first commit

dockers/traefik/proxy-gen.sh

@@ -0,0 +1,168 @@
+#!/bin/bash
+
+KAZ_ROOT=$(cd "$(dirname $0)/../.."; pwd)
+. "${KAZ_ROOT}/bin/.commonFunctions.sh"
+setKazVars
+. "${DOCKERS_ENV}"
+. "${KAZ_ROOT}/secret/SetAllPass.sh"
+
+printKazMsg "\n  *** Proxy update config"
+
+#NGINX_TMPL=config/nginx.tmpl.conf
+#NGINX_CONF=config/nginx.conf
+DOCKER_DIST=docker-compose.tmpl.yml.dist
+DOCKER_TMPL=docker-compose.tmpl.yml
+DOCKER_CONF=docker-compose.yml
+PASSFILE=conf/passfile
+
+ALLOW_ADMIN_IP_FILE="/kaz/secret/allow_admin_ip"
+ALLOW_IP_FILE="/kaz/config/proxy/allow_ip"
+
+# TODO
+# for service in agora cloud paheko wiki wp; do
+#     touch "${KAZ_CONF_PROXY_DIR}/${service}_kaz_map"
+#     touch "${KAZ_CONF_PROXY_DIR}/${service}_kaz_name"
+# done
+
+cd $(dirname $0)
+# update ip allowed
+TRAEFIK_ALLOW_IP_FILE=conf/dynamic/allow_ip.yml
+if [ ! -f "${TRAEFIK_ALLOW_IP_FILE}" ]; then
+    cat > "${TRAEFIK_ALLOW_IP_FILE}"  <<EOF
+http:
+  middlewares:
+    test-ipwhitelist:
+      ipWhiteList:
+        sourceRange:
+          # Remove ALLOWEDIP / FINALLOWEDIP flags to prevent proxy-gen to modify this
+          #ALLOWEDIP
+          - "0.0.0.0/0"
+          #FINALLOWEDIP
+    test-adminipwhitelist:
+      ipWhiteList:
+        sourceRange:
+          # Remove ADMINIP / FINADMINIP flags to prevent proxy-gen to modify this
+          #ADMINIP
+          - "0.0.0.0/0"
+          #FINADMINIP
+EOF
+fi
+
+# berk berk ... pour éviter d'avoir à maintenir le fichier traefik, on extrait les ip depuis les fichiers allow_admin_ip et allow_ip de nginx
+if [[ -f ${ALLOW_ADMIN_IP_FILE} && -n $(grep -e '^\s*allow' ${ALLOW_ADMIN_IP_FILE}) ]]; then
+    sed -i 's/#ADMINIP/#ADMINIP\n          #FINADMINIP\n#DELETE/' ${TRAEFIK_ALLOW_IP_FILE}
+    sed -i '/#DELETE/,/#FINADMINIP/d' ${TRAEFIK_ALLOW_IP_FILE}
+    grep -e '^\s*allow' ${ALLOW_ADMIN_IP_FILE} | awk '{print $2}' | sed 's/all/0.0.0.0\\\\\/0/;s/\s*;.*//g;s/\//\\\\\//g' | xargs -I '{}' sed -i "s/#ADMINIP/#ADMINIP\n          - \"{}\"/"  ${TRAEFIK_ALLOW_IP_FILE}
+fi
+if [[ -f ${ALLOW_IP_FILE} && -n $(grep -e '^\s*allow' ${ALLOW_IP_FILE}) ]]; then
+    sed -i 's/#ALLOWEDIP/#ALLOWEDIP\n          #FINALLOWEDIP\n#DELETE/' ${TRAEFIK_ALLOW_IP_FILE}
+    sed -i '/#DELETE/,/#FINALLOWEDIP/d' ${TRAEFIK_ALLOW_IP_FILE}
+    grep -e '^\s*allow' ${ALLOW_IP_FILE} | awk '{print $2}' | sed 's/all/0.0.0.0\\\\\/0/;s/\s*;.*//g;s/\//\\\\\//g' | xargs -I '{}' sed -i "s/#ALLOWEDIP/#ALLOWEDIP\n          - \"{}\"/"  ${TRAEFIK_ALLOW_IP_FILE}
+fi
+
+
+CERTFILE_TMPL=conf/dynamic/certificates.yml.tmpl
+CERTFILE=conf/dynamic/certificates.yml
+if [ ! -f "${CERTFILE}" ]; then
+    cp "${CERTFILE_TMPL}" "${CERTFILE}"
+    case "${domain}" in
+     kaz.bzh)
+         SSL_CERT="/etc/ssl/certs/wildcard_${domain//./_}.chain.pem"
+         SSL_KEY="/etc/ssl/private/wildcard_${domain//./_}.key.pem"
+         ;;
+     kaz.local)
+         SSL_CERT="/etc/letsencrypt/local/_wildcard.${domain}.pem"
+         SSL_KEY="/etc/letsencrypt/local/_wildcard.${domain}-key.pem"
+         ;;
+     *)
+         SSL_CERT="/etc/letsencrypt/live/${domain}/fullchain.pem"
+         SSL_KEY="/etc/letsencrypt/live/${domain}/privkey.pem"
+         ;;
+     esac
+
+    sed -i "s|__SSL_CERT__|${SSL_CERT}|g" ${CERTFILE}
+    sed -i "s|__SSL_KEY__|${SSL_KEY}|g" ${CERTFILE}
+fi
+
+#     cat > "${PROXY_PORT_CFG}"  <<EOF
+# listen 443 ssl http2;
+
+# ssl_certificate ${SSL_CERT};
+# ssl_certificate_key ${SSL_KEY};
+
+# ssl_session_timeout 1d;
+# ssl_protocols TLSv1.2 TLSv1.3;
+# ssl_early_data on;
+# ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+# ssl_prefer_server_ciphers on;
+# ssl_session_cache shared:SSL:50m;
+# ssl_stapling on;
+# ssl_stapling_verify on;
+# EOF
+#fi
+
+# update redirect
+# PROXY_REDIRECT="${KAZ_CONF_PROXY_DIR}/redirect"
+# if [ ! -f "${PROXY_REDIRECT}" ]; then
+#     cat > "${PROXY_REDIRECT}"  <<EOF
+# server {
+#   listen 80;
+#   return 301 https://\$host\$request_uri;
+# }
+
+# # file
+# server {
+#   listen 80;
+#   server_name file.${domain};
+#   return 301 https://depot.${domain}\$request_uri;
+# }
+
+# # cacl
+# server {
+#   listen 80;
+#   server_name calc.${domain};
+#   return 301 https://tableur.${domain}\$request_uri;
+# }
+
+# # date
+# server {
+#   listen 80;
+#   server_name date.${domain};
+#   return 301 https://sondage.${domain}\$request_uri;
+# }
+
+# # cloud
+# server {
+#   listen 80;
+#   server_name bureau.${domain};
+#   return 301 https://cloud.${domain}\$request_uri;
+# }
+
+# # mattermost
+# server {
+#   listen 80;
+#   server_name mattermost.${domain};
+#   return 301 https://agora.${domain}\$request_uri;
+# }
+
+# # dokuwiki
+# server {
+#   listen 80;
+#   server_name dokuwiki.${domain};
+#   return 301 https://wiki.${domain}\$request_uri;
+# }
+# EOF
+# fi
+
+cd $(dirname $0)
+
+
+[[ -f "${PASSFILE}" ]] || printf "${traefik_DASHBOARD_USER}:$( echo ${traefik_DASHBOARD_PASSWORD} | openssl passwd -apr1 -stdin)\n" >> ${PASSFILE}
+[[ -f "${DOCKER_TMPL}" ]] || cp "${DOCKER_DIST}" "${DOCKER_TMPL}"
+if [ -f "conf/root_ca.crt" ]; then
+    sed -i "s|#- LEGO|- LEGO|g" ${DOCKER_TMPL}
+fi
+"${APPLY_TMPL}" -time "${DOCKER_TMPL}" "${DOCKER_CONF}"
+# "${APPLY_TMPL}" -time "${NGINX_TMPL}" "${NGINX_CONF}"
+
+#("${KAZ_COMP_DIR}/web/web-gen.sh" ) &