ajouté du contenu pour la première fois

master
root 4 years ago
commit 1e976da8a8

20
.gitignore vendored

@ -0,0 +1,20 @@
docker/
# Apps
apps/*/db
apps/*/data
apps/*/dump
apps/*/images
apps/*/redis
apps/*/gitea
# Env files
.env
# Private files
passphrase
key
id_rsa
id_rsa.pub
certs/

@ -0,0 +1,3 @@
# goeland
Voici les sources et la configuration des services goe.land.

@ -0,0 +1,40 @@
version: '3'
services:
dbfreshrss:
image: postgres:11
restart: unless-stopped
networks:
- myweb
volumes:
- './db:/var/lib/postgresql/data'
environment:
- POSTGRES_USER=freshrss
- POSTGRES_PASSWORD=gffBsPBVWkoeoayfJhBt48LAk7wUbzy64niWYmUd
- POSTGRES_DB=freshrss
freshrss:
image: freshrss/freshrss:1.15.0
restart: unless-stopped
depends_on:
- dbfreshrss
networks:
- myweb
volumes:
- './data:/var/www/FreshRSS/data'
labels:
- "traefik.enable=true"
- "traefik.http.routers.freshrss.rule=Host(`rss.goe.land`)"
- "traefik.http.routers.freshrss.entrypoints=web"
- "traefik.http.routers.freshrsstls.rule=Host(`rss.goe.land`)"
- "traefik.http.routers.freshrsstls.entrypoints=websecure"
- "traefik.http.routers.freshrsstls.tls=true"
- "traefik.http.routers.freshrsstls.tls.certresolver=sample"
- "traefik.docker.network=myweb"
environment:
- CRON_MIN=*/10
networks:
myweb:
external: true
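Review bot: `POSTGRES_PASSWORD` for `dbfreshrss` is written inline in the compose file, so the credential is now part of the repository history, even though the `.gitignore` added in this same commit excludes `.env` for this purpose. Move the three `POSTGRES_*` values into the ignored `.env`, reference it with `env_file: .env` as the funkwhale and gitea stacks do, and rotate the password since it has been published. The same applies to `GANDIV5_API_KEY` in the traefik compose file and, if that file holds real values rather than a template, to `POSTGRES_PASSWORD`/`DB_PASSWD` in the committed gitea environment file.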

@ -0,0 +1,104 @@
version: '3'
services:
postgresqlfunkwhale:
image: postgres:11
restart: unless-stopped
networks:
- myweb
volumes:
- './db:/var/lib/postgresql/data'
env_file: .env
redisfunkwhale:
image: redis:3
restart: unless-stopped
networks:
- myweb
volumes:
- ./redis:/data
env_file: .env
celeryworker:
image: funkwhale/funkwhale:0.20.0
restart: unless-stopped
networks:
- myweb
depends_on:
- postgresqlfunkwhale
- redisfunkwhale
env_file: .env
environment:
- C_FORCE_ROOT=true
command: celery -A funkwhale_api.taskapp worker -l INFO --concurrency=16
volumes:
- "${MUSIC_DIRECTORY_SERVE_PATH-/data/funkwhale/data/music}:${MUSIC_DIRECTORY_PATH-/music}:ro"
- "${MEDIA_ROOT}:${MEDIA_ROOT}"
# celerybeat:
# image: funkwhale/funkwhale:0.20.0
# restart: unless-stopped
# networks:
# - myweb
# depends_on:
# - postgresqlfunkwhale
# - redisfunkwhale
# env_file: .env
# command: celery -A funkwhale_api.taskapp beat -l INFO
#
apifunkwhale:
image: funkwhale/funkwhale:0.20.0
restart: unless-stopped
networks:
- myweb
depends_on:
- postgresqlfunkwhale
- redisfunkwhale
env_file: .env
volumes:
- "${MUSIC_DIRECTORY_SERVE_PATH-/data/funkwhale/data/music}:${MUSIC_DIRECTORY_PATH-/music}:ro"
- "${MEDIA_ROOT}:${MEDIA_ROOT}"
- "${STATIC_ROOT}:${STATIC_ROOT}"
- "${FUNKWHALE_FRONTEND_PATH}:/frontend"
ports:
- 5000
nginxfunkwhale:
image: nginx:1.17.4
restart: unless-stopped
networks:
- myweb
depends_on:
- apifunkwhale
env_file: .env
volumes:
- ./nginx/funkwhale.template:/etc/nginx/conf.d/funkwhale.template:ro
- ./nginx/funkwhale_proxy.conf:/etc/nginx/funkwhale_proxy.conf:ro
- "${MUSIC_DIRECTORY_SERVE_PATH-/data/funkwhale/data/music}:${MUSIC_DIRECTORY_PATH-/music}:ro"
- "${MEDIA_ROOT}:${MEDIA_ROOT}"
- "${STATIC_ROOT}:${STATIC_ROOT}"
- "${FUNKWHALE_FRONTEND_PATH}:/frontend"
ports:
- "${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT}:80"
command: >
sh -c "envsubst \"`env | awk -F = '{printf \" $$%s\", $$1}'`\"
< /etc/nginx/conf.d/funkwhale.template
> /etc/nginx/conf.d/default.conf
&& cat /etc/nginx/conf.d/default.conf
&& nginx -g 'daemon off;'"
labels:
- "traefik.enable=true"
- "traefik.http.routers.funkwhale.rule=Host(`zik.goe.land`)"
- "traefik.http.routers.funkwhale.entrypoints=web"
- "traefik.http.routers.funkwhaletls.rule=Host(`zik.goe.land`)"
- "traefik.http.routers.funkwhaletls.entrypoints=websecure"
- "traefik.http.routers.funkwhaletls.tls=true"
- "traefik.http.routers.funkwhaletls.tls.certresolver=sample"
- "traefik.docker.network=myweb"
networks:
myweb:
external: true
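Review bot: `ports: - 5000` on `apifunkwhale` publishes the API on an ephemeral host port on every interface, so clients can reach the backend directly without passing through nginx or Traefik. nginx already reaches it over the `myweb` network as `apifunkwhale:5000`, so `expose: ["5000"]` (or dropping the key) is sufficient. Separately, `C_FORCE_ROOT=true` makes the Celery worker run as root inside its container; prefer a non-root `user:` on `celeryworker` and remove the override.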

@ -0,0 +1,112 @@
upstream funkwhale-api {
# depending on your setup, you may want to update this
server apifunkwhale:5000;
}
# required for websocket support
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
server_name ${FUNKWHALE_HOSTNAME};
# TLS
# Feel free to use your own configuration for SSL here or simply remove the
# lines and move the configuration to the previous server block if you
# don't want to run funkwhale behind https (this is not recommended)
# have a look here for let's encrypt configuration:
# https://certbot.eff.org/all-instructions/#debian-9-stretch-nginx
root /frontend;
# If you are using S3 to host your files, remember to add your S3 URL to the
# media-src and img-src headers (e.g. img-src 'self' https://<your-S3-URL> data:)
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin";
location / {
include /etc/nginx/funkwhale_proxy.conf;
# this is needed if you have file import via upload enabled
client_max_body_size ${NGINX_MAX_BODY_SIZE};
proxy_pass http://funkwhale-api/;
}
location /front/ {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "ALLOW";
alias /frontend/;
expires 30d;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
location /front/embed.html {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "ALLOW";
alias /frontend/embed.html;
expires 30d;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
location /federation/ {
include /etc/nginx/funkwhale_proxy.conf;
proxy_pass http://funkwhale-api/federation/;
}
# You can comment this if you do not plan to use the Subsonic API
location /rest/ {
include /etc/nginx/funkwhale_proxy.conf;
proxy_pass http://funkwhale-api/api/subsonic/rest/;
}
location /.well-known/ {
include /etc/nginx/funkwhale_proxy.conf;
proxy_pass http://funkwhale-api/.well-known/;
}
location /media/ {
alias ${MEDIA_ROOT}/;
}
# this is an internal location that is used to serve
# audio files once correct permission / authentication
# has been checked on API side
location /_protected/media {
internal;
alias ${MEDIA_ROOT};
}
# Comment the previous location and uncomment this one if you're storing
# media files in a S3 bucket
# location ~ /_protected/media/(.+) {
# internal;
# # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
# proxy_set_header Authorization "";
# proxy_pass $1;
# }
location /_protected/music {
# this is an internal location that is used to serve
# audio files once correct permission / authentication
# has been checked on API side
# Set this to the same value as your MUSIC_DIRECTORY_PATH setting
internal;
alias ${MUSIC_DIRECTORY_PATH};
}
location /staticfiles/ {
# django static files
alias ${STATIC_ROOT}/;
}
}
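Review bot: `add_header X-Frame-Options "ALLOW";` in `location /front/` and `location /front/embed.html` uses a value the header does not define (only `DENY` and `SAMEORIGIN` are), so browsers ignore it and these responses carry no framing restriction. Because an `add_header` inside a location replaces the set inherited from the server block, nothing else covers it. For `/front/` use `add_header X-Frame-Options "SAMEORIGIN";`; for the embed page, which is presumably meant to be framed by other sites, drop the header and state the intent with a `frame-ancestors` directive in that location's Content-Security-Policy.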

@ -0,0 +1,19 @@
# use this one if you put the nginx container behind another proxy
# you will have to set some headers on this proxy as well to ensure
# everything works correctly, you can use the ones from the funkwhale_proxy.conf file
# at https://dev.funkwhale.audio/funkwhale/funkwhale/blob/develop/deploy/funkwhale_proxy.conf
# your proxy will also need to support websockets
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
proxy_set_header X-Forwarded-Host $http_x_forwarded_host;
proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
proxy_redirect off;
# websocket support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
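Review bot: `X-Forwarded-Proto`, `X-Forwarded-Host` and `X-Forwarded-Port` are copied straight from the incoming request (`$http_x_forwarded_*`), so the backend trusts whatever the previous hop, or the client, sent. That is only sound when every request reaches this nginx through Traefik. The funkwhale compose file in this commit also publishes nginx on `${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT}`, and a client connecting there can set these headers itself. Remove that published port or bind it to loopback, and record the assumption above these lines, e.g. `# trusted only because nginx is reachable solely through the front proxy`.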

@ -0,0 +1,40 @@
version: '3'
services:
dbgitea:
image: postgres:11
restart: unless-stopped
env_file: .env
volumes:
- ./db:/var/lib/postgresql/data
- ./gitea/.ssh:/data/git/.ssh
networks:
- myweb
gitea:
image: gitea/gitea:1.9.5
restart: unless-stopped
depends_on:
- dbgitea
networks:
- myweb
volumes:
- './data:/data'
env_file: .env
# ports:
# - "222:22"
labels:
- "traefik.enable=true"
- "traefik.http.routers.gitea.rule=Host(`forge.goe.land`)"
- "traefik.http.routers.gitea.entrypoints=web"
- "traefik.http.routers.giteatls.rule=Host(`forge.goe.land`)"
- "traefik.http.routers.giteatls.entrypoints=websecure"
- "traefik.http.services.gitea.loadbalancer.server.port=3000"
- "traefik.http.routers.giteatls.tls=true"
- "traefik.http.routers.giteatls.tls.certresolver=sample"
- "traefik.docker.network=myweb"
networks:
myweb:
external: true
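Review bot: The `./gitea/.ssh:/data/git/.ssh` volume is declared on `dbgitea`, the PostgreSQL container, which has no use for it; it looks like it was meant for the `gitea` service. According to the setup script in this commit, `./gitea/.ssh` is where the host `gitea` user's `id_rsa` is generated, so this mount hands that private key to the database container. Remove the line from `dbgitea`; the `gitea` service already sees `/data/git/.ssh` through `./data:/data`.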

@ -0,0 +1,16 @@
POSTGRES_USER=gitea
POSTGRES_PASSWORD=password
POSTGRES_DB=gitea
DB_USER=gitea
DB_TYPE=postgres
DB_PASSWD=password
DB_NAME=gitea
DB_HOST=dbgitea
ROOT_URL=https://forge.goe.land
HTTP_PORT=3000
RUN_MODE=prod
APP_NAME="kwakGit : fabriquons notre nid ensemble"
DISABLE_REGISTRATION=true

@ -0,0 +1,3 @@
#!/bin/sh
ssh -p 222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"
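Review bot: `-o StrictHostKeyChecking=no` turns off host-key verification for the hop into the container, and `$SSH_ORIGINAL_COMMAND`, which the connecting client controls, is embedded unescaped in a string that the remote shell parses again. Pin the container's host key instead, e.g. `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=<known_hosts file holding the container key>`, and shell-quote the forwarded command before embedding it. The script also targets port 222, while the `"222:22"` mapping in the gitea compose file is commented out, so as committed the connection would presumably fail.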

@ -0,0 +1,15 @@
#!/bin/bash
# Create user
useradd --create-home --base-dir /srv/apps/gitea --user-group --shell /bin/bash gitea
# Tell the container what UID and GID the user is
echo "USER_UID=$(id --user gitea)" >> ./.env
echo "USER_GID=$(id --group gitea)" >> ./.env
# Create SSH keys
sudo -u gitea ssh-keygen -t rsa -b 4096 -C "Gitea Host Key" -f /srv/apps/gitea/gitea/.ssh/id_rsa
ln -s /srv/apps/gitea/data/git/.ssh/authorized_keys /srv/apps/gitea/gitea/.ssh/authorized_keys
echo "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty $(cat /srv/apps/gitea/gitea/.ssh/id_rsa.pub)" >> /srv/apps/gitea/data/git/.ssh/authorized_keys
cp /srv/apps/gitea/forward_ssh.sh /srv/apps/gitea/data/gitea/gitea
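Review bot: The script has no `set -eu`, so if `useradd` fails, `id --user gitea` prints nothing and empty `USER_UID=` / `USER_GID=` lines are still appended to `.env`. Add `set -eu` after the shebang and make the writes idempotent, since a second run appends duplicate `USER_UID`/`USER_GID` lines and a duplicate `authorized_keys` entry. `ssh-keygen` is called without `-N`, so it prompts for a passphrase; the script should make that choice explicit, with a comment explaining it.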

@ -0,0 +1,59 @@
version: '3'
services:
postgresqlwallabag:
image: postgres:latest
restart: unless-stopped
networks:
- web_wallabag
volumes:
- './db:/var/lib/postgresql/data'
env_file:
- .env
environment:
- POSTGRES_USER=$DB_USER
- POSTGRES_PASSWORD=$DB_PASSWORD
- POSTGRES_DB=$DB_DB
wallabag:
image: wallabag/wallabag
restart: unless-stopped
env_file:
- .env
environment:
- POSTGRES_USER=$DB_USER
- POSTGRES_PASSWORD=$DB_PASSWORD
- SYMFONY__ENV__DATABASE_PASSWORD=$DB_PASSWORD
- SYMFONY__ENV__DATABASE_NAME=$DB_DB
- SYMFONY__ENV__DATABASE_DRIVER=pdo_pgsql
- SYMFONY__ENV__DATABASE_DRIVER_CLASS=Wallabag\CoreBundle\Doctrine\DBAL\Driver\CustomPostgreSQLDriver
- SYMFONY__ENV__DATABASE_HOST=postgresqlwallabag
- SYMFONY__ENV__DATABASE_PORT=5432
- SYMFONY__ENV__DATABASE_USER=etisuanrunrsiet
- SYMFONY__ENV__DOMAIN_NAME=https://bag.goe.land
volumes:
- ./images:/var/www/wallabag/web/assets/images
- ./data:/var/www/wallabag/data
networks:
- web_wallabag
- default
depends_on:
- postgresqlwallabag
- rediswallabag
labels:
- "traefik.enable=true"
- "traefik.http.routers.wallabag.rule=Host(`bag.goe.land`)"
- "traefik.http.routers.wallabag.entrypoints=web"
- "traefik.http.routers.wallabagtls.rule=Host(`bag.goe.land`)"
- "traefik.http.routers.wallabagtls.entrypoints=websecure"
- "traefik.http.routers.wallabagtls.tls=true"
- "traefik.http.routers.wallabagtls.tls.certresolver=sample"
- "traefik.docker.network=web_wallabag"
rediswallabag:
image: redis:alpine
restart: always
networks:
web_wallabag:
external: true
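Review bot: `postgres:latest`, the untagged `wallabag/wallabag` and `redis:alpine` float to whatever the registry serves at the next pull, unlike the other stacks in this commit, which pin versions. For PostgreSQL this is also an availability risk, because a new major version will not start on the existing `./db` data directory. Pin each to the tag currently deployed, e.g. `image: postgres:<major in use>`. Also check `SYMFONY__ENV__DATABASE_USER`: it is a literal, while the database role is created from `POSTGRES_USER=$DB_USER`, so the two only agree if `.env` happens to hold the same value.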

@ -0,0 +1,25 @@
location:
source_directories:
- /srv/apps/
- /srv/users/
repositories:
- borg@backup.corre.bio:main
# exclude_patterns:
# - "*/*/db"
# - "*/*/redis"
storage:
encryption_passcommand: "cat /srv/config/borg/passphrase"
compression: lz4
ssh_command: ssh -i /srv/config/borg/id_rsa -p 8081
retention:
keep_within: 24H
keep_daily: 7
keep_weekly: 4
keep_monthly: 3
consistency:
checks:
- repository
- archives
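Review bot: With `exclude_patterns` commented out, `/srv/apps/` is archived including the live `apps/*/db` PostgreSQL data directories, and a file-level copy of a running database is not guaranteed to restore. Re-enable the `*/*/db` and `*/*/redis` excludes and dump the databases before the backup, or stop the containers while it runs. The second borgmatic configuration in this commit has the same excludes commented out. A comment above `encryption_passcommand` stating that `/srv/config/borg/passphrase` and `/srv/config/borg/id_rsa` must be readable by the backup user only would document the main assumption this file relies on.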

@ -0,0 +1,118 @@
# Where to look for files to backup, and where to store those backups. See
# https://borgbackup.readthedocs.io/en/stable/quickstart.html and
# https://borgbackup.readthedocs.io/en/stable/usage.html#borg-create for details.
location:
source_directories:
- /srv/apps/
repositories:
- borg@cloud.corre.bio:/backup/borg/mustela
#exclude_patterns:
#- "*/*/db"
storage:
encryption_passcommand: "cat /srv/config/borg/passphrase"
compression: lz4
ssh_command: ssh -p 8081 -i /srv/config/borg/id_rsa
retention:
# Keep all archives within this time interval.
keep_within: 24H
# Number of daily archives to keep.
keep_daily: 7
# Number of weekly archives to keep.
keep_weekly: 4
# Number of monthly archives to keep.
keep_monthly: 6
consistency:
# List of one or more consistency checks to run: "repository", "archives", "data",
# and/or "extract". Defaults to "repository" and "archives". Set to "disabled" to
# disable all consistency checks. "repository" checks the consistency of the
# repository, "archives" checks all of the archives, "data" verifies the integrity
# of the data within the archives, and "extract" does an extraction dry-run of the
# most recent archive. Note that "data" implies "archives".
checks:
- disabled
# - repository
# - archives
# Options for customizing borgmatic's own output and logging.
output:
color: false
# hooks:
# List of one or more shell commands or scripts to execute before creating a
# backup, run once per configuration file.
# before_backup:
# - echo "Starting a backup."
# List of one or more shell commands or scripts to execute after creating a
# backup, run once per configuration file.
# after_backup:
# - echo "Created a backup."
# List of one or more shell commands or scripts to execute when an exception
# occurs during a backup or when running a before_backup or after_backup hook.
# on_error:
# - echo "Error while creating a backup or running a backup hook."
# List of one or more PostgreSQL databases to dump before creating a backup,
# run once per configuration file. The database dumps are added to your source
# directories at runtime, backed up, and then removed afterwards. Requires
# pg_dump/pg_dumpall/pg_restore commands. See
# https://www.postgresql.org/docs/current/app-pgdump.html for details.
# postgresql_databases:
# Database name (required if using this hook). Or "all" to dump all
# databases on the host.
# - name: users
# Database hostname to connect to. Defaults to connecting via local
# Unix socket.
# hostname: database.example.org
# Port to connect to. Defaults to 5432.
# port: 5433
# Username with which to connect to the database. Defaults to the
# username of the current user. You probably want to specify the
# "postgres" superuser here when the database name is "all".
# username: dbuser
# Password with which to connect to the database. Omitting a password
# will only work if PostgreSQL is configured to trust the configured
# username without a password, or you create a ~/.pgpass file.
# password: trustsome1
# Database dump output format. One of "plain", "custom", "directory",
# or "tar". Defaults to "custom" (unlike raw pg_dump). See
# https://www.postgresql.org/docs/current/app-pgdump.html for details.
# Note that format is ignored when the database name is "all".
# format: directory
# Additional pg_dump/pg_dumpall options to pass directly to the dump
# command, without performing any validation on them. See
# https://www.postgresql.org/docs/current/app-pgdump.html for details.
# options: --role=someone
# Healthchecks ping URL or UUID to notify when a backup begins, ends, or errors.
# Create an account at https://healthchecks.io if you'd like to use this service.
# healthchecks: https://hc-ping.com/your-uuid-here
# List of one or more shell commands or scripts to execute before running all
# actions (if one of them is "create"), run once before all configuration files.
# before_everything:
# - echo "Starting actions."
# List of one or more shell commands or scripts to execute after running all
# actions (if one of them is "create"), run once after all configuration files.
# after_everything:
# - echo "Completed actions."
# Umask used when executing hooks. Defaults to the umask that borgmatic is run with.
# umask: 0077
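Review bot: `checks: - disabled` turns off every consistency check for this repository, so corruption on the remote would only surface during a restore. The other borgmatic configuration in this commit keeps `repository` and `archives`; restore at least those here (`- repository`, `- archives`), or add a comment above `checks:` saying why they are off and where verification runs instead.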

@ -0,0 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDcqd0S0ncsAf9znJ21ePktmmlXwpsTN5lfirXpVgAM/NvvtoJgRVkiV+MRARIh+LBI6NPvue3fCMRSD87APWn/IdyjLj77SeoKvTkVRL8mKKB26lJ9O5xWrtdAt19uMNEqrhHYf9E2ZYVbqxqJnCeO2BFmRtPP273oquKwys4jAbuQU6E9DOFcE+8M8fwcqtkJNQPhK34dhVkft9ArJs8GZSnCjuB/Z9MQK0btqH/BY2hysMZlk+ZVrytMDNugH/1kiM6jXeGPu9n75t28E3p5OV1nvOsZ6OdR0ZAQfJ7aGa5+VUQp9i2XgGXMDL/IZxUQ2AYuKpLEhLsudOCCOaI+ONVy3E4Xg2hT4femHM4+TCPXZMqNZobYN+WB8o6UbVcTyh1FYFE46FUQUsmvsQQGBUxLKkdrmC7qZWSvpbIwElOCLGKWfjLSqMZ1rQFf+4B0yLV03jdRq351Ng6gbg4Q3xkIdxn+nHPImi3PqZAq+b9qVLBn7qGOxv9kPmGqPiLmx/QH72TRl2EJz46QD1MdqHBTbfnDMxu3whvb0blXZBG8wwCB6k1WZjZiQByu63eAxmW/DhdfOlD7ZcasmaEFHfvCd6QOYdpjyrMgDxwQzIgv/FbzG+hBVArYjfHBGvCSb3U3wJf6OUA9i4Ur0r47qb6uX83o5g4XAU94wXmp0w== borg@corre.bio

@ -0,0 +1,53 @@
version: '3'
services:
traefik:
image: traefik:v2.0.1
restart: always
ports:
- 80:80
- 443:443
- 8080:8080
# - 3000:3000
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./certs:/certs
container_name: traefik
networks:
- myweb
- web_wallabag
command:
- "--log.level=info"
- "--log.filepath=/dev/stdout"
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.exposedByDefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
# - "--entrypoints.webgitea.address=:3000"
- "--certificatesResolvers.sample.acme.email=ewen@corre.bio"
- "--certificatesResolvers.sample.acme.storage=/certs/acme.json"
- "--certificatesResolvers.sample.acme.httpChallenge.entryPoint=web"
#- "--certificatesResolvers.sample.acme.tlsChallenge=true"
#- "--certificatesResolvers.sample.acme.dnsChallenge.provider=gandiv5"
environment:
- GANDIV5_API_KEY=74bBb6s2PlnjKpoE3xYbliJp
whoami:
image: containous/whoami
container_name: "simple-service"
networks:
- myweb
labels:
- "traefik.enable=true"
- "traefik.http.routers.whoami.rule=Host(`test.goe.land`)"
- "traefik.http.routers.whoami.entrypoints=web"
- "traefik.http.routers.whoamitls.rule=Host(`test.goe.land`)"
- "traefik.http.routers.whoamitls.entrypoints=websecure"
- "traefik.http.routers.whoamitls.tls=true"
- "traefik.http.routers.whoamitls.tls.certresolver=sample"
networks:
myweb:
external: true
web_wallabag:
external: true
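Review bot: `--api.insecure=true` combined with the published `8080:8080` serves the Traefik API and dashboard without authentication on every host interface, exposing the full routing configuration to anyone who can reach the host. Remove the `8080:8080` mapping and the insecure flag; if the dashboard is needed, route it through the `websecure` entrypoint behind an authentication middleware. The `traefik.toml` added in this commit sets the same `insecure = true` under `[api]`.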

@ -0,0 +1,29 @@
logLevel = "debug"
[traefikLog]
filePath = "/dev/stdout"
format = "json"
[accessLog]
filePath = "/dev/stdout"
format = "json"
[retry]
#[entryPoints]
# [entryPoints.web]
# address = ":80"
# [entryPoints.websecure]
# address = ":443"
[providers.docker]
endpoint = "unix:///var/run/docker.sock"
network = "web"
exposedByDefault = false
swarmMode = false
[api]
dashboard = true
insecure = true