update
parent
43208f0968
commit
0cab627154
118 changed files with 673 additions and 519 deletions
|
@ -31,6 +31,7 @@
|
|||
<fill name="get_chain">
|
||||
<param name="authority_cn" type="variable">revprox_client_server_domainname</param>
|
||||
<param name="authority_name">InternalReverseProxy</param>
|
||||
<param name="hide" type="variable">hide_secret</param>
|
||||
<target>server_ca</target>
|
||||
</fill>
|
||||
</constraints>
|
||||
|
|
|
@ -1 +1 @@
|
|||
%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name="InternalReverseProxy")
|
||||
%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name="InternalReverseProxy", hide=%%hide_secret)
|
||||
|
|
|
@ -1 +1 @@
|
|||
%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name="InternalReverseProxy")
|
||||
%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name="InternalReverseProxy", hide=%%hide_secret)
|
||||
|
|
|
@ -6,10 +6,8 @@
|
|||
</service>
|
||||
</services>
|
||||
<variables>
|
||||
<family name="general">
|
||||
<variable name="os_version" type="string" description="OS Version" hidden="True">
|
||||
<variable name="os_version" type="string" description="Version de l'OS" hidden="True">
|
||||
<value>bullseye</value>
|
||||
</variable>
|
||||
</family>
|
||||
</variables>
|
||||
</rougail>
|
||||
|
|
|
@ -1,26 +0,0 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<rougail version="0.10">
|
||||
<services>
|
||||
<service name="debian" manage="False">
|
||||
<file engine="none" source="tmpfile-tmp.conf">/tmpfiles.d/0tmp.conf</file>
|
||||
<file engine="none">/etc/default/locale</file>
|
||||
</service>
|
||||
<service name="update-ca-certificates" engine="creole" target="multi-user"/>
|
||||
</services>
|
||||
<variables>
|
||||
<family name="general">
|
||||
<variable name="os_name" type="string" description="OS name" hidden="True">
|
||||
<value>Debian</value>
|
||||
</variable>
|
||||
<variable name="tls_ca_directory" type="filename" description="Directory where CA are stored" hidden="True">
|
||||
<value>/etc/ssl-localca</value>
|
||||
</variable>
|
||||
<variable name="tls_cert_directory" type="filename" description="Directory where certificates are stored" hidden="True">
|
||||
<value>/etc/ssl/certs</value>
|
||||
</variable>
|
||||
<variable name="tls_key_directory" type="filename" description="Directory where private keys are stored" hidden="True">
|
||||
<value>/etc/ssl/private</value>
|
||||
</variable>
|
||||
</family>
|
||||
</variables>
|
||||
</rougail>
|
|
@ -0,0 +1,15 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<rougail version="0.10">
|
||||
<services>
|
||||
<service name="debian" manage="False">
|
||||
<file engine="none" source="tmpfile-tmp.conf">/tmpfiles.d/0tmp.conf</file>
|
||||
<file engine="none">/etc/default/locale</file>
|
||||
</service>
|
||||
</services>
|
||||
<variables>
|
||||
<variable name="os_name" type="string" description="Nom de l'OS" hidden="True">
|
||||
<value>Debian</value>
|
||||
</variable>
|
||||
</variables>
|
||||
</rougail>
|
||||
|
|
@ -0,0 +1,17 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<rougail version="0.10">
|
||||
<services>
|
||||
<service name="update-ca-certificates" engine="creole" target="multi-user"/>
|
||||
</services>
|
||||
<variables>
|
||||
<variable name="tls_ca_directory" type="filename" description="Répertoire des autorités de certification" hidden="True">
|
||||
<value>/etc/ssl-localca</value>
|
||||
</variable>
|
||||
<variable name="tls_cert_directory" type="filename" description="Répertoire des certificats" hidden="True">
|
||||
<value>/etc/ssl/certs</value>
|
||||
</variable>
|
||||
<variable name="tls_key_directory" type="filename" description="Répertoire des clefs privés" hidden="True">
|
||||
<value>/etc/ssl/private</value>
|
||||
</variable>
|
||||
</variables>
|
||||
</rougail>
|
|
@ -1,10 +0,0 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<rougail version="0.10">
|
||||
<variables>
|
||||
<family name="general">
|
||||
<variable name="os_version" type="string" description="OS Version" hidden="True">
|
||||
<value>35</value>
|
||||
</variable>
|
||||
</family>
|
||||
</variables>
|
||||
</rougail>
|
|
@ -0,0 +1,8 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<rougail version="0.10">
|
||||
<variables>
|
||||
<variable name="os_version" type="string" description="Version de l'OS" hidden="True">
|
||||
<value>35</value>
|
||||
</variable>
|
||||
</variables>
|
||||
</rougail>
|
|
@ -1,10 +0,0 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<rougail version="0.10">
|
||||
<variables>
|
||||
<family name="general">
|
||||
<variable name="os_version" type="string" description="OS Version" hidden="True">
|
||||
<value>36</value>
|
||||
</variable>
|
||||
</family>
|
||||
</variables>
|
||||
</rougail>
|
|
@ -0,0 +1,8 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<rougail version="0.10">
|
||||
<variables>
|
||||
<variable name="os_version" type="string" description="Version de l'OS" hidden="True">
|
||||
<value>36</value>
|
||||
</variable>
|
||||
</variables>
|
||||
</rougail>
|
|
@ -1,25 +0,0 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<rougail version="0.10">
|
||||
<services>
|
||||
<service name="update-ca-trust" engine="creole" target="multi-user"/>
|
||||
<service name="fedora-base" manage="False">
|
||||
<file engine="none">/tmpfiles.d/fedora.conf</file>
|
||||
</service>
|
||||
</services>
|
||||
<variables>
|
||||
<family name="general">
|
||||
<variable name="os_name" type="string" description="OS name" hidden="True">
|
||||
<value>Fedora</value>
|
||||
</variable>
|
||||
<variable name="tls_ca_directory" type="filename" description="Directory where CA are stored" hidden="True">
|
||||
<value>/etc/pki/ca-trust/source/anchors</value>
|
||||
</variable>
|
||||
<variable name="tls_cert_directory" type="filename" description="Directory where certificates are stored" hidden="True">
|
||||
<value>/etc/pki/tls/certs</value>
|
||||
</variable>
|
||||
<variable name="tls_key_directory" type="filename" description="Directory where private keys are stored" hidden="True">
|
||||
<value>/etc/pki/tls/private</value>
|
||||
</variable>
|
||||
</family>
|
||||
</variables>
|
||||
</rougail>
|
|
@ -0,0 +1,13 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<rougail version="0.10">
|
||||
<services>
|
||||
<service name="fedora-base" manage="False">
|
||||
<file engine="none">/tmpfiles.d/fedora.conf</file>
|
||||
</service>
|
||||
</services>
|
||||
<variables>
|
||||
<variable name="os_name" type="string" description="Nom de l'OS" hidden="True">
|
||||
<value>Fedora</value>
|
||||
</variable>
|
||||
</variables>
|
||||
</rougail>
|
|
@ -0,0 +1,17 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<rougail version="0.10">
|
||||
<services>
|
||||
<service name="update-ca-trust" engine="creole" target="multi-user"/>
|
||||
</services>
|
||||
<variables>
|
||||
<variable name="tls_ca_directory" type="filename" description="Nom du répertoire des autorités de certification" hidden="True">
|
||||
<value>/etc/pki/ca-trust/source/anchors</value>
|
||||
</variable>
|
||||
<variable name="tls_cert_directory" type="filename" description="Nom du répertoire des certificats" hidden="True">
|
||||
<value>/etc/pki/tls/certs</value>
|
||||
</variable>
|
||||
<variable name="tls_key_directory" type="filename" description="Nom du répertoire des clefs privés" hidden="True">
|
||||
<value>/etc/pki/tls/private</value>
|
||||
</variable>
|
||||
</variables>
|
||||
</rougail>
|
|
@ -6,25 +6,22 @@
|
|||
</service>
|
||||
</services>
|
||||
<variables>
|
||||
<family name='general' description="Général">
|
||||
<variable name="zones_list" type="string" multi="True" description="Liste de toutes les zones" hidden="True"/>
|
||||
<variable name="number_of_interfaces" type="number" description="Nombre d'interface disponible" hidden="True"/>
|
||||
<variable name="interfaces_list" type="number" multi="True" description="Liste de toutes les interfaces" hidden="True"/>
|
||||
<variable name="server_deployed" type="boolean" description="Le serveur est déployé" hidden="True">
|
||||
<variable name="hide_secret" type="boolean" description="Les secrets sont obscurcis" mode="expert" help="Obscurcir les secrets peut permettre de générer des configurations diffusable sans problème de confidentialité ou pour comparer deux configurations générés à des moments différents">
|
||||
<value>False</value>
|
||||
</variable>
|
||||
</family>
|
||||
<family name="dns" description="DNS">
|
||||
<variable name="dns_client_address" type="domainname" description="Nom de domaine du serveur SMTP"/>
|
||||
<variable name="ip_dns" type="ip" description="The DNS server" hidden="True"/>
|
||||
</family>
|
||||
<family name="network" description="Réseau">
|
||||
<variable name="zones_list" type="string" multi="True" description="Liste de toutes les zones" hidden="True"/>
|
||||
<variable name="interfaces_list" type="number" multi="True" description="Liste de tous les numéros d'interfaces" hidden="True"/>
|
||||
<variable name="dns_client_address" type="domainname" description="Nom de domaine du serveur DNS"/>
|
||||
<variable name="ip_dns" type="ip" description="Adresse IP du serveur DNS" hidden="True"/>
|
||||
<family name="interface_" description="Interface " dynamic="interfaces_list">
|
||||
<variable name="zone_name_eth" type="string" description="Zone name for interface " hidden="True"/>
|
||||
<variable name="zone_name_eth" type="string" description="Nom de la zone de l'interface " hidden="True"/>
|
||||
<variable name="ip_eth" type="ip" description="Adresse IP pour l'interface " hidden="True" provider="ip"/>
|
||||
<variable name="network_eth" type="network_cidr" description="The zone network for interface " hidden="True"/>
|
||||
<variable name="gateway_eth" type="ip" description="The zone gateway for interface "/>
|
||||
<variable name="network_eth" type="network_cidr" description="Réseau de l'interface " hidden="True"/>
|
||||
<variable name="gateway_eth" type="ip" description="La route de l'interface "/>
|
||||
<variable name="domain_name_eth" type="domainname" description="Nom de domaine pour l'interface " mandatory="True" hidden="True"/>
|
||||
</family>
|
||||
</family>
|
||||
</variables>
|
||||
<constraints>
|
||||
<fill name="set_linked">
|
||||
|
@ -34,16 +31,12 @@
|
|||
<param name="linked_returns">ip</param>
|
||||
<target>ip_dns</target>
|
||||
</fill>
|
||||
<fill name="get_number_of_interfaces">
|
||||
<param type="information">zones_name</param>
|
||||
<target>number_of_interfaces</target>
|
||||
</fill>
|
||||
<fill name="calc_value">
|
||||
<param type="information">zones_name</param>
|
||||
<target>zones_list</target>
|
||||
</fill>
|
||||
<fill name="get_range">
|
||||
<param type="variable">number_of_interfaces</param>
|
||||
<param type="information">zones_name</param>
|
||||
<target>interfaces_list</target>
|
||||
</fill>
|
||||
<fill name="get_ip">
|
||||
|
@ -75,10 +68,6 @@
|
|||
<param name="index" type="suffix"/>
|
||||
<target>gateway_eth</target>
|
||||
</fill>
|
||||
<check name="valid_entier">
|
||||
<param name="mini" type="number">1</param>
|
||||
<target>number_of_interfaces</target>
|
||||
</check>
|
||||
</constraints>
|
||||
</rougail>
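Review bot: The `get_range` fill that targets `interfaces_list` now receives the `zones_name` information directly, and nothing in this section guarantees that the information is set. The `get_number_of_interfaces` fill it replaces went through a helper that returned 1 for a missing value, while the `get_range(lst)` added elsewhere in this commit calls `len(lst)` unconditionally, so an unset `zones_name` would presumably raise instead of yielding a single interface. Either keep the guard in the helper, `return list(range(max(1, len(lst or []))))`, or state on the fill that `zones_name` is required.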
|
||||
|
|
@ -1,4 +1,5 @@
|
|||
import __main__
|
||||
from typing import List
|
||||
from secrets import token_urlsafe as _token_urlsafe, token_hex as _token_hex
|
||||
from string import ascii_letters as _ascii_letters
|
||||
from random import choice as _choice
|
||||
|
@ -6,6 +7,9 @@ from os.path import dirname as _dirname, abspath as _abspath, join as _join, isf
|
|||
from os import makedirs as _makedirs
|
||||
|
||||
|
||||
from risotto.utils import load_domains, DOMAINS
|
||||
|
||||
|
||||
_HERE = _dirname(_abspath(__main__.__file__))
|
||||
_PASSWORD_DIR = _join(_HERE, 'password')
|
||||
|
||||
|
@ -14,9 +18,12 @@ def get_password(server_name: str,
|
|||
username: str,
|
||||
description: str,
|
||||
type: str,
|
||||
hide: bool,
|
||||
length: int=20,
|
||||
temporary: bool=True,
|
||||
) -> str:
|
||||
if hide:
|
||||
return "XXXXX"
|
||||
def gen_password():
|
||||
return _token_urlsafe(length)[:length]
|
||||
return _set_password(server_name,
|
||||
|
@ -32,8 +39,11 @@ def get_password_alpha_num(server_name,
|
|||
username: str,
|
||||
description: str,
|
||||
length,
|
||||
hide: bool,
|
||||
starts_with_char=False,
|
||||
):
|
||||
if hide:
|
||||
return "XXXXX"
|
||||
def gen_password():
|
||||
password = _token_hex()
|
||||
if starts_with_char:
|
||||
|
@ -72,14 +82,8 @@ def _set_password(server_name: str,
|
|||
return file_content
|
||||
|
||||
|
||||
def get_range(stop):
|
||||
return list(range(stop))
|
||||
|
||||
|
||||
def get_number_of_interfaces(zones):
|
||||
if zones is None:
|
||||
return 1
|
||||
return len(zones)
|
||||
def get_range(lst):
|
||||
return list(range(max(1, len(lst))))
|
||||
|
||||
|
||||
def get_zone_name(zones: list,
|
||||
|
@ -97,3 +101,13 @@ def get_domain_name(server_name: str,
|
|||
if index == 0:
|
||||
return server_name
|
||||
return extra_domainnames[index - 1]
|
||||
|
||||
|
||||
def get_ip(server_name: str,
|
||||
zones_name: List[str],
|
||||
index: str,
|
||||
) -> str:
|
||||
load_domains()
|
||||
host_name, domain_name = server_name.split('.', 1)
|
||||
domain = DOMAINS[domain_name]
|
||||
return domain[1][domain[0].index(host_name)]
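Review bot: `get_password` and `get_password_alpha_num` return the fixed string `"XXXXX"` when `hide` is true, which is a usable credential rather than an obviously invalid marker. The fills in this commit that pass `hide_secret` (the Gitea `secret_key`, `internal_token` and `lfs_jwt_secret`, and `ldapclient_user_password`, which also appears to be sent to the LDAP server through the `client_password` provider) would all collapse to that one known value if a configuration generated with the flag set were ever deployed. Nothing visible here prevents that, so the deployment path should refuse to run while `hide_secret` is true, and the early return deserves a comment such as `# redacted placeholder for publishable output, never a deployable secret`. `hide` is also inserted as a required parameter ahead of `length` and `starts_with_char`, so any caller outside this diff that passes those positionally needs updating; both function bodies continue outside the hunks.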
|
||||
|
|
|
@ -11,6 +11,8 @@ from datetime import datetime, timezone
|
|||
os_name = argv[1]
|
||||
OLD_DIR = argv[2]
|
||||
NEW_DIR = argv[3]
|
||||
WEBSITE = len(argv) != 5
|
||||
|
||||
FILES = []
|
||||
def diff_files(dcmp):
|
||||
for name in dcmp.diff_files:
|
||||
|
@ -25,6 +27,7 @@ diff_files(dcmp)
|
|||
date = datetime.now(timezone.utc).isoformat()
|
||||
title = f"Nouvelle version de la configuration de {os_name}"
|
||||
subtitle = f"Différence entre les fichiers de configuration de {os_name}"
|
||||
if WEBSITE:
|
||||
print(f"""+++
|
||||
title = "{title}"
|
||||
description = "{subtitle}"
|
||||
|
@ -41,7 +44,15 @@ lead = "{subtitle}."
|
|||
type = "installe"
|
||||
+++
|
||||
""")
|
||||
TITLE = True
|
||||
else:
|
||||
TITLE = False
|
||||
for filename in FILES:
|
||||
if not TITLE:
|
||||
print(title)
|
||||
print("=" * len(title))
|
||||
print()
|
||||
TITLE = True
|
||||
print(f'- mise à jour du fichier {filename} :\n')
|
||||
try:
|
||||
with open(join(OLD_DIR, filename[1:]), 'r') as ori:
|
||||
|
@ -51,7 +62,9 @@ for filename in FILES:
|
|||
except UnicodeDecodeError:
|
||||
print('fichier binaire')
|
||||
else:
|
||||
if WEBSITE:
|
||||
print('```diff')
|
||||
for line in unified_diff(ori_content, new_content, fromfile=filename, tofile=filename):
|
||||
print(line.rstrip())
|
||||
if WEBSITE:
|
||||
print('```')
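Review bot: `WEBSITE = len(argv) != 5` selects the output format from the argument count alone, so any fifth argument, whatever its value, switches off the front matter and the Markdown fences, while `argv[1]` to `argv[3]` are still indexed without a length check. A named option would make the mode explicit; at minimum add a comment such as `# a fifth argument (any value) selects plain-text output instead of the website page`. The loop body continues outside the hunks.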
|
||||
|
|
|
@ -50,11 +50,17 @@
|
|||
</service>
|
||||
</services>
|
||||
<variables>
|
||||
<family name="network">
|
||||
<variable name="external_ports" redefine="True">
|
||||
<value>587</value>
|
||||
<value>993</value>
|
||||
</variable>
|
||||
</family>
|
||||
<family name="annuaire">
|
||||
<family name="client">
|
||||
<variable name='ldapclient_family' redefine="True">
|
||||
<value>all</value>
|
||||
</variable>
|
||||
<variable name="ldap_key_file_owner" redefine="True">
|
||||
<value>dovecot</value>
|
||||
</variable>
|
||||
|
@ -62,6 +68,7 @@
|
|||
<value>postfix</value>
|
||||
</variable>
|
||||
</family>
|
||||
</family>
|
||||
<family name="mail" description="Mail domain" leadership="True">
|
||||
<variable name="mail_domains" type="domainname" description="Domaine de courriel géré localement" mandatory="True" multi="True"/>
|
||||
<variable name="mail_domains_calc" type="domainname" hidden="True"/>
|
||||
|
@ -187,12 +194,5 @@
|
|||
<param type="variable">mail_domains</param>
|
||||
<target>well_knowns</target>
|
||||
</fill>
|
||||
<check name="set_linked_configuration">
|
||||
<param name="linked_value">all</param>
|
||||
<param name="linked_server" type="variable">ldap_server_address</param>
|
||||
<param name="linked_provider">client_family</param>
|
||||
<param name="dynamic" type="variable">domain_name_eth0</param>
|
||||
<target>mail_domains_calc</target>
|
||||
</check>
|
||||
</constraints>
|
||||
</rougail>
|
||||
|
|
|
@ -1 +1 @@
|
|||
%%get_chain(%%domain_name_eth0, "IMAPServer")
|
||||
%%get_chain(%%domain_name_eth0, "IMAPServer", hide=%%hide_secret)
|
||||
|
|
|
@ -1 +1 @@
|
|||
%%get_chain(%%domain_name_eth0, "MailServer")
|
||||
%%get_chain(%%domain_name_eth0, "MailServer", hide=%%hide_secret)
|
||||
|
|
|
@ -34,8 +34,8 @@ uris = ldaps://%%ldap_server_address
|
|||
# Password for LDAP server, if dn is specified.
|
||||
#dnpass =
|
||||
#>GNUNUX
|
||||
dn = %%ldapclient_remote_user
|
||||
dnpass = %%ldapclient_remote_user_password
|
||||
dn = %%ldapclient_user
|
||||
dnpass = %%ldapclient_user_password
|
||||
#<GNUNUX
|
||||
|
||||
# Use SASL binding instead of the simple binding. Note that this changes
|
||||
|
@ -107,7 +107,7 @@ auth_bind = yes
|
|||
# LDAP base. %variables can be used here.
|
||||
# For example: dc=mail, dc=example, dc=org
|
||||
# GNUNUX base =
|
||||
base = %%calc_ldapclient_base_dn(%%ldap_base_dn, None, accounts=True)
|
||||
base = %%ldapclient_base_dn
|
||||
|
||||
# Dereference: never, searching, finding, always
|
||||
#deref = never
|
||||
|
|
|
@ -1,5 +1,8 @@
|
|||
%set %%extra_domainnames = []
|
||||
%for %%idx in %%range(1, %%number_of_interfaces)
|
||||
%for %%idx in %%range(%%len(%%zones_list))
|
||||
%if not idx
|
||||
%continue
|
||||
%end if
|
||||
%%extra_domainnames.append(%%getVar('domain_name_eth' + %%str(%%idx)))
|
||||
%end for
|
||||
%%get_certificate(%%domain_name_eth0, 'IMAPServer', extra_domainnames=%%extra_domainnames)
|
||||
%%get_certificate(%%domain_name_eth0, 'IMAPServer', extra_domainnames=%%extra_domainnames, hide=%%hide_secret)
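Review bot: The new guard is written `%if not idx`, without the `%%` prefix that the loop variable carries on the other lines of this template and in the matching mail-server template, which uses `%if not %%idx`. It may well evaluate the same way, but the two copies should read alike, so write `%if not %%idx` here. Starting the loop at 1, as the removed line did, would also make the `%continue` block unnecessary: `%for %%idx in %%range(1, %%len(%%zones_list))`.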
|
||||
|
|
|
@ -1 +1 @@
|
|||
%%get_private_key(%%domain_name_eth0, 'IMAPServer')
|
||||
%%get_private_key(cn=%%domain_name_eth0, authority_name='IMAPServer', hide=%%hide_secret)
|
||||
|
|
|
@ -1,2 +1,2 @@
|
|||
%%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External')
|
||||
%%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)
|
||||
|
||||
|
|
|
@ -1 +1 @@
|
|||
%%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External')
|
||||
%%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)
|
||||
|
|
|
@ -6,8 +6,8 @@ tls_ca_cert_file = %%ldap_ca_file
|
|||
tls_require_cert = yes
|
||||
version = 3
|
||||
bind = yes
|
||||
bind_dn = %%ldapclient_remote_user
|
||||
bind_pw = %%ldapclient_remote_user_password
|
||||
search_base = %%calc_ldapclient_base_dn(%%ldap_base_dn, None, accounts=True)
|
||||
bind_dn = %%ldapclient_user
|
||||
bind_pw = %%ldapclient_user_password
|
||||
search_base = %%ldapclient_base_dn
|
||||
query_filter = (mailLocalAddress=%s)
|
||||
result_attribute = cn
|
||||
|
|
|
@ -1,5 +1,8 @@
|
|||
%set %%extra_domainnames = []
|
||||
%for %%idx in %%range(1, %%number_of_interfaces)
|
||||
%for %%idx in %%range(%%len(%%zones_list))
|
||||
%if not %%idx
|
||||
%continue
|
||||
%end if
|
||||
%%extra_domainnames.append(%%getVar('domain_name_eth' + %%str(%%idx)))
|
||||
%end for
|
||||
%%get_certificate(%%domain_name_eth0, "MailServer", extra_domainnames=%%extra_domainnames)
|
||||
%%get_certificate(%%domain_name_eth0, "MailServer", extra_domainnames=%%extra_domainnames, hide=%%hide_secret)
|
||||
|
|
|
@ -1 +1 @@
|
|||
%%get_private_key(%%domain_name_eth0, 'MailServer')
|
||||
%%get_private_key(cn=%%domain_name_eth0, authority_name='MailServer', hide=%%hide_secret)
|
||||
|
|
|
@ -1,2 +1,2 @@
|
|||
%%get_private_key(%%domain_name_eth0, 'MailServer')
|
||||
%%get_certificate(%%domain_name_eth0, "MailServer")
|
||||
%%get_private_key(cn=%%domain_name_eth0, authority_name='MailServer', hide=%%hide_secret)
|
||||
%%get_certificate(cn=%%domain_name_eth0, authority_name="MailServer", hide=%%hide_secret)
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
%set %%cert = %%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External')
|
||||
%%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External')
|
||||
%set %%cert = %%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)
|
||||
%%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)
|
||||
%%cert
|
||||
|
|
|
@ -9,9 +9,11 @@
|
|||
</service>
|
||||
</services>
|
||||
<variables>
|
||||
<family name="network">
|
||||
<variable name="external_ports" redefine="True">
|
||||
<value>2222</value>
|
||||
</variable>
|
||||
</family>
|
||||
<family name="gitea" description="Gitea" help="Git forge Gitea">
|
||||
<variable name="gitea_title" mandatory="True" description="Titre de la forge">
|
||||
<value>Gitea: Git avec une tasse de thé</value>
|
||||
|
@ -54,8 +56,10 @@
|
|||
<variable name="oauth2_client_token_signature_algo" redefine="True">
|
||||
<value>RS256</value>
|
||||
</variable>
|
||||
<family name="external">
|
||||
<variable name="oauth2_client_external" redefine="True" remove_fill="True"/>
|
||||
</family>
|
||||
</family>
|
||||
</variables>
|
||||
<constraints>
|
||||
<fill name="get_password">
|
||||
|
@ -63,6 +67,7 @@
|
|||
<param name="username">secret_key</param>
|
||||
<param name="description">gitea</param>
|
||||
<param name="type">cleartext</param>
|
||||
<param name="hide" type="variable">hide_secret</param>
|
||||
<param name="length" type="number">105</param>
|
||||
<target>gitea_secret_key</target>
|
||||
</fill>
|
||||
|
@ -71,6 +76,7 @@
|
|||
<param name="username">internal_token</param>
|
||||
<param name="description">gitea</param>
|
||||
<param name="type">cleartext</param>
|
||||
<param name="hide" type="variable">hide_secret</param>
|
||||
<param name="length" type="number">105</param>
|
||||
<target>gitea_internal_token</target>
|
||||
</fill>
|
||||
|
@ -79,6 +85,7 @@
|
|||
<param name="username">lfs_jwt_secret</param>
|
||||
<param name="description">gitea</param>
|
||||
<param name="type">cleartext</param>
|
||||
<param name="hide" type="variable">hide_secret</param>
|
||||
<param name="length" type="number">43</param>
|
||||
<target>gitea_lfs_jwt_secret</target>
|
||||
</fill>
|
||||
|
|
|
@ -1 +1 @@
|
|||
%%get_chain(%%imap_address, 'IMAPServer')
|
||||
%%get_chain(%%imap_address, 'IMAPServer', hide=%%hide_secret)
|
||||
|
|
|
@ -1,11 +0,0 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
|
||||
<rougail version="0.10">
|
||||
<variables>
|
||||
<family name="annuaire">
|
||||
<variable name="ldap_client_file" type="filename" description="LDAP client filename" hidden="True">
|
||||
<value>/etc/ldap/ldap.conf</value>
|
||||
</variable>
|
||||
</family>
|
||||
</variables>
|
||||
</rougail>
|
|
@ -0,0 +1,13 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
|
||||
<rougail version="0.10">
|
||||
<variables>
|
||||
<family name="annuaire">
|
||||
<family name="client">
|
||||
<variable name="ldap_client_file" type="filename" description="Nom du fichier du client LDAP" hidden="True">
|
||||
<value>/etc/ldap/ldap.conf</value>
|
||||
</variable>
|
||||
</family>
|
||||
</family>
|
||||
</variables>
|
||||
</rougail>
|
|
@ -1,11 +0,0 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
|
||||
<rougail version="0.10">
|
||||
<variables>
|
||||
<family name="annuaire">
|
||||
<variable name="ldap_client_file" type="filename" description="LDAP client filename" hidden="True">
|
||||
<value>/etc/openldap/ldap.conf</value>
|
||||
</variable>
|
||||
</family>
|
||||
</variables>
|
||||
</rougail>
|
|
@ -0,0 +1,13 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
|
||||
<rougail version="0.10">
|
||||
<variables>
|
||||
<family name="annuaire">
|
||||
<family name="client">
|
||||
<variable name="ldap_client_file" type="filename" description="Nom du fichier du client LDAP" hidden="True">
|
||||
<value>/etc/openldap/ldap.conf</value>
|
||||
</variable>
|
||||
</family>
|
||||
</family>
|
||||
</variables>
|
||||
</rougail>
|
|
@ -10,34 +10,34 @@
|
|||
</service>
|
||||
</services>
|
||||
<variables>
|
||||
<family name="annuaire">
|
||||
<family name="annuaire" description="Annuaire OpenLDAP">
|
||||
<family name="server" description="Serveur">
|
||||
<variable name='ldap_server_address' type='domainname' description="Nom DNS du serveur LDAP" mandatory='True'/>
|
||||
<variable name='ldap_port' type='port' description='Port du serveur LDAP' hidden="True">
|
||||
<value>636</value>
|
||||
</variable>
|
||||
</family>
|
||||
<family name="client" description="Client">
|
||||
<variable name='ldapclient_family' type='unix_user' description="Nom de la famille LDAP"/>
|
||||
<variable name='ldapclient_remote_user' type='string' description="DN de l'tilisateur distant" mandatory='True' hidden="True"/>
|
||||
<variable name='ldapclient_remote_user_password' type='password' description="Mot de passe de l'utilisateur distant" mandatory='True' hidden="True"/>
|
||||
<variable name='ldap_base_dn' type='string' description="Base DN de l'annuaire" mandatory="True" test="dc=test,o=fr"/>
|
||||
<variable name='ldapclient_base_dn' type='string' description="Base DN de l'annuaire" mandatory="True"/>
|
||||
<variable name='ldap_port' type='port' description='Port du serveur LDAP' mandatory='True' test="636"/>
|
||||
<variable name="ldap_ca_file" type="filename" description="LDAP CA filename" hidden="True"/>
|
||||
<variable name="ldap_cert_file" type="filename" description="LDAP certificate filename" hidden="True"/>
|
||||
<variable name="ldap_key_file" type="filename" description="LDAP private key filename" hidden="True"/>
|
||||
<variable name="ldap_key_file_owner" type="unix_user" description="LDAP private key file owner" hidden="True">
|
||||
<variable name='ldapclient_user' type='string' description="DN de l'utilisateur LDAP" mandatory='False' hidden="True"/>
|
||||
<variable name='ldapclient_user_password' type='password' description="Mot de passe de l'utilisateur LDAP" mandatory='True' hidden="True"/>
|
||||
<variable name='ldapclient_base_dn' type='string' description="Base DN de l'annuaire des utilisateurs" mandatory="False"/>
|
||||
<variable name="ldap_ca_file" type="filename" description="Fichier de l'autorité de certification LDAP" hidden="True"/>
|
||||
<variable name="ldap_cert_file" type="filename" description="Fichier du certificate LDAP" hidden="True"/>
|
||||
<variable name="ldap_key_file" type="filename" description="Fichier de la clef privée LDAP" hidden="True"/>
|
||||
<variable name="ldap_key_file_owner" type="unix_user" description="Propriétaire du fichier de la clef privée LDAP" hidden="True">
|
||||
<value>root</value>
|
||||
</variable>
|
||||
<variable name="ldap_key_file_group" type="unix_user" description="LDAP private key file group" hidden="True">
|
||||
<variable name="ldap_key_file_group" type="unix_user" description="Groupe du fichier de la clef privée LDAP" hidden="True">
|
||||
<value>root</value>
|
||||
</variable>
|
||||
</family>
|
||||
</family>
|
||||
</variables>
|
||||
<constraints>
|
||||
<check name='valid_base_dn'>
|
||||
<target>ldap_base_dn</target>
|
||||
</check>
|
||||
<fill name="calc_ldapclient_base_dn">
|
||||
<param type="variable">ldap_base_dn</param>
|
||||
<param type="variable">ldapclient_family</param>
|
||||
<target>ldapclient_base_dn</target>
|
||||
</fill>
|
||||
</check>
|
||||
<fill name="calc_value">
|
||||
<param type="variable">tls_ca_directory</param>
|
||||
<param>ca_LDAP.crt</param>
|
||||
|
@ -56,35 +56,32 @@
|
|||
<param name="join">/</param>
|
||||
<target>ldap_key_file</target>
|
||||
</fill>
|
||||
<fill name="set_linked">
|
||||
<param name="linked_server" type="variable">ldap_server_address</param>
|
||||
<param name="linked_provider">clients</param>
|
||||
<param name="linked_value" type="variable">domain_name_eth0</param>
|
||||
<fill name="set_linked_multi_variables">
|
||||
<param type="variable">ldap_server_address</param>
|
||||
<param name="linked_provider_0">clients</param>
|
||||
<param name="linked_value_0" type="variable">domain_name_eth0</param>
|
||||
<param name="linked_provider_1">client_family</param>
|
||||
<param name="linked_value_1" type="variable">ldapclient_family</param>
|
||||
<param name="allow_none_1" type="boolean">True</param>
|
||||
<param name="linked_returns">dn</param>
|
||||
<target>ldapclient_user</target>
|
||||
</fill>
|
||||
<fill name="get_password">
|
||||
<param name="server_name" type="variable">ldap_server_address</param>
|
||||
<param name="username" type="variable">ldapclient_user</param>
|
||||
<param name="description">remote account</param>
|
||||
<param name="type">cleartext</param>
|
||||
<param name="hide" type="variable">hide_secret</param>
|
||||
<param name="temporary" type="boolean">True</param>
|
||||
<target>ldapclient_user_password</target>
|
||||
</fill>
|
||||
<fill name="set_linked_multi_variables">
|
||||
<param type="variable">ldap_server_address</param>
|
||||
<param name="linked_provider_0">client_password</param>
|
||||
<param name="linked_value_0" type="variable">ldapclient_user_password</param>
|
||||
<param name="linked_returns">base_dn</param>
|
||||
<param name="dynamic" type="variable">domain_name_eth0</param>
|
||||
<target>ldapclient_remote_user</target>
|
||||
<target>ldapclient_base_dn</target>
|
||||
</fill>
|
||||
<fill name="get_linked_configuration">
|
||||
<param name="linked_server" type="variable">ldap_server_address</param>
|
||||
<param name="linked_provider">client_password</param>
|
||||
<param name="dynamic" type="variable">domain_name_eth0</param>
|
||||
<target>ldapclient_remote_user_password</target>
|
||||
</fill>
|
||||
<fill name="get_linked_configuration">
|
||||
<param name="linked_server" type="variable">ldap_server_address</param>
|
||||
<param name="linked_provider">ldap_dn</param>
|
||||
<target>ldap_base_dn</target>
|
||||
</fill>
|
||||
<fill name="get_linked_configuration">
|
||||
<param name="linked_server" type="variable">ldap_server_address</param>
|
||||
<param name="linked_provider">ldap_port</param>
|
||||
<target>ldap_port</target>
|
||||
</fill>
|
||||
<check name="set_linked_configuration">
|
||||
<param name="linked_server" type="variable">ldap_server_address</param>
|
||||
<param name="linked_provider">client_family</param>
|
||||
<param name="dynamic" type="variable">domain_name_eth0</param>
|
||||
<target>ldapclient_family</target>
|
||||
</check>
|
||||
</constraints>
|
||||
</rougail>
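Review bot: `ldapclient_user` is declared with `mandatory='False'`, whereas the `ldapclient_remote_user` it replaces was mandatory, yet it is used as `username` by the `get_password` fill and `ldapclient_user_password` stays `mandatory='True'`. The client templates changed in this commit also write `BINDDN %%ldapclient_user` and `bind_dn = %%ldapclient_user` unconditionally, so an unresolved lookup would presumably render an empty bind DN next to a generated password. If an empty DN is a supported case (the `allow_none_1` parameter suggests the family may be unset), the templates need a guard around the bind lines; otherwise keep `mandatory='True'` on `ldapclient_user`.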
|
||||
|
|
|
@ -7,15 +7,24 @@ def valid_base_dn(base_dn: str) -> None:
|
|||
|
||||
|
||||
def calc_ldapclient_base_dn(ldap_base_dn: str,
|
||||
family_name: str,
|
||||
accounts: bool=False,
|
||||
family_name: str=None,
|
||||
base: bool=False,
|
||||
group: bool=False,
|
||||
) -> str:
|
||||
base = f'ou=accounts,{ldap_base_dn}'
|
||||
if accounts:
|
||||
return base
|
||||
if family_name == 'all':
|
||||
family_name = None
|
||||
base = True
|
||||
if group:
|
||||
return f'ou=groups,{ldap_base_dn}'
|
||||
if not ldap_base_dn.startswith('ou=accounts,'):
|
||||
base_name = f'ou=accounts,{ldap_base_dn}'
|
||||
else:
|
||||
base_name = ldap_base_dn
|
||||
if base:
|
||||
return base_name
|
||||
if not family_name:
|
||||
return f'ou=users,{base}'
|
||||
families = f'ou=families,{base}'
|
||||
return f'ou=users,{base_name}'
|
||||
base_name = f'ou=families,{base_name}'
|
||||
if family_name != '-':
|
||||
return f'ou={family_name},{families}'
|
||||
return families
|
||||
base_name = f'ou={family_name},{base_name}'
|
||||
return base_name
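Review bot: `family_name` is interpolated into the result as `ou={family_name},{base_name}` without escaping, so a value containing `,`, `=` or `+` would change the structure of the returned DN. The `ldapclient_family` variable that feeds it in this commit is typed `unix_user`, which probably rules that out, but the function does not enforce it and an earlier version was called directly from templates. State the precondition in a docstring, which should also spell out the order in which the flags win: `group` first, then `base` (or `family_name == 'all'`), then an empty family, then `'-'`, then a named family.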
|
||||
|
|
|
@ -1 +1 @@
|
|||
%%get_chain(%%ldap_server_address, 'LDAP')
|
||||
%%get_chain(%%ldap_server_address, 'LDAP', hide=%%hide_secret)
|
||||
|
|
|
@ -31,8 +31,8 @@ TLS_CACERT %%ldap_ca_file
|
|||
# Turning this off breaks GSSAPI used with krb5 when rdns = false
|
||||
SASL_NOCANON on
|
||||
|
||||
BINDDN %%ldapclient_remote_user
|
||||
BINDDN %%ldapclient_user
|
||||
TIMELIMIT 10
|
||||
NETWORK_TIMEOUT 10
|
||||
TIMEOUT 10
|
||||
BINDPW %%ldapclient_remote_user_password
|
||||
BINDPW %%ldapclient_user_password
|
||||
|
|
|
@ -1 +1 @@
|
|||
%%get_certificate(cn=%%domain_name_eth0, authority_cn=%%ldap_server_address, authority_name='LDAP', type='client')
|
||||
%%get_certificate(cn=%%domain_name_eth0, authority_cn=%%ldap_server_address, authority_name='LDAP', type='client', hide=%%hide_secret)
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
%set %%key = %%get_private_key(cn=%%domain_name_eth0, authority_cn=%%ldap_server_address, authority_name='LDAP', type='client')
|
||||
%set %%key = %%get_private_key(cn=%%domain_name_eth0, authority_cn=%%ldap_server_address, authority_name='LDAP', type='client', hide=%%hide_secret)
|
||||
%if not %%key
|
||||
%raise Exception('empty key')
|
||||
%end if
|
||||
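Review bot: The `%if not %%key` guard only rejects an empty value, and what `get_private_key` returns when `hide` is true is not visible in this diff. If it returns a masked placeholder, this template renders a key file holding the placeholder without raising. A comment above the `%set` line stating that a hidden render is for display only and must never be deployed, or an explicit test on `%%hide_secret`, would make that intent checkable.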
|
|
|
@ -28,14 +28,12 @@
|
|||
</variable>
|
||||
<variable name="lemon_mail_admin" type="mail" description="Courriel de l'administrateur" mandatory="True"/>
|
||||
</family>
|
||||
<family name="annuaire">
|
||||
<family name="client">
|
||||
<variable name='ldapclient_family' redefine="True">
|
||||
<value>all</value>
|
||||
</variable>
|
||||
</family>
|
||||
</family>
|
||||
</variables>
|
||||
<constraints>
|
||||
<check name="set_linked_configuration">
|
||||
<param name="linked_value">all</param>
|
||||
<param name="linked_server" type="variable">ldap_server_address</param>
|
||||
<param name="linked_provider">client_family</param>
|
||||
<param name="dynamic" type="variable">domain_name_eth0</param>
|
||||
<target>lemon_mail_admin</target>
|
||||
</check>
|
||||
</constraints>
|
||||
</rougail>
|
||||
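Review bot: The redefined `ldapclient_family` carries the bare value `all`, which is a sentinel rather than a family name. `calc_ldapclient_base_dn` turns it into the whole accounts base, and the ACL template in this commit then opens that entire subtree to this host's bind account. Nothing in this dictionary says so; a comment such as `<!-- "all": the portal binds with access to every account subtree, not to a single family -->` next to the `<value>` would make the scope explicit. Whether that access is read or write depends on the server-side `read_only_` flag, which is not set here.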
|
|
|
@ -7,6 +7,7 @@ Providers
|
|||
- oauth2_token_signature_algo : algorithme de la signature du jeton
|
||||
- oauth2_name : nom du service affiché à l'utilisateur
|
||||
- oauth2_description : description du service affiché à l'utilisateur
|
||||
- oauth2_external : adresse du service (de type https://domaine/location/) c'est une variable multiple, dans ce cas plusieurs lien peuvent être généré pour accéder à ce service (par exemple un pour les utilisateurs + un différent pour une famille)
|
||||
- oauth2_host : adresse du service (de type https://domaine/location/) c'est une variable multiple, dans ce cas plusieurs lien peuvent être généré pour accéder à ce service (par exemple un pour les utilisateurs + un différent pour une famille)
|
||||
- oauth2_family : famille autoriser à accéder
|
||||
- oauth2_logo : logo visible par l'utilisateur
|
||||
- oauth2_category : catégorie qui permet de classer le service
|
||||
|
|
|
@ -8,7 +8,12 @@
|
|||
<variable name="description_" description="Remote description for" hidden="True" provider="oauth2_description"/>
|
||||
<variable name="category_" hidden="True" provider="oauth2_category"/>
|
||||
<variable name="login_" description="Remote URL to login" hidden="True" provider="oauth2_login"/>
|
||||
<variable name="external_" description="Remote external for" hidden="True" provider="oauth2_external" multi="True"/>
|
||||
<family name="external_" leadership="True">
|
||||
<variable name="hosts_" description="Remote external for" provider="oauth2_external" multi="True"/>
|
||||
<variable name="family_" hidden="True" provider="oauth2_family">
|
||||
<value>users</value>
|
||||
</variable>
|
||||
</family>
|
||||
<variable name="logo_" hidden="True" provider="oauth2_logo"/>
|
||||
<variable name="token_signature_algo_" type="choice" description="OAuth2 token signature algorithm" mandatory='True' hidden="True" provider="oauth2_token_signature_algo">
|
||||
<choice>HS512</choice>
|
||||
|
@ -22,6 +27,7 @@
|
|||
<param name="username" type="suffix"/>
|
||||
<param name="description">remote</param>
|
||||
<param name="type">cleartext</param>
|
||||
<param name="hide" type="variable">hide_secret</param>
|
||||
<target>oauth2.oauth2_.secret_</target>
|
||||
</fill>
|
||||
</constraints>
|
||||
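Review bot: In the first hunk the new leader `hosts_` is declared without `hidden="True"`, although the `external_` variable it replaces and every sibling fed by a provider (`description_`, `category_`, `login_`, `family_`, `logo_`) carry it. If the value is still meant to be supplied only by the client through the `oauth2_external` provider, keep it hidden: `<variable name="hosts_" description="Remote external for" hidden="True" provider="oauth2_external" multi="True"/>`. If exposing it is intentional, a short comment saying why would avoid it being "fixed" later.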
|
|
|
@ -2,4 +2,5 @@
|
|||
After=nginx.service
|
||||
|
||||
[Service]
|
||||
ExecStartPre=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/%%ldap_server_address/%%ldap_port; do sleep 1; done'
|
||||
ExecStartPost=-/usr/bin/timeout 10 bash -c 'while ! /usr/local/lib/sbin/interne_well_known.pl > /var/www/html/.well-known/openid-configuration; do sleep 5; done'
|
||||
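Review bot: The `ExecStartPre` probe waits on `%%ldap_port`, while the LemonLDAP configuration template changed in this same commit keeps `"ldapPort" : "636"` as a literal. The unit can therefore wait on one port while the portal connects to another whenever `ldap_port` is not 636. Using the variable in both places, `"ldapPort" : "%%ldap_port",`, keeps them aligned. Because the line has no `-` prefix, an LDAP server that stays unreachable for 90 seconds fails the unit start; if that is intended, a one-line comment saying so would help.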
|
|
|
@ -8,12 +8,12 @@ commentStartToken = §
|
|||
"portalCustomCss": "risotto/risotto.css",
|
||||
"authentication" : "LDAP",
|
||||
"AuthLDAPFilter" : "(&(cn=$user)(objectClass=inetOrgPerson))",
|
||||
"managerDn" : "%%ldapclient_remote_user",
|
||||
"managerPassword" : "%%ldapclient_remote_user_password",
|
||||
"managerDn" : "%%ldapclient_user",
|
||||
"managerPassword" : "%%ldapclient_user_password",
|
||||
"ldapPpolicyControl" : 1,
|
||||
"ldapAllowResetExpiredPassword" : 1,
|
||||
"ldapChangePasswordAsUser" : 1,
|
||||
"ldapBase" : "%%calc_ldapclient_base_dn(%%ldap_base_dn, None, accounts=True)",
|
||||
"ldapBase" : "%%ldapclient_base_dn",
|
||||
"ldapExportedVars" : {
|
||||
"uid" : "uid",
|
||||
"cn" : "cn",
|
||||
|
@ -22,9 +22,13 @@ commentStartToken = §
|
|||
"givenName" : "givenName",
|
||||
"home" : "homeDirectory"
|
||||
},
|
||||
"ldapGroupAttributeName" : "memberUid",
|
||||
"ldapGroupBase" : "%%ldapclient_base_dn",
|
||||
"ldapGroupAttributeName" : "member",
|
||||
"ldapGroupAttributeNameUser" : "cn",
|
||||
"ldapGroupObjectClass" : "group",
|
||||
"ldapGroupAttributeNameGroup" : "dn",
|
||||
"ldapGroupAttributeNameSearch" : "cn",
|
||||
"ldapGroupAttributeNameUser" : "dn",
|
||||
"ldapGroupObjectClass" : "groupOfNames",
|
||||
"ldapPort" : "636",
|
||||
"ldapServer" : "ldaps://%%ldap_server_address",
|
||||
"ldapVerify" : "required",
|
||||
|
@ -61,18 +65,18 @@ commentStartToken = §
|
|||
%set %%domains = []
|
||||
%for %%app in %%oauth2.remotes
|
||||
%set %%key = %%normalize_family(%%app)
|
||||
%set %%external = %%oauth2['oauth2_' + %%key]['external_' + %%key]
|
||||
§ external is somethink like https://domain/
|
||||
%if %%external
|
||||
§ somethink like ['https://domain/']
|
||||
%for %%external in %%oauth2['oauth2_' + %%key]['external_' + %%key]['hosts_' + %%key]
|
||||
%set %%domain = %%str(%%external).split('/', 3)[-2]
|
||||
%if %%domain not in %%domains
|
||||
},
|
||||
"%%domain" : {
|
||||
"^/logout" : "logout_sso",
|
||||
§ FIXME "default" : "$groups eq %%external['family_' + %%key]"
|
||||
"default" : "accept"
|
||||
%%domains.append(%%domain)%slurp
|
||||
%end if
|
||||
%end if
|
||||
%end for
|
||||
%end for
|
||||
}
|
||||
},
|
||||
|
@ -148,9 +152,9 @@ commentStartToken = §
|
|||
"loa-4" : 4,
|
||||
"loa-5" : 5
|
||||
},
|
||||
%set %%pub = '\\n'.join(%%get_public_key(%%domain_name_eth0).split("\n"))
|
||||
%set %%pub = '\\n'.join(%%get_public_key(%%domain_name_eth0, hide=%%hide_secret).split("\n"))
|
||||
"oidcServicePublicKeySig" : "%%pub",
|
||||
%set %%priv = '\\n'.join(%%get_private_key(%%domain_name_eth0).split("\n"))
|
||||
%set %%priv = '\\n'.join(%%get_private_key(%%domain_name_eth0, hide=%%hide_secret).split("\n"))
|
||||
"oidcServicePrivateKeySig" : "%%priv",
|
||||
"passwordDB" : "LDAP",
|
||||
"persistentStorage" : "Apache::Session::File",
|
||||
|
@ -176,7 +180,7 @@ commentStartToken = §
|
|||
'description': %%description,
|
||||
'logo': "risotto/" + %%oauth2['oauth2_' + %%key]['logo_' + %%key],
|
||||
'name': %%oauth2['oauth2_' + %%key]['name_' + %%key],
|
||||
'uri': %%oauth2['oauth2_' + %%key]['external_' + %%key]}
|
||||
'uri': %%oauth2['oauth2_' + %%key]['external_' + %%key]['hosts_' + %%key]}
|
||||
%%remotes.setdefault(%%oauth2['oauth2_' + %%key]['category_' + %%key], []).append(%%dico)%slurp
|
||||
%end for
|
||||
"applicationList" : {
|
||||
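Review bot: Every virtual host emitted by the third hunk still ends with `"default" : "accept"`, so any user authenticated by the portal is accepted on every protected domain. The per-host `family_` value this commit introduces appears only in the `§ FIXME` line above it and is not enforced. Until the rule is built from the family, replace the FIXME with an explicit marker such as `§ SECURITY: oauth2_family is not enforced yet, every authenticated user is accepted`, so the gap is not mistaken for finished work. The expression sketched in the FIXME, `$groups eq ...`, would also need checking against how group names are stored in `$groups` before it is enabled.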
|
|
|
@ -14,6 +14,7 @@
|
|||
<param type="variable">plugin_name</param>
|
||||
<param type="variable">credential_filename</param>
|
||||
<param type="variable">email</param>
|
||||
<param type="variable">hide_secret</param>
|
||||
<target>domain_names</target>
|
||||
</check>
|
||||
</constraints>
|
||||
|
|
|
@ -17,7 +17,10 @@ def letsencrypt_certif(domain: str,
|
|||
plugin_name: str,
|
||||
credential_filename: str,
|
||||
email: str,
|
||||
hide_secret: bool,
|
||||
) -> None:
|
||||
if hide_secret:
|
||||
return
|
||||
if None in (domain, authority_cn, plugin_name, credential_filename, email):
|
||||
return
|
||||
authority_name = 'External'
|
||||
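Review bot: `hide_secret: bool` is added without a default, and the dictionary passes it as one more unnamed `<param type="variable">`. The call only works while the order of the positional params matches this signature exactly, and any other caller of `letsencrypt_certif` breaks. Declaring it `hide_secret: bool=False,` and passing it by name (`<param name="hide_secret" type="variable">hide_secret</param>`) removes that coupling. A one-line comment on the early `return` saying why a hidden render skips the certificate work would also help; the rest of the function body is outside the hunk.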
|
|
|
@ -22,7 +22,7 @@
|
|||
<family name="mailman" description="Gestionnaire de liste">
|
||||
<variable name="mailman_mail_owner" type="mail" description="Courriel du gestionnaire de liste du site"/>
|
||||
<variable name="mailman_domains" type="domainname" description="Nom de domaine des listes" multi="True" mandatory="True"/>
|
||||
<variable name="postorius_secret_key" type="password" description="Internal secret key" mandatory="True" hidden="True" auto_save="True"/>
|
||||
<variable name="postorius_secret_key" type="password" description="Internal secret key" mandatory="True" hidden="True" auto_save="False"/>
|
||||
</family>
|
||||
<family name="oauth2_client">
|
||||
<variable name="oauth2_is_client_application" redefine='True'>
|
||||
|
@ -43,8 +43,10 @@
|
|||
<variable name="oauth2_client_token_signature_algo" redefine="True">
|
||||
<value>RS256</value>
|
||||
</variable>
|
||||
<family name="external">
|
||||
<variable name="oauth2_client_external" redefine="True" remove_fill="True"/>
|
||||
</family>
|
||||
</family>
|
||||
<family name="postgresql">
|
||||
<variable name="pg_client_key_owner" redefine="True">
|
||||
<value>mailman</value>
|
||||
|
@ -57,6 +59,7 @@
|
|||
<param name="username">postorius</param>
|
||||
<param name="description">secret_key</param>
|
||||
<param name="type">cleartext</param>
|
||||
<param name="hide" type="variable">hide_secret</param>
|
||||
<target>postorius_secret_key</target>
|
||||
</fill>
|
||||
<fill name="calc_oauth2_client_external">
|
||||
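Review bot: `postorius_secret_key` stays `mandatory` and `hidden` but, as the page prints the pair, moves from `auto_save="True"` to `auto_save="False"`. The value is then no longer stored with the configuration and comes from the `get_password` fill each time it is calculated. Whether that fill returns the same secret on every call is not visible here; if it does not, the key changes between generations and invalidates whatever it signs. The same applies to `nextcloud_admin_password` and `nextcloud_instance_id` in the Nextcloud dictionary. A comment such as `<!-- not saved here: get_password is the single source of this secret and must return a stable value -->` would record the assumption.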
|
|
|
@ -1 +1 @@
|
|||
%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%pg_client_server_domainname, authority_name='PostgreSQL', type="client")
|
||||
%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%pg_client_server_domainname, authority_name='PostgreSQL', type="client", hide=%%hide_secret)
|
||||
|
|
|
@ -4,4 +4,4 @@ Before=network.target
|
|||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/bin/timeout 90 sh -c 'while ! 3<> /dev/tcp/%%mariadb_client_server_domainname/3306; do sleep 1; done; echo "MARIADB STARTED"'
|
||||
ExecStart=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/%%mariadb_client_server_domainname/3306; do sleep 1; done; echo "MARIADB STARTED"'
|
||||
|
|
|
@ -19,6 +19,7 @@
|
|||
<param name="username">root_password</param>
|
||||
<param name="description">mariadb</param>
|
||||
<param name="type">cleartext</param>
|
||||
<param name="hide" type="variable">hide_secret</param>
|
||||
<param name="length" type="number">50</param>
|
||||
<target>mariadb_root_password</target>
|
||||
</fill>
|
||||
|
|
|
@ -14,9 +14,9 @@
|
|||
</services>
|
||||
<variables>
|
||||
<family name="nextcloud" description="Nextcloud">
|
||||
<variable name="nextcloud_admin_password" type="password" auto_freeze="True" hidden="True"/>
|
||||
<variable name="nextcloud_admin_password" type="password" auto_save="False" hidden="True"/>
|
||||
<variable name="nextcloud_mail_admin" type="mail" mandatory="True"/>
|
||||
<variable name="nextcloud_instance_id" type="password" auto_freeze="True" hidden="True"/>
|
||||
<variable name="nextcloud_instance_id" type="password" auto_save="False" hidden="True"/>
|
||||
<variable name="nextcloud_well_known_server" type="domainname" description="Nom de domaine du serveur hebergeant le répertoire .well-known"/>
|
||||
<variable name="nextcloud_well_known_caldav" type="web_address" hidden='True'/>
|
||||
<variable name="nextcloud_well_known_carddav" type="web_address" hidden='True'/>
|
||||
|
@ -53,6 +53,7 @@
|
|||
<param name="username">admin_password</param>
|
||||
<param name="description">nextcloud</param>
|
||||
<param name="type">cleartext</param>
|
||||
<param name="hide" type="variable">hide_secret</param>
|
||||
<target>nextcloud_admin_password</target>
|
||||
</fill>
|
||||
<!-- see lib/private/legacy/OC_Util.php -->
|
||||
|
@ -62,6 +63,7 @@
|
|||
<param name="description">nextcloud</param>
|
||||
<param name="length" type="number">10</param>
|
||||
<param name="starts_with_char" type="boolean">True</param>
|
||||
<param name="hide" type="variable">hide_secret</param>
|
||||
<target>nextcloud_instance_id</target>
|
||||
</fill>
|
||||
<fill name="calc_value">
|
||||
|
|
|
@ -27,8 +27,8 @@ fi
|
|||
/usr/bin/php /usr/share/nextcloud/occ config:app:set user_ldap bgjRefreshInterval --value=300 -q
|
||||
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapHost "ldaps://%%ldap_server_address"
|
||||
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapPort "%%ldap_port"
|
||||
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentName "%%ldapclient_remote_user"
|
||||
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentPassword "%%ldapclient_remote_user_password"
|
||||
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentName "%%ldapclient_user"
|
||||
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentPassword "%%ldapclient_user_password"
|
||||
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBase "%%ldapclient_base_dn"
|
||||
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseUsers "%%ldapclient_base_dn"
|
||||
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseGroups "%%ldapclient_base_dn"
|
||||
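Review bot: The two changed `ldap:set-config` lines expand the bind DN and password inside double quotes on an `occ` command line. The shell still interprets `$`, backticks, backslashes and `"` in the generated password, and the argument is readable in the process list while the command runs. If the password generator is not already restricted to a shell-safe alphabet (not visible in this diff), the value should be escaped by the template before it reaches the script. At minimum add `# the password below is expanded by the shell: it must not contain $, backtick, backslash or double quote` above the line. The rest of the script is outside the hunk.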
|
|
|
@ -2,7 +2,7 @@ client_max_body_size %%{nginx_post_max_size}M;
|
|||
client_body_buffer_size 128k;
|
||||
|
||||
# Always trust ourself
|
||||
%for %%interface in %%range(%%number_of_interfaces)
|
||||
%for %%interface in %%range(%%len(%%zones_list))
|
||||
set_real_ip_from %%getVar('ip_eth{0}'.format(%%interface));
|
||||
%end for
|
||||
|
||||
|
|
|
@ -1,2 +1,2 @@
|
|||
%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy', type="server")
|
||||
%%get_chain(%%revprox_client_server_domainname, 'InternalReverseProxy')
|
||||
%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy', type="server", hide=%%hide_secret)
|
||||
%%get_chain(%%revprox_client_server_domainname, 'InternalReverseProxy', hide=%%hide_secret)
|
||||
|
|
|
@ -1 +1 @@
|
|||
%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy', type='server')
|
||||
%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy', type='server', hide=%%hide_secret)
|
||||
|
|
|
@ -10,10 +10,12 @@
|
|||
</service>
|
||||
</services>
|
||||
<variables>
|
||||
<family name="network">
|
||||
<variable name="external_ports" redefine="True">
|
||||
<value>80</value>
|
||||
<value>443</value>
|
||||
</variable>
|
||||
</family>
|
||||
<family name="nginx" description="NGINX" help="Paramétrage global de NGINX">
|
||||
<variable name="nginx_default" redefine="True" mandatory="True"/>
|
||||
<variable name="revprox_domainnames" type="domainname" description="Nom des domaines à configurer dans le serveur mandataire inverse" help="Liste des domaines gérés par le serveur mandataire inverse" multi="True"/>
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
%for %%idx in %%range(0, %%number_of_interfaces)
|
||||
%%get_chain(authority_cn=%%getVar('domain_name_eth' + %%str(%%idx)), authority_name="InternalReverseProxy")
|
||||
%for %%idx in %%range(%%len(%%zones_list))
|
||||
%%get_chain(authority_cn=%%getVar('domain_name_eth' + %%str(%%idx)), authority_name="InternalReverseProxy", hide=%%hide_secret)
|
||||
%end for
|
||||
|
|
|
@ -1 +1 @@
|
|||
%%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External')
|
||||
%%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)
|
||||
|
|
|
@ -1 +1 @@
|
|||
%%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External')
|
||||
%%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)
|
||||
|
|
|
@ -14,7 +14,7 @@
|
|||
</service>
|
||||
</services>
|
||||
<variables>
|
||||
<family name="dns" description="DNS">
|
||||
<family name="network">
|
||||
<variable name="dns_client_address" redefine="True" disabled="True"/>
|
||||
<variable name="ip_dns" redefine="True" remove_fill="True">
|
||||
<value>127.0.0.1</value>
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
server:
|
||||
interface: 127.0.0.1
|
||||
%for %%interface in %%interfaces_list
|
||||
%for %%interface in %%range(%%len(%%zones_list))
|
||||
interface: %%getVar('ip_eth' + %%str(%%interface))
|
||||
%end for
|
||||
do-ip4: yes
|
||||
|
|
|
@ -9,7 +9,12 @@
|
|||
<variable name="oauth2_client_name" description="OAuth2 client name" mandatory='True'/>
|
||||
<variable name="oauth2_client_description" description="OAuth2 client description" mandatory='True'/>
|
||||
<variable name="oauth2_client_login" type="web_address" description="OAuth2 URL to valid login" multi="True"/>
|
||||
<family name="external">
|
||||
<variable name="oauth2_client_external" type="web_address" description="OAuth2 client external" mandatory='True' multi="True"/>
|
||||
<variable name="oauth2_client_family" description="OAuth2 family">
|
||||
<value>users</value>
|
||||
</variable>
|
||||
</family>
|
||||
<variable name="oauth2_client_category" description="OAuth2 category" mandatory='True'>
|
||||
<value>Défaut</value>
|
||||
</variable>
|
||||
|
@ -74,6 +79,13 @@
|
|||
<param name="dynamic" type="variable">oauth2_client_id</param>
|
||||
<target>oauth2_client_logo</target>
|
||||
</check>
|
||||
<check name="set_linked_configuration">
|
||||
<param name="linked_server" type="variable">oauth2_client_server_domainname</param>
|
||||
<param name="linked_provider">oauth2_family</param>
|
||||
<param name="leader_provider">oauth2_external</param>
|
||||
<param name="dynamic" type="variable">oauth2_client_id</param>
|
||||
<target>oauth2_client_family</target>
|
||||
</check>
|
||||
<check name="set_linked_configuration">
|
||||
<param name="linked_server" type="variable">oauth2_client_server_domainname</param>
|
||||
<param name="linked_provider">oauth2_login</param>
|
||||
|
@ -96,6 +108,7 @@
|
|||
<target type="variable">oauth2_client_name</target>
|
||||
<target type="variable">oauth2_client_description</target>
|
||||
<target type="variable">oauth2_client_external</target>
|
||||
<target type="variable">oauth2_client_family</target>
|
||||
</condition>
|
||||
</constraints>
|
||||
</rougail>
|
||||
|
|
|
@ -13,44 +13,21 @@
|
|||
<file>/secrets/config_acl.ldif</file>
|
||||
<file>/secrets/admin_ldap.pwd</file>
|
||||
<file engine="none">/sysusers.d/risotto-openldap.conf</file>
|
||||
<file engine="none" source="tmpfile-openldap-server.conf">/tmpfiles.d/0openldap-server.conf</file>
|
||||
<file source="tmpfile-openldap-server.conf">/tmpfiles.d/0openldap-server.conf</file>
|
||||
</service>
|
||||
</services>
|
||||
|
||||
<variables>
|
||||
<family name="annuaire">
|
||||
<family name="server">
|
||||
<variable name='ldap_server_address' redefine="True" hidden="True"/>
|
||||
<variable name='ldap_base_dn' redefine="True" mandatory="True" provider="ldap_dn"/>
|
||||
<variable name='ldap_port' redefine="True" remove_fill="True" hidden="False" provider="ldap_port">
|
||||
<value>636</value>
|
||||
</variable>
|
||||
<variable name='ldap_admin_dn' type='string' description="Administrateur de l'annuaire" mandatory="True" auto_freeze='True'/>
|
||||
<variable name='ldap_admin_password' type="password" description="Mot de passe de l'administrateur de l'annuaire" hidden='True' auto_save='True'/>
|
||||
<family name='ldap_index_attribute' leadership='True' description="Gestion des index des attributes">
|
||||
<variable name='ldap_index_attribute' type='string' description="Attribut à indexer" multi="True">
|
||||
<value>objectClass</value>
|
||||
<value>uid</value>
|
||||
<value>cn</value>
|
||||
<value>sn</value>
|
||||
<!--value>mailLocalAddress</value-->
|
||||
<value>givenName</value>
|
||||
<value>mail</value>
|
||||
<value>entryCSN</value>
|
||||
<value>entryUUID</value>
|
||||
<value>contextCSN</value>
|
||||
</variable>
|
||||
<variable name='ldap_index_indices' type='string' description="Types d'index" multi="True">
|
||||
<value>eq</value>
|
||||
<value>pres</value>
|
||||
</variable>
|
||||
<variable name='openldap_ca_chain' description="CA certificate" hidden='True'/>
|
||||
</family>
|
||||
<variable name='ldap_schemas' type='filename' description='Schémas LDAP additionnel' multi='True'>
|
||||
<value>/etc/openldap/schema/cosine.ldif</value>
|
||||
<value>/etc/openldap/schema/inetorgperson.ldif</value>
|
||||
<value>/etc/openldap/schema/nis.ldif</value>
|
||||
<value>/etc/openldap/schema/misc.ldif</value>
|
||||
</variable>
|
||||
<family name='limits' description='Limites' mode='expert'>
|
||||
<variable name='ldap_loglevel' type='number' description='Niveau de log' mode="expert">
|
||||
<value>0</value>
|
||||
</variable>
|
||||
|
@ -60,8 +37,6 @@
|
|||
<variable name='ldap_timelimit' type='number' description='Temps de réponse maximum à une requête (en secondes)' mode="expert">
|
||||
<value>3600</value>
|
||||
</variable>
|
||||
<variable name='ldapclient_remote_user' redefine="True"/>
|
||||
<variable name='ldapclient_remote_user_password' redefine="True"/>
|
||||
</family>
|
||||
<family name='db_environment' description='DB environment' mode='expert'>
|
||||
<variable name='db_cache_size_g' description="Quantité de Giga-octets à utiliser pour le cache HDB" type="number">
|
||||
|
@ -83,18 +58,26 @@
|
|||
<value>2097152</value>
|
||||
</variable>
|
||||
<variable name='db_log_directory' type='filename' description='Répertoire de conservation des informations de journalisation'>
|
||||
<value>/var/lib/ldap/logs</value>
|
||||
<value>/srv/openldap/log</value>
|
||||
</variable>
|
||||
<variable name='db_lk_max_objects' type='number' description="Numbre d'objet qui peuvent être verrouillés simultanément ">
|
||||
<variable name='db_lk_max_objects' type='number' description="Nombre d'objet qui peuvent être verrouillés simultanément ">
|
||||
<value>5000</value>
|
||||
</variable>
|
||||
<variable name='db_lk_max' type='number' description='Nombre de verrous maximal'>
|
||||
<value>5000</value>
|
||||
</variable>
|
||||
<variable name='db_lk_max_lockers' type='number' description='Nombre de verrouilleur maximal'>
|
||||
<variable name='db_lk_max_lockers' type='number' description='Nombre de verroulleur maximal'>
|
||||
<value>5000</value>
|
||||
</variable>
|
||||
</family>
|
||||
</family>
|
||||
<family name="client">
|
||||
<variable name='ldapclient_user' redefine="True"/>
|
||||
<!--variable name='ldapclient_user_password' redefine="True"/-->
|
||||
<variable name='ldapclient_family' redefine="True" disabled="True"/>
|
||||
<variable name='ldapclient_base_dn' redefine="True" mandatory="True" provider="ldap_dn"/>
|
||||
</family>
|
||||
</family>
|
||||
</variables>
|
||||
<constraints>
|
||||
<!--fill/auto-->
|
||||
|
@ -104,34 +87,13 @@
|
|||
</fill>
|
||||
<fill name='get_default_base_dn'>
|
||||
<param type="variable">domain_name_eth0</param>
|
||||
<target>ldap_base_dn</target>
|
||||
<target>ldapclient_base_dn</target>
|
||||
</fill>
|
||||
<fill name='calc_value'>
|
||||
<param>cn=admin</param>
|
||||
<param type='variable'>ldap_base_dn</param>
|
||||
<param type='variable'>ldapclient_base_dn</param>
|
||||
<param name="join">,</param>
|
||||
<target>ldap_admin_dn</target>
|
||||
</fill>
|
||||
<fill name="get_password">
|
||||
<param name="server_name" type="variable">domain_name_eth0</param>
|
||||
<param name="username">writer</param>
|
||||
<param name="description">LDAP</param>
|
||||
<param name="type">cleartext</param>
|
||||
<param name="temporary" type="boolean">True</param>
|
||||
<target>ldap_admin_password</target>
|
||||
</fill>
|
||||
<fill name="calc_value">
|
||||
<param type="variable">ldap_admin_dn</param>
|
||||
<target>ldapclient_remote_user</target>
|
||||
</fill>
|
||||
<fill name="calc_value">
|
||||
<param type="variable">ldap_admin_password</param>
|
||||
<target>ldapclient_remote_user_password</target>
|
||||
</fill>
|
||||
<fill name="get_chain">
|
||||
<param name="authority_cn" type="variable">domain_name_eth0</param>
|
||||
<param name="authority_name">LDAP</param>
|
||||
<target>openldap_ca_chain</target>
|
||||
<target>ldapclient_user</target>
|
||||
</fill>
|
||||
</constraints>
|
||||
</rougail>
|
||||
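Review bot: The new `client` family leaves `<!--variable name='ldapclient_user_password' redefine="True"/-->` commented out. Since the last hunk removes the `get_password` fill for `ldap_admin_password`, nothing in this dictionary shows where the directory administrator's password now comes from. Either drop the commented element or replace it with a comment naming the dictionary that fills `ldapclient_user_password` for this server. As the page prints the `db_lk_max_lockers` pair, the description also goes from `verrouilleur` to `verroulleur`, which looks like a typo introduced by the change.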
|
|
|
@ -3,14 +3,11 @@
|
|||
<variables>
|
||||
<variable name="remotes" description="Serveurs distant ayant un compte" type="domainname" multi="True" provider="clients"/>
|
||||
<family name="remote_" description="Compte LDAP pour " dynamic="accounts.remotes">
|
||||
<variable name="dn_" description="LDAP DN" hidden="True" provider="dn"/>
|
||||
<variable name="password_" description="Mot de passe" auto_save="True" hidden="True" provider="client_password"/>
|
||||
<variable name="family_" description="Nom de la familly" auto_save="True" hidden="True" provider="client_family"/>
|
||||
<variable name="read_only_" description="Le compte est en lecture seule" type="boolean"/>
|
||||
</family>
|
||||
<family name="acl" description="Gestion des droits d'accès aux attributes" leadership="True">
|
||||
<variable name='ldap_acl_attribute' type="string" description="ACL de l'attribut" multi="True"/>
|
||||
<variable name='ldap_acl_rights' type="string" description="ACL de l'attribut" multi="True"/>
|
||||
<variable name="family_" description="Nom de la familly de " hidden="True" provider="client_family"/>
|
||||
<variable name="dn_" description="LDAP DN de " hidden="True" provider="dn"/>
|
||||
<variable name="password_" description="Mot de passe de " hidden="True" provider="client_password"/>
|
||||
<variable name="base_dn_" description="LDAP base DN de " hidden="True" provider="base_dn"/>
|
||||
<variable name="read_only_" description="Le compte est en lecture seule de " type="boolean"/>
|
||||
</family>
|
||||
<family name="users" description="Gestion des utilisateurs" leadership="True">
|
||||
<variable name='ldap_user_mail' type="mail" description="Adresse courriel du compte" multi="True"/>
|
||||
|
@ -22,38 +19,36 @@
|
|||
</family>
|
||||
<variable name="families" description="Familles" type="unix_user" multi="True"/>
|
||||
<family name="family_" description="Gestion de la famille " dynamic="accounts.families">
|
||||
<family name="users_" description="Gestion des utilisateurs" leadership="True">
|
||||
<variable name='ldap_user_mail_' type="mail" description="Adresse courriel du compte" multi="True"/>
|
||||
<variable name='ldap_user_aliases_' type="mail" description="Aliases du mail" multi="True"/>
|
||||
<variable name='ldap_user_uid_' type="unix_user" description="Nom de compte" mandatory="True"/>
|
||||
<variable name='ldap_user_sn_' type="string" description="Prénom" mandatory="True"/>
|
||||
<variable name='ldap_user_gn_' type="string" description="Nom de famille" mandatory="True"/>
|
||||
<variable name='ldap_user_password_' type="password" description="Mot de passe" mandatory="True" hidden="True"/>
|
||||
<family name="users_" description="Gestion des utilisateurs de la famille " leadership="True">
|
||||
<variable name='ldap_user_mail_' type="mail" description="Adresse courriel du compte de la famille " multi="True"/>
|
||||
<variable name='ldap_user_aliases_' type="mail" description="Aliases du mail de la famille " multi="True"/>
|
||||
<variable name='ldap_user_uid_' type="unix_user" description="Nom de compte de la famille " mandatory="True"/>
|
||||
<variable name='ldap_user_sn_' type="string" description="Prénom de la famille " mandatory="True"/>
|
||||
<variable name='ldap_user_gn_' type="string" description="Nom de famille de la famille " mandatory="True"/>
|
||||
<variable name='ldap_user_password_' type="password" description="Mot de passe de la famille " mandatory="True" hidden="True"/>
|
||||
</family>
|
||||
</family>
|
||||
</variables>
|
||||
<constraints>
|
||||
<fill name="calc_ldapclient_base_dn">
|
||||
<param type="variable">ldapclient_base_dn</param>
|
||||
<param type="variable">accounts.remote_.family_</param>
|
||||
<target>accounts.remote_.base_dn_</target>
|
||||
</fill>
|
||||
<fill name='calc_value'>
|
||||
<param>cn=</param>
|
||||
<param type='suffix'></param>
|
||||
<param>,</param>
|
||||
<param type='variable'>ldap_base_dn</param>
|
||||
<param type='variable'>ldapclient_base_dn</param>
|
||||
<param name="join"></param>
|
||||
<target>accounts.remote_.dn_</target>
|
||||
</fill>
|
||||
<fill name="get_password">
|
||||
<param name="server_name" type="variable">domain_name_eth0</param>
|
||||
<param name="username" type='suffix'/>
|
||||
<param name="description">remote account</param>
|
||||
<param name="type">cleartext</param>
|
||||
<param name="temporary" type="boolean">True</param>
|
||||
<target>accounts.remote_.password_</target>
|
||||
</fill>
|
||||
<fill name="get_password">
|
||||
<param name="server_name" type="variable">domain_name_eth0</param>
|
||||
<param name="username" type='variable'>accounts.users.ldap_user_mail</param>
|
||||
<param name="description">ldap user</param>
|
||||
<param name="type">cleartext</param>
|
||||
<param name="hide" type="variable">hide_secret</param>
|
||||
<param name="temporary" type="boolean">True</param>
|
||||
<target>accounts.users.ldap_user_password</target>
|
||||
</fill>
|
||||
|
@ -62,6 +57,7 @@
|
|||
<param name="username" type='variable'>accounts.family_.users_.ldap_user_mail_</param>
|
||||
<param name="description">ldap family user</param>
|
||||
<param name="type">cleartext</param>
|
||||
<param name="hide" type="variable">hide_secret</param>
|
||||
<param name="temporary" type="boolean">True</param>
|
||||
<target>accounts.family_.users_.ldap_user_password_</target>
|
||||
</fill>
|
||||
|
|
|
@ -1 +1 @@
|
|||
%%ldap_admin_password%slurp
|
||||
%%ldapclient_user_password%slurp
|
||||
|
|
|
@ -100,7 +100,7 @@ olcDatabase: {-1}frontend
|
|||
dn: olcDatabase={0}config,cn=config
|
||||
objectClass: olcDatabaseConfig
|
||||
olcDatabase: {0}config
|
||||
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="%%ldap_admin_dn" write by * none
|
||||
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="%%ldapclient_user" write by * none
|
||||
|
||||
dn: olcDatabase={1}monitor,cn=config
|
||||
objectClass: olcDatabaseConfig
|
||||
|
@ -112,11 +112,17 @@ objectClass: olcDatabaseConfig
|
|||
objectClass: olcMdbConfig
|
||||
olcDatabase: {2}mdb
|
||||
olcDbDirectory: /srv/openldap
|
||||
olcRootDN: %%ldap_admin_dn
|
||||
olcRootPW:: %%ssha_encode(%%ldap_admin_password)
|
||||
olcSuffix: %%ldap_base_dn
|
||||
olcRootDN: %%ldapclient_user
|
||||
olcRootPW:: %%ssha_encode(%%ldapclient_user_password)
|
||||
olcSuffix: %%ldapclient_base_dn
|
||||
olcSizeLimit: %%ldap_sizelimit
|
||||
olcTimeLimit: %%ldap_timelimit
|
||||
%for %%attribute in %%ldap_index_attribute
|
||||
olcDbIndex: %%attribute %echo ','.join(%%attribute.ldap_index_indices)
|
||||
%end for
|
||||
olcDbIndex: objectClass eq,pres
|
||||
olcDbIndex: uid eq,pres
|
||||
olcDbIndex: cn eq,pres
|
||||
olcDbIndex: sn eq,pres
|
||||
olcDbIndex: givenName eq,pres
|
||||
olcDbIndex: mail eq,pres
|
||||
olcDbIndex: entryCSN eq,pres
|
||||
olcDbIndex: entryUUID eq,pres
|
||||
olcDbIndex: contextCSN eq,pres
|
||||
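Review bot: `olcRootDN` and `olcRootPW` are now rendered from `%%ldapclient_user` and `%%ldapclient_user_password`, the same variable names the client templates in this commit use for an ordinary bind account (`BINDDN`/`BINDPW`, `managerDn`, `ldapAgentName`). On the server the dictionary fills `ldapclient_user` with `cn=admin` joined to the base DN, so the rendered DN is still the administrator, but the name no longer signals that this identity is not subject to any `olcAccess` rule. A comment above `olcRootDN` stating that on this host `ldapclient_user` is the directory administrator would keep a later change from pointing it at a client account.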
|
|
|
@ -1,7 +1,9 @@
|
|||
%set %%dns = {}
|
||||
%set %%groups = []
|
||||
%for %%remote in %%accounts.remotes
|
||||
%set %%name = %%normalize_family(%%remote)
|
||||
%set %%family = %%accounts['remote_' + %%name]['family_' + %%name]
|
||||
%%groups.append(%%accounts['remote_' + %%name]['dn_' + %%name])%slurp
|
||||
%%dns.setdefault(%%family, []).append((%%accounts['remote_' + %%name]['dn_' + %%name], %%accounts['remote_' + %%name]['read_only_' + %%name]))%slurp
|
||||
%end for
|
||||
dn: olcDatabase={2}mdb,cn=config
|
||||
|
@ -11,27 +13,27 @@ olcAccess: {0}to attrs=userPassword
|
|||
by self write
|
||||
by anonymous auth
|
||||
by * none
|
||||
%set %%aclidx = 1
|
||||
olcAccess: {1}to dn.subtree="%%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=None, group=True)"
|
||||
%for group in %%groups
|
||||
by dn="%%group" read
|
||||
%end for
|
||||
by * none
|
||||
%set %%aclidx = 2
|
||||
%for %%family, %%remotes in %%dns.items()
|
||||
%if %%family == 'all'
|
||||
olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldap_base_dn, None, accounts=True)"
|
||||
olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=None, base=True)"
|
||||
%else
|
||||
olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldap_base_dn, %%family)"
|
||||
olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldapclient_base_dn, %%family)"
|
||||
%end if
|
||||
by self read
|
||||
%for %%remote in %%remotes
|
||||
by dn="%%remote[0]" %slurp
|
||||
%if %%remote[1]
|
||||
read%slurp
|
||||
read
|
||||
%else
|
||||
write%slurp
|
||||
write
|
||||
%end if
|
||||
%end for
|
||||
%set %%aclidx += 1
|
||||
|
||||
by * none
|
||||
%end for
|
||||
%for %%idx, %%acl in %%enumerate(%%accounts.acl.ldap_acl_attribute)
|
||||
%set %%aclidx += 1
|
||||
olcAccess: {%%aclidx}to %%acl %echo ' '.join(%%acl.ldap_acl_rights)
|
||||
%end for
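Review bot: The new `{1}` rule grants `read` on the whole groups subtree to every DN collected in `%%groups`, and that list is filled in the first hunk with the DN of every entry of `%%accounts.remotes`, whatever its family. A remote that the per-family rules below limit to one family can therefore still read the `member` DNs of all groups, assuming the subtree holds one group per family as the base LDIF template in this commit writes it. Consider emitting one rule per group entry that lists only the remotes of that family, or add a comment above the rule stating that group membership is meant to be readable by all remotes.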
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
%set %%extra_domainnames = []
|
||||
%for %%idx in %%range(1, %%number_of_interfaces)
|
||||
%for %%idx in %%range(%%len(%%zones_list))
|
||||
%%extra_domainnames.append(%%getVar('domain_name_eth' + %%str(%%idx)))
|
||||
%end for
|
||||
%%get_certificate(%%domain_name_eth0, 'LDAP', extra_domainnames=%%extra_domainnames)
|
||||
%%get_certificate(%%domain_name_eth0, 'LDAP', extra_domainnames=%%extra_domainnames, hide=%%hide_secret)
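Review bot: The loop `%for %%idx in %%range(%%len(%%zones_list))` starts at index 0, while the `%%range(1, %%number_of_interfaces)` form shown beside it started at 1, so `domain_name_eth0` is now appended to `%%extra_domainnames` and is also passed as the certificate's main name. Unless `get_certificate` removes duplicates (it is not shown here), the request carries the same name twice. `%for %%idx in %%range(1, %%len(%%zones_list))` keeps the earlier behaviour.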
|
||||
|
|
|
@ -1 +1 @@
|
|||
%%get_private_key(%%domain_name_eth0, 'LDAP')
|
||||
%%get_private_key(cn=%%domain_name_eth0, authority_name='LDAP', hide=%%hide_secret)
|
||||
|
|
|
@ -11,6 +11,6 @@ ExecStart=
|
|||
# remove none tls port
|
||||
ExecStart=+/usr/sbin/slapd -u ldap -h ldaps:///
|
||||
#waiting for ldap server...
|
||||
ExecStartPost=/usr/bin/timeout 90 sh -c 'while ! 3<> /dev/tcp/localhost/%%ldap_port; do sleep 1; done'
|
||||
ExecStartPost=-/usr/bin/ldapmodify -D %%ldap_admin_dn -y /usr/local/lib/secrets/admin_ldap.pwd -v -f /usr/local/lib/secrets/config_acl.ldif
|
||||
ExecStartPost=-/usr/bin/ldapmodify -D %%ldap_admin_dn -y /usr/local/lib/secrets/admin_ldap.pwd -v -f /usr/local/lib/secrets/users_mod.ldif
|
||||
ExecStartPost=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/localhost/%%ldap_port; do sleep 1; done'
|
||||
ExecStartPost=-/usr/bin/ldapmodify -D %%ldapclient_user -y /usr/local/lib/secrets/admin_ldap.pwd -v -f /usr/local/lib/secrets/config_acl.ldif
|
||||
ExecStartPost=-/usr/bin/ldapmodify -D %%ldapclient_user -y /usr/local/lib/secrets/admin_ldap.pwd -v -f /usr/local/lib/secrets/users_mod.ldif
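Review bot: Both `ExecStartPost=-/usr/bin/ldapmodify …` lines keep the `-` prefix, so a failed load of `config_acl.ldif` is ignored and the unit still reaches the started state with whatever access rules were already in `cn=config`. Because the bind DN changes in this commit, a wrong `%%ldapclient_user` or password file would show up only in the journal. I would drop the `-` on the `config_acl.ldif` line once that LDIF can be applied repeatedly, and quote the DN, `-D "%%ldapclient_user"`, so that a DN containing a space is not split into several arguments. The unit file starts before this hunk.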
|
||||
|
|
|
@ -1,2 +1,3 @@
|
|||
d /srv/openldap 700 ldap ldap - -
|
||||
d %%db_log_directory 700 ldap ldap - -
|
||||
d /etc/openldap/slapd.d 750 ldap ldap - -
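Review bot: `d /etc/openldap/slapd.d 750 ldap ldap - -` leaves the configuration directory open to the `ldap` group, while the two data directories in this file use `700`. That directory presumably holds the `cn=config` tree, which includes the `olcRootPW` hash written by the slapd configuration template in this commit. I would use the same mode as the other entries: `d /etc/openldap/slapd.d 700 ldap ldap - -`.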
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
# BaseDN
|
||||
dn: %%ldap_base_dn
|
||||
%set %%attribute, %%organization = %%ldap_base_dn.split(',', 1)[0].split('=')
|
||||
%set groups = {}
|
||||
dn: %%ldapclient_base_dn
|
||||
%set %%attribute, %%organization = %%ldapclient_base_dn.split(',', 1)[0].split('=')
|
||||
%%attribute: %%organization
|
||||
objectClass: top
|
||||
%if %%attribute == 'o'
|
||||
|
@ -22,21 +23,22 @@ objectClass: inetOrgPerson
|
|||
|
||||
%end for
|
||||
# Accounts
|
||||
%set %%users = %%calc_ldapclient_base_dn(%%ldap_base_dn, '')
|
||||
dn: %%calc_ldapclient_base_dn(%%ldap_base_dn, None, accounts=True)
|
||||
dn: %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=None, base=True)
|
||||
ou: accounts
|
||||
objectClass: top
|
||||
objectClass: organizationalUnit
|
||||
|
||||
## Users
|
||||
%set %%users = %%calc_ldapclient_base_dn(%%ldap_base_dn, '')
|
||||
## Accounts users
|
||||
%set %%users = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=None)
|
||||
dn: %%users
|
||||
ou: users
|
||||
objectClass: top
|
||||
objectClass: organizationalUnit
|
||||
|
||||
%for %%user in %%accounts.users.ldap_user_mail
|
||||
dn: cn=%%user,%%users
|
||||
%set %%userdn = "cn=" + %%user + "," + %%users
|
||||
%%groups.setdefault('users', []).append(%%userdn)
|
||||
dn: %%userdn
|
||||
cn: %%user
|
||||
mail: %%user
|
||||
sn: %%user.ldap_user_sn
|
||||
|
@ -59,20 +61,22 @@ objectClass: inetLocalMailRecipient
|
|||
|
||||
%end for
|
||||
## Families
|
||||
dn: %%calc_ldapclient_base_dn(%%ldap_base_dn, '-')
|
||||
dn: %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name='-')
|
||||
ou: families
|
||||
objectClass: top
|
||||
objectClass: organizationalUnit
|
||||
|
||||
%for %%family in %%accounts.families
|
||||
%set %%families = %%calc_ldapclient_base_dn(%%ldap_base_dn, %%family)
|
||||
%set %%families = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=%%family)
|
||||
dn: %%families
|
||||
ou: %%family
|
||||
objectClass: top
|
||||
objectClass: organizationalUnit
|
||||
|
||||
%for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
|
||||
dn: cn=%%user,%%families
|
||||
%set %%userdn = "cn=" + %%user + "," + %%families
|
||||
%%groups.setdefault(%%family, []).append(%%userdn)
|
||||
dn: %%userdn
|
||||
cn: %%user
|
||||
mail: %%user
|
||||
sn: %%user['ldap_user_sn_' + %%family]
|
||||
|
@ -95,3 +99,20 @@ objectClass: inetLocalMailRecipient
|
|||
|
||||
%end for
|
||||
%end for
|
||||
## Groups
|
||||
%set %%groupdn = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=None, group=True)
|
||||
dn: %%groupdn
|
||||
ou: groups
|
||||
objectClass: top
|
||||
objectClass: organizationalUnit
|
||||
|
||||
%for %%group, %%members in %%groups.items()
|
||||
dn: cn=%%group,%%groupdn
|
||||
cn: %%group
|
||||
objectclass: top
|
||||
objectclass: groupOfNames
|
||||
%for %%member in %%members
|
||||
member: %%member
|
||||
%end for
|
||||
|
||||
%end for
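Review bot: `%%groups.setdefault('users', [])` and `%%groups.setdefault(%%family, [])` fill the same dictionary, so a family named `users` would have its members merged into the global `cn=users` group written by the loop at the end of the file. Nothing on this page shows that family names are checked against that literal. Keeping the global accounts in their own list (for example `%set %%global_users = []`) and emitting that group separately avoids the collision; otherwise a comment next to `%set groups = {}` should state that `users` is a reserved family name. The user loops start outside the hunks shown.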
|
||||
|
|
|
@ -8,7 +8,7 @@ userPassword:: %%ssha_encode(%%accounts['remote_' + %%name]['password_' + %%name
|
|||
|
||||
%end for
|
||||
# Users
|
||||
%set %%users = %%calc_ldapclient_base_dn(%%ldap_base_dn, '')
|
||||
%set %%users = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, '')
|
||||
%for %%user in %%accounts.users.ldap_user_mail
|
||||
dn: cn=%%user,%%users
|
||||
changetype: modify
|
||||
|
@ -26,7 +26,7 @@ mailLocalAddress: %%alias
|
|||
%end for
|
||||
# Families
|
||||
%for %%family in %%accounts.families
|
||||
%set %%families = %%calc_ldapclient_base_dn(%%ldap_base_dn, %%family)
|
||||
%set %%families = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, %%family)
|
||||
%for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
|
||||
dn: cn=%%user,%%families
|
||||
changetype: modify
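Review bot: `%set %%users = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, '')` still passes the empty string, while the base LDIF template in this commit now builds the users OU with `family_name=None`. `calc_ldapclient_base_dn` is not shown, so I cannot tell whether both calls still return the same DN; if they do not, the `changetype: modify` records here target entries that were never created. Using the same call in both templates, `%%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=None)`, removes the doubt. Both loops continue past the end of their hunks.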
|
||||
|
|
|
@ -36,8 +36,10 @@
|
|||
<variable name="oauth2_client_logo" redefine='True'>
|
||||
<value>silique_video.png</value>
|
||||
</variable>
|
||||
<family name="external">
|
||||
<variable name="oauth2_client_external" redefine="True" remove_fill="True"/>
|
||||
</family>
|
||||
</family>
|
||||
<family name="nginx">
|
||||
<family name="revprox_client">
|
||||
<variable name="revprox_client_location" redefine="True">
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
</services>
|
||||
<variables>
|
||||
<variable name="piwigo_admin_email" type="mail" description="Adresse courriel de l'administrateur Piwigo" mandatory="True"/>
|
||||
<variable name="piwigo_admin_password" type="password" auto_save="True" hidden="True"/>
|
||||
<variable name="piwigo_admin_password" type="password" auto_save="False" hidden="True"/>
|
||||
<family name="nginx">
|
||||
<variable name="nginx_root_directory" mandatory="True" redefine="True">
|
||||
<value>/usr/local/share/piwigo</value>
|
||||
|
@ -48,6 +48,7 @@
|
|||
<param name="username">admin_password</param>
|
||||
<param name="description">piwigo</param>
|
||||
<param name="type">cleartext</param>
|
||||
<param name="hide" type="variable">hide_secret</param>
|
||||
<target>piwigo_admin_password</target>
|
||||
</fill>
|
||||
<fill name="get_locations">
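Review bot: `piwigo_admin_password` is switched to `auto_save="False"` without a comment explaining why the computed secret is no longer stored, and the same switch is made for `local_authentification_password_` in the postfix dictionary and for `password` in the redis dictionary. With saving off, the value is presumably whatever the `get_password` fill returns at each evaluation, so the change is only safe if that function returns a stable secret for a given `username` and `description`; it is not visible on this page. Once that is confirmed, I would add a short comment above each variable, for example `<!-- not saved: the value is always fetched through get_password -->`.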
|
||||
|
|
|
@ -36,8 +36,10 @@
|
|||
<variable name="oauth2_client_logo" redefine='True'>
|
||||
<value>silique_video.png</value>
|
||||
</variable>
|
||||
<family name="external">
|
||||
<variable name="oauth2_client_external" redefine="True" remove_fill="True"/>
|
||||
</family>
|
||||
</family>
|
||||
<family name="nginx" description="Reverse proxy">
|
||||
<family name="revprox_client" description="Point d'entré des clients" leadership="True">
|
||||
<variable name="revprox_client_location" redefine="True">
|
||||
|
|
|
@ -32,16 +32,18 @@
|
|||
</service>
|
||||
</services>
|
||||
<variables>
|
||||
<family name="network">
|
||||
<variable name="external_ports" redefine="True">
|
||||
<value>25</value>
|
||||
</variable>
|
||||
</family>
|
||||
<family name="postfix" description="Postfix mail server">
|
||||
<variable name="postfix_mail_hostname" type="domainname" description="Nom de domaine extérieur du serveur de courriel" mandatory="True"/>
|
||||
<variable name="postfix_relay_domains" type="domainname" description="Domaine de courriel généré localement" multi="True" mandatory="True" hidden="True"/>
|
||||
<variable name='postfix_relay_authentifications' description="CA certificate" hidden='True' multi="True" provider="mail"/>
|
||||
<family name="local_authentification_" description="Local server authentification" dynamic='postfix_relay_authentifications'>
|
||||
<variable name="local_authentification_ip_" type="ip" provider="mail_ip"/>
|
||||
<variable name="local_authentification_password_" type="secret" auto_save="True" provider="mail_password"/>
|
||||
<variable name="local_authentification_password_" type="secret" auto_save="False" provider="mail_password"/>
|
||||
</family>
|
||||
<variable name='postfix_pem_files' type="filename" hidden='True' multi='True'/>
|
||||
</family>
|
||||
|
@ -63,6 +65,7 @@
|
|||
<param name="username" type="suffix"/>
|
||||
<param name="description">local authentification</param>
|
||||
<param name="type">cleartext</param>
|
||||
<param name="hide" type="variable">hide_secret</param>
|
||||
<target>local_authentification_password_</target>
|
||||
</fill>
|
||||
<fill name="calc_value">
|
||||
|
|
|
@ -1 +1 @@
|
|||
%%get_chain(authority_cn=%%domain_name_eth0, authority_name="MailServer")
|
||||
%%get_chain(authority_cn=%%domain_name_eth0, authority_name="MailServer", hide=%%hide_secret)
|
||||
|
|
|
@ -1 +1 @@
|
|||
%%get_certificate(%%domain_name_eth0, 'MailServer')
|
||||
%%get_certificate(%%domain_name_eth0, 'MailServer', hide=%%hide_secret)
|
||||
|
|
|
@ -1 +1 @@
|
|||
%%get_private_key(%%domain_name_eth0, 'MailServer')
|
||||
%%get_private_key(cn=%%domain_name_eth0, authority_name='MailServer', hide=%%hide_secret)
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
%for %%idx in %%range(0, %%number_of_interfaces)
|
||||
%for %%idx in %%range(%%len(%%zones_list))
|
||||
%set %%domain = %%getVar('domain_name_eth' + %%str(%%idx))
|
||||
%%domain /etc/postfix/certs/%%{domain}.pem
|
||||
%end for
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
%set %%chain = %%get_chain(authority_cn=%%rougail_variable, authority_name="MailRelay")
|
||||
%set %%cert = %%get_certificate(%%rougail_variable, 'MailRelay')
|
||||
%%get_private_key(%%rougail_variable, 'MailRelay')
|
||||
%set %%chain = %%get_chain(authority_cn=%%rougail_variable, authority_name="MailRelay", hide=%%hide_secret)
|
||||
%set %%cert = %%get_certificate(cn=%%rougail_variable, authority_name='MailRelay', hide=%%hide_secret)
|
||||
%%get_private_key(cn=%%rougail_variable, authority_name='MailRelay', hide=%%hide_secret)
|
||||
%%cert
|
||||
|
|
|
@ -1,2 +1,2 @@
|
|||
%%get_chain(authority_cn=%%pg_client_server_domainname, authority_name="PostgreSQL")
|
||||
%%get_chain(authority_cn=%%pg_client_server_domainname, authority_name="PostgreSQL", hide=%%hide_secret)
|
||||
|
||||
|
|
|
@ -1 +1 @@
|
|||
%%get_certificate(cn=%%domain_name_eth0, authority_cn=%%pg_client_server_domainname, authority_name='PostgreSQL', type="client")
|
||||
%%get_certificate(cn=%%domain_name_eth0, authority_cn=%%pg_client_server_domainname, authority_name='PostgreSQL', type="client", hide=%%hide_secret)
|
||||
|
|
|
@ -1 +1 @@
|
|||
%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%pg_client_server_domainname, authority_name='PostgreSQL', type="client")
|
||||
%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%pg_client_server_domainname, authority_name='PostgreSQL', type="client", hide=%%hide_secret)
|
||||
|
|
|
@ -5,5 +5,5 @@ Before=network.target
|
|||
[Service]
|
||||
Type=oneshot
|
||||
Environment=PGPASSFILE=/usr/local/lib/secrets/postgresql.pass
|
||||
ExecStart=/usr/bin/timeout 90 sh -c 'while ! 3<> /dev/tcp/%%pg_client_server_domainname/5432; do sleep 1; done; echo "POSTGRESQL STARTED"'
|
||||
ExecStart=/usr/bin/timeout 90 sh -c 'while ! /usr/bin/psql --set=sslmode=verify-full -h %%pg_client_server_domainname -U %%pg_client_username %%pg_client_database -c "\l"; do sleep 1; done; echo "POSTGRESQL READY"'
|
||||
ExecStart=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/%%pg_client_server_domainname/5432; do sleep 1; done; echo "POSTGRESQL STARTED"'
|
||||
ExecStart=/usr/bin/timeout 90 bash -c 'while ! /usr/bin/psql --set=sslmode=verify-full -h %%pg_client_server_domainname -U %%pg_client_username %%pg_client_database -c "\l"; do sleep 1; done; echo "POSTGRESQL READY"'
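Review bot: `psql --set=sslmode=verify-full` in the second `ExecStart` only assigns a psql variable named `sslmode`; it does not set the libpq connection parameter, so the probe connects with the default SSL mode and the password from `PGPASSFILE` can be sent without the server certificate being verified. Set the mode through the environment instead, `Environment=PGSSLMODE=verify-full`, next to the existing `Environment=PGPASSFILE=…` line, or pass a connection string that contains `sslmode=verify-full`. If the CA file is not in libpq's default location, `PGSSLROOTCERT` has to point at it as well. The unit file starts before this hunk.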
|
||||
|
|
|
@ -1 +1 @@
|
|||
%%get_chain(authority_cn=%%domain_name_eth0, authority_name="PostgreSQL")
|
||||
%%get_chain(authority_cn=%%domain_name_eth0, authority_name="PostgreSQL", hide=%%hide_secret)
|
||||
|
|
|
@ -1 +1 @@
|
|||
%%get_certificate(%%domain_name_eth0, 'PostgreSQL')
|
||||
%%get_certificate(%%domain_name_eth0, 'PostgreSQL', hide=%%hide_secret)
|
||||
|
|
|
@ -1 +1 @@
|
|||
%%get_private_key(%%domain_name_eth0, 'PostgreSQL')
|
||||
%%get_private_key(cn=%%domain_name_eth0, authority_name='PostgreSQL', hide=%%hide_secret)
|
||||
|
|
|
@ -0,0 +1,7 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<rougail version="0.10">
|
||||
<variables>
|
||||
<variable name="host" type="domainname" description="Machine où est démarré le conteneur" mandatory="True"/>
|
||||
</variables>
|
||||
</rougail>
|
||||
|
|
@ -9,26 +9,28 @@
|
|||
</service>
|
||||
</services>
|
||||
<variables>
|
||||
<variable name="link_configurations" redefine="True" disabled="True"/>
|
||||
<variable name="container_srv_path" type="filename" description="Nom du répertoire racine des données">
|
||||
<value>/var/lib/risotto/srv</value>
|
||||
</variable>
|
||||
<variable name="srv_dir" description='Nom du répertoire des données' type="filename" hidden="True"/>
|
||||
<variable name="container_config_path" type="filename" description="Nom du répertoire racine des configurations">
|
||||
<value>/var/lib/risotto/configurations</value>
|
||||
</variable>
|
||||
<variable name="config_dir" description='Nom du répertoire des configurations' type="filename" hidden="True" mandatory="True"/>
|
||||
<variable name="container_journal_path" type="filename" description="Nom du répertoire racine des journaux">
|
||||
<value>/var/lib/risotto/journals</value>
|
||||
</variable>
|
||||
<variable name="host" type="domainname" description="Machine où est démarrer le conteneur" mandatory="True"/>
|
||||
<variable name="external_ports" type="port" description="Port exposé depuis l'extérieur" multi="True"/>
|
||||
<variable name="srv_dir" type="filename" hidden="True"/>
|
||||
<variable name="journal_dir" type="filename" hidden="True" mandatory="True"/>
|
||||
<variable name="config_dir" type="filename" hidden="True" mandatory="True"/>
|
||||
<variable name="journal_dir" description='Nom du répertoire des journaux' type="filename" hidden="True" mandatory="True"/>
|
||||
<variable name="use_systemd_repart" redefine="True">
|
||||
<value>False</value>
|
||||
</variable>
|
||||
<family name="network">
|
||||
<variable name="external_ports" type="port" description="Ports exposés depuis l'extérieur" multi="True"/>
|
||||
<variable name="netwokd_interface_name_type" redefine="True">
|
||||
<value>host</value>
|
||||
</variable>
|
||||
</family>
|
||||
</variables>
|
||||
<constraints>
|
||||
<condition name="disabled_if_in" source="machine.add_srv">
|
|
@ -0,0 +1,13 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<rougail version="0.10">
|
||||
<variables>
|
||||
<variable name="var_size" disabled="True" redefine="True"/>
|
||||
<variable name="srv_size" disabled="True" redefine="True"/>
|
||||
<variable name='data_disk_size' disabled="True" redefine="True"/>
|
||||
<variable name="add_tmp" disabled="True" redefine="True"/>
|
||||
<variable name="var_tmp_size" disabled="True" redefine="True"/>
|
||||
<variable name="add_swap" disabled="True" redefine="True"/>
|
||||
<variable name="swap_size" disabled="True" redefine="True"/>
|
||||
</variables>
|
||||
</rougail>
|
||||
|
|
@ -1 +1 @@
|
|||
%%get_chain(authority_cn=%%redis_client_server_domainname, authority_name="Redis")
|
||||
%%get_chain(authority_cn=%%redis_client_server_domainname, authority_name="Redis", hide=%%hide_secret)
|
||||
|
|
|
@ -1 +1 @@
|
|||
%%get_certificate(cn=%%domain_name_eth0, authority_cn=%%redis_client_server_domainname, authority_name='Redis', type="client")
|
||||
%%get_certificate(cn=%%domain_name_eth0, authority_cn=%%redis_client_server_domainname, authority_name='Redis', type="client", hide=%%hide_secret)
|
||||
|
|
|
@ -1 +1 @@
|
|||
%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%redis_client_server_domainname, authority_name='Redis', type="client")
|
||||
%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%redis_client_server_domainname, authority_name='Redis', type="client", hide=%%hide_secret)
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
%set %%ca_chain = %%get_chain(authority_cn=%%redis_client_server_domainname, authority_name="Redis")
|
||||
%set %%cert = %%get_certificate(cn=%%domain_name_eth0, authority_cn=%%redis_client_server_domainname, authority_name='Redis', type="client")
|
||||
%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%redis_client_server_domainname, authority_name='Redis', type="client")
|
||||
%set %%ca_chain = %%get_chain(authority_cn=%%redis_client_server_domainname, authority_name="Redis", hide=%%hide_secret)
|
||||
%set %%cert = %%get_certificate(cn=%%domain_name_eth0, authority_cn=%%redis_client_server_domainname, authority_name='Redis', type="client", hide=%%hide_secret)
|
||||
%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%redis_client_server_domainname, authority_name='Redis', type="client", hide=%%hide_secret)
|
||||
%%cert
|
||||
%%ca_chain
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
<variables>
|
||||
<variable name="remote" description="Remote client needing an account" type="domainname" provider="redis_client" mandatory="True"/>
|
||||
<variable name="remote_ip" description="Remote IP" type="ip" provider="redis_client_ip" mandatory="True"/>
|
||||
<variable name="password" auto_save="True" hidden="True" type="password" mandatory="True" provider="redis_client_password"/>
|
||||
<variable name="password" auto_save="False" hidden="True" type="password" mandatory="True" provider="redis_client_password"/>
|
||||
</variables>
|
||||
<constraints>
|
||||
<fill name="get_password">
|
||||
|
@ -11,6 +11,7 @@
|
|||
<param name="username" type="variable">account.remote</param>
|
||||
<param name="description">redis</param>
|
||||
<param name="type">cleartext</param>
|
||||
<param name="hide" type="variable">hide_secret</param>
|
||||
<target>account.password</target>
|
||||
</fill>
|
||||
</constraints>
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show more