doc: move badges

.gitea/workflows/cd.yaml

@@ -1,4 +1,4 @@
-name: Continuous Integration
+name: Continuous Delivery
 
 on:
   push:
@@ -6,7 +6,7 @@ on:
       - "v[0-9]+.[0-9]+.[0-9]+"
 
 jobs:
-  build:
+  build_n_upload:
     runs-on: linux
     steps:
       - name: Git checkout
@@ -15,10 +15,12 @@ jobs:
           fetch-tags: true
       - name: Build tarball
         run: make tarball
+        env:
+          GIT_REFERENCE: ${{ github.ref }}
       - name: Build rpm package
         run: rpmbuild -ba "$(make name).spec"
       - name: Upload rpm package
         run: make upload
         env:
-          PACKAGES_USERNAME: ${{ vars.PACKAGES_USERNAME }}
+          GIT_PACKAGES_USERNAME: ${{ vars.GIT_PACKAGES_USERNAME }}
-          PACKAGES_TOKEN: ${{ secrets.PACKAGES_TOKEN }}
+          GIT_PACKAGES_TOKEN: ${{ secrets.GIT_PACKAGES_TOKEN }}

.gitea/workflows/ci.yaml

@@ -0,0 +1,22 @@
+name: Continuous Integration
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  lint_n_build:
+    runs-on: linux
+    steps:
+      - name: Git checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+      - name: Lint shell scripts
+        run: shellcheck files/sbin/certbot_renew
+      - name: Build tarball
+        run: make tarball
+      - name: Build rpm file
+        run: rpmbuild -ba netoik-rp.spec

.gitignore

@@ -1,2 +1,3 @@
 *.swp
 *.env
+/.idea

Makefile

@@ -1,7 +1,7 @@
 NAME = netoik-rp
-VERSION = $(shell git describe --always --tags --abbrev=0)
+VERSION = $(shell git describe --abbrev=0)
 RELEASE = $(shell git rev-parse --short HEAD)
-BRANCH = $(shell git branch --show-current)
+REFERENCE = $(if $(GIT_REFERENCE),$(GIT_REFERENCE),$(shell git branch --show-current))
 BUILD_ARCH = noarch
 
 RPM_RPMDIR = $(shell rpm --eval '%{_rpmdir}')
@@ -41,11 +41,11 @@ $(RPM_TARBALL_PATH): *
 	            --output="$@" \
 	            --prefix="$(NAME)-$(VERSION)/" \
 	            --verbose \
-	            "$(BRANCH)"
+	            "$(REFERENCE)"
 
 .PHONY: tarball
 tarball: $(RPM_TARBALL_PATH)
 
 .PHONY: upload
 upload:
-	curl --fail-with-body --upload-file "$(RPM_BUILD_PATH)" --user "$(PACKAGES_USERNAME):$(PACKAGES_TOKEN)" https://git.netoik.io/api/packages/samuel/rpm/upload
+	curl --fail-with-body --upload-file "$(RPM_BUILD_PATH)" --user "$(GIT_PACKAGES_USERNAME):$(GIT_PACKAGES_TOKEN)" https://git.netoik.io/api/packages/samuel/rpm/upload

README.md

@@ -1,3 +1,86 @@
-# netoik-rp
+# Netoïk reverse proxy ![badge](https://git.netoik.io/samuel/netoik-rp/actions/workflows/ci.yaml/badge.svg) ![badge](https://git.netoik.io/samuel/netoik-rp/actions/workflows/cd.yaml/badge.svg)
 
-Netoïk reverse proxy
+Build an RPM package which will install several tools.
+
+- `Nginx` with:
+    - ssl settings
+    - security headers
+    - default site configuration
+
+
+- `Certbot` certificates with:
+    - ovh configuration to renew certs
+    - a command tool certbot_renew
+    - a systemctl certbot renew timer
+
+
+# Development
+
+A `Makefile` is integrated to let you run some basic commands.
+
+- To display some information about the project
+  ```shell
+  make name
+  make version
+  make release
+  make build_arch
+  ```
+
+- To build a tarball:
+  ```shell
+  make tarball 
+  ```
+  
+- To build a rpm package:
+  ```shell
+  rpmbuild -ba netoik-rp.spec
+  ```
+  
+- To upload rpm package to Gitea repository:
+  ```shell
+  # This command needs 2 env variables:
+  # GIT_PACKAGES_USERNAME and GIT_PACKAGES_TOKEN
+  make upload
+  ```
+
+
+# CI / CD
+
+Two workflows are set up.
+
+- Continuous Integration:
+  - triggered by each push on branch `main`
+  - runs shellcheck on script `certbot_renew`
+  - builds tarball and rpm package to test everything is OK
+
+
+- Continuous Delivery:
+  - triggered by each tag pushed
+  - builds tarball
+  - builds and uploads rpm package to `Gitea` repository
+
+
+# Deployment
+
+Security Notes:
+  - no Continuous Deployment set for security reasons **(1)**
+  - no GPG signing for security reasons **(1)**
+
+**(1)** Act runner does not have sudo access, which prevents 
+from deploying via `dnf` and signing via `gpg`
+
+Some commands to deploy the RPM package on server:
+  ```shell
+  # Add Gitea repo to your repolist
+  dnf config-manager --add-repo https://git.netoik.io/api/packages/samuel/rpm.repo
+  
+  # Check Gitea repo is added
+  dnf repolist | grep gitea-samuel
+  
+  # Show available package releases
+  dnf --showduplicates netoik-rp
+  
+  # Install or upgrade package
+  dnf --nogpgcheck install netoik-rp
+  dnf --nogpgcheck upgrade netoik-rp 
+  ```

files/sbin/certbot_renew

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
 
-sleep $(($RANDOM % 3600));
+sleep $((RANDOM % 3600));
 /opt/certbot/bin/pip install --upgrade certbot certbot-nginx certbot-dns-ovh
 certbot renew --cert-name netoik.io