add gateway automatic template and fefan vm

2026-01-19 17:05:38 +01:00
parent d98c7b8bdb
commit f851ead7cd
56 changed files with 1243 additions and 82 deletions
--- a/modules/apps/gateway/lib/scripts/env.sh
+++ b/modules/apps/gateway/lib/scripts/env.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+set -a
+[ -f /opt/gateway/gateway.env ] && source /opt/gateway/gateway.env
+set +a
--- a/modules/apps/gateway/lib/scripts/install-traefik.sh
+++ b/modules/apps/gateway/lib/scripts/install-traefik.sh
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+# GATEWAY_REPOSITORY_LOCATION (path on vm)
+# GATEWAY_REPOSITORY (path on gitea)
+# TRAEFIK_USER
+# TRAEFIK_BINARY
+# TRAEFIK_VERSION
+# TRAEFIK_CONF
+
+source /opt/gateway/env.sh
+
+if ! id -u $TRAEFIK_USER >/dev/null 2>&1; then
+    adduser \
+        --system \
+        --shell /bin/bash \
+        --gecos 'Traefik reverse proxy user' \
+        --group \
+        --disabled-password \
+        --home /home/$TRAEFIK_USER \
+        $TRAEFIK_USER
+fi
+
+if [ ! -f $TRAEFIK_BINARY ]; then
+    wget -O /tmp/traefik.tar.gz "https://github.com/traefik/traefik/releases/download/$TRAEFIK_VERSION/traefik_${TRAEFIK_VERSION}_linux_amd64.tar.gz"
+    tar -zxvf /tmp/traefik.tar.gz -C /usr/local/bin traefik
+    chmod +x $TRAEFIK_BINARY
+fi
+
+mkdir -p /etc/traefik/certs
+touch /etc/traefik/acme.json
+chown $TRAEFIK_USER:$TRAEFIK_USER /etc/traefik/acme.json
+chmod 600 /etc/traefik/acme.json
+setcap 'cap_net_bind_service=+ep' /usr/local/bin/traefik
+
+git clone https://gitea.aldon.fr/$GATEWAY_REPOSITORY.git $GATEWAY_REPOSITORY_LOCATION
+
+cat > "$TRAEFIK_CONF" <<EOF
+entryPoints:
+  web:
+    address: ":80"
+  websecure:
+    address: ":443"
+providers:
+  file:
+    directory: $GATEWAY_REPOSITORY_LOCATION
+    watch: true
+api:
+  dashboard: false
+  insecure: false
+log:
+  level: INFO
+accessLog: {}
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      email: julien.aldon@wanadoo.fr
+      storage: /etc/traefik/acme.json
+      httpChallenge:
+        entryPoint: web
+EOF
+
+systemctl enable traefik.service
+systemctl start traefik.service
--- a/modules/apps/gateway/lib/scripts/pull-webhook.py
+++ b/modules/apps/gateway/lib/scripts/pull-webhook.py
@@ -0,0 +1,23 @@
+from flask import Flask, request, abort
+import subprocess
+import os
+
+SECRET = os.environ.get("WEBHOOK_SECRET")
+REPOSITORY = os.environ.get("GATEWAY_REPOSITORY_LOCATION")
+
+app = Flask(__name__)
+
+@app.route("/reload", methods=["POST"])
+def reload():
+    token = request.headers.get("X-Webhook-Token")
+    if token != SECRET:
+        abort(403)
+
+    subprocess.run(
+        ["git", "-C", REPOSITORY, "pull"],
+        check=True
+    )
+    return "ok\n"
+
+if __name__ == "__main__":
+    app.run()
--- a/modules/apps/gateway/lib/services/pull-webhook.service
+++ b/modules/apps/gateway/lib/services/pull-webhook.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Traefik config webhook
+After=network.target
+
+[Service]
+WorkingDirectory=/usr/local/bin
+ExecStart=/usr/bin/gunicorn --bind 0.0.0.0:5555 pull-webhook:app
+EnvironmentFile=/opt/gateway/gateway.env
+Restart=always
+User=root
+
+[Install]
+WantedBy=multi-user.target
--- a/modules/apps/gateway/lib/services/traefik.service
+++ b/modules/apps/gateway/lib/services/traefik.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Traefik reverse proxy
+After=network.target
+
+[Service]
+User=traefik
+Group=traefik
+ExecStart=/usr/local/bin/traefik --configFile=/home/traefik/traefik.yml
+Restart=always
+RestartSec=5s
+
+[Install]
+WantedBy=multi-user.target