forked from stove/dataset
dovecot
This commit is contained in:
Emmanuel Garette
parent
da3e4d487d
commit
5ccb69012b
60 changed files with 384 additions and 299 deletions
|
|
@ -2,6 +2,7 @@
|
||||||
<rougail version="0.10">
|
<rougail version="0.10">
|
||||||
<services>
|
<services>
|
||||||
<service name="httpd" target="multi-user">
|
<service name="httpd" target="multi-user">
|
||||||
|
<file>/etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt</file>
|
||||||
<file>/etc/httpd/conf/httpd.conf</file>
|
<file>/etc/httpd/conf/httpd.conf</file>
|
||||||
<file>/etc/httpd/conf.d/risotto.conf</file>
|
<file>/etc/httpd/conf.d/risotto.conf</file>
|
||||||
<file>/etc/httpd/conf.d/ssl.conf</file>
|
<file>/etc/httpd/conf.d/ssl.conf</file>
|
||||||
|
|
@ -13,9 +14,11 @@
|
||||||
</service>
|
</service>
|
||||||
</services>
|
</services>
|
||||||
<variables>
|
<variables>
|
||||||
<variable name="php_fpm_user" redefine="True" exists="True">
|
<family name="nginx">
|
||||||
<value>apache</value>
|
<variable name="php_fpm_user" redefine="True" exists="True">
|
||||||
</variable>
|
<value>apache</value>
|
||||||
|
</variable>
|
||||||
|
</family>
|
||||||
<family name="apache" description="Apache" help="Paramètrage avancé du serveur web Apache">
|
<family name="apache" description="Apache" help="Paramètrage avancé du serveur web Apache">
|
||||||
<variable name="apache_timeout" type="number" description="Temps en secondes pendant lequel le serveur va attendre des entrées/sorties avant de considérer qu'une requête a échoué">
|
<variable name="apache_timeout" type="number" description="Temps en secondes pendant lequel le serveur va attendre des entrées/sorties avant de considérer qu'une requête a échoué">
|
||||||
<value>300</value>
|
<value>300</value>
|
||||||
|
|
|
||||||
|
|
@ -1,4 +1,4 @@
|
||||||
#!/bin/bash -xe
|
#!/bin/bash -e
|
||||||
|
|
||||||
HOST_NAME=$1
|
HOST_NAME=$1
|
||||||
if [ -z "$HOST_NAME" ]; then
|
if [ -z "$HOST_NAME" ]; then
|
||||||
|
|
@ -24,4 +24,6 @@ systemctl restart systemd-resolved
|
||||||
#nft 'add rule nat postrouting ip saddr 192.168.45.10 oif enp0s8 tcp dport 53 snat to 10.0.3.15'
|
#nft 'add rule nat postrouting ip saddr 192.168.45.10 oif enp0s8 tcp dport 53 snat to 10.0.3.15'
|
||||||
#nft 'add rule nat postrouting ip saddr 192.168.45.10 oif enp0s8 udp dport 53 snat to 10.0.3.15'
|
#nft 'add rule nat postrouting ip saddr 192.168.45.10 oif enp0s8 udp dport 53 snat to 10.0.3.15'
|
||||||
|
|
||||||
|
echo "install host OK"
|
||||||
|
|
||||||
exit 0
|
exit 0
|
||||||
|
|
|
||||||
|
|
@ -1,4 +1,4 @@
|
||||||
#!/bin/bash -xe
|
#!/bin/bash -e
|
||||||
|
|
||||||
HOST_NAME=$1
|
HOST_NAME=$1
|
||||||
IMAGE_NAME=$2
|
IMAGE_NAME=$2
|
||||||
|
|
@ -14,7 +14,7 @@ rm -rf "$IMAGE_NAME_RISOTTO_IMAGE_DIR" tmp
|
||||||
mkdir -p "$RISOTTO_IMAGE_DIR"
|
mkdir -p "$RISOTTO_IMAGE_DIR"
|
||||||
PKG=""
|
PKG=""
|
||||||
BASE_DIR=""
|
BASE_DIR=""
|
||||||
for script in $(ls $IMAGE_NAME/preinstall/*.sh 2> /dev/null); do
|
for script in $(ls $IMAGE_NAME/manual/preinstall/*.sh 2> /dev/null); do
|
||||||
. "$script"
|
. "$script"
|
||||||
done
|
done
|
||||||
|
|
||||||
|
|
@ -46,7 +46,7 @@ function new_package_base() {
|
||||||
OPT=$(dnf_opt "$BASE_DIR" "$BASE_PKG")
|
OPT=$(dnf_opt "$BASE_DIR" "$BASE_PKG")
|
||||||
dnf --assumeno $OPT | grep ^" " > "$BASE_PKGS_FILE".new
|
dnf --assumeno $OPT | grep ^" " > "$BASE_PKGS_FILE".new
|
||||||
else
|
else
|
||||||
debootstrap --include="$BASE_PKG" --variant=minbase "$RELEASEVER" "$BASE_DIR"
|
debootstrap --include="$BASE_PKG" --variant=minbase "$RELEASEVER" "$BASE_DIR" > /dev/null
|
||||||
chroot "$BASE_DIR" dpkg-query -f '${binary:Package} ${source:Version}\n' -W > "$BASE_PKGS_FILE".new
|
chroot "$BASE_DIR" dpkg-query -f '${binary:Package} ${source:Version}\n' -W > "$BASE_PKGS_FILE".new
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
@ -75,6 +75,7 @@ function install_pkg() {
|
||||||
|
|
||||||
|
|
||||||
if [ ! -f "$BASE_LOCK" ]; then
|
if [ ! -f "$BASE_LOCK" ]; then
|
||||||
|
echo " - reinstallation de l'image de base"
|
||||||
rm -rf "$BASE_DIR"
|
rm -rf "$BASE_DIR"
|
||||||
new_package_base
|
new_package_base
|
||||||
diff -u "$BASE_PKGS_FILE" "$BASE_PKGS_FILE".new && NEW_BASE=false || NEW_BASE=true
|
diff -u "$BASE_PKGS_FILE" "$BASE_PKGS_FILE".new && NEW_BASE=false || NEW_BASE=true
|
||||||
|
|
@ -83,7 +84,7 @@ if [ ! -f "$BASE_LOCK" ]; then
|
||||||
install_base
|
install_base
|
||||||
cd "$IMAGE_BASE_RISOTTO_BASE_DIR"
|
cd "$IMAGE_BASE_RISOTTO_BASE_DIR"
|
||||||
tar cf "$BASE_TAR" "$BASE_NAME"
|
tar cf "$BASE_TAR" "$BASE_NAME"
|
||||||
cd -
|
cd - > /dev/null
|
||||||
if [ -f "$BASE_PKGS_FILE" ]; then
|
if [ -f "$BASE_PKGS_FILE" ]; then
|
||||||
mv "$BASE_PKGS_FILE" "$BASE_PKGS_FILE".old
|
mv "$BASE_PKGS_FILE" "$BASE_PKGS_FILE".old
|
||||||
fi
|
fi
|
||||||
|
|
@ -100,8 +101,8 @@ if [ -n "$COPR" ]; then
|
||||||
#FIXME signature...
|
#FIXME signature...
|
||||||
mkdir -p "$REPO_DIR"
|
mkdir -p "$REPO_DIR"
|
||||||
cd "$REPO_DIR"
|
cd "$REPO_DIR"
|
||||||
wget "$COPR"
|
wget -q "$COPR"
|
||||||
cd -
|
cd - > /dev/null
|
||||||
fi
|
fi
|
||||||
if [ "$FUSION" = true ]; then
|
if [ "$FUSION" = true ]; then
|
||||||
dnf -y install "https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$RELEASEVER.noarch.rpm" --installroot="$IMAGE_NAME_RISOTTO_IMAGE_DIR"
|
dnf -y install "https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$RELEASEVER.noarch.rpm" --installroot="$IMAGE_NAME_RISOTTO_IMAGE_DIR"
|
||||||
|
|
@ -109,19 +110,24 @@ fi
|
||||||
|
|
||||||
# FIXME verifier s'il y a des modifs sur pre/post
|
# FIXME verifier s'il y a des modifs sur pre/post
|
||||||
if [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs ] && [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs ]; then
|
if [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs ] && [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs ]; then
|
||||||
echo "Différence(s) avec les paquets de base"
|
echo " - différence(s) avec les paquets de base"
|
||||||
diff -u "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs "$BASE_PKGS_FILE" && NEW_BASE=false || NEW_BASE=true
|
diff -u "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs "$BASE_PKGS_FILE" && NEW_BASE=false || NEW_BASE=true
|
||||||
else
|
else
|
||||||
NEW_BASE=true
|
NEW_BASE=true
|
||||||
fi
|
fi
|
||||||
new_package
|
new_package
|
||||||
if [ "$NEW_BASE" = false ]; then
|
if [ "$NEW_BASE" = false ]; then
|
||||||
echo "Différence(s) avec les paquets de l'image"
|
echo " - différence(s) avec les paquets de l'image"
|
||||||
diff -u "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new && INSTALL=false || INSTALL=true
|
diff -u "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new && INSTALL=false || INSTALL=true
|
||||||
else
|
else
|
||||||
INSTALL=true
|
INSTALL=true
|
||||||
fi
|
fi
|
||||||
|
find $IMAGE_NAME/manual -type f -exec md5sum '{}' \; > "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum.new
|
||||||
|
if [ "$NEW_BASE" = false ]; then
|
||||||
|
diff -u "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum.new && INSTALL=false || INSTALL=true
|
||||||
|
fi
|
||||||
if [ "$INSTALL" = true ]; then
|
if [ "$INSTALL" = true ]; then
|
||||||
|
echo " - installation"
|
||||||
if [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version ]; then
|
if [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version ]; then
|
||||||
VERSION=$(cat "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version)
|
VERSION=$(cat "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version)
|
||||||
else
|
else
|
||||||
|
|
@ -145,7 +151,7 @@ if [ "$INSTALL" = true ]; then
|
||||||
install_pkg
|
install_pkg
|
||||||
sleep 2
|
sleep 2
|
||||||
|
|
||||||
for script in $(ls $IMAGE_NAME/postinstall/*.sh 2> /dev/null); do
|
for script in $(ls $IMAGE_NAME/manual/postinstall/*.sh 2> /dev/null); do
|
||||||
. "$script"
|
. "$script"
|
||||||
done
|
done
|
||||||
|
|
||||||
|
|
@ -161,11 +167,13 @@ if [ "$INSTALL" = true ]; then
|
||||||
fi
|
fi
|
||||||
tar cf "$IMAGE_NAME_RISOTTO_IMAGE_NAME" "$IMAGE_NAME"
|
tar cf "$IMAGE_NAME_RISOTTO_IMAGE_NAME" "$IMAGE_NAME"
|
||||||
sha256sum "$IMAGE_NAME_RISOTTO_IMAGE_NAME" > "$IMAGE_NAME_RISOTTO_IMAGE_NAME".sha
|
sha256sum "$IMAGE_NAME_RISOTTO_IMAGE_NAME" > "$IMAGE_NAME_RISOTTO_IMAGE_NAME".sha
|
||||||
cd -
|
cd - > /dev/null
|
||||||
cp -f "$BASE_PKGS_FILE" "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs
|
cp -f "$BASE_PKGS_FILE" "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs
|
||||||
mv -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs
|
mv -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs
|
||||||
|
mv -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum.new "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum
|
||||||
VERSION=$((VERSION + 1))
|
VERSION=$((VERSION + 1))
|
||||||
echo "$VERSION" > "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version
|
echo "$VERSION" > "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version
|
||||||
fi
|
fi
|
||||||
rm -rf "$IMAGE_NAME_RISOTTO_IMAGE_DIR"
|
rm -rf "$IMAGE_NAME_RISOTTO_IMAGE_DIR"
|
||||||
|
echo " => OK"
|
||||||
exit 0
|
exit 0
|
||||||
|
|
|
||||||
|
|
@ -1,4 +1,4 @@
|
||||||
#!/bin/bash -xe
|
#!/bin/bash -e
|
||||||
HOST_NAME=$1
|
HOST_NAME=$1
|
||||||
if [ -z "$HOST_NAME" ]; then
|
if [ -z "$HOST_NAME" ]; then
|
||||||
echo "usage: $0 host name"
|
echo "usage: $0 host name"
|
||||||
|
|
@ -8,6 +8,8 @@ fi
|
||||||
rm -f $IMAGE_BASE_RISOTTO_BASE_DIR*.build
|
rm -f $IMAGE_BASE_RISOTTO_BASE_DIR*.build
|
||||||
for image in *; do
|
for image in *; do
|
||||||
if [ -d "$image" ]; then
|
if [ -d "$image" ]; then
|
||||||
|
echo
|
||||||
|
echo "Install image $image"
|
||||||
./install_image "$HOST_NAME" "$image"
|
./install_image "$HOST_NAME" "$image"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
|
||||||
|
|
@ -1,4 +1,4 @@
|
||||||
#!/bin/bash -xe
|
#!/bin/bash -e
|
||||||
HOST_NAME=$1
|
HOST_NAME=$1
|
||||||
IMAGE_NAME=$2
|
IMAGE_NAME=$2
|
||||||
MACHINE=$3
|
MACHINE=$3
|
||||||
|
|
@ -26,19 +26,19 @@ if [ -L "$MACHINE_MACHINES_DIR" ] || [ -d "$MACHINE_MACHINES_DIR" ]; then
|
||||||
diff -q --no-dereference -Nru "$MACHINE_RISOTTO_CONFIG_DIR" "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" || NEW_CONF=true
|
diff -q --no-dereference -Nru "$MACHINE_RISOTTO_CONFIG_DIR" "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" || NEW_CONF=true
|
||||||
fi
|
fi
|
||||||
if [ "$NEW_IMAGE" = true ] || [ "$NEW_CONF" = true ]; then
|
if [ "$NEW_IMAGE" = true ] || [ "$NEW_CONF" = true ]; then
|
||||||
|
echo " - stop $IMAGE_NAME"
|
||||||
machinectl stop "$MACHINE" 2> /dev/null || true
|
machinectl stop "$MACHINE" 2> /dev/null || true
|
||||||
while true; do
|
while true; do
|
||||||
machinectl status "$MACHINE" > /dev/null 2>&1 || break
|
machinectl status "$MACHINE" > /dev/null 2>&1 || break
|
||||||
sleep 1
|
sleep 1
|
||||||
echo "retry..."
|
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
if [ "$NEW_IMAGE" = true ]; then
|
if [ "$NEW_IMAGE" = true ]; then
|
||||||
echo "SUPPRIME ANCIENNE IMAGE"
|
echo " - delete old image"
|
||||||
rm -rf "$MACHINE_MACHINES_DIR"
|
rm -rf "$MACHINE_MACHINES_DIR"
|
||||||
fi
|
fi
|
||||||
if [ "$NEW_CONF" = true ]; then
|
if [ "$NEW_CONF" = true ]; then
|
||||||
echo "SUPPRIME ANCIENNE CONF"
|
echo " - delete old settings"
|
||||||
./diff.py "$MACHINE" "$MACHINE_RISOTTO_CONFIG_DIR" "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" > "$MACHINE_RISOTTO_CONFIG_DIR"_changelog.md
|
./diff.py "$MACHINE" "$MACHINE_RISOTTO_CONFIG_DIR" "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" > "$MACHINE_RISOTTO_CONFIG_DIR"_changelog.md
|
||||||
rm -rf "$MACHINE_RISOTTO_CONFIG_DIR"
|
rm -rf "$MACHINE_RISOTTO_CONFIG_DIR"
|
||||||
fi
|
fi
|
||||||
|
|
@ -58,7 +58,8 @@ if [ ! -d "$MACHINE_MACHINES_DIR" ]; then
|
||||||
mkdir -p "$SHA_MACHINE_DIR"
|
mkdir -p "$SHA_MACHINE_DIR"
|
||||||
cp -a "$IMAGE_NAME_RISOTTO_IMAGE_NAME".sha "$SHA_MACHINE"
|
cp -a "$IMAGE_NAME_RISOTTO_IMAGE_NAME".sha "$SHA_MACHINE"
|
||||||
mv "$IMAGE_NAME" "$MACHINE_MACHINES_DIR"
|
mv "$IMAGE_NAME" "$MACHINE_MACHINES_DIR"
|
||||||
cd -
|
cd - > /dev/null
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
echo " => OK"
|
||||||
exit 0
|
exit 0
|
||||||
|
|
|
||||||
|
|
@ -1,4 +1,4 @@
|
||||||
#!/bin/bash -xe
|
#!/bin/bash -e
|
||||||
HOST_NAME=$1
|
HOST_NAME=$1
|
||||||
if [ -z "$HOST_NAME" ]; then
|
if [ -z "$HOST_NAME" ]; then
|
||||||
echo "usage: $0 host name"
|
echo "usage: $0 host name"
|
||||||
|
|
@ -14,6 +14,8 @@ for image in *; do
|
||||||
if [ -f "host/configurations/$HOST_NAME/etc/systemd/nspawn/$osname.nspawn" ]; then
|
if [ -f "host/configurations/$HOST_NAME/etc/systemd/nspawn/$osname.nspawn" ]; then
|
||||||
MACHINES="$MACHINES$osname "
|
MACHINES="$MACHINES$osname "
|
||||||
fi
|
fi
|
||||||
|
echo
|
||||||
|
echo "Install machine $image"
|
||||||
./install_machine "$HOST_NAME" "$image" "$osname"
|
./install_machine "$HOST_NAME" "$image" "$osname"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
|
||||||
|
|
@ -5,4 +5,4 @@ depends:
|
||||||
- relay-mail-client
|
- relay-mail-client
|
||||||
- ldap-client-fedora
|
- ldap-client-fedora
|
||||||
- oauth2-client
|
- oauth2-client
|
||||||
- nginx-common
|
- nginx-https
|
||||||
|
|
|
||||||
|
|
@ -7,7 +7,6 @@
|
||||||
<file engine="none" source="tmpfile-postfix.conf">/tmpfiles.d/0postfix.conf</file>
|
<file engine="none" source="tmpfile-postfix.conf">/tmpfiles.d/0postfix.conf</file>
|
||||||
<file>/etc/postfix/main.cf</file>
|
<file>/etc/postfix/main.cf</file>
|
||||||
<file>/etc/postfix/master.cf</file>
|
<file>/etc/postfix/master.cf</file>
|
||||||
<file>/etc/postfix/ldapsource.cf</file>
|
|
||||||
<file>/etc/postfix/relay_passwd</file>
|
<file>/etc/postfix/relay_passwd</file>
|
||||||
<file>/etc/pki/ca-trust/source/anchors/ca_MailServer.crt</file>
|
<file>/etc/pki/ca-trust/source/anchors/ca_MailServer.crt</file>
|
||||||
<file>/etc/pki/tls/certs/postfix.crt</file>
|
<file>/etc/pki/tls/certs/postfix.crt</file>
|
||||||
|
|
@ -22,9 +21,6 @@
|
||||||
</service>
|
</service>
|
||||||
<service name='nginx'>
|
<service name='nginx'>
|
||||||
<file source='config-v1.1.xml' file_type="variable" variable="mail_domains">well_known_filenames</file>
|
<file source='config-v1.1.xml' file_type="variable" variable="mail_domains">well_known_filenames</file>
|
||||||
<file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_ca_file</file>
|
|
||||||
<file file_type="variable" source="revprox.crt">revprox_cert_file</file>
|
|
||||||
<file file_type="variable" source="revprox.key" mode="400">revprox_key_file</file>
|
|
||||||
</service>
|
</service>
|
||||||
<service name="dovecot" target="multi-user">
|
<service name="dovecot" target="multi-user">
|
||||||
<file engine="none" source="sysuser-dovecot.conf">/sysusers.d/1dovecot.conf</file>
|
<file engine="none" source="sysuser-dovecot.conf">/sysusers.d/1dovecot.conf</file>
|
||||||
|
|
@ -69,7 +65,7 @@
|
||||||
</family>
|
</family>
|
||||||
<family name="mail" description="Mail domain" leadership="True">
|
<family name="mail" description="Mail domain" leadership="True">
|
||||||
<variable name="mail_domains" type="domainname" description="Domaine de courriel géré localement" mandatory="True" multi="True"/>
|
<variable name="mail_domains" type="domainname" description="Domaine de courriel géré localement" mandatory="True" multi="True"/>
|
||||||
<variable name="mail_domains_calc" type="domainname" multi="True" hidden="True"/>
|
<variable name="mail_domains_calc" type="domainname" hidden="True"/>
|
||||||
<variable name="imap_domainname" type="domainname" mandatory="True"/>
|
<variable name="imap_domainname" type="domainname" mandatory="True"/>
|
||||||
<variable name="submission_domainname" type="domainname" mandatory="True"/>
|
<variable name="submission_domainname" type="domainname" mandatory="True"/>
|
||||||
</family>
|
</family>
|
||||||
|
|
@ -88,11 +84,11 @@
|
||||||
</family>
|
</family>
|
||||||
</family>
|
</family>
|
||||||
<family name="nginx">
|
<family name="nginx">
|
||||||
<variable name="nginx_default" redefine="True" remove_fill="True" mandatory="False"/>
|
<family name="revprox_client">
|
||||||
<variable name="revprox_ca_file" type="filename" description="Reverse proxy CA filename" hidden="True"/>
|
<variable name="revprox_client_location" redefine="True" mandatory="False">
|
||||||
<variable name="revprox_cert_file" type="filename" description="Reverse proxy certificate filename" hidden="True"/>
|
<value/>
|
||||||
<variable name="revprox_key_file" type="filename" description="Reverse proxy private key filename" hidden="True"/>
|
</variable>
|
||||||
<variable name="revprox_server_domainname" type="domainname" description="Reverse proxy domain name for CA" mandatory="True"/>
|
</family>
|
||||||
</family>
|
</family>
|
||||||
</variables>
|
</variables>
|
||||||
<constraints>
|
<constraints>
|
||||||
|
|
@ -115,24 +111,6 @@
|
||||||
<param name="dynamic" type="variable">domain_name_eth0</param>
|
<param name="dynamic" type="variable">domain_name_eth0</param>
|
||||||
<target>mail_domains</target>
|
<target>mail_domains</target>
|
||||||
</check>
|
</check>
|
||||||
<fill name="calc_value">
|
|
||||||
<param type="variable">tls_ca_directory</param>
|
|
||||||
<param>ca_InternalReverseProxy.crt</param>
|
|
||||||
<param name="join">/</param>
|
|
||||||
<target>revprox_ca_file</target>
|
|
||||||
</fill>
|
|
||||||
<fill name="calc_value">
|
|
||||||
<param type="variable">tls_cert_directory</param>
|
|
||||||
<param>revprox.crt</param>
|
|
||||||
<param name="join">/</param>
|
|
||||||
<target>revprox_cert_file</target>
|
|
||||||
</fill>
|
|
||||||
<fill name="calc_value">
|
|
||||||
<param type="variable">tls_key_directory</param>
|
|
||||||
<param>revprox.key</param>
|
|
||||||
<param name="join">/</param>
|
|
||||||
<target>revprox_key_file</target>
|
|
||||||
</fill>
|
|
||||||
<fill name="calc_value">
|
<fill name="calc_value">
|
||||||
<param>/etc/pki/tls/certs/imap_</param>
|
<param>/etc/pki/tls/certs/imap_</param>
|
||||||
<param type="variable">imap_domainname</param>
|
<param type="variable">imap_domainname</param>
|
||||||
|
|
@ -159,7 +137,6 @@
|
||||||
</fill>
|
</fill>
|
||||||
<fill name="calc_value">
|
<fill name="calc_value">
|
||||||
<param type="variable">mail_domains</param>
|
<param type="variable">mail_domains</param>
|
||||||
<param name="multi" type="boolean">True</param>
|
|
||||||
<target>mail_domains_calc</target>
|
<target>mail_domains_calc</target>
|
||||||
</fill>
|
</fill>
|
||||||
<fill name="calc_value">
|
<fill name="calc_value">
|
||||||
|
|
@ -172,7 +149,7 @@
|
||||||
<target>well_known_filenames</target>
|
<target>well_known_filenames</target>
|
||||||
</fill>
|
</fill>
|
||||||
<check name="set_linked_multi_variables">
|
<check name="set_linked_multi_variables">
|
||||||
<param type="variable">revprox_server_domainname</param>
|
<param type="variable">revprox_client_server_domainname</param>
|
||||||
<param name="linked_provider_0">revprox_clients</param>
|
<param name="linked_provider_0">revprox_clients</param>
|
||||||
<param name="linked_provider_1">revprox_location</param>
|
<param name="linked_provider_1">revprox_location</param>
|
||||||
<param name="linked_value_1">/.well-known/autoconfig/mail/config-v1.1.xml</param>
|
<param name="linked_value_1">/.well-known/autoconfig/mail/config-v1.1.xml</param>
|
||||||
|
|
@ -183,7 +160,7 @@
|
||||||
<target>mail_domains_calc</target>
|
<target>mail_domains_calc</target>
|
||||||
</check>
|
</check>
|
||||||
<check name="set_linked_multi_variables">
|
<check name="set_linked_multi_variables">
|
||||||
<param type="variable">revprox_server_domainname</param>
|
<param type="variable">revprox_client_server_domainname</param>
|
||||||
<param name="linked_provider_0">revprox_clients</param>
|
<param name="linked_provider_0">revprox_clients</param>
|
||||||
<param name="linked_provider_1">revprox_location</param>
|
<param name="linked_provider_1">revprox_location</param>
|
||||||
<param name="linked_value_1">/autodiscover/autodiscover.xml</param>
|
<param name="linked_value_1">/autodiscover/autodiscover.xml</param>
|
||||||
|
|
|
||||||
|
|
@ -28,7 +28,7 @@
|
||||||
# <doc/wiki/MailLocation.txt>
|
# <doc/wiki/MailLocation.txt>
|
||||||
#
|
#
|
||||||
#>GNUNUX
|
#>GNUNUX
|
||||||
mail_location = maildir:/srv/mail/%u
|
mail_location = maildir:~/
|
||||||
#<GNUNUX
|
#<GNUNUX
|
||||||
|
|
||||||
# If you need to set multiple mailbox locations or want to change default
|
# If you need to set multiple mailbox locations or want to change default
|
||||||
|
|
@ -107,8 +107,8 @@ namespace inbox {
|
||||||
# System user and group used to access mails. If you use multiple, userdb
|
# System user and group used to access mails. If you use multiple, userdb
|
||||||
# can override these by returning uid or gid fields. You can use either numbers
|
# can override these by returning uid or gid fields. You can use either numbers
|
||||||
# or names. <doc/wiki/UserIds.txt>
|
# or names. <doc/wiki/UserIds.txt>
|
||||||
#mail_uid =
|
mail_uid = vmail
|
||||||
#mail_gid =
|
mail_gid = vmail
|
||||||
|
|
||||||
# Group to enable temporarily for privileged operations. Currently this is
|
# Group to enable temporarily for privileged operations. Currently this is
|
||||||
# used only with INBOX when either its initial creation or dotlocking fails.
|
# used only with INBOX when either its initial creation or dotlocking fails.
|
||||||
|
|
|
||||||
|
|
@ -16,13 +16,14 @@ passdb {
|
||||||
# driver = prefetch
|
# driver = prefetch
|
||||||
#}
|
#}
|
||||||
|
|
||||||
# GNUNUX userdb {
|
userdb {
|
||||||
# GNUNUX driver = ldap
|
driver = ldap
|
||||||
# GNUNUX args = /etc/dovecot/dovecot-ldap.conf.ext
|
# GNUNUX args = /etc/dovecot/dovecot-ldap.conf.ext
|
||||||
# GNUNUX
|
args = /etc/dovecot/dovecot-ldap.conf.ext
|
||||||
# GNUNUX # Default fields can be used to specify defaults that LDAP may override
|
|
||||||
# GNUNUX #default_fields = home=/home/virtual/%u
|
# Default fields can be used to specify defaults that LDAP may override
|
||||||
# GNUNUX }
|
#default_fields = home=/home/virtual/%u
|
||||||
|
}
|
||||||
|
|
||||||
# If you don't have any user-specific settings, you can avoid the userdb LDAP
|
# If you don't have any user-specific settings, you can avoid the userdb LDAP
|
||||||
# lookup by using userdb static instead of userdb ldap, for example:
|
# lookup by using userdb static instead of userdb ldap, for example:
|
||||||
|
|
@ -31,9 +32,3 @@ passdb {
|
||||||
#driver = static
|
#driver = static
|
||||||
#args = uid=vmail gid=vmail home=/var/vmail/%u
|
#args = uid=vmail gid=vmail home=/var/vmail/%u
|
||||||
#}
|
#}
|
||||||
#>GNUNUX
|
|
||||||
userdb {
|
|
||||||
driver = static
|
|
||||||
args = uid=vmail gid=vmail home=/srv/mail/%u
|
|
||||||
}
|
|
||||||
#<GNUNUX
|
|
||||||
|
|
|
||||||
|
|
@ -1 +0,0 @@
|
||||||
%%get_chain(%%revprox_server_domainname, authority_name='InternalReverseProxy')
|
|
||||||
|
|
@ -99,7 +99,7 @@ tls_require_cert = hard
|
||||||
#auth_bind_userdn =
|
#auth_bind_userdn =
|
||||||
#>GNUNUX
|
#>GNUNUX
|
||||||
auth_bind = yes
|
auth_bind = yes
|
||||||
auth_bind_userdn = cn=%u,ou=users,%%ldap_base_dn
|
auth_bind_userdn = cn=%u,%%ldapclient_base_dn
|
||||||
#<GNUNUX
|
#<GNUNUX
|
||||||
|
|
||||||
# LDAP protocol version to use. Likely 2 or 3.
|
# LDAP protocol version to use. Likely 2 or 3.
|
||||||
|
|
@ -108,7 +108,7 @@ auth_bind_userdn = cn=%u,ou=users,%%ldap_base_dn
|
||||||
# LDAP base. %variables can be used here.
|
# LDAP base. %variables can be used here.
|
||||||
# For example: dc=mail, dc=example, dc=org
|
# For example: dc=mail, dc=example, dc=org
|
||||||
# GNUNUX base =
|
# GNUNUX base =
|
||||||
base = ou=users,%%ldap_base_dn
|
base = %%ldapclient_base_dn
|
||||||
|
|
||||||
# Dereference: never, searching, finding, always
|
# Dereference: never, searching, finding, always
|
||||||
#deref = never
|
#deref = never
|
||||||
|
|
@ -126,6 +126,9 @@ base = ou=users,%%ldap_base_dn
|
||||||
# There are also other special fields which can be returned, see
|
# There are also other special fields which can be returned, see
|
||||||
# http://wiki2.dovecot.org/UserDatabase/ExtraFields
|
# http://wiki2.dovecot.org/UserDatabase/ExtraFields
|
||||||
#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
|
#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
|
||||||
|
#>GNUNUX
|
||||||
|
user_attrs = homeDirectory=home
|
||||||
|
#<GNUNUX
|
||||||
|
|
||||||
# Filter for user lookup. Some variables can be used (see
|
# Filter for user lookup. Some variables can be used (see
|
||||||
# http://wiki2.dovecot.org/Variables for full list):
|
# http://wiki2.dovecot.org/Variables for full list):
|
||||||
|
|
|
||||||
|
|
@ -784,7 +784,6 @@ smtpd_use_tls = yes
|
||||||
mailbox_size_limit = 0
|
mailbox_size_limit = 0
|
||||||
message_size_limit = 202400000
|
message_size_limit = 202400000
|
||||||
biff = no
|
biff = no
|
||||||
#virtual_maps = ldap:/etc/postfix/ldapsource.cf
|
|
||||||
smtpd_tls_loglevel = 1
|
smtpd_tls_loglevel = 1
|
||||||
smtp_tls_note_starttls_offer = yes
|
smtp_tls_note_starttls_offer = yes
|
||||||
smtpd_tls_auth_only = yes
|
smtpd_tls_auth_only = yes
|
||||||
|
|
@ -804,12 +803,11 @@ dovecot_destination_recipient_limit = 1
|
||||||
%%domains.append(%%str(%%domain))%slurp
|
%%domains.append(%%str(%%domain))%slurp
|
||||||
%end for
|
%end for
|
||||||
virtual_mailbox_domains = %echo ', '.join(%%domains)
|
virtual_mailbox_domains = %echo ', '.join(%%domains)
|
||||||
virtual_mailbox_maps = ldap:/etc/postfix/ldapsource.cf
|
|
||||||
virtual_alias_maps = ldap:/etc/postfix/ldapsource.cf
|
virtual_alias_maps = ldap:/etc/postfix/ldapsource.cf
|
||||||
virtual_minimum_uid = 1000
|
virtual_minimum_uid = 1000
|
||||||
#vmail uid
|
#vmail uid
|
||||||
virtual_uid_maps = static:999
|
virtual_uid_maps = static:999
|
||||||
virtual_gid_maps = static:999
|
virtual_gid_maps = static:999
|
||||||
virtual_transport = dovecot
|
virtual_transport = dovecot
|
||||||
virtual_mailbox_base = /srv/mail
|
#virtual_mailbox_base = /srv/mail
|
||||||
#<GNUNUX
|
#<GNUNUX
|
||||||
|
|
|
||||||
|
|
@ -1,2 +0,0 @@
|
||||||
%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_server_domainname, authority_name='InternalReverseProxy', type="server")
|
|
||||||
%%get_chain(%%revprox_server_domainname, 'InternalReverseProxy')
|
|
||||||
|
|
@ -1 +0,0 @@
|
||||||
%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_server_domainname, authority_name='InternalReverseProxy', type='server')
|
|
||||||
|
|
@ -3,4 +3,4 @@ g dovenull 982 -
|
||||||
g vmail 999 -
|
g vmail 999 -
|
||||||
u dovecot 97:97 "Dovecot IMAP server" /usr/libexec/dovecot /sbin/nologin
|
u dovecot 97:97 "Dovecot IMAP server" /usr/libexec/dovecot /sbin/nologin
|
||||||
u dovenull 984:982 "Dovecot's unauthorized user" /usr/libexec/dovecot /sbin/nologin
|
u dovenull 984:982 "Dovecot's unauthorized user" /usr/libexec/dovecot /sbin/nologin
|
||||||
u vmail 999:999 "Virtual mail user" /srv/mail /sbin/nologin
|
u vmail 999:999 "Virtual mail user" /srv/home /sbin/nologin
|
||||||
|
|
|
||||||
|
|
@ -1 +1,4 @@
|
||||||
d /srv/dovecot 750 dovecot postfix - -
|
d /srv/dovecot 750 dovecot postfix - -
|
||||||
|
d /srv/home 750 root vmail - -
|
||||||
|
d /srv/home/users 770 root vmail - -
|
||||||
|
d /srv/home/families 770 root vmail - -
|
||||||
|
|
|
||||||
|
|
@ -1,5 +1,4 @@
|
||||||
d /srv/postfix 750 postfix postfix - -
|
d /srv/postfix 750 postfix postfix - -
|
||||||
d /srv/postfix/data 750 postfix postfix - -
|
d /srv/postfix/data 750 postfix postfix - -
|
||||||
d /srv/postfix/spool 755 root root - -
|
d /srv/postfix/spool 755 root root - -
|
||||||
d /srv/mail 770 root vmail - -
|
|
||||||
d /var/lib/misc/ 755 root root - -
|
d /var/lib/misc/ 755 root root - -
|
||||||
|
|
|
||||||
|
|
@ -2,6 +2,7 @@
|
||||||
<rougail version="0.10">
|
<rougail version="0.10">
|
||||||
<services>
|
<services>
|
||||||
<service name="gitea" target="multi-user" engine="creole">
|
<service name="gitea" target="multi-user" engine="creole">
|
||||||
|
<file>/etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt</file>
|
||||||
<file engine="none" source="sysuser-gitea.conf">/sysusers.d/0gitea.conf</file>
|
<file engine="none" source="sysuser-gitea.conf">/sysusers.d/0gitea.conf</file>
|
||||||
<file engine="none" source="tmpfile-gitea.conf">/tmpfiles.d/0gitea.conf</file>
|
<file engine="none" source="tmpfile-gitea.conf">/tmpfiles.d/0gitea.conf</file>
|
||||||
<file>/etc/gitea/app.ini</file>
|
<file>/etc/gitea/app.ini</file>
|
||||||
|
|
|
||||||
|
|
@ -12,9 +12,11 @@
|
||||||
<variables>
|
<variables>
|
||||||
<family name="annuaire">
|
<family name="annuaire">
|
||||||
<variable name='ldap_server_address' type='domainname' description="Nom DNS du serveur LDAP" mandatory='True'/>
|
<variable name='ldap_server_address' type='domainname' description="Nom DNS du serveur LDAP" mandatory='True'/>
|
||||||
|
<variable name='ldapclient_family' type='unix_user' description="L'arbre LDAP est de type famille"/>
|
||||||
<variable name='ldapclient_remote_user' type='string' description="DN de l'tilisateur distant" mandatory='True' hidden="True"/>
|
<variable name='ldapclient_remote_user' type='string' description="DN de l'tilisateur distant" mandatory='True' hidden="True"/>
|
||||||
<variable name='ldapclient_remote_user_password' type='password' description="Mot de passe de l'utilisateur distant" mandatory='True' hidden="True"/>
|
<variable name='ldapclient_remote_user_password' type='password' description="Mot de passe de l'utilisateur distant" mandatory='True' hidden="True"/>
|
||||||
<variable name='ldap_base_dn' type='string' description="Base DN de l'annuaire" mandatory="True" test="dc=test,o=fr"/>
|
<variable name='ldap_base_dn' type='string' description="Base DN de l'annuaire" mandatory="True" test="dc=test,o=fr"/>
|
||||||
|
<variable name='ldapclient_base_dn' type='string' description="Base DN de l'annuaire" mandatory="True"/>
|
||||||
<variable name='ldap_port' type='port' description='Port du serveur LDAP' mandatory='True' test="636"/>
|
<variable name='ldap_port' type='port' description='Port du serveur LDAP' mandatory='True' test="636"/>
|
||||||
<variable name="ldap_ca_file" type="filename" description="LDAP CA filename" hidden="True"/>
|
<variable name="ldap_ca_file" type="filename" description="LDAP CA filename" hidden="True"/>
|
||||||
<variable name="ldap_cert_file" type="filename" description="LDAP certificate filename" hidden="True"/>
|
<variable name="ldap_cert_file" type="filename" description="LDAP certificate filename" hidden="True"/>
|
||||||
|
|
@ -31,6 +33,11 @@
|
||||||
<check name='valid_base_dn'>
|
<check name='valid_base_dn'>
|
||||||
<target>ldap_base_dn</target>
|
<target>ldap_base_dn</target>
|
||||||
</check>
|
</check>
|
||||||
|
<fill name="calc_ldapclient_base_dn">
|
||||||
|
<param type="variable">ldap_base_dn</param>
|
||||||
|
<param type="variable">ldapclient_family</param>
|
||||||
|
<target>ldapclient_base_dn</target>
|
||||||
|
</fill>
|
||||||
<fill name="calc_value">
|
<fill name="calc_value">
|
||||||
<param type="variable">tls_ca_directory</param>
|
<param type="variable">tls_ca_directory</param>
|
||||||
<param>ca_LDAP.crt</param>
|
<param>ca_LDAP.crt</param>
|
||||||
|
|
@ -65,13 +72,19 @@
|
||||||
</fill>
|
</fill>
|
||||||
<fill name="get_linked_configuration">
|
<fill name="get_linked_configuration">
|
||||||
<param name="linked_server" type="variable">ldap_server_address</param>
|
<param name="linked_server" type="variable">ldap_server_address</param>
|
||||||
<param name="linked_provider">LDAP_DN</param>
|
<param name="linked_provider">ldap_dn</param>
|
||||||
<target>ldap_base_dn</target>
|
<target>ldap_base_dn</target>
|
||||||
</fill>
|
</fill>
|
||||||
<fill name="get_linked_configuration">
|
<fill name="get_linked_configuration">
|
||||||
<param name="linked_server" type="variable">ldap_server_address</param>
|
<param name="linked_server" type="variable">ldap_server_address</param>
|
||||||
<param name="linked_provider">LDAP_PORT</param>
|
<param name="linked_provider">ldap_port</param>
|
||||||
<target>ldap_port</target>
|
<target>ldap_port</target>
|
||||||
</fill>
|
</fill>
|
||||||
|
<check name="set_linked_configuration">
|
||||||
|
<param name="linked_server" type="variable">ldap_server_address</param>
|
||||||
|
<param name="linked_provider">client_family</param>
|
||||||
|
<param name="dynamic" type="variable">domain_name_eth0</param>
|
||||||
|
<target>ldapclient_family</target>
|
||||||
|
</check>
|
||||||
</constraints>
|
</constraints>
|
||||||
</rougail>
|
</rougail>
|
||||||
|
|
|
||||||
|
|
@ -4,3 +4,11 @@ def valid_base_dn(base_dn: str) -> None:
|
||||||
break
|
break
|
||||||
else:
|
else:
|
||||||
raise ValueError('La racine doit débuter par une organisation (o=), une composante du domaine (dc=) ou une unité organisationnelle (ou=)')
|
raise ValueError('La racine doit débuter par une organisation (o=), une composante du domaine (dc=) ou une unité organisationnelle (ou=)')
|
||||||
|
|
||||||
|
|
||||||
|
def calc_ldapclient_base_dn(ldap_base_dn: str,
|
||||||
|
family_name: str,
|
||||||
|
) -> str:
|
||||||
|
if not family_name:
|
||||||
|
return f'ou=users,{ldap_base_dn}'
|
||||||
|
return f'ou={family_name},ou=families,{ldap_base_dn}'
|
||||||
|
|
|
||||||
|
|
@ -6,7 +6,7 @@
|
||||||
# This file should be world readable but not world writable.
|
# This file should be world readable but not world writable.
|
||||||
|
|
||||||
#BASE dc=example,dc=com
|
#BASE dc=example,dc=com
|
||||||
BASE ou=users,%%ldap_base_dn
|
BASE %%ldapclient_base_dn
|
||||||
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
|
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
|
||||||
URI ldaps://%%ldap_server_address:%%ldap_port
|
URI ldaps://%%ldap_server_address:%%ldap_port
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -13,13 +13,14 @@ commentStartToken = §
|
||||||
"ldapPpolicyControl" : 1,
|
"ldapPpolicyControl" : 1,
|
||||||
"ldapAllowResetExpiredPassword" : 1,
|
"ldapAllowResetExpiredPassword" : 1,
|
||||||
"ldapChangePasswordAsUser" : 1,
|
"ldapChangePasswordAsUser" : 1,
|
||||||
"ldapBase" : "ou=users,%%ldap_base_dn",
|
"ldapBase" : "%%ldapclient_base_dn",
|
||||||
"ldapExportedVars" : {
|
"ldapExportedVars" : {
|
||||||
"uid" : "uid",
|
"uid" : "uid",
|
||||||
"cn" : "cn",
|
"cn" : "cn",
|
||||||
"sn" : "sn",
|
"sn" : "sn",
|
||||||
"mail" : "mail",
|
"mail" : "mail",
|
||||||
"givenName" : "givenName"
|
"givenName" : "givenName",
|
||||||
|
"home" : "homeDirectory"
|
||||||
},
|
},
|
||||||
"ldapGroupAttributeName" : "memberUid",
|
"ldapGroupAttributeName" : "memberUid",
|
||||||
"ldapGroupAttributeNameUser" : "cn",
|
"ldapGroupAttributeNameUser" : "cn",
|
||||||
|
|
@ -99,7 +100,8 @@ commentStartToken = §
|
||||||
"email" : "mail",
|
"email" : "mail",
|
||||||
"family_name" : "sn",
|
"family_name" : "sn",
|
||||||
"name" : "cn",
|
"name" : "cn",
|
||||||
"nickname" : "uid"
|
"nickname" : "uid",
|
||||||
|
"home" : "home"
|
||||||
%if %%len_app - 1 == %%idx
|
%if %%len_app - 1 == %%idx
|
||||||
}
|
}
|
||||||
%else
|
%else
|
||||||
|
|
|
||||||
|
|
@ -1,7 +1,7 @@
|
||||||
PYTHON="usr/lib/python3.10/site-packages"
|
PYTHON="usr/lib/python3.10/site-packages"
|
||||||
cp -a "mailman/postinstall/lemonldap" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/allauth/socialaccount/providers/"
|
cp -a "mailman/manual/postinstall/lemonldap" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/allauth/socialaccount/providers/"
|
||||||
cp -a "mailman/postinstall/risotto" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/allauth/socialaccount/providers/"
|
cp -a "mailman/manual/postinstall/risotto" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/allauth/socialaccount/providers/"
|
||||||
cp -a "mailman/postinstall/postorius" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius"
|
cp -a "mailman/manual/postinstall/postorius" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius"
|
||||||
chmod +x "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius/manage.py"
|
chmod +x "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius/manage.py"
|
||||||
ln -s /etc/mailman3.d/postorius.py "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius/m_postorius/settings_local.py"
|
ln -s /etc/mailman3.d/postorius.py "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius/m_postorius/settings_local.py"
|
||||||
ln -s ../../django_mailman3/static/django-mailman3 "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/postorius/static/"
|
ln -s ../../django_mailman3/static/django-mailman3 "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/postorius/static/"
|
||||||
|
|
|
||||||
|
|
@ -29,9 +29,9 @@ fi
|
||||||
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapPort "%%ldap_port"
|
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapPort "%%ldap_port"
|
||||||
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentName "%%ldapclient_remote_user"
|
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentName "%%ldapclient_remote_user"
|
||||||
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentPassword "%%ldapclient_remote_user_password"
|
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentPassword "%%ldapclient_remote_user_password"
|
||||||
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBase "ou=users,%%ldap_base_dn"
|
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBase "%%ldapclient_base_dn"
|
||||||
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseUsers "ou=users,%%ldap_base_dn"
|
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseUsers "%%ldapclient_base_dn"
|
||||||
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseGroups "ou=users,%%ldap_base_dn"
|
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseGroups "%%ldapclient_base_dn"
|
||||||
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapExperiencedAdmin "0"
|
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapExperiencedAdmin "0"
|
||||||
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapExpertUUIDUserAttr "cn"
|
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapExpertUUIDUserAttr "cn"
|
||||||
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapLoginFilter "(&(cn=%uid)(ObjectClass=inetOrgPerson))"
|
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapLoginFilter "(&(cn=%uid)(ObjectClass=inetOrgPerson))"
|
||||||
|
|
|
||||||
|
|
@ -4,18 +4,26 @@
|
||||||
<service name='nginx' target='multi-user'>
|
<service name='nginx' target='multi-user'>
|
||||||
<file>/etc/nginx/nginx.conf</file>
|
<file>/etc/nginx/nginx.conf</file>
|
||||||
<file source="default">/etc/nginx/sites-available/default</file>
|
<file source="default">/etc/nginx/sites-available/default</file>
|
||||||
<file filelist="nginx_default" source="default-nginx.conf">/etc/nginx/default.d/risotto.conf</file>
|
<file filelist="nginx_default" source="default-nginx.conf">/etc/nginx/default.d/default.conf</file>
|
||||||
<!--file source="default-nginx-ssl.conf">/etc/nginx/conf.d/risotto-ssl.conf</file-->
|
|
||||||
<file source="nginx.index.html">/var/www/html/index.html</file>
|
<file source="nginx.index.html">/var/www/html/index.html</file>
|
||||||
<file source="nginx-options.conf">/etc/nginx/conf.d/options.conf</file>
|
<file source="nginx-options.conf">/etc/nginx/conf.d/options.conf</file>
|
||||||
<file>/var/www/html/error.html</file>
|
<file>/var/www/html/error.html</file>
|
||||||
<file engine="none" source="sysusers.nginx.conf" filelist="nginx_fedora">/sysusers.d/nginx.conf</file>
|
<file engine="none" source="sysusers.nginx.conf" filelist="nginx_fedora">/sysusers.d/nginx.conf</file>
|
||||||
<file source="tmpfiles.nginx.conf">/tmpfiles.d/nginx.conf</file>
|
<file source="tmpfiles.nginx.conf">/tmpfiles.d/nginx.conf</file>
|
||||||
|
<file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_ca_file</file>
|
||||||
|
<file filelist="nginx_https" mode="600">/etc/pki/tls/certs/nginx.crt</file>
|
||||||
|
<file filelist="nginx_https" mode="600">/etc/pki/tls/private/nginx.key</file>
|
||||||
</service>
|
</service>
|
||||||
</services>
|
</services>
|
||||||
<variables>
|
<variables>
|
||||||
<family name="nginx" description="NGINX" help="Paramétrage global de NGINX">
|
<family name="nginx" description="NGINX" help="Paramétrage global de NGINX">
|
||||||
<variable name="nginx_default" type="domainname" description="Nom de domaine du serveur mandataire inverse par défaut" help="Si un client accède au serveur avec un nom de domaine non déclaré, le flux est redirigé vers ce domaine" mandatory='True'/>
|
<variable name="nginx_default" type="domainname" description="Nom de domaine du serveur mandataire inverse par défaut" help="Si un client accède au serveur avec un nom de domaine non déclaré, le flux est redirigé vers ce domaine" mandatory='False'/>
|
||||||
|
<variable name="nginx_root" type="filename" mandatory='False'>
|
||||||
|
<value>/usr/share/nginx/html</value>
|
||||||
|
</variable>
|
||||||
|
<variable name="nginx_https" type="boolean" description="Activer HTTPS sur le serveur" mandatory='True' hidden="True">
|
||||||
|
<value>False</value>
|
||||||
|
</variable>
|
||||||
<variable name="nginx_hash_bucket_size" description="Longueur maximum pour un nom de domaine" mode="expert" type="choice">
|
<variable name="nginx_hash_bucket_size" description="Longueur maximum pour un nom de domaine" mode="expert" type="choice">
|
||||||
<value>128</value>
|
<value>128</value>
|
||||||
<choice type="string">128</choice>
|
<choice type="string">128</choice>
|
||||||
|
|
@ -25,13 +33,10 @@
|
||||||
<variable name="nginx_post_max_size" type="number" description="Taille maximale des données reçues par la méthode POST (en Mo)" mode="expert" mandatory="True">
|
<variable name="nginx_post_max_size" type="number" description="Taille maximale des données reçues par la méthode POST (en Mo)" mode="expert" mandatory="True">
|
||||||
<value>32</value>
|
<value>32</value>
|
||||||
</variable>
|
</variable>
|
||||||
|
<variable name="revprox_ca_file" type="filename" description="Reverse proxy CA filename" hidden="True"/>
|
||||||
</family>
|
</family>
|
||||||
</variables>
|
</variables>
|
||||||
<constraints>
|
<constraints>
|
||||||
<fill name="calc_value">
|
|
||||||
<param type="variable">domain_name_eth0</param>
|
|
||||||
<target>nginx_default</target>
|
|
||||||
</fill>
|
|
||||||
<condition name="disabled_if_not_in" source="os_name">
|
<condition name="disabled_if_not_in" source="os_name">
|
||||||
<param>Fedora</param>
|
<param>Fedora</param>
|
||||||
<target type="filelist">nginx_fedora</target>
|
<target type="filelist">nginx_fedora</target>
|
||||||
|
|
@ -40,5 +45,15 @@
|
||||||
<param type="nil"/>
|
<param type="nil"/>
|
||||||
<target type="filelist">nginx_default</target>
|
<target type="filelist">nginx_default</target>
|
||||||
</condition>
|
</condition>
|
||||||
|
<condition name="disabled_if_in" source="nginx_https">
|
||||||
|
<param type="boolean">False</param>
|
||||||
|
<target type="filelist">nginx_https</target>
|
||||||
|
</condition>
|
||||||
|
<fill name="calc_value">
|
||||||
|
<param type="variable">tls_ca_directory</param>
|
||||||
|
<param>ca_InternalReverseProxy.crt</param>
|
||||||
|
<param name="join">/</param>
|
||||||
|
<target>revprox_ca_file</target>
|
||||||
|
</fill>
|
||||||
</constraints>
|
</constraints>
|
||||||
</rougail>
|
</rougail>
|
||||||
|
|
|
||||||
|
|
@ -1,10 +0,0 @@
|
||||||
#FIXME server {
|
|
||||||
#FIXME listen 443 ssl;
|
|
||||||
#FIXME ssl_certificate %%nginx_certificate[%%revprox_domainnames_all.index(%%nginx_default)];
|
|
||||||
#FIXME ssl_certificate_key %%nginx_private_key[%%revprox_domainnames_all.index(%%nginx_default)];
|
|
||||||
#FIXME ssl_client_certificate /etc/ssl/certs/ca.crt;
|
|
||||||
#FIXME server_name _ default;
|
|
||||||
#FIXME rewrite ^(.*) https://%%nginx_default$1;
|
|
||||||
#FIXME break;
|
|
||||||
#FIXME }
|
|
||||||
|
|
||||||
|
|
@ -52,11 +52,12 @@ http {
|
||||||
# for more information.
|
# for more information.
|
||||||
include /etc/nginx/conf.d/*.conf;
|
include /etc/nginx/conf.d/*.conf;
|
||||||
%if %%os_name == 'Fedora'
|
%if %%os_name == 'Fedora'
|
||||||
|
%if %%nginx_default
|
||||||
server {
|
server {
|
||||||
listen 80;
|
listen 80;
|
||||||
listen [::]:80;
|
listen [::]:80;
|
||||||
server_name _;
|
server_name _;
|
||||||
root /usr/share/nginx/html;
|
root %%nginx_root;
|
||||||
|
|
||||||
# Load configuration files for the default server block.
|
# Load configuration files for the default server block.
|
||||||
include /etc/nginx/default.d/*.conf;
|
include /etc/nginx/default.d/*.conf;
|
||||||
|
|
@ -69,35 +70,40 @@ http {
|
||||||
location = /50x.html {
|
location = /50x.html {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
%end if
|
||||||
|
# Settings for a TLS enabled server.
|
||||||
|
#
|
||||||
|
%if %%nginx_https
|
||||||
|
server {
|
||||||
|
listen 443 ssl http2;
|
||||||
|
server_name %%domain_name_eth0;
|
||||||
|
root %%nginx_root;
|
||||||
|
|
||||||
|
# ssl_certificate "/etc/pki/nginx/server.crt";
|
||||||
|
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
|
||||||
|
ssl_certificate /etc/pki/tls/certs/nginx.crt;
|
||||||
|
ssl_certificate_key /etc/pki/tls/private/nginx.key;
|
||||||
|
ssl_client_certificate /etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt;
|
||||||
|
|
||||||
|
ssl_session_cache shared:SSL:1m;
|
||||||
|
ssl_session_timeout 10m;
|
||||||
|
ssl_ciphers PROFILE=SYSTEM;
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
|
||||||
|
# Load configuration files for the default server block.
|
||||||
|
include /etc/nginx/default.d/*.conf;
|
||||||
|
|
||||||
|
error_page 404 /404.html;
|
||||||
|
location = /40x.html {
|
||||||
|
}
|
||||||
|
|
||||||
|
error_page 500 502 503 504 /50x.html;
|
||||||
|
location = /50x.html {
|
||||||
|
}
|
||||||
|
}
|
||||||
|
%end if
|
||||||
%else
|
%else
|
||||||
include /etc/nginx/sites-enabled/*;
|
include /etc/nginx/sites-enabled/*;
|
||||||
%end if
|
%end if
|
||||||
|
|
||||||
# Settings for a TLS enabled server.
|
|
||||||
#
|
|
||||||
# server {
|
|
||||||
# listen 443 ssl http2;
|
|
||||||
# listen [::]:443 ssl http2;
|
|
||||||
# server_name _;
|
|
||||||
# root /usr/share/nginx/html;
|
|
||||||
#
|
|
||||||
# ssl_certificate "/etc/pki/nginx/server.crt";
|
|
||||||
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
|
|
||||||
# ssl_session_cache shared:SSL:1m;
|
|
||||||
# ssl_session_timeout 10m;
|
|
||||||
# ssl_ciphers PROFILE=SYSTEM;
|
|
||||||
# ssl_prefer_server_ciphers on;
|
|
||||||
#
|
|
||||||
# # Load configuration files for the default server block.
|
|
||||||
# include /etc/nginx/default.d/*.conf;
|
|
||||||
#
|
|
||||||
# error_page 404 /404.html;
|
|
||||||
# location = /40x.html {
|
|
||||||
# }
|
|
||||||
#
|
|
||||||
# error_page 500 502 503 504 /50x.html;
|
|
||||||
# location = /50x.html {
|
|
||||||
# }
|
|
||||||
# }
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -2,3 +2,4 @@ format: '0.1'
|
||||||
description: Nginx as reverse proxy
|
description: Nginx as reverse proxy
|
||||||
depends:
|
depends:
|
||||||
- nginx-common
|
- nginx-common
|
||||||
|
- reverse-proxy-client
|
||||||
|
|
|
||||||
|
|
@ -2,19 +2,38 @@
|
||||||
<rougail version="0.10">
|
<rougail version="0.10">
|
||||||
<services>
|
<services>
|
||||||
<service name='nginx'>
|
<service name='nginx'>
|
||||||
<file>/etc/nginx/conf.d/risotto.conf</file>
|
<file filelist="nginx_default_risotto">/etc/nginx/default.d/risotto.conf</file>
|
||||||
<file>/etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt</file>
|
|
||||||
<file mode="600">/etc/pki/tls/certs/nginx.crt</file>
|
|
||||||
<file mode="600">/etc/pki/tls/private/nginx.key</file>
|
|
||||||
</service>
|
</service>
|
||||||
</services>
|
</services>
|
||||||
<variables>
|
<variables>
|
||||||
<variable name="nginx_root_directory" type="filename" mandatory="True"/>
|
<family name="nginx">
|
||||||
<variable name="php_fpm_user" redefine="True" exists="True">
|
<variable name="nginx_https" redefine="True">
|
||||||
<value>nginx</value>
|
<value>True</value>
|
||||||
</variable>
|
</variable>
|
||||||
<variable name="nginx_locations" type="filename" multi="True" mandatory="True">
|
<variable name="php_fpm_user" redefine="True" exists="True">
|
||||||
<value>/</value>
|
<value>nginx</value>
|
||||||
</variable>
|
</variable>
|
||||||
|
<variable name="nginx_root_directory" type="filename"/>
|
||||||
|
<variable name="nginx_locations" type="filename" multi="True" mandatory="True">
|
||||||
|
<value>/</value>
|
||||||
|
</variable>
|
||||||
|
</family>
|
||||||
|
<family name="redis" description="Redis">
|
||||||
|
<variable name="redis_client_key_owner" redefine="True" exists="True">
|
||||||
|
<value>nginx</value>
|
||||||
|
</variable>
|
||||||
|
</family>
|
||||||
|
<family name="postgresql" description="PostgreSQL">
|
||||||
|
<variable name="pg_client_key_owner" redefine="True" exists="True">
|
||||||
|
<value>nginx</value>
|
||||||
|
</variable>
|
||||||
|
</family>
|
||||||
</variables>
|
</variables>
|
||||||
|
<constraints>
|
||||||
|
<condition name="disabled_if_in" source="nginx_root_directory">
|
||||||
|
<param type="nil"/>
|
||||||
|
<target type="filelist">nginx_default_risotto</target>
|
||||||
|
<target type="variable">nginx_locations</target>
|
||||||
|
</condition>
|
||||||
|
</constraints>
|
||||||
</rougail>
|
</rougail>
|
||||||
|
|
|
||||||
|
|
@ -1 +0,0 @@
|
||||||
%%get_chain(authority_cn=%%domain_name_eth0, authority_name="InternalReverseProxy")
|
|
||||||
|
|
@ -1 +1,2 @@
|
||||||
%%get_certificate(cn=%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy')
|
%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy', type="server")
|
||||||
|
%%get_chain(%%revprox_client_server_domainname, 'InternalReverseProxy')
|
||||||
|
|
|
||||||
|
|
@ -1 +1 @@
|
||||||
%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy')
|
%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy', type='server')
|
||||||
|
|
|
||||||
|
|
@ -1,44 +1,30 @@
|
||||||
server {
|
add_header X-Frame-Options "SAMEORIGIN";
|
||||||
listen 443 default ssl;
|
add_header X-Content-Type-Options nosniff;
|
||||||
server_name %%domain_name_eth0;
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
add_header X-Robots-Tag none;
|
||||||
ssl_certificate /etc/pki/tls/certs/nginx.crt;
|
add_header X-Download-Options noopen;
|
||||||
ssl_certificate_key /etc/pki/tls/private/nginx.key;
|
add_header X-Permitted-Cross-Domain-Policies none;
|
||||||
ssl_client_certificate /etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt;
|
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains;';
|
||||||
|
add_header Referrer-Policy no-referrer always;
|
||||||
error_page 403 404 502 503 504 /error.html;
|
|
||||||
location = /error.html{
|
|
||||||
root /var/www/html;
|
|
||||||
}
|
|
||||||
|
|
||||||
add_header X-Frame-Options "SAMEORIGIN";
|
|
||||||
add_header X-Content-Type-Options nosniff;
|
|
||||||
add_header X-XSS-Protection "1; mode=block";
|
|
||||||
add_header X-Robots-Tag none;
|
|
||||||
add_header X-Download-Options noopen;
|
|
||||||
add_header X-Permitted-Cross-Domain-Policies none;
|
|
||||||
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains;';
|
|
||||||
add_header Referrer-Policy no-referrer always;
|
|
||||||
|
|
||||||
%for %%location in %%nginx_locations
|
%for %%location in %%nginx_locations
|
||||||
location %%location {
|
location %%location {
|
||||||
%if %%location == '/'
|
%if %%location == '/'
|
||||||
root %slurp
|
root %slurp
|
||||||
%else
|
%else
|
||||||
alias %slurp
|
alias %slurp
|
||||||
%end if
|
%end if
|
||||||
%%nginx_root_directory;
|
%%nginx_root_directory;
|
||||||
%if not %%getVar('php_fpm_installed', False)
|
%if not %%getVar('php_fpm_installed', False)
|
||||||
index index.html;
|
index index.html;
|
||||||
%else
|
%else
|
||||||
index index.php;
|
index index.php;
|
||||||
location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
|
location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
|
||||||
fastcgi_pass php-fpm;
|
fastcgi_pass php-fpm;
|
||||||
fastcgi_index index.php;
|
fastcgi_index index.php;
|
||||||
fastcgi_param SCRIPT_FILENAME $request_filename;
|
fastcgi_param SCRIPT_FILENAME $request_filename;
|
||||||
include fastcgi_params;
|
include fastcgi_params;
|
||||||
}
|
|
||||||
%end if
|
|
||||||
}
|
}
|
||||||
%end for
|
%end if
|
||||||
}
|
}
|
||||||
|
%end for
|
||||||
|
|
|
||||||
|
|
@ -5,7 +5,6 @@
|
||||||
<override engine="creole"/>
|
<override engine="creole"/>
|
||||||
<file source="nginx-options-rp.conf">/etc/nginx/conf.d/options-rp.conf</file>
|
<file source="nginx-options-rp.conf">/etc/nginx/conf.d/options-rp.conf</file>
|
||||||
<file source="revprox-nginx.conf">/etc/nginx/conf.d/risotto.conf</file>
|
<file source="revprox-nginx.conf">/etc/nginx/conf.d/risotto.conf</file>
|
||||||
<file>/etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt</file>
|
|
||||||
<file source="certificate.crt" file_type="variable" mode="600" variable="revprox_domainnames_all">nginx_certificate_filename</file>
|
<file source="certificate.crt" file_type="variable" mode="600" variable="revprox_domainnames_all">nginx_certificate_filename</file>
|
||||||
<file source="private.key" file_type="variable" mode="600" variable="revprox_domainnames_all">nginx_private_key_filename</file>
|
<file source="private.key" file_type="variable" mode="600" variable="revprox_domainnames_all">nginx_private_key_filename</file>
|
||||||
</service>
|
</service>
|
||||||
|
|
@ -19,7 +18,7 @@
|
||||||
<variable name="ip_eth" redefine="True" provider="ip"/>
|
<variable name="ip_eth" redefine="True" provider="ip"/>
|
||||||
</family>
|
</family>
|
||||||
<family name="nginx" description="NGINX" help="Paramétrage global de NGINX">
|
<family name="nginx" description="NGINX" help="Paramétrage global de NGINX">
|
||||||
<variable name="nginx_default" redefine="True" remove_fill="True"/>
|
<variable name="nginx_default" redefine="True" mandatory="True"/>
|
||||||
<variable name="revprox_domainnames" type="domainname" description="Nom des domaines à configurer dans le serveur mandataire inverse" help="Liste des domaines gérés par le serveur mandataire inverse" multi="True"/>
|
<variable name="revprox_domainnames" type="domainname" description="Nom des domaines à configurer dans le serveur mandataire inverse" help="Liste des domaines gérés par le serveur mandataire inverse" multi="True"/>
|
||||||
<variable name="revprox_domainnames_auto" type="domainname" description="Nom des domaines auto-configurés dans le serveur mandataire inverse" multi="True" provider="revprox_clients" hidden="True"/>
|
<variable name="revprox_domainnames_auto" type="domainname" description="Nom des domaines auto-configurés dans le serveur mandataire inverse" multi="True" provider="revprox_clients" hidden="True"/>
|
||||||
<variable name="revprox_domainnames_all" type="domainname" description="Tous les noms de domaines" multi="True" hidden="True"/>
|
<variable name="revprox_domainnames_all" type="domainname" description="Tous les noms de domaines" multi="True" hidden="True"/>
|
||||||
|
|
|
||||||
|
|
@ -1,11 +1,12 @@
|
||||||
from typing import List as _List
|
from typing import List as _List
|
||||||
from os.path import join as _join, isdir as _isdir, abspath as _abspath
|
from os.path import join as _join, isfile as _isfile, isdir as _isdir, abspath as _abspath, basename as _basename
|
||||||
from datetime import datetime as _datetime
|
from datetime import datetime as _datetime
|
||||||
from ipaddress import ip_network, ip_address
|
from ipaddress import ip_network, ip_address
|
||||||
from subprocess import run as _run
|
from subprocess import run as _run
|
||||||
from os import makedirs as _makedirs, unlink as _unlink
|
from os import makedirs as _makedirs
|
||||||
from shutil import rmtree as _rmtree
|
from shutil import rmtree as _rmtree, copy2 as _copy2
|
||||||
from glob import glob as _glob
|
from glob import glob as _glob
|
||||||
|
from filecmp import cmp as _cmp
|
||||||
|
|
||||||
|
|
||||||
_PKI_DIR = _abspath('pki/dnssec')
|
_PKI_DIR = _abspath('pki/dnssec')
|
||||||
|
|
@ -98,13 +99,21 @@ def sign(zone_filename: str,
|
||||||
cn: str,
|
cn: str,
|
||||||
) -> str:
|
) -> str:
|
||||||
authority_cn = zone_filename.rsplit('/', 1)[-1].rsplit('.', 1)[0]
|
authority_cn = zone_filename.rsplit('/', 1)[-1].rsplit('.', 1)[0]
|
||||||
zsk, ksk = _gen_keys(cn, authority_cn)
|
copy_file = _join(_PKI_DIR, cn, authority_cn, _basename(zone_filename))
|
||||||
cmd = ['ldns-signzone', '-n', zone_filename, zsk, ksk]
|
signed_filename = f'{copy_file}.signed'
|
||||||
proc = _run(cmd, capture_output=True)
|
if not _isfile(copy_file) or not _cmp(zone_filename, copy_file):
|
||||||
if proc.returncode != 0:
|
_copy2(zone_filename, copy_file)
|
||||||
raise Exception(f'cannot sign {zone_filename}: {proc.stdout.decode()}, {proc.stderr.decode()}')
|
zsk, ksk = _gen_keys(cn, authority_cn)
|
||||||
signed_filename = f'{zone_filename}.signed'
|
cmd = ['ldns-signzone', '-n', zone_filename, zsk, ksk]
|
||||||
|
proc = _run(cmd, capture_output=True)
|
||||||
|
if proc.returncode != 0:
|
||||||
|
raise Exception(f'cannot sign {zone_filename}: {proc.stdout.decode()}, {proc.stderr.decode()}')
|
||||||
|
new_signed_filename = f'{zone_filename}.signed'
|
||||||
|
with open(new_signed_filename) as fh:
|
||||||
|
content = fh.read().strip()
|
||||||
|
content.replace('0000000000', nsd_serial())
|
||||||
|
with open(signed_filename, 'w') as fh:
|
||||||
|
fh.write(content)
|
||||||
with open(signed_filename) as fh:
|
with open(signed_filename) as fh:
|
||||||
content = fh.read().strip()
|
content = fh.read().strip()
|
||||||
_unlink(signed_filename)
|
|
||||||
return content
|
return content
|
||||||
|
|
|
||||||
|
|
@ -12,7 +12,7 @@ $ORIGIN %%rougail_variable
|
||||||
$TTL 1800
|
$TTL 1800
|
||||||
|
|
||||||
@ IN SOA %%domain_name_eth0. admin.%%name. (
|
@ IN SOA %%domain_name_eth0. admin.%%name. (
|
||||||
%%nsd_serial() ; serial number
|
0000000000 ; serial number
|
||||||
3600 ; refresh
|
3600 ; refresh
|
||||||
900 ; retry
|
900 ; retry
|
||||||
1209600 ; expire
|
1209600 ; expire
|
||||||
|
|
|
||||||
|
|
@ -2,7 +2,7 @@ $ORIGIN %%rougail_variable.
|
||||||
$TTL 1800
|
$TTL 1800
|
||||||
|
|
||||||
@ IN SOA %%domain_name_eth0. admin.%%rougail_variable. (
|
@ IN SOA %%domain_name_eth0. admin.%%rougail_variable. (
|
||||||
%%nsd_serial() ; serial number
|
0000000000 ; serial number
|
||||||
3600 ; refresh
|
3600 ; refresh
|
||||||
900 ; retry
|
900 ; retry
|
||||||
1209600 ; expire
|
1209600 ; expire
|
||||||
|
|
|
||||||
|
|
@ -20,8 +20,8 @@
|
||||||
<variables>
|
<variables>
|
||||||
<family name="annuaire">
|
<family name="annuaire">
|
||||||
<variable name='ldap_server_address' redefine="True" hidden="True"/>
|
<variable name='ldap_server_address' redefine="True" hidden="True"/>
|
||||||
<variable name='ldap_base_dn' redefine="True" mandatory="True" provider="LDAP_DN"/>
|
<variable name='ldap_base_dn' redefine="True" mandatory="True" provider="ldap_dn"/>
|
||||||
<variable name='ldap_port' redefine="True" remove_fill="True" hidden="False" provider="LDAP_PORT">
|
<variable name='ldap_port' redefine="True" remove_fill="True" hidden="False" provider="ldap_port">
|
||||||
<value>636</value>
|
<value>636</value>
|
||||||
</variable>
|
</variable>
|
||||||
<variable name='ldap_admin_dn' type='string' description="Administrateur de l'annuaire" mandatory="True" auto_freeze='True'/>
|
<variable name='ldap_admin_dn' type='string' description="Administrateur de l'annuaire" mandatory="True" auto_freeze='True'/>
|
||||||
|
|
@ -47,6 +47,7 @@
|
||||||
<variable name='ldap_schemas' type='filename' description='Schémas LDAP additionnel' multi='True'>
|
<variable name='ldap_schemas' type='filename' description='Schémas LDAP additionnel' multi='True'>
|
||||||
<value>/etc/openldap/schema/cosine.ldif</value>
|
<value>/etc/openldap/schema/cosine.ldif</value>
|
||||||
<value>/etc/openldap/schema/inetorgperson.ldif</value>
|
<value>/etc/openldap/schema/inetorgperson.ldif</value>
|
||||||
|
<value>/etc/openldap/schema/nis.ldif</value>
|
||||||
</variable>
|
</variable>
|
||||||
<variable name='ldap_loglevel' type='number' description='Niveau de log' mode="expert">
|
<variable name='ldap_loglevel' type='number' description='Niveau de log' mode="expert">
|
||||||
<value>0</value>
|
<value>0</value>
|
||||||
|
|
|
||||||
|
|
@ -5,6 +5,7 @@
|
||||||
<family name="remote_" description="Compte LDAP pour " dynamic="accounts.remotes">
|
<family name="remote_" description="Compte LDAP pour " dynamic="accounts.remotes">
|
||||||
<variable name="dn_" description="LDAP DN" hidden="True" provider="dn"/>
|
<variable name="dn_" description="LDAP DN" hidden="True" provider="dn"/>
|
||||||
<variable name="password_" description="Mot de passe" auto_save="True" hidden="True" provider="client_password"/>
|
<variable name="password_" description="Mot de passe" auto_save="True" hidden="True" provider="client_password"/>
|
||||||
|
<variable name="family_" description="Nom de la familly" auto_save="True" hidden="True" provider="client_family"/>
|
||||||
<variable name="read_only_" description="Le compte est en lecture seule" type="boolean"/>
|
<variable name="read_only_" description="Le compte est en lecture seule" type="boolean"/>
|
||||||
</family>
|
</family>
|
||||||
<family name="acl" description="Gestion des droits d'accès aux attributes" leadership="True">
|
<family name="acl" description="Gestion des droits d'accès aux attributes" leadership="True">
|
||||||
|
|
|
||||||
|
|
@ -1,3 +1,9 @@
|
||||||
|
%set %%dns = {}
|
||||||
|
%for %%remote in %%accounts.remotes
|
||||||
|
%set %%name = %%normalize_family(%%remote)
|
||||||
|
%set %%family = %%accounts['remote_' + %%name]['family_' + %%name]
|
||||||
|
%%dns.setdefault(%%family, []).append((%%accounts['remote_' + %%name]['dn_' + %%name], %%accounts['remote_' + %%name]['read_only_' + %%name]))%slurp
|
||||||
|
%end for
|
||||||
dn: olcDatabase={2}mdb,cn=config
|
dn: olcDatabase={2}mdb,cn=config
|
||||||
changetype:modify
|
changetype:modify
|
||||||
replace: olcAccess
|
replace: olcAccess
|
||||||
|
|
@ -5,20 +11,22 @@ olcAccess: {0}to attrs=userPassword
|
||||||
by self write
|
by self write
|
||||||
by anonymous auth
|
by anonymous auth
|
||||||
by * none
|
by * none
|
||||||
olcAccess: {1}to dn.subtree="ou=users,%%ldap_base_dn"
|
|
||||||
by self read
|
|
||||||
%set %%aclidx = 1
|
%set %%aclidx = 1
|
||||||
%for %%remote in %%accounts.remotes
|
%for %%family, %%remotes in %%dns.items()
|
||||||
%set %%name = %%normalize_family(%%remote)
|
olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldap_base_dn, %%family)"
|
||||||
by dn="%%accounts['remote_' + %%name]['dn_' + %%name]" %slurp
|
by self read
|
||||||
%if %%accounts['remote_' + %%name]['read_only_' + %%name]
|
%for %%remote in %%remotes
|
||||||
|
by dn="%%remote[0]" %slurp
|
||||||
|
%if %%remote[1]
|
||||||
read%slurp
|
read%slurp
|
||||||
%else
|
%else
|
||||||
write%slurp
|
write%slurp
|
||||||
%end if
|
%end if
|
||||||
%end for
|
%end for
|
||||||
|
%set %%aclidx += 1
|
||||||
|
|
||||||
by * none
|
by * none
|
||||||
|
%end for
|
||||||
%for %%idx, %%acl in %%enumerate(%%accounts.acl.ldap_acl_attribute)
|
%for %%idx, %%acl in %%enumerate(%%accounts.acl.ldap_acl_attribute)
|
||||||
%set %%aclidx += 1
|
%set %%aclidx += 1
|
||||||
olcAccess: {%%aclidx}to %%acl %echo ' '.join(%%acl.ldap_acl_rights)
|
olcAccess: {%%aclidx}to %%acl %echo ' '.join(%%acl.ldap_acl_rights)
|
||||||
|
|
|
||||||
|
|
@ -35,8 +35,12 @@ sn: %%user.ldap_user_sn
|
||||||
givenName: %%user.ldap_user_gn
|
givenName: %%user.ldap_user_gn
|
||||||
uid: %%user.ldap_user_uid
|
uid: %%user.ldap_user_uid
|
||||||
userPassword:: %%ssha_encode(%%user.ldap_user_password)
|
userPassword:: %%ssha_encode(%%user.ldap_user_password)
|
||||||
|
homeDirectory: /srv/home/users/%%user
|
||||||
|
uidNumber: 0
|
||||||
|
gidNumber: 0
|
||||||
objectClass: top
|
objectClass: top
|
||||||
objectClass: inetOrgPerson
|
objectClass: inetOrgPerson
|
||||||
|
objectClass: posixAccount
|
||||||
|
|
||||||
%end for
|
%end for
|
||||||
# Families
|
# Families
|
||||||
|
|
@ -52,15 +56,19 @@ objectClass: top
|
||||||
objectClass: organizationalUnit
|
objectClass: organizationalUnit
|
||||||
|
|
||||||
%for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
|
%for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
|
||||||
dn: cn=%%user,ou=families,%%ldap_base_dn
|
dn: cn=%%user,ou=%%family,ou=families,%%ldap_base_dn
|
||||||
cn: %%user
|
cn: %%user
|
||||||
mail: %%user
|
mail: %%user
|
||||||
sn: %%user['ldap_user_sn_' + %%family]
|
sn: %%user['ldap_user_sn_' + %%family]
|
||||||
givenName: %%user['ldap_user_gn_' + %%family]
|
givenName: %%user['ldap_user_gn_' + %%family]
|
||||||
uid: %%user['ldap_user_uid_' + %%family]
|
uid: %%user['ldap_user_uid_' + %%family]
|
||||||
userPassword:: %%ssha_encode(%%user['ldap_user_password_' + %%family])
|
userPassword:: %%ssha_encode(%%user['ldap_user_password_' + %%family])
|
||||||
|
homeDirectory: /srv/home/families/%%family/%%user
|
||||||
|
uidNumber: 0
|
||||||
|
gidNumber: 0
|
||||||
objectClass: top
|
objectClass: top
|
||||||
objectClass: inetOrgPerson
|
objectClass: inetOrgPerson
|
||||||
|
objectClass: posixAccount
|
||||||
|
|
||||||
%end for
|
%end for
|
||||||
%end for
|
%end for
|
||||||
|
|
|
||||||
|
|
@ -7,3 +7,20 @@ replace: userPassword
|
||||||
userPassword:: %%ssha_encode(%%accounts['remote_' + %%name]['password_' + %%name])
|
userPassword:: %%ssha_encode(%%accounts['remote_' + %%name]['password_' + %%name])
|
||||||
|
|
||||||
%end for
|
%end for
|
||||||
|
## Users
|
||||||
|
#%for %%user in %%accounts.users.ldap_user_mail
|
||||||
|
#dn: cn=%%user,ou=users,%%ldap_base_dn
|
||||||
|
#changetype: modify
|
||||||
|
#replace: homeDirectory
|
||||||
|
#homeDirectory: /srv/home/users/%%user
|
||||||
|
#
|
||||||
|
#%end for
|
||||||
|
## Families
|
||||||
|
#%for %%family in %%accounts.families
|
||||||
|
# %for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
|
||||||
|
#dn: cn=%%user,ou=%%family,ou=families,%%ldap_base_dn
|
||||||
|
#replace: homeDirectory
|
||||||
|
#homeDirectory: /srv/home/families/%%family/%%user
|
||||||
|
#
|
||||||
|
# %end for
|
||||||
|
#%end for
|
||||||
|
|
|
||||||
|
|
@ -38,8 +38,8 @@
|
||||||
</variable>
|
</variable>
|
||||||
<variable name="oauth2_client_external" redefine="True" remove_fill="True"/>
|
<variable name="oauth2_client_external" redefine="True" remove_fill="True"/>
|
||||||
</family>
|
</family>
|
||||||
<family name="nginx" description="Reverse proxy">
|
<family name="nginx">
|
||||||
<family name="revprox_client" description="Point d'entré des clients" leadership="True">
|
<family name="revprox_client">
|
||||||
<variable name="revprox_client_location" redefine="True">
|
<variable name="revprox_client_location" redefine="True">
|
||||||
<value>/</value>
|
<value>/</value>
|
||||||
</variable>
|
</variable>
|
||||||
|
|
|
||||||
|
|
@ -25,5 +25,5 @@ rmdir "$IMAGE_NAME_RISOTTO_IMAGE_DIR/proc/self/"
|
||||||
|
|
||||||
rm -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh"
|
rm -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh"
|
||||||
cd "$IMAGE_NAME_RISOTTO_IMAGE_DIR$PLUGINS_DIR/.."
|
cd "$IMAGE_NAME_RISOTTO_IMAGE_DIR$PLUGINS_DIR/.."
|
||||||
patch -p0 < $OLDPWD/peertube/postinstall/peertube.patch
|
patch -p0 < $OLDPWD/peertube/manual/postinstall/peertube.patch
|
||||||
cd -
|
cd -
|
||||||
|
|
|
||||||
6
seed/applicationservice/2022.03.08/php-fpm/DEBUG.md
Normal file
6
seed/applicationservice/2022.03.08/php-fpm/DEBUG.md
Normal file
|
|
@ -0,0 +1,6 @@
|
||||||
|
Debug
|
||||||
|
======
|
||||||
|
|
||||||
|
echo "log_level = debug" >> /etc/php-fpm.conf
|
||||||
|
systemctl restart php-fpm
|
||||||
|
|
||||||
|
|
@ -9,11 +9,13 @@
|
||||||
</service>
|
</service>
|
||||||
</services>
|
</services>
|
||||||
<variables>
|
<variables>
|
||||||
<variable name="php_fpm_user" type="unix_user">
|
<family name="nginx">
|
||||||
<value>root</value>
|
<variable name="php_fpm_user" type="unix_user">
|
||||||
</variable>
|
<value>root</value>
|
||||||
<variable name="php_fpm_installed" type="boolean">
|
</variable>
|
||||||
<value>True</value>
|
<variable name="php_fpm_installed" type="boolean">
|
||||||
</variable>
|
<value>True</value>
|
||||||
|
</variable>
|
||||||
|
</family>
|
||||||
</variables>
|
</variables>
|
||||||
</rougail>
|
</rougail>
|
||||||
|
|
|
||||||
|
|
@ -8,4 +8,3 @@ depends:
|
||||||
- relay-mail-client
|
- relay-mail-client
|
||||||
- nginx-https
|
- nginx-https
|
||||||
- php-fpm
|
- php-fpm
|
||||||
- reverse-proxy-client
|
|
||||||
|
|
|
||||||
|
|
@ -12,9 +12,11 @@
|
||||||
<variables>
|
<variables>
|
||||||
<variable name="piwigo_admin_email" type="mail" description="Adresse courriel de l'administrateur Piwigo" mandatory="True"/>
|
<variable name="piwigo_admin_email" type="mail" description="Adresse courriel de l'administrateur Piwigo" mandatory="True"/>
|
||||||
<variable name="piwigo_admin_password" type="password" auto_save="True" hidden="True"/>
|
<variable name="piwigo_admin_password" type="password" auto_save="True" hidden="True"/>
|
||||||
<variable name="nginx_root_directory" mandatory="True" redefine="True">
|
<family name="nginx">
|
||||||
<value>/usr/local/share/piwigo</value>
|
<variable name="nginx_root_directory" mandatory="True" redefine="True">
|
||||||
</variable>
|
<value>/usr/local/share/piwigo</value>
|
||||||
|
</variable>
|
||||||
|
</family>
|
||||||
<variable name="piwigo_title" type="string" description="Titre de l'album" mandatory="True">
|
<variable name="piwigo_title" type="string" description="Titre de l'album" mandatory="True">
|
||||||
<value>Album photographique</value>
|
<value>Album photographique</value>
|
||||||
</variable>
|
</variable>
|
||||||
|
|
|
||||||
|
|
@ -14,10 +14,10 @@ ln -s /etc/piwigo/database.inc.php piwigo/local/config/database.inc.php
|
||||||
ln -s /srv/piwigo/data piwigo/_data
|
ln -s /srv/piwigo/data piwigo/_data
|
||||||
ln -s /srv/piwigo/upload piwigo/upload
|
ln -s /srv/piwigo/upload piwigo/upload
|
||||||
ln -s /srv/piwigo/logs piwigo/logs
|
ln -s /srv/piwigo/logs piwigo/logs
|
||||||
cp $OLDPWD/piwigo/postinstall/osmmap.php piwigo/
|
cp $OLDPWD/piwigo/manual/postinstall/osmmap.php piwigo/
|
||||||
chmod 644 piwigo/osmmap.php
|
chmod 644 piwigo/osmmap.php
|
||||||
patch -p0 < $OLDPWD/piwigo/postinstall/piwigo.patch
|
patch -p0 < $OLDPWD/piwigo/manual/postinstall/piwigo.patch
|
||||||
cp $OLDPWD/piwigo/postinstall/piwigo_cli.php piwigo/
|
cp $OLDPWD/piwigo/manual/postinstall/piwigo_cli.php piwigo/
|
||||||
# Plugins
|
# Plugins
|
||||||
cd piwigo/plugins
|
cd piwigo/plugins
|
||||||
wget https://piwigo.org/ext/download.php?rid=7848 -O plugin.zip
|
wget https://piwigo.org/ext/download.php?rid=7848 -O plugin.zip
|
||||||
|
|
|
||||||
|
|
@ -9,4 +9,4 @@ def calc_postfix_relay_domains(criteria):
|
||||||
if '@' in lst:
|
if '@' in lst:
|
||||||
lst = lst.split('@')[1]
|
lst = lst.split('@')[1]
|
||||||
relay.add(lst)
|
relay.add(lst)
|
||||||
return list(relay)
|
return sorted(list(relay))
|
||||||
|
|
|
||||||
|
|
@ -2,7 +2,6 @@
|
||||||
<rougail version="0.10">
|
<rougail version="0.10">
|
||||||
<services>
|
<services>
|
||||||
<service name="nginx" manage="False">
|
<service name="nginx" manage="False">
|
||||||
<file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_ca_file</file>
|
|
||||||
<file file_type="variable" source="revprox.crt">revprox_cert_file</file>
|
<file file_type="variable" source="revprox.crt">revprox_cert_file</file>
|
||||||
<file file_type="variable" source="revprox.key" owner_type="variable" owner="revprox_client_cert_owner" group_type="variable" group="revprox_client_cert_group" mode="400">revprox_key_file</file>
|
<file file_type="variable" source="revprox.key" owner_type="variable" owner="revprox_client_cert_owner" group_type="variable" group="revprox_client_cert_group" mode="400">revprox_key_file</file>
|
||||||
</service>
|
</service>
|
||||||
|
|
@ -32,10 +31,8 @@
|
||||||
<variable name="revprox_client_cert_group" type="unix_user" description="Reverse proxy certificate group">
|
<variable name="revprox_client_cert_group" type="unix_user" description="Reverse proxy certificate group">
|
||||||
<value>root</value>
|
<value>root</value>
|
||||||
</variable>
|
</variable>
|
||||||
<variable name="revprox_ca_file" type="filename" description="Reverse proxy CA filename" hidden="True"/>
|
|
||||||
<variable name="revprox_cert_file" type="filename" description="Reverse proxy certificate filename" hidden="True"/>
|
<variable name="revprox_cert_file" type="filename" description="Reverse proxy certificate filename" hidden="True"/>
|
||||||
<variable name="revprox_key_file" type="filename" description="Reverse proxy private key filename" hidden="True"/>
|
<variable name="revprox_key_file" type="filename" description="Reverse proxy private key filename" hidden="True"/>
|
||||||
<variable name="nginx_default" exists="True" redefine="True" remove_fill="True" mandatory="False"/>
|
|
||||||
</family>
|
</family>
|
||||||
</variables>
|
</variables>
|
||||||
<constraints>
|
<constraints>
|
||||||
|
|
@ -45,12 +42,6 @@
|
||||||
<param type="variable">revprox_client_local_location</param>
|
<param type="variable">revprox_client_local_location</param>
|
||||||
<target>revprox_client_web_address</target>
|
<target>revprox_client_web_address</target>
|
||||||
</fill>
|
</fill>
|
||||||
<fill name="calc_value">
|
|
||||||
<param type="variable">tls_ca_directory</param>
|
|
||||||
<param>ca_InternalReverseProxy.crt</param>
|
|
||||||
<param name="join">/</param>
|
|
||||||
<target>revprox_ca_file</target>
|
|
||||||
</fill>
|
|
||||||
<fill name="calc_value">
|
<fill name="calc_value">
|
||||||
<param type="variable">tls_cert_directory</param>
|
<param type="variable">tls_cert_directory</param>
|
||||||
<param>revprox.crt</param>
|
<param>revprox.crt</param>
|
||||||
|
|
|
||||||
|
|
@ -1,3 +1,8 @@
|
||||||
|
Supprimer oauth
|
||||||
|
================
|
||||||
|
|
||||||
|
sed -i "s/'generic'/null/g" /etc/roundcubemail/config.inc.php
|
||||||
|
|
||||||
Debug ldap
|
Debug ldap
|
||||||
==========
|
==========
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -3,9 +3,8 @@ description: Interface web de consultation des courriels Roundcube
|
||||||
depends:
|
depends:
|
||||||
- base-fedora-35
|
- base-fedora-35
|
||||||
- postgresql-client
|
- postgresql-client
|
||||||
- ldap-client-fedora
|
|
||||||
- imap-client
|
- imap-client
|
||||||
- redis-client
|
- redis-client
|
||||||
- oauth2-client
|
- oauth2-client
|
||||||
- apache
|
- nginx-https
|
||||||
- php-fpm
|
- php-fpm
|
||||||
|
|
|
||||||
|
|
@ -2,8 +2,8 @@
|
||||||
<rougail version="0.10">
|
<rougail version="0.10">
|
||||||
<services>
|
<services>
|
||||||
<service name="roundcube" engine="creole" target="multi-user">
|
<service name="roundcube" engine="creole" target="multi-user">
|
||||||
<file owner="root" group="apache" mode="640">/etc/roundcubemail/config.inc.php</file>
|
<file owner="root" group="nginx" mode="640">/etc/roundcubemail/config.inc.php</file>
|
||||||
<file>/etc/httpd/conf.d/roundcubemail.conf</file>
|
<file>/etc/nginx/default.d/roundcubemail.conf</file>
|
||||||
<file>/secrets/roundcube-init.php</file>
|
<file>/secrets/roundcube-init.php</file>
|
||||||
<file engine="none">/static/silique_cloud.svg</file>
|
<file engine="none">/static/silique_cloud.svg</file>
|
||||||
<file engine="none">/static/watermark.html</file>
|
<file engine="none">/static/watermark.html</file>
|
||||||
|
|
@ -32,9 +32,15 @@
|
||||||
</variable>
|
</variable>
|
||||||
</family>
|
</family>
|
||||||
<family name="nginx">
|
<family name="nginx">
|
||||||
<variable name="revprox_client_local_location" redefine="True">
|
<variable name="nginx_root" redefine="True">
|
||||||
<value>/roundcube/</value>
|
<value>/usr/share/roundcubemail/</value>
|
||||||
</variable>
|
</variable>
|
||||||
|
<variable name="revprox_client_local_location" redefine="True">
|
||||||
|
<value>/</value>
|
||||||
|
</variable>
|
||||||
|
</family>
|
||||||
|
<family name="annuaire">
|
||||||
|
<variable name='ldapclient_family' redefine="True" exists="True" mandatory="True"/>
|
||||||
</family>
|
</family>
|
||||||
</variables>
|
</variables>
|
||||||
<constraints>
|
<constraints>
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,8 @@
|
||||||
|
#!/bin/bash -ex
|
||||||
|
|
||||||
|
echo """#!/bin/bash -e
|
||||||
|
/usr/bin/chgrp nginx /etc/roundcubemail/*
|
||||||
|
""" > "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh"
|
||||||
|
chmod +x "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh"
|
||||||
|
chroot "$IMAGE_NAME_RISOTTO_IMAGE_DIR" /install.sh
|
||||||
|
rm -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh"
|
||||||
|
|
@ -1059,9 +1059,10 @@ $config['address_book_type'] = 'sql';
|
||||||
// Array key must contain only safe characters, ie. a-zA-Z0-9_
|
// Array key must contain only safe characters, ie. a-zA-Z0-9_
|
||||||
$config['ldap_public'] = [];
|
$config['ldap_public'] = [];
|
||||||
#>GNUNUX
|
#>GNUNUX
|
||||||
|
%if %%getVar('ldap_server_address', None)
|
||||||
$config['ldap_public'] = array (
|
$config['ldap_public'] = array (
|
||||||
'Local' => array (
|
'Local' => array (
|
||||||
'name' => "Contacts",
|
'name' => "Ma famille",
|
||||||
'hosts' => array (
|
'hosts' => array (
|
||||||
0 => 'ldaps://%%ldap_server_address',
|
0 => 'ldaps://%%ldap_server_address',
|
||||||
),
|
),
|
||||||
|
|
@ -1073,7 +1074,7 @@ $config['ldap_public'] = array (
|
||||||
'auth_method' => '',
|
'auth_method' => '',
|
||||||
'vlv' => false, //Samba do not support Virtual List View functions
|
'vlv' => false, //Samba do not support Virtual List View functions
|
||||||
'user_specific' => false,
|
'user_specific' => false,
|
||||||
'base_dn' => 'ou=users,%%ldap_base_dn',
|
'base_dn' => 'ou=%%ldapclient_family,ou=families,%%ldap_base_dn',
|
||||||
'writable' => false,
|
'writable' => false,
|
||||||
'required_fields' => array (
|
'required_fields' => array (
|
||||||
0 => 'cn',
|
0 => 'cn',
|
||||||
|
|
@ -1104,6 +1105,7 @@ $config['ldap_public'] = array (
|
||||||
),
|
),
|
||||||
),
|
),
|
||||||
);
|
);
|
||||||
|
%end if
|
||||||
#<GNUNUX
|
#<GNUNUX
|
||||||
|
|
||||||
// If you are going to use LDAP for individual address books, you will need to
|
// If you are going to use LDAP for individual address books, you will need to
|
||||||
|
|
|
||||||
|
|
@ -1,7 +1,7 @@
|
||||||
[Unit]
|
[Unit]
|
||||||
Description=Roundcube database init
|
Description=Roundcube database init
|
||||||
After=postgresqlclient.service
|
After=postgresqlclient.service
|
||||||
Before=apache.service php-fpm.service
|
Before=nginx.service php-fpm.service
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
|
|
|
||||||
|
|
@ -1,60 +1,51 @@
|
||||||
#
|
location = / {
|
||||||
# Round Cube Webmail is a browser-based multilingual IMAP client
|
alias %%nginx_root;
|
||||||
#
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
root %%nginx_root;
|
||||||
|
index index.php;
|
||||||
|
|
||||||
#>GNUNUX
|
location ~ ^/bin/(.+)$ {
|
||||||
Alias /roundcube/skins/elastic/risotto/ /usr/local/lib/static/
|
deny all;
|
||||||
<Directory /usr/local/lib/static/>
|
}
|
||||||
Require all granted
|
location ~ ^/plugins/enigma/home/(.+)$ {
|
||||||
</Directory>
|
deny all;
|
||||||
#<GNUNUX
|
}
|
||||||
# GNUNUX Alias /roundcubemail /usr/share/roundcubemail
|
|
||||||
Alias /roundcube /usr/share/roundcubemail
|
|
||||||
|
|
||||||
# Define who can access the Webmail
|
# Define who can access the installer
|
||||||
# You can enlarge permissions once configured
|
# keep this secured once configured
|
||||||
|
|
||||||
<Directory /usr/share/roundcubemail/>
|
location ~ ^/installer/(.+\.php)$ {
|
||||||
Require all granted
|
allow 127.0.0.1;
|
||||||
# GNUNUX <IfModule mod_authz_core.c>
|
allow ::1;
|
||||||
# GNUNUX # Apache 2.4
|
deny all;
|
||||||
# GNUNUX Require local
|
|
||||||
# GNUNUX </IfModule>
|
|
||||||
# GNUNUX <IfModule !mod_authz_core.c>
|
|
||||||
# GNUNUX # Apache 2.2
|
|
||||||
# GNUNUX Order Deny,Allow
|
|
||||||
# GNUNUX Deny from all
|
|
||||||
# GNUNUX Allow from 127.0.0.1
|
|
||||||
# GNUNUX Allow from ::1
|
|
||||||
# GNUNUX </IfModule>
|
|
||||||
</Directory>
|
|
||||||
|
|
||||||
# Define who can access the installer
|
try_files $uri =404;
|
||||||
# keep this secured once configured
|
fastcgi_intercept_errors on;
|
||||||
|
include fastcgi_params;
|
||||||
|
fastcgi_param SERVER_NAME $host;
|
||||||
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||||
|
fastcgi_pass php-fpm;
|
||||||
|
}
|
||||||
|
|
||||||
<Directory /usr/share/roundcubemail/installer/>
|
# Define who can access the Webmail
|
||||||
Order Allow,Deny
|
# You can enlarge permissions once configured
|
||||||
Deny from all
|
|
||||||
# GNUNUX <IfModule mod_authz_core.c>
|
|
||||||
# GNUNUX # Apache 2.4
|
|
||||||
# GNUNUX Require local
|
|
||||||
# GNUNUX </IfModule>
|
|
||||||
# GNUNUX <IfModule !mod_authz_core.c>
|
|
||||||
# GNUNUX # Apache 2.2
|
|
||||||
# GNUNUX Order Deny,Allow
|
|
||||||
# GNUNUX Deny from all
|
|
||||||
# GNUNUX Allow from 127.0.0.1
|
|
||||||
# GNUNUX Allow from ::1
|
|
||||||
# GNUNUX </IfModule>
|
|
||||||
</Directory>
|
|
||||||
|
|
||||||
# Those directories should not be viewed by Web clients.
|
location ~ ^/(.+\.php)$ {
|
||||||
<Directory /usr/share/roundcubemail/bin/>
|
# GNUNUX allow 127.0.0.1;
|
||||||
Order Allow,Deny
|
# GNUNUX allow ::1;
|
||||||
Deny from all
|
# GNUNUX deny all;
|
||||||
</Directory>
|
|
||||||
<Directory /usr/share/roundcubemail/plugins/enigma/home/>
|
try_files $uri =404;
|
||||||
Order Allow,Deny
|
fastcgi_intercept_errors on;
|
||||||
Deny from all
|
include fastcgi_params;
|
||||||
</Directory>
|
fastcgi_param SERVER_NAME $host;
|
||||||
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||||
|
fastcgi_pass php-fpm;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
location /skins/elastic/risotto {
|
||||||
|
alias /usr/local/lib/static/;
|
||||||
|
}
|
||||||
|
|
|
||||||
|
|
@ -3,6 +3,7 @@
|
||||||
<services>
|
<services>
|
||||||
<service name="vaultwarden" target="multi-user">
|
<service name="vaultwarden" target="multi-user">
|
||||||
<override/>
|
<override/>
|
||||||
|
<file>/etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt</file>
|
||||||
<file engine="none" source="tmpfile-vaultwarden.conf">/tmpfiles.d/0vaultwarden.conf</file>
|
<file engine="none" source="tmpfile-vaultwarden.conf">/tmpfiles.d/0vaultwarden.conf</file>
|
||||||
<file source="vaultwarden_config.env">/etc/vaultwarden/config.env</file>
|
<file source="vaultwarden_config.env">/etc/vaultwarden/config.env</file>
|
||||||
</service>
|
</service>
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue