Compare commits
No commits in common. "f5a7422f3a913067c5cafac253441699dc7793fb" and "df466d9b4d724ef9251e17edc9b56fd454f3738a" have entirely different histories.
f5a7422f3a
...
df466d9b4d
28
.env.example
28
.env.example
|
|
@ -1,28 +0,0 @@
|
|||
# FORGEJO
|
||||
|
||||
## OAUTH2
|
||||
FORGEJO_OAUTH2_JWT_SECRET = ""
|
||||
|
||||
## SECURITY
|
||||
FORGEJO_SECURITY_INTERNAL_TOKEN = ""
|
||||
FORGEJO_SECURITY_SECRET_KEY = ""
|
||||
|
||||
## DB
|
||||
FORGEJO_DB_HOST = ""
|
||||
FORGEJO_DB_USER = ""
|
||||
FORGEJO_DB_NAME = ""
|
||||
FORGEJO_DB_PASSWD = ""
|
||||
|
||||
## SERVER
|
||||
FORGEJO_SERVER_LFS_JWT_SECRET = ""
|
||||
|
||||
# WIREGUARD
|
||||
|
||||
## SERVER
|
||||
WIREGUARD_SERVER_PRIVATE_KEY = ""
|
||||
WIREGUARD_SERVER_PUBLIC_KEY = ""
|
||||
WIREGUARD_SERVER_LISTEN_PORT = ""
|
||||
|
||||
## WIFI_FABLAB
|
||||
WIREGUARD_WIFI_FABLAB_PRIVATE_KEY = ""
|
||||
WIREGUARD_WIFI_FABLAB_PRIVATE_KEY = ""
|
||||
1
.gitignore
vendored
1
.gitignore
vendored
|
|
@ -1 +0,0 @@
|
|||
.env
|
||||
11
README.md
11
README.md
|
|
@ -11,9 +11,6 @@ Cloner ce dépôts sur votre système (pas de répertoire privilégié).
|
|||
git clone https://git.cohabit.fr/cohabit/server_config.git
|
||||
cd server_config
|
||||
|
||||
# Decrypt secrets
|
||||
gpg -d .env.gpg
|
||||
|
||||
# Allow execute scripts
|
||||
sudo chmod +x ./install.sh
|
||||
sudo chmod +x ./deploy.sh
|
||||
|
|
@ -22,14 +19,6 @@ sudo chmod +x ./deploy.sh
|
|||
sudo ./install.sh --all && sudo ./deploy.sh --all
|
||||
```
|
||||
|
||||
> [!WARNING]
|
||||
>
|
||||
> Après avoir executer `deploy.sh` tous les secrets sont écrits en clair dans
|
||||
> les fichiers de configs et les scripts.\
|
||||
> Ne surtout pas faire de `git commit` ou de `git push`.\
|
||||
> Pour retourner à l'état d'origine faire un `git reset --hard HEAD` ou
|
||||
> équivalent.
|
||||
|
||||
## Installation
|
||||
|
||||
Pour installer les différents services/apps du serveur.
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@ cohabit.fr {
|
|||
# Website entry point
|
||||
|
||||
encode zstd gzip
|
||||
reverse_proxy 127.0.0.1:6060
|
||||
reverse_proxy 127.0.0.1:8000
|
||||
}
|
||||
|
||||
www.cohabit.fr {
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
APP_NAME = Forgejo Fablab Cohabit
|
||||
RUN_USER = forgejo
|
||||
RUN_USER = git
|
||||
RUN_MODE = prod
|
||||
WORK_PATH = /var/lib/forgejo
|
||||
|
||||
|
|
@ -7,22 +7,22 @@ WORK_PATH = /var/lib/forgejo
|
|||
DISABLE_REGULAR_ORG_CREATION = false
|
||||
|
||||
[oauth2]
|
||||
JWT_SECRET = {{ FORGEJO_OAUTH2_JWT_SECRET }}
|
||||
JWT_SECRET = #! TODO use Secrets
|
||||
|
||||
[security]
|
||||
INTERNAL_TOKEN = {{ FORGEJO_SECURITY_INTERNAL_TOKEN }}
|
||||
INTERNAL_TOKEN = #! TODO use Secrets
|
||||
INSTALL_LOCK = true
|
||||
SECRET_KEY = {{ FORGEJO_SECURITY_SECRET_KEY }}
|
||||
SECRET_KEY = #! TODO use Secrets
|
||||
PASSWORD_HASH_ALGO = pbkdf2
|
||||
# ajout de la ligne suivante dans le cadre de la création d'un git hook pour le projet portfolios (par habib)
|
||||
DISABLE_GIT_HOOKS = false
|
||||
|
||||
[database]
|
||||
DB_TYPE = postgres
|
||||
HOST = {{ FORGEJO_DB_HOST }}
|
||||
NAME = {{ FORGEJO_DB_NAME }}
|
||||
USER = {{ FORGEJO_DB_USER }}
|
||||
PASSWD = {{ FORGEJO_DB_PASSWD }}
|
||||
HOST = #! TODO use Secrets
|
||||
NAME = #! TODO use Secrets
|
||||
USER = #! TODO use Secrets
|
||||
PASSWD = #! TODO use Secrets
|
||||
SCHEMA =
|
||||
SSL_MODE = disable
|
||||
CHARSET = utf8
|
||||
|
|
@ -48,7 +48,7 @@ SSH_LISTEN_HOST = 0.0.0.0
|
|||
START_SSH_SERVER = true
|
||||
LFS_START_SERVER = true
|
||||
# LFS_CONTENT_PATH = /var/lib/forgejo/data/lfs
|
||||
LFS_JWT_SECRET = {{ FORGEJO_SERVER_LFS_JWT_SECRET }}
|
||||
LFS_JWT_SECRET = # TODO use Secrets
|
||||
OFFLINE_MODE = false
|
||||
|
||||
[mailer]
|
||||
|
|
|
|||
|
|
@ -1,23 +0,0 @@
|
|||
# Get all config files
|
||||
# FILES=$(find . -type f \ # Only files
|
||||
# -wholename "./*/*" \ # Only in subdir
|
||||
# -not -wholename "./.git*" \ # Not in .git/
|
||||
# -not -name "_*.sh" \ # Not _install.sh or _deploy.sh
|
||||
# -not -name "README.md") # Not README.md
|
||||
|
||||
FILES=$(find . -type f -wholename "./*/*" -not -wholename "./.git*" -not -name "_*.sh" -not -name "README.md")
|
||||
|
||||
cat .env | grep ".=." > .env.tmp # Clean .env entries
|
||||
readarray -t SECRETS < .env.tmp # Get all .env entries
|
||||
rm .env.tmp # Clean tmp file
|
||||
|
||||
for file in $FILES
|
||||
do
|
||||
for secret in "${SECRETS[@]}"
|
||||
do
|
||||
KEY=$(echo $secret | grep -o "\w\+")
|
||||
VALUE=$(echo $secret | grep -oP '\w+\s*=\s*\K.*' | tr -d "\r")
|
||||
|
||||
sed -r "s/\{\{\s*$KEY\s*\}\}/$VALUE/g" $file
|
||||
done
|
||||
done
|
||||
|
|
@ -1,11 +1,11 @@
|
|||
[Interface]
|
||||
Address = 10.0.0.2/24
|
||||
PrivateKey = {{ WIREGUARD_WIFI_FABLAB_PRIVATE_KEY }}
|
||||
PrivateKey = #! TODO use Secrets
|
||||
DNS = 208.67.222.222, 208.67.220.220
|
||||
MTU = 1420
|
||||
|
||||
[Peer]
|
||||
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1 # Don't intercept local traffic
|
||||
Endpoint = cohabit.fr:{{ WIREGUARD_SERVER_LISTEN_PORT }}
|
||||
Endpoint = cohabit.fr:#! TODO use Secrets
|
||||
PersistentKeepalive = 25
|
||||
PublicKey = {{ WIREGUARD_SERVER_PUBLIC_KEY }}
|
||||
PublicKey = #! TODO use Secrets
|
||||
|
|
|
|||
|
|
@ -1,13 +1,13 @@
|
|||
[Interface]
|
||||
PrivateKey = {{ WIREGUARD_SERVER_PRIVATE_KEY }}
|
||||
PrivateKey = #! TODO use Secrets
|
||||
Address = 10.0.0.1/24
|
||||
MTU = 1420
|
||||
ListenPort = {{ WIREGUARD_SERVER_LISTEN_PORT }}
|
||||
ListenPort = #! TODO use Secrets
|
||||
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
|
||||
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE
|
||||
|
||||
### Wifi Fablab ###
|
||||
[Peer]
|
||||
PublicKey = {{ WIREGUARD_WIFI_FABLAB_PUBLIC_KEY }}
|
||||
PublicKey = #! TODO use Secrets
|
||||
AllowedIPs = 10.0.0.2/32
|
||||
###################
|
||||
|
|
|
|||
Loading…
Reference in a new issue