Commit f3c17011 authored by Daniel STAN's avatar Daniel STAN

Merge branch 'master' into doc

Conflicts:
	testing.sh
parents 0bcd2de6 ee688f8d
......@@ -140,7 +140,7 @@ if __name__ == "__main__":
#print ".forward non-accessible : %s" % e
pass
except IndexError as e:
print "Home existant mais pas d'adhérent ldap : %s" % e
print "Home %s existant mais pas d'adhérent ldap : %s" % (uid, e)
a_imprimer = []
a_verifier = []
......@@ -180,7 +180,7 @@ if __name__ == "__main__":
print " * Recherche de %s ..." % adresse
# Est-ce un .forward ?
if addresse in forwards.iterkeys():
if adresse in forwards.iterkeys():
res = ldap.search(u"uid=%s" % forwards[adresse], mode='rw')
if len(res) == 0:
print "*** Erreur : aucun résultat pour uid=%s" % forwards[adresse]
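Review bot: The corrected `adresse` lookup now reaches `ldap.search(u"uid=%s" % forwards[adresse], mode='rw')`, where a uid that, judging by the surrounding comments, was read from a user's `.forward` file is interpolated unescaped into the LDAP filter, so unexpected characters in that file can alter the filter rather than just fail to match. Escape or validate the value before building the filter — python-ldap provides `ldap.filter.escape_filter_chars`, if the `ldap` object here wraps it (not visible in the hunk), otherwise check the uid against a strict pattern and skip the entry with a message when it does not conform. `if adresse in forwards:` is the idiomatic form of the membership test on the fixed line. Where `forwards` is populated is outside this hunk.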
......
#!/bin/bash
# oneliner destiné à être symlinké depuis /usr/bin/irc
# pour que tout le monde puisse facilement utiliser
# WeeChat dans un screen
screen -rd IRC || screen -S IRC weechat
......@@ -702,17 +702,6 @@ accueil_route = {
'zamok.crans.org',
],
},
'138.231.136.67' : {
'tcp' : [
'80',
'443',
],
'hosts' : [
'www.crans.org',
'wiki.crans.org',
'wifi.crans.org',
],
},
'138.231.136.98' : {
'tcp' : [
'20',
......@@ -729,7 +718,7 @@ accueil_route = {
'ftp.crans.org',
],
},
'138.231.136.130' : {
'138.231.136.145' : {
'tcp' : [
'80',
'443',
......@@ -737,17 +726,13 @@ accueil_route = {
'hosts' : [
'intranet2.crans.org',
'intranet.crans.org',
],
},
'138.231.136.18' : {
'tcp' : [
'80',
'443',
],
'hosts' : [
'cas.crans.org',
'login.crans.org',
'auth.crans.org',
'wifi.crans.org',
'ftps.crans.org',
'www.crans.org',
'wiki.crans.org',
],
},
'213.154.225.236' : {
......
......@@ -59,6 +59,7 @@ zones_direct = [
'clubs.ens-cachan.fr',
'adm.crans.org',
'crans.eu',
'crans.fr',
'wifi.crans.eu',
'tv.crans.org',
'ap.crans.org',
......@@ -84,6 +85,7 @@ zones_dnssec = [
zone_alias = {
'crans.org' : [
'crans.eu',
'crans.fr',
],
}
......
......@@ -17,7 +17,7 @@ decouvert = 0.
## Variables de prix (tout est exprimé en centimes)
#: Coût de l'imprimante
#: Coût de l'imprimante rabbatu sur 600k impressions
#:
#: Donc ammortissement
amm = 2.16
......
config_template = """# This is an example of the kind of things you can do in a configuration file.
# All flags used by the client can be configured here. Run Let's Encrypt with
# "--help" to learn more about the available options.
# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096
# Always use the staging/testing server
# server = https://acme-staging.api.letsencrypt.org/directory
# server = https://acme-v01.api.letsencrypt.org/directory
# Uncomment and update to register with the specified e-mail address
email = root@crans.org
# Uncomment to use a text interface instead of ncurses
text = True
# Uncomment to use the standalone authenticator on port 443
# authenticator = standalone
# standalone-supported-challenges = tls-sni-01
# Uncomment to use the webroot authenticator. Replace webroot-path with the
# path to the public_html / webroot folder being served by your web server.
authenticator = %(authenticator)s
webroot-path = /usr/share/nginx/html/
standalone-supported-challenges = http-01
domains = %(domains)s
"""
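Review bot: `webroot-path = /usr/share/nginx/html/` and `standalone-supported-challenges = http-01` are emitted unconditionally while `authenticator = %(authenticator)s` is substituted, so whichever authenticator is not selected leaves a dead or contradictory option in every generated file; either make those two lines part of the substitution as well or document in the template header which options apply to which authenticator. The comments `# Uncomment to use a text interface instead of ncurses` and `# Uncomment and update to register with the specified e-mail address` were carried over from the example file and no longer describe the lines below them, which are already active; reword them, e.g. `# Non-interactive text UI (the generated file is never edited by hand)` and `# Registration / expiry-notice address`. The two `# server =` lines are commented out, so the client's default endpoint is used; if that is intentional a one-line comment saying so would spare the next reader checking.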
......@@ -6,10 +6,98 @@
#### Conf nginx des proxy gérées à la main
non_sites_auto = [u"discourse.crans.org", u"impression.crans.org", u"factures.crans.org", u"accounts.crans.org", u"intranet2.crans.org"]
non_sites_auto = {
u"discourse.crans.org",
}
max_upload = {
u"intranet.crans.org" : "160M",
u"owncloud.crans.org" : "10G",
}
#: Redirection "host": "url"
sites_redirect = {
"impression.crans.org": "https://intranet.crans.org/impressions",
"factures.crans.org": "https://intranet.crans.org/factures",
"accounts.crans.org": "https://intranet.crans.org/compte",
"intranet2.crans.org": "https://intranet.crans.org",
"autostatus.crans.org": "https://www.crans.org/CransNounous/AutoStatus",
"wikipedia.crans.org": "https://wiki.crans.org",
"crans.org": "https://www.crans.org",
"install-party.ens-cachan.fr": "https://install-party.crans.org",
"www.install-party.ens-cachan.fr": "https://install-party.crans.org",
"adopteunpingouin.crans.org": "https://install-party.crans.org",
"i-p.crans.org": "https://install-party.crans.org",
"hostnames-a-m.crans.org": "https://proxy.crans.org",
"hostnames-n-z.crans.org": "https://proxy.crans.org",
"task.crans.org": "https://phabricator.crans.org",
}
def server_name_to_cert_name(serveur):
"""
A un nom de domain, on associe le certificat correspondant.
Retourne None si le certificat n'est pas trouvé.
"""
if serveur.endswith(".ens-cachan.fr") or serveur == "ens-cachan.fr":
return "crans.ens-cachan.fr"
elif serveur.endswith(".crans.org") or serveur == "crans.org":
if serveur[0] <= 'm' and serveur != "hostnames-n-z.crans.org":
return "hostnames-a-m.crans.org"
else:
return "hostnames-n-z.crans.org"
elif serveur.endswith(".crans.fr") or serveur == "crans.fr":
if serveur[0] <= 'm' and serveur != "hostnames-n-z.crans.fr":
return "hostnames-a-m.crans.fr"
else:
return "hostnames-n-z.crans.fr"
elif serveur.endswith(".crans.eu") or serveur == "crans.eu":
if serveur[0] <= 'm' and serveur != "hostnames-n-z.crans.eu":
return "hostnames-a-m.crans.eu"
else:
return "hostnames-n-z.crans.eu"
site_template = """server {
server_name %(serveur)s;
include "snippets/proxy-common.conf";
return 302 https://$host$request_uri;
}
server {
include "snippets/proxy-common-ssl.conf";
server_name %(serveur)s;
ssl_certificate /etc/letsencrypt/live/%(cert_name)s/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/%(cert_name)s/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/%(cert_name)s/chain.pem;
%(max_body_size)s
location / {
proxy_redirect off;
proxy_pass http://%(proxy_pass)s;
proxy_set_header Host %(serveur)s;
proxy_set_header P-Real-IP $remote_addr;
}
}
"""
site_redirect_template = """server {
server_name %(serveur)s;
include "snippets/proxy-common.conf";
return 302 %(redirect)s$request_uri;
}
server {
include "snippets/proxy-common-ssl.conf";
server_name %(serveur)s;
ssl_certificate /etc/letsencrypt/live/%(cert_name)s/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/%(cert_name)s/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/%(cert_name)s/chain.pem;
return 302 %(redirect)s$request_uri;
}
"""
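Review bot: In `site_template` the upstream receives the client address via `proxy_set_header P-Real-IP $remote_addr;`; the header backends and their logging or rate limiting conventionally read is `X-Real-IP`, so this looks like a typo that silently strips the client IP from every proxied request — `proxy_set_header X-Real-IP $remote_addr;`. `server_name_to_cert_name` repeats the same a-m/n-z split three times for `.crans.org`, `.crans.fr` and `.crans.eu`; iterating over the three suffixes (or a dict mapping suffix to certificate base) would keep the bucketing rule in one place and make the implicit `None` fall-through explicit with a final `return None`. Note also that `serveur[0] <= 'm'` puts names starting with a digit or an uppercase letter in the a-m bucket; confirm that matches the SAN lists of those certificates, and say so in the docstring.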
......@@ -6,7 +6,7 @@ SAP_MCAST_PORT = 9875
SAP_FILE_TXT = "/usr/scripts/var/tv/sap.txt"
SAP_FILE_PIC = "/usr/scripts/var/tv/sap.pickel"
BASE_IMAGE_URL = "http://tv.crans.org/images/"
BASE_IMAGE_URL = "https://tv.crans.org/images/"
IMAGE_SUFFIX = ".jpg"
SMALL_IMAGE_SUFFIX = "_petites.jpg"
......@@ -27,8 +27,8 @@ hostname = gethostname().split(".")[0]
class dydhcp:
def __init__(self, server):
self.dhcp_omapi_keyname = secrets.get('dhcp_omapi_keyname')
self.dhcp_omapi_key = secrets.get('dhcp_omapi_keys')[server]
self.dhcp_omapi_keyname = str(secrets.get('dhcp_omapi_keyname'))
self.dhcp_omapi_key = str(secrets.get('dhcp_omapi_keys')[server])
self.server = server.lower()
def add_host(self, ip, mac,name=None):
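Review bot: Wrapping the secrets in `str()` hides a missing entry: if `secrets.get('dhcp_omapi_keyname')` returns None for an absent key (it reads like a dict-style get), the OMAPI key name becomes the literal string `'None'` instead of failing at construction, and on Python 2 (the `print` statements elsewhere in this commit) `str()` of a non-ASCII unicode value raises UnicodeEncodeError. Read the value, reject None explicitly, then convert: `keyname = secrets.get('dhcp_omapi_keyname')` / `if keyname is None: raise ValueError("dhcp_omapi_keyname missing from secrets")` / `self.dhcp_omapi_keyname = str(keyname)`, and the same for the per-server key. If the conversion exists because the OMAPI binding requires a byte string, a comment such as `# the OMAPI binding needs str, not unicode -- [confirm]` would record why. The rest of the class is outside the hunk.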
......
......@@ -27,6 +27,7 @@ class firewall(base.firewall_routeur):
'limitation_debit' : self.limitation_debit,
'limit_ssh_connexion' : self.limit_ssh_connexion,
'tunnel_6in4' : self.tunnel_6in4,
'challenge_letsencrypt': self.challenge_letsencrypt,
})
self.use_ipset.extend([self.blacklist_soft, self.blacklist_upload, self.reseaux_non_routable])
......@@ -43,7 +44,7 @@ class firewall(base.firewall_routeur):
})
# Portail captif/blacklist soft: ipset des gens ayant cliqué pour continuer à naviguer
self.ipset['confirmation'] = base.Ipset("CONFIRMATION", "hash:ip", "")
self.ipset['confirmation'] = base.Ipset("CONFIRMATION", "hash:ip", "timeout 3600")
# Ouvertures de ports temporaires
self.ipset['ip_port_tmp'] = base.Ipset("IP-PORT-TMP", "hash:ip,port", "timeout 3600")
......@@ -130,6 +131,7 @@ class firewall(base.firewall_routeur):
chain = 'PREROUTING'
self.add(table, chain, '-j %s' % self.ssh_on_https(table))
self.add(table, chain, '-j %s' % self.challenge_letsencrypt(table))
self.add(table, chain, '-j %s' % self.connexion_secours(table))
self.add(table, chain, '-j %s' % self.blacklist_soft(table))
self.add(table, chain, '-j %s' % self.blacklist_hard(table))
......@@ -284,6 +286,26 @@ class firewall(base.firewall_routeur):
self.apply(table, chain)
return chain
def challenge_letsencrypt(self, table=None, apply=False):
"""PNAT des request de challenge letsencrypt vers bakdaur ou frontdaurk"""
chain = "CHALLENGE-LESENCRYPT"
if table == 'nat':
pretty_print(table, chain)
bakdaur = self.conn.search(u"host=bakdaur.crans.org")[0]
frontdaur = self.conn.search(u"host=frontdaur.crans.org")[0]
self.add(table, chain, '-m condition ! --condition challenge-letsencrypt -j RETURN')
for net in (base.config.NETs['serveurs'] + base.config.NETs['wifi-serveurs']):
self.add(table, chain, '-p tcp -d %s --dport 80 -m condition --condition challenge-letsencrypt-bakdaur -j DNAT --to-destination %s:81' % (net, bakdaur['ipHostNumber'][0]))
self.add(table, chain, '-p tcp -d %s --dport 80 -m condition ! --condition challenge-letsencrypt-bakdaur -j DNAT --to-destination %s:81' % (net, frontdaur['ipHostNumber'][0]))
print OK
if apply:
self.apply(table, chain)
return chain
def connexion_appartement(self, table=None, apply=False):
"""PNAT les appartements derrière appartement.crans.org"""
chain = 'CONNEXION-APPARTEMENT'
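Review bot: `challenge_letsencrypt` indexes `self.conn.search(u"host=bakdaur.crans.org")[0]` and the `frontdaur` lookup the same way without checking the result, so an empty LDAP answer surfaces as a bare IndexError in the middle of rule generation instead of a message naming the missing host; test the result and fail explicitly, as the `len(res) == 0` check elsewhere in this commit does. The chain name `"CHALLENGE-LESENCRYPT"` drops a letter — `"CHALLENGE-LETSENCRYPT"` would line up with the `challenge-letsencrypt` condition names used in the rules. The docstring should also state that while the `challenge-letsencrypt` condition is set the rules divert all TCP/80 traffic to every address in `NETs['serveurs']` and `NETs['wifi-serveurs']` to port 81 of bakdaur or frontdaur, not only ACME requests (there is no path selector at this layer), and that the condition therefore has to be cleared again once renewal is done. The method is complete within the hunk; the enclosing class continues outside it.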
......
......@@ -16,26 +16,17 @@ WGETOPT="-4"
OWN_IP="$1"
/etc/init.d/nfs-kernel-server stop
# Définitions spécifiques au Sys Rescue CD
SYSRCCD_ARCHS=""
SYSRCCD_FTP="http://ftp.crans.org/pub/distributions/linux/systemrescuecd"
# Définitions spécifiques à Debian
DEBIAN_DISTS="squeeze wheezy jessie"
DEBIAN_DISTS="wheezy jessie"
DEBIAN_ARCHS="i386 amd64"
DEBIAN_FTP="ftp://ftp.crans.org/debian/dists"
#Image debian custom avec plus de drivers : http://kmuto.jp/debian/d-i/
DEBIAN_BACKPORT_DISTS=""
DEBIAN_BACKPORT_ARCHS="i386 amd64"
DEBIAN_BACKPORT_FTP="ftp://cdimage.debian.org/cdimage/unofficial/backports/"
# Définitions spécifiques à Ubuntu
UBUNTU_DISTS="precise trusty vivid wily"
UBUNTU_DISTS="trusty vivid wily"
UBUNTU_ARCHS="i386 amd64"
UBUNTU_FTP="ftp://ftp.crans.org/ubuntu/dists"
UBUNTU_LIVE="12.04 14.04 15.04 15.10"
UBUNTU_LIVE="14.04 15.04 15.10"
# il faut modifier le nfs (ajouter la sortie de export_ubuntu_live
# à /etc/exports) et mettre les images dans $ISODIR/ubuntu/ puis
# les monter dans $TFTPROOT/livecd/ubuntu/$dist-$arch avec
......@@ -45,11 +36,6 @@ UBUNTU_LIVE="12.04 14.04 15.04 15.10"
UBUNTU_LIVE_TYPE="ubuntu xubuntu kubuntu"
UBUNTU_LIVE_ARCHS="i386 amd64"
# Définitions spécifiques à Mandriva
MANDRIVA_DISTS=""
MANDRIVA_ARCHS="i586 x86_64"
MANDRIVA_FTP="ftp://ftp.free.fr/mirrors/ftp.mandriva.com/MandrivaLinux/official"
# Définitions spécifiques à CentOS
CENTOS_DISTS="6.5 6.6"
CENTOS_ARCHS="i386 x86_64"
......@@ -59,23 +45,3 @@ CENTOS_FTP="ftp://mirror.in2p3.fr/pub/linux/CentOS"
FEDORA_DISTS="23"
FEDORA_ARCHS="i386 x86_64"
FEDORA_FTP="ftp://ftp.free.fr/mirrors/fedora.redhat.com/fedora/linux/"
#
## Définitions spécifiques à OpenSuse
#OPENSUSE_DISTS="12.2 12.3 13.1 13.2"
#OPENSUSE_ARCHS="i386 x86_64"
#OPENSUSE_FTP="ftp://ftp.free.fr/mirrors/ftp.opensuse.org/opensuse/distribution/"
# Définitions spécifiques à FreeBSD
FREEBSD_DISTS=""
FREEBSD_ARCHS="i386 amd64"
FREEBSD_FTP="ftp://ftp.fr.freebsd.org/pub/FreeBSD/"
# Définition spécifiques à NetBSD
#~ NETBSD_DIST="5.1 6.0"
#~ NETBSD_ARCHS="i386 amd64"
#~ NETBSD_FTP="ftp://iso.fr.netbsd.org/pub/NetBSD"
# Définitions spécifiques à OpenBSD
OPENBSD_DIST=""
OPENBSD_ARCHS="i386 amd64"
OPENBSD_FTP="ftp://ftp.crans.org/pub/OpenBSD"
#!/bin/bash
mount charybde.adm:/var/lib/tftpboot/ /var/lib/tftpboot/
for i in /var/lib/tftpboot/livecd/ubuntu/*; do mount charybde:$i $i; done
/etc/init.d/tftpd-hpa restart
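Review bot: The loop `for i in /var/lib/tftpboot/livecd/ubuntu/*; do mount charybde:$i $i; done` expands `$i` unquoted and, if the first mount did not populate the directory, the glob stays literal and a mount of `.../ubuntu/*` is attempted; add `shopt -s nullglob` (or test `[ -d "$i" ]`) and quote, `mount "charybde:$i" "$i"`. The two mounts name the server differently (`charybde.adm` vs `charybde`); if both are meant to go over the admin interface, make them consistent. No failure is checked, so `tftpd-hpa` is restarted even when nothing was mounted; `set -e` at the top, or `|| exit 1` on the mounts, keeps the daemon from being restarted on an empty tree.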
......@@ -31,13 +31,15 @@ mkdir -vp $TMPDIR
#mkdir -vp $TFTPROOT/pxelinux.cfg
#
##############################################
#cp $SKELETON/pxelinux.0 $TFTPROOT/
# Copie des fichiers de base pour le PXE
cp -ra $SKELETON $TFTPROOT
#On redémarre de tftp
# On redémarre de tftp
/etc/init.d/tftpd-hpa restart
##############################################
# Génération du fichier de configuration PXELINUX pour BIOS
cat > $TFTPROOT/pxelinux.cfg/default << EOF
include /boot-screens/menu.cfg
default /boot-screens/vesamenu.c32
......@@ -70,40 +72,35 @@ label bootlocal
EOF
###########################
# sysrescuecd #
###########################
for arch in $SYSRCCD_ARCHS; do
mkdir -p $TFTPROOT/sysrescuecd/$arch/
wget $WGETOPT -c $SYSRCCD_FTP/image/isolinux/initram.igz -O $TFTPROOT/sysrescuecd/$arch/initram.igz
wget $WGETOPT -c $SYSRCCD_FTP/image/isolinux/rescue`echo $arch | sed -n 's/amd64/64/p'` -O $TFTPROOT/sysrescuecd/$arch/rescue
done
# Génération du fichier de configuration GRUB pour le PXE avec UEFI
if [[ $SYSRCCD_ARCHS != "" ]]; then
cat >> $TFTPROOT/boot-screens/menu.cfg << EOF
menu begin sysrescuecd
menu title Sysrescue Cd
label mainmenu
menu label ^Back..
menu exit
EOF
cat > $TFTPROOT/efi/grub.cfg << EOF
set default="0"
for arch in $SYSRCCD_ARCHS; do
cat >> $TFTPROOT/boot-screens/menu.cfg << EOF
label Sysrescuecd $arch
kernel sysrescuecd/$arch/rescue
append initrd=sysrescuecd/$arch/initram.igz dodhcp setkmap=fr boothttp=$SYSRCCD_HTTP/image/sysrcd.dat --
EOF
done
function load_video {
insmod efi_gop
insmod efi_uga
insmod ieee1275_fb
insmod vbe
insmod vga
insmod video_bochs
insmod video_cirrus
}
cat >> $TFTPROOT/boot-screens/menu.cfg << EOF
menu end
EOF
fi
###########################
# Fin sysrescuecd #
###########################
load_video
set gfxmode=auto
terminal_output gfxterm
insmod gzio
insmod part_gpt
insmod ext2
set timeout=-1
insmod font
loadfont /efi/unicode.pf2
set lang=fr_FR.UTF-8
EOF
###########################
# DEBIAN #
......@@ -131,6 +128,8 @@ for dist in $DEBIAN_DISTS; do
done
done
# Ajout des options PXE pour Debian (Legacy)
cat >> $TFTPROOT/boot-screens/menu.cfg << EOF
menu begin debian
menu title Debian
......@@ -219,83 +218,41 @@ done
cat >> $TFTPROOT/boot-screens/menu.cfg << EOF
menu end
EOF
###########################
# fin DEBIAN #
###########################
###########################
# DEBIAN BACKPORT #
###########################
# Ajout des options PXE pour Debian (UEFI)
#rm -r $TMPDIR/netboot-debian-backport-* || true;
for dist in $DEBIAN_BACKPORT_DISTS; do
for arch in $DEBIAN_BACKPORT_ARCHS; do
url=`wget $WGETOPT $DEBIAN_BACKPORT_FTP/$dist/ -O- | grep netboot | grep $arch | sort | tail -n 1 | sed 's/">/ /g;s/href="//;s@</a>@@' | awk '{print $6}'`
wget $WGETOPT -c $url -O $TMPDIR/netboot-debian-backport-$dist-$arch.tar.gz
mkdir -p $TMPDIR/netboot-debian-backport-$dist-$arch/
tar zxf $TMPDIR/netboot-debian-backport-$dist-$arch.tar.gz -C $TMPDIR/netboot-debian-backport-$dist-$arch/
mkdir -p $TFTPROOT/debian-backport-$dist/$arch
cp $TMPDIR/netboot-debian-backport-$dist-$arch/debian-installer/$arch/initrd.gz $TFTPROOT/debian-backport-$dist/$arch
cp $TMPDIR/netboot-debian-backport-$dist-$arch/debian-installer/$arch/linux $TFTPROOT/debian-backport-$dist/$arch
done
done
cat >> $TFTPROOT/efi/grub.cfg << EOF
if [[ $DEBIAN_BACKPORT_DISTS != "" ]]; then
cat >> $TFTPROOT/boot-screens/menu.cfg << EOF
menu begin debian-backport
menu title Debian Backport
label mainmenu
menu label ^Back..
menu exit
submenu 'Debian GNU/Linux --->' {
EOF
for dist in $DEBIAN_BACKPORT_DISTS; do
cat >> $TFTPROOT/boot-screens/menu.cfg << EOF
menu begin debian-backport-$dist
menu title Debian Backport $dist
label mainmenu
menu label ^Back..
menu exit
for dist in $DEBIAN_DISTS ; do
cat >> $TFTPROOT/efi/grub.cfg << EOF
submenu 'Debian $dist -->' {
EOF
for arch in $DEBIAN_BACKPORT_ARCHS; do
cat >> $TFTPROOT/boot-screens/menu.cfg << EOF
menu begin debian-backport-$dist-$arch
menu $arch
label mainmenu
menu label ^Back..
menu exit
DEFAULT install
LABEL install
kernel debian-backport-$dist/$arch/linux
append vga=normal initrd=debian-backport-$dist/$arch/initrd.gz --
LABEL expert
kernel debian-backport-$dist/$arch/linux
append priority=low vga=normal initrd=debian-backport-$dist/$arch/initrd.gz --
LABEL rescue
kernel debian-backport-$dist/$arch/linux
append vga=normal initrd=debian-backport-$dist/$arch/initrd.gz rescue/enable=true --
LABEL auto
kernel debian-backport-$dist/$arch/linux
append auto=true priority=critical vga=normal initrd=debian-backport-$dist/$arch/initrd.gz --
menu end
for arch in $DEBIAN_ARCHS ; do
cat >> $TFTPROOT/efi/grub.cfg << EOF
menuentry 'Debian $dist $arch' {
echo 'Chargement du noyau Linux ...'
linuxefi /debian-$dist/$arch/linux vmwgfx.enable_fbdev=1
echo 'Chargement du disque mémoire initial ...'
initrdefi /debian-$dist/$arch/initrd.gz
}
EOF
done
cat >> $TFTPROOT/boot-screens/menu.cfg << EOF
menu end
done
cat >> $TFTPROOT/efi/grub.cfg << EOF
}
EOF
done
cat >> $TFTPROOT/boot-screens/menu.cfg << EOF
menu end
cat >> $TFTPROOT/efi/grub.cfg << EOF
}
EOF
fi;
###########################
# fin DEBIAN BACKPORT #
# fin DEBIAN #
###########################
###########################
# UBUNTU #
###########################
......@@ -369,21 +326,6 @@ cat >> $TFTPROOT/boot-screens/menu.cfg << EOF
menu end
EOF
cat >> $TFTPROOT/boot-screens/menu.cfg << EOF
menu begin ubuntu
menu title Ubuntu
......@@ -432,73 +374,64 @@ done
cat >> $TFTPROOT/boot-screens/menu.cfg << EOF
menu end
EOF
###########################
# fin UBUNTU #
###########################
###########################
# Mandriva #
###########################
# Ajout des options PXE pour Ubuntu (UEFI)
cat >> $TFTPROOT/efi/grub.cfg << EOF
if [[ $MANDRIVA_DISTS != "" ]]; then
for dist in $MANDRIVA_DISTS; do
for arch in $MANDRIVA_ARCHS; do
mkdir -p $TFTPROOT/mandriva-$dist/$arch/
wget $WGETOPT -c $MANDRIVA_FTP/$dist/$arch/isolinux/alt0/all.rdz -O