Compare commits
No commits in common. "f5a7422f3a913067c5cafac253441699dc7793fb" and "df466d9b4d724ef9251e17edc9b56fd454f3738a" have entirely different histories.
f5a7422f3a
...
df466d9b4d
28
.env.example
28
.env.example
|
@ -1,28 +0,0 @@
|
||||||
# FORGEJO
|
|
||||||
|
|
||||||
## OAUTH2
|
|
||||||
FORGEJO_OAUTH2_JWT_SECRET = ""
|
|
||||||
|
|
||||||
## SECURITY
|
|
||||||
FORGEJO_SECURITY_INTERNAL_TOKEN = ""
|
|
||||||
FORGEJO_SECURITY_SECRET_KEY = ""
|
|
||||||
|
|
||||||
## DB
|
|
||||||
FORGEJO_DB_HOST = ""
|
|
||||||
FORGEJO_DB_USER = ""
|
|
||||||
FORGEJO_DB_NAME = ""
|
|
||||||
FORGEJO_DB_PASSWD = ""
|
|
||||||
|
|
||||||
## SERVER
|
|
||||||
FORGEJO_SERVER_LFS_JWT_SECRET = ""
|
|
||||||
|
|
||||||
# WIREGUARD
|
|
||||||
|
|
||||||
## SERVER
|
|
||||||
WIREGUARD_SERVER_PRIVATE_KEY = ""
|
|
||||||
WIREGUARD_SERVER_PUBLIC_KEY = ""
|
|
||||||
WIREGUARD_SERVER_LISTEN_PORT = ""
|
|
||||||
|
|
||||||
## WIFI_FABLAB
|
|
||||||
WIREGUARD_WIFI_FABLAB_PRIVATE_KEY = ""
|
|
||||||
WIREGUARD_WIFI_FABLAB_PRIVATE_KEY = ""
|
|
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -1 +0,0 @@
|
||||||
.env
|
|
11
README.md
11
README.md
|
@ -11,9 +11,6 @@ Cloner ce dépôts sur votre système (pas de répertoire privilégié).
|
||||||
git clone https://git.cohabit.fr/cohabit/server_config.git
|
git clone https://git.cohabit.fr/cohabit/server_config.git
|
||||||
cd server_config
|
cd server_config
|
||||||
|
|
||||||
# Decrypt secrets
|
|
||||||
gpg -d .env.gpg
|
|
||||||
|
|
||||||
# Allow execute scripts
|
# Allow execute scripts
|
||||||
sudo chmod +x ./install.sh
|
sudo chmod +x ./install.sh
|
||||||
sudo chmod +x ./deploy.sh
|
sudo chmod +x ./deploy.sh
|
||||||
|
@ -22,14 +19,6 @@ sudo chmod +x ./deploy.sh
|
||||||
sudo ./install.sh --all && sudo ./deploy.sh --all
|
sudo ./install.sh --all && sudo ./deploy.sh --all
|
||||||
```
|
```
|
||||||
|
|
||||||
> [!WARNING]
|
|
||||||
>
|
|
||||||
> Après avoir executer `deploy.sh` tous les secrets sont écrits en clair dans
|
|
||||||
> les fichiers de configs et les scripts.\
|
|
||||||
> Ne surtout pas faire de `git commit` ou de `git push`.\
|
|
||||||
> Pour retourner à l'état d'origine faire un `git reset --hard HEAD` ou
|
|
||||||
> équivalent.
|
|
||||||
|
|
||||||
## Installation
|
## Installation
|
||||||
|
|
||||||
Pour installer les différents services/apps du serveur.
|
Pour installer les différents services/apps du serveur.
|
||||||
|
|
|
@ -3,7 +3,7 @@ cohabit.fr {
|
||||||
# Website entry point
|
# Website entry point
|
||||||
|
|
||||||
encode zstd gzip
|
encode zstd gzip
|
||||||
reverse_proxy 127.0.0.1:6060
|
reverse_proxy 127.0.0.1:8000
|
||||||
}
|
}
|
||||||
|
|
||||||
www.cohabit.fr {
|
www.cohabit.fr {
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
APP_NAME = Forgejo Fablab Cohabit
|
APP_NAME = Forgejo Fablab Cohabit
|
||||||
RUN_USER = forgejo
|
RUN_USER = git
|
||||||
RUN_MODE = prod
|
RUN_MODE = prod
|
||||||
WORK_PATH = /var/lib/forgejo
|
WORK_PATH = /var/lib/forgejo
|
||||||
|
|
||||||
|
@ -7,22 +7,22 @@ WORK_PATH = /var/lib/forgejo
|
||||||
DISABLE_REGULAR_ORG_CREATION = false
|
DISABLE_REGULAR_ORG_CREATION = false
|
||||||
|
|
||||||
[oauth2]
|
[oauth2]
|
||||||
JWT_SECRET = {{ FORGEJO_OAUTH2_JWT_SECRET }}
|
JWT_SECRET = #! TODO use Secrets
|
||||||
|
|
||||||
[security]
|
[security]
|
||||||
INTERNAL_TOKEN = {{ FORGEJO_SECURITY_INTERNAL_TOKEN }}
|
INTERNAL_TOKEN = #! TODO use Secrets
|
||||||
INSTALL_LOCK = true
|
INSTALL_LOCK = true
|
||||||
SECRET_KEY = {{ FORGEJO_SECURITY_SECRET_KEY }}
|
SECRET_KEY = #! TODO use Secrets
|
||||||
PASSWORD_HASH_ALGO = pbkdf2
|
PASSWORD_HASH_ALGO = pbkdf2
|
||||||
# ajout de la ligne suivante dans le cadre de la création d'un git hook pour le projet portfolios (par habib)
|
# ajout de la ligne suivante dans le cadre de la création d'un git hook pour le projet portfolios (par habib)
|
||||||
DISABLE_GIT_HOOKS = false
|
DISABLE_GIT_HOOKS = false
|
||||||
|
|
||||||
[database]
|
[database]
|
||||||
DB_TYPE = postgres
|
DB_TYPE = postgres
|
||||||
HOST = {{ FORGEJO_DB_HOST }}
|
HOST = #! TODO use Secrets
|
||||||
NAME = {{ FORGEJO_DB_NAME }}
|
NAME = #! TODO use Secrets
|
||||||
USER = {{ FORGEJO_DB_USER }}
|
USER = #! TODO use Secrets
|
||||||
PASSWD = {{ FORGEJO_DB_PASSWD }}
|
PASSWD = #! TODO use Secrets
|
||||||
SCHEMA =
|
SCHEMA =
|
||||||
SSL_MODE = disable
|
SSL_MODE = disable
|
||||||
CHARSET = utf8
|
CHARSET = utf8
|
||||||
|
@ -48,7 +48,7 @@ SSH_LISTEN_HOST = 0.0.0.0
|
||||||
START_SSH_SERVER = true
|
START_SSH_SERVER = true
|
||||||
LFS_START_SERVER = true
|
LFS_START_SERVER = true
|
||||||
# LFS_CONTENT_PATH = /var/lib/forgejo/data/lfs
|
# LFS_CONTENT_PATH = /var/lib/forgejo/data/lfs
|
||||||
LFS_JWT_SECRET = {{ FORGEJO_SERVER_LFS_JWT_SECRET }}
|
LFS_JWT_SECRET = # TODO use Secrets
|
||||||
OFFLINE_MODE = false
|
OFFLINE_MODE = false
|
||||||
|
|
||||||
[mailer]
|
[mailer]
|
||||||
|
|
|
@ -1,23 +0,0 @@
|
||||||
# Get all config files
|
|
||||||
# FILES=$(find . -type f \ # Only files
|
|
||||||
# -wholename "./*/*" \ # Only in subdir
|
|
||||||
# -not -wholename "./.git*" \ # Not in .git/
|
|
||||||
# -not -name "_*.sh" \ # Not _install.sh or _deploy.sh
|
|
||||||
# -not -name "README.md") # Not README.md
|
|
||||||
|
|
||||||
FILES=$(find . -type f -wholename "./*/*" -not -wholename "./.git*" -not -name "_*.sh" -not -name "README.md")
|
|
||||||
|
|
||||||
cat .env | grep ".=." > .env.tmp # Clean .env entries
|
|
||||||
readarray -t SECRETS < .env.tmp # Get all .env entries
|
|
||||||
rm .env.tmp # Clean tmp file
|
|
||||||
|
|
||||||
for file in $FILES
|
|
||||||
do
|
|
||||||
for secret in "${SECRETS[@]}"
|
|
||||||
do
|
|
||||||
KEY=$(echo $secret | grep -o "\w\+")
|
|
||||||
VALUE=$(echo $secret | grep -oP '\w+\s*=\s*\K.*' | tr -d "\r")
|
|
||||||
|
|
||||||
sed -r "s/\{\{\s*$KEY\s*\}\}/$VALUE/g" $file
|
|
||||||
done
|
|
||||||
done
|
|
|
@ -1,11 +1,11 @@
|
||||||
[Interface]
|
[Interface]
|
||||||
Address = 10.0.0.2/24
|
Address = 10.0.0.2/24
|
||||||
PrivateKey = {{ WIREGUARD_WIFI_FABLAB_PRIVATE_KEY }}
|
PrivateKey = #! TODO use Secrets
|
||||||
DNS = 208.67.222.222, 208.67.220.220
|
DNS = 208.67.222.222, 208.67.220.220
|
||||||
MTU = 1420
|
MTU = 1420
|
||||||
|
|
||||||
[Peer]
|
[Peer]
|
||||||
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1 # Don't intercept local traffic
|
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1 # Don't intercept local traffic
|
||||||
Endpoint = cohabit.fr:{{ WIREGUARD_SERVER_LISTEN_PORT }}
|
Endpoint = cohabit.fr:#! TODO use Secrets
|
||||||
PersistentKeepalive = 25
|
PersistentKeepalive = 25
|
||||||
PublicKey = {{ WIREGUARD_SERVER_PUBLIC_KEY }}
|
PublicKey = #! TODO use Secrets
|
||||||
|
|
|
@ -1,13 +1,13 @@
|
||||||
[Interface]
|
[Interface]
|
||||||
PrivateKey = {{ WIREGUARD_SERVER_PRIVATE_KEY }}
|
PrivateKey = #! TODO use Secrets
|
||||||
Address = 10.0.0.1/24
|
Address = 10.0.0.1/24
|
||||||
MTU = 1420
|
MTU = 1420
|
||||||
ListenPort = {{ WIREGUARD_SERVER_LISTEN_PORT }}
|
ListenPort = #! TODO use Secrets
|
||||||
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
|
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
|
||||||
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE
|
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE
|
||||||
|
|
||||||
### Wifi Fablab ###
|
### Wifi Fablab ###
|
||||||
[Peer]
|
[Peer]
|
||||||
PublicKey = {{ WIREGUARD_WIFI_FABLAB_PUBLIC_KEY }}
|
PublicKey = #! TODO use Secrets
|
||||||
AllowedIPs = 10.0.0.2/32
|
AllowedIPs = 10.0.0.2/32
|
||||||
###################
|
###################
|
||||||
|
|
Loading…
Reference in a new issue