ajout du site 2

files/snster-kaz/kaz2/group.yml

@@ -0,0 +1,39 @@
+version: 1
+
+header:
+  name: Kaz2 AS
+  comment: AS of the Kaz organization, 2ndary server
+
+hosts:
+  router:
+    master: alpine
+    network:
+      interfaces:
+        eth0:
+          bridge: transit-a
+          ipv4: 100.64.0.11/24
+          ipv6: 2001:db8:b000::11/48
+        eth1:
+          bridge: kaz2-lan1
+          ipv4: 100.81.0.1/24
+    templates:
+      - bgprouter:
+          asn: 11
+          asdev: eth1
+          neighbors4: 100.64.0.1 as 30
+          neighbors6: 2001:db8:b000::1 as 30
+      - resolv:
+          ns: 100.100.100.100
+          domain: kaz.sns
+
+  prod2:
+    network:
+      interfaces:
+        eth0:
+          bridge: kaz2-lan1
+          ipv4: 100.81.0.2/24
+    templates:
+      - updatecaroots:
+      - resolv:
+          domain: kaz.sns
+          ns: 100.100.100.100

files/snster-kaz/kaz2/prod2/kaz-config/container-mail.list

@@ -0,0 +1,4 @@
+# e-mail server composer
+#ldap
+#postfix
+#sympa

files/snster-kaz/kaz2/prod2/kaz-config/container-orga.list

@@ -0,0 +1 @@
+# orga composer

files/snster-kaz/kaz2/prod2/kaz-config/container-proxy.list

@@ -0,0 +1,2 @@
+#proxy
+#traefik

files/snster-kaz/kaz2/prod2/kaz-config/container-withMail.list

@@ -0,0 +1,12 @@
+#cloud
+#dokuwiki
+#framadate
+#garradin
+#gitea
+#jirafeau
+#mattermost
+#roundcube
+#keycloak
+#mobilizon
+#vaultwarden
+#ldap

files/snster-kaz/kaz2/prod2/kaz-config/container-withoutMail.list

@@ -0,0 +1,9 @@
+#cachet
+#jirafeau
+#ethercalc
+#collabora
+#ethercalc
+#etherpad
+#quotas
+#web
+#vigilo

files/snster-kaz/kaz2/prod2/kaz-config/dockers.env

@@ -0,0 +1,134 @@
+# Les variables d'environnements utilisées
+# par les dockers via le lien :
+# .env -> ../../config/dockers.env
+
+#######################################
+# prod / dev / local
+mode=local
+
+########################################
+# choix du domaine
+# prod=kaz.bzh / dev=dev.kaz.bzh / local=kaz.local
+domain=kaz.sns
+
+########################################
+# choix du domaine des mails sympa
+# prod=kaz.bzh / dev=kaz2.ovh / local=kaz.local
+domain_sympa=listes.kaz.sns
+
+########################################
+# choix d'un serveur partiel
+# site=site-2
+site=site-2
+
+########################################
+# Pour garradin qui met en "dure" dans
+# sa config l'URL pour l'atteindre
+
+# prod=https (gandi) / dev=https (letsencrypt) / local=http
+httpProto=https
+
+# prod=89.234.186.111 / dev=192.168.57.1 / local=127.0.0.1
+MAIN_IP=100.81.0.2
+
+# prod=89.234.186.151 / dev=192.168.57.2 / local=127.0.0.2
+SYMPA_IP=100.81.1.2
+
+########################################
+# noms des services
+
+# ou www (mais bof)
+webHost=
+
+cachetHost=cachet
+calcHost=tableur
+cloudHost=cloud
+dateHost=sondage
+dokuwikiHost=wiki
+fileHost=depot
+garHost=garradin
+gitHost=git
+gravHost=grav
+ldapHost=ldap
+matterHost=agora
+officeHost=office
+padHost=pad
+quotasHost=quotas
+smtpHost=smtp
+sympaHost=listes
+vigiloHost=vigilo
+webmailHost=webmail
+wordpressHost=wp
+ldapUIHost=mdp
+mobilizonHost=mobilizon
+vaultwardenHost=koffre
+traefikHost=dashboard
+
+########################################
+# ports internes
+
+matterPort=8000
+
+########################################
+# noms des containers
+
+cachetServName=cachetServ
+dokuwikiServName=dokuwikiServ
+ethercalcServName=ethercalcServ
+etherpadServName=etherpadServ
+framadateServName=framadateServ
+garradinServName=garradinServ
+gitServName=gitServ
+gravServName=gravServ
+jirafeauServName=jirafeauServ
+ldapServName=ldapServ
+mattermostServName=mattermostServ
+nextcloudServName=nextcloudServ
+officeServName=officeServ
+proxyServName=proxyServ
+traefikServName=traefikServ
+quotasServName=quotasServ
+roundcubeServName=roundcubeServ
+smtpServName=mailServ
+sympaServName=sympaServ
+vigiloServName=vigiloServ
+webServName=webServ
+wordpressServName=wpServ
+mobilizonServName=mobilizonServ
+vaultwardenServName=vaultwardenServ
+
+cachetDBName=cachetDB
+ethercalcDBName=ethercalcDB
+etherpadDBName=etherpadDB
+framadateDBName=framadateDB
+gitDBName=gitDB
+mattermostDBName=mattermostDB
+nextcloudDBName=nextcloudDB
+quotasDBName=quotasDB
+roundcubeDBName=roundcubeDB
+sympaDBName=sympaDB
+vigiloDBName=vigiloDB
+wordpressDBName=wpDB
+mobilizonDBName=mobilizonDB
+vaultwardenDBName=vaultwardenDB
+
+ldapUIName=ldapUI
+
+########################################
+# politique de redémarrage
+# prod=always / test=unless-stopped / local=no
+restartPolicy=no
+
+########################################
+# devrait être dans env-jirafeauServ
+# mais seuls les variables de ".env" sont
+# utilisables pour le montage des volumes
+
+jirafeauDir=/var/jirafeauData/lkuDM16R5Sp4QHr/
+
+ldap_root=dc=kaz,dc=sns
+
+########################################
+# services activés par container.sh
+# variables d'environneements utilisées
+# pour le tmpl du mandataire (proxy)

files/snster-kaz/kaz2/prod2/kaz.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+if [ -z "${SNSTERGUARD}" ] ; then
+    exit 1
+fi
+
+DIR=$(cd "$(dirname $0)"; pwd)
+cd "${DIR}"
+set -e
+export OUTPUT_DIR="/root/install"
+
+
+mkdir -p "${OUTPUT_DIR}/log/"
+export DebugLog="${OUTPUT_DIR}/log/log-kaz-$(date +%y-%m-%d-%T)-"
+(
+    echo "########## ********** Start kaz.sh $(date +%D-%T)"
+
+    docker-clean -a
+    rm -rf /kaz
+
+    if [ -z "${KAZBRANCH}" ] ; then
+	     KAZBRANCH="master"
+    fi
+    echo -e "\n    #### git checkout ${KAZBRANCH}\n"
+
+    # copie des sources
+    cd /
+    git clone https://git.kaz.bzh/KAZ/kaz.git
+    (cd /kaz ; git checkout "${KAZBRANCH}" )
+
+    cp "${DIR}/kaz-config/dockers.env" /kaz/config/dockers.env
+    for type in mail orga proxy withMail withoutMail ; do
+	     [ -f "${DIR}/kaz-config/container-${type}.list" ] &&
+       cp  "${DIR}/kaz-config/container-${type}.list" /kaz/config/
+    done
+
+    echo -e "\n    #### secretGen\n"
+    /kaz/bin/secretGen.sh
+
+    echo -e "\n    #### install\n"
+	  /kaz/bin/install.sh
+
+    # clear apt cache
+    DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
+    DEBIAN_FRONTEND=noninteractive apt-get clean
+
+    echo "########## ********** End kaz.sh $(date +%D-%T)"
+)  > >(tee ${DebugLog}stdout.log) 2> >(tee ${DebugLog}stderr.log >&2)

files/snster-kaz/kaz2/prod2/provision.sh

@@ -0,0 +1,130 @@
+#!/bin/bash
+# Target DMZ
+set -e
+if [ -z $SNSTERGUARD ] ; then exit 1; fi
+DIR=`dirname $0`
+cd `dirname $0`
+
+# disable systemd-resolved which conflicts with nsd
+echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
+systemctl stop systemd-resolved
+
+DEBIAN_FRONTEND=noninteractive apt-get update
+DEBIAN_FRONTEND=noninteractive apt-get remove -y apache2
+DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
+
+
+# Go KAZ !
+# KAZ specific things
+#installation de docker, docker-compose et on y fourre le user debian dans le groupe idoine
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y dos2unix jq ldapvi argon2 docker.io docker-clean git apg curl sudo unzip rsync btrfs-progs ldap-utils unaccent # fuse-overlayfs
+usermod -G docker debian
+
+# docker-compose
+curl -SL https://github.com/docker/compose/releases/download/v2.17.3/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose
+sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
+chmod +x /usr/bin/docker-compose
+
+# activation dans alias dans /root/.bashrc
+sed -i \
+-e 's/^\# alias/alias/g' \
+-e 's/^\# export/export/g' \
+-e 's/^\# eval/eval/g' \
+/root/.bashrc
+
+if ! grep -q "for file in /dockers" /root/.bashrc 2>/dev/null; then
+cat >> /root/.bashrc <<EOF
+# enable bash completion in interactive shells
+if ! shopt -oq posix; then
+if [ -f /usr/share/bash-completion/bash_completion ]; then
+. /usr/share/bash-completion/bash_completion
+elif [ -f /etc/bash_completion ]; then
+. /etc/bash_completion
+fi
+fi
+for file in /kaz/bin/.*-completion.bash ; do
+source "\${file}"
+done
+EOF
+fi
+
+
+# On met le GUARD pour la mise au point
+echo "export SNSTERGUARD='true'" >> /root/.bashrc
+
+
+# On place les certifs
+if  [ -d letsencrypt ]; then
+  cp -ar letsencrypt /etc/
+  cp /etc/letsencrypt/local/rootCA.pem /usr/local/share/ca-certificates/rootCA.crt
+  /usr/sbin/update-ca-certificates --fresh
+fi
+
+# On sauve le proxy APT
+proxy=$(/sbin/ip route | awk '/default/ { print $3 }' | head -1)
+sed -i -e "s/^proxy.*$/proxy=$proxy/" /usr/local/sbin/detect_proxy.sh
+#echo "export http_proxy=\"http://$proxy:3142\"" > /etc/profile.d/proxy.sh
+#echo "export https_proxy=\"http://$proxy:3142\"" >> /etc/profile.d/proxy.sh
+
+# Proxy pour les environnements durant les dockerbuilds
+mkdir /root/.docker
+echo "{
+ \"proxies\":
+ {
+   \"default\":
+   {
+     \"httpProxy\": \"http://$proxy:3142\",
+     \"httpsProxy\": \"http://$proxy:3142\",
+     \"noProxy\": \"*.sns,127.0.0.0/8,100.64.0.0/10,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16\"
+   }
+ }
+}" > /root/.docker/config.json
+
+# Proxy pour les docker pull -> commenté car pas de cache avec dockerhub
+# echo "http_proxy=\"http://$proxy:3142\"
+# https_proxy=\"http://$proxy:3142\"
+# no_proxy=\"*.sns,127.0.0.0/8,100.64.0.0/10,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16\"
+# " >> /etc/default/docker
+
+# On active btrfs+registry miroir pour docker
+cat >> /etc/docker/daemon.json <<EOF
+{ "storage-driver": "btrfs",
+"registry-mirrors": ["http://$proxy:5000"] }
+EOF
+service docker restart
+
+# clear apt cache
+DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
+DEBIAN_FRONTEND=noninteractive apt-get clean
+
+# On installe Kaz
+ifconfig lo:0 100.81.0.2
+echo "100.81.0.2 smtp imap www mail cloud cloud.kaz.sns tableur tableur.kaz.sns webmail webmail.kaz.sns garradin garradin.kaz.sns wiki wiki.kaz.sns git git.kaz.sns office office.kaz.sns depot depot.kaz.sns ldap ldap.kaz.sns mdp mdp.kaz.sns koffre koffre.kaz.sns pad pad.kaz.sns agora agora.kaz.sns dashboard dashboard.kaz.sns" >> /etc/hosts
+cp "${DIR}/kaz.sh" /root/kaz.sh
+cp "${DIR}/createUser.txt" /root/
+cp -ar "${DIR}/kaz-config" /root/
+chmod +x /root/kaz.sh
+bash "/root/kaz.sh"
+sed -i -e "s/100.81.0.2.*//g" /etc/hosts
+
+
+# On démarre au boot
+echo -e '#!/bin/sh\n/kaz/bin/container.sh start' >> /etc/rc.local
+chmod +x /etc/rc.local
+
+
+# notes fuse-overlayfs :
+#mknod -m 666 /dev/fuse c 10 229
+#echo -e '#!/bin/sh\nmknod -m 666 /dev/fuse c 10 229' >> /etc/rc.local
+#chmod +x /etc/rc.local
+
+# lxc.cgroup2.devices.allow = b 7:* rwm
+# lxc.cgroup2.devices.allow = c 10:237 rwm
+#
+# mknod -m 666 /dev/loop0 b 7 0
+# mknod -m 666 /dev/loop-control c 10 237
+# truncate -s 30G /root/varlibdocker.img
+# mkfs.btrfs /root/varlibdocker.img
+# losetup -f /root/varlibdocker.img
+# mount /dev/loop0 /var/lib/docker

files/vm-provision.sh

@@ -221,6 +221,7 @@ auth:
     # crypto keys
     cp -ar /etc/letsencrypt /root/snster-kaz/kaz/prod/
     cp -ar /etc/letsencrypt /root/snster-kaz/isp-a/home/
+    cp -ar /etc/letsencrypt /root/snster-kaz/kaz2/prod2/
 
     # On lie le filesystem de kaz-prod dans le /kaz de la VM pour le dév
     ln -s /var/lib/lxc/kaz-kaz-prod/rootfs/ /kaz-prod