Add(module): add girasol module

Add(module): add amap module Add(module): add common lib and services Add(module): add base structure for keycloak Add(module): add base structure for rocket Add(module): add n8n and windmill modules Add(docker): add install docker script in common module Add(template): add root for aldon.fr and mathieu.wiki in traefik.service template
2026-04-21 16:52:41 +02:00
parent 905cc8b43d
commit a56911b896
65 changed files with 1893 additions and 23 deletions
--- a/modules/apps/gateway/.env.example
+++ b/modules/apps/gateway/.env.example
@@ -1,5 +1,6 @@
 # Environment files
 ENV_FILE_LOCATION=/opt/environment/.env
+USERNAME=gateway

 # Application Specifics
 #openssl rand -hex 20
@@ -8,4 +9,9 @@ TRAEFIK_BINARY=/usr/local/bin/traefik
 TRAEFIK_USER=traefik
 TRAEFIK_CONF=/home/traefik/traefik.yml
 GATEWAY_REPOSITORY=/Mop/gateway
-DYNAMIC_CONFIG_LOCATION=/home/gateway/services.yaml
+DYNAMIC_CONFIG_LOCATION=/home/gateway/services.yaml
+
+# Backup specifics
+SERVICE_BACKUPS_DIR=/backups/gateway
+SERVICE_BACKUPS_PREFIX=gateway-dump
+SERVICE_BACKUPS_EXTENSION=db
--- a/modules/apps/gateway/cloud-init/service.yaml
+++ b/modules/apps/gateway/cloud-init/service.yaml
@@ -24,6 +24,9 @@ packages:
  - curl
  - nginx

+mounts:
+  - [ "192.168.1.12:/main/backups", "/backups", "nfs", "defaults,_netdev,x-systemd.requires=network-online.target", "0", "0" ]
+
 write_files:
  - path: /opt/environment/.env
    permissions: "0644"
@@ -33,6 +36,14 @@ write_files:
    permissions: "0755"
    content: |
      ${install-traefik-script}
+  - path: /opt/gateway/install-docker.sh
+    permissions: "0755"
+    content: |
+      ${install-docker-script}
+  - path: /opt/gateway/install-crowdsec.sh
+    permissions: "0755"
+    content: |
+      ${install-crowdsec-script}
  - path: /etc/systemd/system/traefik.service
    permissions: "0755"
    content: |
@@ -40,15 +51,47 @@ write_files:
  - path: /usr/share/nginx/error-pages/502.html
    permissions: "0644"
    content: |
-      {nginx-error-502}
+      ${nginx-error-502}
  - path: /etc/nginx/sites-available/default
    permissions: "0644"
    content: |
-      {nginx-error-configuration}
+      ${nginx-error-configuration}
+  - path: /usr/local/bin/restore-backup.sh
+    permissions: "0755"
+    content: |
+      ${restore-backup-script}
+  - path: /etc/systemd/system/restore-backup.service
+    permissions: "0644"
+    content: |
+      ${restore-backup-service}
+  - path: /usr/local/bin/backup.sh
+    permissions: "0755"
+    content: | 
+      ${create-backup-script}
+  - path: /etc/systemd/system/create-backup.timer
+    permissions: "0644"
+    content: |
+      ${create-backup-timer}
+  - path: /etc/systemd/system/create-backup.service
+    permissions: "0644"
+    content: |
+      ${create-backup-service}
+
+bootcmd:
+  - hostnamectl set-hostname ${hostname}
+
 runcmd:
+  # Backup setup
+  - mkdir -p /backups
+  - mount -t nfs ${proxmox_host_ip}:/main/backups /backups
+  - systemctl enable --now create-backup.timer
+  # Crowdsec / Terraform setup
+  - /opt/gateway/install-docker.sh
+  - /opt/gateway/install-crowdsec.sh
  - /opt/gateway/install-traefik.sh
  - ln -s /etc/nginx/sites-available/default /etc/nginx/sites-enabled
  - systemctl start nginx.service
+  - systemctl start restore-backup

 final_message: |
  Base system ready for ${hostname}
--- a/modules/apps/gateway/lib/scripts/create-backup.sh
+++ b/modules/apps/gateway/lib/scripts/create-backup.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+set -euo pipefail
+
+source /opt/environment/.env
+
+TIMESTAMP=$(date +'%Y-%m-%d_%H%M%S')
+
+sudo -u $USERNAME docker cp crowdsec-metabase:/metabase-data/metabase.db/metabase.db.mv.db  $SERVICE_BACKUPS_DIR/$SERVICE_BACKUPS_PREFIX-$TIMESTAMP.$SERVICE_BACKUPS_EXTENSION
+
+ls -1dt $SERVICE_BACKUPS_DIR/$SERVICE_BACKUPS_PREFIX-*.$SERVICE_BACKUPS_EXTENSION | tail -n +5 | xargs -r rm -f
--- a/modules/apps/gateway/lib/scripts/install-crowdsec.sh
+++ b/modules/apps/gateway/lib/scripts/install-crowdsec.sh
@@ -0,0 +1,17 @@
+set -e
+
+sudo apt update
+sudo apt install -y curl gnupg lsb-release
+
+sudo apt install crowdsec
+sudo cscli collections install crowdsecurity/traefik
+sudo cscli collections install crowdsecurity/http-cve
+sudo cscli collections install crowdsecurity/base-http-scenarios
+sudo cscli parsers install crowdsecurity/geoip-enrich
+
+sudo systemctl enable crowdsec
+sudo systemctl restart crowdsec
+
+sudo cscli hub update
+
+cscli dashboard setup -l 0.0.0.0
--- a/modules/apps/gateway/lib/scripts/install-traefik.sh
+++ b/modules/apps/gateway/lib/scripts/install-traefik.sh
@@ -32,6 +32,10 @@ chown $TRAEFIK_USER:$TRAEFIK_USER /etc/traefik/acme.json
 chmod 600 /etc/traefik/acme.json
 setcap 'cap_net_bind_service=+ep' /usr/local/bin/traefik

+sudo mkdir -p /var/log/traefik
+sudo touch /var/log/traefik/access.log
+sudo chown -R traefik:adm /var/log/traefik
+
 cat > "$TRAEFIK_CONF" <<EOF
 entryPoints:
  web:
@@ -47,7 +51,9 @@ api:
  insecure: false
 log:
  level: INFO
-accessLog: {}
+accessLog:
+  filePath: "/var/log/traefik/access.log"
+  bufferingSize: 100
 certificatesResolvers:
  letsencrypt:
    acme:
@@ -58,4 +64,4 @@ certificatesResolvers:
 EOF

 systemctl enable traefik.service
-systemctl start traefik.service
+systemctl start traefik.service
--- a/modules/apps/gateway/lib/scripts/restore-backup.sh
+++ b/modules/apps/gateway/lib/scripts/restore-backup.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+set -euo pipefail
+
+source /opt/environment/.env
+
+LATEST_BACKUP=$(ls -1 $SERVICE_BACKUPS_DIR/$SERVICE_BACKUPS_PREFIX-*.$SERVICE_BACKUPS_EXTENSION 2>/dev/null | sort | tail -n1)
+
+if [ -n "$LATEST_BACKUP" ] && [ -f "$LATEST_BACKUP" ]; then
+    sudo -u $USERNAME docker cp "$LATEST_BACKUP" "crowdsec-metabase:/metabase-data/metabase.db/metabase.db.mv.db"
+fi
--- a/modules/apps/gateway/main.tf
+++ b/modules/apps/gateway/main.tf
@@ -22,9 +22,16 @@ module "vm" {
        hostname        = var.hostname
        domain          = var.domain
        ssh_key         = var.ssh_public_key
-        proxmox_host_ip = var.proxmox_host_ip        
+        proxmox_host_ip = var.proxmox_host_ip
        traefik-service = indent(6, file("${path.module}/lib/services/traefik.service"))
        install-traefik-script = indent(6, file("${path.module}/lib/scripts/install-traefik.sh"))
+        install-crowdsec-script = indent(6, file("${path.module}/lib/scripts/install-crowdsec.sh"))
+        install-docker-script = indent(6, file("${path.module}/../common/scripts/install-docker.sh"))
+        restore-backup-script = indent(6, file("${path.module}/lib/scripts/restore-backup.sh"))
+        restore-backup-service = indent(6, file("${path.module}/../common/services/docker/restore-backup.service"))
+        create-backup-script = indent(6, file("${path.module}/lib/scripts/create-backup.sh"))
+        create-backup-service = indent(6, file("${path.module}}/../common/services/docker/create-backup.service"))
+        create-backup-timer = indent(6, file("${path.module}}/../common/services/create-backup.timer"))
        nginx-error-configuration = indent(6, file("${path.module}/lib/scripts/default"))
        nginx-error-502 = indent(6, file("${path.module}/lib/scripts/502.html"))
        env-file-content = indent(6, file("${path.module}/.env"))