KazV2/dockers/traefik/proxy-gen.sh
2024-06-03 18:43:35 +02:00

169 lines
5.1 KiB
Bash
Executable File

#!/bin/bash
KAZ_ROOT=$(cd "$(dirname $0)/../.."; pwd)
. "${KAZ_ROOT}/bin/.commonFunctions.sh"
setKazVars
. "${DOCKERS_ENV}"
. "${KAZ_ROOT}/secret/SetAllPass.sh"
printKazMsg "\n *** Proxy update config"
#NGINX_TMPL=config/nginx.tmpl.conf
#NGINX_CONF=config/nginx.conf
DOCKER_DIST=docker-compose.tmpl.yml.dist
DOCKER_TMPL=docker-compose.tmpl.yml
DOCKER_CONF=docker-compose.yml
PASSFILE=conf/passfile
ALLOW_ADMIN_IP_FILE="/kaz/secret/allow_admin_ip"
ALLOW_IP_FILE="/kaz/config/proxy/allow_ip"
# TODO
# for service in agora cloud paheko wiki wp; do
# touch "${KAZ_CONF_PROXY_DIR}/${service}_kaz_map"
# touch "${KAZ_CONF_PROXY_DIR}/${service}_kaz_name"
# done
cd $(dirname $0)
# update ip allowed
TRAEFIK_ALLOW_IP_FILE=conf/dynamic/allow_ip.yml
if [ ! -f "${TRAEFIK_ALLOW_IP_FILE}" ]; then
cat > "${TRAEFIK_ALLOW_IP_FILE}" <<EOF
http:
middlewares:
test-ipwhitelist:
ipWhiteList:
sourceRange:
# Remove ALLOWEDIP / FINALLOWEDIP flags to prevent proxy-gen to modify this
#ALLOWEDIP
- "0.0.0.0/0"
#FINALLOWEDIP
test-adminipwhitelist:
ipWhiteList:
sourceRange:
# Remove ADMINIP / FINADMINIP flags to prevent proxy-gen to modify this
#ADMINIP
- "0.0.0.0/0"
#FINADMINIP
EOF
fi
# berk berk ... pour éviter d'avoir à maintenir le fichier traefik, on extrait les ip depuis les fichiers allow_admin_ip et allow_ip de nginx
if [[ -f ${ALLOW_ADMIN_IP_FILE} && -n $(grep -e '^\s*allow' ${ALLOW_ADMIN_IP_FILE}) ]]; then
sed -i 's/#ADMINIP/#ADMINIP\n #FINADMINIP\n#DELETE/' ${TRAEFIK_ALLOW_IP_FILE}
sed -i '/#DELETE/,/#FINADMINIP/d' ${TRAEFIK_ALLOW_IP_FILE}
grep -e '^\s*allow' ${ALLOW_ADMIN_IP_FILE} | awk '{print $2}' | sed 's/all/0.0.0.0\\\\\/0/;s/\s*;.*//g;s/\//\\\\\//g' | xargs -I '{}' sed -i "s/#ADMINIP/#ADMINIP\n - \"{}\"/" ${TRAEFIK_ALLOW_IP_FILE}
fi
if [[ -f ${ALLOW_IP_FILE} && -n $(grep -e '^\s*allow' ${ALLOW_IP_FILE}) ]]; then
sed -i 's/#ALLOWEDIP/#ALLOWEDIP\n #FINALLOWEDIP\n#DELETE/' ${TRAEFIK_ALLOW_IP_FILE}
sed -i '/#DELETE/,/#FINALLOWEDIP/d' ${TRAEFIK_ALLOW_IP_FILE}
grep -e '^\s*allow' ${ALLOW_IP_FILE} | awk '{print $2}' | sed 's/all/0.0.0.0\\\\\/0/;s/\s*;.*//g;s/\//\\\\\//g' | xargs -I '{}' sed -i "s/#ALLOWEDIP/#ALLOWEDIP\n - \"{}\"/" ${TRAEFIK_ALLOW_IP_FILE}
fi
CERTFILE_TMPL=conf/dynamic/certificates.yml.tmpl
CERTFILE=conf/dynamic/certificates.yml
if [ ! -f "${CERTFILE}" ]; then
cp "${CERTFILE_TMPL}" "${CERTFILE}"
case "${domain}" in
kaz.bzh)
SSL_CERT="/etc/ssl/certs/wildcard_${domain//./_}.chain.pem"
SSL_KEY="/etc/ssl/private/wildcard_${domain//./_}.key.pem"
;;
kaz.local)
SSL_CERT="/etc/letsencrypt/local/_wildcard.${domain}.pem"
SSL_KEY="/etc/letsencrypt/local/_wildcard.${domain}-key.pem"
;;
*)
SSL_CERT="/etc/letsencrypt/live/${domain}/fullchain.pem"
SSL_KEY="/etc/letsencrypt/live/${domain}/privkey.pem"
;;
esac
sed -i "s|__SSL_CERT__|${SSL_CERT}|g" ${CERTFILE}
sed -i "s|__SSL_KEY__|${SSL_KEY}|g" ${CERTFILE}
fi
# cat > "${PROXY_PORT_CFG}" <<EOF
# listen 443 ssl http2;
# ssl_certificate ${SSL_CERT};
# ssl_certificate_key ${SSL_KEY};
# ssl_session_timeout 1d;
# ssl_protocols TLSv1.2 TLSv1.3;
# ssl_early_data on;
# ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
# ssl_prefer_server_ciphers on;
# ssl_session_cache shared:SSL:50m;
# ssl_stapling on;
# ssl_stapling_verify on;
# EOF
#fi
# update redirect
# PROXY_REDIRECT="${KAZ_CONF_PROXY_DIR}/redirect"
# if [ ! -f "${PROXY_REDIRECT}" ]; then
# cat > "${PROXY_REDIRECT}" <<EOF
# server {
# listen 80;
# return 301 https://\$host\$request_uri;
# }
# # file
# server {
# listen 80;
# server_name file.${domain};
# return 301 https://depot.${domain}\$request_uri;
# }
# # cacl
# server {
# listen 80;
# server_name calc.${domain};
# return 301 https://tableur.${domain}\$request_uri;
# }
# # date
# server {
# listen 80;
# server_name date.${domain};
# return 301 https://sondage.${domain}\$request_uri;
# }
# # cloud
# server {
# listen 80;
# server_name bureau.${domain};
# return 301 https://cloud.${domain}\$request_uri;
# }
# # mattermost
# server {
# listen 80;
# server_name mattermost.${domain};
# return 301 https://agora.${domain}\$request_uri;
# }
# # dokuwiki
# server {
# listen 80;
# server_name dokuwiki.${domain};
# return 301 https://wiki.${domain}\$request_uri;
# }
# EOF
# fi
cd $(dirname $0)
[[ -f "${PASSFILE}" ]] || printf "${traefik_DASHBOARD_USER}:$( echo ${traefik_DASHBOARD_PASSWORD} | openssl passwd -apr1 -stdin)\n" >> ${PASSFILE}
[[ -f "${DOCKER_TMPL}" ]] || cp "${DOCKER_DIST}" "${DOCKER_TMPL}"
if [ -f "conf/root_ca.crt" ]; then
sed -i "s|#- LEGO|- LEGO|g" ${DOCKER_TMPL}
fi
"${APPLY_TMPL}" -time "${DOCKER_TMPL}" "${DOCKER_CONF}"
# "${APPLY_TMPL}" -time "${NGINX_TMPL}" "${NGINX_CONF}"
#("${KAZ_COMP_DIR}/web/web-gen.sh" ) &