gnunux/dataset
1
0
Fork 0
forked from stove/dataset
Code Issues Pull requests Projects Releases Wiki Activity

update documentations

Browse source
This commit is contained in:
egarette@silique.fr 2023-01-17 21:43:32 +01:00
parent f369998d15
commit c676afdb26
92 changed files with 3636 additions and 504 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

47
seed/README.md
View file

@ -15,8 +15,9 @@
- [dns-local](dns-local/README.md): DNS client with access to local zones
- [dotclear](dotclear/README.md): Dotclear an open-source web publishing software
- [dovecot](dovecot/README.md): Postfix and Dovecot as mail servers (Submission and IMAP)
- [forgejo](forgejo/README.md): Forgejo, a community managed lightweight code hosting solution
- [galette](galette/README.md): Galette, a membership management web application towards non profit organizations
- [gitea](gitea/README.md): Gitea, a community managed lightweight code hosting solution
- [gitea](gitea/README.md): Transitional package for Gitea to Forgejo
- [host-systemd-machined](host-systemd-machined/README.md): Host with machine started in Systemd Machined environment
- [imap-client](imap-client/README.md): Application service needs interact with an IMAP server
- [ldap-client](ldap-client/README.md): Application service needs interact with a LDAP server
@ -62,3 +63,47 @@
- [unbound](unbound/README.md): Unbound, a validating, recursive, caching DNS resolver
- [vaultwarden](vaultwarden/README.md): Vaultwarden, a password manager
- [znc](znc/README.md): ZNC, a bouncer IRC
# Providers and suppliers
- ExternalDNS:
- Provider: [unbound](unbound/README.md)
- Suppliers:
- [dns-external](dns-external/README.md)
- [nsd](nsd/README.md)
- Host:
- Provider: [host-systemd-machined](host-systemd-machined/README.md)
- Supplier: [provider-systemd-machined](provider-systemd-machined/README.md)
- IMAP:
- Provider: [dovecot](dovecot/README.md)
- Supplier: [imap-client](imap-client/README.md)
- LDAP:
- Provider: [openldap](openldap/README.md)
- Supplier: [ldap-client](ldap-client/README.md)
- LMTP:
- Provider: [postfix-lmtp-relay](postfix-lmtp-relay/README.md)
- Supplier: [relay-lmtp-client](relay-lmtp-client/README.md)
- LocalDNS:
- Provider: [nsd](nsd/README.md)
- Supplier: [dns-local](dns-local/README.md)
- MariaDB:
- Provider: [mariadb](mariadb/README.md)
- Supplier: [mariadb-client](mariadb-client/README.md)
- OAuth2:
- Provider: [lemonldap](lemonldap/README.md)
- Supplier: [oauth2-client](oauth2-client/README.md)
- OAuth2Client:
- Provider: [oauth2-client](oauth2-client/README.md)
- Supplier: [lemonldap](lemonldap/README.md)
- Postgresql:
- Provider: [postgresql](postgresql/README.md)
- Supplier: [postgresql-client](postgresql-client/README.md)
- Redis:
- Provider: [redis](redis/README.md)
- Supplier: [redis-client](redis-client/README.md)
- ReverseProxy:
- Provider: [nginx-reverse-proxy](nginx-reverse-proxy/README.md)
- Supplier: [reverse-proxy-client](reverse-proxy-client/README.md)
- SMTP:
- Provider: [postfix-relay](postfix-relay/README.md)
- Supplier: [relay-mail-client](relay-mail-client/README.md)

8
seed/base-fedora-36/README.md
View file

@ -24,22 +24,14 @@ Base information of a Fedora 36.
## Used by
- [galette](../galette/README.md)
- [nginx-static](../nginx-static/README.md)
- [postgresql](../postgresql/README.md)
- [peertube](../peertube/README.md)
- [piwigo](../piwigo/README.md)
- [dovecot](../dovecot/README.md)
- [unbound](../unbound/README.md)
- [redis](../redis/README.md)
- [nsd](../nsd/README.md)
- [dotclear](../dotclear/README.md)
- [speedtest-rs](../speedtest-rs/README.md)
- [nginx-reverse-proxy](../nginx-reverse-proxy/README.md)
- [sensmotdire](../sensmotdire/README.md)
- [roundcube](../roundcube/README.md)
- [znc](../znc/README.md)
- [vaultwarden](../vaultwarden/README.md)
- [mariadb](../mariadb/README.md)
- [nextcloud](../nextcloud/README.md)
- [openldap](../openldap/README.md)
- [gitea](../gitea/README.md)

11
seed/base-fedora-37/README.md
View file

@ -20,3 +20,14 @@ Base information of a Fedora 37.
- [base-machine](../base-machine/README.md)
- [base](../base/README.md)
- [dns-local](../dns-local/README.md)
## Used by
- [nginx-static](../nginx-static/README.md)
- [postgresql](../postgresql/README.md)
- [unbound](../unbound/README.md)
- [redis](../redis/README.md)
- [forgejo](../forgejo/README.md)
- [nsd](../nsd/README.md)
- [nginx-reverse-proxy](../nginx-reverse-proxy/README.md)
- [openldap](../openldap/README.md)

5
seed/base-machine/templates/locale.conf
View file

@ -1 +1,6 @@
# This is the fallback locale configuration provided by systemd.
#>GNUNUX
#LANG="C.UTF-8"
LANG=fr_FR.UTF-8
#<GNUNUX

2
seed/dns-local/dictionaries/13-dns-local.xml
View file

@ -2,7 +2,7 @@
<rougail version="0.10">
<services>
<service name="dns-local" manage="False">
<file>/tests/dns-local.yml</file>
<file filelist="copy_tests">/tests/dns-local.yml</file>
</service>
</services>
<variables>

14
seed/dovecot/README.md
View file

@ -61,18 +61,18 @@ This a family is a leadership.
#### IMAP mail server (*general.dovecot*)
| Description | Type | Provider |
|----------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|------------|
| **Adresse interne du serveur IMAP** (*[imap_internal_address](dictionaries/26_dovecot.xml)*) | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | IMAP |
| Description | Type | Values | Provider |
|----------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|--------------|------------|
| **Adresse interne du serveur IMAP** (*[imap_internal_address](dictionaries/26_dovecot.xml)*) | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | <calculated> | IMAP |
#### revprox (*general.revprox*)
##### revprox_client (*general.revprox.revprox_client*)
| Description |
|----------------------------------------------------------------------|
| *[revprox_client_external_domainnames](dictionaries/26_dovecot.xml)* |
| *[revprox_client_web_address](dictionaries/26_dovecot.xml)* |
| Description | Values |
|----------------------------------------------------------------------|--------------|
| *[revprox_client_external_domainnames](dictionaries/26_dovecot.xml)* | <calculated> |
| *[revprox_client_web_address](dictionaries/26_dovecot.xml)* | <calculated> |
#### nginx (*general.nginx*)

2
seed/dovecot/dictionaries/26_dovecot.xml
View file

@ -47,7 +47,7 @@
<file owner="root" group="dovecot" mode="440">/etc/pki/tls/private/dovecot.key</file>
<file source="external_imap.crt" file_type="variable" variable="imap_domainname">external_imap_crt</file>
<file owner="root" group="dovecot" mode="440" source="external_imap.key" file_type="variable" variable="imap_domainname">external_imap_key</file>
<file>/tests/imap.yml</file>
<file filelist="copy_tests">/tests/imap.yml</file>
</service>
</services>
<variables>

92
seed/forgejo/README.md Normal file
View file

@ -0,0 +1,92 @@
---
gitea: none
include_toc: true
---
# forgejo
[All applications services for this dataset.](../README.md)
## Description
Forgejo, a community managed lightweight code hosting solution.
[For more informations](https://forgejo.org/)
## Dependances
- [base-fedora-37](../base-fedora-37/README.md)
- [base-fedora](../base-fedora/README.md)
- [systemd](../systemd/README.md)
- [base-machine](../base-machine/README.md)
- [base](../base/README.md)
- [dns-local](../dns-local/README.md)
- [postgresql-client](../postgresql-client/README.md)
- [reverse-proxy-client](../reverse-proxy-client/README.md)
- [relay-mail-client](../relay-mail-client/README.md)
- [redis-client](../redis-client/README.md)
- [oauth2-client](../oauth2-client/README.md)
## Variables
### Général (*general*)
#### network (*general.network*)
| Description | Values |
|-----------------------------------------------------|----------|
| *[**incoming_ports**](dictionaries/31_forgejo.xml)* | 2222 |
#### Redis (*general.redis*)
| Description | Values |
|-------------------------------------------------------------|----------|
| *[**redis_client_key_owner**](dictionaries/31_forgejo.xml)* | forgejo |
#### Forgejo (*general.forgejo*)
Git forge Forgejo
| Description | Values | Type |
|---------------------------------------------------------------------------------------------------------------|----------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|
| **Titre de la forge** (*[forgejo_title](dictionaries/31_forgejo.xml)*) | Forgejo : Au-delà du développement. Nous forgeons. | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) |
| **Les courriels sont envoyés à partir de cet adresse** (*[forgejo_mail_sender](dictionaries/31_forgejo.xml)*) | | [mail](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) |
#### revprox (*general.revprox*)
| Description | Values |
|----------------------------------------------------------------|----------|
| *[**revprox_client_port**](dictionaries/31_forgejo.xml)* | 3000 |
| *[**revprox_client_cert_owner**](dictionaries/31_forgejo.xml)* | forgejo |
| *[**revprox_client_cert_group**](dictionaries/31_forgejo.xml)* | forgejo |
##### revprox_client (*general.revprox.revprox_client*)
| Description | Values |
|--------------------------------------------------------------------|----------|
| *[**revprox_client_local_location**](dictionaries/31_forgejo.xml)* | / |
#### oauth2_client (*general.oauth2_client*)
| Description | Values |
|-------------------------------------------------------------------------|------------------------|
| *[**oauth2_is_client_application**](dictionaries/31_forgejo.xml)* | True |
| *[**oauth2_client_name**](dictionaries/31_forgejo.xml)* | Forge |
| *[**oauth2_client_description**](dictionaries/31_forgejo.xml)* | Forge logiciel Forgejo |
| *[**oauth2_client_category**](dictionaries/31_forgejo.xml)* | Développement |
| *[**oauth2_client_logo**](dictionaries/31_forgejo.xml)* | silique_note.png |
| *[**oauth2_client_token_signature_algo**](dictionaries/31_forgejo.xml)* | RS256 |
##### external (*general.oauth2_client.external*)
| Description | Values |
|---------------------------------------------------------|--------------|
| *[oauth2_client_external](dictionaries/31_forgejo.xml)* | <calculated> |
- [+]: variable is multiple
- **bold**: variable is mandatory
## Used by
- [gitea](../gitea/README.md)

2
seed/forgejo/applicationservice.yml
View file

@ -2,7 +2,7 @@ format: '0.1'
description: Forgejo, a community managed lightweight code hosting solution
website: https://forgejo.org/
depends:
- base-fedora-36
- base-fedora-37
- postgresql-client
- reverse-proxy-client
- relay-mail-client

8
seed/forgejo/dictionaries/31_forgejo.xml
View file

@ -5,7 +5,7 @@
<file engine="none" source="sysuser-forgejo.conf">/sysusers.d/0forgejo.conf</file>
<file engine="none" source="tmpfile-forgejo.conf">/tmpfiles.d/0forgejo.conf</file>
<file>/etc/forgejo/app.ini</file>
<file>/tests/forgejo.yml</file>
<file filelist="copy_tests">/tests/forgejo.yml</file>
</service>
</services>
<variables>
@ -19,9 +19,9 @@
<value>forgejo</value>
</variable>
</family>
<family name="forgejo" description="Gitea" help="Git forge Gitea">
<family name="forgejo" description="Forgejo" help="Git forge Forgejo">
<variable name="forgejo_title" mandatory="True" description="Titre de la forge">
<value>Gitea: Git avec une tasse de thé</value>
<value>Forgejo : Au-delà du développement. Nous forgeons.</value>
</variable>
<variable name="forgejo_mail_sender" type="mail" description="Les courriels sont envoyés à partir de cet adresse" mandatory="True"/>
<variable name="forgejo_secret_key" type="password" hidden="True"/>
@ -52,7 +52,7 @@
<value>Forge</value>
</variable>
<variable name="oauth2_client_description" redefine='True'>
<value>Forge logiciel Gitea</value>
<value>Forge logiciel Forgejo</value>
</variable>
<variable name="oauth2_client_category" redefine='True'>
<value>Développement</value>

6
seed/forgejo/manual/image/postinstall/forgejo.sh
View file

@ -4,8 +4,8 @@ set -ex
gpg --keyserver keys.openpgp.org --recv EB114F5E6C0DC2BCDD183550A4B61A2DC5923710
JSON==$(wget -q 'https://codeberg.org/api/v1/repos/forgejo/forgejo/releases?draft=false&pre-release=false&limit=1' --header 'accept: application/json' -O -)
VERS=$(echo JSON| jq -r '.[0].name')
JSON=$(wget -q 'https://codeberg.org/api/v1/repos/forgejo/forgejo/releases?draft=false&pre-release=false&limit=1' --header 'accept: application/json' -O -)
VERS=$(echo $JSON| jq -r '.[0].name')
mkdir -p ~/forgejo/
@ -15,7 +15,7 @@ if [ ! -f ~/"forgejo/forgejo-$VERS-linux-amd64.xz" ]; then
fi
if [ ! -f ~/"forgejo/forgejo-$VERS-linux-amd64.xz.asc" ]; then
rm -rf ~/"forgejo/forgejo-*-linux-amd64.xz.asc"
wget $(echo $JSON | jq -r '.[0].assets | map(select(.name | endswith("linux-amd64.xz"))) | .[0].browser_download_url') -O ~/"forgejo/forgejo-$VERS-linux-amd64.xz.asc"
wget $(echo $JSON | jq -r '.[0].assets | map(select(.name | endswith("linux-amd64.xz.asc"))) | .[0].browser_download_url') -O ~/"forgejo/forgejo-$VERS-linux-amd64.xz.asc"
fi
gpg --verify ~/"forgejo/forgejo-$VERS-linux-amd64.xz.asc" ~/"forgejo/forgejo-$VERS-linux-amd64.xz"

2692
seed/forgejo/templates/app.ini
View file

File diff suppressed because it is too large Load diff

36
seed/forgejo/tests/test_forgejo.py
View file

@ -1,3 +1,4 @@
import datetime
from yaml import load, SafeLoader
from os import environ, makedirs, unlink
from os.path import expandvars, isfile, isdir, dirname, join
@ -14,12 +15,11 @@ from mookdns import MookDnsSystem
PORT = '3000'
GITEA_USERNAME = 'forgejo'
GITEA_PORT = '2222'
FORGEJO_USERNAME = 'forgejo'
FORGEJO_PORT = '2222'
KEY_FILE = '/var/lib/risotto/srv/hosts/forgejo'
# transition between gitea and forgejo
GITEA_KEY_FILE = '/var/lib/risotto/srv/hosts/gitea'
KNOWN_KEY = expandvars('$HOME/.ssh/known_hosts')
CONFIG_SSH = expandvars('$HOME/.ssh/config')
CONFIG_GIT = expandvars('$HOME/.gitconfig')
@ -99,7 +99,6 @@ def get_info(authentication,
with_data_id=False,
found_string=None
):
# <input type="hidden" name="_csrf" value="YQbVgdYHX_3VQ-KuZ5cKtr9RzXE6MTY1NzgxMzUzNTA0OTYwODQ0NQ">
pattern_csrf = r'name="_csrf" value="([a-zA-Z0-9\-\_=]+)"'
ret = authentication.get(url)
csrf = search(pattern_csrf, ret)[1]
@ -203,7 +202,7 @@ def test_repo():
with TemporaryDirectory() as tmpdirname:
username = data['username'].split('@', 1)[0]
dns = data['base_url'].split('/', 3)[2]
ssh_url = f'ssh://{GITEA_USERNAME}@{dns}:{GITEA_PORT}/{username}/test.git'
ssh_url = f'ssh://{FORGEJO_USERNAME}@{dns}:{FORGEJO_PORT}/{username}/test.git'
with SSHConfig():
with MookDnsSystem(dns, data['ip']):
filename = join(tmpdirname, 'test.txt')
@ -268,11 +267,11 @@ def test_repo_persistent():
with TemporaryDirectory() as tmpdirname:
username = data['username'].split('@', 1)[0]
dns = data['base_url'].split('/', 3)[2]
ssh_url = f'ssh://{GITEA_USERNAME}@{dns}:{GITEA_PORT}/{username}/test_persistent.git'
ssh_url = f'ssh://{FORGEJO_USERNAME}@{dns}:{FORGEJO_PORT}/{username}/test_persistent.git'
with SSHConfig():
with MookDnsSystem(dns, data['ip']):
filename = join(tmpdirname, 'test.txt')
if 'FIRST_RUN' in environ:
filename = join(tmpdirname, 'test.txt')
with open(filename, 'w') as fh:
fh.write('test')
repo = init(tmpdirname)
@ -284,6 +283,25 @@ def test_repo_persistent():
)
else:
repo = clone(ssh_url, tmpdirname)
with open(filename, 'r') as fh:
len_file = len(fh.readlines())
# get previous commit number
lst = list(repo.get_walker())
assert len(lst) == 1
assert lst[0].commit.message == b'test commit'
len_before_commit = len(lst)
assert len_before_commit == len_file
# add a new line in file and commit
with open(filename, 'a') as fh:
fh.write('\ntest')
add(repo, filename)
date = datetime.datetime.now()
commit_message = f'test commit {date}'.encode()
commit(repo, message=commit_message)
push(repo=repo,
remote_location=ssh_url,
refspecs='master',
)
# test if commit is added and last commit
lst = list(repo.get_walker())
len_after_commit = len(lst)
assert len_before_commit + 1 == len_after_commit
assert lst[-1].commit.message == commit_message

41
seed/gitea/README.md Normal file
View file

@ -0,0 +1,41 @@
---
gitea: none
include_toc: true
---
# gitea
[All applications services for this dataset.](../README.md)
## Description
Transitional package for Gitea to Forgejo.
## Dependances
- [forgejo](../forgejo/README.md)
- [base-fedora-37](../base-fedora-37/README.md)
- [base-fedora](../base-fedora/README.md)
- [systemd](../systemd/README.md)
- [base-machine](../base-machine/README.md)
- [base](../base/README.md)
- [dns-local](../dns-local/README.md)
- [postgresql-client](../postgresql-client/README.md)
- [reverse-proxy-client](../reverse-proxy-client/README.md)
- [relay-mail-client](../relay-mail-client/README.md)
- [redis-client](../redis-client/README.md)
- [oauth2-client](../oauth2-client/README.md)
## Variables
### Général (*general*)
#### Transitional family (*general.gitea*)
| Description | Type |
|------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------|
| Transitional variable, please do not use it (*[gitea_mail_sender](dictionaries/32_gitea.xml)*) | [mail](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) |
- [+]: variable is multiple
- **bold**: variable is mandatory

14
seed/host-systemd-machined/dictionaries/21-machined.xml
View file

@ -16,9 +16,10 @@
<file>/usr/local/lib/risotto-tmpfiles.d/0asystemd-nspawn.conf</file>
<file>/etc/systemd/system/systemd-nspawn@.service.d/systemd-nspawn@.conf</file>
<file>/etc/distro.repos.d/boot.repo</file>
<file>/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-35-x86_64</file>
<file>/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-36-x86_64</file>
<file>/etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-36</file>
<file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-35-x86_64</file>
<file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-36-x86_64</file>
<file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-37-x86_64</file>
<file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-36</file>
<file>/etc/sysctl.d/90-risotto.conf</file>
<file file_type="variable" source="dhcp.network" variable="interface_names">host_network_filename</file>
</service>
@ -50,6 +51,13 @@
<value>tree</value>
<value>tshark</value>
<value>vim</value>
<value>python3-pytest</value>
<value>python3-yaml</value>
<value>python3-ldap</value>
<value>python3-dnspython</value>
<value>python3-dulwich</value>
<value>python3-psycopg2</value>
<value>python3-redis</value>
</variable>
<family name="network">
<variable name="output_interface" description="Nom de l'interface de sortie" mandatory="True"/>

14
seed/ldap-client/README.md
View file

@ -25,13 +25,13 @@ Application service needs interact with a LDAP server.
##### Client (*general.annuaire.client*)
| Description | Type | Supplier |
|----------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|--------------|
| Nom de la famille LDAP (*[ldapclient_family](dictionaries/21_ldap-client.xml)*) | [unix_user](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | LDAP:family |
| **Base DN de l'annuaire** (*[ldapclient_base_dn](dictionaries/21_ldap-client.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | LDAP:base_dn |
| **Base DN de l'annuaire des utilisateurs** (*[ldapclient_search_dn](dictionaries/21_ldap-client.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | |
| **Base DN de l'annuaire des groupes** (*[ldapclient_group_dn](dictionaries/21_ldap-client.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | |
| **Base DN de l'annuaire des utilisateurs n'appartenant à une famille** (*[ldapclient_user_dn](dictionaries/21_ldap-client.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | |
| Description | Type | Supplier | Values |
|----------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|--------------|--------------|
| Nom de la famille LDAP (*[ldapclient_family](dictionaries/21_ldap-client.xml)*) | [unix_user](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | LDAP:family | |
| **Base DN de l'annuaire** (*[ldapclient_base_dn](dictionaries/21_ldap-client.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | LDAP:base_dn | <calculated> |
| **Base DN de l'annuaire des utilisateurs** (*[ldapclient_search_dn](dictionaries/21_ldap-client.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | | <calculated> |
| **Base DN de l'annuaire des groupes** (*[ldapclient_group_dn](dictionaries/21_ldap-client.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | | <calculated> |
| **Base DN de l'annuaire des utilisateurs n'appartenant à une famille** (*[ldapclient_user_dn](dictionaries/21_ldap-client.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | | <calculated> |
- [+]: variable is multiple

8
seed/ldap-client/templates/ldap.conf
View file

@ -6,9 +6,11 @@
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
BASE %%ldapclient_search_dn
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#>GNUNUX
BASE %%ldapclient_search_dn
URI ldaps://%%ldap_server_address:%%ldap_port
#<GNUNUX
#SIZELIMIT 12
#TIMELIMIT 15
@ -18,9 +20,11 @@ URI ldaps://%%ldap_server_address:%%ldap_port
# are in use. In order to have these available along with the ones specified
# by TLS_CACERTDIR one has to include them explicitly:
#TLS_CACERT /etc/pki/tls/cert.pem
#>GNUNUX
TLS_KEY %%ldap_key_file
TLS_CERT %%ldap_cert_file
TLS_CACERT %%ldap_ca_file
#<GNUNUX
# System-wide Crypto Policies provide up to date cipher suite which should
# be used unless one needs a finer grinded selection of ciphers. Hence, the
@ -31,8 +35,10 @@ TLS_CACERT %%ldap_ca_file
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
#>GNUNUX
BINDDN %%ldapclient_user
TIMELIMIT 10
NETWORK_TIMEOUT 10
TIMEOUT 10
BINDPW %%ldapclient_user_password
#<GNUNUX

16
seed/lemonldap/README.md
View file

@ -15,16 +15,16 @@ LemonLDAP, a Web Single Sign On and Access Management.
## Dependances
- [ldap-client](../ldap-client/README.md)
- [reverse-proxy-client](../reverse-proxy-client/README.md)
- [relay-mail-client](../relay-mail-client/README.md)
- [nginx-common](../nginx-common/README.md)
- [base-debian-bullseye](../base-debian-bullseye/README.md)
- [base-debian](../base-debian/README.md)
- [systemd](../systemd/README.md)
- [base-machine](../base-machine/README.md)
- [base](../base/README.md)
- [dns-local](../dns-local/README.md)
- [ldap-client](../ldap-client/README.md)
- [reverse-proxy-client](../reverse-proxy-client/README.md)
- [relay-mail-client](../relay-mail-client/README.md)
- [nginx-common](../nginx-common/README.md)
## Variables
@ -55,10 +55,10 @@ Configuration de la solution d'authentification unique LemonLDAP::NG
### Oauth2 (*oauth2*)
| Description | Type | Provider | Supplier |
|------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|------------|--------------|
| Remote clients needing to verify OAuth2 account (*[remotes](extras/oauth2/00_oauth2.xml)*) [+] | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | OAuth2 | |
| Remote clients (*[clients](extras/oauth2/00_oauth2.xml)*) [+] | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | | OAuth2Client |
| Description | Type | Provider | Values | Supplier |
|------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|------------|--------------|--------------|
| Remote clients needing to verify OAuth2 account (*[remotes](extras/oauth2/00_oauth2.xml)*) [+] | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | OAuth2 | | |
| Remote clients (*[clients](extras/oauth2/00_oauth2.xml)*) [+] | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | | <calculated> | OAuth2Client |
#### OAuth2 for (*oauth2.oauth2_*)

2
seed/lemonldap/applicationservice.yml
View file

@ -2,8 +2,8 @@ format: '0.1'
description: LemonLDAP, a Web Single Sign On and Access Management
website: https://lemonldap-ng.org/
depends:
- base-debian-bullseye
- ldap-client
- reverse-proxy-client
- relay-mail-client
- nginx-common
- base-debian-bullseye

2
seed/lemonldap/dictionaries/70_lemonldap_ng.xml
View file

@ -20,7 +20,7 @@
<file mode="750">/sbin/interne_well_known.pl</file>
<file mode="750">/sbin/wget.pl</file>
<file engine="none" source="tmpfile-lemonldap.conf">/tmpfiles.d/0lemonldap.conf</file>
<file>/tests/lemonldap.yml</file>
<file filelist="copy_tests">/tests/lemonldap.yml</file>
</service>
</services>
<variables>

6
seed/mailman/README.md
View file

@ -54,9 +54,9 @@ GNU Mailman, managing electronic mail discussion and e-newsletter lists.
##### external (*general.oauth2_client.external*)
| Description |
|---------------------------------------------------------|
| *[oauth2_client_external](dictionaries/31_mailman.xml)* |
| Description | Values |
|---------------------------------------------------------|--------------|
| *[oauth2_client_external](dictionaries/31_mailman.xml)* | <calculated> |
#### nginx (*general.nginx*)

2
seed/mailman/dictionaries/31_mailman.xml
View file

@ -5,7 +5,7 @@
<!--override/-->
<file owner="root" group="list" mode="640">/etc/mailman3/mailman.cfg</file>
<file engine="none" source="tmpfile-mailman.conf">/tmpfiles.d/0mailman.conf</file>
<file>/tests/mailman.yml</file>
<file filelist="copy_tests">/tests/mailman.yml</file>
<!--file owner="root" group="mailman" mode="640">/etc/mailman3.d/postfix.cfg</file-->
</service>
<service name="mailman3-web"> <!-- target="multi-user" engine="cheetah">-->

2
seed/mariadb/dictionaries/20_mariadb.xml
View file

@ -6,7 +6,7 @@
<file>/etc/my.cnf.d/risotto.cnf</file>
<file engine="none" source="tmpfile-mariadb.conf">/tmpfiles.d/0mariadb.conf</file>
<file mode="600" owner="mysql" group="mysql">/etc/mariadb.sql</file>
<file>/tests/mariadb.yml</file>
<file filelist="copy_tests">/tests/mariadb.yml</file>
</service>
</services>
<variables>

9
seed/nextcloud/manual/image/postinstall/nextcloud.sh
View file

@ -1,4 +1,4 @@
CALENDAR="3.5.2"
#CALENDAR="3.5.2"
ln -s "/srv/nextcloud/data" "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/share/nextcloud/data"
mkdir -p "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/local/share/nextcloud/apps"
cd "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/local/share/nextcloud/apps"
@ -9,8 +9,11 @@ tar xf *tar.gz
rm -f *tar.gz
chown -R root: oidc_login
#
#app=$(wget https://api.github.com/repos/nextcloud-releases/calendar/releases/latest -q -O - | jq -r '.assets[0].browser_download_url')
app="https://github.com/nextcloud-releases/calendar/releases/download/v${CALENDAR}/calendar-v${CALENDAR}.tar.gz"
if [ -z "$CALENDAR" ]; then
app=$(wget https://api.github.com/repos/nextcloud-releases/calendar/releases/latest -q -O - | jq -r '.assets[0].browser_download_url')
else
app="https://github.com/nextcloud-releases/calendar/releases/download/v${CALENDAR}/calendar-v${CALENDAR}.tar.gz"
fi
wget -q $app -O app.tar.gz
tar xf app.tar.gz
rm -f app.tar.gz

19
seed/nginx-common/dictionaries/21_nginx.xml
View file

@ -2,17 +2,15 @@
<rougail version="0.10">
<services>
<service name='nginx' target='multi-user'>
<file>/etc/nginx/nginx.conf</file>
<file source="default">/etc/nginx/sites-available/default</file>
<file source="nginx_source_conf" source_type="variable">/etc/nginx/nginx.conf</file>
<file filelist="nginx_debian">/etc/nginx/sites-available/default</file>
<file filelist="nginx_default" source="default-nginx.conf">/etc/nginx/default.d/default.conf</file>
<file source="nginx.index.html">/var/www/html/index.html</file>
<file source="nginx-options.conf">/etc/nginx/conf.d/options.conf</file>
<file>/var/www/html/error.html</file>
<file engine="none" source="sysusers.nginx.conf" filelist="nginx_fedora">/sysusers.d/nginx.conf</file>
<file source="tmpfiles.nginx.conf">/tmpfiles.d/nginx.conf</file>
<file file_type="variable" filelist="nginx_default_https" mode="600" source="nginx.crt">revprox_crt_file</file>
<file file_type="variable" filelist="nginx_default_https" mode="600" source="nginx.key">revprox_key_file</file>
<file>/tests/nginx-common.yml</file>
<file filelist="copy_tests">/tests/nginx-common.yml</file>
</service>
</services>
<variables>
@ -41,6 +39,7 @@
<variable name="revprox_key_file" type="filename" description="Reverse proxy key filename" hidden="True"/>
<variable name="nginx_owner" type="unix_user" description="Nginx process owner" mandatory="True" hidden="True"/>
<variable name="nginx_group" type="unix_user" description="Nginx process group" mandatory="True" hidden="True"/>
<variable name="nginx_source_conf" hidden="True"/>
</family>
</variables>
<constraints>
@ -49,6 +48,10 @@
<target type="filelist">nginx_fedora</target>
<target>nginx_default</target>
</condition>
<condition name="disabled_if_not_in" source="os_name">
<param>Debian</param>
<target type="filelist">nginx_debian</target>
</condition>
<condition name="disabled_if_in" source="nginx_default">
<param type="nil"/>
<target type="filelist">nginx_default</target>
@ -89,5 +92,11 @@
<param name="expected">Fedora</param>
<target>nginx_group</target>
</fill>
<fill name="calc_value">
<param>nginx.conf</param>
<param type="variable">os_name</param>
<param name="join">.</param>
<target>nginx_source_conf</target>
</fill>
</constraints>
</rougail>

1
seed/nginx-common/templates/default-nginx.conf
View file

@ -1,2 +1,3 @@
#RISOTTO: do not compare
rewrite ^(.*) http://%%nginx_default$1;
break;

1
seed/nginx-common/templates/nginx-options.conf
View file

@ -1,3 +1,4 @@
#RISOTTO: do not compare
client_max_body_size %%{nginx_post_max_size}M;
client_body_buffer_size 128k;

4
seed/nginx-common/tests/test_nginx_commmon.py
View file

@ -42,9 +42,9 @@ def test_revprox():
protocols.append('https')
# test certificate
with raises(SSLError):
# not certificat problem for https://{url}
# certificat problem for https://{url}
req(f'https://{url}', data['address'])
for protocol in protocols:
ret_code, content = req(f'{protocol}://{url}', data['address'], verify=False)
assert ret_code == 200, f'{protocol}://{url} do not returns code 200 but {ret_code}'
assert "<title>Test Page for the HTTP Server on Fedora</title>" in content, f'{protocol}://{url} do not returns default fedora page'
# assert "<title>Welcome</title>" in content, f'{protocol}://{url} do not returns default fedora page'

14
seed/nginx-reverse-proxy/README.md
View file

@ -15,13 +15,13 @@ Nginx as reverse proxy.
## Dependances
- [base-fedora-36](../base-fedora-36/README.md)
- [nginx-common](../nginx-common/README.md)
- [base-fedora-37](../base-fedora-37/README.md)
- [base-fedora](../base-fedora/README.md)
- [systemd](../systemd/README.md)
- [base-machine](../base-machine/README.md)
- [base](../base/README.md)
- [dns-local](../dns-local/README.md)
- [nginx-common](../nginx-common/README.md)
## Variables
@ -37,11 +37,11 @@ Nginx as reverse proxy.
Paramétrage global de NGINX
| Description | Values |
|--------------------------------------------------------|----------|
| *[**nginx_default**](dictionaries/25_nginx.xml)* | |
| *[**nginx_default_http**](dictionaries/25_nginx.xml)* | True |
| *[**nginx_default_https**](dictionaries/25_nginx.xml)* | True |
| Description | Values |
|--------------------------------------------------------|--------------|
| *[**nginx_default**](dictionaries/25_nginx.xml)* | <calculated> |
| *[**nginx_default_http**](dictionaries/25_nginx.xml)* | True |
| *[**nginx_default_https**](dictionaries/25_nginx.xml)* | True |
### Machine (*machine*)

2
seed/nginx-reverse-proxy/applicationservice.yml
View file

@ -2,5 +2,5 @@ format: '0.1'
description: Nginx as reverse proxy
website: https://nginx.org/
depends:
- base-fedora-36
- nginx-common
- base-fedora-37

6
seed/nginx-reverse-proxy/dictionaries/25_nginx.xml
View file

@ -4,10 +4,12 @@
<service name='nginx'>
<override engine="cheetah"/>
<file source="nginx-options-rp.conf">/etc/nginx/conf.d/options-rp.conf</file>
<file source="revprox-nginx.conf">/etc/nginx/sites-enabled/risotto.conf</file>
<file source="revprox-nginx.conf">/etc/nginx/conf.d/risotto.conf</file>
<file>/etc/pki/ca-trust/source/anchors/ca_External.crt</file>
<file source="certificate.crt" file_type="variable" mode="600" variable="nginx.revprox_domainnames">nginx.nginx_certificate_filename</file>
<file source="private.key" file_type="variable" mode="600" variable="nginx.revprox_domainnames">nginx.nginx_private_key_filename</file>
<file>/tests/reverse-proxy.yml</file>
<file filelist="copy_tests">/tests/reverse-proxy.yml</file>
<file>/var/www/html/error.html</file>
</service>
</services>
<variables>

2
seed/nginx-reverse-proxy/extras/nginx/00-nginx.xml
View file

@ -37,7 +37,7 @@
<target>nginx.nginx_private_key_filename</target>
</fill>
<fill name="get_first_value">
<param type="variable">nginx.remotes</param>
<param type="variable">nginx.reverse_proxy_for_.reverse_proxy_.revprox_domainnames_</param>
<target>nginx_default</target>
</fill>
</constraints>

1
seed/nginx-reverse-proxy/templates/certificate.crt
View file

@ -1,2 +1 @@
%set %%chain=%%get_chain(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name="External", hide=%%hide_secret)
%%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)

1
seed/nginx-reverse-proxy/templates/nginx-options-rp.conf
View file

@ -1,2 +1,3 @@
#RISOTTO: do not compare
# We use X-Forwarded-For header
real_ip_header X-Forwarded-For;

1
seed/nginx-reverse-proxy/templates/reverse-proxy.yml
View file

@ -10,3 +10,4 @@ urls:
%end for
%end for
%end for
ca_certificate: ../etc/pki/ca-trust/source/anchors/ca_External.crt

1
seed/nginx-reverse-proxy/templates/revprox-nginx.conf
View file

@ -1,3 +1,4 @@
#RISOTTO: do not compare
%for %%idx, %%domainname in %%enumerate(%%nginx.revprox_domainnames)
# Configuration HTTP %%domainname
server {

11
seed/nginx-reverse-proxy/tests/test_revprox.py
View file

@ -1,5 +1,6 @@
from yaml import load, SafeLoader
from os import environ
from os.path import join
import warnings
import socket
@ -19,9 +20,9 @@ def req(url, ip, verify=True):
if not verify:
with warnings.catch_warnings():
warnings.simplefilter("ignore")
ret = get(url, verify=verify)
ret = get(url, verify=verify, allow_redirects=False)
else:
ret = get(url, verify=verify)
ret = get(url, verify=verify, allow_redirects=False)
ret_code = ret.status_code
content = ret.content
socket.getaddrinfo = old_getaddrinfo
@ -34,6 +35,8 @@ def test_revprox():
data = load(yaml, Loader=SafeLoader)
# test known domains
for url in data['urls']:
ret_code, content = req(f'https://{url}', data['address'])
try:
ret_code, content = req(f'https://{url}', data['address'])
except SSLError:
ret_code, content = req(f'https://{url}', data['address'], verify=join(environ["MACHINE_TEST_DIR"], data["ca_certificate"]))
assert ret_code == 200, f'https://{url} do not returns code 200 but {ret_code}'
assert "<title>Test Page for the HTTP Server on Fedora</title>" not in content, f'https://{url} do returns default fedora page'

2
seed/nginx-static/README.md
View file

@ -18,7 +18,7 @@ Nginx as static web site.
- [nginx-https](../nginx-https/README.md)
- [nginx-common](../nginx-common/README.md)
- [reverse-proxy-client](../reverse-proxy-client/README.md)
- [base-fedora-36](../base-fedora-36/README.md)
- [base-fedora-37](../base-fedora-37/README.md)
- [base-fedora](../base-fedora/README.md)
- [systemd](../systemd/README.md)
- [base-machine](../base-machine/README.md)

2
seed/nginx-static/applicationservice.yml
View file

@ -3,4 +3,4 @@ description: Nginx as static web site
website: https://nginx.org/
depends:
- nginx-https
- base-fedora-36
- base-fedora-37

1
seed/nginx-static/dictionaries/22_nginx_static.xml
View file

@ -3,6 +3,7 @@
<services>
<service name='nginx' target='multi-user'>
<file source="tmpfiles.nginx_static.conf">/tmpfiles.d/0static.conf</file>
<file source="index.html">/srv/static/index.html</file>
</service>
</services>
<variables>

20
seed/nsd/README.md
View file

@ -15,7 +15,7 @@ NSD, an authoritative DNS name server.
## Dependances
- [base-fedora-36](../base-fedora-36/README.md)
- [base-fedora-37](../base-fedora-37/README.md)
- [base-fedora](../base-fedora/README.md)
- [systemd](../systemd/README.md)
- [base-machine](../base-machine/README.md)
@ -28,9 +28,9 @@ NSD, an authoritative DNS name server.
#### network (*general.network*)
| Description |
|-------------------------------------|
| *[ip_dns](dictionaries/20_nsd.xml)* |
| Description | Values |
|-------------------------------------|--------------|
| *[ip_dns](dictionaries/20_nsd.xml)* | <calculated> |
#### Serveur DNS (*general.dns_server*)
@ -40,17 +40,17 @@ NSD, an authoritative DNS name server.
#### Zone DNS (*general.dns_zone*)
| Description | Type |
|--------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|
| Zones DNS (*[nsd_zones](dictionaries/20_nsd.xml)*) [+] | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) |
| Description | Type | Values |
|--------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|--------------|
| Zones DNS (*[nsd_zones](dictionaries/20_nsd.xml)*) [+] | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | <calculated> |
#### Zone DNS reverse (*general.dns_reverses*)
This a family is a leadership.
| Description | Type |
|------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|
| Réseau pour la résolution reverse (*[nsd_reverse_network](dictionaries/20_nsd.xml)*) [+] | [network_cidr](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) |
| Description | Type | Values |
|------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|--------------|
| Réseau pour la résolution reverse (*[nsd_reverse_network](dictionaries/20_nsd.xml)*) [+] | [network_cidr](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | <calculated> |
### Machine (*machine*)

2
seed/nsd/applicationservice.yml
View file

@ -3,4 +3,4 @@ description: NSD, an authoritative DNS name server
website: https://www.nlnetlabs.nl/projects/nsd/about/
service: true
depends:
- base-fedora-36
- base-fedora-37

2
seed/nsd/dictionaries/20_nsd.xml
View file

@ -11,7 +11,7 @@
<file file_type="variable" source="nsd.signed" variable="nsd_reverse_filenames">nsd_reverse_filenames_signed</file>
<file engine="none" source="sysuser-nsd.conf">/sysusers.d/0nsd.conf</file>
<file engine="none" source="tmpfile-nsd.conf">/tmpfiles.d/0nsd.conf</file>
<file>/tests/nsd.yml</file>
<file filelist="copy_tests">/tests/nsd.yml</file>
</service>
</services>
<variables>

1
seed/nsd/templates/nsd.signed
View file

@ -1 +1,2 @@
#RISOTTO: do not compare
%%sign(%%rougail_destination_dir + %%rougail_variable, %%domain_name_eth0)

1
seed/nsd/templates/risotto.conf
View file

@ -1,3 +1,4 @@
#RISOTTO: do not compare
server:
interface: 127.0.0.1
%for %%interface in %%range(%%len(%%zones_list))

10
seed/oauth2-client/README.md
View file

@ -31,10 +31,10 @@ Application service needs interact with a Oauth2 server.
##### external (*general.oauth2_client.external*)
| Description | Type | Supplier | Values |
|------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------|-----------------|----------|
| **OAuth2 client external** (*[oauth2_client_external](dictionaries/30_oauth2_client.xml)*) [+] | [web_address](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | OAuth2:external | |
| **OAuth2 family** (*[oauth2_client_family](dictionaries/30_oauth2_client.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | OAuth2:family | users |
| Description | Type | Values | Supplier |
|------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------|--------------|-----------------|
| **OAuth2 client external** (*[oauth2_client_external](dictionaries/30_oauth2_client.xml)*) [+] | [web_address](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | <calculated> | OAuth2:external |
| **OAuth2 family** (*[oauth2_client_family](dictionaries/30_oauth2_client.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | users | OAuth2:family |
- [+]: variable is multiple
@ -47,9 +47,9 @@ Application service needs interact with a Oauth2 server.
- [peertube](../peertube/README.md)
- [piwigo](../piwigo/README.md)
- [dovecot](../dovecot/README.md)
- [forgejo](../forgejo/README.md)
- [roundcube](../roundcube/README.md)
- [nextcloud](../nextcloud/README.md)
- [gitea](../gitea/README.md)
## Linked to

2
seed/odoo/dictionaries/40_odoo.xml
View file

@ -14,7 +14,7 @@
</services>
<variables>
<family name="odoo" description="Odoo">
<variable name="odoo_admin_password" description="Mot de passe de l'administrateur" hidden="True"/>
<variable name="odoo_admin_password" type="password" description="Mot de passe de l'administrateur" hidden="True"/>
<variable name="odoo_admin_email" type="mail" description="Adresse courriel de l'administrateur" mandatory="True"/>
<variable name="odoo_company_name" description="Nom" mandatory="True"/>
<variable name="odoo_company_street" description="Adresse" mandatory="True"/>

14
seed/openldap/README.md
View file

@ -16,7 +16,7 @@ OpenLDAP, a LDAP server.
## Dependances
- [ldap-client](../ldap-client/README.md)
- [base-fedora-36](../base-fedora-36/README.md)
- [base-fedora-37](../base-fedora-37/README.md)
- [base-fedora](../base-fedora/README.md)
- [systemd](../systemd/README.md)
- [base-machine](../base-machine/README.md)
@ -60,12 +60,12 @@ OpenLDAP, a LDAP server.
##### client (*general.annuaire.client*)
| Description |
|-------------------------------------------------------------------------------------------------------|
| *[ldapclient_user](dictionaries/21_openldap-server.xml)* |
| **Base DN** (*[ldapclient_base_dn](dictionaries/21_openldap-server.xml)*) |
| **Base DN de l'annuaire des utilisateurs** (*[ldap_account_dn](dictionaries/21_openldap-server.xml)*) |
| *[ldapclient_search_dn](dictionaries/21_openldap-server.xml)* |
| Description | Values |
|-------------------------------------------------------------------------------------------------------|--------------|
| *[ldapclient_user](dictionaries/21_openldap-server.xml)* | <calculated> |
| **Base DN** (*[ldapclient_base_dn](dictionaries/21_openldap-server.xml)*) | |
| **Base DN de l'annuaire des utilisateurs** (*[ldap_account_dn](dictionaries/21_openldap-server.xml)*) | <calculated> |
| *[ldapclient_search_dn](dictionaries/21_openldap-server.xml)* | <calculated> |
### Machine (*machine*)

2
seed/openldap/applicationservice.yml
View file

@ -3,4 +3,4 @@ description: OpenLDAP, a LDAP server
website: https://www.openldap.org/
depends:
- ldap-client
- base-fedora-36
- base-fedora-37

11
seed/openldap/dictionaries/21_openldap-server.xml
View file

@ -3,18 +3,17 @@
<services>
<service name="slapd" target="multi-user">
<override/>
<file source='default.slapd'>/etc/default/slapd</file>
<file>/etc/pki/tls/certs/openldap.crt</file>
<file owner="ldap" mode="400">/etc/pki/tls/private/openldap.key</file>
<file owner="ldap">/var/lib/ldap/DB_CONFIG</file>
<file>/secrets/users.ldif</file>
<file>/secrets/users_mod.ldif</file>
<file owner="ldap" mode="400">/etc/ldap/secrets/config.ldif</file>
<file owner="ldap" mode="400">/etc/ldap/secrets/config_acl.ldif</file>
<file>/secrets/admin_ldap.pwd</file>
<file owner="ldap" mode="400">/etc/ldap/secrets/users.ldif</file>
<file>/secrets/users_mod.ldif</file>
<file>/secrets/config_acl.ldif</file>
<file mode="400">/secrets/admin_ldap.pwd</file>
<file engine="none">/sysusers.d/risotto-openldap.conf</file>
<file source="tmpfile-openldap-server.conf">/tmpfiles.d/0openldap-server.conf</file>
<file>/tests/openldap.yml</file>
<file filelist="copy_tests">/tests/openldap.yml</file>
</service>
</services>

2
seed/openldap/extras/accounts/00_account.xml
View file

@ -5,7 +5,7 @@
<family name="remote_" description="Compte LDAP pour " dynamic="accounts.remotes">
<variable name="family_" description="Nom de la familly de " hidden="True" provider="LDAP:family"/>
<variable name="dn_" description="LDAP DN de " hidden="True" provider="LDAP:dn"/>
<variable name="password_" description="Mot de passe de " hidden="True" provider="LDAP:password"/>
<variable name="password_" type ="password" description="Mot de passe de " hidden="True" provider="LDAP:password"/>
<variable name="base_dn_" description="LDAP base DN de " hidden="True" provider="LDAP:base_dn"/>
</family>
<family name="users" description="Gestion des utilisateurs" leadership="True">

1
seed/openldap/templates/DB_CONFIG
View file

@ -1,3 +1,4 @@
#RISOTTO: do not compare
# $OpenLDAP$
# Example DB_CONFIG file for use with slapd(8) BDB/HDB databases.
#

1
seed/openldap/templates/config.ldif
View file

@ -1,3 +1,4 @@
#RISOTTO: do not compare
dn: cn=config
objectClass: olcGlobal
#olcLogLevel: %%ldap_loglevel

1
seed/openldap/templates/config_acl.ldif
View file

@ -1,3 +1,4 @@
#RISOTTO: do not compare
%set %%name_family = 'gnunux'
%set %%dns = {}
%set %%groups = []

5
seed/openldap/templates/openldap.yml
View file

@ -47,3 +47,8 @@ groups:
- cn=%%user,%%families
%end for
%end for
%if 'gnunux' not in %%accounts.families
%set %%families = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, 'gnunux')
gnunux:
- cn=rougail_test@gnunux.info,%%families
%end if

37
seed/openldap/templates/users.ldif
View file

@ -1,3 +1,4 @@
%set %%add_test = True
%set %%username="rougail_test@silique.fr"
%set %%username_family="rougail_test@gnunux.info"
%set %%name_family="gnunux"
@ -64,41 +65,23 @@ ou: families
objectClass: top
objectClass: organizationalUnit
%for %%family in %%accounts.families
%set %%families = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=%%family)
%def add_family(%%family, %%families)
dn: %%families
ou: %%family
objectClass: top
objectClass: organizationalUnit
%end def
%if %%add_test and 'gnunux' not in %%accounts.families
%set %%families = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name='gnunux')
%%add_family('gnunux', %%families)
%end if
%for %%family in %%accounts.families
%set %%families = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=%%family)
%%add_family(%%family, %%families)
%for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
%set %%userdn = "cn=" + %%user + "," + %%families
%%groups.setdefault(%%family, []).append(%%userdn)%slurp
%%acc.append((%%userdn, %%user, %%user['ldap_user_password_' + %%family], %%user['ldap_user_sn_' + %%family], %%user['ldap_user_gn_' + %%family], %%user['ldap_user_uid_' + %%family], %%user['ldap_user_aliases_' + %%family], %%family))%slurp
#pouet
#dn: %%userdn
#cn: %%user
#mail: %%user
#sn:
#givenName:
#uid:
#userPassword:: %%ssha_encode()
#homeDirectory: /srv/home/families/%%family/%%user
#mailLocalAddress: %%user
# %if %%user['ldap_user_aliases_' + %%family]
# %for %%alias in
#mailLocalAddress: %%alias
# %end for
# %end if
#uidNumber: 0
#gidNumber: 0
#objectClass: top
#objectClass: inetOrgPerson
#objectClass: posixAccount
#objectClass: inetLocalMailRecipient
#
# %end for
#%end for
%end for
%end for
%for %%userdn, %%user, %%password, %%sn, %%gn, %%uid, %%aliases, %%family in %%acc

5
seed/openldap/tests/test_openldap.py
View file

@ -79,7 +79,10 @@ def test_ldap_migration():
if 'FIRST_RUN' in environ:
l.simple_bind_s(data['admin_dn'], data['admin_password'])
l.passwd_s(data['user_family_dn'], data['user_family_password'], data['user_family_password'] + "2")
l.simple_bind_s(data['user_family_dn'], data['user_family_password'] + "2")
try:
l.simple_bind_s(data['user_family_dn'], data['user_family_password'] + "2")
except INVALID_CREDENTIALS as err:
raise Exception(f'cannot find {data["user_family_dn"]} do you run script with FIRST_RUN env variables?')
def test_ldap_remote_auth():

6
seed/peertube/README.md
View file

@ -61,9 +61,9 @@ Peertube, a federated (ActivityPub) video streaming platform.
##### external (*general.oauth2_client.external*)
| Description |
|----------------------------------------------------------|
| *[oauth2_client_external](dictionaries/30_peertube.xml)* |
| Description | Values |
|----------------------------------------------------------|--------------|
| *[oauth2_client_external](dictionaries/30_peertube.xml)* | <calculated> |
#### nginx (*general.nginx*)

2
seed/postfix-relay/dictionaries/30_postfix.xml
View file

@ -42,7 +42,7 @@
</family>
<family name="postfix" description="Postfix mail server">
<variable name="postfix_mail_hostname" type="domainname" description="Nom de domaine extérieur du serveur de courriel" mandatory="True"/>
<variable name="postfix_relay_domains" type="domainname" description="Domaine de courriel généré localement" multi="True" mandatory="True" hidden="True"/>
<variable name="postfix_relay_domains" type="domainname" description="Local LTMP domain" multi="True" hidden="True"/>
<variable name='postfix_relay_authentifications' description="Authentification sur le relai SMTP" multi="True" provider="SMTP"/>
<family name="local_authentification_" description="Local server authentification" dynamic='postfix_relay_authentifications'>
<variable name="local_authentification_password_" type="secret" auto_save="False" provider="SMTP:password"/>

2
seed/postgresql-client/README.md
View file

@ -18,11 +18,11 @@ Application service needs interact with a Postgresql server.
- [odoo](../odoo/README.md)
- [mailman](../mailman/README.md)
- [peertube](../peertube/README.md)
- [forgejo](../forgejo/README.md)
- [dotclear](../dotclear/README.md)
- [roundcube](../roundcube/README.md)
- [vaultwarden](../vaultwarden/README.md)
- [nextcloud](../nextcloud/README.md)
- [gitea](../gitea/README.md)
## Linked to

4
seed/postgresql-client/dictionaries/23_postgresql.xml
View file

@ -12,9 +12,9 @@
<variables>
<family name="postgresql" description="PostgreSQL">
<variable name="pg_client_server_domainname" type="domainname" description="Nom de domaine du serveur PostgreSQL" mandatory="True" supplier="Postgresql" hidden="True"/>
<variable name="pg_client_username" description="Client username" mandatory="True" hidden="True"/>
<variable name="pg_client_username" description="Client username" mandatory="True" hidden="True" supplier="Postgresql:username"/>
<variable name="pg_client_password" type="password" description="Client password" mandatory="True" hidden="True" supplier="Postgresql:password"/>
<variable name="pg_client_database" description="Client database" mandatory="True" hidden="True"/>
<variable name="pg_client_database" description="Client database" mandatory="True" hidden="True" supplier="Postgresql:database"/>
<variable name="pg_client_key_owner" type="unix_user" description="Key owner" mandatory="True" hidden="True">
<value>apache</value>
</variable>

8
seed/postgresql/README.md
View file

@ -15,7 +15,7 @@ Postgresql, a database.
## Dependances
- [base-fedora-36](../base-fedora-36/README.md)
- [base-fedora-37](../base-fedora-37/README.md)
- [base-fedora](../base-fedora/README.md)
- [systemd](../systemd/README.md)
- [base-machine](../base-machine/README.md)
@ -59,9 +59,9 @@ Paramétrage du serveur de gestion de bases de données PostgreSQL
This a dynamic family generated from the variable "accounts.remotes".
| Description | Type |
|-----------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------|
| **Remote IP** (*[remote_ip_](extras/accounts/00_accounts.xml)*) | [ip](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) |
| Description | Type | Values |
|------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------|--------------|
| **Remote IP ** (*[remote_ip_](extras/accounts/00_accounts.xml)*) | [ip](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | <calculated> |
- [+]: variable is multiple

2
seed/postgresql/applicationservice.yml
View file

@ -2,4 +2,4 @@ format: '0.1'
description: Postgresql, a database
website: https://www.postgresql.org
depends:
- base-fedora-36
- base-fedora-37

2
seed/postgresql/dictionaries/22_postgresql.xml
View file

@ -14,7 +14,7 @@
<file>/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt</file>
<file>/etc/pki/tls/certs/postgresql.crt</file>
<file owner="root" group="postgres" mode="440">/etc/pki/tls/private/postgresql.key</file>
<file>/tests/postgresql.yml</file>
<file filelist="copy_tests">/tests/postgresql.yml</file>
</service>
</services>
<variables>

6
seed/postgresql/extras/accounts/00_accounts.xml
View file

@ -3,8 +3,10 @@
<variables>
<variable name="remotes" description="Remote clients needing an account" type="domainname" multi="True" provider="Postgresql"/>
<family name="remote_" description="Account for " dynamic="accounts.remotes">
<variable name="remote_ip_" description="Remote IP" type="ip" mandatory="True"/>
<variable name="password_" description="Remote password" auto_save="False" hidden="True" type="password" mandatory="True" provider="Postgresql:password"/>
<variable name="remote_ip_" description="Remote IP " type="ip" mandatory="True"/>
<variable name="database_" description="Remote database " auto_save="False" hidden="True" mandatory="True" provider="Postgresql:database"/>
<variable name="username_" description="Remote username " auto_save="False" hidden="True" type="unix_user" mandatory="True" provider="Postgresql:username"/>
<variable name="password_" description="Remote password " auto_save="False" hidden="True" type="password" mandatory="True" provider="Postgresql:password"/>
</family>
</variables>
<constraints>

35
seed/postgresql/templates/pg_hba.conf
View file

@ -1,3 +1,4 @@
#RISOTTO: file://usr/share/pgsql/pg_hba.conf.sample
# PostgreSQL Client Authentication Configuration File
# ===================================================
#
@ -18,12 +19,13 @@
#
# (The uppercase items must be replaced by actual values.)
#
# The first field is the connection type: "local" is a Unix-domain
# socket, "host" is either a plain or SSL-encrypted TCP/IP socket,
# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a
# non-SSL TCP/IP socket. Similarly, "hostgssenc" uses a
# GSSAPI-encrypted TCP/IP socket, while "hostnogssenc" uses a
# non-GSSAPI socket.
# The first field is the connection type:
# - "local" is a Unix-domain socket
# - "host" is a TCP/IP socket (encrypted or not)
# - "hostssl" is a TCP/IP socket that is SSL-encrypted
# - "hostnossl" is a TCP/IP socket that is not SSL-encrypted
# - "hostgssenc" is a TCP/IP socket that is GSSAPI-encrypted
# - "hostnogssenc" is a TCP/IP socket that is not GSSAPI-encrypted
#
# DATABASE can be "all", "sameuser", "samerole", "replication", a
# database name, or a comma-separated list thereof. The "all"
@ -76,29 +78,32 @@
# listen on a non-local interface via the listen_addresses
# configuration parameter, or via the -i or -h command line switches.
#GNUNUX @authcomment@
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
#GNUNUX local all all peer
#>GNUNUX
#@remove-line-for-nolocal@# "local" is for Unix domain socket connections only
#@remove-line-for-nolocal@local all all @authmethodlocal@
local all postgres ident map=pg_map
#<GNUNUX
# IPv4 local connections:
#>GNUNUX
# host all all 127.0.0.1/32 ident
#host all all 127.0.0.1/32 @authmethodhost@
hostssl rougail_test rougail_test %%gateway_eth0/32 md5
%for %%server in %%accounts.remotes
hostssl %%normalize_family(%%server) %%normalize_family(%%server) %%server md5
%set %%name = %%normalize_family(%%server)
%set %%database = %%accounts["remote_" + %%name]["database_" + %%name]
%set %%username = %%accounts["remote_" + %%name]["username_" + %%name]
hostssl %%database %%username %%server md5
%end for
#<GNUNUX
# IPv6 local connections:
#host all all ::1/128 ident
#GNUNUX host all all ::1/128 @authmethodhost@
# Allow replication connections from localhost, by a user with the
# replication privilege.
#>GNUNUX
#local replication all peer
#host replication all 127.0.0.1/32 ident
#host replication all ::1/128 ident
#@remove-line-for-nolocal@local replication all @authmethodlocal@
#host replication all 127.0.0.1/32 @authmethodhost@
#host replication all ::1/128 @authmethodhost@
#<GNUNUX

35
seed/postgresql/templates/pg_ident.conf
View file

@ -1,12 +1,14 @@
#RISOTTO: file://usr/share/pgsql/pg_ident.conf.sample
# PostgreSQL User Name Maps
# =========================
#
# Refer to the PostgreSQL Administrator's Guide, chapter "Client
# Authentication" for a complete description. A short synopsis follows.
# Refer to the PostgreSQL documentation, chapter "Client
# Authentication" for a complete description. A short synopsis
# follows.
#
# This file controls PostgreSQL username mapping. It maps
# external user names to their corresponding
# PostgreSQL user names. Records are of the form:
# This file controls PostgreSQL user name mapping. It maps external
# user names to their corresponding PostgreSQL user names. Records
# are of the form:
#
# MAPNAME SYSTEM-USERNAME PG-USERNAME
#
@ -18,24 +20,27 @@
# existence of a record specifies that SYSTEM-USERNAME may connect as
# PG-USERNAME.
#
# If SYSTEM-USERNAME starts with a slash (/), it will be treated as
# a regular expression. Optionally this can contain a capture (a
# If SYSTEM-USERNAME starts with a slash (/), it will be treated as a
# regular expression. Optionally this can contain a capture (a
# parenthesized subexpression). The substring matching the capture
# will be substituted for \1 (backslash-one) if present in PG-USERNAME.
# will be substituted for \1 (backslash-one) if present in
# PG-USERNAME.
#
# Multiple maps may be specified in this file and used by pg_hba.conf.
#
# No map names are defined in the default configuration. If all system
# user names and PostgreSQL user names are the same, you don't need
# anything in this file.
# No map names are defined in the default configuration. If all
# system user names and PostgreSQL user names are the same, you don't
# need anything in this file.
#
# This file is read on server startup and when the postmaster receives
# a SIGHUP signal. If you edit the file on a running system, you have
# to SIGHUP the postmaster for the changes to take effect. You can use
# "pg_ctl reload" to do that.
# to SIGHUP the postmaster for the changes to take effect. You can
# use "pg_ctl reload" to do that.
# Put your actual configuration here
# ----------------------------------
# MAPNAME SYSTEM-USERNAME PG-USERNAME
pg_map postgres postgres
# MAPNAME SYSTEM-USERNAME PG-USERNAME
#>GNUNUX
pg_map postgres postgres
#<GNUNUX

73
seed/postgresql/templates/postgresql.conf
View file

@ -1,3 +1,4 @@
#RISOTTO: file://usr/share/pgsql/postgresql.conf.sample
%compiler-settings
cheetahVarStartToken = §§
directiveStartToken = §
@ -77,16 +78,16 @@ ident_file = '/etc/postgresql/pg_ident.conf'
listen_addresses = '*'
#<GNUNUX
#port = 5432 # (change requires restart)
#>GNUNUX
#max_connections = 100 # (change requires restart)
#>GNUNUX
max_connections = §§pg_max_connections
#<GNUNUX
#superuser_reserved_connections = 3 # (change requires restart)
#unix_socket_directories = '/var/run/postgresql, /tmp' # comma-separated list of directories
#unix_socket_directories = '/tmp' # comma-separated list of directories
# (change requires restart)
#>GNUNUX
unix_socket_directories = '/var/run/postgresql'
#<GNUNUX
# (change requires restart)
#unix_socket_group = '' # (change requires restart)
#unix_socket_permissions = 0777 # begin with 0 to use octal notation
# (change requires restart)
@ -107,6 +108,10 @@ unix_socket_directories = '/var/run/postgresql'
#tcp_user_timeout = 0 # TCP_USER_TIMEOUT, in milliseconds;
# 0 selects the system default
#client_connection_check_interval = 0 # time between checks for client
# disconnection while running queries;
# 0 for never
# - Authentication -
#authentication_timeout = 1min # 1s-600s
@ -126,7 +131,7 @@ authentication_timeout = §§{pg_authentication_timeout}s
#ssl_ca_file = ''
#ssl_cert_file = 'server.crt'
#ssl_crl_file = ''
##ssl_crl_dir = ''
#ssl_crl_dir = ''
#ssl_key_file = 'server.key'
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
#ssl_prefer_server_ciphers = on
@ -143,15 +148,18 @@ ssl_cert_file = '/etc/pki/tls/certs/postgresql.crt' # (change requires restart)
ssl_key_file = '/etc/pki/tls/private/postgresql.key' # (change requires restart)
#<GNUNUX
#------------------------------------------------------------------------------
# RESOURCE USAGE (except WAL)
#------------------------------------------------------------------------------
# - Memory -
shared_buffers = 128MB # min 128kB
#shared_buffers = 32MB # min 128kB
# (change requires restart)
#>GNUNUX
shared_buffers = §§{pg_shared_buffers}§§pg_shared_buffers_unit
#<GNUNUX
#huge_pages = try # on, off, or try
# (change requires restart)
#huge_page_size = 0 # zero for system default
@ -177,7 +185,7 @@ maintenance_work_mem = §§{pg_maintenance_work_mem}§§pg_maintenance_work_mem_
# sysv
# windows
# (change requires restart)
dynamic_shared_memory_type = posix # the default is the first option
#dynamic_shared_memory_type = posix # the default is the first option
# supported by the operating system:
# posix
# sysv
@ -209,7 +217,7 @@ dynamic_shared_memory_type = posix # the default is the first option
#bgwriter_delay = 200ms # 10-10000ms between rounds
#bgwriter_lru_maxpages = 100 # max buffers written/round, 0 disables
#bgwriter_lru_multiplier = 2.0 # 0-10.0 multiplier on buffers scanned/round
#bgwriter_flush_after = 512kB # measured in pages, 0 disables
#bgwriter_flush_after = 0 # measured in pages, 0 disables
# - Asynchronous Behavior -
@ -219,9 +227,9 @@ dynamic_shared_memory_type = posix # the default is the first option
#max_worker_processes = 8 # (change requires restart)
#max_parallel_workers_per_gather = 2 # taken from max_parallel_workers
#max_parallel_maintenance_workers = 2 # taken from max_parallel_workers
#parallel_leader_participation = on
#max_parallel_workers = 8 # maximum number of max_worker_processes that
# can be used in parallel operations
#parallel_leader_participation = on
#old_snapshot_threshold = -1 # 1min-60d; -1 disables; 0 is immediate
# (change requires restart)
@ -268,13 +276,14 @@ wal_buffers = §§pg_wal_buffers
#checkpoint_timeout = 5min # range 30s-1d
#checkpoint_completion_target = 0.9 # checkpoint target duration, 0.0 - 1.0
#checkpoint_flush_after = 256kB # measured in pages, 0 disables
#checkpoint_flush_after = 0 # measured in pages, 0 disables
#checkpoint_warning = 30s # 0 disables
#>GNUNUX
#max_wal_size = 1GB
#min_wal_size = 80MB
#>GNUNUX
max_wal_size = §§{pg_max_wal_size}§§pg_max_wal_size_unit
#<GNUNUX
min_wal_size = 80MB
#<GNUNUX
# - Archiving -
@ -422,8 +431,8 @@ min_wal_size = 80MB
#cpu_tuple_cost = 0.01 # same scale as above
#cpu_index_tuple_cost = 0.005 # same scale as above
#cpu_operator_cost = 0.0025 # same scale as above
#parallel_tuple_cost = 0.1 # same scale as above
#parallel_setup_cost = 1000.0 # same scale as above
#parallel_tuple_cost = 0.1 # same scale as above
#min_parallel_table_scan_size = 8MB
#min_parallel_index_scan_size = 512kB
#effective_cache_size = 4GB
@ -440,7 +449,6 @@ effective_cache_size = §§{pg_effective_cache_size}§§pg_effective_cache_size_
# query is more expensive than this;
# -1 disables
# - Genetic Query Optimizer -
#geqo = on
@ -474,6 +482,7 @@ effective_cache_size = §§{pg_effective_cache_size}§§pg_effective_cache_size_
# stderr, csvlog, syslog, and eventlog,
# depending on platform. csvlog
# requires logging_collector to be on.
# This is used when logging to stderr:
#GNUNUX: logging_collector = on # Enable capturing of stderr and csvlog
# into log files. Required to be on for
@ -487,6 +496,11 @@ effective_cache_size = §§{pg_effective_cache_size}§§pg_effective_cache_size_
# can include strftime() escapes
#log_file_mode = 0600 # creation mode for log files,
# begin with 0 to use octal notation
#GNUNUX: log_rotation_age = 1d # Automatic rotation of logfiles will
# happen after that time. 0 disables.
#GNUNUX: log_rotation_size = 0 # Automatic rotation of logfiles will
# happen after that much log output.
# 0 disables.
#GNUNUX: log_truncate_on_rotation = on # If on, an existing log file with the
# same name as the new log file will be
# truncated rather than appended to.
@ -495,11 +509,6 @@ effective_cache_size = §§{pg_effective_cache_size}§§pg_effective_cache_size_
# or size-driven rotation. Default is
# off, meaning append to existing files
# in all cases.
#GNUNUX: log_rotation_age = 1d # Automatic rotation of logfiles will
# happen after that time. 0 disables.
#GNUNUX: log_rotation_size = 0 # Automatic rotation of logfiles will
# happen after that much log output.
# 0 disables.
#>GNUNUX
log_destination = 'syslog'
#<GNUNUX
@ -620,7 +629,10 @@ log_destination = 'syslog'
# than the specified size in kilobytes;
# -1 disables, 0 logs all temp files
#FIXME en dure ?
#>GNUNUX
#log_timezone = 'GMT'
log_timezone = 'Europe/Paris'
#<GNUNUX
#------------------------------------------------------------------------------
@ -741,10 +753,16 @@ autovacuum = off
# - Locale and Formatting -
#datestyle = 'iso, mdy'
#>GNUNUX
datestyle = 'iso, dmy'
#<GNUNUX
#intervalstyle = 'postgres'
#timezone = 'GMT'
#>GNUNUX
#FIXME en dure ?
timezone = 'Europe/Paris'
#<GNUNUX
#timezone_abbreviations = 'Default' # Select the set of available time zone
# abbreviations. Currently, there are
# Default
@ -758,15 +776,24 @@ timezone = 'Europe/Paris'
# encoding
# These settings are initialized by initdb, but they can be changed.
#FIXME en dure ?
lc_messages = 'fr_FR.UTF-8' # locale for system error message
#lc_messages = 'C' # locale for system error message
# strings
lc_monetary = 'fr_FR.UTF-8' # locale for monetary formatting
lc_numeric = 'fr_FR.UTF-8' # locale for number formatting
lc_time = 'fr_FR.UTF-8' # locale for time formatting
#lc_monetary = 'C' # locale for monetary formatting
#lc_numeric = 'C' # locale for number formatting
#lc_time = 'C' # locale for time formatting
#>GNUNUX
#FIXME en dure ?
lc_messages = 'fr_FR.UTF-8'
lc_monetary = 'fr_FR.UTF-8'
lc_numeric = 'fr_FR.UTF-8'
lc_time = 'fr_FR.UTF-8'
#<GNUNUX
# default configuration for text search
#>GNUNUX
#default_text_search_config = 'pg_catalog.french'
default_text_search_config = 'pg_catalog.french'
#<GNUNUX
# - Shared Library Preloading -

11
seed/postgresql/templates/postgresql.sql
View file

@ -1,12 +1,15 @@
%set %%new_accounts = [('rougail_test', %%get_password(server_name=%%domain_name_eth0, username='rougail_test', description="remote", type="cleartext", hide=%%hide_secret, temporary=True))]
#RISOTTO: do not compare
%set %%new_accounts = [('rougail_test', 'rougail_test', %%get_password(server_name=%%domain_name_eth0, username='rougail_test', description="remote", type="cleartext", hide=%%hide_secret, temporary=True))]
%for %%server in %%accounts.remotes
%set %%name = %%normalize_family(%%server)
%set %%database = %%accounts["remote_" + %%name]["database_" + %%name]
%set %%username = %%accounts["remote_" + %%name]["username_" + %%name]
%set %%password = %%accounts["remote_" + %%name]["password_" + %%name]
%%new_accounts.append((%%name, %%password))%slurp
%%new_accounts.append((%%database, %%username, %%password))%slurp
%end for
%for %%name, %%password in %%new_accounts
%for %%database, %%name, %%password in %%new_accounts
CREATE DATABASE "%%name";
CREATE ROLE "%%name" WITH LOGIN ENCRYPTED PASSWORD '%%password';
ALTER USER "%%name" PASSWORD '%%password';
GRANT ALL PRIVILEGES ON DATABASE "%%name" TO "%%name";
GRANT ALL PRIVILEGES ON DATABASE "%%name" TO "%%database";
%end for

12
seed/redis-client/README.md
View file

@ -19,11 +19,11 @@ Application service needs interact with a Redis server.
#### Redis (*general.redis*)
| Description | Type | Supplier |
|-----------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|----------------|
| **Nom de domaine du serveur** (*[redis_client_server_domainname](dictionaries/23_redis.xml)*) | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Redis |
| **Nom d'utilisateur** (*[redis_client_username](dictionaries/23_redis.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | |
| **Mot de passe de connexion** (*[redis_client_password](dictionaries/23_redis.xml)*) | [password](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Redis:password |
| Description | Type | Supplier | Values |
|-----------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|----------------|--------------|
| **Nom de domaine du serveur** (*[redis_client_server_domainname](dictionaries/23_redis.xml)*) | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Redis | |
| **Nom d'utilisateur** (*[redis_client_username](dictionaries/23_redis.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Redis:username | <calculated> |
| **Mot de passe de connexion** (*[redis_client_password](dictionaries/23_redis.xml)*) | [password](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Redis:password | <calculated> |
- [+]: variable is multiple
@ -33,9 +33,9 @@ Application service needs interact with a Redis server.
- [peertube](../peertube/README.md)
- [piwigo](../piwigo/README.md)
- [forgejo](../forgejo/README.md)
- [roundcube](../roundcube/README.md)
- [nextcloud](../nextcloud/README.md)
- [gitea](../gitea/README.md)
## Linked to

2
seed/redis-client/dictionaries/23_redis.xml
View file

@ -11,7 +11,7 @@
<variables>
<family name="redis" description="Redis">
<variable name="redis_client_server_domainname" type="domainname" description="Nom de domaine du serveur" mandatory="True" supplier="Redis"/>
<variable name="redis_client_username" description="Nom d'utilisateur" mandatory="True"/>
<variable name="redis_client_username" description="Nom d'utilisateur" mandatory="True" supplier="Redis:username"/>
<variable name="redis_client_password" type="password" description="Mot de passe de connexion" mandatory="True" supplier="Redis:password"/>
<variable name="redis_client_key_owner" type="unix_user" description="Key owner" mandatory="True" hidden="True">
<value>apache</value>

26
seed/redis/README.md
View file

@ -15,7 +15,7 @@ Redis, an in-memory data structure store.
## Dependances
- [base-fedora-36](../base-fedora-36/README.md)
- [base-fedora-37](../base-fedora-37/README.md)
- [base-fedora](../base-fedora/README.md)
- [systemd](../systemd/README.md)
- [base-machine](../base-machine/README.md)
@ -30,21 +30,21 @@ Redis, an in-memory data structure store.
Configuration du service de cache Redis
| Description | Values | Help | Type | Choices |
|----------------------------------------------------------------------------------------------------------------------------|------------|--------------------------|------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------|
| **Nom de l'instance** (*[redis_instance_name](dictionaries/90_redis.xml)*) | | | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | |
| **Activer la persistence des données** (*[redis_save](dictionaries/90_redis.xml)*) | False | | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | |
| **Quantité de mémoire utilisable par Redis** (*[redis_max_memory](dictionaries/90_redis.xml)*) | 512 | La valeur est en Mo | [number](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | |
| **Méthode de libération de mémoire lorsque le maximum est atteint** (*[redis_memory_policy](dictionaries/90_redis.xml)*) | noeviction | | [choice](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | volatile-lru<br />allkeys-lru<br />volatile-lfu<br />allkeys-lfu<br />volatile-random<br />allkeys-random<br />volatile-ttl<br />noeviction |
| **Intervalle entre le dernier envoi de paquet TCP et la réponse ACK** (*[redis_tcp_keepalive](dictionaries/90_redis.xml)*) | 60 | La valeur est en seconde | [number](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | |
| **Nombre de client maximum autorisé** (*[redis_max_clients](dictionaries/90_redis.xml)*) | 10000 | | [number](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | |
| Description | Values | Help | Type | Choices |
|----------------------------------------------------------------------------------------------------------------------------|--------------|--------------------------|------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------|
| **Nom de l'instance** (*[redis_instance_name](dictionaries/90_redis.xml)*) | <calculated> | | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | |
| **Activer la persistence des données** (*[redis_save](dictionaries/90_redis.xml)*) | False | | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | |
| **Quantité de mémoire utilisable par Redis** (*[redis_max_memory](dictionaries/90_redis.xml)*) | 512 | La valeur est en Mo | [number](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | |
| **Méthode de libération de mémoire lorsque le maximum est atteint** (*[redis_memory_policy](dictionaries/90_redis.xml)*) | noeviction | | [choice](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | volatile-lru<br />allkeys-lru<br />volatile-lfu<br />allkeys-lfu<br />volatile-random<br />allkeys-random<br />volatile-ttl<br />noeviction |
| **Intervalle entre le dernier envoi de paquet TCP et la réponse ACK** (*[redis_tcp_keepalive](dictionaries/90_redis.xml)*) | 300 | La valeur est en seconde | [number](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | |
| **Nombre de client maximum autorisé** (*[redis_max_clients](dictionaries/90_redis.xml)*) | 10000 | | [number](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | |
### Account (*account*)
| Description | Type | Provider |
|----------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|------------|
| **Remote Redis client needing an account** (*[remote](extras/account/00_account.xml)*) | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Redis |
| **Remote IP** (*[remote_ip](extras/account/00_account.xml)*) | [ip](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | |
| Description | Type | Provider | Values |
|----------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|------------|--------------|
| **Remote Redis client needing an account** (*[remote](extras/account/00_account.xml)*) | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Redis | |
| **Remote IP** (*[remote_ip](extras/account/00_account.xml)*) | [ip](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | | <calculated> |
- [+]: variable is multiple

2
seed/redis/applicationservice.yml
View file

@ -2,4 +2,4 @@ format: '0.1'
description: Redis, an in-memory data structure store
website: https://redis.io/
depends:
- base-fedora-36
- base-fedora-37

4
seed/redis/dictionaries/90_redis.xml
View file

@ -9,7 +9,7 @@
<file>/etc/pki/ca-trust/source/anchors/ca_Redis.crt</file>
<file>/etc/pki/tls/certs/redis.crt</file>
<file owner="root" group="redis" mode="440">/etc/pki/tls/private/redis.key</file>
<file>/tests/redis.yml</file>
<file filelist="copy_tests">/tests/redis.yml</file>
</service>
</services>
<variables>
@ -33,7 +33,7 @@
<choice>noeviction</choice>
</variable>
<variable name="redis_tcp_keepalive" type="number" description="Intervalle entre le dernier envoi de paquet TCP et la réponse ACK" help="La valeur est en seconde">
<value>60</value>
<value>300</value>
</variable>
<variable name="redis_max_clients" type="number" description="Nombre de client maximum autorisé">
<value>10000</value>

1
seed/redis/extras/account/00_account.xml
View file

@ -3,6 +3,7 @@
<variables>
<variable name="remote" description="Remote Redis client needing an account" type="domainname" provider="Redis" mandatory="True"/>
<variable name="remote_ip" description="Remote IP" type="ip" mandatory="True"/>
<variable name="username" auto_save="False" hidden="True" type="password" mandatory="True" provider="Redis:username"/>
<variable name="password" auto_save="False" hidden="True" type="password" mandatory="True" provider="Redis:password"/>
</variables>
<constraints>

553
seed/redis/templates/redis.conf
View file

@ -32,8 +32,17 @@
# If instead you are interested in using includes to override configuration
# options, it is better to use include as the last line.
#
# Included paths may contain wildcards. All files matching the wildcards will
# be included in alphabetical order.
# Note that if an include path contains a wildcards but no files match it when
# the server is started, the include statement will be ignored and no error will
# be emitted. It is safe, therefore, to include wildcard files from empty
# directories.
#
# include /path/to/local.conf
# include /path/to/other.conf
# include /path/to/fragments/*.conf
#
################################## MODULES #####################################
@ -51,7 +60,7 @@
# the "bind" configuration directive, followed by one or more IP addresses.
# Each address can be prefixed by "-", which means that redis will not fail to
# start if the address is not available. Being not available only refers to
# addresses that does not correspond to any network interfece. Addresses that
# addresses that does not correspond to any network interface. Addresses that
# are already in use will always fail, and unsupported protocols will always BE
# silently skipped.
#
@ -70,36 +79,65 @@
# running on).
#
# IF YOU ARE SURE YOU WANT YOUR INSTANCE TO LISTEN TO ALL THE INTERFACES
# JUST COMMENT OUT THE FOLLOWING LINE.
# COMMENT OUT THE FOLLOWING LINE.
#
# You will also need to set a password unless you explicitly disable protected
# mode.
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#>GNUNUX
#bind 127.0.0.1 -::1
bind 0.0.0.0
#<GNUNUX
# By default, outgoing connections (from replica to master, from Sentinel to
# instances, cluster bus, etc.) are not bound to a specific local address. In
# most cases, this means the operating system will handle that based on routing
# and the interface through which the connection goes out.
#
# Using bind-source-addr it is possible to configure a specific address to bind
# to, which may also affect how the connection gets routed.
#
# Example:
#
# bind-source-addr 10.0.0.1
# Protected mode is a layer of security protection, in order to avoid that
# Redis instances left open on the internet are accessed and exploited.
#
# When protected mode is on and if:
#
# 1) The server is not binding explicitly to a set of addresses using the
# "bind" directive.
# 2) No password is configured.
#
# The server only accepts connections from clients connecting from the
# IPv4 and IPv6 loopback addresses 127.0.0.1 and ::1, and from Unix domain
# sockets.
# When protected mode is on and the default user has no password, the server
# only accepts local connections from the IPv4 address (127.0.0.1), IPv6 address
# (::1) or Unix domain sockets.
#
# By default protected mode is enabled. You should disable it only if
# you are sure you want clients from other hosts to connect to Redis
# even if no authentication is configured, nor a specific set of interfaces
# are explicitly listed using the "bind" directive.
#FIXMEprotected-mode yes
protected-mode no
# even if no authentication is configured.
protected-mode yes
# Redis uses default hardened security configuration directives to reduce the
# attack surface on innocent users. Therefore, several sensitive configuration
# directives are immutable, and some potentially-dangerous commands are blocked.
#
# Configuration directives that control files that Redis writes to (e.g., 'dir'
# and 'dbfilename') and that aren't usually modified during runtime
# are protected by making them immutable.
#
# Commands that can increase the attack surface of Redis and that aren't usually
# called by users are blocked by default.
#
# These can be exposed to either all connections or just local ones by setting
# each of the configs listed below to either of these values:
#
# no - Block for any connection (remain immutable)
# yes - Allow for any connection (no protection)
# local - Allow only for local connections. Ones originating from the
# IPv4 address (127.0.0.1), IPv6 address (::1) or Unix domain sockets.
#
# enable-protected-configs no
# enable-debug-command no
# enable-module-command no
# Accept connections on the specified port, default is 6379 (IANA #815344).
# If port 0 is specified Redis will not listen on a TCP socket.
# GNUNUX: for php/php-fpm
port 6379
# TCP listen() backlog.
@ -142,6 +180,17 @@ timeout 0
#tcp-keepalive 300
tcp-keepalive %%redis_tcp_keepalive
#<GNUNUX
# Apply OS-specific mechanism to mark the listening socket with the specified
# ID, to support advanced routing and filtering capabilities.
#
# On Linux, the ID represents a connection mark.
# On FreeBSD, the ID represents a socket cookie ID.
# On OpenBSD, the ID represents a route table ID.
#
# The default value is 0, which implies no marking is required.
# socket-mark-id 0
################################# TLS/SSL #####################################
# By default, TLS/SSL is disabled. To enable it, the "tls-port" configuration
@ -155,7 +204,7 @@ tcp-keepalive %%redis_tcp_keepalive
# server to connected clients, masters or cluster peers. These files should be
# PEM formatted.
#
# tls-cert-file redis.crt
# tls-cert-file redis.crt
# tls-key-file redis.key
#
# If the key file is encrypted using a passphrase, it can be included here
@ -384,10 +433,10 @@ proc-title-template "{title} {listen-addr} {server-mode}"
# Save the DB to disk.
#
# save <seconds> <changes>
# save <seconds> <changes> [<seconds> <changes> ...]
#
# Redis will save the DB if both the given number of seconds and the given
# number of write operations against the DB occurred.
# Redis will save the DB if the given number of seconds elapsed and it
# surpassed the given number of write operations against the DB.
#
# Snapshotting can be completely disabled with a single empty string argument
# as in following example:
@ -395,23 +444,16 @@ proc-title-template "{title} {listen-addr} {server-mode}"
# save ""
#
# Unless specified otherwise, by default Redis will save the DB:
# * After 3600 seconds (an hour) if at least 1 key changed
# * After 300 seconds (5 minutes) if at least 100 keys changed
# * After 60 seconds if at least 10000 keys changed
# * After 3600 seconds (an hour) if at least 1 change was performed
# * After 300 seconds (5 minutes) if at least 100 changes were performed
# * After 60 seconds if at least 10000 changes were performed
#
# You can set these explicitly by uncommenting the three following lines.
# You can set these explicitly by uncommenting the following line.
#
# save 3600 1
# save 300 100
# save 60 10000
# save ""
# save 3600 1 300 100 60 10000
#>GNUNUX
%if %%redis_save
save 900 1
save 300 10
save 60 10000
%else
save ""
save 900 1 300 10 60 10000
%end if
#<GNUNUX
@ -445,13 +487,13 @@ rdbcompression yes
# tell the loading code to skip the check.
rdbchecksum yes
# Enables or disables full sanitation checks for ziplist and listpack etc when
# Enables or disables full sanitization checks for ziplist and listpack etc when
# loading an RDB or RESTORE payload. This reduces the chances of a assertion or
# crash later on while processing commands.
# Options:
# no - Never perform full sanitation
# yes - Always perform full sanitation
# clients - Perform full sanitation only for user connections.
# no - Never perform full sanitization
# yes - Always perform full sanitization
# clients - Perform full sanitization only for user connections.
# Excludes: RDB files, RESTORE commands received from the master
# connection, and client connections which have the
# skip-sanitize-payload ACL flag.
@ -540,9 +582,10 @@ dir /srv/redis
# still reply to client requests, possibly with out of date data, or the
# data set may just be empty if this is the first synchronization.
#
# 2) If replica-serve-stale-data is set to 'no' the replica will reply with
# an error "SYNC with master in progress" to all commands except:
# INFO, REPLICAOF, AUTH, PING, SHUTDOWN, REPLCONF, ROLE, CONFIG, SUBSCRIBE,
# 2) If replica-serve-stale-data is set to 'no' the replica will reply with error
# "MASTERDOWN Link with MASTER is down and replica-serve-stale-data is set to 'no'"
# to all data access commands, excluding commands such as:
# INFO, REPLICAOF, AUTH, SHUTDOWN, REPLCONF, ROLE, CONFIG, SUBSCRIBE,
# UNSUBSCRIBE, PSUBSCRIBE, PUNSUBSCRIBE, PUBLISH, PUBSUB, COMMAND, POST,
# HOST and LATENCY.
#
@ -591,7 +634,7 @@ replica-read-only yes
#
# With slow disks and fast (large bandwidth) networks, diskless replication
# works better.
repl-diskless-sync no
repl-diskless-sync yes
# When diskless replication is enabled, it is possible to configure the delay
# the server waits in order to spawn the child that transfers the RDB via socket
@ -605,6 +648,12 @@ repl-diskless-sync no
# it entirely just set it to 0 seconds and the transfer will start ASAP.
repl-diskless-sync-delay 5
# When diskless replication is enabled with a delay, it is possible to let
# the replication start before the maximum delay is reached if the maximum
# number of replicas expected have connected. Default of 0 means that the
# maximum is not defined and Redis will wait the full delay.
repl-diskless-sync-max-replicas 0
# -----------------------------------------------------------------------------
# WARNING: RDB diskless load is experimental. Since in this setup the replica
# does not immediately store an RDB on disk, it may cause data loss during
@ -619,19 +668,23 @@ repl-diskless-sync-delay 5
#
# In many cases the disk is slower than the network, and storing and loading
# the RDB file may increase replication time (and even increase the master's
# Copy on Write memory and salve buffers).
# Copy on Write memory and replica buffers).
# However, parsing the RDB file directly from the socket may mean that we have
# to flush the contents of the current database before the full rdb was
# received. For this reason we have the following options:
#
# "disabled" - Don't use diskless load (store the rdb file to the disk first)
# "on-empty-db" - Use diskless load only when it is completely safe.
# "swapdb" - Keep a copy of the current db contents in RAM while parsing
# the data directly from the socket. note that this requires
# sufficient memory, if you don't have it, you risk an OOM kill.
# "swapdb" - Keep current db contents in RAM while parsing the data directly
# from the socket. Replicas in this mode can keep serving current
# data set while replication is in progress, except for cases where
# they can't recognize master as having a data set from same
# replication history.
# Note that this requires sufficient memory, if you don't have it,
# you risk an OOM kill.
repl-diskless-load disabled
# Replicas send PINGs to server in a predefined interval. It's possible to
# Master send PINGs to its replicas in a predefined interval. It's possible to
# change this interval with the repl_ping_replica_period option. The default
# value is 10 seconds.
#
@ -706,6 +759,31 @@ repl-disable-tcp-nodelay no
# By default the priority is 100.
replica-priority 100
# The propagation error behavior controls how Redis will behave when it is
# unable to handle a command being processed in the replication stream from a master
# or processed while reading from an AOF file. Errors that occur during propagation
# are unexpected, and can cause data inconsistency. However, there are edge cases
# in earlier versions of Redis where it was possible for the server to replicate or persist
# commands that would fail on future versions. For this reason the default behavior
# is to ignore such errors and continue processing commands.
#
# If an application wants to ensure there is no data divergence, this configuration
# should be set to 'panic' instead. The value can also be set to 'panic-on-replicas'
# to only panic when a replica encounters an error on the replication stream. One of
# these two panic values will become the default value in the future once there are
# sufficient safety mechanisms in place to prevent false positive crashes.
#
# propagation-error-behavior ignore
# Replica ignore disk write errors controls the behavior of a replica when it is
# unable to persist a write command received from its master to disk. By default,
# this configuration is set to 'no' and will crash the replica in this condition.
# It is not recommended to change this default, however in order to be compatible
# with older versions of Redis this config can be toggled to 'yes' which will just
# log a warning and execute the write command it got from the master.
#
# replica-ignore-disk-write-errors no
# -----------------------------------------------------------------------------
# By default, Redis Sentinel includes all replicas in its reports. A replica
# can be excluded from Redis Sentinel's announcements. An unannounced replica
@ -837,10 +915,12 @@ replica-priority 100
# off Disable the user: it's no longer possible to authenticate
# with this user, however the already authenticated connections
# will still work.
# skip-sanitize-payload RESTORE dump-payload sanitation is skipped.
# skip-sanitize-payload RESTORE dump-payload sanitization is skipped.
# sanitize-payload RESTORE dump-payload is sanitized (default).
# +<command> Allow the execution of that command
# -<command> Disallow the execution of that command
# +<command> Allow the execution of that command.
# May be used with `|` for allowing subcommands (e.g "+config|get")
# -<command> Disallow the execution of that command.
# May be used with `|` for blocking subcommands (e.g "-config|set")
# +@<category> Allow the execution of all the commands in such category
# with valid categories are like @admin, @set, @sortedset, ...
# and so forth, see the full list in the server.c file where
@ -848,10 +928,11 @@ replica-priority 100
# The special category @all means all the commands, but currently
# present in the server, and that will be loaded in the future
# via modules.
# +<command>|subcommand Allow a specific subcommand of an otherwise
# disabled command. Note that this form is not
# allowed as negative like -DEBUG|SEGFAULT, but
# only additive starting with "+".
# +<command>|first-arg Allow a specific first argument of an otherwise
# disabled command. It is only supported on commands with
# no sub-commands, and is not allowed as negative form
# like -SELECT|1, only additive starting with "+". This
# feature is deprecated and may be removed in the future.
# allcommands Alias for +@all. Note that it implies the ability to execute
# all the future commands loaded via the modules system.
# nocommands Alias for -@all.
@ -859,6 +940,10 @@ replica-priority 100
# commands. For instance ~* allows all the keys. The pattern
# is a glob-style pattern like the one of KEYS.
# It is possible to specify multiple patterns.
# %R~<pattern> Add key read pattern that specifies which keys can be read
# from.
# %W~<pattern> Add key write pattern that specifies which keys can be
# written to.
# allkeys Alias for ~*
# resetkeys Flush the list of allowed keys patterns.
# &<pattern> Add a glob-style pattern of Pub/Sub channels that can be
@ -884,6 +969,14 @@ replica-priority 100
# reset Performs the following actions: resetpass, resetkeys, off,
# -@all. The user returns to the same state it has immediately
# after its creation.
# (<options>) Create a new selector with the options specified within the
# parentheses and attach it to the user. Each option should be
# space separated. The first character must be ( and the last
# character must be ).
# clearselectors Remove all of the currently attached selectors.
# Note this does not change the "root" user permissions,
# which are the permissions directly applied onto the
# user (outside the parentheses).
#
# ACL rules can be specified in any order: for instance you can start with
# passwords, then flags, or key patterns. However note that the additive
@ -905,17 +998,51 @@ replica-priority 100
#
# Basically ACL rules are processed left-to-right.
#
# The following is a list of command categories and their meanings:
# * keyspace - Writing or reading from keys, databases, or their metadata
# in a type agnostic way. Includes DEL, RESTORE, DUMP, RENAME, EXISTS, DBSIZE,
# KEYS, EXPIRE, TTL, FLUSHALL, etc. Commands that may modify the keyspace,
# key or metadata will also have `write` category. Commands that only read
# the keyspace, key or metadata will have the `read` category.
# * read - Reading from keys (values or metadata). Note that commands that don't
# interact with keys, will not have either `read` or `write`.
# * write - Writing to keys (values or metadata)
# * admin - Administrative commands. Normal applications will never need to use
# these. Includes REPLICAOF, CONFIG, DEBUG, SAVE, MONITOR, ACL, SHUTDOWN, etc.
# * dangerous - Potentially dangerous (each should be considered with care for
# various reasons). This includes FLUSHALL, MIGRATE, RESTORE, SORT, KEYS,
# CLIENT, DEBUG, INFO, CONFIG, SAVE, REPLICAOF, etc.
# * connection - Commands affecting the connection or other connections.
# This includes AUTH, SELECT, COMMAND, CLIENT, ECHO, PING, etc.
# * blocking - Potentially blocking the connection until released by another
# command.
# * fast - Fast O(1) commands. May loop on the number of arguments, but not the
# number of elements in the key.
# * slow - All commands that are not Fast.
# * pubsub - PUBLISH / SUBSCRIBE related
# * transaction - WATCH / MULTI / EXEC related commands.
# * scripting - Scripting related.
# * set - Data type: sets related.
# * sortedset - Data type: zsets related.
# * list - Data type: lists related.
# * hash - Data type: hashes related.
# * string - Data type: strings related.
# * bitmap - Data type: bitmaps related.
# * hyperloglog - Data type: hyperloglog related.
# * geo - Data type: geo related.
# * stream - Data type: streams related.
#
# For more information about ACL configuration please refer to
# the Redis web site at https://redis.io/topics/acl
#>GNUNUX
user %%normalize_family(%%account.remote) on >%%account.password ~* &* +@all
user %%account.username on >%%account.password ~* &* +@all
#<GNUNUX
# ACL LOG
#
# The ACL Log tracks failed commands and authentication events associated
# with ACLs. The ACL Log is useful to troubleshoot failed commands blocked
# by ACLs. The ACL Log is stored in memory. You can reclaim memory with
# with ACLs. The ACL Log is useful to troubleshoot failed commands blocked
# by ACLs. The ACL Log is stored in memory. You can reclaim memory with
# ACL LOG RESET. Define the maximum entry length of the ACL Log below.
acllog-max-len 128
@ -937,7 +1064,7 @@ acllog-max-len 128
# AUTH <password> as usually, or more explicitly with AUTH default <password>
# if they follow the new protocol: both will work.
#
# The requirepass is not compatable with aclfile option and the ACL LOAD
# The requirepass is not compatible with aclfile option and the ACL LOAD
# command, these will cause requirepass to be ignored.
#
# requirepass foobared
@ -948,21 +1075,13 @@ requirepass %%account.password
# New users are initialized with restrictive permissions by default, via the
# equivalent of this ACL rule 'off resetkeys -@all'. Starting with Redis 6.2, it
# is possible to manage access to Pub/Sub channels with ACL rules as well. The
# default Pub/Sub channels permission if new users is controlled by the
# default Pub/Sub channels permission if new users is controlled by the
# acl-pubsub-default configuration directive, which accepts one of these values:
#
# allchannels: grants access to all Pub/Sub channels
# resetchannels: revokes access to all Pub/Sub channels
#
# To ensure backward compatibility while upgrading Redis 6.0, acl-pubsub-default
# defaults to the 'allchannels' permission.
#
# Future compatibility note: it is very likely that in a future version of Redis
# the directive's default of 'allchannels' will be changed to 'resetchannels' in
# order to provide better out-of-the-box Pub/Sub security. Therefore, it is
# recommended that you explicitly define Pub/Sub permissions for all users
# rather then rely on implicit default values. Once you've set explicit
# Pub/Sub for all existing users, you should uncomment the following line.
# From Redis 7.0, acl-pubsub-default defaults to 'resetchannels' permission.
#
# acl-pubsub-default resetchannels
@ -1087,7 +1206,7 @@ maxmemory-policy %%redis_memory_policy
# Eviction processing is designed to function well with the default setting.
# If there is an unusually large amount of write traffic, this value may need to
# be increased. Decreasing this value may reduce latency at the risk of
# be increased. Decreasing this value may reduce latency at the risk of
# eviction processing effectiveness
# 0 = minimum latency, 10 = default, 100 = process without regard to latency
#
@ -1186,7 +1305,7 @@ replica-lazy-flush no
lazyfree-lazy-user-del no
# FLUSHDB, FLUSHALL, and SCRIPT FLUSH support both asynchronous and synchronous
# FLUSHDB, FLUSHALL, SCRIPT FLUSH and FUNCTION FLUSH support both asynchronous and synchronous
# deletion, which can be controlled by passing the [SYNC|ASYNC] flags into the
# commands. When neither flag is passed, this directive will be used to determine
# if the data should be deleted asynchronously.
@ -1231,7 +1350,7 @@ lazyfree-lazy-user-flush no
# Usually threading reads doesn't help much.
#
# NOTE 1: This configuration directive cannot be changed at runtime via
# CONFIG SET. Aso this feature currently does not work when SSL is
# CONFIG SET. Also, this feature currently does not work when SSL is
# enabled.
#
# NOTE 2: If you want to test the Redis speedup using redis-benchmark, make
@ -1249,7 +1368,7 @@ lazyfree-lazy-user-flush no
# attempt to have background child processes killed before all others, and
# replicas killed before masters.
#
# Redis supports three options:
# Redis supports these options:
#
# no: Don't make changes to oom-score-adj (default).
# yes: Alias to "relative" see below.
@ -1305,10 +1424,39 @@ disable-thp yes
appendonly no
# The name of the append only file (default: "appendonly.aof")
# The base name of the append only file.
#
# Redis 7 and newer use a set of append-only files to persist the dataset
# and changes applied to it. There are two basic types of files in use:
#
# - Base files, which are a snapshot representing the complete state of the
# dataset at the time the file was created. Base files can be either in
# the form of RDB (binary serialized) or AOF (textual commands).
# - Incremental files, which contain additional commands that were applied
# to the dataset following the previous file.
#
# In addition, manifest files are used to track the files and the order in
# which they were created and should be applied.
#
# Append-only file names are created by Redis following a specific pattern.
# The file name's prefix is based on the 'appendfilename' configuration
# parameter, followed by additional information about the sequence and type.
#
# For example, if appendfilename is set to appendonly.aof, the following file
# names could be derived:
#
# - appendonly.aof.1.base.rdb as a base file.
# - appendonly.aof.1.incr.aof, appendonly.aof.2.incr.aof as incremental files.
# - appendonly.aof.manifest as a manifest file.
appendfilename "appendonly.aof"
# For convenience, Redis stores all persistent append-only files in a dedicated
# directory. The name of the directory is determined by the appenddirname
# configuration parameter.
appenddirname "appendonlydir"
# The fsync() call tells the Operating System to actually write data on disk
# instead of waiting for more data in the output buffer. Some OS will really flush
# data on disk, some other OS will just try to do it ASAP.
@ -1348,7 +1496,7 @@ appendfsync everysec
# BGSAVE or BGREWRITEAOF is in progress.
#
# This means that while another child is saving, the durability of Redis is
# the same as "appendfsync none". In practical terms, this means that it is
# the same as "appendfsync no". In practical terms, this means that it is
# possible to lose up to 30 seconds of log in the worst scenario (with the
# default Linux settings).
#
@ -1401,34 +1549,69 @@ auto-aof-rewrite-min-size 64mb
# will be found.
aof-load-truncated yes
# When rewriting the AOF file, Redis is able to use an RDB preamble in the
# AOF file for faster rewrites and recoveries. When this option is turned
# on the rewritten AOF file is composed of two different stanzas:
#
# [RDB file][AOF tail]
#
# When loading, Redis recognizes that the AOF file starts with the "REDIS"
# string and loads the prefixed RDB file, then continues loading the AOF
# tail.
# Redis can create append-only base files in either RDB or AOF formats. Using
# the RDB format is always faster and more efficient, and disabling it is only
# supported for backward compatibility purposes.
aof-use-rdb-preamble yes
################################ LUA SCRIPTING ###############################
# Redis supports recording timestamp annotations in the AOF to support restoring
# the data from a specific point-in-time. However, using this capability changes
# the AOF format in a way that may not be compatible with existing AOF parsers.
aof-timestamp-enabled no
# Max execution time of a Lua script in milliseconds.
################################ SHUTDOWN #####################################
# Maximum time to wait for replicas when shutting down, in seconds.
#
# If the maximum execution time is reached Redis will log that a script is
# still in execution after the maximum allowed time and will start to
# reply to queries with an error.
# During shut down, a grace period allows any lagging replicas to catch up with
# the latest replication offset before the master exists. This period can
# prevent data loss, especially for deployments without configured disk backups.
#
# When a long running script exceeds the maximum execution time only the
# SCRIPT KILL and SHUTDOWN NOSAVE commands are available. The first can be
# used to stop a script that did not yet call any write commands. The second
# is the only way to shut down the server in the case a write command was
# already issued by the script but the user doesn't want to wait for the natural
# termination of the script.
# The 'shutdown-timeout' value is the grace period's duration in seconds. It is
# only applicable when the instance has replicas. To disable the feature, set
# the value to 0.
#
# Set it to 0 or a negative value for unlimited execution without warnings.
lua-time-limit 5000
# shutdown-timeout 10
# When Redis receives a SIGINT or SIGTERM, shutdown is initiated and by default
# an RDB snapshot is written to disk in a blocking operation if save points are configured.
# The options used on signaled shutdown can include the following values:
# default: Saves RDB snapshot only if save points are configured.
# Waits for lagging replicas to catch up.
# save: Forces a DB saving operation even if no save points are configured.
# nosave: Prevents DB saving operation even if one or more save points are configured.
# now: Skips waiting for lagging replicas.
# force: Ignores any errors that would normally prevent the server from exiting.
#
# Any combination of values is allowed as long as "save" and "nosave" are not set simultaneously.
# Example: "nosave force now"
#
# shutdown-on-sigint default
# shutdown-on-sigterm default
################ NON-DETERMINISTIC LONG BLOCKING COMMANDS #####################
# Maximum time in milliseconds for EVAL scripts, functions and in some cases
# modules' commands before Redis can start processing or rejecting other clients.
#
# If the maximum execution time is reached Redis will start to reply to most
# commands with a BUSY error.
#
# In this state Redis will only allow a handful of commands to be executed.
# For instance, SCRIPT KILL, FUNCTION KILL, SHUTDOWN NOSAVE and possibly some
# module specific 'allow-busy' commands.
#
# SCRIPT KILL and FUNCTION KILL will only be able to stop a script that did not
# yet call any write commands, so SHUTDOWN NOSAVE may be the only way to stop
# the server in the case a write command was already issued by the script when
# the user doesn't want to wait for the natural termination of the script.
#
# The default is 5 seconds. It is possible to set it to 0 or a negative value
# to disable this mechanism (uninterrupted execution). Note that in the past
# this config had a different name, which is now an alias, so both of these do
# the same:
# lua-time-limit 5000
# busy-reply-threshold 5000
################################ REDIS CLUSTER ###############################
@ -1452,6 +1635,11 @@ lua-time-limit 5000
#
# cluster-node-timeout 15000
# The cluster port is the port that the cluster bus will listen for inbound connections on. When set
# to the default value, 0, it will be bound to the command port + 10000. Setting this value requires
# you to specify the cluster bus port when executing cluster meet.
# cluster-port 0
# A replica of a failing master will avoid to start a failover if its data
# looks too old.
#
@ -1549,21 +1737,67 @@ lua-time-limit 5000
# cluster-replica-no-failover no
# This option, when set to yes, allows nodes to serve read traffic while the
# the cluster is in a down state, as long as it believes it owns the slots.
# cluster is in a down state, as long as it believes it owns the slots.
#
# This is useful for two cases. The first case is for when an application
# This is useful for two cases. The first case is for when an application
# doesn't require consistency of data during node failures or network partitions.
# One example of this is a cache, where as long as the node has the data it
# should be able to serve it.
# should be able to serve it.
#
# The second use case is for configurations that don't meet the recommended
# three shards but want to enable cluster mode and scale later. A
# The second use case is for configurations that don't meet the recommended
# three shards but want to enable cluster mode and scale later. A
# master outage in a 1 or 2 shard configuration causes a read/write outage to the
# entire cluster without this option set, with it set there is only a write outage.
# Without a quorum of masters, slot ownership will not change automatically.
# Without a quorum of masters, slot ownership will not change automatically.
#
# cluster-allow-reads-when-down no
# This option, when set to yes, allows nodes to serve pubsub shard traffic while
# the cluster is in a down state, as long as it believes it owns the slots.
#
# This is useful if the application would like to use the pubsub feature even when
# the cluster global stable state is not OK. If the application wants to make sure only
# one shard is serving a given channel, this feature should be kept as yes.
#
# cluster-allow-pubsubshard-when-down yes
# Cluster link send buffer limit is the limit on the memory usage of an individual
# cluster bus link's send buffer in bytes. Cluster links would be freed if they exceed
# this limit. This is to primarily prevent send buffers from growing unbounded on links
# toward slow peers (E.g. PubSub messages being piled up).
# This limit is disabled by default. Enable this limit when 'mem_cluster_links' INFO field
# and/or 'send-buffer-allocated' entries in the 'CLUSTER LINKS` command output continuously increase.
# Minimum limit of 1gb is recommended so that cluster link buffer can fit in at least a single
# PubSub message by default. (client-query-buffer-limit default value is 1gb)
#
# cluster-link-sendbuf-limit 0
# Clusters can configure their announced hostname using this config. This is a common use case for
# applications that need to use TLS Server Name Indication (SNI) or dealing with DNS based
# routing. By default this value is only shown as additional metadata in the CLUSTER SLOTS
# command, but can be changed using 'cluster-preferred-endpoint-type' config. This value is
# communicated along the clusterbus to all nodes, setting it to an empty string will remove
# the hostname and also propagate the removal.
#
# cluster-announce-hostname ""
# Clusters can advertise how clients should connect to them using either their IP address,
# a user defined hostname, or by declaring they have no endpoint. Which endpoint is
# shown as the preferred endpoint is set by using the cluster-preferred-endpoint-type
# config with values 'ip', 'hostname', or 'unknown-endpoint'. This value controls how
# the endpoint returned for MOVED/ASKING requests as well as the first field of CLUSTER SLOTS.
# If the preferred endpoint type is set to hostname, but no announced hostname is set, a '?'
# will be returned instead.
#
# When a cluster advertises itself as having an unknown endpoint, it's indicating that
# the server doesn't know how clients can reach the cluster. This can happen in certain
# networking situations where there are multiple possible routes to the node, and the
# server doesn't know which one the client took. In this case, the server is expecting
# the client to reach out on the same endpoint it used for making the last request, but use
# the port provided in the response.
#
# cluster-preferred-endpoint-type ip
# In order to setup your cluster make sure to read the documentation
# available at https://redis.io web site.
@ -1651,6 +1885,20 @@ slowlog-max-len 128
# "CONFIG SET latency-monitor-threshold <milliseconds>" if needed.
latency-monitor-threshold 0
################################ LATENCY TRACKING ##############################
# The Redis extended latency monitoring tracks the per command latencies and enables
# exporting the percentile distribution via the INFO latencystats command,
# and cumulative latency distributions (histograms) via the LATENCY command.
#
# By default, the extended latency monitoring is enabled since the overhead
# of keeping track of the command latency is very small.
# latency-tracking yes
# By default the exported latency percentiles via the INFO latencystats command
# are the p50, p99, and p999.
# latency-tracking-info-percentiles 50 99 99.9
############################# EVENT NOTIFICATION ##############################
# Redis can notify Pub/Sub clients about events happening in the key space.
@ -1676,6 +1924,7 @@ latency-monitor-threshold 0
# z Sorted set commands
# x Expired events (events generated every time a key expires)
# e Evicted events (events generated when a key is evicted for maxmemory)
# n New key events (Note: not included in the 'A' class)
# t Stream commands
# d Module key type events
# m Key-miss events (Note: It is not included in the 'A' class)
@ -1702,71 +1951,13 @@ latency-monitor-threshold 0
# specify at least one of K or E, no events will be delivered.
notify-keyspace-events ""
############################### GOPHER SERVER #################################
# Redis contains an implementation of the Gopher protocol, as specified in
# the RFC 1436 (https://www.ietf.org/rfc/rfc1436.txt).
#
# The Gopher protocol was very popular in the late '90s. It is an alternative
# to the web, and the implementation both server and client side is so simple
# that the Redis server has just 100 lines of code in order to implement this
# support.
#
# What do you do with Gopher nowadays? Well Gopher never *really* died, and
# lately there is a movement in order for the Gopher more hierarchical content
# composed of just plain text documents to be resurrected. Some want a simpler
# internet, others believe that the mainstream internet became too much
# controlled, and it's cool to create an alternative space for people that
# want a bit of fresh air.
#
# Anyway for the 10nth birthday of the Redis, we gave it the Gopher protocol
# as a gift.
#
# --- HOW IT WORKS? ---
#
# The Redis Gopher support uses the inline protocol of Redis, and specifically
# two kind of inline requests that were anyway illegal: an empty request
# or any request that starts with "/" (there are no Redis commands starting
# with such a slash). Normal RESP2/RESP3 requests are completely out of the
# path of the Gopher protocol implementation and are served as usual as well.
#
# If you open a connection to Redis when Gopher is enabled and send it
# a string like "/foo", if there is a key named "/foo" it is served via the
# Gopher protocol.
#
# In order to create a real Gopher "hole" (the name of a Gopher site in Gopher
# talking), you likely need a script like the following:
#
# https://github.com/antirez/gopher2redis
#
# --- SECURITY WARNING ---
#
# If you plan to put Redis on the internet in a publicly accessible address
# to server Gopher pages MAKE SURE TO SET A PASSWORD to the instance.
# Once a password is set:
#
# 1. The Gopher server (when enabled, not by default) will still serve
# content via Gopher.
# 2. However other commands cannot be called before the client will
# authenticate.
#
# So use the 'requirepass' option to protect your instance.
#
# Note that Gopher is not currently supported when 'io-threads-do-reads'
# is enabled.
#
# To enable Gopher support, uncomment the following line and set the option
# from no (the default) to yes.
#
# gopher-enabled no
############################### ADVANCED CONFIG ###############################
# Hashes are encoded using a memory efficient data structure when they have a
# small number of entries, and the biggest entry does not exceed a given
# threshold. These thresholds can be configured using the following directives.
hash-max-ziplist-entries 512
hash-max-ziplist-value 64
hash-max-listpack-entries 512
hash-max-listpack-value 64
# Lists are also encoded in a special way to save a lot of space.
# The number of entries allowed per internal list node can be specified
@ -1781,7 +1972,7 @@ hash-max-ziplist-value 64
# per list node.
# The highest performing option is usually -2 (8 Kb size) or -1 (4 Kb size),
# but if your use case is unique, adjust the settings as necessary.
list-max-ziplist-size -2
list-max-listpack-size -2
# Lists may also be compressed.
# Compress depth is the number of quicklist ziplist nodes from *each* side of
@ -1809,8 +2000,8 @@ set-max-intset-entries 512
# Similarly to hashes and lists, sorted sets are also specially encoded in
# order to save a lot of space. This encoding is only used when the length and
# elements of a sorted set are below the following limits:
zset-max-ziplist-entries 128
zset-max-ziplist-value 64
zset-max-listpack-entries 128
zset-max-listpack-value 64
# HyperLogLog sparse representation bytes limit. The limit includes the
# 16 bytes header. When an HyperLogLog using the sparse representation crosses
@ -1865,7 +2056,7 @@ activerehashing yes
# The limit can be set differently for the three different classes of clients:
#
# normal -> normal clients including MONITOR clients
# replica -> replica clients
# replica -> replica clients
# pubsub -> clients subscribed to at least one pubsub channel or pattern
#
# The syntax of every client-output-buffer-limit directive is the following:
@ -1889,6 +2080,13 @@ activerehashing yes
# Instead there is a default limit for pubsub and replica clients, since
# subscribers and replicas receive data in a push fashion.
#
# Note that it doesn't make sense to set the replica clients output buffer
# limit lower than the repl-backlog-size config (partial sync will succeed
# and then replica will get disconnected).
# Such a configuration is ignored (the size of repl-backlog-size will be used).
# This doesn't have memory consumption implications since the replica client
# will share the backlog buffers memory.
#
# Both the hard or the soft limit can be disabled by setting them to zero.
client-output-buffer-limit normal 0 0 0
client-output-buffer-limit replica 256mb 64mb 60
@ -1902,6 +2100,25 @@ client-output-buffer-limit pubsub 32mb 8mb 60
#
# client-query-buffer-limit 1gb
# In some scenarios client connections can hog up memory leading to OOM
# errors or data eviction. To avoid this we can cap the accumulated memory
# used by all client connections (all pubsub and normal clients). Once we
# reach that limit connections will be dropped by the server freeing up
# memory. The server will attempt to drop the connections using the most
# memory first. We call this mechanism "client eviction".
#
# Client eviction is configured using the maxmemory-clients setting as follows:
# 0 - client eviction is disabled (default)
#
# A memory value can be used for the client eviction threshold,
# for example:
# maxmemory-clients 1g
#
# A percentage value (between 1% and 100%) means the client eviction threshold
# is based on a percentage of the maxmemory setting. For example to set client
# eviction at 5% of maxmemory:
# maxmemory-clients 5%
# In the Redis protocol, bulk requests, that are, elements representing single
# strings, are normally limited to 512 mb. However you can change this limit
# here, but must be 1mb or greater
@ -1942,13 +2159,13 @@ hz 10
dynamic-hz yes
# When a child rewrites the AOF file, if the following option is enabled
# the file will be fsync-ed every 32 MB of data generated. This is useful
# the file will be fsync-ed every 4 MB of data generated. This is useful
# in order to commit the file to the disk more incrementally and avoid
# big latency spikes.
aof-rewrite-incremental-fsync yes
# When redis saves RDB file, if the following option is enabled
# the file will be fsync-ed every 32 MB of data generated. This is useful
# the file will be fsync-ed every 4 MB of data generated. This is useful
# in order to commit the file to the disk more incrementally and avoid
# big latency spikes.
rdb-save-incremental-fsync yes
@ -2045,7 +2262,7 @@ rdb-save-incremental-fsync yes
# defragmentation process. If you are not sure about what they mean it is
# a good idea to leave the defaults untouched.
# Enabled active defragmentation
# Active defragmentation is disabled by default
# activedefrag no
# Minimum amount of fragmentation waste to start active defrag

2
seed/redis/templates/redis.yml
View file

@ -1,3 +1,3 @@
address: %%ip_eth0
username: %%normalize_family(%%account.remote)
username: %%account.username
password: %%account.password

6
seed/relay-lmtp-client/README.md
View file

@ -19,9 +19,9 @@ Application service needs interact with a Postfix server with LMTP protocol.
### Général (*general*)
| Description | Type | Supplier |
|---------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|------------|
| **Nom de domaine du serveur LMTP** (*[lmtp_relay_address](dictionaries/30_lmtp.xml)*) | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | LMTP |
| Description | Type | Values | Supplier |
|---------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|--------------|------------|
| **Nom de domaine du serveur LMTP** (*[lmtp_relay_address](dictionaries/30_lmtp.xml)*) | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | <calculated> | LMTP |
- [+]: variable is multiple

2
seed/relay-mail-client/README.md
View file

@ -30,11 +30,11 @@ Client SMTP.
- [odoo](../odoo/README.md)
- [peertube](../peertube/README.md)
- [piwigo](../piwigo/README.md)
- [forgejo](../forgejo/README.md)
- [vaultwarden](../vaultwarden/README.md)
- [relay-lmtp-client](../relay-lmtp-client/README.md)
- [nextcloud](../nextcloud/README.md)
- [lemonldap](../lemonldap/README.md)
- [gitea](../gitea/README.md)
## Linked to

2
seed/reverse-proxy-client/README.md
View file

@ -36,12 +36,12 @@ This a family is a leadership.
- [odoo](../odoo/README.md)
- [mailman](../mailman/README.md)
- [peertube](../peertube/README.md)
- [forgejo](../forgejo/README.md)
- [speedtest-rs](../speedtest-rs/README.md)
- [nginx-https](../nginx-https/README.md)
- [vaultwarden](../vaultwarden/README.md)
- [apache](../apache/README.md)
- [lemonldap](../lemonldap/README.md)
- [gitea](../gitea/README.md)
## Linked to

7
seed/reverse-proxy-client/dictionaries/21_revprox_client.xml
View file

@ -2,9 +2,10 @@
<rougail version="0.10">
<services>
<service name="revprox" manage="False">
<file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_client_ca_file</file>
<file file_type="variable" source="revprox.crt">revprox_client_cert_file</file>
<file file_type="variable" source="revprox.key" owner_type="variable" owner="revprox_client_cert_owner" group_type="variable" group="revprox_client_cert_group" mode="400">revprox_client_key_file</file>
<file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_client_ca_file</file>
<file filelist="copy_tests">/tests/reverse-proxy.yml</file>
</service>
</services>
<variables>
@ -20,8 +21,8 @@
<value>False</value>
</variable>
<variable name="revprox_client_max_body_size" description="Taille maximum du corps" supplier="ReverseProxy:max_body_size"/>
<variable name="revprox_client_local_location" type="filename" description="Nom de l'arborescene racine du site localement" hidden='True'/>
<variable name="revprox_client_web_address" type="web_address" description="Nom de domaine du client du mandataire inverse" hidden='True' supplier="ReverseProxy:url"/>
<variable name="revprox_client_local_location" type="filename" description="Nom de l'arborescene racine du site localement" hidden='True'/>
<variable name="revprox_client_web_address" type="web_address" description="Nom de domaine du client du mandataire inverse" hidden='True' supplier="ReverseProxy:url"/>
</family>
<variable name="revprox_client_port" type="port" description="Port du client du mandataire inverse" hidden='True'>
<value>443</value>

6
seed/reverse-proxy-client/funcs/revprox_client.py
View file

@ -11,4 +11,8 @@ def calc_web_address(domain_name: str, port: str, local_location: str) -> str:
def get_first_value(lst: list):
if lst:
return lst[0]
if isinstance(lst[0], list):
if lst[0] and lst[0][0]:
return lst[0][0]
else:
return lst[0]

30
seed/reverse-proxy-client/tests/revprox.py
View file

@ -1,5 +1,13 @@
from requests import get, post, session
from requests.exceptions import SSLError
from mookdns import MookDns
from os import environ
from os.path import join
from yaml import load, SafeLoader
from glob import glob
VERIFY = True
class Authentication:
@ -30,7 +38,19 @@ class Authentication:
req,
url,
):
ret = req.get(url)
global VERIFY
try:
ret = req.get(url, verify=VERIFY)
except SSLError:
conf_file = f'{environ["MACHINE_TEST_DIR"]}/reverse-proxy.yml'
with open(conf_file) as yaml:
data = load(yaml, Loader=SafeLoader)
path = join(environ["MACHINE_TEST_DIR"], data["ca_certificate"])
cert = glob(path)
if len(cert) != 1:
raise Exception(f'{path} should find one and one certificate but found: {cert}')
VERIFY=cert[0]
ret = req.get(url, verify=VERIFY)
code = ret.status_code
content = ret.content
assert code == 200, f"cannot access to lemonldap; {content}"
@ -51,7 +71,7 @@ class Authentication:
"Accept": "application/json",
}
portal_url = f'https://{portal_server}/oauth2/'
ret = req.post(portal_url, data=json, headers=headers)
ret = req.post(portal_url, data=json, headers=headers, verify=VERIFY)
json = ret.json()
assert json['error']
assert json['result'] == 1
@ -60,7 +80,7 @@ class Authentication:
# curl -X POST -d user=dwho -d password=dwho -H 'Accept: application/json' 'https://oidctest.wsweet.org/oauth2/'
# curl -s -D - -o /dev/null -b lemonldap=0640f95827111f00ba7ad5863ba819fe46cfbcecdb18ce525836369fb4c8350b 'https://oidctest.wsweet.org/oauth2/authorize?response_type=code&client_id=private&scope=openid+profile+email&redirect_uri=http://localhost' | grep '^location'
authorize_url = f'{portal_url}authorize'
ret = req.get(authorize_url)
ret = req.get(authorize_url, verify=VERIFY)
assert ret.status_code == 200
content = ret.content.decode()
assert title in content, f'cannot find {title} in {content}'
@ -70,7 +90,7 @@ class Authentication:
json=False,
):
with MookDns(self.ip):
ret = get(url, cookies=self.cookies)
ret = get(url, cookies=self.cookies, verify=VERIFY)
assert ret.status_code == 200, f'return code is {ret.status_code}'
if json:
return ret.json()
@ -82,5 +102,5 @@ class Authentication:
headers=None,
):
with MookDns(self.ip):
ret = post(url, cookies=self.cookies, data=data, headers=headers)
ret = post(url, cookies=self.cookies, data=data, headers=headers, verify=VERIFY)
assert ret.status_code == 200, f'return code is {ret.status_code}'

8
seed/roundcube/README.md
View file

@ -60,10 +60,10 @@ This a family is a leadership.
##### external (*general.oauth2_client.external*)
| Description |
|---------------------------------------------------------------|
| *[oauth2_client_external](dictionaries/31_roundcube.xml)* [+] |
| *[oauth2_client_family](dictionaries/31_roundcube.xml)* [+] |
| Description | Values |
|---------------------------------------------------------------|--------------|
| *[oauth2_client_external](dictionaries/31_roundcube.xml)* [+] | |
| *[oauth2_client_family](dictionaries/31_roundcube.xml)* [+] | <calculated> |
#### nginx (*general.nginx*)

1
seed/systemd/templates/network
View file

@ -1,3 +1,4 @@
#RISOTTO: do not compare
%set %%intnb = %%rougail_index
[Match]
%if %%netwokd_interface_name_type == 'host'

2
seed/systemd/templates/systemd-firstboot.service
View file

@ -1,4 +1,4 @@
[Service]
ExecStart=
ExecStart=/usr/bin/systemd-firstboot --root-password-file=/usr/local/lib/secrets/root.pwd
ExecStart=/usr/bin/systemd-firstboot --root-password-file=/usr/local/lib/secrets/root.pwd --locale=fr_FR.UTF-8
ExecStart=/usr/bin/systemd-firstboot --copy

6
seed/unbound/README.md
View file

@ -15,13 +15,13 @@ Unbound, a validating, recursive, caching DNS resolver.
## Dependances
- [base-fedora-36](../base-fedora-36/README.md)
- [dns-external](../dns-external/README.md)
- [base-fedora-37](../base-fedora-37/README.md)
- [base-fedora](../base-fedora/README.md)
- [systemd](../systemd/README.md)
- [base-machine](../base-machine/README.md)
- [base](../base/README.md)
- [dns-local](../dns-local/README.md)
- [dns-external](../dns-external/README.md)
## Variables
@ -31,7 +31,7 @@ Unbound, a validating, recursive, caching DNS resolver.
| Description | Values |
|---------------------------------------------------------|----------------|
| *[ip_dns](dictionaries/20_unbound.xml)* | |
| *[ip_dns](dictionaries/20_unbound.xml)* | <calculated> |
| *[**outgoing_ports**](dictionaries/20_unbound.xml)* [+] | udp:53<br />53 |
#### Résolveur DNS (*general.dns_resolver*)

2
seed/unbound/applicationservice.yml
View file

@ -3,5 +3,5 @@ description: Unbound, a validating, recursive, caching DNS resolver
website: https://www.nlnetlabs.nl/projects/unbound/about/
service: true
depends:
- base-fedora-36
- dns-external
- base-fedora-37

1
seed/unbound/templates/risotto.conf
View file

@ -1,3 +1,4 @@
#RISOTTO: do not compare
server:
%for %%interface in %%range(%%len(%%zones_list))
interface: %%getVar('ip_eth' + %%str(%%interface))

48
seed/unbound/templates/unbound.conf
View file

@ -185,6 +185,10 @@ server:
# perform connect for UDP sockets to mitigate ICMP side channel.
# udp-connect: yes
# The number of retries, per upstream nameserver in a delegation, when
# a throwaway response (also timeouts) is received.
# outbound-msg-retry: 5
# msec for waiting for an unknown server to reply. Increase if you
# are behind a slow satellite link, to eg. 1128.
# unknown-server-time-limit: 376
@ -216,6 +220,9 @@ server:
# minimum wait time for responses, increase if uplink is long. In msec.
# infra-cache-min-rtt: 50
# maximum wait time for responses. In msec.
# infra-cache-max-rtt: 120000
# enable to make server probe down hosts more frequently.
# infra-keep-probing: no
@ -393,9 +400,6 @@ server:
# enable to not answer version.server and version.bind queries.
# hide-version: no
# enable to not set the User-Agent HTTP header.
# hide-http-user-agent: no
# enable to not answer trustanchor.unbound queries.
# hide-trustanchor: no
@ -704,6 +708,7 @@ server:
# local-zone: "localhost." nodefault
# local-zone: "127.in-addr.arpa." nodefault
# local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
# local-zone: "home.arpa." nodefault
# local-zone: "onion." nodefault
# local-zone: "test." nodefault
# local-zone: "invalid." nodefault
@ -851,6 +856,8 @@ server:
# Add system certs to the cert bundle, from the Windows Cert Store
# tls-win-cert: no
# and on other systems, the default openssl certificates
# tls-system-cert: no
# Pad queries over TLS upstreams
# pad-queries: yes
@ -900,6 +907,10 @@ server:
# 0 blocks when ratelimited, otherwise let 1/xth traffic through
# ratelimit-factor: 10
# Aggressive rate limit when the limit is reached and until demand has
# decreased in a 2 second rate window.
# ratelimit-backoff: no
# override the ratelimit for a specific domain name.
# give this setting multiple times to have multiple overrides.
# ratelimit-for-domain: example.com 1000
@ -920,6 +931,10 @@ server:
# 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through
# ip-ratelimit-factor: 10
# Aggressive rate limit when the limit is reached and until demand has
# decreased in a 2 second rate window.
# ip-ratelimit-backoff: no
# Limit the number of connections simultaneous from a netblock
# tcp-connection-limit: 192.0.2.0/24 12
@ -929,6 +944,14 @@ server:
# the number of servers that will be used in the fast server selection.
# fast-server-num: 3
# Enable to attach Extended DNS Error codes (RFC8914) to responses.
ede: yes
# Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale
# Answer as EDNS0 option to expired responses.
# Note that the ede option above needs to be enabled for this to work.
ede-serve-expired: yes
# Specific options for ipsecmod. Unbound needs to be configured with
# --enable-ipsecmod for these to take effect.
#
@ -1040,6 +1063,7 @@ include: /etc/unbound/conf.d/*.conf
# stub-addr: 192.0.2.68
# stub-prime: no
# stub-first: no
# stub-tcp-upstream: no
# stub-tls-upstream: no
# stub-no-cache: no
# stub-zone:
@ -1061,6 +1085,7 @@ include: /etc/unbound/conf.d/*.conf
# forward-addr: 192.0.2.68
# forward-addr: 192.0.2.73@5355 # forward to port 5355.
# forward-first: no
# forward-tcp-upstream: no
# forward-tls-upstream: no
# forward-no-cache: no
# forward-zone:
@ -1131,6 +1156,7 @@ auth-zone:
# another crypto library
#
# DNSCrypt
# o enable, use --enable-dnscrypt to configure before compiling.
# Caveats:
# 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper
# for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
@ -1151,7 +1177,9 @@ auth-zone:
# dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert
# CacheDB
# Enable external backend DB as auxiliary cache. Specify the backend name
# External backend DB as auxiliary cache.
# To enable, use --enable-cachedb to configure before compiling.
# Specify the backend name
# (default is "testframe", which has no use other than for debugging and
# testing) and backend-specific options. The 'cachedb' module must be
# included in module-config, just before the iterator module.
@ -1161,6 +1189,7 @@ auth-zone:
# secret-seed: "default"
#
# # For "redis" backend:
# # (to enable, use --with-libhiredis to configure before compiling)
# # redis server's IP address or host name
# redis-server-host: 127.0.0.1
# # redis server's TCP port
@ -1172,7 +1201,9 @@ auth-zone:
# IPSet
# Add specify domain into set via ipset.
# Note: To enable ipset Unbound needs to run as root user.
# To enable:
# o use --enable-ipset to configure before compiling;
# o Unbound then needs to run as root user.
# ipset:
# # set name for ip v4 addresses
# name-v4: "list-v4"
@ -1180,9 +1211,10 @@ auth-zone:
# name-v6: "list-v6"
#
# Dnstap logging support, if compiled in. To enable, set the dnstap-enable
# to yes and also some of dnstap-log-..-messages to yes. And select an
# upstream log destination, by socket path, TCP or TLS destination.
# Dnstap logging support, if compiled in by using --enable-dnstap to configure.
# To enable, set the dnstap-enable to yes and also some of
# dnstap-log-..-messages to yes. And select an upstream log destination, by
# socket path, TCP or TLS destination.
# dnstap:
# dnstap-enable: no
# # if set to yes frame streams will be used in bidirectional mode

2
seed/vaultwarden/dictionaries/40_vaultwarden.xml
View file

@ -5,7 +5,7 @@
<override/>
<file engine="none" source="tmpfile-vaultwarden.conf">/tmpfiles.d/0vaultwarden.conf</file>
<file source="vaultwarden_config.env">/etc/vaultwarden/config.env</file>
<file>/tests/vaultwarden.yml</file>
<file filelist="copy_tests">/tests/vaultwarden.yml</file>
</service>
</services>
<variables>

2
seed/znc/templates/sysuser-znc.conf
View file

@ -1,3 +1,3 @@
g znc 998 -
u znc 998:1000 "Account for ZNC to run as" /var/lib/znc /sbin/nologin
u znc 998:998 "Account for ZNC to run as" /var/lib/znc /sbin/nologin
m znc ssl-cert