ajout du site 2
This commit is contained in:
parent
e843e6fc74
commit
ca77a73d78
39
files/snster-kaz/kaz2/group.yml
Normal file
39
files/snster-kaz/kaz2/group.yml
Normal file
@ -0,0 +1,39 @@
|
|||||||
|
version: 1
|
||||||
|
|
||||||
|
header:
|
||||||
|
name: Kaz2 AS
|
||||||
|
comment: AS of the Kaz organization, 2ndary server
|
||||||
|
|
||||||
|
hosts:
|
||||||
|
router:
|
||||||
|
master: alpine
|
||||||
|
network:
|
||||||
|
interfaces:
|
||||||
|
eth0:
|
||||||
|
bridge: transit-a
|
||||||
|
ipv4: 100.64.0.11/24
|
||||||
|
ipv6: 2001:db8:b000::11/48
|
||||||
|
eth1:
|
||||||
|
bridge: kaz2-lan1
|
||||||
|
ipv4: 100.81.0.1/24
|
||||||
|
templates:
|
||||||
|
- bgprouter:
|
||||||
|
asn: 11
|
||||||
|
asdev: eth1
|
||||||
|
neighbors4: 100.64.0.1 as 30
|
||||||
|
neighbors6: 2001:db8:b000::1 as 30
|
||||||
|
- resolv:
|
||||||
|
ns: 100.100.100.100
|
||||||
|
domain: kaz.sns
|
||||||
|
|
||||||
|
prod2:
|
||||||
|
network:
|
||||||
|
interfaces:
|
||||||
|
eth0:
|
||||||
|
bridge: kaz2-lan1
|
||||||
|
ipv4: 100.81.0.2/24
|
||||||
|
templates:
|
||||||
|
- updatecaroots:
|
||||||
|
- resolv:
|
||||||
|
domain: kaz.sns
|
||||||
|
ns: 100.100.100.100
|
@ -0,0 +1,4 @@
|
|||||||
|
# e-mail server composer
|
||||||
|
#ldap
|
||||||
|
#postfix
|
||||||
|
#sympa
|
@ -0,0 +1 @@
|
|||||||
|
# orga composer
|
@ -0,0 +1,2 @@
|
|||||||
|
#proxy
|
||||||
|
#traefik
|
@ -0,0 +1,12 @@
|
|||||||
|
#cloud
|
||||||
|
#dokuwiki
|
||||||
|
#framadate
|
||||||
|
#garradin
|
||||||
|
#gitea
|
||||||
|
#jirafeau
|
||||||
|
#mattermost
|
||||||
|
#roundcube
|
||||||
|
#keycloak
|
||||||
|
#mobilizon
|
||||||
|
#vaultwarden
|
||||||
|
#ldap
|
@ -0,0 +1,9 @@
|
|||||||
|
#cachet
|
||||||
|
#jirafeau
|
||||||
|
#ethercalc
|
||||||
|
#collabora
|
||||||
|
#ethercalc
|
||||||
|
#etherpad
|
||||||
|
#quotas
|
||||||
|
#web
|
||||||
|
#vigilo
|
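Review bot: `#ethercalc` appears twice in this list (third and fifth entries), which looks like a copy-paste slip; removing one of them avoids an ambiguous double entry if these lines are later uncommented. This hunk's file header is not shown on the page, so the path is only inferred to be one of the container-*.list files that kaz.sh copies into /kaz/config/.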
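--- a/files/snster-kaz/kaz2/prod2/kaz-config/dockers.env
+++ b/files/snster-kaz/kaz2/prod2/kaz-config/dockers.env
@@ -0,0 +1,134 @@
+# Les variables d'environnements utilisées
+# par les dockers via le lien :
+# .env -> ../../config/dockers.env
+
+#######################################
+# prod / dev / local
+mode=local
+
+########################################
+# choix du domaine
+# prod=kaz.bzh / dev=dev.kaz.bzh / local=kaz.local
+domain=kaz.sns
+
+########################################
+# choix du domaine des mails sympa
+# prod=kaz.bzh / dev=kaz2.ovh / local=kaz.local
+domain_sympa=listes.kaz.sns
+
+########################################
+# choix d'un serveur partiel
+# site=site-2
+site=site-2
+
+########################################
+# Pour garradin qui met en "dure" dans
+# sa config l'URL pour l'atteindre
+
+# prod=https (gandi) / dev=https (letsencrypt) / local=http
+httpProto=https
+
+# prod=89.234.186.111 / dev=192.168.57.1 / local=127.0.0.1
+MAIN_IP=100.81.0.2
+
+# prod=89.234.186.151 / dev=192.168.57.2 / local=127.0.0.2
+SYMPA_IP=100.81.1.2
+
+########################################
+# noms des services
+
+# ou www (mais bof)
+webHost=
+
+cachetHost=cachet
+calcHost=tableur
+cloudHost=cloud
+dateHost=sondage
+dokuwikiHost=wiki
+fileHost=depot
+garHost=garradin
+gitHost=git
+gravHost=grav
+ldapHost=ldap
+matterHost=agora
+officeHost=office
+padHost=pad
+quotasHost=quotas
+smtpHost=smtp
+sympaHost=listes
+vigiloHost=vigilo
+webmailHost=webmail
+wordpressHost=wp
+ldapUIHost=mdp
+mobilizonHost=mobilizon
+vaultwardenHost=koffre
+traefikHost=dashboard
+
+########################################
+# ports internes
+
+matterPort=8000
+
+########################################
+# noms des containers
+
+cachetServName=cachetServ
+dokuwikiServName=dokuwikiServ
+ethercalcServName=ethercalcServ
+etherpadServName=etherpadServ
+framadateServName=framadateServ
+garradinServName=garradinServ
+gitServName=gitServ
+gravServName=gravServ
+jirafeauServName=jirafeauServ
+ldapServName=ldapServ
+mattermostServName=mattermostServ
+nextcloudServName=nextcloudServ
+officeServName=officeServ
+proxyServName=proxyServ
+traefikServName=traefikServ
+quotasServName=quotasServ
+roundcubeServName=roundcubeServ
+smtpServName=mailServ
+sympaServName=sympaServ
+vigiloServName=vigiloServ
+webServName=webServ
+wordpressServName=wpServ
+mobilizonServName=mobilizonServ
+vaultwardenServName=vaultwardenServ
+
+cachetDBName=cachetDB
+ethercalcDBName=ethercalcDB
+etherpadDBName=etherpadDB
+framadateDBName=framadateDB
+gitDBName=gitDB
+mattermostDBName=mattermostDB
+nextcloudDBName=nextcloudDB
+quotasDBName=quotasDB
+roundcubeDBName=roundcubeDB
+sympaDBName=sympaDB
+vigiloDBName=vigiloDB
+wordpressDBName=wpDB
+mobilizonDBName=mobilizonDB
+vaultwardenDBName=vaultwardenDB
+
+ldapUIName=ldapUI
+
+########################################
+# politique de redémarrage
+# prod=always / test=unless-stopped / local=no
+restartPolicy=no
+
+########################################
+# devrait être dans env-jirafeauServ
+# mais seuls les variables de ".env" sont
+# utilisables pour le montage des volumes
+
+jirafeauDir=/var/jirafeauData/lkuDM16R5Sp4QHr/
+
+ldap_root=dc=kaz,dc=sns
+
+########################################
+# services activés par container.sh
+# variables d'environneements utilisées
+# pour le tmpl du mandataire (proxy)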
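Review bot: `SYMPA_IP=100.81.1.2` is outside the 100.81.0.0/24 that `MAIN_IP=100.81.0.2` and the prod2 eth0 address in group.yml use, and provision.sh in this commit only aliases 100.81.0.2 onto lo:0, so the sympa address looks unreachable on this site unless something not shown here routes 100.81.1.0/24. If that is intentional, a comment such as `# SYMPA_IP is on a separate /24, see <where it is routed>` next to it would save the next reader the same question; otherwise an address in 100.81.0.0/24 is probably meant. `jirafeauDir=/var/jirafeauData/lkuDM16R5Sp4QHr/` carries a token-like path component in a committed config file; if that component is meant to be unguessable it should not live in the repository, and if it is arbitrary, a one-line comment saying so would make that clear.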
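--- a/files/snster-kaz/kaz2/prod2/kaz.sh
+++ b/files/snster-kaz/kaz2/prod2/kaz.sh
@@ -0,0 +1,47 @@
+#!/bin/bash
+if [ -z "${SNSTERGUARD}" ] ; then
+exit 1
+fi
+
+DIR=$(cd "$(dirname $0)"; pwd)
+cd "${DIR}"
+set -e
+export OUTPUT_DIR="/root/install"
+
+
+mkdir -p "${OUTPUT_DIR}/log/"
+export DebugLog="${OUTPUT_DIR}/log/log-kaz-$(date +%y-%m-%d-%T)-"
+(
+echo "########## ********** Start kaz.sh $(date +%D-%T)"
+
+docker-clean -a
+rm -rf /kaz
+
+if [ -z "${KAZBRANCH}" ] ; then
+KAZBRANCH="master"
+fi
+echo -e "\n #### git checkout ${KAZBRANCH}\n"
+
+# copie des sources
+cd /
+git clone https://git.kaz.bzh/KAZ/kaz.git
+(cd /kaz ; git checkout "${KAZBRANCH}" )
+
+cp "${DIR}/kaz-config/dockers.env" /kaz/config/dockers.env
+for type in mail orga proxy withMail withoutMail ; do
+[ -f "${DIR}/kaz-config/container-${type}.list" ] &&
+cp "${DIR}/kaz-config/container-${type}.list" /kaz/config/
+done
+
+echo -e "\n #### secretGen\n"
+/kaz/bin/secretGen.sh
+
+echo -e "\n #### install\n"
+/kaz/bin/install.sh
+
+# clear apt cache
+DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
+DEBIAN_FRONTEND=noninteractive apt-get clean
+
+echo "########## ********** End kaz.sh $(date +%D-%T)"
+) > >(tee ${DebugLog}stdout.log) 2> >(tee ${DebugLog}stderr.log >&2)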
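Review bot: `git clone https://git.kaz.bzh/KAZ/kaz.git` followed by `git checkout "${KAZBRANCH}"` (default `master`) runs `/kaz/bin/secretGen.sh` and `/kaz/bin/install.sh` as root from whatever the branch tip is at provisioning time, so two runs of this script can execute different code and nothing records which revision was used. Pinning KAZBRANCH to a tag or commit in practice, and logging the resolved revision right after the checkout, e.g. `echo "kaz checked out at $(git -C /kaz rev-parse HEAD)"`, gives a reproducible build and an audit trail in ${DebugLog}. `DIR=$(cd "$(dirname $0)"; pwd)` leaves `$0` unquoted; `"$(dirname "$0")"` is the safer spelling. `set -e` is enabled only after `cd "${DIR}"`, so a failed cd is silently ignored — moving `set -e` above it avoids that.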
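--- a/files/snster-kaz/kaz2/prod2/provision.sh
+++ b/files/snster-kaz/kaz2/prod2/provision.sh
@@ -0,0 +1,130 @@
+#!/bin/bash
+# Target DMZ
+set -e
+if [ -z $SNSTERGUARD ] ; then exit 1; fi
+DIR=`dirname $0`
+cd `dirname $0`
+
+# disable systemd-resolved which conflicts with nsd
+echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
+systemctl stop systemd-resolved
+
+DEBIAN_FRONTEND=noninteractive apt-get update
+DEBIAN_FRONTEND=noninteractive apt-get remove -y apache2
+DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
+
+
+# Go KAZ !
+# KAZ specific things
+#installation de docker, docker-compose et on y fourre le user debian dans le groupe idoine
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y dos2unix jq ldapvi argon2 docker.io docker-clean git apg curl sudo unzip rsync btrfs-progs ldap-utils unaccent # fuse-overlayfs
+usermod -G docker debian
+
+# docker-compose
+curl -SL https://github.com/docker/compose/releases/download/v2.17.3/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose
+sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
+chmod +x /usr/bin/docker-compose
+
+# activation dans alias dans /root/.bashrc
+sed -i \
+-e 's/^\# alias/alias/g' \
+-e 's/^\# export/export/g' \
+-e 's/^\# eval/eval/g' \
+/root/.bashrc
+
+if ! grep -q "for file in /dockers" /root/.bashrc 2>/dev/null; then
+cat >> /root/.bashrc <<EOF
+# enable bash completion in interactive shells
+if ! shopt -oq posix; then
+if [ -f /usr/share/bash-completion/bash_completion ]; then
+. /usr/share/bash-completion/bash_completion
+elif [ -f /etc/bash_completion ]; then
+. /etc/bash_completion
+fi
+fi
+for file in /kaz/bin/.*-completion.bash ; do
+source "\${file}"
+done
+EOF
+fi
+
+
+# On met le GUARD pour la mise au point
+echo "export SNSTERGUARD='true'" >> /root/.bashrc
+
+
+# On place les certifs
+if [ -d letsencrypt ]; then
+cp -ar letsencrypt /etc/
+cp /etc/letsencrypt/local/rootCA.pem /usr/local/share/ca-certificates/rootCA.crt
+/usr/sbin/update-ca-certificates --fresh
+fi
+
+# On sauve le proxy APT
+proxy=$(/sbin/ip route | awk '/default/ { print $3 }' | head -1)
+sed -i -e "s/^proxy.*$/proxy=$proxy/" /usr/local/sbin/detect_proxy.sh
+#echo "export http_proxy=\"http://$proxy:3142\"" > /etc/profile.d/proxy.sh
+#echo "export https_proxy=\"http://$proxy:3142\"" >> /etc/profile.d/proxy.sh
+
+# Proxy pour les environnements durant les dockerbuilds
+mkdir /root/.docker
+echo "{
+\"proxies\":
+{
+\"default\":
+{
+\"httpProxy\": \"http://$proxy:3142\",
+\"httpsProxy\": \"http://$proxy:3142\",
+\"noProxy\": \"*.sns,127.0.0.0/8,100.64.0.0/10,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16\"
+}
+}
+}" > /root/.docker/config.json
+
+# Proxy pour les docker pull -> commenté car pas de cache avec dockerhub
+# echo "http_proxy=\"http://$proxy:3142\"
+# https_proxy=\"http://$proxy:3142\"
+# no_proxy=\"*.sns,127.0.0.0/8,100.64.0.0/10,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16\"
+# " >> /etc/default/docker
+
+# On active btrfs+registry miroir pour docker
+cat >> /etc/docker/daemon.json <<EOF
+{ "storage-driver": "btrfs",
+"registry-mirrors": ["http://$proxy:5000"] }
+EOF
+service docker restart
+
+# clear apt cache
+DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
+DEBIAN_FRONTEND=noninteractive apt-get clean
+
+# On installe Kaz
+ifconfig lo:0 100.81.0.2
+echo "100.81.0.2 smtp imap www mail cloud cloud.kaz.sns tableur tableur.kaz.sns webmail webmail.kaz.sns garradin garradin.kaz.sns wiki wiki.kaz.sns git git.kaz.sns office office.kaz.sns depot depot.kaz.sns ldap ldap.kaz.sns mdp mdp.kaz.sns koffre koffre.kaz.sns pad pad.kaz.sns agora agora.kaz.sns dashboard dashboard.kaz.sns" >> /etc/hosts
+cp "${DIR}/kaz.sh" /root/kaz.sh
+cp "${DIR}/createUser.txt" /root/
+cp -ar "${DIR}/kaz-config" /root/
+chmod +x /root/kaz.sh
+bash "/root/kaz.sh"
+sed -i -e "s/100.81.0.2.*//g" /etc/hosts
+
+
+# On démarre au boot
+echo -e '#!/bin/sh\n/kaz/bin/container.sh start' >> /etc/rc.local
+chmod +x /etc/rc.local
+
+
+# notes fuse-overlayfs :
+#mknod -m 666 /dev/fuse c 10 229
+#echo -e '#!/bin/sh\nmknod -m 666 /dev/fuse c 10 229' >> /etc/rc.local
+#chmod +x /etc/rc.local
+
+# lxc.cgroup2.devices.allow = b 7:* rwm
+# lxc.cgroup2.devices.allow = c 10:237 rwm
+#
+# mknod -m 666 /dev/loop0 b 7 0
+# mknod -m 666 /dev/loop-control c 10 237
+# truncate -s 30G /root/varlibdocker.img
+# mkfs.btrfs /root/varlibdocker.img
+# losetup -f /root/varlibdocker.img
+# mount /dev/loop0 /var/lib/docker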
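Review bot: The docker-compose binary fetched by `curl -SL https://github.com/docker/compose/releases/download/v2.17.3/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose` is linked into /usr/bin and made executable with no integrity check, and because `--fail` is absent an HTTP error body would be saved and chmod'ed +x just the same. The release publishes a `.sha256` next to the binary; `curl -fsSL "$URL" -o /usr/local/bin/docker-compose` followed by `echo "<EXPECTED_SHA256 placeholder>  /usr/local/bin/docker-compose" | sha256sum -c -` stops provisioning on a mismatch since `set -e` is already on. Two smaller points in the same hunk: `usermod -G docker debian` without `-a` replaces debian's supplementary groups instead of adding one, so `usermod -aG docker debian` is the intended form (docker group membership is root-equivalent on the host, worth a comment on that line even for a lab box); and `cat >> /etc/docker/daemon.json` appends to a file that may already exist, which would leave invalid JSON — writing it with `>` or merging with `jq` (installed by the apt line above) is safer. `if [ -z $SNSTERGUARD ]` should quote the variable, `[ -z "${SNSTERGUARD}" ]`, as kaz.sh in this commit already does.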
@ -221,6 +221,7 @@ auth:
|
|||||||
# crypto keys
|
# crypto keys
|
||||||
cp -ar /etc/letsencrypt /root/snster-kaz/kaz/prod/
|
cp -ar /etc/letsencrypt /root/snster-kaz/kaz/prod/
|
||||||
cp -ar /etc/letsencrypt /root/snster-kaz/isp-a/home/
|
cp -ar /etc/letsencrypt /root/snster-kaz/isp-a/home/
|
||||||
|
cp -ar /etc/letsencrypt /root/snster-kaz/kaz2/prod2/
|
||||||
|
|
||||||
# On lie le filesystem de kaz-prod dans le /kaz de la VM pour le dév
|
# On lie le filesystem de kaz-prod dans le /kaz de la VM pour le dév
|
||||||
ln -s /var/lib/lxc/kaz-kaz-prod/rootfs/ /kaz-prod
|
ln -s /var/lib/lxc/kaz-kaz-prod/rootfs/ /kaz-prod
|
||||||
|
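Review bot: The added `cp -ar /etc/letsencrypt /root/snster-kaz/kaz2/prod2/` copies the entire letsencrypt tree, private keys included, into a third provisioning directory, and provision.sh for kaz2/prod2 then installs that copy under /etc/ of the container. If prod2 only needs the local root CA and its own certificate, copying just that subtree would limit how many places the keys live; at minimum a comment such as `# prod2 needs local/rootCA.pem and its site cert; private keys travel with it` next to the line would record why the whole directory is duplicated. The enclosing block of this script starts and ends outside the hunk, and its file header is not shown on the page.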