ci: fix typo tag name

ci: add cd
ci: try without username
2026-02-15 00:53:15 +01:00 · 2026-02-15 00:49:00 +01:00 · 2026-02-15 00:39:48 +01:00 · 2026-02-15 00:37:06 +01:00 · 2026-02-15 00:08:14 +01:00 · 2026-02-14 22:58:06 +01:00
12 changed files with 167 additions and 67 deletions
--- a/.gitea/workflows/cd.yaml
+++ b/.gitea/workflows/cd.yaml
@@ -0,0 +1,24 @@
+name: Continuous Integration
+
+on:
+  push:
+    tags:
+      - "v[0-9]+.[0-9]+.[0-9]+"
+
+jobs:
+  build:
+    runs-on: linux
+    steps:
+      - name: Git checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-tags: true
+      - name: Build tarball
+        run: make tarball
+      - name: Build rpm package
+        run: rpmbuild -ba "$(make name).spec"
+      - name: Upload rpm package
+        run: make upload
+        env:
+          PACKAGES_USERNAME: ${{ vars.PACKAGES_USERNAME }}
+          PACKAGES_TOKEN: ${{ secrets.PACKAGES_TOKEN }}
--- a/33
+++ b/33
@@ -1,12 +1,16 @@
-NAME = $(shell basename $(PWD))
-VERSION = $(shell git describe | sed 's/-/./g')
+NAME = netoik-rp
+VERSION = $(shell git describe --always --tags --abbrev=0)
+RELEASE = $(shell git rev-parse --short HEAD)
 BRANCH = $(shell git branch --show-current)
+BUILD_ARCH = noarch

+RPM_RPMDIR = $(shell rpm --eval '%{_rpmdir}')
 RPM_SBINDIR = $(shell rpm --eval '%{_sbindir}')
 RPM_SOURCEDIR = $(shell rpm --eval '%{_sourcedir}')
 RPM_SYSCONFDIR = $(shell rpm --eval '%{_sysconfdir}')
 RPM_UNITDIR = $(shell rpm --eval '%{_unitdir}')
 RPM_TARBALL_PATH = $(RPM_SOURCEDIR)/$(NAME)-$(VERSION).tar.gz
+RPM_BUILD_PATH = $(RPM_RPMDIR)/$(BUILD_ARCH)/$(NAME)-$(VERSION)-$(RELEASE).$(BUILD_ARCH).rpm

 .PHONY: name
 name:
@@ -16,6 +20,22 @@ name:
 version:
 	@echo "$(VERSION)"

+.PHONY: release
+release:
+	@echo "$(RELEASE)"
+
+.PHONY: build_arch
+build_arch:
+	@echo "$(BUILD_ARCH)"
+
+.PHONY: install
+install:
+	install --directory $(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d $(DESTDIR)$(RPM_SYSCONFDIR)/certbot $(DESTDIR)$(RPM_UNITDIR) $(DESTDIR)$(RPM_SBINDIR)
+	install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d files/nginx/0_security.conf files/nginx/default.conf
+	install --mode=600 --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/certbot files/certbot/ovh.ini
+	install --mode=644 --target-directory=$(DESTDIR)$(RPM_UNITDIR) files/systemd/certbot-renew.service files/systemd/certbot-renew.timer
+	install --mode=755 --target-directory=$(DESTDIR)$(RPM_SBINDIR) files/sbin/certbot_renew
+
 $(RPM_TARBALL_PATH): *
 	git archive --format=tar.gz \
 	            --output="$@" \
@@ -26,9 +46,6 @@ $(RPM_TARBALL_PATH): *
 .PHONY: tarball
 tarball: $(RPM_TARBALL_PATH)

-.PHONY: install
-install:
-	install --directory $(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d
-	install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d/ conf/security.conf
-	install --directory $(DESTDIR)$(RPM_SYSCONFDIR)/certbot
-	install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/certbot/ conf/ovh.ini.tpl
+.PHONY: upload
+upload:
+	curl --fail-with-body --upload-file "$(RPM_BUILD_PATH)" --user "$(PACKAGES_USERNAME):$(PACKAGES_TOKEN)" https://git.netoik.io/api/packages/samuel/rpm/upload
--- a/conf/ovh.ini.tpl
+++ b/conf/ovh.ini.tpl
@@ -1,6 +0,0 @@
-# OVH API credentials used by Certbot
-# Name referenced in OVH: rasp.netoik.io
-dns_ovh_endpoint = $DNS_OVH_ENDPOINT
-dns_ovh_application_key = $DNS_OVH_APPLICATION_KEY
-dns_ovh_application_secret = $DNS_OVH_APPLICATION_SECRET
-dns_ovh_consumer_key = $DNS_OVH_CONSUMER_KEY
--- a/conf/security.conf
+++ b/conf/security.conf
@@ -1,11 +0,0 @@
-# Configure ssl module
-# See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html 
-include                   /etc/letsencrypt/options-ssl-nginx.conf;
-ssl_certificate           /etc/letsencrypt/live/netoik.io/fullchain.pem;
-ssl_certificate_key       /etc/letsencrypt/live/netoik.io/privkey.pem;
-ssl_dhparam               /etc/letsencrypt/ssl-dhparams.pem;
-
-# Configure headers
-# See: https://nginx.org/en/docs/http/ngx_http_headers_module.html
-add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
-
--- a/files/certbot/ovh.ini
+++ b/files/certbot/ovh.ini
@@ -0,0 +1,9 @@
+# OVH API credentials used by Certbot
+# To generate a new token, go to: https://www.ovh.com/auth/api/createToken
+
+dns_ovh_endpoint = "$OVH_ENDPOINT"
+dns_ovh_application_name = "$OVH_APPLICATION_NAME"
+dns_ovh_application_description = "$OVH_APPLICATION_DESCRIPTION"
+dns_ovh_application_key = "$OVH_APPLICATION_KEY"
+dns_ovh_application_secret = "$OVH_APPLICATION_SECRET"
+dns_ovh_consumer_key = "$OVH_CONSUMER_KEY"
--- a/files/nginx/0_security.conf
+++ b/files/nginx/0_security.conf
@@ -0,0 +1,30 @@
+# Configure secure access with letsencrypt
+ssl_certificate              /etc/letsencrypt/live/netoik.io/fullchain.pem;
+ssl_certificate_key          /etc/letsencrypt/live/netoik.io/privkey.pem;
+ssl_dhparam                  /etc/letsencrypt/ssl-dhparams.pem;
+
+# Add some ssl settings from Mozilla
+# see: https://ssl-config.mozilla.org
+ssl_protocols                TLSv1.3;
+ssl_ecdh_curve               X25519:prime256v1:secp384r1;
+ssl_prefer_server_ciphers    off;
+ssl_stapling                 on;
+ssl_stapling_verify          on;
+resolver                     127.0.0.1;
+
+# Add some basic security headers from OWASP
+# see: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
+# And Nextcloud doc
+# see: https://docs.nextcloud.com/server/31/admin_manual/installation/harden_server.html
+add_header                   Strict-Transport-Security            "max-age=63072000; includeSubDomains; preload;"                                      always;
+add_header                   X-Frame-Options                      "sameorigin"                                                                         always;
+add_header                   X-XSS-Protection                     "1;mode=block"                                                                       always;
+add_header                   X-Content-Type-Options               "nosniff"                                                                            always;
+add_header                   X-Permitted-Cross-Domain-Policies    "none"                                                                               always;
+add_header                   Referrer-Policy                      "strict-origin-when-cross-origin"                                                    always;
+add_header                   Content-Security-Policy              "default-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self';"    always;
+add_header                   Cross-Origin-Opener-Policy           "same-origin"                                                                        always;
+add_header                   Cross-Origin-Resource-Policy         "same-site"                                                                          always;
+add_header                   Permissions-Policy                   "geolocation=(), camera=(), microphone=()"                                           always;
+add_header                   Server                               "webserver"                                                                          always;
+add_header                   X-Robots-Tag                         "noindex, nofollow"                                                                  always;
--- a/files/nginx/default.conf
+++ b/files/nginx/default.conf
@@ -0,0 +1,13 @@
+server {
+	listen 443 default_server;
+	server_name _;
+
+	return 404;
+}
+
+server {
+	listen 80 default_server;
+	server_name _;
+
+	return 301 https://$host$request_uri;    
+}
--- a/files/sbin/certbot_renew
+++ b/files/sbin/certbot_renew
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+sleep $(($RANDOM % 3600));
+/opt/certbot/bin/pip install --upgrade certbot certbot-nginx certbot-dns-ovh
+certbot renew --cert-name netoik.io
--- a/files/systemd/certbot-renew.service
+++ b/files/systemd/certbot-renew.service
@@ -0,0 +1,5 @@
+[Unit]
+Description=Renew certbot certificates
+
+[Service]
+ExecStart=certbot_renew
--- a/files/systemd/certbot-renew.timer
+++ b/files/systemd/certbot-renew.timer
@@ -0,0 +1,8 @@
+[Unit]
+Description=Daily renew certbot certificates
+
+[Timer]
+OnCalendar=Daily
+
+[Install]
+WantedBy=multi-user.target
--- a/netoik-rp.spec
+++ b/netoik-rp.spec
@@ -2,15 +2,15 @@

 Name:           %(make name)
 Version:        %(make version)
-Release:        1%{?dist}
+Release:        %(make release)
 Summary:        Netoik Reverse Proxy
 License:        MIT
 URL:            https://git.netoik.io/samuel/netoik-rp

 Source0:        %{name}-%{version}.tar.gz
-Buildarch:      noarch
+Buildarch:      %(make build_arch)
 BuildRequires:  make
-Requires:       nginx,python3,python-devel,augeas-devel,gcc
+Requires:       nginx python3 python-devel (augeas-devel or augeas-libs) gcc openssl

 %description
 Install the reverse proxy called nginx with a predefined configuration and with TLS certificates attached to netoik.io
@@ -22,39 +22,59 @@ Install the reverse proxy called nginx with a predefined configuration and with
 %make_install

 %post
-# On install
-if [ $1 == 1 ]; then
 # Replace secrets in ovh.ini
-  %{_bindir}/env envsubst < %{_sysconfdir}/certbot/ovh.ini.tpl > %{_sysconfdir}/certbot/ovh.ini
-  %{_bindir}/env chmod 600 %{_sysconfdir}/certbot/ovh.ini
-
-  # Create virutal env with certbot cli
-  %{_bindir}/env python3 -m venv /opt/certbot
-  /opt/certbot/bin/pip install --upgrade pip certbot certbot-dns-ovh
-	%{_bindir}/env ln --symbolic --force --target-directory %{_sbindir} /opt/certbot/bin/certbot
-  %{_bindir}/env certbot certonly --non-interactive	--agree-tos --email samuel.campos@netoik.io --dns-ovh --dns-ovh-credentials "%{_sysconfdir}/certbot/ovh.ini" -d "*.netoik.io" -d "*.samuel-campos.fr"
-  %{_bindir}/env printf "\nAutomatic certbot renew\n0 12 * * * root sleep $((RANDOM % 3600)) && certbot renew -q\n" >> %{_sysconfdir}/crontab
-
-  # Stop nginx to be sure changes are taken in account
-  %{_bindir}/env systemctl stop nginx
+envsubst < %{_sysconfdir}/certbot/ovh.ini > %{_sysconfdir}/certbot/.ovh.ini.new
+if cmp --silent %{_sysconfdir}/certbot/.ovh.ini.new %{_sysconfdir}/certbot/ovh.ini; then
+	rm %{_sysconfdir}/certbot/.ovh.ini.new
+else
+	mv %{_sysconfdir}/certbot/.ovh.ini.new %{_sysconfdir}/certbot/ovh.ini
+	chmod 600 %{_sysconfdir}/certbot/ovh.ini
 fi
-%{_bindir}/env systemctl enable nginx
-%{_bindir}/env systemctl start nginx
+
+# Create virtualenv with certot
+if [ ! -d "/opt/certbot" ]; then
+	python3 -m venv /opt/certbot
+	/opt/certbot/bin/pip install --upgrade pip certbot certbot-nginx certbot-dns-ovh
+	ln --symbolic --force --target-directory %{_sbindir} /opt/certbot/bin/certbot
+fi
+
+# Create certbot certificates
+if ! certbot certificates --cert-name netoik.io | grep --quiet netoik.io; then
+	certbot certonly --cert-name netoik.io --non-interactive --agree-tos --email samuel.campos@netoik.io --dns-ovh --dns-ovh-credentials %{_sysconfdir}/certbot/ovh.ini -d *.netoik.io -d *.samuel-campos.fr
+fi
+
+# Create ssl dh params if not already exists
+if [ ! -f "%{_sysconfdir}/letsencrypt/ssl-dhparams.pem" ]; then
+	openssl dhparam -out %{_sysconfdir}/letsencrypt/ssl-dhparams.pem 2048
+fi
+
+# Restart services
+systemctl daemon-reload
+systemctl reenable --now nginx.service certbot-renew.timer

 %postun
-# On uninstall
+# Remove folders after uninstall
 if [ $1 == 0 ]; then
-  %{_bindir}/env rm --recursive --force /opt/certbot
-  %{_bindir}/env rm --recursive --force %{_sysconfdir}/certbot
+  /opt/certbot/bin/certbot delete --cert-name netoik.io --non-interactive
+	rm --recursive --force /opt/certbot
+  rm --recursive --force %{_sysconfdir}/certbot
 fi

 %files
-%attr(644, root, root) %config %{_sysconfdir}/nginx/conf.d/security.conf
+%attr(644, root, root) %{_sysconfdir}/nginx/conf.d/0_security.conf
+%attr(644, root, root) %{_sysconfdir}/nginx/conf.d/default.conf
+
 %attr(755, root, root) %dir %{_sysconfdir}/certbot
-%attr(600, root, root) %config %ghost %{_sysconfdir}/certbot/ovh.ini
-%attr(644, root, root) %{_sysconfdir}/certbot/ovh.ini.tpl
-%attr(755, root, root) %dir %ghost /opt/certbot
-%attr(755, root, root) %ghost %{_sbindir}/certbot
+%attr(600, root, root) %{_sysconfdir}/certbot/ovh.ini
+
+%attr(644, root, root) %{_unitdir}/certbot-renew.timer
+%attr(644, root, root) %{_unitdir}/certbot-renew.service
+
+%attr(755, root, root) %{_sbindir}/certbot_renew
+
+%ghost %attr(755, root, root) %dir /opt/certbot
+%ghost %attr(755, root, root) %{_sbindir}/certbot
+%ghost %attr(644, root, root) %{_sysconfdir}/letsencrypt/ssl-dhparams.pem

 %changelog
 %autochangelog
--- a/services/netoik-rp.service
+++ b/services/netoik-rp.service
@@ -1,14 +0,0 @@
-[Service]
-Type=forking
-PIDFile=/run/netoik-rp.pid
-ExecStartPre=/usr/bin/env rm -f /run/netoik-rp.pid
-ExecStartPre=/usr/bin/env nginx -t -c /etc/netoik-rp/netoik-rp.conf
-ExecStart=/usr/bin/env nginx -c /etc/netoik-rp/netoik-rp.conf
-ExecReload=/usr/bin/env nginx -s reload -c /etc/netoik-rp/netoik-rp.conf
-KillSignal=SIGQUIT
-TimeoutStopSec=5
-KillMode=mixed
-PrivateTmp=true
-
-[Install]
-WantedBy=multi-user.target
Author	SHA1	Message	Date
samuel	0bc8c67e92	ci: fix typo tag name Some checks failed Continuous Integration / build (push) Has been cancelled Details	2026-02-15 00:53:15 +01:00
samuel	39e1037020	ci: add cd	2026-02-15 00:49:00 +01:00
samuel	1f566cf8bf	ci: try without username	2026-02-15 00:39:48 +01:00
samuel	2046dd0983	ci: try with github.token	2026-02-15 00:37:06 +01:00
samuel	f788c3a132	ci: add user and token	2026-02-15 00:08:14 +01:00
samuel	9c20ba929a	ci: fix typo	2026-02-14 22:58:06 +01:00
samuel	4b2c9268d9	ci: remove tag list	2026-02-14 22:51:27 +01:00
samuel	e1e84909f9	ci: fetch all history	2026-02-14 22:50:25 +01:00
samuel	784cef2c74	ci: add --fail-with-body	2026-02-14 22:17:36 +01:00
samuel	568dd00554	ci: shell expansion	2026-02-14 22:09:07 +01:00
samuel	f5480a12dc	ci: add --always	2026-02-14 21:57:35 +01:00
samuel	3363c3725d	ci: change git describe command	2026-02-14 21:54:24 +01:00
samuel	69d5b8aeae	ci: fetch tags	2026-02-14 21:45:25 +01:00
samuel	26c809f746	ci: add checkout step	2026-02-14 21:21:25 +01:00
samuel	eb1cefe72e	ci: list files	2026-02-14 21:19:16 +01:00
samuel	f3c441db2b	fix: ngix security headers	2026-02-14 21:15:08 +01:00
samuel	f575c4f0d9	Add mode non-interactive on delete cert	2026-01-19 15:50:45 +01:00
samuel	32f20d5443	Cleanup sh script	2026-01-19 15:40:27 +01:00
samuel	84e71bbdb9	Fix certbot command in remove step	2026-01-19 14:34:57 +01:00
samuel	21698b0ae1	Cleanup spec file	2026-01-19 14:22:13 +01:00
samuel	60e71f6fe8	Fix Makefile	2026-01-19 13:18:40 +01:00
samuel	ac194fbfc4	Fix typo	2026-01-19 13:17:06 +01:00
samuel	ea6d872a77	Refacto rpm file	2026-01-19 13:07:11 +01:00
samuel	5b0c349edb	Add missing packaged files	2026-01-18 12:53:15 +01:00
samuel	f811e72e64	Add certbot renew service	2026-01-18 12:42:37 +01:00
samuel	8e13e2004a	Add workflow	2026-01-06 12:48:19 +01:00
samuel	c9253b5d08	Fix format	2026-01-02 22:14:00 +01:00
samuel	1770301a87	Add requirement augeas-libs	2026-01-01 22:45:25 +01:00
samuel	33754a20fc	Add dh params size	2026-01-01 21:02:12 +01:00
samuel	9e8290b7df	Add certonly non interactive options	2026-01-01 20:39:58 +01:00
samuel	9f16b7e8db	Use certbot to create cert only	2026-01-01 20:36:46 +01:00
samuel	af2b40516f	Add nginx security conf	2026-01-01 15:40:05 +01:00
samuel	1ee9c0402d	Use certbot --installer option	2026-01-01 14:30:11 +01:00
samuel	76855cfa05	Use certbot with --nginx	2026-01-01 14:25:16 +01:00
samuel	206795e072	Rename variables in ovh.ini	2026-01-01 14:10:50 +01:00