Initial commit

2026-05-08 16:43:16 +08:00 · 2026-05-08 16:43:16 +08:00 · 8503b9794b
commit 8503b9794b
10 changed files with 921 additions and 0 deletions
--- a/cloud-init.yaml
+++ b/cloud-init.yaml
@ -0,0 +1,129 @@
+#cloud-config
+users:
+  - default
+package_update: true
+
+packages:
+  - ca-certificates
+  - cron
+  - docker.io
+  - jq
+  - restic
+  - syslog-ng
+  - watchdog
+
+write_files:
+  - content: |
+      {
+        #acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
+      }
+
+      sondages.cours-de-latin.com {
+        reverse_proxy heyform:9157 {
+          flush_interval -1
+        }
+      }
+    path: /etc/caddy/Caddyfile
+  - content: |
+      #!/bin/sh
+      export AWS_ACCESS_KEY_ID=$(cloud-init query ds.metadata.RESTIC_AWS_ACCESS_KEY_ID)
+      export AWS_SECRET_ACCESS_KEY=$(cloud-init query ds.metadata.RESTIC_AWS_SECRET_ACCESS_KEY)
+
+      export RESTIC_REPOSITORY=$(cloud-init query ds.metadata.RESTIC_REPOSITORY)
+      export RESTIC_PASSWORD=$(cloud-init query ds.metadata.RESTIC_PASSWORD)
+      export RESTIC_COMPRESSION=max
+
+      export $(docker exec mongo env | grep MONGO_INIT)
+
+      mkdir -p /var/backups/mongodb
+
+      docker exec mongo mongodump --username root --password "$MONGO_INITDB_ROOT_PASSWORD" --out /var/backups/mongodb/
+
+      restic backup /var/backups/mongodb /var/lib/heyform
+    path: /etc/cron.daily/backup_mongodb
+    permissions: 0o755
+  - content: |
+      #!/bin/sh
+      docker inspect caddy > /dev/null && {
+        docker pull caddy:latest
+        docker stop caddy
+        docker rm caddy
+      }
+
+      docker run -d --restart unless-stopped --network local \
+        -v /etc/caddy:/etc/caddy \
+        -v /var/lib/caddy:/data/caddy \
+        -p 80:80 -p 443:443 \
+        --log-driver syslog --log-opt "syslog-address=unixgram:///dev/log" --log-opt syslog-facility=daemon --log-opt tag=caddy \
+        --name caddy \
+        caddy:latest
+    path: /root/launch_caddy.sh
+    permissions: 0o755
+  - content: |
+      #!/bin/sh
+      export SMTP_USER=$(cloud-init query ds.metadata.SMTP_USER)
+      export SMTP_PASSWORD=$(cloud-init query ds.metadata.SMTP_PASSWORD)
+      export SESSION_KEY=$(cloud-init query ds.metadata.SESSION_KEY)
+      export FORM_ENCRYPTION_KEY=$(cloud-init query ds.metadata.FORM_ENCRYPTION_KEY)
+      export OPENAI_API_KEY=$(cloud-init query ds.metadata.SENSUS_API_KEY)
+
+      docker inspect heyform > /dev/null && {
+        MONGO_PASSWORD=$(docker inspect -f "{{ json .Config.Env }}" heyform | jq -r '.[] | select(startswith("MONGO_PASSWORD="))' | cut -d = -f 2-)
+
+        docker pull heyform/community-edition:latest
+        docker stop heyform
+        docker rm heyform
+      }
+
+      docker run -d --restart unless-stopped --network local \
+        -v /var/lib/heyform/upload:/app/static/upload \
+        -e APP_HOMEPAGE_URL=https://sondages.cours-de-latin.com \
+        -e SESSION_KEY -e FORM_ENCRYPTION_KEY \
+        -e MONGO_URI="mongodb://mongo:27017/heyform?authSource=admin" \
+        -e MONGO_USER=root -e MONGO_PASSWORD \
+        -e REDIS_HOST=keydb -e REDIS_PORT=6379 \
+        -e OPENAI_BASE_URL=https://sensus.p0m.fr/v1 -e OPENAI_API_KEY -e OPENAI_GPT_MODEL=ibm-granite_granite-4.0-h-micro \
+        -e SMTP_HOST=djehouty.pomail.fr -e SMTP_PORT=465 -e SMTP_SECURE=true -e SMTP_FROM="Heyform <contact+heyform@cours-de-latin.com>" -e SMTP_USER -e SMTP_PASSWORD \
+        -e GENERIC_TIMEZONE="Europe/Paris" -e TZ="Europe/Paris" \
+        --log-driver syslog --log-opt "syslog-address=unixgram:///dev/log" --log-opt syslog-facility=daemon --log-opt tag=heyform \
+        --name heyform --pull always \
+        heyform/community-edition:latest
+    path: /root/launch_heyform.sh
+    permissions: 0o755
+
+runcmd:
+  # Allow traffic in IPv4
+  - sed -i '/-A INPUT -j REJECT/i-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT\n-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT' /etc/iptables/rules.v4
+  - iptables -I INPUT 5 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
+  - iptables -I INPUT 5 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+
+  # Retrieve last backups
+  - export AWS_ACCESS_KEY_ID=$(cloud-init query ds.metadata.RESTIC_AWS_ACCESS_KEY_ID)
+  - export AWS_SECRET_ACCESS_KEY=$(cloud-init query ds.metadata.RESTIC_AWS_SECRET_ACCESS_KEY)
+  - export RESTIC_REPOSITORY=$(cloud-init query ds.metadata.RESTIC_REPOSITORY)
+  - export RESTIC_PASSWORD=$(cloud-init query ds.metadata.RESTIC_PASSWORD)
+  - mkdir -p /var/backups/mongodb /var/lib/heyform
+  - restic restore latest --target / --include /var/backups/mongodb
+  - restic restore latest --target / --include /var/lib/heyform
+
+  # Create docker network
+  - docker network create local
+
+  # Launch database
+  # Generate database password
+  - export MONGO_PASSWORD=$(openssl rand -base64 30)
+
+  # Launch database
+  - docker run -d --restart always --network local -v /var/backups/mongodb/:/var/backups/mongodb/ -v /var/lib/mongodb:/data/db -e MONGO_INITDB_ROOT_USERNAME=root -e MONGO_INITDB_ROOT_PASSWORD="${MONGO_PASSWORD}" --log-driver syslog --log-opt "syslog-address=unixgram:///dev/log" --log-opt syslog-facility=daemon --log-opt tag=mongo --pull always --name mongo mongo:4.4
+
+  - docker run -d --restart always --network local -v /var/backups/keydb/:/var/backups/keydb/ -v /var/lib/keydb:/data --log-driver syslog --log-opt "syslog-address=unixgram:///dev/log" --log-opt syslog-facility=daemon --log-opt tag=keydb --pull always --name keydb eqalpha/keydb:latest keydb-server --appendonly yes
+
+  # Launch web server
+  - /root/launch_caddy.sh
+
+  # Restore database
+  - sleep 10
+  - docker exec mongo mongorestore --username root --password "$MONGO_PASSWORD" /var/backups/mongodb/
+
+  # Launch main container
+  - /root/launch_heyform.sh