adminconf/frontal-web-conf
Archived
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Initial commit (non functional state)

Browse Source
This commit is contained in:
Alexandre CATTEAU 2022-05-24 11:42:45 +02:00
commit b0ed89b0ab
9 changed files with 122 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
.disabled

20
README.md Normal file
View File

@ -0,0 +1,20 @@
# Frontal web configuration
This repository contains units and config files for our frontal web starting (at boot). We start lighttpd with a WebSSH
instance running (for web remote access if need be). We must manually unlock certificates volume, then start nginx.
### Files
* `lighttpd-webssh.conf` is a sub-conf file for lighttpd, making it serve WebSSH.
* `etc-letsencrypt.mount` allow to unlock and mount encrypted certificates volume.
* Relevant information should be added to `/etc/crypttab`.
* `etc-letsencrypt.timer` is a timer to automatically start previous unit, **but this is currently not used**.
* `start-lighttpd.conf` is a drop-in Systemd unit file, which starts lighttpd should nginx fail to start.
* This is not intended for starting process, more in case of failed (remote) restart of nginx.
* `wait-for-dns.conf` is a drop-in Systemd unit file, which prevents nginx to start before DNS server is operational.
* `webssh.service` is a service file for WebSSH.
#### Installation
* `install.sh` script copies Systemd files to their destination and sets lighttpd conf (and creates a certificate if
needed).
### TODO
* Finish install script

12
etc-letsencrypt.mount Normal file
View File

@ -0,0 +1,12 @@
# ALERT nginx.service must NOT be enabled
[Unit]
Description=Mount Let's Encrypt data directory
Wants=systemd-cryptsetup@lecrypt.service
After=systemd-cryptsetup@lecrypt.service network.target
[Mount]
What=/dev/mapper/lecrypt
Where=/etc/letsencrypt
Type=ext4
Options=rw,relatime
TimeoutSec=45

10
etc-letsencrypt.timer Normal file
View File

@ -0,0 +1,10 @@
# WARNING not used in current setup
[Unit]
Description=Try to mount letsencrypt certs after boot
[Timer]
Unit=etc-letsencrypt.mount
OnBootSec=30
[Install]
WantedBy=timers.target

32
install.sh Normal file
View File

@ -0,0 +1,32 @@
#!/usr/bin/env bash
run_directory=$(dirname "$0")
if [ -f $run_directory/.disabled ]; then
echo "Installation is disabled. Exiting..."
exit 0
fi
echo "Copying Systemd units and drop-ins to system directory..."
# TODO
echo "Setting up lighttpd..."
sudo cp $run_directory/lighttpd-webssh.conf /etc/lighttpd/conf-available/99-webssh.conf
sudo rm /etc/lighttpd/conf-enabled/*
sudo ln -s /etc/lighttpd/conf-available/10-proxy.conf /etc/lighttpd/conf-enabled/
sudo ln -s /etc/lighttpd/conf-available/10-ssl.conf /etc/lighttpd/conf-enabled/
sudo ln -s /etc/lighttpd/conf-available/99-webssh.conf /etc/lighttpd/conf-enabled/
if not server.pem; then # TODO
echo "Creating an SSL certificate for lighttpd:"
create it # TODO
fi
echo "Reloading Systemd..."
sudo systemctl daemon-reload
echo "Disabling nginx and enabling lighttpd..."
sudo systemctl disable nginx
sudo systemctl enable lighttpd
echo "Finished install. Exiting..."
echo "NOTE: Neither nginx nor lighttpd were started/stopped."
exit 0

20
lighttpd-webssh.conf Normal file
View File

@ -0,0 +1,20 @@
# This is a sub-conf file for lighttpd
# Its purpose is to serve localhost:8000 to anyone reaching https://kto.black
# It should thus be copied to /etc/lighttpd/conf-available, and symlinked to conf-enabled
# The other links in conf-enabled should be 10-proxy.conf and 10-ssl.conf
# A self signed certificate with key included should be generated at /etc/lighttpd/server.pem
$SERVER["socket"] == ":80" {
$HTTP["host"] =~ ".*" {
url.redirect = (".*" => "https://kto.black")
}
}
$SERVER["socket"] == ":443" {
$HTTP["host"] == "kto.black" {
proxy.server = ("" => (("host" => "localhost", "port" => 8000)))
proxy.header = (
"upgrade" => "enable"
)
}
}

6
start-lighttpd.conf Normal file
View File

@ -0,0 +1,6 @@
# This file is a drop-in addon for standard nginx Systemd service
# Its purpose is to start lighttpd should nginx fail to start
[Unit]
Conflicts=lighttpd.service
OnFailure=lighttpd.service

11
wait-for-dns.conf Normal file
View File

@ -0,0 +1,11 @@
# This file is a drop-in addon for standard nginx Systemd service
# Its purpose is to wait for Bind9 service to start
# NOTE: It could be replaced by static name definitions (in /etc/hosts), but we'd rather have something dynamic
[Unit]
Wants=named.service
After=named.service
[Service]
# We use ExecCondition because we want to sleep before nginx's default ExecStartPre (conf check)
ExecCondition=/usr/bin/sleep 2

10
webssh.service Normal file
View File

@ -0,0 +1,10 @@
[Unit]
Description=Run Python webssh website
After=network.target
[Service]
User=www-data
ExecStart=/usr/bin/python3 /srv/http/webssh/run.py --address='127.0.0.1' --port=8000
[Install]
WantedBy=default.target