ajout du site 2

This commit is contained in:
Francois Lesueur 2023-05-17 10:08:25 +02:00
parent e843e6fc74
commit ca77a73d78
10 changed files with 379 additions and 0 deletions


@ -0,0 +1,39 @@
version: 1
header:
name: Kaz2 AS
comment: AS of the Kaz organization, 2ndary server
hosts:
router:
master: alpine
network:
interfaces:
eth0:
bridge: transit-a
ipv4: 100.64.0.11/24
ipv6: 2001:db8:b000::11/48
eth1:
bridge: kaz2-lan1
ipv4: 100.81.0.1/24
templates:
- bgprouter:
asn: 11
asdev: eth1
neighbors4: 100.64.0.1 as 30
neighbors6: 2001:db8:b000::1 as 30
- resolv:
ns: 100.100.100.100
domain: kaz.sns
prod2:
network:
interfaces:
eth0:
bridge: kaz2-lan1
ipv4: 100.81.0.2/24
templates:
- updatecaroots:
- resolv:
domain: kaz.sns
ns: 100.100.100.100
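Review bot: `- updatecaroots:` with nothing after the colon parses as a one-key mapping whose value is null, unlike the neighbouring `- resolv:` entries that carry parameters; if the template loader iterates over a template's parameters, `- updatecaroots: {}` states the intent explicitly and avoids a null check downstream. The indentation of this file is lost in the rendering, so the nesting of `hosts`/`network`/`templates` cannot be checked from here. The `resolv` parameters are also listed in a different key order for `router` (ns, domain) and `prod2` (domain, ns); using the same order on both hosts makes the two stanzas easier to compare.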


@ -0,0 +1,4 @@
# e-mail server composer
#ldap
#postfix
#sympa
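Review bot: Every entry in this list is commented out, and the same holds for the orga, proxy and the two remaining container lists added below, so the files that kaz.sh copies into /kaz/config/ activate no container on site 2. If that is the intended initial state of the new site, a comment under the header saying so, e.g. `# intentionally empty: no mail service on site 2 yet`, keeps a later reader from treating the empty lists as an oversight.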


@ -0,0 +1 @@
# orga composer


@ -0,0 +1,2 @@
#proxy
#traefik


@ -0,0 +1,12 @@
#cloud
#dokuwiki
#framadate
#garradin
#gitea
#jirafeau
#mattermost
#roundcube
#keycloak
#mobilizon
#vaultwarden
#ldap


@ -0,0 +1,9 @@
#cachet
#jirafeau
#ethercalc
#collabora
#ethercalc
#etherpad
#quotas
#web
#vigilo
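Review bot: `#ethercalc` appears twice in this list (third and fifth lines); once both are uncommented the service is listed twice, whereas the list above names each service once. Drop one of the two `#ethercalc` lines.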


@ -0,0 +1,134 @@
# Les variables d'environnements utilisées
# par les dockers via le lien :
# .env -> ../../config/dockers.env
#######################################
# prod / dev / local
mode=local
########################################
# choix du domaine
# prod=kaz.bzh / dev=dev.kaz.bzh / local=kaz.local
domain=kaz.sns
########################################
# choix du domaine des mails sympa
# prod=kaz.bzh / dev=kaz2.ovh / local=kaz.local
domain_sympa=listes.kaz.sns
########################################
# choix d'un serveur partiel
# site=site-2
site=site-2
########################################
# Pour garradin qui met en "dure" dans
# sa config l'URL pour l'atteindre
# prod=https (gandi) / dev=https (letsencrypt) / local=http
httpProto=https
# prod=89.234.186.111 / dev=192.168.57.1 / local=127.0.0.1
MAIN_IP=100.81.0.2
# prod=89.234.186.151 / dev=192.168.57.2 / local=127.0.0.2
SYMPA_IP=100.81.1.2
########################################
# noms des services
# ou www (mais bof)
webHost=
cachetHost=cachet
calcHost=tableur
cloudHost=cloud
dateHost=sondage
dokuwikiHost=wiki
fileHost=depot
garHost=garradin
gitHost=git
gravHost=grav
ldapHost=ldap
matterHost=agora
officeHost=office
padHost=pad
quotasHost=quotas
smtpHost=smtp
sympaHost=listes
vigiloHost=vigilo
webmailHost=webmail
wordpressHost=wp
ldapUIHost=mdp
mobilizonHost=mobilizon
vaultwardenHost=koffre
traefikHost=dashboard
########################################
# ports internes
matterPort=8000
########################################
# noms des containers
cachetServName=cachetServ
dokuwikiServName=dokuwikiServ
ethercalcServName=ethercalcServ
etherpadServName=etherpadServ
framadateServName=framadateServ
garradinServName=garradinServ
gitServName=gitServ
gravServName=gravServ
jirafeauServName=jirafeauServ
ldapServName=ldapServ
mattermostServName=mattermostServ
nextcloudServName=nextcloudServ
officeServName=officeServ
proxyServName=proxyServ
traefikServName=traefikServ
quotasServName=quotasServ
roundcubeServName=roundcubeServ
smtpServName=mailServ
sympaServName=sympaServ
vigiloServName=vigiloServ
webServName=webServ
wordpressServName=wpServ
mobilizonServName=mobilizonServ
vaultwardenServName=vaultwardenServ
cachetDBName=cachetDB
ethercalcDBName=ethercalcDB
etherpadDBName=etherpadDB
framadateDBName=framadateDB
gitDBName=gitDB
mattermostDBName=mattermostDB
nextcloudDBName=nextcloudDB
quotasDBName=quotasDB
roundcubeDBName=roundcubeDB
sympaDBName=sympaDB
vigiloDBName=vigiloDB
wordpressDBName=wpDB
mobilizonDBName=mobilizonDB
vaultwardenDBName=vaultwardenDB
ldapUIName=ldapUI
########################################
# politique de redémarrage
# prod=always / test=unless-stopped / local=no
restartPolicy=no
########################################
# devrait être dans env-jirafeauServ
# mais seuls les variables de ".env" sont
# utilisables pour le montage des volumes
jirafeauDir=/var/jirafeauData/lkuDM16R5Sp4QHr/
ldap_root=dc=kaz,dc=sns
########################################
# services activés par container.sh
# variables d'environneements utilisées
# pour le tmpl du mandataire (proxy)
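Review bot: `httpProto=https` contradicts the comment directly above it (`prod=https / dev=https / local=http`) while `mode=local` and `restartPolicy=no` follow the local profile; either the value or the comment should change so that the URL garradin hard-codes matches how site 2 is actually served. `SYMPA_IP=100.81.1.2` lies in 100.81.1.0/24, a subnet the site-2 topology file in this commit attaches to no interface (prod2 only has 100.81.0.2/24); that is presumably fine if sympa is not hosted on this site, but a comment would save the next reader the cross-check. `jirafeauDir=/var/jirafeauData/lkuDM16R5Sp4QHr/` embeds what looks like a random path segment in a committed env file; if that segment is meant to be unguessable per deployment, generating it when secretGen.sh runs is the safer place for it.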


@ -0,0 +1,47 @@
#!/bin/bash
if [ -z "${SNSTERGUARD}" ] ; then
exit 1
fi
DIR=$(cd "$(dirname $0)"; pwd)
cd "${DIR}"
set -e
export OUTPUT_DIR="/root/install"
mkdir -p "${OUTPUT_DIR}/log/"
export DebugLog="${OUTPUT_DIR}/log/log-kaz-$(date +%y-%m-%d-%T)-"
(
echo "########## ********** Start kaz.sh $(date +%D-%T)"
docker-clean -a
rm -rf /kaz
if [ -z "${KAZBRANCH}" ] ; then
KAZBRANCH="master"
fi
echo -e "\n #### git checkout ${KAZBRANCH}\n"
# copie des sources
cd /
git clone https://git.kaz.bzh/KAZ/kaz.git
(cd /kaz ; git checkout "${KAZBRANCH}" )
cp "${DIR}/kaz-config/dockers.env" /kaz/config/dockers.env
for type in mail orga proxy withMail withoutMail ; do
[ -f "${DIR}/kaz-config/container-${type}.list" ] &&
cp "${DIR}/kaz-config/container-${type}.list" /kaz/config/
done
echo -e "\n #### secretGen\n"
/kaz/bin/secretGen.sh
echo -e "\n #### install\n"
/kaz/bin/install.sh
# clear apt cache
DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
DEBIAN_FRONTEND=noninteractive apt-get clean
echo "########## ********** End kaz.sh $(date +%D-%T)"
) > >(tee ${DebugLog}stdout.log) 2> >(tee ${DebugLog}stderr.log >&2)
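Review bot: The `SNSTERGUARD` guard at the top exits silently with status 1, so a manual run of /root/kaz.sh gives no hint why nothing happened; adding `echo "SNSTERGUARD is not set, refusing to run" >&2` before the `exit 1` makes the refusal self-explanatory. `DIR=$(cd "$(dirname $0)"; pwd)` leaves `$0` unquoted; `$(dirname "$0")` matches the quoting used on the surrounding lines. The clone of kaz.git is pinned only to a branch (default master), so two provisions of site 2 can end up with different code; if reproducibility matters, let KAZBRANCH carry a tag or commit and log the resulting `git rev-parse HEAD` into the DebugLog.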


@ -0,0 +1,130 @@
#!/bin/bash
# Target DMZ
set -e
if [ -z $SNSTERGUARD ] ; then exit 1; fi
DIR=`dirname $0`
cd `dirname $0`
# disable systemd-resolved which conflicts with nsd
echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
systemctl stop systemd-resolved
DEBIAN_FRONTEND=noninteractive apt-get update
DEBIAN_FRONTEND=noninteractive apt-get remove -y apache2
DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
# Go KAZ !
# KAZ specific things
#installation de docker, docker-compose et on y fourre le user debian dans le groupe idoine
DEBIAN_FRONTEND=noninteractive apt-get install -y dos2unix jq ldapvi argon2 docker.io docker-clean git apg curl sudo unzip rsync btrfs-progs ldap-utils unaccent # fuse-overlayfs
usermod -G docker debian
# docker-compose
curl -SL https://github.com/docker/compose/releases/download/v2.17.3/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose
sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
chmod +x /usr/bin/docker-compose
# activation dans alias dans /root/.bashrc
sed -i \
-e 's/^\# alias/alias/g' \
-e 's/^\# export/export/g' \
-e 's/^\# eval/eval/g' \
/root/.bashrc
if ! grep -q "for file in /dockers" /root/.bashrc 2>/dev/null; then
cat >> /root/.bashrc <<EOF
# enable bash completion in interactive shells
if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then
. /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
fi
for file in /kaz/bin/.*-completion.bash ; do
source "\${file}"
done
EOF
fi
# On met le GUARD pour la mise au point
echo "export SNSTERGUARD='true'" >> /root/.bashrc
# On place les certifs
if [ -d letsencrypt ]; then
cp -ar letsencrypt /etc/
cp /etc/letsencrypt/local/rootCA.pem /usr/local/share/ca-certificates/rootCA.crt
/usr/sbin/update-ca-certificates --fresh
fi
# On sauve le proxy APT
proxy=$(/sbin/ip route | awk '/default/ { print $3 }' | head -1)
sed -i -e "s/^proxy.*$/proxy=$proxy/" /usr/local/sbin/detect_proxy.sh
#echo "export http_proxy=\"http://$proxy:3142\"" > /etc/profile.d/proxy.sh
#echo "export https_proxy=\"http://$proxy:3142\"" >> /etc/profile.d/proxy.sh
# Proxy pour les environnements durant les dockerbuilds
mkdir /root/.docker
echo "{
\"proxies\":
{
\"default\":
{
\"httpProxy\": \"http://$proxy:3142\",
\"httpsProxy\": \"http://$proxy:3142\",
\"noProxy\": \"*.sns,127.0.0.0/8,100.64.0.0/10,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16\"
}
}
}" > /root/.docker/config.json
# Proxy pour les docker pull -> commenté car pas de cache avec dockerhub
# echo "http_proxy=\"http://$proxy:3142\"
# https_proxy=\"http://$proxy:3142\"
# no_proxy=\"*.sns,127.0.0.0/8,100.64.0.0/10,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16\"
# " >> /etc/default/docker
# On active btrfs+registry miroir pour docker
cat >> /etc/docker/daemon.json <<EOF
{ "storage-driver": "btrfs",
"registry-mirrors": ["http://$proxy:5000"] }
EOF
service docker restart
# clear apt cache
DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
DEBIAN_FRONTEND=noninteractive apt-get clean
# On installe Kaz
ifconfig lo:0 100.81.0.2
echo "100.81.0.2 smtp imap www mail cloud cloud.kaz.sns tableur tableur.kaz.sns webmail webmail.kaz.sns garradin garradin.kaz.sns wiki wiki.kaz.sns git git.kaz.sns office office.kaz.sns depot depot.kaz.sns ldap ldap.kaz.sns mdp mdp.kaz.sns koffre koffre.kaz.sns pad pad.kaz.sns agora agora.kaz.sns dashboard dashboard.kaz.sns" >> /etc/hosts
cp "${DIR}/kaz.sh" /root/kaz.sh
cp "${DIR}/createUser.txt" /root/
cp -ar "${DIR}/kaz-config" /root/
chmod +x /root/kaz.sh
bash "/root/kaz.sh"
sed -i -e "s/100.81.0.2.*//g" /etc/hosts
# On démarre au boot
echo -e '#!/bin/sh\n/kaz/bin/container.sh start' >> /etc/rc.local
chmod +x /etc/rc.local
# notes fuse-overlayfs :
#mknod -m 666 /dev/fuse c 10 229
#echo -e '#!/bin/sh\nmknod -m 666 /dev/fuse c 10 229' >> /etc/rc.local
#chmod +x /etc/rc.local
# lxc.cgroup2.devices.allow = b 7:* rwm
# lxc.cgroup2.devices.allow = c 10:237 rwm
#
# mknod -m 666 /dev/loop0 b 7 0
# mknod -m 666 /dev/loop-control c 10 237
# truncate -s 30G /root/varlibdocker.img
# mkfs.btrfs /root/varlibdocker.img
# losetup -f /root/varlibdocker.img
# mount /dev/loop0 /var/lib/docker
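Review bot: `usermod -G docker debian` replaces the debian user's whole supplementary-group list with just `docker`, dropping any group (sudo, adm, …) the image granted beforehand; the append form `usermod -aG docker debian` is what is meant. `cat >> /etc/docker/daemon.json <<EOF` appends a second JSON object if the file already exists, which the daemon rejects on restart; write it with `>` or merge with jq, which this script installs. The docker-compose download uses `curl -SL` without `-f`, so an HTTP error page would be saved and `chmod +x`-ed as the binary, and nothing verifies the artifact: add `-f` and check the file against the published sha256 for v2.17.3 (`echo "<EXPECTED_SHA256>  /usr/local/bin/docker-compose" | sha256sum -c -`). `[ -z $SNSTERGUARD ]` on the fourth line only works because `[ -z ]` with a missing operand happens to be true; quoting it as kaz.sh does (`[ -z "${SNSTERGUARD}" ]`) removes the dependence on that quirk. `ifconfig` (net-tools) is not in the apt-get install list, so if the base image lacks it the `lo:0` setup fails under `set -e`; `ip addr add 100.81.0.2/32 dev lo` is the iproute2 equivalent.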


@ -221,6 +221,7 @@ auth:
# crypto keys # crypto keys
cp -ar /etc/letsencrypt /root/snster-kaz/kaz/prod/ cp -ar /etc/letsencrypt /root/snster-kaz/kaz/prod/
cp -ar /etc/letsencrypt /root/snster-kaz/isp-a/home/ cp -ar /etc/letsencrypt /root/snster-kaz/isp-a/home/
cp -ar /etc/letsencrypt /root/snster-kaz/kaz2/prod2/
# On lie le filesystem de kaz-prod dans le /kaz de la VM pour le dév # On lie le filesystem de kaz-prod dans le /kaz de la VM pour le dév
ln -s /var/lib/lxc/kaz-kaz-prod/rootfs/ /kaz-prod ln -s /var/lib/lxc/kaz-kaz-prod/rootfs/ /kaz-prod