From b0ed89b0abcafc97c48c333535b5bb2d2fb30a81 Mon Sep 17 00:00:00 2001
From: Alexandre CATTEAU
Date: Tue, 24 May 2022 11:42:45 +0200
Subject: [PATCH] Initial commit (non functional state)
---
 .gitignore | 1 +
 README.md | 20 ++++++++++++++++++++
 etc-letsencrypt.mount | 12 ++++++++++++
 etc-letsencrypt.timer | 10 ++++++++++
 install.sh | 32 ++++++++++++++++++++++++++++++++
 lighttpd-webssh.conf | 20 ++++++++++++++++++++
 start-lighttpd.conf | 6 ++++++
 wait-for-dns.conf | 11 +++++++++++
 webssh.service | 10 ++++++++++
 9 files changed, 122 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 README.md
 create mode 100644 etc-letsencrypt.mount
 create mode 100644 etc-letsencrypt.timer
 create mode 100644 install.sh
 create mode 100644 lighttpd-webssh.conf
 create mode 100644 start-lighttpd.conf
 create mode 100644 wait-for-dns.conf
 create mode 100644 webssh.service
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a4603f7
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.disabled
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..b0e36a4
--- /dev/null
+++ b/README.md
@@ -0,0 +1,20 @@
+# Frontal web configuration
+
+This repository contains units and config files for our frontal web starting (at boot). We start lighttpd with a WebSSH
+instance running (for web remote access if need be). We must manually unlock certificates volume, then start nginx.
+
+### Files
+* `lighttpd-webssh.conf` is a sub-conf file for lighttpd, making it serve WebSSH.
+* `etc-letsencrypt.mount` allow to unlock and mount encrypted certificates volume.
+ * Relevant information should be added to `/etc/crypttab`.
+* `etc-letsencrypt.timer` is a timer to automatically start previous unit, **but this is currently not used**.
+* `start-lighttpd.conf` is a drop-in Systemd unit file, which starts lighttpd should nginx fail to start.
+ * This is not intended for starting process, more in case of failed (remote) restart of nginx.
+* `wait-for-dns.conf` is a drop-in Systemd unit file, which prevents nginx to start before DNS server is operational.
+* `webssh.service` is a service file for WebSSH.
+#### Installation
+* `install.sh` script copies Systemd files to their destination and sets lighttpd conf (and creates a certificate if
+needed).
+
+### TODO
+* Finish install script
diff --git a/etc-letsencrypt.mount b/etc-letsencrypt.mount
new file mode 100644
index 0000000..c21637f
--- /dev/null
+++ b/etc-letsencrypt.mount
@@ -0,0 +1,12 @@
+# ALERT nginx.service must NOT be enabled
+[Unit]
+Description=Mount Let's Encrypt data directory
+Wants=systemd-cryptsetup@lecrypt.service
+After=systemd-cryptsetup@lecrypt.service network.target
+
+[Mount]
+What=/dev/mapper/lecrypt
+Where=/etc/letsencrypt
+Type=ext4
+Options=rw,relatime
+TimeoutSec=45
diff --git a/etc-letsencrypt.timer b/etc-letsencrypt.timer
new file mode 100644
index 0000000..0385e23
--- /dev/null
+++ b/etc-letsencrypt.timer
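Review bot: The volume mounted at `/etc/letsencrypt` presumably holds the certificate private keys, yet `Options=rw,relatime` leaves exec, setuid and device nodes allowed on it; nothing in a certificate store needs any of those, so `Options=rw,relatime,nodev,nosuid,noexec` is the safer default at no functional cost. `Wants=systemd-cryptsetup@lecrypt.service` is only a soft dependency, so if the unlock fails (wrong passphrase, missing crypttab entry) the mount unit still runs and likely just waits out `TimeoutSec=45` on the absent `/dev/mapper/lecrypt`; `Requires=systemd-cryptsetup@lecrypt.service` would make that failure immediate and visible in `systemctl status`. `After=network.target` does not look necessary for a local device mount and could be dropped unless the unlock step depends on the network, in which case say so next to the existing `# ALERT` comment.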
@@ -0,0 +1,10 @@
+# WARNING not used in current setup
+[Unit]
+Description=Try to mount letsencrypt certs after boot
+
+[Timer]
+Unit=etc-letsencrypt.mount
+OnBootSec=30
+
+[Install]
+WantedBy=timers.target
diff --git a/install.sh b/install.sh
new file mode 100644
index 0000000..b2e5cb5
--- /dev/null
+++ b/install.sh
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+run_directory=$(dirname "$0")
+
+if [ -f $run_directory/.disabled ]; then
+ echo "Installation is disabled. Exiting..."
+ exit 0
+fi
+
+echo "Copying Systemd units and drop-ins to system directory..."
+# TODO
+
+echo "Setting up lighttpd..."
+sudo cp $run_directory/lighttpd-webssh.conf /etc/lighttpd/conf-available/99-webssh.conf
+sudo rm /etc/lighttpd/conf-enabled/*
+sudo ln -s /etc/lighttpd/conf-available/10-proxy.conf /etc/lighttpd/conf-enabled/
+sudo ln -s /etc/lighttpd/conf-available/10-ssl.conf /etc/lighttpd/conf-enabled/
+sudo ln -s /etc/lighttpd/conf-available/99-webssh.conf /etc/lighttpd/conf-enabled/
+if not server.pem; then # TODO
+ echo "Creating an SSL certificate for lighttpd:"
+ create it # TODO
+fi
+
+echo "Reloading Systemd..."
+sudo systemctl daemon-reload
+echo "Disabling nginx and enabling lighttpd..."
+sudo systemctl disable nginx
+sudo systemctl enable lighttpd
+
+echo "Finished install. Exiting..."
+echo "NOTE: Neither nginx nor lighttpd were started/stopped."
+exit 0
diff --git a/lighttpd-webssh.conf b/lighttpd-webssh.conf
new file mode 100644
index 0000000..ec83162
--- /dev/null
+++ b/lighttpd-webssh.conf
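Review bot: The script never aborts on failure — there is no `set -e`, so when the placeholder lines `if not server.pem; then # TODO` and `create it # TODO` fail with "command not found" it carries on to `sudo systemctl disable nginx` and `sudo systemctl enable lighttpd`, leaving the host switched to a lighttpd that has `10-ssl.conf` enabled but, per the conf header, no `/etc/lighttpd/server.pem` to serve `:443` with. Put `set -euo pipefail` under the shebang and replace the placeholder test with `if [ ! -f /etc/lighttpd/server.pem ]; then`; whatever generates the file should create it with a restrictive mode (it holds the private key, so `chmod 600` and root or lighttpd ownership) and do so before the `ln -s` lines, so a partially configured state is never reached. `$run_directory` is expanded unquoted in the `-f` test and the `cp`; `[ -f "$run_directory/.disabled" ]` and `sudo cp -- "$run_directory/lighttpd-webssh.conf" /etc/lighttpd/conf-available/99-webssh.conf` keep it working when the checkout path contains spaces. `sudo rm /etc/lighttpd/conf-enabled/*` also removes any locally enabled confs that are not in this list, which may be intended but deserves a comment saying so.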
@@ -0,0 +1,20 @@
+# This is a sub-conf file for lighttpd
+# Its purpose is to serve localhost:8000 to anyone reaching https://kto.black
+# It should thus be copied to /etc/lighttpd/conf-available, and symlinked to conf-enabled
+# The other links in conf-enabled should be 10-proxy.conf and 10-ssl.conf
+# A self signed certificate with key included should be generated at /etc/lighttpd/server.pem
+
+$SERVER["socket"] == ":80" {
+ $HTTP["host"] =~ ".*" {
+ url.redirect = (".*" => "https://kto.black")
+ }
+}
+
+$SERVER["socket"] == ":443" {
+ $HTTP["host"] == "kto.black" {
+ proxy.server = ("" => (("host" => "localhost", "port" => 8000)))
+ proxy.header = (
+ "upgrade" => "enable"
+ )
+ }
+}
diff --git a/start-lighttpd.conf b/start-lighttpd.conf
new file mode 100644
index 0000000..89a6821
--- /dev/null
+++ b/start-lighttpd.conf
@@ -0,0 +1,6 @@
+# This file is a drop-in addon for standard nginx Systemd service
+# Its purpose is to start lighttpd should nginx fail to start
+
+[Unit]
+Conflicts=lighttpd.service
+OnFailure=lighttpd.service
diff --git a/wait-for-dns.conf b/wait-for-dns.conf
new file mode 100644
index 0000000..b143968
--- /dev/null
+++ b/wait-for-dns.conf
@@ -0,0 +1,11 @@
+# This file is a drop-in addon for standard nginx Systemd service
+# Its purpose is to wait for Bind9 service to start
+# NOTE: It could be replaced by static name definitions (in /etc/hosts), but we'd rather have something dynamic
+
+[Unit]
+Wants=named.service
+After=named.service
+
+[Service]
+# We use ExecCondition because we want to sleep before nginx's default ExecStartPre (conf check)
+ExecCondition=/usr/bin/sleep 2
diff --git a/webssh.service b/webssh.service
new file mode 100644
index 0000000..bf89499
--- /dev/null
+++ b/webssh.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Run Python webssh website
+After=network.target
+
+[Service]
+User=www-data
+ExecStart=/usr/bin/python3 /srv/http/webssh/run.py --address='127.0.0.1' --port=8000
+
+[Install]
+WantedBy=default.target
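Review bot: The `:443` block proxies every request for `kto.black` straight to the WebSSH instance with no authentication or source restriction at the reverse-proxy layer, so the SSH login form is exposed to anyone who resolves the name; since the README describes this as an emergency access path rather than a public service, consider gating the `proxy.server` line behind `mod_auth` (`auth.require`) or a `$HTTP["remoteip"]` condition, and record the chosen restriction in the header comment. The `$HTTP["host"] =~ ".*"` condition inside the `:80` block matches everything and can be removed, leaving `url.redirect` directly under the socket condition. Requests that reach `:443` with any other Host header fall outside `$HTTP["host"] == "kto.black"` and are presumably served from lighttpd's default document root — worth confirming that is intended.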
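Review bot: `ExecCondition=/usr/bin/sleep 2` is a fixed delay rather than a readiness check, and because `sleep` always exits 0 the condition never actually prevents the start, so nginx can still come up before named answers on a slow boot. systemd's `nss-lookup.target` is the documented synchronisation point for "name resolution is available"; `After=nss-lookup.target` would express the intent directly, provided the named unit on this host orders itself before that target — check with `systemctl show named.service -p Before` before relying on it. `Wants=named.service` also means every nginx start pulls in the DNS server; if that coupling is intended, say so in the header comment.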
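Review bot: WebSSH runs as `www-data`, the account the web servers also use, with none of systemd's sandboxing, so a compromise of the Python process has the full reach of that shared identity; a dedicated user plus `NoNewPrivileges=true`, `ProtectSystem=strict` and `PrivateTmp=true` (and `ProtectHome=true` if `run.py` has no reason to read home directories) would contain it, as long as `run.py` does not need to write outside its working directory — verify before enabling `ProtectSystem=strict`. There is no `Restart=` directive, so a crash of `run.py` silently removes the fallback access path that `start-lighttpd.conf` exists to provide; `Restart=on-failure` is the usual choice. `WantedBy=default.target` works, but `multi-user.target` is the conventional target for a system service.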