cohabit/server_config
5
0
Fork 2
Code Issues 3 Pull requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: cohabit:df466d9b4d724ef9251e17edc9b56fd454f3738a
Branches Tags
cohabit:main
..
compare: cohabit:f5a7422f3a913067c5cafac253441699dc7793fb
Branches Tags
cohabit:main

5 commits
df466d9b4d ... f5a7422f3a

Author SHA1 Message Date
Julien Oculi f5a7422f3a feat: implement .env (secrets) loader 2024-05-30 17:34:23 +02:00
Julien Oculi f587a7f011 doc: update install instructions and warnings 2024-05-30 15:23:38 +02:00
Julien Oculi 4c0af61306 feat: provide .env file with matcher replace for config secrets 2024-05-30 15:12:12 +02:00
Julien Oculi dd73a3efb5 chore: update website proxy internal port 2024-05-30 15:02:12 +02:00
Julien Oculi fe72e9df4f fix: update forgejo app.ini user to fit install script 2024-05-30 14:46:41 +02:00
8 changed files with 79 additions and 16 deletions
Show stats Expand all files Collapse all files

28
.env.example Normal file
View file

@ -0,0 +1,28 @@
# FORGEJO
## OAUTH2
FORGEJO_OAUTH2_JWT_SECRET = ""
## SECURITY
FORGEJO_SECURITY_INTERNAL_TOKEN = ""
FORGEJO_SECURITY_SECRET_KEY = ""
## DB
FORGEJO_DB_HOST = ""
FORGEJO_DB_USER = ""
FORGEJO_DB_NAME = ""
FORGEJO_DB_PASSWD = ""
## SERVER
FORGEJO_SERVER_LFS_JWT_SECRET = ""
# WIREGUARD
## SERVER
WIREGUARD_SERVER_PRIVATE_KEY = ""
WIREGUARD_SERVER_PUBLIC_KEY = ""
WIREGUARD_SERVER_LISTEN_PORT = ""
## WIFI_FABLAB
WIREGUARD_WIFI_FABLAB_PRIVATE_KEY = ""
WIREGUARD_WIFI_FABLAB_PRIVATE_KEY = ""

1
.gitignore vendored Normal file
View file

@ -0,0 +1 @@
.env

11
README.md
View file

@ -11,6 +11,9 @@ Cloner ce dépôts sur votre système (pas de répertoire privilégié).
git clone https://git.cohabit.fr/cohabit/server_config.git
cd server_config
# Decrypt secrets
gpg -d .env.gpg
# Allow execute scripts
sudo chmod +x ./install.sh
sudo chmod +x ./deploy.sh
@ -19,6 +22,14 @@ sudo chmod +x ./deploy.sh
sudo ./install.sh --all && sudo ./deploy.sh --all
```
> [!WARNING]
>
> Après avoir executer `deploy.sh` tous les secrets sont écrits en clair dans
> les fichiers de configs et les scripts.\
> Ne surtout pas faire de `git commit` ou de `git push`.\
> Pour retourner à l'état d'origine faire un `git reset --hard HEAD` ou
> équivalent.
## Installation
Pour installer les différents services/apps du serveur.

2
caddy/caddy/Caddyfile
View file

@ -3,7 +3,7 @@ cohabit.fr {
# Website entry point
encode zstd gzip
reverse_proxy 127.0.0.1:8000
reverse_proxy 127.0.0.1:6060
}
www.cohabit.fr {

18
forgejo/forgejo/app.ini
View file

@ -1,5 +1,5 @@
APP_NAME = Forgejo Fablab Cohabit
RUN_USER = git
RUN_USER = forgejo
RUN_MODE = prod
WORK_PATH = /var/lib/forgejo
@ -7,22 +7,22 @@ WORK_PATH = /var/lib/forgejo
DISABLE_REGULAR_ORG_CREATION = false
[oauth2]
JWT_SECRET = #! TODO use Secrets
JWT_SECRET = {{ FORGEJO_OAUTH2_JWT_SECRET }}
[security]
INTERNAL_TOKEN = #! TODO use Secrets
INTERNAL_TOKEN = {{ FORGEJO_SECURITY_INTERNAL_TOKEN }}
INSTALL_LOCK = true
SECRET_KEY = #! TODO use Secrets
SECRET_KEY = {{ FORGEJO_SECURITY_SECRET_KEY }}
PASSWORD_HASH_ALGO = pbkdf2
# ajout de la ligne suivante dans le cadre de la création d'un git hook pour le projet portfolios (par habib)
DISABLE_GIT_HOOKS = false
[database]
DB_TYPE = postgres
HOST = #! TODO use Secrets
NAME = #! TODO use Secrets
USER = #! TODO use Secrets
PASSWD = #! TODO use Secrets
HOST = {{ FORGEJO_DB_HOST }}
NAME = {{ FORGEJO_DB_NAME }}
USER = {{ FORGEJO_DB_USER }}
PASSWD = {{ FORGEJO_DB_PASSWD }}
SCHEMA =
SSL_MODE = disable
CHARSET = utf8
@ -48,7 +48,7 @@ SSH_LISTEN_HOST = 0.0.0.0
START_SSH_SERVER = true
LFS_START_SERVER = true
# LFS_CONTENT_PATH = /var/lib/forgejo/data/lfs
LFS_JWT_SECRET = # TODO use Secrets
LFS_JWT_SECRET = {{ FORGEJO_SERVER_LFS_JWT_SECRET }}
OFFLINE_MODE = false
[mailer]

23
load_secrets.sh Normal file
View file

@ -0,0 +1,23 @@
# Get all config files
# FILES=$(find . -type f \ # Only files
# -wholename "./*/*" \ # Only in subdir
# -not -wholename "./.git*" \ # Not in .git/
# -not -name "_*.sh" \ # Not _install.sh or _deploy.sh
# -not -name "README.md") # Not README.md
FILES=$(find . -type f -wholename "./*/*" -not -wholename "./.git*" -not -name "_*.sh" -not -name "README.md")
cat .env | grep ".=." > .env.tmp # Clean .env entries
readarray -t SECRETS < .env.tmp # Get all .env entries
rm .env.tmp # Clean tmp file
for file in $FILES
do
for secret in "${SECRETS[@]}"
do
KEY=$(echo $secret | grep -o "\w\+")
VALUE=$(echo $secret | grep -oP '\w+\s*=\s*\K.*' | tr -d "\r")
sed -r "s/\{\{\s*$KEY\s*\}\}/$VALUE/g" $file
done
done

6
wireguard/clients/wifi_fablab.conf
View file

@ -1,11 +1,11 @@
[Interface]
Address = 10.0.0.2/24
PrivateKey = #! TODO use Secrets
PrivateKey = {{ WIREGUARD_WIFI_FABLAB_PRIVATE_KEY }}
DNS = 208.67.222.222, 208.67.220.220
MTU = 1420
[Peer]
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1 # Don't intercept local traffic
Endpoint = cohabit.fr:#! TODO use Secrets
Endpoint = cohabit.fr:{{ WIREGUARD_SERVER_LISTEN_PORT }}
PersistentKeepalive = 25
PublicKey = #! TODO use Secrets
PublicKey = {{ WIREGUARD_SERVER_PUBLIC_KEY }}

6
wireguard/server/wg0.conf
View file

@ -1,13 +1,13 @@
[Interface]
PrivateKey = #! TODO use Secrets
PrivateKey = {{ WIREGUARD_SERVER_PRIVATE_KEY }}
Address = 10.0.0.1/24
MTU = 1420
ListenPort = #! TODO use Secrets
ListenPort = {{ WIREGUARD_SERVER_LISTEN_PORT }}
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE
### Wifi Fablab ###
[Peer]
PublicKey = #! TODO use Secrets
PublicKey = {{ WIREGUARD_WIFI_FABLAB_PUBLIC_KEY }}
AllowedIPs = 10.0.0.2/32
###################