forked from Deuxfleurs/infrastructure
Initial commit
This commit is contained in:
commit
61d009f18d
166 changed files with 4972 additions and 0 deletions
3
.gitignore
vendored
Normal file
3
.gitignore
vendored
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
*.retry
|
||||||
|
.git_old/
|
||||||
|
debug/gladdrinfo
|
6
.gitmodules
vendored
Normal file
6
.gitmodules
vendored
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
[submodule "docker/static/goStatic"]
|
||||||
|
path = docker/static/goStatic
|
||||||
|
url = https://github.com/PierreZ/goStatic
|
||||||
|
[submodule "docker/blog/quentin.dufour.io"]
|
||||||
|
path = docker/blog-quentin/quentin.dufour.io
|
||||||
|
url = git@gitlab.com:superboum/quentin.dufour.io.git
|
662
LICENSE
Normal file
662
LICENSE
Normal file
|
@ -0,0 +1,662 @@
|
||||||
|
GNU AFFERO GENERAL PUBLIC LICENSE
|
||||||
|
Version 3, 19 November 2007
|
||||||
|
|
||||||
|
Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
|
||||||
|
Everyone is permitted to copy and distribute verbatim copies
|
||||||
|
of this license document, but changing it is not allowed.
|
||||||
|
|
||||||
|
Preamble
|
||||||
|
|
||||||
|
The GNU Affero General Public License is a free, copyleft license for
|
||||||
|
software and other kinds of works, specifically designed to ensure
|
||||||
|
cooperation with the community in the case of network server software.
|
||||||
|
|
||||||
|
The licenses for most software and other practical works are designed
|
||||||
|
to take away your freedom to share and change the works. By contrast,
|
||||||
|
our General Public Licenses are intended to guarantee your freedom to
|
||||||
|
share and change all versions of a program--to make sure it remains free
|
||||||
|
software for all its users.
|
||||||
|
|
||||||
|
When we speak of free software, we are referring to freedom, not
|
||||||
|
price. Our General Public Licenses are designed to make sure that you
|
||||||
|
have the freedom to distribute copies of free software (and charge for
|
||||||
|
them if you wish), that you receive source code or can get it if you
|
||||||
|
want it, that you can change the software or use pieces of it in new
|
||||||
|
free programs, and that you know you can do these things.
|
||||||
|
|
||||||
|
Developers that use our General Public Licenses protect your rights
|
||||||
|
with two steps: (1) assert copyright on the software, and (2) offer
|
||||||
|
you this License which gives you legal permission to copy, distribute
|
||||||
|
and/or modify the software.
|
||||||
|
|
||||||
|
A secondary benefit of defending all users' freedom is that
|
||||||
|
improvements made in alternate versions of the program, if they
|
||||||
|
receive widespread use, become available for other developers to
|
||||||
|
incorporate. Many developers of free software are heartened and
|
||||||
|
encouraged by the resulting cooperation. However, in the case of
|
||||||
|
software used on network servers, this result may fail to come about.
|
||||||
|
The GNU General Public License permits making a modified version and
|
||||||
|
letting the public access it on a server without ever releasing its
|
||||||
|
source code to the public.
|
||||||
|
|
||||||
|
The GNU Affero General Public License is designed specifically to
|
||||||
|
ensure that, in such cases, the modified source code becomes available
|
||||||
|
to the community. It requires the operator of a network server to
|
||||||
|
provide the source code of the modified version running there to the
|
||||||
|
users of that server. Therefore, public use of a modified version, on
|
||||||
|
a publicly accessible server, gives the public access to the source
|
||||||
|
code of the modified version.
|
||||||
|
|
||||||
|
An older license, called the Affero General Public License and
|
||||||
|
published by Affero, was designed to accomplish similar goals. This is
|
||||||
|
a different license, not a version of the Affero GPL, but Affero has
|
||||||
|
released a new version of the Affero GPL which permits relicensing under
|
||||||
|
this license.
|
||||||
|
|
||||||
|
The precise terms and conditions for copying, distribution and
|
||||||
|
modification follow.
|
||||||
|
|
||||||
|
TERMS AND CONDITIONS
|
||||||
|
|
||||||
|
0. Definitions.
|
||||||
|
|
||||||
|
"This License" refers to version 3 of the GNU Affero General Public License.
|
||||||
|
|
||||||
|
"Copyright" also means copyright-like laws that apply to other kinds of
|
||||||
|
works, such as semiconductor masks.
|
||||||
|
|
||||||
|
"The Program" refers to any copyrightable work licensed under this
|
||||||
|
License. Each licensee is addressed as "you". "Licensees" and
|
||||||
|
"recipients" may be individuals or organizations.
|
||||||
|
|
||||||
|
To "modify" a work means to copy from or adapt all or part of the work
|
||||||
|
in a fashion requiring copyright permission, other than the making of an
|
||||||
|
exact copy. The resulting work is called a "modified version" of the
|
||||||
|
earlier work or a work "based on" the earlier work.
|
||||||
|
|
||||||
|
A "covered work" means either the unmodified Program or a work based
|
||||||
|
on the Program.
|
||||||
|
|
||||||
|
To "propagate" a work means to do anything with it that, without
|
||||||
|
permission, would make you directly or secondarily liable for
|
||||||
|
infringement under applicable copyright law, except executing it on a
|
||||||
|
computer or modifying a private copy. Propagation includes copying,
|
||||||
|
distribution (with or without modification), making available to the
|
||||||
|
public, and in some countries other activities as well.
|
||||||
|
|
||||||
|
To "convey" a work means any kind of propagation that enables other
|
||||||
|
parties to make or receive copies. Mere interaction with a user through
|
||||||
|
a computer network, with no transfer of a copy, is not conveying.
|
||||||
|
|
||||||
|
An interactive user interface displays "Appropriate Legal Notices"
|
||||||
|
to the extent that it includes a convenient and prominently visible
|
||||||
|
feature that (1) displays an appropriate copyright notice, and (2)
|
||||||
|
tells the user that there is no warranty for the work (except to the
|
||||||
|
extent that warranties are provided), that licensees may convey the
|
||||||
|
work under this License, and how to view a copy of this License. If
|
||||||
|
the interface presents a list of user commands or options, such as a
|
||||||
|
menu, a prominent item in the list meets this criterion.
|
||||||
|
|
||||||
|
1. Source Code.
|
||||||
|
|
||||||
|
The "source code" for a work means the preferred form of the work
|
||||||
|
for making modifications to it. "Object code" means any non-source
|
||||||
|
form of a work.
|
||||||
|
|
||||||
|
A "Standard Interface" means an interface that either is an official
|
||||||
|
standard defined by a recognized standards body, or, in the case of
|
||||||
|
interfaces specified for a particular programming language, one that
|
||||||
|
is widely used among developers working in that language.
|
||||||
|
|
||||||
|
The "System Libraries" of an executable work include anything, other
|
||||||
|
than the work as a whole, that (a) is included in the normal form of
|
||||||
|
packaging a Major Component, but which is not part of that Major
|
||||||
|
Component, and (b) serves only to enable use of the work with that
|
||||||
|
Major Component, or to implement a Standard Interface for which an
|
||||||
|
implementation is available to the public in source code form. A
|
||||||
|
"Major Component", in this context, means a major essential component
|
||||||
|
(kernel, window system, and so on) of the specific operating system
|
||||||
|
(if any) on which the executable work runs, or a compiler used to
|
||||||
|
produce the work, or an object code interpreter used to run it.
|
||||||
|
|
||||||
|
The "Corresponding Source" for a work in object code form means all
|
||||||
|
the source code needed to generate, install, and (for an executable
|
||||||
|
work) run the object code and to modify the work, including scripts to
|
||||||
|
control those activities. However, it does not include the work's
|
||||||
|
System Libraries, or general-purpose tools or generally available free
|
||||||
|
programs which are used unmodified in performing those activities but
|
||||||
|
which are not part of the work. For example, Corresponding Source
|
||||||
|
includes interface definition files associated with source files for
|
||||||
|
the work, and the source code for shared libraries and dynamically
|
||||||
|
linked subprograms that the work is specifically designed to require,
|
||||||
|
such as by intimate data communication or control flow between those
|
||||||
|
subprograms and other parts of the work.
|
||||||
|
|
||||||
|
The Corresponding Source need not include anything that users
|
||||||
|
can regenerate automatically from other parts of the Corresponding
|
||||||
|
Source.
|
||||||
|
|
||||||
|
The Corresponding Source for a work in source code form is that
|
||||||
|
same work.
|
||||||
|
|
||||||
|
2. Basic Permissions.
|
||||||
|
|
||||||
|
All rights granted under this License are granted for the term of
|
||||||
|
copyright on the Program, and are irrevocable provided the stated
|
||||||
|
conditions are met. This License explicitly affirms your unlimited
|
||||||
|
permission to run the unmodified Program. The output from running a
|
||||||
|
covered work is covered by this License only if the output, given its
|
||||||
|
content, constitutes a covered work. This License acknowledges your
|
||||||
|
rights of fair use or other equivalent, as provided by copyright law.
|
||||||
|
|
||||||
|
You may make, run and propagate covered works that you do not
|
||||||
|
convey, without conditions so long as your license otherwise remains
|
||||||
|
in force. You may convey covered works to others for the sole purpose
|
||||||
|
of having them make modifications exclusively for you, or provide you
|
||||||
|
with facilities for running those works, provided that you comply with
|
||||||
|
the terms of this License in conveying all material for which you do
|
||||||
|
not control copyright. Those thus making or running the covered works
|
||||||
|
for you must do so exclusively on your behalf, under your direction
|
||||||
|
and control, on terms that prohibit them from making any copies of
|
||||||
|
your copyrighted material outside their relationship with you.
|
||||||
|
|
||||||
|
Conveying under any other circumstances is permitted solely under
|
||||||
|
the conditions stated below. Sublicensing is not allowed; section 10
|
||||||
|
makes it unnecessary.
|
||||||
|
|
||||||
|
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
|
||||||
|
|
||||||
|
No covered work shall be deemed part of an effective technological
|
||||||
|
measure under any applicable law fulfilling obligations under article
|
||||||
|
11 of the WIPO copyright treaty adopted on 20 December 1996, or
|
||||||
|
similar laws prohibiting or restricting circumvention of such
|
||||||
|
measures.
|
||||||
|
|
||||||
|
When you convey a covered work, you waive any legal power to forbid
|
||||||
|
circumvention of technological measures to the extent such circumvention
|
||||||
|
is effected by exercising rights under this License with respect to
|
||||||
|
the covered work, and you disclaim any intention to limit operation or
|
||||||
|
modification of the work as a means of enforcing, against the work's
|
||||||
|
users, your or third parties' legal rights to forbid circumvention of
|
||||||
|
technological measures.
|
||||||
|
|
||||||
|
4. Conveying Verbatim Copies.
|
||||||
|
|
||||||
|
You may convey verbatim copies of the Program's source code as you
|
||||||
|
receive it, in any medium, provided that you conspicuously and
|
||||||
|
appropriately publish on each copy an appropriate copyright notice;
|
||||||
|
keep intact all notices stating that this License and any
|
||||||
|
non-permissive terms added in accord with section 7 apply to the code;
|
||||||
|
keep intact all notices of the absence of any warranty; and give all
|
||||||
|
recipients a copy of this License along with the Program.
|
||||||
|
|
||||||
|
You may charge any price or no price for each copy that you convey,
|
||||||
|
and you may offer support or warranty protection for a fee.
|
||||||
|
|
||||||
|
5. Conveying Modified Source Versions.
|
||||||
|
|
||||||
|
You may convey a work based on the Program, or the modifications to
|
||||||
|
produce it from the Program, in the form of source code under the
|
||||||
|
terms of section 4, provided that you also meet all of these conditions:
|
||||||
|
|
||||||
|
a) The work must carry prominent notices stating that you modified
|
||||||
|
it, and giving a relevant date.
|
||||||
|
|
||||||
|
b) The work must carry prominent notices stating that it is
|
||||||
|
released under this License and any conditions added under section
|
||||||
|
7. This requirement modifies the requirement in section 4 to
|
||||||
|
"keep intact all notices".
|
||||||
|
|
||||||
|
c) You must license the entire work, as a whole, under this
|
||||||
|
License to anyone who comes into possession of a copy. This
|
||||||
|
License will therefore apply, along with any applicable section 7
|
||||||
|
additional terms, to the whole of the work, and all its parts,
|
||||||
|
regardless of how they are packaged. This License gives no
|
||||||
|
permission to license the work in any other way, but it does not
|
||||||
|
invalidate such permission if you have separately received it.
|
||||||
|
|
||||||
|
d) If the work has interactive user interfaces, each must display
|
||||||
|
Appropriate Legal Notices; however, if the Program has interactive
|
||||||
|
interfaces that do not display Appropriate Legal Notices, your
|
||||||
|
work need not make them do so.
|
||||||
|
|
||||||
|
A compilation of a covered work with other separate and independent
|
||||||
|
works, which are not by their nature extensions of the covered work,
|
||||||
|
and which are not combined with it such as to form a larger program,
|
||||||
|
in or on a volume of a storage or distribution medium, is called an
|
||||||
|
"aggregate" if the compilation and its resulting copyright are not
|
||||||
|
used to limit the access or legal rights of the compilation's users
|
||||||
|
beyond what the individual works permit. Inclusion of a covered work
|
||||||
|
in an aggregate does not cause this License to apply to the other
|
||||||
|
parts of the aggregate.
|
||||||
|
|
||||||
|
6. Conveying Non-Source Forms.
|
||||||
|
|
||||||
|
You may convey a covered work in object code form under the terms
|
||||||
|
of sections 4 and 5, provided that you also convey the
|
||||||
|
machine-readable Corresponding Source under the terms of this License,
|
||||||
|
in one of these ways:
|
||||||
|
|
||||||
|
a) Convey the object code in, or embodied in, a physical product
|
||||||
|
(including a physical distribution medium), accompanied by the
|
||||||
|
Corresponding Source fixed on a durable physical medium
|
||||||
|
customarily used for software interchange.
|
||||||
|
|
||||||
|
b) Convey the object code in, or embodied in, a physical product
|
||||||
|
(including a physical distribution medium), accompanied by a
|
||||||
|
written offer, valid for at least three years and valid for as
|
||||||
|
long as you offer spare parts or customer support for that product
|
||||||
|
model, to give anyone who possesses the object code either (1) a
|
||||||
|
copy of the Corresponding Source for all the software in the
|
||||||
|
product that is covered by this License, on a durable physical
|
||||||
|
medium customarily used for software interchange, for a price no
|
||||||
|
more than your reasonable cost of physically performing this
|
||||||
|
conveying of source, or (2) access to copy the
|
||||||
|
Corresponding Source from a network server at no charge.
|
||||||
|
|
||||||
|
c) Convey individual copies of the object code with a copy of the
|
||||||
|
written offer to provide the Corresponding Source. This
|
||||||
|
alternative is allowed only occasionally and noncommercially, and
|
||||||
|
only if you received the object code with such an offer, in accord
|
||||||
|
with subsection 6b.
|
||||||
|
|
||||||
|
d) Convey the object code by offering access from a designated
|
||||||
|
place (gratis or for a charge), and offer equivalent access to the
|
||||||
|
Corresponding Source in the same way through the same place at no
|
||||||
|
further charge. You need not require recipients to copy the
|
||||||
|
Corresponding Source along with the object code. If the place to
|
||||||
|
copy the object code is a network server, the Corresponding Source
|
||||||
|
may be on a different server (operated by you or a third party)
|
||||||
|
that supports equivalent copying facilities, provided you maintain
|
||||||
|
clear directions next to the object code saying where to find the
|
||||||
|
Corresponding Source. Regardless of what server hosts the
|
||||||
|
Corresponding Source, you remain obligated to ensure that it is
|
||||||
|
available for as long as needed to satisfy these requirements.
|
||||||
|
|
||||||
|
e) Convey the object code using peer-to-peer transmission, provided
|
||||||
|
you inform other peers where the object code and Corresponding
|
||||||
|
Source of the work are being offered to the general public at no
|
||||||
|
charge under subsection 6d.
|
||||||
|
|
||||||
|
A separable portion of the object code, whose source code is excluded
|
||||||
|
from the Corresponding Source as a System Library, need not be
|
||||||
|
included in conveying the object code work.
|
||||||
|
|
||||||
|
A "User Product" is either (1) a "consumer product", which means any
|
||||||
|
tangible personal property which is normally used for personal, family,
|
||||||
|
or household purposes, or (2) anything designed or sold for incorporation
|
||||||
|
into a dwelling. In determining whether a product is a consumer product,
|
||||||
|
doubtful cases shall be resolved in favor of coverage. For a particular
|
||||||
|
product received by a particular user, "normally used" refers to a
|
||||||
|
typical or common use of that class of product, regardless of the status
|
||||||
|
of the particular user or of the way in which the particular user
|
||||||
|
actually uses, or expects or is expected to use, the product. A product
|
||||||
|
is a consumer product regardless of whether the product has substantial
|
||||||
|
commercial, industrial or non-consumer uses, unless such uses represent
|
||||||
|
the only significant mode of use of the product.
|
||||||
|
|
||||||
|
"Installation Information" for a User Product means any methods,
|
||||||
|
procedures, authorization keys, or other information required to install
|
||||||
|
and execute modified versions of a covered work in that User Product from
|
||||||
|
a modified version of its Corresponding Source. The information must
|
||||||
|
suffice to ensure that the continued functioning of the modified object
|
||||||
|
code is in no case prevented or interfered with solely because
|
||||||
|
modification has been made.
|
||||||
|
|
||||||
|
If you convey an object code work under this section in, or with, or
|
||||||
|
specifically for use in, a User Product, and the conveying occurs as
|
||||||
|
part of a transaction in which the right of possession and use of the
|
||||||
|
User Product is transferred to the recipient in perpetuity or for a
|
||||||
|
fixed term (regardless of how the transaction is characterized), the
|
||||||
|
Corresponding Source conveyed under this section must be accompanied
|
||||||
|
by the Installation Information. But this requirement does not apply
|
||||||
|
if neither you nor any third party retains the ability to install
|
||||||
|
modified object code on the User Product (for example, the work has
|
||||||
|
been installed in ROM).
|
||||||
|
|
||||||
|
The requirement to provide Installation Information does not include a
|
||||||
|
requirement to continue to provide support service, warranty, or updates
|
||||||
|
for a work that has been modified or installed by the recipient, or for
|
||||||
|
the User Product in which it has been modified or installed. Access to a
|
||||||
|
network may be denied when the modification itself materially and
|
||||||
|
adversely affects the operation of the network or violates the rules and
|
||||||
|
protocols for communication across the network.
|
||||||
|
|
||||||
|
Corresponding Source conveyed, and Installation Information provided,
|
||||||
|
in accord with this section must be in a format that is publicly
|
||||||
|
documented (and with an implementation available to the public in
|
||||||
|
source code form), and must require no special password or key for
|
||||||
|
unpacking, reading or copying.
|
||||||
|
|
||||||
|
7. Additional Terms.
|
||||||
|
|
||||||
|
"Additional permissions" are terms that supplement the terms of this
|
||||||
|
License by making exceptions from one or more of its conditions.
|
||||||
|
Additional permissions that are applicable to the entire Program shall
|
||||||
|
be treated as though they were included in this License, to the extent
|
||||||
|
that they are valid under applicable law. If additional permissions
|
||||||
|
apply only to part of the Program, that part may be used separately
|
||||||
|
under those permissions, but the entire Program remains governed by
|
||||||
|
this License without regard to the additional permissions.
|
||||||
|
|
||||||
|
When you convey a copy of a covered work, you may at your option
|
||||||
|
remove any additional permissions from that copy, or from any part of
|
||||||
|
it. (Additional permissions may be written to require their own
|
||||||
|
removal in certain cases when you modify the work.) You may place
|
||||||
|
additional permissions on material, added by you to a covered work,
|
||||||
|
for which you have or can give appropriate copyright permission.
|
||||||
|
|
||||||
|
Notwithstanding any other provision of this License, for material you
|
||||||
|
add to a covered work, you may (if authorized by the copyright holders of
|
||||||
|
that material) supplement the terms of this License with terms:
|
||||||
|
|
||||||
|
a) Disclaiming warranty or limiting liability differently from the
|
||||||
|
terms of sections 15 and 16 of this License; or
|
||||||
|
|
||||||
|
b) Requiring preservation of specified reasonable legal notices or
|
||||||
|
author attributions in that material or in the Appropriate Legal
|
||||||
|
Notices displayed by works containing it; or
|
||||||
|
|
||||||
|
c) Prohibiting misrepresentation of the origin of that material, or
|
||||||
|
requiring that modified versions of such material be marked in
|
||||||
|
reasonable ways as different from the original version; or
|
||||||
|
|
||||||
|
d) Limiting the use for publicity purposes of names of licensors or
|
||||||
|
authors of the material; or
|
||||||
|
|
||||||
|
e) Declining to grant rights under trademark law for use of some
|
||||||
|
trade names, trademarks, or service marks; or
|
||||||
|
|
||||||
|
f) Requiring indemnification of licensors and authors of that
|
||||||
|
material by anyone who conveys the material (or modified versions of
|
||||||
|
it) with contractual assumptions of liability to the recipient, for
|
||||||
|
any liability that these contractual assumptions directly impose on
|
||||||
|
those licensors and authors.
|
||||||
|
|
||||||
|
All other non-permissive additional terms are considered "further
|
||||||
|
restrictions" within the meaning of section 10. If the Program as you
|
||||||
|
received it, or any part of it, contains a notice stating that it is
|
||||||
|
governed by this License along with a term that is a further
|
||||||
|
restriction, you may remove that term. If a license document contains
|
||||||
|
a further restriction but permits relicensing or conveying under this
|
||||||
|
License, you may add to a covered work material governed by the terms
|
||||||
|
of that license document, provided that the further restriction does
|
||||||
|
not survive such relicensing or conveying.
|
||||||
|
|
||||||
|
If you add terms to a covered work in accord with this section, you
|
||||||
|
must place, in the relevant source files, a statement of the
|
||||||
|
additional terms that apply to those files, or a notice indicating
|
||||||
|
where to find the applicable terms.
|
||||||
|
|
||||||
|
Additional terms, permissive or non-permissive, may be stated in the
|
||||||
|
form of a separately written license, or stated as exceptions;
|
||||||
|
the above requirements apply either way.
|
||||||
|
|
||||||
|
8. Termination.
|
||||||
|
|
||||||
|
You may not propagate or modify a covered work except as expressly
|
||||||
|
provided under this License. Any attempt otherwise to propagate or
|
||||||
|
modify it is void, and will automatically terminate your rights under
|
||||||
|
this License (including any patent licenses granted under the third
|
||||||
|
paragraph of section 11).
|
||||||
|
|
||||||
|
However, if you cease all violation of this License, then your
|
||||||
|
license from a particular copyright holder is reinstated (a)
|
||||||
|
provisionally, unless and until the copyright holder explicitly and
|
||||||
|
finally terminates your license, and (b) permanently, if the copyright
|
||||||
|
holder fails to notify you of the violation by some reasonable means
|
||||||
|
prior to 60 days after the cessation.
|
||||||
|
|
||||||
|
Moreover, your license from a particular copyright holder is
|
||||||
|
reinstated permanently if the copyright holder notifies you of the
|
||||||
|
violation by some reasonable means, this is the first time you have
|
||||||
|
received notice of violation of this License (for any work) from that
|
||||||
|
copyright holder, and you cure the violation prior to 30 days after
|
||||||
|
your receipt of the notice.
|
||||||
|
|
||||||
|
Termination of your rights under this section does not terminate the
|
||||||
|
licenses of parties who have received copies or rights from you under
|
||||||
|
this License. If your rights have been terminated and not permanently
|
||||||
|
reinstated, you do not qualify to receive new licenses for the same
|
||||||
|
material under section 10.
|
||||||
|
|
||||||
|
9. Acceptance Not Required for Having Copies.
|
||||||
|
|
||||||
|
You are not required to accept this License in order to receive or
|
||||||
|
run a copy of the Program. Ancillary propagation of a covered work
|
||||||
|
occurring solely as a consequence of using peer-to-peer transmission
|
||||||
|
to receive a copy likewise does not require acceptance. However,
|
||||||
|
nothing other than this License grants you permission to propagate or
|
||||||
|
modify any covered work. These actions infringe copyright if you do
|
||||||
|
not accept this License. Therefore, by modifying or propagating a
|
||||||
|
covered work, you indicate your acceptance of this License to do so.
|
||||||
|
|
||||||
|
10. Automatic Licensing of Downstream Recipients.
|
||||||
|
|
||||||
|
Each time you convey a covered work, the recipient automatically
|
||||||
|
receives a license from the original licensors, to run, modify and
|
||||||
|
propagate that work, subject to this License. You are not responsible
|
||||||
|
for enforcing compliance by third parties with this License.
|
||||||
|
|
||||||
|
An "entity transaction" is a transaction transferring control of an
|
||||||
|
organization, or substantially all assets of one, or subdividing an
|
||||||
|
organization, or merging organizations. If propagation of a covered
|
||||||
|
work results from an entity transaction, each party to that
|
||||||
|
transaction who receives a copy of the work also receives whatever
|
||||||
|
licenses to the work the party's predecessor in interest had or could
|
||||||
|
give under the previous paragraph, plus a right to possession of the
|
||||||
|
Corresponding Source of the work from the predecessor in interest, if
|
||||||
|
the predecessor has it or can get it with reasonable efforts.
|
||||||
|
|
||||||
|
You may not impose any further restrictions on the exercise of the
|
||||||
|
rights granted or affirmed under this License. For example, you may
|
||||||
|
not impose a license fee, royalty, or other charge for exercise of
|
||||||
|
rights granted under this License, and you may not initiate litigation
|
||||||
|
(including a cross-claim or counterclaim in a lawsuit) alleging that
|
||||||
|
any patent claim is infringed by making, using, selling, offering for
|
||||||
|
sale, or importing the Program or any portion of it.
|
||||||
|
|
||||||
|
11. Patents.
|
||||||
|
|
||||||
|
A "contributor" is a copyright holder who authorizes use under this
|
||||||
|
License of the Program or a work on which the Program is based. The
|
||||||
|
work thus licensed is called the contributor's "contributor version".
|
||||||
|
|
||||||
|
A contributor's "essential patent claims" are all patent claims
|
||||||
|
owned or controlled by the contributor, whether already acquired or
|
||||||
|
hereafter acquired, that would be infringed by some manner, permitted
|
||||||
|
by this License, of making, using, or selling its contributor version,
|
||||||
|
but do not include claims that would be infringed only as a
|
||||||
|
consequence of further modification of the contributor version. For
|
||||||
|
purposes of this definition, "control" includes the right to grant
|
||||||
|
patent sublicenses in a manner consistent with the requirements of
|
||||||
|
this License.
|
||||||
|
|
||||||
|
Each contributor grants you a non-exclusive, worldwide, royalty-free
|
||||||
|
patent license under the contributor's essential patent claims, to
|
||||||
|
make, use, sell, offer for sale, import and otherwise run, modify and
|
||||||
|
propagate the contents of its contributor version.
|
||||||
|
|
||||||
|
In the following three paragraphs, a "patent license" is any express
|
||||||
|
agreement or commitment, however denominated, not to enforce a patent
|
||||||
|
(such as an express permission to practice a patent or covenant not to
|
||||||
|
sue for patent infringement). To "grant" such a patent license to a
|
||||||
|
party means to make such an agreement or commitment not to enforce a
|
||||||
|
patent against the party.
|
||||||
|
|
||||||
|
If you convey a covered work, knowingly relying on a patent license,
|
||||||
|
and the Corresponding Source of the work is not available for anyone
|
||||||
|
to copy, free of charge and under the terms of this License, through a
|
||||||
|
publicly available network server or other readily accessible means,
|
||||||
|
then you must either (1) cause the Corresponding Source to be so
|
||||||
|
available, or (2) arrange to deprive yourself of the benefit of the
|
||||||
|
patent license for this particular work, or (3) arrange, in a manner
|
||||||
|
consistent with the requirements of this License, to extend the patent
|
||||||
|
license to downstream recipients. "Knowingly relying" means you have
|
||||||
|
actual knowledge that, but for the patent license, your conveying the
|
||||||
|
covered work in a country, or your recipient's use of the covered work
|
||||||
|
in a country, would infringe one or more identifiable patents in that
|
||||||
|
country that you have reason to believe are valid.
|
||||||
|
|
||||||
|
If, pursuant to or in connection with a single transaction or
|
||||||
|
arrangement, you convey, or propagate by procuring conveyance of, a
|
||||||
|
covered work, and grant a patent license to some of the parties
|
||||||
|
receiving the covered work authorizing them to use, propagate, modify
|
||||||
|
or convey a specific copy of the covered work, then the patent license
|
||||||
|
you grant is automatically extended to all recipients of the covered
|
||||||
|
work and works based on it.
|
||||||
|
|
||||||
|
A patent license is "discriminatory" if it does not include within
|
||||||
|
the scope of its coverage, prohibits the exercise of, or is
|
||||||
|
conditioned on the non-exercise of one or more of the rights that are
|
||||||
|
specifically granted under this License. You may not convey a covered
|
||||||
|
work if you are a party to an arrangement with a third party that is
|
||||||
|
in the business of distributing software, under which you make payment
|
||||||
|
to the third party based on the extent of your activity of conveying
|
||||||
|
the work, and under which the third party grants, to any of the
|
||||||
|
parties who would receive the covered work from you, a discriminatory
|
||||||
|
patent license (a) in connection with copies of the covered work
|
||||||
|
conveyed by you (or copies made from those copies), or (b) primarily
|
||||||
|
for and in connection with specific products or compilations that
|
||||||
|
contain the covered work, unless you entered into that arrangement,
|
||||||
|
or that patent license was granted, prior to 28 March 2007.
|
||||||
|
|
||||||
|
Nothing in this License shall be construed as excluding or limiting
|
||||||
|
any implied license or other defenses to infringement that may
|
||||||
|
otherwise be available to you under applicable patent law.
|
||||||
|
|
||||||
|
12. No Surrender of Others' Freedom.
|
||||||
|
|
||||||
|
If conditions are imposed on you (whether by court order, agreement or
|
||||||
|
otherwise) that contradict the conditions of this License, they do not
|
||||||
|
excuse you from the conditions of this License. If you cannot convey a
|
||||||
|
covered work so as to satisfy simultaneously your obligations under this
|
||||||
|
License and any other pertinent obligations, then as a consequence you may
|
||||||
|
not convey it at all. For example, if you agree to terms that obligate you
|
||||||
|
to collect a royalty for further conveying from those to whom you convey
|
||||||
|
the Program, the only way you could satisfy both those terms and this
|
||||||
|
License would be to refrain entirely from conveying the Program.
|
||||||
|
|
||||||
|
13. Remote Network Interaction; Use with the GNU General Public License.
|
||||||
|
|
||||||
|
Notwithstanding any other provision of this License, if you modify the
|
||||||
|
Program, your modified version must prominently offer all users
|
||||||
|
interacting with it remotely through a computer network (if your version
|
||||||
|
supports such interaction) an opportunity to receive the Corresponding
|
||||||
|
Source of your version by providing access to the Corresponding Source
|
||||||
|
from a network server at no charge, through some standard or customary
|
||||||
|
means of facilitating copying of software. This Corresponding Source
|
||||||
|
shall include the Corresponding Source for any work covered by version 3
|
||||||
|
of the GNU General Public License that is incorporated pursuant to the
|
||||||
|
following paragraph.
|
||||||
|
|
||||||
|
Notwithstanding any other provision of this License, you have
|
||||||
|
permission to link or combine any covered work with a work licensed
|
||||||
|
under version 3 of the GNU General Public License into a single
|
||||||
|
combined work, and to convey the resulting work. The terms of this
|
||||||
|
License will continue to apply to the part which is the covered work,
|
||||||
|
but the work with which it is combined will remain governed by version
|
||||||
|
3 of the GNU General Public License.
|
||||||
|
|
||||||
|
14. Revised Versions of this License.
|
||||||
|
|
||||||
|
The Free Software Foundation may publish revised and/or new versions of
|
||||||
|
the GNU Affero General Public License from time to time. Such new versions
|
||||||
|
will be similar in spirit to the present version, but may differ in detail to
|
||||||
|
address new problems or concerns.
|
||||||
|
|
||||||
|
Each version is given a distinguishing version number. If the
|
||||||
|
Program specifies that a certain numbered version of the GNU Affero General
|
||||||
|
Public License "or any later version" applies to it, you have the
|
||||||
|
option of following the terms and conditions either of that numbered
|
||||||
|
version or of any later version published by the Free Software
|
||||||
|
Foundation. If the Program does not specify a version number of the
|
||||||
|
GNU Affero General Public License, you may choose any version ever published
|
||||||
|
by the Free Software Foundation.
|
||||||
|
|
||||||
|
If the Program specifies that a proxy can decide which future
|
||||||
|
versions of the GNU Affero General Public License can be used, that proxy's
|
||||||
|
public statement of acceptance of a version permanently authorizes you
|
||||||
|
to choose that version for the Program.
|
||||||
|
|
||||||
|
Later license versions may give you additional or different
|
||||||
|
permissions. However, no additional obligations are imposed on any
|
||||||
|
author or copyright holder as a result of your choosing to follow a
|
||||||
|
later version.
|
||||||
|
|
||||||
|
15. Disclaimer of Warranty.
|
||||||
|
|
||||||
|
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
|
||||||
|
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
|
||||||
|
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
|
||||||
|
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
|
||||||
|
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
||||||
|
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
|
||||||
|
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
|
||||||
|
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
|
||||||
|
|
||||||
|
16. Limitation of Liability.
|
||||||
|
|
||||||
|
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
|
||||||
|
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
|
||||||
|
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
|
||||||
|
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
|
||||||
|
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
|
||||||
|
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
|
||||||
|
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
|
||||||
|
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
|
||||||
|
SUCH DAMAGES.
|
||||||
|
|
||||||
|
17. Interpretation of Sections 15 and 16.
|
||||||
|
|
||||||
|
If the disclaimer of warranty and limitation of liability provided
|
||||||
|
above cannot be given local legal effect according to their terms,
|
||||||
|
reviewing courts shall apply local law that most closely approximates
|
||||||
|
an absolute waiver of all civil liability in connection with the
|
||||||
|
Program, unless a warranty or assumption of liability accompanies a
|
||||||
|
copy of the Program in return for a fee.
|
||||||
|
|
||||||
|
END OF TERMS AND CONDITIONS
|
||||||
|
|
||||||
|
How to Apply These Terms to Your New Programs
|
||||||
|
|
||||||
|
If you develop a new program, and you want it to be of the greatest
|
||||||
|
possible use to the public, the best way to achieve this is to make it
|
||||||
|
free software which everyone can redistribute and change under these terms.
|
||||||
|
|
||||||
|
To do so, attach the following notices to the program. It is safest
|
||||||
|
to attach them to the start of each source file to most effectively
|
||||||
|
state the exclusion of warranty; and each file should have at least
|
||||||
|
the "copyright" line and a pointer to where the full notice is found.
|
||||||
|
|
||||||
|
<one line to give the program's name and a brief idea of what it does.>
|
||||||
|
Copyright (C) <year> <name of author>
|
||||||
|
|
||||||
|
This program is free software: you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU Affero General Public License as published
|
||||||
|
by the Free Software Foundation, either version 3 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
This program is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU Affero General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU Affero General Public License
|
||||||
|
along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
Also add information on how to contact you by electronic and paper mail.
|
||||||
|
|
||||||
|
If your software can interact with users remotely through a computer
|
||||||
|
network, you should also make sure that it provides a way for users to
|
||||||
|
get its source. For example, if your program is a web application, its
|
||||||
|
interface could display a "Source" link that leads users to an archive
|
||||||
|
of the code. There are many ways you could offer source, and different
|
||||||
|
solutions will be better for different programs; see section 13 for the
|
||||||
|
specific requirements.
|
||||||
|
|
||||||
|
You should also get your employer (if you work as a programmer) or school,
|
||||||
|
if any, to sign a "copyright disclaimer" for the program, if necessary.
|
||||||
|
For more information on this, and how to apply and follow the GNU AGPL, see
|
||||||
|
<https://www.gnu.org/licenses/>.
|
||||||
|
|
76
README.md
Normal file
76
README.md
Normal file
|
@ -0,0 +1,76 @@
|
||||||
|
deuxfleurs.fr
|
||||||
|
=============
|
||||||
|
|
||||||
|
*Many things are still missing here, including a proper documentation. Please stay nice, it is a volunter project. Feel free to open pull/merge requests to improve it. Thanks.*
|
||||||
|
|
||||||
|
## Our abstraction stack
|
||||||
|
|
||||||
|
We try to build a generic abstraction stack between our different resources (CPU, RAM, disk, etc.) and our services (Chat, Storage, etc.):
|
||||||
|
|
||||||
|
* ansible (physical node conf)
|
||||||
|
* nomad (schedule containers)
|
||||||
|
* consul (distributed key value store / lock / service discovery)
|
||||||
|
* glusterfs (file storage)
|
||||||
|
* stolon + postgresql (distributed relational database)
|
||||||
|
* docker (container tool)
|
||||||
|
* bottin (LDAP server, auth)
|
||||||
|
|
||||||
|
Some services we provide:
|
||||||
|
|
||||||
|
* Chat (Matrix/Riot)
|
||||||
|
* Email (Postfix/Dovecot/Sogo)
|
||||||
|
* Storage (Seafile)
|
||||||
|
|
||||||
|
As a generic abstraction is provided, deploying new services should be easy.
|
||||||
|
|
||||||
|
## Start hacking
|
||||||
|
|
||||||
|
### Clone the repository
|
||||||
|
|
||||||
|
```
|
||||||
|
git clone https://gitlab.com/superboum/deuxfleurs.fr.git
|
||||||
|
git submodule init
|
||||||
|
git submodule update
|
||||||
|
```
|
||||||
|
|
||||||
|
### Deploying/Updating new services is done from your machine
|
||||||
|
|
||||||
|
*The following instructions are provided for ops that already have access to the servers.*
|
||||||
|
|
||||||
|
Deploy Nomad on your machine:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
export NOMAD_VER=0.9.1
|
||||||
|
wget https://releases.hashicorp.com/nomad/${NOMAD_VER}/nomad_${NOMAD_VER}_linux_amd64.zip
|
||||||
|
unzip nomad_${NOMAD_VER}_linux_amd64.zip
|
||||||
|
sudo mv nomad /usr/local/bin
|
||||||
|
rm nomad_${NOMAD_VER}_linux_amd64.zip
|
||||||
|
```
|
||||||
|
|
||||||
|
Deploy Consul on your machine:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
export CONSUL_VER=1.5.1
|
||||||
|
wget https://releases.hashicorp.com/consul/${CONSUL_VER}/consul_${CONSUL_VER}_linux_amd64.zip
|
||||||
|
unzip consul_${CONSUL_VER}_linux_amd64.zip
|
||||||
|
sudo mv consul /usr/local/bin
|
||||||
|
rm consul_${CONSUL_VER}_linux_amd64.zip
|
||||||
|
```
|
||||||
|
|
||||||
|
Create an alias (and put it in your `.bashrc`) to bind APIs on your machine:
|
||||||
|
|
||||||
|
```
|
||||||
|
alias bind_df="ssh \
|
||||||
|
-p110 \
|
||||||
|
-N \
|
||||||
|
-L 4646:127.0.0.1:4646 \
|
||||||
|
-L 8500:127.0.0.1:8500 \
|
||||||
|
-L 8082:traefik.service.2.cluster.deuxfleurs.fr:8082 \
|
||||||
|
<a server from the cluster>"
|
||||||
|
```
|
||||||
|
|
||||||
|
and run:
|
||||||
|
|
||||||
|
```
|
||||||
|
bind_df
|
||||||
|
```
|
52
ansible/README.md
Normal file
52
ansible/README.md
Normal file
|
@ -0,0 +1,52 @@
|
||||||
|
|
||||||
|
## Provisionning
|
||||||
|
|
||||||
|
1. Need a public IP address
|
||||||
|
2. Deploy Debian sid/buster
|
||||||
|
3. Add a DNS entry like xxxx.machine.deuxfleurs.fr A 0.0.0.0 in Cloudflare + Havelock
|
||||||
|
4. Setup the fqdn in /etc/hosts (127.0.1.1 xxxx.machine.deuxfleurs.fr)
|
||||||
|
5. Switch the SSH port to the port 110
|
||||||
|
6. Add the server to the ./production file
|
||||||
|
7. Reboot machine
|
||||||
|
8. Deploy Ansible
|
||||||
|
9. Check that everything works as intended
|
||||||
|
10. Update NS 1.cluster.deuxfleurs.fr
|
||||||
|
|
||||||
|
## Useful commands
|
||||||
|
|
||||||
|
Show every variables collected by Ansible for a given host:
|
||||||
|
|
||||||
|
```
|
||||||
|
ansible -i production villequin.machine.deuxfleurs.fr -m setup
|
||||||
|
```
|
||||||
|
|
||||||
|
Run playbook for only one host:
|
||||||
|
|
||||||
|
```
|
||||||
|
ansible-playbook -i production --limit villequin.machine.deuxfleurs.fr site.yml
|
||||||
|
```
|
||||||
|
|
||||||
|
Dump hostvars:
|
||||||
|
|
||||||
|
```
|
||||||
|
ansible -m debug villequin.machine.deuxfleurs.fr -i ./production -a "var=hostvars"
|
||||||
|
```
|
||||||
|
|
||||||
|
Deploy only one tag:
|
||||||
|
|
||||||
|
```
|
||||||
|
ansible-playbook -i production site.yml --tags "container"
|
||||||
|
```
|
||||||
|
|
||||||
|
Redeploy everything:
|
||||||
|
|
||||||
|
```
|
||||||
|
ansible-playbook -i production site.yml
|
||||||
|
```
|
||||||
|
|
||||||
|
Upgrade packages and force overwirte to fix bad packing done by GlusterFS:
|
||||||
|
|
||||||
|
```
|
||||||
|
apt-get -o Dpkg::Options::="--force-overwrite" dist-upgrade -y
|
||||||
|
```
|
||||||
|
|
22
ansible/cluster_nodes.yml
Normal file
22
ansible/cluster_nodes.yml
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- hosts: cluster_nodes
|
||||||
|
#serial: 1
|
||||||
|
roles:
|
||||||
|
- role: common
|
||||||
|
tags: base
|
||||||
|
|
||||||
|
- role: users
|
||||||
|
tags: account
|
||||||
|
|
||||||
|
- role: network
|
||||||
|
tags: net
|
||||||
|
|
||||||
|
- role: consul
|
||||||
|
tags: kv
|
||||||
|
|
||||||
|
- role: nomad
|
||||||
|
tags: orchestrator
|
||||||
|
|
||||||
|
- role: storage
|
||||||
|
tags: sto
|
4
ansible/production
Normal file
4
ansible/production
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
[cluster_nodes]
|
||||||
|
veterini ansible_host=fbx-rennes2.machine.deuxfleurs.fr ansible_port=110 ansible_user=root public_ip=192.168.1.2 private_ip=192.168.1.2 interface=eno1
|
||||||
|
silicareux ansible_host=fbx-rennes2.machine.deuxfleurs.fr ansible_port=111 ansible_user=root public_ip=192.168.1.3 private_ip=192.168.1.3 interface=eno1
|
||||||
|
wonse ansible_host=fbx-rennes2.machine.deuxfleurs.fr ansible_port=112 ansible_user=root public_ip=192.168.1.4 private_ip=192.168.1.4 interface=eno1
|
44
ansible/roles/common/tasks/main.yml
Normal file
44
ansible/roles/common/tasks/main.yml
Normal file
|
@ -0,0 +1,44 @@
|
||||||
|
- name: "Check that host runs Debian buster/sid on armv7l or x86_64"
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- "ansible_architecture == 'aarch64' or ansible_architecture == 'armv7l' or ansible_architecture == 'x86_64'"
|
||||||
|
- "ansible_os_family == 'Debian'"
|
||||||
|
- "ansible_distribution_version == 'buster/sid'"
|
||||||
|
|
||||||
|
- name: "Upgrade system"
|
||||||
|
apt:
|
||||||
|
upgrade: dist # Should we do a full uprade instead of a dist one?
|
||||||
|
update_cache: yes
|
||||||
|
cache_valid_time: 3600
|
||||||
|
autoclean: yes
|
||||||
|
autoremove: yes
|
||||||
|
|
||||||
|
- name: "Install base tools"
|
||||||
|
apt:
|
||||||
|
name:
|
||||||
|
- vim
|
||||||
|
- htop
|
||||||
|
- screen
|
||||||
|
- iptables
|
||||||
|
- iptables-persistent
|
||||||
|
- nftables
|
||||||
|
- iproute2
|
||||||
|
- curl
|
||||||
|
- iputils-ping
|
||||||
|
- dnsutils
|
||||||
|
- bmon
|
||||||
|
- iftop
|
||||||
|
- iotop
|
||||||
|
- docker.io
|
||||||
|
- unzip
|
||||||
|
- tar
|
||||||
|
- tcpdump
|
||||||
|
- less
|
||||||
|
- parted
|
||||||
|
- btrfs-tools
|
||||||
|
- systemd-timesyncd
|
||||||
|
- systemd-resolved
|
||||||
|
- libnss-resolve
|
||||||
|
- net-tools
|
||||||
|
- strace
|
||||||
|
state: present
|
8
ansible/roles/consul/files/consul.service
Normal file
8
ansible/roles/consul/files/consul.service
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
[Unit]
|
||||||
|
Description=Consul
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
ExecStart=/usr/local/bin/consul agent -config-dir=/etc/consul
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
4
ansible/roles/consul/handlers/main.yml
Normal file
4
ansible/roles/consul/handlers/main.yml
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: restart consul
|
||||||
|
service: name=consul state=restarted
|
49
ansible/roles/consul/tasks/main.yml
Normal file
49
ansible/roles/consul/tasks/main.yml
Normal file
|
@ -0,0 +1,49 @@
|
||||||
|
- name: "Set consul version"
|
||||||
|
set_fact:
|
||||||
|
consul_version: 1.4.0
|
||||||
|
|
||||||
|
- name: "Download and install Consul for armv7l"
|
||||||
|
unarchive:
|
||||||
|
src: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_arm.zip"
|
||||||
|
dest: /usr/local/bin
|
||||||
|
remote_src: yes
|
||||||
|
when:
|
||||||
|
- "ansible_architecture == 'armv7l'"
|
||||||
|
notify:
|
||||||
|
- restart consul
|
||||||
|
|
||||||
|
- name: "Download and install Consul for x86_64"
|
||||||
|
unarchive:
|
||||||
|
src: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip"
|
||||||
|
dest: /usr/local/bin
|
||||||
|
remote_src: yes
|
||||||
|
when:
|
||||||
|
- "ansible_architecture == 'x86_64'"
|
||||||
|
notify:
|
||||||
|
- restart consul
|
||||||
|
|
||||||
|
- name: "Download and install Consul for arm64"
|
||||||
|
unarchive:
|
||||||
|
src: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_arm64.zip"
|
||||||
|
dest: /usr/local/bin
|
||||||
|
remote_src: yes
|
||||||
|
when:
|
||||||
|
- "ansible_architecture == 'aarch64'"
|
||||||
|
notify:
|
||||||
|
- restart consul
|
||||||
|
|
||||||
|
- name: "Create consul configuration directory"
|
||||||
|
file: path=/etc/consul/ state=directory
|
||||||
|
|
||||||
|
- name: "Deploy consul configuration"
|
||||||
|
template: src=consul.json.j2 dest=/etc/consul/consul.json
|
||||||
|
notify:
|
||||||
|
- restart consul
|
||||||
|
|
||||||
|
- name: "Deploy consul systemd service"
|
||||||
|
copy: src=consul.service dest=/etc/systemd/system/consul.service
|
||||||
|
notify:
|
||||||
|
- restart consul
|
||||||
|
|
||||||
|
- name: "Enable consul systemd service at boot"
|
||||||
|
service: name=consul state=started enabled=yes daemon_reload=yes
|
27
ansible/roles/consul/templates/consul.json.j2
Normal file
27
ansible/roles/consul/templates/consul.json.j2
Normal file
|
@ -0,0 +1,27 @@
|
||||||
|
{
|
||||||
|
"data_dir": "/var/lib/consul",
|
||||||
|
"bind_addr": "0.0.0.0",
|
||||||
|
"advertise_addr": "{{ public_ip }}",
|
||||||
|
"addresses": {
|
||||||
|
"dns": "0.0.0.0",
|
||||||
|
"http": "0.0.0.0"
|
||||||
|
},
|
||||||
|
"retry_join": [
|
||||||
|
{% for selected_host in groups['cluster_nodes']|reject("sameas", ansible_fqdn) %}{# @FIXME: Reject doesn't work #}
|
||||||
|
"{{ hostvars[selected_host]['private_ip'] }}" {{ "," if not loop.last else "" }}
|
||||||
|
{% endfor %}
|
||||||
|
],
|
||||||
|
"bootstrap_expect": 3,
|
||||||
|
"server": true,
|
||||||
|
"ui": true,
|
||||||
|
"ports": {
|
||||||
|
"dns": 53
|
||||||
|
},
|
||||||
|
"encrypt": "{{ consul_gossip_encrypt }}",
|
||||||
|
"domain": "2.cluster.deuxfleurs.fr",
|
||||||
|
"performance": {
|
||||||
|
"raft_multiplier": 10,
|
||||||
|
"rpc_hold_timeout": "30s",
|
||||||
|
"leave_drain_time": "30s"
|
||||||
|
}
|
||||||
|
}
|
1
ansible/roles/consul/vars/.gitignore
vendored
Normal file
1
ansible/roles/consul/vars/.gitignore
vendored
Normal file
|
@ -0,0 +1 @@
|
||||||
|
main.yml
|
2
ansible/roles/consul/vars/main.yml.sample
Normal file
2
ansible/roles/consul/vars/main.yml.sample
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
---
|
||||||
|
consul_gossip_encrypt: "<secret>"
|
22
ansible/roles/network/files/nsswitch.conf
Normal file
22
ansible/roles/network/files/nsswitch.conf
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
# /etc/nsswitch.conf
|
||||||
|
#
|
||||||
|
# Example configuration of GNU Name Service Switch functionality.
|
||||||
|
# If you have the `glibc-doc-reference' and `info' packages installed, try:
|
||||||
|
# `info libc "Name Service Switch"' for information about this file.
|
||||||
|
|
||||||
|
passwd: files systemd
|
||||||
|
group: files systemd
|
||||||
|
shadow: files
|
||||||
|
gshadow: files
|
||||||
|
|
||||||
|
#hosts: files dns
|
||||||
|
hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname
|
||||||
|
networks: files
|
||||||
|
|
||||||
|
protocols: db files
|
||||||
|
services: db files
|
||||||
|
ethers: db files
|
||||||
|
rpc: db files
|
||||||
|
|
||||||
|
netgroup: nis
|
||||||
|
|
6
ansible/roles/network/files/rules.v6
Normal file
6
ansible/roles/network/files/rules.v6
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
*filter
|
||||||
|
:INPUT DROP [0:0]
|
||||||
|
:FORWARD DROP [0:0]
|
||||||
|
:OUTPUT ACCEPT [0:0]
|
||||||
|
COMMIT
|
||||||
|
|
|
@ -0,0 +1,2 @@
|
||||||
|
[Resolve]
|
||||||
|
DNSStubListener=no
|
12
ansible/roles/network/handlers/main.yml
Normal file
12
ansible/roles/network/handlers/main.yml
Normal file
|
@ -0,0 +1,12 @@
|
||||||
|
---
|
||||||
|
- name: reload iptables
|
||||||
|
shell: iptables-restore < /etc/iptables/rules.v4 && systemctl restart docker && ifdown nomad1 || true && ifup nomad1 || true
|
||||||
|
|
||||||
|
- name: reload ip6tables
|
||||||
|
shell: ip6tables-restore < /etc/iptables/rules.v6
|
||||||
|
|
||||||
|
- name: reload nomad interface
|
||||||
|
shell: ifdown nomad1 || true ; ifup nomad1
|
||||||
|
|
||||||
|
- name: reload systemd-resolved
|
||||||
|
service: name=systemd-resolved state=restarted
|
42
ansible/roles/network/tasks/main.yml
Normal file
42
ansible/roles/network/tasks/main.yml
Normal file
|
@ -0,0 +1,42 @@
|
||||||
|
- name: "Add dummy interface to handle Nomad NAT restriction nomad#2770"
|
||||||
|
template: src=nomad-interface.j2 dest=/etc/network/interfaces.d/nomad.cfg
|
||||||
|
when: public_ip != private_ip
|
||||||
|
notify:
|
||||||
|
- reload nomad interface
|
||||||
|
|
||||||
|
- name: "Deploy iptablesv4 configuration"
|
||||||
|
template: src=rules.v4.j2 dest=/etc/iptables/rules.v4
|
||||||
|
notify:
|
||||||
|
- reload iptables
|
||||||
|
|
||||||
|
- name: "Deploy iptablesv6 configuration"
|
||||||
|
copy: src=rules.v6 dest=/etc/iptables/rules.v6
|
||||||
|
notify:
|
||||||
|
- reload ip6tables
|
||||||
|
|
||||||
|
- name: "Activate IP forwarding"
|
||||||
|
sysctl:
|
||||||
|
name: net.ipv4.ip_forward
|
||||||
|
value: 1
|
||||||
|
sysctl_set: yes
|
||||||
|
|
||||||
|
- name: "Create systemd-resolved override directory"
|
||||||
|
file: path=/etc/systemd/resolved.conf.d/ state=directory
|
||||||
|
|
||||||
|
- name: "Prevent systemd-resolved from listening on port 53 (DNS)"
|
||||||
|
copy: src=systemd-resolve-no-listen.conf dest=/etc/systemd/resolved.conf.d/systemd-resolve-no-listen.conf
|
||||||
|
notify: reload systemd-resolved
|
||||||
|
|
||||||
|
- name: "Use systemd-resolved as a source for /etc/resolv.conf"
|
||||||
|
file:
|
||||||
|
src: "/run/systemd/resolve/resolv.conf"
|
||||||
|
dest: "/etc/resolv.conf"
|
||||||
|
state: link
|
||||||
|
force: yes
|
||||||
|
notify: reload systemd-resolved
|
||||||
|
|
||||||
|
- name: "Update nsswitch.conf to use systemd-resolved"
|
||||||
|
copy: src=nsswitch.conf dest=/etc/nsswitch.conf
|
||||||
|
|
||||||
|
- name: "Flush handlers"
|
||||||
|
meta: flush_handlers
|
8
ansible/roles/network/templates/nomad-interface.j2
Normal file
8
ansible/roles/network/templates/nomad-interface.j2
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
auto nomad1
|
||||||
|
iface nomad1 inet manual
|
||||||
|
pre-up /sbin/ip link add nomad1 type dummy
|
||||||
|
up /sbin/ip addr add {{ public_ip }} dev nomad1
|
||||||
|
up /sbin/iptables -t nat -A PREROUTING -d {{ private_ip }}/32 -j NETMAP --to {{ public_ip }}/32
|
||||||
|
down /sbin/iptables -t nat -D PREROUTING -d {{ private_ip }}/32 -j NETMAP --to {{ public_ip }}/32
|
||||||
|
post-down /sbin/ip link del nomad1
|
||||||
|
|
72
ansible/roles/network/templates/rules.v4.j2
Normal file
72
ansible/roles/network/templates/rules.v4.j2
Normal file
|
@ -0,0 +1,72 @@
|
||||||
|
|
||||||
|
*filter
|
||||||
|
:INPUT DROP [0:0]
|
||||||
|
:FORWARD DROP [0:0]
|
||||||
|
:OUTPUT ACCEPT [0:0]
|
||||||
|
|
||||||
|
# DNS
|
||||||
|
-A INPUT -p udp --dport 53 -j ACCEPT
|
||||||
|
-A INPUT -p tcp --dport 53 -j ACCEPT
|
||||||
|
|
||||||
|
# Email
|
||||||
|
-A INPUT -p tcp --dport 993 -j ACCEPT
|
||||||
|
-A INPUT -p tcp --dport 25 -j ACCEPT
|
||||||
|
-A INPUT -p tcp --dport 465 -j ACCEPT
|
||||||
|
-A INPUT -p tcp --dport 587 -j ACCEPT
|
||||||
|
|
||||||
|
# Old SSH configuration
|
||||||
|
-A INPUT -p tcp --dport 110 -j ACCEPT
|
||||||
|
|
||||||
|
# New SSH configuration
|
||||||
|
-A INPUT -p tcp --dport 22 -j ACCEPT
|
||||||
|
|
||||||
|
# LDAP
|
||||||
|
-A INPUT -p tcp --dport 389 -j ACCEPT
|
||||||
|
|
||||||
|
# Web
|
||||||
|
-A INPUT -p tcp --dport 80 -j ACCEPT
|
||||||
|
-A INPUT -p tcp --dport 443 -j ACCEPT
|
||||||
|
|
||||||
|
# Coturn
|
||||||
|
-A INPUT -p tcp --dport 3478 -j ACCEPT
|
||||||
|
-A INPUT -p udp --dport 3478 -j ACCEPT
|
||||||
|
-A INPUT -p tcp --dport 3479 -j ACCEPT
|
||||||
|
-A INPUT -p udp --dport 3479 -j ACCEPT
|
||||||
|
|
||||||
|
# Cluster
|
||||||
|
{% for selected_host in groups['cluster_nodes'] %}
|
||||||
|
-A INPUT -s {{ hostvars[selected_host]['public_ip'] }} -j ACCEPT
|
||||||
|
-A INPUT -s {{ hostvars[selected_host]['private_ip'] }} -j ACCEPT
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
|
# Rennes
|
||||||
|
-A INPUT -s 82.253.205.190 -j ACCEPT
|
||||||
|
|
||||||
|
-A INPUT -i docker0 -j ACCEPT
|
||||||
|
|
||||||
|
-A INPUT -s 127.0.0.1/8 -j ACCEPT
|
||||||
|
|
||||||
|
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
||||||
|
|
||||||
|
COMMIT
|
||||||
|
|
||||||
|
|
||||||
|
*nat
|
||||||
|
:PREROUTING ACCEPT [0:0]
|
||||||
|
:INPUT ACCEPT [0:0]
|
||||||
|
:OUTPUT ACCEPT [0:0]
|
||||||
|
:POSTROUTING ACCEPT [0:0]
|
||||||
|
|
||||||
|
COMMIT
|
||||||
|
|
||||||
|
|
||||||
|
*mangle
|
||||||
|
:PREROUTING ACCEPT [0:0]
|
||||||
|
:INPUT ACCEPT [0:0]
|
||||||
|
:FORWARD ACCEPT [0:0]
|
||||||
|
:OUTPUT ACCEPT [0:0]
|
||||||
|
:POSTROUTING ACCEPT [0:0]
|
||||||
|
|
||||||
|
COMMIT
|
||||||
|
|
||||||
|
|
9
ansible/roles/nomad/files/nomad.service
Normal file
9
ansible/roles/nomad/files/nomad.service
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
[Unit]
|
||||||
|
Description=Nomad
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
ExecStart=/usr/local/bin/nomad agent -config /etc/nomad
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
||||||
|
|
5
ansible/roles/nomad/handlers/main.yml
Normal file
5
ansible/roles/nomad/handlers/main.yml
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: restart nomad
|
||||||
|
service: name=nomad state=restarted
|
||||||
|
|
49
ansible/roles/nomad/tasks/main.yml
Normal file
49
ansible/roles/nomad/tasks/main.yml
Normal file
|
@ -0,0 +1,49 @@
|
||||||
|
- name: "Set nomad version"
|
||||||
|
set_fact:
|
||||||
|
nomad_version: 0.8.6
|
||||||
|
|
||||||
|
- name: "Download and install Nomad for armv7l"
|
||||||
|
unarchive:
|
||||||
|
src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_arm.zip"
|
||||||
|
dest: /usr/local/bin
|
||||||
|
remote_src: yes
|
||||||
|
when:
|
||||||
|
- "ansible_architecture == 'armv7l'"
|
||||||
|
notify:
|
||||||
|
- restart nomad
|
||||||
|
|
||||||
|
- name: "Download and install Nomad for x86_64"
|
||||||
|
unarchive:
|
||||||
|
src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip"
|
||||||
|
dest: /usr/local/bin
|
||||||
|
remote_src: yes
|
||||||
|
when:
|
||||||
|
- "ansible_architecture == 'x86_64'"
|
||||||
|
notify:
|
||||||
|
- restart nomad
|
||||||
|
|
||||||
|
- name: "Download and install Nomad for arm64"
|
||||||
|
unarchive:
|
||||||
|
src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_arm64.zip"
|
||||||
|
dest: /usr/local/bin
|
||||||
|
remote_src: yes
|
||||||
|
when:
|
||||||
|
- "ansible_architecture == 'aarch64'"
|
||||||
|
notify:
|
||||||
|
- restart nomad
|
||||||
|
|
||||||
|
- name: "Create Nomad configuration directory"
|
||||||
|
file: path=/etc/nomad/ state=directory
|
||||||
|
|
||||||
|
- name: "Deploy Nomad configuration"
|
||||||
|
template: src=nomad.hcl.j2 dest=/etc/nomad/nomad.hcl
|
||||||
|
notify:
|
||||||
|
- restart nomad
|
||||||
|
|
||||||
|
- name: "Deploy Nomad systemd service"
|
||||||
|
copy: src=nomad.service dest=/etc/systemd/system/nomad.service
|
||||||
|
notify:
|
||||||
|
- restart nomad
|
||||||
|
|
||||||
|
- name: "Enable Nomad systemd service at boot"
|
||||||
|
service: name=nomad state=started enabled=yes daemon_reload=yes
|
30
ansible/roles/nomad/templates/nomad.hcl.j2
Normal file
30
ansible/roles/nomad/templates/nomad.hcl.j2
Normal file
|
@ -0,0 +1,30 @@
|
||||||
|
addresses {
|
||||||
|
http = "0.0.0.0"
|
||||||
|
rpc = "0.0.0.0"
|
||||||
|
serf = "0.0.0.0"
|
||||||
|
}
|
||||||
|
|
||||||
|
advertise {
|
||||||
|
http = "{{ public_ip }}"
|
||||||
|
rpc = "{{ public_ip }}"
|
||||||
|
serf = "{{ public_ip }}"
|
||||||
|
}
|
||||||
|
|
||||||
|
data_dir = "/var/lib/nomad"
|
||||||
|
|
||||||
|
server {
|
||||||
|
enabled = true
|
||||||
|
bootstrap_expect = 3
|
||||||
|
}
|
||||||
|
|
||||||
|
consul {
|
||||||
|
address="127.0.0.1:8500"
|
||||||
|
}
|
||||||
|
|
||||||
|
client {
|
||||||
|
enabled = true
|
||||||
|
#cpu_total_compute = 4000
|
||||||
|
servers = ["127.0.0.1:4648"]
|
||||||
|
network_interface = "{{ interface }}"
|
||||||
|
}
|
||||||
|
|
3
ansible/roles/storage/handlers/main.yml
Normal file
3
ansible/roles/storage/handlers/main.yml
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
---
|
||||||
|
- name: umount gluster
|
||||||
|
shell: umount --force --lazy /mnt/glusterfs ; true
|
72
ansible/roles/storage/tasks/main.yml
Normal file
72
ansible/roles/storage/tasks/main.yml
Normal file
|
@ -0,0 +1,72 @@
|
||||||
|
- name: "Add GlusterFS Repo Key"
|
||||||
|
apt_key:
|
||||||
|
url: https://download.gluster.org/pub/gluster/glusterfs/5/rsa.pub
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: "Add GlusterFS official repository"
|
||||||
|
apt_repository:
|
||||||
|
repo: "deb [arch=amd64] https://download.gluster.org/pub/gluster/glusterfs/5/LATEST/Debian/buster/amd64/apt buster main"
|
||||||
|
state: present
|
||||||
|
filename: gluster
|
||||||
|
|
||||||
|
- name: "Install GlusterFS"
|
||||||
|
apt:
|
||||||
|
name:
|
||||||
|
- glusterfs-server
|
||||||
|
- glusterfs-client
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: "Ensure Gluster Daemon started and enabled"
|
||||||
|
service:
|
||||||
|
name: glusterd
|
||||||
|
enabled: yes
|
||||||
|
state: started
|
||||||
|
|
||||||
|
- name: "Create directory for GlusterFS bricks"
|
||||||
|
file: path=/mnt/storage/glusterfs/brick1 recurse=yes state=directory
|
||||||
|
|
||||||
|
- name: "Create GlusterFS volumes"
|
||||||
|
gluster_volume:
|
||||||
|
state: present
|
||||||
|
name: donnees
|
||||||
|
bricks: /mnt/storage/glusterfs/brick1/g1
|
||||||
|
#rebalance: yes
|
||||||
|
redundancies: 1
|
||||||
|
disperses: 3
|
||||||
|
#replicas: 3
|
||||||
|
force: yes
|
||||||
|
options:
|
||||||
|
client.event-threads: "8"
|
||||||
|
server.event-threads: "8"
|
||||||
|
performance.stat-prefetch: "on"
|
||||||
|
nfs.disable: "on"
|
||||||
|
features.cache-invalidation: "on"
|
||||||
|
performance.client-io-threads: "on"
|
||||||
|
config.transport: tcp
|
||||||
|
performance.quick-read: "on"
|
||||||
|
performance.io-cache: "on"
|
||||||
|
nfs.export-volumes: "off"
|
||||||
|
cluster.lookup-optimize: "on"
|
||||||
|
|
||||||
|
cluster: "{% for selected_host in groups['cluster_nodes'] %}{{ hostvars[selected_host]['private_ip'] }}{{ ',' if not loop.last else '' }}{% endfor %}"
|
||||||
|
run_once: true
|
||||||
|
|
||||||
|
- name: "Create mountpoint"
|
||||||
|
file: path=/mnt/glusterfs recurse=yes state=directory
|
||||||
|
|
||||||
|
- name: "Flush handlers (umount glusterfs and restart ganesha)"
|
||||||
|
meta: flush_handlers
|
||||||
|
|
||||||
|
- name: "Add fstab entry"
|
||||||
|
tags: gluster-fstab
|
||||||
|
mount:
|
||||||
|
path: /mnt/glusterfs
|
||||||
|
src: "{{ private_ip }}:/donnees"
|
||||||
|
fstype: glusterfs
|
||||||
|
opts: "defaults,_netdev"
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Mount everything
|
||||||
|
command: mount -a
|
||||||
|
args:
|
||||||
|
warn: no
|
1
ansible/roles/users/files/erwan-key1.pub
Normal file
1
ansible/roles/users/files/erwan-key1.pub
Normal file
|
@ -0,0 +1 @@
|
||||||
|
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ/p26O7UY7D2y6ZshqmywNf0YD90KYWT4Z9DvpgZj3iLh9o/QL7XIYT/qHYPaEBXZJOdMaZRLmdxVlybKCE0KU= Arm0nius@armonius
|
1
ansible/roles/users/files/quentin-key1.pub
Normal file
1
ansible/roles/users/files/quentin-key1.pub
Normal file
|
@ -0,0 +1 @@
|
||||||
|
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDT1+H08FdUSvdPpPKdcafq4+JRHvFVjfvG5Id97LAoROmFRUb/ZOMTLdNuD7FqvW0Da5CPxIMr8ZxfrFLtpGyuG7qdI030iIRZPlKpBh37epZHaV+l9F4ZwJQMIBO9cuyLPXgsyvM/s7tDtrdK1k7JTf2EVvoirrjSzBaMhAnhi7//to8zvujDtgDZzy6aby75bAaDetlYPBq2brWehtrf9yDDG9WAMYJqp//scje/WmhbRR6eSdim1HaUcWk5+4ZPt8sQJcy8iWxQ4jtgjqTvMOe5v8ZPkxJNBine/ZKoJsv7FzKem00xEH7opzktaGukyEqH0VwOwKhmBiqsX2yN quentin@dufour.io
|
1
ansible/roles/users/files/quentin-key2.pub
Normal file
1
ansible/roles/users/files/quentin-key2.pub
Normal file
|
@ -0,0 +1 @@
|
||||||
|
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBu+KUebaWwlugMC5fGbNhHc6IaQDAC6+1vMc4Ww7nVU1rs2nwI7L5qcWxOwNdhFaorZQZy/fJuCWdFbF61RCKGayBWPLZHGPsfqDuggYNEi1Qil1kpeCECfDQNjyMTK058ZBBhOWNMHBjlLWXUlRJDkRBBECY0vo4jRv22SvSaPUCAnkdJ9rbAp/kqb497PTIb2r1l1/ew8YdhINAlpYQFQezZVfkZdTKxt22n0QCjhupqjfh3gfNnbBX0z/iO+RvAOWRIZsjPFLC+jXl+n7cnu2cq1nvST5eHiYfXXeIgIwmeENLKqp+2Twr7PIdv22PnJkh6iR5kx7eTRxkNZdN quentin@deuxfleurs.fr
|
1
ansible/roles/users/files/valentin-key1.pub
Normal file
1
ansible/roles/users/files/valentin-key1.pub
Normal file
|
@ -0,0 +1 @@
|
||||||
|
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLsa6M4gYCXxEnv4SY24I1Yixv9okhTlDChxr27WLsLEpKt8AX2Q456ip2o3hCe3FbyD3vnliObKsG0/QXHV7Sw= valentin@linux.home
|
39
ansible/roles/users/tasks/main.yml
Normal file
39
ansible/roles/users/tasks/main.yml
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
- name: Add users in the system
|
||||||
|
user:
|
||||||
|
name: "{{ item.username }}"
|
||||||
|
#groups: docker
|
||||||
|
shell: "{{ item.shell | default('/bin/bash') }}"
|
||||||
|
append: no
|
||||||
|
loop: "{{ active_users
|
||||||
|
| selectattr('is_admin', 'defined')
|
||||||
|
| rejectattr('is_admin')
|
||||||
|
| list
|
||||||
|
| union( active_users
|
||||||
|
| selectattr('is_admin', 'undefined')
|
||||||
|
| list )}}"
|
||||||
|
|
||||||
|
- name: Set admin rights
|
||||||
|
user:
|
||||||
|
name: "{{ item.username }}"
|
||||||
|
groups: docker, sudo
|
||||||
|
shell: "{{ item.shell | default('/bin/bash') }}"
|
||||||
|
append: no
|
||||||
|
loop: "{{ active_users
|
||||||
|
| selectattr('is_admin', 'defined')
|
||||||
|
| selectattr('is_admin')
|
||||||
|
| list }}"
|
||||||
|
|
||||||
|
# [V How SSH Key works] magic is done by subelements, understand the trick at:
|
||||||
|
# https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html#subelements-filter
|
||||||
|
- name: Add SSH keys
|
||||||
|
authorized_key:
|
||||||
|
user: "{{ item.0.username }}"
|
||||||
|
state: present
|
||||||
|
key: "{{ lookup('file', item.1) }}"
|
||||||
|
loop: "{{ active_users | subelements('ssh_keys', skip_missing=True) }}"
|
||||||
|
|
||||||
|
- name: Disable old users
|
||||||
|
user:
|
||||||
|
name: "{{ item }}"
|
||||||
|
state: absent
|
||||||
|
loop: "{{ disabled_users }}"
|
18
ansible/roles/users/vars/main.yml
Normal file
18
ansible/roles/users/vars/main.yml
Normal file
|
@ -0,0 +1,18 @@
|
||||||
|
---
|
||||||
|
active_users:
|
||||||
|
- username: 'quentin'
|
||||||
|
is_admin: true
|
||||||
|
ssh_keys:
|
||||||
|
- 'quentin-key1.pub'
|
||||||
|
- 'quentin-key2.pub'
|
||||||
|
|
||||||
|
- username: 'erwan'
|
||||||
|
ssh_keys:
|
||||||
|
- 'erwan-key1.pub'
|
||||||
|
|
||||||
|
- username: 'valentin'
|
||||||
|
ssh_keys:
|
||||||
|
- 'valentin-key1.pub'
|
||||||
|
|
||||||
|
disabled_users:
|
||||||
|
- 'john.doe'
|
2
ansible/site.yml
Normal file
2
ansible/site.yml
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
---
|
||||||
|
- import_playbook: cluster_nodes.yml
|
1
bootstrap/README.md
Normal file
1
bootstrap/README.md
Normal file
|
@ -0,0 +1 @@
|
||||||
|
sudo dnf install smartmontools
|
139
bootstrap/build-installer.sh
Normal file
139
bootstrap/build-installer.sh
Normal file
|
@ -0,0 +1,139 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
set -e # Exit on error
|
||||||
|
|
||||||
|
DEVICE=$1
|
||||||
|
|
||||||
|
[[ -z "${DEVICE}" ]] && echo "Usage $0 /dev/sdX" && exit 1
|
||||||
|
|
||||||
|
udevadm info -n ${DEVICE} -q property
|
||||||
|
echo "Selected device is ${DEVICE}"
|
||||||
|
read -p "[Press enter to continue or CTRL+C to stop]"
|
||||||
|
|
||||||
|
echo "Umount ${DEVICE}"
|
||||||
|
umount ${DEVICE}* || true
|
||||||
|
|
||||||
|
echo "Set partition table to GPT (UEFI)"
|
||||||
|
parted ${DEVICE} --script mktable gpt
|
||||||
|
|
||||||
|
echo "Create EFI partition"
|
||||||
|
parted ${DEVICE} --script mkpart EFI fat16 1MiB 10MiB
|
||||||
|
parted ${DEVICE} --script set 1 msftdata on
|
||||||
|
|
||||||
|
echo "Create OS partition"
|
||||||
|
parted ${DEVICE} --script mkpart LINUX btrfs 10MiB 4GiB
|
||||||
|
|
||||||
|
echo "Format partitions"
|
||||||
|
mkfs.vfat -n EFI ${DEVICE}1
|
||||||
|
mkfs.btrfs -f -L LINUX ${DEVICE}2
|
||||||
|
|
||||||
|
ROOTFS_UUID=$(btrfs filesystem show ${DEVICE}2 | grep -Po "uuid: [a-f0-9-]+"|cut -c 7-44)
|
||||||
|
if [[ -z ${ROOTFS_UUID} ]]; then
|
||||||
|
echo "Rootfs UUID is <<${ROOTFS_UUID}>>"
|
||||||
|
echo "WARNING! BUG! The UUID is not set in the fstab. Either because this command failed (empty UUID above) or because of chroot scoping. Please fix it."
|
||||||
|
echo "Your OS will still be able to boot normally and remount the filesystem as RW but it could crash some apps like fsck"
|
||||||
|
read -p "[Press enter to continue or CTRL+C to stop]"
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "Mount OS partition"
|
||||||
|
ROOTFS="/tmp/installing-rootfs"
|
||||||
|
mkdir -p ${ROOTFS}
|
||||||
|
mount ${DEVICE}2 ${ROOTFS}
|
||||||
|
|
||||||
|
echo "Debootstrap system"
|
||||||
|
debootstrap --variant=minbase --arch amd64 buster ${ROOTFS} http://deb.debian.org/debian/
|
||||||
|
|
||||||
|
echo "Mount EFI partition"
|
||||||
|
mkdir -p ${ROOTFS}/boot/efi
|
||||||
|
mount ${DEVICE}1 ${ROOTFS}/boot/efi
|
||||||
|
|
||||||
|
echo "Get ready for chroot"
|
||||||
|
mount --bind /dev ${ROOTFS}/dev
|
||||||
|
mount -t devpts /dev/pts ${ROOTFS}/dev/pts
|
||||||
|
mount -t proc proc ${ROOTFS}/proc
|
||||||
|
mount -t sysfs sysfs ${ROOTFS}/sys
|
||||||
|
mount -t tmpfs tmpfs ${ROOTFS}/tmp
|
||||||
|
|
||||||
|
echo "Entering chroot, installing Linux kernel and Grub"
|
||||||
|
cat << EOF | chroot ${ROOTFS}
|
||||||
|
set -e
|
||||||
|
export HOME=/root
|
||||||
|
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin
|
||||||
|
export DEBIAN_FRONTEND=noninteractive
|
||||||
|
debconf-set-selections <<< "grub-efi-amd64 grub2/update_nvram boolean false"
|
||||||
|
apt-get remove -y grub-efi grub-efi-amd64
|
||||||
|
apt-get update
|
||||||
|
apt-get install -y linux-image-generic linux-headers-generic grub-efi
|
||||||
|
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=debian --recheck --no-nvram --removable
|
||||||
|
update-grub
|
||||||
|
EOF
|
||||||
|
|
||||||
|
echo "Install script based on dd"
|
||||||
|
cat << 'EOF' > ${ROOTFS}/usr/local/sbin/os-install
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
set -e
|
||||||
|
|
||||||
|
SOURCE=$1
|
||||||
|
TARGET=$2
|
||||||
|
# We write partitions until 4GiB = 4 * 1024^3 (https://en.wikipedia.org/wiki/Gibibyte)
|
||||||
|
# In dd, M means 1048576 bytes = 1024^2 (man dd)
|
||||||
|
# So we need to copy (4 * 1024^3) / (4 * 1024^2) = 0.5 * 1024 = 1024 blocks
|
||||||
|
dd if=${SOURCE} of=${TARGET} bs=4M status=progress count=1030
|
||||||
|
growpart ${TARGET} 2
|
||||||
|
mount ${TARGET}2 /mnt
|
||||||
|
btrfs filesystem resize max /mnt
|
||||||
|
umount /mnt
|
||||||
|
echo "you might want to run: btrfstune -u ${TARGET}2 but you will need to update the fstab"
|
||||||
|
echo "you might want to change systemd machine UUID"
|
||||||
|
echo "you might want to change /etc/systemd/network/en.network configuration"
|
||||||
|
EOF
|
||||||
|
|
||||||
|
chmod +x ${ROOTFS}/usr/local/sbin/os-install
|
||||||
|
|
||||||
|
echo "Entering chroot (bis), installing daemon"
|
||||||
|
cat << EOF | chroot ${ROOTFS}
|
||||||
|
set -e
|
||||||
|
export HOME=/root
|
||||||
|
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin
|
||||||
|
export DEBIAN_FRONTEND=noninteractive
|
||||||
|
|
||||||
|
# Set fstab
|
||||||
|
echo "UUID=${ROOTFS_UUID} / btrfs defaults 0 0" > /etc/fstab
|
||||||
|
|
||||||
|
# Install systemd and OpenSSH
|
||||||
|
apt-get update
|
||||||
|
apt-get install -y systemd openssh-server sudo btrfs-tools cloud-utils python
|
||||||
|
systemctl enable ssh
|
||||||
|
|
||||||
|
# Enable systemd services
|
||||||
|
systemctl enable systemd-networkd systemd-timesyncd systemd-resolved
|
||||||
|
|
||||||
|
# Listen on any ethernet interface for DHCP
|
||||||
|
tee /etc/systemd/network/en.network << EOG
|
||||||
|
[Match]
|
||||||
|
Name=en*
|
||||||
|
|
||||||
|
[Network]
|
||||||
|
DHCP=ipv4
|
||||||
|
EOG
|
||||||
|
|
||||||
|
# Add SSH keys
|
||||||
|
mkdir -p /root/.ssh
|
||||||
|
tee /root/.ssh/authorized_keys << EOG
|
||||||
|
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDT1+H08FdUSvdPpPKdcafq4+JRHvFVjfvG5Id97LAoROmFRUb/ZOMTLdNuD7FqvW0Da5CPxIMr8ZxfrFLtpGyuG7qdI030iIRZPlKpBh37epZHaV+l9F4ZwJQMIBO9cuyLPXgsyvM/s7tDtrdK1k7JTf2EVvoirrjSzBaMhAnhi7//to8zvujDtgDZzy6aby75bAaDetlYPBq2brWehtrf9yDDG9WAMYJqp//scje/WmhbRR6eSdim1HaUcWk5+4ZPt8sQJcy8iWxQ4jtgjqTvMOe5v8ZPkxJNBine/ZKoJsv7FzKem00xEH7opzktaGukyEqH0VwOwKhmBiqsX2yN quentin@dufour.io
|
||||||
|
EOG
|
||||||
|
|
||||||
|
echo "Done"
|
||||||
|
EOF
|
||||||
|
|
||||||
|
echo "Unmounting filesystems"
|
||||||
|
umount ${ROOTFS}/dev/pts
|
||||||
|
umount ${ROOTFS}/dev
|
||||||
|
umount ${ROOTFS}/proc
|
||||||
|
umount ${ROOTFS}/sys
|
||||||
|
umount ${ROOTFS}/tmp
|
||||||
|
umount ${ROOTFS}/boot/efi
|
||||||
|
umount ${ROOTFS}
|
||||||
|
|
||||||
|
echo "Done"
|
27
consul/configuration/.gitignore
vendored
Normal file
27
consul/configuration/.gitignore
vendored
Normal file
|
@ -0,0 +1,27 @@
|
||||||
|
# Blacklist everything cleverly
|
||||||
|
*
|
||||||
|
!*/
|
||||||
|
|
||||||
|
# Whitelist some patterns
|
||||||
|
!*.sample
|
||||||
|
!*.gen
|
||||||
|
!*.tpl
|
||||||
|
!.gitignore
|
||||||
|
|
||||||
|
# Whitelist specific files
|
||||||
|
!seafile/conf/seafdav.conf
|
||||||
|
!seafile/ccnet/seafile.ini
|
||||||
|
|
||||||
|
!email/dkim/keytable
|
||||||
|
!email/dkim/signingtable
|
||||||
|
!email/dkim/trusted
|
||||||
|
!email/postfix/dynamicmaps.cf
|
||||||
|
!email/postfix/header_checks
|
||||||
|
!email/postfix/main.cf
|
||||||
|
!email/postfix/master.cf
|
||||||
|
!email/postfix/transport
|
||||||
|
!email/postfix/transport.db
|
||||||
|
|
||||||
|
!email/sogo/sogo.conf.tpl
|
||||||
|
|
||||||
|
!chat/**/*
|
19
consul/configuration/chat/coturn/turnserver.conf.tpl
Normal file
19
consul/configuration/chat/coturn/turnserver.conf.tpl
Normal file
|
@ -0,0 +1,19 @@
|
||||||
|
use-auth-secret
|
||||||
|
static-auth-secret={{ key "secrets/chat/coturn/static-auth" | trimSpace }}
|
||||||
|
realm=turn.deuxfleurs.fr
|
||||||
|
|
||||||
|
# VoIP traffic is all UDP. There is no reason to let users connect to arbitrary TCP endpoints via the relay.
|
||||||
|
#no-tcp-relay
|
||||||
|
|
||||||
|
# don't let the relay ever try to connect to private IP address ranges within your network (if any)
|
||||||
|
# given the turn server is likely behind your firewall, remember to include any privileged public IPs too.
|
||||||
|
#denied-peer-ip=10.0.0.0-10.255.255.255
|
||||||
|
#denied-peer-ip=192.168.0.0-192.168.255.255
|
||||||
|
#denied-peer-ip=172.16.0.0-172.31.255.255
|
||||||
|
|
||||||
|
# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.
|
||||||
|
user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
|
||||||
|
total-quota=1200
|
||||||
|
|
||||||
|
min-port=49152
|
||||||
|
max-port=49252
|
23
consul/configuration/chat/riot_web/config.json
Normal file
23
consul/configuration/chat/riot_web/config.json
Normal file
|
@ -0,0 +1,23 @@
|
||||||
|
{
|
||||||
|
"default_hs_url": "https://im.deuxfleurs.fr",
|
||||||
|
"default_is_url": "https://vector.im",
|
||||||
|
"disable_custom_urls": false,
|
||||||
|
"disable_guests": false,
|
||||||
|
"disable_login_language_selector": false,
|
||||||
|
"disable_3pid_login": false,
|
||||||
|
"brand": "Deuxfleurs",
|
||||||
|
"integrations_ui_url": "https://scalar.vector.im/",
|
||||||
|
"integrations_rest_url": "https://scalar.vector.im/api",
|
||||||
|
"integrations_jitsi_widget_url": "https://scalar.vector.im/api/widgets/jitsi.html",
|
||||||
|
"bug_report_endpoint_url": "https://riot.im/bugreports/submit",
|
||||||
|
"features": {
|
||||||
|
"feature_groups": "labs",
|
||||||
|
"feature_pinning": "labs"
|
||||||
|
},
|
||||||
|
"default_federate": true,
|
||||||
|
"welcomePageUrl": "home.html",
|
||||||
|
"default_theme": "light",
|
||||||
|
"roomDirectory": {
|
||||||
|
"servers": [ "im.deuxfleurs.fr", "matrix.org" ]
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1 @@
|
||||||
|
report_stats: true
|
|
@ -0,0 +1 @@
|
||||||
|
server_name: deuxfleurs.fr
|
405
consul/configuration/chat/synapse/homeserver.yaml
Normal file
405
consul/configuration/chat/synapse/homeserver.yaml
Normal file
|
@ -0,0 +1,405 @@
|
||||||
|
# vim:ft=yaml
|
||||||
|
|
||||||
|
server_name: "deuxfleurs.fr"
|
||||||
|
# PEM encoded X509 certificate for TLS.
|
||||||
|
# You can replace the self-signed certificate that synapse
|
||||||
|
# autogenerates on launch with your own SSL certificate + key pair
|
||||||
|
# if you like. Any required intermediary certificates can be
|
||||||
|
# appended after the primary certificate in hierarchical order.
|
||||||
|
tls_certificate_path: "/etc/matrix-synapse/homeserver.tls.crt"
|
||||||
|
|
||||||
|
# PEM encoded private key for TLS
|
||||||
|
tls_private_key_path: "/etc/matrix-synapse/homeserver.tls.key"
|
||||||
|
|
||||||
|
# PEM dh parameters for ephemeral keys
|
||||||
|
tls_dh_params_path: "/etc/matrix-synapse/homeserver.tls.dh"
|
||||||
|
|
||||||
|
# Don't bind to the https port
|
||||||
|
no_tls: True
|
||||||
|
|
||||||
|
|
||||||
|
## Server ##
|
||||||
|
|
||||||
|
# When running as a daemon, the file to store the pid in
|
||||||
|
pid_file: "/var/run/matrix-synapse.pid"
|
||||||
|
|
||||||
|
# Whether to serve a web client from the HTTP/HTTPS root resource.
|
||||||
|
web_client: False
|
||||||
|
|
||||||
|
# The public-facing base URL for the client API (not including _matrix/...)
|
||||||
|
public_baseurl: https://im.deuxfleurs.fr/
|
||||||
|
|
||||||
|
# Set the soft limit on the number of file descriptors synapse can use
|
||||||
|
# Zero is used to indicate synapse should set the soft limit to the
|
||||||
|
# hard limit.
|
||||||
|
soft_file_limit: 0
|
||||||
|
|
||||||
|
# The GC threshold parameters to pass to `gc.set_threshold`, if defined
|
||||||
|
# gc_thresholds: [700, 10, 10]
|
||||||
|
|
||||||
|
# A list of other Home Servers to fetch the public room directory from
|
||||||
|
# and include in the public room directory of this home server
|
||||||
|
# This is a temporary stopgap solution to populate new server with a
|
||||||
|
# list of rooms until there exists a good solution of a decentralized
|
||||||
|
# room directory.
|
||||||
|
# secondary_directory_servers:
|
||||||
|
# - matrix.org
|
||||||
|
# - vector.im
|
||||||
|
|
||||||
|
# List of ports that Synapse should listen on, their purpose and their
|
||||||
|
# configuration.
|
||||||
|
listeners:
|
||||||
|
# Unsecure HTTP listener,
|
||||||
|
# For when matrix traffic passes through loadbalancer that unwraps TLS.
|
||||||
|
- port: 8008
|
||||||
|
tls: false
|
||||||
|
bind_address: ''
|
||||||
|
type: http
|
||||||
|
|
||||||
|
x_forwarded: false
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- names: [client]
|
||||||
|
compress: true
|
||||||
|
- names: [federation]
|
||||||
|
compress: false
|
||||||
|
|
||||||
|
# Turn on the twisted ssh manhole service on localhost on the given
|
||||||
|
# port.
|
||||||
|
# - port: 9000
|
||||||
|
# bind_address: 127.0.0.1
|
||||||
|
# type: manhole
|
||||||
|
|
||||||
|
|
||||||
|
# Database configuration
|
||||||
|
database:
|
||||||
|
name: psycopg2
|
||||||
|
args:
|
||||||
|
user: {{ key "secrets/chat/synapse/postgres_user" | trimSpace }}
|
||||||
|
password: {{ key "secrets/chat/synapse/postgres_pwd" | trimSpace }}
|
||||||
|
database: {{ key "secrets/chat/synapse/postgres_db" | trimSpace }}
|
||||||
|
host: psql-proxy.service.2.cluster.deuxfleurs.fr
|
||||||
|
port: 5432
|
||||||
|
cp_min: 5
|
||||||
|
cp_max: 10
|
||||||
|
# Number of events to cache in memory.
|
||||||
|
event_cache_size: "10K"
|
||||||
|
|
||||||
|
|
||||||
|
# A yaml python logging config file
|
||||||
|
log_config: "/etc/matrix-synapse/log.yaml"
|
||||||
|
|
||||||
|
# Stop twisted from discarding the stack traces of exceptions in
|
||||||
|
# deferreds by waiting a reactor tick before running a deferred's
|
||||||
|
# callbacks.
|
||||||
|
# full_twisted_stacktraces: true
|
||||||
|
|
||||||
|
|
||||||
|
## Ratelimiting ##
|
||||||
|
|
||||||
|
# Number of messages a client can send per second
|
||||||
|
rc_messages_per_second: 0.2
|
||||||
|
|
||||||
|
# Number of message a client can send before being throttled
|
||||||
|
rc_message_burst_count: 10.0
|
||||||
|
|
||||||
|
# The federation window size in milliseconds
|
||||||
|
federation_rc_window_size: 1000
|
||||||
|
|
||||||
|
# The number of federation requests from a single server in a window
|
||||||
|
# before the server will delay processing the request.
|
||||||
|
federation_rc_sleep_limit: 10
|
||||||
|
|
||||||
|
# The duration in milliseconds to delay processing events from
|
||||||
|
# remote servers by if they go over the sleep limit.
|
||||||
|
federation_rc_sleep_delay: 500
|
||||||
|
|
||||||
|
# The maximum number of concurrent federation requests allowed
|
||||||
|
# from a single server
|
||||||
|
federation_rc_reject_limit: 50
|
||||||
|
|
||||||
|
# The number of federation requests to concurrently process from a
|
||||||
|
# single server
|
||||||
|
federation_rc_concurrent: 3
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# Directory where uploaded images and attachments are stored.
|
||||||
|
media_store_path: "/var/lib/matrix-synapse/media"
|
||||||
|
uploads_path: "/var/lib/matrix-synapse/uploads"
|
||||||
|
|
||||||
|
# The largest allowed upload size in bytes
|
||||||
|
max_upload_size: "100M"
|
||||||
|
|
||||||
|
# Maximum number of pixels that will be thumbnailed
|
||||||
|
max_image_pixels: "32M"
|
||||||
|
|
||||||
|
# Whether to generate new thumbnails on the fly to precisely match
|
||||||
|
# the resolution requested by the client. If true then whenever
|
||||||
|
# a new resolution is requested by the client the server will
|
||||||
|
# generate a new thumbnail. If false the server will pick a thumbnail
|
||||||
|
# from a precalculated list.
|
||||||
|
dynamic_thumbnails: false
|
||||||
|
|
||||||
|
# List of thumbnail to precalculate when an image is uploaded.
|
||||||
|
thumbnail_sizes:
|
||||||
|
- width: 32
|
||||||
|
height: 32
|
||||||
|
method: crop
|
||||||
|
- width: 96
|
||||||
|
height: 96
|
||||||
|
method: crop
|
||||||
|
- width: 320
|
||||||
|
height: 240
|
||||||
|
method: scale
|
||||||
|
- width: 640
|
||||||
|
height: 480
|
||||||
|
method: scale
|
||||||
|
- width: 800
|
||||||
|
height: 600
|
||||||
|
method: scale
|
||||||
|
|
||||||
|
# Is the preview URL API enabled? If enabled, you *must* specify
|
||||||
|
# an explicit url_preview_ip_range_blacklist of IPs that the spider is
|
||||||
|
# denied from accessing.
|
||||||
|
url_preview_enabled: True
|
||||||
|
|
||||||
|
# List of IP address CIDR ranges that the URL preview spider is denied
|
||||||
|
# from accessing. There are no defaults: you must explicitly
|
||||||
|
# specify a list for URL previewing to work. You should specify any
|
||||||
|
# internal services in your network that you do not want synapse to try
|
||||||
|
# to connect to, otherwise anyone in any Matrix room could cause your
|
||||||
|
# synapse to issue arbitrary GET requests to your internal services,
|
||||||
|
# causing serious security issues.
|
||||||
|
#
|
||||||
|
url_preview_ip_range_blacklist:
|
||||||
|
- '127.0.0.0/8'
|
||||||
|
- '10.0.0.0/8'
|
||||||
|
- '172.16.0.0/12'
|
||||||
|
- '192.168.0.0/16'
|
||||||
|
#
|
||||||
|
# List of IP address CIDR ranges that the URL preview spider is allowed
|
||||||
|
# to access even if they are specified in url_preview_ip_range_blacklist.
|
||||||
|
# This is useful for specifying exceptions to wide-ranging blacklisted
|
||||||
|
# target IP ranges - e.g. for enabling URL previews for a specific private
|
||||||
|
# website only visible in your network.
|
||||||
|
#
|
||||||
|
# url_preview_ip_range_whitelist:
|
||||||
|
# - '192.168.1.1'
|
||||||
|
|
||||||
|
# Optional list of URL matches that the URL preview spider is
|
||||||
|
# denied from accessing. You should use url_preview_ip_range_blacklist
|
||||||
|
# in preference to this, otherwise someone could define a public DNS
|
||||||
|
# entry that points to a private IP address and circumvent the blacklist.
|
||||||
|
# This is more useful if you know there is an entire shape of URL that
|
||||||
|
# you know that will never want synapse to try to spider.
|
||||||
|
#
|
||||||
|
# Each list entry is a dictionary of url component attributes as returned
|
||||||
|
# by urlparse.urlsplit as applied to the absolute form of the URL. See
|
||||||
|
# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit
|
||||||
|
# The values of the dictionary are treated as an filename match pattern
|
||||||
|
# applied to that component of URLs, unless they start with a ^ in which
|
||||||
|
# case they are treated as a regular expression match. If all the
|
||||||
|
# specified component matches for a given list item succeed, the URL is
|
||||||
|
# blacklisted.
|
||||||
|
#
|
||||||
|
# url_preview_url_blacklist:
|
||||||
|
# # blacklist any URL with a username in its URI
|
||||||
|
# - username: '*'
|
||||||
|
#
|
||||||
|
# # blacklist all *.google.com URLs
|
||||||
|
# - netloc: 'google.com'
|
||||||
|
# - netloc: '*.google.com'
|
||||||
|
#
|
||||||
|
# # blacklist all plain HTTP URLs
|
||||||
|
# - scheme: 'http'
|
||||||
|
#
|
||||||
|
# # blacklist http(s)://www.acme.com/foo
|
||||||
|
# - netloc: 'www.acme.com'
|
||||||
|
# path: '/foo'
|
||||||
|
#
|
||||||
|
# # blacklist any URL with a literal IPv4 address
|
||||||
|
# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
|
||||||
|
|
||||||
|
# The largest allowed URL preview spidering size in bytes
|
||||||
|
max_spider_size: "10M"
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
## Captcha ##
|
||||||
|
|
||||||
|
# This Home Server's ReCAPTCHA public key.
|
||||||
|
recaptcha_public_key: "YOUR_PUBLIC_KEY"
|
||||||
|
|
||||||
|
# This Home Server's ReCAPTCHA private key.
|
||||||
|
recaptcha_private_key: "YOUR_PRIVATE_KEY"
|
||||||
|
|
||||||
|
# Enables ReCaptcha checks when registering, preventing signup
|
||||||
|
# unless a captcha is answered. Requires a valid ReCaptcha
|
||||||
|
# public/private key.
|
||||||
|
enable_registration_captcha: False
|
||||||
|
|
||||||
|
# A secret key used to bypass the captcha test entirely.
|
||||||
|
#captcha_bypass_secret: "YOUR_SECRET_HERE"
|
||||||
|
|
||||||
|
# The API endpoint to use for verifying m.login.recaptcha responses.
|
||||||
|
recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
|
||||||
|
|
||||||
|
|
||||||
|
## Turn ##
|
||||||
|
|
||||||
|
# The public URIs of the TURN server to give to clients
|
||||||
|
turn_uris: [ "turn:turn.deuxfleurs.fr:3478?transport=udp", "turn:turn.deuxfleurs.fr:3478?transport=tcp" ]
|
||||||
|
|
||||||
|
# The shared secret used to compute passwords for the TURN server
|
||||||
|
turn_shared_secret: '{{ key "secrets/chat/coturn/static-auth" | trimSpace }}'
|
||||||
|
|
||||||
|
# How long generated TURN credentials last
|
||||||
|
turn_user_lifetime: "1h"
|
||||||
|
|
||||||
|
turn_allow_guests: True
|
||||||
|
|
||||||
|
## Registration ##
|
||||||
|
|
||||||
|
# Enable registration for new users.
|
||||||
|
enable_registration: False
|
||||||
|
|
||||||
|
# If set, allows registration by anyone who also has the shared
|
||||||
|
# secret, even if registration is otherwise disabled.
|
||||||
|
registration_shared_secret: '{{ key "secrets/chat/synapse/registration_shared_secret" | trimSpace }}'
|
||||||
|
|
||||||
|
# Sets the expiry for the short term user creation in
|
||||||
|
# milliseconds. For instance the bellow duration is two weeks
|
||||||
|
# in milliseconds.
|
||||||
|
user_creation_max_duration: 1209600000
|
||||||
|
|
||||||
|
# Set the number of bcrypt rounds used to generate password hash.
|
||||||
|
# Larger numbers increase the work factor needed to generate the hash.
|
||||||
|
# The default number of rounds is 12.
|
||||||
|
bcrypt_rounds: 12
|
||||||
|
|
||||||
|
# Allows users to register as guests without a password/email/etc, and
|
||||||
|
# participate in rooms hosted on this server which have been made
|
||||||
|
# accessible to anonymous users.
|
||||||
|
allow_guest_access: True
|
||||||
|
|
||||||
|
# The list of identity servers trusted to verify third party
|
||||||
|
# identifiers by this server.
|
||||||
|
trusted_third_party_id_servers:
|
||||||
|
- matrix.org
|
||||||
|
- vector.im
|
||||||
|
|
||||||
|
|
||||||
|
## Metrics ###
|
||||||
|
|
||||||
|
# Enable collection and rendering of performance metrics
|
||||||
|
enable_metrics: False
|
||||||
|
|
||||||
|
## API Configuration ##
|
||||||
|
|
||||||
|
# A list of event types that will be included in the room_invite_state
|
||||||
|
room_invite_state_types:
|
||||||
|
- "m.room.join_rules"
|
||||||
|
- "m.room.canonical_alias"
|
||||||
|
- "m.room.avatar"
|
||||||
|
- "m.room.name"
|
||||||
|
|
||||||
|
|
||||||
|
# A list of application service config file to use
|
||||||
|
app_service_config_files: []
|
||||||
|
|
||||||
|
|
||||||
|
# macaroon_secret_key: <PRIVATE STRING>
|
||||||
|
|
||||||
|
# Used to enable access token expiration.
|
||||||
|
expire_access_token: False
|
||||||
|
|
||||||
|
## Signing Keys ##
|
||||||
|
|
||||||
|
# Path to the signing key to sign messages with
|
||||||
|
signing_key_path: "/etc/matrix-synapse/homeserver.signing.key"
|
||||||
|
|
||||||
|
# The keys that the server used to sign messages with but won't use
|
||||||
|
# to sign new messages. E.g. it has lost its private key
|
||||||
|
old_signing_keys: {}
|
||||||
|
# "ed25519:auto":
|
||||||
|
# # Base64 encoded public key
|
||||||
|
# key: "The public part of your old signing key."
|
||||||
|
# # Millisecond POSIX timestamp when the key expired.
|
||||||
|
# expired_ts: 123456789123
|
||||||
|
|
||||||
|
# How long key response published by this server is valid for.
|
||||||
|
# Used to set the valid_until_ts in /key/v2 APIs.
|
||||||
|
# Determines how quickly servers will query to check which keys
|
||||||
|
# are still valid.
|
||||||
|
key_refresh_interval: "1d" # 1 Day.
|
||||||
|
|
||||||
|
# The trusted servers to download signing keys from.
|
||||||
|
perspectives:
|
||||||
|
servers:
|
||||||
|
"matrix.org":
|
||||||
|
verify_keys:
|
||||||
|
"ed25519:auto":
|
||||||
|
key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# Enable SAML2 for registration and login. Uses pysaml2
|
||||||
|
# config_path: Path to the sp_conf.py configuration file
|
||||||
|
# idp_redirect_url: Identity provider URL which will redirect
|
||||||
|
# the user back to /login/saml2 with proper info.
|
||||||
|
# See pysaml2 docs for format of config.
|
||||||
|
#saml2_config:
|
||||||
|
# enabled: true
|
||||||
|
# config_path: "/home/erikj/git/synapse/sp_conf.py"
|
||||||
|
# idp_redirect_url: "http://test/idp"
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# Enable CAS for registration and login.
|
||||||
|
#cas_config:
|
||||||
|
# enabled: true
|
||||||
|
# server_url: "https://cas-server.com"
|
||||||
|
# service_url: "https://homesever.domain.com:8448"
|
||||||
|
# #required_attributes:
|
||||||
|
# # name: value
|
||||||
|
|
||||||
|
|
||||||
|
# The JWT needs to contain a globally unique "sub" (subject) claim.
|
||||||
|
#
|
||||||
|
# jwt_config:
|
||||||
|
# enabled: true
|
||||||
|
# secret: "a secret"
|
||||||
|
# algorithm: "HS256"
|
||||||
|
|
||||||
|
password_providers:
|
||||||
|
- module: "ldap_auth_provider.LdapAuthProvider"
|
||||||
|
config:
|
||||||
|
enabled: true
|
||||||
|
uri: "ldap://bottin.service.2.cluster.deuxfleurs.fr:389"
|
||||||
|
start_tls: false
|
||||||
|
bind_dn: '{{ key "secrets/chat/synapse/ldap_binddn" | trimSpace }}'
|
||||||
|
bind_password: '{{ key "secrets/chat/synapse/ldap_bindpw" | trimSpace }}'
|
||||||
|
base: "ou=users,dc=deuxfleurs,dc=fr"
|
||||||
|
attributes:
|
||||||
|
uid: "cn"
|
||||||
|
name: "displayName"
|
||||||
|
mail: "mail"
|
||||||
|
|
||||||
|
# Enable password for login.
|
||||||
|
password_config:
|
||||||
|
enabled: true
|
||||||
|
|
||||||
|
# Enable sending emails for notification events
|
||||||
|
#email:
|
||||||
|
# enable_notifs: false
|
||||||
|
# smtp_host: "localhost"
|
||||||
|
# smtp_port: 25
|
||||||
|
# notif_from: "Your Friendly %(app)s Home Server <noreply@example.com>"
|
||||||
|
# app_name: Matrix
|
||||||
|
# template_dir: res/templates
|
||||||
|
# notif_template_html: notif_mail.html
|
||||||
|
# notif_template_text: notif_mail.txt
|
||||||
|
# notif_for_new_users: True
|
||||||
|
report_stats: false
|
41
consul/configuration/chat/synapse/log.yaml
Normal file
41
consul/configuration/chat/synapse/log.yaml
Normal file
|
@ -0,0 +1,41 @@
|
||||||
|
|
||||||
|
version: 1
|
||||||
|
|
||||||
|
formatters:
|
||||||
|
precise:
|
||||||
|
format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s'
|
||||||
|
|
||||||
|
filters:
|
||||||
|
context:
|
||||||
|
(): synapse.util.logcontext.LoggingContextFilter
|
||||||
|
request: ""
|
||||||
|
|
||||||
|
handlers:
|
||||||
|
file:
|
||||||
|
class: logging.handlers.RotatingFileHandler
|
||||||
|
formatter: precise
|
||||||
|
filename: /var/log/matrix-synapse/homeserver.log
|
||||||
|
maxBytes: 10485760
|
||||||
|
backupCount: 3
|
||||||
|
filters: [context]
|
||||||
|
level: WARN
|
||||||
|
console:
|
||||||
|
class: logging.StreamHandler
|
||||||
|
formatter: precise
|
||||||
|
level: WARN
|
||||||
|
|
||||||
|
loggers:
|
||||||
|
synapse:
|
||||||
|
level: INFO
|
||||||
|
|
||||||
|
synapse.storage.SQL:
|
||||||
|
level: INFO
|
||||||
|
|
||||||
|
ldap3:
|
||||||
|
level: DEBUG
|
||||||
|
ldap_auth_provider:
|
||||||
|
level: DEBUG
|
||||||
|
|
||||||
|
root:
|
||||||
|
level: INFO
|
||||||
|
handlers: [file, console]
|
1
consul/configuration/email/dkim/keytable
Normal file
1
consul/configuration/email/dkim/keytable
Normal file
|
@ -0,0 +1 @@
|
||||||
|
smtp._domainkey.deuxfleurs.fr deuxfleurs.fr:smtp:/etc/dkim/smtp.private
|
2
consul/configuration/email/dkim/signingtable
Normal file
2
consul/configuration/email/dkim/signingtable
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
*@deuxfleurs.fr smtp._domainkey.deuxfleurs.fr
|
||||||
|
*@dufour.io smtp._domainkey.deuxfleurs.fr
|
0
consul/configuration/email/dkim/smtp.private.sample
Normal file
0
consul/configuration/email/dkim/smtp.private.sample
Normal file
0
consul/configuration/email/dkim/smtp.txt.sample
Normal file
0
consul/configuration/email/dkim/smtp.txt.sample
Normal file
4
consul/configuration/email/dkim/trusted
Normal file
4
consul/configuration/email/dkim/trusted
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
127.0.0.1
|
||||||
|
localhost
|
||||||
|
192.168.1.0/24
|
||||||
|
172.16.0.0/12
|
13
consul/configuration/email/dovecot/certs.gen
Executable file
13
consul/configuration/email/dovecot/certs.gen
Executable file
|
@ -0,0 +1,13 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=imap.deuxfleurs.fr"
|
||||||
|
openssl req \
|
||||||
|
-new \
|
||||||
|
-newkey rsa:4096 \
|
||||||
|
-days 3650 \
|
||||||
|
-nodes \
|
||||||
|
-x509 \
|
||||||
|
-subj ${TLSINFO} \
|
||||||
|
-keyout dovecot.key \
|
||||||
|
-out dovecot.crt
|
||||||
|
|
|
@ -0,0 +1,8 @@
|
||||||
|
hosts = bottin.service.2.cluster.deuxfleurs.fr
|
||||||
|
dn = cn=<username>,dc=deuxfleurs,dc=fr
|
||||||
|
dnpass = <password>
|
||||||
|
base = dc=deuxfleurs,dc=fr
|
||||||
|
scope = subtree
|
||||||
|
user_filter = (&(mail=%u)(&(objectClass=inetOrgPerson)(memberOf=cn=email,ou=groups,dc=deuxfleurs,dc=fr)))
|
||||||
|
pass_filter = (&(mail=%u)(&(objectClass=inetOrgPerson)(memberOf=cn=email,ou=groups,dc=deuxfleurs,dc=fr)))
|
||||||
|
user_attrs = mail=/var/mail/%{ldap:mail}
|
13
consul/configuration/email/postfix/certs.gen
Executable file
13
consul/configuration/email/postfix/certs.gen
Executable file
|
@ -0,0 +1,13 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=smtp.deuxfleurs.fr"
|
||||||
|
openssl req \
|
||||||
|
-new \
|
||||||
|
-newkey rsa:4096 \
|
||||||
|
-days 3650 \
|
||||||
|
-nodes \
|
||||||
|
-x509 \
|
||||||
|
-subj ${TLSINFO} \
|
||||||
|
-keyout postfix.key \
|
||||||
|
-out postfix.crt
|
||||||
|
|
9
consul/configuration/email/postfix/dynamicmaps.cf
Normal file
9
consul/configuration/email/postfix/dynamicmaps.cf
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
# Postfix dynamic maps configuration file.
|
||||||
|
#
|
||||||
|
# The first match found is the one that is used. Wildcards are not supported
|
||||||
|
# as of postfix 2.0.2
|
||||||
|
#
|
||||||
|
#type location of .so file open function (mkmap func)
|
||||||
|
#==== ================================ ============= ============
|
||||||
|
ldap postfix-ldap.so dict_ldap_open
|
||||||
|
sqlite postfix-sqlite.so dict_sqlite_open
|
3
consul/configuration/email/postfix/header_checks
Normal file
3
consul/configuration/email/postfix/header_checks
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
/^Received:/ IGNORE
|
||||||
|
/^X-Originating-IP:/ IGNORE
|
||||||
|
/^X-Mailer:/ IGNORE
|
12
consul/configuration/email/postfix/ldap-account.cf.sample
Normal file
12
consul/configuration/email/postfix/ldap-account.cf.sample
Normal file
|
@ -0,0 +1,12 @@
|
||||||
|
bind = yes
|
||||||
|
bind_dn = cn=<user>,dc=deuxfleurs,dc=fr
|
||||||
|
bind_pw = <secret>
|
||||||
|
version = 3
|
||||||
|
timeout = 20
|
||||||
|
start_tls = no
|
||||||
|
tls_require_cert = no
|
||||||
|
server_host = ldap://bottin.service.2.cluster.deuxfleurs.fr
|
||||||
|
scope = sub
|
||||||
|
search_base = ou=users,dc=deuxfleurs,dc=fr
|
||||||
|
query_filter = mail=%s
|
||||||
|
result_attribute = mail
|
9
consul/configuration/email/postfix/ldap-alias.cf.sample
Normal file
9
consul/configuration/email/postfix/ldap-alias.cf.sample
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
server_host = bottin.service.2.cluster.deuxfleurs.fr
|
||||||
|
server_port = 389
|
||||||
|
search_base = dc=deuxfleurs,dc=fr
|
||||||
|
query_filter = (&(objectClass=inetOrgPerson)(memberOf=cn=%s,ou=mailing_lists,ou=groups,dc=deuxfleurs,dc=fr))
|
||||||
|
result_attribute = mail
|
||||||
|
bind = yes
|
||||||
|
bind_dn = cn=<someone>,dc=deuxfleurs,dc=fr
|
||||||
|
bind_pw = <password>
|
||||||
|
version = 3
|
107
consul/configuration/email/postfix/main.cf
Normal file
107
consul/configuration/email/postfix/main.cf
Normal file
|
@ -0,0 +1,107 @@
|
||||||
|
#===
|
||||||
|
# Base configuration
|
||||||
|
#===
|
||||||
|
myhostname = smtp.deuxfleurs.fr
|
||||||
|
alias_maps = hash:/etc/aliases
|
||||||
|
alias_database = hash:/etc/aliases
|
||||||
|
myorigin = /etc/mailname
|
||||||
|
mydestination = smtp.deuxfleurs.fr
|
||||||
|
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.0/24
|
||||||
|
mailbox_size_limit = 0
|
||||||
|
recipient_delimiter = +
|
||||||
|
inet_protocols = all
|
||||||
|
inet_interfaces = all
|
||||||
|
message_size_limit = 204800000
|
||||||
|
smtpd_banner = $myhostname
|
||||||
|
biff = no
|
||||||
|
append_dot_mydomain = no
|
||||||
|
readme_directory = no
|
||||||
|
compatibility_level = 2
|
||||||
|
|
||||||
|
#===
|
||||||
|
# TLS parameters
|
||||||
|
#===
|
||||||
|
smtpd_tls_cert_file=/etc/ssl/certs/postfix.crt
|
||||||
|
smtpd_tls_key_file=/etc/ssl/private/postfix.key
|
||||||
|
smtpd_use_tls=yes
|
||||||
|
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
|
||||||
|
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
||||||
|
#smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
|
||||||
|
smtp_tls_security_level = may
|
||||||
|
|
||||||
|
#===
|
||||||
|
# Remove privacy related content from emails
|
||||||
|
#===
|
||||||
|
mime_header_checks = regexp:/etc/postfix/header_checks
|
||||||
|
header_checks = regexp:/etc/postfix/header_checks
|
||||||
|
|
||||||
|
#===
|
||||||
|
# Handle user authentication (handled by dovecot)
|
||||||
|
#===
|
||||||
|
smtpd_sasl_auth_enable = yes
|
||||||
|
smtpd_sasl_path = inet:dovecot-auth.service.2.cluster.deuxfleurs.fr:1337
|
||||||
|
smtpd_sasl_type = dovecot
|
||||||
|
|
||||||
|
#===
|
||||||
|
# Restrictions / Checks
|
||||||
|
#===
|
||||||
|
# -- Inspired by: http://www.postfix.org/SMTPD_ACCESS_README.html#lists
|
||||||
|
|
||||||
|
# Require a valid HELO
|
||||||
|
smtpd_helo_required = yes
|
||||||
|
# As we use the same postfix to send and receive,
|
||||||
|
# we can't enforce a valid HELO hostname...
|
||||||
|
#smtpd_helo_restrictions =
|
||||||
|
# reject_unknown_helo_hostname
|
||||||
|
|
||||||
|
# Require that sender email has a valid domain
|
||||||
|
smtpd_sender_restrictions =
|
||||||
|
reject_unknown_sender_domain
|
||||||
|
|
||||||
|
# Delivering email policy
|
||||||
|
# MyNetwork is required by sogo
|
||||||
|
smtpd_recipient_restrictions =
|
||||||
|
permit_sasl_authenticated
|
||||||
|
permit_mynetworks
|
||||||
|
reject_unauth_destination
|
||||||
|
reject_rbl_client zen.spamhaus.org
|
||||||
|
reject_rhsbl_reverse_client dbl.spamhaus.org
|
||||||
|
reject_rhsbl_helo dbl.spamhaus.org
|
||||||
|
reject_rhsbl_sender dbl.spamhaus.org
|
||||||
|
|
||||||
|
# Sending email policy
|
||||||
|
# MyNetwork is required by sogo
|
||||||
|
smtpd_relay_restrictions =
|
||||||
|
permit_sasl_authenticated
|
||||||
|
permit_mynetworks
|
||||||
|
reject_unauth_destination
|
||||||
|
|
||||||
|
smtpd_data_restrictions = reject_unauth_pipelining
|
||||||
|
|
||||||
|
smtpd_client_connection_rate_limit = 2
|
||||||
|
|
||||||
|
#===
|
||||||
|
# Rate limiting
|
||||||
|
#===
|
||||||
|
slow_destination_recipient_limit = 20
|
||||||
|
slow_destination_concurrency_limit = 2
|
||||||
|
|
||||||
|
#====
|
||||||
|
# Transport configuration
|
||||||
|
#====
|
||||||
|
transport_maps = hash:/etc/postfix/transport
|
||||||
|
virtual_mailbox_domains = deuxfleurs.fr, dufour.io, dufour.tk
|
||||||
|
virtual_mailbox_maps = ldap:/etc/postfix/ldap-account.cf
|
||||||
|
#virtual_alias_domains = deuxfleurs.fr, dufour.io, dufour.tk
|
||||||
|
virtual_alias_maps = ldap:/etc/postfix/ldap-alias.cf
|
||||||
|
virtual_transport = lmtp:dovecot-lmtp.service.2.cluster.deuxfleurs.fr:24
|
||||||
|
#master_service_disable =
|
||||||
|
#tcp_windowsize = 1400
|
||||||
|
|
||||||
|
#===
|
||||||
|
# Mail filters
|
||||||
|
#===
|
||||||
|
milter_default_action = accept
|
||||||
|
milter_protocol = 6
|
||||||
|
smtpd_milters = inet:opendkim.service.2.cluster.deuxfleurs.fr:8999
|
||||||
|
non_smtpd_milters = inet:opendkim.service.2.cluster.deuxfleurs.fr:8999
|
114
consul/configuration/email/postfix/master.cf
Normal file
114
consul/configuration/email/postfix/master.cf
Normal file
|
@ -0,0 +1,114 @@
|
||||||
|
#
|
||||||
|
# Postfix master process configuration file. For details on the format
|
||||||
|
# of the file, see the master(5) manual page (command: "man 5 master").
|
||||||
|
#
|
||||||
|
# Do not forget to execute "postfix reload" after editing this file.
|
||||||
|
#
|
||||||
|
# ==========================================================================
|
||||||
|
# service type private unpriv chroot wakeup maxproc command + args
|
||||||
|
# (yes) (yes) (yes) (never) (100)
|
||||||
|
# ==========================================================================
|
||||||
|
smtp inet n - n - - smtpd
|
||||||
|
submission inet n - n - - smtpd
|
||||||
|
-o smtpd_tls_security_level=encrypt
|
||||||
|
-o smtpd_sasl_auth_enable=yes
|
||||||
|
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
|
||||||
|
-o milter_macro_daemon_name=ORIGINATING
|
||||||
|
smtps inet n - n - - smtpd
|
||||||
|
-o smtpd_tls_wrappermode=yes
|
||||||
|
-o smtpd_sasl_auth_enable=yes
|
||||||
|
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
|
||||||
|
-o milter_macro_daemon_name=ORIGINATING
|
||||||
|
slow unix - - n - 5 smtp
|
||||||
|
-o syslog_name=postfix-slow
|
||||||
|
-o smtp_destination_concurrency_limit=3
|
||||||
|
-o slow_destination_rate_delay=1
|
||||||
|
|
||||||
|
|
||||||
|
#628 inet n - - - - qmqpd
|
||||||
|
pickup fifo n - n 60 1 pickup
|
||||||
|
cleanup unix n - n - 0 cleanup
|
||||||
|
qmgr fifo n - n 300 1 qmgr
|
||||||
|
#qmgr fifo n - - 300 1 oqmgr
|
||||||
|
tlsmgr unix - - n 1000? 1 tlsmgr
|
||||||
|
rewrite unix - - n - - trivial-rewrite
|
||||||
|
bounce unix - - n - 0 bounce
|
||||||
|
defer unix - - n - 0 bounce
|
||||||
|
trace unix - - n - 0 bounce
|
||||||
|
verify unix - - n - 1 verify
|
||||||
|
flush unix n - n 1000? 0 flush
|
||||||
|
proxymap unix - - n - - proxymap
|
||||||
|
proxywrite unix - - n - 1 proxymap
|
||||||
|
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
|
||||||
|
smtp unix - - n - - smtp
|
||||||
|
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
|
||||||
|
relay unix - - n - - smtp
|
||||||
|
-o smtp_fallback_relay=
|
||||||
|
showq unix n - n - - showq
|
||||||
|
error unix - - n - - error
|
||||||
|
retry unix - - n - - error
|
||||||
|
discard unix - - n - - discard
|
||||||
|
local unix - n n - - local
|
||||||
|
virtual unix - n n - - virtual
|
||||||
|
lmtp unix - - n - - lmtp
|
||||||
|
anvil unix - - n - 1 anvil
|
||||||
|
#
|
||||||
|
# ====================================================================
|
||||||
|
# Interfaces to non-Postfix software. Be sure to examine the manual
|
||||||
|
# pages of the non-Postfix software to find out what options it wants.
|
||||||
|
#
|
||||||
|
# Many of the following services use the Postfix pipe(8) delivery
|
||||||
|
# agent. See the pipe(8) man page for information about ${recipient}
|
||||||
|
# and other message envelope options.
|
||||||
|
# ====================================================================
|
||||||
|
#
|
||||||
|
# maildrop. See the Postfix MAILDROP_README file for details.
|
||||||
|
# Also specify in main.cf: maildrop_destination_recipient_limit=1
|
||||||
|
#
|
||||||
|
scache unix - - n - 1 scache
|
||||||
|
maildrop unix - n n - - pipe
|
||||||
|
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
|
||||||
|
#
|
||||||
|
# ====================================================================
|
||||||
|
#
|
||||||
|
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
|
||||||
|
#
|
||||||
|
# Specify in cyrus.conf:
|
||||||
|
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
|
||||||
|
#
|
||||||
|
# Specify in main.cf one or more of the following:
|
||||||
|
# mailbox_transport = lmtp:inet:localhost
|
||||||
|
# virtual_transport = lmtp:inet:localhost
|
||||||
|
#
|
||||||
|
# ====================================================================
|
||||||
|
#
|
||||||
|
# Cyrus 2.1.5 (Amos Gouaux)
|
||||||
|
# Also specify in main.cf: cyrus_destination_recipient_limit=1
|
||||||
|
#
|
||||||
|
#cyrus unix - n n - - pipe
|
||||||
|
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
|
||||||
|
#
|
||||||
|
# ====================================================================
|
||||||
|
# Old example of delivery via Cyrus.
|
||||||
|
#
|
||||||
|
#old-cyrus unix - n n - - pipe
|
||||||
|
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
|
||||||
|
#
|
||||||
|
# ====================================================================
|
||||||
|
#
|
||||||
|
# See the Postfix UUCP_README file for configuration details.
|
||||||
|
#
|
||||||
|
uucp unix - n n - - pipe
|
||||||
|
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
|
||||||
|
#
|
||||||
|
# Other external delivery methods.
|
||||||
|
#
|
||||||
|
ifmail unix - n n - - pipe
|
||||||
|
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
|
||||||
|
bsmtp unix - n n - - pipe
|
||||||
|
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
|
||||||
|
scalemail-backend unix - n n - 2 pipe
|
||||||
|
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
|
||||||
|
mailman unix - n n - - pipe
|
||||||
|
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
|
||||||
|
${nexthop} ${user}
|
5
consul/configuration/email/postfix/transport
Normal file
5
consul/configuration/email/postfix/transport
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
#wanadoo.com slow:
|
||||||
|
#wanadoo.fr slow:
|
||||||
|
#orange.com slow:
|
||||||
|
#orange.fr slow:
|
||||||
|
#smtp.orange.fr slow:
|
BIN
consul/configuration/email/postfix/transport.db
Normal file
BIN
consul/configuration/email/postfix/transport.db
Normal file
Binary file not shown.
68
consul/configuration/email/sogo/sogo.conf.tpl
Normal file
68
consul/configuration/email/sogo/sogo.conf.tpl
Normal file
|
@ -0,0 +1,68 @@
|
||||||
|
{
|
||||||
|
WONoDetach = NO;
|
||||||
|
WOWorkersCount = 10;
|
||||||
|
WOPort = "127.0.0.1:20000";
|
||||||
|
SOGoProfileURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_user_profile";
|
||||||
|
OCSFolderInfoURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_folder_info";
|
||||||
|
OCSSessionsFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_sessions_folder";
|
||||||
|
OCSEMailAlarmsFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_alarms_folder";
|
||||||
|
OCSStoreURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_store";
|
||||||
|
OCSAclURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_acl";
|
||||||
|
OCSCacheFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_cache_folder";
|
||||||
|
SOGoTimeZone = "Europe/Paris";
|
||||||
|
SOGoMailDomain = "deuxfleurs.fr";
|
||||||
|
SOGoLanguage = French;
|
||||||
|
SOGoAppointmentSendEMailNotifications = YES;
|
||||||
|
SOGoEnablePublicAccess = YES;
|
||||||
|
SOGoMailingMechanism = smtp;
|
||||||
|
SOGoSMTPServer = postfix-smtp.service.2.cluster.deuxfleurs.fr;
|
||||||
|
SOGoSMTPAuthenticationType = PLAIN;
|
||||||
|
SOGoForceExternalLoginWithEmail = YES;
|
||||||
|
SOGoIMAPAclConformsToIMAPExt = YES;
|
||||||
|
SOGoTimeZone = UTC;
|
||||||
|
SOGoSentFolderName = Sent;
|
||||||
|
SOGoTrashFolderName = Trash;
|
||||||
|
SOGoDraftsFolderName = Drafts;
|
||||||
|
SOGoIMAPServer = "imaps://dovecot-imaps.service.2.cluster.deuxfleurs.fr:993/";
|
||||||
|
SOGoSieveServer = "sieve://sieve.service.2.cluster.deuxfleurs.fr:4190/?tls=YES";
|
||||||
|
SOGoIMAPAclConformsToIMAPExt = YES;
|
||||||
|
SOGoVacationEnabled = NO;
|
||||||
|
SOGoForwardEnabled = NO;
|
||||||
|
SOGoSieveScriptsEnabled = NO;
|
||||||
|
SOGoFirstDayOfWeek = 1;
|
||||||
|
SOGoRefreshViewCheck = every_5_minutes;
|
||||||
|
SOGoMailAuxiliaryUserAccountsEnabled = NO;
|
||||||
|
SOGoPasswordChangeEnabled = YES;
|
||||||
|
SOGoPageTitle = "deuxfleurs.fr";
|
||||||
|
SOGoLoginModule = Mail;
|
||||||
|
SOGoMailAddOutgoingAddresses = YES;
|
||||||
|
SOGoSelectedAddressBook = autobook;
|
||||||
|
SOGoMailAuxiliaryUserAccountsEnabled = YES;
|
||||||
|
SOGoCalendarEventsDefaultClassification = PRIVATE;
|
||||||
|
SOGoMailReplyPlacement = above;
|
||||||
|
SOGoMailSignaturePlacement = above;
|
||||||
|
SOGoMailComposeMessageType = html;
|
||||||
|
|
||||||
|
SOGoLDAPContactInfoAttribute = "displayname";
|
||||||
|
|
||||||
|
SOGoUserSources = (
|
||||||
|
{
|
||||||
|
type = ldap;
|
||||||
|
CNFieldName = displayname;
|
||||||
|
IDFieldName = cn;
|
||||||
|
UIDFieldName = cn;
|
||||||
|
MailFieldNames = (mail, mailForwardingAddress);
|
||||||
|
SearchFieldNames = (displayname, cn, sn, mail, telephoneNumber);
|
||||||
|
IMAPLoginFieldName = mail;
|
||||||
|
baseDN = "ou=users,dc=deuxfleurs,dc=fr";
|
||||||
|
bindDN = "{{ key "secrets/email/sogo/ldap_binddn" | trimSpace }}";
|
||||||
|
bindPassword = "{{ key "secrets/email/sogo/ldap_bindpw" | trimSpace}}";
|
||||||
|
bindFields = (cn, mail);
|
||||||
|
canAuthenticate = YES;
|
||||||
|
displayName = "Bottin";
|
||||||
|
hostname = "ldap://bottin.service.2.cluster.deuxfleurs.fr:389";
|
||||||
|
id = bottin;
|
||||||
|
isAddressBook = NO;
|
||||||
|
}
|
||||||
|
);
|
||||||
|
}
|
6
consul/configuration/mariadb/main/env.tpl
Normal file
6
consul/configuration/mariadb/main/env.tpl
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
LDAP_URI = "ldap://bottin.service.2.cluster.deuxfleurs.fr"
|
||||||
|
LDAP_BASE = "ou=users,dc=deuxfleurs,dc=fr"
|
||||||
|
LDAP_VERSION = 3
|
||||||
|
LDAP_BIND_DN = "{{ key "secrets/mariadb/main/ldap_binddn" | trimSpace }}"
|
||||||
|
LDAP_BIND_PW = "{{ key "secrets/mariadb/main/ldap_bindpwd" | trimSpace }}"
|
||||||
|
MYSQL_PASSWORD = "{{ key "secrets/mariadb/main/mysql_pwd" | trimSpace }}"
|
3
consul/configuration/postgres/keeper/env.tpl
Normal file
3
consul/configuration/postgres/keeper/env.tpl
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
PG_SU_PWD={{ key "secrets/postgres/keeper/pg_su_pwd" | trimSpace }}
|
||||||
|
PG_REPL_USER={{ key "secrets/postgres/keeper/pg_repl_username" | trimSpace }}
|
||||||
|
PG_REPL_PWD={{ key "secrets/postgres/keeper/pg_repl_pwd" | trimSpace }}
|
0
consul/configuration/seafile/ccnet/mykey.peer.sample
Normal file
0
consul/configuration/seafile/ccnet/mykey.peer.sample
Normal file
1
consul/configuration/seafile/ccnet/seafile.ini
Normal file
1
consul/configuration/seafile/ccnet/seafile.ini
Normal file
|
@ -0,0 +1 @@
|
||||||
|
/mnt/seafile-data/
|
29
consul/configuration/seafile/conf/ccnet.conf.sample
Normal file
29
consul/configuration/seafile/conf/ccnet.conf.sample
Normal file
|
@ -0,0 +1,29 @@
|
||||||
|
[General]
|
||||||
|
USER_NAME = deuxfleurs
|
||||||
|
ID = <to be defined>
|
||||||
|
NAME = deuxfleurs
|
||||||
|
SERVICE_URL = https://cloud.deuxfleurs.fr
|
||||||
|
|
||||||
|
[Network]
|
||||||
|
PORT = 10001
|
||||||
|
|
||||||
|
[Client]
|
||||||
|
PORT = 13418
|
||||||
|
|
||||||
|
[LDAP]
|
||||||
|
HOST = ldap://bottin.service.2.cluster.deuxfleurs.fr/
|
||||||
|
BASE = ou=users,dc=deuxfleurs,dc=fr
|
||||||
|
USER_DN = cn=<to be defined>,dc=deuxfleurs,dc=fr
|
||||||
|
FILTER = memberOf=CN=seafile,OU=groups,DC=deuxfleurs,DC=fr
|
||||||
|
PASSWORD = <to be defined>
|
||||||
|
LOGIN_ATTR = mail
|
||||||
|
|
||||||
|
[Database]
|
||||||
|
ENGINE = mysql
|
||||||
|
HOST = mariadb.service.2.cluster.deuxfleurs.fr
|
||||||
|
PORT = 3306
|
||||||
|
USER = seafile
|
||||||
|
PASSWD = <to be defined>
|
||||||
|
DB = ccnet-db
|
||||||
|
CONNECTION_CHARSET = utf8
|
||||||
|
|
0
consul/configuration/seafile/conf/mykey.peer.sample
Normal file
0
consul/configuration/seafile/conf/mykey.peer.sample
Normal file
5
consul/configuration/seafile/conf/seafdav.conf
Normal file
5
consul/configuration/seafile/conf/seafdav.conf
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
[WEBDAV]
|
||||||
|
enabled = true
|
||||||
|
port = 8084
|
||||||
|
fastcgi = false
|
||||||
|
share_name = /seafdav
|
19
consul/configuration/seafile/conf/seafile.conf.sample
Normal file
19
consul/configuration/seafile/conf/seafile.conf.sample
Normal file
|
@ -0,0 +1,19 @@
|
||||||
|
[network]
|
||||||
|
port = 12001
|
||||||
|
|
||||||
|
[fileserver]
|
||||||
|
port = 8082
|
||||||
|
max_upload_size=8192
|
||||||
|
max_download_dir_size=8192
|
||||||
|
|
||||||
|
[database]
|
||||||
|
type = mysql
|
||||||
|
host = mariadb.service.2.cluster.deuxfleurs.fr
|
||||||
|
port = 3306
|
||||||
|
user = seafile
|
||||||
|
password = <to be defined>
|
||||||
|
db_name = seafile-db
|
||||||
|
connection_charset = utf8
|
||||||
|
|
||||||
|
[quota]
|
||||||
|
default = 50
|
21
consul/configuration/seafile/conf/seahub_settings.py.sample
Normal file
21
consul/configuration/seafile/conf/seahub_settings.py.sample
Normal file
|
@ -0,0 +1,21 @@
|
||||||
|
SECRET_KEY = "8ep+sgi&s1-f2cq2178!ekk!0h0nw2y4z1-olbaopxmodsd8vk"
|
||||||
|
FILE_SERVER_ROOT = 'https://cloud.deuxfleurs.fr/seafhttp'
|
||||||
|
DATABASES = {
|
||||||
|
'default': {
|
||||||
|
'ENGINE': 'django.db.backends.mysql',
|
||||||
|
'NAME': 'seahub-db',
|
||||||
|
'USER': 'seafile',
|
||||||
|
'PASSWORD': '<to be defined>',
|
||||||
|
'HOST': 'mariadb.service.2.cluster.deuxfleurs.fr',
|
||||||
|
'PORT': '3306',
|
||||||
|
'OPTIONS': {
|
||||||
|
'init_command': 'SET storage_engine=INNODB',
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
FILE_PREVIEW_MAX_SIZE = 100 * 1024 * 1024
|
||||||
|
ENABLE_THUMBNAIL = True
|
||||||
|
THUMBNAIL_ROOT = '/mnt/seafile-data/thumbnail/thumb/'
|
||||||
|
THUMBNAIL_EXTENSION = 'png'
|
||||||
|
THUMBNAIL_DEFAULT_SIZE = '24'
|
||||||
|
PREVIEW_DEFAULT_SIZE = '300'
|
2
consul/configuration/traefik/cloudflare.env.sample
Normal file
2
consul/configuration/traefik/cloudflare.env.sample
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
CF_API_EMAIL = "<email>"
|
||||||
|
CF_API_KEY = "<token>"
|
53
consul/configuration/traefik/traefik.toml.sample
Normal file
53
consul/configuration/traefik/traefik.toml.sample
Normal file
|
@ -0,0 +1,53 @@
|
||||||
|
InsecureSkipVerify = true
|
||||||
|
defaultEntryPoints = ["http", "https"]
|
||||||
|
|
||||||
|
[entryPoints]
|
||||||
|
[entryPoints.admin]
|
||||||
|
address = ":8082"
|
||||||
|
[entryPoints.admin.auth.basic]
|
||||||
|
users = ["<username>:<hash>"]
|
||||||
|
|
||||||
|
[entryPoints.http]
|
||||||
|
address = ":80"
|
||||||
|
[entryPoints.http.redirect]
|
||||||
|
entryPoint = "https"
|
||||||
|
|
||||||
|
[entryPoints.https]
|
||||||
|
address = ":443"
|
||||||
|
compress = true
|
||||||
|
[entryPoints.https.tls]
|
||||||
|
|
||||||
|
[retry]
|
||||||
|
|
||||||
|
[acme]
|
||||||
|
email = "quentin@dufour.io"
|
||||||
|
storage = "traefik/acme/account"
|
||||||
|
entryPoint = "https"
|
||||||
|
onHostRule = true
|
||||||
|
|
||||||
|
[acme.dnsChallenge]
|
||||||
|
provider = "cloudflare"
|
||||||
|
delayBeforeCheck = 0
|
||||||
|
|
||||||
|
[acme.httpChallenge]
|
||||||
|
entryPoint = "http"
|
||||||
|
|
||||||
|
[[acme.domains]]
|
||||||
|
main = "deuxfleurs.fr"
|
||||||
|
|
||||||
|
[api]
|
||||||
|
entryPoint = "admin"
|
||||||
|
dashboard = true
|
||||||
|
|
||||||
|
[consul]
|
||||||
|
endpoint = "consul.service.2.cluster.deuxfleurs.fr:8500"
|
||||||
|
watch = true
|
||||||
|
prefix = "traefik"
|
||||||
|
|
||||||
|
[consulCatalog]
|
||||||
|
endpoint = "consul.service.2.cluster.deuxfleurs.fr:8500"
|
||||||
|
prefix = "traefik"
|
||||||
|
domain = "web.deuxfleurs.fr"
|
||||||
|
exposedByDefault = false
|
||||||
|
|
||||||
|
|
7
consul/restore_configuration.sh
Executable file
7
consul/restore_configuration.sh
Executable file
|
@ -0,0 +1,7 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
find {configuration,secrets} -type f \
|
||||||
|
| grep --perl-regexp --invert-match "\.sample$|\.gen$|/.gitignore$" \
|
||||||
|
| while read filename; do
|
||||||
|
consul kv put "${filename}" "@${filename}"
|
||||||
|
done
|
10
consul/secrets/.gitignore
vendored
Normal file
10
consul/secrets/.gitignore
vendored
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
# Blacklist everything cleverly
|
||||||
|
*
|
||||||
|
!*/
|
||||||
|
|
||||||
|
# Whitelist some patterns
|
||||||
|
!*.sample
|
||||||
|
!*.gen
|
||||||
|
!.gitignore
|
||||||
|
|
||||||
|
# Whitelist specific files
|
0
consul/secrets/chat/coturn/static-auth.sample
Normal file
0
consul/secrets/chat/coturn/static-auth.sample
Normal file
0
consul/secrets/chat/synapse/homeserver.tls.crt.sample
Normal file
0
consul/secrets/chat/synapse/homeserver.tls.crt.sample
Normal file
0
consul/secrets/chat/synapse/homeserver.tls.dh.sample
Normal file
0
consul/secrets/chat/synapse/homeserver.tls.dh.sample
Normal file
0
consul/secrets/chat/synapse/homeserver.tls.key.sample
Normal file
0
consul/secrets/chat/synapse/homeserver.tls.key.sample
Normal file
0
consul/secrets/chat/synapse/ldap_binddn.sample
Normal file
0
consul/secrets/chat/synapse/ldap_binddn.sample
Normal file
0
consul/secrets/chat/synapse/ldap_bindpw.sample
Normal file
0
consul/secrets/chat/synapse/ldap_bindpw.sample
Normal file
0
consul/secrets/chat/synapse/postgres_db.sample
Normal file
0
consul/secrets/chat/synapse/postgres_db.sample
Normal file
0
consul/secrets/chat/synapse/postgres_pwd.sample
Normal file
0
consul/secrets/chat/synapse/postgres_pwd.sample
Normal file
0
consul/secrets/chat/synapse/postgres_user.sample
Normal file
0
consul/secrets/chat/synapse/postgres_user.sample
Normal file
0
consul/secrets/email/sogo/ldap_binddn.sample
Normal file
0
consul/secrets/email/sogo/ldap_binddn.sample
Normal file
0
consul/secrets/email/sogo/ldap_bindpw.sample
Normal file
0
consul/secrets/email/sogo/ldap_bindpw.sample
Normal file
0
consul/secrets/email/sogo/postgre_auth.sample
Normal file
0
consul/secrets/email/sogo/postgre_auth.sample
Normal file
0
consul/secrets/mariadb/main/ldap_binddn.sample
Normal file
0
consul/secrets/mariadb/main/ldap_binddn.sample
Normal file
0
consul/secrets/mariadb/main/ldap_bindpwd.sample
Normal file
0
consul/secrets/mariadb/main/ldap_bindpwd.sample
Normal file
0
consul/secrets/mariadb/main/mysql_pwd.sample
Normal file
0
consul/secrets/mariadb/main/mysql_pwd.sample
Normal file
0
consul/secrets/postgres/keeper/pg_repl_pwd.sample
Normal file
0
consul/secrets/postgres/keeper/pg_repl_pwd.sample
Normal file
0
consul/secrets/postgres/keeper/pg_repl_username.sample
Normal file
0
consul/secrets/postgres/keeper/pg_repl_username.sample
Normal file
0
consul/secrets/postgres/keeper/pg_su_pwd.sample
Normal file
0
consul/secrets/postgres/keeper/pg_su_pwd.sample
Normal file
15
doc/create_database/README.md
Normal file
15
doc/create_database/README.md
Normal file
|
@ -0,0 +1,15 @@
|
||||||
|
```bash
|
||||||
|
ssh root@<one node of the cluster>
|
||||||
|
docker run -t -i superboum/amd64_postgres:v1
|
||||||
|
psql -h psql-proxy.service.2.cluster.deuxfleurs.fr -p 25432 -U postgres -W postgres
|
||||||
|
```
|
||||||
|
|
||||||
|
```sql
|
||||||
|
CREATE USER seafile;
|
||||||
|
CREATE DATABASE seafile ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER seafile;
|
||||||
|
-- GRANT ALL PRIVILEGES ON DATABASE seafile TO seafile;
|
||||||
|
```
|
||||||
|
|
||||||
|
```
|
||||||
|
consul kv import @ldapkv_seafile.json
|
||||||
|
```
|
31
doc/init_stolon/README.md
Normal file
31
doc/init_stolon/README.md
Normal file
|
@ -0,0 +1,31 @@
|
||||||
|
Spawn container:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
docker run -t -i superboum/arm32v7_postgres:v6
|
||||||
|
# OR
|
||||||
|
docker run -t -i superboum/amd64_postgres:v1
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
Init with:
|
||||||
|
|
||||||
|
```
|
||||||
|
stolonctl \
|
||||||
|
--cluster-name pissenlit \
|
||||||
|
--store-backend=consul \
|
||||||
|
--store-endpoints http://consul.service.2.cluster.deuxfleurs.fr:8500 \
|
||||||
|
init \
|
||||||
|
'{ "initMode": "new", "pgHBA": [ "host all postgres all md5", "host replication replicator all md5", "host all all all ldap ldapserver=bottin.service.2.cluster.deuxfleurs.fr ldapbasedn=\"ou=users,dc=deuxfleurs, dc=fr\" ldapbinddn=\"<bind_dn>\" ldapbindpasswd=\"<bind_pwd>\" ldapsearchattribute=\"cn\"" ] }'
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
Then set appropriate permission on host:
|
||||||
|
|
||||||
|
```
|
||||||
|
chown -R 102:102 /mnt/storage/postgres/
|
||||||
|
```
|
||||||
|
|
||||||
|
(102 is the id of the postgres user used in Docker)
|
||||||
|
It might be improved by staying with root, then chmoding in an entrypoint and finally switching to user 102 before executing user's command.
|
||||||
|
Moreover it would enable the usage of the user namespace that shift the UIDs.
|
||||||
|
|
0
docker/blog-quentin/.dockerenv
Executable file
0
docker/blog-quentin/.dockerenv
Executable file
16
docker/blog-quentin/Dockerfile
Normal file
16
docker/blog-quentin/Dockerfile
Normal file
|
@ -0,0 +1,16 @@
|
||||||
|
FROM amd64/debian:stretch as builder
|
||||||
|
|
||||||
|
COPY ./quentin.dufour.io/Gemfile /root/quentin.dufour.io/Gemfile
|
||||||
|
|
||||||
|
WORKDIR /root/quentin.dufour.io
|
||||||
|
|
||||||
|
RUN apt-get update && \
|
||||||
|
apt-get install -y ruby-dev gem build-essential bundler zlib1g-dev libxml2-dev && \
|
||||||
|
bundle install
|
||||||
|
|
||||||
|
COPY ./quentin.dufour.io/ /root/quentin.dufour.io/
|
||||||
|
RUN bundle exec jekyll build
|
||||||
|
|
||||||
|
FROM superboum/amd64_webserver:v2
|
||||||
|
COPY --from=builder /root/quentin.dufour.io/_site /srv/http
|
||||||
|
|
1
docker/blog-quentin/README.md
Normal file
1
docker/blog-quentin/README.md
Normal file
|
@ -0,0 +1 @@
|
||||||
|
sudo docker build -t superboum/amd64_blog:v18 .
|
8
docker/coturn/Dockerfile
Normal file
8
docker/coturn/Dockerfile
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
FROM amd64/debian:buster
|
||||||
|
|
||||||
|
RUN apt-get update && \
|
||||||
|
apt-get dist-upgrade -y && \
|
||||||
|
apt-get install -y \
|
||||||
|
coturn
|
||||||
|
|
||||||
|
CMD ["/usr/bin/turnserver"]
|
17
docker/coturn/README.md
Normal file
17
docker/coturn/README.md
Normal file
|
@ -0,0 +1,17 @@
|
||||||
|
|
||||||
|
## Génère l'image
|
||||||
|
```
|
||||||
|
sudo docker build -t registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1 .
|
||||||
|
```
|
||||||
|
|
||||||
|
## Run bash dans le container
|
||||||
|
```
|
||||||
|
sudo docker run --rm -t -i registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1 bash
|
||||||
|
sudo docker run --rm -t -i -p 3478:3478/udp -p 3479:3479/udp -p 3478:3478/tcp -p 3479:3479/tcp registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1
|
||||||
|
```
|
||||||
|
|
||||||
|
## Used ports
|
||||||
|
- udp/tcp 3478 3479
|
||||||
|
|
||||||
|
## Publish
|
||||||
|
sudo docker push registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1
|
1
docker/dovecot/.gitignore
vendored
Normal file
1
docker/dovecot/.gitignore
vendored
Normal file
|
@ -0,0 +1 @@
|
||||||
|
dovecot-ldap.conf
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue