Compare commits
14 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 844e727b7d | |||
| 7e59f820a3 | |||
| 89e3d510df | |||
| 99067e5ead | |||
| 16b36fe751 | |||
| 781a21a209 | |||
| bb08a22ad5 | |||
| 571a660b75 | |||
| 378a44a7a5 | |||
| 786a340122 | |||
| dc894293b6 | |||
| 995b60af81 | |||
| b1f6a731a7 | |||
| 60ff95c8f7 |
@@ -7,20 +7,14 @@ on:
|
||||
|
||||
jobs:
|
||||
build_n_upload:
|
||||
runs-on: linux
|
||||
runs-on: self-hosted
|
||||
steps:
|
||||
- name: Git checkout
|
||||
uses: actions/checkout@v6
|
||||
- uses: actions/checkout@v6
|
||||
with:
|
||||
fetch-depth: 0
|
||||
fetch-tags: true
|
||||
- name: Build tarball
|
||||
run: make tarball
|
||||
- run: make tarball
|
||||
- run: rpmbuild -ba "$(make name).spec"
|
||||
- run: make upload
|
||||
env:
|
||||
GIT_REFERENCE: ${{ github.ref }}
|
||||
- name: Build rpm package
|
||||
run: rpmbuild -ba "$(make name).spec"
|
||||
- name: Upload rpm package
|
||||
run: make upload
|
||||
env:
|
||||
GIT_PACKAGES_USERNAME: ${{ vars.GIT_PACKAGES_USERNAME }}
|
||||
GIT_PACKAGES_TOKEN: ${{ secrets.GIT_PACKAGES_TOKEN }}
|
||||
PKG_TOKEN: ${{ secrets.PKG_TOKEN }}
|
||||
|
||||
@@ -7,16 +7,12 @@ on:
|
||||
|
||||
jobs:
|
||||
lint_n_build:
|
||||
runs-on: linux
|
||||
runs-on: self-hosted
|
||||
steps:
|
||||
- name: Git checkout
|
||||
uses: actions/checkout@v6
|
||||
- uses: actions/checkout@v6
|
||||
with:
|
||||
fetch-depth: 0
|
||||
fetch-tags: true
|
||||
- name: Lint shell scripts
|
||||
run: shellcheck files/sbin/certbot_renew
|
||||
- name: Build tarball
|
||||
run: make tarball
|
||||
- name: Build rpm file
|
||||
run: rpmbuild -ba netoik-rp.spec
|
||||
- run: shellcheck files/sbin/certbot_renew
|
||||
- run: make tarball
|
||||
- run: rpmbuild -ba "$(make name).spec"
|
||||
|
||||
45
Makefile
45
Makefile
@@ -1,16 +1,21 @@
|
||||
NAME = netoik-rp
|
||||
VERSION = $(shell git describe --abbrev=0)
|
||||
RELEASE = $(shell git rev-parse --short HEAD)
|
||||
REFERENCE = $(if $(GIT_REFERENCE),$(GIT_REFERENCE),$(shell git branch --show-current))
|
||||
BUILD_ARCH = noarch
|
||||
ARCH = noarch
|
||||
OWNER = samuel
|
||||
SUMMARY = "Netoïk Reverse Proxy"
|
||||
LICENSE = "MIT"
|
||||
URL = "https://git.netoik.io/$(OWNER)/$(NAME)"
|
||||
SOURCE0 = "$(NAME)-$(VERSION)-$(RELEASE).tar.gz"
|
||||
|
||||
RPM_RPMDIR = $(shell rpm --eval '%{_rpmdir}')
|
||||
RPM_SBINDIR = $(shell rpm --eval '%{_sbindir}')
|
||||
RPM_SOURCEDIR = $(shell rpm --eval '%{_sourcedir}')
|
||||
RPM_SYSCONFDIR = $(shell rpm --eval '%{_sysconfdir}')
|
||||
RPM_UNITDIR = $(shell rpm --eval '%{_unitdir}')
|
||||
RPM_TARBALL_PATH = $(RPM_SOURCEDIR)/$(NAME)-$(VERSION).tar.gz
|
||||
RPM_BUILD_PATH = $(RPM_RPMDIR)/$(BUILD_ARCH)/$(NAME)-$(VERSION)-$(RELEASE).$(BUILD_ARCH).rpm
|
||||
|
||||
RPM_TARBALL_PATH = $(RPM_SOURCEDIR)/$(SOURCE0)
|
||||
RPM_BUILD_PATH = $(RPM_RPMDIR)/$(ARCH)/$(NAME)-$(VERSION)-$(RELEASE).$(ARCH).rpm
|
||||
|
||||
.PHONY: name
|
||||
name:
|
||||
@@ -24,14 +29,34 @@ version:
|
||||
release:
|
||||
@echo "$(RELEASE)"
|
||||
|
||||
.PHONY: build_arch
|
||||
build_arch:
|
||||
@echo "$(BUILD_ARCH)"
|
||||
.PHONY: arch
|
||||
arch:
|
||||
@echo "$(ARCH)"
|
||||
|
||||
.PHONY: owner
|
||||
owner:
|
||||
@echo "$(OWNER)"
|
||||
|
||||
.PHONY: summary
|
||||
summary:
|
||||
@echo "$(SUMMARY)"
|
||||
|
||||
.PHONY: license
|
||||
license:
|
||||
@echo "$(LICENSE)"
|
||||
|
||||
.PHONY: url
|
||||
url:
|
||||
@echo "$(URL)"
|
||||
|
||||
.PHONY: source0
|
||||
source0:
|
||||
@echo "$(SOURCE0)"
|
||||
|
||||
.PHONY: install
|
||||
install:
|
||||
install --directory $(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d $(DESTDIR)$(RPM_SYSCONFDIR)/certbot $(DESTDIR)$(RPM_UNITDIR) $(DESTDIR)$(RPM_SBINDIR)
|
||||
install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d files/nginx/0_security.conf files/nginx/default.conf
|
||||
install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d files/nginx/0_security.conf files/nginx/z_default.conf
|
||||
install --mode=600 --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/certbot files/certbot/ovh.ini
|
||||
install --mode=644 --target-directory=$(DESTDIR)$(RPM_UNITDIR) files/systemd/certbot-renew.service files/systemd/certbot-renew.timer
|
||||
install --mode=755 --target-directory=$(DESTDIR)$(RPM_SBINDIR) files/sbin/certbot_renew
|
||||
@@ -41,11 +66,11 @@ $(RPM_TARBALL_PATH): *
|
||||
--output="$@" \
|
||||
--prefix="$(NAME)-$(VERSION)/" \
|
||||
--verbose \
|
||||
"$(REFERENCE)"
|
||||
HEAD
|
||||
|
||||
.PHONY: tarball
|
||||
tarball: $(RPM_TARBALL_PATH)
|
||||
|
||||
.PHONY: upload
|
||||
upload:
|
||||
curl --fail-with-body --upload-file "$(RPM_BUILD_PATH)" --user "$(GIT_PACKAGES_USERNAME):$(GIT_PACKAGES_TOKEN)" https://git.netoik.io/api/packages/samuel/rpm/upload
|
||||
curl --fail-with-body --upload-file "$(RPM_BUILD_PATH)" --user "$(OWNER):$(PKG_TOKEN)" https://git.netoik.io/api/packages/$(OWNER)/rpm/upload
|
||||
|
||||
61
README.md
61
README.md
@@ -1,4 +1,4 @@
|
||||
# Netoïk reverse proxy  
|
||||
# Netoïk reverse proxy 
|
||||
|
||||
Build an RPM package which will install several tools.
|
||||
|
||||
@@ -36,10 +36,9 @@ A `Makefile` is integrated to let you run some basic commands.
|
||||
rpmbuild -ba netoik-rp.spec
|
||||
```
|
||||
|
||||
- To upload rpm package to Gitea repository:
|
||||
- To upload rpm package to Gitea repository
|
||||
(env vars `GIT_PACKAGES_USERNAME` and `GIT_PACKAGES_TOKEN` needed):
|
||||
```shell
|
||||
# This command needs 2 env variables:
|
||||
# GIT_PACKAGES_USERNAME and GIT_PACKAGES_TOKEN
|
||||
make upload
|
||||
```
|
||||
|
||||
@@ -62,25 +61,45 @@ Two workflows are set up.
|
||||
|
||||
# Deployment
|
||||
|
||||
Security Notes:
|
||||
- no Continuous Deployment set for security reasons **(1)**
|
||||
- no GPG signing for security reasons **(1)**
|
||||
Some commands to deploy the RPM package on server
|
||||
|
||||
**(1)** Act runner does not have sudo access, which prevents
|
||||
from deploying via `dnf` and signing via `gpg`
|
||||
|
||||
Some commands to deploy the RPM package on server:
|
||||
- Add Gitea repo to your repo list:
|
||||
```shell
|
||||
# Add Gitea repo to your repolist
|
||||
dnf config-manager --add-repo https://git.netoik.io/api/packages/samuel/rpm.repo
|
||||
|
||||
# Check Gitea repo is added
|
||||
dnf repolist | grep gitea-samuel
|
||||
|
||||
# Show available package releases
|
||||
dnf --showduplicates netoik-rp
|
||||
|
||||
# Install or upgrade package
|
||||
dnf --nogpgcheck install netoik-rp
|
||||
dnf --nogpgcheck upgrade netoik-rp
|
||||
```
|
||||
|
||||
- Show available versions:
|
||||
```shell
|
||||
dnf --showduplicates netoik-rp
|
||||
```
|
||||
|
||||
- Create certbot ovh credentials here:
|
||||
[www.ovh.com/auth/api/createToken](https://www.ovh.com/auth/api/createToken)
|
||||
|
||||
- Setup environemnt file (fill values):
|
||||
```shell
|
||||
cat > ~/.netoik-rp.env << EOF
|
||||
OVH_ENDPOINT=""
|
||||
OVH_APPLICATION_NAME=""
|
||||
OVH_APPLICATION_DESCRIPTION=""
|
||||
OVH_APPLICATION_KEY=""
|
||||
OVH_APPLICATION_SECRET=""
|
||||
OVH_CONSUMER_KEY=""
|
||||
EOF
|
||||
```
|
||||
|
||||
- Install or upgrade package:
|
||||
```shell
|
||||
set -a
|
||||
source ~/.netoik-rp.env
|
||||
dnf --nogpgcheck --refresh --assumeyes --best install netoik-rp
|
||||
set +a
|
||||
```
|
||||
|
||||
|
||||
# Security Notes
|
||||
|
||||
For security reasons, act runners does not have sudo privileges and so there is:
|
||||
- **no** Continuous Deployment because act runners cannot use `dnf`
|
||||
- **no** GPG signing because act runners cannot use `gpg`
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
# OVH API credentials used by Certbot
|
||||
# To generate a new token, go to: https://www.ovh.com/auth/api/createToken
|
||||
# To generate new credentials, go to: https://www.ovh.com/auth/api/createToken
|
||||
|
||||
dns_ovh_endpoint = "$OVH_ENDPOINT"
|
||||
dns_ovh_application_name = "$OVH_APPLICATION_NAME"
|
||||
|
||||
@@ -22,7 +22,7 @@ add_header X-XSS-Protection "1;mode=block"
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-Permitted-Cross-Domain-Policies "none" always;
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||||
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self';" always;
|
||||
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' data:; frame-ancestors 'self'; form-action 'self';" always;
|
||||
add_header Cross-Origin-Opener-Policy "same-origin" always;
|
||||
add_header Cross-Origin-Resource-Policy "same-site" always;
|
||||
add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always;
|
||||
|
||||
@@ -3,12 +3,12 @@
|
||||
Name: %(make name)
|
||||
Version: %(make version)
|
||||
Release: %(make release)
|
||||
Summary: Netoik Reverse Proxy
|
||||
License: MIT
|
||||
URL: https://git.netoik.io/samuel/netoik-rp
|
||||
Summary: %(make summary)
|
||||
License: %(make license)
|
||||
URL: %(make url)
|
||||
|
||||
Source0: %{name}-%{version}.tar.gz
|
||||
Buildarch: %(make build_arch)
|
||||
Source0: %(make source0)
|
||||
Buildarch: %(make arch)
|
||||
BuildRequires: make
|
||||
Requires: nginx python3 python-devel (augeas-devel or augeas-libs) gcc openssl
|
||||
|
||||
@@ -62,7 +62,7 @@ fi
|
||||
|
||||
%files
|
||||
%attr(644, root, root) %{_sysconfdir}/nginx/conf.d/0_security.conf
|
||||
%attr(644, root, root) %{_sysconfdir}/nginx/conf.d/default.conf
|
||||
%attr(644, root, root) %{_sysconfdir}/nginx/conf.d/z_default.conf
|
||||
|
||||
%attr(755, root, root) %dir %{_sysconfdir}/certbot
|
||||
%attr(600, root, root) %{_sysconfdir}/certbot/ovh.ini
|
||||
|
||||
Reference in New Issue
Block a user