Compare commits

..

399 commits

Author SHA1 Message Date
ab6db28ada add Adrien@Lille to ifconfig 2023-03-15 18:19:58 +01:00
46e29828b1 add missing iptables rules 2023-02-12 16:40:14 +01:00
a6742bcf53
fix io 2023-02-02 07:45:38 +01:00
653e170fb2
remove outdated info 2022-12-24 23:00:33 +01:00
b449e83870
Notice that repo is obsolete 2022-12-22 17:59:51 +01:00
b575b2b486
Remove all files from op_guide, now migrated to guide.deuxfleurs.fr 2022-12-22 17:46:19 +01:00
015c372532
Add allowed ipv6 prefix 2022-09-09 17:25:34 +02:00
ec597541c8
Fix create db doc 2022-08-25 02:02:40 +02:00
ed82071223
Upgrade Stolon doc 2022-08-24 17:09:40 +02:00
18610f9a9a
Add Quentin@Lyon (orion) to iptables v6 rules 2022-08-24 16:29:02 +02:00
11a2ffa89d
Upgrade Stolon to Posgtgres 14 2022-08-24 15:58:21 +02:00
ae91f66fac
Disable guichet on old cluster 2022-08-24 15:51:29 +02:00
145f3a8499
Matrix is so weird... 2022-08-19 18:27:43 +02:00
638f775742
Hot fix 2022-08-19 18:01:19 +02:00
38a0feffe0
Add zorun 2022-08-18 22:31:34 +02:00
1e003461bd
Add the net target to io 2022-08-17 12:26:23 +02:00
2e872eb87f
Update max@bruxelles IP addresses 2022-08-17 11:50:48 +02:00
ef265b87de
Update doc 2022-07-28 17:34:49 +02:00
64172fc999
update runners' doc 2022-07-25 15:20:21 +02:00
ceae80d87c
Use Tricot certificates instead of self-signed ones 2022-07-06 13:16:50 +02:00
0e81c9f23b
Upgrade Matrix 2022-07-01 14:17:33 +02:00
39e3ecce64
Upgrade Synapse + Element Web 2022-07-01 13:59:50 +02:00
51482e16e4
Drop allow unsafe locale 2022-06-06 10:52:18 +02:00
6c31560c7b
Forced to allow unsafe local 2022-06-06 09:08:51 +02:00
72b41408ef
Upgrade synapse+element web in Nomad 2022-06-06 09:03:51 +02:00
7dd2aeb63b
Upgrade matrix+riot 2022-06-06 08:42:57 +02:00
a17640d606
update bottin config 2022-06-01 12:41:38 +02:00
241dd1e175
Drone update 2022-05-31 11:53:42 +02:00
d712c08dbc
Update the doc 2022-05-10 15:42:41 +02:00
415075b010
Garage v0.7.1 2022-05-09 16:25:15 +02:00
2021b7d08c
New ipv6 prefix for lx@orsay 2022-05-09 00:10:21 +02:00
99a4f51166
Simplify the build 2022-05-06 10:49:28 +02:00
653e45f192
Packaging try on Cryptpad 2022-05-06 10:32:41 +02:00
f0ead6efed
WIP Cryptpad packaging 2022-05-05 17:45:15 +02:00
f27636dd14
Add headers in Garage 2022-05-05 08:50:33 +02:00
d7164c7d90
remove obsolete admin_port 2022-05-04 17:33:43 +02:00
5b861cd652
Remove unused Traefik config 2022-05-04 17:28:39 +02:00
79d68c4aa3
Update tricot 2022-05-04 17:27:54 +02:00
4cb1dbe663
Add a security HTTPS header to Garage web 2022-05-04 09:20:07 +02:00
d21c010da1
Set plume log verbosity to info 2022-04-24 13:45:32 +02:00
60ad398c44
Upgrade Plume + debug info 2022-04-23 22:04:14 +02:00
2695a79e8a
Add garage backup info 2022-04-23 13:27:52 +02:00
1e9a538be9
add concrete examples 2022-04-19 14:41:03 +02:00
c69923f104
Add missing doc 2022-04-19 14:38:29 +02:00
d62f87fa71
Update guide 2022-04-19 14:32:44 +02:00
501fbb5553
Add doc for secrets 2022-04-19 13:46:12 +02:00
b2b26879cb replace os.system with subprocess.run 2022-04-15 14:57:54 +02:00
83745f737a Deployment on Nomad 2022-04-15 14:24:41 +02:00
8cf1b0c3e4 Build image via Nix 2022-04-15 12:36:49 +02:00
9701b863fd Create a backup script 2022-04-14 17:50:17 +02:00
1183583fdf
make adrien admin 2022-04-06 12:17:15 +02:00
1e5e4af35c Ajout de Publii dans le postmortem 2022-03-30 10:04:54 +02:00
ce36e7e09b Ajout coupure élec + SSD lent 2022-03-28 11:59:37 +02:00
68607d567c Ajout de matrix 2022-03-28 11:55:25 +02:00
b5137f6665 Ajout de GlusterFS 2022-03-28 11:51:49 +02:00
3f73721ad5
documentation de petits incidents techniques plus ou moins évitables 2022-03-28 11:43:47 +02:00
0e6aa95754
Update Garage to 0.7.0-rc1 2022-03-28 10:59:24 +02:00
306974a163 Change Plume restart policy 2022-03-18 11:37:14 +01:00
9883d85c2a Small postfix modifications 2022-03-14 10:02:22 +01:00
a1c6c33d73 Maintenance du 2022-03-09 2022-03-09 16:54:19 +01:00
1322dae8da Upgrade Matrix 2022-03-09 11:52:36 +01:00
e7329a0202 Add zstd 2022-03-09 11:32:43 +01:00
b359601d2d Documentation for Drone 2022-03-07 11:02:37 +01:00
8ce62ddca1
Close drone registrations 2022-02-21 14:54:42 +01:00
0b16fd1c08
Update Garage and change a few config parameters 2022-02-10 14:34:18 +01:00
41e1a31bb9
fix typo 2022-02-09 16:06:23 +01:00
1410f2f8d8
Add LX@Orsay to trusted net 2022-02-09 15:53:45 +01:00
f74651a0c3
Upgrade garage to 0.6 RC1 2022-02-01 15:33:33 +01:00
5ecab67379 Use a list to organize ref 2022-01-28 19:14:39 +01:00
f3dbf47547 Ajout de pg_verifybackup 2022-01-28 19:11:58 +01:00
37bea48d45 Finalize manual backup 2022-01-28 18:44:07 +01:00
89937f2107 Update guide 2022-01-28 17:00:50 +01:00
2775eeb0fe WIP manual backup 2022-01-27 18:26:02 +01:00
715c3d3a9f Use ampersand in backup instead of semi colon 2022-01-27 16:58:22 +01:00
84b26f347d Add consul backup with restic 2022-01-27 16:56:02 +01:00
3baa511fce Plume backup + WIP consul 2022-01-27 16:32:57 +01:00
00d7106a18 Redeploy plume 2022-01-27 13:31:25 +01:00
831ddd3055 Some fixes 2022-01-27 09:57:49 +01:00
a13a02c45c Add a backup script for emails 2022-01-26 21:48:48 +01:00
453b633268 Update guide 2022-01-26 19:31:44 +01:00
a68a1e1da7 Migrate jitsi + WIP backup doc 2022-01-26 19:09:26 +01:00
3563fb5994 Change how email is stored 2022-01-26 17:20:20 +01:00
7cede37e6d Mises à jour du cluster 2022-01-25 12:12:58 +01:00
f229d58467
Update tricot and increase RAM allocation 2022-01-11 15:07:33 +01:00
87986ff3cf
Move out .hcl files specific to Neptune cluster 2021-12-25 19:40:30 +01:00
85eb4d5b82
Revert garage to 0.5.0 temporarily to fix winscp bug 2021-12-15 11:18:04 +01:00
59ce079a52
Update tricot 2021-12-14 11:43:18 +01:00
582882286e
latest s3 provider version is required 2021-12-14 11:19:09 +01:00
fa75e0012c
Also upgrade async upload 2021-12-14 11:12:40 +01:00
e9ba2243e7
Update Matrix 2021-12-14 11:05:41 +01:00
3df786a5f5
Don't use ipv6 in garage staging cluster 2021-12-13 11:44:27 +01:00
50a09980c5 Update jitsi's nomad service 2021-12-12 13:21:49 +01:00
f73d8dab93 log4shell mitigation 2021-12-12 13:03:45 +01:00
c00f0fefe7 Update bagage 2021-12-12 12:49:48 +01:00
2fc9276be2
fixed tricot with compression now 2021-12-10 00:26:51 +01:00
c6819c8d4a
Revert for now 2021-12-09 16:52:16 +01:00
d64fe28143
upgrade tricot to enable compression 2021-12-09 16:14:17 +01:00
783894b60d
Tricot 19 2021-12-09 12:24:18 +01:00
854da5b984
Different tricot config for neptune dc 2021-12-09 11:04:56 +01:00
8d178815d6
Only one frontend 2021-12-09 10:51:58 +01:00
2d2e7bb5c6
fix tricot 2021-12-08 23:48:08 +01:00
ea55c9b12b
synapse on dummy infrastructure for tricot test 2021-12-08 18:05:17 +01:00
3693d9f36b
Traefik on all servers 2021-12-08 13:32:47 +01:00
a4982c6cd6
last tricot version 2021-12-08 13:28:22 +01:00
7f08d5f324
Add tricot tags to everything 2021-12-08 12:42:48 +01:00
2c2ee6c903
Rename tricot+traefik to frontend 2021-12-08 12:21:50 +01:00
3297135a58
Add tricot to replace traefik 2021-12-08 12:19:08 +01:00
8846421cc4
Deploy core on neptune as well 2021-12-08 11:41:07 +01:00
fff6f1db20
garage with new s3_router 2021-12-06 22:10:26 +01:00
ef2fa848f1
single region staging cluster 2021-12-04 21:56:15 +01:00
4cc6a0182c
Bump synapse to 1.47.1 to fix CVE 2021-11-23 13:48:12 +01:00
7113a3ae56 Add secrets 2021-11-20 14:58:09 +01:00
5df7058c84 Working SFTP deployment of Garage 2021-11-20 14:56:56 +01:00
9ce6c7ad6e
Add config files for garage staging cluster 2021-11-18 17:14:30 +01:00
0268f63f66
Upgrade garage to 0.5 2021-11-17 16:42:13 +01:00
948a916c2f
Add missing options for discord bridge 2021-11-16 12:57:15 +01:00
289359cedc
Prepare to add Discord bridge 2021-11-16 12:05:28 +01:00
627c89b545
make config file clearer 2021-11-15 23:05:01 +01:00
e20b903bc0
Add matterbridge to bridge RFID channel 2021-11-15 17:53:59 +01:00
489cc492d5
Deploy garage v0.4.0 2021-11-10 14:19:23 +01:00
779aea8f11 Merge pull request 'ajout machine Spoutnik, lien vers cluster de test dans readme' (#55) from machine/spoutnik into main
Reviewed-on: Deuxfleurs/infrastructure#55
2021-11-06 19:41:59 +01:00
76d160f9af ajout machine Spoutnik, lien vers cluster de test dans readme 2021-11-06 19:39:06 +01:00
f362d57965
Update garage to v0.4-rc2 2021-11-05 11:41:16 +01:00
2734f79c0d
Updated Garage version that eats less RAM under load 2021-11-04 10:55:37 +01:00
b8420756b4
Updated garage definition 2021-11-02 13:48:00 +01:00
6c90a00f04 Merge pull request 'Migration to garage 0.4' (#53) from garage04 into main
Reviewed-on: Deuxfleurs/infrastructure#53
2021-10-26 16:17:59 +02:00
7fc001a92f
Migration to garage 0.4 2021-10-26 16:14:29 +02:00
c51b654dd6
Add a docker compose for runners 2021-10-19 12:55:51 +02:00
6093ec74f2
Drone 2.0.4 -> 2.4.0 2021-10-12 10:21:18 +02:00
7ee2f8aa2c
Update garage (ListObjects fix) 2021-10-11 13:48:00 +02:00
83bd5f2cdd Increase RAM for Plume 2021-09-30 22:23:17 +02:00
6d4be5fb83 Migrate to riot web 1.9.0 2021-09-28 22:17:24 +02:00
e8474d52a2
Alps build: add missing plugin directory for html and js files 2021-09-28 17:53:49 +02:00
1f15cfa420 Update io parameters 2021-09-28 17:26:27 +02:00
5b1f775513 Change IP address 2021-09-28 16:51:58 +02:00
39f1e983bf Merge pull request 'os/users: Add kokakiwi (jill) user and keys' (#52) from KokaKiwi/infrastructure:add-jill-keys into main
Reviewed-on: Deuxfleurs/infrastructure#52
2021-09-28 16:50:37 +02:00
bebd6eaab6
os/users: Add kokakiwi (jill) user and keys
Signed-off-by: Jill <kokakiwi@deuxfleurs.fr>
2021-09-28 15:36:59 +02:00
88a7c04cee
media-async-upload must be in the matrix group
note: the group stanza is not mandatory
2021-09-20 09:52:13 +02:00
136d176176
Synapse does not use GlusterFS anymore 2021-09-17 18:49:45 +02:00
2a0610658d Upgrade synapse+riot web 2021-09-17 18:24:00 +02:00
6db8495bbf
Remove fb2nx that never worked 2021-09-17 17:42:16 +02:00
4ea2494bd5
Update bottin 2021-09-17 17:41:57 +02:00
acd46fde80
Remove connection limit dovecot 2021-09-14 17:46:06 +02:00
6716687fd7
Finally fix dovecot 2021-09-14 14:02:50 +02:00
a2a25e2ea4
Use cn instead of mail to store emails 2021-09-14 11:33:29 +02:00
e74bda617c
Merge branch 'main' of git.deuxfleurs.fr:Deuxfleurs/infrastructure 2021-09-10 18:33:07 +02:00
2dfd006dc5
Upgrade bagage and fix mem leak 2021-09-10 18:32:50 +02:00
9c4f78619d
Update guichet config: remove useless default groups nextcloud and seafile 2021-09-10 15:32:17 +02:00
8fe0a78b0c
Upgrade Bagage 2021-09-03 11:02:22 +02:00
e66b1c2c54
Upgrade Plume 2021-09-02 15:35:59 +02:00
d40c41004d Add bagage deployment 2021-08-20 17:39:07 +02:00
09269e8497 Merge pull request 'bump diplonat version 2->3' (#39) from bump-diplonat into main
Reviewed-on: Deuxfleurs/infrastructure#39
2021-08-19 11:43:28 +02:00
e26f57c8eb bump diplonat version 2->3 2021-08-19 11:33:36 +02:00
d25f4d18aa
update guichet 2021-08-18 14:17:31 +02:00
b8470be123
Update guichet 2021-08-16 16:45:04 +02:00
9d5b490fd9
add restart with mode "delay" stance to diplonat 2021-07-26 22:58:51 +02:00
9304997d84
Upgrade guichet & postgres 2021-07-22 11:03:36 +02:00
2f37aaaf76
update drone server to 2.0.4 2021-07-08 11:12:05 +02:00
69f063e406
Update garage to handle ed25519 keys for TLS 2021-07-08 11:07:45 +02:00
8302595f65
Merge branch 'main' of git.deuxfleurs.fr:Deuxfleurs/infrastructure 2021-07-02 17:07:19 +02:00
4fdc4a5144
Add pv for psql + upgrade postgres to 13.3 2021-07-02 17:06:58 +02:00
2b39a896a7 Postgres can not be run as root 2021-07-02 14:45:59 +02:00
e97496e09d fix entrypoint 2021-07-02 14:16:33 +02:00
2670c8f8f1 libc is needed fos stolon 2021-07-02 14:08:22 +02:00
0a6ffcacd2 Merge branch 'main' of git.deuxfleurs.fr:Deuxfleurs/infrastructure into main 2021-07-02 13:11:29 +02:00
2d61f1449d Upgrade postgresql 2021-07-02 13:10:49 +02:00
80c2f1f701
Merge branch 'main' of git.deuxfleurs.fr:Deuxfleurs/infrastructure 2021-07-01 23:49:08 +02:00
e640f82eb8
Add 500Mo x3 more RAM to postgres and 2Go less RAM to Matrix 2021-07-01 23:48:11 +02:00
455e4db784
update guichet 2021-07-01 16:30:21 +02:00
576ac2772e
Update config to add more time to pull images 2021-07-01 15:53:41 +02:00
1277d94bec
Remove easybridge + increase nomad docker timeout when pulling images 2021-07-01 15:36:54 +02:00
b9f0f012bd
Update synapse configuration 2021-07-01 14:25:04 +02:00
4b68522721
Add locales 2021-07-01 14:23:33 +02:00
3c8cd4ca1c
Deactivate guests + expose _synapse api 2021-06-30 16:24:03 +02:00
784efbcc9b
Add a restart policy 2021-06-30 12:57:13 +02:00
2d30e1a9c7
Log to journald 2021-06-29 13:57:01 +02:00
42c020e00b
Fix typo 2021-06-04 21:39:44 +02:00
7e82b0d94d Add git 2021-06-04 21:32:45 +02:00
efcdef7856
Matrix 1.35.1 + S3 backend 2021-06-04 19:48:50 +02:00
62fa15390b
Update easybridge 2021-06-01 23:44:57 +02:00
a26d41259a
Update garage to v0.3.0 2021-05-28 15:55:52 +02:00
73d30b9aa5
Disable syslog as it is not present in the container 2021-05-19 09:44:36 +02:00
8c213bc7ba
Update garage 2021-05-19 09:44:17 +02:00
1edc5f37a2
Upgrade Matrix configuration 2021-05-19 09:43:45 +02:00
4f506422e3 Upgrade matrix 2021-05-18 15:26:41 +02:00
3bb2cf9e93 Allow only cipher suites recommended by Mozilla
Check https://ssl-config.mozilla.org/#server=traefik&version=1.7&config=intermediate&guideline=5.6
2021-05-07 20:01:31 +02:00
1f15d29eab
Update garage to v0.2.1.6 2021-05-04 13:28:04 +02:00
6754cfef81 Merge branch 'main' of git.deuxfleurs.fr:Deuxfleurs/infrastructure into main 2021-05-03 19:10:16 +02:00
3df53eaa94 Upgrade plume build scripts 2021-05-03 19:09:50 +02:00
51b5295ba8 Allow Garage to use 800MB of RAM instead of 500MB 2021-05-03 17:27:06 +02:00
925639b678
update garage 2021-04-28 01:16:35 +02:00
68575d2654
Migrate from Plume from v0.6.0 to v0.7.0RC 2021-04-19 10:50:38 +02:00
338a8ec7da
Try to migrate to pg_basebackup 2021-04-17 12:21:13 +02:00
3135c38505
Upgrade stolon 2021-04-15 13:05:21 +02:00
87303033d1
Debug stolon backup 2021-04-15 12:38:31 +02:00
9dfff86cd2
Target a replicated server and not the main one 2021-04-14 19:10:46 +02:00
b851ca0c95
Update matrix HCL + document stolon conf change 2021-04-14 18:15:45 +02:00
fae36c7ef6 Upgrade synapse+riot images 2021-04-09 14:11:26 +02:00
4ecda8cc8d
Updated version of Drone 2021-04-07 14:06:02 +02:00
2ef1a9df5d
Update garage 2021-04-05 20:48:33 +02:00
1df83c6064
Add iptables rules allowing new IPv6 2021-04-05 18:28:45 +02:00
0b4c61dfe1 Try to optimize Consul 2021-04-04 20:04:25 +02:00
e979434970 Fix Jitsi's IP address 2021-04-04 19:15:29 +02:00
474c4575f4 Rename postgres 2021-04-01 19:04:50 +02:00
5126868e30 update garage to v0.2.1 2021-03-19 14:00:48 +01:00
4ad6376aa8 Document how to repair Traefik/ACME 2021-03-18 10:17:05 +01:00
e197429531 Update bottin; remove drone runner 2021-03-16 14:59:10 +01:00
mricher
d67a6c363a
Set prometheus node_exporter version to v1.1.2 2021-03-09 00:15:55 +01:00
573a86b87c Change resource allocation 2021-03-08 23:01:11 +01:00
c586633613 Add node-exporter for metrics collection 2021-03-08 22:55:55 +01:00
e806e24fea Add SSL certificates in ALPS image 2021-03-08 17:49:22 +01:00
a84f4c8f87 Use patched Alps from git.deuxfleurs.fr/Deuxfleurs/alps 2021-03-08 17:32:05 +01:00
b42e42faaa Improve resource allocation 2021-03-08 16:34:41 +01:00
d6bdfbed5f Expose prometheus metrics on Consul 2021-03-07 21:36:27 +01:00
255e3fd2d7 Debug stolon proxy 2021-03-07 18:29:56 +01:00
eb3f64df41 Merge branch 'master' of git.deuxfleurs.fr:Deuxfleurs/infrastructure 2021-03-07 17:07:52 +01:00
35ddbd9f20 Upgrade Stolon 2021-03-07 17:07:35 +01:00
4f296808e8 Refactor stolon Dockerfile 2021-03-07 12:54:03 +01:00
4d7470b2fd Draft stolon update 2021-03-07 12:18:08 +01:00
b608567648 Add a new parameter to stolon 2021-03-07 11:43:46 +01:00
a69efd9b31 Add gzip compression 2021-03-06 21:43:55 +01:00
96f2978a7f Change target image 2021-03-06 20:09:16 +01:00
224c0a23a3 Increment image 2021-03-06 20:08:17 +01:00
c0d86cb0a1 Mount backup directory + export PGPASSWORD 2021-03-06 20:06:57 +01:00
d1a4ed0f79 Matrix backup draft 2021-03-06 19:52:13 +01:00
27963ca089 Upgraded matrix/element to 1.28.0/1.7.22 2021-03-05 17:44:05 +01:00
1c5b1f2e5b Upgrade matrix image 2021-03-05 17:40:40 +01:00
fada3f6ed1 Don't always restart stolon keeper if it is failed (let stolon do its job) 2021-02-24 14:54:18 +01:00
987cefeba0 bump garage 2021-02-24 14:54:10 +01:00
71971143c4 Fix drone DB (why did it work before???) 2021-02-24 14:53:58 +01:00
89133ddbea Change l'adresse d'expéditeur pour les invites 2021-02-18 14:02:18 +01:00
59623243c8 Deactivate test endpoint 2021-02-11 11:57:23 +01:00
2958fbae1b Port nginx's configuration from integration to deployment 2021-02-11 11:56:30 +01:00
c2d3c543b9 Jitsi add missing mimetypes 2021-02-11 11:54:06 +01:00
9c2232cebc Add Drone CI 2021-02-08 14:52:13 +01:00
9c060b3c28 Add tools 2021-02-01 19:56:16 +01:00
b6b812c011 Upgrade jitsi nginx conf to make ADRN happy! 2021-02-01 18:19:43 +01:00
5fb05f0b7e Add CORS for our load testing frontend 2021-02-01 12:42:29 +01:00
5babe6fad1 Fix port binding 2021-02-01 11:22:16 +01:00
34c5544ef5 Fix prosody listening 2021-02-01 11:06:45 +01:00
847540f7b7 Add trimSpace to secrets to prevent a parsing bug 2021-02-01 10:29:13 +01:00
9337129336 Fix typos in the service file 2021-02-01 10:26:26 +01:00
088c9df20c Prepare Nomad deployment 2021-02-01 09:50:38 +01:00
0a87d26e47 Polish configuration 2021-02-01 08:40:59 +01:00
cb69a1123c Stabilize build scripts 2021-02-01 07:48:50 +01:00
c2960f75b7 Add curl to the dockerfile 2021-01-31 18:17:37 +01:00
56cf9c1e55 Videobridge doc + debug 2021-01-31 18:03:55 +01:00
a3f62d1f30 Overide logging + some doc to debug java processes 2021-01-31 15:47:01 +01:00
09e1e641a7 Working on meet frontend 2021-01-30 12:06:14 +01:00
9ea066d6df Only old configuration can be used for ice4 harvester 2021-01-29 19:22:16 +01:00
59ca97e2a9 Migrate JVB to the new packaging 2021-01-29 18:59:19 +01:00
83d8668a59 Jicofo might work as intended! 2021-01-29 17:47:09 +01:00
952d7c0510 Improve jitsi config 2021-01-29 17:30:43 +01:00
7bdea77811 WIP debugging jitsi 2021-01-29 17:17:28 +01:00
cee95ad061 Merge pull request 'Upgrade Synapse & Element-web, réécriture de l'OP guide, et ajout du secret turn.zinz.dev' (#33) from adrien/infrastructure:master into master
Reviewed-on: Deuxfleurs/infrastructure#33
2021-01-29 15:53:37 +01:00
LUXEY Adrien
24dcc09695 Upgraded Synapse and Element-web on cluster's nomad, and the OP guide 2021-01-29 12:11:43 +01:00
LUXEY Adrien
d286da23d8 pushed Synapse and Element-web to latest version, and rewrote the OP guide a bit 2021-01-29 11:53:03 +01:00
LUXEY Adrien
9a263b762b Merge branch 'master' of git.deuxfleurs.fr:Deuxfleurs/infrastructure 2021-01-29 10:57:42 +01:00
LUXEY Adrien
8f0cb24246 added zinz.dev static auth secret declaration 2021-01-29 10:56:42 +01:00
982efd1b49 Still so broken... 2021-01-28 23:02:37 +01:00
5b53cf1673 Trying to switch on a development version 2021-01-28 21:47:35 +01:00
47bcdaaf0d Rework prosody's configuration 2021-01-28 21:05:10 +01:00
0e848bb2d0 Polished prosody 2021-01-28 19:28:15 +01:00
4809e27220 WIP integration jitsi 2021-01-28 18:55:56 +01:00
7b57ff72a9 Simplify prosody too 2021-01-28 17:52:41 +01:00
ebb772e5ba Fix ansible inventory + Fix jicofo's hocon conf + fix jicofo's dockerfile 2021-01-28 17:02:10 +01:00
07765e8456 Add resources 2021-01-21 10:11:43 +01:00
6adb551db4 More info in README 2021-01-20 16:02:58 +01:00
3e7dc8b49d Fix conf links 2021-01-20 15:54:17 +01:00
031f31e91e WIP modernize jitsi conf 2021-01-20 15:44:42 +01:00
5dfca7a713 fix naming 2021-01-20 12:53:23 +01:00
bd9c854a12 change port due to a strange bug 2021-01-20 11:35:54 +01:00
d3a3867180 Public IP changed 2021-01-20 10:51:25 +01:00
b879be2156 Enrichir le postmortem 2021-01-20 10:49:29 +01:00
46dce5d917 fix indent postmortem 2021-01-20 10:34:53 +01:00
6b91db048d Ajout du postmortem 2021-01-20 10:34:16 +01:00
8eaa7914d0 Merge branch 'master' of git.deuxfleurs.fr:Deuxfleurs/infrastructure 2021-01-20 10:21:42 +01:00
2a0e9720b7 React to Free changing my IP address 2021-01-20 10:21:18 +01:00
2e25e150d4 Merge pull request 'secretmgr retourne une erreur bien formatée face à un fichier vide' (#32) from adrien/infrastructure:master into master
Reviewed-on: Deuxfleurs/infrastructure#32
2021-01-19 18:48:31 +01:00
a2eec38de4 Add a few missing secrets 2021-01-19 18:02:00 +01:00
1c814f002a Add CMD_ONCE secret type and fill in/change secret definitions 2021-01-19 17:53:53 +01:00
9560f80852 mention secretmgr.py in create_database 2021-01-19 17:29:37 +01:00
a847a9683f Cleanup op_guide folder 2021-01-19 17:27:32 +01:00
LUXEY Adrien
6e1940061a coturn retourne une erreur bien formatée face à un fichier vide (il pourrait renvoyer autre chose), plus bug nom de variable 2021-01-19 17:16:58 +01:00
af2b8b06ba Merge pull request 'master' (#30) from adrien/infrastructure:master into master
Reviewed-on: Deuxfleurs/infrastructure#30
2021-01-19 15:49:11 +01:00
LUXEY Adrien
98280c8628 updated READMEs 2021-01-19 15:21:23 +01:00
LUXEY Adrien
2a346f5430 coquille 2021-01-19 14:40:14 +01:00
LUXEY Adrien
65421d947e merge from upstream 2021-01-19 14:33:44 +01:00
eb925049ac Remove web_static 2021-01-19 13:47:50 +01:00
0be20b22a6 Upgrade garage description 2021-01-18 16:51:06 +01:00
7e637a070c Add guichet in our readme
Signed-off-by: Quentin Dufour <quentin@deuxfleurs.fr>
2021-01-18 16:49:46 +01:00
2c2efdc276 Merge branch 'master' of git.deuxfleurs.fr:Deuxfleurs/infrastructure 2021-01-18 16:46:21 +01:00
6c8c861dd5 Update README 2021-01-18 16:46:08 +01:00
ad6017eea0 Merge pull request 'Reorganize app/ and add script for secret management' (#29) from test_reorganize into master
Reviewed-on: Deuxfleurs/infrastructure#29
2021-01-18 08:18:21 +01:00
c642370def Add hierarchy to the README 2021-01-18 08:08:48 +01:00
cffd902815 Add some documentation + add a requirements file 2021-01-18 08:06:19 +01:00
79b7273ff2 Remove my blog 2021-01-18 06:51:19 +01:00
850ccbf1c7 secretmgr.py does quite a few things! 2021-01-16 20:03:00 +01:00
d4d0b100ad Document secrets and add stub utility to manage them 2021-01-16 17:37:34 +01:00
c74dc92feb Proposal: reorganize app/ folder by modules 2021-01-16 17:07:01 +01:00
0c4ee40e01 Update garage 2021-01-16 16:21:25 +01:00
a6b23f5713 upgrade garage to 0.1.1 2021-01-15 19:34:33 +01:00
52c141e5fc Update Riot+Matrix 2021-01-13 19:17:28 +01:00
464b990e19 Upgrade jitsi 2021-01-13 14:42:14 +01:00
969ee58b7d WIP nextcloud tests 2021-01-07 21:37:29 +01:00
4456fb56c1 Upgrade nomad+consul 2021-01-07 21:36:47 +01:00
ba3d84a1de Upgrade plume 2021-01-07 11:09:29 +01:00
LUXEY Adrien
a5a56b6f70 wrote a redirection to deuxfleurs.fr in Treafik config's comments 2020-12-28 12:04:08 +01:00
7508a10a71 WIP redirect regex 2020-12-28 11:55:29 +01:00
c4c4d6f8a6 Fix URL 2020-12-28 11:05:05 +01:00
fc518df1c1 Migrate Traefik 2020-12-28 11:02:33 +01:00
a2f8e11d06 Migrate plume+diagnet+web_static 2020-12-28 10:49:09 +01:00
48db0185a4 Migrate postgres 2020-12-25 12:16:18 +01:00
4f23adfbb9 Migrated plume 2020-12-25 11:48:52 +01:00
1624b348df Migrate platoo 2020-12-25 11:21:41 +01:00
8625a9af75 Upgrade seafile + discard unused services 2020-12-25 11:16:11 +01:00
f75497af11 Fix service addressing 2020-12-24 10:01:42 +01:00
6913655316 We do not use pithos 2020-12-23 19:42:30 +01:00
80dc6ec803 Migrate jitsi 2020-12-23 15:55:17 +01:00
9117616f02 Migrate Synapse + Email hack
Nomad seemed to dislike the 'auth_port' label, replaced by 'zauthentication_port'
2020-12-22 18:24:33 +01:00
b29028405d Migrate Garage 2020-12-22 17:48:27 +01:00
9f6f0fb53c Migrate Nomad job for emails 2020-12-22 16:40:36 +01:00
a2adaa2101 Migrate directory to new Nomad syntax 2020-12-22 14:52:49 +01:00
bb5a82b056 Fix seafile 2020-12-22 14:40:04 +01:00
e628dc44ba Migrate seafile 2020-12-22 14:31:42 +01:00
846449b238 Migrate Nextcloud to Nomad 1.0.1 2020-12-22 10:46:26 +01:00
b6ccf06d8a Set priorities 2020-12-18 10:32:44 +01:00
685bc45802 Activate pg_rewind on stolon 2020-12-18 10:23:45 +01:00
55f93cc5ad First step to integrate io to the cluster 2020-12-16 19:14:45 +01:00
41e33f40ad Merge pull request 'Add traefik v1 prometheus metrics configuration' (#27) from feature/enable-traefik-metrics into master
Reviewed-on: Deuxfleurs/infrastructure#27
2020-12-14 17:08:34 +01:00
mricher
94ee5d3e5c
Remove traefik v2 options and fix endpoint to admin 2020-12-14 17:07:44 +01:00
mricher
91ffdc732c
Add traefik v1 prometheus metrics configuration 2020-12-14 00:19:01 +01:00
3ff113ceab Merge pull request 'Upgraded to Synapse v1.24.0' (#26) from adrien/infrastructure:master into master
Reviewed-on: Deuxfleurs/infrastructure#26
2020-12-11 11:00:38 +01:00
LUXEY Adrien
bcb3964417 Nomad config for synapse v1.24.0 2020-12-10 09:32:16 +01:00
LUXEY Adrien
ad064dddbc Merge branch 'master' of git.deuxfleurs.fr:Deuxfleurs/infrastructure 2020-12-10 09:09:34 +01:00
LUXEY Adrien
2b3df5b6ee upped synapse to v1.24.0 2020-12-10 09:09:17 +01:00
9c947a458f Merge branch 'feature/alps' into master 2020-12-04 13:54:02 +01:00
e370380a3f Alps is now deployed 2020-12-04 13:53:30 +01:00
d1332a2d42 Add alps container 2020-12-04 13:42:20 +01:00
6402119511 Set Jitsi videobridge max memory 2020-12-02 12:28:19 +01:00
365849760d Upgrade Nomad and expose telemetry 2020-11-30 08:31:17 +01:00
de3e21101d Merge pull request 'Pushed synapse version to 1.23.0 and riotweb to 1.7.14, incl. nomad deployment' (#25) from adrien/infrastructure:master into master
Reviewed-on: Deuxfleurs/infrastructure#25
2020-11-29 23:19:44 +01:00
LUXEY Adrien
da1d381068 pushed synapse to 1.23.0 and riotweb to 1.7.14 and deployed through nomad 2020-11-29 23:13:17 +01:00
LUXEY Adrien
fd38cbf744 pushed synapse to 1.23.0 and riotweb to 1.7.14 2020-11-29 22:51:38 +01:00
d241948034 Add missing dovecot conf files 2020-11-27 14:41:57 +01:00
e2bb0e1b4e Fix tab again 2020-11-22 13:02:14 +01:00
cfab2346cf Another another try 2020-11-22 13:01:05 +01:00
f544c202be Another try? 2020-11-22 13:00:42 +01:00
804078b3f4 Try to fix lists 2020-11-22 13:00:15 +01:00
9f41d95dcf New line 2020-11-22 12:59:52 +01:00
33f769c747 A guide to update Matrix 2020-11-22 12:59:07 +01:00
c19cadf353 Fix sogo conf to match RAM usage
To do the math:
SoGo SxVMemLimit * SoGo WOWorkersCount < Nomad Memory Limit
Before we had 384 * 10 >>> 1000
Now we have 300 * 3 < 1000
2020-11-22 12:40:51 +01:00
1bb9c7ce19 Add timestamp to backup 2020-11-15 20:14:19 +01:00
f931dd939c Add cryptography to consul backup 2020-11-15 19:43:33 +01:00
e2a0c40e6b Script to backup Consul KV store 2020-11-15 19:27:57 +01:00
2051a21662 Bump bottin 2020-11-13 13:02:22 +01:00
f14777e1b6 Merge pull request 'ansible-users' (#23) from ansible-users into master
Reviewed-on: Deuxfleurs/deuxfleurs.fr#23
2020-11-13 12:37:10 +01:00
7e111783fe Add LX key3 2020-11-13 12:34:07 +01:00
e1f171e19c use ansible_become instead of ansible_user: root 2020-11-13 12:33:23 +01:00
9981ea0286 Fix memory 2020-11-03 21:12:01 +01:00
0191926455 Seafile fails with OOM when trying to synchronize a 2GB folder 2020-11-03 19:42:08 +01:00
2452e87509 Migrate synapse to 1.22.1 2020-10-30 19:16:23 +01:00
bf58bd2a2c Some Seafile wizardry to bypass ipv4 only limitations 2020-10-28 22:57:41 +01:00
ed3ed5e2e4 Add max prefix 2020-10-28 17:55:03 +01:00
c32bd6df1d Add some doc 2020-10-28 17:07:55 +01:00
03680a992b Switch Matrix+Plume to IPv6, Add Trusted Net to ip6tables 2020-10-28 16:55:11 +01:00
aba3ba723c Nomad now speaks IPv6 2020-10-28 15:53:22 +01:00
f9013d9ca5 Fix seafdav 2020-10-28 15:14:29 +01:00
9fef7ae777 Port seafile 2020-10-28 15:09:51 +01:00
e74737e6e3 mariadb migrated to host 2020-10-28 14:50:22 +01:00
1f53e2061e backport a hack to enable jitsi 2020-10-28 14:41:19 +01:00
d8d0d74920 rework jitsi service 2020-10-28 14:12:15 +01:00
2ef6ab1881 Simplify configuration 2020-10-28 12:08:23 +01:00
f4a88fa565 Docker does not use IPv6, switching to "network=host" 2020-10-27 23:25:30 +01:00
2557793cee switch consul to ipv6 2020-10-27 22:39:00 +01:00
bf9a9128b8 Disable IPv6 Router Advertisement (RA) as it provision an additional IP address that we do not want to use and breaks things 2020-10-27 21:52:46 +01:00
5902805ac9 Reintroduce resolv.conf, it is needed + change DNS from FDN (broken) to Free 2020-10-22 20:22:57 +02:00
e465d65a27 This file is not needed anymore 2020-10-22 18:57:25 +02:00
3b75213d40 We now have IPv6 activated on our network interfaces! 2020-10-22 18:55:29 +02:00
b53b71f750 Fix some bugs 2020-10-22 18:29:37 +02:00
6858f17766 Rework Ansible to support ipv6 2020-10-22 17:57:02 +02:00
5c31fbf0b1 Add plume config template 2020-10-19 20:29:15 +02:00
3ef7b6775b Plume loves LDAP now 2020-10-19 20:27:54 +02:00
e4c15e9d71 Plume integration is working 2020-10-19 20:07:15 +02:00
6b667af32b Remove unrelated content 2020-10-19 12:02:50 +02:00
4af75bd8b8 WIP plume 2020-10-15 21:20:11 +02:00
25ec221248 WIP plume container 2020-10-14 21:27:43 +02:00
fcbb788de6 Readd Florian 2020-10-14 18:27:20 +02:00
948e4fb94e Upgrade chat 2020-10-13 11:59:02 +02:00
8fb283d502 upgrade easybridge 2020-10-10 00:03:51 +02:00
cc57e0b353 Bump easybridge version 2020-10-04 21:31:58 +02:00
c5eee91b12 WIP plume dockerfile 2020-10-01 15:25:04 +02:00
3afe80b158 Upgrade synapse 1.20.0 2020-09-23 11:25:59 +02:00
9460862c18 Add guide 2020-09-22 11:50:03 +02:00
6467a5ab31 Merge branch 'master' of git.deuxfleurs.fr:Deuxfleurs/deuxfleurs.fr 2020-09-21 16:30:23 +02:00
9e4e2f7b99 Add plume 2020-09-21 16:29:49 +02:00
f8682668c2 Upgrade Element Web to new config.json
- Display deuxfleurs.fr and not im.deuxfleurs.fr on login screen
  - Remove broken welcome page on login
  - Set our jitsi instance
  - Add more servers in the room discovery page
2020-09-18 19:55:48 +02:00
09fc30214d Upgrade synapse as proposed 2020-09-16 15:52:19 +02:00
e9bc6fe7f1 Merge pull request 'ajout de adrien dans la config de l'os' (#20) from ajout-adrien into master
Reviewed-on: Deuxfleurs/deuxfleurs.fr#20
2020-09-14 23:20:47 +02:00
360 changed files with 7474 additions and 4171 deletions

3
.gitmodules vendored
View file

@ -1,6 +1,3 @@
[submodule "docker/static/goStatic"] [submodule "docker/static/goStatic"]
path = app/build/static/goStatic path = app/build/static/goStatic
url = https://github.com/PierreZ/goStatic url = https://github.com/PierreZ/goStatic
[submodule "docker/blog/quentin.dufour.io"]
path = docker/blog-quentin/quentin.dufour.io
url = git@gitlab.com:superboum/quentin.dufour.io.git

View file

@ -1,27 +1,8 @@
deuxfleurs.fr deuxfleurs.fr
============= =============
*Many things are still missing here, including a proper documentation. Please stay nice, it is a volunter project. Feel free to open pull/merge requests to improve it. Thanks.* **OBSOLETION NOTICE:** We are progressively migrating our stack to NixOS, to replace Ansible. Most of the files present in this repository are outdated or obsolete,
the current code for our infrastructure is at: <https://git.deuxfleurs.fr/Deuxfleurs/nixcfg>.
## Our abstraction stack
We try to build a generic abstraction stack between our different resources (CPU, RAM, disk, etc.) and our services (Chat, Storage, etc.):
* ansible (physical node conf)
* nomad (schedule containers)
* consul (distributed key value store / lock / service discovery)
* garage/glusterfs (file storage)
* stolon + postgresql (distributed relational database)
* docker (container tool)
* bottin (LDAP server, auth)
Some services we provide:
* Chat (Matrix/Riot)
* Email (Postfix/Dovecot/Sogo)
* Storage (Seafile)
As a generic abstraction is provided, deploying new services should be easy.
## I am lost, how this repo works? ## I am lost, how this repo works?
@ -38,54 +19,3 @@ To ease the development, we make the choice of a fully integrated environment
3. `op_guide`: Guides to explain you operations you can do cluster wide (like configuring postgres) 3. `op_guide`: Guides to explain you operations you can do cluster wide (like configuring postgres)
## Start hacking
### Clone the repository
```
git clone https://gitlab.com/superboum/deuxfleurs.fr.git
git submodule init
git submodule update
```
### Deploying/Updating new services is done from your machine
*The following instructions are provided for ops that already have access to the servers.*
Deploy Nomad on your machine:
```bash
export NOMAD_VER=0.9.1
wget https://releases.hashicorp.com/nomad/${NOMAD_VER}/nomad_${NOMAD_VER}_linux_amd64.zip
unzip nomad_${NOMAD_VER}_linux_amd64.zip
sudo mv nomad /usr/local/bin
rm nomad_${NOMAD_VER}_linux_amd64.zip
```
Deploy Consul on your machine:
```bash
export CONSUL_VER=1.5.1
wget https://releases.hashicorp.com/consul/${CONSUL_VER}/consul_${CONSUL_VER}_linux_amd64.zip
unzip consul_${CONSUL_VER}_linux_amd64.zip
sudo mv consul /usr/local/bin
rm consul_${CONSUL_VER}_linux_amd64.zip
```
Create an alias (and put it in your `.bashrc`) to bind APIs on your machine:
```
alias bind_df="ssh \
-p110 \
-N \
-L 4646:127.0.0.1:4646 \
-L 8500:127.0.0.1:8500 \
-L 8082:traefik.service.2.cluster.deuxfleurs.fr:8082 \
<a server from the cluster>"
```
and run:
```
bind_df
```

View file

@ -1,5 +0,0 @@
*.aux
*.fdb_latexmk
*.fls
*.log
*.pdf

View file

@ -1,68 +0,0 @@
\documentclass[a4paper,DIV=12]{scrartcl}
\usepackage[french]{babel}
% On abuse komafont pour réduire la place prise par le titre
\addtokomafont{title}{\vspace*{-3em}}
\addtokomafont{author}{\vspace*{-1em}}
\addtokomafont{date}{\vspace*{-0.5em}}
% On ajoute "Article" devant les sections
\renewcommand\sectionformat{Article\enskip\thesection~:\hspace{1em}}
% On réduit la taille des sections
\addtokomafont{section}{\large}
% On rajoute un peu d'espace entre les paragraphes
\setlength{\parskip}{.8em}
% On enlève de la place après les titres
% (je n'ai pas pu utiliser le paquet dédié titlesec car il cause plein d'erreurs)
%\titlespacing\section{1pt}{*4}{*1.5}
\let\oldsection\section
\renewcommand{\section}[1]{\oldsection{#1}\vspace{-1em}}
\title{Procès-verbal de lassemblée générale constitutive de l'association Deuxfleurs}
\date{13 janvier 2020}
\author{Association Deuxfleurs\\10A Allée de Lanvaux, 35700 Rennes}
\begin{document}
\maketitle
Le 13 janvier 2020 à 19 heures, les fondateurs de lassociation Deuxfleurs se sont réunis en assemblée générale constitutive au 24 rue des Tanneurs à Rennes. Sont présents Adrien, Alex, Anaïs, Axelle, Louison, Maximilien, Quentin, Rémi et Vincent.
Lassemblée générale désigne Adrien Luxey en qualité de président de séance et Quentin Dufour en qualité de secrétaire de séance.
Le président de séance met à la disposition des présents le projet de statuts de lassociation et létat des actes passés pour le compte de lassociation en formation.
Puis il rappelle que lassemblée générale constitutive est appelée à statuer sur lordre du jour suivant :
\begin{itemize}
\item présentation du projet de constitution de lassociation ;
\item présentation du projet de statuts ;
\item adoption des statuts ;
\item désignation des premiers membres du conseil ;
\item pouvoirs en vue des formalités de déclaration et publication.
\end{itemize}
Enfin, le président de séance expose les motifs du projet de création de lassociation et commente le projet de statuts.
Il ouvre la discussion. Un débat sinstaure entre les membres de lassemblée.
Après quoi, personne ne demandant plus la parole, le président met successivement aux voix les délibérations suivantes.
\paragraph{1\iere~délibération} Lassemblée générale adopte les statuts dont le projet lui a été soumis.
Cette délibération est adoptée à lunanimité.
\paragraph{2\ieme~délibération} Lassemblée générale constitutive désigne en qualité de premiers membres du conseil d'administration :
\begin{itemize}
\item Adrien Luxey
\item Alex Auvolat
\item Maximilien Richer
\item Quentin Dufour
\item Vincent Giraud
\end{itemize}
Conformément aux statuts, cette désignation est faite pour une durée expirant lors de lassemblée générale qui sera appelée à statuer sur les comptes de lexercice clos le 13 janvier 2021.
Les membres du conseil ainsi désignés acceptent leurs fonctions
Nom, prénom et signature du président et du secrétaire de séance
\end{document}

View file

@ -1,104 +0,0 @@
\documentclass[a4paper,DIV=12]{scrartcl}
\usepackage[frenchb]{babel}
% On abuse komafont pour réduire la place prise par le titre
\addtokomafont{title}{\vspace*{-3em}}
\addtokomafont{author}{\vspace*{-1em}}
\addtokomafont{date}{\vspace*{-2em}}
% On ajoute "Article" devant les sections
\renewcommand\sectionformat{Article\enskip\thesection~:\hspace{1em}}
% On réduit la taille des sections
\addtokomafont{section}{\large}
% On rajoute un peu d'espace entre les paragraphes
\setlength{\parskip}{.8em}
% On enlève de la place après les titres
% (je n'ai pas pu utiliser le paquet dédié titlesec car il cause plein d'erreurs)
%\titlespacing\section{1pt}{*4}{*1.5}
\let\oldsection\section
\renewcommand{\section}[1]{\oldsection{#1}\vspace{-1em}}
\title{Statuts de l'association Deuxfleurs}
\date{13 janvier 2020}
\begin{document}
\maketitle
\section{Constitution et dénomination}
Il est fondé entre les adhérents aux présents statuts une association régie par la loi 1901, ayant pour titre Deuxfleurs.
\section{Buts}
Cette association a pour but de défendre et promouvoir les libertés individuelles et collectives à travers la mise en place d'infrastuctures numériques libres.
\section{Siège social}
Le siège social est fixé au 10A, Allée de Lanvaux, 35700 Rennes.
Il pourra être transféré suite à un vote par l'assemblée générale.
\section{Durée de l'association}
L'association perdure tant qu'elle possède au moins un membre, ou jusqu'à sa dissolution décidée en assemblée générale.
\section{Admission et adhésion}\label{article:admission}
Pour faire partie de l'association, il faut être coopté par un membre de l'association, adhérer aux présents statuts et s'acquitter de la cotisation annuelle dont le montant est de 10 euros.
\section{Composition de l'association}
L'association se compose exclusivement de membres admis selon les dispositions de l'article~\ref{article:admission} et à jour de leur cotisation.
Tout membre actif possède une voix lors des votes en assemblée générale.
Est considéré actif tout membre présent à l'assemblée générale (physiquement, par visioconférence ou par procuration écrite donnée à un autre membre de l'association).
\section{Perte de la qualité de membre}
La qualité de membre se perd par :
\begin{itemize}
\item la démission,
\item le non-renouvelement de la cotisation dans un délai de deux mois après le 1er Janvier de l'année courante,
\item le décès,
\item la radiation prononcée aux deux tiers des votes exprimés, lors d'un vote extraordinaire ou de l'assemblée générale.
\end{itemize}
\section{L'assemblée générale}\label{article:ag}
L'assemblée générale ordinaire se réunit au moins une fois par an, convoquée par le conseil d'administration.
Lassemblée générale extraordinaire est convoquée par le conseil dadministration, à la demande de celui-ci ou à la demande du quart au moins des membres de l'association.
L'assemblée générale (ordinaire ou extraordinaire) comprend tous les membres de l'association à jour de leur cotisation.
Quinze jours au moins avant la date fixée, les membres de l'association sont convoqués via la liste de diffusion de l'association et l'ordre du jour est inscrit sur les convocations.
Le conseil dadministration anime lassemblée générale.
Lassemblée générale, après avoir délibéré, se prononce sur le rapport moral et/ou d'activités.
Le conseil dadministration rend compte de l'exercice financier clos et soumet le bilan de lexercice clos à lapprobation de lassemblée dans un délai de six mois après la clôture des comptes.
Lassemblée générale délibère sur les orientations à venir et se prononce sur le budget prévisionnel de lannée en cours.
Elle pourvoit, au scrutin secret, à la nomination ou au renouvellement des membres du conseil d'administration via un scrutin de Condorcet Randomisé.
Elle fixe le montant de la cotisation annuelle.
Les décisions de l'assemblée sont prises à la majorité des membres présents ou représentés.
Chaque membre présent ne peut détenir plus d'une procuration.
\section{Membres mineurs}
Les mineurs peuvent adhérer à lassociation sous réserve dun accord tacite ou dune autorisation écrite de leurs parents ou tuteurs légaux.
Ils sont membres à part entière de lassociation.
Seuls les membres âgés de 16 ans au moins au jour dune élection sont autorisés à y voter, notamment au cours d'une assemblée générale.
Pour les autres, leur droit de vote est transmis à leur représentant légal.
\section{Le conseil d'administration}
L'association est administrée par un conseil d'administration composé de 3 à 6 membres, élus pour 1 an dans les conditions fixées à larticle~\ref{article:ag}.
Tous les membres de lassociation à jour de leur cotisation sont éligibles.
En cas de vacance de poste, le conseil d'administration peut pourvoir provisoirement au remplacement de ses membres. Ce remplacement est obligatoire quand le conseil d'administration compte moins de 3 membres.
Il est procédé à leur remplacement définitif à la plus prochaine assemblée générale.
Les pouvoirs des membres ainsi élus prennent fin à l'époque où devrait normalement expirer le mandat des membres remplacés.
Le conseil dadministration met en œuvre les décisions de lassemblée générale, organise et anime la vie de lassociation, dans le cadre fixé par les statuts.
Chacun de ses membres peut être habilité par le conseil à remplir toutes les formalités de déclaration et de publication prescrites par la législation et tout autre acte nécessaire au fonctionnement de lassociation et décidé par le conseil dadministration.
Tous les membres du conseil dadministration sont responsables des engagements contractés par lassociation.
Tout contrat ou convention passé entre lassociation d'une part, et un membre du conseil d'administration, son conjoint ou un proche, d'autre part, est soumis pour autorisation au conseil d'administration et présenté pour information à la plus prochaine assemblée générale.
Le conseil dadministration se réunit au moins 4 fois par an et toutes les fois qu'il est convoqué par le tiers de ses membres.
La présence de la moitié au moins des membres du conseil est nécessaire pour que le conseil d'administration puisse délibérer valablement.
Les décisions sont prises au consensus et, à défaut, à la majorité des voix des présents. Le vote par procuration n'est pas autorisé.
\section{Modification des statuts de l'association}
Sur demande d'un tiers des membres actifs, ou sur demande du conseil d'administration, des amendements aux statuts de l'association peuvent être discutés et soumis au vote lors d'une assemblée générale, selon les modalités de l'article~\ref{article:ag}.
\end{document}

View file

@ -1,3 +0,0 @@
# Documents administatifs
__Statuts__ : Pour compiler les statuts, faites `latexmk -pdf statuts.tex`

2
app/.gitignore vendored Normal file
View file

@ -0,0 +1,2 @@
env/
__pycache__

66
app/README.md Normal file
View file

@ -0,0 +1,66 @@
# Folder hierarchy
- `<module>/build/<image_name>/`: folders with dockerfiles and other necessary resources for building container images
- `<module>/config/`: folder containing configuration files, referenced by deployment file
- `<module>/secrets/`: folder containing secrets, which can be synchronized with Consul using `secretmgr.py`
- `<module>/deploy/`: folder containing the HCL file(s) necessary for deploying the module
- `<module>/integration/`: folder containing files for integration testing using docker-compose
# Secret Manager `secretmgr.py`
The Secret Manager ensures that all secrets are present where they should in the cluster.
**You need access to the cluster** (SSH port forwarding) for it to find any secret on the cluster. Refer to the previous directory's [README](../README.md), at the bottom of the file.
## How to install `secretmgr.py` dependencies
```bash
### Install system dependencies first:
## On fedora
dnf install -y openldap-devel cyrus-sasl-devel
## On ubuntu
apt-get install -y libldap2-dev libsasl2-dev
### Now install the Python dependencies from requirements.txt:
## Either using a virtual environment
# (requires virtualenv python module)
python3 -m virtualenv env
# Must be done everytime you create a new terminal window in this folder:
. env/bin/activate
# Install the deps
pip install -r requirements.txt
## Either by installing the dependencies for your system user:
pip3 install --user -r requirements.txt
```
## How to use `secretmgr.py`
Check that all secrets are correctly deployed for app `dummy`:
```bash
./secretmgr.py check dummy
```
Generate secrets for app `dummy` if they don't already exist:
```bash
./secretmgr.py gen dummy
```
Rotate secrets for app `dummy`, overwriting existing ones (be careful, this is dangerous!):
```bash
./secretmgr.py regen dummy
```
# Upgrading one of our packaged apps to a new version
1. Edit `docker-compose.yml`
2. Change the `VERSION` variable to the desired version
3. Increment the docker image tag by 1 (eg: superboum/riot:v13 -> superboum/riot:v14)
4. Run `docker-compose build`
5. Run `docker-compose push`
6. Done

View file

@ -0,0 +1,28 @@
FROM golang:buster as builder
WORKDIR /root
RUN git clone https://filippo.io/age && cd age/cmd/age && go build -o age .
FROM amd64/debian:buster
COPY --from=builder /root/age/cmd/age/age /usr/local/bin/age
RUN apt-get update && \
apt-get -qq -y full-upgrade && \
apt-get install -y rsync wget openssh-client unzip && \
apt-get clean && \
rm -f /var/lib/apt/lists/*_*
RUN mkdir -p /root/.ssh
WORKDIR /root
RUN wget https://releases.hashicorp.com/consul/1.8.5/consul_1.8.5_linux_amd64.zip && \
unzip consul_1.8.5_linux_amd64.zip && \
chmod +x consul && \
mv consul /usr/local/bin && \
rm consul_1.8.5_linux_amd64.zip
COPY do_backup.sh /root/do_backup.sh
CMD "/root/do_backup.sh"

View file

@ -0,0 +1,20 @@
#!/bin/sh
set -x -e
cd /root
chmod 0600 .ssh/id_ed25519
cat > .ssh/config <<EOF
Host backuphost
HostName $TARGET_SSH_HOST
Port $TARGET_SSH_PORT
User $TARGET_SSH_USER
EOF
consul kv export | \
gzip | \
age -r "$(cat /root/.ssh/id_ed25519.pub)" | \
ssh backuphost "cat > $TARGET_SSH_DIR/consul/$(date --iso-8601=minute)_consul_kv_export.gz.age"

View file

@ -0,0 +1 @@
result

View file

@ -0,0 +1,8 @@
## Build
```bash
docker load < $(nix-build docker.nix)
docker push superboum/backup-psql:???
```

View file

@ -0,0 +1,106 @@
#!/usr/bin/env python3
import shutil,sys,os,datetime,minio,subprocess
working_directory = "."
if 'CACHE_DIR' in os.environ: working_directory = os.environ['CACHE_DIR']
required_space_in_bytes = 20 * 1024 * 1024 * 1024
bucket = os.environ['AWS_BUCKET']
key = os.environ['AWS_ACCESS_KEY_ID']
secret = os.environ['AWS_SECRET_ACCESS_KEY']
endpoint = os.environ['AWS_ENDPOINT']
pubkey = os.environ['CRYPT_PUBLIC_KEY']
psql_host = os.environ['PSQL_HOST']
psql_user = os.environ['PSQL_USER']
s3_prefix = str(datetime.datetime.now())
files = [ "backup_manifest", "base.tar.gz", "pg_wal.tar.gz" ]
clear_paths = [ os.path.join(working_directory, f) for f in files ]
crypt_paths = [ os.path.join(working_directory, f) + ".age" for f in files ]
s3_keys = [ s3_prefix + "/" + f for f in files ]
def abort(msg):
for p in clear_paths + crypt_paths:
if os.path.exists(p):
print(f"Remove {p}")
os.remove(p)
if msg: sys.exit(msg)
else: print("success")
# Check we have enough space on disk
if shutil.disk_usage(working_directory).free < required_space_in_bytes:
abort(f"Not enough space on disk at path {working_directory} to perform a backup, aborting")
# Check postgres password is set
if 'PGPASSWORD' not in os.environ:
abort(f"You must pass postgres' password through the environment variable PGPASSWORD")
# Check our working directory is empty
if len(os.listdir(working_directory)) != 0:
abort(f"Working directory {working_directory} is not empty, aborting")
# Check Minio
client = minio.Minio(endpoint, key, secret)
if not client.bucket_exists(bucket):
abort(f"Bucket {bucket} does not exist or its access is forbidden, aborting")
# Perform the backup locally
try:
ret = subprocess.run(["pg_basebackup",
f"--host={psql_host}",
f"--username={psql_user}",
f"--pgdata={working_directory}",
f"--format=tar",
"--wal-method=stream",
"--gzip",
"--compress=6",
"--progress",
"--max-rate=5M",
])
if ret.returncode != 0:
abort(f"pg_basebackup exited, expected return code 0, got {ret.returncode}. aborting")
except Exception as e:
abort(f"pg_basebackup raised exception {e}. aborting")
# Check that the expected files are here
for p in clear_paths:
print(f"Checking that {p} exists locally")
if not os.path.exists(p):
abort(f"File {p} expected but not found, aborting")
# Cipher them
for c, e in zip(clear_paths, crypt_paths):
print(f"Ciphering {c} to {e}")
try:
ret = subprocess.run(["age", "-r", pubkey, "-o", e, c])
if ret.returncode != 0:
abort(f"age exit code is {ret}, 0 expected. aborting")
except Exception as e:
abort(f"aged raised an exception. {e}. aborting")
# Upload the backup to S3
for p, k in zip(crypt_paths, s3_keys):
try:
print(f"Uploading {p} to {k}")
result = client.fput_object(bucket, k, p)
print(
"created {0} object; etag: {1}, version-id: {2}".format(
result.object_name, result.etag, result.version_id,
),
)
except Exception as e:
abort(f"Exception {e} occured while upload {p}. aborting")
# Check that the files have been uploaded
for k in s3_keys:
try:
print(f"Checking that {k} exists remotely")
result = client.stat_object(bucket, k)
print(
"last-modified: {0}, size: {1}".format(
result.last_modified, result.size,
),
)
except Exception as e:
abort(f"{k} not found on S3. {e}. aborting")
abort(None)

View file

@ -0,0 +1,8 @@
{
pkgsSrc = fetchTarball {
# Latest commit on https://github.com/NixOS/nixpkgs/tree/nixos-21.11
# As of 2022-04-15
url ="https://github.com/NixOS/nixpkgs/archive/2f06b87f64bc06229e05045853e0876666e1b023.tar.gz";
sha256 = "sha256:1d7zg96xw4qsqh7c89pgha9wkq3rbi9as3k3d88jlxy2z0ns0cy2";
};
}

View file

@ -0,0 +1,37 @@
let
common = import ./common.nix;
pkgs = import common.pkgsSrc {};
python-with-my-packages = pkgs.python3.withPackages (p: with p; [
minio
]);
in
pkgs.stdenv.mkDerivation {
name = "backup-psql";
src = pkgs.lib.sourceFilesBySuffices ./. [ ".py" ];
buildInputs = [
python-with-my-packages
pkgs.age
pkgs.postgresql_14
];
buildPhase = ''
cat > backup-psql <<EOF
#!${pkgs.bash}/bin/bash
export PYTHONPATH=${python-with-my-packages}/${python-with-my-packages.sitePackages}
export PATH=${python-with-my-packages}/bin:${pkgs.age}/bin:${pkgs.postgresql_14}/bin
${python-with-my-packages}/bin/python3 $out/lib/backup-psql.py
EOF
chmod +x backup-psql
'';
installPhase = ''
mkdir -p $out/{bin,lib}
cp *.py $out/lib/backup-psql.py
cp backup-psql $out/bin/backup-psql
'';
}

View file

@ -0,0 +1,11 @@
let
common = import ./common.nix;
app = import ./default.nix;
pkgs = import common.pkgsSrc {};
in
pkgs.dockerTools.buildImage {
name = "superboum/backup-psql-docker";
config = {
Cmd = [ "${app}/bin/backup-psql" ];
};
}

View file

@ -0,0 +1,171 @@
job "backup_daily" {
datacenters = ["dc1"]
type = "batch"
priority = "60"
periodic {
cron = "@daily"
// Do not allow overlapping runs.
prohibit_overlap = true
}
group "backup-dovecot" {
constraint {
attribute = "${attr.unique.hostname}"
operator = "="
value = "digitale"
}
task "main" {
driver = "docker"
config {
image = "restic/restic:0.12.1"
entrypoint = [ "/bin/sh", "-c" ]
args = [ "restic backup /mail && restic forget --keep-within 1m1d --keep-within-weekly 3m --keep-within-monthly 1y && restic prune --max-unused 50% --max-repack-size 2G && restic check" ]
volumes = [
"/mnt/ssd/mail:/mail"
]
}
template {
data = <<EOH
AWS_ACCESS_KEY_ID={{ key "secrets/email/dovecot/backup_aws_access_key_id" }}
AWS_SECRET_ACCESS_KEY={{ key "secrets/email/dovecot/backup_aws_secret_access_key" }}
RESTIC_REPOSITORY={{ key "secrets/email/dovecot/backup_restic_repository" }}
RESTIC_PASSWORD={{ key "secrets/email/dovecot/backup_restic_password" }}
EOH
destination = "secrets/env_vars"
env = true
}
resources {
cpu = 500
memory = 200
}
restart {
attempts = 2
interval = "30m"
delay = "15s"
mode = "fail"
}
}
}
group "backup-plume" {
constraint {
attribute = "${attr.unique.hostname}"
operator = "="
value = "digitale"
}
task "main" {
driver = "docker"
config {
image = "restic/restic:0.12.1"
entrypoint = [ "/bin/sh", "-c" ]
args = [ "restic backup /plume && restic forget --keep-within 1m1d --keep-within-weekly 3m --keep-within-monthly 1y && restic prune --max-unused 50% --max-repack-size 2G && restic check" ]
volumes = [
"/mnt/ssd/plume/media:/plume"
]
}
template {
data = <<EOH
AWS_ACCESS_KEY_ID={{ key "secrets/plume/backup_aws_access_key_id" }}
AWS_SECRET_ACCESS_KEY={{ key "secrets/plume/backup_aws_secret_access_key" }}
RESTIC_REPOSITORY={{ key "secrets/plume/backup_restic_repository" }}
RESTIC_PASSWORD={{ key "secrets/plume/backup_restic_password" }}
EOH
destination = "secrets/env_vars"
env = true
}
resources {
cpu = 500
memory = 200
}
restart {
attempts = 2
interval = "30m"
delay = "15s"
mode = "fail"
}
}
}
group "backup-consul" {
task "consul-kv-export" {
driver = "docker"
lifecycle {
hook = "prestart"
sidecar = false
}
config {
image = "consul:1.11.2"
network_mode = "host"
entrypoint = [ "/bin/sh", "-c" ]
args = [ "/bin/consul kv export > $NOMAD_ALLOC_DIR/consul.json" ]
}
env {
CONSUL_HTTP_ADDR = "http://consul.service.2.cluster.deuxfleurs.fr:8500"
}
resources {
cpu = 200
memory = 200
}
restart {
attempts = 2
interval = "30m"
delay = "15s"
mode = "fail"
}
}
task "restic-backup" {
driver = "docker"
config {
image = "restic/restic:0.12.1"
entrypoint = [ "/bin/sh", "-c" ]
args = [ "restic backup $NOMAD_ALLOC_DIR/consul.json && restic forget --keep-within 1m1d --keep-within-weekly 3m --keep-within-monthly 1y && restic prune --max-unused 50% --max-repack-size 2G && restic check" ]
}
template {
data = <<EOH
AWS_ACCESS_KEY_ID={{ key "secrets/backup/consul/backup_aws_access_key_id" }}
AWS_SECRET_ACCESS_KEY={{ key "secrets/backup/consul/backup_aws_secret_access_key" }}
RESTIC_REPOSITORY={{ key "secrets/backup/consul/backup_restic_repository" }}
RESTIC_PASSWORD={{ key "secrets/backup/consul/backup_restic_password" }}
EOH
destination = "secrets/env_vars"
env = true
}
resources {
cpu = 200
memory = 200
}
restart {
attempts = 2
interval = "30m"
delay = "15s"
mode = "fail"
}
}
}
}

View file

@ -0,0 +1,55 @@
job "backup_weekly" {
datacenters = ["dc1"]
type = "batch"
priority = "60"
periodic {
cron = "@weekly"
// Do not allow overlapping runs.
prohibit_overlap = true
}
group "backup-psql" {
task "main" {
driver = "docker"
config {
image = "superboum/backup-psql-docker:gyr3aqgmhs0hxj0j9hkrdmm1m07i8za2"
volumes = [
// Mount a cache on the hard disk to avoid filling the SSD
"/mnt/storage/tmp_bckp_psql:/mnt/cache"
]
}
template {
data = <<EOH
CACHE_DIR=/mnt/cache
AWS_BUCKET=backups-pgbasebackup
AWS_ENDPOINT=s3.deuxfleurs.shirokumo.net
AWS_ACCESS_KEY_ID={{ key "secrets/backup/psql/aws_access_key_id" }}
AWS_SECRET_ACCESS_KEY={{ key "secrets/backup/psql/aws_secret_access_key" }}
CRYPT_PUBLIC_KEY={{ key "secrets/backup/psql/crypt_public_key" }}
PSQL_HOST=psql-proxy.service.2.cluster.deuxfleurs.fr
PSQL_USER={{ key "secrets/postgres/keeper/pg_repl_username" }}
PGPASSWORD={{ key "secrets/postgres/keeper/pg_repl_pwd" }}
EOH
destination = "secrets/env_vars"
env = true
}
resources {
cpu = 200
memory = 200
}
restart {
attempts = 2
interval = "30m"
delay = "15s"
mode = "fail"
}
}
}
}

View file

@ -0,0 +1,67 @@
job "backup_periodic" {
datacenters = ["dc1"]
type = "batch"
periodic {
// Launch every hour
cron = "0 * * * * *"
// Do not allow overlapping runs.
prohibit_overlap = true
}
task "backup-consul" {
driver = "docker"
config {
image = "lxpz/backup_consul:12"
volumes = [
"secrets/id_ed25519:/root/.ssh/id_ed25519",
"secrets/id_ed25519.pub:/root/.ssh/id_ed25519.pub",
"secrets/known_hosts:/root/.ssh/known_hosts"
]
network_mode = "host"
}
env {
CONSUL_HTTP_ADDR = "http://consul.service.2.cluster.deuxfleurs.fr:8500"
}
template {
data = <<EOH
TARGET_SSH_USER={{ key "secrets/backup/target_ssh_user" }}
TARGET_SSH_PORT={{ key "secrets/backup/target_ssh_port" }}
TARGET_SSH_HOST={{ key "secrets/backup/target_ssh_host" }}
TARGET_SSH_DIR={{ key "secrets/backup/target_ssh_dir" }}
EOH
destination = "secrets/env_vars"
env = true
}
template {
data = "{{ key \"secrets/backup/id_ed25519\" }}"
destination = "secrets/id_ed25519"
}
template {
data = "{{ key \"secrets/backup/id_ed25519.pub\" }}"
destination = "secrets/id_ed25519.pub"
}
template {
data = "{{ key \"secrets/backup/target_ssh_fingerprint\" }}"
destination = "secrets/known_hosts"
}
resources {
memory = 200
}
restart {
attempts = 2
interval = "30m"
delay = "15s"
mode = "fail"
}
}
}

View file

@ -0,0 +1 @@
USER Backup AWS access key ID

View file

@ -0,0 +1 @@
USER Backup AWS secret access key

View file

@ -0,0 +1 @@
USER Restic password to encrypt backups

View file

@ -0,0 +1 @@
USER Restic repository, eg. s3:https://s3.garage.tld

View file

@ -0,0 +1 @@
USER_LONG Private ed25519 key of the container doing the backup

View file

@ -0,0 +1 @@
USER Public ed25519 key of the container doing the backup (this key must be in authorized_keys on the backup target host)

View file

@ -0,0 +1 @@
USER Minio access key

View file

@ -0,0 +1 @@
USER Minio secret key

View file

@ -0,0 +1 @@
USER a private key to decript backups from age

View file

@ -0,0 +1 @@
USER A public key to encypt backups with age

View file

@ -0,0 +1 @@
USER Directory where to store backups on target host

View file

@ -0,0 +1 @@
USER SSH fingerprint of the target machine (format: copy here the corresponding line from your known_hosts file)

View file

@ -0,0 +1 @@
USER Hostname of the backup target host

View file

@ -0,0 +1 @@
USER SSH port number to connect to the target host

View file

@ -0,0 +1 @@
USER SSH username to log in as on the target host

View file

@ -0,0 +1,83 @@
job "bagage" {
datacenters = ["dc1"]
type = "service"
priority = 90
constraint {
attribute = "${attr.cpu.arch}"
value = "amd64"
}
group "main" {
count = 1
network {
port "web_port" { to = 8080 }
port "ssh_port" {
static = 2222
to = 2222
}
}
task "server" {
driver = "docker"
config {
image = "superboum/amd64_bagage:v11"
readonly_rootfs = false
volumes = [
"secrets/id_rsa:/id_rsa"
]
ports = [ "web_port", "ssh_port" ]
}
env {
BAGAGE_LDAP_ENDPOINT = "bottin2.service.2.cluster.deuxfleurs.fr:389"
}
resources {
memory = 500
}
template {
data = "{{ key \"secrets/bagage/id_rsa\" }}"
destination = "secrets/id_rsa"
}
service {
name = "bagage-ssh"
port = "ssh_port"
address_mode = "host"
tags = [
"bagage",
"(diplonat (tcp_port 2222))"
]
}
service {
name = "bagage-webdav"
tags = [
"bagage",
"traefik.enable=true",
"traefik.frontend.entryPoints=https,http",
"traefik.frontend.rule=Host:bagage.deuxfleurs.fr",
"tricot bagage.deuxfleurs.fr",
]
port = "web_port"
address_mode = "host"
check {
type = "tcp"
port = "web_port"
address_mode = "host"
interval = "60s"
timeout = "5s"
check_restart {
limit = 3
grace = "90s"
ignore_warnings = false
}
}
}
}
}
}

View file

@ -0,0 +1 @@
CMD ssh-keygen -q -f >(cat) -N "" <<< y 2>/dev/null 1>&2 ; true

View file

@ -1,8 +0,0 @@
## How to upgrade our packaged apps to a new version?
1. Edit `docker-compose.yml`
2. Change the `VERSION` variable to the desired version
3. Increment the docker image tag by 1 (eg: superboum/riot:v13 -> superboum/riot:v14)
4. Run `docker-compose build`
5. Run `docker-compose push`
6. Done

View file

@ -1,16 +0,0 @@
FROM amd64/debian:stretch as builder
COPY ./quentin.dufour.io/Gemfile /root/quentin.dufour.io/Gemfile
WORKDIR /root/quentin.dufour.io
RUN apt-get update && \
apt-get install -y ruby-dev gem build-essential bundler zlib1g-dev libxml2-dev && \
bundle install
COPY ./quentin.dufour.io/ /root/quentin.dufour.io/
RUN bundle exec jekyll build
FROM superboum/amd64_webserver:v2
COPY --from=builder /root/quentin.dufour.io/_site /srv/http

View file

@ -1 +0,0 @@
sudo docker build -t superboum/amd64_blog:v19 .

View file

@ -1,8 +0,0 @@
FROM amd64/debian:buster
RUN apt-get update && \
apt-get dist-upgrade -y && \
apt-get install -y \
coturn
CMD ["/usr/bin/turnserver"]

View file

@ -1,17 +0,0 @@
## Génère l'image
```
sudo docker build -t registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1 .
```
## Run bash dans le container
```
sudo docker run --rm -t -i registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1 bash
sudo docker run --rm -t -i -p 3478:3478/udp -p 3479:3479/udp -p 3478:3478/tcp -p 3479:3479/tcp registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1
```
## Used ports
- udp/tcp 3478 3479
## Publish
sudo docker push registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1

View file

@ -1,63 +0,0 @@
version: '3.4'
services:
# Instant Messaging
riot:
build:
context: ./riotweb
args:
# https://github.com/vector-im/riot-web/releases
VERSION: 1.7.5
image: superboum/amd64_riotweb:v15
synapse:
build:
context: ./matrix-synapse
args:
# https://github.com/matrix-org/synapse/releases
VERSION: 1.19.1
image: superboum/amd64_synapse:v33
# Email
sogo:
build:
context: ./sogo
args:
# fake for now
VERSION: 5.0.0
image: superboum/amd64_sogo:v7
# VoIP
jitsi-meet:
build:
context: ./jitsi-meet
args:
# https://github.com/jitsi/jitsi-meet
PREFIXV: stable/jitsi-meet_
VERSION: 4966
image: superboum/amd64_jitsi_meet:v1
jitsi-conference-focus:
build:
context: ./jitsi-conference-focus
args:
# https://github.com/jitsi/jicofo
PREFIXV: stable/jitsi-meet_
VERSION: 4966
image: superboum/amd64_jitsi_conference_focus:v5
jitsi-videobridge:
build:
context: ./jitsi-videobridge
args:
# https://github.com/jitsi/jitsi-videobridge
PREFIXV: stable/jitsi-meet_
VERSION: 4966
image: superboum/amd64_jitsi_videobridge:v15
jitsi-xmpp:
build:
context: ./jitsi-xmpp
args:
VERSION: fake-1
image: superboum/amd64_jitsi_xmpp:v4

View file

@ -1,27 +0,0 @@
FROM debian:buster AS builder
ARG PREFIXV
ARG VERSION
RUN apt-get update && \
apt-get install -y openjdk-11-jdk maven wget unzip && \
wget https://github.com/jitsi/jicofo/archive/${PREFIXV}${VERSION}.zip -O jicofo.zip
RUN unzip jicofo.zip && \
mv jicofo*${VERSION} jicofo && \
cd jicofo && \
mvn package -DskipTests -Dassembly.skipAssembly=false && \
unzip target/jicofo-1.1-SNAPSHOT-archive.zip && \
mv jicofo-1.1-SNAPSHOT /srv/build
FROM debian:buster
RUN apt-get update && \
apt-get install -y openjdk-11-jre-headless ca-certificates
ENV JAVA_SYS_PROPS="-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION=/root -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=.sip-communicator -Dnet.java.sip.communicator.SC_LOG_DIR_LOCATION=/var/log/jitsi"
COPY --from=builder /srv/build /srv/jicofo
COPY jicofo /usr/local/bin/jicofo
COPY sip-communicator.properties /root/.sip-communicator/sip-communicator.properties
CMD ["/usr/local/bin/jicofo"]

View file

@ -1,16 +0,0 @@
#!/bin/bash
cp ${JITSI_CERTS_FOLDER}/auth.jitsi.deuxfleurs.fr.crt /usr/local/share/ca-certificates/auth.jitsi.deuxfleurs.fr.crt
update-ca-certificates -f
cat >> /etc/hosts <<EOF
${JITSI_PROSODY_HOST} jitsi.deuxfleurs.fr conference.jitsi.deuxfleurs.fr jitsi-videobridge.jitsi.deuxfleurs.fr focus.jitsi.deuxfleurs.fr auth.jitsi.deuxfleurs.fr
127.0.0.1 `hostname`
EOF
/srv/jicofo/jicofo.sh \
--host=${JITSI_PROSODY_HOST} \
--domain=jitsi.deuxfleurs.fr \
--secret=${JITSI_SECRET_JICOFO_COMPONENT} \
--user_domain=auth.jitsi.deuxfleurs.fr \
--user_password=${JITSI_SECRET_JICOFO_USER}

View file

@ -1,2 +0,0 @@
org.jitsi.jicofo.SHORT_ID=1
org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.auth.jitsi.deuxfleurs.fr

View file

@ -1,28 +0,0 @@
FROM debian:buster AS builder
ARG PREFIXV
ARG VERSION
RUN apt-get update && \
apt-get install -y curl && \
curl -sL https://deb.nodesource.com/setup_14.x | bash - && \
apt-get install -y git nodejs make wget unzip && \
wget https://github.com/jitsi/jitsi-meet/archive/${PREFIXV}${VERSION}.zip -O jitsi-meet.zip
RUN unzip jitsi-meet.zip && \
mv jitsi-meet-*${VERSION} jitsi-meet && \
cd jitsi-meet && \
npm install && \
make
FROM debian:buster
COPY --from=builder /jitsi-meet /srv/jitsi-meet
RUN apt-get update && \
apt-get install -y nginx && \
rm /etc/nginx/sites-enabled/*
COPY config.js /srv/jitsi-meet/config.js
COPY entrypoint.sh /usr/local/bin/entrypoint
ENTRYPOINT ["/usr/local/bin/entrypoint"]
CMD ["/usr/sbin/nginx", "-g", "daemon off;"]

View file

@ -1,517 +0,0 @@
/* eslint-disable no-unused-vars, no-var */
var config = {
// Connection
//
hosts: {
// XMPP domain.
domain: 'jitsi.deuxfleurs.fr',
// When using authentication, domain for guest users.
// anonymousdomain: 'guest.example.com',
// Domain for authenticated users. Defaults to <domain>.
// authdomain: 'jitsi-meet.example.com',
// Jirecon recording component domain.
// jirecon: 'jirecon.jitsi-meet.example.com',
// Call control component (Jigasi).
// call_control: 'callcontrol.jitsi-meet.example.com',
// Focus component domain. Defaults to focus.<domain>.
// focus: 'focus.jitsi-meet.example.com',
// XMPP MUC domain. FIXME: use XEP-0030 to discover it.
muc: 'conference.jitsi.deuxfleurs.fr'
},
// BOSH URL. FIXME: use XEP-0156 to discover it.
bosh: '//jitsi.deuxfleurs.fr/http-bind',
// Websocket URL
// websocket: 'wss://jitsi-meet.example.com/xmpp-websocket',
// The name of client node advertised in XEP-0115 'c' stanza
clientNode: 'http://jitsi.org/jitsimeet',
// The real JID of focus participant - can be overridden here
// focusUserJid: 'focus@auth.jitsi-meet.example.com',
// Testing / experimental features.
//
testing: {
// Enables experimental simulcast support on Firefox.
enableFirefoxSimulcast: false,
// P2P test mode disables automatic switching to P2P when there are 2
// participants in the conference.
p2pTestMode: false
// Enables the test specific features consumed by jitsi-meet-torture
// testMode: false
// Disables the auto-play behavior of *all* newly created video element.
// This is useful when the client runs on a host with limited resources.
// noAutoPlayVideo: false
},
// Disables ICE/UDP by filtering out local and remote UDP candidates in
// signalling.
// webrtcIceUdpDisable: false,
// Disables ICE/TCP by filtering out local and remote TCP candidates in
// signalling.
// webrtcIceTcpDisable: false,
// Media
//
// Audio
// Disable measuring of audio levels.
// disableAudioLevels: false,
// audioLevelsInterval: 200,
// Enabling this will run the lib-jitsi-meet no audio detection module which
// will notify the user if the current selected microphone has no audio
// input and will suggest another valid device if one is present.
enableNoAudioDetection: true,
// Enabling this will run the lib-jitsi-meet noise detection module which will
// notify the user if there is noise, other than voice, coming from the current
// selected microphone. The purpose it to let the user know that the input could
// be potentially unpleasant for other meeting participants.
enableNoisyMicDetection: true,
// Start the conference in audio only mode (no video is being received nor
// sent).
// startAudioOnly: false,
// Every participant after the Nth will start audio muted.
// startAudioMuted: 10,
// Start calls with audio muted. Unlike the option above, this one is only
// applied locally. FIXME: having these 2 options is confusing.
// startWithAudioMuted: false,
// Enabling it (with #params) will disable local audio output of remote
// participants and to enable it back a reload is needed.
// startSilent: false
// Video
// Sets the preferred resolution (height) for local video. Defaults to 720.
resolution: 480,
// w3c spec-compliant video constraints to use for video capture. Currently
// used by browsers that return true from lib-jitsi-meet's
// util#browser#usesNewGumFlow. The constraints are independency from
// this config's resolution value. Defaults to requesting an ideal aspect
// ratio of 16:9 with an ideal resolution of 720.
constraints: {
video: {
aspectRatio: 16 / 9,
height: {
ideal: 480,
max: 720,
min: 240
}
}
},
// Enable / disable simulcast support.
// disableSimulcast: false,
// Enable / disable layer suspension. If enabled, endpoints whose HD
// layers are not in use will be suspended (no longer sent) until they
// are requested again.
// enableLayerSuspension: false,
// Every participant after the Nth will start video muted.
// startVideoMuted: 10,
// Start calls with video muted. Unlike the option above, this one is only
// applied locally. FIXME: having these 2 options is confusing.
// startWithVideoMuted: false,
// If set to true, prefer to use the H.264 video codec (if supported).
// Note that it's not recommended to do this because simulcast is not
// supported when using H.264. For 1-to-1 calls this setting is enabled by
// default and can be toggled in the p2p section.
// preferH264: true,
// If set to true, disable H.264 video codec by stripping it out of the
// SDP.
// disableH264: false,
// Desktop sharing
// The ID of the jidesha extension for Chrome.
desktopSharingChromeExtId: null,
// Whether desktop sharing should be disabled on Chrome.
// desktopSharingChromeDisabled: false,
// The media sources to use when using screen sharing with the Chrome
// extension.
desktopSharingChromeSources: [ 'screen', 'window', 'tab' ],
// Required version of Chrome extension
desktopSharingChromeMinExtVersion: '0.1',
// Whether desktop sharing should be disabled on Firefox.
// desktopSharingFirefoxDisabled: false,
// Optional desktop sharing frame rate options. Default value: min:5, max:5.
// desktopSharingFrameRate: {
// min: 5,
// max: 5
// },
// Try to start calls with screen-sharing instead of camera video.
// startScreenSharing: false,
// Recording
// Whether to enable file recording or not.
// fileRecordingsEnabled: false,
// Enable the dropbox integration.
// dropbox: {
// appKey: '<APP_KEY>' // Specify your app key here.
// // A URL to redirect the user to, after authenticating
// // by default uses:
// // 'https://jitsi-meet.example.com/static/oauth.html'
// redirectURI:
// 'https://jitsi-meet.example.com/subfolder/static/oauth.html'
// },
// When integrations like dropbox are enabled only that will be shown,
// by enabling fileRecordingsServiceEnabled, we show both the integrations
// and the generic recording service (its configuration and storage type
// depends on jibri configuration)
// fileRecordingsServiceEnabled: false,
// Whether to show the possibility to share file recording with other people
// (e.g. meeting participants), based on the actual implementation
// on the backend.
// fileRecordingsServiceSharingEnabled: false,
// Whether to enable live streaming or not.
// liveStreamingEnabled: false,
// Transcription (in interface_config,
// subtitles and buttons can be configured)
// transcribingEnabled: false,
// Enables automatic turning on captions when recording is started
// autoCaptionOnRecord: false,
// Misc
// Default value for the channel "last N" attribute. -1 for unlimited.
channelLastN: -1,
// Disables or enables RTX (RFC 4588) (defaults to false).
// disableRtx: false,
// Disables or enables TCC (the default is in Jicofo and set to true)
// (draft-holmer-rmcat-transport-wide-cc-extensions-01). This setting
// affects congestion control, it practically enables send-side bandwidth
// estimations.
// enableTcc: true,
// Disables or enables REMB (the default is in Jicofo and set to false)
// (draft-alvestrand-rmcat-remb-03). This setting affects congestion
// control, it practically enables recv-side bandwidth estimations. When
// both TCC and REMB are enabled, TCC takes precedence. When both are
// disabled, then bandwidth estimations are disabled.
// enableRemb: false,
// Defines the minimum number of participants to start a call (the default
// is set in Jicofo and set to 2).
// minParticipants: 2,
// Use XEP-0215 to fetch STUN and TURN servers.
// useStunTurn: true,
// Enable IPv6 support.
// useIPv6: true,
// Enables / disables a data communication channel with the Videobridge.
// Values can be 'datachannel', 'websocket', true (treat it as
// 'datachannel'), undefined (treat it as 'datachannel') and false (don't
// open any channel).
// openBridgeChannel: true,
// UI
//
// Use display name as XMPP nickname.
// useNicks: false,
// Require users to always specify a display name.
// requireDisplayName: true,
// Whether to use a welcome page or not. In case it's false a random room
// will be joined when no room is specified.
enableWelcomePage: true,
// Enabling the close page will ignore the welcome page redirection when
// a call is hangup.
// enableClosePage: false,
// Disable hiding of remote thumbnails when in a 1-on-1 conference call.
// disable1On1Mode: false,
// Default language for the user interface.
defaultLanguage: 'fr',
// If true all users without a token will be considered guests and all users
// with token will be considered non-guests. Only guests will be allowed to
// edit their profile.
enableUserRolesBasedOnToken: false,
// Whether or not some features are checked based on token.
// enableFeaturesBasedOnToken: false,
// Enable lock room for all moderators, even when userRolesBasedOnToken is enabled and participants are guests.
// lockRoomGuestEnabled: false,
// When enabled the password used for locking a room is restricted to up to the number of digits specified
// roomPasswordNumberOfDigits: 10,
// default: roomPasswordNumberOfDigits: false,
// Message to show the users. Example: 'The service will be down for
// maintenance at 01:00 AM GMT,
// noticeMessage: '',
// Enables calendar integration, depends on googleApiApplicationClientID
// and microsoftApiApplicationClientID
// enableCalendarIntegration: false,
// Stats
//
// Whether to enable stats collection or not in the TraceablePeerConnection.
// This can be useful for debugging purposes (post-processing/analysis of
// the webrtc stats) as it is done in the jitsi-meet-torture bandwidth
// estimation tests.
// gatherStats: false,
// The interval at which PeerConnection.getStats() is called. Defaults to 10000
// pcStatsInterval: 10000,
// To enable sending statistics to callstats.io you must provide the
// Application ID and Secret.
// callStatsID: '',
// callStatsSecret: '',
// enables sending participants display name to callstats
// enableDisplayNameInStats: false
// enables sending participants email if available to callstats and other analytics
// enableEmailInStats: false
// Privacy
//
// If third party requests are disabled, no other server will be contacted.
// This means avatars will be locally generated and callstats integration
// will not function.
// disableThirdPartyRequests: false,
// Peer-To-Peer mode: used (if enabled) when there are just 2 participants.
//
p2p: {
// Enables peer to peer mode. When enabled the system will try to
// establish a direct connection when there are exactly 2 participants
// in the room. If that succeeds the conference will stop sending data
// through the JVB and use the peer to peer connection instead. When a
// 3rd participant joins the conference will be moved back to the JVB
// connection.
enabled: true,
// Use XEP-0215 to fetch STUN and TURN servers.
// useStunTurn: true,
// The STUN servers that will be used in the peer to peer connections
stunServers: [
// { urls: 'stun:jitsi-meet.example.com:443' },
{ urls: 'stun:stun.l.google.com:19302' },
{ urls: 'stun:stun1.l.google.com:19302' },
{ urls: 'stun:stun2.l.google.com:19302' }
],
// Sets the ICE transport policy for the p2p connection. At the time
// of this writing the list of possible values are 'all' and 'relay',
// but that is subject to change in the future. The enum is defined in
// the WebRTC standard:
// https://www.w3.org/TR/webrtc/#rtcicetransportpolicy-enum.
// If not set, the effective value is 'all'.
// iceTransportPolicy: 'all',
// If set to true, it will prefer to use H.264 for P2P calls (if H.264
// is supported).
preferH264: true,
// If set to true, disable H.264 video codec by stripping it out of the
// SDP.
// disableH264: false,
// How long we're going to wait, before going back to P2P after the 3rd
// participant has left the conference (to filter out page reload).
backToP2PDelay: 60
},
analytics: {
// The Google Analytics Tracking ID:
// googleAnalyticsTrackingId: 'your-tracking-id-UA-123456-1'
// The Amplitude APP Key:
// amplitudeAPPKey: '<APP_KEY>'
// Array of script URLs to load as lib-jitsi-meet "analytics handlers".
// scriptURLs: [
// "libs/analytics-ga.min.js", // google-analytics
// "https://example.com/my-custom-analytics.js"
// ],
},
// Information about the jitsi-meet instance we are connecting to, including
// the user region as seen by the server.
deploymentInfo: {
// shard: "shard1",
// region: "europe",
// userRegion: "asia"
}
// Information for the chrome extension banner
// chromeExtensionBanner: {
// // The chrome extension to be installed address
// url: 'https://chrome.google.com/webstore/detail/jitsi-meetings/kglhbbefdnlheedjiejgomgmfplipfeb',
// // Extensions info which allows checking if they are installed or not
// chromeExtensionsInfo: [
// {
// id: 'kglhbbefdnlheedjiejgomgmfplipfeb',
// path: 'jitsi-logo-48x48.png'
// }
// ]
// }
// Local Recording
//
// localRecording: {
// Enables local recording.
// Additionally, 'localrecording' (all lowercase) needs to be added to
// TOOLBAR_BUTTONS in interface_config.js for the Local Recording
// button to show up on the toolbar.
//
// enabled: true,
//
// The recording format, can be one of 'ogg', 'flac' or 'wav'.
// format: 'flac'
//
// }
// Options related to end-to-end (participant to participant) ping.
// e2eping: {
// // The interval in milliseconds at which pings will be sent.
// // Defaults to 10000, set to <= 0 to disable.
// pingInterval: 10000,
//
// // The interval in milliseconds at which analytics events
// // with the measured RTT will be sent. Defaults to 60000, set
// // to <= 0 to disable.
// analyticsInterval: 60000,
// }
// If set, will attempt to use the provided video input device label when
// triggering a screenshare, instead of proceeding through the normal flow
// for obtaining a desktop stream.
// NOTE: This option is experimental and is currently intended for internal
// use only.
// _desktopSharingSourceDevice: 'sample-id-or-label'
// If true, any checks to handoff to another application will be prevented
// and instead the app will continue to display in the current browser.
// disableDeepLinking: false
// A property to disable the right click context menu for localVideo
// the menu has option to flip the locally seen video for local presentations
// disableLocalVideoFlip: false
// Deployment specific URLs.
// deploymentUrls: {
// // If specified a 'Help' button will be displayed in the overflow menu with a link to the specified URL for
// // user documentation.
// userDocumentationURL: 'https://docs.example.com/video-meetings.html',
// // If specified a 'Download our apps' button will be displayed in the overflow menu with a link
// // to the specified URL for an app download page.
// downloadAppsUrl: 'https://docs.example.com/our-apps.html'
// }
// List of undocumented settings used in jitsi-meet
/**
_immediateReloadThreshold
autoRecord
autoRecordToken
debug
debugAudioLevels
deploymentInfo
dialInConfCodeUrl
dialInNumbersUrl
dialOutAuthUrl
dialOutCodesUrl
disableRemoteControl
displayJids
etherpad_base
externalConnectUrl
firefox_fake_device
googleApiApplicationClientID
iAmRecorder
iAmSipGateway
microsoftApiApplicationClientID
peopleSearchQueryTypes
peopleSearchUrl
requireDisplayName
tokenAuthUrl
*/
// List of undocumented settings used in lib-jitsi-meet
/**
_peerConnStatusOutOfLastNTimeout
_peerConnStatusRtcMuteTimeout
abTesting
avgRtpStatsN
callStatsConfIDNamespace
callStatsCustomScriptUrl
desktopSharingSources
disableAEC
disableAGC
disableAP
disableHPF
disableNS
enableLipSync
enableTalkWhileMuted
forceJVB121Ratio
hiddenDomain
ignoreStartMuted
nick
startBitrate
*/
};
/* eslint-enable no-unused-vars, no-var */

View file

@ -1,38 +0,0 @@
#!/bin/bash
cat > /etc/nginx/sites-available/jitsi <<EOF
server_names_hash_bucket_size 64;
server {
listen 0.0.0.0:443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name _;
ssl_certificate ${JITSI_CERTS_FOLDER}/jitsi.deuxfleurs.fr.crt;
ssl_certificate_key ${JITSI_CERTS_FOLDER}/jitsi.deuxfleurs.fr.key;
root /srv/jitsi-meet;
index index.html;
location ~ ^/([a-zA-Z0-9=\?]+)$ {
rewrite ^/(.*)$ / break;
}
location / {
ssi on;
}
# BOSH, Bidirectional-streams Over Synchronous HTTP
# https://en.wikipedia.org/wiki/BOSH_(protocol)
location /http-bind {
proxy_pass http://${JITSI_PROSODY_BOSH_HOST}:${JITSI_PROSODY_BOSH_PORT}/http-bind;
proxy_set_header X-Forwarded-For \$remote_addr;
proxy_set_header Host \$http_host;
}
# external_api.js must be accessible from the root of the
# installation for the electron version of Jitsi Meet to work
# https://github.com/jitsi/jitsi-meet-electron
location /external_api.js {
alias /srv/jitsi-meet/libs/external_api.min.js;
}
}
EOF
ln -sf /etc/nginx/sites-available/jitsi /etc/nginx/sites-enabled/jitsi
exec "$@"

View file

@ -1,30 +0,0 @@
FROM debian:buster AS builder
ARG PREFIXV
ARG VERSION
RUN apt-get update && \
apt-get install -y wget unzip maven openjdk-11-jdk && \
wget https://github.com/jitsi/jitsi-videobridge/archive/${PREFIXV}${VERSION}.zip -O jvb.zip
RUN unzip jvb.zip && \
mv jitsi-videobridge*${VERSION} jvb && \
cd jvb && \
mvn package -DskipTests && \
ls jvb/target && \
unzip jvb/target/jitsi-videobridge*.zip && \
mv jitsi-videobridge-*-SNAPSHOT build
FROM debian:buster
RUN apt-get update && \
apt-get install -y openjdk-11-jre-headless
COPY --from=builder /jvb/build /srv/jvb
ENV HOME=/root
WORKDIR /root
COPY jvb_run /usr/local/bin/jvb_run
ENV JAVA_SYS_PROPS="-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION=/root -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=.sip-communicator -Dnet.java.sip.communicator.SC_LOG_DIR_LOCATION=/var/log/jitsi"
CMD ["/usr/local/bin/jvb_run"]

View file

@ -1,54 +0,0 @@
#!/bin/bash
cat >> /etc/hosts <<EOF
${JITSI_PROSODY_HOST} jitsi.deuxfleurs.fr conference.jitsi.deuxfleurs.fr jitsi-videobridge.jitsi.deuxfleurs.fr focus.jitsi.deuxfleurs.fr auth.jitsi.deuxfleurs.fr
127.0.0.1 `hostname`
EOF
mkdir -p /root/.sip-communicator
cat > /root/.sip-communicator/sip-communicator.properties <<EOF
# Enable broadcasting stats/presence in a MUC
org.jitsi.videobridge.ENABLE_STATISTICS=true
org.jitsi.videobridge.STATISTICS_TRANSPORT=muc
# Connect to the first XMPP server
org.jitsi.videobridge.xmpp.user.shard.HOSTNAME=jitsi.deuxfleurs.fr
org.jitsi.videobridge.xmpp.user.shard.DOMAIN=auth.jitsi.deuxfleurs.fr
org.jitsi.videobridge.xmpp.user.shard.USERNAME=jvb
org.jitsi.videobridge.xmpp.user.shard.PASSWORD=${JITSI_SECRET_VIDEOBRIDGE}
org.jitsi.videobridge.xmpp.user.shard.MUC_JIDS=JvbBrewery@internal.auth.jitsi.deuxfleurs.fr
org.jitsi.videobridge.xmpp.user.shard.MUC=JvbBrewery@internal.auth.jitsi.deuxfleurs.fr
org.jitsi.videobridge.xmpp.user.shard.MUC_NICKNAME=singleton
org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=true
# Do we need it? @FIXME
org.jitsi.impl.neomedia.transform.srtp.SRTPCryptoContext.checkReplay=false
# NAT things, two times just in case...
org.ice4j.ice.harvest.TCP_HARVESTER_PORT=${JITSI_VIDEO_TCP}
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=${JITSI_NAT_LOCAL_IP}
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=${JITSI_NAT_PUBLIC_IP}
org.jitsi.videobridge.TCP_HARVESTER_PORT=${JITSI_VIDEO_TCP}
org.jitsi.videobridge.NAT_HARVESTER_LOCAL_ADDRESS=${JITSI_NAT_LOCAL_IP}
org.jitsi.videobridge.NAT_HARVESTER_PUBLIC_ADDRESS=${JITSI_NAT_PUBLIC_IP}
org.jitsi.videobridge.DISABLE_TCP_HARVESTER=false
EOF
[ -v JITSI_DEBUG ] && cat >> /root/.sip-communicator/sip-communicator.properties <<EOF
net.java.sip.communicator.packetlogging.PACKET_LOGGING_ENABLED=true
net.java.sip.communicator.packetlogging.PACKET_LOGGING_ARBITRARY_ENABLED=true
net.java.sip.communicator.packetlogging.PACKET_LOGGING_SIP_ENABLED=true
net.java.sip.communicator.packetlogging.PACKET_LOGGING_JABBER_ENABLED=true
net.java.sip.communicator.packetlogging.PACKET_LOGGING_RTP_ENABLED=true
net.java.sip.communicator.packetlogging.PACKET_LOGGING_ICE4j_ENABLED=true
net.java.sip.communicator.packetlogging.PACKET_LOGGING_FILE_COUNT=1
net.java.sip.communicator.packetlogging.PACKET_LOGGING_FILE_SIZE=-1
EOF
/srv/jvb/jvb.sh \
--host=${JITSI_PROSODY_HOST} \
--domain=jitsi.deuxfleurs.fr \
--port=5347 \
--secret=${JITSI_SECRET_VIDEOBRIDGE} \
--apis=xmpp,rest

View file

@ -1,11 +0,0 @@
FROM debian:buster
RUN apt-get update && \
apt-get install -y prosody
COPY external_components.cfg.lua /etc/prosody/conf.d/external_components.cfg.lua
COPY xmpp_conf /usr/local/bin/xmpp_conf
COPY xmpp_gen /usr/local/bin/xmpp_gen
COPY xmpp_run /usr/local/bin/xmpp_run
CMD ["/usr/local/bin/xmpp_run"]

View file

@ -1,2 +0,0 @@
component_ports = { 5347 }
component_interface = "0.0.0.0"

View file

@ -1,47 +0,0 @@
#!/bin/bash
cat >> /etc/hosts <<EOF
${JITSI_PROSODY_HOST} jitsi.deuxfleurs.fr conference.jitsi.deuxfleurs.fr jitsi-videobridge.jitsi.deuxfleurs.fr focus.jitsi.deuxfleurs.fr auth.jitsi.deuxfleurs.fr
127.0.0.1 `hostname`
EOF
mkdir -p /etc/prosody/conf.{d,avail}/
cat > /etc/prosody/conf.avail/jitsi.deuxfleurs.fr.cfg.lua <<EOF
VirtualHost "jitsi.deuxfleurs.fr"
authentication = "anonymous"
ssl = {
key = "/var/lib/prosody/jitsi.deuxfleurs.fr.key";
certificate = "/var/lib/prosody/jitsi.deuxfleurs.fr.crt";
}
modules_enabled = {
"bosh";
"pubsub";
}
c2s_require_encryption = false
VirtualHost "auth.jitsi.deuxfleurs.fr"
ssl = {
key = "/var/lib/prosody/auth.jitsi.deuxfleurs.fr.key";
certificate = "/var/lib/prosody/auth.jitsi.deuxfleurs.fr.crt";
}
authentication = "internal_plain"
admins = { "focus@auth.jitsi.deuxfleurs.fr"}
Component "conference.jitsi.deuxfleurs.fr" "muc"
Component "internal.auth.jitsi.deuxfleurs.fr" "muc"
storage = "memory"
modules_enabled = { "ping"; }
admins = { "focus@auth.jitsi.deuxfleurs.fr", "jvb@auth.jitsi.deuxfleurs.fr" }
Component "jitsi-videobridge.jitsi.deuxfleurs.fr"
component_secret = "${JITSI_SECRET_VIDEOBRIDGE}"
Component "focus.jitsi.deuxfleurs.fr"
component_secret = "${JITSI_SECRET_JICOFO_COMPONENT}"
EOF
ln -sf \
/etc/prosody/conf.avail/jitsi.deuxfleurs.fr.cfg.lua \
/etc/prosody/conf.d/jitsi.deuxfleurs.fr.cfg.lua

View file

@ -1,9 +0,0 @@
#!/bin/bash
/usr/local/bin/xmpp_conf
prosodyctl cert generate jitsi.deuxfleurs.fr
prosodyctl cert generate auth.jitsi.deuxfleurs.fr
cp /var/lib/prosody/*.crt ${JITSI_CERTS_FOLDER}
cp /var/lib/prosody/*.key ${JITSI_CERTS_FOLDER}

View file

@ -1,20 +0,0 @@
#!/bin/bash
/usr/local/bin/xmpp_conf
cp ${JITSI_CERTS_FOLDER}/* /var/lib/prosody/
chown -R prosody:prosody /var/lib/prosody
mkdir -p /usr/local/share/ca-certificates/
ln -sf \
/var/lib/prosody/auth.jitsi.deuxfleurs.fr.crt \
/usr/local/share/ca-certificates/auth.jitsi.deuxfleurs.fr.crt
prosodyctl register focus auth.jitsi.deuxfleurs.fr ${JITSI_SECRET_JICOFO_USER}
prosodyctl register jvb auth.jitsi.deuxfleurs.fr ${JITSI_SECRET_VIDEOBRIDGE}
mkdir /run/prosody
touch /run/prosody/prosody.pid
chown -R prosody:prosody /run/prosody
cd /var/lib/prosody
su - prosody -s /bin/bash -c prosody

View file

@ -1,3 +0,0 @@
```
docker build -t superboum/amd64_landing:v8 .
```

View file

@ -1,3 +0,0 @@
[mariadb]
pam_use_cleartext_plugin
bind-address = 0.0.0.0

View file

@ -1,3 +0,0 @@
[mariadb]
plugin-load=auth_pam.so

View file

@ -1,2 +0,0 @@
[mysqld]
bind-address = 0.0.0.0

View file

@ -1,14 +0,0 @@
FROM debian:stretch
RUN apt-get update && \
apt-get dist-upgrade -y && \
DEBIAN_FRONTEND=noninteractive apt-get install -y mariadb-server mariadb-client libnss-ldapd
COPY 60-ldap.cnf /etc/mysql/mariadb.conf.d/60-ldap.cnf
COPY 60-remote.cnf /etc/mysql/mariadb.conf.d/60-remote.cnf
COPY 60-disable-dialog.cnf /etc/mysql/mariadb.conf.d/60-disable-dialog.cnf
COPY pam-mariadb /etc/pam.d/mariadb
COPY nsswitch.conf /etc/nsswitch.conf
COPY entrypoint.sh /usr/local/bin/entrypoint
ENTRYPOINT ["/usr/local/bin/entrypoint"]

View file

@ -1,19 +0,0 @@
```
sudo docker build -t superboum/amd64_mariadb:v3 .
sudo docker run \
-t -i \
-p 3306:3306 \
-v /tmp/mysql:/var/lib/mysql \
-e LDAP_URI='ldap://bottin.service.2.cluster.deuxfleurs.fr' \
-e LDAP_BASE='ou=users,dc=deuxfleurs,dc=fr' \
-e LDAP_VERSION=3 \
-e LDAP_BIND_DN='cn=admin,dc=deuxfleurs,dc=fr' \
-e LDAP_BIND_PW='xxxx' \
-e MYSQL_PASSWORD='xxxx' \
superboum/amd64_mariadb:v1 \
tail -f /var/log/mysql/error.log
CREATE USER quentin@localhost IDENTIFIED VIA pam USING 'mariadb';
```

View file

@ -1,50 +0,0 @@
#!/bin/bash
set -e
cat > /etc/nslcd.conf <<EOF
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
uri ${LDAP_URI}
# The search base that will be used for all queries.
base ${LDAP_BASE}
# The LDAP protocol version to use.
ldap_version ${LDAP_VERSION}
# The DN to bind with for normal lookups.
binddn ${LDAP_BIND_DN}
bindpw ${LDAP_BIND_PW}
# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com
# SSL options
#ssl off
#tls_reqcert never
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
# The search scope.
#scope sub
EOF
/usr/sbin/nslcd
chown mysql:mysql /var/lib/mysql
[ -z "$(ls -A /var/lib/mysql)" ] && mysql_install_db --user=mysql --basedir=/usr --datadir=/var/lib/mysql
/usr/bin/mysqld_safe &
until ls /var/run/mysqld/mysqld.sock; do sleep 1; done
/usr/bin/mysqladmin -u root password ${MYSQL_PASSWORD} || true
exec "$@"

View file

@ -1,21 +0,0 @@
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files ldap
group: files ldap
shadow: files ldap
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

View file

@ -1,2 +0,0 @@
auth required pam_ldap.so
account required pam_ldap.so

View file

@ -1,27 +0,0 @@
FROM debian:10
RUN apt-get update && \
apt-get -qq -y full-upgrade
RUN apt-get install -y apache2 php php-gd php-mbstring php-pgsql php-curl php-dom php-xml php-zip \
php-intl php-ldap php-fileinfo php-exif php-apcu php-redis php-imagick unzip curl wget && \
phpenmod gd && \
phpenmod curl && \
phpenmod mbstring && \
phpenmod pgsql && \
phpenmod dom && \
phpenmod zip && \
phpenmod intl && \
phpenmod ldap && \
phpenmod fileinfo && \
phpenmod exif && \
phpenmod apcu && \
phpenmod redis && \
phpenmod imagick && \
phpenmod xml
COPY container-setup.sh /tmp
RUN /tmp/container-setup.sh
COPY entrypoint.sh /
CMD /entrypoint.sh

View file

@ -1,37 +0,0 @@
#!/bin/sh
set -ex
curl https://download.nextcloud.com/server/releases/nextcloud-19.0.0.zip > /tmp/nextcloud.zip
cd /var/www
unzip /tmp/nextcloud.zip
rm /tmp/nextcloud.zip
mv html html.old
mv nextcloud html
cd html
mkdir data
cd apps
wget https://github.com/nextcloud/tasks/releases/download/v0.13.1/tasks.tar.gz
tar xf tasks.tar.gz
wget https://github.com/nextcloud/maps/releases/download/v0.1.6/maps-0.1.6.tar.gz
tar xf maps-0.1.6.tar.gz
wget https://github.com/nextcloud/calendar/releases/download/v2.0.3/calendar.tar.gz
tar xf calendar.tar.gz
wget https://github.com/nextcloud/news/releases/download/14.1.11/news.tar.gz
tar xf news.tar.gz
wget https://github.com/nextcloud/notes/releases/download/v3.6.0/notes.tar.gz
tar xf notes.tar.gz
wget https://github.com/nextcloud/contacts/releases/download/v3.3.0/contacts.tar.gz
tar xf contacts.tar.gz
wget https://github.com/nextcloud/mail/releases/download/v1.4.0/mail.tar.gz
tar xf mail.tar.gz
wget https://github.com/nextcloud/groupfolders/releases/download/v6.0.6/groupfolders.tar.gz
tar xf groupfolders.tar.gz
rm *.tar.gz
chown -R www-data:www-data /var/www/html
cd /var/www/html
php occ

View file

@ -1,8 +0,0 @@
#!/bin/sh
set -xe
chown www-data:www-data /var/www/html/config/config.php
touch /var/www/html/data/.ocdata
exec apachectl -DFOREGROUND

Binary file not shown.

View file

@ -1,4 +0,0 @@
FROM amd64/openjdk:13-alpine
COPY pithos-0.7.5-standalone.jar /srv/pithos.jar
ENTRYPOINT ["/opt/openjdk-13/bin/java", "-jar", "/srv/pithos.jar"]

View file

@ -1,9 +0,0 @@
This project is considered as "dangerous" as it is tagged as "Project not under active development".
Consequently, just in case, I am backuping the .jar and the sources in this git repo.
Better safe than sorry or pretty.
```
sudo docker build -t superboum/amd64_pithos:v1 .
sudo docker push superboum/amd64_pithos:v1
sudo docker run --rm -it -p 8080:8080 -v pithos.yaml:/etc/pithos/pithos.yaml superboum/amd64_pithos:v1
```

View file

@ -1,19 +0,0 @@
FROM amd64/debian:stretch
RUN echo "deb http://deb.debian.org/debian stretch-backports main contrib non-free # available after stretch release" > /etc/apt/sources.list.d/stretch-backports.list && \
apt-get update && \
apt-get -qq -y full-upgrade && \
apt-get install -y postgresql-all golang-1.11 git && \
export GOPATH=/usr/local/go && \
mkdir -p /usr/local/go/src/github.com/sorintlab && \
cd /usr/local/go/src/github.com/sorintlab && \
git clone --depth=1 https://github.com/sorintlab/stolon && \
ln -s /usr/lib/go-1.11/bin/go /usr/bin/go && \
ln -s /usr/lib/go-1.11/bin/gofmt /usr/bin/gofmt && \
cd ./stolon && \
./build && \
mv /usr/local/go/src/github.com/sorintlab/stolon/bin/* /usr/local/bin/ && \
rm -rf /usr/local/go
USER postgres

View file

@ -1,4 +0,0 @@
```
docker build -t superboum/arm32v7_postgres .
docker build -t superboum/amd64_postgres:v2 .
```

View file

@ -1,22 +0,0 @@
#!/bin/bash
if [ -f /local/pg_hba.conf ]; then
echo "Copying Nomad configuration..."
cp /local/pg_hba.conf /etc/postgresql/9.6/main/
echo "Done"
fi
if [ -z "$(ls -A /var/lib/postgresql/9.6/main)" ]; then
echo "Copying base"
cp -r /var/lib/postgresql/9.6/base/* /var/lib/postgresql/9.6/main
echo "Done"
fi
chmod -R 700 /var/lib/postgresql/9.6/main
chown -R postgres /var/lib/postgresql/9.6/main
echo "Starting postgres..."
. /usr/share/postgresql-common/init.d-functions
start 9.6
tail -f /var/log/postgresql/postgresql-9.6-main.log

View file

@ -1,24 +0,0 @@
{
"default_hs_url": "https://im.deuxfleurs.fr",
"default_is_url": "https://vector.im",
"disable_custom_urls": false,
"disable_guests": false,
"disable_login_language_selector": false,
"disable_3pid_login": false,
"brand": "Deuxfleurs",
"integrations_ui_url": "https://scalar.vector.im/",
"integrations_rest_url": "https://scalar.vector.im/api",
"integrations_jitsi_widget_url": "https://scalar.vector.im/api/widgets/jitsi.html",
"bug_report_endpoint_url": "https://riot.im/bugreports/submit",
"features": {
"feature_groups": "labs",
"feature_pinning": "labs"
},
"default_federate": true,
"welcomePageUrl": "home.html",
"default_theme": "light",
"roomDirectory": {
"servers": [ "im.deuxfleurs.fr", "matrix.org" ]
}
}

View file

@ -1,46 +0,0 @@
FROM amd64/debian:buster as builder
ENV VERSION 7.0.5
RUN apt-get update && \
apt-get dist-upgrade -y && \
DEBIAN_FRONTEND=noninteractive apt-get install -y wget tar && \
wget https://download.seadrive.org/seafile-server_${VERSION}_x86-64.tar.gz -O ./seafile.tar.gz && \
tar xf ./seafile.tar.gz && \
mv seafile-server-${VERSION} seafile-server
FROM amd64/debian:buster
COPY --from=builder ./seafile-server /srv/webstore/seafile-server
RUN apt-get update && \
apt-get dist-upgrade -y && \
DEBIAN_FRONTEND=noninteractive apt-get install -y \
python \
mariadb-client \
python2.7 \
libpython2.7 \
python-setuptools \
python-ldap \
python-urllib3 \
ffmpeg \
python-pip \
python-mysqldb \
python-memcache \
procps \
python-requests && \
pip install Pillow==4.3.0 && \
pip install moviepy && \
useradd -u 1000 -d /srv/webstore seauser && \
chown -R seauser:1000 /srv/webstore/
RUN mkdir -p /usr/local/lib/mariadb/plugin/ && \
ln -s /usr/lib/x86_64-linux-gnu/mariadb*/plugin/mysql_clear_password.so /usr/local/lib/mariadb/plugin/ && \
ln -s /usr/lib/x86_64-linux-gnu/mariadb*/plugin/dialog.so /usr/local/lib/mariadb/plugin/
WORKDIR /srv/webstore/seafile-server
COPY seadocker /usr/local/bin/seadocker
COPY seaenv /usr/local/bin/seaenv
ENTRYPOINT ["/usr/local/bin/seaenv"]
CMD ["/usr/local/bin/seadocker"]

View file

@ -1,27 +0,0 @@
```bash
sudo docker build -t superboum/amd64_seafile:v5 .
```
When upgrading, connect on a production server and run:
```bash
nomad stop seafile
sudo docker build -t superboum/amd64_seafile:v6 .
sudo docker run -t -i \
-v /mnt/glusterfs/seafile:/mnt/seafile-data \
-v /mnt/glusterfs/seaconf/conf:/srv/webstore/conf \
-v /mnt/glusterfs/seaconf/ccnet:/srv/webstore/ccnet \
superboum/amd64_seafile:v5
# See:
# * https://download.seafile.com/published/seafile-manual/deploy/upgrade.md
# * https://download.seafile.com/published/seafile-manual/changelog/server-changelog.md
nomad start seafile.hcl
```
when upgrading, change the command on start

View file

@ -1,4 +0,0 @@
#!/bin/bash
/srv/webstore/seafile-server/seafile.sh start
/srv/webstore/seafile-server/seahub.sh start
tail -f /srv/webstore/logs/*

View file

@ -1,7 +0,0 @@
#!/bin/bash
chown seauser /srv/webstore
chown seauser -R /srv/webstore/ccnet
chown seauser -R /srv/webstore/conf
runuser -u seauser -- "$@"

View file

@ -1,9 +0,0 @@
FROM golang:1.11.1-stretch as builder
COPY ./goStatic /goStatic
WORKDIR /goStatic
RUN CGO_ENABLED=0 go build -a -o web-server .
FROM scratch
COPY --from=builder /goStatic/web-server /
ENTRYPOINT ["/web-server"]

View file

@ -1,5 +0,0 @@
```
sudo docker build -t superboum/amd64_webserver:v3 .
sudo docker push superboum/amd64_webserver:v3
```

@ -1 +0,0 @@
Subproject commit 3f97f57aaee09a142afe3ca0f1a5d51acd856436

View file

@ -1 +0,0 @@
main

View file

@ -1,9 +0,0 @@
FROM node:13.8-buster
RUN apt-get update && \
apt-get install -y git
COPY ./main /srv/httpd
WORKDIR /srv
CMD ["/srv/httpd"]

View file

@ -1,12 +0,0 @@
FROM fedora:32
ENV LC_ALL=C.UTF-8
ENV LANG=C.UTF-8
ENV LANGUAGE=en_US.UTF-8
ENV RUBYOPT --disable-did_you_mean
RUN dnf install -y git ruby ruby-devel rubygems rubygem-bundler @development-tools redhat-rpm-config gcc-c++ zlib-devel
COPY ./main /srv/httpd
WORKDIR /srv
CMD ["/srv/httpd"]

View file

@ -1,23 +0,0 @@
# webpull
Webpull allows you to update your live website without deploying a new docker container but by simply calling an URL
You need to specify a secret token at boot:
```
WEBPULL_TOKEN=s3cr3et ./webpull
```
## Node.js version
```
go build ./main.go
sudo docker build -f ./Dockerfile.nodejs -t superboum/amd64_webpull_pug:v1 .
```
## Ruby version
```
go build ./main.go
sudo docker build -f ./Dockerfile.ruby -t superboum/amd64_webpull_ruby:v1 .
```

View file

@ -1,100 +0,0 @@
package main
import (
"fmt"
"errors"
"io"
"os/exec"
"os"
"log"
"net/http"
"strings"
)
func myexec(w io.Writer, main string, params ...string) error {
cmd := exec.Command(main, params...)
cmd.Stdout = w
cmd.Stderr = w
err := cmd.Run()
if err != nil {
fmt.Fprintf(w, "Failed to run: %s %s\n", main, strings.Join(params, " "))
}
return err
}
func update(w io.Writer) error {
fmt.Fprintf(w, "Start update...\n")
_, err := os.Stat("./.git")
if err != nil {
fmt.Fprintf(w, ".git folder does not exist, creating it...\n")
err := myexec(w, "git", "init")
if err != nil {
return err
}
}
err = myexec(w, "git", "remote", "get-url", "origin")
if err != nil {
repo, exists := os.LookupEnv("WEBPULL_REPO")
if !exists {
fmt.Fprintf(w, "You must define WEBPULL_REPO env variable...\n")
return errors.New("Missing environment variable WEBPULL_REPO")
}
fmt.Fprintf(w, "git remote is not yet set...\n")
err := myexec(w, "git", "remote", "add", "origin", repo)
if err != nil {
return err
}
}
err = myexec(w, "git", "pull", "origin", "master")
if err != nil {
fmt.Fprintf(w, "Failed to pull...\n")
return err
}
_, err = os.Stat("./.webpull")
if err != nil {
fmt.Fprintf(w, "You must create an executable file named '.webpull' at the root of your repository.\nIf you have nothing to run, just create an empty bash script...\n")
return err
}
err = myexec(w, "./.webpull")
if err != nil {
fmt.Fprintf(w, "An error occured during script execution\n")
return err
}
fmt.Fprintf(w, "Success.\n")
return nil
}
func main() {
token, exists := os.LookupEnv("WEBPULL_TOKEN")
if !exists {
log.Fatal("Environment variable 'WEBPULL_TOKEN' must be defined")
}
if update(os.Stdout) != nil {
log.Fatal("Initial 'update' failed")
}
fs := http.FileServer(http.Dir("./static"))
http.HandleFunc("/update", func(w http.ResponseWriter, r *http.Request) {
keys, ok := r.URL.Query()["token"]
if !ok || len(keys[0]) < 1 {
http.Error(w, "Missing 'token' query parameter", 401)
return
}
if keys[0] != token {
http.Error(w, "Wrong token", 401)
return
}
update(w)
})
http.Handle("/", fs)
log.Fatal(http.ListenAndServe(":8080", nil))
}

View file

@ -1,33 +0,0 @@
# Blacklist everything cleverly
*
!*/
# Whitelist some patterns
!*.sample
!*.gen
!*.tpl
!.gitignore
# Whitelist specific files
!seafile/conf/seafdav.conf
!seafile/ccnet/seafile.ini
!email/dkim/keytable
!email/dkim/signingtable
!email/dkim/trusted
!email/postfix/dynamicmaps.cf
!email/postfix/header_checks
!email/postfix/main.cf
!email/postfix/master.cf
!email/postfix/transport
!email/postfix/transport.db
!email/sogo/sogo.conf.tpl
!chat/**/*
!directory/*/*
!traefik/traefik.toml
!garage/config.toml

View file

@ -1,133 +0,0 @@
# Homeserver details
homeserver:
# The address that this appservice can use to connect to the homeserver.
address: https://im.deuxfleurs.fr
# The domain of the homeserver (for MXIDs, etc).
domain: deuxfleurs.fr
# Whether or not to verify the SSL certificate of the homeserver.
# Only applies if address starts with https://
verify_ssl: true
# Application service host/registration related details
# Changing these values requires regeneration of the registration.
appservice:
# The address that the homeserver can use to connect to this appservice.
address: http://fb2mx.service.2.cluster.deuxfleurs.fr:29319
# The hostname and port where this appservice should listen.
hostname: 0.0.0.0
port: 29319
# The maximum body size of appservice API requests (from the homeserver) in mebibytes
# Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
max_body_size: 1
# The full URI to the database. SQLite and Postgres are fully supported.
# Other DBMSes supported by SQLAlchemy may or may not work.
# Format examples:
# SQLite: sqlite:///filename.db
# Postgres: postgres://username:password@hostname/dbname
database: '{{ key "secrets/chat/fb2mx/db_url" | trimSpace }}'
# The unique ID of this appservice.
id: facebook
# Username of the appservice bot.
bot_username: facebookbot
# Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
# to leave display name/avatar as-is.
bot_displayname: Facebook bridge bot
bot_avatar: mxc://maunium.net/ddtNPZSKMNqaUzqrHuWvUADv
# Community ID for bridged users (changes registration file) and rooms.
# Must be created manually.
community_id: "+fbusers:deuxfleurs.fr"
# Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
as_token: '{{ key "secrets/chat/fb2mx/as_token" | trimSpace }}'
hs_token: '{{ key "secrets/chat/fb2mx/hs_token" | trimSpace }}'
# Bridge config
bridge:
# Localpart template of MXIDs for Facebook users.
# {userid} is replaced with the user ID of the Facebook user.
username_template: "facebook_{userid}"
# Localpart template for per-user room grouping community IDs.
# The bridge will create these communities and add all of the specific user's portals to the community.
# {localpart} is the MXID localpart and {server} is the MXID server part of the user.
#
# `facebook_{localpart}={server}` is a good value.
community_template: "facebook_{localpart}={server}"
# Displayname template for Facebook users.
# {displayname} is replaced with the display name of the Facebook user
# as defined below in displayname_preference.
# Keys available for displayname_preference are also available here.
displayname_template: "{displayname} (FB)"
# Available keys:
# "name" (full name)
# "first_name"
# "last_name"
# "nickname"
# "own_nickname" (user-specific!)
displayname_preference:
- name
# The prefix for commands. Only required in non-management rooms.
command_prefix: "!fb"
# Number of chats to sync (and create portals for) on startup/login.
# Maximum 20, set 0 to disable automatic syncing.
initial_chat_sync: 10
# Whether or not the Facebook users of logged in Matrix users should be
# invited to private chats when the user sends a message from another client.
invite_own_puppet_to_pm: false
# Whether or not to use /sync to get presence, read receipts and typing notifications when using
# your own Matrix account as the Matrix puppet for your Facebook account.
sync_with_custom_puppets: true
# Whether or not to bridge presence in both directions. Facebook allows users not to broadcast
# presence, but then it won't send other users' presence to the client.
presence: true
# Whether or not to update avatars when syncing all contacts at startup.
update_avatar_initial_sync: true
# Permissions for using the bridge.
# Permitted values:
# user - Use the bridge with puppeting.
# admin - Use and administrate the bridge.
# Permitted keys:
# * - All Matrix users
# domain - All users on that homeserver
# mxid - Specific user
permissions:
"deuxfleurs.fr": "user"
# Python logging configuration.
#
# See section 16.7.2 of the Python documentation for more info:
# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
logging:
version: 1
formatters:
colored:
(): mautrix_facebook.util.ColorFormatter
format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
normal:
format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
handlers:
file:
class: logging.handlers.RotatingFileHandler
formatter: normal
filename: ./mautrix-facebook.log
maxBytes: 10485760
backupCount: 10
console:
class: logging.StreamHandler
formatter: colored
loggers:
mau:
level: DEBUG
fbchat:
level: DEBUG
aiohttp:
level: INFO
root:
level: DEBUG
handlers: [file, console]

View file

@ -1,11 +0,0 @@
id: facebook
as_token: '{{ key "secrets/chat/fb2mx/as_token" | trimSpace }}'
hs_token: '{{ key "secrets/chat/fb2mx/hs_token" | trimSpace }}'
namespaces:
users:
- exclusive: true
regex: '@facebook_.+:deuxfleurs.fr'
group_id: '+fbusers:deuxfleurs.fr'
url: http://fb2mx.service.2.cluster.deuxfleurs.fr:29319
sender_localpart: facebookbot
rate_limited: false

View file

@ -1,25 +0,0 @@
{
"default_hs_url": "https://im.deuxfleurs.fr",
"default_is_url": "https://vector.im",
"disable_custom_urls": false,
"disable_guests": false,
"disable_login_language_selector": false,
"disable_3pid_login": false,
"brand": "Deuxfleurs",
"integrations_ui_url": "https://scalar.vector.im/",
"integrations_rest_url": "https://scalar.vector.im/api",
"bug_report_endpoint_url": "https://riot.im/bugreports/submit",
"features": {
"feature_groups": "labs",
"feature_pinning": "labs"
},
"default_federate": true,
"welcomePageUrl": "home.html",
"default_theme": "light",
"roomDirectory": {
"servers": [ "im.deuxfleurs.fr", "matrix.org" ]
},
"jitsi": {
"preferredDomain": "jitsi.deuxfleurs.fr"
}
}

View file

@ -1,6 +0,0 @@
LDAP_URI = "ldap://bottin2.service.2.cluster.deuxfleurs.fr"
LDAP_BASE = "ou=users,dc=deuxfleurs,dc=fr"
LDAP_VERSION = 3
LDAP_BIND_DN = "{{ key "secrets/mariadb/main/ldap_binddn" | trimSpace }}"
LDAP_BIND_PW = "{{ key "secrets/mariadb/main/ldap_bindpwd" | trimSpace }}"
MYSQL_PASSWORD = "{{ key "secrets/mariadb/main/mysql_pwd" | trimSpace }}"

View file

@ -1,49 +0,0 @@
<?php
$CONFIG = array (
'appstoreenabled' => false,
'instanceid' => '{{ key "secrets/nextcloud/instance_id" | trimSpace }}',
'passwordsalt' => '{{ key "secrets/nextcloud/password_salt" | trimSpace }}',
'secret' => '{{ key "secrets/nextcloud/secret" | trimSpace }}',
'trusted_domains' => array (
0 => 'nextcloud.deuxfleurs.fr',
),
'memcache.local' => '\\OC\\Memcache\\APCu',
'objectstore' => array(
'class' => '\\OC\\Files\\ObjectStore\\S3',
'arguments' => array(
'bucket' => 'nextcloud',
'autocreate' => false,
'key' => '{{ key "secrets/nextcloud/garage_access_key" | trimSpace }}',
'secret' => '{{ key "secrets/nextcloud/garage_secret_key" | trimSpace }}',
'hostname' => 'garage.deuxfleurs.fr',
'port' => 443,
'use_ssl' => true,
'region' => 'garage',
// required for some non Amazon S3 implementations
'use_path_style' => true
),
),
'dbtype' => 'pgsql',
'dbhost' => 'psql-proxy.service.2.cluster.deuxfleurs.fr',
'dbname' => 'nextcloud',
'dbtableprefix' => 'nc_',
'dbuser' => '{{ key "secrets/nextcloud/db_user" | trimSpace }}',
'dbpassword' => '{{ key "secrets/nextcloud/db_pass" | trimSpace }}',
'default_language' => 'fr',
'default_locale' => 'fr_FR',
'mail_domain' => 'deuxfleurs.fr',
'mail_from_address' => 'nextcloud@deuxfleurs.fr',
// TODO SMTP CONFIG
// TODO REDIS CACHE
'version' => '19.0.0.12',
'overwrite.cli.url' => 'https://nextcloud.deuxfleurs.fr',
'installed' => true,
);

View file

@ -1 +0,0 @@
/mnt/seafile-data/

View file

@ -1,29 +0,0 @@
[General]
USER_NAME = deuxfleurs
ID = {{ key "secrets/seafile/ccnet/seafile_id" | trimSpace }}
NAME = deuxfleurs
SERVICE_URL = https://cloud.deuxfleurs.fr
[Network]
PORT = 10001
[Client]
PORT = 13418
[LDAP]
HOST = ldap://bottin2.service.2.cluster.deuxfleurs.fr/
BASE = ou=users,dc=deuxfleurs,dc=fr
USER_DN = {{ key "secrets/seafile/ccnet/ldap_binddn" | trimSpace }}
FILTER = memberOf=CN=seafile,OU=groups,DC=deuxfleurs,DC=fr
PASSWORD = {{ key "secrets/seafile/ccnet/ldap_bindpwd" | trimSpace }}
LOGIN_ATTR = mail
[Database]
ENGINE = mysql
HOST = mariadb.service.2.cluster.deuxfleurs.fr
PORT = 3306
USER = seafile
PASSWD = {{ key "secrets/seafile/ccnet/mysql_pwd" | trimSpace }}
DB = ccnet-db
CONNECTION_CHARSET = utf8

Some files were not shown because too many files have changed in this diff Show more