samuel/netoik-rp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: samuel:v0.1.34
Branches Tags
samuel:main
samuel:v0.1.57 samuel:v0.1.56 samuel:v0.1.55 samuel:v0.1.54 samuel:v0.1.53 samuel:v0.1.52 samuel:v0.1.51 samuel:v0.1.50 samuel:v0.1.49 samuel:v0.1.48 samuel:v0.1.47 samuel:v0.1.46 samuel:v0.1.45 samuel:v0.1.44 samuel:v0.1.43 samuel:v0.1.42 samuel:v0.1.41 samuel:v0.1.40 samuel:v0.1.39 samuel:v0.1.38 samuel:v0.1.9 samuel:v0.1.8 samuel:v0.1.7 samuel:v0.1.6 samuel:v0.1.5 samuel:v0.1.4 samuel:v0.1.37 samuel:v0.1.36 samuel:v0.1.35 samuel:v0.1.34 samuel:v0.1.33 samuel:v0.1.32 samuel:v0.1.31 samuel:v0.1.30 samuel:v0.1.3 samuel:v0.1.29 samuel:v0.1.28 samuel:v0.1.27 samuel:v0.1.26 samuel:v0.1.25 samuel:v0.1.24 samuel:v0.1.23 samuel:v0.1.22 samuel:v0.1.21 samuel:v0.1.20 samuel:v0.1.2 samuel:v0.1.19 samuel:v0.1.18 samuel:v0.1.17 samuel:v0.1.16 samuel:v0.1.15 samuel:v0.1.14 samuel:v0.1.13 samuel:v0.1.12 samuel:v0.1.11 samuel:v0.1.10 samuel:v0.1.1 samuel:v0.1.0
...
compare: samuel:v0.1.57
Branches Tags
samuel:main
samuel:v0.1.57 samuel:v0.1.56 samuel:v0.1.55 samuel:v0.1.54 samuel:v0.1.53 samuel:v0.1.52 samuel:v0.1.51 samuel:v0.1.50 samuel:v0.1.49 samuel:v0.1.48 samuel:v0.1.47 samuel:v0.1.46 samuel:v0.1.45 samuel:v0.1.44 samuel:v0.1.43 samuel:v0.1.42 samuel:v0.1.41 samuel:v0.1.40 samuel:v0.1.39 samuel:v0.1.38 samuel:v0.1.9 samuel:v0.1.8 samuel:v0.1.7 samuel:v0.1.6 samuel:v0.1.5 samuel:v0.1.4 samuel:v0.1.37 samuel:v0.1.36 samuel:v0.1.35 samuel:v0.1.34 samuel:v0.1.33 samuel:v0.1.32 samuel:v0.1.31 samuel:v0.1.30 samuel:v0.1.3 samuel:v0.1.29 samuel:v0.1.28 samuel:v0.1.27 samuel:v0.1.26 samuel:v0.1.25 samuel:v0.1.24 samuel:v0.1.23 samuel:v0.1.22 samuel:v0.1.21 samuel:v0.1.20 samuel:v0.1.2 samuel:v0.1.19 samuel:v0.1.18 samuel:v0.1.17 samuel:v0.1.16 samuel:v0.1.15 samuel:v0.1.14 samuel:v0.1.13 samuel:v0.1.12 samuel:v0.1.11 samuel:v0.1.10 samuel:v0.1.1 samuel:v0.1.0

60 Commits
v0.1.34 ... v0.1.57

Author SHA1 Message Date
samuel
d8b747e315 fix: make install rights
All checks were successful
Continuous Integration / lint_n_build (push) Successful in 20s
Details
Continuous Delivery / build_n_upload (push) Successful in 22s
Details
2026-03-15 16:43:26 +01:00
samuel
0c92b1072a doc: improve makefile
All checks were successful
Continuous Integration / lint_n_build (push) Successful in 19s
Details
2026-03-08 22:26:17 +01:00
samuel
37d6ea9e4a doc: add make help
All checks were successful
Continuous Integration / lint_n_build (push) Successful in 21s
Details
2026-03-08 21:28:35 +01:00
samuel
6ddea566f3 fix: separate systemctl restart and reenable commands
All checks were successful
Continuous Integration / lint_n_build (push) Successful in 21s
Details
Continuous Delivery / build_n_upload (push) Successful in 22s
Details
2026-03-08 16:45:36 +01:00
samuel
844e727b7d doc: update readme
All checks were successful
Continuous Integration / lint_n_build (push) Successful in 19s
Details
Continuous Delivery / build_n_upload (push) Successful in 19s
Details
2026-03-08 16:39:06 +01:00
samuel
7e59f820a3 feat: add csp data type
All checks were successful
Continuous Integration / lint_n_build (push) Successful in 21s
Details
Continuous Delivery / build_n_upload (push) Successful in 22s
Details
2026-03-08 16:08:13 +01:00
samuel
89e3d510df fix: rename nginx default file 2026-03-08 16:07:59 +01:00
samuel
99067e5ead ci: fix upload pkg command
All checks were successful
Continuous Integration / lint_n_build (push) Successful in 21s
Details
Continuous Delivery / build_n_upload (push) Successful in 22s
Details
2026-03-08 02:55:17 +01:00
samuel
16b36fe751 ci: typo depth
Some checks failed
Continuous Integration / lint_n_build (push) Successful in 1m16s
Details
Continuous Delivery / build_n_upload (push) Failing after 19s
Details
2026-03-08 02:49:03 +01:00
samuel
781a21a209 ci: set depth 0
Some checks failed
Continuous Integration / lint_n_build (push) Failing after 13s
Details
2026-03-08 02:45:49 +01:00
samuel
bb08a22ad5 ci: add .gitea folder
Some checks failed
Continuous Integration / lint_n_build (push) Failing after 1m11s
Details
2026-03-08 02:43:22 +01:00
samuel
571a660b75 ci: come back to gitea 2026-03-08 01:40:06 +01:00
samuel
378a44a7a5 ci: trigger actions 2026-03-07 13:41:36 +01:00
samuel
786a340122 fix: runner label 2026-03-07 12:52:11 +01:00
samuel
dc894293b6 refactor: migrate to forgejo 2026-03-07 12:50:53 +01:00
samuel
995b60af81 doc: improve sections 2026-02-17 14:28:39 +01:00
samuel
b1f6a731a7 doc: add security notes section 2026-02-17 14:23:29 +01:00
samuel
60ff95c8f7 doc: remove cd badge 2026-02-17 14:17:23 +01:00
samuel
09d04cc063 doc: move badges
Some checks failed
Continuous Delivery / build_n_upload (push) Has been cancelled
Details
2026-02-17 14:13:10 +01:00
samuel
e351eaea47 doc: fix badges 2026-02-17 14:12:00 +01:00
samuel
2c20d96e99 doc: improve readme 2026-02-17 14:03:52 +01:00
samuel
84e97fe190 ci: fetch depth 0
Some checks failed
Continuous Delivery / build_n_upload (push) Has been cancelled
Details
2026-02-17 02:09:28 +01:00
samuel
d97626ffd2 ci: fetch tags 2026-02-17 02:08:15 +01:00
samuel
5c57534ab9 ci: fix shellcheck target 2026-02-17 02:04:42 +01:00
samuel
051c806332 ci: fix shellcheck targets 2026-02-17 02:02:59 +01:00
samuel
34279dd21c ci: add shellcheck targets 2026-02-17 02:01:57 +01:00
samuel
6b5679e3fe ci: remove systemdlint 2026-02-17 01:07:13 +01:00
samuel
82fd911427 ci: add rpm build 2026-02-17 00:15:48 +01:00
samuel
c2401ee8da ci: add ci workflow 2026-02-17 00:13:05 +01:00
samuel
4c0fbbfe97 ci: add git ref
Some checks failed
Continuous Integration / build (push) Has been cancelled
Details
2026-02-15 01:10:12 +01:00
samuel
0bc8c67e92 ci: fix typo tag name
Some checks failed
Continuous Integration / build (push) Has been cancelled
Details
2026-02-15 00:53:15 +01:00
samuel
39e1037020 ci: add cd 2026-02-15 00:49:00 +01:00
samuel
1f566cf8bf ci: try without username 2026-02-15 00:39:48 +01:00
samuel
2046dd0983 ci: try with github.token 2026-02-15 00:37:06 +01:00
samuel
f788c3a132 ci: add user and token 2026-02-15 00:08:14 +01:00
samuel
9c20ba929a ci: fix typo 2026-02-14 22:58:06 +01:00
samuel
4b2c9268d9 ci: remove tag list 2026-02-14 22:51:27 +01:00
samuel
e1e84909f9 ci: fetch all history 2026-02-14 22:50:25 +01:00
samuel
784cef2c74 ci: add --fail-with-body 2026-02-14 22:17:36 +01:00
samuel
568dd00554 ci: shell expansion 2026-02-14 22:09:07 +01:00
samuel
f5480a12dc ci: add --always 2026-02-14 21:57:35 +01:00
samuel
3363c3725d ci: change git describe command 2026-02-14 21:54:24 +01:00
samuel
69d5b8aeae ci: fetch tags 2026-02-14 21:45:25 +01:00
samuel
26c809f746 ci: add checkout step 2026-02-14 21:21:25 +01:00
samuel
eb1cefe72e ci: list files 2026-02-14 21:19:16 +01:00
samuel
f3c441db2b fix: ngix security headers 2026-02-14 21:15:08 +01:00
samuel
f575c4f0d9 Add mode non-interactive on delete cert 2026-01-19 15:50:45 +01:00
samuel
32f20d5443 Cleanup sh script 2026-01-19 15:40:27 +01:00
samuel
84e71bbdb9 Fix certbot command in remove step 2026-01-19 14:34:57 +01:00
samuel
21698b0ae1 Cleanup spec file 2026-01-19 14:22:13 +01:00
samuel
60e71f6fe8 Fix Makefile 2026-01-19 13:18:40 +01:00
samuel
ac194fbfc4 Fix typo 2026-01-19 13:17:06 +01:00
samuel
ea6d872a77 Refacto rpm file 2026-01-19 13:07:11 +01:00
samuel
5b0c349edb Add missing packaged files 2026-01-18 12:53:15 +01:00
samuel
f811e72e64 Add certbot renew service 2026-01-18 12:42:37 +01:00
samuel
8e13e2004a Add workflow 2026-01-06 12:48:19 +01:00
samuel
c9253b5d08 Fix format 2026-01-02 22:14:00 +01:00
samuel
1770301a87 Add requirement augeas-libs 2026-01-01 22:45:25 +01:00
samuel
33754a20fc Add dh params size 2026-01-01 21:02:12 +01:00
samuel
9e8290b7df Add certonly non interactive options 2026-01-01 20:39:58 +01:00
13 changed files with 324 additions and 85 deletions
Expand all files Collapse all files

20
.gitea/workflows/cd.yaml Normal file
View File

@@ -0,0 +1,20 @@
name: Continuous Delivery
on:
push:
tags:
- "v[0-9]+.[0-9]+.[0-9]+"
jobs:
build_n_upload:
runs-on: self-hosted
steps:
- uses: actions/checkout@v6
with:
fetch-depth: 0
fetch-tags: true
- run: make tarball
- run: rpmbuild -ba "$(make name).spec"
- run: make upload
env:
PKG_TOKEN: ${{ secrets.PKG_TOKEN }}

18
.gitea/workflows/ci.yaml Normal file
View File

@@ -0,0 +1,18 @@
name: Continuous Integration
on:
push:
branches:
- main
jobs:
lint_n_build:
runs-on: self-hosted
steps:
- uses: actions/checkout@v6
with:
fetch-depth: 0
fetch-tags: true
- run: shellcheck files/sbin/certbot_renew
- run: make tarball
- run: rpmbuild -ba "$(make name).spec"

1
.gitignore vendored
View File

@@ -1,2 +1,3 @@
*.swp *.swp
*.env *.env
/.idea

80
Makefile
View File

@@ -1,34 +1,88 @@
NAME = $(shell basename $(PWD)) NAME = netoik-rp
VERSION = $(shell git describe | sed 's/-/./g') VERSION = $(shell git describe --abbrev=0)
BRANCH = $(shell git branch --show-current) RELEASE = $(shell git rev-parse --short HEAD)
ARCH = noarch
OWNER = samuel
SUMMARY = "Netoïk Reverse Proxy"
LICENSE = "MIT"
URL = "https://git.netoik.io/$(OWNER)/$(NAME)"
SOURCE0 = "$(NAME)-$(VERSION)-$(RELEASE).tar.gz"
RPM_RPMDIR = $(shell rpm --eval '%{_rpmdir}')
RPM_SBINDIR = $(shell rpm --eval '%{_sbindir}') RPM_SBINDIR = $(shell rpm --eval '%{_sbindir}')
RPM_SOURCEDIR = $(shell rpm --eval '%{_sourcedir}') RPM_SOURCEDIR = $(shell rpm --eval '%{_sourcedir}')
RPM_SYSCONFDIR = $(shell rpm --eval '%{_sysconfdir}') RPM_SYSCONFDIR = $(shell rpm --eval '%{_sysconfdir}')
RPM_UNITDIR = $(shell rpm --eval '%{_unitdir}') RPM_UNITDIR = $(shell rpm --eval '%{_unitdir}')
RPM_TARBALL_PATH = $(RPM_SOURCEDIR)/$(NAME)-$(VERSION).tar.gz
RPM_TARBALL_PATH = $(RPM_SOURCEDIR)/$(SOURCE0)
RPM_BUILD_PATH = $(RPM_RPMDIR)/$(ARCH)/$(NAME)-$(VERSION)-$(RELEASE).$(ARCH).rpm
.PHONY: help
help:
@grep -E '^[a-zA-Z0-9_-]+:.*?## .*' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
.PHONY: name .PHONY: name
name: name: ## Show project name
@echo "$(NAME)" @echo "$(NAME)"
.PHONY: version .PHONY: version
version: version: ## Show current project version
@echo "$(VERSION)" @echo "$(VERSION)"
.PHONY: release
release: ## Show current project release
@echo "$(RELEASE)"
.PHONY: arch
arch: ## Show rpm arch target
@echo "$(ARCH)"
.PHONY: owner
owner: ## Show project owner name
@echo "$(OWNER)"
.PHONY: summary
summary: ## Show project summary
@echo "$(SUMMARY)"
.PHONY: license
license: ## Show project license
@echo "$(LICENSE)"
.PHONY: url
url: ## Show project homepage URL
@echo "$(URL)"
.PHONY: source0
source0: ## Show rpm source0 file name
@echo "$(SOURCE0)"
$(RPM_TARBALL_PATH): * $(RPM_TARBALL_PATH): *
git archive --format=tar.gz \ git archive --format=tar.gz \
--output="$@" \ --output="$@" \
--prefix="$(NAME)-$(VERSION)/" \ --prefix="$(NAME)-$(VERSION)/" \
--verbose \ --verbose \
"$(BRANCH)" HEAD
.PHONY: tarball .PHONY: tarball
tarball: $(RPM_TARBALL_PATH) tarball: $(RPM_TARBALL_PATH) ## Build rpm tarball
.PHONY: install .PHONY: install
install: install: ## Install files into rpm dest (requires env var DESTDIR)
install --directory $(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d @if [ -z "$(DESTDIR)" ]; then \
install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d conf/_security.conf printf "[CRITICAL] Missing env var DESTDIR\n[CRITICAL] This command is designed to be called by rpmbuild only!\n" 1>&2; \
install --directory $(DESTDIR)$(RPM_SYSCONFDIR)/certbot exit 1; \
install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/certbot/ conf/ovh.ini fi
install --mode=755 --directory $(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d $(DESTDIR)$(RPM_SYSCONFDIR)/certbot $(DESTDIR)$(RPM_UNITDIR) $(DESTDIR)$(RPM_SBINDIR)
install --mode=644 --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d files/nginx/0_security.conf files/nginx/z_default.conf
install --mode=600 --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/certbot files/certbot/ovh.ini
install --mode=644 --target-directory=$(DESTDIR)$(RPM_UNITDIR) files/systemd/certbot-renew.service files/systemd/certbot-renew.timer
install --mode=755 --target-directory=$(DESTDIR)$(RPM_SBINDIR) files/sbin/certbot_renew
.PHONY: upload
upload: ## Upload rpm package to Gitea repository (requires env var PKG_TOKEN)
@if [ -z "$(PKG_TOKEN)" ]; then \
printf "[CRITICAL] Missing env var PKG_TOKEN\n[CRITICAL] This command is designed to be called by Gitea Actions only!\n" 1>&2; \
exit 1; \
fi
curl --fail-with-body --upload-file "$(RPM_BUILD_PATH)" --user "$(OWNER):$(PKG_TOKEN)" https://git.netoik.io/api/packages/$(OWNER)/rpm/upload

107
README.md
View File

@@ -1,3 +1,106 @@
# netoik-rp # Netoïk reverse proxy ![badge](https://git.netoik.io/samuel/netoik-rp/actions/workflows/ci.yaml/badge.svg)
Netoïk reverse proxy Build an RPM package which will install several tools.
- `Nginx` with:
- ssl settings
- security headers
- default site configuration
- `Certbot` certificates with:
- ovh configuration to renew certs
- a command tool certbot_renew
- a systemctl certbot renew timer
# Development
A `Makefile` is integrated to let you run some basic commands.
- Display some information about the project
```shell
make help
make name
make version
make release
make arch
```
- Build a tarball:
```shell
make tarball
```
- Build an rpm package:
```shell
rpmbuild -ba netoik-rp.spec
```
- Upload rpm package to Gitea repository (env var `PKG_TOKEN` is required):
```shell
make upload
```
# CI / CD
Two workflows are set up.
- Continuous Integration:
- triggered by each push event on branch `main`
- runs shellcheck
- builds tarball
- builds rpm package
- Continuous Delivery:
- triggered by each tag push event
- builds tarball
- builds rpm package
- uploads rpm package to repository
# Deployment
Some commands to deploy the RPM package on server
- Add Gitea repo to your repo list:
```shell
dnf config-manager --add-repo https://git.netoik.io/api/packages/samuel/rpm.repo
dnf repolist | grep gitea-samuel
```
- Show available versions:
```shell
dnf --showduplicates netoik-rp
```
- Create certbot ovh credentials here:
[www.ovh.com/auth/api/createToken](https://www.ovh.com/auth/api/createToken)
- Setup environemnt file (fill values):
```shell
cat > ~/.netoik-rp.env << EOF
OVH_ENDPOINT=""
OVH_APPLICATION_NAME=""
OVH_APPLICATION_DESCRIPTION=""
OVH_APPLICATION_KEY=""
OVH_APPLICATION_SECRET=""
OVH_CONSUMER_KEY=""
EOF
```
- Install or upgrade package:
```shell
set -a
source ~/.netoik-rp.env
dnf --nogpgcheck --refresh --assumeyes --best install netoik-rp
set +a
```
# Security Notes
For security reasons, act runners does not have sudo privileges and so there is:
- **no** Continuous Deployment because act runners cannot use `dnf`
- **no** GPG signing because act runners cannot use `gpg`

29
conf/_security.conf
View File

@@ -1,29 +0,0 @@
# Configure secure access with letsencrypt
ssl_certificate /etc/letsencrypt/live/netoik.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/netoik.io/privkey.pem;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
# Add some ssl settings from Mozilla
# see: https://ssl-config.mozilla.org
ssl_protocols TLSv1.3;
ssl_ecdh_curve X25519:prime256v1:secp384r1;
ssl_prefer_server_ciphers off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.1;
# Add some basic security headers from OWASP
# see: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;" always;
add_header X-Frame-Options "DENY" always;
add_header X-XSS-Protection "0" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'self'; form-action 'self';" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Cross-Origin-Resource-Policy "same-site" always;
add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always;
add_header Server "webserver" always;
add_header X-Robots-Tag "noindex, nofollow" always;

2
conf/ovh.ini → files/certbot/ovh.ini
View File

@@ -1,5 +1,5 @@
# OVH API credentials used by Certbot # OVH API credentials used by Certbot
# To generate a new token, go to: https://www.ovh.com/auth/api/createToken # To generate new credentials, go to: https://www.ovh.com/auth/api/createToken
dns_ovh_endpoint = "$OVH_ENDPOINT" dns_ovh_endpoint = "$OVH_ENDPOINT"
dns_ovh_application_name = "$OVH_APPLICATION_NAME" dns_ovh_application_name = "$OVH_APPLICATION_NAME"

30
files/nginx/0_security.conf Normal file
View File

@@ -0,0 +1,30 @@
# Configure secure access with letsencrypt
ssl_certificate /etc/letsencrypt/live/netoik.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/netoik.io/privkey.pem;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
# Add some ssl settings from Mozilla
# see: https://ssl-config.mozilla.org
ssl_protocols TLSv1.3;
ssl_ecdh_curve X25519:prime256v1:secp384r1;
ssl_prefer_server_ciphers off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.1;
# Add some basic security headers from OWASP
# see: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
# And Nextcloud doc
# see: https://docs.nextcloud.com/server/31/admin_manual/installation/harden_server.html
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;" always;
add_header X-Frame-Options "sameorigin" always;
add_header X-XSS-Protection "1;mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' data:; frame-ancestors 'self'; form-action 'self';" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Cross-Origin-Resource-Policy "same-site" always;
add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always;
add_header Server "webserver" always;
add_header X-Robots-Tag "noindex, nofollow" always;

13
files/nginx/z_default.conf Normal file
View File

@@ -0,0 +1,13 @@
server {
listen 443 default_server;
server_name _;
return 404;
}
server {
listen 80 default_server;
server_name _;
return 301 https://$host$request_uri;
}

5
files/sbin/certbot_renew Normal file
View File

@@ -0,0 +1,5 @@
#!/usr/bin/env bash
sleep $((RANDOM % 3600));
/opt/certbot/bin/pip install --upgrade certbot certbot-nginx certbot-dns-ovh
certbot renew --cert-name netoik.io

5
files/systemd/certbot-renew.service Normal file
View File

@@ -0,0 +1,5 @@
[Unit]
Description=Renew certbot certificates
[Service]
ExecStart=certbot_renew

8
files/systemd/certbot-renew.timer Normal file
View File

@@ -0,0 +1,8 @@
[Unit]
Description=Daily renew certbot certificates
[Timer]
OnCalendar=Daily
[Install]
WantedBy=multi-user.target

89
netoik-rp.spec
View File

@@ -2,15 +2,15 @@
Name: %(make name) Name: %(make name)
Version: %(make version) Version: %(make version)
Release: 1%{?dist} Release: %(make release)
Summary: Netoik Reverse Proxy Summary: %(make summary)
License: MIT License: %(make license)
URL: https://git.netoik.io/samuel/netoik-rp URL: %(make url)
Source0: %{name}-%{version}.tar.gz Source0: %(make source0)
Buildarch: noarch Buildarch: %(make arch)
BuildRequires: make BuildRequires: make
Requires: nginx python3 python-devel augeas-devel gcc openssl Requires: nginx python3 python-devel (augeas-devel or augeas-libs) gcc openssl
%description %description
Install the reverse proxy called nginx with a predefined configuration and with TLS certificates attached to netoik.io Install the reverse proxy called nginx with a predefined configuration and with TLS certificates attached to netoik.io
@@ -22,49 +22,60 @@ Install the reverse proxy called nginx with a predefined configuration and with
%make_install %make_install
%post %post
# After install
if [ $1 == 1 ]; then
# Replace secrets in ovh.ini # Replace secrets in ovh.ini
%{_bindir}/env envsubst < %{_sysconfdir}/certbot/ovh.ini > %{_sysconfdir}/certbot/.ovh.ini.swp envsubst < %{_sysconfdir}/certbot/ovh.ini > %{_sysconfdir}/certbot/.ovh.ini.new
%{_bindir}/env mv %{_sysconfdir}/certbot/.ovh.ini.swp %{_sysconfdir}/certbot/ovh.ini if cmp --silent %{_sysconfdir}/certbot/.ovh.ini.new %{_sysconfdir}/certbot/ovh.ini; then
%{_bindir}/env chmod 600 %{_sysconfdir}/certbot/ovh.ini rm %{_sysconfdir}/certbot/.ovh.ini.new
else
# Create virutal env with certbot mv %{_sysconfdir}/certbot/.ovh.ini.new %{_sysconfdir}/certbot/ovh.ini
%{_bindir}/env python3 -m venv /opt/certbot chmod 600 %{_sysconfdir}/certbot/ovh.ini
/opt/certbot/bin/pip install --upgrade pip certbot certbot-nginx certbot-dns-ovh
%{_bindir}/env ln --symbolic --force --target-directory %{_sbindir} /opt/certbot/bin/certbot
# Create certificate with certbot
%{_bindir}/env certbot certonly --dns-ovh --dns-ovh-credentials "%{_sysconfdir}/certbot/ovh.ini" -d "*.netoik.io" -d "*.samuel-campos.fr"
# Add crontab rule for automatic renew
%{_bindir}/env printf "\nAutomatic certbot renew\n0 12 * * * root sleep $((RANDOM % 3600)) && certbot renew -q\n" >> %{_sysconfdir}/crontab
# Create ssl dh params
%{_bindir}/env openssl dhparam -out %{_sysconfdir}/letsencrypt/ssl-dhparams.pem
# Stop nginx to be sure changes are taken in account
%{_bindir}/env systemctl stop nginx
fi fi
%{_bindir}/env systemctl enable nginx
%{_bindir}/env systemctl start nginx # Create virtualenv with certot
if [ ! -d "/opt/certbot" ]; then
python3 -m venv /opt/certbot
/opt/certbot/bin/pip install --upgrade pip certbot certbot-nginx certbot-dns-ovh
ln --symbolic --force --target-directory %{_sbindir} /opt/certbot/bin/certbot
fi
# Create certbot certificates
if ! certbot certificates --cert-name netoik.io | grep --quiet netoik.io; then
certbot certonly --cert-name netoik.io --non-interactive --agree-tos --email samuel.campos@netoik.io --dns-ovh --dns-ovh-credentials %{_sysconfdir}/certbot/ovh.ini -d *.netoik.io -d *.samuel-campos.fr
fi
# Create ssl dh params if not already exists
if [ ! -f "%{_sysconfdir}/letsencrypt/ssl-dhparams.pem" ]; then
openssl dhparam -out %{_sysconfdir}/letsencrypt/ssl-dhparams.pem 2048
fi
# Restart services
systemctl daemon-reload
systemctl reenable nginx.service certbot-renew.timer
systemctl restart nginx.service certbot-renew.timer
%postun %postun
# After uninstall # Remove folders after uninstall
if [ $1 == 0 ]; then if [ $1 == 0 ]; then
%{_bindir}/env rm --recursive --force /opt/certbot /opt/certbot/bin/certbot delete --cert-name netoik.io --non-interactive
%{_bindir}/env rm --recursive --force %{_sysconfdir}/certbot rm --recursive --force /opt/certbot
%{_bindir}/env rm --recursive --force %{_sysconfdir}/letsencrypt rm --recursive --force %{_sysconfdir}/certbot
fi fi
%files %files
%attr(644, root, root) %{_sysconfdir}/nginx/conf.d/_security.conf %attr(644, root, root) %{_sysconfdir}/nginx/conf.d/0_security.conf
%attr(644, root, root) %{_sysconfdir}/nginx/conf.d/z_default.conf
%attr(755, root, root) %dir %{_sysconfdir}/certbot %attr(755, root, root) %dir %{_sysconfdir}/certbot
%attr(600, root, root) %config %{_sysconfdir}/certbot/ovh.ini %attr(600, root, root) %{_sysconfdir}/certbot/ovh.ini
%attr(644, root, root) %{_unitdir}/certbot-renew.timer
%attr(644, root, root) %{_unitdir}/certbot-renew.service
%attr(755, root, root) %{_sbindir}/certbot_renew
%ghost %attr(755, root, root) %dir /opt/certbot %ghost %attr(755, root, root) %dir /opt/certbot
%ghost %attr(755, root, root) %{_sbindir}/certbot %ghost %attr(755, root, root) %{_sbindir}/certbot
%ghost %attr(755, root, root) %dir %{_sysconfdir}/letsencrypt %ghost %attr(644, root, root) %{_sysconfdir}/letsencrypt/ssl-dhparams.pem
%ghost %attr(755, root, root) %{_sysconfdir}/letsencrypt/ssl-dhparams.pem
%changelog %changelog
%autochangelog %autochangelog