diff --git a/files/snster-kaz/kaz2/group.yml b/files/snster-kaz/kaz2/group.yml
new file mode 100644
index 0000000..3b72cbb
--- /dev/null
+++ b/files/snster-kaz/kaz2/group.yml
@@ -0,0 +1,39 @@
+version: 1
+
+header:
+ name: Kaz2 AS
+ comment: AS of the Kaz organization, 2ndary server
+
+hosts:
+ router:
+ master: alpine
+ network:
+ interfaces:
+ eth0:
+ bridge: transit-a
+ ipv4: 100.64.0.11/24
+ ipv6: 2001:db8:b000::11/48
+ eth1:
+ bridge: kaz2-lan1
+ ipv4: 100.81.0.1/24
+ templates:
+ - bgprouter:
+ asn: 11
+ asdev: eth1
+ neighbors4: 100.64.0.1 as 30
+ neighbors6: 2001:db8:b000::1 as 30
+ - resolv:
+ ns: 100.100.100.100
+ domain: kaz.sns
+
+ prod2:
+ network:
+ interfaces:
+ eth0:
+ bridge: kaz2-lan1
+ ipv4: 100.81.0.2/24
+ templates:
+ - updatecaroots:
+ - resolv:
+ domain: kaz.sns
+ ns: 100.100.100.100
diff --git a/files/snster-kaz/kaz2/prod2/kaz-config/container-mail.list b/files/snster-kaz/kaz2/prod2/kaz-config/container-mail.list
new file mode 100644
index 0000000..b4827e3
--- /dev/null
+++ b/files/snster-kaz/kaz2/prod2/kaz-config/container-mail.list
@@ -0,0 +1,4 @@
+# e-mail server composer
+#ldap
+#postfix
+#sympa
diff --git a/files/snster-kaz/kaz2/prod2/kaz-config/container-orga.list b/files/snster-kaz/kaz2/prod2/kaz-config/container-orga.list
new file mode 100644
index 0000000..799bea5
--- /dev/null
+++ b/files/snster-kaz/kaz2/prod2/kaz-config/container-orga.list
@@ -0,0 +1 @@
+# orga composer
diff --git a/files/snster-kaz/kaz2/prod2/kaz-config/container-proxy.list b/files/snster-kaz/kaz2/prod2/kaz-config/container-proxy.list
new file mode 100644
index 0000000..d08a437
--- /dev/null
+++ b/files/snster-kaz/kaz2/prod2/kaz-config/container-proxy.list
@@ -0,0 +1,2 @@
+#proxy
+#traefik
diff --git a/files/snster-kaz/kaz2/prod2/kaz-config/container-withMail.list b/files/snster-kaz/kaz2/prod2/kaz-config/container-withMail.list
new file mode 100644
index 0000000..e3e23ed
--- /dev/null
+++ b/files/snster-kaz/kaz2/prod2/kaz-config/container-withMail.list
@@ -0,0 +1,12 @@
+#cloud
+#dokuwiki
+#framadate
+#garradin
+#gitea
+#jirafeau
+#mattermost
+#roundcube
+#keycloak
+#mobilizon
+#vaultwarden
+#ldap
diff --git a/files/snster-kaz/kaz2/prod2/kaz-config/container-withoutMail.list b/files/snster-kaz/kaz2/prod2/kaz-config/container-withoutMail.list
new file mode 100644
index 0000000..6bfbe47
--- /dev/null
+++ b/files/snster-kaz/kaz2/prod2/kaz-config/container-withoutMail.list
@@ -0,0 +1,9 @@
+#cachet
+#jirafeau
+#ethercalc
+#collabora
+#ethercalc
+#etherpad
+#quotas
+#web
+#vigilo
diff --git a/files/snster-kaz/kaz2/prod2/kaz-config/dockers.env b/files/snster-kaz/kaz2/prod2/kaz-config/dockers.env
new file mode 100644
index 0000000..8a08684
--- /dev/null
+++ b/files/snster-kaz/kaz2/prod2/kaz-config/dockers.env
@@ -0,0 +1,134 @@
+# Les variables d'environnements utilisées
+# par les dockers via le lien :
+# .env -> ../../config/dockers.env
+
+#######################################
+# prod / dev / local
+mode=local
+
+########################################
+# choix du domaine
+# prod=kaz.bzh / dev=dev.kaz.bzh / local=kaz.local
+domain=kaz.sns
+
+########################################
+# choix du domaine des mails sympa
+# prod=kaz.bzh / dev=kaz2.ovh / local=kaz.local
+domain_sympa=listes.kaz.sns
+
+########################################
+# choix d'un serveur partiel
+# site=site-2
+site=site-2
+
+########################################
+# Pour garradin qui met en "dure" dans
+# sa config l'URL pour l'atteindre
+
+# prod=https (gandi) / dev=https (letsencrypt) / local=http
+httpProto=https
+
+# prod=89.234.186.111 / dev=192.168.57.1 / local=127.0.0.1
+MAIN_IP=100.81.0.2
+
+# prod=89.234.186.151 / dev=192.168.57.2 / local=127.0.0.2
+SYMPA_IP=100.81.1.2
+
+########################################
+# noms des services
+
+# ou www (mais bof)
+webHost=
+
+cachetHost=cachet
+calcHost=tableur
+cloudHost=cloud
+dateHost=sondage
+dokuwikiHost=wiki
+fileHost=depot
+garHost=garradin
+gitHost=git
+gravHost=grav
+ldapHost=ldap
+matterHost=agora
+officeHost=office
+padHost=pad
+quotasHost=quotas
+smtpHost=smtp
+sympaHost=listes
+vigiloHost=vigilo
+webmailHost=webmail
+wordpressHost=wp
+ldapUIHost=mdp
+mobilizonHost=mobilizon
+vaultwardenHost=koffre
+traefikHost=dashboard
+
+########################################
+# ports internes
+
+matterPort=8000
+
+########################################
+# noms des containers
+
+cachetServName=cachetServ
+dokuwikiServName=dokuwikiServ
+ethercalcServName=ethercalcServ
+etherpadServName=etherpadServ
+framadateServName=framadateServ
+garradinServName=garradinServ
+gitServName=gitServ
+gravServName=gravServ
+jirafeauServName=jirafeauServ
+ldapServName=ldapServ
+mattermostServName=mattermostServ
+nextcloudServName=nextcloudServ
+officeServName=officeServ
+proxyServName=proxyServ
+traefikServName=traefikServ
+quotasServName=quotasServ
+roundcubeServName=roundcubeServ
+smtpServName=mailServ
+sympaServName=sympaServ
+vigiloServName=vigiloServ
+webServName=webServ
+wordpressServName=wpServ
+mobilizonServName=mobilizonServ
+vaultwardenServName=vaultwardenServ
+
+cachetDBName=cachetDB
+ethercalcDBName=ethercalcDB
+etherpadDBName=etherpadDB
+framadateDBName=framadateDB
+gitDBName=gitDB
+mattermostDBName=mattermostDB
+nextcloudDBName=nextcloudDB
+quotasDBName=quotasDB
+roundcubeDBName=roundcubeDB
+sympaDBName=sympaDB
+vigiloDBName=vigiloDB
+wordpressDBName=wpDB
+mobilizonDBName=mobilizonDB
+vaultwardenDBName=vaultwardenDB
+
+ldapUIName=ldapUI
+
+########################################
+# politique de redémarrage
+# prod=always / test=unless-stopped / local=no
+restartPolicy=no
+
+########################################
+# devrait être dans env-jirafeauServ
+# mais seuls les variables de ".env" sont
+# utilisables pour le montage des volumes
+
+jirafeauDir=/var/jirafeauData/lkuDM16R5Sp4QHr/
+
+ldap_root=dc=kaz,dc=sns
+
+########################################
+# services activés par container.sh
+# variables d'environneements utilisées
+# pour le tmpl du mandataire (proxy)
diff --git a/files/snster-kaz/kaz2/prod2/kaz.sh b/files/snster-kaz/kaz2/prod2/kaz.sh
new file mode 100644
index 0000000..eea1d65
--- /dev/null
+++ b/files/snster-kaz/kaz2/prod2/kaz.sh
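Review bot: `SYMPA_IP=100.81.1.2` lies in 100.81.1.0/24, while the only interface group.yml gives prod2 is eth0 at 100.81.0.2/24 on kaz2-lan1, so nothing in this change makes that address reachable from the host. If sympa is simply not deployed on this node (container-mail.list leaves `#sympa` commented out), a comment such as `# SYMPA_IP unused here: sympa is not enabled in container-mail.list` would stop a later copy of this file from binding a live listener to an address no interface carries. `httpProto=https` also contradicts the comment directly above it (`local=http`) while `mode=local`; a one-line comment saying why, presumably the sandbox's own CA given that provision.sh installs letsencrypt/local/rootCA.pem, would save the next reader the cross-reference.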
@@ -0,0 +1,47 @@
+#!/bin/bash
+if [ -z "${SNSTERGUARD}" ] ; then
+ exit 1
+fi
+
+DIR=$(cd "$(dirname $0)"; pwd)
+cd "${DIR}"
+set -e
+export OUTPUT_DIR="/root/install"
+
+
+mkdir -p "${OUTPUT_DIR}/log/"
+export DebugLog="${OUTPUT_DIR}/log/log-kaz-$(date +%y-%m-%d-%T)-"
+(
+ echo "########## ********** Start kaz.sh $(date +%D-%T)"
+
+ docker-clean -a
+ rm -rf /kaz
+
+ if [ -z "${KAZBRANCH}" ] ; then
+ KAZBRANCH="master"
+ fi
+ echo -e "\n #### git checkout ${KAZBRANCH}\n"
+
+ # copie des sources
+ cd /
+ git clone https://git.kaz.bzh/KAZ/kaz.git
+ (cd /kaz ; git checkout "${KAZBRANCH}" )
+
+ cp "${DIR}/kaz-config/dockers.env" /kaz/config/dockers.env
+ for type in mail orga proxy withMail withoutMail ; do
+ [ -f "${DIR}/kaz-config/container-${type}.list" ] &&
+ cp "${DIR}/kaz-config/container-${type}.list" /kaz/config/
+ done
+
+ echo -e "\n #### secretGen\n"
+ /kaz/bin/secretGen.sh
+
+ echo -e "\n #### install\n"
+ /kaz/bin/install.sh
+
+ # clear apt cache
+ DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
+ DEBIAN_FRONTEND=noninteractive apt-get clean
+
+ echo "########## ********** End kaz.sh $(date +%D-%T)"
+) > >(tee ${DebugLog}stdout.log) 2> >(tee ${DebugLog}stderr.log >&2)
diff --git a/files/snster-kaz/kaz2/prod2/provision.sh b/files/snster-kaz/kaz2/prod2/provision.sh
new file mode 100644
index 0000000..e87eb66
--- /dev/null
+++ b/files/snster-kaz/kaz2/prod2/provision.sh
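Review bot: The script wipes `/kaz` and then runs `/kaz/bin/secretGen.sh` and `/kaz/bin/install.sh` as root from whatever `KAZBRANCH` (default `master`) resolves to at clone time, so two provisioning runs can install different upstream code with nothing in the log saying which; recording the resolved revision next to the checkout, e.g. `(cd /kaz ; git checkout "${KAZBRANCH}" ; git rev-parse HEAD)`, keeps a run reproducible and auditable. The guard at the top exits silently, and a one-line message on stderr would tell the operator why the script refused to run. `$0` in `DIR=$(cd "$(dirname $0)"; pwd)` and `${DebugLog}` in the two `tee` redirections are unquoted while every other expansion in the file is quoted; quoting them is a small consistency fix.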
@@ -0,0 +1,130 @@
+#!/bin/bash
+# Target DMZ
+set -e
+if [ -z $SNSTERGUARD ] ; then exit 1; fi
+DIR=`dirname $0`
+cd `dirname $0`
+
+# disable systemd-resolved which conflicts with nsd
+echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
+systemctl stop systemd-resolved
+
+DEBIAN_FRONTEND=noninteractive apt-get update
+DEBIAN_FRONTEND=noninteractive apt-get remove -y apache2
+DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
+
+
+# Go KAZ !
+# KAZ specific things
+#installation de docker, docker-compose et on y fourre le user debian dans le groupe idoine
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y dos2unix jq ldapvi argon2 docker.io docker-clean git apg curl sudo unzip rsync btrfs-progs ldap-utils unaccent # fuse-overlayfs
+usermod -G docker debian
+
+# docker-compose
+curl -SL https://github.com/docker/compose/releases/download/v2.17.3/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose
+sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
+chmod +x /usr/bin/docker-compose
+
+# activation dans alias dans /root/.bashrc
+sed -i \
+-e 's/^\# alias/alias/g' \
+-e 's/^\# export/export/g' \
+-e 's/^\# eval/eval/g' \
+/root/.bashrc
+
+if ! 
grep -q "for file in /dockers" /root/.bashrc 2>/dev/null; then +cat >> /root/.bashrc <> /root/.bashrc + + +# On place les certifs +if [ -d letsencrypt ]; then + cp -ar letsencrypt /etc/ + cp /etc/letsencrypt/local/rootCA.pem /usr/local/share/ca-certificates/rootCA.crt + /usr/sbin/update-ca-certificates --fresh +fi + +# On sauve le proxy APT +proxy=$(/sbin/ip route | awk '/default/ { print $3 }' | head -1) +sed -i -e "s/^proxy.*$/proxy=$proxy/" /usr/local/sbin/detect_proxy.sh +#echo "export http_proxy=\"http://$proxy:3142\"" > /etc/profile.d/proxy.sh +#echo "export https_proxy=\"http://$proxy:3142\"" >> /etc/profile.d/proxy.sh + +# Proxy pour les environnements durant les dockerbuilds +mkdir /root/.docker +echo "{ + \"proxies\": + { + \"default\": + { + \"httpProxy\": \"http://$proxy:3142\", + \"httpsProxy\": \"http://$proxy:3142\", + \"noProxy\": \"*.sns,127.0.0.0/8,100.64.0.0/10,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16\" + } + } +}" > /root/.docker/config.json + +# Proxy pour les docker pull -> commenté car pas de cache avec dockerhub +# echo "http_proxy=\"http://$proxy:3142\" +# https_proxy=\"http://$proxy:3142\" +# no_proxy=\"*.sns,127.0.0.0/8,100.64.0.0/10,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16\" +# " >> /etc/default/docker + +# On active btrfs+registry miroir pour docker +cat >> /etc/docker/daemon.json <> /etc/hosts +cp "${DIR}/kaz.sh" /root/kaz.sh +cp "${DIR}/createUser.txt" /root/ +cp -ar "${DIR}/kaz-config" /root/ +chmod +x /root/kaz.sh +bash "/root/kaz.sh" +sed -i -e "s/100.81.0.2.*//g" /etc/hosts + + +# On démarre au boot +echo -e '#!/bin/sh\n/kaz/bin/container.sh start' >> /etc/rc.local +chmod +x /etc/rc.local + + +# notes fuse-overlayfs : +#mknod -m 666 /dev/fuse c 10 229 +#echo -e '#!/bin/sh\nmknod -m 666 /dev/fuse c 10 229' >> /etc/rc.local +#chmod +x /etc/rc.local + +# lxc.cgroup2.devices.allow = b 7:* rwm +# lxc.cgroup2.devices.allow = c 10:237 rwm +# +# mknod -m 666 /dev/loop0 b 7 0 +# mknod -m 666 /dev/loop-control c 10 237 +# truncate -s 30G 
/root/varlibdocker.img +# mkfs.btrfs /root/varlibdocker.img +# losetup -f /root/varlibdocker.img +# mount /dev/loop0 /var/lib/docker diff --git a/files/vm-provision.sh b/files/vm-provision.sh index 60dc63f..dcd3946 100755 --- a/files/vm-provision.sh +++ b/files/vm-provision.sh @@ -221,6 +221,7 @@ auth: # crypto keys cp -ar /etc/letsencrypt /root/snster-kaz/kaz/prod/ cp -ar /etc/letsencrypt /root/snster-kaz/isp-a/home/ + cp -ar /etc/letsencrypt /root/snster-kaz/kaz2/prod2/ # On lie le filesystem de kaz-prod dans le /kaz de la VM pour le dév ln -s /var/lib/lxc/kaz-kaz-prod/rootfs/ /kaz-prod
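Review bot: `usermod -G docker debian` replaces the `debian` user's whole supplementary-group list with `docker`, silently dropping any membership the base image gave it; `usermod -aG docker debian` appends instead. Under `set -e`, `mkdir /root/.docker` aborts the entire provisioning if the directory already exists (a re-run, or an image that ships one), so `mkdir -p /root/.docker` is the safer form. The docker-compose binary is fetched with `curl -SL` from a version-pinned URL but never checked; comparing it against the checksum file docker/compose publishes alongside each release asset would catch a truncated or substituted download before it is made executable system-wide. The guard `if [ -z $SNSTERGUARD ]` only works by accident when the variable is unset (`[ -z ]` is true because `-z` is itself a non-empty string); writing it as kaz.sh does, `if [ -z "${SNSTERGUARD}" ]`, makes the intent explicit. The heredoc bodies appended to /root/.bashrc, /etc/docker/daemon.json and /etc/hosts are missing from this rendering of the hunk, so their content could not be reviewed here.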