean-cloud.net tetede.jean-cloud.org
+feteducourt2020.jean-cloud.net shlago.jean-cloud.org
-feteducourt.jean-cloud.net tetede.jean-cloud.org
+feteducourt.jean-cloud.net shlago.jean-cloud.org
+git.jean-cloud.net vandamme.jean-cloud.org
 grapes.chahut.jean-cloud.net max.jean-cloud.org
 gypsylyonfestival.com max.jean-cloud.org
-metamorphosemagazine.fr shlago.jean-cloud.org
 inurbe.fr max.jean-cloud.org
 jean-cloud.net shlago.jean-cloud.org
+leida.fr vandamme.jean-cloud.org
+letsencrypt.jean-cloud.org max.jean-cloud.org
 lexicographe.jean-cloud.net shlago.jean-cloud.org
+metamorphosemagazine.fr shlago.jean-cloud.org
 nc-backup.jean-cloud.net raku.jean-cloud.org
-pa1.studios.oma-radio.fr tetede.jean-cloud.org
-raplacgr.jean-cloud.net tetede.jean-cloud.org
-velov.jean-cloud.net shlago.jean-cloud.org
-radionimaitre.oma-radio.fr tetede.jean-cloud.org
-paj.oma-radio.fr nougaro.jean-cloud.org
-radiodemo.oma-radio.fr tetede.jean-cloud.org
-radiodemo-back.oma-radio.fr montbonnot.jean-cloud.org
-pa1.studios.oma-radio.fr tetede.joun-cloud.org
-leida.fr shlago.jean-cloud.org
-deployer.jean-cloud.org shlago.jean-cloud.org
 ns1.jean-cloud.org raku.jean-cloud.org
-git.jean-cloud.net vandamme.jean-cloud.org
+ns.jean-cloud.org shlago.jean-cloud.org
 nuage.jean-cloud.net vandamme.jean-cloud.org
+pa1.studios.oma-radio.fr tetede.jean-cloud.org
+paj.oma-radio.fr nougaro.jean-cloud.org
+radiodemo-back.oma-radio.fr montbonnot.jean-cloud.org
+radiodemo.oma-radio.fr tetede.jean-cloud.org
+radionimaitre.oma-radio.fr tetede.jean-cloud.org
+raplacgr.jean-cloud.net tetede.jean-cloud.org
 rpnow.jean-cloud.net vandamme.jean-cloud.org
+sftp.jean-cloud.net max.jean-cloud.org
+velov.jean-cloud.net shlago.jean-cloud.org
 wiki-cgr.jean-cloud.net vandamme.jean-cloud.org
-_ssh vandamme.jean-cloud.org

services/velov.jean-cloud.net/docker-compose.yml

@@ -3,7 +3,7 @@ services:
   app:
     image: php:7.2-fpm-alpine
     volumes:
-      - /data/velov.jean-cloud.net:/usr/src/app
+      - $HTTP_DIR:/usr/src/app
     restart: unless-stopped
     networks:
       default: