From da3e4d487d62f8f212a0ffc02be12442124f1ee7 Mon Sep 17 00:00:00 2001 
From: Emmanuel Garette Date: Thu, 28 Apr 2022 21:48:16 +0200 Subject: [PATCH] add piwigo --- doc/certificates.md | 103 ++-- .../2022.03.08/apache/dictionaries/20_web.xml | 5 +- .../2022.03.08/base/funcs/funcs.py | 10 +- .../base/manual/install/config_machine.sh | 1 + .../base/manual/install/install_host | 2 +- .../base/manual/install/install_machine | 21 +- .../2022.03.08/gitea/templates/app.ini | 2 +- .../extras/machined/00-machined.xml | 1 + .../host-systemd-machined/templates/nspawn | 1 + .../ldap-client/funcs/openldap_client.py | 13 - .../dictionaries/70_lemonldap_ng.xml | 1 + .../lemonldap/templates/silique_image.png | Bin 0 -> 2584 bytes .../mailman/dictionaries/31_mailman.xml | 8 + .../2022.03.08/mailman/templates/mailman.cfg | 2 +- .../templates/postgresql_postorius.key | 1 + .../mailman/templates/postorius-settings.py | 2 +- .../dictionaries/20_mariadb.xml | 3 + .../templates/mariadbclient.service | 7 + .../nextcloud/dictionaries/31_nextcloud.xml | 2 +- .../nextcloud/templates/nextcloud-config.php | 10 +- .../DEBUG | 0 .../nginx-https/applicationservice.yml | 4 + .../nginx-https/dictionaries/25_nginx.xml | 20 + .../templates/ca_InternalReverseProxy.crt | 1 + .../nginx-https/templates/nginx.crt | 1 + .../nginx-https/templates/nginx.index.html | 10 + .../nginx-https/templates/nginx.key | 1 + .../nginx-https/templates/risotto.conf | 44 ++ .../{20_unbound.xml => 20_reverse_proxy.xml} | 0 .../templates/ca_InternalReverseProxy.crt | 4 +- .../openldap/extras/accounts/00_account.xml | 25 +- .../2022.03.08/openldap/funcs/ldap.py | 34 +- .../2022.03.08/openldap/templates/users.ldif | 28 +- .../php-fpm/dictionaries/20_phpfpm.xml | 11 +- .../php-fpm/manual/image/preinstall/phpfpm.sh | 1 + .../php-fpm/templates/tmpfile-phpfpm.conf | 2 +- .../2022.03.08/php-fpm/templates/www.conf | 439 ++++++++++++++++++ .../2022.03.08/php/DEBUG.md | 14 + .../2022.03.08/php/applicationservice.yml | 2 + .../2022.03.08/php/templates/php.ini | 8 +- 
.../2022.03.08/piwigo/applicationservice.yml | 2 +- .../piwigo/dictionaries/31_piwigo.xml | 49 +- .../2022.03.08/piwigo/funcs/piwigo.sh | 6 + .../manual/image/postinstall/osmmap.php | 13 + .../manual/image/postinstall/piwigo.patch | 288 ++++++++++++ .../piwigo/manual/image/postinstall/piwigo.sh | 65 ++- .../manual/image/postinstall/piwigo_cli.php | 288 ++++++++++++ .../piwigo/manual/image/preinstall/piwigo.sh | 1 + .../piwigo/templates/config.inc.php | 50 ++ .../piwigo/templates/database.inc.php | 32 ++ .../2022.03.08/piwigo/templates/piwigo.conf | 2 + .../piwigo/templates/piwigo.service | 14 + .../2022.03.08/piwigo/templates/piwigo.sh | 85 ++++ .../piwigo/templates/tmpfile-piwigo.conf | 6 + .../postfix-relay/templates/sni.pem | 3 +- .../dictionaries/23_postgresql.xml | 4 +- .../dictionaries/21-machined.xml | 17 + .../redis-client/dictionaries/23_redis.xml | 11 + .../redis-client/templates/ca_Redis.crt | 1 + .../redis-client/templates/redis.crt | 1 + .../redis-client/templates/redis.key | 1 + .../redis-client/templates/redis.pem | 5 + .../redis/dictionaries/90_redis.xml | 3 + .../redis/extras/account/00_account.xml | 2 +- .../2022.03.08/redis/templates/ca_Redis.crt | 1 + .../2022.03.08/redis/templates/redis.conf | 11 +- .../2022.03.08/redis/templates/redis.crt | 1 + .../2022.03.08/redis/templates/redis.key | 1 + .../roundcube/dictionaries/31_roundcube.xml | 7 +- .../roundcube/templates/config.inc.php | 2 +- 70 files changed, 1716 insertions(+), 100 deletions(-) create mode 100644 seed/applicationservice/2022.03.08/lemonldap/templates/silique_image.png create mode 100644 seed/applicationservice/2022.03.08/mailman/templates/postgresql_postorius.key create mode 100644 seed/applicationservice/2022.03.08/mariadb-client/templates/mariadbclient.service rename seed/applicationservice/2022.03.08/{nginx-reverse-proxy => nginx-common}/DEBUG (100%) create mode 100644 seed/applicationservice/2022.03.08/nginx-https/applicationservice.yml create mode 100644 
seed/applicationservice/2022.03.08/nginx-https/dictionaries/25_nginx.xml create mode 100644 seed/applicationservice/2022.03.08/nginx-https/templates/ca_InternalReverseProxy.crt create mode 100644 seed/applicationservice/2022.03.08/nginx-https/templates/nginx.crt create mode 100644 seed/applicationservice/2022.03.08/nginx-https/templates/nginx.index.html create mode 100644 seed/applicationservice/2022.03.08/nginx-https/templates/nginx.key create mode 100644 seed/applicationservice/2022.03.08/nginx-https/templates/risotto.conf rename seed/applicationservice/2022.03.08/nginx-reverse-proxy/extras/machine/{20_unbound.xml => 20_reverse_proxy.xml} (100%) create mode 100644 seed/applicationservice/2022.03.08/php-fpm/manual/image/preinstall/phpfpm.sh create mode 100644 seed/applicationservice/2022.03.08/php-fpm/templates/www.conf create mode 100644 seed/applicationservice/2022.03.08/php/DEBUG.md create mode 100644 seed/applicationservice/2022.03.08/piwigo/funcs/piwigo.sh create mode 100644 seed/applicationservice/2022.03.08/piwigo/manual/image/postinstall/osmmap.php create mode 100644 seed/applicationservice/2022.03.08/piwigo/manual/image/postinstall/piwigo.patch create mode 100644 seed/applicationservice/2022.03.08/piwigo/manual/image/postinstall/piwigo_cli.php create mode 100644 seed/applicationservice/2022.03.08/piwigo/manual/image/preinstall/piwigo.sh create mode 100644 seed/applicationservice/2022.03.08/piwigo/templates/config.inc.php create mode 100644 seed/applicationservice/2022.03.08/piwigo/templates/database.inc.php create mode 100644 seed/applicationservice/2022.03.08/piwigo/templates/piwigo.conf create mode 100644 seed/applicationservice/2022.03.08/piwigo/templates/piwigo.service create mode 100644 seed/applicationservice/2022.03.08/piwigo/templates/piwigo.sh create mode 100644 seed/applicationservice/2022.03.08/piwigo/templates/tmpfile-piwigo.conf create mode 100644 seed/applicationservice/2022.03.08/redis-client/templates/ca_Redis.crt create mode 100644 
seed/applicationservice/2022.03.08/redis-client/templates/redis.crt create mode 100644 seed/applicationservice/2022.03.08/redis-client/templates/redis.key create mode 100644 seed/applicationservice/2022.03.08/redis-client/templates/redis.pem create mode 100644 seed/applicationservice/2022.03.08/redis/templates/ca_Redis.crt create mode 100644 seed/applicationservice/2022.03.08/redis/templates/redis.crt create mode 100644 seed/applicationservice/2022.03.08/redis/templates/redis.key diff --git a/doc/certificates.md b/doc/certificates.md index 6bcf0496..bd2fa932 100644 --- a/doc/certificates.md +++ b/doc/certificates.md @@ -1,68 +1,73 @@ # Généré des certificats via la PKI interne de mini_risotto -## Génération des certificates sur le serveur +## Génération du certificate sur le serveur -Création la variable contenant la chain : +### Sous Fedora ``` - - + + + mailman + + diff --git a/seed/applicationservice/2022.03.08/mailman/templates/mailman.cfg b/seed/applicationservice/2022.03.08/mailman/templates/mailman.cfg index 66fa624f..b5ec3acd 100644 --- a/seed/applicationservice/2022.03.08/mailman/templates/mailman.cfg +++ b/seed/applicationservice/2022.03.08/mailman/templates/mailman.cfg @@ -24,7 +24,7 @@ layout: fhs #>GNUNUX [database] class: mailman.database.postgresql.PostgreSQLDatabase -url: postgresql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database?sslmode=verify-full +url: postgresql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database?sslmode=verify-full&sslcert=/etc/pki/tls/certs/postgresql.crt&sslkey=/etc/pki/tls/private/postgresql.key&sslrootcert=/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt [mta] lmtp_host: %%ip_eth0 diff --git a/seed/applicationservice/2022.03.08/mailman/templates/postgresql_postorius.key b/seed/applicationservice/2022.03.08/mailman/templates/postgresql_postorius.key new file mode 100644 index 00000000..316de5e6 --- /dev/null 
+++ b/seed/applicationservice/2022.03.08/mailman/templates/postgresql_postorius.key @@ -0,0 +1 @@ +%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%pg_client_server_domainname, authority_name='PostgreSQL', type="client") diff --git a/seed/applicationservice/2022.03.08/mailman/templates/postorius-settings.py b/seed/applicationservice/2022.03.08/mailman/templates/postorius-settings.py index ff1f3345..7d26767b 100644 --- a/seed/applicationservice/2022.03.08/mailman/templates/postorius-settings.py +++ b/seed/applicationservice/2022.03.08/mailman/templates/postorius-settings.py @@ -10,7 +10,7 @@ DATABASES = { 'HOST': '%%pg_client_server_domainname', # Database server 'PORT': '', # Database port (leave blank for default) 'CONN_MAX_AGE': 300, # Max database connection age - 'OPTIONS': {'sslmode': 'verify-full'}, + 'OPTIONS': {'sslmode': 'verify-full', 'sslcert': '/etc/pki/tls/certs/postgresql.crt', 'sslkey': '/etc/pki/tls/private/postgresql_postorius.key', 'sslrootcert': '/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt'}, } } ALLOWED_HOSTS = ['%%revprox_client_external_domainname'] diff --git a/seed/applicationservice/2022.03.08/mariadb-client/dictionaries/20_mariadb.xml b/seed/applicationservice/2022.03.08/mariadb-client/dictionaries/20_mariadb.xml index e0748d0d..baf56794 100644 --- a/seed/applicationservice/2022.03.08/mariadb-client/dictionaries/20_mariadb.xml +++ b/seed/applicationservice/2022.03.08/mariadb-client/dictionaries/20_mariadb.xml @@ -1,5 +1,8 @@ + + + diff --git a/seed/applicationservice/2022.03.08/mariadb-client/templates/mariadbclient.service b/seed/applicationservice/2022.03.08/mariadb-client/templates/mariadbclient.service new file mode 100644 index 00000000..60caeff3 --- /dev/null +++ b/seed/applicationservice/2022.03.08/mariadb-client/templates/mariadbclient.service 
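Review bot: The new `OPTIONS` pairs `sslcert` `/etc/pki/tls/certs/postgresql.crt` with `sslkey` `/etc/pki/tls/private/postgresql_postorius.key`, while mailman.cfg in the same commit pairs that same certificate with `/etc/pki/tls/private/postgresql.key`. A certificate matches exactly one private key, so unless `get_private_key` returns the identical key for the same `cn=%%domain_name_eth0` in both templates (I cannot tell from here), libpq will refuse the pair with a key-mismatch error at connect time; either point this at `postgresql.key` too or render a matching `postgresql_postorius.crt`. Whichever it is, the pairing deserves a comment on the line, e.g. `# client-certificate auth to PostgreSQL; cert and key must be one pair, key readable by the postorius user only`.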
@@ -0,0 +1,7 @@
+[Unit]
+Description=Waiting for mariadb server
+Before=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/timeout 90 sh -c 'while ! 3<> /dev/tcp/%%mariadb_client_server_domainname/3306; do sleep 1; done; echo "MARIADB STARTED"'
diff --git a/seed/applicationservice/2022.03.08/nextcloud/dictionaries/31_nextcloud.xml b/seed/applicationservice/2022.03.08/nextcloud/dictionaries/31_nextcloud.xml
index 99f9ef68..0656f10f 100644
--- a/seed/applicationservice/2022.03.08/nextcloud/dictionaries/31_nextcloud.xml
+++ b/seed/applicationservice/2022.03.08/nextcloud/dictionaries/31_nextcloud.xml
@@ -32,7 +32,7 @@ Plateforme de collaboration Nextcloud - Collaboration + Diffusion silique_folder.png
diff --git a/seed/applicationservice/2022.03.08/nextcloud/templates/nextcloud-config.php b/seed/applicationservice/2022.03.08/nextcloud/templates/nextcloud-config.php
index 803a441d..ceb39df0 100644
--- a/seed/applicationservice/2022.03.08/nextcloud/templates/nextcloud-config.php
+++ b/seed/applicationservice/2022.03.08/nextcloud/templates/nextcloud-config.php
@@ -37,7 +37,7 @@ $CONFIG = array (
 'dbtableprefix' => 'oc_',
 'dbuser' => '%%pg_client_username',
 'dbpassword' => '%%pg_client_password',
- 'dbdriveroptions' => array('sslmode' => 'verify-full'),
+ 'dbdriveroptions' => array('sslmode' => 'verify-full', 'sslcert' => '/etc/pki/tls/certs/postgresql.crt', 'sslkey' => '/etc/pki/tls/private/postgresql.key', 'sslrootcert' => '/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt'),
 'passwordsalt' => '{{SALT}}',
 'secret' => '{{SECRET}}',
 'instanceid' => '%%nextcloud_instance_id',
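Review bot: `Before=network.target` orders this unit ahead of the network on a service whose only job is to open a TCP connection to `%%mariadb_client_server_domainname:3306`, so the loop can only spin until `timeout 90` kills it; the ordering should be `After=network-online.target` plus `Wants=network-online.target`. The `/dev/tcp/...` redirection is a bash extension, so `sh -c` only works on distributions where /bin/sh is bash; `/bin/bash -c` makes that dependency explicit. There is also no `[Install]` section, so the unit cannot be enabled on its own — presumably the consumer unit pulls it in with `Requires=`/`After=`; if so, a comment in the unit saying which one would help the next reader.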
@@ -53,9 +53,15 @@ $CONFIG = array ( 'filelocking.enabled' => true, 'redis' => [ 'host' => '%%redis_client_server_domainname', - 'port' => 6379, + 'port' => 6380, + 'user' => '%%redis_client_username', 'password' => '%%redis_client_password', 'dbindex' => 0, + 'ssl_context' => [ + 'local_cert' => '/etc/pki/tls/certs/redis.crt', + 'local_pk' => '/etc/pki/tls/private/redis.key', + 'cafile' => '/etc/pki/ca-trust/source/anchors/ca_Redis.crt', + ] ], 'default_phone_region' => 'FR', //OIDC login diff --git a/seed/applicationservice/2022.03.08/nginx-reverse-proxy/DEBUG b/seed/applicationservice/2022.03.08/nginx-common/DEBUG similarity index 100% rename from seed/applicationservice/2022.03.08/nginx-reverse-proxy/DEBUG rename to seed/applicationservice/2022.03.08/nginx-common/DEBUG diff --git a/seed/applicationservice/2022.03.08/nginx-https/applicationservice.yml b/seed/applicationservice/2022.03.08/nginx-https/applicationservice.yml new file mode 100644 index 00000000..076ecac6 --- /dev/null +++ b/seed/applicationservice/2022.03.08/nginx-https/applicationservice.yml @@ -0,0 +1,4 @@ +format: '0.1' +description: Nginx as reverse proxy +depends: + - nginx-common diff --git a/seed/applicationservice/2022.03.08/nginx-https/dictionaries/25_nginx.xml b/seed/applicationservice/2022.03.08/nginx-https/dictionaries/25_nginx.xml new file mode 100644 index 00000000..c34612cc --- /dev/null +++ b/seed/applicationservice/2022.03.08/nginx-https/dictionaries/25_nginx.xml @@ -0,0 +1,20 @@ + + + + + /etc/nginx/conf.d/risotto.conf + /etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt + /etc/pki/tls/certs/nginx.crt + /etc/pki/tls/private/nginx.key + + + + + + nginx + + + / + + + diff --git a/seed/applicationservice/2022.03.08/nginx-https/templates/ca_InternalReverseProxy.crt b/seed/applicationservice/2022.03.08/nginx-https/templates/ca_InternalReverseProxy.crt new file mode 100644 index 00000000..55ee9059 --- /dev/null 
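Review bot: The Redis block gains an `ssl_context` and moves to port 6380, but `host` is still the bare `%%redis_client_server_domainname`; phpredis only negotiates TLS when the host carries the `tls://` scheme, and as far as I can tell Nextcloud passes the host through unchanged, so this may still open a cleartext connection to the TLS port and fail — if that holds, the line should read `'host' => 'tls://%%redis_client_server_domainname',`. Worth confirming against the Nextcloud release in use. The `ssl_context` array would also benefit from a one-line comment stating what `cafile` pins, e.g. `// mutual TLS to Redis; cafile is the internal Redis CA, client cert/key identify this machine`.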
+++ b/seed/applicationservice/2022.03.08/nginx-https/templates/ca_InternalReverseProxy.crt @@ -0,0 +1 @@ +%%get_chain(authority_cn=%%domain_name_eth0, authority_name="InternalReverseProxy") diff --git a/seed/applicationservice/2022.03.08/nginx-https/templates/nginx.crt b/seed/applicationservice/2022.03.08/nginx-https/templates/nginx.crt new file mode 100644 index 00000000..73d46b2b --- /dev/null +++ b/seed/applicationservice/2022.03.08/nginx-https/templates/nginx.crt @@ -0,0 +1 @@ +%%get_certificate(cn=%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy') diff --git a/seed/applicationservice/2022.03.08/nginx-https/templates/nginx.index.html b/seed/applicationservice/2022.03.08/nginx-https/templates/nginx.index.html new file mode 100644 index 00000000..eeef59df --- /dev/null +++ b/seed/applicationservice/2022.03.08/nginx-https/templates/nginx.index.html @@ -0,0 +1,10 @@ + + + +Welcome + + + + + diff --git a/seed/applicationservice/2022.03.08/nginx-https/templates/nginx.key b/seed/applicationservice/2022.03.08/nginx-https/templates/nginx.key new file mode 100644 index 00000000..9edabbb6 --- /dev/null +++ b/seed/applicationservice/2022.03.08/nginx-https/templates/nginx.key @@ -0,0 +1 @@ +%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy') diff --git a/seed/applicationservice/2022.03.08/nginx-https/templates/risotto.conf b/seed/applicationservice/2022.03.08/nginx-https/templates/risotto.conf new file mode 100644 index 00000000..cf541f89 --- /dev/null +++ b/seed/applicationservice/2022.03.08/nginx-https/templates/risotto.conf 
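Review bot: This nginx-https chain is rendered with `authority_cn=%%domain_name_eth0`, while nginx.crt and nginx.key in the same commit are issued by `authority_cn=%%revprox_client_server_domainname`; unless a backend machine is meant to be its own InternalReverseProxy authority, the CA that risotto.conf points `ssl_client_certificate` at is not the one that issued the reverse proxy's client certificate, and client verification would fail (or silently verify nothing). The template looks copied from the nginx-reverse-proxy service, where `%%domain_name_eth0` is correct because that host is the authority. Presumably this should be `%%get_chain(authority_cn=%%revprox_client_server_domainname, authority_name="InternalReverseProxy")`, matching the cert and key next to it.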
@@ -0,0 +1,44 @@
+server {
+ listen 443 default ssl;
+ server_name %%domain_name_eth0;
+
+ ssl_certificate /etc/pki/tls/certs/nginx.crt;
+ ssl_certificate_key /etc/pki/tls/private/nginx.key;
+ ssl_client_certificate /etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt;
+
+ error_page 403 404 502 503 504 /error.html;
+ location = /error.html{
+ root /var/www/html;
+ }
+
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+ add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains;';
+ add_header Referrer-Policy no-referrer always;
+
+%for %%location in %%nginx_locations
+ location %%location {
+%if %%location == '/'
+ root %slurp
+%else
+ alias %slurp
+%end if
+%%nginx_root_directory;
+%if not %%getVar('php_fpm_installed', False)
+ index index.html;
+%else
+ index index.php;
+ location ~ ^(?.+?\.php)(?/.*)?$ {
+ fastcgi_pass php-fpm;
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME $request_filename;
+ include fastcgi_params;
+ }
+%end if
+ }
+%end for
+}
diff --git a/seed/applicationservice/2022.03.08/nginx-reverse-proxy/extras/machine/20_unbound.xml b/seed/applicationservice/2022.03.08/nginx-reverse-proxy/extras/machine/20_reverse_proxy.xml
similarity index 100%
rename from seed/applicationservice/2022.03.08/nginx-reverse-proxy/extras/machine/20_unbound.xml
rename to seed/applicationservice/2022.03.08/nginx-reverse-proxy/extras/machine/20_reverse_proxy.xml
diff --git a/seed/applicationservice/2022.03.08/nginx-reverse-proxy/templates/ca_InternalReverseProxy.crt b/seed/applicationservice/2022.03.08/nginx-reverse-proxy/templates/ca_InternalReverseProxy.crt
index 55ee9059..7aa65537 100644
--- a/seed/applicationservice/2022.03.08/nginx-reverse-proxy/templates/ca_InternalReverseProxy.crt
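Review bot: `ssl_client_certificate` on its own verifies nothing — nginx only checks client certificates when `ssl_verify_client on;` is set — so as written every client that can reach port 443 is served and the pinned InternalReverseProxy CA is never consulted; add `ssl_verify_client on;` beside it (or `ssl_verify_client optional;` with a `$ssl_client_verify` check in the locations if the error page must stay reachable without a certificate). `listen 443 default ssl;` uses the deprecated `ssl` listen parameter; `listen 443 ssl default_server;` is the current form. The block also sets no `ssl_protocols`/`ssl_ciphers`, so the distribution defaults apply — a comment saying that is deliberate would save the next reader a search.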
+++ b/seed/applicationservice/2022.03.08/nginx-reverse-proxy/templates/ca_InternalReverseProxy.crt @@ -1 +1,3 @@ -%%get_chain(authority_cn=%%domain_name_eth0, authority_name="InternalReverseProxy") +%for %%idx in %%range(0, %%number_of_interfaces) +%%get_chain(authority_cn=%%getVar('domain_name_eth' + %%str(%%idx)), authority_name="InternalReverseProxy") +%end for diff --git a/seed/applicationservice/2022.03.08/openldap/extras/accounts/00_account.xml b/seed/applicationservice/2022.03.08/openldap/extras/accounts/00_account.xml index d862d29b..886421f3 100644 --- a/seed/applicationservice/2022.03.08/openldap/extras/accounts/00_account.xml +++ b/seed/applicationservice/2022.03.08/openldap/extras/accounts/00_account.xml @@ -7,6 +7,10 @@ + + + + @@ -15,9 +19,16 @@ - - - + + + + + + + + + @@ -45,5 +56,13 @@ True accounts.users.ldap_user_password + + domain_name_eth0 + accounts.family_.users_.ldap_user_mail_ + ldap family user + cleartext + True + accounts.family_.users_.ldap_user_password_ + diff --git a/seed/applicationservice/2022.03.08/openldap/funcs/ldap.py b/seed/applicationservice/2022.03.08/openldap/funcs/ldap.py index c74d1060..597d26cb 100644 --- a/seed/applicationservice/2022.03.08/openldap/funcs/ldap.py +++ b/seed/applicationservice/2022.03.08/openldap/funcs/ldap.py 
@@ -1,12 +1,44 @@ +import __main__ from os import urandom as _urandom from hashlib import sha1 as _sha1 from base64 import encodebytes as _encodebytes, b64encode as _b64encode +from json import load as _load, dump as _dump +from os.path import dirname as _dirname, abspath as _abspath, join as _join, isfile as _isfile + + +_HERE = _dirname(_abspath(__main__.__file__)) +_SSHA_PASSWORD_DIR = _join(_HERE, 'password', 'ssha.json') # unproudly borrowed from # http://www.openldap.org/faq/data/cache/347.html def ssha_encode(password): + # do not regenerate SSHA + if _isfile(_SSHA_PASSWORD_DIR): + with open(_SSHA_PASSWORD_DIR, 'r') as fh: + passwords = _load(fh) + else: + passwords = {} + if password in passwords: + return passwords[password] salt = _urandom(4) h = _sha1(password.encode()) h.update(salt) - return _b64encode(b"{SSHA}" + _encodebytes(h.digest() + salt)[:-1]).decode() + ret = _b64encode(b"{SSHA}" + _encodebytes(h.digest() + salt)[:-1]).decode() + passwords[password] = ret + with open(_SSHA_PASSWORD_DIR, 'w') as fh: + _dump(passwords, fh) + return ret + + +def get_default_base_dn(server_name: str) -> str: + if not server_name or '.' not in server_name: + return None + values = server_name.split('.') + # cannot calculated base dn should be server.domain.tld + # remove 'server' in dn + if len(values) < 3: + return None + domain = ['ou=' + domain for domain in values[1:-2]] + domain.append(f'o={values[-2]},o={values[-1]}') + return ','.join(domain) diff --git a/seed/applicationservice/2022.03.08/openldap/templates/users.ldif b/seed/applicationservice/2022.03.08/openldap/templates/users.ldif index e21193a2..f170dbf9 100644 --- a/seed/applicationservice/2022.03.08/openldap/templates/users.ldif +++ b/seed/applicationservice/2022.03.08/openldap/templates/users.ldif 
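Review bot: `ssha_encode` now persists every password it is given in cleartext, keyed by the plaintext itself, in `password/ssha.json`, and creates that file with whatever the process umask allows; the cache only needs to recognise a password it has already hashed, so keying it by a digest of the password keeps the plaintext off disk, and creating the file with mode 0o600 keeps the salted hashes owner-readable. The rewrite below does both (it needs `from hashlib import sha256 as _sha256` and `from os import open as _open, fdopen as _fdopen, O_WRONLY, O_CREAT, O_TRUNC` added to the existing imports); a cache written by the current code will simply miss once and be regenerated. `_SSHA_PASSWORD_DIR` names a file, not a directory, and the write presumes the `password` directory already exists — worth a comment either way. In `get_default_base_dn` the annotation `-> str` should be `-> str | None`, since both guards return None, and the comment `# cannot calculated base dn should be server.domain.tld` reads better as `# base dn cannot be derived unless the name has the form server.domain.tld`.
```python
def ssha_encode(password):
    """Return the {SSHA} form of *password*, reusing a cached result when present.

    The cache is keyed by a digest of the password, never by the password
    itself, so the cleartext is not written to disk; the stored value is the
    salted SSHA string that already ends up in the LDIF.
    """
    cache_key = _sha256(password.encode()).hexdigest()
    if _isfile(_SSHA_PASSWORD_DIR):
        with open(_SSHA_PASSWORD_DIR, 'r') as fh:
            passwords = _load(fh)
    else:
        passwords = {}
    if cache_key in passwords:
        return passwords[cache_key]
    salt = _urandom(4)
    h = _sha1(password.encode())
    h.update(salt)
    ret = _b64encode(b"{SSHA}" + _encodebytes(h.digest() + salt)[:-1]).decode()
    passwords[cache_key] = ret
    # owner-only permissions from creation; an existing file keeps its own mode
    fd = _open(_SSHA_PASSWORD_DIR, O_WRONLY | O_CREAT | O_TRUNC, 0o600)
    with _fdopen(fd, 'w') as fh:
        _dump(passwords, fh)
    return ret
# … unchanged: get_default_base_dn …
```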
@@ -21,12 +21,12 @@ objectClass: top objectClass: inetOrgPerson %end for +# Users dn: ou=users,%%ldap_base_dn ou: users objectClass: top objectClass: organizationalUnit -# Users %for %%user in %%accounts.users.ldap_user_mail dn: cn=%%user,ou=users,%%ldap_base_dn cn: %%user @@ -34,9 +34,33 @@ mail: %%user sn: %%user.ldap_user_sn givenName: %%user.ldap_user_gn uid: %%user.ldap_user_uid -#%%user.ldap_user_password userPassword:: %%ssha_encode(%%user.ldap_user_password) objectClass: top objectClass: inetOrgPerson %end for +# Families +dn: ou=families,%%ldap_base_dn +ou: families +objectClass: top +objectClass: organizationalUnit + +%for %%family in %%accounts.families +dn: ou=%%family,ou=families,%%ldap_base_dn +ou: %%family +objectClass: top +objectClass: organizationalUnit + + %for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family] +dn: cn=%%user,ou=families,%%ldap_base_dn +cn: %%user +mail: %%user +sn: %%user['ldap_user_sn_' + %%family] +givenName: %%user['ldap_user_gn_' + %%family] +uid: %%user['ldap_user_uid_' + %%family] +userPassword:: %%ssha_encode(%%user['ldap_user_password_' + %%family]) +objectClass: top +objectClass: inetOrgPerson + + %end for +%end for diff --git a/seed/applicationservice/2022.03.08/php-fpm/dictionaries/20_phpfpm.xml b/seed/applicationservice/2022.03.08/php-fpm/dictionaries/20_phpfpm.xml index 520e5719..6514de77 100644 --- a/seed/applicationservice/2022.03.08/php-fpm/dictionaries/20_phpfpm.xml +++ b/seed/applicationservice/2022.03.08/php-fpm/dictionaries/20_phpfpm.xml @@ -3,8 +3,17 @@ /etc/php-fpm.conf + /etc/php-fpm.d/www.conf /sysusers.d/phpfpm.conf - /tmpfiles.d/0phpfpm.conf + /tmpfiles.d/0phpfpm.conf + + + root + + + True + + diff --git a/seed/applicationservice/2022.03.08/php-fpm/manual/image/preinstall/phpfpm.sh b/seed/applicationservice/2022.03.08/php-fpm/manual/image/preinstall/phpfpm.sh new file mode 100644 index 00000000..b637921b --- /dev/null 
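Review bot: Family users are written with `dn: cn=%%user,ou=families,%%ldap_base_dn`, directly under `ou=families`, even though the enclosing loop has just created `ou=%%family,ou=families,%%ldap_base_dn` for them; no entry ever lands in its family's OU, and the same mail address in two families produces a duplicate DN that ldapadd rejects. Presumably the line should be `dn: cn=%%user,ou=%%family,ou=families,%%ldap_base_dn`. The inner `%for`/`%end for` are also indented while every other directive in the template sits at column 0; if the template engine treats leading whitespace on directive lines as literal output, that whitespace leaks into the LDIF — worth confirming, and aligning them to column 0 either way.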
+++ b/seed/applicationservice/2022.03.08/php-fpm/manual/image/preinstall/phpfpm.sh @@ -0,0 +1 @@ +PKG="$PKG php-fpm" diff --git a/seed/applicationservice/2022.03.08/php-fpm/templates/tmpfile-phpfpm.conf b/seed/applicationservice/2022.03.08/php-fpm/templates/tmpfile-phpfpm.conf index ad78522c..702c8612 100644 --- a/seed/applicationservice/2022.03.08/php-fpm/templates/tmpfile-phpfpm.conf +++ b/seed/applicationservice/2022.03.08/php-fpm/templates/tmpfile-phpfpm.conf @@ -1 +1 @@ -d /var/lib/php/session 770 root apache - - +d /var/lib/php/session 770 root %%php_fpm_user - - diff --git a/seed/applicationservice/2022.03.08/php-fpm/templates/www.conf b/seed/applicationservice/2022.03.08/php-fpm/templates/www.conf new file mode 100644 index 00000000..33c272d9 --- /dev/null +++ b/seed/applicationservice/2022.03.08/php-fpm/templates/www.conf 
@@ -0,0 +1,439 @@ +; Start a new pool named 'www'. +; the variable $pool can be used in any directive and will be replaced by the +; pool name ('www' here) +[www] + +; Per pool prefix +; It only applies on the following directives: +; - 'access.log' +; - 'slowlog' +; - 'listen' (unixsocket) +; - 'chroot' +; - 'chdir' +; - 'php_values' +; - 'php_admin_values' +; When not set, the global prefix (or @php_fpm_prefix@) applies instead. +; Note: This directive can also be relative to the global prefix. +; Default Value: none +;prefix = /path/to/pools/$pool + +; Unix user/group of processes +; Note: The user is mandatory. If the group is not set, the default user's group +; will be used. +; RPM: apache user chosen to provide access to the same directories as httpd +user = %%php_fpm_user +; RPM: Keep a group allowed to write in log dir. +group = %%php_fpm_user + +; The address on which to accept FastCGI requests. +; Valid syntaxes are: +; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on +; a specific port; +; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on +; a specific port; +; 'port' - to listen on a TCP socket to all addresses +; (IPv6 and IPv4-mapped) on a specific port; +; '/path/to/unix/socket' - to listen on a unix socket. +; Note: This value is mandatory. +listen = /run/php-fpm/www.sock + +; Set listen(2) backlog. +; Default Value: 511 +;listen.backlog = 511 + +; Set permissions for unix socket, if one is used. In Linux, read/write +; permissions must be set in order to allow connections from a web server. +; Default Values: user and group are set as the running user +; mode is set to 0660 +;listen.owner = nobody +;listen.group = nobody +;listen.mode = 0660 + +; When POSIX Access Control Lists are supported you can set them using +; these options, value is a comma separated list of user/group names. 
+; When set, listen.owner and listen.group are ignored +listen.acl_users = %%php_fpm_user +;listen.acl_groups = + +; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect. +; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original +; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address +; must be separated by a comma. If this value is left blank, connections will be +; accepted from any ip address. +; Default Value: any +listen.allowed_clients = 127.0.0.1 + +; Specify the nice(2) priority to apply to the pool processes (only if set) +; The value can vary from -19 (highest priority) to 20 (lower priority) +; Note: - It will only work if the FPM master process is launched as root +; - The pool processes will inherit the master process priority +; unless it specified otherwise +; Default Value: no set +; process.priority = -19 + +; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user +; or group is differrent than the master process user. It allows to create process +; core dump and ptrace the process for the pool user. +; Default Value: no +; process.dumpable = yes + +; Choose how the process manager will control the number of child processes. +; Possible Values: +; static - a fixed number (pm.max_children) of child processes; +; dynamic - the number of child processes are set dynamically based on the +; following directives. With this process management, there will be +; always at least 1 children. +; pm.max_children - the maximum number of children that can +; be alive at the same time. +; pm.start_servers - the number of children created on startup. +; pm.min_spare_servers - the minimum number of children in 'idle' +; state (waiting to process). If the number +; of 'idle' processes is less than this +; number then some children will be created. +; pm.max_spare_servers - the maximum number of children in 'idle' +; state (waiting to process). 
If the number +; of 'idle' processes is greater than this +; number then some children will be killed. +; ondemand - no children are created at startup. Children will be forked when +; new requests will connect. The following parameter are used: +; pm.max_children - the maximum number of children that +; can be alive at the same time. +; pm.process_idle_timeout - The number of seconds after which +; an idle process will be killed. +; Note: This value is mandatory. +pm = dynamic + +; The number of child processes to be created when pm is set to 'static' and the +; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'. +; This value sets the limit on the number of simultaneous requests that will be +; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. +; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP +; CGI. The below defaults are based on a server without much resources. Don't +; forget to tweak pm.* to fit your needs. +; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand' +; Note: This value is mandatory. +pm.max_children = 50 + +; The number of child processes created on startup. +; Note: Used only when pm is set to 'dynamic' +; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2 +pm.start_servers = 5 + +; The desired minimum number of idle server processes. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +pm.min_spare_servers = 5 + +; The desired maximum number of idle server processes. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +pm.max_spare_servers = 35 + +; The number of seconds after which an idle process will be killed. +; Note: Used only when pm is set to 'ondemand' +; Default Value: 10s +;pm.process_idle_timeout = 10s; + +; The number of requests each child process should execute before respawning. 
+; This can be useful to work around memory leaks in 3rd party libraries. For +; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. +; Default Value: 0 +;pm.max_requests = 500 + +; The URI to view the FPM status page. If this value is not set, no URI will be +; recognized as a status page. It shows the following informations: +; pool - the name of the pool; +; process manager - static, dynamic or ondemand; +; start time - the date and time FPM has started; +; start since - number of seconds since FPM has started; +; accepted conn - the number of request accepted by the pool; +; listen queue - the number of request in the queue of pending +; connections (see backlog in listen(2)); +; max listen queue - the maximum number of requests in the queue +; of pending connections since FPM has started; +; listen queue len - the size of the socket queue of pending connections; +; idle processes - the number of idle processes; +; active processes - the number of active processes; +; total processes - the number of idle + active processes; +; max active processes - the maximum number of active processes since FPM +; has started; +; max children reached - number of times, the process limit has been reached, +; when pm tries to start more children (works only for +; pm 'dynamic' and 'ondemand'); +; Value are updated in real time. +; Example output: +; pool: www +; process manager: static +; start time: 01/Jul/2011:17:53:49 +0200 +; start since: 62636 +; accepted conn: 190460 +; listen queue: 0 +; max listen queue: 1 +; listen queue len: 42 +; idle processes: 4 +; active processes: 11 +; total processes: 15 +; max active processes: 12 +; max children reached: 0 +; +; By default the status page output is formatted as text/plain. Passing either +; 'html', 'xml' or 'json' in the query string will return the corresponding +; output syntax. 
Example: +; http://www.foo.bar/status +; http://www.foo.bar/status?json +; http://www.foo.bar/status?html +; http://www.foo.bar/status?xml +; +; By default the status page only outputs short status. Passing 'full' in the +; query string will also return status for each pool process. +; Example: +; http://www.foo.bar/status?full +; http://www.foo.bar/status?json&full +; http://www.foo.bar/status?html&full +; http://www.foo.bar/status?xml&full +; The Full status returns for each process: +; pid - the PID of the process; +; state - the state of the process (Idle, Running, ...); +; start time - the date and time the process has started; +; start since - the number of seconds since the process has started; +; requests - the number of requests the process has served; +; request duration - the duration in µs of the requests; +; request method - the request method (GET, POST, ...); +; request URI - the request URI with the query string; +; content length - the content length of the request (only with POST); +; user - the user (PHP_AUTH_USER) (or '-' if not set); +; script - the main script called (or '-' if not set); +; last request cpu - the %cpu the last request consumed +; it's always 0 if the process is not in Idle state +; because CPU calculation is done when the request +; processing has terminated; +; last request memory - the max amount of memory the last request consumed +; it's always 0 if the process is not in Idle state +; because memory calculation is done when the request +; processing has terminated; +; If the process is in Idle state, then informations are related to the +; last request the process has served. Otherwise informations are related to +; the current request being served. 
+; Example output: +; ************************ +; pid: 31330 +; state: Running +; start time: 01/Jul/2011:17:53:49 +0200 +; start since: 63087 +; requests: 12808 +; request duration: 1250261 +; request method: GET +; request URI: /test_mem.php?N=10000 +; content length: 0 +; user: - +; script: /home/fat/web/docs/php/test_mem.php +; last request cpu: 0.00 +; last request memory: 0 +; +; Note: There is a real-time FPM status monitoring sample web page available +; It's available in: @EXPANDED_DATADIR@/fpm/status.html +; +; Note: The value must start with a leading slash (/). The value can be +; anything, but it may not be a good idea to use the .php extension or it +; may conflict with a real PHP file. +; Default Value: not set +;pm.status_path = /status + +; The ping URI to call the monitoring page of FPM. If this value is not set, no +; URI will be recognized as a ping page. This could be used to test from outside +; that FPM is alive and responding, or to +; - create a graph of FPM availability (rrd or such); +; - remove a server from a group if it is not responding (load balancing); +; - trigger alerts for the operating team (24/7). +; Note: The value must start with a leading slash (/). The value can be +; anything, but it may not be a good idea to use the .php extension or it +; may conflict with a real PHP file. +; Default Value: not set +;ping.path = /ping + +; This directive may be used to customize the response of a ping request. The +; response is formatted as text/plain with a 200 response code. +; Default Value: pong +;ping.response = pong + +; The access log file +; Default: not set +;access.log = log/$pool.access.log + +; The access log format. 
+; The following syntax is allowed +; %%: the '%' character +; %C: %CPU used by the request +; it can accept the following format: +; - %{user}C for user CPU only +; - %{system}C for system CPU only +; - %{total}C for user + system CPU (default) +; %d: time taken to serve the request +; it can accept the following format: +; - %{seconds}d (default) +; - %{miliseconds}d +; - %{mili}d +; - %{microseconds}d +; - %{micro}d +; %e: an environment variable (same as $_ENV or $_SERVER) +; it must be associated with embraces to specify the name of the env +; variable. Some exemples: +; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e +; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e +; %f: script filename +; %l: content-length of the request (for POST request only) +; %m: request method +; %M: peak of memory allocated by PHP +; it can accept the following format: +; - %{bytes}M (default) +; - %{kilobytes}M +; - %{kilo}M +; - %{megabytes}M +; - %{mega}M +; %n: pool name +; %o: output header +; it must be associated with embraces to specify the name of the header: +; - %{Content-Type}o +; - %{X-Powered-By}o +; - %{Transfert-Encoding}o +; - .... +; %p: PID of the child that serviced the request +; %P: PID of the parent of the child that serviced the request +; %q: the query string +; %Q: the '?' character if query string exists +; %r: the request URI (without the query string, see %q and %Q) +; %R: remote IP address +; %s: status (response code) +; %t: server time the request was received +; it can accept a strftime(3) format: +; %d/%b/%Y:%H:%M:%S %z (default) +; The strftime(3) format must be encapsuled in a %{}t tag +; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t +; %T: time the log has been written (the request has finished) +; it can accept a strftime(3) format: +; %d/%b/%Y:%H:%M:%S %z (default) +; The strftime(3) format must be encapsuled in a %{}t tag +; e.g. 
for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t +; %u: remote user +; +; Default: "%R - %u %t \"%m %r\" %s" +;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%" + +; The log file for slow requests +; Default Value: not set +; Note: slowlog is mandatory if request_slowlog_timeout is set +slowlog = syslog + +; The timeout for serving a single request after which a PHP backtrace will be +; dumped to the 'slowlog' file. A value of '0s' means 'off'. +; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) +; Default Value: 0 +;request_slowlog_timeout = 0 + +; Depth of slow log stack trace. +; Default Value: 20 +;request_slowlog_trace_depth = 20 + +; The timeout for serving a single request after which the worker process will +; be killed. This option should be used when the 'max_execution_time' ini option +; does not stop script execution for some reason. A value of '0' means 'off'. +; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) +; Default Value: 0 +;request_terminate_timeout = 0 + +; Set open file descriptor rlimit. +; Default Value: system defined value +;rlimit_files = 1024 + +; Set max core size rlimit. +; Possible Values: 'unlimited' or an integer greater or equal to 0 +; Default Value: system defined value +;rlimit_core = 0 + +; Chroot to this directory at the start. This value must be defined as an +; absolute path. When this value is not set, chroot is not used. +; Note: you can prefix with '$prefix' to chroot to the pool prefix or one +; of its subdirectories. If the pool prefix is not set, the global prefix +; will be used instead. +; Note: chrooting is a great security feature and should be used whenever +; possible. However, all PHP paths will be relative to the chroot +; (error_log, sessions.save_path, ...). +; Default Value: not set +;chroot = + +; Chdir to this directory at the start. +; Note: relative path can be used. 
+; Default Value: current directory or / when chroot +;chdir = /var/www + +; Redirect worker stdout and stderr into main error log. If not set, stdout and +; stderr will be redirected to /dev/null according to FastCGI specs. +; Note: on highloaded environement, this can cause some delay in the page +; process time (several ms). +; Default Value: no +;catch_workers_output = yes + +; Clear environment in FPM workers +; Prevents arbitrary environment variables from reaching FPM worker processes +; by clearing the environment in workers before env vars specified in this +; pool configuration are added. +; Setting to "no" will make all environment variables available to PHP code +; via getenv(), $_ENV and $_SERVER. +; Default Value: yes +;clear_env = no + +; Limits the extensions of the main script FPM will allow to parse. This can +; prevent configuration mistakes on the web server side. You should only limit +; FPM to .php extensions to prevent malicious users to use other extensions to +; execute php code. +; Note: set an empty value to allow all extensions. +; Default Value: .php +;security.limit_extensions = .php .php3 .php4 .php5 .php7 + +; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from +; the current environment. +; Default Value: clean env +;env[HOSTNAME] = $HOSTNAME +;env[PATH] = /usr/local/bin:/usr/bin:/bin +;env[TMP] = /tmp +;env[TMPDIR] = /tmp +;env[TEMP] = /tmp + +; Additional php.ini defines, specific to this pool of workers. These settings +; overwrite the values previously defined in the php.ini. The directives are the +; same as the PHP SAPI: +; php_value/php_flag - you can set classic ini defines which can +; be overwritten from PHP call 'ini_set'. +; php_admin_value/php_admin_flag - these directives won't be overwritten by +; PHP call 'ini_set' +; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no. + +; Defining 'extension' will load the corresponding shared extension from +; extension_dir. 
Defining 'disable_functions' or 'disable_classes' will not +; overwrite previously defined php.ini values, but will append the new value +; instead. + +; Note: path INI options can be relative and will be expanded with the prefix +; (pool, global or @prefix@) + +; Default Value: nothing is defined by default except the values in php.ini and +; specified at startup with the -d argument +;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com +;php_flag[display_errors] = off +php_admin_value[error_log] = syslog +php_admin_flag[log_errors] = on +;php_admin_value[memory_limit] = 128M + +; Set the following data paths to directories owned by the FPM process user. +; +; Do not change the ownership of existing system directories, if the process +; user does not have write permission, create dedicated directories for this +; purpose. +; +; See warning about choosing the location of these directories on your system +; at http://php.net/session.save-path +php_value[session.save_handler] = redis +;GNUNUX php_value[session.save_path] = /var/lib/php/session +;php_value[session.save_path] = "tcp://%%redis_client_server_domainname:6379?auth[user]=%%redis_client_username&auth[pass]=%%redis_client_password" +php_value[soap.wsdl_cache_dir] = /var/lib/php/wsdlcache +;php_value[opcache.file_cache] = /var/lib/php/opcache diff --git a/seed/applicationservice/2022.03.08/php/DEBUG.md b/seed/applicationservice/2022.03.08/php/DEBUG.md new file mode 100644 index 00000000..0282a15f --- /dev/null +++ b/seed/applicationservice/2022.03.08/php/DEBUG.md @@ -0,0 +1,14 @@ +Test une session avec redis +============================ + + + diff --git a/seed/applicationservice/2022.03.08/php/applicationservice.yml b/seed/applicationservice/2022.03.08/php/applicationservice.yml index 60a43167..ccaa5836 100644 --- a/seed/applicationservice/2022.03.08/php/applicationservice.yml +++ b/seed/applicationservice/2022.03.08/php/applicationservice.yml 
@@ -1,2 +1,4 @@ format: '0.1' description: PHP configuration +depends: + - redis-client diff --git a/seed/applicationservice/2022.03.08/php/templates/php.ini b/seed/applicationservice/2022.03.08/php/templates/php.ini index 8dcd9a79..ef7ff4e7 100644 --- a/seed/applicationservice/2022.03.08/php/templates/php.ini +++ b/seed/applicationservice/2022.03.08/php/templates/php.ini @@ -1329,7 +1329,11 @@ browscap = /etc/php/extra/browscap.ini [Session] ; Handler used to store/retrieve data. ; http://php.net/session.save-handler -session.save_handler = files +# GNUNUX session.save_handler = files +session.save_handler = redis +session.save_path = "tcp://%%redis_client_server_domainname:6379?auth[user]=%%redis_client_username&auth[pass]=%%redis_client_password" +;GNUNUX https://github.com/phpredis/phpredis/issues/2062 +#session.save_path = "tls://%%redis_client_server_domainname:6379?auth[user]=%%redis_client_username&auth[pass]=%%redis_client_password&stream[verify_peer]=1&stream[cafile]=/etc/pki/ca-trust/source/anchors/ca_Redis.crt&stream[local_cert]=/etc/pki/tls/certs/redis.crt&stream[local_pk]=/etc/pki/tls/private/redis.key" ; Argument passed to save_handler. In the case of files, this is the path ; where data files are stored. Note: Windows users have to change this @@ -1424,7 +1428,7 @@ session.serialize_handler = php ; Development Value: 1 ; Production Value: 1 ; http://php.net/session.gc-probability -session.gc_probability = 0 +session.gc_probability = 1 ; Defines the probability that the 'garbage collection' process is started on every ; session initialization. The probability is calculated by using gc_probability/gc_divisor, diff --git a/seed/applicationservice/2022.03.08/piwigo/applicationservice.yml b/seed/applicationservice/2022.03.08/piwigo/applicationservice.yml index 7db8c434..561214a9 100644 --- a/seed/applicationservice/2022.03.08/piwigo/applicationservice.yml +++ b/seed/applicationservice/2022.03.08/piwigo/applicationservice.yml 
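Review bot: The Redis user and password are embedded in `session.save_path`, an INI value every PHP script in the pool can read back with `ini_get('session.save_path')` or see in `phpinfo()`, so the Piwigo code base and every plugin fetched into the image effectively hold the Redis credentials; moving the setting to `php_admin_value[session.save_path]` in the FPM pool keeps scripts from changing it, but since it stays readable the real mitigation is a Redis ACL user restricted to the session keyspace, which the `auth[user]=` syntax already supports. With the `tls://` variant commented out because of phpredis issue 2062, the password and all session data cross the network in clear text; a `;` comment stating that this is accepted only for the machine-to-machine link would document the trade-off. Also, `#` stopped being a comment marker when PHP 7 removed hash-style INI comments, so `# GNUNUX session.save_handler = files` and `#session.save_path = ...` should use `;` to avoid a parse warning at startup (the PHP version targeted by this image is not visible here).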
@@ -6,6 +6,6 @@ depends: - ldap-client-fedora - oauth2-client - relay-mail-client - - nginx-common + - nginx-https - php-fpm - reverse-proxy-client diff --git a/seed/applicationservice/2022.03.08/piwigo/dictionaries/31_piwigo.xml b/seed/applicationservice/2022.03.08/piwigo/dictionaries/31_piwigo.xml index 8a689fe9..0b4b8a16 100644 --- a/seed/applicationservice/2022.03.08/piwigo/dictionaries/31_piwigo.xml +++ b/seed/applicationservice/2022.03.08/piwigo/dictionaries/31_piwigo.xml @@ -1,11 +1,56 @@ - + + /tmpfiles.d/0piwigo.conf + /etc/piwigo/config.inc.php + /etc/piwigo/database.inc.php + /bin/piwigo.sh + /etc/php-fpm.d/piwigo.conf - + + + + + domain_name_eth0 + admin_password + piwigo + cleartext + piwigo_admin_password + + + piwigo_users + nginx_locations + + diff --git a/seed/applicationservice/2022.03.08/piwigo/funcs/piwigo.sh b/seed/applicationservice/2022.03.08/piwigo/funcs/piwigo.sh new file mode 100644 index 00000000..d177538c --- /dev/null +++ b/seed/applicationservice/2022.03.08/piwigo/funcs/piwigo.sh @@ -0,0 +1,6 @@ +from risotto.utils import multi_function as _multi_function + + +@_multi_function +def get_locations(usernames): + return ['/'] + ['/' + user for user in usernames] diff --git a/seed/applicationservice/2022.03.08/piwigo/manual/image/postinstall/osmmap.php b/seed/applicationservice/2022.03.08/piwigo/manual/image/postinstall/osmmap.php new file mode 100644 index 00000000..4589c9c5 --- /dev/null +++ b/seed/applicationservice/2022.03.08/piwigo/manual/image/postinstall/osmmap.php @@ -0,0 +1,13 @@ + diff --git a/seed/applicationservice/2022.03.08/piwigo/manual/image/postinstall/piwigo.patch b/seed/applicationservice/2022.03.08/piwigo/manual/image/postinstall/piwigo.patch new file mode 100644 index 00000000..626e8453 --- /dev/null +++ b/seed/applicationservice/2022.03.08/piwigo/manual/image/postinstall/piwigo.patch 
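Review bot: `get_locations` interpolates each username straight into a URL path (`'/' + user`) with no validation, and the result appears to feed the `nginx_locations` variable declared in the piwigo dictionary, so a username containing `/`, whitespace, `{`, `}` or `..` would land inside an nginx `location` directive and could break or reshape the reverse-proxy configuration; a guard such as `if not re.fullmatch(r'[A-Za-z0-9._-]+', user): raise ValueError(user)` before building the list keeps it to the intended alphabet. The file is named `funcs/piwigo.sh` but holds Python (`from risotto.utils import multi_function`); a `.py` extension would match the other `funcs/*.py` files in the tree. Whether usernames are operator-supplied or can originate from an external directory is not visible in this diff.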
@@ -0,0 +1,288 @@ +--- piwigo/admin/include/functions_install.inc.php ++++ piwigo/admin/include/functions_install.inc.php +@@ -21,6 +21,7 @@ + * @param string $replaced + * @param string $replacing + */ ++ + function execute_sqlfile($filepath, $replaced, $replacing, $dblayer) + { + $sql_lines = file($filepath); +@@ -91,17 +92,15 @@ function activate_core_plugins() + } + + /** +- * Connect to database during installation. Uses $_POST. ++ * Connect to database during installation. + * +- * @param array &$infos - populated with infos + * @param array &$errors - populated with errors + */ +-function install_db_connect(&$infos, &$errors) ++function install_db_connect($dbhost, $dbuser, $dbpasswd, $dbname, &$errors) + { + try + { +- pwg_db_connect($_POST['dbhost'], $_POST['dbuser'], +- $_POST['dbpasswd'], $_POST['dbname']); ++ pwg_db_connect($dbhost, $dbuser, $dbpasswd, $dbname); + pwg_db_check_version(); + } + catch (Exception $e) +@@ -110,4 +109,101 @@ function install_db_connect(&$infos, &$errors) + } + } + +-?> +\ No newline at end of file ++/** ++ * Create and initialize database ++ * ++ * @param object languages - languages informations ++ * @param string language - default language ++ * @param string prefixeTable - prefix of database names ++ */ ++function initialize_db($languages, $language, $prefixeTable, &$errors=[]) ++{ ++ include_once(PHPWG_ROOT_PATH.PWG_LOCAL_DIR .'config/database.inc.php'); ++ $result = pwg_query("SHOW TABLES LIKE '${prefixeTable}activity';"); ++ if(pwg_db_num_rows($result)) ++ { ++ $errors[] = l10n('The database is already imported'); ++ return; ++ } ++ // tables creation, based on piwigo_structure.sql ++ execute_sqlfile( ++ PHPWG_ROOT_PATH.'install/piwigo_structure-mysql.sql', ++ DEFAULT_PREFIX_TABLE, ++ $prefixeTable, ++ 'mysql' ++ ); ++ // We fill the tables with basic informations ++ execute_sqlfile( ++ PHPWG_ROOT_PATH.'install/config.sql', ++ DEFAULT_PREFIX_TABLE, ++ $prefixeTable, ++ 'mysql' ++ ); ++ ++ $query = ' ++INSERT INTO 
'.$prefixeTable.'config (param,value,comment) ++ VALUES (\'secret_key\',md5('.pwg_db_cast_to_text(DB_RANDOM_FUNCTION.'()').'), ++ \'a secret key specific to the gallery for internal use\');'; ++ pwg_query($query); ++ ++ conf_update_param('piwigo_db_version', get_branch_from_version(PHPWG_VERSION)); ++ conf_update_param('gallery_title', pwg_db_real_escape_string(l10n('Just another Piwigo gallery'))); ++ ++ conf_update_param( ++ 'page_banner', ++ '

%gallery_title%

'."\n\n

".pwg_db_real_escape_string(l10n('Welcome to my photo gallery')).'

' ++ ); ++ ++ // fill languages table, only activate the current language ++ $languages->perform_action('activate', $language); ++ ++ // fill $conf global array ++ load_conf_from_db(); ++ ++ // PWG_CHARSET is required for building the fs_themes array in the ++ // themes class ++ if (!defined('PWG_CHARSET')) ++ { ++ define('PWG_CHARSET', 'utf-8'); ++ } ++ activate_core_themes(); ++ activate_core_plugins(); ++ ++ $insert = array( ++ 'id' => 1, ++ 'galleries_url' => PHPWG_ROOT_PATH.'galleries/', ++ ); ++ mass_inserts(SITES_TABLE, array_keys($insert), array($insert)); ++ ++} ++ ++/** ++ * Add first admin in database ++ * ++ * @param string admin_name - admin name ++ * @param string admin_pass1 - admin password ++ * @param string admin_main - admin email ++ * @param string admin_language - language of admin ++ */ ++function add_admin($admin_name, $admin_pass1, $admin_mail, $language) ++{ ++ // webmaster admin user ++ $inserts = array( ++ array( ++ 'id' => 1, ++ 'username' => $admin_name, ++ 'password' => md5($admin_pass1), ++ 'mail_address' => $admin_mail, ++ ), ++ array( ++ 'id' => 2, ++ 'username' => 'guest', ++ ), ++ ); ++ mass_inserts(USERS_TABLE, array_keys($inserts[0]), $inserts); ++ ++ create_user_infos(array(1,2), array('language' => $language)); ++ ++} ++ ++?> +--- piwigo/admin/include/functions_upgrade.php ++++ piwigo/admin/include/functions_upgrade.php +@@ -319,4 +319,30 @@ function upgrade_db_connect() + my_error(l10n($e->getMessage()), true); + } + } ++ ++/** ++ * Mark all upgrades as done. ++ * Available upgrades must be ignored after a fresh installation. To ++ * make PWG avoid upgrading, we must tell it upgrades have already been ++ * made. 
++ */ ++function mark_all_upgrades_as_done() { ++ list($dbnow) = pwg_db_fetch_row(pwg_query('SELECT NOW();')); ++ define('CURRENT_DATE', $dbnow); ++ $datas = array(); ++ foreach (get_available_upgrade_ids() as $upgrade_id) ++ { ++ $datas[] = array( ++ 'id' => $upgrade_id, ++ 'applied' => CURRENT_DATE, ++ 'description' => 'upgrade included in installation', ++ ); ++ } ++ mass_inserts( ++ UPGRADE_TABLE, ++ array_keys($datas[0]), ++ $datas ++ ); ++} ++ + ?> +--- piwigo/install.php ++++ piwigo/install.php +@@ -166,6 +166,7 @@ if (@file_exists($config_file)) + + include(PHPWG_ROOT_PATH . 'include/constants.php'); + include(PHPWG_ROOT_PATH . 'admin/include/functions.php'); ++include(PHPWG_ROOT_PATH . 'admin/include/functions_upgrade.php'); + + include(PHPWG_ROOT_PATH . 'admin/include/languages.class.php'); + $languages = new languages('utf-8'); +@@ -253,11 +254,10 @@ if (!isset($step)) + //---------------------------------------------------------------- form analyze + include(PHPWG_ROOT_PATH .'include/dblayer/functions_'.$dblayer.'.inc.php'); + include(PHPWG_ROOT_PATH . 'admin/include/functions_install.inc.php'); +-include(PHPWG_ROOT_PATH . 
'admin/include/functions_upgrade.php'); + + if (isset($_POST['install'])) + { +- install_db_connect($infos, $errors); ++ install_db_connect($dbhost, $dbuser, $dbpasswd, $dbname, $errors); + pwg_db_check_charset(); + + $webmaster = trim(preg_replace('/\s{2,}/', ' ', $admin_name)); +@@ -328,93 +328,9 @@ define(\'DB_COLLATE\', \'\'); + @fputs($fp, $file_content, strlen($file_content)); + @fclose($fp); + +- // tables creation, based on piwigo_structure.sql +- execute_sqlfile( +- PHPWG_ROOT_PATH.'install/piwigo_structure-mysql.sql', +- DEFAULT_PREFIX_TABLE, +- $prefixeTable, +- 'mysql' +- ); +- // We fill the tables with basic informations +- execute_sqlfile( +- PHPWG_ROOT_PATH.'install/config.sql', +- DEFAULT_PREFIX_TABLE, +- $prefixeTable, +- 'mysql' +- ); +- +- $query = ' +-INSERT INTO '.$prefixeTable.'config (param,value,comment) +- VALUES (\'secret_key\',md5('.pwg_db_cast_to_text(DB_RANDOM_FUNCTION.'()').'), +- \'a secret key specific to the gallery for internal use\');'; +- pwg_query($query); +- +- conf_update_param('piwigo_db_version', get_branch_from_version(PHPWG_VERSION)); +- conf_update_param('gallery_title', pwg_db_real_escape_string(l10n('Just another Piwigo gallery'))); +- +- conf_update_param( +- 'page_banner', +- '

%gallery_title%

'."\n\n

".pwg_db_real_escape_string(l10n('Welcome to my photo gallery')).'

' +- ); +- +- // fill languages table, only activate the current language +- $languages->perform_action('activate', $language); +- +- // fill $conf global array +- load_conf_from_db(); +- +- // PWG_CHARSET is required for building the fs_themes array in the +- // themes class +- if (!defined('PWG_CHARSET')) +- { +- define('PWG_CHARSET', 'utf-8'); +- } +- activate_core_themes(); +- activate_core_plugins(); +- +- $insert = array( +- 'id' => 1, +- 'galleries_url' => PHPWG_ROOT_PATH.'galleries/', +- ); +- mass_inserts(SITES_TABLE, array_keys($insert), array($insert)); +- +- // webmaster admin user +- $inserts = array( +- array( +- 'id' => 1, +- 'username' => $admin_name, +- 'password' => md5($admin_pass1), +- 'mail_address' => $admin_mail, +- ), +- array( +- 'id' => 2, +- 'username' => 'guest', +- ), +- ); +- mass_inserts(USERS_TABLE, array_keys($inserts[0]), $inserts); +- +- create_user_infos(array(1,2), array('language' => $language)); +- +- // Available upgrades must be ignored after a fresh installation. To +- // make PWG avoid upgrading, we must tell it upgrades have already been +- // made. +- list($dbnow) = pwg_db_fetch_row(pwg_query('SELECT NOW();')); +- define('CURRENT_DATE', $dbnow); +- $datas = array(); +- foreach (get_available_upgrade_ids() as $upgrade_id) +- { +- $datas[] = array( +- 'id' => $upgrade_id, +- 'applied' => CURRENT_DATE, +- 'description' => 'upgrade included in installation', +- ); +- } +- mass_inserts( +- UPGRADE_TABLE, +- array_keys($datas[0]), +- $datas +- ); +- ++ initialize_db($languages, $language, $prefixeTable); ++ add_admin($admin_name, $admin_pass1, $admin_mail, $language); ++ mark_all_upgrades_as_done(); + if ($is_newsletter_subscribe) + { + fetchRemote( diff --git a/seed/applicationservice/2022.03.08/piwigo/manual/image/postinstall/piwigo.sh b/seed/applicationservice/2022.03.08/piwigo/manual/image/postinstall/piwigo.sh index f3a3a2ad..4f680155 100644 
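Review bot: `add_admin` stores the first administrator's password as an unsalted `md5($admin_pass1)`; the line is carried over verbatim from the install.php code removed further down in this patch, so it is not new, but now that the logic is being extracted into a function meant for a CLI installer (`piwigo_cli.php`) it is the moment to use the hashing Piwigo applies to normal accounts (`pwg_password_hash()` if it is available at install time) instead of perpetuating the MD5 value. `install_db_connect` now takes `$dbhost, $dbuser, $dbpasswd, $dbname` instead of reading `$_POST`, and the install.php call passes variables of the same names; the diff does not show where install.php defines them, so confirm the web path still populates them from the form. `initialize_db` builds `SHOW TABLES LIKE '${prefixeTable}activity'` by interpolation; `$prefixeTable` is configuration rather than user input, but `${var}` interpolation is deprecated from PHP 8.2 and `{$prefixeTable}` avoids the notice.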
--- a/seed/applicationservice/2022.03.08/piwigo/manual/image/postinstall/piwigo.sh +++ b/seed/applicationservice/2022.03.08/piwigo/manual/image/postinstall/piwigo.sh @@ -1,3 +1,5 @@ +set -e +ORIPWD=$PWD mkdir -p "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/local/share" cd "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/local/share" app=$(wget https://api.github.com/repos/Piwigo/Piwigo/releases/latest -q -O - | jq -r '.tag_name') 
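Review bot: `set -e` does not catch a failure of `wget` inside `app=$(wget ... | jq -r '.tag_name')`, because only `jq`'s status reaches the shell, and `jq -r '.tag_name'` on an empty or error body prints nothing and exits 0, leaving `$app` empty so the later `wget` of `.../tags/$app.tar.gz` fails for a confusing reason. Use `set -eo pipefail` and check the value before it is used, e.g. `[ -n "$app" ] || { echo "no release tag" >&2; exit 1; }`. The rest of this script continues in the next hunk.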
@@ -6,4 +8,65 @@ tar xf *tar.gz
 rm -f *tar.gz
 mv Piwigo-* piwigo
 chown -R root: piwigo
-cd -
+rm -rf piwigo/doc piwigo/README.md # piwigo/install.php
+ln -s /etc/piwigo/config.inc.php piwigo/local/config/config.inc.php
+ln -s /etc/piwigo/database.inc.php piwigo/local/config/database.inc.php
+ln -s /srv/piwigo/data piwigo/_data
+ln -s /srv/piwigo/upload piwigo/upload
+ln -s /srv/piwigo/logs piwigo/logs
+cp $OLDPWD/piwigo/postinstall/osmmap.php piwigo/
+chmod 644 piwigo/osmmap.php
+patch -p0 < $OLDPWD/piwigo/postinstall/piwigo.patch
+cp $OLDPWD/piwigo/postinstall/piwigo_cli.php piwigo/
+# Plugins
+cd piwigo/plugins
+wget https://piwigo.org/ext/download.php?rid=7848 -O plugin.zip
+unzip plugin.zip
+rm -f plugin.zip
+#
+wget https://piwigo.org/ext/download.php?rid=8014 -O plugin.zip
+unzip plugin.zip
+rm -f plugin.zip
+#
+app=$(wget https://api.github.com/repos/Piwigo/piwigo-openstreetmap/releases/latest -q -O - | jq -r '.tag_name')
+wget -q "https://github.com/Piwigo/piwigo-openstreetmap/archive/refs/tags/$app.tar.gz"
+tar xf *tar.gz
+rm -f *tar.gz
+mv piwigo-openstreetmap-* piwigo-openstreetmap
+#
+wget https://piwigo.org/ext/download.php?rid=7744 -O plugin.zip
+unzip plugin.zip
+rm -f plugin.zip
+# community
+wget https://piwigo.org/ext/download.php?rid=8160 -O plugin.zip
+unzip plugin.zip
+rm -f plugin.zip
+echo """
+""" >> community/language/fr_FR/plugin.lang.php
+# embedded
+wget https://fr.piwigo.org/ext/download.php?rid=7924 -O plugin.zip
+unzip plugin.zip
+rm -f plugin.zip
+# user delete photo
+#wget https://fr.piwigo.org/ext/download.php?rid=7974 -O plugin.zip
+#unzip plugin.zip
+#rm -f plugin.zip
+# Theme
+cd ../themes/
+wget https://piwigo.org/ext/download.php?rid=8163 -O plugin.zip
+unzip plugin.zip
+rm -f plugin.zip
+ln -s /srv/piwigo/bootstrap_darkroom ../local/bootstrap_darkroom
+#
+cd $ORIPWD
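Review bot: The plugin and theme archives fetched from piwigo.org by `rid` and the openstreetmap tarball resolved from GitHub's `releases/latest` are unpacked into the image with no integrity check, so the build trusts whatever those endpoints return at build time and is not reproducible (`latest` moves); `set -e` only catches a failed download, not a substituted one. Recording the expected digest next to each download and verifying it before `unzip`/`tar` (e.g. `echo "<EXPECTED_SHA256>  plugin.zip" | sha256sum -c -`) and pinning the openstreetmap tag would close that gap. The `cp` and `patch` lines still refer to `$OLDPWD` even though `ORIPWD` was introduced for this script; `$ORIPWD` is the more robust reference since `$OLDPWD` changes at the next `cd`. `rm -rf piwigo/doc piwigo/README.md # piwigo/install.php` leaves the installer in the served tree; if that is deliberate, a short comment saying why would stop the next reader from re-enabling the removal.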
diff --git a/seed/applicationservice/2022.03.08/piwigo/manual/image/postinstall/piwigo_cli.php b/seed/applicationservice/2022.03.08/piwigo/manual/image/postinstall/piwigo_cli.php
new file mode 100644
index 00000000..f4d62d13
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/piwigo/manual/image/postinstall/piwigo_cli.php
@@ -0,0 +1,288 @@
+#!/usr/bin/php
+ array('language:'),
+ 'user:create' => array('login:', 'mail_address:'),
+ 'user:admin:create' => array('login:', 'admin_pass:', 'mail_address:', 'language:'),
+ 'config:show' => array(),
+ 'config:modify' => array('conf_name:', 'value:', 'type:'),
+ 'config:show:array' => array('conf_name:'),
+ 'config:modify:array' => array('conf_name:', 'key:', 'value:', 'type:'),
+ 'config:show:json' => array('conf_name:'),
+ 'config:modify:json' => array('conf_name:', 'key:', 'value:', 'type:'),
+ 'plugin:activate' => array('plugin_name:'),
+ 'plugin:deactivate' => array('plugin_name:'),
+ 'theme:activate' => array('theme_name:'),
+);
+if ($OIDC_INSTALLED) {
+ $namespaces_data['user:create'][] = 'oidc';
+}
+if (is_file(PHPWG_ROOT_PATH . 'plugins/community/admin.php')) {
+ $namespaces_data['community:permission:add'] = array('type:', 'user_album', 'recursive', 'create_subcategories', 'moderated');
+}
+
+// command line must starts with -c namespace
+$namespaces = array_keys($namespaces_data);
+if ($argc < 3 || $argv[1] != '-c' || !in_array($argv[2], $namespaces)) {
+ $namespaces_str = implode('|', $namespaces);
+ exit("Usage: $argv[0]: -c [$namespaces_str]" . PHP_EOL);
+}
+
+// load extra parameter for this namespace
+$namespace = $argv[2];
+$rest_index = 0;
+$options = getopt('c:', $namespaces_data[$namespace], $rest_index);
+
+$error = false;
+$namespace_options = '';
+foreach ($namespaces_data[$namespace] as $parameter) {
+ if(str_ends_with($parameter, ':')) {
+ $parameter = substr($parameter, 0, -1);
+ $namespace_options .= " --$parameter <$parameter>";
+ if (!isset($options[$parameter])) {
+ $error = true;
+ }
+ } else {
+ $namespace_options .= " --$parameter";
+ }
+}
+if ($rest_index != count($argv)) {
+ exit("Error in arguments.". PHP_EOL . "Usage: $argv[0]: -c $namespace$namespace_options" . PHP_EOL);
+}
+if ($error) {
+ exit("Some arguments are missing.". PHP_EOL . "Usage: $argv[0]: -c $namespace$namespace_options" . 
PHP_EOL);
+}
+
+function get_all_languages()
+{
+ include(PHPWG_ROOT_PATH . 'admin/include/languages.class.php');
+ return new languages('utf-8');
+}
+
+function validate_language($language, $languages) {
+ $languages_available = array_keys($languages->fs_languages);
+ if (!in_array($language, $languages_available))
+ {
+ exit("Invalid language $language (not in " . implode(', ', $languages_available) . ") ". PHP_EOL . "Usage: $argv[0]: -c $namespace$namespace_options" . PHP_EOL);
+ }
+}
+
+function cast_value($type, $value)
+{
+ if ($type === 'boolean')
+ {
+ $value = get_boolean($value);
+ }
+ else if ($type === 'integer')
+ {
+ $value = intval($value);
+ }
+ return $value;
+}
+
+function custom_array_modify($ori_config, $options)
+{
+ $value = cast_value($options['type'], $options['value']);
+ $keys = array_reverse(explode('.', $options['key']));
+ $update = Array($keys[0] => $value);
+ for ($i=0; $i $update);
+ }
+ return array_replace_recursive($ori_config, $update);
+}
+
+$errors = array();
+install_db_connect($conf['db_host'], $conf['db_user'], $conf['db_password'], $conf['db_base'], $errors);
+if ( count( $errors ) !== 0 )
+{
+ for ($i=0; $i 'webmaster');
+ $language = $options['language'];
+ $languages = get_all_languages();
+ validate_language($language, $languages);
+ $errors = [];
+ initialize_db($languages, $language, $prefixeTable, $errors);
+ if ($errors) {
+ for ($i=0; $i 0);
+ $_SERVER['REMOTE_ADDR'] = '127.0.0.1';
+ session_start();
+ $id = register_user($options['login'], $password, $options['mail_address'], false);
+ if(array_key_exists('oidc', $options) && !$options['oidc'])
+ {
+ single_insert(OIDC_TABLE, [
+ 'sub' => $options['mail_address'],
+ 'user_id' => $id,
+ ]);
+ }
+}
+else if ($namespace == 'user:admin:create')
+{
+ $language = $options['language'];
+ $languages = get_all_languages();
+ validate_language($language, $languages);
+ add_admin($options['login'], $options['admin_pass'], $options['mail_address'], $options['language']);
+}
+else if ($namespace == 'config:show')
+{
+ load_conf_from_db();
+ $config = safe_unserialize($conf);
+ var_dump($config);
+}
+else if ($namespace == 'config:modify')
+{
+ $value = cast_value($options['type'], $options['value']);
+ load_conf_from_db();
+ conf_update_param($options['conf_name'], $value);
+}
+else if ($namespace == 'plugin:activate')
+{
+ global $user, $template;
+ $user = Array('status' => 'webmaster', 'id' => 0);
+ $_SERVER['REMOTE_ADDR'] = '127.0.0.1';
+ session_start();
+ $template = new Template(PHPWG_ROOT_PATH.'admin/themes', 'clear');
+ $conf['secret_key'] = 'secret';
+ $params = array(
+ 'action' => 'activate',
+ 'plugin' => $options['plugin_name'],
+ 'pwg_token' => get_pwg_token(),
+ );
+ $errors = ws_plugins_performAction($params, null);
+ if (! $errors) {
+ var_dump($errors);
+ exit(1);
+ }
+}
+else if ($namespace == 'plugin:deactivate')
+{
+ global $user, $template;
+ $user = Array('status' => 'webmaster');
+ $template = new Template(PHPWG_ROOT_PATH.'admin/themes', 'clear');
+ $conf['secret_key'] = 'secret';
+ $params = array(
+ 'action' => 'deactivate',
+ 'plugin' => $options['plugin_name'],
+ 'pwg_token' => get_pwg_token(),
+ );
+ $errors = ws_plugins_performAction($params, null);
+ if (! 
$errors) {
+ var_dump($errors);
+ exit(1);
+ }
+}
+else if ($namespace == 'config:show:array')
+{
+ load_conf_from_db();
+ $config = safe_unserialize($conf[$options['conf_name']]);
+ var_dump($config);
+}
+else if ($namespace == 'config:modify:array')
+{
+ load_conf_from_db();
+ $ori_config = safe_unserialize($conf[$options['conf_name']]);
+ $new_config = serialize(custom_array_modify($ori_config, $options));
+ conf_update_param($options['conf_name'], $new_config);
+}
+else if ($namespace == 'config:show:json')
+{
+ load_conf_from_db();
+ $config = json_decode($conf[$options['conf_name']], true);
+ var_dump($config);
+}
+else if ($namespace == 'config:modify:json')
+{
+ load_conf_from_db();
+ if(array_key_exists($options['conf_name'], $conf))
+ {
+ $ori_config = json_decode($conf[$options['conf_name']], true);
+ }
+ else
+ {
+ $ori_config = Array();
+ }
+ $new_config = json_encode(custom_array_modify($ori_config, $options));
+ conf_update_param($options['conf_name'], $new_config);
+}
+else if ($namespace == 'theme:activate')
+{
+ global $page, $template;
+ $template = new Template(PHPWG_ROOT_PATH.'admin/themes', 'clear');
+ $conf['mobile_theme'] = '';
+ $page = Array('page' => $options['theme_name']);
+ include(PHPWG_ROOT_PATH.'admin/themes_installed.php');
+ $themes = new themes();
+ $errors = $themes->perform_action('activate', $options['theme_name']);
+ if (!empty($errors)) {
+ var_dump($errors);
+ exit(1);
+ }
+}
+else if ($namespace == 'community:permission:add')
+{
+ include(PHPWG_ROOT_PATH . 'plugins/community/main.inc.php');
+ $insert = array(
+ 'type' => $options['type'],
+ 'group_id' => null,
+ 'user_id' => null,
+ 'category_id' => null,
+ 'user_album' => array_key_exists('user_album', $options) ? 'true' : 'false',
+ '`recursive`' => array_key_exists('recursive', $options) ? 'true' : 'false',
+ 'create_subcategories' => array_key_exists('create_subcategories', $options) ? 'true' : 'false',
+ 'moderated' => array_key_exists('moderated', $options) ? 
'true' : 'false',
+ 'nb_photos' => -1,
+ 'storage' => -1,
+ );
+ mass_inserts(
+ COMMUNITY_PERMISSIONS_TABLE,
+ array_keys($insert),
+ array($insert)
+ );
+}
+
+?>
diff --git a/seed/applicationservice/2022.03.08/piwigo/manual/image/preinstall/piwigo.sh b/seed/applicationservice/2022.03.08/piwigo/manual/image/preinstall/piwigo.sh
new file mode 100644
index 00000000..08ded257
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/piwigo/manual/image/preinstall/piwigo.sh
@@ -0,0 +1 @@
+PKG="$PKG php-mysqlnd php-mbstring ImageMagick php-cli php-gd perl-Image-ExifTool"
diff --git a/seed/applicationservice/2022.03.08/piwigo/templates/config.inc.php b/seed/applicationservice/2022.03.08/piwigo/templates/config.inc.php
new file mode 100644
index 00000000..f845436e
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/piwigo/templates/config.inc.php
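Review bot: `validate_language()` builds its exit message from `$argv`, `$namespace` and `$namespace_options`, none of which is in function scope in PHP, so the usage hint prints with empty placeholders and raises undefined-variable warnings; add `global $argv, $namespace, $namespace_options;` as the function's first line, or pass the usage string in as a parameter. The plugin:activate and plugin:deactivate branches test the result of `ws_plugins_performAction()` with `if (! $errors)` while theme:activate tests `if (!empty($errors))`; these are opposite conditions, and if the WS function returns `true` on success and an error object on failure, as its name suggests, a failed activation never reaches `exit(1)` and the provisioning script cannot tell, so the test should be written against the actual return value (e.g. `if ($errors !== true)`) and the three branches made consistent. The `oidc` test `!$options['oidc']` relies on getopt() storing a valueless option as `false`; a comment such as `// getopt() stores a present flag as false, so this means "--oidc was given"` would keep a reader from taking it for an inverted check. `$conf['secret_key'] = 'secret'` is a process-local override that exists only so `get_pwg_token()` can be computed from the CLI; saying so in a comment, and confirming it is never handed to `conf_update_param()`, would make the intent clear.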
@@ -0,0 +1,50 @@
+ $_ENV['REQUEST_URI']);
+}
+
+%for %%idx, %%user in %%enumerate(%%piwigo_users)
+%if %%idx != 0
+}
+else %slurp
+%end if
+if(str_starts_with($_SERVER['REQUEST_URI'], '/%%user/')) {
+ $prefixe = '%%{user}';
+%end for
+}
+else
+{
+ $conf['OIDC'] = Array('issuer_url' => 'https://%%oauth2_client_server_domainname/',
+ 'client_id' => '%%oauth2_client_id',
+ 'client_secret' => '%%oauth2_client_secret',
+ 'scope' => 'openid profile email',
+ );
+ require_once(PHPWG_ROOT_PATH . 'plugins/OpenIdConnect/oidc.php');
+ require_once(PHPWG_ROOT_PATH . 'include/functions.inc.php');
+ $oidc = get_oidc_client();
+ try {
+ $success = $oidc->authenticate();
+ } catch (Exception $e) {
+ }
+ if (isset($_REQUEST['code'])) {
+ $token_json = $oidc->getTokenResponse();
+ $oidc->setAccessToken($token_json->access_token);
+ $name = $oidc->requestUserInfo('nickname');
+ if(isset($name)) {
+ redirect('/' . $name . '/plugins/OpenIdConnect/auth.php');
+ };
+ print('unknown album');
+ die();
+ }
+}
+$conf['data_location'] = "_data/$prefixe/";
+$conf['log_dir'] = "logs/$prefixe";
+$conf['upload_dir'] = "./upload/$prefixe";
+$conf['graphics_library'] = 'ext_imagick';
+$conf['osm_add_osmmap.php'] = false;
+$conf['show_exif'] = false;
+$conf['derivative_default_size'] = 'large';
+#FOR GPX
+$conf['upload_form_all_types'] = true;
+?>
diff --git a/seed/applicationservice/2022.03.08/piwigo/templates/database.inc.php b/seed/applicationservice/2022.03.08/piwigo/templates/database.inc.php
new file mode 100644
index 00000000..546f810e
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/piwigo/templates/database.inc.php
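Review bot: In the OIDC fallback branch the `nickname` claim returned by `requestUserInfo()` is used as-is to build the redirect target `'/' . $name . '/plugins/OpenIdConnect/auth.php'`, so whatever the identity provider puts in that claim becomes a path; checking `$name` against the configured `%%piwigo_users` (the same names used in the `str_starts_with` chain above) before redirecting, and falling through to `unknown album` otherwise, would keep the redirect within known albums. The `try { $oidc->authenticate(); } catch (Exception $e) { }` swallows every failure and the code then calls `getTokenResponse()` and dereferences `->access_token` regardless, so a failed token exchange surfaces as a PHP error rather than a handled case; testing `$success` and the token response before use would be clearer. When this branch falls through without a `code` parameter, `$prefixe` is never assigned and the `data_location`/`log_dir`/`upload_dir` lines below produce `_data//`-style paths; if database.inc.php, which `die()`s for the same unmatched-URI condition, is always loaded first this is unreachable, but a comment stating that assumption would help.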
@@ -0,0 +1,32 @@
+ $_ENV['REQUEST_URI']);
+}
+
+%for %%idx, %%user in %%enumerate(%%piwigo_users)
+%if %%idx != 0
+}
+else %slurp
+%end if
+if(str_starts_with($_SERVER['REQUEST_URI'], '/%%user/')) {
+ $prefixeTable = 'piwigo_%%{user}_';
+%end for
+}
+else
+{
+ die('unknown album');
+}
+
+
+define('PHPWG_INSTALLED', true);
+define('PWG_CHARSET', 'utf-8');
+define('DB_CHARSET', 'utf8');
+define('DB_COLLATE', '');
+?>
diff --git a/seed/applicationservice/2022.03.08/piwigo/templates/piwigo.conf b/seed/applicationservice/2022.03.08/piwigo/templates/piwigo.conf
new file mode 100644
index 00000000..1bedf943
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/piwigo/templates/piwigo.conf
@@ -0,0 +1,2 @@
+[www]
+php_admin_value[error_reporting] = E_ALL & ~E_WARNING & ~E_DEPRECATED & ~E_STRICT
diff --git a/seed/applicationservice/2022.03.08/piwigo/templates/piwigo.service b/seed/applicationservice/2022.03.08/piwigo/templates/piwigo.service
new file mode 100644
index 00000000..3afd3384
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/piwigo/templates/piwigo.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Piwigo management
+After=mariadbclient.service
+Before=nginx.service php-fpm.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/lib/bin/piwigo.sh
+
+User=nginx
+Group=nginx
+
+[Install]
+WantedBy=multi-user.target
diff --git a/seed/applicationservice/2022.03.08/piwigo/templates/piwigo.sh b/seed/applicationservice/2022.03.08/piwigo/templates/piwigo.sh
new file mode 100644
index 00000000..4b0e8157
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/piwigo/templates/piwigo.sh
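Review bot: The tenant is selected by `str_starts_with($_SERVER['REQUEST_URI'], '/%%user/')` on the raw request URI, with a `$_ENV['REQUEST_URI']` fallback at the top so that piwigo_cli.php, run from piwigo.sh with `export REQUEST_URI`, takes the same branch; this contract is not stated anywhere in the file, and a comment above the `%for` block such as `// Multi-tenant: the first path segment selects the table prefix; the CLI sets REQUEST_URI in its environment` would help the next maintainer. `define('PHPWG_INSTALLED', true)` is unconditional, so Piwigo will treat a tenant as installed even when `db:install` has not yet run for it; if the `Before=nginx.service` ordering in piwigo.service is what makes that safe, note it here so the two files are not changed independently.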
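Review bot: `Before=nginx.service php-fpm.service` only orders startup; unless nginx.service or php-fpm.service also declares `Wants=`/`Requires=piwigo.service`, a failed provisioning run does not keep the web front from serving a half-configured gallery, and since piwigo.sh has no `set -e` the unit's result reflects only its last command. Adding `RemainAfterExit=yes` would at least make `systemctl status piwigo.service` show whether provisioning completed, and a `Requires=`/`After=` from the web units (or `set -e` in the script) would turn a provisioning failure into a visible one.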
@@ -0,0 +1,85 @@
+%echo "#!/bin/bash"
+
+set -x
+
+cd /usr/local/share/piwigo
+%for %%user in %%piwigo_users
+export REQUEST_URI="/%%user/"
+/usr/bin/php piwigo_cli.php -c db:install --language fr_FR
+IMPORTED=$?
+if [ "$IMPORTED" = "0" ]; then
+ /usr/bin/php piwigo_cli.php -c user:admin:create --login admin --admin_pass %%piwigo_admin_password --mail_address %%piwigo_admin_email --language fr_FR
+fi
+#
+/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name picture_informations --key author --value false --type boolean
+/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name picture_informations --key rating_score --value false --type boolean
+/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name picture_informations --key visits --value false --type boolean
+/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name picture_informations --key categories --value false --type boolean
+/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name picture_informations --key posted_on --value false --type boolean
+/usr/bin/php piwigo_cli.php -c config:modify --conf_name gallery_title --value "%%piwigo_title" --type string
+/usr/bin/php piwigo_cli.php -c config:modify --conf_name page_banner --value "%%piwigo_title" --type string
+/usr/bin/php piwigo_cli.php -c config:modify --conf_name allow_user_registration --value false --type boolean
+/usr/bin/php piwigo_cli.php -c config:modify --conf_name allow_user_customization --value false --type boolean
+/usr/bin/php piwigo_cli.php -c config:modify --conf_name nb_categories_page --value 40 --type string
+/usr/bin/php piwigo_cli.php -c config:modify --conf_name picture_metadata_icon --value false --type boolean
+/usr/bin/php piwigo_cli.php -c config:modify --conf_name picture_favorite_icon --value false --type boolean
+/usr/bin/php piwigo_cli.php -c config:modify --conf_name picture_sizes_icon --value false --type boolean
+/usr/bin/php piwigo_cli.php -c config:modify --conf_name no_photo_yet 
--value false --type boolean
+#
+/usr/bin/php piwigo_cli.php -c plugin:activate --plugin_name piwigo-openstreetmap
+/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name osm_conf --key left_menu.enabled --value true --type boolean
+/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name osm_conf --key left_menu.link --value "Voir sur la carte" --type string
+/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name osm_conf --key right_panel.enabled --value false --type boolean
+/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name osm_conf --key category_description.enabled --value true --type boolean
+/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name osm_conf --key category_description.height --value 500 --type string
+/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name osm_conf --key category_description.width --value 300 --type string
+/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name osm_conf --key main_menu.enabled --value false --type boolean
+#/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name osm_conf --key left_menu.link --value Carte --type string
+/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name osm_conf --key batch.global_height --value 300 --type string
+/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name osm_conf --key batch.unit_height --value 300 --type string
+#/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name osm_conf --key main_menu.height --value 300 --type string
+/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name osm_conf --key map.attrplugin --value false --type boolean
+/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name osm_conf --key method --value resize --type string
+/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name osm_conf --key method --value resize --type string
+#
+/usr/bin/php piwigo_cli.php -c plugin:activate --plugin_name GDThumb
+/usr/bin/php piwigo_cli.php -c 
config:modify:array --conf_name gdThumb --key margin --value 1 --type integer
+/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name gdThumb --key big_thumb --value false --type boolean
+#/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name gdThumb --key thumb_animate --value true --type boolean
+/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name gdThumb --key thumb_metamode --value hide --type string
+#
+/usr/bin/php piwigo_cli.php -c plugin:activate --plugin_name rv_tscroller
+#
+/usr/bin/php piwigo_cli.php -c plugin:activate --plugin_name gvideo
+#
+/usr/bin/php piwigo_cli.php -c plugin:activate --plugin_name OpenIdConnect
+/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name OIDC --key issuer_url --value https://%%oauth2_client_server_domainname/ --type string
+/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name OIDC --key client_id --value %%oauth2_client_id --type string
+/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name OIDC --key client_secret --value %%oauth2_client_secret --type string
+/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name OIDC --key verify_host --value true --type boolean
+/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name OIDC --key verify_peer --value true --type boolean
+/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name OIDC --key register_new_users --value false --type boolean
+/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name OIDC --key redirect_new_to_profile --value false --type boolean
+/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name OIDC --key notify_admins_on_register --value false --type boolean
+/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name OIDC --key notify_user_on_register --value false --type boolean
+/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name OIDC --key authorization_code_flow --value true --type boolean
+/usr/bin/php piwigo_cli.php -c config:modify:array 
--conf_name OIDC --key password_flow --value false --type boolean
+#
+/usr/bin/php piwigo_cli.php -c plugin:activate --plugin_name community
+if [ "$IMPORTED" = "0" ]; then
+ /usr/bin/php piwigo_cli.php -c community:permission:add --type any_registered_user --create_subcategories
+fi
+#
+/usr/bin/php piwigo_cli.php -c plugin:activate --plugin_name gvideo
+#
+/usr/bin/php piwigo_cli.php -c theme:activate --theme_name bootstrap_darkroom
+/usr/bin/php piwigo_cli.php -c config:modify:json --conf_name bootstrap_darkroom --key fluid_width --value true --type boolean
+/usr/bin/php piwigo_cli.php -c config:modify:json --conf_name bootstrap_darkroom --key page_header --value none --type string
+/usr/bin/php piwigo_cli.php -c config:modify:json --conf_name bootstrap_darkroom --key bootstrap_theme --value bootswatch-darkly --type string
+/usr/bin/php piwigo_cli.php -c config:modify:json --conf_name bootstrap_darkroom --key navbar_main_bg --value bg-primary --type string
+/usr/bin/php piwigo_cli.php -c config:modify:json --conf_name bootstrap_darkroom --key social_enabled --value false --type boolean
+#
+if [ "$IMPORTED" = "0" ]; then
+ /usr/bin/php piwigo_cli.php -c user:create --login %%user --mail_address %%user.piwigo_email --oidc
+fi
+%end for
diff --git a/seed/applicationservice/2022.03.08/piwigo/templates/tmpfile-piwigo.conf b/seed/applicationservice/2022.03.08/piwigo/templates/tmpfile-piwigo.conf
new file mode 100644
index 00000000..55b6e7f2
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/piwigo/templates/tmpfile-piwigo.conf
@@ -0,0 +1,6 @@
+%for %%user in %%piwigo_users
+d /srv/piwigo/logs/%%user 770 root nginx - -
+d /srv/piwigo/upload/%%user 770 root nginx - -
+d /srv/piwigo/data/%%user 770 root nginx - -
+%end for
+d /srv/piwigo/bootstrap_darkroom 770 root nginx - -
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/templates/sni.pem b/seed/applicationservice/2022.03.08/postfix-relay/templates/sni.pem
index 9d489ca2..8706e9de 100644
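Review bot: `set -x` at the top of this script traces every command with its expanded arguments to stderr, which under piwigo.service ends up in the journal; that trace includes `--admin_pass %%piwigo_admin_password` and `--value %%oauth2_client_secret` (and `ps` exposes the same arguments while each call runs), so the admin password and the OIDC client secret are written to logs readable by anyone with journal access. Dropping `set -x`, or at least passing the secrets through the environment or a root-readable file that piwigo_cli.php reads, removes that exposure. The script has no `set -e` and only the `db:install` status is checked, so a failed `plugin:activate` or `config:modify` is ignored; `set -e` would make provisioning fail loudly, provided piwigo_cli.php itself exits non-zero on failure. Two lines are exact duplicates and can go: the second `--conf_name osm_conf --key method --value resize` and the second `plugin:activate --plugin_name gvideo`.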
--- a/seed/applicationservice/2022.03.08/postfix-relay/templates/sni.pem
+++ b/seed/applicationservice/2022.03.08/postfix-relay/templates/sni.pem
@@ -1,5 +1,4 @@
-%set %%chain = %%get_chain(%%rougail_variable, 'MailRelay')
+%set %%chain = %%get_chain(authority_cn=%%rougail_variable, authority_name="MailRelay")
 %set %%cert = %%get_certificate(%%rougail_variable, 'MailRelay')
 %%get_private_key(%%rougail_variable, 'MailRelay')
 %%cert
-%%chain
diff --git a/seed/applicationservice/2022.03.08/postgresql-client/dictionaries/23_postgresql.xml b/seed/applicationservice/2022.03.08/postgresql-client/dictionaries/23_postgresql.xml
index ed51763d..9ccd2da3 100644
--- a/seed/applicationservice/2022.03.08/postgresql-client/dictionaries/23_postgresql.xml
+++ b/seed/applicationservice/2022.03.08/postgresql-client/dictionaries/23_postgresql.xml
@@ -5,7 +5,7 @@
 /secrets/postgresql.pass /etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt /etc/pki/tls/certs/postgresql.crt - /etc/pki/tls/private/postgresql.key + /etc/pki/tls/private/postgresql.key
@@ -15,7 +15,7 @@
diff --git a/seed/applicationservice/2022.03.08/provider-systemd-machined/dictionaries/21-machined.xml b/seed/applicationservice/2022.03.08/provider-systemd-machined/dictionaries/21-machined.xml
index 7c072855..e4b6b724 100644
--- a/seed/applicationservice/2022.03.08/provider-systemd-machined/dictionaries/21-machined.xml
+++ b/seed/applicationservice/2022.03.08/provider-systemd-machined/dictionaries/21-machined.xml
@@ -15,9 +15,13 @@
 /var/lib/risotto/configurations + + /var/lib/risotto/journals +
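Review bot: `%%chain` is still computed by the updated `%set %%chain = %%get_chain(...)` line, but with the `-%%chain` removal it is no longer written to sni.pem, so the rendered file now holds only the private key and the leaf certificate. If dropping the intermediates is intentional (for example because the chain is now delivered through another file), the unused `%set` line should go too; if not, SMTP peers that validate the relay's certificate will be missing the chain. The `get_chain` call also switched to keyword arguments while `get_certificate` and `get_private_key` on the following lines still use positional ones; aligning the three calls would make the template read consistently.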