Compare commits

..

No commits in common. "f5a7422f3a913067c5cafac253441699dc7793fb" and "df466d9b4d724ef9251e17edc9b56fd454f3738a" have entirely different histories.

8 changed files with 16 additions and 79 deletions

View file

@ -1,28 +0,0 @@
# FORGEJO
## OAUTH2
FORGEJO_OAUTH2_JWT_SECRET = ""
## SECURITY
FORGEJO_SECURITY_INTERNAL_TOKEN = ""
FORGEJO_SECURITY_SECRET_KEY = ""
## DB
FORGEJO_DB_HOST = ""
FORGEJO_DB_USER = ""
FORGEJO_DB_NAME = ""
FORGEJO_DB_PASSWD = ""
## SERVER
FORGEJO_SERVER_LFS_JWT_SECRET = ""
# WIREGUARD
## SERVER
WIREGUARD_SERVER_PRIVATE_KEY = ""
WIREGUARD_SERVER_PUBLIC_KEY = ""
WIREGUARD_SERVER_LISTEN_PORT = ""
## WIFI_FABLAB
WIREGUARD_WIFI_FABLAB_PRIVATE_KEY = ""
WIREGUARD_WIFI_FABLAB_PRIVATE_KEY = ""

1
.gitignore vendored
View file

@ -1 +0,0 @@
.env

View file

@ -11,9 +11,6 @@ Cloner ce dépôts sur votre système (pas de répertoire privilégié).
git clone https://git.cohabit.fr/cohabit/server_config.git git clone https://git.cohabit.fr/cohabit/server_config.git
cd server_config cd server_config
# Decrypt secrets
gpg -d .env.gpg
# Allow execute scripts # Allow execute scripts
sudo chmod +x ./install.sh sudo chmod +x ./install.sh
sudo chmod +x ./deploy.sh sudo chmod +x ./deploy.sh
@ -22,14 +19,6 @@ sudo chmod +x ./deploy.sh
sudo ./install.sh --all && sudo ./deploy.sh --all sudo ./install.sh --all && sudo ./deploy.sh --all
``` ```
> [!WARNING]
>
> Après avoir executer `deploy.sh` tous les secrets sont écrits en clair dans
> les fichiers de configs et les scripts.\
> Ne surtout pas faire de `git commit` ou de `git push`.\
> Pour retourner à l'état d'origine faire un `git reset --hard HEAD` ou
> équivalent.
## Installation ## Installation
Pour installer les différents services/apps du serveur. Pour installer les différents services/apps du serveur.

View file

@ -3,7 +3,7 @@ cohabit.fr {
# Website entry point # Website entry point
encode zstd gzip encode zstd gzip
reverse_proxy 127.0.0.1:6060 reverse_proxy 127.0.0.1:8000
} }
www.cohabit.fr { www.cohabit.fr {

View file

@ -1,5 +1,5 @@
APP_NAME = Forgejo Fablab Cohabit APP_NAME = Forgejo Fablab Cohabit
RUN_USER = forgejo RUN_USER = git
RUN_MODE = prod RUN_MODE = prod
WORK_PATH = /var/lib/forgejo WORK_PATH = /var/lib/forgejo
@ -7,22 +7,22 @@ WORK_PATH = /var/lib/forgejo
DISABLE_REGULAR_ORG_CREATION = false DISABLE_REGULAR_ORG_CREATION = false
[oauth2] [oauth2]
JWT_SECRET = {{ FORGEJO_OAUTH2_JWT_SECRET }} JWT_SECRET = #! TODO use Secrets
[security] [security]
INTERNAL_TOKEN = {{ FORGEJO_SECURITY_INTERNAL_TOKEN }} INTERNAL_TOKEN = #! TODO use Secrets
INSTALL_LOCK = true INSTALL_LOCK = true
SECRET_KEY = {{ FORGEJO_SECURITY_SECRET_KEY }} SECRET_KEY = #! TODO use Secrets
PASSWORD_HASH_ALGO = pbkdf2 PASSWORD_HASH_ALGO = pbkdf2
# ajout de la ligne suivante dans le cadre de la création d'un git hook pour le projet portfolios (par habib) # ajout de la ligne suivante dans le cadre de la création d'un git hook pour le projet portfolios (par habib)
DISABLE_GIT_HOOKS = false DISABLE_GIT_HOOKS = false
[database] [database]
DB_TYPE = postgres DB_TYPE = postgres
HOST = {{ FORGEJO_DB_HOST }} HOST = #! TODO use Secrets
NAME = {{ FORGEJO_DB_NAME }} NAME = #! TODO use Secrets
USER = {{ FORGEJO_DB_USER }} USER = #! TODO use Secrets
PASSWD = {{ FORGEJO_DB_PASSWD }} PASSWD = #! TODO use Secrets
SCHEMA = SCHEMA =
SSL_MODE = disable SSL_MODE = disable
CHARSET = utf8 CHARSET = utf8
@ -48,7 +48,7 @@ SSH_LISTEN_HOST = 0.0.0.0
START_SSH_SERVER = true START_SSH_SERVER = true
LFS_START_SERVER = true LFS_START_SERVER = true
# LFS_CONTENT_PATH = /var/lib/forgejo/data/lfs # LFS_CONTENT_PATH = /var/lib/forgejo/data/lfs
LFS_JWT_SECRET = {{ FORGEJO_SERVER_LFS_JWT_SECRET }} LFS_JWT_SECRET = # TODO use Secrets
OFFLINE_MODE = false OFFLINE_MODE = false
[mailer] [mailer]

View file

@ -1,23 +0,0 @@
# Get all config files
# FILES=$(find . -type f \ # Only files
# -wholename "./*/*" \ # Only in subdir
# -not -wholename "./.git*" \ # Not in .git/
# -not -name "_*.sh" \ # Not _install.sh or _deploy.sh
# -not -name "README.md") # Not README.md
FILES=$(find . -type f -wholename "./*/*" -not -wholename "./.git*" -not -name "_*.sh" -not -name "README.md")
cat .env | grep ".=." > .env.tmp # Clean .env entries
readarray -t SECRETS < .env.tmp # Get all .env entries
rm .env.tmp # Clean tmp file
for file in $FILES
do
for secret in "${SECRETS[@]}"
do
KEY=$(echo $secret | grep -o "\w\+")
VALUE=$(echo $secret | grep -oP '\w+\s*=\s*\K.*' | tr -d "\r")
sed -r "s/\{\{\s*$KEY\s*\}\}/$VALUE/g" $file
done
done

View file

@ -1,11 +1,11 @@
[Interface] [Interface]
Address = 10.0.0.2/24 Address = 10.0.0.2/24
PrivateKey = {{ WIREGUARD_WIFI_FABLAB_PRIVATE_KEY }} PrivateKey = #! TODO use Secrets
DNS = 208.67.222.222, 208.67.220.220 DNS = 208.67.222.222, 208.67.220.220
MTU = 1420 MTU = 1420
[Peer] [Peer]
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1 # Don't intercept local traffic AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1 # Don't intercept local traffic
Endpoint = cohabit.fr:{{ WIREGUARD_SERVER_LISTEN_PORT }} Endpoint = cohabit.fr:#! TODO use Secrets
PersistentKeepalive = 25 PersistentKeepalive = 25
PublicKey = {{ WIREGUARD_SERVER_PUBLIC_KEY }} PublicKey = #! TODO use Secrets

View file

@ -1,13 +1,13 @@
[Interface] [Interface]
PrivateKey = {{ WIREGUARD_SERVER_PRIVATE_KEY }} PrivateKey = #! TODO use Secrets
Address = 10.0.0.1/24 Address = 10.0.0.1/24
MTU = 1420 MTU = 1420
ListenPort = {{ WIREGUARD_SERVER_LISTEN_PORT }} ListenPort = #! TODO use Secrets
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE
### Wifi Fablab ### ### Wifi Fablab ###
[Peer] [Peer]
PublicKey = {{ WIREGUARD_WIFI_FABLAB_PUBLIC_KEY }} PublicKey = #! TODO use Secrets
AllowedIPs = 10.0.0.2/32 AllowedIPs = 10.0.0.2/32
################### ###################