From ec66d2bd14a2b4c534f7bae1de83da3f4fda46f9 Mon Sep 17 00:00:00 2001 From: pvincent Date: Sun, 5 May 2024 14:25:54 +0400 Subject: [PATCH] experimental service --- README.md | 7 +++ scripts/miaou | 52 +++++++++++++------ templates/monit/hosts.j2 | 8 +-- templates/nginx/snippets/banner_exp.conf | 65 ++++++++++++++++++++++++ 4 files changed, 112 insertions(+), 20 deletions(-) create mode 100644 templates/nginx/snippets/banner_exp.conf diff --git a/README.md b/README.md index 36e6677..2a030a4 100644 --- a/README.md +++ b/README.md @@ -72,3 +72,10 @@ Development mode * # requirement Codium IDE * sudo apt install y shellcheck shfmt +Different Targets + experimental +-------------------------------- + +* BETA: the 'exp' mode stands for experimental and allow bypassing the SMTP dropped connection limitation +* PROD: the 'exp' mode is not recommanded and triggers a warning issue +* DEV: the 'exp' mode is not recommanded and triggers a warning issue + diff --git a/scripts/miaou b/scripts/miaou index 710e837..a5f10a9 100755 --- a/scripts/miaou +++ b/scripts/miaou 
@@ -126,15 +126,35 @@ function expand_conf() { yqmi '.expanded.monitored.containers = ([ .services[] | to_entries | .[] | .value | select (.enabled == true ) | .container ] | unique)' # add monitored.hosts section - yqmi '.expanded.monitored.hosts = [( .services[][] | select (.enabled == true ) | {"domain": ( parent | key ), "subdomain": key, "fqdn": key + (parent | parent | parent | .expanded.fqdn_middlepart) + ( parent | key ), "container":.container, "port":.port, "app":.app })]' + # yqmi '.expanded.monitored.hosts = [( .services[][] | select (.enabled == true ) | {"domain": ( parent | key ), "subdomain": key, "fqdn": key + (parent | parent | parent | .expanded.fqdn_middlepart) + ( parent | key ), "container":.container, "port":.port, "app":.app })]' # add services section if [[ ${#services_app_only[@]} -gt 0 ]]; then - yqmi '.expanded.services = [( .services[][] | select (.enabled == true ) | {"domain": ( parent | key ), "subdomain": key, "fqdn": key + (parent | parent | parent | .expanded.fqdn_middlepart) + ( parent | key ), "container":.container, "port":.port, "app":.app, "name": .name // ""})]' + yqmi '.expanded.services = [( .services[][] | select (.enabled == true ) | {"domain": ( parent | key ), "subdomain": key, "fqdn": key + (parent | parent | parent | .expanded.fqdn_middlepart) + ( parent | key ), "container":.container, "port":.port, "app":.app, "name": .name // "", "exp": .exp // false })]' else yqmi '.expanded.services = []' fi + # change fqdn when exp:true found + readarray -t services < <(yqmt '.expanded.services[] | [ .[] ]') + index=0 + for i in "${services[@]}"; do + read -r -a item <<<"$i" + exp=${item[7]} + if [[ "$exp" == true ]]; then + domain=${item[0]} + subdomain=${item[1]} + fqdn=${item[2]} + if [[ $target != beta ]]; then + echowarn "experimental service <$subdomain.exp.$domain> not recommended for target <$target>" + else + echo "experimental service <$subdomain.exp.$domain> detected" + fi + yqmi ".expanded.services[$index].fqdn = 
\"$subdomain.exp.$domain\"" + fi + index=$((index + 1)) + done + # add firewall section, bridge_subnet + mail_passthrough if any bridge_subnet=$(lxc network get lxdbr0 ipv4.address) yqmi ".firewall.bridge_subnet = \"$bridge_subnet\"" @@ -188,13 +208,14 @@ function monit_show() { PREFIX="monit:show" : $PREFIX - readarray -t hosts < <(yqmt '.expanded.monitored.hosts[] | [ .container, .port, .fqdn, .app ]') - echo "=================" - echo "${#hosts[@]} available hosts" - echo "=================" + readarray -t services < <(yqmt '.expanded.services[] | [ .container, .port, .fqdn, .app ]') + echo "======================" + echo "${#services[@]} available services" + echo "======================" + + for service in "${services[@]}"; do + read -r -a item <<<"$service" - for host in "${hosts[@]}"; do - read -r -a item <<<"$host" container=${item[0]} port=${item[1]} fqdn=${item[2]} @@ -217,7 +238,7 @@ function build_monit() { # test whether monitored items actually run safely PREFIX="monit:build" echo -n "testing monitored hosts ..." - readarray -t hosts < <(yqmt '.expanded.monitored.hosts[] | [ .container, .port, .fqdn ]') + readarray -t hosts < <(yqmt '.expanded.services[] | [ .container, .port, .fqdn ]') for host in "${hosts[@]}"; do read -r -a item <<<"$host" container=${item[0]} @@ -225,18 +246,18 @@ function build_monit() { fqdn=${item[2]} if ! (lxc exec "$container" -- ss -tln | grep -q "\(0.0.0.0\|*\):$port"); then - echoerr + PREFIX='' echo echoerr "no HTTP server responds on <$container.lxd:$port>" echoerr "please review configuration for fqdn: $fqdn" exit 2 fi if ! curl_check_unsecure "https://$fqdn"; then - echoerr + PREFIX='' echo echoerr "DMZ does not seem to dispatch please review DMZ Nginx proxy" exit 3 elif [[ "$target" != 'dev' ]] && ! curl_check "https://$fqdn"; then - PREFIX="" echo + PREFIX='' echo echowarn "T=$target missing valid certificate for fqdn please review DMZ certbot" fi 
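Review bot: The new loop reads the flag by position, `exp=${item[7]}`, from a whitespace-split row produced by `[ .[] ]`, so it is coupled to the key order of the object built a few lines above and to no field containing whitespace or collapsing when empty (`name` defaults to `""`); a service whose `name` contains a space shifts every index and the `exp` flag is silently read from the wrong column. Selecting the fields by name removes both couplings: `readarray -t services < <(yqmt '.expanded.services[] | [ .domain, .subdomain, .exp ]')` with `domain=${item[0]}; subdomain=${item[1]}; exp=${item[2]}` (the `fqdn` local is assigned but never read and can go). Note also that for a non-`beta` target the branch only warns and then still rewrites the fqdn to `<subdomain>.exp.<domain>`; if the README's "not recommended" means the rewrite should not apply there, add a `continue` after `echowarn`, otherwise a comment stating that the warning is informational only would help. expand_conf starts before the hunk and continues after it.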
@@ -288,17 +309,17 @@ function build_nftables() { fi } -# check whether http server responds 200 OK, required , ie: http://example.com:8001, https://example.com +# check whether http server responds something, required , ie: http://example.com:8001, https://example.com function curl_check() { arg1_required "$@" # echo "curl $1" - curl -m $MAX_WAIT -sLI4 "$1" | grep -q "^HTTP.* 200" + curl -m $MAX_WAIT -sLI4 "$1" | grep -q "^HTTP.* [2|3|4].*" } # check whether https server responds 200 OK, even unsecured certificate (auto-signed in mode DEV) function curl_check_unsecure() { arg1_required "$@" - curl -m $MAX_WAIT -skLI4 "$1" | grep -q "^HTTP.* 200" + curl -m $MAX_WAIT -skLI4 "$1" | grep -q "^HTTP.* [2|3|4].*" } function get_dmz_ip() { @@ -478,6 +499,5 @@ if check_expand_conf; then build_routes build_monit else - build_routes monit_show fi diff --git a/templates/monit/hosts.j2 b/templates/monit/hosts.j2 index 49d40e2..ab025e5 100644 --- a/templates/monit/hosts.j2 +++ b/templates/monit/hosts.j2 @@ -1,6 +1,6 @@ -{% for host in expanded.monitored.hosts -%} -check host {{ host.container }}.{{ host.port }} with address {{ host.container }}.lxd - depends on {{ host.container }}.running - if failed port {{ host.port }} protocol http for 2 cycles then alert +{% for service in expanded.services -%} +check host {{ service.container }}.{{ service.port }} with address {{ service.container }}.lxd + depends on {{ service.container }}.running + if failed port {{ service.port }} protocol http for 2 cycles then alert {% endfor -%} \ No newline at end of file diff --git a/templates/nginx/snippets/banner_exp.conf b/templates/nginx/snippets/banner_exp.conf new file mode 100644 index 0000000..5ac9c95 --- /dev/null +++ b/templates/nginx/snippets/banner_exp.conf @@ -0,0 +1,65 @@ +proxy_set_header Accept-Encoding ""; + +subs_filter '' ' +
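Review bot: The relaxed status match `grep -q "^HTTP.* [2|3|4].*"` now treats any 4xx, including the 404/403 that a default or mis-routed vhost answers, as a live endpoint, so the `curl_check_unsecure` gate in build_monit ("DMZ does not seem to dispatch") can no longer distinguish a proxied service from an unrouted name; inside the bracket expression `|` is a literal character rather than an alternation, and the pattern only inspects the first digit after a space anywhere in the header dump. If redirects are the goal, keep it explicit and narrow, `grep -qE '^HTTP/[0-9.]+ [23][0-9]{2}'`, and if 4xx was added because some upstream answers 405 to the HEAD sent by `-I`, the cleaner fix is a GET that only reports the final code, `[[ $(curl -m "$MAX_WAIT" -sL4 -o /dev/null -w '%{http_code}' "$1") =~ ^[23] ]]`, which also avoids matching an intermediate 3xx hop when `-L` follows to a 5xx. Either way the header comments still read "responds 200 OK" / "responds something" and should state the accepted range and why. Both curl_check functions are complete within the hunk; build_nftables is cut at its start.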
+
EXP
+
+ + + +';