From b96c29e40eced3a6f18fb05041fe321207d40d33 Mon Sep 17 00:00:00 2001 
From: Emmanuel Garette Date: Sun, 25 Dec 2022 17:08:52 +0100 Subject: [PATCH] improvements --- seed/apache/dictionaries/20_web.xml | 2 +- seed/apache/templates/server.ca | 2 +- .../dictionaries/11-debian-base.xml | 2 + .../dictionaries/17-debian-base.xml | 2 +- .../manual/image/postinstall/debian.sh | 16 +- .../image/postinstall/base_fedora_35.sh | 12 +- .../image/postinstall/base_fedora_version.sh | 12 +- .../dictionaries/17-fedora-base.xml | 2 +- .../manual/image/preinstall/base_fedora.sh | 2 +- seed/base-machine/dictionaries/12-base.xml | 19 +- seed/base-machine/funcs/funcs.py | 3 - seed/base/funcs/base.py | 33 +- seed/dns-local/dictionaries/13-dns-local.xml | 3 +- seed/dns-local/templates/dns-local.yml | 10 +- seed/dovecot/dictionaries/26_dovecot.xml | 4 +- seed/dovecot/templates/ca_IMAPServer.crt | 2 +- seed/dovecot/templates/ca_MailServer.crt | 2 +- seed/dovecot/templates/imap.yml | 2 +- seed/gitea/dictionaries/31_gitea.xml | 4 +- seed/gitea/manual/image/postinstall/gitea.sh | 6 +- .../dictionaries/21-machined.xml | 56 ++- .../extras/machined/00-machined.xml | 6 + .../templates/dhcp.network | 12 + .../templates/risottofirewall.service | 18 +- seed/imap-client/templates/ca_IMAPServer.crt | 2 +- .../dictionaries/21_ldap-client.xml | 2 +- seed/ldap-client/templates/ca_LDAP.crt | 2 +- seed/letsencrypt/funcs/letsencrypt.py | 18 +- seed/mailman/dictionaries/31_mailman.xml | 29 +- .../manual/image/postinstall/postorius.sh | 24 +- .../manual/image/preinstall/mailman.sh | 4 +- seed/mailman/templates/mailman-web.py | 263 ++++++++++++-- seed/mailman/templates/mailman.cfg | 328 ++++++++++++++++-- seed/mailman/templates/tmpfile-mailman.conf | 6 +- .../dictionaries/20_mariadb.xml | 2 +- seed/mariadb/dictionaries/20_mariadb.xml | 2 +- seed/nextcloud/dictionaries/31_nextcloud.xml | 2 +- .../manual/image/postinstall/nextcloud.sh | 14 +- seed/nginx-common/dictionaries/21_nginx.xml | 2 +- seed/nginx-https/templates/nginx.crt | 3 +- .../dictionaries/25_nginx.xml | 2 +- 
.../extras/nginx/00-nginx.xml | 6 +- .../nginx-reverse-proxy/templates/ca_HTTP.crt | 2 +- .../templates/ca_InternalReverseProxy.crt | 2 +- .../templates/certificate.crt | 1 + seed/nginx-reverse-proxy/templates/nginx.crt | 3 +- .../templates/revprox-nginx.conf | 2 + seed/nsd/dictionaries/20_nsd.xml | 6 + seed/nsd/extras/nsd/00_nsd.xml | 2 + seed/nsd/funcs/funcs.py | 20 +- seed/nsd/templates/nsd.yml | 6 +- .../dictionaries/30_oauth2_client.xml | 2 +- .../templates/oauth2-client.service | 2 +- seed/odoo/dictionaries/40_odoo.xml | 2 +- seed/odoo/manual/image/postinstall/odoo.sh | 28 +- .../dictionaries/21_openldap-server.xml | 4 +- .../image/postinstall/openldap_server.sh | 2 +- seed/openldap/templates/slapd.service | 8 +- seed/peertube/dictionaries/30_peertube.xml | 2 + .../manual/image/postinstall/peertube.sh | 18 +- seed/php-fpm/templates/php-fpm.conf | 1 + seed/php-fpm/templates/www.conf | 7 +- seed/php/dictionaries/20_php.xml | 12 +- seed/php/templates/php.ini | 5 +- seed/piwigo/dictionaries/31_piwigo.xml | 6 +- .../piwigo/manual/image/postinstall/piwigo.sh | 25 +- .../postfix-relay/dictionaries/30_postfix.xml | 6 + .../postfix-relay/templates/ca_MailServer.crt | 2 +- seed/postfix-relay/templates/postfix.service | 2 +- seed/postfix-relay/templates/sni.pem | 2 +- .../dictionaries/23_postgresql.xml | 6 +- .../templates/ca_PostgreSQL.crt | 2 +- .../postgresql/dictionaries/22_postgresql.xml | 4 +- .../extras/accounts/00_accounts.xml | 1 + seed/postgresql/templates/ca_PostgreSQL.crt | 2 +- .../dictionaries/10-machined.xml | 2 +- .../dictionaries/16-machined.xml | 4 +- seed/redis-client/dictionaries/23_redis.xml | 2 +- seed/redis-client/templates/ca_Redis.crt | 2 +- seed/redis-client/templates/redis.pem | 2 +- seed/redis/dictionaries/90_redis.xml | 2 +- seed/redis/extras/account/00_account.xml | 1 + seed/redis/templates/ca_Redis.crt | 2 +- .../dictionaries/20_smtp_client.xml | 6 + .../templates/ca_MailRelay.crt | 2 +- .../dictionaries/21_revprox_client.xml | 15 +- 
.../templates/ca_InternalReverseProxy.crt | 2 +- .../templates/revprox.crt | 2 +- seed/roundcube/dictionaries/31_roundcube.xml | 4 +- .../manual/image/postinstall/roundcube.sh | 8 +- seed/roundcube/templates/ca_MailServer.crt | 2 +- .../dictionaries/40_speedtest-rs.xml | 4 +- .../manual/image/postinstall/speedtest-rs.sh | 8 +- seed/systemd/dictionaries/15-systemd.xml | 16 +- seed/systemd/extras/machine/10_systemd.xml | 14 +- .../manual/image/postinstall/systemd.sh | 2 +- seed/unbound/dictionaries/20_unbound.xml | 3 +- seed/unbound/templates/risotto.conf | 6 +- .../dictionaries/40_vaultwarden.xml | 4 +- .../manual/image/postinstall/vaultwarden.sh | 2 +- 100 files changed, 946 insertions(+), 309 deletions(-) diff --git a/seed/apache/dictionaries/20_web.xml b/seed/apache/dictionaries/20_web.xml index dfc519f1..1cdf9127 100644 --- a/seed/apache/dictionaries/20_web.xml +++ b/seed/apache/dictionaries/20_web.xml @@ -19,7 +19,7 @@ - + 300 diff --git a/seed/apache/templates/server.ca b/seed/apache/templates/server.ca index ad46dd66..91ed66dd 100644 --- a/seed/apache/templates/server.ca +++ b/seed/apache/templates/server.ca @@ -1 +1 @@ -%%get_chain(authority_cn=%%revprox_client_server_domainname, authority_name="InternalReverseProxy", hide=%%hide_secret) +%%get_chain(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name="InternalReverseProxy", hide=%%hide_secret) diff --git a/seed/base-debian/dictionaries/11-debian-base.xml b/seed/base-debian/dictionaries/11-debian-base.xml index 48e321ab..73c4a163 100644 --- a/seed/base-debian/dictionaries/11-debian-base.xml +++ b/seed/base-debian/dictionaries/11-debian-base.xml @@ -10,7 +10,9 @@ /sysusers.d/debian.conf + + diff --git a/seed/base-debian/dictionaries/17-debian-base.xml b/seed/base-debian/dictionaries/17-debian-base.xml index b17a9da7..d3a0e363 100644 --- a/seed/base-debian/dictionaries/17-debian-base.xml +++ b/seed/base-debian/dictionaries/17-debian-base.xml 
@@ -1,7 +1,7 @@ - + - + + zones domain_name_eth ip_eth @@ -33,14 +34,16 @@ zone_name_eth - - zone_name_eth + + zones network + zone_name_eth network_eth - - zone_name_eth - gateway + + zones + host_ip + zone_name_eth gateway_eth diff --git a/seed/base-machine/funcs/funcs.py b/seed/base-machine/funcs/funcs.py index 6c4599cf..1784d5a3 100644 --- a/seed/base-machine/funcs/funcs.py +++ b/seed/base-machine/funcs/funcs.py @@ -6,9 +6,6 @@ from os.path import join as _join, isfile as _isfile, isdir as _isdir from os import makedirs as _makedirs, environ as _environ -#from risotto.utils import ZONES_SERVER - - _HERE = _environ['PWD'] _PASSWORD_DIR = _join(_HERE, 'password') diff --git a/seed/base/funcs/base.py b/seed/base/funcs/base.py index 6e3dde36..c4fe7125 100644 --- a/seed/base/funcs/base.py +++ b/seed/base/funcs/base.py @@ -1,10 +1,11 @@ -from typing import List -from risotto.utils import load_domains, DOMAINS from risotto.utils import multi_function as _multi_function +from typing import List as _List @_multi_function -def get_ip(server_name: str) -> str: +def get_ip(zones: dict, + server_name: str, + ) -> str: if server_name is None: return if isinstance(server_name, list): 
@@ -15,12 +16,32 @@ def get_ip(server_name: str) -> str: lst = [] for s_name in server_name: host_name, domain_name = s_name.split('.', 1) - if not domain_name in DOMAINS: + for zone in zones.values(): + if domain_name == zone['domain_name']: + break + else: raise ValueError(f'cannot find IP in domain name "{domain_name}" (for "{s_name}")') - domain = DOMAINS[domain_name] - ret = domain[1][domain[0].index(host_name)] + ret = zone['hosts'][host_name] if not return_list: return ret if ret not in lst: lst.append(ret) return lst + + +@_multi_function +def get_zones_info(zones: dict, + type: str, + zone_names: _List[str]=None, + zone_name: str=None, + index: int=None, + ) -> str: + if type == 'host_ip' and index != 0: + return + if zone_name: + if zone_name not in zones: + raise ValueError(f"cannot get zone informations in unknown zone '{zone_name}'") + if type == 'cidr': + return zones[zone_name]['host_ip'] + '/' + zones[zone_name]['network'].split('/')[-1] + return zones[zone_name][type] + return [data[type] for zone_name, data in zones.items() if not zone_names or zone_name in zone_names] diff --git a/seed/dns-local/dictionaries/13-dns-local.xml b/seed/dns-local/dictionaries/13-dns-local.xml index fb58cb48..30796579 100644 --- a/seed/dns-local/dictionaries/13-dns-local.xml +++ b/seed/dns-local/dictionaries/13-dns-local.xml @@ -10,12 +10,13 @@ - + + zones dns_client_address ip_dns diff --git a/seed/dns-local/templates/dns-local.yml b/seed/dns-local/templates/dns-local.yml index 1f5b1cef..dca8aa91 100644 --- a/seed/dns-local/templates/dns-local.yml +++ b/seed/dns-local/templates/dns-local.yml 
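Review bot: In `get_ip`, `ret = zone['hosts'][host_name]` raises a bare `KeyError` for an unknown host, whereas the removed `domain[0].index(host_name)` raised `ValueError` — the same type this function raises for an unknown domain — so callers catching `ValueError` no longer cover that case and the message carries no context; guard it with `if host_name not in zone['hosts']:` / `raise ValueError(f'cannot find host "{host_name}" in domain "{domain_name}" (for "{s_name}")')`. In `get_zones_info` the parameter named `type` shadows the builtin (`info_type` would be clearer), and the `'cidr'` branch builds the prefix length by splitting `network` on `/`, which presumes `network` is always in `a.b.c.d/len` form; a comment stating that assumption would help. `get_ip` begins before this hunk.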
@@ -6,15 +6,15 @@ addresses: %elif %%getVar('unbound_forward_address', None) is not None %for %%authority in %%unbound_forward_address - dns_address: %%authority - dns_ip: %%get_ip(%%str(%%authority)) + dns_ip: %%authority.unbound_allowed_client %end for -%else +%elif %%getVar('nsd_zones', None) %for %%zone in %%nsd_zones %set %%suffix = %%normalize_family(%%zone) %set %%hostnames = %%nsd["nsd_zone_" + %%suffix]["hostname_" + %%suffix]["hostname_" + %%suffix] - %for %%nsd in %%hostnames -- dns_address: %%{nsd}.%%zone - dns_ip: %%nsd["ip_" + %%suffix] + %for %%hostname in %%hostnames +- dns_address: %%{hostname}.%%zone + dns_ip: %%hostname["ip_" + %%suffix] %end for %end for %end if diff --git a/seed/dovecot/dictionaries/26_dovecot.xml b/seed/dovecot/dictionaries/26_dovecot.xml index 89a55027..db4d7673 100644 --- a/seed/dovecot/dictionaries/26_dovecot.xml +++ b/seed/dovecot/dictionaries/26_dovecot.xml @@ -85,11 +85,13 @@ diff --git a/seed/host-systemd-machined/templates/dhcp.network b/seed/host-systemd-machined/templates/dhcp.network index d6df20a9..53b91e99 100644 --- a/seed/host-systemd-machined/templates/dhcp.network +++ b/seed/host-systemd-machined/templates/dhcp.network @@ -2,4 +2,16 @@ Name=%%rougail_variable [Network] +%set %%leader = %%interface_names[%%rougail_index] +%if %%leader.interface_type == 'dhcp' DHCP=ipv4 +%else +DHCP=no +Address=%%leader.interface_ip + %if %%leader.first_interface +Gateway=%%leader.interface_gateway + %for %%dns in %%leader.interface_domain_name_servers +DNS=%%dns + %end for + %end if +%end if diff --git a/seed/host-systemd-machined/templates/risottofirewall.service b/seed/host-systemd-machined/templates/risottofirewall.service index fa56e57b..f83aae87 100644 --- a/seed/host-systemd-machined/templates/risottofirewall.service +++ b/seed/host-systemd-machined/templates/risottofirewall.service 
@@ -5,21 +5,27 @@ After=network.target [Service] Type=oneshot RemainAfterExit=yes +%set %%has_rules = False %for %%dns in %%machined.machines -%set %%machine = %%normalize_family(%%dns) -%set %%outgoing = %%machined['machine_' + %%machine]['outgoing_ports_' + %%machine] + %set %%machine = %%normalize_family(%%dns) + %set %%outgoing = %%machined['machine_' + %%machine]['outgoing_ports_' + %%machine] %if %%outgoing + %set %%ip = %%machined['machine_' + %%machine]['ip_' + %%machine] %for %%port in %%outgoing %if ':' in %%port -%set %%protocol, %%port = %%port.split(':') + %set %%protocol, %%port = %%port.split(':') %else -%set %%protocol = 'tcp' + %set %%protocol = 'tcp' %end if -ExecStart=/sbin/iptables -t nat -A POSTROUTING -s %%get_ip(%%dns) -p %%protocol -m %%protocol --dport %%port -o %%output_interface -j MASQUERADE -ExecStop=-/sbin/iptables -t nat -D POSTROUTING -s %%get_ip(%%dns) -p %%protocol -m %%protocol --dport %%port -o %%output_interface -j MASQUERADE +ExecStart=/sbin/iptables -t nat -A POSTROUTING -s %%ip -p %%protocol -m %%protocol --dport %%port -o %%output_interface -j MASQUERADE +ExecStop=-/sbin/iptables -t nat -D POSTROUTING -s %%ip -p %%protocol -m %%protocol --dport %%port -o %%output_interface -j MASQUERADE + %set %%has_rules = False %end for %end if %end for +%if not %%has_rules +ExecStart=/usr/bin/echo "No rule" +%end if [Install] WantedBy=multi-user.target diff --git a/seed/imap-client/templates/ca_IMAPServer.crt b/seed/imap-client/templates/ca_IMAPServer.crt index ed24ab89..04b8fc99 100644 --- a/seed/imap-client/templates/ca_IMAPServer.crt +++ b/seed/imap-client/templates/ca_IMAPServer.crt @@ -1 +1 @@ -%%get_chain(%%imap_address, 'IMAPServer', hide=%%hide_secret) +%%get_chain(%%domain_name_eth0, %%imap_address, 'IMAPServer', hide=%%hide_secret) diff --git a/seed/ldap-client/dictionaries/21_ldap-client.xml b/seed/ldap-client/dictionaries/21_ldap-client.xml index b0835e48..4b1239a8 100644 --- a/seed/ldap-client/dictionaries/21_ldap-client.xml 
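Review bot: The flag set at the end of the port loop, `%set %%has_rules = False`, never becomes true, so the trailing `ExecStart=/usr/bin/echo "No rule"` is emitted even when MASQUERADE rules were generated; it should read `%set %%has_rules = True`. As a secondary caveat, `%%port` and `%%protocol` come from `outgoing_ports` and are interpolated into the iptables command without validation, and systemd tokenises `ExecStart` on whitespace, so a malformed value would alter the command — worth constraining in the dictionary if that variable is not already restricted to `proto:port` tokens. The unit's `[Service]` section begins before this hunk.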
+++ b/seed/ldap-client/dictionaries/21_ldap-client.xml @@ -2,7 +2,7 @@ - + ldap_client_file ldap_ca_file ldap_cert_file diff --git a/seed/ldap-client/templates/ca_LDAP.crt b/seed/ldap-client/templates/ca_LDAP.crt index d04f2f99..59f77a0e 100644 --- a/seed/ldap-client/templates/ca_LDAP.crt +++ b/seed/ldap-client/templates/ca_LDAP.crt @@ -1 +1 @@ -%%get_chain(%%ldap_server_address, 'LDAP', hide=%%hide_secret) +%%get_chain(cn=%%domain_name_eth0, authority_cn=%%ldap_server_address, authority_name="LDAP", hide=%%hide_secret) diff --git a/seed/letsencrypt/funcs/letsencrypt.py b/seed/letsencrypt/funcs/letsencrypt.py index 7238932d..6628068d 100644 --- a/seed/letsencrypt/funcs/letsencrypt.py +++ b/seed/letsencrypt/funcs/letsencrypt.py @@ -3,7 +3,7 @@ from subprocess import run as _run from os.path import join as _join, isfile as _isfile, isdir as _isdir from datetime import datetime as _datetime from shutil import copyfile as _copyfile -from os import makedirs as _makedirs, environ as _environ +from os import makedirs as _makedirs, environ as _environ, listdir as _listdir, unlink as _unlink _HERE = _environ['PWD'] 
@@ -54,25 +54,31 @@ def letsencrypt_certif(domain: str, '360', ] ret = _run(cli_args, capture_output=True) - if ret.returncode != 0: - print("FIXME") + #if ret.returncode != 0: + # print("FIXME") #raise ValueError(ret.stderr.decode()) # print("Done") with open(date_file, 'w') as fh: fh.write(today) rootdir = _join(_X509_DIR, f'{authority_name}+{authority_cn}') - chaindir = _join(rootdir, 'ca') certdir = _join(rootdir, 'certificats', domain, 'server') + chaindir = _join(rootdir, 'certificats', domain, 'ca') week_number = date.isocalendar().week for dirname in (chaindir, certdir): if not _isdir(dirname): _makedirs(dirname) + certificate_name = f'certificate_{week_number}.crt' _copyfile(_join(_LE_DIR, domain, 'config/live', domain, 'chain.pem'), - _join(chaindir, f'certificate_{week_number}.crt'), + _join(chaindir, certificate_name), ) _copyfile(_join(_LE_DIR, domain, 'config/live', domain, 'privkey.pem'), _join(certdir, 'private.key'), ) _copyfile(_join(_LE_DIR, domain, 'config/live', domain, 'fullchain.pem'), - _join(certdir, f'certificate_{week_number}.crt'), + _join(certdir, certificate_name), ) + for dirname in (chaindir, certdir): + for filename in _listdir(dirname): + if not filename.endswith('.crt') or filename == certificate_name: + continue + _unlink(_join(dirname, filename)) diff --git a/seed/mailman/dictionaries/31_mailman.xml b/seed/mailman/dictionaries/31_mailman.xml index 3ee89c0f..1e3378ba 100644 --- a/seed/mailman/dictionaries/31_mailman.xml +++ b/seed/mailman/dictionaries/31_mailman.xml @@ -1,24 +1,23 @@ - - - /etc/mailman.cfg - /etc/mailman3.d/postfix.cfg - /sysusers.d/0mailman.conf + + + /etc/mailman3/mailman.cfg /tmpfiles.d/0mailman.conf - - - /etc/postorius/gunicorn_config.py - /sysusers.d/0postorius.conf - /etc/nginx/default.d/postorius.conf - /etc/mailman3.d/postorius.py /tests/mailman.yml + - + + + /etc/mailman3/mailman-web.py + + - /etc/pki/tls/private/postgresql_postorius.key - + + @@ -56,7 +55,7 @@ - mailman + list 
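Review bot: Commenting out the return-code check after `ret = _run(cli_args, capture_output=True)` means a failed certbot run is silently ignored: `date_file` is still stamped with today and the `_copyfile` calls then either raise a FileNotFoundError with no hint of the real cause or republish whatever stale material is left under `config/live`. Restore the check before the `with open(date_file, 'w')` block, `if ret.returncode != 0:` / `raise ValueError(ret.stderr.decode())`, or at least log stderr and return without stamping the date so the next run retries. The pruning loop at the end is fine since it keeps `private.key` and only the current week's `.crt`, but note it now also prunes `chaindir`, which this hunk moves under `certificats/<domain>/ca`. `letsencrypt_certif` starts before this hunk.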
diff --git a/seed/mailman/manual/image/postinstall/postorius.sh b/seed/mailman/manual/image/postinstall/postorius.sh index 23a6f7cc..1c5ed1c0 100644 --- a/seed/mailman/manual/image/postinstall/postorius.sh +++ b/seed/mailman/manual/image/postinstall/postorius.sh 
@@ -1,12 +1,12 @@ -PYTHON="usr/lib/python3.10/site-packages" -cp -a "$IMAGE_DIR_RECIPIENT_IMAGE/postinstall/lemonldap" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/allauth/socialaccount/providers/" -cp -a "$IMAGE_DIR_RECIPIENT_IMAGE/postinstall/risotto" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/allauth/socialaccount/providers/" -cp -a "$IMAGE_DIR_RECIPIENT_IMAGE/postinstall/postorius" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius" -chmod +x "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius/manage.py" -ln -s /etc/mailman3.d/postorius.py "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius/m_postorius/settings_local.py" -ln -s ../../django_mailman3/static/django-mailman3 "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/postorius/static/" -ln -s ../../django/contrib/admin/static/admin "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/postorius/static/" -#translation -msgfmt $IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/postorius/locale/fr/LC_MESSAGES/django.po -o $IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/postorius/locale/fr/LC_MESSAGES/django.mo -sed -i 's/$event.mlist.fqdn_listname\./$event.mlist.fqdn_listname/g' $IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/mailman/messages/fr/LC_MESSAGES/mailman.po -msgfmt $IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/mailman/messages/fr/LC_MESSAGES/mailman.po -o $IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/mailman/messages/fr/LC_MESSAGES/mailman.mo +#PYTHON="usr/lib/python3/site-packages" +#cp -a "$IMAGE_DIR_RECIPIENT_IMAGE/postinstall/lemonldap" "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/$PYTHON/allauth/socialaccount/providers/" +#cp -a "$IMAGE_DIR_RECIPIENT_IMAGE/postinstall/risotto" "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/$PYTHON/allauth/socialaccount/providers/" +#cp -a "$IMAGE_DIR_RECIPIENT_IMAGE/postinstall/postorius" "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/share/postorius" +#chmod +x "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/share/postorius/manage.py" +#ln -s /etc/mailman3.d/postorius.py "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/share/postorius/m_postorius/settings_local.py" +#ln -s 
../../django_mailman3/static/django-mailman3 "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/$PYTHON/postorius/static/" +#ln -s ../../django/contrib/admin/static/admin "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/$PYTHON/postorius/static/" +##translation +#msgfmt $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/$PYTHON/postorius/locale/fr/LC_MESSAGES/django.po -o $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/$PYTHON/postorius/locale/fr/LC_MESSAGES/django.mo +#sed -i 's/$event.mlist.fqdn_listname\./$event.mlist.fqdn_listname/g' $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/$PYTHON/mailman/messages/fr/LC_MESSAGES/mailman.po +#msgfmt $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/$PYTHON/mailman/messages/fr/LC_MESSAGES/mailman.po -o $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/$PYTHON/mailman/messages/fr/LC_MESSAGES/mailman.mo diff --git a/seed/mailman/manual/image/preinstall/mailman.sh b/seed/mailman/manual/image/preinstall/mailman.sh index fcc29ea9..2101ebbb 100644 --- a/seed/mailman/manual/image/preinstall/mailman.sh +++ b/seed/mailman/manual/image/preinstall/mailman.sh @@ -1 +1,3 @@ -PKG="$PKG mailman3 postorius python3-psycopg2 python-unversioned-command python3-django-cors-headers" +#PKG="$PKG mailman3 postorius python3-psycopg2 python-unversioned-command python3-django-cors-headers" +PKG="$PKG mailman3-full" +#python3-xapian-haystack diff --git a/seed/mailman/templates/mailman-web.py b/seed/mailman/templates/mailman-web.py index a0aae369..8ba705d5 100644 --- a/seed/mailman/templates/mailman-web.py +++ b/seed/mailman/templates/mailman-web.py 
@@ -1,37 +1,239 @@ -# -*- coding: utf-8 -*- +# This file is imported by the Mailman Suite. It is used to override +# the default settings from /usr/share/mailman3-web/settings.py. + +# SECURITY WARNING: keep the secret key used in production secret! +#>GNUNUX SECRET_KEY = '%%postorius_secret_key' -#FIXME same database has mailman? +#GNUNUX + #'*' + '%%{revprox_client_external_domainnames[0]}' +#GNUNUX +# Mailman API credentials +#MAILMAN_REST_API_URL = 'http://localhost:8001' +#MAILMAN_REST_API_USER = 'restadmin' +#MAILMAN_REST_API_PASS = 'T0zVrLFZBJrftkW9Sjs660sEr/P3zehYGYPuo93LSGZT1KHd' +#MAILMAN_ARCHIVER_KEY = 'BzzgFI+QbeFOsGFy0Q6wfD5cp9fQvk1o' +#MAILMAN_ARCHIVER_FROM = ('127.0.0.1', '::1') +#GNUNUX + #'ENGINE': 'django.db.backends.sqlite3', +#GNUNUX + #'NAME': '/var/lib/mailman3/web/mailman3web.db', +#GNUNUX + #'USER': '', + #'PASSWORD': '', +#GNUNUX + #'HOST': '', 'ENGINE': 'django.db.backends.postgresql_psycopg2', - 'NAME': '%%pg_client_database', # Database name +#FIXME same database has mailman? + 'NAME': '%%pg_client_database', 'USER': '%%pg_client_username', # PostgreSQL username 'PASSWORD': '%%pg_client_password', # PostgreSQL password 'HOST': '%%pg_client_server_domainname', # Database server - 'PORT': '', # Database port (leave blank for default) - 'CONN_MAX_AGE': 300, # Max database connection age - 'OPTIONS': {'sslmode': 'verify-full', 'sslcert': '%%pg_client_crt_file', 'sslkey': '/etc/pki/tls/private/postgresql_postorius.key', 'sslrootcert': '%%pg_client_ca_file'}, + 'CONN_MAX_AGE': 300, +#>GNUNUX + # PORT: set to empty string for default. + 'PORT': '', + # OPTIONS: Extra parameters to use when connecting to the database. + 'OPTIONS': { + # Set sql_mode to 'STRICT_TRANS_TABLES' for MySQL. 
See + # https://docs.djangoproject.com/en/1.11/ref/ + # databases/#setting-sql-mode + #'init_command': "SET sql_mode='STRICT_TRANS_TABLES'", +#>GNUNUX + 'sslmode': 'verify-full', + 'sslcert': '%%pg_client_crt_file', + 'sslkey': '/etc/pki/tls/private/postgresql_postorius.key', + 'sslrootcert': '%%pg_client_ca_file', +#GNUNUX +SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') +#GNUNUX +CSRF_TRUSTED_ORIGINS = ['%%{revprox_client_external_domainnames[0]}'] +#GNUNUX +#LANGUAGE_CODE = 'en-us' +LANGUAGE_CODE = 'fr' +#GNUNUX +#DEFAULT_FROM_EMAIL = 'postorius@{}'.format(EMAILNAME) +DEFAULT_FROM_EMAIL = '%%mailman_mail_owner' +#GNUNUX +#SERVER_EMAIL = 'root@{}'.format(EMAILNAME) +SERVER_EMAIL = '%%mailman_mail_owner' EMAIL_HOST = "%%smtp_relay_address" EMAIL_PORT = 25 EMAIL_HOST_USER = "%%smtp_relay_user@%%ip_eth0" EMAIL_HOST_PASSWORD = "%%smtp_relay_password" EMAIL_USE_TLS = True -DEFAULT_FROM_EMAIL = '%%mailman_mail_owner' +#FIXME EMAIL_SUBJECT_PREFIX = '[Django] ' -SERVER_EMAIL = '%%mailman_mail_owner' -SOCIALACCOUNT_EMAIL_VERIFICATION = 'none' + + +STATIC_URL = '/mailman/postorius_static/' +FORCE_SCRIPT_NAME = '/mailman' +#GNUNUX +SOCIALACCOUNT_EMAIL_VERIFICATION = 'none' +#GNUNUX +#POSTORIUS_TEMPLATE_BASE_URL = 'http://localhost/mailman3/' +POSTORIUS_TEMPLATE_BASE_URL = 'https://%%{revprox_client_external_domainnames[0]}' +#. + +# This file contains the Debian configuration for mailman. It uses ini-style +# formats under the lazr.config regime to define all system configuration +# options. See for details. + [mailman] -# GNUNUX default_language: en -#>GNUNUX -default_language: fr -#GNUNUX +#site_owner: changeme@example.com site_owner: %%mailman_mail_owner +#GNUNUX +#default_language: en +default_language: fr +#>> + +# Banner to show on startup. +banner: Welcome to the GNU Mailman shell + +# Use IPython as the shell, which must be found on the system. 
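Review bot: `'sslkey': '/etc/pki/tls/private/postgresql_postorius.key'` is still hard-coded while `sslcert` and `sslrootcert` on the neighbouring lines come from `%%pg_client_crt_file` / `%%pg_client_ca_file`, and the `31_mailman.xml` hunk in this commit drops the `/etc/pki/tls/private/postgresql_postorius.key` entry; if that file is no longer provisioned, Django's `verify-full` connection to PostgreSQL will fail at startup. Use the same variable mailman.cfg uses for the core database URL, `'sslkey': '%%pg_client_key_file',`, and make sure that key is readable by the account mailman-web runs under (not visible here). `SOCIALACCOUNT_EMAIL_VERIFICATION = 'none'` is carried over unchanged; it means an address asserted by the OIDC/social provider is trusted without verification, which is only safe if every configured provider verifies addresses itself — a comment recording that reliance would help the next maintainer.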
Valid values +# are `no`, `yes`, and `debug` where the latter is equivalent to `yes` except +# that any import errors will be displayed to stderr. +use_ipython: no + +# Set this to allow for command line history if readline is available. This +# can be as simple as $var_dir/history.py to put the file in the var directory. +history_file: + + +[paths.debian] +# Important directories for Mailman operation. These are defined here so that +# different layouts can be supported. For example, a developer layout would +# be different from a FHS layout. Most paths are based off the var_dir, and +# often just setting that will do the right thing for all the other paths. +# You might also have to set spool_dir though. +# +# Substitutions are allowed, but must be of the form $var where 'var' names a +# configuration variable in the paths.* section. Substitutions are expanded +# recursively until no more $-variables are present. Beware of infinite +# expansion loops! +# +# This is the root of the directory structure that Mailman will use to store +# its run-time data. 
+#>GNUNUX +#var_dir: /var/lib/mailman3 +var_dir: /srv/mailman/ +#GNUNUX +#log_dir: /var/log/mailman3 +log_dir: /srv/mailman/log +#GNUNUX -[database] class: mailman.database.postgresql.PostgreSQLDatabase +#GNUNUX url: postgresql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database?sslmode=verify-full&sslcert=%%pg_client_crt_file&sslkey=%%pg_client_key_file&sslrootcert=%%pg_client_ca_file +#GNUNUX +#FIXME format: %(asctime)s (%(process)d) %(message)s +#FIXME datefmt: %b %d %H:%M:%S %Y +#FIXME propagate: no +#FIXME level: info +#FIXME path: mailman.log +#GNUNUX +#hostname: localhost +hostname: %%mailman_domains +#GNUNUX +#port: 8001 +port: 443 +#GNUNUX +#use_https: no +use_https: yes +#GNUNUX +#smtp_host: localhost smtp_host: %%smtp_relay_address -smtp_user: %%smtp_relay_user@%%ip_eth0 -smtp_pass: %%smtp_relay_password smtp_port: 25 +#smtp_user: +smtp_user: %%smtp_relay_user@%%ip_eth0 +#smtp_pass: +smtp_pass: %%smtp_relay_password smtp_secure_mode: starttls smtp_verify_cert: yes smtp_verify_hostname: yes #GNUNUX -var_dir: /srv/mailman/lib -queue_dir: /srv/mailman/spool -log_dir: /var/log/mailman +#lmtp_host: 127.0.0.1 +lmtp_host: %%ip_eth0 # - + diff --git a/seed/mariadb/dictionaries/20_mariadb.xml b/seed/mariadb/dictionaries/20_mariadb.xml index a035d512..e125dbbf 100644 --- a/seed/mariadb/dictionaries/20_mariadb.xml +++ b/seed/mariadb/dictionaries/20_mariadb.xml @@ -6,7 +6,7 @@ /etc/my.cnf.d/risotto.cnf /tmpfiles.d/0mariadb.conf /etc/mariadb.sql - /tests/mariadb.yml + /tests/mariadb.yml diff --git a/seed/nextcloud/dictionaries/31_nextcloud.xml b/seed/nextcloud/dictionaries/31_nextcloud.xml index 26e5a2e7..c93e76c9 100644 --- a/seed/nextcloud/dictionaries/31_nextcloud.xml +++ b/seed/nextcloud/dictionaries/31_nextcloud.xml @@ -3,7 +3,7 @@ - + /etc/nextcloud/config.php /sbin/nextcloud.init /etc/httpd/conf.d/a-nextcloud-access.conf 
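Review bot: The overrides `hostname: %%mailman_domains`, `port: 443` and `use_https: yes` replace defaults (`localhost`, `8001`, `no`) that are those of Mailman core's `[webservice]` section; if that is where they live (section headers are not visible in this hunk), the REST runner will try to bind its API on the list domain's port 443 instead of loopback, `use_https` does not make the built-in server speak TLS, and the Postorius default `MAILMAN_REST_API_URL = 'http://localhost:8001'` left commented in mailman-web.py would no longer match. That API is guarded only by `admin_user`/`admin_pass` basic auth, which is not shown here, so moving it off loopback deserves an explicit decision and a comment such as `# REST API intentionally reachable on the list domain; credentials in [webservice] admin_user/admin_pass`. Likewise `lmtp_host: %%ip_eth0` exposes LMTP on the interface address rather than 127.0.0.1 — presumably so the Postfix relay can deliver — and should be paired with a firewall rule limiting the LMTP port to the relay's address unless that is handled elsewhere.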
diff --git a/seed/nextcloud/manual/image/postinstall/nextcloud.sh b/seed/nextcloud/manual/image/postinstall/nextcloud.sh index 4bc4832d..ae2b0607 100644 --- a/seed/nextcloud/manual/image/postinstall/nextcloud.sh +++ b/seed/nextcloud/manual/image/postinstall/nextcloud.sh @@ -1,6 +1,7 @@ -ln -s "$IMAGE_NAME_RISOTTO_IMAGE_DIR/srv/nextcloud/data" "/var/lib/risotto/images/nextcloud//usr/share/nextcloud/data" -mkdir -p "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/local/share/nextcloud/apps" -cd "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/local/share/nextcloud/apps" +CALENDAR="3.5.2" +ln -s "/srv/nextcloud/data" "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/share/nextcloud/data" +mkdir -p "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/local/share/nextcloud/apps" +cd "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/local/share/nextcloud/apps" #user_saml=$(wget https://api.github.com/repos/nextcloud/user_saml/releases/latest -q -O - | jq -r '.assets[0].browser_download_url') app=$(wget https://api.github.com/repos/pulsejet/nextcloud-oidc-login/releases/latest -q -O - | jq -r '.assets[0].browser_download_url') wget -q $app 
@@ -8,20 +9,21 @@ tar xf *tar.gz rm -f *tar.gz chown -R root: oidc_login # -app=$(wget https://api.github.com/repos/nextcloud-releases/calendar/releases/latest -q -O - | jq -r '.assets[0].browser_download_url') +#app=$(wget https://api.github.com/repos/nextcloud-releases/calendar/releases/latest -q -O - | jq -r '.assets[0].browser_download_url') +app="https://github.com/nextcloud-releases/calendar/releases/download/v${CALENDAR}/calendar-v${CALENDAR}.tar.gz" wget -q $app -O app.tar.gz tar xf app.tar.gz rm -f app.tar.gz chown -R root: calendar # -app=$(wget https://api.github.com/repos/nextcloud-releases/contacts/releases/latest -q -O - | jq -r '.assets[0].browser_download_url') +#app=$(wget https://api.github.com/repos/nextcloud-releases/contacts/releases/latest -q -O - | jq -r '.assets[0].browser_download_url') app=https://github.com/nextcloud-releases/contacts/releases/download/v4.2.2/contacts-v4.2.2.tar.gz wget -q $app -O app.tar.gz tar xf app.tar.gz rm -f app.tar.gz chown -R root: contacts # -app=$(wget https://api.github.com/repos/nextcloud/notes/releases/latest -q -O - | jq -r '.assets[0].browser_download_url') +#app=$(wget https://api.github.com/repos/nextcloud/notes/releases/latest -q -O - | jq -r '.assets[0].browser_download_url') app=https://github.com/nextcloud/notes/releases/download/v4.5.1/notes.tar.gz wget -q $app -O app.tar.gz tar xf app.tar.gz diff --git a/seed/nginx-common/dictionaries/21_nginx.xml b/seed/nginx-common/dictionaries/21_nginx.xml index 210676f4..ec67a93b 100644 --- a/seed/nginx-common/dictionaries/21_nginx.xml +++ b/seed/nginx-common/dictionaries/21_nginx.xml @@ -24,7 +24,7 @@ False - + diff --git a/seed/nginx-https/templates/nginx.crt b/seed/nginx-https/templates/nginx.crt index 9a430003..cec84897 100644 --- a/seed/nginx-https/templates/nginx.crt +++ b/seed/nginx-https/templates/nginx.crt 
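Review bot: Pinning `CALENDAR="3.5.2"` and the contacts/notes URLs fixes the version, but the archives are still fetched with `wget -q` and unpacked by `tar xf` as root into the image with no integrity check, so a replaced or tampered release asset lands in every built image. Record the expected digest next to each version and verify before extracting, e.g. `echo "${CALENDAR_SHA256}  app.tar.gz" | sha256sum -c - || exit 1` ahead of `tar xf app.tar.gz`, and check the `wget` exit status, since a failed download otherwise yields an empty or partial archive (whether `set -e` is in effect is not visible here). `oidc_login` in the first hunk of this file is still resolved from `releases/latest` and deserves the same pinning and digest.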
@@ -1,2 +1,3 @@ +%set %%chain = %%get_chain(%%domain_name_eth0, %%revprox_client_server_domainname, 'InternalReverseProxy', hide=%%hide_secret) %%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy', type="server", hide=%%hide_secret) -%%get_chain(%%revprox_client_server_domainname, 'InternalReverseProxy', hide=%%hide_secret) +%%chain diff --git a/seed/nginx-reverse-proxy/dictionaries/25_nginx.xml b/seed/nginx-reverse-proxy/dictionaries/25_nginx.xml index e4aa3699..27134013 100644 --- a/seed/nginx-reverse-proxy/dictionaries/25_nginx.xml +++ b/seed/nginx-reverse-proxy/dictionaries/25_nginx.xml @@ -2,7 +2,7 @@ - + /etc/nginx/conf.d/options-rp.conf /etc/nginx/sites-enabled/risotto.conf nginx.nginx_certificate_filename diff --git a/seed/nginx-reverse-proxy/extras/nginx/00-nginx.xml b/seed/nginx-reverse-proxy/extras/nginx/00-nginx.xml index c80da867..b68dcb34 100644 --- a/seed/nginx-reverse-proxy/extras/nginx/00-nginx.xml +++ b/seed/nginx-reverse-proxy/extras/nginx/00-nginx.xml @@ -7,7 +7,7 @@ diff --git a/seed/nginx-reverse-proxy/templates/ca_HTTP.crt b/seed/nginx-reverse-proxy/templates/ca_HTTP.crt index dcbc3aa3..13cfeeab 100644 --- a/seed/nginx-reverse-proxy/templates/ca_HTTP.crt +++ b/seed/nginx-reverse-proxy/templates/ca_HTTP.crt @@ -1,3 +1,3 @@ %for %%idx in %%range(%%len(%%zones_list)) -%%get_chain(authority_cn=%%getVar('domain_name_eth' + %%str(%%idx)), authority_name="HTTP", hide=%%hide_secret) +%%get_chain(cn=%%getVar('domain_name_eth' + %%str(%%idx)), authority_cn=%%getVar('domain_name_eth' + %%str(%%idx)), authority_name="HTTP", hide=%%hide_secret) %end for diff --git a/seed/nginx-reverse-proxy/templates/ca_InternalReverseProxy.crt b/seed/nginx-reverse-proxy/templates/ca_InternalReverseProxy.crt index 0342bded..69445abd 100644 --- a/seed/nginx-reverse-proxy/templates/ca_InternalReverseProxy.crt +++ b/seed/nginx-reverse-proxy/templates/ca_InternalReverseProxy.crt 
@@ -1,3 +1,3 @@ %for %%idx in %%range(%%len(%%zones_list)) -%%get_chain(authority_cn=%%getVar('domain_name_eth' + %%str(%%idx)), authority_name="InternalReverseProxy", hide=%%hide_secret) +%%get_chain(cn=%%getVar('domain_name_eth' + %%str(%%idx)), authority_cn=%%getVar('domain_name_eth' + %%str(%%idx)), authority_name="InternalReverseProxy", hide=%%hide_secret) %end for diff --git a/seed/nginx-reverse-proxy/templates/certificate.crt b/seed/nginx-reverse-proxy/templates/certificate.crt index f604de8c..c3df7f22 100644 --- a/seed/nginx-reverse-proxy/templates/certificate.crt +++ b/seed/nginx-reverse-proxy/templates/certificate.crt @@ -1 +1,2 @@ +%set %%chain=%%get_chain(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name="External", hide=%%hide_secret) %%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret) diff --git a/seed/nginx-reverse-proxy/templates/nginx.crt b/seed/nginx-reverse-proxy/templates/nginx.crt index de2a8a1d..f56de4f5 100644 --- a/seed/nginx-reverse-proxy/templates/nginx.crt +++ b/seed/nginx-reverse-proxy/templates/nginx.crt @@ -1,2 +1,3 @@ +%set %%chain = %%get_chain(cn=%%nginx_default, authority_cn=%%domain_name_eth0, authority_name='HTTP', hide=%%hide_secret) %%get_certificate(%%nginx_default, authority_cn=%%domain_name_eth0, authority_name='HTTP', type="server", hide=%%hide_secret) -%%get_chain(%%nginx_default, 'HTTP', hide=%%hide_secret) +%%chain diff --git a/seed/nginx-reverse-proxy/templates/revprox-nginx.conf b/seed/nginx-reverse-proxy/templates/revprox-nginx.conf index 0f48e774..a96adb5a 100644 --- a/seed/nginx-reverse-proxy/templates/revprox-nginx.conf +++ b/seed/nginx-reverse-proxy/templates/revprox-nginx.conf 
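Review bot: In certificate.crt, `%set %%chain=%%get_chain(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name="External", hide=%%hide_secret)` assigns the chain but the template never emits `%%chain`, unlike nginx.crt in this same commit, which writes `%%chain` after the server certificate. If the call is intentional only for its side effect (presumably provisioning the chain file for the `External` authority, whose Let's Encrypt material already copies `fullchain.pem`), say so in a template comment; otherwise append a `%%chain` line after the `%%get_certificate(...)` line so the served file includes the intermediate.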
@@ -45,6 +45,8 @@ server { proxy_ssl_verify on; proxy_ssl_verify_depth 2; proxy_ssl_session_reuse on; + # SNI support + proxy_ssl_server_name on; %set %%maxbody = %%rp_domainname['revprox_max_body_size_' + %%family] %if %%maxbody client_max_body_size %%maxbody; diff --git a/seed/nsd/dictionaries/20_nsd.xml b/seed/nsd/dictionaries/20_nsd.xml index eb7c213f..20d49b53 100644 --- a/seed/nsd/dictionaries/20_nsd.xml +++ b/seed/nsd/dictionaries/20_nsd.xml @@ -45,6 +45,7 @@ ip_dns + zones nsd_allowed_client nsd_allowed_client_ip @@ -60,10 +61,13 @@ nsd_allowed_all_client + zones nsd_resolver nsd_resolve_ip + zones_list + zones nsd_zones @@ -101,7 +105,9 @@ nsd_reverse_filenames_signed + zones network + zones_list nsd_reverse_network diff --git a/seed/nsd/extras/nsd/00_nsd.xml b/seed/nsd/extras/nsd/00_nsd.xml index 16228bad..846c9cd5 100644 --- a/seed/nsd/extras/nsd/00_nsd.xml +++ b/seed/nsd/extras/nsd/00_nsd.xml @@ -16,11 +16,13 @@ + zones host nsd.nsd_zone_.hostname_.hostname_ + zones ip diff --git a/seed/nsd/funcs/funcs.py b/seed/nsd/funcs/funcs.py index 387743a6..31582bb0 100644 --- a/seed/nsd/funcs/funcs.py +++ b/seed/nsd/funcs/funcs.py @@ -8,8 +8,6 @@ from shutil import rmtree as _rmtree, copy2 as _copy2 from glob import glob as _glob from filecmp import cmp as _cmp -from risotto.utils import DOMAINS as _DOMAINS - _PKI_DIR = _abspath('pki/dnssec') _ALGO = 'ECDSAP256SHA256' @@ -106,8 +104,8 @@ def sign(zone_filename: str, copy_file = _join(_PKI_DIR, cn, authority_cn, _basename(zone_filename)) signed_filename = f'{copy_file}.signed' if not _isfile(copy_file) or not _cmp(zone_filename, copy_file): - _copy2(zone_filename, copy_file) zsk, ksk = _gen_keys(cn, authority_cn) + _copy2(zone_filename, copy_file) cmd = ['ldns-signzone', '-n', zone_filename, zsk, ksk] proc = _run(cmd, capture_output=True) if proc.returncode != 0: 
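Review bot: `proxy_ssl_server_name on;` sends as SNI the host taken from `proxy_pass`, and the `proxy_ssl_verify on` two lines above verifies the backend certificate against that same name; if `proxy_pass` (outside the hunk) names an `upstream` block or an IP literal, the SNI sent is that token and verification cannot match the backend's certificate. Setting the name explicitly, e.g. `proxy_ssl_name %%<backend FQDN variable>;` next to the new directive, pins both the SNI and the verified name independently of how proxy_pass is spelled; whether the existing proxy_pass already uses the backend FQDN is not visible here. The enclosing `server {` block starts and ends outside the hunk.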
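Review bot: In `sign`, moving `_copy2(zone_filename, copy_file)` after `_gen_keys` means a failed key generation leaves no stale copy behind, which is the right order, but `zsk, ksk` are still bound only inside the `if`; on the path where `copy_file` exists and `_cmp` reports it unchanged, the following `cmd = ['ldns-signzone', '-n', zone_filename, zsk, ksk]` raises NameError unless lines of `sign` above the hunk bind them or return early. It is also worth confirming that `_gen_keys(cn, authority_cn)` is idempotent for an existing pair, because this branch runs on every content change of the zone and regenerating the KSK on each edit would invalidate the DS record published at the parent; a comment on the `if` stating which of the two it is would settle that for the next reader. The function starts and ends outside the hunk.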
@@ -123,12 +121,20 @@ def sign(zone_filename: str, return content -def get_internal_info_in_zone(zone: str, +def get_internal_info_in_zone(zones: list, + domain_name: str, type: str, index: int=None, ) -> _List[str]: - if zone not in _DOMAINS: + for zone in zones.values(): + if domain_name == zone['domain_name']: + break + else: return [] if type == 'host': - return list(_DOMAINS[zone][0]) - return _DOMAINS[zone][1][index] + return list(zone['hosts']) + return list(zone['hosts'].values())[index] + + +def get_internal_zones(zones_name, zones) -> _List[str]: + return [zone['domain_name'] for zone_name, zone in zones.items() if zone_name in zones_name] diff --git a/seed/nsd/templates/nsd.yml b/seed/nsd/templates/nsd.yml index 8da8c983..ac420063 100644 --- a/seed/nsd/templates/nsd.yml +++ b/seed/nsd/templates/nsd.yml @@ -3,10 +3,10 @@ records: %for %%domain in %%nsd_zones %set %%suffix = %%normalize_family(%%domain) %set %%hostnames = %%nsd["nsd_zone_" + %%suffix]["hostname_" + %%suffix]["hostname_" + %%suffix] - %for %%nsd in %%hostnames - %set %%type = %%nsd['type_' + %%suffix] + %for %%hostname in %%hostnames + %set %%type = %%hostname['type_' + %%suffix] %if %%type == 'A' - %%{nsd}.%%domain: '%%nsd['ip_' + %%suffix]' + %%{hostname}.%%domain: '%%hostname['ip_' + %%suffix]' %end if %end for %end for diff --git a/seed/oauth2-client/dictionaries/30_oauth2_client.xml b/seed/oauth2-client/dictionaries/30_oauth2_client.xml index 80a28a6c..c7a87e13 100644 --- a/seed/oauth2-client/dictionaries/30_oauth2_client.xml +++ b/seed/oauth2-client/dictionaries/30_oauth2_client.xml @@ -1,7 +1,7 @@ - + diff --git a/seed/oauth2-client/templates/oauth2-client.service b/seed/oauth2-client/templates/oauth2-client.service index c2bb7768..775aeb1c 100644 --- a/seed/oauth2-client/templates/oauth2-client.service +++ b/seed/oauth2-client/templates/oauth2-client.service 
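Review bot: The new signature annotates `zones: list`, but the body immediately calls `zones.values()` and `get_internal_zones` calls `zones.items()`, so the parameter is a mapping; `zones: dict` would stop type checkers and readers from being misled. `index: int=None` is kept, yet the non-`'host'` path evaluates `list(zone['hosts'].values())[index]`, which raises TypeError when index is None, so either the default should go or that branch needs a guard such as `if index is None: return []`. `get_internal_zones(zones_name, zones)` has neither parameter annotations nor a docstring, unlike its neighbour; a one-line docstring saying it returns the `domain_name` of every zone whose key appears in `zones_name` would do.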
@@ -4,4 +4,4 @@ Before=risotto.target [Service] Type=oneshot -ExecStart=/usr/bin/timeout 90 bash -c 'while ! [ "$(/usr/bin/curl --write-out '%{http_code}' --silent --output /dev/null https://%%oauth2_client_server_domainname/.well-known/openid-configuration)" = 200 ]; do sleep 1; done;' +ExecStart=/usr/bin/timeout 90 bash -c 'while ! [ "$(/usr/bin/curl --write-out '%{http_code}' --silent --output /dev/null https://%%oauth2_client_server_domainname/.well-known/openid-configuration)" = 200 ]; do /usr/bin/curl https://%%oauth2_client_server_domainname/.well-known/openid-configuration; sleep 1; done;' diff --git a/seed/odoo/dictionaries/40_odoo.xml b/seed/odoo/dictionaries/40_odoo.xml index bf103ad0..17461e93 100644 --- a/seed/odoo/dictionaries/40_odoo.xml +++ b/seed/odoo/dictionaries/40_odoo.xml @@ -4,7 +4,7 @@ /sysusers.d/1odoo.conf - /tmpfiles.d/0odoo.conf + /tmpfiles.d/0odoo.conf /sbin/config_odoo.py /etc/odoo/odoo.conf /etc/odoo/postgresql.pass diff --git a/seed/odoo/manual/image/postinstall/odoo.sh b/seed/odoo/manual/image/postinstall/odoo.sh index 8ff55792..39259323 100644 --- a/seed/odoo/manual/image/postinstall/odoo.sh +++ b/seed/odoo/manual/image/postinstall/odoo.sh 
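Review bot: The added `/usr/bin/curl https://%%oauth2_client_server_domainname/.well-known/openid-configuration;` inside the wait loop runs without `--silent`/`--output`, so each failed probe writes curl's progress meter and, once the server answers with a non-200 body, the entire response into the journal, once per second for up to 90 s. If the aim is a diagnostic for the timeout case, reuse the status the loop already fetches and log only that: `ExecStart=/usr/bin/timeout 90 bash -c 'until code=$(/usr/bin/curl --write-out "%{http_code}" --silent --output /dev/null https://%%oauth2_client_server_domainname/.well-known/openid-configuration) && [ "$code" = 200 ]; do echo "openid-configuration not ready (HTTP ${code:-none})"; sleep 1; done'` keeps one request per iteration and still explains why the unit timed out.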
@@ -2,16 +2,16 @@ set -e
 ODOO_VERSION="16.0"
 WKHTML_VERSION="0.12.6.1-2"
 #curl http://nightly.odoo.com/${ODOO_VERSION}/nightly/rpm/odoo_${ODOO_VERSION}.latest.rpm -o odoo_${ODOO_VERSION}.latest.rpm
-#OPT=$(dnf_opt_base "$IMAGE_NAME_RISOTTO_IMAGE_DIR")
+#OPT=$(dnf_opt_base "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP")
 #dnf --assumeyes $OPT localinstall odoo_${ODOO_VERSION}.latest.rpm
 #rm -f odoo_${ODOO_VERSION}.latest.rpm
-mv $IMAGE_NAME_RISOTTO_IMAGE_DIR/etc/resolv.conf /tmp
-echo "nameserver 9.9.9.9" > $IMAGE_NAME_RISOTTO_IMAGE_DIR/etc/resolv.conf
+mv $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/etc/resolv.conf /tmp
+echo "nameserver 9.9.9.9" > $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/etc/resolv.conf
 WKHTML_PKG=wkhtmltox_$WKHTML_VERSION.bullseye_amd64.deb
-curl https://nightly.odoo.com/odoo.key -o "$IMAGE_NAME_RISOTTO_IMAGE_DIR/odoo.key"
-curl -L "https://github.com/wkhtmltopdf/packaging/releases/download/$WKHTML_VERSION/$WKHTML_PKG" -o "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$WKHTML_PKG"
+curl https://nightly.odoo.com/odoo.key -o "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/odoo.key"
+curl -L "https://github.com/wkhtmltopdf/packaging/releases/download/$WKHTML_VERSION/$WKHTML_PKG" -o "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/$WKHTML_PKG"
 echo """#!/bin/bash -xe
 cat /odoo.key | apt-key add -
 rm /odoo.key
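Review bot: The two `curl ... -o` lines in the new code run without `--fail`, so an HTTP error page from nightly.odoo.com or github.com is saved as `odoo.key` / `$WKHTML_PKG` with exit status 0, `set -e` never fires, and the chroot script then hands that file to `apt-key add -` and `dpkg -i`. `curl --fail --silent --show-error https://nightly.odoo.com/odoo.key -o "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/odoo.key"` (and the same flags on the `-L` download) makes a failed fetch abort the build. Separately, `resolv.conf` is moved aside here and only put back by the `mv -f /tmp/resolv.conf ...` line at the end of the next hunk; with `set -e` any failure in between leaves the image resolving through 9.9.9.9 and its original file stranded in /tmp, so a `trap 'mv -f /tmp/resolv.conf "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/etc/resolv.conf"' EXIT` right after the `mv` would restore it on every exit path. The `mv`/`echo` lines also leave `$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP` unquoted, unlike the curl lines beside them.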
@@ -21,16 +21,16 @@ apt install --no-install-recommends -y odoo
 dpkg -i /"$WKHTML_PKG" || true
 rm -f /"$WKHTML_PKG"
 apt -f install -y
-""" > $IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh
-chmod 755 $IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh
-chroot $IMAGE_NAME_RISOTTO_IMAGE_DIR /install.sh
+""" > $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/install.sh
+chmod 755 $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/install.sh
+chroot $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP /install.sh
-sed -i "s/'postgres'/odoo.tools.config['db_name']/g" $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/python3/dist-packages/odoo/service/server.py
-sed -i "s/'postgres'/odoo.tools.config['db_name']/g" $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/python3/dist-packages/odoo/service/db.py
-sed -i "s/'postgres'/odoo.tools.config['db_name']/g" $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/python3/dist-packages/odoo/addons/bus/models/bus.py
-sed -i "s/'postgres'/odoo.tools.config['db_name']/g" $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/python3/dist-packages/odoo/addons/base/models/ir_cron.py
-sed -i "s@ldap://@ldaps://@g" $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/python3/dist-packages/odoo/addons/auth_ldap/models/res_company_ldap.py
-mv -f /tmp/resolv.conf $IMAGE_NAME_RISOTTO_IMAGE_DIR/etc/resolv.conf
+sed -i "s/'postgres'/odoo.tools.config['db_name']/g" $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/python3/dist-packages/odoo/service/server.py
+sed -i "s/'postgres'/odoo.tools.config['db_name']/g" $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/python3/dist-packages/odoo/service/db.py
+sed -i "s/'postgres'/odoo.tools.config['db_name']/g" $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/python3/dist-packages/odoo/addons/bus/models/bus.py
+sed -i "s/'postgres'/odoo.tools.config['db_name']/g" $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/python3/dist-packages/odoo/addons/base/models/ir_cron.py
+sed -i "s@ldap://@ldaps://@g" $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/python3/dist-packages/odoo/addons/auth_ldap/models/res_company_ldap.py
+mv -f /tmp/resolv.conf
$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/etc/resolv.conf set +e diff --git a/seed/openldap/dictionaries/21_openldap-server.xml b/seed/openldap/dictionaries/21_openldap-server.xml index 29dfa490..154f28a7 100644 --- a/seed/openldap/dictionaries/21_openldap-server.xml +++ b/seed/openldap/dictionaries/21_openldap-server.xml @@ -9,8 +9,8 @@ /var/lib/ldap/DB_CONFIG /secrets/users.ldif /secrets/users_mod.ldif - /secrets/config.ldif - /secrets/config_acl.ldif + /etc/ldap/secrets/config.ldif + /etc/ldap/secrets/config_acl.ldif /secrets/admin_ldap.pwd /sysusers.d/risotto-openldap.conf /tmpfiles.d/0openldap-server.conf diff --git a/seed/openldap/manual/image/postinstall/openldap_server.sh b/seed/openldap/manual/image/postinstall/openldap_server.sh index c025a65c..877e6037 100644 --- a/seed/openldap/manual/image/postinstall/openldap_server.sh +++ b/seed/openldap/manual/image/postinstall/openldap_server.sh @@ -1 +1 @@ -rm -rf "$IMAGE_NAME_RISOTTO_IMAGE_DIR/etc/openldap/slapd.d/" +rm -rf "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/etc/openldap/slapd.d/" diff --git a/seed/openldap/templates/slapd.service b/seed/openldap/templates/slapd.service index 8a3c0566..4b9a6397 100644 --- a/seed/openldap/templates/slapd.service +++ b/seed/openldap/templates/slapd.service @@ -1,10 +1,10 @@ [Service] ExecStartPre= -ExecStartPre=-/usr/sbin/slapadd -F /etc/openldap/slapd.d -v -b cn=config -l /usr/local/lib/secrets/config.ldif +ExecStartPre=-/usr/sbin/slapadd -F /etc/openldap/slapd.d -v -b cn=config -l /etc/ldap/secrets/config.ldif %for %%schema in %%ldap_schemas ExecStartPre=-/usr/sbin/slapadd -F /etc/openldap/slapd.d -v -b cn=config -l %%schema %end for -ExecStartPre=-/usr/sbin/slapadd -F /etc/openldap/slapd.d -c -v -l /usr/local/lib/secrets/users.ldif +ExecStartPre=-/usr/sbin/slapadd -F /etc/openldap/slapd.d -c -v -l /etc/ldap/secrets/users.ldif User=ldap Group=ldap ExecStart= 
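Review bot: The five `sed -i` lines patch odoo's installed sources without checking that the pattern is present, so on a later nightly where `'postgres'` or `ldap://` is spelled differently the substitution silently becomes a no-op and the image ships with exactly the maintenance-database and plain-LDAP behaviour the patch is meant to remove. A `grep -q` before each substitution turns that drift into a build failure under `set -e`; the loop below does it for the four `'postgres'` files and the same guard precedes the `ldap://` rewrite. The `+mv -f /tmp/resolv.conf ...` restore that closes this hunk is covered by the note on the previous hunk.
```shell
ODOO_PKG="$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/python3/dist-packages/odoo"
for f in service/server.py service/db.py addons/bus/models/bus.py addons/base/models/ir_cron.py; do
    # abort the build (set -e) instead of silently skipping when upstream renames the literal
    grep -q "'postgres'" "$ODOO_PKG/$f"
    sed -i "s/'postgres'/odoo.tools.config['db_name']/g" "$ODOO_PKG/$f"
done
grep -q "ldap://" "$ODOO_PKG/addons/auth_ldap/models/res_company_ldap.py"
sed -i "s@ldap://@ldaps://@g" "$ODOO_PKG/addons/auth_ldap/models/res_company_ldap.py"
# … unchanged: restore of /etc/resolv.conf, set +e …
```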
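Review bot: The two rewritten `ExecStartPre` lines now load `/etc/ldap/secrets/config.ldif` and `/etc/ldap/secrets/users.ldif`, but the dictionary hunk earlier on this same line moves only `config.ldif` and `config_acl.ldif` to `/etc/ldap/secrets/` and leaves `users.ldif` at `/secrets/users.ldif`, which the unchanged `ldapmodify` lines in the next hunk still resolve as `/usr/local/lib/secrets/`. If that mapping holds, the second slapadd points at a file that is never installed, and because the line is prefixed with `-` the failure is ignored and slapd starts without the accounts that file seeds; `ExecStartPre=-/usr/sbin/slapadd -F /etc/openldap/slapd.d -c -v -l /usr/local/lib/secrets/users.ldif` (or moving users.ldif in the dictionary as well) keeps the two in step. Dropping the `-` on both slapadd lines would also turn a bad import into a visible start failure rather than a directory silently missing its config or users.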
@@ -12,5 +12,5 @@ ExecStart= ExecStart=+/usr/sbin/slapd -u ldap -h ldaps:/// #waiting for ldap server... ExecStartPost=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/localhost/%%ldap_port; do sleep 1; done' -ExecStartPost=-/usr/bin/ldapmodify -D %%ldapclient_user -y /usr/local/lib/secrets/admin_ldap.pwd -v -f /usr/local/lib/secrets/config_acl.ldif -ExecStartPost=-/usr/bin/ldapmodify -D %%ldapclient_user -y /usr/local/lib/secrets/admin_ldap.pwd -v -f /usr/local/lib/secrets/users_mod.ldif +ExecStartPost=+-/usr/bin/ldapmodify -D %%ldapclient_user -y /usr/local/lib/secrets/admin_ldap.pwd -v -f /usr/local/lib/secrets/config_acl.ldif +ExecStartPost=+-/usr/bin/ldapmodify -D %%ldapclient_user -y /usr/local/lib/secrets/admin_ldap.pwd -v -f /usr/local/lib/secrets/users_mod.ldif diff --git a/seed/peertube/dictionaries/30_peertube.xml b/seed/peertube/dictionaries/30_peertube.xml index 490afbaa..32e85b92 100644 --- a/seed/peertube/dictionaries/30_peertube.xml +++ b/seed/peertube/dictionaries/30_peertube.xml @@ -49,6 +49,8 @@ /usr/share/peertube + + / diff --git a/seed/peertube/manual/image/postinstall/peertube.sh b/seed/peertube/manual/image/postinstall/peertube.sh index b8e6d45b..a5492f77 100644 --- a/seed/peertube/manual/image/postinstall/peertube.sh +++ b/seed/peertube/manual/image/postinstall/peertube.sh @@ -1,5 +1,5 @@ -mkdir -p "$IMAGE_NAME_RISOTTO_IMAGE_DIR/proc/self/" -cat /proc/self/stat > "$IMAGE_NAME_RISOTTO_IMAGE_DIR/proc/self/stat" +mkdir -p "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/proc/self/" +cat /proc/self/stat > "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/proc/self/stat" PLUGINS_DIR=/usr/share/peertube_plugins echo """#!/bin/bash set -ex 
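Review bot: `ExecStartPost=+-/usr/bin/ldapmodify ...` now runs both post-start modifications as root (the `+` prefix bypasses `User=ldap`) while keeping the `-` that discards their exit status. The only thing that looks like it needs root here is reading `/usr/local/lib/secrets/admin_ldap.pwd` through `-y`; making that file readable by the `ldap` user, or handing it over with `LoadCredential=admin_ldap.pwd:/usr/local/lib/secrets/admin_ldap.pwd` and `-y ${CREDENTIALS_DIRECTORY}/admin_ldap.pwd`, keeps the service unprivileged. With `-` retained, a rejected `config_acl.ldif` leaves the directory running with whatever ACLs it had before and nothing reports it; dropping the `-` on at least the ACL line makes that a visible failure. Why root became necessary is not stated in the commit, so the reason above is inferred.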
@@ -15,13 +15,13 @@ chown peertube: "\$PLUGINS_DIR/data/peertube-plugin-auth-openid-connect" rm -f /etc/resolv.conf mv /tmp/resolv.conf /etc -""" > "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh" -chmod +x "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh" -chroot "$IMAGE_NAME_RISOTTO_IMAGE_DIR" /install.sh -rm "$IMAGE_NAME_RISOTTO_IMAGE_DIR/proc/self/stat" -rmdir "$IMAGE_NAME_RISOTTO_IMAGE_DIR/proc/self/" +""" > "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/install.sh" +chmod +x "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/install.sh" +chroot "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP" /install.sh +rm "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/proc/self/stat" +rmdir "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/proc/self/" -rm -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh" -cd "$IMAGE_NAME_RISOTTO_IMAGE_DIR$PLUGINS_DIR/.." +rm -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/install.sh" +cd "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP$PLUGINS_DIR/.." #patch -p0 < "$IMAGE_DIR_RECIPIENT_IMAGE/postinstall/peertube.patch" cd - diff --git a/seed/php-fpm/templates/php-fpm.conf b/seed/php-fpm/templates/php-fpm.conf index 1532ebf7..a198b023 100644 --- a/seed/php-fpm/templates/php-fpm.conf +++ b/seed/php-fpm/templates/php-fpm.conf @@ -137,3 +137,4 @@ daemonize = yes ; FPM can handle. Your system will tell you anyway :) ; See /etc/php-fpm.d/*.conf + diff --git a/seed/php-fpm/templates/www.conf b/seed/php-fpm/templates/www.conf index 7a315283..42348828 100644 --- a/seed/php-fpm/templates/www.conf +++ b/seed/php-fpm/templates/www.conf @@ -448,10 +448,13 @@ php_admin_flag[log_errors] = on ; See warning about choosing the location of these directories on your system ; at http://php.net/session.save-path ;GNUNUX php_value[soap.wsdl_cache_dir] = /var/lib/php/wsdlcache ;php_value[opcache.file_cache] = /var/lib/php/opcache diff --git a/seed/php/dictionaries/20_php.xml b/seed/php/dictionaries/20_php.xml index d985cec4..7246925f 100644 --- a/seed/php/dictionaries/20_php.xml +++ b/seed/php/dictionaries/20_php.xml 
@@ -7,25 +7,25 @@ - + 32 - + 16 - + 30 - + 60 - + 512 False - + 3600 diff --git a/seed/php/templates/php.ini b/seed/php/templates/php.ini index cb876f48..b1015bad 100644 --- a/seed/php/templates/php.ini +++ b/seed/php/templates/php.ini @@ -1266,11 +1266,14 @@ browscap = /etc/php/extra/browscap.ini ; Handler used to store/retrieve data. ; https://php.net/session.save-handler ;>GNUNUX -; session.save_handler = files +%if not %%getVar('redis_client_server_domainname', None) +session.save_handler = files +%else session.save_handler = redis session.save_path = "tcp://%%redis_client_server_domainname:6379?auth[user]=%%redis_client_username&auth[pass]=%%redis_client_password" ;GNUNUX https://github.com/phpredis/phpredis/issues/2062 ;session.save_path = "tls://%%redis_client_server_domainname:6379?auth[user]=%%redis_client_username&auth[pass]=%%redis_client_password&stream[verify_peer]=1&stream[cafile]=/etc/pki/ca-trust/source/anchors/ca_Redis.crt&stream[local_cert]=/etc/pki/tls/certs/redis.crt&stream[local_pk]=/etc/pki/tls/private/redis.key" +%end if ; - + /tmpfiles.d/0piwigo.conf /etc/piwigo/config.inc.php /etc/piwigo/database.inc.php @@ -13,11 +13,11 @@ + + zones + + postfix_relay_ip_ + diff --git a/seed/postfix-relay/templates/ca_MailServer.crt b/seed/postfix-relay/templates/ca_MailServer.crt index 13b8d621..6eef509e 100644 --- a/seed/postfix-relay/templates/ca_MailServer.crt +++ b/seed/postfix-relay/templates/ca_MailServer.crt @@ -1 +1 @@ -%%get_chain(authority_cn=%%domain_name_eth0, authority_name="MailServer", hide=%%hide_secret) +%%get_chain(cn=%%domain_name_eth0, authority_cn=%%domain_name_eth0, authority_name="MailServer", hide=%%hide_secret) diff --git a/seed/postfix-relay/templates/postfix.service b/seed/postfix-relay/templates/postfix.service index bf6a4ede..c38325e8 100644 --- a/seed/postfix-relay/templates/postfix.service +++ b/seed/postfix-relay/templates/postfix.service 
@@ -4,7 +4,7 @@ ExecStartPre=/usr/sbin/postmap -F /etc/postfix/sni %for %%local in %%postfix_relay_authentifications %set %%user = %%normalize_family(%%local) %set %%password = %%getVar('local_authentification_password_' + %%user) - %set %%ip = %%get_ip(%%local) + %set %%ip = %%getVar('postfix_relay_ip_' + %%user) ExecStartPre=-/usr/bin/bash -c "echo %%password | /usr/sbin/saslpasswd2 -u %%ip %%user -p" %end for ExecStartPre=/usr/bin/chown postfix: /etc/sasl2/sasldb2 diff --git a/seed/postfix-relay/templates/sni.pem b/seed/postfix-relay/templates/sni.pem index 92fdfd2b..beb29d05 100644 --- a/seed/postfix-relay/templates/sni.pem +++ b/seed/postfix-relay/templates/sni.pem @@ -1,4 +1,4 @@ -%set %%chain = %%get_chain(authority_cn=%%rougail_variable, authority_name="MailRelay", hide=%%hide_secret) +%set %%chain = %%get_chain(cn=%%rougail_variable, authority_cn=%%rougail_variable, authority_name="MailRelay", hide=%%hide_secret) %set %%cert = %%get_certificate(cn=%%rougail_variable, authority_name='MailRelay', hide=%%hide_secret) %%get_private_key(cn=%%rougail_variable, authority_name='MailRelay', hide=%%hide_secret) %%cert diff --git a/seed/postgresql-client/dictionaries/23_postgresql.xml b/seed/postgresql-client/dictionaries/23_postgresql.xml index 9bdf204b..5b90f9cd 100644 --- a/seed/postgresql-client/dictionaries/23_postgresql.xml +++ b/seed/postgresql-client/dictionaries/23_postgresql.xml @@ -1,7 +1,7 @@ - + /secrets/postgresql.pass pg_client_ca_file pg_client_crt_file @@ -11,11 +11,11 @@ - + + zones accounts.remote_.remote_ip_ diff --git a/seed/postgresql/templates/ca_PostgreSQL.crt b/seed/postgresql/templates/ca_PostgreSQL.crt index 4abf995f..8c8c9cf6 100644 --- a/seed/postgresql/templates/ca_PostgreSQL.crt +++ b/seed/postgresql/templates/ca_PostgreSQL.crt 
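Review bot: `%set %%ip = %%getVar('postfix_relay_ip_' + %%user)` is called without the default argument that the other `getVar` call in this commit supplies (`%%getVar('redis_client_server_domainname', None)` in php.ini), so if a `postfix_relay_ip_<user>` variable is missing for one of the `postfix_relay_authentifications` entries the template either fails to render or, should getVar yield None, produces `-u ` with an empty realm and the `-` prefix on `ExecStartPre` hides the resulting saslpasswd2 error. The `postfix_relay_ip_` entry added to the postfix-relay dictionary earlier on this page suggests the variable is expected to exist, so a short comment stating that contract (or an `%if` guard around the line) would document it. Separately, the unchanged `ExecStartPre=-/usr/bin/bash -c "echo %%password | /usr/sbin/saslpasswd2 -u %%ip %%user -p"` line embeds each SASL password in the rendered unit, which unit files are normally world-readable and `systemctl show` exposes; writing the password to a 0600 file owned by the template and piping that file into `saslpasswd2 -p` would keep it out of the unit.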
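Review bot: The new `%set %%chain = %%get_chain(cn=%%rougail_variable, authority_cn=%%rougail_variable, authority_name="MailRelay", hide=%%hide_secret)` names the authority explicitly, but the `%%get_certificate(cn=%%rougail_variable, authority_name='MailRelay', hide=%%hide_secret)` line right below still omits `authority_cn`, whereas the other get_certificate calls on this page (certificate.crt, nginx.crt) pass it. If get_certificate resolves the issuer from (authority_cn, authority_name), the key/certificate pair written here and the chain appended after it could come from different CAs; adding `authority_cn=%%rougail_variable` to the get_certificate call (and to the `get_private_key` call, which also lacks it) makes the three lookups agree. Whether a default authority_cn applies when it is omitted is not visible here.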
@@ -1 +1 @@ -%%get_chain(authority_cn=%%domain_name_eth0, authority_name="PostgreSQL", hide=%%hide_secret) +%%get_chain(cn=%%domain_name_eth0, authority_cn=%%domain_name_eth0, authority_name="PostgreSQL", hide=%%hide_secret) diff --git a/seed/provider-systemd-machined/dictionaries/10-machined.xml b/seed/provider-systemd-machined/dictionaries/10-machined.xml index 0519f9be..267173a4 100644 --- a/seed/provider-systemd-machined/dictionaries/10-machined.xml +++ b/seed/provider-systemd-machined/dictionaries/10-machined.xml @@ -1,7 +1,7 @@ - + diff --git a/seed/provider-systemd-machined/dictionaries/16-machined.xml b/seed/provider-systemd-machined/dictionaries/16-machined.xml index f241fb72..cfd42616 100644 --- a/seed/provider-systemd-machined/dictionaries/16-machined.xml +++ b/seed/provider-systemd-machined/dictionaries/16-machined.xml @@ -27,8 +27,8 @@ False - - + +