This commit is contained in:
Emmanuel Garette 2022-05-04 10:29:03 +02:00
parent da3e4d487d
commit 5ccb69012b
60 changed files with 384 additions and 299 deletions

View file

@ -2,6 +2,7 @@
<rougail version="0.10">
<services>
<service name="httpd" target="multi-user">
<file>/etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt</file>
<file>/etc/httpd/conf/httpd.conf</file>
<file>/etc/httpd/conf.d/risotto.conf</file>
<file>/etc/httpd/conf.d/ssl.conf</file>
@ -13,9 +14,11 @@
</service>
</services>
<variables>
<family name="nginx">
<variable name="php_fpm_user" redefine="True" exists="True">
<value>apache</value>
</variable>
</family>
<family name="apache" description="Apache" help="Paramètrage avancé du serveur web Apache">
<variable name="apache_timeout" type="number" description="Temps en secondes pendant lequel le serveur va attendre des entrées/sorties avant de considérer qu'une requête a échoué">
<value>300</value>

View file

@ -1,4 +1,4 @@
#!/bin/bash -xe
#!/bin/bash -e
HOST_NAME=$1
if [ -z "$HOST_NAME" ]; then
@ -24,4 +24,6 @@ systemctl restart systemd-resolved
#nft 'add rule nat postrouting ip saddr 192.168.45.10 oif enp0s8 tcp dport 53 snat to 10.0.3.15'
#nft 'add rule nat postrouting ip saddr 192.168.45.10 oif enp0s8 udp dport 53 snat to 10.0.3.15'
echo "install host OK"
exit 0

View file

@ -1,4 +1,4 @@
#!/bin/bash -xe
#!/bin/bash -e
HOST_NAME=$1
IMAGE_NAME=$2
@ -14,7 +14,7 @@ rm -rf "$IMAGE_NAME_RISOTTO_IMAGE_DIR" tmp
mkdir -p "$RISOTTO_IMAGE_DIR"
PKG=""
BASE_DIR=""
for script in $(ls $IMAGE_NAME/preinstall/*.sh 2> /dev/null); do
for script in $(ls $IMAGE_NAME/manual/preinstall/*.sh 2> /dev/null); do
. "$script"
done
@ -46,7 +46,7 @@ function new_package_base() {
OPT=$(dnf_opt "$BASE_DIR" "$BASE_PKG")
dnf --assumeno $OPT | grep ^" " > "$BASE_PKGS_FILE".new
else
debootstrap --include="$BASE_PKG" --variant=minbase "$RELEASEVER" "$BASE_DIR"
debootstrap --include="$BASE_PKG" --variant=minbase "$RELEASEVER" "$BASE_DIR" > /dev/null
chroot "$BASE_DIR" dpkg-query -f '${binary:Package} ${source:Version}\n' -W > "$BASE_PKGS_FILE".new
fi
}
@ -75,6 +75,7 @@ function install_pkg() {
if [ ! -f "$BASE_LOCK" ]; then
echo " - reinstallation de l'image de base"
rm -rf "$BASE_DIR"
new_package_base
diff -u "$BASE_PKGS_FILE" "$BASE_PKGS_FILE".new && NEW_BASE=false || NEW_BASE=true
@ -83,7 +84,7 @@ if [ ! -f "$BASE_LOCK" ]; then
install_base
cd "$IMAGE_BASE_RISOTTO_BASE_DIR"
tar cf "$BASE_TAR" "$BASE_NAME"
cd -
cd - > /dev/null
if [ -f "$BASE_PKGS_FILE" ]; then
mv "$BASE_PKGS_FILE" "$BASE_PKGS_FILE".old
fi
@ -100,8 +101,8 @@ if [ -n "$COPR" ]; then
#FIXME signature...
mkdir -p "$REPO_DIR"
cd "$REPO_DIR"
wget "$COPR"
cd -
wget -q "$COPR"
cd - > /dev/null
fi
if [ "$FUSION" = true ]; then
dnf -y install "https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$RELEASEVER.noarch.rpm" --installroot="$IMAGE_NAME_RISOTTO_IMAGE_DIR"
@ -109,19 +110,24 @@ fi
# FIXME verifier s'il y a des modifs sur pre/post
if [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs ] && [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs ]; then
echo "Différence(s) avec les paquets de base"
echo " - différence(s) avec les paquets de base"
diff -u "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs "$BASE_PKGS_FILE" && NEW_BASE=false || NEW_BASE=true
else
NEW_BASE=true
fi
new_package
if [ "$NEW_BASE" = false ]; then
echo "Différence(s) avec les paquets de l'image"
echo " - différence(s) avec les paquets de l'image"
diff -u "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new && INSTALL=false || INSTALL=true
else
INSTALL=true
fi
find $IMAGE_NAME/manual -type f -exec md5sum '{}' \; > "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum.new
if [ "$NEW_BASE" = false ]; then
diff -u "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum.new && INSTALL=false || INSTALL=true
fi
if [ "$INSTALL" = true ]; then
echo " - installation"
if [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version ]; then
VERSION=$(cat "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version)
else
@ -145,7 +151,7 @@ if [ "$INSTALL" = true ]; then
install_pkg
sleep 2
for script in $(ls $IMAGE_NAME/postinstall/*.sh 2> /dev/null); do
for script in $(ls $IMAGE_NAME/manual/postinstall/*.sh 2> /dev/null); do
. "$script"
done
@ -161,11 +167,13 @@ if [ "$INSTALL" = true ]; then
fi
tar cf "$IMAGE_NAME_RISOTTO_IMAGE_NAME" "$IMAGE_NAME"
sha256sum "$IMAGE_NAME_RISOTTO_IMAGE_NAME" > "$IMAGE_NAME_RISOTTO_IMAGE_NAME".sha
cd -
cd - > /dev/null
cp -f "$BASE_PKGS_FILE" "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs
mv -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs
mv -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum.new "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum
VERSION=$((VERSION + 1))
echo "$VERSION" > "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version
fi
rm -rf "$IMAGE_NAME_RISOTTO_IMAGE_DIR"
echo " => OK"
exit 0

View file

@ -1,4 +1,4 @@
#!/bin/bash -xe
#!/bin/bash -e
HOST_NAME=$1
if [ -z "$HOST_NAME" ]; then
echo "usage: $0 host name"
@ -8,6 +8,8 @@ fi
rm -f $IMAGE_BASE_RISOTTO_BASE_DIR*.build
for image in *; do
if [ -d "$image" ]; then
echo
echo "Install image $image"
./install_image "$HOST_NAME" "$image"
fi
done

View file

@ -1,4 +1,4 @@
#!/bin/bash -xe
#!/bin/bash -e
HOST_NAME=$1
IMAGE_NAME=$2
MACHINE=$3
@ -26,19 +26,19 @@ if [ -L "$MACHINE_MACHINES_DIR" ] || [ -d "$MACHINE_MACHINES_DIR" ]; then
diff -q --no-dereference -Nru "$MACHINE_RISOTTO_CONFIG_DIR" "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" || NEW_CONF=true
fi
if [ "$NEW_IMAGE" = true ] || [ "$NEW_CONF" = true ]; then
echo " - stop $IMAGE_NAME"
machinectl stop "$MACHINE" 2> /dev/null || true
while true; do
machinectl status "$MACHINE" > /dev/null 2>&1 || break
sleep 1
echo "retry..."
done
fi
if [ "$NEW_IMAGE" = true ]; then
echo "SUPPRIME ANCIENNE IMAGE"
echo " - delete old image"
rm -rf "$MACHINE_MACHINES_DIR"
fi
if [ "$NEW_CONF" = true ]; then
echo "SUPPRIME ANCIENNE CONF"
echo " - delete old settings"
./diff.py "$MACHINE" "$MACHINE_RISOTTO_CONFIG_DIR" "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" > "$MACHINE_RISOTTO_CONFIG_DIR"_changelog.md
rm -rf "$MACHINE_RISOTTO_CONFIG_DIR"
fi
@ -58,7 +58,8 @@ if [ ! -d "$MACHINE_MACHINES_DIR" ]; then
mkdir -p "$SHA_MACHINE_DIR"
cp -a "$IMAGE_NAME_RISOTTO_IMAGE_NAME".sha "$SHA_MACHINE"
mv "$IMAGE_NAME" "$MACHINE_MACHINES_DIR"
cd -
cd - > /dev/null
fi
echo " => OK"
exit 0

View file

@ -1,4 +1,4 @@
#!/bin/bash -xe
#!/bin/bash -e
HOST_NAME=$1
if [ -z "$HOST_NAME" ]; then
echo "usage: $0 host name"
@ -14,6 +14,8 @@ for image in *; do
if [ -f "host/configurations/$HOST_NAME/etc/systemd/nspawn/$osname.nspawn" ]; then
MACHINES="$MACHINES$osname "
fi
echo
echo "Install machine $image"
./install_machine "$HOST_NAME" "$image" "$osname"
fi
done

View file

@ -5,4 +5,4 @@ depends:
- relay-mail-client
- ldap-client-fedora
- oauth2-client
- nginx-common
- nginx-https

View file

@ -7,7 +7,6 @@
<file engine="none" source="tmpfile-postfix.conf">/tmpfiles.d/0postfix.conf</file>
<file>/etc/postfix/main.cf</file>
<file>/etc/postfix/master.cf</file>
<file>/etc/postfix/ldapsource.cf</file>
<file>/etc/postfix/relay_passwd</file>
<file>/etc/pki/ca-trust/source/anchors/ca_MailServer.crt</file>
<file>/etc/pki/tls/certs/postfix.crt</file>
@ -22,9 +21,6 @@
</service>
<service name='nginx'>
<file source='config-v1.1.xml' file_type="variable" variable="mail_domains">well_known_filenames</file>
<file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_ca_file</file>
<file file_type="variable" source="revprox.crt">revprox_cert_file</file>
<file file_type="variable" source="revprox.key" mode="400">revprox_key_file</file>
</service>
<service name="dovecot" target="multi-user">
<file engine="none" source="sysuser-dovecot.conf">/sysusers.d/1dovecot.conf</file>
@ -69,7 +65,7 @@
</family>
<family name="mail" description="Mail domain" leadership="True">
<variable name="mail_domains" type="domainname" description="Domaine de courriel géré localement" mandatory="True" multi="True"/>
<variable name="mail_domains_calc" type="domainname" multi="True" hidden="True"/>
<variable name="mail_domains_calc" type="domainname" hidden="True"/>
<variable name="imap_domainname" type="domainname" mandatory="True"/>
<variable name="submission_domainname" type="domainname" mandatory="True"/>
</family>
@ -88,11 +84,11 @@
</family>
</family>
<family name="nginx">
<variable name="nginx_default" redefine="True" remove_fill="True" mandatory="False"/>
<variable name="revprox_ca_file" type="filename" description="Reverse proxy CA filename" hidden="True"/>
<variable name="revprox_cert_file" type="filename" description="Reverse proxy certificate filename" hidden="True"/>
<variable name="revprox_key_file" type="filename" description="Reverse proxy private key filename" hidden="True"/>
<variable name="revprox_server_domainname" type="domainname" description="Reverse proxy domain name for CA" mandatory="True"/>
<family name="revprox_client">
<variable name="revprox_client_location" redefine="True" mandatory="False">
<value/>
</variable>
</family>
</family>
</variables>
<constraints>
@ -115,24 +111,6 @@
<param name="dynamic" type="variable">domain_name_eth0</param>
<target>mail_domains</target>
</check>
<fill name="calc_value">
<param type="variable">tls_ca_directory</param>
<param>ca_InternalReverseProxy.crt</param>
<param name="join">/</param>
<target>revprox_ca_file</target>
</fill>
<fill name="calc_value">
<param type="variable">tls_cert_directory</param>
<param>revprox.crt</param>
<param name="join">/</param>
<target>revprox_cert_file</target>
</fill>
<fill name="calc_value">
<param type="variable">tls_key_directory</param>
<param>revprox.key</param>
<param name="join">/</param>
<target>revprox_key_file</target>
</fill>
<fill name="calc_value">
<param>/etc/pki/tls/certs/imap_</param>
<param type="variable">imap_domainname</param>
@ -159,7 +137,6 @@
</fill>
<fill name="calc_value">
<param type="variable">mail_domains</param>
<param name="multi" type="boolean">True</param>
<target>mail_domains_calc</target>
</fill>
<fill name="calc_value">
@ -172,7 +149,7 @@
<target>well_known_filenames</target>
</fill>
<check name="set_linked_multi_variables">
<param type="variable">revprox_server_domainname</param>
<param type="variable">revprox_client_server_domainname</param>
<param name="linked_provider_0">revprox_clients</param>
<param name="linked_provider_1">revprox_location</param>
<param name="linked_value_1">/.well-known/autoconfig/mail/config-v1.1.xml</param>
@ -183,7 +160,7 @@
<target>mail_domains_calc</target>
</check>
<check name="set_linked_multi_variables">
<param type="variable">revprox_server_domainname</param>
<param type="variable">revprox_client_server_domainname</param>
<param name="linked_provider_0">revprox_clients</param>
<param name="linked_provider_1">revprox_location</param>
<param name="linked_value_1">/autodiscover/autodiscover.xml</param>

View file

@ -28,7 +28,7 @@
# <doc/wiki/MailLocation.txt>
#
#>GNUNUX
mail_location = maildir:/srv/mail/%u
mail_location = maildir:~/
#<GNUNUX
# If you need to set multiple mailbox locations or want to change default
@ -107,8 +107,8 @@ namespace inbox {
# System user and group used to access mails. If you use multiple, userdb
# can override these by returning uid or gid fields. You can use either numbers
# or names. <doc/wiki/UserIds.txt>
#mail_uid =
#mail_gid =
mail_uid = vmail
mail_gid = vmail
# Group to enable temporarily for privileged operations. Currently this is
# used only with INBOX when either its initial creation or dotlocking fails.

View file

@ -16,13 +16,14 @@ passdb {
# driver = prefetch
#}
# GNUNUX userdb {
# GNUNUX driver = ldap
userdb {
driver = ldap
# GNUNUX args = /etc/dovecot/dovecot-ldap.conf.ext
# GNUNUX
# GNUNUX # Default fields can be used to specify defaults that LDAP may override
# GNUNUX #default_fields = home=/home/virtual/%u
# GNUNUX }
args = /etc/dovecot/dovecot-ldap.conf.ext
# Default fields can be used to specify defaults that LDAP may override
#default_fields = home=/home/virtual/%u
}
# If you don't have any user-specific settings, you can avoid the userdb LDAP
# lookup by using userdb static instead of userdb ldap, for example:
@ -31,9 +32,3 @@ passdb {
#driver = static
#args = uid=vmail gid=vmail home=/var/vmail/%u
#}
#>GNUNUX
userdb {
driver = static
args = uid=vmail gid=vmail home=/srv/mail/%u
}
#<GNUNUX

View file

@ -1 +0,0 @@
%%get_chain(%%revprox_server_domainname, authority_name='InternalReverseProxy')

View file

@ -99,7 +99,7 @@ tls_require_cert = hard
#auth_bind_userdn =
#>GNUNUX
auth_bind = yes
auth_bind_userdn = cn=%u,ou=users,%%ldap_base_dn
auth_bind_userdn = cn=%u,%%ldapclient_base_dn
#<GNUNUX
# LDAP protocol version to use. Likely 2 or 3.
@ -108,7 +108,7 @@ auth_bind_userdn = cn=%u,ou=users,%%ldap_base_dn
# LDAP base. %variables can be used here.
# For example: dc=mail, dc=example, dc=org
# GNUNUX base =
base = ou=users,%%ldap_base_dn
base = %%ldapclient_base_dn
# Dereference: never, searching, finding, always
#deref = never
@ -126,6 +126,9 @@ base = ou=users,%%ldap_base_dn
# There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/UserDatabase/ExtraFields
#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
#>GNUNUX
user_attrs = homeDirectory=home
#<GNUNUX
# Filter for user lookup. Some variables can be used (see
# http://wiki2.dovecot.org/Variables for full list):

View file

@ -784,7 +784,6 @@ smtpd_use_tls = yes
mailbox_size_limit = 0
message_size_limit = 202400000
biff = no
#virtual_maps = ldap:/etc/postfix/ldapsource.cf
smtpd_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtpd_tls_auth_only = yes
@ -804,12 +803,11 @@ dovecot_destination_recipient_limit = 1
%%domains.append(%%str(%%domain))%slurp
%end for
virtual_mailbox_domains = %echo ', '.join(%%domains)
virtual_mailbox_maps = ldap:/etc/postfix/ldapsource.cf
virtual_alias_maps = ldap:/etc/postfix/ldapsource.cf
virtual_minimum_uid = 1000
#vmail uid
virtual_uid_maps = static:999
virtual_gid_maps = static:999
virtual_transport = dovecot
virtual_mailbox_base = /srv/mail
#virtual_mailbox_base = /srv/mail
#<GNUNUX

View file

@ -1,2 +0,0 @@
%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_server_domainname, authority_name='InternalReverseProxy', type="server")
%%get_chain(%%revprox_server_domainname, 'InternalReverseProxy')

View file

@ -1 +0,0 @@
%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_server_domainname, authority_name='InternalReverseProxy', type='server')

View file

@ -3,4 +3,4 @@ g dovenull 982 -
g vmail 999 -
u dovecot 97:97 "Dovecot IMAP server" /usr/libexec/dovecot /sbin/nologin
u dovenull 984:982 "Dovecot's unauthorized user" /usr/libexec/dovecot /sbin/nologin
u vmail 999:999 "Virtual mail user" /srv/mail /sbin/nologin
u vmail 999:999 "Virtual mail user" /srv/home /sbin/nologin

View file

@ -1 +1,4 @@
d /srv/dovecot 750 dovecot postfix - -
d /srv/home 750 root vmail - -
d /srv/home/users 770 root vmail - -
d /srv/home/families 770 root vmail - -

View file

@ -1,5 +1,4 @@
d /srv/postfix 750 postfix postfix - -
d /srv/postfix/data 750 postfix postfix - -
d /srv/postfix/spool 755 root root - -
d /srv/mail 770 root vmail - -
d /var/lib/misc/ 755 root root - -

View file

@ -2,6 +2,7 @@
<rougail version="0.10">
<services>
<service name="gitea" target="multi-user" engine="creole">
<file>/etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt</file>
<file engine="none" source="sysuser-gitea.conf">/sysusers.d/0gitea.conf</file>
<file engine="none" source="tmpfile-gitea.conf">/tmpfiles.d/0gitea.conf</file>
<file>/etc/gitea/app.ini</file>

View file

@ -12,9 +12,11 @@
<variables>
<family name="annuaire">
<variable name='ldap_server_address' type='domainname' description="Nom DNS du serveur LDAP" mandatory='True'/>
<variable name='ldapclient_family' type='unix_user' description="L'arbre LDAP est de type famille"/>
<variable name='ldapclient_remote_user' type='string' description="DN de l'tilisateur distant" mandatory='True' hidden="True"/>
<variable name='ldapclient_remote_user_password' type='password' description="Mot de passe de l'utilisateur distant" mandatory='True' hidden="True"/>
<variable name='ldap_base_dn' type='string' description="Base DN de l'annuaire" mandatory="True" test="dc=test,o=fr"/>
<variable name='ldapclient_base_dn' type='string' description="Base DN de l'annuaire" mandatory="True"/>
<variable name='ldap_port' type='port' description='Port du serveur LDAP' mandatory='True' test="636"/>
<variable name="ldap_ca_file" type="filename" description="LDAP CA filename" hidden="True"/>
<variable name="ldap_cert_file" type="filename" description="LDAP certificate filename" hidden="True"/>
@ -31,6 +33,11 @@
<check name='valid_base_dn'>
<target>ldap_base_dn</target>
</check>
<fill name="calc_ldapclient_base_dn">
<param type="variable">ldap_base_dn</param>
<param type="variable">ldapclient_family</param>
<target>ldapclient_base_dn</target>
</fill>
<fill name="calc_value">
<param type="variable">tls_ca_directory</param>
<param>ca_LDAP.crt</param>
@ -65,13 +72,19 @@
</fill>
<fill name="get_linked_configuration">
<param name="linked_server" type="variable">ldap_server_address</param>
<param name="linked_provider">LDAP_DN</param>
<param name="linked_provider">ldap_dn</param>
<target>ldap_base_dn</target>
</fill>
<fill name="get_linked_configuration">
<param name="linked_server" type="variable">ldap_server_address</param>
<param name="linked_provider">LDAP_PORT</param>
<param name="linked_provider">ldap_port</param>
<target>ldap_port</target>
</fill>
<check name="set_linked_configuration">
<param name="linked_server" type="variable">ldap_server_address</param>
<param name="linked_provider">client_family</param>
<param name="dynamic" type="variable">domain_name_eth0</param>
<target>ldapclient_family</target>
</check>
</constraints>
</rougail>

View file

@ -4,3 +4,11 @@ def valid_base_dn(base_dn: str) -> None:
break
else:
raise ValueError('La racine doit débuter par une organisation (o=), une composante du domaine (dc=) ou une unité organisationnelle (ou=)')
def calc_ldapclient_base_dn(ldap_base_dn: str,
family_name: str,
) -> str:
if not family_name:
return f'ou=users,{ldap_base_dn}'
return f'ou={family_name},ou=families,{ldap_base_dn}'

View file

@ -6,7 +6,7 @@
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
BASE ou=users,%%ldap_base_dn
BASE %%ldapclient_base_dn
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
URI ldaps://%%ldap_server_address:%%ldap_port

View file

@ -13,13 +13,14 @@ commentStartToken = §
"ldapPpolicyControl" : 1,
"ldapAllowResetExpiredPassword" : 1,
"ldapChangePasswordAsUser" : 1,
"ldapBase" : "ou=users,%%ldap_base_dn",
"ldapBase" : "%%ldapclient_base_dn",
"ldapExportedVars" : {
"uid" : "uid",
"cn" : "cn",
"sn" : "sn",
"mail" : "mail",
"givenName" : "givenName"
"givenName" : "givenName",
"home" : "homeDirectory"
},
"ldapGroupAttributeName" : "memberUid",
"ldapGroupAttributeNameUser" : "cn",
@ -99,7 +100,8 @@ commentStartToken = §
"email" : "mail",
"family_name" : "sn",
"name" : "cn",
"nickname" : "uid"
"nickname" : "uid",
"home" : "home"
%if %%len_app - 1 == %%idx
}
%else

View file

@ -1,7 +1,7 @@
PYTHON="usr/lib/python3.10/site-packages"
cp -a "mailman/postinstall/lemonldap" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/allauth/socialaccount/providers/"
cp -a "mailman/postinstall/risotto" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/allauth/socialaccount/providers/"
cp -a "mailman/postinstall/postorius" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius"
cp -a "mailman/manual/postinstall/lemonldap" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/allauth/socialaccount/providers/"
cp -a "mailman/manual/postinstall/risotto" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/allauth/socialaccount/providers/"
cp -a "mailman/manual/postinstall/postorius" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius"
chmod +x "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius/manage.py"
ln -s /etc/mailman3.d/postorius.py "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius/m_postorius/settings_local.py"
ln -s ../../django_mailman3/static/django-mailman3 "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/postorius/static/"

View file

@ -29,9 +29,9 @@ fi
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapPort "%%ldap_port"
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentName "%%ldapclient_remote_user"
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentPassword "%%ldapclient_remote_user_password"
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBase "ou=users,%%ldap_base_dn"
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseUsers "ou=users,%%ldap_base_dn"
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseGroups "ou=users,%%ldap_base_dn"
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBase "%%ldapclient_base_dn"
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseUsers "%%ldapclient_base_dn"
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseGroups "%%ldapclient_base_dn"
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapExperiencedAdmin "0"
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapExpertUUIDUserAttr "cn"
/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapLoginFilter "(&(cn=%uid)(ObjectClass=inetOrgPerson))"

View file

@ -4,18 +4,26 @@
<service name='nginx' target='multi-user'>
<file>/etc/nginx/nginx.conf</file>
<file source="default">/etc/nginx/sites-available/default</file>
<file filelist="nginx_default" source="default-nginx.conf">/etc/nginx/default.d/risotto.conf</file>
<!--file source="default-nginx-ssl.conf">/etc/nginx/conf.d/risotto-ssl.conf</file-->
<file filelist="nginx_default" source="default-nginx.conf">/etc/nginx/default.d/default.conf</file>
<file source="nginx.index.html">/var/www/html/index.html</file>
<file source="nginx-options.conf">/etc/nginx/conf.d/options.conf</file>
<file>/var/www/html/error.html</file>
<file engine="none" source="sysusers.nginx.conf" filelist="nginx_fedora">/sysusers.d/nginx.conf</file>
<file source="tmpfiles.nginx.conf">/tmpfiles.d/nginx.conf</file>
<file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_ca_file</file>
<file filelist="nginx_https" mode="600">/etc/pki/tls/certs/nginx.crt</file>
<file filelist="nginx_https" mode="600">/etc/pki/tls/private/nginx.key</file>
</service>
</services>
<variables>
<family name="nginx" description="NGINX" help="Paramétrage global de NGINX">
<variable name="nginx_default" type="domainname" description="Nom de domaine du serveur mandataire inverse par défaut" help="Si un client accède au serveur avec un nom de domaine non déclaré, le flux est redirigé vers ce domaine" mandatory='True'/>
<variable name="nginx_default" type="domainname" description="Nom de domaine du serveur mandataire inverse par défaut" help="Si un client accède au serveur avec un nom de domaine non déclaré, le flux est redirigé vers ce domaine" mandatory='False'/>
<variable name="nginx_root" type="filename" mandatory='False'>
<value>/usr/share/nginx/html</value>
</variable>
<variable name="nginx_https" type="boolean" description="Activer HTTPS sur le serveur" mandatory='True' hidden="True">
<value>False</value>
</variable>
<variable name="nginx_hash_bucket_size" description="Longueur maximum pour un nom de domaine" mode="expert" type="choice">
<value>128</value>
<choice type="string">128</choice>
@ -25,13 +33,10 @@
<variable name="nginx_post_max_size" type="number" description="Taille maximale des données reçues par la méthode POST (en Mo)" mode="expert" mandatory="True">
<value>32</value>
</variable>
<variable name="revprox_ca_file" type="filename" description="Reverse proxy CA filename" hidden="True"/>
</family>
</variables>
<constraints>
<fill name="calc_value">
<param type="variable">domain_name_eth0</param>
<target>nginx_default</target>
</fill>
<condition name="disabled_if_not_in" source="os_name">
<param>Fedora</param>
<target type="filelist">nginx_fedora</target>
@ -40,5 +45,15 @@
<param type="nil"/>
<target type="filelist">nginx_default</target>
</condition>
<condition name="disabled_if_in" source="nginx_https">
<param type="boolean">False</param>
<target type="filelist">nginx_https</target>
</condition>
<fill name="calc_value">
<param type="variable">tls_ca_directory</param>
<param>ca_InternalReverseProxy.crt</param>
<param name="join">/</param>
<target>revprox_ca_file</target>
</fill>
</constraints>
</rougail>

View file

@ -1,10 +0,0 @@
#FIXME server {
#FIXME listen 443 ssl;
#FIXME ssl_certificate %%nginx_certificate[%%revprox_domainnames_all.index(%%nginx_default)];
#FIXME ssl_certificate_key %%nginx_private_key[%%revprox_domainnames_all.index(%%nginx_default)];
#FIXME ssl_client_certificate /etc/ssl/certs/ca.crt;
#FIXME server_name _ default;
#FIXME rewrite ^(.*) https://%%nginx_default$1;
#FIXME break;
#FIXME }

View file

@ -52,11 +52,12 @@ http {
# for more information.
include /etc/nginx/conf.d/*.conf;
%if %%os_name == 'Fedora'
%if %%nginx_default
server {
listen 80;
listen [::]:80;
server_name _;
root /usr/share/nginx/html;
root %%nginx_root;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
@ -69,35 +70,40 @@ http {
location = /50x.html {
}
}
%end if
# Settings for a TLS enabled server.
#
%if %%nginx_https
server {
listen 443 ssl http2;
server_name %%domain_name_eth0;
root %%nginx_root;
# ssl_certificate "/etc/pki/nginx/server.crt";
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
ssl_certificate /etc/pki/tls/certs/nginx.crt;
ssl_certificate_key /etc/pki/tls/private/nginx.key;
ssl_client_certificate /etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers PROFILE=SYSTEM;
ssl_prefer_server_ciphers on;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
%end if
%else
include /etc/nginx/sites-enabled/*;
%end if
# Settings for a TLS enabled server.
#
# server {
# listen 443 ssl http2;
# listen [::]:443 ssl http2;
# server_name _;
# root /usr/share/nginx/html;
#
# ssl_certificate "/etc/pki/nginx/server.crt";
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 10m;
# ssl_ciphers PROFILE=SYSTEM;
# ssl_prefer_server_ciphers on;
#
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
#
# error_page 404 /404.html;
# location = /40x.html {
# }
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
# }
}

View file

@ -2,3 +2,4 @@ format: '0.1'
description: Nginx as reverse proxy
depends:
- nginx-common
- reverse-proxy-client

View file

@ -2,19 +2,38 @@
<rougail version="0.10">
<services>
<service name='nginx'>
<file>/etc/nginx/conf.d/risotto.conf</file>
<file>/etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt</file>
<file mode="600">/etc/pki/tls/certs/nginx.crt</file>
<file mode="600">/etc/pki/tls/private/nginx.key</file>
<file filelist="nginx_default_risotto">/etc/nginx/default.d/risotto.conf</file>
</service>
</services>
<variables>
<variable name="nginx_root_directory" type="filename" mandatory="True"/>
<family name="nginx">
<variable name="nginx_https" redefine="True">
<value>True</value>
</variable>
<variable name="php_fpm_user" redefine="True" exists="True">
<value>nginx</value>
</variable>
<variable name="nginx_root_directory" type="filename"/>
<variable name="nginx_locations" type="filename" multi="True" mandatory="True">
<value>/</value>
</variable>
</family>
<family name="redis" description="Redis">
<variable name="redis_client_key_owner" redefine="True" exists="True">
<value>nginx</value>
</variable>
</family>
<family name="postgresql" description="PostgreSQL">
<variable name="pg_client_key_owner" redefine="True" exists="True">
<value>nginx</value>
</variable>
</family>
</variables>
<constraints>
<condition name="disabled_if_in" source="nginx_root_directory">
<param type="nil"/>
<target type="filelist">nginx_default_risotto</target>
<target type="variable">nginx_locations</target>
</condition>
</constraints>
</rougail>

View file

@ -1 +0,0 @@
%%get_chain(authority_cn=%%domain_name_eth0, authority_name="InternalReverseProxy")

View file

@ -1 +1,2 @@
%%get_certificate(cn=%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy')
%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy', type="server")
%%get_chain(%%revprox_client_server_domainname, 'InternalReverseProxy')

View file

@ -1 +1 @@
%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy')
%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy', type='server')

View file

@ -1,27 +1,14 @@
server {
listen 443 default ssl;
server_name %%domain_name_eth0;
ssl_certificate /etc/pki/tls/certs/nginx.crt;
ssl_certificate_key /etc/pki/tls/private/nginx.key;
ssl_client_certificate /etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt;
error_page 403 404 502 503 504 /error.html;
location = /error.html{
root /var/www/html;
}
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains;';
add_header Referrer-Policy no-referrer always;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains;';
add_header Referrer-Policy no-referrer always;
%for %%location in %%nginx_locations
location %%location {
location %%location {
%if %%location == '/'
root %slurp
%else
@ -39,6 +26,5 @@ server {
include fastcgi_params;
}
%end if
}
%end for
}
%end for

View file

@ -5,7 +5,6 @@
<override engine="creole"/>
<file source="nginx-options-rp.conf">/etc/nginx/conf.d/options-rp.conf</file>
<file source="revprox-nginx.conf">/etc/nginx/conf.d/risotto.conf</file>
<file>/etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt</file>
<file source="certificate.crt" file_type="variable" mode="600" variable="revprox_domainnames_all">nginx_certificate_filename</file>
<file source="private.key" file_type="variable" mode="600" variable="revprox_domainnames_all">nginx_private_key_filename</file>
</service>
@ -19,7 +18,7 @@
<variable name="ip_eth" redefine="True" provider="ip"/>
</family>
<family name="nginx" description="NGINX" help="Paramétrage global de NGINX">
<variable name="nginx_default" redefine="True" remove_fill="True"/>
<variable name="nginx_default" redefine="True" mandatory="True"/>
<variable name="revprox_domainnames" type="domainname" description="Nom des domaines à configurer dans le serveur mandataire inverse" help="Liste des domaines gérés par le serveur mandataire inverse" multi="True"/>
<variable name="revprox_domainnames_auto" type="domainname" description="Nom des domaines auto-configurés dans le serveur mandataire inverse" multi="True" provider="revprox_clients" hidden="True"/>
<variable name="revprox_domainnames_all" type="domainname" description="Tous les noms de domaines" multi="True" hidden="True"/>

View file

@ -1,11 +1,12 @@
from typing import List as _List
from os.path import join as _join, isdir as _isdir, abspath as _abspath
from os.path import join as _join, isfile as _isfile, isdir as _isdir, abspath as _abspath, basename as _basename
from datetime import datetime as _datetime
from ipaddress import ip_network, ip_address
from subprocess import run as _run
from os import makedirs as _makedirs, unlink as _unlink
from shutil import rmtree as _rmtree
from os import makedirs as _makedirs
from shutil import rmtree as _rmtree, copy2 as _copy2
from glob import glob as _glob
from filecmp import cmp as _cmp
_PKI_DIR = _abspath('pki/dnssec')
@ -98,13 +99,21 @@ def sign(zone_filename: str,
cn: str,
) -> str:
authority_cn = zone_filename.rsplit('/', 1)[-1].rsplit('.', 1)[0]
copy_file = _join(_PKI_DIR, cn, authority_cn, _basename(zone_filename))
signed_filename = f'{copy_file}.signed'
if not _isfile(copy_file) or not _cmp(zone_filename, copy_file):
_copy2(zone_filename, copy_file)
zsk, ksk = _gen_keys(cn, authority_cn)
cmd = ['ldns-signzone', '-n', zone_filename, zsk, ksk]
proc = _run(cmd, capture_output=True)
if proc.returncode != 0:
raise Exception(f'cannot sign {zone_filename}: {proc.stdout.decode()}, {proc.stderr.decode()}')
signed_filename = f'{zone_filename}.signed'
new_signed_filename = f'{zone_filename}.signed'
with open(new_signed_filename) as fh:
content = fh.read().strip()
content.replace('0000000000', nsd_serial())
with open(signed_filename, 'w') as fh:
fh.write(content)
with open(signed_filename) as fh:
content = fh.read().strip()
_unlink(signed_filename)
return content

View file

@ -12,7 +12,7 @@ $ORIGIN %%rougail_variable
$TTL 1800
@ IN SOA %%domain_name_eth0. admin.%%name. (
%%nsd_serial() ; serial number
0000000000 ; serial number
3600 ; refresh
900 ; retry
1209600 ; expire

View file

@ -2,7 +2,7 @@ $ORIGIN %%rougail_variable.
$TTL 1800
@ IN SOA %%domain_name_eth0. admin.%%rougail_variable. (
%%nsd_serial() ; serial number
0000000000 ; serial number
3600 ; refresh
900 ; retry
1209600 ; expire

View file

@ -20,8 +20,8 @@
<variables>
<family name="annuaire">
<variable name='ldap_server_address' redefine="True" hidden="True"/>
<variable name='ldap_base_dn' redefine="True" mandatory="True" provider="LDAP_DN"/>
<variable name='ldap_port' redefine="True" remove_fill="True" hidden="False" provider="LDAP_PORT">
<variable name='ldap_base_dn' redefine="True" mandatory="True" provider="ldap_dn"/>
<variable name='ldap_port' redefine="True" remove_fill="True" hidden="False" provider="ldap_port">
<value>636</value>
</variable>
<variable name='ldap_admin_dn' type='string' description="Administrateur de l'annuaire" mandatory="True" auto_freeze='True'/>
@ -47,6 +47,7 @@
<variable name='ldap_schemas' type='filename' description='Schémas LDAP additionnel' multi='True'>
<value>/etc/openldap/schema/cosine.ldif</value>
<value>/etc/openldap/schema/inetorgperson.ldif</value>
<value>/etc/openldap/schema/nis.ldif</value>
</variable>
<variable name='ldap_loglevel' type='number' description='Niveau de log' mode="expert">
<value>0</value>

View file

@ -5,6 +5,7 @@
<family name="remote_" description="Compte LDAP pour " dynamic="accounts.remotes">
<variable name="dn_" description="LDAP DN" hidden="True" provider="dn"/>
<variable name="password_" description="Mot de passe" auto_save="True" hidden="True" provider="client_password"/>
<variable name="family_" description="Nom de la familly" auto_save="True" hidden="True" provider="client_family"/>
<variable name="read_only_" description="Le compte est en lecture seule" type="boolean"/>
</family>
<family name="acl" description="Gestion des droits d'accès aux attributes" leadership="True">

View file

@ -1,3 +1,9 @@
%set %%dns = {}
%for %%remote in %%accounts.remotes
%set %%name = %%normalize_family(%%remote)
%set %%family = %%accounts['remote_' + %%name]['family_' + %%name]
%%dns.setdefault(%%family, []).append((%%accounts['remote_' + %%name]['dn_' + %%name], %%accounts['remote_' + %%name]['read_only_' + %%name]))%slurp
%end for
dn: olcDatabase={2}mdb,cn=config
changetype:modify
replace: olcAccess
@ -5,20 +11,22 @@ olcAccess: {0}to attrs=userPassword
by self write
by anonymous auth
by * none
olcAccess: {1}to dn.subtree="ou=users,%%ldap_base_dn"
by self read
%set %%aclidx = 1
%for %%remote in %%accounts.remotes
%set %%name = %%normalize_family(%%remote)
by dn="%%accounts['remote_' + %%name]['dn_' + %%name]" %slurp
%if %%accounts['remote_' + %%name]['read_only_' + %%name]
%for %%family, %%remotes in %%dns.items()
olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldap_base_dn, %%family)"
by self read
%for %%remote in %%remotes
by dn="%%remote[0]" %slurp
%if %%remote[1]
read%slurp
%else
write%slurp
%end if
%end for
%end for
%set %%aclidx += 1
by * none
%end for
%for %%idx, %%acl in %%enumerate(%%accounts.acl.ldap_acl_attribute)
%set %%aclidx += 1
olcAccess: {%%aclidx}to %%acl %echo ' '.join(%%acl.ldap_acl_rights)

View file

@ -35,8 +35,12 @@ sn: %%user.ldap_user_sn
givenName: %%user.ldap_user_gn
uid: %%user.ldap_user_uid
userPassword:: %%ssha_encode(%%user.ldap_user_password)
homeDirectory: /srv/home/users/%%user
uidNumber: 0
gidNumber: 0
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
%end for
# Families
@ -52,15 +56,19 @@ objectClass: top
objectClass: organizationalUnit
%for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
dn: cn=%%user,ou=families,%%ldap_base_dn
dn: cn=%%user,ou=%%family,ou=families,%%ldap_base_dn
cn: %%user
mail: %%user
sn: %%user['ldap_user_sn_' + %%family]
givenName: %%user['ldap_user_gn_' + %%family]
uid: %%user['ldap_user_uid_' + %%family]
userPassword:: %%ssha_encode(%%user['ldap_user_password_' + %%family])
homeDirectory: /srv/home/families/%%family/%%user
uidNumber: 0
gidNumber: 0
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
%end for
%end for

View file

@ -7,3 +7,20 @@ replace: userPassword
userPassword:: %%ssha_encode(%%accounts['remote_' + %%name]['password_' + %%name])
%end for
## Users
#%for %%user in %%accounts.users.ldap_user_mail
#dn: cn=%%user,ou=users,%%ldap_base_dn
#changetype: modify
#replace: homeDirectory
#homeDirectory: /srv/home/users/%%user
#
#%end for
## Families
#%for %%family in %%accounts.families
# %for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
#dn: cn=%%user,ou=%%family,ou=families,%%ldap_base_dn
#replace: homeDirectory
#homeDirectory: /srv/home/families/%%family/%%user
#
# %end for
#%end for

View file

@ -38,8 +38,8 @@
</variable>
<variable name="oauth2_client_external" redefine="True" remove_fill="True"/>
</family>
<family name="nginx" description="Reverse proxy">
<family name="revprox_client" description="Point d'entré des clients" leadership="True">
<family name="nginx">
<family name="revprox_client">
<variable name="revprox_client_location" redefine="True">
<value>/</value>
</variable>

View file

@ -25,5 +25,5 @@ rmdir "$IMAGE_NAME_RISOTTO_IMAGE_DIR/proc/self/"
rm -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh"
cd "$IMAGE_NAME_RISOTTO_IMAGE_DIR$PLUGINS_DIR/.."
patch -p0 < $OLDPWD/peertube/postinstall/peertube.patch
patch -p0 < $OLDPWD/peertube/manual/postinstall/peertube.patch
cd -

View file

@ -0,0 +1,6 @@
Debug
======
echo "log_level = debug" >> /etc/php-fpm.conf
systemctl restart php-fpm

View file

@ -9,11 +9,13 @@
</service>
</services>
<variables>
<family name="nginx">
<variable name="php_fpm_user" type="unix_user">
<value>root</value>
</variable>
<variable name="php_fpm_installed" type="boolean">
<value>True</value>
</variable>
</family>
</variables>
</rougail>

View file

@ -8,4 +8,3 @@ depends:
- relay-mail-client
- nginx-https
- php-fpm
- reverse-proxy-client

View file

@ -12,9 +12,11 @@
<variables>
<variable name="piwigo_admin_email" type="mail" description="Adresse courriel de l'administrateur Piwigo" mandatory="True"/>
<variable name="piwigo_admin_password" type="password" auto_save="True" hidden="True"/>
<family name="nginx">
<variable name="nginx_root_directory" mandatory="True" redefine="True">
<value>/usr/local/share/piwigo</value>
</variable>
</family>
<variable name="piwigo_title" type="string" description="Titre de l'album" mandatory="True">
<value>Album photographique</value>
</variable>

View file

@ -14,10 +14,10 @@ ln -s /etc/piwigo/database.inc.php piwigo/local/config/database.inc.php
ln -s /srv/piwigo/data piwigo/_data
ln -s /srv/piwigo/upload piwigo/upload
ln -s /srv/piwigo/logs piwigo/logs
cp $OLDPWD/piwigo/postinstall/osmmap.php piwigo/
cp $OLDPWD/piwigo/manual/postinstall/osmmap.php piwigo/
chmod 644 piwigo/osmmap.php
patch -p0 < $OLDPWD/piwigo/postinstall/piwigo.patch
cp $OLDPWD/piwigo/postinstall/piwigo_cli.php piwigo/
patch -p0 < $OLDPWD/piwigo/manual/postinstall/piwigo.patch
cp $OLDPWD/piwigo/manual/postinstall/piwigo_cli.php piwigo/
# Plugins
cd piwigo/plugins
wget https://piwigo.org/ext/download.php?rid=7848 -O plugin.zip

View file

@ -9,4 +9,4 @@ def calc_postfix_relay_domains(criteria):
if '@' in lst:
lst = lst.split('@')[1]
relay.add(lst)
return list(relay)
return sorted(list(relay))

View file

@ -2,7 +2,6 @@
<rougail version="0.10">
<services>
<service name="nginx" manage="False">
<file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_ca_file</file>
<file file_type="variable" source="revprox.crt">revprox_cert_file</file>
<file file_type="variable" source="revprox.key" owner_type="variable" owner="revprox_client_cert_owner" group_type="variable" group="revprox_client_cert_group" mode="400">revprox_key_file</file>
</service>
@ -32,10 +31,8 @@
<variable name="revprox_client_cert_group" type="unix_user" description="Reverse proxy certificate group">
<value>root</value>
</variable>
<variable name="revprox_ca_file" type="filename" description="Reverse proxy CA filename" hidden="True"/>
<variable name="revprox_cert_file" type="filename" description="Reverse proxy certificate filename" hidden="True"/>
<variable name="revprox_key_file" type="filename" description="Reverse proxy private key filename" hidden="True"/>
<variable name="nginx_default" exists="True" redefine="True" remove_fill="True" mandatory="False"/>
</family>
</variables>
<constraints>
@ -45,12 +42,6 @@
<param type="variable">revprox_client_local_location</param>
<target>revprox_client_web_address</target>
</fill>
<fill name="calc_value">
<param type="variable">tls_ca_directory</param>
<param>ca_InternalReverseProxy.crt</param>
<param name="join">/</param>
<target>revprox_ca_file</target>
</fill>
<fill name="calc_value">
<param type="variable">tls_cert_directory</param>
<param>revprox.crt</param>

View file

@ -1,3 +1,8 @@
Supprimer oauth
================
sed -i "s/'generic'/null/g" /etc/roundcubemail/config.inc.php
Debug ldap
==========

View file

@ -3,9 +3,8 @@ description: Interface web de consultation des courriels Roundcube
depends:
- base-fedora-35
- postgresql-client
- ldap-client-fedora
- imap-client
- redis-client
- oauth2-client
- apache
- nginx-https
- php-fpm

View file

@ -2,8 +2,8 @@
<rougail version="0.10">
<services>
<service name="roundcube" engine="creole" target="multi-user">
<file owner="root" group="apache" mode="640">/etc/roundcubemail/config.inc.php</file>
<file>/etc/httpd/conf.d/roundcubemail.conf</file>
<file owner="root" group="nginx" mode="640">/etc/roundcubemail/config.inc.php</file>
<file>/etc/nginx/default.d/roundcubemail.conf</file>
<file>/secrets/roundcube-init.php</file>
<file engine="none">/static/silique_cloud.svg</file>
<file engine="none">/static/watermark.html</file>
@ -32,9 +32,15 @@
</variable>
</family>
<family name="nginx">
<variable name="revprox_client_local_location" redefine="True">
<value>/roundcube/</value>
<variable name="nginx_root" redefine="True">
<value>/usr/share/roundcubemail/</value>
</variable>
<variable name="revprox_client_local_location" redefine="True">
<value>/</value>
</variable>
</family>
<family name="annuaire">
<variable name='ldapclient_family' redefine="True" exists="True" mandatory="True"/>
</family>
</variables>
<constraints>

View file

@ -0,0 +1,8 @@
#!/bin/bash -ex
echo """#!/bin/bash -e
/usr/bin/chgrp nginx /etc/roundcubemail/*
""" > "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh"
chmod +x "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh"
chroot "$IMAGE_NAME_RISOTTO_IMAGE_DIR" /install.sh
rm -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh"

View file

@ -1059,9 +1059,10 @@ $config['address_book_type'] = 'sql';
// Array key must contain only safe characters, ie. a-zA-Z0-9_
$config['ldap_public'] = [];
#>GNUNUX
%if %%getVar('ldap_server_address', None)
$config['ldap_public'] = array (
'Local' => array (
'name' => "Contacts",
'name' => "Ma famille",
'hosts' => array (
0 => 'ldaps://%%ldap_server_address',
),
@ -1073,7 +1074,7 @@ $config['ldap_public'] = array (
'auth_method' => '',
'vlv' => false, //Samba do not support Virtual List View functions
'user_specific' => false,
'base_dn' => 'ou=users,%%ldap_base_dn',
'base_dn' => 'ou=%%ldapclient_family,ou=families,%%ldap_base_dn',
'writable' => false,
'required_fields' => array (
0 => 'cn',
@ -1104,6 +1105,7 @@ $config['ldap_public'] = array (
),
),
);
%end if
#<GNUNUX
// If you are going to use LDAP for individual address books, you will need to

View file

@ -1,7 +1,7 @@
[Unit]
Description=Roundcube database init
After=postgresqlclient.service
Before=apache.service php-fpm.service
Before=nginx.service php-fpm.service
[Service]
Type=oneshot

View file

@ -1,60 +1,51 @@
#
# Round Cube Webmail is a browser-based multilingual IMAP client
#
location = / {
alias %%nginx_root;
}
location / {
root %%nginx_root;
index index.php;
#>GNUNUX
Alias /roundcube/skins/elastic/risotto/ /usr/local/lib/static/
<Directory /usr/local/lib/static/>
Require all granted
</Directory>
#<GNUNUX
# GNUNUX Alias /roundcubemail /usr/share/roundcubemail
Alias /roundcube /usr/share/roundcubemail
location ~ ^/bin/(.+)$ {
deny all;
}
location ~ ^/plugins/enigma/home/(.+)$ {
deny all;
}
# Define who can access the Webmail
# You can enlarge permissions once configured
# Define who can access the installer
# keep this secured once configured
<Directory /usr/share/roundcubemail/>
Require all granted
# GNUNUX <IfModule mod_authz_core.c>
# GNUNUX # Apache 2.4
# GNUNUX Require local
# GNUNUX </IfModule>
# GNUNUX <IfModule !mod_authz_core.c>
# GNUNUX # Apache 2.2
# GNUNUX Order Deny,Allow
# GNUNUX Deny from all
# GNUNUX Allow from 127.0.0.1
# GNUNUX Allow from ::1
# GNUNUX </IfModule>
</Directory>
location ~ ^/installer/(.+\.php)$ {
allow 127.0.0.1;
allow ::1;
deny all;
# Define who can access the installer
# keep this secured once configured
try_files $uri =404;
fastcgi_intercept_errors on;
include fastcgi_params;
fastcgi_param SERVER_NAME $host;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass php-fpm;
}
<Directory /usr/share/roundcubemail/installer/>
Order Allow,Deny
Deny from all
# GNUNUX <IfModule mod_authz_core.c>
# GNUNUX # Apache 2.4
# GNUNUX Require local
# GNUNUX </IfModule>
# GNUNUX <IfModule !mod_authz_core.c>
# GNUNUX # Apache 2.2
# GNUNUX Order Deny,Allow
# GNUNUX Deny from all
# GNUNUX Allow from 127.0.0.1
# GNUNUX Allow from ::1
# GNUNUX </IfModule>
</Directory>
# Define who can access the Webmail
# You can enlarge permissions once configured
# Those directories should not be viewed by Web clients.
<Directory /usr/share/roundcubemail/bin/>
Order Allow,Deny
Deny from all
</Directory>
<Directory /usr/share/roundcubemail/plugins/enigma/home/>
Order Allow,Deny
Deny from all
</Directory>
location ~ ^/(.+\.php)$ {
# GNUNUX allow 127.0.0.1;
# GNUNUX allow ::1;
# GNUNUX deny all;
try_files $uri =404;
fastcgi_intercept_errors on;
include fastcgi_params;
fastcgi_param SERVER_NAME $host;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass php-fpm;
}
}
location /skins/elastic/risotto {
alias /usr/local/lib/static/;
}

View file

@ -3,6 +3,7 @@
<services>
<service name="vaultwarden" target="multi-user">
<override/>
<file>/etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt</file>
<file engine="none" source="tmpfile-vaultwarden.conf">/tmpfiles.d/0vaultwarden.conf</file>
<file source="vaultwarden_config.env">/etc/vaultwarden/config.env</file>
</service>