Compare commits

...

5 commits

8 changed files with 79 additions and 16 deletions

28
.env.example Normal file
View file

@ -0,0 +1,28 @@
# FORGEJO
## OAUTH2
FORGEJO_OAUTH2_JWT_SECRET = ""
## SECURITY
FORGEJO_SECURITY_INTERNAL_TOKEN = ""
FORGEJO_SECURITY_SECRET_KEY = ""
## DB
FORGEJO_DB_HOST = ""
FORGEJO_DB_USER = ""
FORGEJO_DB_NAME = ""
FORGEJO_DB_PASSWD = ""
## SERVER
FORGEJO_SERVER_LFS_JWT_SECRET = ""
# WIREGUARD
## SERVER
WIREGUARD_SERVER_PRIVATE_KEY = ""
WIREGUARD_SERVER_PUBLIC_KEY = ""
WIREGUARD_SERVER_LISTEN_PORT = ""
## WIFI_FABLAB
WIREGUARD_WIFI_FABLAB_PRIVATE_KEY = ""
WIREGUARD_WIFI_FABLAB_PRIVATE_KEY = ""

1
.gitignore vendored Normal file
View file

@ -0,0 +1 @@
.env

View file

@ -11,6 +11,9 @@ Cloner ce dépôts sur votre système (pas de répertoire privilégié).
git clone https://git.cohabit.fr/cohabit/server_config.git git clone https://git.cohabit.fr/cohabit/server_config.git
cd server_config cd server_config
# Decrypt secrets
gpg -d .env.gpg
# Allow execute scripts # Allow execute scripts
sudo chmod +x ./install.sh sudo chmod +x ./install.sh
sudo chmod +x ./deploy.sh sudo chmod +x ./deploy.sh
@ -19,6 +22,14 @@ sudo chmod +x ./deploy.sh
sudo ./install.sh --all && sudo ./deploy.sh --all sudo ./install.sh --all && sudo ./deploy.sh --all
``` ```
> [!WARNING]
>
> Après avoir executer `deploy.sh` tous les secrets sont écrits en clair dans
> les fichiers de configs et les scripts.\
> Ne surtout pas faire de `git commit` ou de `git push`.\
> Pour retourner à l'état d'origine faire un `git reset --hard HEAD` ou
> équivalent.
## Installation ## Installation
Pour installer les différents services/apps du serveur. Pour installer les différents services/apps du serveur.

View file

@ -3,7 +3,7 @@ cohabit.fr {
# Website entry point # Website entry point
encode zstd gzip encode zstd gzip
reverse_proxy 127.0.0.1:8000 reverse_proxy 127.0.0.1:6060
} }
www.cohabit.fr { www.cohabit.fr {

View file

@ -1,5 +1,5 @@
APP_NAME = Forgejo Fablab Cohabit APP_NAME = Forgejo Fablab Cohabit
RUN_USER = git RUN_USER = forgejo
RUN_MODE = prod RUN_MODE = prod
WORK_PATH = /var/lib/forgejo WORK_PATH = /var/lib/forgejo
@ -7,22 +7,22 @@ WORK_PATH = /var/lib/forgejo
DISABLE_REGULAR_ORG_CREATION = false DISABLE_REGULAR_ORG_CREATION = false
[oauth2] [oauth2]
JWT_SECRET = #! TODO use Secrets JWT_SECRET = {{ FORGEJO_OAUTH2_JWT_SECRET }}
[security] [security]
INTERNAL_TOKEN = #! TODO use Secrets INTERNAL_TOKEN = {{ FORGEJO_SECURITY_INTERNAL_TOKEN }}
INSTALL_LOCK = true INSTALL_LOCK = true
SECRET_KEY = #! TODO use Secrets SECRET_KEY = {{ FORGEJO_SECURITY_SECRET_KEY }}
PASSWORD_HASH_ALGO = pbkdf2 PASSWORD_HASH_ALGO = pbkdf2
# ajout de la ligne suivante dans le cadre de la création d'un git hook pour le projet portfolios (par habib) # ajout de la ligne suivante dans le cadre de la création d'un git hook pour le projet portfolios (par habib)
DISABLE_GIT_HOOKS = false DISABLE_GIT_HOOKS = false
[database] [database]
DB_TYPE = postgres DB_TYPE = postgres
HOST = #! TODO use Secrets HOST = {{ FORGEJO_DB_HOST }}
NAME = #! TODO use Secrets NAME = {{ FORGEJO_DB_NAME }}
USER = #! TODO use Secrets USER = {{ FORGEJO_DB_USER }}
PASSWD = #! TODO use Secrets PASSWD = {{ FORGEJO_DB_PASSWD }}
SCHEMA = SCHEMA =
SSL_MODE = disable SSL_MODE = disable
CHARSET = utf8 CHARSET = utf8
@ -48,7 +48,7 @@ SSH_LISTEN_HOST = 0.0.0.0
START_SSH_SERVER = true START_SSH_SERVER = true
LFS_START_SERVER = true LFS_START_SERVER = true
# LFS_CONTENT_PATH = /var/lib/forgejo/data/lfs # LFS_CONTENT_PATH = /var/lib/forgejo/data/lfs
LFS_JWT_SECRET = # TODO use Secrets LFS_JWT_SECRET = {{ FORGEJO_SERVER_LFS_JWT_SECRET }}
OFFLINE_MODE = false OFFLINE_MODE = false
[mailer] [mailer]

23
load_secrets.sh Normal file
View file

@ -0,0 +1,23 @@
# Get all config files
# FILES=$(find . -type f \ # Only files
# -wholename "./*/*" \ # Only in subdir
# -not -wholename "./.git*" \ # Not in .git/
# -not -name "_*.sh" \ # Not _install.sh or _deploy.sh
# -not -name "README.md") # Not README.md
FILES=$(find . -type f -wholename "./*/*" -not -wholename "./.git*" -not -name "_*.sh" -not -name "README.md")
cat .env | grep ".=." > .env.tmp # Clean .env entries
readarray -t SECRETS < .env.tmp # Get all .env entries
rm .env.tmp # Clean tmp file
for file in $FILES
do
for secret in "${SECRETS[@]}"
do
KEY=$(echo $secret | grep -o "\w\+")
VALUE=$(echo $secret | grep -oP '\w+\s*=\s*\K.*' | tr -d "\r")
sed -r "s/\{\{\s*$KEY\s*\}\}/$VALUE/g" $file
done
done

View file

@ -1,11 +1,11 @@
[Interface] [Interface]
Address = 10.0.0.2/24 Address = 10.0.0.2/24
PrivateKey = #! TODO use Secrets PrivateKey = {{ WIREGUARD_WIFI_FABLAB_PRIVATE_KEY }}
DNS = 208.67.222.222, 208.67.220.220 DNS = 208.67.222.222, 208.67.220.220
MTU = 1420 MTU = 1420
[Peer] [Peer]
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1 # Don't intercept local traffic AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1 # Don't intercept local traffic
Endpoint = cohabit.fr:#! TODO use Secrets Endpoint = cohabit.fr:{{ WIREGUARD_SERVER_LISTEN_PORT }}
PersistentKeepalive = 25 PersistentKeepalive = 25
PublicKey = #! TODO use Secrets PublicKey = {{ WIREGUARD_SERVER_PUBLIC_KEY }}

View file

@ -1,13 +1,13 @@
[Interface] [Interface]
PrivateKey = #! TODO use Secrets PrivateKey = {{ WIREGUARD_SERVER_PRIVATE_KEY }}
Address = 10.0.0.1/24 Address = 10.0.0.1/24
MTU = 1420 MTU = 1420
ListenPort = #! TODO use Secrets ListenPort = {{ WIREGUARD_SERVER_LISTEN_PORT }}
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE
### Wifi Fablab ### ### Wifi Fablab ###
[Peer] [Peer]
PublicKey = #! TODO use Secrets PublicKey = {{ WIREGUARD_WIFI_FABLAB_PUBLIC_KEY }}
AllowedIPs = 10.0.0.2/32 AllowedIPs = 10.0.0.2/32
################### ###################