ansible template

This commit is contained in:
egarette@silique.fr 2023-06-23 08:12:05 +02:00
parent 84e583f8a4
commit 21c86b0e97
281 changed files with 4341 additions and 2136 deletions


@ -2,9 +2,9 @@
<rougail version="0.10">
<services>
<service name="httpd" target="multi-user">
<file>/etc/httpd/conf/httpd.conf</file>
<file>/etc/httpd/conf.d/risotto.conf</file>
<file>/etc/httpd/conf.d/ssl.conf</file>
<file engine="none">/etc/httpd/conf/httpd.conf</file>
<file engine="ansible">/etc/httpd/conf.d/risotto.conf</file>
<file engine="ansible">/etc/httpd/conf.d/ssl.conf</file>
<file engine="none" source="sysuser-httpd.conf">/sysusers.d/httpd.conf</file>
<file engine="none" source="tmpfile-httpd.conf">/tmpfiles.d/0httpd.conf</file>
</service>


@ -1,15 +1,15 @@
# Timeout
Timeout %%apache_timeout
Timeout {{ general.apache.apache_timeout }}
# Keepalive
%if %%apache_keepalive
{% if general.apache.apache_keepalive %}
KeepAlive On
%else
{% else %}
KeepAlive Off
%end if
{% endif %}
MaxKeepAliveRequests 50
KeepAliveTimeout %%apache_timeout
KeepAliveTimeout {{ general.apache.apache_timeout }}
# RemoteIp
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy %%revprox_client_server_ip
RemoteIPInternalProxy {{ general.revprox.revprox_client_server_ip }}


@ -100,7 +100,7 @@ SSLProxyCipherSuite PROFILE=SYSTEM
# require an ECC certificate which can also be configured in
# parallel.
# GNUNUX SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile %%tls_cert_directory/revprox.crt
SSLCertificateFile {{ general.tls_cert_directory }}/revprox.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
@ -109,7 +109,7 @@ SSLCertificateFile %%tls_cert_directory/revprox.crt
# both in parallel (to also allow the use of DSA ciphers, etc.)
# ECC keys, when in use, can also be configured in parallel
# GNUNUX SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile %%tls_key_directory/revprox.key
SSLCertificateKeyFile {{ general.tls_key_directory }}/revprox.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
@ -126,7 +126,7 @@ SSLCertificateKeyFile %%tls_key_directory/revprox.key
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
#>GNUNUX
SSLCACertificateFile %%tls_ca_directory/InternalReverseProxy.crt
SSLCACertificateFile {{ general.tls_ca_directory }}/InternalReverseProxy.crt
#<GNUNUX
# Client Authentication (Type):


@ -2,7 +2,7 @@
<rougail version="0.10">
<services>
<service name="dnssec" manage="False">
<file>/etc/dnssec-trust-anchors.d/local.negative</file>
<file engine="ansible">/etc/dnssec-trust-anchors.d/local.negative</file>
</service>
</services>
<variables>


@ -1,2 +1,2 @@
%set %%domain=%%domain_name_eth0.split('.', 1)[1]
%%domain
{% set domain = domain_name_eth0.split('.', 1)[1] %}
{{ domain }}


@ -2,7 +2,7 @@
<rougail version="0.10">
<services>
<service name="systemd-networkd">
<override/>
<override engine="none"/>
</service>
<service name='logrotate' disabled="True"/>
<service name="debian" manage="False">


@ -1,7 +1,7 @@
<?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10">
<services>
<service name="update-ca-certificates" engine="cheetah" target="multi-user"/>
<service name="update-ca-certificates" engine="ansible" target="multi-user"/>
</services>
<variables>
<variable name="tls_ca_directory" type="filename" description="Répertoire des autorités de certification" hidden="True">


@ -4,7 +4,7 @@ Before=network-pre.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/update-ca-certificates --localcertsdir %%tls_ca_directory
ExecStart=/usr/sbin/update-ca-certificates --localcertsdir {{ general.tls_ca_directory }}
[Install]
WantedBy=multi-user.target


@ -0,0 +1,6 @@
format: '0.1'
description: Base information of a Fedora 38
website: https://getfedora.org/
depends:
- base-fedora
distribution: true


@ -0,0 +1,13 @@
<?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10">
<!--services>
<service name="base">
<file engine="none">/etc/pam.d/login</file>
</service>
</services-->
<variables>
<variable name="os_version" type="string" description="Version de l'OS" hidden="True">
<value>38</value>
</variable>
</variables>
</rougail>


@ -0,0 +1,7 @@
# ACTIVE NETWORKD
mkdir $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/network-online.target.wants
chmod 775 $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/network-online.target.wants
ln -s /usr/lib/systemd/system/systemd-networkd.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/dbus-org.freedesktop.network1.service"
ln -s /usr/lib/systemd/system/systemd-networkd.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/multi-user.target.wants/systemd-networkd.service"
ln -s /usr/lib/systemd/system/systemd-networkd-wait-online.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/network-online.target.wants/systemd-networkd-wait-online.service"
ln -s /usr/lib/systemd/system/systemd-networkd.socket "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/sockets.target.wants/systemd-networkd.socket"
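Review bot: The `mkdir` and `chmod` lines expand `$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP` unquoted while the four `ln -s` lines quote the same expansion, and `mkdir` without `-p` fails when the directory already exists, which aborts the build if the caller runs with `set -e` (not visible here). Suggest `mkdir -p "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/network-online.target.wants"` and the same quoting on the `chmod 775` line so all six commands treat the path the same way.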


@ -0,0 +1 @@
BASE_PKG="$BASE_PKG pam util-linux"


@ -0,0 +1 @@
RELEASEVER=38


@ -0,0 +1,17 @@
#GNUNUX File from util-linux-*.x86_64 (not installed)
#%PAM-1.0
auth substack system-auth
auth include postlogin
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so


@ -5,6 +5,7 @@
<file engine="none">/tmpfiles.d/fedora.conf</file>
</service>
<service name='logrotate' disabled="True"/>
<service name='logrotate' disabled="True" type="timer"/>
</services>
<variables>
<variable name="os_name" type="string" description="Nom de l'OS" hidden="True">


@ -1,7 +1,7 @@
<?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10">
<services>
<service name="update-ca-trust" engine="cheetah" target="multi-user"/>
<service name="update-ca-trust" engine="ansible" target="multi-user"/>
</services>
<variables>
<variable name="tls_ca_directory" type="filename" description="Nom du répertoire des autorités de certification" hidden="True">


@ -12,6 +12,7 @@
<variable name="module_name" type="string" hidden="True" provider="global:module_name" mandatory="True"/>
<family name="network" description="Réseau">
<variable name="server_name" description="Nom de domaine du serveur" type="domainname" hidden="True" provider="global:server_name" mandatory="True"/>
<variable name="last_server_name" type="domainname" hidden="True"/>
<variable name="zones_list" type="string" multi="True" description="Liste de toutes les zones" mandatory="True" hidden="True" provider="global:zones_name"/>
<variable name="interfaces_list" type="number" multi="True" description="Liste de tous les numéros d'interfaces" hidden="True" provider="global:zones_list"/>
<family name="interface_" description="Interface " dynamic="interfaces_list">
@ -47,6 +48,10 @@
<param name="index" type="suffix"/>
<target>gateway_eth</target>
</fill>
<fill name="get_last_server_name">
<param type="variable">domain_name_eth</param>
<target>last_server_name</target>
</fill>
</constraints>
</rougail>


@ -83,3 +83,7 @@ def get_zone_name(zones: list,
):
if zones is not None:
return zones[int(index)]
def get_last_server_name(server_names):
return server_names[-1]
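Review bot: `get_last_server_name` indexes `server_names[-1]` with no guard, so a `None` or empty value for the `domain_name_eth` parameter raises `TypeError` or `IndexError` during rougail evaluation, whereas `get_zone_name` just above it returns `None` when its `zones` argument is `None`. Mirror that guard: `if server_names:` / `    return server_names[-1]`. A one-line docstring stating that the fill returns the last element of the list it is given would also help, since the name alone does not say which "last" is meant.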


@ -1,6 +1,7 @@
<?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10">
<variables>
<variable name="providers" hidden="True"/>
<variable name="copy_tests" type="boolean" mandatory="True" hidden="True"/>
</variables>
<constraints>


@ -38,6 +38,7 @@ def get_zones_info(zones: dict,
zone_names: _List[str]=None,
zone_name: str=None,
index: int=None,
uniq: bool=False,
) -> str:
if type == 'host_ip' and index != 0:
return
@ -47,4 +48,12 @@ def get_zones_info(zones: dict,
if type == 'cidr':
return zones[zone_name]['host_ip'] + '/' + zones[zone_name]['network'].split('/')[-1]
return zones[zone_name][type]
return [data[type] for zone_name, data in zones.items() if not zone_names or zone_name in zone_names]
ret = []
for zone_name, data in zones.items():
if zone_names and zone_name not in zone_names:
continue
val = data[type]
if uniq and val in ret:
continue
ret.append(val)
return ret
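Review bot: The signature still declares `-> str`, but the rewritten tail now builds and returns a list (and the `host_ip` branch near the top returns `None`), so the annotation is wrong for every path except the single-zone one; either widen it (a `typing.Union` of `str` and `list`, optional) or drop it. The new `uniq` parameter is undocumented: a short docstring line such as `uniq: drop repeated values, keeping first-occurrence order` would make the `val in ret` check self-explanatory. `get_zones_info` begins before the first hunk of this section.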


@ -2,7 +2,7 @@
<rougail version="0.10">
<services>
<service name="dns-local" manage="False">
<file filelist="copy_tests">/tests/dns-local.yml</file>
<file engine="ansible" filelist="copy_tests">/tests/dns-local.yml</file>
</service>
</services>
<variables>
@ -22,5 +22,3 @@
</fill>
</constraints>
</rougail>


@ -1,25 +1,26 @@
address: '%%domain_name_eth0'
address: '{{ domain_name_eth0 }}'
addresses:
%if %%getVar('dns_client_address', None)
- dns_address: '%%dns_client_address'
dns_ip: '%%ip_dns'
%elif %%getVar('unbound_forward_address', None) is not None
%for %%authority in %%unbound_forward_address
- dns_address: %%authority
dns_ip: %%authority.unbound_allowed_client
%end for
%elif %%getVar('nsd_zones', None)
%for %%zone in %%nsd_zones
%set %%suffix = %%normalize_family(%%zone)
%set %%hostnames = %%nsd["nsd_zone_" + %%suffix]["hostname_" + %%suffix]["hostname_" + %%suffix]
%for %%hostname in %%hostnames
- dns_address: %%{hostname}.%%zone
dns_ip: %%hostname["ip_" + %%suffix]
%end for
%end for
%end if
%if %%dns_is_only_local
{% if 'dns_client_address' in general.network %}
- dns_address: '{{ general.network.dns_client_address }}'
dns_ip: '{{ ip_dns }}'
{% elif 'unbound_forward_address' in general.dns_resolver.forward_zones %}
{% for authority in general.dns_resolver.forward_zones.unbound_forward_address %}
- dns_address: {{ authority }}
dns_ip: {{ authority.unbound_allowed_client }}
{% endfor %}
{% elif 'nsd_zones' in general.dns_zone %}
{%for zone in general.dns_zone.nsd_zones %}
{% set suffix = zone|normalize_family %}
{% set hostnames = nsd["nsd_zone_" + suffix]["hostname_" + suffix]["hostname_" + suffix] %}
{% for hostname in hostnames %}
- dns_address: {{ hostname }}.{{ zone }}
dns_ip: {{ hostname["ip_" + suffix] }}
{% endfor %}
{% endfor %}
{% endif %}
{% endif %}
{% if dns_is_only_local %}
dns_is_only_local: true
%else
{% else %}
dns_is_only_local: false
%end if
{% endif %}
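Review bot: The conditional opened by `{% if 'dns_client_address' in general.network %}` is closed twice — `{% endif %}` appears on both of the two consecutive lines after the last `{% endfor %}` — and Jinja rejects the second as an unexpected `endif`, so this template will not render at all. The Cheetah original had a single `%end if` there; remove one of the two adjacent `{% endif %}` lines, leaving only the one that closes the trailing `dns_is_only_local` block. As a point of style, `{%for zone in general.dns_zone.nsd_zones %}` lacks the space after `{%` used by every other tag in the file. Note also that `ip_dns` and `nsd[...]` are the only references in the file not rooted at `general.`; presumably those are template globals, worth confirming with a test render.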


@ -2,49 +2,48 @@
<rougail version="0.10">
<services>
<service name="postfix" target="multi-user">
<override/>
<override engine="none"/>
<certificate format="pem" authority="External" type="server" domain="submission_domainname" provider="mail_crt_provider" certificate_type="variable">submission_domainname</certificate>
<certificate format="pem" authority="Mail" owner="postfix" type="server">postfixlocal</certificate>
<certificate format="pem" server="last_server_name" domain="last_server_name" authority="InternalMail" owner="postfix" type="server">postfixlocal</certificate>
<certificate authority="Mail" owner="postfix" type="server">postfix</certificate>
<certificate authority="LDAP" owner="postfix" server="ldap_server_address">postfix_ldap_client</certificate>
<file engine="none" source="sysuser-postfix.conf">/sysusers.d/1postfix.conf</file>
<file engine="none" source="tmpfile-postfix.conf">/tmpfiles.d/0postfix.conf</file>
<file>/etc/postfix/main.cf</file>
<file>/etc/postfix/master.cf</file>
<file>/etc/postfix/relay_passwd</file>
<file>/etc/postfix/ldapsource.cf</file>
<file>/etc/postfix/sni</file>
<file mode="700">/sbin/risotto_backup</file>
<file engine="ansible">/etc/postfix/main.cf</file>
<file engine="none">/etc/postfix/master.cf</file>
<file engine="ansible">/etc/postfix/relay_passwd</file>
<file engine="ansible">/etc/postfix/ldapsource.cf</file>
<file engine="ansible">/etc/postfix/sni</file>
<file engine="ansible" mode="700">/sbin/risotto_backup</file>
</service>
<service name='dovecot-init'>
<override/>
<file>/etc/nginx/default.d/autoconfig.conf</file>
<override engine="none"/>
<file engine="none">/etc/nginx/default.d/autoconfig.conf</file>
</service>
<service name='nginx'>
<file source='config-v1.1.xml' file_type="variable" variable="mail_domains">well_known_filenames</file>
<file engine="ansible" source='config-v1.1.xml' file_type="variable" variable="mail_domains">well_known_filenames</file>
</service>
<service name="dovecot" target="multi-user">
<certificate authority="External" type="server" domain="imap_domainname" provider="mail_crt_provider" certificate_type="variable">imap_domainname</certificate>
<certificate authority="IMAP" owner="dovecot" type="server">dovecot</certificate>
<certificate authority="IMAP" domain="last_server_name" owner="dovecot" type="server">dovecot</certificate>
<file engine="none" source="sysuser-dovecot.conf">/sysusers.d/1dovecot.conf</file>
<file engine="none" source="tmpfile-dovecot.conf">/tmpfiles.d/0dovecot.conf</file>
<file engine='none'>/etc/dovecot/conf.d/10-logging.conf</file>
<file engine='none'>/etc/dovecot/conf.d/10-auth.conf</file>
<file engine='none'>/etc/dovecot/conf.d/10-mail.conf</file>
<file>/etc/dovecot/conf.d/10-master.conf</file>
<file>/etc/dovecot/conf.d/10-ssl.conf</file>
<!-- FIXME file engine='none'>/etc/dovecot/conf.d/12-managesieve.conf</file-->
<file engine="ansible">/etc/dovecot/conf.d/10-master.conf</file>
<file engine="ansible">/etc/dovecot/conf.d/10-ssl.conf</file>
<file engine='none'>/etc/dovecot/conf.d/15-ldap.conf</file>
<file engine='none'>/etc/dovecot/conf.d/30-service-stats.conf</file>
<file engine='none'>/etc/dovecot/conf.d/00-risotto.conf</file>
<!--plain authentification-->
<file>/etc/dovecot/conf.d/auth-ldap.conf.ext</file>
<file>/etc/dovecot/dovecot-ldap.conf.ext</file>
<file engine="none">/etc/dovecot/conf.d/auth-ldap.conf.ext</file>
<file engine="ansible">/etc/dovecot/dovecot-ldap.conf.ext</file>
<!--oauth2 authentification-->
<file>/etc/dovecot/conf.d/auth-oauth2.conf.ext</file>
<file>/etc/dovecot/dovecot-oauth2.conf.ext</file>
<file engine="none">/etc/dovecot/conf.d/auth-oauth2.conf.ext</file>
<file engine="ansible">/etc/dovecot/dovecot-oauth2.conf.ext</file>
<!--internal authentification-->
<file filelist="copy_tests">/tests/imap.yml</file>
<file engine="ansible" filelist="copy_tests">/tests/imap.yml</file>
</service>
</services>
<variables>
@ -54,7 +53,7 @@
<value>993</value>
</variable>
</family>
<family name="annuaire">
<family name="ldap">
<family name="client">
<variable name='ldapclient_family' redefine="True">
<value>all</value>


@ -73,7 +73,7 @@ service lmtp {
#}
#>GNUNUX
inet_listener lmtp {
address = %%ip_eth0
address = {{ general.smtp.smtp_client_ip }}
port = 8024
}
#<GNUNUX


@ -14,17 +14,17 @@ ssl = required
#GNUNUX ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
#GNUNUX ssl_key = </etc/pki/dovecot/private/dovecot.pem
#>GNUNUX
ssl_cert = </etc/pki/tls/certs/dovecot.crt
ssl_key = </etc/pki/tls/private/dovecot.key
%for %%mail in %%mail_domains
local_name %%mail.imap_domainname {
ssl_cert = %echo '<' + %%tls_cert_directory + '/' + %%mail.imap_domainname + '.crt'
ssl_key = %echo '<' + %%tls_key_directory + '/' + %%mail.imap_domainname + '.key'
ssl_cert = <{{ general.tls_cert_directory }}/dovecot.crt
ssl_key = <{{ general.tls_key_directory }}/dovecot.key
{% for mail in general.mail.domain.mail_domains %}
local_name {{ mail.imap_domainname }} {
ssl_cert = <{{ general.tls_cert_directory }}/{{ mail.imap_domainname }}.crt
ssl_key = <{{ general.tls_key_directory }}/{{ mail.imap_domainname }}.key
}
%end for
local_name %%domain_name_eth0 {
ssl_cert = %echo '<' + %%tls_cert_directory + '/dovecot.crt'
ssl_key = %echo '<' + %%tls_key_directory + '/dovecot.key'
{% endfor %}
local_name {{ general.network.last_server_name }} {
ssl_cert = <{{ general.tls_cert_directory }}/dovecot.crt
ssl_key = <{{ general.tls_key_directory }}/dovecot.key
}
#<GNUNUX
@ -50,7 +50,7 @@ local_name %%domain_name_eth0 {
# large CA bundles, because it leads to excessive memory usage.
#ssl_client_ca_dir =
#ssl_client_ca_file =
ssl_client_ca_file = %%tls_ca_directory/IMAP.crt
ssl_client_ca_file = {{ general.tls_ca_directory }}/IMAP.crt
# Require valid cert when connecting to a remote server
#ssl_client_require_valid_cert = yes


@ -1,23 +0,0 @@
# Uncomment to enable managesieve protocol:
protocols = $protocols sieve
service managesieve-login {
inet_listener sieve {
port = 4190
}
#inet_listener sieve_deprecated {
# port = 2000
#}
# Number of connections to handle before starting a new process. Typically
# the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
# is faster. <doc/wiki/LoginProcess.txt>
service_count = 1
# Number of processes to always keep waiting for more connections.
process_min_avail = 0
# If you set service_count=0, you probably need to grow this.
vsz_limit = 64M
}


@ -1,23 +1,23 @@
<?xml version="1.0"?>
# GNUNUX: from https://wiki.mozilla.org/Thunderbird:Autoconfiguration:ConfigFileFormat -->
%set %%domain = %%rougail_variable
%set %%leader = %%mail_domains[%%mail_domains.index(%%domain)]
%set %%imap_domain = %%leader.imap_domainname
%set %%submission_domain = %%leader.submission_domainname
{%set domain = rougail_variable %}
{%set leader = general.mail.domain.mail_domains[mail_domains.index(domain)] %}
{%set imap_domain = leader.imap_domainname %}
{%set submission_domain = leader.submission_domainname %}
<clientConfig version="1.1">
<emailProvider id="%%domain">
<domain>%%domain</domain>
<displayName>Services %%domain</displayName>
<displayShortName>%%domain</displayShortName>
<emailProvider id="{{ domain }}">
<domain>{{ domain }}</domain>
<displayName>Services {{ domain }}</displayName>
<displayShortName>{{ domain }}</displayShortName>
<incomingServer type="imap">
<hostname>%%imap_domain</hostname>
<hostname>{{ imap_domain }}</hostname>
<port>993</port>
<socketType>SSL</socketType>
<username>%EMAILADDRESS%</username>
<authentication>password-cleartext</authentication>
</incomingServer>
<outgoingServer type="smtp">
<hostname>%%submission_domain</hostname>
<hostname>{{ submission_domain }}</hostname>
<port>587</port>
<socketType>STARTTLS</socketType>
<username>%EMAILADDRESS%</username>
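Review bot: The second `{%set` line subscripts `general.mail.domain.mail_domains[...]` but computes the index with `mail_domains.index(domain)` on a bare `mail_domains`, a name nothing else in this commit exposes at top level, so the lookup will most likely fail on an undefined variable at render time. Use the same rooted reference for both halves: `{% set leader = general.mail.domain.mail_domains[general.mail.domain.mail_domains.index(domain)] %}`. The four `{%set` tags also lack the space after `{%` that the rest of the commit's templates use.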


@ -24,7 +24,7 @@
# setting isn't supported by all LDAP libraries.
#uris =
#>GNUNUX
uris = ldaps://%%ldap_server_address
uris = ldaps://{{ general.ldap.server.ldap_server_address }}
#<GNUNUX
# Distinguished Name - the username used to login to the LDAP server.
@ -34,8 +34,8 @@ uris = ldaps://%%ldap_server_address
# Password for LDAP server, if dn is specified.
#dnpass =
#>GNUNUX
dn = %%ldapclient_user
dnpass = %%ldapclient_user_password
dn = {{ general.ldap.client.ldapclient_user }}
dnpass = {{ general.ldap.client.ldapclient_user_password }}
#<GNUNUX
# Use SASL binding instead of the simple binding. Note that this changes
@ -61,9 +61,9 @@ dnpass = %%ldapclient_user_password
# Valid values: never, hard, demand, allow, try
#tls_require_cert =
#>GNUNUX
tls_cert_file = %%tls_cert_directory/ldap_client.crt
tls_key_file = %%tls_key_directory/ldap_client.key
tls_ca_cert_file = %%tls_ca_directory/LDAP.crt
tls_cert_file = {{ general.tls_cert_directory }}/ldap_client.crt
tls_key_file = {{ general.tls_key_directory }}/ldap_client.key
tls_ca_cert_file = {{ general.tls_ca_directory }}/LDAP.crt
tls_require_cert = hard
#>GNUNUX
@ -107,7 +107,7 @@ auth_bind = yes
# LDAP base. %variables can be used here.
# For example: dc=mail, dc=example, dc=org
# GNUNUX base =
base = %%ldapclient_search_dn
base = {{ general.ldap.client.ldapclient_search_dn }}
# Dereference: never, searching, finding, always
#deref = never


@ -4,7 +4,7 @@
## url for verifying token validity. Token is appended to the URL
# tokeninfo_url = http://endpoint/oauth/tokeninfo?access_token=
#>GNUNUX
tokeninfo_url = https://%%oauth2_client_server_domainname/oauth2/userinfo/?access_token=
tokeninfo_url = https://{{ general.oauth2_client.oauth2_client_server_domainname }}/oauth2/userinfo/?access_token=
#<GNUNUX
## introspection endpoint, used to gather extra fields and other information.
@ -21,7 +21,7 @@ tokeninfo_url = https://%%oauth2_client_server_domainname/oauth2/userinfo/?acces
## Set this to yes if you are using active_attribute
# force_introspection = no
#>GNUNUX
introspection_url = https://%%oauth2_client_server_domainname/oauth2/introspect/
introspection_url = https://{{ general.oauth2_client.oauth2_client_server_domainname }}/oauth2/introspect/
introspection_mode = post
force_introspection = no
#<GNUNUX
@ -57,7 +57,7 @@ username_attribute = email
## URL to RFC 7628 OpenID Provider Configuration Information schema
# openid_configuration_url =
#>GNUNUX
openid_configuration_url = https://%%oauth2_client_server_domainname/.well-known/openid-configuration
openid_configuration_url = https://{{ general.oauth2_client.oauth2_client_server_domainname }}/.well-known/openid-configuration
#<GNUNUX
## Extra fields to set in passdb response (in passdb static style)
@ -79,8 +79,8 @@ openid_configuration_url = https://%%oauth2_client_server_domainname/.well-known
# rawlog_dir = /tmp/oauth2
#>GNUNUX
client_id = %%oauth2_client_id
client_secret = %%oauth2_client_secret
client_id = {{ general.oauth2_client.oauth2_client_id }}
client_secret = {{ general.oauth2_client.oauth2_client_secret }}
#<GNUNUX
## TLS settings


@ -1,2 +0,0 @@
%%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)


@ -1 +0,0 @@
%%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)


@ -1,12 +1,12 @@
%set %%username="rougail_test@silique.fr"
%set %%username_family="rougail_test@gnunux.info"
%set %%name_family="gnunux"
address: %%ip_eth0
dns: %%domain_name_eth0
username: %%username
password: %%get_password(server_name='test', username=%%username, description="test", type="cleartext", hide=%%hide_secret, temporary=True)
username_family: %%username_family
password_family: %%get_password(server_name='test', username=%%username_family, description='test', type="cleartext", hide=%%hide_secret, temporary=True)
name_family: %%name_family
smtp: %%smtp_relay_ip
{%set username="rougail_test@silique.fr" %}
{%set username_family="rougail_test@gnunux.info" %}
{%set name_family="gnunux" %}
address: {{ general.network.interface_0.ip_eth0 }}
dns: {{ general.network.interface_0.domain_name_eth0 }}
username: {{ username }}
password: {{ username|get_password(server_name='test', description="test", type="cleartext", hide=hide_secret, temporary=True) }}
username_family: {{ username_family }}
password_family: {{ username_family|get_password(server_name='test', description='test', type="cleartext", hide=hide_secret, temporary=True)
name_family: {{ name_family }}
smtp: {{ general.smtp.smtp_relay_ip }}
ext_username: 'test@example.net'
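Review bot: The Jinja expression on the `password_family:` line is never closed — it ends at `temporary=True)` while the `password:` line two lines above ends with `) }}` — so the template fails to parse. Append the closing delimiter: `password_family: {{ username_family|get_password(server_name='test', description='test', type="cleartext", hide=hide_secret, temporary=True) }}`. Separately, `hide=hide_secret` is the only variable reference in this file not rooted at `general.`; presumably it is a template global, but that is worth confirming against the renderer.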


@ -1,13 +1,13 @@
server_host = ldaps://%%ldap_server_address
server_port = %%ldap_port
tls_cert = %%tls_cert_directory/postfix_ldap_client.crt
tls_key = %%tls_key_directory/postfix_ldap_client.key
tls_ca_cert_file = %%tls_ca_directory/LDAP.crt
server_host = ldaps://{{ general.ldap.server.ldap_server_address }}
server_port = {{ general.ldap.server.ldap_port }}
tls_cert = {{ general.tls_cert_directory }}/postfix_ldap_client.crt
tls_key = {{ general.tls_key_directory }}/postfix_ldap_client.key
tls_ca_cert_file = {{ general.tls_ca_directory }}/LDAP.crt
tls_require_cert = yes
version = 3
bind = yes
bind_dn = %%ldapclient_user
bind_pw = %%ldapclient_user_password
search_base = %%ldapclient_search_dn
bind_dn = {{ general.ldap.client.ldapclient_user }}
bind_pw = {{ general.ldap.client.ldapclient_user_password }}
search_base = {{ general.ldap.client.ldapclient_search_dn }}
query_filter = (mailLocalAddress=%s)
result_attribute = cn


@ -95,7 +95,7 @@ mail_owner = postfix
#
#myhostname = host.domain.tld
#myhostname = virtual.domain.tld
myhostname = %%domain_name_eth0
myhostname = {{ general.network.interface_0.domain_name_eth0 }}
# The mydomain parameter specifies the local internet domain name.
# The default is to use $myhostname minus the first component.
@ -119,7 +119,7 @@ myhostname = %%domain_name_eth0
#
#myorigin = $myhostname
#myorigin = $mydomain
myorigin = %%domain_name_eth0
myorigin = {{ general.network.interface_0.domain_name_eth0 }}
# RECEIVING MAIL
@ -359,7 +359,7 @@ mynetworks = 127.0.0.0/8
#relayhost = uucphost
#relayhost = [an.ip.add.ress]
#>GNUNUX
relayhost = %%smtp_relay_address
relayhost = {{ general.smtp.smtp_relay_address }}
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/relay_passwd
smtp_sasl_security_options = noanonymous
@ -742,15 +742,15 @@ readme_directory = /usr/share/doc/postfix/README_FILES
# in PEM format. Intermediate certificates should be included in general,
# the server certificate first, then the issuing CA(s) (bottom-up order).
#
smtpd_tls_cert_file = %%tls_cert_directory/postfix.crt
smtpd_tls_cert_file = {{ general.tls_cert_directory }}/postfix.crt
# The full pathname of a file with the Postfix SMTP server RSA private key
# in PEM format. The private key must be accessible without a pass-phrase,
# i.e. it must not be encrypted.
#
smtpd_tls_key_file = %%tls_key_directory/postfix.key
smtpd_tls_key_file = {{ general.tls_key_directory }}/postfix.key
smtpd_tls_CApath = %%tls_ca_directory
smtpd_tls_CApath = {{ general.tls_ca_directory }}
#>GNUNUX
tls_server_sni_maps = hash:/etc/postfix/sni
#<GNUNUX
@ -762,13 +762,13 @@ smtpd_tls_security_level = may
# Directory with PEM format Certification Authority certificates that the
# Postfix SMTP client uses to verify a remote SMTP server certificate.
#
smtp_tls_CApath = %%tls_ca_directory
smtp_tls_CApath = {{ general.tls_ca_directory }}
# The full pathname of a file containing CA certificates of root CAs
# trusted to sign either remote SMTP server certificates or intermediate CA
# certificates.
#
smtp_tls_CAfile = %%tls_ca_directory/Mail.crt
smtp_tls_CAfile = {{ general.tls_ca_directory }}/Mail.crt
# Use TLS if this is supported by the remote SMTP server, otherwise use
# plaintext (opportunistic TLS outbound).
@ -800,11 +800,11 @@ smtpd_sasl_path = /srv/dovecot/auth
broken_sasl_auth_clients = yes
dovecot_destination_recipient_limit = 1
%set %%domains = []
%for %%domain in %%mail_domains
%%domains.append(%%str(%%domain))%slurp
%end for
virtual_mailbox_domains = %echo ', '.join(%%domains)
{% set domains = [] %}
{% for domain in general.mail.domain.mail_domains %}
{{ domains.append(domain|string) }}
{% endfor %}
virtual_mailbox_domains = {{ domains|join(', ') }}
virtual_alias_maps = ldap:/etc/postfix/ldapsource.cf
virtual_minimum_uid = 1000
#vmail uid
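Review bot: In the last hunk, `{{ domains.append(domain|string) }}` is an output expression rather than a statement: Jinja prints the return value of `list.append`, so each iteration writes a bare `None` line into main.cf immediately above `virtual_mailbox_domains`, and Postfix does not accept a line that is not a `name = value` entry. The Cheetah version avoided this with `%slurp`; in Jinja the whole five-line `set`/`for`/`endfor` block can become one filter chain: `virtual_mailbox_domains = {{ general.mail.domain.mail_domains|map('string')|join(', ') }}`, which produces the same comma-separated list with no side-effect output.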


@ -1,3 +0,0 @@
%set %%cert = %%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)
%%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)
%%cert


@ -1,2 +1,2 @@
%%smtp_relay_address %%smtp_relay_user@%%ip_eth0:%%smtp_relay_password
{{ general.smtp.smtp_relay_address }} {{ general.smtp.smtp_relay_user }}@{{ general.smtp.smtp_client_ip }}:{{ general.smtp.smtp_relay_password }}


@ -1,6 +1,6 @@
%echo "#!/bin/bash"
#!/bin/bash
BACKUP_DIR="%%backup_dir"
BACKUP_DIR="{{ general.backup_dir }}"
mkdir -p $BACKUP_DIR
chown vmail: $BACKUP_DIR
@ -14,7 +14,7 @@ done
ls $BACKUP_DIR | while read $user; do
if [ ! -f $BACKUP_DIR/$user.done ]; then
rm -rf $BACKUP_DIR/$user
if
fi
done
rm -f $BACKUP_DIR/*.done
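Review bot: The `if`→`fi` fix in the second hunk restores the syntax, but the loop it closes still reads `ls $BACKUP_DIR | while read $user; do`: `$user` is expanded before `read` runs, so `read` stores each name in `REPLY` and `$user` stays empty, which turns `rm -rf $BACKUP_DIR/$user` into `rm -rf $BACKUP_DIR/` whenever `$BACKUP_DIR/.done` is absent — the entire backup directory is removed on the first iteration. That line is hunk context rather than part of this change, but the commit leaves it in place. Change it to `while read -r user; do` and quote the expansions (`"$BACKUP_DIR/$user"`, `"$BACKUP_DIR/$user.done"`), all the more since `BACKUP_DIR` is now filled from a template variable in the first hunk.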


@ -1,4 +1,4 @@
%for %%name in %%mail_domains
%%name.submission_domainname %%tls_key_directory/%%{name.submission_domainname}.pem
%end for
%%domain_name_eth0 %%tls_key_directory/postfixlocal.pem
{% for name in general.mail.domain.mail_domains %}
{{ name.submission_domainname }} {{ general.tls_key_directory }}/{{ name.submission_domainname }}.pem
{% endfor %}
{{ general.network.last_server_name }} {{ general.tls_key_directory }}/postfixlocal.pem


@ -2,7 +2,7 @@ format: '0.1'
description: Forgejo, a community managed lightweight code hosting solution
website: https://forgejo.org/
depends:
- base-fedora-37
- base-fedora-38
- postgresql-client
- reverse-proxy-client
- relay-mail-client


@ -1,11 +1,11 @@
<?xml version='1.0' encoding='UTF-8'?>
<rougail version="0.10">
<services>
<service name="forgejo" target="multi-user" engine="cheetah">
<service name="forgejo" target="multi-user" engine="ansible">
<file engine="none" source="sysuser-forgejo.conf">/sysusers.d/0forgejo.conf</file>
<file engine="none" source="tmpfile-forgejo.conf">/tmpfiles.d/0forgejo.conf</file>
<file>/etc/forgejo/app.ini</file>
<file filelist="copy_tests">/tests/forgejo.yml</file>
<file engine="ansible">/etc/forgejo/app.ini</file>
<file engine="ansible" filelist="copy_tests">/tests/forgejo.yml</file>
</service>
</services>
<variables>


@ -1,7 +1,4 @@
#RISOTTO: https://codeberg.org/forgejo/forgejo/raw/branch/forgejo/custom/conf/app.example.ini
%compiler-settings
commentStartToken = ;
%end compiler-settings
; This file lists the default values used by Gitea
;; Copy required sections to your own app.ini (default is custom/conf/app.ini)
;; and modify as needed.
@ -50,7 +47,7 @@ commentStartToken = ;
;; App name that shows in every page title
;>GNUNUX
;APP_NAME = ; Gitea: Git with a cup of tea
APP_NAME = %%forgejo_title
APP_NAME = {{ general.forgejo.forgejo_title }}
;<GNUNUX
;;
;; RUN_USER will automatically detect the current user - but you can set it here change it if you run locally
@ -89,13 +86,13 @@ PROTOCOL = https
;; Set the domain for the server
;DOMAIN = localhost
;>GNUNUX
DOMAIN = %%revprox_client_external_domainnames[0]
DOMAIN = {{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}
;<GNUNUX
;;
;; Overwrite the automatically generated public URL. Necessary for proxies and docker.
;ROOT_URL = %(PROTOCOL)s://%(DOMAIN)s:%(HTTP_PORT)s/
;>GNUNUX
ROOT_URL = https://%%revprox_client_external_domainnames[0]%%revprox_client_external_domainnames[0]revprox_client_location
ROOT_URL = https://{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}{{ general.revprox.revprox_client.revprox_client_external_domainnames[0]['revprox_client_location'] }}
;<GNUNUX
;;
;; when STATIC_URL_PREFIX is empty it will follow ROOT_URL
@ -146,7 +143,7 @@ HTTP_PORT = 3000
;; Do not set this variable if PROTOCOL is set to 'unix'.
;LOCAL_ROOT_URL = %(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/
;>GNUNUX
LOCAL_ROOT_URL = https://%%domain_name_eth0:3000/
LOCAL_ROOT_URL = https://{{ general.network.interface_0.domain_name_eth0 }}:3000/
;<GNUNUX
;;
;; When making local connections pass the PROXY protocol header.
@ -176,7 +173,7 @@ BUILTIN_SSH_SERVER_USER = "git"
;; Domain name to be exposed in clone URL
;SSH_DOMAIN = %(DOMAIN)s
;>GNUNUX
SSH_DOMAIN = %%revprox_client_external_domainnames[0]
SSH_DOMAIN = {{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}
;<GNUNUX
;;
;; SSH username displayed in clone URLs.
@ -188,13 +185,13 @@ SSH_DOMAIN = %%revprox_client_external_domainnames[0]
;; Port number to be exposed in clone URL
;SSH_PORT = 22
;>GNUNUX
SSH_PORT = %%incoming_ports[0]
SSH_PORT = {{ general.network.incoming_ports[0] }}
;<GNUNUX
;;
;; The port number the builtin SSH server should listen on
;SSH_LISTEN_PORT = %(SSH_PORT)s
;>GNUNUX
SSH_LISTEN_PORT = %%incoming_ports[0]
SSH_LISTEN_PORT = {{ general.network.incoming_ports[0] }}
;<GNUNUX
;;
;; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'.
@ -319,8 +316,8 @@ OFFLINE_MODE = true
;CERT_FILE = https/cert.pem
;KEY_FILE = https/key.pem
;>GNUNUX
CERT_FILE = %%tls_cert_directory/revprox.crt
KEY_FILE = %%tls_key_directory/revprox.key
CERT_FILE = {{ general.tls_cert_directory }}/revprox.crt
KEY_FILE = {{ general.tls_key_directory }}/revprox.key
;<GNUNUX
;;
;; Root directory containing templates and static files.
@ -355,7 +352,7 @@ LFS_START_SERVER = true
;; LFS authentication secret, change this yourself
;>GNUNUX
;LFS_JWT_SECRET =
LFS_JWT_SECRET = %%forgejo_lfs_jwt_secret
LFS_JWT_SECRET = {{ general.forgejo.forgejo_lfs_jwt_secret }}
;<GNUNUX
;;
;; LFS authentication validity period (in time.Duration), pushes taking longer than this may fail.
@ -419,10 +416,10 @@ LFS_JWT_SECRET = %%forgejo_lfs_jwt_secret
;SSL_MODE=disable ;either "disable" (default), "require", or "verify-full"
;>GNUNUX
DB_TYPE = postgres
HOST = %%pg_client_server_domainname:5432
NAME = %%pg_client_database
USER = %%pg_client_username
PASSWD = %%pg_client_password
HOST = {{ general.postgresql.pg_client_server_domainname }}:5432
NAME = {{ general.postgresql.pg_client_database }}
USER = {{ general.postgresql.pg_client_username }}
PASSWD = {{ general.postgresql.pg_client_password }}
SCHEMA =
SSL_MODE = verify-full
CHARSET = utf8
@ -492,7 +489,7 @@ INSTALL_LOCK = true
;; This key is VERY IMPORTANT. If you lose it, the data encrypted by it (like 2FA secret) can't be decrypted anymore.
;>GNUNUX
;SECRET_KEY =
SECRET_KEY = %%forgejo_secret_key
SECRET_KEY = {{ general.forgejo.forgejo_secret_key }}
;<GNUNUX
;;
;; Alternative location to specify secret key, instead of this file; you cannot specify both this and SECRET_KEY, and must pick one
@ -502,7 +499,7 @@ SECRET_KEY = %%forgejo_secret_key
;; Secret used to validate communication within Gitea binary.
;>GNUNUX
;INTERNAL_TOKEN=
INTERNAL_TOKEN = %%forgejo_internal_token
INTERNAL_TOKEN = {{ general.forgejo.forgejo_internal_token }}
;<GNUNUX
;;
;; Alternative location to specify internal token, instead of this file; you cannot specify both this and INTERNAL_TOKEN, and must pick one
@ -671,7 +668,7 @@ ROUTER = console
;ACCESS = file
;;
;; Sets the template used to create the access log.
;ACCESS_LOG_TEMPLATE = {{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.URL.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}\" \"{{.Ctx.Req.UserAgent}}"
{#;ACCESS_LOG_TEMPLATE = {{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.URL.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}\" \"{{.Ctx.Req.UserAgent}}" #}
;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
@ -1760,7 +1757,7 @@ PROTOCOL = smtp+starttls
;; (Before 1.18, see the notice, this was combined with SMTP_PORT as HOST.)
;SMTP_ADDR =
;>GNUNUX
SMTP_ADDR = %%smtp_relay_address
SMTP_ADDR = {{ smtp_relay_address }}
;<GNUNUX
;;
;; Mail server port. Common ports are:
@ -1793,7 +1790,7 @@ SMTP_PORT = 25
;; Mail from address, RFC 5322. This can be just an email address, or the `"Name" <email@example.com>` format
;FROM =
;>GNUNUX
FROM = %%forgejo_mail_sender
FROM = {{ general.forgejo.forgejo_mail_sender }}
;<GNUNUX
;;
;; Sometimes it is helpful to use a different address on the envelope. Set this to use ENVELOPE_FROM as the from on the envelope. Set to `<>` to send an empty address.
@ -1802,13 +1799,13 @@ FROM = %%forgejo_mail_sender
;; Mailer user name and password, if required by provider.
;USER =
;>GNUNUX
USER = %%smtp_relay_user@%%ip_eth0
USER = {{ general.smtp.smtp_relay_user }}@{{ general.smtp.smtp_client_ip }}
;<GNUNUX
;;
;; Use PASSWD = `your password` for quoting if you use special characters in the password.
;PASSWD =
;>GNUNUX
PASSWD = %%smtp_relay_password
PASSWD = {{ general.smtp.smtp_relay_password }}
;<GNUNUX
;;
;; Send mails only in plain text, without HTML alternative
@ -1857,7 +1854,7 @@ ADAPTER = redis
;; twoqueue: `{"size":50000,"recent_ratio":0.25,"ghost_ratio":0.5}` or `50000`
;HOST =
;>GNUNUX
HOST = network=tcp,addr=%%redis_client_server_domainname:6379,username=%%redis_client_username,password=%%redis_client_password,db=0,pool_size=100,idle_timeout=180
HOST = network=tcp,addr={{ general.redis.redis_client_server_domainname }}:6379,username={{ general.redis.redis_client_username }},password={{ general.redis.redis_client_password }},db={{ general.redis.redis_client_index }},pool_size=100,idle_timeout=180
;<GNUNUX
;;
;; Time to keep items in cache if not used, default is 16 hours.
@ -1904,7 +1901,7 @@ PROVIDER = redis
;; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table`
;PROVIDER_CONFIG = data/sessions ; Relative paths will be made absolute against _`AppWorkPath`_.
;>GNUNUX
PROVIDER_CONFIG = network=tcp,addr=%%redis_client_server_domainname:6379,password=%%redis_client_password,db=0,pool_size=100,idle_timeout=180
PROVIDER_CONFIG = network=tcp,addr={{ general.redis.redis_client_server_domainname }}:6379,password={{ general.redis.redis_client_password }},db={{ general.redis.redis_client_index }},pool_size=100,idle_timeout=180
;<GNUNUX
;;
;; Session cookie name


@ -20,17 +20,17 @@ User=forgejo
Group=forgejo
WorkingDirectory=/srv/forgejo/lib/
ExecStart=/usr/bin/forgejo web --config /etc/forgejo/app.ini
ExecStartPre=/bin/bash -c '%slurp
/usr/bin/forgejo migrate --config /etc/forgejo/app.ini;%slurp
if /usr/bin/forgejo admin auth list --config /etc/forgejo/app.ini | grep "OAuth2"; then %slurp
echo "UPDATE";%slurp
id=$(/usr/bin/forgejo --config /etc/forgejo/app.ini admin auth list |tail -n 1|awk "{ print \$1}");%slurp
/usr/bin/forgejo admin auth update-oauth --id $id --name "%%domain_name_eth0" --provider "openidConnect" --key "%%oauth2_client_id" --secret "%%oauth2_client_secret" --scopes "profile email" --auto-discover-url "https://%%oauth2_client_server_domainname/.well-known/openid-configuration" --config /etc/forgejo/app.ini;%slurp
else %slurp
echo "CONFIGURE";%slurp
/usr/bin/forgejo admin auth add-oauth --name "%%domain_name_eth0" --provider "openidConnect" --key "%%oauth2_client_id" --secret "%%oauth2_client_secret" --scopes "profile email" --auto-discover-url "https://%%oauth2_client_server_domainname/.well-known/openid-configuration" --config /etc/forgejo/app.ini;%slurp
fi;%slurp
sleep 2;%slurp
ExecStartPre=/bin/bash -c '{% if True -%}{% endif -%}
/usr/bin/forgejo migrate --config /etc/forgejo/app.ini;{% if True -%}{% endif -%}
if /usr/bin/forgejo admin auth list --config /etc/forgejo/app.ini | grep "OAuth2"; then {% if True -%}{% endif -%}
echo "UPDATE";{% if True -%}{% endif -%}
id=$(/usr/bin/forgejo --config /etc/forgejo/app.ini admin auth list |tail -n 1|awk "{ print \$1}");{% if True -%}{% endif -%}
/usr/bin/forgejo admin auth update-oauth --id $id --name "{{ general.network.interface_0.domain_name_eth0 }}" --provider "openidConnect" --key "{{ general.oauth2_client.oauth2_client_id }}" --secret "{{ general.oauth2_client.oauth2_client_secret }}" --scopes "profile email" --auto-discover-url "https://{{ general.oauth2_client.oauth2_client_server_domainname }}/.well-known/openid-configuration" --config /etc/forgejo/app.ini;{% if True -%}{% endif -%}
else {% if True -%}{% endif -%}
echo "CONFIGURE";{% if True -%}{% endif -%}
/usr/bin/forgejo admin auth add-oauth --name "{{ general.network.interface_0.domain_name_eth0 }}" --provider "openidConnect" --key "{{ general.oauth2_client.oauth2_client_id }}" --secret "{{ general.oauth2_client.oauth2_client_secret }}" --scopes "profile email" --auto-discover-url "https://{{ general.oauth2_client.oauth2_client_server_domainname }}/.well-known/openid-configuration" --config /etc/forgejo/app.ini;{% if True -%}{% endif -%}
fi;{% if True -%}{% endif -%}
sleep 2;{% if True -%}{% endif -%}
echo "CONFIGURATION DONE"'
Restart=always
Environment=GITEA_WORK_DIR=/srv/forgejo/lib
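Review bot: The `{% if True -%}{% endif -%}` suffix on every line of the rewritten ExecStartPre is an opaque way to join lines: it emits nothing, and exists only so that the trailing `-%}` strips the following newline, standing in for cheetah's `%slurp`. A one-line `#` comment above `ExecStartPre=` saying that the empty if/endif suffix replaces `%slurp` (written without the tag delimiters, so the comment itself is not parsed) would save the next reader a detour, and moving the whole snippet into a script invoked from ExecStartPre would remove the trick entirely. The rendered unit also carries `--secret "{{ general.oauth2_client.oauth2_client_secret }}"` on a command line, so the OAuth2 client secret is readable through the unit file's permissions and the process argument list while the command runs; a script with restricted mode that reads the secret from a file would narrow that. The `tail -n 1|awk "{ print \$1}"` selection picks the last auth source regardless of its type, unchanged from the old version but worth a second look while this is being touched.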


@ -1,11 +1,11 @@
%set %%username="rougail_test@silique.fr"
ip: %%ip_eth0
revprox_ip: %%revprox_client_server_ip
%set %%domain = %%revprox_client_external_domainnames[0]
base_url: https://%%domain%%domain.revprox_client_location
auth_url: %%oauth2_client_external[0]
auth_server: %%oauth2_server_domainname
username: %%username
password: %%get_password(server_name='test', username=%%username, description='test', type="cleartext", hide=%%hide_secret, temporary=True)
forgejo_title: "%%forgejo_title"
git_url: "[%%domain]:%%incoming_ports[0]"
{% set username="rougail_test@silique.fr" %}
ip: {{ general.network.interface_0.ip_eth0 }}
revprox_ip: {{ general.revprox.revprox_client.revprox_client_server_ip }}
{% set domain = {{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}
base_url: https://{{ domain }}{{domain.revprox_client_location }}
auth_url: {{ general.oauth2_client.oauth2_client_external[0] }}
auth_server: {{ general.oauth2_client.oauth2_server_domainname }}
username: {{ username }}
password: {{ username|get_password(server_name='test', description='test', type="cleartext", hide=hide_secret, temporary=True) }}
forgejo_title: "{{ general.forgejo.forgejo_title }}"
git_url: "[{{ domain] }}:{{ general.network.incoming_ports[0] }}"
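Review bot: Two of the rewritten lines are not valid Jinja: `{% set domain = {{ general.revprox... }}` nests an expression tag inside a statement tag and never closes the `%}`, and `git_url: "[{{ domain] }}:..."` puts the closing bracket inside the expression. They should read `{% set domain = general.revprox.revprox_client.revprox_client_external_domainnames[0] %}` and `git_url: "[{{ domain }}]:{{ general.network.incoming_ports[0] }}"`. The `hide=hide_secret` argument on the password line references `hide_secret` without the `general.` prefix used for every other variable in this file; if it is not a top-level template variable the filter call fails at render time.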

2
seed/grafana/DEBUG.md Normal file

@ -0,0 +1,2 @@
sed -i "s/;level = info/level = debug/g" /etc/grafana/grafana.ini
systemctl restart grafana-server


@ -0,0 +1,9 @@
format: '0.1'
description: Grafana is an analytics and interactive visualization web application
website: https://grafana.com/
depends:
- base-fedora-38
- postgresql-client
- oauth2-client
- reverse-proxy-client
- relay-mail-client


@ -0,0 +1,67 @@
<?xml version='1.0' encoding='UTF-8'?>
<rougail version="0.10">
<services>
<service name="grafana-server" target="multi-user">
<override engine="none"/>
<file engine="ansible">/etc/grafana/grafana.ini</file>
<file engine="ansible">/etc/sysconfig/grafana-server</file>
<file engine="none" source="tmpfile-grafana.conf">/tmpfiles.d/0grafana.conf</file>
</service>
</services>
<variables>
<family name="grafana">
<variable name="admin_password" type="password" description="Mot de passe de l'administrateur" hidden="True"/>
</family>
<family name="revprox">
<family name="revprox_client">
<variable name="revprox_client_local_location" redefine="True">
<value>/</value>
</variable>
</family>
<variable name="revprox_client_port" redefine="True">
<value>3000</value>
</variable>
<variable name="revprox_client_cert_owner" redefine="True">
<value>grafana</value>
</variable>
</family>
<family name="oauth2_client">
<variable name="oauth2_is_client_application" redefine='True'>
<value>True</value>
</variable>
<variable name="oauth2_client_name" redefine='True'>
<value>Grafana</value>
</variable>
<variable name="oauth2_client_description" redefine='True'>
<value>Visualisation de données</value>
</variable>
<variable name="oauth2_client_category" redefine='True'>
<value>Administration</value>
</variable>
<variable name="oauth2_client_logo" redefine='True'>
<value>silique_note.png</value>
</variable>
<variable name="oauth2_client_token_signature_algo" redefine="True">
<value>RS256</value>
</variable>
<variable name="oauth2_email_domain" type="domainname" description="Domain name allowed to log on Grafana" mandatory="True"/>
</family>
<family name="postgresql">
<variable name="pg_client_key_owner" redefine="True">
<value>grafana</value>
</variable>
</family>
</variables>
<constraints>
<fill name="get_password">
<param name="server_name" type="variable">domain_name_eth0</param>
<param name="username">admin</param>
<param name="description">admin</param>
<param name="type">cleartext</param>
<param name="hide" type="variable">hide_secret</param>
<param name="temporary" type="boolean">True</param>
<target>admin_password</target>
</fill>
</constraints>
</rougail>
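Review bot: `oauth2_client_logo` is set to `silique_note.png`, which reads like a value carried over from a notes application's dictionary rather than a Grafana asset; confirm it is the intended image or point it at one for Grafana. The description on `oauth2_email_domain` is in English while every other `description` attribute in this file is in French — either is fine, but the file should use one language so the generated UI is consistent.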


@ -0,0 +1,11 @@
mkdir -p $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/grafana/plugins
#echo """#!/bin/bash -xe
#grafana-cli plugins install grafana-image-renderer
#mkdir -p /usr/lib/grafana
#mv /var/lib/grafana/plugins/ /usr/lib/grafana/
#""" > $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/install.sh
#chmod 755 $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/install.sh
#mv $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/etc/resolv.conf /tmp
#echo "nameserver 9.9.9.9" > $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/etc/resolv.conf
#chroot $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP /install.sh
#mv -f /tmp/resolv.conf $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/etc/resolv.conf
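Review bot: The only live line, `mkdir -p $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/grafana/plugins`, expands the variable unquoted and silently creates `/usr/lib/grafana/plugins` on the build host if the variable is empty or unset; `mkdir -p "${IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP:?}/usr/lib/grafana/plugins"` fails loudly instead. The ten commented-out lines below it (a plugin install run inside a chroot with a temporary `resolv.conf` pointing at `9.9.9.9`) are dead code committed without explanation; either drop them or add a one-line comment saying why they are kept and what blocks enabling them.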


@ -0,0 +1 @@
PKG="$PKG grafana"


@ -0,0 +1,30 @@
GRAFANA_USER=grafana
GRAFANA_GROUP=grafana
#>GNUNUX
#GRAFANA_HOME=/usr/share/grafana
GRAFANA_HOME=/srv/grafana/home
#<GNUNUX
LOG_DIR=/var/log/grafana
#>GNUNUX
#DATA_DIR=/var/lib/grafana
DATA_DIR=/srv/grafana/var
#<GNUNUX
MAX_OPEN_FILES=10000
CONF_DIR=/etc/grafana
CONF_FILE=/etc/grafana/grafana.ini
RESTART_ON_UPGRADE=true
PLUGINS_DIR=/var/lib/grafana/plugins
PROVISIONING_CFG_DIR=/etc/grafana/provisioning
# Only used on systemd systems
PID_FILE_DIR=/var/run/grafana
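Review bot: `PLUGINS_DIR=/var/lib/grafana/plugins` stays under the stock data directory while `DATA_DIR` is relocated to `/srv/grafana/var` and the image build script in this commit creates `/usr/lib/grafana/plugins` — three different plugin locations, and the one named here is the only one the daemon will use. Pick one (for a read-only image, the directory the build script prepares, i.e. `PLUGINS_DIR=/usr/lib/grafana/plugins`) and mark the divergence from the upstream default with the same `#>GNUNUX`/`#<GNUNUX` markers this file already uses for `GRAFANA_HOME` and `DATA_DIR`.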


@ -0,0 +1,5 @@
[Unit]
After=risotto.target
[Service]
GRAFANA_HOME=/srv/grafana/home
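Review bot: `GRAFANA_HOME=/srv/grafana/home` is not a valid key in a unit file's `[Service]` section, so systemd logs an "Unknown key name" warning and ignores the line; to set an environment variable it must read `Environment=GRAFANA_HOME=/srv/grafana/home`. Since `/etc/sysconfig/grafana-server` in the same commit already sets `GRAFANA_HOME` to the same value, the line may simply be redundant — in that case drop it rather than fix it.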

File diff suppressed because it is too large Load diff


@ -0,0 +1,2 @@
d /srv/grafana 700 grafana grafana - -
d /srv/grafana/home 700 grafana grafana - -


@ -2,32 +2,37 @@
<rougail version="0.10">
<services>
<service name="systemd-machined">
<file>/etc/systemd/network/80-container-vz.network</file>
<file file_type="variable" source="70-container.network" variable="zone_name">systemd_zone_filename</file>
<file file_type="variable" source="70-container.netdev" variable="zone_name">systemd_netzone_filename</file>
<file engine="none">/etc/systemd/network/80-container-vz.network</file>
<file file_type="variable" source="70-container.network" variable="zone_name" engine="ansible">systemd_zone_filename</file>
<file file_type="variable" source="70-container.netdev" variable="zone_name" engine="ansible">systemd_netzone_filename</file>
</service>
<service name="risotto-images" engine="cheetah" manage="False"/>
<service name="risotto-images" engine="ansible" manage="False"/>
<service name="systemd-sysctl"/>
<service name="systemd-networkd"/>
<service name="systemd-resolved"/>
<service name="risotto-images" type="timer" engine="cheetah"/>
<service name="risottofirewall" engine="cheetah"/>
<service name="risotto-images" type="timer" engine="none"/>
<service name="risottofirewall" engine="ansible"/>
<service name="systemd-nspawn@">
<file>/tmpfiles.d/0asystemd-nspawn.conf</file>
<file>/etc/systemd/system/systemd-nspawn@.service.d/systemd-nspawn@.conf</file>
<file>/etc/distro.repos.d/boot.repo</file>
<file engine="none">/tmpfiles.d/0asystemd-nspawn.conf</file>
<file engine="none">/etc/systemd/system/systemd-nspawn@.service.d/systemd-nspawn@.conf</file>
<file engine="none">/etc/distro.repos.d/boot.repo</file>
<file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-35-x86_64</file>
<file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-36-x86_64</file>
<file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-37-x86_64</file>
<file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-38-x86_64</file>
<file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-36</file>
<file>/etc/sysctl.d/90-risotto.conf</file>
<file file_type="variable" source="dhcp.network" variable="interface_names">host_network_filename</file>
<file engine="ansible">/etc/sysctl.d/90-risotto.conf</file>
<file engine="ansible" file_type="variable" source="dhcp.network" variable="interface_names">host_network_filename</file>
</service>
<service name="vector" servicelist="vector">
<file engine="ansible">/etc/vector/vector.toml</file>
</service>
</services>
<variables>
<variable name="host_install_dir" type="filename" description="Nom du répertoire comprenant les descriptions d'installation" mandatory="True" provider="global:host_install_dir"/>
<variable name="host_name" type="domainname" hidden="True" provider="global:server_name" mandatory="True"/>
<variable name="module_name" type="string" hidden="True" provider="global:module_name" mandatory="True"/>
<variable name="tls_server" type="domainname" description="tls domaine name" mandatory="True" provider="global:tls_server"/>
<variable name="systemd_zone_filename" type="filename" hidden="True" multi="True"/>
<variable name="systemd_netzone_filename" type="filename" hidden="True" multi="True"/>
<variable name="vm_swappiness" type="number" description="Ajustement de la mémoire virtuelle" mandatory="True">
@ -80,6 +85,14 @@
<variable name="zone_name" type="string" hidden="True" multi="True"/>
<variable name="zone_cidr" type="cidr" hidden="True"/>
</family>
<family name="vector">
<variable name="server_address" type="domainname" hidden="True" supplier="Vector"/>
<variable name="ip_address" type="ip" hidden="True"/>
</family>
<family name="prometheus">
<variable name="prometheus_server_address" type="domainname" hidden="True" supplier="Prometheus"/>
<variable name="prometheus_ip_address" type="ip" hidden="True" supplier="Prometheus:address"/>
</family>
</variables>
<constraints>
<fill name="get_internal_zone_names">
@ -120,6 +133,16 @@
<param type="index"/>
<target>first_interface</target>
</fill>
<fill name="get_ip">
<param type="information">zones</param>
<param type="variable">server_address</param>
<target>ip_address</target>
</fill>
<fill name="get_host_ip">
<param type="information">zones</param>
<param type="variable">prometheus_server_address</param>
<target>prometheus_ip_address</target>
</fill>
<condition name="disabled_if_not_in" source="interface_type">
<param>ipv4</param>
<target>interface_ip</target>
@ -131,5 +154,14 @@
<target>interface_gateway</target>
<target>interface_domain_name_servers</target>
</condition>
<condition name="disabled_if_in" source="server_address">
<param type="nil"/>
<target type="servicelist">vector</target>
<target type="variable">ip_address</target>
</condition>
<condition name="disabled_if_in" source="prometheus_server_address">
<param type="nil"/>
<target type="variable">prometheus_ip_address</target>
</condition>
</constraints>
</rougail>
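Review bot: The two new fills perform the same lookup through different function names — `get_ip` for `ip_address` and `get_host_ip` for `prometheus_ip_address` — while only `get_host_ip` is among the Python functions added in this commit. If `get_ip` is not defined elsewhere the first fill fails at load time; if it is, a short comment on the `vector` family explaining why the two lookups differ would prevent a later "harmonisation" from breaking one of them. The families also differ in that `prometheus_ip_address` is both filled and marked `supplier="Prometheus:address"` whereas `vector`'s `ip_address` is only filled, and the `prometheus` condition disables just the variable while the `vector` one also disables a servicelist; if that asymmetry is intended, it is worth one line of comment.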


@ -2,9 +2,10 @@
<rougail version="0.10">
<services>
<service name="systemd-nspawn@">
<file file_type="variable" source="nspawn" variable="machined.machines">machined.nspawn_zone_filename</file>
<file file_type="variable" source="network-script" variable="machined.machines" mode="700">machined.nspawn_script_network</file>
<file file_type="variable" source="tls-script" variable="machined.machines" mode="700">machined.nspawn_script_tls</file>
<file engine="ansible" file_type="variable" source="nspawn" variable="machined.machines">machined.nspawn_zone_filename</file>
<file engine="ansible" file_type="variable" source="network-script" variable="machined.machines" mode="700">machined.nspawn_script_network</file>
<file engine="ansible" file_type="variable" source="tls-script" variable="machined.machines" mode="700">machined.nspawn_script_tls</file>
<file engine="ansible" file_type="variable" source="directory-script" variable="machined.machines" mode="700">machined.nspawn_script_directory</file>
</service>
</services>
<variables>
@ -22,6 +23,7 @@
<variable name="nspawn_zone_filename" type="filename" hidden="True" multi="True"/>
<variable name="nspawn_script_network" type="filename" hidden="True" multi="True"/>
<variable name="nspawn_script_tls" type="filename" hidden="True" multi="True"/>
<variable name="nspawn_script_directory" type="filename" hidden="True" multi="True"/>
</variables>
<constraints>
<fill name="calc_value">
@ -38,6 +40,13 @@
<param name="multi" type="boolean">True</param>
<target>machined.nspawn_script_tls</target>
</fill>
<fill name="calc_value">
<param>/sbin/directory-</param>
<param type="variable">machined.machines</param>
<param name="join"></param>
<param name="multi" type="boolean">True</param>
<target>machined.nspawn_script_directory</target>
</fill>
<fill name="calc_value">
<param>/etc/systemd/nspawn/</param>
<param type="variable">machined.machines</param>


@ -9,3 +9,16 @@ def get_internal_zone_names(zones) -> _List[str]:
def is_first_interface(index) -> bool:
return index == 0
@_multi_function
def get_host_ip(zones: dict,
server_name: str,
):
host_name, domain_name = server_name.split('.', 1)
for zone in zones.values():
if domain_name == zone['domain_name']:
break
else:
raise ValueError(f'cannot find IP in domain name "{domain_name}" (for "{server_name}")')
return zone['host_ip']
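Review bot: `host_name, domain_name = server_name.split('.', 1)` raises a bare "not enough values to unpack" `ValueError` when `server_name` contains no dot, which is less useful than the explicit message the function already builds for the not-found case, and `host_name` is never used. `_, sep, domain_name = server_name.partition('.')` followed by `if not sep: raise ValueError(f'"{server_name}" is not a fully qualified name')` covers that input and drops the unused name. A docstring stating that the function returns the `host_ip` of the first zone whose `domain_name` equals the server's domain and raises `ValueError` otherwise would also help, since the dictionary refers to this function only by name.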


@ -1,3 +1,3 @@
[NetDev]
Name=%%rougail_variable
Name={{ rougail_variable }}
Kind=bridge


@ -1,6 +1,6 @@
[Match]
Name=%%rougail_variable
Name={{ rougail_variable }}
[Network]
Address=%%zone_name[%%rougail_index].zone_cidr
Address={{ general.zones.zone_name[rougail_index].zone_cidr }}
EmitLLDP=customer-bridge


@ -1,3 +1,3 @@
net.ipv4.ip_forward = 1
fs.inotify.max_user_instances = 1024
vm.swappiness = %%vm_swappiness
vm.swappiness = {{ general.vm_swappiness }}


@ -0,0 +1,29 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----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=aCLl
-----END PGP PUBLIC KEY BLOCK-----


@ -1,17 +1,17 @@
[Match]
Name=%%rougail_variable
Name={{ rougail_variable }}
[Network]
%set %%leader = %%interface_names[%%rougail_index]
%if %%leader.interface_type == 'dhcp'
{% set leader = general.network.interfaces.interface_names[rougail_index] %}
{% if leader.interface_type == 'dhcp' %}
DHCP=ipv4
%else
{% else %}
DHCP=no
Address=%%leader.interface_ip
%if %%leader.first_interface
Gateway=%%leader.interface_gateway
%for %%dns in %%leader.interface_domain_name_servers
DNS=%%dns
%end for
%end if
%end if
Address={{ leader.interface_ip }}
{% if leader.first_interface %}
Gateway={{ leader.interface_gateway }}
{% for dns in leader.interface_domain_name_servers %}
DNS={{ dns }}
{% endfor %}
{% endif %}
{% endif %}


@ -0,0 +1,16 @@
#!/bin/bash
set -e
{% set family = rougail_variable|normalize_family %}
{% set srv_dir = machined['machine_' + family]['srv_dir_' + family] %}
{% if srv_dir %}
mkdir -p {{ srv_dir }}
chmod 755 {{ srv_dir }}
{% endif %}
{% set journal_dir = machined['machine_' + family]['journal_dir_' + family] %}
mkdir -p {{ journal_dir }}
chmod 755 {{ journal_dir }}
exit 0
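Review bot: `mkdir -p {{ srv_dir }}` and the three lines after it expand the rendered paths unquoted, so a directory name containing whitespace or glob characters is split by the shell; `mkdir -p "{{ srv_dir }}"` and `chmod 755 "{{ srv_dir }}"` (and likewise for `journal_dir`) are the safe form, matching the quoting the tls script in this commit already uses around `$dst_file`. `chmod 755` makes both host-side directories world-traversable; if that is deliberate because the container side needs it, a comment saying so would stop someone tightening it later.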


@ -1,18 +1,18 @@
%echo "#!/bin/bash"
#!/bin/bash
set -e
%set %%name = %%normalize_family(%%rougail_variable)
%set %%container = %%machined['machine_' + %%name]
%set zones = %%container['zones_' + %%name]
%if %%len(%%zones) > 1
%for %%idx, %%zone in %%enumerate(%%zones)
%if not %%idx
%continue
%end if
%set %%intname = "vc-" + %%str(%%idx) + %%rougail_variable
echo "configuration de %intname"
/usr/sbin/ip link set dev %%intname[:15] master %%zone
/usr/sbin/ip link set dev %%intname[:15] up
%end for
%end if
{% set name = rougail_variable|normalize_family %}
{% set container = machined['machine_' + name] %}
{% set zones = container['zones_' + name] %}
{% if zones| length > 1 %}
{% for zone in zones %}
{% set idx = loop.index - 1 %}
{% if idx %}
{% set intname = "vc-" + idx|string + rougail_variable %}
echo "configuration de {{ intname }}"
/usr/sbin/ip link set dev {{ intname[:15] }} master {{ zone }}
/usr/sbin/ip link set dev {{ intname[:15] }} up
{% endif %}
{% endfor %}
{% endif %}
exit 0
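Review bot: `{% set idx = loop.index - 1 %}` followed by `{% if idx %}` re-derives what Jinja already provides: `loop.index0` is the zero-based index and `loop.first` is the skip condition, so the loop body can open with `{% if not loop.first %}` and `{% set intname = "vc-" + loop.index0|string + rougail_variable %}`. The same `loop.index - 1` pattern appears in the nspawn template of this commit (`{% set index = loop.index - 1 %}` before `{% if index == 0 %}`) and can be replaced the same way. `{% if zones| length > 1 %}` also has a stray space before the filter name.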


@ -1,31 +1,32 @@
[Files]
Volatile=true
PrivateUsersChown=false
%set %%name = %%normalize_family(%%rougail_variable)
%set %%container = %%machined['machine_' + %%name]
%if %%container['srv_dir_' + %%name]
Bind=%%container['srv_dir_' + %%name]:/srv
%end if
Bind=%%container['journal_dir_' + %%name]:/var/log/journal/
BindReadOnly=%%container['config_dir_' + %%name]:/usr/local/lib
%if %%container['tls_dir_' + %%name]
Bind=%%container['tls_dir_' + %%name]:/srv/tls
%end if
%set zones = %%container['zones_' + %%name]
%if %%zones
{% set name = rougail_variable|normalize_family %}
{% set container = machined['machine_' + name] %}
{% if container['srv_dir_' + name] %}
Bind={{ container['srv_dir_' + name] }}:/srv
{% endif %}
Bind={{ container['journal_dir_' + name] }}:/var/log/journal/
BindReadOnly={{ container['config_dir_' + name] }}:/usr/local/lib
{% if container['tls_dir_' + name] %}
Bind={{ container['tls_dir_' + name] }}:/srv/tls
{% endif %}
{% set zones = container['zones_' + name] %}
{% if zones %}
[Network]
Private=yes
VirtualEthernet=yes
%for %%idx, %%zone in %%enumerate(%%zones)
%if %%idx == 0
Bridge=%%zones[0]
%else
%set %%intname = "vc-" + %%str(%%idx) + %%rougail_variable
VirtualEthernetExtra=%%intname[:15]:host%%idx
%end if
%end for
%end if
%for %%port in %%container['incoming_ports_' + %%name]
Port=tcp:%%port:%%port
%end for
{% for zone in zones %}
{% set index = loop.index - 1 %}
{% if index == 0 %}
Bridge={{ zones[0] }}
{% else %}
{% set intname = "vc-" + index|string + rougail_variable %}
VirtualEthernetExtra={{ intname[:15] }}:host{{ index }}
{% endif %}
{% endfor %}
{% endif %}
{% for port in container['incoming_ports_' + name] %}
Port=tcp:{{ port }}:{{ port }}
{% endfor %}
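Review bot: `Port=tcp:{{ port }}:{{ port }}` assumes every entry of `incoming_ports_<name>` is a bare port number, while the firewall template in this commit parses the same list with `{% if ":" in port %}` to accept a `protocol:port` form; such an entry would render here as `Port=tcp:udp:53:udp:53`, which systemd-nspawn rejects. If the prefixed form is valid input, split it here the same way and emit `Port={{ protocol }}:{{ port }}:{{ port }}`; if it is not, the firewall template is the one that should stop accepting it. The variable's type definition is not in this diff, so which of the two applies depends on it.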


@ -4,8 +4,8 @@ After=network.target local-fs.target systemd-logind.service
[Service]
Type=oneshot
ExecStart=/usr/local/sbin/backup_images no
ExecStart=/usr/local/sbin/update_images
ExecStart=/usr/local/sbin/backup_images
ExecStart=/usr/local/sbin/update_images {{ tls_server }} "" reboot_every_monday
[Install]
WantedBy=multi-user.target
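Review bot: `ExecStart=/usr/local/sbin/update_images {{ tls_server }} "" reboot_every_monday` passes an empty string as the second positional argument, and nothing on the line says what that slot is, so a reader of the rendered unit cannot tell a deliberate "no value" from a variable that failed to render. A comment above the line naming the three arguments in order (TLS server, the meaning of the empty slot, reboot policy) would make the contract explicit. `tls_server` is also referenced without the `general.` prefix the other templates use; fine if it is a top-level variable, worth confirming otherwise.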


@ -1,11 +1,3 @@
%def %%get_protocol_port(%%port)
%if ':' in %%port
%set %%protocol, %%port = %%port.split(':')
%else
%set %%protocol = 'tcp'
%end if
%return %%protocol, %%port
%end def
[Unit]
Description=Firewall for Risotto
After=network.target
@ -13,32 +5,54 @@ After=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
%set %%has_rules = False
%set %%incoming_ports = {'tcp': {}, 'udp': {}}
%for %%dns in %%machined.machines
%set %%machine = %%normalize_family(%%dns)
%set %%outgoing = %%machined['machine_' + %%machine]['outgoing_ports_' + %%machine]
%if %%outgoing
%set %%ip = %%machined['machine_' + %%machine]['ip_' + %%machine]
%for %%port in %%outgoing
%set %%protocol, %%port = %%get_protocol_port(%%port)
ExecStart=/sbin/iptables -t nat -A POSTROUTING -s %%ip -p %%protocol -m %%protocol --dport %%port -o %%output_interface -j MASQUERADE
ExecStop=-/sbin/iptables -t nat -D POSTROUTING -s %%ip -p %%protocol -m %%protocol --dport %%port -o %%output_interface -j MASQUERADE
%set %%has_rules = False
%end for
%end if
%set %%incoming = %%machined['machine_' + %%machine]['incoming_ports_' + %%machine]
%for %%port in %%incoming
%set %%protocol, %%port = %%get_protocol_port(%%port)
%if %%port in %%incoming_ports[%%protocol]
%raise Exception('the port "' + %%port + '" cannot be deployed for multiple machines: "' + %%dns + '" and "' + %%incoming_ports[%%protocol][%%port] + '"')
%end if
%set %%incoming_ports[%%protocol][%%port] = %%dns
%end for
%end for
%if not %%has_rules
{% set ns = namespace(has_rules=False, incoming_ports={"tcp": {}, "udp": {}}) %}
{% for dns in machined.machines %}
{% set machine = dns|normalize_family %}
{% set outgoing = machined["machine_" + machine]["outgoing_ports_" + machine] %}
{% if outgoing %}
{% set ip = machined["machine_" + machine]["ip_" + machine] %}
{% for port in outgoing %}
{% if ":" in port %}
{% set protocol, port = port.split(":") %}
{% else %}
{% set protocol = "tcp" %}
{% endif %}
ExecStart=/sbin/iptables -t nat -A POSTROUTING -s {{ ip }} -p {{ protocol }} -m {{ protocol }} --dport {{ port }} -o {{ output_interface }} -j MASQUERADE
ExecStop=-/sbin/iptables -t nat -D POSTROUTING -s {{ ip }} -p {{ protocol }} -m {{ protocol }} --dport {{ port }} -o {{ output_interface }} -j MASQUERADE
{% set ns.has_rules = True %}
{% endfor %}
{% endif %}
{% set incoming = machined["machine_" + machine]["incoming_ports_" + machine] %}
{% for port in incoming %}
{% if ":" in port %}
{% set protocol, port = port.split(":") %}
{% else %}
{% set protocol = "tcp" %}
{% endif %}
{% if port in ns.incoming_ports[protocol] %}
{% set msg = 'the port "' + port + '" cannot be deployed for multiple machines: "' + dns + '" and "' + ns.incoming_ports[protocol][port] + '"' %}
{{ msg|raise }}
{% endif %}
{% set x=ns.incoming_ports.__getitem__(protocol).__setitem__(port, dns) %}
{% endfor %}
{% endfor %}
{% if not ns.has_rules %}
ExecStart=/usr/bin/echo "No rule"
%end if
{% endif %}
#FIXME
ExecStart=/sbin/iptables-legacy -t nat -A PREROUTING -p tcp -m tcp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
ExecStart=/sbin/iptables-legacy -t nat -A PREROUTING -p udp -m udp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
ExecStart=/sbin/iptables-legacy -t nat -A OUTPUT ! -d 127.0.0.0/8 -p tcp -m tcp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
ExecStart=/sbin/iptables-legacy -t nat -A OUTPUT ! -d 127.0.0.0/8 -p udp -m udp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
ExecStart=/sbin/iptables-legacy -t nat -A POSTROUTING -o enp3s0 -p tcp -m tcp --dport 53 -j MASQUERADE
ExecStart=/sbin/iptables-legacy -t nat -A POSTROUTING -o enp3s0 -p udp -m udp --dport 53 -j MASQUERADE
ExecStop=/sbin/iptables-legacy -t nat -D PREROUTING -p tcp -m tcp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
ExecStop=/sbin/iptables-legacy -t nat -D PREROUTING -p udp -m udp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
ExecStop=/sbin/iptables-legacy -t nat -D OUTPUT ! -d 127.0.0.0/8 -p tcp -m tcp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
ExecStop=/sbin/iptables-legacy -t nat -D OUTPUT ! -d 127.0.0.0/8 -p udp -m udp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
ExecStop=/sbin/iptables-legacy -t nat -D POSTROUTING -o enp3s0 -p tcp -m tcp --dport 53 -j MASQUERADE
ExecStop=/sbin/iptables-legacy -t nat -D POSTROUTING -o enp3s0 -p udp -m udp --dport 53 -j MASQUERADE
#FIXME
[Install]
WantedBy=multi-user.target
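Review bot: The block between the two `#FIXME` markers hard-codes a public resolver address (`5.135.181.125`) and an interface name (`enp3s0`) into a template whose generated rules take their interface from `{{ output_interface }}`, and it redirects every DNS query aimed at a local address to that external host; both values should come from variables (the interface at least from `output_interface`) and the reason for the redirect belongs in a comment next to the FIXME rather than in a bare marker. Those twelve rules also use `iptables-legacy` while the generated ones use `/sbin/iptables`, so the two sets may land in different backends, and their `ExecStop=` lines lack the `-` prefix that the generated `ExecStop=-/sbin/iptables` lines carry, so a rule missing at stop time marks the unit failed. Separately, `{% set x=ns.incoming_ports.__getitem__(protocol).__setitem__(port, dns) %}` reaches for dunder methods where `{% set _ = ns.incoming_ports[protocol].update({port: dns}) %}` does the same job and keeps working in a sandboxed environment that blocks underscore-prefixed attributes.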


@ -1,3 +1,4 @@
[Service]
ExecStartPre=/usr/local/lib/sbin/directory-%i
ExecStartPre=/usr/local/lib/sbin/tls-%i
ExecStartPost=/usr/local/lib/sbin/network-%i


@ -1,29 +1,29 @@
%echo "#!/bin/bash"
#!/bin/bash
set -e
%for %%machine in %%machined.machines
%set %%nor_machine = %%normalize_family(%%machine)
%set tls_dir = %%machined['machine_' + %%nor_machine]['tls_dir_' + %%nor_machine]
%if %%tls_dir
%break
%end if
%end for
%if %%tls_dir
%set %%dst_dir = %%machined['machine_' + %%normalize_family(%%rougail_variable)]['config_dir_' + %%normalize_family(%%rougail_variable)]
%set %%src_dir = %%tls_dir + "/machines/" + %%rougail_variable
%if 'certificates' in %%extra_variables and %%rougail_variable in %%extra_variables['certificates']
if [ -d "%%dst_dir" ] && [ -d "%%src_dir" ]; then
%for %%certificate in %%extra_variables['certificates'][%%rougail_variable]
%set %%files = [%%certificate.name]
%if %%certificate.provider == 'autosigne'
%%files.append(%%certificate.authority)
%end if
%if 'private' in %%certificate
%%files.append(%%certificate.private)
%end if
%for %%file in %%files
src_file="%%{src_dir}%%file"
dst_file="%%{dst_dir}%%file"
{% set ns = namespace(tls_dir=None) %}
{% for machine in machined.machines %}
{% if not ns.tls_dir %}
{% set nor_machine = machine|normalize_family %}
{% set ns.tls_dir = machined['machine_' + nor_machine]['tls_dir_' + nor_machine] %}
{% endif %}
{% endfor %}
{% if ns.tls_dir %}
{% set dst_dir = machined['machine_' + rougail_variable|normalize_family]['config_dir_' + rougail_variable|normalize_family] %}
{% set src_dir = ns.tls_dir + "/machines/" + rougail_variable %}
{% if 'certificates' in extra_variables and rougail_variable in extra_variables['certificates'] %}
if [ -d "{{ dst_dir }}" ] && [ -d "{{ src_dir }}" ]; then
{% for certificate in extra_variables['certificates'][rougail_variable] %}
{% set files = [certificate.name] %}
{% if certificate.provider == 'autosigne' %}
{{ files.append(certificate.authority) }}
{% endif %}
{% if 'private' in certificate %}
{{ files.append(certificate.private) }}
{% endif %}
{% for file in files %}
src_file="{{ src_dir }}{{ file}}"
dst_file="{{dst_dir}}{{ file }}"
dst_dir=$(dirname "$dst_file")
mkdir -p "$dst_dir"
# ne fonctionne pas avec revprox :/
@ -39,9 +39,9 @@ if [ -d "%%dst_dir" ] && [ -d "%%src_dir" ]; then
chown root: "$dst_file"
chmod 700 "$dst_file"
%end for
%end for
{% endfor %}
{% endfor %}
fi
%end if
%end if
{% endif %}
{% endif %}
exit 0


@ -0,0 +1,69 @@
# __ __ __
# \ \ / / / /
# \ V / / /
# \_/ \/
#
# V E C T O R
# Configuration
#
# ------------------------------------------------------------------------------
# Website: https://vector.dev
# Docs: https://vector.dev/docs
# Chat: https://chat.vector.dev
# ------------------------------------------------------------------------------
# Change this to use a non-default directory for Vector data storage:
# data_dir = "/var/lib/vector"
# Random Syslog-formatted logs
#>GNUNUX
#[sources.dummy_logs]
#type = "demo_logs"
#format = "syslog"
#interval = 1
[sources.journal]
type = "journald"
{% if general.prometheus.prometheus_server_address %}
[sources.metrics]
type = "host_metrics"
{% endif %}
#<GNUNUX
# Parse Syslog logs
# See the Vector Remap Language reference for more info: https://vrl.dev
#>GNUNUX
#[transforms.parse_logs]
#type = "remap"
#inputs = ["dummy_logs"]
#source = '''
#. = parse_syslog!(string!(.message))
#'''
#<GNUNUX
# Print parsed logs to stdout
#>GNUNUX
[sinks.vector]
type = "vector"
inputs = ["journal"]
address = "{{ general.vector.ip_address }}:8686"
{% if general.prometheus.prometheus_server_address %}
[sinks.prometheus]
type = "prometheus_exporter"
inputs = ["metrics"]
address = "{{ general.prometheus.prometheus_ip_address }}:9090"
#{% endif %}
#<GNUNUX
# Vector's GraphQL API (disabled by default)
# Uncomment to try it out with the `vector top` command or
# in your browser at http://localhost:8686
#[api]
#enabled = true
#address = "127.0.0.1:8686"
#>GNUNUX
[api]
enabled = true
address = "127.0.0.1:8686"
#<GNUNUX
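Review bot: The `[sinks.vector]` block near the bottom ships the whole journal to `{{ general.vector.ip_address }}:8686` with no `[sinks.vector.tls]` section, so the transport is plaintext and the aggregator is not authenticated; journald output routinely carries usernames, hostnames and whatever services echo into their logs. If that link is anything but a trusted network, add `[sinks.vector.tls]` with `enabled = true` and `crt_file`/`key_file`/`ca_file` pointing into the `general.tls_*_directory` paths the other templates in this commit already use. A smaller slip: the prometheus block is closed with `#{% endif %}` — Jinja still consumes the tag, but the literal `#` is emitted as a stray comment line; it should be `{% endif %}` like the one after `[sources.metrics]`.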


@ -0,0 +1,3 @@
format: '0.1'
description: Journald
website: https://systemd.io/


@ -0,0 +1,26 @@
<?xml version='1.0' encoding='UTF-8'?>
<rougail version="0.10">
<services>
<service name="systemd-journal-upload" target="multi-user" servicelist="journald">
<override engine="none"/>
<certificate authority="Journald" server="journal_client_server_domainname" group="systemd-journal">journald</certificate>
<file engine="ansible">/etc/systemd/journal-upload.conf</file>
</service>
</services>
<variables>
<family name="journald" description="systemd-journald">
<variable name="journal_client_server_domainname" type="domainname" supplier="Journald"/>
<variable name="journal_host_name" type="domainname" supplier="Journald:host"/>
</family>
</variables>
<constraints>
<condition name="disabled_if_in" source="journal_client_server_domainname">
<param type="nil"/>
<target type="servicelist">journald</target>
</condition>
<fill name="calc_value">
<param type="variable">domain_name_eth0</param>
<target>journal_host_name</target>
</fill>
</constraints>
</rougail>
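Review bot: The client certificate is declared with `group="systemd-journal"`, which — assuming that attribute sets the group of the rendered key file — makes the uploader's private key readable by every member of that group, not only by the `systemd-journal-upload` service user. On systemd hosts `systemd-journal` is also the group admins are put in for unprivileged `journalctl` access, so anyone granted log reading could also impersonate the host towards the collector. If the element supports it, prefer `owner="systemd-journal-upload"` (the unit's `User=`), mirroring the `owner="systemd-journal-remote"` used on the server side in this same commit.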


@ -0,0 +1 @@
PKG="$PKG systemd-journal-remote"


@ -0,0 +1,25 @@
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it under the
# terms of the GNU Lesser General Public License as published by the Free
# Software Foundation; either version 2.1 of the License, or (at your option)
# any later version.
#
# Entries in this file show the compile time defaults. Local configuration
# should be created by either modifying this file, or by creating "drop-ins" in
# the journal-upload.conf.d/ subdirectory. The latter is generally recommended.
# Defaults can be restored by simply deleting this file and all drop-ins.
#
# See journal-upload.conf(5) for details.
[Upload]
# URL=
# ServerKeyFile=/etc/ssl/private/journal-upload.pem
# ServerCertificateFile=/etc/ssl/certs/journal-upload.pem
# TrustedCertificateFile=/etc/ssl/ca/trusted.pem
#>GNUNUX
URL=https://{{ journal_client_server_domainname }}:19532
ServerCertificateFile={{ general.tls_cert_directory }}/journald.crt
ServerKeyFile={{ general.tls_key_directory }}/journald.key
TrustedCertificateFile={{ general.tls_ca_directory }}/Journald.crt
#<GNUNUX


@ -0,0 +1,2 @@
[Unit]
After=risotto.target


@ -0,0 +1,3 @@
format: '0.1'
description: Journald remote
website: https://systemd.io/


@ -0,0 +1,11 @@
<?xml version='1.0' encoding='UTF-8'?>
<rougail version="0.10">
<services>
<service name="systemd-journal-remote" target="multi-user">
<override engine="none"/>
<certificate certificatelist="journald" authority="Journald" type="server" owner="systemd-journal-remote">journald</certificate>
<file engine="ansible" filelist="journald">/etc/systemd/journal-remote.conf</file>
</service>
</services>
</rougail>


@ -0,0 +1,21 @@
<?xml version='1.0' encoding='UTF-8'?>
<rougail version="0.10">
<variables>
<variable name="remotes" description="Remote journald" type="domainname" provider="Journald" mandatory="True" multi="True"/>
<family name="remote_" description="Account for " dynamic="accounts.remotes">
<variable name="host_" description="Remote host" type="domainname" mandatory="True" provider="Journald:host"/>
<variable name="messages_" multi="True" provider="Journald:message" unique="False"/>
<variable name="services_" multi="True" provider="Journald:service" unique="False"/>
<variable name="functions_" multi="True" provider="Journald:function" mandatory="False" unique="False"/>
</family>
<variable name="vector_conditions" hidden="True"/>
</variables>
<constraints>
<fill name="calc_vector_conditions">
<param type="variable">accounts.remote_.messages_</param>
<param type="variable">accounts.remote_.services_</param>
<param type="variable">accounts.remote_.functions_</param>
<target>accounts.vector_conditions</target>
</fill>
</constraints>
</rougail>


@ -0,0 +1,20 @@
from itertools import chain as _chain
def calc_vector_conditions(messages, services, functions):
mes = _chain(*messages)
ser = list(_chain(*services))
fun = list(_chain(*functions))
conditions = []
for idx, message in enumerate(mes):
service = ser[idx]
function = fun[idx]
condition = '(.SYSLOG_IDENTIFIER == "' + service + '" && '
if not function:
condition += '.message == "' + message + '"'
else:
condition += function + '(to_string(.message) ?? "", "' + message + '")'
condition += ')'
if condition not in conditions:
conditions.append(condition)
return '!(' + ' || '.join(conditions) + ')'
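Review bot: `service` and `message` are spliced into the VRL expression between bare double quotes, so a pattern containing `"` or `\` (likely once `function` is something like `match`) yields an unparsable or silently different filter. Encode the literals instead, e.g. `condition += '.message == ' + json.dumps(message)` and likewise for `service` (one `import json` next to the existing `itertools` import); JSON escaping is compatible with VRL string literals. Two smaller points: `ser[idx]`/`fun[idx]` raise a bare `IndexError` when the three multi-variables differ in length, and with no remotes the function returns `!()`, which is not a valid expression — `zip(mes, ser, fun)` and an explicit empty-case return (whatever the consuming vector template expects, presumably `true`) would cover both.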


@ -0,0 +1 @@
PKG="$PKG systemd-journal-remote"


@ -0,0 +1,26 @@
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it under the
# terms of the GNU Lesser General Public License as published by the Free
# Software Foundation; either version 2.1 of the License, or (at your option)
# any later version.
#
# Entries in this file show the compile time defaults. Local configuration
# should be created by either modifying this file, or by creating "drop-ins" in
# the journal-remote.conf.d/ subdirectory. The latter is generally recommended.
# Defaults can be restored by simply deleting this file and all drop-ins.
#
# See journal-remote.conf(5) for details.
[Remote]
# Seal=false
# SplitMode=host
# ServerKeyFile=/etc/ssl/private/journal-remote.pem
# ServerCertificateFile=/etc/ssl/certs/journal-remote.pem
# TrustedCertificateFile=/etc/ssl/ca/trusted.pem
#>GNUNUX
SplitMode=none
ServerCertificateFile={{ general.tls_cert_directory }}/journald.crt
ServerKeyFile={{ general.tls_key_directory }}/journald.key
TrustedCertificateFile={{ general.tls_ca_directory }}/Journald.crt
#<GNUNUX
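Review bot: `Seal=` is left at its compiled default (`false`, per the commented line just above the GNUNUX block), so the received `risotto.journal` is not covered by Forward Secure Sealing and anyone who gains access to the collector can rewrite history undetected — the property a central log sink exists to provide. Consider `Seal=true` after provisioning FSS keys on the collector (`journalctl --setup-keys`), or record in a comment why sealing is deliberately off. `TrustedCertificateFile=` pointing at the Journald CA should make `systemd-journal-remote` require a client certificate from that CA on the 19532 listener, which is the right default; confirm with a clientless `curl` once deployed.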


@ -0,0 +1,3 @@
[Service]
ExecStart=
ExecStart=/usr/lib/systemd/systemd-journal-remote --listen-https=-3 --output=/var/log/journal/remote/risotto.journal


@ -1,22 +1,25 @@
<?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10">
<services>
<service name="ldap-client" target="risotto" engine="cheetah">
<service name="ldap-client" target="risotto" engine="ansible">
<certificate authority="LDAP" owner="ldap_key_file_owner" owner_type="variable" server="ldap_server_address">ldap_client</certificate>
<file source="ldap.conf" file_type="variable">ldap_client_file</file>
<file engine="ansible" source="ldap.conf" file_type="variable">ldap_client_file</file>
</service>
</services>
<variables>
<family name="annuaire" description="Annuaire OpenLDAP">
<family name="ldap" description="Annuaire OpenLDAP">
<family name="server" description="Serveur">
<variable name='ldap_server_address' type='domainname' description="Nom DNS du serveur LDAP" mandatory='True' supplier="LDAP"/>
<variable name="ldap_server_ip" type="ip" hidden="True"/>
<variable name='ldap_port' type='port' description='Port du serveur LDAP' hidden="True">
<value>636</value>
</variable>
<variable name='prefix_domain_name' hidden="True" mandatory="True" provider="global:prefix_domain_name"/>
</family>
<family name="client" description="Client">
<variable name='ldapclient_family' type='unix_user' description="Nom de la famille LDAP" supplier="LDAP:family"/>
<variable name='ldapclient_user' type='string' description="DN de l'utilisateur LDAP" mandatory='False' hidden="True" supplier="LDAP:dn"/>
<variable name='ldapclient_address' hidden="True"/>
<variable name='ldapclient_user_password' type='password' description="Mot de passe de l'utilisateur LDAP" mandatory='True' hidden="True" supplier="LDAP:password"/>
<variable name='ldapclient_base_dn' type='string' description="Base DN de l'annuaire" mandatory="True" supplier="LDAP:base_dn"/>
<variable name='ldapclient_search_dn' type='string' description="Base DN de l'annuaire des utilisateurs" mandatory="True"/>
@ -33,8 +36,13 @@
<check name='valid_base_dn'>
<target>ldapclient_base_dn</target>
</check>
<fill name='get_default_base_dn'>
<fill name="get_ip">
<param type="information">zones</param>
<param type="variable">ldap_server_address</param>
<target>ldap_server_ip</target>
</fill>
<fill name='get_default_base_dn'>
<param type="variable">prefix_domain_name</param>
<target>ldapclient_base_dn</target>
</fill>
<fill name='calc_value'>
@ -45,12 +53,18 @@
</fill>
<fill name='calc_value'>
<param>cn=</param>
<param type='variable'>domain_name_eth0</param>
<param type='variable'>ldapclient_address</param>
<param>,</param>
<param type='variable'>ldapclient_base_dn</param>
<param name="join"></param>
<target>ldapclient_user</target>
</fill>
<fill name="get_client_address">
<param type='variable'>ldap_server_ip</param>
<param type='variable'>domain_name_eth</param>
<param type='variable'>network_eth</param>
<target>ldapclient_address</target>
</fill>
<fill name="get_password">
<param name="server_name" type="variable">ldap_server_address</param>
<param name="username" type="variable">ldapclient_user</param>
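Review bot: The `<file>` for `ldap_client_file` at the top of the service declares neither `mode=` nor `owner=`, yet the template rendered into it (the `ldap.conf` hunk in this commit) contains `BINDDN` and `BINDPW`; the LemonLDAP scripts elsewhere in this change get `mode="750"`, so the mechanism exists. If the default is the usual world-readable config mode, the bind password is exposed to every local account on the client. Declare something like `<file engine="ansible" source="ldap.conf" file_type="variable" mode="640" owner="ldap_key_file_owner" owner_type="variable">ldap_client_file</file>`, reusing the owner variable the `<certificate>` element already takes — assuming `<file>` accepts the same owner attributes.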


@ -1,4 +1,8 @@
from ipaddress import ip_network as _ip_network, ip_address as _ip_address
def valid_base_dn(base_dn: str) -> None:
# copied from openldap
for att in ['o', 'dc', 'ou']:
if base_dn.startswith(att + '='):
break
@ -11,6 +15,7 @@ def calc_ldapclient_base_dn(ldap_base_dn: str,
base: bool=False,
group: bool=False,
) -> str:
# copied from openldap
if ldap_base_dn is None:
return
if family_name == 'all':
@ -39,14 +44,23 @@ class _Undefined:
_undefined = _Undefined()
def get_default_base_dn(server_name: str) -> str:
if not server_name or '.' not in server_name:
def get_default_base_dn(prefix: str) -> str:
# copied from openldap
if not prefix or '.' not in prefix:
return None
values = server_name.split('.')
# cannot calculated base dn should be server.domain.tld
values = prefix.split('.')
# cannot calculated base dn should be subdomain.domain.tld
# remove 'server' in dn
if len(values) < 3:
return None
domain = ['ou=' + domain for domain in values[1:-2]]
domain = ['ou=' + domain for domain in values[0:-2]]
domain.append(f'o={values[-2]},o={values[-1]}')
return ','.join(domain)
def get_client_address(ip, infos, network_eth):
ip_mail = _ip_address(ip)
for idx, net in enumerate(network_eth):
if ip_mail in _ip_network(net):
val = infos[idx]
return val
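Review bot: `get_client_address` falls off the end and returns `None` when `ip` is in none of the `network_eth` entries, so `ldapclient_user` is silently built as `cn=None,...` and the misconfiguration only surfaces later as a bind failure. End the function with `raise ValueError(f'{ip} is not in any configured network: {network_eth}')` so it is reported at template time. Style-wise, `ip_mail` reads as a leftover from another module (`server_ip` fits this caller), and `for net, host in zip(network_eth, infos):` removes the positional `infos[idx]` lookup that raises a bare `IndexError` when the two multi-variables differ in length.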


@ -4,4 +4,4 @@ Before=risotto.target
[Service]
Type=oneshot
ExecStart=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/%%ldap_server_address/%%ldap_port; do sleep 1; done'
ExecStart=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/{{ ldap_server_address }}/{{ ldap_port }}; do sleep 1; done'


@ -8,8 +8,8 @@
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#>GNUNUX
BASE %%ldapclient_search_dn
URI ldaps://%%ldap_server_address:%%ldap_port
BASE {{ ldapclient_search_dn }}
URI ldaps://{{ ldap_server_address }}:{{ ldap_port }}
#<GNUNUX
#SIZELIMIT 12
@ -21,9 +21,9 @@ URI ldaps://%%ldap_server_address:%%ldap_port
# by TLS_CACERTDIR one has to include them explicitly:
#TLS_CACERT /etc/pki/tls/cert.pem
#>GNUNUX
TLS_CERT %%tls_cert_directory/ldap_client.crt
TLS_KEY %%tls_key_directory/ldap_client.key
TLS_CACERT %%tls_ca_directory/LDAP.crt
TLS_CERT {{ tls_cert_directory }}/ldap_client.crt
TLS_KEY {{ tls_key_directory }}/ldap_client.key
TLS_CACERT {{ tls_ca_directory }}/LDAP.crt
#<GNUNUX
# System-wide Crypto Policies provide up to date cipher suite which should
@ -36,9 +36,9 @@ TLS_CACERT %%tls_ca_directory/LDAP.crt
SASL_NOCANON on
#>GNUNUX
BINDDN %%ldapclient_user
BINDDN {{ ldapclient_user }}
TIMELIMIT 10
NETWORK_TIMEOUT 10
TIMEOUT 10
BINDPW %%ldapclient_user_password
BINDPW {{ ldapclient_user_password }}
#<GNUNUX
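Review bot: `BINDPW {{ ldapclient_user_password }}` writes the bind password in clear text, so whatever `ldap_client_file` resolves to must be owned by the consuming service user with a restrictive mode — nothing in this hunk establishes that. It is also worth confirming which consumer reads this file: in OpenLDAP's own `ldap.conf(5)`, `BINDDN` is honoured only from per-user `ldaprc`, and `BINDPW` is not a libldap directive at all (it belongs to the nss_ldap/pam_ldap flavour of `ldap.conf`), so if this lands in `/etc/openldap/ldap.conf` the credential is stored but never used. Adding an explicit `TLS_REQCERT demand` beside `TLS_CACERT` would document the intended verification even though it is the libldap default.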


@ -3,3 +3,7 @@ Log level to DEBUG
sed -i "s/logLevel = info/logLevel = debug/g" /etc/lemonldap-ng/lemonldap-ng.ini
systemctl restart lemonldap-ng-fastcgi-server.service
sed -i 's/log error/log debug/g' /etc/nginx/nginx.conf
systemctl restart nginx


@ -2,7 +2,7 @@
<rougail version="0.10">
<services>
<service name="lemonldap-ng-fastcgi-server">
<override/>
<override engine="none"/>
<file engine="none">/static/logo.png</file>
<file engine="none">/static/demo.png</file>
<file engine="none">/static/silique_email.png</file>
@ -11,16 +11,15 @@
<file engine="none">/static/silique_video.png</file>
<file engine="none">/static/silique_image.png</file>
<file engine="none">/static/risotto.css</file>
<file>/var/lib/lemonldap-ng/conf/lmConf-1.json</file>
<file engine="ansible">/var/lib/lemonldap-ng/conf/lmConf-1.json</file>
<file engine="none">/etc/lemonldap-ng/lemonldap-ng.ini</file>
<!--file>/etc/lemonldap-ng/handler-nginx.conf</file-->
<file>/etc/lemonldap-ng/portal-nginx.conf</file>
<file>/etc/lemonldap-ng/nginx-lmlog.conf</file>
<file>/etc/default/lemonldap-ng-fastcgi-server</file>
<file mode="750">/sbin/interne_well_known.pl</file>
<file mode="750">/sbin/wget.pl</file>
<file engine="ansible">/etc/lemonldap-ng/portal-nginx.conf</file>
<file engine="none">/etc/lemonldap-ng/nginx-lmlog.conf</file>
<file engine="ansible">/etc/default/lemonldap-ng-fastcgi-server</file>
<file engine="ansible" mode="750">/sbin/interne_well_known.pl</file>
<file engine="ansible" mode="750">/sbin/wget.pl</file>
<file engine="none" source="tmpfile-lemonldap.conf">/tmpfiles.d/0lemonldap.conf</file>
<file filelist="copy_tests">/tests/lemonldap.yml</file>
<file engine="ansible" filelist="copy_tests">/tests/lemonldap.yml</file>
</service>
</services>
<variables>
@ -36,7 +35,7 @@
</variable>
<variable name="lemon_mail_admin" type="mail" description="Courriel de l'administrateur" mandatory="True"/>
</family>
<family name="annuaire">
<family name="ldap">
<family name="client">
<variable name='ldapclient_family' redefine="True">
<value>all</value>
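Review bot: `/var/lib/lemonldap-ng/conf/lmConf-1.json` is declared without `mode=`/`owner=` although the template rendered into it later in this commit embeds `managerPassword`, every RP's `oidcRPMetaDataOptionsClientSecret` and the OIDC signing private key (`oidcServicePrivateKeySig`). The Perl helpers right below it get `mode="750"`, so the attribute is available; give the configuration file something like `mode="640"` with the owner the fastcgi server runs as, and check `/etc/lemonldap-ng/lemonldap-ng.ini` the same way if it holds storage credentials. Without that, any local account on the SSO host can read the key that signs every ID token.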


@ -3,6 +3,7 @@
<variables>
<variable name="remotes" description="Remote clients needing to verify OAuth2 account" type="domainname" multi="True" provider="OAuth2"/>
<family name="oauth2_" description="OAuth2 for " dynamic="oauth2.remotes">
<variable name="client_id_" description="Remote client id for " mandatory="True" hidden="True" provider="OAuth2:client_id"/>
<variable name="secret_" description="Remote secret for " type="password" mandatory="True" hidden="True" provider="OAuth2:secret"/>
<variable name="name_" description="Remote name for " hidden="True" provider="OAuth2:name"/>
<variable name="description_" description="Remote description for " hidden="True" provider="OAuth2:description"/>


@ -21,10 +21,10 @@ server {
# GNUNUX server_name reload.example.com;
#>GNUNUX
listen 443 ssl;
server_name %%lemon_reload_web_name;
ssl_certificate %%tls_cert_directory/revprox.crt;
ssl_certificate_key %%tls_key_directory/revprox.key;
ssl_client_certificate %%tls_ca_directory/InternalReverseProxy.crt;
server_name {{ general.lemonldap.lemon_reload_web_name }};
ssl_certificate {{ general.tls_cert_directory }}/revprox.crt;
ssl_certificate_key {{ general.tls_key_directory }}/revprox.key;
ssl_client_certificate {{ general.tls_ca_directory }}/InternalReverseProxy.crt;
#<GNUNUX
root /var/www/html;
@ -55,7 +55,7 @@ server {
# Client requests
location / {
allow %%revprox_client_server_ip;
allow {{ general.revprox.revprox_client.revprox_client_server_ip }};
deny all;
# Uncomment this if you use https only
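Review bot: The `allow` in `location /` reads `general.revprox.revprox_client.revprox_client_server_ip`, while the portal template in this same commit uses `general.revprox.revprox_client_server_ip` for the same value; one path is wrong and, depending on Jinja's undefined handling, the line renders as `allow ;` (nginx rejects the config) or rendering fails outright. Since the `allow`/`deny` pair is the only control on the reload endpoint, align the path and render both templates once in a test. Separately, `ssl_client_certificate` is set but no `ssl_verify_client` is visible in these hunks; if it is not set elsewhere in the server block, the proxy CA is loaded and never enforced.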


@ -1,17 +1,17 @@
%echo "#!/usr/bin/env perl"
#!/usr/bin/env perl
# retrieve and modify (if no argument) well-known file
use HTTP::Tiny;
use JSON qw(from_json to_json);
my $baseUrl = 'https://%%domain_name_eth0/';
my $baseUrl = 'https://{{ general.network.interface_0.domain_name_eth0 }}/';
my $response = HTTP::Tiny->new->get('http://localhost/.well-known/openid-configuration');
die "Failed!\n" unless $response->{success};
my $json = from_json($response->{content});
%echo "$num_args = $#ARGV + 1;"
$num_args = $#ARGV + 1;
if ($num_args == 0) {
$json->{token_endpoint} = $baseUrl . 'oauth2/token';


@ -1,7 +1,7 @@
# Number of process (default: 7)
#NPROC = 7
#>GNUNUX
NPROC=%%lemon_proc
NPROC={{ general.lemonldap.lemon_proc }}
#<GNUNUX
# Unix socket to listen to


@ -1,3 +1,3 @@
address: %%revprox_client_external_domainnames[0]
internal_address: %%domain_name_eth0
ip: %%ip_eth0
address: {{ revprox_client_external_domainnames[0] }}
internal_address: {{ domain_name_eth0 }}
ip: {{ ip_eth0 }}


@ -1,19 +1,16 @@
%compiler-settings
commentStartToken = §
%end compiler-settings
{
"mailFrom" : "%%lemon_mail_admin",
"mailFrom" : "{{ general.lemonldap.lemon_mail_admin }}",
"mailLDAPFilter" : "(&(mail=$mail)(objectClass=inetOrgPerson))",
"portalSkinBackground" : "",
"portalCustomCss": "risotto/risotto.css",
"authentication" : "LDAP",
"AuthLDAPFilter" : "(&(cn=$user)(objectClass=inetOrgPerson))",
"managerDn" : "%%ldapclient_user",
"managerPassword" : "%%ldapclient_user_password",
"managerDn" : "{{ general.ldap.client.ldapclient_user }}",
"managerPassword" : "{{ general.ldap.client.ldapclient_user_password }}",
"ldapPpolicyControl" : 1,
"ldapAllowResetExpiredPassword" : 1,
"ldapChangePasswordAsUser" : 1,
"ldapBase" : "%%ldapclient_search_dn",
"ldapBase" : "{{ general.ldap.client.ldapclient_search_dn }}",
"ldapExportedVars" : {
"uid" : "uid",
"cn" : "cn",
@ -22,7 +19,7 @@ commentStartToken = §
"givenName" : "givenName",
"home" : "homeDirectory"
},
"ldapGroupBase" : "%%ldapclient_group_dn",
"ldapGroupBase" : "{{ general.ldap.client.ldapclient_group_dn }}",
"ldapGroupAttributeName" : "member",
"ldapGroupAttributeNameUser" : "cn",
"ldapGroupAttributeNameGroup" : "dn",
@ -30,7 +27,7 @@ commentStartToken = §
"ldapGroupAttributeNameUser" : "dn",
"ldapGroupObjectClass" : "groupOfNames",
"ldapPort" : "636",
"ldapServer" : "ldaps://%%ldap_server_address",
"ldapServer" : "ldaps://{{ general.ldap.server.ldap_server_address }}",
"ldapVerify" : "required",
"ldapTimeout" : 120,
"cfgAuthor" : "Risotto",
@ -41,7 +38,7 @@ commentStartToken = §
"mail" : "mail",
"uid" : "uid"
},
"domain" : "%%revprox_client_external_domainnames[0]",
"domain" : "{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}",
"exportedVars" : {
"UA" : "HTTP_USER_AGENT",
"cn" : "cn",
@ -60,23 +57,22 @@ commentStartToken = §
"namespace" : "lemonldap-ng-sessions"
},
"locationRules" : {
"%%revprox_client_external_domainnames[0]" : {
"{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}" : {
"default" : "accept"
%set %%domains = []
%for %%app in %%oauth2.remotes
%set %%key = %%normalize_family(%%app)
§ somethink like ['https://domain/']
%for %%external in %%oauth2['oauth2_' + %%key]['external_' + %%key]['hosts_' + %%key]
%set %%domain = %%str(%%external).split('/', 3)[-2]
%if %%domain not in %%domains
{% set domains = [] %}
{% for app in oauth2.remotes %}
{% set key = app|normalize_family %}
{% for external in oauth2['oauth2_' + key]['external_' + key]['hosts_' + key] %}
{% set domain = (external|string).split('/', 3)[-2] %}
{% if domain not in domains %}
},
"%%domain" : {
"{{ domain }}" : {
"^/logout" : "logout_sso",
"default" : "$groups eq \"%%external['family_' + %%key]\""
%%domains.append(%%domain)%slurp
%end if
%end for
%end for
"default" : "$groups eq \"{{ external['family_' + key] }}\""
{{ domains.append(domain) }}
{% endif %}
{% endfor %}
{% endfor %}
}
},
"loginHistoryEnabled" : 1,
@ -84,7 +80,7 @@ commentStartToken = §
"UA" : "$ENV{HTTP_USER_AGENT}",
"_whatToTrace" : "$_auth eq 'SAML' ? lc($_user.'@'.$_idpConfKey) : $_auth eq 'OpenIDConnect' ? lc($_user.'@'.$_oidc_OP) : lc($_user)"
},
"mailUrl" : "https://%%revprox_client_external_domainnames[0]/resetpwd",
"mailUrl" : "https://{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}/resetpwd",
"mySessionAuthorizedRWKeys" : [
"_appsListOrder",
"_oidcConnectedRP",
@ -95,53 +91,50 @@ commentStartToken = §
"dirName" : "/srv/lemonldap-ng/notifications"
},
"oidcRPMetaDataExportedVars" : {
%set %%len_app = %%len(%%oauth2.remotes)
%for %%idx, %%app in %%enumerate(%%oauth2.remotes)
%set %%key = %%normalize_family(%%app)
%set %%description = %%oauth2['oauth2_' + %%key]['description_' + %%key]
"%%app" : {
{% set len_app = oauth2.remotes|length %}
{% for app in oauth2.remotes %}
{% set key = app|normalize_family %}
{% set description = oauth2['oauth2_' + key]['description_' + key] %}
"{{ app }}" : {
"email" : "mail",
"family_name" : "sn",
"name" : "cn",
"nickname" : "uid",
"home" : "home"
%if %%len_app - 1 == %%idx
{% if len_app == loop.index %}
}
%else
{% else %}
},
%end if
%end for
{% endif %}
{% endfor %}
},
"oidcRPMetaDataOptions" : {
%for %%idx, %%app in %%enumerate(%%oauth2.remotes)
%set %%key = %%normalize_family(%%app)
%set %%description = %%oauth2['oauth2_' + %%key]['description_' + %%key]
"%%app" : {
{% for app in oauth2.remotes %}
{% set key = app|normalize_family %}
{% set description = oauth2['oauth2_' + key]['description_' + key] %}
"{{ app }}" : {
"oidcRPMetaDataOptionsAllowClientCredentialsGrant" : 0,
"oidcRPMetaDataOptionsAllowOffline" : 1,
"oidcRPMetaDataOptionsAllowPasswordGrant" : 0,
"oidcRPMetaDataOptionsBypassConsent" : 1,
"oidcRPMetaDataOptionsClientID" : "%%key",
"oidcRPMetaDataOptionsClientSecret" : "%%oauth2['oauth2_' + %%key]['secret_' + %%key]",
"oidcRPMetaDataOptionsClientID" : "{{ oauth2['oauth2_' + key]['client_id_' + key] }}",
"oidcRPMetaDataOptionsClientSecret" : "{{ oauth2['oauth2_' + key]['secret_' + key] }}",
"oidcRPMetaDataOptionsIDTokenForceClaims" : 0,
"oidcRPMetaDataOptionsIDTokenSignAlg" : "%%oauth2['oauth2_' + %%key]['token_signature_algo_' + %%key]",
"oidcRPMetaDataOptionsIDTokenSignAlg" : "{{ oauth2['oauth2_' + key]['token_signature_algo_' + key] }}",
"oidcRPMetaDataOptionsLogoutSessionRequired" : 0,
"oidcRPMetaDataOptionsLogoutType" : "front",
§ "oidcRPMetaDataOptionsLogoutUrl" : "https://git.gnunux.com/user/oauth2/NAME/logout",
§FIXME
"oidcRPMetaDataOptionsPostLogoutRedirectUris" : "gnunux-allow",
"oidcRPMetaDataOptionsPublic" : 0,
%if %%oauth2['oauth2_' + %%key]['login_' + %%key]
"oidcRPMetaDataOptionsRedirectUris" : "%%oauth2['oauth2_' + %%key]['login_' + %%key]",
%end if
{% if oauth2['oauth2_' + key]['login_' + key] %}
"oidcRPMetaDataOptionsRedirectUris" : "{{ oauth2['oauth2_' + key]['login_' + key] }}",
{% endif %}
"oidcRPMetaDataOptionsRefreshToken" : 0,
"oidcRPMetaDataOptionsRequirePKCE" : 0
%if %%len_app - 1 == %%idx
{% if len_app == loop.index %}
}
%else
{% else %}
},
%end if
%end for
{% endif %}
{% endfor %}
},
"oidcServiceKeyIdSig" : "2PDCicoyT45rjsARYcxjfg",
"oidcServiceMetaDataAuthnContext" : {
@ -151,62 +144,63 @@ commentStartToken = §
"loa-4" : 4,
"loa-5" : 5
},
%set %%pub = '\\n'.join(%%get_public_key(%%domain_name_eth0, hide=%%hide_secret).split("\n"))
"oidcServicePublicKeySig" : "%%pub",
%set %%priv = '\\n'.join(%%get_private_key(%%domain_name_eth0, hide=%%hide_secret).split("\n"))
"oidcServicePrivateKeySig" : "%%priv",
{% set tpub = domain_name_eth0|get_public_key(hide=hide_secret) %}
{% set pub = tpub.split("\n")|join('\\n') %}
"oidcServicePublicKeySig" : "{{ pub }}",
{% set tpriv = domain_name_eth0|get_private_key(hide=hide_secret) %}
{% set priv = tpriv.split("\n")|join('\\n') %}
"oidcServicePrivateKeySig" : "{{ priv }}",
"passwordDB" : "LDAP",
"persistentStorage" : "Apache::Session::File",
"persistentStorageOptions" : {
"Directory": "/srv/lemonldap-ng/psessions",
"LockDirectory": "/srv/lemonldap-ng/psessions/lock"
},
"portal" : "https://%%revprox_client_external_domainnames[0]/",
"portal" : "https://{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}/",
"portalCheckLogins": 0,
"portalDisplayRegister": 0,
"portalDisplayResetPassword": 0,
"portalMainLogo": "risotto/logo.png",
"showLanguages": 0,
"requireToken": "$env->{REMOTE_ADDR} ne '%%gateway_eth0'",
"requireToken": "$env->{REMOTE_ADDR} ne '{{ gateway_eth0 }}'",
"whatToTrace" : "_whatToTrace",
%set %%remotes = {}
%for %%index, %%app in %%enumerate(%%oauth2.remotes)
%set %%key = %%normalize_family(%%app)
%set %%description = %%oauth2['oauth2_' + %%key]['description_' + %%key]
%if not %%description
%continue
%end if
%set %%dico = {'key': %%key,
'description': %%description,
'logo': "risotto/" + %%oauth2['oauth2_' + %%key]['logo_' + %%key],
'name': %%oauth2['oauth2_' + %%key]['name_' + %%key],
'uri': %%oauth2['oauth2_' + %%key]['external_' + %%key]['hosts_' + %%key]}
%%remotes.setdefault(%%oauth2['oauth2_' + %%key]['category_' + %%key], []).append(%%dico)%slurp
%end for
{% set remotes = {} %}
{% for app in oauth2.remotes %}
{% set key = app|normalize_family %}
{% set description = oauth2['oauth2_' + key]['description_' + key] %}
{% if description %}
{% set dico = {'key': key,
'description': description,
'logo': "risotto/" + oauth2['oauth2_' + key]['logo_' + key],
'name': oauth2['oauth2_' + key]['name_' + key],
'uri': oauth2['oauth2_' + key]['external_' + key]['hosts_' + key]} %}
{{ remotes.setdefault(oauth2['oauth2_' + key]['category_' + key], []).append(dico) }}
{% endif %}
{% endfor %}
"applicationList" : {
%for %%index, %%cat in %%enumerate(%%remotes)
%if %%index != 0
{% for cat in remotes %}
{% if loop.index != 1 %}
,
%end if
"cat_%%index" : {
"catname" : "%%cat",
%for %%dico in %%remotes[%%cat]
%for %%idx, %%uri in %%enumerate(%%dico['uri'])
"%%{dico['key']}_%%idx" : {
{% endif %}
"cat_{{ loop.index - 1 }}" : {
"catname" : "{{ cat }}",
{% for dico in remotes[cat] %}
{% for uri in dico['uri'] %}
"{{ dico['key'] }}_{{ loop.index - 1 }}" : {
"options" : {
"description" : "%%dico['description']",
"description" : "{{ dico['description'] }}",
"display" : "auto",
"logo" : "%%dico['logo']",
"name" : "%%dico['name']",
"uri" : "%%uri"
"logo" : "{{ dico['logo'] }}",
"name" : "{{ dico['name'] }}",
"uri" : "{{ uri }}"
},
"type" : "application"
},
%end for
%end for
{% endfor %}
{% endfor %}
"type" : "category"
}%slurp
%end for
}
{%- endfor -%}
}
}
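Review bot: Every interpolated value in this JSON is dropped between literal quotes without escaping — `managerPassword`, each `oidcRPMetaDataOptionsClientSecret`, `lemon_mail_admin`, the `external['family_' + key]` group names — so a generated password containing `"` or `\` produces a file LemonLDAP cannot parse, and the `$groups eq "..."` rule is a Perl expression inside that string, so the same characters also corrupt the access rule. Jinja2's built-in `tojson` (Ansible also offers `to_json`) emits a correctly quoted literal: write `"managerPassword" : {{ general.ldap.client.ldapclient_user_password|tojson }},` and the same for the other string values; the key lines can then drop the manual `split("\n")|join('\\n')` and use `{{ tpriv|tojson }}` directly. The hard-coded `"oidcRPMetaDataOptionsRequirePKCE" : 0` for every RP is a policy choice that deserves a `§`-style comment, since it disables the protection public clients rely on.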


@ -26,7 +26,7 @@ server {
include /etc/nginx/fastcgi_params;
fastcgi_pass llng_portal_upstream;
fastcgi_param REQUEST_URI /.well-known/openid-configuration;
fastcgi_param HTTP_HOST %%domain_name_eth0;
fastcgi_param HTTP_HOST {{ general.network.interface_0.domain_name_eth0 }};
fastcgi_param LLTYPE psgi;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
@ -37,8 +37,10 @@ server {
#>GNUNUX
geo $zone_name {
default ext;
%%gateway_eth0 ext;
%%network_eth0 int;
{{ general.network.interface_0.gateway_eth0 }} ext;
{% for interface in range(zones_list|length) %}
{{ general.network['interface_' + interface|string]['network_eth' + interface|string] }} int;
{% endfor %}
}
#<GNUNUX
@ -47,11 +49,11 @@ server {
# GNUNUX listen [::]:80;
# GNUNUX server_name auth.example.com;
#>GNUNUX
listen 443 ssl;
server_name %%{revprox_client_external_domainnames[0]};
ssl_certificate %%tls_cert_directory/revprox.crt;
ssl_certificate_key %%tls_key_directory/revprox.key;
ssl_client_certificate %%tls_ca_directory/InternalReverseProxy.crt;
listen {{ general.network.interface_0.domain_name_eth0 }}:443 ssl;
server_name {{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }};
ssl_certificate {{ general.tls_cert_directory }}/revprox.crt;
ssl_certificate_key {{ general.tls_key_directory }}/revprox.key;
ssl_client_certificate {{ general.tls_ca_directory }}/InternalReverseProxy.crt;
ssl_session_cache shared:SSL:10m;
#<GNUNUX
root /usr/share/lemonldap-ng/portal/htdocs/;
@ -67,7 +69,7 @@ server {
#set_real_ip_from 127.0.0.1;
#real_ip_header X-Forwarded-For;
#>GNUNUX
set_real_ip_from %%revprox_client_server_ip;
set_real_ip_from {{ general.revprox.revprox_client_server_ip }};
real_ip_header X-Forwarded-For;
#<GNUNUX
@ -106,35 +108,35 @@ server {
# REST/SOAP functions for sessions management (disabled by default)
location ~ ^/index.psgi/adminSessions {
fastcgi_pass llng_portal_upstream;
allow %%revprox_client_server_ip;
allow {{ general.revprox.revprox_client_server_ip }};
deny all;
}
# REST/SOAP functions for proxy auth and password reset (disabled by default)
location ~ ^/index.psgi/proxy {
fastcgi_pass llng_portal_upstream;
allow %%revprox_client_server_ip;
allow {{ general.revprox.revprox_client_server_ip }};
deny all;
}
# REST/SOAP functions for sessions access (disabled by default)
location ~ ^/index.psgi/sessions {
fastcgi_pass llng_portal_upstream;
allow %%revprox_client_server_ip;
allow {{ general.revprox.revprox_client_server_ip }};
deny all;
}
# REST/SOAP functions for configuration access (disabled by default)
location ~ ^/index.psgi/config {
fastcgi_pass llng_portal_upstream;
allow %%revprox_client_server_ip;
allow {{ general.revprox.revprox_client_server_ip }};
deny all;
}
# REST/SOAP functions for notification insertion (disabled by default)
location ~ ^/index.psgi/notification {
fastcgi_pass llng_portal_upstream;
allow %%revprox_client_server_ip;
allow {{ general.revprox.revprox_client_server_ip }};
deny all;
}
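Review bot: `ssl_client_certificate {{ general.tls_ca_directory }}/InternalReverseProxy.crt` is configured in the `server` block, but no `ssl_verify_client on` appears in these hunks; without it nginx loads the CA and never asks the reverse proxy for a certificate, so nothing ties this listener to the proxy beyond the `allow`/`deny` on the `/index.psgi/*` locations. If the directive is not set in the unchanged part of the file, add `ssl_verify_client on;` right after `ssl_client_certificate` (plus `ssl_verify_depth` if the CA is an intermediate). Also note that with `set_real_ip_from` and `real_ip_header X-Forwarded-For` active, the `allow {{ general.revprox.revprox_client_server_ip }}` checks compare against the address recovered from the proxy's header rather than the TCP peer; that is sound only while the proxy always appends the real client address, which is worth stating in a comment next to the `allow` lines.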


@ -1,8 +1,8 @@
%echo "#!/usr/bin/env perl"
#!/usr/bin/env perl
use HTTP::Tiny;
my $response = HTTP::Tiny->new->get('https://%%domain_name_eth0/.well-known/openid-configuration');
my $response = HTTP::Tiny->new->get('https://{{ general.network.interface_0.domain_name_eth0 }}/.well-known/openid-configuration');
die "Failed!\n" unless $response->{success};
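Review bot: `HTTP::Tiny->new->get('https://…')` does not verify the server certificate on older HTTP::Tiny releases (the `verify_SSL` default only flipped to true in 0.083, which Fedora 38 may not carry), so this probe accepts any certificate presented for `domain_name_eth0`. Construct the client as `HTTP::Tiny->new(verify_SSL => 1, SSL_options => { SSL_ca_file => '<path to the CA that signed revprox.crt>' })` — the right `general.tls_ca_directory` file is not determinable from this hunk — and apply the same to `interne_well_known.pl`, which uses the same bare constructor. If the script is only a readiness check the impact is low, but an explicit `verify_SSL => 1` makes the intent version-independent.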


@ -0,0 +1,5 @@
format: '0.1'
description: Loki, a log aggregation platform
website: https://grafana.com/
depends:
- base-fedora-38


@ -0,0 +1,16 @@
<?xml version='1.0' encoding='UTF-8'?>
<rougail version="0.10">
<services>
<service name="loki" target="multi-user" engine="ansible">
<file engine="ansible" source="loki-local-config.yaml">/etc/loki/loki.yaml</file>
<file engine="none" source="sysuser-loki.conf">/sysusers.d/loki.conf</file>
<file engine="none" source="tmpfile-loki.conf">/tmpfiles.d/0loki.conf</file>
</service>
</services>
<variables>
<family name="loki" description="loki">
<variable name="remotes" description="Remote loki client" type="domainname" provider="Loki" mandatory="True" multi="True"/>
</family>
</variables>
</rougail>


@ -0,0 +1,17 @@
set -ex
#FIXME unsign?
mkdir -p ~/loki/
URL=$(wget https://api.github.com/repos/grafana/loki/releases/latest -q -O - | jq -r '.assets[].browser_download_url'|grep loki-linux-amd64)
VERS=$(echo "$URL" | awk -F'/' '{ print $8 }')
if [ ! -f ~/"loki/loki-$VERS-linux-amd64.zip" ]; then
rm -rf ~/"loki/loki-*-linux-amd64.zip"
wget "$URL" -O ~/"loki/loki-$VERS-linux-amd64.zip"
fi
cp -a ~/"loki/loki-$VERS-linux-amd64.zip" .
unzip "loki-$VERS-linux-amd64.zip"
mv "loki-linux-amd64" "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/bin/loki"
chmod +x "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/bin/loki"
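Review bot: The binary baked into the image is whatever `api.github.com` reports as the latest release, fetched over HTTPS but never checked against a checksum or signature — the `#FIXME unsign?` names the gap — so a tampered release asset becomes `/usr/bin/loki` running as a service on every host built from this image. Two shell slips compound it: `rm -rf ~/"loki/loki-*-linux-amd64.zip"` quotes the glob, so `*` is literal and stale archives are never removed, and `awk -F'/' '{ print $8 }'` silently breaks if the URL depth changes. Pin the release explicitly and verify the archive against the `SHA256SUMS` asset grafana/loki attaches to its releases (confirm the asset name for the version you pin), along the lines below.
```shell
# … unchanged: set -ex, mkdir -p ~/loki/ …
VERS="${LOKI_VERSION:?set the pinned Loki release tag}"   # deliberate bumps, not "latest"
BASE="https://github.com/grafana/loki/releases/download/$VERS"
if [ ! -f ~/"loki/loki-$VERS-linux-amd64.zip" ]; then
    rm -f ~/loki/loki-*-linux-amd64.zip ~/loki/SHA256SUMS-*   # unquoted glob so it expands
    wget "$BASE/loki-linux-amd64.zip" -O ~/"loki/loki-$VERS-linux-amd64.zip"
    wget "$BASE/SHA256SUMS" -O ~/"loki/SHA256SUMS-$VERS"
fi
# abort the build unless the archive matches the published digest
grep ' loki-linux-amd64.zip$' ~/"loki/SHA256SUMS-$VERS" \
    | sed "s| loki-linux-amd64.zip| $HOME/loki/loki-$VERS-linux-amd64.zip|" \
    | sha256sum -c -
# … unchanged: cp, unzip, mv, chmod …
```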


@ -0,0 +1,55 @@
#RISOTTO: https://raw.githubusercontent.com/grafana/loki/main/cmd/loki/loki-local-config.yaml
auth_enabled: false
server:
http_listen_port: 3100
grpc_listen_port: 9096
common:
instance_addr: 127.0.0.1
path_prefix: /srv/loki
storage:
filesystem:
chunks_directory: /srv/loki/chunks
rules_directory: /srv/loki/rules
replication_factor: 1
ring:
kvstore:
store: inmemory
query_range:
results_cache:
cache:
embedded_cache:
enabled: true
max_size_mb: 100
schema_config:
configs:
- from: 2020-10-24
store: boltdb-shipper
object_store: filesystem
schema: v11
index:
prefix: index_
period: 24h
ruler:
alertmanager_url: http://localhost:9093
# By default, Loki will send anonymous, but uniquely-identifiable usage and configuration
# analytics to Grafana Labs. These statistics are sent to https://stats.grafana.org/
#
# Statistics help us better understand how Loki is used, and they show us performance
# levels for most users. This helps us prioritize features and documentation.
# For more information on what's sent, look at
# https://github.com/grafana/loki/blob/main/pkg/usagestats/stats.go
# Refer to the buildReport method to see what goes into a report.
#
# If you would like to disable reporting, uncomment the following lines:
#analytics:
# reporting_enabled: false
#>GNUNUX
analytics:
reporting_enabled: false
#<GNUNUX
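Review bot: `auth_enabled: false` together with no `server.http_listen_address` means Loki answers unauthenticated on 3100 (and gRPC on 9096) on every interface — `common.instance_addr: 127.0.0.1` is the ring advertisement address, not the listener bind, as far as the config reference goes — and the accompanying rougail file declares remote clients, so the port must be reachable from other hosts. Anyone on those networks can then push arbitrary log lines or query the whole store. Either front it with the reverse-proxy/mTLS pattern used elsewhere in this commit, or at minimum set `server.http_listen_address` to the client-facing interface, add `server.http_tls_config`, and keep `grpc_listen_address: 127.0.0.1`; record the decision in a `#>GNUNUX` comment like the analytics one.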


@ -0,0 +1,14 @@
[Unit]
Description=Loki Grafana
Wants=risotto.target
After=risotto.target
[Service]
Type=simple
User=loki
Group=loki
ExecStart=/usr/bin/loki -config.file=/etc/loki/loki.yaml
Restart=always
[Install]
WantedBy=multi-user.target
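Review bot: Running Loki as its own user is good, but a service that parses network input from arbitrary remotes deserves the standard systemd sandbox so a parser bug stays confined to `/srv/loki`: add `NoNewPrivileges=yes`, `ProtectSystem=strict` with `ReadWritePaths=/srv/loki`, and `ProtectHome=yes` under `[Service]` — the visible config only references `/etc/loki/loki.yaml` and paths under `/srv/loki`. `ProtectSystem=strict` will expose any other write path Loki needs at first start, so exercise the unit before shipping the image.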


@ -0,0 +1,2 @@
g loki 997 -
u loki 997:997 "Loki Grafana" /tmp /sbin/nologin
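Review bot: The `loki` account is created with `/tmp` as its home and a fixed UID/GID of 997; `/tmp` is world-writable, so anything the process writes relative to `$HOME` lands in a shared directory, and a hard-coded 997 collides if another sysusers fragment in the image already claimed that ID. Prefer `u loki - "Loki Grafana" /srv/loki /sbin/nologin` (dynamic ID) and `g loki - -`, or, if the ID must stay stable for volume ownership, reserve it in one documented place and still point the home at `/srv/loki` or `-`.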
