add piwigo

This commit is contained in:
Emmanuel Garette 2022-04-28 21:48:16 +02:00
parent 0bfbf16152
commit da3e4d487d
70 changed files with 1716 additions and 100 deletions

View file

@ -1,68 +1,73 @@
# Généré des certificats via la PKI interne de mini_risotto # Généré des certificats via la PKI interne de mini_risotto
## Génération des certificates sur le serveur ## Génération du certificate sur le serveur
Création la variable contenant la chain : ### Sous Fedora
``` ```
<variables> <file>/etc/pki/ca-trust/source/anchors/ca_<AUTHORITY_NAME>.crt</file>
<variable name='service_ca_chain' description="CA certificate" hidden='True'/> <file>/etc/pki/tls/certs/<SERVICE>.crt</file>
<file owner="root" group="<SERVICE>" mode="440">/etc/pki/tls/private/<SERVICE>.key</file>
```
### Les templates
Dans le template ca_<AUTHORITY_NAME>.crt :
```
%%get_chain(authority_cn=%%domain_name_eth0, authority_name="<AUTHORITY_NAME>")
```
Dans le template <SERVICE>.crt :
```
%%get_certificate(%%domain_name_eth0, '<AUTHORITY_NAME>')
```
Dans le template <SERVICE>.key :
```
%%get_private_key(%%domain_name_eth0, '<AUTHORITY_NAME>')
```
## Génération du certificat client
### Sous Fedora
```
<services>
<service name="<SERVICE>client" manage="False">
<file>/etc/pki/ca-trust/source/anchors/ca_<AUTHORITY_NAME>.crt</file>
<file>/etc/pki/tls/certs/<SERVICE>.crt</file>
<file owner_type="variable" owner="<VARIABLE_NAME>" mode="400">/etc/pki/tls/private/<SERVICE>.key</file>
</service>
</services>
```
### La variable
```
<variable name="<VARIABLE_NAME>" type="unix_user" description="Key owner" mandatory="True">
<value>DEFAULT_VALUE</value>
</variable> </variable>
``` ```
Création d'une autorité avec le nom "AuthorityName" (le nom est un terme en CamelCase) : ### Les templates
Dans le template ca_<AUTHORITY_NAME>.crt :
``` ```
<fill name="get_chain"> %%get_chain(authority_cn=<SERVER_DOMAINNAME>, authority_name="<AUTHORITY_NAME>")
<param name="cn" type="information">server_name</param>
<param name="authority_cn" type="information">server_name</param>
<param name="authority_name">AuthorityName</param>
<target>service_chain</target>
</fill>
``` ```
La création du fichier de CA est simple, il suffit d'utiliser la variable "service_ca_chain". Dans le template <SERVICE>.crt :
Puis il faut créer le certificat avec un template qui contient :
``` ```
%%get_certificate(%%domain_name_eth0, authority_name="AuthorityName") %%get_certificate(cn=%%domain_name_eth0, authority_cn=<SERVER_DOMAINNAME>, authority_name='<AUTHORITY_NAME>', type="client")
``` ```
Si l'autorité n'est pas gérer par le serveur courant, il faut précicer le nom du serveur responsable de l'autorité : Dans le template <SERVICE>.key :
``` ```
%%get_certificate(%%domain_name_eth0, authority_cn=%%server, authority_name="AuthorityName") %%get_private_key(cn=%%domain_name_eth0, authority_cn=<SERVER_DOMAINNAME>, authority_name='<AUTHORITY_NAME>', type="client")
```
Enfin, le certificat peut avoir plusieurs nom de domaine, dans ce cas on peut le gérer par exemple en faisant :
```
%set %%extra_domainnames = []
%for %%idx in %%range(1, %%number_of_interfaces)
%%extra_domainnames.append(%%getVar('domain_name_eth' + %%str(%%idx)))
%end for
%%get_certificate(%%domain_name_eth0, 'LDAP', extra_domainnames=%%extra_domainnames)
```
Enfin on peut récupérer la clef privée (attention APRÉS avoir récupérer le certificat) :
```
%get_private_key(%%domain_name_eth0, %%server)
```
Comme le certificat, l'autorité peut ne pas être de la responsabilité du serveur courant :
```
%get_private_key(%%domain_name_eth0, authority_cn=%%server, authority_name="ReverseProxy")
```
## PKI sous Fedora
Création des fichiers pour l'autorité "AuthorityName" pour le service "service" :
```
<file>/etc/pki/ca-trust/source/anchors/ca_AuthorityName.crt</file>
<file>/etc/pki/tls/certs/service.crt</file>
<file owner="root" group="root" mode="400">/etc/pki/tls/private/service.key</file>
``` ```
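Review bot: the rewritten documentation drops the multi-domain example (the old `extra_domainnames` loop over `domain_name_eth<N>` feeding `get_certificate(..., extra_domainnames=%%extra_domainnames)`) without a replacement, even though the `ca_InternalReverseProxy.crt` template in this same commit now loops over every interface; keep a short `extra_domainnames=` example under the server-certificate section so readers know the parameter still exists. Two smaller points in the new text: the heading `## Génération du certificate sur le serveur` should read `certificat`, and the server key is declared `owner="root" group="<SERVICE>" mode="440"` while the client key is `mode="400"` owned by the variable user; one sentence on why the server key needs group read (the service account reads it, root keeps ownership) would stop someone widening it further.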

View file

@ -6,13 +6,16 @@
<file>/etc/httpd/conf.d/risotto.conf</file> <file>/etc/httpd/conf.d/risotto.conf</file>
<file>/etc/httpd/conf.d/ssl.conf</file> <file>/etc/httpd/conf.d/ssl.conf</file>
<file>/etc/httpd/ssl/server.ca</file> <file>/etc/httpd/ssl/server.ca</file>
<file>/etc/httpd/ssl/server.key</file>
<file>/etc/httpd/ssl/server.crt</file> <file>/etc/httpd/ssl/server.crt</file>
<file>/etc/httpd/ssl/server.key</file>
<file engine="none" source="sysuser-httpd.conf">/sysusers.d/httpd.conf</file> <file engine="none" source="sysuser-httpd.conf">/sysusers.d/httpd.conf</file>
<file engine="none" source="tmpfile-httpd.conf">/tmpfiles.d/0httpd.conf</file> <file engine="none" source="tmpfile-httpd.conf">/tmpfiles.d/0httpd.conf</file>
</service> </service>
</services> </services>
<variables> <variables>
<variable name="php_fpm_user" redefine="True" exists="True">
<value>apache</value>
</variable>
<family name="apache" description="Apache" help="Paramètrage avancé du serveur web Apache"> <family name="apache" description="Apache" help="Paramètrage avancé du serveur web Apache">
<variable name="apache_timeout" type="number" description="Temps en secondes pendant lequel le serveur va attendre des entrées/sorties avant de considérer qu'une requête a échoué"> <variable name="apache_timeout" type="number" description="Temps en secondes pendant lequel le serveur va attendre des entrées/sorties avant de considérer qu'une requête a échoué">
<value>300</value> <value>300</value>
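Review bot: `/etc/httpd/ssl/server.key` is declared as a bare `<file>` with no `owner`/`mode`, so it gets the generator's defaults, whereas the nginx module added in this commit declares its key with `mode="600"`; give the Apache key the same restriction, e.g. `<file mode="600">/etc/httpd/ssl/server.key</file>`. The reorder of `server.key`/`server.crt` and the `php_fpm_user` redefine to `apache` are fine as they stand.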

View file

@ -17,8 +17,6 @@ def get_password(server_name: str,
length: int=20, length: int=20,
temporary: bool=True, temporary: bool=True,
) -> str: ) -> str:
if type != 'cleartext':
raise Exception('only cleartext is supported')
def gen_password(): def gen_password():
return _token_urlsafe(length)[:length] return _token_urlsafe(length)[:length]
return _set_password(server_name, return _set_password(server_name,
@ -26,6 +24,7 @@ def get_password(server_name: str,
description, description,
gen_password, gen_password,
temporary, temporary,
type,
) )
@ -45,6 +44,7 @@ def get_password_alpha_num(server_name,
description, description,
gen_password, gen_password,
True, True,
'cleartext',
) )
@ -53,7 +53,10 @@ def _set_password(server_name: str,
description: str, description: str,
gen_password, gen_password,
temporary, temporary,
type,
) -> str: ) -> str:
if type != 'cleartext':
raise Exception('only cleartext is supported')
if not server_name or not username: if not server_name or not username:
return return
dir_name = _join(_PASSWORD_DIR, server_name, description) dir_name = _join(_PASSWORD_DIR, server_name, description)
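Review bot: `_set_password` now takes a parameter named `type`, which shadows the builtin for the whole function body, and the moved check `if type != 'cleartext': raise Exception(...)` sits in front of `if not server_name or not username: return`, which still returns `None` from a function annotated `-> str`; rename the parameter (`password_type`) and raise on a missing `server_name`/`username` instead of returning `None`, which a template substitution would otherwise render verbatim.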
@ -65,7 +68,8 @@ def _set_password(server_name: str,
with open(file_name, 'w') as fh: with open(file_name, 'w') as fh:
fh.write(password) fh.write(password)
with open(file_name, 'r') as fh: with open(file_name, 'r') as fh:
return fh.read().strip() file_content = fh.read().strip()
return file_content
def get_range(stop): def get_range(stop):
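Review bot: the secret is written with a plain `open(file_name, 'w')`, so the file mode is whatever the process umask gives, and the value is then read back from disk only to be returned; create the file with `os.open(file_name, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` (or `os.chmod(file_name, 0o600)` right after writing) and return `password` directly rather than re-reading it into `file_content`.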

View file

@ -1,6 +1,7 @@
# machine configuration # machine configuration
MACHINE_RISOTTO_SRV_DIR_LOCAL="srv/$MACHINE" MACHINE_RISOTTO_SRV_DIR_LOCAL="srv/$MACHINE"
MACHINE_RISOTTO_SRV_DIR="$RISOTTO_SRV_DIR/$MACHINE" MACHINE_RISOTTO_SRV_DIR="$RISOTTO_SRV_DIR/$MACHINE"
RISOTTO_JOURNALD_DIR="$RISOTTO_DIR/journals/$MACHINE"
MACHINE_RISOTTO_CONFIG_DIR_LOCAL="$IMAGE_NAME/configurations/$MACHINE" MACHINE_RISOTTO_CONFIG_DIR_LOCAL="$IMAGE_NAME/configurations/$MACHINE"
MACHINE_RISOTTO_CONFIG_DIR="$RISOTTO_CONFIG_DIR/$MACHINE" MACHINE_RISOTTO_CONFIG_DIR="$RISOTTO_CONFIG_DIR/$MACHINE"
MACHINE_MACHINES_DIR="$MACHINES_DIR/$MACHINE" MACHINE_MACHINES_DIR="$MACHINES_DIR/$MACHINE"
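Review bot: `RISOTTO_JOURNALD_DIR` is a per-machine path (it ends in `$MACHINE`) but lacks the `MACHINE_` prefix every neighbouring variable in this block carries; `MACHINE_RISOTTO_JOURNALD_DIR` would keep the naming rule and avoid confusion with the host-wide `RISOTTO_*` settings it is built from.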

View file

@ -5,7 +5,7 @@ if [ -z "$HOST_NAME" ]; then
echo "usage: $0 host name" echo "usage: $0 host name"
exit 1 exit 1
fi fi
apt install --yes systemd-container dnf jq debootstrap htop gettext patch apt install --yes systemd-container dnf jq debootstrap htop gettext patch unzip mlocate
systemd-tmpfiles --create --clean --remove $PWD/host/configurations/$HOST_NAME/tmpfiles.d/0asystemd-nspawn.conf systemd-tmpfiles --create --clean --remove $PWD/host/configurations/$HOST_NAME/tmpfiles.d/0asystemd-nspawn.conf
systemd-tmpfiles --create --clean --remove $PWD/host/configurations/$HOST_NAME/tmpfiles.d/0rougail.conf systemd-tmpfiles --create --clean --remove $PWD/host/configurations/$HOST_NAME/tmpfiles.d/0rougail.conf
systemctl daemon-reload systemctl daemon-reload

View file

@ -17,18 +17,30 @@ if [ ! -f "$IMAGE_NAME_RISOTTO_IMAGE_NAME" ]; then
echo "PAS D'IMAGE $IMAGE_NAME_RISOTTO_IMAGE_NAME" echo "PAS D'IMAGE $IMAGE_NAME_RISOTTO_IMAGE_NAME"
exit 1 exit 1
fi fi
NEW_IMAGE=false
NEW_CONF=false
if [ -L "$MACHINE_MACHINES_DIR" ] || [ -d "$MACHINE_MACHINES_DIR" ]; then if [ -L "$MACHINE_MACHINES_DIR" ] || [ -d "$MACHINE_MACHINES_DIR" ]; then
# is the base image divergent?
diff -q "$IMAGE_NAME_RISOTTO_IMAGE_NAME".sha "$SHA_MACHINE" || NEW_IMAGE=true
# is the configuration divergent?
diff -q --no-dereference -Nru "$MACHINE_RISOTTO_CONFIG_DIR" "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" || NEW_CONF=true
fi
if [ "$NEW_IMAGE" = true ] || [ "$NEW_CONF" = true ]; then
machinectl stop "$MACHINE" 2> /dev/null || true machinectl stop "$MACHINE" 2> /dev/null || true
while true; do while true; do
machinectl status "$MACHINE" > /dev/null 2>&1 || break machinectl status "$MACHINE" > /dev/null 2>&1 || break
sleep 1 sleep 1
echo "retry..." echo "retry..."
done done
diff -q "$IMAGE_NAME_RISOTTO_IMAGE_NAME".sha "$SHA_MACHINE" || rm -rf "$MACHINE_MACHINES_DIR"
fi fi
if [ -d "$MACHINE_RISOTTO_CONFIG_DIR" ]; then if [ "$NEW_IMAGE" = true ]; then
# fait un diff echo "SUPPRIME ANCIENNE IMAGE"
diff -q --no-dereference -Nru "$MACHINE_RISOTTO_CONFIG_DIR" "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" || ( ./diff.py "$MACHINE" "$MACHINE_RISOTTO_CONFIG_DIR" "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" > "$MACHINE_RISOTTO_CONFIG_DIR"_changelog.md; rm -rf "$MACHINE_RISOTTO_CONFIG_DIR" ) rm -rf "$MACHINE_MACHINES_DIR"
fi
if [ "$NEW_CONF" = true ]; then
echo "SUPPRIME ANCIENNE CONF"
./diff.py "$MACHINE" "$MACHINE_RISOTTO_CONFIG_DIR" "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" > "$MACHINE_RISOTTO_CONFIG_DIR"_changelog.md
rm -rf "$MACHINE_RISOTTO_CONFIG_DIR"
fi fi
cp -a "$MACHINE_NAME_NSPAWN_LOCAL" "$MACHINE_NAME_NSPAWN" cp -a "$MACHINE_NAME_NSPAWN_LOCAL" "$MACHINE_NAME_NSPAWN"
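Review bot: in the `NEW_CONF` branch, `rm -rf "$MACHINE_RISOTTO_CONFIG_DIR"` runs even when `./diff.py` fails, so a broken changelog run still destroys the only copy of the previous configuration; chain the two (`./diff.py ... > "$MACHINE_RISOTTO_CONFIG_DIR"_changelog.md && rm -rf "$MACHINE_RISOTTO_CONFIG_DIR"`) or test `$?` first. The `while true` stop loop also has no upper bound, so a machine that never stops hangs the script silently; a retry counter with an error exit after N attempts would fail loudly instead.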
@ -39,6 +51,7 @@ fi
if [ ! -d "$MACHINE_RISOTTO_SRV_DIR" ] && [ -d "$MACHINE_RISOTTO_SRV_DIR_LOCAL" ]; then if [ ! -d "$MACHINE_RISOTTO_SRV_DIR" ] && [ -d "$MACHINE_RISOTTO_SRV_DIR_LOCAL" ]; then
mkdir -p "$MACHINE_RISOTTO_SRV_DIR" mkdir -p "$MACHINE_RISOTTO_SRV_DIR"
fi fi
mkdir -p "$RISOTTO_JOURNALD_DIR"
if [ ! -d "$MACHINE_MACHINES_DIR" ]; then if [ ! -d "$MACHINE_MACHINES_DIR" ]; then
cd "$MACHINES_DIR" cd "$MACHINES_DIR"
tar xf "$IMAGE_NAME_RISOTTO_IMAGE_NAME" tar xf "$IMAGE_NAME_RISOTTO_IMAGE_NAME"

View file

@ -88,7 +88,7 @@ ADAPTER = redis
;; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180 ;; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
;; memcache: `127.0.0.1:11211` ;; memcache: `127.0.0.1:11211`
;; twoqueue: `{"size":50000,"recent_ratio":0.25,"ghost_ratio":0.5}` or `50000` ;; twoqueue: `{"size":50000,"recent_ratio":0.25,"ghost_ratio":0.5}` or `50000`
HOST = network=tcp,addr=%%redis_client_server_domainname:6379,password=%%redis_client_password,db=0,pool_size=100,idle_timeout=180 HOST = network=tcp,addr=%%redis_client_server_domainname:6379,username=%%redis_client_username,password=%%redis_client_password,db=0,pool_size=100,idle_timeout=180
;; ;;
;; Time to keep items in cache if not used, default is 16 hours. ;; Time to keep items in cache if not used, default is 16 hours.
;; Setting it to 0 disables caching ;; Setting it to 0 disables caching
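Review bot: the cache connection keeps `network=tcp,addr=...:6379` and only gains `username=%%redis_client_username`, so the new Redis credentials still travel over plain TCP, while the Nextcloud Redis client in this same commit moves to port 6380 with an `ssl_context` and client certificate; check whether this adapter can use the TLS listener too, and if it cannot, document why plaintext to Redis is acceptable for this service.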

View file

@ -11,6 +11,7 @@
<family name="machine_" description="Machine " dynamic="machined.machines"> <family name="machine_" description="Machine " dynamic="machined.machines">
<variable name="external_ports_" description="External ports for " hidden="True" type="port" multi="True" provider="external_ports"/> <variable name="external_ports_" description="External ports for " hidden="True" type="port" multi="True" provider="external_ports"/>
<variable name="srv_dir_" description="Directory with srv volume for " hidden="True" type="filename" provider="machine_srv"/> <variable name="srv_dir_" description="Directory with srv volume for " hidden="True" type="filename" provider="machine_srv"/>
<variable name="journal_dir_" description="Directory with journal volume for " hidden="True" type="filename" provider="machine_journal"/>
<variable name="config_dir_" description="Directory with configuration volume for " hidden="True" type="filename" provider="machine_config" mandatory="True"/> <variable name="config_dir_" description="Directory with configuration volume for " hidden="True" type="filename" provider="machine_config" mandatory="True"/>
<variable name="zones_" description="Zones for " hidden="True" provider="machine_zones" mandatory="True" multi="True"/> <variable name="zones_" description="Zones for " hidden="True" provider="machine_zones" mandatory="True" multi="True"/>
</family> </family>

View file

@ -6,6 +6,7 @@ PrivateUsersChown=false
%if %%container['srv_dir_' + %%name] %if %%container['srv_dir_' + %%name]
Bind=%%container['srv_dir_' + %%name]:/srv Bind=%%container['srv_dir_' + %%name]:/srv
%end if %end if
Bind=%%container['journal_dir_' + %%name]:/var/log/journal/
BindReadOnly=%%container['config_dir_' + %%name]:/usr/local/lib BindReadOnly=%%container['config_dir_' + %%name]:/usr/local/lib
%set zones = %%container['zones_' + %%name] %set zones = %%container['zones_' + %%name]
%if %%zones %if %%zones
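Review bot: `Bind=%%container['journal_dir_' + %%name]:/var/log/journal/` is emitted unconditionally, unlike the `srv_dir_` bind just above it which is wrapped in `%if`, and `journal_dir_` is declared in the machined variables without `mandatory="True"`; an empty value renders `Bind=:/var/log/journal/`, which nspawn rejects. Either mark the variable mandatory or guard the line the same way as `srv_dir_`. With `PrivateUsersChown=false` (context line of this hunk) the host directory also has to be created with an owner the container's journald can write as.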

View file

@ -1,16 +1,3 @@
def get_default_base_dn(server_name: str) -> str:
if not server_name or '.' not in server_name:
return None
values = server_name.split('.')
# cannot calculated base dn should be server.domain.tld
# remove 'server' in dn
if len(values) < 3:
return None
domain = ['ou=' + domain for domain in values[1:-2]]
domain.append(f'o={values[-2]},o={values[-1]}')
return ','.join(domain)
def valid_base_dn(base_dn: str) -> None: def valid_base_dn(base_dn: str) -> None:
for att in ['o', 'dc', 'ou']: for att in ['o', 'dc', 'ou']:
if base_dn.startswith(att + '='): if base_dn.startswith(att + '='):

View file

@ -9,6 +9,7 @@
<file engine="none">/static/silique_folder.png</file> <file engine="none">/static/silique_folder.png</file>
<file engine="none">/static/silique_note.png</file> <file engine="none">/static/silique_note.png</file>
<file engine="none">/static/silique_video.png</file> <file engine="none">/static/silique_video.png</file>
<file engine="none">/static/silique_image.png</file>
<file engine="none">/static/risotto.css</file> <file engine="none">/static/risotto.css</file>
<file>/var/lib/lemonldap-ng/conf/lmConf-1.json</file> <file>/var/lib/lemonldap-ng/conf/lmConf-1.json</file>
<file engine="none">/etc/lemonldap-ng/lemonldap-ng.ini</file> <file engine="none">/etc/lemonldap-ng/lemonldap-ng.ini</file>

Binary file not shown. After: Width | Height | Size: 2.5 KiB


View file

@ -14,6 +14,9 @@
<file source="config-nginx.conf">/etc/nginx/conf.d/postorius.conf</file> <file source="config-nginx.conf">/etc/nginx/conf.d/postorius.conf</file>
<file source="postorius-settings.py">/etc/mailman3.d/postorius.py</file> <file source="postorius-settings.py">/etc/mailman3.d/postorius.py</file>
</service> </service>
<service name="postgresqlclient" target="multi-user" engine="creole">
<file owner="postorius" mode="400">/etc/pki/tls/private/postgresql_postorius.key</file>
</service>
</services> </services>
<variables> <variables>
<family name="mailman" description="Gestionnaire de liste"> <family name="mailman" description="Gestionnaire de liste">
@ -42,6 +45,11 @@
</variable> </variable>
<variable name="oauth2_client_external" redefine="True" remove_fill="True"/> <variable name="oauth2_client_external" redefine="True" remove_fill="True"/>
</family> </family>
<family name="postgresql">
<variable name="pg_client_key_owner" redefine="True">
<value>mailman</value>
</variable>
</family>
</variables> </variables>
<constraints> <constraints>
<fill name="get_password"> <fill name="get_password">

View file

@ -24,7 +24,7 @@ layout: fhs
#>GNUNUX #>GNUNUX
[database] [database]
class: mailman.database.postgresql.PostgreSQLDatabase class: mailman.database.postgresql.PostgreSQLDatabase
url: postgresql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database?sslmode=verify-full url: postgresql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database?sslmode=verify-full&sslcert=/etc/pki/tls/certs/postgresql.crt&sslkey=/etc/pki/tls/private/postgresql.key&sslrootcert=/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt
[mta] [mta]
lmtp_host: %%ip_eth0 lmtp_host: %%ip_eth0

View file

@ -0,0 +1 @@
%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%pg_client_server_domainname, authority_name='PostgreSQL', type="client")

View file

@ -10,7 +10,7 @@ DATABASES = {
'HOST': '%%pg_client_server_domainname', # Database server 'HOST': '%%pg_client_server_domainname', # Database server
'PORT': '', # Database port (leave blank for default) 'PORT': '', # Database port (leave blank for default)
'CONN_MAX_AGE': 300, # Max database connection age 'CONN_MAX_AGE': 300, # Max database connection age
'OPTIONS': {'sslmode': 'verify-full'}, 'OPTIONS': {'sslmode': 'verify-full', 'sslcert': '/etc/pki/tls/certs/postgresql.crt', 'sslkey': '/etc/pki/tls/private/postgresql_postorius.key', 'sslrootcert': '/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt'},
} }
} }
ALLOWED_HOSTS = ['%%revprox_client_external_domainname'] ALLOWED_HOSTS = ['%%revprox_client_external_domainname']
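Review bot: the Postorius settings pair `sslcert` `/etc/pki/tls/certs/postgresql.crt` with `sslkey` `/etc/pki/tls/private/postgresql_postorius.key`, i.e. the certificate generated for the mailman client together with a second key file produced by the new `postgresql_postorius.key` template (`get_private_key(cn=%%domain_name_eth0, authority_cn=..., authority_name='PostgreSQL', type="client")`); this only works if both calls return the same key material, which the diff nowhere states. Add a comment saying so, or give Postorius its own client certificate (an `sslcert` that matches its key) so the two services can be rotated and revoked independently, and verify the pair once (key and certificate must match) before shipping.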

View file

@ -1,5 +1,8 @@
<?xml version='1.0' encoding='UTF-8'?> <?xml version='1.0' encoding='UTF-8'?>
<rougail version="0.10"> <rougail version="0.10">
<services>
<service name="mariadbclient" target="multi-user" engine="creole"/>
</services>
<variables> <variables>
<family name="mariadb" description="MariaDB"> <family name="mariadb" description="MariaDB">
<variable name="mariadb_client_server_domainname" type="domainname" description="Nom de domaine du serveur MariaDB" mandatory="True"/> <variable name="mariadb_client_server_domainname" type="domainname" description="Nom de domaine du serveur MariaDB" mandatory="True"/>

View file

@ -0,0 +1,7 @@
[Unit]
Description=Waiting for mariadb server
Before=network.target
[Service]
Type=oneshot
ExecStart=/usr/bin/timeout 90 sh -c 'while ! 3<> /dev/tcp/%%mariadb_client_server_domainname/3306; do sleep 1; done; echo "MARIADB STARTED"'
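Review bot: the wait loop relies on bash's `/dev/tcp/...` redirection inside `sh -c`, which only works where `sh` is bash (true on Fedora, not on Debian-style hosts where `sh` is dash), and the unit is ordered `Before=network.target` although it needs the network to reach `%%mariadb_client_server_domainname:3306`, which reads as contradictory; use `timeout 90 bash -c '...'` and order the unit with `After=network-online.target` plus `Wants=network-online.target`, then have the MariaDB-dependent service declare `After=`/`Requires=` on this one.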

View file

@ -32,7 +32,7 @@
<value>Plateforme de collaboration Nextcloud</value> <value>Plateforme de collaboration Nextcloud</value>
</variable> </variable>
<variable name="oauth2_client_category" redefine='True'> <variable name="oauth2_client_category" redefine='True'>
<value>Collaboration</value> <value>Diffusion</value>
</variable> </variable>
<variable name="oauth2_client_logo" redefine='True'> <variable name="oauth2_client_logo" redefine='True'>
<value>silique_folder.png</value> <value>silique_folder.png</value>
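Review bot: `oauth2_client_category` changes from `Collaboration` to `Diffusion` while the description value in the context lines above still reads `Plateforme de collaboration Nextcloud`; if the category change is deliberate the description should follow, otherwise this looks like a value copied from another module.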

View file

@ -37,7 +37,7 @@ $CONFIG = array (
'dbtableprefix' => 'oc_', 'dbtableprefix' => 'oc_',
'dbuser' => '%%pg_client_username', 'dbuser' => '%%pg_client_username',
'dbpassword' => '%%pg_client_password', 'dbpassword' => '%%pg_client_password',
'dbdriveroptions' => array('sslmode' => 'verify-full'), 'dbdriveroptions' => array('sslmode' => 'verify-full', 'sslcert' => '/etc/pki/tls/certs/postgresql.crt', 'sslkey' => '/etc/pki/tls/private/postgresql.key', 'sslrootcert' => '/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt'),
'passwordsalt' => '{{SALT}}', 'passwordsalt' => '{{SALT}}',
'secret' => '{{SECRET}}', 'secret' => '{{SECRET}}',
'instanceid' => '%%nextcloud_instance_id', 'instanceid' => '%%nextcloud_instance_id',
@ -53,9 +53,15 @@ $CONFIG = array (
'filelocking.enabled' => true, 'filelocking.enabled' => true,
'redis' => [ 'redis' => [
'host' => '%%redis_client_server_domainname', 'host' => '%%redis_client_server_domainname',
'port' => 6379, 'port' => 6380,
'user' => '%%redis_client_username',
'password' => '%%redis_client_password', 'password' => '%%redis_client_password',
'dbindex' => 0, 'dbindex' => 0,
'ssl_context' => [
'local_cert' => '/etc/pki/tls/certs/redis.crt',
'local_pk' => '/etc/pki/tls/private/redis.key',
'cafile' => '/etc/pki/ca-trust/source/anchors/ca_Redis.crt',
]
], ],
'default_phone_region' => 'FR', 'default_phone_region' => 'FR',
//OIDC login //OIDC login
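Review bot: the new `ssl_context` points Nextcloud at `/etc/pki/tls/private/redis.key`, which the PHP-FPM workers (running as `php_fpm_user`, redefined to the web-server user elsewhere in this commit) must be able to read, and the `<file>` declarations for `redis.crt`/`redis.key` are not part of this diff; check that the key is declared with an `owner`/`mode` scoped to that user rather than left at the default, and set `'verify_peer' => true, 'verify_peer_name' => true` explicitly in the context so certificate verification does not depend on PHP stream defaults. The move to `6380` with a client certificate is the right direction.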

View file

@ -0,0 +1,4 @@
format: '0.1'
description: Nginx as reverse proxy
depends:
- nginx-common
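Review bot: the package description says `Nginx as reverse proxy`, but the nginx module added in this commit serves `nginx_root_directory` and PHP locations directly rather than proxying; `Nginx web server` (or similar) would describe the file correctly and avoid confusion with the reverse-proxy module whose chain template is also touched here.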

View file

@ -0,0 +1,20 @@
<?xml version='1.0' encoding='UTF-8'?>
<rougail version="0.10">
<services>
<service name='nginx'>
<file>/etc/nginx/conf.d/risotto.conf</file>
<file>/etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt</file>
<file mode="600">/etc/pki/tls/certs/nginx.crt</file>
<file mode="600">/etc/pki/tls/private/nginx.key</file>
</service>
</services>
<variables>
<variable name="nginx_root_directory" type="filename" mandatory="True"/>
<variable name="php_fpm_user" redefine="True" exists="True">
<value>nginx</value>
</variable>
<variable name="nginx_locations" type="filename" multi="True" mandatory="True">
<value>/</value>
</variable>
</variables>
</rougail>

View file

@ -0,0 +1 @@
%%get_chain(authority_cn=%%domain_name_eth0, authority_name="InternalReverseProxy")

View file

@ -0,0 +1 @@
%%get_certificate(cn=%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy')

View file

@ -0,0 +1,10 @@
<!DOCTYPE html>
<html>
<head>
<title>Welcome</title>
<style>
</style>
</head>
<body>
</body>
</html>

View file

@ -0,0 +1 @@
%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy')

View file

@ -0,0 +1,44 @@
server {
listen 443 default ssl;
server_name %%domain_name_eth0;
ssl_certificate /etc/pki/tls/certs/nginx.crt;
ssl_certificate_key /etc/pki/tls/private/nginx.key;
ssl_client_certificate /etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt;
error_page 403 404 502 503 504 /error.html;
location = /error.html{
root /var/www/html;
}
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains;';
add_header Referrer-Policy no-referrer always;
%for %%location in %%nginx_locations
location %%location {
%if %%location == '/'
root %slurp
%else
alias %slurp
%end if
%%nginx_root_directory;
%if not %%getVar('php_fpm_installed', False)
index index.html;
%else
index index.php;
location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
fastcgi_pass php-fpm;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $request_filename;
include fastcgi_params;
}
%end if
}
%end for
}
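Review bot: `ssl_client_certificate /etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt` on its own does nothing: without `ssl_verify_client on;` nginx never requests or checks a client certificate, so the apparent intent of only accepting connections from the internal reverse proxy is not enforced; add `ssl_verify_client on;` (and confirm the proxy presents its client certificate) or remove the directive so nobody assumes the check exists. In the PHP location, `fastcgi_param SCRIPT_FILENAME $request_filename;` is sent for every URI matching `^(?<script_name>.+?\.php)(?<path_info>/.*)?$`, including ones where the `.php` segment is not an existing file; add `try_files $fastcgi_script_name =404;` (or `fastcgi_split_path_info` together with `cgi.fix_pathinfo=0` in php.ini) so only a real `.php` script is ever handed to PHP-FPM. Minor: `X-XSS-Protection` is a retired header that current browsers ignore, and `listen 443 default ssl` uses the old `default` spelling of `default_server`.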

View file

@ -1 +1,3 @@
%%get_chain(authority_cn=%%domain_name_eth0, authority_name="InternalReverseProxy") %for %%idx in %%range(0, %%number_of_interfaces)
%%get_chain(authority_cn=%%getVar('domain_name_eth' + %%str(%%idx)), authority_name="InternalReverseProxy")
%end for

View file

@ -7,6 +7,10 @@
<variable name="password_" description="Mot de passe" auto_save="True" hidden="True" provider="client_password"/> <variable name="password_" description="Mot de passe" auto_save="True" hidden="True" provider="client_password"/>
<variable name="read_only_" description="Le compte est en lecture seule" type="boolean"/> <variable name="read_only_" description="Le compte est en lecture seule" type="boolean"/>
</family> </family>
<family name="acl" description="Gestion des droits d'accès aux attributes" leadership="True">
<variable name='ldap_acl_attribute' type="string" description="ACL de l'attribut" multi="True"/>
<variable name='ldap_acl_rights' type="string" description="ACL de l'attribut" multi="True"/>
</family>
<family name="users" description="Gestion des utilisateurs" leadership="True"> <family name="users" description="Gestion des utilisateurs" leadership="True">
<variable name='ldap_user_mail' type="mail" description="Adresse courriel du compte" multi="True"/> <variable name='ldap_user_mail' type="mail" description="Adresse courriel du compte" multi="True"/>
<variable name='ldap_user_aliases' type="mail" description="Aliases du mail" multi="True"/> <!-- FIXME --> <variable name='ldap_user_aliases' type="mail" description="Aliases du mail" multi="True"/> <!-- FIXME -->
@ -15,9 +19,16 @@
<variable name='ldap_user_gn' type="string" description="Nom de famille" mandatory="True"/> <variable name='ldap_user_gn' type="string" description="Nom de famille" mandatory="True"/>
<variable name='ldap_user_password' type="password" description="Mot de passe" mandatory="True" hidden="True"/> <variable name='ldap_user_password' type="password" description="Mot de passe" mandatory="True" hidden="True"/>
</family> </family>
<family name="acl" description="Gestion des droits d'accès aux attributes" leadership="True"> <variable name="families" description="Familles" type="unix_user" multi="True"/>
<variable name='ldap_acl_attribute' type="string" description="ACL de l'attribut" multi="True"/> <family name="family_" description="Gestion de la famille " dynamic="accounts.families">
<variable name='ldap_acl_rights' type="string" description="ACL de l'attribut" multi="True"/> <family name="users_" description="Gestion des utilisateurs" leadership="True">
<variable name='ldap_user_mail_' type="mail" description="Adresse courriel du compte" multi="True"/>
<variable name='ldap_user_aliases_' type="mail" description="Aliases du mail" multi="True"/> <!-- FIXME -->
<variable name='ldap_user_uid_' type="unix_user" description="Nom de compte" mandatory="True"/>
<variable name='ldap_user_sn_' type="string" description="Prénom" mandatory="True"/>
<variable name='ldap_user_gn_' type="string" description="Nom de famille" mandatory="True"/>
<variable name='ldap_user_password_' type="password" description="Mot de passe" mandatory="True" hidden="True"/>
</family>
</family> </family>
</variables> </variables>
<constraints> <constraints>
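Review bot: in the new `users_` family, `ldap_user_sn_` is described as `Prénom` and `ldap_user_gn_` as `Nom de famille`, copied from the existing `users` family visible in the context lines, but the LDIF template in this commit emits `sn:` from `ldap_user_sn` and `givenName:` from `ldap_user_gn`, so the descriptions are inverted relative to LDAP semantics (`sn` is the surname, `givenName` the first name); swap the two descriptions in both families so the generated directory entries carry the right names.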
@ -45,5 +56,13 @@
<param name="temporary" type="boolean">True</param> <param name="temporary" type="boolean">True</param>
<target>accounts.users.ldap_user_password</target> <target>accounts.users.ldap_user_password</target>
</fill> </fill>
<fill name="get_password">
<param name="server_name" type="variable">domain_name_eth0</param>
<param name="username" type='variable'>accounts.family_.users_.ldap_user_mail_</param>
<param name="description">ldap family user</param>
<param name="type">cleartext</param>
<param name="temporary" type="boolean">True</param>
<target>accounts.family_.users_.ldap_user_password_</target>
</fill>
</constraints> </constraints>
</rougail> </rougail>

View file

@ -1,12 +1,44 @@
import __main__
from os import urandom as _urandom from os import urandom as _urandom
from hashlib import sha1 as _sha1 from hashlib import sha1 as _sha1
from base64 import encodebytes as _encodebytes, b64encode as _b64encode from base64 import encodebytes as _encodebytes, b64encode as _b64encode
from json import load as _load, dump as _dump
from os.path import dirname as _dirname, abspath as _abspath, join as _join, isfile as _isfile
_HERE = _dirname(_abspath(__main__.__file__))
_SSHA_PASSWORD_DIR = _join(_HERE, 'password', 'ssha.json')
# unproudly borrowed from # unproudly borrowed from
# http://www.openldap.org/faq/data/cache/347.html # http://www.openldap.org/faq/data/cache/347.html
def ssha_encode(password): def ssha_encode(password):
# do not regenerate SSHA
if _isfile(_SSHA_PASSWORD_DIR):
with open(_SSHA_PASSWORD_DIR, 'r') as fh:
passwords = _load(fh)
else:
passwords = {}
if password in passwords:
return passwords[password]
salt = _urandom(4) salt = _urandom(4)
h = _sha1(password.encode()) h = _sha1(password.encode())
h.update(salt) h.update(salt)
return _b64encode(b"{SSHA}" + _encodebytes(h.digest() + salt)[:-1]).decode() ret = _b64encode(b"{SSHA}" + _encodebytes(h.digest() + salt)[:-1]).decode()
passwords[password] = ret
with open(_SSHA_PASSWORD_DIR, 'w') as fh:
_dump(passwords, fh)
return ret
def get_default_base_dn(server_name: str) -> str:
if not server_name or '.' not in server_name:
return None
values = server_name.split('.')
# cannot calculated base dn should be server.domain.tld
# remove 'server' in dn
if len(values) < 3:
return None
domain = ['ou=' + domain for domain in values[1:-2]]
domain.append(f'o={values[-2]},o={values[-1]}')
return ','.join(domain)
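Review bot: the new cache in `ssha_encode` stores every cleartext password as a JSON key in `password/ssha.json` (`passwords[password] = ret`, then `_dump(passwords, fh)` through a plain `open(..., 'w')`), so the generator now persists cleartext secrets on disk with umask-default permissions, whereas before only the salted hash left the function; if the goal is stable hashes across regenerations, key the cache on something that is not the secret (an account identifier passed in as an extra parameter, or an HMAC of the password under a locally stored random key), create the file with mode 0600, and make sure `password/` exists before the first write, since `open` fails otherwise. Separately, `{SSHA}` is salted SHA-1; where the OpenLDAP build ships `pw-sha2` or `pw-argon2`, `{SSHA512}` or `{ARGON2}` is the better default.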

View file

@ -21,12 +21,12 @@ objectClass: top
objectClass: inetOrgPerson objectClass: inetOrgPerson
%end for %end for
# Users
dn: ou=users,%%ldap_base_dn dn: ou=users,%%ldap_base_dn
ou: users ou: users
objectClass: top objectClass: top
objectClass: organizationalUnit objectClass: organizationalUnit
# Users
%for %%user in %%accounts.users.ldap_user_mail %for %%user in %%accounts.users.ldap_user_mail
dn: cn=%%user,ou=users,%%ldap_base_dn dn: cn=%%user,ou=users,%%ldap_base_dn
cn: %%user cn: %%user
@ -34,9 +34,33 @@ mail: %%user
sn: %%user.ldap_user_sn sn: %%user.ldap_user_sn
givenName: %%user.ldap_user_gn givenName: %%user.ldap_user_gn
uid: %%user.ldap_user_uid uid: %%user.ldap_user_uid
#%%user.ldap_user_password
userPassword:: %%ssha_encode(%%user.ldap_user_password) userPassword:: %%ssha_encode(%%user.ldap_user_password)
objectClass: top objectClass: top
objectClass: inetOrgPerson objectClass: inetOrgPerson
%end for %end for
# Families
dn: ou=families,%%ldap_base_dn
ou: families
objectClass: top
objectClass: organizationalUnit
%for %%family in %%accounts.families
dn: ou=%%family,ou=families,%%ldap_base_dn
ou: %%family
objectClass: top
objectClass: organizationalUnit
%for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
dn: cn=%%user,ou=families,%%ldap_base_dn
cn: %%user
mail: %%user
sn: %%user['ldap_user_sn_' + %%family]
givenName: %%user['ldap_user_gn_' + %%family]
uid: %%user['ldap_user_uid_' + %%family]
userPassword:: %%ssha_encode(%%user['ldap_user_password_' + %%family])
objectClass: top
objectClass: inetOrgPerson
%end for
%end for
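Review bot: the added line `#%%user.ldap_user_password` in the users block renders each cleartext password into the generated LDIF as a comment (the engine substitutes `%%...` regardless of the leading `#`), so every password ends up in clear next to its `userPassword::` hash; remove that debugging line. In the families block, `dn: cn=%%user,ou=families,%%ldap_base_dn` places every family user directly under `ou=families` instead of under the `ou=%%family,ou=families,...` entry created just above it, so two families sharing an address collide and the per-family OU stays empty; it should read `dn: cn=%%user,ou=%%family,ou=families,%%ldap_base_dn`.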

View file

@ -3,8 +3,17 @@
<services> <services>
<service name="php-fpm"> <service name="php-fpm">
<file engine="none">/etc/php-fpm.conf</file> <file engine="none">/etc/php-fpm.conf</file>
<file>/etc/php-fpm.d/www.conf</file>
<file engine="none" source="sysuser-phpfpm.conf">/sysusers.d/phpfpm.conf</file> <file engine="none" source="sysuser-phpfpm.conf">/sysusers.d/phpfpm.conf</file>
<file engine="none" source="tmpfile-phpfpm.conf">/tmpfiles.d/0phpfpm.conf</file> <file source="tmpfile-phpfpm.conf">/tmpfiles.d/0phpfpm.conf</file>
</service> </service>
</services> </services>
<variables>
<variable name="php_fpm_user" type="unix_user">
<value>root</value>
</variable>
<variable name="php_fpm_installed" type="boolean">
<value>True</value>
</variable>
</variables>
</rougail> </rougail>
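Review bot: `php_fpm_user` defaults to `root` (`<value>root</value>`), so any module that includes php-fpm without redefining the variable generates a pool with `user = root`; PHP-FPM refuses to start such a pool unless launched with `-R`, so the default is both unsafe and non-functional. Default to a dedicated unprivileged account (the `sysuser-phpfpm.conf` declared above is the place to create it) and let the Apache and nginx modules keep their redefines.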

View file

@ -0,0 +1 @@
PKG="$PKG php-fpm"

View file

@ -1 +1 @@
d /var/lib/php/session 770 root apache - - d /var/lib/php/session 770 root %%php_fpm_user - -

View file

@ -0,0 +1,439 @@
; Start a new pool named 'www'.
; the variable $pool can be used in any directive and will be replaced by the
; pool name ('www' here)
[www]
; Per pool prefix
; It only applies on the following directives:
; - 'access.log'
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or @php_fpm_prefix@) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
; RPM: apache user chosen to provide access to the same directories as httpd
user = %%php_fpm_user
; RPM: Keep a group allowed to write in log dir.
group = %%php_fpm_user
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = /run/php-fpm/www.sock
; Set listen(2) backlog.
; Default Value: 511
;listen.backlog = 511
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server.
; Default Values: user and group are set as the running user
; mode is set to 0660
;listen.owner = nobody
;listen.group = nobody
;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
listen.acl_users = %%php_fpm_user
;listen.acl_groups =
; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
listen.allowed_clients = 127.0.0.1
; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root
; - The pool processes will inherit the master process priority
; unless it specified otherwise
; Default Value: no set
; process.priority = -19
; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
; or group is differrent than the master process user. It allows to create process
; core dump and ptrace the process for the pool user.
; Default Value: no
; process.dumpable = yes
; Choose how the process manager will control the number of child processes.
; Possible Values:
; static - a fixed number (pm.max_children) of child processes;
; dynamic - the number of child processes are set dynamically based on the
; following directives. With this process management, there will be
; always at least 1 children.
; pm.max_children - the maximum number of children that can
; be alive at the same time.
; pm.start_servers - the number of children created on startup.
; pm.min_spare_servers - the minimum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is less than this
; number then some children will be created.
; pm.max_spare_servers - the maximum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is greater than this
; number then some children will be killed.
; ondemand - no children are created at startup. Children will be forked when
; new requests will connect. The following parameter are used:
; pm.max_children - the maximum number of children that
; can be alive at the same time.
; pm.process_idle_timeout - The number of seconds after which
; an idle process will be killed.
; Note: This value is mandatory.
pm = dynamic
; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI. The below defaults are based on a server without much resources. Don't
; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
pm.max_children = 50
; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
pm.start_servers = 5
; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 5
; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 35
; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s
;pm.process_idle_timeout = 10s;
; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
;pm.max_requests = 500
; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following informations:
; pool - the name of the pool;
; process manager - static, dynamic or ondemand;
; start time - the date and time FPM has started;
; start since - number of seconds since FPM has started;
; accepted conn - the number of request accepted by the pool;
; listen queue - the number of request in the queue of pending
; connections (see backlog in listen(2));
; max listen queue - the maximum number of requests in the queue
; of pending connections since FPM has started;
; listen queue len - the size of the socket queue of pending connections;
; idle processes - the number of idle processes;
; active processes - the number of active processes;
; total processes - the number of idle + active processes;
; max active processes - the maximum number of active processes since FPM
; has started;
; max children reached - number of times, the process limit has been reached,
; when pm tries to start more children (works only for
; pm 'dynamic' and 'ondemand');
; Value are updated in real time.
; Example output:
; pool: www
; process manager: static
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 62636
; accepted conn: 190460
; listen queue: 0
; max listen queue: 1
; listen queue len: 42
; idle processes: 4
; active processes: 11
; total processes: 15
; max active processes: 12
; max children reached: 0
;
; By default the status page output is formatted as text/plain. Passing either
; 'html', 'xml' or 'json' in the query string will return the corresponding
; output syntax. Example:
; http://www.foo.bar/status
; http://www.foo.bar/status?json
; http://www.foo.bar/status?html
; http://www.foo.bar/status?xml
;
; By default the status page only outputs short status. Passing 'full' in the
; query string will also return status for each pool process.
; Example:
; http://www.foo.bar/status?full
; http://www.foo.bar/status?json&full
; http://www.foo.bar/status?html&full
; http://www.foo.bar/status?xml&full
; The Full status returns for each process:
; pid - the PID of the process;
; state - the state of the process (Idle, Running, ...);
; start time - the date and time the process has started;
; start since - the number of seconds since the process has started;
; requests - the number of requests the process has served;
; request duration - the duration in µs of the requests;
; request method - the request method (GET, POST, ...);
; request URI - the request URI with the query string;
; content length - the content length of the request (only with POST);
; user - the user (PHP_AUTH_USER) (or '-' if not set);
; script - the main script called (or '-' if not set);
; last request cpu - the %cpu the last request consumed
; it's always 0 if the process is not in Idle state
; because CPU calculation is done when the request
; processing has terminated;
; last request memory - the max amount of memory the last request consumed
; it's always 0 if the process is not in Idle state
; because memory calculation is done when the request
; processing has terminated;
; If the process is in Idle state, then informations are related to the
; last request the process has served. Otherwise informations are related to
; the current request being served.
; Example output:
; ************************
; pid: 31330
; state: Running
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 63087
; requests: 12808
; request duration: 1250261
; request method: GET
; request URI: /test_mem.php?N=10000
; content length: 0
; user: -
; script: /home/fat/web/docs/php/test_mem.php
; last request cpu: 0.00
; last request memory: 0
;
; Note: There is a real-time FPM status monitoring sample web page available
; It's available in: @EXPANDED_DATADIR@/fpm/status.html
;
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;pm.status_path = /status
; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
; - create a graph of FPM availability (rrd or such);
; - remove a server from a group if it is not responding (load balancing);
; - trigger alerts for the operating team (24/7).
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;ping.path = /ping
; This directive may be used to customize the response of a ping request. The
; response is formatted as text/plain with a 200 response code.
; Default Value: pong
;ping.response = pong
; The access log file
; Default: not set
;access.log = log/$pool.access.log
; The access log format.
; The following syntax is allowed
; %%: the '%' character
; %C: %CPU used by the request
; it can accept the following format:
; - %{user}C for user CPU only
; - %{system}C for system CPU only
; - %{total}C for user + system CPU (default)
; %d: time taken to serve the request
; it can accept the following format:
; - %{seconds}d (default)
; - %{miliseconds}d
; - %{mili}d
; - %{microseconds}d
; - %{micro}d
; %e: an environment variable (same as $_ENV or $_SERVER)
; it must be associated with embraces to specify the name of the env
; variable. Some exemples:
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
; %f: script filename
; %l: content-length of the request (for POST request only)
; %m: request method
; %M: peak of memory allocated by PHP
; it can accept the following format:
; - %{bytes}M (default)
; - %{kilobytes}M
; - %{kilo}M
; - %{megabytes}M
; - %{mega}M
; %n: pool name
; %o: output header
; it must be associated with embraces to specify the name of the header:
; - %{Content-Type}o
; - %{X-Powered-By}o
; - %{Transfert-Encoding}o
; - ....
; %p: PID of the child that serviced the request
; %P: PID of the parent of the child that serviced the request
; %q: the query string
; %Q: the '?' character if query string exists
; %r: the request URI (without the query string, see %q and %Q)
; %R: remote IP address
; %s: status (response code)
; %t: server time the request was received
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %T: time the log has been written (the request has finished)
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %u: remote user
;
; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
slowlog = syslog
; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_slowlog_timeout = 0
; Depth of slow log stack trace.
; Default Value: 20
;request_slowlog_trace_depth = 20
; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_terminate_timeout = 0
; Set open file descriptor rlimit.
; Default Value: system defined value
;rlimit_files = 1024
; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0
; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
; of its subdirectories. If the pool prefix is not set, the global prefix
; will be used instead.
; Note: chrooting is a great security feature and should be used whenever
; possible. However, all PHP paths will be relative to the chroot
; (error_log, sessions.save_path, ...).
; Default Value: not set
;chroot =
; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
;chdir = /var/www
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environement, this can cause some delay in the page
; process time (several ms).
; Default Value: no
;catch_workers_output = yes
; Clear environment in FPM workers
; Prevents arbitrary environment variables from reaching FPM worker processes
; by clearing the environment in workers before env vars specified in this
; pool configuration are added.
; Setting to "no" will make all environment variables available to PHP code
; via getenv(), $_ENV and $_SERVER.
; Default Value: yes
;clear_env = no
; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; execute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5 .php7
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
;env[HOSTNAME] = $HOSTNAME
;env[PATH] = /usr/local/bin:/usr/bin:/bin
;env[TMP] = /tmp
;env[TMPDIR] = /tmp
;env[TEMP] = /tmp
; Additional php.ini defines, specific to this pool of workers. These settings
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
; php_value/php_flag - you can set classic ini defines which can
; be overwritten from PHP call 'ini_set'.
; php_admin_value/php_admin_flag - these directives won't be overwritten by
; PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
; Defining 'extension' will load the corresponding shared extension from
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
; overwrite previously defined php.ini values, but will append the new value
; instead.
; Note: path INI options can be relative and will be expanded with the prefix
; (pool, global or @prefix@)
; Default Value: nothing is defined by default except the values in php.ini and
; specified at startup with the -d argument
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
;php_flag[display_errors] = off
php_admin_value[error_log] = syslog
php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 128M
; Set the following data paths to directories owned by the FPM process user.
;
; Do not change the ownership of existing system directories, if the process
; user does not have write permission, create dedicated directories for this
; purpose.
;
; See warning about choosing the location of these directories on your system
; at http://php.net/session.save-path
php_value[session.save_handler] = redis
;GNUNUX php_value[session.save_path] = /var/lib/php/session
;php_value[session.save_path] = "tcp://%%redis_client_server_domainname:6379?auth[user]=%%redis_client_username&auth[pass]=%%redis_client_password"
php_value[soap.wsdl_cache_dir] = /var/lib/php/wsdlcache
;php_value[opcache.file_cache] = /var/lib/php/opcache
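Review bot: `listen.acl_users = %%php_fpm_user` grants socket access to the pool's own user rather than to the web server that connects to `/run/php-fpm/www.sock`; the ACL should name the nginx/httpd account (the `listen.owner`/`listen.group` lines stay ignored once an ACL is set, as the comment above them says). Two smaller points: `php_value[session.save_handler] = redis` is set but `session.save_path` is left commented out, so the pool silently depends on the php.ini value from the other hunk; and `listen.allowed_clients = 127.0.0.1` has no effect on a unix socket, as the directive's own comment states, so drop it or mark it TCP-only.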

View file

@ -0,0 +1,14 @@
Test une session avec redis
============================
<?php
session_id('jlnp3nfrq92ffquipn4534ojbe');
session_start();
if (!isset($_SESSION['count'])) {
$_SESSION['count'] = 0;
} else {
$_SESSION['count']++;
}
print($_SESSION['count']);
?>
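Review bot: `session_id('jlnp3nfrq92ffquipn4534ojbe')` pins every visitor to one fixed session, which is what makes the counter test reproducible but also means the snippet must never be served from a production document root; say in the heading that it is a one-off manual check to run and delete, or keep it outside the web root.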

View file

@ -1,2 +1,4 @@
format: '0.1' format: '0.1'
description: PHP configuration description: PHP configuration
depends:
- redis-client

View file

@ -1329,7 +1329,11 @@ browscap = /etc/php/extra/browscap.ini
[Session] [Session]
; Handler used to store/retrieve data. ; Handler used to store/retrieve data.
; http://php.net/session.save-handler ; http://php.net/session.save-handler
session.save_handler = files # GNUNUX session.save_handler = files
session.save_handler = redis
session.save_path = "tcp://%%redis_client_server_domainname:6379?auth[user]=%%redis_client_username&auth[pass]=%%redis_client_password"
;GNUNUX https://github.com/phpredis/phpredis/issues/2062
#session.save_path = "tls://%%redis_client_server_domainname:6379?auth[user]=%%redis_client_username&auth[pass]=%%redis_client_password&stream[verify_peer]=1&stream[cafile]=/etc/pki/ca-trust/source/anchors/ca_Redis.crt&stream[local_cert]=/etc/pki/tls/certs/redis.crt&stream[local_pk]=/etc/pki/tls/private/redis.key"
; Argument passed to save_handler. In the case of files, this is the path ; Argument passed to save_handler. In the case of files, this is the path
; where data files are stored. Note: Windows users have to change this ; where data files are stored. Note: Windows users have to change this
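Review bot: the two `#`-prefixed lines (`# GNUNUX session.save_handler = files` and `#session.save_path = "tls://…"`) are not comments for PHP 7 and later, which dropped `#`-style comments in ini files; use `;` so the parser does not trip on them. Separately, the active `session.save_path` sends the Redis user and password over plain `tcp://` while the `tls://` variant is parked behind the phpredis issue link; note which phpredis version is expected to let the TLS line be re-enabled, and restrict the mode of this php.ini now that it embeds credentials.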
@ -1424,7 +1428,7 @@ session.serialize_handler = php
; Development Value: 1 ; Development Value: 1
; Production Value: 1 ; Production Value: 1
; http://php.net/session.gc-probability ; http://php.net/session.gc-probability
session.gc_probability = 0 session.gc_probability = 1
; Defines the probability that the 'garbage collection' process is started on every ; Defines the probability that the 'garbage collection' process is started on every
; session initialization. The probability is calculated by using gc_probability/gc_divisor, ; session initialization. The probability is calculated by using gc_probability/gc_divisor,

View file

@ -6,6 +6,6 @@ depends:
- ldap-client-fedora - ldap-client-fedora
- oauth2-client - oauth2-client
- relay-mail-client - relay-mail-client
- nginx-common - nginx-https
- php-fpm - php-fpm
- reverse-proxy-client - reverse-proxy-client

View file

@ -1,11 +1,56 @@
<?xml version='1.0' encoding='UTF-8'?> <?xml version='1.0' encoding='UTF-8'?>
<rougail version="0.10"> <rougail version="0.10">
<services> <services>
<service name="piwigo" manage="False"> <service name="piwigo" engine="creole" target="multi-user">
<file source="tmpfile-piwigo.conf">/tmpfiles.d/0piwigo.conf</file>
<file>/etc/piwigo/config.inc.php</file>
<file>/etc/piwigo/database.inc.php</file>
<file mode="755">/bin/piwigo.sh</file>
<file engine="none">/etc/php-fpm.d/piwigo.conf</file>
</service> </service>
</services> </services>
<variables> <variables>
<family name="piwigo" description="Piwigo"> <variable name="piwigo_admin_email" type="mail" description="Adresse courriel de l'administrateur Piwigo" mandatory="True"/>
<variable name="piwigo_admin_password" type="password" auto_save="True" hidden="True"/>
<variable name="nginx_root_directory" mandatory="True" redefine="True">
<value>/usr/local/share/piwigo</value>
</variable>
<variable name="piwigo_title" type="string" description="Titre de l'album" mandatory="True">
<value>Album photographique</value>
</variable>
<family name="users" leadership="True">
<variable name="piwigo_users" type="unix_user" description="Utilisateur ayant un album" multi="True" mandatory="True"/>
<variable name="piwigo_email" type="mail" description="Adresse courriel" mandatory="True"/>
</family>
<family name="oauth2_client">
<variable name="oauth2_is_client_application" redefine='True'>
<value>True</value>
</variable>
<variable name="oauth2_client_name" redefine='True'>
<value>Album</value>
</variable>
<variable name="oauth2_client_description" redefine='True'>
<value>Album photographique Piwigo</value>
</variable>
<variable name="oauth2_client_category" redefine='True'>
<value>Diffusion</value>
</variable>
<variable name="oauth2_client_logo" redefine='True'>
<value>silique_image.png</value>
</variable>
</family> </family>
</variables> </variables>
<constraints>
<fill name="get_password">
<param name="server_name" type="variable">domain_name_eth0</param>
<param name="username">admin_password</param>
<param name="description">piwigo</param>
<param name="type">cleartext</param>
<target>piwigo_admin_password</target>
</fill>
<fill name="get_locations">
<param name="usernames" type="variable">piwigo_users</param>
<target>nginx_locations</target>
</fill>
</constraints>
</rougail> </rougail>
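Review bot: `/etc/piwigo/config.inc.php` and `/etc/piwigo/database.inc.php` are declared as plain `<file>` entries with no `owner`, `group` or `mode`, yet database.inc.php is where Piwigo keeps its database credentials; give them an explicit restrictive mode owned by the pool user, in the same way `/bin/piwigo.sh` gets `mode="755"`. Also, `piwigo_admin_password` is `hidden="True"` and filled as `cleartext` by the `get_password` constraint but has no description; document where it is consumed.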

View file

@ -0,0 +1,6 @@
from risotto.utils import multi_function as _multi_function
@_multi_function
def get_locations(usernames):
return ['/'] + ['/' + user for user in usernames]

View file

@ -0,0 +1,13 @@
<?php
define('PHPWG_ROOT_PATH','./');
if (isset($_GET['v']) and $_GET['v'] == 1)
include_once( PHPWG_ROOT_PATH. 'plugins/piwigo-openstreetmap/osmmap.php');
else if (isset($_GET['v']) and $_GET['v'] == 2)
include_once( PHPWG_ROOT_PATH. 'plugins/piwigo-openstreetmap/osmmap2.php');
else if (isset($_GET['v']) and $_GET['v'] == 3)
include_once( PHPWG_ROOT_PATH. 'plugins/piwigo-openstreetmap/osmmap3.php');
else if (isset($_GET['v']) and $_GET['v'] == 4)
include_once( PHPWG_ROOT_PATH. 'plugins/piwigo-openstreetmap/osmmap4.php');
else
include_once( PHPWG_ROOT_PATH. 'plugins/piwigo-openstreetmap/osmmap3.php');
?>
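Review bot: the if/else chain on `$_GET['v']` is effectively an allowlist (every include path is a literal, so there is no path injection), but `$_GET['v'] == 1` is a loose comparison whose result for non-numeric strings differs between PHP 7 and PHP 8; an `(int)` cast plus a lookup table (`1 => 'osmmap.php'`, `2 => 'osmmap2.php'`, … with `osmmap3.php` as the fallback) would express the intent in a few lines and keep the default in one place.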

View file

@ -0,0 +1,288 @@
--- piwigo/admin/include/functions_install.inc.php
+++ piwigo/admin/include/functions_install.inc.php
@@ -21,6 +21,7 @@
* @param string $replaced
* @param string $replacing
*/
+
function execute_sqlfile($filepath, $replaced, $replacing, $dblayer)
{
$sql_lines = file($filepath);
@@ -91,17 +92,15 @@ function activate_core_plugins()
}
/**
- * Connect to database during installation. Uses $_POST.
+ * Connect to database during installation.
*
- * @param array &$infos - populated with infos
* @param array &$errors - populated with errors
*/
-function install_db_connect(&$infos, &$errors)
+function install_db_connect($dbhost, $dbuser, $dbpasswd, $dbname, &$errors)
{
try
{
- pwg_db_connect($_POST['dbhost'], $_POST['dbuser'],
- $_POST['dbpasswd'], $_POST['dbname']);
+ pwg_db_connect($dbhost, $dbuser, $dbpasswd, $dbname);
pwg_db_check_version();
}
catch (Exception $e)
@@ -110,4 +109,101 @@ function install_db_connect(&$infos, &$errors)
}
}
-?>
\ No newline at end of file
+/**
+ * Create and initialize database
+ *
+ * @param object languages - languages informations
+ * @param string language - default language
+ * @param string prefixeTable - prefix of database names
+ */
+function initialize_db($languages, $language, $prefixeTable, &$errors=[])
+{
+ include_once(PHPWG_ROOT_PATH.PWG_LOCAL_DIR .'config/database.inc.php');
+ $result = pwg_query("SHOW TABLES LIKE '${prefixeTable}activity';");
+ if(pwg_db_num_rows($result))
+ {
+ $errors[] = l10n('The database is already imported');
+ return;
+ }
+ // tables creation, based on piwigo_structure.sql
+ execute_sqlfile(
+ PHPWG_ROOT_PATH.'install/piwigo_structure-mysql.sql',
+ DEFAULT_PREFIX_TABLE,
+ $prefixeTable,
+ 'mysql'
+ );
+ // We fill the tables with basic informations
+ execute_sqlfile(
+ PHPWG_ROOT_PATH.'install/config.sql',
+ DEFAULT_PREFIX_TABLE,
+ $prefixeTable,
+ 'mysql'
+ );
+
+ $query = '
+INSERT INTO '.$prefixeTable.'config (param,value,comment)
+ VALUES (\'secret_key\',md5('.pwg_db_cast_to_text(DB_RANDOM_FUNCTION.'()').'),
+ \'a secret key specific to the gallery for internal use\');';
+ pwg_query($query);
+
+ conf_update_param('piwigo_db_version', get_branch_from_version(PHPWG_VERSION));
+ conf_update_param('gallery_title', pwg_db_real_escape_string(l10n('Just another Piwigo gallery')));
+
+ conf_update_param(
+ 'page_banner',
+ '<h1>%gallery_title%</h1>'."\n\n<p>".pwg_db_real_escape_string(l10n('Welcome to my photo gallery')).'</p>'
+ );
+
+ // fill languages table, only activate the current language
+ $languages->perform_action('activate', $language);
+
+ // fill $conf global array
+ load_conf_from_db();
+
+ // PWG_CHARSET is required for building the fs_themes array in the
+ // themes class
+ if (!defined('PWG_CHARSET'))
+ {
+ define('PWG_CHARSET', 'utf-8');
+ }
+ activate_core_themes();
+ activate_core_plugins();
+
+ $insert = array(
+ 'id' => 1,
+ 'galleries_url' => PHPWG_ROOT_PATH.'galleries/',
+ );
+ mass_inserts(SITES_TABLE, array_keys($insert), array($insert));
+
+}
+
+/**
+ * Add first admin in database
+ *
+ * @param string admin_name - admin name
+ * @param string admin_pass1 - admin password
+ * @param string admin_main - admin email
+ * @param string admin_language - language of admin
+ */
+function add_admin($admin_name, $admin_pass1, $admin_mail, $language)
+{
+ // webmaster admin user
+ $inserts = array(
+ array(
+ 'id' => 1,
+ 'username' => $admin_name,
+ 'password' => md5($admin_pass1),
+ 'mail_address' => $admin_mail,
+ ),
+ array(
+ 'id' => 2,
+ 'username' => 'guest',
+ ),
+ );
+ mass_inserts(USERS_TABLE, array_keys($inserts[0]), $inserts);
+
+ create_user_infos(array(1,2), array('language' => $language));
+
+}
+
+?>
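Review bot: `initialize_db($languages, $language, $prefixeTable, &$errors=[])` makes the by-reference `$errors` optional, so a caller that omits it appends `The database is already imported` to a temporary array that is discarded, and the function returns `void` with no other signal; return `false` on that early exit (or make `$errors` mandatory) so the caller can stop before adding the admin user. Two smaller points: `"SHOW TABLES LIKE '${prefixeTable}activity';"` uses the `${var}` interpolation form that PHP 8.2 deprecates, `{$prefixeTable}` is the safe spelling; and the lone `+` blank line added above `execute_sqlfile` in the first hunk is stray.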
--- piwigo/admin/include/functions_upgrade.php
+++ piwigo/admin/include/functions_upgrade.php
@@ -319,4 +319,30 @@ function upgrade_db_connect()
my_error(l10n($e->getMessage()), true);
}
}
+
+/**
+ * Mark all upgrades as done.
+ * Available upgrades must be ignored after a fresh installation. To
+ * make PWG avoid upgrading, we must tell it upgrades have already been
+ * made.
+ */
+function mark_all_upgrades_as_done() {
+ list($dbnow) = pwg_db_fetch_row(pwg_query('SELECT NOW();'));
+ define('CURRENT_DATE', $dbnow);
+ $datas = array();
+ foreach (get_available_upgrade_ids() as $upgrade_id)
+ {
+ $datas[] = array(
+ 'id' => $upgrade_id,
+ 'applied' => CURRENT_DATE,
+ 'description' => 'upgrade included in installation',
+ );
+ }
+ mass_inserts(
+ UPGRADE_TABLE,
+ array_keys($datas[0]),
+ $datas
+ );
+}
+
?>
--- piwigo/install.php
+++ piwigo/install.php
@@ -166,6 +166,7 @@ if (@file_exists($config_file))
include(PHPWG_ROOT_PATH . 'include/constants.php');
include(PHPWG_ROOT_PATH . 'admin/include/functions.php');
+include(PHPWG_ROOT_PATH . 'admin/include/functions_upgrade.php');
include(PHPWG_ROOT_PATH . 'admin/include/languages.class.php');
$languages = new languages('utf-8');
@@ -253,11 +254,10 @@ if (!isset($step))
//---------------------------------------------------------------- form analyze
include(PHPWG_ROOT_PATH .'include/dblayer/functions_'.$dblayer.'.inc.php');
include(PHPWG_ROOT_PATH . 'admin/include/functions_install.inc.php');
-include(PHPWG_ROOT_PATH . 'admin/include/functions_upgrade.php');
if (isset($_POST['install']))
{
- install_db_connect($infos, $errors);
+ install_db_connect($dbhost, $dbuser, $dbpasswd, $dbname, $errors);
pwg_db_check_charset();
$webmaster = trim(preg_replace('/\s{2,}/', ' ', $admin_name));
@@ -328,93 +328,9 @@ define(\'DB_COLLATE\', \'\');
@fputs($fp, $file_content, strlen($file_content));
@fclose($fp);
- // tables creation, based on piwigo_structure.sql
- execute_sqlfile(
- PHPWG_ROOT_PATH.'install/piwigo_structure-mysql.sql',
- DEFAULT_PREFIX_TABLE,
- $prefixeTable,
- 'mysql'
- );
- // We fill the tables with basic informations
- execute_sqlfile(
- PHPWG_ROOT_PATH.'install/config.sql',
- DEFAULT_PREFIX_TABLE,
- $prefixeTable,
- 'mysql'
- );
-
- $query = '
-INSERT INTO '.$prefixeTable.'config (param,value,comment)
- VALUES (\'secret_key\',md5('.pwg_db_cast_to_text(DB_RANDOM_FUNCTION.'()').'),
- \'a secret key specific to the gallery for internal use\');';
- pwg_query($query);
-
- conf_update_param('piwigo_db_version', get_branch_from_version(PHPWG_VERSION));
- conf_update_param('gallery_title', pwg_db_real_escape_string(l10n('Just another Piwigo gallery')));
-
- conf_update_param(
- 'page_banner',
- '<h1>%gallery_title%</h1>'."\n\n<p>".pwg_db_real_escape_string(l10n('Welcome to my photo gallery')).'</p>'
- );
-
- // fill languages table, only activate the current language
- $languages->perform_action('activate', $language);
-
- // fill $conf global array
- load_conf_from_db();
-
- // PWG_CHARSET is required for building the fs_themes array in the
- // themes class
- if (!defined('PWG_CHARSET'))
- {
- define('PWG_CHARSET', 'utf-8');
- }
- activate_core_themes();
- activate_core_plugins();
-
- $insert = array(
- 'id' => 1,
- 'galleries_url' => PHPWG_ROOT_PATH.'galleries/',
- );
- mass_inserts(SITES_TABLE, array_keys($insert), array($insert));
-
- // webmaster admin user
- $inserts = array(
- array(
- 'id' => 1,
- 'username' => $admin_name,
- 'password' => md5($admin_pass1),
- 'mail_address' => $admin_mail,
- ),
- array(
- 'id' => 2,
- 'username' => 'guest',
- ),
- );
- mass_inserts(USERS_TABLE, array_keys($inserts[0]), $inserts);
-
- create_user_infos(array(1,2), array('language' => $language));
-
- // Available upgrades must be ignored after a fresh installation. To
- // make PWG avoid upgrading, we must tell it upgrades have already been
- // made.
- list($dbnow) = pwg_db_fetch_row(pwg_query('SELECT NOW();'));
- define('CURRENT_DATE', $dbnow);
- $datas = array();
- foreach (get_available_upgrade_ids() as $upgrade_id)
- {
- $datas[] = array(
- 'id' => $upgrade_id,
- 'applied' => CURRENT_DATE,
- 'description' => 'upgrade included in installation',
- );
- }
- mass_inserts(
- UPGRADE_TABLE,
- array_keys($datas[0]),
- $datas
- );
-
+ initialize_db($languages, $language, $prefixeTable);
+ add_admin($admin_name, $admin_pass1, $admin_mail, $language);
+ mark_all_upgrades_as_done();
if ($is_newsletter_subscribe)
{
fetchRemote(
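Review bot: `initialize_db($languages, $language, $prefixeTable);` at the replacement site passes no `$errors`, so the new already-imported guard inside `initialize_db` has nowhere to report and the install proceeds straight to `add_admin(...)`, re-inserting user ids 1 and 2 into an existing table; pass `$errors` and skip `add_admin`/`mark_all_upgrades_as_done` when it is non-empty.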

View file

@ -1,3 +1,5 @@
set -e
ORIPWD=$PWD
mkdir -p "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/local/share" mkdir -p "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/local/share"
cd "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/local/share" cd "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/local/share"
app=$(wget https://api.github.com/repos/Piwigo/Piwigo/releases/latest -q -O - | jq -r '.tag_name') app=$(wget https://api.github.com/repos/Piwigo/Piwigo/releases/latest -q -O - | jq -r '.tag_name')
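Review bot: `set -e` does not cover `wget … | jq -r '.tag_name'` on the `app=` line, since only jq's exit status counts; add `set -o pipefail`, and consider `-u` as well, because an unset `IMAGE_NAME_RISOTTO_IMAGE_DIR` turns the `mkdir -p`/`cd` into `/usr/local/share` on the build host.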
@ -6,4 +8,65 @@ tar xf *tar.gz
rm -f *tar.gz rm -f *tar.gz
mv Piwigo-* piwigo mv Piwigo-* piwigo
chown -R root: piwigo chown -R root: piwigo
cd - rm -rf piwigo/doc piwigo/README.md # piwigo/install.php
ln -s /etc/piwigo/config.inc.php piwigo/local/config/config.inc.php
ln -s /etc/piwigo/database.inc.php piwigo/local/config/database.inc.php
ln -s /srv/piwigo/data piwigo/_data
ln -s /srv/piwigo/upload piwigo/upload
ln -s /srv/piwigo/logs piwigo/logs
cp $OLDPWD/piwigo/postinstall/osmmap.php piwigo/
chmod 644 piwigo/osmmap.php
patch -p0 < $OLDPWD/piwigo/postinstall/piwigo.patch
cp $OLDPWD/piwigo/postinstall/piwigo_cli.php piwigo/
# Plugins
cd piwigo/plugins
wget https://piwigo.org/ext/download.php?rid=7848 -O plugin.zip
unzip plugin.zip
rm -f plugin.zip
#
wget https://piwigo.org/ext/download.php?rid=8014 -O plugin.zip
unzip plugin.zip
rm -f plugin.zip
#
app=$(wget https://api.github.com/repos/Piwigo/piwigo-openstreetmap/releases/latest -q -O - | jq -r '.tag_name')
wget -q "https://github.com/Piwigo/piwigo-openstreetmap/archive/refs/tags/$app.tar.gz"
tar xf *tar.gz
rm -f *tar.gz
mv piwigo-openstreetmap-* piwigo-openstreetmap
#
wget https://piwigo.org/ext/download.php?rid=7744 -O plugin.zip
unzip plugin.zip
rm -f plugin.zip
# community
wget https://piwigo.org/ext/download.php?rid=8160 -O plugin.zip
unzip plugin.zip
rm -f plugin.zip
echo """<?php
$lang['Edit photos'] = 'Editer les photos';
$lang['Edit Photos'] = 'Editer les photos';
$lang['Edit your photos'] = 'Editer vos photos';
$lang['Photos posted by %s'] = 'Photos postées par %s';
$lang['Photos posted by %s in album %s'] = 'Photos postées par %s dans l\'album %s';
$lang['Select at least one tag'] = 'Sélectionner au moins un tag';
$lang['Select at least one photo'] = 'Sélectionner au moins une photo';
$lang['No photo can be deleted'] = 'Aucune photo ne peut être supprimée';
$lang['You need to confirm deletion'] = 'Vous devez confirmer la suppression';
$lang['No photo selected, no action possible.'] = 'Aucune photo sélectionnée, aucune action possible.';
?>
""" >> community/language/fr_FR/plugin.lang.php
# embedded
wget https://fr.piwigo.org/ext/download.php?rid=7924 -O plugin.zip
unzip plugin.zip
rm -f plugin.zip
# user delete photo
#wget https://fr.piwigo.org/ext/download.php?rid=7974 -O plugin.zip
#unzip plugin.zip
#rm -f plugin.zip
# Theme
cd ../themes/
wget https://piwigo.org/ext/download.php?rid=8163 -O plugin.zip
unzip plugin.zip
rm -f plugin.zip
ln -s /srv/piwigo/bootstrap_darkroom ../local/bootstrap_darkroom
#
cd $ORIPWD
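Review bot: the `echo """<?php ... """ >> community/language/fr_FR/plugin.lang.php` block is broken by shell expansion. In bash `"""` is an empty string followed by an opening double quote, so the whole body is double-quoted and every `$lang[...]` undergoes parameter expansion; `$lang` is unset, which leaves lines such as `['Edit photos'] = 'Editer les photos';` in the appended PHP, a parse error that takes the community plugin's French translation file down with it. Write it as a quoted heredoc instead (`cat >> community/language/fr_FR/plugin.lang.php <<'EOF'` ... `EOF`), which keeps `$lang` and `\'` literal. Two smaller points in the same hunk: the plugin and theme zips fetched by `rid=` from piwigo.org, and the `latest` tag of piwigo-openstreetmap, are unpacked with no version pin or checksum, so the image content depends on whatever the site serves on build day; and the `# piwigo/install.php` left commented in the `rm -rf` line should state whether the installer is meant to stay in the document root.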

View file

@ -0,0 +1,288 @@
#!/usr/bin/php
<?php
define('PHPWG_ROOT_PATH', dirname($argv[0]) . '/');
include(PHPWG_ROOT_PATH . 'include/config_default.inc.php');
@include(PHPWG_ROOT_PATH. 'local/config/config.inc.php');
defined('PWG_LOCAL_DIR') or define('PWG_LOCAL_DIR', 'local/');
define('DEFAULT_PREFIX_TABLE', 'piwigo_');
include(PHPWG_ROOT_PATH.PWG_LOCAL_DIR .'config/database.inc.php');
include(PHPWG_ROOT_PATH . 'include/dblayer/functions_'.$conf['dblayer'].'.inc.php');
include(PHPWG_ROOT_PATH . 'include/functions.inc.php');
include(PHPWG_ROOT_PATH . 'admin/include/functions_install.inc.php');
include(PHPWG_ROOT_PATH . 'admin/include/functions_upgrade.php');
include(PHPWG_ROOT_PATH . 'include/constants.php');
include(PHPWG_ROOT_PATH . 'include/ws_functions/pwg.extensions.php');
include(PHPWG_ROOT_PATH . 'include/template.class.php');
$filename = PHPWG_ROOT_PATH . 'plugins/OpenIdConnect/main.inc.php';
if (is_file($filename))
{
include($filename);
$OIDC_INSTALLED = true;
}
else
{
$OIDC_INSTALLED = false;
};
// all namespaces with options
$namespaces_data = array('db:install' => array('language:'),
'user:create' => array('login:', 'mail_address:'),
'user:admin:create' => array('login:', 'admin_pass:', 'mail_address:', 'language:'),
'config:show' => array(),
'config:modify' => array('conf_name:', 'value:', 'type:'),
'config:show:array' => array('conf_name:'),
'config:modify:array' => array('conf_name:', 'key:', 'value:', 'type:'),
'config:show:json' => array('conf_name:'),
'config:modify:json' => array('conf_name:', 'key:', 'value:', 'type:'),
'plugin:activate' => array('plugin_name:'),
'plugin:deactivate' => array('plugin_name:'),
'theme:activate' => array('theme_name:'),
);
if ($OIDC_INSTALLED) {
$namespaces_data['user:create'][] = 'oidc';
}
if (is_file(PHPWG_ROOT_PATH . 'plugins/community/admin.php')) {
$namespaces_data['community:permission:add'] = array('type:', 'user_album', 'recursive', 'create_subcategories', 'moderated');
}
// command line must starts with -c namespace
$namespaces = array_keys($namespaces_data);
if ($argc < 3 || $argv[1] != '-c' || !in_array($argv[2], $namespaces)) {
$namespaces_str = implode('|', $namespaces);
exit("Usage: $argv[0]: -c [$namespaces_str]" . PHP_EOL);
}
// load extra parameter for this namespace
$namespace = $argv[2];
$rest_index = 0;
$options = getopt('c:', $namespaces_data[$namespace], $rest_index);
$error = false;
$namespace_options = '';
foreach ($namespaces_data[$namespace] as $parameter) {
if(str_ends_with($parameter, ':')) {
$parameter = substr($parameter, 0, -1);
$namespace_options .= " --$parameter <$parameter>";
if (!isset($options[$parameter])) {
$error = true;
}
} else {
$namespace_options .= " --$parameter";
}
}
if ($rest_index != count($argv)) {
exit("Error in arguments.". PHP_EOL . "Usage: $argv[0]: -c $namespace$namespace_options" . PHP_EOL);
}
if ($error) {
exit("Some arguments are missing.". PHP_EOL . "Usage: $argv[0]: -c $namespace$namespace_options" . PHP_EOL);
}
function get_all_languages()
{
include(PHPWG_ROOT_PATH . 'admin/include/languages.class.php');
return new languages('utf-8');
}
function validate_language($language, $languages) {
$languages_available = array_keys($languages->fs_languages);
if (!in_array($language, $languages_available))
{
exit("Invalid language $language (not in " . implode(', ', $languages_available) . ") ". PHP_EOL . "Usage: $argv[0]: -c $namespace$namespace_options" . PHP_EOL);
}
}
function cast_value($type, $value)
{
if ($type === 'boolean')
{
$value = get_boolean($value);
}
else if ($type === 'integer')
{
$value = intval($value);
}
return $value;
}
function custom_array_modify($ori_config, $options)
{
$value = cast_value($options['type'], $options['value']);
$keys = array_reverse(explode('.', $options['key']));
$update = Array($keys[0] => $value);
for ($i=0; $i<count($keys)-1; $i++)
{
$update = Array($keys[$i+1] => $update);
}
return array_replace_recursive($ori_config, $update);
}
$errors = array();
install_db_connect($conf['db_host'], $conf['db_user'], $conf['db_password'], $conf['db_base'], $errors);
if ( count( $errors ) !== 0 )
{
for ($i=0; $i<count($errors); $i++)
{
print($errors[$i] . PHP_EOL);
}
exit(1);
}
if ($namespace == 'db:install') {
global $user;
$user = Array('status' => 'webmaster');
$language = $options['language'];
$languages = get_all_languages();
validate_language($language, $languages);
$errors = [];
initialize_db($languages, $language, $prefixeTable, $errors);
if ($errors) {
for ($i=0; $i<count($errors); $i++)
{
print($errors[$i] . PHP_EOL);
}
exit(1);
}
// mark_all_upgrades_as_done();
}
else if ($namespace == 'user:create')
{
$password = random_pass();
global $user;
$user = Array('id' => 0);
$_SERVER['REMOTE_ADDR'] = '127.0.0.1';
session_start();
$id = register_user($options['login'], $password, $options['mail_address'], false);
if(array_key_exists('oidc', $options) && !$options['oidc'])
{
single_insert(OIDC_TABLE, [
'sub' => $options['mail_address'],
'user_id' => $id,
]);
}
}
else if ($namespace == 'user:admin:create')
{
$language = $options['language'];
$languages = get_all_languages();
validate_language($language, $languages);
add_admin($options['login'], $options['admin_pass'], $options['mail_address'], $options['language']);
}
else if ($namespace == 'config:show')
{
load_conf_from_db();
$config = safe_unserialize($conf);
var_dump($config);
}
else if ($namespace == 'config:modify')
{
$value = cast_value($options['type'], $options['value']);
load_conf_from_db();
conf_update_param($options['conf_name'], $value);
}
else if ($namespace == 'plugin:activate')
{
global $user, $template;
$user = Array('status' => 'webmaster', 'id' => 0);
$_SERVER['REMOTE_ADDR'] = '127.0.0.1';
session_start();
$template = new Template(PHPWG_ROOT_PATH.'admin/themes', 'clear');
$conf['secret_key'] = 'secret';
$params = array(
'action' => 'activate',
'plugin' => $options['plugin_name'],
'pwg_token' => get_pwg_token(),
);
$errors = ws_plugins_performAction($params, null);
if (! $errors) {
var_dump($errors);
exit(1);
}
}
else if ($namespace == 'plugin:deactivate')
{
global $user, $template;
$user = Array('status' => 'webmaster');
$template = new Template(PHPWG_ROOT_PATH.'admin/themes', 'clear');
$conf['secret_key'] = 'secret';
$params = array(
'action' => 'deactivate',
'plugin' => $options['plugin_name'],
'pwg_token' => get_pwg_token(),
);
$errors = ws_plugins_performAction($params, null);
if (! $errors) {
var_dump($errors);
exit(1);
}
}
else if ($namespace == 'config:show:array')
{
load_conf_from_db();
$config = safe_unserialize($conf[$options['conf_name']]);
var_dump($config);
}
else if ($namespace == 'config:modify:array')
{
load_conf_from_db();
$ori_config = safe_unserialize($conf[$options['conf_name']]);
$new_config = serialize(custom_array_modify($ori_config, $options));
conf_update_param($options['conf_name'], $new_config);
}
else if ($namespace == 'config:show:json')
{
load_conf_from_db();
$config = json_decode($conf[$options['conf_name']], true);
var_dump($config);
}
else if ($namespace == 'config:modify:json')
{
load_conf_from_db();
if(array_key_exists($options['conf_name'], $conf))
{
$ori_config = json_decode($conf[$options['conf_name']], true);
}
else
{
$ori_config = Array();
}
$new_config = json_encode(custom_array_modify($ori_config, $options));
conf_update_param($options['conf_name'], $new_config);
}
else if ($namespace == 'theme:activate')
{
global $page, $template;
$template = new Template(PHPWG_ROOT_PATH.'admin/themes', 'clear');
$conf['mobile_theme'] = '';
$page = Array('page' => $options['theme_name']);
include(PHPWG_ROOT_PATH.'admin/themes_installed.php');
$themes = new themes();
$errors = $themes->perform_action('activate', $options['theme_name']);
if (!empty($errors)) {
var_dump($errors);
exit(1);
}
}
else if ($namespace == 'community:permission:add')
{
include(PHPWG_ROOT_PATH . 'plugins/community/main.inc.php');
$insert = array(
'type' => $options['type'],
'group_id' => null,
'user_id' => null,
'category_id' => null,
'user_album' => array_key_exists('user_album', $options) ? 'true' : 'false',
'`recursive`' => array_key_exists('recursive', $options) ? 'true' : 'false',
'create_subcategories' => array_key_exists('create_subcategories', $options) ? 'true' : 'false',
'moderated' => array_key_exists('moderated', $options) ? 'true' : 'false',
'nb_photos' => -1,
'storage' => -1,
);
mass_inserts(
COMMUNITY_PERMISSIONS_TABLE,
array_keys($insert),
array($insert)
);
}
?>
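Review bot: the error check in `plugin:activate` and `plugin:deactivate` is inverted: `if (! $errors) { var_dump($errors); exit(1); }` fires only when `ws_plugins_performAction()` returned an empty or false value, i.e. when there is nothing to dump, and is skipped when an error value comes back, so a failed activation reaches piwigo.sh as exit status 0 and the following `config:modify:array` calls run against a plugin that was never enabled. Use the form the `theme:activate` branch already uses, `if (!empty($errors))`; Piwigo's web-service functions report failure with an error object, not with `false`. Smaller points: `config:modify:array` dereferences `$conf[$options['conf_name']]` without the `array_key_exists` guard that `config:modify:json` has, so the first `config:modify:array --conf_name osm_conf` before that key exists trips an undefined index; add the same guard. And the usage errors `exit("Usage: ...")` exit with status 0, so a mistyped option in piwigo.sh passes as success.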

View file

@ -0,0 +1 @@
PKG="$PKG php-mysqlnd php-mbstring ImageMagick php-cli php-gd perl-Image-ExifTool"

View file

@ -0,0 +1,50 @@
<?php
if(!isset($_SERVER) && isset($_ENV) && isset($_ENV['REQUEST_URI']))
{
$_SERVER = Array('REQUEST_URI' => $_ENV['REQUEST_URI']);
}
%for %%idx, %%user in %%enumerate(%%piwigo_users)
%if %%idx != 0
}
else %slurp
%end if
if(str_starts_with($_SERVER['REQUEST_URI'], '/%%user/')) {
$prefixe = '%%{user}';
%end for
}
else
{
$conf['OIDC'] = Array('issuer_url' => 'https://%%oauth2_client_server_domainname/',
'client_id' => '%%oauth2_client_id',
'client_secret' => '%%oauth2_client_secret',
'scope' => 'openid profile email',
);
require_once(PHPWG_ROOT_PATH . 'plugins/OpenIdConnect/oidc.php');
require_once(PHPWG_ROOT_PATH . 'include/functions.inc.php');
$oidc = get_oidc_client();
try {
$success = $oidc->authenticate();
} catch (Exception $e) {
}
if (isset($_REQUEST['code'])) {
$token_json = $oidc->getTokenResponse();
$oidc->setAccessToken($token_json->access_token);
$name = $oidc->requestUserInfo('nickname');
if(isset($name)) {
redirect('/' . $name . '/plugins/OpenIdConnect/auth.php');
};
print('unknown album');
die();
}
}
$conf['data_location'] = "_data/$prefixe/";
$conf['log_dir'] = "logs/$prefixe";
$conf['upload_dir'] = "./upload/$prefixe";
$conf['graphics_library'] = 'ext_imagick';
$conf['osm_add_osmmap.php'] = false;
$conf['show_exif'] = false;
$conf['derivative_default_size'] = 'large';
#FOR GPX
$conf['upload_form_all_types'] = true;
?>
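Review bot: in the `else` branch, `redirect('/' . $name . '/plugins/OpenIdConnect/auth.php');` takes the `nickname` claim from the identity provider and uses it verbatim as the tenant path. The valid tenants are `%%piwigo_users`, which the `%for` loop above already enumerates; check `$name` against that list and fall through to the `unknown album` exit otherwise, so an unexpected nickname cannot steer the browser to an arbitrary path (a value beginning with `/` would even yield a protocol-relative `//host/...` target). Two further points: `catch (Exception $e) { }` swallows every authentication error and execution continues into `getTokenResponse()`; at least log and stop there. And `client_secret` is rendered into this file while piwigo.sh also writes the same `OIDC` block into the database via `config:modify:array`, two copies of one secret to keep in sync.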

View file

@ -0,0 +1,32 @@
<?php
$conf['dblayer'] = 'mysqli';
$conf['db_base'] = '%%mariadb_client_database';
$conf['db_user'] = '%%mariadb_client_username';
$conf['db_password'] = '%%mariadb_client_password';
$conf['db_host'] = '%%mariadb_client_server_domainname';
if(!isset($_SERVER) && isset($_ENV) && isset($_ENV['REQUEST_URI']))
{
$_SERVER = Array('REQUEST_URI' => $_ENV['REQUEST_URI']);
}
%for %%idx, %%user in %%enumerate(%%piwigo_users)
%if %%idx != 0
}
else %slurp
%end if
if(str_starts_with($_SERVER['REQUEST_URI'], '/%%user/')) {
$prefixeTable = 'piwigo_%%{user}_';
%end for
}
else
{
die('unknown album');
}
define('PHPWG_INSTALLED', true);
define('PWG_CHARSET', 'utf-8');
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', '');
?>
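Review bot: `if(!isset($_SERVER) && isset($_ENV) && isset($_ENV['REQUEST_URI']))` never runs: `$_SERVER` is a superglobal that exists in every SAPI, php-cli included, so `isset($_SERVER)` is always true. The CLI path in piwigo.sh works only because it exports `REQUEST_URI` and php-cli copies the environment into `$_SERVER`. Either test `isset($_SERVER['REQUEST_URI'])` or drop the block; the same dead code is in config.inc.php. Worth recording as a design decision too: every tenant selected by `$prefixeTable = 'piwigo_%%{user}_';` shares one database and one `db_user`, so separation between galleries is by table prefix only and any SQL-level bug in one gallery reaches every other gallery's tables.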

View file

@ -0,0 +1,2 @@
[www]
php_admin_value[error_reporting] = E_ALL & ~E_WARNING & ~E_DEPRECATED & ~E_STRICT

View file

@ -0,0 +1,14 @@
[Unit]
Description=Piwigo management
After=mariadbclient.service
Before=nginx.service php-fpm.service
[Service]
Type=oneshot
ExecStart=/usr/local/lib/bin/piwigo.sh
User=nginx
Group=nginx
[Install]
WantedBy=multi-user.target
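Review bot: `Before=nginx.service php-fpm.service` is ordering only; nothing here or in `[Install]` makes those services depend on this unit, so when piwigo.sh fails (it runs without `set -e`) nginx and php-fpm still come up and serve whatever state the galleries are in. If the web tier must not start without a successful setup, add `RequiredBy=nginx.service php-fpm.service` under `[Install]` or `Requires=` on the consumer side; otherwise say that a failed run is tolerated.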

View file

@ -0,0 +1,85 @@
%echo "#!/bin/bash"
set -x
cd /usr/local/share/piwigo
%for %%user in %%piwigo_users
export REQUEST_URI="/%%user/"
/usr/bin/php piwigo_cli.php -c db:install --language fr_FR
IMPORTED=$?
if [ "$IMPORTED" = "0" ]; then
/usr/bin/php piwigo_cli.php -c user:admin:create --login admin --admin_pass %%piwigo_admin_password --mail_address %%piwigo_admin_email --language fr_FR
fi
#
/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name picture_informations --key author --value false --type boolean
/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name picture_informations --key rating_score --value false --type boolean
/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name picture_informations --key visits --value false --type boolean
/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name picture_informations --key categories --value false --type boolean
/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name picture_informations --key posted_on --value false --type boolean
/usr/bin/php piwigo_cli.php -c config:modify --conf_name gallery_title --value "%%piwigo_title" --type string
/usr/bin/php piwigo_cli.php -c config:modify --conf_name page_banner --value "%%piwigo_title" --type string
/usr/bin/php piwigo_cli.php -c config:modify --conf_name allow_user_registration --value false --type boolean
/usr/bin/php piwigo_cli.php -c config:modify --conf_name allow_user_customization --value false --type boolean
/usr/bin/php piwigo_cli.php -c config:modify --conf_name nb_categories_page --value 40 --type string
/usr/bin/php piwigo_cli.php -c config:modify --conf_name picture_metadata_icon --value false --type boolean
/usr/bin/php piwigo_cli.php -c config:modify --conf_name picture_favorite_icon --value false --type boolean
/usr/bin/php piwigo_cli.php -c config:modify --conf_name picture_sizes_icon --value false --type boolean
/usr/bin/php piwigo_cli.php -c config:modify --conf_name no_photo_yet --value false --type boolean
#
/usr/bin/php piwigo_cli.php -c plugin:activate --plugin_name piwigo-openstreetmap
/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name osm_conf --key left_menu.enabled --value true --type boolean
/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name osm_conf --key left_menu.link --value "Voir sur la carte" --type string
/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name osm_conf --key right_panel.enabled --value false --type boolean
/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name osm_conf --key category_description.enabled --value true --type boolean
/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name osm_conf --key category_description.height --value 500 --type string
/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name osm_conf --key category_description.width --value 300 --type string
/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name osm_conf --key main_menu.enabled --value false --type boolean
#/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name osm_conf --key left_menu.link --value Carte --type string
/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name osm_conf --key batch.global_height --value 300 --type string
/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name osm_conf --key batch.unit_height --value 300 --type string
#/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name osm_conf --key main_menu.height --value 300 --type string
/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name osm_conf --key map.attrplugin --value false --type boolean
/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name osm_conf --key method --value resize --type string
/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name osm_conf --key method --value resize --type string
#
/usr/bin/php piwigo_cli.php -c plugin:activate --plugin_name GDThumb
/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name gdThumb --key margin --value 1 --type integer
/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name gdThumb --key big_thumb --value false --type boolean
#/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name gdThumb --key thumb_animate --value true --type boolean
/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name gdThumb --key thumb_metamode --value hide --type string
#
/usr/bin/php piwigo_cli.php -c plugin:activate --plugin_name rv_tscroller
#
/usr/bin/php piwigo_cli.php -c plugin:activate --plugin_name gvideo
#
/usr/bin/php piwigo_cli.php -c plugin:activate --plugin_name OpenIdConnect
/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name OIDC --key issuer_url --value https://%%oauth2_client_server_domainname/ --type string
/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name OIDC --key client_id --value %%oauth2_client_id --type string
/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name OIDC --key client_secret --value %%oauth2_client_secret --type string
/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name OIDC --key verify_host --value true --type boolean
/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name OIDC --key verify_peer --value true --type boolean
/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name OIDC --key register_new_users --value false --type boolean
/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name OIDC --key redirect_new_to_profile --value false --type boolean
/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name OIDC --key notify_admins_on_register --value false --type boolean
/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name OIDC --key notify_user_on_register --value false --type boolean
/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name OIDC --key authorization_code_flow --value true --type boolean
/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name OIDC --key password_flow --value false --type boolean
#
/usr/bin/php piwigo_cli.php -c plugin:activate --plugin_name community
if [ "$IMPORTED" = "0" ]; then
/usr/bin/php piwigo_cli.php -c community:permission:add --type any_registered_user --create_subcategories
fi
#
/usr/bin/php piwigo_cli.php -c plugin:activate --plugin_name gvideo
#
/usr/bin/php piwigo_cli.php -c theme:activate --theme_name bootstrap_darkroom
/usr/bin/php piwigo_cli.php -c config:modify:json --conf_name bootstrap_darkroom --key fluid_width --value true --type boolean
/usr/bin/php piwigo_cli.php -c config:modify:json --conf_name bootstrap_darkroom --key page_header --value none --type string
/usr/bin/php piwigo_cli.php -c config:modify:json --conf_name bootstrap_darkroom --key bootstrap_theme --value bootswatch-darkly --type string
/usr/bin/php piwigo_cli.php -c config:modify:json --conf_name bootstrap_darkroom --key navbar_main_bg --value bg-primary --type string
/usr/bin/php piwigo_cli.php -c config:modify:json --conf_name bootstrap_darkroom --key social_enabled --value false --type boolean
#
if [ "$IMPORTED" = "0" ]; then
/usr/bin/php piwigo_cli.php -c user:create --login %%user --mail_address %%user.piwigo_email --oidc
fi
%end for
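Review bot: `set -x` at the top of a script that passes `--admin_pass %%piwigo_admin_password` and `--value %%oauth2_client_secret` on the command line writes both secrets into the unit's journal on every boot, and while each `php` call runs they are readable by any local user through `/proc/<pid>/cmdline`. Drop the trace (or bracket the secret-bearing calls with `set +x` / `set -x`) and feed secrets through the environment or stdin rather than argv. Smaller points: `--key method --value resize` is issued twice and `plugin:activate --plugin_name gvideo` twice; the OIDC block repeats what config.inc.php already sets; and without `set -e` a failed `config:modify` after the `IMPORTED` check goes unnoticed.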

View file

@ -0,0 +1,6 @@
%for %%user in %%piwigo_users
d /srv/piwigo/logs/%%user 770 root nginx - -
d /srv/piwigo/upload/%%user 770 root nginx - -
d /srv/piwigo/data/%%user 770 root nginx - -
%end for
d /srv/piwigo/bootstrap_darkroom 770 root nginx - -

View file

@ -1,5 +1,4 @@
%set %%chain = %%get_chain(%%rougail_variable, 'MailRelay') %set %%chain = %%get_chain(authority_cn=%%rougail_variable, authority_name="MailRelay")
%set %%cert = %%get_certificate(%%rougail_variable, 'MailRelay') %set %%cert = %%get_certificate(%%rougail_variable, 'MailRelay')
%%get_private_key(%%rougail_variable, 'MailRelay') %%get_private_key(%%rougail_variable, 'MailRelay')
%%cert %%cert
%%chain
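Review bot: the new version still evaluates `%set %%chain = %%get_chain(authority_cn=%%rougail_variable, authority_name="MailRelay")` but no longer emits `%%chain`, so the CA chain silently disappears from the combined PEM (key, cert, chain becomes key, cert). If the chain is now meant to come from a separate `ca_MailRelay.crt`, delete the unused `%set` as well; if not, restore the trailing `%%chain`.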

View file

@ -5,7 +5,7 @@
<file mode="400">/secrets/postgresql.pass</file> <file mode="400">/secrets/postgresql.pass</file>
<file>/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt</file> <file>/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt</file>
<file>/etc/pki/tls/certs/postgresql.crt</file> <file>/etc/pki/tls/certs/postgresql.crt</file>
<file owner_type="variable" owner="pg_client_key_owner" mode="440">/etc/pki/tls/private/postgresql.key</file> <file owner_type="variable" owner="pg_client_key_owner" mode="400">/etc/pki/tls/private/postgresql.key</file>
</service> </service>
</services> </services>
<variables> <variables>
@ -15,7 +15,7 @@
<variable name="pg_client_password" type="password" description="Client password" mandatory="True" hidden="True"/> <variable name="pg_client_password" type="password" description="Client password" mandatory="True" hidden="True"/>
<variable name="pg_client_database" description="Client database" mandatory="True" hidden="True"/> <variable name="pg_client_database" description="Client database" mandatory="True" hidden="True"/>
<variable name="pg_client_key_owner" type="unix_user" description="Key owner" mandatory="True"> <variable name="pg_client_key_owner" type="unix_user" description="Key owner" mandatory="True">
<value>root</value> <value>apache</value>
</variable> </variable>
</family> </family>
</variables> </variables>

View file

@ -15,9 +15,13 @@
<variable name="container_config_path" type="filename" description="Nom du répertoire racine des configurations"> <variable name="container_config_path" type="filename" description="Nom du répertoire racine des configurations">
<value>/var/lib/risotto/configurations</value> <value>/var/lib/risotto/configurations</value>
</variable> </variable>
<variable name="container_journal_path" type="filename" description="Nom du répertoire racine des journaux">
<value>/var/lib/risotto/journals</value>
</variable>
<variable name="host" type="domainname" description="Machine où est démarrer le conteneur" mandatory="True"/> <variable name="host" type="domainname" description="Machine où est démarrer le conteneur" mandatory="True"/>
<variable name="external_ports" type="port" description="Port exposé depuis l'extérieur" multi="True"/> <variable name="external_ports" type="port" description="Port exposé depuis l'extérieur" multi="True"/>
<variable name="srv_dir" type="filename" hidden="True"/> <variable name="srv_dir" type="filename" hidden="True"/>
<variable name="journal_dir" type="filename" hidden="True" mandatory="True"/>
<variable name="config_dir" type="filename" hidden="True" mandatory="True"/> <variable name="config_dir" type="filename" hidden="True" mandatory="True"/>
<variable name="use_systemd_repart" redefine="True"> <variable name="use_systemd_repart" redefine="True">
<value>False</value> <value>False</value>
@ -38,6 +42,13 @@
<param name="join"></param> <param name="join"></param>
<target>srv_dir</target> <target>srv_dir</target>
</fill> </fill>
<fill name="calc_value">
<param type="variable">container_journal_path</param>
<param>/</param>
<param type="variable">domain_name_eth0</param>
<param name="join"></param>
<target>journal_dir</target>
</fill>
<fill name="calc_value"> <fill name="calc_value">
<param type="variable">container_config_path</param> <param type="variable">container_config_path</param>
<param>/</param> <param>/</param>
@ -62,6 +73,12 @@
<param name="dynamic" type="variable">domain_name_eth0</param> <param name="dynamic" type="variable">domain_name_eth0</param>
<target>srv_dir</target> <target>srv_dir</target>
</check> </check>
<check name="set_linked_configuration">
<param name="linked_server" type="variable">host</param>
<param name="linked_provider">machine_journal</param>
<param name="dynamic" type="variable">domain_name_eth0</param>
<target>journal_dir</target>
</check>
<check name="set_linked_configuration"> <check name="set_linked_configuration">
<param name="linked_server" type="variable">host</param> <param name="linked_server" type="variable">host</param>
<param name="linked_provider">machine_config</param> <param name="linked_provider">machine_config</param>

View file

@ -1,10 +1,21 @@
<?xml version='1.0' encoding='UTF-8'?> <?xml version='1.0' encoding='UTF-8'?>
<rougail version="0.10"> <rougail version="0.10">
<services>
<service name="redisclient" manage="False">
<file>/etc/pki/ca-trust/source/anchors/ca_Redis.crt</file>
<file>/etc/pki/tls/certs/redis.crt</file>
<file owner_type="variable" owner="redis_client_key_owner" mode="400">/etc/pki/tls/private/redis.key</file>
<!--file owner_type="variable" owner="redis_client_key_owner" mode="400" source="redis.pem">/etc/pki/tls/redis.pem</file-->
</service>
</services>
<variables> <variables>
<family name="redis" description="Redis"> <family name="redis" description="Redis">
<variable name="redis_client_server_domainname" type="domainname" description="Nom de domaine du serveur" mandatory="True"/> <variable name="redis_client_server_domainname" type="domainname" description="Nom de domaine du serveur" mandatory="True"/>
<variable name="redis_client_username" description="Nom d'utilisateur" mandatory="True" hidden="True"/> <variable name="redis_client_username" description="Nom d'utilisateur" mandatory="True" hidden="True"/>
<variable name="redis_client_password" type="password" description="Mot de passe de connexion" mandatory="True" hidden="True"/> <variable name="redis_client_password" type="password" description="Mot de passe de connexion" mandatory="True" hidden="True"/>
<variable name="redis_client_key_owner" type="unix_user" description="Key owner" mandatory="True">
<value>apache</value>
</variable>
</family> </family>
</variables> </variables>
<constraints> <constraints>
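Review bot: `<!--file owner_type="variable" owner="redis_client_key_owner" mode="400" source="redis.pem">/etc/pki/tls/redis.pem</file-->` is commented out, yet this commit also adds a combined key + cert + chain template for the Redis client; a template nothing installs is dead weight, and a bundle that carries the private key next to the `mode="400"` key file is a second copy to protect. Either enable the line with the same `owner` and `mode="400"` or drop the template. Also, `redis_client_key_owner` defaults to `apache`, while the piwigo pieces in this commit run as `nginx`; the default should match whichever PHP worker actually opens the key.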

View file

@ -0,0 +1 @@
%%get_chain(authority_cn=%%redis_client_server_domainname, authority_name="Redis")

View file

@ -0,0 +1 @@
%%get_certificate(cn=%%domain_name_eth0, authority_cn=%%redis_client_server_domainname, authority_name='Redis', type="client")

View file

@ -0,0 +1 @@
%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%redis_client_server_domainname, authority_name='Redis', type="client")

View file

@ -0,0 +1,5 @@
%set %%ca_chain = %%get_chain(authority_cn=%%redis_client_server_domainname, authority_name="Redis")
%set %%cert = %%get_certificate(cn=%%domain_name_eth0, authority_cn=%%redis_client_server_domainname, authority_name='Redis', type="client")
%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%redis_client_server_domainname, authority_name='Redis', type="client")
%%cert
%%ca_chain

View file

@ -6,6 +6,9 @@
<ip ip_type='variable'>account.remote_ip</ip> <ip ip_type='variable'>account.remote_ip</ip>
<file engine="none" source="sysuser-redis.conf">/sysusers.d/0redis.conf</file> <file engine="none" source="sysuser-redis.conf">/sysusers.d/0redis.conf</file>
<file engine="none" source="tmpfile-redis.conf">/tmpfiles.d/0redis.conf</file> <file engine="none" source="tmpfile-redis.conf">/tmpfiles.d/0redis.conf</file>
<file>/etc/pki/ca-trust/source/anchors/ca_Redis.crt</file>
<file>/etc/pki/tls/certs/redis.crt</file>
<file owner="root" group="redis" mode="440">/etc/pki/tls/private/redis.key</file>
</service> </service>
</services> </services>
<variables> <variables>

View file

@ -3,7 +3,7 @@
<variables> <variables>
<variable name="remote" description="Remote client needing an account" type="domainname" provider="redis_client" mandatory="True"/> <variable name="remote" description="Remote client needing an account" type="domainname" provider="redis_client" mandatory="True"/>
<variable name="remote_ip" description="Remote IP" type="ip" provider="redis_client_ip" mandatory="True"/> <variable name="remote_ip" description="Remote IP" type="ip" provider="redis_client_ip" mandatory="True"/>
<variable name="password" description="Remote password" auto_save="True" hidden="True" type="password" mandatory="True" provider="redis_client_password"/> <variable name="password" auto_save="True" hidden="True" type="password" mandatory="True" provider="redis_client_password"/>
</variables> </variables>
<constraints> <constraints>
<fill name="get_password"> <fill name="get_password">
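Review bot: `description="Remote password"` is dropped from the `password` variable while `remote` and `remote_ip` keep theirs; if that is unintentional, restore it.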

View file

@ -0,0 +1 @@
%%get_chain(authority_cn=%%domain_name_eth0, authority_name="Redis")

View file

@ -99,6 +99,7 @@ protected-mode no
# Accept connections on the specified port, default is 6379 (IANA #815344). # Accept connections on the specified port, default is 6379 (IANA #815344).
# If port 0 is specified Redis will not listen on a TCP socket. # If port 0 is specified Redis will not listen on a TCP socket.
# GNUNUX: for php/php-fpm
port 6379 port 6379
# TCP listen() backlog. # TCP listen() backlog.
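Review bot: keeping `port 6379` open `for php/php-fpm` next to the new TLS listener, with `protected-mode no` a few lines above, means the plaintext port still accepts any client that can reach it, with no TLS and no client certificate; the TLS port adds nothing until the PHP side moves to 6380 and this becomes `port 0` (or at least the plaintext listener is bound to loopback). Since the client-side templates in this commit already issue a client certificate for the PHP hosts, that migration looks possible now.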
@ -141,7 +142,6 @@ timeout 0
#tcp-keepalive 300 #tcp-keepalive 300
tcp-keepalive %%redis_tcp_keepalive tcp-keepalive %%redis_tcp_keepalive
#<GNUNUX #<GNUNUX
#FIXME TLS !!
################################# TLS/SSL ##################################### ################################# TLS/SSL #####################################
# By default, TLS/SSL is disabled. To enable it, the "tls-port" configuration # By default, TLS/SSL is disabled. To enable it, the "tls-port" configuration
@ -190,6 +190,12 @@ tcp-keepalive %%redis_tcp_keepalive
# #
# tls-ca-cert-file ca.crt # tls-ca-cert-file ca.crt
# tls-ca-cert-dir /etc/ssl/certs # tls-ca-cert-dir /etc/ssl/certs
#>GNUNUX
tls-port 6380
tls-cert-file /etc/pki/tls/certs/redis.crt
tls-key-file /etc/pki/tls/private/redis.key
tls-ca-cert-file /etc/pki/ca-trust/source/anchors/ca_Redis.crt
#<GNUNUX
# By default, clients (including replica servers) on a TLS port are required # By default, clients (including replica servers) on a TLS port are required
# to authenticate using valid client side certificates. # to authenticate using valid client side certificates.
@ -896,6 +902,9 @@ replica-priority 100
# #
# For more information about ACL configuration please refer to # For more information about ACL configuration please refer to
# the Redis web site at https://redis.io/topics/acl # the Redis web site at https://redis.io/topics/acl
#>GNUNUX
user %%normalize_family(%%account.remote) on >%%account.password ~* &* +@all
#<GNUNUX
# ACL LOG # ACL LOG
# #
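Review bot: `user %%normalize_family(%%account.remote) on >%%account.password ~* &* +@all` hands the application account every command, including the `@dangerous` group (CONFIG, DEBUG, FLUSHALL, SHUTDOWN, ACL). A PHP session or cache client needs far less; start from `+@all -@dangerous` or an explicit `+@read +@write +@keyspace` set. The password is also spliced raw into a whitespace-delimited ACL line, so `get_password` must never produce spaces.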

View file

@ -0,0 +1 @@
%%get_certificate(%%domain_name_eth0, 'Redis')

View file

@ -0,0 +1 @@
%%get_private_key(%%domain_name_eth0, 'Redis')

View file

@ -25,12 +25,17 @@
<value>Consulter ces courriels avec Roundcube</value> <value>Consulter ces courriels avec Roundcube</value>
</variable> </variable>
<variable name="oauth2_client_category" redefine='True'> <variable name="oauth2_client_category" redefine='True'>
<value>Collaboration</value> <value>Diffusion</value>
</variable> </variable>
<variable name="oauth2_client_logo" redefine='True'> <variable name="oauth2_client_logo" redefine='True'>
<value>silique_email.png</value> <value>silique_email.png</value>
</variable> </variable>
</family> </family>
<family name="nginx">
<variable name="revprox_client_local_location" redefine="True">
<value>/roundcube/</value>
</variable>
</family>
</variables> </variables>
<constraints> <constraints>
<fill name="get_password"> <fill name="get_password">

View file

@ -31,7 +31,7 @@ $config = [];
// e.g. 'mysql://roundcube:@localhost/roundcubemail?verify_server_cert=false' // e.g. 'mysql://roundcube:@localhost/roundcubemail?verify_server_cert=false'
// GNUNUX $config['db_dsnw'] = 'mysql://roundcube:@localhost/roundcubemail'; // GNUNUX $config['db_dsnw'] = 'mysql://roundcube:@localhost/roundcubemail';
//>GNUNUX //>GNUNUX
$config['db_dsnw'] = 'pgsql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database?sslmode=verify-full'; $config['db_dsnw'] = 'pgsql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database?sslmode=verify-full&sslcert=/etc/pki/tls/certs/postgresql.crt&sslkey=/etc/pki/tls/private/postgresql.key&sslrootcert=/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt';
//<GNUNUX //<GNUNUX
// Database DSN for read-only operations (if empty write database will be used) // Database DSN for read-only operations (if empty write database will be used)
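Review bot: the DSN now points at `sslkey=/etc/pki/tls/private/postgresql.key`, which this commit installs as `mode="400"` owned by `pg_client_key_owner` (default changed to `apache`). The key is then readable by that one user only, so the default must equal the user Roundcube's PHP worker runs as, otherwise every connection fails on opening the key; confirm which user that is for this image rather than relying on the default. With a client certificate presented under `sslmode=verify-full`, the password in the DSN could also be retired by switching the PostgreSQL role to certificate authentication, so it no longer sits in a config file.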