forked from stove/dataset
dovecot
This commit is contained in:
Emmanuel Garette
parent
da3e4d487d
commit
5ccb69012b
60 changed files with 384 additions and 299 deletions
|
|
@ -2,6 +2,7 @@
|
|||
<rougail version="0.10">
|
||||
<services>
|
||||
<service name="httpd" target="multi-user">
|
||||
<file>/etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt</file>
|
||||
<file>/etc/httpd/conf/httpd.conf</file>
|
||||
<file>/etc/httpd/conf.d/risotto.conf</file>
|
||||
<file>/etc/httpd/conf.d/ssl.conf</file>
|
||||
|
|
@ -13,9 +14,11 @@
|
|||
</service>
|
||||
</services>
|
||||
<variables>
|
||||
<variable name="php_fpm_user" redefine="True" exists="True">
|
||||
<value>apache</value>
|
||||
</variable>
|
||||
<family name="nginx">
|
||||
<variable name="php_fpm_user" redefine="True" exists="True">
|
||||
<value>apache</value>
|
||||
</variable>
|
||||
</family>
|
||||
<family name="apache" description="Apache" help="Paramètrage avancé du serveur web Apache">
|
||||
<variable name="apache_timeout" type="number" description="Temps en secondes pendant lequel le serveur va attendre des entrées/sorties avant de considérer qu'une requête a échoué">
|
||||
<value>300</value>
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
#!/bin/bash -xe
|
||||
#!/bin/bash -e
|
||||
|
||||
HOST_NAME=$1
|
||||
if [ -z "$HOST_NAME" ]; then
|
||||
|
|
@ -24,4 +24,6 @@ systemctl restart systemd-resolved
|
|||
#nft 'add rule nat postrouting ip saddr 192.168.45.10 oif enp0s8 tcp dport 53 snat to 10.0.3.15'
|
||||
#nft 'add rule nat postrouting ip saddr 192.168.45.10 oif enp0s8 udp dport 53 snat to 10.0.3.15'
|
||||
|
||||
echo "install host OK"
|
||||
|
||||
exit 0
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
#!/bin/bash -xe
|
||||
#!/bin/bash -e
|
||||
|
||||
HOST_NAME=$1
|
||||
IMAGE_NAME=$2
|
||||
|
|
@ -14,7 +14,7 @@ rm -rf "$IMAGE_NAME_RISOTTO_IMAGE_DIR" tmp
|
|||
mkdir -p "$RISOTTO_IMAGE_DIR"
|
||||
PKG=""
|
||||
BASE_DIR=""
|
||||
for script in $(ls $IMAGE_NAME/preinstall/*.sh 2> /dev/null); do
|
||||
for script in $(ls $IMAGE_NAME/manual/preinstall/*.sh 2> /dev/null); do
|
||||
. "$script"
|
||||
done
|
||||
|
||||
|
|
@ -46,7 +46,7 @@ function new_package_base() {
|
|||
OPT=$(dnf_opt "$BASE_DIR" "$BASE_PKG")
|
||||
dnf --assumeno $OPT | grep ^" " > "$BASE_PKGS_FILE".new
|
||||
else
|
||||
debootstrap --include="$BASE_PKG" --variant=minbase "$RELEASEVER" "$BASE_DIR"
|
||||
debootstrap --include="$BASE_PKG" --variant=minbase "$RELEASEVER" "$BASE_DIR" > /dev/null
|
||||
chroot "$BASE_DIR" dpkg-query -f '${binary:Package} ${source:Version}\n' -W > "$BASE_PKGS_FILE".new
|
||||
fi
|
||||
}
|
||||
|
|
@ -75,6 +75,7 @@ function install_pkg() {
|
|||
|
||||
|
||||
if [ ! -f "$BASE_LOCK" ]; then
|
||||
echo " - reinstallation de l'image de base"
|
||||
rm -rf "$BASE_DIR"
|
||||
new_package_base
|
||||
diff -u "$BASE_PKGS_FILE" "$BASE_PKGS_FILE".new && NEW_BASE=false || NEW_BASE=true
|
||||
|
|
@ -83,7 +84,7 @@ if [ ! -f "$BASE_LOCK" ]; then
|
|||
install_base
|
||||
cd "$IMAGE_BASE_RISOTTO_BASE_DIR"
|
||||
tar cf "$BASE_TAR" "$BASE_NAME"
|
||||
cd -
|
||||
cd - > /dev/null
|
||||
if [ -f "$BASE_PKGS_FILE" ]; then
|
||||
mv "$BASE_PKGS_FILE" "$BASE_PKGS_FILE".old
|
||||
fi
|
||||
|
|
@ -100,8 +101,8 @@ if [ -n "$COPR" ]; then
|
|||
#FIXME signature...
|
||||
mkdir -p "$REPO_DIR"
|
||||
cd "$REPO_DIR"
|
||||
wget "$COPR"
|
||||
cd -
|
||||
wget -q "$COPR"
|
||||
cd - > /dev/null
|
||||
fi
|
||||
if [ "$FUSION" = true ]; then
|
||||
dnf -y install "https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$RELEASEVER.noarch.rpm" --installroot="$IMAGE_NAME_RISOTTO_IMAGE_DIR"
|
||||
|
|
@ -109,19 +110,24 @@ fi
|
|||
|
||||
# FIXME verifier s'il y a des modifs sur pre/post
|
||||
if [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs ] && [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs ]; then
|
||||
echo "Différence(s) avec les paquets de base"
|
||||
echo " - différence(s) avec les paquets de base"
|
||||
diff -u "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs "$BASE_PKGS_FILE" && NEW_BASE=false || NEW_BASE=true
|
||||
else
|
||||
NEW_BASE=true
|
||||
fi
|
||||
new_package
|
||||
if [ "$NEW_BASE" = false ]; then
|
||||
echo "Différence(s) avec les paquets de l'image"
|
||||
echo " - différence(s) avec les paquets de l'image"
|
||||
diff -u "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new && INSTALL=false || INSTALL=true
|
||||
else
|
||||
INSTALL=true
|
||||
fi
|
||||
find $IMAGE_NAME/manual -type f -exec md5sum '{}' \; > "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum.new
|
||||
if [ "$NEW_BASE" = false ]; then
|
||||
diff -u "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum.new && INSTALL=false || INSTALL=true
|
||||
fi
|
||||
if [ "$INSTALL" = true ]; then
|
||||
echo " - installation"
|
||||
if [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version ]; then
|
||||
VERSION=$(cat "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version)
|
||||
else
|
||||
|
|
@ -145,7 +151,7 @@ if [ "$INSTALL" = true ]; then
|
|||
install_pkg
|
||||
sleep 2
|
||||
|
||||
for script in $(ls $IMAGE_NAME/postinstall/*.sh 2> /dev/null); do
|
||||
for script in $(ls $IMAGE_NAME/manual/postinstall/*.sh 2> /dev/null); do
|
||||
. "$script"
|
||||
done
|
||||
|
||||
|
|
@ -161,11 +167,13 @@ if [ "$INSTALL" = true ]; then
|
|||
fi
|
||||
tar cf "$IMAGE_NAME_RISOTTO_IMAGE_NAME" "$IMAGE_NAME"
|
||||
sha256sum "$IMAGE_NAME_RISOTTO_IMAGE_NAME" > "$IMAGE_NAME_RISOTTO_IMAGE_NAME".sha
|
||||
cd -
|
||||
cd - > /dev/null
|
||||
cp -f "$BASE_PKGS_FILE" "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs
|
||||
mv -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs
|
||||
mv -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum.new "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum
|
||||
VERSION=$((VERSION + 1))
|
||||
echo "$VERSION" > "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version
|
||||
fi
|
||||
rm -rf "$IMAGE_NAME_RISOTTO_IMAGE_DIR"
|
||||
echo " => OK"
|
||||
exit 0
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
#!/bin/bash -xe
|
||||
#!/bin/bash -e
|
||||
HOST_NAME=$1
|
||||
if [ -z "$HOST_NAME" ]; then
|
||||
echo "usage: $0 host name"
|
||||
|
|
@ -8,6 +8,8 @@ fi
|
|||
rm -f $IMAGE_BASE_RISOTTO_BASE_DIR*.build
|
||||
for image in *; do
|
||||
if [ -d "$image" ]; then
|
||||
echo
|
||||
echo "Install image $image"
|
||||
./install_image "$HOST_NAME" "$image"
|
||||
fi
|
||||
done
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
#!/bin/bash -xe
|
||||
#!/bin/bash -e
|
||||
HOST_NAME=$1
|
||||
IMAGE_NAME=$2
|
||||
MACHINE=$3
|
||||
|
|
@ -26,19 +26,19 @@ if [ -L "$MACHINE_MACHINES_DIR" ] || [ -d "$MACHINE_MACHINES_DIR" ]; then
|
|||
diff -q --no-dereference -Nru "$MACHINE_RISOTTO_CONFIG_DIR" "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" || NEW_CONF=true
|
||||
fi
|
||||
if [ "$NEW_IMAGE" = true ] || [ "$NEW_CONF" = true ]; then
|
||||
echo " - stop $IMAGE_NAME"
|
||||
machinectl stop "$MACHINE" 2> /dev/null || true
|
||||
while true; do
|
||||
machinectl status "$MACHINE" > /dev/null 2>&1 || break
|
||||
sleep 1
|
||||
echo "retry..."
|
||||
done
|
||||
fi
|
||||
if [ "$NEW_IMAGE" = true ]; then
|
||||
echo "SUPPRIME ANCIENNE IMAGE"
|
||||
echo " - delete old image"
|
||||
rm -rf "$MACHINE_MACHINES_DIR"
|
||||
fi
|
||||
if [ "$NEW_CONF" = true ]; then
|
||||
echo "SUPPRIME ANCIENNE CONF"
|
||||
echo " - delete old settings"
|
||||
./diff.py "$MACHINE" "$MACHINE_RISOTTO_CONFIG_DIR" "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" > "$MACHINE_RISOTTO_CONFIG_DIR"_changelog.md
|
||||
rm -rf "$MACHINE_RISOTTO_CONFIG_DIR"
|
||||
fi
|
||||
|
|
@ -58,7 +58,8 @@ if [ ! -d "$MACHINE_MACHINES_DIR" ]; then
|
|||
mkdir -p "$SHA_MACHINE_DIR"
|
||||
cp -a "$IMAGE_NAME_RISOTTO_IMAGE_NAME".sha "$SHA_MACHINE"
|
||||
mv "$IMAGE_NAME" "$MACHINE_MACHINES_DIR"
|
||||
cd -
|
||||
cd - > /dev/null
|
||||
fi
|
||||
|
||||
echo " => OK"
|
||||
exit 0
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
#!/bin/bash -xe
|
||||
#!/bin/bash -e
|
||||
HOST_NAME=$1
|
||||
if [ -z "$HOST_NAME" ]; then
|
||||
echo "usage: $0 host name"
|
||||
|
|
@ -14,6 +14,8 @@ for image in *; do
|
|||
if [ -f "host/configurations/$HOST_NAME/etc/systemd/nspawn/$osname.nspawn" ]; then
|
||||
MACHINES="$MACHINES$osname "
|
||||
fi
|
||||
echo
|
||||
echo "Install machine $image"
|
||||
./install_machine "$HOST_NAME" "$image" "$osname"
|
||||
fi
|
||||
done
|
||||
|
|
|
|||
|
|
@ -5,4 +5,4 @@ depends:
|
|||
- relay-mail-client
|
||||
- ldap-client-fedora
|
||||
- oauth2-client
|
||||
- nginx-common
|
||||
- nginx-https
|
||||
|
|
|
|||
|
|
@ -7,7 +7,6 @@
|
|||
<file engine="none" source="tmpfile-postfix.conf">/tmpfiles.d/0postfix.conf</file>
|
||||
<file>/etc/postfix/main.cf</file>
|
||||
<file>/etc/postfix/master.cf</file>
|
||||
<file>/etc/postfix/ldapsource.cf</file>
|
||||
<file>/etc/postfix/relay_passwd</file>
|
||||
<file>/etc/pki/ca-trust/source/anchors/ca_MailServer.crt</file>
|
||||
<file>/etc/pki/tls/certs/postfix.crt</file>
|
||||
|
|
@ -22,9 +21,6 @@
|
|||
</service>
|
||||
<service name='nginx'>
|
||||
<file source='config-v1.1.xml' file_type="variable" variable="mail_domains">well_known_filenames</file>
|
||||
<file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_ca_file</file>
|
||||
<file file_type="variable" source="revprox.crt">revprox_cert_file</file>
|
||||
<file file_type="variable" source="revprox.key" mode="400">revprox_key_file</file>
|
||||
</service>
|
||||
<service name="dovecot" target="multi-user">
|
||||
<file engine="none" source="sysuser-dovecot.conf">/sysusers.d/1dovecot.conf</file>
|
||||
|
|
@ -69,7 +65,7 @@
|
|||
</family>
|
||||
<family name="mail" description="Mail domain" leadership="True">
|
||||
<variable name="mail_domains" type="domainname" description="Domaine de courriel géré localement" mandatory="True" multi="True"/>
|
||||
<variable name="mail_domains_calc" type="domainname" multi="True" hidden="True"/>
|
||||
<variable name="mail_domains_calc" type="domainname" hidden="True"/>
|
||||
<variable name="imap_domainname" type="domainname" mandatory="True"/>
|
||||
<variable name="submission_domainname" type="domainname" mandatory="True"/>
|
||||
</family>
|
||||
|
|
@ -88,11 +84,11 @@
|
|||
</family>
|
||||
</family>
|
||||
<family name="nginx">
|
||||
<variable name="nginx_default" redefine="True" remove_fill="True" mandatory="False"/>
|
||||
<variable name="revprox_ca_file" type="filename" description="Reverse proxy CA filename" hidden="True"/>
|
||||
<variable name="revprox_cert_file" type="filename" description="Reverse proxy certificate filename" hidden="True"/>
|
||||
<variable name="revprox_key_file" type="filename" description="Reverse proxy private key filename" hidden="True"/>
|
||||
<variable name="revprox_server_domainname" type="domainname" description="Reverse proxy domain name for CA" mandatory="True"/>
|
||||
<family name="revprox_client">
|
||||
<variable name="revprox_client_location" redefine="True" mandatory="False">
|
||||
<value/>
|
||||
</variable>
|
||||
</family>
|
||||
</family>
|
||||
</variables>
|
||||
<constraints>
|
||||
|
|
@ -115,24 +111,6 @@
|
|||
<param name="dynamic" type="variable">domain_name_eth0</param>
|
||||
<target>mail_domains</target>
|
||||
</check>
|
||||
<fill name="calc_value">
|
||||
<param type="variable">tls_ca_directory</param>
|
||||
<param>ca_InternalReverseProxy.crt</param>
|
||||
<param name="join">/</param>
|
||||
<target>revprox_ca_file</target>
|
||||
</fill>
|
||||
<fill name="calc_value">
|
||||
<param type="variable">tls_cert_directory</param>
|
||||
<param>revprox.crt</param>
|
||||
<param name="join">/</param>
|
||||
<target>revprox_cert_file</target>
|
||||
</fill>
|
||||
<fill name="calc_value">
|
||||
<param type="variable">tls_key_directory</param>
|
||||
<param>revprox.key</param>
|
||||
<param name="join">/</param>
|
||||
<target>revprox_key_file</target>
|
||||
</fill>
|
||||
<fill name="calc_value">
|
||||
<param>/etc/pki/tls/certs/imap_</param>
|
||||
<param type="variable">imap_domainname</param>
|
||||
|
|
@ -159,7 +137,6 @@
|
|||
</fill>
|
||||
<fill name="calc_value">
|
||||
<param type="variable">mail_domains</param>
|
||||
<param name="multi" type="boolean">True</param>
|
||||
<target>mail_domains_calc</target>
|
||||
</fill>
|
||||
<fill name="calc_value">
|
||||
|
|
@ -172,7 +149,7 @@
|
|||
<target>well_known_filenames</target>
|
||||
</fill>
|
||||
<check name="set_linked_multi_variables">
|
||||
<param type="variable">revprox_server_domainname</param>
|
||||
<param type="variable">revprox_client_server_domainname</param>
|
||||
<param name="linked_provider_0">revprox_clients</param>
|
||||
<param name="linked_provider_1">revprox_location</param>
|
||||
<param name="linked_value_1">/.well-known/autoconfig/mail/config-v1.1.xml</param>
|
||||
|
|
@ -183,7 +160,7 @@
|
|||
<target>mail_domains_calc</target>
|
||||
</check>
|
||||
<check name="set_linked_multi_variables">
|
||||
<param type="variable">revprox_server_domainname</param>
|
||||
<param type="variable">revprox_client_server_domainname</param>
|
||||
<param name="linked_provider_0">revprox_clients</param>
|
||||
<param name="linked_provider_1">revprox_location</param>
|
||||
<param name="linked_value_1">/autodiscover/autodiscover.xml</param>
|
||||
|
|
|
|||
|
|
@ -28,7 +28,7 @@
|
|||
# <doc/wiki/MailLocation.txt>
|
||||
#
|
||||
#>GNUNUX
|
||||
mail_location = maildir:/srv/mail/%u
|
||||
mail_location = maildir:~/
|
||||
#<GNUNUX
|
||||
|
||||
# If you need to set multiple mailbox locations or want to change default
|
||||
|
|
@ -107,8 +107,8 @@ namespace inbox {
|
|||
# System user and group used to access mails. If you use multiple, userdb
|
||||
# can override these by returning uid or gid fields. You can use either numbers
|
||||
# or names. <doc/wiki/UserIds.txt>
|
||||
#mail_uid =
|
||||
#mail_gid =
|
||||
mail_uid = vmail
|
||||
mail_gid = vmail
|
||||
|
||||
# Group to enable temporarily for privileged operations. Currently this is
|
||||
# used only with INBOX when either its initial creation or dotlocking fails.
|
||||
|
|
|
|||
|
|
@ -16,13 +16,14 @@ passdb {
|
|||
# driver = prefetch
|
||||
#}
|
||||
|
||||
# GNUNUX userdb {
|
||||
# GNUNUX driver = ldap
|
||||
# GNUNUX args = /etc/dovecot/dovecot-ldap.conf.ext
|
||||
# GNUNUX
|
||||
# GNUNUX # Default fields can be used to specify defaults that LDAP may override
|
||||
# GNUNUX #default_fields = home=/home/virtual/%u
|
||||
# GNUNUX }
|
||||
userdb {
|
||||
driver = ldap
|
||||
# GNUNUX args = /etc/dovecot/dovecot-ldap.conf.ext
|
||||
args = /etc/dovecot/dovecot-ldap.conf.ext
|
||||
|
||||
# Default fields can be used to specify defaults that LDAP may override
|
||||
#default_fields = home=/home/virtual/%u
|
||||
}
|
||||
|
||||
# If you don't have any user-specific settings, you can avoid the userdb LDAP
|
||||
# lookup by using userdb static instead of userdb ldap, for example:
|
||||
|
|
@ -31,9 +32,3 @@ passdb {
|
|||
#driver = static
|
||||
#args = uid=vmail gid=vmail home=/var/vmail/%u
|
||||
#}
|
||||
#>GNUNUX
|
||||
userdb {
|
||||
driver = static
|
||||
args = uid=vmail gid=vmail home=/srv/mail/%u
|
||||
}
|
||||
#<GNUNUX
|
||||
|
|
|
|||
|
|
@ -1 +0,0 @@
|
|||
%%get_chain(%%revprox_server_domainname, authority_name='InternalReverseProxy')
|
||||
|
|
@ -99,7 +99,7 @@ tls_require_cert = hard
|
|||
#auth_bind_userdn =
|
||||
#>GNUNUX
|
||||
auth_bind = yes
|
||||
auth_bind_userdn = cn=%u,ou=users,%%ldap_base_dn
|
||||
auth_bind_userdn = cn=%u,%%ldapclient_base_dn
|
||||
#<GNUNUX
|
||||
|
||||
# LDAP protocol version to use. Likely 2 or 3.
|
||||
|
|
@ -108,7 +108,7 @@ auth_bind_userdn = cn=%u,ou=users,%%ldap_base_dn
|
|||
# LDAP base. %variables can be used here.
|
||||
# For example: dc=mail, dc=example, dc=org
|
||||
# GNUNUX base =
|
||||
base = ou=users,%%ldap_base_dn
|
||||
base = %%ldapclient_base_dn
|
||||
|
||||
# Dereference: never, searching, finding, always
|
||||
#deref = never
|
||||
|
|
@ -126,6 +126,9 @@ base = ou=users,%%ldap_base_dn
|
|||
# There are also other special fields which can be returned, see
|
||||
# http://wiki2.dovecot.org/UserDatabase/ExtraFields
|
||||
#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
|
||||
#>GNUNUX
|
||||
user_attrs = homeDirectory=home
|
||||
#<GNUNUX
|
||||
|
||||
# Filter for user lookup. Some variables can be used (see
|
||||
# http://wiki2.dovecot.org/Variables for full list):
|
||||
|
|
|
|||
|
|
@ -784,7 +784,6 @@ smtpd_use_tls = yes
|
|||
mailbox_size_limit = 0
|
||||
message_size_limit = 202400000
|
||||
biff = no
|
||||
#virtual_maps = ldap:/etc/postfix/ldapsource.cf
|
||||
smtpd_tls_loglevel = 1
|
||||
smtp_tls_note_starttls_offer = yes
|
||||
smtpd_tls_auth_only = yes
|
||||
|
|
@ -804,12 +803,11 @@ dovecot_destination_recipient_limit = 1
|
|||
%%domains.append(%%str(%%domain))%slurp
|
||||
%end for
|
||||
virtual_mailbox_domains = %echo ', '.join(%%domains)
|
||||
virtual_mailbox_maps = ldap:/etc/postfix/ldapsource.cf
|
||||
virtual_alias_maps = ldap:/etc/postfix/ldapsource.cf
|
||||
virtual_minimum_uid = 1000
|
||||
#vmail uid
|
||||
virtual_uid_maps = static:999
|
||||
virtual_gid_maps = static:999
|
||||
virtual_transport = dovecot
|
||||
virtual_mailbox_base = /srv/mail
|
||||
#virtual_mailbox_base = /srv/mail
|
||||
#<GNUNUX
|
||||
|
|
|
|||
|
|
@ -1,2 +0,0 @@
|
|||
%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_server_domainname, authority_name='InternalReverseProxy', type="server")
|
||||
%%get_chain(%%revprox_server_domainname, 'InternalReverseProxy')
|
||||
|
|
@ -1 +0,0 @@
|
|||
%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_server_domainname, authority_name='InternalReverseProxy', type='server')
|
||||
|
|
@ -3,4 +3,4 @@ g dovenull 982 -
|
|||
g vmail 999 -
|
||||
u dovecot 97:97 "Dovecot IMAP server" /usr/libexec/dovecot /sbin/nologin
|
||||
u dovenull 984:982 "Dovecot's unauthorized user" /usr/libexec/dovecot /sbin/nologin
|
||||
u vmail 999:999 "Virtual mail user" /srv/mail /sbin/nologin
|
||||
u vmail 999:999 "Virtual mail user" /srv/home /sbin/nologin
|
||||
|
|
|
|||
|
|
@ -1 +1,4 @@
|
|||
d /srv/dovecot 750 dovecot postfix - -
|
||||
d /srv/home 750 root vmail - -
|
||||
d /srv/home/users 770 root vmail - -
|
||||
d /srv/home/families 770 root vmail - -
|
||||
|
|
|
|||
|
|
@ -1,5 +1,4 @@
|
|||
d /srv/postfix 750 postfix postfix - -
|
||||
d /srv/postfix/data 750 postfix postfix - -
|
||||
d /srv/postfix/spool 755 root root - -
|
||||
d /srv/mail 770 root vmail - -
|
||||
d /var/lib/misc/ 755 root root - -
|
||||
|
|
|
|||
|
|
@ -2,6 +2,7 @@
|
|||
<rougail version="0.10">
|
||||
<services>
|
||||
<service name="gitea" target="multi-user" engine="creole">
|
||||
<file>/etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt</file>
|
||||
<file engine="none" source="sysuser-gitea.conf">/sysusers.d/0gitea.conf</file>
|
||||
<file engine="none" source="tmpfile-gitea.conf">/tmpfiles.d/0gitea.conf</file>
|
||||
<file>/etc/gitea/app.ini</file>
|
||||
|
|
|
|||
|
|
@ -12,9 +12,11 @@
|
|||
<variables>
|
||||
<family name="annuaire">
|
||||
<variable name='ldap_server_address' type='domainname' description="Nom DNS du serveur LDAP" mandatory='True'/>
|
||||
<variable name='ldapclient_family' type='unix_user' description="L'arbre LDAP est de type famille"/>
|
||||
<variable name='ldapclient_remote_user' type='string' description="DN de l'tilisateur distant" mandatory='True' hidden="True"/>
|
||||
<variable name='ldapclient_remote_user_password' type='password' description="Mot de passe de l'utilisateur distant" mandatory='True' hidden="True"/>
|
||||
<variable name='ldap_base_dn' type='string' description="Base DN de l'annuaire" mandatory="True" test="dc=test,o=fr"/>
|
||||
<variable name='ldapclient_base_dn' type='string' description="Base DN de l'annuaire" mandatory="True"/>
|
||||
<variable name='ldap_port' type='port' description='Port du serveur LDAP' mandatory='True' test="636"/>
|
||||
<variable name="ldap_ca_file" type="filename" description="LDAP CA filename" hidden="True"/>
|
||||
<variable name="ldap_cert_file" type="filename" description="LDAP certificate filename" hidden="True"/>
|
||||
|
|
@ -31,6 +33,11 @@
|
|||
<check name='valid_base_dn'>
|
||||
<target>ldap_base_dn</target>
|
||||
</check>
|
||||
<fill name="calc_ldapclient_base_dn">
|
||||
<param type="variable">ldap_base_dn</param>
|
||||
<param type="variable">ldapclient_family</param>
|
||||
<target>ldapclient_base_dn</target>
|
||||
</fill>
|
||||
<fill name="calc_value">
|
||||
<param type="variable">tls_ca_directory</param>
|
||||
<param>ca_LDAP.crt</param>
|
||||
|
|
@ -65,13 +72,19 @@
|
|||
</fill>
|
||||
<fill name="get_linked_configuration">
|
||||
<param name="linked_server" type="variable">ldap_server_address</param>
|
||||
<param name="linked_provider">LDAP_DN</param>
|
||||
<param name="linked_provider">ldap_dn</param>
|
||||
<target>ldap_base_dn</target>
|
||||
</fill>
|
||||
<fill name="get_linked_configuration">
|
||||
<param name="linked_server" type="variable">ldap_server_address</param>
|
||||
<param name="linked_provider">LDAP_PORT</param>
|
||||
<param name="linked_provider">ldap_port</param>
|
||||
<target>ldap_port</target>
|
||||
</fill>
|
||||
<check name="set_linked_configuration">
|
||||
<param name="linked_server" type="variable">ldap_server_address</param>
|
||||
<param name="linked_provider">client_family</param>
|
||||
<param name="dynamic" type="variable">domain_name_eth0</param>
|
||||
<target>ldapclient_family</target>
|
||||
</check>
|
||||
</constraints>
|
||||
</rougail>
|
||||
|
|
|
|||
|
|
@ -4,3 +4,11 @@ def valid_base_dn(base_dn: str) -> None:
|
|||
break
|
||||
else:
|
||||
raise ValueError('La racine doit débuter par une organisation (o=), une composante du domaine (dc=) ou une unité organisationnelle (ou=)')
|
||||
|
||||
|
||||
def calc_ldapclient_base_dn(ldap_base_dn: str,
|
||||
family_name: str,
|
||||
) -> str:
|
||||
if not family_name:
|
||||
return f'ou=users,{ldap_base_dn}'
|
||||
return f'ou={family_name},ou=families,{ldap_base_dn}'
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@
|
|||
# This file should be world readable but not world writable.
|
||||
|
||||
#BASE dc=example,dc=com
|
||||
BASE ou=users,%%ldap_base_dn
|
||||
BASE %%ldapclient_base_dn
|
||||
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
|
||||
URI ldaps://%%ldap_server_address:%%ldap_port
|
||||
|
||||
|
|
|
|||
|
|
@ -13,13 +13,14 @@ commentStartToken = §
|
|||
"ldapPpolicyControl" : 1,
|
||||
"ldapAllowResetExpiredPassword" : 1,
|
||||
"ldapChangePasswordAsUser" : 1,
|
||||
"ldapBase" : "ou=users,%%ldap_base_dn",
|
||||
"ldapBase" : "%%ldapclient_base_dn",
|
||||
"ldapExportedVars" : {
|
||||
"uid" : "uid",
|
||||
"cn" : "cn",
|
||||
"sn" : "sn",
|
||||
"mail" : "mail",
|
||||
"givenName" : "givenName"
|
||||
"givenName" : "givenName",
|
||||
"home" : "homeDirectory"
|
||||
},
|
||||
"ldapGroupAttributeName" : "memberUid",
|
||||
"ldapGroupAttributeNameUser" : "cn",
|
||||
|
|
@ -99,7 +100,8 @@ commentStartToken = §
|
|||
"email" : "mail",
|
||||
"family_name" : "sn",
|
||||
"name" : "cn",
|
||||
"nickname" : "uid"
|
||||
"nickname" : "uid",
|
||||
"home" : "home"
|
||||
%if %%len_app - 1 == %%idx
|
||||
}
|
||||
%else
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
PYTHON="usr/lib/python3.10/site-packages"
|
||||
cp -a "mailman/postinstall/lemonldap" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/allauth/socialaccount/providers/"
|
||||
cp -a "mailman/postinstall/risotto" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/allauth/socialaccount/providers/"
|
||||
cp -a "mailman/postinstall/postorius" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius"
|
||||
cp -a "mailman/manual/postinstall/lemonldap" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/allauth/socialaccount/providers/"
|
||||
cp -a "mailman/manual/postinstall/risotto" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/allauth/socialaccount/providers/"
|
||||
cp -a "mailman/manual/postinstall/postorius" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius"
|
||||
chmod +x "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius/manage.py"
|
||||
ln -s /etc/mailman3.d/postorius.py "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius/m_postorius/settings_local.py"
|
||||
ln -s ../../django_mailman3/static/django-mailman3 "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/postorius/static/"
|
||||
|
|
|
|||
|
|
@ -29,9 +29,9 @@ fi
|
|||
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapPort "%%ldap_port"
|
||||
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentName "%%ldapclient_remote_user"
|
||||
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentPassword "%%ldapclient_remote_user_password"
|
||||
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBase "ou=users,%%ldap_base_dn"
|
||||
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseUsers "ou=users,%%ldap_base_dn"
|
||||
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseGroups "ou=users,%%ldap_base_dn"
|
||||
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBase "%%ldapclient_base_dn"
|
||||
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseUsers "%%ldapclient_base_dn"
|
||||
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseGroups "%%ldapclient_base_dn"
|
||||
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapExperiencedAdmin "0"
|
||||
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapExpertUUIDUserAttr "cn"
|
||||
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapLoginFilter "(&(cn=%uid)(ObjectClass=inetOrgPerson))"
|
||||
|
|
|
|||
|
|
@ -4,18 +4,26 @@
|
|||
<service name='nginx' target='multi-user'>
|
||||
<file>/etc/nginx/nginx.conf</file>
|
||||
<file source="default">/etc/nginx/sites-available/default</file>
|
||||
<file filelist="nginx_default" source="default-nginx.conf">/etc/nginx/default.d/risotto.conf</file>
|
||||
<!--file source="default-nginx-ssl.conf">/etc/nginx/conf.d/risotto-ssl.conf</file-->
|
||||
<file filelist="nginx_default" source="default-nginx.conf">/etc/nginx/default.d/default.conf</file>
|
||||
<file source="nginx.index.html">/var/www/html/index.html</file>
|
||||
<file source="nginx-options.conf">/etc/nginx/conf.d/options.conf</file>
|
||||
<file>/var/www/html/error.html</file>
|
||||
<file engine="none" source="sysusers.nginx.conf" filelist="nginx_fedora">/sysusers.d/nginx.conf</file>
|
||||
<file source="tmpfiles.nginx.conf">/tmpfiles.d/nginx.conf</file>
|
||||
<file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_ca_file</file>
|
||||
<file filelist="nginx_https" mode="600">/etc/pki/tls/certs/nginx.crt</file>
|
||||
<file filelist="nginx_https" mode="600">/etc/pki/tls/private/nginx.key</file>
|
||||
</service>
|
||||
</services>
|
||||
<variables>
|
||||
<family name="nginx" description="NGINX" help="Paramétrage global de NGINX">
|
||||
<variable name="nginx_default" type="domainname" description="Nom de domaine du serveur mandataire inverse par défaut" help="Si un client accède au serveur avec un nom de domaine non déclaré, le flux est redirigé vers ce domaine" mandatory='True'/>
|
||||
<variable name="nginx_default" type="domainname" description="Nom de domaine du serveur mandataire inverse par défaut" help="Si un client accède au serveur avec un nom de domaine non déclaré, le flux est redirigé vers ce domaine" mandatory='False'/>
|
||||
<variable name="nginx_root" type="filename" mandatory='False'>
|
||||
<value>/usr/share/nginx/html</value>
|
||||
</variable>
|
||||
<variable name="nginx_https" type="boolean" description="Activer HTTPS sur le serveur" mandatory='True' hidden="True">
|
||||
<value>False</value>
|
||||
</variable>
|
||||
<variable name="nginx_hash_bucket_size" description="Longueur maximum pour un nom de domaine" mode="expert" type="choice">
|
||||
<value>128</value>
|
||||
<choice type="string">128</choice>
|
||||
|
|
@ -25,13 +33,10 @@
|
|||
<variable name="nginx_post_max_size" type="number" description="Taille maximale des données reçues par la méthode POST (en Mo)" mode="expert" mandatory="True">
|
||||
<value>32</value>
|
||||
</variable>
|
||||
<variable name="revprox_ca_file" type="filename" description="Reverse proxy CA filename" hidden="True"/>
|
||||
</family>
|
||||
</variables>
|
||||
<constraints>
|
||||
<fill name="calc_value">
|
||||
<param type="variable">domain_name_eth0</param>
|
||||
<target>nginx_default</target>
|
||||
</fill>
|
||||
<condition name="disabled_if_not_in" source="os_name">
|
||||
<param>Fedora</param>
|
||||
<target type="filelist">nginx_fedora</target>
|
||||
|
|
@ -40,5 +45,15 @@
|
|||
<param type="nil"/>
|
||||
<target type="filelist">nginx_default</target>
|
||||
</condition>
|
||||
<condition name="disabled_if_in" source="nginx_https">
|
||||
<param type="boolean">False</param>
|
||||
<target type="filelist">nginx_https</target>
|
||||
</condition>
|
||||
<fill name="calc_value">
|
||||
<param type="variable">tls_ca_directory</param>
|
||||
<param>ca_InternalReverseProxy.crt</param>
|
||||
<param name="join">/</param>
|
||||
<target>revprox_ca_file</target>
|
||||
</fill>
|
||||
</constraints>
|
||||
</rougail>
|
||||
|
|
|
|||
|
|
@ -1,10 +0,0 @@
|
|||
#FIXME server {
|
||||
#FIXME listen 443 ssl;
|
||||
#FIXME ssl_certificate %%nginx_certificate[%%revprox_domainnames_all.index(%%nginx_default)];
|
||||
#FIXME ssl_certificate_key %%nginx_private_key[%%revprox_domainnames_all.index(%%nginx_default)];
|
||||
#FIXME ssl_client_certificate /etc/ssl/certs/ca.crt;
|
||||
#FIXME server_name _ default;
|
||||
#FIXME rewrite ^(.*) https://%%nginx_default$1;
|
||||
#FIXME break;
|
||||
#FIXME }
|
||||
|
||||
|
|
@ -52,11 +52,12 @@ http {
|
|||
# for more information.
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
%if %%os_name == 'Fedora'
|
||||
%if %%nginx_default
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name _;
|
||||
root /usr/share/nginx/html;
|
||||
root %%nginx_root;
|
||||
|
||||
# Load configuration files for the default server block.
|
||||
include /etc/nginx/default.d/*.conf;
|
||||
|
|
@ -69,35 +70,40 @@ http {
|
|||
location = /50x.html {
|
||||
}
|
||||
}
|
||||
%end if
|
||||
# Settings for a TLS enabled server.
|
||||
#
|
||||
%if %%nginx_https
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name %%domain_name_eth0;
|
||||
root %%nginx_root;
|
||||
|
||||
# ssl_certificate "/etc/pki/nginx/server.crt";
|
||||
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
|
||||
ssl_certificate /etc/pki/tls/certs/nginx.crt;
|
||||
ssl_certificate_key /etc/pki/tls/private/nginx.key;
|
||||
ssl_client_certificate /etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt;
|
||||
|
||||
ssl_session_cache shared:SSL:1m;
|
||||
ssl_session_timeout 10m;
|
||||
ssl_ciphers PROFILE=SYSTEM;
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
# Load configuration files for the default server block.
|
||||
include /etc/nginx/default.d/*.conf;
|
||||
|
||||
error_page 404 /404.html;
|
||||
location = /40x.html {
|
||||
}
|
||||
|
||||
error_page 500 502 503 504 /50x.html;
|
||||
location = /50x.html {
|
||||
}
|
||||
}
|
||||
%end if
|
||||
%else
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
%end if
|
||||
|
||||
# Settings for a TLS enabled server.
|
||||
#
|
||||
# server {
|
||||
# listen 443 ssl http2;
|
||||
# listen [::]:443 ssl http2;
|
||||
# server_name _;
|
||||
# root /usr/share/nginx/html;
|
||||
#
|
||||
# ssl_certificate "/etc/pki/nginx/server.crt";
|
||||
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
|
||||
# ssl_session_cache shared:SSL:1m;
|
||||
# ssl_session_timeout 10m;
|
||||
# ssl_ciphers PROFILE=SYSTEM;
|
||||
# ssl_prefer_server_ciphers on;
|
||||
#
|
||||
# # Load configuration files for the default server block.
|
||||
# include /etc/nginx/default.d/*.conf;
|
||||
#
|
||||
# error_page 404 /404.html;
|
||||
# location = /40x.html {
|
||||
# }
|
||||
#
|
||||
# error_page 500 502 503 504 /50x.html;
|
||||
# location = /50x.html {
|
||||
# }
|
||||
# }
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,3 +2,4 @@ format: '0.1'
|
|||
description: Nginx as reverse proxy
|
||||
depends:
|
||||
- nginx-common
|
||||
- reverse-proxy-client
|
||||
|
|
|
|||
|
|
@ -2,19 +2,38 @@
|
|||
<rougail version="0.10">
|
||||
<services>
|
||||
<service name='nginx'>
|
||||
<file>/etc/nginx/conf.d/risotto.conf</file>
|
||||
<file>/etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt</file>
|
||||
<file mode="600">/etc/pki/tls/certs/nginx.crt</file>
|
||||
<file mode="600">/etc/pki/tls/private/nginx.key</file>
|
||||
<file filelist="nginx_default_risotto">/etc/nginx/default.d/risotto.conf</file>
|
||||
</service>
|
||||
</services>
|
||||
<variables>
|
||||
<variable name="nginx_root_directory" type="filename" mandatory="True"/>
|
||||
<variable name="php_fpm_user" redefine="True" exists="True">
|
||||
<value>nginx</value>
|
||||
</variable>
|
||||
<variable name="nginx_locations" type="filename" multi="True" mandatory="True">
|
||||
<value>/</value>
|
||||
</variable>
|
||||
<family name="nginx">
|
||||
<variable name="nginx_https" redefine="True">
|
||||
<value>True</value>
|
||||
</variable>
|
||||
<variable name="php_fpm_user" redefine="True" exists="True">
|
||||
<value>nginx</value>
|
||||
</variable>
|
||||
<variable name="nginx_root_directory" type="filename"/>
|
||||
<variable name="nginx_locations" type="filename" multi="True" mandatory="True">
|
||||
<value>/</value>
|
||||
</variable>
|
||||
</family>
|
||||
<family name="redis" description="Redis">
|
||||
<variable name="redis_client_key_owner" redefine="True" exists="True">
|
||||
<value>nginx</value>
|
||||
</variable>
|
||||
</family>
|
||||
<family name="postgresql" description="PostgreSQL">
|
||||
<variable name="pg_client_key_owner" redefine="True" exists="True">
|
||||
<value>nginx</value>
|
||||
</variable>
|
||||
</family>
|
||||
</variables>
|
||||
<constraints>
|
||||
<condition name="disabled_if_in" source="nginx_root_directory">
|
||||
<param type="nil"/>
|
||||
<target type="filelist">nginx_default_risotto</target>
|
||||
<target type="variable">nginx_locations</target>
|
||||
</condition>
|
||||
</constraints>
|
||||
</rougail>
|
||||
|
|
|
|||
|
|
@ -1 +0,0 @@
|
|||
%%get_chain(authority_cn=%%domain_name_eth0, authority_name="InternalReverseProxy")
|
||||
|
|
@ -1 +1,2 @@
|
|||
%%get_certificate(cn=%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy')
|
||||
%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy', type="server")
|
||||
%%get_chain(%%revprox_client_server_domainname, 'InternalReverseProxy')
|
||||
|
|
|
|||
|
|
@ -1 +1 @@
|
|||
%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy')
|
||||
%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy', type='server')
|
||||
|
|
|
|||
|
|
@ -1,44 +1,30 @@
|
|||
server {
|
||||
listen 443 default ssl;
|
||||
server_name %%domain_name_eth0;
|
||||
|
||||
ssl_certificate /etc/pki/tls/certs/nginx.crt;
|
||||
ssl_certificate_key /etc/pki/tls/private/nginx.key;
|
||||
ssl_client_certificate /etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt;
|
||||
|
||||
error_page 403 404 502 503 504 /error.html;
|
||||
location = /error.html{
|
||||
root /var/www/html;
|
||||
}
|
||||
|
||||
add_header X-Frame-Options "SAMEORIGIN";
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
add_header X-Robots-Tag none;
|
||||
add_header X-Download-Options noopen;
|
||||
add_header X-Permitted-Cross-Domain-Policies none;
|
||||
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains;';
|
||||
add_header Referrer-Policy no-referrer always;
|
||||
add_header X-Frame-Options "SAMEORIGIN";
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
add_header X-Robots-Tag none;
|
||||
add_header X-Download-Options noopen;
|
||||
add_header X-Permitted-Cross-Domain-Policies none;
|
||||
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains;';
|
||||
add_header Referrer-Policy no-referrer always;
|
||||
|
||||
%for %%location in %%nginx_locations
|
||||
location %%location {
|
||||
location %%location {
|
||||
%if %%location == '/'
|
||||
root %slurp
|
||||
root %slurp
|
||||
%else
|
||||
alias %slurp
|
||||
alias %slurp
|
||||
%end if
|
||||
%%nginx_root_directory;
|
||||
%if not %%getVar('php_fpm_installed', False)
|
||||
index index.html;
|
||||
index index.html;
|
||||
%else
|
||||
index index.php;
|
||||
location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
|
||||
fastcgi_pass php-fpm;
|
||||
fastcgi_index index.php;
|
||||
fastcgi_param SCRIPT_FILENAME $request_filename;
|
||||
include fastcgi_params;
|
||||
}
|
||||
%end if
|
||||
index index.php;
|
||||
location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
|
||||
fastcgi_pass php-fpm;
|
||||
fastcgi_index index.php;
|
||||
fastcgi_param SCRIPT_FILENAME $request_filename;
|
||||
include fastcgi_params;
|
||||
}
|
||||
%end for
|
||||
%end if
|
||||
}
|
||||
%end for
|
||||
|
|
|
|||
|
|
@ -5,7 +5,6 @@
|
|||
<override engine="creole"/>
|
||||
<file source="nginx-options-rp.conf">/etc/nginx/conf.d/options-rp.conf</file>
|
||||
<file source="revprox-nginx.conf">/etc/nginx/conf.d/risotto.conf</file>
|
||||
<file>/etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt</file>
|
||||
<file source="certificate.crt" file_type="variable" mode="600" variable="revprox_domainnames_all">nginx_certificate_filename</file>
|
||||
<file source="private.key" file_type="variable" mode="600" variable="revprox_domainnames_all">nginx_private_key_filename</file>
|
||||
</service>
|
||||
|
|
@ -19,7 +18,7 @@
|
|||
<variable name="ip_eth" redefine="True" provider="ip"/>
|
||||
</family>
|
||||
<family name="nginx" description="NGINX" help="Paramétrage global de NGINX">
|
||||
<variable name="nginx_default" redefine="True" remove_fill="True"/>
|
||||
<variable name="nginx_default" redefine="True" mandatory="True"/>
|
||||
<variable name="revprox_domainnames" type="domainname" description="Nom des domaines à configurer dans le serveur mandataire inverse" help="Liste des domaines gérés par le serveur mandataire inverse" multi="True"/>
|
||||
<variable name="revprox_domainnames_auto" type="domainname" description="Nom des domaines auto-configurés dans le serveur mandataire inverse" multi="True" provider="revprox_clients" hidden="True"/>
|
||||
<variable name="revprox_domainnames_all" type="domainname" description="Tous les noms de domaines" multi="True" hidden="True"/>
|
||||
|
|
|
|||
|
|
@ -1,11 +1,12 @@
|
|||
from typing import List as _List
|
||||
from os.path import join as _join, isdir as _isdir, abspath as _abspath
|
||||
from os.path import join as _join, isfile as _isfile, isdir as _isdir, abspath as _abspath, basename as _basename
|
||||
from datetime import datetime as _datetime
|
||||
from ipaddress import ip_network, ip_address
|
||||
from subprocess import run as _run
|
||||
from os import makedirs as _makedirs, unlink as _unlink
|
||||
from shutil import rmtree as _rmtree
|
||||
from os import makedirs as _makedirs
|
||||
from shutil import rmtree as _rmtree, copy2 as _copy2
|
||||
from glob import glob as _glob
|
||||
from filecmp import cmp as _cmp
|
||||
|
||||
|
||||
_PKI_DIR = _abspath('pki/dnssec')
|
||||
|
|
@ -98,13 +99,21 @@ def sign(zone_filename: str,
|
|||
cn: str,
|
||||
) -> str:
|
||||
authority_cn = zone_filename.rsplit('/', 1)[-1].rsplit('.', 1)[0]
|
||||
zsk, ksk = _gen_keys(cn, authority_cn)
|
||||
cmd = ['ldns-signzone', '-n', zone_filename, zsk, ksk]
|
||||
proc = _run(cmd, capture_output=True)
|
||||
if proc.returncode != 0:
|
||||
raise Exception(f'cannot sign {zone_filename}: {proc.stdout.decode()}, {proc.stderr.decode()}')
|
||||
signed_filename = f'{zone_filename}.signed'
|
||||
copy_file = _join(_PKI_DIR, cn, authority_cn, _basename(zone_filename))
|
||||
signed_filename = f'{copy_file}.signed'
|
||||
if not _isfile(copy_file) or not _cmp(zone_filename, copy_file):
|
||||
_copy2(zone_filename, copy_file)
|
||||
zsk, ksk = _gen_keys(cn, authority_cn)
|
||||
cmd = ['ldns-signzone', '-n', zone_filename, zsk, ksk]
|
||||
proc = _run(cmd, capture_output=True)
|
||||
if proc.returncode != 0:
|
||||
raise Exception(f'cannot sign {zone_filename}: {proc.stdout.decode()}, {proc.stderr.decode()}')
|
||||
new_signed_filename = f'{zone_filename}.signed'
|
||||
with open(new_signed_filename) as fh:
|
||||
content = fh.read().strip()
|
||||
content.replace('0000000000', nsd_serial())
|
||||
with open(signed_filename, 'w') as fh:
|
||||
fh.write(content)
|
||||
with open(signed_filename) as fh:
|
||||
content = fh.read().strip()
|
||||
_unlink(signed_filename)
|
||||
return content
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@ $ORIGIN %%rougail_variable
|
|||
$TTL 1800
|
||||
|
||||
@ IN SOA %%domain_name_eth0. admin.%%name. (
|
||||
%%nsd_serial() ; serial number
|
||||
0000000000 ; serial number
|
||||
3600 ; refresh
|
||||
900 ; retry
|
||||
1209600 ; expire
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@ $ORIGIN %%rougail_variable.
|
|||
$TTL 1800
|
||||
|
||||
@ IN SOA %%domain_name_eth0. admin.%%rougail_variable. (
|
||||
%%nsd_serial() ; serial number
|
||||
0000000000 ; serial number
|
||||
3600 ; refresh
|
||||
900 ; retry
|
||||
1209600 ; expire
|
||||
|
|
|
|||
|
|
@ -20,8 +20,8 @@
|
|||
<variables>
|
||||
<family name="annuaire">
|
||||
<variable name='ldap_server_address' redefine="True" hidden="True"/>
|
||||
<variable name='ldap_base_dn' redefine="True" mandatory="True" provider="LDAP_DN"/>
|
||||
<variable name='ldap_port' redefine="True" remove_fill="True" hidden="False" provider="LDAP_PORT">
|
||||
<variable name='ldap_base_dn' redefine="True" mandatory="True" provider="ldap_dn"/>
|
||||
<variable name='ldap_port' redefine="True" remove_fill="True" hidden="False" provider="ldap_port">
|
||||
<value>636</value>
|
||||
</variable>
|
||||
<variable name='ldap_admin_dn' type='string' description="Administrateur de l'annuaire" mandatory="True" auto_freeze='True'/>
|
||||
|
|
@ -47,6 +47,7 @@
|
|||
<variable name='ldap_schemas' type='filename' description='Schémas LDAP additionnel' multi='True'>
|
||||
<value>/etc/openldap/schema/cosine.ldif</value>
|
||||
<value>/etc/openldap/schema/inetorgperson.ldif</value>
|
||||
<value>/etc/openldap/schema/nis.ldif</value>
|
||||
</variable>
|
||||
<variable name='ldap_loglevel' type='number' description='Niveau de log' mode="expert">
|
||||
<value>0</value>
|
||||
|
|
|
|||
|
|
@ -5,6 +5,7 @@
|
|||
<family name="remote_" description="Compte LDAP pour " dynamic="accounts.remotes">
|
||||
<variable name="dn_" description="LDAP DN" hidden="True" provider="dn"/>
|
||||
<variable name="password_" description="Mot de passe" auto_save="True" hidden="True" provider="client_password"/>
|
||||
<variable name="family_" description="Nom de la familly" auto_save="True" hidden="True" provider="client_family"/>
|
||||
<variable name="read_only_" description="Le compte est en lecture seule" type="boolean"/>
|
||||
</family>
|
||||
<family name="acl" description="Gestion des droits d'accès aux attributes" leadership="True">
|
||||
|
|
|
|||
|
|
@ -1,3 +1,9 @@
|
|||
%set %%dns = {}
|
||||
%for %%remote in %%accounts.remotes
|
||||
%set %%name = %%normalize_family(%%remote)
|
||||
%set %%family = %%accounts['remote_' + %%name]['family_' + %%name]
|
||||
%%dns.setdefault(%%family, []).append((%%accounts['remote_' + %%name]['dn_' + %%name], %%accounts['remote_' + %%name]['read_only_' + %%name]))%slurp
|
||||
%end for
|
||||
dn: olcDatabase={2}mdb,cn=config
|
||||
changetype:modify
|
||||
replace: olcAccess
|
||||
|
|
@ -5,20 +11,22 @@ olcAccess: {0}to attrs=userPassword
|
|||
by self write
|
||||
by anonymous auth
|
||||
by * none
|
||||
olcAccess: {1}to dn.subtree="ou=users,%%ldap_base_dn"
|
||||
by self read
|
||||
%set %%aclidx = 1
|
||||
%for %%remote in %%accounts.remotes
|
||||
%set %%name = %%normalize_family(%%remote)
|
||||
by dn="%%accounts['remote_' + %%name]['dn_' + %%name]" %slurp
|
||||
%if %%accounts['remote_' + %%name]['read_only_' + %%name]
|
||||
%for %%family, %%remotes in %%dns.items()
|
||||
olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldap_base_dn, %%family)"
|
||||
by self read
|
||||
%for %%remote in %%remotes
|
||||
by dn="%%remote[0]" %slurp
|
||||
%if %%remote[1]
|
||||
read%slurp
|
||||
%else
|
||||
%else
|
||||
write%slurp
|
||||
%end if
|
||||
%end for
|
||||
%end if
|
||||
%end for
|
||||
%set %%aclidx += 1
|
||||
|
||||
by * none
|
||||
%end for
|
||||
%for %%idx, %%acl in %%enumerate(%%accounts.acl.ldap_acl_attribute)
|
||||
%set %%aclidx += 1
|
||||
olcAccess: {%%aclidx}to %%acl %echo ' '.join(%%acl.ldap_acl_rights)
|
||||
|
|
|
|||
|
|
@ -35,8 +35,12 @@ sn: %%user.ldap_user_sn
|
|||
givenName: %%user.ldap_user_gn
|
||||
uid: %%user.ldap_user_uid
|
||||
userPassword:: %%ssha_encode(%%user.ldap_user_password)
|
||||
homeDirectory: /srv/home/users/%%user
|
||||
uidNumber: 0
|
||||
gidNumber: 0
|
||||
objectClass: top
|
||||
objectClass: inetOrgPerson
|
||||
objectClass: posixAccount
|
||||
|
||||
%end for
|
||||
# Families
|
||||
|
|
@ -52,15 +56,19 @@ objectClass: top
|
|||
objectClass: organizationalUnit
|
||||
|
||||
%for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
|
||||
dn: cn=%%user,ou=families,%%ldap_base_dn
|
||||
dn: cn=%%user,ou=%%family,ou=families,%%ldap_base_dn
|
||||
cn: %%user
|
||||
mail: %%user
|
||||
sn: %%user['ldap_user_sn_' + %%family]
|
||||
givenName: %%user['ldap_user_gn_' + %%family]
|
||||
uid: %%user['ldap_user_uid_' + %%family]
|
||||
userPassword:: %%ssha_encode(%%user['ldap_user_password_' + %%family])
|
||||
homeDirectory: /srv/home/families/%%family/%%user
|
||||
uidNumber: 0
|
||||
gidNumber: 0
|
||||
objectClass: top
|
||||
objectClass: inetOrgPerson
|
||||
objectClass: posixAccount
|
||||
|
||||
%end for
|
||||
%end for
|
||||
|
|
|
|||
|
|
@ -7,3 +7,20 @@ replace: userPassword
|
|||
userPassword:: %%ssha_encode(%%accounts['remote_' + %%name]['password_' + %%name])
|
||||
|
||||
%end for
|
||||
## Users
|
||||
#%for %%user in %%accounts.users.ldap_user_mail
|
||||
#dn: cn=%%user,ou=users,%%ldap_base_dn
|
||||
#changetype: modify
|
||||
#replace: homeDirectory
|
||||
#homeDirectory: /srv/home/users/%%user
|
||||
#
|
||||
#%end for
|
||||
## Families
|
||||
#%for %%family in %%accounts.families
|
||||
# %for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
|
||||
#dn: cn=%%user,ou=%%family,ou=families,%%ldap_base_dn
|
||||
#replace: homeDirectory
|
||||
#homeDirectory: /srv/home/families/%%family/%%user
|
||||
#
|
||||
# %end for
|
||||
#%end for
|
||||
|
|
|
|||
|
|
@ -38,8 +38,8 @@
|
|||
</variable>
|
||||
<variable name="oauth2_client_external" redefine="True" remove_fill="True"/>
|
||||
</family>
|
||||
<family name="nginx" description="Reverse proxy">
|
||||
<family name="revprox_client" description="Point d'entré des clients" leadership="True">
|
||||
<family name="nginx">
|
||||
<family name="revprox_client">
|
||||
<variable name="revprox_client_location" redefine="True">
|
||||
<value>/</value>
|
||||
</variable>
|
||||
|
|
|
|||
|
|
@ -25,5 +25,5 @@ rmdir "$IMAGE_NAME_RISOTTO_IMAGE_DIR/proc/self/"
|
|||
|
||||
rm -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh"
|
||||
cd "$IMAGE_NAME_RISOTTO_IMAGE_DIR$PLUGINS_DIR/.."
|
||||
patch -p0 < $OLDPWD/peertube/postinstall/peertube.patch
|
||||
patch -p0 < $OLDPWD/peertube/manual/postinstall/peertube.patch
|
||||
cd -
|
||||
|
|
|
|||
6
seed/applicationservice/2022.03.08/php-fpm/DEBUG.md
Normal file
6
seed/applicationservice/2022.03.08/php-fpm/DEBUG.md
Normal file
|
|
@ -0,0 +1,6 @@
|
|||
Debug
|
||||
======
|
||||
|
||||
echo "log_level = debug" >> /etc/php-fpm.conf
|
||||
systemctl restart php-fpm
|
||||
|
||||
|
|
@ -9,11 +9,13 @@
|
|||
</service>
|
||||
</services>
|
||||
<variables>
|
||||
<variable name="php_fpm_user" type="unix_user">
|
||||
<value>root</value>
|
||||
</variable>
|
||||
<variable name="php_fpm_installed" type="boolean">
|
||||
<value>True</value>
|
||||
</variable>
|
||||
<family name="nginx">
|
||||
<variable name="php_fpm_user" type="unix_user">
|
||||
<value>root</value>
|
||||
</variable>
|
||||
<variable name="php_fpm_installed" type="boolean">
|
||||
<value>True</value>
|
||||
</variable>
|
||||
</family>
|
||||
</variables>
|
||||
</rougail>
|
||||
|
|
|
|||
|
|
@ -8,4 +8,3 @@ depends:
|
|||
- relay-mail-client
|
||||
- nginx-https
|
||||
- php-fpm
|
||||
- reverse-proxy-client
|
||||
|
|
|
|||
|
|
@ -12,9 +12,11 @@
|
|||
<variables>
|
||||
<variable name="piwigo_admin_email" type="mail" description="Adresse courriel de l'administrateur Piwigo" mandatory="True"/>
|
||||
<variable name="piwigo_admin_password" type="password" auto_save="True" hidden="True"/>
|
||||
<variable name="nginx_root_directory" mandatory="True" redefine="True">
|
||||
<value>/usr/local/share/piwigo</value>
|
||||
</variable>
|
||||
<family name="nginx">
|
||||
<variable name="nginx_root_directory" mandatory="True" redefine="True">
|
||||
<value>/usr/local/share/piwigo</value>
|
||||
</variable>
|
||||
</family>
|
||||
<variable name="piwigo_title" type="string" description="Titre de l'album" mandatory="True">
|
||||
<value>Album photographique</value>
|
||||
</variable>
|
||||
|
|
|
|||
|
|
@ -14,10 +14,10 @@ ln -s /etc/piwigo/database.inc.php piwigo/local/config/database.inc.php
|
|||
ln -s /srv/piwigo/data piwigo/_data
|
||||
ln -s /srv/piwigo/upload piwigo/upload
|
||||
ln -s /srv/piwigo/logs piwigo/logs
|
||||
cp $OLDPWD/piwigo/postinstall/osmmap.php piwigo/
|
||||
cp $OLDPWD/piwigo/manual/postinstall/osmmap.php piwigo/
|
||||
chmod 644 piwigo/osmmap.php
|
||||
patch -p0 < $OLDPWD/piwigo/postinstall/piwigo.patch
|
||||
cp $OLDPWD/piwigo/postinstall/piwigo_cli.php piwigo/
|
||||
patch -p0 < $OLDPWD/piwigo/manual/postinstall/piwigo.patch
|
||||
cp $OLDPWD/piwigo/manual/postinstall/piwigo_cli.php piwigo/
|
||||
# Plugins
|
||||
cd piwigo/plugins
|
||||
wget https://piwigo.org/ext/download.php?rid=7848 -O plugin.zip
|
||||
|
|
|
|||
|
|
@ -9,4 +9,4 @@ def calc_postfix_relay_domains(criteria):
|
|||
if '@' in lst:
|
||||
lst = lst.split('@')[1]
|
||||
relay.add(lst)
|
||||
return list(relay)
|
||||
return sorted(list(relay))
|
||||
|
|
|
|||
|
|
@ -2,7 +2,6 @@
|
|||
<rougail version="0.10">
|
||||
<services>
|
||||
<service name="nginx" manage="False">
|
||||
<file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_ca_file</file>
|
||||
<file file_type="variable" source="revprox.crt">revprox_cert_file</file>
|
||||
<file file_type="variable" source="revprox.key" owner_type="variable" owner="revprox_client_cert_owner" group_type="variable" group="revprox_client_cert_group" mode="400">revprox_key_file</file>
|
||||
</service>
|
||||
|
|
@ -32,10 +31,8 @@
|
|||
<variable name="revprox_client_cert_group" type="unix_user" description="Reverse proxy certificate group">
|
||||
<value>root</value>
|
||||
</variable>
|
||||
<variable name="revprox_ca_file" type="filename" description="Reverse proxy CA filename" hidden="True"/>
|
||||
<variable name="revprox_cert_file" type="filename" description="Reverse proxy certificate filename" hidden="True"/>
|
||||
<variable name="revprox_key_file" type="filename" description="Reverse proxy private key filename" hidden="True"/>
|
||||
<variable name="nginx_default" exists="True" redefine="True" remove_fill="True" mandatory="False"/>
|
||||
</family>
|
||||
</variables>
|
||||
<constraints>
|
||||
|
|
@ -45,12 +42,6 @@
|
|||
<param type="variable">revprox_client_local_location</param>
|
||||
<target>revprox_client_web_address</target>
|
||||
</fill>
|
||||
<fill name="calc_value">
|
||||
<param type="variable">tls_ca_directory</param>
|
||||
<param>ca_InternalReverseProxy.crt</param>
|
||||
<param name="join">/</param>
|
||||
<target>revprox_ca_file</target>
|
||||
</fill>
|
||||
<fill name="calc_value">
|
||||
<param type="variable">tls_cert_directory</param>
|
||||
<param>revprox.crt</param>
|
||||
|
|
|
|||
|
|
@ -1,3 +1,8 @@
|
|||
Supprimer oauth
|
||||
================
|
||||
|
||||
sed -i "s/'generic'/null/g" /etc/roundcubemail/config.inc.php
|
||||
|
||||
Debug ldap
|
||||
==========
|
||||
|
||||
|
|
|
|||
|
|
@ -3,9 +3,8 @@ description: Interface web de consultation des courriels Roundcube
|
|||
depends:
|
||||
- base-fedora-35
|
||||
- postgresql-client
|
||||
- ldap-client-fedora
|
||||
- imap-client
|
||||
- redis-client
|
||||
- oauth2-client
|
||||
- apache
|
||||
- nginx-https
|
||||
- php-fpm
|
||||
|
|
|
|||
|
|
@ -2,8 +2,8 @@
|
|||
<rougail version="0.10">
|
||||
<services>
|
||||
<service name="roundcube" engine="creole" target="multi-user">
|
||||
<file owner="root" group="apache" mode="640">/etc/roundcubemail/config.inc.php</file>
|
||||
<file>/etc/httpd/conf.d/roundcubemail.conf</file>
|
||||
<file owner="root" group="nginx" mode="640">/etc/roundcubemail/config.inc.php</file>
|
||||
<file>/etc/nginx/default.d/roundcubemail.conf</file>
|
||||
<file>/secrets/roundcube-init.php</file>
|
||||
<file engine="none">/static/silique_cloud.svg</file>
|
||||
<file engine="none">/static/watermark.html</file>
|
||||
|
|
@ -32,9 +32,15 @@
|
|||
</variable>
|
||||
</family>
|
||||
<family name="nginx">
|
||||
<variable name="revprox_client_local_location" redefine="True">
|
||||
<value>/roundcube/</value>
|
||||
<variable name="nginx_root" redefine="True">
|
||||
<value>/usr/share/roundcubemail/</value>
|
||||
</variable>
|
||||
<variable name="revprox_client_local_location" redefine="True">
|
||||
<value>/</value>
|
||||
</variable>
|
||||
</family>
|
||||
<family name="annuaire">
|
||||
<variable name='ldapclient_family' redefine="True" exists="True" mandatory="True"/>
|
||||
</family>
|
||||
</variables>
|
||||
<constraints>
|
||||
|
|
|
|||
|
|
@ -0,0 +1,8 @@
|
|||
#!/bin/bash -ex
|
||||
|
||||
echo """#!/bin/bash -e
|
||||
/usr/bin/chgrp nginx /etc/roundcubemail/*
|
||||
""" > "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh"
|
||||
chmod +x "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh"
|
||||
chroot "$IMAGE_NAME_RISOTTO_IMAGE_DIR" /install.sh
|
||||
rm -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh"
|
||||
|
|
@ -1059,9 +1059,10 @@ $config['address_book_type'] = 'sql';
|
|||
// Array key must contain only safe characters, ie. a-zA-Z0-9_
|
||||
$config['ldap_public'] = [];
|
||||
#>GNUNUX
|
||||
%if %%getVar('ldap_server_address', None)
|
||||
$config['ldap_public'] = array (
|
||||
'Local' => array (
|
||||
'name' => "Contacts",
|
||||
'name' => "Ma famille",
|
||||
'hosts' => array (
|
||||
0 => 'ldaps://%%ldap_server_address',
|
||||
),
|
||||
|
|
@ -1073,7 +1074,7 @@ $config['ldap_public'] = array (
|
|||
'auth_method' => '',
|
||||
'vlv' => false, //Samba do not support Virtual List View functions
|
||||
'user_specific' => false,
|
||||
'base_dn' => 'ou=users,%%ldap_base_dn',
|
||||
'base_dn' => 'ou=%%ldapclient_family,ou=families,%%ldap_base_dn',
|
||||
'writable' => false,
|
||||
'required_fields' => array (
|
||||
0 => 'cn',
|
||||
|
|
@ -1104,6 +1105,7 @@ $config['ldap_public'] = array (
|
|||
),
|
||||
),
|
||||
);
|
||||
%end if
|
||||
#<GNUNUX
|
||||
|
||||
// If you are going to use LDAP for individual address books, you will need to
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
[Unit]
|
||||
Description=Roundcube database init
|
||||
After=postgresqlclient.service
|
||||
Before=apache.service php-fpm.service
|
||||
Before=nginx.service php-fpm.service
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
|
|
|
|||
|
|
@ -1,60 +1,51 @@
|
|||
#
|
||||
# Round Cube Webmail is a browser-based multilingual IMAP client
|
||||
#
|
||||
location = / {
|
||||
alias %%nginx_root;
|
||||
}
|
||||
|
||||
location / {
|
||||
root %%nginx_root;
|
||||
index index.php;
|
||||
|
||||
#>GNUNUX
|
||||
Alias /roundcube/skins/elastic/risotto/ /usr/local/lib/static/
|
||||
<Directory /usr/local/lib/static/>
|
||||
Require all granted
|
||||
</Directory>
|
||||
#<GNUNUX
|
||||
# GNUNUX Alias /roundcubemail /usr/share/roundcubemail
|
||||
Alias /roundcube /usr/share/roundcubemail
|
||||
location ~ ^/bin/(.+)$ {
|
||||
deny all;
|
||||
}
|
||||
location ~ ^/plugins/enigma/home/(.+)$ {
|
||||
deny all;
|
||||
}
|
||||
|
||||
# Define who can access the Webmail
|
||||
# You can enlarge permissions once configured
|
||||
# Define who can access the installer
|
||||
# keep this secured once configured
|
||||
|
||||
<Directory /usr/share/roundcubemail/>
|
||||
Require all granted
|
||||
# GNUNUX <IfModule mod_authz_core.c>
|
||||
# GNUNUX # Apache 2.4
|
||||
# GNUNUX Require local
|
||||
# GNUNUX </IfModule>
|
||||
# GNUNUX <IfModule !mod_authz_core.c>
|
||||
# GNUNUX # Apache 2.2
|
||||
# GNUNUX Order Deny,Allow
|
||||
# GNUNUX Deny from all
|
||||
# GNUNUX Allow from 127.0.0.1
|
||||
# GNUNUX Allow from ::1
|
||||
# GNUNUX </IfModule>
|
||||
</Directory>
|
||||
location ~ ^/installer/(.+\.php)$ {
|
||||
allow 127.0.0.1;
|
||||
allow ::1;
|
||||
deny all;
|
||||
|
||||
# Define who can access the installer
|
||||
# keep this secured once configured
|
||||
try_files $uri =404;
|
||||
fastcgi_intercept_errors on;
|
||||
include fastcgi_params;
|
||||
fastcgi_param SERVER_NAME $host;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_pass php-fpm;
|
||||
}
|
||||
|
||||
<Directory /usr/share/roundcubemail/installer/>
|
||||
Order Allow,Deny
|
||||
Deny from all
|
||||
# GNUNUX <IfModule mod_authz_core.c>
|
||||
# GNUNUX # Apache 2.4
|
||||
# GNUNUX Require local
|
||||
# GNUNUX </IfModule>
|
||||
# GNUNUX <IfModule !mod_authz_core.c>
|
||||
# GNUNUX # Apache 2.2
|
||||
# GNUNUX Order Deny,Allow
|
||||
# GNUNUX Deny from all
|
||||
# GNUNUX Allow from 127.0.0.1
|
||||
# GNUNUX Allow from ::1
|
||||
# GNUNUX </IfModule>
|
||||
</Directory>
|
||||
# Define who can access the Webmail
|
||||
# You can enlarge permissions once configured
|
||||
|
||||
# Those directories should not be viewed by Web clients.
|
||||
<Directory /usr/share/roundcubemail/bin/>
|
||||
Order Allow,Deny
|
||||
Deny from all
|
||||
</Directory>
|
||||
<Directory /usr/share/roundcubemail/plugins/enigma/home/>
|
||||
Order Allow,Deny
|
||||
Deny from all
|
||||
</Directory>
|
||||
location ~ ^/(.+\.php)$ {
|
||||
# GNUNUX allow 127.0.0.1;
|
||||
# GNUNUX allow ::1;
|
||||
# GNUNUX deny all;
|
||||
|
||||
try_files $uri =404;
|
||||
fastcgi_intercept_errors on;
|
||||
include fastcgi_params;
|
||||
fastcgi_param SERVER_NAME $host;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_pass php-fpm;
|
||||
}
|
||||
}
|
||||
|
||||
location /skins/elastic/risotto {
|
||||
alias /usr/local/lib/static/;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -3,6 +3,7 @@
|
|||
<services>
|
||||
<service name="vaultwarden" target="multi-user">
|
||||
<override/>
|
||||
<file>/etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt</file>
|
||||
<file engine="none" source="tmpfile-vaultwarden.conf">/tmpfiles.d/0vaultwarden.conf</file>
|
||||
<file source="vaultwarden_config.env">/etc/vaultwarden/config.env</file>
|
||||
</service>
|
||||
|
|
|
|||
Loading…
Reference in a new issue