This commit is contained in:
Emmanuel Garette 2022-06-24 19:00:16 +02:00
parent 43208f0968
commit 0cab627154
118 changed files with 673 additions and 519 deletions


@ -31,6 +31,7 @@
<fill name="get_chain">
<param name="authority_cn" type="variable">revprox_client_server_domainname</param>
<param name="authority_name">InternalReverseProxy</param>
<param name="hide" type="variable">hide_secret</param>
<target>server_ca</target>
</fill>
</constraints>


@ -1 +1 @@
%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name="InternalReverseProxy")
%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name="InternalReverseProxy", hide=%%hide_secret)


@ -1 +1 @@
%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name="InternalReverseProxy")
%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name="InternalReverseProxy", hide=%%hide_secret)


@ -6,10 +6,8 @@
</service>
</services>
<variables>
<family name="general">
<variable name="os_version" type="string" description="OS Version" hidden="True">
<variable name="os_version" type="string" description="Version de l'OS" hidden="True">
<value>bullseye</value>
</variable>
</family>
</variables>
</rougail>


@ -1,26 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10">
<services>
<service name="debian" manage="False">
<file engine="none" source="tmpfile-tmp.conf">/tmpfiles.d/0tmp.conf</file>
<file engine="none">/etc/default/locale</file>
</service>
<service name="update-ca-certificates" engine="creole" target="multi-user"/>
</services>
<variables>
<family name="general">
<variable name="os_name" type="string" description="OS name" hidden="True">
<value>Debian</value>
</variable>
<variable name="tls_ca_directory" type="filename" description="Directory where CA are stored" hidden="True">
<value>/etc/ssl-localca</value>
</variable>
<variable name="tls_cert_directory" type="filename" description="Directory where certificates are stored" hidden="True">
<value>/etc/ssl/certs</value>
</variable>
<variable name="tls_key_directory" type="filename" description="Directory where private keys are stored" hidden="True">
<value>/etc/ssl/private</value>
</variable>
</family>
</variables>
</rougail>


@ -0,0 +1,15 @@
<?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10">
<services>
<service name="debian" manage="False">
<file engine="none" source="tmpfile-tmp.conf">/tmpfiles.d/0tmp.conf</file>
<file engine="none">/etc/default/locale</file>
</service>
</services>
<variables>
<variable name="os_name" type="string" description="Nom de l'OS" hidden="True">
<value>Debian</value>
</variable>
</variables>
</rougail>


@ -0,0 +1,17 @@
<?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10">
<services>
<service name="update-ca-certificates" engine="creole" target="multi-user"/>
</services>
<variables>
<variable name="tls_ca_directory" type="filename" description="Répertoire des autorités de certification" hidden="True">
<value>/etc/ssl-localca</value>
</variable>
<variable name="tls_cert_directory" type="filename" description="Répertoire des certificats" hidden="True">
<value>/etc/ssl/certs</value>
</variable>
<variable name="tls_key_directory" type="filename" description="Répertoire des clefs privés" hidden="True">
<value>/etc/ssl/private</value>
</variable>
</variables>
</rougail>
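Review bot: `description="Répertoire des clefs privés"` on `tls_key_directory` has an agreement error; `clef` is feminine, so it should read `Répertoire des clefs privées`. The same wording is introduced in the Fedora counterpart of this file (`Nom du répertoire des clefs privés`). Documentation only.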


@ -1,10 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10">
<variables>
<family name="general">
<variable name="os_version" type="string" description="OS Version" hidden="True">
<value>35</value>
</variable>
</family>
</variables>
</rougail>


@ -0,0 +1,8 @@
<?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10">
<variables>
<variable name="os_version" type="string" description="Version de l'OS" hidden="True">
<value>35</value>
</variable>
</variables>
</rougail>


@ -1,10 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10">
<variables>
<family name="general">
<variable name="os_version" type="string" description="OS Version" hidden="True">
<value>36</value>
</variable>
</family>
</variables>
</rougail>


@ -0,0 +1,8 @@
<?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10">
<variables>
<variable name="os_version" type="string" description="Version de l'OS" hidden="True">
<value>36</value>
</variable>
</variables>
</rougail>


@ -1,25 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10">
<services>
<service name="update-ca-trust" engine="creole" target="multi-user"/>
<service name="fedora-base" manage="False">
<file engine="none">/tmpfiles.d/fedora.conf</file>
</service>
</services>
<variables>
<family name="general">
<variable name="os_name" type="string" description="OS name" hidden="True">
<value>Fedora</value>
</variable>
<variable name="tls_ca_directory" type="filename" description="Directory where CA are stored" hidden="True">
<value>/etc/pki/ca-trust/source/anchors</value>
</variable>
<variable name="tls_cert_directory" type="filename" description="Directory where certificates are stored" hidden="True">
<value>/etc/pki/tls/certs</value>
</variable>
<variable name="tls_key_directory" type="filename" description="Directory where private keys are stored" hidden="True">
<value>/etc/pki/tls/private</value>
</variable>
</family>
</variables>
</rougail>


@ -0,0 +1,13 @@
<?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10">
<services>
<service name="fedora-base" manage="False">
<file engine="none">/tmpfiles.d/fedora.conf</file>
</service>
</services>
<variables>
<variable name="os_name" type="string" description="Nom de l'OS" hidden="True">
<value>Fedora</value>
</variable>
</variables>
</rougail>


@ -0,0 +1,17 @@
<?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10">
<services>
<service name="update-ca-trust" engine="creole" target="multi-user"/>
</services>
<variables>
<variable name="tls_ca_directory" type="filename" description="Nom du répertoire des autorités de certification" hidden="True">
<value>/etc/pki/ca-trust/source/anchors</value>
</variable>
<variable name="tls_cert_directory" type="filename" description="Nom du répertoire des certificats" hidden="True">
<value>/etc/pki/tls/certs</value>
</variable>
<variable name="tls_key_directory" type="filename" description="Nom du répertoire des clefs privés" hidden="True">
<value>/etc/pki/tls/private</value>
</variable>
</variables>
</rougail>


@ -6,25 +6,22 @@
</service>
</services>
<variables>
<family name='general' description="Général">
<variable name="zones_list" type="string" multi="True" description="Liste de toutes les zones" hidden="True"/>
<variable name="number_of_interfaces" type="number" description="Nombre d'interface disponible" hidden="True"/>
<variable name="interfaces_list" type="number" multi="True" description="Liste de toutes les interfaces" hidden="True"/>
<variable name="server_deployed" type="boolean" description="Le serveur est déployé" hidden="True">
<variable name="hide_secret" type="boolean" description="Les secrets sont obscurcis" mode="expert" help="Obscurcir les secrets peut permettre de générer des configurations diffusable sans problème de confidentialité ou pour comparer deux configurations générés à des moments différents">
<value>False</value>
</variable>
</family>
<family name="dns" description="DNS">
<variable name="dns_client_address" type="domainname" description="Nom de domaine du serveur SMTP"/>
<variable name="ip_dns" type="ip" description="The DNS server" hidden="True"/>
</family>
<family name="network" description="Réseau">
<variable name="zones_list" type="string" multi="True" description="Liste de toutes les zones" hidden="True"/>
<variable name="interfaces_list" type="number" multi="True" description="Liste de tous les numéros d'interfaces" hidden="True"/>
<variable name="dns_client_address" type="domainname" description="Nom de domaine du serveur DNS"/>
<variable name="ip_dns" type="ip" description="Adresse IP du serveur DNS" hidden="True"/>
<family name="interface_" description="Interface " dynamic="interfaces_list">
<variable name="zone_name_eth" type="string" description="Zone name for interface " hidden="True"/>
<variable name="zone_name_eth" type="string" description="Nom de la zone de l'interface " hidden="True"/>
<variable name="ip_eth" type="ip" description="Adresse IP pour l'interface " hidden="True" provider="ip"/>
<variable name="network_eth" type="network_cidr" description="The zone network for interface " hidden="True"/>
<variable name="gateway_eth" type="ip" description="The zone gateway for interface "/>
<variable name="network_eth" type="network_cidr" description="Réseau de l'interface " hidden="True"/>
<variable name="gateway_eth" type="ip" description="La route de l'interface "/>
<variable name="domain_name_eth" type="domainname" description="Nom de domaine pour l'interface " mandatory="True" hidden="True"/>
</family>
</family>
</variables>
<constraints>
<fill name="set_linked">
@ -34,16 +31,12 @@
<param name="linked_returns">ip</param>
<target>ip_dns</target>
</fill>
<fill name="get_number_of_interfaces">
<param type="information">zones_name</param>
<target>number_of_interfaces</target>
</fill>
<fill name="calc_value">
<param type="information">zones_name</param>
<target>zones_list</target>
</fill>
<fill name="get_range">
<param type="variable">number_of_interfaces</param>
<param type="information">zones_name</param>
<target>interfaces_list</target>
</fill>
<fill name="get_ip">
@ -75,10 +68,6 @@
<param name="index" type="suffix"/>
<target>gateway_eth</target>
</fill>
<check name="valid_entier">
<param name="mini" type="number">1</param>
<target>number_of_interfaces</target>
</check>
</constraints>
</rougail>
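Review bot: The help text on the new `hide_secret` variable promises configurations that are `diffusable sans problème de confidentialité`, but in this commit only values produced by fills and template functions that take a `hide` parameter (get_password, get_certificate, get_private_key, get_chain, get_public_key) are replaced; any other value rendered into a template is unchanged. I would narrow the wording, e.g. `help="Remplace les secrets générés (mots de passe, clefs privées…) par une valeur factice ; les autres valeurs restent en clair"`, so nobody treats a generated tree as safe to publish; `diffusable` and `générés` should also agree (`diffusables`, `générées`). The removed `valid_entier` check on `number_of_interfaces` has no replacement in this file, so the minimum of one interface now rests on the `max(1, …)` inside the rewritten `get_range` alone; a short comment next to the `get_range` fill saying so would help the next reader.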


@ -1,4 +1,5 @@
import __main__
from typing import List
from secrets import token_urlsafe as _token_urlsafe, token_hex as _token_hex
from string import ascii_letters as _ascii_letters
from random import choice as _choice
@ -6,6 +7,9 @@ from os.path import dirname as _dirname, abspath as _abspath, join as _join, isf
from os import makedirs as _makedirs
from risotto.utils import load_domains, DOMAINS
_HERE = _dirname(_abspath(__main__.__file__))
_PASSWORD_DIR = _join(_HERE, 'password')
@ -14,9 +18,12 @@ def get_password(server_name: str,
username: str,
description: str,
type: str,
hide: bool,
length: int=20,
temporary: bool=True,
) -> str:
if hide:
return "XXXXX"
def gen_password():
return _token_urlsafe(length)[:length]
return _set_password(server_name,
@ -32,8 +39,11 @@ def get_password_alpha_num(server_name,
username: str,
description: str,
length,
hide: bool,
starts_with_char=False,
):
if hide:
return "XXXXX"
def gen_password():
password = _token_hex()
if starts_with_char:
@ -72,14 +82,8 @@ def _set_password(server_name: str,
return file_content
def get_range(stop):
return list(range(stop))
def get_number_of_interfaces(zones):
if zones is None:
return 1
return len(zones)
def get_range(lst):
return list(range(max(1, len(lst))))
def get_zone_name(zones: list,
@ -97,3 +101,13 @@ def get_domain_name(server_name: str,
if index == 0:
return server_name
return extra_domainnames[index - 1]
def get_ip(server_name: str,
zones_name: List[str],
index: str,
) -> str:
load_domains()
host_name, domain_name = server_name.split('.', 1)
domain = DOMAINS[domain_name]
return domain[1][domain[0].index(host_name)]
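Review bot: The new `get_range(lst)` calls `len(lst)` unconditionally, whereas the removed `get_number_of_interfaces` returned 1 when `zones` was None; if the `zones_name` information can still be unset, this fill now raises TypeError instead of yielding one interface. Guarding it keeps the old contract: `return list(range(max(1, len(lst or []))))`. In the new `get_ip`, the parameters `zones_name` and `index` are never read, and `DOMAINS[domain_name]` / `domain[0].index(host_name)` raise bare KeyError/ValueError for an unknown server; either drop the unused parameters or add a docstring saying why the signature keeps them and what an unknown name should produce. The `"XXXXX"` placeholder is duplicated in `get_password` and `get_password_alpha_num`; a module constant such as `_HIDDEN_VALUE = "XXXXX"` would keep the masked value in one place.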


@ -11,6 +11,8 @@ from datetime import datetime, timezone
os_name = argv[1]
OLD_DIR = argv[2]
NEW_DIR = argv[3]
WEBSITE = len(argv) != 5
FILES = []
def diff_files(dcmp):
for name in dcmp.diff_files:
@ -25,6 +27,7 @@ diff_files(dcmp)
date = datetime.now(timezone.utc).isoformat()
title = f"Nouvelle version de la configuration de {os_name}"
subtitle = f"Différence entre les fichiers de configuration de {os_name}"
if WEBSITE:
print(f"""+++
title = "{title}"
description = "{subtitle}"
@ -41,7 +44,15 @@ lead = "{subtitle}."
type = "installe"
+++
""")
TITLE = True
else:
TITLE = False
for filename in FILES:
if not TITLE:
print(title)
print("=" * len(title))
print()
TITLE = True
print(f'- mise à jour du fichier (unknown) :\n')
try:
with open(join(OLD_DIR, filename[1:]), 'r') as ori:
@ -51,7 +62,9 @@ for filename in FILES:
except UnicodeDecodeError:
print('fichier binaire')
else:
if WEBSITE:
print('```diff')
for line in unified_diff(ori_content, new_content, fromfile=filename, tofile=filename):
print(line.rstrip())
if WEBSITE:
print('```')
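Review bot: `WEBSITE = len(argv) != 5` turns the mere presence of a fourth positional argument into a mode switch whose value is never read, so `argv[4]` can be anything and the intent is invisible at the call site. A comment on that line, `# any 4th argument (value ignored) selects plain-text output instead of the website front-matter`, or an explicit check such as `WEBSITE = len(argv) < 5`, would make the contract explicit. The `TITLE` flag set to `True` and `False` in the two branches of `if WEBSITE:` is simply `TITLE = WEBSITE`.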


@ -50,11 +50,17 @@
</service>
</services>
<variables>
<family name="network">
<variable name="external_ports" redefine="True">
<value>587</value>
<value>993</value>
</variable>
</family>
<family name="annuaire">
<family name="client">
<variable name='ldapclient_family' redefine="True">
<value>all</value>
</variable>
<variable name="ldap_key_file_owner" redefine="True">
<value>dovecot</value>
</variable>
@ -62,6 +68,7 @@
<value>postfix</value>
</variable>
</family>
</family>
<family name="mail" description="Mail domain" leadership="True">
<variable name="mail_domains" type="domainname" description="Domaine de courriel géré localement" mandatory="True" multi="True"/>
<variable name="mail_domains_calc" type="domainname" hidden="True"/>
@ -187,12 +194,5 @@
<param type="variable">mail_domains</param>
<target>well_knowns</target>
</fill>
<check name="set_linked_configuration">
<param name="linked_value">all</param>
<param name="linked_server" type="variable">ldap_server_address</param>
<param name="linked_provider">client_family</param>
<param name="dynamic" type="variable">domain_name_eth0</param>
<target>mail_domains_calc</target>
</check>
</constraints>
</rougail>
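Review bot: `<variable name='ldapclient_family' redefine="True">` mixes single and double attribute quotes within one start tag, while the rest of this hunk uses double quotes throughout. The same tag is added to the lemonldap file in this commit. I would write `<variable name="ldapclient_family" redefine="True">` in both places. Style only.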


@ -1 +1 @@
%%get_chain(%%domain_name_eth0, "IMAPServer")
%%get_chain(%%domain_name_eth0, "IMAPServer", hide=%%hide_secret)


@ -1 +1 @@
%%get_chain(%%domain_name_eth0, "MailServer")
%%get_chain(%%domain_name_eth0, "MailServer", hide=%%hide_secret)


@ -34,8 +34,8 @@ uris = ldaps://%%ldap_server_address
# Password for LDAP server, if dn is specified.
#dnpass =
#>GNUNUX
dn = %%ldapclient_remote_user
dnpass = %%ldapclient_remote_user_password
dn = %%ldapclient_user
dnpass = %%ldapclient_user_password
#<GNUNUX
# Use SASL binding instead of the simple binding. Note that this changes
@ -107,7 +107,7 @@ auth_bind = yes
# LDAP base. %variables can be used here.
# For example: dc=mail, dc=example, dc=org
# GNUNUX base =
base = %%calc_ldapclient_base_dn(%%ldap_base_dn, None, accounts=True)
base = %%ldapclient_base_dn
# Dereference: never, searching, finding, always
#deref = never


@ -1,5 +1,8 @@
%set %%extra_domainnames = []
%for %%idx in %%range(1, %%number_of_interfaces)
%for %%idx in %%range(%%len(%%zones_list))
%if not idx
%continue
%end if
%%extra_domainnames.append(%%getVar('domain_name_eth' + %%str(%%idx)))
%end for
%%get_certificate(%%domain_name_eth0, 'IMAPServer', extra_domainnames=%%extra_domainnames)
%%get_certificate(%%domain_name_eth0, 'IMAPServer', extra_domainnames=%%extra_domainnames, hide=%%hide_secret)
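Review bot: `%if not idx` on the loop variable lacks the `%%` placeholder prefix that the sibling MailServer template in this commit uses (`%if not %%idx`). If the template engine resolves bare names inside directives this is only an inconsistency; if it does not, the first iteration is never skipped and `domain_name_eth0` ends up in `extra_domainnames` as well. Use `%if not %%idx` here too so both templates read the same.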


@ -1 +1 @@
%%get_private_key(%%domain_name_eth0, 'IMAPServer')
%%get_private_key(cn=%%domain_name_eth0, authority_name='IMAPServer', hide=%%hide_secret)


@ -1,2 +1,2 @@
%%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External')
%%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)


@ -1 +1 @@
%%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External')
%%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)


@ -6,8 +6,8 @@ tls_ca_cert_file = %%ldap_ca_file
tls_require_cert = yes
version = 3
bind = yes
bind_dn = %%ldapclient_remote_user
bind_pw = %%ldapclient_remote_user_password
search_base = %%calc_ldapclient_base_dn(%%ldap_base_dn, None, accounts=True)
bind_dn = %%ldapclient_user
bind_pw = %%ldapclient_user_password
search_base = %%ldapclient_base_dn
query_filter = (mailLocalAddress=%s)
result_attribute = cn


@ -1,5 +1,8 @@
%set %%extra_domainnames = []
%for %%idx in %%range(1, %%number_of_interfaces)
%for %%idx in %%range(%%len(%%zones_list))
%if not %%idx
%continue
%end if
%%extra_domainnames.append(%%getVar('domain_name_eth' + %%str(%%idx)))
%end for
%%get_certificate(%%domain_name_eth0, "MailServer", extra_domainnames=%%extra_domainnames)
%%get_certificate(%%domain_name_eth0, "MailServer", extra_domainnames=%%extra_domainnames, hide=%%hide_secret)


@ -1 +1 @@
%%get_private_key(%%domain_name_eth0, 'MailServer')
%%get_private_key(cn=%%domain_name_eth0, authority_name='MailServer', hide=%%hide_secret)


@ -1,2 +1,2 @@
%%get_private_key(%%domain_name_eth0, 'MailServer')
%%get_certificate(%%domain_name_eth0, "MailServer")
%%get_private_key(cn=%%domain_name_eth0, authority_name='MailServer', hide=%%hide_secret)
%%get_certificate(cn=%%domain_name_eth0, authority_name="MailServer", hide=%%hide_secret)


@ -1,3 +1,3 @@
%set %%cert = %%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External')
%%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External')
%set %%cert = %%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)
%%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)
%%cert


@ -9,9 +9,11 @@
</service>
</services>
<variables>
<family name="network">
<variable name="external_ports" redefine="True">
<value>2222</value>
</variable>
</family>
<family name="gitea" description="Gitea" help="Git forge Gitea">
<variable name="gitea_title" mandatory="True" description="Titre de la forge">
<value>Gitea: Git avec une tasse de thé</value>
@ -54,8 +56,10 @@
<variable name="oauth2_client_token_signature_algo" redefine="True">
<value>RS256</value>
</variable>
<family name="external">
<variable name="oauth2_client_external" redefine="True" remove_fill="True"/>
</family>
</family>
</variables>
<constraints>
<fill name="get_password">
@ -63,6 +67,7 @@
<param name="username">secret_key</param>
<param name="description">gitea</param>
<param name="type">cleartext</param>
<param name="hide" type="variable">hide_secret</param>
<param name="length" type="number">105</param>
<target>gitea_secret_key</target>
</fill>
@ -71,6 +76,7 @@
<param name="username">internal_token</param>
<param name="description">gitea</param>
<param name="type">cleartext</param>
<param name="hide" type="variable">hide_secret</param>
<param name="length" type="number">105</param>
<target>gitea_internal_token</target>
</fill>
@ -79,6 +85,7 @@
<param name="username">lfs_jwt_secret</param>
<param name="description">gitea</param>
<param name="type">cleartext</param>
<param name="hide" type="variable">hide_secret</param>
<param name="length" type="number">43</param>
<target>gitea_lfs_jwt_secret</target>
</fill>


@ -1 +1 @@
%%get_chain(%%imap_address, 'IMAPServer')
%%get_chain(%%imap_address, 'IMAPServer', hide=%%hide_secret)


@ -1,11 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10">
<variables>
<family name="annuaire">
<variable name="ldap_client_file" type="filename" description="LDAP client filename" hidden="True">
<value>/etc/ldap/ldap.conf</value>
</variable>
</family>
</variables>
</rougail>


@ -0,0 +1,13 @@
<?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10">
<variables>
<family name="annuaire">
<family name="client">
<variable name="ldap_client_file" type="filename" description="Nom du fichier du client LDAP" hidden="True">
<value>/etc/ldap/ldap.conf</value>
</variable>
</family>
</family>
</variables>
</rougail>


@ -1,11 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10">
<variables>
<family name="annuaire">
<variable name="ldap_client_file" type="filename" description="LDAP client filename" hidden="True">
<value>/etc/openldap/ldap.conf</value>
</variable>
</family>
</variables>
</rougail>


@ -0,0 +1,13 @@
<?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10">
<variables>
<family name="annuaire">
<family name="client">
<variable name="ldap_client_file" type="filename" description="Nom du fichier du client LDAP" hidden="True">
<value>/etc/openldap/ldap.conf</value>
</variable>
</family>
</family>
</variables>
</rougail>


@ -10,34 +10,34 @@
</service>
</services>
<variables>
<family name="annuaire">
<family name="annuaire" description="Annuaire OpenLDAP">
<family name="server" description="Serveur">
<variable name='ldap_server_address' type='domainname' description="Nom DNS du serveur LDAP" mandatory='True'/>
<variable name='ldap_port' type='port' description='Port du serveur LDAP' hidden="True">
<value>636</value>
</variable>
</family>
<family name="client" description="Client">
<variable name='ldapclient_family' type='unix_user' description="Nom de la famille LDAP"/>
<variable name='ldapclient_remote_user' type='string' description="DN de l'tilisateur distant" mandatory='True' hidden="True"/>
<variable name='ldapclient_remote_user_password' type='password' description="Mot de passe de l'utilisateur distant" mandatory='True' hidden="True"/>
<variable name='ldap_base_dn' type='string' description="Base DN de l'annuaire" mandatory="True" test="dc=test,o=fr"/>
<variable name='ldapclient_base_dn' type='string' description="Base DN de l'annuaire" mandatory="True"/>
<variable name='ldap_port' type='port' description='Port du serveur LDAP' mandatory='True' test="636"/>
<variable name="ldap_ca_file" type="filename" description="LDAP CA filename" hidden="True"/>
<variable name="ldap_cert_file" type="filename" description="LDAP certificate filename" hidden="True"/>
<variable name="ldap_key_file" type="filename" description="LDAP private key filename" hidden="True"/>
<variable name="ldap_key_file_owner" type="unix_user" description="LDAP private key file owner" hidden="True">
<variable name='ldapclient_user' type='string' description="DN de l'utilisateur LDAP" mandatory='False' hidden="True"/>
<variable name='ldapclient_user_password' type='password' description="Mot de passe de l'utilisateur LDAP" mandatory='True' hidden="True"/>
<variable name='ldapclient_base_dn' type='string' description="Base DN de l'annuaire des utilisateurs" mandatory="False"/>
<variable name="ldap_ca_file" type="filename" description="Fichier de l'autorité de certification LDAP" hidden="True"/>
<variable name="ldap_cert_file" type="filename" description="Fichier du certificate LDAP" hidden="True"/>
<variable name="ldap_key_file" type="filename" description="Fichier de la clef privée LDAP" hidden="True"/>
<variable name="ldap_key_file_owner" type="unix_user" description="Propriétaire du fichier de la clef privée LDAP" hidden="True">
<value>root</value>
</variable>
<variable name="ldap_key_file_group" type="unix_user" description="LDAP private key file group" hidden="True">
<variable name="ldap_key_file_group" type="unix_user" description="Groupe du fichier de la clef privée LDAP" hidden="True">
<value>root</value>
</variable>
</family>
</family>
</variables>
<constraints>
<check name='valid_base_dn'>
<target>ldap_base_dn</target>
</check>
<fill name="calc_ldapclient_base_dn">
<param type="variable">ldap_base_dn</param>
<param type="variable">ldapclient_family</param>
<target>ldapclient_base_dn</target>
</fill>
</check>
<fill name="calc_value">
<param type="variable">tls_ca_directory</param>
<param>ca_LDAP.crt</param>
@ -56,35 +56,32 @@
<param name="join">/</param>
<target>ldap_key_file</target>
</fill>
<fill name="set_linked">
<param name="linked_server" type="variable">ldap_server_address</param>
<param name="linked_provider">clients</param>
<param name="linked_value" type="variable">domain_name_eth0</param>
<fill name="set_linked_multi_variables">
<param type="variable">ldap_server_address</param>
<param name="linked_provider_0">clients</param>
<param name="linked_value_0" type="variable">domain_name_eth0</param>
<param name="linked_provider_1">client_family</param>
<param name="linked_value_1" type="variable">ldapclient_family</param>
<param name="allow_none_1" type="boolean">True</param>
<param name="linked_returns">dn</param>
<target>ldapclient_user</target>
</fill>
<fill name="get_password">
<param name="server_name" type="variable">ldap_server_address</param>
<param name="username" type="variable">ldapclient_user</param>
<param name="description">remote account</param>
<param name="type">cleartext</param>
<param name="hide" type="variable">hide_secret</param>
<param name="temporary" type="boolean">True</param>
<target>ldapclient_user_password</target>
</fill>
<fill name="set_linked_multi_variables">
<param type="variable">ldap_server_address</param>
<param name="linked_provider_0">client_password</param>
<param name="linked_value_0" type="variable">ldapclient_user_password</param>
<param name="linked_returns">base_dn</param>
<param name="dynamic" type="variable">domain_name_eth0</param>
<target>ldapclient_remote_user</target>
<target>ldapclient_base_dn</target>
</fill>
<fill name="get_linked_configuration">
<param name="linked_server" type="variable">ldap_server_address</param>
<param name="linked_provider">client_password</param>
<param name="dynamic" type="variable">domain_name_eth0</param>
<target>ldapclient_remote_user_password</target>
</fill>
<fill name="get_linked_configuration">
<param name="linked_server" type="variable">ldap_server_address</param>
<param name="linked_provider">ldap_dn</param>
<target>ldap_base_dn</target>
</fill>
<fill name="get_linked_configuration">
<param name="linked_server" type="variable">ldap_server_address</param>
<param name="linked_provider">ldap_port</param>
<target>ldap_port</target>
</fill>
<check name="set_linked_configuration">
<param name="linked_server" type="variable">ldap_server_address</param>
<param name="linked_provider">client_family</param>
<param name="dynamic" type="variable">domain_name_eth0</param>
<target>ldapclient_family</target>
</check>
</constraints>
</rougail>
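Review bot: As rendered, the new side of the first hunk goes from `<constraints>` straight to a bare `</check>` — the `valid_base_dn` check and the `calc_ldapclient_base_dn` fill are removed while that closing tag stays as context — which would leave the constraints block not well-formed; worth re-checking the file with `xmllint --noout` in case this is more than a display artefact. `ldapclient_user` is now `mandatory='False'` while `ldapclient_user_password` stays `mandatory='True'` and is filled by `get_password` with `username` taken from `ldapclient_user`; what that fill does with an unset username is not visible here and deserves a comment on the fill. `description="Fichier du certificate LDAP"` should read `Fichier du certificat LDAP`.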


@ -7,15 +7,24 @@ def valid_base_dn(base_dn: str) -> None:
def calc_ldapclient_base_dn(ldap_base_dn: str,
family_name: str,
accounts: bool=False,
family_name: str=None,
base: bool=False,
group: bool=False,
) -> str:
base = f'ou=accounts,{ldap_base_dn}'
if accounts:
return base
if family_name == 'all':
family_name = None
base = True
if group:
return f'ou=groups,{ldap_base_dn}'
if not ldap_base_dn.startswith('ou=accounts,'):
base_name = f'ou=accounts,{ldap_base_dn}'
else:
base_name = ldap_base_dn
if base:
return base_name
if not family_name:
return f'ou=users,{base}'
families = f'ou=families,{base}'
return f'ou=users,{base_name}'
base_name = f'ou=families,{base_name}'
if family_name != '-':
return f'ou={family_name},{families}'
return families
base_name = f'ou={family_name},{base_name}'
return base_name
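Review bot: The `family_name == '-'` sentinel the old body honoured (returning the families container) is gone; with the new body `'-'` produces `ou=-,ou=families,…`. If no caller passes `'-'` any more this is fine; otherwise keep `if family_name == '-': return base_name` just before the final assignment. The `group` branch returns `f'ou=groups,{ldap_base_dn}'` without the `ou=accounts,` normalisation the users branch applies, so the two branches disagree when `ldap_base_dn` already names an accounts subtree — presumably intended, but a docstring stating the expected shape of `ldap_base_dn` and the meaning of `base`, `group` and the `'all'` family would settle it. `family_name: str=None` is better annotated as `str | None`.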


@ -1 +1 @@
%%get_chain(%%ldap_server_address, 'LDAP')
%%get_chain(%%ldap_server_address, 'LDAP', hide=%%hide_secret)


@ -31,8 +31,8 @@ TLS_CACERT %%ldap_ca_file
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
BINDDN %%ldapclient_remote_user
BINDDN %%ldapclient_user
TIMELIMIT 10
NETWORK_TIMEOUT 10
TIMEOUT 10
BINDPW %%ldapclient_remote_user_password
BINDPW %%ldapclient_user_password


@ -1 +1 @@
%%get_certificate(cn=%%domain_name_eth0, authority_cn=%%ldap_server_address, authority_name='LDAP', type='client')
%%get_certificate(cn=%%domain_name_eth0, authority_cn=%%ldap_server_address, authority_name='LDAP', type='client', hide=%%hide_secret)


@ -1,4 +1,4 @@
%set %%key = %%get_private_key(cn=%%domain_name_eth0, authority_cn=%%ldap_server_address, authority_name='LDAP', type='client')
%set %%key = %%get_private_key(cn=%%domain_name_eth0, authority_cn=%%ldap_server_address, authority_name='LDAP', type='client', hide=%%hide_secret)
%if not %%key
%raise Exception('empty key')
%end if


@ -28,14 +28,12 @@
</variable>
<variable name="lemon_mail_admin" type="mail" description="Courriel de l'administrateur" mandatory="True"/>
</family>
<family name="annuaire">
<family name="client">
<variable name='ldapclient_family' redefine="True">
<value>all</value>
</variable>
</family>
</family>
</variables>
<constraints>
<check name="set_linked_configuration">
<param name="linked_value">all</param>
<param name="linked_server" type="variable">ldap_server_address</param>
<param name="linked_provider">client_family</param>
<param name="dynamic" type="variable">domain_name_eth0</param>
<target>lemon_mail_admin</target>
</check>
</constraints>
</rougail>


@ -7,6 +7,7 @@ Providers
- oauth2_token_signature_algo : algorithme de la signature du jeton
- oauth2_name : nom du service affiché à l'utilisateur
- oauth2_description : description du service affiché à l'utilisateur
- oauth2_external : adresse du service (de type https://domaine/location/) c'est une variable multiple, dans ce cas plusieurs lien peuvent être généré pour accéder à ce service (par exemple un pour les utilisateurs + un différent pour une famille)
- oauth2_host : adresse du service (de type https://domaine/location/) c'est une variable multiple, dans ce cas plusieurs lien peuvent être généré pour accéder à ce service (par exemple un pour les utilisateurs + un différent pour une famille)
- oauth2_family : famille autoriser à accéder
- oauth2_logo : logo visible par l'utilisateur
- oauth2_category : catégorie qui permet de classer le service


@ -8,7 +8,12 @@
<variable name="description_" description="Remote description for" hidden="True" provider="oauth2_description"/>
<variable name="category_" hidden="True" provider="oauth2_category"/>
<variable name="login_" description="Remote URL to login" hidden="True" provider="oauth2_login"/>
<variable name="external_" description="Remote external for" hidden="True" provider="oauth2_external" multi="True"/>
<family name="external_" leadership="True">
<variable name="hosts_" description="Remote external for" provider="oauth2_external" multi="True"/>
<variable name="family_" hidden="True" provider="oauth2_family">
<value>users</value>
</variable>
</family>
<variable name="logo_" hidden="True" provider="oauth2_logo"/>
<variable name="token_signature_algo_" type="choice" description="OAuth2 token signature algorithm" mandatory='True' hidden="True" provider="oauth2_token_signature_algo">
<choice>HS512</choice>
@ -22,6 +27,7 @@
<param name="username" type="suffix"/>
<param name="description">remote</param>
<param name="type">cleartext</param>
<param name="hide" type="variable">hide_secret</param>
<target>oauth2.oauth2_.secret_</target>
</fill>
</constraints>
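Review bot: The new leader `hosts_` keeps the replaced variable's `description="Remote external for"`, which no longer matches its name, and unlike the `external_` variable it replaces it carries no `hidden="True"`, so the host list becomes user-editable while `family_` beside it stays hidden. If exposing it is intended, say so in the description (e.g. `description="Remote hosts for"`); otherwise add `hidden="True"` back. The `family_` default `<value>users</value>` would also read better with a `help` attribute stating what the `oauth2_family` provider supplies.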


@ -2,4 +2,5 @@
After=nginx.service
[Service]
ExecStartPre=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/%%ldap_server_address/%%ldap_port; do sleep 1; done'
ExecStartPost=-/usr/bin/timeout 10 bash -c 'while ! /usr/local/lib/sbin/interne_well_known.pl > /var/www/html/.well-known/openid-configuration; do sleep 5; done'
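Review bot: The redirect in `ExecStartPost=-… while ! /usr/local/lib/sbin/interne_well_known.pl > /var/www/html/.well-known/openid-configuration; …` truncates the discovery document before each attempt, so a failing run leaves an empty file under what is presumably the web root until a later attempt succeeds, and `timeout 10` around a 5-second sleep allows at most two attempts before the leading `-` discards the failure. Writing to a temporary name and renaming only on success keeps the last good document in place: `ExecStartPost=-/usr/bin/timeout 10 bash -c 'while ! /usr/local/lib/sbin/interne_well_known.pl > /var/www/html/.well-known/openid-configuration.tmp; do sleep 5; done; mv /var/www/html/.well-known/openid-configuration.tmp /var/www/html/.well-known/openid-configuration'`. A longer timeout, or a log line when the loop gives up, would also help, since a missing discovery document only shows up as client-side failures.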


@ -8,12 +8,12 @@ commentStartToken = §
"portalCustomCss": "risotto/risotto.css",
"authentication" : "LDAP",
"AuthLDAPFilter" : "(&(cn=$user)(objectClass=inetOrgPerson))",
"managerDn" : "%%ldapclient_remote_user",
"managerPassword" : "%%ldapclient_remote_user_password",
"managerDn" : "%%ldapclient_user",
"managerPassword" : "%%ldapclient_user_password",
"ldapPpolicyControl" : 1,
"ldapAllowResetExpiredPassword" : 1,
"ldapChangePasswordAsUser" : 1,
"ldapBase" : "%%calc_ldapclient_base_dn(%%ldap_base_dn, None, accounts=True)",
"ldapBase" : "%%ldapclient_base_dn",
"ldapExportedVars" : {
"uid" : "uid",
"cn" : "cn",
@ -22,9 +22,13 @@ commentStartToken = §
"givenName" : "givenName",
"home" : "homeDirectory"
},
"ldapGroupAttributeName" : "memberUid",
"ldapGroupBase" : "%%ldapclient_base_dn",
"ldapGroupAttributeName" : "member",
"ldapGroupAttributeNameUser" : "cn",
"ldapGroupObjectClass" : "group",
"ldapGroupAttributeNameGroup" : "dn",
"ldapGroupAttributeNameSearch" : "cn",
"ldapGroupAttributeNameUser" : "dn",
"ldapGroupObjectClass" : "groupOfNames",
"ldapPort" : "636",
"ldapServer" : "ldaps://%%ldap_server_address",
"ldapVerify" : "required",
@ -61,18 +65,18 @@ commentStartToken = §
%set %%domains = []
%for %%app in %%oauth2.remotes
%set %%key = %%normalize_family(%%app)
%set %%external = %%oauth2['oauth2_' + %%key]['external_' + %%key]
§ external is somethink like https://domain/
%if %%external
§ somethink like ['https://domain/']
%for %%external in %%oauth2['oauth2_' + %%key]['external_' + %%key]['hosts_' + %%key]
%set %%domain = %%str(%%external).split('/', 3)[-2]
%if %%domain not in %%domains
},
"%%domain" : {
"^/logout" : "logout_sso",
§ FIXME "default" : "$groups eq %%external['family_' + %%key]"
"default" : "accept"
%%domains.append(%%domain)%slurp
%end if
%end if
%end for
%end for
}
},
@ -148,9 +152,9 @@ commentStartToken = §
"loa-4" : 4,
"loa-5" : 5
},
%set %%pub = '\\n'.join(%%get_public_key(%%domain_name_eth0).split("\n"))
%set %%pub = '\\n'.join(%%get_public_key(%%domain_name_eth0, hide=%%hide_secret).split("\n"))
"oidcServicePublicKeySig" : "%%pub",
%set %%priv = '\\n'.join(%%get_private_key(%%domain_name_eth0).split("\n"))
%set %%priv = '\\n'.join(%%get_private_key(%%domain_name_eth0, hide=%%hide_secret).split("\n"))
"oidcServicePrivateKeySig" : "%%priv",
"passwordDB" : "LDAP",
"persistentStorage" : "Apache::Session::File",
@ -176,7 +180,7 @@ commentStartToken = §
'description': %%description,
'logo': "risotto/" + %%oauth2['oauth2_' + %%key]['logo_' + %%key],
'name': %%oauth2['oauth2_' + %%key]['name_' + %%key],
'uri': %%oauth2['oauth2_' + %%key]['external_' + %%key]}
'uri': %%oauth2['oauth2_' + %%key]['external_' + %%key]['hosts_' + %%key]}
%%remotes.setdefault(%%oauth2['oauth2_' + %%key]['category_' + %%key], []).append(%%dico)%slurp
%end for
"applicationList" : {
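Review bot: Every remote vhost rule emitted by the `%for %%external in … ['hosts_' + %%key]` loop still ends in `"default" : "accept"`, with the family-based group check left behind as a `§ FIXME` comment, so any user who can authenticate at the portal is authorised for every remote domain; the per-host `family_` value this commit introduces is therefore not enforced at the SSO layer, only wherever each application scopes its own LDAP subtree. Separately, `%%str(%%external).split('/', 3)[-2]` evaluates to an empty string for a host written without a trailing slash (`https://domain`), which would produce an empty vhost key; if `web_address` values are not guaranteed to end in `/`, normalise the value before splitting. The enclosing template structure begins and ends outside the hunks shown here.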


@ -14,6 +14,7 @@
<param type="variable">plugin_name</param>
<param type="variable">credential_filename</param>
<param type="variable">email</param>
<param type="variable">hide_secret</param>
<target>domain_names</target>
</check>
</constraints>


@ -17,7 +17,10 @@ def letsencrypt_certif(domain: str,
plugin_name: str,
credential_filename: str,
email: str,
hide_secret: bool,
) -> None:
if hide_secret:
return
if None in (domain, authority_cn, plugin_name, credential_filename, email):
return
authority_name = 'External'
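Review bot: The new `hide_secret` parameter is undocumented, and because its guard sits before the `None` check it silently turns the whole certificate request into a no-op without any of the argument validation running; a reader of the `<check>` that wires it cannot infer that from the signature. Add a docstring line for the parameter stating what a true value means for this function (from the call sites it appears to mark runs in which secrets must not be materialised, which should be confirmed) and a one-line comment above the guard such as `# nothing to request or validate when secrets are hidden for this run`. `letsencrypt_certif` starts before this hunk and its body continues after it.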


@ -22,7 +22,7 @@
<family name="mailman" description="Gestionnaire de liste">
<variable name="mailman_mail_owner" type="mail" description="Courriel du gestionnaire de liste du site"/>
<variable name="mailman_domains" type="domainname" description="Nom de domaine des listes" multi="True" mandatory="True"/>
<variable name="postorius_secret_key" type="password" description="Internal secret key" mandatory="True" hidden="True" auto_save="True"/>
<variable name="postorius_secret_key" type="password" description="Internal secret key" mandatory="True" hidden="True" auto_save="False"/>
</family>
<family name="oauth2_client">
<variable name="oauth2_is_client_application" redefine='True'>
@ -43,8 +43,10 @@
<variable name="oauth2_client_token_signature_algo" redefine="True">
<value>RS256</value>
</variable>
<family name="external">
<variable name="oauth2_client_external" redefine="True" remove_fill="True"/>
</family>
</family>
<family name="postgresql">
<variable name="pg_client_key_owner" redefine="True">
<value>mailman</value>
@ -57,6 +59,7 @@
<param name="username">postorius</param>
<param name="description">secret_key</param>
<param name="type">cleartext</param>
<param name="hide" type="variable">hide_secret</param>
<target>postorius_secret_key</target>
</fill>
<fill name="calc_oauth2_client_external">


@ -1 +1 @@
%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%pg_client_server_domainname, authority_name='PostgreSQL', type="client")
%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%pg_client_server_domainname, authority_name='PostgreSQL', type="client", hide=%%hide_secret)


@ -4,4 +4,4 @@ Before=network.target
[Service]
Type=oneshot
ExecStart=/usr/bin/timeout 90 sh -c 'while ! 3<> /dev/tcp/%%mariadb_client_server_domainname/3306; do sleep 1; done; echo "MARIADB STARTED"'
ExecStart=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/%%mariadb_client_server_domainname/3306; do sleep 1; done; echo "MARIADB STARTED"'


@ -19,6 +19,7 @@
<param name="username">root_password</param>
<param name="description">mariadb</param>
<param name="type">cleartext</param>
<param name="hide" type="variable">hide_secret</param>
<param name="length" type="number">50</param>
<target>mariadb_root_password</target>
</fill>


@ -14,9 +14,9 @@
</services>
<variables>
<family name="nextcloud" description="Nextcloud">
<variable name="nextcloud_admin_password" type="password" auto_freeze="True" hidden="True"/>
<variable name="nextcloud_admin_password" type="password" auto_save="False" hidden="True"/>
<variable name="nextcloud_mail_admin" type="mail" mandatory="True"/>
<variable name="nextcloud_instance_id" type="password" auto_freeze="True" hidden="True"/>
<variable name="nextcloud_instance_id" type="password" auto_save="False" hidden="True"/>
<variable name="nextcloud_well_known_server" type="domainname" description="Nom de domaine du serveur hebergeant le répertoire .well-known"/>
<variable name="nextcloud_well_known_caldav" type="web_address" hidden='True'/>
<variable name="nextcloud_well_known_carddav" type="web_address" hidden='True'/>
@ -53,6 +53,7 @@
<param name="username">admin_password</param>
<param name="description">nextcloud</param>
<param name="type">cleartext</param>
<param name="hide" type="variable">hide_secret</param>
<target>nextcloud_admin_password</target>
</fill>
<!-- see lib/private/legacy/OC_Util.php -->
@ -62,6 +63,7 @@
<param name="description">nextcloud</param>
<param name="length" type="number">10</param>
<param name="starts_with_char" type="boolean">True</param>
<param name="hide" type="variable">hide_secret</param>
<target>nextcloud_instance_id</target>
</fill>
<fill name="calc_value">


@ -27,8 +27,8 @@ fi
/usr/bin/php /usr/share/nextcloud/occ config:app:set user_ldap bgjRefreshInterval --value=300 -q
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapHost "ldaps://%%ldap_server_address"
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapPort "%%ldap_port"
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentName "%%ldapclient_remote_user"
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentPassword "%%ldapclient_remote_user_password"
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentName "%%ldapclient_user"
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentPassword "%%ldapclient_user_password"
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBase "%%ldapclient_base_dn"
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseUsers "%%ldapclient_base_dn"
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseGroups "%%ldapclient_base_dn"
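Review bot: The LDAP bind password is still handed to `occ ldap:set-config s01 ldapAgentPassword "…"` as a command-line argument, so it is visible in the process table to other local users and in any shell trace while the command runs; renaming the variable to `ldapclient_user_password` does not change that exposure. If `occ` accepts the value from a file or standard input, prefer that route; otherwise make sure this script is never run under `set -x` and that the rendered script keeps restrictive permissions, since the secret is embedded in it at template time. The script's surrounding lines are outside this hunk.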


@ -2,7 +2,7 @@ client_max_body_size %%{nginx_post_max_size}M;
client_body_buffer_size 128k;
# Always trust ourself
%for %%interface in %%range(%%number_of_interfaces)
%for %%interface in %%range(%%len(%%zones_list))
set_real_ip_from %%getVar('ip_eth{0}'.format(%%interface));
%end for


@ -1,2 +1,2 @@
%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy', type="server")
%%get_chain(%%revprox_client_server_domainname, 'InternalReverseProxy')
%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy', type="server", hide=%%hide_secret)
%%get_chain(%%revprox_client_server_domainname, 'InternalReverseProxy', hide=%%hide_secret)


@ -1 +1 @@
%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy', type='server')
%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy', type='server', hide=%%hide_secret)


@ -10,10 +10,12 @@
</service>
</services>
<variables>
<family name="network">
<variable name="external_ports" redefine="True">
<value>80</value>
<value>443</value>
</variable>
</family>
<family name="nginx" description="NGINX" help="Paramétrage global de NGINX">
<variable name="nginx_default" redefine="True" mandatory="True"/>
<variable name="revprox_domainnames" type="domainname" description="Nom des domaines à configurer dans le serveur mandataire inverse" help="Liste des domaines gérés par le serveur mandataire inverse" multi="True"/>


@ -1,3 +1,3 @@
%for %%idx in %%range(0, %%number_of_interfaces)
%%get_chain(authority_cn=%%getVar('domain_name_eth' + %%str(%%idx)), authority_name="InternalReverseProxy")
%for %%idx in %%range(%%len(%%zones_list))
%%get_chain(authority_cn=%%getVar('domain_name_eth' + %%str(%%idx)), authority_name="InternalReverseProxy", hide=%%hide_secret)
%end for


@ -1 +1 @@
%%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External')
%%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)


@ -1 +1 @@
%%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External')
%%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)


@ -14,7 +14,7 @@
</service>
</services>
<variables>
<family name="dns" description="DNS">
<family name="network">
<variable name="dns_client_address" redefine="True" disabled="True"/>
<variable name="ip_dns" redefine="True" remove_fill="True">
<value>127.0.0.1</value>


@ -1,6 +1,6 @@
server:
interface: 127.0.0.1
%for %%interface in %%interfaces_list
%for %%interface in %%range(%%len(%%zones_list))
interface: %%getVar('ip_eth' + %%str(%%interface))
%end for
do-ip4: yes


@ -9,7 +9,12 @@
<variable name="oauth2_client_name" description="OAuth2 client name" mandatory='True'/>
<variable name="oauth2_client_description" description="OAuth2 client description" mandatory='True'/>
<variable name="oauth2_client_login" type="web_address" description="OAuth2 URL to valid login" multi="True"/>
<family name="external">
<variable name="oauth2_client_external" type="web_address" description="OAuth2 client external" mandatory='True' multi="True"/>
<variable name="oauth2_client_family" description="OAuth2 family">
<value>users</value>
</variable>
</family>
<variable name="oauth2_client_category" description="OAuth2 category" mandatory='True'>
<value>Défaut</value>
</variable>
@ -74,6 +79,13 @@
<param name="dynamic" type="variable">oauth2_client_id</param>
<target>oauth2_client_logo</target>
</check>
<check name="set_linked_configuration">
<param name="linked_server" type="variable">oauth2_client_server_domainname</param>
<param name="linked_provider">oauth2_family</param>
<param name="leader_provider">oauth2_external</param>
<param name="dynamic" type="variable">oauth2_client_id</param>
<target>oauth2_client_family</target>
</check>
<check name="set_linked_configuration">
<param name="linked_server" type="variable">oauth2_client_server_domainname</param>
<param name="linked_provider">oauth2_login</param>
@ -96,6 +108,7 @@
<target type="variable">oauth2_client_name</target>
<target type="variable">oauth2_client_description</target>
<target type="variable">oauth2_client_external</target>
<target type="variable">oauth2_client_family</target>
</condition>
</constraints>
</rougail>


@ -13,44 +13,21 @@
<file>/secrets/config_acl.ldif</file>
<file>/secrets/admin_ldap.pwd</file>
<file engine="none">/sysusers.d/risotto-openldap.conf</file>
<file engine="none" source="tmpfile-openldap-server.conf">/tmpfiles.d/0openldap-server.conf</file>
<file source="tmpfile-openldap-server.conf">/tmpfiles.d/0openldap-server.conf</file>
</service>
</services>
<variables>
<family name="annuaire">
<family name="server">
<variable name='ldap_server_address' redefine="True" hidden="True"/>
<variable name='ldap_base_dn' redefine="True" mandatory="True" provider="ldap_dn"/>
<variable name='ldap_port' redefine="True" remove_fill="True" hidden="False" provider="ldap_port">
<value>636</value>
</variable>
<variable name='ldap_admin_dn' type='string' description="Administrateur de l'annuaire" mandatory="True" auto_freeze='True'/>
<variable name='ldap_admin_password' type="password" description="Mot de passe de l'administrateur de l'annuaire" hidden='True' auto_save='True'/>
<family name='ldap_index_attribute' leadership='True' description="Gestion des index des attributes">
<variable name='ldap_index_attribute' type='string' description="Attribut à indexer" multi="True">
<value>objectClass</value>
<value>uid</value>
<value>cn</value>
<value>sn</value>
<!--value>mailLocalAddress</value-->
<value>givenName</value>
<value>mail</value>
<value>entryCSN</value>
<value>entryUUID</value>
<value>contextCSN</value>
</variable>
<variable name='ldap_index_indices' type='string' description="Types d'index" multi="True">
<value>eq</value>
<value>pres</value>
</variable>
<variable name='openldap_ca_chain' description="CA certificate" hidden='True'/>
</family>
<variable name='ldap_schemas' type='filename' description='Schémas LDAP additionnel' multi='True'>
<value>/etc/openldap/schema/cosine.ldif</value>
<value>/etc/openldap/schema/inetorgperson.ldif</value>
<value>/etc/openldap/schema/nis.ldif</value>
<value>/etc/openldap/schema/misc.ldif</value>
</variable>
<family name='limits' description='Limites' mode='expert'>
<variable name='ldap_loglevel' type='number' description='Niveau de log' mode="expert">
<value>0</value>
</variable>
@ -60,8 +37,6 @@
<variable name='ldap_timelimit' type='number' description='Temps de réponse maximum à une requête (en secondes)' mode="expert">
<value>3600</value>
</variable>
<variable name='ldapclient_remote_user' redefine="True"/>
<variable name='ldapclient_remote_user_password' redefine="True"/>
</family>
<family name='db_environment' description='DB environment' mode='expert'>
<variable name='db_cache_size_g' description="Quantité de Giga-octets à utiliser pour le cache HDB" type="number">
@ -83,18 +58,26 @@
<value>2097152</value>
</variable>
<variable name='db_log_directory' type='filename' description='Répertoire de conservation des informations de journalisation'>
<value>/var/lib/ldap/logs</value>
<value>/srv/openldap/log</value>
</variable>
<variable name='db_lk_max_objects' type='number' description="Numbre d'objet qui peuvent être verrouillés simultanément ">
<variable name='db_lk_max_objects' type='number' description="Nombre d'objet qui peuvent être verrouillés simultanément ">
<value>5000</value>
</variable>
<variable name='db_lk_max' type='number' description='Nombre de verrous maximal'>
<value>5000</value>
</variable>
<variable name='db_lk_max_lockers' type='number' description='Nombre de verrouilleur maximal'>
<variable name='db_lk_max_lockers' type='number' description='Nombre de verroulleur maximal'>
<value>5000</value>
</variable>
</family>
</family>
<family name="client">
<variable name='ldapclient_user' redefine="True"/>
<!--variable name='ldapclient_user_password' redefine="True"/-->
<variable name='ldapclient_family' redefine="True" disabled="True"/>
<variable name='ldapclient_base_dn' redefine="True" mandatory="True" provider="ldap_dn"/>
</family>
</family>
</variables>
<constraints>
<!--fill/auto-->
@ -104,34 +87,13 @@
</fill>
<fill name='get_default_base_dn'>
<param type="variable">domain_name_eth0</param>
<target>ldap_base_dn</target>
<target>ldapclient_base_dn</target>
</fill>
<fill name='calc_value'>
<param>cn=admin</param>
<param type='variable'>ldap_base_dn</param>
<param type='variable'>ldapclient_base_dn</param>
<param name="join">,</param>
<target>ldap_admin_dn</target>
</fill>
<fill name="get_password">
<param name="server_name" type="variable">domain_name_eth0</param>
<param name="username">writer</param>
<param name="description">LDAP</param>
<param name="type">cleartext</param>
<param name="temporary" type="boolean">True</param>
<target>ldap_admin_password</target>
</fill>
<fill name="calc_value">
<param type="variable">ldap_admin_dn</param>
<target>ldapclient_remote_user</target>
</fill>
<fill name="calc_value">
<param type="variable">ldap_admin_password</param>
<target>ldapclient_remote_user_password</target>
</fill>
<fill name="get_chain">
<param name="authority_cn" type="variable">domain_name_eth0</param>
<param name="authority_name">LDAP</param>
<target>openldap_ca_chain</target>
<target>ldapclient_user</target>
</fill>
</constraints>
</rougail>
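Review bot: The server's root identity is now the generic `ldapclient_user` (set to `cn=admin,<ldapclient_base_dn>` by the `calc_value` fill in the last hunk), but `ldapclient_user_password` is left as a commented-out redefine in the new `client` family and the `get_password` fill that previously generated the admin password (with `temporary` set) is removed, so the origin of the root password is no longer visible in this file. If the value is inherited from the shared client definition, say so on the family rather than leaving dead markup, e.g. `<!-- ldapclient_user_password is inherited from the client definition; it is also this server's olcRootPW -->`, and delete the commented-out `<variable>`. Because the same variable names are what client services bind with elsewhere in this commit (Nextcloud, LemonLDAP), it is worth confirming that the per-remote `accounts.remote_` credentials stay distinct so that no client ends up binding as the directory root. The hunks above also drop the `openldap_ca_chain` variable and its `get_chain` fill; check that no template still references it.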


@ -3,14 +3,11 @@
<variables>
<variable name="remotes" description="Serveurs distant ayant un compte" type="domainname" multi="True" provider="clients"/>
<family name="remote_" description="Compte LDAP pour " dynamic="accounts.remotes">
<variable name="dn_" description="LDAP DN" hidden="True" provider="dn"/>
<variable name="password_" description="Mot de passe" auto_save="True" hidden="True" provider="client_password"/>
<variable name="family_" description="Nom de la familly" auto_save="True" hidden="True" provider="client_family"/>
<variable name="read_only_" description="Le compte est en lecture seule" type="boolean"/>
</family>
<family name="acl" description="Gestion des droits d'accès aux attributes" leadership="True">
<variable name='ldap_acl_attribute' type="string" description="ACL de l'attribut" multi="True"/>
<variable name='ldap_acl_rights' type="string" description="ACL de l'attribut" multi="True"/>
<variable name="family_" description="Nom de la familly de " hidden="True" provider="client_family"/>
<variable name="dn_" description="LDAP DN de " hidden="True" provider="dn"/>
<variable name="password_" description="Mot de passe de " hidden="True" provider="client_password"/>
<variable name="base_dn_" description="LDAP base DN de " hidden="True" provider="base_dn"/>
<variable name="read_only_" description="Le compte est en lecture seule de " type="boolean"/>
</family>
<family name="users" description="Gestion des utilisateurs" leadership="True">
<variable name='ldap_user_mail' type="mail" description="Adresse courriel du compte" multi="True"/>
@ -22,38 +19,36 @@
</family>
<variable name="families" description="Familles" type="unix_user" multi="True"/>
<family name="family_" description="Gestion de la famille " dynamic="accounts.families">
<family name="users_" description="Gestion des utilisateurs" leadership="True">
<variable name='ldap_user_mail_' type="mail" description="Adresse courriel du compte" multi="True"/>
<variable name='ldap_user_aliases_' type="mail" description="Aliases du mail" multi="True"/>
<variable name='ldap_user_uid_' type="unix_user" description="Nom de compte" mandatory="True"/>
<variable name='ldap_user_sn_' type="string" description="Prénom" mandatory="True"/>
<variable name='ldap_user_gn_' type="string" description="Nom de famille" mandatory="True"/>
<variable name='ldap_user_password_' type="password" description="Mot de passe" mandatory="True" hidden="True"/>
<family name="users_" description="Gestion des utilisateurs de la famille " leadership="True">
<variable name='ldap_user_mail_' type="mail" description="Adresse courriel du compte de la famille " multi="True"/>
<variable name='ldap_user_aliases_' type="mail" description="Aliases du mail de la famille " multi="True"/>
<variable name='ldap_user_uid_' type="unix_user" description="Nom de compte de la famille " mandatory="True"/>
<variable name='ldap_user_sn_' type="string" description="Prénom de la famille " mandatory="True"/>
<variable name='ldap_user_gn_' type="string" description="Nom de famille de la famille " mandatory="True"/>
<variable name='ldap_user_password_' type="password" description="Mot de passe de la famille " mandatory="True" hidden="True"/>
</family>
</family>
</variables>
<constraints>
<fill name="calc_ldapclient_base_dn">
<param type="variable">ldapclient_base_dn</param>
<param type="variable">accounts.remote_.family_</param>
<target>accounts.remote_.base_dn_</target>
</fill>
<fill name='calc_value'>
<param>cn=</param>
<param type='suffix'></param>
<param>,</param>
<param type='variable'>ldap_base_dn</param>
<param type='variable'>ldapclient_base_dn</param>
<param name="join"></param>
<target>accounts.remote_.dn_</target>
</fill>
<fill name="get_password">
<param name="server_name" type="variable">domain_name_eth0</param>
<param name="username" type='suffix'/>
<param name="description">remote account</param>
<param name="type">cleartext</param>
<param name="temporary" type="boolean">True</param>
<target>accounts.remote_.password_</target>
</fill>
<fill name="get_password">
<param name="server_name" type="variable">domain_name_eth0</param>
<param name="username" type='variable'>accounts.users.ldap_user_mail</param>
<param name="description">ldap user</param>
<param name="type">cleartext</param>
<param name="hide" type="variable">hide_secret</param>
<param name="temporary" type="boolean">True</param>
<target>accounts.users.ldap_user_password</target>
</fill>
@ -62,6 +57,7 @@
<param name="username" type='variable'>accounts.family_.users_.ldap_user_mail_</param>
<param name="description">ldap family user</param>
<param name="type">cleartext</param>
<param name="hide" type="variable">hide_secret</param>
<param name="temporary" type="boolean">True</param>
<target>accounts.family_.users_.ldap_user_password_</target>
</fill>
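Review bot: The description moved onto the `family_` variable keeps the misspelling from the old line (`Nom de la familly de `); `famille` would match the wording used for the `family_` family further down. While the `password_` and `family_` variables lose `auto_save="True"` in the move, the commit does not say whether remote account passwords are now expected to be regenerated on each run; a short comment on the `remote_` family stating the intended persistence would prevent an accidental credential rotation surprising the remotes. The `<variables>` element of this file starts before the first hunk.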


@ -1 +1 @@
%%ldap_admin_password%slurp
%%ldapclient_user_password%slurp


@ -100,7 +100,7 @@ olcDatabase: {-1}frontend
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="%%ldap_admin_dn" write by * none
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="%%ldapclient_user" write by * none
dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
@ -112,11 +112,17 @@ objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /srv/openldap
olcRootDN: %%ldap_admin_dn
olcRootPW:: %%ssha_encode(%%ldap_admin_password)
olcSuffix: %%ldap_base_dn
olcRootDN: %%ldapclient_user
olcRootPW:: %%ssha_encode(%%ldapclient_user_password)
olcSuffix: %%ldapclient_base_dn
olcSizeLimit: %%ldap_sizelimit
olcTimeLimit: %%ldap_timelimit
%for %%attribute in %%ldap_index_attribute
olcDbIndex: %%attribute %echo ','.join(%%attribute.ldap_index_indices)
%end for
olcDbIndex: objectClass eq,pres
olcDbIndex: uid eq,pres
olcDbIndex: cn eq,pres
olcDbIndex: sn eq,pres
olcDbIndex: givenName eq,pres
olcDbIndex: mail eq,pres
olcDbIndex: entryCSN eq,pres
olcDbIndex: entryUUID eq,pres
olcDbIndex: contextCSN eq,pres


@ -1,7 +1,9 @@
%set %%dns = {}
%set %%groups = []
%for %%remote in %%accounts.remotes
%set %%name = %%normalize_family(%%remote)
%set %%family = %%accounts['remote_' + %%name]['family_' + %%name]
%%groups.append(%%accounts['remote_' + %%name]['dn_' + %%name])%slurp
%%dns.setdefault(%%family, []).append((%%accounts['remote_' + %%name]['dn_' + %%name], %%accounts['remote_' + %%name]['read_only_' + %%name]))%slurp
%end for
dn: olcDatabase={2}mdb,cn=config
@ -11,27 +13,27 @@ olcAccess: {0}to attrs=userPassword
by self write
by anonymous auth
by * none
%set %%aclidx = 1
olcAccess: {1}to dn.subtree="%%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=None, group=True)"
%for group in %%groups
by dn="%%group" read
%end for
by * none
%set %%aclidx = 2
%for %%family, %%remotes in %%dns.items()
%if %%family == 'all'
olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldap_base_dn, None, accounts=True)"
olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=None, base=True)"
%else
olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldap_base_dn, %%family)"
olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldapclient_base_dn, %%family)"
%end if
by self read
%for %%remote in %%remotes
by dn="%%remote[0]" %slurp
%if %%remote[1]
read%slurp
read
%else
write%slurp
write
%end if
%end for
%set %%aclidx += 1
by * none
%end for
%for %%idx, %%acl in %%enumerate(%%accounts.acl.ldap_acl_attribute)
%set %%aclidx += 1
olcAccess: {%%aclidx}to %%acl %echo ' '.join(%%acl.ldap_acl_rights)
%end for
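Review bot: The new `{1}` rule grants every remote account DN read access to the entire groups subtree regardless of the family that account belongs to, whereas the account subtrees generated just below are scoped per family; if family isolation is intended, membership of other families' groups leaks through this rule and it should be narrowed to the caller's own family group. `%set %%aclidx = 1` is immediately overwritten by `%set %%aclidx = 2` and can be dropped, and `%for group in %%groups` omits the `%%` prefix used on every other loop variable in this template. The trailing `ldap_acl_attribute` loop increments `%%aclidx` before emitting while the family loop increments after, so one index value is skipped between the two; whether slapd accepts a gap in `{n}` ordering should be verified, and aligning the two loops (`%set %%aclidx += 1` after the emit in both) avoids the question.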


@ -1,5 +1,5 @@
%set %%extra_domainnames = []
%for %%idx in %%range(1, %%number_of_interfaces)
%for %%idx in %%range(%%len(%%zones_list))
%%extra_domainnames.append(%%getVar('domain_name_eth' + %%str(%%idx)))
%end for
%%get_certificate(%%domain_name_eth0, 'LDAP', extra_domainnames=%%extra_domainnames)
%%get_certificate(%%domain_name_eth0, 'LDAP', extra_domainnames=%%extra_domainnames, hide=%%hide_secret)
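Review bot: The loop now starts at index 0 (`%%range(%%len(%%zones_list))` replaces `%%range(1, %%number_of_interfaces)`), so `domain_name_eth0` is appended to `%%extra_domainnames` while it is also passed as the primary name on the last line; unless `get_certificate` deduplicates, the request carries a duplicate subject alternative name. Keep the old lower bound: `%for %%idx in %%range(1, %%len(%%zones_list))`. The other loops this commit rewrites (chain and postfix certificate templates) started at 0 before and after, so only this file is affected.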


@ -1 +1 @@
%%get_private_key(%%domain_name_eth0, 'LDAP')
%%get_private_key(cn=%%domain_name_eth0, authority_name='LDAP', hide=%%hide_secret)


@ -11,6 +11,6 @@ ExecStart=
# remove none tls port
ExecStart=+/usr/sbin/slapd -u ldap -h ldaps:///
#waiting for ldap server...
ExecStartPost=/usr/bin/timeout 90 sh -c 'while ! 3<> /dev/tcp/localhost/%%ldap_port; do sleep 1; done'
ExecStartPost=-/usr/bin/ldapmodify -D %%ldap_admin_dn -y /usr/local/lib/secrets/admin_ldap.pwd -v -f /usr/local/lib/secrets/config_acl.ldif
ExecStartPost=-/usr/bin/ldapmodify -D %%ldap_admin_dn -y /usr/local/lib/secrets/admin_ldap.pwd -v -f /usr/local/lib/secrets/users_mod.ldif
ExecStartPost=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/localhost/%%ldap_port; do sleep 1; done'
ExecStartPost=-/usr/bin/ldapmodify -D %%ldapclient_user -y /usr/local/lib/secrets/admin_ldap.pwd -v -f /usr/local/lib/secrets/config_acl.ldif
ExecStartPost=-/usr/bin/ldapmodify -D %%ldapclient_user -y /usr/local/lib/secrets/admin_ldap.pwd -v -f /usr/local/lib/secrets/users_mod.ldif
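Review bot: The `-` prefix on the `config_acl.ldif` ExecStartPost line makes a failure to apply the access rules non-fatal, so slapd keeps serving with whatever `olcAccess` values the database already holds and nothing signals that the ACLs rewritten in this commit were not installed. Consider dropping the `-` on that line so a broken ACL LDIF fails the unit: `ExecStartPost=/usr/bin/ldapmodify -D %%ldapclient_user -y /usr/local/lib/secrets/admin_ldap.pwd -v -f /usr/local/lib/secrets/config_acl.ldif`. Keeping the best-effort `-` on the `users_mod.ldif` line is reasonable if that file is expected to partially fail on reruns. Reading the bind password with `-y <file>` instead of on the command line is the right choice here.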


@ -1,2 +1,3 @@
d /srv/openldap 700 ldap ldap - -
d %%db_log_directory 700 ldap ldap - -
d /etc/openldap/slapd.d 750 ldap ldap - -


@ -1,6 +1,7 @@
# BaseDN
dn: %%ldap_base_dn
%set %%attribute, %%organization = %%ldap_base_dn.split(',', 1)[0].split('=')
%set groups = {}
dn: %%ldapclient_base_dn
%set %%attribute, %%organization = %%ldapclient_base_dn.split(',', 1)[0].split('=')
%%attribute: %%organization
objectClass: top
%if %%attribute == 'o'
@ -22,21 +23,22 @@ objectClass: inetOrgPerson
%end for
# Accounts
%set %%users = %%calc_ldapclient_base_dn(%%ldap_base_dn, '')
dn: %%calc_ldapclient_base_dn(%%ldap_base_dn, None, accounts=True)
dn: %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=None, base=True)
ou: accounts
objectClass: top
objectClass: organizationalUnit
## Users
%set %%users = %%calc_ldapclient_base_dn(%%ldap_base_dn, '')
## Accounts users
%set %%users = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=None)
dn: %%users
ou: users
objectClass: top
objectClass: organizationalUnit
%for %%user in %%accounts.users.ldap_user_mail
dn: cn=%%user,%%users
%set %%userdn = "cn=" + %%user + "," + %%users
%%groups.setdefault('users', []).append(%%userdn)
dn: %%userdn
cn: %%user
mail: %%user
sn: %%user.ldap_user_sn
@ -59,20 +61,22 @@ objectClass: inetLocalMailRecipient
%end for
## Families
dn: %%calc_ldapclient_base_dn(%%ldap_base_dn, '-')
dn: %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name='-')
ou: families
objectClass: top
objectClass: organizationalUnit
%for %%family in %%accounts.families
%set %%families = %%calc_ldapclient_base_dn(%%ldap_base_dn, %%family)
%set %%families = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=%%family)
dn: %%families
ou: %%family
objectClass: top
objectClass: organizationalUnit
%for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
dn: cn=%%user,%%families
%set %%userdn = "cn=" + %%user + "," + %%families
%%groups.setdefault(%%family, []).append(%%userdn)
dn: %%userdn
cn: %%user
mail: %%user
sn: %%user['ldap_user_sn_' + %%family]
@ -95,3 +99,20 @@ objectClass: inetLocalMailRecipient
%end for
%end for
## Groups
%set %%groupdn = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=None, group=True)
dn: %%groupdn
ou: groups
objectClass: top
objectClass: organizationalUnit
%for %%group, %%members in %%groups.items()
dn: cn=%%group,%%groupdn
cn: %%group
objectclass: top
objectclass: groupOfNames
%for %%member in %%members
member: %%member
%end for
%end for
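Review bot: `%%groups.setdefault('users', []).append(%%userdn)` and its family counterpart are written without the `%slurp` that every other `.append(…)` call in this commit's templates carries (config_acl.ldif, the LemonLDAP template); if the engine renders the call's return value or line break, a stray line lands in the LDIF immediately before each user's `dn:`, so append `%slurp` to both lines. `%set groups = {}` also omits the `%%` prefix used on every other `%set` in this file, and the new group entries write `objectclass:` where the rest of the file uses `objectClass:` — harmless to the directory, but inconsistent. Note that `users_mod.ldif` in this commit updates user entries but not these `groupOfNames` entries, so users added after initial load may not appear in their family group; worth confirming.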


@ -8,7 +8,7 @@ userPassword:: %%ssha_encode(%%accounts['remote_' + %%name]['password_' + %%name
%end for
# Users
%set %%users = %%calc_ldapclient_base_dn(%%ldap_base_dn, '')
%set %%users = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, '')
%for %%user in %%accounts.users.ldap_user_mail
dn: cn=%%user,%%users
changetype: modify
@ -26,7 +26,7 @@ mailLocalAddress: %%alias
%end for
# Families
%for %%family in %%accounts.families
%set %%families = %%calc_ldapclient_base_dn(%%ldap_base_dn, %%family)
%set %%families = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, %%family)
%for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
dn: cn=%%user,%%families
changetype: modify


@ -36,8 +36,10 @@
<variable name="oauth2_client_logo" redefine='True'>
<value>silique_video.png</value>
</variable>
<family name="external">
<variable name="oauth2_client_external" redefine="True" remove_fill="True"/>
</family>
</family>
<family name="nginx">
<family name="revprox_client">
<variable name="revprox_client_location" redefine="True">


@ -11,7 +11,7 @@
</services>
<variables>
<variable name="piwigo_admin_email" type="mail" description="Adresse courriel de l'administrateur Piwigo" mandatory="True"/>
<variable name="piwigo_admin_password" type="password" auto_save="True" hidden="True"/>
<variable name="piwigo_admin_password" type="password" auto_save="False" hidden="True"/>
<family name="nginx">
<variable name="nginx_root_directory" mandatory="True" redefine="True">
<value>/usr/local/share/piwigo</value>
@ -48,6 +48,7 @@
<param name="username">admin_password</param>
<param name="description">piwigo</param>
<param name="type">cleartext</param>
<param name="hide" type="variable">hide_secret</param>
<target>piwigo_admin_password</target>
</fill>
<fill name="get_locations">


@ -36,8 +36,10 @@
<variable name="oauth2_client_logo" redefine='True'>
<value>silique_video.png</value>
</variable>
<family name="external">
<variable name="oauth2_client_external" redefine="True" remove_fill="True"/>
</family>
</family>
<family name="nginx" description="Reverse proxy">
<family name="revprox_client" description="Point d'entré des clients" leadership="True">
<variable name="revprox_client_location" redefine="True">


@ -32,16 +32,18 @@
</service>
</services>
<variables>
<family name="network">
<variable name="external_ports" redefine="True">
<value>25</value>
</variable>
</family>
<family name="postfix" description="Postfix mail server">
<variable name="postfix_mail_hostname" type="domainname" description="Nom de domaine extérieur du serveur de courriel" mandatory="True"/>
<variable name="postfix_relay_domains" type="domainname" description="Domaine de courriel généré localement" multi="True" mandatory="True" hidden="True"/>
<variable name='postfix_relay_authentifications' description="CA certificate" hidden='True' multi="True" provider="mail"/>
<family name="local_authentification_" description="Local server authentification" dynamic='postfix_relay_authentifications'>
<variable name="local_authentification_ip_" type="ip" provider="mail_ip"/>
<variable name="local_authentification_password_" type="secret" auto_save="True" provider="mail_password"/>
<variable name="local_authentification_password_" type="secret" auto_save="False" provider="mail_password"/>
</family>
<variable name='postfix_pem_files' type="filename" hidden='True' multi='True'/>
</family>
@ -63,6 +65,7 @@
<param name="username" type="suffix"/>
<param name="description">local authentification</param>
<param name="type">cleartext</param>
<param name="hide" type="variable">hide_secret</param>
<target>local_authentification_password_</target>
</fill>
<fill name="calc_value">
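Review bot: switching `local_authentification_password_` to `auto_save="False"` means the generated value is no longer pinned in the saved configuration and is recomputed by the `get_password` fill on every evaluation, so the stability of this secret now rests entirely on get_password's own store, which is not visible here. With `hide` now wired to `hide_secret`, it is also worth making sure that whatever placeholder the fill returns in hidden mode can never reach a rendered `/etc/postfix` file — `mandatory="True"` will accept that placeholder as a valid value. A short comment on the variable saying that the password is owned by the secrets store and only mirrored here would spare the next reader the same question.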


@ -1 +1 @@
%%get_chain(authority_cn=%%domain_name_eth0, authority_name="MailServer")
%%get_chain(authority_cn=%%domain_name_eth0, authority_name="MailServer", hide=%%hide_secret)


@ -1 +1 @@
%%get_certificate(%%domain_name_eth0, 'MailServer')
%%get_certificate(%%domain_name_eth0, 'MailServer', hide=%%hide_secret)
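Review bot: the argument style is now inconsistent across the three MailServer templates: the sibling `get_private_key` call was switched to keyword arguments (`cn=…, authority_name=…`) while this `get_certificate` call still passes the same values positionally next to the new `hide=` keyword. Writing it as `%%get_certificate(cn=%%domain_name_eth0, authority_name='MailServer', hide=%%hide_secret)` keeps the templates readable side by side and removes the risk of a silent argument swap if the helper's positional order ever changes.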


@ -1 +1 @@
%%get_private_key(%%domain_name_eth0, 'MailServer')
%%get_private_key(cn=%%domain_name_eth0, authority_name='MailServer', hide=%%hide_secret)


@ -1,4 +1,4 @@
%for %%idx in %%range(0, %%number_of_interfaces)
%for %%idx in %%range(%%len(%%zones_list))
%set %%domain = %%getVar('domain_name_eth' + %%str(%%idx))
%%domain /etc/postfix/certs/%%{domain}.pem
%end for
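Review bot: the loop is now driven by `len(zones_list)` but the body still reads `domain_name_eth<idx>` through `getVar`, so it relies on zone N being bound to interface ethN, and that coupling is stated nowhere in the template. A one-line comment above the loop, e.g. `## one zone per interface: zones_list[idx] maps to eth<idx>` (`##` if the engine is Cheetah-based), would make the assumption explicit. If a zone can exist without a matching interface the getVar lookup will fail on a missing variable — worth confirming against how zones_list is built, which I cannot see from here.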


@ -1,4 +1,4 @@
%set %%chain = %%get_chain(authority_cn=%%rougail_variable, authority_name="MailRelay")
%set %%cert = %%get_certificate(%%rougail_variable, 'MailRelay')
%%get_private_key(%%rougail_variable, 'MailRelay')
%set %%chain = %%get_chain(authority_cn=%%rougail_variable, authority_name="MailRelay", hide=%%hide_secret)
%set %%cert = %%get_certificate(cn=%%rougail_variable, authority_name='MailRelay', hide=%%hide_secret)
%%get_private_key(cn=%%rougail_variable, authority_name='MailRelay', hide=%%hide_secret)
%%cert
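Review bot: `%%chain` is assigned on the first line but never written out, so the generated PEM contains only the private key and the leaf certificate and any intermediate CA returned by `get_chain` is silently dropped; the redis template in this same commit emits `%%ca_chain` after `%%cert`. Either append a final `%%chain` line (key, then cert, then chain) if the relay is expected to present the full chain, or remove the `get_chain` call so the template does not fetch material it discards. I cannot see how postfix consumes this file, so which of the two is right depends on whether the CA is distributed to peers separately.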


@ -1,2 +1,2 @@
%%get_chain(authority_cn=%%pg_client_server_domainname, authority_name="PostgreSQL")
%%get_chain(authority_cn=%%pg_client_server_domainname, authority_name="PostgreSQL", hide=%%hide_secret)


@ -1 +1 @@
%%get_certificate(cn=%%domain_name_eth0, authority_cn=%%pg_client_server_domainname, authority_name='PostgreSQL', type="client")
%%get_certificate(cn=%%domain_name_eth0, authority_cn=%%pg_client_server_domainname, authority_name='PostgreSQL', type="client", hide=%%hide_secret)


@ -1 +1 @@
%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%pg_client_server_domainname, authority_name='PostgreSQL', type="client")
%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%pg_client_server_domainname, authority_name='PostgreSQL', type="client", hide=%%hide_secret)


@ -5,5 +5,5 @@ Before=network.target
[Service]
Type=oneshot
Environment=PGPASSFILE=/usr/local/lib/secrets/postgresql.pass
ExecStart=/usr/bin/timeout 90 sh -c 'while ! 3<> /dev/tcp/%%pg_client_server_domainname/5432; do sleep 1; done; echo "POSTGRESQL STARTED"'
ExecStart=/usr/bin/timeout 90 sh -c 'while ! /usr/bin/psql --set=sslmode=verify-full -h %%pg_client_server_domainname -U %%pg_client_username %%pg_client_database -c "\l"; do sleep 1; done; echo "POSTGRESQL READY"'
ExecStart=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/%%pg_client_server_domainname/5432; do sleep 1; done; echo "POSTGRESQL STARTED"'
ExecStart=/usr/bin/timeout 90 bash -c 'while ! /usr/bin/psql --set=sslmode=verify-full -h %%pg_client_server_domainname -U %%pg_client_username %%pg_client_database -c "\l"; do sleep 1; done; echo "POSTGRESQL READY"'
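Review bot: `--set=sslmode=verify-full` on the psql readiness line assigns a psql meta-variable (the equivalent of `\set`), not the libpq connection parameter, so this probe still connects with libpq's default `sslmode=prefer` and will happily present the password from PGPASSFILE to an unverified or even plaintext endpoint. Set it where libpq reads it, e.g. `Environment=PGSSLMODE=verify-full` next to the existing `Environment=PGPASSFILE=...` line, or pass a conninfo string such as `psql "host=%%pg_client_server_domainname sslmode=verify-full dbname=%%pg_client_database user=%%pg_client_username"`. verify-full also needs a trusted root (`PGSSLROOTCERT` or the default `~/.postgresql/root.crt`) pointing at the PostgreSQL CA chain this commit templates elsewhere — worth confirming that the unit's user actually has it. The sh→bash switch needed for `/dev/tcp` on the preceding line is unrelated to this.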


@ -1 +1 @@
%%get_chain(authority_cn=%%domain_name_eth0, authority_name="PostgreSQL")
%%get_chain(authority_cn=%%domain_name_eth0, authority_name="PostgreSQL", hide=%%hide_secret)


@ -1 +1 @@
%%get_certificate(%%domain_name_eth0, 'PostgreSQL')
%%get_certificate(%%domain_name_eth0, 'PostgreSQL', hide=%%hide_secret)


@ -1 +1 @@
%%get_private_key(%%domain_name_eth0, 'PostgreSQL')
%%get_private_key(cn=%%domain_name_eth0, authority_name='PostgreSQL', hide=%%hide_secret)


@ -0,0 +1,7 @@
<?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10">
<variables>
<variable name="host" type="domainname" description="Machine où est démarré le conteneur" mandatory="True"/>
</variables>
</rougail>


@ -9,26 +9,28 @@
</service>
</services>
<variables>
<variable name="link_configurations" redefine="True" disabled="True"/>
<variable name="container_srv_path" type="filename" description="Nom du répertoire racine des données">
<value>/var/lib/risotto/srv</value>
</variable>
<variable name="srv_dir" description='Nom du répertoire des données' type="filename" hidden="True"/>
<variable name="container_config_path" type="filename" description="Nom du répertoire racine des configurations">
<value>/var/lib/risotto/configurations</value>
</variable>
<variable name="config_dir" description='Nom du répertoire des configurations' type="filename" hidden="True" mandatory="True"/>
<variable name="container_journal_path" type="filename" description="Nom du répertoire racine des journaux">
<value>/var/lib/risotto/journals</value>
</variable>
<variable name="host" type="domainname" description="Machine où est démarrer le conteneur" mandatory="True"/>
<variable name="external_ports" type="port" description="Port exposé depuis l'extérieur" multi="True"/>
<variable name="srv_dir" type="filename" hidden="True"/>
<variable name="journal_dir" type="filename" hidden="True" mandatory="True"/>
<variable name="config_dir" type="filename" hidden="True" mandatory="True"/>
<variable name="journal_dir" description='Nom du répertoire des journaux' type="filename" hidden="True" mandatory="True"/>
<variable name="use_systemd_repart" redefine="True">
<value>False</value>
</variable>
<family name="network">
<variable name="external_ports" type="port" description="Ports exposés depuis l'extérieur" multi="True"/>
<variable name="netwokd_interface_name_type" redefine="True">
<value>host</value>
</variable>
</family>
</variables>
<constraints>
<condition name="disabled_if_in" source="machine.add_srv">


@ -0,0 +1,13 @@
<?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10">
<variables>
<variable name="var_size" disabled="True" redefine="True"/>
<variable name="srv_size" disabled="True" redefine="True"/>
<variable name='data_disk_size' disabled="True" redefine="True"/>
<variable name="add_tmp" disabled="True" redefine="True"/>
<variable name="var_tmp_size" disabled="True" redefine="True"/>
<variable name="add_swap" disabled="True" redefine="True"/>
<variable name="swap_size" disabled="True" redefine="True"/>
</variables>
</rougail>


@ -1 +1 @@
%%get_chain(authority_cn=%%redis_client_server_domainname, authority_name="Redis")
%%get_chain(authority_cn=%%redis_client_server_domainname, authority_name="Redis", hide=%%hide_secret)


@ -1 +1 @@
%%get_certificate(cn=%%domain_name_eth0, authority_cn=%%redis_client_server_domainname, authority_name='Redis', type="client")
%%get_certificate(cn=%%domain_name_eth0, authority_cn=%%redis_client_server_domainname, authority_name='Redis', type="client", hide=%%hide_secret)


@ -1 +1 @@
%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%redis_client_server_domainname, authority_name='Redis', type="client")
%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%redis_client_server_domainname, authority_name='Redis', type="client", hide=%%hide_secret)


@ -1,5 +1,5 @@
%set %%ca_chain = %%get_chain(authority_cn=%%redis_client_server_domainname, authority_name="Redis")
%set %%cert = %%get_certificate(cn=%%domain_name_eth0, authority_cn=%%redis_client_server_domainname, authority_name='Redis', type="client")
%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%redis_client_server_domainname, authority_name='Redis', type="client")
%set %%ca_chain = %%get_chain(authority_cn=%%redis_client_server_domainname, authority_name="Redis", hide=%%hide_secret)
%set %%cert = %%get_certificate(cn=%%domain_name_eth0, authority_cn=%%redis_client_server_domainname, authority_name='Redis', type="client", hide=%%hide_secret)
%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%redis_client_server_domainname, authority_name='Redis', type="client", hide=%%hide_secret)
%%cert
%%ca_chain


@ -3,7 +3,7 @@
<variables>
<variable name="remote" description="Remote client needing an account" type="domainname" provider="redis_client" mandatory="True"/>
<variable name="remote_ip" description="Remote IP" type="ip" provider="redis_client_ip" mandatory="True"/>
<variable name="password" auto_save="True" hidden="True" type="password" mandatory="True" provider="redis_client_password"/>
<variable name="password" auto_save="False" hidden="True" type="password" mandatory="True" provider="redis_client_password"/>
</variables>
<constraints>
<fill name="get_password">
@ -11,6 +11,7 @@
<param name="username" type="variable">account.remote</param>
<param name="description">redis</param>
<param name="type">cleartext</param>
<param name="hide" type="variable">hide_secret</param>
<target>account.password</target>
</fill>
</constraints>
