first commit

2024-06-03 18:43:35 +02:00
parent 2da01a3f6e
commit f501d519af
883 changed files with 71550 additions and 2 deletions
--- a/dockers/traefik/.env
+++ b/dockers/traefik/.env
@ -0,0 +1 @@
+../../config/dockers.env
--- a/dockers/traefik/conf/dynamic/certificates.yml.tmpl
+++ b/dockers/traefik/conf/dynamic/certificates.yml.tmpl
@ -0,0 +1,20 @@
+#tls:
+#  certificates:
+#    - certFile: __SSL_CERT__
+#      keyFile: __SSL_KEY__
+#
+#  stores:
+#    default:
+#      defaultCertificate:
+#        certFile: __SSL_CERT__
+#        keyFile: __SSL_KEY__
+#  options:
+#    default:
+#      minVersion: VersionTLS12
+#      cipherSuites:
+#        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+#        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+#        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+#        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+#        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+#        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
--- a/dockers/traefik/conf/dynamic/conf.yml
+++ b/dockers/traefik/conf/dynamic/conf.yml
@ -0,0 +1,17 @@
+http:
+  middlewares:
+    hsts:
+      headers:
+        stsincludesubdomains: true
+        stspreload: true
+        stsseconds: 31536000 # 1 an
+    nextcloud-redirectregex1:
+      redirectregex:
+        permanent: true
+        regex: https?://([^/]*)/.well-known/(card|cal)dav
+        replacement: https://${1}/remote.php/dav/
+    nextcloud-redirectregex2:
+      redirectregex:
+        permanent: true
+        regex: https?://([^/]*)(/.well-known[^#]*)
+        replacement: https://${1}/index.php${2}
--- a/dockers/traefik/conf/traefik.yml.old
+++ b/dockers/traefik/conf/traefik.yml.old
@ -0,0 +1,54 @@
+providers:
+  file:
+     directory: "/etc/traefik/dynamic"
+     watch: true
+  docker: {}
+
+entryPoints:
+  web:
+    address: ":80"
+  websecure:
+    address: ":443"
+    http:
+      tls:
+        certResolver: letsencrypt
+  # Ajout d'un point d'entrée sur le port 8289
+  metrics:
+    address: ":8289"
+
+#serversTransport:
+#  rootCAs:
+#    - /etc/letsencrypt/local/rootCA.pem
+
+
+api:
+  dashboard: true
+
+accessLog:
+  filePath: "/var/log/traefik/access.log"
+  format: json
+
+certificatesresolvers:
+  letsencrypt:
+    acme:
+    #  email: sysadmins@kaz.bzh
+      storage: /letsencrypt/acme.json
+    #  caServer: "https://acme-staging.api.letsencrypt.org/directory"
+      httpChallenge:
+        entryPoint: web
+
+# Ajout de la partie métrique qui concerne Prometheus
+metrics:
+  prometheus:
+    # Nom du point d'entrée défini au dessus
+    entryPoint: metrics
+    # On configure la latence des métriques
+    buckets:
+      - 0.1
+      - 0.3
+      - 1.2
+      - 5.0
+    # Ajout des métriques sur les points d'entrée
+    addEntryPointsLabels: true
+    # Ajout des services
+    addServicesLabels: true
--- a/dockers/traefik/docker-compose.tmpl.yml.dist
+++ b/dockers/traefik/docker-compose.tmpl.yml.dist
@ -0,0 +1,219 @@
+version: '3'
+
+services:
+  reverse-proxy:
+    # The official v2 Traefik docker image
+    image: traefik:v2.10.7
+    container_name: ${traefikServName}
+    restart: ${restartPolicy}
+    # Enables the web UI and tells Traefik to listen to docker
+    ports:
+      # The HTTP port
+      - ${MAIN_IP}:80:80
+      - ${MAIN_IP}:443:443
+      # The Web UI (enabled by --api.insecure=true)
+      # - ${MAIN_IP}:8289:8289
+    volumes:
+      # So that Traefik can listen to the Docker events
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./conf:/etc/traefik/
+      - letsencrypt:/letsencrypt
+    environment:
+      - TRAEFIK_PROVIDERS_DOCKER=true
+      - TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT=false
+      - TRAEFIK_API=true
+      - TRAEFIK_PROVIDERS_FILE_DIRECTORY=/etc/traefik/dynamic
+      - TRAEFIK_ENTRYPOINTS_web_ADDRESS=:80
+      - TRAEFIK_ENTRYPOINTS_web_HTTP_REDIRECTIONS_ENTRYPOINT_TO=websecure
+      - TRAEFIK_ENTRYPOINTS_websecure_ADDRESS=:443
+      - TRAEFIK_ENTRYPOINTS_websecure_HTTP_TLS_CERTRESOLVER=letsencrypt
+      #- TRAEFIK_ENTRYPOINTS_metrics_ADDRESS=:8289
+      #- TRAEFIK_METRICS_PROMETHEUS_ENTRYPOINT=metrics
+      - TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_EMAIL=admin@${domain}
+      - TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_CASERVER=${acme_server}
+      - TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_STORAGE=/letsencrypt/acme.json
+      - TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_TLSCHALLENGE=true
+      - TRAEFIK_LOG_LEVEL=DEBUG
+      - TRAEFIK_ENTRYPOINTS_websecure_HTTP_MIDDLEWARES=hsts@file
+      #- LEGO_CA_CERTIFICATES=/etc/traefik/root_ca.crt
+      #- TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_HTTPCHALLENGE=true
+      #- TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_HTTPCHALLENGE_ENTRYPOINT=web
+      - TRAEFIK_API_DASHBOARD=true
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.traefik_https.rule=Host(`${site}.${domain}`) && PathPrefix(`/api`, `/dashboard`)"
+      - "traefik.http.routers.traefik_https.rule=Host(`${site}.${domain}`)"
+      - "traefik.http.routers.traefik_https.entrypoints=websecure"
+      # - "traefik.http.routers.traefik_https.tls=true"
+      - "traefik.http.routers.traefik_https.service=api@internal"
+      - "traefik.http.routers.traefik_https.middlewares=test-adminipwhitelist@file,traefik-auth"
+      # - "traefik.http.routers.traefik_https.tls.certresolver=letsencrypt"
+      - "traefik.http.middlewares.traefik-auth.basicauth.usersfile=/etc/traefik/passfile"
+    networks:
+      - traefikNet
+{{web
+      - webNet
+}}
+{{jirafeau
+      - jirafeauNet
+}}
+{{ethercalc
+      - ethercalcNet
+}}
+{{etherpad
+      - etherpadNet
+}}
+{{framadate
+      - framadateNet
+}}
+{{ldap
+      - ldapNet
+}}
+{{mobilizon
+      - mobilizonNet
+}}
+{{cloud
+      - cloudNet
+}}
+{{collabora
+      - collaboraNet
+}}
+{{paheko
+      - pahekoNet
+}}
+{{mattermost
+      - mattermostNet
+}}
+{{roundcube
+      - roundcubeNet
+}}
+{{gitea
+      - giteaNet
+}}
+{{dokuwiki
+      - dokuwikiNet
+}}
+{{postfix
+      - postfixNet
+}}
+{{vaultwarden
+      - vaultwardenNet
+}}
+{{imapsync
+      - imapsyncNet
+}}
+{{castopod
+      - castopodNet
+}}
+{{apikaz
+      - apikazNet
+}}
+
+#### BEGIN ORGA USE_NET
+#### END ORGA USE_NET
+
+networks:
+  traefikNet:
+    external: true
+    name: traefikNet
+{{web
+  webNet:
+    external: true
+    name: webNet
+}}
+{{jirafeau
+  jirafeauNet:
+    external: true
+    name: jirafeauNet
+}}
+{{ethercalc
+  ethercalcNet:
+    external: true
+    name: ethercalcNet
+}}
+{{etherpad
+  etherpadNet:
+    external: true
+    name: etherpadNet
+}}
+{{framadate
+  framadateNet:
+    external: true
+    name: framadateNet
+}}
+{{ldap
+  ldapNet:
+    external: true
+    name: ldapNet
+}}
+{{mobilizon
+  mobilizonNet:
+    external: true
+    name: mobilizonNet
+}}
+{{cloud
+  cloudNet:
+    external: true
+    name: cloudNet
+}}
+{{collabora
+  collaboraNet:
+    external: true
+    name: collaboraNet
+}}
+{{paheko
+  pahekoNet:
+    external: true
+    name: pahekoNet
+}}
+{{mattermost
+  mattermostNet:
+    external: true
+    name: mattermostNet
+}}
+{{roundcube
+  roundcubeNet:
+    external: true
+    name: roundcubeNet
+}}
+{{gitea
+  giteaNet:
+    external: true
+    name: giteaNet
+}}
+{{dokuwiki
+  dokuwikiNet:
+    external: true
+    name: dokuwikiNet
+}}
+{{postfix
+  postfixNet:
+    external: true
+    name: postfixNet
+}}
+{{vaultwarden
+  vaultwardenNet:
+    external: true
+    name: vaultwardenNet
+}}
+{{imapsync
+  imapsyncNet:
+    external: true
+    name: imapsyncNet
+}}
+{{castopod
+  castopodNet:
+    external: true
+    name: castopodNet
+}}
+{{api
+  apikazNet:
+    external: true
+    name: apikazNet
+}}
+
+#### BEGIN ORGA DEF_NET
+#### END ORGA DEF_NET
+
+volumes:
+  letsencrypt:
--- a/dockers/traefik/proxy-gen.sh
+++ b/dockers/traefik/proxy-gen.sh
@ -0,0 +1,168 @@
+#!/bin/bash
+
+KAZ_ROOT=$(cd "$(dirname $0)/../.."; pwd)
+. "${KAZ_ROOT}/bin/.commonFunctions.sh"
+setKazVars
+. "${DOCKERS_ENV}"
+. "${KAZ_ROOT}/secret/SetAllPass.sh"
+
+printKazMsg "\n  *** Proxy update config"
+
+#NGINX_TMPL=config/nginx.tmpl.conf
+#NGINX_CONF=config/nginx.conf
+DOCKER_DIST=docker-compose.tmpl.yml.dist
+DOCKER_TMPL=docker-compose.tmpl.yml
+DOCKER_CONF=docker-compose.yml
+PASSFILE=conf/passfile
+
+ALLOW_ADMIN_IP_FILE="/kaz/secret/allow_admin_ip"
+ALLOW_IP_FILE="/kaz/config/proxy/allow_ip"
+
+# TODO
+# for service in agora cloud paheko wiki wp; do
+#     touch "${KAZ_CONF_PROXY_DIR}/${service}_kaz_map"
+#     touch "${KAZ_CONF_PROXY_DIR}/${service}_kaz_name"
+# done
+
+cd $(dirname $0)
+# update ip allowed
+TRAEFIK_ALLOW_IP_FILE=conf/dynamic/allow_ip.yml
+if [ ! -f "${TRAEFIK_ALLOW_IP_FILE}" ]; then
+    cat > "${TRAEFIK_ALLOW_IP_FILE}"  <<EOF
+http:
+  middlewares:
+    test-ipwhitelist:
+      ipWhiteList:
+        sourceRange:
+          # Remove ALLOWEDIP / FINALLOWEDIP flags to prevent proxy-gen to modify this
+          #ALLOWEDIP
+          - "0.0.0.0/0"
+          #FINALLOWEDIP
+    test-adminipwhitelist:
+      ipWhiteList:
+        sourceRange:
+          # Remove ADMINIP / FINADMINIP flags to prevent proxy-gen to modify this
+          #ADMINIP
+          - "0.0.0.0/0"
+          #FINADMINIP
+EOF
+fi
+
+# berk berk ... pour éviter d'avoir à maintenir le fichier traefik, on extrait les ip depuis les fichiers allow_admin_ip et allow_ip de nginx
+if [[ -f ${ALLOW_ADMIN_IP_FILE} && -n $(grep -e '^\s*allow' ${ALLOW_ADMIN_IP_FILE}) ]]; then
+    sed -i 's/#ADMINIP/#ADMINIP\n          #FINADMINIP\n#DELETE/' ${TRAEFIK_ALLOW_IP_FILE}
+    sed -i '/#DELETE/,/#FINADMINIP/d' ${TRAEFIK_ALLOW_IP_FILE}
+    grep -e '^\s*allow' ${ALLOW_ADMIN_IP_FILE} | awk '{print $2}' | sed 's/all/0.0.0.0\\\\\/0/;s/\s*;.*//g;s/\//\\\\\//g' | xargs -I '{}' sed -i "s/#ADMINIP/#ADMINIP\n          - \"{}\"/"  ${TRAEFIK_ALLOW_IP_FILE}
+fi
+if [[ -f ${ALLOW_IP_FILE} && -n $(grep -e '^\s*allow' ${ALLOW_IP_FILE}) ]]; then
+    sed -i 's/#ALLOWEDIP/#ALLOWEDIP\n          #FINALLOWEDIP\n#DELETE/' ${TRAEFIK_ALLOW_IP_FILE}
+    sed -i '/#DELETE/,/#FINALLOWEDIP/d' ${TRAEFIK_ALLOW_IP_FILE}
+    grep -e '^\s*allow' ${ALLOW_IP_FILE} | awk '{print $2}' | sed 's/all/0.0.0.0\\\\\/0/;s/\s*;.*//g;s/\//\\\\\//g' | xargs -I '{}' sed -i "s/#ALLOWEDIP/#ALLOWEDIP\n          - \"{}\"/"  ${TRAEFIK_ALLOW_IP_FILE}
+fi
+
+
+CERTFILE_TMPL=conf/dynamic/certificates.yml.tmpl
+CERTFILE=conf/dynamic/certificates.yml
+if [ ! -f "${CERTFILE}" ]; then
+    cp "${CERTFILE_TMPL}" "${CERTFILE}"
+    case "${domain}" in
+     kaz.bzh)
+         SSL_CERT="/etc/ssl/certs/wildcard_${domain//./_}.chain.pem"
+         SSL_KEY="/etc/ssl/private/wildcard_${domain//./_}.key.pem"
+         ;;
+     kaz.local)
+         SSL_CERT="/etc/letsencrypt/local/_wildcard.${domain}.pem"
+         SSL_KEY="/etc/letsencrypt/local/_wildcard.${domain}-key.pem"
+         ;;
+     *)
+         SSL_CERT="/etc/letsencrypt/live/${domain}/fullchain.pem"
+         SSL_KEY="/etc/letsencrypt/live/${domain}/privkey.pem"
+         ;;
+     esac
+
+    sed -i "s|__SSL_CERT__|${SSL_CERT}|g" ${CERTFILE}
+    sed -i "s|__SSL_KEY__|${SSL_KEY}|g" ${CERTFILE}
+fi
+
+#     cat > "${PROXY_PORT_CFG}"  <<EOF
+# listen 443 ssl http2;
+
+# ssl_certificate ${SSL_CERT};
+# ssl_certificate_key ${SSL_KEY};
+
+# ssl_session_timeout 1d;
+# ssl_protocols TLSv1.2 TLSv1.3;
+# ssl_early_data on;
+# ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+# ssl_prefer_server_ciphers on;
+# ssl_session_cache shared:SSL:50m;
+# ssl_stapling on;
+# ssl_stapling_verify on;
+# EOF
+#fi
+
+# update redirect
+# PROXY_REDIRECT="${KAZ_CONF_PROXY_DIR}/redirect"
+# if [ ! -f "${PROXY_REDIRECT}" ]; then
+#     cat > "${PROXY_REDIRECT}"  <<EOF
+# server {
+#   listen 80;
+#   return 301 https://\$host\$request_uri;
+# }
+
+# # file
+# server {
+#   listen 80;
+#   server_name file.${domain};
+#   return 301 https://depot.${domain}\$request_uri;
+# }
+
+# # cacl
+# server {
+#   listen 80;
+#   server_name calc.${domain};
+#   return 301 https://tableur.${domain}\$request_uri;
+# }
+
+# # date
+# server {
+#   listen 80;
+#   server_name date.${domain};
+#   return 301 https://sondage.${domain}\$request_uri;
+# }
+
+# # cloud
+# server {
+#   listen 80;
+#   server_name bureau.${domain};
+#   return 301 https://cloud.${domain}\$request_uri;
+# }
+
+# # mattermost
+# server {
+#   listen 80;
+#   server_name mattermost.${domain};
+#   return 301 https://agora.${domain}\$request_uri;
+# }
+
+# # dokuwiki
+# server {
+#   listen 80;
+#   server_name dokuwiki.${domain};
+#   return 301 https://wiki.${domain}\$request_uri;
+# }
+# EOF
+# fi
+
+cd $(dirname $0)
+
+
+[[ -f "${PASSFILE}" ]] || printf "${traefik_DASHBOARD_USER}:$( echo ${traefik_DASHBOARD_PASSWORD} | openssl passwd -apr1 -stdin)\n" >> ${PASSFILE}
+[[ -f "${DOCKER_TMPL}" ]] || cp "${DOCKER_DIST}" "${DOCKER_TMPL}"
+if [ -f "conf/root_ca.crt" ]; then
+    sed -i "s|#- LEGO|- LEGO|g" ${DOCKER_TMPL}
+fi
+"${APPLY_TMPL}" -time "${DOCKER_TMPL}" "${DOCKER_CONF}"
+# "${APPLY_TMPL}" -time "${NGINX_TMPL}" "${NGINX_CONF}"
+
+#("${KAZ_COMP_DIR}/web/web-gen.sh" ) &
--- a/dockers/traefik/reload.sh
+++ b/dockers/traefik/reload.sh
@ -0,0 +1,4 @@
+#!/bin/bash
+
+# Do nothing 
+# Théoriquement traefik gère tout seul sauf les changements dans le traefik.yml