forked from stove/dataset
smtp and postgresql tls path
This commit is contained in:
Emmanuel Garette
parent
d06e4bc9ee
commit
e5f53eda0d
15 changed files with 48 additions and 28 deletions
|
|
@ -16,7 +16,8 @@
|
||||||
<file>/tests/mailman.yml</file>
|
<file>/tests/mailman.yml</file>
|
||||||
</service>
|
</service>
|
||||||
<service name="postgresqlclient" target="multi-user" engine="creole">
|
<service name="postgresqlclient" target="multi-user" engine="creole">
|
||||||
<file owner="postorius" mode="400">/etc/pki/tls/private/postgresql_postorius.key</file>
|
<!-- mailman and postorius have differents username -->
|
||||||
|
<file owner="postorius" mode="400" source="postgresql.key">/etc/pki/tls/private/postgresql_postorius.key</file>
|
||||||
</service>
|
</service>
|
||||||
</services>
|
</services>
|
||||||
<variables>
|
<variables>
|
||||||
|
|
|
||||||
|
|
@ -24,7 +24,7 @@ layout: fhs
|
||||||
#>GNUNUX
|
#>GNUNUX
|
||||||
[database]
|
[database]
|
||||||
class: mailman.database.postgresql.PostgreSQLDatabase
|
class: mailman.database.postgresql.PostgreSQLDatabase
|
||||||
url: postgresql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database?sslmode=verify-full&sslcert=/etc/pki/tls/certs/postgresql.crt&sslkey=/etc/pki/tls/private/postgresql.key&sslrootcert=/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt
|
url: postgresql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database?sslmode=verify-full&sslcert=%%pg_client_crt_file&sslkey=%%pg_client_key_file&sslrootcert=%%pg_client_ca_file
|
||||||
|
|
||||||
[mta]
|
[mta]
|
||||||
lmtp_host: %%ip_eth0
|
lmtp_host: %%ip_eth0
|
||||||
|
|
|
||||||
|
|
@ -1 +0,0 @@
|
||||||
%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%pg_client_server_domainname, authority_name='PostgreSQL', type="client", hide=%%hide_secret)
|
|
||||||
|
|
@ -10,7 +10,7 @@ DATABASES = {
|
||||||
'HOST': '%%pg_client_server_domainname', # Database server
|
'HOST': '%%pg_client_server_domainname', # Database server
|
||||||
'PORT': '', # Database port (leave blank for default)
|
'PORT': '', # Database port (leave blank for default)
|
||||||
'CONN_MAX_AGE': 300, # Max database connection age
|
'CONN_MAX_AGE': 300, # Max database connection age
|
||||||
'OPTIONS': {'sslmode': 'verify-full', 'sslcert': '/etc/pki/tls/certs/postgresql.crt', 'sslkey': '/etc/pki/tls/private/postgresql_postorius.key', 'sslrootcert': '/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt'},
|
'OPTIONS': {'sslmode': 'verify-full', 'sslcert': '%%pg_client_crt_file', 'sslkey': '/etc/pki/tls/private/postgresql_postorius.key', 'sslrootcert': '%%pg_client_ca_file'},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
ALLOWED_HOSTS = ['%%{revprox_client_external_domainnames[0]}']
|
ALLOWED_HOSTS = ['%%{revprox_client_external_domainnames[0]}']
|
||||||
|
|
|
||||||
|
|
@ -40,9 +40,9 @@ $CONFIG = array (
|
||||||
'dbdriveroptions' =>
|
'dbdriveroptions' =>
|
||||||
array (
|
array (
|
||||||
'sslmode' => 'verify-full',
|
'sslmode' => 'verify-full',
|
||||||
'sslcert' => '/etc/pki/tls/certs/postgresql.crt',
|
'sslcert' => '%%pg_client_crt_file',
|
||||||
'sslkey' => '/etc/pki/tls/private/postgresql.key',
|
'sslkey' => '%%pg_client_key_file',
|
||||||
'sslrootcert' => '/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt',
|
'sslrootcert' => '%%pg_client_ca_file',
|
||||||
),
|
),
|
||||||
'passwordsalt' => '{{SALT}}',
|
'passwordsalt' => '{{SALT}}',
|
||||||
'secret' => '{{SECRET}}',
|
'secret' => '{{SECRET}}',
|
||||||
|
|
|
||||||
|
|
@ -2,9 +2,9 @@
|
||||||
After=risotto.target
|
After=risotto.target
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Environment="PGSSLROOTCERT=/etc/pki/tls/certs/postgresql.crt"
|
Environment="PGSSLROOTCERT=%%pg_client_crt_file"
|
||||||
Environment="PGSSLCERT=/etc/pki/tls/certs/postgresql.crt"
|
Environment="PGSSLCERT=%%pg_client_crt_file"
|
||||||
Environment="PGSSLKEY=/etc/pki/tls/private/postgresql.key"
|
Environment="PGSSLKEY=%%pg_client_key_file"
|
||||||
Environment="PGPASSFILE=/etc/odoo/postgresql.pass"
|
Environment="PGPASSFILE=/etc/odoo/postgresql.pass"
|
||||||
|
|
||||||
#if database not imported, imported it active addons
|
#if database not imported, imported it active addons
|
||||||
|
|
|
||||||
|
|
@ -1,2 +1,3 @@
|
||||||
g odoo 1000 -
|
g odoo 1000 -
|
||||||
u odoo 998:1000 "ODOO" /srv/odoo /bin/bash
|
u odoo 998:1000 "ODOO" /srv/odoo /bin/bash
|
||||||
|
m odoo ssl-cert
|
||||||
|
|
|
||||||
|
|
@ -1 +1,2 @@
|
||||||
d /srv/odoo 750 odoo odoo - -
|
d /srv/odoo 750 odoo odoo - -
|
||||||
|
d /etc/ssl/private 750 root ssl-cert - -
|
||||||
|
|
|
||||||
|
|
@ -72,7 +72,7 @@ smtp:
|
||||||
password: '%%smtp_relay_password'
|
password: '%%smtp_relay_password'
|
||||||
tls: false # If you use StartTLS: false
|
tls: false # If you use StartTLS: false
|
||||||
disable_starttls: false
|
disable_starttls: false
|
||||||
ca_file: '/etc/pki/ca-trust/source/anchors/ca_MailRelay.crt' # Used for self signed certificates
|
ca_file: '%%smtp_ca_file' # Used for self signed certificates
|
||||||
from_address: '%%peertube_admin_email'
|
from_address: '%%peertube_admin_email'
|
||||||
|
|
||||||
email:
|
email:
|
||||||
|
|
|
||||||
|
|
@ -68,7 +68,7 @@ smtp:
|
||||||
password: '%%smtp_relay_password'
|
password: '%%smtp_relay_password'
|
||||||
tls: false # If you use StartTLS: false
|
tls: false # If you use StartTLS: false
|
||||||
disable_starttls: false
|
disable_starttls: false
|
||||||
ca_file: '/etc/pki/ca-trust/source/anchors/ca_MailRelay.crt' # Used for self signed certificates
|
ca_file: '%%smtp_ca_file' # Used for self signed certificates
|
||||||
from_address: '%%peertube_admin_email'
|
from_address: '%%peertube_admin_email'
|
||||||
|
|
||||||
email:
|
email:
|
||||||
|
|
|
||||||
|
|
@ -3,9 +3,9 @@
|
||||||
<services>
|
<services>
|
||||||
<service name="postgresqlclient" target="risotto" engine="creole">
|
<service name="postgresqlclient" target="risotto" engine="creole">
|
||||||
<file mode="400">/secrets/postgresql.pass</file>
|
<file mode="400">/secrets/postgresql.pass</file>
|
||||||
<file>/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt</file>
|
<file file_type="variable" source="ca_PostgreSQL.crt">pg_client_ca_file</file>
|
||||||
<file>/etc/pki/tls/certs/postgresql.crt</file>
|
<file file_type="variable" owner_type="variable" owner="pg_client_key_owner" mode="444" source="postgresql.crt">pg_client_crt_file</file>
|
||||||
<file owner_type="variable" owner="pg_client_key_owner" mode="400">/etc/pki/tls/private/postgresql.key</file>
|
<file file_type="variable" owner_type="variable" owner="pg_client_key_owner" mode="400" source="postgresql.key">pg_client_key_file</file>
|
||||||
<file filelist="postgresql_debian" engine="none" source="sysuser-postgresql-client.conf">/sysusers.d/0postgresqlclient.conf</file>
|
<file filelist="postgresql_debian" engine="none" source="sysuser-postgresql-client.conf">/sysusers.d/0postgresqlclient.conf</file>
|
||||||
</service>
|
</service>
|
||||||
</services>
|
</services>
|
||||||
|
|
@ -18,6 +18,9 @@
|
||||||
<variable name="pg_client_key_owner" type="unix_user" description="Key owner" mandatory="True">
|
<variable name="pg_client_key_owner" type="unix_user" description="Key owner" mandatory="True">
|
||||||
<value>apache</value>
|
<value>apache</value>
|
||||||
</variable>
|
</variable>
|
||||||
|
<variable name="pg_client_ca_file" type="filename" description="Postgresql CA filename" hidden="True"/>
|
||||||
|
<variable name="pg_client_crt_file" type="filename" description="Postgresql cert filename" hidden="True"/>
|
||||||
|
<variable name="pg_client_key_file" type="filename" description="Postgresql key filename" hidden="True"/>
|
||||||
</family>
|
</family>
|
||||||
</variables>
|
</variables>
|
||||||
<constraints>
|
<constraints>
|
||||||
|
|
@ -42,6 +45,24 @@
|
||||||
<param type="variable">pg_client_username</param>
|
<param type="variable">pg_client_username</param>
|
||||||
<target>pg_client_database</target>
|
<target>pg_client_database</target>
|
||||||
</fill>
|
</fill>
|
||||||
|
<fill name="calc_value">
|
||||||
|
<param type="variable">tls_ca_directory</param>
|
||||||
|
<param>ca_PostgreSQL.crt</param>
|
||||||
|
<param name="join">/</param>
|
||||||
|
<target>pg_client_ca_file</target>
|
||||||
|
</fill>
|
||||||
|
<fill name="calc_value">
|
||||||
|
<param type="variable">tls_cert_directory</param>
|
||||||
|
<param>postgresql.crt</param>
|
||||||
|
<param name="join">/</param>
|
||||||
|
<target>pg_client_crt_file</target>
|
||||||
|
</fill>
|
||||||
|
<fill name="calc_value">
|
||||||
|
<param type="variable">tls_key_directory</param>
|
||||||
|
<param>postgresql.key</param>
|
||||||
|
<param name="join">/</param>
|
||||||
|
<target>pg_client_key_file</target>
|
||||||
|
</fill>
|
||||||
<condition name="disabled_if_not_in" source="os_name">
|
<condition name="disabled_if_not_in" source="os_name">
|
||||||
<param>Debian</param>
|
<param>Debian</param>
|
||||||
<target type="filelist">postgresql_debian</target>
|
<target type="filelist">postgresql_debian</target>
|
||||||
|
|
|
||||||
|
|
@ -2,7 +2,7 @@
|
||||||
<rougail version="0.10">
|
<rougail version="0.10">
|
||||||
<services>
|
<services>
|
||||||
<service name="smtp" manage="False">
|
<service name="smtp" manage="False">
|
||||||
<file>/etc/pki/ca-trust/source/anchors/ca_MailRelay.crt</file>
|
<file file_type="variable" source="ca_MailRelay.crt">smtp_ca_file</file>
|
||||||
</service>
|
</service>
|
||||||
</services>
|
</services>
|
||||||
<variables>
|
<variables>
|
||||||
|
|
@ -10,6 +10,7 @@
|
||||||
<variable name="smtp_relay_address" type="domainname" description="Nom de domaine du serveur SMTP" mandatory="True" supplier="SMTP"/>
|
<variable name="smtp_relay_address" type="domainname" description="Nom de domaine du serveur SMTP" mandatory="True" supplier="SMTP"/>
|
||||||
<variable name="smtp_relay_user" type="unix_user" description="Relay username" mandatory="True" hidden="True"/>
|
<variable name="smtp_relay_user" type="unix_user" description="Relay username" mandatory="True" hidden="True"/>
|
||||||
<variable name="smtp_relay_password" type="secret" description="Relay password" mandatory="True" hidden="True" supplier="SMTP:password"/>
|
<variable name="smtp_relay_password" type="secret" description="Relay password" mandatory="True" hidden="True" supplier="SMTP:password"/>
|
||||||
|
<variable name="smtp_ca_file" type="filename" description="SMTP CA filename" hidden="True"/>
|
||||||
</family>
|
</family>
|
||||||
</variables>
|
</variables>
|
||||||
<constraints>
|
<constraints>
|
||||||
|
|
@ -25,5 +26,11 @@
|
||||||
<param name="hide" type="variable">hide_secret</param>
|
<param name="hide" type="variable">hide_secret</param>
|
||||||
<target>smtp_relay_password</target>
|
<target>smtp_relay_password</target>
|
||||||
</fill>
|
</fill>
|
||||||
|
<fill name="calc_value">
|
||||||
|
<param type="variable">tls_ca_directory</param>
|
||||||
|
<param>ca_MailRelay.crt</param>
|
||||||
|
<param name="join">/</param>
|
||||||
|
<target>smtp_ca_file</target>
|
||||||
|
</fill>
|
||||||
</constraints>
|
</constraints>
|
||||||
</rougail>
|
</rougail>
|
||||||
|
|
|
||||||
|
|
@ -31,7 +31,7 @@ $config = [];
|
||||||
// e.g. 'mysql://roundcube:@localhost/roundcubemail?verify_server_cert=false'
|
// e.g. 'mysql://roundcube:@localhost/roundcubemail?verify_server_cert=false'
|
||||||
// GNUNUX $config['db_dsnw'] = 'mysql://roundcube:@localhost/roundcubemail';
|
// GNUNUX $config['db_dsnw'] = 'mysql://roundcube:@localhost/roundcubemail';
|
||||||
//>GNUNUX
|
//>GNUNUX
|
||||||
$config['db_dsnw'] = 'pgsql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database?sslmode=verify-full&sslcert=/etc/pki/tls/certs/postgresql.crt&sslkey=/etc/pki/tls/private/postgresql.key&sslrootcert=/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt';
|
$config['db_dsnw'] = 'pgsql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database?sslmode=verify-full&sslcert=%%pg_client_crt_file&sslkey=%%pg_client_key_file&sslrootcert=%%pg_client_ca_file';
|
||||||
//<GNUNUX
|
//<GNUNUX
|
||||||
|
|
||||||
// Database DSN for read-only operations (if empty write database will be used)
|
// Database DSN for read-only operations (if empty write database will be used)
|
||||||
|
|
|
||||||
|
|
@ -1,12 +1,2 @@
|
||||||
[Unit]
|
[Unit]
|
||||||
After=risotto.target
|
After=risotto.target
|
||||||
|
|
||||||
[Service]
|
|
||||||
PrivateDevices=false
|
|
||||||
ProtectHome=false
|
|
||||||
ProtectSystem=false
|
|
||||||
LimitNOFILE=
|
|
||||||
LimitNPROC=
|
|
||||||
WorkingDirectory=/srv/vaultwarden
|
|
||||||
ReadWriteDirectories=
|
|
||||||
ReadWriteDirectories=
|
|
||||||
|
|
|
||||||
|
|
@ -20,7 +20,7 @@ DATA_FOLDER=/srv/vaultwarden
|
||||||
## - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
|
## - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
|
||||||
# DATABASE_URL=postgresql://user:password@host[:port]/database_name
|
# DATABASE_URL=postgresql://user:password@host[:port]/database_name
|
||||||
#>GNUNUX
|
#>GNUNUX
|
||||||
DATABASE_URL=postgresql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database?sslmode=verify-full&sslcert=/etc/pki/tls/certs/postgresql.crt&sslkey=/etc/pki/tls/private/postgresql.key&sslrootcert=/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt
|
DATABASE_URL=postgresql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database?sslmode=verify-full&sslcert=%%pg_client_crt_file&sslkey=%%pg_client_key_file&sslrootcert=%%pg_client_ca_file
|
||||||
#<GNUNUX
|
#<GNUNUX
|
||||||
|
|
||||||
## Database max connections
|
## Database max connections
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue