forked from Deuxfleurs/infrastructure
Compare commits
379 commits
feature/bi
...
main
Author | SHA1 | Date | |
---|---|---|---|
ab6db28ada | |||
46e29828b1 | |||
a6742bcf53 | |||
653e170fb2 | |||
b449e83870 | |||
b575b2b486 | |||
015c372532 | |||
ec597541c8 | |||
ed82071223 | |||
18610f9a9a | |||
11a2ffa89d | |||
ae91f66fac | |||
145f3a8499 | |||
638f775742 | |||
38a0feffe0 | |||
1e003461bd | |||
2e872eb87f | |||
ef265b87de | |||
64172fc999 | |||
ceae80d87c | |||
0e81c9f23b | |||
39e3ecce64 | |||
51482e16e4 | |||
6c31560c7b | |||
72b41408ef | |||
7dd2aeb63b | |||
a17640d606 | |||
241dd1e175 | |||
d712c08dbc | |||
415075b010 | |||
2021b7d08c | |||
99a4f51166 | |||
653e45f192 | |||
f0ead6efed | |||
f27636dd14 | |||
d7164c7d90 | |||
5b861cd652 | |||
79d68c4aa3 | |||
4cb1dbe663 | |||
d21c010da1 | |||
60ad398c44 | |||
2695a79e8a | |||
1e9a538be9 | |||
c69923f104 | |||
d62f87fa71 | |||
501fbb5553 | |||
b2b26879cb | |||
83745f737a | |||
8cf1b0c3e4 | |||
9701b863fd | |||
1183583fdf | |||
1e5e4af35c | |||
ce36e7e09b | |||
68607d567c | |||
b5137f6665 | |||
3f73721ad5 | |||
0e6aa95754 | |||
306974a163 | |||
9883d85c2a | |||
a1c6c33d73 | |||
1322dae8da | |||
e7329a0202 | |||
b359601d2d | |||
8ce62ddca1 | |||
0b16fd1c08 | |||
41e1a31bb9 | |||
1410f2f8d8 | |||
f74651a0c3 | |||
5ecab67379 | |||
f3dbf47547 | |||
37bea48d45 | |||
89937f2107 | |||
2775eeb0fe | |||
715c3d3a9f | |||
84b26f347d | |||
3baa511fce | |||
00d7106a18 | |||
831ddd3055 | |||
a13a02c45c | |||
453b633268 | |||
a68a1e1da7 | |||
3563fb5994 | |||
7cede37e6d | |||
f229d58467 | |||
87986ff3cf | |||
85eb4d5b82 | |||
59ce079a52 | |||
582882286e | |||
fa75e0012c | |||
e9ba2243e7 | |||
3df786a5f5 | |||
50a09980c5 | |||
f73d8dab93 | |||
c00f0fefe7 | |||
2fc9276be2 | |||
c6819c8d4a | |||
d64fe28143 | |||
783894b60d | |||
854da5b984 | |||
8d178815d6 | |||
2d2e7bb5c6 | |||
ea55c9b12b | |||
3693d9f36b | |||
a4982c6cd6 | |||
7f08d5f324 | |||
2c2ee6c903 | |||
3297135a58 | |||
8846421cc4 | |||
fff6f1db20 | |||
ef2fa848f1 | |||
4cc6a0182c | |||
7113a3ae56 | |||
5df7058c84 | |||
9ce6c7ad6e | |||
0268f63f66 | |||
948a916c2f | |||
289359cedc | |||
627c89b545 | |||
e20b903bc0 | |||
489cc492d5 | |||
779aea8f11 | |||
76d160f9af | |||
f362d57965 | |||
2734f79c0d | |||
b8420756b4 | |||
6c90a00f04 | |||
7fc001a92f | |||
c51b654dd6 | |||
6093ec74f2 | |||
7ee2f8aa2c | |||
83bd5f2cdd | |||
6d4be5fb83 | |||
e8474d52a2 | |||
1f15cfa420 | |||
5b1f775513 | |||
39f1e983bf | |||
bebd6eaab6 | |||
88a7c04cee | |||
136d176176 | |||
2a0610658d | |||
6db8495bbf | |||
4ea2494bd5 | |||
acd46fde80 | |||
6716687fd7 | |||
a2a25e2ea4 | |||
e74bda617c | |||
2dfd006dc5 | |||
9c4f78619d | |||
8fe0a78b0c | |||
e66b1c2c54 | |||
d40c41004d | |||
09269e8497 | |||
e26f57c8eb | |||
d25f4d18aa | |||
b8470be123 | |||
9d5b490fd9 | |||
9304997d84 | |||
2f37aaaf76 | |||
69f063e406 | |||
8302595f65 | |||
4fdc4a5144 | |||
2b39a896a7 | |||
e97496e09d | |||
2670c8f8f1 | |||
0a6ffcacd2 | |||
2d61f1449d | |||
80c2f1f701 | |||
e640f82eb8 | |||
455e4db784 | |||
576ac2772e | |||
1277d94bec | |||
b9f0f012bd | |||
4b68522721 | |||
3c8cd4ca1c | |||
784efbcc9b | |||
2d30e1a9c7 | |||
42c020e00b | |||
7e82b0d94d | |||
efcdef7856 | |||
62fa15390b | |||
a26d41259a | |||
73d30b9aa5 | |||
8c213bc7ba | |||
1edc5f37a2 | |||
4f506422e3 | |||
3bb2cf9e93 | |||
1f15d29eab | |||
6754cfef81 | |||
3df53eaa94 | |||
51b5295ba8 | |||
925639b678 | |||
68575d2654 | |||
338a8ec7da | |||
3135c38505 | |||
87303033d1 | |||
9dfff86cd2 | |||
b851ca0c95 | |||
fae36c7ef6 | |||
4ecda8cc8d | |||
2ef1a9df5d | |||
1df83c6064 | |||
0b4c61dfe1 | |||
e979434970 | |||
474c4575f4 | |||
5126868e30 | |||
4ad6376aa8 | |||
e197429531 | |||
|
d67a6c363a | ||
573a86b87c | |||
c586633613 | |||
e806e24fea | |||
a84f4c8f87 | |||
b42e42faaa | |||
d6bdfbed5f | |||
255e3fd2d7 | |||
eb3f64df41 | |||
35ddbd9f20 | |||
4f296808e8 | |||
4d7470b2fd | |||
b608567648 | |||
a69efd9b31 | |||
96f2978a7f | |||
224c0a23a3 | |||
c0d86cb0a1 | |||
d1a4ed0f79 | |||
27963ca089 | |||
1c5b1f2e5b | |||
fada3f6ed1 | |||
987cefeba0 | |||
71971143c4 | |||
89133ddbea | |||
59623243c8 | |||
2958fbae1b | |||
c2d3c543b9 | |||
9c2232cebc | |||
9c060b3c28 | |||
b6b812c011 | |||
5fb05f0b7e | |||
5babe6fad1 | |||
34c5544ef5 | |||
847540f7b7 | |||
9337129336 | |||
088c9df20c | |||
0a87d26e47 | |||
cb69a1123c | |||
c2960f75b7 | |||
56cf9c1e55 | |||
a3f62d1f30 | |||
09e1e641a7 | |||
9ea066d6df | |||
59ca97e2a9 | |||
83d8668a59 | |||
952d7c0510 | |||
7bdea77811 | |||
cee95ad061 | |||
|
24dcc09695 | ||
|
d286da23d8 | ||
|
9a263b762b | ||
|
8f0cb24246 | ||
982efd1b49 | |||
5b53cf1673 | |||
47bcdaaf0d | |||
0e848bb2d0 | |||
4809e27220 | |||
7b57ff72a9 | |||
ebb772e5ba | |||
07765e8456 | |||
6adb551db4 | |||
3e7dc8b49d | |||
031f31e91e | |||
5dfca7a713 | |||
bd9c854a12 | |||
d3a3867180 | |||
b879be2156 | |||
46dce5d917 | |||
6b91db048d | |||
8eaa7914d0 | |||
2a0e9720b7 | |||
2e25e150d4 | |||
a2eec38de4 | |||
1c814f002a | |||
9560f80852 | |||
a847a9683f | |||
|
6e1940061a | ||
af2b8b06ba | |||
|
98280c8628 | ||
|
2a346f5430 | ||
|
65421d947e | ||
eb925049ac | |||
0be20b22a6 | |||
7e637a070c | |||
2c2efdc276 | |||
6c8c861dd5 | |||
ad6017eea0 | |||
c642370def | |||
cffd902815 | |||
79b7273ff2 | |||
850ccbf1c7 | |||
d4d0b100ad | |||
c74dc92feb | |||
0c4ee40e01 | |||
a6b23f5713 | |||
52c141e5fc | |||
464b990e19 | |||
969ee58b7d | |||
4456fb56c1 | |||
ba3d84a1de | |||
|
a5a56b6f70 | ||
7508a10a71 | |||
c4c4d6f8a6 | |||
fc518df1c1 | |||
a2f8e11d06 | |||
48db0185a4 | |||
4f23adfbb9 | |||
1624b348df | |||
8625a9af75 | |||
f75497af11 | |||
6913655316 | |||
80dc6ec803 | |||
9117616f02 | |||
b29028405d | |||
9f6f0fb53c | |||
a2adaa2101 | |||
bb5a82b056 | |||
e628dc44ba | |||
846449b238 | |||
b6ccf06d8a | |||
685bc45802 | |||
55f93cc5ad | |||
41e33f40ad | |||
|
94ee5d3e5c | ||
|
91ffdc732c | ||
3ff113ceab | |||
|
bcb3964417 | ||
|
ad064dddbc | ||
|
2b3df5b6ee | ||
9c947a458f | |||
e370380a3f | |||
d1332a2d42 | |||
6402119511 | |||
365849760d | |||
de3e21101d | |||
|
da1d381068 | ||
|
fd38cbf744 | ||
d241948034 | |||
e2bb0e1b4e | |||
cfab2346cf | |||
f544c202be | |||
804078b3f4 | |||
9f41d95dcf | |||
33f769c747 | |||
c19cadf353 | |||
1bb9c7ce19 | |||
f931dd939c | |||
e2a0c40e6b | |||
2051a21662 | |||
f14777e1b6 | |||
7e111783fe | |||
e1f171e19c | |||
9981ea0286 | |||
0191926455 | |||
2452e87509 | |||
bf58bd2a2c | |||
ed3ed5e2e4 | |||
c32bd6df1d | |||
03680a992b | |||
aba3ba723c | |||
f9013d9ca5 | |||
9fef7ae777 | |||
e74737e6e3 | |||
1f53e2061e | |||
d8d0d74920 | |||
2ef6ab1881 | |||
f4a88fa565 | |||
2557793cee | |||
bf9a9128b8 | |||
5902805ac9 | |||
e465d65a27 | |||
3b75213d40 |
356 changed files with 7144 additions and 4030 deletions
3
.gitmodules
vendored
3
.gitmodules
vendored
|
@ -1,6 +1,3 @@
|
||||||
[submodule "docker/static/goStatic"]
|
[submodule "docker/static/goStatic"]
|
||||||
path = app/build/static/goStatic
|
path = app/build/static/goStatic
|
||||||
url = https://github.com/PierreZ/goStatic
|
url = https://github.com/PierreZ/goStatic
|
||||||
[submodule "docker/blog/quentin.dufour.io"]
|
|
||||||
path = docker/blog-quentin/quentin.dufour.io
|
|
||||||
url = git@gitlab.com:superboum/quentin.dufour.io.git
|
|
||||||
|
|
75
README.md
75
README.md
|
@ -1,27 +1,8 @@
|
||||||
deuxfleurs.fr
|
deuxfleurs.fr
|
||||||
=============
|
=============
|
||||||
|
|
||||||
*Many things are still missing here, including a proper documentation. Please stay nice, it is a volunter project. Feel free to open pull/merge requests to improve it. Thanks.*
|
**OBSOLETION NOTICE:** We are progressively migrating our stack to NixOS, to replace Ansible. Most of the files present in this repository are outdated or obsolete,
|
||||||
|
the current code for our infrastructure is at: <https://git.deuxfleurs.fr/Deuxfleurs/nixcfg>.
|
||||||
## Our abstraction stack
|
|
||||||
|
|
||||||
We try to build a generic abstraction stack between our different resources (CPU, RAM, disk, etc.) and our services (Chat, Storage, etc.):
|
|
||||||
|
|
||||||
* ansible (physical node conf)
|
|
||||||
* nomad (schedule containers)
|
|
||||||
* consul (distributed key value store / lock / service discovery)
|
|
||||||
* garage/glusterfs (file storage)
|
|
||||||
* stolon + postgresql (distributed relational database)
|
|
||||||
* docker (container tool)
|
|
||||||
* bottin (LDAP server, auth)
|
|
||||||
|
|
||||||
Some services we provide:
|
|
||||||
|
|
||||||
* Chat (Matrix/Riot)
|
|
||||||
* Email (Postfix/Dovecot/Sogo)
|
|
||||||
* Storage (Seafile)
|
|
||||||
|
|
||||||
As a generic abstraction is provided, deploying new services should be easy.
|
|
||||||
|
|
||||||
## I am lost, how this repo works?
|
## I am lost, how this repo works?
|
||||||
|
|
||||||
|
@ -38,55 +19,3 @@ To ease the development, we make the choice of a fully integrated environment
|
||||||
3. `op_guide`: Guides to explain you operations you can do cluster wide (like configuring postgres)
|
3. `op_guide`: Guides to explain you operations you can do cluster wide (like configuring postgres)
|
||||||
|
|
||||||
|
|
||||||
## Start hacking
|
|
||||||
|
|
||||||
### Clone the repository
|
|
||||||
|
|
||||||
```
|
|
||||||
git clone https://gitlab.com/superboum/deuxfleurs.fr.git
|
|
||||||
git submodule init
|
|
||||||
git submodule update
|
|
||||||
```
|
|
||||||
|
|
||||||
### Deploying/Updating new services is done from your machine
|
|
||||||
|
|
||||||
*The following instructions are provided for ops that already have access to the servers.*
|
|
||||||
|
|
||||||
Deploy Nomad on your machine:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
export NOMAD_VER=0.9.1
|
|
||||||
wget https://releases.hashicorp.com/nomad/${NOMAD_VER}/nomad_${NOMAD_VER}_linux_amd64.zip
|
|
||||||
unzip nomad_${NOMAD_VER}_linux_amd64.zip
|
|
||||||
sudo mv nomad /usr/local/bin
|
|
||||||
rm nomad_${NOMAD_VER}_linux_amd64.zip
|
|
||||||
```
|
|
||||||
|
|
||||||
Deploy Consul on your machine:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
export CONSUL_VER=1.5.1
|
|
||||||
wget https://releases.hashicorp.com/consul/${CONSUL_VER}/consul_${CONSUL_VER}_linux_amd64.zip
|
|
||||||
unzip consul_${CONSUL_VER}_linux_amd64.zip
|
|
||||||
sudo mv consul /usr/local/bin
|
|
||||||
rm consul_${CONSUL_VER}_linux_amd64.zip
|
|
||||||
```
|
|
||||||
|
|
||||||
Create an alias (and put it in your `.bashrc`) to bind APIs on your machine:
|
|
||||||
|
|
||||||
```
|
|
||||||
alias bind_df="ssh \
|
|
||||||
-p110 \
|
|
||||||
-N \
|
|
||||||
-L 4646:127.0.0.1:4646 \
|
|
||||||
-L 8500:127.0.0.1:8500 \
|
|
||||||
-L 8082:traefik.service.2.cluster.deuxfleurs.fr:8082 \
|
|
||||||
-L 5432:psql-proxy.service.2.cluster.deuxfleurs.fr:5432 \
|
|
||||||
<a server from the cluster>"
|
|
||||||
```
|
|
||||||
|
|
||||||
and run:
|
|
||||||
|
|
||||||
```
|
|
||||||
bind_df
|
|
||||||
```
|
|
||||||
|
|
2
app/.gitignore
vendored
Normal file
2
app/.gitignore
vendored
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
env/
|
||||||
|
__pycache__
|
66
app/README.md
Normal file
66
app/README.md
Normal file
|
@ -0,0 +1,66 @@
|
||||||
|
# Folder hierarchy
|
||||||
|
|
||||||
|
- `<module>/build/<image_name>/`: folders with dockerfiles and other necessary resources for building container images
|
||||||
|
- `<module>/config/`: folder containing configuration files, referenced by deployment file
|
||||||
|
- `<module>/secrets/`: folder containing secrets, which can be synchronized with Consul using `secretmgr.py`
|
||||||
|
- `<module>/deploy/`: folder containing the HCL file(s) necessary for deploying the module
|
||||||
|
- `<module>/integration/`: folder containing files for integration testing using docker-compose
|
||||||
|
|
||||||
|
# Secret Manager `secretmgr.py`
|
||||||
|
|
||||||
|
The Secret Manager ensures that all secrets are present where they should in the cluster.
|
||||||
|
|
||||||
|
**You need access to the cluster** (SSH port forwarding) for it to find any secret on the cluster. Refer to the previous directory's [README](../README.md), at the bottom of the file.
|
||||||
|
|
||||||
|
## How to install `secretmgr.py` dependencies
|
||||||
|
|
||||||
|
```bash
|
||||||
|
### Install system dependencies first:
|
||||||
|
## On fedora
|
||||||
|
|
||||||
|
dnf install -y openldap-devel cyrus-sasl-devel
|
||||||
|
## On ubuntu
|
||||||
|
apt-get install -y libldap2-dev libsasl2-dev
|
||||||
|
|
||||||
|
### Now install the Python dependencies from requirements.txt:
|
||||||
|
|
||||||
|
## Either using a virtual environment
|
||||||
|
# (requires virtualenv python module)
|
||||||
|
python3 -m virtualenv env
|
||||||
|
# Must be done everytime you create a new terminal window in this folder:
|
||||||
|
. env/bin/activate
|
||||||
|
# Install the deps
|
||||||
|
pip install -r requirements.txt
|
||||||
|
|
||||||
|
## Either by installing the dependencies for your system user:
|
||||||
|
pip3 install --user -r requirements.txt
|
||||||
|
```
|
||||||
|
|
||||||
|
## How to use `secretmgr.py`
|
||||||
|
|
||||||
|
Check that all secrets are correctly deployed for app `dummy`:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
./secretmgr.py check dummy
|
||||||
|
```
|
||||||
|
|
||||||
|
Generate secrets for app `dummy` if they don't already exist:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
./secretmgr.py gen dummy
|
||||||
|
```
|
||||||
|
|
||||||
|
Rotate secrets for app `dummy`, overwriting existing ones (be careful, this is dangerous!):
|
||||||
|
|
||||||
|
```bash
|
||||||
|
./secretmgr.py regen dummy
|
||||||
|
```
|
||||||
|
|
||||||
|
# Upgrading one of our packaged apps to a new version
|
||||||
|
|
||||||
|
1. Edit `docker-compose.yml`
|
||||||
|
2. Change the `VERSION` variable to the desired version
|
||||||
|
3. Increment the docker image tag by 1 (eg: superboum/riot:v13 -> superboum/riot:v14)
|
||||||
|
4. Run `docker-compose build`
|
||||||
|
5. Run `docker-compose push`
|
||||||
|
6. Done
|
28
app/backup/build/backup-consul/Dockerfile
Normal file
28
app/backup/build/backup-consul/Dockerfile
Normal file
|
@ -0,0 +1,28 @@
|
||||||
|
FROM golang:buster as builder
|
||||||
|
|
||||||
|
WORKDIR /root
|
||||||
|
RUN git clone https://filippo.io/age && cd age/cmd/age && go build -o age .
|
||||||
|
|
||||||
|
FROM amd64/debian:buster
|
||||||
|
|
||||||
|
COPY --from=builder /root/age/cmd/age/age /usr/local/bin/age
|
||||||
|
|
||||||
|
RUN apt-get update && \
|
||||||
|
apt-get -qq -y full-upgrade && \
|
||||||
|
apt-get install -y rsync wget openssh-client unzip && \
|
||||||
|
apt-get clean && \
|
||||||
|
rm -f /var/lib/apt/lists/*_*
|
||||||
|
|
||||||
|
RUN mkdir -p /root/.ssh
|
||||||
|
WORKDIR /root
|
||||||
|
|
||||||
|
RUN wget https://releases.hashicorp.com/consul/1.8.5/consul_1.8.5_linux_amd64.zip && \
|
||||||
|
unzip consul_1.8.5_linux_amd64.zip && \
|
||||||
|
chmod +x consul && \
|
||||||
|
mv consul /usr/local/bin && \
|
||||||
|
rm consul_1.8.5_linux_amd64.zip
|
||||||
|
|
||||||
|
COPY do_backup.sh /root/do_backup.sh
|
||||||
|
|
||||||
|
CMD "/root/do_backup.sh"
|
||||||
|
|
20
app/backup/build/backup-consul/do_backup.sh
Executable file
20
app/backup/build/backup-consul/do_backup.sh
Executable file
|
@ -0,0 +1,20 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
set -x -e
|
||||||
|
|
||||||
|
cd /root
|
||||||
|
|
||||||
|
chmod 0600 .ssh/id_ed25519
|
||||||
|
|
||||||
|
cat > .ssh/config <<EOF
|
||||||
|
Host backuphost
|
||||||
|
HostName $TARGET_SSH_HOST
|
||||||
|
Port $TARGET_SSH_PORT
|
||||||
|
User $TARGET_SSH_USER
|
||||||
|
EOF
|
||||||
|
|
||||||
|
consul kv export | \
|
||||||
|
gzip | \
|
||||||
|
age -r "$(cat /root/.ssh/id_ed25519.pub)" | \
|
||||||
|
ssh backuphost "cat > $TARGET_SSH_DIR/consul/$(date --iso-8601=minute)_consul_kv_export.gz.age"
|
||||||
|
|
1
app/backup/build/backup-psql/.gitignore
vendored
Normal file
1
app/backup/build/backup-psql/.gitignore
vendored
Normal file
|
@ -0,0 +1 @@
|
||||||
|
result
|
8
app/backup/build/backup-psql/README.md
Normal file
8
app/backup/build/backup-psql/README.md
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
## Build
|
||||||
|
|
||||||
|
```bash
|
||||||
|
docker load < $(nix-build docker.nix)
|
||||||
|
docker push superboum/backup-psql:???
|
||||||
|
```
|
||||||
|
|
||||||
|
|
106
app/backup/build/backup-psql/backup-psql.py
Executable file
106
app/backup/build/backup-psql/backup-psql.py
Executable file
|
@ -0,0 +1,106 @@
|
||||||
|
#!/usr/bin/env python3
|
||||||
|
import shutil,sys,os,datetime,minio,subprocess
|
||||||
|
|
||||||
|
working_directory = "."
|
||||||
|
if 'CACHE_DIR' in os.environ: working_directory = os.environ['CACHE_DIR']
|
||||||
|
required_space_in_bytes = 20 * 1024 * 1024 * 1024
|
||||||
|
bucket = os.environ['AWS_BUCKET']
|
||||||
|
key = os.environ['AWS_ACCESS_KEY_ID']
|
||||||
|
secret = os.environ['AWS_SECRET_ACCESS_KEY']
|
||||||
|
endpoint = os.environ['AWS_ENDPOINT']
|
||||||
|
pubkey = os.environ['CRYPT_PUBLIC_KEY']
|
||||||
|
psql_host = os.environ['PSQL_HOST']
|
||||||
|
psql_user = os.environ['PSQL_USER']
|
||||||
|
s3_prefix = str(datetime.datetime.now())
|
||||||
|
files = [ "backup_manifest", "base.tar.gz", "pg_wal.tar.gz" ]
|
||||||
|
clear_paths = [ os.path.join(working_directory, f) for f in files ]
|
||||||
|
crypt_paths = [ os.path.join(working_directory, f) + ".age" for f in files ]
|
||||||
|
s3_keys = [ s3_prefix + "/" + f for f in files ]
|
||||||
|
|
||||||
|
def abort(msg):
|
||||||
|
for p in clear_paths + crypt_paths:
|
||||||
|
if os.path.exists(p):
|
||||||
|
print(f"Remove {p}")
|
||||||
|
os.remove(p)
|
||||||
|
|
||||||
|
if msg: sys.exit(msg)
|
||||||
|
else: print("success")
|
||||||
|
|
||||||
|
# Check we have enough space on disk
|
||||||
|
if shutil.disk_usage(working_directory).free < required_space_in_bytes:
|
||||||
|
abort(f"Not enough space on disk at path {working_directory} to perform a backup, aborting")
|
||||||
|
|
||||||
|
# Check postgres password is set
|
||||||
|
if 'PGPASSWORD' not in os.environ:
|
||||||
|
abort(f"You must pass postgres' password through the environment variable PGPASSWORD")
|
||||||
|
|
||||||
|
# Check our working directory is empty
|
||||||
|
if len(os.listdir(working_directory)) != 0:
|
||||||
|
abort(f"Working directory {working_directory} is not empty, aborting")
|
||||||
|
|
||||||
|
# Check Minio
|
||||||
|
client = minio.Minio(endpoint, key, secret)
|
||||||
|
if not client.bucket_exists(bucket):
|
||||||
|
abort(f"Bucket {bucket} does not exist or its access is forbidden, aborting")
|
||||||
|
|
||||||
|
# Perform the backup locally
|
||||||
|
try:
|
||||||
|
ret = subprocess.run(["pg_basebackup",
|
||||||
|
f"--host={psql_host}",
|
||||||
|
f"--username={psql_user}",
|
||||||
|
f"--pgdata={working_directory}",
|
||||||
|
f"--format=tar",
|
||||||
|
"--wal-method=stream",
|
||||||
|
"--gzip",
|
||||||
|
"--compress=6",
|
||||||
|
"--progress",
|
||||||
|
"--max-rate=5M",
|
||||||
|
])
|
||||||
|
if ret.returncode != 0:
|
||||||
|
abort(f"pg_basebackup exited, expected return code 0, got {ret.returncode}. aborting")
|
||||||
|
except Exception as e:
|
||||||
|
abort(f"pg_basebackup raised exception {e}. aborting")
|
||||||
|
|
||||||
|
# Check that the expected files are here
|
||||||
|
for p in clear_paths:
|
||||||
|
print(f"Checking that {p} exists locally")
|
||||||
|
if not os.path.exists(p):
|
||||||
|
abort(f"File {p} expected but not found, aborting")
|
||||||
|
|
||||||
|
# Cipher them
|
||||||
|
for c, e in zip(clear_paths, crypt_paths):
|
||||||
|
print(f"Ciphering {c} to {e}")
|
||||||
|
try:
|
||||||
|
ret = subprocess.run(["age", "-r", pubkey, "-o", e, c])
|
||||||
|
if ret.returncode != 0:
|
||||||
|
abort(f"age exit code is {ret}, 0 expected. aborting")
|
||||||
|
except Exception as e:
|
||||||
|
abort(f"aged raised an exception. {e}. aborting")
|
||||||
|
|
||||||
|
# Upload the backup to S3
|
||||||
|
for p, k in zip(crypt_paths, s3_keys):
|
||||||
|
try:
|
||||||
|
print(f"Uploading {p} to {k}")
|
||||||
|
result = client.fput_object(bucket, k, p)
|
||||||
|
print(
|
||||||
|
"created {0} object; etag: {1}, version-id: {2}".format(
|
||||||
|
result.object_name, result.etag, result.version_id,
|
||||||
|
),
|
||||||
|
)
|
||||||
|
except Exception as e:
|
||||||
|
abort(f"Exception {e} occured while upload {p}. aborting")
|
||||||
|
|
||||||
|
# Check that the files have been uploaded
|
||||||
|
for k in s3_keys:
|
||||||
|
try:
|
||||||
|
print(f"Checking that {k} exists remotely")
|
||||||
|
result = client.stat_object(bucket, k)
|
||||||
|
print(
|
||||||
|
"last-modified: {0}, size: {1}".format(
|
||||||
|
result.last_modified, result.size,
|
||||||
|
),
|
||||||
|
)
|
||||||
|
except Exception as e:
|
||||||
|
abort(f"{k} not found on S3. {e}. aborting")
|
||||||
|
|
||||||
|
abort(None)
|
8
app/backup/build/backup-psql/common.nix
Normal file
8
app/backup/build/backup-psql/common.nix
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
{
|
||||||
|
pkgsSrc = fetchTarball {
|
||||||
|
# Latest commit on https://github.com/NixOS/nixpkgs/tree/nixos-21.11
|
||||||
|
# As of 2022-04-15
|
||||||
|
url ="https://github.com/NixOS/nixpkgs/archive/2f06b87f64bc06229e05045853e0876666e1b023.tar.gz";
|
||||||
|
sha256 = "sha256:1d7zg96xw4qsqh7c89pgha9wkq3rbi9as3k3d88jlxy2z0ns0cy2";
|
||||||
|
};
|
||||||
|
}
|
37
app/backup/build/backup-psql/default.nix
Normal file
37
app/backup/build/backup-psql/default.nix
Normal file
|
@ -0,0 +1,37 @@
|
||||||
|
let
|
||||||
|
common = import ./common.nix;
|
||||||
|
pkgs = import common.pkgsSrc {};
|
||||||
|
python-with-my-packages = pkgs.python3.withPackages (p: with p; [
|
||||||
|
minio
|
||||||
|
]);
|
||||||
|
in
|
||||||
|
pkgs.stdenv.mkDerivation {
|
||||||
|
name = "backup-psql";
|
||||||
|
src = pkgs.lib.sourceFilesBySuffices ./. [ ".py" ];
|
||||||
|
|
||||||
|
buildInputs = [
|
||||||
|
python-with-my-packages
|
||||||
|
pkgs.age
|
||||||
|
pkgs.postgresql_14
|
||||||
|
];
|
||||||
|
|
||||||
|
buildPhase = ''
|
||||||
|
cat > backup-psql <<EOF
|
||||||
|
#!${pkgs.bash}/bin/bash
|
||||||
|
|
||||||
|
export PYTHONPATH=${python-with-my-packages}/${python-with-my-packages.sitePackages}
|
||||||
|
export PATH=${python-with-my-packages}/bin:${pkgs.age}/bin:${pkgs.postgresql_14}/bin
|
||||||
|
|
||||||
|
${python-with-my-packages}/bin/python3 $out/lib/backup-psql.py
|
||||||
|
EOF
|
||||||
|
|
||||||
|
chmod +x backup-psql
|
||||||
|
'';
|
||||||
|
|
||||||
|
installPhase = ''
|
||||||
|
mkdir -p $out/{bin,lib}
|
||||||
|
cp *.py $out/lib/backup-psql.py
|
||||||
|
cp backup-psql $out/bin/backup-psql
|
||||||
|
'';
|
||||||
|
}
|
||||||
|
|
11
app/backup/build/backup-psql/docker.nix
Normal file
11
app/backup/build/backup-psql/docker.nix
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
let
|
||||||
|
common = import ./common.nix;
|
||||||
|
app = import ./default.nix;
|
||||||
|
pkgs = import common.pkgsSrc {};
|
||||||
|
in
|
||||||
|
pkgs.dockerTools.buildImage {
|
||||||
|
name = "superboum/backup-psql-docker";
|
||||||
|
config = {
|
||||||
|
Cmd = [ "${app}/bin/backup-psql" ];
|
||||||
|
};
|
||||||
|
}
|
171
app/backup/deploy/backup-daily.hcl
Normal file
171
app/backup/deploy/backup-daily.hcl
Normal file
|
@ -0,0 +1,171 @@
|
||||||
|
job "backup_daily" {
|
||||||
|
datacenters = ["dc1"]
|
||||||
|
type = "batch"
|
||||||
|
|
||||||
|
priority = "60"
|
||||||
|
|
||||||
|
periodic {
|
||||||
|
cron = "@daily"
|
||||||
|
// Do not allow overlapping runs.
|
||||||
|
prohibit_overlap = true
|
||||||
|
}
|
||||||
|
|
||||||
|
group "backup-dovecot" {
|
||||||
|
constraint {
|
||||||
|
attribute = "${attr.unique.hostname}"
|
||||||
|
operator = "="
|
||||||
|
value = "digitale"
|
||||||
|
}
|
||||||
|
|
||||||
|
task "main" {
|
||||||
|
driver = "docker"
|
||||||
|
|
||||||
|
config {
|
||||||
|
image = "restic/restic:0.12.1"
|
||||||
|
entrypoint = [ "/bin/sh", "-c" ]
|
||||||
|
args = [ "restic backup /mail && restic forget --keep-within 1m1d --keep-within-weekly 3m --keep-within-monthly 1y && restic prune --max-unused 50% --max-repack-size 2G && restic check" ]
|
||||||
|
volumes = [
|
||||||
|
"/mnt/ssd/mail:/mail"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
|
template {
|
||||||
|
data = <<EOH
|
||||||
|
AWS_ACCESS_KEY_ID={{ key "secrets/email/dovecot/backup_aws_access_key_id" }}
|
||||||
|
AWS_SECRET_ACCESS_KEY={{ key "secrets/email/dovecot/backup_aws_secret_access_key" }}
|
||||||
|
RESTIC_REPOSITORY={{ key "secrets/email/dovecot/backup_restic_repository" }}
|
||||||
|
RESTIC_PASSWORD={{ key "secrets/email/dovecot/backup_restic_password" }}
|
||||||
|
EOH
|
||||||
|
|
||||||
|
destination = "secrets/env_vars"
|
||||||
|
env = true
|
||||||
|
}
|
||||||
|
|
||||||
|
resources {
|
||||||
|
cpu = 500
|
||||||
|
memory = 200
|
||||||
|
}
|
||||||
|
|
||||||
|
restart {
|
||||||
|
attempts = 2
|
||||||
|
interval = "30m"
|
||||||
|
delay = "15s"
|
||||||
|
mode = "fail"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
group "backup-plume" {
|
||||||
|
constraint {
|
||||||
|
attribute = "${attr.unique.hostname}"
|
||||||
|
operator = "="
|
||||||
|
value = "digitale"
|
||||||
|
}
|
||||||
|
|
||||||
|
task "main" {
|
||||||
|
driver = "docker"
|
||||||
|
|
||||||
|
config {
|
||||||
|
image = "restic/restic:0.12.1"
|
||||||
|
entrypoint = [ "/bin/sh", "-c" ]
|
||||||
|
args = [ "restic backup /plume && restic forget --keep-within 1m1d --keep-within-weekly 3m --keep-within-monthly 1y && restic prune --max-unused 50% --max-repack-size 2G && restic check" ]
|
||||||
|
volumes = [
|
||||||
|
"/mnt/ssd/plume/media:/plume"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
|
template {
|
||||||
|
data = <<EOH
|
||||||
|
AWS_ACCESS_KEY_ID={{ key "secrets/plume/backup_aws_access_key_id" }}
|
||||||
|
AWS_SECRET_ACCESS_KEY={{ key "secrets/plume/backup_aws_secret_access_key" }}
|
||||||
|
RESTIC_REPOSITORY={{ key "secrets/plume/backup_restic_repository" }}
|
||||||
|
RESTIC_PASSWORD={{ key "secrets/plume/backup_restic_password" }}
|
||||||
|
EOH
|
||||||
|
|
||||||
|
destination = "secrets/env_vars"
|
||||||
|
env = true
|
||||||
|
}
|
||||||
|
|
||||||
|
resources {
|
||||||
|
cpu = 500
|
||||||
|
memory = 200
|
||||||
|
}
|
||||||
|
|
||||||
|
restart {
|
||||||
|
attempts = 2
|
||||||
|
interval = "30m"
|
||||||
|
delay = "15s"
|
||||||
|
mode = "fail"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
group "backup-consul" {
|
||||||
|
task "consul-kv-export" {
|
||||||
|
driver = "docker"
|
||||||
|
|
||||||
|
lifecycle {
|
||||||
|
hook = "prestart"
|
||||||
|
sidecar = false
|
||||||
|
}
|
||||||
|
|
||||||
|
config {
|
||||||
|
image = "consul:1.11.2"
|
||||||
|
network_mode = "host"
|
||||||
|
entrypoint = [ "/bin/sh", "-c" ]
|
||||||
|
args = [ "/bin/consul kv export > $NOMAD_ALLOC_DIR/consul.json" ]
|
||||||
|
}
|
||||||
|
|
||||||
|
env {
|
||||||
|
CONSUL_HTTP_ADDR = "http://consul.service.2.cluster.deuxfleurs.fr:8500"
|
||||||
|
}
|
||||||
|
|
||||||
|
resources {
|
||||||
|
cpu = 200
|
||||||
|
memory = 200
|
||||||
|
}
|
||||||
|
|
||||||
|
restart {
|
||||||
|
attempts = 2
|
||||||
|
interval = "30m"
|
||||||
|
delay = "15s"
|
||||||
|
mode = "fail"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
task "restic-backup" {
|
||||||
|
driver = "docker"
|
||||||
|
|
||||||
|
config {
|
||||||
|
image = "restic/restic:0.12.1"
|
||||||
|
entrypoint = [ "/bin/sh", "-c" ]
|
||||||
|
args = [ "restic backup $NOMAD_ALLOC_DIR/consul.json && restic forget --keep-within 1m1d --keep-within-weekly 3m --keep-within-monthly 1y && restic prune --max-unused 50% --max-repack-size 2G && restic check" ]
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
template {
|
||||||
|
data = <<EOH
|
||||||
|
AWS_ACCESS_KEY_ID={{ key "secrets/backup/consul/backup_aws_access_key_id" }}
|
||||||
|
AWS_SECRET_ACCESS_KEY={{ key "secrets/backup/consul/backup_aws_secret_access_key" }}
|
||||||
|
RESTIC_REPOSITORY={{ key "secrets/backup/consul/backup_restic_repository" }}
|
||||||
|
RESTIC_PASSWORD={{ key "secrets/backup/consul/backup_restic_password" }}
|
||||||
|
EOH
|
||||||
|
|
||||||
|
destination = "secrets/env_vars"
|
||||||
|
env = true
|
||||||
|
}
|
||||||
|
|
||||||
|
resources {
|
||||||
|
cpu = 200
|
||||||
|
memory = 200
|
||||||
|
}
|
||||||
|
|
||||||
|
restart {
|
||||||
|
attempts = 2
|
||||||
|
interval = "30m"
|
||||||
|
delay = "15s"
|
||||||
|
mode = "fail"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
55
app/backup/deploy/backup-weekly.hcl
Normal file
55
app/backup/deploy/backup-weekly.hcl
Normal file
|
@ -0,0 +1,55 @@
|
||||||
|
job "backup_weekly" {
|
||||||
|
datacenters = ["dc1"]
|
||||||
|
type = "batch"
|
||||||
|
|
||||||
|
priority = "60"
|
||||||
|
|
||||||
|
periodic {
|
||||||
|
cron = "@weekly"
|
||||||
|
// Do not allow overlapping runs.
|
||||||
|
prohibit_overlap = true
|
||||||
|
}
|
||||||
|
|
||||||
|
group "backup-psql" {
|
||||||
|
task "main" {
|
||||||
|
driver = "docker"
|
||||||
|
|
||||||
|
config {
|
||||||
|
image = "superboum/backup-psql-docker:gyr3aqgmhs0hxj0j9hkrdmm1m07i8za2"
|
||||||
|
volumes = [
|
||||||
|
// Mount a cache on the hard disk to avoid filling the SSD
|
||||||
|
"/mnt/storage/tmp_bckp_psql:/mnt/cache"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
|
template {
|
||||||
|
data = <<EOH
|
||||||
|
CACHE_DIR=/mnt/cache
|
||||||
|
AWS_BUCKET=backups-pgbasebackup
|
||||||
|
AWS_ENDPOINT=s3.deuxfleurs.shirokumo.net
|
||||||
|
AWS_ACCESS_KEY_ID={{ key "secrets/backup/psql/aws_access_key_id" }}
|
||||||
|
AWS_SECRET_ACCESS_KEY={{ key "secrets/backup/psql/aws_secret_access_key" }}
|
||||||
|
CRYPT_PUBLIC_KEY={{ key "secrets/backup/psql/crypt_public_key" }}
|
||||||
|
PSQL_HOST=psql-proxy.service.2.cluster.deuxfleurs.fr
|
||||||
|
PSQL_USER={{ key "secrets/postgres/keeper/pg_repl_username" }}
|
||||||
|
PGPASSWORD={{ key "secrets/postgres/keeper/pg_repl_pwd" }}
|
||||||
|
EOH
|
||||||
|
|
||||||
|
destination = "secrets/env_vars"
|
||||||
|
env = true
|
||||||
|
}
|
||||||
|
|
||||||
|
resources {
|
||||||
|
cpu = 200
|
||||||
|
memory = 200
|
||||||
|
}
|
||||||
|
|
||||||
|
restart {
|
||||||
|
attempts = 2
|
||||||
|
interval = "30m"
|
||||||
|
delay = "15s"
|
||||||
|
mode = "fail"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
67
app/backup/deploy/backup.hcl
Normal file
67
app/backup/deploy/backup.hcl
Normal file
|
@ -0,0 +1,67 @@
|
||||||
|
job "backup_periodic" {
|
||||||
|
datacenters = ["dc1"]
|
||||||
|
|
||||||
|
type = "batch"
|
||||||
|
|
||||||
|
periodic {
|
||||||
|
// Launch every hour
|
||||||
|
cron = "0 * * * * *"
|
||||||
|
|
||||||
|
// Do not allow overlapping runs.
|
||||||
|
prohibit_overlap = true
|
||||||
|
}
|
||||||
|
|
||||||
|
task "backup-consul" {
|
||||||
|
driver = "docker"
|
||||||
|
|
||||||
|
config {
|
||||||
|
image = "lxpz/backup_consul:12"
|
||||||
|
volumes = [
|
||||||
|
"secrets/id_ed25519:/root/.ssh/id_ed25519",
|
||||||
|
"secrets/id_ed25519.pub:/root/.ssh/id_ed25519.pub",
|
||||||
|
"secrets/known_hosts:/root/.ssh/known_hosts"
|
||||||
|
]
|
||||||
|
network_mode = "host"
|
||||||
|
}
|
||||||
|
|
||||||
|
env {
|
||||||
|
CONSUL_HTTP_ADDR = "http://consul.service.2.cluster.deuxfleurs.fr:8500"
|
||||||
|
}
|
||||||
|
|
||||||
|
template {
|
||||||
|
data = <<EOH
|
||||||
|
TARGET_SSH_USER={{ key "secrets/backup/target_ssh_user" }}
|
||||||
|
TARGET_SSH_PORT={{ key "secrets/backup/target_ssh_port" }}
|
||||||
|
TARGET_SSH_HOST={{ key "secrets/backup/target_ssh_host" }}
|
||||||
|
TARGET_SSH_DIR={{ key "secrets/backup/target_ssh_dir" }}
|
||||||
|
EOH
|
||||||
|
|
||||||
|
destination = "secrets/env_vars"
|
||||||
|
env = true
|
||||||
|
}
|
||||||
|
|
||||||
|
template {
|
||||||
|
data = "{{ key \"secrets/backup/id_ed25519\" }}"
|
||||||
|
destination = "secrets/id_ed25519"
|
||||||
|
}
|
||||||
|
template {
|
||||||
|
data = "{{ key \"secrets/backup/id_ed25519.pub\" }}"
|
||||||
|
destination = "secrets/id_ed25519.pub"
|
||||||
|
}
|
||||||
|
template {
|
||||||
|
data = "{{ key \"secrets/backup/target_ssh_fingerprint\" }}"
|
||||||
|
destination = "secrets/known_hosts"
|
||||||
|
}
|
||||||
|
|
||||||
|
resources {
|
||||||
|
memory = 200
|
||||||
|
}
|
||||||
|
|
||||||
|
restart {
|
||||||
|
attempts = 2
|
||||||
|
interval = "30m"
|
||||||
|
delay = "15s"
|
||||||
|
mode = "fail"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1 @@
|
||||||
|
USER Backup AWS access key ID
|
|
@ -0,0 +1 @@
|
||||||
|
USER Backup AWS secret access key
|
1
app/backup/secrets/backup/consul/backup_restic_password
Normal file
1
app/backup/secrets/backup/consul/backup_restic_password
Normal file
|
@ -0,0 +1 @@
|
||||||
|
USER Restic password to encrypt backups
|
|
@ -0,0 +1 @@
|
||||||
|
USER Restic repository, eg. s3:https://s3.garage.tld
|
1
app/backup/secrets/backup/id_ed25519
Normal file
1
app/backup/secrets/backup/id_ed25519
Normal file
|
@ -0,0 +1 @@
|
||||||
|
USER_LONG Private ed25519 key of the container doing the backup
|
1
app/backup/secrets/backup/id_ed25519.pub
Normal file
1
app/backup/secrets/backup/id_ed25519.pub
Normal file
|
@ -0,0 +1 @@
|
||||||
|
USER Public ed25519 key of the container doing the backup (this key must be in authorized_keys on the backup target host)
|
1
app/backup/secrets/backup/psql/aws_access_key_id
Normal file
1
app/backup/secrets/backup/psql/aws_access_key_id
Normal file
|
@ -0,0 +1 @@
|
||||||
|
USER Minio access key
|
1
app/backup/secrets/backup/psql/aws_secret_access_key
Normal file
1
app/backup/secrets/backup/psql/aws_secret_access_key
Normal file
|
@ -0,0 +1 @@
|
||||||
|
USER Minio secret key
|
1
app/backup/secrets/backup/psql/crypt_private_key
Normal file
1
app/backup/secrets/backup/psql/crypt_private_key
Normal file
|
@ -0,0 +1 @@
|
||||||
|
USER a private key to decript backups from age
|
1
app/backup/secrets/backup/psql/crypt_public_key
Normal file
1
app/backup/secrets/backup/psql/crypt_public_key
Normal file
|
@ -0,0 +1 @@
|
||||||
|
USER A public key to encypt backups with age
|
1
app/backup/secrets/backup/target_ssh_dir
Normal file
1
app/backup/secrets/backup/target_ssh_dir
Normal file
|
@ -0,0 +1 @@
|
||||||
|
USER Directory where to store backups on target host
|
1
app/backup/secrets/backup/target_ssh_fingerprint
Normal file
1
app/backup/secrets/backup/target_ssh_fingerprint
Normal file
|
@ -0,0 +1 @@
|
||||||
|
USER SSH fingerprint of the target machine (format: copy here the corresponding line from your known_hosts file)
|
1
app/backup/secrets/backup/target_ssh_host
Normal file
1
app/backup/secrets/backup/target_ssh_host
Normal file
|
@ -0,0 +1 @@
|
||||||
|
USER Hostname of the backup target host
|
1
app/backup/secrets/backup/target_ssh_port
Normal file
1
app/backup/secrets/backup/target_ssh_port
Normal file
|
@ -0,0 +1 @@
|
||||||
|
USER SSH port number to connect to the target host
|
1
app/backup/secrets/backup/target_ssh_user
Normal file
1
app/backup/secrets/backup/target_ssh_user
Normal file
|
@ -0,0 +1 @@
|
||||||
|
USER SSH username to log in as on the target host
|
83
app/bagage/deploy/bagage.hcl
Normal file
83
app/bagage/deploy/bagage.hcl
Normal file
|
@ -0,0 +1,83 @@
|
||||||
|
job "bagage" {
|
||||||
|
datacenters = ["dc1"]
|
||||||
|
type = "service"
|
||||||
|
priority = 90
|
||||||
|
|
||||||
|
constraint {
|
||||||
|
attribute = "${attr.cpu.arch}"
|
||||||
|
value = "amd64"
|
||||||
|
}
|
||||||
|
|
||||||
|
group "main" {
|
||||||
|
count = 1
|
||||||
|
|
||||||
|
network {
|
||||||
|
port "web_port" { to = 8080 }
|
||||||
|
port "ssh_port" {
|
||||||
|
static = 2222
|
||||||
|
to = 2222
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
task "server" {
|
||||||
|
driver = "docker"
|
||||||
|
config {
|
||||||
|
image = "superboum/amd64_bagage:v11"
|
||||||
|
readonly_rootfs = false
|
||||||
|
volumes = [
|
||||||
|
"secrets/id_rsa:/id_rsa"
|
||||||
|
]
|
||||||
|
ports = [ "web_port", "ssh_port" ]
|
||||||
|
}
|
||||||
|
|
||||||
|
env {
|
||||||
|
BAGAGE_LDAP_ENDPOINT = "bottin2.service.2.cluster.deuxfleurs.fr:389"
|
||||||
|
}
|
||||||
|
|
||||||
|
resources {
|
||||||
|
memory = 500
|
||||||
|
}
|
||||||
|
|
||||||
|
template {
|
||||||
|
data = "{{ key \"secrets/bagage/id_rsa\" }}"
|
||||||
|
destination = "secrets/id_rsa"
|
||||||
|
}
|
||||||
|
|
||||||
|
service {
|
||||||
|
name = "bagage-ssh"
|
||||||
|
port = "ssh_port"
|
||||||
|
address_mode = "host"
|
||||||
|
tags = [
|
||||||
|
"bagage",
|
||||||
|
"(diplonat (tcp_port 2222))"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
|
service {
|
||||||
|
name = "bagage-webdav"
|
||||||
|
tags = [
|
||||||
|
"bagage",
|
||||||
|
"traefik.enable=true",
|
||||||
|
"traefik.frontend.entryPoints=https,http",
|
||||||
|
"traefik.frontend.rule=Host:bagage.deuxfleurs.fr",
|
||||||
|
"tricot bagage.deuxfleurs.fr",
|
||||||
|
]
|
||||||
|
port = "web_port"
|
||||||
|
address_mode = "host"
|
||||||
|
check {
|
||||||
|
type = "tcp"
|
||||||
|
port = "web_port"
|
||||||
|
address_mode = "host"
|
||||||
|
interval = "60s"
|
||||||
|
timeout = "5s"
|
||||||
|
check_restart {
|
||||||
|
limit = 3
|
||||||
|
grace = "90s"
|
||||||
|
ignore_warnings = false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
1
app/bagage/secrets/bagage/id_rsa
Normal file
1
app/bagage/secrets/bagage/id_rsa
Normal file
|
@ -0,0 +1 @@
|
||||||
|
CMD ssh-keygen -q -f >(cat) -N "" <<< y 2>/dev/null 1>&2 ; true
|
|
@ -1,8 +0,0 @@
|
||||||
## How to upgrade our packaged apps to a new version?
|
|
||||||
|
|
||||||
1. Edit `docker-compose.yml`
|
|
||||||
2. Change the `VERSION` variable to the desired version
|
|
||||||
3. Increment the docker image tag by 1 (eg: superboum/riot:v13 -> superboum/riot:v14)
|
|
||||||
4. Run `docker-compose build`
|
|
||||||
5. Run `docker-compose push`
|
|
||||||
6. Done
|
|
|
@ -1,16 +0,0 @@
|
||||||
FROM amd64/debian:stretch as builder
|
|
||||||
|
|
||||||
COPY ./quentin.dufour.io/Gemfile /root/quentin.dufour.io/Gemfile
|
|
||||||
|
|
||||||
WORKDIR /root/quentin.dufour.io
|
|
||||||
|
|
||||||
RUN apt-get update && \
|
|
||||||
apt-get install -y ruby-dev gem build-essential bundler zlib1g-dev libxml2-dev && \
|
|
||||||
bundle install
|
|
||||||
|
|
||||||
COPY ./quentin.dufour.io/ /root/quentin.dufour.io/
|
|
||||||
RUN bundle exec jekyll build
|
|
||||||
|
|
||||||
FROM superboum/amd64_webserver:v2
|
|
||||||
COPY --from=builder /root/quentin.dufour.io/_site /srv/http
|
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
sudo docker build -t superboum/amd64_blog:v19 .
|
|
|
@ -1,8 +0,0 @@
|
||||||
FROM amd64/debian:buster
|
|
||||||
|
|
||||||
RUN apt-get update && \
|
|
||||||
apt-get dist-upgrade -y && \
|
|
||||||
apt-get install -y \
|
|
||||||
coturn
|
|
||||||
|
|
||||||
CMD ["/usr/bin/turnserver"]
|
|
|
@ -1,17 +0,0 @@
|
||||||
|
|
||||||
## Génère l'image
|
|
||||||
```
|
|
||||||
sudo docker build -t registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1 .
|
|
||||||
```
|
|
||||||
|
|
||||||
## Run bash dans le container
|
|
||||||
```
|
|
||||||
sudo docker run --rm -t -i registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1 bash
|
|
||||||
sudo docker run --rm -t -i -p 3478:3478/udp -p 3479:3479/udp -p 3478:3478/tcp -p 3479:3479/tcp registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1
|
|
||||||
```
|
|
||||||
|
|
||||||
## Used ports
|
|
||||||
- udp/tcp 3478 3479
|
|
||||||
|
|
||||||
## Publish
|
|
||||||
sudo docker push registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1
|
|
|
@ -1,70 +0,0 @@
|
||||||
version: '3.4'
|
|
||||||
services:
|
|
||||||
|
|
||||||
# Instant Messaging
|
|
||||||
riot:
|
|
||||||
build:
|
|
||||||
context: ./riotweb
|
|
||||||
args:
|
|
||||||
# https://github.com/vector-im/riot-web/releases
|
|
||||||
VERSION: 1.7.9
|
|
||||||
image: superboum/amd64_riotweb:v17
|
|
||||||
|
|
||||||
synapse:
|
|
||||||
build:
|
|
||||||
context: ./matrix-synapse
|
|
||||||
args:
|
|
||||||
# https://github.com/matrix-org/synapse/releases
|
|
||||||
VERSION: 1.21.0
|
|
||||||
image: superboum/amd64_synapse:v36
|
|
||||||
|
|
||||||
# Email
|
|
||||||
sogo:
|
|
||||||
build:
|
|
||||||
context: ./sogo
|
|
||||||
args:
|
|
||||||
# fake for now
|
|
||||||
VERSION: 5.0.0
|
|
||||||
image: superboum/amd64_sogo:v7
|
|
||||||
|
|
||||||
# VoIP
|
|
||||||
jitsi-meet:
|
|
||||||
build:
|
|
||||||
context: ./jitsi-meet
|
|
||||||
args:
|
|
||||||
# https://github.com/jitsi/jitsi-meet
|
|
||||||
PREFIXV: stable/jitsi-meet_
|
|
||||||
VERSION: 4966
|
|
||||||
image: superboum/amd64_jitsi_meet:v1
|
|
||||||
|
|
||||||
jitsi-conference-focus:
|
|
||||||
build:
|
|
||||||
context: ./jitsi-conference-focus
|
|
||||||
args:
|
|
||||||
# https://github.com/jitsi/jicofo
|
|
||||||
PREFIXV: stable/jitsi-meet_
|
|
||||||
VERSION: 4966
|
|
||||||
image: superboum/amd64_jitsi_conference_focus:v5
|
|
||||||
|
|
||||||
jitsi-videobridge:
|
|
||||||
build:
|
|
||||||
context: ./jitsi-videobridge
|
|
||||||
args:
|
|
||||||
# https://github.com/jitsi/jitsi-videobridge
|
|
||||||
PREFIXV: stable/jitsi-meet_
|
|
||||||
VERSION: 4966
|
|
||||||
image: superboum/amd64_jitsi_videobridge:v15
|
|
||||||
|
|
||||||
jitsi-xmpp:
|
|
||||||
build:
|
|
||||||
context: ./jitsi-xmpp
|
|
||||||
args:
|
|
||||||
VERSION: fake-1
|
|
||||||
image: superboum/amd64_jitsi_xmpp:v4
|
|
||||||
|
|
||||||
plume:
|
|
||||||
build:
|
|
||||||
context: ./plume
|
|
||||||
args:
|
|
||||||
VERSION: 0cd26dfbf4ab7be467325ed77230cf371147a98e
|
|
||||||
image: superboum/plume:v1
|
|
|
@ -1,27 +0,0 @@
|
||||||
FROM debian:buster AS builder
|
|
||||||
|
|
||||||
ARG PREFIXV
|
|
||||||
ARG VERSION
|
|
||||||
RUN apt-get update && \
|
|
||||||
apt-get install -y openjdk-11-jdk maven wget unzip && \
|
|
||||||
wget https://github.com/jitsi/jicofo/archive/${PREFIXV}${VERSION}.zip -O jicofo.zip
|
|
||||||
|
|
||||||
RUN unzip jicofo.zip && \
|
|
||||||
mv jicofo*${VERSION} jicofo && \
|
|
||||||
cd jicofo && \
|
|
||||||
mvn package -DskipTests -Dassembly.skipAssembly=false && \
|
|
||||||
unzip target/jicofo-1.1-SNAPSHOT-archive.zip && \
|
|
||||||
mv jicofo-1.1-SNAPSHOT /srv/build
|
|
||||||
|
|
||||||
FROM debian:buster
|
|
||||||
|
|
||||||
RUN apt-get update && \
|
|
||||||
apt-get install -y openjdk-11-jre-headless ca-certificates
|
|
||||||
|
|
||||||
ENV JAVA_SYS_PROPS="-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION=/root -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=.sip-communicator -Dnet.java.sip.communicator.SC_LOG_DIR_LOCATION=/var/log/jitsi"
|
|
||||||
|
|
||||||
COPY --from=builder /srv/build /srv/jicofo
|
|
||||||
COPY jicofo /usr/local/bin/jicofo
|
|
||||||
COPY sip-communicator.properties /root/.sip-communicator/sip-communicator.properties
|
|
||||||
|
|
||||||
CMD ["/usr/local/bin/jicofo"]
|
|
|
@ -1,16 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
cp ${JITSI_CERTS_FOLDER}/auth.jitsi.deuxfleurs.fr.crt /usr/local/share/ca-certificates/auth.jitsi.deuxfleurs.fr.crt
|
|
||||||
update-ca-certificates -f
|
|
||||||
|
|
||||||
cat >> /etc/hosts <<EOF
|
|
||||||
${JITSI_PROSODY_HOST} jitsi.deuxfleurs.fr conference.jitsi.deuxfleurs.fr jitsi-videobridge.jitsi.deuxfleurs.fr focus.jitsi.deuxfleurs.fr auth.jitsi.deuxfleurs.fr
|
|
||||||
127.0.0.1 `hostname`
|
|
||||||
EOF
|
|
||||||
|
|
||||||
/srv/jicofo/jicofo.sh \
|
|
||||||
--host=${JITSI_PROSODY_HOST} \
|
|
||||||
--domain=jitsi.deuxfleurs.fr \
|
|
||||||
--secret=${JITSI_SECRET_JICOFO_COMPONENT} \
|
|
||||||
--user_domain=auth.jitsi.deuxfleurs.fr \
|
|
||||||
--user_password=${JITSI_SECRET_JICOFO_USER}
|
|
|
@ -1,2 +0,0 @@
|
||||||
org.jitsi.jicofo.SHORT_ID=1
|
|
||||||
org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.auth.jitsi.deuxfleurs.fr
|
|
|
@ -1,28 +0,0 @@
|
||||||
FROM debian:buster AS builder
|
|
||||||
|
|
||||||
ARG PREFIXV
|
|
||||||
ARG VERSION
|
|
||||||
|
|
||||||
RUN apt-get update && \
|
|
||||||
apt-get install -y curl && \
|
|
||||||
curl -sL https://deb.nodesource.com/setup_14.x | bash - && \
|
|
||||||
apt-get install -y git nodejs make wget unzip && \
|
|
||||||
wget https://github.com/jitsi/jitsi-meet/archive/${PREFIXV}${VERSION}.zip -O jitsi-meet.zip
|
|
||||||
|
|
||||||
RUN unzip jitsi-meet.zip && \
|
|
||||||
mv jitsi-meet-*${VERSION} jitsi-meet && \
|
|
||||||
cd jitsi-meet && \
|
|
||||||
npm install && \
|
|
||||||
make
|
|
||||||
|
|
||||||
FROM debian:buster
|
|
||||||
|
|
||||||
COPY --from=builder /jitsi-meet /srv/jitsi-meet
|
|
||||||
RUN apt-get update && \
|
|
||||||
apt-get install -y nginx && \
|
|
||||||
rm /etc/nginx/sites-enabled/*
|
|
||||||
|
|
||||||
COPY config.js /srv/jitsi-meet/config.js
|
|
||||||
COPY entrypoint.sh /usr/local/bin/entrypoint
|
|
||||||
ENTRYPOINT ["/usr/local/bin/entrypoint"]
|
|
||||||
CMD ["/usr/sbin/nginx", "-g", "daemon off;"]
|
|
|
@ -1,517 +0,0 @@
|
||||||
/* eslint-disable no-unused-vars, no-var */
|
|
||||||
|
|
||||||
var config = {
|
|
||||||
// Connection
|
|
||||||
//
|
|
||||||
|
|
||||||
hosts: {
|
|
||||||
// XMPP domain.
|
|
||||||
domain: 'jitsi.deuxfleurs.fr',
|
|
||||||
|
|
||||||
// When using authentication, domain for guest users.
|
|
||||||
// anonymousdomain: 'guest.example.com',
|
|
||||||
|
|
||||||
// Domain for authenticated users. Defaults to <domain>.
|
|
||||||
// authdomain: 'jitsi-meet.example.com',
|
|
||||||
|
|
||||||
// Jirecon recording component domain.
|
|
||||||
// jirecon: 'jirecon.jitsi-meet.example.com',
|
|
||||||
|
|
||||||
// Call control component (Jigasi).
|
|
||||||
// call_control: 'callcontrol.jitsi-meet.example.com',
|
|
||||||
|
|
||||||
// Focus component domain. Defaults to focus.<domain>.
|
|
||||||
// focus: 'focus.jitsi-meet.example.com',
|
|
||||||
|
|
||||||
// XMPP MUC domain. FIXME: use XEP-0030 to discover it.
|
|
||||||
muc: 'conference.jitsi.deuxfleurs.fr'
|
|
||||||
},
|
|
||||||
|
|
||||||
// BOSH URL. FIXME: use XEP-0156 to discover it.
|
|
||||||
bosh: '//jitsi.deuxfleurs.fr/http-bind',
|
|
||||||
|
|
||||||
// Websocket URL
|
|
||||||
// websocket: 'wss://jitsi-meet.example.com/xmpp-websocket',
|
|
||||||
|
|
||||||
// The name of client node advertised in XEP-0115 'c' stanza
|
|
||||||
clientNode: 'http://jitsi.org/jitsimeet',
|
|
||||||
|
|
||||||
// The real JID of focus participant - can be overridden here
|
|
||||||
// focusUserJid: 'focus@auth.jitsi-meet.example.com',
|
|
||||||
|
|
||||||
|
|
||||||
// Testing / experimental features.
|
|
||||||
//
|
|
||||||
|
|
||||||
testing: {
|
|
||||||
// Enables experimental simulcast support on Firefox.
|
|
||||||
enableFirefoxSimulcast: false,
|
|
||||||
|
|
||||||
// P2P test mode disables automatic switching to P2P when there are 2
|
|
||||||
// participants in the conference.
|
|
||||||
p2pTestMode: false
|
|
||||||
|
|
||||||
// Enables the test specific features consumed by jitsi-meet-torture
|
|
||||||
// testMode: false
|
|
||||||
|
|
||||||
// Disables the auto-play behavior of *all* newly created video element.
|
|
||||||
// This is useful when the client runs on a host with limited resources.
|
|
||||||
// noAutoPlayVideo: false
|
|
||||||
},
|
|
||||||
|
|
||||||
// Disables ICE/UDP by filtering out local and remote UDP candidates in
|
|
||||||
// signalling.
|
|
||||||
// webrtcIceUdpDisable: false,
|
|
||||||
|
|
||||||
// Disables ICE/TCP by filtering out local and remote TCP candidates in
|
|
||||||
// signalling.
|
|
||||||
// webrtcIceTcpDisable: false,
|
|
||||||
|
|
||||||
|
|
||||||
// Media
|
|
||||||
//
|
|
||||||
|
|
||||||
// Audio
|
|
||||||
|
|
||||||
// Disable measuring of audio levels.
|
|
||||||
// disableAudioLevels: false,
|
|
||||||
// audioLevelsInterval: 200,
|
|
||||||
|
|
||||||
// Enabling this will run the lib-jitsi-meet no audio detection module which
|
|
||||||
// will notify the user if the current selected microphone has no audio
|
|
||||||
// input and will suggest another valid device if one is present.
|
|
||||||
enableNoAudioDetection: true,
|
|
||||||
|
|
||||||
// Enabling this will run the lib-jitsi-meet noise detection module which will
|
|
||||||
// notify the user if there is noise, other than voice, coming from the current
|
|
||||||
// selected microphone. The purpose it to let the user know that the input could
|
|
||||||
// be potentially unpleasant for other meeting participants.
|
|
||||||
enableNoisyMicDetection: true,
|
|
||||||
|
|
||||||
// Start the conference in audio only mode (no video is being received nor
|
|
||||||
// sent).
|
|
||||||
// startAudioOnly: false,
|
|
||||||
|
|
||||||
// Every participant after the Nth will start audio muted.
|
|
||||||
// startAudioMuted: 10,
|
|
||||||
|
|
||||||
// Start calls with audio muted. Unlike the option above, this one is only
|
|
||||||
// applied locally. FIXME: having these 2 options is confusing.
|
|
||||||
// startWithAudioMuted: false,
|
|
||||||
|
|
||||||
// Enabling it (with #params) will disable local audio output of remote
|
|
||||||
// participants and to enable it back a reload is needed.
|
|
||||||
// startSilent: false
|
|
||||||
|
|
||||||
// Video
|
|
||||||
|
|
||||||
// Sets the preferred resolution (height) for local video. Defaults to 720.
|
|
||||||
resolution: 480,
|
|
||||||
|
|
||||||
// w3c spec-compliant video constraints to use for video capture. Currently
|
|
||||||
// used by browsers that return true from lib-jitsi-meet's
|
|
||||||
// util#browser#usesNewGumFlow. The constraints are independency from
|
|
||||||
// this config's resolution value. Defaults to requesting an ideal aspect
|
|
||||||
// ratio of 16:9 with an ideal resolution of 720.
|
|
||||||
constraints: {
|
|
||||||
video: {
|
|
||||||
aspectRatio: 16 / 9,
|
|
||||||
height: {
|
|
||||||
ideal: 480,
|
|
||||||
max: 720,
|
|
||||||
min: 240
|
|
||||||
}
|
|
||||||
}
|
|
||||||
},
|
|
||||||
|
|
||||||
// Enable / disable simulcast support.
|
|
||||||
// disableSimulcast: false,
|
|
||||||
|
|
||||||
// Enable / disable layer suspension. If enabled, endpoints whose HD
|
|
||||||
// layers are not in use will be suspended (no longer sent) until they
|
|
||||||
// are requested again.
|
|
||||||
// enableLayerSuspension: false,
|
|
||||||
|
|
||||||
// Every participant after the Nth will start video muted.
|
|
||||||
// startVideoMuted: 10,
|
|
||||||
|
|
||||||
// Start calls with video muted. Unlike the option above, this one is only
|
|
||||||
// applied locally. FIXME: having these 2 options is confusing.
|
|
||||||
// startWithVideoMuted: false,
|
|
||||||
|
|
||||||
// If set to true, prefer to use the H.264 video codec (if supported).
|
|
||||||
// Note that it's not recommended to do this because simulcast is not
|
|
||||||
// supported when using H.264. For 1-to-1 calls this setting is enabled by
|
|
||||||
// default and can be toggled in the p2p section.
|
|
||||||
// preferH264: true,
|
|
||||||
|
|
||||||
// If set to true, disable H.264 video codec by stripping it out of the
|
|
||||||
// SDP.
|
|
||||||
// disableH264: false,
|
|
||||||
|
|
||||||
// Desktop sharing
|
|
||||||
|
|
||||||
// The ID of the jidesha extension for Chrome.
|
|
||||||
desktopSharingChromeExtId: null,
|
|
||||||
|
|
||||||
// Whether desktop sharing should be disabled on Chrome.
|
|
||||||
// desktopSharingChromeDisabled: false,
|
|
||||||
|
|
||||||
// The media sources to use when using screen sharing with the Chrome
|
|
||||||
// extension.
|
|
||||||
desktopSharingChromeSources: [ 'screen', 'window', 'tab' ],
|
|
||||||
|
|
||||||
// Required version of Chrome extension
|
|
||||||
desktopSharingChromeMinExtVersion: '0.1',
|
|
||||||
|
|
||||||
// Whether desktop sharing should be disabled on Firefox.
|
|
||||||
// desktopSharingFirefoxDisabled: false,
|
|
||||||
|
|
||||||
// Optional desktop sharing frame rate options. Default value: min:5, max:5.
|
|
||||||
// desktopSharingFrameRate: {
|
|
||||||
// min: 5,
|
|
||||||
// max: 5
|
|
||||||
// },
|
|
||||||
|
|
||||||
// Try to start calls with screen-sharing instead of camera video.
|
|
||||||
// startScreenSharing: false,
|
|
||||||
|
|
||||||
// Recording
|
|
||||||
|
|
||||||
// Whether to enable file recording or not.
|
|
||||||
// fileRecordingsEnabled: false,
|
|
||||||
// Enable the dropbox integration.
|
|
||||||
// dropbox: {
|
|
||||||
// appKey: '<APP_KEY>' // Specify your app key here.
|
|
||||||
// // A URL to redirect the user to, after authenticating
|
|
||||||
// // by default uses:
|
|
||||||
// // 'https://jitsi-meet.example.com/static/oauth.html'
|
|
||||||
// redirectURI:
|
|
||||||
// 'https://jitsi-meet.example.com/subfolder/static/oauth.html'
|
|
||||||
// },
|
|
||||||
// When integrations like dropbox are enabled only that will be shown,
|
|
||||||
// by enabling fileRecordingsServiceEnabled, we show both the integrations
|
|
||||||
// and the generic recording service (its configuration and storage type
|
|
||||||
// depends on jibri configuration)
|
|
||||||
// fileRecordingsServiceEnabled: false,
|
|
||||||
// Whether to show the possibility to share file recording with other people
|
|
||||||
// (e.g. meeting participants), based on the actual implementation
|
|
||||||
// on the backend.
|
|
||||||
// fileRecordingsServiceSharingEnabled: false,
|
|
||||||
|
|
||||||
// Whether to enable live streaming or not.
|
|
||||||
// liveStreamingEnabled: false,
|
|
||||||
|
|
||||||
// Transcription (in interface_config,
|
|
||||||
// subtitles and buttons can be configured)
|
|
||||||
// transcribingEnabled: false,
|
|
||||||
|
|
||||||
// Enables automatic turning on captions when recording is started
|
|
||||||
// autoCaptionOnRecord: false,
|
|
||||||
|
|
||||||
// Misc
|
|
||||||
|
|
||||||
// Default value for the channel "last N" attribute. -1 for unlimited.
|
|
||||||
channelLastN: -1,
|
|
||||||
|
|
||||||
// Disables or enables RTX (RFC 4588) (defaults to false).
|
|
||||||
// disableRtx: false,
|
|
||||||
|
|
||||||
// Disables or enables TCC (the default is in Jicofo and set to true)
|
|
||||||
// (draft-holmer-rmcat-transport-wide-cc-extensions-01). This setting
|
|
||||||
// affects congestion control, it practically enables send-side bandwidth
|
|
||||||
// estimations.
|
|
||||||
// enableTcc: true,
|
|
||||||
|
|
||||||
// Disables or enables REMB (the default is in Jicofo and set to false)
|
|
||||||
// (draft-alvestrand-rmcat-remb-03). This setting affects congestion
|
|
||||||
// control, it practically enables recv-side bandwidth estimations. When
|
|
||||||
// both TCC and REMB are enabled, TCC takes precedence. When both are
|
|
||||||
// disabled, then bandwidth estimations are disabled.
|
|
||||||
// enableRemb: false,
|
|
||||||
|
|
||||||
// Defines the minimum number of participants to start a call (the default
|
|
||||||
// is set in Jicofo and set to 2).
|
|
||||||
// minParticipants: 2,
|
|
||||||
|
|
||||||
// Use XEP-0215 to fetch STUN and TURN servers.
|
|
||||||
// useStunTurn: true,
|
|
||||||
|
|
||||||
// Enable IPv6 support.
|
|
||||||
// useIPv6: true,
|
|
||||||
|
|
||||||
// Enables / disables a data communication channel with the Videobridge.
|
|
||||||
// Values can be 'datachannel', 'websocket', true (treat it as
|
|
||||||
// 'datachannel'), undefined (treat it as 'datachannel') and false (don't
|
|
||||||
// open any channel).
|
|
||||||
// openBridgeChannel: true,
|
|
||||||
|
|
||||||
|
|
||||||
// UI
|
|
||||||
//
|
|
||||||
|
|
||||||
// Use display name as XMPP nickname.
|
|
||||||
// useNicks: false,
|
|
||||||
|
|
||||||
// Require users to always specify a display name.
|
|
||||||
// requireDisplayName: true,
|
|
||||||
|
|
||||||
// Whether to use a welcome page or not. In case it's false a random room
|
|
||||||
// will be joined when no room is specified.
|
|
||||||
enableWelcomePage: true,
|
|
||||||
|
|
||||||
// Enabling the close page will ignore the welcome page redirection when
|
|
||||||
// a call is hangup.
|
|
||||||
// enableClosePage: false,
|
|
||||||
|
|
||||||
// Disable hiding of remote thumbnails when in a 1-on-1 conference call.
|
|
||||||
// disable1On1Mode: false,
|
|
||||||
|
|
||||||
// Default language for the user interface.
|
|
||||||
defaultLanguage: 'fr',
|
|
||||||
|
|
||||||
// If true all users without a token will be considered guests and all users
|
|
||||||
// with token will be considered non-guests. Only guests will be allowed to
|
|
||||||
// edit their profile.
|
|
||||||
enableUserRolesBasedOnToken: false,
|
|
||||||
|
|
||||||
// Whether or not some features are checked based on token.
|
|
||||||
// enableFeaturesBasedOnToken: false,
|
|
||||||
|
|
||||||
// Enable lock room for all moderators, even when userRolesBasedOnToken is enabled and participants are guests.
|
|
||||||
// lockRoomGuestEnabled: false,
|
|
||||||
|
|
||||||
// When enabled the password used for locking a room is restricted to up to the number of digits specified
|
|
||||||
// roomPasswordNumberOfDigits: 10,
|
|
||||||
// default: roomPasswordNumberOfDigits: false,
|
|
||||||
|
|
||||||
// Message to show the users. Example: 'The service will be down for
|
|
||||||
// maintenance at 01:00 AM GMT,
|
|
||||||
// noticeMessage: '',
|
|
||||||
|
|
||||||
// Enables calendar integration, depends on googleApiApplicationClientID
|
|
||||||
// and microsoftApiApplicationClientID
|
|
||||||
// enableCalendarIntegration: false,
|
|
||||||
|
|
||||||
// Stats
|
|
||||||
//
|
|
||||||
|
|
||||||
// Whether to enable stats collection or not in the TraceablePeerConnection.
|
|
||||||
// This can be useful for debugging purposes (post-processing/analysis of
|
|
||||||
// the webrtc stats) as it is done in the jitsi-meet-torture bandwidth
|
|
||||||
// estimation tests.
|
|
||||||
// gatherStats: false,
|
|
||||||
|
|
||||||
// The interval at which PeerConnection.getStats() is called. Defaults to 10000
|
|
||||||
// pcStatsInterval: 10000,
|
|
||||||
|
|
||||||
// To enable sending statistics to callstats.io you must provide the
|
|
||||||
// Application ID and Secret.
|
|
||||||
// callStatsID: '',
|
|
||||||
// callStatsSecret: '',
|
|
||||||
|
|
||||||
// enables sending participants display name to callstats
|
|
||||||
// enableDisplayNameInStats: false
|
|
||||||
|
|
||||||
// enables sending participants email if available to callstats and other analytics
|
|
||||||
// enableEmailInStats: false
|
|
||||||
|
|
||||||
// Privacy
|
|
||||||
//
|
|
||||||
|
|
||||||
// If third party requests are disabled, no other server will be contacted.
|
|
||||||
// This means avatars will be locally generated and callstats integration
|
|
||||||
// will not function.
|
|
||||||
// disableThirdPartyRequests: false,
|
|
||||||
|
|
||||||
|
|
||||||
// Peer-To-Peer mode: used (if enabled) when there are just 2 participants.
|
|
||||||
//
|
|
||||||
|
|
||||||
p2p: {
|
|
||||||
// Enables peer to peer mode. When enabled the system will try to
|
|
||||||
// establish a direct connection when there are exactly 2 participants
|
|
||||||
// in the room. If that succeeds the conference will stop sending data
|
|
||||||
// through the JVB and use the peer to peer connection instead. When a
|
|
||||||
// 3rd participant joins the conference will be moved back to the JVB
|
|
||||||
// connection.
|
|
||||||
enabled: true,
|
|
||||||
|
|
||||||
// Use XEP-0215 to fetch STUN and TURN servers.
|
|
||||||
// useStunTurn: true,
|
|
||||||
|
|
||||||
// The STUN servers that will be used in the peer to peer connections
|
|
||||||
stunServers: [
|
|
||||||
|
|
||||||
// { urls: 'stun:jitsi-meet.example.com:443' },
|
|
||||||
{ urls: 'stun:stun.l.google.com:19302' },
|
|
||||||
{ urls: 'stun:stun1.l.google.com:19302' },
|
|
||||||
{ urls: 'stun:stun2.l.google.com:19302' }
|
|
||||||
],
|
|
||||||
|
|
||||||
// Sets the ICE transport policy for the p2p connection. At the time
|
|
||||||
// of this writing the list of possible values are 'all' and 'relay',
|
|
||||||
// but that is subject to change in the future. The enum is defined in
|
|
||||||
// the WebRTC standard:
|
|
||||||
// https://www.w3.org/TR/webrtc/#rtcicetransportpolicy-enum.
|
|
||||||
// If not set, the effective value is 'all'.
|
|
||||||
// iceTransportPolicy: 'all',
|
|
||||||
|
|
||||||
// If set to true, it will prefer to use H.264 for P2P calls (if H.264
|
|
||||||
// is supported).
|
|
||||||
preferH264: true,
|
|
||||||
|
|
||||||
// If set to true, disable H.264 video codec by stripping it out of the
|
|
||||||
// SDP.
|
|
||||||
// disableH264: false,
|
|
||||||
|
|
||||||
// How long we're going to wait, before going back to P2P after the 3rd
|
|
||||||
// participant has left the conference (to filter out page reload).
|
|
||||||
backToP2PDelay: 60
|
|
||||||
},
|
|
||||||
|
|
||||||
analytics: {
|
|
||||||
// The Google Analytics Tracking ID:
|
|
||||||
// googleAnalyticsTrackingId: 'your-tracking-id-UA-123456-1'
|
|
||||||
|
|
||||||
// The Amplitude APP Key:
|
|
||||||
// amplitudeAPPKey: '<APP_KEY>'
|
|
||||||
|
|
||||||
// Array of script URLs to load as lib-jitsi-meet "analytics handlers".
|
|
||||||
// scriptURLs: [
|
|
||||||
// "libs/analytics-ga.min.js", // google-analytics
|
|
||||||
// "https://example.com/my-custom-analytics.js"
|
|
||||||
// ],
|
|
||||||
},
|
|
||||||
|
|
||||||
// Information about the jitsi-meet instance we are connecting to, including
|
|
||||||
// the user region as seen by the server.
|
|
||||||
deploymentInfo: {
|
|
||||||
// shard: "shard1",
|
|
||||||
// region: "europe",
|
|
||||||
// userRegion: "asia"
|
|
||||||
}
|
|
||||||
|
|
||||||
// Information for the chrome extension banner
|
|
||||||
// chromeExtensionBanner: {
|
|
||||||
// // The chrome extension to be installed address
|
|
||||||
// url: 'https://chrome.google.com/webstore/detail/jitsi-meetings/kglhbbefdnlheedjiejgomgmfplipfeb',
|
|
||||||
|
|
||||||
// // Extensions info which allows checking if they are installed or not
|
|
||||||
// chromeExtensionsInfo: [
|
|
||||||
// {
|
|
||||||
// id: 'kglhbbefdnlheedjiejgomgmfplipfeb',
|
|
||||||
// path: 'jitsi-logo-48x48.png'
|
|
||||||
// }
|
|
||||||
// ]
|
|
||||||
// }
|
|
||||||
|
|
||||||
// Local Recording
|
|
||||||
//
|
|
||||||
|
|
||||||
// localRecording: {
|
|
||||||
// Enables local recording.
|
|
||||||
// Additionally, 'localrecording' (all lowercase) needs to be added to
|
|
||||||
// TOOLBAR_BUTTONS in interface_config.js for the Local Recording
|
|
||||||
// button to show up on the toolbar.
|
|
||||||
//
|
|
||||||
// enabled: true,
|
|
||||||
//
|
|
||||||
|
|
||||||
// The recording format, can be one of 'ogg', 'flac' or 'wav'.
|
|
||||||
// format: 'flac'
|
|
||||||
//
|
|
||||||
|
|
||||||
// }
|
|
||||||
|
|
||||||
// Options related to end-to-end (participant to participant) ping.
|
|
||||||
// e2eping: {
|
|
||||||
// // The interval in milliseconds at which pings will be sent.
|
|
||||||
// // Defaults to 10000, set to <= 0 to disable.
|
|
||||||
// pingInterval: 10000,
|
|
||||||
//
|
|
||||||
// // The interval in milliseconds at which analytics events
|
|
||||||
// // with the measured RTT will be sent. Defaults to 60000, set
|
|
||||||
// // to <= 0 to disable.
|
|
||||||
// analyticsInterval: 60000,
|
|
||||||
// }
|
|
||||||
|
|
||||||
// If set, will attempt to use the provided video input device label when
|
|
||||||
// triggering a screenshare, instead of proceeding through the normal flow
|
|
||||||
// for obtaining a desktop stream.
|
|
||||||
// NOTE: This option is experimental and is currently intended for internal
|
|
||||||
// use only.
|
|
||||||
// _desktopSharingSourceDevice: 'sample-id-or-label'
|
|
||||||
|
|
||||||
// If true, any checks to handoff to another application will be prevented
|
|
||||||
// and instead the app will continue to display in the current browser.
|
|
||||||
// disableDeepLinking: false
|
|
||||||
|
|
||||||
// A property to disable the right click context menu for localVideo
|
|
||||||
// the menu has option to flip the locally seen video for local presentations
|
|
||||||
// disableLocalVideoFlip: false
|
|
||||||
|
|
||||||
// Deployment specific URLs.
|
|
||||||
// deploymentUrls: {
|
|
||||||
// // If specified a 'Help' button will be displayed in the overflow menu with a link to the specified URL for
|
|
||||||
// // user documentation.
|
|
||||||
// userDocumentationURL: 'https://docs.example.com/video-meetings.html',
|
|
||||||
// // If specified a 'Download our apps' button will be displayed in the overflow menu with a link
|
|
||||||
// // to the specified URL for an app download page.
|
|
||||||
// downloadAppsUrl: 'https://docs.example.com/our-apps.html'
|
|
||||||
// }
|
|
||||||
|
|
||||||
// List of undocumented settings used in jitsi-meet
|
|
||||||
/**
|
|
||||||
_immediateReloadThreshold
|
|
||||||
autoRecord
|
|
||||||
autoRecordToken
|
|
||||||
debug
|
|
||||||
debugAudioLevels
|
|
||||||
deploymentInfo
|
|
||||||
dialInConfCodeUrl
|
|
||||||
dialInNumbersUrl
|
|
||||||
dialOutAuthUrl
|
|
||||||
dialOutCodesUrl
|
|
||||||
disableRemoteControl
|
|
||||||
displayJids
|
|
||||||
etherpad_base
|
|
||||||
externalConnectUrl
|
|
||||||
firefox_fake_device
|
|
||||||
googleApiApplicationClientID
|
|
||||||
iAmRecorder
|
|
||||||
iAmSipGateway
|
|
||||||
microsoftApiApplicationClientID
|
|
||||||
peopleSearchQueryTypes
|
|
||||||
peopleSearchUrl
|
|
||||||
requireDisplayName
|
|
||||||
tokenAuthUrl
|
|
||||||
*/
|
|
||||||
|
|
||||||
// List of undocumented settings used in lib-jitsi-meet
|
|
||||||
/**
|
|
||||||
_peerConnStatusOutOfLastNTimeout
|
|
||||||
_peerConnStatusRtcMuteTimeout
|
|
||||||
abTesting
|
|
||||||
avgRtpStatsN
|
|
||||||
callStatsConfIDNamespace
|
|
||||||
callStatsCustomScriptUrl
|
|
||||||
desktopSharingSources
|
|
||||||
disableAEC
|
|
||||||
disableAGC
|
|
||||||
disableAP
|
|
||||||
disableHPF
|
|
||||||
disableNS
|
|
||||||
enableLipSync
|
|
||||||
enableTalkWhileMuted
|
|
||||||
forceJVB121Ratio
|
|
||||||
hiddenDomain
|
|
||||||
ignoreStartMuted
|
|
||||||
nick
|
|
||||||
startBitrate
|
|
||||||
*/
|
|
||||||
|
|
||||||
};
|
|
||||||
|
|
||||||
/* eslint-enable no-unused-vars, no-var */
|
|
||||||
|
|
|
@ -1,38 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
cat > /etc/nginx/sites-available/jitsi <<EOF
|
|
||||||
server_names_hash_bucket_size 64;
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 0.0.0.0:443 ssl http2 default_server;
|
|
||||||
listen [::]:443 ssl http2 default_server;
|
|
||||||
server_name _;
|
|
||||||
ssl_certificate ${JITSI_CERTS_FOLDER}/jitsi.deuxfleurs.fr.crt;
|
|
||||||
ssl_certificate_key ${JITSI_CERTS_FOLDER}/jitsi.deuxfleurs.fr.key;
|
|
||||||
root /srv/jitsi-meet;
|
|
||||||
index index.html;
|
|
||||||
location ~ ^/([a-zA-Z0-9=\?]+)$ {
|
|
||||||
rewrite ^/(.*)$ / break;
|
|
||||||
}
|
|
||||||
location / {
|
|
||||||
ssi on;
|
|
||||||
}
|
|
||||||
# BOSH, Bidirectional-streams Over Synchronous HTTP
|
|
||||||
# https://en.wikipedia.org/wiki/BOSH_(protocol)
|
|
||||||
location /http-bind {
|
|
||||||
proxy_pass http://${JITSI_PROSODY_BOSH_HOST}:${JITSI_PROSODY_BOSH_PORT}/http-bind;
|
|
||||||
proxy_set_header X-Forwarded-For \$remote_addr;
|
|
||||||
proxy_set_header Host \$http_host;
|
|
||||||
}
|
|
||||||
# external_api.js must be accessible from the root of the
|
|
||||||
# installation for the electron version of Jitsi Meet to work
|
|
||||||
# https://github.com/jitsi/jitsi-meet-electron
|
|
||||||
location /external_api.js {
|
|
||||||
alias /srv/jitsi-meet/libs/external_api.min.js;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
EOF
|
|
||||||
|
|
||||||
ln -sf /etc/nginx/sites-available/jitsi /etc/nginx/sites-enabled/jitsi
|
|
||||||
|
|
||||||
exec "$@"
|
|
|
@ -1,30 +0,0 @@
|
||||||
FROM debian:buster AS builder
|
|
||||||
|
|
||||||
ARG PREFIXV
|
|
||||||
ARG VERSION
|
|
||||||
|
|
||||||
RUN apt-get update && \
|
|
||||||
apt-get install -y wget unzip maven openjdk-11-jdk && \
|
|
||||||
wget https://github.com/jitsi/jitsi-videobridge/archive/${PREFIXV}${VERSION}.zip -O jvb.zip
|
|
||||||
|
|
||||||
RUN unzip jvb.zip && \
|
|
||||||
mv jitsi-videobridge*${VERSION} jvb && \
|
|
||||||
cd jvb && \
|
|
||||||
mvn package -DskipTests && \
|
|
||||||
ls jvb/target && \
|
|
||||||
unzip jvb/target/jitsi-videobridge*.zip && \
|
|
||||||
mv jitsi-videobridge-*-SNAPSHOT build
|
|
||||||
|
|
||||||
FROM debian:buster
|
|
||||||
|
|
||||||
RUN apt-get update && \
|
|
||||||
apt-get install -y openjdk-11-jre-headless
|
|
||||||
|
|
||||||
COPY --from=builder /jvb/build /srv/jvb
|
|
||||||
ENV HOME=/root
|
|
||||||
WORKDIR /root
|
|
||||||
COPY jvb_run /usr/local/bin/jvb_run
|
|
||||||
|
|
||||||
ENV JAVA_SYS_PROPS="-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION=/root -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=.sip-communicator -Dnet.java.sip.communicator.SC_LOG_DIR_LOCATION=/var/log/jitsi"
|
|
||||||
|
|
||||||
CMD ["/usr/local/bin/jvb_run"]
|
|
|
@ -1,54 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
cat >> /etc/hosts <<EOF
|
|
||||||
${JITSI_PROSODY_HOST} jitsi.deuxfleurs.fr conference.jitsi.deuxfleurs.fr jitsi-videobridge.jitsi.deuxfleurs.fr focus.jitsi.deuxfleurs.fr auth.jitsi.deuxfleurs.fr
|
|
||||||
127.0.0.1 `hostname`
|
|
||||||
EOF
|
|
||||||
|
|
||||||
mkdir -p /root/.sip-communicator
|
|
||||||
|
|
||||||
cat > /root/.sip-communicator/sip-communicator.properties <<EOF
|
|
||||||
# Enable broadcasting stats/presence in a MUC
|
|
||||||
org.jitsi.videobridge.ENABLE_STATISTICS=true
|
|
||||||
org.jitsi.videobridge.STATISTICS_TRANSPORT=muc
|
|
||||||
|
|
||||||
# Connect to the first XMPP server
|
|
||||||
org.jitsi.videobridge.xmpp.user.shard.HOSTNAME=jitsi.deuxfleurs.fr
|
|
||||||
org.jitsi.videobridge.xmpp.user.shard.DOMAIN=auth.jitsi.deuxfleurs.fr
|
|
||||||
org.jitsi.videobridge.xmpp.user.shard.USERNAME=jvb
|
|
||||||
org.jitsi.videobridge.xmpp.user.shard.PASSWORD=${JITSI_SECRET_VIDEOBRIDGE}
|
|
||||||
org.jitsi.videobridge.xmpp.user.shard.MUC_JIDS=JvbBrewery@internal.auth.jitsi.deuxfleurs.fr
|
|
||||||
org.jitsi.videobridge.xmpp.user.shard.MUC=JvbBrewery@internal.auth.jitsi.deuxfleurs.fr
|
|
||||||
org.jitsi.videobridge.xmpp.user.shard.MUC_NICKNAME=singleton
|
|
||||||
org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=true
|
|
||||||
|
|
||||||
# Do we need it? @FIXME
|
|
||||||
org.jitsi.impl.neomedia.transform.srtp.SRTPCryptoContext.checkReplay=false
|
|
||||||
|
|
||||||
# NAT things, two times just in case...
|
|
||||||
org.ice4j.ice.harvest.TCP_HARVESTER_PORT=${JITSI_VIDEO_TCP}
|
|
||||||
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=${JITSI_NAT_LOCAL_IP}
|
|
||||||
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=${JITSI_NAT_PUBLIC_IP}
|
|
||||||
org.jitsi.videobridge.TCP_HARVESTER_PORT=${JITSI_VIDEO_TCP}
|
|
||||||
org.jitsi.videobridge.NAT_HARVESTER_LOCAL_ADDRESS=${JITSI_NAT_LOCAL_IP}
|
|
||||||
org.jitsi.videobridge.NAT_HARVESTER_PUBLIC_ADDRESS=${JITSI_NAT_PUBLIC_IP}
|
|
||||||
org.jitsi.videobridge.DISABLE_TCP_HARVESTER=false
|
|
||||||
EOF
|
|
||||||
|
|
||||||
[ -v JITSI_DEBUG ] && cat >> /root/.sip-communicator/sip-communicator.properties <<EOF
|
|
||||||
net.java.sip.communicator.packetlogging.PACKET_LOGGING_ENABLED=true
|
|
||||||
net.java.sip.communicator.packetlogging.PACKET_LOGGING_ARBITRARY_ENABLED=true
|
|
||||||
net.java.sip.communicator.packetlogging.PACKET_LOGGING_SIP_ENABLED=true
|
|
||||||
net.java.sip.communicator.packetlogging.PACKET_LOGGING_JABBER_ENABLED=true
|
|
||||||
net.java.sip.communicator.packetlogging.PACKET_LOGGING_RTP_ENABLED=true
|
|
||||||
net.java.sip.communicator.packetlogging.PACKET_LOGGING_ICE4j_ENABLED=true
|
|
||||||
net.java.sip.communicator.packetlogging.PACKET_LOGGING_FILE_COUNT=1
|
|
||||||
net.java.sip.communicator.packetlogging.PACKET_LOGGING_FILE_SIZE=-1
|
|
||||||
EOF
|
|
||||||
|
|
||||||
/srv/jvb/jvb.sh \
|
|
||||||
--host=${JITSI_PROSODY_HOST} \
|
|
||||||
--domain=jitsi.deuxfleurs.fr \
|
|
||||||
--port=5347 \
|
|
||||||
--secret=${JITSI_SECRET_VIDEOBRIDGE} \
|
|
||||||
--apis=xmpp,rest
|
|
|
@ -1,11 +0,0 @@
|
||||||
FROM debian:buster
|
|
||||||
|
|
||||||
RUN apt-get update && \
|
|
||||||
apt-get install -y prosody
|
|
||||||
|
|
||||||
COPY external_components.cfg.lua /etc/prosody/conf.d/external_components.cfg.lua
|
|
||||||
COPY xmpp_conf /usr/local/bin/xmpp_conf
|
|
||||||
COPY xmpp_gen /usr/local/bin/xmpp_gen
|
|
||||||
COPY xmpp_run /usr/local/bin/xmpp_run
|
|
||||||
|
|
||||||
CMD ["/usr/local/bin/xmpp_run"]
|
|
|
@ -1,2 +0,0 @@
|
||||||
component_ports = { 5347 }
|
|
||||||
component_interface = "0.0.0.0"
|
|
|
@ -1,47 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
cat >> /etc/hosts <<EOF
|
|
||||||
${JITSI_PROSODY_HOST} jitsi.deuxfleurs.fr conference.jitsi.deuxfleurs.fr jitsi-videobridge.jitsi.deuxfleurs.fr focus.jitsi.deuxfleurs.fr auth.jitsi.deuxfleurs.fr
|
|
||||||
127.0.0.1 `hostname`
|
|
||||||
EOF
|
|
||||||
|
|
||||||
mkdir -p /etc/prosody/conf.{d,avail}/
|
|
||||||
cat > /etc/prosody/conf.avail/jitsi.deuxfleurs.fr.cfg.lua <<EOF
|
|
||||||
VirtualHost "jitsi.deuxfleurs.fr"
|
|
||||||
authentication = "anonymous"
|
|
||||||
ssl = {
|
|
||||||
key = "/var/lib/prosody/jitsi.deuxfleurs.fr.key";
|
|
||||||
certificate = "/var/lib/prosody/jitsi.deuxfleurs.fr.crt";
|
|
||||||
}
|
|
||||||
modules_enabled = {
|
|
||||||
"bosh";
|
|
||||||
"pubsub";
|
|
||||||
}
|
|
||||||
c2s_require_encryption = false
|
|
||||||
|
|
||||||
VirtualHost "auth.jitsi.deuxfleurs.fr"
|
|
||||||
ssl = {
|
|
||||||
key = "/var/lib/prosody/auth.jitsi.deuxfleurs.fr.key";
|
|
||||||
certificate = "/var/lib/prosody/auth.jitsi.deuxfleurs.fr.crt";
|
|
||||||
}
|
|
||||||
authentication = "internal_plain"
|
|
||||||
admins = { "focus@auth.jitsi.deuxfleurs.fr"}
|
|
||||||
|
|
||||||
Component "conference.jitsi.deuxfleurs.fr" "muc"
|
|
||||||
Component "internal.auth.jitsi.deuxfleurs.fr" "muc"
|
|
||||||
storage = "memory"
|
|
||||||
modules_enabled = { "ping"; }
|
|
||||||
admins = { "focus@auth.jitsi.deuxfleurs.fr", "jvb@auth.jitsi.deuxfleurs.fr" }
|
|
||||||
|
|
||||||
Component "jitsi-videobridge.jitsi.deuxfleurs.fr"
|
|
||||||
component_secret = "${JITSI_SECRET_VIDEOBRIDGE}"
|
|
||||||
Component "focus.jitsi.deuxfleurs.fr"
|
|
||||||
component_secret = "${JITSI_SECRET_JICOFO_COMPONENT}"
|
|
||||||
|
|
||||||
EOF
|
|
||||||
|
|
||||||
ln -sf \
|
|
||||||
/etc/prosody/conf.avail/jitsi.deuxfleurs.fr.cfg.lua \
|
|
||||||
/etc/prosody/conf.d/jitsi.deuxfleurs.fr.cfg.lua
|
|
||||||
|
|
||||||
|
|
|
@ -1,9 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
/usr/local/bin/xmpp_conf
|
|
||||||
|
|
||||||
prosodyctl cert generate jitsi.deuxfleurs.fr
|
|
||||||
prosodyctl cert generate auth.jitsi.deuxfleurs.fr
|
|
||||||
|
|
||||||
cp /var/lib/prosody/*.crt ${JITSI_CERTS_FOLDER}
|
|
||||||
cp /var/lib/prosody/*.key ${JITSI_CERTS_FOLDER}
|
|
|
@ -1,20 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
/usr/local/bin/xmpp_conf
|
|
||||||
cp ${JITSI_CERTS_FOLDER}/* /var/lib/prosody/
|
|
||||||
chown -R prosody:prosody /var/lib/prosody
|
|
||||||
|
|
||||||
mkdir -p /usr/local/share/ca-certificates/
|
|
||||||
ln -sf \
|
|
||||||
/var/lib/prosody/auth.jitsi.deuxfleurs.fr.crt \
|
|
||||||
/usr/local/share/ca-certificates/auth.jitsi.deuxfleurs.fr.crt
|
|
||||||
|
|
||||||
prosodyctl register focus auth.jitsi.deuxfleurs.fr ${JITSI_SECRET_JICOFO_USER}
|
|
||||||
prosodyctl register jvb auth.jitsi.deuxfleurs.fr ${JITSI_SECRET_VIDEOBRIDGE}
|
|
||||||
|
|
||||||
mkdir /run/prosody
|
|
||||||
touch /run/prosody/prosody.pid
|
|
||||||
chown -R prosody:prosody /run/prosody
|
|
||||||
|
|
||||||
cd /var/lib/prosody
|
|
||||||
su - prosody -s /bin/bash -c prosody
|
|
|
@ -1,3 +0,0 @@
|
||||||
```
|
|
||||||
docker build -t superboum/amd64_landing:v8 .
|
|
||||||
```
|
|
|
@ -1,3 +0,0 @@
|
||||||
[mariadb]
|
|
||||||
pam_use_cleartext_plugin
|
|
||||||
bind-address = 0.0.0.0
|
|
|
@ -1,3 +0,0 @@
|
||||||
[mariadb]
|
|
||||||
plugin-load=auth_pam.so
|
|
||||||
|
|
|
@ -1,2 +0,0 @@
|
||||||
[mysqld]
|
|
||||||
bind-address = 0.0.0.0
|
|
|
@ -1,14 +0,0 @@
|
||||||
FROM debian:stretch
|
|
||||||
|
|
||||||
RUN apt-get update && \
|
|
||||||
apt-get dist-upgrade -y && \
|
|
||||||
DEBIAN_FRONTEND=noninteractive apt-get install -y mariadb-server mariadb-client libnss-ldapd
|
|
||||||
|
|
||||||
COPY 60-ldap.cnf /etc/mysql/mariadb.conf.d/60-ldap.cnf
|
|
||||||
COPY 60-remote.cnf /etc/mysql/mariadb.conf.d/60-remote.cnf
|
|
||||||
COPY 60-disable-dialog.cnf /etc/mysql/mariadb.conf.d/60-disable-dialog.cnf
|
|
||||||
COPY pam-mariadb /etc/pam.d/mariadb
|
|
||||||
COPY nsswitch.conf /etc/nsswitch.conf
|
|
||||||
COPY entrypoint.sh /usr/local/bin/entrypoint
|
|
||||||
|
|
||||||
ENTRYPOINT ["/usr/local/bin/entrypoint"]
|
|
|
@ -1,19 +0,0 @@
|
||||||
```
|
|
||||||
sudo docker build -t superboum/amd64_mariadb:v3 .
|
|
||||||
|
|
||||||
sudo docker run \
|
|
||||||
-t -i \
|
|
||||||
-p 3306:3306 \
|
|
||||||
-v /tmp/mysql:/var/lib/mysql \
|
|
||||||
-e LDAP_URI='ldap://bottin.service.2.cluster.deuxfleurs.fr' \
|
|
||||||
-e LDAP_BASE='ou=users,dc=deuxfleurs,dc=fr' \
|
|
||||||
-e LDAP_VERSION=3 \
|
|
||||||
-e LDAP_BIND_DN='cn=admin,dc=deuxfleurs,dc=fr' \
|
|
||||||
-e LDAP_BIND_PW='xxxx' \
|
|
||||||
-e MYSQL_PASSWORD='xxxx' \
|
|
||||||
superboum/amd64_mariadb:v1 \
|
|
||||||
tail -f /var/log/mysql/error.log
|
|
||||||
|
|
||||||
CREATE USER quentin@localhost IDENTIFIED VIA pam USING 'mariadb';
|
|
||||||
|
|
||||||
```
|
|
|
@ -1,50 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
set -e
|
|
||||||
|
|
||||||
cat > /etc/nslcd.conf <<EOF
|
|
||||||
# /etc/nslcd.conf
|
|
||||||
# nslcd configuration file. See nslcd.conf(5)
|
|
||||||
# for details.
|
|
||||||
|
|
||||||
# The user and group nslcd should run as.
|
|
||||||
uid nslcd
|
|
||||||
gid nslcd
|
|
||||||
|
|
||||||
# The location at which the LDAP server(s) should be reachable.
|
|
||||||
uri ${LDAP_URI}
|
|
||||||
|
|
||||||
# The search base that will be used for all queries.
|
|
||||||
base ${LDAP_BASE}
|
|
||||||
|
|
||||||
# The LDAP protocol version to use.
|
|
||||||
ldap_version ${LDAP_VERSION}
|
|
||||||
|
|
||||||
# The DN to bind with for normal lookups.
|
|
||||||
binddn ${LDAP_BIND_DN}
|
|
||||||
bindpw ${LDAP_BIND_PW}
|
|
||||||
|
|
||||||
# The DN used for password modifications by root.
|
|
||||||
#rootpwmoddn cn=admin,dc=example,dc=com
|
|
||||||
|
|
||||||
# SSL options
|
|
||||||
#ssl off
|
|
||||||
#tls_reqcert never
|
|
||||||
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
|
|
||||||
|
|
||||||
# The search scope.
|
|
||||||
#scope sub
|
|
||||||
EOF
|
|
||||||
|
|
||||||
/usr/sbin/nslcd
|
|
||||||
|
|
||||||
chown mysql:mysql /var/lib/mysql
|
|
||||||
[ -z "$(ls -A /var/lib/mysql)" ] && mysql_install_db --user=mysql --basedir=/usr --datadir=/var/lib/mysql
|
|
||||||
|
|
||||||
/usr/bin/mysqld_safe &
|
|
||||||
|
|
||||||
until ls /var/run/mysqld/mysqld.sock; do sleep 1; done
|
|
||||||
/usr/bin/mysqladmin -u root password ${MYSQL_PASSWORD} || true
|
|
||||||
|
|
||||||
exec "$@"
|
|
||||||
|
|
|
@ -1,21 +0,0 @@
|
||||||
# /etc/nsswitch.conf
|
|
||||||
#
|
|
||||||
# Example configuration of GNU Name Service Switch functionality.
|
|
||||||
# If you have the `glibc-doc-reference' and `info' packages installed, try:
|
|
||||||
# `info libc "Name Service Switch"' for information about this file.
|
|
||||||
|
|
||||||
passwd: files ldap
|
|
||||||
group: files ldap
|
|
||||||
shadow: files ldap
|
|
||||||
gshadow: files
|
|
||||||
|
|
||||||
hosts: files dns
|
|
||||||
networks: files
|
|
||||||
|
|
||||||
protocols: db files
|
|
||||||
services: db files
|
|
||||||
ethers: db files
|
|
||||||
rpc: db files
|
|
||||||
|
|
||||||
netgroup: nis
|
|
||||||
|
|
|
@ -1,2 +0,0 @@
|
||||||
auth required pam_ldap.so
|
|
||||||
account required pam_ldap.so
|
|
|
@ -1,27 +0,0 @@
|
||||||
FROM debian:10
|
|
||||||
|
|
||||||
RUN apt-get update && \
|
|
||||||
apt-get -qq -y full-upgrade
|
|
||||||
|
|
||||||
RUN apt-get install -y apache2 php php-gd php-mbstring php-pgsql php-curl php-dom php-xml php-zip \
|
|
||||||
php-intl php-ldap php-fileinfo php-exif php-apcu php-redis php-imagick unzip curl wget && \
|
|
||||||
phpenmod gd && \
|
|
||||||
phpenmod curl && \
|
|
||||||
phpenmod mbstring && \
|
|
||||||
phpenmod pgsql && \
|
|
||||||
phpenmod dom && \
|
|
||||||
phpenmod zip && \
|
|
||||||
phpenmod intl && \
|
|
||||||
phpenmod ldap && \
|
|
||||||
phpenmod fileinfo && \
|
|
||||||
phpenmod exif && \
|
|
||||||
phpenmod apcu && \
|
|
||||||
phpenmod redis && \
|
|
||||||
phpenmod imagick && \
|
|
||||||
phpenmod xml
|
|
||||||
|
|
||||||
COPY container-setup.sh /tmp
|
|
||||||
RUN /tmp/container-setup.sh
|
|
||||||
|
|
||||||
COPY entrypoint.sh /
|
|
||||||
CMD /entrypoint.sh
|
|
|
@ -1,37 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
|
|
||||||
set -ex
|
|
||||||
|
|
||||||
curl https://download.nextcloud.com/server/releases/nextcloud-19.0.0.zip > /tmp/nextcloud.zip
|
|
||||||
cd /var/www
|
|
||||||
unzip /tmp/nextcloud.zip
|
|
||||||
rm /tmp/nextcloud.zip
|
|
||||||
mv html html.old
|
|
||||||
mv nextcloud html
|
|
||||||
|
|
||||||
cd html
|
|
||||||
mkdir data
|
|
||||||
|
|
||||||
cd apps
|
|
||||||
wget https://github.com/nextcloud/tasks/releases/download/v0.13.1/tasks.tar.gz
|
|
||||||
tar xf tasks.tar.gz
|
|
||||||
wget https://github.com/nextcloud/maps/releases/download/v0.1.6/maps-0.1.6.tar.gz
|
|
||||||
tar xf maps-0.1.6.tar.gz
|
|
||||||
wget https://github.com/nextcloud/calendar/releases/download/v2.0.3/calendar.tar.gz
|
|
||||||
tar xf calendar.tar.gz
|
|
||||||
wget https://github.com/nextcloud/news/releases/download/14.1.11/news.tar.gz
|
|
||||||
tar xf news.tar.gz
|
|
||||||
wget https://github.com/nextcloud/notes/releases/download/v3.6.0/notes.tar.gz
|
|
||||||
tar xf notes.tar.gz
|
|
||||||
wget https://github.com/nextcloud/contacts/releases/download/v3.3.0/contacts.tar.gz
|
|
||||||
tar xf contacts.tar.gz
|
|
||||||
wget https://github.com/nextcloud/mail/releases/download/v1.4.0/mail.tar.gz
|
|
||||||
tar xf mail.tar.gz
|
|
||||||
wget https://github.com/nextcloud/groupfolders/releases/download/v6.0.6/groupfolders.tar.gz
|
|
||||||
tar xf groupfolders.tar.gz
|
|
||||||
rm *.tar.gz
|
|
||||||
|
|
||||||
chown -R www-data:www-data /var/www/html
|
|
||||||
|
|
||||||
cd /var/www/html
|
|
||||||
php occ
|
|
|
@ -1,8 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
|
|
||||||
set -xe
|
|
||||||
|
|
||||||
chown www-data:www-data /var/www/html/config/config.php
|
|
||||||
touch /var/www/html/data/.ocdata
|
|
||||||
|
|
||||||
exec apachectl -DFOREGROUND
|
|
Binary file not shown.
|
@ -1,4 +0,0 @@
|
||||||
FROM amd64/openjdk:13-alpine
|
|
||||||
|
|
||||||
COPY pithos-0.7.5-standalone.jar /srv/pithos.jar
|
|
||||||
ENTRYPOINT ["/opt/openjdk-13/bin/java", "-jar", "/srv/pithos.jar"]
|
|
|
@ -1,9 +0,0 @@
|
||||||
This project is considered as "dangerous" as it is tagged as "Project not under active development".
|
|
||||||
Consequently, just in case, I am backuping the .jar and the sources in this git repo.
|
|
||||||
Better safe than sorry or pretty.
|
|
||||||
|
|
||||||
```
|
|
||||||
sudo docker build -t superboum/amd64_pithos:v1 .
|
|
||||||
sudo docker push superboum/amd64_pithos:v1
|
|
||||||
sudo docker run --rm -it -p 8080:8080 -v pithos.yaml:/etc/pithos/pithos.yaml superboum/amd64_pithos:v1
|
|
||||||
```
|
|
Binary file not shown.
|
@ -1,9 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
until plm migration run;
|
|
||||||
do sleep 2;
|
|
||||||
done
|
|
||||||
plm search init
|
|
||||||
plm instance new --domain "$DOMAIN_NAME" --name "$INSTANCE_NAME" --private
|
|
||||||
|
|
||||||
plume
|
|
|
@ -1,19 +0,0 @@
|
||||||
FROM amd64/debian:stretch
|
|
||||||
|
|
||||||
RUN echo "deb http://deb.debian.org/debian stretch-backports main contrib non-free # available after stretch release" > /etc/apt/sources.list.d/stretch-backports.list && \
|
|
||||||
apt-get update && \
|
|
||||||
apt-get -qq -y full-upgrade && \
|
|
||||||
apt-get install -y postgresql-all golang-1.11 git && \
|
|
||||||
export GOPATH=/usr/local/go && \
|
|
||||||
mkdir -p /usr/local/go/src/github.com/sorintlab && \
|
|
||||||
cd /usr/local/go/src/github.com/sorintlab && \
|
|
||||||
git clone --depth=1 https://github.com/sorintlab/stolon && \
|
|
||||||
ln -s /usr/lib/go-1.11/bin/go /usr/bin/go && \
|
|
||||||
ln -s /usr/lib/go-1.11/bin/gofmt /usr/bin/gofmt && \
|
|
||||||
cd ./stolon && \
|
|
||||||
./build && \
|
|
||||||
mv /usr/local/go/src/github.com/sorintlab/stolon/bin/* /usr/local/bin/ && \
|
|
||||||
rm -rf /usr/local/go
|
|
||||||
|
|
||||||
USER postgres
|
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
```
|
|
||||||
docker build -t superboum/arm32v7_postgres .
|
|
||||||
docker build -t superboum/amd64_postgres:v2 .
|
|
||||||
```
|
|
|
@ -1,22 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
if [ -f /local/pg_hba.conf ]; then
|
|
||||||
echo "Copying Nomad configuration..."
|
|
||||||
cp /local/pg_hba.conf /etc/postgresql/9.6/main/
|
|
||||||
echo "Done"
|
|
||||||
fi
|
|
||||||
|
|
||||||
|
|
||||||
if [ -z "$(ls -A /var/lib/postgresql/9.6/main)" ]; then
|
|
||||||
echo "Copying base"
|
|
||||||
cp -r /var/lib/postgresql/9.6/base/* /var/lib/postgresql/9.6/main
|
|
||||||
echo "Done"
|
|
||||||
fi
|
|
||||||
|
|
||||||
chmod -R 700 /var/lib/postgresql/9.6/main
|
|
||||||
chown -R postgres /var/lib/postgresql/9.6/main
|
|
||||||
|
|
||||||
echo "Starting postgres..."
|
|
||||||
. /usr/share/postgresql-common/init.d-functions
|
|
||||||
start 9.6
|
|
||||||
tail -f /var/log/postgresql/postgresql-9.6-main.log
|
|
|
@ -1,46 +0,0 @@
|
||||||
FROM amd64/debian:buster as builder
|
|
||||||
|
|
||||||
ENV VERSION 7.0.5
|
|
||||||
|
|
||||||
RUN apt-get update && \
|
|
||||||
apt-get dist-upgrade -y && \
|
|
||||||
DEBIAN_FRONTEND=noninteractive apt-get install -y wget tar && \
|
|
||||||
wget https://download.seadrive.org/seafile-server_${VERSION}_x86-64.tar.gz -O ./seafile.tar.gz && \
|
|
||||||
tar xf ./seafile.tar.gz && \
|
|
||||||
mv seafile-server-${VERSION} seafile-server
|
|
||||||
|
|
||||||
FROM amd64/debian:buster
|
|
||||||
|
|
||||||
COPY --from=builder ./seafile-server /srv/webstore/seafile-server
|
|
||||||
|
|
||||||
RUN apt-get update && \
|
|
||||||
apt-get dist-upgrade -y && \
|
|
||||||
DEBIAN_FRONTEND=noninteractive apt-get install -y \
|
|
||||||
python \
|
|
||||||
mariadb-client \
|
|
||||||
python2.7 \
|
|
||||||
libpython2.7 \
|
|
||||||
python-setuptools \
|
|
||||||
python-ldap \
|
|
||||||
python-urllib3 \
|
|
||||||
ffmpeg \
|
|
||||||
python-pip \
|
|
||||||
python-mysqldb \
|
|
||||||
python-memcache \
|
|
||||||
procps \
|
|
||||||
python-requests && \
|
|
||||||
pip install Pillow==4.3.0 && \
|
|
||||||
pip install moviepy && \
|
|
||||||
useradd -u 1000 -d /srv/webstore seauser && \
|
|
||||||
chown -R seauser:1000 /srv/webstore/
|
|
||||||
|
|
||||||
RUN mkdir -p /usr/local/lib/mariadb/plugin/ && \
|
|
||||||
ln -s /usr/lib/x86_64-linux-gnu/mariadb*/plugin/mysql_clear_password.so /usr/local/lib/mariadb/plugin/ && \
|
|
||||||
ln -s /usr/lib/x86_64-linux-gnu/mariadb*/plugin/dialog.so /usr/local/lib/mariadb/plugin/
|
|
||||||
|
|
||||||
WORKDIR /srv/webstore/seafile-server
|
|
||||||
COPY seadocker /usr/local/bin/seadocker
|
|
||||||
COPY seaenv /usr/local/bin/seaenv
|
|
||||||
|
|
||||||
ENTRYPOINT ["/usr/local/bin/seaenv"]
|
|
||||||
CMD ["/usr/local/bin/seadocker"]
|
|
|
@ -1,27 +0,0 @@
|
||||||
|
|
||||||
```bash
|
|
||||||
sudo docker build -t superboum/amd64_seafile:v5 .
|
|
||||||
```
|
|
||||||
|
|
||||||
When upgrading, connect on a production server and run:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
nomad stop seafile
|
|
||||||
sudo docker build -t superboum/amd64_seafile:v6 .
|
|
||||||
|
|
||||||
sudo docker run -t -i \
|
|
||||||
-v /mnt/glusterfs/seafile:/mnt/seafile-data \
|
|
||||||
-v /mnt/glusterfs/seaconf/conf:/srv/webstore/conf \
|
|
||||||
-v /mnt/glusterfs/seaconf/ccnet:/srv/webstore/ccnet \
|
|
||||||
superboum/amd64_seafile:v5
|
|
||||||
|
|
||||||
# See:
|
|
||||||
# * https://download.seafile.com/published/seafile-manual/deploy/upgrade.md
|
|
||||||
# * https://download.seafile.com/published/seafile-manual/changelog/server-changelog.md
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
nomad start seafile.hcl
|
|
||||||
```
|
|
||||||
|
|
||||||
when upgrading, change the command on start
|
|
|
@ -1,4 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
/srv/webstore/seafile-server/seafile.sh start
|
|
||||||
/srv/webstore/seafile-server/seahub.sh start
|
|
||||||
tail -f /srv/webstore/logs/*
|
|
|
@ -1,7 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
chown seauser /srv/webstore
|
|
||||||
chown seauser -R /srv/webstore/ccnet
|
|
||||||
chown seauser -R /srv/webstore/conf
|
|
||||||
|
|
||||||
runuser -u seauser -- "$@"
|
|
|
@ -1,9 +0,0 @@
|
||||||
FROM golang:1.11.1-stretch as builder
|
|
||||||
|
|
||||||
COPY ./goStatic /goStatic
|
|
||||||
WORKDIR /goStatic
|
|
||||||
RUN CGO_ENABLED=0 go build -a -o web-server .
|
|
||||||
|
|
||||||
FROM scratch
|
|
||||||
COPY --from=builder /goStatic/web-server /
|
|
||||||
ENTRYPOINT ["/web-server"]
|
|
|
@ -1,5 +0,0 @@
|
||||||
|
|
||||||
```
|
|
||||||
sudo docker build -t superboum/amd64_webserver:v3 .
|
|
||||||
sudo docker push superboum/amd64_webserver:v3
|
|
||||||
```
|
|
|
@ -1 +0,0 @@
|
||||||
Subproject commit 3f97f57aaee09a142afe3ca0f1a5d51acd856436
|
|
1
app/build/webpull/.gitignore
vendored
1
app/build/webpull/.gitignore
vendored
|
@ -1 +0,0 @@
|
||||||
main
|
|
|
@ -1,9 +0,0 @@
|
||||||
FROM node:13.8-buster
|
|
||||||
|
|
||||||
RUN apt-get update && \
|
|
||||||
apt-get install -y git
|
|
||||||
|
|
||||||
COPY ./main /srv/httpd
|
|
||||||
WORKDIR /srv
|
|
||||||
CMD ["/srv/httpd"]
|
|
||||||
|
|
|
@ -1,12 +0,0 @@
|
||||||
FROM fedora:32
|
|
||||||
|
|
||||||
ENV LC_ALL=C.UTF-8
|
|
||||||
ENV LANG=C.UTF-8
|
|
||||||
ENV LANGUAGE=en_US.UTF-8
|
|
||||||
ENV RUBYOPT --disable-did_you_mean
|
|
||||||
|
|
||||||
RUN dnf install -y git ruby ruby-devel rubygems rubygem-bundler @development-tools redhat-rpm-config gcc-c++ zlib-devel
|
|
||||||
|
|
||||||
COPY ./main /srv/httpd
|
|
||||||
WORKDIR /srv
|
|
||||||
CMD ["/srv/httpd"]
|
|
|
@ -1,23 +0,0 @@
|
||||||
# webpull
|
|
||||||
|
|
||||||
Webpull allows you to update your live website without deploying a new docker container but by simply calling an URL
|
|
||||||
|
|
||||||
You need to specify a secret token at boot:
|
|
||||||
|
|
||||||
```
|
|
||||||
WEBPULL_TOKEN=s3cr3et ./webpull
|
|
||||||
```
|
|
||||||
|
|
||||||
## Node.js version
|
|
||||||
|
|
||||||
```
|
|
||||||
go build ./main.go
|
|
||||||
sudo docker build -f ./Dockerfile.nodejs -t superboum/amd64_webpull_pug:v1 .
|
|
||||||
```
|
|
||||||
|
|
||||||
## Ruby version
|
|
||||||
|
|
||||||
```
|
|
||||||
go build ./main.go
|
|
||||||
sudo docker build -f ./Dockerfile.ruby -t superboum/amd64_webpull_ruby:v1 .
|
|
||||||
```
|
|
|
@ -1,100 +0,0 @@
|
||||||
package main
|
|
||||||
|
|
||||||
import (
|
|
||||||
"fmt"
|
|
||||||
"errors"
|
|
||||||
"io"
|
|
||||||
"os/exec"
|
|
||||||
"os"
|
|
||||||
"log"
|
|
||||||
"net/http"
|
|
||||||
"strings"
|
|
||||||
)
|
|
||||||
|
|
||||||
func myexec(w io.Writer, main string, params ...string) error {
|
|
||||||
cmd := exec.Command(main, params...)
|
|
||||||
cmd.Stdout = w
|
|
||||||
cmd.Stderr = w
|
|
||||||
err := cmd.Run()
|
|
||||||
if err != nil {
|
|
||||||
fmt.Fprintf(w, "Failed to run: %s %s\n", main, strings.Join(params, " "))
|
|
||||||
}
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
func update(w io.Writer) error {
|
|
||||||
fmt.Fprintf(w, "Start update...\n")
|
|
||||||
_, err := os.Stat("./.git")
|
|
||||||
if err != nil {
|
|
||||||
fmt.Fprintf(w, ".git folder does not exist, creating it...\n")
|
|
||||||
err := myexec(w, "git", "init")
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
err = myexec(w, "git", "remote", "get-url", "origin")
|
|
||||||
if err != nil {
|
|
||||||
repo, exists := os.LookupEnv("WEBPULL_REPO")
|
|
||||||
if !exists {
|
|
||||||
fmt.Fprintf(w, "You must define WEBPULL_REPO env variable...\n")
|
|
||||||
return errors.New("Missing environment variable WEBPULL_REPO")
|
|
||||||
}
|
|
||||||
fmt.Fprintf(w, "git remote is not yet set...\n")
|
|
||||||
err := myexec(w, "git", "remote", "add", "origin", repo)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
err = myexec(w, "git", "pull", "origin", "master")
|
|
||||||
if err != nil {
|
|
||||||
fmt.Fprintf(w, "Failed to pull...\n")
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
_, err = os.Stat("./.webpull")
|
|
||||||
if err != nil {
|
|
||||||
fmt.Fprintf(w, "You must create an executable file named '.webpull' at the root of your repository.\nIf you have nothing to run, just create an empty bash script...\n")
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
err = myexec(w, "./.webpull")
|
|
||||||
if err != nil {
|
|
||||||
fmt.Fprintf(w, "An error occured during script execution\n")
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
fmt.Fprintf(w, "Success.\n")
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func main() {
|
|
||||||
token, exists := os.LookupEnv("WEBPULL_TOKEN")
|
|
||||||
if !exists {
|
|
||||||
log.Fatal("Environment variable 'WEBPULL_TOKEN' must be defined")
|
|
||||||
}
|
|
||||||
|
|
||||||
if update(os.Stdout) != nil {
|
|
||||||
log.Fatal("Initial 'update' failed")
|
|
||||||
}
|
|
||||||
|
|
||||||
fs := http.FileServer(http.Dir("./static"))
|
|
||||||
http.HandleFunc("/update", func(w http.ResponseWriter, r *http.Request) {
|
|
||||||
keys, ok := r.URL.Query()["token"]
|
|
||||||
if !ok || len(keys[0]) < 1 {
|
|
||||||
http.Error(w, "Missing 'token' query parameter", 401)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
if keys[0] != token {
|
|
||||||
http.Error(w, "Wrong token", 401)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
update(w)
|
|
||||||
})
|
|
||||||
http.Handle("/", fs)
|
|
||||||
|
|
||||||
log.Fatal(http.ListenAndServe(":8080", nil))
|
|
||||||
}
|
|
33
app/config/configuration/.gitignore
vendored
33
app/config/configuration/.gitignore
vendored
|
@ -1,33 +0,0 @@
|
||||||
# Blacklist everything cleverly
|
|
||||||
*
|
|
||||||
!*/
|
|
||||||
|
|
||||||
# Whitelist some patterns
|
|
||||||
!*.sample
|
|
||||||
!*.gen
|
|
||||||
!*.tpl
|
|
||||||
!.gitignore
|
|
||||||
|
|
||||||
# Whitelist specific files
|
|
||||||
!seafile/conf/seafdav.conf
|
|
||||||
!seafile/ccnet/seafile.ini
|
|
||||||
|
|
||||||
!email/dkim/keytable
|
|
||||||
!email/dkim/signingtable
|
|
||||||
!email/dkim/trusted
|
|
||||||
!email/postfix/dynamicmaps.cf
|
|
||||||
!email/postfix/header_checks
|
|
||||||
!email/postfix/main.cf
|
|
||||||
!email/postfix/master.cf
|
|
||||||
!email/postfix/transport
|
|
||||||
!email/postfix/transport.db
|
|
||||||
|
|
||||||
!email/sogo/sogo.conf.tpl
|
|
||||||
|
|
||||||
!chat/**/*
|
|
||||||
!plume/**/*
|
|
||||||
!directory/*/*
|
|
||||||
|
|
||||||
!traefik/traefik.toml
|
|
||||||
|
|
||||||
!garage/config.toml
|
|
|
@ -1,133 +0,0 @@
|
||||||
# Homeserver details
|
|
||||||
homeserver:
|
|
||||||
# The address that this appservice can use to connect to the homeserver.
|
|
||||||
address: https://im.deuxfleurs.fr
|
|
||||||
# The domain of the homeserver (for MXIDs, etc).
|
|
||||||
domain: deuxfleurs.fr
|
|
||||||
# Whether or not to verify the SSL certificate of the homeserver.
|
|
||||||
# Only applies if address starts with https://
|
|
||||||
verify_ssl: true
|
|
||||||
|
|
||||||
# Application service host/registration related details
|
|
||||||
# Changing these values requires regeneration of the registration.
|
|
||||||
appservice:
|
|
||||||
# The address that the homeserver can use to connect to this appservice.
|
|
||||||
address: http://fb2mx.service.2.cluster.deuxfleurs.fr:29319
|
|
||||||
|
|
||||||
# The hostname and port where this appservice should listen.
|
|
||||||
hostname: 0.0.0.0
|
|
||||||
port: 29319
|
|
||||||
# The maximum body size of appservice API requests (from the homeserver) in mebibytes
|
|
||||||
# Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
|
|
||||||
max_body_size: 1
|
|
||||||
|
|
||||||
# The full URI to the database. SQLite and Postgres are fully supported.
|
|
||||||
# Other DBMSes supported by SQLAlchemy may or may not work.
|
|
||||||
# Format examples:
|
|
||||||
# SQLite: sqlite:///filename.db
|
|
||||||
# Postgres: postgres://username:password@hostname/dbname
|
|
||||||
database: '{{ key "secrets/chat/fb2mx/db_url" | trimSpace }}'
|
|
||||||
|
|
||||||
# The unique ID of this appservice.
|
|
||||||
id: facebook
|
|
||||||
# Username of the appservice bot.
|
|
||||||
bot_username: facebookbot
|
|
||||||
# Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
|
|
||||||
# to leave display name/avatar as-is.
|
|
||||||
bot_displayname: Facebook bridge bot
|
|
||||||
bot_avatar: mxc://maunium.net/ddtNPZSKMNqaUzqrHuWvUADv
|
|
||||||
|
|
||||||
# Community ID for bridged users (changes registration file) and rooms.
|
|
||||||
# Must be created manually.
|
|
||||||
community_id: "+fbusers:deuxfleurs.fr"
|
|
||||||
|
|
||||||
# Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
|
|
||||||
as_token: '{{ key "secrets/chat/fb2mx/as_token" | trimSpace }}'
|
|
||||||
hs_token: '{{ key "secrets/chat/fb2mx/hs_token" | trimSpace }}'
|
|
||||||
|
|
||||||
# Bridge config
|
|
||||||
bridge:
|
|
||||||
# Localpart template of MXIDs for Facebook users.
|
|
||||||
# {userid} is replaced with the user ID of the Facebook user.
|
|
||||||
username_template: "facebook_{userid}"
|
|
||||||
# Localpart template for per-user room grouping community IDs.
|
|
||||||
# The bridge will create these communities and add all of the specific user's portals to the community.
|
|
||||||
# {localpart} is the MXID localpart and {server} is the MXID server part of the user.
|
|
||||||
#
|
|
||||||
# `facebook_{localpart}={server}` is a good value.
|
|
||||||
community_template: "facebook_{localpart}={server}"
|
|
||||||
# Displayname template for Facebook users.
|
|
||||||
# {displayname} is replaced with the display name of the Facebook user
|
|
||||||
# as defined below in displayname_preference.
|
|
||||||
# Keys available for displayname_preference are also available here.
|
|
||||||
displayname_template: "{displayname} (FB)"
|
|
||||||
# Available keys:
|
|
||||||
# "name" (full name)
|
|
||||||
# "first_name"
|
|
||||||
# "last_name"
|
|
||||||
# "nickname"
|
|
||||||
# "own_nickname" (user-specific!)
|
|
||||||
displayname_preference:
|
|
||||||
- name
|
|
||||||
|
|
||||||
# The prefix for commands. Only required in non-management rooms.
|
|
||||||
command_prefix: "!fb"
|
|
||||||
|
|
||||||
# Number of chats to sync (and create portals for) on startup/login.
|
|
||||||
# Maximum 20, set 0 to disable automatic syncing.
|
|
||||||
initial_chat_sync: 10
|
|
||||||
# Whether or not the Facebook users of logged in Matrix users should be
|
|
||||||
# invited to private chats when the user sends a message from another client.
|
|
||||||
invite_own_puppet_to_pm: false
|
|
||||||
# Whether or not to use /sync to get presence, read receipts and typing notifications when using
|
|
||||||
# your own Matrix account as the Matrix puppet for your Facebook account.
|
|
||||||
sync_with_custom_puppets: true
|
|
||||||
# Whether or not to bridge presence in both directions. Facebook allows users not to broadcast
|
|
||||||
# presence, but then it won't send other users' presence to the client.
|
|
||||||
presence: true
|
|
||||||
# Whether or not to update avatars when syncing all contacts at startup.
|
|
||||||
update_avatar_initial_sync: true
|
|
||||||
|
|
||||||
# Permissions for using the bridge.
|
|
||||||
# Permitted values:
|
|
||||||
# user - Use the bridge with puppeting.
|
|
||||||
# admin - Use and administrate the bridge.
|
|
||||||
# Permitted keys:
|
|
||||||
# * - All Matrix users
|
|
||||||
# domain - All users on that homeserver
|
|
||||||
# mxid - Specific user
|
|
||||||
permissions:
|
|
||||||
"deuxfleurs.fr": "user"
|
|
||||||
|
|
||||||
# Python logging configuration.
|
|
||||||
#
|
|
||||||
# See section 16.7.2 of the Python documentation for more info:
|
|
||||||
# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
|
|
||||||
logging:
|
|
||||||
version: 1
|
|
||||||
formatters:
|
|
||||||
colored:
|
|
||||||
(): mautrix_facebook.util.ColorFormatter
|
|
||||||
format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
|
|
||||||
normal:
|
|
||||||
format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
|
|
||||||
handlers:
|
|
||||||
file:
|
|
||||||
class: logging.handlers.RotatingFileHandler
|
|
||||||
formatter: normal
|
|
||||||
filename: ./mautrix-facebook.log
|
|
||||||
maxBytes: 10485760
|
|
||||||
backupCount: 10
|
|
||||||
console:
|
|
||||||
class: logging.StreamHandler
|
|
||||||
formatter: colored
|
|
||||||
loggers:
|
|
||||||
mau:
|
|
||||||
level: DEBUG
|
|
||||||
fbchat:
|
|
||||||
level: DEBUG
|
|
||||||
aiohttp:
|
|
||||||
level: INFO
|
|
||||||
root:
|
|
||||||
level: DEBUG
|
|
||||||
handlers: [file, console]
|
|
|
@ -1,11 +0,0 @@
|
||||||
id: facebook
|
|
||||||
as_token: '{{ key "secrets/chat/fb2mx/as_token" | trimSpace }}'
|
|
||||||
hs_token: '{{ key "secrets/chat/fb2mx/hs_token" | trimSpace }}'
|
|
||||||
namespaces:
|
|
||||||
users:
|
|
||||||
- exclusive: true
|
|
||||||
regex: '@facebook_.+:deuxfleurs.fr'
|
|
||||||
group_id: '+fbusers:deuxfleurs.fr'
|
|
||||||
url: http://fb2mx.service.2.cluster.deuxfleurs.fr:29319
|
|
||||||
sender_localpart: facebookbot
|
|
||||||
rate_limited: false
|
|
|
@ -1,6 +0,0 @@
|
||||||
LDAP_URI = "ldap://bottin2.service.2.cluster.deuxfleurs.fr"
|
|
||||||
LDAP_BASE = "ou=users,dc=deuxfleurs,dc=fr"
|
|
||||||
LDAP_VERSION = 3
|
|
||||||
LDAP_BIND_DN = "{{ key "secrets/mariadb/main/ldap_binddn" | trimSpace }}"
|
|
||||||
LDAP_BIND_PW = "{{ key "secrets/mariadb/main/ldap_bindpwd" | trimSpace }}"
|
|
||||||
MYSQL_PASSWORD = "{{ key "secrets/mariadb/main/mysql_pwd" | trimSpace }}"
|
|
|
@ -1,49 +0,0 @@
|
||||||
<?php
|
|
||||||
$CONFIG = array (
|
|
||||||
'appstoreenabled' => false,
|
|
||||||
'instanceid' => '{{ key "secrets/nextcloud/instance_id" | trimSpace }}',
|
|
||||||
'passwordsalt' => '{{ key "secrets/nextcloud/password_salt" | trimSpace }}',
|
|
||||||
'secret' => '{{ key "secrets/nextcloud/secret" | trimSpace }}',
|
|
||||||
'trusted_domains' => array (
|
|
||||||
0 => 'nextcloud.deuxfleurs.fr',
|
|
||||||
),
|
|
||||||
'memcache.local' => '\\OC\\Memcache\\APCu',
|
|
||||||
|
|
||||||
'objectstore' => array(
|
|
||||||
'class' => '\\OC\\Files\\ObjectStore\\S3',
|
|
||||||
'arguments' => array(
|
|
||||||
'bucket' => 'nextcloud',
|
|
||||||
'autocreate' => false,
|
|
||||||
'key' => '{{ key "secrets/nextcloud/garage_access_key" | trimSpace }}',
|
|
||||||
'secret' => '{{ key "secrets/nextcloud/garage_secret_key" | trimSpace }}',
|
|
||||||
'hostname' => 'garage.deuxfleurs.fr',
|
|
||||||
'port' => 443,
|
|
||||||
'use_ssl' => true,
|
|
||||||
'region' => 'garage',
|
|
||||||
// required for some non Amazon S3 implementations
|
|
||||||
'use_path_style' => true
|
|
||||||
),
|
|
||||||
),
|
|
||||||
|
|
||||||
'dbtype' => 'pgsql',
|
|
||||||
'dbhost' => 'psql-proxy.service.2.cluster.deuxfleurs.fr',
|
|
||||||
'dbname' => 'nextcloud',
|
|
||||||
'dbtableprefix' => 'nc_',
|
|
||||||
'dbuser' => '{{ key "secrets/nextcloud/db_user" | trimSpace }}',
|
|
||||||
'dbpassword' => '{{ key "secrets/nextcloud/db_pass" | trimSpace }}',
|
|
||||||
|
|
||||||
'default_language' => 'fr',
|
|
||||||
'default_locale' => 'fr_FR',
|
|
||||||
|
|
||||||
'mail_domain' => 'deuxfleurs.fr',
|
|
||||||
'mail_from_address' => 'nextcloud@deuxfleurs.fr',
|
|
||||||
// TODO SMTP CONFIG
|
|
||||||
|
|
||||||
// TODO REDIS CACHE
|
|
||||||
|
|
||||||
'version' => '19.0.0.12',
|
|
||||||
'overwrite.cli.url' => 'https://nextcloud.deuxfleurs.fr',
|
|
||||||
|
|
||||||
'installed' => true,
|
|
||||||
);
|
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
/mnt/seafile-data/
|
|
|
@ -1,29 +0,0 @@
|
||||||
[General]
|
|
||||||
USER_NAME = deuxfleurs
|
|
||||||
ID = {{ key "secrets/seafile/ccnet/seafile_id" | trimSpace }}
|
|
||||||
NAME = deuxfleurs
|
|
||||||
SERVICE_URL = https://cloud.deuxfleurs.fr
|
|
||||||
|
|
||||||
[Network]
|
|
||||||
PORT = 10001
|
|
||||||
|
|
||||||
[Client]
|
|
||||||
PORT = 13418
|
|
||||||
|
|
||||||
[LDAP]
|
|
||||||
HOST = ldap://bottin2.service.2.cluster.deuxfleurs.fr/
|
|
||||||
BASE = ou=users,dc=deuxfleurs,dc=fr
|
|
||||||
USER_DN = {{ key "secrets/seafile/ccnet/ldap_binddn" | trimSpace }}
|
|
||||||
FILTER = memberOf=CN=seafile,OU=groups,DC=deuxfleurs,DC=fr
|
|
||||||
PASSWORD = {{ key "secrets/seafile/ccnet/ldap_bindpwd" | trimSpace }}
|
|
||||||
LOGIN_ATTR = mail
|
|
||||||
|
|
||||||
[Database]
|
|
||||||
ENGINE = mysql
|
|
||||||
HOST = mariadb.service.2.cluster.deuxfleurs.fr
|
|
||||||
PORT = 3306
|
|
||||||
USER = seafile
|
|
||||||
PASSWD = {{ key "secrets/seafile/ccnet/mysql_pwd" | trimSpace }}
|
|
||||||
DB = ccnet-db
|
|
||||||
CONNECTION_CHARSET = utf8
|
|
||||||
|
|
|
@ -1,5 +0,0 @@
|
||||||
[WEBDAV]
|
|
||||||
enabled = true
|
|
||||||
port = 8084
|
|
||||||
fastcgi = false
|
|
||||||
share_name = /seafdav
|
|
|
@ -1,19 +0,0 @@
|
||||||
[network]
|
|
||||||
port = 12001
|
|
||||||
|
|
||||||
[fileserver]
|
|
||||||
port = 8082
|
|
||||||
max_upload_size=8192
|
|
||||||
max_download_dir_size=8192
|
|
||||||
|
|
||||||
[database]
|
|
||||||
type = mysql
|
|
||||||
host = mariadb.service.2.cluster.deuxfleurs.fr
|
|
||||||
port = 3306
|
|
||||||
user = seafile
|
|
||||||
password = {{ key "secrets/seafile/ccnet/mysql_pwd" | trimSpace }}
|
|
||||||
db_name = seafile-db
|
|
||||||
connection_charset = utf8
|
|
||||||
|
|
||||||
[quota]
|
|
||||||
default = 50
|
|
|
@ -1,21 +0,0 @@
|
||||||
SECRET_KEY = "8ep+sgi&s1-f2cq2178!ekk!0h0nw2y4z1-olbaopxmodsd8vk"
|
|
||||||
FILE_SERVER_ROOT = 'https://cloud.deuxfleurs.fr/seafhttp'
|
|
||||||
DATABASES = {
|
|
||||||
'default': {
|
|
||||||
'ENGINE': 'django.db.backends.mysql',
|
|
||||||
'NAME': 'seahub-db',
|
|
||||||
'USER': 'seafile',
|
|
||||||
'PASSWORD': '{{ key "secrets/seafile/ccnet/mysql_pwd" | trimSpace }}',
|
|
||||||
'HOST': 'mariadb.service.2.cluster.deuxfleurs.fr',
|
|
||||||
'PORT': '3306',
|
|
||||||
'OPTIONS': {
|
|
||||||
'init_command': 'SET storage_engine=INNODB',
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
FILE_PREVIEW_MAX_SIZE = 100 * 1024 * 1024
|
|
||||||
ENABLE_THUMBNAIL = True
|
|
||||||
THUMBNAIL_ROOT = '/mnt/seafile-data/thumbnail/thumb/'
|
|
||||||
THUMBNAIL_EXTENSION = 'png'
|
|
||||||
THUMBNAIL_DEFAULT_SIZE = '24'
|
|
||||||
PREVIEW_DEFAULT_SIZE = '300'
|
|
|
@ -1,45 +0,0 @@
|
||||||
InsecureSkipVerify = true
|
|
||||||
defaultEntryPoints = ["http", "https"]
|
|
||||||
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.admin]
|
|
||||||
address = ":8082"
|
|
||||||
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
[entryPoints.http.redirect]
|
|
||||||
entryPoint = "https"
|
|
||||||
|
|
||||||
[entryPoints.https]
|
|
||||||
address = ":443"
|
|
||||||
compress = true
|
|
||||||
[entryPoints.https.tls]
|
|
||||||
|
|
||||||
[ping]
|
|
||||||
entrypoint = "admin"
|
|
||||||
|
|
||||||
[retry]
|
|
||||||
|
|
||||||
[acme]
|
|
||||||
email = "quentin@dufour.io"
|
|
||||||
storage = "traefik/acme/account"
|
|
||||||
entryPoint = "https"
|
|
||||||
onHostRule = true
|
|
||||||
|
|
||||||
[acme.httpChallenge]
|
|
||||||
entryPoint = "http"
|
|
||||||
|
|
||||||
[api]
|
|
||||||
entryPoint = "admin"
|
|
||||||
dashboard = true
|
|
||||||
|
|
||||||
[consul]
|
|
||||||
endpoint = "172.17.0.1:8500"
|
|
||||||
watch = true
|
|
||||||
prefix = "traefik"
|
|
||||||
|
|
||||||
[consulCatalog]
|
|
||||||
endpoint = "172.17.0.1:8500"
|
|
||||||
prefix = "traefik"
|
|
||||||
domain = "web.deuxfleurs.fr"
|
|
||||||
exposedByDefault = false
|
|
|
@ -1,7 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
find {configuration,secrets}/$1 -type f \
|
|
||||||
| grep --perl-regexp --invert-match "\.sample$|\.gen$|\.gitignore|\.sh$" \
|
|
||||||
| while read filename; do
|
|
||||||
consul kv put "${filename}" "@${filename}"
|
|
||||||
done
|
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue