2021-11-16 21:06:50 +01:00
|
|
|
## Machine virtuelle GESTION
|
2021-10-03 13:54:35 +02:00
|
|
|
|
|
|
|
Cette machine est destinée à accueillir le logiciel de comptabilité et gestion des membres de l'association.
|
|
|
|
|
|
|
|
### Matériel virtuel
|
|
|
|
|
2021-10-12 22:38:08 +02:00
|
|
|
CPU : 4
|
|
|
|
RAM : 3000 Mio
|
2021-10-03 13:54:35 +02:00
|
|
|
Stockage de masse : 50 Gio
|
|
|
|
|
|
|
|
### Logiciel
|
|
|
|
|
|
|
|
Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
|
|
|
|
Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
|
|
|
|
Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen`
|
|
|
|
Compta et gestion des membres : `garradin`
|
|
|
|
Mail Transfer Agent : `postfix`
|
|
|
|
|
|
|
|
### Caractéristiques notables
|
|
|
|
|
|
|
|
Domaine : gestion.a-lec.org
|
|
|
|
Adresse ipv4 publique : 80.67.179.96
|
2021-11-16 19:39:34 +01:00
|
|
|
Adresse ipv4 interne : 192.169.1.236
|
|
|
|
Adresse ipv6 publique : 2001:910:1360::1ab
|
2021-11-16 19:02:04 +01:00
|
|
|
|
|
|
|
#### Configuration réseau
|
|
|
|
|
|
|
|
##### /etc/network/interfaces
|
|
|
|
|
|
|
|
# The primary network interface
|
|
|
|
allow-hotplug enp1s0
|
|
|
|
iface enp1s0 inet dhcp
|
|
|
|
iface enp1s0 inet6 static
|
|
|
|
address 2001:910:1360::1ab/128
|
|
|
|
gateway 2001:910:1360::
|
2021-11-16 19:32:55 +01:00
|
|
|
|
|
|
|
##### /etc/host.allow
|
|
|
|
|
|
|
|
sshd: 192.169.1.0/24, [2001:910:1360::]/48
|
|
|
|
|
|
|
|
##### /etc/host/deny
|
|
|
|
|
|
|
|
sshd: ALL
|
2021-11-16 19:49:02 +01:00
|
|
|
|
|
|
|
### Configuration MTA
|
|
|
|
|
|
|
|
#### /etc/postfix/transport
|
|
|
|
|
|
|
|
a-lec.org :
|
|
|
|
* discard:
|
|
|
|
|
|
|
|
#### /etc/postfix/virtual
|
|
|
|
|
|
|
|
@localhost admin@a-lec.org
|
|
|
|
@gestion.a-lec.org admin@a-lec.org
|
2021-11-16 21:06:50 +01:00
|
|
|
|
|
|
|
### Configuration serveur web (nginx)
|
|
|
|
|
|
|
|
server {
|
|
|
|
server_name coffre.a-lec.org;
|
|
|
|
|
|
|
|
set_real_ip_from 192.169.1.1;
|
|
|
|
real_ip_header proxy_protocol;
|
|
|
|
|
|
|
|
# Allow large attachments
|
|
|
|
client_max_body_size 128M;
|
|
|
|
|
|
|
|
location / {
|
|
|
|
proxy_pass http://127.0.0.1:8000;
|
|
|
|
proxy_set_header Host $host;
|
|
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
}
|
|
|
|
|
|
|
|
location /notifications/hub {
|
|
|
|
proxy_pass http://127.0.0.1:3012;
|
|
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
|
|
proxy_set_header Connection "upgrade";
|
|
|
|
}
|
|
|
|
|
|
|
|
location /notifications/hub/negotiate {
|
|
|
|
proxy_pass http://127.0.0.1:8000;
|
|
|
|
}
|
|
|
|
|
|
|
|
listen 443 ssl http2 proxy_protocol; # managed by Certbot
|
|
|
|
listen [::]:443 ssl http2; # managed by Certbot
|
|
|
|
ssl_certificate /etc/letsencrypt/live/coffre.a-lec.org/fullchain.pem; # managed by Certbot
|
|
|
|
ssl_certificate_key /etc/letsencrypt/live/coffre.a-lec.org/privkey.pem; # managed by Certbot
|
|
|
|
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
|
|
|
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
server {
|
|
|
|
if ($host = coffre.a-lec.org) {
|
|
|
|
return 302 https://$host$request_uri;
|
|
|
|
} # managed by Certbot
|
|
|
|
|
|
|
|
server_name coffre.a-lec.org;
|
|
|
|
|
|
|
|
listen 80;
|
|
|
|
return 404; # managed by Certbot
|
|
|
|
}
|
|
|
|
|
|
|
|
server {
|
|
|
|
|
|
|
|
root /usr/share/garradin/www; # Remplacer par le chemin adéquat vers le dossier public de garradin (ici c'est le défaut du paquet Debian)
|
|
|
|
|
|
|
|
server_name gestion.a-lec.org; # Remplacer par votre nom de domaine
|
|
|
|
|
|
|
|
set_real_ip_from 192.169.1.1;
|
|
|
|
real_ip_header proxy_protocol;
|
|
|
|
|
|
|
|
location / {
|
|
|
|
try_files $uri $uri/ /_route.php?$query_string;
|
|
|
|
index index.php /_route.php;
|
|
|
|
}
|
|
|
|
|
|
|
|
location ~ \.php {
|
|
|
|
try_files $uri $uri/ /_route.php?$query_string;
|
|
|
|
include fastcgi.conf;
|
|
|
|
#fastcgi_pass 127.0.0.1:9000; # Si vous utilisez PHP-FPM (ou autre) en mode TCP et non sur une socket
|
|
|
|
fastcgi_pass unix:/var/run/php/php7.4-garradin.sock; # Si vous utilisez PHP-FPM en mode socket
|
|
|
|
}
|
|
|
|
|
|
|
|
listen 443 ssl proxy_protocol; # managed by Certbot
|
|
|
|
listen [::]:443 ssl;
|
|
|
|
ssl_certificate /etc/letsencrypt/live/gestion.a-lec.org/fullchain.pem; # managed by Certbot
|
|
|
|
ssl_certificate_key /etc/letsencrypt/live/gestion.a-lec.org/privkey.pem; # managed by Certbot
|
|
|
|
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
|
|
|
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
server {
|
|
|
|
if ($host = gestion.a-lec.org) {
|
|
|
|
return 302 https://$host$request_uri;
|
|
|
|
} # managed by Certbot
|
|
|
|
|
|
|
|
listen 80;
|
|
|
|
listen [::]:80;
|
|
|
|
|
|
|
|
server_name gestion.a-lec.org;
|
|
|
|
return 404; # managed by Certbot
|
|
|
|
}
|