Compare commits
5 commits
df466d9b4d
...
f5a7422f3a
Author | SHA1 | Date | |
---|---|---|---|
Julien Oculi | f5a7422f3a | ||
Julien Oculi | f587a7f011 | ||
Julien Oculi | 4c0af61306 | ||
Julien Oculi | dd73a3efb5 | ||
Julien Oculi | fe72e9df4f |
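--- /dev/null
+++ b/.env.example
@@ -0,0 +1,28 @@
+# FORGEJO
+
+## OAUTH2
+FORGEJO_OAUTH2_JWT_SECRET = ""
+
+## SECURITY
+FORGEJO_SECURITY_INTERNAL_TOKEN = ""
+FORGEJO_SECURITY_SECRET_KEY = ""
+
+## DB
+FORGEJO_DB_HOST = ""
+FORGEJO_DB_USER = ""
+FORGEJO_DB_NAME = ""
+FORGEJO_DB_PASSWD = ""
+
+## SERVER
+FORGEJO_SERVER_LFS_JWT_SECRET = ""
+
+# WIREGUARD
+
+## SERVER
+WIREGUARD_SERVER_PRIVATE_KEY = ""
+WIREGUARD_SERVER_PUBLIC_KEY = ""
+WIREGUARD_SERVER_LISTEN_PORT = ""
+
+## WIFI_FABLAB
+WIREGUARD_WIFI_FABLAB_PRIVATE_KEY = ""
+WIREGUARD_WIFI_FABLAB_PRIVATE_KEY = ""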
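Review bot: The last two lines of .env.example are both `WIREGUARD_WIFI_FABLAB_PRIVATE_KEY = ""`; the second should be `WIREGUARD_WIFI_FABLAB_PUBLIC_KEY = ""`, which the WireGuard server config's `[Peer]` block references as `PublicKey = {{ WIREGUARD_WIFI_FABLAB_PUBLIC_KEY }}` and which no line of this file defines, so load_secrets.sh would leave that placeholder unresolved. Because load_secrets.sh reads this file line by line rather than through an INI parser, the duplicated name is not caught at load time either. A short header would also help newcomers, e.g. `# Copy to .env and fill in every value; consumed by load_secrets.sh, one NAME = "value" per line`.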
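--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.env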
11
README.md
11
README.md
|
@ -11,6 +11,9 @@ Cloner ce dépôts sur votre système (pas de répertoire privilégié).
|
||||||
git clone https://git.cohabit.fr/cohabit/server_config.git
|
git clone https://git.cohabit.fr/cohabit/server_config.git
|
||||||
cd server_config
|
cd server_config
|
||||||
|
|
||||||
|
# Decrypt secrets
|
||||||
|
gpg -d .env.gpg
|
||||||
|
|
||||||
# Allow execute scripts
|
# Allow execute scripts
|
||||||
sudo chmod +x ./install.sh
|
sudo chmod +x ./install.sh
|
||||||
sudo chmod +x ./deploy.sh
|
sudo chmod +x ./deploy.sh
|
||||||
|
@ -19,6 +22,14 @@ sudo chmod +x ./deploy.sh
|
||||||
sudo ./install.sh --all && sudo ./deploy.sh --all
|
sudo ./install.sh --all && sudo ./deploy.sh --all
|
||||||
```
|
```
|
||||||
|
|
||||||
|
> [!WARNING]
|
||||||
|
>
|
||||||
|
> Après avoir executer `deploy.sh` tous les secrets sont écrits en clair dans
|
||||||
|
> les fichiers de configs et les scripts.\
|
||||||
|
> Ne surtout pas faire de `git commit` ou de `git push`.\
|
||||||
|
> Pour retourner à l'état d'origine faire un `git reset --hard HEAD` ou
|
||||||
|
> équivalent.
|
||||||
|
|
||||||
## Installation
|
## Installation
|
||||||
|
|
||||||
Pour installer les différents services/apps du serveur.
|
Pour installer les différents services/apps du serveur.
|
||||||
|
|
|
@ -3,7 +3,7 @@ cohabit.fr {
|
||||||
# Website entry point
|
# Website entry point
|
||||||
|
|
||||||
encode zstd gzip
|
encode zstd gzip
|
||||||
reverse_proxy 127.0.0.1:8000
|
reverse_proxy 127.0.0.1:6060
|
||||||
}
|
}
|
||||||
|
|
||||||
www.cohabit.fr {
|
www.cohabit.fr {
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
APP_NAME = Forgejo Fablab Cohabit
|
APP_NAME = Forgejo Fablab Cohabit
|
||||||
RUN_USER = git
|
RUN_USER = forgejo
|
||||||
RUN_MODE = prod
|
RUN_MODE = prod
|
||||||
WORK_PATH = /var/lib/forgejo
|
WORK_PATH = /var/lib/forgejo
|
||||||
|
|
||||||
|
@ -7,22 +7,22 @@ WORK_PATH = /var/lib/forgejo
|
||||||
DISABLE_REGULAR_ORG_CREATION = false
|
DISABLE_REGULAR_ORG_CREATION = false
|
||||||
|
|
||||||
[oauth2]
|
[oauth2]
|
||||||
JWT_SECRET = #! TODO use Secrets
|
JWT_SECRET = {{ FORGEJO_OAUTH2_JWT_SECRET }}
|
||||||
|
|
||||||
[security]
|
[security]
|
||||||
INTERNAL_TOKEN = #! TODO use Secrets
|
INTERNAL_TOKEN = {{ FORGEJO_SECURITY_INTERNAL_TOKEN }}
|
||||||
INSTALL_LOCK = true
|
INSTALL_LOCK = true
|
||||||
SECRET_KEY = #! TODO use Secrets
|
SECRET_KEY = {{ FORGEJO_SECURITY_SECRET_KEY }}
|
||||||
PASSWORD_HASH_ALGO = pbkdf2
|
PASSWORD_HASH_ALGO = pbkdf2
|
||||||
# ajout de la ligne suivante dans le cadre de la création d'un git hook pour le projet portfolios (par habib)
|
# ajout de la ligne suivante dans le cadre de la création d'un git hook pour le projet portfolios (par habib)
|
||||||
DISABLE_GIT_HOOKS = false
|
DISABLE_GIT_HOOKS = false
|
||||||
|
|
||||||
[database]
|
[database]
|
||||||
DB_TYPE = postgres
|
DB_TYPE = postgres
|
||||||
HOST = #! TODO use Secrets
|
HOST = {{ FORGEJO_DB_HOST }}
|
||||||
NAME = #! TODO use Secrets
|
NAME = {{ FORGEJO_DB_NAME }}
|
||||||
USER = #! TODO use Secrets
|
USER = {{ FORGEJO_DB_USER }}
|
||||||
PASSWD = #! TODO use Secrets
|
PASSWD = {{ FORGEJO_DB_PASSWD }}
|
||||||
SCHEMA =
|
SCHEMA =
|
||||||
SSL_MODE = disable
|
SSL_MODE = disable
|
||||||
CHARSET = utf8
|
CHARSET = utf8
|
||||||
|
@ -48,7 +48,7 @@ SSH_LISTEN_HOST = 0.0.0.0
|
||||||
START_SSH_SERVER = true
|
START_SSH_SERVER = true
|
||||||
LFS_START_SERVER = true
|
LFS_START_SERVER = true
|
||||||
# LFS_CONTENT_PATH = /var/lib/forgejo/data/lfs
|
# LFS_CONTENT_PATH = /var/lib/forgejo/data/lfs
|
||||||
LFS_JWT_SECRET = # TODO use Secrets
|
LFS_JWT_SECRET = {{ FORGEJO_SERVER_LFS_JWT_SECRET }}
|
||||||
OFFLINE_MODE = false
|
OFFLINE_MODE = false
|
||||||
|
|
||||||
[mailer]
|
[mailer]
|
||||||
|
|
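Review bot: In the [security] hunk, `SECRET_KEY = {{ FORGEJO_SECURITY_SECRET_KEY }}` and `INTERNAL_TOKEN = {{ FORGEJO_SECURITY_INTERNAL_TOKEN }}` are syntactically valid INI values, so if the matching .env entry is empty or load_secrets.sh is not run, the literal placeholder text becomes the live secret and, with `INSTALL_LOCK = true`, Forgejo starts with predictable values instead of refusing. Nothing in this change rejects a surviving placeholder. Suggest having the render step abort after the substitution loop when any placeholder remains, e.g. `grep -l '{{' $FILES && { echo 'unresolved secrets' >&2; exit 1; }`, and treating an empty .env value as an error. The same applies to the `[oauth2]`, `[database]` and `[server]` hunks here and to the two WireGuard hunks below.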
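--- /dev/null
+++ b/load_secrets.sh
@@ -0,0 +1,23 @@
+# Get all config files
+# FILES=$(find . -type f \ # Only files
+# -wholename "./*/*" \ # Only in subdir
+# -not -wholename "./.git*" \ # Not in .git/
+# -not -name "_*.sh" \ # Not _install.sh or _deploy.sh
+# -not -name "README.md") # Not README.md
+
+FILES=$(find . -type f -wholename "./*/*" -not -wholename "./.git*" -not -name "_*.sh" -not -name "README.md")
+
+cat .env | grep ".=." > .env.tmp # Clean .env entries
+readarray -t SECRETS < .env.tmp # Get all .env entries
+rm .env.tmp # Clean tmp file
+
+for file in $FILES
+do
+for secret in "${SECRETS[@]}"
+do
+KEY=$(echo $secret | grep -o "\w\+")
+VALUE=$(echo $secret | grep -oP '\w+\s*=\s*\K.*' | tr -d "\r")
+
+sed -r "s/\{\{\s*$KEY\s*\}\}/$VALUE/g" $file
+done
+done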
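Review bot: `KEY=$(echo $secret | grep -o "\w\+")` prints every word on the .env line, not just the name, so for any filled-in entry such as `FORGEJO_DB_HOST = "db1"` `$KEY` becomes a two-line string and the `sed -r "s/\{\{\s*$KEY\s*\}\}/$VALUE/g"` expression is malformed for every real secret. That same `sed` call inserts `$VALUE` unescaped, so a value containing `/`, `&` or `\` (base64-encoded WireGuard keys routinely contain `/`) breaks the expression, and the `""` that .env.example puts around every value is copied verbatim into the rendered files, which for `Endpoint = cohabit.fr:{{ WIREGUARD_SERVER_LISTEN_PORT }}` yields an unparseable port. Without `-i` the `sed` only prints to stdout, so unless deploy.sh captures that output (not visible here) no file is actually rewritten. The file also has no shebang although `readarray` and `"${SECRETS[@]}"` are bash-only, and the README's new `gpg -d .env.gpg` step decrypts to stdout rather than creating the `.env` this script reads (`gpg -o .env -d .env.gpg` would). A rewrite of the inner loop that anchors the key, strips one pair of quotes, escapes the replacement and writes in place is below.
```shell
#!/usr/bin/env bash
# … unchanged: FILES and SECRETS setup …
for file in $FILES
do
    for secret in "${SECRETS[@]}"
    do
        # name only: everything before the first '=', whitespace removed
        KEY=$(printf '%s' "${secret%%=*}" | tr -d '[:space:]')
        # value: text after '=', CR removed, one pair of surrounding quotes stripped
        VALUE=$(printf '%s' "$secret" | grep -oP '\w+\s*=\s*\K.*' | tr -d '\r' | sed -E 's/^"(.*)"$/\1/')
        # escape sed replacement metacharacters so base64 keys containing '/' survive
        ESCAPED=$(printf '%s' "$VALUE" | sed -e 's|[/&\\]|\\&|g')
        # -i writes in place; drop it if deploy.sh captures stdout instead
        sed -r -i "s/\{\{\s*$KEY\s*\}\}/$ESCAPED/g" "$file"
    done
done
```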
@ -1,11 +1,11 @@
|
||||||
[Interface]
|
[Interface]
|
||||||
Address = 10.0.0.2/24
|
Address = 10.0.0.2/24
|
||||||
PrivateKey = #! TODO use Secrets
|
PrivateKey = {{ WIREGUARD_WIFI_FABLAB_PRIVATE_KEY }}
|
||||||
DNS = 208.67.222.222, 208.67.220.220
|
DNS = 208.67.222.222, 208.67.220.220
|
||||||
MTU = 1420
|
MTU = 1420
|
||||||
|
|
||||||
[Peer]
|
[Peer]
|
||||||
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1 # Don't intercept local traffic
|
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1 # Don't intercept local traffic
|
||||||
Endpoint = cohabit.fr:#! TODO use Secrets
|
Endpoint = cohabit.fr:{{ WIREGUARD_SERVER_LISTEN_PORT }}
|
||||||
PersistentKeepalive = 25
|
PersistentKeepalive = 25
|
||||||
PublicKey = #! TODO use Secrets
|
PublicKey = {{ WIREGUARD_SERVER_PUBLIC_KEY }}
|
||||||
|
|
|
@ -1,13 +1,13 @@
|
||||||
[Interface]
|
[Interface]
|
||||||
PrivateKey = #! TODO use Secrets
|
PrivateKey = {{ WIREGUARD_SERVER_PRIVATE_KEY }}
|
||||||
Address = 10.0.0.1/24
|
Address = 10.0.0.1/24
|
||||||
MTU = 1420
|
MTU = 1420
|
||||||
ListenPort = #! TODO use Secrets
|
ListenPort = {{ WIREGUARD_SERVER_LISTEN_PORT }}
|
||||||
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
|
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
|
||||||
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE
|
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE
|
||||||
|
|
||||||
### Wifi Fablab ###
|
### Wifi Fablab ###
|
||||||
[Peer]
|
[Peer]
|
||||||
PublicKey = #! TODO use Secrets
|
PublicKey = {{ WIREGUARD_WIFI_FABLAB_PUBLIC_KEY }}
|
||||||
AllowedIPs = 10.0.0.2/32
|
AllowedIPs = 10.0.0.2/32
|
||||||
###################
|
###################
|
||||||
|
|