fix(forgejo/deploy): update owner and permissions of config files

Reviewed-on: cohabit/server_config#8

Dockerfile

@@ -0,0 +1,6 @@
+FROM debian
+
+RUN apt update
+RUN apt install -y git
+RUN apt install -y gpg
+RUN apt install -y vim

README.md

@@ -14,12 +14,16 @@ cd server_config
 # Decrypt secrets
 gpg -d .env.gpg > .env
 
+# Switch to sudo
+sudo su
+
 # Allow execute scripts
-sudo chmod +x ./install.sh
-sudo chmod +x ./deploy.sh
+chmod +x ./install.sh
+chmod +x ./deploy.sh
 
 # Install and deploy services
-sudo ./install.sh --all && sudo ./deploy.sh --all
+./install.sh --all | tee install.log && \
+./deploy.sh --all | tee deploy.log
 ```
 
 > [!WARNING]
@@ -73,3 +77,20 @@ sudo (bash|sh|zsh) ./deploy.sh [SERVICES...]
   ```sh
   sudo ./deploy.sh -a
   ```
+
+## Tests
+
+Pour tester la config avant déploiement un [`Dockerfile`]('./Dockerfile') est
+disponible. Le helper [`test_scripts.sh`](./test_scripts.sh) build et lance le
+conteneur (shell: `bash`, point d'entrée: `/`).
+
+> [!NOTE]
+>
+> Le helper utilise `docker`, pour utiliser `podman` vous pouvez taper
+> `docker="podman" bash ./test_scripts.sh`.
+
+## Ajout de service
+
+S'il y a le besoin de rajouter des services, il faudra penser à ajouter leurs
+configurations dans le projet ainsi que les liens vers leurs installations dans
+le script d'installation.

_requirements.sh

@@ -1,7 +1,7 @@
 # Install nala
 apt update
 apt upgrade -y
-apt install -y nala
+apt install -y nala # Good front-end for "apt-*" cli
 
 # Install base utilities
 echo "[server_config] > Installing required utilities (base)"
@@ -19,6 +19,10 @@ nala install -y \
   lsb-release \
   nmap \
   xxd \
+  inxi \
+  # nmap (network viewer/utility)
+  # xxd (bin to hexa etc...)
+  # inxi (system/hardware config viewer)
 
 # Install comfort utilities
 echo "[server_config] > Installing required utilities (comfort)"
@@ -28,9 +32,15 @@ nala install -y \
   fzf \
   tmux \
   tmate \
+  # bat (better cat)
+  # btop (TUI htop alternative)
+  # fzf (fuzzy finder)
+  # tmux (terminal multiplexer)
+  # tmate (tmux over ssh)
 
 # Install zoxide through webinstall (see zoxide install instruction on debian)
 curl -sS https://webi.sh/zoxide | sh
+# zoxide (smartter cd)
 
 # Install really necessary utilities
 echo "[server_config] > Installing required utilities (really necessary)"
@@ -41,5 +51,4 @@ nala install -y \
 
 # Install useful deb installer
 echo "[server_config] > Installing required utilites (useful .deb installer)"
-nala install -y lsb-release
 curl -sL https://raw.githubusercontent.com/wimpysworld/deb-get/main/deb-get | bash -s install deb-get

caddy/_deploy.sh

@@ -1,6 +1,8 @@
 # Setup caddy config
 mkdir -p /etc/caddy
 cp -a ./caddy/caddy/. /etc/caddy/
+# Set directory owner
+chown -R caddy:caddy /etc/caddy
 
 # Setup caddy service
 cp ./caddy/systemd/caddy.service /etc/systemd/system

deploy.sh

@@ -2,6 +2,9 @@
 echo "[server_config] > Writting secrets to source files"
 source ./load_secrets.sh
 
+# Make sure default owner of config files is root
+chown -R root:root .
+
 # Deploy services
 APPS=$@
 

fail2ban/README.md

@@ -1,3 +1,12 @@
 # Fail2Ban
 
 Prison pour bots. Gardien des connection ssh.
+
+## Configuration
+
+/etc/fail2ban/
+
+## Plus d'informations
+
+https://github.com/fail2ban/fail2ban
+

fastfetch/README.md

@@ -0,0 +1,9 @@
+# Fastfetch c'est quoi ?
+Fastfetch est un outil similaire à neofetch permettant de récupérer les informations systèmes et de les afficher agréablement à son utilisateur. Il est écrit principalement en C avec comme intention principale la performance et la personnalisation.
+
+## Emplacements
+~/. config/fastfetch/config.jsonc
+
+## Plus d'informations
+https://github.com/fastfetch-cli/fastfetch
+

forgejo/_deploy.sh

@@ -1,6 +1,6 @@
 # Setup forgejo config
 cp -a ./forgejo/forgejo/. /etc/forgejo/
-chown -R root:forgejo /etc/forgejo && chmod -R 540 /etc/forgejo
+chown -R forgejo:forgejo /etc/forgejo && chmod -R a-rwx,ug+r /etc/forgejo
 
 # Setup forgejo service
 cp ./forgejo/systemd/forgejo.service /etc/systemd/system

git/README.md

@@ -0,0 +1,12 @@
+# Git
+
+Git est un logiciel de gestion de versions décentralisé. C'est un logiciel libre et gratuit, créé en 2005 par Linus Torvalds, auteur du noyau Linux, et distribué selon les termes de la licence publique générale GNU version 2.
+
+## Configuration
+
+/etc/gitconfig
+
+## Plus d'informations
+
+https://github.com/git/git
+

install.sh

@@ -2,6 +2,9 @@
 echo "[server_config] > Installing required utilities"
 source ./_requirements.sh
 
+# Make sure default owner of config files is root
+chown -R root:root .
+
 # Install services
 APPS=$@
 

iptables/README.md

@@ -1,3 +1,12 @@
 # Configuration des `iptables`
 
 Règles de parfeux/routage du serveur cohabit.
+
+## Configuration
+
+iptables -S
+
+## Plus d'informations
+
+man iptables ou https://doc.ubuntu-fr.org/iptables
+

portfolio_server/_install.sh

@@ -18,6 +18,11 @@ else
     deno
 fi
 
-# Clone website repo
+# Remove old files if exists
+rm -rf /srv/portfolio
+# Create fs tree is missing
 mkdir -p /srv/portfolio
+# Set directory owner
+chown -R deno:deno /srv/portfolio
+# Clone website repo
 git clone -b main --depth 1 https://git.cohabit.fr/cohabit/portfolio_server.git /srv/portfolio

sshd/README.md

@@ -1,3 +1,11 @@
 # SSHD
 
 Démon SSH de cohabit.
+
+## Configuration
+/etc/ssh/sshd_config
+
+## Plus d'informations
+https://fr.wikipedia.org/wiki/SSHD
+
+

test_scripts.sh

@@ -0,0 +1,5 @@
+# Build or update container image
+docker built -t cohabit_server_config_test .
+
+# Run image in bash mode
+docker run --rm -it cohabit_server_config_test bash

vim/_install.sh

@@ -1,5 +1,6 @@
-# Install or upgrade caddy
-nala install -y caddy
+# Install or upgrade vim
+nala install -y vim
 
 # Install or upgrade vundle
+rm -rf /root/.vim/bundle/Vundle.vim
 git clone https://github.com/VundleVim/Vundle.vim.git /root/.vim/bundle/Vundle.vim

vim/vim/.vimrc

@@ -26,6 +26,9 @@ Plugin 'junegunn/fzf.vim'
 call vundle#end()            " required
 filetype plugin indent on    " required
 
+" Sudo write (écrire un fichier en sudo si ouvert en user)
+command W :execute ':silent w !sudo tee % > /dev/null' | :edit!
+
 " Active les raccourcis clavier pour fzf
 nnoremap <C-p> :FZF<CR>
 nnoremap <S-f> :Rg<CR>

website/_deploy.sh

@@ -1,10 +1,10 @@
+# Setup website service
+cp ./website/systemd/website.service /etc/systemd/system
+
 # Pull website sources
 cd /srv/www
 git pull origin main
 
-# Setup website service
-cp /srv/www/website.service /etc/systemd/system
-
 # Start website
 systemctl daemon-reload
 systemctl enable website

website/_install.sh

@@ -18,6 +18,11 @@ else
     deno
 fi
 
-# Clone website repo
+# Remove old existing files
+rm -rf /srv/www
+# Create fs structure
 mkdir -p /srv/www
+# Set directory owner
+chown -R deno:deno /srv/www
+# Clone website repo
 git clone -b main --depth 1 https://git.cohabit.fr/cohabit/website.git /srv/www

website/systemd/website.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=Website Deno 1.1.1 service
+Documentation=http://deno.land
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=simple
+User=deno
+WorkingDirectory=/srv/www
+ExecStartPre=/usr/local/bin/deno task build
+Environment=PORT=6060
+ExecStart=/usr/local/bin/deno task serve
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

zsh/_deploy.sh

@@ -3,7 +3,11 @@ cp -a ./zsh/zsh/. /root
 chsh -s /usr/bin/zsh
 
 # Install zsh-autosuggestions plugin
-git clone https://github.com/zsh-users/zsh-autosuggestions ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/zsh-autosuggestions
+PATH=${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/zsh-autosuggestions
+/usr/bin/rm -rf $PATH
+/usr/bin/git clone https://github.com/zsh-users/zsh-autosuggestions $PATH
 
 # Install zsh-syntax-highlighting
-git clone https://github.com/zsh-users/zsh-syntax-highlighting.git ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/zsh-syntax-highlighting
+PATH=${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/zsh-syntax-highlighting
+/usr/bin/rm -rf $PATH
+/usr/bin/git clone https://github.com/zsh-users/zsh-syntax-highlighting $PATH

zsh/_install.sh

@@ -12,4 +12,4 @@ fi
 nala install -y zsh eza
 
 # Check if Oh-My-ZSH already installed
-which omz &> /dev/null || sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" "" --unattended
+test -d /root/.oh-my-zsh/ || sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" "" --unattended

zsh/zsh/.bashrc

@@ -8,6 +8,8 @@ case $- in
       *) return;;
 esac
 
+PATH=$PATH:/usr/games
+
 # don't put duplicate lines or lines starting with space in the history.
 # See bash(1) for more options
 HISTCONTROL=ignoreboth

zsh/zsh/.zshrc

@@ -6,6 +6,12 @@ autoload -Uz compinit
 compinit
 # End of lines added by compinstall
 
+################################
+# Update path
+################################
+
+PATH=$PATH:/usr/games
+
 ################################
 # Webinstall.dev install
 ################################