Initial commit (non functional state)
This commit is contained in:
commit
b0ed89b0ab
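--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+.disabled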
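--- a/README.md
+++ b/README.md
@@ -0,0 +1,20 @@
+# Frontal web configuration
+
+This repository contains units and config files for our frontal web starting (at boot). We start lighttpd with a WebSSH
+instance running (for web remote access if need be). We must manually unlock certificates volume, then start nginx.
+
+### Files
+* `lighttpd-webssh.conf` is a sub-conf file for lighttpd, making it serve WebSSH.
+* `etc-letsencrypt.mount` allow to unlock and mount encrypted certificates volume.
+* Relevant information should be added to `/etc/crypttab`.
+* `etc-letsencrypt.timer` is a timer to automatically start previous unit, **but this is currently not used**.
+* `start-lighttpd.conf` is a drop-in Systemd unit file, which starts lighttpd should nginx fail to start.
+* This is not intended for starting process, more in case of failed (remote) restart of nginx.
+* `wait-for-dns.conf` is a drop-in Systemd unit file, which prevents nginx to start before DNS server is operational.
+* `webssh.service` is a service file for WebSSH.
+#### Installation
+* `install.sh` script copies Systemd files to their destination and sets lighttpd conf (and creates a certificate if
+needed).
+
+### TODO
+* Finish install script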
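--- a/etc-letsencrypt.mount
+++ b/etc-letsencrypt.mount
@@ -0,0 +1,12 @@
+# ALERT nginx.service must NOT be enabled
+[Unit]
+Description=Mount Let's Encrypt data directory
+Wants=systemd-cryptsetup@lecrypt.service
+After=systemd-cryptsetup@lecrypt.service network.target
+
+[Mount]
+What=/dev/mapper/lecrypt
+Where=/etc/letsencrypt
+Type=ext4
+Options=rw,relatime
+TimeoutSec=45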
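Review bot: The `# ALERT nginx.service must NOT be enabled` header gives no reason, and nothing else in this mount unit refers to nginx, so the next person touching the host has no way to judge whether the constraint still applies. The README says the volume is unlocked by hand and nginx started afterwards, so I would spell that out: `# ALERT nginx.service must NOT be enabled: nginx needs the certificates under /etc/letsencrypt, which only exist once this volume has been unlocked manually and mounted`. Since the mounted volume holds the private keys, `Options=rw,relatime,nodev,nosuid,noexec` would also be cheap hardening; nothing in this commit suggests anything executable lives there, but that is worth confirming before adding `noexec`.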
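--- a/etc-letsencrypt.timer
+++ b/etc-letsencrypt.timer
@@ -0,0 +1,10 @@
+# WARNING not used in current setup
+[Unit]
+Description=Try to mount letsencrypt certs after boot
+
+[Timer]
+Unit=etc-letsencrypt.mount
+OnBootSec=30
+
+[Install]
+WantedBy=timers.target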
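--- a/install.sh
+++ b/install.sh
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+run_directory=$(dirname "$0")
+
+if [ -f $run_directory/.disabled ]; then
+echo "Installation is disabled. Exiting..."
+exit 0
+fi
+
+echo "Copying Systemd units and drop-ins to system directory..."
+# TODO
+
+echo "Setting up lighttpd..."
+sudo cp $run_directory/lighttpd-webssh.conf /etc/lighttpd/conf-available/99-webssh.conf
+sudo rm /etc/lighttpd/conf-enabled/*
+sudo ln -s /etc/lighttpd/conf-available/10-proxy.conf /etc/lighttpd/conf-enabled/
+sudo ln -s /etc/lighttpd/conf-available/10-ssl.conf /etc/lighttpd/conf-enabled/
+sudo ln -s /etc/lighttpd/conf-available/99-webssh.conf /etc/lighttpd/conf-enabled/
+if not server.pem; then # TODO
+echo "Creating an SSL certificate for lighttpd:"
+create it # TODO
+fi
+
+echo "Reloading Systemd..."
+sudo systemctl daemon-reload
+echo "Disabling nginx and enabling lighttpd..."
+sudo systemctl disable nginx
+sudo systemctl enable lighttpd
+
+echo "Finished install. Exiting..."
+echo "NOTE: Neither nginx nor lighttpd were started/stopped."
+exit 0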
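Review bot: `$run_directory` is expanded unquoted in the `.disabled` test and in the `cp` line, and the script never sets strict mode, so a failed `cp` or `ln -s` is silently followed by `systemctl disable nginx` / `systemctl enable lighttpd` and the host ends up with lighttpd enabled but not configured. `dirname "$0"` can legitimately contain spaces, so I would add `set -euo pipefail` directly after the shebang and quote the two uses: `if [ -f "$run_directory/.disabled" ]; then` and `sudo cp "$run_directory/lighttpd-webssh.conf" /etc/lighttpd/conf-available/99-webssh.conf`. `sudo rm /etc/lighttpd/conf-enabled/*` also discards every enabled lighttpd configuration on the machine, not only the three this repository re-links; a `--` before the glob and a one-line comment stating that conf-enabled is intentionally rebuilt from scratch would make that visible to whoever runs it. The `if not server.pem` placeholder is already marked TODO and the commit title says the state is non-functional, so I am not raising it.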
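--- a/lighttpd-webssh.conf
+++ b/lighttpd-webssh.conf
@@ -0,0 +1,20 @@
+# This is a sub-conf file for lighttpd
+# Its purpose is to serve localhost:8000 to anyone reaching https://kto.black
+# It should thus be copied to /etc/lighttpd/conf-available, and symlinked to conf-enabled
+# The other links in conf-enabled should be 10-proxy.conf and 10-ssl.conf
+# A self signed certificate with key included should be generated at /etc/lighttpd/server.pem
+
+$SERVER["socket"] == ":80" {
+$HTTP["host"] =~ ".*" {
+url.redirect = (".*" => "https://kto.black")
+}
+}
+
+$SERVER["socket"] == ":443" {
+$HTTP["host"] == "kto.black" {
+proxy.server = ("" => (("host" => "localhost", "port" => 8000)))
+proxy.header = (
+"upgrade" => "enable"
+)
+}
+}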
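Review bot: The `:443` block hands every request for `kto.black` straight to the WebSSH instance on `localhost:8000` with no access control in front of it, so anyone who reaches the host over HTTPS gets a shell gateway login form; the header comment even says the intent is "anyone reaching https://kto.black", while the README only describes it as a fallback "if need be". I would gate that block with lighttpd authentication (mod_auth) or a `$HTTP["remoteip"]` allow-list, and at minimum state in the header that WebSSH is reachable from the public internet once this file is enabled. The header also says a self-signed certificate must exist at `/etc/lighttpd/server.pem`, but no `ssl.*` directives appear in this file; presumably they live in `10-ssl.conf`, which is worth naming in that comment so the dependency is explicit.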
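--- a/start-lighttpd.conf
+++ b/start-lighttpd.conf
@@ -0,0 +1,6 @@
+# This file is a drop-in addon for standard nginx Systemd service
+# Its purpose is to start lighttpd should nginx fail to start
+
+[Unit]
+Conflicts=lighttpd.service
+OnFailure=lighttpd.service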
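Review bot: The header explains `OnFailure=lighttpd.service` but not `Conflicts=lighttpd.service`, which has the wider effect: whenever lighttpd is started, by this hook or at boot because `install.sh` enables it, systemd stops nginx, and starting nginx by hand stops lighttpd. Presumably both servers bind :80/:443, in which case that is exactly the hand-over the README describes, and a comment such as `# Conflicts= keeps only one of nginx/lighttpd running; starting nginx manually stops lighttpd` would make it explicit rather than something the operator discovers from systemctl output.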
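--- a/wait-for-dns.conf
+++ b/wait-for-dns.conf
@@ -0,0 +1,11 @@
+# This file is a drop-in addon for standard nginx Systemd service
+# Its purpose is to wait for Bind9 service to start
+# NOTE: It could be replaced by static name definitions (in /etc/hosts), but we'd rather have something dynamic
+
+[Unit]
+Wants=named.service
+After=named.service
+
+[Service]
+# We use ExecCondition because we want to sleep before nginx's default ExecStartPre (conf check)
+ExecCondition=/usr/bin/sleep 2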
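Review bot: `ExecCondition=/usr/bin/sleep 2` always exits 0, so it is a fixed delay rather than a condition, and `After=named.service` only orders against named being started, not against it answering queries; if named takes longer than two seconds to become responsive, nginx's config check still runs too early and the unit fails. The existing comment says why ExecCondition was chosen but not that the value is a guess, so I would extend it: `# 2s is a heuristic: After= only orders against named starting, not against it serving answers`. A real readiness probe in place of `sleep` would turn this into an actual condition, but that is a larger change than this commit attempts.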
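--- a/webssh.service
+++ b/webssh.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Run Python webssh website
+After=network.target
+
+[Service]
+User=www-data
+ExecStart=/usr/bin/python3 /srv/http/webssh/run.py --address='127.0.0.1' --port=8000
+
+[Install]
+WantedBy=default.target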
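Review bot: The `[Service]` section runs a shell gateway as `www-data` with no sandboxing at all; binding to `127.0.0.1:8000` is the right choice, but adding `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` would keep a compromised Python process from escalating or writing into the system tree, assuming `run.py` does not need to write outside its own directory. There is also no `Restart=` policy, so if the process dies lighttpd keeps proxying `kto.black` to a closed port with no automatic recovery. `WantedBy=default.target` works, but `multi-user.target` is the conventional target for a system service and makes the intent clearer.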