update documentations
This commit is contained in:
parent
f369998d15
commit
c676afdb26
92 changed files with 3636 additions and 504 deletions
|
@ -15,8 +15,9 @@
|
||||||
- [dns-local](dns-local/README.md): DNS client with access to local zones
|
- [dns-local](dns-local/README.md): DNS client with access to local zones
|
||||||
- [dotclear](dotclear/README.md): Dotclear an open-source web publishing software
|
- [dotclear](dotclear/README.md): Dotclear an open-source web publishing software
|
||||||
- [dovecot](dovecot/README.md): Postfix and Dovecot as mail servers (Submission and IMAP)
|
- [dovecot](dovecot/README.md): Postfix and Dovecot as mail servers (Submission and IMAP)
|
||||||
|
- [forgejo](forgejo/README.md): Forgejo, a community managed lightweight code hosting solution
|
||||||
- [galette](galette/README.md): Galette, a membership management web application towards non profit organizations
|
- [galette](galette/README.md): Galette, a membership management web application towards non profit organizations
|
||||||
- [gitea](gitea/README.md): Gitea, a community managed lightweight code hosting solution
|
- [gitea](gitea/README.md): Transitional package for Gitea to Forgejo
|
||||||
- [host-systemd-machined](host-systemd-machined/README.md): Host with machine started in Systemd Machined environment
|
- [host-systemd-machined](host-systemd-machined/README.md): Host with machine started in Systemd Machined environment
|
||||||
- [imap-client](imap-client/README.md): Application service needs interact with an IMAP server
|
- [imap-client](imap-client/README.md): Application service needs interact with an IMAP server
|
||||||
- [ldap-client](ldap-client/README.md): Application service needs interact with a LDAP server
|
- [ldap-client](ldap-client/README.md): Application service needs interact with a LDAP server
|
||||||
|
@ -62,3 +63,47 @@
|
||||||
- [unbound](unbound/README.md): Unbound, a validating, recursive, caching DNS resolver
|
- [unbound](unbound/README.md): Unbound, a validating, recursive, caching DNS resolver
|
||||||
- [vaultwarden](vaultwarden/README.md): Vaultwarden, a password manager
|
- [vaultwarden](vaultwarden/README.md): Vaultwarden, a password manager
|
||||||
- [znc](znc/README.md): ZNC, a bouncer IRC
|
- [znc](znc/README.md): ZNC, a bouncer IRC
|
||||||
|
|
||||||
|
# Providers and suppliers
|
||||||
|
|
||||||
|
- ExternalDNS:
|
||||||
|
- Provider: [unbound](unbound/README.md)
|
||||||
|
- Suppliers:
|
||||||
|
- [dns-external](dns-external/README.md)
|
||||||
|
- [nsd](nsd/README.md)
|
||||||
|
- Host:
|
||||||
|
- Provider: [host-systemd-machined](host-systemd-machined/README.md)
|
||||||
|
- Supplier: [provider-systemd-machined](provider-systemd-machined/README.md)
|
||||||
|
- IMAP:
|
||||||
|
- Provider: [dovecot](dovecot/README.md)
|
||||||
|
- Supplier: [imap-client](imap-client/README.md)
|
||||||
|
- LDAP:
|
||||||
|
- Provider: [openldap](openldap/README.md)
|
||||||
|
- Supplier: [ldap-client](ldap-client/README.md)
|
||||||
|
- LMTP:
|
||||||
|
- Provider: [postfix-lmtp-relay](postfix-lmtp-relay/README.md)
|
||||||
|
- Supplier: [relay-lmtp-client](relay-lmtp-client/README.md)
|
||||||
|
- LocalDNS:
|
||||||
|
- Provider: [nsd](nsd/README.md)
|
||||||
|
- Supplier: [dns-local](dns-local/README.md)
|
||||||
|
- MariaDB:
|
||||||
|
- Provider: [mariadb](mariadb/README.md)
|
||||||
|
- Supplier: [mariadb-client](mariadb-client/README.md)
|
||||||
|
- OAuth2:
|
||||||
|
- Provider: [lemonldap](lemonldap/README.md)
|
||||||
|
- Supplier: [oauth2-client](oauth2-client/README.md)
|
||||||
|
- OAuth2Client:
|
||||||
|
- Provider: [oauth2-client](oauth2-client/README.md)
|
||||||
|
- Supplier: [lemonldap](lemonldap/README.md)
|
||||||
|
- Postgresql:
|
||||||
|
- Provider: [postgresql](postgresql/README.md)
|
||||||
|
- Supplier: [postgresql-client](postgresql-client/README.md)
|
||||||
|
- Redis:
|
||||||
|
- Provider: [redis](redis/README.md)
|
||||||
|
- Supplier: [redis-client](redis-client/README.md)
|
||||||
|
- ReverseProxy:
|
||||||
|
- Provider: [nginx-reverse-proxy](nginx-reverse-proxy/README.md)
|
||||||
|
- Supplier: [reverse-proxy-client](reverse-proxy-client/README.md)
|
||||||
|
- SMTP:
|
||||||
|
- Provider: [postfix-relay](postfix-relay/README.md)
|
||||||
|
- Supplier: [relay-mail-client](relay-mail-client/README.md)
|
||||||
|
|
|
@ -24,22 +24,14 @@ Base information of a Fedora 36.
|
||||||
## Used by
|
## Used by
|
||||||
|
|
||||||
- [galette](../galette/README.md)
|
- [galette](../galette/README.md)
|
||||||
- [nginx-static](../nginx-static/README.md)
|
|
||||||
- [postgresql](../postgresql/README.md)
|
|
||||||
- [peertube](../peertube/README.md)
|
- [peertube](../peertube/README.md)
|
||||||
- [piwigo](../piwigo/README.md)
|
- [piwigo](../piwigo/README.md)
|
||||||
- [dovecot](../dovecot/README.md)
|
- [dovecot](../dovecot/README.md)
|
||||||
- [unbound](../unbound/README.md)
|
|
||||||
- [redis](../redis/README.md)
|
|
||||||
- [nsd](../nsd/README.md)
|
|
||||||
- [dotclear](../dotclear/README.md)
|
- [dotclear](../dotclear/README.md)
|
||||||
- [speedtest-rs](../speedtest-rs/README.md)
|
- [speedtest-rs](../speedtest-rs/README.md)
|
||||||
- [nginx-reverse-proxy](../nginx-reverse-proxy/README.md)
|
|
||||||
- [sensmotdire](../sensmotdire/README.md)
|
- [sensmotdire](../sensmotdire/README.md)
|
||||||
- [roundcube](../roundcube/README.md)
|
- [roundcube](../roundcube/README.md)
|
||||||
- [znc](../znc/README.md)
|
- [znc](../znc/README.md)
|
||||||
- [vaultwarden](../vaultwarden/README.md)
|
- [vaultwarden](../vaultwarden/README.md)
|
||||||
- [mariadb](../mariadb/README.md)
|
- [mariadb](../mariadb/README.md)
|
||||||
- [nextcloud](../nextcloud/README.md)
|
- [nextcloud](../nextcloud/README.md)
|
||||||
- [openldap](../openldap/README.md)
|
|
||||||
- [gitea](../gitea/README.md)
|
|
||||||
|
|
|
@ -20,3 +20,14 @@ Base information of a Fedora 37.
|
||||||
- [base-machine](../base-machine/README.md)
|
- [base-machine](../base-machine/README.md)
|
||||||
- [base](../base/README.md)
|
- [base](../base/README.md)
|
||||||
- [dns-local](../dns-local/README.md)
|
- [dns-local](../dns-local/README.md)
|
||||||
|
|
||||||
|
## Used by
|
||||||
|
|
||||||
|
- [nginx-static](../nginx-static/README.md)
|
||||||
|
- [postgresql](../postgresql/README.md)
|
||||||
|
- [unbound](../unbound/README.md)
|
||||||
|
- [redis](../redis/README.md)
|
||||||
|
- [forgejo](../forgejo/README.md)
|
||||||
|
- [nsd](../nsd/README.md)
|
||||||
|
- [nginx-reverse-proxy](../nginx-reverse-proxy/README.md)
|
||||||
|
- [openldap](../openldap/README.md)
|
||||||
|
|
|
@ -1 +1,6 @@
|
||||||
|
# This is the fallback locale configuration provided by systemd.
|
||||||
|
|
||||||
|
#>GNUNUX
|
||||||
|
#LANG="C.UTF-8"
|
||||||
LANG=fr_FR.UTF-8
|
LANG=fr_FR.UTF-8
|
||||||
|
#<GNUNUX
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
<rougail version="0.10">
|
<rougail version="0.10">
|
||||||
<services>
|
<services>
|
||||||
<service name="dns-local" manage="False">
|
<service name="dns-local" manage="False">
|
||||||
<file>/tests/dns-local.yml</file>
|
<file filelist="copy_tests">/tests/dns-local.yml</file>
|
||||||
</service>
|
</service>
|
||||||
</services>
|
</services>
|
||||||
<variables>
|
<variables>
|
||||||
|
|
|
@ -61,18 +61,18 @@ This a family is a leadership.
|
||||||
|
|
||||||
#### IMAP mail server (*general.dovecot*)
|
#### IMAP mail server (*general.dovecot*)
|
||||||
|
|
||||||
| Description | Type | Provider |
|
| Description | Type | Values | Provider |
|
||||||
|----------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|------------|
|
|----------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|--------------|------------|
|
||||||
| **Adresse interne du serveur IMAP** (*[imap_internal_address](dictionaries/26_dovecot.xml)*) | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | IMAP |
|
| **Adresse interne du serveur IMAP** (*[imap_internal_address](dictionaries/26_dovecot.xml)*) | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | <calculated> | IMAP |
|
||||||
|
|
||||||
#### revprox (*general.revprox*)
|
#### revprox (*general.revprox*)
|
||||||
|
|
||||||
##### revprox_client (*general.revprox.revprox_client*)
|
##### revprox_client (*general.revprox.revprox_client*)
|
||||||
|
|
||||||
| Description |
|
| Description | Values |
|
||||||
|----------------------------------------------------------------------|
|
|----------------------------------------------------------------------|--------------|
|
||||||
| *[revprox_client_external_domainnames](dictionaries/26_dovecot.xml)* |
|
| *[revprox_client_external_domainnames](dictionaries/26_dovecot.xml)* | <calculated> |
|
||||||
| *[revprox_client_web_address](dictionaries/26_dovecot.xml)* |
|
| *[revprox_client_web_address](dictionaries/26_dovecot.xml)* | <calculated> |
|
||||||
|
|
||||||
#### nginx (*general.nginx*)
|
#### nginx (*general.nginx*)
|
||||||
|
|
||||||
|
|
|
@ -47,7 +47,7 @@
|
||||||
<file owner="root" group="dovecot" mode="440">/etc/pki/tls/private/dovecot.key</file>
|
<file owner="root" group="dovecot" mode="440">/etc/pki/tls/private/dovecot.key</file>
|
||||||
<file source="external_imap.crt" file_type="variable" variable="imap_domainname">external_imap_crt</file>
|
<file source="external_imap.crt" file_type="variable" variable="imap_domainname">external_imap_crt</file>
|
||||||
<file owner="root" group="dovecot" mode="440" source="external_imap.key" file_type="variable" variable="imap_domainname">external_imap_key</file>
|
<file owner="root" group="dovecot" mode="440" source="external_imap.key" file_type="variable" variable="imap_domainname">external_imap_key</file>
|
||||||
<file>/tests/imap.yml</file>
|
<file filelist="copy_tests">/tests/imap.yml</file>
|
||||||
</service>
|
</service>
|
||||||
</services>
|
</services>
|
||||||
<variables>
|
<variables>
|
||||||
|
|
92
seed/forgejo/README.md
Normal file
92
seed/forgejo/README.md
Normal file
|
@ -0,0 +1,92 @@
|
||||||
|
---
|
||||||
|
gitea: none
|
||||||
|
include_toc: true
|
||||||
|
---
|
||||||
|
|
||||||
|
# forgejo
|
||||||
|
|
||||||
|
[All applications services for this dataset.](../README.md)
|
||||||
|
|
||||||
|
## Description
|
||||||
|
|
||||||
|
Forgejo, a community managed lightweight code hosting solution.
|
||||||
|
|
||||||
|
[For more informations](https://forgejo.org/)
|
||||||
|
|
||||||
|
## Dependances
|
||||||
|
|
||||||
|
- [base-fedora-37](../base-fedora-37/README.md)
|
||||||
|
- [base-fedora](../base-fedora/README.md)
|
||||||
|
- [systemd](../systemd/README.md)
|
||||||
|
- [base-machine](../base-machine/README.md)
|
||||||
|
- [base](../base/README.md)
|
||||||
|
- [dns-local](../dns-local/README.md)
|
||||||
|
- [postgresql-client](../postgresql-client/README.md)
|
||||||
|
- [reverse-proxy-client](../reverse-proxy-client/README.md)
|
||||||
|
- [relay-mail-client](../relay-mail-client/README.md)
|
||||||
|
- [redis-client](../redis-client/README.md)
|
||||||
|
- [oauth2-client](../oauth2-client/README.md)
|
||||||
|
|
||||||
|
## Variables
|
||||||
|
|
||||||
|
### Général (*general*)
|
||||||
|
|
||||||
|
#### network (*general.network*)
|
||||||
|
|
||||||
|
| Description | Values |
|
||||||
|
|-----------------------------------------------------|----------|
|
||||||
|
| *[**incoming_ports**](dictionaries/31_forgejo.xml)* | 2222 |
|
||||||
|
|
||||||
|
#### Redis (*general.redis*)
|
||||||
|
|
||||||
|
| Description | Values |
|
||||||
|
|-------------------------------------------------------------|----------|
|
||||||
|
| *[**redis_client_key_owner**](dictionaries/31_forgejo.xml)* | forgejo |
|
||||||
|
|
||||||
|
#### Forgejo (*general.forgejo*)
|
||||||
|
|
||||||
|
Git forge Forgejo
|
||||||
|
|
||||||
|
| Description | Values | Type |
|
||||||
|
|---------------------------------------------------------------------------------------------------------------|----------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|
|
||||||
|
| **Titre de la forge** (*[forgejo_title](dictionaries/31_forgejo.xml)*) | Forgejo : Au-delà du développement. Nous forgeons. | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) |
|
||||||
|
| **Les courriels sont envoyés à partir de cet adresse** (*[forgejo_mail_sender](dictionaries/31_forgejo.xml)*) | | [mail](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) |
|
||||||
|
|
||||||
|
#### revprox (*general.revprox*)
|
||||||
|
|
||||||
|
| Description | Values |
|
||||||
|
|----------------------------------------------------------------|----------|
|
||||||
|
| *[**revprox_client_port**](dictionaries/31_forgejo.xml)* | 3000 |
|
||||||
|
| *[**revprox_client_cert_owner**](dictionaries/31_forgejo.xml)* | forgejo |
|
||||||
|
| *[**revprox_client_cert_group**](dictionaries/31_forgejo.xml)* | forgejo |
|
||||||
|
|
||||||
|
##### revprox_client (*general.revprox.revprox_client*)
|
||||||
|
|
||||||
|
| Description | Values |
|
||||||
|
|--------------------------------------------------------------------|----------|
|
||||||
|
| *[**revprox_client_local_location**](dictionaries/31_forgejo.xml)* | / |
|
||||||
|
|
||||||
|
#### oauth2_client (*general.oauth2_client*)
|
||||||
|
|
||||||
|
| Description | Values |
|
||||||
|
|-------------------------------------------------------------------------|------------------------|
|
||||||
|
| *[**oauth2_is_client_application**](dictionaries/31_forgejo.xml)* | True |
|
||||||
|
| *[**oauth2_client_name**](dictionaries/31_forgejo.xml)* | Forge |
|
||||||
|
| *[**oauth2_client_description**](dictionaries/31_forgejo.xml)* | Forge logiciel Forgejo |
|
||||||
|
| *[**oauth2_client_category**](dictionaries/31_forgejo.xml)* | Développement |
|
||||||
|
| *[**oauth2_client_logo**](dictionaries/31_forgejo.xml)* | silique_note.png |
|
||||||
|
| *[**oauth2_client_token_signature_algo**](dictionaries/31_forgejo.xml)* | RS256 |
|
||||||
|
|
||||||
|
##### external (*general.oauth2_client.external*)
|
||||||
|
|
||||||
|
| Description | Values |
|
||||||
|
|---------------------------------------------------------|--------------|
|
||||||
|
| *[oauth2_client_external](dictionaries/31_forgejo.xml)* | <calculated> |
|
||||||
|
|
||||||
|
|
||||||
|
- [+]: variable is multiple
|
||||||
|
- **bold**: variable is mandatory
|
||||||
|
|
||||||
|
## Used by
|
||||||
|
|
||||||
|
- [gitea](../gitea/README.md)
|
|
@ -2,7 +2,7 @@ format: '0.1'
|
||||||
description: Forgejo, a community managed lightweight code hosting solution
|
description: Forgejo, a community managed lightweight code hosting solution
|
||||||
website: https://forgejo.org/
|
website: https://forgejo.org/
|
||||||
depends:
|
depends:
|
||||||
- base-fedora-36
|
- base-fedora-37
|
||||||
- postgresql-client
|
- postgresql-client
|
||||||
- reverse-proxy-client
|
- reverse-proxy-client
|
||||||
- relay-mail-client
|
- relay-mail-client
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
<file engine="none" source="sysuser-forgejo.conf">/sysusers.d/0forgejo.conf</file>
|
<file engine="none" source="sysuser-forgejo.conf">/sysusers.d/0forgejo.conf</file>
|
||||||
<file engine="none" source="tmpfile-forgejo.conf">/tmpfiles.d/0forgejo.conf</file>
|
<file engine="none" source="tmpfile-forgejo.conf">/tmpfiles.d/0forgejo.conf</file>
|
||||||
<file>/etc/forgejo/app.ini</file>
|
<file>/etc/forgejo/app.ini</file>
|
||||||
<file>/tests/forgejo.yml</file>
|
<file filelist="copy_tests">/tests/forgejo.yml</file>
|
||||||
</service>
|
</service>
|
||||||
</services>
|
</services>
|
||||||
<variables>
|
<variables>
|
||||||
|
@ -19,9 +19,9 @@
|
||||||
<value>forgejo</value>
|
<value>forgejo</value>
|
||||||
</variable>
|
</variable>
|
||||||
</family>
|
</family>
|
||||||
<family name="forgejo" description="Gitea" help="Git forge Gitea">
|
<family name="forgejo" description="Forgejo" help="Git forge Forgejo">
|
||||||
<variable name="forgejo_title" mandatory="True" description="Titre de la forge">
|
<variable name="forgejo_title" mandatory="True" description="Titre de la forge">
|
||||||
<value>Gitea: Git avec une tasse de thé</value>
|
<value>Forgejo : Au-delà du développement. Nous forgeons.</value>
|
||||||
</variable>
|
</variable>
|
||||||
<variable name="forgejo_mail_sender" type="mail" description="Les courriels sont envoyés à partir de cet adresse" mandatory="True"/>
|
<variable name="forgejo_mail_sender" type="mail" description="Les courriels sont envoyés à partir de cet adresse" mandatory="True"/>
|
||||||
<variable name="forgejo_secret_key" type="password" hidden="True"/>
|
<variable name="forgejo_secret_key" type="password" hidden="True"/>
|
||||||
|
@ -52,7 +52,7 @@
|
||||||
<value>Forge</value>
|
<value>Forge</value>
|
||||||
</variable>
|
</variable>
|
||||||
<variable name="oauth2_client_description" redefine='True'>
|
<variable name="oauth2_client_description" redefine='True'>
|
||||||
<value>Forge logiciel Gitea</value>
|
<value>Forge logiciel Forgejo</value>
|
||||||
</variable>
|
</variable>
|
||||||
<variable name="oauth2_client_category" redefine='True'>
|
<variable name="oauth2_client_category" redefine='True'>
|
||||||
<value>Développement</value>
|
<value>Développement</value>
|
||||||
|
|
|
@ -4,8 +4,8 @@ set -ex
|
||||||
|
|
||||||
gpg --keyserver keys.openpgp.org --recv EB114F5E6C0DC2BCDD183550A4B61A2DC5923710
|
gpg --keyserver keys.openpgp.org --recv EB114F5E6C0DC2BCDD183550A4B61A2DC5923710
|
||||||
|
|
||||||
JSON==$(wget -q 'https://codeberg.org/api/v1/repos/forgejo/forgejo/releases?draft=false&pre-release=false&limit=1' --header 'accept: application/json' -O -)
|
JSON=$(wget -q 'https://codeberg.org/api/v1/repos/forgejo/forgejo/releases?draft=false&pre-release=false&limit=1' --header 'accept: application/json' -O -)
|
||||||
VERS=$(echo JSON| jq -r '.[0].name')
|
VERS=$(echo $JSON| jq -r '.[0].name')
|
||||||
|
|
||||||
mkdir -p ~/forgejo/
|
mkdir -p ~/forgejo/
|
||||||
|
|
||||||
|
@ -15,7 +15,7 @@ if [ ! -f ~/"forgejo/forgejo-$VERS-linux-amd64.xz" ]; then
|
||||||
fi
|
fi
|
||||||
if [ ! -f ~/"forgejo/forgejo-$VERS-linux-amd64.xz.asc" ]; then
|
if [ ! -f ~/"forgejo/forgejo-$VERS-linux-amd64.xz.asc" ]; then
|
||||||
rm -rf ~/"forgejo/forgejo-*-linux-amd64.xz.asc"
|
rm -rf ~/"forgejo/forgejo-*-linux-amd64.xz.asc"
|
||||||
wget $(echo $JSON | jq -r '.[0].assets | map(select(.name | endswith("linux-amd64.xz"))) | .[0].browser_download_url') -O ~/"forgejo/forgejo-$VERS-linux-amd64.xz.asc"
|
wget $(echo $JSON | jq -r '.[0].assets | map(select(.name | endswith("linux-amd64.xz.asc"))) | .[0].browser_download_url') -O ~/"forgejo/forgejo-$VERS-linux-amd64.xz.asc"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
gpg --verify ~/"forgejo/forgejo-$VERS-linux-amd64.xz.asc" ~/"forgejo/forgejo-$VERS-linux-amd64.xz"
|
gpg --verify ~/"forgejo/forgejo-$VERS-linux-amd64.xz.asc" ~/"forgejo/forgejo-$VERS-linux-amd64.xz"
|
||||||
|
|
File diff suppressed because it is too large
Load diff
|
@ -1,3 +1,4 @@
|
||||||
|
import datetime
|
||||||
from yaml import load, SafeLoader
|
from yaml import load, SafeLoader
|
||||||
from os import environ, makedirs, unlink
|
from os import environ, makedirs, unlink
|
||||||
from os.path import expandvars, isfile, isdir, dirname, join
|
from os.path import expandvars, isfile, isdir, dirname, join
|
||||||
|
@ -14,12 +15,11 @@ from mookdns import MookDnsSystem
|
||||||
|
|
||||||
|
|
||||||
PORT = '3000'
|
PORT = '3000'
|
||||||
GITEA_USERNAME = 'forgejo'
|
FORGEJO_USERNAME = 'forgejo'
|
||||||
GITEA_PORT = '2222'
|
FORGEJO_PORT = '2222'
|
||||||
KEY_FILE = '/var/lib/risotto/srv/hosts/forgejo'
|
KEY_FILE = '/var/lib/risotto/srv/hosts/forgejo'
|
||||||
# transition between gitea and forgejo
|
# transition between gitea and forgejo
|
||||||
GITEA_KEY_FILE = '/var/lib/risotto/srv/hosts/gitea'
|
GITEA_KEY_FILE = '/var/lib/risotto/srv/hosts/gitea'
|
||||||
KNOWN_KEY = expandvars('$HOME/.ssh/known_hosts')
|
|
||||||
CONFIG_SSH = expandvars('$HOME/.ssh/config')
|
CONFIG_SSH = expandvars('$HOME/.ssh/config')
|
||||||
CONFIG_GIT = expandvars('$HOME/.gitconfig')
|
CONFIG_GIT = expandvars('$HOME/.gitconfig')
|
||||||
|
|
||||||
|
@ -99,7 +99,6 @@ def get_info(authentication,
|
||||||
with_data_id=False,
|
with_data_id=False,
|
||||||
found_string=None
|
found_string=None
|
||||||
):
|
):
|
||||||
# <input type="hidden" name="_csrf" value="YQbVgdYHX_3VQ-KuZ5cKtr9RzXE6MTY1NzgxMzUzNTA0OTYwODQ0NQ">
|
|
||||||
pattern_csrf = r'name="_csrf" value="([a-zA-Z0-9\-\_=]+)"'
|
pattern_csrf = r'name="_csrf" value="([a-zA-Z0-9\-\_=]+)"'
|
||||||
ret = authentication.get(url)
|
ret = authentication.get(url)
|
||||||
csrf = search(pattern_csrf, ret)[1]
|
csrf = search(pattern_csrf, ret)[1]
|
||||||
|
@ -203,7 +202,7 @@ def test_repo():
|
||||||
with TemporaryDirectory() as tmpdirname:
|
with TemporaryDirectory() as tmpdirname:
|
||||||
username = data['username'].split('@', 1)[0]
|
username = data['username'].split('@', 1)[0]
|
||||||
dns = data['base_url'].split('/', 3)[2]
|
dns = data['base_url'].split('/', 3)[2]
|
||||||
ssh_url = f'ssh://{GITEA_USERNAME}@{dns}:{GITEA_PORT}/{username}/test.git'
|
ssh_url = f'ssh://{FORGEJO_USERNAME}@{dns}:{FORGEJO_PORT}/{username}/test.git'
|
||||||
with SSHConfig():
|
with SSHConfig():
|
||||||
with MookDnsSystem(dns, data['ip']):
|
with MookDnsSystem(dns, data['ip']):
|
||||||
filename = join(tmpdirname, 'test.txt')
|
filename = join(tmpdirname, 'test.txt')
|
||||||
|
@ -268,11 +267,11 @@ def test_repo_persistent():
|
||||||
with TemporaryDirectory() as tmpdirname:
|
with TemporaryDirectory() as tmpdirname:
|
||||||
username = data['username'].split('@', 1)[0]
|
username = data['username'].split('@', 1)[0]
|
||||||
dns = data['base_url'].split('/', 3)[2]
|
dns = data['base_url'].split('/', 3)[2]
|
||||||
ssh_url = f'ssh://{GITEA_USERNAME}@{dns}:{GITEA_PORT}/{username}/test_persistent.git'
|
ssh_url = f'ssh://{FORGEJO_USERNAME}@{dns}:{FORGEJO_PORT}/{username}/test_persistent.git'
|
||||||
with SSHConfig():
|
with SSHConfig():
|
||||||
with MookDnsSystem(dns, data['ip']):
|
with MookDnsSystem(dns, data['ip']):
|
||||||
if 'FIRST_RUN' in environ:
|
|
||||||
filename = join(tmpdirname, 'test.txt')
|
filename = join(tmpdirname, 'test.txt')
|
||||||
|
if 'FIRST_RUN' in environ:
|
||||||
with open(filename, 'w') as fh:
|
with open(filename, 'w') as fh:
|
||||||
fh.write('test')
|
fh.write('test')
|
||||||
repo = init(tmpdirname)
|
repo = init(tmpdirname)
|
||||||
|
@ -284,6 +283,25 @@ def test_repo_persistent():
|
||||||
)
|
)
|
||||||
else:
|
else:
|
||||||
repo = clone(ssh_url, tmpdirname)
|
repo = clone(ssh_url, tmpdirname)
|
||||||
|
with open(filename, 'r') as fh:
|
||||||
|
len_file = len(fh.readlines())
|
||||||
|
# get previous commit number
|
||||||
lst = list(repo.get_walker())
|
lst = list(repo.get_walker())
|
||||||
assert len(lst) == 1
|
len_before_commit = len(lst)
|
||||||
assert lst[0].commit.message == b'test commit'
|
assert len_before_commit == len_file
|
||||||
|
# add a new line in file and commit
|
||||||
|
with open(filename, 'a') as fh:
|
||||||
|
fh.write('\ntest')
|
||||||
|
add(repo, filename)
|
||||||
|
date = datetime.datetime.now()
|
||||||
|
commit_message = f'test commit {date}'.encode()
|
||||||
|
commit(repo, message=commit_message)
|
||||||
|
push(repo=repo,
|
||||||
|
remote_location=ssh_url,
|
||||||
|
refspecs='master',
|
||||||
|
)
|
||||||
|
# test if commit is added and last commit
|
||||||
|
lst = list(repo.get_walker())
|
||||||
|
len_after_commit = len(lst)
|
||||||
|
assert len_before_commit + 1 == len_after_commit
|
||||||
|
assert lst[-1].commit.message == commit_message
|
||||||
|
|
41
seed/gitea/README.md
Normal file
41
seed/gitea/README.md
Normal file
|
@ -0,0 +1,41 @@
|
||||||
|
---
|
||||||
|
gitea: none
|
||||||
|
include_toc: true
|
||||||
|
---
|
||||||
|
|
||||||
|
# gitea
|
||||||
|
|
||||||
|
[All applications services for this dataset.](../README.md)
|
||||||
|
|
||||||
|
## Description
|
||||||
|
|
||||||
|
Transitional package for Gitea to Forgejo.
|
||||||
|
|
||||||
|
## Dependances
|
||||||
|
|
||||||
|
- [forgejo](../forgejo/README.md)
|
||||||
|
- [base-fedora-37](../base-fedora-37/README.md)
|
||||||
|
- [base-fedora](../base-fedora/README.md)
|
||||||
|
- [systemd](../systemd/README.md)
|
||||||
|
- [base-machine](../base-machine/README.md)
|
||||||
|
- [base](../base/README.md)
|
||||||
|
- [dns-local](../dns-local/README.md)
|
||||||
|
- [postgresql-client](../postgresql-client/README.md)
|
||||||
|
- [reverse-proxy-client](../reverse-proxy-client/README.md)
|
||||||
|
- [relay-mail-client](../relay-mail-client/README.md)
|
||||||
|
- [redis-client](../redis-client/README.md)
|
||||||
|
- [oauth2-client](../oauth2-client/README.md)
|
||||||
|
|
||||||
|
## Variables
|
||||||
|
|
||||||
|
### Général (*general*)
|
||||||
|
|
||||||
|
#### Transitional family (*general.gitea*)
|
||||||
|
|
||||||
|
| Description | Type |
|
||||||
|
|------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------|
|
||||||
|
| Transitional variable, please do not use it (*[gitea_mail_sender](dictionaries/32_gitea.xml)*) | [mail](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) |
|
||||||
|
|
||||||
|
|
||||||
|
- [+]: variable is multiple
|
||||||
|
- **bold**: variable is mandatory
|
|
@ -16,9 +16,10 @@
|
||||||
<file>/usr/local/lib/risotto-tmpfiles.d/0asystemd-nspawn.conf</file>
|
<file>/usr/local/lib/risotto-tmpfiles.d/0asystemd-nspawn.conf</file>
|
||||||
<file>/etc/systemd/system/systemd-nspawn@.service.d/systemd-nspawn@.conf</file>
|
<file>/etc/systemd/system/systemd-nspawn@.service.d/systemd-nspawn@.conf</file>
|
||||||
<file>/etc/distro.repos.d/boot.repo</file>
|
<file>/etc/distro.repos.d/boot.repo</file>
|
||||||
<file>/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-35-x86_64</file>
|
<file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-35-x86_64</file>
|
||||||
<file>/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-36-x86_64</file>
|
<file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-36-x86_64</file>
|
||||||
<file>/etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-36</file>
|
<file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-37-x86_64</file>
|
||||||
|
<file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-36</file>
|
||||||
<file>/etc/sysctl.d/90-risotto.conf</file>
|
<file>/etc/sysctl.d/90-risotto.conf</file>
|
||||||
<file file_type="variable" source="dhcp.network" variable="interface_names">host_network_filename</file>
|
<file file_type="variable" source="dhcp.network" variable="interface_names">host_network_filename</file>
|
||||||
</service>
|
</service>
|
||||||
|
@ -50,6 +51,13 @@
|
||||||
<value>tree</value>
|
<value>tree</value>
|
||||||
<value>tshark</value>
|
<value>tshark</value>
|
||||||
<value>vim</value>
|
<value>vim</value>
|
||||||
|
<value>python3-pytest</value>
|
||||||
|
<value>python3-yaml</value>
|
||||||
|
<value>python3-ldap</value>
|
||||||
|
<value>python3-dnspython</value>
|
||||||
|
<value>python3-dulwich</value>
|
||||||
|
<value>python3-psycopg2</value>
|
||||||
|
<value>python3-redis</value>
|
||||||
</variable>
|
</variable>
|
||||||
<family name="network">
|
<family name="network">
|
||||||
<variable name="output_interface" description="Nom de l'interface de sortie" mandatory="True"/>
|
<variable name="output_interface" description="Nom de l'interface de sortie" mandatory="True"/>
|
||||||
|
|
|
@ -25,13 +25,13 @@ Application service needs interact with a LDAP server.
|
||||||
|
|
||||||
##### Client (*general.annuaire.client*)
|
##### Client (*general.annuaire.client*)
|
||||||
|
|
||||||
| Description | Type | Supplier |
|
| Description | Type | Supplier | Values |
|
||||||
|----------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|--------------|
|
|----------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|--------------|--------------|
|
||||||
| Nom de la famille LDAP (*[ldapclient_family](dictionaries/21_ldap-client.xml)*) | [unix_user](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | LDAP:family |
|
| Nom de la famille LDAP (*[ldapclient_family](dictionaries/21_ldap-client.xml)*) | [unix_user](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | LDAP:family | |
|
||||||
| **Base DN de l'annuaire** (*[ldapclient_base_dn](dictionaries/21_ldap-client.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | LDAP:base_dn |
|
| **Base DN de l'annuaire** (*[ldapclient_base_dn](dictionaries/21_ldap-client.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | LDAP:base_dn | <calculated> |
|
||||||
| **Base DN de l'annuaire des utilisateurs** (*[ldapclient_search_dn](dictionaries/21_ldap-client.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | |
|
| **Base DN de l'annuaire des utilisateurs** (*[ldapclient_search_dn](dictionaries/21_ldap-client.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | | <calculated> |
|
||||||
| **Base DN de l'annuaire des groupes** (*[ldapclient_group_dn](dictionaries/21_ldap-client.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | |
|
| **Base DN de l'annuaire des groupes** (*[ldapclient_group_dn](dictionaries/21_ldap-client.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | | <calculated> |
|
||||||
| **Base DN de l'annuaire des utilisateurs n'appartenant à une famille** (*[ldapclient_user_dn](dictionaries/21_ldap-client.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | |
|
| **Base DN de l'annuaire des utilisateurs n'appartenant à une famille** (*[ldapclient_user_dn](dictionaries/21_ldap-client.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | | <calculated> |
|
||||||
|
|
||||||
|
|
||||||
- [+]: variable is multiple
|
- [+]: variable is multiple
|
||||||
|
|
|
@ -6,9 +6,11 @@
|
||||||
# This file should be world readable but not world writable.
|
# This file should be world readable but not world writable.
|
||||||
|
|
||||||
#BASE dc=example,dc=com
|
#BASE dc=example,dc=com
|
||||||
BASE %%ldapclient_search_dn
|
|
||||||
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
|
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
|
||||||
|
#>GNUNUX
|
||||||
|
BASE %%ldapclient_search_dn
|
||||||
URI ldaps://%%ldap_server_address:%%ldap_port
|
URI ldaps://%%ldap_server_address:%%ldap_port
|
||||||
|
#<GNUNUX
|
||||||
|
|
||||||
#SIZELIMIT 12
|
#SIZELIMIT 12
|
||||||
#TIMELIMIT 15
|
#TIMELIMIT 15
|
||||||
|
@ -18,9 +20,11 @@ URI ldaps://%%ldap_server_address:%%ldap_port
|
||||||
# are in use. In order to have these available along with the ones specified
|
# are in use. In order to have these available along with the ones specified
|
||||||
# by TLS_CACERTDIR one has to include them explicitly:
|
# by TLS_CACERTDIR one has to include them explicitly:
|
||||||
#TLS_CACERT /etc/pki/tls/cert.pem
|
#TLS_CACERT /etc/pki/tls/cert.pem
|
||||||
|
#>GNUNUX
|
||||||
TLS_KEY %%ldap_key_file
|
TLS_KEY %%ldap_key_file
|
||||||
TLS_CERT %%ldap_cert_file
|
TLS_CERT %%ldap_cert_file
|
||||||
TLS_CACERT %%ldap_ca_file
|
TLS_CACERT %%ldap_ca_file
|
||||||
|
#<GNUNUX
|
||||||
|
|
||||||
# System-wide Crypto Policies provide up to date cipher suite which should
|
# System-wide Crypto Policies provide up to date cipher suite which should
|
||||||
# be used unless one needs a finer grinded selection of ciphers. Hence, the
|
# be used unless one needs a finer grinded selection of ciphers. Hence, the
|
||||||
|
@ -31,8 +35,10 @@ TLS_CACERT %%ldap_ca_file
|
||||||
# Turning this off breaks GSSAPI used with krb5 when rdns = false
|
# Turning this off breaks GSSAPI used with krb5 when rdns = false
|
||||||
SASL_NOCANON on
|
SASL_NOCANON on
|
||||||
|
|
||||||
|
#>GNUNUX
|
||||||
BINDDN %%ldapclient_user
|
BINDDN %%ldapclient_user
|
||||||
TIMELIMIT 10
|
TIMELIMIT 10
|
||||||
NETWORK_TIMEOUT 10
|
NETWORK_TIMEOUT 10
|
||||||
TIMEOUT 10
|
TIMEOUT 10
|
||||||
BINDPW %%ldapclient_user_password
|
BINDPW %%ldapclient_user_password
|
||||||
|
#<GNUNUX
|
||||||
|
|
|
@ -15,16 +15,16 @@ LemonLDAP, a Web Single Sign On and Access Management.
|
||||||
|
|
||||||
## Dependances
|
## Dependances
|
||||||
|
|
||||||
|
- [ldap-client](../ldap-client/README.md)
|
||||||
|
- [reverse-proxy-client](../reverse-proxy-client/README.md)
|
||||||
|
- [relay-mail-client](../relay-mail-client/README.md)
|
||||||
|
- [nginx-common](../nginx-common/README.md)
|
||||||
- [base-debian-bullseye](../base-debian-bullseye/README.md)
|
- [base-debian-bullseye](../base-debian-bullseye/README.md)
|
||||||
- [base-debian](../base-debian/README.md)
|
- [base-debian](../base-debian/README.md)
|
||||||
- [systemd](../systemd/README.md)
|
- [systemd](../systemd/README.md)
|
||||||
- [base-machine](../base-machine/README.md)
|
- [base-machine](../base-machine/README.md)
|
||||||
- [base](../base/README.md)
|
- [base](../base/README.md)
|
||||||
- [dns-local](../dns-local/README.md)
|
- [dns-local](../dns-local/README.md)
|
||||||
- [ldap-client](../ldap-client/README.md)
|
|
||||||
- [reverse-proxy-client](../reverse-proxy-client/README.md)
|
|
||||||
- [relay-mail-client](../relay-mail-client/README.md)
|
|
||||||
- [nginx-common](../nginx-common/README.md)
|
|
||||||
|
|
||||||
## Variables
|
## Variables
|
||||||
|
|
||||||
|
@ -55,10 +55,10 @@ Configuration de la solution d'authentification unique LemonLDAP::NG
|
||||||
|
|
||||||
### Oauth2 (*oauth2*)
|
### Oauth2 (*oauth2*)
|
||||||
|
|
||||||
| Description | Type | Provider | Supplier |
|
| Description | Type | Provider | Values | Supplier |
|
||||||
|------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|------------|--------------|
|
|------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|------------|--------------|--------------|
|
||||||
| Remote clients needing to verify OAuth2 account (*[remotes](extras/oauth2/00_oauth2.xml)*) [+] | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | OAuth2 | |
|
| Remote clients needing to verify OAuth2 account (*[remotes](extras/oauth2/00_oauth2.xml)*) [+] | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | OAuth2 | | |
|
||||||
| Remote clients (*[clients](extras/oauth2/00_oauth2.xml)*) [+] | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | | OAuth2Client |
|
| Remote clients (*[clients](extras/oauth2/00_oauth2.xml)*) [+] | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | | <calculated> | OAuth2Client |
|
||||||
|
|
||||||
#### OAuth2 for (*oauth2.oauth2_*)
|
#### OAuth2 for (*oauth2.oauth2_*)
|
||||||
|
|
||||||
|
|
|
@ -2,8 +2,8 @@ format: '0.1'
|
||||||
description: LemonLDAP, a Web Single Sign On and Access Management
|
description: LemonLDAP, a Web Single Sign On and Access Management
|
||||||
website: https://lemonldap-ng.org/
|
website: https://lemonldap-ng.org/
|
||||||
depends:
|
depends:
|
||||||
- base-debian-bullseye
|
|
||||||
- ldap-client
|
- ldap-client
|
||||||
- reverse-proxy-client
|
- reverse-proxy-client
|
||||||
- relay-mail-client
|
- relay-mail-client
|
||||||
- nginx-common
|
- nginx-common
|
||||||
|
- base-debian-bullseye
|
||||||
|
|
|
@ -20,7 +20,7 @@
|
||||||
<file mode="750">/sbin/interne_well_known.pl</file>
|
<file mode="750">/sbin/interne_well_known.pl</file>
|
||||||
<file mode="750">/sbin/wget.pl</file>
|
<file mode="750">/sbin/wget.pl</file>
|
||||||
<file engine="none" source="tmpfile-lemonldap.conf">/tmpfiles.d/0lemonldap.conf</file>
|
<file engine="none" source="tmpfile-lemonldap.conf">/tmpfiles.d/0lemonldap.conf</file>
|
||||||
<file>/tests/lemonldap.yml</file>
|
<file filelist="copy_tests">/tests/lemonldap.yml</file>
|
||||||
</service>
|
</service>
|
||||||
</services>
|
</services>
|
||||||
<variables>
|
<variables>
|
||||||
|
|
|
@ -54,9 +54,9 @@ GNU Mailman, managing electronic mail discussion and e-newsletter lists.
|
||||||
|
|
||||||
##### external (*general.oauth2_client.external*)
|
##### external (*general.oauth2_client.external*)
|
||||||
|
|
||||||
| Description |
|
| Description | Values |
|
||||||
|---------------------------------------------------------|
|
|---------------------------------------------------------|--------------|
|
||||||
| *[oauth2_client_external](dictionaries/31_mailman.xml)* |
|
| *[oauth2_client_external](dictionaries/31_mailman.xml)* | <calculated> |
|
||||||
|
|
||||||
#### nginx (*general.nginx*)
|
#### nginx (*general.nginx*)
|
||||||
|
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
<!--override/-->
|
<!--override/-->
|
||||||
<file owner="root" group="list" mode="640">/etc/mailman3/mailman.cfg</file>
|
<file owner="root" group="list" mode="640">/etc/mailman3/mailman.cfg</file>
|
||||||
<file engine="none" source="tmpfile-mailman.conf">/tmpfiles.d/0mailman.conf</file>
|
<file engine="none" source="tmpfile-mailman.conf">/tmpfiles.d/0mailman.conf</file>
|
||||||
<file>/tests/mailman.yml</file>
|
<file filelist="copy_tests">/tests/mailman.yml</file>
|
||||||
<!--file owner="root" group="mailman" mode="640">/etc/mailman3.d/postfix.cfg</file-->
|
<!--file owner="root" group="mailman" mode="640">/etc/mailman3.d/postfix.cfg</file-->
|
||||||
</service>
|
</service>
|
||||||
<service name="mailman3-web"> <!-- target="multi-user" engine="cheetah">-->
|
<service name="mailman3-web"> <!-- target="multi-user" engine="cheetah">-->
|
||||||
|
|
|
@ -6,7 +6,7 @@
|
||||||
<file>/etc/my.cnf.d/risotto.cnf</file>
|
<file>/etc/my.cnf.d/risotto.cnf</file>
|
||||||
<file engine="none" source="tmpfile-mariadb.conf">/tmpfiles.d/0mariadb.conf</file>
|
<file engine="none" source="tmpfile-mariadb.conf">/tmpfiles.d/0mariadb.conf</file>
|
||||||
<file mode="600" owner="mysql" group="mysql">/etc/mariadb.sql</file>
|
<file mode="600" owner="mysql" group="mysql">/etc/mariadb.sql</file>
|
||||||
<file>/tests/mariadb.yml</file>
|
<file filelist="copy_tests">/tests/mariadb.yml</file>
|
||||||
</service>
|
</service>
|
||||||
</services>
|
</services>
|
||||||
<variables>
|
<variables>
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
CALENDAR="3.5.2"
|
#CALENDAR="3.5.2"
|
||||||
ln -s "/srv/nextcloud/data" "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/share/nextcloud/data"
|
ln -s "/srv/nextcloud/data" "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/share/nextcloud/data"
|
||||||
mkdir -p "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/local/share/nextcloud/apps"
|
mkdir -p "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/local/share/nextcloud/apps"
|
||||||
cd "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/local/share/nextcloud/apps"
|
cd "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/local/share/nextcloud/apps"
|
||||||
|
@ -9,8 +9,11 @@ tar xf *tar.gz
|
||||||
rm -f *tar.gz
|
rm -f *tar.gz
|
||||||
chown -R root: oidc_login
|
chown -R root: oidc_login
|
||||||
#
|
#
|
||||||
#app=$(wget https://api.github.com/repos/nextcloud-releases/calendar/releases/latest -q -O - | jq -r '.assets[0].browser_download_url')
|
if [ -z "$CALENDAR" ]; then
|
||||||
app="https://github.com/nextcloud-releases/calendar/releases/download/v${CALENDAR}/calendar-v${CALENDAR}.tar.gz"
|
app=$(wget https://api.github.com/repos/nextcloud-releases/calendar/releases/latest -q -O - | jq -r '.assets[0].browser_download_url')
|
||||||
|
else
|
||||||
|
app="https://github.com/nextcloud-releases/calendar/releases/download/v${CALENDAR}/calendar-v${CALENDAR}.tar.gz"
|
||||||
|
fi
|
||||||
wget -q $app -O app.tar.gz
|
wget -q $app -O app.tar.gz
|
||||||
tar xf app.tar.gz
|
tar xf app.tar.gz
|
||||||
rm -f app.tar.gz
|
rm -f app.tar.gz
|
||||||
|
|
|
@ -2,17 +2,15 @@
|
||||||
<rougail version="0.10">
|
<rougail version="0.10">
|
||||||
<services>
|
<services>
|
||||||
<service name='nginx' target='multi-user'>
|
<service name='nginx' target='multi-user'>
|
||||||
<file>/etc/nginx/nginx.conf</file>
|
<file source="nginx_source_conf" source_type="variable">/etc/nginx/nginx.conf</file>
|
||||||
<file source="default">/etc/nginx/sites-available/default</file>
|
<file filelist="nginx_debian">/etc/nginx/sites-available/default</file>
|
||||||
<file filelist="nginx_default" source="default-nginx.conf">/etc/nginx/default.d/default.conf</file>
|
<file filelist="nginx_default" source="default-nginx.conf">/etc/nginx/default.d/default.conf</file>
|
||||||
<file source="nginx.index.html">/var/www/html/index.html</file>
|
|
||||||
<file source="nginx-options.conf">/etc/nginx/conf.d/options.conf</file>
|
<file source="nginx-options.conf">/etc/nginx/conf.d/options.conf</file>
|
||||||
<file>/var/www/html/error.html</file>
|
|
||||||
<file engine="none" source="sysusers.nginx.conf" filelist="nginx_fedora">/sysusers.d/nginx.conf</file>
|
<file engine="none" source="sysusers.nginx.conf" filelist="nginx_fedora">/sysusers.d/nginx.conf</file>
|
||||||
<file source="tmpfiles.nginx.conf">/tmpfiles.d/nginx.conf</file>
|
<file source="tmpfiles.nginx.conf">/tmpfiles.d/nginx.conf</file>
|
||||||
<file file_type="variable" filelist="nginx_default_https" mode="600" source="nginx.crt">revprox_crt_file</file>
|
<file file_type="variable" filelist="nginx_default_https" mode="600" source="nginx.crt">revprox_crt_file</file>
|
||||||
<file file_type="variable" filelist="nginx_default_https" mode="600" source="nginx.key">revprox_key_file</file>
|
<file file_type="variable" filelist="nginx_default_https" mode="600" source="nginx.key">revprox_key_file</file>
|
||||||
<file>/tests/nginx-common.yml</file>
|
<file filelist="copy_tests">/tests/nginx-common.yml</file>
|
||||||
</service>
|
</service>
|
||||||
</services>
|
</services>
|
||||||
<variables>
|
<variables>
|
||||||
|
@ -41,6 +39,7 @@
|
||||||
<variable name="revprox_key_file" type="filename" description="Reverse proxy key filename" hidden="True"/>
|
<variable name="revprox_key_file" type="filename" description="Reverse proxy key filename" hidden="True"/>
|
||||||
<variable name="nginx_owner" type="unix_user" description="Nginx process owner" mandatory="True" hidden="True"/>
|
<variable name="nginx_owner" type="unix_user" description="Nginx process owner" mandatory="True" hidden="True"/>
|
||||||
<variable name="nginx_group" type="unix_user" description="Nginx process group" mandatory="True" hidden="True"/>
|
<variable name="nginx_group" type="unix_user" description="Nginx process group" mandatory="True" hidden="True"/>
|
||||||
|
<variable name="nginx_source_conf" hidden="True"/>
|
||||||
</family>
|
</family>
|
||||||
</variables>
|
</variables>
|
||||||
<constraints>
|
<constraints>
|
||||||
|
@ -49,6 +48,10 @@
|
||||||
<target type="filelist">nginx_fedora</target>
|
<target type="filelist">nginx_fedora</target>
|
||||||
<target>nginx_default</target>
|
<target>nginx_default</target>
|
||||||
</condition>
|
</condition>
|
||||||
|
<condition name="disabled_if_not_in" source="os_name">
|
||||||
|
<param>Debian</param>
|
||||||
|
<target type="filelist">nginx_debian</target>
|
||||||
|
</condition>
|
||||||
<condition name="disabled_if_in" source="nginx_default">
|
<condition name="disabled_if_in" source="nginx_default">
|
||||||
<param type="nil"/>
|
<param type="nil"/>
|
||||||
<target type="filelist">nginx_default</target>
|
<target type="filelist">nginx_default</target>
|
||||||
|
@ -89,5 +92,11 @@
|
||||||
<param name="expected">Fedora</param>
|
<param name="expected">Fedora</param>
|
||||||
<target>nginx_group</target>
|
<target>nginx_group</target>
|
||||||
</fill>
|
</fill>
|
||||||
|
<fill name="calc_value">
|
||||||
|
<param>nginx.conf</param>
|
||||||
|
<param type="variable">os_name</param>
|
||||||
|
<param name="join">.</param>
|
||||||
|
<target>nginx_source_conf</target>
|
||||||
|
</fill>
|
||||||
</constraints>
|
</constraints>
|
||||||
</rougail>
|
</rougail>
|
||||||
|
|
|
@ -1,2 +1,3 @@
|
||||||
|
#RISOTTO: do not compare
|
||||||
rewrite ^(.*) http://%%nginx_default$1;
|
rewrite ^(.*) http://%%nginx_default$1;
|
||||||
break;
|
break;
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
#RISOTTO: do not compare
|
||||||
client_max_body_size %%{nginx_post_max_size}M;
|
client_max_body_size %%{nginx_post_max_size}M;
|
||||||
client_body_buffer_size 128k;
|
client_body_buffer_size 128k;
|
||||||
|
|
||||||
|
|
|
@ -42,9 +42,9 @@ def test_revprox():
|
||||||
protocols.append('https')
|
protocols.append('https')
|
||||||
# test certificate
|
# test certificate
|
||||||
with raises(SSLError):
|
with raises(SSLError):
|
||||||
# not certificat problem for https://{url}
|
# certificat problem for https://{url}
|
||||||
req(f'https://{url}', data['address'])
|
req(f'https://{url}', data['address'])
|
||||||
for protocol in protocols:
|
for protocol in protocols:
|
||||||
ret_code, content = req(f'{protocol}://{url}', data['address'], verify=False)
|
ret_code, content = req(f'{protocol}://{url}', data['address'], verify=False)
|
||||||
assert ret_code == 200, f'{protocol}://{url} do not returns code 200 but {ret_code}'
|
assert ret_code == 200, f'{protocol}://{url} do not returns code 200 but {ret_code}'
|
||||||
assert "<title>Test Page for the HTTP Server on Fedora</title>" in content, f'{protocol}://{url} do not returns default fedora page'
|
# assert "<title>Welcome</title>" in content, f'{protocol}://{url} do not returns default fedora page'
|
||||||
|
|
|
@ -15,13 +15,13 @@ Nginx as reverse proxy.
|
||||||
|
|
||||||
## Dependances
|
## Dependances
|
||||||
|
|
||||||
- [base-fedora-36](../base-fedora-36/README.md)
|
- [nginx-common](../nginx-common/README.md)
|
||||||
|
- [base-fedora-37](../base-fedora-37/README.md)
|
||||||
- [base-fedora](../base-fedora/README.md)
|
- [base-fedora](../base-fedora/README.md)
|
||||||
- [systemd](../systemd/README.md)
|
- [systemd](../systemd/README.md)
|
||||||
- [base-machine](../base-machine/README.md)
|
- [base-machine](../base-machine/README.md)
|
||||||
- [base](../base/README.md)
|
- [base](../base/README.md)
|
||||||
- [dns-local](../dns-local/README.md)
|
- [dns-local](../dns-local/README.md)
|
||||||
- [nginx-common](../nginx-common/README.md)
|
|
||||||
|
|
||||||
## Variables
|
## Variables
|
||||||
|
|
||||||
|
@ -38,8 +38,8 @@ Nginx as reverse proxy.
|
||||||
Paramétrage global de NGINX
|
Paramétrage global de NGINX
|
||||||
|
|
||||||
| Description | Values |
|
| Description | Values |
|
||||||
|--------------------------------------------------------|----------|
|
|--------------------------------------------------------|--------------|
|
||||||
| *[**nginx_default**](dictionaries/25_nginx.xml)* | |
|
| *[**nginx_default**](dictionaries/25_nginx.xml)* | <calculated> |
|
||||||
| *[**nginx_default_http**](dictionaries/25_nginx.xml)* | True |
|
| *[**nginx_default_http**](dictionaries/25_nginx.xml)* | True |
|
||||||
| *[**nginx_default_https**](dictionaries/25_nginx.xml)* | True |
|
| *[**nginx_default_https**](dictionaries/25_nginx.xml)* | True |
|
||||||
|
|
||||||
|
|
|
@ -2,5 +2,5 @@ format: '0.1'
|
||||||
description: Nginx as reverse proxy
|
description: Nginx as reverse proxy
|
||||||
website: https://nginx.org/
|
website: https://nginx.org/
|
||||||
depends:
|
depends:
|
||||||
- base-fedora-36
|
|
||||||
- nginx-common
|
- nginx-common
|
||||||
|
- base-fedora-37
|
||||||
|
|
|
@ -4,10 +4,12 @@
|
||||||
<service name='nginx'>
|
<service name='nginx'>
|
||||||
<override engine="cheetah"/>
|
<override engine="cheetah"/>
|
||||||
<file source="nginx-options-rp.conf">/etc/nginx/conf.d/options-rp.conf</file>
|
<file source="nginx-options-rp.conf">/etc/nginx/conf.d/options-rp.conf</file>
|
||||||
<file source="revprox-nginx.conf">/etc/nginx/sites-enabled/risotto.conf</file>
|
<file source="revprox-nginx.conf">/etc/nginx/conf.d/risotto.conf</file>
|
||||||
|
<file>/etc/pki/ca-trust/source/anchors/ca_External.crt</file>
|
||||||
<file source="certificate.crt" file_type="variable" mode="600" variable="nginx.revprox_domainnames">nginx.nginx_certificate_filename</file>
|
<file source="certificate.crt" file_type="variable" mode="600" variable="nginx.revprox_domainnames">nginx.nginx_certificate_filename</file>
|
||||||
<file source="private.key" file_type="variable" mode="600" variable="nginx.revprox_domainnames">nginx.nginx_private_key_filename</file>
|
<file source="private.key" file_type="variable" mode="600" variable="nginx.revprox_domainnames">nginx.nginx_private_key_filename</file>
|
||||||
<file>/tests/reverse-proxy.yml</file>
|
<file filelist="copy_tests">/tests/reverse-proxy.yml</file>
|
||||||
|
<file>/var/www/html/error.html</file>
|
||||||
</service>
|
</service>
|
||||||
</services>
|
</services>
|
||||||
<variables>
|
<variables>
|
||||||
|
|
|
@ -37,7 +37,7 @@
|
||||||
<target>nginx.nginx_private_key_filename</target>
|
<target>nginx.nginx_private_key_filename</target>
|
||||||
</fill>
|
</fill>
|
||||||
<fill name="get_first_value">
|
<fill name="get_first_value">
|
||||||
<param type="variable">nginx.remotes</param>
|
<param type="variable">nginx.reverse_proxy_for_.reverse_proxy_.revprox_domainnames_</param>
|
||||||
<target>nginx_default</target>
|
<target>nginx_default</target>
|
||||||
</fill>
|
</fill>
|
||||||
</constraints>
|
</constraints>
|
||||||
|
|
|
@ -1,2 +1 @@
|
||||||
%set %%chain=%%get_chain(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name="External", hide=%%hide_secret)
|
|
||||||
%%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)
|
%%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)
|
||||||
|
|
|
@ -1,2 +1,3 @@
|
||||||
|
#RISOTTO: do not compare
|
||||||
# We use X-Forwarded-For header
|
# We use X-Forwarded-For header
|
||||||
real_ip_header X-Forwarded-For;
|
real_ip_header X-Forwarded-For;
|
||||||
|
|
|
@ -10,3 +10,4 @@ urls:
|
||||||
%end for
|
%end for
|
||||||
%end for
|
%end for
|
||||||
%end for
|
%end for
|
||||||
|
ca_certificate: ../etc/pki/ca-trust/source/anchors/ca_External.crt
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
#RISOTTO: do not compare
|
||||||
%for %%idx, %%domainname in %%enumerate(%%nginx.revprox_domainnames)
|
%for %%idx, %%domainname in %%enumerate(%%nginx.revprox_domainnames)
|
||||||
# Configuration HTTP %%domainname
|
# Configuration HTTP %%domainname
|
||||||
server {
|
server {
|
||||||
|
|
|
@ -1,5 +1,6 @@
|
||||||
from yaml import load, SafeLoader
|
from yaml import load, SafeLoader
|
||||||
from os import environ
|
from os import environ
|
||||||
|
from os.path import join
|
||||||
|
|
||||||
import warnings
|
import warnings
|
||||||
import socket
|
import socket
|
||||||
|
@ -19,9 +20,9 @@ def req(url, ip, verify=True):
|
||||||
if not verify:
|
if not verify:
|
||||||
with warnings.catch_warnings():
|
with warnings.catch_warnings():
|
||||||
warnings.simplefilter("ignore")
|
warnings.simplefilter("ignore")
|
||||||
ret = get(url, verify=verify)
|
ret = get(url, verify=verify, allow_redirects=False)
|
||||||
else:
|
else:
|
||||||
ret = get(url, verify=verify)
|
ret = get(url, verify=verify, allow_redirects=False)
|
||||||
ret_code = ret.status_code
|
ret_code = ret.status_code
|
||||||
content = ret.content
|
content = ret.content
|
||||||
socket.getaddrinfo = old_getaddrinfo
|
socket.getaddrinfo = old_getaddrinfo
|
||||||
|
@ -34,6 +35,8 @@ def test_revprox():
|
||||||
data = load(yaml, Loader=SafeLoader)
|
data = load(yaml, Loader=SafeLoader)
|
||||||
# test known domains
|
# test known domains
|
||||||
for url in data['urls']:
|
for url in data['urls']:
|
||||||
|
try:
|
||||||
ret_code, content = req(f'https://{url}', data['address'])
|
ret_code, content = req(f'https://{url}', data['address'])
|
||||||
|
except SSLError:
|
||||||
|
ret_code, content = req(f'https://{url}', data['address'], verify=join(environ["MACHINE_TEST_DIR"], data["ca_certificate"]))
|
||||||
assert ret_code == 200, f'https://{url} do not returns code 200 but {ret_code}'
|
assert ret_code == 200, f'https://{url} do not returns code 200 but {ret_code}'
|
||||||
assert "<title>Test Page for the HTTP Server on Fedora</title>" not in content, f'https://{url} do returns default fedora page'
|
|
||||||
|
|
|
@ -18,7 +18,7 @@ Nginx as static web site.
|
||||||
- [nginx-https](../nginx-https/README.md)
|
- [nginx-https](../nginx-https/README.md)
|
||||||
- [nginx-common](../nginx-common/README.md)
|
- [nginx-common](../nginx-common/README.md)
|
||||||
- [reverse-proxy-client](../reverse-proxy-client/README.md)
|
- [reverse-proxy-client](../reverse-proxy-client/README.md)
|
||||||
- [base-fedora-36](../base-fedora-36/README.md)
|
- [base-fedora-37](../base-fedora-37/README.md)
|
||||||
- [base-fedora](../base-fedora/README.md)
|
- [base-fedora](../base-fedora/README.md)
|
||||||
- [systemd](../systemd/README.md)
|
- [systemd](../systemd/README.md)
|
||||||
- [base-machine](../base-machine/README.md)
|
- [base-machine](../base-machine/README.md)
|
||||||
|
|
|
@ -3,4 +3,4 @@ description: Nginx as static web site
|
||||||
website: https://nginx.org/
|
website: https://nginx.org/
|
||||||
depends:
|
depends:
|
||||||
- nginx-https
|
- nginx-https
|
||||||
- base-fedora-36
|
- base-fedora-37
|
||||||
|
|
|
@ -3,6 +3,7 @@
|
||||||
<services>
|
<services>
|
||||||
<service name='nginx' target='multi-user'>
|
<service name='nginx' target='multi-user'>
|
||||||
<file source="tmpfiles.nginx_static.conf">/tmpfiles.d/0static.conf</file>
|
<file source="tmpfiles.nginx_static.conf">/tmpfiles.d/0static.conf</file>
|
||||||
|
<file source="index.html">/srv/static/index.html</file>
|
||||||
</service>
|
</service>
|
||||||
</services>
|
</services>
|
||||||
<variables>
|
<variables>
|
||||||
|
|
|
@ -15,7 +15,7 @@ NSD, an authoritative DNS name server.
|
||||||
|
|
||||||
## Dependances
|
## Dependances
|
||||||
|
|
||||||
- [base-fedora-36](../base-fedora-36/README.md)
|
- [base-fedora-37](../base-fedora-37/README.md)
|
||||||
- [base-fedora](../base-fedora/README.md)
|
- [base-fedora](../base-fedora/README.md)
|
||||||
- [systemd](../systemd/README.md)
|
- [systemd](../systemd/README.md)
|
||||||
- [base-machine](../base-machine/README.md)
|
- [base-machine](../base-machine/README.md)
|
||||||
|
@ -28,9 +28,9 @@ NSD, an authoritative DNS name server.
|
||||||
|
|
||||||
#### network (*general.network*)
|
#### network (*general.network*)
|
||||||
|
|
||||||
| Description |
|
| Description | Values |
|
||||||
|-------------------------------------|
|
|-------------------------------------|--------------|
|
||||||
| *[ip_dns](dictionaries/20_nsd.xml)* |
|
| *[ip_dns](dictionaries/20_nsd.xml)* | <calculated> |
|
||||||
|
|
||||||
#### Serveur DNS (*general.dns_server*)
|
#### Serveur DNS (*general.dns_server*)
|
||||||
|
|
||||||
|
@ -40,17 +40,17 @@ NSD, an authoritative DNS name server.
|
||||||
|
|
||||||
#### Zone DNS (*general.dns_zone*)
|
#### Zone DNS (*general.dns_zone*)
|
||||||
|
|
||||||
| Description | Type |
|
| Description | Type | Values |
|
||||||
|--------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|
|
|--------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|--------------|
|
||||||
| Zones DNS (*[nsd_zones](dictionaries/20_nsd.xml)*) [+] | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) |
|
| Zones DNS (*[nsd_zones](dictionaries/20_nsd.xml)*) [+] | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | <calculated> |
|
||||||
|
|
||||||
#### Zone DNS reverse (*general.dns_reverses*)
|
#### Zone DNS reverse (*general.dns_reverses*)
|
||||||
|
|
||||||
This a family is a leadership.
|
This a family is a leadership.
|
||||||
|
|
||||||
| Description | Type |
|
| Description | Type | Values |
|
||||||
|------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|
|
|------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|--------------|
|
||||||
| Réseau pour la résolution reverse (*[nsd_reverse_network](dictionaries/20_nsd.xml)*) [+] | [network_cidr](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) |
|
| Réseau pour la résolution reverse (*[nsd_reverse_network](dictionaries/20_nsd.xml)*) [+] | [network_cidr](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | <calculated> |
|
||||||
|
|
||||||
### Machine (*machine*)
|
### Machine (*machine*)
|
||||||
|
|
||||||
|
|
|
@ -3,4 +3,4 @@ description: NSD, an authoritative DNS name server
|
||||||
website: https://www.nlnetlabs.nl/projects/nsd/about/
|
website: https://www.nlnetlabs.nl/projects/nsd/about/
|
||||||
service: true
|
service: true
|
||||||
depends:
|
depends:
|
||||||
- base-fedora-36
|
- base-fedora-37
|
||||||
|
|
|
@ -11,7 +11,7 @@
|
||||||
<file file_type="variable" source="nsd.signed" variable="nsd_reverse_filenames">nsd_reverse_filenames_signed</file>
|
<file file_type="variable" source="nsd.signed" variable="nsd_reverse_filenames">nsd_reverse_filenames_signed</file>
|
||||||
<file engine="none" source="sysuser-nsd.conf">/sysusers.d/0nsd.conf</file>
|
<file engine="none" source="sysuser-nsd.conf">/sysusers.d/0nsd.conf</file>
|
||||||
<file engine="none" source="tmpfile-nsd.conf">/tmpfiles.d/0nsd.conf</file>
|
<file engine="none" source="tmpfile-nsd.conf">/tmpfiles.d/0nsd.conf</file>
|
||||||
<file>/tests/nsd.yml</file>
|
<file filelist="copy_tests">/tests/nsd.yml</file>
|
||||||
</service>
|
</service>
|
||||||
</services>
|
</services>
|
||||||
<variables>
|
<variables>
|
||||||
|
|
|
@ -1 +1,2 @@
|
||||||
|
#RISOTTO: do not compare
|
||||||
%%sign(%%rougail_destination_dir + %%rougail_variable, %%domain_name_eth0)
|
%%sign(%%rougail_destination_dir + %%rougail_variable, %%domain_name_eth0)
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
#RISOTTO: do not compare
|
||||||
server:
|
server:
|
||||||
interface: 127.0.0.1
|
interface: 127.0.0.1
|
||||||
%for %%interface in %%range(%%len(%%zones_list))
|
%for %%interface in %%range(%%len(%%zones_list))
|
||||||
|
|
|
@ -31,10 +31,10 @@ Application service needs interact with a Oauth2 server.
|
||||||
|
|
||||||
##### external (*general.oauth2_client.external*)
|
##### external (*general.oauth2_client.external*)
|
||||||
|
|
||||||
| Description | Type | Supplier | Values |
|
| Description | Type | Values | Supplier |
|
||||||
|------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------|-----------------|----------|
|
|------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------|--------------|-----------------|
|
||||||
| **OAuth2 client external** (*[oauth2_client_external](dictionaries/30_oauth2_client.xml)*) [+] | [web_address](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | OAuth2:external | |
|
| **OAuth2 client external** (*[oauth2_client_external](dictionaries/30_oauth2_client.xml)*) [+] | [web_address](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | <calculated> | OAuth2:external |
|
||||||
| **OAuth2 family** (*[oauth2_client_family](dictionaries/30_oauth2_client.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | OAuth2:family | users |
|
| **OAuth2 family** (*[oauth2_client_family](dictionaries/30_oauth2_client.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | users | OAuth2:family |
|
||||||
|
|
||||||
|
|
||||||
- [+]: variable is multiple
|
- [+]: variable is multiple
|
||||||
|
@ -47,9 +47,9 @@ Application service needs interact with a Oauth2 server.
|
||||||
- [peertube](../peertube/README.md)
|
- [peertube](../peertube/README.md)
|
||||||
- [piwigo](../piwigo/README.md)
|
- [piwigo](../piwigo/README.md)
|
||||||
- [dovecot](../dovecot/README.md)
|
- [dovecot](../dovecot/README.md)
|
||||||
|
- [forgejo](../forgejo/README.md)
|
||||||
- [roundcube](../roundcube/README.md)
|
- [roundcube](../roundcube/README.md)
|
||||||
- [nextcloud](../nextcloud/README.md)
|
- [nextcloud](../nextcloud/README.md)
|
||||||
- [gitea](../gitea/README.md)
|
|
||||||
|
|
||||||
## Linked to
|
## Linked to
|
||||||
|
|
||||||
|
|
|
@ -14,7 +14,7 @@
|
||||||
</services>
|
</services>
|
||||||
<variables>
|
<variables>
|
||||||
<family name="odoo" description="Odoo">
|
<family name="odoo" description="Odoo">
|
||||||
<variable name="odoo_admin_password" description="Mot de passe de l'administrateur" hidden="True"/>
|
<variable name="odoo_admin_password" type="password" description="Mot de passe de l'administrateur" hidden="True"/>
|
||||||
<variable name="odoo_admin_email" type="mail" description="Adresse courriel de l'administrateur" mandatory="True"/>
|
<variable name="odoo_admin_email" type="mail" description="Adresse courriel de l'administrateur" mandatory="True"/>
|
||||||
<variable name="odoo_company_name" description="Nom" mandatory="True"/>
|
<variable name="odoo_company_name" description="Nom" mandatory="True"/>
|
||||||
<variable name="odoo_company_street" description="Adresse" mandatory="True"/>
|
<variable name="odoo_company_street" description="Adresse" mandatory="True"/>
|
||||||
|
|
|
@ -16,7 +16,7 @@ OpenLDAP, a LDAP server.
|
||||||
## Dependances
|
## Dependances
|
||||||
|
|
||||||
- [ldap-client](../ldap-client/README.md)
|
- [ldap-client](../ldap-client/README.md)
|
||||||
- [base-fedora-36](../base-fedora-36/README.md)
|
- [base-fedora-37](../base-fedora-37/README.md)
|
||||||
- [base-fedora](../base-fedora/README.md)
|
- [base-fedora](../base-fedora/README.md)
|
||||||
- [systemd](../systemd/README.md)
|
- [systemd](../systemd/README.md)
|
||||||
- [base-machine](../base-machine/README.md)
|
- [base-machine](../base-machine/README.md)
|
||||||
|
@ -60,12 +60,12 @@ OpenLDAP, a LDAP server.
|
||||||
|
|
||||||
##### client (*general.annuaire.client*)
|
##### client (*general.annuaire.client*)
|
||||||
|
|
||||||
| Description |
|
| Description | Values |
|
||||||
|-------------------------------------------------------------------------------------------------------|
|
|-------------------------------------------------------------------------------------------------------|--------------|
|
||||||
| *[ldapclient_user](dictionaries/21_openldap-server.xml)* |
|
| *[ldapclient_user](dictionaries/21_openldap-server.xml)* | <calculated> |
|
||||||
| **Base DN** (*[ldapclient_base_dn](dictionaries/21_openldap-server.xml)*) |
|
| **Base DN** (*[ldapclient_base_dn](dictionaries/21_openldap-server.xml)*) | |
|
||||||
| **Base DN de l'annuaire des utilisateurs** (*[ldap_account_dn](dictionaries/21_openldap-server.xml)*) |
|
| **Base DN de l'annuaire des utilisateurs** (*[ldap_account_dn](dictionaries/21_openldap-server.xml)*) | <calculated> |
|
||||||
| *[ldapclient_search_dn](dictionaries/21_openldap-server.xml)* |
|
| *[ldapclient_search_dn](dictionaries/21_openldap-server.xml)* | <calculated> |
|
||||||
|
|
||||||
### Machine (*machine*)
|
### Machine (*machine*)
|
||||||
|
|
||||||
|
|
|
@ -3,4 +3,4 @@ description: OpenLDAP, a LDAP server
|
||||||
website: https://www.openldap.org/
|
website: https://www.openldap.org/
|
||||||
depends:
|
depends:
|
||||||
- ldap-client
|
- ldap-client
|
||||||
- base-fedora-36
|
- base-fedora-37
|
||||||
|
|
|
@ -3,18 +3,17 @@
|
||||||
<services>
|
<services>
|
||||||
<service name="slapd" target="multi-user">
|
<service name="slapd" target="multi-user">
|
||||||
<override/>
|
<override/>
|
||||||
<file source='default.slapd'>/etc/default/slapd</file>
|
|
||||||
<file>/etc/pki/tls/certs/openldap.crt</file>
|
<file>/etc/pki/tls/certs/openldap.crt</file>
|
||||||
<file owner="ldap" mode="400">/etc/pki/tls/private/openldap.key</file>
|
<file owner="ldap" mode="400">/etc/pki/tls/private/openldap.key</file>
|
||||||
<file owner="ldap">/var/lib/ldap/DB_CONFIG</file>
|
<file owner="ldap">/var/lib/ldap/DB_CONFIG</file>
|
||||||
<file>/secrets/users.ldif</file>
|
|
||||||
<file>/secrets/users_mod.ldif</file>
|
|
||||||
<file owner="ldap" mode="400">/etc/ldap/secrets/config.ldif</file>
|
<file owner="ldap" mode="400">/etc/ldap/secrets/config.ldif</file>
|
||||||
<file owner="ldap" mode="400">/etc/ldap/secrets/config_acl.ldif</file>
|
<file owner="ldap" mode="400">/etc/ldap/secrets/users.ldif</file>
|
||||||
<file>/secrets/admin_ldap.pwd</file>
|
<file>/secrets/users_mod.ldif</file>
|
||||||
|
<file>/secrets/config_acl.ldif</file>
|
||||||
|
<file mode="400">/secrets/admin_ldap.pwd</file>
|
||||||
<file engine="none">/sysusers.d/risotto-openldap.conf</file>
|
<file engine="none">/sysusers.d/risotto-openldap.conf</file>
|
||||||
<file source="tmpfile-openldap-server.conf">/tmpfiles.d/0openldap-server.conf</file>
|
<file source="tmpfile-openldap-server.conf">/tmpfiles.d/0openldap-server.conf</file>
|
||||||
<file>/tests/openldap.yml</file>
|
<file filelist="copy_tests">/tests/openldap.yml</file>
|
||||||
</service>
|
</service>
|
||||||
</services>
|
</services>
|
||||||
|
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
<family name="remote_" description="Compte LDAP pour " dynamic="accounts.remotes">
|
<family name="remote_" description="Compte LDAP pour " dynamic="accounts.remotes">
|
||||||
<variable name="family_" description="Nom de la familly de " hidden="True" provider="LDAP:family"/>
|
<variable name="family_" description="Nom de la familly de " hidden="True" provider="LDAP:family"/>
|
||||||
<variable name="dn_" description="LDAP DN de " hidden="True" provider="LDAP:dn"/>
|
<variable name="dn_" description="LDAP DN de " hidden="True" provider="LDAP:dn"/>
|
||||||
<variable name="password_" description="Mot de passe de " hidden="True" provider="LDAP:password"/>
|
<variable name="password_" type ="password" description="Mot de passe de " hidden="True" provider="LDAP:password"/>
|
||||||
<variable name="base_dn_" description="LDAP base DN de " hidden="True" provider="LDAP:base_dn"/>
|
<variable name="base_dn_" description="LDAP base DN de " hidden="True" provider="LDAP:base_dn"/>
|
||||||
</family>
|
</family>
|
||||||
<family name="users" description="Gestion des utilisateurs" leadership="True">
|
<family name="users" description="Gestion des utilisateurs" leadership="True">
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
#RISOTTO: do not compare
|
||||||
# $OpenLDAP$
|
# $OpenLDAP$
|
||||||
# Example DB_CONFIG file for use with slapd(8) BDB/HDB databases.
|
# Example DB_CONFIG file for use with slapd(8) BDB/HDB databases.
|
||||||
#
|
#
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
#RISOTTO: do not compare
|
||||||
dn: cn=config
|
dn: cn=config
|
||||||
objectClass: olcGlobal
|
objectClass: olcGlobal
|
||||||
#olcLogLevel: %%ldap_loglevel
|
#olcLogLevel: %%ldap_loglevel
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
#RISOTTO: do not compare
|
||||||
%set %%name_family = 'gnunux'
|
%set %%name_family = 'gnunux'
|
||||||
%set %%dns = {}
|
%set %%dns = {}
|
||||||
%set %%groups = []
|
%set %%groups = []
|
||||||
|
|
|
@ -47,3 +47,8 @@ groups:
|
||||||
- cn=%%user,%%families
|
- cn=%%user,%%families
|
||||||
%end for
|
%end for
|
||||||
%end for
|
%end for
|
||||||
|
%if 'gnunux' not in %%accounts.families
|
||||||
|
%set %%families = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, 'gnunux')
|
||||||
|
gnunux:
|
||||||
|
- cn=rougail_test@gnunux.info,%%families
|
||||||
|
%end if
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
%set %%add_test = True
|
||||||
%set %%username="rougail_test@silique.fr"
|
%set %%username="rougail_test@silique.fr"
|
||||||
%set %%username_family="rougail_test@gnunux.info"
|
%set %%username_family="rougail_test@gnunux.info"
|
||||||
%set %%name_family="gnunux"
|
%set %%name_family="gnunux"
|
||||||
|
@ -64,41 +65,23 @@ ou: families
|
||||||
objectClass: top
|
objectClass: top
|
||||||
objectClass: organizationalUnit
|
objectClass: organizationalUnit
|
||||||
|
|
||||||
%for %%family in %%accounts.families
|
%def add_family(%%family, %%families)
|
||||||
%set %%families = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=%%family)
|
|
||||||
dn: %%families
|
dn: %%families
|
||||||
ou: %%family
|
ou: %%family
|
||||||
objectClass: top
|
objectClass: top
|
||||||
objectClass: organizationalUnit
|
objectClass: organizationalUnit
|
||||||
|
%end def
|
||||||
|
%if %%add_test and 'gnunux' not in %%accounts.families
|
||||||
|
%set %%families = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name='gnunux')
|
||||||
|
%%add_family('gnunux', %%families)
|
||||||
|
%end if
|
||||||
|
%for %%family in %%accounts.families
|
||||||
|
%set %%families = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=%%family)
|
||||||
|
%%add_family(%%family, %%families)
|
||||||
%for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
|
%for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
|
||||||
%set %%userdn = "cn=" + %%user + "," + %%families
|
%set %%userdn = "cn=" + %%user + "," + %%families
|
||||||
%%groups.setdefault(%%family, []).append(%%userdn)%slurp
|
%%groups.setdefault(%%family, []).append(%%userdn)%slurp
|
||||||
%%acc.append((%%userdn, %%user, %%user['ldap_user_password_' + %%family], %%user['ldap_user_sn_' + %%family], %%user['ldap_user_gn_' + %%family], %%user['ldap_user_uid_' + %%family], %%user['ldap_user_aliases_' + %%family], %%family))%slurp
|
%%acc.append((%%userdn, %%user, %%user['ldap_user_password_' + %%family], %%user['ldap_user_sn_' + %%family], %%user['ldap_user_gn_' + %%family], %%user['ldap_user_uid_' + %%family], %%user['ldap_user_aliases_' + %%family], %%family))%slurp
|
||||||
#pouet
|
|
||||||
#dn: %%userdn
|
|
||||||
#cn: %%user
|
|
||||||
#mail: %%user
|
|
||||||
#sn:
|
|
||||||
#givenName:
|
|
||||||
#uid:
|
|
||||||
#userPassword:: %%ssha_encode()
|
|
||||||
#homeDirectory: /srv/home/families/%%family/%%user
|
|
||||||
#mailLocalAddress: %%user
|
|
||||||
# %if %%user['ldap_user_aliases_' + %%family]
|
|
||||||
# %for %%alias in
|
|
||||||
#mailLocalAddress: %%alias
|
|
||||||
# %end for
|
|
||||||
# %end if
|
|
||||||
#uidNumber: 0
|
|
||||||
#gidNumber: 0
|
|
||||||
#objectClass: top
|
|
||||||
#objectClass: inetOrgPerson
|
|
||||||
#objectClass: posixAccount
|
|
||||||
#objectClass: inetLocalMailRecipient
|
|
||||||
#
|
|
||||||
# %end for
|
|
||||||
#%end for
|
|
||||||
%end for
|
%end for
|
||||||
%end for
|
%end for
|
||||||
%for %%userdn, %%user, %%password, %%sn, %%gn, %%uid, %%aliases, %%family in %%acc
|
%for %%userdn, %%user, %%password, %%sn, %%gn, %%uid, %%aliases, %%family in %%acc
|
||||||
|
|
|
@ -79,7 +79,10 @@ def test_ldap_migration():
|
||||||
if 'FIRST_RUN' in environ:
|
if 'FIRST_RUN' in environ:
|
||||||
l.simple_bind_s(data['admin_dn'], data['admin_password'])
|
l.simple_bind_s(data['admin_dn'], data['admin_password'])
|
||||||
l.passwd_s(data['user_family_dn'], data['user_family_password'], data['user_family_password'] + "2")
|
l.passwd_s(data['user_family_dn'], data['user_family_password'], data['user_family_password'] + "2")
|
||||||
|
try:
|
||||||
l.simple_bind_s(data['user_family_dn'], data['user_family_password'] + "2")
|
l.simple_bind_s(data['user_family_dn'], data['user_family_password'] + "2")
|
||||||
|
except INVALID_CREDENTIALS as err:
|
||||||
|
raise Exception(f'cannot find {data["user_family_dn"]} do you run script with FIRST_RUN env variables?')
|
||||||
|
|
||||||
|
|
||||||
def test_ldap_remote_auth():
|
def test_ldap_remote_auth():
|
||||||
|
|
|
@ -61,9 +61,9 @@ Peertube, a federated (ActivityPub) video streaming platform.
|
||||||
|
|
||||||
##### external (*general.oauth2_client.external*)
|
##### external (*general.oauth2_client.external*)
|
||||||
|
|
||||||
| Description |
|
| Description | Values |
|
||||||
|----------------------------------------------------------|
|
|----------------------------------------------------------|--------------|
|
||||||
| *[oauth2_client_external](dictionaries/30_peertube.xml)* |
|
| *[oauth2_client_external](dictionaries/30_peertube.xml)* | <calculated> |
|
||||||
|
|
||||||
#### nginx (*general.nginx*)
|
#### nginx (*general.nginx*)
|
||||||
|
|
||||||
|
|
|
@ -42,7 +42,7 @@
|
||||||
</family>
|
</family>
|
||||||
<family name="postfix" description="Postfix mail server">
|
<family name="postfix" description="Postfix mail server">
|
||||||
<variable name="postfix_mail_hostname" type="domainname" description="Nom de domaine extérieur du serveur de courriel" mandatory="True"/>
|
<variable name="postfix_mail_hostname" type="domainname" description="Nom de domaine extérieur du serveur de courriel" mandatory="True"/>
|
||||||
<variable name="postfix_relay_domains" type="domainname" description="Domaine de courriel généré localement" multi="True" mandatory="True" hidden="True"/>
|
<variable name="postfix_relay_domains" type="domainname" description="Local LTMP domain" multi="True" hidden="True"/>
|
||||||
<variable name='postfix_relay_authentifications' description="Authentification sur le relai SMTP" multi="True" provider="SMTP"/>
|
<variable name='postfix_relay_authentifications' description="Authentification sur le relai SMTP" multi="True" provider="SMTP"/>
|
||||||
<family name="local_authentification_" description="Local server authentification" dynamic='postfix_relay_authentifications'>
|
<family name="local_authentification_" description="Local server authentification" dynamic='postfix_relay_authentifications'>
|
||||||
<variable name="local_authentification_password_" type="secret" auto_save="False" provider="SMTP:password"/>
|
<variable name="local_authentification_password_" type="secret" auto_save="False" provider="SMTP:password"/>
|
||||||
|
|
|
@ -18,11 +18,11 @@ Application service needs interact with a Postgresql server.
|
||||||
- [odoo](../odoo/README.md)
|
- [odoo](../odoo/README.md)
|
||||||
- [mailman](../mailman/README.md)
|
- [mailman](../mailman/README.md)
|
||||||
- [peertube](../peertube/README.md)
|
- [peertube](../peertube/README.md)
|
||||||
|
- [forgejo](../forgejo/README.md)
|
||||||
- [dotclear](../dotclear/README.md)
|
- [dotclear](../dotclear/README.md)
|
||||||
- [roundcube](../roundcube/README.md)
|
- [roundcube](../roundcube/README.md)
|
||||||
- [vaultwarden](../vaultwarden/README.md)
|
- [vaultwarden](../vaultwarden/README.md)
|
||||||
- [nextcloud](../nextcloud/README.md)
|
- [nextcloud](../nextcloud/README.md)
|
||||||
- [gitea](../gitea/README.md)
|
|
||||||
|
|
||||||
## Linked to
|
## Linked to
|
||||||
|
|
||||||
|
|
|
@ -12,9 +12,9 @@
|
||||||
<variables>
|
<variables>
|
||||||
<family name="postgresql" description="PostgreSQL">
|
<family name="postgresql" description="PostgreSQL">
|
||||||
<variable name="pg_client_server_domainname" type="domainname" description="Nom de domaine du serveur PostgreSQL" mandatory="True" supplier="Postgresql" hidden="True"/>
|
<variable name="pg_client_server_domainname" type="domainname" description="Nom de domaine du serveur PostgreSQL" mandatory="True" supplier="Postgresql" hidden="True"/>
|
||||||
<variable name="pg_client_username" description="Client username" mandatory="True" hidden="True"/>
|
<variable name="pg_client_username" description="Client username" mandatory="True" hidden="True" supplier="Postgresql:username"/>
|
||||||
<variable name="pg_client_password" type="password" description="Client password" mandatory="True" hidden="True" supplier="Postgresql:password"/>
|
<variable name="pg_client_password" type="password" description="Client password" mandatory="True" hidden="True" supplier="Postgresql:password"/>
|
||||||
<variable name="pg_client_database" description="Client database" mandatory="True" hidden="True"/>
|
<variable name="pg_client_database" description="Client database" mandatory="True" hidden="True" supplier="Postgresql:database"/>
|
||||||
<variable name="pg_client_key_owner" type="unix_user" description="Key owner" mandatory="True" hidden="True">
|
<variable name="pg_client_key_owner" type="unix_user" description="Key owner" mandatory="True" hidden="True">
|
||||||
<value>apache</value>
|
<value>apache</value>
|
||||||
</variable>
|
</variable>
|
||||||
|
|
|
@ -15,7 +15,7 @@ Postgresql, a database.
|
||||||
|
|
||||||
## Dependances
|
## Dependances
|
||||||
|
|
||||||
- [base-fedora-36](../base-fedora-36/README.md)
|
- [base-fedora-37](../base-fedora-37/README.md)
|
||||||
- [base-fedora](../base-fedora/README.md)
|
- [base-fedora](../base-fedora/README.md)
|
||||||
- [systemd](../systemd/README.md)
|
- [systemd](../systemd/README.md)
|
||||||
- [base-machine](../base-machine/README.md)
|
- [base-machine](../base-machine/README.md)
|
||||||
|
@ -59,9 +59,9 @@ Paramétrage du serveur de gestion de bases de données PostgreSQL
|
||||||
|
|
||||||
This a dynamic family generated from the variable "accounts.remotes".
|
This a dynamic family generated from the variable "accounts.remotes".
|
||||||
|
|
||||||
| Description | Type |
|
| Description | Type | Values |
|
||||||
|-----------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------|
|
|------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------|--------------|
|
||||||
| **Remote IP** (*[remote_ip_](extras/accounts/00_accounts.xml)*) | [ip](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) |
|
| **Remote IP ** (*[remote_ip_](extras/accounts/00_accounts.xml)*) | [ip](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | <calculated> |
|
||||||
|
|
||||||
|
|
||||||
- [+]: variable is multiple
|
- [+]: variable is multiple
|
||||||
|
|
|
@ -2,4 +2,4 @@ format: '0.1'
|
||||||
description: Postgresql, a database
|
description: Postgresql, a database
|
||||||
website: https://www.postgresql.org
|
website: https://www.postgresql.org
|
||||||
depends:
|
depends:
|
||||||
- base-fedora-36
|
- base-fedora-37
|
||||||
|
|
|
@ -14,7 +14,7 @@
|
||||||
<file>/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt</file>
|
<file>/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt</file>
|
||||||
<file>/etc/pki/tls/certs/postgresql.crt</file>
|
<file>/etc/pki/tls/certs/postgresql.crt</file>
|
||||||
<file owner="root" group="postgres" mode="440">/etc/pki/tls/private/postgresql.key</file>
|
<file owner="root" group="postgres" mode="440">/etc/pki/tls/private/postgresql.key</file>
|
||||||
<file>/tests/postgresql.yml</file>
|
<file filelist="copy_tests">/tests/postgresql.yml</file>
|
||||||
</service>
|
</service>
|
||||||
</services>
|
</services>
|
||||||
<variables>
|
<variables>
|
||||||
|
|
|
@ -3,8 +3,10 @@
|
||||||
<variables>
|
<variables>
|
||||||
<variable name="remotes" description="Remote clients needing an account" type="domainname" multi="True" provider="Postgresql"/>
|
<variable name="remotes" description="Remote clients needing an account" type="domainname" multi="True" provider="Postgresql"/>
|
||||||
<family name="remote_" description="Account for " dynamic="accounts.remotes">
|
<family name="remote_" description="Account for " dynamic="accounts.remotes">
|
||||||
<variable name="remote_ip_" description="Remote IP" type="ip" mandatory="True"/>
|
<variable name="remote_ip_" description="Remote IP " type="ip" mandatory="True"/>
|
||||||
<variable name="password_" description="Remote password" auto_save="False" hidden="True" type="password" mandatory="True" provider="Postgresql:password"/>
|
<variable name="database_" description="Remote database " auto_save="False" hidden="True" mandatory="True" provider="Postgresql:database"/>
|
||||||
|
<variable name="username_" description="Remote username " auto_save="False" hidden="True" type="unix_user" mandatory="True" provider="Postgresql:username"/>
|
||||||
|
<variable name="password_" description="Remote password " auto_save="False" hidden="True" type="password" mandatory="True" provider="Postgresql:password"/>
|
||||||
</family>
|
</family>
|
||||||
</variables>
|
</variables>
|
||||||
<constraints>
|
<constraints>
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
#RISOTTO: file://usr/share/pgsql/pg_hba.conf.sample
|
||||||
# PostgreSQL Client Authentication Configuration File
|
# PostgreSQL Client Authentication Configuration File
|
||||||
# ===================================================
|
# ===================================================
|
||||||
#
|
#
|
||||||
|
@ -18,12 +19,13 @@
|
||||||
#
|
#
|
||||||
# (The uppercase items must be replaced by actual values.)
|
# (The uppercase items must be replaced by actual values.)
|
||||||
#
|
#
|
||||||
# The first field is the connection type: "local" is a Unix-domain
|
# The first field is the connection type:
|
||||||
# socket, "host" is either a plain or SSL-encrypted TCP/IP socket,
|
# - "local" is a Unix-domain socket
|
||||||
# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a
|
# - "host" is a TCP/IP socket (encrypted or not)
|
||||||
# non-SSL TCP/IP socket. Similarly, "hostgssenc" uses a
|
# - "hostssl" is a TCP/IP socket that is SSL-encrypted
|
||||||
# GSSAPI-encrypted TCP/IP socket, while "hostnogssenc" uses a
|
# - "hostnossl" is a TCP/IP socket that is not SSL-encrypted
|
||||||
# non-GSSAPI socket.
|
# - "hostgssenc" is a TCP/IP socket that is GSSAPI-encrypted
|
||||||
|
# - "hostnogssenc" is a TCP/IP socket that is not GSSAPI-encrypted
|
||||||
#
|
#
|
||||||
# DATABASE can be "all", "sameuser", "samerole", "replication", a
|
# DATABASE can be "all", "sameuser", "samerole", "replication", a
|
||||||
# database name, or a comma-separated list thereof. The "all"
|
# database name, or a comma-separated list thereof. The "all"
|
||||||
|
@ -76,29 +78,32 @@
|
||||||
# listen on a non-local interface via the listen_addresses
|
# listen on a non-local interface via the listen_addresses
|
||||||
# configuration parameter, or via the -i or -h command line switches.
|
# configuration parameter, or via the -i or -h command line switches.
|
||||||
|
|
||||||
|
#GNUNUX @authcomment@
|
||||||
|
|
||||||
# TYPE DATABASE USER ADDRESS METHOD
|
# TYPE DATABASE USER ADDRESS METHOD
|
||||||
|
|
||||||
# "local" is for Unix domain socket connections only
|
|
||||||
#GNUNUX local all all peer
|
|
||||||
#>GNUNUX
|
#>GNUNUX
|
||||||
|
#@remove-line-for-nolocal@# "local" is for Unix domain socket connections only
|
||||||
|
#@remove-line-for-nolocal@local all all @authmethodlocal@
|
||||||
local all postgres ident map=pg_map
|
local all postgres ident map=pg_map
|
||||||
#<GNUNUX
|
#<GNUNUX
|
||||||
# IPv4 local connections:
|
# IPv4 local connections:
|
||||||
#>GNUNUX
|
#>GNUNUX
|
||||||
# host all all 127.0.0.1/32 ident
|
#host all all 127.0.0.1/32 @authmethodhost@
|
||||||
hostssl rougail_test rougail_test %%gateway_eth0/32 md5
|
hostssl rougail_test rougail_test %%gateway_eth0/32 md5
|
||||||
%for %%server in %%accounts.remotes
|
%for %%server in %%accounts.remotes
|
||||||
hostssl %%normalize_family(%%server) %%normalize_family(%%server) %%server md5
|
%set %%name = %%normalize_family(%%server)
|
||||||
|
%set %%database = %%accounts["remote_" + %%name]["database_" + %%name]
|
||||||
|
%set %%username = %%accounts["remote_" + %%name]["username_" + %%name]
|
||||||
|
hostssl %%database %%username %%server md5
|
||||||
%end for
|
%end for
|
||||||
#<GNUNUX
|
#<GNUNUX
|
||||||
# IPv6 local connections:
|
# IPv6 local connections:
|
||||||
#host all all ::1/128 ident
|
#GNUNUX host all all ::1/128 @authmethodhost@
|
||||||
# Allow replication connections from localhost, by a user with the
|
# Allow replication connections from localhost, by a user with the
|
||||||
# replication privilege.
|
# replication privilege.
|
||||||
#>GNUNUX
|
#>GNUNUX
|
||||||
#local replication all peer
|
#@remove-line-for-nolocal@local replication all @authmethodlocal@
|
||||||
#host replication all 127.0.0.1/32 ident
|
#host replication all 127.0.0.1/32 @authmethodhost@
|
||||||
#host replication all ::1/128 ident
|
#host replication all ::1/128 @authmethodhost@
|
||||||
#<GNUNUX
|
#<GNUNUX
|
||||||
|
|
|
@ -1,12 +1,14 @@
|
||||||
|
#RISOTTO: file://usr/share/pgsql/pg_ident.conf.sample
|
||||||
# PostgreSQL User Name Maps
|
# PostgreSQL User Name Maps
|
||||||
# =========================
|
# =========================
|
||||||
#
|
#
|
||||||
# Refer to the PostgreSQL Administrator's Guide, chapter "Client
|
# Refer to the PostgreSQL documentation, chapter "Client
|
||||||
# Authentication" for a complete description. A short synopsis follows.
|
# Authentication" for a complete description. A short synopsis
|
||||||
|
# follows.
|
||||||
#
|
#
|
||||||
# This file controls PostgreSQL username mapping. It maps
|
# This file controls PostgreSQL user name mapping. It maps external
|
||||||
# external user names to their corresponding
|
# user names to their corresponding PostgreSQL user names. Records
|
||||||
# PostgreSQL user names. Records are of the form:
|
# are of the form:
|
||||||
#
|
#
|
||||||
# MAPNAME SYSTEM-USERNAME PG-USERNAME
|
# MAPNAME SYSTEM-USERNAME PG-USERNAME
|
||||||
#
|
#
|
||||||
|
@ -18,24 +20,27 @@
|
||||||
# existence of a record specifies that SYSTEM-USERNAME may connect as
|
# existence of a record specifies that SYSTEM-USERNAME may connect as
|
||||||
# PG-USERNAME.
|
# PG-USERNAME.
|
||||||
#
|
#
|
||||||
# If SYSTEM-USERNAME starts with a slash (/), it will be treated as
|
# If SYSTEM-USERNAME starts with a slash (/), it will be treated as a
|
||||||
# a regular expression. Optionally this can contain a capture (a
|
# regular expression. Optionally this can contain a capture (a
|
||||||
# parenthesized subexpression). The substring matching the capture
|
# parenthesized subexpression). The substring matching the capture
|
||||||
# will be substituted for \1 (backslash-one) if present in PG-USERNAME.
|
# will be substituted for \1 (backslash-one) if present in
|
||||||
|
# PG-USERNAME.
|
||||||
#
|
#
|
||||||
# Multiple maps may be specified in this file and used by pg_hba.conf.
|
# Multiple maps may be specified in this file and used by pg_hba.conf.
|
||||||
#
|
#
|
||||||
# No map names are defined in the default configuration. If all system
|
# No map names are defined in the default configuration. If all
|
||||||
# user names and PostgreSQL user names are the same, you don't need
|
# system user names and PostgreSQL user names are the same, you don't
|
||||||
# anything in this file.
|
# need anything in this file.
|
||||||
#
|
#
|
||||||
# This file is read on server startup and when the postmaster receives
|
# This file is read on server startup and when the postmaster receives
|
||||||
# a SIGHUP signal. If you edit the file on a running system, you have
|
# a SIGHUP signal. If you edit the file on a running system, you have
|
||||||
# to SIGHUP the postmaster for the changes to take effect. You can use
|
# to SIGHUP the postmaster for the changes to take effect. You can
|
||||||
# "pg_ctl reload" to do that.
|
# use "pg_ctl reload" to do that.
|
||||||
|
|
||||||
# Put your actual configuration here
|
# Put your actual configuration here
|
||||||
# ----------------------------------
|
# ----------------------------------
|
||||||
|
|
||||||
# MAPNAME SYSTEM-USERNAME PG-USERNAME
|
# MAPNAME SYSTEM-USERNAME PG-USERNAME
|
||||||
|
#>GNUNUX
|
||||||
pg_map postgres postgres
|
pg_map postgres postgres
|
||||||
|
#<GNUNUX
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
#RISOTTO: file://usr/share/pgsql/postgresql.conf.sample
|
||||||
%compiler-settings
|
%compiler-settings
|
||||||
cheetahVarStartToken = §§
|
cheetahVarStartToken = §§
|
||||||
directiveStartToken = §
|
directiveStartToken = §
|
||||||
|
@ -77,16 +78,16 @@ ident_file = '/etc/postgresql/pg_ident.conf'
|
||||||
listen_addresses = '*'
|
listen_addresses = '*'
|
||||||
#<GNUNUX
|
#<GNUNUX
|
||||||
#port = 5432 # (change requires restart)
|
#port = 5432 # (change requires restart)
|
||||||
#>GNUNUX
|
|
||||||
#max_connections = 100 # (change requires restart)
|
#max_connections = 100 # (change requires restart)
|
||||||
|
#>GNUNUX
|
||||||
max_connections = §§pg_max_connections
|
max_connections = §§pg_max_connections
|
||||||
#<GNUNUX
|
#<GNUNUX
|
||||||
#superuser_reserved_connections = 3 # (change requires restart)
|
#superuser_reserved_connections = 3 # (change requires restart)
|
||||||
#unix_socket_directories = '/var/run/postgresql, /tmp' # comma-separated list of directories
|
#unix_socket_directories = '/tmp' # comma-separated list of directories
|
||||||
|
# (change requires restart)
|
||||||
#>GNUNUX
|
#>GNUNUX
|
||||||
unix_socket_directories = '/var/run/postgresql'
|
unix_socket_directories = '/var/run/postgresql'
|
||||||
#<GNUNUX
|
#<GNUNUX
|
||||||
# (change requires restart)
|
|
||||||
#unix_socket_group = '' # (change requires restart)
|
#unix_socket_group = '' # (change requires restart)
|
||||||
#unix_socket_permissions = 0777 # begin with 0 to use octal notation
|
#unix_socket_permissions = 0777 # begin with 0 to use octal notation
|
||||||
# (change requires restart)
|
# (change requires restart)
|
||||||
|
@ -107,6 +108,10 @@ unix_socket_directories = '/var/run/postgresql'
|
||||||
#tcp_user_timeout = 0 # TCP_USER_TIMEOUT, in milliseconds;
|
#tcp_user_timeout = 0 # TCP_USER_TIMEOUT, in milliseconds;
|
||||||
# 0 selects the system default
|
# 0 selects the system default
|
||||||
|
|
||||||
|
#client_connection_check_interval = 0 # time between checks for client
|
||||||
|
# disconnection while running queries;
|
||||||
|
# 0 for never
|
||||||
|
|
||||||
# - Authentication -
|
# - Authentication -
|
||||||
|
|
||||||
#authentication_timeout = 1min # 1s-600s
|
#authentication_timeout = 1min # 1s-600s
|
||||||
|
@ -126,7 +131,7 @@ authentication_timeout = §§{pg_authentication_timeout}s
|
||||||
#ssl_ca_file = ''
|
#ssl_ca_file = ''
|
||||||
#ssl_cert_file = 'server.crt'
|
#ssl_cert_file = 'server.crt'
|
||||||
#ssl_crl_file = ''
|
#ssl_crl_file = ''
|
||||||
##ssl_crl_dir = ''
|
#ssl_crl_dir = ''
|
||||||
#ssl_key_file = 'server.key'
|
#ssl_key_file = 'server.key'
|
||||||
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
|
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
|
||||||
#ssl_prefer_server_ciphers = on
|
#ssl_prefer_server_ciphers = on
|
||||||
|
@ -143,15 +148,18 @@ ssl_cert_file = '/etc/pki/tls/certs/postgresql.crt' # (change requires restart)
|
||||||
ssl_key_file = '/etc/pki/tls/private/postgresql.key' # (change requires restart)
|
ssl_key_file = '/etc/pki/tls/private/postgresql.key' # (change requires restart)
|
||||||
#<GNUNUX
|
#<GNUNUX
|
||||||
|
|
||||||
|
|
||||||
#------------------------------------------------------------------------------
|
#------------------------------------------------------------------------------
|
||||||
# RESOURCE USAGE (except WAL)
|
# RESOURCE USAGE (except WAL)
|
||||||
#------------------------------------------------------------------------------
|
#------------------------------------------------------------------------------
|
||||||
|
|
||||||
# - Memory -
|
# - Memory -
|
||||||
|
|
||||||
shared_buffers = 128MB # min 128kB
|
#shared_buffers = 32MB # min 128kB
|
||||||
# (change requires restart)
|
# (change requires restart)
|
||||||
|
#>GNUNUX
|
||||||
shared_buffers = §§{pg_shared_buffers}§§pg_shared_buffers_unit
|
shared_buffers = §§{pg_shared_buffers}§§pg_shared_buffers_unit
|
||||||
|
#<GNUNUX
|
||||||
#huge_pages = try # on, off, or try
|
#huge_pages = try # on, off, or try
|
||||||
# (change requires restart)
|
# (change requires restart)
|
||||||
#huge_page_size = 0 # zero for system default
|
#huge_page_size = 0 # zero for system default
|
||||||
|
@ -177,7 +185,7 @@ maintenance_work_mem = §§{pg_maintenance_work_mem}§§pg_maintenance_work_mem_
|
||||||
# sysv
|
# sysv
|
||||||
# windows
|
# windows
|
||||||
# (change requires restart)
|
# (change requires restart)
|
||||||
dynamic_shared_memory_type = posix # the default is the first option
|
#dynamic_shared_memory_type = posix # the default is the first option
|
||||||
# supported by the operating system:
|
# supported by the operating system:
|
||||||
# posix
|
# posix
|
||||||
# sysv
|
# sysv
|
||||||
|
@ -209,7 +217,7 @@ dynamic_shared_memory_type = posix # the default is the first option
|
||||||
#bgwriter_delay = 200ms # 10-10000ms between rounds
|
#bgwriter_delay = 200ms # 10-10000ms between rounds
|
||||||
#bgwriter_lru_maxpages = 100 # max buffers written/round, 0 disables
|
#bgwriter_lru_maxpages = 100 # max buffers written/round, 0 disables
|
||||||
#bgwriter_lru_multiplier = 2.0 # 0-10.0 multiplier on buffers scanned/round
|
#bgwriter_lru_multiplier = 2.0 # 0-10.0 multiplier on buffers scanned/round
|
||||||
#bgwriter_flush_after = 512kB # measured in pages, 0 disables
|
#bgwriter_flush_after = 0 # measured in pages, 0 disables
|
||||||
|
|
||||||
# - Asynchronous Behavior -
|
# - Asynchronous Behavior -
|
||||||
|
|
||||||
|
@ -219,9 +227,9 @@ dynamic_shared_memory_type = posix # the default is the first option
|
||||||
#max_worker_processes = 8 # (change requires restart)
|
#max_worker_processes = 8 # (change requires restart)
|
||||||
#max_parallel_workers_per_gather = 2 # taken from max_parallel_workers
|
#max_parallel_workers_per_gather = 2 # taken from max_parallel_workers
|
||||||
#max_parallel_maintenance_workers = 2 # taken from max_parallel_workers
|
#max_parallel_maintenance_workers = 2 # taken from max_parallel_workers
|
||||||
#parallel_leader_participation = on
|
|
||||||
#max_parallel_workers = 8 # maximum number of max_worker_processes that
|
#max_parallel_workers = 8 # maximum number of max_worker_processes that
|
||||||
# can be used in parallel operations
|
# can be used in parallel operations
|
||||||
|
#parallel_leader_participation = on
|
||||||
#old_snapshot_threshold = -1 # 1min-60d; -1 disables; 0 is immediate
|
#old_snapshot_threshold = -1 # 1min-60d; -1 disables; 0 is immediate
|
||||||
# (change requires restart)
|
# (change requires restart)
|
||||||
|
|
||||||
|
@ -268,13 +276,14 @@ wal_buffers = §§pg_wal_buffers
|
||||||
|
|
||||||
#checkpoint_timeout = 5min # range 30s-1d
|
#checkpoint_timeout = 5min # range 30s-1d
|
||||||
#checkpoint_completion_target = 0.9 # checkpoint target duration, 0.0 - 1.0
|
#checkpoint_completion_target = 0.9 # checkpoint target duration, 0.0 - 1.0
|
||||||
#checkpoint_flush_after = 256kB # measured in pages, 0 disables
|
#checkpoint_flush_after = 0 # measured in pages, 0 disables
|
||||||
#checkpoint_warning = 30s # 0 disables
|
#checkpoint_warning = 30s # 0 disables
|
||||||
#>GNUNUX
|
|
||||||
#max_wal_size = 1GB
|
#max_wal_size = 1GB
|
||||||
|
#min_wal_size = 80MB
|
||||||
|
#>GNUNUX
|
||||||
max_wal_size = §§{pg_max_wal_size}§§pg_max_wal_size_unit
|
max_wal_size = §§{pg_max_wal_size}§§pg_max_wal_size_unit
|
||||||
#<GNUNUX
|
|
||||||
min_wal_size = 80MB
|
min_wal_size = 80MB
|
||||||
|
#<GNUNUX
|
||||||
|
|
||||||
# - Archiving -
|
# - Archiving -
|
||||||
|
|
||||||
|
@ -422,8 +431,8 @@ min_wal_size = 80MB
|
||||||
#cpu_tuple_cost = 0.01 # same scale as above
|
#cpu_tuple_cost = 0.01 # same scale as above
|
||||||
#cpu_index_tuple_cost = 0.005 # same scale as above
|
#cpu_index_tuple_cost = 0.005 # same scale as above
|
||||||
#cpu_operator_cost = 0.0025 # same scale as above
|
#cpu_operator_cost = 0.0025 # same scale as above
|
||||||
#parallel_tuple_cost = 0.1 # same scale as above
|
|
||||||
#parallel_setup_cost = 1000.0 # same scale as above
|
#parallel_setup_cost = 1000.0 # same scale as above
|
||||||
|
#parallel_tuple_cost = 0.1 # same scale as above
|
||||||
#min_parallel_table_scan_size = 8MB
|
#min_parallel_table_scan_size = 8MB
|
||||||
#min_parallel_index_scan_size = 512kB
|
#min_parallel_index_scan_size = 512kB
|
||||||
#effective_cache_size = 4GB
|
#effective_cache_size = 4GB
|
||||||
|
@ -440,7 +449,6 @@ effective_cache_size = §§{pg_effective_cache_size}§§pg_effective_cache_size_
|
||||||
# query is more expensive than this;
|
# query is more expensive than this;
|
||||||
# -1 disables
|
# -1 disables
|
||||||
|
|
||||||
|
|
||||||
# - Genetic Query Optimizer -
|
# - Genetic Query Optimizer -
|
||||||
|
|
||||||
#geqo = on
|
#geqo = on
|
||||||
|
@ -474,6 +482,7 @@ effective_cache_size = §§{pg_effective_cache_size}§§pg_effective_cache_size_
|
||||||
# stderr, csvlog, syslog, and eventlog,
|
# stderr, csvlog, syslog, and eventlog,
|
||||||
# depending on platform. csvlog
|
# depending on platform. csvlog
|
||||||
# requires logging_collector to be on.
|
# requires logging_collector to be on.
|
||||||
|
|
||||||
# This is used when logging to stderr:
|
# This is used when logging to stderr:
|
||||||
#GNUNUX: logging_collector = on # Enable capturing of stderr and csvlog
|
#GNUNUX: logging_collector = on # Enable capturing of stderr and csvlog
|
||||||
# into log files. Required to be on for
|
# into log files. Required to be on for
|
||||||
|
@ -487,6 +496,11 @@ effective_cache_size = §§{pg_effective_cache_size}§§pg_effective_cache_size_
|
||||||
# can include strftime() escapes
|
# can include strftime() escapes
|
||||||
#log_file_mode = 0600 # creation mode for log files,
|
#log_file_mode = 0600 # creation mode for log files,
|
||||||
# begin with 0 to use octal notation
|
# begin with 0 to use octal notation
|
||||||
|
#GNUNUX: log_rotation_age = 1d # Automatic rotation of logfiles will
|
||||||
|
# happen after that time. 0 disables.
|
||||||
|
#GNUNUX: log_rotation_size = 0 # Automatic rotation of logfiles will
|
||||||
|
# happen after that much log output.
|
||||||
|
# 0 disables.
|
||||||
#GNUNUX: log_truncate_on_rotation = on # If on, an existing log file with the
|
#GNUNUX: log_truncate_on_rotation = on # If on, an existing log file with the
|
||||||
# same name as the new log file will be
|
# same name as the new log file will be
|
||||||
# truncated rather than appended to.
|
# truncated rather than appended to.
|
||||||
|
@ -495,11 +509,6 @@ effective_cache_size = §§{pg_effective_cache_size}§§pg_effective_cache_size_
|
||||||
# or size-driven rotation. Default is
|
# or size-driven rotation. Default is
|
||||||
# off, meaning append to existing files
|
# off, meaning append to existing files
|
||||||
# in all cases.
|
# in all cases.
|
||||||
#GNUNUX: log_rotation_age = 1d # Automatic rotation of logfiles will
|
|
||||||
# happen after that time. 0 disables.
|
|
||||||
#GNUNUX: log_rotation_size = 0 # Automatic rotation of logfiles will
|
|
||||||
# happen after that much log output.
|
|
||||||
# 0 disables.
|
|
||||||
#>GNUNUX
|
#>GNUNUX
|
||||||
log_destination = 'syslog'
|
log_destination = 'syslog'
|
||||||
#<GNUNUX
|
#<GNUNUX
|
||||||
|
@ -620,7 +629,10 @@ log_destination = 'syslog'
|
||||||
# than the specified size in kilobytes;
|
# than the specified size in kilobytes;
|
||||||
# -1 disables, 0 logs all temp files
|
# -1 disables, 0 logs all temp files
|
||||||
#FIXME en dure ?
|
#FIXME en dure ?
|
||||||
|
#>GNUNUX
|
||||||
|
#log_timezone = 'GMT'
|
||||||
log_timezone = 'Europe/Paris'
|
log_timezone = 'Europe/Paris'
|
||||||
|
#<GNUNUX
|
||||||
|
|
||||||
|
|
||||||
#------------------------------------------------------------------------------
|
#------------------------------------------------------------------------------
|
||||||
|
@ -741,10 +753,16 @@ autovacuum = off
|
||||||
|
|
||||||
# - Locale and Formatting -
|
# - Locale and Formatting -
|
||||||
|
|
||||||
|
#datestyle = 'iso, mdy'
|
||||||
|
#>GNUNUX
|
||||||
datestyle = 'iso, dmy'
|
datestyle = 'iso, dmy'
|
||||||
|
#<GNUNUX
|
||||||
#intervalstyle = 'postgres'
|
#intervalstyle = 'postgres'
|
||||||
|
#timezone = 'GMT'
|
||||||
|
#>GNUNUX
|
||||||
#FIXME en dure ?
|
#FIXME en dure ?
|
||||||
timezone = 'Europe/Paris'
|
timezone = 'Europe/Paris'
|
||||||
|
#<GNUNUX
|
||||||
#timezone_abbreviations = 'Default' # Select the set of available time zone
|
#timezone_abbreviations = 'Default' # Select the set of available time zone
|
||||||
# abbreviations. Currently, there are
|
# abbreviations. Currently, there are
|
||||||
# Default
|
# Default
|
||||||
|
@ -758,15 +776,24 @@ timezone = 'Europe/Paris'
|
||||||
# encoding
|
# encoding
|
||||||
|
|
||||||
# These settings are initialized by initdb, but they can be changed.
|
# These settings are initialized by initdb, but they can be changed.
|
||||||
#FIXME en dure ?
|
#lc_messages = 'C' # locale for system error message
|
||||||
lc_messages = 'fr_FR.UTF-8' # locale for system error message
|
|
||||||
# strings
|
# strings
|
||||||
lc_monetary = 'fr_FR.UTF-8' # locale for monetary formatting
|
#lc_monetary = 'C' # locale for monetary formatting
|
||||||
lc_numeric = 'fr_FR.UTF-8' # locale for number formatting
|
#lc_numeric = 'C' # locale for number formatting
|
||||||
lc_time = 'fr_FR.UTF-8' # locale for time formatting
|
#lc_time = 'C' # locale for time formatting
|
||||||
|
#>GNUNUX
|
||||||
|
#FIXME en dure ?
|
||||||
|
lc_messages = 'fr_FR.UTF-8'
|
||||||
|
lc_monetary = 'fr_FR.UTF-8'
|
||||||
|
lc_numeric = 'fr_FR.UTF-8'
|
||||||
|
lc_time = 'fr_FR.UTF-8'
|
||||||
|
#<GNUNUX
|
||||||
|
|
||||||
# default configuration for text search
|
# default configuration for text search
|
||||||
|
#>GNUNUX
|
||||||
|
#default_text_search_config = 'pg_catalog.french'
|
||||||
default_text_search_config = 'pg_catalog.french'
|
default_text_search_config = 'pg_catalog.french'
|
||||||
|
#<GNUNUX
|
||||||
|
|
||||||
# - Shared Library Preloading -
|
# - Shared Library Preloading -
|
||||||
|
|
||||||
|
|
|
@ -1,12 +1,15 @@
|
||||||
%set %%new_accounts = [('rougail_test', %%get_password(server_name=%%domain_name_eth0, username='rougail_test', description="remote", type="cleartext", hide=%%hide_secret, temporary=True))]
|
#RISOTTO: do not compare
|
||||||
|
%set %%new_accounts = [('rougail_test', 'rougail_test', %%get_password(server_name=%%domain_name_eth0, username='rougail_test', description="remote", type="cleartext", hide=%%hide_secret, temporary=True))]
|
||||||
%for %%server in %%accounts.remotes
|
%for %%server in %%accounts.remotes
|
||||||
%set %%name = %%normalize_family(%%server)
|
%set %%name = %%normalize_family(%%server)
|
||||||
|
%set %%database = %%accounts["remote_" + %%name]["database_" + %%name]
|
||||||
|
%set %%username = %%accounts["remote_" + %%name]["username_" + %%name]
|
||||||
%set %%password = %%accounts["remote_" + %%name]["password_" + %%name]
|
%set %%password = %%accounts["remote_" + %%name]["password_" + %%name]
|
||||||
%%new_accounts.append((%%name, %%password))%slurp
|
%%new_accounts.append((%%database, %%username, %%password))%slurp
|
||||||
%end for
|
%end for
|
||||||
%for %%name, %%password in %%new_accounts
|
%for %%database, %%name, %%password in %%new_accounts
|
||||||
CREATE DATABASE "%%name";
|
CREATE DATABASE "%%name";
|
||||||
CREATE ROLE "%%name" WITH LOGIN ENCRYPTED PASSWORD '%%password';
|
CREATE ROLE "%%name" WITH LOGIN ENCRYPTED PASSWORD '%%password';
|
||||||
ALTER USER "%%name" PASSWORD '%%password';
|
ALTER USER "%%name" PASSWORD '%%password';
|
||||||
GRANT ALL PRIVILEGES ON DATABASE "%%name" TO "%%name";
|
GRANT ALL PRIVILEGES ON DATABASE "%%name" TO "%%database";
|
||||||
%end for
|
%end for
|
||||||
|
|
|
@ -19,11 +19,11 @@ Application service needs interact with a Redis server.
|
||||||
|
|
||||||
#### Redis (*general.redis*)
|
#### Redis (*general.redis*)
|
||||||
|
|
||||||
| Description | Type | Supplier |
|
| Description | Type | Supplier | Values |
|
||||||
|-----------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|----------------|
|
|-----------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|----------------|--------------|
|
||||||
| **Nom de domaine du serveur** (*[redis_client_server_domainname](dictionaries/23_redis.xml)*) | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Redis |
|
| **Nom de domaine du serveur** (*[redis_client_server_domainname](dictionaries/23_redis.xml)*) | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Redis | |
|
||||||
| **Nom d'utilisateur** (*[redis_client_username](dictionaries/23_redis.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | |
|
| **Nom d'utilisateur** (*[redis_client_username](dictionaries/23_redis.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Redis:username | <calculated> |
|
||||||
| **Mot de passe de connexion** (*[redis_client_password](dictionaries/23_redis.xml)*) | [password](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Redis:password |
|
| **Mot de passe de connexion** (*[redis_client_password](dictionaries/23_redis.xml)*) | [password](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Redis:password | <calculated> |
|
||||||
|
|
||||||
|
|
||||||
- [+]: variable is multiple
|
- [+]: variable is multiple
|
||||||
|
@ -33,9 +33,9 @@ Application service needs interact with a Redis server.
|
||||||
|
|
||||||
- [peertube](../peertube/README.md)
|
- [peertube](../peertube/README.md)
|
||||||
- [piwigo](../piwigo/README.md)
|
- [piwigo](../piwigo/README.md)
|
||||||
|
- [forgejo](../forgejo/README.md)
|
||||||
- [roundcube](../roundcube/README.md)
|
- [roundcube](../roundcube/README.md)
|
||||||
- [nextcloud](../nextcloud/README.md)
|
- [nextcloud](../nextcloud/README.md)
|
||||||
- [gitea](../gitea/README.md)
|
|
||||||
|
|
||||||
## Linked to
|
## Linked to
|
||||||
|
|
||||||
|
|
|
@ -11,7 +11,7 @@
|
||||||
<variables>
|
<variables>
|
||||||
<family name="redis" description="Redis">
|
<family name="redis" description="Redis">
|
||||||
<variable name="redis_client_server_domainname" type="domainname" description="Nom de domaine du serveur" mandatory="True" supplier="Redis"/>
|
<variable name="redis_client_server_domainname" type="domainname" description="Nom de domaine du serveur" mandatory="True" supplier="Redis"/>
|
||||||
<variable name="redis_client_username" description="Nom d'utilisateur" mandatory="True"/>
|
<variable name="redis_client_username" description="Nom d'utilisateur" mandatory="True" supplier="Redis:username"/>
|
||||||
<variable name="redis_client_password" type="password" description="Mot de passe de connexion" mandatory="True" supplier="Redis:password"/>
|
<variable name="redis_client_password" type="password" description="Mot de passe de connexion" mandatory="True" supplier="Redis:password"/>
|
||||||
<variable name="redis_client_key_owner" type="unix_user" description="Key owner" mandatory="True" hidden="True">
|
<variable name="redis_client_key_owner" type="unix_user" description="Key owner" mandatory="True" hidden="True">
|
||||||
<value>apache</value>
|
<value>apache</value>
|
||||||
|
|
|
@ -15,7 +15,7 @@ Redis, an in-memory data structure store.
|
||||||
|
|
||||||
## Dependances
|
## Dependances
|
||||||
|
|
||||||
- [base-fedora-36](../base-fedora-36/README.md)
|
- [base-fedora-37](../base-fedora-37/README.md)
|
||||||
- [base-fedora](../base-fedora/README.md)
|
- [base-fedora](../base-fedora/README.md)
|
||||||
- [systemd](../systemd/README.md)
|
- [systemd](../systemd/README.md)
|
||||||
- [base-machine](../base-machine/README.md)
|
- [base-machine](../base-machine/README.md)
|
||||||
|
@ -31,20 +31,20 @@ Redis, an in-memory data structure store.
|
||||||
Configuration du service de cache Redis
|
Configuration du service de cache Redis
|
||||||
|
|
||||||
| Description | Values | Help | Type | Choices |
|
| Description | Values | Help | Type | Choices |
|
||||||
|----------------------------------------------------------------------------------------------------------------------------|------------|--------------------------|------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------|
|
|----------------------------------------------------------------------------------------------------------------------------|--------------|--------------------------|------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------|
|
||||||
| **Nom de l'instance** (*[redis_instance_name](dictionaries/90_redis.xml)*) | | | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | |
|
| **Nom de l'instance** (*[redis_instance_name](dictionaries/90_redis.xml)*) | <calculated> | | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | |
|
||||||
| **Activer la persistence des données** (*[redis_save](dictionaries/90_redis.xml)*) | False | | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | |
|
| **Activer la persistence des données** (*[redis_save](dictionaries/90_redis.xml)*) | False | | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | |
|
||||||
| **Quantité de mémoire utilisable par Redis** (*[redis_max_memory](dictionaries/90_redis.xml)*) | 512 | La valeur est en Mo | [number](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | |
|
| **Quantité de mémoire utilisable par Redis** (*[redis_max_memory](dictionaries/90_redis.xml)*) | 512 | La valeur est en Mo | [number](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | |
|
||||||
| **Méthode de libération de mémoire lorsque le maximum est atteint** (*[redis_memory_policy](dictionaries/90_redis.xml)*) | noeviction | | [choice](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | volatile-lru<br />allkeys-lru<br />volatile-lfu<br />allkeys-lfu<br />volatile-random<br />allkeys-random<br />volatile-ttl<br />noeviction |
|
| **Méthode de libération de mémoire lorsque le maximum est atteint** (*[redis_memory_policy](dictionaries/90_redis.xml)*) | noeviction | | [choice](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | volatile-lru<br />allkeys-lru<br />volatile-lfu<br />allkeys-lfu<br />volatile-random<br />allkeys-random<br />volatile-ttl<br />noeviction |
|
||||||
| **Intervalle entre le dernier envoi de paquet TCP et la réponse ACK** (*[redis_tcp_keepalive](dictionaries/90_redis.xml)*) | 60 | La valeur est en seconde | [number](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | |
|
| **Intervalle entre le dernier envoi de paquet TCP et la réponse ACK** (*[redis_tcp_keepalive](dictionaries/90_redis.xml)*) | 300 | La valeur est en seconde | [number](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | |
|
||||||
| **Nombre de client maximum autorisé** (*[redis_max_clients](dictionaries/90_redis.xml)*) | 10000 | | [number](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | |
|
| **Nombre de client maximum autorisé** (*[redis_max_clients](dictionaries/90_redis.xml)*) | 10000 | | [number](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | |
|
||||||
|
|
||||||
### Account (*account*)
|
### Account (*account*)
|
||||||
|
|
||||||
| Description | Type | Provider |
|
| Description | Type | Provider | Values |
|
||||||
|----------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|------------|
|
|----------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|------------|--------------|
|
||||||
| **Remote Redis client needing an account** (*[remote](extras/account/00_account.xml)*) | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Redis |
|
| **Remote Redis client needing an account** (*[remote](extras/account/00_account.xml)*) | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Redis | |
|
||||||
| **Remote IP** (*[remote_ip](extras/account/00_account.xml)*) | [ip](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | |
|
| **Remote IP** (*[remote_ip](extras/account/00_account.xml)*) | [ip](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | | <calculated> |
|
||||||
|
|
||||||
|
|
||||||
- [+]: variable is multiple
|
- [+]: variable is multiple
|
||||||
|
|
|
@ -2,4 +2,4 @@ format: '0.1'
|
||||||
description: Redis, an in-memory data structure store
|
description: Redis, an in-memory data structure store
|
||||||
website: https://redis.io/
|
website: https://redis.io/
|
||||||
depends:
|
depends:
|
||||||
- base-fedora-36
|
- base-fedora-37
|
||||||
|
|
|
@ -9,7 +9,7 @@
|
||||||
<file>/etc/pki/ca-trust/source/anchors/ca_Redis.crt</file>
|
<file>/etc/pki/ca-trust/source/anchors/ca_Redis.crt</file>
|
||||||
<file>/etc/pki/tls/certs/redis.crt</file>
|
<file>/etc/pki/tls/certs/redis.crt</file>
|
||||||
<file owner="root" group="redis" mode="440">/etc/pki/tls/private/redis.key</file>
|
<file owner="root" group="redis" mode="440">/etc/pki/tls/private/redis.key</file>
|
||||||
<file>/tests/redis.yml</file>
|
<file filelist="copy_tests">/tests/redis.yml</file>
|
||||||
</service>
|
</service>
|
||||||
</services>
|
</services>
|
||||||
<variables>
|
<variables>
|
||||||
|
@ -33,7 +33,7 @@
|
||||||
<choice>noeviction</choice>
|
<choice>noeviction</choice>
|
||||||
</variable>
|
</variable>
|
||||||
<variable name="redis_tcp_keepalive" type="number" description="Intervalle entre le dernier envoi de paquet TCP et la réponse ACK" help="La valeur est en seconde">
|
<variable name="redis_tcp_keepalive" type="number" description="Intervalle entre le dernier envoi de paquet TCP et la réponse ACK" help="La valeur est en seconde">
|
||||||
<value>60</value>
|
<value>300</value>
|
||||||
</variable>
|
</variable>
|
||||||
<variable name="redis_max_clients" type="number" description="Nombre de client maximum autorisé">
|
<variable name="redis_max_clients" type="number" description="Nombre de client maximum autorisé">
|
||||||
<value>10000</value>
|
<value>10000</value>
|
||||||
|
|
|
@ -3,6 +3,7 @@
|
||||||
<variables>
|
<variables>
|
||||||
<variable name="remote" description="Remote Redis client needing an account" type="domainname" provider="Redis" mandatory="True"/>
|
<variable name="remote" description="Remote Redis client needing an account" type="domainname" provider="Redis" mandatory="True"/>
|
||||||
<variable name="remote_ip" description="Remote IP" type="ip" mandatory="True"/>
|
<variable name="remote_ip" description="Remote IP" type="ip" mandatory="True"/>
|
||||||
|
<variable name="username" auto_save="False" hidden="True" type="password" mandatory="True" provider="Redis:username"/>
|
||||||
<variable name="password" auto_save="False" hidden="True" type="password" mandatory="True" provider="Redis:password"/>
|
<variable name="password" auto_save="False" hidden="True" type="password" mandatory="True" provider="Redis:password"/>
|
||||||
</variables>
|
</variables>
|
||||||
<constraints>
|
<constraints>
|
||||||
|
|
|
@ -32,8 +32,17 @@
|
||||||
# If instead you are interested in using includes to override configuration
|
# If instead you are interested in using includes to override configuration
|
||||||
# options, it is better to use include as the last line.
|
# options, it is better to use include as the last line.
|
||||||
#
|
#
|
||||||
|
# Included paths may contain wildcards. All files matching the wildcards will
|
||||||
|
# be included in alphabetical order.
|
||||||
|
# Note that if an include path contains a wildcards but no files match it when
|
||||||
|
# the server is started, the include statement will be ignored and no error will
|
||||||
|
# be emitted. It is safe, therefore, to include wildcard files from empty
|
||||||
|
# directories.
|
||||||
|
#
|
||||||
# include /path/to/local.conf
|
# include /path/to/local.conf
|
||||||
# include /path/to/other.conf
|
# include /path/to/other.conf
|
||||||
|
# include /path/to/fragments/*.conf
|
||||||
|
#
|
||||||
|
|
||||||
################################## MODULES #####################################
|
################################## MODULES #####################################
|
||||||
|
|
||||||
|
@ -51,7 +60,7 @@
|
||||||
# the "bind" configuration directive, followed by one or more IP addresses.
|
# the "bind" configuration directive, followed by one or more IP addresses.
|
||||||
# Each address can be prefixed by "-", which means that redis will not fail to
|
# Each address can be prefixed by "-", which means that redis will not fail to
|
||||||
# start if the address is not available. Being not available only refers to
|
# start if the address is not available. Being not available only refers to
|
||||||
# addresses that does not correspond to any network interfece. Addresses that
|
# addresses that does not correspond to any network interface. Addresses that
|
||||||
# are already in use will always fail, and unsupported protocols will always BE
|
# are already in use will always fail, and unsupported protocols will always BE
|
||||||
# silently skipped.
|
# silently skipped.
|
||||||
#
|
#
|
||||||
|
@ -70,36 +79,65 @@
|
||||||
# running on).
|
# running on).
|
||||||
#
|
#
|
||||||
# IF YOU ARE SURE YOU WANT YOUR INSTANCE TO LISTEN TO ALL THE INTERFACES
|
# IF YOU ARE SURE YOU WANT YOUR INSTANCE TO LISTEN TO ALL THE INTERFACES
|
||||||
# JUST COMMENT OUT THE FOLLOWING LINE.
|
# COMMENT OUT THE FOLLOWING LINE.
|
||||||
|
#
|
||||||
|
# You will also need to set a password unless you explicitly disable protected
|
||||||
|
# mode.
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
#>GNUNUX
|
#>GNUNUX
|
||||||
#bind 127.0.0.1 -::1
|
#bind 127.0.0.1 -::1
|
||||||
bind 0.0.0.0
|
bind 0.0.0.0
|
||||||
#<GNUNUX
|
#<GNUNUX
|
||||||
|
|
||||||
|
# By default, outgoing connections (from replica to master, from Sentinel to
|
||||||
|
# instances, cluster bus, etc.) are not bound to a specific local address. In
|
||||||
|
# most cases, this means the operating system will handle that based on routing
|
||||||
|
# and the interface through which the connection goes out.
|
||||||
|
#
|
||||||
|
# Using bind-source-addr it is possible to configure a specific address to bind
|
||||||
|
# to, which may also affect how the connection gets routed.
|
||||||
|
#
|
||||||
|
# Example:
|
||||||
|
#
|
||||||
|
# bind-source-addr 10.0.0.1
|
||||||
|
|
||||||
# Protected mode is a layer of security protection, in order to avoid that
|
# Protected mode is a layer of security protection, in order to avoid that
|
||||||
# Redis instances left open on the internet are accessed and exploited.
|
# Redis instances left open on the internet are accessed and exploited.
|
||||||
#
|
#
|
||||||
# When protected mode is on and if:
|
# When protected mode is on and the default user has no password, the server
|
||||||
#
|
# only accepts local connections from the IPv4 address (127.0.0.1), IPv6 address
|
||||||
# 1) The server is not binding explicitly to a set of addresses using the
|
# (::1) or Unix domain sockets.
|
||||||
# "bind" directive.
|
|
||||||
# 2) No password is configured.
|
|
||||||
#
|
|
||||||
# The server only accepts connections from clients connecting from the
|
|
||||||
# IPv4 and IPv6 loopback addresses 127.0.0.1 and ::1, and from Unix domain
|
|
||||||
# sockets.
|
|
||||||
#
|
#
|
||||||
# By default protected mode is enabled. You should disable it only if
|
# By default protected mode is enabled. You should disable it only if
|
||||||
# you are sure you want clients from other hosts to connect to Redis
|
# you are sure you want clients from other hosts to connect to Redis
|
||||||
# even if no authentication is configured, nor a specific set of interfaces
|
# even if no authentication is configured.
|
||||||
# are explicitly listed using the "bind" directive.
|
protected-mode yes
|
||||||
#FIXMEprotected-mode yes
|
|
||||||
protected-mode no
|
# Redis uses default hardened security configuration directives to reduce the
|
||||||
|
# attack surface on innocent users. Therefore, several sensitive configuration
|
||||||
|
# directives are immutable, and some potentially-dangerous commands are blocked.
|
||||||
|
#
|
||||||
|
# Configuration directives that control files that Redis writes to (e.g., 'dir'
|
||||||
|
# and 'dbfilename') and that aren't usually modified during runtime
|
||||||
|
# are protected by making them immutable.
|
||||||
|
#
|
||||||
|
# Commands that can increase the attack surface of Redis and that aren't usually
|
||||||
|
# called by users are blocked by default.
|
||||||
|
#
|
||||||
|
# These can be exposed to either all connections or just local ones by setting
|
||||||
|
# each of the configs listed below to either of these values:
|
||||||
|
#
|
||||||
|
# no - Block for any connection (remain immutable)
|
||||||
|
# yes - Allow for any connection (no protection)
|
||||||
|
# local - Allow only for local connections. Ones originating from the
|
||||||
|
# IPv4 address (127.0.0.1), IPv6 address (::1) or Unix domain sockets.
|
||||||
|
#
|
||||||
|
# enable-protected-configs no
|
||||||
|
# enable-debug-command no
|
||||||
|
# enable-module-command no
|
||||||
|
|
||||||
# Accept connections on the specified port, default is 6379 (IANA #815344).
|
# Accept connections on the specified port, default is 6379 (IANA #815344).
|
||||||
# If port 0 is specified Redis will not listen on a TCP socket.
|
# If port 0 is specified Redis will not listen on a TCP socket.
|
||||||
# GNUNUX: for php/php-fpm
|
|
||||||
port 6379
|
port 6379
|
||||||
|
|
||||||
# TCP listen() backlog.
|
# TCP listen() backlog.
|
||||||
|
@ -142,6 +180,17 @@ timeout 0
|
||||||
#tcp-keepalive 300
|
#tcp-keepalive 300
|
||||||
tcp-keepalive %%redis_tcp_keepalive
|
tcp-keepalive %%redis_tcp_keepalive
|
||||||
#<GNUNUX
|
#<GNUNUX
|
||||||
|
|
||||||
|
# Apply OS-specific mechanism to mark the listening socket with the specified
|
||||||
|
# ID, to support advanced routing and filtering capabilities.
|
||||||
|
#
|
||||||
|
# On Linux, the ID represents a connection mark.
|
||||||
|
# On FreeBSD, the ID represents a socket cookie ID.
|
||||||
|
# On OpenBSD, the ID represents a route table ID.
|
||||||
|
#
|
||||||
|
# The default value is 0, which implies no marking is required.
|
||||||
|
# socket-mark-id 0
|
||||||
|
|
||||||
################################# TLS/SSL #####################################
|
################################# TLS/SSL #####################################
|
||||||
|
|
||||||
# By default, TLS/SSL is disabled. To enable it, the "tls-port" configuration
|
# By default, TLS/SSL is disabled. To enable it, the "tls-port" configuration
|
||||||
|
@ -384,10 +433,10 @@ proc-title-template "{title} {listen-addr} {server-mode}"
|
||||||
|
|
||||||
# Save the DB to disk.
|
# Save the DB to disk.
|
||||||
#
|
#
|
||||||
# save <seconds> <changes>
|
# save <seconds> <changes> [<seconds> <changes> ...]
|
||||||
#
|
#
|
||||||
# Redis will save the DB if both the given number of seconds and the given
|
# Redis will save the DB if the given number of seconds elapsed and it
|
||||||
# number of write operations against the DB occurred.
|
# surpassed the given number of write operations against the DB.
|
||||||
#
|
#
|
||||||
# Snapshotting can be completely disabled with a single empty string argument
|
# Snapshotting can be completely disabled with a single empty string argument
|
||||||
# as in following example:
|
# as in following example:
|
||||||
|
@ -395,23 +444,16 @@ proc-title-template "{title} {listen-addr} {server-mode}"
|
||||||
# save ""
|
# save ""
|
||||||
#
|
#
|
||||||
# Unless specified otherwise, by default Redis will save the DB:
|
# Unless specified otherwise, by default Redis will save the DB:
|
||||||
# * After 3600 seconds (an hour) if at least 1 key changed
|
# * After 3600 seconds (an hour) if at least 1 change was performed
|
||||||
# * After 300 seconds (5 minutes) if at least 100 keys changed
|
# * After 300 seconds (5 minutes) if at least 100 changes were performed
|
||||||
# * After 60 seconds if at least 10000 keys changed
|
# * After 60 seconds if at least 10000 changes were performed
|
||||||
#
|
#
|
||||||
# You can set these explicitly by uncommenting the three following lines.
|
# You can set these explicitly by uncommenting the following line.
|
||||||
#
|
#
|
||||||
# save 3600 1
|
# save 3600 1 300 100 60 10000
|
||||||
# save 300 100
|
|
||||||
# save 60 10000
|
|
||||||
# save ""
|
|
||||||
#>GNUNUX
|
#>GNUNUX
|
||||||
%if %%redis_save
|
%if %%redis_save
|
||||||
save 900 1
|
save 900 1 300 10 60 10000
|
||||||
save 300 10
|
|
||||||
save 60 10000
|
|
||||||
%else
|
|
||||||
save ""
|
|
||||||
%end if
|
%end if
|
||||||
#<GNUNUX
|
#<GNUNUX
|
||||||
|
|
||||||
|
@ -445,13 +487,13 @@ rdbcompression yes
|
||||||
# tell the loading code to skip the check.
|
# tell the loading code to skip the check.
|
||||||
rdbchecksum yes
|
rdbchecksum yes
|
||||||
|
|
||||||
# Enables or disables full sanitation checks for ziplist and listpack etc when
|
# Enables or disables full sanitization checks for ziplist and listpack etc when
|
||||||
# loading an RDB or RESTORE payload. This reduces the chances of a assertion or
|
# loading an RDB or RESTORE payload. This reduces the chances of a assertion or
|
||||||
# crash later on while processing commands.
|
# crash later on while processing commands.
|
||||||
# Options:
|
# Options:
|
||||||
# no - Never perform full sanitation
|
# no - Never perform full sanitization
|
||||||
# yes - Always perform full sanitation
|
# yes - Always perform full sanitization
|
||||||
# clients - Perform full sanitation only for user connections.
|
# clients - Perform full sanitization only for user connections.
|
||||||
# Excludes: RDB files, RESTORE commands received from the master
|
# Excludes: RDB files, RESTORE commands received from the master
|
||||||
# connection, and client connections which have the
|
# connection, and client connections which have the
|
||||||
# skip-sanitize-payload ACL flag.
|
# skip-sanitize-payload ACL flag.
|
||||||
|
@ -540,9 +582,10 @@ dir /srv/redis
|
||||||
# still reply to client requests, possibly with out of date data, or the
|
# still reply to client requests, possibly with out of date data, or the
|
||||||
# data set may just be empty if this is the first synchronization.
|
# data set may just be empty if this is the first synchronization.
|
||||||
#
|
#
|
||||||
# 2) If replica-serve-stale-data is set to 'no' the replica will reply with
|
# 2) If replica-serve-stale-data is set to 'no' the replica will reply with error
|
||||||
# an error "SYNC with master in progress" to all commands except:
|
# "MASTERDOWN Link with MASTER is down and replica-serve-stale-data is set to 'no'"
|
||||||
# INFO, REPLICAOF, AUTH, PING, SHUTDOWN, REPLCONF, ROLE, CONFIG, SUBSCRIBE,
|
# to all data access commands, excluding commands such as:
|
||||||
|
# INFO, REPLICAOF, AUTH, SHUTDOWN, REPLCONF, ROLE, CONFIG, SUBSCRIBE,
|
||||||
# UNSUBSCRIBE, PSUBSCRIBE, PUNSUBSCRIBE, PUBLISH, PUBSUB, COMMAND, POST,
|
# UNSUBSCRIBE, PSUBSCRIBE, PUNSUBSCRIBE, PUBLISH, PUBSUB, COMMAND, POST,
|
||||||
# HOST and LATENCY.
|
# HOST and LATENCY.
|
||||||
#
|
#
|
||||||
|
@ -591,7 +634,7 @@ replica-read-only yes
|
||||||
#
|
#
|
||||||
# With slow disks and fast (large bandwidth) networks, diskless replication
|
# With slow disks and fast (large bandwidth) networks, diskless replication
|
||||||
# works better.
|
# works better.
|
||||||
repl-diskless-sync no
|
repl-diskless-sync yes
|
||||||
|
|
||||||
# When diskless replication is enabled, it is possible to configure the delay
|
# When diskless replication is enabled, it is possible to configure the delay
|
||||||
# the server waits in order to spawn the child that transfers the RDB via socket
|
# the server waits in order to spawn the child that transfers the RDB via socket
|
||||||
|
@ -605,6 +648,12 @@ repl-diskless-sync no
|
||||||
# it entirely just set it to 0 seconds and the transfer will start ASAP.
|
# it entirely just set it to 0 seconds and the transfer will start ASAP.
|
||||||
repl-diskless-sync-delay 5
|
repl-diskless-sync-delay 5
|
||||||
|
|
||||||
|
# When diskless replication is enabled with a delay, it is possible to let
|
||||||
|
# the replication start before the maximum delay is reached if the maximum
|
||||||
|
# number of replicas expected have connected. Default of 0 means that the
|
||||||
|
# maximum is not defined and Redis will wait the full delay.
|
||||||
|
repl-diskless-sync-max-replicas 0
|
||||||
|
|
||||||
# -----------------------------------------------------------------------------
|
# -----------------------------------------------------------------------------
|
||||||
# WARNING: RDB diskless load is experimental. Since in this setup the replica
|
# WARNING: RDB diskless load is experimental. Since in this setup the replica
|
||||||
# does not immediately store an RDB on disk, it may cause data loss during
|
# does not immediately store an RDB on disk, it may cause data loss during
|
||||||
|
@ -619,19 +668,23 @@ repl-diskless-sync-delay 5
|
||||||
#
|
#
|
||||||
# In many cases the disk is slower than the network, and storing and loading
|
# In many cases the disk is slower than the network, and storing and loading
|
||||||
# the RDB file may increase replication time (and even increase the master's
|
# the RDB file may increase replication time (and even increase the master's
|
||||||
# Copy on Write memory and salve buffers).
|
# Copy on Write memory and replica buffers).
|
||||||
# However, parsing the RDB file directly from the socket may mean that we have
|
# However, parsing the RDB file directly from the socket may mean that we have
|
||||||
# to flush the contents of the current database before the full rdb was
|
# to flush the contents of the current database before the full rdb was
|
||||||
# received. For this reason we have the following options:
|
# received. For this reason we have the following options:
|
||||||
#
|
#
|
||||||
# "disabled" - Don't use diskless load (store the rdb file to the disk first)
|
# "disabled" - Don't use diskless load (store the rdb file to the disk first)
|
||||||
# "on-empty-db" - Use diskless load only when it is completely safe.
|
# "on-empty-db" - Use diskless load only when it is completely safe.
|
||||||
# "swapdb" - Keep a copy of the current db contents in RAM while parsing
|
# "swapdb" - Keep current db contents in RAM while parsing the data directly
|
||||||
# the data directly from the socket. note that this requires
|
# from the socket. Replicas in this mode can keep serving current
|
||||||
# sufficient memory, if you don't have it, you risk an OOM kill.
|
# data set while replication is in progress, except for cases where
|
||||||
|
# they can't recognize master as having a data set from same
|
||||||
|
# replication history.
|
||||||
|
# Note that this requires sufficient memory, if you don't have it,
|
||||||
|
# you risk an OOM kill.
|
||||||
repl-diskless-load disabled
|
repl-diskless-load disabled
|
||||||
|
|
||||||
# Replicas send PINGs to server in a predefined interval. It's possible to
|
# Master send PINGs to its replicas in a predefined interval. It's possible to
|
||||||
# change this interval with the repl_ping_replica_period option. The default
|
# change this interval with the repl_ping_replica_period option. The default
|
||||||
# value is 10 seconds.
|
# value is 10 seconds.
|
||||||
#
|
#
|
||||||
|
@ -706,6 +759,31 @@ repl-disable-tcp-nodelay no
|
||||||
# By default the priority is 100.
|
# By default the priority is 100.
|
||||||
replica-priority 100
|
replica-priority 100
|
||||||
|
|
||||||
|
# The propagation error behavior controls how Redis will behave when it is
|
||||||
|
# unable to handle a command being processed in the replication stream from a master
|
||||||
|
# or processed while reading from an AOF file. Errors that occur during propagation
|
||||||
|
# are unexpected, and can cause data inconsistency. However, there are edge cases
|
||||||
|
# in earlier versions of Redis where it was possible for the server to replicate or persist
|
||||||
|
# commands that would fail on future versions. For this reason the default behavior
|
||||||
|
# is to ignore such errors and continue processing commands.
|
||||||
|
#
|
||||||
|
# If an application wants to ensure there is no data divergence, this configuration
|
||||||
|
# should be set to 'panic' instead. The value can also be set to 'panic-on-replicas'
|
||||||
|
# to only panic when a replica encounters an error on the replication stream. One of
|
||||||
|
# these two panic values will become the default value in the future once there are
|
||||||
|
# sufficient safety mechanisms in place to prevent false positive crashes.
|
||||||
|
#
|
||||||
|
# propagation-error-behavior ignore
|
||||||
|
|
||||||
|
# Replica ignore disk write errors controls the behavior of a replica when it is
|
||||||
|
# unable to persist a write command received from its master to disk. By default,
|
||||||
|
# this configuration is set to 'no' and will crash the replica in this condition.
|
||||||
|
# It is not recommended to change this default, however in order to be compatible
|
||||||
|
# with older versions of Redis this config can be toggled to 'yes' which will just
|
||||||
|
# log a warning and execute the write command it got from the master.
|
||||||
|
#
|
||||||
|
# replica-ignore-disk-write-errors no
|
||||||
|
|
||||||
# -----------------------------------------------------------------------------
|
# -----------------------------------------------------------------------------
|
||||||
# By default, Redis Sentinel includes all replicas in its reports. A replica
|
# By default, Redis Sentinel includes all replicas in its reports. A replica
|
||||||
# can be excluded from Redis Sentinel's announcements. An unannounced replica
|
# can be excluded from Redis Sentinel's announcements. An unannounced replica
|
||||||
|
@ -837,10 +915,12 @@ replica-priority 100
|
||||||
# off Disable the user: it's no longer possible to authenticate
|
# off Disable the user: it's no longer possible to authenticate
|
||||||
# with this user, however the already authenticated connections
|
# with this user, however the already authenticated connections
|
||||||
# will still work.
|
# will still work.
|
||||||
# skip-sanitize-payload RESTORE dump-payload sanitation is skipped.
|
# skip-sanitize-payload RESTORE dump-payload sanitization is skipped.
|
||||||
# sanitize-payload RESTORE dump-payload is sanitized (default).
|
# sanitize-payload RESTORE dump-payload is sanitized (default).
|
||||||
# +<command> Allow the execution of that command
|
# +<command> Allow the execution of that command.
|
||||||
# -<command> Disallow the execution of that command
|
# May be used with `|` for allowing subcommands (e.g "+config|get")
|
||||||
|
# -<command> Disallow the execution of that command.
|
||||||
|
# May be used with `|` for blocking subcommands (e.g "-config|set")
|
||||||
# +@<category> Allow the execution of all the commands in such category
|
# +@<category> Allow the execution of all the commands in such category
|
||||||
# with valid categories are like @admin, @set, @sortedset, ...
|
# with valid categories are like @admin, @set, @sortedset, ...
|
||||||
# and so forth, see the full list in the server.c file where
|
# and so forth, see the full list in the server.c file where
|
||||||
|
@ -848,10 +928,11 @@ replica-priority 100
|
||||||
# The special category @all means all the commands, but currently
|
# The special category @all means all the commands, but currently
|
||||||
# present in the server, and that will be loaded in the future
|
# present in the server, and that will be loaded in the future
|
||||||
# via modules.
|
# via modules.
|
||||||
# +<command>|subcommand Allow a specific subcommand of an otherwise
|
# +<command>|first-arg Allow a specific first argument of an otherwise
|
||||||
# disabled command. Note that this form is not
|
# disabled command. It is only supported on commands with
|
||||||
# allowed as negative like -DEBUG|SEGFAULT, but
|
# no sub-commands, and is not allowed as negative form
|
||||||
# only additive starting with "+".
|
# like -SELECT|1, only additive starting with "+". This
|
||||||
|
# feature is deprecated and may be removed in the future.
|
||||||
# allcommands Alias for +@all. Note that it implies the ability to execute
|
# allcommands Alias for +@all. Note that it implies the ability to execute
|
||||||
# all the future commands loaded via the modules system.
|
# all the future commands loaded via the modules system.
|
||||||
# nocommands Alias for -@all.
|
# nocommands Alias for -@all.
|
||||||
|
@ -859,6 +940,10 @@ replica-priority 100
|
||||||
# commands. For instance ~* allows all the keys. The pattern
|
# commands. For instance ~* allows all the keys. The pattern
|
||||||
# is a glob-style pattern like the one of KEYS.
|
# is a glob-style pattern like the one of KEYS.
|
||||||
# It is possible to specify multiple patterns.
|
# It is possible to specify multiple patterns.
|
||||||
|
# %R~<pattern> Add key read pattern that specifies which keys can be read
|
||||||
|
# from.
|
||||||
|
# %W~<pattern> Add key write pattern that specifies which keys can be
|
||||||
|
# written to.
|
||||||
# allkeys Alias for ~*
|
# allkeys Alias for ~*
|
||||||
# resetkeys Flush the list of allowed keys patterns.
|
# resetkeys Flush the list of allowed keys patterns.
|
||||||
# &<pattern> Add a glob-style pattern of Pub/Sub channels that can be
|
# &<pattern> Add a glob-style pattern of Pub/Sub channels that can be
|
||||||
|
@ -884,6 +969,14 @@ replica-priority 100
|
||||||
# reset Performs the following actions: resetpass, resetkeys, off,
|
# reset Performs the following actions: resetpass, resetkeys, off,
|
||||||
# -@all. The user returns to the same state it has immediately
|
# -@all. The user returns to the same state it has immediately
|
||||||
# after its creation.
|
# after its creation.
|
||||||
|
# (<options>) Create a new selector with the options specified within the
|
||||||
|
# parentheses and attach it to the user. Each option should be
|
||||||
|
# space separated. The first character must be ( and the last
|
||||||
|
# character must be ).
|
||||||
|
# clearselectors Remove all of the currently attached selectors.
|
||||||
|
# Note this does not change the "root" user permissions,
|
||||||
|
# which are the permissions directly applied onto the
|
||||||
|
# user (outside the parentheses).
|
||||||
#
|
#
|
||||||
# ACL rules can be specified in any order: for instance you can start with
|
# ACL rules can be specified in any order: for instance you can start with
|
||||||
# passwords, then flags, or key patterns. However note that the additive
|
# passwords, then flags, or key patterns. However note that the additive
|
||||||
|
@ -905,10 +998,44 @@ replica-priority 100
|
||||||
#
|
#
|
||||||
# Basically ACL rules are processed left-to-right.
|
# Basically ACL rules are processed left-to-right.
|
||||||
#
|
#
|
||||||
|
# The following is a list of command categories and their meanings:
|
||||||
|
# * keyspace - Writing or reading from keys, databases, or their metadata
|
||||||
|
# in a type agnostic way. Includes DEL, RESTORE, DUMP, RENAME, EXISTS, DBSIZE,
|
||||||
|
# KEYS, EXPIRE, TTL, FLUSHALL, etc. Commands that may modify the keyspace,
|
||||||
|
# key or metadata will also have `write` category. Commands that only read
|
||||||
|
# the keyspace, key or metadata will have the `read` category.
|
||||||
|
# * read - Reading from keys (values or metadata). Note that commands that don't
|
||||||
|
# interact with keys, will not have either `read` or `write`.
|
||||||
|
# * write - Writing to keys (values or metadata)
|
||||||
|
# * admin - Administrative commands. Normal applications will never need to use
|
||||||
|
# these. Includes REPLICAOF, CONFIG, DEBUG, SAVE, MONITOR, ACL, SHUTDOWN, etc.
|
||||||
|
# * dangerous - Potentially dangerous (each should be considered with care for
|
||||||
|
# various reasons). This includes FLUSHALL, MIGRATE, RESTORE, SORT, KEYS,
|
||||||
|
# CLIENT, DEBUG, INFO, CONFIG, SAVE, REPLICAOF, etc.
|
||||||
|
# * connection - Commands affecting the connection or other connections.
|
||||||
|
# This includes AUTH, SELECT, COMMAND, CLIENT, ECHO, PING, etc.
|
||||||
|
# * blocking - Potentially blocking the connection until released by another
|
||||||
|
# command.
|
||||||
|
# * fast - Fast O(1) commands. May loop on the number of arguments, but not the
|
||||||
|
# number of elements in the key.
|
||||||
|
# * slow - All commands that are not Fast.
|
||||||
|
# * pubsub - PUBLISH / SUBSCRIBE related
|
||||||
|
# * transaction - WATCH / MULTI / EXEC related commands.
|
||||||
|
# * scripting - Scripting related.
|
||||||
|
# * set - Data type: sets related.
|
||||||
|
# * sortedset - Data type: zsets related.
|
||||||
|
# * list - Data type: lists related.
|
||||||
|
# * hash - Data type: hashes related.
|
||||||
|
# * string - Data type: strings related.
|
||||||
|
# * bitmap - Data type: bitmaps related.
|
||||||
|
# * hyperloglog - Data type: hyperloglog related.
|
||||||
|
# * geo - Data type: geo related.
|
||||||
|
# * stream - Data type: streams related.
|
||||||
|
#
|
||||||
# For more information about ACL configuration please refer to
|
# For more information about ACL configuration please refer to
|
||||||
# the Redis web site at https://redis.io/topics/acl
|
# the Redis web site at https://redis.io/topics/acl
|
||||||
#>GNUNUX
|
#>GNUNUX
|
||||||
user %%normalize_family(%%account.remote) on >%%account.password ~* &* +@all
|
user %%account.username on >%%account.password ~* &* +@all
|
||||||
#<GNUNUX
|
#<GNUNUX
|
||||||
|
|
||||||
# ACL LOG
|
# ACL LOG
|
||||||
|
@ -937,7 +1064,7 @@ acllog-max-len 128
|
||||||
# AUTH <password> as usually, or more explicitly with AUTH default <password>
|
# AUTH <password> as usually, or more explicitly with AUTH default <password>
|
||||||
# if they follow the new protocol: both will work.
|
# if they follow the new protocol: both will work.
|
||||||
#
|
#
|
||||||
# The requirepass is not compatable with aclfile option and the ACL LOAD
|
# The requirepass is not compatible with aclfile option and the ACL LOAD
|
||||||
# command, these will cause requirepass to be ignored.
|
# command, these will cause requirepass to be ignored.
|
||||||
#
|
#
|
||||||
# requirepass foobared
|
# requirepass foobared
|
||||||
|
@ -954,15 +1081,7 @@ requirepass %%account.password
|
||||||
# allchannels: grants access to all Pub/Sub channels
|
# allchannels: grants access to all Pub/Sub channels
|
||||||
# resetchannels: revokes access to all Pub/Sub channels
|
# resetchannels: revokes access to all Pub/Sub channels
|
||||||
#
|
#
|
||||||
# To ensure backward compatibility while upgrading Redis 6.0, acl-pubsub-default
|
# From Redis 7.0, acl-pubsub-default defaults to 'resetchannels' permission.
|
||||||
# defaults to the 'allchannels' permission.
|
|
||||||
#
|
|
||||||
# Future compatibility note: it is very likely that in a future version of Redis
|
|
||||||
# the directive's default of 'allchannels' will be changed to 'resetchannels' in
|
|
||||||
# order to provide better out-of-the-box Pub/Sub security. Therefore, it is
|
|
||||||
# recommended that you explicitly define Pub/Sub permissions for all users
|
|
||||||
# rather then rely on implicit default values. Once you've set explicit
|
|
||||||
# Pub/Sub for all existing users, you should uncomment the following line.
|
|
||||||
#
|
#
|
||||||
# acl-pubsub-default resetchannels
|
# acl-pubsub-default resetchannels
|
||||||
|
|
||||||
|
@ -1186,7 +1305,7 @@ replica-lazy-flush no
|
||||||
|
|
||||||
lazyfree-lazy-user-del no
|
lazyfree-lazy-user-del no
|
||||||
|
|
||||||
# FLUSHDB, FLUSHALL, and SCRIPT FLUSH support both asynchronous and synchronous
|
# FLUSHDB, FLUSHALL, SCRIPT FLUSH and FUNCTION FLUSH support both asynchronous and synchronous
|
||||||
# deletion, which can be controlled by passing the [SYNC|ASYNC] flags into the
|
# deletion, which can be controlled by passing the [SYNC|ASYNC] flags into the
|
||||||
# commands. When neither flag is passed, this directive will be used to determine
|
# commands. When neither flag is passed, this directive will be used to determine
|
||||||
# if the data should be deleted asynchronously.
|
# if the data should be deleted asynchronously.
|
||||||
|
@ -1231,7 +1350,7 @@ lazyfree-lazy-user-flush no
|
||||||
# Usually threading reads doesn't help much.
|
# Usually threading reads doesn't help much.
|
||||||
#
|
#
|
||||||
# NOTE 1: This configuration directive cannot be changed at runtime via
|
# NOTE 1: This configuration directive cannot be changed at runtime via
|
||||||
# CONFIG SET. Aso this feature currently does not work when SSL is
|
# CONFIG SET. Also, this feature currently does not work when SSL is
|
||||||
# enabled.
|
# enabled.
|
||||||
#
|
#
|
||||||
# NOTE 2: If you want to test the Redis speedup using redis-benchmark, make
|
# NOTE 2: If you want to test the Redis speedup using redis-benchmark, make
|
||||||
|
@ -1249,7 +1368,7 @@ lazyfree-lazy-user-flush no
|
||||||
# attempt to have background child processes killed before all others, and
|
# attempt to have background child processes killed before all others, and
|
||||||
# replicas killed before masters.
|
# replicas killed before masters.
|
||||||
#
|
#
|
||||||
# Redis supports three options:
|
# Redis supports these options:
|
||||||
#
|
#
|
||||||
# no: Don't make changes to oom-score-adj (default).
|
# no: Don't make changes to oom-score-adj (default).
|
||||||
# yes: Alias to "relative" see below.
|
# yes: Alias to "relative" see below.
|
||||||
|
@ -1305,10 +1424,39 @@ disable-thp yes
|
||||||
|
|
||||||
appendonly no
|
appendonly no
|
||||||
|
|
||||||
# The name of the append only file (default: "appendonly.aof")
|
# The base name of the append only file.
|
||||||
|
#
|
||||||
|
# Redis 7 and newer use a set of append-only files to persist the dataset
|
||||||
|
# and changes applied to it. There are two basic types of files in use:
|
||||||
|
#
|
||||||
|
# - Base files, which are a snapshot representing the complete state of the
|
||||||
|
# dataset at the time the file was created. Base files can be either in
|
||||||
|
# the form of RDB (binary serialized) or AOF (textual commands).
|
||||||
|
# - Incremental files, which contain additional commands that were applied
|
||||||
|
# to the dataset following the previous file.
|
||||||
|
#
|
||||||
|
# In addition, manifest files are used to track the files and the order in
|
||||||
|
# which they were created and should be applied.
|
||||||
|
#
|
||||||
|
# Append-only file names are created by Redis following a specific pattern.
|
||||||
|
# The file name's prefix is based on the 'appendfilename' configuration
|
||||||
|
# parameter, followed by additional information about the sequence and type.
|
||||||
|
#
|
||||||
|
# For example, if appendfilename is set to appendonly.aof, the following file
|
||||||
|
# names could be derived:
|
||||||
|
#
|
||||||
|
# - appendonly.aof.1.base.rdb as a base file.
|
||||||
|
# - appendonly.aof.1.incr.aof, appendonly.aof.2.incr.aof as incremental files.
|
||||||
|
# - appendonly.aof.manifest as a manifest file.
|
||||||
|
|
||||||
appendfilename "appendonly.aof"
|
appendfilename "appendonly.aof"
|
||||||
|
|
||||||
|
# For convenience, Redis stores all persistent append-only files in a dedicated
|
||||||
|
# directory. The name of the directory is determined by the appenddirname
|
||||||
|
# configuration parameter.
|
||||||
|
|
||||||
|
appenddirname "appendonlydir"
|
||||||
|
|
||||||
# The fsync() call tells the Operating System to actually write data on disk
|
# The fsync() call tells the Operating System to actually write data on disk
|
||||||
# instead of waiting for more data in the output buffer. Some OS will really flush
|
# instead of waiting for more data in the output buffer. Some OS will really flush
|
||||||
# data on disk, some other OS will just try to do it ASAP.
|
# data on disk, some other OS will just try to do it ASAP.
|
||||||
|
@ -1348,7 +1496,7 @@ appendfsync everysec
|
||||||
# BGSAVE or BGREWRITEAOF is in progress.
|
# BGSAVE or BGREWRITEAOF is in progress.
|
||||||
#
|
#
|
||||||
# This means that while another child is saving, the durability of Redis is
|
# This means that while another child is saving, the durability of Redis is
|
||||||
# the same as "appendfsync none". In practical terms, this means that it is
|
# the same as "appendfsync no". In practical terms, this means that it is
|
||||||
# possible to lose up to 30 seconds of log in the worst scenario (with the
|
# possible to lose up to 30 seconds of log in the worst scenario (with the
|
||||||
# default Linux settings).
|
# default Linux settings).
|
||||||
#
|
#
|
||||||
|
@ -1401,34 +1549,69 @@ auto-aof-rewrite-min-size 64mb
|
||||||
# will be found.
|
# will be found.
|
||||||
aof-load-truncated yes
|
aof-load-truncated yes
|
||||||
|
|
||||||
# When rewriting the AOF file, Redis is able to use an RDB preamble in the
|
# Redis can create append-only base files in either RDB or AOF formats. Using
|
||||||
# AOF file for faster rewrites and recoveries. When this option is turned
|
# the RDB format is always faster and more efficient, and disabling it is only
|
||||||
# on the rewritten AOF file is composed of two different stanzas:
|
# supported for backward compatibility purposes.
|
||||||
#
|
|
||||||
# [RDB file][AOF tail]
|
|
||||||
#
|
|
||||||
# When loading, Redis recognizes that the AOF file starts with the "REDIS"
|
|
||||||
# string and loads the prefixed RDB file, then continues loading the AOF
|
|
||||||
# tail.
|
|
||||||
aof-use-rdb-preamble yes
|
aof-use-rdb-preamble yes
|
||||||
|
|
||||||
################################ LUA SCRIPTING ###############################
|
# Redis supports recording timestamp annotations in the AOF to support restoring
|
||||||
|
# the data from a specific point-in-time. However, using this capability changes
|
||||||
|
# the AOF format in a way that may not be compatible with existing AOF parsers.
|
||||||
|
aof-timestamp-enabled no
|
||||||
|
|
||||||
# Max execution time of a Lua script in milliseconds.
|
################################ SHUTDOWN #####################################
|
||||||
|
|
||||||
|
# Maximum time to wait for replicas when shutting down, in seconds.
|
||||||
#
|
#
|
||||||
# If the maximum execution time is reached Redis will log that a script is
|
# During shut down, a grace period allows any lagging replicas to catch up with
|
||||||
# still in execution after the maximum allowed time and will start to
|
# the latest replication offset before the master exists. This period can
|
||||||
# reply to queries with an error.
|
# prevent data loss, especially for deployments without configured disk backups.
|
||||||
#
|
#
|
||||||
# When a long running script exceeds the maximum execution time only the
|
# The 'shutdown-timeout' value is the grace period's duration in seconds. It is
|
||||||
# SCRIPT KILL and SHUTDOWN NOSAVE commands are available. The first can be
|
# only applicable when the instance has replicas. To disable the feature, set
|
||||||
# used to stop a script that did not yet call any write commands. The second
|
# the value to 0.
|
||||||
# is the only way to shut down the server in the case a write command was
|
|
||||||
# already issued by the script but the user doesn't want to wait for the natural
|
|
||||||
# termination of the script.
|
|
||||||
#
|
#
|
||||||
# Set it to 0 or a negative value for unlimited execution without warnings.
|
# shutdown-timeout 10
|
||||||
lua-time-limit 5000
|
|
||||||
|
# When Redis receives a SIGINT or SIGTERM, shutdown is initiated and by default
|
||||||
|
# an RDB snapshot is written to disk in a blocking operation if save points are configured.
|
||||||
|
# The options used on signaled shutdown can include the following values:
|
||||||
|
# default: Saves RDB snapshot only if save points are configured.
|
||||||
|
# Waits for lagging replicas to catch up.
|
||||||
|
# save: Forces a DB saving operation even if no save points are configured.
|
||||||
|
# nosave: Prevents DB saving operation even if one or more save points are configured.
|
||||||
|
# now: Skips waiting for lagging replicas.
|
||||||
|
# force: Ignores any errors that would normally prevent the server from exiting.
|
||||||
|
#
|
||||||
|
# Any combination of values is allowed as long as "save" and "nosave" are not set simultaneously.
|
||||||
|
# Example: "nosave force now"
|
||||||
|
#
|
||||||
|
# shutdown-on-sigint default
|
||||||
|
# shutdown-on-sigterm default
|
||||||
|
|
||||||
|
################ NON-DETERMINISTIC LONG BLOCKING COMMANDS #####################
|
||||||
|
|
||||||
|
# Maximum time in milliseconds for EVAL scripts, functions and in some cases
|
||||||
|
# modules' commands before Redis can start processing or rejecting other clients.
|
||||||
|
#
|
||||||
|
# If the maximum execution time is reached Redis will start to reply to most
|
||||||
|
# commands with a BUSY error.
|
||||||
|
#
|
||||||
|
# In this state Redis will only allow a handful of commands to be executed.
|
||||||
|
# For instance, SCRIPT KILL, FUNCTION KILL, SHUTDOWN NOSAVE and possibly some
|
||||||
|
# module specific 'allow-busy' commands.
|
||||||
|
#
|
||||||
|
# SCRIPT KILL and FUNCTION KILL will only be able to stop a script that did not
|
||||||
|
# yet call any write commands, so SHUTDOWN NOSAVE may be the only way to stop
|
||||||
|
# the server in the case a write command was already issued by the script when
|
||||||
|
# the user doesn't want to wait for the natural termination of the script.
|
||||||
|
#
|
||||||
|
# The default is 5 seconds. It is possible to set it to 0 or a negative value
|
||||||
|
# to disable this mechanism (uninterrupted execution). Note that in the past
|
||||||
|
# this config had a different name, which is now an alias, so both of these do
|
||||||
|
# the same:
|
||||||
|
# lua-time-limit 5000
|
||||||
|
# busy-reply-threshold 5000
|
||||||
|
|
||||||
################################ REDIS CLUSTER ###############################
|
################################ REDIS CLUSTER ###############################
|
||||||
|
|
||||||
|
@ -1452,6 +1635,11 @@ lua-time-limit 5000
|
||||||
#
|
#
|
||||||
# cluster-node-timeout 15000
|
# cluster-node-timeout 15000
|
||||||
|
|
||||||
|
# The cluster port is the port that the cluster bus will listen for inbound connections on. When set
|
||||||
|
# to the default value, 0, it will be bound to the command port + 10000. Setting this value requires
|
||||||
|
# you to specify the cluster bus port when executing cluster meet.
|
||||||
|
# cluster-port 0
|
||||||
|
|
||||||
# A replica of a failing master will avoid to start a failover if its data
|
# A replica of a failing master will avoid to start a failover if its data
|
||||||
# looks too old.
|
# looks too old.
|
||||||
#
|
#
|
||||||
|
@ -1549,7 +1737,7 @@ lua-time-limit 5000
|
||||||
# cluster-replica-no-failover no
|
# cluster-replica-no-failover no
|
||||||
|
|
||||||
# This option, when set to yes, allows nodes to serve read traffic while the
|
# This option, when set to yes, allows nodes to serve read traffic while the
|
||||||
# the cluster is in a down state, as long as it believes it owns the slots.
|
# cluster is in a down state, as long as it believes it owns the slots.
|
||||||
#
|
#
|
||||||
# This is useful for two cases. The first case is for when an application
|
# This is useful for two cases. The first case is for when an application
|
||||||
# doesn't require consistency of data during node failures or network partitions.
|
# doesn't require consistency of data during node failures or network partitions.
|
||||||
|
@ -1564,6 +1752,52 @@ lua-time-limit 5000
|
||||||
#
|
#
|
||||||
# cluster-allow-reads-when-down no
|
# cluster-allow-reads-when-down no
|
||||||
|
|
||||||
|
# This option, when set to yes, allows nodes to serve pubsub shard traffic while
|
||||||
|
# the cluster is in a down state, as long as it believes it owns the slots.
|
||||||
|
#
|
||||||
|
# This is useful if the application would like to use the pubsub feature even when
|
||||||
|
# the cluster global stable state is not OK. If the application wants to make sure only
|
||||||
|
# one shard is serving a given channel, this feature should be kept as yes.
|
||||||
|
#
|
||||||
|
# cluster-allow-pubsubshard-when-down yes
|
||||||
|
|
||||||
|
# Cluster link send buffer limit is the limit on the memory usage of an individual
|
||||||
|
# cluster bus link's send buffer in bytes. Cluster links would be freed if they exceed
|
||||||
|
# this limit. This is to primarily prevent send buffers from growing unbounded on links
|
||||||
|
# toward slow peers (E.g. PubSub messages being piled up).
|
||||||
|
# This limit is disabled by default. Enable this limit when 'mem_cluster_links' INFO field
|
||||||
|
# and/or 'send-buffer-allocated' entries in the 'CLUSTER LINKS` command output continuously increase.
|
||||||
|
# Minimum limit of 1gb is recommended so that cluster link buffer can fit in at least a single
|
||||||
|
# PubSub message by default. (client-query-buffer-limit default value is 1gb)
|
||||||
|
#
|
||||||
|
# cluster-link-sendbuf-limit 0
|
||||||
|
|
||||||
|
# Clusters can configure their announced hostname using this config. This is a common use case for
|
||||||
|
# applications that need to use TLS Server Name Indication (SNI) or dealing with DNS based
|
||||||
|
# routing. By default this value is only shown as additional metadata in the CLUSTER SLOTS
|
||||||
|
# command, but can be changed using 'cluster-preferred-endpoint-type' config. This value is
|
||||||
|
# communicated along the clusterbus to all nodes, setting it to an empty string will remove
|
||||||
|
# the hostname and also propagate the removal.
|
||||||
|
#
|
||||||
|
# cluster-announce-hostname ""
|
||||||
|
|
||||||
|
# Clusters can advertise how clients should connect to them using either their IP address,
|
||||||
|
# a user defined hostname, or by declaring they have no endpoint. Which endpoint is
|
||||||
|
# shown as the preferred endpoint is set by using the cluster-preferred-endpoint-type
|
||||||
|
# config with values 'ip', 'hostname', or 'unknown-endpoint'. This value controls how
|
||||||
|
# the endpoint returned for MOVED/ASKING requests as well as the first field of CLUSTER SLOTS.
|
||||||
|
# If the preferred endpoint type is set to hostname, but no announced hostname is set, a '?'
|
||||||
|
# will be returned instead.
|
||||||
|
#
|
||||||
|
# When a cluster advertises itself as having an unknown endpoint, it's indicating that
|
||||||
|
# the server doesn't know how clients can reach the cluster. This can happen in certain
|
||||||
|
# networking situations where there are multiple possible routes to the node, and the
|
||||||
|
# server doesn't know which one the client took. In this case, the server is expecting
|
||||||
|
# the client to reach out on the same endpoint it used for making the last request, but use
|
||||||
|
# the port provided in the response.
|
||||||
|
#
|
||||||
|
# cluster-preferred-endpoint-type ip
|
||||||
|
|
||||||
# In order to setup your cluster make sure to read the documentation
|
# In order to setup your cluster make sure to read the documentation
|
||||||
# available at https://redis.io web site.
|
# available at https://redis.io web site.
|
||||||
|
|
||||||
|
@ -1651,6 +1885,20 @@ slowlog-max-len 128
|
||||||
# "CONFIG SET latency-monitor-threshold <milliseconds>" if needed.
|
# "CONFIG SET latency-monitor-threshold <milliseconds>" if needed.
|
||||||
latency-monitor-threshold 0
|
latency-monitor-threshold 0
|
||||||
|
|
||||||
|
################################ LATENCY TRACKING ##############################
|
||||||
|
|
||||||
|
# The Redis extended latency monitoring tracks the per command latencies and enables
|
||||||
|
# exporting the percentile distribution via the INFO latencystats command,
|
||||||
|
# and cumulative latency distributions (histograms) via the LATENCY command.
|
||||||
|
#
|
||||||
|
# By default, the extended latency monitoring is enabled since the overhead
|
||||||
|
# of keeping track of the command latency is very small.
|
||||||
|
# latency-tracking yes
|
||||||
|
|
||||||
|
# By default the exported latency percentiles via the INFO latencystats command
|
||||||
|
# are the p50, p99, and p999.
|
||||||
|
# latency-tracking-info-percentiles 50 99 99.9
|
||||||
|
|
||||||
############################# EVENT NOTIFICATION ##############################
|
############################# EVENT NOTIFICATION ##############################
|
||||||
|
|
||||||
# Redis can notify Pub/Sub clients about events happening in the key space.
|
# Redis can notify Pub/Sub clients about events happening in the key space.
|
||||||
|
@ -1676,6 +1924,7 @@ latency-monitor-threshold 0
|
||||||
# z Sorted set commands
|
# z Sorted set commands
|
||||||
# x Expired events (events generated every time a key expires)
|
# x Expired events (events generated every time a key expires)
|
||||||
# e Evicted events (events generated when a key is evicted for maxmemory)
|
# e Evicted events (events generated when a key is evicted for maxmemory)
|
||||||
|
# n New key events (Note: not included in the 'A' class)
|
||||||
# t Stream commands
|
# t Stream commands
|
||||||
# d Module key type events
|
# d Module key type events
|
||||||
# m Key-miss events (Note: It is not included in the 'A' class)
|
# m Key-miss events (Note: It is not included in the 'A' class)
|
||||||
|
@ -1702,71 +1951,13 @@ latency-monitor-threshold 0
|
||||||
# specify at least one of K or E, no events will be delivered.
|
# specify at least one of K or E, no events will be delivered.
|
||||||
notify-keyspace-events ""
|
notify-keyspace-events ""
|
||||||
|
|
||||||
############################### GOPHER SERVER #################################
|
|
||||||
|
|
||||||
# Redis contains an implementation of the Gopher protocol, as specified in
|
|
||||||
# the RFC 1436 (https://www.ietf.org/rfc/rfc1436.txt).
|
|
||||||
#
|
|
||||||
# The Gopher protocol was very popular in the late '90s. It is an alternative
|
|
||||||
# to the web, and the implementation both server and client side is so simple
|
|
||||||
# that the Redis server has just 100 lines of code in order to implement this
|
|
||||||
# support.
|
|
||||||
#
|
|
||||||
# What do you do with Gopher nowadays? Well Gopher never *really* died, and
|
|
||||||
# lately there is a movement in order for the Gopher more hierarchical content
|
|
||||||
# composed of just plain text documents to be resurrected. Some want a simpler
|
|
||||||
# internet, others believe that the mainstream internet became too much
|
|
||||||
# controlled, and it's cool to create an alternative space for people that
|
|
||||||
# want a bit of fresh air.
|
|
||||||
#
|
|
||||||
# Anyway for the 10nth birthday of the Redis, we gave it the Gopher protocol
|
|
||||||
# as a gift.
|
|
||||||
#
|
|
||||||
# --- HOW IT WORKS? ---
|
|
||||||
#
|
|
||||||
# The Redis Gopher support uses the inline protocol of Redis, and specifically
|
|
||||||
# two kind of inline requests that were anyway illegal: an empty request
|
|
||||||
# or any request that starts with "/" (there are no Redis commands starting
|
|
||||||
# with such a slash). Normal RESP2/RESP3 requests are completely out of the
|
|
||||||
# path of the Gopher protocol implementation and are served as usual as well.
|
|
||||||
#
|
|
||||||
# If you open a connection to Redis when Gopher is enabled and send it
|
|
||||||
# a string like "/foo", if there is a key named "/foo" it is served via the
|
|
||||||
# Gopher protocol.
|
|
||||||
#
|
|
||||||
# In order to create a real Gopher "hole" (the name of a Gopher site in Gopher
|
|
||||||
# talking), you likely need a script like the following:
|
|
||||||
#
|
|
||||||
# https://github.com/antirez/gopher2redis
|
|
||||||
#
|
|
||||||
# --- SECURITY WARNING ---
|
|
||||||
#
|
|
||||||
# If you plan to put Redis on the internet in a publicly accessible address
|
|
||||||
# to server Gopher pages MAKE SURE TO SET A PASSWORD to the instance.
|
|
||||||
# Once a password is set:
|
|
||||||
#
|
|
||||||
# 1. The Gopher server (when enabled, not by default) will still serve
|
|
||||||
# content via Gopher.
|
|
||||||
# 2. However other commands cannot be called before the client will
|
|
||||||
# authenticate.
|
|
||||||
#
|
|
||||||
# So use the 'requirepass' option to protect your instance.
|
|
||||||
#
|
|
||||||
# Note that Gopher is not currently supported when 'io-threads-do-reads'
|
|
||||||
# is enabled.
|
|
||||||
#
|
|
||||||
# To enable Gopher support, uncomment the following line and set the option
|
|
||||||
# from no (the default) to yes.
|
|
||||||
#
|
|
||||||
# gopher-enabled no
|
|
||||||
|
|
||||||
############################### ADVANCED CONFIG ###############################
|
############################### ADVANCED CONFIG ###############################
|
||||||
|
|
||||||
# Hashes are encoded using a memory efficient data structure when they have a
|
# Hashes are encoded using a memory efficient data structure when they have a
|
||||||
# small number of entries, and the biggest entry does not exceed a given
|
# small number of entries, and the biggest entry does not exceed a given
|
||||||
# threshold. These thresholds can be configured using the following directives.
|
# threshold. These thresholds can be configured using the following directives.
|
||||||
hash-max-ziplist-entries 512
|
hash-max-listpack-entries 512
|
||||||
hash-max-ziplist-value 64
|
hash-max-listpack-value 64
|
||||||
|
|
||||||
# Lists are also encoded in a special way to save a lot of space.
|
# Lists are also encoded in a special way to save a lot of space.
|
||||||
# The number of entries allowed per internal list node can be specified
|
# The number of entries allowed per internal list node can be specified
|
||||||
|
@ -1781,7 +1972,7 @@ hash-max-ziplist-value 64
|
||||||
# per list node.
|
# per list node.
|
||||||
# The highest performing option is usually -2 (8 Kb size) or -1 (4 Kb size),
|
# The highest performing option is usually -2 (8 Kb size) or -1 (4 Kb size),
|
||||||
# but if your use case is unique, adjust the settings as necessary.
|
# but if your use case is unique, adjust the settings as necessary.
|
||||||
list-max-ziplist-size -2
|
list-max-listpack-size -2
|
||||||
|
|
||||||
# Lists may also be compressed.
|
# Lists may also be compressed.
|
||||||
# Compress depth is the number of quicklist ziplist nodes from *each* side of
|
# Compress depth is the number of quicklist ziplist nodes from *each* side of
|
||||||
|
@ -1809,8 +2000,8 @@ set-max-intset-entries 512
|
||||||
# Similarly to hashes and lists, sorted sets are also specially encoded in
|
# Similarly to hashes and lists, sorted sets are also specially encoded in
|
||||||
# order to save a lot of space. This encoding is only used when the length and
|
# order to save a lot of space. This encoding is only used when the length and
|
||||||
# elements of a sorted set are below the following limits:
|
# elements of a sorted set are below the following limits:
|
||||||
zset-max-ziplist-entries 128
|
zset-max-listpack-entries 128
|
||||||
zset-max-ziplist-value 64
|
zset-max-listpack-value 64
|
||||||
|
|
||||||
# HyperLogLog sparse representation bytes limit. The limit includes the
|
# HyperLogLog sparse representation bytes limit. The limit includes the
|
||||||
# 16 bytes header. When an HyperLogLog using the sparse representation crosses
|
# 16 bytes header. When an HyperLogLog using the sparse representation crosses
|
||||||
|
@ -1889,6 +2080,13 @@ activerehashing yes
|
||||||
# Instead there is a default limit for pubsub and replica clients, since
|
# Instead there is a default limit for pubsub and replica clients, since
|
||||||
# subscribers and replicas receive data in a push fashion.
|
# subscribers and replicas receive data in a push fashion.
|
||||||
#
|
#
|
||||||
|
# Note that it doesn't make sense to set the replica clients output buffer
|
||||||
|
# limit lower than the repl-backlog-size config (partial sync will succeed
|
||||||
|
# and then replica will get disconnected).
|
||||||
|
# Such a configuration is ignored (the size of repl-backlog-size will be used).
|
||||||
|
# This doesn't have memory consumption implications since the replica client
|
||||||
|
# will share the backlog buffers memory.
|
||||||
|
#
|
||||||
# Both the hard or the soft limit can be disabled by setting them to zero.
|
# Both the hard or the soft limit can be disabled by setting them to zero.
|
||||||
client-output-buffer-limit normal 0 0 0
|
client-output-buffer-limit normal 0 0 0
|
||||||
client-output-buffer-limit replica 256mb 64mb 60
|
client-output-buffer-limit replica 256mb 64mb 60
|
||||||
|
@ -1902,6 +2100,25 @@ client-output-buffer-limit pubsub 32mb 8mb 60
|
||||||
#
|
#
|
||||||
# client-query-buffer-limit 1gb
|
# client-query-buffer-limit 1gb
|
||||||
|
|
||||||
|
# In some scenarios client connections can hog up memory leading to OOM
|
||||||
|
# errors or data eviction. To avoid this we can cap the accumulated memory
|
||||||
|
# used by all client connections (all pubsub and normal clients). Once we
|
||||||
|
# reach that limit connections will be dropped by the server freeing up
|
||||||
|
# memory. The server will attempt to drop the connections using the most
|
||||||
|
# memory first. We call this mechanism "client eviction".
|
||||||
|
#
|
||||||
|
# Client eviction is configured using the maxmemory-clients setting as follows:
|
||||||
|
# 0 - client eviction is disabled (default)
|
||||||
|
#
|
||||||
|
# A memory value can be used for the client eviction threshold,
|
||||||
|
# for example:
|
||||||
|
# maxmemory-clients 1g
|
||||||
|
#
|
||||||
|
# A percentage value (between 1% and 100%) means the client eviction threshold
|
||||||
|
# is based on a percentage of the maxmemory setting. For example to set client
|
||||||
|
# eviction at 5% of maxmemory:
|
||||||
|
# maxmemory-clients 5%
|
||||||
|
|
||||||
# In the Redis protocol, bulk requests, that are, elements representing single
|
# In the Redis protocol, bulk requests, that are, elements representing single
|
||||||
# strings, are normally limited to 512 mb. However you can change this limit
|
# strings, are normally limited to 512 mb. However you can change this limit
|
||||||
# here, but must be 1mb or greater
|
# here, but must be 1mb or greater
|
||||||
|
@ -1942,13 +2159,13 @@ hz 10
|
||||||
dynamic-hz yes
|
dynamic-hz yes
|
||||||
|
|
||||||
# When a child rewrites the AOF file, if the following option is enabled
|
# When a child rewrites the AOF file, if the following option is enabled
|
||||||
# the file will be fsync-ed every 32 MB of data generated. This is useful
|
# the file will be fsync-ed every 4 MB of data generated. This is useful
|
||||||
# in order to commit the file to the disk more incrementally and avoid
|
# in order to commit the file to the disk more incrementally and avoid
|
||||||
# big latency spikes.
|
# big latency spikes.
|
||||||
aof-rewrite-incremental-fsync yes
|
aof-rewrite-incremental-fsync yes
|
||||||
|
|
||||||
# When redis saves RDB file, if the following option is enabled
|
# When redis saves RDB file, if the following option is enabled
|
||||||
# the file will be fsync-ed every 32 MB of data generated. This is useful
|
# the file will be fsync-ed every 4 MB of data generated. This is useful
|
||||||
# in order to commit the file to the disk more incrementally and avoid
|
# in order to commit the file to the disk more incrementally and avoid
|
||||||
# big latency spikes.
|
# big latency spikes.
|
||||||
rdb-save-incremental-fsync yes
|
rdb-save-incremental-fsync yes
|
||||||
|
@ -2045,7 +2262,7 @@ rdb-save-incremental-fsync yes
|
||||||
# defragmentation process. If you are not sure about what they mean it is
|
# defragmentation process. If you are not sure about what they mean it is
|
||||||
# a good idea to leave the defaults untouched.
|
# a good idea to leave the defaults untouched.
|
||||||
|
|
||||||
# Enabled active defragmentation
|
# Active defragmentation is disabled by default
|
||||||
# activedefrag no
|
# activedefrag no
|
||||||
|
|
||||||
# Minimum amount of fragmentation waste to start active defrag
|
# Minimum amount of fragmentation waste to start active defrag
|
||||||
|
|
|
@ -1,3 +1,3 @@
|
||||||
address: %%ip_eth0
|
address: %%ip_eth0
|
||||||
username: %%normalize_family(%%account.remote)
|
username: %%account.username
|
||||||
password: %%account.password
|
password: %%account.password
|
||||||
|
|
|
@ -19,9 +19,9 @@ Application service needs interact with a Postfix server with LMTP protocol.
|
||||||
|
|
||||||
### Général (*general*)
|
### Général (*general*)
|
||||||
|
|
||||||
| Description | Type | Supplier |
|
| Description | Type | Values | Supplier |
|
||||||
|---------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|------------|
|
|---------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|--------------|------------|
|
||||||
| **Nom de domaine du serveur LMTP** (*[lmtp_relay_address](dictionaries/30_lmtp.xml)*) | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | LMTP |
|
| **Nom de domaine du serveur LMTP** (*[lmtp_relay_address](dictionaries/30_lmtp.xml)*) | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | <calculated> | LMTP |
|
||||||
|
|
||||||
|
|
||||||
- [+]: variable is multiple
|
- [+]: variable is multiple
|
||||||
|
|
|
@ -30,11 +30,11 @@ Client SMTP.
|
||||||
- [odoo](../odoo/README.md)
|
- [odoo](../odoo/README.md)
|
||||||
- [peertube](../peertube/README.md)
|
- [peertube](../peertube/README.md)
|
||||||
- [piwigo](../piwigo/README.md)
|
- [piwigo](../piwigo/README.md)
|
||||||
|
- [forgejo](../forgejo/README.md)
|
||||||
- [vaultwarden](../vaultwarden/README.md)
|
- [vaultwarden](../vaultwarden/README.md)
|
||||||
- [relay-lmtp-client](../relay-lmtp-client/README.md)
|
- [relay-lmtp-client](../relay-lmtp-client/README.md)
|
||||||
- [nextcloud](../nextcloud/README.md)
|
- [nextcloud](../nextcloud/README.md)
|
||||||
- [lemonldap](../lemonldap/README.md)
|
- [lemonldap](../lemonldap/README.md)
|
||||||
- [gitea](../gitea/README.md)
|
|
||||||
|
|
||||||
## Linked to
|
## Linked to
|
||||||
|
|
||||||
|
|
|
@ -36,12 +36,12 @@ This a family is a leadership.
|
||||||
- [odoo](../odoo/README.md)
|
- [odoo](../odoo/README.md)
|
||||||
- [mailman](../mailman/README.md)
|
- [mailman](../mailman/README.md)
|
||||||
- [peertube](../peertube/README.md)
|
- [peertube](../peertube/README.md)
|
||||||
|
- [forgejo](../forgejo/README.md)
|
||||||
- [speedtest-rs](../speedtest-rs/README.md)
|
- [speedtest-rs](../speedtest-rs/README.md)
|
||||||
- [nginx-https](../nginx-https/README.md)
|
- [nginx-https](../nginx-https/README.md)
|
||||||
- [vaultwarden](../vaultwarden/README.md)
|
- [vaultwarden](../vaultwarden/README.md)
|
||||||
- [apache](../apache/README.md)
|
- [apache](../apache/README.md)
|
||||||
- [lemonldap](../lemonldap/README.md)
|
- [lemonldap](../lemonldap/README.md)
|
||||||
- [gitea](../gitea/README.md)
|
|
||||||
|
|
||||||
## Linked to
|
## Linked to
|
||||||
|
|
||||||
|
|
|
@ -2,9 +2,10 @@
|
||||||
<rougail version="0.10">
|
<rougail version="0.10">
|
||||||
<services>
|
<services>
|
||||||
<service name="revprox" manage="False">
|
<service name="revprox" manage="False">
|
||||||
|
<file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_client_ca_file</file>
|
||||||
<file file_type="variable" source="revprox.crt">revprox_client_cert_file</file>
|
<file file_type="variable" source="revprox.crt">revprox_client_cert_file</file>
|
||||||
<file file_type="variable" source="revprox.key" owner_type="variable" owner="revprox_client_cert_owner" group_type="variable" group="revprox_client_cert_group" mode="400">revprox_client_key_file</file>
|
<file file_type="variable" source="revprox.key" owner_type="variable" owner="revprox_client_cert_owner" group_type="variable" group="revprox_client_cert_group" mode="400">revprox_client_key_file</file>
|
||||||
<file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_client_ca_file</file>
|
<file filelist="copy_tests">/tests/reverse-proxy.yml</file>
|
||||||
</service>
|
</service>
|
||||||
</services>
|
</services>
|
||||||
<variables>
|
<variables>
|
||||||
|
|
|
@ -11,4 +11,8 @@ def calc_web_address(domain_name: str, port: str, local_location: str) -> str:
|
||||||
|
|
||||||
def get_first_value(lst: list):
|
def get_first_value(lst: list):
|
||||||
if lst:
|
if lst:
|
||||||
|
if isinstance(lst[0], list):
|
||||||
|
if lst[0] and lst[0][0]:
|
||||||
|
return lst[0][0]
|
||||||
|
else:
|
||||||
return lst[0]
|
return lst[0]
|
||||||
|
|
|
@ -1,5 +1,13 @@
|
||||||
from requests import get, post, session
|
from requests import get, post, session
|
||||||
|
from requests.exceptions import SSLError
|
||||||
from mookdns import MookDns
|
from mookdns import MookDns
|
||||||
|
from os import environ
|
||||||
|
from os.path import join
|
||||||
|
from yaml import load, SafeLoader
|
||||||
|
from glob import glob
|
||||||
|
|
||||||
|
|
||||||
|
VERIFY = True
|
||||||
|
|
||||||
|
|
||||||
class Authentication:
|
class Authentication:
|
||||||
|
@ -30,7 +38,19 @@ class Authentication:
|
||||||
req,
|
req,
|
||||||
url,
|
url,
|
||||||
):
|
):
|
||||||
ret = req.get(url)
|
global VERIFY
|
||||||
|
try:
|
||||||
|
ret = req.get(url, verify=VERIFY)
|
||||||
|
except SSLError:
|
||||||
|
conf_file = f'{environ["MACHINE_TEST_DIR"]}/reverse-proxy.yml'
|
||||||
|
with open(conf_file) as yaml:
|
||||||
|
data = load(yaml, Loader=SafeLoader)
|
||||||
|
path = join(environ["MACHINE_TEST_DIR"], data["ca_certificate"])
|
||||||
|
cert = glob(path)
|
||||||
|
if len(cert) != 1:
|
||||||
|
raise Exception(f'{path} should find one and one certificate but found: {cert}')
|
||||||
|
VERIFY=cert[0]
|
||||||
|
ret = req.get(url, verify=VERIFY)
|
||||||
code = ret.status_code
|
code = ret.status_code
|
||||||
content = ret.content
|
content = ret.content
|
||||||
assert code == 200, f"cannot access to lemonldap; {content}"
|
assert code == 200, f"cannot access to lemonldap; {content}"
|
||||||
|
@ -51,7 +71,7 @@ class Authentication:
|
||||||
"Accept": "application/json",
|
"Accept": "application/json",
|
||||||
}
|
}
|
||||||
portal_url = f'https://{portal_server}/oauth2/'
|
portal_url = f'https://{portal_server}/oauth2/'
|
||||||
ret = req.post(portal_url, data=json, headers=headers)
|
ret = req.post(portal_url, data=json, headers=headers, verify=VERIFY)
|
||||||
json = ret.json()
|
json = ret.json()
|
||||||
assert json['error']
|
assert json['error']
|
||||||
assert json['result'] == 1
|
assert json['result'] == 1
|
||||||
|
@ -60,7 +80,7 @@ class Authentication:
|
||||||
# curl -X POST -d user=dwho -d password=dwho -H 'Accept: application/json' 'https://oidctest.wsweet.org/oauth2/'
|
# curl -X POST -d user=dwho -d password=dwho -H 'Accept: application/json' 'https://oidctest.wsweet.org/oauth2/'
|
||||||
# curl -s -D - -o /dev/null -b lemonldap=0640f95827111f00ba7ad5863ba819fe46cfbcecdb18ce525836369fb4c8350b 'https://oidctest.wsweet.org/oauth2/authorize?response_type=code&client_id=private&scope=openid+profile+email&redirect_uri=http://localhost' | grep '^location'
|
# curl -s -D - -o /dev/null -b lemonldap=0640f95827111f00ba7ad5863ba819fe46cfbcecdb18ce525836369fb4c8350b 'https://oidctest.wsweet.org/oauth2/authorize?response_type=code&client_id=private&scope=openid+profile+email&redirect_uri=http://localhost' | grep '^location'
|
||||||
authorize_url = f'{portal_url}authorize'
|
authorize_url = f'{portal_url}authorize'
|
||||||
ret = req.get(authorize_url)
|
ret = req.get(authorize_url, verify=VERIFY)
|
||||||
assert ret.status_code == 200
|
assert ret.status_code == 200
|
||||||
content = ret.content.decode()
|
content = ret.content.decode()
|
||||||
assert title in content, f'cannot find {title} in {content}'
|
assert title in content, f'cannot find {title} in {content}'
|
||||||
|
@ -70,7 +90,7 @@ class Authentication:
|
||||||
json=False,
|
json=False,
|
||||||
):
|
):
|
||||||
with MookDns(self.ip):
|
with MookDns(self.ip):
|
||||||
ret = get(url, cookies=self.cookies)
|
ret = get(url, cookies=self.cookies, verify=VERIFY)
|
||||||
assert ret.status_code == 200, f'return code is {ret.status_code}'
|
assert ret.status_code == 200, f'return code is {ret.status_code}'
|
||||||
if json:
|
if json:
|
||||||
return ret.json()
|
return ret.json()
|
||||||
|
@ -82,5 +102,5 @@ class Authentication:
|
||||||
headers=None,
|
headers=None,
|
||||||
):
|
):
|
||||||
with MookDns(self.ip):
|
with MookDns(self.ip):
|
||||||
ret = post(url, cookies=self.cookies, data=data, headers=headers)
|
ret = post(url, cookies=self.cookies, data=data, headers=headers, verify=VERIFY)
|
||||||
assert ret.status_code == 200, f'return code is {ret.status_code}'
|
assert ret.status_code == 200, f'return code is {ret.status_code}'
|
||||||
|
|
|
@ -60,10 +60,10 @@ This a family is a leadership.
|
||||||
|
|
||||||
##### external (*general.oauth2_client.external*)
|
##### external (*general.oauth2_client.external*)
|
||||||
|
|
||||||
| Description |
|
| Description | Values |
|
||||||
|---------------------------------------------------------------|
|
|---------------------------------------------------------------|--------------|
|
||||||
| *[oauth2_client_external](dictionaries/31_roundcube.xml)* [+] |
|
| *[oauth2_client_external](dictionaries/31_roundcube.xml)* [+] | |
|
||||||
| *[oauth2_client_family](dictionaries/31_roundcube.xml)* [+] |
|
| *[oauth2_client_family](dictionaries/31_roundcube.xml)* [+] | <calculated> |
|
||||||
|
|
||||||
#### nginx (*general.nginx*)
|
#### nginx (*general.nginx*)
|
||||||
|
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
#RISOTTO: do not compare
|
||||||
%set %%intnb = %%rougail_index
|
%set %%intnb = %%rougail_index
|
||||||
[Match]
|
[Match]
|
||||||
%if %%netwokd_interface_name_type == 'host'
|
%if %%netwokd_interface_name_type == 'host'
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
[Service]
|
[Service]
|
||||||
ExecStart=
|
ExecStart=
|
||||||
ExecStart=/usr/bin/systemd-firstboot --root-password-file=/usr/local/lib/secrets/root.pwd
|
ExecStart=/usr/bin/systemd-firstboot --root-password-file=/usr/local/lib/secrets/root.pwd --locale=fr_FR.UTF-8
|
||||||
ExecStart=/usr/bin/systemd-firstboot --copy
|
ExecStart=/usr/bin/systemd-firstboot --copy
|
||||||
|
|
|
@ -15,13 +15,13 @@ Unbound, a validating, recursive, caching DNS resolver.
|
||||||
|
|
||||||
## Dependances
|
## Dependances
|
||||||
|
|
||||||
- [base-fedora-36](../base-fedora-36/README.md)
|
- [dns-external](../dns-external/README.md)
|
||||||
|
- [base-fedora-37](../base-fedora-37/README.md)
|
||||||
- [base-fedora](../base-fedora/README.md)
|
- [base-fedora](../base-fedora/README.md)
|
||||||
- [systemd](../systemd/README.md)
|
- [systemd](../systemd/README.md)
|
||||||
- [base-machine](../base-machine/README.md)
|
- [base-machine](../base-machine/README.md)
|
||||||
- [base](../base/README.md)
|
- [base](../base/README.md)
|
||||||
- [dns-local](../dns-local/README.md)
|
- [dns-local](../dns-local/README.md)
|
||||||
- [dns-external](../dns-external/README.md)
|
|
||||||
|
|
||||||
## Variables
|
## Variables
|
||||||
|
|
||||||
|
@ -31,7 +31,7 @@ Unbound, a validating, recursive, caching DNS resolver.
|
||||||
|
|
||||||
| Description | Values |
|
| Description | Values |
|
||||||
|---------------------------------------------------------|----------------|
|
|---------------------------------------------------------|----------------|
|
||||||
| *[ip_dns](dictionaries/20_unbound.xml)* | |
|
| *[ip_dns](dictionaries/20_unbound.xml)* | <calculated> |
|
||||||
| *[**outgoing_ports**](dictionaries/20_unbound.xml)* [+] | udp:53<br />53 |
|
| *[**outgoing_ports**](dictionaries/20_unbound.xml)* [+] | udp:53<br />53 |
|
||||||
|
|
||||||
#### Résolveur DNS (*general.dns_resolver*)
|
#### Résolveur DNS (*general.dns_resolver*)
|
||||||
|
|
|
@ -3,5 +3,5 @@ description: Unbound, a validating, recursive, caching DNS resolver
|
||||||
website: https://www.nlnetlabs.nl/projects/unbound/about/
|
website: https://www.nlnetlabs.nl/projects/unbound/about/
|
||||||
service: true
|
service: true
|
||||||
depends:
|
depends:
|
||||||
- base-fedora-36
|
|
||||||
- dns-external
|
- dns-external
|
||||||
|
- base-fedora-37
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
#RISOTTO: do not compare
|
||||||
server:
|
server:
|
||||||
%for %%interface in %%range(%%len(%%zones_list))
|
%for %%interface in %%range(%%len(%%zones_list))
|
||||||
interface: %%getVar('ip_eth' + %%str(%%interface))
|
interface: %%getVar('ip_eth' + %%str(%%interface))
|
||||||
|
|
|
@ -185,6 +185,10 @@ server:
|
||||||
# perform connect for UDP sockets to mitigate ICMP side channel.
|
# perform connect for UDP sockets to mitigate ICMP side channel.
|
||||||
# udp-connect: yes
|
# udp-connect: yes
|
||||||
|
|
||||||
|
# The number of retries, per upstream nameserver in a delegation, when
|
||||||
|
# a throwaway response (also timeouts) is received.
|
||||||
|
# outbound-msg-retry: 5
|
||||||
|
|
||||||
# msec for waiting for an unknown server to reply. Increase if you
|
# msec for waiting for an unknown server to reply. Increase if you
|
||||||
# are behind a slow satellite link, to eg. 1128.
|
# are behind a slow satellite link, to eg. 1128.
|
||||||
# unknown-server-time-limit: 376
|
# unknown-server-time-limit: 376
|
||||||
|
@ -216,6 +220,9 @@ server:
|
||||||
# minimum wait time for responses, increase if uplink is long. In msec.
|
# minimum wait time for responses, increase if uplink is long. In msec.
|
||||||
# infra-cache-min-rtt: 50
|
# infra-cache-min-rtt: 50
|
||||||
|
|
||||||
|
# maximum wait time for responses. In msec.
|
||||||
|
# infra-cache-max-rtt: 120000
|
||||||
|
|
||||||
# enable to make server probe down hosts more frequently.
|
# enable to make server probe down hosts more frequently.
|
||||||
# infra-keep-probing: no
|
# infra-keep-probing: no
|
||||||
|
|
||||||
|
@ -393,9 +400,6 @@ server:
|
||||||
# enable to not answer version.server and version.bind queries.
|
# enable to not answer version.server and version.bind queries.
|
||||||
# hide-version: no
|
# hide-version: no
|
||||||
|
|
||||||
# enable to not set the User-Agent HTTP header.
|
|
||||||
# hide-http-user-agent: no
|
|
||||||
|
|
||||||
# enable to not answer trustanchor.unbound queries.
|
# enable to not answer trustanchor.unbound queries.
|
||||||
# hide-trustanchor: no
|
# hide-trustanchor: no
|
||||||
|
|
||||||
|
@ -704,6 +708,7 @@ server:
|
||||||
# local-zone: "localhost." nodefault
|
# local-zone: "localhost." nodefault
|
||||||
# local-zone: "127.in-addr.arpa." nodefault
|
# local-zone: "127.in-addr.arpa." nodefault
|
||||||
# local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
|
# local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
|
||||||
|
# local-zone: "home.arpa." nodefault
|
||||||
# local-zone: "onion." nodefault
|
# local-zone: "onion." nodefault
|
||||||
# local-zone: "test." nodefault
|
# local-zone: "test." nodefault
|
||||||
# local-zone: "invalid." nodefault
|
# local-zone: "invalid." nodefault
|
||||||
|
@ -851,6 +856,8 @@ server:
|
||||||
|
|
||||||
# Add system certs to the cert bundle, from the Windows Cert Store
|
# Add system certs to the cert bundle, from the Windows Cert Store
|
||||||
# tls-win-cert: no
|
# tls-win-cert: no
|
||||||
|
# and on other systems, the default openssl certificates
|
||||||
|
# tls-system-cert: no
|
||||||
|
|
||||||
# Pad queries over TLS upstreams
|
# Pad queries over TLS upstreams
|
||||||
# pad-queries: yes
|
# pad-queries: yes
|
||||||
|
@ -900,6 +907,10 @@ server:
|
||||||
# 0 blocks when ratelimited, otherwise let 1/xth traffic through
|
# 0 blocks when ratelimited, otherwise let 1/xth traffic through
|
||||||
# ratelimit-factor: 10
|
# ratelimit-factor: 10
|
||||||
|
|
||||||
|
# Aggressive rate limit when the limit is reached and until demand has
|
||||||
|
# decreased in a 2 second rate window.
|
||||||
|
# ratelimit-backoff: no
|
||||||
|
|
||||||
# override the ratelimit for a specific domain name.
|
# override the ratelimit for a specific domain name.
|
||||||
# give this setting multiple times to have multiple overrides.
|
# give this setting multiple times to have multiple overrides.
|
||||||
# ratelimit-for-domain: example.com 1000
|
# ratelimit-for-domain: example.com 1000
|
||||||
|
@ -920,6 +931,10 @@ server:
|
||||||
# 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through
|
# 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through
|
||||||
# ip-ratelimit-factor: 10
|
# ip-ratelimit-factor: 10
|
||||||
|
|
||||||
|
# Aggressive rate limit when the limit is reached and until demand has
|
||||||
|
# decreased in a 2 second rate window.
|
||||||
|
# ip-ratelimit-backoff: no
|
||||||
|
|
||||||
# Limit the number of connections simultaneous from a netblock
|
# Limit the number of connections simultaneous from a netblock
|
||||||
# tcp-connection-limit: 192.0.2.0/24 12
|
# tcp-connection-limit: 192.0.2.0/24 12
|
||||||
|
|
||||||
|
@ -929,6 +944,14 @@ server:
|
||||||
# the number of servers that will be used in the fast server selection.
|
# the number of servers that will be used in the fast server selection.
|
||||||
# fast-server-num: 3
|
# fast-server-num: 3
|
||||||
|
|
||||||
|
# Enable to attach Extended DNS Error codes (RFC8914) to responses.
|
||||||
|
ede: yes
|
||||||
|
|
||||||
|
# Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale
|
||||||
|
# Answer as EDNS0 option to expired responses.
|
||||||
|
# Note that the ede option above needs to be enabled for this to work.
|
||||||
|
ede-serve-expired: yes
|
||||||
|
|
||||||
# Specific options for ipsecmod. Unbound needs to be configured with
|
# Specific options for ipsecmod. Unbound needs to be configured with
|
||||||
# --enable-ipsecmod for these to take effect.
|
# --enable-ipsecmod for these to take effect.
|
||||||
#
|
#
|
||||||
|
@ -1040,6 +1063,7 @@ include: /etc/unbound/conf.d/*.conf
|
||||||
# stub-addr: 192.0.2.68
|
# stub-addr: 192.0.2.68
|
||||||
# stub-prime: no
|
# stub-prime: no
|
||||||
# stub-first: no
|
# stub-first: no
|
||||||
|
# stub-tcp-upstream: no
|
||||||
# stub-tls-upstream: no
|
# stub-tls-upstream: no
|
||||||
# stub-no-cache: no
|
# stub-no-cache: no
|
||||||
# stub-zone:
|
# stub-zone:
|
||||||
|
@ -1061,6 +1085,7 @@ include: /etc/unbound/conf.d/*.conf
|
||||||
# forward-addr: 192.0.2.68
|
# forward-addr: 192.0.2.68
|
||||||
# forward-addr: 192.0.2.73@5355 # forward to port 5355.
|
# forward-addr: 192.0.2.73@5355 # forward to port 5355.
|
||||||
# forward-first: no
|
# forward-first: no
|
||||||
|
# forward-tcp-upstream: no
|
||||||
# forward-tls-upstream: no
|
# forward-tls-upstream: no
|
||||||
# forward-no-cache: no
|
# forward-no-cache: no
|
||||||
# forward-zone:
|
# forward-zone:
|
||||||
|
@ -1131,6 +1156,7 @@ auth-zone:
|
||||||
# another crypto library
|
# another crypto library
|
||||||
#
|
#
|
||||||
# DNSCrypt
|
# DNSCrypt
|
||||||
|
# o enable, use --enable-dnscrypt to configure before compiling.
|
||||||
# Caveats:
|
# Caveats:
|
||||||
# 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper
|
# 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper
|
||||||
# for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
|
# for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
|
||||||
|
@ -1151,7 +1177,9 @@ auth-zone:
|
||||||
# dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert
|
# dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert
|
||||||
|
|
||||||
# CacheDB
|
# CacheDB
|
||||||
# Enable external backend DB as auxiliary cache. Specify the backend name
|
# External backend DB as auxiliary cache.
|
||||||
|
# To enable, use --enable-cachedb to configure before compiling.
|
||||||
|
# Specify the backend name
|
||||||
# (default is "testframe", which has no use other than for debugging and
|
# (default is "testframe", which has no use other than for debugging and
|
||||||
# testing) and backend-specific options. The 'cachedb' module must be
|
# testing) and backend-specific options. The 'cachedb' module must be
|
||||||
# included in module-config, just before the iterator module.
|
# included in module-config, just before the iterator module.
|
||||||
|
@ -1161,6 +1189,7 @@ auth-zone:
|
||||||
# secret-seed: "default"
|
# secret-seed: "default"
|
||||||
#
|
#
|
||||||
# # For "redis" backend:
|
# # For "redis" backend:
|
||||||
|
# # (to enable, use --with-libhiredis to configure before compiling)
|
||||||
# # redis server's IP address or host name
|
# # redis server's IP address or host name
|
||||||
# redis-server-host: 127.0.0.1
|
# redis-server-host: 127.0.0.1
|
||||||
# # redis server's TCP port
|
# # redis server's TCP port
|
||||||
|
@ -1172,7 +1201,9 @@ auth-zone:
|
||||||
|
|
||||||
# IPSet
|
# IPSet
|
||||||
# Add specify domain into set via ipset.
|
# Add specify domain into set via ipset.
|
||||||
# Note: To enable ipset Unbound needs to run as root user.
|
# To enable:
|
||||||
|
# o use --enable-ipset to configure before compiling;
|
||||||
|
# o Unbound then needs to run as root user.
|
||||||
# ipset:
|
# ipset:
|
||||||
# # set name for ip v4 addresses
|
# # set name for ip v4 addresses
|
||||||
# name-v4: "list-v4"
|
# name-v4: "list-v4"
|
||||||
|
@ -1180,9 +1211,10 @@ auth-zone:
|
||||||
# name-v6: "list-v6"
|
# name-v6: "list-v6"
|
||||||
#
|
#
|
||||||
|
|
||||||
# Dnstap logging support, if compiled in. To enable, set the dnstap-enable
|
# Dnstap logging support, if compiled in by using --enable-dnstap to configure.
|
||||||
# to yes and also some of dnstap-log-..-messages to yes. And select an
|
# To enable, set the dnstap-enable to yes and also some of
|
||||||
# upstream log destination, by socket path, TCP or TLS destination.
|
# dnstap-log-..-messages to yes. And select an upstream log destination, by
|
||||||
|
# socket path, TCP or TLS destination.
|
||||||
# dnstap:
|
# dnstap:
|
||||||
# dnstap-enable: no
|
# dnstap-enable: no
|
||||||
# # if set to yes frame streams will be used in bidirectional mode
|
# # if set to yes frame streams will be used in bidirectional mode
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
<override/>
|
<override/>
|
||||||
<file engine="none" source="tmpfile-vaultwarden.conf">/tmpfiles.d/0vaultwarden.conf</file>
|
<file engine="none" source="tmpfile-vaultwarden.conf">/tmpfiles.d/0vaultwarden.conf</file>
|
||||||
<file source="vaultwarden_config.env">/etc/vaultwarden/config.env</file>
|
<file source="vaultwarden_config.env">/etc/vaultwarden/config.env</file>
|
||||||
<file>/tests/vaultwarden.yml</file>
|
<file filelist="copy_tests">/tests/vaultwarden.yml</file>
|
||||||
</service>
|
</service>
|
||||||
</services>
|
</services>
|
||||||
<variables>
|
<variables>
|
||||||
|
|
|
@ -1,3 +1,3 @@
|
||||||
g znc 998 -
|
g znc 998 -
|
||||||
u znc 998:1000 "Account for ZNC to run as" /var/lib/znc /sbin/nologin
|
u znc 998:998 "Account for ZNC to run as" /var/lib/znc /sbin/nologin
|
||||||
m znc ssl-cert
|
m znc ssl-cert
|
||||||
|
|
Loading…
Reference in a new issue