snster bootstrap

files/snster-kaz/kaz/group.yml

@@ -0,0 +1,48 @@
+version: 1
+
+header:
+  name: Target AS
+  comment: AS of the Target organization
+
+hosts:
+  router:
+    master: alpine
+    network:
+      interfaces:
+        eth0:
+          bridge: transit-a
+          ipv4: 100.64.0.10/24
+          ipv6: 2001:db8:b000::10/48
+        eth1:
+          bridge: kaz-lan1
+          ipv4: 100.80.0.1/24
+        eth2:
+          bridge: kaz-lan2
+          ipv4: 100.80.1.1/24
+    templates:
+      - bgprouter:
+          asn: 10
+          asdev: eth1;eth2
+          neighbors4: 100.64.0.1 as 30
+          neighbors6: 2001:db8:b000::1 as 30
+      - resolv:
+          nameserver: 100.100.100.100
+          domain: kaz.milxc
+
+  prod:
+    network:
+      interfaces:
+        eth0:
+          bridge: kaz-lan1
+          ipv4: 100.80.0.2/24
+        eth1:
+          bridge: kaz-lan2
+          ipv4: 100.80.1.2/24
+      gatewayv4: 100.80.0.1
+    templates:
+      - updatecaroots:
+      - authns:
+          zonefile: dns.conf
+      - resolv:
+          domain: kaz.milxc
+          ns: 100.100.100.100

files/snster-kaz/kaz/prod/dns.conf

@@ -0,0 +1,22 @@
+$TTL	86400
+$ORIGIN kaz.milxc.
+@  1D  IN  SOA ns.kaz.milxc. hostmaster.kaz.milxc. (
+			      2002022401 ; serial
+			      3H ; refresh
+			      15 ; retry
+			      1w ; expire
+			      3h ; nxdomain ttl
+			     )
+       IN  NS     ns.kaz.milxc.
+       IN  MX  10 smtp.kaz.milxc.
+ns    IN  A      100.80.0.2
+dmz   IN A 100.80.0.2
+smtp  IN CNAME 	dmz
+imap  IN CNAME 	dmz
+www   IN CNAME 	dmz
+listes	IN	MX	listes
+listes	IN	A	100.80.1.2
+firewall   IN A 100.80.0.1
+firewall	IN	AAAA	2001:db8:80::0:1
+router		IN	A	100.80.0.1
+router		IN	AAAA	2001:db8:80::0:1

files/snster-kaz/kaz/prod/kaz.sh

@@ -0,0 +1,77 @@
+#!/bin/bash
+if [ -z "${SNSTERGUARD}" ] ; then
+    exit 1
+fi
+
+DIR=$(cd "$(dirname $0)"; pwd)
+cd "${DIR}"
+set -e
+export OUTPUT_DIR="/root/install"
+
+
+mkdir -p "${OUTPUT_DIR}/log/"
+export DebugLog="${OUTPUT_DIR}/log/log-kaz-$(date +%y-%m-%d-%T)-"
+(
+    echo "########## ********** Start kaz.sh $(date +%D-%T)"
+
+    docker-clean -a
+    rm -rf /kaz
+
+    if [ -z "${KAZBRANCH}" ] ; then
+	     KAZBRANCH="master"
+    fi
+    echo -e "\n    #### git checkout ${KAZBRANCH}\n"
+
+
+    # copie des sources
+    cd /
+    [ -f kaz ] || git clone https://git.kaz.bzh/KAZ/kaz.git
+    (cd /kaz ; git checkout "${KAZBRANCH}" )
+    find /kaz -name \*.sh -exec chmod a+x {} \;
+
+    # pour ceux qui disposent d'un cache apt local et pas la fibre
+    if [ -f "${DIR}/.apt-mirror-config" ]; then
+	rsync -a "${DIR}/.apt-mirror-config" /kaz/
+    fi
+    if [ -f "${DIR}/.proxy-config" ]; then
+	rsync -a "${DIR}/.proxy-config" /etc/profile.d/proxy.sh
+	rsync -a "${DIR}/.proxy-config" /kaz/
+    fi
+    if [ -f "${DIR}/.docker-config.json" ]; then
+	mkdir -p /root/.docker
+	rsync -a "${DIR}/.docker-config.json" /root/.docker/config.json
+    fi
+
+
+
+    echo -e "\n    #### rsync download\n"
+    [ -d "${DIR}/kaz/download" ] &&
+	rsync -a "${DIR}/kaz/download/" /kaz/download/
+    [ -d "${DIR}/kaz/git" ] &&
+	rsync -a "${DIR}/kaz/git/" /kaz/git/
+    [ -f "${DIR}/kaz/config/dockers.env" ] &&
+	[ ! -f "/kaz/config/dockers.env" ] &&
+	rsync -a "${DIR}/kaz/config/dockers.env" /kaz/config/dockers.env
+    for type in mail orga proxy withMail withoutMail ; do
+	[ -f "${DIR}/kaz/config/container-${type}.list" ] &&
+	    [ ! -f "/kaz/config/config/container-${type}.list" ] &&
+	    rsync -a  "${DIR}/kaz/config/container-${type}.list" /kaz/config/
+    done
+
+    echo -e "\n    #### secretGen\n"
+    /kaz/bin/secretGen.sh
+
+    #possibilité de lancer vagrant up NOKAZ="true" quand on construit la machine
+    if [ "${NOKAZ}" == "true" ]; then
+	echo "on ne lance pas install.sh"
+    else
+	echo "on lance install.sh"
+	/kaz/bin/install.sh
+    fi
+
+    # clear apt cache
+    DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
+    DEBIAN_FRONTEND=noninteractive apt-get clean
+
+    echo "########## ********** End kaz.sh $(date +%D-%T)"
+)  > >(tee ${DebugLog}stdout.log) 2> >(tee ${DebugLog}stderr.log >&2)

files/snster-kaz/kaz/prod/kaz/config/container-mail.list

@@ -0,0 +1,3 @@
+# e-mail server composer
+postfix
+sympa

files/snster-kaz/kaz/prod/kaz/config/container-orga.list

@@ -0,0 +1 @@
+# orga composer

files/snster-kaz/kaz/prod/kaz/config/container-proxy.list

@@ -0,0 +1 @@
+proxy

files/snster-kaz/kaz/prod/kaz/config/container-withMail.list

@@ -0,0 +1,9 @@
+cloud
+dokuwiki
+#framadate
+garradin
+gitea
+jirafeau
+#mattermost
+roundcube
+#keycloak

files/snster-kaz/kaz/prod/kaz/config/container-withoutMail.list

@@ -0,0 +1,10 @@
+cachet
+jirafeau
+ethercalc
+collabora
+ethercalc
+etherpad
+ldap
+quotas
+web
+#vigilo

files/snster-kaz/kaz/prod/kaz/config/dockers.env

@@ -0,0 +1,120 @@
+# Les variables d'environnements utilisées
+# par les dockers via le lien :
+# .env -> ../../config/dockers.env
+
+#######################################
+# prod / dev / local
+mode=prod
+
+########################################
+# choix du domaine
+# prod=kaz.bzh / dev=dev.kaz.bzh / local=kaz.local
+domain=kaz.milxc
+
+########################################
+# choix du domaine des mails sympa
+# prod=kaz.bzh / dev=kaz2.ovh / local=kaz.local
+domain_sympa=kaz.milxc
+
+########################################
+# choix d'un serveur partiel
+# site=site-2
+site=
+
+########################################
+# Pour garradin qui met en "dure" dans
+# sa config l'URL pour l'atteindre
+
+# prod=https (gandi) / dev=https (letsencrypt) / local=http
+httpProto=https
+
+# prod=89.234.186.111 / dev=192.168.57.1 / local=127.0.0.1
+MAIN_IP=100.80.0.2
+
+# prod=89.234.186.151 / dev=192.168.57.2 / local=127.0.0.2
+SYMPA_IP=100.80.1.2
+
+########################################
+# noms des services
+
+# ou www (mais bof)
+webHost=
+
+cachetHost=cachet
+calcHost=tableur
+cloudHost=cloud
+dateHost=sondage
+dokuwikiHost=wiki
+fileHost=depot
+garHost=garradin
+gitHost=git
+gravHost=grav
+ldapHost=ldap
+matterHost=agora
+officeHost=office
+padHost=pad
+quotasHost=quotas
+smtpHost=smtp
+sympaHost=listes
+vigiloHost=vigilo
+webmailHost=webmail
+wordpressHost=wp
+
+########################################
+# noms des containers
+
+cachetServName=cachetServ
+dokuwikiServName=dokuwikiServ
+ethercalcServName=ethercalcServ
+etherpadServName=etherpadServ
+framadateServName=framadateServ
+garradinServName=garradinServ
+gitServName=gitServ
+gravServName=gravServ
+jirafeauServName=jirafeauServ
+ldapServName=ldapServ
+mattermostServName=mattermostServ
+nextcloudServName=nextcloudServ
+officeServName=officeServ
+proxyServName=proxyServ
+quotasServName=quotasServ
+roundcubeServName=roundcubeServ
+smtpServName=mailServ
+sympaServName=sympaServ
+vigiloServName=vigiloServ
+webServName=webServ
+wordpressServName=wpServ
+
+cachetDBName=cachetDB
+ethercalcDBName=ethercalcDB
+etherpadDBName=etherpadDB
+framadateDBName=framadateDB
+gitDBName=gitDB
+mattermostDBName=mattermostDB
+nextcloudDBName=nextcloudDB
+quotasDBName=quotasDB
+roundcubeDBName=roundcubeDB
+sympaDBName=sympaDB
+vigiloDBName=vigiloDB
+wordpressDBName=wpDB
+
+ldapIUName=ldapIU
+
+########################################
+# politique de redémarrage
+# prod=always / test=unless-stopped / local=no
+restartPolicy=no
+
+########################################
+# devrait être dans env-jirafeauServ
+# mais seuls les variables de ".env" sont
+# utilisables pour le montage des volumes
+
+jirafeauDir=/var/jirafeauData/lkuDM16R5Sp4QHr/
+
+ldapRoot=dc=kaz,dc=milxc
+
+########################################
+# services activés par container.sh
+# variables d'environneements utilisées
+# pour le tmpl du mandataire (proxy)

files/snster-kaz/kaz/prod/provision.sh

@@ -0,0 +1,76 @@
+#!/bin/bash
+# Target DMZ
+set -e
+if [ -z $MILXCGUARD ] ; then exit 1; fi
+DIR=`dirname $0`
+cd `dirname $0`
+
+# disable systemd-resolved which conflicts with nsd
+echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
+systemctl stop systemd-resolved
+
+apt-get update
+DEB_VERSION=`cat /etc/debian_version | cut -d'.' -f1`
+if [ $DEB_VERSION -eq "11" ] # DEB 11 aka Bullseye
+then
+  DEBIAN_FRONTEND=noninteractive apt-get install -y  certbot python3-certbot-apache
+else
+  echo "Unsupported Debian version"
+  exit 1
+fi
+
+
+# preconfig TLS and certbot
+a2enmod ssl
+a2ensite default-ssl.conf
+echo -e "
+email=admin@kaz.milxc
+agree-tos=1
+no-verify-ssl=1
+" >> /etc/letsencrypt/cli.ini
+
+# Go KAZ !
+# KAZ specific things
+#installation de docker, docker-compose et on y fourre le user debian dans le groupe idoine
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y docker.io docker-compose docker-clean git apg curl sudo unzip rsync fuse-overlayfs
+usermod -G docker debian
+# activation dans alias dans /root/.bashrc
+sed -i \
+-e 's/^\# alias/alias/g' \
+-e 's/^\# export/export/g' \
+-e 's/^\# eval/eval/g' \
+/root/.bashrc
+
+if ! grep -q "for file in /dockers" /root/.bashrc 2>/dev/null; then
+cat >> /root/.bashrc <<EOF
+# enable bash completion in interactive shells
+if ! shopt -oq posix; then
+if [ -f /usr/share/bash-completion/bash_completion ]; then
+. /usr/share/bash-completion/bash_completion
+elif [ -f /etc/bash_completion ]; then
+. /etc/bash_completion
+fi
+fi
+for file in /kaz/bin/.*-completion.bash ; do
+source "\${file}"
+done
+EOF
+fi
+
+
+# On met le KAZGUARD pour la mise au point
+echo "export KAZGUARD='true'" >> /root/.bashrc
+
+# On active fuse-overlayfs pour docker
+cat >> /etc/docker/daemon.json <<EOF
+{ "storage-driver": "fuse-overlayfs" }
+EOF
+service docker restart
+mknod -m 666 /dev/fuse c 10 229 # + dans le rc.local ? + modprobe fuse sur l'ĥôte ?
+
+./kaz.sh
+
+# clear apt cache
+DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
+DEBIAN_FRONTEND=noninteractive apt-get clean