Fix typo

Refacto rpm file
Add missing packaged files
2026-01-19 13:17:06 +01:00 · 2026-01-19 13:07:11 +01:00 · 2026-01-18 12:53:15 +01:00 · 2026-01-18 12:42:37 +01:00 · 2026-01-06 12:48:19 +01:00 · 2026-01-02 22:14:00 +01:00
10 changed files with 117 additions and 48 deletions
--- a/.gitea/workflows/ci.yaml
+++ b/.gitea/workflows/ci.yaml
@@ -0,0 +1,13 @@
+name: Continuous Integration
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  env:
+    runs-on: linux
+    steps:
+      - name: Show env
+        run: env | sort
--- a/9
+++ b/9
@@ -28,7 +28,8 @@ tarball: $(RPM_TARBALL_PATH)

 .PHONY: install
 install:
-	install --directory $(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d
-	install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d conf/_security.conf
-	install --directory $(DESTDIR)$(RPM_SYSCONFDIR)/certbot
-	install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/certbot/ conf/ovh.ini
+	install --directory $(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d $(DESTDIR)$(RPM_SYSCONFDIR)/certbot $(DESTDIR)$(RPM_UNITDIR) $(DESTDIR)$(RPM_SBINDIR)
+	install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d conf/nginx/0_security.conf conf/nginx/default.conf
+	install --mode=600 --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/certbot conf/certbot/ovh.ini
+	install --mode=644 --target-directory=$(DESTDIR)$(RPM_UNITDIR) conf/systemd/certbot-renew.service conf/systemd/certbot-renew.timer
+	install --mode=755 --target-directory=$(DESTDIR)$(RPM_SBINDIR) conf/sbin/certbot_renew
--- a/conf/_security.conf
+++ b/conf/_security.conf
@@ -1,22 +0,0 @@
-# Configure secure access with letsencrypt
-ssl_certificate           /etc/letsencrypt/live/netoik.io/fullchain.pem;
-ssl_certificate_key       /etc/letsencrypt/live/netoik.io/privkey.pem;
-include                   /etc/letsencrypt/options-ssl-nginx.conf;
-ssl_dhparam               /etc/letsencrypt/ssl-dhparams.pem;
-ssl_session_cache         shared:SSL:1m;
-
-# Add some basic security headers from OWASP
-# see: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
-add_header                Strict-Transport-Security      "max-age=63072000; includeSubDomains; preload;"                    always;
-add_header                X-Frame-Options                "DENY"                                                             always;
-add_header                X-XSS-Protection               "0"                                                                always;
-add_header                X-Content-Type-Options         "nosniff"                                                          always;
-add_header                Referrer-Policy                "strict-origin-when-cross-origin"                                  always;
-add_header                Content-Security-Policy        "default-src 'self'; frame-ancestors 'self'; form-action 'self';"  always;
-add_header                Cross-Origin-Opener-Policy     "same-origin"                                                      always;
-add_header                Cross-Origin-Resource-Policy   "same-site"                                                        always;
-add_header                Permissions-Policy             "geolocation=(), camera=(), microphone=()"                         always;
-add_header                Server                         "webserver"                                                        always;
-add_header                X-Robots-Tag                   "noindex, nofollow"                                                always;
-
-
--- a/files/certbot/ovh.ini
+++ b/files/certbot/ovh.ini
--- a/files/nginx/0_security.conf
+++ b/files/nginx/0_security.conf
@@ -0,0 +1,27 @@
+# Configure secure access with letsencrypt
+ssl_certificate              /etc/letsencrypt/live/netoik.io/fullchain.pem;
+ssl_certificate_key          /etc/letsencrypt/live/netoik.io/privkey.pem;
+ssl_dhparam                  /etc/letsencrypt/ssl-dhparams.pem;
+
+# Add some ssl settings from Mozilla
+# see: https://ssl-config.mozilla.org
+ssl_protocols                TLSv1.3;
+ssl_ecdh_curve               X25519:prime256v1:secp384r1;
+ssl_prefer_server_ciphers    off;
+ssl_stapling                 on;
+ssl_stapling_verify          on;
+resolver                     127.0.0.1;
+
+# Add some basic security headers from OWASP
+# see: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
+add_header                   Strict-Transport-Security      "max-age=63072000; includeSubDomains; preload;"                      always;
+add_header                   X-Frame-Options                "DENY"                                                               always;
+add_header                   X-XSS-Protection               "0"                                                                  always;
+add_header                   X-Content-Type-Options         "nosniff"                                                            always;
+add_header                   Referrer-Policy                "strict-origin-when-cross-origin"                                    always;
+add_header                   Content-Security-Policy        "default-src 'self'; frame-ancestors 'self'; form-action 'self';"    always;
+add_header                   Cross-Origin-Opener-Policy     "same-origin"                                                        always;
+add_header                   Cross-Origin-Resource-Policy   "same-site"                                                          always;
+add_header                   Permissions-Policy             "geolocation=(), camera=(), microphone=()"                           always;
+add_header                   Server                         "webserver"                                                          always;
+add_header                   X-Robots-Tag                   "noindex, nofollow"                                                  always;
--- a/files/nginx/default.conf
+++ b/files/nginx/default.conf
@@ -0,0 +1,13 @@
+server {
+	listen 443 default_server;
+	server_name _;
+
+	return 404;
+}
+
+server {
+	listen 80 default_server;
+	server_name _;
+
+	return 301 https://$host$request_uri;    
+}
--- a/files/sbin/certbot_renew
+++ b/files/sbin/certbot_renew
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+/usr/bin/env sleep $(($RANDOM % 3600));
+/opt/certbot/bin/pip install --upgrade certbot certbot-nginx certbot-dns-ovh
+/usr/bin/env certbot renew
--- a/files/systemd/certbot-renew.service
+++ b/files/systemd/certbot-renew.service
@@ -0,0 +1,5 @@
+[Unit]
+Description=Renew certbot certificates
+
+[Service]
+ExecStart=certbot_renew
--- a/files/systemd/certbot-renew.timer
+++ b/files/systemd/certbot-renew.timer
@@ -0,0 +1,8 @@
+[Unit]
+Description=Daily renew certbot certificates
+
+[Timer]
+OnCalendar=Daily
+
+[Install]
+WantedBy=multi-user.target
--- a/netoik-rp.spec
+++ b/netoik-rp.spec
@@ -10,7 +10,7 @@ URL:            https://git.netoik.io/samuel/netoik-rp
 Source0:        %{name}-%{version}.tar.gz
 Buildarch:      noarch
 BuildRequires:  make
-Requires:       nginx,python3,python-devel,augeas-devel,gcc
+Requires:       nginx python3 python-devel (augeas-devel or augeas-libs) gcc openssl

 %description
 Install the reverse proxy called nginx with a predefined configuration and with TLS certificates attached to netoik.io
@@ -22,28 +22,38 @@ Install the reverse proxy called nginx with a predefined configuration and with
 %make_install

 %post
-# After install
-if [ $1 == 1 ]; then
-  # Replace secrets in ovh.ini
-  %{_bindir}/env envsubst < %{_sysconfdir}/certbot/ovh.ini > %{_sysconfdir}/certbot/.ovh.ini.swp
-  %{_bindir}/env mv %{_sysconfdir}/certbot/.ovh.ini.swp %{_sysconfdir}/certbot/ovh.ini
-  %{_bindir}/env chmod 600 %{_sysconfdir}/certbot/ovh.ini
-
-  # Create virutal env with certbot cli
-  %{_bindir}/env python3 -m venv /opt/certbot
-  /opt/certbot/bin/pip install --upgrade pip certbot certbot-nginx certbot-dns-ovh
-	%{_bindir}/env ln --symbolic --force --target-directory %{_sbindir} /opt/certbot/bin/certbot
-  %{_bindir}/env certbot certonly --non-interactive --agree-tos --email samuel.campos@netoik.io --dns-ovh --dns-ovh-credentials "%{_sysconfdir}/certbot/ovh.ini" -d "*.netoik.io" -d "*.samuel-campos.fr"
-  %{_bindir}/env printf "\nAutomatic certbot renew\n0 12 * * * root sleep $((RANDOM % 3600)) && certbot renew -q\n" >> %{_sysconfdir}/crontab
-
-  # Stop nginx to be sure changes are taken in account
-  %{_bindir}/env systemctl stop nginx
+# Replace secrets in ovh.ini
+%{_bindir}/env envsubst < %{_sysconfdir}/certbot/ovh.ini > %{_sysconfdir}/certbot/.ovh.ini.new
+if %{_bindir}/env cmp --silent %{_sysconfdir}/certbot/.ovh.ini.new %{_sysconfdir}/certbot/ovh.ini; then
+	%{_bindir}/env rm %{_sysconfdir}/certbot/.ovh.ini.new
+else
+	%{_bindir}/env mv %{_sysconfdir}/certbot/.ovh.ini.new %{_sysconfdir}/certbot/ovh.ini
+	%{_bindir}/env chmod 600 %{_sysconfdir}/certbot/ovh.ini
 fi
-%{_bindir}/env systemctl enable nginx
-%{_bindir}/env systemctl start nginx
+
+# Create virtualenv with certot
+if [ ! -d "/opt/certbot" ]; then
+	%{_bindir}/env python3 -m venv /opt/certbot
+	/opt/certbot/bin/pip install --upgrade pip certbot certbot-nginx certbot-dns-ovh
+	%{_bindir}/env ln --symbolic --force --target-directory %{_sbindir} /opt/certbot/bin/certbot
+fi
+
+# Create certbot certificates
+if [ ! -d "%{_sysconfdir}/letsencrypt/live/netoik.io" ] || [ ! -d "%{_sysconfdir}/letsencrypt/live/samuel-campos.fr" ]; then
+	%{_bindir}/env certbot certonly --non-interactive --agree-tos --email "samuel.campos@netoik.io" --dns-ovh --dns-ovh-credentials "%{_sysconfdir}/certbot/ovh.ini" -d "*.netoik.io" -d "*.samuel-campos.fr"
+fi
+
+# Create ssl dh params if not already exists
+if [ ! -f "%{_sysconfdir}/letsencrypt/ssl-dhparams.pem" ]; then
+	%{_bindir}/env openssl dhparam -out %{_sysconfdir}/letsencrypt/ssl-dhparams.pem 2048
+fi
+
+# Restart services
+%{_bindir}/env systemctl daemon-reload
+%{_bindir}/env systemctl reenable --now nginx.service certbot-renew.timer

 %postun
-# After uninstall
+# Remove folders after uninstall
 if [ $1 == 0 ]; then
  %{_bindir}/env rm --recursive --force /opt/certbot
  %{_bindir}/env rm --recursive --force %{_sysconfdir}/certbot
@@ -51,12 +61,21 @@ if [ $1 == 0 ]; then
 fi

 %files
-%attr(644, root, root) %{_sysconfdir}/nginx/conf.d/_security.conf
+%attr(644, root, root) %{_sysconfdir}/nginx/conf.d/0_security.conf
+%attr(644, root, root) %{_sysconfdir}/nginx/conf.d/default.conf
+
 %attr(755, root, root) %dir %{_sysconfdir}/certbot
-%attr(600, root, root) %config %{_sysconfdir}/certbot/ovh.ini
+%attr(600, root, root) %{_sysconfdir}/certbot/ovh.ini
+
+%attr(644, root, root) %{_unitdir}/certbot-renew.timer
+%attr(644, root, root) %{_unitdir}/certbot-renew.service
+
+%attr(755, root, root) %{_sbindir}/certbot_renew
+
 %ghost %attr(755, root, root) %dir /opt/certbot
 %ghost %attr(755, root, root) %{_sbindir}/certbot
 %ghost %attr(755, root, root) %dir %{_sysconfdir}/letsencrypt
+%ghost %attr(644, root, root) %{_sysconfdir}/letsencrypt/ssl-dhparams.pem

 %changelog
 %autochangelog
Author	SHA1	Message	Date
samuel	ac194fbfc4	Fix typo	2026-01-19 13:17:06 +01:00
samuel	ea6d872a77	Refacto rpm file	2026-01-19 13:07:11 +01:00
samuel	5b0c349edb	Add missing packaged files All checks were successful Continuous Integration / env (push) Successful in 0s Details	2026-01-18 12:53:15 +01:00
samuel	f811e72e64	Add certbot renew service All checks were successful Continuous Integration / env (push) Successful in 0s Details	2026-01-18 12:42:37 +01:00
samuel	8e13e2004a	Add workflow All checks were successful Continuous Integration / env (push) Successful in 1s Details	2026-01-06 12:48:19 +01:00
samuel	c9253b5d08	Fix format	2026-01-02 22:14:00 +01:00
samuel	1770301a87	Add requirement augeas-libs	2026-01-01 22:45:25 +01:00
samuel	33754a20fc	Add dh params size	2026-01-01 21:02:12 +01:00
samuel	9e8290b7df	Add certonly non interactive options	2026-01-01 20:39:58 +01:00
samuel	9f16b7e8db	Use certbot to create cert only	2026-01-01 20:36:46 +01:00