gnunux/dataset
1
0
Fork 0
forked from stove/dataset
Code Issues Pull requests Projects Releases Wiki Activity

Compare commits

base: gnunux:main
Branches Tags
gnunux:main
gnunux:develop
stove:main
..
compare: gnunux:f979aa993d21ac19f8ac006738d8e12632a74b97
Branches Tags
gnunux:main
gnunux:develop
stove:main

No commits in common. "main" and "f979aa993d21ac19f8ac006738d8e12632a74b97" have entirely different histories.
main ... f979aa993d

946 changed files with 6602 additions and 26778 deletions
Show stats Expand all files Collapse all files

1
README.md
View file

@ -1,3 +1,2 @@
# dataset
[This dataset application services](seed/README.md)

103
doc/certificates.md
View file

@ -1,73 +1,68 @@
# Généré des certificats via la PKI interne de mini_risotto
## Génération du certificate sur le serveur
## Génération des certificates sur le serveur
### Sous Fedora
Création la variable contenant la chain :
```
<file>/etc/pki/ca-trust/source/anchors/ca_<AUTHORITY_NAME>.crt</file>
<file>/etc/pki/tls/certs/<SERVICE>.crt</file>
<file owner="root" group="<SERVICE>" mode="440">/etc/pki/tls/private/<SERVICE>.key</file>
```
### Les templates
Dans le template ca_<AUTHORITY_NAME>.crt :
```
%%get_chain(authority_cn=%%domain_name_eth0, authority_name="<AUTHORITY_NAME>")
```
Dans le template <SERVICE>.crt :
```
%%get_certificate(%%domain_name_eth0, '<AUTHORITY_NAME>')
```
Dans le template <SERVICE>.key :
```
%%get_private_key(%%domain_name_eth0, '<AUTHORITY_NAME>')
```
## Génération du certificat client
### Sous Fedora
```
<services>
<service name="<SERVICE>client" manage="False">
<file>/etc/pki/ca-trust/source/anchors/ca_<AUTHORITY_NAME>.crt</file>
<file>/etc/pki/tls/certs/<SERVICE>.crt</file>
<file owner_type="variable" owner="<VARIABLE_NAME>" mode="400">/etc/pki/tls/private/<SERVICE>.key</file>
</service>
</services>
```
### La variable
```
<variable name="<VARIABLE_NAME>" type="unix_user" description="Key owner" mandatory="True">
<value>DEFAULT_VALUE</value>
<variables>
<variable name='service_ca_chain' description="CA certificate" hidden='True'/>
</variable>
```
### Les templates
Dans le template ca_<AUTHORITY_NAME>.crt :
Création d'une autorité avec le nom "AuthorityName" (le nom est un terme en CamelCase) :
```
%%get_chain(authority_cn=<SERVER_DOMAINNAME>, authority_name="<AUTHORITY_NAME>")
<fill name="get_chain">
<param name="cn" type="information">server_name</param>
<param name="authority_cn" type="information">server_name</param>
<param name="authority_name">AuthorityName</param>
<target>service_chain</target>
</fill>
```
Dans le template <SERVICE>.crt :
La création du fichier de CA est simple, il suffit d'utiliser la variable "service_ca_chain".
Puis il faut créer le certificat avec un template qui contient :
```
%%get_certificate(cn=%%domain_name_eth0, authority_cn=<SERVER_DOMAINNAME>, authority_name='<AUTHORITY_NAME>', type="client")
%%get_certificate(%%domain_name_eth0, authority_name="AuthorityName")
```
Dans le template <SERVICE>.key :
Si l'autorité n'est pas gérer par le serveur courant, il faut précicer le nom du serveur responsable de l'autorité :
```
%%get_private_key(cn=%%domain_name_eth0, authority_cn=<SERVER_DOMAINNAME>, authority_name='<AUTHORITY_NAME>', type="client")
%%get_certificate(%%domain_name_eth0, authority_cn=%%server, authority_name="AuthorityName")
```
Enfin, le certificat peut avoir plusieurs nom de domaine, dans ce cas on peut le gérer par exemple en faisant :
```
%set %%extra_domainnames = []
%for %%idx in %%range(1, %%number_of_interfaces)
%%extra_domainnames.append(%%getVar('domain_name_eth' + %%str(%%idx)))
%end for
%%get_certificate(%%domain_name_eth0, 'LDAP', extra_domainnames=%%extra_domainnames)
```
Enfin on peut récupérer la clef privée (attention APRÉS avoir récupérer le certificat) :
```
%get_private_key(%%domain_name_eth0, %%server)
```
Comme le certificat, l'autorité peut ne pas être de la responsabilité du serveur courant :
```
%get_private_key(%%domain_name_eth0, authority_cn=%%server, authority_name="ReverseProxy")
```
## PKI sous Fedora
Création des fichiers pour l'autorité "AuthorityName" pour le service "service" :
```
<file>/etc/pki/ca-trust/source/anchors/ca_AuthorityName.crt</file>
<file>/etc/pki/tls/certs/service.crt</file>
<file owner="root" group="root" mode="400">/etc/pki/tls/private/service.key</file>
```

182
doc/link.md
View file

@ -1,13 +1,177 @@
CAS 1 (Redis et RedisClient) :
# Configuration liée
application service "serveur" :
Une configuration liée est un ensemble d'élément partagé entre deux serveurs différents.
provider="xxx" : variable multiple qui récupère tous les noms de domaine des suppliers
provider="xxx:yyy" : variable dans une famille dynamique qui récupère les infos de yyy
supplier="xxx:zzz" : variable dans la famille dynamique qui transmet l'info de zzz (généralement par un calcul)
## Lier un client à un serveur
application service "client" :
```
<check name="set_linked">
<param name="linked_provider">clients</param>
<param name="linked_value" type="variable">service_variable</param>
<target>service_variable_2</target>
</check>
```
supplier="xxx" : variable qui récupère le nom de domaine du provider
supplier="xxx:yyy" : variable qui transmet les infos de yyy (généralement par un calcul)
provider="xxx:zzz" : variable récupère les infos de zzz
## Lier un client à un serveur avec un nom d'utilisateur issu du nom de domaine
Il faut commencer de créer une variable côté serveur :
```
<variable name="remotes" description="All clients" type="domainname" multi="True" provider="clients"/>
```
Le nom d'utilisateur sera ici le nom de domaine du serveur avec l'application de la fonction 'normalize_family'.
Pour lier deux configurations il faut créer deux variables côté client :
```
<variable name='service_server_address' type='domainname' description="Nom DNS du serveur" mandatory='True'/>
<variable name='service_remote_user' type='string' description="Remote username" mandatory='True' hidden="True"/>
```
Enfin il faut lier les deux configurations :
```
<fill name="set_linked">
<param name="linked_server" type="variable">service_server_address</param>
<param name="linked_provider">clients</param>
<param name="linked_value" type="information">server_name</param>
<target>service_remote_user</target>
</fill>
```
Ainsi, lorsque l'utilisateur renseignera la variable "service_server_address", cette valeur sera ajouter à la variable "remotes" du serveur.
En retour la variable "service_remote_user" aura comme valeur "normalize_family(service_server_address)".
## Lier un client unique à un serveur avec un nom d'utilisateur calculé sur le serveur
Il faut commencer de créer les variables côté serveur :
```
<variables>
<variable name="remote" description="The client" type="domainname" provider="client"/>
<variable name="username" hidden="True" provider="client_name"/>
</variables>
<constraints>
<fill name="gen_user_name">
<target>username</target>
</fill>
</constraints>
```
Côté client :
```
<variable name='service_server_address' type='domainname' description="Nom DNS du serveur" mandatory='True'/>
<variable name='service_remote_user' type='string' description="Remote username" mandatory='True' hidden="True"/>
```
```
<fill name="set_linked">
<param name="linked_server" type="variable">service_server_address</param>
<param name="linked_provider">clients</param>
<param name="linked_value" type="information">server_name</param>
<param name="linked_returns">client_name</param>
<target>service_remote_user</target>
</fill>
```
Ainsi, lorsque l'utilisateur renseignera la variable "service_server_address", cette valeur sera la variable "remote" du serveur.
Un nom d'utilisateur sera alors généré côté serveur, la valeur de ce nom sera retourner au client comme valeur de 'service_remote_user'.
## Lier plusieurs clients à un serveur avec un nom d'utilisateur calculé sur le serveur
Il faut commencer de créer les variables côté serveur :
```
<variables>
<variable name="remotes" description="All clients" type="domainname" multi="True" provider="clients"/>
<family name="remote_" description="Compte pour " dynamic="remotes">
<variable name="username_" hidden="True" provider="client_name"/>
</family>
</variables>
<constraints>
<fill name="gen_user_name">
<target>username_</target>
</fill>
</constraints>
```
Côté client :
```
<variable name='service_server_address' type='domainname' description="Nom DNS du serveur" mandatory='True'/>
<variable name='service_remote_user' type='string' description="Remote username" mandatory='True' hidden="True"/>
```
```
<fill name="set_linked">
<param name="linked_server" type="variable">service_server_address</param>
<param name="linked_provider">clients</param>
<param name="linked_value" type="information">server_name</param>
<param name="linked_returns">client_name</param>
<param name="dynamic" type="information">server_name</param>
<target>service_remote_user</target>
</fill>
```
Ainsi, lorsque l'utilisateur renseignera la variable "service_server_address", cette valeur sera ajouter à la variable "remotes" du serveur.
Un nom d'utilisateur sera alors généré côté serveur, la valeur de ce nom sera retourner au client comme valeur de 'service_remote_user'.
## Caculer une variable d'un client par rapport à la valeur d'un serveur
Il faut commencer de créer une nouvelle variables côté serveur par exemple dans une famille dynamique :
```
<variables>
<family name="remote_" description="Compte pour " dynamic="remotes">
<variable name="password_" description="Password " auto_save="True" hidden="True" type="password" provider="client_password"/>
</family>
</variables>
<constraints>
<fill name="gen_password">
<target>password_</target>
</fill>
</constraints>
```
Côté client on veut récupérer ce mot de passe dans une variable :
```
<variable name='service_remote_user_password' type='password' description="Remote password" mandatory='True' hidden="True"/>
```
Et calculer cette valeur :
```
<fill name="get_linked_configuration">
<param name="linked_server" type="variable">service_server_address</param>
<param name="linked_provider">client_password</param>
<param name="dynamic" type="variable">service_remote_user</param>
<target>service_remote_user_password</target>
</fill>
```
## Propoger la valeur d'une variable d'un client vers un serveur
```
<check name="set_linked_configuration">
<param name="linked_server" type="variable">service_server_address</param>
<param name="linked_provider">client_var</param>
<param name="dynamic" type="variable">service_remote_user</param>
<target>service_variable</target>
</check>
```
## Propoger la valeur d'une variable d'un client vers un variable esclave du serveur
```
<check name="set_linked_configuration">
<param name="linked_server" type="variable">service_server_address</param>
<param name="leader_provider">client_var</param>
<param name="leader_value" type="variable">service_variable</param>
<param name="linked_provider">slave</param>
<param name="dynamic" type="variable">service_server_address</param>
<target>service_variable_2</target>
</check>
```

29
seed/README.ExternalDNS.md
View file

@ -1,29 +0,0 @@
---
gitea: none
include_toc: true
---
[Return to the list of application services.](README.md)
# ExternalDNS
## Synopsis
DNS forwarder for all DNS zones.<br/>This provider is able to answer query for external and internal domain name.
## Variables
| Parameter | Comment |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|
| **ExternalDNS:authority_zones**<br/>multiple<br/>**Type:** [`domainname`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Local DNS server can export own authority zones. |
## Provider
[unbound](unbound/README.md): Unbound, a validating, recursive, caching DNS resolver.
## Suppliers
- [postfix-relay](postfix-relay/README.md): Postfix, the mail server, as relay.
- [peertube](peertube/README.md): Peertube, a federated (ActivityPub) video streaming platform.
- [znc](znc/README.md): ZNC, a bouncer IRC.
- [nsd-local](nsd-local/README.md): NSD, an authoritative DNS name server for local resolution.

23
seed/README.IMAP.md
View file

@ -1,23 +0,0 @@
---
gitea: none
include_toc: true
---
[Return to the list of application services.](README.md)
# IMAP
## Synopsis
IMAP server connexion.
## Variables
## Provider
[dovecot](dovecot/README.md): Postfix and Dovecot as mail servers (IMAP and submission).
## Supplier
[roundcube](roundcube/README.md): Roundcube, a webmail.

54
seed/README.Journald.md
View file

@ -1,54 +0,0 @@
---
gitea: none
include_toc: true
---
[Return to the list of application services.](README.md)
# Journald
## Synopsis
Concentrate journal messages on one host.
## Variables
| Parameter | Comment |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------|
| **Journald:message**<br/>mandatory, multiple<br/>**Type:** [`string`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Message to exclude for *supplier name*. |
| **Journald:service**<br/>mandatory, multiple<br/>**Type:** [`string`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Log from this service to exclude for *supplier name*. |
| **Journald:function**<br/>multiple<br/>**Type:** [`string`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Function use to compare message (if not defined, exlude same message) for *supplier name*. |
## Provider
[vector](vector/README.md): Vector, a lightweight, ultra-fast tool for building observability pipelines.
## Suppliers
- [odoo](odoo/README.md): Odoo, an ERP and CRM.
- [nginx-static](nginx-static/README.md): Nginx as static web site.
- [grafana](grafana/README.md): Grafana is an analytics and interactive visualization web application.
- [postgresql](postgresql/README.md): Postgresql, a database.
- [postfix-relay](postfix-relay/README.md): Postfix, the mail server, as relay.
- [mailman](mailman/README.md): GNU Mailman, managing electronic mail discussion and e-newsletter lists.
- [peertube](peertube/README.md): Peertube, a federated (ActivityPub) video streaming platform.
- [piwigo](piwigo/README.md): Piwigo, a photo management software.
- [vector](vector/README.md): Vector, a lightweight, ultra-fast tool for building observability pipelines.
- [dovecot](dovecot/README.md): Postfix and Dovecot as mail servers (IMAP and submission).
- [unbound](unbound/README.md): Unbound, a validating, recursive, caching DNS resolver.
- [redis](redis/README.md): Redis, an in-memory data structure store.
- [loki](loki/README.md): Loki, a log aggregation platform.
- [forgejo](forgejo/README.md): Forgejo, a community managed lightweight code hosting solution.
- [nsd](nsd/README.md): NSD, an authoritative DNS name server.
- [speedtest-rs](speedtest-rs/README.md): Speedtest-rs, a very lightweight Speedtest.
- [nginx-reverse-proxy](nginx-reverse-proxy/README.md): Nginx as reverse proxy.
- [roundcube](roundcube/README.md): Roundcube, a webmail.
- [znc](znc/README.md): ZNC, a bouncer IRC.
- [vaultwarden](vaultwarden/README.md): Vaultwarden, a password manager.
- [prometheus](prometheus/README.md): Prometheus, an event monitoring.
- [mariadb](mariadb/README.md): MariaDB, a relational database.
- [nsd-local](nsd-local/README.md): NSD, an authoritative DNS name server for local resolution.
- [nextcloud](nextcloud/README.md): Nextcloud, Online collaboration platform.
- [lemonldap](lemonldap/README.md): LemonLDAP, a Web Single Sign On and Access Management.
- [openldap](openldap/README.md): OpenLDAP, the LDAP server.
- [gitea](gitea/README.md): Transitional package for Gitea to Forgejo.

34
seed/README.LDAP.md
View file

@ -1,34 +0,0 @@
---
gitea: none
include_toc: true
---
[Return to the list of application services.](README.md)
# LDAP
## Synopsis
Create account and connexion to a LDAP server.
## Variables
| Parameter | Comment |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------|
| **LDAP:family**<br/>**Type:** [`unix_user`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | LDAP family name for *supplier name*. |
| **LDAP:dn**<br/>**Type:** [`string`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | LDAP account DN for *supplier name*. |
| **LDAP:password**<br/>mandatory<br/>**Type:** [`password`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | LDAP passowrd for *supplier name*. |
| **LDAP:base_dn**<br/>mandatory<br/>**Type:** [`string`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | LDAP base DN for *supplier name*. |
## Provider
[openldap](openldap/README.md): OpenLDAP, the LDAP server.
## Suppliers
- [odoo](odoo/README.md): Odoo, an ERP and CRM.
- [piwigo](piwigo/README.md): Piwigo, a photo management software.
- [dovecot](dovecot/README.md): Postfix and Dovecot as mail servers (IMAP and submission).
- [roundcube](roundcube/README.md): Roundcube, a webmail.
- [nextcloud](nextcloud/README.md): Nextcloud, Online collaboration platform.
- [lemonldap](lemonldap/README.md): LemonLDAP, a Web Single Sign On and Access Management.

27
seed/README.LMTP.md
View file

@ -1,27 +0,0 @@
---
gitea: none
include_toc: true
---
[Return to the list of application services.](README.md)
# LMTP
## Synopsis
LMTP remote server.<br/>A service needs send email with LMTP protocol.
## Variables
| Parameter | Comment |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------|
| **LMTP:criteria**<br/>mandatory, multiple<br/>**Type:** [`string`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Domain name allowes to send email with LMTP protocol for *supplier name*. |
## Provider
[postfix-relay](postfix-relay/README.md): Postfix, the mail server, as relay.
## Suppliers
- [mailman](mailman/README.md): GNU Mailman, managing electronic mail discussion and e-newsletter lists.
- [dovecot](dovecot/README.md): Postfix and Dovecot as mail servers (IMAP and submission).

48
seed/README.LocalDNS.md
View file

@ -1,48 +0,0 @@
---
gitea: none
include_toc: true
---
[Return to the list of application services.](README.md)
# LocalDNS
## Synopsis
DNS forwarder for local domain name.
## Variables
| Parameter | Comment |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|
| **LocalDNS:DNSSEC_DS**<br/>multiple<br/>**Type:** [`string`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | DNSSEC DS informations. |
## Provider
[nsd-local](nsd-local/README.md): NSD, an authoritative DNS name server for local resolution.
## Suppliers
- [odoo](odoo/README.md): Odoo, an ERP and CRM.
- [nginx-static](nginx-static/README.md): Nginx as static web site.
- [grafana](grafana/README.md): Grafana is an analytics and interactive visualization web application.
- [postgresql](postgresql/README.md): Postgresql, a database.
- [mailman](mailman/README.md): GNU Mailman, managing electronic mail discussion and e-newsletter lists.
- [piwigo](piwigo/README.md): Piwigo, a photo management software.
- [vector](vector/README.md): Vector, a lightweight, ultra-fast tool for building observability pipelines.
- [dovecot](dovecot/README.md): Postfix and Dovecot as mail servers (IMAP and submission).
- [redis](redis/README.md): Redis, an in-memory data structure store.
- [loki](loki/README.md): Loki, a log aggregation platform.
- [forgejo](forgejo/README.md): Forgejo, a community managed lightweight code hosting solution.
- [nsd](nsd/README.md): NSD, an authoritative DNS name server.
- [speedtest-rs](speedtest-rs/README.md): Speedtest-rs, a very lightweight Speedtest.
- [nginx-reverse-proxy](nginx-reverse-proxy/README.md): Nginx as reverse proxy.
- [roundcube](roundcube/README.md): Roundcube, a webmail.
- [vaultwarden](vaultwarden/README.md): Vaultwarden, a password manager.
- [prometheus](prometheus/README.md): Prometheus, an event monitoring.
- [mariadb](mariadb/README.md): MariaDB, a relational database.
- [nsd-local](nsd-local/README.md): NSD, an authoritative DNS name server for local resolution.
- [nextcloud](nextcloud/README.md): Nextcloud, Online collaboration platform.
- [lemonldap](lemonldap/README.md): LemonLDAP, a Web Single Sign On and Access Management.
- [openldap](openldap/README.md): OpenLDAP, the LDAP server.
- [gitea](gitea/README.md): Transitional package for Gitea to Forgejo.

23
seed/README.Loki.md
View file

@ -1,23 +0,0 @@
---
gitea: none
include_toc: true
---
[Return to the list of application services.](README.md)
# Loki
## Synopsis
Concentrate log messages.
## Variables
## Provider
[loki](loki/README.md): Loki, a log aggregation platform.
## Supplier
[vector](vector/README.md): Vector, a lightweight, ultra-fast tool for building observability pipelines.

28
seed/README.MariaDB.md
View file

@ -1,28 +0,0 @@
---
gitea: none
include_toc: true
---
[Return to the list of application services.](README.md)
# MariaDB
## Synopsis
Create account and connexion to a MariaDB server.
## Variables
| Parameter | Comment |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------|
| **MariaDB:username**<br/>mandatory<br/>**Type:** [`string`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | MariaDB user name for *supplier name*. |
| **MariaDB:password**<br/>mandatory<br/>**Type:** [`secret`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | MariaDB password for *supplier name*. |
| **MariaDB:database**<br/>mandatory<br/>**Type:** [`string`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | MariaDB database name for *supplier name*. |
## Provider
[mariadb](mariadb/README.md): MariaDB, a relational database.
## Supplier
[piwigo](piwigo/README.md): Piwigo, a photo management software.

45
seed/README.OAuth2.md
View file

@ -1,45 +0,0 @@
---
gitea: none
include_toc: true
---
[Return to the list of application services.](README.md)
# OAuth2
## Synopsis
Remote clients needing to verify OAuth2 account.
## Variables
| Parameter | Comment |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------|
| **OAuth2:name**<br/>mandatory<br/>**Type:** [`string`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Remote name for *supplier name*. |
| **OAuth2:description**<br/>mandatory<br/>**Type:** [`string`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Remote description for *supplier name*. |
| **OAuth2:login**<br/>**Type:** [`web_address`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Remote URL to login for *supplier name*. |
| **OAuth2:external**<br/>mandatory, multiple<br/>**Type:** [`web_address`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Remote external for *supplier name*. |
| **OAuth2:family**<br/>mandatory, multiple<br/>**Type:** [`string`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Remote family for *supplier name*. |
| **OAuth2:category**<br/>mandatory<br/>**Type:** [`string`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Remode category for *supplier name*. |
| **OAuth2:logo**<br/>mandatory<br/>**Type:** [`string`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Logo for *supplier name*. |
| **OAuth2:client_id**<br/>mandatory<br/>**Type:** [`string`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Remote client id for *supplier name*. |
| **OAuth2:secret**<br/>mandatory<br/>**Type:** [`password`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Remote secret for *supplier name*. |
| **OAuth2:token_signature_algo**<br/>mandatory<br/>**Type:** [`choice`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | OAuth2 token signature algorithm for *supplier name*.<br/>**Choices:**<br/>- `HS512`<br/>- `RS256` |
| **OAuth2:external_domain**<br/>**Type:** [`domainname`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | OAuth2 server domain name. |
## Provider
[lemonldap](lemonldap/README.md): LemonLDAP, a Web Single Sign On and Access Management.
## Suppliers
- [odoo](odoo/README.md): Odoo, an ERP and CRM.
- [grafana](grafana/README.md): Grafana is an analytics and interactive visualization web application.
- [mailman](mailman/README.md): GNU Mailman, managing electronic mail discussion and e-newsletter lists.
- [peertube](peertube/README.md): Peertube, a federated (ActivityPub) video streaming platform.
- [piwigo](piwigo/README.md): Piwigo, a photo management software.
- [dovecot](dovecot/README.md): Postfix and Dovecot as mail servers (IMAP and submission).
- [forgejo](forgejo/README.md): Forgejo, a community managed lightweight code hosting solution.
- [roundcube](roundcube/README.md): Roundcube, a webmail.
- [nextcloud](nextcloud/README.md): Nextcloud, Online collaboration platform.
- [gitea](gitea/README.md): Transitional package for Gitea to Forgejo.

36
seed/README.Postgresql.md
View file

@ -1,36 +0,0 @@
---
gitea: none
include_toc: true
---
[Return to the list of application services.](README.md)
# Postgresql
## Synopsis
Create account and connexion to a PostgreSQL server.
## Variables
| Parameter | Comment |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------|
| **Postgresql:username**<br/>mandatory<br/>**Type:** [`string`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Postgresql username for *supplier name*. |
| **Postgresql:password**<br/>mandatory<br/>**Type:** [`password`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Postgresql password for *supplier name*. |
| **Postgresql:database**<br/>mandatory<br/>**Type:** [`string`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Postgresql database name for *supplier name*. |
## Provider
[postgresql](postgresql/README.md): Postgresql, a database.
## Suppliers
- [odoo](odoo/README.md): Odoo, an ERP and CRM.
- [grafana](grafana/README.md): Grafana is an analytics and interactive visualization web application.
- [mailman](mailman/README.md): GNU Mailman, managing electronic mail discussion and e-newsletter lists.
- [peertube](peertube/README.md): Peertube, a federated (ActivityPub) video streaming platform.
- [forgejo](forgejo/README.md): Forgejo, a community managed lightweight code hosting solution.
- [roundcube](roundcube/README.md): Roundcube, a webmail.
- [vaultwarden](vaultwarden/README.md): Vaultwarden, a password manager.
- [nextcloud](nextcloud/README.md): Nextcloud, Online collaboration platform.
- [gitea](gitea/README.md): Transitional package for Gitea to Forgejo.

19
seed/README.Prometheus.md
View file

@ -1,19 +0,0 @@
---
gitea: none
include_toc: true
---
[Return to the list of application services.](README.md)
# Prometheus
## Synopsis
Configure Prometheus exporter.
## Variables
## Provider
[prometheus](prometheus/README.md): Prometheus, an event monitoring.

33
seed/README.Redis.md
View file

@ -1,33 +0,0 @@
---
gitea: none
include_toc: true
---
[Return to the list of application services.](README.md)
# Redis
## Synopsis
Create account and connexion to a Redis server.
## Variables
| Parameter | Comment |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------|
| **Redis:username**<br/>mandatory<br/>**Type:** [`string`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Redis user name for *supplier name*. |
| **Redis:password**<br/>mandatory<br/>**Type:** [`password`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Redis password for *supplier name*. |
| **Redis:index**<br/>mandatory<br/>**Type:** [`number`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Redis database index.<br/>Only index 0 is allowed, Redis project discourage to use the server with several database. |
## Provider
[redis](redis/README.md): Redis, an in-memory data structure store.
## Suppliers
- [peertube](peertube/README.md): Peertube, a federated (ActivityPub) video streaming platform.
- [piwigo](piwigo/README.md): Piwigo, a photo management software.
- [forgejo](forgejo/README.md): Forgejo, a community managed lightweight code hosting solution.
- [roundcube](roundcube/README.md): Roundcube, a webmail.
- [nextcloud](nextcloud/README.md): Nextcloud, Online collaboration platform.
- [gitea](gitea/README.md): Transitional package for Gitea to Forgejo.

44
seed/README.ReverseProxy.md
View file

@ -1,44 +0,0 @@
---
gitea: none
include_toc: true
---
[Return to the list of application services.](README.md)
# ReverseProxy
## Synopsis
Register to service to a reverse proxy server.
## Variables
| Parameter | Comment |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------|
| **ReverseProxy:external**<br/>mandatory, multiple<br/>**Type:** [`domainname`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | External domain name for *supplier name*. |
| **ReverseProxy:location**<br/>mandatory<br/>**Type:** [`filename`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | URI to redirect for *supplier name*.<br/>Relative redirected URI (without domaine name).<br/>**Example:** /mail |
| **ReverseProxy:max_body_size**<br/>**Type:** [`string`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Body size max for *supplier name*. |
| **ReverseProxy:websocket**<br/>mandatory<br/>**Type:** [`boolean`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | The entry point is a websocket for *supplier name*.<br/>**Default:** [True] |
| **ReverseProxy:url**<br/>mandatory<br/>**Type:** [`web_address`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Internal URL for *supplier name*. |
| **ReverseProxy:http**<br/>mandatory<br/>**Type:** [`boolean`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | The website is in HTTP for *supplier name*.<br/>**Default:** True |
## Provider
[nginx-reverse-proxy](nginx-reverse-proxy/README.md): Nginx as reverse proxy.
## Suppliers
- [odoo](odoo/README.md): Odoo, an ERP and CRM.
- [nginx-static](nginx-static/README.md): Nginx as static web site.
- [grafana](grafana/README.md): Grafana is an analytics and interactive visualization web application.
- [mailman](mailman/README.md): GNU Mailman, managing electronic mail discussion and e-newsletter lists.
- [peertube](peertube/README.md): Peertube, a federated (ActivityPub) video streaming platform.
- [piwigo](piwigo/README.md): Piwigo, a photo management software.
- [dovecot](dovecot/README.md): Postfix and Dovecot as mail servers (IMAP and submission).
- [forgejo](forgejo/README.md): Forgejo, a community managed lightweight code hosting solution.
- [speedtest-rs](speedtest-rs/README.md): Speedtest-rs, a very lightweight Speedtest.
- [roundcube](roundcube/README.md): Roundcube, a webmail.
- [vaultwarden](vaultwarden/README.md): Vaultwarden, a password manager.
- [nextcloud](nextcloud/README.md): Nextcloud, Online collaboration platform.
- [lemonldap](lemonldap/README.md): LemonLDAP, a Web Single Sign On and Access Management.
- [gitea](gitea/README.md): Transitional package for Gitea to Forgejo.

37
seed/README.SMTP.md
View file

@ -1,37 +0,0 @@
---
gitea: none
include_toc: true
---
[Return to the list of application services.](README.md)
# SMTP
## Synopsis
Create a SMTP relay account and authorize sending email.<br/>A service needs send email with SMTP protocol, so an account is created and SMTP relay accept sending mail by this account.
## Variables
| Parameter | Comment |
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------|
| **SMTP:username**<br/>mandatory<br/>**Type:** [`string`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | User account to send email for *supplier name*. |
| **SMTP:password**<br/>mandatory<br/>**Type:** [`secret`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Password to send email for *supplier name*. |
## Provider
[postfix-relay](postfix-relay/README.md): Postfix, the mail server, as relay.
## Suppliers
- [odoo](odoo/README.md): Odoo, an ERP and CRM.
- [grafana](grafana/README.md): Grafana is an analytics and interactive visualization web application.
- [mailman](mailman/README.md): GNU Mailman, managing electronic mail discussion and e-newsletter lists.
- [peertube](peertube/README.md): Peertube, a federated (ActivityPub) video streaming platform.
- [piwigo](piwigo/README.md): Piwigo, a photo management software.
- [dovecot](dovecot/README.md): Postfix and Dovecot as mail servers (IMAP and submission).
- [forgejo](forgejo/README.md): Forgejo, a community managed lightweight code hosting solution.
- [vaultwarden](vaultwarden/README.md): Vaultwarden, a password manager.
- [nextcloud](nextcloud/README.md): Nextcloud, Online collaboration platform.
- [lemonldap](lemonldap/README.md): LemonLDAP, a Web Single Sign On and Access Management.
- [gitea](gitea/README.md): Transitional package for Gitea to Forgejo.

22
seed/README.Vector.md
View file

@ -1,22 +0,0 @@
---
gitea: none
include_toc: true
---
[Return to the list of application services.](README.md)
# Vector
## Synopsis
Collect observability data from another Vector instance.
## Variables
| Parameter | Comment |
|-------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------|
| **Vector:address**<br/>**Type:** [`ip`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Send Journal on this IP address.<br/>Vector must listen on this address, clients are configured to use this destination IP. |
## Provider
[vector](vector/README.md): Vector, a lightweight, ultra-fast tool for building observability pipelines.

91
seed/README.md
View file

@ -1,91 +0,0 @@
# Application services
- [dovecot](dovecot/README.md): Postfix and Dovecot as mail servers (IMAP and submission)
- [forgejo](forgejo/README.md): Forgejo, a community managed lightweight code hosting solution
- [gitea](gitea/README.md): Transitional package for Gitea to Forgejo
- [grafana](grafana/README.md): Grafana is an analytics and interactive visualization web application
- [lemonldap](lemonldap/README.md): LemonLDAP, a Web Single Sign On and Access Management
- [loki](loki/README.md): Loki, a log aggregation platform
- [mailman](mailman/README.md): GNU Mailman, managing electronic mail discussion and e-newsletter lists
- [mariadb](mariadb/README.md): MariaDB, a relational database
- [nextcloud](nextcloud/README.md): Nextcloud, Online collaboration platform
- nginx:
- [nginx-reverse-proxy](nginx-reverse-proxy/README.md): Nginx as reverse proxy
- [nginx-static](nginx-static/README.md): Nginx as static web site
- nsd:
- [nsd](nsd/README.md): NSD, an authoritative DNS name server
- [nsd-local](nsd-local/README.md): NSD, an authoritative DNS name server for local resolution
- [odoo](odoo/README.md): Odoo, an ERP and CRM
- [openldap](openldap/README.md): OpenLDAP, the LDAP server
- [peertube](peertube/README.md): Peertube, a federated (ActivityPub) video streaming platform
- [piwigo](piwigo/README.md): Piwigo, a photo management software
- [postfix-relay](postfix-relay/README.md): Postfix, the mail server, as relay
- [postgresql](postgresql/README.md): Postgresql, a database
- [prometheus](prometheus/README.md): Prometheus, an event monitoring
- [redis](redis/README.md): Redis, an in-memory data structure store
- [roundcube](roundcube/README.md): Roundcube, a webmail
- [speedtest-rs](speedtest-rs/README.md): Speedtest-rs, a very lightweight Speedtest
- [unbound](unbound/README.md): Unbound, a validating, recursive, caching DNS resolver
- [vaultwarden](vaultwarden/README.md): Vaultwarden, a password manager
- [vector](vector/README.md): Vector, a lightweight, ultra-fast tool for building observability pipelines
- [znc](znc/README.md): ZNC, a bouncer IRC
# Application dependencies
- [apache](apache/README.md): Apache as web server
- base:
- [base](base/README.md): Base of all application services
- [base-debian](base-debian/README.md): Base information of a Debian server
- [base-debian-bullseye](base-debian-bullseye/README.md): Base information of a Debian Bulleye server
- [base-fedora](base-fedora/README.md): Base information of a Fedora
- [base-fedora-35](base-fedora-35/README.md): Base information of a Fedora 35
- [base-fedora-36](base-fedora-36/README.md): Base information of a Fedora 36
- [base-fedora-37](base-fedora-37/README.md): Base information of a Fedora 37
- [base-fedora-38](base-fedora-38/README.md): Base information of a Fedora 38
- [base-machine](base-machine/README.md): Base information for a machine
- dns:
- [dns-external](dns-external/README.md): DNS client with resolution on all zones (especially outside)
- [dns-local](dns-local/README.md): DNS client with access to local zones
- [host-systemd-machined](host-systemd-machined/README.md): Host with machine started in Systemd Machined environment
- [imap-client](imap-client/README.md): Application service needs interact with an IMAP server
- [journald](journald/README.md): Journald
- [journald_remote](journald_remote/README.md): Journald remote
- [ldap-client](ldap-client/README.md): Application service needs interact with a LDAP server
- [mariadb-client](mariadb-client/README.md): Application service needs interact with a MariaDB server
- nginx:
- [nginx-common](nginx-common/README.md): Nginx common configuration
- [nginx-https](nginx-https/README.md): Nginx as HTTPS web site
- [oauth2-client](oauth2-client/README.md): Application service needs interact with a Oauth2 server
- php:
- [php](php/README.md): PHP, a popular general-purpose scripting language
- [php-fpm](php-fpm/README.md): PHP FPM
- [pki-tls](pki-tls/README.md): Autosign PKI or Let's encrypt support for TLS certificates
- [postfix-lmtp-relay](postfix-lmtp-relay/README.md): Postfix, the mail server, as LMTP relay
- [postgresql-client](postgresql-client/README.md): Application service needs interact with a Postgresql server
- [provider-systemd-machined](provider-systemd-machined/README.md): Machine started in Systemd Machined environment
- redis:
- [redis-client](redis-client/README.md): Application service needs interact with a Redis server
- [redis-common](redis-common/README.md): Redis, an in-memory data structure store
- relay:
- [relay-lmtp-client](relay-lmtp-client/README.md): Application service needs interact with a Postfix server with LMTP protocol
- [relay-mail-client](relay-mail-client/README.md): Client SMTP
- [resolved](resolved/README.md): Resolved
- [reverse-proxy-client](reverse-proxy-client/README.md): Application service needs interact with a a reverse proxy server
- [systemd](systemd/README.md): Systemd, a system and service manager
# Providers
- [ExternalDNS](README.ExternalDNS.md): DNS forwarder for all DNS zones.
- [IMAP](README.IMAP.md): IMAP server connexion.
- [Journald](README.Journald.md): Concentrate journal messages on one host.
- [LDAP](README.LDAP.md): Create account and connexion to a LDAP server.
- [LMTP](README.LMTP.md): LMTP remote server.
- [LocalDNS](README.LocalDNS.md): DNS forwarder for local domain name.
- [Loki](README.Loki.md): Concentrate log messages.
- [MariaDB](README.MariaDB.md): Create account and connexion to a MariaDB server.
- [OAuth2](README.OAuth2.md): Remote clients needing to verify OAuth2 account.
- [Postgresql](README.Postgresql.md): Create account and connexion to a PostgreSQL server.
- [Prometheus](README.Prometheus.md): Configure Prometheus exporter.
- [Redis](README.Redis.md): Create account and connexion to a Redis server.
- [ReverseProxy](README.ReverseProxy.md): Register to service to a reverse proxy server.
- [SMTP](README.SMTP.md): Create a SMTP relay account and authorize sending email.
- [Vector](README.Vector.md): Collect observability data from another Vector instance.

36
seed/apache/README.md
View file

@ -1,36 +0,0 @@
---
gitea: none
include_toc: true
---
[Return to the list of application services.](../README.md)
# apache
## Synopsis
[Apache as web server.](https://httpd.apache.org/)
## Variables for expert
### General
#### Apache
Advance Apache web server settings.
| Parameter | Comments |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|
| **[general.apache.apache_timeout](dictionaries/20_web.xml)**<br/>mandatory<br/>**Type:** [`number`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Amount of time the server will wait for certain events before failing a request.<br/>Time in seconds.<br/>**Default:** 300 |
| **[general.apache.apache_keepalive](dictionaries/20_web.xml)**<br/>mandatory<br/>**Type:** [`boolean`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Enables HTTP persistent connections.<br/>**Default:** True |
## Dependances
- [reverse-proxy-client](../reverse-proxy-client/README.md): Application service needs interact with a a reverse proxy server.
## Used by
[nextcloud](../nextcloud/README.md)

6
seed/apache/applicationservice.yml
View file

@ -1,6 +0,0 @@
---
format: '0.1'
description: Apache as web server
website: https://httpd.apache.org/
depends:
- reverse-proxy-client

23
seed/apache/dictionaries/20_web.yml
View file

@ -1,23 +0,0 @@
---
version: 1.1
nginx:
php_fpm_user:
redefine: true
exists: true
default: apache
apache:
description: Apache
help: Advance Apache web server settings
mode: advanced
apache_timeout:
description: >-
Amount of time the server will wait for certain events before failing a
request
help: Time in seconds
default: 300
apache_keepalive: true # Enables HTTP persistent connections

1
seed/apache/manual/image/preinstall/apache.sh
View file

@ -1 +0,0 @@
PKG="$PKG httpd mod_ssl"

15
seed/apache/templates/risotto.conf
View file

@ -1,15 +0,0 @@
# Timeout
Timeout {{ general.apache.apache_timeout }}
# Keepalive
{% if general.apache.apache_keepalive %}
KeepAlive On
{% else %}
KeepAlive Off
{% endif %}
MaxKeepAliveRequests 50
KeepAliveTimeout {{ general.apache.apache_timeout }}
# RemoteIp
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy {{ general.revprox.revprox_client_server_ip }}

0
seed/apache/FIXME → seed/applicationservice/2022.03.08/apache/FIXME
View file

5
seed/applicationservice/2022.03.08/apache/applicationservice.yml Normal file
View file

@ -0,0 +1,5 @@
format: '0.1'
description: Apache configuration
depends:
- base-fedora-35
- reverse-proxy-client

31
seed/applicationservice/2022.03.08/apache/dictionaries/20_web.xml Normal file
View file

@ -0,0 +1,31 @@
<?xml version='1.0' encoding='UTF-8'?>
<rougail version="0.10">
<services>
<service name="httpd" target="multi-user">
<file>/etc/httpd/conf/httpd.conf</file>
<file>/etc/httpd/conf.d/risotto.conf</file>
<file>/etc/httpd/conf.d/ssl.conf</file>
<file>/etc/httpd/ssl/server.ca</file>
<file>/etc/httpd/ssl/server.key</file>
<file>/etc/httpd/ssl/server.crt</file>
<file engine="none" source="sysuser-httpd.conf">/sysusers.d/httpd.conf</file>
<file engine="none" source="tmpfile-httpd.conf">/tmpfiles.d/0httpd.conf</file>
</service>
</services>
<variables>
<family name="apache" description="Apache" help="Paramètrage avancé du serveur web Apache">
<variable name="apache_timeout" type="number" description="Temps en secondes pendant lequel le serveur va attendre des entrées/sorties avant de considérer qu'une requête a échoué">
<value>300</value>
</variable>
<variable name="apache_keepalive" type="boolean" description="Autoriser les connexions persistantes"/>
<variable name="server_ca" hidden="True"/>
</family>
</variables>
<constraints>
<fill name="get_chain">
<param name="authority_cn" type="variable">revprox_client_server_domainname</param>
<param name="authority_name">InternalReverseProxy</param>
<target>server_ca</target>
</fill>
</constraints>
</rougail>

0
seed/apache/templates/httpd.conf → seed/applicationservice/2022.03.08/apache/templates/httpd.conf
View file

15
seed/applicationservice/2022.03.08/apache/templates/risotto.conf Normal file
View file

@ -0,0 +1,15 @@
# Timeout
Timeout %%apache_timeout
# Keepalive
%if %%apache_keepalive
KeepAlive On
%else
KeepAlive Off
%end if
MaxKeepAliveRequests 50
KeepAliveTimeout %%apache_timeout
# RemoteIp
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy %%revprox_client_server_ip

1
seed/applicationservice/2022.03.08/apache/templates/server.ca Normal file
View file

@ -0,0 +1 @@
%%server_ca

1
seed/applicationservice/2022.03.08/apache/templates/server.crt Normal file
View file

@ -0,0 +1 @@
%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name="InternalReverseProxy")

1
seed/applicationservice/2022.03.08/apache/templates/server.key Normal file
View file

@ -0,0 +1 @@
%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name="InternalReverseProxy")

6
seed/apache/templates/ssl.conf → seed/applicationservice/2022.03.08/apache/templates/ssl.conf
View file

@ -100,7 +100,7 @@ SSLProxyCipherSuite PROFILE=SYSTEM
# require an ECC certificate which can also be configured in
# parallel.
# GNUNUX SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile {{ general.tls_cert_directory }}/revprox.crt
SSLCertificateFile /etc/httpd/ssl/server.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
@ -109,7 +109,7 @@ SSLCertificateFile {{ general.tls_cert_directory }}/revprox.crt
# both in parallel (to also allow the use of DSA ciphers, etc.)
# ECC keys, when in use, can also be configured in parallel
# GNUNUX SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile {{ general.tls_key_directory }}/revprox.key
SSLCertificateKeyFile /etc/httpd/ssl/server.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
@ -126,7 +126,7 @@ SSLCertificateKeyFile {{ general.tls_key_directory }}/revprox.key
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
#>GNUNUX
SSLCACertificateFile {{ general.tls_ca_directory }}/InternalReverseProxy.crt
SSLCACertificateFile /etc/httpd/ssl/server.ca
#<GNUNUX
# Client Authentication (Type):

0
seed/apache/templates/sysuser-httpd.conf → seed/applicationservice/2022.03.08/apache/templates/sysuser-httpd.conf
View file

0
seed/apache/templates/tmpfile-httpd.conf → seed/applicationservice/2022.03.08/apache/templates/tmpfile-httpd.conf
View file

4
seed/applicationservice/2022.03.08/base-debian-bullseye/applicationservice.yml Normal file
View file

@ -0,0 +1,4 @@
format: '0.1'
description: Information de base d'un serveur Debian Buster
depends:
- base-debian

15
seed/applicationservice/2022.03.08/base-debian-bullseye/dictionaries/00-debian-bullseye.xml Normal file
View file

@ -0,0 +1,15 @@
<?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10">
<services>
<service name="dnssec" manage="False">
<file>/etc/dnssec-trust-anchors.d/local.negative</file>
</service>
</services>
<variables>
<family name="general">
<variable name="os_version" type="string" description="OS Version" hidden="True">
<value>bullseye</value>
</variable>
</family>
</variables>
</rougail>

0
seed/base-debian-bullseye/manual/image/preinstall/base_debian_bullseye.sh → seed/applicationservice/2022.03.08/base-debian-bullseye/manual/image/preinstall/base_debian_bullseye.sh
View file

2
seed/applicationservice/2022.03.08/base-debian-bullseye/templates/local.negative Normal file
View file

@ -0,0 +1,2 @@
%set %%domain=%%domain_name_eth0.split('.', 1)[1]
%%domain

5
seed/applicationservice/2022.03.08/base-debian/applicationservice.yml Normal file
View file

@ -0,0 +1,5 @@
format: '0.1'
description: Information de base d'un serveur Debian
depends:
- base
- systemd

26
seed/applicationservice/2022.03.08/base-debian/dictionaries/00-debian-base.xml Normal file
View file

@ -0,0 +1,26 @@
<?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10">
<services>
<service name="debian" manage="False">
<file engine="none" source="tmpfile-tmp.conf">/tmpfiles.d/0tmp.conf</file>
<file engine="none">/etc/default/locale</file>
</service>
<service name="update-ca-certificates" engine="creole" target="multi-user"/>
</services>
<variables>
<family name="general">
<variable name="os_name" type="string" description="OS name" hidden="True">
<value>Debian</value>
</variable>
<variable name="tls_ca_directory" type="filename" description="Directory where CA are stored" hidden="True">
<value>/etc/ssl-localca</value>
</variable>
<variable name="tls_cert_directory" type="filename" description="Directory where certificates are stored" hidden="True">
<value>/etc/ssl/certs</value>
</variable>
<variable name="tls_key_directory" type="filename" description="Directory where private keys are stored" hidden="True">
<value>/etc/ssl/private</value>
</variable>
</family>
</variables>
</rougail>

2
seed/applicationservice/2022.03.08/base-debian/manual/image/postinstall/debian.sh Normal file
View file

@ -0,0 +1,2 @@
rm -f $IMAGE_NAME_RISOTTO_IMAGE_DIR/etc/resolv.conf
ln -s ../run/systemd/resolve/stub-resolv.conf $IMAGE_NAME_RISOTTO_IMAGE_DIR/etc/resolv.conf

0
seed/base-debian/manual/image/preinstall/base_debian.sh → seed/applicationservice/2022.03.08/base-debian/manual/image/preinstall/base_debian.sh
View file

0
seed/base-debian/templates/locale → seed/applicationservice/2022.03.08/base-debian/templates/locale
View file

1
seed/applicationservice/2022.03.08/base-debian/templates/tmpfile-tmp.conf Normal file
View file

@ -0,0 +1 @@
q /var/tmp 1777 root root 30d

2
seed/base-debian/templates/update-ca-certificates.service → seed/applicationservice/2022.03.08/base-debian/templates/update-ca-certificates.service
View file

@ -4,7 +4,7 @@ Before=network-pre.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/update-ca-certificates --localcertsdir {{ general.tls_ca_directory }}
ExecStart=/usr/sbin/update-ca-certificates --localcertsdir %%tls_ca_directory
[Install]
WantedBy=multi-user.target

4
seed/applicationservice/2022.03.08/base-fedora-35/applicationservice.yml Normal file
View file

@ -0,0 +1,4 @@
format: '0.1'
description: Information de base d'un serveur fedora version 35
depends:
- base-fedora

10
seed/applicationservice/2022.03.08/base-fedora-35/dictionaries/00-fedora-35.xml Normal file
View file

@ -0,0 +1,10 @@
<?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10">
<variables>
<family name="general">
<variable name="os_version" type="string" description="OS Version" hidden="True">
<value>35</value>
</variable>
</family>
</variables>
</rougail>

7
seed/applicationservice/2022.03.08/base-fedora-35/manual/image/postinstall/base_fedora_35.sh Normal file
View file

@ -0,0 +1,7 @@
# ACTIVE NETWORKD
mkdir $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/network-online.target.wants
chmod 775 $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/network-online.target.wants
ln -s /usr/lib/systemd/system/systemd-networkd.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/dbus-org.freedesktop.network1.service"
ln -s /usr/lib/systemd/system/systemd-networkd.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/multi-user.target.wants/systemd-networkd.service"
ln -s /usr/lib/systemd/system/systemd-networkd-wait-online.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/network-online.target.wants/systemd-networkd-wait-online.service"
ln -s /usr/lib/systemd/system/systemd-networkd.socket "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/sockets.target.wants/systemd-networkd.socket"

0
seed/base-fedora-35/manual/image/preinstall/base_fedora_35.sh → seed/applicationservice/2022.03.08/base-fedora-35/manual/image/preinstall/base_fedora_35.sh
View file

0
seed/base-fedora/infos.md → seed/applicationservice/2022.03.08/base-fedora/README.md
View file

5
seed/applicationservice/2022.03.08/base-fedora/applicationservice.yml Normal file
View file

@ -0,0 +1,5 @@
format: '0.1'
description: Information de base d'un serveur Fedora
depends:
- base
- systemd

25
seed/applicationservice/2022.03.08/base-fedora/dictionaries/00-fedora-base.xml Normal file
View file

@ -0,0 +1,25 @@
<?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10">
<services>
<service name="update-ca-trust" engine="creole" target="multi-user"/>
<service name="fedora-base" manage="False">
<file engine="none">/tmpfiles.d/fedora.conf</file>
</service>
</services>
<variables>
<family name="general">
<variable name="os_name" type="string" description="OS name" hidden="True">
<value>Fedora</value>
</variable>
<variable name="tls_ca_directory" type="filename" description="Directory where CA are stored" hidden="True">
<value>/etc/pki/ca-trust/source/anchors</value>
</variable>
<variable name="tls_cert_directory" type="filename" description="Directory where certificates are stored" hidden="True">
<value>/etc/pki/tls/certs</value>
</variable>
<variable name="tls_key_directory" type="filename" description="Directory where private keys are stored" hidden="True">
<value>/etc/pki/tls/private</value>
</variable>
</family>
</variables>
</rougail>

4
seed/applicationservice/2022.03.08/base-fedora/manual/image/preinstall/base_fedora.sh Normal file
View file

@ -0,0 +1,4 @@
BASE_PKG="systemd systemd-networkd systemd-resolved fedora-release-container lsof strace glibc-langpack-fr"
INSTALL_TOOL="dnf"
OS_NAME='fedora'
REPO_DIR="$IMAGE_NAME_RISOTTO_IMAGE_DIR/etc/yum.repos.d/"

0
seed/base-fedora/templates/fedora.conf → seed/applicationservice/2022.03.08/base-fedora/templates/fedora.conf
View file

1
seed/base-fedora/templates/update-ca-trust.service → seed/applicationservice/2022.03.08/base-fedora/templates/update-ca-trust.service
View file

@ -8,3 +8,4 @@ ExecStart=/usr/bin/update-ca-trust
[Install]
WantedBy=multi-user.target

2
seed/applicationservice/2022.03.08/base/applicationservice.yml Normal file
View file

@ -0,0 +1,2 @@
format: '0.1'
description: Information de base d'un serveur

84
seed/applicationservice/2022.03.08/base/dictionaries/00-base.xml Normal file
View file

@ -0,0 +1,84 @@
<?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10">
<services>
<service name="base" manage="False">
<file engine="none">/etc/locale.conf</file>
</service>
</services>
<variables>
<family name='general' description="Général">
<variable name="zones_list" type="string" multi="True" description="Liste de toutes les zones" hidden="True"/>
<variable name="number_of_interfaces" type="number" description="Nombre d'interface disponible" hidden="True"/>
<variable name="interfaces_list" type="number" multi="True" description="Liste de toutes les interfaces" hidden="True"/>
<variable name="server_deployed" type="boolean" description="Le serveur est déployé" hidden="True">
<value>False</value>
</variable>
</family>
<family name="dns" description="DNS">
<variable name="dns_client_address" type="domainname" description="Nom de domaine du serveur SMTP"/>
<variable name="ip_dns" type="ip" description="The DNS server" hidden="True"/>
</family>
<family name="interface_" description="Interface " dynamic="interfaces_list">
<variable name="zone_name_eth" type="string" description="Zone name for interface " hidden="True"/>
<variable name="ip_eth" type="ip" description="Adresse IP pour l'interface " hidden="True" provider="ip"/>
<variable name="network_eth" type="network_cidr" description="The zone network for interface " hidden="True"/>
<variable name="gateway_eth" type="ip" description="The zone gateway for interface "/>
<variable name="domain_name_eth" type="domainname" description="Nom de domaine pour l'interface " mandatory="True" hidden="True"/>
</family>
</variables>
<constraints>
<fill name="set_linked">
<param name="linked_server" type="variable">dns_client_address</param>
<param name="linked_provider">dns</param>
<param name="linked_value" type="variable">ip_eth0</param>
<param name="linked_returns">ip</param>
<target>ip_dns</target>
</fill>
<fill name="get_number_of_interfaces">
<param type="information">zones_name</param>
<target>number_of_interfaces</target>
</fill>
<fill name="calc_value">
<param type="information">zones_name</param>
<target>zones_list</target>
</fill>
<fill name="get_range">
<param type="variable">number_of_interfaces</param>
<target>interfaces_list</target>
</fill>
<fill name="get_ip">
<param name="server_name" type="information">server_name</param>
<param name="zones_name" type="information">zones_name</param>
<param name="index" type="suffix"/>
<target>ip_eth</target>
</fill>
<!-- Return "server_name" only for domain_name_eth0 -->
<fill name="get_domain_name">
<param type="information">server_name</param>
<param type="information">extra_domainnames</param>
<param type="suffix"/>
<target>domain_name_eth</target>
</fill>
<fill name="get_zone_name">
<param type="information">zones_name</param>
<param name="index" type="suffix"/>
<target>zone_name_eth</target>
</fill>
<fill name="zone_information">
<param type="variable">zone_name_eth</param>
<param>network</param>
<target>network_eth</target>
</fill>
<fill name="zone_information">
<param type="variable">zone_name_eth</param>
<param>gateway</param>
<param name="index" type="suffix"/>
<target>gateway_eth</target>
</fill>
<check name="valid_entier">
<param name="mini" type="number">1</param>
<target>number_of_interfaces</target>
</check>
</constraints>
</rougail>

14
seed/applicationservice/2022.03.08/base/extras/machine/00_base.xml Normal file
View file

@ -0,0 +1,14 @@
<?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10">
<variables>
<variable name='name' description="Machine name" type="domainname" hidden="True"/>
<variable name='data_disk_size' description="Data disk size" type="number"/>
</variables>
<constraints>
<fill name="calc_value">
<param type="variable">domain_name_eth0</param>
<target>machine.name</target>
</fill>
</constraints>
</rougail>

53
seed/base-machine/funcs/funcs.py → seed/applicationservice/2022.03.08/base/funcs/funcs.py
View file

@ -2,24 +2,23 @@ import __main__
from secrets import token_urlsafe as _token_urlsafe, token_hex as _token_hex
from string import ascii_letters as _ascii_letters
from random import choice as _choice
from os.path import join as _join, isfile as _isfile, isdir as _isdir
from os import makedirs as _makedirs, environ as _environ
from os.path import dirname as _dirname, abspath as _abspath, join as _join, isfile as _isfile, isdir as _isdir
from os import makedirs as _makedirs
_HERE = _environ['PWD']
_HERE = _dirname(_abspath(__main__.__file__))
_PASSWORD_DIR = _join(_HERE, 'password')
def get_password(username: str,
def get_password(server_name: str,
username: str,
description: str,
type: str,
hide: bool,
server_name: str='none',
length: int=20,
temporary: bool=True,
) -> str:
if hide:
return "XXXXX"
if type != 'cleartext':
raise Exception('only cleartext is supported')
def gen_password():
return _token_urlsafe(length)[:length]
return _set_password(server_name,
@ -27,7 +26,6 @@ def get_password(username: str,
description,
gen_password,
temporary,
type,
)
@ -35,11 +33,8 @@ def get_password_alpha_num(server_name,
username: str,
description: str,
length,
hide: bool,
starts_with_char=False,
):
if hide:
return "XXXXX"
def gen_password():
password = _token_hex()
if starts_with_char:
@ -50,7 +45,6 @@ def get_password_alpha_num(server_name,
description,
gen_password,
True,
'cleartext',
)
@ -59,10 +53,7 @@ def _set_password(server_name: str,
description: str,
gen_password,
temporary,
type,
) -> str:
if type != 'cleartext':
raise Exception('only cleartext is supported')
if not server_name or not username:
return
dir_name = _join(_PASSWORD_DIR, server_name, description)
@ -74,5 +65,31 @@ def _set_password(server_name: str,
with open(file_name, 'w') as fh:
fh.write(password)
with open(file_name, 'r') as fh:
file_content = fh.read().strip()
return file_content
return fh.read().strip()
def get_range(stop):
return list(range(stop))
def get_number_of_interfaces(zones):
if zones is None:
return 1
return len(zones)
def get_zone_name(zones: list,
index: str,
):
if zones is not None:
return zones[int(index)]
def get_domain_name(server_name: str,
extra_domainnames: list,
suffix: str,
) -> str:
index = int(suffix)
if index == 0:
return server_name
return extra_domainnames[index - 1]

1
seed/base-machine/manual/install/config.sh → seed/applicationservice/2022.03.08/base/manual/install/config.sh
View file

@ -4,7 +4,6 @@ RISOTTO_IMAGE_DIR="$RISOTTO_DIR/images"
RISOTTO_SRV_DIR="$RISOTTO_DIR/srv"
RISOTTO_CONFIG_DIR="$RISOTTO_DIR/configurations"
MACHINES_DIR="/var/lib/machines"
BACKUP_DIR="/root/backup"
# image configuration
IMAGE_BASE_RISOTTO_BASE_DIR="$RISOTTO_IMAGE_DIR/image_bases"
IMAGE_NAME_RISOTTO_IMAGE_DIR="$RISOTTO_IMAGE_DIR/$IMAGE_NAME"

1
seed/base-machine/manual/install/config_machine.sh → seed/applicationservice/2022.03.08/base/manual/install/config_machine.sh
View file

@ -1,7 +1,6 @@
# machine configuration
MACHINE_RISOTTO_SRV_DIR_LOCAL="srv/$MACHINE"
MACHINE_RISOTTO_SRV_DIR="$RISOTTO_SRV_DIR/$MACHINE"
RISOTTO_JOURNALD_DIR="$RISOTTO_DIR/journals/$MACHINE"
MACHINE_RISOTTO_CONFIG_DIR_LOCAL="$IMAGE_NAME/configurations/$MACHINE"
MACHINE_RISOTTO_CONFIG_DIR="$RISOTTO_CONFIG_DIR/$MACHINE"
MACHINE_MACHINES_DIR="$MACHINES_DIR/$MACHINE"

53
seed/applicationservice/2022.03.08/base/manual/install/diff.py Executable file
View file

@ -0,0 +1,53 @@
#!/usr/bin/env python3
from os.path import join
from filecmp import dircmp
from difflib import unified_diff
from sys import stdout, argv
from datetime import datetime, timezone
os_name = argv[1]
OLD_DIR = argv[2]
NEW_DIR = argv[3]
FILES = []
def diff_files(dcmp):
for name in dcmp.diff_files:
FILES.append(join(dcmp.right[len(NEW_DIR):], name))
for sub_dcmp in dcmp.subdirs.values():
diff_files(sub_dcmp)
dcmp = dircmp(OLD_DIR, NEW_DIR)
diff_files(dcmp)
date = datetime.now(timezone.utc).isoformat()
title = f"Nouvelle version de la configuration de {os_name}"
subtitle = f"Différence entre les fichiers de configuration de {os_name}"
print(f"""+++
title = "{title}"
description = "{subtitle}"
date = {date}
updated = {date}
draft = false
template = "blog/page.html"
[taxonomies]
authors = ["Automate"]
[extra]
lead = "{subtitle}."
type = "installe"
+++
""")
for filename in FILES:
with open(join(OLD_DIR, filename[1:]), 'r') as ori:
ori_content = ori.readlines()
with open(join(NEW_DIR, filename[1:]), 'r') as new:
new_content = new.readlines()
print(f'- mise à jour du fichier {filename} :\n')
print('```diff')
for line in unified_diff(ori_content, new_content, fromfile=filename, tofile=filename):
print(line.rstrip())
print('```')

27
seed/applicationservice/2022.03.08/base/manual/install/install_host Executable file
View file

@ -0,0 +1,27 @@
#!/bin/bash -xe
HOST_NAME=$1
if [ -z "$HOST_NAME" ]; then
echo "usage: $0 host name"
exit 1
fi
apt install --yes systemd-container dnf jq debootstrap htop gettext
systemd-tmpfiles --create --clean --remove $PWD/host/configurations/$HOST_NAME/tmpfiles.d/0asystemd-nspawn.conf
systemd-tmpfiles --create --clean --remove $PWD/host/configurations/$HOST_NAME/tmpfiles.d/0rougail.conf
systemctl daemon-reload
systemctl restart systemd-sysctl.service
systemctl enable systemd-networkd
systemctl restart systemd-networkd
systemctl enable systemd-resolved
systemctl restart systemd-resolved
# systemctl mask dev-hugepages.mount
#nft add table nat
#nft flush table nat;
#nft 'add chain nat prerouting { type nat hook prerouting priority -100; }'
#nft 'add rule nat prerouting iif enp0s3 tcp dport { 80, 443 } dnat to 192.168.45.12'
#nft 'add chain nat postrouting { type nat hook postrouting priority -100; }'
#nft 'add rule nat postrouting ip saddr 192.168.45.10 oif enp0s8 tcp dport 53 snat to 10.0.3.15'
#nft 'add rule nat postrouting ip saddr 192.168.45.10 oif enp0s8 udp dport 53 snat to 10.0.3.15'
exit 0

161
seed/applicationservice/2022.03.08/base/manual/install/install_image Executable file
View file

@ -0,0 +1,161 @@
#!/bin/bash -xe
HOST_NAME=$1
IMAGE_NAME=$2
if [ -z "$IMAGE_NAME" ]; then
echo "PAS DE NOM DE MODULE"
exit 1
fi
. config.sh
rm -rf "$IMAGE_NAME_RISOTTO_IMAGE_DIR" tmp
mkdir -p "$RISOTTO_IMAGE_DIR"
PKG=""
BASE_DIR=""
for script in $(ls $IMAGE_NAME/preinstall/*.sh 2> /dev/null); do
. "$script"
done
if [ -z "$OS_NAME" ]; then
echo "NO OS NAME DEFINED"
exit 0
fi
if [ -z "$RELEASEVER" ]; then
echo "NO RELEASEVER DEFINED"
exit 0
fi
if [ -z "$INSTALL_TOOL" ]; then
echo "NO INSTALL TOOL DEFINED"
exit 0
fi
BASE_NAME="$OS_NAME-$RELEASEVER"
BASE_DIR="$IMAGE_BASE_RISOTTO_BASE_DIR/$BASE_NAME"
BASE_TAR="$IMAGE_BASE_RISOTTO_BASE_DIR-$BASE_NAME".tar
BASE_PKGS_FILE="$IMAGE_BASE_RISOTTO_BASE_DIR-$BASE_NAME.pkgs"
BASE_LOCK="$IMAGE_BASE_RISOTTO_BASE_DIR-$BASE_NAME.build"
function dnf_opt() {
INSTALL_DIR=$1
INSTALL_PKG=$2
echo "--setopt=install_weak_deps=False --nodocs --noplugins --installroot=$INSTALL_DIR --releasever $RELEASEVER install $INSTALL_PKG"
}
function new_package_base() {
if [ "$INSTALL_TOOL" = "dnf" ]; then
OPT=$(dnf_opt "$BASE_DIR" "$BASE_PKG")
dnf --assumeno $OPT | grep ^" " > "$BASE_PKGS_FILE".new
else
debootstrap --include="$BASE_PKG" --variant=minbase "$RELEASEVER" "$BASE_DIR"
chroot "$BASE_DIR" dpkg-query -f '${binary:Package} ${source:Version}\n' -W > "$BASE_PKGS_FILE".new
fi
}
function install_base() {
if [ "$INSTALL_TOOL" = "dnf" ]; then
OPT=$(dnf_opt "$BASE_DIR" "$BASE_PKG")
dnf --assumeyes $OPT
fi
}
function new_package() {
if [ "$INSTALL_TOOL" = "dnf" ]; then
OPT=$(dnf_opt "$IMAGE_NAME_RISOTTO_IMAGE_DIR" "$PKG")
dnf --assumeno $OPT | grep ^" " > "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new
else
chroot "$IMAGE_NAME_RISOTTO_IMAGE_DIR" apt install --no-install-recommends --yes $PKG -s 2>/dev/null|grep ^"Inst " > "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new
fi
}
function install_pkg() {
if [ "$INSTALL_TOOL" = "dnf" ]; then
OPT=$(dnf_opt "$IMAGE_NAME_RISOTTO_IMAGE_DIR" "$PKG")
dnf --assumeyes $OPT
else
chroot "$IMAGE_NAME_RISOTTO_IMAGE_DIR" apt install --no-install-recommends --yes $PKG
fi
}
if [ ! -f "$BASE_LOCK" ]; then
rm -rf "$BASE_DIR"
new_package_base
diff -u "$BASE_PKGS_FILE" "$BASE_PKGS_FILE".new && NEW_BASE=false || NEW_BASE=true
if [ ! -f "$BASE_TAR" ] || [ "$NEW_BASE" = true ]; then
mkdir -p "$IMAGE_BASE_RISOTTO_BASE_DIR"
install_base
cd "$IMAGE_BASE_RISOTTO_BASE_DIR"
tar cf "$BASE_TAR" "$BASE_NAME"
cd -
if [ -f "$BASE_PKGS_FILE" ]; then
mv "$BASE_PKGS_FILE" "$BASE_PKGS_FILE".old
fi
mv "$BASE_PKGS_FILE".new "$BASE_PKGS_FILE"
rm -rf "$IMAGE_BASE_RISOTTO_BASE_DIR"
fi
rm -rf "$BASE_DIR"
touch "$BASE_LOCK"
fi
tar xf "$BASE_TAR"
mv "$BASE_NAME" "$IMAGE_NAME_RISOTTO_IMAGE_DIR"
if [ -n "$COPR" ]; then
#FIXME signature...
mkdir -p "$REPO_DIR"
cd "$REPO_DIR"
wget "$COPR"
cd -
fi
# FIXME verifier s'il y a des modifs sur pre/post
if [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs ] && [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs ]; then
echo "Différence(s) avec les paquets de base"
diff -u "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs "$BASE_PKGS_FILE" && NEW_BASE=false || NEW_BASE=true
else
NEW_BASE=true
fi
new_package
if [ "$NEW_BASE" = false ]; then
echo "Différence(s) avec les paquets de l'image"
diff -u "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new && INSTALL=false || INSTALL=true
else
INSTALL=true
fi
if [ "$INSTALL" = true ]; then
if [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version ]; then
VERSION=$(cat "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version)
else
VERSION=0
fi
mkdir tmp
cd tmp
if [ ! "$VERSION" = 0 ]; then
tar xf "$IMAGE_NAME_RISOTTO_IMAGE_NAME"
fi
../make_changelog "$IMAGE_NAME" "$VERSION" "$OS_NAME" "$RELEASEVER" > "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER"_"$VERSION"_changelog.md
cd -
rm -rf tmp
install_pkg
sleep 2
for script in $(ls $IMAGE_NAME/postinstall/*.sh 2> /dev/null); do
. "$script"
done
CONTAINER=$IMAGE_NAME ./make_volatile /etc
if [ ! "$?" = 0 ]; then
echo "make_volatile failed"
exit 1
fi
cd "$RISOTTO_IMAGE_DIR"
#7zr a "$IMAGE_NAME".7z "$IMAGE_NAME"
if [ -f "$IMAGE_NAME_RISOTTO_IMAGE_NAME" ]; then
mv -f "$IMAGE_NAME_RISOTTO_IMAGE_NAME" "$IMAGE_NAME_RISOTTO_IMAGE_NAME".old
fi
tar cf "$IMAGE_NAME_RISOTTO_IMAGE_NAME" "$IMAGE_NAME"
sha256sum "$IMAGE_NAME_RISOTTO_IMAGE_NAME" > "$IMAGE_NAME_RISOTTO_IMAGE_NAME".sha
cd -
cp -f "$BASE_PKGS_FILE" "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs
mv -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs
VERSION=$((VERSION + 1))
echo "$VERSION" > "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version
fi
rm -rf "$IMAGE_NAME_RISOTTO_IMAGE_DIR"
exit 0

15
seed/applicationservice/2022.03.08/base/manual/install/install_images Executable file
View file

@ -0,0 +1,15 @@
#!/bin/bash -xe
HOST_NAME=$1
if [ -z "$HOST_NAME" ]; then
echo "usage: $0 host name"
exit 1
fi
. config.sh
rm -f $IMAGE_BASE_RISOTTO_BASE_DIR*.build
for image in *; do
if [ -d "$image" ]; then
./install_image "$HOST_NAME" "$image"
fi
done
rm -f $IMAGE_BASE_RISOTTO_BASE_DIR*.build
exit 0

51
seed/applicationservice/2022.03.08/base/manual/install/install_machine Executable file
View file

@ -0,0 +1,51 @@
#!/bin/bash -xe
HOST_NAME=$1
IMAGE_NAME=$2
MACHINE=$3
. config.sh
. config_machine.sh
if [ -z "$MACHINE" ]; then
echo "usage: $0 name pkg dns_name"
exit 1
fi
if [ ! -f "$MACHINE_NAME_NSPAWN_LOCAL" ]; then
echo "PAS DE CONFIG NSPAWN $MACHINE_NAME_NSPAWN_LOCAL"
exit 0
fi
if [ ! -f "$IMAGE_NAME_RISOTTO_IMAGE_NAME" ]; then
echo "PAS D'IMAGE $IMAGE_NAME_RISOTTO_IMAGE_NAME"
exit 1
fi
if [ -L "$MACHINE_MACHINES_DIR" ] || [ -d "$MACHINE_MACHINES_DIR" ]; then
machinectl stop "$MACHINE" 2> /dev/null || true
while true; do
machinectl status "$MACHINE" > /dev/null 2>&1 || break
sleep 1
echo "retry..."
done
diff -q "$IMAGE_NAME_RISOTTO_IMAGE_NAME".sha "$SHA_MACHINE" || rm -rf "$MACHINE_MACHINES_DIR"
fi
if [ -d "$MACHINE_RISOTTO_CONFIG_DIR" ]; then
# fait un diff
diff -q --no-dereference -Nru "$MACHINE_RISOTTO_CONFIG_DIR" "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" || ( ./diff.py "$MACHINE" "$MACHINE_RISOTTO_CONFIG_DIR" "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" > "$MACHINE_RISOTTO_CONFIG_DIR"_changelog.md; rm -rf "$MACHINE_RISOTTO_CONFIG_DIR" )
fi
cp -a "$MACHINE_NAME_NSPAWN_LOCAL" "$MACHINE_NAME_NSPAWN"
cp -a "$MACHINE_NAME_SCRIPT_LOCAL" "$MACHINE_NAME_SCRIPT"
if [ ! -d "$MACHINE_RISOTTO_CONFIG_DIR" ]; then
cp -a "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" "$MACHINE_RISOTTO_CONFIG_DIR"
fi
if [ ! -d "$MACHINE_RISOTTO_SRV_DIR" ] && [ -d "$MACHINE_RISOTTO_SRV_DIR_LOCAL" ]; then
mkdir -p "$MACHINE_RISOTTO_SRV_DIR"
fi
if [ ! -d "$MACHINE_MACHINES_DIR" ]; then
cd "$MACHINES_DIR"
tar xf "$IMAGE_NAME_RISOTTO_IMAGE_NAME"
mkdir -p "$SHA_MACHINE_DIR"
cp -a "$IMAGE_NAME_RISOTTO_IMAGE_NAME".sha "$SHA_MACHINE"
mv "$IMAGE_NAME" "$MACHINE_MACHINES_DIR"
cd -
fi
exit 0

25
seed/applicationservice/2022.03.08/base/manual/install/install_machines Executable file
View file

@ -0,0 +1,25 @@
#!/bin/bash -xe
HOST_NAME=$1
if [ -z "$HOST_NAME" ]; then
echo "usage: $0 host name"
exit 1
fi
MACHINES=""
for image in *; do
if [ -d "$image" ]; then
for os in $image/configurations/*; do
if [ -d "$os" ]; then
osname="$(basename $os)"
if [ -f "host/configurations/$HOST_NAME/etc/systemd/nspawn/$osname.nspawn" ]; then
MACHINES="$MACHINES$osname "
fi
./install_machine "$HOST_NAME" "$image" "$osname"
fi
done
fi
done
machinectl enable $MACHINES
machinectl start $MACHINES
exit 0

11
seed/base-machine/manual/install/make_changelog → seed/applicationservice/2022.03.08/base/manual/install/make_changelog
View file

@ -34,6 +34,7 @@ def read_dnf_pkg_file(os_name, filename1, filename2):
for idx, pkg_line in enumerate(pkgs_fh.readlines()):
if idx < header_idx[fidx]:
# header
print("béééé")
continue
sp_line = pkg_line.strip().split()
if len(sp_line) < idx_version[fidx] + 1:
@ -153,17 +154,13 @@ type = "installe"
for package in ori_pkg & new_dict:
if ori_dict[package] == new_dict[package]:
continue
info = run(['apt', 'download', package], capture_output=True)
if info.returncode:
raise Exception(f'cannot download {package}: {info}')
run(['apt', 'download', package])
packages = list(glob('*.deb'))
packages.sort()
for package in packages:
info = run(['chroot', '.', 'apt-listchanges', '--which', 'both', '-f', 'text', package], capture_output=True)
if info.returncode:
raise Exception(f'cannot list changes for {package}: {info}')
info = run(['apt-listchanges', '--which', 'both', '-f', 'text', package], capture_output=True)
header = True
for line in info.stdout.decode().split('\n'):
for line in info.split('\n'):
if not header:
print(line)
if line.startswith('-----------------------'):

0
seed/base-machine/manual/install/make_volatile → seed/applicationservice/2022.03.08/base/manual/install/make_volatile
View file

1
seed/applicationservice/2022.03.08/base/templates/locale.conf Normal file
View file

@ -0,0 +1 @@
LANG=fr_FR.UTF-8

0
seed/dovecot/DEBUG.md → seed/applicationservice/2022.03.08/dovecot/DEBUG.md
View file

0
seed/postfix-relay/FIXME → seed/applicationservice/2022.03.08/dovecot/FIXME
View file

7
seed/applicationservice/2022.03.08/dovecot/applicationservice.yml Normal file
View file

@ -0,0 +1,7 @@
format: '0.1'
description: Postfix et Dovecot
depends:
- base-fedora-35
- relay-mail-client
- ldap-client-fedora
- oauth2-client

135
seed/applicationservice/2022.03.08/dovecot/dictionaries/22_dovecot.xml Normal file
View file

@ -0,0 +1,135 @@
<?xml version='1.0' encoding='UTF-8'?>
<rougail version="0.10">
<services>
<service name="postfix" target="multi-user">
<override/>
<file engine="none" source="sysuser-postfix.conf">/sysusers.d/1postfix.conf</file>
<file engine="none" source="tmpfile-postfix.conf">/tmpfiles.d/0postfix.conf</file>
<file>/etc/postfix/main.cf</file>
<file>/etc/postfix/master.cf</file>
<file>/etc/postfix/ldapsource.cf</file>
<file>/etc/postfix/relay_passwd</file>
<file>/etc/pki/ca-trust/source/anchors/ca_MailServer.crt</file>
<file>/etc/pki/tls/certs/postfix.crt</file>
<file owner="root" group="postfix" mode="440">/etc/pki/tls/private/postfix.key</file>
<file>/etc/postfix/sni</file>
<file source="postfix_sni.pem" file_type="variable" mode="400" variable="submission_domainname">postfix_pem_files</file>
<file mode="400">/etc/postfix/certs/postfix.pem</file>
</service>
<service name='dovecot-init'>
<override/>
</service>
<service name="dovecot" target="multi-user">
<file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_ca_file</file>
<file engine="none" source="sysuser-dovecot.conf">/sysusers.d/1dovecot.conf</file>
<file engine="none" source="tmpfile-dovecot.conf">/tmpfiles.d/0dovecot.conf</file>
<file engine='none'>/etc/dovecot/conf.d/10-logging.conf</file>
<file engine='none'>/etc/dovecot/conf.d/10-auth.conf</file>
<file engine='none'>/etc/dovecot/conf.d/10-mail.conf</file>
<file>/etc/dovecot/conf.d/10-master.conf</file>
<file>/etc/dovecot/conf.d/10-ssl.conf</file>
<!-- FIXME file engine='none'>/etc/dovecot/conf.d/12-managesieve.conf</file-->
<file engine='none'>/etc/dovecot/conf.d/15-ldap.conf</file>
<file engine='none'>/etc/dovecot/conf.d/30-service-stats.conf</file>
<file engine='none'>/etc/dovecot/conf.d/00-risotto.conf</file>
<!--plain authentification-->
<file>/etc/dovecot/conf.d/auth-ldap.conf.ext</file>
<file>/etc/dovecot/dovecot-ldap.conf.ext</file>
<!--oauth2 authentification-->
<file>/etc/dovecot/conf.d/auth-oauth2.conf.ext</file>
<file>/etc/dovecot/dovecot-oauth2.conf.ext</file>
<!--internal authentification-->
<file>/etc/dovecot/conf.d/auth-passwdfile.conf.ext</file>
<file>/etc/dovecot/risotto_users</file>
<file>/etc/pki/ca-trust/source/anchors/ca_IMAPServer.crt</file>
<file>/etc/pki/tls/certs/dovecot.crt</file>
<file owner="root" group="dovecot" mode="440">/etc/pki/tls/private/dovecot.key</file>
<file source="external_imap.crt" file_type="variable" variable="imap_domainname">external_imap_crt</file>
<file owner="root" group="dovecot" mode="440" source="external_imap.key" file_type="variable" variable="imap_domainname">external_imap_key</file>
</service>
</services>
<variables>
<variable name="external_ports" redefine="True">
<value>587</value>
<value>993</value>
</variable>
<family name="annuaire">
<variable name="ldap_key_file_owner" redefine="True">
<value>dovecot</value>
</variable>
<variable name="ldap_key_file_group" redefine="True">
<value>postfix</value>
</variable>
</family>
<family name="mail" description="Mail domain" leadership="True">
<variable name="mail_domains" type="domainname" description="Domaine de courriel géré localement" mandatory="True" multi="True"/>
<variable name="imap_domainname" type="domainname" mandatory="True"/>
<variable name="submission_domainname" type="domainname" mandatory="True"/>
</family>
<family name="postfix">
<variable name='postfix_pem_files' type="filename" hidden='True' multi='True'/>
</family>
<family name="dovecot" description="IMAP mail server">
<variable name='external_imap_crt' type="filename" hidden='True' multi='True'/>
<variable name='external_imap_key' type="filename" hidden='True' multi='True'/>
<variable name='dovecot_local_authentifications' description="CA certificate" hidden='True' multi="True" provider="mail"/>
<family name="local_authentification_" description="Local server authentification" dynamic='dovecot_local_authentifications'>
<variable name="local_authentification_ip_" type="ip" provider="mail_ip"/>
<variable name="local_authentification_password_" type="secret" auto_save="True" provider="mail_password"/>
</family>
<variable name="revprox_ca_file" type="filename" description="Reverse proxy CA filename" hidden="True"/>
<variable name="revprox_server_domainname" type="domainname" description="Reverse proxy domain name for CA" mandatory="True"/>
</family>
</variables>
<constraints>
<fill name="get_password">
<param name="server_name" type="variable">domain_name_eth0</param>
<param name="username" type="suffix"/>
<param name="description">local authentification</param>
<param name="type">cleartext</param>
<target>local_authentification_password_</target>
</fill>
<check name="set_linked_configuration">
<param name="linked_server" type="variable">smtp_relay_address</param>
<param name="linked_provider">lmtp_server</param>
<param name="linked_value" type="variable">domain_name_eth0</param>
<target>mail_domains</target>
</check>
<check name="set_linked_configuration">
<param name="linked_server" type="variable">smtp_relay_address</param>
<param name="linked_provider">lmtp_criteria</param>
<param name="dynamic" type="variable">domain_name_eth0</param>
<target>mail_domains</target>
</check>
<fill name="calc_value">
<param type="variable">tls_ca_directory</param>
<param>ca_InternalReverseProxy.crt</param>
<param name="join">/</param>
<target>revprox_ca_file</target>
</fill>
<fill name="calc_value">
<param>/etc/pki/tls/certs/imap_</param>
<param type="variable">imap_domainname</param>
<param>.crt</param>
<param name="join"></param>
<param name="multi" type="boolean">True</param>
<target>external_imap_crt</target>
</fill>
<fill name="calc_value">
<param>/etc/pki/tls/private/imap_</param>
<param type="variable">imap_domainname</param>
<param>.key</param>
<param name="join"></param>
<param name="multi" type="boolean">True</param>
<target>external_imap_key</target>
</fill>
<fill name="calc_value">
<param>/etc/postfix/certs/</param>
<param type="variable">submission_domainname</param>
<param>.pem</param>
<param name="join"></param>
<param name="multi" type="boolean">True</param>
<target>postfix_pem_files</target>
</fill>
</constraints>
</rougail>

9
seed/applicationservice/2022.03.08/dovecot/funcs/dovecot.py Normal file
View file

@ -0,0 +1,9 @@
from crypt import crypt as _crypt
from string import ascii_letters as _ascii_letters, digits as _digits
from secrets import choice as _choice
def sha512_crypt(password):
salt = ''.join([_choice(_ascii_letters + _digits) for _ in range(8)])
prefix = '$6$'
return _crypt(password, prefix + salt)

2
seed/dovecot/manual/image/preinstall/postfix_dovecot.sh → seed/applicationservice/2022.03.08/dovecot/manual/image/preinstall/postfix_dovecot.sh
View file

@ -1 +1 @@
PKG="$PKG postfix-ldap dovecot cyrus-sasl cyrus-sasl-lib cyrus-sasl-plain nginx"
PKG="$PKG postfix-ldap dovecot cyrus-sasl cyrus-sasl-lib cyrus-sasl-plain"

0
seed/dovecot/templates/00-risotto.conf → seed/applicationservice/2022.03.08/dovecot/templates/00-risotto.conf
View file

2
seed/dovecot/templates/10-auth.conf → seed/applicationservice/2022.03.08/dovecot/templates/10-auth.conf
View file

@ -137,4 +137,6 @@ auth_mechanisms = $auth_mechanisms xoauth2
!include auth-oauth2.conf.ext
# IMAP auth
!include auth-ldap.conf.ext
# Internal users (ie. roundcube)
!include auth-passwdfile.conf.ext
#<GNUNUX

0
seed/dovecot/templates/10-logging.conf → seed/applicationservice/2022.03.08/dovecot/templates/10-logging.conf
View file

6
seed/dovecot/templates/10-mail.conf → seed/applicationservice/2022.03.08/dovecot/templates/10-mail.conf
View file

@ -28,7 +28,7 @@
# <doc/wiki/MailLocation.txt>
#
#>GNUNUX
mail_location = maildir:~/
mail_location = maildir:/srv/mail/%u
#<GNUNUX
# If you need to set multiple mailbox locations or want to change default
@ -107,8 +107,8 @@ namespace inbox {
# System user and group used to access mails. If you use multiple, userdb
# can override these by returning uid or gid fields. You can use either numbers
# or names. <doc/wiki/UserIds.txt>
mail_uid = vmail
mail_gid = vmail
#mail_uid =
#mail_gid =
# Group to enable temporarily for privileged operations. Currently this is
# used only with INBOX when either its initial creation or dotlocking fails.

2
seed/dovecot/templates/10-master.conf → seed/applicationservice/2022.03.08/dovecot/templates/10-master.conf
View file

@ -73,7 +73,7 @@ service lmtp {
#}
#>GNUNUX
inet_listener lmtp {
address = {{ general.smtp.smtp_client_ip }}
address = %%ip_eth0
port = 8024
}
#<GNUNUX

22
seed/dovecot/templates/10-ssl.conf → seed/applicationservice/2022.03.08/dovecot/templates/10-ssl.conf
View file

@ -14,17 +14,17 @@ ssl = required
#GNUNUX ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
#GNUNUX ssl_key = </etc/pki/dovecot/private/dovecot.pem
#>GNUNUX
ssl_cert = <{{ general.tls_cert_directory }}/dovecot.crt
ssl_key = <{{ general.tls_key_directory }}/dovecot.key
{% for mail in general.mail.domain.mail_domains %}
local_name {{ mail.imap_domainname }} {
ssl_cert = <{{ general.tls_cert_directory }}/{{ mail.imap_domainname }}.crt
ssl_key = <{{ general.tls_key_directory }}/{{ mail.imap_domainname }}.key
ssl_cert = </etc/pki/tls/certs/dovecot.crt
ssl_key = </etc/pki/tls/private/dovecot.key
%for %%mail in %%mail_domains
local_name %%mail.imap_domainname {
ssl_cert = </etc/pki/tls/certs/imap_%%{mail.imap_domainname}.crt
ssl_key = </etc/pki/tls/private/imap_%%{mail.imap_domainname}.key
}
{% endfor %}
local_name {{ general.network.last_server_name }} {
ssl_cert = <{{ general.tls_cert_directory }}/dovecot.crt
ssl_key = <{{ general.tls_key_directory }}/dovecot.key
%end for
local_name %%domain_name_eth0 {
ssl_cert = </etc/pki/tls/certs/dovecot.crt
ssl_key = </etc/pki/tls/private/dovecot.key
}
#<GNUNUX
@ -50,7 +50,7 @@ local_name {{ general.network.last_server_name }} {
# large CA bundles, because it leads to excessive memory usage.
#ssl_client_ca_dir =
#ssl_client_ca_file =
ssl_client_ca_file = {{ general.tls_ca_directory }}/IMAP.crt
ssl_client_ca_file = /etc/pki/ca-trust/source/anchors/ca_IMAPServer.crt
# Require valid cert when connecting to a remote server
#ssl_client_require_valid_cert = yes

23
seed/applicationservice/2022.03.08/dovecot/templates/12-managesieve.conf Normal file
View file

@ -0,0 +1,23 @@
# Uncomment to enable managesieve protocol:
protocols = $protocols sieve
service managesieve-login {
inet_listener sieve {
port = 4190
}
#inet_listener sieve_deprecated {
# port = 2000
#}
# Number of connections to handle before starting a new process. Typically
# the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
# is faster. <doc/wiki/LoginProcess.txt>
service_count = 1
# Number of processes to always keep waiting for more connections.
process_min_avail = 0
# If you set service_count=0, you probably need to grow this.
vsz_limit = 64M
}

0
seed/dovecot/templates/15-ldap.conf → seed/applicationservice/2022.03.08/dovecot/templates/15-ldap.conf
View file

0
seed/dovecot/templates/30-service-stats.conf → seed/applicationservice/2022.03.08/dovecot/templates/30-service-stats.conf
View file

19
seed/dovecot/templates/auth-ldap.conf.ext → seed/applicationservice/2022.03.08/dovecot/templates/auth-ldap.conf.ext
View file

@ -16,14 +16,13 @@ passdb {
# driver = prefetch
#}
userdb {
driver = ldap
# GNUNUX userdb {
# GNUNUX driver = ldap
# GNUNUX args = /etc/dovecot/dovecot-ldap.conf.ext
args = /etc/dovecot/dovecot-ldap.conf.ext
# Default fields can be used to specify defaults that LDAP may override
#default_fields = home=/home/virtual/%u
}
# GNUNUX
# GNUNUX # Default fields can be used to specify defaults that LDAP may override
# GNUNUX #default_fields = home=/home/virtual/%u
# GNUNUX }
# If you don't have any user-specific settings, you can avoid the userdb LDAP
# lookup by using userdb static instead of userdb ldap, for example:
@ -32,3 +31,9 @@ userdb {
#driver = static
#args = uid=vmail gid=vmail home=/var/vmail/%u
#}
#>GNUNUX
userdb {
driver = static
args = uid=vmail gid=vmail home=/srv/mail/%u
}
#<GNUNUX

0
seed/dovecot/templates/auth-oauth2.conf.ext → seed/applicationservice/2022.03.08/dovecot/templates/auth-oauth2.conf.ext
View file

21
seed/applicationservice/2022.03.08/dovecot/templates/auth-passwdfile.conf.ext Normal file
View file

@ -0,0 +1,21 @@
# Authentication for passwd-file users. Included from 10-auth.conf.
#
# passwd-like file with specified location.
# <doc/wiki/AuthDatabase.PasswdFile.txt>
passdb {
driver = passwd-file
# GNUNUX args = scheme=CRYPT username_format=%u /etc/dovecot/users
args = scheme=SHA512-CRYPT username_format=%n /etc/dovecot/risotto_users
}
# GNUNUX userdb {
# GNUNUX driver = passwd-file
# GNUNUX args = username_format=%u /etc/dovecot/users
# GNUNUX
# GNUNUX # Default fields that can be overridden by passwd-file
# GNUNUX #default_fields = quota_rule=*:storage=1G
# GNUNUX
# GNUNUX # Override fields from passwd-file
# GNUNUX #override_fields = home=/home/virtual/%u
# GNUNUX }

1
seed/applicationservice/2022.03.08/dovecot/templates/ca_IMAPServer.crt Normal file
View file

@ -0,0 +1 @@
%%get_chain(%%domain_name_eth0, "IMAPServer")

1
seed/applicationservice/2022.03.08/dovecot/templates/ca_InternalReverseProxy.crt Normal file
View file

@ -0,0 +1 @@
%%get_chain(%%revprox_server_domainname, authority_name='InternalReverseProxy')

1
seed/applicationservice/2022.03.08/dovecot/templates/ca_MailServer.crt Normal file
View file

@ -0,0 +1 @@
%%get_chain(%%domain_name_eth0, "MailServer")

2
seed/dovecot/templates/dovecot-init.service → seed/applicationservice/2022.03.08/dovecot/templates/dovecot-init.service
View file

@ -1,5 +1,5 @@
[Unit]
After=risotto.target
After=network.target
[Service]
ExecStart=

26
seed/dovecot/templates/dovecot-ldap.conf.ext → seed/applicationservice/2022.03.08/dovecot/templates/dovecot-ldap.conf.ext
View file

@ -24,7 +24,7 @@
# setting isn't supported by all LDAP libraries.
#uris =
#>GNUNUX
uris = ldaps://{{ general.ldap.server.ldap_server_address }}
uris = ldaps://%%ldap_server_address
#<GNUNUX
# Distinguished Name - the username used to login to the LDAP server.
@ -34,8 +34,8 @@ uris = ldaps://{{ general.ldap.server.ldap_server_address }}
# Password for LDAP server, if dn is specified.
#dnpass =
#>GNUNUX
dn = {{ general.ldap.client.ldapclient_user }}
dnpass = {{ general.ldap.client.ldapclient_user_password }}
dn = %%ldapclient_remote_user
dnpass = %%ldapclient_remote_user_password
#<GNUNUX
# Use SASL binding instead of the simple binding. Note that this changes
@ -61,9 +61,9 @@ dnpass = {{ general.ldap.client.ldapclient_user_password }}
# Valid values: never, hard, demand, allow, try
#tls_require_cert =
#>GNUNUX
tls_cert_file = {{ general.tls_cert_directory }}/ldap_client.crt
tls_key_file = {{ general.tls_key_directory }}/ldap_client.key
tls_ca_cert_file = {{ general.tls_ca_directory }}/LDAP.crt
tls_cert_file = %%ldap_cert_file
tls_key_file = %%ldap_key_file
tls_ca_cert_file = %%ldap_ca_file
tls_require_cert = hard
#>GNUNUX
@ -81,9 +81,6 @@ tls_require_cert = hard
# is still used, only the password field is ignored in it. Before doing any
# search, the binding is switched back to the default DN.
#auth_bind = no
#>GNUNUX
auth_bind = yes
#<GNUNUX
# If authentication binding is used, you can save one LDAP request per login
# if users' DN can be specified with a common template. The template can use
@ -100,6 +97,10 @@ auth_bind = yes
# auth_bind_userdn = cn=%u,ou=people,o=org
#
#auth_bind_userdn =
#>GNUNUX
auth_bind = yes
auth_bind_userdn = cn=%u,ou=users,%%ldap_base_dn
#<GNUNUX
# LDAP protocol version to use. Likely 2 or 3.
#ldap_version = 3
@ -107,7 +108,7 @@ auth_bind = yes
# LDAP base. %variables can be used here.
# For example: dc=mail, dc=example, dc=org
# GNUNUX base =
base = {{ general.ldap.client.ldapclient_search_dn }}
base = ou=users,%%ldap_base_dn
# Dereference: never, searching, finding, always
#deref = never
@ -125,9 +126,6 @@ base = {{ general.ldap.client.ldapclient_search_dn }}
# There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/UserDatabase/ExtraFields
#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
#>GNUNUX
user_attrs = homeDirectory=home
#<GNUNUX
# Filter for user lookup. Some variables can be used (see
# http://wiki2.dovecot.org/Variables for full list):
@ -136,7 +134,7 @@ user_attrs = homeDirectory=home
# %d - domain part in user@domain, empty if user there's no domain
#user_filter = (&(objectClass=posixAccount)(uid=%u))
#>GNUNUX
user_filter = (&(objectClass=inetOrgPerson)(mailLocalAddress=%u))
user_filter = (&(objectClass=inetOrgPerson)(cn=%u))
#<GNUNUX
# Password checking attributes:

10
seed/dovecot/templates/dovecot-oauth2.conf.ext → seed/applicationservice/2022.03.08/dovecot/templates/dovecot-oauth2.conf.ext
View file

@ -4,7 +4,7 @@
## url for verifying token validity. Token is appended to the URL
# tokeninfo_url = http://endpoint/oauth/tokeninfo?access_token=
#>GNUNUX
tokeninfo_url = https://{{ general.oauth2_client.oauth2_client_server_domainname }}/oauth2/userinfo/?access_token=
tokeninfo_url = https://%%oauth2_client_server_domainname/oauth2/userinfo/?access_token=
#<GNUNUX
## introspection endpoint, used to gather extra fields and other information.
@ -21,7 +21,7 @@ tokeninfo_url = https://{{ general.oauth2_client.oauth2_client_server_domainname
## Set this to yes if you are using active_attribute
# force_introspection = no
#>GNUNUX
introspection_url = https://{{ general.oauth2_client.oauth2_client_server_domainname }}/oauth2/introspect/
introspection_url = https://%%oauth2_client_server_domainname/oauth2/introspect/
introspection_mode = post
force_introspection = no
#<GNUNUX
@ -57,7 +57,7 @@ username_attribute = email
## URL to RFC 7628 OpenID Provider Configuration Information schema
# openid_configuration_url =
#>GNUNUX
openid_configuration_url = https://{{ general.oauth2_client.oauth2_client_server_domainname }}/.well-known/openid-configuration
openid_configuration_url = https://%%oauth2_client_server_domainname/.well-known/openid-configuration
#<GNUNUX
## Extra fields to set in passdb response (in passdb static style)
@ -79,8 +79,8 @@ openid_configuration_url = https://{{ general.oauth2_client.oauth2_client_server
# rawlog_dir = /tmp/oauth2
#>GNUNUX
client_id = {{ general.oauth2_client.oauth2_client_id }}
client_secret = {{ general.oauth2_client.oauth2_client_secret }}
client_id = %%oauth2_client_id
client_secret = %%oauth2_client_secret
#<GNUNUX
## TLS settings

5
seed/applicationservice/2022.03.08/dovecot/templates/dovecot.crt Normal file
View file

@ -0,0 +1,5 @@
%set %%extra_domainnames = []
%for %%idx in %%range(1, %%number_of_interfaces)
%%extra_domainnames.append(%%getVar('domain_name_eth' + %%str(%%idx)))
%end for
%%get_certificate(%%domain_name_eth0, 'IMAPServer', extra_domainnames=%%extra_domainnames)

1
seed/applicationservice/2022.03.08/dovecot/templates/dovecot.key Normal file
View file

@ -0,0 +1 @@
%%get_private_key(%%domain_name_eth0, 'IMAPServer')

2
seed/applicationservice/2022.03.08/dovecot/templates/external_imap.crt Normal file
View file

@ -0,0 +1,2 @@
%%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External')

1
seed/applicationservice/2022.03.08/dovecot/templates/external_imap.key Normal file
View file

@ -0,0 +1 @@
%%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External')

13
seed/applicationservice/2022.03.08/dovecot/templates/ldapsource.cf Normal file
View file

@ -0,0 +1,13 @@
server_host = ldaps://%%ldap_server_address
server_port = %%ldap_port
tls_cert = %%ldap_cert_file
tls_key = %%ldap_key_file
tls_ca_cert_file = %%ldap_ca_file
tls_require_cert = yes
version = 3
bind = yes
bind_dn = %%ldapclient_remote_user
bind_pw = %%ldapclient_remote_user_password
search_base = ou=users,%%ldap_base_dn
query_filter = (mail=%s)
result_attribute = cn

Some files were not shown because too many files have changed in this diff Show more