reorganize

Emmanuel Garette 2022-08-18 10:19:43 +02:00
parent 97e5b8e02e
commit 543ba30f8c
98 changed files with 537 additions and 756 deletions


@ -10,39 +10,25 @@
<value>False</value> <value>False</value>
</variable> </variable>
<family name="network" description="Réseau"> <family name="network" description="Réseau">
<variable name="zones_list" type="string" multi="True" description="Liste de toutes les zones" hidden="True"/> <variable name="server_name" type="domainname" hidden="True" provider="global:server_name" mandatory="True"/>
<variable name="interfaces_list" type="number" multi="True" description="Liste de tous les numéros d'interfaces" hidden="True"/> <variable name="zones_list" type="string" multi="True" description="Liste de toutes les zones" mandatory="True" hidden="True" provider="global:zones_name"/>
<variable name="interfaces_list" type="number" multi="True" description="Liste de tous les numéros d'interfaces" hidden="True" provider="global:zones_list"/>
<family name="interface_" description="Interface " dynamic="interfaces_list"> <family name="interface_" description="Interface " dynamic="interfaces_list">
<variable name="zone_name_eth" type="string" description="Nom de la zone de l'interface " hidden="True"/> <variable name="zone_name_eth" type="string" description="Nom de la zone de l'interface " hidden="True" mandatory="True"/>
<variable name="ip_eth" type="ip" description="Adresse IP pour l'interface " hidden="True" provider="ip"/> <variable name="ip_eth" type="ip" description="Adresse IP pour l'interface " hidden="True" mandatory="True"/>
<variable name="network_eth" type="network_cidr" description="Réseau de l'interface " hidden="True"/> <variable name="network_eth" type="network_cidr" description="Réseau de l'interface " hidden="True"/>
<variable name="gateway_eth" type="ip" description="La route de l'interface "/> <variable name="gateway_eth" type="ip" description="La route de l'interface "/>
<variable name="domain_name_eth" type="domainname" description="Nom de domaine pour l'interface " mandatory="True" hidden="True"/> <variable name="domain_name_eth" type="domainname" description="Nom de domaine pour l'interface " mandatory="True" hidden="True" provider="global:server_names"/>
</family> </family>
</family> </family>
</variables> </variables>
<constraints> <constraints>
<fill name="calc_value">
<param type="information">zones_name</param>
<target>zones_list</target>
</fill>
<fill name="get_range">
<param type="information">zones_name</param>
<target>interfaces_list</target>
</fill>
<fill name="get_ip"> <fill name="get_ip">
<param name="server_name" type="information">server_name</param> <param name="server_name" type="variable">domain_name_eth</param>
<target>ip_eth</target> <target>ip_eth</target>
</fill> </fill>
<!-- Return "server_name" only for domain_name_eth0 -->
<fill name="get_domain_name">
<param type="information">server_name</param>
<param type="information">extra_domainnames</param>
<param type="suffix"/>
<target>domain_name_eth</target>
</fill>
<fill name="get_zone_name"> <fill name="get_zone_name">
<param type="information">zones_name</param> <param type="variable">zones_list</param>
<param name="index" type="suffix"/> <param name="index" type="suffix"/>
<target>zone_name_eth</target> <target>zone_name_eth</target>
</fill> </fill>
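Review bot: `interfaces_list` keeps `type="number"` but now takes its value from `provider="global:zones_list"`, whereas the removed `get_range` fill produced `list(range(max(1, len(zones))))` — integer interface indices, not zone names; if that global hands back the zone-name list (which the name, and `zones_list` itself being fed by `global:zones_name`, suggests), the type check will reject it or the dynamic `interface_` family will be keyed by names instead of numbers. Worth confirming what `global:zones_list` supplies and, if it really is the index range, naming it so (e.g. `global:interfaces_list`) to avoid the confusion with the variable just above it. The `get_ip` fill now resolves `domain_name_eth` through the reworked `get_ip`, which raises `ValueError` on an unknown domain instead of leaving the value empty, so a missing DNS record now surfaces as a configuration failure — a comment such as `<!-- get_ip raises ValueError when domain_name_eth is not a known domain -->` above the fill makes that expected.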


@ -6,7 +6,7 @@ from os.path import dirname as _dirname, abspath as _abspath, join as _join, isf
from os import makedirs as _makedirs from os import makedirs as _makedirs
from risotto.utils import ZONES_SERVER #from risotto.utils import ZONES_SERVER
_HERE = _dirname(_abspath(__main__.__file__)) _HERE = _dirname(_abspath(__main__.__file__))
@ -81,30 +81,8 @@ def _set_password(server_name: str,
return file_content return file_content
def get_range(lst):
return list(range(max(1, len(lst))))
def get_zone_name(zones: list, def get_zone_name(zones: list,
index: str, index: str,
): ):
if zones is not None: if zones is not None:
return zones[int(index)] return zones[int(index)]
def get_domain_name(server_name: str,
extra_domainnames: list,
suffix: str,
) -> str:
index = int(suffix)
if index == 0:
return server_name
return extra_domainnames[index - 1]
def get_provider_name(network_name: str,
provider: str,
) -> str:
if network_name not in ZONES_SERVER['providers'] or provider not in ZONES_SERVER['providers'][network_name]:
return
return ZONES_SERVER['providers'][network_name][provider][0]
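Review bot: The `ZONES_SERVER` import at the top of the file is commented out (`#from risotto.utils import ZONES_SERVER`) rather than deleted, even though `get_provider_name`, its only visible user, is removed in this same hunk; commented-out code should go, so drop the line entirely, or uncomment it if a function further down the file still needs it. `get_zone_name`, the function left standing here, still raises a bare `IndexError`/`ValueError` on an out-of-range or non-numeric `index` while returning `None` for a missing zone list — pre-existing, not introduced by this change, but a one-line docstring stating "returns None when no zones are known; raises on a bad index" would document the asymmetry.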


@ -1,9 +1,26 @@
from typing import List from typing import List
from risotto.utils import load_domains, DOMAINS from risotto.utils import load_domains, DOMAINS
from risotto.utils import multi_function as _multi_function
@_multi_function
def get_ip(server_name: str) -> str: def get_ip(server_name: str) -> str:
load_domains() if server_name is None:
host_name, domain_name = server_name.split('.', 1) return
domain = DOMAINS[domain_name] if isinstance(server_name, list):
return domain[1][domain[0].index(host_name)] return_list = True
else:
return_list = False
server_name = [server_name]
lst = []
for s_name in server_name:
host_name, domain_name = s_name.split('.', 1)
if not domain_name in DOMAINS:
raise ValueError(f'cannot find IP in domain name "{domain_name}" (for "{s_name}")')
domain = DOMAINS[domain_name]
ret = domain[1][domain[0].index(host_name)]
if not return_list:
return ret
if ret not in lst:
lst.append(ret)
return lst
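Review bot: The new domain check only covers half of the lookup: `domain[1][domain[0].index(host_name)]` still raises a bare `ValueError` ("'x' is not in list") when the host is unknown inside a known domain, and `s_name.split('.', 1)` raises an unpacking `ValueError` for a bare hostname without a dot, so two of the three failure modes keep the unhelpful message the commit set out to fix. The old body also called `load_domains()` before reading `DOMAINS`; the new one drops that call while still importing the name — if nothing else populates `DOMAINS` first, every call now hits the new exception, so confirm the load happens elsewhere or restore the call. Minor style: `not domain_name in DOMAINS` reads better as `domain_name not in DOMAINS`.
```python
    for s_name in server_name:
        host_name, _, domain_name = s_name.partition('.')
        if not domain_name or domain_name not in DOMAINS:
            raise ValueError(f'cannot find IP in domain name "{domain_name}" (for "{s_name}")')
        domain = DOMAINS[domain_name]
        if host_name not in domain[0]:
            raise ValueError(f'cannot find host "{host_name}" in domain "{domain_name}" (for "{s_name}")')
        ret = domain[1][domain[0].index(host_name)]
        # … unchanged: single-value return and de-duplicated list accumulation …
```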


@ -5,14 +5,7 @@
<variable name="dns_is_only_local" redefine="True"> <variable name="dns_is_only_local" redefine="True">
<value>False</value> <value>False</value>
</variable> </variable>
<variable name="dns_client_address" redefine="True"/> <variable name="dns_client_address" redefine="True" supplier="ExternalDNS"/>
</family> </family>
</variables> </variables>
<constraints>
<fill name="get_provider_name">
<param type="variable">zone_name_eth0</param>
<param>ExternalDNS</param>
<target>dns_client_address</target>
</fill>
</constraints>
</rougail> </rougail>


@ -10,21 +10,13 @@
<variable name="dns_is_only_local" type="boolean" description="DNS resolve only local address" hidden="True"> <variable name="dns_is_only_local" type="boolean" description="DNS resolve only local address" hidden="True">
<value>True</value> <value>True</value>
</variable> </variable>
<variable name="dns_client_address" type="domainname" description="Nom de domaine du serveur DNS"/> <variable name="dns_client_address" type="domainname" description="Nom de domaine du serveur DNS" supplier="LocalDNS"/>
<variable name="ip_dns" type="ip" description="Adresse IP du serveur DNS" hidden="True"/> <variable name="ip_dns" type="ip" description="Adresse IP du serveur DNS" hidden="True"/>
</family> </family>
</variables> </variables>
<constraints> <constraints>
<fill name="get_provider_name"> <fill name="get_ip">
<param type="variable">zone_name_eth0</param> <param name="server_name" type="variable">dns_client_address</param>
<param>LocalDNS</param>
<target>dns_client_address</target>
</fill>
<fill name="set_linked">
<param name="linked_server" type="variable">dns_client_address</param>
<param name="linked_provider">dns</param>
<param name="linked_value" type="variable">ip_eth0</param>
<param name="linked_returns">ip</param>
<target>ip_dns</target> <target>ip_dns</target>
</fill> </fill>
</constraints> </constraints>


@ -3,13 +3,13 @@ addresses:
%if %%getVar('dns_client_address', None) %if %%getVar('dns_client_address', None)
- dns_address: '%%dns_client_address' - dns_address: '%%dns_client_address'
dns_ip: '%%ip_dns' dns_ip: '%%ip_dns'
%elif %%getVar('unbound_forward_address', None) %elif %%getVar('unbound_forward_address', None) is not None
%for %%authority in %%unbound_forward_address %for %%authority in %%unbound_forward_address
- dns_address: %%authority - dns_address: %%authority
dns_ip: %%get_ip(%%str(%%authority)) dns_ip: %%get_ip(%%str(%%authority))
%end for %end for
%else %else
%for %%zone in %%nsd_zones_auto %for %%zone in %%nsd_zones
%set %%suffix = %%normalize_family(%%zone) %set %%suffix = %%normalize_family(%%zone)
%set %%hostnames = %%nsd["nsd_zone_" + %%suffix]["hostname_" + %%suffix]["hostname_" + %%suffix] %set %%hostnames = %%nsd["nsd_zone_" + %%suffix]["hostname_" + %%suffix]["hostname_" + %%suffix]
%for %%nsd in %%hostnames %for %%nsd in %%hostnames
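Review bot: The `%elif` now tests `is not None` instead of truthiness, so an empty `unbound_forward_address` multi enters the `%for` branch and emits no `dns_address` entries at all, whereas before it fell through to the `%else` branch that iterates the nsd zones; if an empty list is a reachable value, `addresses:` is left empty. If the intent is "branch only when at least one forwarder is configured", keep the old truthiness test; if an explicitly empty list is meant to mean "no resolvers", state that in a template comment right above the `%elif`. Note also that `%%get_ip` inside the loop now raises `ValueError` for a forwarder whose domain is unknown (per the reworked `get_ip`), which aborts the render instead of emitting an empty IP — probably desirable, but worth a one-line comment on that line.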


@ -2,8 +2,7 @@ format: '0.1'
description: Postfix et Dovecot description: Postfix et Dovecot
depends: depends:
- base-fedora-36 - base-fedora-36
- relay-mail-client - relay-lmtp-client
- ldap-client-fedora - ldap-client-fedora
- oauth2-client - oauth2-client
- nginx-https - nginx-https
provider: IMAP


@ -47,7 +47,7 @@
<file owner="root" group="dovecot" mode="440">/etc/pki/tls/private/dovecot.key</file> <file owner="root" group="dovecot" mode="440">/etc/pki/tls/private/dovecot.key</file>
<file source="external_imap.crt" file_type="variable" variable="imap_domainname">external_imap_crt</file> <file source="external_imap.crt" file_type="variable" variable="imap_domainname">external_imap_crt</file>
<file owner="root" group="dovecot" mode="440" source="external_imap.key" file_type="variable" variable="imap_domainname">external_imap_key</file> <file owner="root" group="dovecot" mode="440" source="external_imap.key" file_type="variable" variable="imap_domainname">external_imap_key</file>
<file>/tests/imap.yml</file> <file>/tests/imap.yml</file>
</service> </service>
</services> </services>
<variables> <variables>
@ -71,9 +71,8 @@
</family> </family>
</family> </family>
<family name="mail" description="Mail domain" leadership="True"> <family name="mail" description="Mail domain" leadership="True">
<variable name="mail_domains" type="domainname" description="Domaine de courriel géré localement" mandatory="True" multi="True"/> <variable name="mail_domains" type="domainname" description="Domaine de courriel géré localement" mandatory="True" multi="True" supplier="LMTP:criteria"/>
<variable name="mail_domains_calc" type="domainname" hidden="True"/> <variable name="mail_domains_calc" type="domainname" hidden="True"/>
<variable name="mail_domains_calc_autoconfig" type="domainname" hidden="True"/>
<variable name="imap_domainname" type="domainname" mandatory="True"/> <variable name="imap_domainname" type="domainname" mandatory="True"/>
<variable name="submission_domainname" type="domainname" mandatory="True"/> <variable name="submission_domainname" type="domainname" mandatory="True"/>
</family> </family>
@ -81,36 +80,22 @@
<variable name='postfix_pem_files' type="filename" hidden='True' multi='True'/> <variable name='postfix_pem_files' type="filename" hidden='True' multi='True'/>
</family> </family>
<family name="dovecot" description="IMAP mail server"> <family name="dovecot" description="IMAP mail server">
<variable name="well_knowns" type="web_address" hidden='True' multi="True"/> <variable name="imap_internal_address" type="domainname" description="Adresse interne du serveur IMAP" mandatory="True" provider="IMAP"/>
<variable name="well_known_filenames" type="filename" hidden='True' multi="True"/> <variable name="well_known_filenames" type="filename" hidden='True' multi="True"/>
<variable name='external_imap_crt' type="filename" hidden='True' multi='True'/> <variable name='external_imap_crt' type="filename" hidden='True' multi='True'/>
<variable name='external_imap_key' type="filename" hidden='True' multi='True'/> <variable name='external_imap_key' type="filename" hidden='True' multi='True'/>
</family> </family>
<family name="nginx"> <family name="nginx">
<family name="revprox_client">
<variable name="revprox_client_external_domainnames" redefine="True"/>
<variable name="revprox_client_web_address" redefine="True"/>
</family>
<variable name="nginx_default_https" redefine="True"> <variable name="nginx_default_https" redefine="True">
<value>False</value> <value>False</value>
</variable> </variable>
<variable name="revprox_client_external_domainnames" redefine="True" mandatory="False"/>
<family name="revprox_client">
<variable name="revprox_client_location" redefine="True" mandatory="False">
<value/>
</variable>
</family>
</family> </family>
</variables> </variables>
<constraints> <constraints>
<check name="set_linked_configuration">
<param name="linked_server" type="variable">smtp_relay_address</param>
<param name="linked_provider">lmtp_server</param>
<param name="linked_value" type="variable">domain_name_eth0</param>
<target>mail_domains</target>
</check>
<check name="set_linked_configuration">
<param name="linked_server" type="variable">smtp_relay_address</param>
<param name="linked_provider">lmtp_criteria</param>
<param name="dynamic" type="variable">domain_name_eth0</param>
<target>mail_domains</target>
</check>
<fill name="calc_value"> <fill name="calc_value">
<param>/etc/pki/tls/certs/imap_</param> <param>/etc/pki/tls/certs/imap_</param>
<param type="variable">imap_domainname</param> <param type="variable">imap_domainname</param>
@ -136,14 +121,12 @@
<target>postfix_pem_files</target> <target>postfix_pem_files</target>
</fill> </fill>
<fill name="calc_value"> <fill name="calc_value">
<param type="variable">mail_domains</param> <param type="variable">domain_name_eth0</param>
<target>mail_domains_calc</target> <target>imap_internal_address</target>
</fill> </fill>
<fill name="calc_value"> <fill name="calc_value">
<param>autoconfig</param>
<param type="variable">mail_domains</param> <param type="variable">mail_domains</param>
<param name="join">.</param> <target>mail_domains_calc</target>
<target>mail_domains_calc_autoconfig</target>
</fill> </fill>
<fill name="calc_value"> <fill name="calc_value">
<param>/var/www/html/mail/</param> <param>/var/www/html/mail/</param>
@ -154,49 +137,20 @@
<param name="multi" type="boolean">True</param> <param name="multi" type="boolean">True</param>
<target>well_known_filenames</target> <target>well_known_filenames</target>
</fill> </fill>
<check name="set_linked_multi_variables">
<param type="variable">revprox_client_server_domainname</param>
<param name="linked_provider_0">revprox_clients</param>
<param name="linked_provider_1">revprox_location</param>
<param name="linked_value_1">/mail/config-v1.1.xml</param>
<param name="linked_provider_2">revprox_is_websocket</param>
<param name="linked_value_2" type="boolean">False</param>
<param name="linked_provider_3">revprox_url</param>
<param name="linked_value_3" type="variable">well_knowns</param>
<param name="variable_index_3" type="boolean">True</param>
<param name="variable_index" type="index"/>
<target>mail_domains_calc_autoconfig</target>
</check>
<check name="set_linked_multi_variables">
<param type="variable">revprox_client_server_domainname</param>
<param name="linked_provider_0">revprox_clients</param>
<param name="linked_provider_1">revprox_location</param>
<param name="linked_value_1">/.well-known/autoconfig/mail/config-v1.1.xml</param>
<param name="linked_provider_2">revprox_is_websocket</param>
<param name="linked_value_2" type="boolean">False</param>
<param name="linked_provider_3">revprox_url</param>
<param name="linked_value_3" type="variable">well_knowns</param>
<param name="variable_index_3" type="boolean">True</param>
<param name="variable_index" type="index"/>
<target>mail_domains_calc</target>
</check>
<check name="set_linked_multi_variables">
<param type="variable">revprox_client_server_domainname</param>
<param name="linked_provider_0">revprox_clients</param>
<param name="linked_provider_1">revprox_location</param>
<param name="linked_value_1">/autodiscover/autodiscover.xml</param>
<param name="linked_provider_2">revprox_is_websocket</param>
<param name="linked_value_2" type="boolean">False</param>
<param name="linked_provider_3">revprox_url</param>
<param name="linked_value_3" type="variable">well_knowns</param>
<param name="variable_index_3" type="boolean">True</param>
<param name="variable_index" type="index"/>
<target>mail_domains_calc</target>
</check>
<fill name="calc_well_known"> <fill name="calc_well_known">
<param type="index"/>
<param type="variable">domain_name_eth0</param> <param type="variable">domain_name_eth0</param>
<param type="variable">mail_domains</param> <param type="variable">mail_domains</param>
<target>well_knowns</target> <target>revprox_client_web_address</target>
</fill>
<fill name="calc_domains">
<param type="variable">mail_domains</param>
<target>revprox_client_external_domainnames</target>
</fill>
<fill name="calc_locations">
<param type="variable">revprox_client_external_domainnames</param>
<param type="index"/>
<target>revprox_client_location</target>
</fill> </fill>
</constraints> </constraints>
</rougail> </rougail>
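Review bot: The three new fills — `calc_domains` into `revprox_client_external_domainnames`, `calc_locations` into `revprox_client_location`, `calc_well_known` into `revprox_client_web_address` — only work because `calc_domains` emits exactly three entries per mail domain in a fixed order and the other two recover the position with `index // 3` and `index % 3`; nothing in the XML says so, and someone adding a fourth well-known path will silently misalign all three multis. Add a comment above the first of them: `<!-- calc_domains yields 3 entries per mail domain (domain, domain, autoconfig.domain); calc_locations and calc_well_known map index//3 and index%3 onto that triple, so the three multis must stay index-aligned -->`. Since `imap_internal_address` is now filled from `domain_name_eth0` and advertised as the `IMAP` provider, a short comment stating that it is the in-network name (not `imap_domainname`, the public one) would avoid the two being confused.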


@ -11,10 +11,29 @@ def sha512_crypt(password):
@_multi_function @_multi_function
def calc_well_known(*args): def calc_domains(domains):
if None in args:
return
ret = [] ret = []
for dom in args[1]: for domain in domains:
ret.append(f'https://{args[0]}/mail/{dom}/autodiscover/autodiscover.xml') ret.append(domain)
ret.append(domain)
ret.append(f'autoconfig.{domain}')
return ret return ret
@_multi_function
def calc_locations(domain, index):
i = index//3
if 3 * i == index:
# divisible by three
return '/autodiscover/autodiscover.xml'
elif 3 * i + 1 == index:
return '/.well-known/autoconfig/mail/config-v1.1.xml'
return '/mail/config-v1.1.xml'
@_multi_function
def calc_well_known(index, dns, doms):
if None in (dns, doms):
return None
i = index//3
return f'https://{dns}/mail/{doms[i]}/autodiscover/autodiscover.xml'
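Review bot: `calc_domains` iterates `domains` without a `None` guard, while `calc_well_known` right below it (and the old `calc_well_known` it replaces) returns early when an input is `None`; if rougail can invoke the fill before `mail_domains` is set, this raises `TypeError` instead of yielding nothing. `calc_locations` re-derives `index % 3` by hand (`i = index//3; 3 * i == index; 3 * i + 1 == index`), which hides the actual rule — that the position within the triple emitted by `calc_domains` selects the path — and the `domain` parameter is unused; a tuple indexed by `index % 3` says the same thing in one expression. Neither function has a docstring, and the coupling between them (three entries per domain, fixed order) is exactly the kind of invariant that needs one.
```python
@_multi_function
def calc_domains(domains):
    """Three reverse-proxy entries per mail domain: domain, domain, autoconfig.domain."""
    if domains is None:
        return
    # … unchanged: build the list …


@_multi_function
def calc_locations(domain, index):
    """Path served for entry ``index`` of calc_domains' output; order must match calc_domains."""
    return ('/autodiscover/autodiscover.xml',
            '/.well-known/autoconfig/mail/config-v1.1.xml',
            '/mail/config-v1.1.xml')[index % 3]
```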


@ -107,7 +107,7 @@ auth_bind = yes
# LDAP base. %variables can be used here. # LDAP base. %variables can be used here.
# For example: dc=mail, dc=example, dc=org # For example: dc=mail, dc=example, dc=org
# GNUNUX base = # GNUNUX base =
base = %%ldapclient_base_dn base = %%ldapclient_search_dn
# Dereference: never, searching, finding, always # Dereference: never, searching, finding, always
#deref = never #deref = never


@ -8,6 +8,6 @@ version = 3
bind = yes bind = yes
bind_dn = %%ldapclient_user bind_dn = %%ldapclient_user
bind_pw = %%ldapclient_user_password bind_pw = %%ldapclient_user_password
search_base = %%ldapclient_base_dn search_base = %%ldapclient_search_dn
query_filter = (mailLocalAddress=%s) query_filter = (mailLocalAddress=%s)
result_attribute = cn result_attribute = cn


@ -25,9 +25,11 @@
<variable name="gitea_lfs_jwt_secret" type="password" hidden="True"/> <variable name="gitea_lfs_jwt_secret" type="password" hidden="True"/>
</family> </family>
<family name="nginx"> <family name="nginx">
<variable name="revprox_client_local_location" redefine="True"> <family name="revprox_client">
<value>/</value> <variable name="revprox_client_local_location" redefine="True">
</variable> <value>/</value>
</variable>
</family>
<variable name="revprox_client_port" redefine="True"> <variable name="revprox_client_port" redefine="True">
<value>3000</value> <value>3000</value>
</variable> </variable>


@ -19,10 +19,10 @@ ROOT = /srv/gitea/lib/data/gitea-repositories
DEFAULT_BRANCH = main DEFAULT_BRANCH = main
[server] [server]
SSH_DOMAIN = %%revprox_client_external_domainname SSH_DOMAIN = %%revprox_client_external_domainnames[0]
DOMAIN = %%revprox_client_external_domainname DOMAIN = %%revprox_client_external_domainnames[0]
HTTP_PORT = 3000 HTTP_PORT = 3000
ROOT_URL = https://%%revprox_client_external_domainname/gitea/ ROOT_URL = https://%%revprox_client_external_domainnames[0]/gitea/
LOCAL_ROOT_URL = https://%%domain_name_eth0:3000/ LOCAL_ROOT_URL = https://%%domain_name_eth0:3000/
DISABLE_SSH = false DISABLE_SSH = false
START_SSH_SERVER = true START_SSH_SERVER = true
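Review bot: `%%revprox_client_external_domainnames[0]` is indexed three times in the `[server]` section and raises on an empty multi; the gitea test template in this same commit binds it once with `%set %%domain = %%revprox_client_external_domainnames[0]`, and the oauth2 rougail file derives a single value through a `get_first_value` fill, so one of those two patterns should be used here too — a `%set` at the top of the section, or a hidden single-valued variable filled by `get_first_value`, then `DOMAIN = %%domain` / `ROOT_URL = https://%%domain/gitea/`. Whether an empty list is actually reachable depends on the variable's redefinition (mandatory or not), which is outside this file, so I am not asserting a crash, only that the repetition makes the assumption hard to see.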


@ -1,7 +1,8 @@
%set %%username="rougail_test@silique.fr" %set %%username="rougail_test@silique.fr"
ip: %%ip_eth0 ip: %%ip_eth0
revprox_ip: %%revprox_client_server_ip revprox_ip: %%revprox_client_server_ip
base_url: https://%%revprox_client_external_domainname%%revprox_client_location[0] %set %%domain = %%revprox_client_external_domainnames[0]
base_url: https://%%domain%%domain.revprox_client_location
auth_url: %%oauth2_client_external[0] auth_url: %%oauth2_client_external[0]
auth_server: %%oauth2_server_domainname auth_server: %%oauth2_server_domainname
username: %%username username: %%username


@ -24,7 +24,7 @@
<variables> <variables>
<variable name="host_install_dir" type="filename" description="Nom du répertoire comprenant les descriptions d'installation" mandatory="True"/> <variable name="host_install_dir" type="filename" description="Nom du répertoire comprenant les descriptions d'installation" mandatory="True"/>
<variable name="host_dhcp_filename" type="filename" hidden="True" multi="True"/> <variable name="host_dhcp_filename" type="filename" hidden="True" multi="True"/>
<variable name="host_name" type="domainname" hidden="True"/> <variable name="host_name" type="domainname" hidden="True" provider="global:server_name" mandatory="True"/>
<variable name="systemd_zone_filename" type="filename" hidden="True" multi="True"/> <variable name="systemd_zone_filename" type="filename" hidden="True" multi="True"/>
<variable name="systemd_netzone_filename" type="filename" hidden="True" multi="True"/> <variable name="systemd_netzone_filename" type="filename" hidden="True" multi="True"/>
<family name="network"> <family name="network">
@ -64,10 +64,6 @@
<param name="multi" type="boolean">True</param> <param name="multi" type="boolean">True</param>
<target>systemd_netzone_filename</target> <target>systemd_netzone_filename</target>
</fill> </fill>
<fill name="calc_value">
<param type="information">server_name</param>
<target>host_name</target>
</fill>
<fill name="get_internal_zone_information"> <fill name="get_internal_zone_information">
<param type="variable">zone_name</param> <param type="variable">zone_name</param>
<param>cidr</param> <param>cidr</param>


@ -7,14 +7,14 @@
</service> </service>
</services> </services>
<variables> <variables>
<variable name="machines" description="Machines started in this host" type="domainname" multi="True" provider="machines"/> <variable name="machines" description="Machines started in this host" type="domainname" multi="True" provider="Host"/>
<family name="machine_" description="Machine " dynamic="machined.machines"> <family name="machine_" description="Machine " dynamic="machined.machines">
<variable name="incoming_ports_" description="Incomming external ports for " hidden="True" type="port" multi="True" provider="incoming_ports"/> <variable name="incoming_ports_" description="Incomming external ports for " hidden="True" type="port" multi="True" provider="Host:incoming_ports"/>
<variable name="outgoing_ports_" description="Outcoming external ports for " hidden="True" type="port" multi="True" provider="outgoing_ports"/> <variable name="outgoing_ports_" description="Outcoming external ports for " hidden="True" type="port" multi="True" provider="Host:outgoing_ports"/>
<variable name="srv_dir_" description="Directory with srv volume for " hidden="True" type="filename" provider="machine_srv"/> <variable name="srv_dir_" description="Directory with srv volume for " hidden="True" type="filename" provider="Host:machine_srv"/>
<variable name="journal_dir_" description="Directory with journal volume for " hidden="True" type="filename" provider="machine_journal"/> <variable name="journal_dir_" description="Directory with journal volume for " hidden="True" type="filename" provider="Host:machine_journal"/>
<variable name="config_dir_" description="Directory with configuration volume for " hidden="True" type="filename" provider="machine_config" mandatory="True"/> <variable name="config_dir_" description="Directory with configuration volume for " hidden="True" type="filename" provider="Host:config_dir" mandatory="True"/>
<variable name="zones_" description="Zones for " hidden="True" provider="machine_zones" mandatory="True" multi="True"/> <variable name="zones_" description="Zones for " hidden="True" provider="Host:machine_zones" mandatory="True" multi="True"/>
</family> </family>
<variable name="nspawn_zone_filename" type="filename" hidden="True" multi="True"/> <variable name="nspawn_zone_filename" type="filename" hidden="True" multi="True"/>
<variable name="nspawn_script_filename" type="filename" hidden="True" multi="True"/> <variable name="nspawn_script_filename" type="filename" hidden="True" multi="True"/>
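Review bot: `config_dir_` is renamed to `provider="Host:config_dir"` while its siblings keep the `machine_*` pattern (`Host:machine_srv`, `Host:machine_journal`, `Host:machine_zones`) and it was `machine_config` before the change; if provider names are matched by string on the supplying side, the supplier must be renamed to match, and the inconsistency will make that easy to miss. Either use `Host:machine_config` for uniformity or add `<!-- provider name deliberately differs from the machine_* siblings -->` next to it so the exception reads as intended rather than a typo.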


@ -7,14 +7,7 @@
</services> </services>
<variables> <variables>
<family name="imap" description="Client SMTP"> <family name="imap" description="Client SMTP">
<variable name="imap_address" type="domainname" description="Nom de domaine du serveur IMAP" mandatory="True"/> <variable name="imap_address" type="domainname" description="Nom de domaine du serveur IMAP" mandatory="True" supplier="IMAP"/>
</family> </family>
</variables> </variables>
<constraints>
<fill name="get_provider_name">
<param type="variable">zone_name_eth0</param>
<param>IMAP</param>
<target>imap_address</target>
</fill>
</constraints>
</rougail> </rougail>


@ -12,16 +12,19 @@
<variables> <variables>
<family name="annuaire" description="Annuaire OpenLDAP"> <family name="annuaire" description="Annuaire OpenLDAP">
<family name="server" description="Serveur"> <family name="server" description="Serveur">
<variable name='ldap_server_address' type='domainname' description="Nom DNS du serveur LDAP" mandatory='True'/> <variable name='ldap_server_address' type='domainname' description="Nom DNS du serveur LDAP" mandatory='True' supplier="LDAP"/>
<variable name='ldap_port' type='port' description='Port du serveur LDAP' hidden="True"> <variable name='ldap_port' type='port' description='Port du serveur LDAP' hidden="True">
<value>636</value> <value>636</value>
</variable> </variable>
</family> </family>
<family name="client" description="Client"> <family name="client" description="Client">
<variable name='ldapclient_family' type='unix_user' description="Nom de la famille LDAP"/> <variable name='ldapclient_family' type='unix_user' description="Nom de la famille LDAP" supplier="LDAP:family"/>
<variable name='ldapclient_user' type='string' description="DN de l'utilisateur LDAP" mandatory='False' hidden="True"/> <variable name='ldapclient_user' type='string' description="DN de l'utilisateur LDAP" mandatory='False' hidden="True" supplier="LDAP:dn"/>
<variable name='ldapclient_user_password' type='password' description="Mot de passe de l'utilisateur LDAP" mandatory='True' hidden="True"/> <variable name='ldapclient_user_password' type='password' description="Mot de passe de l'utilisateur LDAP" mandatory='True' hidden="True" supplier="LDAP:password"/>
<variable name='ldapclient_base_dn' type='string' description="Base DN de l'annuaire des utilisateurs" mandatory="False"/> <variable name='ldapclient_base_dn' type='string' description="Base DN de l'annuaire" mandatory="True" supplier="LDAP:base_dn"/>
<variable name='ldapclient_search_dn' type='string' description="Base DN de l'annuaire des utilisateurs" mandatory="True"/>
<variable name='ldapclient_group_dn' type='string' description="Base DN de l'annuaire des groupes" mandatory="True"/>
<variable name='ldapclient_user_dn' type='string' description="Base DN de l'annuaire des utilisateurs n'appartenant à une famille" mandatory="True"/>
<variable name="ldap_ca_file" type="filename" description="Fichier de l'autorité de certification LDAP" hidden="True"/> <variable name="ldap_ca_file" type="filename" description="Fichier de l'autorité de certification LDAP" hidden="True"/>
<variable name="ldap_cert_file" type="filename" description="Fichier du certificate LDAP" hidden="True"/> <variable name="ldap_cert_file" type="filename" description="Fichier du certificate LDAP" hidden="True"/>
<variable name="ldap_key_file" type="filename" description="Fichier de la clef privée LDAP" hidden="True"/> <variable name="ldap_key_file" type="filename" description="Fichier de la clef privée LDAP" hidden="True"/>
@ -38,10 +41,23 @@
<check name='valid_base_dn'> <check name='valid_base_dn'>
<target>ldapclient_base_dn</target> <target>ldapclient_base_dn</target>
</check> </check>
<fill name="get_provider_name"> <fill name='get_default_base_dn'>
<param type="variable">zone_name_eth0</param> <param type="variable">ldap_server_address</param>
<param>LDAP</param> <target>ldapclient_base_dn</target>
<target>ldap_server_address</target> </fill>
<fill name='calc_value'>
<param>ou=accounts</param>
<param type="variable">ldapclient_base_dn</param>
<param name="join">,</param>
<target>ldapclient_search_dn</target>
</fill>
<fill name='calc_value'>
<param>cn=</param>
<param type='variable'>domain_name_eth0</param>
<param>,</param>
<param type='variable'>ldapclient_base_dn</param>
<param name="join"></param>
<target>ldapclient_user</target>
</fill> </fill>
<fill name="calc_value"> <fill name="calc_value">
<param type="variable">tls_ca_directory</param> <param type="variable">tls_ca_directory</param>
@ -61,16 +77,6 @@
<param name="join">/</param> <param name="join">/</param>
<target>ldap_key_file</target> <target>ldap_key_file</target>
</fill> </fill>
<fill name="set_linked_multi_variables">
<param type="variable">ldap_server_address</param>
<param name="linked_provider_0">clients</param>
<param name="linked_value_0" type="variable">domain_name_eth0</param>
<param name="linked_provider_1">client_family</param>
<param name="linked_value_1" type="variable">ldapclient_family</param>
<param name="allow_none_1" type="boolean">True</param>
<param name="linked_returns">dn</param>
<target>ldapclient_user</target>
</fill>
<fill name="get_password"> <fill name="get_password">
<param name="server_name" type="variable">ldap_server_address</param> <param name="server_name" type="variable">ldap_server_address</param>
<param name="username" type="variable">ldapclient_user</param> <param name="username" type="variable">ldapclient_user</param>
@ -80,13 +86,14 @@
<param name="temporary" type="boolean">True</param> <param name="temporary" type="boolean">True</param>
<target>ldapclient_user_password</target> <target>ldapclient_user_password</target>
</fill> </fill>
<fill name="set_linked_multi_variables"> <fill name="calc_ldapclient_base_dn">
<param type="variable">ldap_server_address</param> <param type="variable">ldapclient_base_dn</param>
<param name="linked_provider_0">client_password</param> <param name="group" type="boolean">True</param>
<param name="linked_value_0" type="variable">ldapclient_user_password</param> <target>ldapclient_group_dn</target>
<param name="linked_returns">base_dn</param> </fill>
<param name="dynamic" type="variable">domain_name_eth0</param> <fill name="calc_ldapclient_base_dn">
<target>ldapclient_base_dn</target> <param type="variable">ldapclient_base_dn</param>
<target>ldapclient_user_dn</target>
</fill> </fill>
</constraints> </constraints>
</rougail> </rougail>
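Review bot: `ldapclient_user` keeps `mandatory='False'` even though it is now the computed bind DN (`cn=<domain_name_eth0>,<ldapclient_base_dn>`) that the Postfix and Dovecot templates in this commit pair with `bind = yes`; if the `calc_value` fill yields nothing (say `ldapclient_base_dn` unresolved), the templates render an empty `bind_dn` next to a mandatory password — an unauthenticated bind attempt at runtime rather than a configuration-time error. Now that the value is always derived, change it to `mandatory='True'` so a missing DN fails during configuration. Two smaller points: `ldapclient_base_dn` carries both `supplier="LDAP:base_dn"` and a `get_default_base_dn` fill, and which takes precedence is not stated — a comment above the fill (`<!-- fallback only when no LDAP supplier provides base_dn -->`, if that is the rule) would settle it; and the `ou=accounts` literal in the `ldapclient_search_dn` fill encodes the server's directory layout, which deserves a comment saying it must match the LDAP server's tree.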


@ -11,6 +11,8 @@ def calc_ldapclient_base_dn(ldap_base_dn: str,
base: bool=False, base: bool=False,
group: bool=False, group: bool=False,
) -> str: ) -> str:
if ldap_base_dn is None:
return
if family_name == 'all': if family_name == 'all':
family_name = None family_name = None
base = True base = True
@ -28,3 +30,23 @@ def calc_ldapclient_base_dn(ldap_base_dn: str,
if family_name != '-': if family_name != '-':
base_name = f'ou={family_name},{base_name}' base_name = f'ou={family_name},{base_name}'
return base_name return base_name
class _Undefined:
pass
_undefined = _Undefined()
def get_default_base_dn(server_name: str) -> str:
if not server_name or '.' not in server_name:
return None
values = server_name.split('.')
# cannot calculated base dn should be server.domain.tld
# remove 'server' in dn
if len(values) < 3:
return None
domain = ['ou=' + domain for domain in values[1:-2]]
domain.append(f'o={values[-2]},o={values[-1]}')
return ','.join(domain)
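Review bot: `_Undefined`/`_undefined` is introduced but not used anywhere in this hunk; unless something further down the file relies on it, it is dead code and should be dropped. In `get_default_base_dn` the comprehension reuses the name `domain` for both the list being built and the loop variable — safe because of comprehension scope, but it reads like a shadowing bug; `parts = ['ou=' + label for label in values[1:-2]]` and `parts.append(...)` avoid the double take. The comment above it is garbled ("cannot calculated base dn should be server.domain.tld"); `# expects at least host.domain.tld: drop the host label, ou= per intermediate label, o= for the last two` states the actual rule, and a docstring giving one example (`host.sub.example.org -> ou=sub,o=example,o=org`) would make the mapping obvious. The `None` guard in the first hunk belongs to `calc_ldapclient_base_dn`, whose signature starts before the hunk.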


@ -6,7 +6,7 @@
# This file should be world readable but not world writable. # This file should be world readable but not world writable.
#BASE dc=example,dc=com #BASE dc=example,dc=com
BASE %%ldapclient_base_dn BASE %%ldapclient_search_dn
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666 #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
URI ldaps://%%ldap_server_address:%%ldap_port URI ldaps://%%ldap_server_address:%%ldap_port


@ -6,4 +6,3 @@ depends:
- reverse-proxy-client - reverse-proxy-client
- relay-mail-client - relay-mail-client
- nginx-common - nginx-common
provider: OAuth2


@ -28,6 +28,7 @@
<variable name="nginx_default_https" redefine="True"> <variable name="nginx_default_https" redefine="True">
<value>False</value> <value>False</value>
</variable> </variable>
<variable name="oauth2_client_external_domain" type="domainname" hidden="True" supplier="OAuth2Client:external_domain"/>
</family> </family>
<family name="lemonldap" description="LemonLDAP" help="Configuration de la solution d'authentification unique LemonLDAP::NG"> <family name="lemonldap" description="LemonLDAP" help="Configuration de la solution d'authentification unique LemonLDAP::NG">
<variable name="lemon_proc" type="number" description="Nombre de processus dédié à LemonLdap (équivalent au nombre de processeurs)" mandatory="True"> <variable name="lemon_proc" type="number" description="Nombre de processus dédié à LemonLdap (équivalent au nombre de processeurs)" mandatory="True">
@ -40,15 +41,13 @@
<variable name='ldapclient_family' redefine="True"> <variable name='ldapclient_family' redefine="True">
<value>all</value> <value>all</value>
</variable> </variable>
<variable name='ldapclient_group_dn' type='string' description="Base DN de l'annuaire des groupes" mandatory="False"/>
</family> </family>
</family> </family>
</variables> </variables>
<constraints> <constraints>
<fill name="get_linked_configuration"> <fill name="get_first_value">
<param name="linked_server" type="variable">ldap_server_address</param> <param type="variable">revprox_client_external_domainnames</param>
<param name="linked_provider">ldap_group</param> <target>oauth2_client_external_domain</target>
<target>ldapclient_group_dn</target>
</fill> </fill>
</constraints> </constraints>
</rougail> </rougail>
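Review bot: `oauth2_client_external_domain` is filled by `get_first_value` of `revprox_client_external_domainnames` but is not `mandatory`, so an empty domain list presumably leaves it unset while it is still handed to the provider as `OAuth2Client:external_domain`; declaring `<variable name="oauth2_client_external_domain" type="domainname" hidden="True" mandatory="True" supplier="OAuth2Client:external_domain"/>` makes the configuration fail early instead of registering an OAuth2 client with no domain. The dropped `ldapclient_group_dn` redefinition appears to be replaced by the ldap-client `calc_ldapclient_base_dn` fill with `group=True` shown at the top of this page; a one-line comment in the `lemonldap` family saying the group DN now comes from the ldap-client dictionary would spare the next reader the search.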


@ -1,23 +1,30 @@
<?xml version='1.0' encoding='UTF-8'?> <?xml version='1.0' encoding='UTF-8'?>
<rougail version="0.10"> <rougail version="0.10">
<variables> <variables>
<variable name="remotes" description="Remote clients needing to verify OAuth2 account" type="domainname" multi="True" provider="oauth2"/> <variable name="remotes" description="Remote clients needing to verify OAuth2 account" type="domainname" multi="True" provider="OAuth2"/>
<family name="oauth2_" description="OAuth2 for " dynamic="oauth2.remotes"> <family name="oauth2_" description="OAuth2 for " dynamic="oauth2.remotes">
<variable name="secret_" description="Remote secret for " type="password" mandatory="True" hidden="True" provider="oauth2_secret"/> <variable name="secret_" description="Remote secret for " type="password" mandatory="True" hidden="True" provider="OAuth2:secret"/>
<variable name="name_" description="Remote name for " hidden="True" provider="oauth2_name"/> <variable name="name_" description="Remote name for " hidden="True" provider="OAuth2:name"/>
<variable name="description_" description="Remote description for " hidden="True" provider="oauth2_description"/> <variable name="description_" description="Remote description for " hidden="True" provider="OAuth2:description"/>
<variable name="category_" hidden="True" provider="oauth2_category"/> <variable name="category_" hidden="True" provider="OAuth2:category"/>
<variable name="login_" description="Remote URL to login" hidden="True" provider="oauth2_login"/> <variable name="login_" description="Remote URL to login" hidden="True" provider="OAuth2:login"/>
<family name="external_" leadership="True"> <family name="external_" leadership="True">
<variable name="hosts_" description="Remote external for " provider="oauth2_external" multi="True"/> <variable name="hosts_" description="Remote external for " provider="OAuth2:external" multi="True"/>
<variable name="family_" hidden="True" provider="oauth2_family"/> <variable name="family_" hidden="True" provider="OAuth2:family"/>
</family> </family>
<variable name="logo_" hidden="True" provider="oauth2_logo"/> <variable name="logo_" hidden="True" provider="OAuth2:logo"/>
<variable name="token_signature_algo_" type="choice" description="OAuth2 token signature algorithm" mandatory='True' hidden="True" provider="oauth2_token_signature_algo"> <variable name="token_signature_algo_" type="choice" description="OAuth2 token signature algorithm" mandatory='True' hidden="True" provider="OAuth2:token_signature_algo">
<choice>HS512</choice> <choice>HS512</choice>
<choice>RS256</choice> <choice>RS256</choice>
</variable> </variable>
</family> </family>
<variable name="clients" description="Remote clients" type="domainname" multi="True" supplier="OAuth2Client"/>
</variables> </variables>
<constraints>
<fill name="calc_value">
<param type="variable">oauth2.remotes</param>
<target>oauth2.clients</target>
</fill>
</constraints>
</rougail> </rougail>


@ -3,5 +3,5 @@ After=nginx.service
[Service] [Service]
ExecStartPre=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/%%ldap_server_address/%%ldap_port; do sleep 1; done' ExecStartPre=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/%%ldap_server_address/%%ldap_port; do sleep 1; done'
ExecStartPost=-/usr/bin/timeout 10 bash -c 'while ! /usr/local/lib/sbin/interne_well_known.pl > /var/www/html/.well-known/openid-configuration/int; do sleep 5; done' ExecStartPost=-/usr/bin/timeout 10 bash -c 'while ! /usr/local/lib/sbin/interne_well_known.pl > /var/www/html/.well-known/openid-configuration/int; do sleep 1; done'
ExecStartPost=-/bin/bash -c '/usr/local/lib/sbin/interne_well_known.pl no > /var/www/html/.well-known/openid-configuration/ext' ExecStartPost=-/bin/bash -c '/usr/local/lib/sbin/interne_well_known.pl no > /var/www/html/.well-known/openid-configuration/ext'
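Review bot: The retry loop in the first `ExecStartPost` redirects straight into `/var/www/html/.well-known/openid-configuration/int`, so every failed attempt of `interne_well_known.pl` truncates the served discovery document, and since the line is `-`-prefixed and bounded by `timeout 10` an empty or partial file can be left behind and served by nginx. Write to a temporary name and rename only on success: `ExecStartPost=-/usr/bin/timeout 10 bash -c 'd=/var/www/html/.well-known/openid-configuration; while ! /usr/local/lib/sbin/interne_well_known.pl > $d/int.tmp; do sleep 1; done && mv -f $d/int.tmp $d/int'`. The `ext` line has the same truncate-then-write shape and deserves the same treatment.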


@ -1,3 +1,3 @@
address: %%revprox_client_external_domainname address: %%revprox_client_external_domainnames[0]
internal_address: %%domain_name_eth0 internal_address: %%domain_name_eth0
ip: %%ip_eth0 ip: %%ip_eth0


@ -13,7 +13,7 @@ commentStartToken = §
"ldapPpolicyControl" : 1, "ldapPpolicyControl" : 1,
"ldapAllowResetExpiredPassword" : 1, "ldapAllowResetExpiredPassword" : 1,
"ldapChangePasswordAsUser" : 1, "ldapChangePasswordAsUser" : 1,
"ldapBase" : "%%ldapclient_base_dn", "ldapBase" : "%%ldapclient_search_dn",
"ldapExportedVars" : { "ldapExportedVars" : {
"uid" : "uid", "uid" : "uid",
"cn" : "cn", "cn" : "cn",
@ -41,7 +41,7 @@ commentStartToken = §
"mail" : "mail", "mail" : "mail",
"uid" : "uid" "uid" : "uid"
}, },
"domain" : "%%revprox_client_external_domainname", "domain" : "%%revprox_client_external_domainnames[0]",
"exportedVars" : { "exportedVars" : {
"UA" : "HTTP_USER_AGENT", "UA" : "HTTP_USER_AGENT",
"cn" : "cn", "cn" : "cn",
@ -60,21 +60,21 @@ commentStartToken = §
"namespace" : "lemonldap-ng-sessions" "namespace" : "lemonldap-ng-sessions"
}, },
"locationRules" : { "locationRules" : {
"%%revprox_client_external_domainname" : { "%%revprox_client_external_domainnames[0]" : {
"default" : "accept" "default" : "accept"
%set %%domains = [] %set %%domains = []
%for %%app in %%oauth2.remotes %for %%app in %%oauth2.remotes
%set %%key = %%normalize_family(%%app) %set %%key = %%normalize_family(%%app)
§ somethink like ['https://domain/'] § somethink like ['https://domain/']
%for %%external in %%oauth2['oauth2_' + %%key]['external_' + %%key]['hosts_' + %%key] %for %%external in %%oauth2['oauth2_' + %%key]['external_' + %%key]['hosts_' + %%key]
%set %%domain = %%str(%%external).split('/', 3)[-2] %set %%domain = %%str(%%external).split('/', 3)[-2]
%if %%domain not in %%domains %if %%domain not in %%domains
}, },
"%%domain" : { "%%domain" : {
"^/logout" : "logout_sso", "^/logout" : "logout_sso",
"default" : "$groups eq \"%%external['family_' + %%key]\"" "default" : "$groups eq \"%%external['family_' + %%key]\""
%%domains.append(%%domain)%slurp %%domains.append(%%domain)%slurp
%end if %end if
%end for %end for
%end for %end for
} }
@ -84,7 +84,7 @@ commentStartToken = §
"UA" : "$ENV{HTTP_USER_AGENT}", "UA" : "$ENV{HTTP_USER_AGENT}",
"_whatToTrace" : "$_auth eq 'SAML' ? lc($_user.'@'.$_idpConfKey) : $_auth eq 'OpenIDConnect' ? lc($_user.'@'.$_oidc_OP) : lc($_user)" "_whatToTrace" : "$_auth eq 'SAML' ? lc($_user.'@'.$_idpConfKey) : $_auth eq 'OpenIDConnect' ? lc($_user.'@'.$_oidc_OP) : lc($_user)"
}, },
"mailUrl" : "https://%%revprox_client_external_domainname/resetpwd", "mailUrl" : "https://%%revprox_client_external_domainnames[0]/resetpwd",
"mySessionAuthorizedRWKeys" : [ "mySessionAuthorizedRWKeys" : [
"_appsListOrder", "_appsListOrder",
"_oidcConnectedRP", "_oidcConnectedRP",
@ -161,7 +161,7 @@ commentStartToken = §
"Directory": "/srv/lemonldap-ng/psessions", "Directory": "/srv/lemonldap-ng/psessions",
"LockDirectory": "/srv/lemonldap-ng/psessions/lock" "LockDirectory": "/srv/lemonldap-ng/psessions/lock"
}, },
"portal" : "https://%%revprox_client_external_domainname/", "portal" : "https://%%revprox_client_external_domainnames[0]/",
"portalCheckLogins": 0, "portalCheckLogins": 0,
"portalDisplayRegister": 0, "portalDisplayRegister": 0,
"portalDisplayResetPassword": 0, "portalDisplayResetPassword": 0,


@ -48,7 +48,7 @@ server {
# GNUNUX server_name auth.example.com; # GNUNUX server_name auth.example.com;
#>GNUNUX #>GNUNUX
listen 443 ssl; listen 443 ssl;
server_name %%revprox_client_external_domainname; server_name %%{revprox_client_external_domainnames[0]};
ssl_certificate %%revprox_cert_file; ssl_certificate %%revprox_cert_file;
ssl_certificate_key %%revprox_key_file; ssl_certificate_key %%revprox_key_file;
ssl_client_certificate %%revprox_ca_file; ssl_client_certificate %%revprox_ca_file;


@ -56,7 +56,8 @@ def letsencrypt_certif(domain: str,
] ]
ret = _run(cli_args, capture_output=True) ret = _run(cli_args, capture_output=True)
if ret.returncode != 0: if ret.returncode != 0:
raise ValueError(ret.stderr.decode()) print("FIXME")
#raise ValueError(ret.stderr.decode())
print("Done") print("Done")
with open(date_file, 'w') as fh: with open(date_file, 'w') as fh:
fh.write(today) fh.write(today)
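Review bot: Replacing `raise ValueError(ret.stderr.decode())` with `print("FIXME")` turns a failed certbot run into a success path: the function goes on to print `Done` and writes `today` into `date_file`, so the next run believes the certificate was renewed and the failure stays hidden until the certificate expires. Restore the raise, or at least keep the bookkeeping out of the failure path: `if ret.returncode != 0: raise RuntimeError(f"certbot failed ({ret.returncode}): {ret.stderr.decode(errors='replace')}")` before the `with open(date_file, 'w')` block. If a known transient failure is to be tolerated, log `ret.stderr` and `return` without touching `date_file` rather than printing a placeholder. `letsencrypt_certif` begins outside the hunk.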


@ -3,7 +3,7 @@ description: Gestionnaire de liste de diffusion Mailman
depends: depends:
- base-fedora-35 - base-fedora-35
- postgresql-client - postgresql-client
- relay-mail-client - relay-lmtp-client
- reverse-proxy-client - reverse-proxy-client
- nginx-common - nginx-common
- oauth2-client - oauth2-client


@ -5,7 +5,7 @@
<variable name="name_" description="Nom des listes" type="unix_user" multi="True" mandatory="True"/> <variable name="name_" description="Nom des listes" type="unix_user" multi="True" mandatory="True"/>
<variable name="names_" description="Address names" type="string" multi="True" mandatory="True" hidden="True"/> <variable name="names_" description="Address names" type="string" multi="True" mandatory="True" hidden="True"/>
</family> </family>
<variable name="names_" description="Address names" type="string" multi="True" mandatory="True" hidden="True"/> <variable name="names_" description="Address names" type="string" multi="True" mandatory="True" hidden="True" supplier="LMTP:criteria"/>
</variables> </variables>
<constraints> <constraints>
<fill name="mailman_emails"> <fill name="mailman_emails">
@ -17,18 +17,6 @@
<param type="variable">mailman.list_.names_</param> <param type="variable">mailman.list_.names_</param>
<target>mailman.names_</target> <target>mailman.names_</target>
</fill> </fill>
<check name="set_linked_configuration">
<param name="linked_server" type="variable">smtp_relay_address</param>
<param name="linked_provider">lmtp_server</param>
<param name="linked_value" type="variable">domain_name_eth0</param>
<target>mailman.names_</target>
</check>
<check name="set_linked_configuration">
<param name="linked_server" type="variable">smtp_relay_address</param>
<param name="linked_provider">lmtp_criteria</param>
<param name="dynamic" type="variable">domain_name_eth0</param>
<target>mailman.names_</target>
</check>
</constraints> </constraints>
</rougail> </rougail>


@ -13,9 +13,9 @@ DATABASES = {
'OPTIONS': {'sslmode': 'verify-full', 'sslcert': '/etc/pki/tls/certs/postgresql.crt', 'sslkey': '/etc/pki/tls/private/postgresql_postorius.key', 'sslrootcert': '/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt'}, 'OPTIONS': {'sslmode': 'verify-full', 'sslcert': '/etc/pki/tls/certs/postgresql.crt', 'sslkey': '/etc/pki/tls/private/postgresql_postorius.key', 'sslrootcert': '/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt'},
} }
} }
ALLOWED_HOSTS = ['%%revprox_client_external_domainname'] ALLOWED_HOSTS = ['%%{revprox_client_external_domainnames[0]}']
POSTORIUS_TEMPLATE_BASE_URL = 'https://%%revprox_client_external_domainname' POSTORIUS_TEMPLATE_BASE_URL = 'https://%%{revprox_client_external_domainnames[0]}'
CSRF_TRUSTED_ORIGINS = ['%%revprox_client_external_domainname'] CSRF_TRUSTED_ORIGINS = ['%%{revprox_client_external_domainnames[0]}']
USE_X_FORWARDED_HOST = True USE_X_FORWARDED_HOST = True
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
LANGUAGE_CODE = 'fr' LANGUAGE_CODE = 'fr'
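Review bot: `CSRF_TRUSTED_ORIGINS` is given a bare hostname while the sibling `POSTORIUS_TEMPLATE_BASE_URL` carries the scheme; since Django 4.0 the entries must start with a scheme (the `4_0.E001` system check rejects a bare host), and on earlier versions the scheme-less form is what is expected, so the right value depends on the Django the base image ships. Unless that is pinned below 4.0, write `CSRF_TRUSTED_ORIGINS = ['https://%%{revprox_client_external_domainnames[0]}']`. `ALLOWED_HOSTS` likewise lists only the first external name; if the reverse proxy can present the others, iterate the list or state the single-name assumption in a comment.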


@ -19,7 +19,7 @@ RestrictRealtime=yes
PrivateMounts=yes PrivateMounts=yes
Environment="MAILMAN_WEB_CONFIG=/usr/share/postorius/m_postorius/settings.py" Environment="MAILMAN_WEB_CONFIG=/usr/share/postorius/m_postorius/settings.py"
ExecStartPre=/usr/share/postorius/manage.py migrate ExecStartPre=/usr/share/postorius/manage.py migrate
ExecStartPre=/usr/share/postorius/manage.py shell -c 'from django.contrib.sites.models import Site; site=Site.objects.first(); site.name="%%revprox_client_external_domainname"; site.domain="%%revprox_client_external_domainname"; site.save()' ExecStartPre=/usr/share/postorius/manage.py shell -c 'from django.contrib.sites.models import Site; site=Site.objects.first(); site.name="%%{revprox_client_external_domainnames[0]}"; site.domain="%%{revprox_client_external_domainnames[0]}"; site.save()'
ExecStartPre=/usr/share/postorius/manage.py shell -c 'from allauth.socialaccount.models import SocialApp; SocialApp.objects.create() if SocialApp.objects.count() == 0 else print("social app already exists"); a=SocialApp.objects.first(); a.name = "%%domain_name_eth0"; a.provider = "risotto"; a.client_id = "%%oauth2_client_id"; a.secret = "%%oauth2_client_secret"; a.sites.set([1]); a.save()' ExecStartPre=/usr/share/postorius/manage.py shell -c 'from allauth.socialaccount.models import SocialApp; SocialApp.objects.create() if SocialApp.objects.count() == 0 else print("social app already exists"); a=SocialApp.objects.first(); a.name = "%%domain_name_eth0"; a.provider = "risotto"; a.client_id = "%%oauth2_client_id"; a.secret = "%%oauth2_client_secret"; a.sites.set([1]); a.save()'
ExecStartPre=-/usr/share/postorius/manage.py createsuperuser --username "%%mailman_mail_owner" --email "%%mailman_mail_owner" --noinput ExecStartPre=-/usr/share/postorius/manage.py createsuperuser --username "%%mailman_mail_owner" --email "%%mailman_mail_owner" --noinput
ExecStart=/usr/bin/gunicorn --config /etc/postorius/gunicorn_config.py m_postorius.wsgi ExecStart=/usr/bin/gunicorn --config /etc/postorius/gunicorn_config.py m_postorius.wsgi
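Review bot: The pre-existing second `ExecStartPre` embeds `%%oauth2_client_secret` in the `manage.py shell -c` command, so the secret is readable in the unit file and `systemctl show`, visible in the process list while the command runs, and a secret containing a quote character would break the embedded Python; this commit does not introduce it but edits the neighbouring line. Move it to an `EnvironmentFile=` with mode 0600 and read it in the snippet: `a.secret = os.environ["OAUTH2_CLIENT_SECRET"]` (with `import os;` at the start of the `-c` string). The changed `site.name`/`site.domain` line keeps relying on `Site.objects.first()` being non-None, which holds only after the sites migration has created its default row.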


@ -5,33 +5,28 @@
</services> </services>
<variables> <variables>
<family name="mariadb" description="MariaDB"> <family name="mariadb" description="MariaDB">
<variable name="mariadb_client_server_domainname" type="domainname" description="Nom de domaine du serveur MariaDB" mandatory="True"/> <variable name="mariadb_client_server_domainname" type="domainname" description="Nom de domaine du serveur MariaDB" mandatory="True" supplier="MariaDB"/>
<variable name="mariadb_client_username" description="Database username" mandatory="True" hidden="True"/> <variable name="mariadb_client_username" description="Database username" mandatory="True" hidden="True"/>
<variable name="mariadb_client_password" type="secret" description="Database password" mandatory="True" hidden="True"/> <variable name="mariadb_client_password" type="secret" description="Database password" mandatory="True" hidden="True" supplier="MariaDB:password"/>
<variable name="mariadb_client_database" description="Database name" mandatory="True" hidden="True"/> <variable name="mariadb_client_database" description="Database name" mandatory="True" hidden="True"/>
</family> </family>
</variables> </variables>
<constraints> <constraints>
<fill name="get_provider_name"> <fill name="normalize_family">
<param type="variable">zone_name_eth0</param> <param type="variable">domain_name_eth0</param>
<param>MariaDB</param>
<target>mariadb_client_server_domainname</target>
</fill>
<fill name="set_linked">
<param name="linked_server" type="variable">mariadb_client_server_domainname</param>
<param name="linked_provider">clients</param>
<param name="linked_value" type="variable">domain_name_eth0</param>
<target>mariadb_client_username</target> <target>mariadb_client_username</target>
</fill> </fill>
<fill name="get_linked_configuration">
<param name="linked_server" type="variable">mariadb_client_server_domainname</param>
<param name="linked_provider">client_password</param>
<param name="dynamic" type="variable">mariadb_client_username</param>
<target>mariadb_client_password</target>
</fill>
<fill name="calc_value"> <fill name="calc_value">
<param type="variable">mariadb_client_username</param> <param type="variable">mariadb_client_username</param>
<target>mariadb_client_database</target> <target>mariadb_client_database</target>
</fill> </fill>
<fill name="get_password">
<param name="server_name" type="variable">mariadb_client_server_domainname</param>
<param name="username" type="variable">domain_name_eth0</param>
<param name="description">remote</param>
<param name="type">cleartext</param>
<param name="hide" type="variable">hide_secret</param>
<target>mariadb_client_password</target>
</fill>
</constraints> </constraints>
</rougail> </rougail>
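Review bot: `mariadb_client_password` now has two sources: `supplier="MariaDB:password"` on the variable and a local `get_password` fill keyed on `username=domain_name_eth0`, while the account name actually used (`mariadb_client_username`) is `normalize_family(domain_name_eth0)`. If both are honoured, the locally generated value and the one the server supplies can disagree, and the password lookup key differs from the connecting username; confirm which source wins in rougail and drop the other, or document the precedence in a comment on the fill. The `<param name="description">remote</param>` label is generic; naming the service (e.g. `mariadb`) makes the stored entry identifiable, assuming the description is what the password store displays.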


@ -1,6 +1,4 @@
format: '0.1' format: '0.1'
description: Mariadb description: Mariadb
depends: depends:
- server
- base-fedora-36 - base-fedora-36
provider: MariaDB


@ -0,0 +1,10 @@
<?xml version='1.0' encoding='UTF-8'?>
<rougail version="0.10">
<variables>
<variable name="remotes" description="Remote clients needing an account" type="domainname" multi="True" provider="MariaDB"/>
<family name="remote_" description="Account for " dynamic="accounts.remotes">
<variable name="password_" description="Remote password" auto_save="False" hidden="True" type="password" mandatory="True" provider="MariaDB:password"/>
</family>
</variables>
</rougail>
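Review bot: `password_` is `mandatory="True"` and `hidden="True"` with `auto_save="False"`, but this dictionary has no `<constraints>` block, so nothing visible here fills it; presumably the value arrives through `MariaDB:password` from the client-side `get_password` fill. A comment on the variable, e.g. `<!-- value is supplied by the client's get_password fill via provider MariaDB:password; nothing generates it here -->`, would save the next reader the search. The OAuth2 `secret_` variable on this page uses the same provider pattern without `auto_save="False"`; if the two are meant to behave alike, align the attributes.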


@ -5,7 +5,7 @@
<service name="nextcloudcron" type="timer" engine="none" target="timers"/> <service name="nextcloudcron" type="timer" engine="none" target="timers"/>
<service name="nextcloud" engine="creole" target="multi-user"> <service name="nextcloud" engine="creole" target="multi-user">
<file owner="apache" group="apache" mode="440" source="nextcloud-config.php">/etc/nextcloud/config.php</file> <file owner="apache" group="apache" mode="440" source="nextcloud-config.php">/etc/nextcloud/config.php</file>
<file owner="root" group="apache" mode="750">/etc/nextcloud/nextcloud.init</file> <file owner="root" group="root" mode="755">/sbin/nextcloud.init</file>
<file>/etc/httpd/conf.d/a-nextcloud-access.conf</file> <file>/etc/httpd/conf.d/a-nextcloud-access.conf</file>
<file>/etc/httpd/conf.d/z-nextcloud-access.conf</file> <file>/etc/httpd/conf.d/z-nextcloud-access.conf</file>
<file>/etc/php.d/20-pgsql.ini</file> <file>/etc/php.d/20-pgsql.ini</file>
@ -66,38 +66,12 @@
<param name="hide" type="variable">hide_secret</param> <param name="hide" type="variable">hide_secret</param>
<target>nextcloud_instance_id</target> <target>nextcloud_instance_id</target>
</fill> </fill>
<fill name="calc_value">
<param type="variable">revprox_client_external_domainnames</param>
<target>nextcloud_well_known_server</target>
</fill>
<!-- FIXME : check name="set_linked_multi_variables">
<param name="linked_provider_0">revprox_clients</param>
<param name="linked_value_0" type="variable">nextcloud_well_known_server</param>
<param name="linked_provider_1">revprox_location</param>
<param name="linked_value_1">/.well-known/caldav</param>
<param name="linked_provider_2">revprox_is_websocket</param>
<param name="linked_value_2" type="boolean">False</param>
<param name="linked_provider_3">revprox_url</param>
<param name="linked_value_3" type="variable">nextcloud_well_known_caldav</param>
<target>revprox_client_server_domainname</target>
</check-->
<fill name="calc_web_address"> <fill name="calc_web_address">
<param type="variable">domain_name_eth0</param> <param type="variable">domain_name_eth0</param>
<param type="variable">revprox_client_port</param> <param type="variable">revprox_client_port</param>
<param>/.well-known/caldav</param> <param>/.well-known/caldav</param>
<target>nextcloud_well_known_caldav</target> <target>nextcloud_well_known_caldav</target>
</fill> </fill>
<!-- FIXME : check name="set_linked_multi_variables">
<param name="linked_provider_0">revprox_clients</param>
<param name="linked_value_0" type="variable">nextcloud_well_known_server</param>
<param name="linked_provider_1">revprox_location</param>
<param name="linked_value_1">/.well-known/carddav</param>
<param name="linked_provider_2">revprox_is_websocket</param>
<param name="linked_value_2" type="boolean">False</param>
<param name="linked_provider_3">revprox_url</param>
<param name="linked_value_3" type="variable">nextcloud_well_known_carddav</param>
<target>revprox_client_server_domainname</target>
</check-->
<fill name="calc_web_address"> <fill name="calc_web_address">
<param type="variable">domain_name_eth0</param> <param type="variable">domain_name_eth0</param>
<param type="variable">revprox_client_port</param> <param type="variable">revprox_client_port</param>


@ -11,7 +11,7 @@ $CONFIG = array (
'trusted_domains' => 'trusted_domains' =>
array ( array (
0 => 'localhost', 0 => 'localhost',
1 => '%%revprox_client_external_domainname', 1 => '%%revprox_client_external_domainnames[0]',
), ),
'apps_paths' => 'apps_paths' =>
array ( array (
@ -49,7 +49,7 @@ $CONFIG = array (
'memcache.distributed' => '\OC\Memcache\Redis', 'memcache.distributed' => '\OC\Memcache\Redis',
'memcache.locking' => '\OC\Memcache\Redis', 'memcache.locking' => '\OC\Memcache\Redis',
'trusted_proxies' => '%%revprox_client_server_ip', 'trusted_proxies' => '%%revprox_client_server_ip',
'overwritehost' => '%%revprox_client_external_domainname', 'overwritehost' => '%%revprox_client_external_domainnames[0]',
'filelocking.enabled' => true, 'filelocking.enabled' => true,
'redis' => [ 'redis' => [
'host' => '%%redis_client_server_domainname', 'host' => '%%redis_client_server_domainname',


@ -29,9 +29,9 @@ fi
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapPort "%%ldap_port" /usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapPort "%%ldap_port"
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentName "%%ldapclient_user" /usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentName "%%ldapclient_user"
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentPassword "%%ldapclient_user_password" /usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentPassword "%%ldapclient_user_password"
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBase "%%ldapclient_base_dn" /usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBase "%%ldapclient_search_dn"
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseUsers "%%ldapclient_base_dn" /usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseUsers "%%ldapclient_user_dn"
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseGroups "%%ldapclient_base_dn" /usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseGroups "%%ldapclient_group_dn"
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapExperiencedAdmin "0" /usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapExperiencedAdmin "0"
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapExpertUUIDUserAttr "cn" /usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapExpertUUIDUserAttr "cn"
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapLoginFilter "(&(cn=%uid)(ObjectClass=inetOrgPerson))" /usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapLoginFilter "(&(cn=%uid)(ObjectClass=inetOrgPerson))"
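Review bot: `ldapBaseGroups` is now templated from `ldapclient_group_dn`, which the ldap-client fill on this page derives from `ldapclient_base_dn` and returns None when that base is unset; the line would then set the groups base to whatever the engine renders for None instead of leaving Nextcloud's default. Guard it with `%if %%ldapclient_group_dn` around the `ldapBaseGroups` call (and likewise `ldapBaseUsers`), or make the DN variables mandatory on the client side. The bind password is still passed as an `occ` argument and is visible in the process list for the duration of the call; that predates this commit.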


@ -8,7 +8,7 @@ Type=oneshot
WorkingDirectory=/usr/share/nextcloud WorkingDirectory=/usr/share/nextcloud
#FIXME #FIXME
ExecStart=+/usr/bin/chmod +w /etc/nextcloud/config.php ExecStart=+/usr/bin/chmod +w /etc/nextcloud/config.php
ExecStart=/etc/nextcloud/nextcloud.init ExecStart=/usr/local/lib/sbin/nextcloud.init
ExecStart=+/usr/bin/chmod -w /etc/nextcloud/config.php ExecStart=+/usr/bin/chmod -w /etc/nextcloud/config.php
User=apache User=apache
Group=apache Group=apache
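Review bot: With `Type=oneshot`, a non-zero exit of `/usr/local/lib/sbin/nextcloud.init` stops the remaining `ExecStart=` lines, so the trailing `chmod -w /etc/nextcloud/config.php` is skipped and the file is left writable by the `apache` user; use `ExecStopPost=+/usr/bin/chmod -w /etc/nextcloud/config.php`, which runs whether or not the script succeeds. The path executed here does not match the `/sbin/nextcloud.init` the rougail service file on this page installs, unless that prefix is rewritten at install time. The `#FIXME` above the chmod lines should say what is to be fixed, e.g. `# FIXME: config.php is installed mode 440 but occ must write it during init; find a way that avoids toggling permissions`.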


@ -3,4 +3,3 @@ description: Nginx as reverse proxy
depends: depends:
- base-fedora-36 - base-fedora-36
- nginx-common - nginx-common
provider: ReverseProxy


@ -5,8 +5,8 @@
<override engine="creole"/> <override engine="creole"/>
<file source="nginx-options-rp.conf">/etc/nginx/conf.d/options-rp.conf</file> <file source="nginx-options-rp.conf">/etc/nginx/conf.d/options-rp.conf</file>
<file source="revprox-nginx.conf">/etc/nginx/conf.d/risotto.conf</file> <file source="revprox-nginx.conf">/etc/nginx/conf.d/risotto.conf</file>
<file source="certificate.crt" file_type="variable" mode="600" variable="revprox_domainnames_all">nginx_certificate_filename</file> <file source="certificate.crt" file_type="variable" mode="600" variable="nginx.revprox_domainnames">nginx.nginx_certificate_filename</file>
<file source="private.key" file_type="variable" mode="600" variable="revprox_domainnames_all">nginx_private_key_filename</file> <file source="private.key" file_type="variable" mode="600" variable="nginx.revprox_domainnames">nginx.nginx_private_key_filename</file>
<file>/tests/reverse-proxy.yml</file> <file>/tests/reverse-proxy.yml</file>
</service> </service>
</services> </services>
@ -22,34 +22,6 @@
<variable name="nginx_default_http" redefine="True"> <variable name="nginx_default_http" redefine="True">
<value>True</value> <value>True</value>
</variable> </variable>
<variable name="revprox_domainnames" type="domainname" description="Nom des domaines à configurer dans le serveur mandataire inverse" help="Liste des domaines gérés par le serveur mandataire inverse" multi="True"/>
<variable name="revprox_domainnames_auto" type="domainname" description="Nom des domaines auto-configurés dans le serveur mandataire inverse" multi="True" provider="revprox_clients" hidden="True"/>
<variable name="revprox_domainnames_all" type="domainname" description="Tous les noms de domaines" multi="True" hidden="True"/>
<variable name='nginx_private_key_filename' type="filename" description="Private key filename" hidden='True' multi='True'/>
<variable name='nginx_certificate_filename' type="filename" description="Certificate filename" hidden='True' multi='True'/>
</family> </family>
</variables> </variables>
<constraints>
<fill name="nginx_concat_lists">
<param type="variable">revprox_domainnames</param>
<param type="variable">revprox_domainnames_auto</param>
<target>revprox_domainnames_all</target>
</fill>
<fill name="calc_value">
<param>/etc/pki/tls/certs/</param>
<param type="variable">revprox_domainnames_all</param>
<param>.crt</param>
<param name="join"></param>
<param name="multi" type="boolean">True</param>
<target>nginx_certificate_filename</target>
</fill>
<fill name="calc_value">
<param>/etc/pki/tls/private/</param>
<param type="variable">revprox_domainnames_all</param>
<param>.key</param>
<param name="join"></param>
<param name="multi" type="boolean">True</param>
<target>nginx_private_key_filename</target>
</fill>
</constraints>
</rougail> </rougail>


@ -1,16 +1,40 @@
<?xml version='1.0' encoding='UTF-8'?> <?xml version='1.0' encoding='UTF-8'?>
<rougail version="0.10"> <rougail version="0.10">
<variables> <variables>
<family name="reverse_proxy_for_" description="Serveur mandataire inverse pour " dynamic="revprox_domainnames_all"> <variable name="remotes" type="domainname" description="Nom des domaines dans le serveur mandataire inverse" multi="True" provider="ReverseProxy"/>
<variable name="revprox_domain_wildcard_" description="Activer la redirection pour tous les sous-domaines" help="Exemple pour &quot;domaine&quot; : tous les sous-domaines de &quot;domaine&quot; seront redirigés" type="boolean"> <family name="reverse_proxy_for_" description="Serveur mandataire inverse pour " dynamic="nginx.remotes">
<value>False</value>
</variable>
<family name="reverse_proxy_" description="Reverse proxy " help="Paramètrage du proxy inverse" leadership="True"> <family name="reverse_proxy_" description="Reverse proxy " help="Paramètrage du proxy inverse" leadership="True">
<variable name="revprox_location_" type="filename" description="Répertoire ou nom de la page à rediriger pour " help="URL relative (sans le nom de domaine) redirigée pour l'adresse définie dans la variable ci-dessus (exemple &quot;/mail&quot;)" mandatory="True" multi="True" provider="revprox_location"/> <variable name="revprox_domainnames_" type="domainname" description="Nom des domaines auto-configurés dans le serveur mandataire inverse" multi="True" provider="ReverseProxy:external" hidden="True"/>
<variable name="revprox_url_" type="web_address" description="Domaine de destination ou URI complète pour " mandatory="True" help="Nom de domaine ou IP de destination, par exemple &quot;http://domainelocal&quot; ou URI, par exemple &quot;http://domainelocal/dir/&quot;" provider="revprox_url"/> <variable name="revprox_location_" type="filename" description="Répertoire ou nom de la page à rediriger pour " help="URL relative (sans le nom de domaine) redirigée pour l'adresse définie dans la variable ci-dessus (exemple &quot;/mail&quot;)" mandatory="True" multi="True" provider="ReverseProxy:location"/>
<variable name="revprox_is_websocket_" type="boolean" description="Le point d'entré est de types websocket pour " mandatory="True" provider="revprox_is_websocket"/> <variable name="revprox_url_" type="web_address" description="Domaine de destination ou URI complète pour " mandatory="True" help="Nom de domaine ou IP de destination, par exemple &quot;http://domainelocal&quot; ou URI, par exemple &quot;http://domainelocal/dir/&quot;" provider="ReverseProxy:url"/>
<variable name="revprox_max_body_size_" description="Taille maximum du corps pour " provider="revprox_max_body_size"/> <variable name="revprox_is_websocket_" type="boolean" description="Le point d'entré est de types websocket pour " mandatory="True" multi="True" provider="ReverseProxy:websocket"/>
<variable name="revprox_max_body_size_" description="Taille maximum du corps pour " provider="ReverseProxy:max_body_size"/>
</family> </family>
</family> </family>
<variable name="revprox_domainnames" type="domainname" description="Nom des domaines auto-configurés dans le serveur mandataire inverse" multi="True" hidden="True"/>
<variable name='nginx_private_key_filename' type="filename" description="Private key filename" hidden='True' multi='True'/>
<variable name='nginx_certificate_filename' type="filename" description="Certificate filename" hidden='True' multi='True'/>
</variables> </variables>
<constraints>
<fill name="nginx_list">
<param type="variable">nginx.reverse_proxy_for_.reverse_proxy_.revprox_domainnames_</param>
<target>nginx.revprox_domainnames</target>
</fill>
<fill name="calc_value">
<param>/etc/pki/tls/certs/</param>
<param type="variable">nginx.revprox_domainnames</param>
<param>.crt</param>
<param name="join"></param>
<param name="multi" type="boolean">True</param>
<target>nginx.nginx_certificate_filename</target>
</fill>
<fill name="calc_value">
<param>/etc/pki/tls/private/</param>
<param type="variable">nginx.revprox_domainnames</param>
<param>.key</param>
<param name="join"></param>
<param name="multi" type="boolean">True</param>
<target>nginx.nginx_private_key_filename</target>
</fill>
</constraints>
</rougail> </rougail>
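Review bot: Inside the `reverse_proxy_` leadership family, `revprox_location_` and `revprox_is_websocket_` are both `multi="True"` followers and the test-file template on this page indexes one by the position of the other (`revprox_is_websocket_[loc_idx]`), but no constraint checks that the two lists have the same length; a remote supplying fewer websocket flags than locations would make that template fail at render time. Add a check on the two variables, or give `revprox_is_websocket_` a per-entry default with `<value>False</value>`. `revprox_url_` is not multi, so one backend URL now serves all locations of a domain; if that is intended, the `help` text should say so.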


@ -1,9 +1,11 @@
from typing import List as _List from risotto.utils import multi_function as _multi_function
from risotto.utils import multi_function
@multi_function @_multi_function
def nginx_concat_lists(list1: _List[str], def nginx_list(lst):
list2: _List[str], ret = []
) -> _List[str]: for l in lst:
return list1 + list2 ret.extend(l)
ret = list(set(ret))
ret.sort()
return ret
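Review bot: `nginx_list` does not tolerate a `None` element in `lst`: `ret.extend(l)` raises `TypeError` as soon as one dynamic family has no `revprox_domainnames_` value, and the `nginx_list` fill in the XML passes those per-family values straight through — assuming rougail yields `None` for an unvalued multi, which is worth confirming. Skipping falsy entries and dropping the E741 name `l` collapses the body to one expression, `return sorted({name for sub in lst if sub for name in sub})`, which is also what the `set` + `sort` sequence computes today. A docstring is missing as well: `"""Flatten the per-remote domain-name lists into one sorted, deduplicated list."""`.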


@ -1,9 +1,9 @@
%set %%domains = set() %set %%domains = set()
%for %%domainname in %%revprox_domainnames_all %for %%domainname in %%nginx.remotes
%set %%family = %%normalize_family(%%domainname) %set %%family = %%normalize_family(%%domainname)
%set %%revprox = %%nginx['reverse_proxy_for_' + family]['reverse_proxy_' + family] %set %%revprox = %%nginx['reverse_proxy_for_' + family]['reverse_proxy_' + family]
%for %%location in %%revprox['revprox_location_' + family] %for %%domain in %%revprox['revprox_domainnames_' + family]
%set %%domain = %%location['revprox_url_' + family].split('/', 3)[2].split(':')[0] %set %%domain = %%domain['revprox_url_' + family].split('/', 3)[2].split(':')[0]
%%domains.add(%%domain)%slurp %%domains.add(%%domain)%slurp
%end for %end for
%end for %end for
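Review bot: Inside the new inner loop the loop variable `%%domain` is immediately overwritten by `%set %%domain = %%domain['revprox_url_' + family].split('/', 3)[2].split(':')[0]`, so the leader entry and the parsed upstream host share one name and the next iteration re-binds it again; renaming the loop variable, `%for %%rp_domain in %%revprox['revprox_domainnames_' + family]` followed by `%set %%domain = %%rp_domain['revprox_url_' + family].split('/', 3)[2].split(':')[0]`, keeps the two apart. The host extraction itself is a hand-rolled URL parse: it returns `user@host` when the address carries userinfo and the wrong field when there is no `scheme://` prefix, which is only safe if the `web_address` type guarantees the `scheme://host[:port][/path]` shape — a short comment stating that assumption would help the next reader.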


@ -1,10 +1,12 @@
address: %%ip_eth0 address: %%ip_eth0
urls: urls:
%for %%domain in %%revprox_domainnames_all %for %%domain in %%nginx.remotes
%set %%suffix = %%normalize_family(%%domain) %set %%suffix = %%normalize_family(%%domain)
%for %%location in %%nginx['reverse_proxy_for_' + %%suffix]['reverse_proxy_' + %%suffix]['revprox_location_' + %%suffix] %for %%revprox in %%nginx['reverse_proxy_for_' + %%suffix]['reverse_proxy_' + %%suffix]['revprox_domainnames_' + %%suffix]
%if not %%location['revprox_is_websocket_' + %%suffix] %for %%loc_idx, %%location in %%enumerate(%%revprox['revprox_location_' + %%suffix])
- %%domain%%location %if not %%revprox['revprox_is_websocket_' + %%suffix][%%loc_idx]
%end if - %%revprox%%location
%end if
%end for
%end for %end for
%end for %end for


@ -1,7 +1,4 @@
%for %%idx, %%domainname in %%enumerate(%%revprox_domainnames_all) %for %%idx, %%domainname in %%enumerate(%%nginx.revprox_domainnames)
%set %%family = %%normalize_family(%%domainname)
%set %%revprox = %%nginx['reverse_proxy_for_' + family]['reverse_proxy_' + family]
%set %%wildcard = %%nginx['reverse_proxy_for_' + family]['revprox_domain_wildcard_' + family]
# Configuration HTTP %%domainname # Configuration HTTP %%domainname
server { server {
listen 80; listen 80;
@ -12,23 +9,29 @@ server {
# Configuration HTTPS %%domainname # Configuration HTTPS %%domainname
server { server {
listen 443 ssl http2; listen 443 ssl http2;
ssl_certificate %%nginx_certificate_filename[%%idx]; ssl_certificate %%nginx.nginx_certificate_filename[%%idx];
ssl_certificate_key %%nginx_private_key_filename[%%idx]; ssl_certificate_key %%nginx.nginx_private_key_filename[%%idx];
server_name %%domainname; server_name %%domainname;
error_page 403 404 502 503 504 /error.html; error_page 403 404 502 503 504 /error.html;
location = /error.html{ location = /error.html{
root /var/www/html; root /var/www/html;
} }
%for %%location in %%revprox['revprox_location_' + family] %for %%remote in %%nginx.remotes
%set %%location_str = %%str(%%location) %set %%family = %%normalize_family(%%remote)
%set %%revprox = %%nginx['reverse_proxy_for_' + %%family]['reverse_proxy_' + %%family]
%for %%rp_domainname in %%revprox['revprox_domainnames_' + %%family]
%if %%domainname != %%str(%%rp_domainname)
%continue
%end if
%for %%loc_idx, %%location in %%enumerate(%%rp_domainname['revprox_location_' + %%family])
location %%location { location %%location {
proxy_pass %%location['revprox_url_' + family]; proxy_pass %%rp_domainname['revprox_url_' + %%family];
%if %%location['revprox_is_websocket_' + family] %if %%rp_domainname['revprox_is_websocket_' + %%family][%%loc_idx]
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";
%else %else
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Host $host;
@ -37,25 +40,28 @@ server {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Destination $dest; proxy_set_header Destination $dest;
%end if %end if
proxy_ssl_trusted_certificate /etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt; proxy_ssl_trusted_certificate /etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt;
proxy_ssl_verify on; proxy_ssl_verify on;
proxy_ssl_verify_depth 2; proxy_ssl_verify_depth 2;
proxy_ssl_session_reuse on; proxy_ssl_session_reuse on;
%set %%maxbody = %%location['revprox_max_body_size_' + family] %set %%maxbody = %%rp_domainname['revprox_max_body_size_' + %%family]
%if %%maxbody %if %%maxbody
client_max_body_size %%maxbody; client_max_body_size %%maxbody;
%end if %end if
set $dest $http_destination; set $dest $http_destination;
index error.html; index error.html;
root /var/www/html; root /var/www/html;
} }
# If user missing '/' # If user missing '/'
%if %%location_str != '/' and %%location_str.endswith('/') %if %%location != '/' and %%location.endswith('/')
location %%location_str[:-1] { location %%location[:-1] {
rewrite ^(%%location_str[:-1])$ $1/ permanent; rewrite ^(%%location[:-1])$ $1/ permanent;
} }
%end if %end if
%end for
%end for
%end for %end for
} }
%end for %end for
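Review bot: `rewrite ^(%%location[:-1])$ $1/ permanent;` interpolates the configured location into a PCRE pattern unescaped while `location %%location {` a few lines above treats the same string as a literal prefix, so a path containing `.`, `+`, `(` or `$` matches differently in the two directives and an unbalanced metacharacter breaks the generated nginx.conf outright. An exact-match location with `return` gives the same trailing-slash redirect without any regex: `location = %%location[:-1] {` / `    return 301 %%location;` / `}`. The rewrite also dropped the old `%%str(%%location)` conversion, so `%%location.endswith('/')` now assumes the leader values are already `str` — worth confirming against rougail's dynamic-family API. The `server {` block spans all three hunks and the outer `%for %%idx, %%domainname` loop opens at the top of the file.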


@ -3,4 +3,3 @@ description: Configuration du serveur faisant autorité NSD
service: true service: true
depends: depends:
- base-fedora-36 - base-fedora-36
provider: LocalDNS


@ -5,9 +5,9 @@
<override/> <override/>
<ip ip_type="variable">nsd_allowed_all_client</ip> <ip ip_type="variable">nsd_allowed_all_client</ip>
<file>/etc/nsd/conf.d/risotto.conf</file> <file>/etc/nsd/conf.d/risotto.conf</file>
<file file_type="variable" source="nsd.zone" variable="nsd_zones_all" included="content">nsd_zone_filenames</file> <file file_type="variable" source="nsd.zone" variable="nsd_zones" included="content">nsd_zone_filenames</file>
<file file_type="variable" source="nsd.signed" variable="nsd_zone_filenames">nsd_zone_filenames_signed</file> <file file_type="variable" source="nsd.signed" variable="nsd_zone_filenames">nsd_zone_filenames_signed</file>
<file file_type="variable" source="nsd.reverse" variable="nsd_reverse_reverse_name" included="content">nsd_reverse_filenames</file> <file file_type="variable" source="nsd.reverse" variable="nsd_reverse_name" included="content">nsd_reverse_filenames</file>
<file file_type="variable" source="nsd.signed" variable="nsd_reverse_filenames">nsd_reverse_filenames_signed</file> <file file_type="variable" source="nsd.signed" variable="nsd_reverse_filenames">nsd_reverse_filenames_signed</file>
<file engine="none" source="sysuser-nsd.conf">/sysusers.d/0nsd.conf</file> <file engine="none" source="sysuser-nsd.conf">/sysusers.d/0nsd.conf</file>
<file engine="none" source="tmpfile-nsd.conf">/tmpfiles.d/0nsd.conf</file> <file engine="none" source="tmpfile-nsd.conf">/tmpfiles.d/0nsd.conf</file>
@ -20,78 +20,59 @@
<variable name="ip_dns" redefine="True" remove_fill="True"/> <variable name="ip_dns" redefine="True" remove_fill="True"/>
</family> </family>
<family name="dns_server" description="Serveur DNS"> <family name="dns_server" description="Serveur DNS">
<variable name="nsd_allowed_client" type="ip" description="Clients" multi="True" mandatory="True" hidden="True" provider="dns"/> <variable name="nsd_allowed_client" type="domainname" description="Clients" multi="True" mandatory="True" hidden="True" provider="LocalDNS"/>
<variable name="nsd_resolver" type="domainname" description="Nom de domaine du résolveur DNS associé"/> <variable name="nsd_allowed_client_ip" type="ip" description="Clients" multi="True" mandatory="True" hidden="True"/>
<variable name="nsd_resolver" type="domainname" description="Nom de domaine du résolveur DNS associé" supplier="ExternalDNS"/>
<variable name="nsd_resolve_ip" type="ip" hidden="True"/> <variable name="nsd_resolve_ip" type="ip" hidden="True"/>
<variable name="nsd_allowed_all_client" type="ip" description="All autorised IP" multi="True" hidden="True"/> <variable name="nsd_allowed_all_client" type="ip" description="All autorised IP" multi="True" hidden="True"/>
</family> </family>
<family name="dns_zone" description="Zone DNS"> <family name="dns_zone" description="Zone DNS">
<variable name="nsd_zones" type="domainname" description="Zones DNS" multi="True"/> <variable name="nsd_zones" type="domainname" description="Zones DNS" multi="True"/>
<variable name="nsd_zones_auto" type="domainname" description="Zones DNS automatique" multi="True" hidden="True"/>
<variable name="nsd_zones_all" type="domainname" description="Toutes les zones DNS" multi="True" hidden="True" mandatory="True"/>
</family> </family>
<family name="dns_reverses" description="Zone DNS reverse" leadership="True"> <family name="dns_reverses" description="Zone DNS reverse" leadership="True">
<variable name="nsd_reverse_network" description="Réseau pour la résolution reverse" type="network_cidr" multi="True"/> <variable name="nsd_reverse_network" description="Réseau pour la résolution reverse" type="network_cidr" multi="True"/>
<variable name="nsd_reverse_reverse_name" description="Nom de la zone" hidden="True"/> <variable name="nsd_reverse_name" description="Nom de la zone" hidden="True"/>
</family> </family>
<variable name="nsd_zones_all" type="domainname" multi="True" supplier="ExternalDNS:authority_zones" hidden="True"/>
<variable name="nsd_zone_filenames" type="filename" description="Nom des fichiers de zone" multi="True" hidden="True"/> <variable name="nsd_zone_filenames" type="filename" description="Nom des fichiers de zone" multi="True" hidden="True"/>
<variable name="nsd_zone_filenames_signed" type="filename" description="Nom des fichiers de zone signé" multi="True" hidden="True"/> <variable name="nsd_zone_filenames_signed" type="filename" description="Nom des fichiers de zone signé" multi="True" hidden="True"/>
<variable name="nsd_reverse_filenames" type="filename" description="Nom des fichiers de zone reverse" multi="True" hidden="True"/> <variable name="nsd_reverse_filenames" type="filename" description="Nom des fichiers de zone reverse" multi="True" hidden="True"/>
<variable name="nsd_reverse_filenames_signed" type="filename" description="Nom des fichiers de zone reverse signé" multi="True" hidden="True"/> <variable name="nsd_reverse_filenames_signed" type="filename" description="Nom des fichiers de zone reverse signé" multi="True" hidden="True"/>
</variables> </variables>
<constraints> <constraints>
<fill name="get_provider_name">
<param type="variable">zone_name_eth0</param>
<param>ExternalDNS</param>
<target>nsd_resolver</target>
</fill>
<fill name="calc_value"> <fill name="calc_value">
<param type="variable">ip_eth0</param> <param type="variable">ip_eth0</param>
<target>ip_dns</target> <target>ip_dns</target>
</fill> </fill>
<fill name="nsd_concat_lists"> <fill name="get_ip">
<param type="variable">ip_eth</param>
<param type="variable">nsd_allowed_client</param> <param type="variable">nsd_allowed_client</param>
<param type="variable">nsd_resolve_ip</param> <target>nsd_allowed_client_ip</target>
<target>nsd_allowed_all_client</target>
</fill>
<fill name="set_linked">
<param name="linked_server" type="variable">nsd_resolver</param>
<param name="linked_provider">authorities</param>
<param name="linked_value" type="variable">domain_name_eth0</param>
<param name="linked_returns">ip</param>
<param name="dynamic">0</param>
<target>nsd_resolve_ip</target>
</fill>
<check name="set_linked_configuration">
<param name="linked_server" type="variable">nsd_resolver</param>
<param name="leader_provider">authorities</param>
<param name="leader_value" type="variable">domain_name_eth0</param>
<param name="linked_provider">authority_zones</param>
<target>nsd_zones_all</target>
</check>
<check name="set_linked_configuration">
<param name="linked_server" type="variable">nsd_resolver</param>
<param name="leader_provider">authorities</param>
<param name="leader_value" type="variable">domain_name_eth0</param>
<param name="linked_provider">authority_zones</param>
<target>nsd_reverse_reverse_name</target>
</check>
<fill name="get_internal_zones">
<target>nsd_zones_auto</target>
</fill> </fill>
<fill name="nsd_concat_lists"> <fill name="nsd_concat_lists">
<param type="variable">nsd_zones</param> <param type="variable">nsd_zones</param>
<param type="variable">nsd_zones_auto</param> <param type="variable">nsd_reverse_name</param>
<target>nsd_zones_all</target> <target>nsd_zones_all</target>
</fill> </fill>
<fill name="nsd_concat_lists">
<param type="variable">ip_eth</param>
<param type="variable">nsd_allowed_client_ip</param>
<param type="variable">nsd_resolve_ip</param>
<target>nsd_allowed_all_client</target>
</fill>
<fill name="get_ip">
<param type="variable">nsd_resolver</param>
<target>nsd_resolve_ip</target>
</fill>
<fill name="get_internal_zones">
<target>nsd_zones</target>
</fill>
<fill name="get_reverse_name"> <fill name="get_reverse_name">
<param type="variable">nsd_reverse_network</param> <param type="variable">nsd_reverse_network</param>
<target>nsd_reverse_reverse_name</target> <target>nsd_reverse_name</target>
</fill> </fill>
<fill name="calc_value"> <fill name="calc_value">
<param>/etc/nsd/</param> <param>/etc/nsd/</param>
<param type="variable">nsd_zones_all</param> <param type="variable">nsd_zones</param>
<param>.zone</param> <param>.zone</param>
<param name="join"></param> <param name="join"></param>
<param name="multi" type="boolean">True</param> <param name="multi" type="boolean">True</param>
@ -106,7 +87,7 @@
</fill> </fill>
<fill name="calc_value"> <fill name="calc_value">
<param>/etc/nsd/</param> <param>/etc/nsd/</param>
<param type="variable">nsd_reverse_reverse_name</param> <param type="variable">nsd_reverse_name</param>
<param>reverse</param> <param>reverse</param>
<param name="join"></param> <param name="join"></param>
<param name="multi" type="boolean">True</param> <param name="multi" type="boolean">True</param>
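Review bot: The new top-level `nsd_zones_all` is the only variable in this file without a `description`, and its meaning changed: it is now the concatenation of `nsd_zones` and `nsd_reverse_name` via `nsd_concat_lists`, while `nsd_zone_filenames` is computed from `nsd_zones` alone, so a reader of the supplier `ExternalDNS:authority_zones` needs that spelled out — `description="Toutes les zones DNS (directes et reverse)"`. Separately, `nsd_allowed_all_client` feeds the `<ip>` access rule at the top of the file and is now built from `get_ip` resolutions of domain names (`nsd_allowed_client_ip`, `nsd_resolve_ip`) rather than from IPs exchanged with the resolver: if `get_ip` can yield `None` for an unresolvable name, the `nsd_concat_lists` helper in this commit carries it into the list for the client entries but silently drops it for the resolver (`if str1:`), so the authoritative server's ACL quietly loses or gains members with no error. A `mandatory="True"` on `nsd_resolve_ip`, or a check that every resolved entry is an IP, would make that failure visible at configuration time.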


@ -1,8 +1,7 @@
<?xml version='1.0' encoding='UTF-8'?> <?xml version='1.0' encoding='UTF-8'?>
<rougail version="0.10"> <rougail version="0.10">
<variables> <variables>
<family name="nsd_zone_" description="Zone " dynamic="nsd_zones_all"> <family name="nsd_zone_" description="Zone " dynamic="nsd_zones" hidden="True">
<variable name="is_auto_" description="Le domaine est automatique " type="boolean" hidden="True"/>
<family name="hostname_" description="Nom d'hôte pour " leadership="True"> <family name="hostname_" description="Nom d'hôte pour " leadership="True">
<variable name="hostname_" description="Nom d'hôte pour " type="hostname" multi="True" mandatory="True"/> <variable name="hostname_" description="Nom d'hôte pour " type="hostname" multi="True" mandatory="True"/>
<variable name="type_" description="Type pour " type="choice"> <variable name="type_" description="Type pour " type="choice">
@ -16,20 +15,13 @@
</family> </family>
</variables> </variables>
<constraints> <constraints>
<fill name="value_in">
<param type="suffix"/>
<param type="variable">nsd_zones_auto</param>
<target>nsd.nsd_zone_.is_auto_</target>
</fill>
<fill name="get_internal_info_in_zone"> <fill name="get_internal_info_in_zone">
<param type="suffix"/> <param type="suffix"/>
<param type="variable">nsd.nsd_zone_.is_auto_</param>
<param>host</param> <param>host</param>
<target>nsd.nsd_zone_.hostname_.hostname_</target> <target>nsd.nsd_zone_.hostname_.hostname_</target>
</fill> </fill>
<fill name="get_internal_info_in_zone"> <fill name="get_internal_info_in_zone">
<param type="suffix"/> <param type="suffix"/>
<param type="variable">nsd.nsd_zone_.is_auto_</param>
<param>ip</param> <param>ip</param>
<param type="index"/> <param type="index"/>
<target>nsd.nsd_zone_.hostname_.ip_</target> <target>nsd.nsd_zone_.hostname_.ip_</target>
@ -42,9 +34,5 @@
<param>CNAME</param> <param>CNAME</param>
<target type="variable">nsd.nsd_zone_.hostname_.ip_</target> <target type="variable">nsd.nsd_zone_.hostname_.ip_</target>
</condition> </condition>
<condition name="hidden_if_in" source="nsd.nsd_zone_.is_auto_">
<param type="boolean">True</param>
<target type="family">nsd.nsd_zone_.hostname_</target>
</condition>
</constraints> </constraints>
</rougail> </rougail>


@ -8,6 +8,8 @@ from shutil import rmtree as _rmtree, copy2 as _copy2
from glob import glob as _glob from glob import glob as _glob
from filecmp import cmp as _cmp from filecmp import cmp as _cmp
from risotto.utils import DOMAINS as _DOMAINS
_PKI_DIR = _abspath('pki/dnssec') _PKI_DIR = _abspath('pki/dnssec')
_ALGO = 'ECDSAP256SHA256' _ALGO = 'ECDSAP256SHA256'
@ -32,9 +34,11 @@ def nsd_concat_lists(list1: _List[str],
list2: _List[str], list2: _List[str],
str1: str=None, str1: str=None,
) -> _List[str]: ) -> _List[str]:
ret = list1 + list2 ret = set(list1 + list2)
if str1: if str1:
ret.append(str1) ret.add(str1)
ret = list(ret)
ret.sort()
return ret return ret
@ -117,3 +121,14 @@ def sign(zone_filename: str,
with open(signed_filename) as fh: with open(signed_filename) as fh:
content = fh.read().strip() content = fh.read().strip()
return content return content
def get_internal_info_in_zone(zone: str,
type: str,
index: int=None,
) -> _List[str]:
if zone not in _DOMAINS:
return []
if type == 'host':
return list(_DOMAINS[zone][0])
return _DOMAINS[zone][1][index]
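Review bot: `get_internal_info_in_zone` returns `[]` for an unknown zone regardless of `type`, but the `ip` callers in the zone XML pass `<param type="index"/>` and presumably expect one value per leader position, so the not-found path hands a list where a scalar is expected; `index` is also left unchecked (a `None` index raises a bare `TypeError` from the subscript) and `type` shadows the builtin. The XML fills pass every argument positionally, so renaming the parameter is safe. A docstring is missing too: it should say that `_DOMAINS[zone]` is read as `(hostnames, ips)` with `ips` indexed by leader position — that is what the subscripts imply, but it should be confirmed against `risotto.utils`.

```python
def get_internal_info_in_zone(zone: str,
                              info: str,
                              index: int=None,
                              ) -> _List[str]:
    """Return the auto-generated records of *zone* from risotto's internal DOMAINS.

    info == 'host' returns every hostname of the zone; any other value returns
    the IP entry of the host at leader position *index*.  Unknown zones yield
    an empty list for hosts and None for an IP so the follower stays unset.
    """
    if zone not in _DOMAINS:
        return [] if info == 'host' else None
    if info == 'host':
        return list(_DOMAINS[zone][0])
    if index is None:
        raise ValueError('index is required when requesting an IP')
    # presumably _DOMAINS[zone][1] is ordered like the hostnames — confirm in risotto.utils
    return _DOMAINS[zone][1][index]
```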


@ -1,6 +1,6 @@
%set %%name = None %set %%name = None
%set %%network = %%ip_network(%%nsd_reverse_network[%%rougail_index]) %set %%network = %%ip_network(%%nsd_reverse_network[%%rougail_index])
%for %%zone in %%nsd_zones_all %for %%zone in %%nsd_zones
%set %%suffix = %%normalize_family(%%zone) %set %%suffix = %%normalize_family(%%zone)
%set %%hostnames = %%nsd["nsd_zone_" + %%suffix]["hostname_" + %%suffix]["hostname_" + %%suffix] %set %%hostnames = %%nsd["nsd_zone_" + %%suffix]["hostname_" + %%suffix]["hostname_" + %%suffix]
%for %%hostname in %%hostnames %for %%hostname in %%hostnames


@ -1,6 +1,6 @@
address: '%%ip_eth0' address: '%%ip_eth0'
records: records:
%for %%domain in %%nsd_zones_all %for %%domain in %%nsd_zones
%set %%suffix = %%normalize_family(%%domain) %set %%suffix = %%normalize_family(%%domain)
%set %%hostnames = %%nsd["nsd_zone_" + %%suffix]["hostname_" + %%suffix]["hostname_" + %%suffix] %set %%hostnames = %%nsd["nsd_zone_" + %%suffix]["hostname_" + %%suffix]["hostname_" + %%suffix]
%for %%nsd in %%hostnames %for %%nsd in %%hostnames


@ -10,7 +10,7 @@ server:
remote-control: remote-control:
control-enable: no control-enable: no
%for %%zone in %%nsd_zones_all %for %%zone in %%nsd_zones
zone: zone:
name: "%%zone" name: "%%zone"
@ -19,6 +19,6 @@ zone:
%for %%reverse in %%nsd_reverse_network %for %%reverse in %%nsd_reverse_network
zone: zone:
name: "%%reverse.nsd_reverse_reverse_name" name: "%%reverse.nsd_reverse_name"
zonefile: "%%{reverse.nsd_reverse_reverse_name}reverse.signed" zonefile: "%%{reverse.nsd_reverse_name}reverse.signed"
%end for %end for


@ -2,41 +2,37 @@
<rougail version="0.10"> <rougail version="0.10">
<variables> <variables>
<family name="oauth2_client" description="OAuth2 client"> <family name="oauth2_client" description="OAuth2 client">
<variable name="oauth2_client_server_domainname" type="domainname" description="OAuth2 server domain name" mandatory='True'/> <variable name="oauth2_client_server_domainname" type="domainname" description="OAuth2 server domain name" mandatory='True' supplier="OAuth2"/>
<variable name="oauth2_is_client_application" type="boolean" description="OAuth2 client is an application" mandatory='True'> <variable name="oauth2_is_client_application" type="boolean" description="OAuth2 client is an application" mandatory='True'>
<value>False</value> <value>False</value>
</variable> </variable>
<variable name="oauth2_client_name" description="OAuth2 client name" mandatory='True'/> <variable name="oauth2_client_name" description="OAuth2 client name" mandatory='True' supplier="OAuth2:name"/>
<variable name="oauth2_client_description" description="OAuth2 client description" mandatory='True'/> <variable name="oauth2_client_description" description="OAuth2 client description" mandatory='True' supplier="OAuth2:description"/>
<variable name="oauth2_client_login" type="web_address" description="OAuth2 URL to valid login"/> <variable name="oauth2_client_login" type="web_address" description="OAuth2 URL to valid login" supplier="OAuth2:login"/>
<family name="external"> <family name="external">
<variable name="oauth2_client_external" type="web_address" description="OAuth2 client external" mandatory='True' multi="True"/> <variable name="oauth2_client_external" type="web_address" description="OAuth2 client external" mandatory='True' multi="True" supplier="OAuth2:external"/>
<variable name="oauth2_client_family" description="OAuth2 family"> <variable name="oauth2_client_family" description="OAuth2 family" supplier="OAuth2:family">
<value>users</value> <value>users</value>
</variable> </variable>
</family> </family>
<variable name="oauth2_client_category" description="OAuth2 category" mandatory='True'> <variable name="oauth2_client_category" description="OAuth2 category" mandatory='True' supplier="OAuth2:category">
<value>Défaut</value> <value>Défaut</value>
</variable> </variable>
<variable name="oauth2_client_logo" description="OAuth2 logo" mandatory='True'> <variable name="oauth2_client_logo" description="OAuth2 logo" mandatory='True' supplier="OAuth2:logo">
<value>demo.png</value> <value>demo.png</value>
</variable> </variable>
<variable name="oauth2_client_id" description="OAuth2 ID" mandatory='True' hidden='True'/> <variable name="oauth2_client_id" description="OAuth2 ID" mandatory='True' hidden='True'/>
<variable name="oauth2_client_secret" type="password" description="OAuth2 secret" mandatory='True' hidden='True'/> <variable name="oauth2_client_secret" type="password" description="OAuth2 secret" mandatory='True' hidden='True' supplier="OAuth2:secret"/>
<variable name="oauth2_client_token_signature_algo" type="choice" description="OAuth2 token signature algorithm" mandatory='True' hidden='True'> <variable name="oauth2_client_token_signature_algo" type="choice" description="OAuth2 token signature algorithm" mandatory='True' hidden='True' supplier="OAuth2:token_signature_algo">
<value>HS512</value> <value>HS512</value>
<choice>HS512</choice> <choice>HS512</choice>
<choice>RS256</choice> <choice>RS256</choice>
</variable> </variable>
<variable name="oauth2_server_domainname" type="domainname" description="OAuth2 server domain name" mandatory='True' hidden='True'/> <variable name="oauth2_clients" description="Remote clients" type="domainname" multi="True" provider="OAuth2Client"/>
<variable name="oauth2_server_domainname" type="domainname" description="OAuth2 server domain name" mandatory='True' provider="OAuth2Client:external_domain"/>
</family> </family>
</variables> </variables>
<constraints> <constraints>
<fill name="get_provider_name">
<param type="variable">zone_name_eth0</param>
<param>OAuth2</param>
<target>oauth2_client_server_domainname</target>
</fill>
<fill name="normalize_family"> <fill name="normalize_family">
<param type="variable">domain_name_eth0</param> <param type="variable">domain_name_eth0</param>
<target>oauth2_client_id</target> <target>oauth2_client_id</target>
@ -49,32 +45,6 @@
<param name="hide" type="variable">hide_secret</param> <param name="hide" type="variable">hide_secret</param>
<target>oauth2_client_secret</target> <target>oauth2_client_secret</target>
</fill> </fill>
<fill name="set_linked_multi_variables">
<param type="variable">oauth2_client_server_domainname</param>
<param name="linked_value_0" type="variable">domain_name_eth0</param>
<param name="linked_provider_0">oauth2</param>
<param name="linked_value_1" type="variable">oauth2_client_secret</param>
<param name="linked_provider_1">oauth2_secret</param>
<param name="linked_value_2" type="variable" propertyerror="False">oauth2_client_name</param>
<param name="linked_provider_2">oauth2_name</param>
<param name="linked_value_3" type="variable" propertyerror="False">oauth2_client_description</param>
<param name="linked_provider_3">oauth2_description</param>
<param name="linked_value_4" type="variable" propertyerror="False">oauth2_client_external</param>
<param name="linked_provider_4">oauth2_external</param>
<param name="linked_value_5" type="variable" propertyerror="False">oauth2_client_family</param>
<param name="linked_provider_5">oauth2_family</param>
<param name="linked_value_6" type="variable">oauth2_client_category</param>
<param name="linked_provider_6">oauth2_category</param>
<param name="linked_value_7" type="variable">oauth2_client_logo</param>
<param name="linked_provider_7">oauth2_logo</param>
<param name="linked_value_8" type="variable">oauth2_client_login</param>
<param name="linked_provider_8">oauth2_login</param>
<param name="allow_none_8" type="boolean">True</param>
<param name="linked_value_9" type="variable">oauth2_client_token_signature_algo</param>
<param name="linked_provider_9">oauth2_token_signature_algo</param>
<param name="linked_returns">external_domainname</param>
<target>oauth2_server_domainname</target>
</fill>
<fill name="calc_oauth2_client_external"> <fill name="calc_oauth2_client_external">
<param type="variable" optional="True">revprox_client_external_domainnames</param> <param type="variable" optional="True">revprox_client_external_domainnames</param>
<param type="variable" optional="True">revprox_client_location</param> <param type="variable" optional="True">revprox_client_location</param>
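Review bot: `oauth2_server_domainname` loses `hidden="True"` but keeps the exact description of `oauth2_client_server_domainname` at the top of the family (`OAuth2 server domain name`), so the form now shows two identically-labelled mandatory domain fields with different roles — one carries `supplier="OAuth2"`, the other `provider="OAuth2Client:external_domain"`. Give it a distinct label, e.g. `description="OAuth2 server external domain name"`, and since the removed `set_linked_multi_variables` fill was what used to populate it, confirm the provider mechanism actually sets it or every client will fail mandatory validation. The new `oauth2_clients` variable is the only one in the family with neither `hidden` nor `mandatory`; if it is meant to be filled by the provider only, `hidden="True"` would keep it out of the operator form like the other derived values.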


@ -4,6 +4,8 @@ from risotto.utils import multi_function as _multi_function
@_multi_function @_multi_function
def calc_oauth2_client_external(external, location, *extras): def calc_oauth2_client_external(external, location, *extras):
if not external or not location or None in extras: if not external or not location or None in extras:
if isinstance(external, list):
return []
return return
if isinstance(external, list): if isinstance(external, list):
return [f'https://{exter}{location[0]}' + ''.join(extras) for exter in external] return [f'https://{exter}{location[0]}' + ''.join(extras) for exter in external]
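Review bot: The new early return repeats the `isinstance(external, list)` test that the very next statement performs again, and it makes the multi case answer `[]` while the scalar case still answers `None`; computing `multi = isinstance(external, list)` once before the guard and writing `return [] if multi else None` keeps a single decision point and lets the later branch read `if multi:`. Whether `[]` actually satisfies the `mandatory` multi variable this function fills, or just turns a `None`-related error into an empty-list one, is not visible here and deserves a one-line comment. The scalar branch at the end of the function lies outside this hunk.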


@ -3,4 +3,3 @@ description: OpenLDAP server
depends: depends:
- ldap-client-fedora - ldap-client-fedora
- base-fedora-36 - base-fedora-36
provider: LDAP


@ -14,7 +14,7 @@
<file>/secrets/admin_ldap.pwd</file> <file>/secrets/admin_ldap.pwd</file>
<file engine="none">/sysusers.d/risotto-openldap.conf</file> <file engine="none">/sysusers.d/risotto-openldap.conf</file>
<file source="tmpfile-openldap-server.conf">/tmpfiles.d/0openldap-server.conf</file> <file source="tmpfile-openldap-server.conf">/tmpfiles.d/0openldap-server.conf</file>
<file>/tests/openldap.yml</file> <file>/tests/openldap.yml</file>
</service> </service>
</services> </services>
@ -76,10 +76,9 @@
<variable name='ldapclient_user' redefine="True"/> <variable name='ldapclient_user' redefine="True"/>
<!--variable name='ldapclient_user_password' redefine="True"/--> <!--variable name='ldapclient_user_password' redefine="True"/-->
<variable name='ldapclient_family' redefine="True" disabled="True"/> <variable name='ldapclient_family' redefine="True" disabled="True"/>
<variable name='ldapclient_base_dn' redefine="True" mandatory="True" provider="ldap_dn" description="Base DN"/> <variable name='ldapclient_base_dn' redefine="True" mandatory="True" description="Base DN"/>
<variable name='ldap_account_dn' type='string' description="Base DN de l'annuaire des utilisateurs" mandatory="True"/> <variable name='ldap_account_dn' type='string' description="Base DN de l'annuaire des utilisateurs" mandatory="True"/>
<variable name='ldap_user_dn' type='string' description="Base DN de l'annuaire des utilisateurs n'appartenant à une famille" mandatory="True"/> <variable name='ldapclient_search_dn' redefine="True"/>
<variable name='ldap_group_dn' type='string' description="Base DN de l'annuaire des groupes" mandatory="True" provider="ldap_group"/>
</family> </family>
</family> </family>
</variables> </variables>
@ -89,29 +88,20 @@
<param type='variable'>domain_name_eth0</param> <param type='variable'>domain_name_eth0</param>
<target>ldap_server_address</target> <target>ldap_server_address</target>
</fill> </fill>
<fill name='get_default_base_dn'>
<param type="variable">domain_name_eth0</param>
<target>ldapclient_base_dn</target>
</fill>
<fill name="calc_ldapclient_base_dn"> <fill name="calc_ldapclient_base_dn">
<param type="variable">ldapclient_base_dn</param> <param type="variable">ldapclient_base_dn</param>
<param name="base" type="boolean">True</param> <param name="base" type="boolean">True</param>
<target>ldap_account_dn</target> <target>ldap_account_dn</target>
</fill> </fill>
<fill name="calc_ldapclient_base_dn">
<param type="variable">ldapclient_base_dn</param>
<param name="group" type="boolean">True</param>
<target>ldap_group_dn</target>
</fill>
<fill name="calc_ldapclient_base_dn">
<param type="variable">ldapclient_base_dn</param>
<target>ldap_user_dn</target>
</fill>
<fill name='calc_value'> <fill name='calc_value'>
<param>cn=admin</param> <param>cn=admin</param>
<param type='variable'>ldapclient_base_dn</param> <param type='variable'>ldapclient_base_dn</param>
<param name="join">,</param> <param name="join">,</param>
<target>ldapclient_user</target> <target>ldapclient_user</target>
</fill> </fill>
<fill name='calc_value'>
<param type="variable">ldapclient_base_dn</param>
<target>ldapclient_search_dn</target>
</fill>
</constraints> </constraints>
</rougail> </rougail>
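Review bot: The last new fill copies `ldapclient_base_dn` into `ldapclient_search_dn`, so every client bound through this profile searches from the directory root — which also covers the `cn=admin` entry built by the `calc_value` fill just above and the remote service accounts that used to be created as `cn=<name>,<base>`; if lookups are meant for users only, scope the search base to the users subtree instead: `<param type="variable">ldap_account_dn</param>`. `ldapclient_base_dn` also lost both its default (the removed `get_default_base_dn` fill) and its `provider="ldap_dn"` and is now a bare mandatory input, so a `help` attribute describing the expected form (`ou=…,o=domain,o=tld`, which is what the removed helper generated) would spare operators a guess. The enclosing `<family>` opens before this hunk.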


@ -1,13 +1,12 @@
<?xml version='1.0' encoding='UTF-8'?> <?xml version='1.0' encoding='UTF-8'?>
<rougail version="0.10"> <rougail version="0.10">
<variables> <variables>
<variable name="remotes" description="Serveurs distant ayant un compte" type="domainname" multi="True" provider="clients"/> <variable name="remotes" description="Serveurs distant ayant un compte" type="domainname" multi="True" provider="LDAP"/>
<family name="remote_" description="Compte LDAP pour " dynamic="accounts.remotes"> <family name="remote_" description="Compte LDAP pour " dynamic="accounts.remotes">
<variable name="family_" description="Nom de la familly de " hidden="True" provider="client_family"/> <variable name="family_" description="Nom de la familly de " hidden="True" provider="LDAP:family"/>
<variable name="dn_" description="LDAP DN de " hidden="True" provider="dn"/> <variable name="dn_" description="LDAP DN de " hidden="True" provider="LDAP:dn"/>
<variable name="password_" description="Mot de passe de " hidden="True" provider="client_password"/> <variable name="password_" description="Mot de passe de " hidden="True" provider="LDAP:password"/>
<variable name="base_dn_" description="LDAP base DN de " hidden="True" provider="base_dn"/> <variable name="base_dn_" description="LDAP base DN de " hidden="True" provider="LDAP:base_dn"/>
<variable name="read_only_" description="Le compte est en lecture seule de " type="boolean"/>
</family> </family>
<family name="users" description="Gestion des utilisateurs" leadership="True"> <family name="users" description="Gestion des utilisateurs" leadership="True">
<variable name='ldap_user_mail' type="mail" description="Adresse courriel du compte" multi="True"/> <variable name='ldap_user_mail' type="mail" description="Adresse courriel du compte" multi="True"/>
@ -30,19 +29,6 @@
</family> </family>
</variables> </variables>
<constraints> <constraints>
<fill name="calc_ldapclient_base_dn">
<param type="variable">ldapclient_base_dn</param>
<param type="variable">accounts.remote_.family_</param>
<target>accounts.remote_.base_dn_</target>
</fill>
<fill name='calc_value'>
<param>cn=</param>
<param type='suffix'></param>
<param>,</param>
<param type='variable'>ldapclient_base_dn</param>
<param name="join"></param>
<target>accounts.remote_.dn_</target>
</fill>
<fill name="get_password"> <fill name="get_password">
<param name="server_name" type="variable">domain_name_eth0</param> <param name="server_name" type="variable">domain_name_eth0</param>
<param name="username" type='variable'>accounts.users.ldap_user_mail</param> <param name="username" type='variable'>accounts.users.ldap_user_mail</param>
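Review bot: With the `calc_ldapclient_base_dn` and `calc_value` fills removed in the second hunk, `dn_` and `base_dn_` of each remote account are now taken as-is from the `LDAP:dn` / `LDAP:base_dn` provider, and nothing left in this file ties them to `ldapclient_base_dn`; since these DNs feed the slapd `olcAccess` rules in the template changed later in this commit, a provider value outside the local base would presumably grant access to an identity this server never created. A comment on the `remote_` family stating the expectation would help, e.g. `<!-- dn_ and base_dn_ are supplied by the LDAP provider and are expected to lie under ldapclient_base_dn -->`. The `read_only_` variable dropped in the first hunk now survives only as commented-out lines in the slapd template, so its removal is otherwise consistent.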


@ -29,16 +29,3 @@ def ssha_encode(password):
with open(_SSHA_PASSWORD_DIR, 'w') as fh: with open(_SSHA_PASSWORD_DIR, 'w') as fh:
_dump(passwords, fh) _dump(passwords, fh)
return ret return ret
def get_default_base_dn(server_name: str) -> str:
if not server_name or '.' not in server_name:
return None
values = server_name.split('.')
# cannot calculated base dn should be server.domain.tld
# remove 'server' in dn
if len(values) < 3:
return None
domain = ['ou=' + domain for domain in values[1:-2]]
domain.append(f'o={values[-2]},o={values[-1]}')
return ','.join(domain)


@ -11,11 +11,12 @@
%set %%name = %%normalize_family(%%remote) %set %%name = %%normalize_family(%%remote)
%set %%family = %%accounts['remote_' + %%name]['family_' + %%name] %set %%family = %%accounts['remote_' + %%name]['family_' + %%name]
%%groups.append(%%accounts['remote_' + %%name]['dn_' + %%name])%slurp %%groups.append(%%accounts['remote_' + %%name]['dn_' + %%name])%slurp
%if %%accounts['remote_' + %%name]['read_only_' + %%name] %set %%right = 'read'
%set %%right = 'read' # %if %%accounts['remote_' + %%name]['read_only_' + %%name]
%else # %set %%right = 'read'
%set %%right = 'write' # %else
%end if # %set %%right = 'write'
# %end if
%%dns.setdefault(%%family, []).append((%%accounts['remote_' + %%name]['dn_' + %%name], %%right))%slurp %%dns.setdefault(%%family, []).append((%%accounts['remote_' + %%name]['dn_' + %%name], %%right))%slurp
%end for %end for
dn: olcDatabase={2}mdb,cn=config dn: olcDatabase={2}mdb,cn=config
@ -25,7 +26,7 @@ olcAccess: {0}to attrs=userPassword
by self write by self write
by anonymous auth by anonymous auth
by * none by * none
olcAccess: {1}to dn.subtree="%%ldap_group_dn" olcAccess: {1}to dn.subtree="%%ldapclient_group_dn"
%for group in %%groups %for group in %%groups
by dn="%%group" read by dn="%%group" read
%end for %end for
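Review bot: In the first hunk `%set %%right = 'read'` replaces the `read_only_` branch, so every remote DN is appended to `%%dns` with `read` and the former `write` path is unreachable; the five `#`-prefixed lines that follow are dead template code rather than documentation. If read-only for all remotes is the intended policy, delete them and keep a single explanatory comment in the file's `##` style, e.g. `## all remote accounts get read access only (read_only_ was removed from the rougail definition)`; if write access is still needed the branch must come back rather than stay commented. The `%for` loop enclosing these lines starts outside the hunk.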


@ -12,9 +12,9 @@ user_password: %%get_password(server_name='test', username=%%username, descripti
user_family_dn: %%userfamilydn user_family_dn: %%userfamilydn
user_family_password: %%get_password(server_name='test', username=%%username_family, description="test", type="cleartext", hide=%%hide_secret, temporary=True) user_family_password: %%get_password(server_name='test', username=%%username_family, description="test", type="cleartext", hide=%%hide_secret, temporary=True)
base_account_dn: %%ldap_account_dn base_account_dn: %%ldap_account_dn
base_user_dn: %%ldap_user_dn base_user_dn: %%ldapclient_user_dn
base_family_dn: %%familydn base_family_dn: %%familydn
base_group_dn: %%ldap_group_dn base_group_dn: %%ldapclient_group_dn
%for %%idx in %%range(3) %for %%idx in %%range(3)
%set %%name = 'remote_test' + %%str(%%idx) %set %%name = 'remote_test' + %%str(%%idx)
remote%%idx: cn=%%name,%%ldapclient_base_dn remote%%idx: cn=%%name,%%ldapclient_base_dn
@ -24,7 +24,7 @@ users:
%%username: %%userdn %%username: %%userdn
%%username_family: %%userfamilydn %%username_family: %%userfamilydn
%for %%user in %%accounts.users.ldap_user_mail %for %%user in %%accounts.users.ldap_user_mail
%%user: cn=%%user,%%ldap_user_dn %%user: cn=%%user,%%ldapclient_user_dn
%end for %end for
%for %%family in %%accounts.families %for %%family in %%accounts.families
%set %%families = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, %%family) %set %%families = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, %%family)
@ -36,7 +36,7 @@ groups:
users: users:
- %%userdn - %%userdn
%for %%user in %%accounts.users.ldap_user_mail %for %%user in %%accounts.users.ldap_user_mail
- cn=%%user,%%ldap_user_dn - cn=%%user,%%ldapclient_user_dn
%end for %end for
%for %%family in %%accounts.families %for %%family in %%accounts.families
%%family: %%family:


@ -40,7 +40,7 @@ objectClass: top
objectClass: organizationalUnit objectClass: organizationalUnit
## Accounts users ## Accounts users
%set %%users = %%ldap_user_dn %set %%users = %%ldapclient_user_dn
dn: %%users dn: %%users
ou: users ou: users
objectClass: top objectClass: top
@ -129,7 +129,7 @@ objectClass: inetLocalMailRecipient
%end for %end for
## Groups ## Groups
%set %%groupdn = %%ldap_group_dn %set %%groupdn = %%ldapclient_group_dn
dn: %%groupdn dn: %%groupdn
ou: groups ou: groups
objectClass: top objectClass: top


@ -27,7 +27,7 @@ userPassword:: %%ssha_encode(%%password)
%set groups = {'users': [%%userdn], %set groups = {'users': [%%userdn],
%%name_family: [%%userfamilydn], %%name_family: [%%userfamilydn],
} }
%set %%users = %%ldap_user_dn %set %%users = %%ldapclient_user_dn
%for %%user in %%accounts.users.ldap_user_mail %for %%user in %%accounts.users.ldap_user_mail
%set %%userdn = 'cn=' + %%user + ',' + %%users %set %%userdn = 'cn=' + %%user + ',' + %%users
%%groups['users'].append(%%userdn)%slurp %%groups['users'].append(%%userdn)%slurp
@ -57,7 +57,7 @@ mailLocalAddress: %%alias
%end for %end for
# Groups # Groups
%set %%groupdn = %%ldap_group_dn %set %%groupdn = %%ldapclient_group_dn
%for %%group, %%members in %%groups.items() %for %%group, %%members in %%groups.items()
dn: cn=%%group,%%groupdn dn: cn=%%group,%%groupdn
changetype: modify changetype: modify


@ -68,7 +68,7 @@ server {
location @api { location @api {
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host %%revprox_client_external_domainname; proxy_set_header Host %%revprox_client_external_domainnames[0];
# proxy_set_header X-Real-IP $remote_addr; # proxy_set_header X-Real-IP $remote_addr;
client_max_body_size 100k; # default is 1M client_max_body_size 100k; # default is 1M
@ -119,7 +119,7 @@ server {
location @api_websocket { location @api_websocket {
proxy_http_version 1.1; proxy_http_version 1.1;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host %%revprox_client_external_domainname; proxy_set_header Host %%revprox_client_external_domainnames[0];
# proxy_set_header X-Real-IP $remote_addr; # proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header Upgrade $http_upgrade; # proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "upgrade"; # proxy_set_header Connection "upgrade";
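Review bot: `proxy_set_header Host %%revprox_client_external_domainnames[0];` in both hunks pins the upstream Host header to the first entry of what is now a multi-valued variable, so which public name the backend sees is decided implicitly by list order, and an empty list makes the template render fail at `[0]` rather than at a clearly named place. The same `[0]` indexing is used for `hostname` in the PeerTube configuration section that follows. A line comment documenting the convention, e.g. `# first external name is the canonical public hostname`, or a dedicated single-valued variable for it, would make the choice explicit.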


@ -8,7 +8,7 @@ listen:
# Correspond to your reverse proxy server_name/listen configuration (i.e., your public PeerTube instance URL) # Correspond to your reverse proxy server_name/listen configuration (i.e., your public PeerTube instance URL)
webserver: webserver:
https: true https: true
hostname: '%%revprox_client_external_domainname' hostname: '%%revprox_client_external_domainnames[0]'
port: 443 port: 443
rates_limit: rates_limit:


@ -5,7 +5,7 @@
<file source="tmpfile-piwigo.conf">/tmpfiles.d/0piwigo.conf</file> <file source="tmpfile-piwigo.conf">/tmpfiles.d/0piwigo.conf</file>
<file>/etc/piwigo/config.inc.php</file> <file>/etc/piwigo/config.inc.php</file>
<file>/etc/piwigo/database.inc.php</file> <file>/etc/piwigo/database.inc.php</file>
<file mode="755">/bin/piwigo.sh</file> <file mode="755">/sbin/piwigo.sh</file>
<file engine="none">/etc/php-fpm.d/piwigo.conf</file> <file engine="none">/etc/php-fpm.d/piwigo.conf</file>
</service> </service>
</services> </services>


@ -5,7 +5,7 @@ Before=nginx.service php-fpm.service
[Service] [Service]
Type=oneshot Type=oneshot
ExecStart=/usr/local/lib/bin/piwigo.sh ExecStart=/usr/local/lib/sbin/piwigo.sh
User=nginx User=nginx
Group=nginx Group=nginx


@ -0,0 +1,2 @@
format: '0.1'
description: Postfix as LMTP relay


@ -1,9 +1,9 @@
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10"> <rougail version="0.10">
<variables> <variables>
<variable name="server_lmtp" description="LMTP remote server" type="domainname" provider="lmtp_server" multi="True"/> <variable name="server_lmtp" description="LMTP remote server" type="domainname" provider="LMTP" multi="True"/>
<family name="lmtp_" description="LMTP " dynamic="lmtp.server_lmtp"> <family name="lmtp_" description="LMTP " dynamic="lmtp.server_lmtp">
<variable name="criteria_" description="transport criteria" type="string" multi="True" mandatory="True" hidden="True" provider="lmtp_criteria"/> <variable name="criteria_" description="transport criteria" type="string" multi="True" mandatory="True" hidden="True" provider="LMTP:criteria"/>
</family> </family>
</variables> </variables>
<constraints> <constraints>


@ -49,3 +49,9 @@ postconf maillog_file=/dev/stdout
https://www.mail-tester.com/ https://www.mail-tester.com/
https://dkimvalidator.com/ https://dkimvalidator.com/
# debug mail :
journalctl -m -u postfix -g address mail
# get date
journalctl -m -u postfix --since "2022-07-31 23:14:04"


@ -1,6 +1,6 @@
format: '0.1' format: '0.1'
description: Postfix has relay description: Postfix as relay
depends: depends:
- base-fedora-35 - base-fedora-35
- dns-external - dns-external
provider: SMTP - postfix-lmtp-relay


@ -43,10 +43,9 @@
<family name="postfix" description="Postfix mail server"> <family name="postfix" description="Postfix mail server">
<variable name="postfix_mail_hostname" type="domainname" description="Nom de domaine extérieur du serveur de courriel" mandatory="True"/> <variable name="postfix_mail_hostname" type="domainname" description="Nom de domaine extérieur du serveur de courriel" mandatory="True"/>
<variable name="postfix_relay_domains" type="domainname" description="Domaine de courriel généré localement" multi="True" mandatory="True" hidden="True"/> <variable name="postfix_relay_domains" type="domainname" description="Domaine de courriel généré localement" multi="True" mandatory="True" hidden="True"/>
<variable name='postfix_relay_authentifications' description="CA certificate" hidden='True' multi="True" provider="mail"/> <variable name='postfix_relay_authentifications' description="Authentification sur le relai SMTP" multi="True" provider="SMTP"/>
<family name="local_authentification_" description="Local server authentification" dynamic='postfix_relay_authentifications'> <family name="local_authentification_" description="Local server authentification" dynamic='postfix_relay_authentifications'>
<variable name="local_authentification_ip_" type="ip" provider="mail_ip"/> <variable name="local_authentification_password_" type="secret" auto_save="False" provider="SMTP:password"/>
<variable name="local_authentification_password_" type="secret" auto_save="False" provider="mail_password"/>
</family> </family>
<variable name='postfix_pem_files' type="filename" hidden='True' multi='True'/> <variable name='postfix_pem_files' type="filename" hidden='True' multi='True'/>
</family> </family>
@ -63,14 +62,6 @@
<param name="multi" type="boolean">True</param> <param name="multi" type="boolean">True</param>
<target>opendkim_keys</target> <target>opendkim_keys</target>
</fill> </fill>
<fill name="get_password">
<param name="server_name" type="variable">domain_name_eth0</param>
<param name="username" type="suffix"/>
<param name="description">local authentification</param>
<param name="type">cleartext</param>
<param name="hide" type="variable">hide_secret</param>
<target>local_authentification_password_</target>
</fill>
<fill name="calc_value"> <fill name="calc_value">
<param>/etc/postfix/certs/</param> <param>/etc/postfix/certs/</param>
<param type="variable">domain_name_eth</param> <param type="variable">domain_name_eth</param>
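Review bot: The new `local_authentification_password_` declaration in the first hunk carries neither `mandatory="True"` nor `hidden="True"`, unlike the provider-fed `password_` variables added to the PostgreSQL and Redis account files in this commit, while the `get_password` fill removed in the second hunk previously guaranteed a value and hid it behind `hide_secret`. Since `postfix_relay_authentifications` itself is no longer hidden, an entry added without a password would presumably reach the `saslpasswd2` line of the systemd unit template with an empty secret. Suggested: `<variable name="local_authentification_password_" type="secret" auto_save="False" hidden="True" mandatory="True" provider="SMTP:password"/>`.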


@ -318,7 +318,7 @@ smtpd_recipient_restrictions =
#mynetworks = 168.100.3.0/28, 127.0.0.0/8 #mynetworks = 168.100.3.0/28, 127.0.0.0/8
#mynetworks = $config_directory/mynetworks #mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table #mynetworks = hash:/etc/postfix/network_table
mynetworks = 172.0.0.0/8 mynetworks = 127.0.0.0/8
# The relay_domains parameter restricts what destinations this system will # The relay_domains parameter restricts what destinations this system will
# relay mail to. See the smtpd_recipient_restrictions description in # relay mail to. See the smtpd_recipient_restrictions description in
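Review bot: `mynetworks = 127.0.0.0/8` narrows unauthenticated relay trust from the whole 172/8 to loopback, which is the right direction, but the commented examples around it still suggest wider networks and nothing states why loopback alone is sufficient. A short comment above the line, e.g. `# only loopback may relay without authentication; other clients use the SASL accounts provisioned in the unit file`, would keep the next maintainer from widening it again.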


@ -4,7 +4,7 @@ ExecStartPre=/usr/sbin/postmap -F /etc/postfix/sni
%for %%local in %%postfix_relay_authentifications %for %%local in %%postfix_relay_authentifications
%set %%user = %%normalize_family(%%local) %set %%user = %%normalize_family(%%local)
%set %%password = %%getVar('local_authentification_password_' + %%user) %set %%password = %%getVar('local_authentification_password_' + %%user)
%set %%ip = %%getVar('local_authentification_ip_' + %%user) %set %%ip = %%get_ip(%%local)
ExecStartPre=-/usr/bin/bash -c "echo %%password | /usr/sbin/saslpasswd2 -u %%ip %%user -p" ExecStartPre=-/usr/bin/bash -c "echo %%password | /usr/sbin/saslpasswd2 -u %%ip %%user -p"
%end for %end for
ExecStartPre=/usr/bin/chown postfix: /etc/sasl2/sasldb2 ExecStartPre=/usr/bin/chown postfix: /etc/sasl2/sasldb2
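Review bot: `%set %%ip = %%get_ip(%%local)` resolves the SASL realm from the client's name at template-render time instead of reading the stored `local_authentification_ip_`, so a lookup that fails or returns an address other than the one the client actually connects from yields an entry under the wrong realm, and because the following `ExecStartPre=-…` line starts with `-` the failing `saslpasswd2` call is ignored silently. How `get_ip` behaves for a multi-homed or unresolvable name is not visible here and should be confirmed. A comment above the loop naming the assumption, e.g. `## realm must equal the source address the client authenticates from`, would make the coupling explicit.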


@ -10,9 +10,9 @@
</services> </services>
<variables> <variables>
<family name="postgresql" description="PostgreSQL"> <family name="postgresql" description="PostgreSQL">
<variable name="pg_client_server_domainname" type="domainname" description="Nom de domaine du serveur PostgreSQL" mandatory="True"/> <variable name="pg_client_server_domainname" type="domainname" description="Nom de domaine du serveur PostgreSQL" mandatory="True" supplier="Postgresql"/>
<variable name="pg_client_username" description="Client username" mandatory="True" hidden="True"/> <variable name="pg_client_username" description="Client username" mandatory="True" hidden="True"/>
<variable name="pg_client_password" type="password" description="Client password" mandatory="True" hidden="True"/> <variable name="pg_client_password" type="password" description="Client password" mandatory="True" hidden="True" supplier="Postgresql:password"/>
<variable name="pg_client_database" description="Client database" mandatory="True" hidden="True"/> <variable name="pg_client_database" description="Client database" mandatory="True" hidden="True"/>
<variable name="pg_client_key_owner" type="unix_user" description="Key owner" mandatory="True"> <variable name="pg_client_key_owner" type="unix_user" description="Key owner" mandatory="True">
<value>apache</value> <value>apache</value>
@ -24,18 +24,17 @@
<param type="variable">domain_name_eth0</param> <param type="variable">domain_name_eth0</param>
<target>pg_client_username</target> <target>pg_client_username</target>
</fill> </fill>
<fill name="get_provider_name"> <!--fill name="get_provider_name">
<param type="variable">zone_name_eth0</param> <param type="variable">zone_name_eth0</param>
<param>Postgresql</param> <param>Postgresql</param>
<target>pg_client_server_domainname</target> <target>pg_client_server_domainname</target>
</fill> </fill-->
<fill name="set_linked_multi_variables"> <fill name="get_password">
<param type="variable">pg_client_server_domainname</param> <param name="server_name" type="variable">pg_client_server_domainname</param>
<param name="linked_value_0" type="variable">domain_name_eth0</param> <param name="username" type="variable">domain_name_eth0</param>
<param name="linked_provider_0">clients</param> <param name="description">remote</param>
<param name="linked_value_1" type="variable">ip_eth0</param> <param name="type">cleartext</param>
<param name="linked_provider_1">client_ip</param> <param name="hide" type="variable">hide_secret</param>
<param name="linked_returns">client_password</param>
<target>pg_client_password</target> <target>pg_client_password</target>
</fill> </fill>
<fill name="calc_value"> <fill name="calc_value">
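Review bot: The `get_provider_name` fill in the second hunk is commented out with `<!--fill … fill-->` rather than removed, leaving dead configuration that a reader may assume is still in force; the server name now arrives through `supplier="Postgresql"` on `pg_client_server_domainname` in the first hunk. Delete the commented block, or if it is kept on purpose prefix it with `<!-- superseded by supplier="Postgresql"; kept for reference -->`. The replacement `get_password` fill with `type="cleartext"` and `hide` bound to `hide_secret` matches the other client files in this commit.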


@ -1,6 +1,4 @@
format: '0.1' format: '0.1'
description: Postgresql description: Postgresql
depends: depends:
- server
- base-fedora-36 - base-fedora-36
provider: Postgresql


@ -8,7 +8,7 @@
<file>/etc/postgresql/pg_hba.conf</file> <file>/etc/postgresql/pg_hba.conf</file>
<file mode="600" owner="postgres" group="postgres">/etc/postgresql/postgresql.sql</file> <file mode="600" owner="postgres" group="postgres">/etc/postgresql/postgresql.sql</file>
<file engine="none">/etc/postgresql/pg_ident.conf</file> <file engine="none">/etc/postgresql/pg_ident.conf</file>
<file engine="none" mode="755">/bin/postgresql_init</file> <file engine="none" mode="755">/sbin/postgresql_init</file>
<file engine="none" source="sysuser-postgresql.conf">/sysusers.d/0postgresql.conf</file> <file engine="none" source="sysuser-postgresql.conf">/sysusers.d/0postgresql.conf</file>
<file engine="none" source="tmpfiles.postgresql.conf">/tmpfiles.d/0postgresql.conf</file> <file engine="none" source="tmpfiles.postgresql.conf">/tmpfiles.d/0postgresql.conf</file>
<file>/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt</file> <file>/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt</file>


@ -1,20 +1,16 @@
<?xml version='1.0' encoding='UTF-8'?> <?xml version='1.0' encoding='UTF-8'?>
<rougail version="0.10"> <rougail version="0.10">
<variables> <variables>
<variable name="remotes" description="Remote clients needing an account" type="domainname" multi="True" provider="clients"/> <variable name="remotes" description="Remote clients needing an account" type="domainname" multi="True" provider="Postgresql"/>
<family name="remote_" description="Account for " dynamic="accounts.remotes"> <family name="remote_" description="Account for " dynamic="accounts.remotes">
<variable name="password_" description="Remote password" auto_save="False" hidden="True" type="password" mandatory="True" provider="client_password"/> <variable name="remote_ip_" description="Remote IP" type="ip" mandatory="True"/>
<variable name="remote_ip_" description="Remote IP" type="ip" hidden="True" provider="client_ip"/> <variable name="password_" description="Remote password" auto_save="False" hidden="True" type="password" mandatory="True" provider="Postgresql:password"/>
</family> </family>
</variables> </variables>
<constraints> <constraints>
<fill name="get_password"> <fill name="get_ip">
<param name="server_name" type="variable">domain_name_eth0</param> <param type="suffix"/>
<param name="username" type="suffix"/> <target>accounts.remote_.remote_ip_</target>
<param name="description">remote</param>
<param name="type">cleartext</param>
<param name="hide" type="variable">hide_secret</param>
<target>accounts.remote_.password_</target>
</fill> </fill>
</constraints> </constraints>
</rougail> </rougail>
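Review bot: `remote_ip_` is now derived by the `get_ip` fill from the remote's name instead of being a hidden value supplied by the client, and it has lost `hidden="True"`, so it can also be edited by hand; the PostgreSQL service definition in this commit ships `pg_hba.conf`, so presumably this address is what host-based access is granted to. A render-time DNS answer that differs from the address the client connects from, or no answer for a name that is unresolvable at render time, would then silently break or widen access. The Redis account file later in this commit uses the same `get_ip` pattern for `remote_ip`. Please document the expectation on the variable, e.g. `<!-- remote_ip_ is resolved from the remote name at render time; it must be the source address the client connects from -->`.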


@ -5,7 +5,7 @@ Environment=PG_HBA=/etc/postgresql/pg_hba.conf
Environment=PG_IDENT=/etc/postgresql/pg_ident.conf Environment=PG_IDENT=/etc/postgresql/pg_ident.conf
Environment=LC_ALL=fr_FR.UTF-8 Environment=LC_ALL=fr_FR.UTF-8
ExecStartPre= ExecStartPre=
ExecStartPre=+/usr/local/lib/bin/postgresql_init ExecStartPre=+/usr/local/lib/sbin/postgresql_init
# if upgrade needed, do it # if upgrade needed, do it
ExecStartPre=/bin/bash -c '%slurp ExecStartPre=/bin/bash -c '%slurp
/usr/libexec/postgresql-check-db-dir %N || (%slurp /usr/libexec/postgresql-check-db-dir %N || (%slurp


@ -1,7 +1,7 @@
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
<rougail version="0.10"> <rougail version="0.10">
<variables> <variables>
<variable name="host" type="domainname" description="Machine où est démarré le conteneur" mandatory="True"/> <variable name="host" type="domainname" description="Machine où est démarré le conteneur" mandatory="True" supplier="Host"/>
</variables> </variables>
</rougail> </rougail>


@ -13,24 +13,25 @@
<variable name="container_srv_path" type="filename" description="Nom du répertoire racine des données"> <variable name="container_srv_path" type="filename" description="Nom du répertoire racine des données">
<value>/var/lib/risotto/srv</value> <value>/var/lib/risotto/srv</value>
</variable> </variable>
<variable name="srv_dir" description='Nom du répertoire des données' type="filename" hidden="True"/> <variable name="srv_dir" description='Nom du répertoire des données' type="filename" hidden="True" supplier="Host:machine_srv"/>
<variable name="container_config_path" type="filename" description="Nom du répertoire racine des configurations"> <variable name="container_config_path" type="filename" description="Nom du répertoire racine des configurations">
<value>/var/lib/risotto/configurations</value> <value>/var/lib/risotto/configurations</value>
</variable> </variable>
<variable name="config_dir" description='Nom du répertoire des configurations' type="filename" hidden="True" mandatory="True"/> <variable name="config_dir" description='Nom du répertoire des configurations' type="filename" hidden="True" mandatory="True" supplier="Host:config_dir"/>
<variable name="container_journal_path" type="filename" description="Nom du répertoire racine des journaux"> <variable name="container_journal_path" type="filename" description="Nom du répertoire racine des journaux">
<value>/var/lib/risotto/journals</value> <value>/var/lib/risotto/journals</value>
</variable> </variable>
<variable name="journal_dir" description='Nom du répertoire des journaux' type="filename" hidden="True" mandatory="True"/> <variable name="journal_dir" description='Nom du répertoire des journaux' type="filename" hidden="True" mandatory="True" supplier="Host:machine_journal"/>
<variable name="use_systemd_repart" redefine="True"> <variable name="use_systemd_repart" redefine="True">
<value>False</value> <value>False</value>
</variable> </variable>
<family name="network"> <family name="network">
<variable name="incoming_ports" type="port" description="Ports exposés depuis l'extérieur" multi="True"/> <variable name="incoming_ports" type="port" description="Ports exposés depuis l'extérieur" multi="True" supplier="Host:incoming_ports"/>
<variable name="outgoing_ports" type="port" description="Ports autorisés vers l'extérieur" multi="True"/> <variable name="outgoing_ports" type="port" description="Ports autorisés vers l'extérieur" multi="True" supplier="Host:outgoing_ports"/>
<variable name="netwokd_interface_name_type" redefine="True"> <variable name="netwokd_interface_name_type" redefine="True">
<value>host</value> <value>host</value>
</variable> </variable>
<variable name="zones_list" redefine="True" supplier="Host:machine_zones"/>
</family> </family>
</variables> </variables>
<constraints> <constraints>
@ -41,65 +42,24 @@
<fill name="calc_value"> <fill name="calc_value">
<param type="variable">container_srv_path</param> <param type="variable">container_srv_path</param>
<param>/</param> <param>/</param>
<param type="variable">domain_name_eth0</param> <param type="variable">server_name</param>
<param name="join"></param> <param name="join"></param>
<target>srv_dir</target> <target>srv_dir</target>
</fill> </fill>
<fill name="calc_value"> <fill name="calc_value">
<param type="variable">container_journal_path</param> <param type="variable">container_journal_path</param>
<param>/</param> <param>/</param>
<param type="variable">domain_name_eth0</param> <param type="variable">server_name</param>
<param name="join"></param> <param name="join"></param>
<target>journal_dir</target> <target>journal_dir</target>
</fill> </fill>
<fill name="calc_value"> <fill name="calc_value">
<param type="variable">container_config_path</param> <param type="variable">container_config_path</param>
<param>/</param> <param>/</param>
<param type="variable">domain_name_eth0</param> <param type="variable">server_name</param>
<param name="join"></param> <param name="join"></param>
<target>config_dir</target> <target>config_dir</target>
</fill> </fill>
<check name="set_linked">
<param name="linked_provider">machines</param>
<param name="linked_value" type="variable">domain_name_eth0</param>
<target>host</target>
</check>
<check name="set_linked_configuration">
<param name="linked_server" type="variable">host</param>
<param name="linked_provider">incoming_ports</param>
<param name="dynamic" type="variable">domain_name_eth0</param>
<target>incoming_ports</target>
</check>
<check name="set_linked_configuration">
<param name="linked_server" type="variable">host</param>
<param name="linked_provider">outgoing_ports</param>
<param name="dynamic" type="variable">domain_name_eth0</param>
<target>outgoing_ports</target>
</check>
<check name="set_linked_configuration">
<param name="linked_server" type="variable">host</param>
<param name="linked_provider">machine_srv</param>
<param name="dynamic" type="variable">domain_name_eth0</param>
<target>srv_dir</target>
</check>
<check name="set_linked_configuration">
<param name="linked_server" type="variable">host</param>
<param name="linked_provider">machine_journal</param>
<param name="dynamic" type="variable">domain_name_eth0</param>
<target>journal_dir</target>
</check>
<check name="set_linked_configuration">
<param name="linked_server" type="variable">host</param>
<param name="linked_provider">machine_config</param>
<param name="dynamic" type="variable">domain_name_eth0</param>
<target>config_dir</target>
</check>
<check name="set_linked_configuration">
<param name="linked_server" type="variable">host</param>
<param name="linked_provider">machine_zones</param>
<param name="dynamic" type="variable">domain_name_eth0</param>
<target>zones_list</target>
</check>
</constraints> </constraints>
</rougail> </rougail>
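Review bot: The seven `check` elements removed in the second hunk were the only place this file explained how `srv_dir`, `journal_dir`, `config_dir`, `zones_list` and the port lists are bound to the host's values; their replacements in the first hunk are bare `supplier="Host:…"` attributes with no indication that they carry the same validation. A comment on the first `supplier` variable, e.g. `<!-- supplier="Host:…" links this variable to the host's provider of the same name; it replaces the former set_linked_configuration checks -->`, would preserve that intent. Whether the supplier mechanism validates the value as the checks did is not visible here and should be confirmed.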


@ -10,38 +10,26 @@
</services> </services>
<variables> <variables>
<family name="redis" description="Redis"> <family name="redis" description="Redis">
<variable name="redis_client_server_domainname" type="domainname" description="Nom de domaine du serveur" mandatory="True"/> <variable name="redis_client_server_domainname" type="domainname" description="Nom de domaine du serveur" mandatory="True" supplier="Redis"/>
<variable name="redis_client_username" description="Nom d'utilisateur" mandatory="True" hidden="True"/> <variable name="redis_client_username" description="Nom d'utilisateur" mandatory="True"/>
<variable name="redis_client_password" type="password" description="Mot de passe de connexion" mandatory="True" hidden="True"/> <variable name="redis_client_password" type="password" description="Mot de passe de connexion" mandatory="True" supplier="Redis:password"/>
<variable name="redis_client_key_owner" type="unix_user" description="Key owner" mandatory="True"> <variable name="redis_client_key_owner" type="unix_user" description="Key owner" mandatory="True">
<value>apache</value> <value>apache</value>
</variable> </variable>
</family> </family>
</variables> </variables>
<constraints> <constraints>
<fill name="get_provider_name"> <fill name="normalize_family">
<param type="variable">zone_name_eth0</param> <param type="variable">domain_name_eth0</param>
<param>Redis</param>
<target>redis_client_server_domainname</target>
</fill>
<fill name="set_linked">
<param name="linked_server" type="variable">redis_client_server_domainname</param>
<param name="linked_provider">redis_client</param>
<param name="linked_value" type="variable">domain_name_eth0</param>
<target>redis_client_username</target> <target>redis_client_username</target>
</fill> </fill>
<fill name="get_linked_configuration"> <fill name="get_password">
<param name="linked_server" type="variable">redis_client_server_domainname</param> <param name="server_name" type="variable">redis_client_server_domainname</param>
<param name="linked_provider">redis_client_password</param> <param name="username" type="variable">domain_name_eth0</param>
<param name="dynamic" type="variable">redis_client_username</param> <param name="description">redis</param>
<param name="type">cleartext</param>
<param name="hide" type="variable">hide_secret</param>
<target>redis_client_password</target> <target>redis_client_password</target>
</fill> </fill>
<check name="set_linked_configuration">
<param name="linked_server" type="variable">redis_client_server_domainname</param>
<param name="linked_provider">redis_client_ip</param>
<param name="linked_value" type="variable">ip_eth0</param>
<param name="dynamic" type="variable">redis_client_username</param>
<target>redis_client_password</target>
</check>
</constraints> </constraints>
</rougail> </rougail>
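Review bot: `redis_client_username` and `redis_client_password` lose `hidden="True"` in the first hunk although both are still computed by fills (`normalize_family` and `get_password`), whereas the PostgreSQL client (`pg_client_password`) and the SMTP client (`smtp_relay_password`) in this commit keep their computed credentials hidden. Exposing a filled password makes it displayed and editable by default; unless that is intended, restore `<variable name="redis_client_password" type="password" description="Mot de passe de connexion" mandatory="True" hidden="True" supplier="Redis:password"/>` and likewise for the username.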


@ -2,4 +2,3 @@ format: '0.1'
description: Redis description: Redis
depends: depends:
- base-fedora-36 - base-fedora-36
provider: Redis


@ -1,18 +1,14 @@
<?xml version='1.0' encoding='UTF-8'?> <?xml version='1.0' encoding='UTF-8'?>
<rougail version="0.10"> <rougail version="0.10">
<variables> <variables>
<variable name="remote" description="Remote client needing an account" type="domainname" provider="redis_client" mandatory="True"/> <variable name="remote" description="Remote Redis client needing an account" type="domainname" provider="Redis" mandatory="True"/>
<variable name="remote_ip" description="Remote IP" type="ip" provider="redis_client_ip" mandatory="True"/> <variable name="remote_ip" description="Remote IP" type="ip" mandatory="True"/>
<variable name="password" auto_save="False" hidden="True" type="password" mandatory="True" provider="redis_client_password"/> <variable name="password" auto_save="False" hidden="True" type="password" mandatory="True" provider="Redis:password"/>
</variables> </variables>
<constraints> <constraints>
<fill name="get_password"> <fill name="get_ip">
<param name="server_name" type="variable">domain_name_eth0</param> <param type="variable">account.remote</param>
<param name="username" type="variable">account.remote</param> <target>account.remote_ip</target>
<param name="description">redis</param>
<param name="type">cleartext</param>
<param name="hide" type="variable">hide_secret</param>
<target>account.password</target>
</fill> </fill>
</constraints> </constraints>
</rougail> </rougail>


@ -0,0 +1,4 @@
format: '0.1'
description: Client LMTP
depends:
- relay-mail-client


@ -0,0 +1,12 @@
<?xml version='1.0' encoding='UTF-8'?>
<rougail version="0.10">
<variables>
<variable name="lmtp_relay_address" type="domainname" description="Nom de domaine du serveur LMTP" mandatory="True" supplier="LMTP"/>
</variables>
<constraints>
<fill name="calc_value">
<param type="variable" optional="True">smtp_relay_address</param>
<target>lmtp_relay_address</target>
</fill>
</constraints>
</rougail>
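Review bot: `lmtp_relay_address` is `mandatory="True"` yet filled from `smtp_relay_address` with `optional="True"`, so when no explicit LMTP relay is configured the SMTP relay is silently reused as the LMTP destination, and when `smtp_relay_address` is absent the mandatory check fires with no hint of this fallback. A comment on the fill, e.g. `<!-- defaults to the SMTP relay; set explicitly when LMTP delivery goes elsewhere -->`, would make the fallback discoverable. Whether `optional="True"` covers a missing variable, a missing value, or both is not visible here.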


@ -7,35 +7,23 @@
</services> </services>
<variables> <variables>
<family name="smtp" description="Client SMTP"> <family name="smtp" description="Client SMTP">
<variable name="smtp_relay_address" type="domainname" description="Nom de domaine du serveur SMTP" mandatory="True"/> <variable name="smtp_relay_address" type="domainname" description="Nom de domaine du serveur SMTP" mandatory="True" supplier="SMTP"/>
<variable name="smtp_relay_user" type="unix_user" description="Relay username" mandatory="True" hidden="True"/> <variable name="smtp_relay_user" type="unix_user" description="Relay username" mandatory="True" hidden="True"/>
<variable name="smtp_relay_password" type="secret" description="Relay password" mandatory="True" hidden="True"/> <variable name="smtp_relay_password" type="secret" description="Relay password" mandatory="True" hidden="True" supplier="SMTP:password"/>
</family> </family>
</variables> </variables>
<constraints> <constraints>
<fill name="get_provider_name"> <fill name="normalize_family">
<param type="variable">zone_name_eth0</param> <param type="variable">domain_name_eth0</param>
<param>SMTP</param>
<target>smtp_relay_address</target>
</fill>
<fill name="set_linked">
<param name="linked_server" type="variable">smtp_relay_address</param>
<param name="linked_provider">mail</param>
<param name="linked_value" type="variable">domain_name_eth0</param>
<target>smtp_relay_user</target> <target>smtp_relay_user</target>
</fill> </fill>
<fill name="get_linked_configuration"> <fill name="get_password">
<param name="linked_server" type="variable">smtp_relay_address</param> <param name="server_name" type="variable">smtp_relay_address</param>
<param name="linked_provider">mail_password</param> <param name="username" type="variable">domain_name_eth0</param>
<param name="dynamic" type="variable">smtp_relay_user</param> <param name="description">local authentification</param>
<param name="type">cleartext</param>
<param name="hide" type="variable">hide_secret</param>
<target>smtp_relay_password</target> <target>smtp_relay_password</target>
</fill> </fill>
<check name="set_linked_configuration">
<param name="linked_server" type="variable">smtp_relay_address</param>
<param name="linked_provider">mail_ip</param>
<param name="linked_value" type="variable">ip_eth0</param>
<param name="dynamic" type="variable">smtp_relay_user</param>
<target>smtp_relay_password</target>
</check>
</constraints> </constraints>
</rougail> </rougail>
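Review bot: The `check` that previously registered this client's `ip_eth0` with the relay (`set_linked_configuration` on `mail_ip`) is removed and nothing on the new side replaces it, so if the relay still restricts submission by client IP that binding must now come from the server-side template, which this hunk does not show; it is worth confirming rather than assuming. Separately, `smtp_relay_user` is `normalize_family(domain_name_eth0)` while `get_password` is keyed on the raw `domain_name_eth0`, so the account name and the password lookup use two different forms of the same identity; that works only if the relay derives both the same way, and deserves a comment such as `<!-- username is the normalized domain; the password store is keyed on the raw domain_name_eth0 and must match the relay's get_password call -->`. The `description` value `local authentification` looks like a typo, but if that string is part of the password-store key, changing it would rotate the secret, so fix it only together with the relay side.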


@ -8,21 +8,20 @@
</services> </services>
<variables> <variables>
<family name="nginx" description="Reverse proxy"> <family name="nginx" description="Reverse proxy">
<variable name="revprox_client_server_domainname" type="domainname" description="Nom de domaine du serveur mandataire inverse" mandatory='True'/> <variable name="revprox_client_server_domainname" type="domainname" description="Nom de domaine du serveur mandataire inverse" mandatory='True' supplier="ReverseProxy"/>
<variable name="revprox_client_server_ip" type="ip" hidden='True'/> <variable name="revprox_client_server_ip" type="ip" hidden='True'/>
<variable name="revprox_client_external_domainnames" type="domainname" description="Nom de domaine exterieur du serveur" mandatory='True' multi="True"/>
<variable name="revprox_client_external_domainname" type="domainname" provider="external_domainname" hidden="True"/>
<family name="revprox_client" description="Point d'entré des clients" leadership="True"> <family name="revprox_client" description="Point d'entré des clients" leadership="True">
<variable name="revprox_client_location" type="filename" description="Nom de l'arborescence racine du site" mandatory="True" multi="True"> <variable name="revprox_client_external_domainnames" type="domainname" description="Nom de domaine exterieur du serveur" mandatory='True' multi="True" unique="False" supplier="ReverseProxy:external"/>
<variable name="revprox_client_location" type="filename" description="Nom de l'arborescence racine du site" mandatory="True" supplier="ReverseProxy:location">
<value>/</value> <value>/</value>
</variable> </variable>
<variable name="revprox_client_is_websocket" type="boolean" description="Le point d'entré est de types websocket" mandatory="True"> <variable name="revprox_client_is_websocket" type="boolean" description="Le point d'entré est de types websocket" mandatory="True" supplier="ReverseProxy:websocket">
<value>False</value> <value>False</value>
</variable> </variable>
<variable name="revprox_client_max_body_size" description="Taille maximum du corps"/> <variable name="revprox_client_max_body_size" description="Taille maximum du corps" supplier="ReverseProxy:max_body_size"/>
<variable name="revprox_client_local_location" type="filename" description="Nom de l'arborescene racine du site localement" hidden='True'/>
<variable name="revprox_client_web_address" type="web_address" description="Nom de domaine du client du mandataire inverse" hidden='True' supplier="ReverseProxy:url"/>
</family> </family>
<variable name="revprox_client_local_location" type="filename" description="Nom de l'arborescene racine du site localement" hidden='True'/>
<variable name="revprox_client_web_address" type="web_address" description="Nom de domaine du client du mandataire inverse" hidden='True'/>
<variable name="revprox_client_port" type="port" description="Port du client du mandataire inverse" hidden='True'> <variable name="revprox_client_port" type="port" description="Port du client du mandataire inverse" hidden='True'>
<value>443</value> <value>443</value>
</variable> </variable>
@ -37,14 +36,9 @@
</family> </family>
</variables> </variables>
<constraints> <constraints>
<fill name="get_provider_name"> <fill name="get_ip">
<param type="variable">zone_name_eth0</param> <param type="variable">revprox_client_server_domainname</param>
<param>ReverseProxy</param> <target>revprox_client_server_ip</target>
<target>revprox_client_server_domainname</target>
</fill>
<fill name="get_first_value">
<param type="variable">revprox_client_external_domainnames</param>
<target>revprox_client_external_domainname</target>
</fill> </fill>
<fill name="calc_web_address"> <fill name="calc_web_address">
<param type="variable">domain_name_eth0</param> <param type="variable">domain_name_eth0</param>
@ -64,23 +58,5 @@
<param name="join">/</param> <param name="join">/</param>
<target>revprox_key_file</target> <target>revprox_key_file</target>
</fill> </fill>
<fill name="set_linked_multi_variables">
<param type="variable">revprox_client_server_domainname</param>
<param name="linked_provider_0">revprox_clients</param>
<param name="linked_value_0" type="variable">revprox_client_external_domainnames</param>
<param name="linked_provider_1">revprox_location</param>
<param name="linked_value_1" type="variable">revprox_client_location</param>
<param name="linked_provider_2">revprox_is_websocket</param>
<param name="linked_value_2" type="variable">revprox_client_is_websocket</param>
<param name="linked_provider_3">revprox_max_body_size</param>
<param name="linked_value_3" type="variable">revprox_client_max_body_size</param>
<param name="linked_provider_4">revprox_url</param>
<param name="linked_value_4" type="variable">revprox_client_web_address</param>
<target>revprox_client_server_ip</target>
</fill>
<!--fill name="get_ip_from_domain">
<param type="variable">revprox_client_server_domainname</param>
<target>revprox_client_server_ip</target>
</fill-->
</constraints> </constraints>
</rougail> </rougail>
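Review bot: `revprox_client_max_body_size` is declared without a `type` or any value constraint, yet it is now exported to the proxy through `supplier="ReverseProxy:max_body_size"`; if the proxy template renders it verbatim into nginx's `client_max_body_size` directive (not visible here), a free-form string set on a client service becomes nginx configuration syntax. A constrained type, or a validation restricting it to a size literal such as `\d+[kKmMgG]?`, would make that boundary explicit. The leader `revprox_client_external_domainnames` is `unique="False"`, which is needed so one domain can carry several locations (as vaultwarden does), but nothing stops two entries with the same domain and the same location; a comment stating the intent, e.g. `<!-- unique="False": one external domain may map to several locations; each (domain, location) pair must still be distinct -->`, would help the next maintainer.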


@ -46,10 +46,12 @@
<variable name="nginx_root" redefine="True"> <variable name="nginx_root" redefine="True">
<value>/usr/share/roundcubemail/</value> <value>/usr/share/roundcubemail/</value>
</variable> </variable>
<variable name="revprox_client_local_location" redefine="True"> <family name="revprox_client">
<value>/</value> <variable name="revprox_client_external_domainnames" redefine="True" hidden="True"/>
</variable> <variable name="revprox_client_local_location" redefine="True">
<variable name="revprox_client_external_domainnames" redefine="True" hidden="True"/> <value>/</value>
</variable>
</family>
</family> </family>
<family name="annuaire"> <family name="annuaire">
<family name="client"> <family name="client">


@ -1,2 +0,0 @@
format: '0.1'
description: Extra files to allowed easily Server-Client configuration


@ -1,6 +0,0 @@
Providers
=========
- clients : nom de domaine des clients (générique)
- client_password : mot de passe des clients
- client_ip : adresse IP des clients


@ -4,4 +4,3 @@ service: true
depends: depends:
- base-fedora-36 - base-fedora-36
- dns-external - dns-external
provider: ExternalDNS


@ -25,13 +25,13 @@
</variable> </variable>
</family> </family>
<family name='dns_resolver' description='Résolveur DNS'> <family name='dns_resolver' description='Résolveur DNS'>
<variable name="unbound_allowed_client" type="ip" description="Réseau des clients autorisés à faire des requêtes DNS" multi="True" mandatory="True" provider="dns"/>
<variable name="unbound_default_forwards" description="Serveur résolveur DNS par défaut" multi="True" mandatory="True"/>
<family name="forward_zones" description="Serveur DNS faisant autorité sur une zone particulière" leadership="True" hidden="True"> <family name="forward_zones" description="Serveur DNS faisant autorité sur une zone particulière" leadership="True" hidden="True">
<variable name="unbound_forward_address" description="Adresse du serveur faisant autorité" provider="authorities" multi="True"/> <variable name="unbound_forward_address" description="Adresse du serveur faisant autorité" provider="ExternalDNS" multi="True"/>
<variable name="unbound_forward_zones" type="domainname" description="Nom de domaine de la zone" multi="True" provider="authority_zones"/> <variable name="unbound_forward_zones" type="domainname" description="Nom de domaine de la zone" multi="True" provider="ExternalDNS:authority_zones"/>
<variable name="unbound_forward_reverse_zones" type="domainname" description="Nom de domaine de la zone" multi="True" provider="reverse_authority_zones"/> <variable name="unbound_forward_reverse_zones" type="domainname" description="Nom de domaine de la zone" multi="True" provider="ExternalDNS:reverse_authority_zones"/>
</family> </family>
<variable name="unbound_allowed_client" type="ip" description="IP des clients autorisés à faire des requêtes DNS" multi="True" mandatory="True"/>
<variable name="unbound_default_forwards" description="Serveur résolveur DNS par défaut" multi="True" mandatory="True"/>
</family> </family>
</variables> </variables>
<constraints> <constraints>
@ -39,5 +39,9 @@
<param type="variable">ip_eth0</param> <param type="variable">ip_eth0</param>
<target>ip_dns</target> <target>ip_dns</target>
</fill> </fill>
<fill name="get_ip">
<param type="variable">unbound_forward_address</param>
<target>unbound_allowed_client</target>
</fill>
</constraints> </constraints>
</rougail> </rougail>
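Review bot: `unbound_allowed_client` is now filled by `get_ip` from `unbound_forward_address`, so the resolver's client ACL becomes exactly the set of ExternalDNS servers it forwards to, and the former `provider="dns"` hook through which other hosts presumably registered themselves is gone; any other host querying this resolver will be refused. That is fail-closed, which is the right default, but it is a behaviour change buried in a fill, and the variable's description (`IP des clients autorisés à faire des requêtes DNS`) still reads as if it were an arbitrary list. With `mandatory="True"` on the target, an empty `forward_zones` family also fails the build; if that is intended, say so next to the fill: `<!-- allowed clients are exactly the forwarded authoritative servers (via get_ip); an empty forward list fails the build on purpose -->`.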


@ -12,17 +12,14 @@
<variables> <variables>
<family name="nginx"> <family name="nginx">
<family name="revprox_client"> <family name="revprox_client">
<variable name="revprox_client_location" redefine="True"> <variable name="revprox_client_external_domainnames" redefine="True" hidden="True"/>
<value>/</value>
<value>/notifications/hub</value>
<!-- FIXME : value>/notifications/hub/negotiate</value-->
</variable>
</family> </family>
<variable name="revprox_client_cert_owner" redefine="True" hidden="True"> <variable name="revprox_client_cert_owner" redefine="True" hidden="True">
<value>vaultwarden</value> <value>vaultwarden</value>
</variable> </variable>
</family> </family>
<family name="vaultwarden" description="Vaultwarden"> <family name="vaultwarden" description="Vaultwarden">
<variable name="vaultwarden_domainname" type="domainname" description="Nom de domaine d'accès à Vaultwarden" mandatory="True"/>
<variable name="password_admin_username" description="Nom de l'utilisateur Risotto de Vaultwarden" auto_save="False"> <variable name="password_admin_username" description="Nom de l'utilisateur Risotto de Vaultwarden" auto_save="False">
<value>risotto</value> <value>risotto</value>
</variable> </variable>
@ -55,6 +52,16 @@
<param name="server_name" type="variable">domain_name_eth0</param> <param name="server_name" type="variable">domain_name_eth0</param>
<target>vaultwarden_test_device_identifier</target> <target>vaultwarden_test_device_identifier</target>
</fill> </fill>
<fill name="calc_value">
<param type="variable">vaultwarden_domainname</param>
<param type="variable">vaultwarden_domainname</param>
<param name="multi" type="boolean">True</param>
<target>revprox_client_external_domainnames</target>
</fill>
<fill name="calc_vaulwarden_location">
<param type="index"/>
<target>revprox_client_location</target>
</fill>
<fill name="calc_value"> <fill name="calc_value">
<param type="boolean">True</param> <param type="boolean">True</param>
<param name="default" type="boolean">False</param> <param name="default" type="boolean">False</param>
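Review bot: The `calc_value` fill builds the leader `revprox_client_external_domainnames` by listing `vaultwarden_domainname` twice, and `calc_vaulwarden_location` then maps index 0 to `/` and every other index to `/notifications/hub`; the two are coupled only by convention, so adding a third repetition (for instance to restore the `/notifications/hub/negotiate` entry that the dropped FIXME referred to) would silently yield a duplicate `/notifications/hub` location. A comment tying them together would prevent that: `<!-- two entries: index 0 -> "/", index 1 -> "/notifications/hub" (see calc_vaulwarden_location); keep the repetition count and the function in sync -->`. The misspelling `vaulwarden` matches the Python definition, so renaming it means changing both places in the same commit. The FIXME about `/negotiate` was removed without being resolved; if it is still open it should survive as a comment here.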


@ -9,6 +9,8 @@ _PASSWORD_DIR = _join(_HERE, 'password')
def get_uuid(server_name: str) -> str: def get_uuid(server_name: str) -> str:
if not server_name:
return
dir_name = _join(_PASSWORD_DIR, server_name) dir_name = _join(_PASSWORD_DIR, server_name)
if not _isdir(dir_name): if not _isdir(dir_name):
_makedirs(dir_name) _makedirs(dir_name)
@ -20,3 +22,9 @@ def get_uuid(server_name: str) -> str:
with open(file_name, 'r') as fh: with open(file_name, 'r') as fh:
file_content = fh.read().strip() file_content = fh.read().strip()
return file_content return file_content
def calc_vaulwarden_location(index):
if not index:
return '/'
return '/notifications/hub'
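Review bot: `get_uuid` joins `server_name` straight into a filesystem path under `_PASSWORD_DIR`, and the new early return only covers the empty case; a value containing a path separator or `..` would escape the password directory and create or read a file elsewhere. `server_name` is presumably a rougail `domainname` variable, which should never contain `/`, but the helper itself enforces nothing, so a guard before the join such as `if '/' in server_name or server_name in ('.', '..'): raise ValueError(f'invalid server_name: {server_name!r}')` is cheap insurance. The early `return` with no value also makes the `-> str` annotation wrong; `-> str | None`, or raising instead of returning `None`, would be honest to callers. `get_uuid`'s body spans both hunks of this file, and `calc_vaulwarden_location` maps any truthy index to `/notifications/hub`, which is by design given the two-entry fill but deserves a one-line docstring saying so.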


@ -1,4 +1,5 @@
url: https://%%revprox_client_external_domainname%%{revprox_client_location[0]} %set %%domain = %%revprox_client_external_domainnames[0]
url: https://%%domain%%domain.revprox_client_location
%set %%username='rougail_test@silique.fr' %set %%username='rougail_test@silique.fr'
username: %%username username: %%username
password: %%get_password(server_name=%%domain_name_eth0, username=%%username, description='test', type="cleartext", hide=%%hide_secret, temporary=False) password: %%get_password(server_name=%%domain_name_eth0, username=%%username, description='test', type="cleartext", hide=%%hide_secret, temporary=False)


@ -256,11 +256,11 @@ INVITATION_ORG_NAME=%%vaultwarden_org_name
## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs ## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs
# DOMAIN=https://bw.domain.tld:8443 # DOMAIN=https://bw.domain.tld:8443
#>GNUNUX #>GNUNUX
%set %%location = %%str(%%revprox_client_location[0]) %set %%location = %%revprox_client_external_domainnames[0].revprox_client_location
%if %%location.endswith('/') %if %%location.endswith('/')
%set %%location = %%location[:-1] %set %%location = %%location[:-1]
%end if %end if
DOMAIN=https://%%revprox_client_external_domainname%%location DOMAIN=https://%%{revprox_client_external_domainnames[0]}%%location
#<GNUNUX #<GNUNUX
## Allowed iframe ancestors (Know the risks!) ## Allowed iframe ancestors (Know the risks!)
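Review bot: `DOMAIN` is now built from `revprox_client_external_domainnames[0]` and that entry's `revprox_client_location`, so it is the site root only because the vaultwarden fill places `/` at index 0; if the entry order ever changes, `DOMAIN` silently becomes `https://host/notifications/hub`, and the upstream comment above notes U2F depends on this being the HTTPS site URL. The explicit `%%str(...)` conversion was also dropped, so `.endswith` now assumes the follower value is already a string. A comment making the ordering assumption visible would help: `## index 0 of external_domainnames is the "/" entry (see calc_vaulwarden_location); DOMAIN must stay the site root`.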