Cleanup sh script

.gitattributes

@@ -0,0 +1,2 @@
+.gitignore export-ignore
+.gitattributes export-ignore

.gitea/workflows/ci.yaml

@@ -0,0 +1,13 @@
+name: Continuous Integration
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  env:
+    runs-on: linux
+    steps:
+      - name: Show env
+        run: env | sort

.gitignore

@@ -0,0 +1,2 @@
+*.swp
+*.env

Makefile

@@ -0,0 +1,35 @@
+NAME = $(shell basename $(PWD))
+VERSION = $(shell git describe | sed 's/-/./g')
+BRANCH = $(shell git branch --show-current)
+
+RPM_SBINDIR = $(shell rpm --eval '%{_sbindir}')
+RPM_SOURCEDIR = $(shell rpm --eval '%{_sourcedir}')
+RPM_SYSCONFDIR = $(shell rpm --eval '%{_sysconfdir}')
+RPM_UNITDIR = $(shell rpm --eval '%{_unitdir}')
+RPM_TARBALL_PATH = $(RPM_SOURCEDIR)/$(NAME)-$(VERSION).tar.gz
+
+.PHONY: name
+name:
+	@echo "$(NAME)"
+
+.PHONY: version
+version:
+	@echo "$(VERSION)"
+
+$(RPM_TARBALL_PATH): *
+	git archive --format=tar.gz \
+	            --output="$@" \
+	            --prefix="$(NAME)-$(VERSION)/" \
+	            --verbose \
+	            "$(BRANCH)"
+
+.PHONY: tarball
+tarball: $(RPM_TARBALL_PATH)
+
+.PHONY: install
+install:
+	install --directory $(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d $(DESTDIR)$(RPM_SYSCONFDIR)/certbot $(DESTDIR)$(RPM_UNITDIR) $(DESTDIR)$(RPM_SBINDIR)
+	install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d files/nginx/0_security.conf files/nginx/default.conf
+	install --mode=600 --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/certbot files/certbot/ovh.ini
+	install --mode=644 --target-directory=$(DESTDIR)$(RPM_UNITDIR) files/systemd/certbot-renew.service files/systemd/certbot-renew.timer
+	install --mode=755 --target-directory=$(DESTDIR)$(RPM_SBINDIR) files/sbin/certbot_renew

files/certbot/ovh.ini

@@ -0,0 +1,9 @@
+# OVH API credentials used by Certbot
+# To generate a new token, go to: https://www.ovh.com/auth/api/createToken
+
+dns_ovh_endpoint = "$OVH_ENDPOINT"
+dns_ovh_application_name = "$OVH_APPLICATION_NAME"
+dns_ovh_application_description = "$OVH_APPLICATION_DESCRIPTION"
+dns_ovh_application_key = "$OVH_APPLICATION_KEY"
+dns_ovh_application_secret = "$OVH_APPLICATION_SECRET"
+dns_ovh_consumer_key = "$OVH_CONSUMER_KEY"

files/nginx/0_security.conf

@@ -0,0 +1,27 @@
+# Configure secure access with letsencrypt
+ssl_certificate              /etc/letsencrypt/live/netoik.io/fullchain.pem;
+ssl_certificate_key          /etc/letsencrypt/live/netoik.io/privkey.pem;
+ssl_dhparam                  /etc/letsencrypt/ssl-dhparams.pem;
+
+# Add some ssl settings from Mozilla
+# see: https://ssl-config.mozilla.org
+ssl_protocols                TLSv1.3;
+ssl_ecdh_curve               X25519:prime256v1:secp384r1;
+ssl_prefer_server_ciphers    off;
+ssl_stapling                 on;
+ssl_stapling_verify          on;
+resolver                     127.0.0.1;
+
+# Add some basic security headers from OWASP
+# see: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
+add_header                   Strict-Transport-Security      "max-age=63072000; includeSubDomains; preload;"                      always;
+add_header                   X-Frame-Options                "DENY"                                                               always;
+add_header                   X-XSS-Protection               "0"                                                                  always;
+add_header                   X-Content-Type-Options         "nosniff"                                                            always;
+add_header                   Referrer-Policy                "strict-origin-when-cross-origin"                                    always;
+add_header                   Content-Security-Policy        "default-src 'self'; frame-ancestors 'self'; form-action 'self';"    always;
+add_header                   Cross-Origin-Opener-Policy     "same-origin"                                                        always;
+add_header                   Cross-Origin-Resource-Policy   "same-site"                                                          always;
+add_header                   Permissions-Policy             "geolocation=(), camera=(), microphone=()"                           always;
+add_header                   Server                         "webserver"                                                          always;
+add_header                   X-Robots-Tag                   "noindex, nofollow"                                                  always;

files/nginx/default.conf

@@ -0,0 +1,13 @@
+server {
+	listen 443 default_server;
+	server_name _;
+
+	return 404;
+}
+
+server {
+	listen 80 default_server;
+	server_name _;
+
+	return 301 https://$host$request_uri;    
+}

files/sbin/certbot_renew

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+sleep $(($RANDOM % 3600));
+/opt/certbot/bin/pip install --upgrade certbot certbot-nginx certbot-dns-ovh
+certbot renew --cert-name netoik.io

files/systemd/certbot-renew.service

@@ -0,0 +1,5 @@
+[Unit]
+Description=Renew certbot certificates
+
+[Service]
+ExecStart=certbot_renew

files/systemd/certbot-renew.timer

@@ -0,0 +1,8 @@
+[Unit]
+Description=Daily renew certbot certificates
+
+[Timer]
+OnCalendar=Daily
+
+[Install]
+WantedBy=multi-user.target

netoik-rp.spec

@@ -0,0 +1,80 @@
+%define debug_package %{nil}
+
+Name:           %(make name)
+Version:        %(make version)
+Release:        1%{?dist}
+Summary:        Netoik Reverse Proxy
+License:        MIT
+URL:            https://git.netoik.io/samuel/netoik-rp
+
+Source0:        %{name}-%{version}.tar.gz
+Buildarch:      noarch
+BuildRequires:  make
+Requires:       nginx python3 python-devel (augeas-devel or augeas-libs) gcc openssl
+
+%description
+Install the reverse proxy called nginx with a predefined configuration and with TLS certificates attached to netoik.io
+
+%prep
+%autosetup -v
+
+%install
+%make_install
+
+%post
+# Replace secrets in ovh.ini
+envsubst < %{_sysconfdir}/certbot/ovh.ini > %{_sysconfdir}/certbot/.ovh.ini.new
+if cmp --silent %{_sysconfdir}/certbot/.ovh.ini.new %{_sysconfdir}/certbot/ovh.ini; then
+	rm %{_sysconfdir}/certbot/.ovh.ini.new
+else
+	mv %{_sysconfdir}/certbot/.ovh.ini.new %{_sysconfdir}/certbot/ovh.ini
+	chmod 600 %{_sysconfdir}/certbot/ovh.ini
+fi
+
+# Create virtualenv with certot
+if [ ! -d "/opt/certbot" ]; then
+	python3 -m venv /opt/certbot
+	/opt/certbot/bin/pip install --upgrade pip certbot certbot-nginx certbot-dns-ovh
+	ln --symbolic --force --target-directory %{_sbindir} /opt/certbot/bin/certbot
+fi
+
+# Create certbot certificates
+if ! certbot certificates --cert-name netoik.io | grep --quiet netoik.io; then
+	certbot certonly --cert-name netoik.io --non-interactive --agree-tos --email samuel.campos@netoik.io --dns-ovh --dns-ovh-credentials %{_sysconfdir}/certbot/ovh.ini -d *.netoik.io -d *.samuel-campos.fr
+fi
+
+# Create ssl dh params if not already exists
+if [ ! -f "%{_sysconfdir}/letsencrypt/ssl-dhparams.pem" ]; then
+	openssl dhparam -out %{_sysconfdir}/letsencrypt/ssl-dhparams.pem 2048
+fi
+
+# Restart services
+systemctl daemon-reload
+systemctl reenable --now nginx.service certbot-renew.timer
+
+%postun
+# Remove folders after uninstall
+if [ $1 == 0 ]; then
+  /opt/certbot/bin/certbot delete --cert-name netoik.io
+	rm --recursive --force /opt/certbot
+  rm --recursive --force %{_sysconfdir}/certbot
+fi
+
+%files
+%attr(644, root, root) %{_sysconfdir}/nginx/conf.d/0_security.conf
+%attr(644, root, root) %{_sysconfdir}/nginx/conf.d/default.conf
+
+%attr(755, root, root) %dir %{_sysconfdir}/certbot
+%attr(600, root, root) %{_sysconfdir}/certbot/ovh.ini
+
+%attr(644, root, root) %{_unitdir}/certbot-renew.timer
+%attr(644, root, root) %{_unitdir}/certbot-renew.service
+
+%attr(755, root, root) %{_sbindir}/certbot_renew
+
+%ghost %attr(755, root, root) %dir /opt/certbot
+%ghost %attr(755, root, root) %{_sbindir}/certbot
+%ghost %attr(644, root, root) %{_sysconfdir}/letsencrypt/ssl-dhparams.pem
+
+%changelog
+%autochangelog