Emmanuel Garette 2022-05-04 10:29:03 +02:00
parent da3e4d487d
commit 5ccb69012b
60 changed files with 384 additions and 299 deletions


@ -2,6 +2,7 @@
<rougail version="0.10"> <rougail version="0.10">
<services> <services>
<service name="httpd" target="multi-user"> <service name="httpd" target="multi-user">
<file>/etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt</file>
<file>/etc/httpd/conf/httpd.conf</file> <file>/etc/httpd/conf/httpd.conf</file>
<file>/etc/httpd/conf.d/risotto.conf</file> <file>/etc/httpd/conf.d/risotto.conf</file>
<file>/etc/httpd/conf.d/ssl.conf</file> <file>/etc/httpd/conf.d/ssl.conf</file>
@ -13,9 +14,11 @@
</service> </service>
</services> </services>
<variables> <variables>
<variable name="php_fpm_user" redefine="True" exists="True"> <family name="nginx">
<value>apache</value> <variable name="php_fpm_user" redefine="True" exists="True">
</variable> <value>apache</value>
</variable>
</family>
<family name="apache" description="Apache" help="Paramètrage avancé du serveur web Apache"> <family name="apache" description="Apache" help="Paramètrage avancé du serveur web Apache">
<variable name="apache_timeout" type="number" description="Temps en secondes pendant lequel le serveur va attendre des entrées/sorties avant de considérer qu'une requête a échoué"> <variable name="apache_timeout" type="number" description="Temps en secondes pendant lequel le serveur va attendre des entrées/sorties avant de considérer qu'une requête a échoué">
<value>300</value> <value>300</value>
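Review bot: The entry added at the top of the hunk, `/etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt`, drops the internal reverse-proxy CA into the host-wide trust store, so every TLS client in this image trusts that CA, not just httpd's upstream check; nothing in this section shows the consolidated bundle being regenerated after the file is written. If a refresh is expected from the deployment side, say so on the entry, e.g. `<!-- system trust anchor; the CA bundle must be regenerated (update-ca-trust) after this file changes -->`. The gitea dictionary at L441 adds the identical entry and carries the same question.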


@ -1,4 +1,4 @@
#!/bin/bash -xe #!/bin/bash -e
HOST_NAME=$1 HOST_NAME=$1
if [ -z "$HOST_NAME" ]; then if [ -z "$HOST_NAME" ]; then
@ -24,4 +24,6 @@ systemctl restart systemd-resolved
#nft 'add rule nat postrouting ip saddr 192.168.45.10 oif enp0s8 tcp dport 53 snat to 10.0.3.15' #nft 'add rule nat postrouting ip saddr 192.168.45.10 oif enp0s8 tcp dport 53 snat to 10.0.3.15'
#nft 'add rule nat postrouting ip saddr 192.168.45.10 oif enp0s8 udp dport 53 snat to 10.0.3.15' #nft 'add rule nat postrouting ip saddr 192.168.45.10 oif enp0s8 udp dport 53 snat to 10.0.3.15'
echo "install host OK"
exit 0 exit 0


@ -1,4 +1,4 @@
#!/bin/bash -xe #!/bin/bash -e
HOST_NAME=$1 HOST_NAME=$1
IMAGE_NAME=$2 IMAGE_NAME=$2
@ -14,7 +14,7 @@ rm -rf "$IMAGE_NAME_RISOTTO_IMAGE_DIR" tmp
mkdir -p "$RISOTTO_IMAGE_DIR" mkdir -p "$RISOTTO_IMAGE_DIR"
PKG="" PKG=""
BASE_DIR="" BASE_DIR=""
for script in $(ls $IMAGE_NAME/preinstall/*.sh 2> /dev/null); do for script in $(ls $IMAGE_NAME/manual/preinstall/*.sh 2> /dev/null); do
. "$script" . "$script"
done done
@ -46,7 +46,7 @@ function new_package_base() {
OPT=$(dnf_opt "$BASE_DIR" "$BASE_PKG") OPT=$(dnf_opt "$BASE_DIR" "$BASE_PKG")
dnf --assumeno $OPT | grep ^" " > "$BASE_PKGS_FILE".new dnf --assumeno $OPT | grep ^" " > "$BASE_PKGS_FILE".new
else else
debootstrap --include="$BASE_PKG" --variant=minbase "$RELEASEVER" "$BASE_DIR" debootstrap --include="$BASE_PKG" --variant=minbase "$RELEASEVER" "$BASE_DIR" > /dev/null
chroot "$BASE_DIR" dpkg-query -f '${binary:Package} ${source:Version}\n' -W > "$BASE_PKGS_FILE".new chroot "$BASE_DIR" dpkg-query -f '${binary:Package} ${source:Version}\n' -W > "$BASE_PKGS_FILE".new
fi fi
} }
@ -75,6 +75,7 @@ function install_pkg() {
if [ ! -f "$BASE_LOCK" ]; then if [ ! -f "$BASE_LOCK" ]; then
echo " - reinstallation de l'image de base"
rm -rf "$BASE_DIR" rm -rf "$BASE_DIR"
new_package_base new_package_base
diff -u "$BASE_PKGS_FILE" "$BASE_PKGS_FILE".new && NEW_BASE=false || NEW_BASE=true diff -u "$BASE_PKGS_FILE" "$BASE_PKGS_FILE".new && NEW_BASE=false || NEW_BASE=true
@ -83,7 +84,7 @@ if [ ! -f "$BASE_LOCK" ]; then
install_base install_base
cd "$IMAGE_BASE_RISOTTO_BASE_DIR" cd "$IMAGE_BASE_RISOTTO_BASE_DIR"
tar cf "$BASE_TAR" "$BASE_NAME" tar cf "$BASE_TAR" "$BASE_NAME"
cd - cd - > /dev/null
if [ -f "$BASE_PKGS_FILE" ]; then if [ -f "$BASE_PKGS_FILE" ]; then
mv "$BASE_PKGS_FILE" "$BASE_PKGS_FILE".old mv "$BASE_PKGS_FILE" "$BASE_PKGS_FILE".old
fi fi
@ -100,8 +101,8 @@ if [ -n "$COPR" ]; then
#FIXME signature... #FIXME signature...
mkdir -p "$REPO_DIR" mkdir -p "$REPO_DIR"
cd "$REPO_DIR" cd "$REPO_DIR"
wget "$COPR" wget -q "$COPR"
cd - cd - > /dev/null
fi fi
if [ "$FUSION" = true ]; then if [ "$FUSION" = true ]; then
dnf -y install "https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$RELEASEVER.noarch.rpm" --installroot="$IMAGE_NAME_RISOTTO_IMAGE_DIR" dnf -y install "https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$RELEASEVER.noarch.rpm" --installroot="$IMAGE_NAME_RISOTTO_IMAGE_DIR"
@ -109,19 +110,24 @@ fi
# FIXME verifier s'il y a des modifs sur pre/post # FIXME verifier s'il y a des modifs sur pre/post
if [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs ] && [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs ]; then if [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs ] && [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs ]; then
echo "Différence(s) avec les paquets de base" echo " - différence(s) avec les paquets de base"
diff -u "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs "$BASE_PKGS_FILE" && NEW_BASE=false || NEW_BASE=true diff -u "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs "$BASE_PKGS_FILE" && NEW_BASE=false || NEW_BASE=true
else else
NEW_BASE=true NEW_BASE=true
fi fi
new_package new_package
if [ "$NEW_BASE" = false ]; then if [ "$NEW_BASE" = false ]; then
echo "Différence(s) avec les paquets de l'image" echo " - différence(s) avec les paquets de l'image"
diff -u "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new && INSTALL=false || INSTALL=true diff -u "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new && INSTALL=false || INSTALL=true
else else
INSTALL=true INSTALL=true
fi fi
find $IMAGE_NAME/manual -type f -exec md5sum '{}' \; > "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum.new
if [ "$NEW_BASE" = false ]; then
diff -u "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum.new && INSTALL=false || INSTALL=true
fi
if [ "$INSTALL" = true ]; then if [ "$INSTALL" = true ]; then
echo " - installation"
if [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version ]; then if [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version ]; then
VERSION=$(cat "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version) VERSION=$(cat "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version)
else else
@ -145,7 +151,7 @@ if [ "$INSTALL" = true ]; then
install_pkg install_pkg
sleep 2 sleep 2
for script in $(ls $IMAGE_NAME/postinstall/*.sh 2> /dev/null); do for script in $(ls $IMAGE_NAME/manual/postinstall/*.sh 2> /dev/null); do
. "$script" . "$script"
done done
@ -161,11 +167,13 @@ if [ "$INSTALL" = true ]; then
fi fi
tar cf "$IMAGE_NAME_RISOTTO_IMAGE_NAME" "$IMAGE_NAME" tar cf "$IMAGE_NAME_RISOTTO_IMAGE_NAME" "$IMAGE_NAME"
sha256sum "$IMAGE_NAME_RISOTTO_IMAGE_NAME" > "$IMAGE_NAME_RISOTTO_IMAGE_NAME".sha sha256sum "$IMAGE_NAME_RISOTTO_IMAGE_NAME" > "$IMAGE_NAME_RISOTTO_IMAGE_NAME".sha
cd - cd - > /dev/null
cp -f "$BASE_PKGS_FILE" "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs cp -f "$BASE_PKGS_FILE" "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs
mv -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs mv -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs
mv -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum.new "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum
VERSION=$((VERSION + 1)) VERSION=$((VERSION + 1))
echo "$VERSION" > "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version echo "$VERSION" > "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version
fi fi
rm -rf "$IMAGE_NAME_RISOTTO_IMAGE_DIR" rm -rf "$IMAGE_NAME_RISOTTO_IMAGE_DIR"
echo " => OK"
exit 0 exit 0
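Review bot: The checksum comparison added at L102-L104 can overturn the package decision taken just above it: when the package lists differ (L97 sets `INSTALL=true`) but the manual files are unchanged, L103 resets `INSTALL=false` and the rebuild is silently skipped. Only escalate there: `diff -u "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum.new || INSTALL=true`. The list written at L101 is also in `find` traversal order, which is not guaranteed stable between runs, so an unchanged tree can still produce a spurious diff; piping the output through `sort -k2` before the redirection fixes that, and `$IMAGE_NAME` on that line is unquoted unlike the rest of the script. The `for script in $(ls ...)` loops at L52 and L113 word-split the listing; a plain glob, `for script in "$IMAGE_NAME"/manual/preinstall/*.sh; do [ -e "$script" ] || continue`, avoids that without the `ls` subshell.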


@ -1,4 +1,4 @@
#!/bin/bash -xe #!/bin/bash -e
HOST_NAME=$1 HOST_NAME=$1
if [ -z "$HOST_NAME" ]; then if [ -z "$HOST_NAME" ]; then
echo "usage: $0 host name" echo "usage: $0 host name"
@ -8,6 +8,8 @@ fi
rm -f $IMAGE_BASE_RISOTTO_BASE_DIR*.build rm -f $IMAGE_BASE_RISOTTO_BASE_DIR*.build
for image in *; do for image in *; do
if [ -d "$image" ]; then if [ -d "$image" ]; then
echo
echo "Install image $image"
./install_image "$HOST_NAME" "$image" ./install_image "$HOST_NAME" "$image"
fi fi
done done


@ -1,4 +1,4 @@
#!/bin/bash -xe #!/bin/bash -e
HOST_NAME=$1 HOST_NAME=$1
IMAGE_NAME=$2 IMAGE_NAME=$2
MACHINE=$3 MACHINE=$3
@ -26,19 +26,19 @@ if [ -L "$MACHINE_MACHINES_DIR" ] || [ -d "$MACHINE_MACHINES_DIR" ]; then
diff -q --no-dereference -Nru "$MACHINE_RISOTTO_CONFIG_DIR" "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" || NEW_CONF=true diff -q --no-dereference -Nru "$MACHINE_RISOTTO_CONFIG_DIR" "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" || NEW_CONF=true
fi fi
if [ "$NEW_IMAGE" = true ] || [ "$NEW_CONF" = true ]; then if [ "$NEW_IMAGE" = true ] || [ "$NEW_CONF" = true ]; then
echo " - stop $IMAGE_NAME"
machinectl stop "$MACHINE" 2> /dev/null || true machinectl stop "$MACHINE" 2> /dev/null || true
while true; do while true; do
machinectl status "$MACHINE" > /dev/null 2>&1 || break machinectl status "$MACHINE" > /dev/null 2>&1 || break
sleep 1 sleep 1
echo "retry..."
done done
fi fi
if [ "$NEW_IMAGE" = true ]; then if [ "$NEW_IMAGE" = true ]; then
echo "SUPPRIME ANCIENNE IMAGE" echo " - delete old image"
rm -rf "$MACHINE_MACHINES_DIR" rm -rf "$MACHINE_MACHINES_DIR"
fi fi
if [ "$NEW_CONF" = true ]; then if [ "$NEW_CONF" = true ]; then
echo "SUPPRIME ANCIENNE CONF" echo " - delete old settings"
./diff.py "$MACHINE" "$MACHINE_RISOTTO_CONFIG_DIR" "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" > "$MACHINE_RISOTTO_CONFIG_DIR"_changelog.md ./diff.py "$MACHINE" "$MACHINE_RISOTTO_CONFIG_DIR" "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" > "$MACHINE_RISOTTO_CONFIG_DIR"_changelog.md
rm -rf "$MACHINE_RISOTTO_CONFIG_DIR" rm -rf "$MACHINE_RISOTTO_CONFIG_DIR"
fi fi
@ -58,7 +58,8 @@ if [ ! -d "$MACHINE_MACHINES_DIR" ]; then
mkdir -p "$SHA_MACHINE_DIR" mkdir -p "$SHA_MACHINE_DIR"
cp -a "$IMAGE_NAME_RISOTTO_IMAGE_NAME".sha "$SHA_MACHINE" cp -a "$IMAGE_NAME_RISOTTO_IMAGE_NAME".sha "$SHA_MACHINE"
mv "$IMAGE_NAME" "$MACHINE_MACHINES_DIR" mv "$IMAGE_NAME" "$MACHINE_MACHINES_DIR"
cd - cd - > /dev/null
fi fi
echo " => OK"
exit 0 exit 0
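Review bot: The progress line added at L159 prints `$IMAGE_NAME` while the command right below it stops `$MACHINE`; the script takes the two as separate arguments (L153-L154), so the log names the wrong unit whenever image and machine differ. Use `echo " - stop $MACHINE"` to match what `machinectl` is acting on. The other new lines at L168 and L172 already name the action rather than the image, so this keeps the messages consistent.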


@ -1,4 +1,4 @@
#!/bin/bash -xe #!/bin/bash -e
HOST_NAME=$1 HOST_NAME=$1
if [ -z "$HOST_NAME" ]; then if [ -z "$HOST_NAME" ]; then
echo "usage: $0 host name" echo "usage: $0 host name"
@ -14,6 +14,8 @@ for image in *; do
if [ -f "host/configurations/$HOST_NAME/etc/systemd/nspawn/$osname.nspawn" ]; then if [ -f "host/configurations/$HOST_NAME/etc/systemd/nspawn/$osname.nspawn" ]; then
MACHINES="$MACHINES$osname " MACHINES="$MACHINES$osname "
fi fi
echo
echo "Install machine $image"
./install_machine "$HOST_NAME" "$image" "$osname" ./install_machine "$HOST_NAME" "$image" "$osname"
fi fi
done done


@ -5,4 +5,4 @@ depends:
- relay-mail-client - relay-mail-client
- ldap-client-fedora - ldap-client-fedora
- oauth2-client - oauth2-client
- nginx-common - nginx-https


@ -7,7 +7,6 @@
<file engine="none" source="tmpfile-postfix.conf">/tmpfiles.d/0postfix.conf</file> <file engine="none" source="tmpfile-postfix.conf">/tmpfiles.d/0postfix.conf</file>
<file>/etc/postfix/main.cf</file> <file>/etc/postfix/main.cf</file>
<file>/etc/postfix/master.cf</file> <file>/etc/postfix/master.cf</file>
<file>/etc/postfix/ldapsource.cf</file>
<file>/etc/postfix/relay_passwd</file> <file>/etc/postfix/relay_passwd</file>
<file>/etc/pki/ca-trust/source/anchors/ca_MailServer.crt</file> <file>/etc/pki/ca-trust/source/anchors/ca_MailServer.crt</file>
<file>/etc/pki/tls/certs/postfix.crt</file> <file>/etc/pki/tls/certs/postfix.crt</file>
@ -22,9 +21,6 @@
</service> </service>
<service name='nginx'> <service name='nginx'>
<file source='config-v1.1.xml' file_type="variable" variable="mail_domains">well_known_filenames</file> <file source='config-v1.1.xml' file_type="variable" variable="mail_domains">well_known_filenames</file>
<file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_ca_file</file>
<file file_type="variable" source="revprox.crt">revprox_cert_file</file>
<file file_type="variable" source="revprox.key" mode="400">revprox_key_file</file>
</service> </service>
<service name="dovecot" target="multi-user"> <service name="dovecot" target="multi-user">
<file engine="none" source="sysuser-dovecot.conf">/sysusers.d/1dovecot.conf</file> <file engine="none" source="sysuser-dovecot.conf">/sysusers.d/1dovecot.conf</file>
@ -69,7 +65,7 @@
</family> </family>
<family name="mail" description="Mail domain" leadership="True"> <family name="mail" description="Mail domain" leadership="True">
<variable name="mail_domains" type="domainname" description="Domaine de courriel géré localement" mandatory="True" multi="True"/> <variable name="mail_domains" type="domainname" description="Domaine de courriel géré localement" mandatory="True" multi="True"/>
<variable name="mail_domains_calc" type="domainname" multi="True" hidden="True"/> <variable name="mail_domains_calc" type="domainname" hidden="True"/>
<variable name="imap_domainname" type="domainname" mandatory="True"/> <variable name="imap_domainname" type="domainname" mandatory="True"/>
<variable name="submission_domainname" type="domainname" mandatory="True"/> <variable name="submission_domainname" type="domainname" mandatory="True"/>
</family> </family>
@ -88,11 +84,11 @@
</family> </family>
</family> </family>
<family name="nginx"> <family name="nginx">
<variable name="nginx_default" redefine="True" remove_fill="True" mandatory="False"/> <family name="revprox_client">
<variable name="revprox_ca_file" type="filename" description="Reverse proxy CA filename" hidden="True"/> <variable name="revprox_client_location" redefine="True" mandatory="False">
<variable name="revprox_cert_file" type="filename" description="Reverse proxy certificate filename" hidden="True"/> <value/>
<variable name="revprox_key_file" type="filename" description="Reverse proxy private key filename" hidden="True"/> </variable>
<variable name="revprox_server_domainname" type="domainname" description="Reverse proxy domain name for CA" mandatory="True"/> </family>
</family> </family>
</variables> </variables>
<constraints> <constraints>
@ -115,24 +111,6 @@
<param name="dynamic" type="variable">domain_name_eth0</param> <param name="dynamic" type="variable">domain_name_eth0</param>
<target>mail_domains</target> <target>mail_domains</target>
</check> </check>
<fill name="calc_value">
<param type="variable">tls_ca_directory</param>
<param>ca_InternalReverseProxy.crt</param>
<param name="join">/</param>
<target>revprox_ca_file</target>
</fill>
<fill name="calc_value">
<param type="variable">tls_cert_directory</param>
<param>revprox.crt</param>
<param name="join">/</param>
<target>revprox_cert_file</target>
</fill>
<fill name="calc_value">
<param type="variable">tls_key_directory</param>
<param>revprox.key</param>
<param name="join">/</param>
<target>revprox_key_file</target>
</fill>
<fill name="calc_value"> <fill name="calc_value">
<param>/etc/pki/tls/certs/imap_</param> <param>/etc/pki/tls/certs/imap_</param>
<param type="variable">imap_domainname</param> <param type="variable">imap_domainname</param>
@ -159,7 +137,6 @@
</fill> </fill>
<fill name="calc_value"> <fill name="calc_value">
<param type="variable">mail_domains</param> <param type="variable">mail_domains</param>
<param name="multi" type="boolean">True</param>
<target>mail_domains_calc</target> <target>mail_domains_calc</target>
</fill> </fill>
<fill name="calc_value"> <fill name="calc_value">
@ -172,7 +149,7 @@
<target>well_known_filenames</target> <target>well_known_filenames</target>
</fill> </fill>
<check name="set_linked_multi_variables"> <check name="set_linked_multi_variables">
<param type="variable">revprox_server_domainname</param> <param type="variable">revprox_client_server_domainname</param>
<param name="linked_provider_0">revprox_clients</param> <param name="linked_provider_0">revprox_clients</param>
<param name="linked_provider_1">revprox_location</param> <param name="linked_provider_1">revprox_location</param>
<param name="linked_value_1">/.well-known/autoconfig/mail/config-v1.1.xml</param> <param name="linked_value_1">/.well-known/autoconfig/mail/config-v1.1.xml</param>
@ -183,7 +160,7 @@
<target>mail_domains_calc</target> <target>mail_domains_calc</target>
</check> </check>
<check name="set_linked_multi_variables"> <check name="set_linked_multi_variables">
<param type="variable">revprox_server_domainname</param> <param type="variable">revprox_client_server_domainname</param>
<param name="linked_provider_0">revprox_clients</param> <param name="linked_provider_0">revprox_clients</param>
<param name="linked_provider_1">revprox_location</param> <param name="linked_provider_1">revprox_location</param>
<param name="linked_value_1">/autodiscover/autodiscover.xml</param> <param name="linked_value_1">/autodiscover/autodiscover.xml</param>
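Review bot: `mail_domains_calc` at L234 loses `multi="True"` while its source `mail_domains` on the line above stays multi and the `calc_value` fill at L277-L281 still copies the whole list into it (the `multi` parameter is dropped at L279). Unless rougail now derives the target's multi-ness from the `set_linked_multi_variables` checks that name it (L292), this is a list-into-scalar mismatch that will surface at generation time; if it is intentional, a comment on the variable such as `<!-- scalar here: list semantics come from set_linked_multi_variables -->` would save the next reader the same investigation. The empty `<value/>` given to `revprox_client_location` at L244 also reads as "no location"; stating in a comment whether an empty value disables the reverse-proxy entry or selects a default would help, since the variable's definition lives outside this dictionary.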


@ -28,7 +28,7 @@
# <doc/wiki/MailLocation.txt> # <doc/wiki/MailLocation.txt>
# #
#>GNUNUX #>GNUNUX
mail_location = maildir:/srv/mail/%u mail_location = maildir:~/
#<GNUNUX #<GNUNUX
# If you need to set multiple mailbox locations or want to change default # If you need to set multiple mailbox locations or want to change default
@ -107,8 +107,8 @@ namespace inbox {
# System user and group used to access mails. If you use multiple, userdb # System user and group used to access mails. If you use multiple, userdb
# can override these by returning uid or gid fields. You can use either numbers # can override these by returning uid or gid fields. You can use either numbers
# or names. <doc/wiki/UserIds.txt> # or names. <doc/wiki/UserIds.txt>
#mail_uid = mail_uid = vmail
#mail_gid = mail_gid = vmail
# Group to enable temporarily for privileged operations. Currently this is # Group to enable temporarily for privileged operations. Currently this is
# used only with INBOX when either its initial creation or dotlocking fails. # used only with INBOX when either its initial creation or dotlocking fails.


@ -16,13 +16,14 @@ passdb {
# driver = prefetch # driver = prefetch
#} #}
# GNUNUX userdb { userdb {
# GNUNUX driver = ldap driver = ldap
# GNUNUX args = /etc/dovecot/dovecot-ldap.conf.ext # GNUNUX args = /etc/dovecot/dovecot-ldap.conf.ext
# GNUNUX args = /etc/dovecot/dovecot-ldap.conf.ext
# GNUNUX # Default fields can be used to specify defaults that LDAP may override
# GNUNUX #default_fields = home=/home/virtual/%u # Default fields can be used to specify defaults that LDAP may override
# GNUNUX } #default_fields = home=/home/virtual/%u
}
# If you don't have any user-specific settings, you can avoid the userdb LDAP # If you don't have any user-specific settings, you can avoid the userdb LDAP
# lookup by using userdb static instead of userdb ldap, for example: # lookup by using userdb static instead of userdb ldap, for example:
@ -31,9 +32,3 @@ passdb {
#driver = static #driver = static
#args = uid=vmail gid=vmail home=/var/vmail/%u #args = uid=vmail gid=vmail home=/var/vmail/%u
#} #}
#>GNUNUX
userdb {
driver = static
args = uid=vmail gid=vmail home=/srv/mail/%u
}
#<GNUNUX
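Review bot: On the new side of L323-L330 the `userdb { driver = ldap }` block is enabled, but the only `args = /etc/dovecot/dovecot-ldap.conf.ext` lines visible for it (L325-L326) still carry the `# GNUNUX` comment prefix; if the rendering is faithful the ldap userdb has no `args` and Dovecot should reject the configuration at startup. The block needs a live `args = /etc/dovecot/dovecot-ldap.conf.ext` between `driver = ldap` and the closing brace. With the static userdb at L338-L341 removed, uid/gid come from `mail_uid`/`mail_gid` and the home path comes entirely from the directory, so an account without a usable home attribute now fails login instead of landing in a default mailbox; worth a comment on the block so that behaviour change is deliberate.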


@ -1 +0,0 @@
%%get_chain(%%revprox_server_domainname, authority_name='InternalReverseProxy')


@ -99,7 +99,7 @@ tls_require_cert = hard
#auth_bind_userdn = #auth_bind_userdn =
#>GNUNUX #>GNUNUX
auth_bind = yes auth_bind = yes
auth_bind_userdn = cn=%u,ou=users,%%ldap_base_dn auth_bind_userdn = cn=%u,%%ldapclient_base_dn
#<GNUNUX #<GNUNUX
# LDAP protocol version to use. Likely 2 or 3. # LDAP protocol version to use. Likely 2 or 3.
@ -108,7 +108,7 @@ auth_bind_userdn = cn=%u,ou=users,%%ldap_base_dn
# LDAP base. %variables can be used here. # LDAP base. %variables can be used here.
# For example: dc=mail, dc=example, dc=org # For example: dc=mail, dc=example, dc=org
# GNUNUX base = # GNUNUX base =
base = ou=users,%%ldap_base_dn base = %%ldapclient_base_dn
# Dereference: never, searching, finding, always # Dereference: never, searching, finding, always
#deref = never #deref = never
@ -126,6 +126,9 @@ base = ou=users,%%ldap_base_dn
# There are also other special fields which can be returned, see # There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/UserDatabase/ExtraFields # http://wiki2.dovecot.org/UserDatabase/ExtraFields
#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid #user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
#>GNUNUX
user_attrs = homeDirectory=home
#<GNUNUX
# Filter for user lookup. Some variables can be used (see # Filter for user lookup. Some variables can be used (see
# http://wiki2.dovecot.org/Variables for full list): # http://wiki2.dovecot.org/Variables for full list):
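Review bot: `user_attrs = homeDirectory=home` at L370 turns a directory-controlled string into the mailbox path: together with `mail_location = maildir:~/` the maildir is wherever `homeDirectory` points, and it is opened as the shared `vmail` identity, so an entry whose attribute points outside the mail tree (or is absent) yields either another location read as vmail or a failed login. The setting itself is fine, but the trust it places in whoever can write `homeDirectory` should be written down and the missing-attribute case given a fallback, e.g. `default_fields = home=/srv/home/users/%u` (constructed from the tmpfiles entries in this commit; confirm the path) next to the commented example at L328. The bind DN at L355 and the search base at L362 now both hang off `%%ldapclient_base_dn`, so a wrong family calculation fails authentication for every user at once; a one-line comment pointing at where that value is computed would help whoever debugs it.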


@ -784,7 +784,6 @@ smtpd_use_tls = yes
mailbox_size_limit = 0 mailbox_size_limit = 0
message_size_limit = 202400000 message_size_limit = 202400000
biff = no biff = no
#virtual_maps = ldap:/etc/postfix/ldapsource.cf
smtpd_tls_loglevel = 1 smtpd_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes smtp_tls_note_starttls_offer = yes
smtpd_tls_auth_only = yes smtpd_tls_auth_only = yes
@ -804,12 +803,11 @@ dovecot_destination_recipient_limit = 1
%%domains.append(%%str(%%domain))%slurp %%domains.append(%%str(%%domain))%slurp
%end for %end for
virtual_mailbox_domains = %echo ', '.join(%%domains) virtual_mailbox_domains = %echo ', '.join(%%domains)
virtual_mailbox_maps = ldap:/etc/postfix/ldapsource.cf
virtual_alias_maps = ldap:/etc/postfix/ldapsource.cf virtual_alias_maps = ldap:/etc/postfix/ldapsource.cf
virtual_minimum_uid = 1000 virtual_minimum_uid = 1000
#vmail uid #vmail uid
virtual_uid_maps = static:999 virtual_uid_maps = static:999
virtual_gid_maps = static:999 virtual_gid_maps = static:999
virtual_transport = dovecot virtual_transport = dovecot
virtual_mailbox_base = /srv/mail #virtual_mailbox_base = /srv/mail
#<GNUNUX #<GNUNUX
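Review bot: `virtual_alias_maps = ldap:/etc/postfix/ldapsource.cf` survives on the new side at L390, but the mail dictionary drops `/etc/postfix/ldapsource.cf` from the postfix service's file list at L216; unless that file is now produced by some entry not shown here, Postfix starts with a dangling map and every alias lookup defers with a table error. Either keep the `<file>` entry or drop the reference. Removing `virtual_mailbox_maps` at L389 while `virtual_mailbox_domains` is still set at L388 also means a recipient in those domains is only accepted if the alias map rewrites it; if that is the intended design, a comment above L390 such as `# no per-mailbox map: every recipient must resolve through virtual_alias_maps` would record it.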


@ -1,2 +0,0 @@
%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_server_domainname, authority_name='InternalReverseProxy', type="server")
%%get_chain(%%revprox_server_domainname, 'InternalReverseProxy')


@ -1 +0,0 @@
%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_server_domainname, authority_name='InternalReverseProxy', type='server')


@ -3,4 +3,4 @@ g dovenull 982 -
g vmail 999 - g vmail 999 -
u dovecot 97:97 "Dovecot IMAP server" /usr/libexec/dovecot /sbin/nologin u dovecot 97:97 "Dovecot IMAP server" /usr/libexec/dovecot /sbin/nologin
u dovenull 984:982 "Dovecot's unauthorized user" /usr/libexec/dovecot /sbin/nologin u dovenull 984:982 "Dovecot's unauthorized user" /usr/libexec/dovecot /sbin/nologin
u vmail 999:999 "Virtual mail user" /srv/mail /sbin/nologin u vmail 999:999 "Virtual mail user" /srv/home /sbin/nologin


@ -1 +1,4 @@
d /srv/dovecot 750 dovecot postfix - - d /srv/dovecot 750 dovecot postfix - -
d /srv/home 750 root vmail - -
d /srv/home/users 770 root vmail - -
d /srv/home/families 770 root vmail - -
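Review bot: The `/srv/home` tree added here replaces `/srv/mail`, whose tmpfiles entry is removed at L432 and whose use as `mail_location` (L306) and static home (L340) is dropped, yet nothing in the files shown moves existing maildirs from `/srv/mail/<user>` into the new per-user home; on an already-deployed instance users would open empty mailboxes while the old data stays behind. If the migration is expected to be done by hand or by a file not in this view, say so on the first new entry, e.g. `# mail previously under /srv/mail must be moved into each user's homeDirectory before first login`. The 770 mode on `/srv/home/users` and `/srv/home/families` is what lets `vmail` autocreate homes, but it also lets that single identity rename or remove any sibling directory, which is the usual cost of one virtual-mail uid and worth a word in a comment.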


@ -1,5 +1,4 @@
d /srv/postfix 750 postfix postfix - - d /srv/postfix 750 postfix postfix - -
d /srv/postfix/data 750 postfix postfix - - d /srv/postfix/data 750 postfix postfix - -
d /srv/postfix/spool 755 root root - - d /srv/postfix/spool 755 root root - -
d /srv/mail 770 root vmail - -
d /var/lib/misc/ 755 root root - - d /var/lib/misc/ 755 root root - -


@ -2,6 +2,7 @@
<rougail version="0.10"> <rougail version="0.10">
<services> <services>
<service name="gitea" target="multi-user" engine="creole"> <service name="gitea" target="multi-user" engine="creole">
<file>/etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt</file>
<file engine="none" source="sysuser-gitea.conf">/sysusers.d/0gitea.conf</file> <file engine="none" source="sysuser-gitea.conf">/sysusers.d/0gitea.conf</file>
<file engine="none" source="tmpfile-gitea.conf">/tmpfiles.d/0gitea.conf</file> <file engine="none" source="tmpfile-gitea.conf">/tmpfiles.d/0gitea.conf</file>
<file>/etc/gitea/app.ini</file> <file>/etc/gitea/app.ini</file>


@ -12,9 +12,11 @@
<variables> <variables>
<family name="annuaire"> <family name="annuaire">
<variable name='ldap_server_address' type='domainname' description="Nom DNS du serveur LDAP" mandatory='True'/> <variable name='ldap_server_address' type='domainname' description="Nom DNS du serveur LDAP" mandatory='True'/>
<variable name='ldapclient_family' type='unix_user' description="L'arbre LDAP est de type famille"/>
<variable name='ldapclient_remote_user' type='string' description="DN de l'tilisateur distant" mandatory='True' hidden="True"/> <variable name='ldapclient_remote_user' type='string' description="DN de l'tilisateur distant" mandatory='True' hidden="True"/>
<variable name='ldapclient_remote_user_password' type='password' description="Mot de passe de l'utilisateur distant" mandatory='True' hidden="True"/> <variable name='ldapclient_remote_user_password' type='password' description="Mot de passe de l'utilisateur distant" mandatory='True' hidden="True"/>
<variable name='ldap_base_dn' type='string' description="Base DN de l'annuaire" mandatory="True" test="dc=test,o=fr"/> <variable name='ldap_base_dn' type='string' description="Base DN de l'annuaire" mandatory="True" test="dc=test,o=fr"/>
<variable name='ldapclient_base_dn' type='string' description="Base DN de l'annuaire" mandatory="True"/>
<variable name='ldap_port' type='port' description='Port du serveur LDAP' mandatory='True' test="636"/> <variable name='ldap_port' type='port' description='Port du serveur LDAP' mandatory='True' test="636"/>
<variable name="ldap_ca_file" type="filename" description="LDAP CA filename" hidden="True"/> <variable name="ldap_ca_file" type="filename" description="LDAP CA filename" hidden="True"/>
<variable name="ldap_cert_file" type="filename" description="LDAP certificate filename" hidden="True"/> <variable name="ldap_cert_file" type="filename" description="LDAP certificate filename" hidden="True"/>
@ -31,6 +33,11 @@
<check name='valid_base_dn'> <check name='valid_base_dn'>
<target>ldap_base_dn</target> <target>ldap_base_dn</target>
</check> </check>
<fill name="calc_ldapclient_base_dn">
<param type="variable">ldap_base_dn</param>
<param type="variable">ldapclient_family</param>
<target>ldapclient_base_dn</target>
</fill>
<fill name="calc_value"> <fill name="calc_value">
<param type="variable">tls_ca_directory</param> <param type="variable">tls_ca_directory</param>
<param>ca_LDAP.crt</param> <param>ca_LDAP.crt</param>
@ -65,13 +72,19 @@
</fill> </fill>
<fill name="get_linked_configuration"> <fill name="get_linked_configuration">
<param name="linked_server" type="variable">ldap_server_address</param> <param name="linked_server" type="variable">ldap_server_address</param>
<param name="linked_provider">LDAP_DN</param> <param name="linked_provider">ldap_dn</param>
<target>ldap_base_dn</target> <target>ldap_base_dn</target>
</fill> </fill>
<fill name="get_linked_configuration"> <fill name="get_linked_configuration">
<param name="linked_server" type="variable">ldap_server_address</param> <param name="linked_server" type="variable">ldap_server_address</param>
<param name="linked_provider">LDAP_PORT</param> <param name="linked_provider">ldap_port</param>
<target>ldap_port</target> <target>ldap_port</target>
</fill> </fill>
<check name="set_linked_configuration">
<param name="linked_server" type="variable">ldap_server_address</param>
<param name="linked_provider">client_family</param>
<param name="dynamic" type="variable">domain_name_eth0</param>
<target>ldapclient_family</target>
</check>
</constraints> </constraints>
</rougail> </rougail>
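Review bot: The new `ldapclient_base_dn` at L456 reuses the exact description of `ldap_base_dn` on the line above ("Base DN de l'annuaire"), so the two are indistinguishable in the generated interface even though one is the directory root and the other the user subtree computed by `calc_ldapclient_base_dn` (L464-L468). Suggest `description="Base DN des utilisateurs du client"` and, since the value is filled by a calculation, `hidden="True"` like the neighbouring computed variables unless operators are meant to override it. `ldapclient_family` at L452 is declared `type='unix_user'`; presumably that type is what keeps DN delimiters out of the value the calculation concatenates unescaped, which deserves a sentence in its description so nobody later relaxes the type without noticing the dependency.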


@ -4,3 +4,11 @@ def valid_base_dn(base_dn: str) -> None:
break break
else: else:
raise ValueError('La racine doit débuter par une organisation (o=), une composante du domaine (dc=) ou une unité organisationnelle (ou=)') raise ValueError('La racine doit débuter par une organisation (o=), une composante du domaine (dc=) ou une unité organisationnelle (ou=)')
def calc_ldapclient_base_dn(ldap_base_dn: str,
family_name: str,
) -> str:
if not family_name:
return f'ou=users,{ldap_base_dn}'
return f'ou={family_name},ou=families,{ldap_base_dn}'
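Review bot: `calc_ldapclient_base_dn` builds a DN by string formatting and inserts `family_name` without escaping, so a value holding RDN delimiters (`,`, `+`, `=`, `"`, `\`, `;`, `<`, `>`, `#`) yields a malformed DN or one that parses into a different subtree; the function relies entirely on the caller's variable type to keep those characters out. Reject them here too, in the spirit of `valid_base_dn` above (whose body starts outside this hunk): `if family_name and not family_name.replace('-', '').replace('_', '').isalnum(): raise ValueError('Nom de famille invalide')` before the first return. A one-line docstring saying that an empty family maps to `ou=users,<base>` and a non-empty one to `ou=<family>,ou=families,<base>` would also help, since that asymmetry is not obvious from the name.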


@ -6,7 +6,7 @@
# This file should be world readable but not world writable. # This file should be world readable but not world writable.
#BASE dc=example,dc=com #BASE dc=example,dc=com
BASE ou=users,%%ldap_base_dn BASE %%ldapclient_base_dn
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666 #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
URI ldaps://%%ldap_server_address:%%ldap_port URI ldaps://%%ldap_server_address:%%ldap_port


@ -13,13 +13,14 @@ commentStartToken = §
"ldapPpolicyControl" : 1, "ldapPpolicyControl" : 1,
"ldapAllowResetExpiredPassword" : 1, "ldapAllowResetExpiredPassword" : 1,
"ldapChangePasswordAsUser" : 1, "ldapChangePasswordAsUser" : 1,
"ldapBase" : "ou=users,%%ldap_base_dn", "ldapBase" : "%%ldapclient_base_dn",
"ldapExportedVars" : { "ldapExportedVars" : {
"uid" : "uid", "uid" : "uid",
"cn" : "cn", "cn" : "cn",
"sn" : "sn", "sn" : "sn",
"mail" : "mail", "mail" : "mail",
"givenName" : "givenName" "givenName" : "givenName",
"home" : "homeDirectory"
}, },
"ldapGroupAttributeName" : "memberUid", "ldapGroupAttributeName" : "memberUid",
"ldapGroupAttributeNameUser" : "cn", "ldapGroupAttributeNameUser" : "cn",
@ -99,7 +100,8 @@ commentStartToken = §
"email" : "mail", "email" : "mail",
"family_name" : "sn", "family_name" : "sn",
"name" : "cn", "name" : "cn",
"nickname" : "uid" "nickname" : "uid",
"home" : "home"
%if %%len_app - 1 == %%idx %if %%len_app - 1 == %%idx
} }
%else %else
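Review bot: The `"home" : "home"` claim added at L537 sits in the block that the `%if %%len_app - 1 == %%idx` test at L538 appears to emit once per registered application, so every OIDC client would receive the user's mail-server `homeDirectory` path, not only the service that needs it; that discloses the server's filesystem layout to third-party applications for no functional gain. If only the mail-related client needs the claim, gate it on that application; otherwise record the reason next to it with the file's comment token, e.g. `§ home is exported to every OIDC client because <reason>`. That `%%len_app`/`%%idx` iterate over applications is inferred from the names, not visible in this hunk.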


@ -1,7 +1,7 @@
PYTHON="usr/lib/python3.10/site-packages" PYTHON="usr/lib/python3.10/site-packages"
cp -a "mailman/postinstall/lemonldap" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/allauth/socialaccount/providers/" cp -a "mailman/manual/postinstall/lemonldap" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/allauth/socialaccount/providers/"
cp -a "mailman/postinstall/risotto" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/allauth/socialaccount/providers/" cp -a "mailman/manual/postinstall/risotto" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/allauth/socialaccount/providers/"
cp -a "mailman/postinstall/postorius" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius" cp -a "mailman/manual/postinstall/postorius" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius"
chmod +x "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius/manage.py" chmod +x "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius/manage.py"
ln -s /etc/mailman3.d/postorius.py "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius/m_postorius/settings_local.py" ln -s /etc/mailman3.d/postorius.py "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius/m_postorius/settings_local.py"
ln -s ../../django_mailman3/static/django-mailman3 "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/postorius/static/" ln -s ../../django_mailman3/static/django-mailman3 "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/postorius/static/"


@ -29,9 +29,9 @@ fi
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapPort "%%ldap_port" /usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapPort "%%ldap_port"
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentName "%%ldapclient_remote_user" /usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentName "%%ldapclient_remote_user"
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentPassword "%%ldapclient_remote_user_password" /usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentPassword "%%ldapclient_remote_user_password"
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBase "ou=users,%%ldap_base_dn" /usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBase "%%ldapclient_base_dn"
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseUsers "ou=users,%%ldap_base_dn" /usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseUsers "%%ldapclient_base_dn"
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseGroups "ou=users,%%ldap_base_dn" /usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseGroups "%%ldapclient_base_dn"
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapExperiencedAdmin "0" /usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapExperiencedAdmin "0"
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapExpertUUIDUserAttr "cn" /usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapExpertUUIDUserAttr "cn"
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapLoginFilter "(&(cn=%uid)(ObjectClass=inetOrgPerson))" /usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapLoginFilter "(&(cn=%uid)(ObjectClass=inetOrgPerson))"


@ -4,18 +4,26 @@
<service name='nginx' target='multi-user'> <service name='nginx' target='multi-user'>
<file>/etc/nginx/nginx.conf</file> <file>/etc/nginx/nginx.conf</file>
<file source="default">/etc/nginx/sites-available/default</file> <file source="default">/etc/nginx/sites-available/default</file>
<file filelist="nginx_default" source="default-nginx.conf">/etc/nginx/default.d/risotto.conf</file> <file filelist="nginx_default" source="default-nginx.conf">/etc/nginx/default.d/default.conf</file>
<!--file source="default-nginx-ssl.conf">/etc/nginx/conf.d/risotto-ssl.conf</file-->
<file source="nginx.index.html">/var/www/html/index.html</file> <file source="nginx.index.html">/var/www/html/index.html</file>
<file source="nginx-options.conf">/etc/nginx/conf.d/options.conf</file> <file source="nginx-options.conf">/etc/nginx/conf.d/options.conf</file>
<file>/var/www/html/error.html</file> <file>/var/www/html/error.html</file>
<file engine="none" source="sysusers.nginx.conf" filelist="nginx_fedora">/sysusers.d/nginx.conf</file> <file engine="none" source="sysusers.nginx.conf" filelist="nginx_fedora">/sysusers.d/nginx.conf</file>
<file source="tmpfiles.nginx.conf">/tmpfiles.d/nginx.conf</file> <file source="tmpfiles.nginx.conf">/tmpfiles.d/nginx.conf</file>
<file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_ca_file</file>
<file filelist="nginx_https" mode="600">/etc/pki/tls/certs/nginx.crt</file>
<file filelist="nginx_https" mode="600">/etc/pki/tls/private/nginx.key</file>
</service> </service>
</services> </services>
<variables> <variables>
<family name="nginx" description="NGINX" help="Paramétrage global de NGINX"> <family name="nginx" description="NGINX" help="Paramétrage global de NGINX">
<variable name="nginx_default" type="domainname" description="Nom de domaine du serveur mandataire inverse par défaut" help="Si un client accède au serveur avec un nom de domaine non déclaré, le flux est redirigé vers ce domaine" mandatory='True'/> <variable name="nginx_default" type="domainname" description="Nom de domaine du serveur mandataire inverse par défaut" help="Si un client accède au serveur avec un nom de domaine non déclaré, le flux est redirigé vers ce domaine" mandatory='False'/>
<variable name="nginx_root" type="filename" mandatory='False'>
<value>/usr/share/nginx/html</value>
</variable>
<variable name="nginx_https" type="boolean" description="Activer HTTPS sur le serveur" mandatory='True' hidden="True">
<value>False</value>
</variable>
<variable name="nginx_hash_bucket_size" description="Longueur maximum pour un nom de domaine" mode="expert" type="choice"> <variable name="nginx_hash_bucket_size" description="Longueur maximum pour un nom de domaine" mode="expert" type="choice">
<value>128</value> <value>128</value>
<choice type="string">128</choice> <choice type="string">128</choice>
@ -25,13 +33,10 @@
<variable name="nginx_post_max_size" type="number" description="Taille maximale des données reçues par la méthode POST (en Mo)" mode="expert" mandatory="True"> <variable name="nginx_post_max_size" type="number" description="Taille maximale des données reçues par la méthode POST (en Mo)" mode="expert" mandatory="True">
<value>32</value> <value>32</value>
</variable> </variable>
<variable name="revprox_ca_file" type="filename" description="Reverse proxy CA filename" hidden="True"/>
</family> </family>
</variables> </variables>
<constraints> <constraints>
<fill name="calc_value">
<param type="variable">domain_name_eth0</param>
<target>nginx_default</target>
</fill>
<condition name="disabled_if_not_in" source="os_name"> <condition name="disabled_if_not_in" source="os_name">
<param>Fedora</param> <param>Fedora</param>
<target type="filelist">nginx_fedora</target> <target type="filelist">nginx_fedora</target>
@ -40,5 +45,15 @@
<param type="nil"/> <param type="nil"/>
<target type="filelist">nginx_default</target> <target type="filelist">nginx_default</target>
</condition> </condition>
<condition name="disabled_if_in" source="nginx_https">
<param type="boolean">False</param>
<target type="filelist">nginx_https</target>
</condition>
<fill name="calc_value">
<param type="variable">tls_ca_directory</param>
<param>ca_InternalReverseProxy.crt</param>
<param name="join">/</param>
<target>revprox_ca_file</target>
</fill>
</constraints> </constraints>
</rougail> </rougail>
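Review bot: `nginx_root` has no `description` (nor `help`) attribute although every other user-facing variable in this family carries one in French, and the new `revprox_ca_file` description is in English (`Reverse proxy CA filename`) while the rest of the dictionary is French. Suggested: `<variable name="nginx_root" type="filename" description="Racine des documents du serveur web" mandatory='False'>` and a French description for `revprox_ca_file` matching its siblings. Separately, `nginx_default` is now `mandatory='False'` with its `calc_value` fill removed, which the `%if %%nginx_default` guard in the nginx.conf template further down appears to rely on; a `help` sentence stating that leaving it empty disables the plain-HTTP default server would make that contract explicit.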


@ -1,10 +0,0 @@
#FIXME server {
#FIXME listen 443 ssl;
#FIXME ssl_certificate %%nginx_certificate[%%revprox_domainnames_all.index(%%nginx_default)];
#FIXME ssl_certificate_key %%nginx_private_key[%%revprox_domainnames_all.index(%%nginx_default)];
#FIXME ssl_client_certificate /etc/ssl/certs/ca.crt;
#FIXME server_name _ default;
#FIXME rewrite ^(.*) https://%%nginx_default$1;
#FIXME break;
#FIXME }


@ -52,11 +52,12 @@ http {
# for more information. # for more information.
include /etc/nginx/conf.d/*.conf; include /etc/nginx/conf.d/*.conf;
%if %%os_name == 'Fedora' %if %%os_name == 'Fedora'
%if %%nginx_default
server { server {
listen 80; listen 80;
listen [::]:80; listen [::]:80;
server_name _; server_name _;
root /usr/share/nginx/html; root %%nginx_root;
# Load configuration files for the default server block. # Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf; include /etc/nginx/default.d/*.conf;
@ -69,35 +70,40 @@ http {
location = /50x.html { location = /50x.html {
} }
} }
%end if
# Settings for a TLS enabled server.
#
%if %%nginx_https
server {
listen 443 ssl http2;
server_name %%domain_name_eth0;
root %%nginx_root;
# ssl_certificate "/etc/pki/nginx/server.crt";
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
ssl_certificate /etc/pki/tls/certs/nginx.crt;
ssl_certificate_key /etc/pki/tls/private/nginx.key;
ssl_client_certificate /etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers PROFILE=SYSTEM;
ssl_prefer_server_ciphers on;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
%end if
%else %else
include /etc/nginx/sites-enabled/*; include /etc/nginx/sites-enabled/*;
%end if %end if
# Settings for a TLS enabled server.
#
# server {
# listen 443 ssl http2;
# listen [::]:443 ssl http2;
# server_name _;
# root /usr/share/nginx/html;
#
# ssl_certificate "/etc/pki/nginx/server.crt";
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 10m;
# ssl_ciphers PROFILE=SYSTEM;
# ssl_prefer_server_ciphers on;
#
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
#
# error_page 404 /404.html;
# location = /40x.html {
# }
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
# }
} }
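Review bot: The new TLS server block sets `ssl_client_certificate` to the internal CA but never enables `ssl_verify_client`, so nginx loads the CA and does nothing with it — no client certificate is requested or checked. If the intent is that only the reverse proxy can reach this port, add `ssl_verify_client on;` (optionally with `ssl_verify_depth`); if client authentication is not intended, drop the directive so it does not suggest a protection that is not there. The block also listens only on `443` while the port-80 block above listens on `[::]:80` too, and it keeps the commented `# ssl_certificate "/etc/pki/nginx/server.crt";` lines from the Fedora sample next to the real `ssl_certificate` directive, which now only add noise. The `error_page 404 /404.html;` / `location = /40x.html` mismatch is copied from the Fedora sample rather than introduced here.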


@ -2,3 +2,4 @@ format: '0.1'
description: Nginx as reverse proxy description: Nginx as reverse proxy
depends: depends:
- nginx-common - nginx-common
- reverse-proxy-client


@ -2,19 +2,38 @@
<rougail version="0.10"> <rougail version="0.10">
<services> <services>
<service name='nginx'> <service name='nginx'>
<file>/etc/nginx/conf.d/risotto.conf</file> <file filelist="nginx_default_risotto">/etc/nginx/default.d/risotto.conf</file>
<file>/etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt</file>
<file mode="600">/etc/pki/tls/certs/nginx.crt</file>
<file mode="600">/etc/pki/tls/private/nginx.key</file>
</service> </service>
</services> </services>
<variables> <variables>
<variable name="nginx_root_directory" type="filename" mandatory="True"/> <family name="nginx">
<variable name="php_fpm_user" redefine="True" exists="True"> <variable name="nginx_https" redefine="True">
<value>nginx</value> <value>True</value>
</variable> </variable>
<variable name="nginx_locations" type="filename" multi="True" mandatory="True"> <variable name="php_fpm_user" redefine="True" exists="True">
<value>/</value> <value>nginx</value>
</variable> </variable>
<variable name="nginx_root_directory" type="filename"/>
<variable name="nginx_locations" type="filename" multi="True" mandatory="True">
<value>/</value>
</variable>
</family>
<family name="redis" description="Redis">
<variable name="redis_client_key_owner" redefine="True" exists="True">
<value>nginx</value>
</variable>
</family>
<family name="postgresql" description="PostgreSQL">
<variable name="pg_client_key_owner" redefine="True" exists="True">
<value>nginx</value>
</variable>
</family>
</variables> </variables>
<constraints>
<condition name="disabled_if_in" source="nginx_root_directory">
<param type="nil"/>
<target type="filelist">nginx_default_risotto</target>
<target type="variable">nginx_locations</target>
</condition>
</constraints>
</rougail> </rougail>
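Review bot: The three files added to the `nginx` service here — `/etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt`, `/etc/pki/tls/certs/nginx.crt` and `/etc/pki/tls/private/nginx.key` — are also declared by nginx-common above (the `revprox_ca_file` variable file and the `nginx_https` filelist), and this dictionary redefines `nginx_https` to `True`, which already enables that filelist. If nginx-https layers on nginx-common the declarations here are duplicates (with a different source for the CA: a literal path here versus `tls_ca_directory` there) and can be removed; if it does not, a comment saying why they are repeated would help the next reader. The `redis` and `postgresql` families get `description` attributes while the `nginx` family here does not — minor inconsistency.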


@ -1 +0,0 @@
%%get_chain(authority_cn=%%domain_name_eth0, authority_name="InternalReverseProxy")


@ -1 +1,2 @@
%%get_certificate(cn=%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy') %%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy', type="server")
%%get_chain(%%revprox_client_server_domainname, 'InternalReverseProxy')


@ -1 +1 @@
%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy') %%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy', type='server')


@ -1,44 +1,30 @@
server { add_header X-Frame-Options "SAMEORIGIN";
listen 443 default ssl; add_header X-Content-Type-Options nosniff;
server_name %%domain_name_eth0; add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
ssl_certificate /etc/pki/tls/certs/nginx.crt; add_header X-Download-Options noopen;
ssl_certificate_key /etc/pki/tls/private/nginx.key; add_header X-Permitted-Cross-Domain-Policies none;
ssl_client_certificate /etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt; add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains;';
add_header Referrer-Policy no-referrer always;
error_page 403 404 502 503 504 /error.html;
location = /error.html{
root /var/www/html;
}
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains;';
add_header Referrer-Policy no-referrer always;
%for %%location in %%nginx_locations %for %%location in %%nginx_locations
location %%location { location %%location {
%if %%location == '/' %if %%location == '/'
root %slurp root %slurp
%else %else
alias %slurp alias %slurp
%end if %end if
%%nginx_root_directory; %%nginx_root_directory;
%if not %%getVar('php_fpm_installed', False) %if not %%getVar('php_fpm_installed', False)
index index.html; index index.html;
%else %else
index index.php; index index.php;
location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ { location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
fastcgi_pass php-fpm; fastcgi_pass php-fpm;
fastcgi_index index.php; fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $request_filename; fastcgi_param SCRIPT_FILENAME $request_filename;
include fastcgi_params; include fastcgi_params;
}
%end if
} }
%end for %end if
} }
%end for
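Review bot: The rewrite drops the `error_page 403 404 502 503 504 /error.html;` directive and its `location = /error.html { root /var/www/html; }` block, but `/var/www/html/error.html` is still delivered by the nginx-common service declaration above, so the page is now shipped with nothing visible referencing it; either reinstate the two directives in the server block that includes this file or stop deploying the page. Because this file now lives in `default.d/` it is included by both the port-80 and the TLS server blocks of nginx.conf; the `Strict-Transport-Security` header is ignored by browsers on a plain-HTTP response, so that part is harmless, but the application root is then also served over plain HTTP whenever `nginx_default` is set — if that is not wanted, the port-80 block should redirect to HTTPS instead of including this file.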


@ -5,7 +5,6 @@
<override engine="creole"/> <override engine="creole"/>
<file source="nginx-options-rp.conf">/etc/nginx/conf.d/options-rp.conf</file> <file source="nginx-options-rp.conf">/etc/nginx/conf.d/options-rp.conf</file>
<file source="revprox-nginx.conf">/etc/nginx/conf.d/risotto.conf</file> <file source="revprox-nginx.conf">/etc/nginx/conf.d/risotto.conf</file>
<file>/etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt</file>
<file source="certificate.crt" file_type="variable" mode="600" variable="revprox_domainnames_all">nginx_certificate_filename</file> <file source="certificate.crt" file_type="variable" mode="600" variable="revprox_domainnames_all">nginx_certificate_filename</file>
<file source="private.key" file_type="variable" mode="600" variable="revprox_domainnames_all">nginx_private_key_filename</file> <file source="private.key" file_type="variable" mode="600" variable="revprox_domainnames_all">nginx_private_key_filename</file>
</service> </service>
@ -19,7 +18,7 @@
<variable name="ip_eth" redefine="True" provider="ip"/> <variable name="ip_eth" redefine="True" provider="ip"/>
</family> </family>
<family name="nginx" description="NGINX" help="Paramétrage global de NGINX"> <family name="nginx" description="NGINX" help="Paramétrage global de NGINX">
<variable name="nginx_default" redefine="True" remove_fill="True"/> <variable name="nginx_default" redefine="True" mandatory="True"/>
<variable name="revprox_domainnames" type="domainname" description="Nom des domaines à configurer dans le serveur mandataire inverse" help="Liste des domaines gérés par le serveur mandataire inverse" multi="True"/> <variable name="revprox_domainnames" type="domainname" description="Nom des domaines à configurer dans le serveur mandataire inverse" help="Liste des domaines gérés par le serveur mandataire inverse" multi="True"/>
<variable name="revprox_domainnames_auto" type="domainname" description="Nom des domaines auto-configurés dans le serveur mandataire inverse" multi="True" provider="revprox_clients" hidden="True"/> <variable name="revprox_domainnames_auto" type="domainname" description="Nom des domaines auto-configurés dans le serveur mandataire inverse" multi="True" provider="revprox_clients" hidden="True"/>
<variable name="revprox_domainnames_all" type="domainname" description="Tous les noms de domaines" multi="True" hidden="True"/> <variable name="revprox_domainnames_all" type="domainname" description="Tous les noms de domaines" multi="True" hidden="True"/>


@ -1,11 +1,12 @@
from typing import List as _List from typing import List as _List
from os.path import join as _join, isdir as _isdir, abspath as _abspath from os.path import join as _join, isfile as _isfile, isdir as _isdir, abspath as _abspath, basename as _basename
from datetime import datetime as _datetime from datetime import datetime as _datetime
from ipaddress import ip_network, ip_address from ipaddress import ip_network, ip_address
from subprocess import run as _run from subprocess import run as _run
from os import makedirs as _makedirs, unlink as _unlink from os import makedirs as _makedirs
from shutil import rmtree as _rmtree from shutil import rmtree as _rmtree, copy2 as _copy2
from glob import glob as _glob from glob import glob as _glob
from filecmp import cmp as _cmp
_PKI_DIR = _abspath('pki/dnssec') _PKI_DIR = _abspath('pki/dnssec')
@ -98,13 +99,21 @@ def sign(zone_filename: str,
cn: str, cn: str,
) -> str: ) -> str:
authority_cn = zone_filename.rsplit('/', 1)[-1].rsplit('.', 1)[0] authority_cn = zone_filename.rsplit('/', 1)[-1].rsplit('.', 1)[0]
zsk, ksk = _gen_keys(cn, authority_cn) copy_file = _join(_PKI_DIR, cn, authority_cn, _basename(zone_filename))
cmd = ['ldns-signzone', '-n', zone_filename, zsk, ksk] signed_filename = f'{copy_file}.signed'
proc = _run(cmd, capture_output=True) if not _isfile(copy_file) or not _cmp(zone_filename, copy_file):
if proc.returncode != 0: _copy2(zone_filename, copy_file)
raise Exception(f'cannot sign {zone_filename}: {proc.stdout.decode()}, {proc.stderr.decode()}') zsk, ksk = _gen_keys(cn, authority_cn)
signed_filename = f'{zone_filename}.signed' cmd = ['ldns-signzone', '-n', zone_filename, zsk, ksk]
proc = _run(cmd, capture_output=True)
if proc.returncode != 0:
raise Exception(f'cannot sign {zone_filename}: {proc.stdout.decode()}, {proc.stderr.decode()}')
new_signed_filename = f'{zone_filename}.signed'
with open(new_signed_filename) as fh:
content = fh.read().strip()
content.replace('0000000000', nsd_serial())
with open(signed_filename, 'w') as fh:
fh.write(content)
with open(signed_filename) as fh: with open(signed_filename) as fh:
content = fh.read().strip() content = fh.read().strip()
_unlink(signed_filename)
return content return content


@ -12,7 +12,7 @@ $ORIGIN %%rougail_variable
$TTL 1800 $TTL 1800
@ IN SOA %%domain_name_eth0. admin.%%name. ( @ IN SOA %%domain_name_eth0. admin.%%name. (
%%nsd_serial() ; serial number 0000000000 ; serial number
3600 ; refresh 3600 ; refresh
900 ; retry 900 ; retry
1209600 ; expire 1209600 ; expire

View file

@ -2,7 +2,7 @@ $ORIGIN %%rougail_variable.
$TTL 1800 $TTL 1800
@ IN SOA %%domain_name_eth0. admin.%%rougail_variable. ( @ IN SOA %%domain_name_eth0. admin.%%rougail_variable. (
%%nsd_serial() ; serial number 0000000000 ; serial number
3600 ; refresh 3600 ; refresh
900 ; retry 900 ; retry
1209600 ; expire 1209600 ; expire


@ -20,8 +20,8 @@
<variables> <variables>
<family name="annuaire"> <family name="annuaire">
<variable name='ldap_server_address' redefine="True" hidden="True"/> <variable name='ldap_server_address' redefine="True" hidden="True"/>
<variable name='ldap_base_dn' redefine="True" mandatory="True" provider="LDAP_DN"/> <variable name='ldap_base_dn' redefine="True" mandatory="True" provider="ldap_dn"/>
<variable name='ldap_port' redefine="True" remove_fill="True" hidden="False" provider="LDAP_PORT"> <variable name='ldap_port' redefine="True" remove_fill="True" hidden="False" provider="ldap_port">
<value>636</value> <value>636</value>
</variable> </variable>
<variable name='ldap_admin_dn' type='string' description="Administrateur de l'annuaire" mandatory="True" auto_freeze='True'/> <variable name='ldap_admin_dn' type='string' description="Administrateur de l'annuaire" mandatory="True" auto_freeze='True'/>
@ -47,6 +47,7 @@
<variable name='ldap_schemas' type='filename' description='Schémas LDAP additionnel' multi='True'> <variable name='ldap_schemas' type='filename' description='Schémas LDAP additionnel' multi='True'>
<value>/etc/openldap/schema/cosine.ldif</value> <value>/etc/openldap/schema/cosine.ldif</value>
<value>/etc/openldap/schema/inetorgperson.ldif</value> <value>/etc/openldap/schema/inetorgperson.ldif</value>
<value>/etc/openldap/schema/nis.ldif</value>
</variable> </variable>
<variable name='ldap_loglevel' type='number' description='Niveau de log' mode="expert"> <variable name='ldap_loglevel' type='number' description='Niveau de log' mode="expert">
<value>0</value> <value>0</value>


@ -5,6 +5,7 @@
<family name="remote_" description="Compte LDAP pour " dynamic="accounts.remotes"> <family name="remote_" description="Compte LDAP pour " dynamic="accounts.remotes">
<variable name="dn_" description="LDAP DN" hidden="True" provider="dn"/> <variable name="dn_" description="LDAP DN" hidden="True" provider="dn"/>
<variable name="password_" description="Mot de passe" auto_save="True" hidden="True" provider="client_password"/> <variable name="password_" description="Mot de passe" auto_save="True" hidden="True" provider="client_password"/>
<variable name="family_" description="Nom de la familly" auto_save="True" hidden="True" provider="client_family"/>
<variable name="read_only_" description="Le compte est en lecture seule" type="boolean"/> <variable name="read_only_" description="Le compte est en lecture seule" type="boolean"/>
</family> </family>
<family name="acl" description="Gestion des droits d'accès aux attributes" leadership="True"> <family name="acl" description="Gestion des droits d'accès aux attributes" leadership="True">
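Review bot: The new `family_` variable's description reads `Nom de la familly`; the French word is `famille`, so it should be `description="Nom de la famille"`. This is a user-facing description, so the typo appears wherever the dictionary's descriptions are displayed.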


@ -1,3 +1,9 @@
%set %%dns = {}
%for %%remote in %%accounts.remotes
%set %%name = %%normalize_family(%%remote)
%set %%family = %%accounts['remote_' + %%name]['family_' + %%name]
%%dns.setdefault(%%family, []).append((%%accounts['remote_' + %%name]['dn_' + %%name], %%accounts['remote_' + %%name]['read_only_' + %%name]))%slurp
%end for
dn: olcDatabase={2}mdb,cn=config dn: olcDatabase={2}mdb,cn=config
changetype:modify changetype:modify
replace: olcAccess replace: olcAccess
@ -5,20 +11,22 @@ olcAccess: {0}to attrs=userPassword
by self write by self write
by anonymous auth by anonymous auth
by * none by * none
olcAccess: {1}to dn.subtree="ou=users,%%ldap_base_dn"
by self read
%set %%aclidx = 1 %set %%aclidx = 1
%for %%remote in %%accounts.remotes %for %%family, %%remotes in %%dns.items()
%set %%name = %%normalize_family(%%remote) olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldap_base_dn, %%family)"
by dn="%%accounts['remote_' + %%name]['dn_' + %%name]" %slurp by self read
%if %%accounts['remote_' + %%name]['read_only_' + %%name] %for %%remote in %%remotes
by dn="%%remote[0]" %slurp
%if %%remote[1]
read%slurp read%slurp
%else %else
write%slurp write%slurp
%end if %end if
%end for %end for
%set %%aclidx += 1
by * none by * none
%end for
%for %%idx, %%acl in %%enumerate(%%accounts.acl.ldap_acl_attribute) %for %%idx, %%acl in %%enumerate(%%accounts.acl.ldap_acl_attribute)
%set %%aclidx += 1 %set %%aclidx += 1
olcAccess: {%%aclidx}to %%acl %echo ' '.join(%%acl.ldap_acl_rights) olcAccess: {%%aclidx}to %%acl %echo ' '.join(%%acl.ldap_acl_rights)
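Review bot: The olcAccess numbering skips an index after the new family loop: each iteration emits `olcAccess: {%%aclidx}to …` and then runs `%set %%aclidx += 1`, so when the loop ends `aclidx` is already one past the last index used, and the attribute loop below increments again before its first `olcAccess: {%%aclidx}` line. With a single family the entries come out as {0}, {1}, {3}, and whether slapd tolerates a gap in the ordered values is not something I would rely on. Starting with `%set %%aclidx = 0` and moving the `%set %%aclidx += 1` to the top of the family loop body (before the `olcAccess:` line) keeps the sequence contiguous and matches the increment-then-use convention of the attribute loop. Also, when a remote's `family_` is unset every such account lands under one key of `%%dns`, which presumably yields a subtree for an empty family name — worth a guard if that can happen.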


@ -35,8 +35,12 @@ sn: %%user.ldap_user_sn
givenName: %%user.ldap_user_gn givenName: %%user.ldap_user_gn
uid: %%user.ldap_user_uid uid: %%user.ldap_user_uid
userPassword:: %%ssha_encode(%%user.ldap_user_password) userPassword:: %%ssha_encode(%%user.ldap_user_password)
homeDirectory: /srv/home/users/%%user
uidNumber: 0
gidNumber: 0
objectClass: top objectClass: top
objectClass: inetOrgPerson objectClass: inetOrgPerson
objectClass: posixAccount
%end for %end for
# Families # Families
@ -52,15 +56,19 @@ objectClass: top
objectClass: organizationalUnit objectClass: organizationalUnit
%for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family] %for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
dn: cn=%%user,ou=families,%%ldap_base_dn dn: cn=%%user,ou=%%family,ou=families,%%ldap_base_dn
cn: %%user cn: %%user
mail: %%user mail: %%user
sn: %%user['ldap_user_sn_' + %%family] sn: %%user['ldap_user_sn_' + %%family]
givenName: %%user['ldap_user_gn_' + %%family] givenName: %%user['ldap_user_gn_' + %%family]
uid: %%user['ldap_user_uid_' + %%family] uid: %%user['ldap_user_uid_' + %%family]
userPassword:: %%ssha_encode(%%user['ldap_user_password_' + %%family]) userPassword:: %%ssha_encode(%%user['ldap_user_password_' + %%family])
homeDirectory: /srv/home/families/%%family/%%user
uidNumber: 0
gidNumber: 0
objectClass: top objectClass: top
objectClass: inetOrgPerson objectClass: inetOrgPerson
objectClass: posixAccount
%end for %end for
%end for %end for
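Review bot: Every user and family entry now gets `uidNumber: 0` and `gidNumber: 0` with `objectClass: posixAccount`, which is root's uid/gid; any host that resolves these entries through NSS/PAM (sssd, nslcd, …) would map every LDAP user to root, and the duplicated values also break the uniqueness posixAccount consumers expect. If posixAccount is only needed to carry `homeDirectory`, allocate distinct unprivileged uidNumber/gidNumber values (from a counter or a dedicated range) rather than 0. The same values appear in the family block of the second hunk (the `dn: cn=%%user,ou=%%family,ou=families,…` entries).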


@ -7,3 +7,20 @@ replace: userPassword
userPassword:: %%ssha_encode(%%accounts['remote_' + %%name]['password_' + %%name]) userPassword:: %%ssha_encode(%%accounts['remote_' + %%name]['password_' + %%name])
%end for %end for
## Users
#%for %%user in %%accounts.users.ldap_user_mail
#dn: cn=%%user,ou=users,%%ldap_base_dn
#changetype: modify
#replace: homeDirectory
#homeDirectory: /srv/home/users/%%user
#
#%end for
## Families
#%for %%family in %%accounts.families
# %for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
#dn: cn=%%user,ou=%%family,ou=families,%%ldap_base_dn
#replace: homeDirectory
#homeDirectory: /srv/home/families/%%family/%%user
#
# %end for
#%end for


@ -38,8 +38,8 @@
</variable> </variable>
<variable name="oauth2_client_external" redefine="True" remove_fill="True"/> <variable name="oauth2_client_external" redefine="True" remove_fill="True"/>
</family> </family>
<family name="nginx" description="Reverse proxy"> <family name="nginx">
<family name="revprox_client" description="Point d'entré des clients" leadership="True"> <family name="revprox_client">
<variable name="revprox_client_location" redefine="True"> <variable name="revprox_client_location" redefine="True">
<value>/</value> <value>/</value>
</variable> </variable>


@ -25,5 +25,5 @@ rmdir "$IMAGE_NAME_RISOTTO_IMAGE_DIR/proc/self/"
rm -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh" rm -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh"
cd "$IMAGE_NAME_RISOTTO_IMAGE_DIR$PLUGINS_DIR/.." cd "$IMAGE_NAME_RISOTTO_IMAGE_DIR$PLUGINS_DIR/.."
patch -p0 < $OLDPWD/peertube/postinstall/peertube.patch patch -p0 < $OLDPWD/peertube/manual/postinstall/peertube.patch
cd - cd -


@ -0,0 +1,6 @@
Debug
======
echo "log_level = debug" >> /etc/php-fpm.conf
systemctl restart php-fpm


@ -9,11 +9,13 @@
</service> </service>
</services> </services>
<variables> <variables>
<variable name="php_fpm_user" type="unix_user"> <family name="nginx">
<value>root</value> <variable name="php_fpm_user" type="unix_user">
</variable> <value>root</value>
<variable name="php_fpm_installed" type="boolean"> </variable>
<value>True</value> <variable name="php_fpm_installed" type="boolean">
</variable> <value>True</value>
</variable>
</family>
</variables> </variables>
</rougail> </rougail>


@ -8,4 +8,3 @@ depends:
- relay-mail-client - relay-mail-client
- nginx-https - nginx-https
- php-fpm - php-fpm
- reverse-proxy-client


@ -12,9 +12,11 @@
<variables> <variables>
<variable name="piwigo_admin_email" type="mail" description="Adresse courriel de l'administrateur Piwigo" mandatory="True"/> <variable name="piwigo_admin_email" type="mail" description="Adresse courriel de l'administrateur Piwigo" mandatory="True"/>
<variable name="piwigo_admin_password" type="password" auto_save="True" hidden="True"/> <variable name="piwigo_admin_password" type="password" auto_save="True" hidden="True"/>
<variable name="nginx_root_directory" mandatory="True" redefine="True"> <family name="nginx">
<value>/usr/local/share/piwigo</value> <variable name="nginx_root_directory" mandatory="True" redefine="True">
</variable> <value>/usr/local/share/piwigo</value>
</variable>
</family>
<variable name="piwigo_title" type="string" description="Titre de l'album" mandatory="True"> <variable name="piwigo_title" type="string" description="Titre de l'album" mandatory="True">
<value>Album photographique</value> <value>Album photographique</value>
</variable> </variable>


@ -14,10 +14,10 @@ ln -s /etc/piwigo/database.inc.php piwigo/local/config/database.inc.php
ln -s /srv/piwigo/data piwigo/_data ln -s /srv/piwigo/data piwigo/_data
ln -s /srv/piwigo/upload piwigo/upload ln -s /srv/piwigo/upload piwigo/upload
ln -s /srv/piwigo/logs piwigo/logs ln -s /srv/piwigo/logs piwigo/logs
cp $OLDPWD/piwigo/postinstall/osmmap.php piwigo/ cp $OLDPWD/piwigo/manual/postinstall/osmmap.php piwigo/
chmod 644 piwigo/osmmap.php chmod 644 piwigo/osmmap.php
patch -p0 < $OLDPWD/piwigo/postinstall/piwigo.patch patch -p0 < $OLDPWD/piwigo/manual/postinstall/piwigo.patch
cp $OLDPWD/piwigo/postinstall/piwigo_cli.php piwigo/ cp $OLDPWD/piwigo/manual/postinstall/piwigo_cli.php piwigo/
# Plugins # Plugins
cd piwigo/plugins cd piwigo/plugins
wget https://piwigo.org/ext/download.php?rid=7848 -O plugin.zip wget https://piwigo.org/ext/download.php?rid=7848 -O plugin.zip


@ -9,4 +9,4 @@ def calc_postfix_relay_domains(criteria):
if '@' in lst: if '@' in lst:
lst = lst.split('@')[1] lst = lst.split('@')[1]
relay.add(lst) relay.add(lst)
return list(relay) return sorted(list(relay))
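Review bot: `return sorted(list(relay))` — `sorted()` already accepts any iterable and returns a new list, so `return sorted(relay)` is equivalent and shorter. The enclosing `calc_postfix_relay_domains` starts before this hunk.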


@ -2,7 +2,6 @@
<rougail version="0.10"> <rougail version="0.10">
<services> <services>
<service name="nginx" manage="False"> <service name="nginx" manage="False">
<file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_ca_file</file>
<file file_type="variable" source="revprox.crt">revprox_cert_file</file> <file file_type="variable" source="revprox.crt">revprox_cert_file</file>
<file file_type="variable" source="revprox.key" owner_type="variable" owner="revprox_client_cert_owner" group_type="variable" group="revprox_client_cert_group" mode="400">revprox_key_file</file> <file file_type="variable" source="revprox.key" owner_type="variable" owner="revprox_client_cert_owner" group_type="variable" group="revprox_client_cert_group" mode="400">revprox_key_file</file>
</service> </service>
@ -32,10 +31,8 @@
<variable name="revprox_client_cert_group" type="unix_user" description="Reverse proxy certificate group"> <variable name="revprox_client_cert_group" type="unix_user" description="Reverse proxy certificate group">
<value>root</value> <value>root</value>
</variable> </variable>
<variable name="revprox_ca_file" type="filename" description="Reverse proxy CA filename" hidden="True"/>
<variable name="revprox_cert_file" type="filename" description="Reverse proxy certificate filename" hidden="True"/> <variable name="revprox_cert_file" type="filename" description="Reverse proxy certificate filename" hidden="True"/>
<variable name="revprox_key_file" type="filename" description="Reverse proxy private key filename" hidden="True"/> <variable name="revprox_key_file" type="filename" description="Reverse proxy private key filename" hidden="True"/>
<variable name="nginx_default" exists="True" redefine="True" remove_fill="True" mandatory="False"/>
</family> </family>
</variables> </variables>
<constraints> <constraints>
@ -45,12 +42,6 @@
<param type="variable">revprox_client_local_location</param> <param type="variable">revprox_client_local_location</param>
<target>revprox_client_web_address</target> <target>revprox_client_web_address</target>
</fill> </fill>
<fill name="calc_value">
<param type="variable">tls_ca_directory</param>
<param>ca_InternalReverseProxy.crt</param>
<param name="join">/</param>
<target>revprox_ca_file</target>
</fill>
<fill name="calc_value"> <fill name="calc_value">
<param type="variable">tls_cert_directory</param> <param type="variable">tls_cert_directory</param>
<param>revprox.crt</param> <param>revprox.crt</param>


@ -1,3 +1,8 @@
Supprimer oauth
================
sed -i "s/'generic'/null/g" /etc/roundcubemail/config.inc.php
Debug ldap Debug ldap
========== ==========


@ -3,9 +3,8 @@ description: Interface web de consultation des courriels Roundcube
depends: depends:
- base-fedora-35 - base-fedora-35
- postgresql-client - postgresql-client
- ldap-client-fedora
- imap-client - imap-client
- redis-client - redis-client
- oauth2-client - oauth2-client
- apache - nginx-https
- php-fpm - php-fpm


@ -2,8 +2,8 @@
<rougail version="0.10"> <rougail version="0.10">
<services> <services>
<service name="roundcube" engine="creole" target="multi-user"> <service name="roundcube" engine="creole" target="multi-user">
<file owner="root" group="apache" mode="640">/etc/roundcubemail/config.inc.php</file> <file owner="root" group="nginx" mode="640">/etc/roundcubemail/config.inc.php</file>
<file>/etc/httpd/conf.d/roundcubemail.conf</file> <file>/etc/nginx/default.d/roundcubemail.conf</file>
<file>/secrets/roundcube-init.php</file> <file>/secrets/roundcube-init.php</file>
<file engine="none">/static/silique_cloud.svg</file> <file engine="none">/static/silique_cloud.svg</file>
<file engine="none">/static/watermark.html</file> <file engine="none">/static/watermark.html</file>
@ -32,9 +32,15 @@
</variable> </variable>
</family> </family>
<family name="nginx"> <family name="nginx">
<variable name="revprox_client_local_location" redefine="True"> <variable name="nginx_root" redefine="True">
<value>/roundcube/</value> <value>/usr/share/roundcubemail/</value>
</variable> </variable>
<variable name="revprox_client_local_location" redefine="True">
<value>/</value>
</variable>
</family>
<family name="annuaire">
<variable name='ldapclient_family' redefine="True" exists="True" mandatory="True"/>
</family> </family>
</variables> </variables>
<constraints> <constraints>
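Review bot: `nginx_root` is redefined to `/usr/share/roundcubemail/`, the whole Roundcube installation tree, and the `roundcubemail.conf` template that serves it is only partly visible at the end of this page. Roundcube relies on `.htaccess` rules to keep its non-public directories (config, temp, logs, SQL, installer) off the web, and those have no effect under nginx, so the nginx location file needs explicit `deny all` / `return 404` rules for them (and for dotfiles) before this root is exposed. A short comment on this variable pointing at where those rules live would help the next reader.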


@ -0,0 +1,8 @@
#!/bin/bash -ex
echo """#!/bin/bash -e
/usr/bin/chgrp nginx /etc/roundcubemail/*
""" > "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh"
chmod +x "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh"
chroot "$IMAGE_NAME_RISOTTO_IMAGE_DIR" /install.sh
rm -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh"
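Review bot: The `echo """..."""` construct only works because bash concatenates an empty `""` with the double-quoted string that follows, which a reader is likely to misread as a Python-style triple-quoted literal; a quoted heredoc states the intent directly and keeps the script body literal. The `-x` in the shebang additionally echoes every command to the build log, harmless here but worth dropping if this hook ever handles a secret. The chmod/chroot/rm tail stays as is.
```shell
cat > "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh" <<'EOF'
#!/bin/bash -e
/usr/bin/chgrp nginx /etc/roundcubemail/*
EOF
# … unchanged: chmod, chroot, rm …
```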


@ -1059,9 +1059,10 @@ $config['address_book_type'] = 'sql';
// Array key must contain only safe characters, ie. a-zA-Z0-9_ // Array key must contain only safe characters, ie. a-zA-Z0-9_
$config['ldap_public'] = []; $config['ldap_public'] = [];
#>GNUNUX #>GNUNUX
%if %%getVar('ldap_server_address', None)
$config['ldap_public'] = array ( $config['ldap_public'] = array (
'Local' => array ( 'Local' => array (
'name' => "Contacts", 'name' => "Ma famille",
'hosts' => array ( 'hosts' => array (
0 => 'ldaps://%%ldap_server_address', 0 => 'ldaps://%%ldap_server_address',
), ),
@ -1073,7 +1074,7 @@ $config['ldap_public'] = array (
'auth_method' => '', 'auth_method' => '',
'vlv' => false, //Samba do not support Virtual List View functions 'vlv' => false, //Samba do not support Virtual List View functions
'user_specific' => false, 'user_specific' => false,
'base_dn' => 'ou=users,%%ldap_base_dn', 'base_dn' => 'ou=%%ldapclient_family,ou=families,%%ldap_base_dn',
'writable' => false, 'writable' => false,
'required_fields' => array ( 'required_fields' => array (
0 => 'cn', 0 => 'cn',
@ -1104,6 +1105,7 @@ $config['ldap_public'] = array (
), ),
), ),
); );
%end if
#<GNUNUX #<GNUNUX
// If you are going to use LDAP for individual address books, you will need to // If you are going to use LDAP for individual address books, you will need to
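Review bot: `%%ldapclient_family` in the new `base_dn` value is interpolated inside a `%if` that only tests `ldap_server_address`, while the rougail side declares `ldapclient_family` with `exists="True"` and `ldap-client-fedora` is dropped from the dependencies; if the two variables can be present independently, rendering presumably fails on the undefined name when only the server address is set. Tightening the guard to `%if %%getVar('ldap_server_address', None) and %%getVar('ldapclient_family', None)` (or coupling the two variables in a rougail condition) closes that gap. The family name is also spliced into an LDAP DN unescaped, so a value containing DN-special characters (`,` `+` `=` `\` `"` `<` `>` `;`) would produce a malformed `base_dn`; constraining the variable's format on the rougail side is the cheaper fix. The `$config['ldap_public']` array opens and closes within this section, spread over its three hunks.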


@ -1,7 +1,7 @@
[Unit] [Unit]
Description=Roundcube database init Description=Roundcube database init
After=postgresqlclient.service After=postgresqlclient.service
Before=apache.service php-fpm.service Before=nginx.service php-fpm.service
[Service] [Service]
Type=oneshot Type=oneshot


@ -1,60 +1,51 @@
# location = / {
# Round Cube Webmail is a browser-based multilingual IMAP client alias %%nginx_root;
# }
location / {
root %%nginx_root;
index index.php;
#>GNUNUX location ~ ^/bin/(.+)$ {
Alias /roundcube/skins/elastic/risotto/ /usr/local/lib/static/ deny all;
<Directory /usr/local/lib/static/> }
Require all granted location ~ ^/plugins/enigma/home/(.+)$ {
</Directory> deny all;
#<GNUNUX }
# GNUNUX Alias /roundcubemail /usr/share/roundcubemail
Alias /roundcube /usr/share/roundcubemail
# Define who can access the Webmail # Define who can access the installer
# You can enlarge permissions once configured # keep this secured once configured
<Directory /usr/share/roundcubemail/> location ~ ^/installer/(.+\.php)$ {
Require all granted allow 127.0.0.1;
# GNUNUX <IfModule mod_authz_core.c> allow ::1;
# GNUNUX # Apache 2.4 deny all;
# GNUNUX Require local
# GNUNUX </IfModule>
# GNUNUX <IfModule !mod_authz_core.c>
# GNUNUX # Apache 2.2
# GNUNUX Order Deny,Allow
# GNUNUX Deny from all
# GNUNUX Allow from 127.0.0.1
# GNUNUX Allow from ::1
# GNUNUX </IfModule>
</Directory>
# Define who can access the installer try_files $uri =404;
# keep this secured once configured fastcgi_intercept_errors on;
include fastcgi_params;
fastcgi_param SERVER_NAME $host;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass php-fpm;
}
<Directory /usr/share/roundcubemail/installer/> # Define who can access the Webmail
Order Allow,Deny # You can enlarge permissions once configured
Deny from all
# GNUNUX <IfModule mod_authz_core.c>
# GNUNUX # Apache 2.4
# GNUNUX Require local
# GNUNUX </IfModule>
# GNUNUX <IfModule !mod_authz_core.c>
# GNUNUX # Apache 2.2
# GNUNUX Order Deny,Allow
# GNUNUX Deny from all
# GNUNUX Allow from 127.0.0.1
# GNUNUX Allow from ::1
# GNUNUX </IfModule>
</Directory>
# Those directories should not be viewed by Web clients. location ~ ^/(.+\.php)$ {
<Directory /usr/share/roundcubemail/bin/> # GNUNUX allow 127.0.0.1;
Order Allow,Deny # GNUNUX allow ::1;
Deny from all # GNUNUX deny all;
</Directory>
<Directory /usr/share/roundcubemail/plugins/enigma/home/> try_files $uri =404;
Order Allow,Deny fastcgi_intercept_errors on;
Deny from all include fastcgi_params;
</Directory> fastcgi_param SERVER_NAME $host;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass php-fpm;
}
}
location /skins/elastic/risotto {
alias /usr/local/lib/static/;
}
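Review bot: Only `bin/` and `plugins/enigma/home/` are denied under the new `location /`, but the `.htaccess` files Roundcube ships to keep `config/`, `temp/` and `logs/` out of reach under Apache are not honoured by nginx, so any non-`.php` file reachable below `%%nginx_root` in those directories would be served as static content. Add `location ~ ^/(config|temp|logs|SQL)/ { deny all; }` and `location ~ /\. { deny all; }` ahead of the generic `^/(.+\.php)$` block, since nested regex locations are matched in order and the first hit wins. Separately, `index index.php` is set inside `location /` and is not inherited by the sibling `location = /`, so the bare root URL falls back to whatever `index` the enclosing server block (outside this file, which is included from `default.d`) defines; the `location = /` block with `alias %%nginx_root;` looks redundant with the `root` directive below and could be dropped. `fastcgi_pass php-fpm;` presumes an `upstream php-fpm` defined in that enclosing configuration.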


@ -3,6 +3,7 @@
<services> <services>
<service name="vaultwarden" target="multi-user"> <service name="vaultwarden" target="multi-user">
<override/> <override/>
<file>/etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt</file>
<file engine="none" source="tmpfile-vaultwarden.conf">/tmpfiles.d/0vaultwarden.conf</file> <file engine="none" source="tmpfile-vaultwarden.conf">/tmpfiles.d/0vaultwarden.conf</file>
<file source="vaultwarden_config.env">/etc/vaultwarden/config.env</file> <file source="vaultwarden_config.env">/etc/vaultwarden/config.env</file>
</service> </service>
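Review bot: Dropping the CA file into `/etc/pki/ca-trust/source/anchors/` does not by itself make it trusted; the anchor only takes effect once `update-ca-trust` has been run inside the image, and nothing in this hunk schedules that. If the image build or the service unit already runs it this is fine; otherwise an `ExecStartPre=/usr/bin/update-ca-trust` in the `<override/>` unit, or a build-time hook, is needed. A comment next to the `<file>` entry naming who refreshes the trust store, e.g. `<!-- trust store refreshed by [build hook or unit: TODO name it] -->`, would help the next reader.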