Compare commits

...

5 commits

Author SHA1 Message Date
c09ab0c794 update tests 2023-01-23 20:21:42 +01:00
aa09ef03ea update doc 2023-01-18 09:28:02 +01:00
17033403b9 fedora 37 2023-01-17 21:48:07 +01:00
c676afdb26 update documentations 2023-01-17 21:43:32 +01:00
f369998d15 gitea to forgejo 2023-01-03 11:36:37 +01:00
139 changed files with 4395 additions and 880 deletions

@ -15,8 +15,9 @@
- [dns-local](dns-local/README.md): DNS client with access to local zones
- [dotclear](dotclear/README.md): Dotclear an open-source web publishing software
- [dovecot](dovecot/README.md): Postfix and Dovecot as mail servers (Submission and IMAP)
- [forgejo](forgejo/README.md): Forgejo, a community managed lightweight code hosting solution
- [galette](galette/README.md): Galette, a membership management web application towards non profit organizations
- [gitea](gitea/README.md): Gitea, a community managed lightweight code hosting solution
- [gitea](gitea/README.md): Transitional package for Gitea to Forgejo
- [host-systemd-machined](host-systemd-machined/README.md): Host with machine started in Systemd Machined environment
- [imap-client](imap-client/README.md): Application service needs interact with an IMAP server
- [ldap-client](ldap-client/README.md): Application service needs interact with a LDAP server
@ -62,3 +63,47 @@
- [unbound](unbound/README.md): Unbound, a validating, recursive, caching DNS resolver
- [vaultwarden](vaultwarden/README.md): Vaultwarden, a password manager
- [znc](znc/README.md): ZNC, a bouncer IRC
# Providers and suppliers
- ExternalDNS:
- Provider: [unbound](unbound/README.md)
- Suppliers:
- [dns-external](dns-external/README.md)
- [nsd](nsd/README.md)
- Host:
- Provider: [host-systemd-machined](host-systemd-machined/README.md)
- Supplier: [provider-systemd-machined](provider-systemd-machined/README.md)
- IMAP:
- Provider: [dovecot](dovecot/README.md)
- Supplier: [imap-client](imap-client/README.md)
- LDAP:
- Provider: [openldap](openldap/README.md)
- Supplier: [ldap-client](ldap-client/README.md)
- LMTP:
- Provider: [postfix-lmtp-relay](postfix-lmtp-relay/README.md)
- Supplier: [relay-lmtp-client](relay-lmtp-client/README.md)
- LocalDNS:
- Provider: [nsd](nsd/README.md)
- Supplier: [dns-local](dns-local/README.md)
- MariaDB:
- Provider: [mariadb](mariadb/README.md)
- Supplier: [mariadb-client](mariadb-client/README.md)
- OAuth2:
- Provider: [lemonldap](lemonldap/README.md)
- Supplier: [oauth2-client](oauth2-client/README.md)
- OAuth2Client:
- Provider: [oauth2-client](oauth2-client/README.md)
- Supplier: [lemonldap](lemonldap/README.md)
- Postgresql:
- Provider: [postgresql](postgresql/README.md)
- Supplier: [postgresql-client](postgresql-client/README.md)
- Redis:
- Provider: [redis](redis/README.md)
- Supplier: [redis-client](redis-client/README.md)
- ReverseProxy:
- Provider: [nginx-reverse-proxy](nginx-reverse-proxy/README.md)
- Supplier: [reverse-proxy-client](reverse-proxy-client/README.md)
- SMTP:
- Provider: [postfix-relay](postfix-relay/README.md)
- Supplier: [relay-mail-client](relay-mail-client/README.md)

@ -36,4 +36,4 @@ Paramètrage avancé du serveur web Apache
## Used by
- [nextcloud](../nextcloud/README.md)
[nextcloud](../nextcloud/README.md)

@ -22,4 +22,4 @@ Base information of a Debian server.
## Used by
- [base-debian-bullseye](../base-debian-bullseye/README.md)
[base-debian-bullseye](../base-debian-bullseye/README.md)

@ -23,4 +23,4 @@ Base information of a Fedora 35.
## Used by
- [postfix-relay](../postfix-relay/README.md)
[postfix-relay](../postfix-relay/README.md)

@ -24,22 +24,14 @@ Base information of a Fedora 36.
## Used by
- [galette](../galette/README.md)
- [nginx-static](../nginx-static/README.md)
- [postgresql](../postgresql/README.md)
- [peertube](../peertube/README.md)
- [piwigo](../piwigo/README.md)
- [dovecot](../dovecot/README.md)
- [unbound](../unbound/README.md)
- [redis](../redis/README.md)
- [nsd](../nsd/README.md)
- [dotclear](../dotclear/README.md)
- [speedtest-rs](../speedtest-rs/README.md)
- [nginx-reverse-proxy](../nginx-reverse-proxy/README.md)
- [sensmotdire](../sensmotdire/README.md)
- [roundcube](../roundcube/README.md)
- [znc](../znc/README.md)
- [vaultwarden](../vaultwarden/README.md)
- [mariadb](../mariadb/README.md)
- [nextcloud](../nextcloud/README.md)
- [openldap](../openldap/README.md)
- [gitea](../gitea/README.md)

@ -20,3 +20,14 @@ Base information of a Fedora 37.
- [base-machine](../base-machine/README.md)
- [base](../base/README.md)
- [dns-local](../dns-local/README.md)
## Used by
- [nginx-static](../nginx-static/README.md)
- [postgresql](../postgresql/README.md)
- [unbound](../unbound/README.md)
- [redis](../redis/README.md)
- [forgejo](../forgejo/README.md)
- [nsd](../nsd/README.md)
- [nginx-reverse-proxy](../nginx-reverse-proxy/README.md)
- [openldap](../openldap/README.md)

@ -0,0 +1,13 @@
<?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10">
<!--services>
<service name="base">
<file engine="none">/etc/pam.d/login</file>
</service>
</services-->
<variables>
<variable name="os_version" type="string" description="Version de l'OS" hidden="True">
<value>37</value>
</variable>
</variables>
</rougail>
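
Review bot: the `<services>` block declaring `/etc/pam.d/login` is left inside an XML comment (`<!--services> ... </services-->`), so this dictionary only sets `os_version`. If the PAM login file is meant to ship with this base, enable the block; if not, drop the commented markup so it is clear the file is intentionally unmanaged.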

@ -0,0 +1,7 @@
# ACTIVE NETWORKD
mkdir $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/network-online.target.wants
chmod 775 $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/network-online.target.wants
ln -s /usr/lib/systemd/system/systemd-networkd.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/dbus-org.freedesktop.network1.service"
ln -s /usr/lib/systemd/system/systemd-networkd.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/multi-user.target.wants/systemd-networkd.service"
ln -s /usr/lib/systemd/system/systemd-networkd-wait-online.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/network-online.target.wants/systemd-networkd-wait-online.service"
ln -s /usr/lib/systemd/system/systemd-networkd.socket "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/sockets.target.wants/systemd-networkd.socket"
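
Review bot: the `mkdir` and `chmod` lines use `$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP` unquoted while the four `ln -s` lines quote it; quote it everywhere so a path containing spaces is handled the same way on every line. `chmod 775` also leaves `network-online.target.wants` group-writable under `/usr/lib/systemd/system`; 755 is enough for a directory of unit symlinks, and `mkdir -p` would make the script rerunnable.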

@ -0,0 +1 @@
BASE_PKG="$BASE_PKG pam util-linux"

@ -0,0 +1 @@
RELEASEVER=37

@ -0,0 +1,17 @@
#GNUNUX File from util-linux-*.x86_64 (not installed)
#%PAM-1.0
auth substack system-auth
auth include postlogin
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so

@ -30,4 +30,4 @@ Base information for a machine.
## Used by
- [systemd](../systemd/README.md)
[systemd](../systemd/README.md)

@ -1 +1,6 @@
# This is the fallback locale configuration provided by systemd.
#>GNUNUX
#LANG="C.UTF-8"
LANG=fr_FR.UTF-8
#<GNUNUX

@ -0,0 +1,17 @@
<?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10">
<variables>
<variable name="copy_tests" type="boolean" mandatory="True" hidden="True"/>
</variables>
<constraints>
<fill name="calc_value">
<param type="information">copy_tests</param>
<target>copy_tests</target>
</fill>
<condition name="disabled_if_in" source="copy_tests">
<param>False</param>
<target type="filelist" optional="True">copy_tests</target>
</condition>
</constraints>
</rougail>

@ -33,6 +33,6 @@ DNS client with resolution on all zones (especially outside).
- [unbound](../unbound/README.md)
- [znc](../znc/README.md)
## Linked to
## Provider
- [unbound](../unbound/README.md)
[unbound](../unbound/README.md)

@ -13,8 +13,8 @@ DNS client with access to local zones.
## Used by
- [base-machine](../base-machine/README.md)
[base-machine](../base-machine/README.md)
## Linked to
## Provider
- [nsd](../nsd/README.md)
[nsd](../nsd/README.md)

@ -2,7 +2,7 @@
<rougail version="0.10">
<services>
<service name="dns-local" manage="False">
<file>/tests/dns-local.yml</file>
<file filelist="copy_tests">/tests/dns-local.yml</file>
</service>
</services>
<variables>

@ -61,18 +61,18 @@ This a family is a leadership.
#### IMAP mail server (*general.dovecot*)
| Description | Type | Provider |
|----------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|------------|
| **Adresse interne du serveur IMAP** (*[imap_internal_address](dictionaries/26_dovecot.xml)*) | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | IMAP |
| Description | Type | Values | Provider |
|----------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|--------------|------------|
| **Adresse interne du serveur IMAP** (*[imap_internal_address](dictionaries/26_dovecot.xml)*) | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | <calculated> | IMAP |
#### revprox (*general.revprox*)
##### revprox_client (*general.revprox.revprox_client*)
| Description |
|----------------------------------------------------------------------|
| *[revprox_client_external_domainnames](dictionaries/26_dovecot.xml)* |
| *[revprox_client_web_address](dictionaries/26_dovecot.xml)* |
| Description | Values |
|----------------------------------------------------------------------|--------------|
| *[revprox_client_external_domainnames](dictionaries/26_dovecot.xml)* | <calculated> |
| *[revprox_client_web_address](dictionaries/26_dovecot.xml)* | <calculated> |
#### nginx (*general.nginx*)
@ -84,6 +84,6 @@ This a family is a leadership.
- [+]: variable is multiple
- **bold**: variable is mandatory
## Linked to
## Supplier
- [imap-client](../imap-client/README.md)
[imap-client](../imap-client/README.md)

@ -47,7 +47,7 @@
<file owner="root" group="dovecot" mode="440">/etc/pki/tls/private/dovecot.key</file>
<file source="external_imap.crt" file_type="variable" variable="imap_domainname">external_imap_crt</file>
<file owner="root" group="dovecot" mode="440" source="external_imap.key" file_type="variable" variable="imap_domainname">external_imap_key</file>
<file>/tests/imap.yml</file>
<file filelist="copy_tests">/tests/imap.yml</file>
</service>
</services>
<variables>

10
seed/forgejo/DEBUG.md Normal file
@ -0,0 +1,10 @@
Créer un utilisateur
=====================
su - forgejo -s /bin/bash -c "forgejo admin user create --username gnunux --password Njw_csh7DeeZtWDxC6WVXDdB-9A --email gnunux@gnunux.info --admin -c /etc/forgejo/app.ini"
DEBUG
=====
sed -i 's/info/debug/g' /etc/forgejo/app.ini
systemctl restart forgejo
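
Review bot: the `forgejo admin user create` example commits a literal admin password (and a personal e-mail address) to the repository; replace the `--password` value with a placeholder such as `<password>` and treat the committed value as burned if it was ever used. The `sed -i 's/info/debug/g'` line rewrites every occurrence of `info` in `/etc/forgejo/app.ini`, not only the log level, so any hostname, path or address containing that string is changed too; anchor the expression to the log-level key instead.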

92
seed/forgejo/README.md Normal file
@ -0,0 +1,92 @@
---
gitea: none
include_toc: true
---
# forgejo
[All applications services for this dataset.](../README.md)
## Description
Forgejo, a community managed lightweight code hosting solution.
[For more informations](https://forgejo.org/)
## Dependances
- [base-fedora-37](../base-fedora-37/README.md)
- [base-fedora](../base-fedora/README.md)
- [systemd](../systemd/README.md)
- [base-machine](../base-machine/README.md)
- [base](../base/README.md)
- [dns-local](../dns-local/README.md)
- [postgresql-client](../postgresql-client/README.md)
- [reverse-proxy-client](../reverse-proxy-client/README.md)
- [relay-mail-client](../relay-mail-client/README.md)
- [redis-client](../redis-client/README.md)
- [oauth2-client](../oauth2-client/README.md)
## Variables
### Général (*general*)
#### network (*general.network*)
| Description | Values |
|-----------------------------------------------------|----------|
| *[**incoming_ports**](dictionaries/31_forgejo.xml)* | 2222 |
#### Redis (*general.redis*)
| Description | Values |
|-------------------------------------------------------------|----------|
| *[**redis_client_key_owner**](dictionaries/31_forgejo.xml)* | forgejo |
#### Forgejo (*general.forgejo*)
Git forge Forgejo
| Description | Values | Type |
|---------------------------------------------------------------------------------------------------------------|----------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|
| **Titre de la forge** (*[forgejo_title](dictionaries/31_forgejo.xml)*) | Forgejo : Au-delà du développement. Nous forgeons. | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) |
| **Les courriels sont envoyés à partir de cet adresse** (*[forgejo_mail_sender](dictionaries/31_forgejo.xml)*) | | [mail](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) |
#### revprox (*general.revprox*)
| Description | Values |
|----------------------------------------------------------------|----------|
| *[**revprox_client_port**](dictionaries/31_forgejo.xml)* | 3000 |
| *[**revprox_client_cert_owner**](dictionaries/31_forgejo.xml)* | forgejo |
| *[**revprox_client_cert_group**](dictionaries/31_forgejo.xml)* | forgejo |
##### revprox_client (*general.revprox.revprox_client*)
| Description | Values |
|--------------------------------------------------------------------|----------|
| *[**revprox_client_local_location**](dictionaries/31_forgejo.xml)* | / |
#### oauth2_client (*general.oauth2_client*)
| Description | Values |
|-------------------------------------------------------------------------|------------------------|
| *[**oauth2_is_client_application**](dictionaries/31_forgejo.xml)* | True |
| *[**oauth2_client_name**](dictionaries/31_forgejo.xml)* | Forge |
| *[**oauth2_client_description**](dictionaries/31_forgejo.xml)* | Forge logiciel Forgejo |
| *[**oauth2_client_category**](dictionaries/31_forgejo.xml)* | Développement |
| *[**oauth2_client_logo**](dictionaries/31_forgejo.xml)* | silique_note.png |
| *[**oauth2_client_token_signature_algo**](dictionaries/31_forgejo.xml)* | RS256 |
##### external (*general.oauth2_client.external*)
| Description | Values |
|---------------------------------------------------------|--------------|
| *[oauth2_client_external](dictionaries/31_forgejo.xml)* | <calculated> |
- [+]: variable is multiple
- **bold**: variable is mandatory
## Used by
[gitea](../gitea/README.md)

@ -0,0 +1,10 @@
format: '0.1'
description: Forgejo, a community managed lightweight code hosting solution
website: https://forgejo.org/
depends:
- base-fedora-37
- postgresql-client
- reverse-proxy-client
- relay-mail-client
- redis-client
- oauth2-client

@ -1,11 +1,11 @@
<?xml version='1.0' encoding='UTF-8'?>
<rougail version="0.10">
<services>
<service name="gitea" target="multi-user" engine="cheetah">
<file engine="none" source="sysuser-gitea.conf">/sysusers.d/0gitea.conf</file>
<file engine="none" source="tmpfile-gitea.conf">/tmpfiles.d/0gitea.conf</file>
<file>/etc/gitea/app.ini</file>
<file>/tests/gitea.yml</file>
<service name="forgejo" target="multi-user" engine="cheetah">
<file engine="none" source="sysuser-forgejo.conf">/sysusers.d/0forgejo.conf</file>
<file engine="none" source="tmpfile-forgejo.conf">/tmpfiles.d/0forgejo.conf</file>
<file>/etc/forgejo/app.ini</file>
<file filelist="copy_tests">/tests/forgejo.yml</file>
</service>
</services>
<variables>
@ -16,17 +16,17 @@
</family>
<family name="redis" description="Redis">
<variable name="redis_client_key_owner" redefine="True">
<value>gitea</value>
<value>forgejo</value>
</variable>
</family>
<family name="gitea" description="Gitea" help="Git forge Gitea">
<variable name="gitea_title" mandatory="True" description="Titre de la forge">
<value>Gitea: Git avec une tasse de thé</value>
<family name="forgejo" description="Forgejo" help="Git forge Forgejo">
<variable name="forgejo_title" mandatory="True" description="Titre de la forge">
<value>Forgejo : Au-delà du développement. Nous forgeons.</value>
</variable>
<variable name="gitea_mail_sender" type="mail" description="Les courriels sont envoyés à partir de cet adresse" mandatory="True"/>
<variable name="gitea_secret_key" type="password" hidden="True"/>
<variable name="gitea_internal_token" type="password" hidden="True"/>
<variable name="gitea_lfs_jwt_secret" type="password" hidden="True"/>
<variable name="forgejo_mail_sender" type="mail" description="Les courriels sont envoyés à partir de cet adresse" mandatory="True"/>
<variable name="forgejo_secret_key" type="password" hidden="True"/>
<variable name="forgejo_internal_token" type="password" hidden="True"/>
<variable name="forgejo_lfs_jwt_secret" type="password" hidden="True"/>
</family>
<family name="revprox">
<family name="revprox_client">
@ -38,10 +38,10 @@
<value>3000</value>
</variable>
<variable name="revprox_client_cert_owner" redefine="True">
<value>gitea</value>
<value>forgejo</value>
</variable>
<variable name="revprox_client_cert_group" redefine="True">
<value>gitea</value>
<value>forgejo</value>
</variable>
</family>
<family name="oauth2_client">
@ -52,7 +52,7 @@
<value>Forge</value>
</variable>
<variable name="oauth2_client_description" redefine='True'>
<value>Forge logiciel Gitea</value>
<value>Forge logiciel Forgejo</value>
</variable>
<variable name="oauth2_client_category" redefine='True'>
<value>Développement</value>
@ -67,34 +67,39 @@
<variable name="oauth2_client_external" redefine="True" remove_fill="True"/>
</family>
</family>
<family name="postgresql">
<variable name="pg_client_key_owner" redefine="True">
<value>forgejo</value>
</variable>
</family>
</variables>
<constraints>
<fill name="get_password">
<param name="server_name" type="variable">domain_name_eth0</param>
<param name="username">secret_key</param>
<param name="description">gitea</param>
<param name="description">forgejo</param>
<param name="type">cleartext</param>
<param name="hide" type="variable">hide_secret</param>
<param name="length" type="number">105</param>
<target>gitea_secret_key</target>
<target>forgejo_secret_key</target>
</fill>
<fill name="get_password">
<param name="server_name" type="variable">domain_name_eth0</param>
<param name="username">internal_token</param>
<param name="description">gitea</param>
<param name="description">forgejo</param>
<param name="type">cleartext</param>
<param name="hide" type="variable">hide_secret</param>
<param name="length" type="number">105</param>
<target>gitea_internal_token</target>
<target>forgejo_internal_token</target>
</fill>
<fill name="get_password">
<param name="server_name" type="variable">domain_name_eth0</param>
<param name="username">lfs_jwt_secret</param>
<param name="description">gitea</param>
<param name="description">forgejo</param>
<param name="type">cleartext</param>
<param name="hide" type="variable">hide_secret</param>
<param name="length" type="number">43</param>
<target>gitea_lfs_jwt_secret</target>
<target>forgejo_lfs_jwt_secret</target>
</fill>
<fill name="calc_oauth2_client_login">
<param type="variable" optional="True">revprox_client_external_domainnames</param>

@ -0,0 +1,26 @@
#!/bin/bash
set -ex
gpg --keyserver keys.openpgp.org --recv EB114F5E6C0DC2BCDD183550A4B61A2DC5923710
JSON=$(wget -q 'https://codeberg.org/api/v1/repos/forgejo/forgejo/releases?draft=false&pre-release=false&limit=1' --header 'accept: application/json' -O -)
VERS=$(echo $JSON| jq -r '.[0].name')
mkdir -p ~/forgejo/
if [ ! -f ~/"forgejo/forgejo-$VERS-linux-amd64.xz" ]; then
rm -rf ~/"forgejo/forgejo-*-linux-amd64.xz"
wget $(echo $JSON | jq -r '.[0].assets | map(select(.name | endswith("linux-amd64.xz"))) | .[0].browser_download_url') -O ~/"forgejo/forgejo-$VERS-linux-amd64.xz"
fi
if [ ! -f ~/"forgejo/forgejo-$VERS-linux-amd64.xz.asc" ]; then
rm -rf ~/"forgejo/forgejo-*-linux-amd64.xz.asc"
wget $(echo $JSON | jq -r '.[0].assets | map(select(.name | endswith("linux-amd64.xz.asc"))) | .[0].browser_download_url') -O ~/"forgejo/forgejo-$VERS-linux-amd64.xz.asc"
fi
gpg --verify ~/"forgejo/forgejo-$VERS-linux-amd64.xz.asc" ~/"forgejo/forgejo-$VERS-linux-amd64.xz"
cp -a ~/"forgejo/forgejo-$VERS-linux-amd64.xz" .
xz -d "forgejo-$VERS-linux-amd64.xz"
mv "forgejo-$VERS-linux-amd64" "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/bin/forgejo"
chmod +x "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/bin/forgejo"
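
Review bot: `gpg --verify` near the end accepts a good signature from any key in the invoking user's default keyring, so the fingerprint on the `--recv` line is not actually what the download is checked against. Import that key into a dedicated keyring and verify against it (for example with `gpgv --keyring`), or check the signer fingerprint from `--status-fd` output. Separately, `rm -rf ~/"forgejo/forgejo-*-linux-amd64.xz"` (and the `.asc` variant) keeps the `*` inside the quotes, so the glob never expands and old downloads are never removed; `$JSON` and the `wget $(...)` URL should also be quoted.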

File diff suppressed because it is too large

@ -0,0 +1,39 @@
#GNUNUX https://codeberg.org/forgejo/forgejo/raw/branch/forgejo/contrib/systemd/forgejo.service
[Unit]
Description=Forgejo (Beyond coding. We forge.)
After=syslog.target
After=network.target
#>GNUNUX
After=risotto.target
#<GNUNUX
[Service]
# Modify these two values and uncomment them if you have
# repos with lots of files and get an HTTP error 500 because
# of that
###
#LimitMEMLOCK=infinity
#LimitNOFILE=65535
RestartSec=2s
Type=simple
User=forgejo
Group=forgejo
WorkingDirectory=/srv/forgejo/lib/
ExecStart=/usr/bin/forgejo web --config /etc/forgejo/app.ini
ExecStartPre=/bin/bash -c '%slurp
/usr/bin/forgejo migrate --config /etc/forgejo/app.ini;%slurp
if /usr/bin/forgejo admin auth list --config /etc/forgejo/app.ini | grep "OAuth2"; then %slurp
echo "UPDATE";%slurp
id=$(/usr/bin/forgejo --config /etc/forgejo/app.ini admin auth list |tail -n 1|awk "{ print \$1}");%slurp
/usr/bin/forgejo admin auth update-oauth --id $id --name "%%domain_name_eth0" --provider "openidConnect" --key "%%oauth2_client_id" --secret "%%oauth2_client_secret" --scopes "profile email" --auto-discover-url "https://%%oauth2_client_server_domainname/.well-known/openid-configuration" --config /etc/forgejo/app.ini;%slurp
else %slurp
echo "CONFIGURE";%slurp
/usr/bin/forgejo admin auth add-oauth --name "%%domain_name_eth0" --provider "openidConnect" --key "%%oauth2_client_id" --secret "%%oauth2_client_secret" --scopes "profile email" --auto-discover-url "https://%%oauth2_client_server_domainname/.well-known/openid-configuration" --config /etc/forgejo/app.ini;%slurp
fi;%slurp
sleep 2;%slurp
echo "CONFIGURATION DONE"'
Restart=always
Environment=GITEA_WORK_DIR=/srv/forgejo/lib
[Install]
WantedBy=multi-user.target
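
Review bot: in `ExecStartPre`, `--secret "%%oauth2_client_secret"` renders the OAuth2 client secret into the unit file and onto the `forgejo admin auth` command line, where it can be read from the unit on disk and from the process list while the command runs. At minimum the rendered unit should not be world-readable, and the secret is better kept out of the unit text altogether. The update branch also takes the id from `tail -n 1` of `admin auth list`, which is the last source listed and not necessarily the one `grep "OAuth2"` matched; select the row by name before calling `update-oauth`.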

@ -7,4 +7,5 @@ auth_url: %%oauth2_client_external[0]
auth_server: %%oauth2_server_domainname
username: %%username
password: %%get_password(server_name='test', username=%%username, description='test', type="cleartext", hide=%%hide_secret, temporary=True)
gitea_title: "%%gitea_title"
forgejo_title: "%%forgejo_title"
git_url: "[%%domain]:2222"

@ -0,0 +1,2 @@
g forgejo 999 -
u forgejo 999:999 "Git Version Control" /srv/forgejo/home /bin/nologin

@ -0,0 +1,4 @@
d /srv/forgejo/lib/custom 750 forgejo forgejo - -
d /srv/forgejo/lib/data 750 forgejo forgejo - -
d /srv/forgejo/lib/log 750 forgejo forgejo - -
d /srv/forgejo/home 750 forgejo forgejo - -

@ -1,11 +1,13 @@
import datetime
from yaml import load, SafeLoader
from os import environ, makedirs
from os import environ, makedirs, unlink
from os.path import expandvars, isfile, isdir, dirname, join
from re import search
from dulwich.porcelain import init, clone, add, commit, push
from shutil import move
from glob import glob
from tempfile import TemporaryDirectory
from subprocess import run
from dulwich.porcelain import init, clone, add, commit, push, pull
from revprox import Authentication
@ -13,8 +15,14 @@ from mookdns import MookDnsSystem
PORT = '3000'
GITEA_USERNAME = 'gitea'
KEY_FILE = expandvars("$HOME/tests/risotto")
FORGEJO_USERNAME = 'git'
FORGEJO_PORT = '2222'
KEY_FILE = '/var/lib/risotto/srv/hosts/forgejo'
# transition between gitea and forgejo
GITEA_KEY_FILE = '/var/lib/risotto/srv/hosts/gitea'
CONFIG_SSH = expandvars('$HOME/.ssh/config')
CONFIG_GIT = expandvars('$HOME/.gitconfig')
CONFIG_KNOWN_HOST = expandvars('$HOME/.ssh/known_hosts')
AUTHENTICATION = None
@ -24,7 +32,7 @@ DATA = None
def get_data():
global DATA
if not DATA:
conf_file = f'{environ["MACHINE_TEST_DIR"]}/gitea.yml'
conf_file = f'{environ["MACHINE_TEST_DIR"]}/forgejo.yml'
with open(conf_file) as yaml:
DATA = load(yaml, Loader=SafeLoader)
return DATA
@ -38,18 +46,60 @@ def get_authentication(data):
data['revprox_ip'],
data['username'],
data['password'],
f'<title>{data["username"]} - Dashboard - {data["gitea_title"]}</title>',
# f'<title>{data["username"]} - Tableau de bord - {data["forgejo_title"]}</title>',
f'<title>{data["username"]} - Dashboard - {data["forgejo_title"]}</title>',
)
return AUTHENTICATION
class SSHConfig:
def __enter__(self):
self.old_file = '{CONFIG_SSH}.old'
if isfile(CONFIG_SSH) and not isfile(self.old_file):
move(CONFIG_SSH, self.old_file)
with open(CONFIG_SSH, 'w') as fh:
fh.write(f"""Host *
User forgejo
PubkeyAcceptedKeyTypes +ssh-rsa
StrictHostKeyChecking no
IdentityFile {KEY_FILE}
""")
def __exit__(self, *args):
if isfile(self.old_file):
move(self.old_file, CONFIG_SSH)
else:
unlink(CONFIG_SSH)
class GITConfig:
def __enter__(self):
self.old_file = '{CONFIG_GIT}.old'
if isfile(CONFIG_GIT) and not isfile(self.old_file):
move(CONFIG_GIT, self.old_file)
with open(CONFIG_GIT, 'w') as fh:
conf_file = f'{environ["MACHINE_TEST_DIR"]}/reverse-proxy.yml'
with open(conf_file) as yaml:
data = load(yaml, Loader=SafeLoader)
path = join(environ["MACHINE_TEST_DIR"], data["ca_certificate"])
cert = glob(path)
fh.write(f"""[http]
sslCAInfo = {cert[0]}
""")
def __exit__(self, *args):
if isfile(self.old_file):
move(self.old_file, CONFIG_GIT)
else:
unlink(CONFIG_GIT)
def get_info(authentication,
url,
with_uid=False,
with_data_id=False,
found_string=None
):
# <input type="hidden" name="_csrf" value="YQbVgdYHX_3VQ-KuZ5cKtr9RzXE6MTY1NzgxMzUzNTA0OTYwODQ0NQ">
pattern_csrf = r'name="_csrf" value="([a-zA-Z0-9\-\_=]+)"'
ret = authentication.get(url)
csrf = search(pattern_csrf, ret)[1]
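
Review bot: `self.old_file = '{CONFIG_SSH}.old'` in `SSHConfig.__enter__` (and `'{CONFIG_GIT}.old'` in `GITConfig`) is missing the `f` prefix, so the user's existing config is moved to a file literally named `{CONFIG_SSH}.old` in the current working directory rather than next to the original. Add the `f` prefix in both classes. The written config also applies `StrictHostKeyChecking no` and `PubkeyAcceptedKeyTypes +ssh-rsa` to `Host *` in the real `~/.ssh/config`; scope the stanza to the test host so other SSH sessions on the machine are not affected while the test runs or if it is killed before `__exit__`.
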
@ -77,7 +127,7 @@ def get_info(authentication,
def add_ssh_key(authentication, data):
# Send key to gitea
# Send key to forgejo
url = f'{data["base_url"]}user/settings/keys'
is_already_key, csrf = get_info(authentication, url, found_string='test_key_risotto')
if is_already_key:
@ -87,7 +137,7 @@ def add_ssh_key(authentication, data):
key_dir = dirname(KEY_FILE)
if not isdir(key_dir):
makedirs(key_dir)
cmd = ['/usr/bin/ssh-keygen', '-N', '', '-f', KEY_FILE]
cmd = ['/usr/bin/ssh-keygen', '-t', 'rsa', '-N', '', '-f', KEY_FILE]
run(cmd)
with open(f'{KEY_FILE}.pub') as fh:
key = fh.read()
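
Review bot: `-t rsa` on the `ssh-keygen` command pins the test key to RSA and goes together with `PubkeyAcceptedKeyTypes +ssh-rsa` in the generated SSH config; add a comment explaining why RSA is required, or generate an ed25519 key and drop that option. `run(cmd)` is also called without `check=True`, so a failed key generation only surfaces later as a missing `.pub` file.
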
@ -104,12 +154,12 @@ def delete_ssh_key(authentication, data):
is_already_key, csrf = get_info(authentication, url, found_string='test_key_risotto')
def test_gitea():
def test_forgejo():
data = get_data()
get_authentication(data)
def test_gitea_repos():
def test_forgejo_repos():
data = get_data()
authentication = get_authentication(data)
if 'FIRST_RUN' in environ:
@ -124,7 +174,7 @@ def test_gitea_repos():
assert json['data'][0]['full_name'] == f'{username}/test_persistent'
def test_gitea_create_repo():
def test_forgejo_create_repo():
data = get_data()
authentication = get_authentication(data)
url = f'{data["base_url"]}repo/create'
@ -144,24 +194,33 @@ def test_repo():
if 'FIRST_RUN' in environ:
# delete_ssh_key(authentication, data)
add_ssh_key(authentication, data)
cmd = ['/usr/bin/ssh-keygen', '-f', CONFIG_KNOWN_HOST, '-R', data['git_url']]
run(cmd)
if not isfile(KEY_FILE):
if isfile(GITEA_KEY_FILE):
move(GITEA_KEY_FILE, KEY_FILE)
move(GITEA_KEY_FILE + '.pub', KEY_FILE + '.pub')
else:
raise Exception(f'cannot find ssh key "{KEY_FILE}", do you run with FIRST_RUN?')
with TemporaryDirectory() as tmpdirname:
username = data['username'].split('@', 1)[0]
dns = data['base_url'].split('/', 3)[2]
ssh_url = f'ssh://{GITEA_USERNAME}@{dns}:2222/{username}/test.git'
with MookDnsSystem(dns, data['ip']):
filename = join(tmpdirname, 'test.txt')
with open(filename, 'w') as fh:
fh.write('test')
repo = init(tmpdirname)
add(repo, filename)
commit(repo, message=b'test commit')
push(repo=repo,
remote_location=ssh_url,
refspecs='master',
)
lst = list(repo.get_walker())
assert len(lst) == 1
assert lst[0].commit.message == b'test commit'
ssh_url = f'ssh://{FORGEJO_USERNAME}@{dns}:{FORGEJO_PORT}/{username}/test.git'
with SSHConfig():
with MookDnsSystem(dns, data['ip']):
filename = join(tmpdirname, 'test.txt')
with open(filename, 'w') as fh:
fh.write('test')
repo = init(tmpdirname)
add(repo, filename)
commit(repo, message=b'test commit')
push(repo=repo,
remote_location=ssh_url,
refspecs='master',
)
lst = list(repo.get_walker())
assert len(lst) == 1
assert lst[0].commit.message == b'test commit'
def test_clone_http():
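
Review bot: the transition branch moves `GITEA_KEY_FILE + '.pub'` without checking that it exists, so a host that has only the private key ends up with the private key already moved and an exception on the next line; check both files before moving either. The URL is built with `FORGEJO_USERNAME = 'git'` while `SSHConfig` writes `User forgejo`; the user in the URL takes precedence, so the two should be aligned. `run(cmd)` for `ssh-keygen -R` also ignores the exit status.
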
@ -174,14 +233,19 @@ def test_clone_http():
username = data['username'].split('@', 1)[0]
dns = data['base_url'].split('/', 3)[2]
http_url = f'{data["base_url"]}{username}/test.git'
with MookDnsSystem(dns, data['revprox_ip']):
repo = clone(http_url, tmpdirname)
lst = list(repo.get_walker())
assert len(lst) == 1
assert lst[0].commit.message == b'test commit'
with SSHConfig():
with MookDnsSystem(dns, data['revprox_ip']):
try:
repo = clone(http_url, tmpdirname)
except:
with GITConfig():
repo = clone(http_url, tmpdirname)
lst = list(repo.get_walker())
assert len(lst) == 1
assert lst[0].commit.message == b'test commit'
def test_gitea_delete_repo():
def test_forgejo_delete_repo():
repo_name = 'test'
data = get_data()
authentication = get_authentication(data)
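
Review bot: the bare `except:` around `clone(http_url, tmpdirname)` catches every failure, including `KeyboardInterrupt` and errors unrelated to TLS, and silently retries with `GITConfig`. Catch the specific exception raised for the certificate failure, or always run the HTTP clone inside `GITConfig` so the CA bundle is set deterministically; the retry also clones into the same `tmpdirname`, which may no longer be empty after a partial first attempt.
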
@ -206,21 +270,48 @@ def test_repo_persistent():
with TemporaryDirectory() as tmpdirname:
username = data['username'].split('@', 1)[0]
dns = data['base_url'].split('/', 3)[2]
ssh_url = f'ssh://{GITEA_USERNAME}@{dns}:2222/{username}/test_persistent.git'
with MookDnsSystem(dns, data['ip']):
if 'FIRST_RUN' in environ:
ssh_url = f'ssh://{FORGEJO_USERNAME}@{dns}:{FORGEJO_PORT}/{username}/test_persistent.git'
with SSHConfig():
with MookDnsSystem(dns, data['ip']):
filename = join(tmpdirname, 'test.txt')
with open(filename, 'w') as fh:
fh.write('test')
repo = init(tmpdirname)
if 'FIRST_RUN' in environ:
with open(filename, 'w') as fh:
fh.write('test')
repo = init(tmpdirname)
add(repo, filename)
commit(repo, message=b'test commit')
push(repo=repo,
remote_location=ssh_url,
refspecs='master',
)
else:
repo = clone(ssh_url, tmpdirname)
with open(filename, 'r') as fh:
len_file = len(fh.readlines())
# get previous commit number
lst = list(repo.get_walker())
len_before_commit = len(lst)
assert len_before_commit == len_file
# add a new line in file and commit
with open(filename, 'a') as fh:
fh.write('\ntest')
with open(filename, 'r') as fh:
len_line = len(fh.read().split('\n'))
add(repo, filename)
commit(repo, message=b'test commit')
date = datetime.datetime.now()
commit_message = f'test commit {date}'.encode()
commit(repo, message=commit_message)
push(repo=repo,
remote_location=ssh_url,
refspecs='master',
)
else:
repo = clone(ssh_url, tmpdirname)
lst = list(repo.get_walker())
assert len(lst) == 1
assert lst[0].commit.message == b'test commit'
# test if commit is added and last commit
pull(repo=repo,
remote_location=ssh_url,
refspecs='master',
)
lst = list(repo.get_walker())
len_after_commit = len(lst)
assert len_after_commit == len_line
assert len_before_commit + 1 == len_after_commit
assert lst[0].commit.message == commit_message

@ -1,10 +0,0 @@
Créer un utilisateur
=====================
su - gitea -s /bin/bash -c "gitea admin user create --username gnunux --password Njw_csh7DeeZtWDxC6WVXDdB-9A --email gnunux@gnunux.info --admin -c /etc/gitea/app.ini"
DEBUG
=====
sed -i 's/info/debug/g' /etc/gitea/app.ini
systemctl restart gitea

@ -9,79 +9,32 @@ include_toc: true
## Description
Gitea, a community managed lightweight code hosting solution.
[For more informations](https://gitea.io/)
Transitional package for Gitea to Forgejo.
## Dependances
- [base-fedora-36](../base-fedora-36/README.md)
- [base-fedora](../base-fedora/README.md)
- [systemd](../systemd/README.md)
- [base-machine](../base-machine/README.md)
- [base](../base/README.md)
- [dns-local](../dns-local/README.md)
- [postgresql-client](../postgresql-client/README.md)
- [reverse-proxy-client](../reverse-proxy-client/README.md)
- [relay-mail-client](../relay-mail-client/README.md)
- [redis-client](../redis-client/README.md)
- [oauth2-client](../oauth2-client/README.md)
- [forgejo](../forgejo/README.md)
- [base-fedora-37](../base-fedora-37/README.md)
- [base-fedora](../base-fedora/README.md)
- [systemd](../systemd/README.md)
- [base-machine](../base-machine/README.md)
- [base](../base/README.md)
- [dns-local](../dns-local/README.md)
- [postgresql-client](../postgresql-client/README.md)
- [reverse-proxy-client](../reverse-proxy-client/README.md)
- [relay-mail-client](../relay-mail-client/README.md)
- [redis-client](../redis-client/README.md)
- [oauth2-client](../oauth2-client/README.md)
## Variables
### Général (*general*)
#### network (*general.network*)
#### Transitional family (*general.gitea*)
| Description | Values |
|---------------------------------------------------|----------|
| *[**incoming_ports**](dictionaries/31_gitea.xml)* | 2222 |
#### Redis (*general.redis*)
| Description | Values |
|-----------------------------------------------------------|----------|
| *[**redis_client_key_owner**](dictionaries/31_gitea.xml)* | gitea |
#### Gitea (*general.gitea*)
Git forge Gitea
| Description | Values | Type |
|-----------------------------------------------------------------------------------------------------------|----------------------------------|------------------------------------------------------------------------------------------------------------------------|
| **Titre de la forge** (*[gitea_title](dictionaries/31_gitea.xml)*) | Gitea: Git avec une tasse de thé | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) |
| **Les courriels sont envoyés à partir de cet adresse** (*[gitea_mail_sender](dictionaries/31_gitea.xml)*) | | [mail](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) |
#### revprox (*general.revprox*)
| Description | Values |
|--------------------------------------------------------------|----------|
| *[**revprox_client_port**](dictionaries/31_gitea.xml)* | 3000 |
| *[**revprox_client_cert_owner**](dictionaries/31_gitea.xml)* | gitea |
| *[**revprox_client_cert_group**](dictionaries/31_gitea.xml)* | gitea |
##### revprox_client (*general.revprox.revprox_client*)
| Description | Values |
|------------------------------------------------------------------|----------|
| *[**revprox_client_local_location**](dictionaries/31_gitea.xml)* | / |
#### oauth2_client (*general.oauth2_client*)
| Description | Values |
|-----------------------------------------------------------------------|----------------------|
| *[**oauth2_is_client_application**](dictionaries/31_gitea.xml)* | True |
| *[**oauth2_client_name**](dictionaries/31_gitea.xml)* | Forge |
| *[**oauth2_client_description**](dictionaries/31_gitea.xml)* | Forge logiciel Gitea |
| *[**oauth2_client_category**](dictionaries/31_gitea.xml)* | Développement |
| *[**oauth2_client_logo**](dictionaries/31_gitea.xml)* | silique_note.png |
| *[**oauth2_client_token_signature_algo**](dictionaries/31_gitea.xml)* | RS256 |
##### external (*general.oauth2_client.external*)
| Description |
|-------------------------------------------------------|
| *[oauth2_client_external](dictionaries/31_gitea.xml)* |
| Description | Type |
|------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------|
| Transitional variable, please do not use it (*[gitea_mail_sender](dictionaries/32_gitea.xml)*) | [mail](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) |
- [+]: variable is multiple

View file

@ -1,10 +1,4 @@
format: '0.1'
description: Gitea, a community managed lightweight code hosting solution
website: https://gitea.io/
description: Transitional package for Gitea to Forgejo
depends:
- base-fedora-36
- postgresql-client
- reverse-proxy-client
- relay-mail-client
- redis-client
- oauth2-client
- forgejo

View file

@ -0,0 +1,17 @@
<?xml version='1.0' encoding='UTF-8'?>
<rougail version="0.10">
<services>
<service name="gitea" target="risotto" engine="cheetah"/>
</services>
<variables>
<family name="gitea" description="Transitional family">
<variable name="gitea_mail_sender" type="mail" description="Transitional variable, please do not use it"/>
</family>
</variables>
<constraints>
<fill name="calc_value">
<param type="variable">gitea_mail_sender</param>
<target>forgejo_mail_sender</target>
</fill>
</constraints>
</rougail>

View file

@ -1,25 +0,0 @@
#!/bin/bash
set -ex
gpg --keyserver keys.openpgp.org --recv 7C9E68152594688862D62AF62D9AE806EC1592E2
VERS=$(wget https://dl.gitea.io/gitea/version.json -q -O - | jq -r '.latest.version')
mkdir -p ~/gitea/
if [ ! -f ~/"gitea/gitea-$VERS-linux-amd64.xz" ]; then
rm -rf ~/"gitea/gitea-*-linux-amd64.xz"
wget "https://dl.gitea.io/gitea/$VERS/gitea-$VERS-linux-amd64.xz" -O ~/"gitea/gitea-$VERS-linux-amd64.xz"
fi
if [ ! -f ~/"gitea/gitea-$VERS-linux-amd64.xz.asc" ]; then
rm -rf ~/"gitea/gitea-*-linux-amd64.xz.asc"
wget "https://dl.gitea.io/gitea/$VERS/gitea-$VERS-linux-amd64.xz.asc" -O ~/"gitea/gitea-$VERS-linux-amd64.xz.asc"
fi
gpg --verify ~/"gitea/gitea-$VERS-linux-amd64.xz.asc" ~/"gitea/gitea-$VERS-linux-amd64.xz"
cp -a ~/"gitea/gitea-$VERS-linux-amd64.xz" .
xz -d "gitea-$VERS-linux-amd64.xz"
mv "gitea-$VERS-linux-amd64" "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/bin/gitea"
chmod +x "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/bin/gitea"
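
Review bot: with this script gone, confirm that the step which now installs the replacement binary keeps an equivalent signature check. Here the release key was fetched by full fingerprint and `gpg --verify` ran on the `.xz.asc` under `set -ex` before the binary was moved into `/usr/bin`, so a bad download stopped the build; the transition should not drop that property.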

View file

@ -1,107 +0,0 @@
# GNUNUX https://github.com/go-gitea/gitea/blob/main/custom/conf/app.example.ini
APP_NAME = %%gitea_title
RUN_USER = gitea
RUN_MODE = prod
[database]
DB_TYPE = postgres
HOST = %%pg_client_server_domainname:5432
NAME = %%pg_client_database
USER = %%pg_client_username
PASSWD = %%pg_client_password
SCHEMA =
SSL_MODE = verify-full
CHARSET = utf8
LOG_SQL = false
[repository]
ROOT = /srv/gitea/lib/data/gitea-repositories
DEFAULT_BRANCH = main
[server]
SSH_DOMAIN = %%revprox_client_external_domainnames[0]
DOMAIN = %%revprox_client_external_domainnames[0]
HTTP_PORT = 3000
ROOT_URL = https://%%revprox_client_external_domainnames[0]/gitea/
LOCAL_ROOT_URL = https://%%domain_name_eth0:3000/
DISABLE_SSH = false
START_SSH_SERVER = true
SSH_LISTEN_PORT = 2222
SSH_PORT = 2222
LFS_START_SERVER = true
LFS_CONTENT_PATH = /srv/gitea/lib/data/lfs
LFS_JWT_SECRET = %%gitea_lfs_jwt_secret
OFFLINE_MODE = true
PROTOCOL = https
CERT_FILE = %%revprox_client_cert_file
KEY_FILE = %%revprox_client_key_file
[mailer]
ENABLED = true
HOST = %%smtp_relay_address
FROM = %%gitea_mail_sender
USER = %%smtp_relay_user@%%ip_eth0
PASSWD = %%smtp_relay_password
IS_TLS_ENABLED = true
;USE_CERTIFICATE = false
;CERT_FILE = custom/mailer/cert.pem
;KEY_FILE = custom/mailer/key.pem
[service]
REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL = false
DISABLE_REGISTRATION = true
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
ENABLE_CAPTCHA = false
REQUIRE_SIGNIN_VIEW = false
DEFAULT_KEEP_EMAIL_PRIVATE = false
DEFAULT_ALLOW_CREATE_ORGANIZATION = true
DEFAULT_ENABLE_TIMETRACKING = true
NO_REPLY_ADDRESS = noreply.localhost
[picture]
DISABLE_GRAVATAR = true
ENABLE_FEDERATED_AVATAR = false
[openid]
ENABLE_OPENID_SIGNIN = true
ENABLE_OPENID_SIGNUP = true
[oauth2_client]
ENABLE_AUTO_REGISTRATION = true
[session]
PROVIDER = redis
PROVIDER_CONFIG = network=tcp,addr=%%redis_client_server_domainname:6379,password=%%redis_client_password,db=0,pool_size=100,idle_timeout=180
[cache]
;; if the cache enabled
NABLED = true
;;
;; Either "memory", "redis", "memcache", or "twoqueue". default is "memory"
ADAPTER = redis
;;
;; For "memory" only, GC interval in seconds, default is 60
;INTERVAL = 60
;;
;; For "redis" and "memcache", connection host address
;; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
;; memcache: `127.0.0.1:11211`
;; twoqueue: `{"size":50000,"recent_ratio":0.25,"ghost_ratio":0.5}` or `50000`
HOST = network=tcp,addr=%%redis_client_server_domainname:6379,username=%%redis_client_username,password=%%redis_client_password,db=0,pool_size=100,idle_timeout=180
;;
;; Time to keep items in cache if not used, default is 16 hours.
;; Setting it to 0 disables caching
;ITEM_TTL = 16h
[log]
MODE = console
LEVEL = info
ROOT_PATH = /srv/gitea/lib/log
ROUTER = console
[security]
INSTALL_LOCK = true
SECRET_KEY = %%gitea_secret_key
INTERNAL_TOKEN = %%gitea_internal_token
PASSWORD_HASH_ALGO = pbkdf2
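
Review bot: under `[cache]` the key is spelled `NABLED = true`, which is not a setting name, so that line never had any effect. If the forgejo template was derived from this file, check that it reads `ENABLED = true`. While comparing the two, note that the `[session]` `PROVIDER_CONFIG` passes only `password=` to Redis while the `[cache]` `HOST` also passes `username=%%redis_client_username`; both should authenticate the same way.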

View file

@ -1,24 +1,17 @@
#ORIGIN https://raw.githubusercontent.com/go-gitea/gitea/main/contrib/systemd/gitea.service
[Unit]
Description=Gitea (Git with a cup of tea)
After=risotto.target
Description=Gitea transitional
Before=risotto.target
[Service]
# Modify these two values and uncomment them if you have
# repos with lots of files and get an HTTP error 500 because
# of that
###
#LimitMEMLOCK=infinity
#LimitNOFILE=65535
RestartSec=2s
Type=simple
User=gitea
Group=gitea
WorkingDirectory=/srv/gitea/lib/
ExecStart=/usr/bin/gitea web --config /etc/gitea/app.ini
ExecStartPre=-/bin/bash -c 'if /usr/bin/gitea admin auth list --config /etc/gitea/app.ini | grep "OAuth2"; then echo "UPDATE";id=$(/usr/bin/gitea --config /etc/gitea/app.ini admin auth list |tail -n 1|awk "{ print \$1}");/usr/bin/gitea admin auth update-oauth --id $id --name "%%domain_name_eth0" --provider "openidConnect" --key "%%oauth2_client_id" --secret "%%oauth2_client_secret" --scopes "profile email" --auto-discover-url "https://%%oauth2_client_server_domainname/.well-known/openid-configuration" --config /etc/gitea/app.ini;else echo "CONFIGURE"; /usr/bin/gitea admin auth add-oauth --name "%%domain_name_eth0" --provider "openidConnect" --key "%%oauth2_client_id" --secret "%%oauth2_client_secret" --scopes "profile email" --auto-discover-url "https://%%oauth2_client_server_domainname/.well-known/openid-configuration" --config /etc/gitea/app.ini;fi;sleep 2; echo "CONFIGURATION DONE"'
Restart=always
Environment=USER=gitea HOME=/srv/gitea/home GITEA_WORK_DIR=/srv/gitea/lib
[Install]
WantedBy=multi-user.target
Type=oneshot
ExecStart=/bin/bash -c '%slurp
[ -d /srv/gitea/lib/data/gitea-repositories ] && mv /srv/gitea/lib/data/gitea-repositories /srv/gitea/lib/data/forgejo-repositories; %slurp
[ -d /srv/gitea ] && (mv /srv/gitea/* /srv/forgejo; rmdir /srv/gitea); %slurp
find /srv/forgejo/lib/data/forgejo-repositories/*/*.git/hooks -name gitea | while read a; do b=$(dirname $a); mv $b/gitea $b/forgejo; done; %slurp
sed -i 's/gitea/forgejo/g' /srv/forgejo/lib/data/forgejo-repositories/*/*.git/hooks/proc-receive; %slurp
sed -i 's/gitea/forgejo/g' /srv/forgejo/lib/data/forgejo-repositories/*/*.git/hooks/pre-receive.d/forgejo; %slurp
sed -i 's/gitea/forgejo/g' /srv/forgejo/lib/data/forgejo-repositories/*/*.git/hooks/update.d/forgejo; %slurp
sed -i 's/gitea/forgejo/g' /srv/forgejo/lib/data/forgejo-repositories/*/*.git/hooks/post-receive.d/forgejo; %slurp
sed -i 's/gitea/forgejo/g' /srv/forgejo/lib/data/forgejo-repositories/*/*.git/config; %slurp
exit 0%slurp
'
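
Review bot: `sed -i 's/gitea/forgejo/g'` on `*/*.git/config` rewrites every occurrence of the string in each repository's config, not only the paths that moved, so a remote or mirror URL containing `gitea` (this project's own links use `cloud.silique.fr/gitea/...`) would be changed silently. Narrow the substitution to the entries that actually need it. The commands are also chained with `;` and the script ends in `exit 0`, so a failed `mv` is never reported; let the unit fail (for example with `set -e` and no final `exit 0`) so a half-done migration is visible.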

View file

@ -1,2 +0,0 @@
g gitea 999 -
u gitea 999:999 "Git Version Control" /srv/gitea/home /bin/nologin

View file

@ -1,4 +0,0 @@
d /srv/gitea/lib/custom 750 gitea gitea - -
d /srv/gitea/lib/data 750 gitea gitea - -
d /srv/gitea/lib/log 750 gitea gitea - -
d /srv/gitea/home 750 gitea gitea - -

View file

@ -54,6 +54,6 @@ This a family is a leadership.
- [+]: variable is multiple
- **bold**: variable is mandatory
## Linked to
## Supplier
- [provider-systemd-machined](../provider-systemd-machined/README.md)
[provider-systemd-machined](../provider-systemd-machined/README.md)

View file

@ -13,12 +13,13 @@
<service name="risotto-images" type="timer" engine="cheetah"/>
<service name="risottofirewall" engine="cheetah"/>
<service name="systemd-nspawn@">
<file>/usr/local/lib/risotto-tmpfiles.d/0asystemd-nspawn.conf</file>
<file>/tmpfiles.d/0asystemd-nspawn.conf</file>
<file>/etc/systemd/system/systemd-nspawn@.service.d/systemd-nspawn@.conf</file>
<file>/etc/distro.repos.d/boot.repo</file>
<file>/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-35-x86_64</file>
<file>/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-36-x86_64</file>
<file>/etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-36</file>
<file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-35-x86_64</file>
<file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-36-x86_64</file>
<file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-37-x86_64</file>
<file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-36</file>
<file>/etc/sysctl.d/90-risotto.conf</file>
<file file_type="variable" source="dhcp.network" variable="interface_names">host_network_filename</file>
</service>
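
Review bot: the `<file engine="none">` list still ships the Fedora 35 and 36 signing keys, and only the Fedora 36 rpmfusion key, next to the new Fedora 37 key. If images are now built from Fedora 37, drop the keys for releases that are no longer installed so fewer signers are trusted, and check whether an rpmfusion key for 37 is needed.
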
@ -50,6 +51,14 @@
<value>tree</value>
<value>tshark</value>
<value>vim</value>
<value>python3-pytest</value>
<value>python3-yaml</value>
<value>python3-ldap</value>
<value>python3-dnspython</value>
<value>python3-dulwich</value>
<value>python3-psycopg2</value>
<value>python3-redis</value>
<value>python3-imaplib2</value>
</variable>
<family name="network">
<variable name="output_interface" description="Nom de l'interface de sortie" mandatory="True"/>
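
Review bot: the eight `python3-*` entries (pytest, yaml, ldap, dnspython, dulwich, psycopg2, redis, imaplib2) are test dependencies added to the same unconditional package list as `tree`, `tshark` and `vim`, so they get installed on every deployment. Gate them behind a test switch, the way `filelist="copy_tests"` does for the test YAML files elsewhere in this change, to keep client libraries that only the tests use off production systems.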

View file

@ -22,7 +22,7 @@
</variables>
<constraints>
<fill name="calc_value">
<param>/usr/local/lib/sbin/network-</param>
<param>/sbin/network-</param>
<param type="variable">machined.machines</param>
<param name="join"></param>
<param name="multi" type="boolean">True</param>

View file

@ -1,7 +1,5 @@
D /usr/local/lib/sbin/ 0755 root root - -
D /etc/systemd/nspawn/ 0755 root root - -
D /etc/systemd/network/ 0755 root root - -
D /usr/local/lib/systemd/system/ 0755 root root - -
D /etc/systemd/system/machines.target.wants/ 0755 root root - -
d /var/lib/risotto/configurations/ 0755 root root - -
r /etc/network/interfaces - - - - -

View file

@ -0,0 +1,29 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----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=ZmVd
-----END PGP PUBLIC KEY BLOCK-----
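
Review bot: this new public key block is added without its fingerprint or origin recorded next to it. State the expected fingerprint and where the key was obtained in the commit message or in a comment, so a reviewer can compare it against the publisher's published value before the key is trusted.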

View file

@ -27,8 +27,8 @@ Application service needs interact with an IMAP server.
## Used by
- [roundcube](../roundcube/README.md)
[roundcube](../roundcube/README.md)
## Linked to
## Provider
- [dovecot](../dovecot/README.md)
[dovecot](../dovecot/README.md)

View file

@ -25,13 +25,13 @@ Application service needs interact with a LDAP server.
##### Client (*general.annuaire.client*)
| Description | Type | Supplier |
|----------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|--------------|
| Nom de la famille LDAP (*[ldapclient_family](dictionaries/21_ldap-client.xml)*) | [unix_user](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | LDAP:family |
| **Base DN de l'annuaire** (*[ldapclient_base_dn](dictionaries/21_ldap-client.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | LDAP:base_dn |
| **Base DN de l'annuaire des utilisateurs** (*[ldapclient_search_dn](dictionaries/21_ldap-client.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | |
| **Base DN de l'annuaire des groupes** (*[ldapclient_group_dn](dictionaries/21_ldap-client.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | |
| **Base DN de l'annuaire des utilisateurs n'appartenant à une famille** (*[ldapclient_user_dn](dictionaries/21_ldap-client.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | |
| Description | Type | Supplier | Values |
|----------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|--------------|--------------|
| Nom de la famille LDAP (*[ldapclient_family](dictionaries/21_ldap-client.xml)*) | [unix_user](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | LDAP:family | |
| **Base DN de l'annuaire** (*[ldapclient_base_dn](dictionaries/21_ldap-client.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | LDAP:base_dn | <calculated> |
| **Base DN de l'annuaire des utilisateurs** (*[ldapclient_search_dn](dictionaries/21_ldap-client.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | | <calculated> |
| **Base DN de l'annuaire des groupes** (*[ldapclient_group_dn](dictionaries/21_ldap-client.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | | <calculated> |
| **Base DN de l'annuaire des utilisateurs n'appartenant à une famille** (*[ldapclient_user_dn](dictionaries/21_ldap-client.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | | <calculated> |
- [+]: variable is multiple
@ -47,6 +47,6 @@ Application service needs interact with a LDAP server.
- [lemonldap](../lemonldap/README.md)
- [openldap](../openldap/README.md)
## Linked to
## Provider
- [openldap](../openldap/README.md)
[openldap](../openldap/README.md)

View file

@ -6,9 +6,11 @@
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
BASE %%ldapclient_search_dn
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#>GNUNUX
BASE %%ldapclient_search_dn
URI ldaps://%%ldap_server_address:%%ldap_port
#<GNUNUX
#SIZELIMIT 12
#TIMELIMIT 15
@ -18,9 +20,11 @@ URI ldaps://%%ldap_server_address:%%ldap_port
# are in use. In order to have these available along with the ones specified
# by TLS_CACERTDIR one has to include them explicitly:
#TLS_CACERT /etc/pki/tls/cert.pem
#>GNUNUX
TLS_KEY %%ldap_key_file
TLS_CERT %%ldap_cert_file
TLS_CACERT %%ldap_ca_file
#<GNUNUX
# System-wide Crypto Policies provide up to date cipher suite which should
# be used unless one needs a finer grinded selection of ciphers. Hence, the
@ -31,8 +35,10 @@ TLS_CACERT %%ldap_ca_file
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
#>GNUNUX
BINDDN %%ldapclient_user
TIMELIMIT 10
NETWORK_TIMEOUT 10
TIMEOUT 10
BINDPW %%ldapclient_user_password
#<GNUNUX
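
Review bot: the GNUNUX block in this hunk contains `BINDPW %%ldapclient_user_password`, while the header comment of the same file says it should be world readable. Either install this file with a restrictive owner and mode, or move the bind password into a separate file that only the consuming service can read.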

View file

@ -15,16 +15,16 @@ LemonLDAP, a Web Single Sign On and Access Management.
## Dependances
- [ldap-client](../ldap-client/README.md)
- [reverse-proxy-client](../reverse-proxy-client/README.md)
- [relay-mail-client](../relay-mail-client/README.md)
- [nginx-common](../nginx-common/README.md)
- [base-debian-bullseye](../base-debian-bullseye/README.md)
- [base-debian](../base-debian/README.md)
- [systemd](../systemd/README.md)
- [base-machine](../base-machine/README.md)
- [base](../base/README.md)
- [dns-local](../dns-local/README.md)
- [ldap-client](../ldap-client/README.md)
- [reverse-proxy-client](../reverse-proxy-client/README.md)
- [relay-mail-client](../relay-mail-client/README.md)
- [nginx-common](../nginx-common/README.md)
## Variables
@ -55,10 +55,10 @@ Configuration de la solution d'authentification unique LemonLDAP::NG
### Oauth2 (*oauth2*)
| Description | Type | Provider | Supplier |
|------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|------------|--------------|
| Remote clients needing to verify OAuth2 account (*[remotes](extras/oauth2/00_oauth2.xml)*) [+] | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | OAuth2 | |
| Remote clients (*[clients](extras/oauth2/00_oauth2.xml)*) [+] | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | | OAuth2Client |
| Description | Type | Provider | Values | Supplier |
|------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|------------|--------------|--------------|
| Remote clients needing to verify OAuth2 account (*[remotes](extras/oauth2/00_oauth2.xml)*) [+] | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | OAuth2 | | |
| Remote clients (*[clients](extras/oauth2/00_oauth2.xml)*) [+] | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | | <calculated> | OAuth2Client |
#### OAuth2 for (*oauth2.oauth2_*)
@ -76,6 +76,10 @@ This a family is a leadership.
- [+]: variable is multiple
- **bold**: variable is mandatory
## Linked to
## Supplier
- [oauth2-client](../oauth2-client/README.md)
[oauth2-client](../oauth2-client/README.md)
## Provider
[oauth2-client](../oauth2-client/README.md)

View file

@ -2,8 +2,8 @@ format: '0.1'
description: LemonLDAP, a Web Single Sign On and Access Management
website: https://lemonldap-ng.org/
depends:
- base-debian-bullseye
- ldap-client
- reverse-proxy-client
- relay-mail-client
- nginx-common
- base-debian-bullseye

View file

@ -20,7 +20,7 @@
<file mode="750">/sbin/interne_well_known.pl</file>
<file mode="750">/sbin/wget.pl</file>
<file engine="none" source="tmpfile-lemonldap.conf">/tmpfiles.d/0lemonldap.conf</file>
<file>/tests/lemonldap.yml</file>
<file filelist="copy_tests">/tests/lemonldap.yml</file>
</service>
</services>
<variables>

View file

@ -54,9 +54,9 @@ GNU Mailman, managing electronic mail discussion and e-newsletter lists.
##### external (*general.oauth2_client.external*)
| Description |
|---------------------------------------------------------|
| *[oauth2_client_external](dictionaries/31_mailman.xml)* |
| Description | Values |
|---------------------------------------------------------|--------------|
| *[oauth2_client_external](dictionaries/31_mailman.xml)* | <calculated> |
#### nginx (*general.nginx*)

View file

@ -5,7 +5,7 @@
<!--override/-->
<file owner="root" group="list" mode="640">/etc/mailman3/mailman.cfg</file>
<file engine="none" source="tmpfile-mailman.conf">/tmpfiles.d/0mailman.conf</file>
<file>/tests/mailman.yml</file>
<file filelist="copy_tests">/tests/mailman.yml</file>
<!--file owner="root" group="mailman" mode="640">/etc/mailman3.d/postfix.cfg</file-->
</service>
<service name="mailman3-web"> <!-- target="multi-user" engine="cheetah">-->

View file

@ -33,6 +33,6 @@ Application service needs interact with a MariaDB server.
- [piwigo](../piwigo/README.md)
- [sensmotdire](../sensmotdire/README.md)
## Linked to
## Provider
- [mariadb](../mariadb/README.md)
[mariadb](../mariadb/README.md)

View file

@ -34,6 +34,6 @@ MariaDB, a relational database.
- [+]: variable is multiple
- **bold**: variable is mandatory
## Linked to
## Supplier
- [mariadb-client](../mariadb-client/README.md)
[mariadb-client](../mariadb-client/README.md)

View file

@ -6,7 +6,7 @@
<file>/etc/my.cnf.d/risotto.cnf</file>
<file engine="none" source="tmpfile-mariadb.conf">/tmpfiles.d/0mariadb.conf</file>
<file mode="600" owner="mysql" group="mysql">/etc/mariadb.sql</file>
<file>/tests/mariadb.yml</file>
<file filelist="copy_tests">/tests/mariadb.yml</file>
</service>
</services>
<variables>

View file

@ -1,4 +1,4 @@
CALENDAR="3.5.2"
#CALENDAR="3.5.2"
ln -s "/srv/nextcloud/data" "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/share/nextcloud/data"
mkdir -p "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/local/share/nextcloud/apps"
cd "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/local/share/nextcloud/apps"
@ -9,8 +9,11 @@ tar xf *tar.gz
rm -f *tar.gz
chown -R root: oidc_login
#
#app=$(wget https://api.github.com/repos/nextcloud-releases/calendar/releases/latest -q -O - | jq -r '.assets[0].browser_download_url')
app="https://github.com/nextcloud-releases/calendar/releases/download/v${CALENDAR}/calendar-v${CALENDAR}.tar.gz"
if [ -z "$CALENDAR" ]; then
app=$(wget https://api.github.com/repos/nextcloud-releases/calendar/releases/latest -q -O - | jq -r '.assets[0].browser_download_url')
else
app="https://github.com/nextcloud-releases/calendar/releases/download/v${CALENDAR}/calendar-v${CALENDAR}.tar.gz"
fi
wget -q $app -O app.tar.gz
tar xf app.tar.gz
rm -f app.tar.gz
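
Review bot: with `CALENDAR` commented out at the top of the file, the new `if [ -z "$CALENDAR" ]` branch is taken unless the variable comes from the environment, so each build installs whatever `releases/latest` returns at that moment, and the tarball is unpacked with no checksum or signature check. Pin the version (or record the resolved URL and a SHA-256 in the build), quote `"$app"` in the `wget` call, and fail the build when `jq` yields an empty or `null` URL.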

View file

@ -2,17 +2,15 @@
<rougail version="0.10">
<services>
<service name='nginx' target='multi-user'>
<file>/etc/nginx/nginx.conf</file>
<file source="default">/etc/nginx/sites-available/default</file>
<file source="nginx_source_conf" source_type="variable">/etc/nginx/nginx.conf</file>
<file filelist="nginx_debian">/etc/nginx/sites-available/default</file>
<file filelist="nginx_default" source="default-nginx.conf">/etc/nginx/default.d/default.conf</file>
<file source="nginx.index.html">/var/www/html/index.html</file>
<file source="nginx-options.conf">/etc/nginx/conf.d/options.conf</file>
<file>/var/www/html/error.html</file>
<file engine="none" source="sysusers.nginx.conf" filelist="nginx_fedora">/sysusers.d/nginx.conf</file>
<file source="tmpfiles.nginx.conf">/tmpfiles.d/nginx.conf</file>
<file file_type="variable" filelist="nginx_default_https" mode="600" source="nginx.crt">revprox_crt_file</file>
<file file_type="variable" filelist="nginx_default_https" mode="600" source="nginx.key">revprox_key_file</file>
<file>/tests/nginx-common.yml</file>
<file filelist="copy_tests">/tests/nginx-common.yml</file>
</service>
</services>
<variables>
@ -41,6 +39,7 @@
<variable name="revprox_key_file" type="filename" description="Reverse proxy key filename" hidden="True"/>
<variable name="nginx_owner" type="unix_user" description="Nginx process owner" mandatory="True" hidden="True"/>
<variable name="nginx_group" type="unix_user" description="Nginx process group" mandatory="True" hidden="True"/>
<variable name="nginx_source_conf" hidden="True"/>
</family>
</variables>
<constraints>
@ -49,6 +48,10 @@
<target type="filelist">nginx_fedora</target>
<target>nginx_default</target>
</condition>
<condition name="disabled_if_not_in" source="os_name">
<param>Debian</param>
<target type="filelist">nginx_debian</target>
</condition>
<condition name="disabled_if_in" source="nginx_default">
<param type="nil"/>
<target type="filelist">nginx_default</target>
@ -89,5 +92,11 @@
<param name="expected">Fedora</param>
<target>nginx_group</target>
</fill>
<fill name="calc_value">
<param>nginx.conf</param>
<param type="variable">os_name</param>
<param name="join">.</param>
<target>nginx_source_conf</target>
</fill>
</constraints>
</rougail>

View file

@ -1,2 +1,3 @@
#RISOTTO: do not compare
rewrite ^(.*) http://%%nginx_default$1;
break;

View file

@ -1,3 +1,4 @@
#RISOTTO: do not compare
client_max_body_size %%{nginx_post_max_size}M;
client_body_buffer_size 128k;

View file

@ -2,11 +2,7 @@
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
%if %%os_name == 'Fedora'
user nginx;
%else
user www-data;
%end if
worker_processes auto;
#GNUNUX error_log /var/log/nginx/error.log;
#>GNUNUX
@ -16,11 +12,7 @@ error_log syslog:server=unix:/dev/log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
%if %%os_name == 'Fedora'
include /usr/share/nginx/modules/*.conf;
%else
include /etc/nginx/modules-enabled/*.conf;
%end if
events {
worker_connections 1024;
@ -95,10 +87,6 @@ http {
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
%if %%os_name == 'Fedora'
ssl_ciphers PROFILE=SYSTEM;
ssl_prefer_server_ciphers on;
%end if
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;

View file

@ -0,0 +1,112 @@
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
#>GNUNUX
#error_log /var/log/nginx/error.log notice;
error_log syslog:server=unix:/dev/log;
#<GNUNUX
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
#GNUNUX access_log /var/log/nginx/access.log main;
#>GNUNUX
access_log syslog:server=unix:/dev/log combined;
error_log syslog:server=unix:/dev/log error;
#<GNUNUX
sendfile on;
tcp_nopush on;
#>GNUNUX
tcp_nodelay on;
#<GNUNUX
keepalive_timeout 65;
types_hash_max_size 4096;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
%if %%nginx_default_http
server {
listen 80;
listen [::]:80;
server_name _;
root %%nginx_root;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
error_page 404 /404.html;
location = /404.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
%end if
# Settings for a TLS enabled server.
#
%if %%nginx_default_https
server {
listen 443 ssl http2;
#listen [::]:443 ssl http2;
%if %%getVar('revprox_client_external_domainnames', None)
%for %%domain in %%revprox_client_external_domainnames
server_name %%domain;
%end for
%else
server_name _;
%end if
root %%nginx_root;
#>GNUNUX
#ssl_certificate "/etc/pki/nginx/server.crt";
#ssl_certificate_key "/etc/pki/nginx/private/server.key";
ssl_certificate %%revprox_crt_file;
ssl_certificate_key %%revprox_key_file;
%if %%getVar('revprox_client_external_domainnames', None)
ssl_client_certificate %%revprox_ca_file;
%else
ssl_client_certificate /etc/pki/ca-trust/source/anchors/ca_HTTP.crt;
%end if
#<GNUNUX
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers PROFILE=SYSTEM;
ssl_prefer_server_ciphers on;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
error_page 404 /404.html;
location = /404.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
%end if
}
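
Review bot: the HTTPS server block sets `ssl_client_certificate` in both template branches, but no `ssl_verify_client` appears in this file, and nginx does not request client certificates unless that directive is set. If mutual TLS is intended, set `ssl_verify_client` here or make it explicit that an included `conf.d` or `default.d` file does; otherwise the CA line can go. Also, `listen [::]:443 ssl http2;` is commented out while port 80 listens on `[::]:80`, so IPv6 clients only reach the plain HTTP server.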

View file

@ -42,9 +42,9 @@ def test_revprox():
protocols.append('https')
# test certificate
with raises(SSLError):
# not certificat problem for https://{url}
# certificat problem for https://{url}
req(f'https://{url}', data['address'])
for protocol in protocols:
ret_code, content = req(f'{protocol}://{url}', data['address'], verify=False)
assert ret_code == 200, f'{protocol}://{url} do not returns code 200 but {ret_code}'
assert "<title>Test Page for the HTTP Server on Fedora</title>" in content, f'{protocol}://{url} do not returns default fedora page'
# assert "<title>Welcome</title>" in content, f'{protocol}://{url} do not returns default fedora page'
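
Review bot: the only content check, the `<title>` assertion at the end of the loop, is now commented out, so with `verify=False` the test accepts any page that answers 200. Replace it with an assertion on the page that is expected now instead of leaving it disabled. The comment above `req(f'https://{url}', ...)` also has "certificat" where "certificate" is meant.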

View file

@ -1,10 +0,0 @@
<!DOCTYPE html>
<html>
<head>
<title>Welcome</title>
<style>
</style>
</head>
<body>
</body>
</html>

View file

@ -15,13 +15,13 @@ Nginx as reverse proxy.
## Dependances
- [base-fedora-36](../base-fedora-36/README.md)
- [nginx-common](../nginx-common/README.md)
- [base-fedora-37](../base-fedora-37/README.md)
- [base-fedora](../base-fedora/README.md)
- [systemd](../systemd/README.md)
- [base-machine](../base-machine/README.md)
- [base](../base/README.md)
- [dns-local](../dns-local/README.md)
- [nginx-common](../nginx-common/README.md)
## Variables
@ -37,11 +37,11 @@ Nginx as reverse proxy.
Paramétrage global de NGINX
| Description | Values |
|--------------------------------------------------------|----------|
| *[**nginx_default**](dictionaries/25_nginx.xml)* | |
| *[**nginx_default_http**](dictionaries/25_nginx.xml)* | True |
| *[**nginx_default_https**](dictionaries/25_nginx.xml)* | True |
| Description | Values |
|--------------------------------------------------------|--------------|
| *[**nginx_default**](dictionaries/25_nginx.xml)* | <calculated> |
| *[**nginx_default_http**](dictionaries/25_nginx.xml)* | True |
| *[**nginx_default_https**](dictionaries/25_nginx.xml)* | True |
### Machine (*machine*)
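
Review bot: the `Values` cell for `nginx_default` now holds a raw `<calculated>`, which Markdown renderers treat as an unknown HTML tag and may drop, leaving the cell looking empty. Write it as `&lt;calculated&gt;` or wrap it in backticks; the same applies to the other README tables in this compare that gain the value.
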
@ -62,6 +62,6 @@ Paramétrage global de NGINX
- [+]: variable is multiple
- **bold**: variable is mandatory
## Linked to
## Supplier
- [reverse-proxy-client](../reverse-proxy-client/README.md)
[reverse-proxy-client](../reverse-proxy-client/README.md)

View file

@ -2,5 +2,5 @@ format: '0.1'
description: Nginx as reverse proxy
website: https://nginx.org/
depends:
- base-fedora-36
- nginx-common
- base-fedora-37

View file

@ -4,10 +4,12 @@
<service name='nginx'>
<override engine="cheetah"/>
<file source="nginx-options-rp.conf">/etc/nginx/conf.d/options-rp.conf</file>
<file source="revprox-nginx.conf">/etc/nginx/sites-enabled/risotto.conf</file>
<file source="revprox-nginx.conf">/etc/nginx/conf.d/risotto.conf</file>
<file>/etc/pki/ca-trust/source/anchors/ca_External.crt</file>
<file source="certificate.crt" file_type="variable" mode="600" variable="nginx.revprox_domainnames">nginx.nginx_certificate_filename</file>
<file source="private.key" file_type="variable" mode="600" variable="nginx.revprox_domainnames">nginx.nginx_private_key_filename</file>
<file>/tests/reverse-proxy.yml</file>
<file filelist="copy_tests">/tests/reverse-proxy.yml</file>
<file>/var/www/html/error.html</file>
</service>
</services>
<variables>
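
Review bot: the `<file>/etc/pki/ca-trust/source/anchors/ca_External.crt</file>` entry places the External CA in the system trust-anchor source directory, which makes it trusted machine-wide the next time the trust store is rebuilt. If the certificate is only needed by nginx and by the reverse-proxy test, a dedicated path (for example under `/etc/pki/nginx/`) keeps that trust scoped; if system-wide trust is intended, say so in the dictionary. The entry also carries no explicit `mode`, unlike the `certificate.crt` and `private.key` lines below it.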

View file

@ -37,7 +37,7 @@
<target>nginx.nginx_private_key_filename</target>
</fill>
<fill name="get_first_value">
<param type="variable">nginx.remotes</param>
<param type="variable">nginx.reverse_proxy_for_.reverse_proxy_.revprox_domainnames_</param>
<target>nginx_default</target>
</fill>
</constraints>

View file

@ -0,0 +1 @@
%%get_chain(cn=%%domain_name_eth0, authority_cn=%%domain_name_eth0, authority_name="External", hide=%%hide_secret)

View file

@ -1,2 +1 @@
%set %%chain=%%get_chain(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name="External", hide=%%hide_secret)
%%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)

View file

@ -1,2 +1,3 @@
#RISOTTO: do not compare
# We use X-Forwarded-For header
real_ip_header X-Forwarded-For;
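
Review bot: `real_ip_header X-Forwarded-For;` stands alone in this three-line file, with no `set_real_ip_from` beside it. nginx only replaces the client address for connections coming from addresses listed in `set_real_ip_from`, so pair the directive with the proxy addresses allowed to supply the header, kept as narrow as possible since any listed source decides the client IP that gets logged. The new `#RISOTTO: do not compare` marker also deserves a short comment saying why this file is excluded from comparison.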

View file

@ -1,10 +0,0 @@
<!DOCTYPE html>
<html>
<head>
<title>Welcome</title>
<style>
</style>
</head>
<body>
</body>
</html>

View file

@ -10,3 +10,4 @@ urls:
%end for
%end for
%end for
ca_certificate: ../etc/pki/ca-trust/source/anchors/ca_External.crt

View file

@ -1,3 +1,4 @@
#RISOTTO: do not compare
%for %%idx, %%domainname in %%enumerate(%%nginx.revprox_domainnames)
# Configuration HTTP %%domainname
server {

View file

@ -1,5 +1,6 @@
from yaml import load, SafeLoader
from os import environ
from os.path import join
import warnings
import socket
@ -19,9 +20,9 @@ def req(url, ip, verify=True):
if not verify:
with warnings.catch_warnings():
warnings.simplefilter("ignore")
ret = get(url, verify=verify)
ret = get(url, verify=verify, allow_redirects=False)
else:
ret = get(url, verify=verify)
ret = get(url, verify=verify, allow_redirects=False)
ret_code = ret.status_code
content = ret.content
socket.getaddrinfo = old_getaddrinfo
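
Review bot: `socket.getaddrinfo = old_getaddrinfo` runs only after `get(...)` returns, so when the request raises (the `SSLError` path these tests rely on) the patched resolver stays installed for every later call. Wrap the request in `try: ... finally:` and restore `socket.getaddrinfo` in the `finally`. The two branches now differ only by the warning filter, so a single `get(url, verify=verify, allow_redirects=False)` call with the filter applied conditionally would remove the duplication.
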
@ -34,6 +35,8 @@ def test_revprox():
data = load(yaml, Loader=SafeLoader)
# test known domains
for url in data['urls']:
ret_code, content = req(f'https://{url}', data['address'])
try:
ret_code, content = req(f'https://{url}', data['address'])
except SSLError:
ret_code, content = req(f'https://{url}', data['address'], verify=join(environ["MACHINE_TEST_DIR"], data["ca_certificate"]))
assert ret_code == 200, f'https://{url} do not returns code 200 but {ret_code}'
assert "<title>Test Page for the HTTP Server on Fedora</title>" not in content, f'https://{url} do returns default fedora page'
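
Review bot: the `except SSLError` fallback retries with the External CA only after verification against the default trust store has failed, so the test passes whichever store validates the certificate and never states which one is expected for a given URL. Pass `verify=join(environ["MACHINE_TEST_DIR"], data["ca_certificate"])` up front for the domains signed by that CA, and read `MACHINE_TEST_DIR` with a clear failure message, since a missing variable currently surfaces as a bare `KeyError` inside the handler.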

View file

@ -18,7 +18,7 @@ Nginx as static web site.
- [nginx-https](../nginx-https/README.md)
- [nginx-common](../nginx-common/README.md)
- [reverse-proxy-client](../reverse-proxy-client/README.md)
- [base-fedora-36](../base-fedora-36/README.md)
- [base-fedora-37](../base-fedora-37/README.md)
- [base-fedora](../base-fedora/README.md)
- [systemd](../systemd/README.md)
- [base-machine](../base-machine/README.md)

View file

@ -3,4 +3,4 @@ description: Nginx as static web site
website: https://nginx.org/
depends:
- nginx-https
- base-fedora-36
- base-fedora-37

View file

@ -3,6 +3,7 @@
<services>
<service name='nginx' target='multi-user'>
<file source="tmpfiles.nginx_static.conf">/tmpfiles.d/0static.conf</file>
<file source="index.html">/srv/static/index.html</file>
</service>
</services>
<variables>

View file

@ -15,7 +15,7 @@ NSD, an authoritative DNS name server.
## Dependances
- [base-fedora-36](../base-fedora-36/README.md)
- [base-fedora-37](../base-fedora-37/README.md)
- [base-fedora](../base-fedora/README.md)
- [systemd](../systemd/README.md)
- [base-machine](../base-machine/README.md)
@ -28,9 +28,9 @@ NSD, an authoritative DNS name server.
#### network (*general.network*)
| Description |
|-------------------------------------|
| *[ip_dns](dictionaries/20_nsd.xml)* |
| Description | Values |
|-------------------------------------|--------------|
| *[ip_dns](dictionaries/20_nsd.xml)* | <calculated> |
#### Serveur DNS (*general.dns_server*)
@ -40,17 +40,17 @@ NSD, an authoritative DNS name server.
#### Zone DNS (*general.dns_zone*)
| Description | Type |
|--------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|
| Zones DNS (*[nsd_zones](dictionaries/20_nsd.xml)*) [+] | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) |
| Description | Type | Values |
|--------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|--------------|
| Zones DNS (*[nsd_zones](dictionaries/20_nsd.xml)*) [+] | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | <calculated> |
#### Zone DNS reverse (*general.dns_reverses*)
This a family is a leadership.
| Description | Type |
|------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|
| Réseau pour la résolution reverse (*[nsd_reverse_network](dictionaries/20_nsd.xml)*) [+] | [network_cidr](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) |
| Description | Type | Values |
|------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|--------------|
| Réseau pour la résolution reverse (*[nsd_reverse_network](dictionaries/20_nsd.xml)*) [+] | [network_cidr](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | <calculated> |
### Machine (*machine*)
@ -65,7 +65,10 @@ This a family is a leadership.
- [+]: variable is multiple
- **bold**: variable is mandatory
## Linked to
## Supplier
- [dns-local](../dns-local/README.md)
- [unbound](../unbound/README.md)
[dns-local](../dns-local/README.md)
## Provider
[unbound](../unbound/README.md)

View file

@ -3,4 +3,4 @@ description: NSD, an authoritative DNS name server
website: https://www.nlnetlabs.nl/projects/nsd/about/
service: true
depends:
- base-fedora-36
- base-fedora-37

View file

@ -11,7 +11,7 @@
<file file_type="variable" source="nsd.signed" variable="nsd_reverse_filenames">nsd_reverse_filenames_signed</file>
<file engine="none" source="sysuser-nsd.conf">/sysusers.d/0nsd.conf</file>
<file engine="none" source="tmpfile-nsd.conf">/tmpfiles.d/0nsd.conf</file>
<file>/tests/nsd.yml</file>
<file filelist="copy_tests">/tests/nsd.yml</file>
</service>
</services>
<variables>

View file

@ -1 +1,2 @@
#RISOTTO: do not compare
%%sign(%%rougail_destination_dir + %%rougail_variable, %%domain_name_eth0)

View file

@ -1,3 +1,4 @@
#RISOTTO: do not compare
server:
interface: 127.0.0.1
%for %%interface in %%range(%%len(%%zones_list))

View file

@ -31,10 +31,10 @@ Application service needs interact with a Oauth2 server.
##### external (*general.oauth2_client.external*)
| Description | Type | Supplier | Values |
|------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------|-----------------|----------|
| **OAuth2 client external** (*[oauth2_client_external](dictionaries/30_oauth2_client.xml)*) [+] | [web_address](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | OAuth2:external | |
| **OAuth2 family** (*[oauth2_client_family](dictionaries/30_oauth2_client.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | OAuth2:family | users |
| Description | Type | Values | Supplier |
|------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------|--------------|-----------------|
| **OAuth2 client external** (*[oauth2_client_external](dictionaries/30_oauth2_client.xml)*) [+] | [web_address](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | <calculated> | OAuth2:external |
| **OAuth2 family** (*[oauth2_client_family](dictionaries/30_oauth2_client.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | users | OAuth2:family |
- [+]: variable is multiple
@ -47,10 +47,14 @@ Application service needs interact with a Oauth2 server.
- [peertube](../peertube/README.md)
- [piwigo](../piwigo/README.md)
- [dovecot](../dovecot/README.md)
- [forgejo](../forgejo/README.md)
- [roundcube](../roundcube/README.md)
- [nextcloud](../nextcloud/README.md)
- [gitea](../gitea/README.md)
## Linked to
## Supplier
- [lemonldap](../lemonldap/README.md)
[lemonldap](../lemonldap/README.md)
## Provider
[lemonldap](../lemonldap/README.md)

View file

@ -14,7 +14,7 @@
</services>
<variables>
<family name="odoo" description="Odoo">
<variable name="odoo_admin_password" description="Mot de passe de l'administrateur" hidden="True"/>
<variable name="odoo_admin_password" type="password" description="Mot de passe de l'administrateur" hidden="True"/>
<variable name="odoo_admin_email" type="mail" description="Adresse courriel de l'administrateur" mandatory="True"/>
<variable name="odoo_company_name" description="Nom" mandatory="True"/>
<variable name="odoo_company_street" description="Adresse" mandatory="True"/>

View file

@ -16,7 +16,7 @@ OpenLDAP, a LDAP server.
## Dependances
- [ldap-client](../ldap-client/README.md)
- [base-fedora-36](../base-fedora-36/README.md)
- [base-fedora-37](../base-fedora-37/README.md)
- [base-fedora](../base-fedora/README.md)
- [systemd](../systemd/README.md)
- [base-machine](../base-machine/README.md)
@ -60,12 +60,12 @@ OpenLDAP, a LDAP server.
##### client (*general.annuaire.client*)
| Description |
|-------------------------------------------------------------------------------------------------------|
| *[ldapclient_user](dictionaries/21_openldap-server.xml)* |
| **Base DN** (*[ldapclient_base_dn](dictionaries/21_openldap-server.xml)*) |
| **Base DN de l'annuaire des utilisateurs** (*[ldap_account_dn](dictionaries/21_openldap-server.xml)*) |
| *[ldapclient_search_dn](dictionaries/21_openldap-server.xml)* |
| Description | Values |
|-------------------------------------------------------------------------------------------------------|--------------|
| *[ldapclient_user](dictionaries/21_openldap-server.xml)* | <calculated> |
| **Base DN** (*[ldapclient_base_dn](dictionaries/21_openldap-server.xml)*) | |
| **Base DN de l'annuaire des utilisateurs** (*[ldap_account_dn](dictionaries/21_openldap-server.xml)*) | <calculated> |
| *[ldapclient_search_dn](dictionaries/21_openldap-server.xml)* | <calculated> |
### Machine (*machine*)
@ -114,6 +114,6 @@ This a family is a leadership.
- [+]: variable is multiple
- **bold**: variable is mandatory
## Linked to
## Supplier
- [ldap-client](../ldap-client/README.md)
[ldap-client](../ldap-client/README.md)

View file

@ -3,4 +3,4 @@ description: OpenLDAP, a LDAP server
website: https://www.openldap.org/
depends:
- ldap-client
- base-fedora-36
- base-fedora-37

View file

@ -3,18 +3,17 @@
<services>
<service name="slapd" target="multi-user">
<override/>
<file source='default.slapd'>/etc/default/slapd</file>
<file>/etc/pki/tls/certs/openldap.crt</file>
<file owner="ldap" mode="400">/etc/pki/tls/private/openldap.key</file>
<file owner="ldap">/var/lib/ldap/DB_CONFIG</file>
<file>/secrets/users.ldif</file>
<file>/secrets/users_mod.ldif</file>
<file owner="ldap" mode="400">/etc/ldap/secrets/config.ldif</file>
<file owner="ldap" mode="400">/etc/ldap/secrets/config_acl.ldif</file>
<file>/secrets/admin_ldap.pwd</file>
<file owner="ldap" mode="400">/etc/ldap/secrets/users.ldif</file>
<file>/secrets/users_mod.ldif</file>
<file>/secrets/config_acl.ldif</file>
<file mode="400">/secrets/admin_ldap.pwd</file>
<file engine="none">/sysusers.d/risotto-openldap.conf</file>
<file source="tmpfile-openldap-server.conf">/tmpfiles.d/0openldap-server.conf</file>
<file>/tests/openldap.yml</file>
<file filelist="copy_tests">/tests/openldap.yml</file>
</service>
</services>
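
Review bot: the `/secrets/` entries in this hunk are protected unevenly: `admin_ldap.pwd` appears with `mode="400"`, while `/secrets/users_mod.ldif` and `/secrets/config_acl.ldif` carry neither `mode` nor `owner`, unlike the `/etc/ldap/secrets/` entries with `owner="ldap" mode="400"`. If those LDIF files hold password material or ACLs, give them the same explicit `mode="400"` rather than relying on the default.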

View file

@ -5,7 +5,7 @@
<family name="remote_" description="Compte LDAP pour " dynamic="accounts.remotes">
<variable name="family_" description="Nom de la familly de " hidden="True" provider="LDAP:family"/>
<variable name="dn_" description="LDAP DN de " hidden="True" provider="LDAP:dn"/>
<variable name="password_" description="Mot de passe de " hidden="True" provider="LDAP:password"/>
<variable name="password_" type ="password" description="Mot de passe de " hidden="True" provider="LDAP:password"/>
<variable name="base_dn_" description="LDAP base DN de " hidden="True" provider="LDAP:base_dn"/>
</family>
<family name="users" description="Gestion des utilisateurs" leadership="True">
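
Review bot: `type ="password"` on the `password_` variable has a stray space before `=`; it parses, but it differs from every other attribute in the hunk, so write `type="password"`.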

View file

@ -1,3 +1,4 @@
#RISOTTO: do not compare
# $OpenLDAP$
# Example DB_CONFIG file for use with slapd(8) BDB/HDB databases.
#

View file

@ -1,3 +1,4 @@
#RISOTTO: do not compare
dn: cn=config
objectClass: olcGlobal
#olcLogLevel: %%ldap_loglevel

View file

@ -1,3 +1,4 @@
#RISOTTO: do not compare
%set %%name_family = 'gnunux'
%set %%dns = {}
%set %%groups = []

View file

@ -1,48 +0,0 @@
# Location of the slapd configuration to use. If using the cn=config
# backend to store configuration in LDIF, set this variable to the
# directory containing the cn=config data; otherwise set it to the location
# of your slapd.conf file. If empty, use the compiled-in default
# (/etc/ldap/slapd.d).
SLAPD_CONF="/etc/ldap/slapd.conf"
# System account to run the slapd server under. If empty the server
# will run as root.
SLAPD_USER="openldap"
# System group to run the slapd server under. If empty the server will
# run in the primary group of its user.
SLAPD_GROUP="openldap"
# Path to the pid file of the slapd server. If not set the init.d script
# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.d by
# default)
SLAPD_PIDFILE=
# slapd normally serves ldap only on all TCP-ports 389. slapd can also
# service requests on TCP-port 636 (ldaps) and requests via unix
# sockets.
# Example usage:
# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
SLAPD_SERVICES="ldaps:///"
# If SLAPD_NO_START is set, the init script will not start or restart
# slapd (but stop will still work). Uncomment this if you are
# starting slapd via some other means or if you don't want slapd normally
# started at boot.
#SLAPD_NO_START=1
# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
# the init script will not start or restart slapd (but stop will still
# work). Use this for temporarily disabling startup of slapd (when doing
# maintenance, for example, or through a configuration management system)
# when you don't want to edit a configuration file.
SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
# For Kerberos authentication (via SASL), slapd by default uses the system
# keytab file (/etc/krb5.keytab). To use a different keytab file,
# uncomment this line and change the path.
#export KRB5_KTNAME=/etc/krb5.keytab
# Additional options to pass to slapd
SLAPD_OPTIONS=""

View file

@ -47,3 +47,8 @@ groups:
- cn=%%user,%%families
%end for
%end for
%if 'gnunux' not in %%accounts.families
%set %%families = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, 'gnunux')
gnunux:
- cn=rougail_test@gnunux.info,%%families
%end if

View file

@ -1,3 +1,4 @@
%set %%add_test = True
%set %%username="rougail_test@silique.fr"
%set %%username_family="rougail_test@gnunux.info"
%set %%name_family="gnunux"
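
Review bot: `%set %%add_test = True` hard-codes the switch that the later `%if %%add_test and 'gnunux' not in %%accounts.families` block reads, so the `gnunux` test family is written into every generated directory that does not already define it. Drive it from a dictionary variable that defaults to off, or document in the template why test entries belong in the deployed LDIF.
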
@ -64,41 +65,23 @@ ou: families
objectClass: top
objectClass: organizationalUnit
%for %%family in %%accounts.families
%set %%families = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=%%family)
%def add_family(%%family, %%families)
dn: %%families
ou: %%family
objectClass: top
objectClass: organizationalUnit
%end def
%if %%add_test and 'gnunux' not in %%accounts.families
%set %%families = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name='gnunux')
%%add_family('gnunux', %%families)
%end if
%for %%family in %%accounts.families
%set %%families = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=%%family)
%%add_family(%%family, %%families)
%for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
%set %%userdn = "cn=" + %%user + "," + %%families
%%groups.setdefault(%%family, []).append(%%userdn)%slurp
%%acc.append((%%userdn, %%user, %%user['ldap_user_password_' + %%family], %%user['ldap_user_sn_' + %%family], %%user['ldap_user_gn_' + %%family], %%user['ldap_user_uid_' + %%family], %%user['ldap_user_aliases_' + %%family], %%family))%slurp
#pouet
#dn: %%userdn
#cn: %%user
#mail: %%user
#sn:
#givenName:
#uid:
#userPassword:: %%ssha_encode()
#homeDirectory: /srv/home/families/%%family/%%user
#mailLocalAddress: %%user
# %if %%user['ldap_user_aliases_' + %%family]
# %for %%alias in
#mailLocalAddress: %%alias
# %end for
# %end if
#uidNumber: 0
#gidNumber: 0
#objectClass: top
#objectClass: inetOrgPerson
#objectClass: posixAccount
#objectClass: inetLocalMailRecipient
#
# %end for
#%end for
%end for
%end for
%for %%userdn, %%user, %%password, %%sn, %%gn, %%uid, %%aliases, %%family in %%acc

View file

@ -79,7 +79,10 @@ def test_ldap_migration():
if 'FIRST_RUN' in environ:
l.simple_bind_s(data['admin_dn'], data['admin_password'])
l.passwd_s(data['user_family_dn'], data['user_family_password'], data['user_family_password'] + "2")
l.simple_bind_s(data['user_family_dn'], data['user_family_password'] + "2")
try:
l.simple_bind_s(data['user_family_dn'], data['user_family_password'] + "2")
except INVALID_CREDENTIALS as err:
raise Exception(f'cannot find {data["user_family_dn"]} do you run script with FIRST_RUN env variables?')
def test_ldap_remote_auth():
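
Review bot: the new `except INVALID_CREDENTIALS as err` handler binds `err` and then drops it, and the message says the DN cannot be found when the bind actually failed on credentials. Use `raise Exception(...) from err` to keep the original error, reword the message to say the bind with the changed password failed and ask whether the first run was executed with `FIRST_RUN` set, and check that `INVALID_CREDENTIALS` is imported, which the visible lines do not show.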

View file

@ -61,9 +61,9 @@ Peertube, a federated (ActivityPub) video streaming platform.
##### external (*general.oauth2_client.external*)
| Description |
|----------------------------------------------------------|
| *[oauth2_client_external](dictionaries/30_peertube.xml)* |
| Description | Values |
|----------------------------------------------------------|--------------|
| *[oauth2_client_external](dictionaries/30_peertube.xml)* | <calculated> |
#### nginx (*general.nginx*)

View file

@ -41,4 +41,4 @@ Paramètrage avancé de PHP
## Used by
- [php-fpm](../php-fpm/README.md)
[php-fpm](../php-fpm/README.md)

Some files were not shown because too many files have changed in this diff